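#!/usr/bin/env bats
# vim: ft=bats:list:ts=8:sts=4:sw=4:et:ai:si:
#
# Functional tests for "cscli alerts" (list / inspect / delete).
#
# Every test runs against a freshly loaded instance (see setup), so alert
# ids and counts are only meaningful relative to what the test itself
# creates. The machine registered by the fixtures is named
# githubciXXXXXXXXXXXXXXXXXXXXXXXX, optionally followed by a 16-character
# alphanumeric suffix - hence the regex repeated throughout this file.

set -u

setup_file() {
    load "../lib/setup_file.sh"
}

teardown_file() {
    load "../lib/teardown_file.sh"
}

# Fresh data set and a running crowdsec for each test.
setup() {
    load "../lib/setup.sh"
    ./instance-data load
    ./instance-crowdsec start
}

teardown() {
    ./instance-crowdsec stop
}

#----------

@test "cscli alerts list, with and without --machine" {
    is_db_postgres && skip
    rune -0 cscli decisions add -i 10.20.30.40 -t ban

    # Without the flag there is no "machine" column: the machine name only
    # shows up quoted inside the REASON column ("manual 'ban' from '<machine>'").
    rune -0 cscli alerts list
    refute_output --partial 'machine'
    assert_output --regexp " 'githubciXXXXXXXXXXXXXXXXXXXXXXXX([a-zA-Z0-9]{16})?' "
    refute_output --regexp " githubciXXXXXXXXXXXXXXXXXXXXXXXX([a-zA-Z0-9]{16})? "

    # -m / --machine adds a dedicated column where the name appears unquoted.
    rune -0 cscli alerts list -m
    assert_output --partial 'machine'
    assert_output --regexp " 'githubciXXXXXXXXXXXXXXXXXXXXXXXX([a-zA-Z0-9]{16})?' "
    assert_output --regexp " githubciXXXXXXXXXXXXXXXXXXXXXXXX([a-zA-Z0-9]{16})? "

    rune -0 cscli alerts list --machine
    assert_output --partial 'machine'
    assert_output --regexp " 'githubciXXXXXXXXXXXXXXXXXXXXXXXX([a-zA-Z0-9]{16})?' "
    assert_output --regexp " githubciXXXXXXXXXXXXXXXXXXXXXXXX([a-zA-Z0-9]{16})? "
}

@test "cscli alerts list, human/json/raw" {
    rune -0 cscli decisions add -i 10.20.30.40 -t ban

    # human output is a table with ANSI styling; plaintext strips the escapes
    rune -0 cscli alerts list -o human
    rune -0 plaintext < <(output)
    assert_output --regexp ".* ID .* value .* reason .* country .* as .* decisions .* created_at .*"
    assert_output --regexp ".*Ip:10.20.30.40.*manual 'ban' from.*ban:1.*"

    rune -0 cscli alerts list -o json
    rune -0 jq -c '.[].decisions[0] | [.origin, .scenario, .scope, .simulated, .type, .value]' <(output)
    assert_line --regexp "\[\"cscli\",\"manual 'ban' from 'githubciXXXXXXXXXXXXXXXXXXXXXXXX([a-zA-Z0-9]{16})?'\",\"Ip\",false,\"ban\",\"10.20.30.40\"\]"

    # raw output is CSV with a fixed header
    rune -0 cscli alerts list -o raw
    assert_line "id,scope,value,reason,country,as,decisions,created_at"
    assert_line --regexp ".*,Ip,10.20.30.40,manual 'ban' from 'githubciXXXXXXXXXXXXXXXXXXXXXXXX([a-zA-Z0-9]{16})?',,,ban:1,.*"

    # --machine appends the machine column at the end of every row
    rune -0 cscli alerts list -o raw --machine
    assert_line "id,scope,value,reason,country,as,decisions,created_at,machine"
    assert_line --regexp "^[0-9]+,Ip,10.20.30.40,manual 'ban' from 'githubciXXXXXXXXXXXXXXXXXXXXXXXX([a-zA-Z0-9]{16})?',,,ban:1,.*,githubciXXXXXXXXXXXXXXXXXXXXXXXX([a-zA-Z0-9]{16})?$"
}

@test "cscli alerts inspect" {
    rune -1 cscli alerts inspect
    assert_stderr --partial 'missing alert_id'

    rune -0 cscli decisions add -i 10.20.30.40 -t ban

    # Look the alert id up from the raw listing. "alerts list" takes no
    # positional argument; the previous output is only consumed by the
    # grep/cut steps that follow.
    rune -0 cscli alerts list -o raw
    rune -0 grep -F 10.20.30.40 <(output)
    rune -0 cut -d, -f1 <(output)
    # Exactly one bare integer is expected here: the value is interpolated
    # into regexes and command lines below, so anything else is rejected
    # before it can be used.
    assert_output --regexp '^[0-9]+$'
    ALERT_ID="${output}"

    rune -0 cscli alerts inspect "${ALERT_ID}" -o human
    rune -0 plaintext < <(output)
    assert_line --regexp '^#+$'
    assert_line --regexp "^ - ID *: ${ALERT_ID}$"
    assert_line --regexp "^ - Date *: .*$"
    assert_line --regexp "^ - Machine *: githubciXXXXXXXXXXXXXXXXXXXXXXXX.*"
    assert_line --regexp "^ - Simulation *: false$"
    assert_line --regexp "^ - Reason *: manual 'ban' from 'githubciXXXXXXXXXXXXXXXXXXXXXXXX.*'$"
    assert_line --regexp "^ - Events Count *: 1$"
    assert_line --regexp "^ - Scope:Value *: Ip:10.20.30.40$"
    assert_line --regexp "^ - Country *: *$"
    assert_line --regexp "^ - AS *: *$"
    assert_line --regexp "^ - Begin *: .*$"
    assert_line --regexp "^ - End *: .*$"
    assert_line --regexp "^ - Active Decisions *:$"
    assert_line --regexp "^.* ID .* scope:value .* action .* expiration .* created_at .*$"
    assert_line --regexp "^.* Ip:10.20.30.40 .* ban .*$"

    rune -0 cscli alerts inspect "${ALERT_ID}" -o human --details
    # TODO: nothing is asserted on the --details output yet; a manual
    # decision carries no events, so there may be nothing extra to check.

    rune -0 cscli alerts inspect "${ALERT_ID}" -o raw
    assert_line --regexp "^ *capacity: 0$"
    assert_line --regexp "^ *id: ${ALERT_ID}$"
    assert_line --regexp "^ *origin: cscli$"
    assert_line --regexp "^ *scenario: manual 'ban' from 'githubciXXXXXXXXXXXXXXXXXXXXXXXX.*'$"
    assert_line --regexp "^ *scope: Ip$"
    assert_line --regexp "^ *simulated: false$"
    assert_line --regexp "^ *type: ban$"
    assert_line --regexp "^ *value: 10.20.30.40$"

    rune -0 cscli alerts inspect "${ALERT_ID}" -o json
    alert=${output}
    # jq must succeed as well, not just produce matching text
    rune -0 jq -c '.decisions[] | [.origin,.scenario,.scope,.simulated,.type,.value]' <<<"${alert}"
    assert_output --regexp "\[\"cscli\",\"manual 'ban' from 'githubciXXXXXXXXXXXXXXXXXXXXXXXX.*'\",\"Ip\",false,\"ban\",\"10.20.30.40\"\]"
    rune -0 jq -c '.source' <<<"${alert}"
    assert_json '{ip:"10.20.30.40",scope:"Ip",value:"10.20.30.40"}'
}

@test "no active alerts" {
    # --until 200d filters everything out of a fresh instance; every output
    # format must still produce a well-formed "empty" result.
    rune -0 cscli alerts list --until 200d -o human
    assert_output "No active alerts"
    rune -0 cscli alerts list --until 200d -o json
    assert_json "[]"
    rune -0 cscli alerts list --until 200d -o raw
    assert_output "id,scope,value,reason,country,as,decisions,created_at"
    rune -0 cscli alerts list --until 200d -o raw --machine
    assert_output "id,scope,value,reason,country,as,decisions,created_at,machine"
}

@test "cscli alerts delete (by id)" {
    rune -0 cscli alerts delete --help
    if [[ ! "$output" =~ "--id string" ]]; then
        skip "cscli alerts delete --id not supported"
    fi

    # make sure there is at least one alert
    rune -0 cscli decisions add -i 127.0.0.1 -d 1h -R crowdsecurity/test
    # when testing with global config, alert id is not guaranteed to be 1.
    # we'll just remove the first alert we find
    rune -0 cscli alerts list -o json
    rune -0 jq -c '.[0].id' <(output)
    ALERT_ID="$output"

    rune -0 cscli alerts delete --id "$ALERT_ID"
    refute_output
    assert_stderr --partial "1 alert(s) deleted"

    # can't delete twice
    rune -1 cscli alerts delete --id "$ALERT_ID"
    refute_output
    assert_stderr --partial "unable to delete alert"
    assert_stderr --partial "API error: ent: alert not found"
}

@test "cscli alerts delete (all)" {
    # fresh instance: nothing to delete yet
    rune -0 cscli alerts delete --all
    assert_stderr --partial '0 alert(s) deleted'

    rune -0 cscli decisions add -i 1.2.3.4 -d 1h -R crowdsecurity/test
    rune -0 cscli decisions add -i 1.2.3.5 -d 1h -R crowdsecurity/test

    rune -0 cscli alerts delete --all
    assert_stderr --partial '2 alert(s) deleted'

    # TODO: delete by scope, value, scenario, range..
}

@test "cscli alerts delete (with cascade to decisions)" {
    rune -0 cscli decisions add -i 1.2.3.4
    rune -0 cscli decisions list -o json
    rune -0 jq '. | length' <(output)
    assert_output 1

    # deleting the alert must also remove the decision it carries
    rune -0 cscli alerts delete -i 1.2.3.4
    assert_stderr --partial 'alert(s) deleted'
    rune -0 cscli decisions list -o json
    assert_json '[]'
}

@test "cscli alerts delete (must ignore the query limit)" {
    # more alerts than the default listing page size; delete must not stop
    # at the first page
    for _ in {1..200}; do
        rune -0 cscli decisions add -i 1.2.3.4
    done
    rune -0 cscli alerts delete -i 1.2.3.4
    assert_stderr --partial '200 alert(s) deleted'
}

@test "bad duration" {
    skip 'TODO'
    rune -0 cscli decisions add -i 10.20.30.40 -t ban
    rune -9 cscli decisions list --ip 10.20.30.40 -o json
    rune -9 jq -r '.[].decisions[].id' <(output)
    # The id is spliced into a SQL statement below: require a bare integer
    # so nothing else can reach exec_sql through string interpolation.
    assert_output --regexp '^[0-9]+$'
    DECISION_ID="${output}"

    ./instance-crowdsec stop
    rune -0 ./instance-db exec_sql "UPDATE decisions SET ... WHERE id=${DECISION_ID}"
    ./instance-crowdsec start
}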