Add tests for CRS paranoia level

Vincevrp · Vincevrp · commit c38aac1d3d45 · 2022-08-01T17:37:00.000+02:00
diff --git a/spec/classes/mod/security_spec.rb b/spec/classes/mod/security_spec.rb
@@ -130,6 +130,35 @@
             }
             it { is_expected.to contain_file('/etc/httpd/modsecurity.d/custom_rules/custom_01_rules.conf').with_content %r{^\s*.*"id:199999,phase:1,nolog,allow,ctl:ruleEngine=off"$} }
           end
+
+          describe 'with CRS parameters' do
+            let :params do
+              {
+                paranoia_level: 1,
+                executing_paranoia_level: 2,
+              }
+            end
+
+            it {
+              is_expected.to contain_file('/etc/httpd/modsecurity.d/security_crs.conf').with_content \
+                %r{^SecAction \\\n\s+\"id:900000,\\\n\s+phase:1,\\\n\s+nolog,\\\n\s+pass,\\\n\s+t:none,\\\n\s+setvar:tx.paranoia_level=1"$}
+              is_expected.to contain_file('/etc/httpd/modsecurity.d/security_crs.conf').with_content \
+                %r{^SecAction \\\n\s+\"id:900001,\\\n\s+phase:1,\\\n\s+nolog,\\\n\s+pass,\\\n\s+t:none,\\\n\s+setvar:tx.executing_paranoia_level=2"$}
+            }
+          end
+
+          describe 'with invalid CRS parameters' do
+            let :params do
+              {
+                paranoia_level: 2,
+                executing_paranoia_level: 1,
+              }
+            end
+
+            it {
+              is_expected.to compile.and_raise_error(%r{Executing paranoia level cannot be lower than paranoia level})
+            }
+          end
         end
       when 'Debian'
         context 'on Debian based systems' do
@@ -259,6 +288,35 @@
               )
             }
           end
+
+          describe 'with CRS parameters' do
+            let :params do
+              {
+                paranoia_level: 1,
+                executing_paranoia_level: 1,
+              }
+            end
+
+            it {
+              is_expected.to contain_file('/etc/modsecurity/security_crs.conf').with_content \
+                %r{^SecAction \\\n\s+\"id:900000,\\\n\s+phase:1,\\\n\s+nolog,\\\n\s+pass,\\\n\s+t:none,\\\n\s+setvar:tx.paranoia_level=1"$}
+              is_expected.to contain_file('/etc/modsecurity/security_crs.conf').with_content \
+                %r{^SecAction \\\n\s+\"id:900001,\\\n\s+phase:1,\\\n\s+nolog,\\\n\s+pass,\\\n\s+t:none,\\\n\s+setvar:tx.executing_paranoia_level=1"$}
+            }
+          end
+
+          describe 'with invalid CRS parameters' do
+            let :params do
+              {
+                paranoia_level: 2,
+                executing_paranoia_level: 1,
+              }
+            end
+
+            it {
+              is_expected.to compile.and_raise_error(%r{Executing paranoia level cannot be lower than paranoia level})
+            }
+          end
         end
       end
     end
