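#!/usr/bin/env bats
# vim: ft=bats:list:ts=8:sts=4:sw=4:et:ai:si:

# Machine (agent) authentication to the local API over TLS.
#
# setup_file builds a small PKI with cfssl: a root CA, an intermediate, a
# server certificate, and several client certificates (valid, wrong OU,
# signed by the root instead of the intermediate, revoked via CRL). The
# tests then check that the LAPI accepts exactly the valid certificate and
# refuses the others, and that TLS settings are rejected on a unix socket.
#
# Tools required on PATH: cfssl, cfssljson, openssl, bc, jq, plus the shared
# bats helpers under ../lib (rune, config_set, config_get, assert_*, ...).

set -u

#######################################
# Issue a leaf certificate from a CA whose files live in ${tmpdir}.
# Globals:   tmpdir (read), CFDIR (read)
# Arguments: $1 - CA base name in ${tmpdir} ("ca" or "inter")
#            $2 - cfssl profile name from ${CFDIR}/profiles.json
#            $3 - CSR json file
#            $4 - output base name in ${tmpdir}
# Outputs:   writes ${tmpdir}/$4.pem, ${tmpdir}/$4-key.pem, ${tmpdir}/$4.csr
# Returns:   exit status of cfssljson (the pipeline has no pipefail, so a
#            cfssl failure is only noticed later, when the TLS tests fail)
#######################################
gen_cert() {
    local ca=$1 profile=$2 csr_json=$3 out=$4
    # cfssl is chatty on stderr; keep the fixture generation quiet
    cfssl gencert \
        -ca "${tmpdir}/${ca}.pem" \
        -ca-key "${tmpdir}/${ca}-key.pem" \
        -config "${CFDIR}/profiles.json" \
        -profile="${profile}" \
        "${csr_json}" 2>/dev/null | cfssljson --bare "${tmpdir}/${out}"
}

setup_file() {
    load "../lib/setup_file.sh"
    ./instance-data load

    CONFIG_DIR=$(dirname "${CONFIG_YAML}")
    export CONFIG_DIR

    # exported so the yq expressions below can use strenv(tmpdir)
    tmpdir="${BATS_FILE_TMPDIR}"
    export tmpdir

    CFDIR="${BATS_TEST_DIRNAME}/testdata/cfssl"
    export CFDIR

    # root CA
    cfssl gencert --initca "${CFDIR}/ca.json" 2>/dev/null | cfssljson --bare "${tmpdir}/ca"

    # intermediate CA: self-signed request first, then re-signed by the root
    cfssl gencert --initca "${CFDIR}/intermediate.json" 2>/dev/null | cfssljson --bare "${tmpdir}/inter"
    cfssl sign \
        -ca "${tmpdir}/ca.pem" \
        -ca-key "${tmpdir}/ca-key.pem" \
        -config "${CFDIR}/profiles.json" \
        -profile intermediate_ca \
        "${tmpdir}/inter.csr" 2>/dev/null | cfssljson --bare "${tmpdir}/inter"

    # server cert for crowdsec, issued by the intermediate
    gen_cert inter server "${CFDIR}/server.json" server
    # client cert for the agent
    gen_cert inter client "${CFDIR}/agent.json" agent
    # client cert for the agent with an OU that is not in agents_allowed_ou
    gen_cert inter client "${CFDIR}/agent_invalid.json" agent_bad_ou
    # client cert signed directly by the root CA: crowdsec only trusts the
    # intermediate (ca_cert_path below), so this one must be refused
    gen_cert ca client "${CFDIR}/agent.json" agent_invalid
    # client cert that will be listed in the CRL
    gen_cert inter client "${CFDIR}/agent_revoked.json" agent_revoked

    # cfssl gencrl takes decimal serial numbers; openssl prints the serial
    # in uppercase hex, which is the form bc's ibase=16 expects
    serial="$(openssl x509 -noout -serial -in "${tmpdir}/agent_revoked.pem" | cut -d '=' -f2)"
    printf 'ibase=16; %s\n' "${serial}" | bc >"${tmpdir}/serials.txt"
    # gencrl emits base64 DER; convert to PEM for crl_path
    cfssl gencrl "${tmpdir}/serials.txt" "${tmpdir}/ca.pem" "${tmpdir}/ca-key.pem" \
        | base64 -d \
        | openssl crl -inform DER -out "${tmpdir}/crl.pem"

    # chain handed to the clients so they can verify the server certificate
    cat "${tmpdir}/ca.pem" "${tmpdir}/inter.pem" > "${tmpdir}/bundle.pem"

    config_set '
        .api.server.tls.cert_file=strenv(tmpdir) + "/server.pem" |
        .api.server.tls.key_file=strenv(tmpdir) + "/server-key.pem" |
        .api.server.tls.ca_cert_path=strenv(tmpdir) + "/inter.pem" |
        .api.server.tls.crl_path=strenv(tmpdir) + "/crl.pem" |
        .api.server.tls.agents_allowed_ou=["agent-ou"]
        '

    # remove all machines so every test starts from an empty registry;
    # read line by line rather than word-splitting the jq output
    while IFS= read -r machine; do
        [[ -n "${machine}" ]] || continue
        cscli machines delete "${machine}" >/dev/null 2>&1
    done < <(cscli machines list -o json | jq -r '.[].machineId')

    config_disable_agent
}

teardown_file() {
    load "../lib/teardown_file.sh"
}

setup() {
    load "../lib/setup.sh"
    # setup.sh restores the instance data, so the TLS server settings are
    # re-applied before each test
    config_set '
        .api.server.tls.cert_file=strenv(tmpdir) + "/server.pem" |
        .api.server.tls.key_file=strenv(tmpdir) + "/server-key.pem" |
        .api.server.tls.ca_cert_path=strenv(tmpdir) + "/inter.pem" |
        .api.server.tls.crl_path=strenv(tmpdir) + "/crl.pem" |
        .api.server.tls.agents_allowed_ou=["agent-ou"]
        '
}

teardown() {
    ./instance-crowdsec stop
}

#----------

@test "missing key_file" {
    config_set '.api.server.tls.key_file=""'

    rune -0 wait-for \
        --err "missing TLS key file" \
        "${CROWDSEC}"
}

@test "missing cert_file" {
    config_set '.api.server.tls.cert_file=""'

    rune -0 wait-for \
        --err "missing TLS cert file" \
        "${CROWDSEC}"
}

@test "invalid OU for agent" {
    config_set "${CONFIG_DIR}/local_api_credentials.yaml" '
        .ca_cert_path=strenv(tmpdir) + "/bundle.pem" |
        .key_path=strenv(tmpdir) + "/agent_bad_ou-key.pem" |
        .cert_path=strenv(tmpdir) + "/agent_bad_ou.pem" |
        .url="https://127.0.0.1:8080"
        '

    config_set "${CONFIG_DIR}/local_api_credentials.yaml" 'del(.login,.password)'
    ./instance-crowdsec start
    # The agent is disabled for this file, so nothing presents the bad-OU
    # certificate unless the test does it: the status call must be refused
    # (OU not in agents_allowed_ou) and no machine may have been registered.
    rune -1 cscli lapi status
    rune -0 cscli machines list -o json
    assert_output '[]'
}

@test "we have exactly one machine registered with TLS" {
    config_set "${CONFIG_DIR}/local_api_credentials.yaml" '
        .ca_cert_path=strenv(tmpdir) + "/bundle.pem" |
        .key_path=strenv(tmpdir) + "/agent-key.pem" |
        .cert_path=strenv(tmpdir) + "/agent.pem" |
        .url="https://127.0.0.1:8080"
        '

    config_set "${CONFIG_DIR}/local_api_credentials.yaml" 'del(.login,.password)'
    ./instance-crowdsec start
    rune -0 cscli lapi status
    rune -0 cscli machines list -o json
    # machineId is derived from the certificate CN and the client address
    rune -0 jq -c '[. | length, .[0].machineId[0:32], .[0].isValidated, .[0].ipAddress, .[0].auth_type]' <(output)

    assert_output '[1,"localhost@127.0.0.1",true,"127.0.0.1","tls"]'
    rune -0 cscli machines delete localhost@127.0.0.1
}

@test "a machine can still connect with a unix socket, no TLS" {
    # exported for helpers reading it from the environment; not referenced
    # directly in this test — TODO confirm it is still needed
    sock=$(config_get '.api.server.listen_socket')
    export sock

    # an agent is a machine too
    config_disable_agent
    ./instance-crowdsec start

    rune -0 cscli machines add with-socket --auto --force
    rune -0 cscli lapi status

    rune -0 cscli machines list -o json
    rune -0 jq -c '[. | length, .[0].machineId[0:32], .[0].isValidated, .[0].ipAddress, .[0].auth_type]' <(output)
    assert_output '[1,"with-socket",true,"127.0.0.1","password"]'

    # TLS cannot be used with a unix socket: each of ca_cert_path, key_path
    # and cert_path on its own must be rejected

    config_set "${CONFIG_DIR}/local_api_credentials.yaml" '
        .ca_cert_path=strenv(tmpdir) + "/bundle.pem"
        '

    rune -1 cscli lapi status
    assert_stderr --partial "loading api client: cannot use TLS with a unix socket"

    config_set "${CONFIG_DIR}/local_api_credentials.yaml" '
        del(.ca_cert_path) |
        .key_path=strenv(tmpdir) + "/agent-key.pem"
        '

    rune -1 cscli lapi status
    assert_stderr --partial "loading api client: cannot use TLS with a unix socket"

    config_set "${CONFIG_DIR}/local_api_credentials.yaml" '
        del(.key_path) |
        .cert_path=strenv(tmpdir) + "/agent.pem"
        '

    rune -1 cscli lapi status
    assert_stderr --partial "loading api client: cannot use TLS with a unix socket"

    rune -0 cscli machines delete with-socket
}

@test "invalid cert for agent" {
    # agent_invalid is signed by the root CA, not by the trusted intermediate
    config_set "${CONFIG_DIR}/local_api_credentials.yaml" '
        .ca_cert_path=strenv(tmpdir) + "/bundle.pem" |
        .key_path=strenv(tmpdir) + "/agent_invalid-key.pem" |
        .cert_path=strenv(tmpdir) + "/agent_invalid.pem" |
        .url="https://127.0.0.1:8080"
        '
    config_set "${CONFIG_DIR}/local_api_credentials.yaml" 'del(.login,.password)'
    ./instance-crowdsec start
    rune -1 cscli lapi status
    rune -0 cscli machines list -o json
    assert_output '[]'
}

@test "revoked cert for agent" {
    # start from a clean log so the CRL messages below belong to this test
    truncate_log
    config_set "${CONFIG_DIR}/local_api_credentials.yaml" '
        .ca_cert_path=strenv(tmpdir) + "/bundle.pem" |
        .key_path=strenv(tmpdir) + "/agent_revoked-key.pem" |
        .cert_path=strenv(tmpdir) + "/agent_revoked.pem" |
        .url="https://127.0.0.1:8080"
        '

    config_set "${CONFIG_DIR}/local_api_credentials.yaml" 'del(.login,.password)'
    ./instance-crowdsec start
    rune -1 cscli lapi status
    assert_log --partial "client certificate is revoked by CRL"
    assert_log --partial "client certificate for CN=localhost OU=[agent-ou] is revoked"
    rune -0 cscli machines list -o json
    assert_output '[]'
}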