def test_ap_enable_true_policy_correct_uds(self, request, kube_apis, crd_ingress_controller_with_ap, appprotect_setup, test_namespace): """ Test request with UDS rule string is rejected while AppProtect with User Defined Signatures is enabled in Ingress """ usersig_name = create_ap_usersig_from_yaml(kube_apis.custom_objects, uds_crd_resource, test_namespace) # Apply dataguard-alarm AP policy with UDS delete_and_create_ap_policy_from_yaml( kube_apis.custom_objects, ap_policy, f"{TEST_DATA}/appprotect/{ap_policy_uds}.yaml", test_namespace, ) wait_before_test() create_ingress_with_ap_annotations(kube_apis, src_ing_yaml, test_namespace, ap_policy, "True", "True", "127.0.0.1:514") ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml) print( "--------- Run test while AppProtect module is enabled with correct policy and UDS ---------" ) ap_crd_info = read_ap_custom_resource(kube_apis.custom_objects, test_namespace, "appolicies", ap_policy) wait_before_test(120) ensure_response_from_backend(appprotect_setup.req_url, ingress_host, check404=True) print("----------------------- Send request ----------------------") response = requests.get(appprotect_setup.req_url, headers={"host": ingress_host}, verify=False, data="kic") print(response.text) reload_ms = get_last_reload_time(appprotect_setup.metrics_url, "nginx") print(f"last reload duration: {reload_ms} ms") reload_times[ f"{request.node.name}"] = f"last reload duration: {reload_ms} ms" # Restore default dataguard-alarm policy delete_and_create_ap_policy_from_yaml( kube_apis.custom_objects, ap_policy, f"{TEST_DATA}/appprotect/{ap_policy}.yaml", test_namespace, ) delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace) assert_ap_crd_info(ap_crd_info, ap_policy) assert_invalid_responses(response)
def test_response_code_200_and_server_name( self, request, ingress_controller, smoke_setup, path ): req_url = f"https://{smoke_setup.public_endpoint.public_ip}:{smoke_setup.public_endpoint.port_ssl}/{path}" metrics_url = f"http://{smoke_setup.public_endpoint.public_ip}:{smoke_setup.public_endpoint.metrics_port}/metrics" ensure_response_from_backend(req_url, smoke_setup.ingress_host) resp = requests.get(req_url, headers={"host": smoke_setup.ingress_host}, verify=False) reload_ms = get_last_reload_time(metrics_url, "nginx") print(f"last reload duration: {reload_ms} ms") reload_times[f"{request.node.name}"] = f"last reload duration: {reload_ms} ms" assert resp.status_code == 200 assert f"Server name: {path}" in resp.text
def test_responses_dataguard_alarm(self, request, kube_apis, crd_ingress_controller_with_ap, backend_setup, test_namespace): """ Test dataguard-alarm AppProtect policy: Block malicious script in url """ print( "------------- Run test for AP policy: dataguard-alarm --------------" ) print( f"Request URL: {backend_setup.req_url} and Host: {backend_setup.ingress_host}" ) ensure_response_from_backend(backend_setup.req_url, backend_setup.ingress_host, check404=True) print( "----------------------- Send valid request ----------------------" ) resp_valid = requests.get(backend_setup.req_url, headers={"host": backend_setup.ingress_host}, verify=False) print(resp_valid.text) reload_ms = get_last_reload_time(backend_setup.metrics_url, "nginx") print(f"last reload duration: {reload_ms} ms") reload_times[ f"{request.node.name}"] = f"last reload duration: {reload_ms} ms" assert valid_resp_addr in resp_valid.text assert valid_resp_name in resp_valid.text assert resp_valid.status_code == 200 print( "---------------------- Send invalid request ---------------------" ) resp_invalid = requests.get( backend_setup.req_url + "/<script>", headers={"host": backend_setup.ingress_host}, verify=False, ) print(resp_invalid.text) assert invalid_resp_title in resp_invalid.text assert invalid_resp_body in resp_invalid.text assert resp_invalid.status_code == 200
def test_deny_policy( self, request, kube_apis, crd_ingress_controller, virtual_server_setup, test_namespace, config_setup, src, ): """ Test if ip (10.0.0.1) block-listing is working: default(no policy) -> deny """ resp = requests.get( virtual_server_setup.backend_1_url, headers={ "host": virtual_server_setup.vs_host, "X-Real-IP": "10.0.0.1" }, ) print(f"Response: {resp.status_code}\n{resp.text}") assert resp.status_code == 200 print(f"Create deny policy") pol_name = create_policy_from_yaml(kube_apis.custom_objects, deny_pol_src, test_namespace) print(f"Patch vs with policy: {src}") patch_virtual_server_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, src, virtual_server_setup.namespace, ) wait_before_test() policy_info = read_custom_resource(kube_apis.custom_objects, test_namespace, "policies", pol_name) print(f"\nUse IP listed in deny block: 10.0.0.1") resp1 = requests.get( virtual_server_setup.backend_1_url, headers={ "host": virtual_server_setup.vs_host, "X-Real-IP": "10.0.0.1" }, ) print(f"Response: {resp1.status_code}\n{resp1.text}") print(f"\nUse IP not listed in deny block: 10.0.0.2") resp2 = requests.get( virtual_server_setup.backend_1_url, headers={ "host": virtual_server_setup.vs_host, "X-Real-IP": "10.0.0.2" }, ) print(f"Response: {resp2.status_code}\n{resp2.text}") reload_ms = get_last_reload_time(virtual_server_setup.metrics_url, "nginx") print(f"last reload duration: {reload_ms} ms") reload_times[ f"{request.node.name}"] = f"last reload duration: {reload_ms} ms" delete_policy(kube_apis.custom_objects, pol_name, test_namespace) self.restore_default_vs(kube_apis, virtual_server_setup) assert (policy_info["status"] and policy_info["status"]["reason"] == "AddedOrUpdated" and policy_info["status"]["state"] == "Valid") assert (resp1.status_code == 403 and "403 Forbidden" in resp1.text and resp2.status_code == 200 and "Server address:" in resp2.text)
def test_ap_multi_sec_logs( self, request, kube_apis, crd_ingress_controller_with_ap, appprotect_setup, test_namespace ): """ Test corresponding log entries with multiple log destinations (in this case, two syslog servers) """ src_syslog_yaml = f"{TEST_DATA}/appprotect/syslog.yaml" src_syslog2_yaml = f"{TEST_DATA}/appprotect/syslog2.yaml" log_loc = "/var/log/messages" print("Create two syslog servers") create_items_from_yaml(kube_apis, src_syslog_yaml, test_namespace) create_items_from_yaml(kube_apis, src_syslog2_yaml, test_namespace) syslog_dst = f"syslog-svc.{test_namespace}" syslog2_dst = f"syslog2-svc.{test_namespace}" syslog_pod = kube_apis.v1.list_namespaced_pod(test_namespace).items[-2].metadata.name syslog2_pod = kube_apis.v1.list_namespaced_pod(test_namespace).items[-1].metadata.name with open(src_ing_yaml) as f: doc = yaml.safe_load(f) doc["metadata"]["annotations"]["appprotect.f5.com/app-protect-policy"] = ap_policy doc["metadata"]["annotations"]["appprotect.f5.com/app-protect-enable"] = "True" doc["metadata"]["annotations"][ "appprotect.f5.com/app-protect-security-log-enable" ] = "True" # both lists need to be the same length, if one of the referenced configs is invalid/non-existent then no logconfs are applied. doc["metadata"]["annotations"][ "appprotect.f5.com/app-protect-security-log" ] = f"{test_namespace}/logconf,{test_namespace}/logconf" doc["metadata"]["annotations"][ "appprotect.f5.com/app-protect-security-log-destination" ] = f"syslog:server={syslog_dst}:514,syslog:server={syslog2_dst}:514" create_ingress(kube_apis.networking_v1, test_namespace, doc) ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml) ensure_response_from_backend(appprotect_setup.req_url, ingress_host, check404=True) print("----------------------- Send request ----------------------") response = requests.get( appprotect_setup.req_url + "/<script>", headers={"host": ingress_host}, verify=False ) print(response.text) log_contents = "" log2_contents = "" retry = 0 while ( "ASM:attack_type" not in log_contents and "ASM:attack_type" not in log2_contents and retry <= 60 ): log_contents = get_file_contents(kube_apis.v1, log_loc, syslog_pod, test_namespace) log2_contents = get_file_contents(kube_apis.v1, log_loc, syslog2_pod, test_namespace) retry += 1 wait_before_test(1) print(f"Security log not updated, retrying... #{retry}") reload_ms = get_last_reload_time(appprotect_setup.metrics_url, "nginx") print(f"last reload duration: {reload_ms} ms") reload_times[f"{request.node.name}"] = f"last reload duration: {reload_ms} ms" delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace) delete_items_from_yaml(kube_apis, src_syslog_yaml, test_namespace) delete_items_from_yaml(kube_apis, src_syslog2_yaml, test_namespace) assert_invalid_responses(response) # check logs in dest. #1 i.e. syslog server #1 assert ( 'ASM:attack_type="Non-browser Client,Abuse of Functionality,Cross Site Scripting (XSS)"' in log_contents and 'severity="Critical"' in log_contents and 'request_status="blocked"' in log_contents and 'outcome="REJECTED"' in log_contents ) # check logs in dest. #2 i.e. syslog server #2 assert ( 'ASM:attack_type="Non-browser Client,Abuse of Functionality,Cross Site Scripting (XSS)"' in log2_contents and 'severity="Critical"' in log2_contents and 'request_status="blocked"' in log2_contents and 'outcome="REJECTED"' in log2_contents )