def jwt_secrets_setup(request, kube_apis, ingress_controller_endpoint, ingress_controller, test_namespace) -> JWTSecretsSetup: with open(f"{TEST_DATA}/jwt-secrets/tokens/jwt-secrets-token.jwt", "r") as token_file: token = token_file.read().replace('\n', '') print( "------------------------- Deploy JWT Secrets Example -----------------------------------" ) create_items_from_yaml( kube_apis, f"{TEST_DATA}/jwt-secrets/{request.param}/jwt-secrets-ingress.yaml", test_namespace) ingress_host = get_first_ingress_host_from_yaml( f"{TEST_DATA}/jwt-secrets/{request.param}/jwt-secrets-ingress.yaml") create_example_app(kube_apis, "simple", test_namespace) wait_until_all_pods_are_ready(kube_apis.v1, test_namespace) ensure_connection_to_public_endpoint(ingress_controller_endpoint.public_ip, ingress_controller_endpoint.port, ingress_controller_endpoint.port_ssl) def fin(): print("Clean up the JWT Secrets Application:") delete_common_app(kube_apis, "simple", test_namespace) delete_items_from_yaml( kube_apis, f"{TEST_DATA}/jwt-secrets/{request.param}/jwt-secrets-ingress.yaml", test_namespace) request.addfinalizer(fin) return JWTSecretsSetup(ingress_controller_endpoint, ingress_host, token)
def wildcard_tls_secret_setup(request, kube_apis, ingress_controller_endpoint, test_namespace) -> WildcardTLSSecretSetup: ing_type = request.param print( "------------------------- Deploy Wildcard-Tls-Secret-Example -----------------------------------" ) create_items_from_yaml( kube_apis, f"{TEST_DATA}/wildcard-tls-secret/{ing_type}/wildcard-secret-ingress.yaml", test_namespace) host = get_first_ingress_host_from_yaml( f"{TEST_DATA}/wildcard-tls-secret/{ing_type}/wildcard-secret-ingress.yaml" ) common_app = create_example_app(kube_apis, "simple", test_namespace) wait_until_all_pods_are_ready(kube_apis.v1, test_namespace) def fin(): print("Clean up Wildcard-Tls-Secret-Example:") delete_items_from_yaml( kube_apis, f"{TEST_DATA}/wildcard-tls-secret/{ing_type}/wildcard-secret-ingress.yaml", test_namespace) delete_common_app(kube_apis.v1, kube_apis.apps_v1_api, common_app, test_namespace) request.addfinalizer(fin) return WildcardTLSSecretSetup(ingress_controller_endpoint, test_namespace, host)
def test_ap_enable_false_policy_incorrect(self, kube_apis, crd_ingress_controller_with_ap, appprotect_setup, test_namespace): """ Test malicious script request is working normally while AppProtect is disabled in with incorrect policy in ingress """ create_ingress_with_ap_annotations( kube_apis, src_ing_yaml, test_namespace, "invalid-policy", "False", "True", "127.0.0.1:514", ) ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml) print( "--------- Run test while AppProtect module is disabled with incorrect policy ---------" ) wait_before_test(40) ensure_response_from_backend(appprotect_setup.req_url, ingress_host) print("----------------------- Send request ----------------------") response = requests.get(appprotect_setup.req_url + "/<script>", headers={"host": ingress_host}, verify=False) print(response.text) delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace) assert_valid_responses(response)
def test_ap_enable_true_policy_correct_uds(self, request, kube_apis, crd_ingress_controller_with_ap, appprotect_setup, test_namespace): """ Test request with UDS rule string is rejected while AppProtect with User Defined Signatures is enabled in Ingress """ usersig_name = create_ap_usersig_from_yaml(kube_apis.custom_objects, uds_crd_resource, test_namespace) # Apply dataguard-alarm AP policy with UDS delete_and_create_ap_policy_from_yaml( kube_apis.custom_objects, ap_policy, f"{TEST_DATA}/appprotect/{ap_policy_uds}.yaml", test_namespace, ) wait_before_test() create_ingress_with_ap_annotations(kube_apis, src_ing_yaml, test_namespace, ap_policy, "True", "True", "127.0.0.1:514") ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml) print( "--------- Run test while AppProtect module is enabled with correct policy and UDS ---------" ) ap_crd_info = read_ap_custom_resource(kube_apis.custom_objects, test_namespace, "appolicies", ap_policy) wait_before_test(120) ensure_response_from_backend(appprotect_setup.req_url, ingress_host, check404=True) print("----------------------- Send request ----------------------") response = requests.get(appprotect_setup.req_url, headers={"host": ingress_host}, verify=False, data="kic") print(response.text) reload_ms = get_last_reload_time(appprotect_setup.metrics_url, "nginx") print(f"last reload duration: {reload_ms} ms") reload_times[ f"{request.node.name}"] = f"last reload duration: {reload_ms} ms" # Restore default dataguard-alarm policy delete_and_create_ap_policy_from_yaml( kube_apis.custom_objects, ap_policy, f"{TEST_DATA}/appprotect/{ap_policy}.yaml", test_namespace, ) delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace) assert_ap_crd_info(ap_crd_info, ap_policy) assert_invalid_responses(response)
def auth_basic_secrets_setup(request, kube_apis, ingress_controller_endpoint, ingress_controller, test_namespace) -> AuthBasicSecretsSetup: with open(f"{TEST_DATA}/auth-basic-secrets/credentials/credentials.txt", "r") as credentials_file: credentials = credentials_file.read().replace('\n', '') print( "------------------------- Deploy Auth Basic Secrets Example -----------------------------------" ) create_items_from_yaml( kube_apis, f"{TEST_DATA}/auth-basic-secrets/{request.param}/auth-basic-secrets-ingress.yaml", test_namespace) ingress_host = get_first_ingress_host_from_yaml( f"{TEST_DATA}/auth-basic-secrets/{request.param}/auth-basic-secrets-ingress.yaml" ) create_example_app(kube_apis, "simple", test_namespace) wait_until_all_pods_are_ready(kube_apis.v1, test_namespace) ensure_connection_to_public_endpoint(ingress_controller_endpoint.public_ip, ingress_controller_endpoint.port, ingress_controller_endpoint.port_ssl) def fin(): print("Clean up the Auth Basic Secrets Application:") delete_common_app(kube_apis, "simple", test_namespace) delete_items_from_yaml( kube_apis, f"{TEST_DATA}/auth-basic-secrets/{request.param}/auth-basic-secrets-ingress.yaml", test_namespace) request.addfinalizer(fin) return AuthBasicSecretsSetup(ingress_controller_endpoint, ingress_host, credentials)
def smoke_setup(request, kube_apis, ingress_controller_endpoint, ingress_controller, test_namespace) -> SmokeSetup: print( "------------------------- Deploy Smoke Example -----------------------------------" ) secret_name = create_secret_from_yaml( kube_apis.v1, test_namespace, f"{TEST_DATA}/smoke/smoke-secret.yaml") create_items_from_yaml( kube_apis, f"{TEST_DATA}/smoke/{request.param}/smoke-ingress.yaml", test_namespace) ingress_host = get_first_ingress_host_from_yaml( f"{TEST_DATA}/smoke/{request.param}/smoke-ingress.yaml") create_example_app(kube_apis, "simple", test_namespace) wait_until_all_pods_are_ready(kube_apis.v1, test_namespace) ensure_connection_to_public_endpoint( ingress_controller_endpoint.public_ip, ingress_controller_endpoint.port, ingress_controller_endpoint.port_ssl, ) def fin(): print("Clean up the Smoke Application:") delete_common_app(kube_apis, "simple", test_namespace) delete_items_from_yaml( kube_apis, f"{TEST_DATA}/smoke/{request.param}/smoke-ingress.yaml", test_namespace) delete_secret(kube_apis.v1, secret_name, test_namespace) write_to_json(f"reload-{get_test_file_name(request.node.fspath)}.json", reload_times) request.addfinalizer(fin) return SmokeSetup(ingress_controller_endpoint, ingress_host)
def hsts_setup(request, kube_apis, ingress_controller_prerequisites, ingress_controller_endpoint, ingress_controller, test_namespace) -> HSTSSetup: print( "------------------------- Deploy HSTS-Example -----------------------------------" ) create_items_from_yaml( kube_apis, f"{TEST_DATA}/hsts/{request.param}/hsts-ingress.yaml", test_namespace) ingress_name = get_name_from_yaml( f"{TEST_DATA}/hsts/{request.param}/hsts-ingress.yaml") ingress_host = get_first_ingress_host_from_yaml( f"{TEST_DATA}/hsts/{request.param}/hsts-ingress.yaml") create_example_app(kube_apis, "simple", test_namespace) wait_until_all_pods_are_ready(kube_apis.v1, test_namespace) ensure_connection_to_public_endpoint(ingress_controller_endpoint.public_ip, ingress_controller_endpoint.port, ingress_controller_endpoint.port_ssl) req_https_url = f"https://{ingress_controller_endpoint.public_ip}:" \ f"{ingress_controller_endpoint.port_ssl}/backend1" ensure_response_from_backend(req_https_url, ingress_host) def fin(): print("Clean up HSTS Example:") delete_common_app(kube_apis, "simple", test_namespace) delete_items_from_yaml( kube_apis, f"{TEST_DATA}/hsts/{request.param}/hsts-ingress.yaml", test_namespace) request.addfinalizer(fin) return HSTSSetup(ingress_controller_endpoint, f"{TEST_DATA}/hsts/{request.param}/hsts-ingress.yaml", ingress_name, ingress_host, test_namespace)
def smoke_setup(request, kube_apis, ingress_controller_endpoint, ingress_controller, test_namespace) -> SmokeSetup: print( "------------------------- Deploy Smoke Example -----------------------------------" ) secret_name = create_secret_from_yaml( kube_apis.v1, test_namespace, f"{TEST_DATA}/smoke/smoke-secret.yaml") create_items_from_yaml( kube_apis, f"{TEST_DATA}/smoke/{request.param}/smoke-ingress.yaml", test_namespace) ingress_host = get_first_ingress_host_from_yaml( f"{TEST_DATA}/smoke/{request.param}/smoke-ingress.yaml") common_app = create_common_app(kube_apis.v1, kube_apis.extensions_v1_beta1, test_namespace) wait_until_all_pods_are_ready(kube_apis.v1, test_namespace) ensure_connection_to_public_endpoint(ingress_controller_endpoint.public_ip, ingress_controller_endpoint.port, ingress_controller_endpoint.port_ssl) def fin(): print("Clean up the Smoke Application:") delete_common_app(kube_apis.v1, kube_apis.extensions_v1_beta1, common_app, test_namespace) delete_items_from_yaml( kube_apis, f"{TEST_DATA}/smoke/{request.param}/smoke-ingress.yaml", test_namespace) delete_secret(kube_apis.v1, secret_name, test_namespace) request.addfinalizer(fin) return SmokeSetup(ingress_controller_endpoint, ingress_host)
def ingress_setup(request, kube_apis, ingress_controller_endpoint, test_namespace) -> IngressSetup: print( "------------------------- Deploy Ingress Example -----------------------------------" ) secret_name = create_secret_from_yaml( kube_apis.v1, test_namespace, f"{TEST_DATA}/smoke/smoke-secret.yaml") create_items_from_yaml(kube_apis, f"{TEST_DATA}/smoke/standard/smoke-ingress.yaml", test_namespace) ingress_host = get_first_ingress_host_from_yaml( f"{TEST_DATA}/smoke/standard/smoke-ingress.yaml") create_example_app(kube_apis, "simple", test_namespace) wait_until_all_pods_are_ready(kube_apis.v1, test_namespace) ensure_connection_to_public_endpoint( ingress_controller_endpoint.public_ip, ingress_controller_endpoint.port, ingress_controller_endpoint.port_ssl, ) req_url = f"https://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.port_ssl}/backend1" def fin(): print("Clean up simple app") delete_common_app(kube_apis, "simple", test_namespace) delete_items_from_yaml( kube_apis, f"{TEST_DATA}/smoke/standard/smoke-ingress.yaml", test_namespace) delete_secret(kube_apis.v1, secret_name, test_namespace) request.addfinalizer(fin) return IngressSetup(req_url, ingress_host)
def annotations_grpc_setup(request, kube_apis, ingress_controller_prerequisites, ingress_controller_endpoint, ingress_controller, test_namespace) -> AnnotationsSetup: print("------------------------- Deploy gRPC Annotations-Example -----------------------------------") create_items_from_yaml(kube_apis, f"{TEST_DATA}/annotations/grpc/annotations-ingress.yaml", test_namespace) ingress_name = get_names_from_yaml(f"{TEST_DATA}/annotations/grpc/annotations-ingress.yaml")[0] ingress_host = get_first_ingress_host_from_yaml(f"{TEST_DATA}/annotations/grpc/annotations-ingress.yaml") replace_configmap_from_yaml(kube_apis.v1, ingress_controller_prerequisites.config_map['metadata']['name'], ingress_controller_prerequisites.namespace, f"{TEST_DATA}/common/configmap-with-grpc.yaml") ic_pod_name = get_first_pod_name(kube_apis.v1, ingress_controller_prerequisites.namespace) event_text = f"Configuration for {test_namespace}/{ingress_name} was added or updated" error_text = f"{event_text}, but not applied: Error reloading NGINX" def fin(): print("Clean up gRPC Annotations Example:") delete_items_from_yaml(kube_apis, f"{TEST_DATA}/annotations/grpc/annotations-ingress.yaml", test_namespace) request.addfinalizer(fin) return AnnotationsSetup(ingress_controller_endpoint, f"{TEST_DATA}/annotations/grpc/annotations-ingress.yaml", ingress_name, ingress_host, ic_pod_name, test_namespace, event_text, error_text)
def test_ap_perf_create_ingress( self, kube_apis, ingress_controller_prerequisites, ingress_controller_endpoint, crd_ingress_controller_with_ap, appprotect_setup, enable_prometheus_port, test_namespace, ): """ Test reload times for creating AP ingress """ src_ing_yaml = f"{TEST_DATA}/appprotect/appprotect-ingress.yaml" create_ingress_with_ap_annotations( kube_apis, src_ing_yaml, test_namespace, ap_policy, "True", "True", "127.0.0.1:514" ) ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml) print("--------- Run test while AppProtect module is enabled with correct policy ---------") ensure_response_from_backend(appprotect_setup.req_url, ingress_host) wait_before_test(40) response = requests.get( appprotect_setup.req_url + "/<script>", headers={"host": ingress_host}, verify=False ) print(response.text) self.collect_prom_reload_metrics( reload_ap, "creating AP ingress", ingress_controller_endpoint.public_ip, ingress_controller_endpoint.metrics_port, ) delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace) assert_invalid_responses(response)
def tls_setup(request, kube_apis, ingress_controller_prerequisites, ingress_controller_endpoint, ingress_controller, test_namespace) -> TLSSetup: print( "------------------------- Deploy TLS setup -----------------------------------" ) test_data_path = f"{TEST_DATA}/tls" ingress_path = f"{test_data_path}/{request.param}/ingress.yaml" create_ingress_from_yaml(kube_apis.networking_v1, test_namespace, ingress_path) wait_before_test(1) ingress_host = get_first_ingress_host_from_yaml(ingress_path) secret_name = get_name_from_yaml(f"{test_data_path}/tls-secret.yaml") ensure_connection_to_public_endpoint(ingress_controller_endpoint.public_ip, ingress_controller_endpoint.port, ingress_controller_endpoint.port_ssl) def fin(): print("Clean up TLS setup") delete_items_from_yaml(kube_apis, ingress_path, test_namespace) if is_secret_present(kube_apis.v1, secret_name, test_namespace): delete_secret(kube_apis.v1, secret_name, test_namespace) request.addfinalizer(fin) return TLSSetup(ingress_host, secret_name, f"{test_data_path}/tls-secret.yaml", f"{test_data_path}/new-tls-secret.yaml", f"{test_data_path}/invalid-tls-secret.yaml")
def test_ap_nginx_config_entries(self, kube_apis, crd_ingress_controller_with_ap, appprotect_setup, test_namespace): """ Test to verify AppProtect annotations in nginx config """ conf_annotations = [ f"app_protect_enable on;", f"app_protect_policy_file /etc/nginx/waf/nac-policies/{test_namespace}_{ap_policy};", f"app_protect_security_log_enable on;", f"app_protect_security_log /etc/nginx/waf/nac-logconfs/{test_namespace}_logconf syslog:server=127.0.0.1:514;", ] create_ingress_with_ap_annotations(kube_apis, src_ing_yaml, test_namespace, ap_policy, "True", "True", "127.0.0.1:514") ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml) ensure_response_from_backend(appprotect_setup.req_url, ingress_host, check404=True) pod_name = get_first_pod_name(kube_apis.v1, "nginx-ingress") result_conf = get_ingress_nginx_template_conf(kube_apis.v1, test_namespace, "appprotect-ingress", pod_name, "nginx-ingress") delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace) for _ in conf_annotations: assert _ in result_conf
def test_ap_enable_false_policy_correct(self, kube_apis, crd_ingress_controller_with_ap, appprotect_setup, test_namespace): """ Test malicious script request is working normally while AppProtect is disabled in Ingress """ src_ing_yaml = f"{TEST_DATA}/appprotect/appprotect-ingress.yaml" create_ingress_with_ap_annotations(kube_apis, src_ing_yaml, test_namespace, ap_policy, "False", "True", "127.0.0.1:514") ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml) print( "--------- Run test while AppProtect module is disabled with correct policy ---------" ) events_before_ingress = len(get_events(kube_apis.v1, test_namespace)) ensure_response_from_backend(appprotect_setup.req_url, ingress_host) wait_status = wait_for_event_increment(kube_apis, test_namespace, events_before_ingress) ap_crd_info = read_ap_crd(kube_apis.custom_objects, test_namespace, "appolicies", ap_policy) assert_ap_crd_info(ap_crd_info) wait_before_test(10) response = "" if wait_status: print( "----------------------- Send request ----------------------") response = requests.get(appprotect_setup.req_url + "/<script>", headers={"host": ingress_host}, verify=False) print(response.text) delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace) assert_valid_responses(response)
def backend_setup(request, kube_apis, ingress_controller_endpoint, test_namespace) -> BackendSetup: """ Deploy simple application and all the Ingress resources under test in one namespace. :param request: pytest fixture :param kube_apis: client apis :param ingress_controller_endpoint: public endpoint :param test_namespace: :return: BackendSetup """ print("------------------------- Deploy the backend -----------------------------------") create_example_app(kube_apis, "simple", test_namespace) req_url = f"http://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.port}/backend1" wait_until_all_pods_are_ready(kube_apis.v1, test_namespace) ensure_connection_to_public_endpoint(ingress_controller_endpoint.public_ip, ingress_controller_endpoint.port, ingress_controller_endpoint.port_ssl) print("------------------------- Deploy ingresses under test -----------------------------------") ingress_hosts = {} for item in ingresses_under_test: src_ing_yaml = f"{TEST_DATA}/ingress-class/{item}-ingress.yaml" create_items_from_yaml(kube_apis, src_ing_yaml, test_namespace) ingress_hosts[item] = get_first_ingress_host_from_yaml(src_ing_yaml) wait_before_test(2) def fin(): print("Clean up:") delete_common_app(kube_apis, "simple", test_namespace) for item in ingresses_under_test: src_ing_yaml = f"{TEST_DATA}/ingress-class/{item}-ingress.yaml" delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace) request.addfinalizer(fin) return BackendSetup(req_url, ingress_hosts)
def jwt_auth_setup(request, kube_apis, ingress_controller_endpoint, ingress_controller, test_namespace) -> JWTAuthMergeableSetup: tokens = {"master": get_token_from_file("master"), "minion": get_token_from_file("minion")} master_secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace, f"{TEST_DATA}/jwt-auth-mergeable/jwt-master-secret.yaml") minion_secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace, f"{TEST_DATA}/jwt-auth-mergeable/jwt-minion-secret.yaml") print("------------------------- Deploy JWT Auth Mergeable Minions Example -----------------------------------") create_items_from_yaml(kube_apis, f"{TEST_DATA}/jwt-auth-mergeable/mergeable/jwt-auth-ingress.yaml", test_namespace) ingress_host = get_first_ingress_host_from_yaml(f"{TEST_DATA}/jwt-auth-mergeable/mergeable/jwt-auth-ingress.yaml") create_example_app(kube_apis, "simple", test_namespace) wait_until_all_pods_are_ready(kube_apis.v1, test_namespace) ensure_connection_to_public_endpoint(ingress_controller_endpoint.public_ip, ingress_controller_endpoint.port, ingress_controller_endpoint.port_ssl) wait_before_test(2) def fin(): print("Delete Master Secret:") if is_secret_present(kube_apis.v1, master_secret_name, test_namespace): delete_secret(kube_apis.v1, master_secret_name, test_namespace) print("Delete Minion Secret:") if is_secret_present(kube_apis.v1, minion_secret_name, test_namespace): delete_secret(kube_apis.v1, minion_secret_name, test_namespace) print("Clean up the JWT Auth Mergeable Minions Application:") delete_common_app(kube_apis, "simple", test_namespace) delete_items_from_yaml(kube_apis, f"{TEST_DATA}/jwt-auth-mergeable/mergeable/jwt-auth-ingress.yaml", test_namespace) request.addfinalizer(fin) return JWTAuthMergeableSetup(ingress_controller_endpoint, ingress_host, master_secret_name, minion_secret_name, tokens)
def test_ap_enable_true_policy_correct(self, kube_apis, crd_ingress_controller_with_ap, appprotect_setup, test_namespace): """ Test malicious script request is rejected while AppProtect is enabled in Ingress """ create_ingress_with_ap_annotations(kube_apis, src_ing_yaml, test_namespace, ap_policy, "True", "True", "127.0.0.1:514") ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml) print( "--------- Run test while AppProtect module is enabled with correct policy ---------" ) ap_crd_info = read_ap_crd(kube_apis.custom_objects, test_namespace, "appolicies", ap_policy) assert_ap_crd_info(ap_crd_info, ap_policy) wait_before_test(40) ensure_response_from_backend(appprotect_setup.req_url, ingress_host) print("----------------------- Send request ----------------------") response = requests.get(appprotect_setup.req_url + "/<script>", headers={"host": ingress_host}, verify=False) print(response.text) delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace) assert_invalid_responses(response)
def ap_ingress_setup( request, kube_apis, ingress_controller_endpoint, test_namespace ) -> IngressSetup: """ Deploy a simple application and AppProtect manifests. :param request: pytest fixture :param kube_apis: client apis :param ingress_controller_endpoint: public endpoint :param test_namespace: :return: BackendSetup """ print("------------------------- Deploy backend application -------------------------") create_example_app(kube_apis, "simple", test_namespace) req_url = f"https://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.port_ssl}/backend1" metrics_url = f"http://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.metrics_port}/metrics" wait_until_all_pods_are_ready(kube_apis.v1, test_namespace) ensure_connection_to_public_endpoint( ingress_controller_endpoint.public_ip, ingress_controller_endpoint.port, ingress_controller_endpoint.port_ssl, ) print("------------------------- Deploy Secret -----------------------------") src_sec_yaml = f"{TEST_DATA}/appprotect/appprotect-secret.yaml" create_items_from_yaml(kube_apis, src_sec_yaml, test_namespace) print("------------------------- Deploy logconf -----------------------------") src_log_yaml = f"{TEST_DATA}/appprotect/logconf.yaml" log_name = create_ap_logconf_from_yaml(kube_apis.custom_objects, src_log_yaml, test_namespace) print(f"------------------------- Deploy appolicy: ---------------------------") src_pol_yaml = f"{TEST_DATA}/appprotect/dataguard-alarm.yaml" pol_name = create_ap_policy_from_yaml(kube_apis.custom_objects, src_pol_yaml, test_namespace) print("------------------------- Deploy ingress -----------------------------") ingress_host = {} src_ing_yaml = f"{TEST_DATA}/appprotect/appprotect-ingress.yaml" create_ingress_with_ap_annotations( kube_apis, src_ing_yaml, test_namespace, "dataguard-alarm", "True", "True", "127.0.0.1:514" ) ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml) wait_before_test() def fin(): print("Clean up:") src_ing_yaml = f"{TEST_DATA}/appprotect/appprotect-ingress.yaml" delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace) delete_ap_policy(kube_apis.custom_objects, pol_name, test_namespace) delete_ap_logconf(kube_apis.custom_objects, log_name, test_namespace) delete_common_app(kube_apis, "simple", test_namespace) src_sec_yaml = f"{TEST_DATA}/appprotect/appprotect-secret.yaml" delete_items_from_yaml(kube_apis, src_sec_yaml, test_namespace) request.addfinalizer(fin) return IngressSetup(req_url, metrics_url, ingress_host)
def test_ap_perf_response( self, kube_apis, ingress_controller_prerequisites, ingress_controller_endpoint, crd_ingress_controller_with_ap, appprotect_setup, enable_prometheus_port, test_namespace, setup_users, setup_time, setup_rate, ): """ Test response times for AP ingress by running locust as a subprocess. """ src_ing_yaml = f"{TEST_DATA}/appprotect/appprotect-ingress.yaml" print(src_ing_yaml) # create ingress with AP annotations create_ingress_with_ap_annotations( kube_apis, src_ing_yaml, test_namespace, ap_policy, "True", "True", "127.0.0.1:514" ) ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml) print("--------- Run test while AppProtect module is enabled with correct policy ---------") ensure_response_from_backend(appprotect_setup.req_url, ingress_host) wait_before_test(30) response = "" response = requests.get( appprotect_setup.req_url + "/<script>", headers={"host": ingress_host}, verify=False ) print(appprotect_setup.req_url + "/<script>") print(ingress_host) print(response.text) # run response time tests using locust.io subprocess.run( [ "locust", "-f", "suite/ap_request_perf.py", "--headless", "--host", appprotect_setup.req_url, "--csv", "ap_response_times", "-u", setup_users, # total no. of users "-r", setup_rate, # no. of users hatched per second "-t", setup_time, # locust session duration in seconds ] ) delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace) assert_invalid_responses(response)
def external_name_setup(request, kube_apis, ingress_controller_prerequisites, ingress_controller_endpoint, ingress_controller, test_namespace) -> ExternalNameSetup: print( "------------------------- Deploy External-Backend -----------------------------------" ) external_ns = create_namespace_with_name_from_yaml( kube_apis.v1, "external-ns", f"{TEST_DATA}/common/ns.yaml") external_svc_name = create_service_with_name(kube_apis.v1, external_ns, "external-backend-svc") create_deployment_with_name(kube_apis.apps_v1_api, external_ns, "external-backend") print( "------------------------- Deploy External-Name-Example -----------------------------------" ) ingress_name = create_ingress_from_yaml( kube_apis.extensions_v1_beta1, test_namespace, f"{TEST_DATA}/externalname-services/externalname-ingress.yaml") ingress_host = get_first_ingress_host_from_yaml( f"{TEST_DATA}/externalname-services/externalname-ingress.yaml") external_host = f"{external_svc_name}.{external_ns}.svc.cluster.local" config_map_name = ingress_controller_prerequisites.config_map["metadata"][ "name"] replace_configmap_from_yaml( kube_apis.v1, config_map_name, ingress_controller_prerequisites.namespace, f"{TEST_DATA}/externalname-services/nginx-config.yaml") svc_name = create_service_from_yaml( kube_apis.v1, test_namespace, f"{TEST_DATA}/externalname-services/externalname-svc.yaml") ensure_connection_to_public_endpoint(ingress_controller_endpoint.public_ip, ingress_controller_endpoint.port, ingress_controller_endpoint.port_ssl) ic_pod_name = get_first_pod_name( kube_apis.v1, ingress_controller_prerequisites.namespace) def fin(): print("Clean up External-Name-Example:") delete_namespace(kube_apis.v1, external_ns) replace_configmap(kube_apis.v1, config_map_name, ingress_controller_prerequisites.namespace, ingress_controller_prerequisites.config_map) delete_ingress(kube_apis.extensions_v1_beta1, ingress_name, test_namespace) delete_service(kube_apis.v1, svc_name, test_namespace) request.addfinalizer(fin) return ExternalNameSetup(ingress_controller_endpoint, ingress_name, ingress_host, ic_pod_name, svc_name, external_host, test_namespace)
def test_ap_perf_multiple_ingress( self, kube_apis, ingress_controller_prerequisites, ingress_controller_endpoint, crd_ingress_controller_with_ap, appprotect_setup, enable_prometheus_port, test_namespace, ): """ Test reload times for creating AP ingress while a simple ingress exists. """ src1_ing_yaml = f"{TEST_DATA}/appprotect/appprotect-ingress.yaml" print(src1_ing_yaml) src2_ing_yaml = os.path.join(os.path.dirname(__file__), "../data/non-ap-ingress.yaml") print(src2_ing_yaml) with open(src2_ing_yaml) as f: doc = yaml.safe_load(f) # create ingress without AP annotation create_ingress(kube_apis.extensions_v1_beta1, test_namespace, doc) wait_before_test(10) # create ingress with AP annotations create_ingress_with_ap_annotations(kube_apis, src1_ing_yaml, test_namespace, ap_policy, "True", "True", "127.0.0.1:514") ingress_host = get_first_ingress_host_from_yaml(src1_ing_yaml) print( "--------- Run test while AppProtect module is enabled with correct policy ---------" ) ensure_response_from_backend(appprotect_setup.req_url, ingress_host) wait_before_test(30) response = requests.get(appprotect_setup.req_url + "/<script>", headers={"host": ingress_host}, verify=False) print(response.text) self.collect_prom_reload_metrics( reload_ap_with_ingress, "creating AP ingress alongside a simple ingress", ingress_controller_endpoint.public_ip, ingress_controller_endpoint.metrics_port, ) delete_items_from_yaml(kube_apis, src1_ing_yaml, test_namespace) delete_items_from_yaml(kube_apis, src2_ing_yaml, test_namespace) assert_invalid_responses(response)
def annotations_setup(request, kube_apis, ingress_controller_prerequisites, ingress_controller_endpoint, ingress_controller, test_namespace) -> AnnotationsSetup: print("------------------------- Deploy Annotations-Example -----------------------------------") create_items_from_yaml(kube_apis, f"{TEST_DATA}/annotations/{request.param}/annotations-ingress.yaml", test_namespace) ingress_name = get_name_from_yaml(f"{TEST_DATA}/annotations/{request.param}/annotations-ingress.yaml") ingress_host = get_first_ingress_host_from_yaml(f"{TEST_DATA}/annotations/{request.param}/annotations-ingress.yaml") if request.param == 'mergeable': minions_info = get_minions_info_from_yaml(f"{TEST_DATA}/annotations/{request.param}/annotations-ingress.yaml") else: minions_info = None create_example_app(kube_apis, "simple", test_namespace) wait_until_all_pods_are_ready(kube_apis.v1, test_namespace) ensure_connection_to_public_endpoint(ingress_controller_endpoint.public_ip, ingress_controller_endpoint.port, ingress_controller_endpoint.port_ssl) ic_pod_name = get_first_pod_name(kube_apis.v1, ingress_controller_prerequisites.namespace) upstream_names = [] if request.param == 'mergeable': event_text = f"Configuration for {test_namespace}/{ingress_name} was added or updated" error_text = f"{test_namespace}/{ingress_name} was rejected: with error" for minion in minions_info: upstream_names.append(f"{test_namespace}-{minion['name']}-{ingress_host}-{minion['svc_name']}-80") else: event_text = f"Configuration for {test_namespace}/{ingress_name} was added or updated" error_text = f"{test_namespace}/{ingress_name} was rejected: with error" upstream_names.append(f"{test_namespace}-{ingress_name}-{ingress_host}-backend1-svc-80") upstream_names.append(f"{test_namespace}-{ingress_name}-{ingress_host}-backend2-svc-80") def fin(): print("Clean up Annotations Example:") replace_configmap_from_yaml(kube_apis.v1, ingress_controller_prerequisites.config_map['metadata']['name'], ingress_controller_prerequisites.namespace, f"{DEPLOYMENTS}/common/nginx-config.yaml") delete_common_app(kube_apis, "simple", test_namespace) delete_items_from_yaml(kube_apis, f"{TEST_DATA}/annotations/{request.param}/annotations-ingress.yaml", test_namespace) request.addfinalizer(fin) return AnnotationsSetup(ingress_controller_endpoint, f"{TEST_DATA}/annotations/{request.param}/annotations-ingress.yaml", ingress_name, ingress_host, ic_pod_name, test_namespace, event_text, error_text, upstream_names)
def annotations_setup(request, kube_apis, ingress_controller_prerequisites, ingress_controller_endpoint, ingress_controller, test_namespace) -> AnnotationsSetup: print( "------------------------- Deploy Annotations-Example -----------------------------------" ) create_items_from_yaml( kube_apis, f"{TEST_DATA}/annotations/{request.param}/annotations-ingress.yaml", test_namespace) ingress_name = get_names_from_yaml( f"{TEST_DATA}/annotations/{request.param}/annotations-ingress.yaml")[0] ingress_host = get_first_ingress_host_from_yaml( f"{TEST_DATA}/annotations/{request.param}/annotations-ingress.yaml") common_app = create_example_app(kube_apis, "simple", test_namespace) wait_until_all_pods_are_ready(kube_apis.v1, test_namespace) ensure_connection_to_public_endpoint(ingress_controller_endpoint.public_ip, ingress_controller_endpoint.port, ingress_controller_endpoint.port_ssl) ic_pod_name = get_first_pod_name( kube_apis.v1, ingress_controller_prerequisites.namespace) if request.param == 'mergeable': event_text = f"Configuration for {test_namespace}/{ingress_name}(Master) was added or updated" error_text = f"{event_text} but was not applied: Error reloading NGINX" else: event_text = f"Configuration for {test_namespace}/{ingress_name} was added or updated" error_text = f"{event_text}, but not applied: Error reloading NGINX" def fin(): print("Clean up Annotations Example:") replace_configmap_from_yaml( kube_apis.v1, ingress_controller_prerequisites.config_map['metadata']['name'], ingress_controller_prerequisites.namespace, f"{DEPLOYMENTS}/common/nginx-config.yaml") delete_common_app(kube_apis.v1, kube_apis.apps_v1_api, common_app, test_namespace) delete_items_from_yaml( kube_apis, f"{TEST_DATA}/annotations/{request.param}/annotations-ingress.yaml", test_namespace) request.addfinalizer(fin) return AnnotationsSetup( ingress_controller_endpoint, f"{TEST_DATA}/annotations/{request.param}/annotations-ingress.yaml", ingress_name, ingress_host, ic_pod_name, test_namespace, event_text, error_text)
def simple_ingress_setup( request, kube_apis, ingress_controller_endpoint, test_namespace, ingress_controller, ) -> IngressSetup: """ Deploy simple application and all the Ingress resources under test in one namespace. :param request: pytest fixture :param kube_apis: client apis :param ingress_controller_endpoint: public endpoint :param test_namespace: :return: BackendSetup """ req_url = f"https://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.port_ssl}/backend1" metrics_url = f"http://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.metrics_port}/metrics" secret_name = create_secret_from_yaml( kube_apis.v1, test_namespace, f"{TEST_DATA}/smoke/smoke-secret.yaml" ) create_example_app(kube_apis, "simple", test_namespace) create_items_from_yaml( kube_apis, f"{TEST_DATA}/smoke/standard/smoke-ingress.yaml", test_namespace ) ingress_host = get_first_ingress_host_from_yaml( f"{TEST_DATA}/smoke/standard/smoke-ingress.yaml" ) wait_until_all_pods_are_ready(kube_apis.v1, test_namespace) ensure_connection_to_public_endpoint( ingress_controller_endpoint.public_ip, ingress_controller_endpoint.port, ingress_controller_endpoint.port_ssl, ) def fin(): print("Clean up the Application:") delete_common_app(kube_apis, "simple", test_namespace) delete_secret(kube_apis.v1, secret_name, test_namespace) delete_items_from_yaml( kube_apis, f"{TEST_DATA}/smoke/standard/smoke-ingress.yaml", test_namespace ) request.addfinalizer(fin) return IngressSetup(req_url, metrics_url, ingress_host)
def test_ap_pod_startup( self, request, kube_apis, ingress_controller_prerequisites, crd_ingress_controller_with_ap, appprotect_setup, test_namespace, ): """ Log pod startup time while scaling up from 0 to 1 """ src_syslog_yaml = f"{TEST_DATA}/appprotect/syslog.yaml" create_items_from_yaml(kube_apis, src_syslog_yaml, test_namespace) syslog_ep = get_service_endpoint(kube_apis, "syslog-svc", test_namespace) # items[-1] because syslog pod is last one to spin-up syslog_pod = kube_apis.v1.list_namespaced_pod( test_namespace).items[-1].metadata.name create_ingress_with_ap_annotations(kube_apis, src_ing_yaml, test_namespace, ap_policy, "True", "True", f"{syslog_ep}:514") ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml) print( "--------- AppProtect module is enabled with correct policy ---------" ) ensure_response_from_backend(appprotect_setup.req_url, ingress_host, check404=True) ns = ingress_controller_prerequisites.namespace scale_deployment(kube_apis.v1, kube_apis.apps_v1_api, "nginx-ingress", ns, 0) while get_pods_amount(kube_apis.v1, ns) is not 0: print(f"Number of replicas not 0, retrying...") wait_before_test() num = scale_deployment(kube_apis.v1, kube_apis.apps_v1_api, "nginx-ingress", ns, 1) delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace) delete_items_from_yaml(kube_apis, src_syslog_yaml, test_namespace) assert num is None
def test_ap_nginx_config_entries(self, kube_apis, ingress_controller_prerequisites, crd_ingress_controller_with_dos, dos_setup, test_namespace): """ Test to verify Dos directive in nginx config """ conf_directive = [ f"app_protect_dos_enable on;", f"app_protect_dos_security_log_enable on;", f"app_protect_dos_monitor uri=dos.example.com protocol=http1 timeout=5;", f"app_protect_dos_name \"{test_namespace}/dos-protected/name\";", f"app_protect_dos_policy_file /etc/nginx/dos/policies/{test_namespace}_{dos_setup.pol_name}.json;", f"app_protect_dos_security_log_enable on;", f"app_protect_dos_security_log /etc/nginx/dos/logconfs/{test_namespace}_{dos_setup.log_name}.json syslog:server=syslog-svc.{ingress_controller_prerequisites.namespace}.svc.cluster.local:514;", ] create_ingress_with_dos_annotations( kube_apis, src_ing_yaml, test_namespace, test_namespace + "/dos-protected", ) ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml) ensure_response_from_backend(dos_setup.req_url, ingress_host, check404=True) pod_name = self.getPodNameThatContains( kube_apis, ingress_controller_prerequisites.namespace, "nginx-ingress") result_conf = get_ingress_nginx_template_conf(kube_apis.v1, test_namespace, "dos-ingress", pod_name, "nginx-ingress") delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace) for _ in conf_directive: assert _ in result_conf
def backend_setup(request, kube_apis, ingress_controller_endpoint) -> BackendSetup: """ Create 2 namespaces and deploy simple applications in them. :param request: pytest fixture :param kube_apis: client apis :param ingress_controller_endpoint: public endpoint :return: BackendSetup """ watched_namespace = create_namespace_with_name_from_yaml( kube_apis.v1, f"watched-ns", f"{TEST_DATA}/common/ns.yaml") foreign_namespace = create_namespace_with_name_from_yaml( kube_apis.v1, f"foreign-ns", f"{TEST_DATA}/common/ns.yaml") ingress_hosts = {} for ns in [watched_namespace, foreign_namespace]: print( f"------------------------- Deploy the backend in {ns} -----------------------------------" ) create_example_app(kube_apis, "simple", ns) src_ing_yaml = f"{TEST_DATA}/watch-namespace/{ns}-ingress.yaml" create_items_from_yaml(kube_apis, src_ing_yaml, ns) ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml) ingress_hosts[f"{ns}-ingress"] = ingress_host req_url = f"http://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.port}/backend1" wait_until_all_pods_are_ready(kube_apis.v1, ns) ensure_connection_to_public_endpoint( ingress_controller_endpoint.public_ip, ingress_controller_endpoint.port, ingress_controller_endpoint.port_ssl) def fin(): print("Clean up:") delete_namespace(kube_apis.v1, watched_namespace) delete_namespace(kube_apis.v1, foreign_namespace) request.addfinalizer(fin) return BackendSetup(req_url, ingress_hosts)
def custom_annotations_setup(request, kube_apis, ingress_controller_prerequisites, ingress_controller_endpoint, test_namespace) -> CustomAnnotationsSetup: ing_type = request.param print( "------------------------- Deploy ConfigMap with custom template -----------------------------------" ) replace_configmap_from_yaml( kube_apis.v1, ingress_controller_prerequisites.config_map['metadata']['name'], ingress_controller_prerequisites.namespace, f"{TEST_DATA}/custom-annotations/{ing_type}/nginx-config.yaml") print( "------------------------- Deploy Custom Annotations Ingress -----------------------------------" ) ing_src = f"{TEST_DATA}/custom-annotations/{ing_type}/annotations-ingress.yaml" create_items_from_yaml(kube_apis, ing_src, test_namespace) host = get_first_ingress_host_from_yaml(ing_src) ingress_name = get_name_from_yaml(ing_src) wait_before_test(1) ic_pod_name = get_first_pod_name( kube_apis.v1, ingress_controller_prerequisites.namespace) def fin(): print("Clean up Custom Annotations Example:") replace_configmap_from_yaml( kube_apis.v1, ingress_controller_prerequisites.config_map['metadata']['name'], ingress_controller_prerequisites.namespace, f"{DEPLOYMENTS}/common/nginx-config.yaml") delete_items_from_yaml(kube_apis, ing_src, test_namespace) request.addfinalizer(fin) return CustomAnnotationsSetup(ingress_controller_endpoint, ingress_name, test_namespace, host, ic_pod_name)
def test_ap_pod_startup( self, request, kube_apis, ingress_controller_prerequisites, crd_ingress_controller_with_ap, appprotect_setup, test_namespace, ): """ Log pod startup time while scaling up from 0 to 1 """ syslog_dst = f"syslog-svc.{test_namespace}" create_ingress_with_ap_annotations(kube_apis, src_ing_yaml, test_namespace, ap_policy, "True", "True", f"{syslog_dst}:514") ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml) print( "--------- AppProtect module is enabled with correct policy ---------" ) ensure_response_from_backend(appprotect_setup.req_url, ingress_host, check404=True) ns = ingress_controller_prerequisites.namespace scale_deployment(kube_apis.v1, kube_apis.apps_v1_api, "nginx-ingress", ns, 0) while get_pods_amount(kube_apis.v1, ns) is not 0: print(f"Number of replicas not 0, retrying...") wait_before_test() num = scale_deployment(kube_apis.v1, kube_apis.apps_v1_api, "nginx-ingress", ns, 1) delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace) assert num is None
def test_ap_sec_logs_on(self, kube_apis, crd_ingress_controller_with_ap, appprotect_setup, test_namespace): """ Test corresponding log entries with correct policy (includes setting up a syslog server as defined in syslog.yaml) """ src_syslog_yaml = f"{TEST_DATA}/appprotect/syslog.yaml" log_loc = f"/var/log/messages" create_items_from_yaml(kube_apis, src_syslog_yaml, test_namespace) wait_before_test(40) syslog_ep = (kube_apis.v1.read_namespaced_endpoints( "syslog-svc", test_namespace).subsets[0].addresses[0].ip) # items[-1] because syslog pod is last one to spin-up syslog_pod = kube_apis.v1.list_namespaced_pod( test_namespace).items[-1].metadata.name create_ingress_with_ap_annotations(kube_apis, src_ing_yaml, test_namespace, ap_policy, "True", "True", f"{syslog_ep}:514") ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml) print( "--------- Run test while AppProtect module is enabled with correct policy ---------" ) wait_before_test(40) ensure_response_from_backend(appprotect_setup.req_url, ingress_host) print( "----------------------- Send invalid request ----------------------" ) response = requests.get(appprotect_setup.req_url + "/<script>", headers={"host": ingress_host}, verify=False) print(response.text) wait_before_test(5) log_contents = get_file_contents(kube_apis.v1, log_loc, syslog_pod, test_namespace) assert_invalid_responses(response) assert ( f'ASM:attack_type="Non-browser Client,Abuse of Functionality,Cross Site Scripting (XSS)"' in log_contents) assert f'severity="Critical"' in log_contents assert f'request_status="blocked"' in log_contents assert f'outcome="REJECTED"' in log_contents print( "----------------------- Send valid request ----------------------" ) headers = { "Host": ingress_host, "User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0", } response = requests.get(appprotect_setup.req_url, headers=headers, verify=False) print(response.text) wait_before_test(5) log_contents = get_file_contents(kube_apis.v1, log_loc, syslog_pod, test_namespace) delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace) delete_items_from_yaml(kube_apis, src_syslog_yaml, test_namespace) assert_valid_responses(response) assert f'ASM:attack_type="N/A"' in log_contents assert f'severity="Informational"' in log_contents assert f'request_status="passed"' in log_contents assert f'outcome="PASSED"' in log_contents