Cedric Hebert edited this page Apr 17, 2024 · 6 revisions

To build from the source, you need:

TinyGo is a Go compiler for embedded systems; as such, it is able to build WASM files. WASM is a format that can be used to extend Envoy, hence our design choice.

To extend Envoy, we used the dedicated Proxy WASM Go SDK.

Re-build

To recompile your own WASM plugin from the go source files, do the following:

cd cloud-active-defense/proxy/wasm
tinygo build -o ./cloud-active-defense.wasm -scheduler=none -target=wasi ./main.go

The scheduler is not supported in the WASM format and must therefore be disabled, which is what -scheduler=none does. The source code is not needed for the application to run; only the compiled WASM file is necessary.

Update dependencies

To update the version of the dependencies used before compiling, run:

cd cloud-active-defense/proxy/wasm
go mod tidy
tinygo build -o ./cloud-active-defense.wasm -scheduler=none -target=wasi ./main.go

Extend

If you add a new dependency to the source code, this needs to be reflected in the go.mod and go.sum files. Running go mod tidy will update these files.

The go.mod and go.sum files were initially created with the commands:

cd cloud-active-defense/proxy/wasm
go mod init sundew
go mod tidy

Run tests

Basic tests

To run the basic tests, run these commands:

cd cloud-active-defense/tests
./runTests.sh

The tests rely on curl, uuidgen and docker-compose. Make sure you have these installed on your system:

apt install curl -y
apt install uuid-runtime -y
apt install docker-compose -y

The main test script will do the following:

  • re-build the docker images with some modifications for test purposes
    • such as running configmanager as root to allow the overwriting of config files
    • such as exposing myapp on port 3000 for direct access
  • run cloud active defense in demo mode
  • run all tests located in tests/tests
  • display a PASS or FAIL message for each of these tests
  • stop the application

Individual tests should be stored in tests/tests. They should all follow the same pattern:

  • perform some action, such as "modify the decoy config" and "visit a certain URL"
  • check for proper injection in the curl output
  • check for proper detection / alerting in the docker logs
  • output PASS or FAIL

Check check-default-config.sh for how to deal with testing injection. Check detectURL.sh for how to deal with testing detection. You can use the file TEMPLATE.txt as inspiration.
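
The four-step pattern above, sketched as an added example (it is not taken from the project's tests/tests scripts or from TEMPLATE.txt). The function names, the decoy name, the alert line format and the run marker are all hypothetical and constructed so the sketch runs offline; the marker check is an assumption about why a unique value such as one from uuidgen is useful, namely to stop alerts left over from earlier tests from producing a false PASS.

```bash
#!/usr/bin/env bash
# Skeleton of one test: injection check + detection check -> PASS/FAIL.
# All decoy names, alert wording and sample data are constructed placeholders,
# not the project's real decoy or log format.

# 0 if the captured HTTP response (headers + body) contains the decoy.
check_injection() {          # $1 = response, $2 = decoy string
  printf '%s\n' "$1" | grep -qF -- "$2"
}

# 0 if a single log line mentions both the decoy and this run's marker.
# Requiring the marker keeps alerts left over from earlier tests from
# producing a false PASS.
check_detection() {          # $1 = logs, $2 = decoy string, $3 = run marker
  printf '%s\n' "$1" | grep -F -- "$2" | grep -qF -- "$3"
}

# Prints PASS only if both checks succeed, otherwise FAIL with the reason.
evaluate_test() {            # $1 = response, $2 = logs, $3 = decoy, $4 = marker
  if ! check_injection "$1" "$3"; then echo "FAIL: decoy not injected"; return 1; fi
  if ! check_detection "$2" "$3" "$4"; then echo "FAIL: no alert for this run"; return 1; fi
  echo "PASS"
}

# Constructed inputs. In a live test the response would be captured with
# curl -s -i and the logs with docker-compose logs.
MARKER="3f0c2a9e-0000-4000-8000-constructed"   # would come from uuidgen
DECOY="x-sample-decoy"
RESPONSE=$(printf 'HTTP/1.1 200 OK\r\n%s: %s\r\n\r\n<html></html>' "$DECOY" "$MARKER")
LOGS_OLD="proxy | alert decoy=$DECOY value=stale-run"
LOGS_NEW="$LOGS_OLD
proxy | alert decoy=$DECOY value=$MARKER"

evaluate_test "$RESPONSE" "$LOGS_NEW" "$DECOY" "$MARKER"          # PASS
evaluate_test "$RESPONSE" "$LOGS_OLD" "$DECOY" "$MARKER" || true  # FAIL: no alert for this run
```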

Stress tests

To run the stress tests, run these commands:

cd cloud-active-defense/tests
./runStressTests.sh

Stress tests work exactly like basic tests; they are stored in /tests/stress.

Trivia

sundew is the internal name of the module. This name is reflected in the folder hierarchy of the source code. A sundew is a carnivorous plant which attracts insects with 'dew', a sticky substance which seems to be edible. Cloud active defense deploys decoys in a similar way, with elements which seem to be vulnerable...
