online api permissions

explicit path to overwrite local_api_credentials.yaml

cmd/crowdsec-cli/config_restore.go

@@ -215,7 +215,7 @@ func restoreConfigFromDirectory(dirPath string, oldBackup bool) error {
 			if csConfig.API.Server.OnlineClient != nil && csConfig.API.Server.OnlineClient.CredentialsFilePath != "" {
 				apiConfigDumpFile = csConfig.API.Server.OnlineClient.CredentialsFilePath
 			}
-			err = os.WriteFile(apiConfigDumpFile, apiConfigDump, 0o644)
+			err = os.WriteFile(apiConfigDumpFile, apiConfigDump, 0o600)
 			if err != nil {
 				return fmt.Errorf("write api credentials in '%s' failed: %s", apiConfigDumpFile, err)
 			}

cmd/crowdsec-cli/lapi.go

@@ -149,7 +149,7 @@ func runLapiRegister(cmd *cobra.Command, args []string) error {
 		log.Fatalf("unable to marshal api credentials: %s", err)
 	}
 	if dumpFile != "" {
-		err = os.WriteFile(dumpFile, apiConfigDump, 0644)
+		err = os.WriteFile(dumpFile, apiConfigDump, 0o600)
 		if err != nil {
 			log.Fatalf("write api credentials in '%s' failed: %s", dumpFile, err)
 		}

cmd/crowdsec-cli/machines.go

@@ -43,6 +43,7 @@ func generatePassword(length int) string {
 	charsetLength := len(charset)
 
 	buf := make([]byte, length)
+
 	for i := 0; i < length; i++ {
 		rInt, err := saferand.Int(saferand.Reader, big.NewInt(int64(charsetLength)))
 		if err != nil {
@@ -180,7 +181,7 @@ cscli machines add MyTestMachine --password MyPassword
 
 	flags := cmdMachinesAdd.Flags()
 	flags.StringP("password", "p", "", "machine password to login to the API")
-	flags.StringP("file", "f", "", "output file destination (defaults to "+csconfig.DefaultConfigPath("local_api_credentials.yaml")+")")
+	flags.StringP("file", "f", "-", "output file destination (defaults to stdout)")
 	flags.StringP("url", "u", "", "URL of the local API")
 	flags.BoolP("interactive", "i", false, "interfactive mode to enter the password")
 	flags.BoolP("auto", "a", false, "automatically generate password (and username if not provided)")
@@ -190,7 +191,6 @@ cscli machines add MyTestMachine --password MyPassword
 }
 
 func runMachinesAdd(cmd *cobra.Command, args []string) error {
-	var dumpFile string
 	var err error
 
 	flags := cmd.Flags()
@@ -200,11 +200,15 @@ func runMachinesAdd(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	outputFile, err := flags.GetString("file")
+	dumpFile, err := flags.GetString("file")
 	if err != nil {
 		return err
 	}
 
+	if dumpFile == "-" {
+		dumpFile = ""
+	}
+
 	apiURL, err := flags.GetString("url")
 	if err != nil {
 		return err
@@ -241,13 +245,6 @@ func runMachinesAdd(cmd *cobra.Command, args []string) error {
 		machineID = args[0]
 	}
 
-	/*check if file already exists*/
-	if outputFile != "" {
-		dumpFile = outputFile
-	} else if csConfig.API.Client != nil && csConfig.API.Client.CredentialsFilePath != "" {
-		dumpFile = csConfig.API.Client.CredentialsFilePath
-	}
-
 	// create a password if it's not specified by user
 	if machinePassword == "" && !interactive {
 		if !autoAdd {
@@ -267,6 +264,9 @@ func runMachinesAdd(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("unable to create machine: %s", err)
 	}
 	log.Infof("Machine '%s' successfully added to the local API", machineID)
+	if dumpFile == "" {
+		log.Infof("You need to copy the following lines to local_api_credentials.yaml on the new machine (make sure to restrict the file permissions)")
+	}
 
 	if apiURL == "" {
 		if csConfig.API.Client != nil && csConfig.API.Client.Credentials != nil && csConfig.API.Client.Credentials.URL != "" {
@@ -286,14 +286,15 @@ func runMachinesAdd(cmd *cobra.Command, args []string) error {
 	if err != nil {
 		return fmt.Errorf("unable to marshal api credentials: %s", err)
 	}
-	if dumpFile != "" && dumpFile != "-" {
-		err = os.WriteFile(dumpFile, apiConfigDump, 0644)
-		if err != nil {
-			return fmt.Errorf("write api credentials in '%s' failed: %s", dumpFile, err)
-		}
-		log.Printf("API credentials dumped to '%s'", dumpFile)
-	} else {
+
+	if dumpFile == "" {
 		fmt.Printf("%s\n", string(apiConfigDump))
+	} else {
+		err = os.WriteFile(dumpFile, apiConfigDump, 0o600)
+		if err != nil {
+			return fmt.Errorf("writing api credentials to '%s': %s", dumpFile, err)
+		}
+		log.Infof("API credentials dumped to '%s'", dumpFile)
 	}
 
 	return nil

test/bats/30_machines.bats

@@ -13,6 +13,7 @@ teardown_file() {
 
 setup() {
     load "../lib/setup.sh"
+    load "../lib/bats-file/load.bash"
     ./instance-data load
     ./instance-crowdsec start
 }
@@ -33,6 +34,27 @@ teardown() {
     assert_output '[1,"githubciXXXXXXXXXXXXXXXXXXXXXXXX",true]'
 }
 
+@test "adding a machines prints credentials (to stdout by default)" {
+    rune -0 cscli machines add testmachine --password testpassword
+    rune -0 yq -o json . <(output)
+    assert_json '{login: "testmachine", password: "testpassword", url: "http://127.0.0.1:8080"}'
+
+    rune -1 cscli machines add testmachine --password testpassword
+    assert_stderr --partial "unable to create machine: user 'testmachine': user already exist"
+
+    # the "-" name as stdout still works
+    rune -0 cscli machines add testmachine2 --password testpassword -f -
+    rune -0 yq -o json . <(output)
+    assert_json '{login: "testmachine2", password: "testpassword", url: "http://127.0.0.1:8080"}'
+
+    tempfile="${BATS_TEST_TMPDIR}/testmachine.yml"
+    rune -0 cscli machines add testmachine3 --password testpassword -f "${tempfile}"
+    assert_stderr --partial "API credentials dumped to '${tempfile}'"
+    rune -0 yq -o json . < "$tempfile"
+    assert_json '{login: "testmachine3", password: "testpassword", url: "http://127.0.0.1:8080"}'
+    assert_file_permission 600 "$tempfile"
+}
+
 @test "add a new machine and delete it" {
     rune -0 cscli machines add -a -f /dev/null CiTestMachine -o human
     assert_stderr --partial "Machine 'CiTestMachine' successfully added to the local API"