Test Plan - Defend / WAF

Introduction

Currently, the only available Defend feature is Web Application Firewall. This gives us a great opportunity to have Defend features fully tested early in the stage's lifecycle and set an example going forward.

Scope

WAF is enabled by default in Kubernetes deployments using the ingress application and uses the OWASP Core Rule Set. The default configuration is detection-only, which monitors for rule violations but does not actively block any requests.

Capabilities

  • When an application is deployed with Kubernetes + Ingress
    • WAF should log a request identified as an exploit attempt recognized by the OWASP rule set into Kubernetes logs

Test Plan

A QA E2E test for this functionality may have an excessively long runtime, and retrieving the Kubernetes ingress logs from within the test may be difficult. Ideal coverage would be a QA E2E test, but if this is not possible, we can work around it by creating a test project similar to what Secure uses to test the analyzers, and verify the log output in a CI job.
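As an added example (not part of this test plan or of GitLab's code), a check a CI job could run over the collected ingress log: it parses ModSecurity event lines, confirms that an OWASP Core Rule Set rule (ID in the 900000 to 999999 range reserved for CRS) fired, and confirms that no request was blocked, which is what the default detection-only mode should produce. The log lines are constructed to follow ModSecurity's bracketed key/value format and are not real captures; the field layout is an assumption.

```python
import re

# ModSecurity writes rule details as bracketed pairs: [id "941100"] [msg "..."] [tag "..."]
_KV = re.compile(r'\[(\w+) "([^"]*)"\]')
_ACTION = re.compile(r'ModSecurity: (Warning|Access denied with code \d+)')
CRS_ID_RANGE = range(900000, 1000000)  # rule IDs reserved for the OWASP Core Rule Set


def parse_modsec_events(log_text):
    """Return one dict per ModSecurity line: action, id, msg, tags, uri, and so on."""
    events = []
    for line in log_text.splitlines():
        action = _ACTION.search(line)
        if not action:
            continue  # ordinary nginx log line, not a WAF event
        blocked = action.group(1).startswith("Access denied")
        fields = {"action": "blocked" if blocked else "detected", "tags": []}
        for key, value in _KV.findall(line):
            if key == "tag":
                fields["tags"].append(value)  # tag repeats, so collect all of them
            else:
                fields[key] = value
        events.append(fields)
    return events


def is_crs_rule(event):
    rule_id = event.get("id", "")
    return rule_id.isdigit() and int(rule_id) in CRS_ID_RANGE


def verify_detection_only(log_text):
    """Pass iff at least one CRS rule fired and nothing was blocked (detection-only mode)."""
    events = parse_modsec_events(log_text)
    crs_hits = [e for e in events if is_crs_rule(e)]
    blocked = [e for e in events if e["action"] == "blocked"]
    return bool(crs_hits) and not blocked


# Constructed sample lines in the shape of ingress-nginx's error log (trimmed, not real captures)
DETECTION_ONLY_LOG = """\
2019/12/10 12:00:00 [error] 22#22: *5 [client 10.0.0.9] ModSecurity: Warning. Matched "Operator Rx" [file "REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "2"] [tag "OWASP_CRS"] [tag "attack-xss"] [uri "/"]
2019/12/10 12:00:00 [error] 22#22: *5 [client 10.0.0.9] ModSecurity: Warning. Matched "Operator Ge with parameter 5" [file "REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [tag "OWASP_CRS"] [uri "/"]
2019/12/10 12:00:01 [notice] 22#22: signal process started
"""
# The same events with the engine in blocking mode: the evaluation rule denies the request
BLOCKING_LOG = DETECTION_ONLY_LOG.replace(
    'Warning. Matched "Operator Ge', 'Access denied with code 403 (phase 2). Matched "Operator Ge')

if __name__ == "__main__":
    print("detection-only log passes:", verify_detection_only(DETECTION_ONLY_LOG))  # True
    print("blocking log passes:", verify_detection_only(BLOCKING_LOG))  # False
```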

What the scope does not cover

It is possible to disable WAF, but this requires toggling a feature flag in the Rails console and reinstalling the ingress application in the Kubernetes cluster, which seems unwieldy to automate in a first pass. Additionally, configuration changes to the WAF implementation are changes to the underlying open source tool, and can be considered out of scope of our testing unless they facilitate testing GitLab features.

Edited Dec 10, 2019 by Aleksandr Soborov