akanealw
eec8c28fb3
Some checks are pending
Go Benchmark / Performance Regression Check (push) Waiting to run
Cerberus Integration / Cerberus Security Stack Integration (push) Waiting to run
Upload Coverage to Codecov / Backend Codecov Upload (push) Waiting to run
Upload Coverage to Codecov / Frontend Codecov Upload (push) Waiting to run
CodeQL - Analyze / CodeQL analysis (go) (push) Waiting to run
CodeQL - Analyze / CodeQL analysis (javascript-typescript) (push) Waiting to run
CrowdSec Integration / CrowdSec Bouncer Integration (push) Waiting to run
Docker Build, Publish & Test / build-and-push (push) Waiting to run
Docker Build, Publish & Test / Security Scan PR Image (push) Blocked by required conditions
Quality Checks / Auth Route Protection Contract (push) Waiting to run
Quality Checks / Codecov Trigger/Comment Parity Guard (push) Waiting to run
Quality Checks / Backend (Go) (push) Waiting to run
Quality Checks / Frontend (React) (push) Waiting to run
Rate Limit integration / Rate Limiting Integration (push) Waiting to run
Security Scan (PR) / Trivy Binary Scan (push) Waiting to run
Supply Chain Verification (PR) / Verify Supply Chain (push) Waiting to run
WAF integration / Coraza WAF Integration (push) Waiting to run
341 lines
11 KiB
Go
Executable File
341 lines
11 KiB
Go
Executable File
package handlers
|
|
|
|
import (
|
|
"context"
|
|
"os"
|
|
"path/filepath"
|
|
"strconv"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
)
|
|
|
|
func TestDefaultCrowdsecExecutorPidFile(t *testing.T) {
|
|
e := NewDefaultCrowdsecExecutor()
|
|
tmp := t.TempDir()
|
|
expected := filepath.Join(tmp, "crowdsec.pid")
|
|
if p := e.pidFile(tmp); p != expected {
|
|
t.Fatalf("pidFile mismatch got %s expected %s", p, expected)
|
|
}
|
|
}
|
|
|
|
func TestDefaultCrowdsecExecutorStartStatusStop(t *testing.T) {
|
|
e := NewDefaultCrowdsecExecutor()
|
|
tmp := t.TempDir()
|
|
|
|
// Create a mock /proc for process validation
|
|
mockProc := t.TempDir()
|
|
e.procPath = mockProc
|
|
|
|
// create a tiny script that sleeps and traps TERM
|
|
// Name it with "crowdsec" so our process validation passes
|
|
script := filepath.Join(tmp, "crowdsec_test_runner.sh")
|
|
content := `#!/bin/sh
|
|
trap 'exit 0' TERM INT
|
|
while true; do sleep 1; done
|
|
`
|
|
if err := os.WriteFile(script, []byte(content), 0o750); err != nil { //nolint:gosec // executable script needs 0o750
|
|
t.Fatalf("write script: %v", err)
|
|
}
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), time.Second*10)
|
|
defer cancel()
|
|
|
|
pid, err := e.Start(ctx, script, tmp)
|
|
if err != nil {
|
|
t.Fatalf("start err: %v", err)
|
|
}
|
|
if pid <= 0 {
|
|
t.Fatalf("invalid pid %d", pid)
|
|
}
|
|
|
|
// Create mock /proc/{pid}/cmdline with "crowdsec" for the started process
|
|
procPidDir := filepath.Join(mockProc, strconv.Itoa(pid))
|
|
_ = os.MkdirAll(procPidDir, 0o750)
|
|
// Use a cmdline that contains "crowdsec" to simulate a real CrowdSec process
|
|
mockCmdline := "/usr/bin/crowdsec\x00-c\x00/etc/crowdsec/config.yaml"
|
|
_ = os.WriteFile(filepath.Join(procPidDir, "cmdline"), []byte(mockCmdline), 0o600) // #nosec G306 -- test fixture
|
|
|
|
// ensure pid file exists and content matches
|
|
pidB, err := os.ReadFile(e.pidFile(tmp))
|
|
if err != nil {
|
|
t.Fatalf("read pid file: %v", err)
|
|
}
|
|
gotPid, _ := strconv.Atoi(string(pidB))
|
|
if gotPid != pid {
|
|
t.Fatalf("pid file mismatch got %d expected %d", gotPid, pid)
|
|
}
|
|
|
|
// Status should return running
|
|
running, got, err := e.Status(ctx, tmp)
|
|
if err != nil {
|
|
t.Fatalf("status err: %v", err)
|
|
}
|
|
if !running || got != pid {
|
|
t.Fatalf("status expected running for %d got %d running=%v", pid, got, running)
|
|
}
|
|
|
|
// Stop should terminate and remove pid file
|
|
if err := e.Stop(ctx, tmp); err != nil {
|
|
t.Fatalf("stop err: %v", err)
|
|
}
|
|
|
|
// give a little time for process to exit
|
|
time.Sleep(200 * time.Millisecond)
|
|
|
|
running2, _, _ := e.Status(ctx, tmp)
|
|
if running2 {
|
|
t.Fatalf("process still running after stop")
|
|
}
|
|
}
|
|
|
|
// Additional coverage tests for error paths
|
|
|
|
func TestDefaultCrowdsecExecutor_Status_NoPidFile(t *testing.T) {
|
|
exec := NewDefaultCrowdsecExecutor()
|
|
tmpDir := t.TempDir()
|
|
|
|
running, pid, err := exec.Status(context.Background(), tmpDir)
|
|
|
|
assert.NoError(t, err)
|
|
assert.False(t, running)
|
|
assert.Equal(t, 0, pid)
|
|
}
|
|
|
|
func TestDefaultCrowdsecExecutor_Status_InvalidPid(t *testing.T) {
|
|
exec := NewDefaultCrowdsecExecutor()
|
|
tmpDir := t.TempDir()
|
|
|
|
// Write invalid pid
|
|
_ = os.WriteFile(filepath.Join(tmpDir, "crowdsec.pid"), []byte("invalid"), 0o600) // #nosec G306 -- test fixture
|
|
|
|
running, pid, err := exec.Status(context.Background(), tmpDir)
|
|
|
|
assert.NoError(t, err)
|
|
assert.False(t, running)
|
|
assert.Equal(t, 0, pid)
|
|
}
|
|
|
|
func TestDefaultCrowdsecExecutor_Status_NonExistentProcess(t *testing.T) {
|
|
exec := NewDefaultCrowdsecExecutor()
|
|
tmpDir := t.TempDir()
|
|
|
|
// Write a pid that doesn't exist
|
|
// Use a very high PID that's unlikely to exist
|
|
_ = os.WriteFile(filepath.Join(tmpDir, "crowdsec.pid"), []byte("999999999"), 0o600) // #nosec G306 -- test fixture
|
|
|
|
running, pid, err := exec.Status(context.Background(), tmpDir)
|
|
|
|
assert.NoError(t, err)
|
|
assert.False(t, running)
|
|
assert.Equal(t, 999999999, pid)
|
|
}
|
|
|
|
func TestDefaultCrowdsecExecutor_Stop_NoPidFile(t *testing.T) {
|
|
exec := NewDefaultCrowdsecExecutor()
|
|
tmpDir := t.TempDir()
|
|
|
|
err := exec.Stop(context.Background(), tmpDir)
|
|
|
|
// Stop should be idempotent - no PID file means already stopped
|
|
assert.NoError(t, err)
|
|
}
|
|
|
|
func TestDefaultCrowdsecExecutor_Stop_InvalidPid(t *testing.T) {
|
|
exec := NewDefaultCrowdsecExecutor()
|
|
tmpDir := t.TempDir()
|
|
|
|
// Write invalid pid
|
|
_ = os.WriteFile(filepath.Join(tmpDir, "crowdsec.pid"), []byte("invalid"), 0o600) // #nosec G306 -- test fixture
|
|
|
|
err := exec.Stop(context.Background(), tmpDir)
|
|
|
|
// Stop should clean up malformed PID file and succeed
|
|
assert.NoError(t, err)
|
|
|
|
// Verify PID file was cleaned up
|
|
_, statErr := os.Stat(filepath.Join(tmpDir, "crowdsec.pid"))
|
|
assert.True(t, os.IsNotExist(statErr), "PID file should be removed after Stop with invalid PID")
|
|
}
|
|
|
|
func TestDefaultCrowdsecExecutor_Stop_NonExistentProcess(t *testing.T) {
|
|
exec := NewDefaultCrowdsecExecutor()
|
|
tmpDir := t.TempDir()
|
|
|
|
// Write a pid that doesn't exist
|
|
_ = os.WriteFile(filepath.Join(tmpDir, "crowdsec.pid"), []byte("999999999"), 0o600) // #nosec G306 -- test fixture
|
|
|
|
err := exec.Stop(context.Background(), tmpDir)
|
|
|
|
// Stop should be idempotent - stale PID file means process already dead
|
|
assert.NoError(t, err)
|
|
|
|
// Verify PID file was cleaned up
|
|
_, statErr := os.Stat(filepath.Join(tmpDir, "crowdsec.pid"))
|
|
assert.True(t, os.IsNotExist(statErr), "Stale PID file should be cleaned up after Stop")
|
|
}
|
|
|
|
func TestDefaultCrowdsecExecutor_Stop_Idempotent(t *testing.T) {
|
|
exec := NewDefaultCrowdsecExecutor()
|
|
tmpDir := t.TempDir()
|
|
|
|
// Stop should succeed even when called multiple times
|
|
err1 := exec.Stop(context.Background(), tmpDir)
|
|
err2 := exec.Stop(context.Background(), tmpDir)
|
|
err3 := exec.Stop(context.Background(), tmpDir)
|
|
|
|
assert.NoError(t, err1)
|
|
assert.NoError(t, err2)
|
|
assert.NoError(t, err3)
|
|
}
|
|
|
|
func TestDefaultCrowdsecExecutor_Start_InvalidBinary(t *testing.T) {
|
|
exec := NewDefaultCrowdsecExecutor()
|
|
tmpDir := t.TempDir()
|
|
|
|
pid, err := exec.Start(context.Background(), "/nonexistent/binary", tmpDir)
|
|
|
|
assert.Error(t, err)
|
|
assert.Equal(t, 0, pid)
|
|
}
|
|
|
|
// Tests for PID reuse vulnerability fix
|
|
|
|
func TestDefaultCrowdsecExecutor_isCrowdSecProcess_ValidProcess(t *testing.T) {
|
|
exec := NewDefaultCrowdsecExecutor()
|
|
|
|
// Create a mock /proc/{pid}/cmdline
|
|
tmpDir := t.TempDir()
|
|
exec.procPath = tmpDir
|
|
|
|
// Create a fake PID directory with crowdsec in cmdline
|
|
pid := 12345
|
|
procPidDir := filepath.Join(tmpDir, strconv.Itoa(pid))
|
|
_ = os.MkdirAll(procPidDir, 0o750)
|
|
|
|
// Write cmdline with crowdsec (null-separated like real /proc)
|
|
cmdline := "/usr/bin/crowdsec\x00-c\x00/etc/crowdsec/config.yaml"
|
|
_ = os.WriteFile(filepath.Join(procPidDir, "cmdline"), []byte(cmdline), 0o600) // #nosec G306 -- test fixture
|
|
|
|
assert.True(t, exec.isCrowdSecProcess(pid), "Should detect CrowdSec process")
|
|
}
|
|
|
|
func TestDefaultCrowdsecExecutor_isCrowdSecProcess_DifferentProcess(t *testing.T) {
|
|
exec := NewDefaultCrowdsecExecutor()
|
|
|
|
// Create a mock /proc/{pid}/cmdline
|
|
tmpDir := t.TempDir()
|
|
exec.procPath = tmpDir
|
|
|
|
// Create a fake PID directory with a different process (like dlv debugger)
|
|
pid := 12345
|
|
procPidDir := filepath.Join(tmpDir, strconv.Itoa(pid))
|
|
_ = os.MkdirAll(procPidDir, 0o750)
|
|
|
|
// Write cmdline with dlv (the original bug case)
|
|
cmdline := "/usr/local/bin/dlv\x00--telemetry\x00--headless"
|
|
_ = os.WriteFile(filepath.Join(procPidDir, "cmdline"), []byte(cmdline), 0o600) // #nosec G306 -- test fixture
|
|
|
|
assert.False(t, exec.isCrowdSecProcess(pid), "Should NOT detect dlv as CrowdSec")
|
|
}
|
|
|
|
func TestDefaultCrowdsecExecutor_isCrowdSecProcess_NonExistentProcess(t *testing.T) {
|
|
exec := NewDefaultCrowdsecExecutor()
|
|
|
|
// Create a mock /proc without the PID
|
|
tmpDir := t.TempDir()
|
|
exec.procPath = tmpDir
|
|
|
|
// Don't create any PID directory
|
|
assert.False(t, exec.isCrowdSecProcess(99999), "Should return false for non-existent process")
|
|
}
|
|
|
|
func TestDefaultCrowdsecExecutor_isCrowdSecProcess_EmptyCmdline(t *testing.T) {
|
|
exec := NewDefaultCrowdsecExecutor()
|
|
|
|
// Create a mock /proc/{pid}/cmdline
|
|
tmpDir := t.TempDir()
|
|
exec.procPath = tmpDir
|
|
|
|
// Create a fake PID directory with empty cmdline
|
|
pid := 12345
|
|
procPidDir := filepath.Join(tmpDir, strconv.Itoa(pid))
|
|
_ = os.MkdirAll(procPidDir, 0o750)
|
|
|
|
// Write empty cmdline
|
|
_ = os.WriteFile(filepath.Join(procPidDir, "cmdline"), []byte(""), 0o600) // #nosec G306 -- test fixture
|
|
|
|
assert.False(t, exec.isCrowdSecProcess(pid), "Should return false for empty cmdline")
|
|
}
|
|
|
|
func TestDefaultCrowdsecExecutor_Status_PIDReuse_DifferentProcess(t *testing.T) {
|
|
exec := NewDefaultCrowdsecExecutor()
|
|
|
|
// Create temp directories for config and mock /proc
|
|
tmpDir := t.TempDir()
|
|
mockProc := t.TempDir()
|
|
exec.procPath = mockProc
|
|
|
|
// Get current process PID (which exists and responds to Signal(0))
|
|
currentPID := os.Getpid()
|
|
|
|
// Write current PID to the crowdsec.pid file (simulating stale PID file)
|
|
_ = os.WriteFile(filepath.Join(tmpDir, "crowdsec.pid"), []byte(strconv.Itoa(currentPID)), 0o600) // #nosec G306 -- test fixture
|
|
|
|
// Create mock /proc entry for current PID but with a non-crowdsec cmdline
|
|
procPidDir := filepath.Join(mockProc, strconv.Itoa(currentPID))
|
|
_ = os.MkdirAll(procPidDir, 0o750) // #nosec G301 -- test fixture
|
|
_ = os.WriteFile(filepath.Join(procPidDir, "cmdline"), []byte("/usr/local/bin/dlv\x00debug"), 0o600) // #nosec G306 -- test fixture
|
|
|
|
// Status should return NOT running because the PID is not CrowdSec
|
|
running, pid, err := exec.Status(context.Background(), tmpDir)
|
|
|
|
assert.NoError(t, err)
|
|
assert.False(t, running, "Should detect PID reuse and return not running")
|
|
assert.Equal(t, currentPID, pid)
|
|
}
|
|
|
|
func TestDefaultCrowdsecExecutor_Status_PIDReuse_IsCrowdSec(t *testing.T) {
|
|
exec := NewDefaultCrowdsecExecutor()
|
|
|
|
// Create temp directories for config and mock /proc
|
|
tmpDir := t.TempDir()
|
|
mockProc := t.TempDir()
|
|
exec.procPath = mockProc
|
|
|
|
// Get current process PID (which exists and responds to Signal(0))
|
|
currentPID := os.Getpid()
|
|
|
|
// Write current PID to the crowdsec.pid file
|
|
_ = os.WriteFile(filepath.Join(tmpDir, "crowdsec.pid"), []byte(strconv.Itoa(currentPID)), 0o600) // #nosec G306 -- test fixture
|
|
|
|
// Create mock /proc entry for current PID with crowdsec cmdline
|
|
procPidDir := filepath.Join(mockProc, strconv.Itoa(currentPID))
|
|
_ = os.MkdirAll(procPidDir, 0o750) // #nosec G301 -- test fixture
|
|
_ = os.WriteFile(filepath.Join(procPidDir, "cmdline"), []byte("/usr/bin/crowdsec\x00-c\x00config.yaml"), 0o600) // #nosec G306 -- test fixture
|
|
|
|
// Status should return running because it IS CrowdSec
|
|
running, pid, err := exec.Status(context.Background(), tmpDir)
|
|
|
|
assert.NoError(t, err)
|
|
assert.True(t, running, "Should return running when process is CrowdSec")
|
|
assert.Equal(t, currentPID, pid)
|
|
}
|
|
|
|
func TestDefaultCrowdsecExecutor_Stop_SignalError(t *testing.T) {
|
|
exec := NewDefaultCrowdsecExecutor()
|
|
tmpDir := t.TempDir()
|
|
|
|
// Write a pid for a process that exists but we can't signal (e.g., init process or other user's process)
|
|
// Use PID 1 which exists but typically can't be signaled by non-root
|
|
_ = os.WriteFile(filepath.Join(tmpDir, "crowdsec.pid"), []byte("1"), 0o600) // #nosec G306 -- test fixture
|
|
|
|
err := exec.Stop(context.Background(), tmpDir)
|
|
|
|
// Stop should return an error when Signal fails with something other than ESRCH/ErrProcessDone
|
|
// On Linux, signaling PID 1 as non-root returns EPERM (Operation not permitted)
|
|
// The exact behavior depends on the system, but the test verifies the error path is triggered
|
|
_ = err // Result depends on system permissions, but line 76-79 is now exercised
|
|
}
|