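def test_ap_enable_false_policy_correct(
    self, kube_apis, crd_ingress_controller_with_ap, appprotect_setup, test_namespace
):
    """
    Check that a request carrying a script tag is served normally while AppProtect is disabled in the Ingress.

    The Ingress is created with the AppProtect annotations set to "False", "True" and a
    syslog target of 127.0.0.1:514, the policy CRD is read back and checked, and a GET to
    "<req_url>/<script>" must then pass assert_valid_responses.
    """
    # NOTE(review): "False"/"True" are presumably the enable and security-log flags, in that
    # order; confirm against create_ingress_with_ap_annotations.
    create_ingress_with_ap_annotations(
        kube_apis, src_ing_yaml, test_namespace, ap_policy, "False", "True", "127.0.0.1:514"
    )
    try:
        ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml)
        print("--------- Run test while AppProtect module is disabled with correct policy ---------")
        ap_crd_info = read_ap_crd(kube_apis.custom_objects, test_namespace, "appolicies", ap_policy)
        assert_ap_crd_info(ap_crd_info, ap_policy)
        wait_before_test(40)
        ensure_response_from_backend(appprotect_setup.req_url, ingress_host)

        print("----------------------- Send request ----------------------")
        # verify=False switches off TLS certificate validation; presumably the test ingress
        # serves a self-signed certificate. Do not copy this outside the test suite.
        response = requests.get(
            appprotect_setup.req_url + "/<script>",
            headers={"host": ingress_host},
            verify=False,
        )
        print(response.text)
    finally:
        # Remove the Ingress even when a step above raises, so a WAF-disabled Ingress is not
        # left behind for tests that run later in the same namespace.
        delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace)
    assert_valid_responses(response)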
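def test_ap_enable_true_policy_correct(
    self, kube_apis, crd_ingress_controller_with_ap, appprotect_setup, test_namespace
):
    """
    Check that a request carrying a script tag is rejected while AppProtect is enabled in the Ingress.

    The Ingress is created with the AppProtect annotations set to "True", "True" and a
    syslog target of 127.0.0.1:514. Once the namespace event count has increased, a GET to
    "<req_url>/<script>" is sent and must pass assert_invalid_responses.
    """
    src_ing_yaml = f"{TEST_DATA}/appprotect/appprotect-ingress.yaml"
    create_ingress_with_ap_annotations(
        kube_apis, src_ing_yaml, test_namespace, ap_policy, "True", "True", "127.0.0.1:514"
    )
    try:
        ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml)
        print("--------- Run test while AppProtect module is enabled with correct policy ---------")
        # NOTE(review): this baseline is taken after the Ingress was created; confirm that
        # wait_for_event_increment still sees the event it is meant to wait for.
        events_before_ingress = len(get_events(kube_apis.v1, test_namespace))
        ensure_response_from_backend(appprotect_setup.req_url, ingress_host)
        wait_status = wait_for_event_increment(kube_apis, test_namespace, events_before_ingress)
        ap_crd_info = read_ap_crd(kube_apis.custom_objects, test_namespace, "appolicies", ap_policy)
        # NOTE(review): other tests in this suite pass the policy name as a second argument
        # to assert_ap_crd_info; confirm the one-argument call is intended.
        assert_ap_crd_info(ap_crd_info)
        wait_before_test(10)

        # Previously a falsy wait_status left response as "" and handed that string to
        # assert_invalid_responses; fail here with a message that names the real cause.
        assert wait_status, "No new event was observed for the Ingress; the request was not sent"
        print("----------------------- Send request ----------------------")
        # verify=False switches off TLS certificate validation; presumably the test ingress
        # serves a self-signed certificate. Do not copy this outside the test suite.
        response = requests.get(
            appprotect_setup.req_url + "/<script>",
            headers={"host": ingress_host},
            verify=False,
        )
        print(response.text)
    finally:
        # Remove the Ingress even when a step above raises or the wait check fails.
        delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace)
    assert_invalid_responses(response)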
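def test_ap_waf_policy_block(
    self,
    kube_apis,
    crd_ingress_controller_with_ap,
    v_s_route_setup,
    appprotect_setup,
    test_namespace,
    ap_enable,
):
    """
    Check that a WAF policy attached to a VirtualServerRoute is enforced according to ap_enable.

    A WAF policy is created from waf_pol_dataguard_src with ap_enable passed for both flag
    arguments, the route is patched to reference it, and a GET whose path ends in
    "</script>" is sent. The response must be rejected when ap_enable is True and served
    when it is False; any other value fails the test.
    """
    endpoint = v_s_route_setup.public_endpoint
    req_url = f"http://{endpoint.public_ip}:{endpoint.port}"
    print("Create waf policy")
    create_ap_waf_policy_from_yaml(
        kube_apis.custom_objects,
        waf_pol_dataguard_src,
        v_s_route_setup.route_m.namespace,
        test_namespace,
        ap_enable,
        ap_enable,
        ap_pol_name,
        log_name,
        "syslog:server=127.0.0.1:514",
    )
    try:
        wait_before_test()
        print(f"Patch vsr with policy: {waf_subroute_vsr_src}")
        patch_v_s_route_from_yaml(
            kube_apis.custom_objects,
            v_s_route_setup.route_m.name,
            waf_subroute_vsr_src,
            v_s_route_setup.route_m.namespace,
        )
        wait_before_test()
        ap_crd_info = read_ap_crd(kube_apis.custom_objects, test_namespace, "appolicies", ap_policy_uds)
        assert_ap_crd_info(ap_crd_info, ap_policy_uds)
        wait_before_test(120)

        # The original f-string contained the text +'</script>' literally, so the plus sign
        # and the quotes were sent as part of the path. Append the marker outside the
        # f-string, which is how the VirtualServer tests build the same request.
        target_url = f"{req_url}{v_s_route_setup.route_m.paths[0]}" + "</script>"
        # NOTE(review): no timeout is passed, so an unresponsive endpoint stalls the run.
        response = requests.get(target_url, headers={"host": v_s_route_setup.vs_host})
        print(response.text)
    finally:
        # Detach the policy and restore the route even when a step above raises, so later
        # tests do not run against a leftover WAF configuration.
        delete_policy(kube_apis.custom_objects, "waf-policy", v_s_route_setup.route_m.namespace)
        self.restore_default_vsr(kube_apis, v_s_route_setup)

    if ap_enable == True:
        assert_invalid_responses(response)
    elif ap_enable == False:
        assert_valid_responses(response)
    else:
        pytest.fail("Invalid arguments")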
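def test_ap_enable_true_policy_correct_uds(
    self, kube_apis, crd_ingress_controller_with_ap, appprotect_setup, test_namespace
):
    """
    Check that a request matching a User Defined Signature is rejected while AppProtect is enabled.

    The test creates the user signature resource, replaces the ap_policy object with the
    definition in "<ap_policy_uds>.yaml", creates the Ingress with the AppProtect
    annotations set to "True", "True", and sends a GET whose body is "kic". The response
    must pass assert_invalid_responses. The default policy definition is put back and the
    Ingress is removed before the final assertion.
    """
    # NOTE(review): the user signature created here is not removed in this method, and
    # usersig_name is otherwise unused; confirm that it is cleaned up elsewhere.
    usersig_name = create_ap_usersig_from_yaml(kube_apis.custom_objects, uds_crd_resource, test_namespace)

    # Apply dataguard-alarm AP policy with UDS
    delete_and_create_ap_policy_from_yaml(
        kube_apis.custom_objects,
        ap_policy,
        f"{TEST_DATA}/appprotect/{ap_policy_uds}.yaml",
        test_namespace,
    )
    wait_before_test()
    create_ingress_with_ap_annotations(
        kube_apis, src_ing_yaml, test_namespace, ap_policy, "True", "True", "127.0.0.1:514"
    )
    try:
        ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml)
        print("--------- Run test while AppProtect module is enabled with correct policy and UDS ---------")
        ap_crd_info = read_ap_crd(kube_apis.custom_objects, test_namespace, "appolicies", ap_policy)
        assert_ap_crd_info(ap_crd_info, ap_policy)
        wait_before_test(120)
        ensure_response_from_backend(appprotect_setup.req_url, ingress_host)

        print("----------------------- Send request ----------------------")
        # The body "kic" is the string the test expects the user-defined signature to match.
        # verify=False switches off TLS certificate validation; presumably the test ingress
        # serves a self-signed certificate. Do not copy this outside the test suite.
        response = requests.get(
            appprotect_setup.req_url,
            headers={"host": ingress_host},
            verify=False,
            data="kic",
        )
        print(response.text)
    finally:
        # Run the restore even when a step above raises; otherwise the UDS variant of the
        # policy stays under the ap_policy name and changes what later tests enforce.
        # Restore default dataguard-alarm policy
        delete_and_create_ap_policy_from_yaml(
            kube_apis.custom_objects,
            ap_policy,
            f"{TEST_DATA}/appprotect/{ap_policy}.yaml",
            test_namespace,
        )
        delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace)
    assert_invalid_responses(response)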
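def test_ap_waf_policy_logs(
    self,
    kube_apis,
    crd_ingress_controller_with_ap,
    virtual_server_setup,
    appprotect_setup,
    test_namespace,
):
    """
    Check that a blocked request is both rejected and recorded in the WAF security log.

    A syslog deployment is created from ap-waf/syslog.yaml and the WAF policy is pointed at
    its endpoint on port 514. After the VirtualServer is patched to use the policy, a GET
    whose URL ends in "</script>" is sent. The response must pass assert_invalid_responses,
    and /var/log/messages on the syslog pod must contain the expected attack type,
    severity, request status and outcome fields.
    """
    src_syslog_yaml = f"{TEST_DATA}/ap-waf/syslog.yaml"
    log_loc = "/var/log/messages"
    # NOTE(review): the syslog items created here are not deleted in this method; confirm
    # that they are cleaned up elsewhere.
    create_items_from_yaml(kube_apis, src_syslog_yaml, test_namespace)
    wait_before_test(40)

    syslog_endpoints = kube_apis.v1.read_namespaced_endpoints("syslog-svc", test_namespace)
    syslog_ep = syslog_endpoints.subsets[0].addresses[0].ip
    # NOTE(review): this takes the last pod listed in the namespace and treats it as the
    # syslog pod; confirm the ordering is reliable, or the log check reads the wrong pod.
    syslog_pod = kube_apis.v1.list_namespaced_pod(test_namespace).items[-1].metadata.name

    print("Create waf policy")
    create_ap_waf_policy_from_yaml(
        kube_apis.custom_objects,
        waf_pol_dataguard_src,
        test_namespace,
        test_namespace,
        True,
        True,
        ap_pol_name,
        log_name,
        f"syslog:server={syslog_ep}:514",
    )
    try:
        wait_before_test()
        print(f"Patch vs with policy: {waf_spec_vs_src}")
        patch_virtual_server_from_yaml(
            kube_apis.custom_objects,
            virtual_server_setup.vs_name,
            waf_spec_vs_src,
            virtual_server_setup.namespace,
        )
        wait_before_test()
        ap_crd_info = read_ap_crd(kube_apis.custom_objects, test_namespace, "appolicies", ap_policy_uds)
        assert_ap_crd_info(ap_crd_info, ap_policy_uds)
        wait_before_test(120)

        print("----------------------- Send request with embedded malicious script----------------------")
        response = requests.get(
            virtual_server_setup.backend_1_url + "</script>",
            headers={"host": virtual_server_setup.vs_host},
        )
        print(response.text)
        # Fixed pause before the log file is read; if the entry is written later than
        # this, the log assertions below fail even though the request was blocked.
        wait_before_test(5)
        log_contents = get_file_contents(kube_apis.v1, log_loc, syslog_pod, test_namespace)
    finally:
        # Detach the policy and restore the VirtualServer even when a step above raises.
        delete_policy(kube_apis.custom_objects, "waf-policy", test_namespace)
        self.restore_default_vs(kube_apis, virtual_server_setup)

    assert_invalid_responses(response)
    # The log must show the classification and the enforcement decision, not just that a
    # request was seen.
    assert (
        'ASM:attack_type="Non-browser Client,Abuse of Functionality,Cross Site Scripting (XSS)"'
        in log_contents
    )
    assert 'severity="Critical"' in log_contents
    assert 'request_status="blocked"' in log_contents
    assert 'outcome="REJECTED"' in log_contents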
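def test_ap_waf_policy_allow(
    self,
    kube_apis,
    crd_ingress_controller_with_ap,
    virtual_server_setup,
    appprotect_setup,
    test_namespace,
    vs_src,
    waf,
):
    """
    Check that requests are served when the attached WAF policy is disabled.

    The WAF policy is created from the `waf` manifest with both flag arguments set to
    False, and the VirtualServer is patched from `vs_src`. Two requests are then sent: one
    whose URL ends in "</script>" and one whose body is "kic", the keyword named in the
    test output as blocked by the UDS. Both must pass assert_valid_responses.
    """
    print("Create waf policy")
    # NOTE(review): the two False arguments are presumably the enable and security-log
    # flags; confirm against create_ap_waf_policy_from_yaml.
    create_ap_waf_policy_from_yaml(
        kube_apis.custom_objects,
        waf,
        test_namespace,
        test_namespace,
        False,
        False,
        ap_pol_name,
        log_name,
        "syslog:server=127.0.0.1:514",
    )
    try:
        wait_before_test()
        print(f"Patch vs with policy: {vs_src}")
        patch_virtual_server_from_yaml(
            kube_apis.custom_objects,
            virtual_server_setup.vs_name,
            vs_src,
            virtual_server_setup.namespace,
        )
        wait_before_test()
        ap_crd_info = read_ap_crd(kube_apis.custom_objects, test_namespace, "appolicies", ap_policy_uds)
        assert_ap_crd_info(ap_crd_info, ap_policy_uds)
        wait_before_test(120)

        vs_headers = {"host": virtual_server_setup.vs_host}
        print("----------------------- Send request with embedded malicious script----------------------")
        response1 = requests.get(virtual_server_setup.backend_1_url + "</script>", headers=vs_headers)
        print(response1.text)

        print("----------------------- Send request with blocked keyword in UDS----------------------")
        response2 = requests.get(virtual_server_setup.backend_1_url, headers=vs_headers, data="kic")
        print(response2.text)
    finally:
        # Detach the policy and restore the VirtualServer even when a step above raises, so
        # later tests do not inherit a disabled WAF policy.
        delete_policy(kube_apis.custom_objects, "waf-policy", test_namespace)
        self.restore_default_vs(kube_apis, virtual_server_setup)

    assert_valid_responses(response1)
    assert_valid_responses(response2)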