def test_ap_enable_true_policy_correct(self, kube_apis,
crd_ingress_controller_with_ap,
appprotect_setup, test_namespace):
"""
Test malicious script request is rejected while AppProtect is enabled in Ingress
"""
create_ingress_with_ap_annotations(kube_apis, src_ing_yaml,
test_namespace, ap_policy, "True",
"True", "127.0.0.1:514")
ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml)
print(
"--------- Run test while AppProtect module is enabled with correct policy ---------"
)
ap_crd_info = read_ap_crd(kube_apis.custom_objects, test_namespace,
"appolicies", ap_policy)
assert_ap_crd_info(ap_crd_info, ap_policy)
wait_before_test(40)
ensure_response_from_backend(appprotect_setup.req_url, ingress_host)
print("----------------------- Send request ----------------------")
response = requests.get(appprotect_setup.req_url + "/<script>",
headers={"host": ingress_host},
verify=False)
print(response.text)
delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace)
assert_invalid_responses(response)
def test_ap_enable_false_policy_incorrect(self, kube_apis,
crd_ingress_controller_with_ap,
appprotect_setup,
test_namespace):
"""
Test malicious script request is working normally while AppProtect is disabled in with incorrect policy in ingress
"""
create_ingress_with_ap_annotations(
kube_apis,
src_ing_yaml,
test_namespace,
"invalid-policy",
"False",
"True",
"127.0.0.1:514",
)
ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml)
print(
"--------- Run test while AppProtect module is disabled with incorrect policy ---------"
)
wait_before_test(40)
ensure_response_from_backend(appprotect_setup.req_url, ingress_host)
print("----------------------- Send request ----------------------")
response = requests.get(appprotect_setup.req_url + "/<script>",
headers={"host": ingress_host},
verify=False)
print(response.text)
delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace)
assert_valid_responses(response)
def test_ap_enable_false_policy_correct(self, kube_apis,
crd_ingress_controller_with_ap,
appprotect_setup, test_namespace):
"""
Test malicious script request is working normally while AppProtect is disabled in Ingress
"""
src_ing_yaml = f"{TEST_DATA}/appprotect/appprotect-ingress.yaml"
create_ingress_with_ap_annotations(kube_apis, src_ing_yaml,
test_namespace, ap_policy, "False",
"True", "127.0.0.1:514")
ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml)
print(
"--------- Run test while AppProtect module is disabled with correct policy ---------"
)
events_before_ingress = len(get_events(kube_apis.v1, test_namespace))
ensure_response_from_backend(appprotect_setup.req_url, ingress_host)
wait_status = wait_for_event_increment(kube_apis, test_namespace,
events_before_ingress)
ap_crd_info = read_ap_crd(kube_apis.custom_objects, test_namespace,
"appolicies", ap_policy)
assert_ap_crd_info(ap_crd_info)
wait_before_test(10)
response = ""
if wait_status:
print(
"----------------------- Send request ----------------------")
response = requests.get(appprotect_setup.req_url + "/<script>",
headers={"host": ingress_host},
verify=False)
print(response.text)
delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace)
assert_valid_responses(response)
def test_ap_nginx_config_entries(self, kube_apis,
crd_ingress_controller_with_ap,
appprotect_setup, test_namespace):
"""
Test to verify AppProtect annotations in nginx config
"""
conf_annotations = [
f"app_protect_enable on;",
f"app_protect_policy_file /etc/nginx/waf/nac-policies/{test_namespace}_{ap_policy};",
f"app_protect_security_log_enable on;",
f"app_protect_security_log /etc/nginx/waf/nac-logconfs/{test_namespace}_logconf syslog:server=127.0.0.1:514;",
]
create_ingress_with_ap_annotations(kube_apis, src_ing_yaml,
test_namespace, ap_policy, "True",
"True", "127.0.0.1:514")
wait_before_test(40)
pod_name = get_first_pod_name(kube_apis.v1, "nginx-ingress")
result_conf = get_ingress_nginx_template_conf(kube_apis.v1,
test_namespace,
"appprotect-ingress",
pod_name,
"nginx-ingress")
delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace)
for _ in conf_annotations:
assert _ in result_conf
def test_ap_perf_create_ingress(
self,
kube_apis,
ingress_controller_prerequisites,
ingress_controller_endpoint,
crd_ingress_controller_with_ap,
appprotect_setup,
enable_prometheus_port,
test_namespace,
):
"""
Test reload times for creating AP ingress
"""
src_ing_yaml = f"{TEST_DATA}/appprotect/appprotect-ingress.yaml"
create_ingress_with_ap_annotations(
kube_apis, src_ing_yaml, test_namespace, ap_policy, "True", "True", "127.0.0.1:514"
)
ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml)
print("--------- Run test while AppProtect module is enabled with correct policy ---------")
ensure_response_from_backend(appprotect_setup.req_url, ingress_host)
wait_before_test(40)
response = requests.get(
appprotect_setup.req_url + "/<script>", headers={"host": ingress_host}, verify=False
)
print(response.text)
self.collect_prom_reload_metrics(
reload_ap,
"creating AP ingress",
ingress_controller_endpoint.public_ip,
ingress_controller_endpoint.metrics_port,
)
delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace)
assert_invalid_responses(response)
def test_ap_enable_true_policy_correct_uds(self, request, kube_apis,
crd_ingress_controller_with_ap,
appprotect_setup,
test_namespace):
"""
Test request with UDS rule string is rejected while AppProtect with User Defined Signatures is enabled in Ingress
"""
usersig_name = create_ap_usersig_from_yaml(kube_apis.custom_objects,
uds_crd_resource,
test_namespace)
# Apply dataguard-alarm AP policy with UDS
delete_and_create_ap_policy_from_yaml(
kube_apis.custom_objects,
ap_policy,
f"{TEST_DATA}/appprotect/{ap_policy_uds}.yaml",
test_namespace,
)
wait_before_test()
create_ingress_with_ap_annotations(kube_apis, src_ing_yaml,
test_namespace, ap_policy, "True",
"True", "127.0.0.1:514")
ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml)
print(
"--------- Run test while AppProtect module is enabled with correct policy and UDS ---------"
)
ap_crd_info = read_ap_custom_resource(kube_apis.custom_objects,
test_namespace, "appolicies",
ap_policy)
wait_before_test(120)
ensure_response_from_backend(appprotect_setup.req_url,
ingress_host,
check404=True)
print("----------------------- Send request ----------------------")
response = requests.get(appprotect_setup.req_url,
headers={"host": ingress_host},
verify=False,
data="kic")
print(response.text)
reload_ms = get_last_reload_time(appprotect_setup.metrics_url, "nginx")
print(f"last reload duration: {reload_ms} ms")
reload_times[
f"{request.node.name}"] = f"last reload duration: {reload_ms} ms"
# Restore default dataguard-alarm policy
delete_and_create_ap_policy_from_yaml(
kube_apis.custom_objects,
ap_policy,
f"{TEST_DATA}/appprotect/{ap_policy}.yaml",
test_namespace,
)
delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace)
assert_ap_crd_info(ap_crd_info, ap_policy)
assert_invalid_responses(response)
def test_ap_perf_response(
self,
kube_apis,
ingress_controller_prerequisites,
ingress_controller_endpoint,
crd_ingress_controller_with_ap,
appprotect_setup,
enable_prometheus_port,
test_namespace,
setup_users,
setup_time,
setup_rate,
):
"""
Test response times for AP ingress by running locust as a subprocess.
"""
src_ing_yaml = f"{TEST_DATA}/appprotect/appprotect-ingress.yaml"
print(src_ing_yaml)
# create ingress with AP annotations
create_ingress_with_ap_annotations(
kube_apis, src_ing_yaml, test_namespace, ap_policy, "True", "True", "127.0.0.1:514"
)
ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml)
print("--------- Run test while AppProtect module is enabled with correct policy ---------")
ensure_response_from_backend(appprotect_setup.req_url, ingress_host)
wait_before_test(30)
response = ""
response = requests.get(
appprotect_setup.req_url + "/<script>", headers={"host": ingress_host}, verify=False
)
print(appprotect_setup.req_url + "/<script>")
print(ingress_host)
print(response.text)
# run response time tests using locust.io
subprocess.run(
[
"locust",
"-f",
"suite/ap_request_perf.py",
"--headless",
"--host",
appprotect_setup.req_url,
"--csv",
"ap_response_times",
"-u",
setup_users, # total no. of users
"-r",
setup_rate, # no. of users hatched per second
"-t",
setup_time, # locust session duration in seconds
]
)
delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace)
assert_invalid_responses(response)
def ap_ingress_setup(
request, kube_apis, ingress_controller_endpoint, test_namespace
) -> IngressSetup:
"""
Deploy a simple application and AppProtect manifests.
:param request: pytest fixture
:param kube_apis: client apis
:param ingress_controller_endpoint: public endpoint
:param test_namespace:
:return: BackendSetup
"""
print("------------------------- Deploy backend application -------------------------")
create_example_app(kube_apis, "simple", test_namespace)
req_url = f"https://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.port_ssl}/backend1"
metrics_url = f"http://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.metrics_port}/metrics"
wait_until_all_pods_are_ready(kube_apis.v1, test_namespace)
ensure_connection_to_public_endpoint(
ingress_controller_endpoint.public_ip,
ingress_controller_endpoint.port,
ingress_controller_endpoint.port_ssl,
)
print("------------------------- Deploy Secret -----------------------------")
src_sec_yaml = f"{TEST_DATA}/appprotect/appprotect-secret.yaml"
create_items_from_yaml(kube_apis, src_sec_yaml, test_namespace)
print("------------------------- Deploy logconf -----------------------------")
src_log_yaml = f"{TEST_DATA}/appprotect/logconf.yaml"
log_name = create_ap_logconf_from_yaml(kube_apis.custom_objects, src_log_yaml, test_namespace)
print(f"------------------------- Deploy appolicy: ---------------------------")
src_pol_yaml = f"{TEST_DATA}/appprotect/dataguard-alarm.yaml"
pol_name = create_ap_policy_from_yaml(kube_apis.custom_objects, src_pol_yaml, test_namespace)
print("------------------------- Deploy ingress -----------------------------")
ingress_host = {}
src_ing_yaml = f"{TEST_DATA}/appprotect/appprotect-ingress.yaml"
create_ingress_with_ap_annotations(
kube_apis, src_ing_yaml, test_namespace, "dataguard-alarm", "True", "True", "127.0.0.1:514"
)
ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml)
wait_before_test()
def fin():
print("Clean up:")
src_ing_yaml = f"{TEST_DATA}/appprotect/appprotect-ingress.yaml"
delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace)
delete_ap_policy(kube_apis.custom_objects, pol_name, test_namespace)
delete_ap_logconf(kube_apis.custom_objects, log_name, test_namespace)
delete_common_app(kube_apis, "simple", test_namespace)
src_sec_yaml = f"{TEST_DATA}/appprotect/appprotect-secret.yaml"
delete_items_from_yaml(kube_apis, src_sec_yaml, test_namespace)
request.addfinalizer(fin)
return IngressSetup(req_url, metrics_url, ingress_host)
def test_ap_perf_multiple_ingress(
self,
kube_apis,
ingress_controller_prerequisites,
ingress_controller_endpoint,
crd_ingress_controller_with_ap,
appprotect_setup,
enable_prometheus_port,
test_namespace,
):
"""
Test reload times for creating AP ingress while a simple ingress exists.
"""
src1_ing_yaml = f"{TEST_DATA}/appprotect/appprotect-ingress.yaml"
print(src1_ing_yaml)
src2_ing_yaml = os.path.join(os.path.dirname(__file__),
"../data/non-ap-ingress.yaml")
print(src2_ing_yaml)
with open(src2_ing_yaml) as f:
doc = yaml.safe_load(f)
# create ingress without AP annotation
create_ingress(kube_apis.extensions_v1_beta1, test_namespace, doc)
wait_before_test(10)
# create ingress with AP annotations
create_ingress_with_ap_annotations(kube_apis, src1_ing_yaml,
test_namespace, ap_policy, "True",
"True", "127.0.0.1:514")
ingress_host = get_first_ingress_host_from_yaml(src1_ing_yaml)
print(
"--------- Run test while AppProtect module is enabled with correct policy ---------"
)
ensure_response_from_backend(appprotect_setup.req_url, ingress_host)
wait_before_test(30)
response = requests.get(appprotect_setup.req_url + "/<script>",
headers={"host": ingress_host},
verify=False)
print(response.text)
self.collect_prom_reload_metrics(
reload_ap_with_ingress,
"creating AP ingress alongside a simple ingress",
ingress_controller_endpoint.public_ip,
ingress_controller_endpoint.metrics_port,
)
delete_items_from_yaml(kube_apis, src1_ing_yaml, test_namespace)
delete_items_from_yaml(kube_apis, src2_ing_yaml, test_namespace)
assert_invalid_responses(response)
def test_ap_pod_startup(
self,
request,
kube_apis,
ingress_controller_prerequisites,
crd_ingress_controller_with_ap,
appprotect_setup,
test_namespace,
):
"""
Log pod startup time while scaling up from 0 to 1
"""
src_syslog_yaml = f"{TEST_DATA}/appprotect/syslog.yaml"
create_items_from_yaml(kube_apis, src_syslog_yaml, test_namespace)
syslog_ep = get_service_endpoint(kube_apis, "syslog-svc",
test_namespace)
# items[-1] because syslog pod is last one to spin-up
syslog_pod = kube_apis.v1.list_namespaced_pod(
test_namespace).items[-1].metadata.name
create_ingress_with_ap_annotations(kube_apis, src_ing_yaml,
test_namespace, ap_policy, "True",
"True", f"{syslog_ep}:514")
ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml)
print(
"--------- AppProtect module is enabled with correct policy ---------"
)
ensure_response_from_backend(appprotect_setup.req_url,
ingress_host,
check404=True)
ns = ingress_controller_prerequisites.namespace
scale_deployment(kube_apis.v1, kube_apis.apps_v1_api, "nginx-ingress",
ns, 0)
while get_pods_amount(kube_apis.v1, ns) is not 0:
print(f"Number of replicas not 0, retrying...")
wait_before_test()
num = scale_deployment(kube_apis.v1, kube_apis.apps_v1_api,
"nginx-ingress", ns, 1)
delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace)
delete_items_from_yaml(kube_apis, src_syslog_yaml, test_namespace)
assert num is None
def test_ap_pod_startup(
self,
request,
kube_apis,
ingress_controller_prerequisites,
crd_ingress_controller_with_ap,
appprotect_setup,
test_namespace,
):
"""
Log pod startup time while scaling up from 0 to 1
"""
syslog_dst = f"syslog-svc.{test_namespace}"
create_ingress_with_ap_annotations(kube_apis, src_ing_yaml,
test_namespace, ap_policy, "True",
"True", f"{syslog_dst}:514")
ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml)
print(
"--------- AppProtect module is enabled with correct policy ---------"
)
ensure_response_from_backend(appprotect_setup.req_url,
ingress_host,
check404=True)
ns = ingress_controller_prerequisites.namespace
scale_deployment(kube_apis.v1, kube_apis.apps_v1_api, "nginx-ingress",
ns, 0)
while get_pods_amount(kube_apis.v1, ns) is not 0:
print(f"Number of replicas not 0, retrying...")
wait_before_test()
num = scale_deployment(kube_apis.v1, kube_apis.apps_v1_api,
"nginx-ingress", ns, 1)
delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace)
assert num is None
def test_ap_sec_logs_on(self, kube_apis, crd_ingress_controller_with_ap,
appprotect_setup, test_namespace):
"""
Test corresponding log entries with correct policy (includes setting up a syslog server as defined in syslog.yaml)
"""
src_syslog_yaml = f"{TEST_DATA}/appprotect/syslog.yaml"
log_loc = f"/var/log/messages"
create_items_from_yaml(kube_apis, src_syslog_yaml, test_namespace)
wait_before_test(40)
syslog_ep = (kube_apis.v1.read_namespaced_endpoints(
"syslog-svc", test_namespace).subsets[0].addresses[0].ip)
# items[-1] because syslog pod is last one to spin-up
syslog_pod = kube_apis.v1.list_namespaced_pod(
test_namespace).items[-1].metadata.name
create_ingress_with_ap_annotations(kube_apis, src_ing_yaml,
test_namespace, ap_policy, "True",
"True", f"{syslog_ep}:514")
ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml)
print(
"--------- Run test while AppProtect module is enabled with correct policy ---------"
)
wait_before_test(40)
ensure_response_from_backend(appprotect_setup.req_url, ingress_host)
print(
"----------------------- Send invalid request ----------------------"
)
response = requests.get(appprotect_setup.req_url + "/<script>",
headers={"host": ingress_host},
verify=False)
print(response.text)
wait_before_test(5)
log_contents = get_file_contents(kube_apis.v1, log_loc, syslog_pod,
test_namespace)
assert_invalid_responses(response)
assert (
f'ASM:attack_type="Non-browser Client,Abuse of Functionality,Cross Site Scripting (XSS)"'
in log_contents)
assert f'severity="Critical"' in log_contents
assert f'request_status="blocked"' in log_contents
assert f'outcome="REJECTED"' in log_contents
print(
"----------------------- Send valid request ----------------------"
)
headers = {
"Host":
ingress_host,
"User-Agent":
"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0",
}
response = requests.get(appprotect_setup.req_url,
headers=headers,
verify=False)
print(response.text)
wait_before_test(5)
log_contents = get_file_contents(kube_apis.v1, log_loc, syslog_pod,
test_namespace)
delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace)
delete_items_from_yaml(kube_apis, src_syslog_yaml, test_namespace)
assert_valid_responses(response)
assert f'ASM:attack_type="N/A"' in log_contents
assert f'severity="Informational"' in log_contents
assert f'request_status="passed"' in log_contents
assert f'outcome="PASSED"' in log_contents
def backend_setup(request, kube_apis, ingress_controller_endpoint,
ingress_controller_prerequisites,
test_namespace) -> BackendSetup:
"""
Deploy a simple application and AppProtect manifests.
:param request: pytest fixture
:param kube_apis: client apis
:param ingress_controller_endpoint: public endpoint
:param test_namespace:
:return: BackendSetup
"""
try:
print(
"------------------------- Replace ConfigMap with HTTP2 -------------------------"
)
replace_configmap_from_yaml(
kube_apis.v1,
ingress_controller_prerequisites.config_map['metadata']['name'],
ingress_controller_prerequisites.namespace,
f"{TEST_DATA}/appprotect/grpc/nginx-config.yaml")
policy = request.param["policy"]
print(
"------------------------- Deploy backend application -------------------------"
)
create_example_app(kube_apis, "grpc", test_namespace)
wait_until_all_pods_are_ready(kube_apis.v1, test_namespace)
print(
"------------------------- Deploy Secret -----------------------------"
)
src_sec_yaml = f"{TEST_DATA}/appprotect/appprotect-secret.yaml"
create_items_from_yaml(kube_apis, src_sec_yaml, test_namespace)
print(
"------------------------- Deploy logconf -----------------------------"
)
src_log_yaml = f"{TEST_DATA}/appprotect/logconf.yaml"
log_name = create_ap_logconf_from_yaml(kube_apis.custom_objects,
src_log_yaml, test_namespace)
print(
f"------------------------- Deploy appolicy: {policy} ---------------------------"
)
src_pol_yaml = f"{TEST_DATA}/appprotect/grpc/{policy}.yaml"
pol_name = create_ap_policy_from_yaml(kube_apis.custom_objects,
src_pol_yaml, test_namespace)
print(
"------------------------- Deploy Syslog -----------------------------"
)
src_syslog_yaml = f"{TEST_DATA}/appprotect/syslog.yaml"
create_items_from_yaml(kube_apis, src_syslog_yaml, test_namespace)
syslog_ep = get_service_endpoint(kube_apis, "syslog-svc",
test_namespace)
print(syslog_ep)
print(
"------------------------- Deploy ingress -----------------------------"
)
src_ing_yaml = f"{TEST_DATA}/appprotect/grpc/ingress.yaml"
create_ingress_with_ap_annotations(kube_apis, src_ing_yaml,
test_namespace, policy, "True",
"True", f"{syslog_ep}:514")
ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml)
wait_before_test(40)
except Exception as ex:
print("Failed to complete setup, cleaning up..")
delete_items_from_yaml(kube_apis, src_syslog_yaml, test_namespace)
delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace)
delete_ap_policy(kube_apis.custom_objects, pol_name, test_namespace)
delete_ap_logconf(kube_apis.custom_objects, log_name, test_namespace)
delete_common_app(kube_apis, "grpc", test_namespace)
delete_items_from_yaml(kube_apis, src_sec_yaml, test_namespace)
replace_configmap_from_yaml(
kube_apis.v1,
ingress_controller_prerequisites.config_map['metadata']['name'],
ingress_controller_prerequisites.namespace,
f"{DEPLOYMENTS}/common/nginx-config.yaml")
pytest.fail(f"AP GRPC setup failed")
def fin():
print("Clean up:")
delete_items_from_yaml(kube_apis, src_syslog_yaml, test_namespace)
delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace)
delete_ap_policy(kube_apis.custom_objects, pol_name, test_namespace)
delete_ap_logconf(kube_apis.custom_objects, log_name, test_namespace)
delete_common_app(kube_apis, "grpc", test_namespace)
delete_items_from_yaml(kube_apis, src_sec_yaml, test_namespace)
replace_configmap_from_yaml(
kube_apis.v1,
ingress_controller_prerequisites.config_map['metadata']['name'],
ingress_controller_prerequisites.namespace,
f"{DEPLOYMENTS}/common/nginx-config.yaml")
request.addfinalizer(fin)
return BackendSetup(ingress_host, ingress_controller_endpoint.public_ip,
ingress_controller_endpoint.port_ssl)
def test_ap_sec_logs_on(
self,
request,
kube_apis,
ingress_controller_prerequisites,
crd_ingress_controller_with_ap,
appprotect_setup,
test_namespace,
):
"""
Test corresponding log entries with correct policy (includes setting up a syslog server as defined in syslog.yaml)
"""
log_loc = "/var/log/messages"
syslog_dst = f"syslog-svc.{test_namespace}"
syslog_pod = get_pod_name_that_contains(kube_apis.v1, test_namespace,
"syslog-")
create_ingress_with_ap_annotations(kube_apis, src_ing_yaml,
test_namespace, ap_policy, "True",
"True", f"{syslog_dst}:514")
ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml)
print(
"--------- Run test while AppProtect module is enabled with correct policy ---------"
)
ensure_response_from_backend(appprotect_setup.req_url,
ingress_host,
check404=True)
print(
"----------------------- Send invalid request ----------------------"
)
response_block = requests.get(appprotect_setup.req_url + "/<script>",
headers={"host": ingress_host},
verify=False)
print(response_block.text)
log_contents_block = ""
retry = 0
while "ASM:attack_type" not in log_contents_block and retry <= 30:
log_contents_block = get_file_contents(kube_apis.v1, log_loc,
syslog_pod, test_namespace)
retry += 1
wait_before_test(1)
print(f"Security log not updated, retrying... #{retry}")
print(
"----------------------- Send valid request ----------------------"
)
headers = {
"Host":
ingress_host,
"User-Agent":
"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0",
}
response = requests.get(appprotect_setup.req_url,
headers=headers,
verify=False)
print(response.text)
wait_before_test(10)
log_contents = get_file_contents(kube_apis.v1, log_loc, syslog_pod,
test_namespace)
delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace)
clear_file_contents(kube_apis.v1, log_loc, syslog_pod, test_namespace)
assert_invalid_responses(response_block)
assert (
'ASM:attack_type="Non-browser Client,Abuse of Functionality,Cross Site Scripting (XSS)"'
in log_contents_block)
assert 'severity="Critical"' in log_contents_block
assert 'request_status="blocked"' in log_contents_block
assert 'outcome="REJECTED"' in log_contents_block
assert_valid_responses(response)
assert 'ASM:attack_type="N/A"' in log_contents
assert 'severity="Informational"' in log_contents
assert 'request_status="passed"' in log_contents
assert 'outcome="PASSED"' in log_contents
