From f278315081b24b59bf73e9613e552e3519200a71 Mon Sep 17 00:00:00 2001
From: jsdelfino <jsdelfino@13f79535-47bb-0310-9956-ffa450edef68>
Date: Mon, 28 May 2012 04:39:18 +0000
Subject: Improve error reporting with a reason code. Improve debug and audit
 logging. Fix test scripts to cleanup state from previous builds and correctly
 report test errors.

git-svn-id: http://svn.us.apache.org/repos/asf/tuscany@1343138 13f79535-47bb-0310-9956-ffa450edef68
---
 sca-cpp/trunk/modules/http/Makefile.am             |  2 +-
 sca-cpp/trunk/modules/http/http-test               |  1 +
 sca-cpp/trunk/modules/http/http.hpp                | 30 +++++++--------
 sca-cpp/trunk/modules/http/httpd-test              |  1 +
 sca-cpp/trunk/modules/http/httpd.hpp               | 10 +++--
 sca-cpp/trunk/modules/http/mod-security-audit-conf | 44 ++++++++++++++++++++++
 sca-cpp/trunk/modules/http/mod-security-conf       | 21 ++---------
 sca-cpp/trunk/modules/http/proxy-test              |  1 +
 8 files changed, 73 insertions(+), 37 deletions(-)
 create mode 100755 sca-cpp/trunk/modules/http/mod-security-audit-conf

(limited to 'sca-cpp/trunk/modules/http')

diff --git a/sca-cpp/trunk/modules/http/Makefile.am b/sca-cpp/trunk/modules/http/Makefile.am
index 161279a73f..4fd7cc0818 100644
--- a/sca-cpp/trunk/modules/http/Makefile.am
+++ b/sca-cpp/trunk/modules/http/Makefile.am
@@ -76,7 +76,7 @@ if WANT_MODSECURITY
 modsecurity.prefix: $(top_builddir)/config.status
 	echo ${MODSECURITY_PREFIX} >modsecurity.prefix
 
-dist_modsecurity_SCRIPTS = mod-security-conf
+dist_modsecurity_SCRIPTS = mod-security-conf mod-security-audit-conf
 modsecurity_DATA = modsecurity.prefix
 modsecuritydir = $(prefix)/modules/http
 
diff --git a/sca-cpp/trunk/modules/http/http-test b/sca-cpp/trunk/modules/http/http-test
index 73cfe700a6..956b13a516 100755
--- a/sca-cpp/trunk/modules/http/http-test
+++ b/sca-cpp/trunk/modules/http/http-test
@@ -18,6 +18,7 @@
 #  under the License.
 
 # Setup
+rm -rf tmp
 ./httpd-conf tmp localhost 8090 htdocs
 ./httpd-event-conf tmp
 ./httpd-start tmp
diff --git a/sca-cpp/trunk/modules/http/http.hpp b/sca-cpp/trunk/modules/http/http.hpp
index eb7a8d506f..e8c88f8a83 100644
--- a/sca-cpp/trunk/modules/http/http.hpp
+++ b/sca-cpp/trunk/modules/http/http.hpp
@@ -371,7 +371,7 @@ template<typename R> const failable<list<R> > apply(const list<list<string> >& h
     // Setup the CURL session
     const failable<CURL*> fch = setup(url, cs);
     if (!hasContent(fch))
-        return mkfailure<list<R>>(reason(fch));
+        return mkfailure<list<R>>(fch);
     CURL* ch = content(fch);
 
     // Set the request headers
@@ -440,19 +440,19 @@ const failable<value> evalExpr(const value& expr, const string& url, const CURLS
     js::JSContext cx;
     const failable<list<string> > jsreq = json::jsonRequest(1, car<value>(expr), cdr<value>(expr), cx);
     if (!hasContent(jsreq))
-        return mkfailure<value>(reason(jsreq));
+        return mkfailure<value>(jsreq);
 
     // POST it to the URL
     const list<string> h = mklist<string>("Content-Type: application/json-rpc");
     const failable<list<list<string> > > res = apply<list<string> >(mklist<list<string> >(h, content(jsreq)), rcons<string>, list<string>(), url, "POST", cs);
     if (!hasContent(res))
-        return mkfailure<value>(reason(res));
+        return mkfailure<value>(res);
 
     // Parse and return JSON-RPC result
     const failable<value> rval = json::jsonResultValue(cadr<list<string> >(content(res)), cx);
     debug(rval, "http::evalExpr::result");
     if (!hasContent(rval))
-        return mkfailure<value>(reason(rval));
+        return mkfailure<value>(rval);
     return content(rval);
 }
 
@@ -513,7 +513,7 @@ const failable<value> getcontent(const string& url, const CURLSession& cs) {
     // Get the contents of the resource at the given URL
     const failable<list<list<string> > > res = get<list<string>>(rcons<string>, list<string>(), url, cs);
     if (!hasContent(res))
-        return mkfailure<value>(reason(res));
+        return mkfailure<value>(res);
     const list<string> ls(reverse(cadr(content(res))));
 
     // Return the content as a list of values
@@ -597,7 +597,7 @@ const failable<value> get(const string& url, const CURLSession& cs) {
     // Get the contents of the resource at the given URL
     const failable<list<list<string> > > res = get<list<string> >(rcons<string>, list<string>(), url, cs);
     if (!hasContent(res))
-        return mkfailure<value>(reason(res));
+        return mkfailure<value>(res);
 
     // Parse the returned content
     return responseValue(content(res));
@@ -608,7 +608,7 @@ const failable<value> get(const string& url, const CURLSession& cs) {
  */
 const failable<list<list<string> > > writeRequest(const failable<list<string> >& ls, const string& ct) {
     if (!hasContent(ls))
-        return mkfailure<list<list<string> > >(reason(ls));
+        return mkfailure<list<list<string> > >(ls);
     const list<list<string> > req =  mklist<list<string> >(mklist<string>(string("Content-Type: ") + ct), content(ls));
     debug(req, "http::writeRequest::req");
     return req;
@@ -695,13 +695,13 @@ const failable<value> post(const value& val, const string& url, const CURLSessio
     // Convert value to a content request
     const failable<list<list<string> > > req = contentRequest(val, url);
     if (!hasContent(req))
-        return mkfailure<value>(reason(req));
+        return mkfailure<value>(req);
     debug(content(req), "http::post::input");
 
     // POST it to the URL
     const failable<list<list<string> > > res = apply<list<string>>(content(req), rcons<string>, list<string>(), url, "POST", cs);
     if (!hasContent(res))
-        return mkfailure<value>(reason(res));
+        return mkfailure<value>(res);
 
     // Return the new entry id from the HTTP location header, if any
     const string loc = location(car(content(res)));
@@ -724,13 +724,13 @@ const failable<value> put(const value& val, const string& url, const CURLSession
     // Convert value to a content request
     const failable<list<list<string> > > req = contentRequest(val, url);
     if (!hasContent(req))
-        return mkfailure<value>(reason(req));
+        return mkfailure<value>(req);
     debug(content(req), "http::put::input");
 
     // PUT it to the URL
     const failable<list<list<string> > > res = apply<list<string> >(content(req), rcons<string>, list<string>(), url, "PUT", cs);
     if (!hasContent(res))
-        return mkfailure<value>(reason(res));
+        return mkfailure<value>(res);
 
     debug(true, "http::put::result");
     return value(true);
@@ -745,13 +745,13 @@ const failable<value> patch(const value& val, const string& url, const CURLSessi
     // Convert value to a content request
     const failable<list<list<string> > > req = contentRequest(val, url);
     if (!hasContent(req))
-        return mkfailure<value>(reason(req));
+        return mkfailure<value>(req);
     debug(content(req), "http::patch::input");
 
     // PATCH it to the URL
     const failable<list<list<string> > > res = apply<list<string> >(content(req), rcons<string>, list<string>(), url, "PATCH", cs);
     if (!hasContent(res))
-        return mkfailure<value>(reason(res));
+        return mkfailure<value>(res);
 
     debug(true, "http::patch::result");
     return value(true);
@@ -766,7 +766,7 @@ const failable<value, string> del(const string& url, const CURLSession& cs) {
     const list<list<string> > req = mklist(list<string>(), list<string>());
     const failable<list<list<string> > > res = apply<list<string> >(req, rcons<string>, list<string>(), url, "DELETE", cs);
     if (!hasContent(res))
-        return mkfailure<value>(reason(res));
+        return mkfailure<value>(res);
 
     debug(true, "http::delete::result");
     return value(true);
@@ -805,7 +805,7 @@ const failable<bool> connect(const string& url, CURLSession& cs) {
     // Setup the CURL session
     const failable<CURL*> fch = setup(url, cs);
     if (!hasContent(fch))
-        return mkfailure<bool>(reason(fch));
+        return mkfailure<bool>(fch);
     CURL* ch = content(fch);
 
     // Connect
diff --git a/sca-cpp/trunk/modules/http/httpd-test b/sca-cpp/trunk/modules/http/httpd-test
index 2b151d0e12..ab6ab5ad41 100755
--- a/sca-cpp/trunk/modules/http/httpd-test
+++ b/sca-cpp/trunk/modules/http/httpd-test
@@ -22,6 +22,7 @@ here=`echo "import os; print os.path.realpath('$0')" | python`; here=`dirname $h
 curl_prefix=`cat $here/../http/curl.prefix`
 
 # Setup
+rm -rf tmp
 ./httpd-conf tmp localhost 8090 htdocs
 ./httpd-event-conf tmp
 ./httpd-start tmp
diff --git a/sca-cpp/trunk/modules/http/httpd.hpp b/sca-cpp/trunk/modules/http/httpd.hpp
index 718ed6e52b..7147e8839c 100644
--- a/sca-cpp/trunk/modules/http/httpd.hpp
+++ b/sca-cpp/trunk/modules/http/httpd.hpp
@@ -402,7 +402,7 @@ const list<string> read(request_rec* r) {
  */
 const failable<int> writeResult(const failable<list<string> >& ls, const string& ct, request_rec* r) {
     if (!hasContent(ls))
-        return mkfailure<int>(reason(ls));
+        return mkfailure<int>(ls);
     ostringstream os;
     write(content(ls), os);
     const string ob(str(os));
@@ -437,8 +437,10 @@ const failable<int> writeResult(const failable<list<string> >& ls, const string&
  */
 const int reportStatus(const failable<int>& rc) {
     debug(rc, "httpd::reportStatus::rc");
-    if (!hasContent(rc))
-        return HTTP_INTERNAL_SERVER_ERROR;
+    if (!hasContent(rc)) {
+        const int r = rcode(rc);
+        return r == -1 ? HTTP_INTERNAL_SERVER_ERROR : r;
+    }
     return content(rc);
 }
 
@@ -725,7 +727,7 @@ const bool debugRequest(request_rec* r, const string& msg) {
     return true;
 }
 
-#define debug_httpdRequest(r, msg) if (debug_islogging()) httpd::debugRequest(r, msg)
+#define debug_httpdRequest(r, msg) do { if (debug_islogging()) httpd::debugRequest(r, msg); } while(0)
 
 #else
 
diff --git a/sca-cpp/trunk/modules/http/mod-security-audit-conf b/sca-cpp/trunk/modules/http/mod-security-audit-conf
new file mode 100755
index 0000000000..5914bd1df4
--- /dev/null
+++ b/sca-cpp/trunk/modules/http/mod-security-audit-conf
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+#  Licensed to the Apache Software Foundation (ASF) under one
+#  or more contributor license agreements.  See the NOTICE file
+#  distributed with this work for additional information
+#  regarding copyright ownership.  The ASF licenses this file
+#  to you under the Apache License, Version 2.0 (the
+#  "License"); you may not use this file except in compliance
+#  with the License.  You may obtain a copy of the License at
+#  
+#    http://www.apache.org/licenses/LICENSE-2.0
+#    
+#  Unless required by applicable law or agreed to in writing,
+#  software distributed under the License is distributed on an
+#  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+#  KIND, either express or implied.  See the License for the
+#  specific language governing permissions and limitations
+#  under the License.
+
+# Generate a minimal mod-security audit configuration.
+here=`echo "import os; print os.path.realpath('$0')" | python`; here=`dirname $here`
+mkdir -p $1
+root=`echo "import os; print os.path.realpath('$1')" | python`
+
+mkdir -p $root/tmp
+
+cat >>$root/conf/mod-security.conf <<EOF
+# Generated by: mod-security-audit-conf $*
+# Enable mod-security audit log
+SecAuditEngine RelevantOnly
+SecAuditLogRelevantStatus "^(?:5|4(?!04))"
+SecAuditLogParts ABIJDEFHKZ
+SecAuditLogType Serial
+Include conf/mod-security-audit-log.conf
+
+EOF
+
+# Configure audit logging
+cat >$root/conf/mod-security-audit-log.conf <<EOF
+# Generated by: mod-security-audit-conf $*
+SecAuditLog $root/logs/secaudit_log
+
+EOF
+
diff --git a/sca-cpp/trunk/modules/http/mod-security-conf b/sca-cpp/trunk/modules/http/mod-security-conf
index fdc4d8e24d..4d978a01cb 100755
--- a/sca-cpp/trunk/modules/http/mod-security-conf
+++ b/sca-cpp/trunk/modules/http/mod-security-conf
@@ -81,8 +81,8 @@ IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
 SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" "phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
 
 # Avoid a potential RegEx DoS condition
-SecPcreMatchLimit 10000
-SecPcreMatchLimitRecursion 10000
+SecPcreMatchLimit 50000
+SecPcreMatchLimitRecursion 50000
 SecRule TX:/^MSC_/ "!@streq 0" "phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
 
 # Detect slow DoS attacks
@@ -100,13 +100,6 @@ SecResponseBodyLimitAction ProcessPartial
 SecTmpDir $root/tmp/
 SecDataDir $root/tmp/
 
-# Enable mod-security audit log
-SecAuditEngine RelevantOnly
-SecAuditLogRelevantStatus "^(?:5|4(?!04))"
-SecAuditLogParts ABIJDEFHKZ
-SecAuditLogType Serial
-Include conf/mod-security-log.conf
-
 # Use & as application/x-www-form-urlencoded parameter separator
 SecArgumentSeparator &
 
@@ -120,8 +113,8 @@ setvar:tx.critical_anomaly_score=5, \
 setvar:tx.error_anomaly_score=4, \
 setvar:tx.warning_anomaly_score=3, \
 setvar:tx.notice_anomaly_score=2"
-SecAction "phase:1,id:'981208',t:none,nolog,pass,setvar:tx.inbound_anomaly_score_level=5"
-SecAction "phase:1,id:'981209',t:none,nolog,pass,setvar:tx.outbound_anomaly_score_level=4"
+SecAction "phase:1,id:'981208',t:none,nolog,pass,setvar:tx.inbound_anomaly_score_level=10"
+SecAction "phase:1,id:'981209',t:none,nolog,pass,setvar:tx.outbound_anomaly_score_level=8"
 
 # Paranoid mode
 SecAction "phase:1,id:'981210',t:none,nolog,pass,setvar:tx.paranoid_mode=0"
@@ -186,12 +179,6 @@ Include ${modsecurity_prefix}/optional_rules/modsecurity_crs_25_cc_known.conf
 Include ${modsecurity_prefix}/optional_rules/modsecurity_crs_42_comment_spam.conf
 Include ${modsecurity_prefix}/optional_rules/modsecurity_crs_47_skip_outbound_checks.conf
 Include ${modsecurity_prefix}/optional_rules/modsecurity_crs_55_application_defects.conf
-EOF
-
-# Configure audit logging
-cat >$root/conf/mod-security-log.conf <<EOF
-# Generated by: mod-security-conf $*
-SecAuditLog $root/logs/modsec_audit_log
 
 EOF
 
diff --git a/sca-cpp/trunk/modules/http/proxy-test b/sca-cpp/trunk/modules/http/proxy-test
index 9f3d248fdf..0333dd280b 100755
--- a/sca-cpp/trunk/modules/http/proxy-test
+++ b/sca-cpp/trunk/modules/http/proxy-test
@@ -18,6 +18,7 @@
 #  under the License.
 
 # Setup
+rm -rf tmp
 ./httpd-conf tmp localhost 8091/8090 htdocs
 ./httpd-event-conf tmp
 ./httpd-start tmp
-- 
cgit v1.2.3