From 2c653dab77d29c913481bc001da8706ebc798806 Mon Sep 17 00:00:00 2001 From: Lenny Linux Date: Thu, 9 Dec 2021 18:01:11 +0100 Subject: [PATCH 1/6] Check if refresh token is `undefined` and do not store it in this case (#2260) --- internal/configs/oidc/openid_connect.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/internal/configs/oidc/openid_connect.js b/internal/configs/oidc/openid_connect.js index 2d9fabaad2..db0f33d837 100644 --- a/internal/configs/oidc/openid_connect.js +++ b/internal/configs/oidc/openid_connect.js @@ -83,7 +83,8 @@ function auth(r) { r.variables.session_jwt = tokenset.id_token; // Update key-value store // Update refresh token (if we got a new one) - if (r.variables.refresh_token != tokenset.refresh_token) { + // 12.2021 - In rare cases the IdP does not include the refresh-token in the response. The rt will be undefined in this case. + if (r.variables.refresh_token != tokenset.refresh_token && tokenset.refresh_token != undefined) { r.log("OIDC replacing previous refresh token (" + r.variables.refresh_token + ") with new value: " + tokenset.refresh_token); r.variables.refresh_token = tokenset.refresh_token; // Update key-value store } From 22c967b334c5c92660e015a329f84544818c0067 Mon Sep 17 00:00:00 2001 From: Jcahilltorre <78599298+Jcahilltorre@users.noreply.github.com> Date: Thu, 9 Dec 2021 18:35:33 +0000 Subject: [PATCH 2/6] feat: Cherry-Pick DOCOPS-474 F5-hugo theme bump December 2021 (#2263) * feat: Update hugo-theme to 0.15.6-December * feat: Update hugo-theme to 0.15.7-December --- .../nginx/controller/poc/f5-hugo/assets/css/f5-hugo.css | 8 ++++++++ .../controller/poc/f5-hugo/layouts/_default/docs.html | 8 +++++--- .../poc/f5-hugo/layouts/partials/feedback-form.html | 8 ++++---- docs/_vendor/modules.txt | 2 +- docs/go.mod | 2 +- docs/go.sum | 4 ++++ 6 files changed, 23 insertions(+), 9 deletions(-) 
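Review bot: The `r.log(...)` call kept inside the guarded branch writes both the previous and the newly issued refresh token to the NGINX error log in clear text, so anyone with read access to that log obtains a long-lived credential. Log the event without the values, for example `r.log("OIDC replacing previous refresh token with new value");`. The added `tokenset.refresh_token != undefined` uses loose equality, so it also skips `null`, which looks intended, but an empty string would still overwrite the stored token; `&& tokenset.refresh_token` would cover that too if it matches the IdP behaviour the new comment describes. `auth(r)` starts and ends outside this hunk.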
diff --git a/docs/_vendor/gitlab.com/f5/nginx/controller/poc/f5-hugo/assets/css/f5-hugo.css b/docs/_vendor/gitlab.com/f5/nginx/controller/poc/f5-hugo/assets/css/f5-hugo.css index d275319874..1e32eabb49 100644 --- a/docs/_vendor/gitlab.com/f5/nginx/controller/poc/f5-hugo/assets/css/f5-hugo.css +++ b/docs/_vendor/gitlab.com/f5/nginx/controller/poc/f5-hugo/assets/css/f5-hugo.css @@ -88,6 +88,7 @@ ol > li > ol { border: 1px solid #f8f9f9; box-sizing: border-box; border-radius: 4px; + height: 100%; } a.products-card { @@ -168,8 +169,15 @@ ol > li > ol { .card-title { overflow-wrap: normal; + +} +.products-card > .card-title { + padding-left: 52px; + text-indent: -52px; } + + h3.card-title a { color: #000; } diff --git a/docs/_vendor/gitlab.com/f5/nginx/controller/poc/f5-hugo/layouts/_default/docs.html b/docs/_vendor/gitlab.com/f5/nginx/controller/poc/f5-hugo/layouts/_default/docs.html index 9d49147e45..ee4eafd207 100644 --- a/docs/_vendor/gitlab.com/f5/nginx/controller/poc/f5-hugo/layouts/_default/docs.html +++ b/docs/_vendor/gitlab.com/f5/nginx/controller/poc/f5-hugo/layouts/_default/docs.html @@ -20,9 +20,11 @@

{{ .Title }}

{{ if and (gt .WordCount 200 ) (.Params.toc) }} -
- {{ partial "toc.html" . }} -
+ {{ if (add (len (findRE " + {{ partial "toc.html" . }} + + {{ end }} {{ end }} diff --git a/docs/_vendor/gitlab.com/f5/nginx/controller/poc/f5-hugo/layouts/partials/feedback-form.html b/docs/_vendor/gitlab.com/f5/nginx/controller/poc/f5-hugo/layouts/partials/feedback-form.html index ff63f08138..ca1852c0ea 100644 --- a/docs/_vendor/gitlab.com/f5/nginx/controller/poc/f5-hugo/layouts/partials/feedback-form.html +++ b/docs/_vendor/gitlab.com/f5/nginx/controller/poc/f5-hugo/layouts/partials/feedback-form.html @@ -1,13 +1,13 @@
- - + +
- - + + We'll never share your email with anyone else.
diff --git a/docs/_vendor/modules.txt b/docs/_vendor/modules.txt index 9b5c264fbb..4df126ba27 100644 --- a/docs/_vendor/modules.txt +++ b/docs/_vendor/modules.txt @@ -1,2 +1,2 @@ -# gitlab.com/f5/nginx/controller/poc/f5-hugo v0.15.3 +# gitlab.com/f5/nginx/controller/poc/f5-hugo v0.15.7 # github.com/jquery/jquery-dist v0.0.0-20210302171154-e786e3d9707f diff --git a/docs/go.mod b/docs/go.mod index a3beb24e45..f0ec2daacb 100644 --- a/docs/go.mod +++ b/docs/go.mod @@ -2,4 +2,4 @@ module github.com/nginxinc/kubernetes-ingress/docs go 1.15 -require gitlab.com/f5/nginx/controller/poc/f5-hugo v0.15.3 // indirect +require gitlab.com/f5/nginx/controller/poc/f5-hugo v0.15.7 // indirect diff --git a/docs/go.sum b/docs/go.sum index 75119151f2..bc7b2d284e 100644 --- a/docs/go.sum +++ b/docs/go.sum @@ -10,3 +10,7 @@ gitlab.com/f5/nginx/controller/poc/f5-hugo v0.14.1-0.20211019184158-5e5bd366bfcd gitlab.com/f5/nginx/controller/poc/f5-hugo v0.14.1-0.20211019184158-5e5bd366bfcd/go.mod h1:G+e4mnMJBHCT04TKm3Bbnm5I5OGVoeLlmbaDFF3GPBc= gitlab.com/f5/nginx/controller/poc/f5-hugo v0.15.3 h1:cDf5OAzX/6Qg2gbSJGAkMHHWOA1RDDigTKVBIGzR2Gw= gitlab.com/f5/nginx/controller/poc/f5-hugo v0.15.3/go.mod h1:G+e4mnMJBHCT04TKm3Bbnm5I5OGVoeLlmbaDFF3GPBc= +gitlab.com/f5/nginx/controller/poc/f5-hugo v0.15.6 h1:jN+79xD+xUD3nDvZWoubwoUxzgI/G/e7RIf+K3kOPRQ= +gitlab.com/f5/nginx/controller/poc/f5-hugo v0.15.6/go.mod h1:G+e4mnMJBHCT04TKm3Bbnm5I5OGVoeLlmbaDFF3GPBc= +gitlab.com/f5/nginx/controller/poc/f5-hugo v0.15.7 h1:O75I8D2xLjbQ5rYZAflXMcnEPFJ12YhLpyn5auO4EUI= +gitlab.com/f5/nginx/controller/poc/f5-hugo v0.15.7/go.mod h1:G+e4mnMJBHCT04TKm3Bbnm5I5OGVoeLlmbaDFF3GPBc= From ac14863024bbe741500536e22791094a1ece5d90 Mon Sep 17 00:00:00 2001 
From: Ciara Stacke Date: Thu, 9 Dec 2021 15:11:52 +0000 Subject: [PATCH 3/6] tests: add VSR gRPC tests --- .../ap-waf-grpc/virtual-server-route-waf.yaml | 17 ++ .../ap-waf-grpc/vsr-virtual-server-spec.yaml | 11 ++ .../test_app_protect_waf_policies_grpc.py | 184 +++++++++++++----- 3 files changed, 166 insertions(+), 46 deletions(-) create mode 100644 tests/data/ap-waf-grpc/virtual-server-route-waf.yaml create mode 100644 tests/data/ap-waf-grpc/vsr-virtual-server-spec.yaml diff --git a/tests/data/ap-waf-grpc/virtual-server-route-waf.yaml b/tests/data/ap-waf-grpc/virtual-server-route-waf.yaml new file mode 100644 index 0000000000..bf1c6865f6 --- /dev/null +++ b/tests/data/ap-waf-grpc/virtual-server-route-waf.yaml @@ -0,0 +1,17 @@ +apiVersion: k8s.nginx.org/v1 +kind: VirtualServerRoute +metadata: + name: helloworld.greeter +spec: + host: virtual-server.example.com + upstreams: + - name: grpc1 + service: grpc1-svc + port: 50051 + type: grpc + subroutes: + - path: "~* /helloworld.greeter/" + action: + pass: grpc1 + policies: + - name: waf-policy diff --git a/tests/data/ap-waf-grpc/vsr-virtual-server-spec.yaml b/tests/data/ap-waf-grpc/vsr-virtual-server-spec.yaml new file mode 100644 index 0000000000..d99e0dab41 --- /dev/null +++ b/tests/data/ap-waf-grpc/vsr-virtual-server-spec.yaml @@ -0,0 +1,11 @@ +apiVersion: k8s.nginx.org/v1 +kind: VirtualServer +metadata: + name: virtual-server-route +spec: + host: virtual-server.example.com + tls: + secret: virtual-server-tls-grpc-secret + routes: + - path: "~* /helloworld.greeter/" + route: helloworld.greeter diff --git a/tests/suite/test_app_protect_waf_policies_grpc.py b/tests/suite/test_app_protect_waf_policies_grpc.py index e3133b912c..263318a1e8 100644 --- a/tests/suite/test_app_protect_waf_policies_grpc.py +++ b/tests/suite/test_app_protect_waf_policies_grpc.py 
@@ -2,7 +2,9 @@ import pytest from settings import TEST_DATA, DEPLOYMENTS from suite.fixtures import ( + VirtualServerRoute, VirtualServerSetup, + VirtualServerRouteSetup ) from suite.grpc.helloworld_pb2 import HelloRequest from suite.grpc.helloworld_pb2_grpc import GreeterStub @@ -18,10 +20,13 @@ delete_common_app, create_items_from_yaml, get_service_endpoint, + create_namespace_with_name_from_yaml, + delete_namespace, ) from suite.vs_vsr_resources_utils import( delete_virtual_server, create_virtual_server_from_yaml, + create_v_s_route_from_yaml, ) from suite.policy_resources_utils import( delete_policy, @@ -37,6 +42,7 @@ from suite.yaml_utils import ( get_first_host_from_yaml, get_paths_from_vs_yaml, + get_paths_from_vsr_yaml ) log_loc = f"/var/log/messages" @@ -47,7 +53,11 @@ src_vs_sec_yaml = f"{TEST_DATA}/ap-waf-grpc/tls-secret.yaml" src_log_yaml = f"{TEST_DATA}/ap-waf-grpc/logconf.yaml" src_syslog_yaml = f"{TEST_DATA}/ap-waf-grpc/syslog.yaml" +std_vs_src = f"{TEST_DATA}/ap-waf-grpc/standard/virtual-server.yaml" waf_spec_vs_src = f"{TEST_DATA}/ap-waf-grpc/virtual-server-waf-spec.yaml" +waf_route_vs_src = f"{TEST_DATA}/ap-waf-grpc/virtual-server-waf-route.yaml" +waf_subroute_vsr_src = f"{TEST_DATA}/ap-waf-grpc/virtual-server-route-waf.yaml" +vsr_vs_yaml = f"{TEST_DATA}/ap-waf-grpc/vsr-virtual-server-spec.yaml" @pytest.fixture(scope="class") 
@@ -62,29 +72,65 @@ def appprotect_setup(request, kube_apis, ingress_controller_endpoint, ingress_co :param test_namespace: """ policy_method = request.param["policy"] + vs_or_vsr = request.param["vs_or_vsr"] + vsr = None try: print("------------------------- Replace ConfigMap with HTTP2 -------------------------") replace_configmap_from_yaml(kube_apis.v1, ingress_controller_prerequisites.config_map['metadata']['name'], ingress_controller_prerequisites.namespace, cm_source) - (src_pol_name, vs_name, vs_host, vs_paths) = ap_vs_setup( - kube_apis, test_namespace, policy_method) + if vs_or_vsr == "vs": + (src_pol_name, vs_name, vs_host, vs_paths) = ap_vs_setup( + kube_apis, test_namespace, policy_method) + elif vs_or_vsr == "vsr": + (src_pol_name, vsr_ns, vs_host, vs_name, vsr) = ap_vsr_setup( + kube_apis, test_namespace, policy_method) wait_before_test(120) except Exception as ex: cleanup( - kube_apis, ingress_controller_prerequisites, src_pol_name, test_namespace, vs_name) + kube_apis, ingress_controller_prerequisites, src_pol_name, test_namespace, vs_or_vsr, vs_name, vsr) def fin(): print("Clean up:") cleanup( - kube_apis, ingress_controller_prerequisites, src_pol_name, test_namespace, vs_name) + kube_apis, ingress_controller_prerequisites, src_pol_name, test_namespace, vs_or_vsr, vs_name, vsr) request.addfinalizer(fin) - return VirtualServerSetup( - ingress_controller_endpoint, test_namespace, vs_host, vs_name, vs_paths - ) + if vs_or_vsr == "vs": + return VirtualServerSetup( + ingress_controller_endpoint, test_namespace, vs_host, vs_name, vs_paths + ) + elif vs_or_vsr == "vsr": + return VirtualServerRouteSetup( + ingress_controller_endpoint, vsr_ns, vs_host, vs_name, vsr, None + ) def ap_vs_setup(kube_apis, test_namespace, policy_method) -> tuple: + src_pol_name, vs_name = ap_generic_setup( + kube_apis, test_namespace, test_namespace, + policy_method, waf_spec_vs_src) + vs_host = get_first_host_from_yaml(waf_spec_vs_src) + vs_paths = 
get_paths_from_vs_yaml(waf_spec_vs_src) + return (src_pol_name, vs_name, vs_host, vs_paths) + +def ap_vsr_setup(kube_apis, test_namespace, policy_method) -> tuple: + print(f"------------------------- Deploy namespace ---------------------------") + vs_routes_ns = "grpcs" + vsr_ns = create_namespace_with_name_from_yaml( + kube_apis.v1, vs_routes_ns, f"{TEST_DATA}/common/ns.yaml") + src_pol_name, vs_name = ap_generic_setup( + kube_apis, vsr_ns, test_namespace, policy_method, + vsr_vs_yaml) + vs_host = get_first_host_from_yaml(vsr_vs_yaml) + print("------------------------- Deploy Virtual Server Route ----------------------------") + vsr_name = create_v_s_route_from_yaml( + kube_apis.custom_objects, waf_subroute_vsr_src, vsr_ns) + vsr_paths = get_paths_from_vsr_yaml(waf_subroute_vsr_src) + vsr = VirtualServerRoute(vsr_ns, vsr_name, vsr_paths) + + return (src_pol_name, vsr_ns, vs_host, vs_name, vsr) + +def ap_generic_setup(kube_apis, vs_namespace, test_namespace, policy_method, vs_yaml): src_pol_yaml = f"{TEST_DATA}/ap-waf-grpc/policies/waf-block-{policy_method}.yaml" print("------------------------- Deploy logconf -----------------------------") global log_name 
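Review bot: The `except Exception as ex:` branch of `appprotect_setup` calls `cleanup(...)` with `src_pol_name` and `vs_name`, which are unbound when the failure happens before `ap_vs_setup`/`ap_vsr_setup` returns, and in the `"vsr"` case `vsr` is still `None`, so the `vsr.namespace` lookup added to `cleanup` (hunk `@@ -98,23 +144,22 @@`) raises `AttributeError` and hides the original error. That path never reaches `delete_namespace`, so the fixed-name `grpcs` namespace created in `ap_vsr_setup` is left behind and is likely to break the next run. The handler also does not re-raise, so the fixture continues to the `return` with unbound names. Initialise `src_pol_name = vs_name = None` before the `try`, end the handler with `raise`, and have `cleanup` take the namespace from a value that exists even when setup failed.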
@@ -98,23 +144,22 @@ def ap_vs_setup(kube_apis, test_namespace, policy_method) -> tuple: wait_before_test(20) syslog_ep = get_service_endpoint(kube_apis, "syslog-svc", test_namespace) print("------------------------- Deploy App -----------------------------") - create_example_app(kube_apis, "grpc-vs", test_namespace) - wait_until_all_pods_are_ready(kube_apis.v1, test_namespace) + create_example_app(kube_apis, "grpc-vs", vs_namespace) + wait_until_all_pods_are_ready(kube_apis.v1, vs_namespace) print("------------------------- Deploy Secret -----------------------------") - create_secret_from_yaml(kube_apis.v1, test_namespace, src_vs_sec_yaml) + create_secret_from_yaml(kube_apis.v1, vs_namespace, src_vs_sec_yaml) print(f"------------------------- Deploy policy ---------------------------") src_pol_name = create_ap_waf_policy_from_yaml( - kube_apis.custom_objects, src_pol_yaml, test_namespace, test_namespace, + kube_apis.custom_objects, src_pol_yaml, vs_namespace, test_namespace, True, True, ap_pol_name, log_name, f"syslog:server={syslog_ep}:514") print("------------------------- Deploy Virtual Server -----------------------------------") vs_name = create_virtual_server_from_yaml( - kube_apis.custom_objects, waf_spec_vs_src, test_namespace) - vs_host = get_first_host_from_yaml(waf_spec_vs_src) - vs_paths = get_paths_from_vs_yaml(waf_spec_vs_src) - return (src_pol_name, vs_name, vs_host, vs_paths) + kube_apis.custom_objects, vs_yaml, vs_namespace) + return (src_pol_name, vs_name) def cleanup(kube_apis, ingress_controller_prerequisites, src_pol_name, - test_namespace, vs_name) -> None: + test_namespace, vs_or_vsr, vs_name, vsr) -> None: + vsr_namespace = test_namespace if vs_or_vsr == "vs" else vsr.namespace replace_configmap_from_yaml( kube_apis.v1, ingress_controller_prerequisites.config_map['metadata']['name'], 
@@ -122,15 +167,17 @@ def cleanup(kube_apis, ingress_controller_prerequisites, src_pol_name, f"{DEPLOYMENTS}/common/nginx-config.yaml") delete_ap_logconf(kube_apis.custom_objects, log_name, test_namespace) delete_ap_policy(kube_apis.custom_objects, ap_pol_name, test_namespace) - delete_policy(kube_apis.custom_objects, src_pol_name, test_namespace) - delete_common_app(kube_apis, "grpc-vs", test_namespace) + delete_policy(kube_apis.custom_objects, src_pol_name, vsr_namespace) + delete_common_app(kube_apis, "grpc-vs", vsr_namespace) delete_items_from_yaml(kube_apis, src_syslog_yaml, test_namespace) - delete_virtual_server(kube_apis.custom_objects, vs_name, test_namespace) - delete_items_from_yaml(kube_apis, src_vs_sec_yaml, test_namespace) + if vs_or_vsr == "vs": + delete_virtual_server(kube_apis.custom_objects, vs_name, test_namespace) + delete_items_from_yaml(kube_apis, src_vs_sec_yaml, test_namespace) + elif vs_or_vsr == "vsr": + print("Delete test namespaces") + delete_namespace(kube_apis.v1, vsr.namespace) def grpc_waf_block(kube_apis, test_namespace, public_ip, vs_host, port_ssl): - syslog_pod = kube_apis.v1.list_namespaced_pod(test_namespace).items[-1].metadata.name - cert = get_certificate(public_ip, vs_host, port_ssl) target = f'{public_ip}:{port_ssl}' credentials = grpc.ssl_channel_credentials(root_certificates=cert.encode()) 
@@ -145,20 +192,9 @@ def grpc_waf_block(kube_apis, test_namespace, public_ip, vs_host, port_ssl): except grpc.RpcError as e: ex = e.details() print(ex) - - log_contents = get_file_contents(kube_apis.v1, log_loc, syslog_pod, test_namespace) - assert ( - invalid_resp_text in ex and - 'ASM:attack_type="Directory Indexing"' in log_contents and - 'violations="Illegal gRPC method"' in log_contents and - 'severity="Error"' in log_contents and - 'outcome="REJECTED"' in log_contents - ) - + assert invalid_resp_text in ex def grpc_waf_allow(kube_apis, test_namespace, public_ip, vs_host, port_ssl): - syslog_pod = kube_apis.v1.list_namespaced_pod(test_namespace).items[-1].metadata.name - cert = get_certificate(public_ip, vs_host, port_ssl) target = f'{public_ip}:{port_ssl}' credentials = grpc.ssl_channel_credentials(root_certificates=cert.encode()) @@ -173,15 +209,7 @@ def grpc_waf_allow(kube_apis, test_namespace, public_ip, vs_host, port_ssl): except grpc.RpcError as e: print(e.details()) pytest.fail("RPC error was not expected during call, exiting...") - - log_contents = get_file_contents(kube_apis.v1, log_loc, syslog_pod, test_namespace) - assert ( - valid_resp_txt in response.message and - 'ASM:attack_type="N/A"' in log_contents and - 'violations="N/A"' in log_contents and - 'severity="Informational"' in log_contents and - 'outcome="PASSED"' in log_contents - ) + assert valid_resp_txt in response.message @pytest.mark.skip_for_nginx_oss @@ -202,8 +230,7 @@ def grpc_waf_allow(kube_apis, test_namespace, public_ip, vs_host, port_ssl): indirect=True, ) class TestAppProtectVSGrpc: - @pytest.mark.smoke - @pytest.mark.parametrize("appprotect_setup", [{"policy": "sayhello",}], indirect=True) + @pytest.mark.parametrize("appprotect_setup", [{"policy": "sayhello", "vs_or_vsr": "vs",}], indirect=True) def test_responses_grpc_block( self, kube_apis, ingress_controller_prerequisites, crd_ingress_controller_with_ap, appprotect_setup, test_namespace): 
@@ -216,8 +243,16 @@ def test_responses_grpc_block( appprotect_setup.public_endpoint.public_ip, appprotect_setup.vs_host, appprotect_setup.public_endpoint.port_ssl) + syslog_pod = kube_apis.v1.list_namespaced_pod(test_namespace).items[-1].metadata.name + log_contents = get_file_contents(kube_apis.v1, log_loc, syslog_pod, test_namespace) + assert ( + 'ASM:attack_type="Directory Indexing"' in log_contents and + 'violations="Illegal gRPC method"' in log_contents and + 'severity="Error"' in log_contents and + 'outcome="REJECTED"' in log_contents + ) - @pytest.mark.parametrize("appprotect_setup", [{"policy": "saygoodbye", }], indirect=True) + @pytest.mark.parametrize("appprotect_setup", [{"policy": "saygoodbye", "vs_or_vsr": "vs",}], indirect=True) def test_responses_grpc_allow( self, kube_apis, ingress_controller_prerequisites, crd_ingress_controller_with_ap, appprotect_setup, test_namespace 
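Review bot: The added `syslog_pod = kube_apis.v1.list_namespaced_pod(test_namespace).items[-1].metadata.name` takes whichever pod the API lists last, and in the VS case `ap_generic_setup` deploys the `grpc-vs` app into the same namespace, so the log read can target a pod that is not the syslog server. Select the pod by label instead, e.g. `list_namespaced_pod(test_namespace, label_selector="app=syslog")`, assuming the ap-waf-grpc syslog manifest carries that label (it is not visible here, so confirm). The same line is added to `test_responses_grpc_allow` in the next hunk. The test method starts outside this hunk.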
@@ -231,3 +266,60 @@ def test_responses_grpc_allow( appprotect_setup.public_endpoint.public_ip, appprotect_setup.vs_host, appprotect_setup.public_endpoint.port_ssl) + syslog_pod = kube_apis.v1.list_namespaced_pod(test_namespace).items[-1].metadata.name + log_contents = get_file_contents(kube_apis.v1, log_loc, syslog_pod, test_namespace) + assert ( + 'ASM:attack_type="N/A"' in log_contents and + 'violations="N/A"' in log_contents and + 'severity="Informational"' in log_contents and + 'outcome="PASSED"' in log_contents + ) + + +@pytest.mark.skip_for_nginx_oss +@pytest.mark.appprotect +@pytest.mark.parametrize( + "crd_ingress_controller_with_ap", + [ + { + "type": "complete", + "extra_args": [ + f"-enable-custom-resources", + f"-enable-leader-election=false", + f"-enable-app-protect", + f"-enable-preview-policies", + ], + }, + ], + indirect=True, +) +class TestAppProtectVSRGrpc: + @pytest.mark.parametrize("appprotect_setup", [{"policy": "sayhello", "vs_or_vsr": "vsr",}], indirect=True) + def test_responses_grpc_block( + self, kube_apis, ingress_controller_prerequisites, crd_ingress_controller_with_ap, + appprotect_setup, test_namespace + ): + """ + Test grpc-block-hello AppProtect policy: Blocks /sayhello gRPC method only + Client sends request to /sayhello + """ + grpc_waf_block(kube_apis, + appprotect_setup.namespace, + appprotect_setup.public_endpoint.public_ip, + appprotect_setup.vs_host, + appprotect_setup.public_endpoint.port_ssl) + + @pytest.mark.parametrize("appprotect_setup", [{"policy": "saygoodbye", "vs_or_vsr": "vsr"}], indirect=True) + def test_responses_grpc_allow( + self, kube_apis, ingress_controller_prerequisites, crd_ingress_controller_with_ap, + appprotect_setup, test_namespace + ): + """ + Test grpc-block-goodbye AppProtect policy: Blocks /saygoodbye gRPC method only + Client sends request to /sayhello thus should pass + """ + grpc_waf_allow(kube_apis, + appprotect_setup.namespace, + appprotect_setup.public_endpoint.public_ip, + 
appprotect_setup.vs_host, + appprotect_setup.public_endpoint.port_ssl) From cb8a7f16ddc527b814ac4e9a6dc6c968c292bc54 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 10 Dec 2021 11:22:10 -0800 Subject: [PATCH 4/6] Bump locust from 2.5.0 to 2.5.1 in /perf-tests (#2266) Bumps [locust](https://github.com/locustio/locust) from 2.5.0 to 2.5.1. - [Release notes](https://github.com/locustio/locust/releases) - [Changelog](https://github.com/locustio/locust/blob/master/CHANGELOG.md) - [Commits](https://github.com/locustio/locust/compare/2.5.0...2.5.1) --- updated-dependencies: - dependency-name: locust dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- perf-tests/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/perf-tests/requirements.txt b/perf-tests/requirements.txt index f27f104adb..9d44b3903d 100644 --- a/perf-tests/requirements.txt +++ b/perf-tests/requirements.txt @@ -8,4 +8,4 @@ certifi==2021.10.8 urllib3==1.26.7 pytest-html==3.1.1 pytest-repeat==0.9.1 -locust==2.5.0 \ No newline at end of file +locust==2.5.1 \ No newline at end of file From d95496152370a1551f81b01f3177da097270fdb8 Mon Sep 17 00:00:00 2001 From: galitskiy Date: Tue, 30 Nov 2021 23:39:18 +0000 Subject: [PATCH 5/6] Unbind app-protect from -preview-policies --- docs/content/configuration/policy-resource.md | 2 -- pkg/apis/configuration/validation/policy.go | 4 --- .../configuration/validation/policy_test.go | 26 +++++++++---------- tests/suite/test_app_protect_waf_policies.py | 2 -- tests/suite/test_batch_startup_times.py | 1 - 5 files changed, 13 insertions(+), 22 deletions(-) diff --git a/docs/content/configuration/policy-resource.md b/docs/content/configuration/policy-resource.md index b20c04c267..2e931b0c21 100644 
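Review bot: `TestAppProtectVSRGrpc` asserts only on the gRPC response text, because this commit moved the security-log assertions out of `grpc_waf_block`/`grpc_waf_allow` into the VS tests and did not add them here; the VSR block test therefore does not confirm that App Protect itself rejected the call (`invalid_resp_text` is defined outside the diff, so how specific it is cannot be judged from here). The syslog server is still deployed in `test_namespace` by `ap_generic_setup`, so the VSR tests can check it the same way: `log_contents = get_file_contents(kube_apis.v1, log_loc, syslog_pod, test_namespace)` followed by `assert 'outcome="REJECTED"' in log_contents` (and `'outcome="PASSED"'` in the allow test). `grpc_waf_block` and `grpc_waf_allow` also keep `kube_apis` and `test_namespace` parameters that the visible lines no longer use.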
--- a/docs/content/configuration/policy-resource.md +++ b/docs/content/configuration/policy-resource.md @@ -357,8 +357,6 @@ For `kubectl get` and similar commands, you can also use the short name `pol` in ### WAF -> **Feature Status**: WAF is available as a preview feature[^1]: We might introduce some backward-incompatible changes to the resource definition. The feature is disabled by default. To enable it, set the [enable-preview-policies](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-enable-preview-policies) command-line argument of the Ingress Controller. - > Note: This feature is only available in NGINX Plus with AppProtect. The WAF policy configures NGINX Plus to secure client requests using App Protect policies. diff --git a/pkg/apis/configuration/validation/policy.go b/pkg/apis/configuration/validation/policy.go index 7d367e5c44..2ee1886996 100644 --- a/pkg/apis/configuration/validation/policy.go +++ b/pkg/apis/configuration/validation/policy.go @@ -84,10 +84,6 @@ func validatePolicySpec(spec *v1.PolicySpec, fieldPath *field.Path, isPlus, enab } if spec.WAF != nil { - if !enablePreviewPolicies { - allErrs = append(allErrs, field.Forbidden(fieldPath.Child("waf"), - "waf is a preview policy. Preview policies must be enabled to use via cli argument -enable-preview-policies")) - } if !isPlus { allErrs = append(allErrs, field.Forbidden(fieldPath.Child("waf"), "WAF is only supported in NGINX Plus")) } diff --git a/pkg/apis/configuration/validation/policy_test.go b/pkg/apis/configuration/validation/policy_test.go index 3748266330..98cf830848 100644 --- a/pkg/apis/configuration/validation/policy_test.go +++ b/pkg/apis/configuration/validation/policy_test.go 
@@ -71,6 +71,19 @@ func TestValidatePolicy(t *testing.T) { enableAppProtect: true, msg: "use WAF(plus only) policy", }, + { + policy: &v1.Policy{ + Spec: v1.PolicySpec{ + WAF: &v1.WAF{ + Enable: true, + }, + }, + }, + isPlus: true, + enablePreviewPolicies: false, + enableAppProtect: true, + msg: "WAF policy with preview policies disabled", + }, } for _, test := range tests { err := ValidatePolicy(test.policy, test.isPlus, test.enablePreviewPolicies, test.enableAppProtect) @@ -231,19 +244,6 @@ func TestValidatePolicyFails(t *testing.T) { enablePreviewPolicies: true, msg: "OIDC policy in OSS", }, - { - policy: &v1.Policy{ - Spec: v1.PolicySpec{ - WAF: &v1.WAF{ - Enable: true, - }, - }, - }, - isPlus: true, - enablePreviewPolicies: false, - enableAppProtect: true, - msg: "WAF policy with preview policies disabled", - }, { policy: &v1.Policy{ Spec: v1.PolicySpec{ diff --git a/tests/suite/test_app_protect_waf_policies.py b/tests/suite/test_app_protect_waf_policies.py index aac82fcea7..dffc434abe 100644 --- a/tests/suite/test_app_protect_waf_policies.py +++ b/tests/suite/test_app_protect_waf_policies.py @@ -137,7 +137,6 @@ def assert_valid_responses(response) -> None: f"-enable-custom-resources", f"-enable-leader-election=false", f"-enable-app-protect", - f"-enable-preview-policies", ], }, {"example": "ap-waf", "app_type": "simple",}, @@ -390,7 +389,6 @@ def test_ap_waf_policy_logs( f"-enable-custom-resources", f"-enable-leader-election=false", f"-enable-app-protect", - f"-enable-preview-policies", ], }, {"example": "virtual-server-route"}, diff --git a/tests/suite/test_batch_startup_times.py b/tests/suite/test_batch_startup_times.py index a94005bedb..2bb6fa30cc 100644 --- a/tests/suite/test_batch_startup_times.py +++ b/tests/suite/test_batch_startup_times.py @@ -412,7 +412,6 @@ def fin(): f"-enable-custom-resources", f"-enable-leader-election=false", f"-enable-app-protect", - f"-enable-preview-policies", f"-enable-prometheus-metrics", ], }, 
From 9197648f9876658ed434a06f4dea1b94e67eeba0 Mon Sep 17 00:00:00 2001 From: Rafal Wegrzycki Date: Mon, 13 Dec 2021 12:14:42 +0100 Subject: [PATCH 6/6] AP: Fix sec log tests --- tests/data/appprotect/syslog.yaml | 2 +- tests/data/appprotect/syslog2.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/data/appprotect/syslog.yaml b/tests/data/appprotect/syslog.yaml index dd0bec9a93..f10751d46c 100644 --- a/tests/data/appprotect/syslog.yaml +++ b/tests/data/appprotect/syslog.yaml @@ -35,7 +35,7 @@ spec: ports: - port: 514 targetPort: 514 - protocol: UDP + protocol: TCP selector: app: syslog --- diff --git a/tests/data/appprotect/syslog2.yaml b/tests/data/appprotect/syslog2.yaml index 3372a636f6..272e166aee 100644 --- a/tests/data/appprotect/syslog2.yaml +++ b/tests/data/appprotect/syslog2.yaml @@ -35,7 +35,7 @@ spec: ports: - port: 514 targetPort: 514 - protocol: UDP + protocol: TCP selector: app: syslog2 ---