def test_policy_matching_ingress_class( self, kube_apis, crd_ingress_controller, virtual_server_setup, test_namespace, src, ): """ Test if policy with matching ingress class is applied to vs """ print(f"Create rl policy") pol_name = create_policy_from_yaml(kube_apis.custom_objects, policy_ingress_class_src, test_namespace) wait_before_test() policy_info = read_custom_resource(kube_apis.custom_objects, test_namespace, "policies", pol_name) assert ( policy_info["status"] and policy_info["status"]["reason"] == "AddedOrUpdated" and policy_info["status"]["state"] == "Valid" ) print(f"Patch vs with policy: {src}") patch_virtual_server_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, src, virtual_server_setup.namespace, ) wait_before_test() vs_info = read_custom_resource(kube_apis.custom_objects, virtual_server_setup.namespace, "virtualservers", virtual_server_setup.vs_name) assert ( vs_info["status"] and vs_info["status"]["reason"] == "AddedOrUpdated" and vs_info["status"]["state"] == "Valid" ) delete_policy(kube_apis.custom_objects, pol_name, test_namespace) self.restore_default_vs(kube_apis, virtual_server_setup)
def test_policy_non_matching_ingress_class( self, kube_apis, crd_ingress_controller, virtual_server_setup, test_namespace, src, ): """ Test if non matching policy gets caught by vc validation """ print(f"Create rl policy") pol_name = create_policy_from_yaml(kube_apis.custom_objects, policy_other_ingress_class_src, test_namespace) wait_before_test() policy_info = read_custom_resource(kube_apis.custom_objects, test_namespace, "policies", pol_name) assert "status" not in policy_info, "the policy is not managed by the IC, therefore the status is not updated" print(f"Patch vs with policy: {src}") patch_virtual_server_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, src, virtual_server_setup.namespace, ) wait_before_test() vs_info = read_custom_resource(kube_apis.custom_objects, virtual_server_setup.namespace, "virtualservers", virtual_server_setup.vs_name) assert ( vs_info["status"] and "rate-limit-primary is missing or invalid" in vs_info["status"]["message"] and vs_info["status"]["reason"] == "AddedOrUpdatedWithWarning" and vs_info["status"]["state"] == "Warning" ) delete_policy(kube_apis.custom_objects, pol_name, test_namespace) self.restore_default_vs(kube_apis, virtual_server_setup)
def test_status_valid(self, kube_apis, crd_ingress_controller, v_s_route_setup, v_s_route_app_setup): """ Test VirtualServerRoute status with a valid fields in yaml """ response_m = read_custom_resource( kube_apis.custom_objects, v_s_route_setup.route_m.namespace, "virtualserverroutes", v_s_route_setup.route_m.name, ) response_s = read_custom_resource( kube_apis.custom_objects, v_s_route_setup.route_s.namespace, "virtualserverroutes", v_s_route_setup.route_s.name, ) assert (response_m["status"] and response_m["status"]["reason"] == "AddedOrUpdated" and response_m["status"]["referencedBy"] and response_m["status"]["state"] == "Valid") assert (response_s["status"] and response_s["status"]["reason"] == "AddedOrUpdated" and response_s["status"]["referencedBy"] and response_s["status"]["state"] == "Valid")
def test_status_warning( self, kube_apis, crd_ingress_controller, virtual_server_setup, ): """ Test VirtualServer status with conflicting Upstream fields Only for N+ since Slow-start isn """ patch_src = f"{TEST_DATA}/virtual-server-status/warning-state.yaml" patch_virtual_server_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, patch_src, virtual_server_setup.namespace, ) wait_before_test() response = read_custom_resource( kube_apis.custom_objects, virtual_server_setup.namespace, "virtualservers", virtual_server_setup.vs_name, ) self.patch_valid_vs(kube_apis, virtual_server_setup) assert (response["status"] and response["status"]["reason"] == "AddedOrUpdatedWithWarning" and response["status"]["state"] == "Warning")
def test_status_invalid( self, kube_apis, crd_ingress_controller, virtual_server_setup, ): """ Test VirtualServer status with a invalid path pattern """ patch_src = f"{TEST_DATA}/virtual-server-status/invalid-state.yaml" patch_virtual_server_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, patch_src, virtual_server_setup.namespace, ) wait_before_test() response = read_custom_resource( kube_apis.custom_objects, virtual_server_setup.namespace, "virtualservers", virtual_server_setup.vs_name, ) self.patch_valid_vs(kube_apis, virtual_server_setup) assert (response["status"] and response["status"]["reason"] == "Rejected" and response["status"]["state"] == "Invalid")
def test_jwt_policy_override( self, kube_apis, crd_ingress_controller, v_s_route_app_setup, v_s_route_setup, test_namespace, ): """ Test if first reference to a policy in the same context(subroute) takes precedence, i.e. in this case, policy without $httptoken over policy with $httptoken. """ req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}" secret, pol_name_1, pol_name_2, headers = self.setup_multiple_policies( kube_apis, v_s_route_setup.route_m.namespace, valid_token, jwk_sec_valid_src, jwt_pol_valid_src, jwt_pol_multi_src, v_s_route_setup.vs_host, ) print(f"Patch vsr with policies: {jwt_pol_valid_src}") patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, jwt_vsr_override_src, v_s_route_setup.route_m.namespace, ) wait_before_test() resp = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers=headers, ) print(resp.status_code) crd_info = read_custom_resource( kube_apis.custom_objects, v_s_route_setup.route_m.namespace, "virtualserverroutes", v_s_route_setup.route_m.name, ) delete_policy(kube_apis.custom_objects, pol_name_1, v_s_route_setup.route_m.namespace) delete_policy(kube_apis.custom_objects, pol_name_2, v_s_route_setup.route_m.namespace) delete_secret(kube_apis.v1, secret, v_s_route_setup.route_m.namespace) patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, std_vsr_src, v_s_route_setup.route_m.namespace, ) assert resp.status_code == 401 assert f"Authorization Required" in resp.text assert (f"Multiple jwt policies in the same context is not valid." in crd_info["status"]["message"])
def test_jwt_policy_delete_policy( self, kube_apis, crd_ingress_controller, v_s_route_app_setup, v_s_route_setup, test_namespace, ): """ Test if requests result in 500 when policy is deleted """ req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}" secret, pol_name, headers = self.setup_single_policy( kube_apis, v_s_route_setup.route_m.namespace, valid_token, jwk_sec_valid_src, jwt_pol_valid_src, v_s_route_setup.vs_host, ) print(f"Patch vsr with policy: {jwt_pol_valid_src}") patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, jwt_vsr_valid_src, v_s_route_setup.route_m.namespace, ) wait_before_test() resp1 = requests.get(f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers=headers,) print(resp1.status_code) delete_policy(kube_apis.custom_objects, pol_name, v_s_route_setup.route_m.namespace) resp2 = requests.get(f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers=headers,) print(resp2.status_code) crd_info = read_custom_resource( kube_apis.custom_objects, v_s_route_setup.route_m.namespace, "virtualserverroutes", v_s_route_setup.route_m.name, ) delete_secret(kube_apis.v1, secret, v_s_route_setup.route_m.namespace) patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, std_vsr_src, v_s_route_setup.route_m.namespace, ) assert resp1.status_code == 200 assert f"Request ID:" in resp1.text assert crd_info["status"]["state"] == "Warning" assert ( f"{v_s_route_setup.route_m.namespace}/{pol_name} is missing" in crd_info["status"]["message"] ) assert resp2.status_code == 500 assert f"Internal Server Error" in resp2.text
def test_status_invalid_prefix(self, kube_apis, crd_ingress_controller, v_s_route_setup, v_s_route_app_setup): """ Test VirtualServerRoute status with a invalid path /prefix in vsr yaml i.e. referring to non-existing path """ patch_src_m = f"{TEST_DATA}/virtual-server-route-status/route-multiple-invalid-prefixed-path.yaml" patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, patch_src_m, v_s_route_setup.route_m.namespace, ) wait_before_test() patch_src_s = f"{TEST_DATA}/virtual-server-route-status/route-single-invalid-prefixed-path.yaml" patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_s.name, patch_src_s, v_s_route_setup.route_s.namespace, ) wait_before_test() response_m = read_custom_resource( kube_apis.custom_objects, v_s_route_setup.route_m.namespace, "virtualserverroutes", v_s_route_setup.route_m.name, ) response_s = read_custom_resource( kube_apis.custom_objects, v_s_route_setup.route_s.namespace, "virtualserverroutes", v_s_route_setup.route_s.name, ) self.patch_valid_vsr(kube_apis, v_s_route_setup) assert (response_m["status"] and response_m["status"]["reason"] == "AddedOrUpdated" and response_m["status"]["referencedBy"] and response_m["status"]["state"] == "Valid") assert (response_s["status"] and response_s["status"]["reason"] == "Ignored" and not response_s["status"]["referencedBy"] and response_s["status"]["state"] == "Warning")
def test_auth_basic_policy_secret( self, kube_apis, crd_ingress_controller, virtual_server_setup, test_namespace, htpasswd_secret, ): """ Test auth-basic-policy with a valid and an invalid secret """ if htpasswd_secret == htpasswd_sec_valid_src: pol = auth_basic_pol_valid_src vs = auth_basic_vs_single_src elif htpasswd_secret == htpasswd_sec_invalid_src: pol = auth_basic_pol_invalid_sec_src vs = auth_basic_vs_single_invalid_sec_src else: pytest.fail("Invalid configuration") secret, pol_name, headers = self.setup_single_policy( kube_apis, test_namespace, valid_credentials, htpasswd_secret, pol, virtual_server_setup.vs_host, ) print(f"Patch vs with policy: {pol}") delete_and_create_vs_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, vs, virtual_server_setup.namespace, ) wait_before_test() resp = requests.get(virtual_server_setup.backend_1_url, headers=headers) print(resp.status_code) crd_info = read_custom_resource( kube_apis.custom_objects, virtual_server_setup.namespace, "virtualservers", virtual_server_setup.vs_name, ) delete_policy(kube_apis.custom_objects, pol_name, test_namespace) delete_secret(kube_apis.v1, secret, test_namespace) delete_and_create_vs_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, std_vs_src, virtual_server_setup.namespace, ) if htpasswd_secret == htpasswd_sec_valid_src: assert resp.status_code == 200 assert f"Request ID:" in resp.text assert crd_info["status"]["state"] == "Valid" elif htpasswd_secret == htpasswd_sec_invalid_src: assert resp.status_code == 500 assert f"Internal Server Error" in resp.text assert crd_info["status"]["state"] == "Warning" else: pytest.fail(f"Not a valid case or parameter")
def test_rl_policy_1rs_vsr( self, kube_apis, crd_ingress_controller, v_s_route_app_setup, v_s_route_setup, test_namespace, src, ): """ Test if rate-limiting policy is working with ~1 rps in vsr:subroute """ req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}" print(f"Create rl policy") pol_name = create_policy_from_yaml(kube_apis.custom_objects, rl_pol_pri_src, v_s_route_setup.route_m.namespace) print(f"Patch vsr with policy: {src}") patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, src, v_s_route_setup.route_m.namespace, ) wait_before_test() policy_info = read_custom_resource(kube_apis.custom_objects, v_s_route_setup.route_m.namespace, "policies", pol_name) occur = [] t_end = time.perf_counter() + 1 resp = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={"host": v_s_route_setup.vs_host}, ) print(resp.status_code) assert resp.status_code == 200 while time.perf_counter() < t_end: resp = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={"host": v_s_route_setup.vs_host}, ) occur.append(resp.status_code) delete_policy(kube_apis.custom_objects, pol_name, v_s_route_setup.route_m.namespace) self.restore_default_vsr(kube_apis, v_s_route_setup) assert (policy_info["status"] and policy_info["status"]["reason"] == "AddedOrUpdated" and policy_info["status"]["state"] == "Valid") assert occur.count(200) <= 1
def test_status_invalid_vsr_in_vs(self, kube_apis, crd_ingress_controller, v_s_route_setup, v_s_route_app_setup): """ Test VirtualServerRoute status with invalid vsr reference in vs yaml """ patch_src = f"{TEST_DATA}/virtual-server-route-status/virtual-server-invalid.yaml" patch_virtual_server_from_yaml( kube_apis.custom_objects, v_s_route_setup.vs_name, patch_src, v_s_route_setup.namespace, ) wait_before_test() response_m = read_custom_resource( kube_apis.custom_objects, v_s_route_setup.route_m.namespace, "virtualserverroutes", v_s_route_setup.route_m.name, ) response_s = read_custom_resource( kube_apis.custom_objects, v_s_route_setup.route_s.namespace, "virtualserverroutes", v_s_route_setup.route_s.name, ) self.patch_valid_vs(kube_apis, v_s_route_setup) assert (response_m["status"] and response_m["status"]["reason"] == "Ignored" and not response_m["status"]["referencedBy"] and response_m["status"]["state"] == "Warning") assert (response_s["status"] and response_s["status"]["reason"] == "Ignored" and not response_s["status"]["referencedBy"] and response_s["status"]["state"] == "Warning")
def test_status_remove_vs(self, kube_apis, crd_ingress_controller, v_s_route_setup, v_s_route_app_setup): """ Test VirtualServerRoute status after deleting referenced VirtualServer """ delete_virtual_server( kube_apis.custom_objects, v_s_route_setup.vs_name, v_s_route_setup.namespace, ) response_m = read_custom_resource( kube_apis.custom_objects, v_s_route_setup.route_m.namespace, "virtualserverroutes", v_s_route_setup.route_m.name, ) response_s = read_custom_resource( kube_apis.custom_objects, v_s_route_setup.route_s.namespace, "virtualserverroutes", v_s_route_setup.route_s.name, ) vs_src = f"{TEST_DATA}/virtual-server-route-status/standard/virtual-server.yaml" create_virtual_server_from_yaml(kube_apis.custom_objects, vs_src, v_s_route_setup.namespace) assert (response_m["status"] and response_m["status"]["reason"] == "NoVirtualServerFound" and not response_m["status"]["referencedBy"] and response_m["status"]["state"] == "Warning") assert (response_s["status"] and response_s["status"]["reason"] == "NoVirtualServerFound" and not response_s["status"]["referencedBy"] and response_s["status"]["state"] == "Warning")
def test_rl_policy_1rs( self, kube_apis, crd_ingress_controller, virtual_server_setup, test_namespace, src, ): """ Test if rate-limiting policy is working with 1 rps """ print(f"Create rl policy") pol_name = create_policy_from_yaml(kube_apis.custom_objects, rl_pol_pri_src, test_namespace) print(f"Patch vs with policy: {src}") patch_virtual_server_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, src, virtual_server_setup.namespace, ) wait_before_test() policy_info = read_custom_resource(kube_apis.custom_objects, test_namespace, "policies", pol_name) occur = [] t_end = time.perf_counter() + 1 resp = requests.get( virtual_server_setup.backend_1_url, headers={"host": virtual_server_setup.vs_host}, ) print(resp.status_code) assert resp.status_code == 200 while time.perf_counter() < t_end: resp = requests.get( virtual_server_setup.backend_1_url, headers={"host": virtual_server_setup.vs_host}, ) occur.append(resp.status_code) delete_policy(kube_apis.custom_objects, pol_name, test_namespace) self.restore_default_vs(kube_apis, virtual_server_setup) assert (policy_info["status"] and policy_info["status"]["reason"] == "AddedOrUpdated" and policy_info["status"]["state"] == "Valid") assert occur.count(200) <= 1
def test_status_valid( self, kube_apis, crd_ingress_controller, virtual_server_setup, ): """ Test VirtualServer status with a valid fields in yaml """ response = read_custom_resource( kube_apis.custom_objects, virtual_server_setup.namespace, "virtualservers", virtual_server_setup.vs_name, ) assert (response["status"] and response["status"]["reason"] == "AddedOrUpdated" and response["status"]["state"] == "Valid")
def test_rl_policy_invalid_vsr( self, kube_apis, crd_ingress_controller, v_s_route_app_setup, v_s_route_setup, test_namespace, src, ): """ Test if using an invalid policy in vsr:subroute results in 500 """ req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}" print(f"Create rl policy") invalid_pol_name = create_policy_from_yaml( kube_apis.custom_objects, rl_pol_invalid_src, v_s_route_setup.route_m.namespace) print(f"Patch vsr with policy: {src}") patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, src, v_s_route_setup.route_m.namespace, ) wait_before_test() policy_info = read_custom_resource( kube_apis.custom_objects, v_s_route_setup.route_m.namespace, "policies", invalid_pol_name, ) resp = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={"host": v_s_route_setup.vs_host}, ) print(resp.status_code) delete_policy(kube_apis.custom_objects, invalid_pol_name, v_s_route_setup.route_m.namespace) self.restore_default_vsr(kube_apis, v_s_route_setup) assert (policy_info["status"] and policy_info["status"]["reason"] == "Rejected" and policy_info["status"]["state"] == "Invalid") assert resp.status_code == 500
def test_rl_policy_invalid( self, kube_apis, crd_ingress_controller, virtual_server_setup, test_namespace, src, ): """ Test the status code is 500 if invalid policy is deployed """ print(f"Create rl policy") invalid_pol_name = create_policy_from_yaml(kube_apis.custom_objects, rl_pol_invalid, test_namespace) print(f"Patch vs with policy: {src}") patch_virtual_server_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, src, virtual_server_setup.namespace, ) wait_before_test() policy_info = read_custom_resource(kube_apis.custom_objects, test_namespace, "policies", invalid_pol_name) resp = requests.get( virtual_server_setup.backend_1_url, headers={"host": virtual_server_setup.vs_host}, ) print(resp.text) delete_policy(kube_apis.custom_objects, invalid_pol_name, test_namespace) self.restore_default_vs(kube_apis, virtual_server_setup) assert (policy_info["status"] and policy_info["status"]["reason"] == "Rejected" and policy_info["status"]["state"] == "Invalid") assert resp.status_code == 500
def test_auth_basic_policy_delete_secret( self, kube_apis, crd_ingress_controller, v_s_route_app_setup, v_s_route_setup, test_namespace, ): """ Test if requests result in 500 when secret is deleted """ req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}" secret, pol_name, headers = self.setup_single_policy( kube_apis, v_s_route_setup.route_m.namespace, valid_credentials, htpasswd_sec_valid_src, auth_basic_pol_valid_src, v_s_route_setup.vs_host, ) print(f"Patch vsr with policy: {auth_basic_pol_valid_src}") patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, auth_basic_vsr_valid_src, v_s_route_setup.route_m.namespace, ) wait_before_test() resp1 = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers=headers, ) print(resp1.status_code) delete_secret(kube_apis.v1, secret, v_s_route_setup.route_m.namespace) resp2 = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers=headers, ) print(resp2.status_code) crd_info = read_custom_resource( kube_apis.custom_objects, v_s_route_setup.route_m.namespace, "virtualserverroutes", v_s_route_setup.route_m.name, ) delete_policy(kube_apis.custom_objects, pol_name, v_s_route_setup.route_m.namespace) patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, std_vsr_src, v_s_route_setup.route_m.namespace, ) assert resp1.status_code == 200 assert f"Request ID:" in resp1.text assert crd_info["status"]["state"] == "Warning" assert ( f"references an invalid secret {v_s_route_setup.route_m.namespace}/{secret}: secret doesn't exist or of an unsupported type" in crd_info["status"]["message"]) assert resp2.status_code == 500 assert f"Internal Server Error" in resp2.text
def test_jwt_policy( self, kube_apis, crd_ingress_controller, virtual_server_setup, test_namespace, policy, ): """ Test jwt-policy with a valid and an invalid policy """ secret, pol_name, headers = self.setup_single_policy( kube_apis, test_namespace, valid_token, jwk_sec_valid_src, policy, virtual_server_setup.vs_host, ) print(f"Patch vs with policy: {policy}") policy_info = read_custom_resource(kube_apis.custom_objects, test_namespace, "policies", pol_name) if policy == jwt_pol_valid_src: vs_src = jwt_vs_single_src assert (policy_info["status"] and policy_info["status"]["reason"] == "AddedOrUpdated" and policy_info["status"]["state"] == "Valid") elif policy == jwt_pol_invalid_src: vs_src = jwt_vs_single_invalid_pol_src assert (policy_info["status"] and policy_info["status"]["reason"] == "Rejected" and policy_info["status"]["state"] == "Invalid") else: pytest.fail("Invalid configuration") delete_and_create_vs_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, vs_src, virtual_server_setup.namespace, ) wait_before_test() resp = requests.get(virtual_server_setup.backend_1_url, headers=headers) print(resp.status_code) crd_info = read_custom_resource( kube_apis.custom_objects, virtual_server_setup.namespace, "virtualservers", virtual_server_setup.vs_name, ) delete_policy(kube_apis.custom_objects, pol_name, test_namespace) delete_secret(kube_apis.v1, secret, test_namespace) delete_and_create_vs_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, std_vs_src, virtual_server_setup.namespace, ) if policy == jwt_pol_valid_src: assert resp.status_code == 200 assert f"Request ID:" in resp.text assert crd_info["status"]["state"] == "Valid" elif policy == jwt_pol_invalid_src: assert resp.status_code == 500 assert f"Internal Server Error" in resp.text assert crd_info["status"]["state"] == "Warning" else: pytest.fail(f"Not a valid case or parameter")
def test_jwt_policy( self, kube_apis, crd_ingress_controller, v_s_route_app_setup, v_s_route_setup, test_namespace, policy, ): """ Test jwt-policy with a valid and an invalid policy """ req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}" if policy == jwt_pol_valid_src: vsr = jwt_vsr_valid_src elif policy == jwt_pol_invalid_src: vsr = jwt_vsr_invalid_src else: pytest.fail(f"Not a valid case or parameter") secret, pol_name, headers = self.setup_single_policy( kube_apis, v_s_route_setup.route_m.namespace, valid_token, jwk_sec_valid_src, policy, v_s_route_setup.vs_host, ) print(f"Patch vsr with policy: {policy}") patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, vsr, v_s_route_setup.route_m.namespace, ) wait_before_test() resp = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers=headers, ) print(resp.status_code) policy_info = read_custom_resource(kube_apis.custom_objects, v_s_route_setup.route_m.namespace, "policies", pol_name) crd_info = read_custom_resource( kube_apis.custom_objects, v_s_route_setup.route_m.namespace, "virtualserverroutes", v_s_route_setup.route_m.name, ) delete_policy(kube_apis.custom_objects, pol_name, v_s_route_setup.route_m.namespace) delete_secret(kube_apis.v1, secret, v_s_route_setup.route_m.namespace) patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, std_vsr_src, v_s_route_setup.route_m.namespace, ) if policy == jwt_pol_valid_src: assert resp.status_code == 200 assert f"Request ID:" in resp.text assert crd_info["status"]["state"] == "Valid" assert (policy_info["status"] and policy_info["status"]["reason"] == "AddedOrUpdated" and policy_info["status"]["state"] == "Valid") elif policy == jwt_pol_invalid_src: assert resp.status_code == 500 assert f"Internal Server Error" in resp.text assert crd_info["status"]["state"] == "Warning" assert (policy_info["status"] and policy_info["status"]["reason"] == "Rejected" and policy_info["status"]["state"] == "Invalid") else: pytest.fail(f"Not a valid case or parameter")
def test_allow_policy_vsr( self, kube_apis, crd_ingress_controller, v_s_route_app_setup, test_namespace, config_setup, v_s_route_setup, ): """ Test if ip (10.0.0.1) block-listing is working (policy specified in vsr subroute): default(no policy) -> deny """ req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}" resp = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={ "host": v_s_route_setup.vs_host, "X-Real-IP": "10.0.0.1" }, ) print(f"Response: {resp.status_code}\n{resp.text}") assert resp.status_code == 200 print(f"Create allow policy") pol_name = create_policy_from_yaml(kube_apis.custom_objects, allow_pol_src, v_s_route_setup.route_m.namespace) patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, allow_vsr_src, v_s_route_setup.route_m.namespace, ) wait_before_test() policy_info = read_custom_resource(kube_apis.custom_objects, v_s_route_setup.route_m.namespace, "policies", pol_name) print(f"\nUse IP listed in deny block: 10.0.0.1") resp1 = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={ "host": v_s_route_setup.vs_host, "X-Real-IP": "10.0.0.1" }, ) print(f"Response: {resp1.status_code}\n{resp1.text}") print(f"\nUse IP not listed in deny block: 10.0.0.2") resp2 = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={ "host": v_s_route_setup.vs_host, "X-Real-IP": "10.0.0.2" }, ) print(f"Response: {resp2.status_code}\n{resp2.text}") delete_policy(kube_apis.custom_objects, pol_name, v_s_route_setup.route_m.namespace) self.restore_default_vsr(kube_apis, v_s_route_setup) assert (policy_info["status"] and policy_info["status"]["reason"] == "AddedOrUpdated" and policy_info["status"]["state"] == "Valid") assert (resp2.status_code == 403 and "403 Forbidden" in resp2.text and resp1.status_code == 200 and "Server address:" in resp1.text)
def test_invalid_policy_vsr( self, kube_apis, crd_ingress_controller, v_s_route_app_setup, test_namespace, config_setup, v_s_route_setup, ): """ Test if applying invalid-policy results in 500. """ req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}" resp = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={ "host": v_s_route_setup.vs_host, "X-Real-IP": "10.0.0.1" }, ) print(f"Response: {resp.status_code}\n{resp.text}") assert resp.status_code == 200 print(f"Create invalid policy") pol_name = create_policy_from_yaml(kube_apis.custom_objects, invalid_pol_src, v_s_route_setup.route_m.namespace) patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, invalid_vsr_src, v_s_route_setup.route_m.namespace, ) wait_before_test() policy_info = read_custom_resource(kube_apis.custom_objects, v_s_route_setup.route_m.namespace, "policies", pol_name) print(f"\nUse IP listed in deny block: 10.0.0.1") resp = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={ "host": v_s_route_setup.vs_host, "X-Real-IP": "10.0.0.1" }, ) print(f"Response: {resp.status_code}\n{resp.text}") vsr_info = read_custom_resource( kube_apis.custom_objects, v_s_route_setup.route_m.namespace, "virtualserverroutes", v_s_route_setup.route_m.name, ) delete_policy(kube_apis.custom_objects, pol_name, v_s_route_setup.route_m.namespace) self.restore_default_vsr(kube_apis, v_s_route_setup) assert (policy_info["status"] and policy_info["status"]["reason"] == "Rejected" and policy_info["status"]["state"] == "Invalid") assert resp.status_code == 500 and "500 Internal Server Error" in resp.text assert (vsr_info["status"]["state"] == "Warning" and vsr_info["status"]["reason"] == "AddedOrUpdatedWithWarning")
def read_vsr(custom_objects: CustomObjectsApi, namespace, name) -> object: """ Read VirtualServerRoute resource. """ return read_custom_resource(custom_objects, namespace, "virtualserverroutes", name)
def read_policy(custom_objects: CustomObjectsApi, namespace, name) -> object: """ Read Policy resource. """ return read_custom_resource(custom_objects, namespace, "policies", name)
def test_deleted_policy( self, kube_apis, crd_ingress_controller, virtual_server_setup, test_namespace, config_setup, src, ): """ Test if valid policy is deleted then response is 500 """ resp = requests.get( virtual_server_setup.backend_1_url, headers={ "host": virtual_server_setup.vs_host, "X-Real-IP": "10.0.0.1" }, ) print(f"Response: {resp.status_code}\n{resp.text}") assert resp.status_code == 200 print(f"Create deny policy") pol_name = create_policy_from_yaml(kube_apis.custom_objects, deny_pol_src, test_namespace) patch_virtual_server_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, src, virtual_server_setup.namespace, ) wait_before_test() vs_info = read_custom_resource( kube_apis.custom_objects, virtual_server_setup.namespace, "virtualservers", virtual_server_setup.vs_name, ) assert vs_info["status"]["state"] == "Valid" delete_policy(kube_apis.custom_objects, pol_name, test_namespace) wait_before_test() resp = requests.get( virtual_server_setup.backend_1_url, headers={ "host": virtual_server_setup.vs_host, "X-Real-IP": "10.0.0.1" }, ) print(f"Response: {resp.status_code}\n{resp.text}") vs_info = read_custom_resource( kube_apis.custom_objects, virtual_server_setup.namespace, "virtualservers", virtual_server_setup.vs_name, ) self.restore_default_vs(kube_apis, virtual_server_setup) assert resp.status_code == 500 and "500 Internal Server Error" in resp.text assert (vs_info["status"]["state"] == "Warning" and vs_info["status"]["reason"] == "AddedOrUpdatedWithWarning")
def test_deny_policy( self, kube_apis, crd_ingress_controller, virtual_server_setup, test_namespace, config_setup, src, ): """ Test if ip (10.0.0.1) block-listing is working: default(no policy) -> deny """ resp = requests.get( virtual_server_setup.backend_1_url, headers={ "host": virtual_server_setup.vs_host, "X-Real-IP": "10.0.0.1" }, ) print(f"Response: {resp.status_code}\n{resp.text}") assert resp.status_code == 200 print(f"Create deny policy") pol_name = create_policy_from_yaml(kube_apis.custom_objects, deny_pol_src, test_namespace) print(f"Patch vs with policy: {src}") patch_virtual_server_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, src, virtual_server_setup.namespace, ) wait_before_test() policy_info = read_custom_resource(kube_apis.custom_objects, test_namespace, "policies", pol_name) print(f"\nUse IP listed in deny block: 10.0.0.1") resp1 = requests.get( virtual_server_setup.backend_1_url, headers={ "host": virtual_server_setup.vs_host, "X-Real-IP": "10.0.0.1" }, ) print(f"Response: {resp1.status_code}\n{resp1.text}") print(f"\nUse IP not listed in deny block: 10.0.0.2") resp2 = requests.get( virtual_server_setup.backend_1_url, headers={ "host": virtual_server_setup.vs_host, "X-Real-IP": "10.0.0.2" }, ) print(f"Response: {resp2.status_code}\n{resp2.text}") delete_policy(kube_apis.custom_objects, pol_name, test_namespace) self.restore_default_vs(kube_apis, virtual_server_setup) assert (policy_info["status"] and policy_info["status"]["reason"] == "AddedOrUpdated" and policy_info["status"]["state"] == "Valid") assert (resp1.status_code == 403 and "403 Forbidden" in resp1.text and resp2.status_code == 200 and "Server address:" in resp2.text)
def test_auth_basic_policy_secret( self, kube_apis, crd_ingress_controller, v_s_route_app_setup, v_s_route_setup, test_namespace, htpasswd_secret, ): """ Test auth-basic-policy with a valid and an invalid secret """ req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}" if htpasswd_secret == htpasswd_sec_valid_src: pol = auth_basic_pol_valid_src vsr = auth_basic_vsr_valid_src elif htpasswd_secret == htpasswd_sec_invalid_src: pol = auth_basic_pol_invalid_sec_src vsr = auth_basic_vsr_invalid_sec_src else: pytest.fail(f"Not a valid case or parameter") secret, pol_name, headers = self.setup_single_policy( kube_apis, v_s_route_setup.route_m.namespace, valid_credentials, htpasswd_secret, pol, v_s_route_setup.vs_host, ) print(f"Patch vsr with policy: {pol}") patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, vsr, v_s_route_setup.route_m.namespace, ) wait_before_test() resp = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers=headers, ) print(resp.status_code) crd_info = read_custom_resource( kube_apis.custom_objects, v_s_route_setup.route_m.namespace, "virtualserverroutes", v_s_route_setup.route_m.name, ) delete_policy(kube_apis.custom_objects, pol_name, v_s_route_setup.route_m.namespace) delete_secret(kube_apis.v1, secret, v_s_route_setup.route_m.namespace) patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, std_vsr_src, v_s_route_setup.route_m.namespace, ) if htpasswd_secret == htpasswd_sec_valid_src: assert resp.status_code == 200 assert f"Request ID:" in resp.text assert crd_info["status"]["state"] == "Valid" elif htpasswd_secret == htpasswd_sec_invalid_src: assert resp.status_code == 500 assert f"Internal Server Error" in resp.text assert crd_info["status"]["state"] == "Warning" else: pytest.fail(f"Not a valid case or parameter")