def test_ap_pod_startup(
self,
request,
kube_apis,
ingress_controller_prerequisites,
crd_ingress_controller_with_ap,
appprotect_setup,
test_namespace,
):
"""
Log pod startup time while scaling up from 0 to 1
"""
src_syslog_yaml = f"{TEST_DATA}/appprotect/syslog.yaml"
create_items_from_yaml(kube_apis, src_syslog_yaml, test_namespace)
syslog_ep = get_service_endpoint(kube_apis, "syslog-svc",
test_namespace)
# items[-1] because syslog pod is last one to spin-up
syslog_pod = kube_apis.v1.list_namespaced_pod(
test_namespace).items[-1].metadata.name
create_ingress_with_ap_annotations(kube_apis, src_ing_yaml,
test_namespace, ap_policy, "True",
"True", f"{syslog_ep}:514")
ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml)
print(
"--------- AppProtect module is enabled with correct policy ---------"
)
ensure_response_from_backend(appprotect_setup.req_url,
ingress_host,
check404=True)
ns = ingress_controller_prerequisites.namespace
scale_deployment(kube_apis.v1, kube_apis.apps_v1_api, "nginx-ingress",
ns, 0)
while get_pods_amount(kube_apis.v1, ns) is not 0:
print(f"Number of replicas not 0, retrying...")
wait_before_test()
num = scale_deployment(kube_apis.v1, kube_apis.apps_v1_api,
"nginx-ingress", ns, 1)
delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace)
delete_items_from_yaml(kube_apis, src_syslog_yaml, test_namespace)
assert num is None
def ap_generic_setup(kube_apis, vs_namespace, test_namespace, policy_method,
vs_yaml):
src_pol_yaml = f"{TEST_DATA}/ap-waf-grpc/policies/waf-block-{policy_method}.yaml"
print(
"------------------------- Deploy logconf -----------------------------"
)
global log_name
log_name = create_ap_logconf_from_yaml(kube_apis.custom_objects,
src_log_yaml, test_namespace)
print(
f"------------------------- Deploy AP policy ---------------------------"
)
src_appol_yaml = f"{TEST_DATA}/ap-waf-grpc/grpc-block-{policy_method}.yaml"
global ap_pol_name
ap_pol_name = create_ap_policy_from_yaml(kube_apis.custom_objects,
src_appol_yaml, test_namespace)
print(
"------------------------- Deploy Syslog -----------------------------"
)
create_items_from_yaml(kube_apis, src_syslog_yaml, test_namespace)
wait_before_test(20)
syslog_ep = get_service_endpoint(kube_apis, "syslog-svc", test_namespace)
print("------------------------- Deploy App -----------------------------")
create_example_app(kube_apis, "grpc-vs", vs_namespace)
wait_until_all_pods_are_ready(kube_apis.v1, vs_namespace)
print(
"------------------------- Deploy Secret -----------------------------"
)
create_secret_from_yaml(kube_apis.v1, vs_namespace, src_vs_sec_yaml)
print(
f"------------------------- Deploy policy ---------------------------")
src_pol_name = create_ap_waf_policy_from_yaml(
kube_apis.custom_objects, src_pol_yaml, vs_namespace, test_namespace,
True, True, ap_pol_name, log_name, f"syslog:server={syslog_ep}:514")
print(
"------------------------- Deploy Virtual Server -----------------------------------"
)
vs_name = create_virtual_server_from_yaml(kube_apis.custom_objects,
vs_yaml, vs_namespace)
return (src_pol_name, vs_name)
def test_ap_multi_sec_logs(self, kube_apis, crd_ingress_controller_with_ap,
appprotect_setup, test_namespace):
"""
Test corresponding log entries with multiple log destinations (in this case, two syslog servers)
"""
src_syslog_yaml = f"{TEST_DATA}/appprotect/syslog.yaml"
src_syslog2_yaml = f"{TEST_DATA}/appprotect/syslog2.yaml"
log_loc = f"/var/log/messages"
print("Create two syslog servers")
create_items_from_yaml(kube_apis, src_syslog_yaml, test_namespace)
create_items_from_yaml(kube_apis, src_syslog2_yaml, test_namespace)
syslog_ep = get_service_endpoint(kube_apis, "syslog-svc",
test_namespace)
syslog2_ep = get_service_endpoint(kube_apis, "syslog2-svc",
test_namespace)
syslog_pod = kube_apis.v1.list_namespaced_pod(
test_namespace).items[-2].metadata.name
syslog2_pod = kube_apis.v1.list_namespaced_pod(
test_namespace).items[-1].metadata.name
with open(src_ing_yaml) as f:
doc = yaml.safe_load(f)
doc["metadata"]["annotations"][
"appprotect.f5.com/app-protect-policy"] = ap_policy
doc["metadata"]["annotations"][
"appprotect.f5.com/app-protect-enable"] = "True"
doc["metadata"]["annotations"][
"appprotect.f5.com/app-protect-security-log-enable"] = "True"
# both lists need to be the same length, if one of the referenced configs is invalid/non-existent then no logconfs are applied.
doc["metadata"]["annotations"][
"appprotect.f5.com/app-protect-security-log"] = f"{test_namespace}/logconf,{test_namespace}/logconf"
doc["metadata"]["annotations"][
"appprotect.f5.com/app-protect-security-log-destination"] = f"syslog:server={syslog_ep}:514,syslog:server={syslog2_ep}:514"
create_ingress(kube_apis.extensions_v1_beta1, test_namespace, doc)
ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml)
ensure_response_from_backend(appprotect_setup.req_url,
ingress_host,
check404=True)
print("----------------------- Send request ----------------------")
response = requests.get(appprotect_setup.req_url + "/<script>",
headers={"host": ingress_host},
verify=False)
print(response.text)
log_contents = ""
log2_contents = ""
retry = 0
while ("ASM:attack_type" not in log_contents
and "ASM:attack_type" not in log2_contents and retry <= 30):
log_contents = get_file_contents(kube_apis.v1, log_loc, syslog_pod,
test_namespace)
log2_contents = get_file_contents(kube_apis.v1, log_loc,
syslog2_pod, test_namespace)
retry += 1
wait_before_test(1)
print(f"Security log not updated, retrying... #{retry}")
delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace)
delete_items_from_yaml(kube_apis, src_syslog_yaml, test_namespace)
delete_items_from_yaml(kube_apis, src_syslog2_yaml, test_namespace)
assert_invalid_responses(response)
# check logs in dest. #1 i.e. syslog server #1
assert (
f'ASM:attack_type="Non-browser Client,Abuse of Functionality,Cross Site Scripting (XSS)"'
in log_contents and f'severity="Critical"' in log_contents
and f'request_status="blocked"' in log_contents
and f'outcome="REJECTED"' in log_contents)
# check logs in dest. #2 i.e. syslog server #2
assert (
f'ASM:attack_type="Non-browser Client,Abuse of Functionality,Cross Site Scripting (XSS)"'
in log2_contents and f'severity="Critical"' in log2_contents
and f'request_status="blocked"' in log2_contents
and f'outcome="REJECTED"' in log2_contents)
def test_ap_sec_logs_on(self, kube_apis, crd_ingress_controller_with_ap,
appprotect_setup, test_namespace):
"""
Test corresponding log entries with correct policy (includes setting up a syslog server as defined in syslog.yaml)
"""
src_syslog_yaml = f"{TEST_DATA}/appprotect/syslog.yaml"
log_loc = f"/var/log/messages"
create_items_from_yaml(kube_apis, src_syslog_yaml, test_namespace)
syslog_ep = get_service_endpoint(kube_apis, "syslog-svc",
test_namespace)
# items[-1] because syslog pod is last one to spin-up
syslog_pod = kube_apis.v1.list_namespaced_pod(
test_namespace).items[-1].metadata.name
create_ingress_with_ap_annotations(kube_apis, src_ing_yaml,
test_namespace, ap_policy, "True",
"True", f"{syslog_ep}:514")
ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml)
print(
"--------- Run test while AppProtect module is enabled with correct policy ---------"
)
ensure_response_from_backend(appprotect_setup.req_url,
ingress_host,
check404=True)
print(
"----------------------- Send invalid request ----------------------"
)
response_block = requests.get(appprotect_setup.req_url + "/<script>",
headers={"host": ingress_host},
verify=False)
print(response_block.text)
log_contents = ""
retry = 0
while ("ASM:attack_type" not in log_contents and retry <= 30):
log_contents_block = get_file_contents(kube_apis.v1, log_loc,
syslog_pod, test_namespace)
retry += 1
wait_before_test(1)
print(f"Security log not updated, retrying... #{retry}")
print(
"----------------------- Send valid request ----------------------"
)
headers = {
"Host":
ingress_host,
"User-Agent":
"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0",
}
response = requests.get(appprotect_setup.req_url,
headers=headers,
verify=False)
print(response.text)
wait_before_test(10)
log_contents = get_file_contents(kube_apis.v1, log_loc, syslog_pod,
test_namespace)
delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace)
delete_items_from_yaml(kube_apis, src_syslog_yaml, test_namespace)
assert_invalid_responses(response_block)
assert (
f'ASM:attack_type="Non-browser Client,Abuse of Functionality,Cross Site Scripting (XSS)"'
in log_contents_block)
assert f'severity="Critical"' in log_contents_block
assert f'request_status="blocked"' in log_contents_block
assert f'outcome="REJECTED"' in log_contents_block
assert_valid_responses(response)
assert f'ASM:attack_type="N/A"' in log_contents
assert f'severity="Informational"' in log_contents
assert f'request_status="passed"' in log_contents
assert f'outcome="PASSED"' in log_contents
def backend_setup(request, kube_apis, ingress_controller_endpoint,
ingress_controller_prerequisites,
test_namespace) -> BackendSetup:
"""
Deploy a simple application and AppProtect manifests.
:param request: pytest fixture
:param kube_apis: client apis
:param ingress_controller_endpoint: public endpoint
:param test_namespace:
:return: BackendSetup
"""
try:
print(
"------------------------- Replace ConfigMap with HTTP2 -------------------------"
)
replace_configmap_from_yaml(
kube_apis.v1,
ingress_controller_prerequisites.config_map['metadata']['name'],
ingress_controller_prerequisites.namespace,
f"{TEST_DATA}/appprotect/grpc/nginx-config.yaml")
policy = request.param["policy"]
print(
"------------------------- Deploy backend application -------------------------"
)
create_example_app(kube_apis, "grpc", test_namespace)
wait_until_all_pods_are_ready(kube_apis.v1, test_namespace)
print(
"------------------------- Deploy Secret -----------------------------"
)
src_sec_yaml = f"{TEST_DATA}/appprotect/appprotect-secret.yaml"
create_items_from_yaml(kube_apis, src_sec_yaml, test_namespace)
print(
"------------------------- Deploy logconf -----------------------------"
)
src_log_yaml = f"{TEST_DATA}/appprotect/logconf.yaml"
log_name = create_ap_logconf_from_yaml(kube_apis.custom_objects,
src_log_yaml, test_namespace)
print(
f"------------------------- Deploy appolicy: {policy} ---------------------------"
)
src_pol_yaml = f"{TEST_DATA}/appprotect/grpc/{policy}.yaml"
pol_name = create_ap_policy_from_yaml(kube_apis.custom_objects,
src_pol_yaml, test_namespace)
print(
"------------------------- Deploy Syslog -----------------------------"
)
src_syslog_yaml = f"{TEST_DATA}/appprotect/syslog.yaml"
create_items_from_yaml(kube_apis, src_syslog_yaml, test_namespace)
syslog_ep = get_service_endpoint(kube_apis, "syslog-svc",
test_namespace)
print(syslog_ep)
print(
"------------------------- Deploy ingress -----------------------------"
)
src_ing_yaml = f"{TEST_DATA}/appprotect/grpc/ingress.yaml"
create_ingress_with_ap_annotations(kube_apis, src_ing_yaml,
test_namespace, policy, "True",
"True", f"{syslog_ep}:514")
ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml)
wait_before_test(40)
except Exception as ex:
print("Failed to complete setup, cleaning up..")
delete_items_from_yaml(kube_apis, src_syslog_yaml, test_namespace)
delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace)
delete_ap_policy(kube_apis.custom_objects, pol_name, test_namespace)
delete_ap_logconf(kube_apis.custom_objects, log_name, test_namespace)
delete_common_app(kube_apis, "grpc", test_namespace)
delete_items_from_yaml(kube_apis, src_sec_yaml, test_namespace)
replace_configmap_from_yaml(
kube_apis.v1,
ingress_controller_prerequisites.config_map['metadata']['name'],
ingress_controller_prerequisites.namespace,
f"{DEPLOYMENTS}/common/nginx-config.yaml")
pytest.fail(f"AP GRPC setup failed")
def fin():
print("Clean up:")
delete_items_from_yaml(kube_apis, src_syslog_yaml, test_namespace)
delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace)
delete_ap_policy(kube_apis.custom_objects, pol_name, test_namespace)
delete_ap_logconf(kube_apis.custom_objects, log_name, test_namespace)
delete_common_app(kube_apis, "grpc", test_namespace)
delete_items_from_yaml(kube_apis, src_sec_yaml, test_namespace)
replace_configmap_from_yaml(
kube_apis.v1,
ingress_controller_prerequisites.config_map['metadata']['name'],
ingress_controller_prerequisites.namespace,
f"{DEPLOYMENTS}/common/nginx-config.yaml")
request.addfinalizer(fin)
return BackendSetup(ingress_host, ingress_controller_endpoint.public_ip,
ingress_controller_endpoint.port_ssl)
def test_ap_waf_policy_logs(
self,
kube_apis,
crd_ingress_controller_with_ap,
virtual_server_setup,
appprotect_setup,
test_namespace,
):
"""
Test waf policy logs
"""
src_syslog_yaml = f"{TEST_DATA}/ap-waf/syslog.yaml"
log_loc = f"/var/log/messages"
create_items_from_yaml(kube_apis, src_syslog_yaml, test_namespace)
syslog_ep = get_service_endpoint(kube_apis, "syslog-svc",
test_namespace)
syslog_pod = kube_apis.v1.list_namespaced_pod(
test_namespace).items[-1].metadata.name
print(f"Create waf policy")
create_ap_waf_policy_from_yaml(
kube_apis.custom_objects,
waf_pol_dataguard_src,
test_namespace,
test_namespace,
True,
True,
ap_pol_name,
log_name,
f"syslog:server={syslog_ep}:514",
)
wait_before_test()
print(f"Patch vs with policy: {waf_spec_vs_src}")
patch_virtual_server_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
waf_spec_vs_src,
virtual_server_setup.namespace,
)
wait_before_test()
ap_crd_info = read_ap_custom_resource(kube_apis.custom_objects,
test_namespace, "appolicies",
ap_policy_uds)
assert_ap_crd_info(ap_crd_info, ap_policy_uds)
wait_before_test(120)
print(
"----------------------- Send request with embedded malicious script----------------------"
)
response = requests.get(
virtual_server_setup.backend_1_url + "</script>",
headers={"host": virtual_server_setup.vs_host},
)
print(response.text)
wait_before_test(5)
log_contents = get_file_contents(kube_apis.v1, log_loc, syslog_pod,
test_namespace)
delete_policy(kube_apis.custom_objects, "waf-policy", test_namespace)
self.restore_default_vs(kube_apis, virtual_server_setup)
assert_invalid_responses(response)
assert (
f'ASM:attack_type="Non-browser Client,Abuse of Functionality,Cross Site Scripting (XSS)"'
in log_contents)
assert f'severity="Critical"' in log_contents
assert f'request_status="blocked"' in log_contents
assert f'outcome="REJECTED"' in log_contents