cscli capi status: save auth token, add tests (#3623)

mmetc · web-flow · commit 14a1725efe3b · 2025-05-14T16:31:56.000+02:00
* "cscli capi status": save auth token
* CI: test auth token cache
* test that capi status saves the token too
* fix postgres test
diff --git a/cmd/crowdsec-cli/clicapi/capi.go b/cmd/crowdsec-cli/clicapi/capi.go
@@ -21,6 +21,7 @@ import (
 	"github.com/crowdsecurity/crowdsec/pkg/apiclient"
 	"github.com/crowdsecurity/crowdsec/pkg/csconfig"
 	"github.com/crowdsecurity/crowdsec/pkg/cwhub"
+	"github.com/crowdsecurity/crowdsec/pkg/database"
 	"github.com/crowdsecurity/crowdsec/pkg/models"
 	"github.com/crowdsecurity/crowdsec/pkg/types"
 )
@@ -120,7 +121,7 @@ func (cli *cliCapi) register(ctx context.Context, capiUserPrefix string, outputF
 
 		log.Infof("Central API credentials written to '%s'", dumpFile)
 	} else {
-		fmt.Println(string(apiConfigDump))
+		fmt.Fprintln(os.Stdout, string(apiConfigDump))
 	}
 
 	if msg := reload.UserMessage(); msg != "" {
@@ -154,8 +155,8 @@ func (cli *cliCapi) newRegisterCmd() *cobra.Command {
 	return cmd
 }
 
-// queryCAPIStatus checks if the Central API is reachable, and if the credentials are correct. It then checks if the instance is enrolle in the console.
-func queryCAPIStatus(ctx context.Context, hub *cwhub.Hub, credURL string, login string, password string) (bool, bool, error) {
+// queryCAPIStatus checks if the Central API is reachable, and if the credentials are correct. It then checks if the instance is enrolled in the console.
+func queryCAPIStatus(ctx context.Context, db *database.Client, hub *cwhub.Hub, credURL string, login string, password string) (bool, bool, error) {
 	apiURL, err := url.Parse(credURL)
 	if err != nil {
 		return false, false, err
@@ -198,6 +199,10 @@ func queryCAPIStatus(ctx context.Context, hub *cwhub.Hub, credURL string, login
 		return false, false, err
 	}
 
+	if err := db.SaveAPICToken(ctx, authResp.Token); err != nil {
+		return false, false, err
+	}
+
 	client.GetClient().Transport.(*apiclient.JWTTransport).Token = authResp.Token
 
 	if client.IsEnrolled() {
@@ -207,7 +212,7 @@ func queryCAPIStatus(ctx context.Context, hub *cwhub.Hub, credURL string, login
 	return true, false, nil
 }
 
-func (cli *cliCapi) Status(ctx context.Context, out io.Writer, hub *cwhub.Hub) error {
+func (cli *cliCapi) Status(ctx context.Context, db *database.Client, out io.Writer, hub *cwhub.Hub) error {
 	cfg := cli.cfg()
 
 	if err := require.CAPIRegistered(cfg); err != nil {
@@ -219,7 +224,7 @@ func (cli *cliCapi) Status(ctx context.Context, out io.Writer, hub *cwhub.Hub) e
 	fmt.Fprintf(out, "Loaded credentials from %s\n", cfg.API.Server.OnlineClient.CredentialsFilePath)
 	fmt.Fprintf(out, "Trying to authenticate with username %s on %s\n", cred.Login, cred.URL)
 
-	auth, enrolled, err := queryCAPIStatus(ctx, hub, cred.URL, cred.Login, cred.Password)
+	auth, enrolled, err := queryCAPIStatus(ctx, db, hub, cred.URL, cred.Login, cred.Password)
 	if err != nil {
 		return fmt.Errorf("failed to authenticate to Central API (CAPI): %w", err)
 	}
@@ -263,12 +268,20 @@ func (cli *cliCapi) newStatusCmd() *cobra.Command {
 		Args:              args.NoArgs,
 		DisableAutoGenTag: true,
 		RunE: func(cmd *cobra.Command, _ []string) error {
-			hub, err := require.Hub(cli.cfg(), nil)
+			cfg := cli.cfg()
+			ctx := cmd.Context()
+
+			hub, err := require.Hub(cfg, nil)
+			if err != nil {
+				return err
+			}
+
+			db, err := require.DBClient(ctx, cfg.DbConfig)
 			if err != nil {
 				return err
 			}
 
-			return cli.Status(cmd.Context(), color.Output, hub)
+			return cli.Status(ctx, db, color.Output, hub)
 		},
 	}
 
diff --git a/cmd/crowdsec-cli/clisupport/support.go b/cmd/crowdsec-cli/clisupport/support.go
@@ -256,13 +256,13 @@ func (cli *cliSupport) dumpLAPIStatus(ctx context.Context, zw *zip.Writer, hub *
 	return nil
 }
 
-func (cli *cliSupport) dumpCAPIStatus(ctx context.Context, zw *zip.Writer, hub *cwhub.Hub) error {
+func (cli *cliSupport) dumpCAPIStatus(ctx context.Context, zw *zip.Writer, hub *cwhub.Hub, db *database.Client) error {
 	log.Info("Collecting CAPI status")
 
 	out := new(bytes.Buffer)
 	cc := clicapi.New(cli.cfg)
 
-	err := cc.Status(ctx, out, hub)
+	err := cc.Status(ctx, db, out, hub)
 	if err != nil {
 		fmt.Fprintf(out, "%s\n", err)
 	}
@@ -534,7 +534,7 @@ func (cli *cliSupport) dump(ctx context.Context, outFile string) error {
 	}
 
 	if !skipCAPI {
-		if err = cli.dumpCAPIStatus(ctx, zipWriter, hub); err != nil {
+		if err = cli.dumpCAPIStatus(ctx, zipWriter, hub, db); err != nil {
 			log.Warnf("could not collect CAPI status: %s", err)
 		}
 
diff --git a/pkg/apiserver/apic.go b/pkg/apiserver/apic.go
@@ -17,7 +17,6 @@ import (
 
 	"github.com/davecgh/go-spew/spew"
 	"github.com/go-openapi/strfmt"
-	"github.com/golang-jwt/jwt/v4"
 	log "github.com/sirupsen/logrus"
 	"gopkg.in/tomb.v2"
 
@@ -247,70 +246,13 @@ func NewAPIC(ctx context.Context, config *csconfig.OnlineApiClientCfg, dbClient
 	return ret, err
 }
 
-// loadAPICToken attempts to retrieve and validate a JWT token from the local database.
-// It returns the token string, its expiration time, and a boolean indicating whether the token is valid.
-//
-// A token is considered valid if:
-//   - it exists in the database,
-//   - it is a properly formatted JWT with an "exp" claim,
-//   - it is not expired or near expiry.
-func loadAPICToken(ctx context.Context, db *database.Client) (string, time.Time, bool) {
-	token, err := db.GetConfigItem(ctx, "apic_token")
-	if err != nil {
-		log.Debugf("error fetching token from DB: %s", err)
-		return "", time.Time{}, false
-	}
-
-	if token == "" {
-		log.Debug("no token found in DB")
-		return "", time.Time{}, false
-	}
-
-	parser := new(jwt.Parser)
-
-	tok, _, err := parser.ParseUnverified(token, jwt.MapClaims{})
-	if err != nil {
-		log.Debugf("error parsing token: %s", err)
-		return "", time.Time{}, false
-	}
-
-	claims, ok := tok.Claims.(jwt.MapClaims)
-	if !ok {
-		log.Debugf("error parsing token claims: %s", err)
-		return "", time.Time{}, false
-	}
-
-	expFloat, ok := claims["exp"].(float64)
-	if !ok {
-		log.Debug("token missing 'exp' claim")
-		return "", time.Time{}, false
-	}
-
-	exp := time.Unix(int64(expFloat), 0)
-	if time.Now().UTC().After(exp.Add(-1 * time.Minute)) {
-		log.Debug("auth token expired")
-		return "", time.Time{}, false
-	}
-
-	return token, exp, true
-}
-
-// saveAPICToken stores the given JWT token in the local database under the "apic_token" config item.
-func saveAPICToken(ctx context.Context, db *database.Client, token string) error {
-	if err := db.SetConfigItem(ctx, "apic_token", token); err != nil {
-		return fmt.Errorf("saving token to db: %w", err)
-	}
-
-	return nil
-}
-
 // Authenticate ensures the API client is authorized to communicate with the CAPI.
 // It attempts to reuse a previously saved JWT token from the database, falling back to
 // an authentication request if the token is missing, invalid, or expired.
 //
 // If a new token is obtained, it is saved back to the database for caching.
 func (a *apic) Authenticate(ctx context.Context, config *csconfig.OnlineApiClientCfg) error {
-	if token, exp, valid := loadAPICToken(ctx, a.dbClient); valid {
+	if token, exp, valid := a.dbClient.LoadAPICToken(ctx, log.StandardLogger()); valid {
 		log.Debug("using valid token from DB")
 
 		a.apiClient.GetClient().Transport.(*apiclient.JWTTransport).Token = token
@@ -343,7 +285,7 @@ func (a *apic) Authenticate(ctx context.Context, config *csconfig.OnlineApiClien
 
 	a.apiClient.GetClient().Transport.(*apiclient.JWTTransport).Token = authResp.Token
 
-	return saveAPICToken(ctx, a.dbClient, authResp.Token)
+	return a.dbClient.SaveAPICToken(ctx, authResp.Token)
 }
 
 // keep track of all alerts in cache and push it to CAPI every PushInterval.
diff --git a/pkg/database/config.go b/pkg/database/config.go
@@ -2,13 +2,19 @@ package database
 
 import (
 	"context"
+	"fmt"
+	"time"
 
+	"github.com/golang-jwt/jwt/v4"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 
 	"github.com/crowdsecurity/crowdsec/pkg/database/ent"
 	"github.com/crowdsecurity/crowdsec/pkg/database/ent/configitem"
 )
 
+const apicTokenKey = "apic_token"
+
 func (c *Client) GetConfigItem(ctx context.Context, key string) (string, error) {
 	result, err := c.Ent.ConfigItem.Query().Where(configitem.NameEQ(key)).First(ctx)
 
@@ -38,3 +44,60 @@ func (c *Client) SetConfigItem(ctx context.Context, key string, value string) er
 
 	return nil
 }
+
+// LoadAPICToken attempts to retrieve and validate a JWT token from the local database.
+// It returns the token string, its expiration time, and a boolean indicating whether the token is valid.
+//
+// A token is considered valid if:
+//   - it exists in the database,
+//   - it is a properly formatted JWT with an "exp" claim,
+//   - it is not expired or near expiry.
+func (c *Client) LoadAPICToken(ctx context.Context, logger logrus.FieldLogger) (string, time.Time, bool) {
+	token, err := c.GetConfigItem(ctx, apicTokenKey)
+	if err != nil {
+		logger.Debugf("error fetching token from DB: %s", err)
+		return "", time.Time{}, false
+	}
+
+	if token == "" {
+		logger.Debug("no token found in DB")
+		return "", time.Time{}, false
+	}
+
+	parser := new(jwt.Parser)
+
+	tok, _, err := parser.ParseUnverified(token, jwt.MapClaims{})
+	if err != nil {
+		logger.Debugf("error parsing token: %s", err)
+		return "", time.Time{}, false
+	}
+
+	claims, ok := tok.Claims.(jwt.MapClaims)
+	if !ok {
+		logger.Debugf("error parsing token claims: %s", err)
+		return "", time.Time{}, false
+	}
+
+	expFloat, ok := claims["exp"].(float64)
+	if !ok {
+		logger.Debug("token missing 'exp' claim")
+		return "", time.Time{}, false
+	}
+
+	exp := time.Unix(int64(expFloat), 0)
+	if time.Now().UTC().After(exp.Add(-1 * time.Minute)) {
+		logger.Debug("auth token expired")
+		return "", time.Time{}, false
+	}
+
+	return token, exp, true
+}
+
+// SaveAPICToken stores the given JWT token in the local database under the appropriate config item.
+func (c *Client) SaveAPICToken(ctx context.Context, token string) error {
+	if err := c.SetConfigItem(ctx, apicTokenKey, token); err != nil {
+		return fmt.Errorf("saving token to db: %w", err)
+	}
+
+	return nil
+}
diff --git a/test/bats/04_capi.bats b/test/bats/04_capi.bats
@@ -42,7 +42,7 @@ setup() {
 
     config_set 'del(.api.server.online_client)'
     rune -1 cscli capi status
-    assert_stderr --regexp "no configuration for Central API \(CAPI\) in '$(echo $CONFIG_YAML|sed s#//#/#g)'"
+    assert_stderr --regexp "no configuration for Central API \(CAPI\) in '${CONFIG_YAML//\/\//\/}'"
 }
 
 @test "cscli {capi,papi} status" {
@@ -100,6 +100,49 @@ setup() {
     assert_output --partial "You can successfully interact with Central API (CAPI)"
 }
 
+@test "CAPI login: use cached token from the db" {
+    ./instance-crowdsec stop
+
+    config_set '.common.log_media="stdout" | .common.log_level="debug"'
+
+    # a correct token was set in the previous test
+
+    rune -0 wait-for \
+        --err "CAPI manager configured successfully" \
+        "$CROWDSEC"
+    assert_stderr --partial "using valid token from DB"
+    refute_stderr --partial "No token found, authenticating"
+
+    # not valid anymore
+
+    rune -0 ./instance-db exec_sql "UPDATE config_items SET VALUE='abc' WHERE name='apic_token'"
+
+    rune -0 wait-for \
+        --err "CAPI manager configured successfully" \
+        "$CROWDSEC"
+    refute_stderr --partial "using valid token from DB"
+    assert_stderr --partial "error parsing token: token contains an invalid number of segments"
+    assert_stderr --partial "No token found, authenticating"
+
+    # token was re-created
+
+    rune -0 wait-for \
+        --err "CAPI manager configured successfully" \
+        "$CROWDSEC"
+    assert_stderr --partial "using valid token from DB"
+    refute_stderr --partial "No token found, authenticating"
+
+    # "cscli capi status" also saves the token
+
+    rune -0 ./instance-db exec_sql "UPDATE config_items SET VALUE='abc' WHERE name='apic_token'"
+    rune -0 cscli capi status
+    rune -0 wait-for \
+        --err "CAPI manager configured successfully" \
+        "$CROWDSEC"
+    assert_stderr --partial "using valid token from DB"
+    refute_stderr --partial "No token found, authenticating"
+}
+
 @test "capi register must be run from lapi" {
     config_disable_lapi
     rune -1 cscli capi register --schmilblick githubciXXXXXXXXXXXXXXXXXXXXXXXX
diff --git a/test/bats/sql.bats b/test/bats/sql.bats
@@ -0,0 +1,24 @@
+#!/usr/bin/env bats
+
+set -u
+
+setup_file() {
+    load "../lib/setup_file.sh"
+}
+
+teardown_file() {
+    load "../lib/teardown_file.sh"
+}
+
+setup() {
+    load "../lib/setup.sh"
+    load "../lib/bats-file/load.bash"
+    ./instance-data load
+}
+
+#----------
+
+@test "sql helper" {
+    rune -0 ./instance-db exec_sql "SELECT 11235813"
+    assert_output --partial '11235813'
+}
diff --git a/test/lib/db/instance-postgres b/test/lib/db/instance-postgres
@@ -91,6 +91,8 @@ case "$1" in
         restore "$@"
         ;;
     exec_sql)
+        PGDATABASE=${PGDATABASE:-crowdsec_test}
+        export PGDATABASE
         shift
         exec_sql "$@"
         ;;

Original file line number	Diff line number	Diff line change
`@@ -256,13 +256,13 @@ func (cli cliSupport) dumpLAPIStatus(ctx context.Context, zw zip.Writer, hub *`
`256`	`256`	`return nil`
`257`	`257`	`}`
`258`	`258`
`259`		`-func (cli cliSupport) dumpCAPIStatus(ctx context.Context, zw zip.Writer, hub *cwhub.Hub) error {`
	`259`	`+func (cli cliSupport) dumpCAPIStatus(ctx context.Context, zw zip.Writer, hub cwhub.Hub, db database.Client) error {`
`260`	`260`	`log.Info("Collecting CAPI status")`
`261`	`261`
`262`	`262`	`out := new(bytes.Buffer)`
`263`	`263`	`cc := clicapi.New(cli.cfg)`
`264`	`264`
`265`		`- err := cc.Status(ctx, out, hub)`
	`265`	`+ err := cc.Status(ctx, db, out, hub)`
`266`	`266`	`if err != nil {`
`267`	`267`	`fmt.Fprintf(out, "%s\n", err)`
`268`	`268`	`}`
`@@ -534,7 +534,7 @@ func (cli *cliSupport) dump(ctx context.Context, outFile string) error {`
`534`	`534`	`}`
`535`	`535`
`536`	`536`	`if !skipCAPI {`
`537`		`- if err = cli.dumpCAPIStatus(ctx, zipWriter, hub); err != nil {`
	`537`	`+ if err = cli.dumpCAPIStatus(ctx, zipWriter, hub, db); err != nil {`
`538`	`538`	`log.Warnf("could not collect CAPI status: %s", err)`
`539`	`539`	`}`
`540`	`540`