def test_openapi_validation_flow(self, kube_apis,
ingress_controller_prerequisites,
crd_ingress_controller, v_s_route_setup):
ic_pod_name = get_first_pod_name(
kube_apis.v1, ingress_controller_prerequisites.namespace)
config_old = get_vs_nginx_template_conf(
kube_apis.v1, v_s_route_setup.namespace, v_s_route_setup.vs_name,
ic_pod_name, ingress_controller_prerequisites.namespace)
vsr_src = f"{TEST_DATA}/virtual-server-route-error-pages/route-multiple-invalid-openapi.yaml"
try:
patch_v_s_route_from_yaml(kube_apis.custom_objects,
v_s_route_setup.route_m.name, vsr_src,
v_s_route_setup.route_m.namespace)
except ApiException as ex:
assert ex.status == 422 \
and "spec.subroutes.errorPages.codes" in ex.body \
and "spec.subroutes.errorPages.redirect.code" in ex.body \
and "spec.subroutes.errorPages.redirect.url" in ex.body \
and "spec.subroutes.errorPages.return.code" in ex.body \
and "spec.subroutes.errorPages.return.type" in ex.body \
and "spec.subroutes.errorPages.return.body" in ex.body \
and "spec.subroutes.errorPages.return.headers.name" in ex.body \
and "spec.subroutes.errorPages.return.headers.value" in ex.body
except Exception as ex:
pytest.fail(f"An unexpected exception is raised: {ex}")
else:
pytest.fail("Expected an exception but there was none")
wait_before_test(1)
config_new = get_vs_nginx_template_conf(
kube_apis.v1, v_s_route_setup.namespace, v_s_route_setup.vs_name,
ic_pod_name, ingress_controller_prerequisites.namespace)
assert config_old == config_new, "Expected: config doesn't change"
def test_jwt_policy_override(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
v_s_route_setup,
test_namespace,
):
"""
Test if first reference to a policy in the same context(subroute) takes precedence,
i.e. in this case, policy without $httptoken over policy with $httptoken.
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
secret, pol_name_1, pol_name_2, headers = self.setup_multiple_policies(
kube_apis,
v_s_route_setup.route_m.namespace,
valid_token,
jwk_sec_valid_src,
jwt_pol_valid_src,
jwt_pol_multi_src,
v_s_route_setup.vs_host,
)
print(f"Patch vsr with policies: {jwt_pol_valid_src}")
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
jwt_vsr_override_src,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers=headers,
)
print(resp.status_code)
crd_info = read_custom_resource(
kube_apis.custom_objects,
v_s_route_setup.route_m.namespace,
"virtualserverroutes",
v_s_route_setup.route_m.name,
)
delete_policy(kube_apis.custom_objects, pol_name_1,
v_s_route_setup.route_m.namespace)
delete_policy(kube_apis.custom_objects, pol_name_2,
v_s_route_setup.route_m.namespace)
delete_secret(kube_apis.v1, secret, v_s_route_setup.route_m.namespace)
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
std_vsr_src,
v_s_route_setup.route_m.namespace,
)
assert resp.status_code == 401
assert f"Authorization Required" in resp.text
assert (f"Multiple jwt policies in the same context is not valid."
in crd_info["status"]["message"])
def test_update(self, kube_apis, crd_ingress_controller, v_s_route_setup):
req_host = f"{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
req_url_1 = f"http://{req_host}{v_s_route_setup.route_m.paths[0]}"
req_url_2 = f"http://{req_host}{v_s_route_setup.route_m.paths[1]}"
wait_before_test(1)
vs_name = f"{v_s_route_setup.namespace}/{v_s_route_setup.vs_name}"
vsr_name = f"{v_s_route_setup.namespace}/{v_s_route_setup.route_m.name}"
vsr_event_text = f"Configuration for {vsr_name} was added or updated"
vs_event_text = f"Configuration for {vs_name} was added or updated"
events_ns = get_events(kube_apis.v1, v_s_route_setup.namespace)
initial_count_vs = assert_event_and_get_count(vs_event_text, events_ns)
initial_count_vsr = assert_event_and_get_count(vsr_event_text, events_ns)
vsr_src = f"{TEST_DATA}/virtual-server-route-canned-responses/route-multiple-updated.yaml"
patch_v_s_route_from_yaml(kube_apis.custom_objects,
v_s_route_setup.route_m.name, vsr_src, v_s_route_setup.namespace)
wait_and_assert_status_code(501, req_url_1, v_s_route_setup.vs_host)
resp = requests.get(req_url_1, headers={"host": v_s_route_setup.vs_host})
resp_content = resp.content.decode('utf-8')
assert resp.headers['content-type'] == 'some/type' and resp_content == "{}"
wait_and_assert_status_code(201, req_url_2, v_s_route_setup.vs_host)
resp = requests.get(req_url_2, headers={"host": v_s_route_setup.vs_host})
resp_content = resp.content.decode('utf-8')
assert resp.headers['content-type'] == 'user-type' and resp_content == "line1\nline2"
new_events_ns = get_events(kube_apis.v1, v_s_route_setup.namespace)
assert_event_count_increased(vs_event_text, initial_count_vs, new_events_ns)
assert_event_count_increased(vsr_event_text, initial_count_vsr, new_events_ns)
def test_flow_for_invalid_vsr(self, kube_apis,
ingress_controller_prerequisites,
crd_ingress_controller, v_s_route_setup,
v_s_route_app_setup):
ic_pod_name = get_first_pod_name(
kube_apis.v1, ingress_controller_prerequisites.namespace)
text_vs = f"{v_s_route_setup.namespace}/{v_s_route_setup.vs_name}"
text_vsr_s = f"{v_s_route_setup.route_m.namespace}/{v_s_route_setup.route_m.name}"
vs_event_text = f'Configuration for {text_vs} was added or updated with warning(s)'
vsr_event_text = f'VirtualServerRoute {text_vsr_s} was rejected with error: ' \
f'spec.subroutes[1].path: Duplicate value: "=/backends/exact-match$request"'
vs_src_yaml = f"{TEST_DATA}" \
f"/virtual-server-route-regexp-location/standard/virtual-server-exact.yaml"
patch_virtual_server_from_yaml(kube_apis.custom_objects,
v_s_route_setup.vs_name, vs_src_yaml,
v_s_route_setup.namespace)
vsr_src_yaml = f"{TEST_DATA}" \
f"/virtual-server-route-regexp-location/route-multiple-invalid-multiple-regexp-subroutes.yaml"
patch_v_s_route_from_yaml(kube_apis.custom_objects,
v_s_route_setup.route_m.name, vsr_src_yaml,
v_s_route_setup.route_m.namespace)
wait_before_test(2)
config = get_vs_nginx_template_conf(
kube_apis.v1, v_s_route_setup.namespace, v_s_route_setup.vs_name,
ic_pod_name, ingress_controller_prerequisites.namespace)
ns_events = get_events(kube_apis.v1, v_s_route_setup.route_m.namespace)
assert_event(vsr_event_text, ns_events) and assert_event(
vs_event_text, ns_events)
assert "location =/backends/exact-match$request {" not in config
def test_virtual_server_after_update(self, kube_apis,
ingress_controller_prerequisites,
crd_ingress_controller,
v_s_route_setup):
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
patch_v_s_route_from_yaml(
kube_apis.custom_objects, v_s_route_setup.route_m.name,
f"{TEST_DATA}/virtual-server-route-error-pages/route-multiple-updated.yaml",
v_s_route_setup.route_m.namespace)
wait_and_assert_status_code(
301,
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
v_s_route_setup.vs_host,
allow_redirects=False)
resp = requests.get(f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={
"host": v_s_route_setup.vs_host,
"x-forwarded-proto": "http"
},
allow_redirects=False)
assert f'http://{v_s_route_setup.vs_host}/error_http.html' in resp.next.url
wait_and_assert_status_code(
502,
f"{req_url}{v_s_route_setup.route_m.paths[1]}",
v_s_route_setup.vs_host,
allow_redirects=False)
resp = requests.get(f"{req_url}{v_s_route_setup.route_m.paths[1]}",
headers={"host": v_s_route_setup.vs_host})
resp_content = resp.content.decode('utf-8')
assert resp_content == 'Hello World!\n'
def test_response_for_regex_location(self, kube_apis,
ingress_controller_prerequisites,
crd_ingress_controller,
v_s_route_setup, v_s_route_app_setup,
test_data):
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
vs_src_yaml = f"{TEST_DATA}" \
f"/virtual-server-route-regexp-location/standard/virtual-server-{test_data['regex_type']}.yaml"
vsr_src_yaml = f"{TEST_DATA}/virtual-server-route-regexp-location/route-single-{test_data['regex_type']}.yaml"
patch_virtual_server_from_yaml(kube_apis.custom_objects,
v_s_route_setup.vs_name, vs_src_yaml,
v_s_route_setup.namespace)
patch_v_s_route_from_yaml(kube_apis.custom_objects,
v_s_route_setup.route_s.name, vsr_src_yaml,
v_s_route_setup.route_s.namespace)
wait_before_test(1)
for item in test_data['expected_results']:
uri = item
expected_code = test_data['expected_results'][uri]
ensure_response_from_backend(f"{req_url}{uri}",
v_s_route_setup.vs_host)
resp = requests.get(f"{req_url}{uri}",
headers={"host": v_s_route_setup.vs_host})
if expected_code == 200:
assert resp.status_code == expected_code and "Server name: backend2-" in resp.text
else:
assert resp.status_code == expected_code, "Expected 404 for URI that doesn't match"
def test_make_existing_vsr_invalid(self, kube_apis,
ingress_controller_prerequisites,
crd_ingress_controller, v_s_route_setup,
route_yaml):
ic_pod_name = get_first_pod_name(
kube_apis.v1, ingress_controller_prerequisites.namespace)
patch_v_s_route_from_yaml(kube_apis.custom_objects,
v_s_route_setup.route_s.name, route_yaml,
v_s_route_setup.route_s.namespace)
wait_before_test(1)
new_config = get_vs_nginx_template_conf(
kube_apis.v1, v_s_route_setup.namespace, v_s_route_setup.vs_name,
ic_pod_name, ingress_controller_prerequisites.namespace)
new_vs_events = get_events(kube_apis.v1, v_s_route_setup.namespace)
new_vsr_events = get_events(kube_apis.v1,
v_s_route_setup.route_s.namespace)
assert_locations_not_in_config(new_config,
v_s_route_setup.route_s.paths)
text = f"{v_s_route_setup.route_s.namespace}/{v_s_route_setup.route_s.name}"
assert_event_and_count(
f"Configuration for {v_s_route_setup.namespace}/{v_s_route_setup.vs_name} was added or updated with warning(s)",
1, new_vs_events)
if route_yaml == f"{TEST_DATA}/virtual-server-route/route-single-invalid-host.yaml":
assert_event_and_count(
f"VirtualServer is invalid or doesn't exist", 1,
new_vsr_events)
else:
assert_event_and_count(
f"VirtualServerRoute {text} was rejected with error", 1,
new_vsr_events)
def test_openapi_validation_flow(self, kube_apis,
ingress_controller_prerequisites,
crd_ingress_controller, v_s_route_setup):
ic_pod_name = get_first_pod_name(
kube_apis.v1, ingress_controller_prerequisites.namespace)
config_old = get_vs_nginx_template_conf(
kube_apis.v1, v_s_route_setup.namespace, v_s_route_setup.vs_name,
ic_pod_name, ingress_controller_prerequisites.namespace)
route_yaml = f"{TEST_DATA}/virtual-server-route/route-single-invalid-openapi.yaml"
try:
patch_v_s_route_from_yaml(kube_apis.custom_objects,
v_s_route_setup.route_s.name, route_yaml,
v_s_route_setup.route_s.namespace)
except ApiException as ex:
assert ex.status == 422 and "spec.subroutes.action.pass" in ex.body
except Exception as ex:
pytest.fail(f"An unexpected exception is raised: {ex}")
else:
pytest.fail("Expected an exception but there was none")
wait_before_test(1)
config_new = get_vs_nginx_template_conf(
kube_apis.v1, v_s_route_setup.namespace, v_s_route_setup.vs_name,
ic_pod_name, ingress_controller_prerequisites.namespace)
assert config_old == config_new, "Expected: config doesn't change"
def test_flow_with_complex_conditions(self, kube_apis,
crd_ingress_controller,
vsr_adv_routing_setup):
patch_v_s_route_from_yaml(
kube_apis.custom_objects, vsr_adv_routing_setup.route.name,
f"{TEST_DATA}/virtual-server-route-advanced-routing/virtual-server-route-complex.yaml",
vsr_adv_routing_setup.namespace)
wait_before_test(1)
resp_1 = requests.get(vsr_adv_routing_setup.backends_url + "?arg1=v1",
headers={
"host": vsr_adv_routing_setup.vs_host,
"x-version": "future"
},
cookies={"user": "******"})
resp_2 = requests.post(vsr_adv_routing_setup.backends_url + "?arg1=v2",
headers={
"host": vsr_adv_routing_setup.vs_host,
"x-version": "deprecated"
},
cookies={"user": "******"})
resp_3 = requests.get(vsr_adv_routing_setup.backends_url + "?arg1=v2",
headers={
"host": vsr_adv_routing_setup.vs_host,
"x-version": "deprecated"
},
cookies={"user": "******"})
execute_assertions(resp_1, resp_2, resp_3)
def test_regex_rewrite(self, kube_apis, crd_ingress_controller,
v_s_route_setup, v_s_route_app_setup):
"""
Test VirtualServerRoute URI rewrite using regex
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
patch_src_m = f"{TEST_DATA}/virtual-server-route-rewrites/route-multiple-prefix-regex.yaml"
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
patch_src_m,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
resp1 = requests.get(f"{req_url}{v_s_route_setup.route_m.paths[1]}",
headers={"host": v_s_route_setup.vs_host})
resp2 = requests.get(f"{req_url}{v_s_route_setup.route_m.paths[1]}/",
headers={"host": v_s_route_setup.vs_host})
resp3 = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[1]}/abc",
headers={"host": v_s_route_setup.vs_host})
self.patch_standard_vsr(kube_apis, v_s_route_setup)
assert ("URI: /\nRequest" in resp1.text
and "URI: /\nRequest" in resp2.text
and "URI: /abc\nRequest" in resp3.text)
def test_ingress_mtls_policy_vsr(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
v_s_route_setup,
test_namespace,
):
"""
Test ingress-mtls in vsr subroute context.
"""
mtls_secret, tls_secret, pol_name = setup_policy(
kube_apis,
v_s_route_setup.route_m.namespace,
mtls_sec_valid_src,
tls_sec_valid_src,
mtls_pol_valid_src,
)
print(
f"Patch vsr with policy: {mtls_vsr_subroute_src} and vs with tls secret: {tls_secret}"
)
patch_virtual_server_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.vs_name,
mtls_vs_vsr_src,
v_s_route_setup.namespace,
)
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
mtls_vsr_subroute_src,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
vsr_res = read_vsr(
kube_apis.custom_objects,
v_s_route_setup.route_m.namespace,
v_s_route_setup.route_m.name,
)
teardown_policy(
kube_apis, v_s_route_setup.route_m.namespace, tls_secret, pol_name, mtls_secret
)
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
std_vsr_src,
v_s_route_setup.route_m.namespace,
)
patch_virtual_server_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.vs_name,
std_vs_vsr_src,
v_s_route_setup.namespace,
)
assert (
vsr_res["status"]["state"] == "Warning"
and f"{pol_name} is not allowed in the subroute context" in vsr_res["status"]["message"]
)
def test_overide_vs_vsr(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
test_namespace,
config_setup,
v_s_route_setup,
src,
):
"""
Test if vsr subroute policy overrides vs spec policy and vsr subroute policy overrides vs route policy
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
print(f"Create deny policy")
deny_pol_name = create_policy_from_yaml(
kube_apis.custom_objects, deny_pol_src,
v_s_route_setup.route_m.namespace)
print(f"Create allow policy")
allow_pol_name = create_policy_from_yaml(
kube_apis.custom_objects, allow_pol_src,
v_s_route_setup.route_m.namespace)
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
allow_vsr_src,
v_s_route_setup.route_m.namespace,
)
# patch vs with blocking policy
patch_virtual_server_from_yaml(kube_apis.custom_objects,
v_s_route_setup.vs_name, src,
v_s_route_setup.namespace)
wait_before_test()
print(f"\nUse IP listed in deny block: 10.0.0.1")
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={
"host": v_s_route_setup.vs_host,
"X-Real-IP": "10.0.0.1"
},
)
print(f"Response: {resp.status_code}\n{resp.text}")
delete_policy(kube_apis.custom_objects, deny_pol_name,
v_s_route_setup.route_m.namespace)
delete_policy(kube_apis.custom_objects, allow_pol_name,
v_s_route_setup.route_m.namespace)
self.restore_default_vsr(kube_apis, v_s_route_setup)
patch_virtual_server_from_yaml(kube_apis.custom_objects,
v_s_route_setup.vs_name, std_vs_src,
v_s_route_setup.namespace)
wait_before_test()
assert resp.status_code == 200 and "Server address:" in resp.text
def test_event_message_and_config(self, kube_apis, ingress_controller_prerequisites,
crd_ingress_controller, v_s_route_setup):
invalid_fields_s = [
"upstreams[0].lb-method", "upstreams[0].fail-timeout",
"upstreams[0].max-fails", "upstreams[0].connect-timeout",
"upstreams[0].read-timeout", "upstreams[0].send-timeout",
"upstreams[0].keepalive", "upstreams[0].max-conns",
"upstreams[0].next-upstream",
"upstreams[0].next-upstream-timeout", "upstreams[0].next-upstream-tries",
"upstreams[0].client-max-body-size",
"upstreams[0].buffers.number", "upstreams[0].buffers.size", "upstreams[0].buffer-size"
]
invalid_fields_m = [
"upstreams[0].lb-method", "upstreams[0].fail-timeout",
"upstreams[0].max-fails", "upstreams[0].connect-timeout",
"upstreams[0].read-timeout", "upstreams[0].send-timeout",
"upstreams[0].keepalive", "upstreams[0].max-conns",
"upstreams[0].next-upstream",
"upstreams[0].next-upstream-timeout", "upstreams[0].next-upstream-tries",
"upstreams[0].client-max-body-size",
"upstreams[0].buffers.number", "upstreams[0].buffers.size", "upstreams[0].buffer-size",
"upstreams[1].lb-method", "upstreams[1].fail-timeout",
"upstreams[1].max-fails", "upstreams[1].connect-timeout",
"upstreams[1].read-timeout", "upstreams[1].send-timeout",
"upstreams[1].keepalive", "upstreams[1].max-conns",
"upstreams[1].next-upstream",
"upstreams[1].next-upstream-timeout", "upstreams[1].next-upstream-tries",
"upstreams[1].client-max-body-size",
"upstreams[1].buffers.number", "upstreams[1].buffers.size", "upstreams[1].buffer-size"
]
text_s = f"{v_s_route_setup.route_s.namespace}/{v_s_route_setup.route_s.name}"
text_m = f"{v_s_route_setup.route_m.namespace}/{v_s_route_setup.route_m.name}"
vsr_s_event_text = f"VirtualServerRoute {text_s} was rejected with error:"
vsr_m_event_text = f"VirtualServerRoute {text_m} was rejected with error:"
patch_v_s_route_from_yaml(kube_apis.custom_objects,
v_s_route_setup.route_s.name,
f"{TEST_DATA}/virtual-server-route-upstream-options/route-single-invalid-keys.yaml",
v_s_route_setup.route_s.namespace)
patch_v_s_route_from_yaml(kube_apis.custom_objects,
v_s_route_setup.route_m.name,
f"{TEST_DATA}/virtual-server-route-upstream-options/route-multiple-invalid-keys.yaml",
v_s_route_setup.route_m.namespace)
wait_before_test(2)
ic_pod_name = get_first_pod_name(kube_apis.v1, ingress_controller_prerequisites.namespace)
config = get_vs_nginx_template_conf(kube_apis.v1,
v_s_route_setup.namespace,
v_s_route_setup.vs_name,
ic_pod_name,
ingress_controller_prerequisites.namespace)
vsr_s_events = get_events(kube_apis.v1, v_s_route_setup.route_s.namespace)
vsr_m_events = get_events(kube_apis.v1, v_s_route_setup.route_m.namespace)
assert_event_starts_with_text_and_contains_errors(vsr_s_event_text, vsr_s_events, invalid_fields_s)
assert_event_starts_with_text_and_contains_errors(vsr_m_event_text, vsr_m_events, invalid_fields_m)
assert "upstream" not in config
def patch_valid_vs_route(self, kube_apis, v_s_route_setup) -> None:
"""
Function to revert vs deployment to valid state
"""
patch_src = f"{TEST_DATA}/virtual-server-route-grpc/route-multiple.yaml"
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
patch_src,
v_s_route_setup.route_m.namespace,
)
def test_ap_waf_policy_block(
self,
kube_apis,
crd_ingress_controller_with_ap,
v_s_route_setup,
appprotect_setup,
test_namespace,
ap_enable,
):
"""
Test if WAF policy is working with VSR deployments
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
print(f"Create waf policy")
create_ap_waf_policy_from_yaml(
kube_apis.custom_objects,
waf_pol_dataguard_src,
v_s_route_setup.route_m.namespace,
test_namespace,
ap_enable,
ap_enable,
ap_pol_name,
log_name,
"syslog:server=127.0.0.1:514",
)
wait_before_test()
print(f"Patch vsr with policy: {waf_subroute_vsr_src}")
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
waf_subroute_vsr_src,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
ap_crd_info = read_ap_custom_resource(kube_apis.custom_objects,
test_namespace, "appolicies",
ap_policy_uds)
assert_ap_crd_info(ap_crd_info, ap_policy_uds)
wait_before_test(120)
response = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}+'</script>'",
headers={"host": v_s_route_setup.vs_host},
)
print(response.text)
delete_policy(kube_apis.custom_objects, "waf-policy",
v_s_route_setup.route_m.namespace)
self.restore_default_vsr(kube_apis, v_s_route_setup)
if ap_enable == True:
assert_invalid_responses(response)
elif ap_enable == False:
assert_valid_responses(response)
else:
pytest.fail(f"Invalid arguments")
def restore_default_vsr(self, kube_apis, v_s_route_setup) -> None:
"""
Function to revert vsr deployments to valid state
"""
patch_src_m = f"{TEST_DATA}/virtual-server-route/route-multiple.yaml"
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
patch_src_m,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
def test_auth_basic_policy_credentials(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
v_s_route_setup,
test_namespace,
credentials,
):
"""
Test auth-basic-policy with no credentials, valid credentials and invalid credentials
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
secret, pol_name, headers = self.setup_single_policy(
kube_apis,
v_s_route_setup.route_m.namespace,
credentials,
htpasswd_sec_valid_src,
auth_basic_pol_valid_src,
v_s_route_setup.vs_host,
)
print(f"Patch vsr with policy: {auth_basic_vsr_valid_src}")
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
auth_basic_vsr_valid_src,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
resp = requests.get(f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers=headers)
print(resp.status_code)
delete_policy(kube_apis.custom_objects, pol_name,
v_s_route_setup.route_m.namespace)
delete_secret(kube_apis.v1, secret, v_s_route_setup.route_m.namespace)
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
std_vsr_src,
v_s_route_setup.route_m.namespace,
)
if credentials == valid_credentials:
assert resp.status_code == 200
assert f"Request ID:" in resp.text
else:
assert resp.status_code == 401
assert f"Authorization Required" in resp.text
def test_rl_policy_1rs_vsr(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
v_s_route_setup,
test_namespace,
src,
):
"""
Test if rate-limiting policy is working with ~1 rps in vsr:subroute
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
print(f"Create rl policy")
pol_name = create_policy_from_yaml(kube_apis.custom_objects,
rl_pol_pri_src,
v_s_route_setup.route_m.namespace)
print(f"Patch vsr with policy: {src}")
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
src,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
policy_info = read_custom_resource(kube_apis.custom_objects,
v_s_route_setup.route_m.namespace,
"policies", pol_name)
occur = []
t_end = time.perf_counter() + 1
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={"host": v_s_route_setup.vs_host},
)
print(resp.status_code)
assert resp.status_code == 200
while time.perf_counter() < t_end:
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={"host": v_s_route_setup.vs_host},
)
occur.append(resp.status_code)
delete_policy(kube_apis.custom_objects, pol_name,
v_s_route_setup.route_m.namespace)
self.restore_default_vsr(kube_apis, v_s_route_setup)
assert (policy_info["status"]
and policy_info["status"]["reason"] == "AddedOrUpdated"
and policy_info["status"]["state"] == "Valid")
assert occur.count(200) <= 1
def test_rl_policy_override_vsr(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
v_s_route_setup,
test_namespace,
src,
):
"""
Test if rate-limiting policy with lower rps is used when multiple policies are listed in vsr:subroute
And test if the order of policies in vsr:subroute has no effect
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
print(f"Create rl policy: 1rps")
pol_name_pri = create_policy_from_yaml(
kube_apis.custom_objects, rl_pol_pri_src,
v_s_route_setup.route_m.namespace)
print(f"Create rl policy: 5rps")
pol_name_sec = create_policy_from_yaml(
kube_apis.custom_objects, rl_pol_sec_src,
v_s_route_setup.route_m.namespace)
print(f"Patch vsr with policy: {src}")
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
src,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
occur = []
t_end = time.perf_counter() + 1
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={"host": v_s_route_setup.vs_host},
)
print(resp.status_code)
assert resp.status_code == 200
while time.perf_counter() < t_end:
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={"host": v_s_route_setup.vs_host},
)
occur.append(resp.status_code)
delete_policy(kube_apis.custom_objects, pol_name_pri,
v_s_route_setup.route_m.namespace)
delete_policy(kube_apis.custom_objects, pol_name_sec,
v_s_route_setup.route_m.namespace)
self.restore_default_vsr(kube_apis, v_s_route_setup)
assert occur.count(200) <= 1
def test_mixed_config(self, kube_apis, ingress_controller_prerequisites,
crd_ingress_controller, backend_setup,
v_s_route_setup):
patch_v_s_route_from_yaml(
kube_apis.custom_objects, v_s_route_setup.route_m.name,
f"{TEST_DATA}/virtual-server-route-grpc/route-multiple-mixed.yaml",
v_s_route_setup.route_m.namespace)
wait_before_test()
ic_pod_name = get_first_pod_name(
kube_apis.v1, ingress_controller_prerequisites.namespace)
config = get_vs_nginx_template_conf(
kube_apis.v1, v_s_route_setup.namespace, v_s_route_setup.vs_name,
ic_pod_name, ingress_controller_prerequisites.namespace)
assert_proxy_entries_exist(config)
assert_grpc_entries_exist(config)
def test_config_after_enable_tls(self, kube_apis,
ingress_controller_prerequisites,
crd_ingress_controller, backend_setup,
v_s_route_setup):
ic_pod_name = get_first_pod_name(
kube_apis.v1, ingress_controller_prerequisites.namespace)
patch_v_s_route_from_yaml(
kube_apis.custom_objects, v_s_route_setup.route_m.name,
f"{TEST_DATA}/virtual-server-route-grpc/route-updated.yaml",
v_s_route_setup.route_m.namespace)
wait_before_test()
config = get_vs_nginx_template_conf(
kube_apis.v1, v_s_route_setup.namespace, v_s_route_setup.vs_name,
ic_pod_name, ingress_controller_prerequisites.namespace)
assert 'grpc_pass grpcs://' in config
def test_flow_with_variable(self, kube_apis, crd_ingress_controller,
vsr_adv_routing_setup):
patch_v_s_route_from_yaml(
kube_apis.custom_objects, vsr_adv_routing_setup.route.name,
f"{TEST_DATA}/virtual-server-route-advanced-routing/virtual-server-route-variable.yaml",
vsr_adv_routing_setup.namespace)
wait_before_test(1)
resp_1 = requests.get(vsr_adv_routing_setup.backends_url,
headers={"host": vsr_adv_routing_setup.vs_host})
resp_2 = requests.post(vsr_adv_routing_setup.backends_url,
headers={"host": vsr_adv_routing_setup.vs_host})
resp_3 = requests.put(vsr_adv_routing_setup.backends_url,
headers={"host": vsr_adv_routing_setup.vs_host})
execute_assertions(resp_1, resp_2, resp_3)
def test_responses_and_config_after_disable_tls(
self, kube_apis, ingress_controller_prerequisites,
crd_ingress_controller, v_s_route_setup,
v_s_route_secure_app_setup):
ic_pod_name = get_first_pod_name(
kube_apis.v1, ingress_controller_prerequisites.namespace)
text_s = f"{v_s_route_setup.route_s.namespace}/{v_s_route_setup.route_s.name}"
text_m = f"{v_s_route_setup.route_m.namespace}/{v_s_route_setup.route_m.name}"
text_vs = f"{v_s_route_setup.namespace}/{v_s_route_setup.vs_name}"
vsr_s_event_text = f"Configuration for {text_s} was added or updated"
vsr_m_event_text = f"Configuration for {text_m} was added or updated"
vs_event_text = f"Configuration for {text_vs} was added or updated"
initial_events_ns_m = get_events(kube_apis.v1,
v_s_route_setup.route_m.namespace)
initial_events_ns_s = get_events(kube_apis.v1,
v_s_route_setup.route_s.namespace)
initial_count_vsr_m = assert_event_and_get_count(
vsr_m_event_text, initial_events_ns_m)
initial_count_vsr_s = assert_event_and_get_count(
vsr_s_event_text, initial_events_ns_s)
initial_count_vs = assert_event_and_get_count(vs_event_text,
initial_events_ns_m)
patch_v_s_route_from_yaml(
kube_apis.custom_objects, v_s_route_setup.route_s.name,
f"{TEST_DATA}/virtual-server-route-upstream-tls/route-single-disable-tls.yaml",
v_s_route_setup.route_s.namespace)
wait_before_test(1)
config = get_vs_nginx_template_conf(
kube_apis.v1, v_s_route_setup.namespace, v_s_route_setup.vs_name,
ic_pod_name, ingress_controller_prerequisites.namespace)
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
resp_1 = requests.get(f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={"host": v_s_route_setup.vs_host})
resp_2 = requests.get(f"{req_url}{v_s_route_setup.route_s.paths[0]}",
headers={"host": v_s_route_setup.vs_host})
new_events_ns_m = get_events(kube_apis.v1,
v_s_route_setup.route_m.namespace)
new_events_ns_s = get_events(kube_apis.v1,
v_s_route_setup.route_s.namespace)
assert 'proxy_pass https://' not in config
assert_response_codes(resp_1, resp_2, 200, 400)
assert_event_count_increased(vsr_m_event_text, initial_count_vsr_m,
new_events_ns_m)
assert_event_count_increased(vs_event_text, initial_count_vs,
new_events_ns_m)
assert_event_count_increased(vsr_s_event_text, initial_count_vsr_s,
new_events_ns_s)
def test_validation_flow(self, kube_apis, crd_ingress_controller, v_s_route_setup):
invalid_fields = [
"spec.subroutes[0].action.return.code", "spec.subroutes[0].action.return.body"
]
req_host = f"{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
req_url = f"http://{req_host}{v_s_route_setup.route_s.paths[0]}"
text = f"{v_s_route_setup.namespace}/{v_s_route_setup.route_m.name}"
vsr_m_event_text = f"VirtualServerRoute {text} was rejected with error:"
vsr_src = f"{TEST_DATA}/virtual-server-route-canned-responses/route-multiple-invalid.yaml"
patch_v_s_route_from_yaml(kube_apis.custom_objects,
v_s_route_setup.route_m.name, vsr_src, v_s_route_setup.namespace)
wait_before_test(1)
wait_and_assert_status_code(404, req_url, v_s_route_setup.vs_host)
events = get_events(kube_apis.v1, v_s_route_setup.route_m.namespace)
assert_event_starts_with_text_and_contains_errors(vsr_m_event_text, events, invalid_fields)
def test_status_invalid_prefix(self, kube_apis, crd_ingress_controller,
v_s_route_setup, v_s_route_app_setup):
"""
Test VirtualServerRoute status with a invalid path /prefix in vsr yaml
i.e. referring to non-existing path
"""
patch_src_m = f"{TEST_DATA}/virtual-server-route-status/route-multiple-invalid-prefixed-path.yaml"
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
patch_src_m,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
patch_src_s = f"{TEST_DATA}/virtual-server-route-status/route-single-invalid-prefixed-path.yaml"
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_s.name,
patch_src_s,
v_s_route_setup.route_s.namespace,
)
wait_before_test()
response_m = read_custom_resource(
kube_apis.custom_objects,
v_s_route_setup.route_m.namespace,
"virtualserverroutes",
v_s_route_setup.route_m.name,
)
response_s = read_custom_resource(
kube_apis.custom_objects,
v_s_route_setup.route_s.namespace,
"virtualserverroutes",
v_s_route_setup.route_s.name,
)
self.patch_valid_vsr(kube_apis, v_s_route_setup)
assert (response_m["status"]
and response_m["status"]["reason"] == "AddedOrUpdated"
and response_m["status"]["referencedBy"]
and response_m["status"]["state"] == "Valid")
assert (response_s["status"]
and response_s["status"]["reason"] == "Ignored"
and not response_s["status"]["referencedBy"]
and response_s["status"]["state"] == "Warning")
def test_splits_and_matches(self, kube_apis,
ingress_controller_prerequisites,
crd_ingress_controller, v_s_route_setup,
v_s_r_data):
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
patch_v_s_route_from_yaml(
kube_apis.custom_objects, v_s_route_setup.route_m.name,
f"{TEST_DATA}/virtual-server-route-error-pages/{v_s_r_data['src']}",
v_s_route_setup.route_m.namespace)
wait_and_assert_status_code(
v_s_r_data["expected_code"],
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
v_s_route_setup.vs_host,
allow_redirects=False)
resp = requests.get(f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={"host": v_s_route_setup.vs_host},
allow_redirects=False)
assert f'http://{v_s_route_setup.vs_host}/error.html' in resp.next.url
def test_openapi_validation_flow(self, kube_apis, ingress_controller_prerequisites,
crd_ingress_controller, v_s_route_setup):
ic_pod_name = get_first_pod_name(kube_apis.v1, ingress_controller_prerequisites.namespace)
invalid_fields = [
"upstreams.healthCheck.enable", "upstreams.healthCheck.path",
"upstreams.healthCheck.interval", "upstreams.healthCheck.jitter",
"upstreams.healthCheck.fails", "upstreams.healthCheck.passes",
"upstreams.healthCheck.port", "upstreams.healthCheck.connect-timeout",
"upstreams.healthCheck.read-timeout", "upstreams.healthCheck.send-timeout",
"upstreams.healthCheck.headers.name", "upstreams.healthCheck.headers.value",
"upstreams.healthCheck.statusMatch",
"upstreams.slow-start",
"upstreams.queue.size", "upstreams.queue.timeout",
"upstreams.sessionCookie.name", "upstreams.sessionCookie.path",
"upstreams.sessionCookie.expires", "upstreams.sessionCookie.domain",
"upstreams.sessionCookie.httpOnly", "upstreams.sessionCookie.secure"
]
config_old = get_vs_nginx_template_conf(kube_apis.v1,
v_s_route_setup.namespace,
v_s_route_setup.vs_name,
ic_pod_name,
ingress_controller_prerequisites.namespace)
source_yaml = f"{TEST_DATA}/virtual-server-route-upstream-options/plus-route-s-invalid-keys-openapi.yaml"
try:
patch_v_s_route_from_yaml(kube_apis.custom_objects,
v_s_route_setup.route_s.name,
source_yaml,
v_s_route_setup.route_s.namespace)
except ApiException as ex:
assert ex.status == 422
for item in invalid_fields:
assert item in ex.body
except Exception as ex:
pytest.fail(f"An unexpected exception is raised: {ex}")
else:
pytest.fail("Expected an exception but there was none")
wait_before_test(2)
config_new = get_vs_nginx_template_conf(kube_apis.v1,
v_s_route_setup.namespace,
v_s_route_setup.vs_name,
ic_pod_name,
ingress_controller_prerequisites.namespace)
assert config_old == config_new, "Expected: config doesn't change"
def test_rl_policy_invalid_vsr(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
v_s_route_setup,
test_namespace,
src,
):
"""
Test if using an invalid policy in vsr:subroute results in 500
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
print(f"Create rl policy")
invalid_pol_name = create_policy_from_yaml(
kube_apis.custom_objects, rl_pol_invalid_src,
v_s_route_setup.route_m.namespace)
print(f"Patch vsr with policy: {src}")
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
src,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
policy_info = read_custom_resource(
kube_apis.custom_objects,
v_s_route_setup.route_m.namespace,
"policies",
invalid_pol_name,
)
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={"host": v_s_route_setup.vs_host},
)
print(resp.status_code)
delete_policy(kube_apis.custom_objects, invalid_pol_name,
v_s_route_setup.route_m.namespace)
self.restore_default_vsr(kube_apis, v_s_route_setup)
assert (policy_info["status"]
and policy_info["status"]["reason"] == "Rejected"
and policy_info["status"]["state"] == "Invalid")
assert resp.status_code == 500
def test_validation_flow(self, kube_apis, ingress_controller_prerequisites,
crd_ingress_controller, backend_setup,
v_s_route_setup):
print("\nTest 1: Wrong type")
patch_v_s_route_from_yaml(
kube_apis.custom_objects, v_s_route_setup.route_m.name,
f"{TEST_DATA}/virtual-server-route-grpc/route-invalid-type.yaml",
v_s_route_setup.route_m.namespace)
wait_before_test()
text_m = f"{v_s_route_setup.route_m.namespace}/{v_s_route_setup.route_m.name}"
vsr_m_event_text = f"VirtualServerRoute {text_m} was rejected with error:"
invalid_fields_m = ["spec.upstreams[0].type", "spec.upstreams[1].type"]
vsr_m_events = get_events(kube_apis.v1,
v_s_route_setup.route_m.namespace)
assert_event_starts_with_text_and_contains_errors(
vsr_m_event_text, vsr_m_events, invalid_fields_m)
self.patch_valid_vs_route(kube_apis, v_s_route_setup)
wait_before_test()
def test_validation_flow(self, kube_apis, ingress_controller_prerequisites,
crd_ingress_controller, v_s_route_setup,
v_s_route_secure_app_setup):
ic_pod_name = get_first_pod_name(
kube_apis.v1, ingress_controller_prerequisites.namespace)
initial_events_ns_m = get_events(kube_apis.v1,
v_s_route_setup.route_m.namespace)
initial_events_ns_s = get_events(kube_apis.v1,
v_s_route_setup.route_s.namespace)
try:
patch_v_s_route_from_yaml(
kube_apis.custom_objects, v_s_route_setup.route_s.name,
f"{TEST_DATA}/virtual-server-route-upstream-tls/route-single-invalid.yaml",
v_s_route_setup.route_s.namespace)
except ApiException as ex:
assert ex.status == 422 and "tls.enable" in ex.body
except Exception as ex:
pytest.fail(f"An unexpected exception is raised: {ex}")
else:
pytest.fail("Expected an exception but there was none")
wait_before_test(1)
config = get_vs_nginx_template_conf(
kube_apis.v1, v_s_route_setup.namespace, v_s_route_setup.vs_name,
ic_pod_name, ingress_controller_prerequisites.namespace)
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
resp_1 = requests.get(f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={"host": v_s_route_setup.vs_host})
resp_2 = requests.get(f"{req_url}{v_s_route_setup.route_s.paths[0]}",
headers={"host": v_s_route_setup.vs_host})
new_events_ns_m = get_events(kube_apis.v1,
v_s_route_setup.route_m.namespace)
new_events_ns_s = get_events(kube_apis.v1,
v_s_route_setup.route_s.namespace)
vs_line = f"vs_{v_s_route_setup.namespace}_{v_s_route_setup.vs_name}"
proxy_host_s = f"{vs_line}_vsr_{v_s_route_setup.route_s.namespace}_{v_s_route_setup.route_s.name}"
proxy_host_m = f"{vs_line}_vsr_{v_s_route_setup.route_m.namespace}_{v_s_route_setup.route_m.name}"
assert f'proxy_pass https://{proxy_host_m}' not in config
assert f'proxy_pass https://{proxy_host_s}' in config
assert_response_codes(resp_1, resp_2)
assert_no_new_events(initial_events_ns_m, new_events_ns_m)
assert_no_new_events(initial_events_ns_s, new_events_ns_s)