def fin():
if is_secret_present(kube_apis.v1, secret_name, secret_namespace):
print("cleaning up secret!")
delete_secret(kube_apis.v1, secret_name, secret_namespace)
# restore the original secret created in ingress_controller_prerequisites fixture
create_secret_from_yaml(kube_apis.v1, secret_namespace,
secret_path)
def test_response_codes_after_secret_remove_and_restore(
self, kube_apis, auth_basic_secrets_setup, test_namespace,
auth_basic_secret):
req_url = f"http://{auth_basic_secrets_setup.public_endpoint.public_ip}:{auth_basic_secrets_setup.public_endpoint.port}/backend2"
delete_secret(kube_apis.v1, auth_basic_secret.secret_name,
test_namespace)
wait_before_test(1)
resp = requests.get(
req_url,
headers={
"host":
auth_basic_secrets_setup.ingress_host,
"authorization":
f"Basic {to_base64(auth_basic_secrets_setup.credentials)}"
})
assert resp.status_code == 403
auth_basic_secret.secret_name = create_secret_from_yaml(
kube_apis.v1, test_namespace,
f"{TEST_DATA}/auth-basic-secrets/auth-basic-secret.yaml")
wait_before_test(1)
resp = requests.get(
req_url,
headers={
"host":
auth_basic_secrets_setup.ingress_host,
"authorization":
f"Basic {to_base64(auth_basic_secrets_setup.credentials)}"
})
assert resp.status_code == 200
def test_jwt_policy_override_spec(
self,
kube_apis,
crd_ingress_controller,
virtual_server_setup,
test_namespace,
):
"""
Test if policy reference in route takes precedence over policy in spec
"""
secret, pol_name_1, pol_name_2, headers = self.setup_multiple_policies(
kube_apis,
test_namespace,
valid_token,
jwk_sec_valid_src,
jwt_pol_valid_src,
jwt_pol_multi_src,
virtual_server_setup.vs_host,
)
print(
f"Patch vs with invalid policy in route and valid policy in spec")
delete_and_create_vs_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
jwt_vs_override_spec_route_1,
virtual_server_setup.namespace,
)
wait_before_test()
resp1 = requests.get(virtual_server_setup.backend_1_url,
headers=headers)
print(resp1.status_code)
print(
f"Patch vs with valid policy in route and invalid policy in spec")
delete_and_create_vs_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
jwt_vs_override_spec_route_2,
virtual_server_setup.namespace,
)
wait_before_test()
resp2 = requests.get(virtual_server_setup.backend_1_url,
headers=headers)
print(resp2.status_code)
delete_policy(kube_apis.custom_objects, pol_name_1, test_namespace)
delete_policy(kube_apis.custom_objects, pol_name_2, test_namespace)
delete_secret(kube_apis.v1, secret, test_namespace)
delete_and_create_vs_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
std_vs_src,
virtual_server_setup.namespace,
)
assert resp1.status_code == 401 # 401 unauthorized, since no token is attached to policy
assert resp2.status_code == 200
def fin():
print("Clean up the Smoke Application:")
delete_common_app(kube_apis, "simple", test_namespace)
delete_items_from_yaml(
kube_apis, f"{TEST_DATA}/smoke/{request.param}/smoke-ingress.yaml",
test_namespace)
delete_secret(kube_apis.v1, secret_name, test_namespace)
def teardown_policy(kube_apis, test_namespace, tls_secret, pol_name,
mtls_secret):
print("Delete policy and related secrets")
delete_secret(kube_apis.v1, tls_secret, test_namespace)
delete_policy(kube_apis.custom_objects, pol_name, test_namespace)
delete_secret(kube_apis.v1, mtls_secret, test_namespace)
def fin():
print("Clean up simple app")
delete_common_app(kube_apis, "simple", test_namespace)
delete_items_from_yaml(
kube_apis, f"{TEST_DATA}/smoke/standard/smoke-ingress.yaml",
test_namespace)
delete_secret(kube_apis.v1, secret_name, test_namespace)
def test_jwt_policy_override(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
v_s_route_setup,
test_namespace,
):
"""
Test if first reference to a policy in the same context(subroute) takes precedence,
i.e. in this case, policy without $httptoken over policy with $httptoken.
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
secret, pol_name_1, pol_name_2, headers = self.setup_multiple_policies(
kube_apis,
v_s_route_setup.route_m.namespace,
valid_token,
jwk_sec_valid_src,
jwt_pol_valid_src,
jwt_pol_multi_src,
v_s_route_setup.vs_host,
)
print(f"Patch vsr with policies: {jwt_pol_valid_src}")
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
jwt_vsr_override_src,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers=headers,
)
print(resp.status_code)
crd_info = read_crd(
kube_apis.custom_objects,
v_s_route_setup.route_m.namespace,
"virtualserverroutes",
v_s_route_setup.route_m.name,
)
delete_policy(kube_apis.custom_objects, pol_name_1,
v_s_route_setup.route_m.namespace)
delete_policy(kube_apis.custom_objects, pol_name_2,
v_s_route_setup.route_m.namespace)
delete_secret(kube_apis.v1, secret, v_s_route_setup.route_m.namespace)
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
std_vsr_src,
v_s_route_setup.route_m.namespace,
)
assert resp.status_code == 401
assert f"Authorization Required" in resp.text
assert (f"Multiple jwt policies in the same context is not valid."
in crd_info["status"]["message"])
def test_jwt_auth_response_codes_and_location(self, kube_apis, jwt_auth_setup, test_namespace):
print("Step 1: execute check after secrets creation")
execute_checks(jwt_auth_setup, step_1_expected_results)
print("Step 2: replace master secret")
replace_secret(kube_apis.v1, jwt_auth_setup.master_secret_name, test_namespace,
f"{TEST_DATA}/jwt-auth-mergeable/jwt-master-secret-updated.yaml")
wait_before_test(1)
execute_checks(jwt_auth_setup, step_2_expected_results)
print("Step 3: now replace minion secret as well")
replace_secret(kube_apis.v1, jwt_auth_setup.minion_secret_name, test_namespace,
f"{TEST_DATA}/jwt-auth-mergeable/jwt-minion-secret-updated.yaml")
wait_before_test(1)
execute_checks(jwt_auth_setup, step_3_expected_results)
print("Step 4: now remove minion secret")
delete_secret(kube_apis.v1, jwt_auth_setup.minion_secret_name, test_namespace)
wait_before_test(1)
execute_checks(jwt_auth_setup, step_4_expected_results)
print("Step 5: finally remove master secret as well")
delete_secret(kube_apis.v1, jwt_auth_setup.master_secret_name, test_namespace)
wait_before_test(1)
execute_checks(jwt_auth_setup, step_5_expected_results)
def test_jwt_auth_response_codes_and_location(self, kube_apis,
jwt_auth_setup,
test_namespace):
print("Step 1: execute check after secrets creation")
execute_checks(jwt_auth_setup, step_1_expected_results)
print("Step 2: replace master secret")
replace_secret(
kube_apis.v1, jwt_auth_setup.master_secret_name, test_namespace,
f"{TEST_DATA}/jwt-auth-mergeable/jwt-master-secret-updated.yaml")
wait_before_test(1)
execute_checks(jwt_auth_setup, step_2_expected_results)
print("Step 3: now replace minion secret as well")
replace_secret(
kube_apis.v1, jwt_auth_setup.minion_secret_name, test_namespace,
f"{TEST_DATA}/jwt-auth-mergeable/jwt-minion-secret-updated.yaml")
wait_before_test(1)
execute_checks(jwt_auth_setup, step_3_expected_results)
print("Step 4: now remove minion secret")
delete_secret(kube_apis.v1, jwt_auth_setup.minion_secret_name,
test_namespace)
wait_before_test(1)
execute_checks(jwt_auth_setup, step_4_expected_results)
print("Step 5: finally remove master secret as well")
delete_secret(kube_apis.v1, jwt_auth_setup.master_secret_name,
test_namespace)
wait_before_test(1)
execute_checks(jwt_auth_setup, step_5_expected_results)
def test_jwt_policy_delete_policy(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
v_s_route_setup,
test_namespace,
):
"""
Test if requests result in 500 when policy is deleted
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
secret, pol_name, headers = self.setup_single_policy(
kube_apis,
v_s_route_setup.route_m.namespace,
valid_token,
jwk_sec_valid_src,
jwt_pol_valid_src,
v_s_route_setup.vs_host,
)
print(f"Patch vsr with policy: {jwt_pol_valid_src}")
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
jwt_vsr_valid_src,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
resp1 = requests.get(f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers=headers,)
print(resp1.status_code)
delete_policy(kube_apis.custom_objects, pol_name, v_s_route_setup.route_m.namespace)
resp2 = requests.get(f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers=headers,)
print(resp2.status_code)
crd_info = read_crd(
kube_apis.custom_objects,
v_s_route_setup.route_m.namespace,
"virtualserverroutes",
v_s_route_setup.route_m.name,
)
delete_secret(kube_apis.v1, secret, v_s_route_setup.route_m.namespace)
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
std_vsr_src,
v_s_route_setup.route_m.namespace,
)
assert resp1.status_code == 200
assert f"Request ID:" in resp1.text
assert crd_info["status"]["state"] == "Warning"
assert (
f"{v_s_route_setup.route_m.namespace}/{pol_name} is missing"
in crd_info["status"]["message"]
)
assert resp2.status_code == 500
assert f"Internal Server Error" in resp2.text
def test_jwt_policy_token(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
v_s_route_setup,
test_namespace,
token,
):
"""
Test jwt-policy with no token, valid token and invalid token
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
secret, pol_name, headers = self.setup_single_policy(
kube_apis,
v_s_route_setup.route_m.namespace,
token,
jwk_sec_valid_src,
jwt_pol_valid_src,
v_s_route_setup.vs_host,
)
print(f"Patch vsr with policy: {jwt_vsr_valid_src}")
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
jwt_vsr_valid_src,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
resp1 = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={"host": v_s_route_setup.vs_host},
)
print(resp1.status_code)
resp2 = requests.get(f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers=headers)
print(resp2.status_code)
delete_policy(kube_apis.custom_objects, pol_name, v_s_route_setup.route_m.namespace)
delete_secret(kube_apis.v1, secret, v_s_route_setup.route_m.namespace)
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
std_vsr_src,
v_s_route_setup.route_m.namespace,
)
assert resp1.status_code == 401
assert f"401 Authorization Required" in resp1.text
if token == valid_token:
assert resp2.status_code == 200
assert f"Request ID:" in resp2.text
else:
assert resp2.status_code == 401
assert f"Authorization Required" in resp2.text
def test_jwt_policy_secret(
self,
kube_apis,
crd_ingress_controller,
virtual_server_setup,
test_namespace,
jwk_secret,
):
"""
Test jwt-policy with a valid and an invalid secret
"""
secret, pol_name, headers = self.setup_single_policy(
kube_apis,
test_namespace,
valid_token,
jwk_secret,
jwt_pol_valid_src,
virtual_server_setup.vs_host,
)
print(f"Patch vs with policy: {jwt_vs_single_src}")
delete_and_create_vs_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
jwt_vs_single_src,
virtual_server_setup.namespace,
)
wait_before_test()
resp = requests.get(virtual_server_setup.backend_1_url,
headers=headers)
print(resp.status_code)
crd_info = read_crd(
kube_apis.custom_objects,
virtual_server_setup.namespace,
"virtualservers",
virtual_server_setup.vs_name,
)
delete_policy(kube_apis.custom_objects, pol_name, test_namespace)
delete_secret(kube_apis.v1, secret, test_namespace)
delete_and_create_vs_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
std_vs_src,
virtual_server_setup.namespace,
)
if jwk_secret == jwk_sec_valid_src:
assert resp.status_code == 200
assert f"Request ID:" in resp.text
assert crd_info["status"]["state"] == "Valid"
elif jwk_secret == jwk_sec_invalid_src:
assert resp.status_code == 500
assert f"Internal Server Error" in resp.text
assert crd_info["status"]["state"] == "Warning"
else:
pytest.fail(f"Not a valid case or parameter")
def test_jwt_policy_token(
self,
kube_apis,
crd_ingress_controller,
virtual_server_setup,
test_namespace,
token,
):
"""
Test jwt-policy with no token, valid token and invalid token
"""
secret, pol_name, headers = self.setup_single_policy(
kube_apis,
test_namespace,
token,
jwk_sec_valid_src,
jwt_pol_valid_src,
virtual_server_setup.vs_host,
)
print(f"Patch vs with policy: {jwt_vs_single_src}")
delete_and_create_vs_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
jwt_vs_single_src,
virtual_server_setup.namespace,
)
wait_before_test()
resp1 = requests.get(
virtual_server_setup.backend_1_url,
headers={"host": virtual_server_setup.vs_host},
)
print(resp1.status_code)
resp2 = requests.get(virtual_server_setup.backend_1_url,
headers=headers)
print(resp2.status_code)
delete_policy(kube_apis.custom_objects, pol_name, test_namespace)
delete_secret(kube_apis.v1, secret, test_namespace)
delete_and_create_vs_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
std_vs_src,
virtual_server_setup.namespace,
)
assert resp1.status_code == 401
assert f"401 Authorization Required" in resp1.text
if token == valid_token:
assert resp2.status_code == 200
assert f"Request ID:" in resp2.text
else:
assert resp2.status_code == 401
assert f"Authorization Required" in resp2.text
def test_jwt_policy_override_vs_vsr(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
v_s_route_setup,
test_namespace,
vs_src,
):
"""
Test if policy specified in vsr:subroute (policy without $httptoken) takes preference over policy specified in:
1. vs:spec (policy with $httptoken)
2. vs:route (policy with $httptoken)
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
secret, pol_name_1, pol_name_2, headers = self.setup_multiple_policies(
kube_apis,
v_s_route_setup.route_m.namespace,
valid_token,
jwk_sec_valid_src,
jwt_pol_valid_src,
jwt_pol_multi_src,
v_s_route_setup.vs_host,
)
print(f"Patch vsr with policies: {jwt_pol_valid_src}")
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
jwt_vsr_valid_multi_src,
v_s_route_setup.route_m.namespace,
)
patch_virtual_server_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.vs_name,
vs_src,
v_s_route_setup.namespace,
)
wait_before_test()
resp = requests.get(f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers=headers,)
print(resp.status_code)
delete_policy(kube_apis.custom_objects, pol_name_1, v_s_route_setup.route_m.namespace)
delete_policy(kube_apis.custom_objects, pol_name_2, v_s_route_setup.route_m.namespace)
delete_secret(kube_apis.v1, secret, v_s_route_setup.route_m.namespace)
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
std_vsr_src,
v_s_route_setup.route_m.namespace,
)
patch_virtual_server_from_yaml(
kube_apis.custom_objects, v_s_route_setup.vs_name, std_vs_src, v_s_route_setup.namespace
)
assert resp.status_code == 401
assert f"Authorization Required" in resp.text
def fin():
print("Clean up the Smoke Application:")
delete_common_app(kube_apis, "simple", test_namespace)
delete_items_from_yaml(
kube_apis, f"{TEST_DATA}/smoke/{request.param}/smoke-ingress.yaml",
test_namespace)
delete_secret(kube_apis.v1, secret_name, test_namespace)
write_to_json(f"reload-{get_test_file_name(request.node.fspath)}.json",
reload_times)
def test_auth_basic_policy_secret(
self, kube_apis, crd_ingress_controller, virtual_server_setup, test_namespace, htpasswd_secret,
):
"""
Test auth-basic-policy with a valid and an invalid secret
"""
if htpasswd_secret == htpasswd_sec_valid_src:
pol = auth_basic_pol_valid_src
vs = auth_basic_vs_single_src
elif htpasswd_secret == htpasswd_sec_invalid_src:
pol = auth_basic_pol_invalid_sec_src
vs = auth_basic_vs_single_invalid_sec_src
else:
pytest.fail("Invalid configuration")
secret, pol_name, headers = self.setup_single_policy(
kube_apis, test_namespace, valid_credentials, htpasswd_secret, pol, virtual_server_setup.vs_host,
)
print(f"Patch vs with policy: {pol}")
delete_and_create_vs_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
vs,
virtual_server_setup.namespace,
)
wait_before_test()
resp = requests.get(virtual_server_setup.backend_1_url, headers=headers)
print(resp.status_code)
crd_info = read_custom_resource(
kube_apis.custom_objects,
virtual_server_setup.namespace,
"virtualservers",
virtual_server_setup.vs_name,
)
delete_policy(kube_apis.custom_objects, pol_name, test_namespace)
delete_secret(kube_apis.v1, secret, test_namespace)
delete_and_create_vs_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
std_vs_src,
virtual_server_setup.namespace,
)
if htpasswd_secret == htpasswd_sec_valid_src:
assert resp.status_code == 200
assert f"Request ID:" in resp.text
assert crd_info["status"]["state"] == "Valid"
elif htpasswd_secret == htpasswd_sec_invalid_src:
assert resp.status_code == 500
assert f"Internal Server Error" in resp.text
assert crd_info["status"]["state"] == "Warning"
else:
pytest.fail(f"Not a valid case or parameter")
def test_response_codes_after_secret_remove_and_restore(self, kube_apis, jwt_secrets_setup, test_namespace, jwt_secret):
req_url = f"http://{jwt_secrets_setup.public_endpoint.public_ip}:{jwt_secrets_setup.public_endpoint.port}/backend2"
delete_secret(kube_apis.v1, jwt_secret.secret_name, test_namespace)
wait_before_test(1)
resp = requests.get(req_url, headers={"host": jwt_secrets_setup.ingress_host}, cookies={"auth_token": jwt_secrets_setup.jwt_token})
assert resp.status_code == 500
jwt_secret.secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace, f"{TEST_DATA}/jwt-secrets/jwt-secret.yaml")
wait_before_test(1)
resp = requests.get(req_url, headers={"host": jwt_secrets_setup.ingress_host}, cookies={"auth_token": jwt_secrets_setup.jwt_token})
assert resp.status_code == 200
def test_response_codes_after_secret_remove_and_restore(self, kube_apis, jwt_secrets_setup, test_namespace, jwt_secret):
req_url = f"http://{jwt_secrets_setup.public_endpoint.public_ip}:{jwt_secrets_setup.public_endpoint.port}/backend2"
delete_secret(kube_apis.v1, jwt_secret.secret_name, test_namespace)
wait_before_test(1)
resp = requests.get(req_url, headers={"host": jwt_secrets_setup.ingress_host}, cookies={"auth_token": jwt_secrets_setup.jwt_token})
assert resp.status_code == 500
jwt_secret.secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace, f"{TEST_DATA}/jwt-secrets/jwt-secret.yaml")
wait_before_test(1)
resp = requests.get(req_url, headers={"host": jwt_secrets_setup.ingress_host}, cookies={"auth_token": jwt_secrets_setup.jwt_token})
assert resp.status_code == 200
def test_auth_basic_policy_credentials(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
v_s_route_setup,
test_namespace,
credentials,
):
"""
Test auth-basic-policy with no credentials, valid credentials and invalid credentials
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
secret, pol_name, headers = self.setup_single_policy(
kube_apis,
v_s_route_setup.route_m.namespace,
credentials,
htpasswd_sec_valid_src,
auth_basic_pol_valid_src,
v_s_route_setup.vs_host,
)
print(f"Patch vsr with policy: {auth_basic_vsr_valid_src}")
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
auth_basic_vsr_valid_src,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
resp = requests.get(f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers=headers)
print(resp.status_code)
delete_policy(kube_apis.custom_objects, pol_name,
v_s_route_setup.route_m.namespace)
delete_secret(kube_apis.v1, secret, v_s_route_setup.route_m.namespace)
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
std_vsr_src,
v_s_route_setup.route_m.namespace,
)
if credentials == valid_credentials:
assert resp.status_code == 200
assert f"Request ID:" in resp.text
else:
assert resp.status_code == 401
assert f"Authorization Required" in resp.text
def fin():
print("Delete Master Secret:")
if is_secret_present(kube_apis.v1, master_secret_name, test_namespace):
delete_secret(kube_apis.v1, master_secret_name, test_namespace)
print("Delete Minion Secret:")
if is_secret_present(kube_apis.v1, minion_secret_name, test_namespace):
delete_secret(kube_apis.v1, minion_secret_name, test_namespace)
print("Clean up the JWT Auth Mergeable Minions Application:")
delete_common_app(kube_apis, "simple", test_namespace)
delete_items_from_yaml(kube_apis, f"{TEST_DATA}/jwt-auth-mergeable/mergeable/jwt-auth-ingress.yaml",
test_namespace)
def fin():
print("Delete Master Secret:")
if is_secret_present(kube_apis.v1, master_secret_name, test_namespace):
delete_secret(kube_apis.v1, master_secret_name, test_namespace)
print("Delete Minion Secret:")
if is_secret_present(kube_apis.v1, minion_secret_name, test_namespace):
delete_secret(kube_apis.v1, minion_secret_name, test_namespace)
print("Clean up the JWT Auth Mergeable Minions Application:")
delete_common_app(kube_apis.v1, kube_apis.extensions_v1_beta1, common_app, test_namespace)
delete_items_from_yaml(kube_apis.extensions_v1_beta1, f"{TEST_DATA}/jwt-auth-mergeable/mergeable/jwt-auth-ingress.yaml",
test_namespace)
def test_response_and_subject_remains_after_secret_delete(self, kube_apis, ingress_controller_prerequisites, wildcard_tls_secret_ingress_controller,
wildcard_tls_secret_setup):
delete_secret(kube_apis.v1, wildcard_tls_secret_ingress_controller.secret_name,
ingress_controller_prerequisites.namespace)
wait_before_test(1)
req_url = f"https://{wildcard_tls_secret_setup.public_endpoint.public_ip}:{wildcard_tls_secret_setup.public_endpoint.port_ssl}/backend1"
resp = requests.get(req_url, headers={"host": wildcard_tls_secret_setup.ingress_host}, verify=False)
assert resp.status_code == 200
subject_dict = get_server_certificate_subject(wildcard_tls_secret_setup.public_endpoint.public_ip,
wildcard_tls_secret_setup.ingress_host,
wildcard_tls_secret_setup.public_endpoint.port_ssl)
assert subject_dict[b'C'] == b'GB'
assert subject_dict[b'ST'] == b'Cambridgeshire'
assert subject_dict[b'CN'] == b'cafe.example.com'
def test_response_and_subject_remains_after_secret_delete(self, kube_apis, ingress_controller_prerequisites, wildcard_tls_secret_ingress_controller,
wildcard_tls_secret_setup):
delete_secret(kube_apis.v1, wildcard_tls_secret_ingress_controller.secret_name,
ingress_controller_prerequisites.namespace)
wait_before_test(1)
req_url = f"https://{wildcard_tls_secret_setup.public_endpoint.public_ip}:{wildcard_tls_secret_setup.public_endpoint.port_ssl}/backend1"
resp = requests.get(req_url, headers={"host": wildcard_tls_secret_setup.ingress_host}, verify=False)
assert resp.status_code == 200
subject_dict = get_server_certificate_subject(wildcard_tls_secret_setup.public_endpoint.public_ip,
wildcard_tls_secret_setup.ingress_host,
wildcard_tls_secret_setup.public_endpoint.port_ssl)
assert subject_dict[b'C'] == b'GB'
assert subject_dict[b'ST'] == b'Cambridgeshire'
assert subject_dict[b'CN'] == b'cafe.example.com'
def test_jwt_policy_delete_policy(
self,
kube_apis,
crd_ingress_controller,
virtual_server_setup,
test_namespace,
):
"""
Test if requests result in 500 when policy is deleted
"""
secret, pol_name, headers = self.setup_single_policy(
kube_apis,
test_namespace,
valid_token,
jwk_sec_valid_src,
jwt_pol_valid_src,
virtual_server_setup.vs_host,
)
print(f"Patch vs with policy: {jwt_pol_valid_src}")
delete_and_create_vs_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
jwt_vs_single_src,
virtual_server_setup.namespace,
)
wait_before_test()
resp1 = requests.get(virtual_server_setup.backend_1_url,
headers=headers)
print(resp1.status_code)
delete_policy(kube_apis.custom_objects, pol_name, test_namespace)
resp2 = requests.get(virtual_server_setup.backend_1_url,
headers=headers)
print(resp2.status_code)
delete_secret(kube_apis.v1, secret, test_namespace)
delete_and_create_vs_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
std_vs_src,
virtual_server_setup.namespace,
)
assert resp1.status_code == 200
assert resp2.status_code == 500
def test_certificate_subject_updates_after_secret_update(
self, kube_apis, ingress_controller_prerequisites,
wildcard_tls_secret_ingress_controller, wildcard_tls_secret_setup):
delete_secret(kube_apis.v1,
wildcard_tls_secret_ingress_controller.secret_name,
ingress_controller_prerequisites.namespace)
create_secret_from_yaml(
kube_apis.v1, ingress_controller_prerequisites.namespace,
f"{TEST_DATA}/wildcard-tls-secret/gb-wildcard-tls-secret.yaml")
wait_before_test(1)
subject_dict = get_server_certificate_subject(
wildcard_tls_secret_setup.public_endpoint.public_ip,
wildcard_tls_secret_setup.ingress_host,
wildcard_tls_secret_setup.public_endpoint.port_ssl)
assert subject_dict[b'C'] == b'GB'
assert subject_dict[b'ST'] == b'Cambridgeshire'
assert subject_dict[b'CN'] == b'cafe.example.com'
def test_tls_termination(self, kube_apis, crd_ingress_controller,
virtual_server_setup, clean_up):
print("\nStep 1: no secret")
assert_ssl_error(virtual_server_setup)
print("\nStep 2: deploy secret and check")
secret_name = create_secret_from_yaml(
kube_apis.v1, virtual_server_setup.namespace,
f"{TEST_DATA}/virtual-server-tls/tls-secret.yaml")
wait_before_test(1)
assert_us_subject(virtual_server_setup)
print("\nStep 3: remove secret and check")
delete_secret(kube_apis.v1, secret_name,
virtual_server_setup.namespace)
wait_before_test(1)
assert_ssl_error(virtual_server_setup)
print("\nStep 4: restore secret and check")
create_secret_from_yaml(
kube_apis.v1, virtual_server_setup.namespace,
f"{TEST_DATA}/virtual-server-tls/tls-secret.yaml")
wait_before_test(1)
assert_us_subject(virtual_server_setup)
print("\nStep 5: deploy invalid secret and check")
replace_secret(
kube_apis.v1, secret_name, virtual_server_setup.namespace,
f"{TEST_DATA}/virtual-server-tls/invalid-tls-secret.yaml")
wait_before_test(1)
assert_ssl_error(virtual_server_setup)
print("\nStep 6: restore secret and check")
replace_secret(kube_apis.v1, secret_name,
virtual_server_setup.namespace,
f"{TEST_DATA}/virtual-server-tls/tls-secret.yaml")
wait_before_test(1)
assert_us_subject(virtual_server_setup)
print("\nStep 7: update secret and check")
replace_secret(kube_apis.v1, secret_name,
virtual_server_setup.namespace,
f"{TEST_DATA}/virtual-server-tls/new-tls-secret.yaml")
wait_before_test(1)
assert_gb_subject(virtual_server_setup)
def test_certificate_subject_remains_with_invalid_secret(
self, kube_apis, ingress_controller_prerequisites,
wildcard_tls_secret_ingress_controller, wildcard_tls_secret_setup):
delete_secret(kube_apis.v1,
wildcard_tls_secret_ingress_controller.secret_name,
ingress_controller_prerequisites.namespace)
create_secret_from_yaml(
kube_apis.v1, ingress_controller_prerequisites.namespace,
f"{TEST_DATA}/wildcard-tls-secret/invalid-wildcard-tls-secret.yaml"
)
wait_before_test(1)
subject_dict = get_server_certificate_subject(
wildcard_tls_secret_setup.public_endpoint.public_ip,
wildcard_tls_secret_setup.ingress_host,
wildcard_tls_secret_setup.public_endpoint.port_ssl)
assert subject_dict[b'C'] == b'ES'
assert subject_dict[b'ST'] == b'CanaryIslands'
assert subject_dict[b'CN'] == b'example.com'
def test_auth_basic_policy_credentials(
self, kube_apis, crd_ingress_controller, virtual_server_setup, test_namespace, credentials,
):
"""
Test auth-basic-policy with no credentials, valid credentials and invalid credentials
"""
secret, pol_name, headers = self.setup_single_policy(
kube_apis,
test_namespace,
credentials,
htpasswd_sec_valid_src,
auth_basic_pol_valid_src,
virtual_server_setup.vs_host,
)
print(f"Patch vs with policy: {auth_basic_vs_single_src}")
delete_and_create_vs_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
auth_basic_vs_single_src,
virtual_server_setup.namespace,
)
wait_before_test()
resp = requests.get(virtual_server_setup.backend_1_url, headers=headers)
print(resp.status_code)
delete_policy(kube_apis.custom_objects, pol_name, test_namespace)
delete_secret(kube_apis.v1, secret, test_namespace)
delete_and_create_vs_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
std_vs_src,
virtual_server_setup.namespace,
)
if credentials in valid_credentials_list:
assert resp.status_code == 200
assert f"Request ID:" in resp.text
else:
assert resp.status_code == 401
assert f"Authorization Required" in resp.text
def test_with_default_tls_secret(self, kube_apis,
ingress_controller_endpoint, secret_setup,
default_server_setup):
print("Step 1: ensure CN of the default server TLS cert")
assert_cn(ingress_controller_endpoint, "NGINXIngressController")
print(
"Step 2: ensure CN of the default server TLS cert after removing the secret"
)
delete_secret(kube_apis.v1, secret_name, secret_namespace)
wait_before_test(1)
# Ingress Controller retains the previous valid secret
assert_cn(ingress_controller_endpoint, "NGINXIngressController")
print(
"Step 3: ensure CN of the default TLS cert after creating an updated secret"
)
create_secret_from_yaml(kube_apis.v1, secret_namespace,
new_secret_path)
wait_before_test(1)
assert_cn(ingress_controller_endpoint, "cafe.example.com")
print(
"Step 4: ensure CN of the default TLS cert after making the secret invalid"
)
replace_secret(kube_apis.v1, secret_name, secret_namespace,
invalid_secret_path)
wait_before_test(1)
# Ingress Controller retains the previous valid secret
assert_cn(ingress_controller_endpoint, "cafe.example.com")
print(
"Step 5: ensure CN of the default TLS cert after restoring the secret"
)
replace_secret(kube_apis.v1, secret_name, secret_namespace,
secret_path)
wait_before_test(1)
assert_cn(ingress_controller_endpoint, "NGINXIngressController")
def test_tls_termination(self, kube_apis, ingress_controller_endpoint,
test_namespace, tls_setup):
print("Step 1: no secret")
assert_unrecognized_name_error(ingress_controller_endpoint,
tls_setup.ingress_host)
print("Step 2: deploy secret and check")
create_secret_from_yaml(kube_apis.v1, test_namespace,
tls_setup.secret_path)
wait_before_test(1)
assert_us_subject(ingress_controller_endpoint, tls_setup.ingress_host)
print("Step 3: remove secret and check")
delete_secret(kube_apis.v1, tls_setup.secret_name, test_namespace)
wait_before_test(1)
assert_unrecognized_name_error(ingress_controller_endpoint,
tls_setup.ingress_host)
print("Step 4: restore secret and check")
create_secret_from_yaml(kube_apis.v1, test_namespace,
tls_setup.secret_path)
wait_before_test(1)
assert_us_subject(ingress_controller_endpoint, tls_setup.ingress_host)
print("Step 5: deploy invalid secret and check")
delete_secret(kube_apis.v1, tls_setup.secret_name, test_namespace)
create_secret_from_yaml(kube_apis.v1, test_namespace,
tls_setup.invalid_secret_path)
wait_before_test(1)
assert_unrecognized_name_error(ingress_controller_endpoint,
tls_setup.ingress_host)
print("Step 6: restore secret and check")
delete_secret(kube_apis.v1, tls_setup.secret_name, test_namespace)
create_secret_from_yaml(kube_apis.v1, test_namespace,
tls_setup.secret_path)
wait_before_test(1)
assert_us_subject(ingress_controller_endpoint, tls_setup.ingress_host)
print("Step 7: update secret and check")
replace_secret(kube_apis.v1, tls_setup.secret_name, test_namespace,
tls_setup.new_secret_path)
wait_before_test(1)
assert_gb_subject(ingress_controller_endpoint, tls_setup.ingress_host)
def fin():
print("Remove IC and wildcard secret:")
delete_ingress_controller(kube_apis.apps_v1_api, name,
cli_arguments['deployment-type'], namespace)
if is_secret_present(kube_apis.v1, secret_name, namespace):
delete_secret(kube_apis.v1, secret_name, namespace)
def fin():
print("Delete Secret:")
if is_secret_present(kube_apis.v1, secret_name, test_namespace):
delete_secret(kube_apis.v1, secret_name, test_namespace)
def test_jwt_policy(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
v_s_route_setup,
test_namespace,
policy,
):
"""
Test jwt-policy with a valid and an invalid policy
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
if policy == jwt_pol_valid_src:
vsr = jwt_vsr_valid_src
elif policy == jwt_pol_invalid_src:
vsr = jwt_vsr_invalid_src
else:
pytest.fail(f"Not a valid case or parameter")
secret, pol_name, headers = self.setup_single_policy(
kube_apis,
v_s_route_setup.route_m.namespace,
valid_token,
jwk_sec_valid_src,
policy,
v_s_route_setup.vs_host,
)
print(f"Patch vsr with policy: {policy}")
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
vsr,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers=headers,
)
print(resp.status_code)
crd_info = read_crd(
kube_apis.custom_objects,
v_s_route_setup.route_m.namespace,
"virtualserverroutes",
v_s_route_setup.route_m.name,
)
delete_policy(kube_apis.custom_objects, pol_name,
v_s_route_setup.route_m.namespace)
delete_secret(kube_apis.v1, secret, v_s_route_setup.route_m.namespace)
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
std_vsr_src,
v_s_route_setup.route_m.namespace,
)
if policy == jwt_pol_valid_src:
assert resp.status_code == 200
assert f"Request ID:" in resp.text
assert crd_info["status"]["state"] == "Valid"
elif policy == jwt_pol_invalid_src:
assert resp.status_code == 500
assert f"Internal Server Error" in resp.text
assert crd_info["status"]["state"] == "Warning"
else:
pytest.fail(f"Not a valid case or parameter")
def fin():
print("Delete Secret:")
if is_secret_present(kube_apis.v1, secret_name, test_namespace):
delete_secret(kube_apis.v1, secret_name, test_namespace)
def fin():
print("Remove IC and wildcard secret:")
delete_ingress_controller(kube_apis.extensions_v1_beta1, name, cli_arguments['deployment-type'], namespace)
if is_secret_present(kube_apis.v1, secret_name, namespace):
delete_secret(kube_apis.v1, secret_name, namespace)
def fin():
delete_secret(kube_apis.v1, prometheus_secret_name, "nginx-ingress")
def fin():
print("Clean up the Smoke Application:")
delete_common_app(kube_apis.v1, kube_apis.extensions_v1_beta1, common_app, test_namespace)
delete_items_from_yaml(kube_apis.extensions_v1_beta1, f"{TEST_DATA}/smoke/{request.param}/smoke-ingress.yaml",
test_namespace)
delete_secret(kube_apis.v1, secret_name, test_namespace)
