more func tests

Pipfile

@@ -1,7 +1,7 @@
 [packages]
 exceptiongroup = "1.1.1"
 pexpect = "4.8.0"
-pytest-cs = {ref = "0.7.16", git = "https://github.com/crowdsecurity/pytest-cs.git"}
+pytest-cs = {ref = "0.7.18", git = "https://github.com/crowdsecurity/pytest-cs.git"}
 pytest-dependency = "0.5.1"
 pytest-dotenv = "0.5.2"
 flask = "2.2.3"

test/bouncer/test_firewall_bouncer.py

@@ -59,7 +59,7 @@ def test_api_url(crowdsec, bouncer, fw_cfg_factory):
 def test_api_key(crowdsec, bouncer, fw_cfg_factory, api_key_factory, bouncer_under_test):
     api_key = api_key_factory()
     env = {
-        'BOUNCER_KEY_firewall': api_key
+        'BOUNCER_KEY_bouncer': api_key
     }
 
     with crowdsec(environment=env) as lapi:
@@ -76,6 +76,8 @@ def test_api_key(crowdsec, bouncer, fw_cfg_factory, api_key_factory, bouncer_und
             fw.proc.wait()
             assert not fw.proc.is_running()
 
+        lapi.wait_for_log("*API key not found*")
+
         cfg['api_key'] = 'badkey'
 
         with bouncer(cfg) as fw:

test/bouncer/test_tls.py

@@ -1,5 +1,6 @@
 import json
 
+
 def test_tls_server(crowdsec, certs_dir, api_key_factory, bouncer, fw_cfg_factory):
     """TLS with server-only certificate"""
 
@@ -11,7 +12,7 @@ def test_tls_server(crowdsec, certs_dir, api_key_factory, bouncer, fw_cfg_factor
         'LAPI_KEY_FILE': '/etc/ssl/crowdsec/lapi.key',
         'USE_TLS': 'true',
         'LOCAL_API_URL': 'https://localhost:8080',
-        'BOUNCER_KEY_custom': api_key,
+        'BOUNCER_KEY_bouncer': api_key,
     }
 
     certs = certs_dir(lapi_hostname='lapi')
@@ -108,3 +109,47 @@ def test_tls_mutual(crowdsec, certs_dir, api_key_factory, bouncer, fw_cfg_factor
             assert bouncers[0]['name'].startswith('@')
             assert bouncers[0]['auth_type'] == 'tls'
             assert bouncers[0]['type'] == bouncer_under_test
+
+
+def test_api_key_and_cert(crowdsec, certs_dir, api_key_factory, bouncer, fw_cfg_factory):
+    """Attempt to send an api key and a certificate too"""
+
+    api_key = api_key_factory()
+
+    lapi_env = {
+        'CACERT_FILE': '/etc/ssl/crowdsec/ca.crt',
+        'LAPI_CERT_FILE': '/etc/ssl/crowdsec/lapi.crt',
+        'LAPI_KEY_FILE': '/etc/ssl/crowdsec/lapi.key',
+        'USE_TLS': 'true',
+        'LOCAL_API_URL': 'https://localhost:8080',
+        'BOUNCER_KEY_bouncer': api_key,
+    }
+
+    certs = certs_dir(lapi_hostname='lapi')
+
+    volumes = {
+        certs: {'bind': '/etc/ssl/crowdsec', 'mode': 'ro'},
+    }
+
+    with crowdsec(environment=lapi_env, volumes=volumes) as cs:
+        cs.wait_for_log("*CrowdSec Local API listening*")
+        cs.wait_for_http(8080, '/health', want_status=None)
+
+        port = cs.probe.get_bound_port('8080')
+        cfg = fw_cfg_factory()
+        cfg['api_url'] = f'https://localhost:{port}'
+        cfg['ca_cert_path'] = (certs / 'ca.crt').as_posix()
+        cfg['api_key'] = api_key
+
+        cfg['cert_path'] = (certs / 'bouncer.crt').as_posix()
+        cfg['key_path'] = (certs / 'bouncer.key').as_posix()
+
+        with bouncer(cfg) as cb:
+            cb.wait_for_lines_fnmatch([
+                "*Starting crowdsec-firewall-bouncer*",
+                "*Using CA cert*",
+                "*Using API key auth*",
+                "*Using cert auth with cert * and key *",
+            ])
+
+        cs.wait_for_log("*client certificate OU (?agent-ou?) doesn't match expected OU (?bouncer-ou?)*")