docs(tls): Update docs for tls authentication

Author: julienloizelet

docs/DEVELOPER.md

@@ -148,11 +148,41 @@ Activate the CrowdSec plugin
 
 ##### End-to-end tests
 
+We are using a Jest/Playwright Node.js stack to launch a suite of end-to-end tests.
+
+**Please note** that those tests modify local configurations and log content on the fly.
+
+As we use a TLS ready CrowdSec container, you have first to copy some certificates and key:
+
+```bash
+cd wp-sources
+cp -r .ddev/custom_files/crowdsec/cfssl/* wp-content/plugins/crowdsec/tls
+```
+
+Then, ensure that `run-tests.sh` and `test-init.sh` files are executable.
+
 ```
 cd wp-sources/my-own-module/crowdsec-bouncer/tests/e2e-ddev/__scripts__
 ```
-Ensure that `run-tests.sh` and `test-init.sh` files are executable. Run `chmod +x run-tests.sh test-init.sh` if not.
+Run `chmod +x run-tests.sh test-init.sh` if not.
+
+Then you can use the `run-test.sh` script to run the tests:
+
+- the first parameter specifies if you want to run the test on your machine (`host`) or in the
+  docker containers (`docker`). You can also use `ci` if you want to have the same behavior as in GitHub action.
+- the second parameter list the test files you want to execute. If empty, all the test suite will be launched.
+
+In other words, you can test by running:
+
+`./run-tests.sh [context] [files]` where `[context]` can be `ci`, `docker` or `host` and files is the list of file to
+test (all files if empty);
+
+For example:
+```
+./run-tests.sh host "./2-live-mode-remediations.js"
+```
 
+**N.B**
 
 Before testing with the `docker` or `ci` parameter, you have to install all the required dependencies
 in the playwright container with this command :
@@ -166,15 +196,7 @@ yarn --cwd ./tests/e2e-ddev --force
 yarn global add cross-env
 ```
 
-Finally, you can test by running:
 
-`./run-tests.sh [context] [files]` where `[context]` can be `ci`, `docker` or `host` and files is the list of file to
-test (all files if empty);
-
-For example:
-```
-./run-tests.sh host "./2-live-mode-remediations.js"
-```
 
 #### Update composer dependencies
 
@@ -204,7 +226,7 @@ ddev composer update --no-dev --prefer-dist --optimize-autoloader --working-dir
 
 This guide exposes you the main features of the plugin.
 
-Before all, please retrieve your host IP (a.k.a. <YOUR_HOST_IP>)with the command:
+Before all, please retrieve your host IP (a.k.a. <YOUR_HOST_IP>) with the command:
 
 `ddev find-ip`
 
@@ -264,16 +286,18 @@ ddev exec -s exec crowdsec cscli decisions add --ip <YOUR_HOST_IP> --duration 15
 
 * Unless you manage to solve the captcha, you'll not be able to access the website.
 
-> Note: when you resolve the captcha in your browser, the associated PHP session is considered as sure.
-> If you remove the captcha decision with `cscli`, then you add a new captcha decision for your IP, you'll not be prompted for the current PHP session. To view the captcha page, You can force using a new PHP session opening the front page with incognito mode.
+> Note: when you resolve the captcha in your browser, the result is stored in cache.
+> If you remove the captcha decision with `cscli`, then you add a new captcha decision for your IP, you'll not be 
+> prompted until you clear the cache or the lifetime for captcha decision has been reached.
 
 ### Stream mode, for the high traffic websites
 
 With live mode, as you tried it just before, each time a user arrives to the website for the first time, a call is made to Local API. If the traffic on your website is high, the bouncer will call Local API very often.
 
 To avoid this, Local API offers a "stream" mode. The decisions list is updated at a predefined frequency and kept in cache. Let's try it!
 
-> This bouncer uses the WordPress cron system. For demo purposes, we encourage you to install the WP-Control plugin, a plugin to view and control each Wordpress Cron task jobs.
+> This bouncer uses the WordPress cron system. For demo purposes, we encourage you to install the WP-Control plugin, 
+> a plugin to view and control each WordPress Cron task jobs.
 
 First, clear the previous decisions:
 
@@ -366,13 +390,13 @@ Before publishing a new release, there are some manual steps to take:
 
 - Change the version number and stable tag in the `crowdsec.php` file
 - Change the stable tag  in the `readme.txt` file
-- Change the version number in the `inc/constants.php` file
+- Change the version number in the `inc/Constants.php` file
 - Update the `CHANGELOG.md` file
 
 Then, you have to [run the action manually from the GitHub repository](https://github.com/crowdsecurity/cs-wordpress-bouncer/actions/workflows/release.yml)
 
 
-Alternatively, you could use the [Github CLI](https://github.com/cli/cli):
+Alternatively, you could use the [GitHub CLI](https://github.com/cli/cli):
 - create a draft release:
 ```
 gh workflow run release.yml -f tag_name=vx.y.z -f draft=true
@@ -386,7 +410,7 @@ gh workflow run release.yml -f tag_name=vx.y.z -f prerelease=true
 gh workflow run release.yml -f tag_name=vx.y.z
 ```
 
-Note that the Github action will fail if the tag `tag_name` already exits.
+Note that the GitHub action will fail if the tag `tag_name` already exits.
 
 
 

docs/USER_GUIDE.md

@@ -68,7 +68,7 @@ These configurations are divided in three main parts : `CrowdSec`, `Theme custom
 In the `CrowdSec` part, you will set your connection details and refine bouncing according to your needs. You will 
 also be able to test your settings.
 
-![Connection details](images/screenshots/config-connection.jpg)
+![Connection details](images/screenshots/config-connection-details.jpg)
 
 ***
 
@@ -79,10 +79,65 @@ Url to join your CrowdSec Local API.
 
 ***
 
+`Connection details → Authentication type`
+
+Choose between `Bouncer API key` and `TLS certificates` (pki) authentication.
+
+TLS authentication is only available if you use CrowdSec agent with a version superior to 1.4.0.
+Please see [CrowdSec documentation](https://docs.crowdsec.net/docs/local_api/tls_auth/).
+
+***
+
 `Connection details → Bouncer API key`
 
 Key generated by the cscli command.
 
+Only if you chose `Bouncer API key` as authentication type.
+
+***
+
+`Connection details → Path to the bouncer certificate` 
+
+Relative path to the `wp-content/plugins/crowdsec/tls` folder of your WordPress instance.
+
+Example: `bouncer.pem`.
+
+Only if you chose `TLS certificates` as authentication type.
+
+***
+
+`Connection details → Path to the bouncer key`
+
+Relative path to the `wp-content/plugins/crowdsec/tls` folder of your WordPress instance.
+
+Example: `bouncer-key.pem`.
+
+Only if you chose `TLS certificates` as authentication type.
+
+***
+
+`Connection details → Verify peer`
+
+This option determines whether request handler verifies the authenticity of the peer's certificate.
+
+Only if you chose `TLS certificates` as authentication type.
+
+When negotiating a TLS or SSL connection, the server sends a certificate indicating its identity.
+If `Verify peer` is checked, request handler verifies whether the certificate is authentic.
+This trust is based on a chain of digital signatures,
+rooted in certification authority (CA) certificate you supply using the `Path to the CA used to process for peer 
+verification` setting below.
+
+***
+
+`Connection details → Path to the CA certificate used to process peer verification`
+
+Relative path to the `wp-content/plugins/crowdsec/tls` folder of your WordPress instance.
+
+Example: `ca-chain.pem`.
+
+Only if you chose `TLS certificates` as authentication type.
+
 
 ***
 
@@ -93,6 +148,8 @@ By default, `file_get_contents` method is used to call Local API. This method re
 Here, you can choose to use `cURL` requests instead. Beware that in this case, you need to have php `cURL` extension 
 installed and enabled on your system.
 
+![Connection details](images/screenshots/config-bouncing.jpg)
+
 ***
 
 `Bouncing → Bouncing level`

docs/images/screenshots/config-bouncing.jpg

@@ -207,7 +207,7 @@ describe(`Run in Live mode`, () => {
 			);
 
 			// Good settings without curl
-			await setToggle("crowdsec_use_curl", true);
+			await setToggle("crowdsec_use_curl", false);
 			await onAdminSaveSettings();
 			await page.click("#crowdsec_action_test_connection #submit");
 			await wait(2000);