def test_ap_enable_false_policy_correct(self, kube_apis,
                                            crd_ingress_controller_with_ap,
                                            appprotect_setup, test_namespace):
        """
        Test malicious script request is working normally while AppProtect is disabled in Ingress
        """
        create_ingress_with_ap_annotations(kube_apis, src_ing_yaml,
                                           test_namespace, ap_policy, "False",
                                           "True", "127.0.0.1:514")
        ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml)

        print(
            "--------- Run test while AppProtect module is disabled with correct policy ---------"
        )

        ap_crd_info = read_ap_custom_resource(kube_apis.custom_objects,
                                              test_namespace, "appolicies",
                                              ap_policy)
        assert_ap_crd_info(ap_crd_info, ap_policy)
        ensure_response_from_backend(appprotect_setup.req_url,
                                     ingress_host,
                                     check404=True)

        print("----------------------- Send request ----------------------")
        response = requests.get(appprotect_setup.req_url + "/<script>",
                                headers={"host": ingress_host},
                                verify=False)
        print(response.text)
        delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace)
        assert_valid_responses(response)
    def test_ap_enable_true_policy_correct_uds(self, request, kube_apis,
                                               crd_ingress_controller_with_ap,
                                               appprotect_setup,
                                               test_namespace):
        """
        Test request with UDS rule string is rejected while AppProtect with User Defined Signatures is enabled in Ingress
        """

        usersig_name = create_ap_usersig_from_yaml(kube_apis.custom_objects,
                                                   uds_crd_resource,
                                                   test_namespace)
        # Apply dataguard-alarm AP policy with UDS
        delete_and_create_ap_policy_from_yaml(
            kube_apis.custom_objects,
            ap_policy,
            f"{TEST_DATA}/appprotect/{ap_policy_uds}.yaml",
            test_namespace,
        )
        wait_before_test()

        create_ingress_with_ap_annotations(kube_apis, src_ing_yaml,
                                           test_namespace, ap_policy, "True",
                                           "True", "127.0.0.1:514")
        ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml)

        print(
            "--------- Run test while AppProtect module is enabled with correct policy and UDS ---------"
        )

        ap_crd_info = read_ap_custom_resource(kube_apis.custom_objects,
                                              test_namespace, "appolicies",
                                              ap_policy)

        wait_before_test(120)
        ensure_response_from_backend(appprotect_setup.req_url,
                                     ingress_host,
                                     check404=True)
        print("----------------------- Send request ----------------------")
        response = requests.get(appprotect_setup.req_url,
                                headers={"host": ingress_host},
                                verify=False,
                                data="kic")
        print(response.text)

        reload_ms = get_last_reload_time(appprotect_setup.metrics_url, "nginx")
        print(f"last reload duration: {reload_ms} ms")
        reload_times[
            f"{request.node.name}"] = f"last reload duration: {reload_ms} ms"

        # Restore default dataguard-alarm policy
        delete_and_create_ap_policy_from_yaml(
            kube_apis.custom_objects,
            ap_policy,
            f"{TEST_DATA}/appprotect/{ap_policy}.yaml",
            test_namespace,
        )
        delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace)

        assert_ap_crd_info(ap_crd_info, ap_policy)
        assert_invalid_responses(response)
    def test_ap_waf_policy_block(
        self,
        kube_apis,
        crd_ingress_controller_with_ap,
        v_s_route_setup,
        appprotect_setup,
        test_namespace,
        ap_enable,
    ):
        """
        Test if WAF policy is working with VSR deployments
        """
        req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"

        print(f"Create waf policy")
        create_ap_waf_policy_from_yaml(
            kube_apis.custom_objects,
            waf_pol_dataguard_src,
            v_s_route_setup.route_m.namespace,
            test_namespace,
            ap_enable,
            ap_enable,
            ap_pol_name,
            log_name,
            "syslog:server=127.0.0.1:514",
        )
        wait_before_test()
        print(f"Patch vsr with policy: {waf_subroute_vsr_src}")
        patch_v_s_route_from_yaml(
            kube_apis.custom_objects,
            v_s_route_setup.route_m.name,
            waf_subroute_vsr_src,
            v_s_route_setup.route_m.namespace,
        )
        wait_before_test()
        ap_crd_info = read_ap_custom_resource(kube_apis.custom_objects,
                                              test_namespace, "appolicies",
                                              ap_policy_uds)
        assert_ap_crd_info(ap_crd_info, ap_policy_uds)
        wait_before_test(120)
        response = requests.get(
            f"{req_url}{v_s_route_setup.route_m.paths[0]}+'</script>'",
            headers={"host": v_s_route_setup.vs_host},
        )
        print(response.text)
        delete_policy(kube_apis.custom_objects, "waf-policy",
                      v_s_route_setup.route_m.namespace)
        self.restore_default_vsr(kube_apis, v_s_route_setup)
        if ap_enable == True:
            assert_invalid_responses(response)
        elif ap_enable == False:
            assert_valid_responses(response)
        else:
            pytest.fail(f"Invalid arguments")
    def test_ap_waf_policy_logs(
        self,
        kube_apis,
        crd_ingress_controller_with_ap,
        virtual_server_setup,
        appprotect_setup,
        test_namespace,
    ):
        """
        Test waf policy logs
        """
        src_syslog_yaml = f"{TEST_DATA}/ap-waf/syslog.yaml"
        log_loc = f"/var/log/messages"
        create_items_from_yaml(kube_apis, src_syslog_yaml, test_namespace)
        wait_before_test(40)
        syslog_ep = (kube_apis.v1.read_namespaced_endpoints(
            "syslog-svc", test_namespace).subsets[0].addresses[0].ip)
        syslog_pod = kube_apis.v1.list_namespaced_pod(
            test_namespace).items[-1].metadata.name
        print(f"Create waf policy")
        create_ap_waf_policy_from_yaml(
            kube_apis.custom_objects,
            waf_pol_dataguard_src,
            test_namespace,
            test_namespace,
            True,
            True,
            ap_pol_name,
            log_name,
            f"syslog:server={syslog_ep}:514",
        )
        wait_before_test()
        print(f"Patch vs with policy: {waf_spec_vs_src}")
        patch_virtual_server_from_yaml(
            kube_apis.custom_objects,
            virtual_server_setup.vs_name,
            waf_spec_vs_src,
            virtual_server_setup.namespace,
        )
        wait_before_test()
        ap_crd_info = read_ap_custom_resource(kube_apis.custom_objects,
                                              test_namespace, "appolicies",
                                              ap_policy_uds)
        assert_ap_crd_info(ap_crd_info, ap_policy_uds)
        wait_before_test(120)

        print(
            "----------------------- Send request with embedded malicious script----------------------"
        )
        response = requests.get(
            virtual_server_setup.backend_1_url + "</script>",
            headers={"host": virtual_server_setup.vs_host},
        )
        print(response.text)
        wait_before_test(5)
        log_contents = get_file_contents(kube_apis.v1, log_loc, syslog_pod,
                                         test_namespace)

        delete_policy(kube_apis.custom_objects, "waf-policy", test_namespace)
        self.restore_default_vs(kube_apis, virtual_server_setup)

        assert_invalid_responses(response)
        assert (
            f'ASM:attack_type="Non-browser Client,Abuse of Functionality,Cross Site Scripting (XSS)"'
            in log_contents)
        assert f'severity="Critical"' in log_contents
        assert f'request_status="blocked"' in log_contents
        assert f'outcome="REJECTED"' in log_contents
    def test_ap_waf_policy_allow(
        self,
        kube_apis,
        crd_ingress_controller_with_ap,
        virtual_server_setup,
        appprotect_setup,
        test_namespace,
        vs_src,
        waf,
    ):
        """
        Test waf policy when disabled
        """
        print(f"Create waf policy")
        create_ap_waf_policy_from_yaml(
            kube_apis.custom_objects,
            waf,
            test_namespace,
            test_namespace,
            False,
            False,
            ap_pol_name,
            log_name,
            "syslog:server=127.0.0.1:514",
        )
        wait_before_test()
        print(f"Patch vs with policy: {vs_src}")
        patch_virtual_server_from_yaml(
            kube_apis.custom_objects,
            virtual_server_setup.vs_name,
            vs_src,
            virtual_server_setup.namespace,
        )
        wait_before_test()
        ap_crd_info = read_ap_custom_resource(kube_apis.custom_objects,
                                              test_namespace, "appolicies",
                                              ap_policy_uds)
        assert_ap_crd_info(ap_crd_info, ap_policy_uds)
        wait_before_test(120)

        print(
            "----------------------- Send request with embedded malicious script----------------------"
        )
        response1 = requests.get(
            virtual_server_setup.backend_1_url + "</script>",
            headers={"host": virtual_server_setup.vs_host},
        )
        print(response1.text)

        print(
            "----------------------- Send request with blocked keyword in UDS----------------------"
        )
        response2 = requests.get(
            virtual_server_setup.backend_1_url,
            headers={"host": virtual_server_setup.vs_host},
            data="kic",
        )
        print(response2.text)

        delete_policy(kube_apis.custom_objects, "waf-policy", test_namespace)
        self.restore_default_vs(kube_apis, virtual_server_setup)
        assert_valid_responses(response1)
        assert_valid_responses(response2)