def test_ap_enable_false_policy_correct(
    self, kube_apis, crd_ingress_controller_with_ap, appprotect_setup, test_namespace
):
    """
    Test malicious script request is working normally while AppProtect is disabled in Ingress

    The Ingress is annotated with the policy but the AP enable flag is "False", so
    a request carrying an XSS-style probe in its path must reach the backend and
    come back as a normal response instead of being blocked.
    """
    # Annotation values: AP enable "False", second flag "True" (presumably the
    # security-log switch — confirm against create_ingress_with_ap_annotations),
    # and the syslog destination.
    create_ingress_with_ap_annotations(
        kube_apis, src_ing_yaml, test_namespace, ap_policy, "False", "True", "127.0.0.1:514"
    )
    host = get_first_ingress_host_from_yaml(src_ing_yaml)
    print("--------- Run test while AppProtect module is disabled with correct policy ---------")

    # The policy CR must still exist and parse even though enforcement is off.
    policy_cr = read_ap_custom_resource(
        kube_apis.custom_objects, test_namespace, "appolicies", ap_policy
    )
    assert_ap_crd_info(policy_cr, ap_policy)
    ensure_response_from_backend(appprotect_setup.req_url, host, check404=True)

    print("----------------------- Send request ----------------------")
    probe_url = appprotect_setup.req_url + "/<script>"
    # verify=False: the test ingress presumably serves a self-signed certificate
    # (confirm); this is a harness-only setting, not something for real clients.
    resp = requests.get(probe_url, headers={"host": host}, verify=False)
    print(resp.text)

    # Remove the Ingress before asserting so the namespace is clean for later tests.
    delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace)
    assert_valid_responses(resp)
def test_ap_enable_true_policy_correct_uds(
    self, request, kube_apis, crd_ingress_controller_with_ap, appprotect_setup, test_namespace
):
    """
    Test request with UDS rule string is rejected while AppProtect with User Defined Signatures is enabled in Ingress

    Flow: install the user-defined signature (UDS) CR, replace the dataguard-alarm
    policy with its UDS-referencing variant, enable AP on the Ingress, send a GET
    whose body carries the UDS keyword, record the last reload time, restore the
    default policy, and finally check that the request was rejected.
    """
    create_ap_usersig_from_yaml(kube_apis.custom_objects, uds_crd_resource, test_namespace)

    # Apply dataguard-alarm AP policy with UDS
    uds_policy_yaml = f"{TEST_DATA}/appprotect/{ap_policy_uds}.yaml"
    delete_and_create_ap_policy_from_yaml(
        kube_apis.custom_objects, ap_policy, uds_policy_yaml, test_namespace
    )
    wait_before_test()

    create_ingress_with_ap_annotations(
        kube_apis, src_ing_yaml, test_namespace, ap_policy, "True", "True", "127.0.0.1:514"
    )
    host = get_first_ingress_host_from_yaml(src_ing_yaml)
    print("--------- Run test while AppProtect module is enabled with correct policy and UDS ---------")

    policy_cr = read_ap_custom_resource(
        kube_apis.custom_objects, test_namespace, "appolicies", ap_policy
    )
    # Long settle time before probing — presumably policy compilation/reload; confirm.
    wait_before_test(120)
    ensure_response_from_backend(appprotect_setup.req_url, host, check404=True)

    print("----------------------- Send request ----------------------")
    # GET with a body: presumably the UDS signature matches "kic" in the payload
    # rather than anything in the path — see uds_crd_resource.
    resp = requests.get(
        appprotect_setup.req_url, headers={"host": host}, verify=False, data="kic"
    )
    print(resp.text)

    reload_ms = get_last_reload_time(appprotect_setup.metrics_url, "nginx")
    reload_summary = f"last reload duration: {reload_ms} ms"
    print(reload_summary)
    reload_times[str(request.node.name)] = reload_summary

    # Restore default dataguard-alarm policy
    default_policy_yaml = f"{TEST_DATA}/appprotect/{ap_policy}.yaml"
    delete_and_create_ap_policy_from_yaml(
        kube_apis.custom_objects, ap_policy, default_policy_yaml, test_namespace
    )
    delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace)

    assert_ap_crd_info(policy_cr, ap_policy)
    assert_invalid_responses(resp)
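def test_ap_waf_policy_block(
    self,
    kube_apis,
    crd_ingress_controller_with_ap,
    v_s_route_setup,
    appprotect_setup,
    test_namespace,
    ap_enable,
):
    """
    Test if WAF policy is working with VSR deployments

    Parametrised on ``ap_enable``: with ``True`` a request carrying an XSS-style
    ``</script>`` probe in the path must be blocked; with ``False`` the same
    request must pass through to the backend. Any other value is a test bug.
    """
    endpoint = v_s_route_setup.public_endpoint
    req_url = f"http://{endpoint.public_ip}:{endpoint.port}"

    print("Create waf policy")
    create_ap_waf_policy_from_yaml(
        kube_apis.custom_objects,
        waf_pol_dataguard_src,
        v_s_route_setup.route_m.namespace,
        test_namespace,
        ap_enable,
        ap_enable,
        ap_pol_name,
        log_name,
        "syslog:server=127.0.0.1:514",
    )
    wait_before_test()

    print(f"Patch vsr with policy: {waf_subroute_vsr_src}")
    patch_v_s_route_from_yaml(
        kube_apis.custom_objects,
        v_s_route_setup.route_m.name,
        waf_subroute_vsr_src,
        v_s_route_setup.route_m.namespace,
    )
    wait_before_test()

    ap_crd_info = read_ap_custom_resource(
        kube_apis.custom_objects, test_namespace, "appolicies", ap_policy_uds
    )
    assert_ap_crd_info(ap_crd_info, ap_policy_uds)
    # Long settle time before probing — presumably policy compilation/reload; confirm.
    wait_before_test(120)

    # Fix: the probe used to be built as f"...{path}+'</script>'", which sent the
    # literal characters +'</script>' inside the URL instead of appending the probe.
    probe_url = f"{req_url}{v_s_route_setup.route_m.paths[0]}</script>"
    response = requests.get(probe_url, headers={"host": v_s_route_setup.vs_host})
    print(response.text)

    # Tear down before asserting so a failed assertion does not leave the policy behind.
    delete_policy(kube_apis.custom_objects, "waf-policy", v_s_route_setup.route_m.namespace)
    self.restore_default_vsr(kube_apis, v_s_route_setup)

    if ap_enable is True:
        assert_invalid_responses(response)
    elif ap_enable is False:
        assert_valid_responses(response)
    else:
        pytest.fail("Invalid arguments")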
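def test_ap_waf_policy_logs(
    self,
    kube_apis,
    crd_ingress_controller_with_ap,
    virtual_server_setup,
    appprotect_setup,
    test_namespace,
):
    """
    Test waf policy logs

    Deploys a syslog receiver, points the WAF policy's security log at it, sends a
    request with an XSS-style ``</script>`` probe, and checks both that the request
    is blocked and that the receiver got an ASM event recording the block.
    """
    src_syslog_yaml = f"{TEST_DATA}/ap-waf/syslog.yaml"
    log_loc = "/var/log/messages"
    create_items_from_yaml(kube_apis, src_syslog_yaml, test_namespace)
    syslog_dst = f"syslog-svc.{test_namespace}"
    # Select the syslog pod by its label (the same selector the multi-log test uses
    # for this manifest) instead of taking the last pod in the namespace, which
    # depends on list order and on nothing else being created in the meantime.
    syslog_pods = kube_apis.v1.list_namespaced_pod(
        test_namespace, label_selector="app=syslog"
    ).items
    assert syslog_pods, "syslog pod (app=syslog) not found in test namespace"
    syslog_pod = syslog_pods[0].metadata.name

    print("Create waf policy")
    create_ap_waf_policy_from_yaml(
        kube_apis.custom_objects,
        waf_pol_dataguard_src,
        test_namespace,
        test_namespace,
        True,
        True,
        ap_pol_name,
        log_name,
        f"syslog:server={syslog_dst}:514",
    )
    wait_before_test()

    print(f"Patch vs with policy: {waf_spec_vs_src}")
    patch_virtual_server_from_yaml(
        kube_apis.custom_objects,
        virtual_server_setup.vs_name,
        waf_spec_vs_src,
        virtual_server_setup.namespace,
    )
    wait_before_test()

    ap_crd_info = read_ap_custom_resource(
        kube_apis.custom_objects, test_namespace, "appolicies", ap_policy_uds
    )
    assert_ap_crd_info(ap_crd_info, ap_policy_uds)
    # Long settle time before probing — presumably policy compilation/reload; confirm.
    wait_before_test(120)

    print("----------------------- Send request with embedded malicious script----------------------")
    response = requests.get(
        virtual_server_setup.backend_1_url + "</script>",
        headers={"host": virtual_server_setup.vs_host},
    )
    print(response.text)

    # The security log arrives asynchronously over syslog; poll for the ASM event
    # (up to 31 reads, 1 s apart) instead of a single fixed sleep, which was flaky.
    log_contents = ""
    for attempt in range(31):
        log_contents = get_file_contents(kube_apis.v1, log_loc, syslog_pod, test_namespace)
        if "ASM:attack_type" in log_contents:
            break
        print(f"Security log not updated, retrying... #{attempt + 1}")
        wait_before_test(1)
    print(log_contents)

    # Tear down before asserting so a failed assertion does not leave the policy behind.
    delete_policy(kube_apis.custom_objects, "waf-policy", test_namespace)
    self.restore_default_vs(kube_apis, virtual_server_setup)

    assert_invalid_responses(response)
    assert (
        'ASM:attack_type="Non-browser Client,Abuse of Functionality,Cross Site Scripting (XSS)"'
        in log_contents
    )
    assert 'severity="Critical"' in log_contents
    assert 'request_status="blocked"' in log_contents
    assert 'outcome="REJECTED"' in log_contents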
def test_ap_waf_policy_allow(
    self,
    kube_apis,
    crd_ingress_controller_with_ap,
    virtual_server_setup,
    appprotect_setup,
    test_namespace,
    vs_src,
    waf,
):
    """
    Test waf policy when disabled

    Parametrised on the VirtualServer manifest (``vs_src``) and WAF policy source
    (``waf``). With enforcement and logging both off, neither the XSS-style probe
    in the path nor the UDS keyword in the body may be blocked.
    """
    print("Create waf policy")
    create_ap_waf_policy_from_yaml(
        kube_apis.custom_objects,
        waf,
        test_namespace,
        test_namespace,
        False,
        False,
        ap_pol_name,
        log_name,
        "syslog:server=127.0.0.1:514",
    )
    wait_before_test()

    print(f"Patch vs with policy: {vs_src}")
    patch_virtual_server_from_yaml(
        kube_apis.custom_objects,
        virtual_server_setup.vs_name,
        vs_src,
        virtual_server_setup.namespace,
    )
    wait_before_test()

    policy_cr = read_ap_custom_resource(
        kube_apis.custom_objects, test_namespace, "appolicies", ap_policy_uds
    )
    assert_ap_crd_info(policy_cr, ap_policy_uds)
    # Long settle time before probing — presumably policy compilation/reload; confirm.
    wait_before_test(120)

    host_header = {"host": virtual_server_setup.vs_host}

    print("----------------------- Send request with embedded malicious script----------------------")
    script_probe = requests.get(
        virtual_server_setup.backend_1_url + "</script>", headers=host_header
    )
    print(script_probe.text)

    print("----------------------- Send request with blocked keyword in UDS----------------------")
    uds_probe = requests.get(
        virtual_server_setup.backend_1_url, headers=host_header, data="kic"
    )
    print(uds_probe.text)

    # Tear down before asserting so a failed assertion does not leave the policy behind.
    delete_policy(kube_apis.custom_objects, "waf-policy", test_namespace)
    self.restore_default_vs(kube_apis, virtual_server_setup)

    assert_valid_responses(script_probe)
    assert_valid_responses(uds_probe)
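def test_ap_waf_policy_multi_logs(
    self,
    kube_apis,
    crd_ingress_controller_with_ap,
    virtual_server_setup,
    appprotect_setup,
    test_namespace,
):
    """
    Test waf policy logs

    Two syslog receivers get the same blocked request through two log
    configurations (the default ``log_name`` and the escaping variant from
    ``logconf-esc.yaml``). The test checks the request is blocked, that the
    ASM event reached both receivers, and that the escaped format carries
    the quoted ``my_attack_type`` field.
    """
    src_syslog_yaml = f"{TEST_DATA}/ap-waf/syslog.yaml"
    src_syslog_yaml_additional = f"{TEST_DATA}/ap-waf/syslog-1.yaml"
    log_loc = "/var/log/messages"
    src_log_yaml_escape = f"{TEST_DATA}/ap-waf/logconf-esc.yaml"
    log_esc_name = create_ap_logconf_from_yaml(
        kube_apis.custom_objects, src_log_yaml_escape, test_namespace
    )
    create_items_from_yaml(kube_apis, src_syslog_yaml, test_namespace)
    create_items_from_yaml(kube_apis, src_syslog_yaml_additional, test_namespace)
    syslog_dst1 = f"syslog-svc.{test_namespace}"
    syslog_dst2 = f"syslog-svc-1.{test_namespace}"
    syslog_pods = kube_apis.v1.list_namespaced_pod(
        test_namespace, label_selector="app=syslog"
    ).items
    syslog_esc_pods = kube_apis.v1.list_namespaced_pod(
        test_namespace, label_selector="app=syslog-1"
    ).items
    # Fail with a clear message instead of an IndexError on pods[0] below.
    assert syslog_pods, "syslog pod (app=syslog) not found in test namespace"
    assert syslog_esc_pods, "syslog pod (app=syslog-1) not found in test namespace"

    def poll_log(pod_name, marker):
        """Read log_loc from pod_name until marker appears (up to 31 reads, 1 s apart)."""
        contents = ""
        for attempt in range(31):
            contents = get_file_contents(kube_apis.v1, log_loc, pod_name, test_namespace)
            if marker in contents:
                break
            # Only report a retry when the marker is genuinely missing; the old
            # loop printed "retrying" even on the read that succeeded.
            print(f"Security log not updated, retrying... #{attempt + 1}")
            wait_before_test(1)
        print(contents)
        return contents

    print("Create waf policy")
    create_ap_multilog_waf_policy_from_yaml(
        kube_apis.custom_objects,
        waf_pol_dataguard_src,
        test_namespace,
        test_namespace,
        True,
        True,
        ap_pol_name,
        [log_name, log_esc_name],
        [f"syslog:server={syslog_dst1}:514", f"syslog:server={syslog_dst2}:514"],
    )
    wait_before_test()

    print(f"Patch vs with policy: {waf_spec_vs_src}")
    patch_virtual_server_from_yaml(
        kube_apis.custom_objects,
        virtual_server_setup.vs_name,
        waf_spec_vs_src,
        virtual_server_setup.namespace,
    )
    wait_before_test()

    ap_crd_info = read_ap_custom_resource(
        kube_apis.custom_objects, test_namespace, "appolicies", ap_policy_uds
    )
    assert_ap_crd_info(ap_crd_info, ap_policy_uds)
    # Long settle time before probing — presumably policy compilation/reload; confirm.
    wait_before_test(120)

    print("----------------------- Send request with embedded malicious script----------------------")
    response = requests.get(
        virtual_server_setup.backend_1_url + "</script>",
        headers={"host": virtual_server_setup.vs_host},
    )
    print(response.text)

    # Both receivers are fed asynchronously; poll each one for its own marker.
    log_contents = poll_log(syslog_pods[0].metadata.name, "ASM:attack_type")
    log_esc_contents = poll_log(syslog_esc_pods[0].metadata.name, "attack_type")

    # Tear down before asserting so a failed assertion does not leave the policy behind.
    delete_policy(kube_apis.custom_objects, "waf-policy", test_namespace)
    self.restore_default_vs(kube_apis, virtual_server_setup)

    assert_invalid_responses(response)
    assert (
        'ASM:attack_type="Non-browser Client,Abuse of Functionality,Cross Site Scripting (XSS)"'
        in log_contents
    )
    assert 'severity="Critical"' in log_contents
    assert 'request_status="blocked"' in log_contents
    assert 'outcome="REJECTED"' in log_contents
    assert '"my_attack_type": "[Non-browser Client' in log_esc_contents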