Ejemplo n.º 1
0
    def test_ap_enable_false_policy_correct(
        self, kube_apis, crd_ingress_controller_with_ap, appprotect_setup, test_namespace
    ):
        """
        Test malicious script request is working normally while AppProtect is disabled in Ingress
        """
        create_ingress_with_ap_annotations(
            kube_apis, src_ing_yaml, test_namespace, ap_policy, "False", "True", "127.0.0.1:514"
        )
        ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml)

        print(
            "--------- Run test while AppProtect module is disabled with correct policy ---------"
        )

        ap_crd_info = read_ap_custom_resource(
            kube_apis.custom_objects, test_namespace, "appolicies", ap_policy
        )
        assert_ap_crd_info(ap_crd_info, ap_policy)
        ensure_response_from_backend(appprotect_setup.req_url, ingress_host, check404=True)

        print("----------------------- Send request ----------------------")
        response = requests.get(
            appprotect_setup.req_url + "/<script>", headers={"host": ingress_host}, verify=False
        )
        print(response.text)
        delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace)
        assert_valid_responses(response)
    def test_ap_enable_true_policy_correct_uds(self, request, kube_apis,
                                               crd_ingress_controller_with_ap,
                                               appprotect_setup,
                                               test_namespace):
        """
        Test request with UDS rule string is rejected while AppProtect with User Defined Signatures is enabled in Ingress
        """

        create_ap_usersig_from_yaml(kube_apis.custom_objects, uds_crd_resource,
                                    test_namespace)
        # Apply dataguard-alarm AP policy with UDS
        delete_and_create_ap_policy_from_yaml(
            kube_apis.custom_objects,
            ap_policy,
            f"{TEST_DATA}/appprotect/{ap_policy_uds}.yaml",
            test_namespace,
        )
        wait_before_test()

        create_ingress_with_ap_annotations(kube_apis, src_ing_yaml,
                                           test_namespace, ap_policy, "True",
                                           "True", "127.0.0.1:514")
        ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml)

        print(
            "--------- Run test while AppProtect module is enabled with correct policy and UDS ---------"
        )

        ap_crd_info = read_ap_custom_resource(kube_apis.custom_objects,
                                              test_namespace, "appolicies",
                                              ap_policy)

        wait_before_test(120)
        ensure_response_from_backend(appprotect_setup.req_url,
                                     ingress_host,
                                     check404=True)
        print("----------------------- Send request ----------------------")
        response = requests.get(appprotect_setup.req_url,
                                headers={"host": ingress_host},
                                verify=False,
                                data="kic")
        print(response.text)

        reload_ms = get_last_reload_time(appprotect_setup.metrics_url, "nginx")
        print(f"last reload duration: {reload_ms} ms")
        reload_times[
            f"{request.node.name}"] = f"last reload duration: {reload_ms} ms"

        # Restore default dataguard-alarm policy
        delete_and_create_ap_policy_from_yaml(
            kube_apis.custom_objects,
            ap_policy,
            f"{TEST_DATA}/appprotect/{ap_policy}.yaml",
            test_namespace,
        )
        delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace)

        assert_ap_crd_info(ap_crd_info, ap_policy)
        assert_invalid_responses(response)
    def test_ap_waf_policy_block(
        self,
        kube_apis,
        crd_ingress_controller_with_ap,
        v_s_route_setup,
        appprotect_setup,
        test_namespace,
        ap_enable,
    ):
        """
        Test if WAF policy is working with VSR deployments
        """
        req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"

        print(f"Create waf policy")
        create_ap_waf_policy_from_yaml(
            kube_apis.custom_objects,
            waf_pol_dataguard_src,
            v_s_route_setup.route_m.namespace,
            test_namespace,
            ap_enable,
            ap_enable,
            ap_pol_name,
            log_name,
            "syslog:server=127.0.0.1:514",
        )
        wait_before_test()
        print(f"Patch vsr with policy: {waf_subroute_vsr_src}")
        patch_v_s_route_from_yaml(
            kube_apis.custom_objects,
            v_s_route_setup.route_m.name,
            waf_subroute_vsr_src,
            v_s_route_setup.route_m.namespace,
        )
        wait_before_test()
        ap_crd_info = read_ap_custom_resource(kube_apis.custom_objects,
                                              test_namespace, "appolicies",
                                              ap_policy_uds)
        assert_ap_crd_info(ap_crd_info, ap_policy_uds)
        wait_before_test(120)
        response = requests.get(
            f"{req_url}{v_s_route_setup.route_m.paths[0]}+'</script>'",
            headers={"host": v_s_route_setup.vs_host},
        )
        print(response.text)
        delete_policy(kube_apis.custom_objects, "waf-policy",
                      v_s_route_setup.route_m.namespace)
        self.restore_default_vsr(kube_apis, v_s_route_setup)
        if ap_enable == True:
            assert_invalid_responses(response)
        elif ap_enable == False:
            assert_valid_responses(response)
        else:
            pytest.fail(f"Invalid arguments")
    def test_ap_waf_policy_logs(
        self,
        kube_apis,
        crd_ingress_controller_with_ap,
        virtual_server_setup,
        appprotect_setup,
        test_namespace,
    ):
        """
        Test waf policy logs
        """
        src_syslog_yaml = f"{TEST_DATA}/ap-waf/syslog.yaml"
        log_loc = f"/var/log/messages"
        create_items_from_yaml(kube_apis, src_syslog_yaml, test_namespace)
        syslog_dst = f"syslog-svc.{test_namespace}"
        syslog_pod = kube_apis.v1.list_namespaced_pod(test_namespace).items[-1].metadata.name
        print(f"Create waf policy")
        create_ap_waf_policy_from_yaml(
            kube_apis.custom_objects,
            waf_pol_dataguard_src,
            test_namespace,
            test_namespace,
            True,
            True,
            ap_pol_name,
            log_name,
            f"syslog:server={syslog_dst}:514",
        )
        wait_before_test()
        print(f"Patch vs with policy: {waf_spec_vs_src}")
        patch_virtual_server_from_yaml(
            kube_apis.custom_objects,
            virtual_server_setup.vs_name,
            waf_spec_vs_src,
            virtual_server_setup.namespace,
        )
        wait_before_test()
        ap_crd_info = read_ap_custom_resource(
            kube_apis.custom_objects, test_namespace, "appolicies", ap_policy_uds
        )
        assert_ap_crd_info(ap_crd_info, ap_policy_uds)
        wait_before_test(120)

        print(
            "----------------------- Send request with embedded malicious script----------------------"
        )
        response = requests.get(
            virtual_server_setup.backend_1_url + "</script>",
            headers={"host": virtual_server_setup.vs_host},
        )
        print(response.text)
        wait_before_test(5)
        log_contents = get_file_contents(kube_apis.v1, log_loc, syslog_pod, test_namespace)

        delete_policy(kube_apis.custom_objects, "waf-policy", test_namespace)
        self.restore_default_vs(kube_apis, virtual_server_setup)

        assert_invalid_responses(response)
        assert (
            f'ASM:attack_type="Non-browser Client,Abuse of Functionality,Cross Site Scripting (XSS)"'
            in log_contents
        )
        assert f'severity="Critical"' in log_contents
        assert f'request_status="blocked"' in log_contents
        assert f'outcome="REJECTED"' in log_contents
    def test_ap_waf_policy_allow(
        self,
        kube_apis,
        crd_ingress_controller_with_ap,
        virtual_server_setup,
        appprotect_setup,
        test_namespace,
        vs_src,
        waf,
    ):
        """
        Test waf policy when disabled
        """
        print(f"Create waf policy")
        create_ap_waf_policy_from_yaml(
            kube_apis.custom_objects,
            waf,
            test_namespace,
            test_namespace,
            False,
            False,
            ap_pol_name,
            log_name,
            "syslog:server=127.0.0.1:514",
        )
        wait_before_test()
        print(f"Patch vs with policy: {vs_src}")
        patch_virtual_server_from_yaml(
            kube_apis.custom_objects,
            virtual_server_setup.vs_name,
            vs_src,
            virtual_server_setup.namespace,
        )
        wait_before_test()
        ap_crd_info = read_ap_custom_resource(
            kube_apis.custom_objects, test_namespace, "appolicies", ap_policy_uds
        )
        assert_ap_crd_info(ap_crd_info, ap_policy_uds)
        wait_before_test(120)

        print(
            "----------------------- Send request with embedded malicious script----------------------"
        )
        response1 = requests.get(
            virtual_server_setup.backend_1_url + "</script>",
            headers={"host": virtual_server_setup.vs_host},
        )
        print(response1.text)

        print(
            "----------------------- Send request with blocked keyword in UDS----------------------"
        )
        response2 = requests.get(
            virtual_server_setup.backend_1_url,
            headers={"host": virtual_server_setup.vs_host},
            data="kic",
        )
        print(response2.text)

        delete_policy(kube_apis.custom_objects, "waf-policy", test_namespace)
        self.restore_default_vs(kube_apis, virtual_server_setup)
        assert_valid_responses(response1)
        assert_valid_responses(response2)
    def test_ap_waf_policy_multi_logs(
        self,
        kube_apis,
        crd_ingress_controller_with_ap,
        virtual_server_setup,
        appprotect_setup,
        test_namespace,
    ):
        """
        Test waf policy logs
        """
        src_syslog_yaml = f"{TEST_DATA}/ap-waf/syslog.yaml"
        src_syslog_yaml_additional = f"{TEST_DATA}/ap-waf/syslog-1.yaml"
        log_loc = f"/var/log/messages"
        src_log_yaml_escape = f"{TEST_DATA}/ap-waf/logconf-esc.yaml"
        log_esc_name = create_ap_logconf_from_yaml(kube_apis.custom_objects,
                                                   src_log_yaml_escape,
                                                   test_namespace)
        create_items_from_yaml(kube_apis, src_syslog_yaml, test_namespace)
        create_items_from_yaml(kube_apis, src_syslog_yaml_additional,
                               test_namespace)
        syslog_dst1 = f"syslog-svc.{test_namespace}"
        syslog_dst2 = f"syslog-svc-1.{test_namespace}"
        syslog_pod = kube_apis.v1.list_namespaced_pod(
            test_namespace, label_selector="app=syslog").items
        syslog_esc_pod = kube_apis.v1.list_namespaced_pod(
            test_namespace, label_selector="app=syslog-1").items
        print(f"Create waf policy")
        create_ap_multilog_waf_policy_from_yaml(
            kube_apis.custom_objects, waf_pol_dataguard_src, test_namespace,
            test_namespace, True, True, ap_pol_name, [log_name, log_esc_name],
            [
                f"syslog:server={syslog_dst1}:514",
                f"syslog:server={syslog_dst2}:514"
            ])
        wait_before_test()
        print(f"Patch vs with policy: {waf_spec_vs_src}")
        patch_virtual_server_from_yaml(
            kube_apis.custom_objects,
            virtual_server_setup.vs_name,
            waf_spec_vs_src,
            virtual_server_setup.namespace,
        )
        wait_before_test()
        ap_crd_info = read_ap_custom_resource(kube_apis.custom_objects,
                                              test_namespace, "appolicies",
                                              ap_policy_uds)
        assert_ap_crd_info(ap_crd_info, ap_policy_uds)
        wait_before_test(120)

        print(
            "----------------------- Send request with embedded malicious script----------------------"
        )
        response = requests.get(
            virtual_server_setup.backend_1_url + "</script>",
            headers={"host": virtual_server_setup.vs_host},
        )
        print(response.text)
        log_contents = ""
        retry = 0
        while "ASM:attack_type" not in log_contents and retry <= 30:
            log_contents = get_file_contents(kube_apis.v1, log_loc,
                                             syslog_pod[0].metadata.name,
                                             test_namespace)
            retry += 1
            wait_before_test(1)
            print(log_contents)
            print(f"Security log not updated, retrying... #{retry}")

        log_esc_contents = ""
        retry = 0
        while "attack_type" not in log_esc_contents and retry <= 30:
            log_esc_contents = get_file_contents(
                kube_apis.v1, log_loc, syslog_esc_pod[0].metadata.name,
                test_namespace)
            retry += 1
            wait_before_test(1)
            print(log_esc_contents)
            print(f"Security log not updated, retrying... #{retry}")

        delete_policy(kube_apis.custom_objects, "waf-policy", test_namespace)
        self.restore_default_vs(kube_apis, virtual_server_setup)

        assert_invalid_responses(response)

        assert f'ASM:attack_type="Non-browser Client,Abuse of Functionality,Cross Site Scripting (XSS)"' in log_contents
        assert f'severity="Critical"' in log_contents
        assert f'request_status="blocked"' in log_contents
        assert f'outcome="REJECTED"' in log_contents
        assert f'"my_attack_type": "[Non-browser Client' in log_esc_contents