Feature/01 test all the things

2022-03-14 15:41:45 +00:00
parent bfe4a0af89
commit 4ca4233892
9 changed files with 324 additions and 52 deletions
--- a/tests/conftest.py
+++ b/tests/conftest.py
@ -1,4 +1,5 @@
 import pytest
+import base64
 from jail2ban import create_app


@ -8,7 +9,7 @@ def app():
    app.config.update({
        "TESTING": True,
        "SECRET_KEY": 'Testing',
-        "AUTHFILE": 'tests/users-test.txt'
+        "AUTHFILE": '../tests/users-test.txt'
    })

    # other setup can go here
@ -26,3 +27,8 @@ def client(app):
@pytest.fixture()
 def runner(app):
    return app.test_cli_runner()
+
+
+@pytest.fixture()
+def valid_credentials():
+    return base64.b64encode(b"test.example.com:testpassword").decode("utf-8")
--- a/tests/test_ban.py
+++ b/tests/test_ban.py
@ -0,0 +1,102 @@
+from types import SimpleNamespace
+
+
+def test_ban_ipv6(client, mocker, valid_credentials):
+    def noop():
+        pass
+    run_res = SimpleNamespace()
+    run_res.stdout = b''
+    run_res.stderr = b'1/1 addresses added.\n'
+    run_res.returncode = 0
+    run_res.check_returncode = noop
+
+    mocker.patch('jail2ban.pfctl.run', return_value=run_res)
+
+    json_payload = {"name": "sshd", "ip": "2001:db8::abad:cafe"}
+    response = client.put("/ban",
+                          json=json_payload,
+                          headers={"Authorization":
+                                   "Basic " + valid_credentials})
+
+    assert response.json['operation'] == 'add'
+
+
+def test_ban_ipv4(client, mocker, valid_credentials):
+    def noop():
+        pass
+    run_res = SimpleNamespace()
+    run_res.stdout = b''
+    run_res.stderr = b'1/1 addresses added.\n'
+    run_res.returncode = 0
+    run_res.check_returncode = noop
+
+    mocker.patch('jail2ban.pfctl.run', return_value=run_res)
+
+    json_payload = {"name": "sshd", "ip": "192.0.2.42"}
+    response = client.put("/ban",
+                          json=json_payload,
+                          headers={"Authorization":
+                                   "Basic " + valid_credentials})
+
+    assert response.json['operation'] == 'add'
+
+
+def test_ban_invalid(client, mocker, valid_credentials):
+    def noop():
+        pass
+    run_res = SimpleNamespace()
+    run_res.stdout = b''
+    run_res.stderr = b'1/1 addresses added.\n'
+    run_res.returncode = 0
+    run_res.check_returncode = noop
+
+    mocker.patch('jail2ban.pfctl.run', return_value=run_res)
+
+    json_payload = {"name": "sshd", "ip": "not:an::addr:ess"}
+    response = client.put("/ban",
+                          json=json_payload,
+                          headers={"Authorization":
+                                   "Basic " + valid_credentials})
+
+    assert response.json['error'] == "'not:an::addr:ess' does not " \
+                                     "appear to be an IPv4 or IPv6 address"
+
+
+def test_unban_ipv6(client, mocker, valid_credentials):
+    def noop():
+        pass
+    run_res = SimpleNamespace()
+    run_res.stdout = b''
+    run_res.stderr = b'1/1 addresses deleted.\n'
+    run_res.returncode = 0
+    run_res.check_returncode = noop
+
+    mocker.patch('jail2ban.pfctl.run', return_value=run_res)
+
+    json_payload = {"name": "sshd", "ip": "2001:db8::abad:cafe"}
+    response = client.delete("/ban",
+                             json=json_payload,
+                             headers={"Authorization":
+                                      "Basic " + valid_credentials})
+
+    assert response.json['operation'] == 'delete'
+
+
+def test_unban_ipv4(client, mocker, valid_credentials):
+    def noop():
+        pass
+    run_res = SimpleNamespace()
+    run_res.stdout = b''
+    run_res.stderr = b'1/1 addresses deleted.\n'
+    run_res.returncode = 0
+    run_res.check_returncode = noop
+
+    mocker.patch('jail2ban.pfctl.run', return_value=run_res)
+
+    json_payload = {"name": "sshd", "ip": "192.0.2.42"}
+    response = client.delete("/ban",
+                             json=json_payload,
+                             headers={"Authorization":
+                                      "Basic " + valid_credentials})
+
+    assert response.json['operation'] == 'delete'
--- a/tests/test_flush.py
+++ b/tests/test_flush.py
@ -0,0 +1,77 @@
+from types import SimpleNamespace
+from subprocess import CalledProcessError
+
+
+def test_flush(client, mocker, valid_credentials):
+    def noop():
+        pass
+    run_res = SimpleNamespace()
+    run_res.stdout = b''
+    run_res.stderr = b'1/1 addresses deleted.\n'
+    run_res.returncode = 0
+    run_res.check_returncode = noop
+
+    mocker.patch('jail2ban.pfctl.run', return_value=run_res)
+
+    name = 'sshd'
+    response = client.get(f"/flush/{name}",
+                          headers={"Authorization":
+                                   "Basic " + valid_credentials})
+
+    assert response.json['operation'] == 'flush'
+
+
+def test_flush_nonexistent(client, mocker, valid_credentials):
+
+    cmd = ['/usr/local/bin/sudo',
+           '/sbin/pfctl', '-a', 'some/anchor',
+           '-t', 'nonexistent', '-T', 'flush']
+
+    side_effect = CalledProcessError(255, cmd, output=b'',
+                                     stderr=b'pfctl: Table does not exist')
+
+    mocker.patch('jail2ban.pfctl.run',
+                 side_effect=side_effect)
+
+    name = 'nonexistent'
+    response = client.get(f"/flush/{name}",
+                          headers={"Authorization":
+                                   "Basic " + valid_credentials})
+
+    assert 'error' in response.json
+
+
+def test_wrong_method(client, mocker, valid_credentials):
+
+    cmd = ['/usr/local/bin/sudo',
+           '/sbin/pfctl', '-a', 'some/anchor',
+           '-t', 'nonexistent', '-T', 'flush']
+
+    side_effect = CalledProcessError(255, cmd, output=b'',
+                                     stderr=b'pfctl: Table does not exist')
+
+    mocker.patch('jail2ban.pfctl.run',
+                 side_effect=side_effect)
+
+    name = 'nonexistent'
+    response = client.put(f"/flush/{name}",
+                          headers={"Authorization":
+                                   "Basic " + valid_credentials})
+
+    assert response.status_code == 405
+
+
+def test_filenotfound(app, mocker, valid_credentials):
+
+    app.config.update({
+        "AUTHFILE": '../tests/nonexistent-users-test.txt'
+    })
+
+    client = app.test_client()
+
+    name = 'nonexistent'
+    response = client.get(f"/flush/{name}",
+                          headers={"Authorization":
+                                   "Basic " + valid_credentials})
+
+    assert response.status_code == 500
--- a/tests/test_register.py
+++ b/tests/test_register.py
@ -1,5 +1,4 @@
-import base64
-from types import SimpleNamespace
+from subprocess import CompletedProcess

 pfctl_stdout_lines = b'''
 block drop quick proto tcp from <f2b-sendmail-auth> to any port = submission
@ -7,31 +6,108 @@ block drop quick proto tcp from <f2b-sendmail-auth> to any port = smtps
 block drop quick proto tcp from <f2b-sendmail-auth> to any port = smtp
 block drop quick proto tcp from <f2b-sshd> to any port = ssh
 block drop quick proto tcp from <f2b-recidive> to any
-'''
+'''.strip() + b'\n'
+
+pfctl_stdout_lines_scratch = b'table <f2b-dovecot> persist counters\n' \
+                             b'block quick proto tcp from <f2b-dovecot>' \
+                             b' to any port ' \
+                             b'{pop3,pop3s,imap,imaps,submission,465,sieve}\n'


-def test_request_unauth(client):
-    json_payload = {"port": "any port {pop3,pop3s,imap,imaps,submission,465,sieve}", "name": "dovecot", "protocol": "tcp"}
+def test_register_unauth(client):
+    json_payload = {"port":
+                    "any port {pop3,pop3s,imap,imaps,submission,465,sieve}",
+                    "name": "dovecot", "protocol": "tcp"}
    response = client.put("/register", json=json_payload)

    assert response.json['error'] == 'Access Denied'


-def test_request_example(client, mocker):
+def test_unregister_valid(client, mocker, valid_credentials):
    def noop():
        pass
-    run_res = SimpleNamespace()
+    run_res = CompletedProcess(args=['true'], returncode=0)
    run_res.stdout = pfctl_stdout_lines
    run_res.check_returncode = noop

    mocker.patch('jail2ban.pfctl.run', return_value=run_res)

+    json_payload = {"port":
+                    "any port {pop3,pop3s,imap,imaps,submission,465,sieve}",
+                    "name": "dovecot", "protocol": "tcp"}
+
+    response = client.delete("/register",
+                             json=json_payload,
+                             headers={"Authorization":
+                                      "Basic " + valid_credentials})
+
+    assert response.json['action'] == 'stop'
+
+
+def test_register_valid(client, mocker, valid_credentials):
+    def noop():
+        pass
+    run_res = CompletedProcess(args=['true'], returncode=0)
+    run_res.stdout = pfctl_stdout_lines
+    run_res.check_returncode = noop
+
+    pfctl_run = mocker.patch('jail2ban.pfctl.run', return_value=run_res)
+
+    json_payload = {"port":
+                    "any port {pop3,pop3s,imap,imaps,submission,465,sieve}",
+                    "name": "dovecot", "protocol": "tcp"}

-    valid_credentials = base64.b64encode(b"test.example.com:testpassword").decode("utf-8")
-    json_payload = {"port": "any port {pop3,pop3s,imap,imaps,submission,465,sieve}", "name": "dovecot", "protocol": "tcp"}
    response = client.put("/register",
                          json=json_payload,
-                          headers={"Authorization": "Basic " + valid_credentials})
+                          headers={"Authorization":
+                                   "Basic " + valid_credentials})
+
+    pfctl_run_input_arg = pfctl_run.call_args_list[1][1]['input']
+    for existing_line in pfctl_stdout_lines.splitlines():
+        assert existing_line in pfctl_run_input_arg.splitlines()
+
+    assert response.json['action'] == 'start'


-    assert response.json['remote_user'] == 'test.example.com'
+def test_register_valid_from_scratch(client, mocker, valid_credentials):
+    def noop():
+        pass
+    run_res = CompletedProcess(args=['true'], returncode=0)
+    run_res.stdout = b''
+    run_res.check_returncode = noop
+
+    pfctl_run = mocker.patch('jail2ban.pfctl.run', return_value=run_res)
+
+    json_payload = {"port":
+                    "any port {pop3,pop3s,imap,imaps,submission,465,sieve}",
+                    "name": "dovecot", "protocol": "tcp"}
+
+    response = client.put("/register",
+                          json=json_payload,
+                          headers={"Authorization":
+                                   "Basic " + valid_credentials})
+
+    pfctl_run_input_arg = pfctl_run.call_args_list[1][1]['input']
+    assert pfctl_run_input_arg == pfctl_stdout_lines_scratch
+    assert response.json['action'] == 'start'
+
+
+def test_register_invalid(client, mocker, valid_credentials):
+    def noop():
+        pass
+    run_res = CompletedProcess(args=['true'], returncode=0)
+    run_res.stdout = pfctl_stdout_lines
+    run_res.check_returncode = noop
+
+    mocker.patch('jail2ban.pfctl.run', return_value=run_res)
+
+    json_payload = {"port":
+                    "not a pf statement",
+                    "name": "dovecot", "protocol": "tcp"}
+
+    response = client.put("/register",
+                          json=json_payload,
+                          headers={"Authorization":
+                                   "Basic " + valid_credentials})
+
+    assert response.json['error'] == '"not a pf statement" is tainted'