Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 44 additions & 0 deletions internal/controller/trafficprotectionpolicy_controller.go
Original file line number Diff line number Diff line change
Expand Up @@ -796,6 +796,17 @@ func (r *TrafficProtectionPolicyReconciler) processTrafficProtectionPolicyForHTT
route.attachedToRouteRules.Insert(routeRuleName)
}

if resolveErr := paranoiaLevelsResolveError(policy); resolveErr != nil {
gatewaystatus.SetResolveErrorForPolicyAncestor(
&policy.Status.PolicyStatus,
ancestorRef,
string(r.Config.Gateway.ControllerName),
policy.Generation,
resolveErr,
)
return policyAttachments
}

gatewaystatus.SetConditionForPolicyAncestor(&policy.Status.PolicyStatus,
ancestorRef,
string(r.Config.Gateway.ControllerName),
Expand Down Expand Up @@ -933,6 +944,17 @@ func (r *TrafficProtectionPolicyReconciler) processTrafficProtectionPolicyForGat
gateway.attachedToListeners.Insert(listenerName)
}

if resolveErr := paranoiaLevelsResolveError(policy); resolveErr != nil {
gatewaystatus.SetResolveErrorForPolicyAncestor(
&policy.Status.PolicyStatus,
ancestorRef,
string(r.Config.Gateway.ControllerName),
policy.Generation,
resolveErr,
)
return policyAttachments
}

gatewaystatus.SetConditionForPolicyAncestor(&policy.Status.PolicyStatus,
ancestorRef,
string(r.Config.Gateway.ControllerName),
Expand Down Expand Up @@ -1208,6 +1230,28 @@ func getVHostConstraintForGateway(namespace string, gateway *gatewayv1.Gateway)
)
}

// paranoiaLevelsResolveError returns a resolve error when a policy's OWASP CRS
// paranoia levels are inverted (detection below blocking). CRS rule 901500 fails
// closed on this configuration and denies every request with HTTP 500 before any
// attack evaluation, so the policy must not be attached.
func paranoiaLevelsResolveError(policy *policyContext) *gatewaystatus.PolicyResolveError {
for _, ruleSet := range policy.Spec.RuleSets {
if ruleSet.Type != networkingv1alpha.TrafficProtectionPolicyOWASPCoreRuleSet {
continue
}
levels := ruleSet.OWASPCoreRuleSet.ParanoiaLevels
if levels.Detection < levels.Blocking {
return &gatewaystatus.PolicyResolveError{
Reason: gatewayv1.PolicyReasonInvalid,
Message: fmt.Sprintf(
"OWASPCoreRuleSet detection paranoia level (%d) must be greater than or equal to blocking paranoia level (%d); this is an illegal CRS configuration that would deny all traffic with HTTP 500",
levels.Detection, levels.Blocking),
}
}
}
return nil
}

func (r *TrafficProtectionPolicyReconciler) getCorazaDirectivesForTrafficProtectionPolicy(
policy *policyContext,
) []string {
Expand Down
105 changes: 105 additions & 0 deletions internal/controller/trafficprotectionpolicy_controller_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -518,6 +518,43 @@ func TestProcessTrafficProtectionPolicyForHTTPRoute(t *testing.T) {
}
},
},
{
name: "inverted paranoia levels rejected",
policy: &policyContext{
TrafficProtectionPolicy: ptr.To(newTrafficProtectionPolicy("default", "tpp-1", func(tpp *networkingv1alpha.TrafficProtectionPolicy) {
tpp.Spec.RuleSets[0].OWASPCoreRuleSet.ParanoiaLevels = networkingv1alpha.ParanoiaLevels{
Blocking: 2,
Detection: 1,
}
})),
},
routeMap: map[client.ObjectKey]*policyRouteTargetContext{
{Namespace: "default", Name: "route-1"}: {
HTTPRoute: newHTTPRoute("default", "route-1"),
},
},
gatewayMap: map[client.ObjectKey]*policyGatewayTargetContext{
{Namespace: "default", Name: "gateway-1"}: {
Gateway: ptr.To(newGatewayFunc("default", "gateway-1")),
},
},
targetRef: gatewayv1alpha2.LocalPolicyTargetReferenceWithSectionName{
LocalPolicyTargetReference: gatewayv1.LocalPolicyTargetReference{
Kind: "HTTPRoute",
Name: "route-1",
},
},
assert: func(t *testContext, policyAttachments []policyAttachment) {
assert.Empty(t, policyAttachments, "invalid policy must not be attached")
if assert.Len(t, t.policy.Status.Ancestors, 1) {
if assert.Len(t, t.policy.Status.Ancestors[0].Conditions, 1) {
cond := t.policy.Status.Ancestors[0].Conditions[0]
assert.Equal(t, string(gatewayv1.PolicyReasonInvalid), cond.Reason, "expected invalid reason")
assert.Equal(t, metav1.ConditionFalse, cond.Status, "expected Accepted=False")
}
}
},
},
}

for _, tt := range tests {
Expand Down Expand Up @@ -649,6 +686,38 @@ func TestProcessTrafficProtectionPolicyForGateway(t *testing.T) {
}
},
},
{
name: "inverted paranoia levels rejected",
policy: &policyContext{
TrafficProtectionPolicy: ptr.To(newTrafficProtectionPolicy("default", "tpp-1", func(tpp *networkingv1alpha.TrafficProtectionPolicy) {
tpp.Spec.RuleSets[0].OWASPCoreRuleSet.ParanoiaLevels = networkingv1alpha.ParanoiaLevels{
Blocking: 2,
Detection: 1,
}
})),
},
gatewayMap: map[client.ObjectKey]*policyGatewayTargetContext{
{Namespace: "default", Name: "gateway-1"}: {
Gateway: ptr.To(newGatewayFunc("default", "gateway-1")),
},
},
targetRef: gatewayv1alpha2.LocalPolicyTargetReferenceWithSectionName{
LocalPolicyTargetReference: gatewayv1.LocalPolicyTargetReference{
Kind: "Gateway",
Name: "gateway-1",
},
},
assert: func(t *testContext, policyAttachments []policyAttachment) {
assert.Empty(t, policyAttachments, "invalid policy must not be attached")
if assert.Len(t, t.policy.Status.Ancestors, 1) {
if assert.Len(t, t.policy.Status.Ancestors[0].Conditions, 1) {
cond := t.policy.Status.Ancestors[0].Conditions[0]
assert.Equal(t, string(gatewayv1.PolicyReasonInvalid), cond.Reason, "expected invalid reason")
assert.Equal(t, metav1.ConditionFalse, cond.Status, "expected Accepted=False")
}
}
},
},
}

for _, tt := range tests {
Expand All @@ -675,6 +744,42 @@ func TestProcessTrafficProtectionPolicyForGateway(t *testing.T) {
}
}

func TestParanoiaLevelsResolveError(t *testing.T) {
tests := []struct {
name string
blocking int
detection int
wantError bool
}{
{name: "equal levels", blocking: 2, detection: 2, wantError: false},
{name: "higher detection", blocking: 1, detection: 3, wantError: false},
{name: "detection below blocking", blocking: 2, detection: 1, wantError: true},
{name: "defaulted detection below blocking", blocking: 4, detection: 1, wantError: true},
}

for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
policy := &policyContext{
TrafficProtectionPolicy: ptr.To(newTrafficProtectionPolicy("default", "tpp-1", func(tpp *networkingv1alpha.TrafficProtectionPolicy) {
tpp.Spec.RuleSets[0].OWASPCoreRuleSet.ParanoiaLevels = networkingv1alpha.ParanoiaLevels{
Blocking: tt.blocking,
Detection: tt.detection,
}
})),
}

resolveErr := paranoiaLevelsResolveError(policy)
if tt.wantError {
if assert.NotNil(t, resolveErr) {
assert.Equal(t, gatewayv1.PolicyReasonInvalid, resolveErr.Reason)
}
} else {
assert.Nil(t, resolveErr)
}
})
}
}

func TestGetDesiredEnvoyPatchPolicies(t *testing.T) {

operatorConfig := config.NetworkServicesOperator{
Expand Down
Loading