From 9ed6b65b6dc936c955a9e1550b4978bceb7e9b7f Mon Sep 17 00:00:00 2001
From: Ruben van Staveren
Date: Mon, 9 Jan 2023 14:50:03 +0100
Subject: [PATCH 01/15] Exclude software testing reports
---
 .gitignore | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.gitignore b/.gitignore
index e72499f..7e71edb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,3 +12,6 @@ htmlcov/
 dist/
 build/
 *.egg-info/
+
+coverage.xml
+report.xml
From 359514e5814e184e1ed8b36c4502f2b93132fcf6 Mon Sep 17 00:00:00 2001
From: Ruben van Staveren
Date: Mon, 9 Jan 2023 15:07:29 +0100
Subject: [PATCH 02/15] Update documentation
---
 README.md | 77 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 77 insertions(+)
diff --git a/README.md b/README.md
index 9866aab..39e9912 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,80 @@ [![pipeline status](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/badges/main/pipeline.svg)](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/-/commits/main) [![coverage report](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/badges/main/coverage.svg)](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/-/commits/main) + +## Installation + + +* Install uwsgi + + sudo pkg install www/uwsgi + +* Use the following for configuring uwsgi in rc.conf + + sudo sysrc uwsgi\_enable="YES" + sudo sysrc uwsgi\_profiles="jail2ban\_pf" + sudo sysrc uwsgi\_jail2ban\_pf\_flags="-L -M --uid \_jail2ban --python-path /opt/jail2ban-pf --wsgi-file /opt/jail2ban-pf/wsgi.py --stats 127.0.0.1:9191 --socket 127.0.0.1:3031 --chdir /var/empty --callable app --manage-script-name" + +* Configure /instance/config.py + + SECRET\_KEY = os.urandom(32).hex() + AUTHFILE = '/usr/local/etc/jail2ban-pf-users.txt' + + +* Configure a nginx upstream and vhost + +_Of course you can listen on ipv4/ipv6 but you want to protect these addresses from inadvertent or malicious probes_ + + upstream uwsgi_pf_jail2ban { + server 127.0.0.1:3031; + } + + server { + listen unix:/path/to/jail_1/var/run/pf2ban/pf_jail2ban.sock; + listen unix:/path/to/jail_2/var/run/pf2ban/pf_jail2ban.sock; + listen unix:/path/to/jail_3/var/run/pf2ban/pf_jail2ban.sock; + server_name _; + + location / { + index index.html index.htm index.php; + allow all; + include /usr/local/etc/nginx/uwsgi_params-dist; + uwsgi_pass uwsgi_pf_jail2ban; + } + } + +* Place anchors in pf for jail2ban to use + + + anchor "f2b/*" + anchor f2b-jail { + anchor "jail1_fqdn" to { , , } + anchor "jail2_fqdn" to { , , } + anchor "jail3_fqdn" to { , , } + } + +Having seperate anchors per jail makes it possible to have fine grained +blocking: Something that is harmful to jail2 might be perfectly legit for jail2. 
+ +Fail2ban will (re)create the per anchor rules on startup, and populate the designated address tables with offenders, e.g.: + + sudo pfctl -a f2b-jail/jail1\_fqdn -T show -t f2b-recidive + 192.0.2.66 + 2001:db8:abad:cafe:0bad:f00d + +And the rules referencing these tables + + sudo pfctl -a 'f2b-jail/jail1\_fqdn' -s rules + block drop quick proto tcp from to any port = pop3 + block drop quick proto tcp from to any port = pop3s + block drop quick proto tcp from to any port = imap + block drop quick proto tcp from to any port = imaps + block drop quick proto tcp from to any port = submission + block drop quick proto tcp from to any port = smtps + block drop quick proto tcp from to any port = sieve + block drop quick proto tcp from to any port = submission + block drop quick proto tcp from to any port = smtps + block drop quick proto tcp from to any port = smtp + block drop quick proto tcp from to any port = ssh + block drop quick proto tcp from to any + From 9875dccec0d359177354c37a2522737885b133cf Mon Sep 17 00:00:00 2001 From: Ruben van Staveren Date: Mon, 9 Jan 2023 15:08:02 +0100 Subject: [PATCH 03/15] For use with the documented uwsgi --- wsgi.py | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 wsgi.py diff --git a/wsgi.py b/wsgi.py new file mode 100644 index 0000000..9600cb9 --- /dev/null +++ b/wsgi.py @@ -0,0 +1,3 @@ +from jail2ban import create_app + +app = create_app() From c868c63aa764d684ba45ec54b4029262d8fd80b8 Mon Sep 17 00:00:00 2001 From: Ruben van Staveren Date: Mon, 9 Jan 2023 15:11:40 +0100 Subject: [PATCH 04/15] fix documentation verbatim blocks --- README.md | 57 +++++++++++++++++++++++++++---------------------------- 1 file changed, 28 insertions(+), 29 deletions(-) diff --git a/README.md b/README.md index 39e9912..855545c 100644 --- a/README.md +++ b/README.md 
@@ -11,15 +11,14 @@ * Use the following for configuring uwsgi in rc.conf - sudo sysrc uwsgi\_enable="YES" - sudo sysrc uwsgi\_profiles="jail2ban\_pf" - sudo sysrc uwsgi\_jail2ban\_pf\_flags="-L -M --uid \_jail2ban --python-path /opt/jail2ban-pf --wsgi-file /opt/jail2ban-pf/wsgi.py --stats 127.0.0.1:9191 --socket 127.0.0.1:3031 --chdir /var/empty --callable app --manage-script-name" + sudo sysrc uwsgi\_enable="YES" + sudo sysrc uwsgi\_profiles="jail2ban\_pf" + sudo sysrc uwsgi\_jail2ban\_pf\_flags="-L -M --uid \_jail2ban --python-path /opt/jail2ban-pf --wsgi-file /opt/jail2ban-pf/wsgi.py --stats 127.0.0.1:9191 --socket 127.0.0.1:3031 --chdir /var/empty --callable app --manage-script-name" * Configure /instance/config.py - SECRET\_KEY = os.urandom(32).hex() - AUTHFILE = '/usr/local/etc/jail2ban-pf-users.txt' - + SECRET\_KEY = os.urandom(32).hex() + AUTHFILE = '/usr/local/etc/jail2ban-pf-users.txt' * Configure a nginx upstream and vhost 
@@ -46,35 +45,35 @@ _Of course you can listen on ipv4/ipv6 but you want to protect these addresses f * Place anchors in pf for jail2ban to use - anchor "f2b/*" - anchor f2b-jail { - anchor "jail1_fqdn" to { , , } - anchor "jail2_fqdn" to { , , } - anchor "jail3_fqdn" to { , , } - } + anchor "f2b/*" + anchor f2b-jail { + anchor "jail1_fqdn" to { , , } + anchor "jail2_fqdn" to { , , } + anchor "jail3_fqdn" to { , , } + } Having seperate anchors per jail makes it possible to have fine grained blocking: Something that is harmful to jail2 might be perfectly legit for jail2. Fail2ban will (re)create the per anchor rules on startup, and populate the designated address tables with offenders, e.g.: - sudo pfctl -a f2b-jail/jail1\_fqdn -T show -t f2b-recidive - 192.0.2.66 - 2001:db8:abad:cafe:0bad:f00d + sudo pfctl -a f2b-jail/jail1\_fqdn -T show -t f2b-recidive + 192.0.2.66 + 2001:db8:abad:cafe:0bad:f00d And the rules referencing these tables - sudo pfctl -a 'f2b-jail/jail1\_fqdn' -s rules - block drop quick proto tcp from to any port = pop3 - block drop quick proto tcp from to any port = pop3s - block drop quick proto tcp from to any port = imap - block drop quick proto tcp from to any port = imaps - block drop quick proto tcp from to any port = submission - block drop quick proto tcp from to any port = smtps - block drop quick proto tcp from to any port = sieve - block drop quick proto tcp from to any port = submission - block drop quick proto tcp from to any port = smtps - block drop quick proto tcp from to any port = smtp - block drop quick proto tcp from to any port = ssh - block drop quick proto tcp from to any - + sudo pfctl -a 'f2b-jail/jail1\_fqdn' -s rules + block drop quick proto tcp from to any port = pop3 + block drop quick proto tcp from to any port = pop3s + block drop quick proto tcp from to any port = imap + block drop quick proto tcp from to any port = imaps + block drop quick proto tcp from to any port = submission + block drop quick proto tcp from to any 
port = smtps + block drop quick proto tcp from to any port = sieve + block drop quick proto tcp from to any port = submission + block drop quick proto tcp from to any port = smtps + block drop quick proto tcp from to any port = smtp + block drop quick proto tcp from to any port = ssh + block drop quick proto tcp from to any + From 61869049a0d6e4c3763fa362c9367c7a9c4004e6 Mon Sep 17 00:00:00 2001 From: Ruben van Staveren Date: Mon, 9 Jan 2023 15:17:38 +0100 Subject: [PATCH 05/15] Picky markdown... --- README.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 855545c..1a63a47 100644 --- a/README.md +++ b/README.md @@ -11,14 +11,14 @@ * Use the following for configuring uwsgi in rc.conf - sudo sysrc uwsgi\_enable="YES" - sudo sysrc uwsgi\_profiles="jail2ban\_pf" - sudo sysrc uwsgi\_jail2ban\_pf\_flags="-L -M --uid \_jail2ban --python-path /opt/jail2ban-pf --wsgi-file /opt/jail2ban-pf/wsgi.py --stats 127.0.0.1:9191 --socket 127.0.0.1:3031 --chdir /var/empty --callable app --manage-script-name" + sudo sysrc uwsgi\_enable="YES" + sudo sysrc uwsgi\_profiles="jail2ban\_pf" + sudo sysrc uwsgi\_jail2ban\_pf\_flags="-L -M --uid \_jail2ban --python-path /opt/jail2ban-pf --wsgi-file /opt/jail2ban-pf/wsgi.py --stats 127.0.0.1:9191 --socket 127.0.0.1:3031 --chdir /var/empty --callable app --manage-script-name" * Configure /instance/config.py - SECRET\_KEY = os.urandom(32).hex() - AUTHFILE = '/usr/local/etc/jail2ban-pf-users.txt' + SECRET\_KEY = os.urandom(32).hex() + AUTHFILE = '/usr/local/etc/jail2ban-pf-users.txt' * Configure a nginx upstream and vhost 
@@ -45,12 +45,12 @@ _Of course you can listen on ipv4/ipv6 but you want to protect these addresses f * Place anchors in pf for jail2ban to use - anchor "f2b/*" - anchor f2b-jail { - anchor "jail1_fqdn" to { , , } - anchor "jail2_fqdn" to { , , } - anchor "jail3_fqdn" to { , , } - } + anchor "f2b/*" + anchor f2b-jail { + anchor "jail1_fqdn" to { , , } + anchor "jail2_fqdn" to { , , } + anchor "jail3_fqdn" to { , , } + } Having seperate anchors per jail makes it possible to have fine grained blocking: Something that is harmful to jail2 might be perfectly legit for jail2. From 72f0e095ca41b43127258d9b5fa2687edaaced7b Mon Sep 17 00:00:00 2001 From: Ruben van Staveren Date: Mon, 9 Jan 2023 14:50:52 +0000 Subject: [PATCH 06/15] Fix code blocks, add additional documentation --- README.md | 89 +++++++++++++++++++++++++++++++++++++++++-------------- 1 file changed, 66 insertions(+), 23 deletions(-) diff --git a/README.md b/README.md index 1a63a47..104a48f 100644 --- a/README.md +++ b/README.md 
@@ -7,18 +7,28 @@ * Install uwsgi - sudo pkg install www/uwsgi + sudo pkg install www/uwsgi + +* Clone this repository + +## Configuration + +### rc.conf * Use the following for configuring uwsgi in rc.conf - sudo sysrc uwsgi\_enable="YES" - sudo sysrc uwsgi\_profiles="jail2ban\_pf" - sudo sysrc uwsgi\_jail2ban\_pf\_flags="-L -M --uid \_jail2ban --python-path /opt/jail2ban-pf --wsgi-file /opt/jail2ban-pf/wsgi.py --stats 127.0.0.1:9191 --socket 127.0.0.1:3031 --chdir /var/empty --callable app --manage-script-name" + sudo sysrc uwsgi\_enable="YES" + sudo sysrc uwsgi\_profiles="jail2ban\_pf" + sudo sysrc uwsgi\_jail2ban\_pf\_flags="-L -M --uid \_jail2ban --python-path /opt/jail2ban-pf --wsgi-file /opt/jail2ban-pf/wsgi.py --stats 127.0.0.1:9191 --socket 127.0.0.1:3031 --chdir /var/empty --callable app --manage-script-name" + +### jail2ban * Configure /instance/config.py - SECRET\_KEY = os.urandom(32).hex() - AUTHFILE = '/usr/local/etc/jail2ban-pf-users.txt' + SECRET\_KEY = os.urandom(32).hex() + AUTHFILE = '/usr/local/etc/jail2ban-pf-users.txt' + +### nginx * Configure a nginx upstream and vhost @@ -42,8 +52,9 @@ _Of course you can listen on ipv4/ipv6 but you want to protect these addresses f } } -* Place anchors in pf for jail2ban to use +### /etc/pf.conf +* Place anchors in pf for jail2ban to use. You probably want to place the early in your existing pf configuration anchor "f2b/*" anchor f2b-jail { 
@@ -55,25 +66,57 @@ _Of course you can listen on ipv4/ipv6 but you want to protect these addresses f Having seperate anchors per jail makes it possible to have fine grained blocking: Something that is harmful to jail2 might be perfectly legit for jail2. +#### Checking rules/tables made with fail2ban/jail2ban Fail2ban will (re)create the per anchor rules on startup, and populate the designated address tables with offenders, e.g.: - sudo pfctl -a f2b-jail/jail1\_fqdn -T show -t f2b-recidive - 192.0.2.66 - 2001:db8:abad:cafe:0bad:f00d + sudo pfctl -a f2b-jail/jail1\_fqdn -T show -t f2b-recidive + 192.0.2.66 + 2001:db8:abad:cafe:0bad:f00d And the rules referencing these tables - sudo pfctl -a 'f2b-jail/jail1\_fqdn' -s rules - block drop quick proto tcp from to any port = pop3 - block drop quick proto tcp from to any port = pop3s - block drop quick proto tcp from to any port = imap - block drop quick proto tcp from to any port = imaps - block drop quick proto tcp from to any port = submission - block drop quick proto tcp from to any port = smtps - block drop quick proto tcp from to any port = sieve - block drop quick proto tcp from to any port = submission - block drop quick proto tcp from to any port = smtps - block drop quick proto tcp from to any port = smtp - block drop quick proto tcp from to any port = ssh - block drop quick proto tcp from to any + sudo pfctl -a 'f2b-jail/jail1\_fqdn' -s rules + block drop quick proto tcp from to any port = pop3 + block drop quick proto tcp from to any port = pop3s + block drop quick proto tcp from to any port = imap + block drop quick proto tcp from to any port = imaps + block drop quick proto tcp from to any port = submission + block drop quick proto tcp from to any port = smtps + block drop quick proto tcp from to any port = sieve + block drop quick proto tcp from to any port = submission + block drop quick proto tcp from to any port = smtps + block drop quick proto tcp from to any port = smtp + block drop quick proto tcp from 
to any port = ssh + block drop quick proto tcp from to any +### fail2ban + +* Create the following action plugin for fail2ban on the jail desiring to use fail2ban/jail2ban + +``` +cat <<'EOT' | tee /usr/local/etc/fail2ban/action.d/jail2ban-pf.conf > /dev/null +Definition] +actionstart = curl --unix-socket --basic -u ':' -XPUT -H 'Content-Type: application/json' -d '{"port":"","name":"","protocol":""}' http://localhost/register +actionstart_on_demand = false +actionstop = curl --unix-socket --basic -u ':' -XDELETE -H 'Content-Type: application/json' -d '{"port":"","name":"","protocol":""}' http://localhost/register +actionflush = curl --unix-socket --basic -u ':' -X GET http://localhost/flush/ +actioncheck = +actionban = curl --unix-socket --basic -u ':' -X PUT -H 'Content-Type: application/json' -d '{"name":"","ip":""}' http://localhost/ban +actionunban = curl --unix-socket --basic -u ':' -X DELETE -H 'Content-Type: application/json' -d '{"name":"","ip":""}' http://localhost/ban +[Init] +protocol = tcp +actiontype = +allports = any +multiport = any port {} +jail2ban_sock = /var/run/pf2ban/jail2ban.sock +jail2ban_user = login as set in password file for jail2ban +jail2ban_pass = password as set in password file for jail2ban +``` + +* Configure jail.local + +``` +cat <<'EOT' | tee /usr/local/etc/fail2ban/jail.local > /dev/null +[DEFAULT] +banaction = jail2ban-pf +``` From ccc7165d1b228f040607456f0f92c1fea2b59988 Mon Sep 17 00:00:00 2001 From: Ruben van Staveren Date: Mon, 9 Jan 2023 14:59:52 +0000 Subject: [PATCH 07/15] More documentation fixes Using the web based markdown editor for this to get right --- README.md | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 104a48f..a645aab 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,9 @@ * Install uwsgi - sudo pkg install www/uwsgi +``` +sudo pkg install www/uwsgi +``` * Clone this repository 
@@ -17,16 +19,20 @@ * Use the following for configuring uwsgi in rc.conf - sudo sysrc uwsgi\_enable="YES" - sudo sysrc uwsgi\_profiles="jail2ban\_pf" - sudo sysrc uwsgi\_jail2ban\_pf\_flags="-L -M --uid \_jail2ban --python-path /opt/jail2ban-pf --wsgi-file /opt/jail2ban-pf/wsgi.py --stats 127.0.0.1:9191 --socket 127.0.0.1:3031 --chdir /var/empty --callable app --manage-script-name" +``` +sudo sysrc uwsgi\_enable="YES" +sudo sysrc uwsgi\_profiles="jail2ban\_pf" +sudo sysrc uwsgi\_jail2ban\_pf\_flags="-L -M --uid \_jail2ban --python-path /opt/jail2ban-pf --wsgi-file /opt/jail2ban-pf/wsgi.py --stats 127.0.0.1:9191 --socket 127.0.0.1:3031 --chdir /var/empty --callable app --manage-script-name" +``` ### jail2ban * Configure /instance/config.py - SECRET\_KEY = os.urandom(32).hex() - AUTHFILE = '/usr/local/etc/jail2ban-pf-users.txt' +``` +SECRET\_KEY = os.urandom(32).hex() +AUTHFILE = '/usr/local/etc/jail2ban-pf-users.txt' +``` ### nginx From 29f6e6093bccb31aa2811ad83ce42409d1c6eb52 Mon Sep 17 00:00:00 2001 From: Ruben van Staveren Date: Mon, 9 Jan 2023 15:01:06 +0000 Subject: [PATCH 08/15] Missed a spot --- README.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index a645aab..cea12bc 100644 --- a/README.md +++ b/README.md @@ -62,12 +62,14 @@ _Of course you can listen on ipv4/ipv6 but you want to protect these addresses f * Place anchors in pf for jail2ban to use. You probably want to place the early in your existing pf configuration - anchor "f2b/*" - anchor f2b-jail { - anchor "jail1_fqdn" to { , , } - anchor "jail2_fqdn" to { , , } - anchor "jail3_fqdn" to { , , } - } +``` +anchor "f2b/*" +anchor f2b-jail { + anchor "jail1_fqdn" to { , , } + anchor "jail2_fqdn" to { , , } + anchor "jail3_fqdn" to { , , } +} +``` Having seperate anchors per jail makes it possible to have fine grained blocking: Something that is harmful to jail2 might be perfectly legit for jail2. 
From 36ff86c71ea899484e6a527a40c2f562f802f6d2 Mon Sep 17 00:00:00 2001 From: Ruben van Staveren Date: Mon, 9 Jan 2023 22:38:14 +0100 Subject: [PATCH 09/15] Looks like the gitlab-ci.yml syntax was changed. adjust https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscoverage_report --- .gitlab-ci.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 9adadbd..9242464 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -11,7 +11,9 @@ run tests: artifacts: when: always reports: - cobertura: coverage.xml + coverage_report: + coverage_format: cobertura + path: coverage.xml junit: report.xml tags: - docker From a49da1f3ef4ec88b86a13572e109c37a9aa835d5 Mon Sep 17 00:00:00 2001 From: Ruben van Staveren Date: Mon, 9 Jan 2023 22:47:34 +0100 Subject: [PATCH 10/15] Enable SAST --- .gitlab-ci.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 9242464..24b6806 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -17,3 +17,9 @@ run tests: junit: report.xml tags: - docker + +sast: + stage: test + include: + - template: Auto-DevOps.gitlab-ci.yml + From 9f86e143fed04f2af0878ccb61fb8307848f5fb0 Mon Sep 17 00:00:00 2001 From: Ruben van Staveren Date: Mon, 9 Jan 2023 21:51:10 +0000 Subject: [PATCH 11/15] Oops vim autoindent --- .gitlab-ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 24b6806..6d0c850 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -20,6 +20,6 @@ run tests: sast: stage: test - include: - - template: Auto-DevOps.gitlab-ci.yml +include: + - template: Auto-DevOps.gitlab-ci.yml From d9b5d36835f4ba0c98c881e5d8a1d83964c66668 Mon Sep 17 00:00:00 2001 From: Ruben van Staveren Date: Mon, 9 Jan 2023 22:55:21 +0100 Subject: [PATCH 12/15] Not yet --- .gitlab-ci.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 6d0c850..9242464 100644 
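Review bot: `include:` ends up nested under the `sast:` job in the `@@ -17,3 +17,9 @@` hunk of "Enable SAST", a position where GitLab does not accept that keyword; the following "Oops vim autoindent" hunk moves it to top level, and the same remark about the template applies there. Both versions pull in `Auto-DevOps.gitlab-ci.yml`, which brings the whole Auto DevOps pipeline (build, deploy and the other scanners) rather than static analysis alone. If only SAST is wanted, the narrower include is `- template: Security/SAST.gitlab-ci.yml`, and the hand-written `sast:` job holding only `stage: test` can then be dropped, since the template defines its own jobs. Indentation is lost in this rendering, so the nesting is inferred from the follow-up commit's removal and re-addition of `include:`.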
--- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -17,9 +17,3 @@ run tests: junit: report.xml tags: - docker - -sast: - stage: test -include: - - template: Auto-DevOps.gitlab-ci.yml - From 969ba0f64c68f4f1249b524696c74c7a34498ec1 Mon Sep 17 00:00:00 2001 From: Ruben van Staveren Date: Mon, 9 Jan 2023 22:58:27 +0100 Subject: [PATCH 13/15] Switch to python 3.9 image --- .gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 9242464..5b27f88 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,6 +1,6 @@ run tests: stage: test - image: python:3.8 + image: python:3.9 script: - pip install pytest pytest-cov pytest-mock pytest-flask - pip install Flask-HTTPAuth From 9b85bfabdba10bee0130962f4d49d00bb44964f1 Mon Sep 17 00:00:00 2001 From: Ruben van Staveren Date: Fri, 13 Jan 2023 09:30:03 +0000 Subject: [PATCH 14/15] Implements #3, a /ping endpoint --- jail2ban/__init__.py | 9 +++++++++ tests/test_ping.py | 10 ++++++++++ 2 files changed, 19 insertions(+) create mode 100644 tests/test_ping.py diff --git a/jail2ban/__init__.py b/jail2ban/__init__.py index 889963d..da969d1 100644 --- a/jail2ban/__init__.py +++ b/jail2ban/__init__.py @@ -42,6 +42,15 @@ def create_app(): check_password_hash(users.get(username), password): return username + @app.route("/ping", methods=['GET']) + @auth.login_required + def ping(): + remote_user = auth.username() + app.logger.info('Received ping for' + f' anchor f2b-jail/{remote_user}') + return jsonify({'anchor': f'f2b-jail/{remote_user}', + 'operation': 'ping', + 'result': 'pong'}) @app.route("/flush/", methods=['GET']) @auth.login_required def flush(name): diff --git a/tests/test_ping.py b/tests/test_ping.py new file mode 100644 index 0000000..8384d9b --- /dev/null +++ b/tests/test_ping.py 
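Review bot: `ping()` in the `jail2ban/__init__.py` hunk returns `'result': 'pong'` next to an anchor name without consulting pf, so a caller can read the response as confirmation that `f2b-jail/<user>` exists when only authentication and the WSGI app were exercised. A docstring would make that contract explicit, for example `"""Authenticated liveness check; echoes the caller's anchor name and does not query pf."""`. If the endpoint is meant to back a fail2ban `actioncheck`, it would be worth deciding whether it should also verify the anchor. The enclosing `create_app()` starts and ends outside the hunk.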
@@ -0,0 +1,10 @@ +def test_ping(client, mocker, valid_credentials): + ''' + Test application health check + ''' + + response = client.get("/ping", + headers={"Authorization": + "Basic " + valid_credentials}) + + assert response.json['operation'] == 'ping' From 3e64189f8f162552eedc74691445d448fd9f5ee2 Mon Sep 17 00:00:00 2001 From: Ruben van Staveren Date: Fri, 13 Jan 2023 10:33:34 +0100 Subject: [PATCH 15/15] 2023.1 release notes --- CHANGELOG | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 CHANGELOG diff --git a/CHANGELOG b/CHANGELOG new file mode 100644 index 0000000..789156c --- /dev/null +++ b/CHANGELOG @@ -0,0 +1,3 @@ +- 2023.1 + +* Implement #3, a /ping health check endpoint
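Review bot: `test_ping` exercises only the authenticated path and asserts a single field, so nothing pins that `/ping` refuses a request without credentials. Adding `assert response.status_code == 200` and a negative case such as `assert client.get("/ping").status_code == 401` would cover the `@auth.login_required` decorator; the 401 is Flask-HTTPAuth's default and should be confirmed against any custom error handler in the app. The `mocker` fixture in the signature is unused and can be removed.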