def test_ap_enable_true_policy_correct_uds(self, request, kube_apis,
crd_ingress_controller_with_ap,
appprotect_setup,
test_namespace):
"""
Test request with UDS rule string is rejected while AppProtect with User Defined Signatures is enabled in Ingress
"""
usersig_name = create_ap_usersig_from_yaml(kube_apis.custom_objects,
uds_crd_resource,
test_namespace)
# Apply dataguard-alarm AP policy with UDS
delete_and_create_ap_policy_from_yaml(
kube_apis.custom_objects,
ap_policy,
f"{TEST_DATA}/appprotect/{ap_policy_uds}.yaml",
test_namespace,
)
wait_before_test()
create_ingress_with_ap_annotations(kube_apis, src_ing_yaml,
test_namespace, ap_policy, "True",
"True", "127.0.0.1:514")
ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml)
print(
"--------- Run test while AppProtect module is enabled with correct policy and UDS ---------"
)
ap_crd_info = read_ap_custom_resource(kube_apis.custom_objects,
test_namespace, "appolicies",
ap_policy)
wait_before_test(120)
ensure_response_from_backend(appprotect_setup.req_url,
ingress_host,
check404=True)
print("----------------------- Send request ----------------------")
response = requests.get(appprotect_setup.req_url,
headers={"host": ingress_host},
verify=False,
data="kic")
print(response.text)
reload_ms = get_last_reload_time(appprotect_setup.metrics_url, "nginx")
print(f"last reload duration: {reload_ms} ms")
reload_times[
f"{request.node.name}"] = f"last reload duration: {reload_ms} ms"
# Restore default dataguard-alarm policy
delete_and_create_ap_policy_from_yaml(
kube_apis.custom_objects,
ap_policy,
f"{TEST_DATA}/appprotect/{ap_policy}.yaml",
test_namespace,
)
delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace)
assert_ap_crd_info(ap_crd_info, ap_policy)
assert_invalid_responses(response)
def test_response_code_200_and_server_name(
self, request, ingress_controller, smoke_setup, path
):
req_url = f"https://{smoke_setup.public_endpoint.public_ip}:{smoke_setup.public_endpoint.port_ssl}/{path}"
metrics_url = f"http://{smoke_setup.public_endpoint.public_ip}:{smoke_setup.public_endpoint.metrics_port}/metrics"
ensure_response_from_backend(req_url, smoke_setup.ingress_host)
resp = requests.get(req_url, headers={"host": smoke_setup.ingress_host}, verify=False)
reload_ms = get_last_reload_time(metrics_url, "nginx")
print(f"last reload duration: {reload_ms} ms")
reload_times[f"{request.node.name}"] = f"last reload duration: {reload_ms} ms"
assert resp.status_code == 200
assert f"Server name: {path}" in resp.text
def test_responses_dataguard_alarm(self, request, kube_apis,
crd_ingress_controller_with_ap,
backend_setup, test_namespace):
"""
Test dataguard-alarm AppProtect policy: Block malicious script in url
"""
print(
"------------- Run test for AP policy: dataguard-alarm --------------"
)
print(
f"Request URL: {backend_setup.req_url} and Host: {backend_setup.ingress_host}"
)
ensure_response_from_backend(backend_setup.req_url,
backend_setup.ingress_host,
check404=True)
print(
"----------------------- Send valid request ----------------------"
)
resp_valid = requests.get(backend_setup.req_url,
headers={"host": backend_setup.ingress_host},
verify=False)
print(resp_valid.text)
reload_ms = get_last_reload_time(backend_setup.metrics_url, "nginx")
print(f"last reload duration: {reload_ms} ms")
reload_times[
f"{request.node.name}"] = f"last reload duration: {reload_ms} ms"
assert valid_resp_addr in resp_valid.text
assert valid_resp_name in resp_valid.text
assert resp_valid.status_code == 200
print(
"---------------------- Send invalid request ---------------------"
)
resp_invalid = requests.get(
backend_setup.req_url + "/<script>",
headers={"host": backend_setup.ingress_host},
verify=False,
)
print(resp_invalid.text)
assert invalid_resp_title in resp_invalid.text
assert invalid_resp_body in resp_invalid.text
assert resp_invalid.status_code == 200
def test_deny_policy(
self,
request,
kube_apis,
crd_ingress_controller,
virtual_server_setup,
test_namespace,
config_setup,
src,
):
"""
Test if ip (10.0.0.1) block-listing is working: default(no policy) -> deny
"""
resp = requests.get(
virtual_server_setup.backend_1_url,
headers={
"host": virtual_server_setup.vs_host,
"X-Real-IP": "10.0.0.1"
},
)
print(f"Response: {resp.status_code}\n{resp.text}")
assert resp.status_code == 200
print(f"Create deny policy")
pol_name = create_policy_from_yaml(kube_apis.custom_objects,
deny_pol_src, test_namespace)
print(f"Patch vs with policy: {src}")
patch_virtual_server_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
src,
virtual_server_setup.namespace,
)
wait_before_test()
policy_info = read_custom_resource(kube_apis.custom_objects,
test_namespace, "policies",
pol_name)
print(f"\nUse IP listed in deny block: 10.0.0.1")
resp1 = requests.get(
virtual_server_setup.backend_1_url,
headers={
"host": virtual_server_setup.vs_host,
"X-Real-IP": "10.0.0.1"
},
)
print(f"Response: {resp1.status_code}\n{resp1.text}")
print(f"\nUse IP not listed in deny block: 10.0.0.2")
resp2 = requests.get(
virtual_server_setup.backend_1_url,
headers={
"host": virtual_server_setup.vs_host,
"X-Real-IP": "10.0.0.2"
},
)
print(f"Response: {resp2.status_code}\n{resp2.text}")
reload_ms = get_last_reload_time(virtual_server_setup.metrics_url,
"nginx")
print(f"last reload duration: {reload_ms} ms")
reload_times[
f"{request.node.name}"] = f"last reload duration: {reload_ms} ms"
delete_policy(kube_apis.custom_objects, pol_name, test_namespace)
self.restore_default_vs(kube_apis, virtual_server_setup)
assert (policy_info["status"]
and policy_info["status"]["reason"] == "AddedOrUpdated"
and policy_info["status"]["state"] == "Valid")
assert (resp1.status_code == 403 and "403 Forbidden" in resp1.text
and resp2.status_code == 200
and "Server address:" in resp2.text)
def test_ap_multi_sec_logs(
self, request, kube_apis, crd_ingress_controller_with_ap, appprotect_setup, test_namespace
):
"""
Test corresponding log entries with multiple log destinations (in this case, two syslog servers)
"""
src_syslog_yaml = f"{TEST_DATA}/appprotect/syslog.yaml"
src_syslog2_yaml = f"{TEST_DATA}/appprotect/syslog2.yaml"
log_loc = "/var/log/messages"
print("Create two syslog servers")
create_items_from_yaml(kube_apis, src_syslog_yaml, test_namespace)
create_items_from_yaml(kube_apis, src_syslog2_yaml, test_namespace)
syslog_dst = f"syslog-svc.{test_namespace}"
syslog2_dst = f"syslog2-svc.{test_namespace}"
syslog_pod = kube_apis.v1.list_namespaced_pod(test_namespace).items[-2].metadata.name
syslog2_pod = kube_apis.v1.list_namespaced_pod(test_namespace).items[-1].metadata.name
with open(src_ing_yaml) as f:
doc = yaml.safe_load(f)
doc["metadata"]["annotations"]["appprotect.f5.com/app-protect-policy"] = ap_policy
doc["metadata"]["annotations"]["appprotect.f5.com/app-protect-enable"] = "True"
doc["metadata"]["annotations"][
"appprotect.f5.com/app-protect-security-log-enable"
] = "True"
# both lists need to be the same length, if one of the referenced configs is invalid/non-existent then no logconfs are applied.
doc["metadata"]["annotations"][
"appprotect.f5.com/app-protect-security-log"
] = f"{test_namespace}/logconf,{test_namespace}/logconf"
doc["metadata"]["annotations"][
"appprotect.f5.com/app-protect-security-log-destination"
] = f"syslog:server={syslog_dst}:514,syslog:server={syslog2_dst}:514"
create_ingress(kube_apis.networking_v1, test_namespace, doc)
ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml)
ensure_response_from_backend(appprotect_setup.req_url, ingress_host, check404=True)
print("----------------------- Send request ----------------------")
response = requests.get(
appprotect_setup.req_url + "/<script>", headers={"host": ingress_host}, verify=False
)
print(response.text)
log_contents = ""
log2_contents = ""
retry = 0
while (
"ASM:attack_type" not in log_contents
and "ASM:attack_type" not in log2_contents
and retry <= 60
):
log_contents = get_file_contents(kube_apis.v1, log_loc, syslog_pod, test_namespace)
log2_contents = get_file_contents(kube_apis.v1, log_loc, syslog2_pod, test_namespace)
retry += 1
wait_before_test(1)
print(f"Security log not updated, retrying... #{retry}")
reload_ms = get_last_reload_time(appprotect_setup.metrics_url, "nginx")
print(f"last reload duration: {reload_ms} ms")
reload_times[f"{request.node.name}"] = f"last reload duration: {reload_ms} ms"
delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace)
delete_items_from_yaml(kube_apis, src_syslog_yaml, test_namespace)
delete_items_from_yaml(kube_apis, src_syslog2_yaml, test_namespace)
assert_invalid_responses(response)
# check logs in dest. #1 i.e. syslog server #1
assert (
'ASM:attack_type="Non-browser Client,Abuse of Functionality,Cross Site Scripting (XSS)"'
in log_contents
and 'severity="Critical"' in log_contents
and 'request_status="blocked"' in log_contents
and 'outcome="REJECTED"' in log_contents
)
# check logs in dest. #2 i.e. syslog server #2
assert (
'ASM:attack_type="Non-browser Client,Abuse of Functionality,Cross Site Scripting (XSS)"'
in log2_contents
and 'severity="Critical"' in log2_contents
and 'request_status="blocked"' in log2_contents
and 'outcome="REJECTED"' in log2_contents
)