def setup_multiple_policies(self, kube_apis, namespace, credentials, secret_list, policy_1, policy_2, vs_host): print(f"Create {len(secret_list)} htpasswd secrets") # secret_name = create_secret_from_yaml(kube_apis.v1, namespace, secret) secret_name_list = [] for secret in secret_list: secret_name_list.append( create_secret_from_yaml(kube_apis.v1, namespace, secret)) print(f"Create auth basic policy #1") pol_name_1 = create_policy_from_yaml(kube_apis.custom_objects, policy_1, namespace) print(f"Create auth basic policy #2") pol_name_2 = create_policy_from_yaml(kube_apis.custom_objects, policy_2, namespace) wait_before_test() with open(credentials, "r") as file: data = file.readline() headers = { "host": vs_host, "authorization": f"Basic {to_base64(data)}" } return secret_name_list, pol_name_1, pol_name_2, headers
def test_overide_vs_vsr( self, kube_apis, crd_ingress_controller, v_s_route_app_setup, test_namespace, config_setup, v_s_route_setup, src, ): """ Test if vsr subroute policy overrides vs spec policy and vsr subroute policy overrides vs route policy """ req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}" print(f"Create deny policy") deny_pol_name = create_policy_from_yaml( kube_apis.custom_objects, deny_pol_src, v_s_route_setup.route_m.namespace) print(f"Create allow policy") allow_pol_name = create_policy_from_yaml( kube_apis.custom_objects, allow_pol_src, v_s_route_setup.route_m.namespace) patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, allow_vsr_src, v_s_route_setup.route_m.namespace, ) # patch vs with blocking policy patch_virtual_server_from_yaml(kube_apis.custom_objects, v_s_route_setup.vs_name, src, v_s_route_setup.namespace) wait_before_test() print(f"\nUse IP listed in deny block: 10.0.0.1") resp = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={ "host": v_s_route_setup.vs_host, "X-Real-IP": "10.0.0.1" }, ) print(f"Response: {resp.status_code}\n{resp.text}") delete_policy(kube_apis.custom_objects, deny_pol_name, v_s_route_setup.route_m.namespace) delete_policy(kube_apis.custom_objects, allow_pol_name, v_s_route_setup.route_m.namespace) self.restore_default_vsr(kube_apis, v_s_route_setup) patch_virtual_server_from_yaml(kube_apis.custom_objects, v_s_route_setup.vs_name, std_vs_src, v_s_route_setup.namespace) wait_before_test() assert resp.status_code == 200 and "Server address:" in resp.text
def test_rl_policy_override_vsr( self, kube_apis, crd_ingress_controller, v_s_route_app_setup, v_s_route_setup, test_namespace, src, ): """ Test if rate-limiting policy with lower rps is used when multiple policies are listed in vsr:subroute And test if the order of policies in vsr:subroute has no effect """ req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}" print(f"Create rl policy: 1rps") pol_name_pri = create_policy_from_yaml( kube_apis.custom_objects, rl_pol_pri_src, v_s_route_setup.route_m.namespace) print(f"Create rl policy: 5rps") pol_name_sec = create_policy_from_yaml( kube_apis.custom_objects, rl_pol_sec_src, v_s_route_setup.route_m.namespace) print(f"Patch vsr with policy: {src}") patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, src, v_s_route_setup.route_m.namespace, ) wait_before_test() occur = [] t_end = time.perf_counter() + 1 resp = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={"host": v_s_route_setup.vs_host}, ) print(resp.status_code) assert resp.status_code == 200 while time.perf_counter() < t_end: resp = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={"host": v_s_route_setup.vs_host}, ) occur.append(resp.status_code) delete_policy(kube_apis.custom_objects, pol_name_pri, v_s_route_setup.route_m.namespace) delete_policy(kube_apis.custom_objects, pol_name_sec, v_s_route_setup.route_m.namespace) self.restore_default_vsr(kube_apis, v_s_route_setup) assert occur.count(200) <= 1
def test_route_override_spec( self, kube_apis, crd_ingress_controller, virtual_server_setup, test_namespace, config_setup, ): """ Test allow policy specified under routes overrides block in spec """ resp = requests.get( virtual_server_setup.backend_1_url, headers={ "host": virtual_server_setup.vs_host, "X-Real-IP": "10.0.0.1" }, ) print(f"Response: {resp.status_code}\n{resp.text}") assert resp.status_code == 200 print(f"Create deny policy") deny_pol_name = create_policy_from_yaml(kube_apis.custom_objects, deny_pol_src, test_namespace) print(f"Create allow policy") allow_pol_name = create_policy_from_yaml(kube_apis.custom_objects, allow_pol_src, test_namespace) patch_virtual_server_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, override_vs_spec_route_src, virtual_server_setup.namespace, ) wait_before_test() print(f"Use IP listed in both deny and allow policies: 10.0.0.1") resp = requests.get( virtual_server_setup.backend_1_url, headers={ "host": virtual_server_setup.vs_host, "X-Real-IP": "10.0.0.1" }, ) print(f"Response: {resp.status_code}\n{resp.text}") self.restore_default_vs(kube_apis, virtual_server_setup) delete_policy(kube_apis.custom_objects, deny_pol_name, test_namespace) delete_policy(kube_apis.custom_objects, allow_pol_name, test_namespace) assert resp.status_code == 200 and "Server address:" in resp.text
def test_policy_matching_ingress_class( self, kube_apis, crd_ingress_controller, virtual_server_setup, test_namespace, src, ): """ Test if policy with matching ingress class is applied to vs """ print(f"Create rl policy") pol_name = create_policy_from_yaml(kube_apis.custom_objects, policy_ingress_class_src, test_namespace) wait_before_test() policy_info = read_custom_resource(kube_apis.custom_objects, test_namespace, "policies", pol_name) assert ( policy_info["status"] and policy_info["status"]["reason"] == "AddedOrUpdated" and policy_info["status"]["state"] == "Valid" ) print(f"Patch vs with policy: {src}") patch_virtual_server_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, src, virtual_server_setup.namespace, ) wait_before_test() vs_info = read_custom_resource(kube_apis.custom_objects, virtual_server_setup.namespace, "virtualservers", virtual_server_setup.vs_name) assert ( vs_info["status"] and vs_info["status"]["reason"] == "AddedOrUpdated" and vs_info["status"]["state"] == "Valid" ) delete_policy(kube_apis.custom_objects, pol_name, test_namespace) self.restore_default_vs(kube_apis, virtual_server_setup)
def test_policy_non_matching_ingress_class( self, kube_apis, crd_ingress_controller, virtual_server_setup, test_namespace, src, ): """ Test if non matching policy gets caught by vc validation """ print(f"Create rl policy") pol_name = create_policy_from_yaml(kube_apis.custom_objects, policy_other_ingress_class_src, test_namespace) wait_before_test() policy_info = read_custom_resource(kube_apis.custom_objects, test_namespace, "policies", pol_name) assert "status" not in policy_info, "the policy is not managed by the IC, therefore the status is not updated" print(f"Patch vs with policy: {src}") patch_virtual_server_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, src, virtual_server_setup.namespace, ) wait_before_test() vs_info = read_custom_resource(kube_apis.custom_objects, virtual_server_setup.namespace, "virtualservers", virtual_server_setup.vs_name) assert ( vs_info["status"] and "rate-limit-primary is missing or invalid" in vs_info["status"]["message"] and vs_info["status"]["reason"] == "AddedOrUpdatedWithWarning" and vs_info["status"]["state"] == "Warning" ) delete_policy(kube_apis.custom_objects, pol_name, test_namespace) self.restore_default_vs(kube_apis, virtual_server_setup)
def setup_multiple_policies(self, kube_apis, namespace, token, secret, policy_1, policy_2, vs_host): print(f"Create jwk secret") secret_name = create_secret_from_yaml(kube_apis.v1, namespace, secret) print(f"Create jwt policy #1") pol_name_1 = create_policy_from_yaml(kube_apis.custom_objects, policy_1, namespace) print(f"Create jwt policy #2") pol_name_2 = create_policy_from_yaml(kube_apis.custom_objects, policy_2, namespace) wait_before_test() with open(token, "r") as file: data = file.readline() headers = {"host": vs_host, "token": data} return secret_name, pol_name_1, pol_name_2, headers
def setup_policy(kube_apis, test_namespace, mtls_secret, tls_secret, policy): print(f"Create ingress-mtls secret") mtls_secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace, mtls_secret) print(f"Create ingress-mtls policy") pol_name = create_policy_from_yaml(kube_apis.custom_objects, policy, test_namespace) print(f"Create tls secret") tls_secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace, tls_secret) return mtls_secret_name, tls_secret_name, pol_name
def test_rl_policy_1rs_vsr( self, kube_apis, crd_ingress_controller, v_s_route_app_setup, v_s_route_setup, test_namespace, src, ): """ Test if rate-limiting policy is working with ~1 rps in vsr:subroute """ req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}" print(f"Create rl policy") pol_name = create_policy_from_yaml(kube_apis.custom_objects, rl_pol_pri_src, v_s_route_setup.route_m.namespace) print(f"Patch vsr with policy: {src}") patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, src, v_s_route_setup.route_m.namespace, ) wait_before_test() policy_info = read_custom_resource(kube_apis.custom_objects, v_s_route_setup.route_m.namespace, "policies", pol_name) occur = [] t_end = time.perf_counter() + 1 resp = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={"host": v_s_route_setup.vs_host}, ) print(resp.status_code) assert resp.status_code == 200 while time.perf_counter() < t_end: resp = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={"host": v_s_route_setup.vs_host}, ) occur.append(resp.status_code) delete_policy(kube_apis.custom_objects, pol_name, v_s_route_setup.route_m.namespace) self.restore_default_vsr(kube_apis, v_s_route_setup) assert (policy_info["status"] and policy_info["status"]["reason"] == "AddedOrUpdated" and policy_info["status"]["state"] == "Valid") assert occur.count(200) <= 1
def setup_single_policy(self, kube_apis, test_namespace, token, secret, policy, vs_host): print(f"Create jwk secret") secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace, secret) print(f"Create jwt policy") pol_name = create_policy_from_yaml(kube_apis.custom_objects, policy, test_namespace) wait_before_test() with open(token, "r") as file: data = file.readline() headers = {"host": vs_host, "token": data} return secret_name, pol_name, headers
def setup_single_policy(self, kube_apis, test_namespace, credentials, secret, policy, vs_host): print(f"Create htpasswd secret") secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace, secret) print(f"Create auth basic policy") pol_name = create_policy_from_yaml(kube_apis.custom_objects, policy, test_namespace) wait_before_test() # generate header without auth if credentials == None : return secret_name, pol_name, {"host": vs_host} with open(credentials, "r") as file: data = file.readline() headers = {"host": vs_host, "authorization": f"Basic {to_base64(data)}"} return secret_name, pol_name, headers
def test_rl_policy_invalid_vsr( self, kube_apis, crd_ingress_controller, v_s_route_app_setup, v_s_route_setup, test_namespace, src, ): """ Test if using an invalid policy in vsr:subroute results in 500 """ req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}" print(f"Create rl policy") invalid_pol_name = create_policy_from_yaml( kube_apis.custom_objects, rl_pol_invalid_src, v_s_route_setup.route_m.namespace) print(f"Patch vsr with policy: {src}") patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, src, v_s_route_setup.route_m.namespace, ) wait_before_test() policy_info = read_custom_resource( kube_apis.custom_objects, v_s_route_setup.route_m.namespace, "policies", invalid_pol_name, ) resp = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={"host": v_s_route_setup.vs_host}, ) print(resp.status_code) delete_policy(kube_apis.custom_objects, invalid_pol_name, v_s_route_setup.route_m.namespace) self.restore_default_vsr(kube_apis, v_s_route_setup) assert (policy_info["status"] and policy_info["status"]["reason"] == "Rejected" and policy_info["status"]["state"] == "Invalid") assert resp.status_code == 500
def test_rl_policy_deleted_vsr( self, kube_apis, crd_ingress_controller, v_s_route_app_setup, v_s_route_setup, test_namespace, src, ): """ Test if deleting a policy results in 500 """ req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}" print(f"Create rl policy") pol_name = create_policy_from_yaml(kube_apis.custom_objects, rl_pol_pri_src, v_s_route_setup.route_m.namespace) print(f"Patch vsr with policy: {src}") patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, src, v_s_route_setup.route_m.namespace, ) wait_before_test() resp = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={"host": v_s_route_setup.vs_host}, ) assert resp.status_code == 200 print(resp.status_code) delete_policy(kube_apis.custom_objects, pol_name, v_s_route_setup.route_m.namespace) resp = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={"host": v_s_route_setup.vs_host}, ) self.restore_default_vsr(kube_apis, v_s_route_setup) assert resp.status_code == 500
def test_invalid_policy_vsr( self, kube_apis, crd_ingress_controller, v_s_route_app_setup, test_namespace, config_setup, v_s_route_setup, ): """ Test if applying invalid-policy results in 500. """ req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}" resp = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={ "host": v_s_route_setup.vs_host, "X-Real-IP": "10.0.0.1" }, ) print(f"Response: {resp.status_code}\n{resp.text}") assert resp.status_code == 200 print(f"Create invalid policy") pol_name = create_policy_from_yaml(kube_apis.custom_objects, invalid_pol_src, v_s_route_setup.route_m.namespace) patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, invalid_vsr_src, v_s_route_setup.route_m.namespace, ) wait_before_test() policy_info = read_custom_resource(kube_apis.custom_objects, v_s_route_setup.route_m.namespace, "policies", pol_name) print(f"\nUse IP listed in deny block: 10.0.0.1") resp = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={ "host": v_s_route_setup.vs_host, "X-Real-IP": "10.0.0.1" }, ) print(f"Response: {resp.status_code}\n{resp.text}") vsr_info = read_custom_resource( kube_apis.custom_objects, v_s_route_setup.route_m.namespace, "virtualserverroutes", v_s_route_setup.route_m.name, ) delete_policy(kube_apis.custom_objects, pol_name, v_s_route_setup.route_m.namespace) self.restore_default_vsr(kube_apis, v_s_route_setup) assert (policy_info["status"] and policy_info["status"]["reason"] == "Rejected" and policy_info["status"]["state"] == "Invalid") assert resp.status_code == 500 and "500 Internal Server Error" in resp.text assert (vsr_info["status"]["state"] == "Warning" and vsr_info["status"]["reason"] == "AddedOrUpdatedWithWarning")
def test_override_policy_vsr( self, kube_apis, crd_ingress_controller, v_s_route_app_setup, test_namespace, config_setup, v_s_route_setup, ): """ Test if ip (10.0.0.1) allow-listing overrides block-listing (policy specified in vsr subroute) """ req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}" resp = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={ "host": v_s_route_setup.vs_host, "X-Real-IP": "10.0.0.1" }, ) print(f"Response: {resp.status_code}\n{resp.text}") assert resp.status_code == 200 print(f"Create deny policy") deny_pol_name = create_policy_from_yaml( kube_apis.custom_objects, deny_pol_src, v_s_route_setup.route_m.namespace) print(f"Create allow policy") allow_pol_name = create_policy_from_yaml( kube_apis.custom_objects, allow_pol_src, v_s_route_setup.route_m.namespace) patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, override_vsr_src, v_s_route_setup.route_m.namespace, ) wait_before_test() print(f"\nUse IP listed in deny block: 10.0.0.1") resp1 = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={ "host": v_s_route_setup.vs_host, "X-Real-IP": "10.0.0.1" }, ) print(f"Response: {resp1.status_code}\n{resp1.text}") print(f"\nUse IP not listed in deny block: 10.0.0.2") resp2 = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={ "host": v_s_route_setup.vs_host, "X-Real-IP": "10.0.0.2" }, ) print(f"Response: {resp2.status_code}\n{resp2.text}") delete_policy(kube_apis.custom_objects, deny_pol_name, v_s_route_setup.route_m.namespace) delete_policy(kube_apis.custom_objects, allow_pol_name, v_s_route_setup.route_m.namespace) self.restore_default_vsr(kube_apis, v_s_route_setup) assert (resp2.status_code == 403 and "403 Forbidden" in resp2.text and resp1.status_code == 200 and "Server address:" in resp1.text)
def test_allow_policy_vsr( self, kube_apis, crd_ingress_controller, v_s_route_app_setup, test_namespace, config_setup, v_s_route_setup, ): """ Test if ip (10.0.0.1) block-listing is working (policy specified in vsr subroute): default(no policy) -> deny """ req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}" resp = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={ "host": v_s_route_setup.vs_host, "X-Real-IP": "10.0.0.1" }, ) print(f"Response: {resp.status_code}\n{resp.text}") assert resp.status_code == 200 print(f"Create allow policy") pol_name = create_policy_from_yaml(kube_apis.custom_objects, allow_pol_src, v_s_route_setup.route_m.namespace) patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, allow_vsr_src, v_s_route_setup.route_m.namespace, ) wait_before_test() policy_info = read_custom_resource(kube_apis.custom_objects, v_s_route_setup.route_m.namespace, "policies", pol_name) print(f"\nUse IP listed in deny block: 10.0.0.1") resp1 = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={ "host": v_s_route_setup.vs_host, "X-Real-IP": "10.0.0.1" }, ) print(f"Response: {resp1.status_code}\n{resp1.text}") print(f"\nUse IP not listed in deny block: 10.0.0.2") resp2 = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={ "host": v_s_route_setup.vs_host, "X-Real-IP": "10.0.0.2" }, ) print(f"Response: {resp2.status_code}\n{resp2.text}") delete_policy(kube_apis.custom_objects, pol_name, v_s_route_setup.route_m.namespace) self.restore_default_vsr(kube_apis, v_s_route_setup) assert (policy_info["status"] and policy_info["status"]["reason"] == "AddedOrUpdated" and policy_info["status"]["state"] == "Valid") assert (resp2.status_code == 403 and "403 Forbidden" in resp2.text and resp1.status_code == 200 and "Server address:" in resp1.text)
def test_deny_policy( self, request, kube_apis, crd_ingress_controller, virtual_server_setup, test_namespace, config_setup, src, ): """ Test if ip (10.0.0.1) block-listing is working: default(no policy) -> deny """ resp = requests.get( virtual_server_setup.backend_1_url, headers={ "host": virtual_server_setup.vs_host, "X-Real-IP": "10.0.0.1" }, ) print(f"Response: {resp.status_code}\n{resp.text}") assert resp.status_code == 200 print(f"Create deny policy") pol_name = create_policy_from_yaml(kube_apis.custom_objects, deny_pol_src, test_namespace) print(f"Patch vs with policy: {src}") patch_virtual_server_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, src, virtual_server_setup.namespace, ) wait_before_test() policy_info = read_custom_resource(kube_apis.custom_objects, test_namespace, "policies", pol_name) print(f"\nUse IP listed in deny block: 10.0.0.1") resp1 = requests.get( virtual_server_setup.backend_1_url, headers={ "host": virtual_server_setup.vs_host, "X-Real-IP": "10.0.0.1" }, ) print(f"Response: {resp1.status_code}\n{resp1.text}") print(f"\nUse IP not listed in deny block: 10.0.0.2") resp2 = requests.get( virtual_server_setup.backend_1_url, headers={ "host": virtual_server_setup.vs_host, "X-Real-IP": "10.0.0.2" }, ) print(f"Response: {resp2.status_code}\n{resp2.text}") reload_ms = get_last_reload_time(virtual_server_setup.metrics_url, "nginx") print(f"last reload duration: {reload_ms} ms") reload_times[ f"{request.node.name}"] = f"last reload duration: {reload_ms} ms" delete_policy(kube_apis.custom_objects, pol_name, test_namespace) self.restore_default_vs(kube_apis, virtual_server_setup) assert (policy_info["status"] and policy_info["status"]["reason"] == "AddedOrUpdated" and policy_info["status"]["state"] == "Valid") assert (resp1.status_code == 403 and "403 Forbidden" in resp1.text and resp2.status_code == 200 and "Server address:" in resp2.text)
def test_override_vs_vsr( self, kube_apis, crd_ingress_controller, v_s_route_app_setup, test_namespace, v_s_route_setup, src, ): """ Test if vsr subroute policy overrides vs spec policy And vsr subroute policy overrides vs route policy """ rate_sec = 5 req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}" # policy for virtualserver print(f"Create rl policy: 1rps") pol_name_vs = create_policy_from_yaml( kube_apis.custom_objects, rl_pol_pri_src, v_s_route_setup.route_m.namespace) # policy for virtualserverroute print(f"Create rl policy: 5rps") pol_name_vsr = create_policy_from_yaml( kube_apis.custom_objects, rl_pol_sec_src, v_s_route_setup.route_m.namespace) # patch vsr with 5rps policy patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, rl_vsr_sec_src, v_s_route_setup.route_m.namespace, ) # patch vs with 1rps policy patch_virtual_server_from_yaml(kube_apis.custom_objects, v_s_route_setup.vs_name, src, v_s_route_setup.namespace) wait_before_test() occur = [] t_end = time.perf_counter() + 1 resp = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={"host": v_s_route_setup.vs_host}, ) print(resp.status_code) assert resp.status_code == 200 while time.perf_counter() < t_end: resp = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={"host": v_s_route_setup.vs_host}, ) occur.append(resp.status_code) delete_policy(kube_apis.custom_objects, pol_name_vs, v_s_route_setup.route_m.namespace) delete_policy(kube_apis.custom_objects, pol_name_vsr, v_s_route_setup.route_m.namespace) self.restore_default_vsr(kube_apis, v_s_route_setup) patch_virtual_server_from_yaml(kube_apis.custom_objects, v_s_route_setup.vs_name, std_vs_src, v_s_route_setup.namespace) assert rate_sec >= occur.count(200) >= (rate_sec - 2)
def test_allow_policy( self, kube_apis, crd_ingress_controller, virtual_server_setup, test_namespace, config_setup, src, ): """ Test if ip (10.0.0.1) allow-listing is working: default(no policy) -> allow """ resp = requests.get( virtual_server_setup.backend_1_url, headers={ "host": virtual_server_setup.vs_host, "X-Real-IP": "10.0.0.1" }, ) print(f"Response: {resp.status_code}\n{resp.text}") assert resp.status_code == 200 print(f"Create allow policy") pol_name = create_policy_from_yaml(kube_apis.custom_objects, allow_pol_src, test_namespace) patch_virtual_server_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, src, virtual_server_setup.namespace, ) wait_before_test() policy_info = read_custom_resource(kube_apis.custom_objects, test_namespace, "policies", pol_name) print(f"\nUse IP listed in allow block: 10.0.0.1") resp1 = requests.get( virtual_server_setup.backend_1_url, headers={ "host": virtual_server_setup.vs_host, "X-Real-IP": "10.0.0.1" }, ) print(f"\nUse IP listed not in allow block: 10.0.0.2") print(f"Response: {resp1.status_code}\n{resp1.text}") resp2 = requests.get( virtual_server_setup.backend_1_url, headers={ "host": virtual_server_setup.vs_host, "X-Real-IP": "10.0.0.2" }, ) print(f"Response: {resp2.status_code}\n{resp2.text}") delete_policy(kube_apis.custom_objects, pol_name, test_namespace) self.restore_default_vs(kube_apis, virtual_server_setup) assert (policy_info["status"] and policy_info["status"]["reason"] == "AddedOrUpdated" and policy_info["status"]["state"] == "Valid") assert (resp1.status_code == 200 and "Server address:" in resp1.text and resp2.status_code == 403 and "403 Forbidden" in resp2.text)
def test_deleted_policy( self, kube_apis, crd_ingress_controller, virtual_server_setup, test_namespace, config_setup, src, ): """ Test if valid policy is deleted then response is 500 """ resp = requests.get( virtual_server_setup.backend_1_url, headers={ "host": virtual_server_setup.vs_host, "X-Real-IP": "10.0.0.1" }, ) print(f"Response: {resp.status_code}\n{resp.text}") assert resp.status_code == 200 print(f"Create deny policy") pol_name = create_policy_from_yaml(kube_apis.custom_objects, deny_pol_src, test_namespace) patch_virtual_server_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, src, virtual_server_setup.namespace, ) wait_before_test() vs_info = read_custom_resource( kube_apis.custom_objects, virtual_server_setup.namespace, "virtualservers", virtual_server_setup.vs_name, ) assert vs_info["status"]["state"] == "Valid" delete_policy(kube_apis.custom_objects, pol_name, test_namespace) wait_before_test() resp = requests.get( virtual_server_setup.backend_1_url, headers={ "host": virtual_server_setup.vs_host, "X-Real-IP": "10.0.0.1" }, ) print(f"Response: {resp.status_code}\n{resp.text}") vs_info = read_custom_resource( kube_apis.custom_objects, virtual_server_setup.namespace, "virtualservers", virtual_server_setup.vs_name, ) self.restore_default_vs(kube_apis, virtual_server_setup) assert resp.status_code == 500 and "500 Internal Server Error" in resp.text assert (vs_info["status"]["state"] == "Warning" and vs_info["status"]["reason"] == "AddedOrUpdatedWithWarning")
def test_ap_waf_policy_block( self, kube_apis, crd_ingress_controller_with_ap, virtual_server_setup, appprotect_setup, test_namespace, vs_src, waf, ): """ Test waf policy when enabled with default and dataguard-alarm AP Policies """ print(f"Create waf policy") if waf == waf_pol_dataguard_src: create_ap_waf_policy_from_yaml( kube_apis.custom_objects, waf, test_namespace, test_namespace, True, False, ap_pol_name, log_name, "syslog:server=127.0.0.1:514", ) elif waf == waf_pol_default_src: pol_name = create_policy_from_yaml(kube_apis.custom_objects, waf, test_namespace) else: pytest.fail(f"Invalid argument") wait_before_test() print(f"Patch vs with policy: {vs_src}") patch_virtual_server_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, vs_src, virtual_server_setup.namespace, ) wait_before_test() ap_crd_info = read_ap_custom_resource( kube_apis.custom_objects, test_namespace, "appolicies", ap_policy_uds ) assert_ap_crd_info(ap_crd_info, ap_policy_uds) wait_before_test(120) print( "----------------------- Send request with embedded malicious script----------------------" ) response1 = requests.get( virtual_server_setup.backend_1_url + "</script>", headers={"host": virtual_server_setup.vs_host}, ) print(response1.text) print( "----------------------- Send request with blocked keyword in UDS----------------------" ) response2 = requests.get( virtual_server_setup.backend_1_url, headers={"host": virtual_server_setup.vs_host}, data="kic", ) print(response2.text) delete_policy(kube_apis.custom_objects, "waf-policy", test_namespace) self.restore_default_vs(kube_apis, virtual_server_setup) assert_invalid_responses(response1) if waf == waf_pol_dataguard_src: assert_invalid_responses(response2) elif waf == waf_pol_default_src: assert_valid_responses(response2) else: pytest.fail(f"Invalid arguments")