def test_jwt_policy_override_spec(
self,
kube_apis,
crd_ingress_controller,
virtual_server_setup,
test_namespace,
):
"""
Test if policy reference in route takes precedence over policy in spec
"""
secret, pol_name_1, pol_name_2, headers = self.setup_multiple_policies(
kube_apis,
test_namespace,
valid_token,
jwk_sec_valid_src,
jwt_pol_valid_src,
jwt_pol_multi_src,
virtual_server_setup.vs_host,
)
print(
f"Patch vs with invalid policy in route and valid policy in spec")
delete_and_create_vs_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
jwt_vs_override_spec_route_1,
virtual_server_setup.namespace,
)
wait_before_test()
resp1 = requests.get(virtual_server_setup.backend_1_url,
headers=headers)
print(resp1.status_code)
print(
f"Patch vs with valid policy in route and invalid policy in spec")
delete_and_create_vs_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
jwt_vs_override_spec_route_2,
virtual_server_setup.namespace,
)
wait_before_test()
resp2 = requests.get(virtual_server_setup.backend_1_url,
headers=headers)
print(resp2.status_code)
delete_policy(kube_apis.custom_objects, pol_name_1, test_namespace)
delete_policy(kube_apis.custom_objects, pol_name_2, test_namespace)
delete_secret(kube_apis.v1, secret, test_namespace)
delete_and_create_vs_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
std_vs_src,
virtual_server_setup.namespace,
)
assert resp1.status_code == 401 # 401 unauthorized, since no token is attached to policy
assert resp2.status_code == 200
def teardown_policy(kube_apis, test_namespace, tls_secret, pol_name,
mtls_secret):
print("Delete policy and related secrets")
delete_secret(kube_apis.v1, tls_secret, test_namespace)
delete_policy(kube_apis.custom_objects, pol_name, test_namespace)
delete_secret(kube_apis.v1, mtls_secret, test_namespace)
def test_policy_matching_ingress_class(
self, kube_apis, crd_ingress_controller, virtual_server_setup, test_namespace, src,
):
"""
Test if policy with matching ingress class is applied to vs
"""
print(f"Create rl policy")
pol_name = create_policy_from_yaml(kube_apis.custom_objects, policy_ingress_class_src, test_namespace)
wait_before_test()
policy_info = read_custom_resource(kube_apis.custom_objects, test_namespace, "policies", pol_name)
assert (
policy_info["status"]
and policy_info["status"]["reason"] == "AddedOrUpdated"
and policy_info["status"]["state"] == "Valid"
)
print(f"Patch vs with policy: {src}")
patch_virtual_server_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
src,
virtual_server_setup.namespace,
)
wait_before_test()
vs_info = read_custom_resource(kube_apis.custom_objects, virtual_server_setup.namespace, "virtualservers", virtual_server_setup.vs_name)
assert (
vs_info["status"]
and vs_info["status"]["reason"] == "AddedOrUpdated"
and vs_info["status"]["state"] == "Valid"
)
delete_policy(kube_apis.custom_objects, pol_name, test_namespace)
self.restore_default_vs(kube_apis, virtual_server_setup)
def test_policy_non_matching_ingress_class(
self, kube_apis, crd_ingress_controller, virtual_server_setup, test_namespace, src,
):
"""
Test if non matching policy gets caught by vc validation
"""
print(f"Create rl policy")
pol_name = create_policy_from_yaml(kube_apis.custom_objects, policy_other_ingress_class_src, test_namespace)
wait_before_test()
policy_info = read_custom_resource(kube_apis.custom_objects, test_namespace, "policies", pol_name)
assert "status" not in policy_info, "the policy is not managed by the IC, therefore the status is not updated"
print(f"Patch vs with policy: {src}")
patch_virtual_server_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
src,
virtual_server_setup.namespace,
)
wait_before_test()
vs_info = read_custom_resource(kube_apis.custom_objects, virtual_server_setup.namespace, "virtualservers", virtual_server_setup.vs_name)
assert (
vs_info["status"]
and "rate-limit-primary is missing or invalid" in vs_info["status"]["message"]
and vs_info["status"]["reason"] == "AddedOrUpdatedWithWarning"
and vs_info["status"]["state"] == "Warning"
)
delete_policy(kube_apis.custom_objects, pol_name, test_namespace)
self.restore_default_vs(kube_apis, virtual_server_setup)
def test_jwt_policy_override(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
v_s_route_setup,
test_namespace,
):
"""
Test if first reference to a policy in the same context(subroute) takes precedence,
i.e. in this case, policy without $httptoken over policy with $httptoken.
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
secret, pol_name_1, pol_name_2, headers = self.setup_multiple_policies(
kube_apis,
v_s_route_setup.route_m.namespace,
valid_token,
jwk_sec_valid_src,
jwt_pol_valid_src,
jwt_pol_multi_src,
v_s_route_setup.vs_host,
)
print(f"Patch vsr with policies: {jwt_pol_valid_src}")
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
jwt_vsr_override_src,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers=headers,
)
print(resp.status_code)
crd_info = read_custom_resource(
kube_apis.custom_objects,
v_s_route_setup.route_m.namespace,
"virtualserverroutes",
v_s_route_setup.route_m.name,
)
delete_policy(kube_apis.custom_objects, pol_name_1,
v_s_route_setup.route_m.namespace)
delete_policy(kube_apis.custom_objects, pol_name_2,
v_s_route_setup.route_m.namespace)
delete_secret(kube_apis.v1, secret, v_s_route_setup.route_m.namespace)
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
std_vsr_src,
v_s_route_setup.route_m.namespace,
)
assert resp.status_code == 401
assert f"Authorization Required" in resp.text
assert (f"Multiple jwt policies in the same context is not valid."
in crd_info["status"]["message"])
def test_jwt_policy_token(
self,
kube_apis,
crd_ingress_controller,
virtual_server_setup,
test_namespace,
token,
):
"""
Test jwt-policy with no token, valid token and invalid token
"""
secret, pol_name, headers = self.setup_single_policy(
kube_apis,
test_namespace,
token,
jwk_sec_valid_src,
jwt_pol_valid_src,
virtual_server_setup.vs_host,
)
print(f"Patch vs with policy: {jwt_vs_single_src}")
delete_and_create_vs_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
jwt_vs_single_src,
virtual_server_setup.namespace,
)
wait_before_test()
resp1 = requests.get(
virtual_server_setup.backend_1_url,
headers={"host": virtual_server_setup.vs_host},
)
print(resp1.status_code)
resp2 = requests.get(virtual_server_setup.backend_1_url,
headers=headers)
print(resp2.status_code)
delete_policy(kube_apis.custom_objects, pol_name, test_namespace)
delete_secret(kube_apis.v1, secret, test_namespace)
delete_and_create_vs_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
std_vs_src,
virtual_server_setup.namespace,
)
assert resp1.status_code == 401
assert f"401 Authorization Required" in resp1.text
if token == valid_token:
assert resp2.status_code == 200
assert f"Request ID:" in resp2.text
else:
assert resp2.status_code == 401
assert f"Authorization Required" in resp2.text
def test_overide_vs_vsr(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
test_namespace,
config_setup,
v_s_route_setup,
src,
):
"""
Test if vsr subroute policy overrides vs spec policy and vsr subroute policy overrides vs route policy
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
print(f"Create deny policy")
deny_pol_name = create_policy_from_yaml(
kube_apis.custom_objects, deny_pol_src,
v_s_route_setup.route_m.namespace)
print(f"Create allow policy")
allow_pol_name = create_policy_from_yaml(
kube_apis.custom_objects, allow_pol_src,
v_s_route_setup.route_m.namespace)
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
allow_vsr_src,
v_s_route_setup.route_m.namespace,
)
# patch vs with blocking policy
patch_virtual_server_from_yaml(kube_apis.custom_objects,
v_s_route_setup.vs_name, src,
v_s_route_setup.namespace)
wait_before_test()
print(f"\nUse IP listed in deny block: 10.0.0.1")
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={
"host": v_s_route_setup.vs_host,
"X-Real-IP": "10.0.0.1"
},
)
print(f"Response: {resp.status_code}\n{resp.text}")
delete_policy(kube_apis.custom_objects, deny_pol_name,
v_s_route_setup.route_m.namespace)
delete_policy(kube_apis.custom_objects, allow_pol_name,
v_s_route_setup.route_m.namespace)
self.restore_default_vsr(kube_apis, v_s_route_setup)
patch_virtual_server_from_yaml(kube_apis.custom_objects,
v_s_route_setup.vs_name, std_vs_src,
v_s_route_setup.namespace)
wait_before_test()
assert resp.status_code == 200 and "Server address:" in resp.text
def test_auth_basic_policy_secret(
self, kube_apis, crd_ingress_controller, virtual_server_setup, test_namespace, htpasswd_secret,
):
"""
Test auth-basic-policy with a valid and an invalid secret
"""
if htpasswd_secret == htpasswd_sec_valid_src:
pol = auth_basic_pol_valid_src
vs = auth_basic_vs_single_src
elif htpasswd_secret == htpasswd_sec_invalid_src:
pol = auth_basic_pol_invalid_sec_src
vs = auth_basic_vs_single_invalid_sec_src
else:
pytest.fail("Invalid configuration")
secret, pol_name, headers = self.setup_single_policy(
kube_apis, test_namespace, valid_credentials, htpasswd_secret, pol, virtual_server_setup.vs_host,
)
print(f"Patch vs with policy: {pol}")
delete_and_create_vs_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
vs,
virtual_server_setup.namespace,
)
wait_before_test()
resp = requests.get(virtual_server_setup.backend_1_url, headers=headers)
print(resp.status_code)
crd_info = read_custom_resource(
kube_apis.custom_objects,
virtual_server_setup.namespace,
"virtualservers",
virtual_server_setup.vs_name,
)
delete_policy(kube_apis.custom_objects, pol_name, test_namespace)
delete_secret(kube_apis.v1, secret, test_namespace)
delete_and_create_vs_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
std_vs_src,
virtual_server_setup.namespace,
)
if htpasswd_secret == htpasswd_sec_valid_src:
assert resp.status_code == 200
assert f"Request ID:" in resp.text
assert crd_info["status"]["state"] == "Valid"
elif htpasswd_secret == htpasswd_sec_invalid_src:
assert resp.status_code == 500
assert f"Internal Server Error" in resp.text
assert crd_info["status"]["state"] == "Warning"
else:
pytest.fail(f"Not a valid case or parameter")
def test_ap_waf_policy_block(
self,
kube_apis,
crd_ingress_controller_with_ap,
v_s_route_setup,
appprotect_setup,
test_namespace,
ap_enable,
):
"""
Test if WAF policy is working with VSR deployments
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
print(f"Create waf policy")
create_ap_waf_policy_from_yaml(
kube_apis.custom_objects,
waf_pol_dataguard_src,
v_s_route_setup.route_m.namespace,
test_namespace,
ap_enable,
ap_enable,
ap_pol_name,
log_name,
"syslog:server=127.0.0.1:514",
)
wait_before_test()
print(f"Patch vsr with policy: {waf_subroute_vsr_src}")
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
waf_subroute_vsr_src,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
ap_crd_info = read_ap_custom_resource(kube_apis.custom_objects,
test_namespace, "appolicies",
ap_policy_uds)
assert_ap_crd_info(ap_crd_info, ap_policy_uds)
wait_before_test(120)
response = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}+'</script>'",
headers={"host": v_s_route_setup.vs_host},
)
print(response.text)
delete_policy(kube_apis.custom_objects, "waf-policy",
v_s_route_setup.route_m.namespace)
self.restore_default_vsr(kube_apis, v_s_route_setup)
if ap_enable == True:
assert_invalid_responses(response)
elif ap_enable == False:
assert_valid_responses(response)
else:
pytest.fail(f"Invalid arguments")
def test_auth_basic_policy_credentials(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
v_s_route_setup,
test_namespace,
credentials,
):
"""
Test auth-basic-policy with no credentials, valid credentials and invalid credentials
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
secret, pol_name, headers = self.setup_single_policy(
kube_apis,
v_s_route_setup.route_m.namespace,
credentials,
htpasswd_sec_valid_src,
auth_basic_pol_valid_src,
v_s_route_setup.vs_host,
)
print(f"Patch vsr with policy: {auth_basic_vsr_valid_src}")
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
auth_basic_vsr_valid_src,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
resp = requests.get(f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers=headers)
print(resp.status_code)
delete_policy(kube_apis.custom_objects, pol_name,
v_s_route_setup.route_m.namespace)
delete_secret(kube_apis.v1, secret, v_s_route_setup.route_m.namespace)
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
std_vsr_src,
v_s_route_setup.route_m.namespace,
)
if credentials == valid_credentials:
assert resp.status_code == 200
assert f"Request ID:" in resp.text
else:
assert resp.status_code == 401
assert f"Authorization Required" in resp.text
def test_rl_policy_override_vsr(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
v_s_route_setup,
test_namespace,
src,
):
"""
Test if rate-limiting policy with lower rps is used when multiple policies are listed in vsr:subroute
And test if the order of policies in vsr:subroute has no effect
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
print(f"Create rl policy: 1rps")
pol_name_pri = create_policy_from_yaml(
kube_apis.custom_objects, rl_pol_pri_src,
v_s_route_setup.route_m.namespace)
print(f"Create rl policy: 5rps")
pol_name_sec = create_policy_from_yaml(
kube_apis.custom_objects, rl_pol_sec_src,
v_s_route_setup.route_m.namespace)
print(f"Patch vsr with policy: {src}")
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
src,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
occur = []
t_end = time.perf_counter() + 1
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={"host": v_s_route_setup.vs_host},
)
print(resp.status_code)
assert resp.status_code == 200
while time.perf_counter() < t_end:
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={"host": v_s_route_setup.vs_host},
)
occur.append(resp.status_code)
delete_policy(kube_apis.custom_objects, pol_name_pri,
v_s_route_setup.route_m.namespace)
delete_policy(kube_apis.custom_objects, pol_name_sec,
v_s_route_setup.route_m.namespace)
self.restore_default_vsr(kube_apis, v_s_route_setup)
assert occur.count(200) <= 1
def test_route_override_spec(
self,
kube_apis,
crd_ingress_controller,
virtual_server_setup,
test_namespace,
config_setup,
):
"""
Test allow policy specified under routes overrides block in spec
"""
resp = requests.get(
virtual_server_setup.backend_1_url,
headers={
"host": virtual_server_setup.vs_host,
"X-Real-IP": "10.0.0.1"
},
)
print(f"Response: {resp.status_code}\n{resp.text}")
assert resp.status_code == 200
print(f"Create deny policy")
deny_pol_name = create_policy_from_yaml(kube_apis.custom_objects,
deny_pol_src, test_namespace)
print(f"Create allow policy")
allow_pol_name = create_policy_from_yaml(kube_apis.custom_objects,
allow_pol_src, test_namespace)
patch_virtual_server_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
override_vs_spec_route_src,
virtual_server_setup.namespace,
)
wait_before_test()
print(f"Use IP listed in both deny and allow policies: 10.0.0.1")
resp = requests.get(
virtual_server_setup.backend_1_url,
headers={
"host": virtual_server_setup.vs_host,
"X-Real-IP": "10.0.0.1"
},
)
print(f"Response: {resp.status_code}\n{resp.text}")
self.restore_default_vs(kube_apis, virtual_server_setup)
delete_policy(kube_apis.custom_objects, deny_pol_name, test_namespace)
delete_policy(kube_apis.custom_objects, allow_pol_name, test_namespace)
assert resp.status_code == 200 and "Server address:" in resp.text
def test_rl_policy_1rs_vsr(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
v_s_route_setup,
test_namespace,
src,
):
"""
Test if rate-limiting policy is working with ~1 rps in vsr:subroute
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
print(f"Create rl policy")
pol_name = create_policy_from_yaml(kube_apis.custom_objects,
rl_pol_pri_src,
v_s_route_setup.route_m.namespace)
print(f"Patch vsr with policy: {src}")
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
src,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
policy_info = read_custom_resource(kube_apis.custom_objects,
v_s_route_setup.route_m.namespace,
"policies", pol_name)
occur = []
t_end = time.perf_counter() + 1
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={"host": v_s_route_setup.vs_host},
)
print(resp.status_code)
assert resp.status_code == 200
while time.perf_counter() < t_end:
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={"host": v_s_route_setup.vs_host},
)
occur.append(resp.status_code)
delete_policy(kube_apis.custom_objects, pol_name,
v_s_route_setup.route_m.namespace)
self.restore_default_vsr(kube_apis, v_s_route_setup)
assert (policy_info["status"]
and policy_info["status"]["reason"] == "AddedOrUpdated"
and policy_info["status"]["state"] == "Valid")
assert occur.count(200) <= 1
def test_jwt_policy_delete_policy(
self,
kube_apis,
crd_ingress_controller,
virtual_server_setup,
test_namespace,
):
"""
Test if requests result in 500 when policy is deleted
"""
secret, pol_name, headers = self.setup_single_policy(
kube_apis,
test_namespace,
valid_token,
jwk_sec_valid_src,
jwt_pol_valid_src,
virtual_server_setup.vs_host,
)
print(f"Patch vs with policy: {jwt_pol_valid_src}")
delete_and_create_vs_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
jwt_vs_single_src,
virtual_server_setup.namespace,
)
wait_before_test()
resp1 = requests.get(virtual_server_setup.backend_1_url,
headers=headers)
print(resp1.status_code)
delete_policy(kube_apis.custom_objects, pol_name, test_namespace)
resp2 = requests.get(virtual_server_setup.backend_1_url,
headers=headers)
print(resp2.status_code)
delete_secret(kube_apis.v1, secret, test_namespace)
delete_and_create_vs_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
std_vs_src,
virtual_server_setup.namespace,
)
assert resp1.status_code == 200
assert resp2.status_code == 500
def test_rl_policy_invalid_vsr(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
v_s_route_setup,
test_namespace,
src,
):
"""
Test if using an invalid policy in vsr:subroute results in 500
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
print(f"Create rl policy")
invalid_pol_name = create_policy_from_yaml(
kube_apis.custom_objects, rl_pol_invalid_src,
v_s_route_setup.route_m.namespace)
print(f"Patch vsr with policy: {src}")
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
src,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
policy_info = read_custom_resource(
kube_apis.custom_objects,
v_s_route_setup.route_m.namespace,
"policies",
invalid_pol_name,
)
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={"host": v_s_route_setup.vs_host},
)
print(resp.status_code)
delete_policy(kube_apis.custom_objects, invalid_pol_name,
v_s_route_setup.route_m.namespace)
self.restore_default_vsr(kube_apis, v_s_route_setup)
assert (policy_info["status"]
and policy_info["status"]["reason"] == "Rejected"
and policy_info["status"]["state"] == "Invalid")
assert resp.status_code == 500
def test_auth_basic_policy_credentials(
self, kube_apis, crd_ingress_controller, virtual_server_setup, test_namespace, credentials,
):
"""
Test auth-basic-policy with no credentials, valid credentials and invalid credentials
"""
secret, pol_name, headers = self.setup_single_policy(
kube_apis,
test_namespace,
credentials,
htpasswd_sec_valid_src,
auth_basic_pol_valid_src,
virtual_server_setup.vs_host,
)
print(f"Patch vs with policy: {auth_basic_vs_single_src}")
delete_and_create_vs_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
auth_basic_vs_single_src,
virtual_server_setup.namespace,
)
wait_before_test()
resp = requests.get(virtual_server_setup.backend_1_url, headers=headers)
print(resp.status_code)
delete_policy(kube_apis.custom_objects, pol_name, test_namespace)
delete_secret(kube_apis.v1, secret, test_namespace)
delete_and_create_vs_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
std_vs_src,
virtual_server_setup.namespace,
)
if credentials in valid_credentials_list:
assert resp.status_code == 200
assert f"Request ID:" in resp.text
else:
assert resp.status_code == 401
assert f"Authorization Required" in resp.text
def cleanup(kube_apis, ingress_controller_prerequisites, src_pol_name,
test_namespace, vs_or_vsr, vs_name, vsr) -> None:
vsr_namespace = test_namespace if vs_or_vsr == "vs" else vsr.namespace
replace_configmap_from_yaml(
kube_apis.v1,
ingress_controller_prerequisites.config_map['metadata']['name'],
ingress_controller_prerequisites.namespace,
f"{DEPLOYMENTS}/common/nginx-config.yaml")
delete_ap_logconf(kube_apis.custom_objects, log_name, test_namespace)
delete_ap_policy(kube_apis.custom_objects, ap_pol_name, test_namespace)
delete_policy(kube_apis.custom_objects, src_pol_name, vsr_namespace)
delete_common_app(kube_apis, "grpc-vs", vsr_namespace)
delete_items_from_yaml(kube_apis, src_syslog_yaml, test_namespace)
if vs_or_vsr == "vs":
delete_virtual_server(kube_apis.custom_objects, vs_name,
test_namespace)
delete_items_from_yaml(kube_apis, src_vs_sec_yaml, test_namespace)
elif vs_or_vsr == "vsr":
print("Delete test namespaces")
delete_namespace(kube_apis.v1, vsr.namespace)
def test_rl_policy_deleted_vsr(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
v_s_route_setup,
test_namespace,
src,
):
"""
Test if deleting a policy results in 500
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
print(f"Create rl policy")
pol_name = create_policy_from_yaml(kube_apis.custom_objects,
rl_pol_pri_src,
v_s_route_setup.route_m.namespace)
print(f"Patch vsr with policy: {src}")
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
src,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={"host": v_s_route_setup.vs_host},
)
assert resp.status_code == 200
print(resp.status_code)
delete_policy(kube_apis.custom_objects, pol_name,
v_s_route_setup.route_m.namespace)
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={"host": v_s_route_setup.vs_host},
)
self.restore_default_vsr(kube_apis, v_s_route_setup)
assert resp.status_code == 500
def test_jwt_policy_token(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
v_s_route_setup,
test_namespace,
token,
):
"""
Test jwt-policy with no token, valid token and invalid token
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
secret, pol_name, headers = self.setup_single_policy(
kube_apis,
v_s_route_setup.route_m.namespace,
token,
jwk_sec_valid_src,
jwt_pol_valid_src,
v_s_route_setup.vs_host,
)
print(f"Patch vsr with policy: {jwt_vsr_valid_src}")
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
jwt_vsr_valid_src,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
resp1 = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={"host": v_s_route_setup.vs_host},
)
print(resp1.status_code)
resp2 = requests.get(f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers=headers)
print(resp2.status_code)
delete_policy(kube_apis.custom_objects, pol_name,
v_s_route_setup.route_m.namespace)
delete_secret(kube_apis.v1, secret, v_s_route_setup.route_m.namespace)
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
std_vsr_src,
v_s_route_setup.route_m.namespace,
)
assert resp1.status_code == 401
assert f"401 Authorization Required" in resp1.text
if token == valid_token:
assert resp2.status_code == 200
assert f"Request ID:" in resp2.text
else:
assert resp2.status_code == 401
assert f"Authorization Required" in resp2.text
def test_jwt_policy_override(
self,
kube_apis,
crd_ingress_controller,
virtual_server_setup,
test_namespace,
):
"""
Test if first reference to a policy in the same context takes precedence
"""
secret, pol_name_1, pol_name_2, headers = self.setup_multiple_policies(
kube_apis,
test_namespace,
valid_token,
jwk_sec_valid_src,
jwt_pol_valid_src,
jwt_pol_multi_src,
virtual_server_setup.vs_host,
)
print(f"Patch vs with multiple policy in spec context")
print(
f"Patch vs with policy in order: {jwt_pol_multi_src} and {jwt_pol_valid_src}"
)
delete_and_create_vs_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
jwt_vs_multi_1_src,
virtual_server_setup.namespace,
)
wait_before_test()
resp1 = requests.get(virtual_server_setup.backend_1_url,
headers=headers)
print(resp1.status_code)
print(
f"Patch vs with policy in order: {jwt_pol_valid_src} and {jwt_pol_multi_src}"
)
delete_and_create_vs_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
jwt_vs_multi_2_src,
virtual_server_setup.namespace,
)
wait_before_test()
resp2 = requests.get(virtual_server_setup.backend_1_url,
headers=headers)
print(resp2.status_code)
print(f"Patch vs with multiple policy in route context")
delete_and_create_vs_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
jwt_vs_override_route,
virtual_server_setup.namespace,
)
wait_before_test()
resp3 = requests.get(virtual_server_setup.backend_1_url,
headers=headers)
print(resp3.status_code)
delete_policy(kube_apis.custom_objects, pol_name_1, test_namespace)
delete_policy(kube_apis.custom_objects, pol_name_2, test_namespace)
delete_secret(kube_apis.v1, secret, test_namespace)
delete_and_create_vs_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
std_vs_src,
virtual_server_setup.namespace,
)
assert (
resp1.status_code == 401
) # 401 unauthorized, since no token is attached to policy in spec context
assert resp2.status_code == 200
assert (
resp3.status_code == 401
) # 401 unauthorized, since no token is attached to policy in route context
def test_jwt_policy(
self,
kube_apis,
crd_ingress_controller,
virtual_server_setup,
test_namespace,
policy,
):
"""
Test jwt-policy with a valid and an invalid policy
"""
secret, pol_name, headers = self.setup_single_policy(
kube_apis,
test_namespace,
valid_token,
jwk_sec_valid_src,
policy,
virtual_server_setup.vs_host,
)
print(f"Patch vs with policy: {policy}")
policy_info = read_custom_resource(kube_apis.custom_objects,
test_namespace, "policies",
pol_name)
if policy == jwt_pol_valid_src:
vs_src = jwt_vs_single_src
assert (policy_info["status"]
and policy_info["status"]["reason"] == "AddedOrUpdated"
and policy_info["status"]["state"] == "Valid")
elif policy == jwt_pol_invalid_src:
vs_src = jwt_vs_single_invalid_pol_src
assert (policy_info["status"]
and policy_info["status"]["reason"] == "Rejected"
and policy_info["status"]["state"] == "Invalid")
else:
pytest.fail("Invalid configuration")
delete_and_create_vs_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
vs_src,
virtual_server_setup.namespace,
)
wait_before_test()
resp = requests.get(virtual_server_setup.backend_1_url,
headers=headers)
print(resp.status_code)
crd_info = read_custom_resource(
kube_apis.custom_objects,
virtual_server_setup.namespace,
"virtualservers",
virtual_server_setup.vs_name,
)
delete_policy(kube_apis.custom_objects, pol_name, test_namespace)
delete_secret(kube_apis.v1, secret, test_namespace)
delete_and_create_vs_from_yaml(
kube_apis.custom_objects,
virtual_server_setup.vs_name,
std_vs_src,
virtual_server_setup.namespace,
)
if policy == jwt_pol_valid_src:
assert resp.status_code == 200
assert f"Request ID:" in resp.text
assert crd_info["status"]["state"] == "Valid"
elif policy == jwt_pol_invalid_src:
assert resp.status_code == 500
assert f"Internal Server Error" in resp.text
assert crd_info["status"]["state"] == "Warning"
else:
pytest.fail(f"Not a valid case or parameter")
def test_invalid_policy_vsr(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
test_namespace,
config_setup,
v_s_route_setup,
):
"""
Test if applying invalid-policy results in 500.
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={
"host": v_s_route_setup.vs_host,
"X-Real-IP": "10.0.0.1"
},
)
print(f"Response: {resp.status_code}\n{resp.text}")
assert resp.status_code == 200
print(f"Create invalid policy")
pol_name = create_policy_from_yaml(kube_apis.custom_objects,
invalid_pol_src,
v_s_route_setup.route_m.namespace)
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
invalid_vsr_src,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
policy_info = read_custom_resource(kube_apis.custom_objects,
v_s_route_setup.route_m.namespace,
"policies", pol_name)
print(f"\nUse IP listed in deny block: 10.0.0.1")
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={
"host": v_s_route_setup.vs_host,
"X-Real-IP": "10.0.0.1"
},
)
print(f"Response: {resp.status_code}\n{resp.text}")
vsr_info = read_custom_resource(
kube_apis.custom_objects,
v_s_route_setup.route_m.namespace,
"virtualserverroutes",
v_s_route_setup.route_m.name,
)
delete_policy(kube_apis.custom_objects, pol_name,
v_s_route_setup.route_m.namespace)
self.restore_default_vsr(kube_apis, v_s_route_setup)
assert (policy_info["status"]
and policy_info["status"]["reason"] == "Rejected"
and policy_info["status"]["state"] == "Invalid")
assert resp.status_code == 500 and "500 Internal Server Error" in resp.text
assert (vsr_info["status"]["state"] == "Warning" and
vsr_info["status"]["reason"] == "AddedOrUpdatedWithWarning")
def test_override_policy_vsr(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
test_namespace,
config_setup,
v_s_route_setup,
):
"""
Test if ip (10.0.0.1) allow-listing overrides block-listing (policy specified in vsr subroute)
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={
"host": v_s_route_setup.vs_host,
"X-Real-IP": "10.0.0.1"
},
)
print(f"Response: {resp.status_code}\n{resp.text}")
assert resp.status_code == 200
print(f"Create deny policy")
deny_pol_name = create_policy_from_yaml(
kube_apis.custom_objects, deny_pol_src,
v_s_route_setup.route_m.namespace)
print(f"Create allow policy")
allow_pol_name = create_policy_from_yaml(
kube_apis.custom_objects, allow_pol_src,
v_s_route_setup.route_m.namespace)
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
override_vsr_src,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
print(f"\nUse IP listed in deny block: 10.0.0.1")
resp1 = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={
"host": v_s_route_setup.vs_host,
"X-Real-IP": "10.0.0.1"
},
)
print(f"Response: {resp1.status_code}\n{resp1.text}")
print(f"\nUse IP not listed in deny block: 10.0.0.2")
resp2 = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={
"host": v_s_route_setup.vs_host,
"X-Real-IP": "10.0.0.2"
},
)
print(f"Response: {resp2.status_code}\n{resp2.text}")
delete_policy(kube_apis.custom_objects, deny_pol_name,
v_s_route_setup.route_m.namespace)
delete_policy(kube_apis.custom_objects, allow_pol_name,
v_s_route_setup.route_m.namespace)
self.restore_default_vsr(kube_apis, v_s_route_setup)
assert (resp2.status_code == 403 and "403 Forbidden" in resp2.text
and resp1.status_code == 200
and "Server address:" in resp1.text)
def test_allow_policy_vsr(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
test_namespace,
config_setup,
v_s_route_setup,
):
"""
Test if ip (10.0.0.1) block-listing is working (policy specified in vsr subroute): default(no policy) -> deny
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={
"host": v_s_route_setup.vs_host,
"X-Real-IP": "10.0.0.1"
},
)
print(f"Response: {resp.status_code}\n{resp.text}")
assert resp.status_code == 200
print(f"Create allow policy")
pol_name = create_policy_from_yaml(kube_apis.custom_objects,
allow_pol_src,
v_s_route_setup.route_m.namespace)
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
allow_vsr_src,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
policy_info = read_custom_resource(kube_apis.custom_objects,
v_s_route_setup.route_m.namespace,
"policies", pol_name)
print(f"\nUse IP listed in deny block: 10.0.0.1")
resp1 = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={
"host": v_s_route_setup.vs_host,
"X-Real-IP": "10.0.0.1"
},
)
print(f"Response: {resp1.status_code}\n{resp1.text}")
print(f"\nUse IP not listed in deny block: 10.0.0.2")
resp2 = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={
"host": v_s_route_setup.vs_host,
"X-Real-IP": "10.0.0.2"
},
)
print(f"Response: {resp2.status_code}\n{resp2.text}")
delete_policy(kube_apis.custom_objects, pol_name,
v_s_route_setup.route_m.namespace)
self.restore_default_vsr(kube_apis, v_s_route_setup)
assert (policy_info["status"]
and policy_info["status"]["reason"] == "AddedOrUpdated"
and policy_info["status"]["state"] == "Valid")
assert (resp2.status_code == 403 and "403 Forbidden" in resp2.text
and resp1.status_code == 200
and "Server address:" in resp1.text)
def test_jwt_policy(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
v_s_route_setup,
test_namespace,
policy,
):
"""
Test jwt-policy with a valid and an invalid policy
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
if policy == jwt_pol_valid_src:
vsr = jwt_vsr_valid_src
elif policy == jwt_pol_invalid_src:
vsr = jwt_vsr_invalid_src
else:
pytest.fail(f"Not a valid case or parameter")
secret, pol_name, headers = self.setup_single_policy(
kube_apis,
v_s_route_setup.route_m.namespace,
valid_token,
jwk_sec_valid_src,
policy,
v_s_route_setup.vs_host,
)
print(f"Patch vsr with policy: {policy}")
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
vsr,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers=headers,
)
print(resp.status_code)
policy_info = read_custom_resource(kube_apis.custom_objects,
v_s_route_setup.route_m.namespace,
"policies", pol_name)
crd_info = read_custom_resource(
kube_apis.custom_objects,
v_s_route_setup.route_m.namespace,
"virtualserverroutes",
v_s_route_setup.route_m.name,
)
delete_policy(kube_apis.custom_objects, pol_name,
v_s_route_setup.route_m.namespace)
delete_secret(kube_apis.v1, secret, v_s_route_setup.route_m.namespace)
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
std_vsr_src,
v_s_route_setup.route_m.namespace,
)
if policy == jwt_pol_valid_src:
assert resp.status_code == 200
assert f"Request ID:" in resp.text
assert crd_info["status"]["state"] == "Valid"
assert (policy_info["status"]
and policy_info["status"]["reason"] == "AddedOrUpdated"
and policy_info["status"]["state"] == "Valid")
elif policy == jwt_pol_invalid_src:
assert resp.status_code == 500
assert f"Internal Server Error" in resp.text
assert crd_info["status"]["state"] == "Warning"
assert (policy_info["status"]
and policy_info["status"]["reason"] == "Rejected"
and policy_info["status"]["state"] == "Invalid")
else:
pytest.fail(f"Not a valid case or parameter")
def test_override_vs_vsr(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
test_namespace,
v_s_route_setup,
src,
):
"""
Test if vsr subroute policy overrides vs spec policy
And vsr subroute policy overrides vs route policy
"""
rate_sec = 5
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
# policy for virtualserver
print(f"Create rl policy: 1rps")
pol_name_vs = create_policy_from_yaml(
kube_apis.custom_objects, rl_pol_pri_src,
v_s_route_setup.route_m.namespace)
# policy for virtualserverroute
print(f"Create rl policy: 5rps")
pol_name_vsr = create_policy_from_yaml(
kube_apis.custom_objects, rl_pol_sec_src,
v_s_route_setup.route_m.namespace)
# patch vsr with 5rps policy
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
rl_vsr_sec_src,
v_s_route_setup.route_m.namespace,
)
# patch vs with 1rps policy
patch_virtual_server_from_yaml(kube_apis.custom_objects,
v_s_route_setup.vs_name, src,
v_s_route_setup.namespace)
wait_before_test()
occur = []
t_end = time.perf_counter() + 1
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={"host": v_s_route_setup.vs_host},
)
print(resp.status_code)
assert resp.status_code == 200
while time.perf_counter() < t_end:
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers={"host": v_s_route_setup.vs_host},
)
occur.append(resp.status_code)
delete_policy(kube_apis.custom_objects, pol_name_vs,
v_s_route_setup.route_m.namespace)
delete_policy(kube_apis.custom_objects, pol_name_vsr,
v_s_route_setup.route_m.namespace)
self.restore_default_vsr(kube_apis, v_s_route_setup)
patch_virtual_server_from_yaml(kube_apis.custom_objects,
v_s_route_setup.vs_name, std_vs_src,
v_s_route_setup.namespace)
assert rate_sec >= occur.count(200) >= (rate_sec - 2)
def test_jwt_policy_delete_policy(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
v_s_route_setup,
test_namespace,
):
"""
Test if requests result in 500 when policy is deleted
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
secret, pol_name, headers = self.setup_single_policy(
kube_apis,
v_s_route_setup.route_m.namespace,
valid_token,
jwk_sec_valid_src,
jwt_pol_valid_src,
v_s_route_setup.vs_host,
)
print(f"Patch vsr with policy: {jwt_pol_valid_src}")
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
jwt_vsr_valid_src,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
resp1 = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers=headers,
)
print(resp1.status_code)
delete_policy(kube_apis.custom_objects, pol_name,
v_s_route_setup.route_m.namespace)
resp2 = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers=headers,
)
print(resp2.status_code)
crd_info = read_custom_resource(
kube_apis.custom_objects,
v_s_route_setup.route_m.namespace,
"virtualserverroutes",
v_s_route_setup.route_m.name,
)
delete_secret(kube_apis.v1, secret, v_s_route_setup.route_m.namespace)
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
std_vsr_src,
v_s_route_setup.route_m.namespace,
)
assert resp1.status_code == 200
assert f"Request ID:" in resp1.text
assert crd_info["status"]["state"] == "Warning"
assert (f"{v_s_route_setup.route_m.namespace}/{pol_name} is missing"
in crd_info["status"]["message"])
assert resp2.status_code == 500
assert f"Internal Server Error" in resp2.text
def test_auth_basic_policy_secret(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
v_s_route_setup,
test_namespace,
htpasswd_secret,
):
"""
Test auth-basic-policy with a valid and an invalid secret
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
if htpasswd_secret == htpasswd_sec_valid_src:
pol = auth_basic_pol_valid_src
vsr = auth_basic_vsr_valid_src
elif htpasswd_secret == htpasswd_sec_invalid_src:
pol = auth_basic_pol_invalid_sec_src
vsr = auth_basic_vsr_invalid_sec_src
else:
pytest.fail(f"Not a valid case or parameter")
secret, pol_name, headers = self.setup_single_policy(
kube_apis,
v_s_route_setup.route_m.namespace,
valid_credentials,
htpasswd_secret,
pol,
v_s_route_setup.vs_host,
)
print(f"Patch vsr with policy: {pol}")
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
vsr,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers=headers,
)
print(resp.status_code)
crd_info = read_custom_resource(
kube_apis.custom_objects,
v_s_route_setup.route_m.namespace,
"virtualserverroutes",
v_s_route_setup.route_m.name,
)
delete_policy(kube_apis.custom_objects, pol_name,
v_s_route_setup.route_m.namespace)
delete_secret(kube_apis.v1, secret, v_s_route_setup.route_m.namespace)
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
std_vsr_src,
v_s_route_setup.route_m.namespace,
)
if htpasswd_secret == htpasswd_sec_valid_src:
assert resp.status_code == 200
assert f"Request ID:" in resp.text
assert crd_info["status"]["state"] == "Valid"
elif htpasswd_secret == htpasswd_sec_invalid_src:
assert resp.status_code == 500
assert f"Internal Server Error" in resp.text
assert crd_info["status"]["state"] == "Warning"
else:
pytest.fail(f"Not a valid case or parameter")
def test_jwt_policy_override_vs_vsr(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
v_s_route_setup,
test_namespace,
vs_src,
):
"""
Test if policy specified in vsr:subroute (policy without $httptoken) takes preference over policy specified in:
1. vs:spec (policy with $httptoken)
2. vs:route (policy with $httptoken)
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
secret, pol_name_1, pol_name_2, headers = self.setup_multiple_policies(
kube_apis,
v_s_route_setup.route_m.namespace,
valid_token,
jwk_sec_valid_src,
jwt_pol_valid_src,
jwt_pol_multi_src,
v_s_route_setup.vs_host,
)
print(f"Patch vsr with policies: {jwt_pol_valid_src}")
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
jwt_vsr_valid_multi_src,
v_s_route_setup.route_m.namespace,
)
patch_virtual_server_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.vs_name,
vs_src,
v_s_route_setup.namespace,
)
wait_before_test()
resp = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers=headers,
)
print(resp.status_code)
delete_policy(kube_apis.custom_objects, pol_name_1,
v_s_route_setup.route_m.namespace)
delete_policy(kube_apis.custom_objects, pol_name_2,
v_s_route_setup.route_m.namespace)
delete_secret(kube_apis.v1, secret, v_s_route_setup.route_m.namespace)
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
std_vsr_src,
v_s_route_setup.route_m.namespace,
)
patch_virtual_server_from_yaml(kube_apis.custom_objects,
v_s_route_setup.vs_name, std_vs_src,
v_s_route_setup.namespace)
assert resp.status_code == 401
assert f"Authorization Required" in resp.text
def test_auth_basic_policy_delete_secret(
self,
kube_apis,
crd_ingress_controller,
v_s_route_app_setup,
v_s_route_setup,
test_namespace,
):
"""
Test if requests result in 500 when secret is deleted
"""
req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
secret, pol_name, headers = self.setup_single_policy(
kube_apis,
v_s_route_setup.route_m.namespace,
valid_credentials,
htpasswd_sec_valid_src,
auth_basic_pol_valid_src,
v_s_route_setup.vs_host,
)
print(f"Patch vsr with policy: {auth_basic_pol_valid_src}")
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
auth_basic_vsr_valid_src,
v_s_route_setup.route_m.namespace,
)
wait_before_test()
resp1 = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers=headers,
)
print(resp1.status_code)
delete_secret(kube_apis.v1, secret, v_s_route_setup.route_m.namespace)
resp2 = requests.get(
f"{req_url}{v_s_route_setup.route_m.paths[0]}",
headers=headers,
)
print(resp2.status_code)
crd_info = read_custom_resource(
kube_apis.custom_objects,
v_s_route_setup.route_m.namespace,
"virtualserverroutes",
v_s_route_setup.route_m.name,
)
delete_policy(kube_apis.custom_objects, pol_name,
v_s_route_setup.route_m.namespace)
patch_v_s_route_from_yaml(
kube_apis.custom_objects,
v_s_route_setup.route_m.name,
std_vsr_src,
v_s_route_setup.route_m.namespace,
)
assert resp1.status_code == 200
assert f"Request ID:" in resp1.text
assert crd_info["status"]["state"] == "Warning"
assert (
f"references an invalid secret {v_s_route_setup.route_m.namespace}/{secret}: secret doesn't exist or of an unsupported type"
in crd_info["status"]["message"])
assert resp2.status_code == 500
assert f"Internal Server Error" in resp2.text
