func tests: no api key and certs at the same time (#327)
mmetc authored Sep 21, 2023
1 parent bdd7ed8 commit a220ee6
Showing 4 changed files with 90 additions and 27 deletions.
2 changes: 1 addition & 1 deletion Pipfile
@@ -1,7 +1,7 @@
[packages]
exceptiongroup = "1.1.1"
pexpect = "4.8.0"
pytest-cs = {ref = "0.7.16", git = "https://github.com/crowdsecurity/pytest-cs.git"}
pytest-cs = {ref = "0.7.18", git = "https://github.com/crowdsecurity/pytest-cs.git"}
pytest-dependency = "0.5.1"
pytest-dotenv = "0.5.2"
flask = "2.2.3"
66 changes: 43 additions & 23 deletions Pipfile.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 2 additions & 2 deletions test/bouncer/test_firewall_bouncer.py
@@ -59,7 +59,7 @@ def test_api_url(crowdsec, bouncer, fw_cfg_factory):
def test_api_key(crowdsec, bouncer, fw_cfg_factory, api_key_factory, bouncer_under_test):
api_key = api_key_factory()
env = {
'BOUNCER_KEY_firewall': api_key
'BOUNCER_KEY_bouncer': api_key
}

with crowdsec(environment=env) as lapi:
@@ -101,6 +101,6 @@ def test_api_key(crowdsec, bouncer, fw_cfg_factory, api_key_factory, bouncer_und
assert res.exit_code == 0
bouncers = json.loads(res.output)
assert len(bouncers) == 1
assert bouncers[0]['name'] == 'firewall'
assert bouncers[0]['name'] == 'bouncer'
assert bouncers[0]['auth_type'] == 'api-key'
assert bouncers[0]['type'] == bouncer_under_test
45 changes: 44 additions & 1 deletion test/bouncer/test_tls.py
@@ -1,5 +1,6 @@
import json


def test_tls_server(crowdsec, certs_dir, api_key_factory, bouncer, fw_cfg_factory):
"""TLS with server-only certificate"""

@@ -11,7 +12,7 @@ def test_tls_server(crowdsec, certs_dir, api_key_factory, bouncer, fw_cfg_factor
'LAPI_KEY_FILE': '/etc/ssl/crowdsec/lapi.key',
'USE_TLS': 'true',
'LOCAL_API_URL': 'https://localhost:8080',
'BOUNCER_KEY_custom': api_key,
'BOUNCER_KEY_bouncer': api_key,
}

certs = certs_dir(lapi_hostname='lapi')
@@ -108,3 +109,45 @@ def test_tls_mutual(crowdsec, certs_dir, api_key_factory, bouncer, fw_cfg_factor
assert bouncers[0]['name'].startswith('@')
assert bouncers[0]['auth_type'] == 'tls'
assert bouncers[0]['type'] == bouncer_under_test


def test_api_key_and_cert(crowdsec, certs_dir, api_key_factory, bouncer, fw_cfg_factory):
"""Attempt to send an api key and a certificate too"""

api_key = api_key_factory()

lapi_env = {
'CACERT_FILE': '/etc/ssl/crowdsec/ca.crt',
'LAPI_CERT_FILE': '/etc/ssl/crowdsec/lapi.crt',
'LAPI_KEY_FILE': '/etc/ssl/crowdsec/lapi.key',
'USE_TLS': 'true',
'LOCAL_API_URL': 'https://localhost:8080',
'BOUNCER_KEY_bouncer': api_key,
}

certs = certs_dir(lapi_hostname='lapi')

volumes = {
certs: {'bind': '/etc/ssl/crowdsec', 'mode': 'ro'},
}

with crowdsec(environment=lapi_env, volumes=volumes) as cs:
cs.wait_for_log("*CrowdSec Local API listening*")
cs.wait_for_http(8080, '/health', want_status=None)

port = cs.probe.get_bound_port('8080')
cfg = fw_cfg_factory()
cfg['api_url'] = f'https://localhost:{port}'
cfg['ca_cert_path'] = (certs / 'ca.crt').as_posix()
cfg['api_key'] = api_key

cfg['cert_path'] = (certs / 'bouncer.crt').as_posix()
cfg['key_path'] = (certs / 'bouncer.key').as_posix()

cs.wait_for_log("*Starting processing data*")

with bouncer(cfg) as cb:
cb.wait_for_lines_fnmatch([
"*Starting crowdsec-firewall-bouncer*",
"*unable to configure bouncer: api client init: cannot use both API key and certificate auth*",
])
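Review bot: test_api_key_and_cert ends at the `wait_for_lines_fnmatch` call and never asserts that the bouncer actually stopped, so a build that logs `cannot use both API key and certificate auth` but keeps running on one of the two credentials would still pass. The value of this check is that an ambiguous auth configuration fails closed, so I would follow the log match with an assertion that the bouncer process has exited. I would also query the LAPI bouncer list, as the neighbouring TLS tests appear to do, and confirm that no entry with `auth_type` of `tls` was created, leaving only the `bouncer` api-key entry that `BOUNCER_KEY_bouncer` presumably registers. The docstring could state the expected outcome instead of the attempt, e.g. `"""A config with both api_key and cert_path/key_path must make the bouncer refuse to start"""`.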
