log levels, file names and profiles
mmetc committed May 28, 2024
1 parent 501e48e commit 7c79668
Showing 3 changed files with 87 additions and 86 deletions.
82 changes: 43 additions & 39 deletions test/bats/11_bouncers_tls.bats
Expand Up @@ -14,67 +14,71 @@ setup_file() {
export CFDIR

# Root CA
cfssl gencert \
--initca "${CFDIR}/ca_root.json" 2>/dev/null \
| cfssljson --bare "${tmpdir}/ca"
cfssl gencert -loglevel 2 \
--initca "${CFDIR}/ca_root.json" \
| cfssljson --bare "${tmpdir}/root"

# Intermediate CA
cfssl gencert \
--initca "${CFDIR}/ca_intermediate.json" 2>/dev/null \
cfssl gencert -loglevel 2 \
--initca "${CFDIR}/ca_intermediate.json" \
| cfssljson --bare "${tmpdir}/inter"

cfssl sign \
-ca "${tmpdir}/ca.pem" -ca-key "${tmpdir}/ca-key.pem" \
-config "${CFDIR}/profiles.json" -profile intermediate_ca "${tmpdir}/inter.csr" 2>/dev/null \
cfssl sign -loglevel 2 \
-ca "${tmpdir}/root.pem" -ca-key "${tmpdir}/root-key.pem" \
-config "${CFDIR}/profiles.json" -profile intermediate_ca "${tmpdir}/inter.csr" \
| cfssljson --bare "${tmpdir}/inter"

# Server cert for crowdsec with the intermediate
cfssl gencert \
cfssl gencert -loglevel 2 \
-ca "${tmpdir}/inter.pem" -ca-key "${tmpdir}/inter-key.pem" \
-config "${CFDIR}/profiles.json" -profile=server "${CFDIR}/server.json" 2>/dev/null \
-config "${CFDIR}/profiles.json" -profile=server "${CFDIR}/server.json" \
| cfssljson --bare "${tmpdir}/server"

# Client cert (valid)
cfssl gencert \
cfssl gencert -loglevel 3 \
-ca "${tmpdir}/inter.pem" -ca-key "${tmpdir}/inter-key.pem" \
-config "${CFDIR}/profiles.json" -profile=client "${CFDIR}/bouncer.json" 2>/dev/null \
| cfssljson --bare "${tmpdir}/bouncer"
-config "${CFDIR}/profiles.json" -profile=client "${CFDIR}/bouncer.json" \
| cfssljson --bare "${tmpdir}/leaf"

# Bad client cert (invalid OU)
cfssl gencert \
cfssl gencert -loglevel 3 \
-ca "${tmpdir}/inter.pem" -ca-key "${tmpdir}/inter-key.pem" \
-config "${CFDIR}/profiles.json" -profile=client "${CFDIR}/bouncer_invalid.json" 2>/dev/null \
| cfssljson --bare "${tmpdir}/bouncer_bad_ou"
-config "${CFDIR}/profiles.json" -profile=client "${CFDIR}/bouncer_invalid.json" \
| cfssljson --bare "${tmpdir}/leaf_bad_ou"

# Bad client cert (directly signed by the CA, it should be refused by crowdsec as it uses the intermediate)
cfssl gencert \
-ca "${tmpdir}/ca.pem" -ca-key "${tmpdir}/ca-key.pem" \
-config "${CFDIR}/profiles.json" -profile=client "${CFDIR}/bouncer.json" 2>/dev/null \
| cfssljson --bare "${tmpdir}/bouncer_invalid"
cfssl gencert -loglevel 3 \
-ca "${tmpdir}/root.pem" -ca-key "${tmpdir}/root-key.pem" \
-config "${CFDIR}/profiles.json" -profile=client "${CFDIR}/bouncer.json" \
| cfssljson --bare "${tmpdir}/leaf_invalid"

# Bad client certs (revoked)
for cert_name in "revoked_1" "revoked_2"; do
cfssl gencert \
for cert_name in "leaf_rev1" "leaf_rev2"; do
cfssl gencert -loglevel 3 \
-ca "${tmpdir}/inter.pem" -ca-key "${tmpdir}/inter-key.pem" \
-config "${CFDIR}/profiles.json" -profile=client "${CFDIR}/bouncer.json" 2>/dev/null \
-config "${CFDIR}/profiles.json" -profile=client "${CFDIR}/bouncer.json" \
| cfssljson --bare "${tmpdir}/${cert_name}"

cfssl certinfo \
-cert "${tmpdir}/${cert_name}.pem" \
| jq -r '.serial_number' > "${tmpdir}/serials_${cert_name}.txt"
done

truncate -s 0 "${tmpdir}/crl.pem"

# Generate separate CRL blocks and concatenate them
for cert_name in "revoked_1" "revoked_2"; do
echo '-----BEGIN X509 CRL-----' > "${tmpdir}/crl_${cert_name}.pem"
cfssl gencrl \
"${tmpdir}/serials_${cert_name}.txt" "${tmpdir}/ca.pem" "${tmpdir}/ca-key.pem" \
>> "${tmpdir}/crl_${cert_name}.pem"
echo '-----END X509 CRL-----' >> "${tmpdir}/crl_${cert_name}.pem"
for cert_name in "leaf_rev1" "leaf_rev2"; do
{
echo '-----BEGIN X509 CRL-----'
cfssl gencrl \
"${tmpdir}/serials_${cert_name}.txt" \
"${tmpdir}/root.pem" \
"${tmpdir}/root-key.pem"
echo '-----END X509 CRL-----'
} >> "${tmpdir}/crl.pem"
done
cat "${tmpdir}/crl_revoked_1.pem" "${tmpdir}/crl_revoked_2.pem" >"${tmpdir}/crl.pem"

cat "${tmpdir}/ca.pem" "${tmpdir}/inter.pem" > "${tmpdir}/bundle.pem"
cat "${tmpdir}/root.pem" "${tmpdir}/inter.pem" > "${tmpdir}/bundle.pem"

config_set '
.api.server.tls.cert_file=strenv(tmpdir) + "/server.pem" |
Expand Down Expand Up @@ -109,8 +113,8 @@ teardown() {

@test "simulate a bouncer request with a valid cert" {
rune -0 curl -f -s \
--cert "${tmpdir}/bouncer.pem" \
--key "${tmpdir}/bouncer-key.pem" \
--cert "${tmpdir}/leaf.pem" \
--key "${tmpdir}/leaf-key.pem" \
--cacert "${tmpdir}/bundle.pem" \
https://localhost:8080/v1/decisions\?ip=42.42.42.42
assert_output "null"
Expand All @@ -125,18 +129,18 @@ teardown() {

@test "simulate a bouncer request with an invalid cert" {
rune -77 curl -f -s \
--cert "${tmpdir}/bouncer_invalid.pem" \
--key "${tmpdir}/bouncer_invalid-key.pem" \
--cacert "${tmpdir}/ca-key.pem" \
--cert "${tmpdir}/leaf_invalid.pem" \
--key "${tmpdir}/leaf_invalid-key.pem" \
--cacert "${tmpdir}/root-key.pem" \
https://localhost:8080/v1/decisions\?ip=42.42.42.42
rune -0 cscli bouncers list -o json
assert_output "[]"
}

@test "simulate a bouncer request with an invalid OU" {
rune -22 curl -f -s \
--cert "${tmpdir}/bouncer_bad_ou.pem" \
--key "${tmpdir}/bouncer_bad_ou-key.pem" \
--cert "${tmpdir}/leaf_bad_ou.pem" \
--key "${tmpdir}/leaf_bad_ou-key.pem" \
--cacert "${tmpdir}/bundle.pem" \
https://localhost:8080/v1/decisions\?ip=42.42.42.42
rune -0 cscli bouncers list -o json
Expand All @@ -145,7 +149,7 @@ teardown() {

@test "simulate a bouncer request with a revoked certificate" {
# we have two certificates revoked by different CRL blocks
for cert_name in "revoked_1" "revoked_2"; do
for cert_name in "leaf_rev1" "leaf_rev2"; do
truncate_log
rune -0 curl -s \
--cert "${tmpdir}/${cert_name}.pem" \
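Review bot: In the `simulate a bouncer request with an invalid cert` test (hunk `@@ -125,18 +129,18 @@`), the renamed line `--cacert "${tmpdir}/root-key.pem"` still hands curl the root CA's private key as its trust store, so curl exits 77 (CURLE_SSL_CACERT_BADFILE) before any TLS handshake starts and the assertion never shows crowdsec refusing a leaf that was signed directly by the root, which is what the setup comment says this cert is for. The rename carries that pre-existing defect over; to exercise the server-side check the line should read `--cacert "${tmpdir}/bundle.pem" \` and the expected `rune` status has to be taken from an actual run, since the failure would then come from the handshake rather than from an unreadable CA file. The `cscli bouncers list` assertion that follows remains a useful secondary check that nothing got registered.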
84 changes: 44 additions & 40 deletions test/bats/30_machines_tls.bats
Expand Up @@ -17,67 +17,71 @@ setup_file() {
export CFDIR

# Root CA
cfssl gencert \
--initca "${CFDIR}/ca_root.json" 2>/dev/null \
| cfssljson --bare "${tmpdir}/ca"
cfssl gencert -loglevel 2 \
--initca "${CFDIR}/ca_root.json" \
| cfssljson --bare "${tmpdir}/root"

# Intermediate CA
cfssl gencert \
--initca "${CFDIR}/ca_intermediate.json" 2>/dev/null \
cfssl gencert -loglevel 2 \
--initca "${CFDIR}/ca_intermediate.json" \
| cfssljson --bare "${tmpdir}/inter"

cfssl sign \
-ca "${tmpdir}/ca.pem" -ca-key "${tmpdir}/ca-key.pem" \
-config "${CFDIR}/profiles.json" -profile intermediate_ca "${tmpdir}/inter.csr" 2>/dev/null \
cfssl sign -loglevel 2 \
-ca "${tmpdir}/root.pem" -ca-key "${tmpdir}/root-key.pem" \
-config "${CFDIR}/profiles.json" -profile intermediate_ca "${tmpdir}/inter.csr" \
| cfssljson --bare "${tmpdir}/inter"

# Server cert for crowdsec with the intermediate
cfssl gencert \
cfssl gencert -loglevel 2 \
-ca "${tmpdir}/inter.pem" -ca-key "${tmpdir}/inter-key.pem" \
-config "${CFDIR}/profiles.json" -profile=server "${CFDIR}/server.json" 2>/dev/null \
-config "${CFDIR}/profiles.json" -profile=server "${CFDIR}/server.json" \
| cfssljson --bare "${tmpdir}/server"

# Client cert (valid)
cfssl gencert \
cfssl gencert -loglevel 3 \
-ca "${tmpdir}/inter.pem" -ca-key "${tmpdir}/inter-key.pem" \
-config "${CFDIR}/profiles.json" -profile=client "${CFDIR}/agent.json" 2>/dev/null \
| cfssljson --bare "${tmpdir}/agent"
-config "${CFDIR}/profiles.json" -profile=client "${CFDIR}/agent.json" \
| cfssljson --bare "${tmpdir}/leaf"

# Bad client cert (invalid OU)
cfssl gencert \
cfssl gencert -loglevel 3 \
-ca "${tmpdir}/inter.pem" -ca-key "${tmpdir}/inter-key.pem" \
-config "${CFDIR}/profiles.json" -profile=client "${CFDIR}/agent_invalid.json" 2>/dev/null \
| cfssljson --bare "${tmpdir}/agent_bad_ou"
-config "${CFDIR}/profiles.json" -profile=client "${CFDIR}/agent_invalid.json" \
| cfssljson --bare "${tmpdir}/leaf_bad_ou"

# Bad client cert (directly signed by the CA, it should be refused by crowdsec as it uses the intermediate)
cfssl gencert \
-ca "${tmpdir}/ca.pem" -ca-key "${tmpdir}/ca-key.pem" \
-config "${CFDIR}/profiles.json" -profile=client "${CFDIR}/agent.json" 2>/dev/null \
| cfssljson --bare "${tmpdir}/agent_invalid"
cfssl gencert -loglevel 3 \
-ca "${tmpdir}/root.pem" -ca-key "${tmpdir}/root-key.pem" \
-config "${CFDIR}/profiles.json" -profile=client "${CFDIR}/agent.json" \
| cfssljson --bare "${tmpdir}/leaf_invalid"

# Bad client certs (revoked)
for cert_name in "revoked_1" "revoked_2"; do
cfssl gencert \
for cert_name in "leaf_rev1" "leaf_rev2"; do
cfssl gencert -loglevel 3 \
-ca "${tmpdir}/inter.pem" -ca-key "${tmpdir}/inter-key.pem" \
-config "${CFDIR}/profiles.json" -profile=client "${CFDIR}/agent.json" 2>/dev/null \
-config "${CFDIR}/profiles.json" -profile=client "${CFDIR}/agent.json" \
| cfssljson --bare "${tmpdir}/${cert_name}"

cfssl certinfo \
-cert "${tmpdir}/${cert_name}.pem" \
| jq -r '.serial_number' > "${tmpdir}/serials_${cert_name}.txt"
done

truncate -s 0 "${tmpdir}/crl.pem"

# Generate separate CRL blocks and concatenate them
for cert_name in "revoked_1" "revoked_2"; do
echo '-----BEGIN X509 CRL-----' > "${tmpdir}/crl_${cert_name}.pem"
cfssl gencrl \
"${tmpdir}/serials_${cert_name}.txt" "${tmpdir}/ca.pem" "${tmpdir}/ca-key.pem" \
>> "${tmpdir}/crl_${cert_name}.pem"
echo '-----END X509 CRL-----' >> "${tmpdir}/crl_${cert_name}.pem"
for cert_name in "leaf_rev1" "leaf_rev2"; do
{
echo '-----BEGIN X509 CRL-----'
cfssl gencrl \
"${tmpdir}/serials_${cert_name}.txt" \
"${tmpdir}/root.pem" \
"${tmpdir}/root-key.pem"
echo '-----END X509 CRL-----'
} >> "${tmpdir}/crl.pem"
done
cat "${tmpdir}/crl_revoked_1.pem" "${tmpdir}/crl_revoked_2.pem" >"${tmpdir}/crl.pem"

cat "${tmpdir}/ca.pem" "${tmpdir}/inter.pem" > "${tmpdir}/bundle.pem"
cat "${tmpdir}/root.pem" "${tmpdir}/inter.pem" > "${tmpdir}/bundle.pem"

config_set '
.api.server.tls.cert_file=strenv(tmpdir) + "/server.pem" |
Expand Down Expand Up @@ -136,8 +140,8 @@ teardown() {
@test "invalid OU for agent" {
config_set "${CONFIG_DIR}/local_api_credentials.yaml" '
.ca_cert_path=strenv(tmpdir) + "/bundle.pem" |
.key_path=strenv(tmpdir) + "/agent_bad_ou-key.pem" |
.cert_path=strenv(tmpdir) + "/agent_bad_ou.pem" |
.key_path=strenv(tmpdir) + "/leaf_bad_ou-key.pem" |
.cert_path=strenv(tmpdir) + "/leaf_bad_ou.pem" |
.url="https://127.0.0.1:8080"
'

Expand All @@ -150,8 +154,8 @@ teardown() {
@test "we have exactly one machine registered with TLS" {
config_set "${CONFIG_DIR}/local_api_credentials.yaml" '
.ca_cert_path=strenv(tmpdir) + "/bundle.pem" |
.key_path=strenv(tmpdir) + "/agent-key.pem" |
.cert_path=strenv(tmpdir) + "/agent.pem" |
.key_path=strenv(tmpdir) + "/leaf-key.pem" |
.cert_path=strenv(tmpdir) + "/leaf.pem" |
.url="https://127.0.0.1:8080"
'

Expand Down Expand Up @@ -191,15 +195,15 @@ teardown() {

config_set "${CONFIG_DIR}/local_api_credentials.yaml" '
del(.ca_cert_path) |
.key_path=strenv(tmpdir) + "/agent-key.pem"
.key_path=strenv(tmpdir) + "/leaf-key.pem"
'

rune -1 cscli lapi status
assert_stderr --partial "loading api client: cannot use TLS with a unix socket"

config_set "${CONFIG_DIR}/local_api_credentials.yaml" '
del(.key_path) |
.cert_path=strenv(tmpdir) + "/agent.pem"
.cert_path=strenv(tmpdir) + "/leaf.pem"
'

rune -1 cscli lapi status
Expand All @@ -211,8 +215,8 @@ teardown() {
@test "invalid cert for agent" {
config_set "${CONFIG_DIR}/local_api_credentials.yaml" '
.ca_cert_path=strenv(tmpdir) + "/bundle.pem" |
.key_path=strenv(tmpdir) + "/agent_invalid-key.pem" |
.cert_path=strenv(tmpdir) + "/agent_invalid.pem" |
.key_path=strenv(tmpdir) + "/leaf_invalid-key.pem" |
.cert_path=strenv(tmpdir) + "/leaf_invalid.pem" |
.url="https://127.0.0.1:8080"
'
config_set "${CONFIG_DIR}/local_api_credentials.yaml" 'del(.login,.password)'
Expand All @@ -224,7 +228,7 @@ teardown() {

@test "revoked cert for agent" {
# we have two certificates revoked by different CRL blocks
for cert_name in "revoked_1" "revoked_2"; do
for cert_name in "leaf_rev1" "leaf_rev2"; do
truncate_log
cert_name="$cert_name" config_set "${CONFIG_DIR}/local_api_credentials.yaml" '
.ca_cert_path=strenv(tmpdir) + "/bundle.pem" |
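Review bot: The `cfssl gencert … | cfssljson --bare …` pipelines in setup_file (hunk `@@ -17,67 +17,71 @@`) report only cfssljson's exit status, so now that `2>/dev/null` is gone a failing cfssl prints its error but whether setup_file aborts depends on cfssljson rejecting the empty input rather than on cfssl's own status, and a missing `leaf*.pem` may only surface later as an unrelated test failure; the same applies to the identical setup_file in test/bats/11_bouncers_tls.bats. Unless bats already runs setup_file with pipefail, add `set -o pipefail` at the start of the function, or check that each generated `.pem` exists after its pipeline, so the failure is reported where it happens. The `-loglevel 3` on the client-cert invocations versus `-loglevel 2` on the CA and server ones also deserves a one-line comment explaining the difference, e.g. `# leaf certs: -loglevel 3 hides cfssl warnings (TODO: note which warning and why it is expected)`. setup_file starts and ends outside this hunk.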
7 changes: 0 additions & 7 deletions test/bats/testdata/cfssl/profiles.json
Expand Up @@ -7,7 +7,6 @@
"intermediate_ca": {
"usages": [
"signing",
"digital signature",
"key encipherment",
"cert sign",
"crl sign",
Expand All @@ -23,18 +22,12 @@
},
"server": {
"usages": [
"signing",
"digital signing",
"key encipherment",
"server auth"
],
"expiry": "8760h"
},
"client": {
"usages": [
"signing",
"digital signature",
"key encipherment",
"client auth"
],
"expiry": "8760h"
