deb, rpm: handle api key creation (skip/ignore) with .yaml.local or remote LAPI (#66)

Author: mmetc

Pipfile

@@ -1,9 +1,10 @@
 [packages]
+exceptiongroup = "1.1.1"
+pexpect = "4.8.0"
 pytest-cs = {ref = "0.7.15", git = "https://github.com/crowdsecurity/pytest-cs.git"}
-pytest-dotenv = "0.5.2"
 pytest-dependency = "0.5.1"
-pexpect = "4.8.0"
-exceptiongroup = "1.1.1"
+pytest-dotenv = "0.5.2"
+zxcvbn = "4.4.28"
 
 [dev-packages]
 gnureadline = "8.1.2"

Pipfile.lock

@@ -100,6 +100,7 @@ func main() {
 	verbose := flag.Bool("v", false, "set verbose mode")
 	bouncerVersion := flag.Bool("version", false, "display version and exit")
 	testConfig := flag.Bool("t", false, "test config and exit")
+	showConfig := flag.Bool("T", false, "show full config (.yaml + .yaml.local) and exit")
 
 	flag.Parse()
 
@@ -117,6 +118,11 @@ func main() {
 		log.Fatalf("unable to read config file: %s", err)
 	}
 
+	if *showConfig {
+		fmt.Println(string(configBytes))
+		return
+	}
+
 	config, err := cfg.NewConfig(bytes.NewReader(configBytes))
 	if err != nil {
 		log.Fatalf("unable to load configuration: %s", err)

main.go

@@ -86,9 +86,9 @@ config_not_set() {
         exit 1
     fi
 
-    before=$(cat "$CONFIG")
+    before=$("$BOUNCER" -c "$CONFIG" -T)
     # shellcheck disable=SC2016
-    after=$(envsubst "\$$varname" < "$CONFIG")
+    after=$(echo "$before" | envsubst "\$$varname")
 
     if [ "$before" = "$after" ]; then
         return 1
@@ -128,29 +128,31 @@ set_config_var_value() {
 
 set_api_key() {
     require 'CONFIG' 'BOUNCER_PREFIX'
-    local api_key ret unique bouncer_id before
+    local api_key ret bouncer_id before
     # if we can't set the key, the user will take care of it
-    api_key="<API_KEY>"
     ret=0
 
     if command -v cscli >/dev/null; then
         echo "cscli/crowdsec is present, generating API key" >&2
-        unique=$(date +%s)
-        bouncer_id="$BOUNCER_PREFIX-$unique"
-        api_key=$(cscli -oraw bouncers add "$bouncer_id")
-        if [ $? -eq 1 ]; then
+        bouncer_id="$BOUNCER_PREFIX-$(date +%s)"
+        api_key=$(cscli -oraw bouncers add "$bouncer_id" || true)
+        if [ "$api_key" = "" ]; then
             echo "failed to create API key" >&2
+            api_key="<API_KEY>"
             ret=1
         else
             echo "API Key successfully created" >&2
             echo "$bouncer_id" > "$CONFIG.id"
         fi
     else
         echo "cscli/crowdsec is not present, please set the API key manually" >&2
+        api_key="<API_KEY>"
         ret=1
     fi
 
-    set_config_var_value 'API_KEY' "$api_key"
+    if [ "$api_key" != "" ]; then
+        set_config_var_value 'API_KEY' "$api_key"
+    fi
 
     return "$ret"
 }
@@ -159,7 +161,8 @@ set_local_port() {
     require 'CONFIG'
     local port
     command -v cscli >/dev/null || return 0
-    port=$(cscli config show --key "Config.API.Server.ListenURI" | cut -d ":" -f2)
+    # the following will fail with a non-LAPI local crowdsec, leaving empty port
+    port=$(cscli config show --key "Config.API.Server.ListenURI" 2>/dev/null | cut -d ":" -f2 || true)
     if [ "$port" != "" ]; then
         sed -i "s/localhost:8080/127.0.0.1:$port/g" "$CONFIG"
         sed -i "s/127.0.0.1:8080/127.0.0.1:$port/g" "$CONFIG"
@@ -180,7 +183,7 @@ set_local_lapi_url() {
     fi
     command -v cscli >/dev/null || return 0
 
-    port=$(cscli config show --key "Config.API.Server.ListenURI" | cut -d ":" -f2 || true)
+    port=$(cscli config show --key "Config.API.Server.ListenURI" 2>/dev/null | cut -d ":" -f2 || true)
     if [ "$port" = "" ]; then
         port=8080
     fi

scripts/_bouncer.sh

@@ -13,8 +13,7 @@ API_KEY="<API_KEY>"
 gen_apikey() {
     if command -v cscli >/dev/null; then
         msg succ "cscli found, generating bouncer api key."
-        unique=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 8)
-        bouncer_id="$BOUNCER_PREFIX-$unique"
+        bouncer_id="$BOUNCER_PREFIX-$(date +%s)"
         API_KEY=$(cscli -oraw bouncers add "$bouncer_id")
         echo "$bouncer_id" > "$CONFIG.id"
         msg info "API Key: $API_KEY"

scripts/install.sh

@@ -0,0 +1,140 @@
+import os
+import subprocess
+import yaml
+from pathlib import Path
+
+import pytest
+from zxcvbn import zxcvbn
+
+pytestmark = pytest.mark.deb
+
+
+# TODO: use fixtures to install/purge and register/unregister bouncers
+
+
+def test_deb_install_purge(deb_package_path, bouncer_under_test, must_be_root):
+    # test the full install-purge cycle, doing that in separate tests would
+    # be a bit too much
+
+    # TODO: remove and reinstall
+
+    # use the package built as non-root by test_deb_build()
+    assert deb_package_path.exists(), f'This test requires {deb_package_path}'
+
+    p = subprocess.check_output(
+        ['dpkg-deb', '-f', deb_package_path.as_posix(), 'Package'],
+        encoding='utf-8'
+    )
+    package_name = p.strip()
+
+    subprocess.check_call(['dpkg', '--purge', package_name])
+
+    bouncer_exe = f"/usr/bin/{bouncer_under_test}"
+    assert not os.path.exists(bouncer_exe)
+
+    config = f"/etc/crowdsec/bouncers/{bouncer_under_test}.yaml"
+    assert not os.path.exists(config)
+
+    # install the package
+    p = subprocess.run(
+        ['dpkg', '--install', deb_package_path.as_posix()],
+        stdout=subprocess.PIPE,
+        stderr=subprocess.PIPE,
+        encoding='utf-8'
+    )
+    assert p.returncode == 0, f'Failed to install {deb_package_path}'
+
+    assert os.path.exists(bouncer_exe)
+    assert os.stat(bouncer_exe).st_mode & 0o777 == 0o755
+
+    assert os.path.exists(config)
+    assert os.stat(config).st_mode & 0o777 == 0o600
+
+    with open(config) as f:
+        cfg = yaml.safe_load(f)
+        api_key = cfg['api_key']
+        # the api key has been set to a random value
+        assert zxcvbn(api_key)['score'] == 4, f"weak api_key: '{api_key}'"
+
+    with open(config+'.id') as f:
+        bouncer_name = f.read().strip()
+
+    p = subprocess.check_output(['cscli', 'bouncers', 'list', '-o', 'json'])
+    bouncers = yaml.safe_load(p)
+    assert len([b for b in bouncers if b['name'] == bouncer_name]) == 1
+
+    p = subprocess.run(
+        ['dpkg', '--purge', package_name],
+        stdout=subprocess.PIPE,
+        stderr=subprocess.PIPE,
+        encoding='utf-8'
+    )
+    assert p.returncode == 0, f'Failed to purge {package_name}'
+
+    assert not os.path.exists(bouncer_exe)
+    assert not os.path.exists(config)
+
+
+def test_deb_install_purge_yaml_local(deb_package_path, bouncer_under_test, must_be_root):
+    """
+    Check .deb package installation with:
+
+    - a pre-existing .yaml.local file with an api key
+    - a pre-registered bouncer
+
+    => the configuration files are not touched (no new api key)
+    """
+
+    assert deb_package_path.exists(), f'This test requires {deb_package_path}'
+
+    p = subprocess.check_output(
+        ['dpkg-deb', '-f', deb_package_path.as_posix(), 'Package'],
+        encoding='utf-8'
+    )
+    package_name = p.strip()
+
+    subprocess.check_call(['dpkg', '--purge', package_name])
+    subprocess.run(['cscli', 'bouncers', 'delete', 'testbouncer'])
+
+    bouncer_exe = f"/usr/bin/{bouncer_under_test}"
+    config = Path(f"/etc/crowdsec/bouncers/{bouncer_under_test}.yaml")
+    config.parent.mkdir(parents=True, exist_ok=True)
+
+    subprocess.check_call(['cscli', 'bouncers', 'add', 'testbouncer', '-k', '123456'])
+
+    with open(config.with_suffix('.yaml.local'), 'w') as f:
+        f.write('api_key: "123456"')
+
+    p = subprocess.run(
+        ['dpkg', '--install', deb_package_path.as_posix()],
+        stdout=subprocess.PIPE,
+        stderr=subprocess.PIPE,
+        encoding='utf-8'
+    )
+    assert p.returncode == 0, f'Failed to install {deb_package_path}'
+
+    assert os.path.exists(bouncer_exe)
+    assert os.path.exists(config)
+
+    with open(config) as f:
+        cfg = yaml.safe_load(f)
+        api_key = cfg['api_key']
+        # the api key has not been set
+        assert api_key == '${API_KEY}'
+
+    p = subprocess.check_output([bouncer_exe, '-c', config, '-T'])
+    merged_config = yaml.safe_load(p)
+    assert merged_config['api_key'] == '123456'
+
+    os.unlink(config.with_suffix('.yaml.local'))
+
+    p = subprocess.run(
+        ['dpkg', '--purge', package_name],
+        stdout=subprocess.PIPE,
+        stderr=subprocess.PIPE,
+        encoding='utf-8'
+    )
+    assert p.returncode == 0, f'Failed to purge {package_name}'
+
+    assert not os.path.exists(bouncer_exe)
+    assert not os.path.exists(config)