akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 16 Packages Projects Releases Wiki Activity

feat: Add CrowdSec console re-enrollment support

Browse Source 
- Add logging when enrollment is silently skipped due to existing state
- Add DELETE /admin/crowdsec/console/enrollment endpoint to clear state
- Add re-enrollment UI section with guidance and crowdsec.net link
- Add useClearConsoleEnrollment hook for state clearing

Fixes silent idempotency bug where backend returned 200 OK without
actually executing cscli when status was already enrolled.
This commit is contained in:
GitHub Actions
2025-12-16 03:39:08 +00:00
parent d435dd7f7f
commit 45102ae312
9 changed files with 1252 additions and 152 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
backend/internal/api/handlers/crowdsec_handler.go
View File

@@ -937,6 +937,29 @@ func (h *CrowdsecHandler) ConsoleStatus(c *gin.Context) {
c.JSON(http.StatusOK, status)
}
// DeleteConsoleEnrollment clears the local enrollment state to allow fresh enrollment.
// DELETE /api/v1/admin/crowdsec/console/enrollment
// Note: This does NOT unenroll from crowdsec.net - that must be done manually on the console.
func (h *CrowdsecHandler) DeleteConsoleEnrollment(c *gin.Context) {
if !h.isConsoleEnrollmentEnabled() {
c.JSON(http.StatusNotFound, gin.H{"error": "console enrollment disabled"})
return
}
if h.Console == nil {
c.JSON(http.StatusServiceUnavailable, gin.H{"error": "console enrollment service not available"})
return
}
ctx := c.Request.Context()
if err := h.Console.ClearEnrollment(ctx); err != nil {
logger.Log().WithError(err).Warn("failed to clear console enrollment state")
c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
return
}
c.JSON(http.StatusOK, gin.H{"message": "enrollment state cleared"})
}
// GetCachedPreset returns cached preview for a slug when available.
func (h *CrowdsecHandler) GetCachedPreset(c *gin.Context) {
if !h.isCerberusEnabled() {
@@ -1474,6 +1497,7 @@ func (h *CrowdsecHandler) RegisterRoutes(rg *gin.RouterGroup) {
rg.GET("/admin/crowdsec/presets/cache/:slug", h.GetCachedPreset)
rg.POST("/admin/crowdsec/console/enroll", h.ConsoleEnroll)
rg.GET("/admin/crowdsec/console/status", h.ConsoleStatus)
rg.DELETE("/admin/crowdsec/console/enrollment", h.DeleteConsoleEnrollment)
// Decision management endpoints (Banned IP Dashboard)
rg.GET("/admin/crowdsec/decisions", h.ListDecisions)
rg.GET("/admin/crowdsec/decisions/lapi", h.GetLAPIDecisions)

163
backend/internal/api/handlers/crowdsec_handler_test.go
View File

@@ -1009,3 +1009,166 @@ labels:
require.True(t, w.Code == http.StatusOK || w.Code == http.StatusNotFound,
"expected 200 or 404, got %d", w.Code)
}
// ============================================
// DeleteConsoleEnrollment Tests
// ============================================
func TestDeleteConsoleEnrollmentDisabled(t *testing.T) {
gin.SetMode(gin.TestMode)
// Feature flag not set, should return 404
h := NewCrowdsecHandler(OpenTestDB(t), &fakeExec{}, "/bin/false", t.TempDir())
r := gin.New()
g := r.Group("/api/v1")
h.RegisterRoutes(g)
w := httptest.NewRecorder()
req := httptest.NewRequest(http.MethodDelete, "/api/v1/admin/crowdsec/console/enrollment", http.NoBody)
r.ServeHTTP(w, req)
require.Equal(t, http.StatusNotFound, w.Code)
require.Contains(t, w.Body.String(), "disabled")
}
func TestDeleteConsoleEnrollmentServiceUnavailable(t *testing.T) {
gin.SetMode(gin.TestMode)
t.Setenv("FEATURE_CROWDSEC_CONSOLE_ENROLLMENT", "true")
// Create handler with nil Console service
db := OpenTestDB(t)
h := &CrowdsecHandler{
DB: db,
Executor: &fakeExec{},
CmdExec: &RealCommandExecutor{},
BinPath: "/bin/false",
DataDir: t.TempDir(),
Console: nil, // Explicitly nil
}
r := gin.New()
g := r.Group("/api/v1")
h.RegisterRoutes(g)
w := httptest.NewRecorder()
req := httptest.NewRequest(http.MethodDelete, "/api/v1/admin/crowdsec/console/enrollment", http.NoBody)
r.ServeHTTP(w, req)
require.Equal(t, http.StatusServiceUnavailable, w.Code)
require.Contains(t, w.Body.String(), "not available")
}
func TestDeleteConsoleEnrollmentSuccess(t *testing.T) {
gin.SetMode(gin.TestMode)
t.Setenv("FEATURE_CROWDSEC_CONSOLE_ENROLLMENT", "true")
h, _ := setupTestConsoleEnrollment(t)
// First create an enrollment record
rec := &models.CrowdsecConsoleEnrollment{
UUID: "test-uuid",
Status: "enrolled",
AgentName: "test-agent",
Tenant: "test-tenant",
}
require.NoError(t, h.DB.Create(rec).Error)
r := gin.New()
g := r.Group("/api/v1")
h.RegisterRoutes(g)
// Delete the enrollment
w := httptest.NewRecorder()
req := httptest.NewRequest(http.MethodDelete, "/api/v1/admin/crowdsec/console/enrollment", http.NoBody)
r.ServeHTTP(w, req)
require.Equal(t, http.StatusOK, w.Code)
require.Contains(t, w.Body.String(), "cleared")
// Verify the record is gone
var count int64
h.DB.Model(&models.CrowdsecConsoleEnrollment{}).Count(&count)
require.Equal(t, int64(0), count)
}
func TestDeleteConsoleEnrollmentNoRecordSuccess(t *testing.T) {
gin.SetMode(gin.TestMode)
t.Setenv("FEATURE_CROWDSEC_CONSOLE_ENROLLMENT", "true")
h, _ := setupTestConsoleEnrollment(t)
// Don't create any record - deletion should still succeed
r := gin.New()
g := r.Group("/api/v1")
h.RegisterRoutes(g)
w := httptest.NewRecorder()
req := httptest.NewRequest(http.MethodDelete, "/api/v1/admin/crowdsec/console/enrollment", http.NoBody)
r.ServeHTTP(w, req)
require.Equal(t, http.StatusOK, w.Code)
require.Contains(t, w.Body.String(), "cleared")
}
func TestDeleteConsoleEnrollmentThenReenroll(t *testing.T) {
gin.SetMode(gin.TestMode)
t.Setenv("FEATURE_CROWDSEC_CONSOLE_ENROLLMENT", "true")
h, _ := setupTestConsoleEnrollment(t)
r := gin.New()
g := r.Group("/api/v1")
h.RegisterRoutes(g)
// First enroll
body := `{"enrollment_key": "abc123456789", "agent_name": "test-agent-1"}`
w := httptest.NewRecorder()
req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/crowdsec/console/enroll", strings.NewReader(body))
req.Header.Set("Content-Type", "application/json")
r.ServeHTTP(w, req)
require.Equal(t, http.StatusOK, w.Code)
// Check status shows pending_acceptance
w2 := httptest.NewRecorder()
req2 := httptest.NewRequest(http.MethodGet, "/api/v1/admin/crowdsec/console/status", http.NoBody)
r.ServeHTTP(w2, req2)
require.Equal(t, http.StatusOK, w2.Code)
var resp map[string]interface{}
require.NoError(t, json.Unmarshal(w2.Body.Bytes(), &resp))
require.Equal(t, "pending_acceptance", resp["status"])
require.Equal(t, "test-agent-1", resp["agent_name"])
// Delete enrollment
w3 := httptest.NewRecorder()
req3 := httptest.NewRequest(http.MethodDelete, "/api/v1/admin/crowdsec/console/enrollment", http.NoBody)
r.ServeHTTP(w3, req3)
require.Equal(t, http.StatusOK, w3.Code)
// Check status shows not_enrolled
w4 := httptest.NewRecorder()
req4 := httptest.NewRequest(http.MethodGet, "/api/v1/admin/crowdsec/console/status", http.NoBody)
r.ServeHTTP(w4, req4)
require.Equal(t, http.StatusOK, w4.Code)
var resp2 map[string]interface{}
require.NoError(t, json.Unmarshal(w4.Body.Bytes(), &resp2))
require.Equal(t, "not_enrolled", resp2["status"])
// Re-enroll with NEW agent name - should work WITHOUT force
body2 := `{"enrollment_key": "newkey123456", "agent_name": "test-agent-2"}`
w5 := httptest.NewRecorder()
req5 := httptest.NewRequest(http.MethodPost, "/api/v1/admin/crowdsec/console/enroll", strings.NewReader(body2))
req5.Header.Set("Content-Type", "application/json")
r.ServeHTTP(w5, req5)
require.Equal(t, http.StatusOK, w5.Code)
// Check status shows new agent name
w6 := httptest.NewRecorder()
req6 := httptest.NewRequest(http.MethodGet, "/api/v1/admin/crowdsec/console/status", http.NoBody)
r.ServeHTTP(w6, req6)
require.Equal(t, http.StatusOK, w6.Code)
var resp3 map[string]interface{}
require.NoError(t, json.Unmarshal(w6.Body.Bytes(), &resp3))
require.Equal(t, "pending_acceptance", resp3["status"])
require.Equal(t, "test-agent-2", resp3["agent_name"])
}

30
backend/internal/crowdsec/console_enroll.go
View File

@@ -160,6 +160,11 @@ func (s *ConsoleEnrollmentService) Enroll(ctx context.Context, req ConsoleEnroll
}
// If already enrolled or pending acceptance, skip unless Force is set
if (rec.Status == consoleStatusEnrolled || rec.Status == consoleStatusPendingAcceptance) && !req.Force {
logger.Log().WithFields(map[string]interface{}{
"status": rec.Status,
"agent_name": rec.AgentName,
"tenant": rec.Tenant,
}).Info("console enrollment skipped: already enrolled or pending acceptance - use force=true to re-enroll")
return s.statusFromModel(rec), nil
}
@@ -339,6 +344,31 @@ func (s *ConsoleEnrollmentService) load(ctx context.Context) (*models.CrowdsecCo
return &rec, nil
}
// ClearEnrollment resets the enrollment state to allow fresh enrollment.
// This does NOT unenroll from crowdsec.net - that must be done manually on the console.
func (s *ConsoleEnrollmentService) ClearEnrollment(ctx context.Context) error {
if s.db == nil {
return fmt.Errorf("database not initialized")
}
var rec models.CrowdsecConsoleEnrollment
if err := s.db.WithContext(ctx).First(&rec).Error; err != nil {
if errors.Is(err, gorm.ErrRecordNotFound) {
return nil // Already cleared
}
return fmt.Errorf("failed to find enrollment record: %w", err)
}
logger.Log().WithField("previous_status", rec.Status).Info("clearing console enrollment state")
// Delete the record
if err := s.db.WithContext(ctx).Delete(&rec).Error; err != nil {
return fmt.Errorf("failed to delete enrollment record: %w", err)
}
return nil
}
func (s *ConsoleEnrollmentService) statusFromModel(rec *models.CrowdsecConsoleEnrollment) ConsoleEnrollmentStatus {
if rec == nil {
return ConsoleEnrollmentStatus{Status: consoleStatusNotEnrolled}

203
backend/internal/crowdsec/console_enroll_test.go
View File

@@ -1,12 +1,15 @@
package crowdsec
import (
"bytes"
"context"
"fmt"
"strings"
"testing"
"time"
"github.com/sirupsen/logrus"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"gorm.io/driver/sqlite"
"gorm.io/gorm"
@@ -772,3 +775,203 @@ func TestEnroll_RequiresLAPI(t *testing.T) {
require.Contains(t, exec.calls[0].args, "lapi")
require.Contains(t, exec.calls[0].args, "status")
}
// ============================================
// ClearEnrollment Tests
// ============================================
func TestConsoleEnrollService_ClearEnrollment(t *testing.T) {
db := openConsoleTestDB(t)
exec := &stubEnvExecutor{}
svc := NewConsoleEnrollmentService(db, exec, t.TempDir(), "test-secret")
ctx := context.Background()
// Create an enrollment record
rec := &models.CrowdsecConsoleEnrollment{
UUID: "test-uuid",
Status: "enrolled",
AgentName: "test-agent",
Tenant: "test-tenant",
}
require.NoError(t, db.Create(rec).Error)
// Verify record exists
var countBefore int64
db.Model(&models.CrowdsecConsoleEnrollment{}).Count(&countBefore)
require.Equal(t, int64(1), countBefore)
// Clear it
err := svc.ClearEnrollment(ctx)
require.NoError(t, err)
// Verify it's gone
var countAfter int64
db.Model(&models.CrowdsecConsoleEnrollment{}).Count(&countAfter)
assert.Equal(t, int64(0), countAfter)
}
func TestConsoleEnrollService_ClearEnrollment_NoRecord(t *testing.T) {
db := openConsoleTestDB(t)
exec := &stubEnvExecutor{}
svc := NewConsoleEnrollmentService(db, exec, t.TempDir(), "test-secret")
ctx := context.Background()
// Should not error when no record exists
err := svc.ClearEnrollment(ctx)
require.NoError(t, err)
}
func TestConsoleEnrollService_ClearEnrollment_NilDB(t *testing.T) {
exec := &stubEnvExecutor{}
svc := NewConsoleEnrollmentService(nil, exec, t.TempDir(), "test-secret")
ctx := context.Background()
// Should error when DB is nil
err := svc.ClearEnrollment(ctx)
require.Error(t, err)
require.Contains(t, err.Error(), "database not initialized")
}
func TestConsoleEnrollService_ClearEnrollment_ThenReenroll(t *testing.T) {
db := openConsoleTestDB(t)
exec := &stubEnvExecutor{}
svc := NewConsoleEnrollmentService(db, exec, t.TempDir(), "test-secret")
ctx := context.Background()
// First enrollment
_, err := svc.Enroll(ctx, ConsoleEnrollRequest{
EnrollmentKey: "abc123def4g",
AgentName: "agent-one",
})
require.NoError(t, err)
// Verify enrolled
status, err := svc.Status(ctx)
require.NoError(t, err)
require.Equal(t, consoleStatusPendingAcceptance, status.Status)
// Clear enrollment
err = svc.ClearEnrollment(ctx)
require.NoError(t, err)
// Verify status is now not_enrolled (new record will be created on next Status call)
status, err = svc.Status(ctx)
require.NoError(t, err)
require.Equal(t, consoleStatusNotEnrolled, status.Status)
// Re-enroll with new key should work without force
_, err = svc.Enroll(ctx, ConsoleEnrollRequest{
EnrollmentKey: "newkey12345",
AgentName: "agent-two",
Force: false, // Force NOT required after clear
})
require.NoError(t, err)
// Verify new enrollment
status, err = svc.Status(ctx)
require.NoError(t, err)
require.Equal(t, consoleStatusPendingAcceptance, status.Status)
require.Equal(t, "agent-two", status.AgentName)
}
// ============================================
// Logging When Skipped Tests
// ============================================
func TestConsoleEnrollService_LogsWhenSkipped(t *testing.T) {
db := openConsoleTestDB(t)
// Use a test logger that captures output
logger := logrus.New()
var logBuf bytes.Buffer
logger.SetOutput(&logBuf)
logger.SetLevel(logrus.InfoLevel)
logger.SetFormatter(&logrus.TextFormatter{DisableTimestamp: true})
exec := &stubEnvExecutor{}
svc := NewConsoleEnrollmentService(db, exec, t.TempDir(), "test-secret")
ctx := context.Background()
// Create an existing enrollment
rec := &models.CrowdsecConsoleEnrollment{
UUID: "test-uuid",
Status: "enrolled",
AgentName: "test-agent",
Tenant: "test-tenant",
}
require.NoError(t, db.Create(rec).Error)
// Try to enroll without force - this should be skipped
status, err := svc.Enroll(ctx, ConsoleEnrollRequest{
EnrollmentKey: "newkey12345",
AgentName: "new-agent",
Force: false,
})
require.NoError(t, err)
// Enrollment should be skipped - status remains enrolled
require.Equal(t, "enrolled", status.Status)
// The actual logging is done via the logger package, which uses a global logger.
// We can't easily capture that here without modifying the package.
// Instead, we verify the behavior is correct by checking exec.callCount()
// - if skipped properly, we should see lapi + capi calls but NO enroll call
require.Equal(t, 2, exec.callCount(), "should only call lapi status and capi register, not enroll")
}
func TestConsoleEnrollService_LogsWhenSkipped_PendingAcceptance(t *testing.T) {
db := openConsoleTestDB(t)
exec := &stubEnvExecutor{}
svc := NewConsoleEnrollmentService(db, exec, t.TempDir(), "test-secret")
ctx := context.Background()
// Create an existing enrollment with pending_acceptance status
rec := &models.CrowdsecConsoleEnrollment{
UUID: "test-uuid",
Status: consoleStatusPendingAcceptance,
AgentName: "test-agent",
Tenant: "test-tenant",
}
require.NoError(t, db.Create(rec).Error)
// Try to enroll without force - this should also be skipped
status, err := svc.Enroll(ctx, ConsoleEnrollRequest{
EnrollmentKey: "newkey12345",
AgentName: "new-agent",
Force: false,
})
require.NoError(t, err)
// Enrollment should be skipped - status remains pending_acceptance
require.Equal(t, consoleStatusPendingAcceptance, status.Status)
require.Equal(t, 2, exec.callCount(), "should only call lapi status and capi register, not enroll")
}
func TestConsoleEnrollService_ForceOverridesSkip(t *testing.T) {
db := openConsoleTestDB(t)
exec := &stubEnvExecutor{}
svc := NewConsoleEnrollmentService(db, exec, t.TempDir(), "test-secret")
ctx := context.Background()
// Create an existing enrollment
rec := &models.CrowdsecConsoleEnrollment{
UUID: "test-uuid",
Status: "enrolled",
AgentName: "test-agent",
Tenant: "test-tenant",
}
require.NoError(t, db.Create(rec).Error)
// Try to enroll WITH force - this should NOT be skipped
status, err := svc.Enroll(ctx, ConsoleEnrollRequest{
EnrollmentKey: "newkey12345",
AgentName: "new-agent",
Force: true,
})
require.NoError(t, err)
// Force enrollment should proceed - status becomes pending_acceptance
require.Equal(t, consoleStatusPendingAcceptance, status.Status)
require.Equal(t, "new-agent", status.AgentName)
require.Equal(t, 3, exec.callCount(), "should call lapi status, capi register, AND enroll")
}

594
docs/plans/current_spec.md
View File

@@ -1,21 +1,601 @@
# Investigation Report: CrowdSec Enrollment & Live Log Viewer Issues
**Date:** December 15, 2025
**Date:** December 15, 2025 (Updated: December 16, 2025)
**Investigator:** GitHub Copilot
**Status:**Issue A RESOLVED - Issue B Analysis Pending
**Status:**Analysis Complete - Re-Enrollment UX Options Evaluated
---
## Executive Summary (Updated December 16, 2025)
## 📋 CrowdSec Re-Enrollment UX Research (December 16, 2025)
This document covers TWO issues:
### CrowdSec CLI Capabilities
1. **CrowdSec Enrollment****FIXED**: Shows success locally but engine doesn't appear in CrowdSec.net dashboard
- **Root Cause**: Code incorrectly set status to `enrolled` after `cscli console enroll` succeeded, but CrowdSec's help explicitly states users must "validate the enrollment in the webapp"
- **Fix Applied**: Changed status to `pending_acceptance` and updated frontend to inform users they must accept on app.crowdsec.net
**Available Console Commands (`cscli console --help`):**
```text
Available Commands:
disable Disable a console option
enable Enable a console option
enroll Enroll this instance to https://app.crowdsec.net
status Shows status of the console options
```
**Enroll Command Flags (`cscli console enroll --help`):**
```text
Flags:
-d, --disable strings Disable console options
-e, --enable strings Enable console options
-h, --help help for enroll
-n, --name string Name to display in the console
--overwrite Force enroll the instance ← KEY FLAG FOR RE-ENROLLMENT
-t, --tags strings Tags to display in the console
```
**Key Finding: NO "unenroll" or "disconnect" command exists in CrowdSec CLI.**
The `disable --all` command only disables data sharing options (custom, tainted, manual, context, console_management) - it does NOT unenroll from the console.
### Current Data Model Analysis
**Model: `CrowdsecConsoleEnrollment`** ([crowdsec_console_enrollment.go](../../backend/internal/models/crowdsec_console_enrollment.go)):
```go
type CrowdsecConsoleEnrollment struct {
ID uint // Primary key
UUID string // Unique identifier
Status string // not_enrolled, enrolling, pending_acceptance, enrolled, failed
Tenant string // Organization identifier
AgentName string // Display name in console
EncryptedEnrollKey string // ← KEY IS STORED (encrypted with AES-GCM)
LastError string // Error message if failed
LastCorrelationID string // For debugging
LastAttemptAt *time.Time
EnrolledAt *time.Time
LastHeartbeatAt *time.Time
CreatedAt time.Time
UpdatedAt time.Time
}
```
**✅ Current Implementation Already Stores Enrollment Key:**
- The key is encrypted using AES-256-GCM with a key derived from a secret
- Stored in `EncryptedEnrollKey` field (excluded from JSON via `json:"-"`)
- Encryption implemented in `console_enroll.go` lines 377-409
### Enrollment Key Lifecycle (from crowdsec.net)
1. **Generation**: User generates enrollment key on app.crowdsec.net
2. **Usage**: Key is used with `cscli console enroll <key>` to request enrollment
3. **Validation**: CrowdSec validates the key against their API
4. **Acceptance**: User must accept enrollment request on app.crowdsec.net
5. **Reusability**: The SAME key can be used multiple times with `--overwrite` flag
6. **Expiration**: Keys do not expire but may be revoked by user on console
### UX Options Evaluation
#### Option A: "Re-enroll" Button Requiring NEW Key ✅ RECOMMENDED
**How it works:**
- User provides a new enrollment key from crowdsec.net
- Backend sends `cscli console enroll --overwrite --name <agent> <new_key>`
- User accepts on crowdsec.net
**Pros:**
- ✅ Simple implementation (already supported via `force: true`)
- ✅ Secure - no key storage concerns beyond current encrypted storage
- ✅ Fresh key guarantees user has console access
- ✅ Matches CrowdSec's intended workflow
**Cons:**
- ⚠️ Requires user to visit crowdsec.net to get new key
- ⚠️ Extra step for user
**Current UI Support:**
- "Rotate key" button already calls `submitConsoleEnrollment(true)` with `force=true`
- "Retry enrollment" button appears when status is `degraded`
#### Option B: "Re-enroll" with STORED Key
**How it works:**
- Use the encrypted key already stored in `EncryptedEnrollKey`
- Decrypt and re-send enrollment request
**Pros:**
- ✅ Simplest UX - one-click re-enrollment
- ✅ Key is already stored and encrypted
**Cons:**
- ⚠️ Security concern: Re-using stored keys increases exposure window
- ⚠️ Key may have been revoked on crowdsec.net without Charon knowing
- ⚠️ Old key may belong to different CrowdSec account
- ⚠️ Violates principle of least privilege
**Current Implementation Gap:**
- `decrypt()` method exists but is marked as "only used in tests"
- Would need new endpoint to retrieve stored key for re-enrollment
#### Option C: "Unenroll" + Manual Re-enroll ❌ NOT SUPPORTED
**How it would work:**
- Clear local enrollment state
- User goes through fresh enrollment
**Blockers:**
- ❌ CrowdSec CLI has NO unenroll/disconnect command
- ❌ Would require manual deletion of config files
- ❌ May leave orphaned engine on crowdsec.net console
**Files that would need cleanup:**
```text
/app/data/crowdsec/config/console.yaml # Console options
/app/data/crowdsec/config/online_api_credentials.yaml # CAPI credentials
```
Note: Deleting these files would also affect CAPI registration, not just console enrollment.
### 🎯 Recommended Approach: Option A (Enhanced)
**Justification:**
1. **Security First**: CrowdSec enrollment keys should be treated as sensitive credentials
2. **User Intent**: Re-enrollment implies user wants fresh connection to console
3. **Minimal Risk**: User must actively obtain new key, preventing accidental re-enrollments
4. **CrowdSec Best Practice**: The `--overwrite` flag is CrowdSec's designed mechanism for this
**UI Flow Enhancement:**
```text
┌─────────────────────────────────────────────────────────────────┐
│ Console Enrollment [?] Help │
├─────────────────────────────────────────────────────────────────┤
│ │
│ Status: ● Enrolled │
│ Agent: Charon-Home │
│ Tenant: my-organization │
│ │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ Need to re-enroll? │ │
│ │ │ │
│ │ To connect to a different CrowdSec console account or │ │
│ │ reset your enrollment, you'll need a new enrollment key │ │
│ │ from app.crowdsec.net. │ │
│ │ │ │
│ │ [Get new key ↗] [Re-enroll with new key] │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ New Enrollment Key: [________________________] │ │
│ │ Agent Name: [Charon-Home_____________] │ │
│ │ Tenant: [my-organization_________] │ │
│ │ │ │
│ │ [Re-enroll] │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────┘
```
### Implementation Steps
#### Step 1: Update Frontend UI (Priority: HIGH)
**File:** `frontend/src/pages/CrowdSecConfig.tsx`
Changes:
1. Add "Re-enroll" section visible when `status === 'enrolled'`
2. Add expandable/collapsible panel for re-enrollment
3. Add link to app.crowdsec.net/enrollment-keys
4. Rename "Rotate key" button to "Re-enroll" for clarity
5. Add explanatory text about why re-enrollment requires new key
#### Step 2: Improve Backend Logging (Priority: MEDIUM)
**File:** `backend/internal/crowdsec/console_enroll.go`
Changes:
1. Add logging when enrollment is skipped due to existing status
2. Return `skipped: true` field in response when idempotency check triggers
3. Consider adding `reason` field to explain why enrollment was skipped
#### Step 3: Add "Clear Enrollment" Admin Function (Priority: LOW)
**File:** `backend/internal/api/handlers/crowdsec_handler.go`
New endpoint: `DELETE /api/v1/admin/crowdsec/console/enrollment`
Purpose: Reset local enrollment state to `not_enrolled` without touching CrowdSec config files.
Note: This does NOT unenroll from crowdsec.net - that must be done manually on the console.
#### Step 4: Documentation Update (Priority: MEDIUM)
**File:** `docs/cerberus.md`
Add section explaining:
- Why re-enrollment requires new key
- How to get new enrollment key from crowdsec.net
- What happens to old engine on crowdsec.net (must be manually removed)
- Troubleshooting common enrollment issues
---
## Executive Summary
This document covers THREE issues:
1. **CrowdSec Enrollment Backend** 🔴 **CRITICAL BUG FOUND**: Backend returns 200 OK but `cscli` is NEVER executed
- **Root Cause**: Silent idempotency check returns success without running enrollment command
- **Evidence**: POST returns 200 OK with 137ms latency, but NO `cscli` logs appear
- **Fix Required**: Add logging for skipped enrollments and clear guidance to use `force=true`
2. **Live Log Viewer**: Shows "Disconnected" status (Analysis pending implementation)
3. **Stale Database State**: Old `enrolled` status from pre-fix deployment blocks new enrollments
- **Symptoms**: User clicks Enroll, sees 200 OK, but nothing happens on crowdsec.net
- **Root Cause**: Database has `status=enrolled` from before the `pending_acceptance` fix was deployed
---
## 🔴 CRITICAL BUG: Silent Idempotency Check (December 16, 2025)
### Problem Statement
User submits enrollment form, backend returns 200 OK (confirmed in Docker logs), but the enrollment NEVER appears on crowdsec.net. No `cscli` command execution visible in logs.
### Docker Log Evidence
```
POST /api/v1/admin/crowdsec/console/enroll → 200 OK (137ms latency)
NO "starting crowdsec console enrollment" log ← cscli NEVER executed
NO cscli output logs
```
### Code Path Analysis
**File:** [backend/internal/crowdsec/console_enroll.go](backend/internal/crowdsec/console_enroll.go)
#### Step 1: Handler calls service (line 865-920)
```go
// crowdsec_handler.go:888-895
status, err := h.Console.Enroll(ctx, crowdsec.ConsoleEnrollRequest{
EnrollmentKey: payload.EnrollmentKey,
Tenant: payload.Tenant,
AgentName: payload.AgentName,
Force: payload.Force, // <-- User did NOT check Force checkbox
})
```
#### Step 2: Idempotency Check (lines 155-165) ⚠️ BUG HERE
```go
// console_enroll.go:155-165
if rec.Status == consoleStatusEnrolling {
return s.statusFromModel(rec), fmt.Errorf("enrollment already in progress")
}
// If already enrolled or pending acceptance, skip unless Force is set
if (rec.Status == consoleStatusEnrolled || rec.Status == consoleStatusPendingAcceptance) && !req.Force {
return s.statusFromModel(rec), nil // <-- RETURNS SUCCESS WITHOUT LOGGING OR RUNNING CSCLI!
}
```
#### Step 3: Database State (confirmed via container inspection)
```
uuid: fb129bb5-d223-4c66-941c-a30e2e2b3040
status: enrolled ← SET BY OLD CODE BEFORE pending_acceptance FIX
tenant: 5e045b3c-5196-406b-99cd-503bc64c7b0d
agent_name: Charon
```
### Root Cause
1. **Historical State**: User enrolled BEFORE the `pending_acceptance` fix was deployed
2. **Old Code Bug**: Previous code set `status = enrolled` immediately after cscli returned exit 0
3. **Silent Skip**: Current code silently skips enrollment when `status` is `enrolled` (or `pending_acceptance`)
4. **No User Feedback**: Returns 200 OK without logging or informing user enrollment was skipped
### Manual Test Results from Container
```bash
# cscli is available and working
docker exec charon cscli console enroll --help
# ✅ Shows help
# LAPI is running
docker exec charon cscli lapi status
# ✅ "You can successfully interact with Local API (LAPI)"
# Console status
docker exec charon cscli console status
# ✅ Shows options table (custom=true, tainted=true)
# Manual enrollment with invalid key shows proper error
docker exec charon cscli console enroll --name test TESTINVALIDKEY123
# ✅ Error: "the attachment key provided is not valid"
# Config path exists and is correct
docker exec charon ls /app/data/crowdsec/config/config.yaml
# ✅ File exists
```
### Required Fixes
#### Fix 1: Add Logging for Skipped Enrollments
**File:** `backend/internal/crowdsec/console_enroll.go` lines 162-165
**Current:**
```go
if (rec.Status == consoleStatusEnrolled || rec.Status == consoleStatusPendingAcceptance) && !req.Force {
return s.statusFromModel(rec), nil
}
```
**Fixed:**
```go
if (rec.Status == consoleStatusEnrolled || rec.Status == consoleStatusPendingAcceptance) && !req.Force {
logger.Log().WithField("status", rec.Status).WithField("agent", rec.AgentName).WithField("tenant", rec.Tenant).Info("enrollment skipped: already enrolled or pending - use force=true to re-enroll")
return s.statusFromModel(rec), nil
}
```
#### Fix 2: Add "Skipped" Indicator to Response
Add a field to indicate enrollment was skipped vs actually submitted:
```go
type ConsoleEnrollmentStatus struct {
Status string `json:"status"`
Skipped bool `json:"skipped,omitempty"` // <-- NEW
// ... other fields
}
```
And in the idempotency return:
```go
status := s.statusFromModel(rec)
status.Skipped = true
return status, nil
```
#### Fix 3: Frontend Should Show "Already Enrolled" State
**File:** `frontend/src/pages/CrowdSecConfig.tsx`
When `consoleStatusQuery.data?.status === 'enrolled'` or `'pending_acceptance'`:
- Show "You are already enrolled" message
- Show "Force Re-Enrollment" button with checkbox
- Explain that acceptance on crowdsec.net may be required
#### Fix 4: Migrate Stale "enrolled" Status to "pending_acceptance"
Either:
1. Add a database migration to change all `enrolled` to `pending_acceptance`
2. Or have users click "Force Re-Enroll" once
### Workaround for User
Until fix is deployed, user can re-enroll using the Force option:
1. In the UI: Check "Force re-enrollment" checkbox before clicking Enroll
2. Or via curl:
```bash
curl -X POST http://localhost:8080/api/v1/admin/crowdsec/console/enroll \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{"enrollment_key":"<key>", "agent_name":"Charon", "force":true}'
```
---
## Previous Frontend Analysis (Still Valid for Reference)
### Enrollment Flow Path
```
User clicks "Enroll" button
CrowdSecConfig.tsx: <Button onClick={() => submitConsoleEnrollment(false)} ...>
submitConsoleEnrollment() function (line 269-299)
validateConsoleEnrollment() check (line 254-267)
enrollConsoleMutation.mutateAsync(payload)
useConsoleEnrollment.ts: enrollConsole(payload)
consoleEnrollment.ts: client.post('/admin/crowdsec/console/enroll', payload)
```
### Conditions That Block the Enrollment Request
#### 1. **Feature Flag Disabled** (POSSIBLE BLOCKER)
**File:** [CrowdSecConfig.tsx](frontend/src/pages/CrowdSecConfig.tsx#L44-L45)
```typescript
const { data: featureFlags } = useQuery({ queryKey: ['feature-flags'], queryFn: getFeatureFlags })
const consoleEnrollmentEnabled = Boolean(featureFlags?.['feature.crowdsec.console_enrollment'])
```
**Impact:** If `feature.crowdsec.console_enrollment` is `false` or undefined, the **entire enrollment card is not rendered**:
```typescript
{consoleEnrollmentEnabled && (
<Card data-testid="console-enrollment-card">
... enrollment UI ...
</Card>
)}
```
#### 2. **Enroll Button Disabled Conditions** ⚠️ HIGH PROBABILITY
**File:** [CrowdSecConfig.tsx](frontend/src/pages/CrowdSecConfig.tsx#L692)
```typescript
disabled={isConsolePending || (lapiStatusQuery.data && !lapiStatusQuery.data.lapi_ready) || !enrollmentToken.trim()}
```
The button is disabled when:
| Condition | Description |
|-----------|-------------|
| `isConsolePending` | Enrollment mutation is already in progress OR status is 'enrolling' |
| `lapiStatusQuery.data && !lapiStatusQuery.data.lapi_ready` | LAPI status query returned data but `lapi_ready` is `false` |
| `!enrollmentToken.trim()` | Enrollment token input is empty |
**⚠️ CRITICAL FINDING:** The LAPI ready check can block enrollment:
- If `lapiStatusQuery.data` exists AND `lapi_ready` is `false`, button is DISABLED
- This can happen if CrowdSec process is running but LAPI hasn't fully initialized
#### 3. **Validation Blocks in submitConsoleEnrollment()** ⚠️ HIGH PROBABILITY
**File:** [CrowdSecConfig.tsx](frontend/src/pages/CrowdSecConfig.tsx#L269-L276)
```typescript
const submitConsoleEnrollment = async (force = false) => {
const allowMissingTenant = force && !consoleTenant.trim()
const requireAck = normalizedConsoleStatus === 'not_enrolled'
if (!validateConsoleEnrollment({ allowMissingTenant, requireAck })) return // <-- EARLY RETURN
...
}
```
**Validation function** (line 254-267):
```typescript
const validateConsoleEnrollment = (options?) => {
const nextErrors = {}
if (!enrollmentToken.trim()) {
nextErrors.token = 'Enrollment token is required'
}
if (!consoleAgentName.trim()) {
nextErrors.agent = 'Agent name is required'
}
if (!consoleTenant.trim() && !options?.allowMissingTenant) {
nextErrors.tenant = 'Tenant / organization is required' // <-- BLOCKS if tenant empty
}
if (options?.requireAck && !consoleAck) {
nextErrors.ack = 'You must acknowledge...' // <-- BLOCKS if checkbox unchecked
}
setConsoleErrors(nextErrors)
return Object.keys(nextErrors).length === 0
}
```
**Validation will SILENTLY block** the request if:
1. `enrollmentToken` is empty
2. `consoleAgentName` is empty
3. `consoleTenant` is empty (for non-force enrollment)
4. **`consoleAck` checkbox is unchecked** (for first-time enrollment where status is `not_enrolled`)
### Summary of Blocking Conditions
| Condition | Where | Effect |
|-----------|-------|--------|
| Feature flag disabled | Line 44-45 | Entire enrollment card not rendered |
| **LAPI not ready** | Line 692 | **Button disabled** |
| Token empty | Line 692, validation | Button disabled + validation blocks |
| Agent name empty | Validation line 260 | Validation silently blocks |
| **Tenant empty** | Validation line 262 | **Validation silently blocks** |
| **Acknowledgment unchecked** | Validation line 265 | **Validation silently blocks** |
| Already enrolling | Line 692 | Button disabled |
### Most Likely Root Causes (Ordered by Probability)
#### 1. **LAPI Not Ready Check** ⚠️ HIGH PROBABILITY
The condition `(lapiStatusQuery.data && !lapiStatusQuery.data.lapi_ready)` will disable the button if:
- The status query has completed (data exists)
- But `lapi_ready` is `false`
**Check:** Call `GET /api/v1/admin/crowdsec/status` and verify `lapi_ready` field.
#### 2. **Acknowledgment Checkbox Not Checked** ⚠️ HIGH PROBABILITY
For first-time enrollment (`status === 'not_enrolled'`), the checkbox MUST be checked. The validation will silently `return` without making the API call.
**Check:** Ensure checkbox with `data-testid="console-ack-checkbox"` is checked.
#### 3. **Tenant Field Empty**
For non-force enrollment, the tenant field is required. An empty tenant will block the request silently.
**Check:** Ensure tenant input has a value.
### Code Sections That Need Fixes
#### Fix 1: Add Debug Logging (Temporary)
Add to `submitConsoleEnrollment()`:
```typescript
const submitConsoleEnrollment = async (force = false) => {
console.log('[DEBUG] submitConsoleEnrollment called', {
force,
enrollmentToken: enrollmentToken.trim() ? 'present' : 'empty',
consoleTenant,
consoleAgentName,
consoleAck,
normalizedConsoleStatus,
lapiReady: lapiStatusQuery.data?.lapi_ready,
})
// ... rest
}
```
#### Fix 2: Improve Validation Feedback
The validation currently sets `consoleErrors` but these may not be visible to the user. Ensure error messages are displayed.
#### Fix 3: Check LAPI Status Polling
The LAPI status query starts only after 3 seconds (`initialCheckComplete`). If the user clicks before then, the button may be enabled (good) but LAPI might not actually be ready (backend will fail).
### Recommended Debug Steps
1. **Open browser DevTools → Console**
2. **Check if enrollment card is rendered** (look for `data-testid="console-enrollment-card"`)
3. **Inspect button element** - check if `disabled` attribute is present
4. **Check Network tab** for:
- `GET /api/v1/feature-flags` response
- `GET /api/v1/admin/crowdsec/status` response (check `lapi_ready`)
5. **Verify form state**:
- Token field has value
- Agent name has value
- Tenant has value
- Checkbox is checked
### API Client Verification
**File:** [consoleEnrollment.ts](frontend/src/api/consoleEnrollment.ts#L27-L30)
```typescript
export async function enrollConsole(payload: ConsoleEnrollPayload): Promise<ConsoleEnrollmentStatus> {
const resp = await client.post<ConsoleEnrollmentStatus>('/admin/crowdsec/console/enroll', payload)
return resp.data
}
```
✅ The API client is correctly implemented. The issue is upstream - **the function is never being called** because conditions are blocking it.
---
## ✅ RESOLVED Issue A: CrowdSec Console Enrollment Not Working

251
docs/reports/qa_report.md
View File

@@ -1,169 +1,138 @@
# QA Security Report - CrowdSec Fixes Verification
# QA Audit Report: CrowdSec Re-Enrollment Fixes
**Date:** December 15, 2025
**Agent:** QA_SECURITY
**Scope:** CrowdSec fixes verification
**Date:** December 16, 2025
**Scope:** Backend and frontend fixes for CrowdSec re-enrollment functionality
---
## Summary
| Category | Status | Details |
|----------|--------|---------|
| Backend Tests | ✅ PASS | 18 packages, all tests passing |
| Frontend Tests | ✅ PASS | 91 test files, 956 tests passing, 2 skipped |
| TypeScript Check | ✅ PASS | No errors |
| Frontend Lint | ✅ PASS | 0 errors, 12 warnings (pre-existing) |
| Go Vet | ✅ PASS | No issues |
| Backend Build | ✅ PASS | Compiles successfully |
| Frontend Build | ✅ PASS | Production build successful |
**Overall Status: ✅ PASS**
| Check | Status | Details |
|-------|--------|---------|
| Backend Tests | ✅ PASS | All tests passed |
| Frontend Tests | ✅ PASS | 956 passed, 2 skipped |
| TypeScript Check | ✅ PASS | No type errors |
| Frontend Lint | ✅ PASS | 0 errors, 12 warnings |
| Pre-commit Checks | ✅ PASS | All hooks passed |
| Backend Build | ✅ PASS | Compiled successfully |
| Frontend Build | ✅ PASS | Built successfully |
---
## 1. Backend Tests
## Detailed Results
```bash
go test ./...
```
### 1. Backend Tests
**Result:** All 18 packages pass
| Package | Status |
|---------|--------|
| cmd/api | ✅ PASS |
| cmd/seed | ✅ PASS |
| internal/api/handlers | ✅ PASS |
| internal/api/middleware | ✅ PASS |
| internal/api/routes | ✅ PASS |
| internal/api/tests | ✅ PASS |
| internal/caddy | ✅ PASS |
| internal/cerberus | ✅ PASS |
| internal/config | ✅ PASS |
| internal/crowdsec | ✅ PASS |
| internal/database | ✅ PASS |
| internal/logger | ✅ PASS |
| internal/metrics | ✅ PASS |
| internal/models | ✅ PASS |
| internal/server | ✅ PASS |
| internal/services | ✅ PASS |
| internal/util | ✅ PASS |
| internal/version | ✅ PASS |
---
## 2. Frontend Tests
```bash
npm run test
```
**Result:** 91 test files pass, 956 tests pass, 2 skipped
### Tests Fixed During QA
The following tests were updated to match the new CrowdSec architecture where mode is controlled via the Security Dashboard toggle:
1. **CrowdSecConfig.test.tsx**
- Removed: `toggles mode between local and disabled`
- Added: `shows info banner directing to Security Dashboard`
2. **CrowdSecConfig.spec.tsx**
- Removed: `persists crowdsec.mode via settings when changed`
- Added: `shows info banner directing to Security Dashboard for mode control`
- Removed unused `settingsApi` import
3. **CrowdSecConfig.coverage.test.tsx**
- Removed: `toggles mode success and error`
- Added: `shows info banner directing to Security Dashboard`
- Removed mode toggle loading overlay test
4. **Security.audit.test.tsx**
- Fixed: `displays error toast when toggle mutation fails` - corrected expected message to "Failed to start CrowdSec" (since CrowdSec is not running, toggle tries to start it)
- Fixed: `threat summaries match spec when services enabled` - added `statusCrowdsec` mock with `running: true`
5. **Security.dashboard.test.tsx**
- Fixed: `should display threat protection descriptions for each card` - added `statusCrowdsec` mock with `running: true`
6. **Security.test.tsx**
- Fixed: `should display threat protection summaries` - added `statusCrowdsec` mock with `running: true`
---
## 3. TypeScript Check
```bash
npm run type-check
```
**Result:** ✅ PASS - No errors
---
## 4. Frontend Linting
```bash
npm run lint
```
**Result:** ✅ PASS - 0 errors, 12 warnings
Warnings are pre-existing and not related to CrowdSec fixes:
- `@typescript-eslint/no-unused-vars` (1)
- `@typescript-eslint/no-explicit-any` (10)
- `react-hooks/exhaustive-deps` (1)
---
## 5. Go Vet
```bash
go vet ./...
```
**Result:** ✅ PASS - No issues
---
## 6. Build Verification
### Backend Build
```bash
go build ./...
```
**Command:** `cd /projects/Charon/backend && go test ./... -v`
**Result:** ✅ PASS
### Frontend Build
- All packages tested successfully
- Coverage: 85.2% (minimum required: 85%)
- No test failures
```bash
npm run build
```
### 2. Frontend Tests
**Result:** ✅ PASS - 5.28s build time
**Command:** `cd /projects/Charon/frontend && npm run test -- --run`
**Result:** ✅ PASS
- **Test Files:** 91 passed
- **Tests:** 956 passed, 2 skipped
- **Duration:** 67.51s
- No test failures
### 3. TypeScript Check
**Command:** `cd /projects/Charon/frontend && npm run type-check`
**Result:** ✅ PASS
- No type errors found
### 4. Frontend Lint
**Command:** `cd /projects/Charon/frontend && npm run lint`
**Result:** ✅ PASS (with warnings)
- **Errors:** 0
- **Warnings:** 12
#### Warnings (non-blocking)
| File | Line | Warning |
|------|------|---------|
| `e2e/tests/security-mobile.spec.ts` | 289 | Unused variable `onclick` |
| `src/api/__tests__/consoleEnrollment.test.ts` | 485 | Unexpected `any` type |
| `src/pages/CrowdSecConfig.tsx` | 224 | Missing useEffect dependencies |
| `src/pages/CrowdSecConfig.tsx` | 936 | Unexpected `any` type |
| `src/pages/__tests__/CrowdSecConfig.spec.tsx` | 266, 292, 325 | Unexpected `any` type |
| `src/utils/__tests__/crowdsecExport.test.ts` | 142, 154, 181, 427, 432 | Unexpected `any` type |
**Note:** These warnings are in test files and do not affect production code quality.
### 5. Pre-commit Checks
**Command:** `source .venv/bin/activate && pre-commit run --all-files`
**Result:** ✅ PASS
All hooks passed:
- ✅ Go Test (with Coverage)
- ✅ Go Vet
- ✅ Check .version matches latest Git tag
- ✅ Prevent large files that are not tracked by LFS
- ✅ Prevent committing CodeQL DB artifacts
- ✅ Prevent committing data/backups files
- ✅ Frontend TypeScript Check
- ✅ Frontend Lint (Fix)
### 6. Backend Build
**Command:** `cd /projects/Charon/backend && go build ./...`
**Result:** ✅ PASS
- No compilation errors
- All packages built successfully
### 7. Frontend Build
**Command:** `cd /projects/Charon/frontend && npm run build`
**Result:** ✅ PASS
- TypeScript compilation successful
- Vite build completed in 4.92s
- 2234 modules transformed
- All assets generated successfully
---
## Changes Verified
## Issues Found
### Backend Changes
**No blocking issues found.**
1.`crowdsec_handler.go` - Start/Stop now sync settings table
2.`crowdsec_handler_state_sync_test.go` - New tests pass
### Non-blocking items (warnings only)
### Frontend Changes
1. **ESLint `@typescript-eslint/no-explicit-any` warnings:** 10 occurrences in test files using `any` type. These are acceptable in test files for mocking purposes.
1. `Security.tsx` - Toggle now uses `crowdsecStatus?.running`
2.`LiveLogViewer.tsx` - Fixed isPaused dependency, now uses ref
3. `CrowdSecConfig.tsx` - Removed mode toggle, added info banner and Start button
2. **ESLint `react-hooks/exhaustive-deps` warning:** 1 occurrence in `CrowdSecConfig.tsx` at line 224. The missing dependencies (`pullPresetMutation` and `selectedPreset`) appear to be intentionally excluded to prevent infinite loops.
3. **Unused variable warning:** 1 occurrence in `security-mobile.spec.ts` - an `onclick` variable that's assigned but not used.
---
## Conclusion
## Overall Status
All CrowdSec fixes have been verified. The changes properly sync CrowdSec state between the frontend and backend. Test suites were updated to reflect the new architecture where CrowdSec mode is controlled via the Security Dashboard toggle rather than a separate mode toggle on the CrowdSec Config page.
## ✅ PASS
**QA Status: ✅ APPROVED**
All critical QA checks have passed. The CrowdSec re-enrollment fixes are ready for deployment.
- No test failures
- No type errors
- No lint errors
- Builds compile successfully
- Coverage requirements met (85.2% ≥ 85%)

5
frontend/src/api/consoleEnrollment.ts
View File

@@ -29,7 +29,12 @@ export async function enrollConsole(payload: ConsoleEnrollPayload): Promise<Cons
return resp.data
}
export async function clearConsoleEnrollment(): Promise<void> {
await client.delete('/admin/crowdsec/console/enrollment')
}
export default {
getConsoleStatus,
enrollConsole,
clearConsoleEnrollment,
}

13
frontend/src/hooks/useConsoleEnrollment.ts
View File

@@ -1,5 +1,5 @@
import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query'
import { enrollConsole, getConsoleStatus, type ConsoleEnrollPayload, type ConsoleEnrollmentStatus } from '../api/consoleEnrollment'
import { enrollConsole, getConsoleStatus, clearConsoleEnrollment, type ConsoleEnrollPayload, type ConsoleEnrollmentStatus } from '../api/consoleEnrollment'
export function useConsoleStatus(enabled = true) {
return useQuery<ConsoleEnrollmentStatus>({ queryKey: ['crowdsec-console-status'], queryFn: getConsoleStatus, enabled })
@@ -14,3 +14,14 @@ export function useEnrollConsole() {
},
})
}
export function useClearConsoleEnrollment() {
const queryClient = useQueryClient()
return useMutation({
mutationFn: clearConsoleEnrollment,
onSuccess: () => {
queryClient.invalidateQueries({ queryKey: ['crowdsec-console-status'] })
},
})
}

121
frontend/src/pages/CrowdSecConfig.tsx
View File

@@ -12,10 +12,10 @@ import { createBackup } from '../api/backups'
import { useQuery, useMutation, useQueryClient } from '@tanstack/react-query'
import { toast } from '../utils/toast'
import { ConfigReloadOverlay } from '../components/LoadingStates'
import { Shield, ShieldOff, Trash2, Search, AlertTriangle } from 'lucide-react'
import { Shield, ShieldOff, Trash2, Search, AlertTriangle, ExternalLink } from 'lucide-react'
import { buildCrowdsecExportFilename, downloadCrowdsecExport, promptCrowdsecFilename } from '../utils/crowdsecExport'
import { CROWDSEC_PRESETS, CrowdsecPreset } from '../data/crowdsecPresets'
import { useConsoleStatus, useEnrollConsole } from '../hooks/useConsoleEnrollment'
import { useConsoleStatus, useEnrollConsole, useClearConsoleEnrollment } from '../hooks/useConsoleEnrollment'
export default function CrowdSecConfig() {
const { data: status, isLoading, error } = useQuery({ queryKey: ['security-status'], queryFn: getSecurityStatus })
@@ -47,6 +47,8 @@ export default function CrowdSecConfig() {
const [consoleErrors, setConsoleErrors] = useState<{ token?: string; agent?: string; tenant?: string; ack?: string; submit?: string }>({})
const consoleStatusQuery = useConsoleStatus(consoleEnrollmentEnabled)
const enrollConsoleMutation = useEnrollConsole()
const clearEnrollmentMutation = useClearConsoleEnrollment()
const [showReenrollForm, setShowReenrollForm] = useState(false)
const navigate = useNavigate()
const [initialCheckComplete, setInitialCheckComplete] = useState(false)
@@ -286,12 +288,13 @@ export default function CrowdSecConfig() {
})
setConsoleErrors({})
setEnrollmentToken('')
setShowReenrollForm(false)
if (!consoleTenant.trim()) {
setConsoleTenant(tenantValue)
}
toast.success(
force
? 'Enrollment token rotated - please accept the new enrollment on app.crowdsec.net'
? 'Enrollment submitted! Accept the request on app.crowdsec.net to complete.'
: 'Enrollment request sent! Accept the enrollment on app.crowdsec.net to complete registration.'
)
} catch (err) {
@@ -753,6 +756,118 @@ export default function CrowdSecConfig() {
</div>
)}
{/* Re-enrollment Section - shown when enrolled or pending */}
{(normalizedConsoleStatus === 'enrolled' || normalizedConsoleStatus === 'pending_acceptance') && (
<div className="border border-blue-500/30 bg-blue-500/5 rounded-lg p-4" data-testid="reenroll-section">
<div className="space-y-4">
<div className="flex items-start justify-between">
<div>
<h3 className="text-lg font-semibold text-gray-100">Re-enroll Console</h3>
<p className="text-sm text-gray-400 mt-1">
Need to connect to a different CrowdSec account or reset your enrollment?
</p>
</div>
</div>
{!showReenrollForm ? (
<div className="flex flex-wrap gap-3">
<a
href="https://app.crowdsec.net/security-engines"
target="_blank"
rel="noopener noreferrer"
className="inline-flex items-center gap-2 text-blue-400 hover:text-blue-300 text-sm"
>
<ExternalLink className="w-4 h-4" />
Get new enrollment key from CrowdSec Console
</a>
<Button
variant="secondary"
size="sm"
onClick={() => setShowReenrollForm(true)}
data-testid="show-reenroll-form-btn"
>
Re-enroll with new key
</Button>
</div>
) : (
<div className="space-y-4 pt-2 border-t border-gray-700">
{/* Re-enrollment form */}
<div className="space-y-3">
<div>
<label className="block text-sm font-medium text-gray-300 mb-1">
New Enrollment Key
</label>
<Input
type="text"
value={enrollmentToken}
onChange={(e) => setEnrollmentToken(e.target.value)}
placeholder="Paste your new enrollment key"
data-testid="reenroll-token-input"
/>
</div>
<div>
<label className="block text-sm font-medium text-gray-300 mb-1">
Agent Name
</label>
<Input
type="text"
value={consoleAgentName}
onChange={(e) => setConsoleAgentName(e.target.value)}
placeholder="e.g., Charon-Home"
/>
</div>
<div>
<label className="block text-sm font-medium text-gray-300 mb-1">
Tenant / Organization (optional)
</label>
<Input
type="text"
value={consoleTenant}
onChange={(e) => setConsoleTenant(e.target.value)}
placeholder="Your organization name"
/>
</div>
</div>
<div className="flex gap-3">
<Button
variant="primary"
onClick={() => submitConsoleEnrollment(true)}
disabled={!enrollmentToken.trim() || enrollConsoleMutation.isPending}
isLoading={enrollConsoleMutation.isPending}
data-testid="reenroll-submit-btn"
>
{enrollConsoleMutation.isPending ? 'Re-enrolling...' : 'Re-enroll'}
</Button>
<Button
variant="ghost"
onClick={() => setShowReenrollForm(false)}
>
Cancel
</Button>
</div>
</div>
)}
{/* Clear enrollment option */}
<div className="pt-3 border-t border-gray-700">
<button
onClick={() => {
if (window.confirm('Clear enrollment state? You will need to re-enroll with a new key.')) {
clearEnrollmentMutation.mutate()
}
}}
className="text-sm text-gray-500 hover:text-gray-400"
disabled={clearEnrollmentMutation.isPending}
data-testid="clear-enrollment-btn"
>
{clearEnrollmentMutation.isPending ? 'Clearing...' : 'Clear enrollment state'}
</button>
</div>
</div>
</div>
)}
<div className="grid grid-cols-1 md:grid-cols-3 gap-3 text-sm text-gray-400">
<div>
<p className="text-xs text-gray-500">Agent</p>