def test_policy_matching_ingress_class(
self, kube_apis, crd_ingress_controller, virtual_server_setup, test_namespace, src,
):
"""
Test if policy with matching ingress class is applied to vs
"""
print(f"Create rl policy")
pol_name = create_policy_from_yaml(kube_apis.custom_objects, policy_ingress_class_src, test_namespace)
wait_before_test()
policy_info = read_custom_resource(kube_apis.custom_objects, test_namespace, "policies", pol_name)
assert (
policy_info["status"]
and policy_info["status"]["reason"] == "AddedOrUpdated"
and policy_info["status"]["state"] == "Valid"
)
print(f"Patch vs with policy: {src}")
patch_virtual_server_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
src,
virtual_server_setup.namespace,
)
wait_before_test()
vs_info = read_custom_resource(kube_apis.custom_objects, virtual_server_setup.namespace, "virtualservers", virtual_server_setup.vs_name)
assert (
vs_info["status"]
and vs_info["status"]["reason"] == "AddedOrUpdated"
and vs_info["status"]["state"] == "Valid"
)
delete_policy(kube_apis.custom_objects, pol_name, test_namespace)
self.restore_default_vs(kube_apis, virtual_server_setup)
def test_policy_non_matching_ingress_class(
self, kube_apis, crd_ingress_controller, virtual_server_setup, test_namespace, src,
):
"""
Test if non matching policy gets caught by vc validation
"""
print(f"Create rl policy")
pol_name = create_policy_from_yaml(kube_apis.custom_objects, policy_other_ingress_class_src, test_namespace)
wait_before_test()
policy_info = read_custom_resource(kube_apis.custom_objects, test_namespace, "policies", pol_name)
assert "status" not in policy_info, "the policy is not managed by the IC, therefore the status is not updated"
print(f"Patch vs with policy: {src}")
patch_virtual_server_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
src,
virtual_server_setup.namespace,
)
wait_before_test()
vs_info = read_custom_resource(kube_apis.custom_objects, virtual_server_setup.namespace, "virtualservers", virtual_server_setup.vs_name)
assert (
vs_info["status"]
and "rate-limit-primary is missing or invalid" in vs_info["status"]["message"]
and vs_info["status"]["reason"] == "AddedOrUpdatedWithWarning"
and vs_info["status"]["state"] == "Warning"
)
delete_policy(kube_apis.custom_objects, pol_name, test_namespace)
self.restore_default_vs(kube_apis, virtual_server_setup)
def test_status_valid(self, kube_apis, crd_ingress_controller,
v_s_route_setup, v_s_route_app_setup):
"""
Test VirtualServerRoute status with a valid fields in yaml
"""
response_m = read_custom_resource(
kube_apis.custom_objects,
v_s_route_setup.route_m.namespace,
"virtualserverroutes",
v_s_route_setup.route_m.name,
)
response_s = read_custom_resource(
kube_apis.custom_objects,
v_s_route_setup.route_s.namespace,
"virtualserverroutes",
v_s_route_setup.route_s.name,
)
assert (response_m["status"]
and response_m["status"]["reason"] == "AddedOrUpdated"
and response_m["status"]["referencedBy"]
and response_m["status"]["state"] == "Valid")
assert (response_s["status"]
and response_s["status"]["reason"] == "AddedOrUpdated"
and response_s["status"]["referencedBy"]
and response_s["status"]["state"] == "Valid")
def test_status_warning(
self,
kube_apis,
crd_ingress_controller,
virtual_server_setup,
):
"""
Test VirtualServer status with conflicting Upstream fields
Only for N+ since Slow-start isn
"""
patch_src = f"{TEST_DATA}/virtual-server-status/warning-state.yaml"
patch_virtual_server_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
patch_src,
virtual_server_setup.namespace,
)
wait_before_test()
response = read_custom_resource(
kube_apis.custom_objects,
virtual_server_setup.namespace,
"virtualservers",
virtual_server_setup.vs_name,
)
self.patch_valid_vs(kube_apis, virtual_server_setup)
assert (response["status"]
and response["status"]["reason"] == "AddedOrUpdatedWithWarning"
and response["status"]["state"] == "Warning")
def test_status_invalid(
self,
kube_apis,
crd_ingress_controller,
virtual_server_setup,
):
"""
Test VirtualServer status with a invalid path pattern
"""
patch_src = f"{TEST_DATA}/virtual-server-status/invalid-state.yaml"
patch_virtual_server_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
patch_src,
virtual_server_setup.namespace,
)
wait_before_test()
response = read_custom_resource(
kube_apis.custom_objects,
virtual_server_setup.namespace,
"virtualservers",
virtual_server_setup.vs_name,
)
self.patch_valid_vs(kube_apis, virtual_server_setup)
assert (response["status"]
and response["status"]["reason"] == "Rejected"
and response["status"]["state"] == "Invalid")
def test_jwt_policy_override(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
v_s_route_setup,
test_namespace,
):
"""
Test if first reference to a policy in the same context(subroute) takes precedence,
i.e. in this case, policy without $httptoken over policy with $httptoken.
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
secret, pol_name_1, pol_name_2, headers = self.setup_multiple_policies(
kube_apis,
v_s_route_setup.route_m.namespace,
valid_token,
jwk_sec_valid_src,
jwt_pol_valid_src,
jwt_pol_multi_src,
v_s_route_setup.vs_host,
)
print(f"Patch vsr with policies: {jwt_pol_valid_src}")
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
jwt_vsr_override_src,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers=headers,
)
print(resp.status_code)
crd_info = read_custom_resource(
kube_apis.custom_objects,
v_s_route_setup.route_m.namespace,
"virtualserverroutes",
v_s_route_setup.route_m.name,
)
delete_policy(kube_apis.custom_objects, pol_name_1,
v_s_route_setup.route_m.namespace)
delete_policy(kube_apis.custom_objects, pol_name_2,
v_s_route_setup.route_m.namespace)
delete_secret(kube_apis.v1, secret, v_s_route_setup.route_m.namespace)
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
std_vsr_src,
v_s_route_setup.route_m.namespace,
)
assert resp.status_code == 401
assert f"Authorization Required" in resp.text
assert (f"Multiple jwt policies in the same context is not valid."
in crd_info["status"]["message"])
def test_jwt_policy_delete_policy(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
v_s_route_setup,
test_namespace,
):
"""
Test if requests result in 500 when policy is deleted
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
secret, pol_name, headers = self.setup_single_policy(
kube_apis,
v_s_route_setup.route_m.namespace,
valid_token,
jwk_sec_valid_src,
jwt_pol_valid_src,
v_s_route_setup.vs_host,
)
print(f"Patch vsr with policy: {jwt_pol_valid_src}")
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
jwt_vsr_valid_src,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
resp1 = requests.get(f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers=headers,)
print(resp1.status_code)
delete_policy(kube_apis.custom_objects, pol_name, v_s_route_setup.route_m.namespace)
resp2 = requests.get(f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers=headers,)
print(resp2.status_code)
crd_info = read_custom_resource(
kube_apis.custom_objects,
v_s_route_setup.route_m.namespace,
"virtualserverroutes",
v_s_route_setup.route_m.name,
)
delete_secret(kube_apis.v1, secret, v_s_route_setup.route_m.namespace)
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
std_vsr_src,
v_s_route_setup.route_m.namespace,
)
assert resp1.status_code == 200
assert f"Request ID:" in resp1.text
assert crd_info["status"]["state"] == "Warning"
assert (
f"{v_s_route_setup.route_m.namespace}/{pol_name} is missing"
in crd_info["status"]["message"]
)
assert resp2.status_code == 500
assert f"Internal Server Error" in resp2.text
def test_status_invalid_prefix(self, kube_apis, crd_ingress_controller,
v_s_route_setup, v_s_route_app_setup):
"""
Test VirtualServerRoute status with a invalid path /prefix in vsr yaml
i.e. referring to non-existing path
"""
patch_src_m = f"{TEST_DATA}/virtual-server-route-status/route-multiple-invalid-prefixed-path.yaml"
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
patch_src_m,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
patch_src_s = f"{TEST_DATA}/virtual-server-route-status/route-single-invalid-prefixed-path.yaml"
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_s.name,
patch_src_s,
v_s_route_setup.route_s.namespace,
)
wait_before_test()
response_m = read_custom_resource(
kube_apis.custom_objects,
v_s_route_setup.route_m.namespace,
"virtualserverroutes",
v_s_route_setup.route_m.name,
)
response_s = read_custom_resource(
kube_apis.custom_objects,
v_s_route_setup.route_s.namespace,
"virtualserverroutes",
v_s_route_setup.route_s.name,
)
self.patch_valid_vsr(kube_apis, v_s_route_setup)
assert (response_m["status"]
and response_m["status"]["reason"] == "AddedOrUpdated"
and response_m["status"]["referencedBy"]
and response_m["status"]["state"] == "Valid")
assert (response_s["status"]
and response_s["status"]["reason"] == "Ignored"
and not response_s["status"]["referencedBy"]
and response_s["status"]["state"] == "Warning")
def test_auth_basic_policy_secret(
self, kube_apis, crd_ingress_controller, virtual_server_setup, test_namespace, htpasswd_secret,
):
"""
Test auth-basic-policy with a valid and an invalid secret
"""
if htpasswd_secret == htpasswd_sec_valid_src:
pol = auth_basic_pol_valid_src
vs = auth_basic_vs_single_src
elif htpasswd_secret == htpasswd_sec_invalid_src:
pol = auth_basic_pol_invalid_sec_src
vs = auth_basic_vs_single_invalid_sec_src
else:
pytest.fail("Invalid configuration")
secret, pol_name, headers = self.setup_single_policy(
kube_apis, test_namespace, valid_credentials, htpasswd_secret, pol, virtual_server_setup.vs_host,
)
print(f"Patch vs with policy: {pol}")
delete_and_create_vs_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
vs,
virtual_server_setup.namespace,
)
wait_before_test()
resp = requests.get(virtual_server_setup.backend_1_url, headers=headers)
print(resp.status_code)
crd_info = read_custom_resource(
kube_apis.custom_objects,
virtual_server_setup.namespace,
"virtualservers",
virtual_server_setup.vs_name,
)
delete_policy(kube_apis.custom_objects, pol_name, test_namespace)
delete_secret(kube_apis.v1, secret, test_namespace)
delete_and_create_vs_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
std_vs_src,
virtual_server_setup.namespace,
)
if htpasswd_secret == htpasswd_sec_valid_src:
assert resp.status_code == 200
assert f"Request ID:" in resp.text
assert crd_info["status"]["state"] == "Valid"
elif htpasswd_secret == htpasswd_sec_invalid_src:
assert resp.status_code == 500
assert f"Internal Server Error" in resp.text
assert crd_info["status"]["state"] == "Warning"
else:
pytest.fail(f"Not a valid case or parameter")
def test_rl_policy_1rs_vsr(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
v_s_route_setup,
test_namespace,
src,
):
"""
Test if rate-limiting policy is working with ~1 rps in vsr:subroute
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
print(f"Create rl policy")
pol_name = create_policy_from_yaml(kube_apis.custom_objects,
rl_pol_pri_src,
v_s_route_setup.route_m.namespace)
print(f"Patch vsr with policy: {src}")
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
src,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
policy_info = read_custom_resource(kube_apis.custom_objects,
v_s_route_setup.route_m.namespace,
"policies", pol_name)
occur = []
t_end = time.perf_counter() + 1
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={"host": v_s_route_setup.vs_host},
)
print(resp.status_code)
assert resp.status_code == 200
while time.perf_counter() < t_end:
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={"host": v_s_route_setup.vs_host},
)
occur.append(resp.status_code)
delete_policy(kube_apis.custom_objects, pol_name,
v_s_route_setup.route_m.namespace)
self.restore_default_vsr(kube_apis, v_s_route_setup)
assert (policy_info["status"]
and policy_info["status"]["reason"] == "AddedOrUpdated"
and policy_info["status"]["state"] == "Valid")
assert occur.count(200) <= 1
def test_status_invalid_vsr_in_vs(self, kube_apis, crd_ingress_controller,
v_s_route_setup, v_s_route_app_setup):
"""
Test VirtualServerRoute status with invalid vsr reference in vs yaml
"""
patch_src = f"{TEST_DATA}/virtual-server-route-status/virtual-server-invalid.yaml"
patch_virtual_server_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.vs_name,
patch_src,
v_s_route_setup.namespace,
)
wait_before_test()
response_m = read_custom_resource(
kube_apis.custom_objects,
v_s_route_setup.route_m.namespace,
"virtualserverroutes",
v_s_route_setup.route_m.name,
)
response_s = read_custom_resource(
kube_apis.custom_objects,
v_s_route_setup.route_s.namespace,
"virtualserverroutes",
v_s_route_setup.route_s.name,
)
self.patch_valid_vs(kube_apis, v_s_route_setup)
assert (response_m["status"]
and response_m["status"]["reason"] == "Ignored"
and not response_m["status"]["referencedBy"]
and response_m["status"]["state"] == "Warning")
assert (response_s["status"]
and response_s["status"]["reason"] == "Ignored"
and not response_s["status"]["referencedBy"]
and response_s["status"]["state"] == "Warning")
def test_status_remove_vs(self, kube_apis, crd_ingress_controller,
v_s_route_setup, v_s_route_app_setup):
"""
Test VirtualServerRoute status after deleting referenced VirtualServer
"""
delete_virtual_server(
kube_apis.custom_objects,
v_s_route_setup.vs_name,
v_s_route_setup.namespace,
)
response_m = read_custom_resource(
kube_apis.custom_objects,
v_s_route_setup.route_m.namespace,
"virtualserverroutes",
v_s_route_setup.route_m.name,
)
response_s = read_custom_resource(
kube_apis.custom_objects,
v_s_route_setup.route_s.namespace,
"virtualserverroutes",
v_s_route_setup.route_s.name,
)
vs_src = f"{TEST_DATA}/virtual-server-route-status/standard/virtual-server.yaml"
create_virtual_server_from_yaml(kube_apis.custom_objects, vs_src,
v_s_route_setup.namespace)
assert (response_m["status"]
and response_m["status"]["reason"] == "NoVirtualServerFound"
and not response_m["status"]["referencedBy"]
and response_m["status"]["state"] == "Warning")
assert (response_s["status"]
and response_s["status"]["reason"] == "NoVirtualServerFound"
and not response_s["status"]["referencedBy"]
and response_s["status"]["state"] == "Warning")
def test_rl_policy_1rs(
self,
kube_apis,
crd_ingress_controller,
virtual_server_setup,
test_namespace,
src,
):
"""
Test if rate-limiting policy is working with 1 rps
"""
print(f"Create rl policy")
pol_name = create_policy_from_yaml(kube_apis.custom_objects,
rl_pol_pri_src, test_namespace)
print(f"Patch vs with policy: {src}")
patch_virtual_server_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
src,
virtual_server_setup.namespace,
)
wait_before_test()
policy_info = read_custom_resource(kube_apis.custom_objects,
test_namespace, "policies",
pol_name)
occur = []
t_end = time.perf_counter() + 1
resp = requests.get(
virtual_server_setup.backend_1_url,
headers={"host": virtual_server_setup.vs_host},
)
print(resp.status_code)
assert resp.status_code == 200
while time.perf_counter() < t_end:
resp = requests.get(
virtual_server_setup.backend_1_url,
headers={"host": virtual_server_setup.vs_host},
)
occur.append(resp.status_code)
delete_policy(kube_apis.custom_objects, pol_name, test_namespace)
self.restore_default_vs(kube_apis, virtual_server_setup)
assert (policy_info["status"]
and policy_info["status"]["reason"] == "AddedOrUpdated"
and policy_info["status"]["state"] == "Valid")
assert occur.count(200) <= 1
def test_status_valid(
self,
kube_apis,
crd_ingress_controller,
virtual_server_setup,
):
"""
Test VirtualServer status with a valid fields in yaml
"""
response = read_custom_resource(
kube_apis.custom_objects,
virtual_server_setup.namespace,
"virtualservers",
virtual_server_setup.vs_name,
)
assert (response["status"]
and response["status"]["reason"] == "AddedOrUpdated"
and response["status"]["state"] == "Valid")
def test_rl_policy_invalid_vsr(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
v_s_route_setup,
test_namespace,
src,
):
"""
Test if using an invalid policy in vsr:subroute results in 500
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
print(f"Create rl policy")
invalid_pol_name = create_policy_from_yaml(
kube_apis.custom_objects, rl_pol_invalid_src,
v_s_route_setup.route_m.namespace)
print(f"Patch vsr with policy: {src}")
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
src,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
policy_info = read_custom_resource(
kube_apis.custom_objects,
v_s_route_setup.route_m.namespace,
"policies",
invalid_pol_name,
)
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={"host": v_s_route_setup.vs_host},
)
print(resp.status_code)
delete_policy(kube_apis.custom_objects, invalid_pol_name,
v_s_route_setup.route_m.namespace)
self.restore_default_vsr(kube_apis, v_s_route_setup)
assert (policy_info["status"]
and policy_info["status"]["reason"] == "Rejected"
and policy_info["status"]["state"] == "Invalid")
assert resp.status_code == 500
def test_rl_policy_invalid(
self,
kube_apis,
crd_ingress_controller,
virtual_server_setup,
test_namespace,
src,
):
"""
Test the status code is 500 if invalid policy is deployed
"""
print(f"Create rl policy")
invalid_pol_name = create_policy_from_yaml(kube_apis.custom_objects,
rl_pol_invalid,
test_namespace)
print(f"Patch vs with policy: {src}")
patch_virtual_server_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
src,
virtual_server_setup.namespace,
)
wait_before_test()
policy_info = read_custom_resource(kube_apis.custom_objects,
test_namespace, "policies",
invalid_pol_name)
resp = requests.get(
virtual_server_setup.backend_1_url,
headers={"host": virtual_server_setup.vs_host},
)
print(resp.text)
delete_policy(kube_apis.custom_objects, invalid_pol_name,
test_namespace)
self.restore_default_vs(kube_apis, virtual_server_setup)
assert (policy_info["status"]
and policy_info["status"]["reason"] == "Rejected"
and policy_info["status"]["state"] == "Invalid")
assert resp.status_code == 500
def test_auth_basic_policy_delete_secret(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
v_s_route_setup,
test_namespace,
):
"""
Test if requests result in 500 when secret is deleted
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
secret, pol_name, headers = self.setup_single_policy(
kube_apis,
v_s_route_setup.route_m.namespace,
valid_credentials,
htpasswd_sec_valid_src,
auth_basic_pol_valid_src,
v_s_route_setup.vs_host,
)
print(f"Patch vsr with policy: {auth_basic_pol_valid_src}")
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
auth_basic_vsr_valid_src,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
resp1 = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers=headers,
)
print(resp1.status_code)
delete_secret(kube_apis.v1, secret, v_s_route_setup.route_m.namespace)
resp2 = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers=headers,
)
print(resp2.status_code)
crd_info = read_custom_resource(
kube_apis.custom_objects,
v_s_route_setup.route_m.namespace,
"virtualserverroutes",
v_s_route_setup.route_m.name,
)
delete_policy(kube_apis.custom_objects, pol_name,
v_s_route_setup.route_m.namespace)
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
std_vsr_src,
v_s_route_setup.route_m.namespace,
)
assert resp1.status_code == 200
assert f"Request ID:" in resp1.text
assert crd_info["status"]["state"] == "Warning"
assert (
f"references an invalid secret {v_s_route_setup.route_m.namespace}/{secret}: secret doesn't exist or of an unsupported type"
in crd_info["status"]["message"])
assert resp2.status_code == 500
assert f"Internal Server Error" in resp2.text
def test_jwt_policy(
self,
kube_apis,
crd_ingress_controller,
virtual_server_setup,
test_namespace,
policy,
):
"""
Test jwt-policy with a valid and an invalid policy
"""
secret, pol_name, headers = self.setup_single_policy(
kube_apis,
test_namespace,
valid_token,
jwk_sec_valid_src,
policy,
virtual_server_setup.vs_host,
)
print(f"Patch vs with policy: {policy}")
policy_info = read_custom_resource(kube_apis.custom_objects,
test_namespace, "policies",
pol_name)
if policy == jwt_pol_valid_src:
vs_src = jwt_vs_single_src
assert (policy_info["status"]
and policy_info["status"]["reason"] == "AddedOrUpdated"
and policy_info["status"]["state"] == "Valid")
elif policy == jwt_pol_invalid_src:
vs_src = jwt_vs_single_invalid_pol_src
assert (policy_info["status"]
and policy_info["status"]["reason"] == "Rejected"
and policy_info["status"]["state"] == "Invalid")
else:
pytest.fail("Invalid configuration")
delete_and_create_vs_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
vs_src,
virtual_server_setup.namespace,
)
wait_before_test()
resp = requests.get(virtual_server_setup.backend_1_url,
headers=headers)
print(resp.status_code)
crd_info = read_custom_resource(
kube_apis.custom_objects,
virtual_server_setup.namespace,
"virtualservers",
virtual_server_setup.vs_name,
)
delete_policy(kube_apis.custom_objects, pol_name, test_namespace)
delete_secret(kube_apis.v1, secret, test_namespace)
delete_and_create_vs_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
std_vs_src,
virtual_server_setup.namespace,
)
if policy == jwt_pol_valid_src:
assert resp.status_code == 200
assert f"Request ID:" in resp.text
assert crd_info["status"]["state"] == "Valid"
elif policy == jwt_pol_invalid_src:
assert resp.status_code == 500
assert f"Internal Server Error" in resp.text
assert crd_info["status"]["state"] == "Warning"
else:
pytest.fail(f"Not a valid case or parameter")
def test_jwt_policy(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
v_s_route_setup,
test_namespace,
policy,
):
"""
Test jwt-policy with a valid and an invalid policy
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
if policy == jwt_pol_valid_src:
vsr = jwt_vsr_valid_src
elif policy == jwt_pol_invalid_src:
vsr = jwt_vsr_invalid_src
else:
pytest.fail(f"Not a valid case or parameter")
secret, pol_name, headers = self.setup_single_policy(
kube_apis,
v_s_route_setup.route_m.namespace,
valid_token,
jwk_sec_valid_src,
policy,
v_s_route_setup.vs_host,
)
print(f"Patch vsr with policy: {policy}")
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
vsr,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers=headers,
)
print(resp.status_code)
policy_info = read_custom_resource(kube_apis.custom_objects,
v_s_route_setup.route_m.namespace,
"policies", pol_name)
crd_info = read_custom_resource(
kube_apis.custom_objects,
v_s_route_setup.route_m.namespace,
"virtualserverroutes",
v_s_route_setup.route_m.name,
)
delete_policy(kube_apis.custom_objects, pol_name,
v_s_route_setup.route_m.namespace)
delete_secret(kube_apis.v1, secret, v_s_route_setup.route_m.namespace)
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
std_vsr_src,
v_s_route_setup.route_m.namespace,
)
if policy == jwt_pol_valid_src:
assert resp.status_code == 200
assert f"Request ID:" in resp.text
assert crd_info["status"]["state"] == "Valid"
assert (policy_info["status"]
and policy_info["status"]["reason"] == "AddedOrUpdated"
and policy_info["status"]["state"] == "Valid")
elif policy == jwt_pol_invalid_src:
assert resp.status_code == 500
assert f"Internal Server Error" in resp.text
assert crd_info["status"]["state"] == "Warning"
assert (policy_info["status"]
and policy_info["status"]["reason"] == "Rejected"
and policy_info["status"]["state"] == "Invalid")
else:
pytest.fail(f"Not a valid case or parameter")
def test_allow_policy_vsr(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
test_namespace,
config_setup,
v_s_route_setup,
):
"""
Test if ip (10.0.0.1) block-listing is working (policy specified in vsr subroute): default(no policy) -> deny
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={
"host": v_s_route_setup.vs_host,
"X-Real-IP": "10.0.0.1"
},
)
print(f"Response: {resp.status_code}\n{resp.text}")
assert resp.status_code == 200
print(f"Create allow policy")
pol_name = create_policy_from_yaml(kube_apis.custom_objects,
allow_pol_src,
v_s_route_setup.route_m.namespace)
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
allow_vsr_src,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
policy_info = read_custom_resource(kube_apis.custom_objects,
v_s_route_setup.route_m.namespace,
"policies", pol_name)
print(f"\nUse IP listed in deny block: 10.0.0.1")
resp1 = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={
"host": v_s_route_setup.vs_host,
"X-Real-IP": "10.0.0.1"
},
)
print(f"Response: {resp1.status_code}\n{resp1.text}")
print(f"\nUse IP not listed in deny block: 10.0.0.2")
resp2 = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={
"host": v_s_route_setup.vs_host,
"X-Real-IP": "10.0.0.2"
},
)
print(f"Response: {resp2.status_code}\n{resp2.text}")
delete_policy(kube_apis.custom_objects, pol_name,
v_s_route_setup.route_m.namespace)
self.restore_default_vsr(kube_apis, v_s_route_setup)
assert (policy_info["status"]
and policy_info["status"]["reason"] == "AddedOrUpdated"
and policy_info["status"]["state"] == "Valid")
assert (resp2.status_code == 403 and "403 Forbidden" in resp2.text
and resp1.status_code == 200
and "Server address:" in resp1.text)
def test_invalid_policy_vsr(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
test_namespace,
config_setup,
v_s_route_setup,
):
"""
Test if applying invalid-policy results in 500.
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={
"host": v_s_route_setup.vs_host,
"X-Real-IP": "10.0.0.1"
},
)
print(f"Response: {resp.status_code}\n{resp.text}")
assert resp.status_code == 200
print(f"Create invalid policy")
pol_name = create_policy_from_yaml(kube_apis.custom_objects,
invalid_pol_src,
v_s_route_setup.route_m.namespace)
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
invalid_vsr_src,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
policy_info = read_custom_resource(kube_apis.custom_objects,
v_s_route_setup.route_m.namespace,
"policies", pol_name)
print(f"\nUse IP listed in deny block: 10.0.0.1")
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={
"host": v_s_route_setup.vs_host,
"X-Real-IP": "10.0.0.1"
},
)
print(f"Response: {resp.status_code}\n{resp.text}")
vsr_info = read_custom_resource(
kube_apis.custom_objects,
v_s_route_setup.route_m.namespace,
"virtualserverroutes",
v_s_route_setup.route_m.name,
)
delete_policy(kube_apis.custom_objects, pol_name,
v_s_route_setup.route_m.namespace)
self.restore_default_vsr(kube_apis, v_s_route_setup)
assert (policy_info["status"]
and policy_info["status"]["reason"] == "Rejected"
and policy_info["status"]["state"] == "Invalid")
assert resp.status_code == 500 and "500 Internal Server Error" in resp.text
assert (vsr_info["status"]["state"] == "Warning" and
vsr_info["status"]["reason"] == "AddedOrUpdatedWithWarning")
def read_vsr(custom_objects: CustomObjectsApi, namespace, name) -> object:
"""
Read VirtualServerRoute resource.
"""
return read_custom_resource(custom_objects, namespace,
"virtualserverroutes", name)
def read_policy(custom_objects: CustomObjectsApi, namespace, name) -> object:
"""
Read Policy resource.
"""
return read_custom_resource(custom_objects, namespace, "policies", name)
def test_deleted_policy(
self,
kube_apis,
crd_ingress_controller,
virtual_server_setup,
test_namespace,
config_setup,
src,
):
"""
Test if valid policy is deleted then response is 500
"""
resp = requests.get(
virtual_server_setup.backend_1_url,
headers={
"host": virtual_server_setup.vs_host,
"X-Real-IP": "10.0.0.1"
},
)
print(f"Response: {resp.status_code}\n{resp.text}")
assert resp.status_code == 200
print(f"Create deny policy")
pol_name = create_policy_from_yaml(kube_apis.custom_objects,
deny_pol_src, test_namespace)
patch_virtual_server_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
src,
virtual_server_setup.namespace,
)
wait_before_test()
vs_info = read_custom_resource(
kube_apis.custom_objects,
virtual_server_setup.namespace,
"virtualservers",
virtual_server_setup.vs_name,
)
assert vs_info["status"]["state"] == "Valid"
delete_policy(kube_apis.custom_objects, pol_name, test_namespace)
wait_before_test()
resp = requests.get(
virtual_server_setup.backend_1_url,
headers={
"host": virtual_server_setup.vs_host,
"X-Real-IP": "10.0.0.1"
},
)
print(f"Response: {resp.status_code}\n{resp.text}")
vs_info = read_custom_resource(
kube_apis.custom_objects,
virtual_server_setup.namespace,
"virtualservers",
virtual_server_setup.vs_name,
)
self.restore_default_vs(kube_apis, virtual_server_setup)
assert resp.status_code == 500 and "500 Internal Server Error" in resp.text
assert (vs_info["status"]["state"] == "Warning"
and vs_info["status"]["reason"] == "AddedOrUpdatedWithWarning")
def test_deny_policy(
self,
kube_apis,
crd_ingress_controller,
virtual_server_setup,
test_namespace,
config_setup,
src,
):
"""
Test if ip (10.0.0.1) block-listing is working: default(no policy) -> deny
"""
resp = requests.get(
virtual_server_setup.backend_1_url,
headers={
"host": virtual_server_setup.vs_host,
"X-Real-IP": "10.0.0.1"
},
)
print(f"Response: {resp.status_code}\n{resp.text}")
assert resp.status_code == 200
print(f"Create deny policy")
pol_name = create_policy_from_yaml(kube_apis.custom_objects,
deny_pol_src, test_namespace)
print(f"Patch vs with policy: {src}")
patch_virtual_server_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
src,
virtual_server_setup.namespace,
)
wait_before_test()
policy_info = read_custom_resource(kube_apis.custom_objects,
test_namespace, "policies",
pol_name)
print(f"\nUse IP listed in deny block: 10.0.0.1")
resp1 = requests.get(
virtual_server_setup.backend_1_url,
headers={
"host": virtual_server_setup.vs_host,
"X-Real-IP": "10.0.0.1"
},
)
print(f"Response: {resp1.status_code}\n{resp1.text}")
print(f"\nUse IP not listed in deny block: 10.0.0.2")
resp2 = requests.get(
virtual_server_setup.backend_1_url,
headers={
"host": virtual_server_setup.vs_host,
"X-Real-IP": "10.0.0.2"
},
)
print(f"Response: {resp2.status_code}\n{resp2.text}")
delete_policy(kube_apis.custom_objects, pol_name, test_namespace)
self.restore_default_vs(kube_apis, virtual_server_setup)
assert (policy_info["status"]
and policy_info["status"]["reason"] == "AddedOrUpdated"
and policy_info["status"]["state"] == "Valid")
assert (resp1.status_code == 403 and "403 Forbidden" in resp1.text
and resp2.status_code == 200
and "Server address:" in resp2.text)
def test_auth_basic_policy_secret(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
v_s_route_setup,
test_namespace,
htpasswd_secret,
):
"""
Test auth-basic-policy with a valid and an invalid secret
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
if htpasswd_secret == htpasswd_sec_valid_src:
pol = auth_basic_pol_valid_src
vsr = auth_basic_vsr_valid_src
elif htpasswd_secret == htpasswd_sec_invalid_src:
pol = auth_basic_pol_invalid_sec_src
vsr = auth_basic_vsr_invalid_sec_src
else:
pytest.fail(f"Not a valid case or parameter")
secret, pol_name, headers = self.setup_single_policy(
kube_apis,
v_s_route_setup.route_m.namespace,
valid_credentials,
htpasswd_secret,
pol,
v_s_route_setup.vs_host,
)
print(f"Patch vsr with policy: {pol}")
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
vsr,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers=headers,
)
print(resp.status_code)
crd_info = read_custom_resource(
kube_apis.custom_objects,
v_s_route_setup.route_m.namespace,
"virtualserverroutes",
v_s_route_setup.route_m.name,
)
delete_policy(kube_apis.custom_objects, pol_name,
v_s_route_setup.route_m.namespace)
delete_secret(kube_apis.v1, secret, v_s_route_setup.route_m.namespace)
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
std_vsr_src,
v_s_route_setup.route_m.namespace,
)
if htpasswd_secret == htpasswd_sec_valid_src:
assert resp.status_code == 200
assert f"Request ID:" in resp.text
assert crd_info["status"]["state"] == "Valid"
elif htpasswd_secret == htpasswd_sec_invalid_src:
assert resp.status_code == 500
assert f"Internal Server Error" in resp.text
assert crd_info["status"]["state"] == "Warning"
else:
pytest.fail(f"Not a valid case or parameter")
