fix(ja4ebpf): split bpf2go generate into Ja4Tc + Ja4Ssl, fix RPM systemd-rpm-macros

- Use two separate //go:generate directives (Ja4Tc for tc_capture.c, Ja4Ssl for uprobe_ssl.c) to avoid duplicate LICENSE symbol and multi-file clang issue - Update loader.go to hold tcObjs/sslObjs separately with correct field names: UprobeSslSetFd, UprobeSslReadEntry, UretprobeSslReadExit, KprobeAccept4Entry, KretprobeAccept4Exit - Add systemd-rpm-macros to all three RPM build stages (el8/el9/el10) so that %{_unitdir} macro resolves correctly - RPMs now build successfully for el8, el9, el10 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-11 23:21:11 +02:00
parent a1e4c1dad5
commit 3b047b680a
155 changed files with 197011 additions and 599 deletions
--- a/tests/integration/apache/run-tests.sh
+++ b/tests/integration/apache/run-tests.sh
@ -0,0 +1,107 @@
+#!/usr/bin/env bash
+# =============================================================================
+# run-tests.sh — Tests d'intégration stack Apache HTTPD + ja4ebpf
+#
+# Usage :
+#   ./run-tests.sh                           # build + start + test + down
+#   ./run-tests.sh --no-down                 # garder la stack après les tests
+#   ./run-tests.sh --build-only              # build uniquement
+#   PLATFORM_BASE_IMAGE=almalinux:8 ./run-tests.sh   # tester sur el8
+# =============================================================================
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+export STACK_NAME="apache"
+export COMPOSE_FILE="$SCRIPT_DIR/docker-compose.yml"
+
+for arg in "$@"; do
+    case "$arg" in
+        --no-down)    export KEEP_UP=true ;;
+        --build-only) export BUILD_ONLY=true ;;
+    esac
+done
+
+source "$SCRIPT_DIR/../lib/run-stack-tests.sh"
+
+# ── Vérifications spécifiques Apache ─────────────────────────────────────────
+stack_verify_extra() {
+    # Vérifie que httpd répond avec le bon Server header
+    local server_hdr
+    server_hdr=$(docker compose -f "$COMPOSE_FILE" exec -T platform \
+        curl -skI https://localhost/ 2>/dev/null | grep -i "^Server:" | tr -d '\r' || echo "")
+    if echo "$server_hdr" | grep -qi "apache\|httpd"; then
+        pass "Header Server: Apache présent dans les réponses HTTPS"
+    else
+        warn "Header Server Apache non détecté (réponse: '$server_hdr')"
+    fi
+
+    # Vérifie HTTP/2 ALPN h2 via curl
+    local alpn_result
+    alpn_result=$(docker compose -f "$COMPOSE_FILE" exec -T platform \
+        curl -sk --http2 -w "%{http_version}" -o /dev/null https://localhost/ 2>/dev/null || echo "")
+    if [ "$alpn_result" = "2" ]; then
+        pass "HTTP/2 (ALPN h2) négocié avec succès sur Apache"
+    else
+        warn "HTTP/2 non négocié (version: '$alpn_result') — vérifier mod_http2 et SSLProtocol"
+    fi
+
+    # Vérifie que ja4ebpf tourne
+    local ja4_pid
+    ja4_pid=$(docker compose -f "$COMPOSE_FILE" exec -T platform \
+        pgrep -x ja4ebpf 2>/dev/null | head -1 || echo "")
+    if [ -n "$ja4_pid" ]; then
+        pass "Processus ja4ebpf actif (PID $ja4_pid)"
+    else
+        fail "Processus ja4ebpf introuvable dans le conteneur platform"
+    fi
+
+    # Vérifie que httpd tourne
+    local httpd_count
+    httpd_count=$(docker compose -f "$COMPOSE_FILE" exec -T platform \
+        pgrep -c httpd 2>/dev/null || echo "0")
+    if [ "${httpd_count:-0}" -gt 0 ] 2>/dev/null; then
+        pass "Apache HTTPD actif ($httpd_count processus httpd)"
+    else
+        fail "Aucun processus httpd trouvé"
+    fi
+
+    # Vérifie les données L7 capturées via uprobe httpd
+    local l7_count
+    l7_count=$(ch_query "SELECT count() FROM ja4_logs.http_logs_raw WHERE method != ''")
+    if [ "${l7_count:-0}" -gt 0 ] 2>/dev/null; then
+        pass "L7 capturé via uprobe httpd : $l7_count requêtes HTTP"
+    else
+        warn "Aucune requête L7 — uprobe httpd peut nécessiter que httpd lie directement libssl"
+        log "  Vérifier : ldd /usr/sbin/httpd | grep ssl"
+    fi
+
+    # Vérifie JA4 fingerprint
+    local ja4_sample
+    ja4_sample=$(ch_query "SELECT ja4 FROM ja4_logs.http_logs_raw WHERE ja4 != '' LIMIT 1" 2>/dev/null || echo "")
+    if [ -n "$ja4_sample" ]; then
+        pass "JA4 fingerprint capturé : $ja4_sample"
+    else
+        warn "JA4 fingerprint vide — TC ingress hook peut-être non fonctionnel"
+    fi
+
+    # Vérifie le SNI capturé
+    local sni_count
+    sni_count=$(ch_query "SELECT count() FROM ja4_logs.http_logs_raw WHERE sni != ''")
+    if [ "${sni_count:-0}" -gt 0 ] 2>/dev/null; then
+        pass "SNI capturé dans $sni_count enregistrements"
+    else
+        warn "Aucun SNI capturé"
+    fi
+
+    # Vérifie HTTP port 80 (trafic en clair — kprobe tcp_recvmsg)
+    local plain_count
+    plain_count=$(ch_query "SELECT count() FROM ja4_logs.http_logs_raw WHERE correlated = 0 AND method != ''" 2>/dev/null || echo "0")
+    if [ "${plain_count:-0}" -gt 0 ] 2>/dev/null; then
+        pass "HTTP en clair capturé : $plain_count requêtes (kprobe tcp_recvmsg)"
+    else
+        warn "Aucune requête HTTP port 80 en clair détectée (normal si traffic-gen n'envoie que du HTTPS)"
+    fi
+}
+
+run_all_phases