def test_ap_waf_policy_block(
self,
kube_apis,
crd_ingress_controller_with_ap,
v_s_route_setup,
appprotect_setup,
test_namespace,
ap_enable,
):
"""
Test if WAF policy is working with VSR deployments
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
print(f"Create waf policy")
create_ap_waf_policy_from_yaml(
kube_apis.custom_objects,
waf_pol_dataguard_src,
v_s_route_setup.route_m.namespace,
test_namespace,
ap_enable,
ap_enable,
ap_pol_name,
log_name,
"syslog:server=127.0.0.1:514",
)
wait_before_test()
print(f"Patch vsr with policy: {waf_subroute_vsr_src}")
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
waf_subroute_vsr_src,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
ap_crd_info = read_ap_custom_resource(kube_apis.custom_objects,
test_namespace, "appolicies",
ap_policy_uds)
assert_ap_crd_info(ap_crd_info, ap_policy_uds)
wait_before_test(120)
response = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}+'</script>'",
headers={"host": v_s_route_setup.vs_host},
)
print(response.text)
delete_policy(kube_apis.custom_objects, "waf-policy",
v_s_route_setup.route_m.namespace)
self.restore_default_vsr(kube_apis, v_s_route_setup)
if ap_enable == True:
assert_invalid_responses(response)
elif ap_enable == False:
assert_valid_responses(response)
else:
pytest.fail(f"Invalid arguments")
def test_ap_waf_policy_allow(
self,
kube_apis,
crd_ingress_controller_with_ap,
virtual_server_setup,
appprotect_setup,
test_namespace,
vs_src,
waf,
):
"""
Test waf policy when disabled
"""
print(f"Create waf policy")
create_ap_waf_policy_from_yaml(
kube_apis.custom_objects,
waf,
test_namespace,
test_namespace,
False,
False,
ap_pol_name,
log_name,
"syslog:server=127.0.0.1:514",
)
wait_before_test()
print(f"Patch vs with policy: {vs_src}")
patch_virtual_server_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
vs_src,
virtual_server_setup.namespace,
)
wait_before_test()
ap_crd_info = read_ap_custom_resource(kube_apis.custom_objects,
test_namespace, "appolicies",
ap_policy_uds)
assert_ap_crd_info(ap_crd_info, ap_policy_uds)
wait_before_test(120)
print(
"----------------------- Send request with embedded malicious script----------------------"
)
response1 = requests.get(
virtual_server_setup.backend_1_url + "</script>",
headers={"host": virtual_server_setup.vs_host},
)
print(response1.text)
print(
"----------------------- Send request with blocked keyword in UDS----------------------"
)
response2 = requests.get(
virtual_server_setup.backend_1_url,
headers={"host": virtual_server_setup.vs_host},
data="kic",
)
print(response2.text)
delete_policy(kube_apis.custom_objects, "waf-policy", test_namespace)
self.restore_default_vs(kube_apis, virtual_server_setup)
assert_valid_responses(response1)
assert_valid_responses(response2)
def test_ap_waf_policy_logs(
self,
kube_apis,
crd_ingress_controller_with_ap,
virtual_server_setup,
appprotect_setup,
test_namespace,
):
"""
Test waf policy logs
"""
src_syslog_yaml = f"{TEST_DATA}/ap-waf/syslog.yaml"
log_loc = f"/var/log/messages"
create_items_from_yaml(kube_apis, src_syslog_yaml, test_namespace)
wait_before_test(40)
syslog_ep = (kube_apis.v1.read_namespaced_endpoints(
"syslog-svc", test_namespace).subsets[0].addresses[0].ip)
syslog_pod = kube_apis.v1.list_namespaced_pod(
test_namespace).items[-1].metadata.name
print(f"Create waf policy")
create_ap_waf_policy_from_yaml(
kube_apis.custom_objects,
waf_pol_dataguard_src,
test_namespace,
test_namespace,
True,
True,
ap_pol_name,
log_name,
f"syslog:server={syslog_ep}:514",
)
wait_before_test()
print(f"Patch vs with policy: {waf_spec_vs_src}")
patch_virtual_server_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
waf_spec_vs_src,
virtual_server_setup.namespace,
)
wait_before_test()
ap_crd_info = read_ap_custom_resource(kube_apis.custom_objects,
test_namespace, "appolicies",
ap_policy_uds)
assert_ap_crd_info(ap_crd_info, ap_policy_uds)
wait_before_test(120)
print(
"----------------------- Send request with embedded malicious script----------------------"
)
response = requests.get(
virtual_server_setup.backend_1_url + "</script>",
headers={"host": virtual_server_setup.vs_host},
)
print(response.text)
wait_before_test(5)
log_contents = get_file_contents(kube_apis.v1, log_loc, syslog_pod,
test_namespace)
delete_policy(kube_apis.custom_objects, "waf-policy", test_namespace)
self.restore_default_vs(kube_apis, virtual_server_setup)
assert_invalid_responses(response)
assert (
f'ASM:attack_type="Non-browser Client,Abuse of Functionality,Cross Site Scripting (XSS)"'
in log_contents)
assert f'severity="Critical"' in log_contents
assert f'request_status="blocked"' in log_contents
assert f'outcome="REJECTED"' in log_contents
def test_ap_waf_policy_vs_batch_start(
self,
request,
kube_apis,
ingress_controller_prerequisites,
crd_ingress_controller_with_ap,
virtual_server_setup,
appprotect_waf_setup,
test_namespace,
):
"""
Pod startup time with AP WAF Policy
"""
waf_spec_vs_src = f"{TEST_DATA}/ap-waf/virtual-server-waf-spec.yaml"
waf_pol_dataguard_src = f"{TEST_DATA}/ap-waf/policies/waf-dataguard.yaml"
print(f"Create waf policy")
create_ap_waf_policy_from_yaml(
kube_apis.custom_objects,
waf_pol_dataguard_src,
test_namespace,
test_namespace,
True,
False,
ap_pol_name,
log_name,
"syslog:server=127.0.0.1:514",
)
wait_before_test()
print(f"Patch vs with policy: {waf_spec_vs_src}")
patch_virtual_server_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
waf_spec_vs_src,
virtual_server_setup.namespace,
)
wait_before_test(120)
print(
"----------------------- Send request with embedded malicious script----------------------"
)
response1 = requests.get(
virtual_server_setup.backend_1_url + "</script>",
headers={"host": virtual_server_setup.vs_host},
)
print(response1.status_code)
print(
"----------------------- Send request with blocked keyword in UDS----------------------"
)
response2 = requests.get(
virtual_server_setup.backend_1_url,
headers={"host": virtual_server_setup.vs_host},
data="kic",
)
total_vs = int(request.config.getoption("--batch-resources"))
print(response2.status_code)
for i in range(1, total_vs + 1):
with open(waf_spec_vs_src) as f:
doc = yaml.safe_load(f)
doc["metadata"]["name"] = f"virtual-server-{i}"
doc["spec"]["host"] = f"virtual-server-{i}.example.com"
kube_apis.custom_objects.create_namespaced_custom_object(
"k8s.nginx.org", "v1", test_namespace, "virtualservers",
doc)
print(
f"VirtualServer created with name '{doc['metadata']['name']}'"
)
print(f"Total resources deployed is {total_vs}")
wait_before_test()
ic_ns = ingress_controller_prerequisites.namespace
scale_deployment(kube_apis.v1, kube_apis.apps_v1_api, "nginx-ingress",
ic_ns, 0)
while get_pods_amount(kube_apis.v1, ic_ns) is not 0:
print(f"Number of replicas not 0, retrying...")
wait_before_test()
num = scale_deployment(kube_apis.v1, kube_apis.apps_v1_api,
"nginx-ingress", ic_ns, 1)
assert (get_total_vs(virtual_server_setup.metrics_url, "nginx")
== str(total_vs + 1) and get_last_reload_status(
virtual_server_setup.metrics_url, "nginx") == "1")
for i in range(1, total_vs + 1):
delete_virtual_server(kube_apis.custom_objects,
f"virtual-server-{i}", test_namespace)
delete_policy(kube_apis.custom_objects, "waf-policy", test_namespace)
assert num is None
