tests for misconfigured plugins (#1534)
parent
9c1c4093a3
commit
cdab206d05
|
@ -13,6 +13,8 @@ setup_file() {
|
|||
MOCK_PORT="9999"
|
||||
MOCK_URL="http://localhost:${MOCK_PORT}"
|
||||
export MOCK_URL
|
||||
PLUGIN_DIR=$(config_yq '.config_paths.plugin_dir')
|
||||
export PLUGIN_DIR
|
||||
|
||||
# https://mikefarah.gitbook.io/yq/operators/env-variable-operators
|
||||
yq e '
|
||||
|
@ -39,6 +41,9 @@ setup_file() {
|
|||
|
||||
teardown_file() {
|
||||
load "../lib/teardown_file.sh"
|
||||
rm -f "${PLUGIN_DIR}"/badname
|
||||
chmod go-w "${PLUGIN_DIR}"/notification-http
|
||||
./instance-crowdsec stop
|
||||
./instance-mock-http stop
|
||||
}
|
||||
|
||||
|
@ -48,7 +53,7 @@ setup() {
|
|||
|
||||
#----------
|
||||
|
||||
@test "$FILE add two bans" {
|
||||
@test "${FILE} add two bans" {
|
||||
run -0 cscli decisions add --ip 1.2.3.4 --duration 30s
|
||||
assert_output --partial 'Decision successfully added'
|
||||
|
||||
|
@ -57,25 +62,26 @@ setup() {
|
|||
sleep 5
|
||||
}
|
||||
|
||||
@test "$FILE expected 1 log line from http server" {
|
||||
@test "${FILE} expected 1 log line from http server" {
|
||||
run -0 wc -l <"${MOCK_OUT}"
|
||||
# wc can pad with spaces on some platforms
|
||||
run -0 tr -d ' ' < <(output)
|
||||
assert_output 1
|
||||
}
|
||||
|
||||
@test "$FILE expected to receive 2 alerts in the request body from plugin" {
|
||||
@test "${FILE} expected to receive 2 alerts in the request body from plugin" {
|
||||
run -0 jq -r '.request_body' <"${MOCK_OUT}"
|
||||
run -0 jq -r 'length' <(output)
|
||||
assert_output 2
|
||||
}
|
||||
|
||||
@test "$FILE expected to receive IP 1.2.3.4 as value of first decision" {
|
||||
@test "${FILE} expected to receive IP 1.2.3.4 as value of first decision" {
|
||||
run -0 jq -r '.request_body[0].decisions[0].value' <"${MOCK_OUT}"
|
||||
assert_output 1.2.3.4
|
||||
}
|
||||
|
||||
@test "$FILE expected to receive IP 1.2.3.5 as value of second decision" {
|
||||
@test "${FILE} expected to receive IP 1.2.3.5 as value of second decision" {
|
||||
run -0 jq -r '.request_body[1].decisions[0].value' <"${MOCK_OUT}"
|
||||
assert_output 1.2.3.5
|
||||
}
|
||||
|
||||
|
|
88
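--- a/tests/bats/72_plugin_badconfig.bats
+++ b/tests/bats/72_plugin_badconfig.bats
@@ -0,0 +1,88 @@
+#!/usr/bin/env bats
+# vim: ft=bats:list:ts=8:sts=4:sw=4:et:ai:si:
+
+set -u
+
+setup_file() {
+load "../lib/setup_file.sh"
+
+PLUGIN_DIR=$(config_yq '.config_paths.plugin_dir')
+export PLUGIN_DIR
+
+PROFILES_PATH=$(config_yq '.api.server.profiles_path')
+export PROFILES_PATH
+}
+
+teardown_file() {
+load "../lib/teardown_file.sh"
+}
+
+setup() {
+load "../lib/setup.sh"
+./instance-data load
+}
+
+teardown() {
+./instance-crowdsec stop
+rm -f "${PLUGIN_DIR}"/badname
+chmod go-w "${PLUGIN_DIR}"/notification-http
+}
+
+#----------
+
+@test "${FILE} misconfigured plugin, only user is empty" {
+yq e '.plugin_config.user="" | .plugin_config.group="nogroup"' -i "${CONFIG_YAML}"
+yq e '.notifications=["http_default"]' -i "${PROFILES_PATH}"
+run -1 --separate-stderr timeout 2s "${CROWDSEC}"
+run -0 echo "${stderr}"
+assert_output --partial "api server init: unable to run local API: while loading plugin: while getting process attributes: both plugin user and group must be set"
+}
+
+@test "${FILE} misconfigured plugin, only group is empty" {
+yq e '(.plugin_config.user="nobody") | (.plugin_config.group="")' -i "${CONFIG_YAML}"
+yq e '.notifications=["http_default"]' -i "${PROFILES_PATH}"
+run -1 --separate-stderr timeout 2s "${CROWDSEC}"
+run -0 echo "${stderr}"
+assert_output --partial "api server init: unable to run local API: while loading plugin: while getting process attributes: both plugin user and group must be set"
+}
+
+@test "${FILE} misconfigured plugin, user does not exist" {
+yq e '(.plugin_config.user="userdoesnotexist") | (.plugin_config.group="groupdoesnotexist")' -i "${CONFIG_YAML}"
+yq e '.notifications=["http_default"]' -i "${PROFILES_PATH}"
+run -1 --separate-stderr timeout 2s "${CROWDSEC}"
+run -0 echo "${stderr}"
+assert_output --partial "api server init: unable to run local API: while loading plugin: while getting process attributes: user: unknown user userdoesnotexist"
+}
+
+@test "${FILE} misconfigured plugin, group does not exist" {
+yq e '(.plugin_config.user=strenv(USER)) | (.plugin_config.group="groupdoesnotexist")' -i "${CONFIG_YAML}"
+yq e '.notifications=["http_default"]' -i "${PROFILES_PATH}"
+run -1 --separate-stderr timeout 2s "${CROWDSEC}"
+run -0 echo "${stderr}"
+assert_output --partial "api server init: unable to run local API: while loading plugin: while getting process attributes: group: unknown group groupdoesnotexist"
+}
+
+@test "${FILE} bad plugin name" {
+yq e '.notifications=["http_default"]' -i "${PROFILES_PATH}"
+cp "${PLUGIN_DIR}"/notification-http "${PLUGIN_DIR}"/badname
+run -1 --separate-stderr timeout 2s "${CROWDSEC}"
+run -0 echo "${stderr}"
+assert_output --partial "api server init: unable to run local API: while loading plugin: plugin name ${PLUGIN_DIR}/badname is invalid. Name should be like {type-name}"
+}
+
+@test "${FILE} bad plugin permission (group writable)" {
+yq e '.notifications=["http_default"]' -i "${PROFILES_PATH}"
+chmod g+w "${PLUGIN_DIR}"/notification-http
+run -1 --separate-stderr timeout 2s "${CROWDSEC}"
+run -0 echo "${stderr}"
+assert_output --partial "api server init: unable to run local API: while loading plugin: plugin at ${PLUGIN_DIR}/notification-http is group writable, group writable plugins are invalid"
+}
+
+@test "${FILE} bad plugin permission (world writable)" {
+yq e '.notifications=["http_default"]' -i "${PROFILES_PATH}"
+chmod o+w "${PLUGIN_DIR}"/notification-http
+run -1 --separate-stderr timeout 2s "${CROWDSEC}"
+run -0 echo "${stderr}"
+assert_output --partial "api server init: unable to run local API: while loading plugin: plugin at ${PLUGIN_DIR}/notification-http is world writable, world writable plugins are invalid"
+}
+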
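Review bot: In `teardown()`, the file and permission cleanup runs only after `./instance-crowdsec stop`. If bats aborts teardown at the first failing command (as it appears to do for test bodies), a failed stop would leave `notification-http` group- or world-writable and `badname` in place for later test files. Restoring state first is safer: move `rm -f "${PLUGIN_DIR}"/badname` and `chmod go-w "${PLUGIN_DIR}"/notification-http` ahead of the stop. Separately, the "group does not exist" test reads `strenv(USER)`, and `USER` is not guaranteed to be set in minimal CI containers. Exporting a value from `id -un` in `setup_file` would remove that dependency on the environment.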