
support/testing: add new test for nginx-modsecurity

This test verifies that we can run nginx with the modsecurity
directives.
It also checks a very simple rule that blocks requests containing the
keyword "blockme".

Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
[Julien:
 - add / at directory end in DEVELOPERS
 - sort DEVELOPERS entries alphabetically
 - remove unneeded test configs already present in
   BASIC_TOOLCHAIN_CONFIG
 - sort test config directives alphabetically
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Raphaël Mélotte 1 bulan lalu
induk
melakukan
5cda85cb56

+ 2 - 0
DEVELOPERS

@@ -2848,6 +2848,8 @@ F:	support/testing/tests/package/sample_python_s3transfer.py
 F:	support/testing/tests/package/sample_python_sdbus.py
 F:	support/testing/tests/package/sample_python_sdbus_networkmanager.py
 F:	support/testing/tests/package/sample_python_urllib3.py
+F:	support/testing/tests/package/test_nginx_modsecurity/
+F:	support/testing/tests/package/test_nginx_modsecurity.py
 F:	support/testing/tests/package/test_python_jmespath.py
 F:	support/testing/tests/package/test_python_pymupdf.py
 F:	support/testing/tests/package/test_python_rsa.py

+ 33 - 0
support/testing/tests/package/test_nginx_modsecurity.py

@@ -0,0 +1,33 @@
+import os
+
+import infra.basetest
+
+
+class TestNginxModsecurity(infra.basetest.BRTest):
+    overlay = infra.filepath("tests/package/test_nginx_modsecurity/overlay")
+    config = infra.basetest.BASIC_TOOLCHAIN_CONFIG + \
+        f"""
+        BR2_PACKAGE_NGINX=y
+        BR2_PACKAGE_NGINX_HTTP=y
+        BR2_PACKAGE_NGINX_MODSECURITY=y
+        BR2_ROOTFS_OVERLAY="{overlay}"
+        BR2_TARGET_ROOTFS_CPIO=y
+        BR2_TARGET_ROOTFS_CPIO_GZIP=y
+        """
+
+    def test_run(self):
+        cpio_file = os.path.join(self.builddir, "images", "rootfs.cpio")
+        self.emulator.boot(arch="armv5",
+                           kernel="builtin",
+                           options=["-initrd", cpio_file])
+        self.emulator.login()
+
+        self.assertRunOk("nginx -V")
+        self.assertRunOk("wget http://localhost/index.html")
+        self.assertRunOk("grep -F 'Welcome to nginx!' index.html")
+        cmd = "wget -q -O /dev/null --server-response 2>&1 " \
+            "http://localhost/blockme/ 2>&1 | awk '/^  HTTP/{print $2}'"
+        out, ret = self.emulator.run(cmd)
+        self.assertEqual(ret, 0)
+        # Check for HTTP 403 Unauthorized:
+        self.assertEqual(out[0], "403")
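Review bot: The final check `self.assertEqual(out[0], "403")` raises an IndexError instead of a readable assertion failure when the pipeline prints nothing, for example if nginx is not answering when the request is made. `ret` is the exit status of awk, the last command in the pipeline, so `self.assertEqual(ret, 0)` does not tell you whether wget reached the server. Assuming `emulator.run()` returns the list of output lines, `self.assertEqual(out, ["403"])` fails with a clear message in both cases. The comment should read `# Check for HTTP 403 Forbidden:`, since Unauthorized is 401, and the `2>&1` before the URL makes the second one in `cmd` redundant.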

+ 7 - 0
support/testing/tests/package/test_nginx_modsecurity/overlay/etc/nginx/modsecurity-rules.conf

@@ -0,0 +1,7 @@
+SecRuleEngine On
+SecRule REQUEST_URI "@contains blockme" \
+    "id:100001, \
+    phase:2, \
+    deny, \
+    status:403, \
+    msg:'Blocked request with forbidden keyword in URI.'"
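Review bot: The rule file has no comment saying it is a smoke-test fixture, and the rule is not a pattern to copy into a real policy. It matches `REQUEST_URI` with a case-sensitive `@contains` and no transformation functions, so it only proves that the engine is loaded and can deny a request. I would add a header comment such as `# Test-only rule: proves the engine denies a request; real rules normally normalise input (e.g. t:lowercase, t:urlDecodeUni)`. `REQUEST_URI` is already available in phase 1, so `phase:1` would express the intent more directly than `phase:2`, which waits for the request body.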

+ 15 - 0
support/testing/tests/package/test_nginx_modsecurity/overlay/etc/nginx/nginx.conf

@@ -0,0 +1,15 @@
+events {
+    worker_connections 1024;
+}
+
+http {
+    server {
+        modsecurity on;
+        listen 80;
+        location / {
+            root   html;
+            index  index.html index.htm;
+            modsecurity_rules_file /etc/nginx/modsecurity-rules.conf;
+        }
+    }
+}
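Review bot: `modsecurity on;` is set at the server level while `modsecurity_rules_file` is set only inside `location /`, so any location added to this fixture later would run the engine without the rule. Moving `modsecurity_rules_file /etc/nginx/modsecurity-rules.conf;` next to `modsecurity on;` in the `server` block keeps the two scopes aligned. A one-line comment naming the test that consumes this overlay would also help the next reader.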