github.com/crowdsecurity/crowdsec@v1.6.1/test/bats/72_plugin_badconfig.bats (about) 1 #!/usr/bin/env bats 2 # vim: ft=bats:list:ts=8:sts=4:sw=4:et:ai:si: 3 4 set -u 5 6 setup_file() { 7 load "../lib/setup_file.sh" 8 9 PLUGIN_DIR=$(config_get '.config_paths.plugin_dir') 10 # could have a trailing slash 11 PLUGIN_DIR=$(realpath "${PLUGIN_DIR}") 12 export PLUGIN_DIR 13 14 PROFILES_PATH=$(config_get '.api.server.profiles_path') 15 export PROFILES_PATH 16 } 17 18 teardown_file() { 19 load "../lib/teardown_file.sh" 20 } 21 22 setup() { 23 load "../lib/setup.sh" 24 ./instance-data load 25 } 26 27 teardown() { 28 ./instance-crowdsec stop 29 rm -f "${PLUGIN_DIR}"/badname 30 chmod go-w "${PLUGIN_DIR}"/notification-http || true 31 } 32 33 #---------- 34 35 @test "misconfigured plugin, only user is empty" { 36 config_set '.plugin_config.user="" | .plugin_config.group="nogroup"' 37 config_set "${PROFILES_PATH}" '.notifications=["http_default"]' 38 rune -0 wait-for \ 39 --err "api server init: unable to run plugin broker: while loading plugin: while getting process attributes: both plugin user and group must be set" \ 40 "${CROWDSEC}" 41 } 42 43 @test "misconfigured plugin, only group is empty" { 44 config_set '(.plugin_config.user="nobody") | (.plugin_config.group="")' 45 config_set "${PROFILES_PATH}" '.notifications=["http_default"]' 46 rune -0 wait-for \ 47 --err "api server init: unable to run plugin broker: while loading plugin: while getting process attributes: both plugin user and group must be set" \ 48 "${CROWDSEC}" 49 } 50 51 @test "misconfigured plugin, user does not exist" { 52 config_set '(.plugin_config.user="userdoesnotexist") | (.plugin_config.group="groupdoesnotexist")' 53 config_set "${PROFILES_PATH}" '.notifications=["http_default"]' 54 rune -0 wait-for \ 55 --err "api server init: unable to run plugin broker: while loading plugin: while getting process attributes: user: unknown user userdoesnotexist" \ 56 "${CROWDSEC}" 57 } 58 59 @test "misconfigured plugin, group does not exist" { 60 config_set '(.plugin_config.user=strenv(USER)) | (.plugin_config.group="groupdoesnotexist")' 61 config_set "${PROFILES_PATH}" '.notifications=["http_default"]' 62 rune -0 wait-for \ 63 --err "api server init: unable to run plugin broker: while loading plugin: while getting process attributes: group: unknown group groupdoesnotexist" \ 64 "${CROWDSEC}" 65 } 66 67 @test "bad plugin name" { 68 config_set "${PROFILES_PATH}" '.notifications=["http_default"]' 69 cp "${PLUGIN_DIR}"/notification-http "${PLUGIN_DIR}"/badname 70 rune -0 wait-for \ 71 --err "api server init: unable to run plugin broker: while loading plugin: plugin name ${PLUGIN_DIR}/badname is invalid. Name should be like {type-name}" \ 72 "${CROWDSEC}" 73 } 74 75 @test "duplicate notification config" { 76 CONFIG_DIR=$(dirname "$CONFIG_YAML") 77 # email_default has two configurations 78 rune -0 yq -i '.name="email_default"' "$CONFIG_DIR/notifications/http.yaml" 79 # enable a notification, otherwise plugins are ignored 80 config_set "${PROFILES_PATH}" '.notifications=["slack_default"]' 81 # the slack plugin may fail or not, but we just need the logs 82 config_set '.common.log_media="stdout"' 83 rune wait-for \ 84 --err "notification 'email_default' is defined multiple times" \ 85 "${CROWDSEC}" 86 } 87 88 @test "bad plugin permission (group writable)" { 89 config_set "${PROFILES_PATH}" '.notifications=["http_default"]' 90 chmod g+w "${PLUGIN_DIR}"/notification-http 91 rune -0 wait-for \ 92 --err "api server init: unable to run plugin broker: while loading plugin: plugin at ${PLUGIN_DIR}/notification-http is group writable, group writable plugins are invalid" \ 93 "${CROWDSEC}" 94 } 95 96 @test "bad plugin permission (world writable)" { 97 config_set "${PROFILES_PATH}" '.notifications=["http_default"]' 98 chmod o+w "${PLUGIN_DIR}"/notification-http 99 rune -0 wait-for \ 100 --err "api server init: unable to run plugin broker: while loading plugin: plugin at ${PLUGIN_DIR}/notification-http is world writable, world writable plugins are invalid" \ 101 "${CROWDSEC}" 102 } 103 104 @test "config.yaml: missing .plugin_config section" { 105 config_set 'del(.plugin_config)' 106 config_set "${PROFILES_PATH}" '.notifications=["http_default"]' 107 rune -0 wait-for \ 108 --err "api server init: plugins are enabled, but the plugin_config section is missing in the configuration" \ 109 "${CROWDSEC}" 110 } 111 112 @test "config.yaml: missing config_paths.notification_dir" { 113 config_set 'del(.config_paths.notification_dir)' 114 config_set "${PROFILES_PATH}" '.notifications=["http_default"]' 115 rune -0 wait-for \ 116 --err "api server init: plugins are enabled, but config_paths.notification_dir is not defined" \ 117 "${CROWDSEC}" 118 } 119 120 @test "config.yaml: missing config_paths.plugin_dir" { 121 config_set 'del(.config_paths.plugin_dir)' 122 config_set "${PROFILES_PATH}" '.notifications=["http_default"]' 123 rune -0 wait-for \ 124 --err "api server init: plugins are enabled, but config_paths.plugin_dir is not defined" \ 125 "${CROWDSEC}" 126 } 127 128 @test "unable to run plugin broker: while reading plugin config" { 129 config_set '.config_paths.notification_dir="/this/path/does/not/exist"' 130 config_set "${PROFILES_PATH}" '.notifications=["http_default"]' 131 rune -0 wait-for \ 132 --err "api server init: unable to run plugin broker: while loading plugin config: open /this/path/does/not/exist: no such file or directory" \ 133 "${CROWDSEC}" 134 }