From 0f10945d2aaee95a74d815230d31b74e972c841b Mon Sep 17 00:00:00 2001
From: tejgokani
Date: Thu, 28 May 2026 17:43:41 +0530
Subject: [PATCH 1/2] fix(docker): bouncer name strips wrong field from secrets path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When registering bouncers via Docker/Podman secrets, the secret filename 'bouncer_key_caddy' was split with 'cut -d_ -f2-', yielding 'key_caddy' instead of 'caddy'. The env-var registration loop (line 474) correctly uses 'cut -d_ -f3-' for BOUNCER_KEY_NAME → NAME. The secrets loop was inconsistent, using f2- instead of f3-. Fix: change f2- to f3- in the secrets loop (line 511). Adds regression test: mounts a mock secret file and asserts the registered bouncer name matches the suffix after 'bouncer_key_'. Fixes #4301
---
 build/docker/docker_start.sh | 2 +-
 build/docker/test/tests/test_bouncer.py | 38 +++++++++++++++++++++++++
 2 files changed, 39 insertions(+), 1 deletion(-)

diff --git a/build/docker/docker_start.sh b/build/docker/docker_start.sh
index 9f42b41561b..04eb2535015 100755
--- a/build/docker/docker_start.sh
+++ b/build/docker/docker_start.sh
@@ -508,7 +508,7 @@ fi
 shopt -s nullglob extglob
 for BOUNCER in /run/secrets/@(bouncer_key|BOUNCER_KEY)* ; do
 KEY=$(cat "${BOUNCER}")
- NAME=$(echo "${BOUNCER}" | awk -F "/" '{printf $NF}' | cut -d_ -f2-)
+ NAME=$(echo "${BOUNCER}" | awk -F "/" '{printf $NF}' | cut -d_ -f3-)
 if [[ -n $KEY ]] && [[ -n $NAME ]]; then
 register_bouncer "$NAME" "$KEY"
 fi
diff --git a/build/docker/test/tests/test_bouncer.py b/build/docker/test/tests/test_bouncer.py
index b186c4579a8..98bad3fe415 100644
--- a/build/docker/test/tests/test_bouncer.py
+++ b/build/docker/test/tests/test_bouncer.py
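Review bot: The changed `NAME=` line in docker_start.sh still hands the secret's basename to awk as a printf format (`printf $NF`), so a secret file whose name contains `%` is rewritten before `cut` sees it and the bouncer is registered under a different name than the file carries. Taking the basename without a format string avoids that: `NAME=$(basename "${BOUNCER}" | cut -d_ -f3-)`. Separately, the glob `@(bouncer_key|BOUNCER_KEY)*` still matches files with no third `_` field (for example `bouncer_key` or `bouncer_keycaddy`); with `-f3-` these now yield an empty NAME and are skipped by the `-n $NAME` test without any message. Ending the glob in `_*`, or logging the skipped path, would make a misnamed secret visible to the operator. The `for` loop closes outside this hunk.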
@@ -43,3 +43,41 @@ def test_register_bouncer_env(crowdsec, flavor: str) -> None:
 assert res.exit_code == 0
 j = json.loads(res.output)
 assert len(j) == 0
+
+
+def test_register_bouncer_secret(crowdsec, flavor: str, tmp_path) -> None:
+ """Test that bouncer name is correctly parsed from Docker secret filename.
+
+ Secret file: /run/secrets/bouncer_key_caddy
+ Expected bouncer name: caddy (not key_caddy)
+
+ Regression test for https://github.com/crowdsecurity/crowdsec/issues/4301
+ """
+ secret_dir = tmp_path / "secrets"
+ secret_dir.mkdir()
+ secret_file = secret_dir / "bouncer_key_caddy"
+ secret_file.write_text("test-api-key-caddy")
+
+ volumes = {
+ str(secret_dir / "bouncer_key_caddy"): {
+ "bind": "/run/secrets/bouncer_key_caddy",
+ "mode": "ro",
+ }
+ }
+
+ with crowdsec(flavor=flavor, volumes=volumes) as cs:
+ cs.wait_for_log("*Starting processing data*")
+ cs.wait_for_http(8080, "/health", want_status=HTTPStatus.OK)
+
+ res = cs.cont.exec_run("cscli bouncers list -o json")
+ assert res.exit_code == 0
+
+ j = json.loads(res.output)
+ assert len(j) == 1, f"Expected 1 bouncer, got {len(j)}: {j}"
+
+ bouncer = j[0]
+ assert bouncer["name"] == "caddy", (
+ f"Bouncer name is '{bouncer['name']}' — "
+ f"expected 'caddy'. The secret filename 'bouncer_key_caddy' "
+ f"is being split at the wrong field."
+ )
\ No newline at end of file
From 79e39c8f677824793532e9eb0bbba8e5e63ddd38 Mon Sep 17 00:00:00 2001
From: tejgokani
Date: Thu, 28 May 2026 18:15:02 +0530
Subject: [PATCH 2/2] fix(docker): add trailing newline to test_bouncer.py

---
 build/docker/test/tests/test_bouncer.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build/docker/test/tests/test_bouncer.py b/build/docker/test/tests/test_bouncer.py
index 98bad3fe415..82927f0caa2 100644
--- a/build/docker/test/tests/test_bouncer.py
+++ b/build/docker/test/tests/test_bouncer.py
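Review bot: test_register_bouncer_secret covers a single lowercase secret name, so the other inputs the start script accepts stay untested: the `BOUNCER_KEY` prefix from the glob, and a name that itself contains `_` (e.g. `bouncer_key_my_bouncer` should register `my_bouncer`, which is what `-f3-` rather than `-f3` guarantees). Running the same body over a few file names paired with their expected bouncer names would pin both. The test also checks only the registered name, not that the key read from the secret is the one that authenticates, so a regression that registers the right name with a wrong or empty key would still pass. Minor: the volume key rebuilds the path although `secret_file` already holds it; `str(secret_file): {` reads more directly.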
@@ -80,4 +80,4 @@ def test_register_bouncer_secret(crowdsec, flavor: str, tmp_path) -> None:
 f"Bouncer name is '{bouncer['name']}' — "
 f"expected 'caddy'. The secret filename 'bouncer_key_caddy' "
 f"is being split at the wrong field."
- )
\ No newline at end of file
+ )