diff --git a/test/bats/11_bouncers_tls.bats b/test/bats/11_bouncers_tls.bats
index 80dbee9e8e4..70729f5e2c8 100644
--- a/test/bats/11_bouncers_tls.bats
+++ b/test/bats/11_bouncers_tls.bats
@@ -14,49 +14,49 @@ setup_file() { export CFDIR # Root CA - cfssl gencert \ - --initca "${CFDIR}/ca_root.json" 2>/dev/null \ - | cfssljson --bare "${tmpdir}/ca" + cfssl gencert -loglevel 2 \ + --initca "${CFDIR}/ca_root.json" \ + | cfssljson --bare "${tmpdir}/root" # Intermediate CA - cfssl gencert \ - --initca "${CFDIR}/ca_intermediate.json" 2>/dev/null \ + cfssl gencert -loglevel 2 \ + --initca "${CFDIR}/ca_intermediate.json" \ | cfssljson --bare "${tmpdir}/inter" - cfssl sign \ - -ca "${tmpdir}/ca.pem" -ca-key "${tmpdir}/ca-key.pem" \ - -config "${CFDIR}/profiles.json" -profile intermediate_ca "${tmpdir}/inter.csr" 2>/dev/null \ + cfssl sign -loglevel 2 \ + -ca "${tmpdir}/root.pem" -ca-key "${tmpdir}/root-key.pem" \ + -config "${CFDIR}/profiles.json" -profile intermediate_ca "${tmpdir}/inter.csr" \ | cfssljson --bare "${tmpdir}/inter" # Server cert for crowdsec with the intermediate - cfssl gencert \ + cfssl gencert -loglevel 2 \ -ca "${tmpdir}/inter.pem" -ca-key "${tmpdir}/inter-key.pem" \ - -config "${CFDIR}/profiles.json" -profile=server "${CFDIR}/server.json" 2>/dev/null \ + -config "${CFDIR}/profiles.json" -profile=server "${CFDIR}/server.json" \ | cfssljson --bare "${tmpdir}/server" # Client cert (valid) - cfssl gencert \ + cfssl gencert -loglevel 3 \ -ca "${tmpdir}/inter.pem" -ca-key "${tmpdir}/inter-key.pem" \ - -config "${CFDIR}/profiles.json" -profile=client "${CFDIR}/bouncer.json" 2>/dev/null \ - | cfssljson --bare "${tmpdir}/bouncer" + -config "${CFDIR}/profiles.json" -profile=client "${CFDIR}/bouncer.json" \ + | cfssljson --bare "${tmpdir}/leaf" # Bad client cert (invalid OU) - cfssl gencert \ + cfssl gencert -loglevel 3 \ -ca "${tmpdir}/inter.pem" -ca-key "${tmpdir}/inter-key.pem" \ - -config "${CFDIR}/profiles.json" -profile=client "${CFDIR}/bouncer_invalid.json" 2>/dev/null \ - | cfssljson --bare "${tmpdir}/bouncer_bad_ou" + -config "${CFDIR}/profiles.json" -profile=client "${CFDIR}/bouncer_invalid.json" \ + | cfssljson --bare 
"${tmpdir}/leaf_bad_ou" # Bad client cert (directly signed by the CA, it should be refused by crowdsec as it uses the intermediate) - cfssl gencert \ - -ca "${tmpdir}/ca.pem" -ca-key "${tmpdir}/ca-key.pem" \ - -config "${CFDIR}/profiles.json" -profile=client "${CFDIR}/bouncer.json" 2>/dev/null \ - | cfssljson --bare "${tmpdir}/bouncer_invalid" + cfssl gencert -loglevel 3 \ + -ca "${tmpdir}/root.pem" -ca-key "${tmpdir}/root-key.pem" \ + -config "${CFDIR}/profiles.json" -profile=client "${CFDIR}/bouncer.json" \ + | cfssljson --bare "${tmpdir}/leaf_invalid" # Bad client certs (revoked) - for cert_name in "revoked_1" "revoked_2"; do - cfssl gencert \ + for cert_name in "leaf_rev1" "leaf_rev2"; do + cfssl gencert -loglevel 3 \ -ca "${tmpdir}/inter.pem" -ca-key "${tmpdir}/inter-key.pem" \ - -config "${CFDIR}/profiles.json" -profile=client "${CFDIR}/bouncer.json" 2>/dev/null \ + -config "${CFDIR}/profiles.json" -profile=client "${CFDIR}/bouncer.json" \ | cfssljson --bare "${tmpdir}/${cert_name}" cfssl certinfo \ 
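Review bot: The new `-loglevel` values are inconsistent without explanation: the root, intermediate and server certs are generated with `-loglevel 2` while every client cert uses `-loglevel 3`, and nothing in setup_file says why (presumably level 3 hides a cfssl warning that only client profiles trigger; that is an inference). A one-line comment before the first client cert, e.g. `# client certs use -loglevel 3 (errors only); CA and server certs keep -loglevel 2 (warnings) -- <reason>`, would stop the next reader from "fixing" one of them. The comment `# Bad client cert (directly signed by the CA, ...)` is now stale since the files were renamed to root; `# Bad client cert (signed directly by the root CA; crowdsec should refuse it because the server chain uses the intermediate)` matches the new names. Each `cfssl ... | cfssljson --bare` pipeline still reports only cfssljson's exit status, so a cfssl failure is only visible through the now-unsuppressed stderr unless the suite runs with pipefail. The same applies to the mirrored hunk `@@ -17,49 +17,49 @@` in test/bats/30_machines_tls.bats; setup_file starts before this hunk and continues after it.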
@@ -64,17 +64,21 @@ setup_file() { | jq -r '.serial_number' > "${tmpdir}/serials_${cert_name}.txt" done + truncate -s 0 "${tmpdir}/crl.pem" + # Generate separate CRL blocks and concatenate them - for cert_name in "revoked_1" "revoked_2"; do - echo '-----BEGIN X509 CRL-----' > "${tmpdir}/crl_${cert_name}.pem" - cfssl gencrl \ - "${tmpdir}/serials_${cert_name}.txt" "${tmpdir}/ca.pem" "${tmpdir}/ca-key.pem" \ - >> "${tmpdir}/crl_${cert_name}.pem" - echo '-----END X509 CRL-----' >> "${tmpdir}/crl_${cert_name}.pem" + for cert_name in "leaf_rev1" "leaf_rev2"; do + { + echo '-----BEGIN X509 CRL-----' + cfssl gencrl \ + "${tmpdir}/serials_${cert_name}.txt" \ + "${tmpdir}/root.pem" \ + "${tmpdir}/root-key.pem" + echo '-----END X509 CRL-----' + } >> "${tmpdir}/crl.pem" done - cat "${tmpdir}/crl_revoked_1.pem" "${tmpdir}/crl_revoked_2.pem" >"${tmpdir}/crl.pem" - cat "${tmpdir}/ca.pem" "${tmpdir}/inter.pem" > "${tmpdir}/bundle.pem" + cat "${tmpdir}/root.pem" "${tmpdir}/inter.pem" > "${tmpdir}/bundle.pem" config_set ' .api.server.tls.cert_file=strenv(tmpdir) + "/server.pem" | @@ -109,8 +113,8 @@ teardown() { @test "simulate a bouncer request with a valid cert" { rune -0 curl -f -s \ - --cert "${tmpdir}/bouncer.pem" \ - --key "${tmpdir}/bouncer-key.pem" \ + --cert "${tmpdir}/leaf.pem" \ + --key "${tmpdir}/leaf-key.pem" \ --cacert "${tmpdir}/bundle.pem" \ https://localhost:8080/v1/decisions\?ip=42.42.42.42 assert_output "null" @@ -125,9 +129,9 @@ teardown() { @test "simulate a bouncer request with an invalid cert" { rune -77 curl -f -s \ - --cert "${tmpdir}/bouncer_invalid.pem" \ - --key "${tmpdir}/bouncer_invalid-key.pem" \ - --cacert "${tmpdir}/ca-key.pem" \ + --cert "${tmpdir}/leaf_invalid.pem" \ + --key "${tmpdir}/leaf_invalid-key.pem" \ + --cacert "${tmpdir}/root-key.pem" \ https://localhost:8080/v1/decisions\?ip=42.42.42.42 rune -0 cscli bouncers list -o json assert_output "[]" 
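Review bot: The CRL blocks are signed with `"${tmpdir}/root.pem"` / `"${tmpdir}/root-key.pem"`, but `leaf_rev1` and `leaf_rev2` are issued by `inter.pem` in the previous hunk, so the CRL issuer does not match the revoked certificates' issuer; a verifier that checks CRL issuer against certificate issuer would not consider these leafs revoked, and the test only passes if crowdsec matches revoked serial numbers without that check. Either issue the CRLs from the intermediate (`"${tmpdir}/inter.pem" "${tmpdir}/inter-key.pem"`) or record the assumption next to the loop: `# CRLs are issued by the root while the leafs come from the intermediate: this exercises serial-number matching only`. The `truncate -s 0 "${tmpdir}/crl.pem"` plus `>>` inside the loop can be replaced by a single redirect on the loop, `done > "${tmpdir}/crl.pem"`. The mirrored hunk `@@ -67,17 +67,21 @@` in test/bats/30_machines_tls.bats has the same issue; setup_file starts before this hunk and continues after it.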
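Review bot: In the "invalid cert" test, `--cacert "${tmpdir}/root-key.pem"` hands curl a private key as its CA bundle, so curl exits 77 (cannot read the CA cert file) before any TLS handshake is attempted; `leaf_invalid.pem` is never presented to the server and the `rune -77` expectation pins curl's file error, not crowdsec refusing a root-signed client certificate. The rename carries this pre-existing mistake forward unchanged. Using `--cacert "${tmpdir}/bundle.pem"` like the neighbouring tests and asserting the status the rejection actually produces (the invalid-OU test uses `rune -22`) would exercise the intended path; if the current form is deliberate, a comment saying so is needed. The enclosing @test continues past the end of the hunk.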
@@ -135,8 +139,8 @@ teardown() { @test "simulate a bouncer request with an invalid OU" { rune -22 curl -f -s \ - --cert "${tmpdir}/bouncer_bad_ou.pem" \ - --key "${tmpdir}/bouncer_bad_ou-key.pem" \ + --cert "${tmpdir}/leaf_bad_ou.pem" \ + --key "${tmpdir}/leaf_bad_ou-key.pem" \ --cacert "${tmpdir}/bundle.pem" \ https://localhost:8080/v1/decisions\?ip=42.42.42.42 rune -0 cscli bouncers list -o json @@ -145,7 +149,7 @@ teardown() { @test "simulate a bouncer request with a revoked certificate" { # we have two certificates revoked by different CRL blocks - for cert_name in "revoked_1" "revoked_2"; do + for cert_name in "leaf_rev1" "leaf_rev2"; do truncate_log rune -0 curl -s \ --cert "${tmpdir}/${cert_name}.pem" \ diff --git a/test/bats/30_machines_tls.bats b/test/bats/30_machines_tls.bats index f235356bf2e..79ece10c533 100644 --- a/test/bats/30_machines_tls.bats +++ b/test/bats/30_machines_tls.bats 
@@ -17,49 +17,49 @@ setup_file() { export CFDIR # Root CA - cfssl gencert \ - --initca "${CFDIR}/ca_root.json" 2>/dev/null \ - | cfssljson --bare "${tmpdir}/ca" + cfssl gencert -loglevel 2 \ + --initca "${CFDIR}/ca_root.json" \ + | cfssljson --bare "${tmpdir}/root" # Intermediate CA - cfssl gencert \ - --initca "${CFDIR}/ca_intermediate.json" 2>/dev/null \ + cfssl gencert -loglevel 2 \ + --initca "${CFDIR}/ca_intermediate.json" \ | cfssljson --bare "${tmpdir}/inter" - cfssl sign \ - -ca "${tmpdir}/ca.pem" -ca-key "${tmpdir}/ca-key.pem" \ - -config "${CFDIR}/profiles.json" -profile intermediate_ca "${tmpdir}/inter.csr" 2>/dev/null \ + cfssl sign -loglevel 2 \ + -ca "${tmpdir}/root.pem" -ca-key "${tmpdir}/root-key.pem" \ + -config "${CFDIR}/profiles.json" -profile intermediate_ca "${tmpdir}/inter.csr" \ | cfssljson --bare "${tmpdir}/inter" # Server cert for crowdsec with the intermediate - cfssl gencert \ + cfssl gencert -loglevel 2 \ -ca "${tmpdir}/inter.pem" -ca-key "${tmpdir}/inter-key.pem" \ - -config "${CFDIR}/profiles.json" -profile=server "${CFDIR}/server.json" 2>/dev/null \ + -config "${CFDIR}/profiles.json" -profile=server "${CFDIR}/server.json" \ | cfssljson --bare "${tmpdir}/server" # Client cert (valid) - cfssl gencert \ + cfssl gencert -loglevel 3 \ -ca "${tmpdir}/inter.pem" -ca-key "${tmpdir}/inter-key.pem" \ - -config "${CFDIR}/profiles.json" -profile=client "${CFDIR}/agent.json" 2>/dev/null \ - | cfssljson --bare "${tmpdir}/agent" + -config "${CFDIR}/profiles.json" -profile=client "${CFDIR}/agent.json" \ + | cfssljson --bare "${tmpdir}/leaf" # Bad client cert (invalid OU) - cfssl gencert \ + cfssl gencert -loglevel 3 \ -ca "${tmpdir}/inter.pem" -ca-key "${tmpdir}/inter-key.pem" \ - -config "${CFDIR}/profiles.json" -profile=client "${CFDIR}/agent_invalid.json" 2>/dev/null \ - | cfssljson --bare "${tmpdir}/agent_bad_ou" + -config "${CFDIR}/profiles.json" -profile=client "${CFDIR}/agent_invalid.json" \ + | cfssljson --bare "${tmpdir}/leaf_bad_ou" # Bad 
client cert (directly signed by the CA, it should be refused by crowdsec as it uses the intermediate) - cfssl gencert \ - -ca "${tmpdir}/ca.pem" -ca-key "${tmpdir}/ca-key.pem" \ - -config "${CFDIR}/profiles.json" -profile=client "${CFDIR}/agent.json" 2>/dev/null \ - | cfssljson --bare "${tmpdir}/agent_invalid" + cfssl gencert -loglevel 3 \ + -ca "${tmpdir}/root.pem" -ca-key "${tmpdir}/root-key.pem" \ + -config "${CFDIR}/profiles.json" -profile=client "${CFDIR}/agent.json" \ + | cfssljson --bare "${tmpdir}/leaf_invalid" # Bad client certs (revoked) - for cert_name in "revoked_1" "revoked_2"; do - cfssl gencert \ + for cert_name in "leaf_rev1" "leaf_rev2"; do + cfssl gencert -loglevel 3 \ -ca "${tmpdir}/inter.pem" -ca-key "${tmpdir}/inter-key.pem" \ - -config "${CFDIR}/profiles.json" -profile=client "${CFDIR}/agent.json" 2>/dev/null \ + -config "${CFDIR}/profiles.json" -profile=client "${CFDIR}/agent.json" \ | cfssljson --bare "${tmpdir}/${cert_name}" cfssl certinfo \ 
@@ -67,17 +67,21 @@ setup_file() { | jq -r '.serial_number' > "${tmpdir}/serials_${cert_name}.txt" done + truncate -s 0 "${tmpdir}/crl.pem" + # Generate separate CRL blocks and concatenate them - for cert_name in "revoked_1" "revoked_2"; do - echo '-----BEGIN X509 CRL-----' > "${tmpdir}/crl_${cert_name}.pem" - cfssl gencrl \ - "${tmpdir}/serials_${cert_name}.txt" "${tmpdir}/ca.pem" "${tmpdir}/ca-key.pem" \ - >> "${tmpdir}/crl_${cert_name}.pem" - echo '-----END X509 CRL-----' >> "${tmpdir}/crl_${cert_name}.pem" + for cert_name in "leaf_rev1" "leaf_rev2"; do + { + echo '-----BEGIN X509 CRL-----' + cfssl gencrl \ + "${tmpdir}/serials_${cert_name}.txt" \ + "${tmpdir}/root.pem" \ + "${tmpdir}/root-key.pem" + echo '-----END X509 CRL-----' + } >> "${tmpdir}/crl.pem" done - cat "${tmpdir}/crl_revoked_1.pem" "${tmpdir}/crl_revoked_2.pem" >"${tmpdir}/crl.pem" - cat "${tmpdir}/ca.pem" "${tmpdir}/inter.pem" > "${tmpdir}/bundle.pem" + cat "${tmpdir}/root.pem" "${tmpdir}/inter.pem" > "${tmpdir}/bundle.pem" config_set ' .api.server.tls.cert_file=strenv(tmpdir) + "/server.pem" | @@ -136,8 +140,8 @@ teardown() { @test "invalid OU for agent" { config_set "${CONFIG_DIR}/local_api_credentials.yaml" ' .ca_cert_path=strenv(tmpdir) + "/bundle.pem" | - .key_path=strenv(tmpdir) + "/agent_bad_ou-key.pem" | - .cert_path=strenv(tmpdir) + "/agent_bad_ou.pem" | + .key_path=strenv(tmpdir) + "/leaf_bad_ou-key.pem" | + .cert_path=strenv(tmpdir) + "/leaf_bad_ou.pem" | .url="https://127.0.0.1:8080" ' @@ -150,8 +154,8 @@ teardown() { @test "we have exactly one machine registered with TLS" { config_set "${CONFIG_DIR}/local_api_credentials.yaml" ' .ca_cert_path=strenv(tmpdir) + "/bundle.pem" | - .key_path=strenv(tmpdir) + "/agent-key.pem" | - .cert_path=strenv(tmpdir) + "/agent.pem" | + .key_path=strenv(tmpdir) + "/leaf-key.pem" | + .cert_path=strenv(tmpdir) + "/leaf.pem" | .url="https://127.0.0.1:8080" ' 
@@ -191,7 +195,7 @@ teardown() { config_set "${CONFIG_DIR}/local_api_credentials.yaml" ' del(.ca_cert_path) | - .key_path=strenv(tmpdir) + "/agent-key.pem" + .key_path=strenv(tmpdir) + "/leaf-key.pem" ' rune -1 cscli lapi status @@ -199,7 +203,7 @@ teardown() { config_set "${CONFIG_DIR}/local_api_credentials.yaml" ' del(.key_path) | - .cert_path=strenv(tmpdir) + "/agent.pem" + .cert_path=strenv(tmpdir) + "/leaf.pem" ' rune -1 cscli lapi status @@ -211,8 +215,8 @@ teardown() { @test "invalid cert for agent" { config_set "${CONFIG_DIR}/local_api_credentials.yaml" ' .ca_cert_path=strenv(tmpdir) + "/bundle.pem" | - .key_path=strenv(tmpdir) + "/agent_invalid-key.pem" | - .cert_path=strenv(tmpdir) + "/agent_invalid.pem" | + .key_path=strenv(tmpdir) + "/leaf_invalid-key.pem" | + .cert_path=strenv(tmpdir) + "/leaf_invalid.pem" | .url="https://127.0.0.1:8080" ' config_set "${CONFIG_DIR}/local_api_credentials.yaml" 'del(.login,.password)' @@ -224,7 +228,7 @@ teardown() { @test "revoked cert for agent" { # we have two certificates revoked by different CRL blocks - for cert_name in "revoked_1" "revoked_2"; do + for cert_name in "leaf_rev1" "leaf_rev2"; do truncate_log cert_name="$cert_name" config_set "${CONFIG_DIR}/local_api_credentials.yaml" ' .ca_cert_path=strenv(tmpdir) + "/bundle.pem" | diff --git a/test/bats/testdata/cfssl/profiles.json b/test/bats/testdata/cfssl/profiles.json index 9730572865c..47611beb64c 100644 --- a/test/bats/testdata/cfssl/profiles.json +++ b/test/bats/testdata/cfssl/profiles.json @@ -7,7 +7,6 @@ "intermediate_ca": { "usages": [ "signing", - "digital signature", "key encipherment", "cert sign", "crl sign", @@ -23,18 +22,12 @@ }, "server": { "usages": [ - "signing", - "digital signing", - "key encipherment", "server auth" ], "expiry": "8760h" }, "client": { "usages": [ - "signing", - "digital signature", - "key encipherment", "client auth" ], "expiry": "8760h"
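Review bot: With `"signing"`, `"digital signature"` and `"key encipherment"` removed, the `server` and `client` profiles now list only an extended key usage, so the issued certificates will presumably carry no KeyUsage extension at all (cfssl/Go only emit the extension when a key-usage bit is set; confirm with `cfssl certinfo` on a generated leaf). Go's verifier and curl accept that, but a stricter peer that requires digitalSignature for signature-based key exchange would reject these certificates, and since the fixture is JSON and cannot hold a comment, the rationale belongs in the bats setup or a README beside the fixtures, e.g. `# server/client profiles set only an EKU, so no KeyUsage extension is emitted; keep in sync with profiles.json`. The preceding hunk keeps `"signing"` in `intermediate_ca` while dropping `"digital signature"`; as far as I recall cfssl maps both names to the same DigitalSignature bit, so that removal is a no-op and the CA profile still asserts key usage while the leafs assert none, which is worth stating explicitly.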