Release/0.8.8 (#125)

* Fix schema update bug in API mode

* Bump up APIFW ver to v0.8.8

* Bump up Go version up to v1.23.6

* Dependencies upgrade

.github/workflows/binaries.yml

@@ -51,7 +51,7 @@ jobs:
     needs:
       - draft-release
     env:
-      X_GO_DISTRIBUTION: "https://go.dev/dl/go1.22.12.linux-amd64.tar.gz"
+      X_GO_DISTRIBUTION: "https://go.dev/dl/go1.23.6.linux-amd64.tar.gz"
       APIFIREWALL_NAMESPACE: "github.com/wallarm/api-firewall"
     strategy:
       matrix:
@@ -162,7 +162,7 @@ jobs:
     needs:
       - draft-release
     env:
-      X_GO_VERSION: "1.22.12"
+      X_GO_VERSION: "1.23.6"
       APIFIREWALL_NAMESPACE: "github.com/wallarm/api-firewall"
     strategy:
       matrix:
@@ -272,19 +272,19 @@ jobs:
         include:
           - arch: armv6
             distro: bullseye
-            go_distribution: https://go.dev/dl/go1.22.12.linux-armv6l.tar.gz
+            go_distribution: https://go.dev/dl/go1.23.6.linux-armv6l.tar.gz
             artifact: armv6-libc
           - arch: aarch64
             distro: bullseye
-            go_distribution: https://go.dev/dl/go1.22.12.linux-arm64.tar.gz
+            go_distribution: https://go.dev/dl/go1.23.6.linux-arm64.tar.gz
             artifact: arm64-libc
           - arch: armv6
             distro: alpine_latest
-            go_distribution: https://go.dev/dl/go1.22.12.linux-armv6l.tar.gz
+            go_distribution: https://go.dev/dl/go1.23.6.linux-armv6l.tar.gz
             artifact: armv6-musl
           - arch: aarch64
             distro: alpine_latest
-            go_distribution: https://go.dev/dl/go1.22.12.linux-arm64.tar.gz
+            go_distribution: https://go.dev/dl/go1.23.6.linux-arm64.tar.gz
             artifact: arm64-musl
     steps:
       - uses: actions/[email protected]

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.22-alpine3.21 AS build
+FROM golang:1.23-alpine3.21 AS build
 
 ARG APIFIREWALL_NAMESPACE
 ARG APIFIREWALL_VERSION

Makefile

@@ -1,4 +1,4 @@
-VERSION := 0.8.7
+VERSION := 0.8.8
 NAMESPACE := github.com/wallarm/api-firewall
 
 .DEFAULT_GOAL := build

cmd/api-firewall/internal/handlers/api/updater.go

@@ -106,6 +106,8 @@ func (s *Specification) Run() {
 				}
 				s.lock.Unlock()
 
+				s.logger.Debugf("%s: OpenAPI specifications have been updated", logPrefix)
+
 				continue
 			}
 
@@ -140,8 +142,8 @@ func (s *Specification) Shutdown() error {
 // Load function reads DB file and returns it
 func (s *Specification) Load() (storage.DBOpenAPILoader, error) {
 
-	// Load specification
-	return storage.NewOpenAPIDB(s.cfg.PathToSpecDB, s.cfg.DBVersion)
+	// Load specification only (without after load actions)
+	return storage.LoadOpenAPIDB(s.cfg.PathToSpecDB, s.cfg.DBVersion)
 }
 
 // Find function searches for the handler by path and method

cmd/api-firewall/tests/updater_v2_test.go

@@ -44,6 +44,24 @@ paths:
           content: {}
 `
 
+const testUpdatedYamlSpecification = `openapi: 3.0.1
+info:
+  title: Service
+  version: 1.1.1
+servers:
+  - url: /
+paths:
+  /test/updated:
+    get:
+      tags:
+        - Redirects
+      summary: Absolutely 302 Redirects n times.
+      responses:
+        ''200'':
+          description: A redirection.
+          content: {}
+`
+
 var currentDBPath = "./wallarm_api2_update.db"
 
 var cfgV2 = config.APIMode{
@@ -95,6 +113,39 @@ func insertSpecV2(dbFilePath, newSpec, state string) (*EntryV2, error) {
 	return &entry, nil
 }
 
+func updateSpecV2(dbFilePath string, schemaID int, newState string, newSchema string) (*EntryV2, error) {
+
+	db, err := sql.Open("sqlite3", dbFilePath)
+	if err != nil {
+		return nil, err
+	}
+	defer db.Close()
+
+	q := fmt.Sprintf("UPDATE openapi_schemas SET status = '%s', schema_content='%s' WHERE schema_id == %d", newState, newSchema, schemaID)
+	_, err = db.Exec(q)
+	if err != nil {
+		return nil, err
+	}
+
+	// entry of the V2
+	entry := EntryV2{}
+
+	rows, err := db.Query(fmt.Sprintf("SELECT * FROM openapi_schemas WHERE schema_id == %d", schemaID))
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	for rows.Next() {
+		err = rows.Scan(&entry.SchemaID, &entry.SchemaVersion, &entry.SchemaFormat, &entry.SchemaContent, &entry.Status)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return &entry, nil
+}
+
 // check that row is applied and delete this row
 func cleanSpecV2(dbFilePath string, schemaID int) error {
 
@@ -388,6 +439,61 @@ func TestUpdaterBasicV2(t *testing.T) {
 		}
 	}
 
+	// update the current entry state
+	_, err = updateSpecV2(currentDBPath, entry.SchemaID, "new", testUpdatedYamlSpecification)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// start updater second time.
+	updNewSpecErrors := make(chan error, 1)
+	updater = handlersAPI.NewHandlerUpdater(&lock, logger, specStorage, &cfgV2, &api, shutdown, &health, nil, nil)
+	go func() {
+		t.Logf("starting specification regular update process every %.0f seconds", cfg.SpecificationUpdatePeriod.Seconds())
+		updNewSpecErrors <- updater.Start()
+	}()
+
+	time.Sleep(3 * time.Second)
+
+	if err := updater.Shutdown(); err != nil {
+		t.Fatal(err)
+	}
+
+	// valid route in the updated spec
+	req = fasthttp.AcquireRequest()
+	req.SetRequestURI("/test/updated")
+	req.Header.SetMethod("GET")
+	req.Header.Add(web.XWallarmSchemaIDHeader, fmt.Sprintf("%d", entry.SchemaID))
+
+	reqCtx = fasthttp.RequestCtx{
+		Request: *req,
+	}
+
+	lock.RLock()
+	api.Handler(&reqCtx)
+	lock.RUnlock()
+
+	if reqCtx.Response.StatusCode() != 200 {
+		t.Errorf("Incorrect response status code. Expected: 200 and got %d",
+			reqCtx.Response.StatusCode())
+	}
+
+	apifwResponse = validator.ValidationResponse{}
+	if err := json.Unmarshal(reqCtx.Response.Body(), &apifwResponse); err != nil {
+		t.Errorf("Error while JSON response parsing: %v", err)
+	}
+
+	if len(apifwResponse.Summary) > 0 {
+		if *apifwResponse.Summary[0].SchemaID != entry.SchemaID {
+			t.Errorf("Incorrect error code. Expected: %d and got %d",
+				entry.SchemaID, *apifwResponse.Summary[0].SchemaID)
+		}
+		if *apifwResponse.Summary[0].StatusCode != fasthttp.StatusOK {
+			t.Errorf("Incorrect result status. Expected: %d and got %d",
+				fasthttp.StatusOK, *apifwResponse.Summary[0].StatusCode)
+		}
+	}
+
 }
 
 func TestUpdaterFromEmptyDBV2(t *testing.T) {

demo/docker-compose/OWASP_CoreRuleSet/docker-compose.yml

@@ -2,7 +2,7 @@ version: "3.8"
 services:
   api-firewall:
     container_name: api-firewall
-    image: wallarm/api-firewall:v0.8.7
+    image: wallarm/api-firewall:v0.8.8
     restart: on-failure
     environment:
       APIFW_URL: "http://0.0.0.0:8080"

demo/docker-compose/docker-compose-api-mode.yml

@@ -2,7 +2,7 @@ version: '3.8'
 services:
   api-firewall:
     container_name: api-firewall
-    image: wallarm/api-firewall:v0.8.7
+    image: wallarm/api-firewall:v0.8.8
     restart: on-failure
     environment:
       APIFW_MODE: "api"

demo/docker-compose/docker-compose-graphql-mode.yml

@@ -2,7 +2,7 @@ version: '3.8'
 services:
   api-firewall:
     container_name: api-firewall
-    image: wallarm/api-firewall:v0.8.7
+    image: wallarm/api-firewall:v0.8.8
     restart: on-failure
     environment:
       APIFW_MODE: "graphql"

demo/docker-compose/docker-compose.yml

@@ -2,7 +2,7 @@ version: "3.8"
 services:
   api-firewall:
     container_name: api-firewall
-    image: wallarm/api-firewall:v0.8.7
+    image: wallarm/api-firewall:v0.8.8
     restart: on-failure
     environment:
       APIFW_URL: "http://0.0.0.0:8080"

docs/release-notes.md

@@ -2,6 +2,17 @@
 
 This page describes new releases of Wallarm API Firewall.
 
+## v0.8.8 (2025-02-27)
+
+* Dependency upgrade
+* Fix schema update bug in API mode 
+* Update the Go version up to v1.23.6
+
+## v0.8.7 (2025-02-21)
+
+* Fix the high CPU load issue
+* Update the Go version up to v1.22.12
+
 ## v0.8.6 (2024-12-20)
 
 * Dependency upgrade

go.mod

@@ -1,33 +1,35 @@
 module github.com/wallarm/api-firewall
 
-go 1.22.12
+go 1.23.0
+
+toolchain go1.23.6
 
 require (
 	github.com/andybalholm/brotli v1.1.1
 	github.com/ardanlabs/conf v1.5.0
 	github.com/clbanning/mxj/v2 v2.7.0
-	github.com/corazawaf/coraza/v3 v3.2.1
+	github.com/corazawaf/coraza/v3 v3.3.2
 	github.com/dgraph-io/ristretto v0.2.0
-	github.com/fasthttp/websocket v1.5.11
+	github.com/fasthttp/websocket v1.5.12
 	github.com/foxcpp/go-mockdns v1.1.0
-	github.com/gabriel-vasile/mimetype v1.4.7
+	github.com/gabriel-vasile/mimetype v1.4.8
 	github.com/getkin/kin-openapi v0.124.0
 	github.com/go-playground/validator v9.31.0+incompatible
 	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/golang/mock v1.6.0
 	github.com/google/uuid v1.6.0
 	github.com/karlseguin/ccache/v2 v2.0.8
-	github.com/klauspost/compress v1.17.11
-	github.com/mattn/go-sqlite3 v1.14.23
+	github.com/klauspost/compress v1.18.0
+	github.com/mattn/go-sqlite3 v1.14.24
 	github.com/pkg/errors v0.9.1
 	github.com/savsgio/gotils v0.0.0-20240704082632-aef3928b8a38
 	github.com/sirupsen/logrus v1.9.3
 	github.com/stretchr/testify v1.10.0
-	github.com/valyala/fasthttp v1.58.0
+	github.com/valyala/fasthttp v1.59.0
 	github.com/valyala/fastjson v1.6.4
 	github.com/wundergraph/graphql-go-tools v1.67.4
-	golang.org/x/exp v0.0.0-20241217172543-b2144cdd0a67
-	golang.org/x/sync v0.10.0
+	golang.org/x/exp v0.0.0-20250218142911-aa4b98e5adaa
+	golang.org/x/sync v0.11.0
 	gopkg.in/yaml.v3 v3.0.1
 )
 
@@ -37,8 +39,8 @@ require (
 	github.com/Masterminds/sprig v2.22.0+incompatible // indirect
 	github.com/buger/jsonparser v1.1.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
-	github.com/corazawaf/libinjection-go v0.2.1 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/corazawaf/libinjection-go v0.2.2 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/eclipse/paho.mqtt.golang v1.2.0 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
@@ -55,9 +57,9 @@ require (
 	github.com/jensneuse/pipeline v0.0.0-20200117120358-9fb4de085cd6 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/leodido/go-urn v1.2.0 // indirect
-	github.com/magefile/mage v1.15.0 // indirect
-	github.com/mailru/easyjson v0.7.7 // indirect
-	github.com/miekg/dns v1.1.62 // indirect
+	github.com/magefile/mage v1.15.1-0.20241126214340-bdc92f694516 // indirect
+	github.com/mailru/easyjson v0.9.0 // indirect
+	github.com/miekg/dns v1.1.63 // indirect
 	github.com/mitchellh/copystructure v1.0.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.0 // indirect
 	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 // indirect
@@ -66,21 +68,23 @@ require (
 	github.com/nats-io/nuid v1.0.1 // indirect
 	github.com/perimeterx/marshmallow v1.1.5 // indirect
 	github.com/petar-dambovaliev/aho-corasick v0.0.0-20240411101913-e07a1f0e8eb4 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/r3labs/sse/v2 v2.8.1 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/r3labs/sse/v2 v2.10.0 // indirect
 	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 // indirect
-	github.com/tidwall/gjson v1.17.1 // indirect
+	github.com/tidwall/gjson v1.18.0 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
 	github.com/tidwall/sjson v1.2.5 // indirect
+	github.com/valllabh/ocsf-schema-golang v1.0.3 // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	golang.org/x/crypto v0.31.0 // indirect
-	golang.org/x/mod v0.22.0 // indirect
-	golang.org/x/net v0.33.0 // indirect
-	golang.org/x/sys v0.28.0 // indirect
-	golang.org/x/tools v0.28.0 // indirect
+	golang.org/x/crypto v0.35.0 // indirect
+	golang.org/x/mod v0.23.0 // indirect
+	golang.org/x/net v0.35.0 // indirect
+	golang.org/x/sys v0.30.0 // indirect
+	golang.org/x/tools v0.30.0 // indirect
+	google.golang.org/protobuf v1.34.2 // indirect
 	gopkg.in/cenkalti/backoff.v1 v1.1.0 // indirect
 	gopkg.in/go-playground/assert.v1 v1.2.1 // indirect
 	nhooyr.io/websocket v1.8.17 // indirect