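def test_ap_waf_policy_block(
    self,
    kube_apis,
    crd_ingress_controller_with_ap,
    v_s_route_setup,
    appprotect_setup,
    test_namespace,
    ap_enable,
):
    """
    Test that a WAF policy referenced from a VirtualServerRoute subroute blocks
    (``ap_enable`` true) or passes (``ap_enable`` false) a request whose path
    carries an XSS-style ``</script>`` token.

    Args:
        kube_apis: Kubernetes API clients (``custom_objects`` is used here).
        crd_ingress_controller_with_ap: fixture deploying the IC with App Protect.
        v_s_route_setup: fixture describing the VS/VSR under test.
        appprotect_setup: fixture creating the App Protect policy/log CRs.
        test_namespace: namespace the policy and CRs live in.
        ap_enable: parametrized bool controlling both ``enable`` and the log
            flag passed to ``create_ap_waf_policy_from_yaml``.

    The policy and the patched VSR are removed in ``finally`` so a failing
    request or CR check cannot leave them behind for the next test.
    """
    endpoint = v_s_route_setup.public_endpoint
    req_url = f"http://{endpoint.public_ip}:{endpoint.port}"
    route_ns = v_s_route_setup.route_m.namespace

    print("Create waf policy")
    create_ap_waf_policy_from_yaml(
        kube_apis.custom_objects,
        waf_pol_dataguard_src,
        route_ns,
        test_namespace,
        ap_enable,
        ap_enable,
        ap_pol_name,
        log_name,
        "syslog:server=127.0.0.1:514",
    )
    wait_before_test()
    try:
        print(f"Patch vsr with policy: {waf_subroute_vsr_src}")
        patch_v_s_route_from_yaml(
            kube_apis.custom_objects,
            v_s_route_setup.route_m.name,
            waf_subroute_vsr_src,
            route_ns,
        )
        wait_before_test()
        ap_crd_info = read_ap_custom_resource(
            kube_apis.custom_objects, test_namespace, "appolicies", ap_policy_uds
        )
        assert_ap_crd_info(ap_crd_info, ap_policy_uds)
        # Long wait: the App Protect policy has to be compiled and loaded
        # before NGINX starts enforcing it.
        wait_before_test(120)
        # The token is appended to the first subroute path. (The previous
        # version embedded the literal characters +'</script>' in the f-string,
        # so the request path did not match the sibling VS tests.)
        response = requests.get(
            f"{req_url}{v_s_route_setup.route_m.paths[0]}</script>",
            headers={"host": v_s_route_setup.vs_host},
        )
        print(response.text)
    finally:
        delete_policy(kube_apis.custom_objects, "waf-policy", route_ns)
        self.restore_default_vsr(kube_apis, v_s_route_setup)

    # Identity checks keep the explicit "anything else is a bad parameter"
    # branch that the parametrization relies on.
    if ap_enable is True:
        assert_invalid_responses(response)
    elif ap_enable is False:
        assert_valid_responses(response)
    else:
        pytest.fail("Invalid arguments")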
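def test_ap_waf_policy_allow(
    self,
    kube_apis,
    crd_ingress_controller_with_ap,
    virtual_server_setup,
    appprotect_setup,
    test_namespace,
    vs_src,
    waf,
):
    """
    Test that a WAF policy created with ``enable``/log both ``False`` lets
    attack-like requests (an embedded ``</script>`` and a UDS keyword in the
    body) reach the backend unblocked.

    Args:
        kube_apis: Kubernetes API clients.
        crd_ingress_controller_with_ap: fixture deploying the IC with App Protect.
        virtual_server_setup: fixture describing the VirtualServer under test.
        appprotect_setup: fixture creating the App Protect policy/log CRs.
        test_namespace: namespace the policy and CRs live in.
        vs_src: parametrized VirtualServer manifest referencing the policy.
        waf: parametrized WAF policy manifest.

    The policy and the patched VS are removed in ``finally`` so a request
    failure cannot leave the disabled policy attached for later tests.
    """
    print("Create waf policy")
    create_ap_waf_policy_from_yaml(
        kube_apis.custom_objects,
        waf,
        test_namespace,
        test_namespace,
        False,
        False,
        ap_pol_name,
        log_name,
        "syslog:server=127.0.0.1:514",
    )
    wait_before_test()
    try:
        print(f"Patch vs with policy: {vs_src}")
        patch_virtual_server_from_yaml(
            kube_apis.custom_objects,
            virtual_server_setup.vs_name,
            vs_src,
            virtual_server_setup.namespace,
        )
        wait_before_test()
        ap_crd_info = read_ap_custom_resource(
            kube_apis.custom_objects, test_namespace, "appolicies", ap_policy_uds
        )
        assert_ap_crd_info(ap_crd_info, ap_policy_uds)
        # Long wait: policy compilation/load before NGINX would enforce it.
        wait_before_test(120)
        print(
            "----------------------- Send request with embedded malicious script----------------------"
        )
        response1 = requests.get(
            virtual_server_setup.backend_1_url + "</script>",
            headers={"host": virtual_server_setup.vs_host},
        )
        print(response1.text)
        print(
            "----------------------- Send request with blocked keyword in UDS----------------------"
        )
        response2 = requests.get(
            virtual_server_setup.backend_1_url,
            headers={"host": virtual_server_setup.vs_host},
            data="kic",
        )
        print(response2.text)
    finally:
        delete_policy(kube_apis.custom_objects, "waf-policy", test_namespace)
        self.restore_default_vs(kube_apis, virtual_server_setup)

    # With the policy disabled neither request may be rejected.
    assert_valid_responses(response1)
    assert_valid_responses(response2)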
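def test_ap_waf_policy_logs(
    self,
    kube_apis,
    crd_ingress_controller_with_ap,
    virtual_server_setup,
    appprotect_setup,
    test_namespace,
):
    """
    Test that a blocked request is reported to the configured syslog target
    with the expected App Protect attack/severity/status fields.

    A syslog deployment is created from ``ap-waf/syslog.yaml``, the WAF policy
    is pointed at its endpoint, a request with an embedded ``</script>`` is
    sent, and ``/var/log/messages`` inside the syslog pod is inspected.

    Args:
        kube_apis: Kubernetes API clients (``v1`` and ``custom_objects``).
        crd_ingress_controller_with_ap: fixture deploying the IC with App Protect.
        virtual_server_setup: fixture describing the VirtualServer under test.
        appprotect_setup: fixture creating the App Protect policy/log CRs.
        test_namespace: namespace for the syslog deployment, policy and CRs.
    """
    src_syslog_yaml = f"{TEST_DATA}/ap-waf/syslog.yaml"
    log_loc = "/var/log/messages"
    create_items_from_yaml(kube_apis, src_syslog_yaml, test_namespace)
    wait_before_test(40)
    syslog_ep = (
        kube_apis.v1.read_namespaced_endpoints("syslog-svc", test_namespace)
        .subsets[0]
        .addresses[0]
        .ip
    )
    # NOTE(review): this assumes the most recently listed pod in the namespace
    # is the syslog pod; selecting by label would be less fragile — confirm
    # what labels syslog.yaml sets before changing it.
    syslog_pod = kube_apis.v1.list_namespaced_pod(test_namespace).items[-1].metadata.name

    print("Create waf policy")
    create_ap_waf_policy_from_yaml(
        kube_apis.custom_objects,
        waf_pol_dataguard_src,
        test_namespace,
        test_namespace,
        True,
        True,
        ap_pol_name,
        log_name,
        f"syslog:server={syslog_ep}:514",
    )
    wait_before_test()
    try:
        print(f"Patch vs with policy: {waf_spec_vs_src}")
        patch_virtual_server_from_yaml(
            kube_apis.custom_objects,
            virtual_server_setup.vs_name,
            waf_spec_vs_src,
            virtual_server_setup.namespace,
        )
        wait_before_test()
        ap_crd_info = read_ap_custom_resource(
            kube_apis.custom_objects, test_namespace, "appolicies", ap_policy_uds
        )
        assert_ap_crd_info(ap_crd_info, ap_policy_uds)
        # Long wait: policy compilation/load before NGINX enforces it.
        wait_before_test(120)
        print(
            "----------------------- Send request with embedded malicious script----------------------"
        )
        response = requests.get(
            virtual_server_setup.backend_1_url + "</script>",
            headers={"host": virtual_server_setup.vs_host},
        )
        print(response.text)
        # Give the log entry time to be forwarded and written before reading.
        wait_before_test(5)
        log_contents = get_file_contents(kube_apis.v1, log_loc, syslog_pod, test_namespace)
    finally:
        delete_policy(kube_apis.custom_objects, "waf-policy", test_namespace)
        self.restore_default_vs(kube_apis, virtual_server_setup)

    assert_invalid_responses(response)
    expected_fragments = (
        'ASM:attack_type="Non-browser Client,Abuse of Functionality,Cross Site Scripting (XSS)"',
        'severity="Critical"',
        'request_status="blocked"',
        'outcome="REJECTED"',
    )
    for fragment in expected_fragments:
        assert fragment in log_contents, f"missing in syslog output: {fragment}"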
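def test_ap_waf_policy_vs_batch_start(
    self,
    request,
    kube_apis,
    ingress_controller_prerequisites,
    crd_ingress_controller_with_ap,
    virtual_server_setup,
    appprotect_waf_setup,
    test_namespace,
):
    """
    Pod startup time with AP WAF Policy.

    Creates ``--batch-resources`` extra VirtualServers from the WAF-spec
    template (unique name and host each), restarts the Ingress Controller
    deployment (scale to 0, wait for the pods to go, scale to 1) and checks
    via the metrics endpoint that every VirtualServer was picked up and the
    last reload succeeded.

    Args:
        request: pytest request, used to read ``--batch-resources``.
        kube_apis: Kubernetes API clients (``v1``, ``apps_v1_api``, ``custom_objects``).
        ingress_controller_prerequisites: provides the IC namespace.
        crd_ingress_controller_with_ap: fixture deploying the IC with App Protect.
        virtual_server_setup: fixture describing the base VirtualServer.
        appprotect_waf_setup: fixture creating the App Protect policy/log CRs.
        test_namespace: namespace the VirtualServers and policy live in.
    """
    waf_spec_vs_src = f"{TEST_DATA}/ap-waf/virtual-server-waf-spec.yaml"
    waf_pol_dataguard_src = f"{TEST_DATA}/ap-waf/policies/waf-dataguard.yaml"

    print("Create waf policy")
    create_ap_waf_policy_from_yaml(
        kube_apis.custom_objects,
        waf_pol_dataguard_src,
        test_namespace,
        test_namespace,
        True,
        False,
        ap_pol_name,
        log_name,
        "syslog:server=127.0.0.1:514",
    )
    wait_before_test()
    print(f"Patch vs with policy: {waf_spec_vs_src}")
    patch_virtual_server_from_yaml(
        kube_apis.custom_objects,
        virtual_server_setup.vs_name,
        waf_spec_vs_src,
        virtual_server_setup.namespace,
    )
    # Long wait: policy compilation/load before NGINX enforces it.
    wait_before_test(120)
    print(
        "----------------------- Send request with embedded malicious script----------------------"
    )
    response1 = requests.get(
        virtual_server_setup.backend_1_url + "</script>",
        headers={"host": virtual_server_setup.vs_host},
    )
    print(response1.status_code)
    print(
        "----------------------- Send request with blocked keyword in UDS----------------------"
    )
    response2 = requests.get(
        virtual_server_setup.backend_1_url,
        headers={"host": virtual_server_setup.vs_host},
        data="kic",
    )
    print(response2.status_code)

    total_vs = int(request.config.getoption("--batch-resources"))
    # Read the template once; parse it per VirtualServer so every create call
    # gets its own dict rather than a shared, mutated one.
    with open(waf_spec_vs_src) as f:
        vs_template = f.read()

    created_names = []
    num = None
    try:
        for i in range(1, total_vs + 1):
            doc = yaml.safe_load(vs_template)
            vs_name = f"virtual-server-{i}"
            doc["metadata"]["name"] = vs_name
            doc["spec"]["host"] = f"virtual-server-{i}.example.com"
            kube_apis.custom_objects.create_namespaced_custom_object(
                "k8s.nginx.org", "v1", test_namespace, "virtualservers", doc
            )
            created_names.append(vs_name)
            print(f"VirtualServer created with name '{vs_name}'")
        print(f"Total resources deployed is {total_vs}")
        wait_before_test()

        ic_ns = ingress_controller_prerequisites.namespace
        scale_deployment(kube_apis.v1, kube_apis.apps_v1_api, "nginx-ingress", ic_ns, 0)
        # Compare by value: the previous `is not 0` tested object identity
        # against an int literal, which is not a reliable equality check.
        while get_pods_amount(kube_apis.v1, ic_ns) != 0:
            print("Number of replicas not 0, retrying...")
            wait_before_test()
        num = scale_deployment(kube_apis.v1, kube_apis.apps_v1_api, "nginx-ingress", ic_ns, 1)

        # +1 for the base VirtualServer from virtual_server_setup.
        assert get_total_vs(virtual_server_setup.metrics_url, "nginx") == str(total_vs + 1)
        assert get_last_reload_status(virtual_server_setup.metrics_url, "nginx") == "1"
    finally:
        # Only remove what this test actually created, even on partial failure.
        for vs_name in created_names:
            delete_virtual_server(kube_apis.custom_objects, vs_name, test_namespace)
        delete_policy(kube_apis.custom_objects, "waf-policy", test_namespace)

    assert num is None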