diff --git a/tests/bats/70_http_plugin.bats b/tests/bats/70_http_plugin.bats index 488ac542f..c272e8fae 100644 --- a/tests/bats/70_http_plugin.bats +++ b/tests/bats/70_http_plugin.bats @@ -13,6 +13,8 @@ setup_file() { MOCK_PORT="9999" MOCK_URL="http://localhost:${MOCK_PORT}" export MOCK_URL + PLUGIN_DIR=$(config_yq '.config_paths.plugin_dir') + export PLUGIN_DIR # https://mikefarah.gitbook.io/yq/operators/env-variable-operators yq e ' @@ -39,6 +41,9 @@ setup_file() { teardown_file() { load "../lib/teardown_file.sh" + rm -f "${PLUGIN_DIR}"/badname + chmod go-w "${PLUGIN_DIR}"/notification-http + ./instance-crowdsec stop ./instance-mock-http stop } @@ -48,7 +53,7 @@ setup() { #---------- -@test "$FILE add two bans" { +@test "${FILE} add two bans" { run -0 cscli decisions add --ip 1.2.3.4 --duration 30s assert_output --partial 'Decision successfully added' @@ -57,25 +62,26 @@ setup() { sleep 5 } -@test "$FILE expected 1 log line from http server" { +@test "${FILE} expected 1 log line from http server" { run -0 wc -l <"${MOCK_OUT}" # wc can pad with spaces on some platforms run -0 tr -d ' ' < <(output) assert_output 1 } -@test "$FILE expected to receive 2 alerts in the request body from plugin" { +@test "${FILE} expected to receive 2 alerts in the request body from plugin" { run -0 jq -r '.request_body' <"${MOCK_OUT}" run -0 jq -r 'length' <(output) assert_output 2 } -@test "$FILE expected to receive IP 1.2.3.4 as value of first decision" { +@test "${FILE} expected to receive IP 1.2.3.4 as value of first decision" { run -0 jq -r '.request_body[0].decisions[0].value' <"${MOCK_OUT}" assert_output 1.2.3.4 } -@test "$FILE expected to receive IP 1.2.3.5 as value of second decision" { +@test "${FILE} expected to receive IP 1.2.3.5 as value of second decision" { run -0 jq -r '.request_body[1].decisions[0].value' <"${MOCK_OUT}" assert_output 1.2.3.5 } + 
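Review bot: In `teardown_file` the two added cleanup commands run before `./instance-crowdsec stop` and `./instance-mock-http stop`, so if `chmod go-w` fails (for example because the plugin binary is missing) and bats aborts the function at the first error, both instances may be left running. `PLUGIN_DIR` is also used unchecked: if `config_yq` printed nothing in `setup_file`, the targets become `/badname` and `/notification-http`. I would move the cleanup after the two stop calls and write it as `rm -f -- "${PLUGIN_DIR:?}"/badname` and `chmod go-w -- "${PLUGIN_DIR:?}"/notification-http`; the same guard applies to `teardown` in `72_plugin_badconfig.bats`. Nothing in this file's hunks creates `badname` or loosens the mode, so a comment such as `# restore plugin dir state possibly left behind by the bad-config suite` would explain why the cleanup lives here.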
diff --git a/tests/bats/72_plugin_badconfig.bats b/tests/bats/72_plugin_badconfig.bats
new file mode 100644
index 000000000..f24bfebb2
--- /dev/null
+++ b/tests/bats/72_plugin_badconfig.bats
@@ -0,0 +1,88 @@
+#!/usr/bin/env bats
+# vim: ft=bats:list:ts=8:sts=4:sw=4:et:ai:si:
+
+set -u
+
+setup_file() {
+ load "../lib/setup_file.sh"
+
+ PLUGIN_DIR=$(config_yq '.config_paths.plugin_dir')
+ export PLUGIN_DIR
+
+ PROFILES_PATH=$(config_yq '.api.server.profiles_path')
+ export PROFILES_PATH
+}
+
+teardown_file() {
+ load "../lib/teardown_file.sh"
+}
+
+setup() {
+ load "../lib/setup.sh"
+ ./instance-data load
+}
+
+teardown() {
+ ./instance-crowdsec stop
+ rm -f "${PLUGIN_DIR}"/badname
+ chmod go-w "${PLUGIN_DIR}"/notification-http
+}
+
+#----------
+
+@test "${FILE} misconfigured plugin, only user is empty" {
+ yq e '.plugin_config.user="" | .plugin_config.group="nogroup"' -i "${CONFIG_YAML}"
+ yq e '.notifications=["http_default"]' -i "${PROFILES_PATH}"
+ run -1 --separate-stderr timeout 2s "${CROWDSEC}"
+ run -0 echo "${stderr}"
+ assert_output --partial "api server init: unable to run local API: while loading plugin: while getting process attributes: both plugin user and group must be set"
+}
+
+@test "${FILE} misconfigured plugin, only group is empty" {
+ yq e '(.plugin_config.user="nobody") | (.plugin_config.group="")' -i "${CONFIG_YAML}"
+ yq e '.notifications=["http_default"]' -i "${PROFILES_PATH}"
+ run -1 --separate-stderr timeout 2s "${CROWDSEC}"
+ run -0 echo "${stderr}"
+ assert_output --partial "api server init: unable to run local API: while loading plugin: while getting process attributes: both plugin user and group must be set"
+}
+
+@test "${FILE} misconfigured plugin, user does not exist" {
+ yq e '(.plugin_config.user="userdoesnotexist") | (.plugin_config.group="groupdoesnotexist")' -i "${CONFIG_YAML}"
+ yq e '.notifications=["http_default"]' -i "${PROFILES_PATH}"
+ run -1 --separate-stderr timeout 2s "${CROWDSEC}"
+ run -0 echo "${stderr}"
+ assert_output --partial "api server init: unable to run local API: while loading plugin: while getting process attributes: user: unknown user userdoesnotexist"
+}
+
+@test "${FILE} misconfigured plugin, group does not exist" {
+ yq e '(.plugin_config.user=strenv(USER)) | (.plugin_config.group="groupdoesnotexist")' -i "${CONFIG_YAML}"
+ yq e '.notifications=["http_default"]' -i "${PROFILES_PATH}"
+ run -1 --separate-stderr timeout 2s "${CROWDSEC}"
+ run -0 echo "${stderr}"
+ assert_output --partial "api server init: unable to run local API: while loading plugin: while getting process attributes: group: unknown group groupdoesnotexist"
+}
+
+@test "${FILE} bad plugin name" {
+ yq e '.notifications=["http_default"]' -i "${PROFILES_PATH}"
+ cp "${PLUGIN_DIR}"/notification-http "${PLUGIN_DIR}"/badname
+ run -1 --separate-stderr timeout 2s "${CROWDSEC}"
+ run -0 echo "${stderr}"
+ assert_output --partial "api server init: unable to run local API: while loading plugin: plugin name ${PLUGIN_DIR}/badname is invalid. Name should be like {type-name}"
+}
+
+@test "${FILE} bad plugin permission (group writable)" {
+ yq e '.notifications=["http_default"]' -i "${PROFILES_PATH}"
+ chmod g+w "${PLUGIN_DIR}"/notification-http
+ run -1 --separate-stderr timeout 2s "${CROWDSEC}"
+ run -0 echo "${stderr}"
+ assert_output --partial "api server init: unable to run local API: while loading plugin: plugin at ${PLUGIN_DIR}/notification-http is group writable, group writable plugins are invalid"
+}
+
+@test "${FILE} bad plugin permission (world writable)" {
+ yq e '.notifications=["http_default"]' -i "${PROFILES_PATH}"
+ chmod o+w "${PLUGIN_DIR}"/notification-http
+ run -1 --separate-stderr timeout 2s "${CROWDSEC}"
+ run -0 echo "${stderr}"
+ assert_output --partial "api server init: unable to run local API: while loading plugin: plugin at ${PLUGIN_DIR}/notification-http is world writable, world writable plugins are invalid"
+}
+
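Review bot: Every case runs `run -1 --separate-stderr timeout 2s "${CROWDSEC}"`, so on a host that needs more than two seconds to reach plugin loading `timeout` returns 124 and the test fails without showing whether the user/group or writable-binary check fired. A wider margin such as `timeout 10s` still catches a process that starts successfully, and makes these checks less likely to be skipped or disabled as flaky. In the "group does not exist" case `strenv(USER)` depends on `USER` being present in the environment, which is often not so in containers; prefixing the call as `USER="$(id -un)" yq e ...` would remove that dependency. A header comment such as `# crowdsec must refuse to start when the plugin user/group is unset or unknown, or the plugin binary is misnamed or group/world writable` would document what the file guards.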