tests for misconfigured plugins (#1534)

2022-05-19 13:27:24 +02:00 · 2022-05-19 13:27:24 +02:00 · cdab206d05
parent 9c1c4093a3
commit cdab206d05
2 changed files with 99 additions and 5 deletions
--- a/tests/bats/70_http_plugin.bats
+++ b/tests/bats/70_http_plugin.bats
@ -13,6 +13,8 @@ setup_file() {
    MOCK_PORT="9999"
    MOCK_URL="http://localhost:${MOCK_PORT}"
    export MOCK_URL
+    PLUGIN_DIR=$(config_yq '.config_paths.plugin_dir')
+    export PLUGIN_DIR

    # https://mikefarah.gitbook.io/yq/operators/env-variable-operators
    yq e '
@ -39,6 +41,9 @@ setup_file() {

 teardown_file() {
    load "../lib/teardown_file.sh"
+    rm -f "${PLUGIN_DIR}"/badname
+    chmod go-w "${PLUGIN_DIR}"/notification-http
+    ./instance-crowdsec stop
    ./instance-mock-http stop
 }

@ -48,7 +53,7 @@ setup() {

 #----------

-@test "$FILE add two bans" {
+@test "${FILE} add two bans" {
    run -0 cscli decisions add --ip 1.2.3.4 --duration 30s
    assert_output --partial 'Decision successfully added'

@ -57,25 +62,26 @@ setup() {
    sleep 5
 }

-@test "$FILE expected 1 log line from http server" {
+@test "${FILE} expected 1 log line from http server" {
    run -0 wc -l <"${MOCK_OUT}"
    # wc can pad with spaces on some platforms
    run -0 tr -d ' ' < <(output)
    assert_output 1
 }

-@test "$FILE expected to receive 2 alerts in the request body from plugin" {
+@test "${FILE} expected to receive 2 alerts in the request body from plugin" {
    run -0 jq -r '.request_body' <"${MOCK_OUT}"
    run -0 jq -r 'length' <(output)
    assert_output 2
 }

-@test "$FILE expected to receive IP 1.2.3.4 as value of first decision" {
+@test "${FILE} expected to receive IP 1.2.3.4 as value of first decision" {
    run -0 jq -r '.request_body[0].decisions[0].value' <"${MOCK_OUT}"
    assert_output 1.2.3.4
 }

-@test "$FILE expected to receive IP 1.2.3.5 as value of second decision" {
+@test "${FILE} expected to receive IP 1.2.3.5 as value of second decision" {
    run -0 jq -r '.request_body[1].decisions[0].value' <"${MOCK_OUT}"
    assert_output 1.2.3.5
 }
+
--- a/tests/bats/72_plugin_badconfig.bats
+++ b/tests/bats/72_plugin_badconfig.bats
@ -0,0 +1,88 @@
+#!/usr/bin/env bats
+# vim: ft=bats:list:ts=8:sts=4:sw=4:et:ai:si:
+
+set -u
+
+setup_file() {
+    load "../lib/setup_file.sh"
+
+    PLUGIN_DIR=$(config_yq '.config_paths.plugin_dir')
+    export PLUGIN_DIR
+
+    PROFILES_PATH=$(config_yq '.api.server.profiles_path')
+    export PROFILES_PATH
+}
+
+teardown_file() {
+    load "../lib/teardown_file.sh"
+}
+
+setup() {
+    load "../lib/setup.sh"
+    ./instance-data load
+}
+
+teardown() {
+    ./instance-crowdsec stop
+    rm -f "${PLUGIN_DIR}"/badname
+    chmod go-w "${PLUGIN_DIR}"/notification-http
+}
+
+#----------
+
+@test "${FILE} misconfigured plugin, only user is empty" {
+    yq e '.plugin_config.user="" | .plugin_config.group="nogroup"' -i "${CONFIG_YAML}"
+    yq e '.notifications=["http_default"]' -i "${PROFILES_PATH}"
+    run -1 --separate-stderr timeout 2s "${CROWDSEC}"
+    run -0 echo "${stderr}"
+    assert_output --partial "api server init: unable to run local API: while loading plugin: while getting process attributes: both plugin user and group must be set"
+}
+
+@test "${FILE} misconfigured plugin, only group is empty" {
+    yq e '(.plugin_config.user="nobody") | (.plugin_config.group="")' -i "${CONFIG_YAML}"
+    yq e '.notifications=["http_default"]' -i "${PROFILES_PATH}"
+    run -1 --separate-stderr timeout 2s "${CROWDSEC}"
+    run -0 echo "${stderr}"
+    assert_output --partial "api server init: unable to run local API: while loading plugin: while getting process attributes: both plugin user and group must be set"
+}
+
+@test "${FILE} misconfigured plugin, user does not exist" {
+    yq e '(.plugin_config.user="userdoesnotexist") | (.plugin_config.group="groupdoesnotexist")' -i "${CONFIG_YAML}"
+    yq e '.notifications=["http_default"]' -i "${PROFILES_PATH}"
+    run -1 --separate-stderr timeout 2s "${CROWDSEC}"
+    run -0 echo "${stderr}"
+    assert_output --partial "api server init: unable to run local API: while loading plugin: while getting process attributes: user: unknown user userdoesnotexist"
+}
+
+@test "${FILE} misconfigured plugin, group does not exist" {
+    yq e '(.plugin_config.user=strenv(USER)) | (.plugin_config.group="groupdoesnotexist")' -i "${CONFIG_YAML}"
+    yq e '.notifications=["http_default"]' -i "${PROFILES_PATH}"
+    run -1 --separate-stderr timeout 2s "${CROWDSEC}"
+    run -0 echo "${stderr}"
+    assert_output --partial "api server init: unable to run local API: while loading plugin: while getting process attributes: group: unknown group groupdoesnotexist"
+}
+
+@test "${FILE} bad plugin name" {
+    yq e '.notifications=["http_default"]' -i "${PROFILES_PATH}"
+    cp "${PLUGIN_DIR}"/notification-http "${PLUGIN_DIR}"/badname
+    run -1 --separate-stderr timeout 2s "${CROWDSEC}"
+    run -0 echo "${stderr}"
+    assert_output --partial "api server init: unable to run local API: while loading plugin: plugin name ${PLUGIN_DIR}/badname is invalid. Name should be like {type-name}"
+}
+
+@test "${FILE} bad plugin permission (group writable)" {
+    yq e '.notifications=["http_default"]' -i "${PROFILES_PATH}"
+    chmod g+w "${PLUGIN_DIR}"/notification-http
+    run -1 --separate-stderr timeout 2s "${CROWDSEC}"
+    run -0 echo "${stderr}"
+    assert_output --partial "api server init: unable to run local API: while loading plugin: plugin at ${PLUGIN_DIR}/notification-http is group writable, group writable plugins are invalid"
+}
+
+@test "${FILE} bad plugin permission (world writable)" {
+    yq e '.notifications=["http_default"]' -i "${PROFILES_PATH}"
+    chmod o+w "${PLUGIN_DIR}"/notification-http
+    run -1 --separate-stderr timeout 2s "${CROWDSEC}"
+    run -0 echo "${stderr}"
+    assert_output --partial "api server init: unable to run local API: while loading plugin: plugin at ${PLUGIN_DIR}/notification-http is world writable, world writable plugins are invalid"
+}
+