Add grpc waf vs test

tests/data/ap-waf-grpc/grpc-block-saygoodbye.yaml

@@ -0,0 +1,32 @@
+apiVersion: appprotect.f5.com/v1beta1
+kind: APPolicy
+metadata:
+  name: grpc-block-saygoodbye
+spec:
+  policy:
+    blocking-settings:
+      violations:
+      - name: VIOL_GRPC_METHOD
+        block: true
+        alarm: true 
+    applicationLanguage: utf-8
+    bot-defense:
+      settings:
+        isEnabled: false
+    grpc-profiles:
+    - associateUrls: true
+      defenseAttributes:
+        allowUnknownFields: false
+        maximumDataLength: "10000"
+      description: My first profile
+      idlFiles:
+      - idlFile:
+          fileName: autheid.proto
+      name: gProf1
+    idl-files:
+    - isBase64: true
+      fileName: autheid.proto
+      contents: Ly8gVGhlIGdyZWV0aW5nIHNlcnZpY2UgZGVmaW5pdGlvbi4KCnN5bnRheCA9ICJwcm90bzMiOwoKcGFja2FnZSBoZWxsb3dvcmxkOwoKc2VydmljZSBHcmVldGVyIHsKICAvLyBTZW5kcyBhIGdyZWV0aW5nCiAgcnBjIFNheUhlbGxvIChIZWxsb1JlcXVlc3QpIHJldHVybnMgKEhlbGxvUmVwbHkpIHt9Cn0KCi8vIFRoZSByZXF1ZXN0IG1lc3NhZ2UgY29udGFpbmluZyB0aGUgdXNlcidzIG5hbWUuCm1lc3NhZ2UgSGVsbG9SZXF1ZXN0IHsKICBzdHJpbmcgbmFtZSA9IDE7Cn0KCi8vIFRoZSByZXNwb25zZSBtZXNzYWdlIGNvbnRhaW5pbmcgdGhlIGdyZWV0aW5ncwptZXNzYWdlIEhlbGxvUmVwbHkgewogIHN0cmluZyBtZXNzYWdlID0gMTsKfQo= 
+    name: valid_string_encoding_policy
+    template:
+      name: POLICY_TEMPLATE_NGINX_BASE

tests/data/ap-waf-grpc/grpc-block-sayhello.yaml

@@ -0,0 +1,32 @@
+apiVersion: appprotect.f5.com/v1beta1
+kind: APPolicy
+metadata:
+  name: grpc-block-sayhello
+spec:
+  policy:
+    blocking-settings:
+      violations:
+      - name: VIOL_GRPC_METHOD
+        block: true
+        alarm: true 
+    applicationLanguage: utf-8
+    bot-defense:
+      settings:
+        isEnabled: false
+    grpc-profiles:
+    - associateUrls: true
+      defenseAttributes:
+        allowUnknownFields: false
+        maximumDataLength: "10000"
+      description: My first profile
+      idlFiles:
+      - idlFile:
+          fileName: autheid.proto
+      name: gProf1
+    idl-files:
+    - isBase64: true
+      fileName: autheid.proto
+      contents: Ly8gVGhlIGdyZWV0aW5nIHNlcnZpY2UgZGVmaW5pdGlvbi4KCnN5bnRheCA9ICJwcm90bzMiOwoKcGFja2FnZSBoZWxsb3dvcmxkOwoKc2VydmljZSBHcmVldGVyIHsKICAvLyBTZW5kcyBhIGdyZWV0aW5nCiAgcnBjIFNheUdvb2RieWUgKEhlbGxvUmVxdWVzdCkgcmV0dXJucyAoSGVsbG9SZXBseSkge30KfQoKLy8gVGhlIHJlcXVlc3QgbWVzc2FnZSBjb250YWluaW5nIHRoZSB1c2VyJ3MgbmFtZS4KbWVzc2FnZSBIZWxsb1JlcXVlc3QgewogIHN0cmluZyBuYW1lID0gMTsKfQoKLy8gVGhlIHJlc3BvbnNlIG1lc3NhZ2UgY29udGFpbmluZyB0aGUgZ3JlZXRpbmdzCm1lc3NhZ2UgSGVsbG9SZXBseSB7CiAgc3RyaW5nIG1lc3NhZ2UgPSAxOwp9Cg== 
+    name: valid_string_encoding_policy
+    template:
+      name: POLICY_TEMPLATE_NGINX_BASE

tests/data/ap-waf-grpc/logconf.yaml

@@ -0,0 +1,11 @@
+apiVersion: appprotect.f5.com/v1beta1
+kind: APLogConf
+metadata:
+  name: logconf
+spec:
+  content:
+    format: default
+    max_message_size: 64k
+    max_request_size: any
+  filter:
+    request_type: all

tests/data/ap-waf-grpc/nginx-config.yaml

@@ -0,0 +1,7 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: nginx-config
+  namespace: nginx-ingress
+data:
+  http2: "true"

tests/data/ap-waf-grpc/policies/waf-block-saygoodbye.yaml

@@ -0,0 +1,13 @@
+apiVersion: k8s.nginx.org/v1
+kind: Policy
+metadata:
+  name: waf-policy
+spec:
+  ingressClassName: nginx
+  waf:
+    enable: true
+    apPolicy: "default/grpc-block-saygoodbye"
+    securityLog:
+      enable: true
+      apLogConf: "default/logconf"
+      logDest: "syslog:server=127.0.0.1:514"

tests/data/ap-waf-grpc/policies/waf-block-sayhello.yaml

@@ -0,0 +1,12 @@
+apiVersion: k8s.nginx.org/v1
+kind: Policy
+metadata:
+  name: waf-policy
+spec:
+  waf:
+    enable: true
+    apPolicy: "default/grpc-block-sayhello"
+    securityLog:
+      enable: true
+      apLogConf: "default/logconf"
+      logDest: "syslog:server=127.0.0.1:514"

tests/data/ap-waf-grpc/syslog.yaml

@@ -0,0 +1,70 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: syslog
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: syslog
+  template:
+    metadata:
+      labels:
+        app: syslog
+    spec:
+      containers:
+        - name: syslog
+          image: balabit/syslog-ng:3.31.2-buster
+          ports:
+            - containerPort: 514
+            - containerPort: 601
+          volumeMounts:
+          - name: config-volume
+            mountPath: /etc/syslog-ng/syslog-ng.conf
+            subPath: syslog-ng.conf
+      volumes:
+        - name: config-volume
+          configMap:
+            name: syslog-config
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: syslog-svc
+spec:
+  ports:
+    - port: 514
+      targetPort: 514
+      protocol: TCP
+  selector:
+    app: syslog
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: syslog-config
+data:
+  syslog-ng.conf: |-
+    @version: 3.29
+    @include "scl.conf"
+
+    source s_local {
+      internal();
+    };
+
+    source s_network {
+      default-network-drivers(
+        max_connections(300)
+      );
+    };
+
+    destination d_local {
+      file("/var/log/messages");
+      file("/var/log/messages-kv.log" template("$ISODATE $HOST $(format-welf --scope all-nv-pairs)\n") frac-digits(3));
+    };
+
+    log {
+      source(s_local);
+      source(s_network);
+      destination(d_local);
+    };

tests/data/ap-waf-grpc/tls-secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: virtual-server-tls-grpc-secret
+type: kubernetes.io/tls
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURzakNDQXBvQ0NRREdqUVE5L3hnejZqQU5CZ2txaGtpRzl3MEJBUXNGQURDQm1qRUxNQWtHQTFVRUJoTUMKU1VVeERUQUxCZ05WQkFnTUJFTnZjbXN4RFRBTEJnTlZCQWNNQkVOdmNtc3hFekFSQmdOVkJBb01DazVIU1U1WQpMQ0JKYm1NeERqQU1CZ05WQkFzTUJVNUhTVTVZTVNNd0lRWURWUVFEREJwMmFYSjBkV0ZzTFhObGNuWmxjaTVsCmVHRnRjR3hsTG1OdmJURWpNQ0VHQ1NxR1NJYjNEUUVKQVJZVWEzVmlaWEp1WlhSbGMwQnVaMmx1ZUM1amIyMHcKSGhjTk1qRXhNVEkxTVRrek5qUXdXaGNOTWpNeE1ESTJNVGt6TmpRd1dqQ0JtakVMTUFrR0ExVUVCaE1DU1VVeApEVEFMQmdOVkJBZ01CRU52Y21zeERUQUxCZ05WQkFjTUJFTnZjbXN4RXpBUkJnTlZCQW9NQ2s1SFNVNVlMQ0JKCmJtTXhEakFNQmdOVkJBc01CVTVIU1U1WU1TTXdJUVlEVlFRRERCcDJhWEowZFdGc0xYTmxjblpsY2k1bGVHRnQKY0d4bExtTnZiVEVqTUNFR0NTcUdTSWIzRFFFSkFSWVVhM1ZpWlhKdVpYUmxjMEJ1WjJsdWVDNWpiMjB3Z2dFaQpNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUUNoYnlha0tlbzZzR2Q0eFBva3dQaHpjMGcvCnNiNXZpZnNnbHJvc2IyUjhjaGJtQlJRV1lGZlNzbldidWtkejB2RFVaWHhlY1hOZUdKVFc0WWdOOUZUSERnQXcKNjhxNWFBS3RiY1d2ejlDVEd0RkthdW5GcE1GU21pcWU5VHFQM1JaVkJGa1gwWFkzYTFWbmlQNDFxV2wxdnVKQgpMM2JwKzlzNVVadnMraER4UFFuMG5xSFJCQ0t2VDNUZWpHbnJPelprQ2ljUGhSS0hhNnExNlhiNGhGd2E4RXB2CmhYMFZkWVNDNFMzL2xSNThkNFJxL0lJSmUyZlhpZTJwcFF5UUpsNTJ6SGZvUnVFK3VvM3NsMmREdDF6dC96Yk0Ka2M3bmZiYzJqZFVoT0FONGhOOEowS0NvWEI4U3FwcjcxNXlKdklJc3ZSRC9RRFNyd1BQeXh2N1VnMTZoQWdNQgpBQUV3RFFZSktvWklodmNOQVFFTEJRQURnZ0VCQUY3SFg5OUY5Q2FsMEplZzJScktSS3lxTXBrWGNKWjhEd2RJCkdmMm9UL2I5OGdmRWxhbFgxMHBQc2lHQ2NVOFJjRW9wdzJ6bHdUNXNSTDVXWVVyN3FnS1RKOXR0cm9rRUhPL0IKYUdORWsveFpNZ1JkOFpVL1NTOGdsQ0tjUGdOekI4TmVhQmV2U3lhT0NJYndjMWZSalF0YlVjYkp3N3JWUlp6cApaU1JJZWVPVVV2ZVg1RDZaNGQyN2RGd1pKU1B3TkV3eVlnZERKQWxhelMwMnJOZDZRUktwTFViNUJSUlB4aVYvCmtvNGUxK1h0V3FvVFpWMi9IbDZRWnB6MzdyMjZXQ0dxbUpHYnJzM0JmRkwxUFkvTEFqY1NZOVRrNU9kdU80SXcKM09PN3p5UTV3eDhuc3V4SHlQOUJUMFh3aU5hMzU1RXpwd3V6N1hyTzI0ZElNYjVsZWRnPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2Z0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktnd2dnU2tBZ0VBQW9JQkFRQ2hieWFrS2VvNnNHZDQKeFBva3dQaHpjMGcvc2I1dmlmc2dscm9zYjJSOGNoYm1CUlFXWUZmU3NuV2J1a2R6MHZEVVpYeGVjWE5lR0pUVwo0WWdOOUZUSERnQXc2OHE1YUFLdGJjV3Z6OUNUR3RGS2F1bkZwTUZTbWlxZTlUcVAzUlpWQkZrWDBYWTNhMVZuCmlQNDFxV2wxdnVKQkwzYnArOXM1VVp2cytoRHhQUW4wbnFIUkJDS3ZUM1Rlakduck96WmtDaWNQaFJLSGE2cTEKNlhiNGhGd2E4RXB2aFgwVmRZU0M0UzMvbFI1OGQ0UnEvSUlKZTJmWGllMnBwUXlRSmw1MnpIZm9SdUUrdW8zcwpsMmREdDF6dC96Yk1rYzduZmJjMmpkVWhPQU40aE44SjBLQ29YQjhTcXByNzE1eUp2SUlzdlJEL1FEU3J3UFB5Cnh2N1VnMTZoQWdNQkFBRUNnZ0VBWm5KWlBWajBNaVo4bzZHdGRPR1pTZnJnNExyMXRXY0ZIVnRKN3FVS1NnZEYKRE5nd05Uc1N3TDFMOFhXM25vTkJIaWtCVWhZQk5yZTJ6TjczTHBQZHNTenJaaUJjMkdodk9vd3RKak5sazlVeQorRno4MmRhQ2NOOHhLUXRMREwwclRPeWpkWUFSMjMyY0IwWml2TDgwRStyOVBveldsQXFteHF0Sm5vdmJjSnRmCmpBK3RkTTcvTTJ0ckJqRmJXKzlwTERoS3orVkw2TUc0b1BGYmtVcTJ3bVFYRE0vQ1hKZnE5WXVMTmhVODFsbEwKYzZwN0trckNwU3M1QWRHWitwU1IxNWlSRWUwblRMT1JkVWFFdWRkVm0xQllmZWVhcVVia0VPUk1WTm5oSG1ORwpTV25KdEhDanNpUitDWmdBYktOT3ZkQ3IrekN5ZHdZUyt4RWxpSXE1T1FLQmdRRFVtM0p2WHhEbDloY2g5TUg1CkY4Y2lVS2NuVnJHZ1lHRXU5ZTlaOG5JeFVEUWlkQVlJSkI3WEZSL1RlY3RubzFjQjd3cVlWcHpvenNZaC9RNkcKYTVMeXA3cnc1NkFwek1qV0IxOGtzbTJHUmloK1VleEtiMVVNYWlpeEFrRjZ4cWVjSTFxUVN1T0hQTFlrRjNUWgpOcCtvRkhYUHBFMlE0cVNtVVl0ZHJOdWpZd0tCZ1FEQ1lmUjFGNHpjbkpnTWZJVGpaOVEzd1JmaW9YalVFak9ICjZLT2d2bUppRDFsdG5rT3JSNTlKMXIvdTU3cU4zbGlNakdGT2pod25qaUIrWk5BcDZRenN0bkhVV09yUHduQXYKUjJXNUoyRW9oSGgxaTJhWUg4SkNTRVpocmZBSXZIbEIvQ29XaUFiZzkvR0lpNG9oNFB0NEljOTJLemNaK0RVeQpBbzltV1Uxdkt3S0JnUUNnKy9OeWtURmlieXlrOFlmTzdVcERtWDU0TXhUY3N4M2pTU1dybmdFSmhnbHo3UmFFCkk1V1dsdEE2ZVFhanV2S3U3Q25Cb0JPLzFKSUNPbk05SlVkbnBjblBrQk9la3dtZnhvVXNiRTZ5VlgxajZQUmEKaUdLRnUveUR5NGw1UmVLMFA3RGJnVmszbGFqMU95Mm5LODFJbi9WMC9Kd2ZFUDVMVVlPTnNzMjhzUUtCZ1FDRQp3NWJPS3VtZy9LdTFTNDhRS3loOWREczJKWWQ3Z1hzRXh0YUx3YjA4c0xNcDljRE9TYnI0R2Q4NTg3Z3RrY0gxCkxTU0JIUHNKNFQ4OFZPc0ExUlpvenl2c0YxYzUwOW4vME1vZnJrL2o5cWEzMGlDZW9vSng5eDlyTS93UVczcU8Kb1FhMklPNWgxYmQ0eGFYeEFkTi85OGZWTkNzTVo4VWRoVFlnZDdvMXhRS0JnQ1Fjdmw1Yy9ZY3NHRUd1YU02Mwp1NzNaNm9ha05mNkpEZ2lzdjZ2c3dHMHdLbFRQNGgwKzNTSmdmL2dnTGVMNVBxdm5pemxZbEJSQUd3KzQwYVFGCmZnZnZBOWVlaVFZdVdiRDV0RlpUTDZKcFBnd01PSlVQUFBIU0JianJSTGpoMzk5dlBBdlhqekNPT25ad01LcXcKTDBIZWF1M1J6a0ZkRDllNTk3c3U3MG90Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K

tests/data/ap-waf-grpc/virtual-server-waf-spec.yaml

@@ -0,0 +1,26 @@
+apiVersion: k8s.nginx.org/v1
+kind: VirtualServer
+metadata:
+  name: virtual-server
+spec:
+  host: virtual-server.example.com
+  policies:
+  - name: waf-policy
+  tls:
+    secret: virtual-server-tls-grpc-secret
+  upstreams:
+  - name: grpc1
+    service: grpc1-svc
+    port: 50051
+    type: grpc
+  - name: grpc2
+    service: grpc2-svc
+    port: 50051
+    type: grpc
+  routes:
+  - path: "/helloworld.Greeter"
+    action:
+      pass: grpc1
+  - path: "/notimplemented"
+    action:
+      pass: grpc2

tests/suite/ap_resources_utils.py

@@ -42,7 +42,7 @@ def create_ap_waf_policy_from_yaml(
     appolicy,
     aplogconf,
     logdest,
-) -> None:
+) -> str:
     """
     Create a Policy based on yaml file.
 
@@ -55,7 +55,7 @@ def create_ap_waf_policy_from_yaml(
     :param appolicy: AppProtect policy name
     :param aplogconf: Logconf name
     :param logdest: AP log destination (syslog)
-    :return: None
+    :return: str
     """
     with open(yaml_manifest) as f:
         dep = yaml.safe_load(f)
@@ -70,6 +70,7 @@ def create_ap_waf_policy_from_yaml(
             "k8s.nginx.org", "v1", namespace, "policies", dep
         )
         print(f"Policy created: {dep}")
+        return dep["metadata"]["name"]
     except ApiException:
         logging.exception(f"Exception occurred while creating Policy: {dep['metadata']['name']}")
         raise