Skip to content

test: add inverted-paranoia WAF enforcement e2e#272

Merged
ecv merged 1 commit into
mainfrom
test/mechanism-a-runtime-coverage
Jul 13, 2026
Merged

test: add inverted-paranoia WAF enforcement e2e#272
ecv merged 1 commit into
mainfrom
test/mechanism-a-runtime-coverage

Conversation

@ecv

@ecv ecv commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

What

Adds a gated e2e case on the downstream WAF data plane exercising a valid Enforce TrafficProtectionPolicy end to end:

  • benign GET / → 200 with the backend body intact,
  • a CRS-tripping attack payload (?file=../../../../etc/passwd) → 403 with no backend leakage.

Assertions check body integrity, not status alone (per datum-cloud/infra#3321). Built on the WAF e2e env from #268 (config/e2e-downstream/).

Refs #242, #251, datum-cloud/infra#3408.

@ecv ecv marked this pull request as ready for review July 13, 2026 21:35
@ecv ecv requested review from kevwilliams and scotwells July 13, 2026 21:35
@ecv ecv changed the title test: add Mechanism A WAF enforcement and neutralization e2e test: add inverted-paranoia WAF enforcement and neutralization e2e Jul 13, 2026
@ecv ecv marked this pull request as draft July 13, 2026 22:45
@ecv

This comment was marked as resolved.

Add a gated e2e case on the downstream WAF data plane exercising a valid
Enforce TrafficProtectionPolicy end to end: a benign GET returns 200 with
the backend body intact, and a CRS-tripping attack payload returns 403 with
no backend leakage. Assertions check body integrity, not status alone, per
datum-cloud/infra#3321.

Neutralization of already-persisted inverted policies is tracked separately
as follow-up to #252, where the controller-side fix and its test belong.
@ecv ecv force-pushed the test/mechanism-a-runtime-coverage branch from 28a775e to c2fed66 Compare July 13, 2026 22:47
@ecv ecv changed the title test: add inverted-paranoia WAF enforcement and neutralization e2e test: add inverted-paranoia WAF enforcement e2e Jul 13, 2026
@ecv ecv marked this pull request as ready for review July 13, 2026 23:32
@ecv ecv enabled auto-merge July 13, 2026 23:33
Comment on lines +141 to +151
- script:
timeout: 60s
content: |
set -x
kubectl get gateway -A -o yaml
kubectl describe gateway -A
kubectl get gatewayclass datum-downstream-gateway -o yaml
kubectl -n datum-downstream-gateway get pods -o wide
kubectl -n datum-downstream-gateway describe pods
kubectl -n datum-downstream-gateway logs deploy/envoy-gateway --tail=-1
kubectl -n datum-downstream-gateway logs -l gateway.envoyproxy.io/owning-gateway-namespace --all-containers --tail=200 || true

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this just for debugging?

@ecv ecv merged commit 89f35c1 into main Jul 13, 2026
11 checks passed
@ecv ecv deleted the test/mechanism-a-runtime-coverage branch July 13, 2026 23:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants