fixed tls tests
parent
46f20193f9
commit
520e40db37
|
@ -10,7 +10,8 @@ config_disable_agent() {
|
||||||
setup_file() {
|
setup_file() {
|
||||||
load "../lib/setup_file.sh"
|
load "../lib/setup_file.sh"
|
||||||
./instance-data load
|
./instance-data load
|
||||||
tmpdir=$(mktemp -d)
|
|
||||||
|
tmpdir="${BATS_FILE_TMPDIR}"
|
||||||
export tmpdir
|
export tmpdir
|
||||||
|
|
||||||
CFDIR="${BATS_TEST_DIRNAME}/testdata/cfssl"
|
CFDIR="${BATS_TEST_DIRNAME}/testdata/cfssl"
|
||||||
|
@ -48,7 +49,6 @@ setup_file() {
|
||||||
|
|
||||||
teardown_file() {
|
teardown_file() {
|
||||||
load "../lib/teardown_file.sh"
|
load "../lib/teardown_file.sh"
|
||||||
rm -rf "${tmpdir}"
|
|
||||||
}
|
}
|
||||||
|
|
||||||
setup() {
|
setup() {
|
||||||
|
@ -62,12 +62,12 @@ teardown() {
|
||||||
|
|
||||||
#----------
|
#----------
|
||||||
|
|
||||||
@test "${FILE} there are 0 bouncers" {
|
@test "there are 0 bouncers" {
|
||||||
run -0 cscli bouncers list -o json
|
run -0 cscli bouncers list -o json
|
||||||
assert_output "[]"
|
assert_output "[]"
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "${FILE} simulate one bouncer request with a valid cert" {
|
@test "simulate one bouncer request with a valid cert" {
|
||||||
run -0 curl -s --cert "${tmpdir}/bouncer.pem" --key "${tmpdir}/bouncer-key.pem" --cacert "${tmpdir}/inter.pem" https://localhost:8080/v1/decisions\?ip=42.42.42.42
|
run -0 curl -s --cert "${tmpdir}/bouncer.pem" --key "${tmpdir}/bouncer-key.pem" --cacert "${tmpdir}/inter.pem" https://localhost:8080/v1/decisions\?ip=42.42.42.42
|
||||||
assert_output "null"
|
assert_output "null"
|
||||||
run -0 cscli bouncers list -o json
|
run -0 cscli bouncers list -o json
|
||||||
|
@ -79,19 +79,19 @@ teardown() {
|
||||||
run cscli bouncers delete localhost@127.0.0.1
|
run cscli bouncers delete localhost@127.0.0.1
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "${FILE} simulate one bouncer request with an invalid cert" {
|
@test "simulate one bouncer request with an invalid cert" {
|
||||||
run curl -s --cert "${tmpdir}/bouncer_invalid.pem" --key "${tmpdir}/bouncer_invalid-key.pem" --cacert "${tmpdir}/ca-key.pem" https://localhost:8080/v1/decisions\?ip=42.42.42.42
|
run curl -s --cert "${tmpdir}/bouncer_invalid.pem" --key "${tmpdir}/bouncer_invalid-key.pem" --cacert "${tmpdir}/ca-key.pem" https://localhost:8080/v1/decisions\?ip=42.42.42.42
|
||||||
run -0 cscli bouncers list -o json
|
run -0 cscli bouncers list -o json
|
||||||
assert_output "[]"
|
assert_output "[]"
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "${FILE} simulate one bouncer request with an invalid OU" {
|
@test "simulate one bouncer request with an invalid OU" {
|
||||||
run curl -s --cert "${tmpdir}/bouncer_bad_ou.pem" --key "${tmpdir}/bouncer_bad_ou-key.pem" --cacert "${tmpdir}/inter.pem" https://localhost:8080/v1/decisions\?ip=42.42.42.42
|
run curl -s --cert "${tmpdir}/bouncer_bad_ou.pem" --key "${tmpdir}/bouncer_bad_ou-key.pem" --cacert "${tmpdir}/inter.pem" https://localhost:8080/v1/decisions\?ip=42.42.42.42
|
||||||
run -0 cscli bouncers list -o json
|
run -0 cscli bouncers list -o json
|
||||||
assert_output "[]"
|
assert_output "[]"
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "${FILE} simulate one bouncer request with a revoked certificate" {
|
@test "simulate one bouncer request with a revoked certificate" {
|
||||||
run -0 curl -i -s --cert "${tmpdir}/bouncer_revoked.pem" --key "${tmpdir}/bouncer_revoked-key.pem" --cacert "${tmpdir}/inter.pem" https://localhost:8080/v1/decisions\?ip=42.42.42.42
|
run -0 curl -i -s --cert "${tmpdir}/bouncer_revoked.pem" --key "${tmpdir}/bouncer_revoked-key.pem" --cacert "${tmpdir}/inter.pem" https://localhost:8080/v1/decisions\?ip=42.42.42.42
|
||||||
assert_output --partial "access forbidden"
|
assert_output --partial "access forbidden"
|
||||||
run -0 cscli bouncers list -o json
|
run -0 cscli bouncers list -o json
|
||||||
|
|
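Review bot: The "invalid cert" bouncer test still passes `--cacert "${tmpdir}/ca-key.pem"`, which by its name looks like a private key rather than a CA certificate, so curl probably fails while loading its trust store and never presents `bouncer_invalid.pem` to the server. Because that `run curl` carries no status or output assertion, the following `assert_output "[]"` passes whether the LAPI rejected the certificate or the client simply never connected. Use `--cacert "${tmpdir}/inter.pem"` as the neighbouring tests do, and assert the expected outcome of the request itself, the way the revoked-certificate test does with `assert_output --partial "access forbidden"`. The invalid-OU test has the same unasserted `run curl`.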
|
@ -3,11 +3,18 @@
|
||||||
|
|
||||||
set -u
|
set -u
|
||||||
|
|
||||||
|
config_disable_agent() {
|
||||||
|
yq e 'del(.crowdsec_service)' -i "${CONFIG_YAML}"
|
||||||
|
}
|
||||||
|
|
||||||
setup_file() {
|
setup_file() {
|
||||||
load "../lib/setup_file.sh"
|
load "../lib/setup_file.sh"
|
||||||
./instance-data load
|
./instance-data load
|
||||||
|
|
||||||
tmpdir=$(mktemp -d)
|
CONFIG_DIR=$(dirname "${CONFIG_YAML}")
|
||||||
|
export CONFIG_DIR
|
||||||
|
|
||||||
|
tmpdir="${BATS_FILE_TMPDIR}"
|
||||||
export tmpdir
|
export tmpdir
|
||||||
|
|
||||||
CFDIR="${BATS_TEST_DIRNAME}/testdata/cfssl"
|
CFDIR="${BATS_TEST_DIRNAME}/testdata/cfssl"
|
||||||
|
@ -40,6 +47,8 @@ setup_file() {
|
||||||
.api.server.tls.agents_allowed_ou=["agent-ou"]
|
.api.server.tls.agents_allowed_ou=["agent-ou"]
|
||||||
' -i "${CONFIG_YAML}"
|
' -i "${CONFIG_YAML}"
|
||||||
|
|
||||||
|
run -0 cscli machines delete githubciXXXXXXXXXXXXXXXXXXXXXXXX
|
||||||
|
config_disable_agent
|
||||||
}
|
}
|
||||||
|
|
||||||
teardown_file() {
|
teardown_file() {
|
||||||
|
@ -48,7 +57,6 @@ teardown_file() {
|
||||||
|
|
||||||
setup() {
|
setup() {
|
||||||
load "../lib/setup.sh"
|
load "../lib/setup.sh"
|
||||||
cscli machines delete githubciXXXXXXXXXXXXXXXXXXXXXXXX
|
|
||||||
}
|
}
|
||||||
|
|
||||||
teardown() {
|
teardown() {
|
||||||
|
@ -57,9 +65,7 @@ teardown() {
|
||||||
|
|
||||||
#----------
|
#----------
|
||||||
|
|
||||||
@test "${FILE} invalid OU for agent" {
|
@test "invalid OU for agent" {
|
||||||
CONFIG_DIR=$(dirname "${CONFIG_YAML}")
|
|
||||||
|
|
||||||
yq e '
|
yq e '
|
||||||
.ca_cert_path=strenv(tmpdir) + "/inter.pem" |
|
.ca_cert_path=strenv(tmpdir) + "/inter.pem" |
|
||||||
.key_path=strenv(tmpdir) + "/agent_bad_ou-key.pem" |
|
.key_path=strenv(tmpdir) + "/agent_bad_ou-key.pem" |
|
||||||
|
@ -67,18 +73,13 @@ teardown() {
|
||||||
.url="https://127.0.0.1:8080"
|
.url="https://127.0.0.1:8080"
|
||||||
' -i "${CONFIG_DIR}/local_api_credentials.yaml"
|
' -i "${CONFIG_DIR}/local_api_credentials.yaml"
|
||||||
|
|
||||||
yq e 'del(.login)' -i "${CONFIG_DIR}/local_api_credentials.yaml"
|
yq e 'del(.login,.password)' -i "${CONFIG_DIR}/local_api_credentials.yaml"
|
||||||
yq e 'del(.password)' -i "${CONFIG_DIR}/local_api_credentials.yaml"
|
|
||||||
./instance-crowdsec start
|
./instance-crowdsec start
|
||||||
#let the agent start
|
|
||||||
sleep 2
|
|
||||||
run -0 cscli machines list -o json
|
run -0 cscli machines list -o json
|
||||||
assert_output '[]'
|
assert_output '[]'
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "${FILE} we have exactly one machine registered with TLS" {
|
@test "we have exactly one machine registered with TLS" {
|
||||||
CONFIG_DIR=$(dirname "${CONFIG_YAML}")
|
|
||||||
|
|
||||||
yq e '
|
yq e '
|
||||||
.ca_cert_path=strenv(tmpdir) + "/inter.pem" |
|
.ca_cert_path=strenv(tmpdir) + "/inter.pem" |
|
||||||
.key_path=strenv(tmpdir) + "/agent-key.pem" |
|
.key_path=strenv(tmpdir) + "/agent-key.pem" |
|
||||||
|
@ -86,23 +87,17 @@ teardown() {
|
||||||
.url="https://127.0.0.1:8080"
|
.url="https://127.0.0.1:8080"
|
||||||
' -i "${CONFIG_DIR}/local_api_credentials.yaml"
|
' -i "${CONFIG_DIR}/local_api_credentials.yaml"
|
||||||
|
|
||||||
yq e 'del(.login)' -i "${CONFIG_DIR}/local_api_credentials.yaml"
|
yq e 'del(.login,.password)' -i "${CONFIG_DIR}/local_api_credentials.yaml"
|
||||||
yq e 'del(.password)' -i "${CONFIG_DIR}/local_api_credentials.yaml"
|
|
||||||
./instance-crowdsec start
|
./instance-crowdsec start
|
||||||
#let the agent start
|
run -0 cscli lapi status
|
||||||
sleep 2
|
|
||||||
run -0 cscli machines list -o json
|
run -0 cscli machines list -o json
|
||||||
run -0 jq -c '[. | length, .[0].machineId[0:32], .[0].isValidated, .[0].ipAddress, .[0].auth_type]' <(output)
|
run -0 jq -c '[. | length, .[0].machineId[0:32], .[0].isValidated, .[0].ipAddress, .[0].auth_type]' <(output)
|
||||||
|
|
||||||
assert_output '[1,"localhost@127.0.0.1",true,"127.0.0.1","tls"]'
|
assert_output '[1,"localhost@127.0.0.1",true,"127.0.0.1","tls"]'
|
||||||
cscli machines delete localhost@127.0.0.1
|
cscli machines delete localhost@127.0.0.1
|
||||||
|
|
||||||
./instance-crowdsec stop
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "${FILE} invalid cert for agent" {
|
@test "invalid cert for agent" {
|
||||||
CONFIG_DIR=$(dirname "${CONFIG_YAML}")
|
|
||||||
|
|
||||||
yq e '
|
yq e '
|
||||||
.ca_cert_path=strenv(tmpdir) + "/inter.pem" |
|
.ca_cert_path=strenv(tmpdir) + "/inter.pem" |
|
||||||
.key_path=strenv(tmpdir) + "/agent_invalid-key.pem" |
|
.key_path=strenv(tmpdir) + "/agent_invalid-key.pem" |
|
||||||
|
@ -110,18 +105,13 @@ teardown() {
|
||||||
.url="https://127.0.0.1:8080"
|
.url="https://127.0.0.1:8080"
|
||||||
' -i "${CONFIG_DIR}/local_api_credentials.yaml"
|
' -i "${CONFIG_DIR}/local_api_credentials.yaml"
|
||||||
|
|
||||||
yq e 'del(.login)' -i "${CONFIG_DIR}/local_api_credentials.yaml"
|
yq e 'del(.login,.password)' -i "${CONFIG_DIR}/local_api_credentials.yaml"
|
||||||
yq e 'del(.password)' -i "${CONFIG_DIR}/local_api_credentials.yaml"
|
|
||||||
./instance-crowdsec start
|
./instance-crowdsec start
|
||||||
#let the agent start
|
|
||||||
sleep 2
|
|
||||||
run -0 cscli machines list -o json
|
run -0 cscli machines list -o json
|
||||||
assert_output '[]'
|
assert_output '[]'
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "${FILE} revoked cert for agent" {
|
@test "revoked cert for agent" {
|
||||||
CONFIG_DIR=$(dirname "${CONFIG_YAML}")
|
|
||||||
|
|
||||||
yq e '
|
yq e '
|
||||||
.ca_cert_path=strenv(tmpdir) + "/inter.pem" |
|
.ca_cert_path=strenv(tmpdir) + "/inter.pem" |
|
||||||
.key_path=strenv(tmpdir) + "/agent_revoked-key.pem" |
|
.key_path=strenv(tmpdir) + "/agent_revoked-key.pem" |
|
||||||
|
@ -129,11 +119,8 @@ teardown() {
|
||||||
.url="https://127.0.0.1:8080"
|
.url="https://127.0.0.1:8080"
|
||||||
' -i "${CONFIG_DIR}/local_api_credentials.yaml"
|
' -i "${CONFIG_DIR}/local_api_credentials.yaml"
|
||||||
|
|
||||||
yq e 'del(.login)' -i "${CONFIG_DIR}/local_api_credentials.yaml"
|
yq e 'del(.login,.password)' -i "${CONFIG_DIR}/local_api_credentials.yaml"
|
||||||
yq e 'del(.password)' -i "${CONFIG_DIR}/local_api_credentials.yaml"
|
|
||||||
./instance-crowdsec start
|
./instance-crowdsec start
|
||||||
#let the agent start
|
|
||||||
sleep 2
|
|
||||||
run -0 cscli machines list -o json
|
run -0 cscli machines list -o json
|
||||||
assert_output '[]'
|
assert_output '[]'
|
||||||
}
|
}
|
||||||
|
|
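Review bot: The negative agent tests (invalid OU, invalid cert, revoked cert) now assert that `cscli machines list` is `[]` without any visible step that presents the bad certificate to the LAPI. setup_file calls `config_disable_agent`, the `sleep 2` is removed, and only the valid-certificate test gained `run -0 cscli lapi status`. Unless `./instance-crowdsec start` itself authenticates with `local_api_credentials.yaml` (not visible in these hunks), those three tests would still pass if the server accepted a bad-OU, untrusted or revoked certificate. Add an explicit client call before the list check in each of them, for example `run ! cscli lapi status` (assuming the command exits non-zero when authentication is refused), so the rejection is what is actually tested.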