bats: curl helpers to mock log processors and bouncers (#3141)

test/bats/10_bouncers.bats

@@ -42,6 +42,24 @@ teardown() {
     assert_json '[]'
 }
 
+@test "bouncer api-key auth" {
+    rune -0 cscli bouncers add ciTestBouncer --key "goodkey"
+
+    # connect with good credentials
+    rune -0 curl-tcp "/v1/decisions" -sS --fail-with-body -H "X-Api-Key: goodkey"
+    assert_output null
+
+    # connect with bad credentials
+    rune -22 curl-tcp "/v1/decisions" -sS --fail-with-body -H "X-Api-Key: badkey"
+    assert_stderr --partial 'error: 403'
+    assert_json '{message:"access forbidden"}'
+
+    # connect with no credentials
+    rune -22 curl-tcp "/v1/decisions" -sS --fail-with-body
+    assert_stderr --partial 'error: 403'
+    assert_json '{message:"access forbidden"}'
+}
+
 @test "bouncers delete has autocompletion" {
     rune -0 cscli bouncers add foo1
     rune -0 cscli bouncers add foo2

test/lib/db/instance-mysql

@@ -21,7 +21,7 @@ about() {
 
 check_requirements() {
     if ! command -v mysql >/dev/null; then
-        die "missing required program 'mysql' as a mysql client (package mariadb-client-core-10.6 on debian like system)"
+        die "missing required program 'mysql' as a mysql client (package mariadb-client on debian like system)"
     fi
 }
 

test/lib/setup_file.sh

@@ -282,18 +282,61 @@ rune() {
 }
 export -f rune
 
-# call the lapi through unix socket with an API_KEY (authenticates as a bouncer)
-# after $1, pass throught extra arguments to curl
-curl-with-key() {
+# call the lapi through unix socket
+# the path (and query string) must be the first parameter, the others will be passed to curl
+curl-socket() {
     [[ -z "$1" ]] && { fail "${FUNCNAME[0]}: missing path"; }
     local path=$1
     shift
-    [[ -z "$API_KEY" ]] && { fail "${FUNCNAME[0]}: missing API_KEY"; }
     local socket
     socket=$(config_get '.api.server.listen_socket')
     [[ -z "$socket" ]] && { fail "${FUNCNAME[0]}: missing .api.server.listen_socket"; }
-
     # curl needs a fake hostname when using a unix socket
-    curl -sS --fail-with-body -H "X-Api-Key: $API_KEY" --unix-socket "$socket" "http://lapi$path" "$@"
+    curl --unix-socket "$socket" "http://lapi$path" "$@"
+}
+export -f curl-socket
+
+# call the lapi through tcp
+# the path (and query string) must be the first parameter, the others will be passed to curl
+curl-tcp() {
+    [[ -z "$1" ]] && { fail "${FUNCNAME[0]}: missing path"; }
+    local path=$1
+    shift
+    local cred
+    cred=$(config_get .api.client.credentials_path)
+    local base_url
+    base_url="$(yq '.url' < "$cred")"
+    curl "$base_url$path" "$@"
+}
+export -f curl-tcp
+
+# call the lapi through unix socket with an API_KEY (authenticates as a bouncer)
+# after $1, pass throught extra arguments to curl
+curl-with-key() {
+    [[ -z "$API_KEY" ]] && { fail "${FUNCNAME[0]}: missing API_KEY"; }
+    curl-tcp "$@" -sS --fail-with-body -H "X-Api-Key: $API_KEY"
 }
 export -f curl-with-key
+
+# call the lapi through unix socket with a TOKEN (authenticates as a machine)
+# after $1, pass throught extra arguments to curl
+curl-with-token() {
+    [[ -z "$TOKEN" ]] && { fail "${FUNCNAME[0]}: missing TOKEN"; }
+    # curl needs a fake hostname when using a unix socket
+    curl-tcp "$@" -sS --fail-with-body -H "Authorization: Bearer $TOKEN"
+}
+export -f curl-with-token
+
+# as a log processor, connect to lapi and get a token
+lp-get-token() {
+    local cred
+    cred=$(config_get .api.client.credentials_path)
+    local resp
+    resp=$(yq -oj -I0 '{"machine_id":.login,"password":.password}' < "$cred" | curl-socket '/v1/watchers/login' -s -X POST --data-binary @-)
+    if [[ "$(yq -e '.code' <<<"$resp")" != 200 ]]; then
+        echo "login_lp: failed to login" >&3
+        return 1
+    fi
+    echo "$resp" | yq -r '.token'
+}
+export -f lp-get-token