fix: Use clientIP when passing coraza (#3322) #5581
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
# This workflow is actually running | |
# tests (with localstack) but the | |
# name is used for the badge in README.md | |
name: Build | |
on: | |
push: | |
branches: | |
- master | |
- releases/** | |
paths-ignore: | |
- 'README.md' | |
pull_request: | |
branches: | |
- master | |
- releases/** | |
paths-ignore: | |
- 'README.md' | |
# these env variables are for localstack, so we can emulate aws services | |
env: | |
RICHGO_FORCE_COLOR: 1 | |
AWS_HOST: localstack | |
# these are to mimic aws config | |
AWS_ACCESS_KEY_ID: test | |
AWS_SECRET_ACCESS_KEY: test | |
AWS_REGION: us-east-1 | |
CROWDSEC_FEATURE_DISABLE_HTTP_RETRY_BACKOFF: true | |
jobs: | |
build: | |
name: "Build + tests" | |
runs-on: ubuntu-latest | |
services: | |
localstack: | |
image: localstack/localstack:3.0 | |
ports: | |
- 4566:4566 # Localstack exposes all services on the same port | |
env: | |
DEBUG: "" | |
LAMBDA_EXECUTOR: "" | |
KINESIS_ERROR_PROBABILITY: "" | |
DOCKER_HOST: unix:///var/run/docker.sock | |
KINESIS_INITIALIZE_STREAMS: ${{ env.KINESIS_INITIALIZE_STREAMS }} | |
LOCALSTACK_HOST: ${{ env.AWS_HOST }} # Required so that resource urls are provided properly | |
# e.g sqs url will get localhost if we don't set this env to map our service | |
options: >- | |
--name=localstack | |
--health-cmd="curl -sS 127.0.0.1:4566 || exit 1" | |
--health-interval=10s | |
--health-timeout=5s | |
--health-retries=3 | |
zoo1: | |
image: confluentinc/cp-zookeeper:7.4.3 | |
ports: | |
- "2181:2181" | |
env: | |
ZOOKEEPER_CLIENT_PORT: 2181 | |
ZOOKEEPER_SERVER_ID: 1 | |
ZOOKEEPER_SERVERS: zoo1:2888:3888 | |
options: >- | |
--name=zoo1 | |
--health-cmd "jps -l | grep zookeeper" | |
--health-interval 10s | |
--health-timeout 5s | |
--health-retries 5 | |
kafka1: | |
image: crowdsecurity/kafka-ssl | |
ports: | |
- "9093:9093" | |
- "9092:9092" | |
- "9999:9999" | |
env: | |
KAFKA_ADVERTISED_LISTENERS: LISTENER_DOCKER_INTERNAL://127.0.0.1:19092,LISTENER_DOCKER_EXTERNAL://127.0.0.1:9092,LISTENER_DOCKER_EXTERNAL_SSL://127.0.0.1:9093 | |
KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: LISTENER_DOCKER_INTERNAL:PLAINTEXT,LISTENER_DOCKER_EXTERNAL:PLAINTEXT,LISTENER_DOCKER_EXTERNAL_SSL:SSL | |
KAFKA_INTER_BROKER_LISTENER_NAME: LISTENER_DOCKER_INTERNAL | |
KAFKA_ZOOKEEPER_CONNECT: "zoo1:2181" | |
KAFKA_BROKER_ID: 1 | |
KAFKA_LOG4J_LOGGERS: "kafka.controller=INFO,kafka.producer.async.DefaultEventHandler=INFO,state.change.logger=INFO" | |
KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1 | |
KAFKA_TRANSACTION_STATE_LOG_REPLICATION_FACTOR: 1 | |
KAFKA_TRANSACTION_STATE_LOG_MIN_ISR: 1 | |
KAFKA_JMX_PORT: 9999 | |
KAFKA_JMX_HOSTNAME: "127.0.0.1" | |
KAFKA_AUTHORIZER_CLASS_NAME: kafka.security.authorizer.AclAuthorizer | |
KAFKA_ALLOW_EVERYONE_IF_NO_ACL_FOUND: "true" | |
KAFKA_SSL_KEYSTORE_FILENAME: kafka.kafka1.keystore.jks | |
KAFKA_SSL_KEYSTORE_CREDENTIALS: kafka1_keystore_creds | |
KAFKA_SSL_KEY_CREDENTIALS: kafka1_sslkey_creds | |
KAFKA_SSL_TRUSTSTORE_FILENAME: kafka.kafka1.truststore.jks | |
KAFKA_SSL_TRUSTSTORE_CREDENTIALS: kafka1_truststore_creds | |
KAFKA_SSL_ENABLED_PROTOCOLS: TLSv1.2 | |
KAFKA_SSL_PROTOCOL: TLSv1.2 | |
KAFKA_SSL_CLIENT_AUTH: none | |
KAFKA_AUTO_CREATE_TOPICS_ENABLE: "true" | |
options: >- | |
--name=kafka1 | |
--health-cmd "kafka-broker-api-versions --version" | |
--health-interval 10s | |
--health-timeout 10s | |
--health-retries 5 | |
loki: | |
image: grafana/loki:2.9.1 | |
ports: | |
- "3100:3100" | |
options: >- | |
--name=loki1 | |
--health-cmd "wget -q -O - http://localhost:3100/ready | grep 'ready'" | |
--health-interval 30s | |
--health-timeout 10s | |
--health-retries 5 | |
--health-start-period 30s | |
steps: | |
- name: Check out CrowdSec repository | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
submodules: false | |
- name: "Set up Go" | |
uses: actions/setup-go@v5 | |
with: | |
go-version: "1.23" | |
- name: Run "go generate" and check for changes | |
run: | | |
set -e | |
# ensure the version of 'protoc' matches the one that generated the files | |
PROTOBUF_VERSION="21.12" | |
# don't pollute the repo | |
pushd $HOME | |
curl -OL https://github.com/protocolbuffers/protobuf/releases/download/v${PROTOBUF_VERSION}/protoc-${PROTOBUF_VERSION}-linux-x86_64.zip | |
unzip protoc-${PROTOBUF_VERSION}-linux-x86_64.zip -d $HOME/.protoc | |
popd | |
export PATH="$HOME/.protoc/bin:$PATH" | |
go install google.golang.org/protobuf/cmd/[email protected] | |
go install google.golang.org/grpc/cmd/[email protected] | |
go generate ./... | |
protoc --version | |
if [[ $(git status --porcelain) ]]; then | |
echo "Error: Uncommitted changes found after running 'make generate'. Please commit all generated code." | |
git diff | |
exit 1 | |
else | |
echo "No changes detected after running 'make generate'." | |
fi | |
- name: Create localstack streams | |
run: | | |
aws --endpoint-url=http://127.0.0.1:4566 --region us-east-1 kinesis create-stream --stream-name stream-1-shard --shard-count 1 | |
aws --endpoint-url=http://127.0.0.1:4566 --region us-east-1 kinesis create-stream --stream-name stream-2-shards --shard-count 2 | |
- name: Generate codecov configuration | |
run: | | |
.github/generate-codecov-yml.sh >> .github/codecov.yml | |
- name: Build and run tests, static | |
run: | | |
sudo apt -qq -y -o=Dpkg::Use-Pty=0 install build-essential libre2-dev | |
go install github.com/ory/[email protected] | |
go install github.com/kyoh86/[email protected] | |
set -o pipefail | |
make build BUILD_STATIC=1 | |
make go-acc | sed 's/ *coverage:.*of statements in.*//' | richgo testfilter | |
# check if some component stubs are missing | |
- name: "Build profile: minimal" | |
run: | | |
make build BUILD_PROFILE=minimal | |
- name: Run tests again, dynamic | |
run: | | |
make clean build | |
set -o pipefail | |
make go-acc | sed 's/ *coverage:.*of statements in.*//' | richgo testfilter | |
- name: Upload unit coverage to Codecov | |
uses: codecov/codecov-action@v4 | |
with: | |
files: coverage.out | |
flags: unit-linux | |
token: ${{ secrets.CODECOV_TOKEN }} | |
- name: golangci-lint | |
uses: golangci/golangci-lint-action@v6 | |
with: | |
version: v1.61 | |
args: --issues-exit-code=1 --timeout 10m | |
only-new-issues: false |