8294d6ee49
- Created `qa-test-output-after-fix.txt` and `qa-test-output.txt` to log results of certificate page authentication tests. - Added `build.sh` for deterministic backend builds in CI, utilizing `go list` for efficiency. - Introduced `codeql_scan.sh` for CodeQL database creation and analysis for Go and JavaScript/TypeScript. - Implemented `dockerfile_check.sh` to validate Dockerfiles for base image and package manager mismatches. - Added `sourcery_precommit_wrapper.sh` to facilitate Sourcery CLI usage in pre-commit hooks.
522 lines
15 KiB
Go
522 lines
15 KiB
Go
package handlers
|
|
|
|
import (
|
|
"archive/tar"
|
|
"bytes"
|
|
"compress/gzip"
|
|
"context"
|
|
"encoding/json"
|
|
"errors"
|
|
"io"
|
|
"mime/multipart"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"os"
|
|
"path/filepath"
|
|
"strings"
|
|
"testing"
|
|
|
|
"github.com/Wikid82/charon/backend/internal/models"
|
|
"github.com/gin-gonic/gin"
|
|
"github.com/stretchr/testify/require"
|
|
"gorm.io/gorm"
|
|
)
|
|
|
|
type fakeExec struct {
|
|
started bool
|
|
}
|
|
|
|
func (f *fakeExec) Start(ctx context.Context, binPath, configDir string) (int, error) {
|
|
f.started = true
|
|
return 12345, nil
|
|
}
|
|
func (f *fakeExec) Stop(ctx context.Context, configDir string) error {
|
|
f.started = false
|
|
return nil
|
|
}
|
|
func (f *fakeExec) Status(ctx context.Context, configDir string) (running bool, pid int, err error) {
|
|
if f.started {
|
|
return true, 12345, nil
|
|
}
|
|
return false, 0, nil
|
|
}
|
|
|
|
func setupCrowdDB(t *testing.T) *gorm.DB {
|
|
db := OpenTestDB(t)
|
|
return db
|
|
}
|
|
|
|
func TestCrowdsecEndpoints(t *testing.T) {
|
|
gin.SetMode(gin.TestMode)
|
|
db := setupCrowdDB(t)
|
|
tmpDir := t.TempDir()
|
|
|
|
fe := &fakeExec{}
|
|
h := NewCrowdsecHandler(db, fe, "/bin/false", tmpDir)
|
|
|
|
r := gin.New()
|
|
g := r.Group("/api/v1")
|
|
h.RegisterRoutes(g)
|
|
|
|
// Status (initially stopped)
|
|
w := httptest.NewRecorder()
|
|
req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/crowdsec/status", http.NoBody)
|
|
r.ServeHTTP(w, req)
|
|
if w.Code != http.StatusOK {
|
|
t.Fatalf("status expected 200 got %d", w.Code)
|
|
}
|
|
|
|
// Start
|
|
w2 := httptest.NewRecorder()
|
|
req2 := httptest.NewRequest(http.MethodPost, "/api/v1/admin/crowdsec/start", http.NoBody)
|
|
r.ServeHTTP(w2, req2)
|
|
if w2.Code != http.StatusOK {
|
|
t.Fatalf("start expected 200 got %d", w2.Code)
|
|
}
|
|
|
|
// Stop
|
|
w3 := httptest.NewRecorder()
|
|
req3 := httptest.NewRequest(http.MethodPost, "/api/v1/admin/crowdsec/stop", http.NoBody)
|
|
r.ServeHTTP(w3, req3)
|
|
if w3.Code != http.StatusOK {
|
|
t.Fatalf("stop expected 200 got %d", w3.Code)
|
|
}
|
|
}
|
|
|
|
func TestImportConfig(t *testing.T) {
|
|
gin.SetMode(gin.TestMode)
|
|
db := setupCrowdDB(t)
|
|
tmpDir := t.TempDir()
|
|
fe := &fakeExec{}
|
|
h := NewCrowdsecHandler(db, fe, "/bin/false", tmpDir)
|
|
|
|
r := gin.New()
|
|
g := r.Group("/api/v1")
|
|
h.RegisterRoutes(g)
|
|
|
|
// create a small file to upload
|
|
buf := &bytes.Buffer{}
|
|
mw := multipart.NewWriter(buf)
|
|
fw, _ := mw.CreateFormFile("file", "cfg.tar.gz")
|
|
fw.Write([]byte("dummy"))
|
|
mw.Close()
|
|
|
|
w := httptest.NewRecorder()
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/crowdsec/import", buf)
|
|
req.Header.Set("Content-Type", mw.FormDataContentType())
|
|
r.ServeHTTP(w, req)
|
|
if w.Code != http.StatusOK {
|
|
t.Fatalf("import expected 200 got %d body=%s", w.Code, w.Body.String())
|
|
}
|
|
|
|
// ensure file exists in data dir
|
|
if _, err := os.Stat(filepath.Join(tmpDir, "cfg.tar.gz")); err != nil {
|
|
t.Fatalf("expected file in data dir: %v", err)
|
|
}
|
|
}
|
|
|
|
func TestImportCreatesBackup(t *testing.T) {
|
|
gin.SetMode(gin.TestMode)
|
|
db := setupCrowdDB(t)
|
|
tmpDir := t.TempDir()
|
|
// create existing config dir with a marker file
|
|
_ = os.MkdirAll(tmpDir, 0o755)
|
|
_ = os.WriteFile(filepath.Join(tmpDir, "existing.conf"), []byte("v1"), 0o644)
|
|
|
|
fe := &fakeExec{}
|
|
h := NewCrowdsecHandler(db, fe, "/bin/false", tmpDir)
|
|
|
|
r := gin.New()
|
|
g := r.Group("/api/v1")
|
|
h.RegisterRoutes(g)
|
|
|
|
// upload
|
|
buf := &bytes.Buffer{}
|
|
mw := multipart.NewWriter(buf)
|
|
fw, _ := mw.CreateFormFile("file", "cfg.tar.gz")
|
|
fw.Write([]byte("dummy2"))
|
|
mw.Close()
|
|
|
|
w := httptest.NewRecorder()
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/crowdsec/import", buf)
|
|
req.Header.Set("Content-Type", mw.FormDataContentType())
|
|
r.ServeHTTP(w, req)
|
|
if w.Code != http.StatusOK {
|
|
t.Fatalf("import expected 200 got %d body=%s", w.Code, w.Body.String())
|
|
}
|
|
|
|
// ensure backup dir exists (ends with .backup.TIMESTAMP)
|
|
found := false
|
|
entries, _ := os.ReadDir(filepath.Dir(tmpDir))
|
|
for _, e := range entries {
|
|
if e.IsDir() && filepath.HasPrefix(e.Name(), filepath.Base(tmpDir)+".backup.") {
|
|
found = true
|
|
break
|
|
}
|
|
}
|
|
if !found {
|
|
// fallback: check for any .backup.* in same parent dir
|
|
entries, _ := os.ReadDir(filepath.Dir(tmpDir))
|
|
for _, e := range entries {
|
|
if e.IsDir() && filepath.Ext(e.Name()) == "" && e.Name() != "" && (filepath.Base(e.Name()) != filepath.Base(tmpDir)) {
|
|
// best-effort assume backup present
|
|
found = true
|
|
break
|
|
}
|
|
}
|
|
}
|
|
if !found {
|
|
t.Fatalf("expected backup directory next to data dir")
|
|
}
|
|
}
|
|
|
|
func TestExportConfig(t *testing.T) {
|
|
gin.SetMode(gin.TestMode)
|
|
db := setupCrowdDB(t)
|
|
tmpDir := t.TempDir()
|
|
|
|
// create some files to export
|
|
_ = os.MkdirAll(filepath.Join(tmpDir, "conf.d"), 0o755)
|
|
_ = os.WriteFile(filepath.Join(tmpDir, "conf.d", "a.conf"), []byte("rule1"), 0o644)
|
|
_ = os.WriteFile(filepath.Join(tmpDir, "b.conf"), []byte("rule2"), 0o644)
|
|
|
|
fe := &fakeExec{}
|
|
h := NewCrowdsecHandler(db, fe, "/bin/false", tmpDir)
|
|
|
|
r := gin.New()
|
|
g := r.Group("/api/v1")
|
|
h.RegisterRoutes(g)
|
|
|
|
w := httptest.NewRecorder()
|
|
req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/crowdsec/export", http.NoBody)
|
|
r.ServeHTTP(w, req)
|
|
if w.Code != http.StatusOK {
|
|
t.Fatalf("export expected 200 got %d body=%s", w.Code, w.Body.String())
|
|
}
|
|
if ct := w.Header().Get("Content-Type"); ct != "application/gzip" {
|
|
t.Fatalf("unexpected content type: %s", ct)
|
|
}
|
|
if w.Body.Len() == 0 {
|
|
t.Fatalf("expected response body to contain archive data")
|
|
}
|
|
}
|
|
|
|
func TestListAndReadFile(t *testing.T) {
|
|
gin.SetMode(gin.TestMode)
|
|
db := setupCrowdDB(t)
|
|
tmpDir := t.TempDir()
|
|
// create a nested file
|
|
_ = os.MkdirAll(filepath.Join(tmpDir, "conf.d"), 0o755)
|
|
_ = os.WriteFile(filepath.Join(tmpDir, "conf.d", "a.conf"), []byte("rule1"), 0o644)
|
|
_ = os.WriteFile(filepath.Join(tmpDir, "b.conf"), []byte("rule2"), 0o644)
|
|
|
|
fe := &fakeExec{}
|
|
h := NewCrowdsecHandler(db, fe, "/bin/false", tmpDir)
|
|
|
|
r := gin.New()
|
|
g := r.Group("/api/v1")
|
|
h.RegisterRoutes(g)
|
|
|
|
w := httptest.NewRecorder()
|
|
req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/crowdsec/files", http.NoBody)
|
|
r.ServeHTTP(w, req)
|
|
if w.Code != http.StatusOK {
|
|
t.Fatalf("files expected 200 got %d body=%s", w.Code, w.Body.String())
|
|
}
|
|
// read a single file
|
|
w2 := httptest.NewRecorder()
|
|
req2 := httptest.NewRequest(http.MethodGet, "/api/v1/admin/crowdsec/file?path=conf.d/a.conf", http.NoBody)
|
|
r.ServeHTTP(w2, req2)
|
|
if w2.Code != http.StatusOK {
|
|
t.Fatalf("file read expected 200 got %d body=%s", w2.Code, w2.Body.String())
|
|
}
|
|
}
|
|
|
|
func TestExportConfigStreamsArchive(t *testing.T) {
|
|
gin.SetMode(gin.TestMode)
|
|
db := setupCrowdDB(t)
|
|
dataDir := t.TempDir()
|
|
require.NoError(t, os.WriteFile(filepath.Join(dataDir, "config.yaml"), []byte("hello"), 0o644))
|
|
|
|
h := NewCrowdsecHandler(db, &fakeExec{}, "/bin/false", dataDir)
|
|
|
|
r := gin.New()
|
|
g := r.Group("/api/v1")
|
|
h.RegisterRoutes(g)
|
|
|
|
w := httptest.NewRecorder()
|
|
req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/crowdsec/export", http.NoBody)
|
|
r.ServeHTTP(w, req)
|
|
|
|
require.Equal(t, http.StatusOK, w.Code)
|
|
require.Equal(t, "application/gzip", w.Header().Get("Content-Type"))
|
|
require.Contains(t, w.Header().Get("Content-Disposition"), "crowdsec-config-")
|
|
|
|
gr, err := gzip.NewReader(bytes.NewReader(w.Body.Bytes()))
|
|
require.NoError(t, err)
|
|
tr := tar.NewReader(gr)
|
|
found := false
|
|
for {
|
|
hdr, err := tr.Next()
|
|
if errors.Is(err, io.EOF) {
|
|
break
|
|
}
|
|
require.NoError(t, err)
|
|
if hdr.Name == "config.yaml" {
|
|
data, readErr := io.ReadAll(tr)
|
|
require.NoError(t, readErr)
|
|
require.Equal(t, "hello", string(data))
|
|
found = true
|
|
}
|
|
}
|
|
require.True(t, found, "expected exported archive to contain config file")
|
|
}
|
|
|
|
func TestWriteFileCreatesBackup(t *testing.T) {
|
|
gin.SetMode(gin.TestMode)
|
|
db := setupCrowdDB(t)
|
|
tmpDir := t.TempDir()
|
|
// create existing config dir with a marker file
|
|
_ = os.MkdirAll(tmpDir, 0o755)
|
|
_ = os.WriteFile(filepath.Join(tmpDir, "existing.conf"), []byte("v1"), 0o644)
|
|
|
|
fe := &fakeExec{}
|
|
h := NewCrowdsecHandler(db, fe, "/bin/false", tmpDir)
|
|
|
|
r := gin.New()
|
|
g := r.Group("/api/v1")
|
|
h.RegisterRoutes(g)
|
|
|
|
// write content to new file
|
|
payload := map[string]string{"path": "conf.d/new.conf", "content": "hello world"}
|
|
b, _ := json.Marshal(payload)
|
|
w := httptest.NewRecorder()
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/crowdsec/file", bytes.NewReader(b))
|
|
req.Header.Set("Content-Type", "application/json")
|
|
r.ServeHTTP(w, req)
|
|
if w.Code != http.StatusOK {
|
|
t.Fatalf("write expected 200 got %d body=%s", w.Code, w.Body.String())
|
|
}
|
|
|
|
// ensure backup directory was created
|
|
entries, err := os.ReadDir(filepath.Dir(tmpDir))
|
|
require.NoError(t, err)
|
|
foundBackup := false
|
|
for _, e := range entries {
|
|
if e.IsDir() && strings.HasPrefix(e.Name(), filepath.Base(tmpDir)+".backup.") {
|
|
foundBackup = true
|
|
break
|
|
}
|
|
}
|
|
require.True(t, foundBackup, "expected backup directory to be created")
|
|
}
|
|
|
|
func TestListPresetsCerberusDisabled(t *testing.T) {
|
|
gin.SetMode(gin.TestMode)
|
|
t.Setenv("FEATURE_CERBERUS_ENABLED", "false")
|
|
|
|
h := NewCrowdsecHandler(OpenTestDB(t), &fakeExec{}, "/bin/false", t.TempDir())
|
|
r := gin.New()
|
|
g := r.Group("/api/v1")
|
|
h.RegisterRoutes(g)
|
|
|
|
w := httptest.NewRecorder()
|
|
req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/crowdsec/presets", http.NoBody)
|
|
r.ServeHTTP(w, req)
|
|
|
|
if w.Code != http.StatusNotFound {
|
|
t.Fatalf("expected 404 when cerberus disabled got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
func TestReadFileInvalidPath(t *testing.T) {
|
|
gin.SetMode(gin.TestMode)
|
|
h := NewCrowdsecHandler(OpenTestDB(t), &fakeExec{}, "/bin/false", t.TempDir())
|
|
r := gin.New()
|
|
g := r.Group("/api/v1")
|
|
h.RegisterRoutes(g)
|
|
|
|
w := httptest.NewRecorder()
|
|
req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/crowdsec/file?path=../secret", http.NoBody)
|
|
r.ServeHTTP(w, req)
|
|
|
|
if w.Code != http.StatusBadRequest {
|
|
t.Fatalf("expected 400 for invalid path got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
func TestWriteFileInvalidPath(t *testing.T) {
|
|
gin.SetMode(gin.TestMode)
|
|
h := NewCrowdsecHandler(OpenTestDB(t), &fakeExec{}, "/bin/false", t.TempDir())
|
|
r := gin.New()
|
|
g := r.Group("/api/v1")
|
|
h.RegisterRoutes(g)
|
|
|
|
body, _ := json.Marshal(map[string]string{"path": "../../escape", "content": "bad"})
|
|
w := httptest.NewRecorder()
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/crowdsec/file", bytes.NewReader(body))
|
|
req.Header.Set("Content-Type", "application/json")
|
|
r.ServeHTTP(w, req)
|
|
|
|
if w.Code != http.StatusBadRequest {
|
|
t.Fatalf("expected 400 for invalid path got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
func TestWriteFileMissingPath(t *testing.T) {
|
|
gin.SetMode(gin.TestMode)
|
|
h := NewCrowdsecHandler(OpenTestDB(t), &fakeExec{}, "/bin/false", t.TempDir())
|
|
r := gin.New()
|
|
g := r.Group("/api/v1")
|
|
h.RegisterRoutes(g)
|
|
|
|
body, _ := json.Marshal(map[string]string{"content": "data only"})
|
|
w := httptest.NewRecorder()
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/crowdsec/file", bytes.NewReader(body))
|
|
req.Header.Set("Content-Type", "application/json")
|
|
r.ServeHTTP(w, req)
|
|
|
|
require.Equal(t, http.StatusBadRequest, w.Code)
|
|
}
|
|
|
|
func TestWriteFileInvalidPayload(t *testing.T) {
|
|
gin.SetMode(gin.TestMode)
|
|
h := NewCrowdsecHandler(OpenTestDB(t), &fakeExec{}, "/bin/false", t.TempDir())
|
|
r := gin.New()
|
|
g := r.Group("/api/v1")
|
|
h.RegisterRoutes(g)
|
|
|
|
w := httptest.NewRecorder()
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/crowdsec/file", bytes.NewBufferString("not-json"))
|
|
req.Header.Set("Content-Type", "application/json")
|
|
r.ServeHTTP(w, req)
|
|
|
|
require.Equal(t, http.StatusBadRequest, w.Code)
|
|
}
|
|
|
|
func TestImportConfigRequiresFile(t *testing.T) {
|
|
gin.SetMode(gin.TestMode)
|
|
h := NewCrowdsecHandler(OpenTestDB(t), &fakeExec{}, "/bin/false", t.TempDir())
|
|
r := gin.New()
|
|
g := r.Group("/api/v1")
|
|
h.RegisterRoutes(g)
|
|
|
|
w := httptest.NewRecorder()
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/crowdsec/import", http.NoBody)
|
|
r.ServeHTTP(w, req)
|
|
|
|
if w.Code != http.StatusBadRequest {
|
|
t.Fatalf("expected 400 when file missing got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
func TestImportConfigRejectsEmptyUpload(t *testing.T) {
|
|
gin.SetMode(gin.TestMode)
|
|
h := NewCrowdsecHandler(OpenTestDB(t), &fakeExec{}, "/bin/false", t.TempDir())
|
|
r := gin.New()
|
|
g := r.Group("/api/v1")
|
|
h.RegisterRoutes(g)
|
|
|
|
buf := &bytes.Buffer{}
|
|
mw := multipart.NewWriter(buf)
|
|
_, _ = mw.CreateFormFile("file", "empty.tgz")
|
|
_ = mw.Close()
|
|
|
|
w := httptest.NewRecorder()
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/crowdsec/import", buf)
|
|
req.Header.Set("Content-Type", mw.FormDataContentType())
|
|
r.ServeHTTP(w, req)
|
|
|
|
if w.Code != http.StatusBadRequest {
|
|
t.Fatalf("expected 400 for empty upload got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
func TestListFilesMissingDir(t *testing.T) {
|
|
gin.SetMode(gin.TestMode)
|
|
missingDir := filepath.Join(t.TempDir(), "does-not-exist")
|
|
h := NewCrowdsecHandler(OpenTestDB(t), &fakeExec{}, "/bin/false", missingDir)
|
|
|
|
r := gin.New()
|
|
g := r.Group("/api/v1")
|
|
h.RegisterRoutes(g)
|
|
|
|
w := httptest.NewRecorder()
|
|
req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/crowdsec/files", http.NoBody)
|
|
r.ServeHTTP(w, req)
|
|
|
|
if w.Code != http.StatusOK {
|
|
t.Fatalf("expected 200 for missing dir got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
func TestListFilesReturnsEntries(t *testing.T) {
|
|
gin.SetMode(gin.TestMode)
|
|
dataDir := t.TempDir()
|
|
require.NoError(t, os.WriteFile(filepath.Join(dataDir, "root.txt"), []byte("root"), 0o644))
|
|
nestedDir := filepath.Join(dataDir, "nested")
|
|
require.NoError(t, os.MkdirAll(nestedDir, 0o755))
|
|
require.NoError(t, os.WriteFile(filepath.Join(nestedDir, "child.txt"), []byte("child"), 0o644))
|
|
|
|
h := NewCrowdsecHandler(OpenTestDB(t), &fakeExec{}, "/bin/false", dataDir)
|
|
|
|
r := gin.New()
|
|
g := r.Group("/api/v1")
|
|
h.RegisterRoutes(g)
|
|
|
|
w := httptest.NewRecorder()
|
|
req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/crowdsec/files", http.NoBody)
|
|
r.ServeHTTP(w, req)
|
|
|
|
if w.Code != http.StatusOK {
|
|
t.Fatalf("expected 200 got %d", w.Code)
|
|
}
|
|
|
|
var resp struct {
|
|
Files []string `json:"files"`
|
|
}
|
|
require.NoError(t, json.Unmarshal(w.Body.Bytes(), &resp))
|
|
require.ElementsMatch(t, []string{"root.txt", filepath.Join("nested", "child.txt")}, resp.Files)
|
|
}
|
|
|
|
func TestIsCerberusEnabledFromDB(t *testing.T) {
|
|
gin.SetMode(gin.TestMode)
|
|
db := OpenTestDB(t)
|
|
require.NoError(t, db.AutoMigrate(&models.Setting{}))
|
|
require.NoError(t, db.Create(&models.Setting{Key: "feature.cerberus.enabled", Value: "0"}).Error)
|
|
|
|
h := NewCrowdsecHandler(db, &fakeExec{}, "/bin/false", t.TempDir())
|
|
r := gin.New()
|
|
g := r.Group("/api/v1")
|
|
h.RegisterRoutes(g)
|
|
|
|
w := httptest.NewRecorder()
|
|
req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/crowdsec/presets", http.NoBody)
|
|
r.ServeHTTP(w, req)
|
|
|
|
if w.Code != http.StatusNotFound {
|
|
t.Fatalf("expected 404 when cerberus disabled via DB got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
func TestIsCerberusEnabledInvalidEnv(t *testing.T) {
|
|
gin.SetMode(gin.TestMode)
|
|
t.Setenv("FEATURE_CERBERUS_ENABLED", "not-a-bool")
|
|
h := NewCrowdsecHandler(nil, &fakeExec{}, "/bin/false", t.TempDir())
|
|
|
|
if h.isCerberusEnabled() {
|
|
t.Fatalf("expected cerberus to be disabled for invalid env flag")
|
|
}
|
|
}
|
|
|
|
func TestIsCerberusEnabledLegacyEnv(t *testing.T) {
|
|
gin.SetMode(gin.TestMode)
|
|
h := NewCrowdsecHandler(nil, &fakeExec{}, "/bin/false", t.TempDir())
|
|
|
|
t.Setenv("CERBERUS_ENABLED", "0")
|
|
|
|
if h.isCerberusEnabled() {
|
|
t.Fatalf("expected cerberus to be disabled for legacy env flag")
|
|
}
|
|
}
|