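#!/usr/bin/env bats
# vim: ft=bats:list:ts=8:sts=4:sw=4:et:ai:si:

# End-to-end tests for bouncer authentication with TLS client certificates.
# A certificate chained to the configured intermediate with the allowed OU
# must register a bouncer; a certificate with a wrong chain, a disallowed OU
# or a revoked serial must not.
#
# Required env: BATS_FILE_TMPDIR, BATS_TEST_DIRNAME (provided by bats),
# plus the helpers loaded from ../lib (rune, assert_output, assert_log, ...).

set -u

setup_file() {
    load "../lib/setup_file.sh"
    ./instance-data load

    tmpdir="${BATS_FILE_TMPDIR}"
    export tmpdir

    CFDIR="${BATS_TEST_DIRNAME}/testdata/cfssl"
    export CFDIR

    # gen the CA
    cfssl gencert --initca "${CFDIR}/ca.json" 2>/dev/null | cfssljson --bare "${tmpdir}/ca"
    # gen an intermediate (self-signed CSR first), then have the CA sign it
    cfssl gencert --initca "${CFDIR}/intermediate.json" 2>/dev/null | cfssljson --bare "${tmpdir}/inter"
    cfssl sign -ca "${tmpdir}/ca.pem" -ca-key "${tmpdir}/ca-key.pem" -config "${CFDIR}/profiles.json" -profile intermediate_ca "${tmpdir}/inter.csr" 2>/dev/null | cfssljson --bare "${tmpdir}/inter"
    # gen server cert for crowdsec with the intermediate
    cfssl gencert -ca "${tmpdir}/inter.pem" -ca-key "${tmpdir}/inter-key.pem" -config "${CFDIR}/profiles.json" -profile=server "${CFDIR}/server.json" 2>/dev/null | cfssljson --bare "${tmpdir}/server"
    # gen client cert for the bouncer
    cfssl gencert -ca "${tmpdir}/inter.pem" -ca-key "${tmpdir}/inter-key.pem" -config "${CFDIR}/profiles.json" -profile=client "${CFDIR}/bouncer.json" 2>/dev/null | cfssljson --bare "${tmpdir}/bouncer"
    # gen client cert for the bouncer with an invalid OU
    cfssl gencert -ca "${tmpdir}/inter.pem" -ca-key "${tmpdir}/inter-key.pem" -config "${CFDIR}/profiles.json" -profile=client "${CFDIR}/bouncer_invalid.json" 2>/dev/null | cfssljson --bare "${tmpdir}/bouncer_bad_ou"
    # gen client cert for the bouncer directly signed by the root CA; crowdsec must
    # refuse it because ca_cert_path (set below) only trusts the intermediate
    cfssl gencert -ca "${tmpdir}/ca.pem" -ca-key "${tmpdir}/ca-key.pem" -config "${CFDIR}/profiles.json" -profile=client "${CFDIR}/bouncer.json" 2>/dev/null | cfssljson --bare "${tmpdir}/bouncer_invalid"

    # gen a valid client cert whose serial is then put on a CRL
    cfssl gencert -ca "${tmpdir}/inter.pem" -ca-key "${tmpdir}/inter-key.pem" -config "${CFDIR}/profiles.json" -profile=client "${CFDIR}/bouncer.json" 2>/dev/null | cfssljson --bare "${tmpdir}/bouncer_revoked"
    # openssl prints the serial in hex, cfssl gencrl expects it in decimal
    serial="$(openssl x509 -noout -serial -in "${tmpdir}/bouncer_revoked.pem" | cut -d '=' -f2)"
    echo "ibase=16; ${serial}" | bc >"${tmpdir}/serials.txt"
    # NOTE(review): the CRL is signed by the root CA although bouncer_revoked was
    # issued by the intermediate; the revocation test therefore relies on the server
    # matching revoked serials without tying the CRL to the certificate issuer -- confirm
    # before tightening CRL issuer checks server-side.
    cfssl gencrl "${tmpdir}/serials.txt" "${tmpdir}/ca.pem" "${tmpdir}/ca-key.pem" | base64 -d | openssl crl -inform DER -out "${tmpdir}/crl.pem"

    # trust bundle (root + intermediate) used by curl to verify the server certificate
    cat "${tmpdir}/ca.pem" "${tmpdir}/inter.pem" > "${tmpdir}/bundle.pem"

    config_set '
    .api.server.tls.cert_file=strenv(tmpdir) + "/server.pem" |
    .api.server.tls.key_file=strenv(tmpdir) + "/server-key.pem" |
    .api.server.tls.ca_cert_path=strenv(tmpdir) + "/inter.pem" |
    .api.server.tls.crl_path=strenv(tmpdir) + "/crl.pem" |
    .api.server.tls.bouncers_allowed_ou=["bouncer-ou"]
    '

    config_disable_agent
}

teardown_file() {
    load "../lib/teardown_file.sh"
}

setup() {
    load "../lib/setup.sh"
    ./instance-crowdsec start
}

teardown() {
    ./instance-crowdsec stop
}

#----------

@test "there are 0 bouncers" {
    rune -0 cscli bouncers list -o json
    assert_output "[]"
}

@test "simulate one bouncer request with a valid cert" {
    rune -0 curl -s --cert "${tmpdir}/bouncer.pem" --key "${tmpdir}/bouncer-key.pem" --cacert "${tmpdir}/bundle.pem" https://localhost:8080/v1/decisions\?ip=42.42.42.42
    assert_output "null"
    # a successful cert auth auto-registers the bouncer under CN@ip
    rune -0 cscli bouncers list -o json
    rune -0 jq '. | length' <(output)
    assert_output '1'
    rune -0 cscli bouncers list -o json
    rune -0 jq -r '.[] | .name' <(output)
    assert_output "localhost@127.0.0.1"
    rune cscli bouncers delete localhost@127.0.0.1
}

@test "simulate one bouncer request with an invalid cert" {
    # curl must verify the server with the real trust bundle so that the TLS
    # handshake actually reaches crowdsec and the client cert is evaluated there;
    # passing the CA *private key* as --cacert made curl fail locally and left the
    # server-side rejection untested. The request is expected to fail, hence no -0.
    rune curl -s --cert "${tmpdir}/bouncer_invalid.pem" --key "${tmpdir}/bouncer_invalid-key.pem" --cacert "${tmpdir}/bundle.pem" https://localhost:8080/v1/decisions\?ip=42.42.42.42
    rune -0 cscli bouncers list -o json
    assert_output "[]"
}

@test "simulate one bouncer request with an invalid OU" {
    # cert chains correctly but its OU is not in bouncers_allowed_ou
    rune curl -s --cert "${tmpdir}/bouncer_bad_ou.pem" --key "${tmpdir}/bouncer_bad_ou-key.pem" --cacert "${tmpdir}/bundle.pem" https://localhost:8080/v1/decisions\?ip=42.42.42.42
    rune -0 cscli bouncers list -o json
    assert_output "[]"
}

@test "simulate one bouncer request with a revoked certificate" {
    truncate_log
    # the handshake succeeds (hence -0); the revocation is enforced at the
    # application layer and must be visible both in the log and in the response
    rune -0 curl -i -s --cert "${tmpdir}/bouncer_revoked.pem" --key "${tmpdir}/bouncer_revoked-key.pem" --cacert "${tmpdir}/bundle.pem" https://localhost:8080/v1/decisions\?ip=42.42.42.42
    assert_log --partial "client certificate is revoked by CRL"
    assert_log --partial "client certificate for CN=localhost OU=[bouncer-ou] is revoked"
    assert_output --partial "access forbidden"
    rune -0 cscli bouncers list -o json
    assert_output "[]"
}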