def fin(): if is_secret_present(kube_apis.v1, secret_name, secret_namespace): print("cleaning up secret!") delete_secret(kube_apis.v1, secret_name, secret_namespace) # restore the original secret created in ingress_controller_prerequisites fixture create_secret_from_yaml(kube_apis.v1, secret_namespace, secret_path)
def test_response_codes_after_secret_remove_and_restore( self, kube_apis, auth_basic_secrets_setup, test_namespace, auth_basic_secret): req_url = f"http://{auth_basic_secrets_setup.public_endpoint.public_ip}:{auth_basic_secrets_setup.public_endpoint.port}/backend2" delete_secret(kube_apis.v1, auth_basic_secret.secret_name, test_namespace) wait_before_test(1) resp = requests.get( req_url, headers={ "host": auth_basic_secrets_setup.ingress_host, "authorization": f"Basic {to_base64(auth_basic_secrets_setup.credentials)}" }) assert resp.status_code == 403 auth_basic_secret.secret_name = create_secret_from_yaml( kube_apis.v1, test_namespace, f"{TEST_DATA}/auth-basic-secrets/auth-basic-secret.yaml") wait_before_test(1) resp = requests.get( req_url, headers={ "host": auth_basic_secrets_setup.ingress_host, "authorization": f"Basic {to_base64(auth_basic_secrets_setup.credentials)}" }) assert resp.status_code == 200
def test_jwt_policy_override_spec( self, kube_apis, crd_ingress_controller, virtual_server_setup, test_namespace, ): """ Test if policy reference in route takes precedence over policy in spec """ secret, pol_name_1, pol_name_2, headers = self.setup_multiple_policies( kube_apis, test_namespace, valid_token, jwk_sec_valid_src, jwt_pol_valid_src, jwt_pol_multi_src, virtual_server_setup.vs_host, ) print( f"Patch vs with invalid policy in route and valid policy in spec") delete_and_create_vs_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, jwt_vs_override_spec_route_1, virtual_server_setup.namespace, ) wait_before_test() resp1 = requests.get(virtual_server_setup.backend_1_url, headers=headers) print(resp1.status_code) print( f"Patch vs with valid policy in route and invalid policy in spec") delete_and_create_vs_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, jwt_vs_override_spec_route_2, virtual_server_setup.namespace, ) wait_before_test() resp2 = requests.get(virtual_server_setup.backend_1_url, headers=headers) print(resp2.status_code) delete_policy(kube_apis.custom_objects, pol_name_1, test_namespace) delete_policy(kube_apis.custom_objects, pol_name_2, test_namespace) delete_secret(kube_apis.v1, secret, test_namespace) delete_and_create_vs_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, std_vs_src, virtual_server_setup.namespace, ) assert resp1.status_code == 401 # 401 unauthorized, since no token is attached to policy assert resp2.status_code == 200
def fin(): print("Clean up the Smoke Application:") delete_common_app(kube_apis, "simple", test_namespace) delete_items_from_yaml( kube_apis, f"{TEST_DATA}/smoke/{request.param}/smoke-ingress.yaml", test_namespace) delete_secret(kube_apis.v1, secret_name, test_namespace)
def teardown_policy(kube_apis, test_namespace, tls_secret, pol_name, mtls_secret): print("Delete policy and related secrets") delete_secret(kube_apis.v1, tls_secret, test_namespace) delete_policy(kube_apis.custom_objects, pol_name, test_namespace) delete_secret(kube_apis.v1, mtls_secret, test_namespace)
def fin(): print("Clean up simple app") delete_common_app(kube_apis, "simple", test_namespace) delete_items_from_yaml( kube_apis, f"{TEST_DATA}/smoke/standard/smoke-ingress.yaml", test_namespace) delete_secret(kube_apis.v1, secret_name, test_namespace)
def test_jwt_policy_override( self, kube_apis, crd_ingress_controller, v_s_route_app_setup, v_s_route_setup, test_namespace, ): """ Test if first reference to a policy in the same context(subroute) takes precedence, i.e. in this case, policy without $httptoken over policy with $httptoken. """ req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}" secret, pol_name_1, pol_name_2, headers = self.setup_multiple_policies( kube_apis, v_s_route_setup.route_m.namespace, valid_token, jwk_sec_valid_src, jwt_pol_valid_src, jwt_pol_multi_src, v_s_route_setup.vs_host, ) print(f"Patch vsr with policies: {jwt_pol_valid_src}") patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, jwt_vsr_override_src, v_s_route_setup.route_m.namespace, ) wait_before_test() resp = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers=headers, ) print(resp.status_code) crd_info = read_crd( kube_apis.custom_objects, v_s_route_setup.route_m.namespace, "virtualserverroutes", v_s_route_setup.route_m.name, ) delete_policy(kube_apis.custom_objects, pol_name_1, v_s_route_setup.route_m.namespace) delete_policy(kube_apis.custom_objects, pol_name_2, v_s_route_setup.route_m.namespace) delete_secret(kube_apis.v1, secret, v_s_route_setup.route_m.namespace) patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, std_vsr_src, v_s_route_setup.route_m.namespace, ) assert resp.status_code == 401 assert f"Authorization Required" in resp.text assert (f"Multiple jwt policies in the same context is not valid." in crd_info["status"]["message"])
def test_jwt_auth_response_codes_and_location(self, kube_apis, jwt_auth_setup, test_namespace): print("Step 1: execute check after secrets creation") execute_checks(jwt_auth_setup, step_1_expected_results) print("Step 2: replace master secret") replace_secret(kube_apis.v1, jwt_auth_setup.master_secret_name, test_namespace, f"{TEST_DATA}/jwt-auth-mergeable/jwt-master-secret-updated.yaml") wait_before_test(1) execute_checks(jwt_auth_setup, step_2_expected_results) print("Step 3: now replace minion secret as well") replace_secret(kube_apis.v1, jwt_auth_setup.minion_secret_name, test_namespace, f"{TEST_DATA}/jwt-auth-mergeable/jwt-minion-secret-updated.yaml") wait_before_test(1) execute_checks(jwt_auth_setup, step_3_expected_results) print("Step 4: now remove minion secret") delete_secret(kube_apis.v1, jwt_auth_setup.minion_secret_name, test_namespace) wait_before_test(1) execute_checks(jwt_auth_setup, step_4_expected_results) print("Step 5: finally remove master secret as well") delete_secret(kube_apis.v1, jwt_auth_setup.master_secret_name, test_namespace) wait_before_test(1) execute_checks(jwt_auth_setup, step_5_expected_results)
def test_jwt_auth_response_codes_and_location(self, kube_apis, jwt_auth_setup, test_namespace): print("Step 1: execute check after secrets creation") execute_checks(jwt_auth_setup, step_1_expected_results) print("Step 2: replace master secret") replace_secret( kube_apis.v1, jwt_auth_setup.master_secret_name, test_namespace, f"{TEST_DATA}/jwt-auth-mergeable/jwt-master-secret-updated.yaml") wait_before_test(1) execute_checks(jwt_auth_setup, step_2_expected_results) print("Step 3: now replace minion secret as well") replace_secret( kube_apis.v1, jwt_auth_setup.minion_secret_name, test_namespace, f"{TEST_DATA}/jwt-auth-mergeable/jwt-minion-secret-updated.yaml") wait_before_test(1) execute_checks(jwt_auth_setup, step_3_expected_results) print("Step 4: now remove minion secret") delete_secret(kube_apis.v1, jwt_auth_setup.minion_secret_name, test_namespace) wait_before_test(1) execute_checks(jwt_auth_setup, step_4_expected_results) print("Step 5: finally remove master secret as well") delete_secret(kube_apis.v1, jwt_auth_setup.master_secret_name, test_namespace) wait_before_test(1) execute_checks(jwt_auth_setup, step_5_expected_results)
def test_jwt_policy_delete_policy( self, kube_apis, crd_ingress_controller, v_s_route_app_setup, v_s_route_setup, test_namespace, ): """ Test if requests result in 500 when policy is deleted """ req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}" secret, pol_name, headers = self.setup_single_policy( kube_apis, v_s_route_setup.route_m.namespace, valid_token, jwk_sec_valid_src, jwt_pol_valid_src, v_s_route_setup.vs_host, ) print(f"Patch vsr with policy: {jwt_pol_valid_src}") patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, jwt_vsr_valid_src, v_s_route_setup.route_m.namespace, ) wait_before_test() resp1 = requests.get(f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers=headers,) print(resp1.status_code) delete_policy(kube_apis.custom_objects, pol_name, v_s_route_setup.route_m.namespace) resp2 = requests.get(f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers=headers,) print(resp2.status_code) crd_info = read_crd( kube_apis.custom_objects, v_s_route_setup.route_m.namespace, "virtualserverroutes", v_s_route_setup.route_m.name, ) delete_secret(kube_apis.v1, secret, v_s_route_setup.route_m.namespace) patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, std_vsr_src, v_s_route_setup.route_m.namespace, ) assert resp1.status_code == 200 assert f"Request ID:" in resp1.text assert crd_info["status"]["state"] == "Warning" assert ( f"{v_s_route_setup.route_m.namespace}/{pol_name} is missing" in crd_info["status"]["message"] ) assert resp2.status_code == 500 assert f"Internal Server Error" in resp2.text
def test_jwt_policy_token( self, kube_apis, crd_ingress_controller, v_s_route_app_setup, v_s_route_setup, test_namespace, token, ): """ Test jwt-policy with no token, valid token and invalid token """ req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}" secret, pol_name, headers = self.setup_single_policy( kube_apis, v_s_route_setup.route_m.namespace, token, jwk_sec_valid_src, jwt_pol_valid_src, v_s_route_setup.vs_host, ) print(f"Patch vsr with policy: {jwt_vsr_valid_src}") patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, jwt_vsr_valid_src, v_s_route_setup.route_m.namespace, ) wait_before_test() resp1 = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={"host": v_s_route_setup.vs_host}, ) print(resp1.status_code) resp2 = requests.get(f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers=headers) print(resp2.status_code) delete_policy(kube_apis.custom_objects, pol_name, v_s_route_setup.route_m.namespace) delete_secret(kube_apis.v1, secret, v_s_route_setup.route_m.namespace) patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, std_vsr_src, v_s_route_setup.route_m.namespace, ) assert resp1.status_code == 401 assert f"401 Authorization Required" in resp1.text if token == valid_token: assert resp2.status_code == 200 assert f"Request ID:" in resp2.text else: assert resp2.status_code == 401 assert f"Authorization Required" in resp2.text
def test_jwt_policy_secret( self, kube_apis, crd_ingress_controller, virtual_server_setup, test_namespace, jwk_secret, ): """ Test jwt-policy with a valid and an invalid secret """ secret, pol_name, headers = self.setup_single_policy( kube_apis, test_namespace, valid_token, jwk_secret, jwt_pol_valid_src, virtual_server_setup.vs_host, ) print(f"Patch vs with policy: {jwt_vs_single_src}") delete_and_create_vs_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, jwt_vs_single_src, virtual_server_setup.namespace, ) wait_before_test() resp = requests.get(virtual_server_setup.backend_1_url, headers=headers) print(resp.status_code) crd_info = read_crd( kube_apis.custom_objects, virtual_server_setup.namespace, "virtualservers", virtual_server_setup.vs_name, ) delete_policy(kube_apis.custom_objects, pol_name, test_namespace) delete_secret(kube_apis.v1, secret, test_namespace) delete_and_create_vs_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, std_vs_src, virtual_server_setup.namespace, ) if jwk_secret == jwk_sec_valid_src: assert resp.status_code == 200 assert f"Request ID:" in resp.text assert crd_info["status"]["state"] == "Valid" elif jwk_secret == jwk_sec_invalid_src: assert resp.status_code == 500 assert f"Internal Server Error" in resp.text assert crd_info["status"]["state"] == "Warning" else: pytest.fail(f"Not a valid case or parameter")
def test_jwt_policy_token( self, kube_apis, crd_ingress_controller, virtual_server_setup, test_namespace, token, ): """ Test jwt-policy with no token, valid token and invalid token """ secret, pol_name, headers = self.setup_single_policy( kube_apis, test_namespace, token, jwk_sec_valid_src, jwt_pol_valid_src, virtual_server_setup.vs_host, ) print(f"Patch vs with policy: {jwt_vs_single_src}") delete_and_create_vs_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, jwt_vs_single_src, virtual_server_setup.namespace, ) wait_before_test() resp1 = requests.get( virtual_server_setup.backend_1_url, headers={"host": virtual_server_setup.vs_host}, ) print(resp1.status_code) resp2 = requests.get(virtual_server_setup.backend_1_url, headers=headers) print(resp2.status_code) delete_policy(kube_apis.custom_objects, pol_name, test_namespace) delete_secret(kube_apis.v1, secret, test_namespace) delete_and_create_vs_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, std_vs_src, virtual_server_setup.namespace, ) assert resp1.status_code == 401 assert f"401 Authorization Required" in resp1.text if token == valid_token: assert resp2.status_code == 200 assert f"Request ID:" in resp2.text else: assert resp2.status_code == 401 assert f"Authorization Required" in resp2.text
def test_jwt_policy_override_vs_vsr( self, kube_apis, crd_ingress_controller, v_s_route_app_setup, v_s_route_setup, test_namespace, vs_src, ): """ Test if policy specified in vsr:subroute (policy without $httptoken) takes preference over policy specified in: 1. vs:spec (policy with $httptoken) 2. vs:route (policy with $httptoken) """ req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}" secret, pol_name_1, pol_name_2, headers = self.setup_multiple_policies( kube_apis, v_s_route_setup.route_m.namespace, valid_token, jwk_sec_valid_src, jwt_pol_valid_src, jwt_pol_multi_src, v_s_route_setup.vs_host, ) print(f"Patch vsr with policies: {jwt_pol_valid_src}") patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, jwt_vsr_valid_multi_src, v_s_route_setup.route_m.namespace, ) patch_virtual_server_from_yaml( kube_apis.custom_objects, v_s_route_setup.vs_name, vs_src, v_s_route_setup.namespace, ) wait_before_test() resp = requests.get(f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers=headers,) print(resp.status_code) delete_policy(kube_apis.custom_objects, pol_name_1, v_s_route_setup.route_m.namespace) delete_policy(kube_apis.custom_objects, pol_name_2, v_s_route_setup.route_m.namespace) delete_secret(kube_apis.v1, secret, v_s_route_setup.route_m.namespace) patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, std_vsr_src, v_s_route_setup.route_m.namespace, ) patch_virtual_server_from_yaml( kube_apis.custom_objects, v_s_route_setup.vs_name, std_vs_src, v_s_route_setup.namespace ) assert resp.status_code == 401 assert f"Authorization Required" in resp.text
def fin(): print("Clean up the Smoke Application:") delete_common_app(kube_apis, "simple", test_namespace) delete_items_from_yaml( kube_apis, f"{TEST_DATA}/smoke/{request.param}/smoke-ingress.yaml", test_namespace) delete_secret(kube_apis.v1, secret_name, test_namespace) write_to_json(f"reload-{get_test_file_name(request.node.fspath)}.json", reload_times)
def test_auth_basic_policy_secret( self, kube_apis, crd_ingress_controller, virtual_server_setup, test_namespace, htpasswd_secret, ): """ Test auth-basic-policy with a valid and an invalid secret """ if htpasswd_secret == htpasswd_sec_valid_src: pol = auth_basic_pol_valid_src vs = auth_basic_vs_single_src elif htpasswd_secret == htpasswd_sec_invalid_src: pol = auth_basic_pol_invalid_sec_src vs = auth_basic_vs_single_invalid_sec_src else: pytest.fail("Invalid configuration") secret, pol_name, headers = self.setup_single_policy( kube_apis, test_namespace, valid_credentials, htpasswd_secret, pol, virtual_server_setup.vs_host, ) print(f"Patch vs with policy: {pol}") delete_and_create_vs_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, vs, virtual_server_setup.namespace, ) wait_before_test() resp = requests.get(virtual_server_setup.backend_1_url, headers=headers) print(resp.status_code) crd_info = read_custom_resource( kube_apis.custom_objects, virtual_server_setup.namespace, "virtualservers", virtual_server_setup.vs_name, ) delete_policy(kube_apis.custom_objects, pol_name, test_namespace) delete_secret(kube_apis.v1, secret, test_namespace) delete_and_create_vs_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, std_vs_src, virtual_server_setup.namespace, ) if htpasswd_secret == htpasswd_sec_valid_src: assert resp.status_code == 200 assert f"Request ID:" in resp.text assert crd_info["status"]["state"] == "Valid" elif htpasswd_secret == htpasswd_sec_invalid_src: assert resp.status_code == 500 assert f"Internal Server Error" in resp.text assert crd_info["status"]["state"] == "Warning" else: pytest.fail(f"Not a valid case or parameter")
def test_response_codes_after_secret_remove_and_restore(self, kube_apis, jwt_secrets_setup, test_namespace, jwt_secret): req_url = f"http://{jwt_secrets_setup.public_endpoint.public_ip}:{jwt_secrets_setup.public_endpoint.port}/backend2" delete_secret(kube_apis.v1, jwt_secret.secret_name, test_namespace) wait_before_test(1) resp = requests.get(req_url, headers={"host": jwt_secrets_setup.ingress_host}, cookies={"auth_token": jwt_secrets_setup.jwt_token}) assert resp.status_code == 500 jwt_secret.secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace, f"{TEST_DATA}/jwt-secrets/jwt-secret.yaml") wait_before_test(1) resp = requests.get(req_url, headers={"host": jwt_secrets_setup.ingress_host}, cookies={"auth_token": jwt_secrets_setup.jwt_token}) assert resp.status_code == 200
def test_response_codes_after_secret_remove_and_restore(self, kube_apis, jwt_secrets_setup, test_namespace, jwt_secret): req_url = f"http://{jwt_secrets_setup.public_endpoint.public_ip}:{jwt_secrets_setup.public_endpoint.port}/backend2" delete_secret(kube_apis.v1, jwt_secret.secret_name, test_namespace) wait_before_test(1) resp = requests.get(req_url, headers={"host": jwt_secrets_setup.ingress_host}, cookies={"auth_token": jwt_secrets_setup.jwt_token}) assert resp.status_code == 500 jwt_secret.secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace, f"{TEST_DATA}/jwt-secrets/jwt-secret.yaml") wait_before_test(1) resp = requests.get(req_url, headers={"host": jwt_secrets_setup.ingress_host}, cookies={"auth_token": jwt_secrets_setup.jwt_token}) assert resp.status_code == 200
def test_auth_basic_policy_credentials( self, kube_apis, crd_ingress_controller, v_s_route_app_setup, v_s_route_setup, test_namespace, credentials, ): """ Test auth-basic-policy with no credentials, valid credentials and invalid credentials """ req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}" secret, pol_name, headers = self.setup_single_policy( kube_apis, v_s_route_setup.route_m.namespace, credentials, htpasswd_sec_valid_src, auth_basic_pol_valid_src, v_s_route_setup.vs_host, ) print(f"Patch vsr with policy: {auth_basic_vsr_valid_src}") patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, auth_basic_vsr_valid_src, v_s_route_setup.route_m.namespace, ) wait_before_test() resp = requests.get(f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers=headers) print(resp.status_code) delete_policy(kube_apis.custom_objects, pol_name, v_s_route_setup.route_m.namespace) delete_secret(kube_apis.v1, secret, v_s_route_setup.route_m.namespace) patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, std_vsr_src, v_s_route_setup.route_m.namespace, ) if credentials == valid_credentials: assert resp.status_code == 200 assert f"Request ID:" in resp.text else: assert resp.status_code == 401 assert f"Authorization Required" in resp.text
def fin(): print("Delete Master Secret:") if is_secret_present(kube_apis.v1, master_secret_name, test_namespace): delete_secret(kube_apis.v1, master_secret_name, test_namespace) print("Delete Minion Secret:") if is_secret_present(kube_apis.v1, minion_secret_name, test_namespace): delete_secret(kube_apis.v1, minion_secret_name, test_namespace) print("Clean up the JWT Auth Mergeable Minions Application:") delete_common_app(kube_apis, "simple", test_namespace) delete_items_from_yaml(kube_apis, f"{TEST_DATA}/jwt-auth-mergeable/mergeable/jwt-auth-ingress.yaml", test_namespace)
def fin(): print("Delete Master Secret:") if is_secret_present(kube_apis.v1, master_secret_name, test_namespace): delete_secret(kube_apis.v1, master_secret_name, test_namespace) print("Delete Minion Secret:") if is_secret_present(kube_apis.v1, minion_secret_name, test_namespace): delete_secret(kube_apis.v1, minion_secret_name, test_namespace) print("Clean up the JWT Auth Mergeable Minions Application:") delete_common_app(kube_apis.v1, kube_apis.extensions_v1_beta1, common_app, test_namespace) delete_items_from_yaml(kube_apis.extensions_v1_beta1, f"{TEST_DATA}/jwt-auth-mergeable/mergeable/jwt-auth-ingress.yaml", test_namespace)
def test_response_and_subject_remains_after_secret_delete(self, kube_apis, ingress_controller_prerequisites, wildcard_tls_secret_ingress_controller, wildcard_tls_secret_setup): delete_secret(kube_apis.v1, wildcard_tls_secret_ingress_controller.secret_name, ingress_controller_prerequisites.namespace) wait_before_test(1) req_url = f"https://{wildcard_tls_secret_setup.public_endpoint.public_ip}:{wildcard_tls_secret_setup.public_endpoint.port_ssl}/backend1" resp = requests.get(req_url, headers={"host": wildcard_tls_secret_setup.ingress_host}, verify=False) assert resp.status_code == 200 subject_dict = get_server_certificate_subject(wildcard_tls_secret_setup.public_endpoint.public_ip, wildcard_tls_secret_setup.ingress_host, wildcard_tls_secret_setup.public_endpoint.port_ssl) assert subject_dict[b'C'] == b'GB' assert subject_dict[b'ST'] == b'Cambridgeshire' assert subject_dict[b'CN'] == b'cafe.example.com'
def test_response_and_subject_remains_after_secret_delete(self, kube_apis, ingress_controller_prerequisites, wildcard_tls_secret_ingress_controller, wildcard_tls_secret_setup): delete_secret(kube_apis.v1, wildcard_tls_secret_ingress_controller.secret_name, ingress_controller_prerequisites.namespace) wait_before_test(1) req_url = f"https://{wildcard_tls_secret_setup.public_endpoint.public_ip}:{wildcard_tls_secret_setup.public_endpoint.port_ssl}/backend1" resp = requests.get(req_url, headers={"host": wildcard_tls_secret_setup.ingress_host}, verify=False) assert resp.status_code == 200 subject_dict = get_server_certificate_subject(wildcard_tls_secret_setup.public_endpoint.public_ip, wildcard_tls_secret_setup.ingress_host, wildcard_tls_secret_setup.public_endpoint.port_ssl) assert subject_dict[b'C'] == b'GB' assert subject_dict[b'ST'] == b'Cambridgeshire' assert subject_dict[b'CN'] == b'cafe.example.com'
def test_jwt_policy_delete_policy( self, kube_apis, crd_ingress_controller, virtual_server_setup, test_namespace, ): """ Test if requests result in 500 when policy is deleted """ secret, pol_name, headers = self.setup_single_policy( kube_apis, test_namespace, valid_token, jwk_sec_valid_src, jwt_pol_valid_src, virtual_server_setup.vs_host, ) print(f"Patch vs with policy: {jwt_pol_valid_src}") delete_and_create_vs_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, jwt_vs_single_src, virtual_server_setup.namespace, ) wait_before_test() resp1 = requests.get(virtual_server_setup.backend_1_url, headers=headers) print(resp1.status_code) delete_policy(kube_apis.custom_objects, pol_name, test_namespace) resp2 = requests.get(virtual_server_setup.backend_1_url, headers=headers) print(resp2.status_code) delete_secret(kube_apis.v1, secret, test_namespace) delete_and_create_vs_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, std_vs_src, virtual_server_setup.namespace, ) assert resp1.status_code == 200 assert resp2.status_code == 500
def test_certificate_subject_updates_after_secret_update( self, kube_apis, ingress_controller_prerequisites, wildcard_tls_secret_ingress_controller, wildcard_tls_secret_setup): delete_secret(kube_apis.v1, wildcard_tls_secret_ingress_controller.secret_name, ingress_controller_prerequisites.namespace) create_secret_from_yaml( kube_apis.v1, ingress_controller_prerequisites.namespace, f"{TEST_DATA}/wildcard-tls-secret/gb-wildcard-tls-secret.yaml") wait_before_test(1) subject_dict = get_server_certificate_subject( wildcard_tls_secret_setup.public_endpoint.public_ip, wildcard_tls_secret_setup.ingress_host, wildcard_tls_secret_setup.public_endpoint.port_ssl) assert subject_dict[b'C'] == b'GB' assert subject_dict[b'ST'] == b'Cambridgeshire' assert subject_dict[b'CN'] == b'cafe.example.com'
def test_tls_termination(self, kube_apis, crd_ingress_controller, virtual_server_setup, clean_up): print("\nStep 1: no secret") assert_ssl_error(virtual_server_setup) print("\nStep 2: deploy secret and check") secret_name = create_secret_from_yaml( kube_apis.v1, virtual_server_setup.namespace, f"{TEST_DATA}/virtual-server-tls/tls-secret.yaml") wait_before_test(1) assert_us_subject(virtual_server_setup) print("\nStep 3: remove secret and check") delete_secret(kube_apis.v1, secret_name, virtual_server_setup.namespace) wait_before_test(1) assert_ssl_error(virtual_server_setup) print("\nStep 4: restore secret and check") create_secret_from_yaml( kube_apis.v1, virtual_server_setup.namespace, f"{TEST_DATA}/virtual-server-tls/tls-secret.yaml") wait_before_test(1) assert_us_subject(virtual_server_setup) print("\nStep 5: deploy invalid secret and check") replace_secret( kube_apis.v1, secret_name, virtual_server_setup.namespace, f"{TEST_DATA}/virtual-server-tls/invalid-tls-secret.yaml") wait_before_test(1) assert_ssl_error(virtual_server_setup) print("\nStep 6: restore secret and check") replace_secret(kube_apis.v1, secret_name, virtual_server_setup.namespace, f"{TEST_DATA}/virtual-server-tls/tls-secret.yaml") wait_before_test(1) assert_us_subject(virtual_server_setup) print("\nStep 7: update secret and check") replace_secret(kube_apis.v1, secret_name, virtual_server_setup.namespace, f"{TEST_DATA}/virtual-server-tls/new-tls-secret.yaml") wait_before_test(1) assert_gb_subject(virtual_server_setup)
def test_certificate_subject_remains_with_invalid_secret( self, kube_apis, ingress_controller_prerequisites, wildcard_tls_secret_ingress_controller, wildcard_tls_secret_setup): delete_secret(kube_apis.v1, wildcard_tls_secret_ingress_controller.secret_name, ingress_controller_prerequisites.namespace) create_secret_from_yaml( kube_apis.v1, ingress_controller_prerequisites.namespace, f"{TEST_DATA}/wildcard-tls-secret/invalid-wildcard-tls-secret.yaml" ) wait_before_test(1) subject_dict = get_server_certificate_subject( wildcard_tls_secret_setup.public_endpoint.public_ip, wildcard_tls_secret_setup.ingress_host, wildcard_tls_secret_setup.public_endpoint.port_ssl) assert subject_dict[b'C'] == b'ES' assert subject_dict[b'ST'] == b'CanaryIslands' assert subject_dict[b'CN'] == b'example.com'
def test_auth_basic_policy_credentials( self, kube_apis, crd_ingress_controller, virtual_server_setup, test_namespace, credentials, ): """ Test auth-basic-policy with no credentials, valid credentials and invalid credentials """ secret, pol_name, headers = self.setup_single_policy( kube_apis, test_namespace, credentials, htpasswd_sec_valid_src, auth_basic_pol_valid_src, virtual_server_setup.vs_host, ) print(f"Patch vs with policy: {auth_basic_vs_single_src}") delete_and_create_vs_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, auth_basic_vs_single_src, virtual_server_setup.namespace, ) wait_before_test() resp = requests.get(virtual_server_setup.backend_1_url, headers=headers) print(resp.status_code) delete_policy(kube_apis.custom_objects, pol_name, test_namespace) delete_secret(kube_apis.v1, secret, test_namespace) delete_and_create_vs_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, std_vs_src, virtual_server_setup.namespace, ) if credentials in valid_credentials_list: assert resp.status_code == 200 assert f"Request ID:" in resp.text else: assert resp.status_code == 401 assert f"Authorization Required" in resp.text
def test_with_default_tls_secret(self, kube_apis, ingress_controller_endpoint, secret_setup, default_server_setup): print("Step 1: ensure CN of the default server TLS cert") assert_cn(ingress_controller_endpoint, "NGINXIngressController") print( "Step 2: ensure CN of the default server TLS cert after removing the secret" ) delete_secret(kube_apis.v1, secret_name, secret_namespace) wait_before_test(1) # Ingress Controller retains the previous valid secret assert_cn(ingress_controller_endpoint, "NGINXIngressController") print( "Step 3: ensure CN of the default TLS cert after creating an updated secret" ) create_secret_from_yaml(kube_apis.v1, secret_namespace, new_secret_path) wait_before_test(1) assert_cn(ingress_controller_endpoint, "cafe.example.com") print( "Step 4: ensure CN of the default TLS cert after making the secret invalid" ) replace_secret(kube_apis.v1, secret_name, secret_namespace, invalid_secret_path) wait_before_test(1) # Ingress Controller retains the previous valid secret assert_cn(ingress_controller_endpoint, "cafe.example.com") print( "Step 5: ensure CN of the default TLS cert after restoring the secret" ) replace_secret(kube_apis.v1, secret_name, secret_namespace, secret_path) wait_before_test(1) assert_cn(ingress_controller_endpoint, "NGINXIngressController")
def test_tls_termination(self, kube_apis, ingress_controller_endpoint, test_namespace, tls_setup): print("Step 1: no secret") assert_unrecognized_name_error(ingress_controller_endpoint, tls_setup.ingress_host) print("Step 2: deploy secret and check") create_secret_from_yaml(kube_apis.v1, test_namespace, tls_setup.secret_path) wait_before_test(1) assert_us_subject(ingress_controller_endpoint, tls_setup.ingress_host) print("Step 3: remove secret and check") delete_secret(kube_apis.v1, tls_setup.secret_name, test_namespace) wait_before_test(1) assert_unrecognized_name_error(ingress_controller_endpoint, tls_setup.ingress_host) print("Step 4: restore secret and check") create_secret_from_yaml(kube_apis.v1, test_namespace, tls_setup.secret_path) wait_before_test(1) assert_us_subject(ingress_controller_endpoint, tls_setup.ingress_host) print("Step 5: deploy invalid secret and check") delete_secret(kube_apis.v1, tls_setup.secret_name, test_namespace) create_secret_from_yaml(kube_apis.v1, test_namespace, tls_setup.invalid_secret_path) wait_before_test(1) assert_unrecognized_name_error(ingress_controller_endpoint, tls_setup.ingress_host) print("Step 6: restore secret and check") delete_secret(kube_apis.v1, tls_setup.secret_name, test_namespace) create_secret_from_yaml(kube_apis.v1, test_namespace, tls_setup.secret_path) wait_before_test(1) assert_us_subject(ingress_controller_endpoint, tls_setup.ingress_host) print("Step 7: update secret and check") replace_secret(kube_apis.v1, tls_setup.secret_name, test_namespace, tls_setup.new_secret_path) wait_before_test(1) assert_gb_subject(ingress_controller_endpoint, tls_setup.ingress_host)
def fin(): print("Remove IC and wildcard secret:") delete_ingress_controller(kube_apis.apps_v1_api, name, cli_arguments['deployment-type'], namespace) if is_secret_present(kube_apis.v1, secret_name, namespace): delete_secret(kube_apis.v1, secret_name, namespace)
def fin(): print("Delete Secret:") if is_secret_present(kube_apis.v1, secret_name, test_namespace): delete_secret(kube_apis.v1, secret_name, test_namespace)
def test_jwt_policy( self, kube_apis, crd_ingress_controller, v_s_route_app_setup, v_s_route_setup, test_namespace, policy, ): """ Test jwt-policy with a valid and an invalid policy """ req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}" if policy == jwt_pol_valid_src: vsr = jwt_vsr_valid_src elif policy == jwt_pol_invalid_src: vsr = jwt_vsr_invalid_src else: pytest.fail(f"Not a valid case or parameter") secret, pol_name, headers = self.setup_single_policy( kube_apis, v_s_route_setup.route_m.namespace, valid_token, jwk_sec_valid_src, policy, v_s_route_setup.vs_host, ) print(f"Patch vsr with policy: {policy}") patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, vsr, v_s_route_setup.route_m.namespace, ) wait_before_test() resp = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers=headers, ) print(resp.status_code) crd_info = read_crd( kube_apis.custom_objects, v_s_route_setup.route_m.namespace, "virtualserverroutes", v_s_route_setup.route_m.name, ) delete_policy(kube_apis.custom_objects, pol_name, v_s_route_setup.route_m.namespace) delete_secret(kube_apis.v1, secret, v_s_route_setup.route_m.namespace) patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, std_vsr_src, v_s_route_setup.route_m.namespace, ) if policy == jwt_pol_valid_src: assert resp.status_code == 200 assert f"Request ID:" in resp.text assert crd_info["status"]["state"] == "Valid" elif policy == jwt_pol_invalid_src: assert resp.status_code == 500 assert f"Internal Server Error" in resp.text assert crd_info["status"]["state"] == "Warning" else: pytest.fail(f"Not a valid case or parameter")
def fin(): print("Delete Secret:") if is_secret_present(kube_apis.v1, secret_name, test_namespace): delete_secret(kube_apis.v1, secret_name, test_namespace)
def fin(): print("Remove IC and wildcard secret:") delete_ingress_controller(kube_apis.extensions_v1_beta1, name, cli_arguments['deployment-type'], namespace) if is_secret_present(kube_apis.v1, secret_name, namespace): delete_secret(kube_apis.v1, secret_name, namespace)
def fin(): delete_secret(kube_apis.v1, prometheus_secret_name, "nginx-ingress")
def fin(): print("Clean up the Smoke Application:") delete_common_app(kube_apis.v1, kube_apis.extensions_v1_beta1, common_app, test_namespace) delete_items_from_yaml(kube_apis.extensions_v1_beta1, f"{TEST_DATA}/smoke/{request.param}/smoke-ingress.yaml", test_namespace) delete_secret(kube_apis.v1, secret_name, test_namespace)