def setup_multiple_policies(self, kube_apis, namespace, credentials,
secret_list, policy_1, policy_2, vs_host):
print(f"Create {len(secret_list)} htpasswd secrets")
# secret_name = create_secret_from_yaml(kube_apis.v1, namespace, secret)
secret_name_list = []
for secret in secret_list:
secret_name_list.append(
create_secret_from_yaml(kube_apis.v1, namespace, secret))
print(f"Create auth basic policy #1")
pol_name_1 = create_policy_from_yaml(kube_apis.custom_objects,
policy_1, namespace)
print(f"Create auth basic policy #2")
pol_name_2 = create_policy_from_yaml(kube_apis.custom_objects,
policy_2, namespace)
wait_before_test()
with open(credentials, "r") as file:
data = file.readline()
headers = {
"host": vs_host,
"authorization": f"Basic {to_base64(data)}"
}
return secret_name_list, pol_name_1, pol_name_2, headers
def test_overide_vs_vsr(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
test_namespace,
config_setup,
v_s_route_setup,
src,
):
"""
Test if vsr subroute policy overrides vs spec policy and vsr subroute policy overrides vs route policy
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
print(f"Create deny policy")
deny_pol_name = create_policy_from_yaml(
kube_apis.custom_objects, deny_pol_src,
v_s_route_setup.route_m.namespace)
print(f"Create allow policy")
allow_pol_name = create_policy_from_yaml(
kube_apis.custom_objects, allow_pol_src,
v_s_route_setup.route_m.namespace)
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
allow_vsr_src,
v_s_route_setup.route_m.namespace,
)
# patch vs with blocking policy
patch_virtual_server_from_yaml(kube_apis.custom_objects,
v_s_route_setup.vs_name, src,
v_s_route_setup.namespace)
wait_before_test()
print(f"\nUse IP listed in deny block: 10.0.0.1")
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={
"host": v_s_route_setup.vs_host,
"X-Real-IP": "10.0.0.1"
},
)
print(f"Response: {resp.status_code}\n{resp.text}")
delete_policy(kube_apis.custom_objects, deny_pol_name,
v_s_route_setup.route_m.namespace)
delete_policy(kube_apis.custom_objects, allow_pol_name,
v_s_route_setup.route_m.namespace)
self.restore_default_vsr(kube_apis, v_s_route_setup)
patch_virtual_server_from_yaml(kube_apis.custom_objects,
v_s_route_setup.vs_name, std_vs_src,
v_s_route_setup.namespace)
wait_before_test()
assert resp.status_code == 200 and "Server address:" in resp.text
def test_rl_policy_override_vsr(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
v_s_route_setup,
test_namespace,
src,
):
"""
Test if rate-limiting policy with lower rps is used when multiple policies are listed in vsr:subroute
And test if the order of policies in vsr:subroute has no effect
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
print(f"Create rl policy: 1rps")
pol_name_pri = create_policy_from_yaml(
kube_apis.custom_objects, rl_pol_pri_src,
v_s_route_setup.route_m.namespace)
print(f"Create rl policy: 5rps")
pol_name_sec = create_policy_from_yaml(
kube_apis.custom_objects, rl_pol_sec_src,
v_s_route_setup.route_m.namespace)
print(f"Patch vsr with policy: {src}")
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
src,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
occur = []
t_end = time.perf_counter() + 1
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={"host": v_s_route_setup.vs_host},
)
print(resp.status_code)
assert resp.status_code == 200
while time.perf_counter() < t_end:
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={"host": v_s_route_setup.vs_host},
)
occur.append(resp.status_code)
delete_policy(kube_apis.custom_objects, pol_name_pri,
v_s_route_setup.route_m.namespace)
delete_policy(kube_apis.custom_objects, pol_name_sec,
v_s_route_setup.route_m.namespace)
self.restore_default_vsr(kube_apis, v_s_route_setup)
assert occur.count(200) <= 1
def test_route_override_spec(
self,
kube_apis,
crd_ingress_controller,
virtual_server_setup,
test_namespace,
config_setup,
):
"""
Test allow policy specified under routes overrides block in spec
"""
resp = requests.get(
virtual_server_setup.backend_1_url,
headers={
"host": virtual_server_setup.vs_host,
"X-Real-IP": "10.0.0.1"
},
)
print(f"Response: {resp.status_code}\n{resp.text}")
assert resp.status_code == 200
print(f"Create deny policy")
deny_pol_name = create_policy_from_yaml(kube_apis.custom_objects,
deny_pol_src, test_namespace)
print(f"Create allow policy")
allow_pol_name = create_policy_from_yaml(kube_apis.custom_objects,
allow_pol_src, test_namespace)
patch_virtual_server_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
override_vs_spec_route_src,
virtual_server_setup.namespace,
)
wait_before_test()
print(f"Use IP listed in both deny and allow policies: 10.0.0.1")
resp = requests.get(
virtual_server_setup.backend_1_url,
headers={
"host": virtual_server_setup.vs_host,
"X-Real-IP": "10.0.0.1"
},
)
print(f"Response: {resp.status_code}\n{resp.text}")
self.restore_default_vs(kube_apis, virtual_server_setup)
delete_policy(kube_apis.custom_objects, deny_pol_name, test_namespace)
delete_policy(kube_apis.custom_objects, allow_pol_name, test_namespace)
assert resp.status_code == 200 and "Server address:" in resp.text
def test_policy_matching_ingress_class(
self, kube_apis, crd_ingress_controller, virtual_server_setup, test_namespace, src,
):
"""
Test if policy with matching ingress class is applied to vs
"""
print(f"Create rl policy")
pol_name = create_policy_from_yaml(kube_apis.custom_objects, policy_ingress_class_src, test_namespace)
wait_before_test()
policy_info = read_custom_resource(kube_apis.custom_objects, test_namespace, "policies", pol_name)
assert (
policy_info["status"]
and policy_info["status"]["reason"] == "AddedOrUpdated"
and policy_info["status"]["state"] == "Valid"
)
print(f"Patch vs with policy: {src}")
patch_virtual_server_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
src,
virtual_server_setup.namespace,
)
wait_before_test()
vs_info = read_custom_resource(kube_apis.custom_objects, virtual_server_setup.namespace, "virtualservers", virtual_server_setup.vs_name)
assert (
vs_info["status"]
and vs_info["status"]["reason"] == "AddedOrUpdated"
and vs_info["status"]["state"] == "Valid"
)
delete_policy(kube_apis.custom_objects, pol_name, test_namespace)
self.restore_default_vs(kube_apis, virtual_server_setup)
def test_policy_non_matching_ingress_class(
self, kube_apis, crd_ingress_controller, virtual_server_setup, test_namespace, src,
):
"""
Test if non matching policy gets caught by vc validation
"""
print(f"Create rl policy")
pol_name = create_policy_from_yaml(kube_apis.custom_objects, policy_other_ingress_class_src, test_namespace)
wait_before_test()
policy_info = read_custom_resource(kube_apis.custom_objects, test_namespace, "policies", pol_name)
assert "status" not in policy_info, "the policy is not managed by the IC, therefore the status is not updated"
print(f"Patch vs with policy: {src}")
patch_virtual_server_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
src,
virtual_server_setup.namespace,
)
wait_before_test()
vs_info = read_custom_resource(kube_apis.custom_objects, virtual_server_setup.namespace, "virtualservers", virtual_server_setup.vs_name)
assert (
vs_info["status"]
and "rate-limit-primary is missing or invalid" in vs_info["status"]["message"]
and vs_info["status"]["reason"] == "AddedOrUpdatedWithWarning"
and vs_info["status"]["state"] == "Warning"
)
delete_policy(kube_apis.custom_objects, pol_name, test_namespace)
self.restore_default_vs(kube_apis, virtual_server_setup)
def setup_multiple_policies(self, kube_apis, namespace, token, secret,
policy_1, policy_2, vs_host):
print(f"Create jwk secret")
secret_name = create_secret_from_yaml(kube_apis.v1, namespace, secret)
print(f"Create jwt policy #1")
pol_name_1 = create_policy_from_yaml(kube_apis.custom_objects,
policy_1, namespace)
print(f"Create jwt policy #2")
pol_name_2 = create_policy_from_yaml(kube_apis.custom_objects,
policy_2, namespace)
wait_before_test()
with open(token, "r") as file:
data = file.readline()
headers = {"host": vs_host, "token": data}
return secret_name, pol_name_1, pol_name_2, headers
def setup_policy(kube_apis, test_namespace, mtls_secret, tls_secret, policy):
print(f"Create ingress-mtls secret")
mtls_secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace, mtls_secret)
print(f"Create ingress-mtls policy")
pol_name = create_policy_from_yaml(kube_apis.custom_objects, policy, test_namespace)
print(f"Create tls secret")
tls_secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace, tls_secret)
return mtls_secret_name, tls_secret_name, pol_name
def test_rl_policy_1rs_vsr(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
v_s_route_setup,
test_namespace,
src,
):
"""
Test if rate-limiting policy is working with ~1 rps in vsr:subroute
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
print(f"Create rl policy")
pol_name = create_policy_from_yaml(kube_apis.custom_objects,
rl_pol_pri_src,
v_s_route_setup.route_m.namespace)
print(f"Patch vsr with policy: {src}")
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
src,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
policy_info = read_custom_resource(kube_apis.custom_objects,
v_s_route_setup.route_m.namespace,
"policies", pol_name)
occur = []
t_end = time.perf_counter() + 1
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={"host": v_s_route_setup.vs_host},
)
print(resp.status_code)
assert resp.status_code == 200
while time.perf_counter() < t_end:
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={"host": v_s_route_setup.vs_host},
)
occur.append(resp.status_code)
delete_policy(kube_apis.custom_objects, pol_name,
v_s_route_setup.route_m.namespace)
self.restore_default_vsr(kube_apis, v_s_route_setup)
assert (policy_info["status"]
and policy_info["status"]["reason"] == "AddedOrUpdated"
and policy_info["status"]["state"] == "Valid")
assert occur.count(200) <= 1
def setup_single_policy(self, kube_apis, test_namespace, token, secret,
policy, vs_host):
print(f"Create jwk secret")
secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace,
secret)
print(f"Create jwt policy")
pol_name = create_policy_from_yaml(kube_apis.custom_objects, policy,
test_namespace)
wait_before_test()
with open(token, "r") as file:
data = file.readline()
headers = {"host": vs_host, "token": data}
return secret_name, pol_name, headers
def setup_single_policy(self, kube_apis, test_namespace, credentials, secret, policy, vs_host):
print(f"Create htpasswd secret")
secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace, secret)
print(f"Create auth basic policy")
pol_name = create_policy_from_yaml(kube_apis.custom_objects, policy, test_namespace)
wait_before_test()
# generate header without auth
if credentials == None :
return secret_name, pol_name, {"host": vs_host}
with open(credentials, "r") as file:
data = file.readline()
headers = {"host": vs_host, "authorization": f"Basic {to_base64(data)}"}
return secret_name, pol_name, headers
def test_rl_policy_invalid_vsr(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
v_s_route_setup,
test_namespace,
src,
):
"""
Test if using an invalid policy in vsr:subroute results in 500
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
print(f"Create rl policy")
invalid_pol_name = create_policy_from_yaml(
kube_apis.custom_objects, rl_pol_invalid_src,
v_s_route_setup.route_m.namespace)
print(f"Patch vsr with policy: {src}")
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
src,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
policy_info = read_custom_resource(
kube_apis.custom_objects,
v_s_route_setup.route_m.namespace,
"policies",
invalid_pol_name,
)
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={"host": v_s_route_setup.vs_host},
)
print(resp.status_code)
delete_policy(kube_apis.custom_objects, invalid_pol_name,
v_s_route_setup.route_m.namespace)
self.restore_default_vsr(kube_apis, v_s_route_setup)
assert (policy_info["status"]
and policy_info["status"]["reason"] == "Rejected"
and policy_info["status"]["state"] == "Invalid")
assert resp.status_code == 500
def test_rl_policy_deleted_vsr(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
v_s_route_setup,
test_namespace,
src,
):
"""
Test if deleting a policy results in 500
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
print(f"Create rl policy")
pol_name = create_policy_from_yaml(kube_apis.custom_objects,
rl_pol_pri_src,
v_s_route_setup.route_m.namespace)
print(f"Patch vsr with policy: {src}")
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
src,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={"host": v_s_route_setup.vs_host},
)
assert resp.status_code == 200
print(resp.status_code)
delete_policy(kube_apis.custom_objects, pol_name,
v_s_route_setup.route_m.namespace)
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={"host": v_s_route_setup.vs_host},
)
self.restore_default_vsr(kube_apis, v_s_route_setup)
assert resp.status_code == 500
def test_invalid_policy_vsr(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
test_namespace,
config_setup,
v_s_route_setup,
):
"""
Test if applying invalid-policy results in 500.
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={
"host": v_s_route_setup.vs_host,
"X-Real-IP": "10.0.0.1"
},
)
print(f"Response: {resp.status_code}\n{resp.text}")
assert resp.status_code == 200
print(f"Create invalid policy")
pol_name = create_policy_from_yaml(kube_apis.custom_objects,
invalid_pol_src,
v_s_route_setup.route_m.namespace)
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
invalid_vsr_src,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
policy_info = read_custom_resource(kube_apis.custom_objects,
v_s_route_setup.route_m.namespace,
"policies", pol_name)
print(f"\nUse IP listed in deny block: 10.0.0.1")
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={
"host": v_s_route_setup.vs_host,
"X-Real-IP": "10.0.0.1"
},
)
print(f"Response: {resp.status_code}\n{resp.text}")
vsr_info = read_custom_resource(
kube_apis.custom_objects,
v_s_route_setup.route_m.namespace,
"virtualserverroutes",
v_s_route_setup.route_m.name,
)
delete_policy(kube_apis.custom_objects, pol_name,
v_s_route_setup.route_m.namespace)
self.restore_default_vsr(kube_apis, v_s_route_setup)
assert (policy_info["status"]
and policy_info["status"]["reason"] == "Rejected"
and policy_info["status"]["state"] == "Invalid")
assert resp.status_code == 500 and "500 Internal Server Error" in resp.text
assert (vsr_info["status"]["state"] == "Warning" and
vsr_info["status"]["reason"] == "AddedOrUpdatedWithWarning")
def test_override_policy_vsr(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
test_namespace,
config_setup,
v_s_route_setup,
):
"""
Test if ip (10.0.0.1) allow-listing overrides block-listing (policy specified in vsr subroute)
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={
"host": v_s_route_setup.vs_host,
"X-Real-IP": "10.0.0.1"
},
)
print(f"Response: {resp.status_code}\n{resp.text}")
assert resp.status_code == 200
print(f"Create deny policy")
deny_pol_name = create_policy_from_yaml(
kube_apis.custom_objects, deny_pol_src,
v_s_route_setup.route_m.namespace)
print(f"Create allow policy")
allow_pol_name = create_policy_from_yaml(
kube_apis.custom_objects, allow_pol_src,
v_s_route_setup.route_m.namespace)
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
override_vsr_src,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
print(f"\nUse IP listed in deny block: 10.0.0.1")
resp1 = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={
"host": v_s_route_setup.vs_host,
"X-Real-IP": "10.0.0.1"
},
)
print(f"Response: {resp1.status_code}\n{resp1.text}")
print(f"\nUse IP not listed in deny block: 10.0.0.2")
resp2 = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={
"host": v_s_route_setup.vs_host,
"X-Real-IP": "10.0.0.2"
},
)
print(f"Response: {resp2.status_code}\n{resp2.text}")
delete_policy(kube_apis.custom_objects, deny_pol_name,
v_s_route_setup.route_m.namespace)
delete_policy(kube_apis.custom_objects, allow_pol_name,
v_s_route_setup.route_m.namespace)
self.restore_default_vsr(kube_apis, v_s_route_setup)
assert (resp2.status_code == 403 and "403 Forbidden" in resp2.text
and resp1.status_code == 200
and "Server address:" in resp1.text)
def test_allow_policy_vsr(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
test_namespace,
config_setup,
v_s_route_setup,
):
"""
Test if ip (10.0.0.1) block-listing is working (policy specified in vsr subroute): default(no policy) -> deny
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={
"host": v_s_route_setup.vs_host,
"X-Real-IP": "10.0.0.1"
},
)
print(f"Response: {resp.status_code}\n{resp.text}")
assert resp.status_code == 200
print(f"Create allow policy")
pol_name = create_policy_from_yaml(kube_apis.custom_objects,
allow_pol_src,
v_s_route_setup.route_m.namespace)
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
allow_vsr_src,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
policy_info = read_custom_resource(kube_apis.custom_objects,
v_s_route_setup.route_m.namespace,
"policies", pol_name)
print(f"\nUse IP listed in deny block: 10.0.0.1")
resp1 = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={
"host": v_s_route_setup.vs_host,
"X-Real-IP": "10.0.0.1"
},
)
print(f"Response: {resp1.status_code}\n{resp1.text}")
print(f"\nUse IP not listed in deny block: 10.0.0.2")
resp2 = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={
"host": v_s_route_setup.vs_host,
"X-Real-IP": "10.0.0.2"
},
)
print(f"Response: {resp2.status_code}\n{resp2.text}")
delete_policy(kube_apis.custom_objects, pol_name,
v_s_route_setup.route_m.namespace)
self.restore_default_vsr(kube_apis, v_s_route_setup)
assert (policy_info["status"]
and policy_info["status"]["reason"] == "AddedOrUpdated"
and policy_info["status"]["state"] == "Valid")
assert (resp2.status_code == 403 and "403 Forbidden" in resp2.text
and resp1.status_code == 200
and "Server address:" in resp1.text)
def test_deny_policy(
self,
request,
kube_apis,
crd_ingress_controller,
virtual_server_setup,
test_namespace,
config_setup,
src,
):
"""
Test if ip (10.0.0.1) block-listing is working: default(no policy) -> deny
"""
resp = requests.get(
virtual_server_setup.backend_1_url,
headers={
"host": virtual_server_setup.vs_host,
"X-Real-IP": "10.0.0.1"
},
)
print(f"Response: {resp.status_code}\n{resp.text}")
assert resp.status_code == 200
print(f"Create deny policy")
pol_name = create_policy_from_yaml(kube_apis.custom_objects,
deny_pol_src, test_namespace)
print(f"Patch vs with policy: {src}")
patch_virtual_server_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
src,
virtual_server_setup.namespace,
)
wait_before_test()
policy_info = read_custom_resource(kube_apis.custom_objects,
test_namespace, "policies",
pol_name)
print(f"\nUse IP listed in deny block: 10.0.0.1")
resp1 = requests.get(
virtual_server_setup.backend_1_url,
headers={
"host": virtual_server_setup.vs_host,
"X-Real-IP": "10.0.0.1"
},
)
print(f"Response: {resp1.status_code}\n{resp1.text}")
print(f"\nUse IP not listed in deny block: 10.0.0.2")
resp2 = requests.get(
virtual_server_setup.backend_1_url,
headers={
"host": virtual_server_setup.vs_host,
"X-Real-IP": "10.0.0.2"
},
)
print(f"Response: {resp2.status_code}\n{resp2.text}")
reload_ms = get_last_reload_time(virtual_server_setup.metrics_url,
"nginx")
print(f"last reload duration: {reload_ms} ms")
reload_times[
f"{request.node.name}"] = f"last reload duration: {reload_ms} ms"
delete_policy(kube_apis.custom_objects, pol_name, test_namespace)
self.restore_default_vs(kube_apis, virtual_server_setup)
assert (policy_info["status"]
and policy_info["status"]["reason"] == "AddedOrUpdated"
and policy_info["status"]["state"] == "Valid")
assert (resp1.status_code == 403 and "403 Forbidden" in resp1.text
and resp2.status_code == 200
and "Server address:" in resp2.text)
def test_override_vs_vsr(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
test_namespace,
v_s_route_setup,
src,
):
"""
Test if vsr subroute policy overrides vs spec policy
And vsr subroute policy overrides vs route policy
"""
rate_sec = 5
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
# policy for virtualserver
print(f"Create rl policy: 1rps")
pol_name_vs = create_policy_from_yaml(
kube_apis.custom_objects, rl_pol_pri_src,
v_s_route_setup.route_m.namespace)
# policy for virtualserverroute
print(f"Create rl policy: 5rps")
pol_name_vsr = create_policy_from_yaml(
kube_apis.custom_objects, rl_pol_sec_src,
v_s_route_setup.route_m.namespace)
# patch vsr with 5rps policy
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
rl_vsr_sec_src,
v_s_route_setup.route_m.namespace,
)
# patch vs with 1rps policy
patch_virtual_server_from_yaml(kube_apis.custom_objects,
v_s_route_setup.vs_name, src,
v_s_route_setup.namespace)
wait_before_test()
occur = []
t_end = time.perf_counter() + 1
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={"host": v_s_route_setup.vs_host},
)
print(resp.status_code)
assert resp.status_code == 200
while time.perf_counter() < t_end:
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={"host": v_s_route_setup.vs_host},
)
occur.append(resp.status_code)
delete_policy(kube_apis.custom_objects, pol_name_vs,
v_s_route_setup.route_m.namespace)
delete_policy(kube_apis.custom_objects, pol_name_vsr,
v_s_route_setup.route_m.namespace)
self.restore_default_vsr(kube_apis, v_s_route_setup)
patch_virtual_server_from_yaml(kube_apis.custom_objects,
v_s_route_setup.vs_name, std_vs_src,
v_s_route_setup.namespace)
assert rate_sec >= occur.count(200) >= (rate_sec - 2)
def test_allow_policy(
self,
kube_apis,
crd_ingress_controller,
virtual_server_setup,
test_namespace,
config_setup,
src,
):
"""
Test if ip (10.0.0.1) allow-listing is working: default(no policy) -> allow
"""
resp = requests.get(
virtual_server_setup.backend_1_url,
headers={
"host": virtual_server_setup.vs_host,
"X-Real-IP": "10.0.0.1"
},
)
print(f"Response: {resp.status_code}\n{resp.text}")
assert resp.status_code == 200
print(f"Create allow policy")
pol_name = create_policy_from_yaml(kube_apis.custom_objects,
allow_pol_src, test_namespace)
patch_virtual_server_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
src,
virtual_server_setup.namespace,
)
wait_before_test()
policy_info = read_custom_resource(kube_apis.custom_objects,
test_namespace, "policies",
pol_name)
print(f"\nUse IP listed in allow block: 10.0.0.1")
resp1 = requests.get(
virtual_server_setup.backend_1_url,
headers={
"host": virtual_server_setup.vs_host,
"X-Real-IP": "10.0.0.1"
},
)
print(f"\nUse IP listed not in allow block: 10.0.0.2")
print(f"Response: {resp1.status_code}\n{resp1.text}")
resp2 = requests.get(
virtual_server_setup.backend_1_url,
headers={
"host": virtual_server_setup.vs_host,
"X-Real-IP": "10.0.0.2"
},
)
print(f"Response: {resp2.status_code}\n{resp2.text}")
delete_policy(kube_apis.custom_objects, pol_name, test_namespace)
self.restore_default_vs(kube_apis, virtual_server_setup)
assert (policy_info["status"]
and policy_info["status"]["reason"] == "AddedOrUpdated"
and policy_info["status"]["state"] == "Valid")
assert (resp1.status_code == 200 and "Server address:" in resp1.text
and resp2.status_code == 403 and "403 Forbidden" in resp2.text)
def test_deleted_policy(
self,
kube_apis,
crd_ingress_controller,
virtual_server_setup,
test_namespace,
config_setup,
src,
):
"""
Test if valid policy is deleted then response is 500
"""
resp = requests.get(
virtual_server_setup.backend_1_url,
headers={
"host": virtual_server_setup.vs_host,
"X-Real-IP": "10.0.0.1"
},
)
print(f"Response: {resp.status_code}\n{resp.text}")
assert resp.status_code == 200
print(f"Create deny policy")
pol_name = create_policy_from_yaml(kube_apis.custom_objects,
deny_pol_src, test_namespace)
patch_virtual_server_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
src,
virtual_server_setup.namespace,
)
wait_before_test()
vs_info = read_custom_resource(
kube_apis.custom_objects,
virtual_server_setup.namespace,
"virtualservers",
virtual_server_setup.vs_name,
)
assert vs_info["status"]["state"] == "Valid"
delete_policy(kube_apis.custom_objects, pol_name, test_namespace)
wait_before_test()
resp = requests.get(
virtual_server_setup.backend_1_url,
headers={
"host": virtual_server_setup.vs_host,
"X-Real-IP": "10.0.0.1"
},
)
print(f"Response: {resp.status_code}\n{resp.text}")
vs_info = read_custom_resource(
kube_apis.custom_objects,
virtual_server_setup.namespace,
"virtualservers",
virtual_server_setup.vs_name,
)
self.restore_default_vs(kube_apis, virtual_server_setup)
assert resp.status_code == 500 and "500 Internal Server Error" in resp.text
assert (vs_info["status"]["state"] == "Warning"
and vs_info["status"]["reason"] == "AddedOrUpdatedWithWarning")
def test_ap_waf_policy_block(
self,
kube_apis,
crd_ingress_controller_with_ap,
virtual_server_setup,
appprotect_setup,
test_namespace,
vs_src,
waf,
):
"""
Test waf policy when enabled with default and dataguard-alarm AP Policies
"""
print(f"Create waf policy")
if waf == waf_pol_dataguard_src:
create_ap_waf_policy_from_yaml(
kube_apis.custom_objects,
waf,
test_namespace,
test_namespace,
True,
False,
ap_pol_name,
log_name,
"syslog:server=127.0.0.1:514",
)
elif waf == waf_pol_default_src:
pol_name = create_policy_from_yaml(kube_apis.custom_objects, waf, test_namespace)
else:
pytest.fail(f"Invalid argument")
wait_before_test()
print(f"Patch vs with policy: {vs_src}")
patch_virtual_server_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
vs_src,
virtual_server_setup.namespace,
)
wait_before_test()
ap_crd_info = read_ap_custom_resource(
kube_apis.custom_objects, test_namespace, "appolicies", ap_policy_uds
)
assert_ap_crd_info(ap_crd_info, ap_policy_uds)
wait_before_test(120)
print(
"----------------------- Send request with embedded malicious script----------------------"
)
response1 = requests.get(
virtual_server_setup.backend_1_url + "</script>",
headers={"host": virtual_server_setup.vs_host},
)
print(response1.text)
print(
"----------------------- Send request with blocked keyword in UDS----------------------"
)
response2 = requests.get(
virtual_server_setup.backend_1_url,
headers={"host": virtual_server_setup.vs_host},
data="kic",
)
print(response2.text)
delete_policy(kube_apis.custom_objects, "waf-policy", test_namespace)
self.restore_default_vs(kube_apis, virtual_server_setup)
assert_invalid_responses(response1)
if waf == waf_pol_dataguard_src:
assert_invalid_responses(response2)
elif waf == waf_pol_default_src:
assert_valid_responses(response2)
else:
pytest.fail(f"Invalid arguments")
