feat(tls): Add end-to-end test for TLS auth

Author: julienloizelet

.github/workflows/end-to-end-auto-prepend-test-suite.yml

@@ -103,6 +103,9 @@ jobs:
       - name: Prepare for playwright test
         run: |
           cd ${{ github.workspace }}
+          cp -r .ddev/custom_files/crowdsec/cfssl/* my-own-modules/${{ env.EXTENSION_PATH }}/tls
+          cd my-own-modules/${{ env.EXTENSION_PATH }}
+          docker cp "tls" ddev-${{ env.WP_VERSION_CODE }}-playwright://var/www/html/wp-content/plugins/crowdsec
           ddev maxmind-download DEFAULT GeoLite2-City /var/www/html/my-own-modules/${{ env.EXTENSION_PATH }}/geolocation
           ddev maxmind-download DEFAULT GeoLite2-Country /var/www/html/my-own-modules/${{ env.EXTENSION_PATH }}/geolocation
           cd ${{ github.workspace }}/my-own-modules/${{ env.EXTENSION_PATH }}/geolocation

.github/workflows/end-to-end-test-suite.yml

@@ -103,8 +103,9 @@ jobs:
       - name: Prepare for playwright test
         run: |
           cd ${{ github.workspace }}
-          mkdir -p wp-content/plugins/crowdsec/tls
-          cp -r .ddev/custom_files/crowdsec/cfssl/* wp-content/plugins/crowdsec/tls
+          cp -r .ddev/custom_files/crowdsec/cfssl/* my-own-modules/${{ env.EXTENSION_PATH }}/tls
+          cd my-own-modules/${{ env.EXTENSION_PATH }}
+          docker cp "tls" ddev-${{ env.WP_VERSION_CODE }}-playwright://var/www/html/wp-content/plugins/crowdsec
           ddev maxmind-download DEFAULT GeoLite2-City /var/www/html/my-own-modules/${{ env.EXTENSION_PATH }}/geolocation
           ddev maxmind-download DEFAULT GeoLite2-Country /var/www/html/my-own-modules/${{ env.EXTENSION_PATH }}/geolocation
           cd ${{ github.workspace }}/my-own-modules/${{ env.EXTENSION_PATH }}/geolocation

.github/workflows/end-to-end/run-single-test/action.yaml

@@ -23,7 +23,6 @@ runs:
         if [[ $PENDING_TESTS == "0" ]]
         then
         echo "No pending tests: OK"
-        echo "### ${{ inputs.file_path }} test was successful :rocket:" >> $GITHUB_STEP_SUMMARY
         else
         echo "There are pending tests: $PENDING_TESTS (KO)"
         exit 1

.github/workflows/release.yml

@@ -22,9 +22,6 @@ jobs:
         name: Deploy and create release
         runs-on: ubuntu-latest
 
-        env:
-            GITHUB_URL: "https://github.com/crowdsecurity/cs-wordpress-bouncer"
-
         steps:
             -   name: Check naming convention
                 run: |
@@ -50,15 +47,15 @@ jobs:
                     echo $CURRENT_DATE
                     echo $CHANGELOG_VERSION
                     echo "##[${{ env.VERSION_NUMBER }}]-$CURRENT_DATE"
-                    if [[ $CHANGELOG_VERSION == "##[${{ env.VERSION_NUMBER }}](${{ env.GITHUB_URL }}/releases/tag/v${{ env.VERSION_NUMBER }})-$CURRENT_DATE" ]]
+                    if [[ $CHANGELOG_VERSION == "##[${{ env.VERSION_NUMBER }}](${{ env.GITHUB_SERVER_URL }}/${{ env.GITHUB_REPOSITORY }}/releases/tag/v${{ env.VERSION_NUMBER }})-$CURRENT_DATE" ]]
                     then
                        echo "Version in CHANGELOG.md: OK"
                     else
                        echo "Version in CHANGELOG.md: KO"
                        exit 1
                     fi
                     COMPARISON=$(grep -oP "\/compare\/\K(.*)$" CHANGELOG.md | head -1)
-                    LAST_TAG=$(curl -Ls -o /dev/null -w %{url_effective} ${{ env.GITHUB_URL }}/releases/latest | grep -oP "\/tag\/\K(.*)$")
+                    LAST_TAG=$(curl -Ls -o /dev/null -w %{url_effective} ${{ env.GITHUB_SERVER_URL }}/${{ env.GITHUB_REPOSITORY }}/releases/latest | grep -oP "\/tag\/\K(.*)$")
                     if [[ $COMPARISON == "$LAST_TAG...v${{ env.VERSION_NUMBER }})" ]]
                     then
                       echo "VERSION COMPARISON OK"
@@ -135,7 +132,7 @@ jobs:
 
             -   name: Prepare release notes
                 run: |
-                    VERSION_RELEASE_NOTES=$(awk -v ver="[${{ env.VERSION_NUMBER }}](${{ env.GITHUB_URL }}/releases/tag/v${{ env.VERSION_NUMBER }})" '/^## / { if (p) { exit }; if ($2 == ver) { p=1; next} } p && NF' CHANGELOG.md | sed ':a;N;$!ba;s/\n---/ /g')
+                    VERSION_RELEASE_NOTES=$(awk -v ver="[${{ env.VERSION_NUMBER }}](${{ env.GITHUB_SERVER_URL }}/${{ env.GITHUB_REPOSITORY }}/releases/tag/v${{ env.VERSION_NUMBER }})" '/^## / { if (p) { exit }; if ($2 == ver) { p=1; next} } p && NF' CHANGELOG.md | sed ':a;N;$!ba;s/\n---/ /g')
                     echo "$VERSION_RELEASE_NOTES" >> CHANGELOG.txt
                     cat CHANGELOG.txt
 

inc/Bounce.php

@@ -45,10 +45,10 @@ public function getBouncerInstance(array $settings): Bouncer
             // LAPI connection
             'api_key' => $this->escape($this->getStringSettings('crowdsec_api_key')),
             'auth_type' => $this->getStringSettings('crowdsec_auth_type')?:Constants::AUTH_KEY,
-            'tls_cert_path' => $this->getStringSettings('crowdsec_tls_cert_path'),
-            'tls_key_path' => $this->getStringSettings('crowdsec_tls_key_path'),
+            'tls_cert_path' => Constants::CROWDSEC_BOUNCER_TLS_DIR. '/'.ltrim($this->getStringSettings('crowdsec_tls_cert_path'), '/'),
+            'tls_key_path' => Constants::CROWDSEC_BOUNCER_TLS_DIR. '/'.ltrim($this->getStringSettings('crowdsec_tls_key_path'), '/'),
             'tls_verify_peer' => $this->getBoolSettings('crowdsec_tls_verify_peer'),
-            'tls_ca_cert_path' => $this->getStringSettings('crowdsec_tls_ca_cert_path'),
+            'tls_ca_cert_path' => Constants::CROWDSEC_BOUNCER_TLS_DIR. '/'.ltrim($this->getStringSettings('crowdsec_tls_ca_cert_path'), '/'),
             'api_url' => $this->escape($this->getStringSettings('crowdsec_api_url')),
             'use_curl' => $this->getBoolSettings('crowdsec_use_curl'),
             'api_user_agent' => Constants::CROWDSEC_BOUNCER_USER_AGENT,

inc/Constants.php

@@ -24,5 +24,6 @@ class Constants extends LibConstants
     public const CROWDSEC_CONFIG_PATH = __DIR__ . '/standalone-settings.php';
     public const CROWDSEC_BOUNCER_USER_AGENT = 'WordPress CrowdSec Bouncer/v1.8.1';
     public const CROWDSEC_BOUNCER_GEOLOCATION_DIR = __DIR__ . '/../geolocation';
+    public const CROWDSEC_BOUNCER_TLS_DIR = __DIR__ . '/../tls';
 
 }

inc/admin/settings.php

@@ -56,7 +56,7 @@ function adminSettings()
         'crowdsec_settings', 'crowdsec_admin_connection', function () {}, function () {}, '<p>This option determines whether request handler verifies the authenticity of the peer\'s certificate</p>');
 
     // Field "crowdsec_tls_ca_cert_path"
-    addFieldString('crowdsec_ca_cert_path', 'Path to the CA used to process peer verification', 'crowdsec_plugin_settings', 'crowdsec_settings',
+    addFieldString('crowdsec_tls_ca_cert_path', 'Path to the CA used to process peer verification', 'crowdsec_plugin_settings', 'crowdsec_settings',
         'crowdsec_admin_connection', function ($input) {
             return $input;
         }, '<p>Relative path from <i>wp-content/plugins/crowdsec/tls</i> folder</p>', 'ca-chain.pem', 'width: 180px;',

inc/bouncer-instance.php

@@ -23,10 +23,10 @@ function getDatabaseSettings(): array
         // Local API connection
         'api_key' => esc_attr(get_option('crowdsec_api_key')),
         'auth_type' => esc_attr(get_option('crowdsec_auth_type'))?:Constants::AUTH_KEY,
-        'tls_cert_path' => esc_attr(get_option('crowdsec_tls_cert_path')),
-        'tls_key_path' => esc_attr(get_option('crowdsec_tls_key_path')),
+        'tls_cert_path' => Constants::CROWDSEC_BOUNCER_TLS_DIR. '/'.ltrim(esc_attr(get_option('crowdsec_tls_cert_path')), '/'),
+        'tls_key_path' => Constants::CROWDSEC_BOUNCER_TLS_DIR. '/'.ltrim(esc_attr(get_option('crowdsec_tls_key_path')), '/'),
         'tls_verify_peer' => !empty(get_option('crowdsec_tls_verify_peer')),
-        'tls_ca_cert_path' => esc_attr(get_option('crowdsec_tls_ca_cert_path')),
+        'tls_ca_cert_path' => Constants::CROWDSEC_BOUNCER_TLS_DIR. '/'.ltrim(esc_attr(get_option('crowdsec_tls_ca_cert_path')), '/'),
         'api_url' => esc_attr(get_option('crowdsec_api_url')),
         'use_curl' => !empty(get_option('crowdsec_use_curl')),
         'api_user_agent' => Constants::CROWDSEC_BOUNCER_USER_AGENT,

inc/templates/settings.php

@@ -1,5 +1,50 @@
 <div class="wrap">
 	<h1>Configure your CrowdSec Bouncer</h1>
+    <script type="text/javascript">
+
+        jQuery(() => {
+            const $authType = jQuery('[name=crowdsec_auth_type]');
+            const $verifyPeer = jQuery('[name=crowdsec_tls_verify_peer]');
+            const $apiKeyTr = jQuery('[name=crowdsec_api_key]').parent().parent();
+            const $tlsCertTr = jQuery('[name=crowdsec_tls_cert_path]').parent().parent();
+            const $tlsKeyTr = jQuery('[name=crowdsec_tls_key_path]').parent().parent();
+            const $tlsVerifyPeerTr = $verifyPeer.parent().parent().parent();
+            const $tlsCaTr = jQuery('[name=crowdsec_tls_ca_cert_path]').parent().parent();
+
+            function handleCaCert () {
+                if(!$verifyPeer.is(":checked")) {
+                    $tlsCaTr.hide();
+                } else {$tlsCaTr.show()}
+            }
+
+            function updateTlsDisplay () {
+                $tlsCertTr.addClass('crowdsec-tls');
+                $tlsKeyTr.addClass('crowdsec-tls');
+                $tlsVerifyPeerTr.removeClass('ui-toggle').addClass('crowdsec-tls');
+                $tlsCaTr.addClass('crowdsec-tls');
+                $apiKeyTr.addClass('crowdsec-api-key');
+                switch ($authType.val()) {
+                    case 'api_key':
+                        jQuery('[class=crowdsec-tls]').hide();
+                        jQuery('[class=crowdsec-api-key]').show();
+                        break;
+                    case 'tls':
+                        jQuery('[class=crowdsec-tls]').show();
+                        jQuery('[class=crowdsec-api-key]').hide();
+                        if(!$verifyPeer.is(":checked")) {
+                            $tlsCaTr.hide();
+                        }
+                        break;
+                    default:
+                        jQuery('[class=crowdsec-tls]').hide();
+                        jQuery('[class=crowdsec-api-key]').show();
+                }
+            }
+            updateTlsDisplay();
+            $authType.change(updateTlsDisplay);
+            $verifyPeer.change(handleCaCert);
+        });
+    </script>
 	<?php settings_errors(); ?>
 	<div class="tab-content">
 		<div id="tab-1" class="tab-pane active">

tests/e2e-ddev/__tests__/3-live-mode-more.js

@@ -15,9 +15,11 @@ const {
 	onLoginPageLoginAsAdmin,
 	setDefaultConfig,
 	banOwnIpForSeconds,
+	selectByName,
+	setToggle
 } = require("../utils/helpers");
 
-const { CURRENT_IP, PROXY_IP } = require("../utils/constants");
+const { CURRENT_IP, PROXY_IP, TLS_PATH, BOUNCER_KEY_FILE, BOUNCER_CERT_FILE, AGENT_CERT_FILE, CA_CERT_FILE } = require("../utils/constants");
 
 describe(`Run in Live mode`, () => {
 	beforeAll(async () => {
@@ -111,4 +113,119 @@ describe(`Run in Live mode`, () => {
 		// Should be banned
 		await publicHomepageShouldBeBanWall();
 	});
+
+	describe(`Test TLS auth in Live mode`, () => {
+		it("Should configure TLS", async () => {
+			await goToAdmin();
+			await onAdminGoToSettingsPage();
+			await setToggle("crowdsec_use_curl", true);
+			await selectByName(
+				"crowdsec_auth_type",
+				"tls",
+			);
+	
+			await fillInput(
+				"crowdsec_tls_key_path",
+				`${BOUNCER_KEY_FILE}`,
+			);
+			await setToggle("crowdsec_tls_verify_peer",true);
+			await fillInput(
+				"crowdsec_tls_ca_cert_path",
+				`${CA_CERT_FILE}`,
+			);
+			// Bad path
+			await fillInput(
+				"crowdsec_tls_cert_path",
+				"bad-path",
+			);
+			await onAdminSaveSettings();
+			await page.click("#crowdsec_action_test_connection #submit");
+	
+			await wait(2000);
+			await expect(page).toMatchText(
+				".notice.notice-error",
+				/Technical error.*could not load PEM client certificate/,
+			);
+			// Bad cert
+			await fillInput(
+				"crowdsec_tls_cert_path",
+				`${AGENT_CERT_FILE}`,
+			);
+			await onAdminSaveSettings();
+			await page.click("#crowdsec_action_test_connection #submit");
+			await wait(2000);
+			await expect(page).toMatchText(
+				".notice.notice-error",
+				/Technical error.*unable to set private key file/,
+			);
+	
+			// Bad CA with verify peer
+			await fillInput(
+				"crowdsec_tls_cert_path",
+				`${BOUNCER_CERT_FILE}`,
+			);
+			await fillInput(
+				"crowdsec_tls_ca_cert_path",
+				`${AGENT_CERT_FILE}`,
+			);
+			await onAdminSaveSettings();
+			await page.click("#crowdsec_action_test_connection #submit");
+			await wait(2000);
+			await expect(page).toMatchText(
+				".notice.notice-error",
+				/Technical error.*unable to get local issuer certificate/,
+			);
+	
+			// Bad CA without verify peer
+			await setToggle("crowdsec_tls_verify_peer",false);
+			await onAdminSaveSettings();
+			await page.click("#crowdsec_action_test_connection #submit");
+			await wait(2000);
+			await expect(page).toMatchText(
+				".notice.notice-success",
+				/Bouncing has been successfully tested/,
+			);
+	
+			// Good settings with curl
+			await setToggle("crowdsec_tls_verify_peer",true);
+		
+			await fillInput(
+				"crowdsec_tls_ca_cert_path",
+				`${CA_CERT_FILE}`,
+			);
+			await fillInput(
+				"crowdsec_tls_cert_path",
+				`${BOUNCER_CERT_FILE}`,
+			);
+	
+			await onAdminSaveSettings();
+			await page.click("#crowdsec_action_test_connection #submit");
+			await wait(2000);
+			await expect(page).toMatchText(
+				".notice.notice-success",
+				/Bouncing has been successfully tested/,
+			);
+	
+			// Good settings without curl
+			await setToggle("crowdsec_use_curl", true);
+			await onAdminSaveSettings();
+			await page.click("#crowdsec_action_test_connection #submit");
+			await wait(2000);
+			await expect(page).toMatchText(
+				".notice.notice-success",
+				/Bouncing has been successfully tested/,
+			);
+	
+		});
+	
+		it("Should display the homepage with no remediation", async () => {
+			await removeAllDecisions();
+			await publicHomepageShouldBeAccessible();
+		});
+	
+		it("Should display a ban wall", async () => {
+			await banIpForSeconds(CURRENT_IP, 15 * 60);
+			await publicHomepageShouldBeBanWall();
+		});
+	});
 });