fix(security): Update .htaccess 403 directives #62
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: End-to-end auto-prepend-file mode test suite | |
on: | |
push: | |
branches: | |
- main | |
paths-ignore: | |
- '**.md' | |
workflow_dispatch: | |
permissions: | |
contents: read | |
env: | |
# Allow ddev get to use a GitHub token to prevent rate limiting by tests | |
DDEV_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
jobs: | |
end-to-end-auto-prepend-file-mode-test-suite: | |
strategy: | |
fail-fast: false | |
# First and last minor versions of each major version | |
# Highest compatible PHP version | |
matrix: | |
include: | |
- wp-version: '4.9' | |
php-version: '7.2' | |
- wp-version: '5.0' | |
php-version: '7.2' | |
- wp-version: '5.9' | |
php-version: '7.2' | |
- wp-version: '5.9' | |
php-version: '8.0' | |
- wp-version: '6.0' | |
php-version: '7.2' | |
- wp-version: '6.0' | |
php-version: '8.0' | |
- wp-version: '6.7' | |
php-version: '7.2' | |
- wp-version: '6.7' | |
php-version: '8.3' | |
name: End-to-end auto-prepend-file mode test suite | |
runs-on: ubuntu-latest | |
if: ${{ !contains(github.event.head_commit.message, 'chore(') }} | |
env: | |
EXTENSION_NAME: "CrowdSec_Bouncer" | |
EXTENSION_PATH: "wp-content/plugins/crowdsec" | |
steps: | |
- name: Install DDEV | |
# @see https://ddev.readthedocs.io/en/stable/#installationupgrade-script-linux-and-macos-armarm64-and-amd64-architectures | |
run: | | |
curl -fsSL https://apt.fury.io/drud/gpg.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/ddev.gpg > /dev/null | |
echo "deb [signed-by=/etc/apt/trusted.gpg.d/ddev.gpg] https://apt.fury.io/drud/ * *" | sudo tee /etc/apt/sources.list.d/ddev.list | |
sudo apt-get -q update | |
sudo apt-get -q -y install libnss3-tools ddev | |
mkcert -install | |
ddev config global --instrumentation-opt-in=false --omit-containers=ddev-ssh-agent | |
- name: Set WP_VERSION_CODE env | |
# used in some directory path and conventional file naming | |
# Example : 5.6.5 => wp565 | |
run: | | |
echo "WP_VERSION_CODE=$(echo wp${{ matrix.wp-version }} | sed 's/\.//g' )" >> $GITHUB_ENV | |
- name: Create empty WordPress DDEV project (with Nginx) | |
run: ddev config --project-type=wordpress --project-name=${{ env.WP_VERSION_CODE }} --php-version=${{ matrix.php-version }} --webserver-type=nginx-fpm | |
- name: Disable automatic update | |
run: | | |
# @see https://wordpress.org/documentation/article/configuring-automatic-background-updates/#constant-to-disable-all-updates | |
sed -i -e 's/#ddev-generated//g' wp-config-ddev.php | |
echo "define( 'AUTOMATIC_UPDATER_DISABLED', true );" >> wp-config-ddev.php | |
- name: Add Redis, Memcached, Crowdsec and Playwright | |
run: | | |
ddev get ddev/ddev-redis | |
ddev get ddev/ddev-memcached | |
ddev get julienloizelet/ddev-playwright | |
# override redis.conf | |
ddev get julienloizelet/ddev-tools | |
ddev get julienloizelet/ddev-crowdsec-php | |
- name: Start DDEV | |
uses: nick-fields/retry@v3 | |
with: | |
timeout_minutes: 5 | |
max_attempts: 3 | |
shell: bash | |
command: | | |
ddev start | |
- name: Download WordPress | |
run: ddev wp core download --version=${{ matrix.wp-version }} | |
- name: Setup WordPress ${{ matrix.wp-version }} with PHP ${{ matrix.php-version }} | |
run: | | |
ddev wp core install --url='https://${{ env.WP_VERSION_CODE }}.ddev.site' --title='WordPress' --admin_user='admin' --admin_password='admin123' --admin_email='[email protected]' | |
- name: Clone ${{ env.EXTENSION_NAME }} files | |
uses: actions/checkout@v4 | |
with: | |
path: ${{ env.EXTENSION_PATH }} | |
- name: Prepare for playwright test | |
run: | | |
ddev exec -s crowdsec apk add iproute2 | |
cp .ddev/okaeli-add-on/wordpress/custom_files/crowdsec/php/wp_appsec_custom_upload.php wp_appsec_custom_upload.php | |
cat .ddev/okaeli-add-on/wordpress/custom_files/crowdsec/html/appsec-post.html | ddev wp post create --post_type=page --post_status=publish --post_title="AppSec" - | |
cat .ddev/okaeli-add-on/wordpress/custom_files/crowdsec/html/appsec-upload.html | ddev wp post create --post_type=page --post_status=publish --post_title="AppSec Upload" - | |
ddev wp rewrite structure "/%postname%/" | |
mkdir -p crowdsec/tls | |
mkdir -p crowdsec/geolocation | |
cp .ddev/okaeli-add-on/wordpress/custom_files/crowdsec/php/cache-actions-with-wordpress-load.php cache-actions.php | |
cp -r .ddev/okaeli-add-on/custom_files/crowdsec/cfssl/* crowdsec/tls | |
ddev maxmind-download DEFAULT GeoLite2-City crowdsec/geolocation | |
ddev maxmind-download DEFAULT GeoLite2-Country crowdsec/geolocation | |
cd crowdsec/geolocation | |
sha256sum -c GeoLite2-Country.tar.gz.sha256.txt | |
sha256sum -c GeoLite2-City.tar.gz.sha256.txt | |
tar -xf GeoLite2-Country.tar.gz | |
tar -xf GeoLite2-City.tar.gz | |
rm GeoLite2-Country.tar.gz GeoLite2-Country.tar.gz.sha256.txt GeoLite2-City.tar.gz GeoLite2-City.tar.gz.sha256.txt | |
cd ${{ github.workspace }}/${{ env.EXTENSION_PATH }}/tests/e2e-ddev/__scripts__ | |
chmod +x test-init.sh | |
./test-init.sh | |
chmod +x run-tests.sh | |
- name: Some DEBUG information | |
run: | | |
ddev --version | |
ddev exec php -v | |
ddev exec -s crowdsec crowdsec -version | |
- name: Activate plugin with wp | |
run: ddev wp plugin install crowdsec --activate | |
- name: Configure CrowdSec and Wordpress bouncer plugin | |
run: | | |
ddev crowdsec-config | |
- name: Prepare auto-prepend-file mode test suite | |
run: | | |
cd ${{ github.workspace }}/.ddev | |
ddev nginx-config okaeli-add-on/wordpress/custom_files/crowdsec/crowdsec-prepend-nginx-site.conf | |
- name: Verify auto_prepend_file directive | |
run: | | |
cd ${{ github.workspace }} | |
cp .ddev/okaeli-add-on/common/custom_files/phpinfo.php phpinfo.php | |
curl -v https://${{ env.WP_VERSION_CODE }}.ddev.site/phpinfo.php | |
PREPENDVERIF=$(curl https://${{ env.WP_VERSION_CODE }}.ddev.site/phpinfo.php | grep -o -E "auto_prepend_file=(.*)php(.*)" | sed 's/<\/tr>//g; s/<\/td>//g;' | tr '\n' '#') | |
if [[ $PREPENDVERIF == "auto_prepend_file=/var/www/html/wp-content/plugins/crowdsec/inc/standalone-bounce.php#auto_prepend_file=/var/www/html/wp-content/plugins/crowdsec/inc/standalone-bounce.php#" ]] | |
then | |
echo "AUTO PREPEND FILE OK" | |
else | |
echo "AUTO PREPEND FILE KO" | |
echo $PREPENDVERIF | |
exit 1 | |
fi | |
- name: Enable Plugin auto_prepend_file mode | |
uses: ./wp-content/plugins/crowdsec/.github/workflows/end-to-end/run-single-test | |
with: | |
test_path: ${{ github.workspace }}/${{ env.EXTENSION_PATH }}/tests/e2e-ddev | |
file_path: 10-enable-autoprependfile-mode.js | |
- name: Run Live mode remediation tests | |
uses: ./wp-content/plugins/crowdsec/.github/workflows/end-to-end/run-single-test | |
with: | |
test_path: ${{ github.workspace }}/${{ env.EXTENSION_PATH }}/tests/e2e-ddev | |
file_path: 2-live-mode-remediations.js | |
- name: Run more Live mode remediation tests | |
uses: ./wp-content/plugins/crowdsec/.github/workflows/end-to-end/run-single-test | |
with: | |
test_path: ${{ github.workspace }}/${{ env.EXTENSION_PATH }}/tests/e2e-ddev | |
file_path: 3-live-mode-more.js | |
- name: Run Live mode cache tests | |
uses: ./wp-content/plugins/crowdsec/.github/workflows/end-to-end/run-single-test | |
with: | |
test_path: ${{ github.workspace }}/${{ env.EXTENSION_PATH }}/tests/e2e-ddev | |
file_path: 4-live-mode-cache.js | |
- name: Prepare cron usage | |
run: | | |
sed -i 's/fastcgi_finish_request/\/\/fastcgi_finish_request/g' wp-cron.php | |
- name: Run Stream mode tests | |
uses: ./wp-content/plugins/crowdsec/.github/workflows/end-to-end/run-single-test | |
with: | |
test_path: ${{ github.workspace }}/${{ env.EXTENSION_PATH }}/tests/e2e-ddev | |
file_path: 5-stream-mode.js | |
- name: Run Redis tests | |
uses: ./wp-content/plugins/crowdsec/.github/workflows/end-to-end/run-single-test | |
with: | |
test_path: ${{ github.workspace }}/${{ env.EXTENSION_PATH }}/tests/e2e-ddev | |
file_path: 6-redis.js | |
- name: Run Memcached tests | |
uses: ./wp-content/plugins/crowdsec/.github/workflows/end-to-end/run-single-test | |
with: | |
test_path: ${{ github.workspace }}/${{ env.EXTENSION_PATH }}/tests/e2e-ddev | |
file_path: 7-memcached.js | |
- name: Run Geolocation tests | |
uses: ./wp-content/plugins/crowdsec/.github/workflows/end-to-end/run-single-test | |
with: | |
test_path: ${{ github.workspace }}/${{ env.EXTENSION_PATH }}/tests/e2e-ddev | |
file_path: 8-geolocation.js | |
- name: Run AppSec tests | |
uses: ./wp-content/plugins/crowdsec/.github/workflows/end-to-end/run-single-test | |
with: | |
test_path: ${{ github.workspace }}/${{ env.EXTENSION_PATH }}/tests/e2e-ddev | |
file_path: 11-appsec.js | |
- name: Prepare CrowdSec for AppSec timeout tests | |
run: ddev exec -s crowdsec tc qdisc add dev eth0 root netem delay 500ms | |
- name: Run AppSec timeout tests | |
uses: ./wp-content/plugins/crowdsec/.github/workflows/end-to-end/run-single-test | |
with: | |
test_path: ${{ github.workspace }}/${{ env.EXTENSION_PATH }}/tests/e2e-ddev | |
file_path: 12-appsec-timeout.js | |
- name: Check tested version | |
run: | | |
CURRENT_VERSION=$(ddev wp core version) | |
if [[ ${{ matrix.wp-version }} == $CURRENT_VERSION ]] | |
then | |
echo "Tested version was as expected" | |
else | |
echo "Tested version was not as expected" | |
echo $CURRENT_VERSION | |
echo ${{ matrix.wp-version }} | |
exit 1 | |
fi |