def test_bats_022_get_protection_types(sut_handle, shieldx_logger):
policy_mgmt = PolicyMgmt(sut_handle)
# Get Protection Types
protection_types = policy_mgmt.get_protection_types()
for protection_type in protection_types:
shieldx_logger.info("Protection Type: {}".format(protection_type))
def test_clean_setup(sut_handle, ixia_handle, shieldx_constants,
shieldx_logger, datadir, pytestconfig):
# Initialize
# DUT
sps_mgmt = SPS_Mgmt(sut_handle)
tpp_mgmt = TPP_Mgmt(sut_handle)
acl_mgmt = ACL_Mgmt(sut_handle)
sys_mgmt = SysMgmt(sut_handle)
# Traffic Gen
breaking_point = BreakingPoint(ixia_handle)
# Policies
from_tpp_name = "All Threats"
to_tpp_name = "All Threats Blocked TPP"
sps_name = "All Threats Blocked SPS"
#### Clear SPS from ACL Policy
is_updated = False
default_acl = "Default ACL Policy"
acl_policy = acl_mgmt.get_acl_by_name(default_acl)
if acl_policy is not None:
# Modify the ACL Rule in the Default ACL Policy
acl_policy["spsId"] = "null"
acl_policy["aclRules"][0]["spsId"] = "null"
# Update the ACL
shieldx_logger.info("Update ACL: {}".format(acl_policy))
is_updated = acl_mgmt.update_acl(acl_policy)
assert is_updated == True, "Unable to update ACL."
else:
assert False, "Not able to find ACL."
#### Delete obsolete SPS
sps = sps_mgmt.get_sps_by_name(sps_name)
shieldx_logger.info("Obsolete SPS: {}".format(sps))
if sps is not None:
sps_id = sps["id"]
is_deleted = sps_mgmt.delete_security_policy_set_by_id(sps_id)
assert is_deleted == True, "Unable to delete old SPS."
else:
# No-op
pass
#### Delete obsolete TPP
tpp = tpp_mgmt.get_threat_prevention_policy_by_name(to_tpp_name)
shieldx_logger.info("Obsolete TPP: {}".format(tpp))
if tpp is not None:
to_tpp_id = tpp["id"]
is_deleted = tpp_mgmt.delete_threat_prevention_policy_by_id(to_tpp_id)
assert is_deleted == True, "Unable to delete old TPP."
else:
# No-op
pass
def test_bats_000_get_tpp_list(sut_handle, shieldx_logger):
policy_mgmt = PolicyMgmt(sut_handle)
# Get Threat Prevention Policy List
tpp_list = policy_mgmt.get_threat_prevention_policy_list()
for tpp in tpp_list:
shieldx_logger.info("TPP Name: {}".format(tpp["name"]))
shieldx_logger.info("TPP ID: {}".format(tpp["id"]))
shieldx_logger.info("---\n")
def test_count_tpp_rules(sut_handle, datadir, shieldx_constants,
shieldx_logger, tpp_name):
# Initialize
# DUT
tpp_mgmt = TPP_Mgmt(sut_handle)
sys_mgmt = SysMgmt(sut_handle)
# Get the system info
system_info = sys_mgmt.get_system_info()
software_version = system_info["version"]
content_version = system_info["contentVersion"]
# Results - ShieldX
shieldx_logger.info("Software: {}".format(software_version))
shieldx_logger.info("Content: {}".format(content_version))
shieldx_logger.info("TPP: {}".format(tpp_name))
# Save snapshots for reporting
result_dir = "{}{}".format(shieldx_constants["SX_REPORT_REPO"],
shieldx_constants["SX_TPP_RULES_REPO"])
column_names = [
"Build", "Threat Prevention Policy", "Threat Count", "App Count"
]
column_widths = [26, 24, 16, 16]
build = "Mgmt{}Content{}".format(software_version, content_version)
# Get Threat Prevention Policy
tpp = tpp_mgmt.get_threat_prevention_policy_by_name(tpp_name)
# Get rules - threats and apps
if tpp is not None:
# TPP ID
tpp_id = tpp["id"]
# Threats and Apps
threats = tpp_mgmt.get_threats_by_policy_id(tpp_id)
apps = tpp_mgmt.get_apps_by_policy_id(tpp_id)
shieldx_logger.info("TPP Name: {}".format(tpp_name))
shieldx_logger.info("TPP ID: {}".format(tpp_id))
# Prep result
shieldx_results = ResultsMgmt(result_dir, column_names, column_widths)
result = [build, tpp_name, len(threats), len(apps)]
# Add result
shieldx_results.add(result)
else:
shieldx_logger.error("Unable to find the TPP.")
def test_func_002_check_threat_severities(sut_handle, shieldx_logger):
policy = PolicyMgmt(sut_handle)
expected_severities = ["Critical", "High", "Medium", "Low"].sort()
try:
# Get threat severities
threat_severities = policy.get_threat_severities()
shieldx_logger.info("Threat Severities: {}".format(threat_severities))
assert threat_severities.sort(
) == expected_severities, "Threat Severity mismatch."
except Exception as e:
shieldx_logger.error(e)
def test_func_001_check_threat_encyclopedia_references(sut_handle, threat,
shieldx_logger):
policy = PolicyMgmt(sut_handle)
try:
# Get existing threat prevention policies
threat_info = policy.get_threat_encyclopedia(threat["pm_id"],
threat["rule_id"])
shieldx_logger.info("Threat Info: {}".format(threat_info))
assert threat_info["entries"]["name"] == threat[
"name"], "Name mismatch."
except Exception as e:
shieldx_logger.error(e)
def test_bats_001_get_threats_by_policy(sut_handle, shieldx_logger):
policy_mgmt = PolicyMgmt(sut_handle)
# Get Threat Prevention Policy List
tpp_list = policy_mgmt.get_threat_prevention_policy_list()
for tpp in tpp_list:
# Get threats for each TPP
threats = policy_mgmt.get_threats_by_policy_id(tpp["id"])
shieldx_logger.info("TPP Name: {}".format(tpp["name"]))
shieldx_logger.info("TPP ID: {}".format(tpp["id"]))
shieldx_logger.info("Threat Count: {}".format(len(threats)))
shieldx_logger.info("---\n")
def test_bats_021_get_content_attributes(sut_handle, shieldx_logger):
policy_mgmt = PolicyMgmt(sut_handle)
# Get Content Attributes
content_attributes = policy_mgmt.get_content_attributes()
shieldx_logger.info("Content Attribute Count: {}".format(
len(content_attributes)))
# Show sample
shieldx_logger.info("Content Attribute Sample: {}".format(
content_attributes[0]))
shieldx_logger.info("Content Attribute Sample: {}".format(
content_attributes[101]))
shieldx_logger.info("Content Attribute Sample: {}".format(
content_attributes[1001]))
def test_bats_002_get_tpp_by_policy_id(sut_handle, policy_id, policy_name,
shieldx_constants, shieldx_logger):
policy_mgmt = PolicyMgmt(sut_handle)
# Get Threat Prevention Policy by ID
tpp = policy_mgmt.get_threat_prevention_policy_by_id(policy_id)
if tpp is not None:
shieldx_logger.info("TPP Name: {}".format(tpp["name"]))
shieldx_logger.info("TPP ID: {}".format(tpp["id"]))
shieldx_logger.info("---\n")
assert policy_name == tpp["name"], "TPP Name does not match."
assert policy_id == tpp["id"], "TPP ID does not match."
else:
shieldx_logger.error("Unknown policy Name: {}".format(policy_name))
shieldx_logger.error("Unknown policy ID: {}".format(policy_id))
time.sleep(1 * shieldx_constants["USER_WAIT"])
def test_bats_026_delete_tpp(sut_handle, policy_name, shieldx_logger):
is_deleted = False
policy_id = None
policy_mgmt = PolicyMgmt(sut_handle)
# Get Threat Prevention Policy List
tpp_list = policy_mgmt.get_threat_prevention_policy_list()
for tpp in tpp_list:
if policy_name == tpp["name"]:
policy_id = tpp["id"]
break
else:
continue
if policy_id is not None:
is_deleted = policy_mgmt.delete_threat_prevention_policy_by_id(
policy_id)
assert is_deleted == True, "Delete TPP failed."
else:
shieldx_logger.error("NOOP - Unable to find the TPP.")
def test_policy_clone_and_threat_detection(sut_handle, ixia_handle,
shieldx_constants, shieldx_logger,
content_bundle, traffic_profile,
expected_percent_blocked, datadir,
pytestconfig):
# Initialize
# DUT
sps_mgmt = SPS_Mgmt(sut_handle)
tpp_mgmt = TPP_Mgmt(sut_handle)
acl_mgmt = ACL_Mgmt(sut_handle)
sys_mgmt = SysMgmt(sut_handle)
# Traffic Gen
breaking_point = BreakingPoint(ixia_handle)
# Policies
from_tpp_name = "All Threats"
to_tpp_name = "All Threats Blocked TPP"
sps_name = "All Threats Blocked SPS"
#### Clear SPS from ACL Policy
is_updated = False
default_acl = "Default ACL Policy"
acl_policy = acl_mgmt.get_acl_by_name(default_acl)
if acl_policy is not None:
# Modify the ACL Rule in the Default ACL Policy
acl_policy["spsId"] = "null"
acl_policy["aclRules"][0]["spsId"] = "null"
# Update the ACL
shieldx_logger.info("Update ACL: {}".format(acl_policy))
is_updated = acl_mgmt.update_acl(acl_policy)
assert is_updated == True, "Unable to update ACL."
else:
assert False, "Not able to find ACL."
#### Delete obsolete SPS
sps = sps_mgmt.get_sps_by_name(sps_name)
shieldx_logger.info("Obsolete SPS: {}".format(sps))
if sps is not None:
sps_id = sps["id"]
is_deleted = sps_mgmt.delete_security_policy_set_by_id(sps_id)
assert is_deleted == True, "Unable to delete old SPS."
else:
# No-op
pass
#### Delete obsolete TPP
tpp = tpp_mgmt.get_threat_prevention_policy_by_name(to_tpp_name)
shieldx_logger.info("Obsolete TPP: {}".format(tpp))
if tpp is not None:
to_tpp_id = tpp["id"]
is_deleted = tpp_mgmt.delete_threat_prevention_policy_by_id(to_tpp_id)
assert is_deleted == True, "Unable to delete old TPP."
else:
# No-op
pass
#### Apply desired license
shieldx_license = pytestconfig.getoption("license")
is_license_set = sys_mgmt.set_license(shieldx_license)
assert is_license_set == True, "Unable to set license."
#### File based content update
resolved_filename = str((datadir / content_bundle).resolve())
shieldx_logger.info("Filename: {}".format(resolved_filename))
is_content_update_initiated = sys_mgmt.file_based_update_content(
resolved_filename)
time.sleep(20 * shieldx_constants["USER_WAIT"])
assert is_content_update_initiated == True, "Failed to initiate content update."
#### Clone "All Threats" and set Response to BLOCK
block_threats = True
from_tpp_id = None
to_tpp_id = None
threats = None
apps = None
# Get Threat Prevention Policy
tpp = tpp_mgmt.get_threat_prevention_policy_by_name(from_tpp_name)
from_tpp_id = tpp["id"]
if from_tpp_id is not None:
threats = tpp_mgmt.get_threats_by_policy_id(from_tpp_id)
apps = tpp_mgmt.get_apps_by_policy_id(from_tpp_id)
shieldx_logger.info("TPP Name: {}".format(from_tpp_name))
shieldx_logger.info("TPP ID: {}".format(from_tpp_id))
else:
shieldx_logger.error("Unable to find the TPP.")
# Fetch the payload from a config file
tpp_config_file = "tpp.json"
file_name = str((datadir / tpp_config_file).resolve())
with open(file_name, 'r') as config_file:
tpp_config = json.load(config_file)
# Get the payload for cloning
if "tpp_clone_payload" in tpp_config:
clone_payload = tpp_config["tpp_clone_payload"]
shieldx_logger.info("Clone Payload: {}".format(clone_payload))
else:
pass
# Get the payload for response action
if "tpp_bulk_edit_response_payload" in tpp_config:
response_payload = tpp_config["tpp_bulk_edit_response_payload"]
shieldx_logger.info(
"Bulk Edit Payload: {}".format(response_payload))
else:
pass
# Populate the payload
if clone_payload:
clone_payload["name"] = to_tpp_name
clone_payload["tenantId"] = 1 # this should be fetched
app_names = [app["name"] for app in apps]
# Special handling based on the policy being cloned
# Option is based on "Uses Specific Threats?" flag
# This flag is based whether "specificThreats" is populated.
if from_tpp_name == "Common Threats" or from_tpp_name == "AppVisibility":
# no need to specify the "appNames" in the rules.
# specify the "specificThreats" instead
clone_payload["rules"] = [{"specificThreats": threats}]
else:
# no need to specify the "specificThreats" in the rules.
# specify the "appNames" instead
if app_names:
clone_payload["rules"] = [{"appNames": app_names}]
else:
clone_payload["rules"] = []
else:
shieldx_logger.error(
"Unable to fetch the TPP payload from config file.")
# Create a clone of a TPP, get the TPP ID back
to_tpp_id = tpp_mgmt.create_threat_prevention_policy(clone_payload)
shieldx_logger.info("Create OK, TPP ID: {}".format(to_tpp_id))
assert to_tpp_id != 0, "TPP Clone failed."
# Clone TPP responses
is_cloned = tpp_mgmt.clone_threat_prevention_policy_responses(
from_tpp_id, to_tpp_id)
assert is_cloned == True, "Clone TPP responses failed."
# Bulk Edit - Block threats
if block_threats:
threat_responses = tpp_mgmt.get_threat_responses_by_policy_id(
to_tpp_id)
for threat_response in threat_responses:
threat_response["block"] = True
threat_response["policyId"] = to_tpp_id
response_payload["id"] = to_tpp_id
response_payload["responses"] = threat_responses
shieldx_logger.info("Bulk Edit Payload: {}".format(response_payload))
bulk_edit_success = tpp_mgmt.bulk_update_threat_responses(
response_payload)
assert bulk_edit_success == True, "Bulk edit response action failed."
else:
pass
#### Create "All Threats Blocked SPS"
sps_id = 0
# Fetch the payload from a config file
sps_config_file = "sps.json"
file_name = str((datadir / sps_config_file).resolve())
with open(file_name, 'r') as config_file:
sps_config = json.load(config_file)
# Get the payload for cloning
if "sps_create_payload" in sps_config:
create_payload = sps_config["sps_create_payload"]
shieldx_logger.info("Create Payload: {}".format(create_payload))
else:
create_payload = None
if create_payload is not None:
create_payload["name"] = sps_name
create_payload["threatPreventionPolicyName"] = to_tpp_name
create_payload["threatPreventionPolicyId"] = to_tpp_id
shieldx_logger.info("Create Payload: {}".format(create_payload))
sps_id = sps_mgmt.create_security_policy_set(create_payload)
assert sps_id > 0, "SPS creation failed."
else:
pass
#### Apply SPS to ACL
is_updated = False
default_acl = "Default ACL Policy"
acl_policy = acl_mgmt.get_acl_by_name(default_acl)
if acl_policy is not None:
shieldx_logger.info("Update ACL with SPS Name: {}".format(sps_name))
shieldx_logger.info("Update ACL with SPS ID: {}".format(sps_id))
# Modify the ACL Rule in the Default ACL Policy
acl_policy["spsId"] = sps_id
acl_policy["aclRules"][0]["spsId"] = sps_id
# Update the ACL
shieldx_logger.info("Update ACL: {}".format(acl_policy))
is_updated = acl_mgmt.update_acl(acl_policy)
# Compile and propagate config
time.sleep(20 * shieldx_constants["USER_WAIT"])
assert is_updated == True, "Unable to update ACL."
else:
assert False, "Not able to find ACL."
# Get the system info
system_info = sys_mgmt.get_system_info()
software_version = system_info["version"]
content_version = system_info["contentVersion"]
# Get the license info
license_info = sys_mgmt.get_license()
# Get SPS in default ACL
default_acl = "Default ACL Policy"
acl_policy = acl_mgmt.get_acl_by_name(default_acl)
sps_id = acl_policy["aclRules"][0]["spsId"]
sps = sps_mgmt.get_sps_by_id(sps_id)
assert sps is not None, "Check strikes test init, SPS must not be empty."
# Proceed with test, get current SPS name
sps_name = sps["name"]
# Send traffic
processed_stats = breaking_point.send_strikes_traffic(
shieldx_constants["IXIA_SLOT"], shieldx_constants["IXIA_PORTS"],
traffic_profile)
# Results - ShieldX
shieldx_logger.info("Software: {}".format(software_version))
shieldx_logger.info("Content: {}".format(content_version))
shieldx_logger.info("License: {}".format(license_info))
shieldx_logger.info("SPS: {}".format(sps_name))
# Results - Breaking Point
shieldx_logger.info("BP Model Name: {}".format(
processed_stats["model_name"]))
shieldx_logger.info("BP Test ID: {}".format(processed_stats["test_id"]))
shieldx_logger.info("BP Test Iteration: {}".format(
processed_stats["test_iteration"]))
shieldx_logger.info("Total Strikes: {}".format(
processed_stats["total_strikes"]))
shieldx_logger.info("Total Allowed: {}".format(
processed_stats["total_allowed"]))
shieldx_logger.info("Total Blocked: {}".format(
processed_stats["total_blocked"]))
# Compute percentage
if int(processed_stats["total_strikes"]) != 0:
percent_blocked = "{:.2f}".format(
100 * (int(processed_stats["total_blocked"]) /
int(processed_stats["total_strikes"])))
else:
percent_blocked = "0.0"
# Save snapshots for reporting
result_dir = "{}{}".format(shieldx_constants["SX_REPORT_REPO"],
shieldx_constants["SX_STRIKES_REPO"])
column_names = [
"Build", "Test Name - Iteration - Internal ID", "SPS", "Cpty",
"Total Strikes", "Total Allowed", "Total Blocked", "% Blocked"
]
column_widths = [26, 54, 26, 6, 14, 14, 14, 10]
build = "Mgmt{}Content{}".format(software_version, content_version)
test_model_id_iter = "{} - {} - {}".format(
processed_stats["model_name"], processed_stats["test_iteration"],
processed_stats["test_id"])
cpty = license_info["expected_capacity"]
# Prep result
shieldx_results = Result_Mgmt(result_dir, column_names, column_widths)
result = [
build, test_model_id_iter, sps_name, cpty,
processed_stats["total_strikes"], processed_stats["total_allowed"],
processed_stats["total_blocked"], percent_blocked
]
# Add result
shieldx_results.add(result)
#### Clear SPS from ACL Policy
is_updated = False
default_acl = "Default ACL Policy"
acl_policy = acl_mgmt.get_acl_by_name(default_acl)
if acl_policy is not None:
# Modify the ACL Rule in the Default ACL Policy
acl_policy["spsId"] = "null"
acl_policy["aclRules"][0]["spsId"] = "null"
# Update the ACL
shieldx_logger.info("Update ACL: {}".format(acl_policy))
is_updated = acl_mgmt.update_acl(acl_policy)
assert is_updated == True, "Unable to update ACL."
else:
assert False, "Not able to find ACL."
#### Delete obsolete SPS
sps = sps_mgmt.get_sps_by_name(sps_name)
shieldx_logger.info("Obsolete SPS: {}".format(sps))
if sps is not None:
sps_id = sps["id"]
is_deleted = sps_mgmt.delete_security_policy_set_by_id(sps_id)
assert is_deleted == True, "Unable to delete old SPS."
else:
# No-op
pass
#### Delete obsolete TPP
tpp = tpp_mgmt.get_threat_prevention_policy_by_name(to_tpp_name)
shieldx_logger.info("Obsolete TPP: {}".format(tpp))
if tpp is not None:
to_tpp_id = tpp["id"]
is_deleted = tpp_mgmt.delete_threat_prevention_policy_by_id(to_tpp_id)
assert is_deleted == True, "Unable to delete old TPP."
else:
# No-op
pass
# Pass/Fail Test
assert percent_blocked == 100.0, "Not all threats are detected, abort and check the setup."
def test_init_setup(sut_handle, ixia_handle, shieldx_constants, shieldx_logger,
datadir, pytestconfig):
# Initialize
# DUT
sps_mgmt = SPS_Mgmt(sut_handle)
tpp_mgmt = TPP_Mgmt(sut_handle)
acl_mgmt = ACL_Mgmt(sut_handle)
sys_mgmt = SysMgmt(sut_handle)
# Traffic Gen
breaking_point = BreakingPoint(ixia_handle)
#### Apply desired license
shieldx_license = pytestconfig.getoption("license")
is_license_set = sys_mgmt.set_license(shieldx_license)
assert is_license_set == True, "Unable to set license."
# Policies
from_tpp_name = "All Threats"
to_tpp_name = "All Threats Blocked TPP"
sps_name = "All Threats Blocked SPS"
#### Clear SPS from ACL Policy
is_updated = False
default_acl = "Default ACL Policy"
acl_policy = acl_mgmt.get_acl_by_name(default_acl)
if acl_policy is not None:
# Modify the ACL Rule in the Default ACL Policy
acl_policy["spsId"] = "null"
acl_policy["aclRules"][0]["spsId"] = "null"
# Update the ACL
shieldx_logger.info("Update ACL: {}".format(acl_policy))
is_updated = acl_mgmt.update_acl(acl_policy)
assert is_updated == True, "Unable to update ACL."
else:
assert False, "Not able to find ACL."
#### Delete obsolete SPS
sps = sps_mgmt.get_sps_by_name(sps_name)
shieldx_logger.info("Obsolete SPS: {}".format(sps))
if sps is not None:
sps_id = sps["id"]
is_deleted = sps_mgmt.delete_security_policy_set_by_id(sps_id)
assert is_deleted == True, "Unable to delete old SPS."
else:
# No-op
pass
#### Delete obsolete TPP
tpp = tpp_mgmt.get_threat_prevention_policy_by_name(to_tpp_name)
shieldx_logger.info("Obsolete TPP: {}".format(tpp))
if tpp is not None:
to_tpp_id = tpp["id"]
is_deleted = tpp_mgmt.delete_threat_prevention_policy_by_id(to_tpp_id)
assert is_deleted == True, "Unable to delete old TPP."
else:
# No-op
pass
#### Clone "All Threats" and set Response to BLOCK
block_threats = True
from_tpp_id = None
to_tpp_id = None
threats = None
apps = None
# Get Threat Prevention Policy
tpp = tpp_mgmt.get_threat_prevention_policy_by_name(from_tpp_name)
from_tpp_id = tpp["id"]
if from_tpp_id is not None:
threats = tpp_mgmt.get_threats_by_policy_id(from_tpp_id)
apps = tpp_mgmt.get_apps_by_policy_id(from_tpp_id)
shieldx_logger.info("TPP Name: {}".format(from_tpp_name))
shieldx_logger.info("TPP ID: {}".format(from_tpp_id))
else:
shieldx_logger.error("Unable to find the TPP.")
# Fetch the payload from a config file
tpp_config_file = "tpp.json"
file_name = str((datadir / tpp_config_file).resolve())
with open(file_name, 'r') as config_file:
tpp_config = json.load(config_file)
# Get the payload for cloning
if "tpp_clone_payload" in tpp_config:
clone_payload = tpp_config["tpp_clone_payload"]
shieldx_logger.info("Clone Payload: {}".format(clone_payload))
else:
pass
# Get the payload for response action
if "tpp_bulk_edit_response_payload" in tpp_config:
response_payload = tpp_config["tpp_bulk_edit_response_payload"]
shieldx_logger.info(
"Bulk Edit Payload: {}".format(response_payload))
else:
pass
# Populate the payload
if clone_payload:
clone_payload["name"] = to_tpp_name
clone_payload["tenantId"] = 1 # this should be fetched
app_names = [app["name"] for app in apps]
# Special handling based on the policy being cloned
# Option is based on "Uses Specific Threats?" flag
# This flag is based whether "specificThreats" is populated.
if from_tpp_name == "Common Threats" or from_tpp_name == "AppVisibility":
# no need to specify the "appNames" in the rules.
# specify the "specificThreats" instead
clone_payload["rules"] = [{"specificThreats": threats}]
else:
# no need to specify the "specificThreats" in the rules.
# specify the "appNames" instead
if app_names:
clone_payload["rules"] = [{"appNames": app_names}]
else:
clone_payload["rules"] = []
else:
shieldx_logger.error(
"Unable to fetch the TPP payload from config file.")
# Create a clone of a TPP, get the TPP ID back
to_tpp_id = tpp_mgmt.create_threat_prevention_policy(clone_payload)
shieldx_logger.info("Create OK, TPP ID: {}".format(to_tpp_id))
assert to_tpp_id != 0, "TPP Clone failed."
# Clone TPP responses
is_cloned = tpp_mgmt.clone_threat_prevention_policy_responses(
from_tpp_id, to_tpp_id)
assert is_cloned == True, "Clone TPP responses failed."
# Bulk Edit - Block threats
if block_threats:
threat_responses = tpp_mgmt.get_threat_responses_by_policy_id(
to_tpp_id)
for threat_response in threat_responses:
threat_response["block"] = True
threat_response["policyId"] = to_tpp_id
response_payload["id"] = to_tpp_id
response_payload["responses"] = threat_responses
shieldx_logger.info("Bulk Edit Payload: {}".format(response_payload))
bulk_edit_success = tpp_mgmt.bulk_update_threat_responses(
response_payload)
assert bulk_edit_success == True, "Bulk edit response action failed."
else:
pass
#### Create "All Threats Blocked SPS"
sps_id = 0
# Fetch the payload from a config file
sps_config_file = "sps.json"
file_name = str((datadir / sps_config_file).resolve())
with open(file_name, 'r') as config_file:
sps_config = json.load(config_file)
# Get the payload for cloning
if "sps_create_payload" in sps_config:
create_payload = sps_config["sps_create_payload"]
shieldx_logger.info("Create Payload: {}".format(create_payload))
else:
create_payload = None
if create_payload is not None:
create_payload["name"] = sps_name
create_payload["threatPreventionPolicyName"] = to_tpp_name
create_payload["threatPreventionPolicyId"] = to_tpp_id
shieldx_logger.info("Create Payload: {}".format(create_payload))
sps_id = sps_mgmt.create_security_policy_set(create_payload)
assert sps_id > 0, "SPS creation failed."
else:
pass
#### Apply SPS to ACL
is_updated = False
default_acl = "Default ACL Policy"
acl_policy = acl_mgmt.get_acl_by_name(default_acl)
if acl_policy is not None:
shieldx_logger.info("Update ACL with SPS Name: {}".format(sps_name))
shieldx_logger.info("Update ACL with SPS ID: {}".format(sps_id))
# Modify the ACL Rule in the Default ACL Policy
acl_policy["spsId"] = sps_id
acl_policy["aclRules"][0]["spsId"] = sps_id
# Update the ACL
shieldx_logger.info("Update ACL: {}".format(acl_policy))
is_updated = acl_mgmt.update_acl(acl_policy)
# Compile and propagate config
time.sleep(20 * shieldx_constants["USER_WAIT"])
assert is_updated == True, "Unable to update ACL."
else:
assert False, "Not able to find ACL."
def test_bats_002_create_sps(sut_handle, datadir, shieldx_logger, policy_name,
policy_components):
sps_mgmt = SPS_Mgmt(sut_handle)
tpp_mgmt = TPP_Mgmt(sut_handle)
# Fetch the payload from a config file
sps_config_file = "sps.json"
file_name = str((datadir / sps_config_file).resolve())
with open(file_name, 'r') as config_file:
sps_config = json.load(config_file)
# Get the payload for cloning
if "sps_create_payload" in sps_config:
create_payload = sps_config["sps_create_payload"]
shieldx_logger.info("Create Payload: {}".format(create_payload))
else:
create_payload = None
# Populate the payload
# Threat Prevention Policy
tpp_name = policy_components[0]
if tpp_name is not None:
tpp = tpp_mgmt.get_threat_prevention_policy_by_name(tpp_name)
else:
tpp = None
assert tpp is not None, "TPP not found, skipped SPS creation."
shieldx_logger.info("TPP Name: {}".format(tpp["name"]))
shieldx_logger.info("TPP ID: {}".format(tpp["id"]))
# Malware Policy
mp_name = policy_components[1]
if mp_name == "WithSXCloud":
# TODO: Fetch from API
mp_id = 3
else:
mp_id = "null"
# URL Filtering Policy
ufp_name = policy_components[2]
if ufp_name == "Default URL Filtering Policy":
# TODO: Fetch from API
ufp_id = 3
else:
ufp_id = "null"
if create_payload is not None:
# SPS Name
create_payload["name"] = policy_name
# Threat Prevention Policy
create_payload["threatPreventionPolicyName"] = tpp_name
create_payload["threatPreventionPolicyId"] = tpp["id"]
# Malware Policy
create_payload["malwarePolicyName"] = mp_name
create_payload["malwarePolicyId"] = mp_id
# URL Filtering Policy
create_payload["urlfilteringPolicyName"] = ufp_name
create_payload["urlfilteringPolicyId"] = ufp_id
shieldx_logger.info("Create Payload: {}".format(create_payload))
sps_id = sps_mgmt.create_security_policy_set(create_payload)
assert sps_id != 0, "SPS creation failed, SPS ID returned is 0."
else:
assert False, "Skipped SPS creation."
def test_perf_by_cumulative_bucket(sut_handle, ixia_handle, shieldx_constants,
shieldx_logger, tpp_name, bucket_size,
threats_only, traffic_profile,
expected_tput, datadir, pytestconfig):
# Initialize
# DUT
sps_mgmt = SPS_Mgmt(sut_handle)
tpp_mgmt = TPP_Mgmt(sut_handle)
acl_mgmt = ACL_Mgmt(sut_handle)
sys_mgmt = SysMgmt(sut_handle)
# Traffic Gen
breaking_point = BreakingPoint(ixia_handle)
# Get the system info
system_info = sys_mgmt.get_system_info()
software_version = system_info["version"]
content_version = system_info["contentVersion"]
build = "Mgmt{}Content{}".format(software_version, content_version)
# Get the license info
license_info = sys_mgmt.get_license()
cpty = license_info["expected_capacity"]
# Save snapshots for reporting
result_dir = "{}{}".format(shieldx_constants["SX_REPORT_REPO"],
shieldx_constants["SX_BUCKET_REPO"])
column_names = [
"Build", "Test Name - Iteration - Internal ID", "SPS", "Cpty",
"AvgTxRate(Mbps)", "AvgRxRate(Mbps)", "AvgTCPResp(ms)",
"Rules Under Test", "Action", "BcktSize"
]
column_widths = [26, 54, 20, 6, 16, 16, 16, 36, 8, 8]
# Result Manager
shieldx_results = Result_Mgmt(result_dir, column_names, column_widths)
# Policies
from_tpp_name = tpp_name
to_tpp_name = "Cumulative TPP"
sps_name = "Cumulative SPS"
#### Clear SPS from ACL Policy
is_updated = False
default_acl = "Default ACL Policy"
acl_policy = acl_mgmt.get_acl_by_name(default_acl)
if acl_policy is not None:
# Modify the ACL Rule in the Default ACL Policy
acl_policy["spsId"] = "null"
acl_policy["aclRules"][0]["spsId"] = "null"
# Update the ACL
shieldx_logger.info("Update ACL: {}".format(acl_policy))
is_updated = acl_mgmt.update_acl(acl_policy)
assert is_updated == True, "Unable to update ACL."
else:
assert False, "Not able to find ACL."
# Delete obsolete SPS
sps = sps_mgmt.get_sps_by_name(sps_name)
if sps is not None:
sps_id = sps["id"]
is_deleted = sps_mgmt.delete_security_policy_set_by_id(sps_id)
time.sleep(10 * shieldx_constants["USER_WAIT"])
assert is_deleted, "Unable to delete obsolete SPS."
else:
pass
# Delete obsolete TPP
tpp = tpp_mgmt.get_threat_prevention_policy_by_name(to_tpp_name)
if tpp is not None:
tpp_id = tpp["id"]
is_deleted = tpp_mgmt.delete_threat_prevention_policy_by_id(tpp_id)
time.sleep(10 * shieldx_constants["USER_WAIT"])
assert is_deleted, "Unable to delete obsolete TPP."
else:
pass
# Fetch the TPP and SPS payloads from a config file
tpp_config_file = "tpp.json"
file_name = str((datadir / tpp_config_file).resolve())
with open(file_name, 'r') as config_file:
tpp_config = json.load(config_file)
# Get the payload for cloning
if "tpp_clone_payload" in tpp_config:
tpp_clone_payload = tpp_config["tpp_clone_payload"]
shieldx_logger.info(
"TPP Clone Payload: {}".format(tpp_clone_payload))
else:
assert False, "Missing TPP payload in JSON file."
# Fetch the TPP and SPS payloads from a config file
sps_config_file = "sps.json"
file_name = str((datadir / sps_config_file).resolve())
with open(file_name, 'r') as config_file:
sps_config = json.load(config_file)
# Get the payload for cloning
if "sps_create_payload" in sps_config:
sps_create_payload = sps_config["sps_create_payload"]
shieldx_logger.info(
"SPS Create Payload: {}".format(sps_create_payload))
else:
assert False, "Missing SPS payload in JSON file."
#### Process source TPP
from_tpp_id = None
to_tpp_id = None
threats = None
apps = None
# Get Threat Prevention Policy
tpp = tpp_mgmt.get_threat_prevention_policy_by_name(from_tpp_name)
from_tpp_id = tpp["id"]
if from_tpp_id is not None:
threats = tpp_mgmt.get_threats_by_policy_id(from_tpp_id)
apps = tpp_mgmt.get_apps_by_policy_id(from_tpp_id)
shieldx_logger.info("TPP Name: {}".format(from_tpp_name))
shieldx_logger.info("TPP ID: {}".format(from_tpp_id))
else:
shieldx_logger.error("Unable to find the TPP.")
# Populate the payloads, do the check before proceeding
if tpp_clone_payload:
tpp_clone_payload["name"] = to_tpp_name
tpp_clone_payload["tenantId"] = 1 # this should be fetched
app_names = [app["name"] for app in apps]
else:
assert False, "Check JSON, needed for cloning TPP."
if sps_create_payload is not None:
sps_create_payload["name"] = sps_name
else:
assert False, "Check JSON, needed for creating SPS."
# Check flag if we want to include apps in TPP
if threats_only:
app_names = []
else:
pass
# Use slices of the threats for testing
index = 0
upper_limit = len(threats)
cumulative_ok_rules = []
while index <= upper_limit:
upper_bound = index + bucket_size
if upper_bound > upper_limit:
upper_bound = upper_limit
else:
pass
threat_slice = threats[index:upper_bound]
shieldx_logger.critical("Threat Slice: {}".format(threat_slice))
# merge new slice to accumulated rules
merged_list = cumulative_ok_rules + threat_slice
# Populate rules
tpp_clone_payload["rules"] = [{
"appNames": app_names,
"specificThreats": merged_list
}]
shieldx_logger.critical("Cumulative Bucket: {}".format(merged_list))
# Clone TPP
to_tpp_id = tpp_mgmt.create_threat_prevention_policy(tpp_clone_payload)
shieldx_logger.info("TPP ID: {}".format(to_tpp_id))
assert to_tpp_id > 0, "TPP creation failed."
time.sleep(10 * shieldx_constants["USER_WAIT"])
# Create SPS
sps_create_payload["threatPreventionPolicyName"] = to_tpp_name
sps_create_payload["threatPreventionPolicyId"] = to_tpp_id
sps_id = sps_mgmt.create_security_policy_set(sps_create_payload)
shieldx_logger.info("SPS ID: {}".format(sps_id))
assert sps_id > 0, "SPS creation failed."
time.sleep(10 * shieldx_constants["USER_WAIT"])
# Assign SPS to ACL (default)
is_updated = False
default_acl = "Default ACL Policy"
acl_policy = acl_mgmt.get_acl_by_name(default_acl)
if acl_policy is not None:
shieldx_logger.info(
"Update ACL with SPS Name: {}".format(sps_name))
shieldx_logger.info("Update ACL with SPS ID: {}".format(sps_id))
# Modify the ACL Rule in the Default ACL Policy
acl_policy["spsId"] = sps_id
acl_policy["aclRules"][0]["spsId"] = sps_id
# Update the ACL
shieldx_logger.info("Update ACL: {}".format(acl_policy))
is_updated = acl_mgmt.update_acl(acl_policy)
assert is_updated == True, "Unable to update ACL."
else:
assert False, "Not able to find ACL."
# Wait for the Policy to be updated, do with jobs to check when update is done
time.sleep(10 * shieldx_constants["USER_WAIT"])
# Send traffic
processed_stats = breaking_point.send_perf_traffic(
shieldx_constants["IXIA_SLOT"], shieldx_constants["IXIA_PORTS"],
traffic_profile)
# Record result
sx_rules = [("{}:{}".format(threat["protocolID"], threat["threatID"]))
for threat in threat_slice]
if processed_stats["avg_tx_tput"] >= expected_tput[0] and \
processed_stats["avg_rx_tput"] >= expected_tput[1]:
cumulative_ok_rules.extend(threat_slice)
act_on_slice = "INCLUDE"
shieldx_logger.info("These rules PASS: {}".format(sx_rules))
else:
act_on_slice = "EXCLUDE"
shieldx_logger.critical("These rules FAIL: {}".format(sx_rules))
test_model_id_iter = "{} - {} - {}".format(
processed_stats["model_name"], processed_stats["test_iteration"],
processed_stats["test_id"])
# format rules to display
if len(threat_slice) > 3:
display_rules = "{} + {} rules".format(sx_rules[0:2],
len(sx_rules) - 2)
else:
display_rules = str(sx_rules)
result = [
build, test_model_id_iter, sps_name, cpty,
processed_stats["avg_tx_tput"], processed_stats["avg_rx_tput"],
processed_stats["avg_tcp_response_time"], display_rules,
act_on_slice,
len(cumulative_ok_rules)
]
# Add result
shieldx_results.add(result)
# Clear SPS from ACL Policy
if acl_policy is not None:
shieldx_logger.info("Cleanup SPS in ACL.")
# Modify the ACL Rule in the Default ACL Policy
acl_policy["spsId"] = "null"
acl_policy["aclRules"][0]["spsId"] = "null"
# Update the ACL
shieldx_logger.info("Update ACL: {}".format(acl_policy))
is_updated = acl_mgmt.update_acl(acl_policy)
assert is_updated == True, "Unable to update ACL."
else:
assert False, "Not able to find ACL."
# Delete SPS
is_deleted = sps_mgmt.delete_security_policy_set_by_id(sps_id)
assert is_deleted, "SPS delete failed."
# Wait for the change to be applied
time.sleep(10 * shieldx_constants["USER_WAIT"])
# Delete TPP
is_deleted = tpp_mgmt.delete_threat_prevention_policy_by_id(to_tpp_id)
assert is_deleted, "TPP delete failed."
# Wait for the change to be applied
time.sleep(10 * shieldx_constants["USER_WAIT"])
# Move to next slice
index = index + bucket_size
def test_bats_025_tpp_by_rule_ids(sut_handle, datadir, shieldx_logger,
input_json_file, tpp_name, block_threats):
""" Create TPP by rule IDs, block threats if flag is set. """
# JSON Config Reader
config_reader = CCR()
# Based on the All Threats TPP
policy_name = "All Threats"
from_policy_id = None
to_policy_id = None
threats = None
apps = None
policy_mgmt = PolicyMgmt(sut_handle)
# Get Threat Prevention Policy
tpp = policy_mgmt.get_threat_prevention_policy_by_name(policy_name)
from_policy_id = tpp["id"]
if from_policy_id is not None:
threats = policy_mgmt.get_threats_by_policy_id(from_policy_id)
apps = policy_mgmt.get_apps_by_policy_id(from_policy_id)
shieldx_logger.info("TPP Name: {}".format(policy_name))
shieldx_logger.info("TPP ID: {}".format(from_policy_id))
else:
shieldx_logger.error("Unable to find the TPP.")
# Selected Rule IDs
resolved_input_json_file = str((datadir / input_json_file).resolve())
selected_app_names = list(
config_reader.read_json_config(resolved_input_json_file))
shieldx_logger.info("Selected Names: {}".format(selected_app_names))
# Fetch the payload from a config file
tpp_config_file = "tpp.json"
resolved_tpp_config_file = str((datadir / tpp_config_file).resolve())
tpp_config = read_config(resolved_tpp_config_file)
if tpp_config is not None:
# Get the payload for cloning
if "tpp_clone_payload" in tpp_config:
clone_payload = tpp_config["tpp_clone_payload"]
shieldx_logger.info("Clone Payload: {}".format(clone_payload))
else:
pass
# Get the payload for response action
if "tpp_bulk_edit_response_payload" in tpp_config:
response_payload = tpp_config["tpp_bulk_edit_response_payload"]
shieldx_logger.info(
"Bulk Edit Payload: {}".format(response_payload))
else:
pass
# Populate the payload
if clone_payload:
clone_payload["name"] = tpp_name
clone_payload["tenantId"] = 1 # this should be fetched
clone_payload["rules"] = [{"appNames": selected_app_names}]
else:
shieldx_logger.error(
"Unable to fetch the TPP payload from config file.")
# Create a clone of a TPP, get the TPP ID back
to_policy_id = policy_mgmt.create_threat_prevention_policy(clone_payload)
shieldx_logger.info("Create OK, Policy ID: {}".format(to_policy_id))
assert to_policy_id != 0, "TPP Clone failed."
# Bulk Edit - Block threats
if block_threats:
threat_responses = policy_mgmt.get_threat_responses_by_policy_id(
to_policy_id)
if len(threat_responses) > 0:
for threat_response in threat_responses:
threat_response["block"] = True
threat_response["policyId"] = to_policy_id
response_payload["id"] = to_policy_id
response_payload["responses"] = threat_responses
shieldx_logger.info(
"Bulk Edit Payload: {}".format(response_payload))
bulk_edit_success = policy_mgmt.bulk_update_threat_responses(
response_payload)
assert bulk_edit_success == True, "Bulk edit response action failed."
else:
shieldx_logger.error("NOOP - no threat found.")
else:
shieldx_logger.info("NOOP - no blocking required.")
def test_bats_012_clone_tpp_plus_dlp(sut_handle, datadir, shieldx_logger,
policy_name, clone_name, block_threats):
""" Clone canned TPPs; add DLP rules; block threats if flag is set. """
from_policy_id = None
to_policy_id = None
threats = None
apps = None
policy_mgmt = PolicyMgmt(sut_handle)
# Get Threat Prevention Policy
tpp = policy_mgmt.get_threat_prevention_policy_by_name(policy_name)
from_policy_id = tpp["id"]
if from_policy_id is not None:
threats = policy_mgmt.get_threats_by_policy_id(from_policy_id)
apps = policy_mgmt.get_apps_by_policy_id(from_policy_id)
shieldx_logger.info("TPP Name: {}".format(policy_name))
shieldx_logger.info("TPP ID: {}".format(from_policy_id))
else:
shieldx_logger.error("Unable to find the TPP.")
# Fetch the payload from a config file
tpp_config_file = "tpp.json"
file_name = str((datadir / tpp_config_file).resolve())
with open(file_name, 'r') as config_file:
tpp_config = json.load(config_file)
# Get the payload for cloning
if "tpp_clone_payload" in tpp_config:
clone_payload = tpp_config["tpp_clone_payload"]
shieldx_logger.info("Clone Payload: {}".format(clone_payload))
else:
pass
# Get the payload for response action
if "tpp_bulk_edit_response_payload" in tpp_config:
response_payload = tpp_config["tpp_bulk_edit_response_payload"]
shieldx_logger.info(
"Bulk Edit Payload: {}".format(response_payload))
else:
pass
# Populate the payload
if clone_payload:
clone_payload["name"] = clone_name
clone_payload["tenantId"] = 1 # this should be fetched
app_names = [app["name"] for app in apps]
# Special handling based on the policy being cloned
# Option is based on "Uses Specific Threats?" flag
# This flag is based whether "specificThreats" is populated.
if policy_name == "Common Threats" or policy_name == "AppVisibility":
# no need to specify the "appNames" in the rules.
# specify the "specificThreats" instead
clone_payload["rules"] = [{
"specificThreats": threats
}, {
"protocolNames": ["DLP"]
}]
else:
# no need to specify the "specificThreats" in the rules.
# specify the "appNames" instead
if app_names:
clone_payload["rules"] = [{"appNames": app_names}]
else:
clone_payload["rules"] = []
else:
shieldx_logger.error(
"Unable to fetch the TPP payload from config file.")
# Create a clone of a TPP, get the TPP ID back
to_policy_id = policy_mgmt.create_threat_prevention_policy(clone_payload)
shieldx_logger.info("Create OK, Policy ID: {}".format(to_policy_id))
assert to_policy_id != 0, "TPP Clone failed."
# Clone TPP responses
is_cloned = policy_mgmt.clone_threat_prevention_policy_responses(
from_policy_id, to_policy_id)
assert is_cloned == True, "Clone TPP responses failed."
# Bulk Edit - Block threats
if block_threats:
threat_responses = policy_mgmt.get_threat_responses_by_policy_id(
to_policy_id)
for threat_response in threat_responses:
#threat["alert"] = True
threat_response["block"] = True
#threat["enabled"] = True
threat_response["policyId"] = to_policy_id
response_payload["id"] = to_policy_id
response_payload["responses"] = threat_responses
shieldx_logger.info("Bulk Edit Payload: {}".format(response_payload))
bulk_edit_success = policy_mgmt.bulk_update_threat_responses(
response_payload)
assert bulk_edit_success == True, "Bulk edit response action failed."
else:
pass