install types / be non interactive

.gitea/workflows/flake8.yml

@@ -0,0 +1,17 @@
+---
+name: Flake8
+on: [push]
+
+
+# XXX need to do stuff with uv
+jobs:
+  build:
+    runs-on: freebsd
+    strategy:
+      matrix:
+        python-version: ["3.11"]
+    steps:
+      - uses: actions/checkout@v4
+      - name: Analyse code with Flake8
+        run: |
+          flake8 $(git ls-files '*.py')

.gitea/workflows/mypy.yml

@@ -0,0 +1,17 @@
+---
+name: Mypy
+on: [push]
+
+
+# XXX need to do stuff with uv
+jobs:
+  build:
+    runs-on: freebsd
+    strategy:
+      matrix:
+        python-version: ["3.11"]
+    steps:
+      - uses: actions/checkout@v4
+      - name: Analyse code with Mypy
+        run: |
+          mypy --install-types --non-interactive $(git ls-files '*.py')

.gitea/workflows/pylint.yml

@@ -0,0 +1,17 @@
+---
+name: Pylint
+on: [push]
+
+
+# XXX need to do stuff with uv
+jobs:
+  build:
+    runs-on: freebsd
+    strategy:
+      matrix:
+        python-version: ["3.11"]
+    steps:
+      - uses: actions/checkout@v4
+      - name: Analyse code with Pylint
+        run: |
+          pylint $(git ls-files '*.py')

.gitlab-ci.yml

@@ -1,6 +1,34 @@
+---
+run pylint:
+  stage: test
+  image: python:3.11
+  script:
+    - pip install --upgrade pylint
+    - pylint $(git ls-files '*.py')
+  tags:
+    - docker
+
+run flake8:
+  stage: test
+  image: python:3.11
+  script:
+    - pip install --upgrade flake8
+    - flake8 $(git ls-files '*.py')
+  tags:
+    - docker
+
+run mypy:
+  stage: test
+  image: python:3.11
+  script:
+    - pip install --upgrade mypy
+    - mypy --install-types --non-interactive $(git ls-files '*.py')
+  tags:
+    - docker
+
 run tests:
   stage: test
-  image: python:3.9
+  image: python:3.11
   script:
     - pip install pytest pytest-cov pytest-mock pytest-flask
     - pip install Flask-HTTPAuth

README.md

@@ -1,6 +1,7 @@
 [![pipeline status](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/badges/main/pipeline.svg)](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/-/commits/main)
 [![coverage report](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/badges/main/coverage.svg)](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/-/commits/main)
 
+An API to remotely control a pf based fail2ban
 
 ## Installation
 

jail2ban/__init__.py

@@ -1,12 +1,18 @@
-from flask import Flask, request, jsonify, current_app
+'''
-from flask_httpauth import HTTPBasicAuth
+An API to remotely control a pf based fail2ban
-from werkzeug.security import check_password_hash
+'''
-from ipaddress import ip_address
+
 import re
-from jail2ban.pfctl import pfctl_table_op, pfctl_cfg_read, pfctl_cfg_write
+from ipaddress import ip_address
-from jail2ban.auth import get_users
 from subprocess import CalledProcessError
 
+from flask import Flask, current_app, jsonify, request
+from flask_httpauth import HTTPBasicAuth  # type: ignore
+from werkzeug.security import check_password_hash
+
+from jail2ban.auth import get_users
+from jail2ban.pfctl import pfctl_cfg_read, pfctl_cfg_write, pfctl_table_op
+
 
 auth = HTTPBasicAuth()
 
@@ -16,48 +22,52 @@ PAT_PROT = r'^(?:tcp|udp)$'
 PAT_NAME = r'^[\w\-]+$'
 
 
-def untaint(pattern, string):
+def untaint(pattern: str, string: str) -> str:
     '''
     untaint string (as perl does)
     '''
     match = re.match(pattern, string)
     if match:
         return match.string
-    else:
+    raise ValueError(f'"{string}" is tainted')
-        raise ValueError(f'"{string}" is tainted')
 
 
 def create_app():
+    '''
+    Create the flask application
+    '''
     app = Flask(__name__, instance_relative_config=True)
 
     # load the instance config, if it exists, when not testing
     app.config.from_pyfile('config.py', silent=True)
 
     @auth.verify_password
-    def verify_password(username, password):
+    def verify_password(username: str, password: str) -> str | None:
         users = get_users()
         current_app.logger.debug(users)
         current_app.logger.debug('Checking password of %s', username)
         if username in users and \
                 check_password_hash(users.get(username), password):
             return username
+        return None
 
     @app.route("/ping", methods=['GET'])
     @auth.login_required
     def ping():
         remote_user = auth.username()
         app.logger.info('Received ping for'
-                        f' anchor f2b-jail/{remote_user}')
+                        ' anchor f2b-jail/%s', remote_user)
         return jsonify({'anchor': f'f2b-jail/{remote_user}',
                         'operation': 'ping',
                         'result': 'pong'})
+
     @app.route("/flush/<name>", methods=['GET'])
     @auth.login_required
     def flush(name):
         remote_user = auth.username()
         name = untaint(PAT_NAME, name)
-        app.logger.info(f'Flushing table f2b-{name}'
+        app.logger.info('Flushing table f2b-%s'
-                        f' in anchor f2b-jail/{remote_user}')
+                        ' in anchor f2b-jail/%s', name, remote_user)
         res = pfctl_table_op('f2b-jail/{remote_user}',
                              table='f2b-{name}',
                              operation='flush')
@@ -97,7 +107,7 @@ def create_app():
             pfctl_table_op(f'f2b-jail/{remote_user}',
                            table=f'f2b-{name}',
                            operation='kill')
-        app.logger.info(f'pfctl -a f2b-jail/{remote_user} -f-')
+        app.logger.info('pfctl -a f2b-jail/%s -f-', remote_user)
         return jsonify({'anchor': f'f2b-jail/{remote_user}',
                         'table': f'f2b-{name}',
                         'action': 'start' if request.method == 'PUT'
@@ -113,15 +123,15 @@ def create_app():
         name = untaint(PAT_NAME, data['name'])
         ip = ip_address(data['ip'])
         if request.method == 'PUT':
-            app.logger.info(f'Add {ip} to f2b-{name}'
+            app.logger.info('Add %s to f2b-%s'
-                            f' in anchor f2b-jail/{remote_user}')
+                            ' in anchor f2b-jail/%s', ip, name, remote_user)
             res = pfctl_table_op(f'f2b-jail/{remote_user}',
                                  table=f'f2b-{name}',
                                  operation='add',
                                  value=str(ip))
         else:  # 'DELETE':
-            app.logger.info(f'Remove {ip} from f2b-{name}'
+            app.logger.info('Remove %s from f2b-%s'
-                            f' in anchor f2b-jail/{remote_user}')
+                            ' in anchor f2b-jail/%s', ip, name, remote_user)
             res = pfctl_table_op(f'f2b-jail/{remote_user}',
                                  table=f'f2b-{name}',
                                  operation='delete',

jail2ban/auth.py

@@ -1,7 +1,13 @@
+'''
+Authentication backend
+'''
 from flask import current_app
 
 
 def get_users():
+    '''
+    Load users from password file (AUTHFILE)
+    '''
     users = {}
     authfile = current_app.config['AUTHFILE']
 

jail2ban/pfctl.py

@@ -1,3 +1,6 @@
+'''
+pf table/anchor operations
+'''
 import logging
 from subprocess import run
 
@@ -6,6 +9,9 @@ _PFCTL = '/sbin/pfctl'
 
 
 def pfctl_cfg_read(anchor):
+    '''
+    Read from pf anchor
+    '''
     cmd = [_SUDO, _PFCTL, '-a', anchor, '-sr']
     logging.info('Running %s', cmd)
 
@@ -16,6 +22,9 @@ def pfctl_cfg_read(anchor):
 
 
 def pfctl_cfg_write(anchor, cfg):
+    '''
+    Apply configuration to pf anchor
+    '''
     cmd = [_SUDO, _PFCTL, '-a', anchor, '-f-']
     logging.info('Running %s', cmd)
     logging.info('Config %s', cfg)
@@ -30,6 +39,13 @@ def pfctl_cfg_write(anchor, cfg):
 
 
 def pfctl_table_op(anchor, **kwargs):
+    '''
+    pf table operation
+    Parameters:
+    * table: which table to work on
+    * operation: operation used on the table
+    * value (optional): value used for the operation
+    '''
     table = kwargs['table']
     operation = kwargs['operation']
     value = kwargs['value'] if 'value' in kwargs else None

tests/conftest.py

@@ -1,5 +1,10 @@
-import pytest
+'''
+Test fixtures
+'''
 import base64
+
+import pytest
+
 from jail2ban import create_app
 
 
@@ -21,14 +26,23 @@ def app():
 
 @pytest.fixture()
 def client(app):
+    '''
+    Create a synthetic client
+    '''
     return app.test_client()
 
 
 @pytest.fixture()
 def runner(app):
+    '''
+    Create a synthetic runner
+    '''
     return app.test_cli_runner()
 
 
 @pytest.fixture()
 def valid_credentials():
+    '''
+    Mock authentication for the test
+    '''
     return base64.b64encode(b"test.example.com:testpassword").decode("utf-8")

tests/test_ban.py

@@ -1,7 +1,13 @@
+'''
+Test banning
+'''
 from types import SimpleNamespace
 
 
 def test_ban_ipv6(client, mocker, valid_credentials):
+    '''
+    Test ban an IPv6 address
+    '''
     def noop():
         pass
     run_res = SimpleNamespace()
@@ -22,6 +28,9 @@ def test_ban_ipv6(client, mocker, valid_credentials):
 
 
 def test_ban_ipv4(client, mocker, valid_credentials):
+    '''
+    Test ban an IPv4 address
+    '''
     def noop():
         pass
     run_res = SimpleNamespace()
@@ -42,6 +51,9 @@ def test_ban_ipv4(client, mocker, valid_credentials):
 
 
 def test_ban_invalid(client, mocker, valid_credentials):
+    '''
+    Test ban an invalid address
+    '''
     def noop():
         pass
     run_res = SimpleNamespace()
@@ -63,6 +75,9 @@ def test_ban_invalid(client, mocker, valid_credentials):
 
 
 def test_unban_ipv6(client, mocker, valid_credentials):
+    '''
+    Test unbanning an IPv6 address
+    '''
     def noop():
         pass
     run_res = SimpleNamespace()
@@ -83,6 +98,9 @@ def test_unban_ipv6(client, mocker, valid_credentials):
 
 
 def test_unban_ipv4(client, mocker, valid_credentials):
+    '''
+    Test unbanning an IPv4 address
+    '''
     def noop():
         pass
     run_res = SimpleNamespace()

tests/test_flush.py

@@ -1,8 +1,14 @@
+'''
+Test flushing pf tables
+'''
 from types import SimpleNamespace
 from subprocess import CalledProcessError
 
 
 def test_flush(client, mocker, valid_credentials):
+    '''
+    Test flushing existing entry
+    '''
     def noop():
         pass
     run_res = SimpleNamespace()
@@ -22,6 +28,9 @@ def test_flush(client, mocker, valid_credentials):
 
 
 def test_flush_nonexistent(client, mocker, valid_credentials):
+    '''
+    Test flushing non existing entry
+    '''
 
     cmd = ['/usr/local/bin/sudo',
            '/sbin/pfctl', '-a', 'some/anchor',
@@ -42,6 +51,9 @@ def test_flush_nonexistent(client, mocker, valid_credentials):
 
 
 def test_wrong_method(client, mocker, valid_credentials):
+    '''
+    Test invalid method
+    '''
 
     cmd = ['/usr/local/bin/sudo',
            '/sbin/pfctl', '-a', 'some/anchor',
@@ -61,7 +73,10 @@ def test_wrong_method(client, mocker, valid_credentials):
     assert response.status_code == 405
 
 
-def test_filenotfound(app, mocker, valid_credentials):
+def test_filenotfound(app, valid_credentials):
+    '''
+    Test for when AUTHFILE cannot be found
+    '''
 
     app.config.update({
         "AUTHFILE": '../tests/nonexistent-users-test.txt'

tests/test_ping.py

@@ -1,4 +1,9 @@
-def test_ping(client, mocker, valid_credentials):
+'''
+Test application health check
+'''
+
+
+def test_ping(client, valid_credentials):
     '''
     Test application health check
     '''

tests/test_register.py

@@ -1,6 +1,9 @@
+'''
+Test various registration scenarios
+'''
 from subprocess import CompletedProcess
 
-pfctl_stdout_lines = b'''
+PFCTL_STDOUT_LINES = b'''
 block drop quick proto tcp from <f2b-sendmail-auth> to any port = submission
 block drop quick proto tcp from <f2b-sendmail-auth> to any port = smtps
 block drop quick proto tcp from <f2b-sendmail-auth> to any port = smtp
@@ -8,13 +11,16 @@ block drop quick proto tcp from <f2b-sshd> to any port = ssh
 block drop quick proto tcp from <f2b-recidive> to any
 '''.strip() + b'\n'
 
-pfctl_stdout_lines_scratch = b'table <f2b-dovecot> persist counters\n' \
+PFCTL_STDOUT_LINES_SCRATCH = b'table <f2b-dovecot> persist counters\n' \
                              b'block quick proto tcp from <f2b-dovecot>' \
                              b' to any port ' \
                              b'{pop3,pop3s,imap,imaps,submission,465,sieve}\n'
 
 
 def test_register_unauth(client):
+    '''
+    Test a registration without being authorized
+    '''
     json_payload = {"port":
                     "any port {pop3,pop3s,imap,imaps,submission,465,sieve}",
                     "name": "dovecot", "protocol": "tcp"}
@@ -24,10 +30,13 @@ def test_register_unauth(client):
 
 
 def test_unregister_valid(client, mocker, valid_credentials):
+    '''
+    Test unregistration
+    '''
     def noop():
         pass
     run_res = CompletedProcess(args=['true'], returncode=0)
-    run_res.stdout = pfctl_stdout_lines
+    run_res.stdout = PFCTL_STDOUT_LINES
     run_res.check_returncode = noop
 
     mocker.patch('jail2ban.pfctl.run', return_value=run_res)
@@ -45,10 +54,13 @@ def test_unregister_valid(client, mocker, valid_credentials):
 
 
 def test_register_valid(client, mocker, valid_credentials):
+    '''
+    Test a registration of a rule
+    '''
     def noop():
         pass
     run_res = CompletedProcess(args=['true'], returncode=0)
-    run_res.stdout = pfctl_stdout_lines
+    run_res.stdout = PFCTL_STDOUT_LINES
     run_res.check_returncode = noop
 
     pfctl_run = mocker.patch('jail2ban.pfctl.run', return_value=run_res)
@@ -63,13 +75,16 @@ def test_register_valid(client, mocker, valid_credentials):
                                    "Basic " + valid_credentials})
 
     pfctl_run_input_arg = pfctl_run.call_args_list[1][1]['input']
-    for existing_line in pfctl_stdout_lines.splitlines():
+    for existing_line in PFCTL_STDOUT_LINES.splitlines():
         assert existing_line in pfctl_run_input_arg.splitlines()
 
     assert response.json['action'] == 'start'
 
 
 def test_register_valid_from_scratch(client, mocker, valid_credentials):
+    '''
+    Test from scratch point of view
+    '''
     def noop():
         pass
     run_res = CompletedProcess(args=['true'], returncode=0)
@@ -88,15 +103,18 @@ def test_register_valid_from_scratch(client, mocker, valid_credentials):
                                    "Basic " + valid_credentials})
 
     pfctl_run_input_arg = pfctl_run.call_args_list[1][1]['input']
-    assert pfctl_run_input_arg == pfctl_stdout_lines_scratch
+    assert pfctl_run_input_arg == PFCTL_STDOUT_LINES_SCRATCH
     assert response.json['action'] == 'start'
 
 
 def test_register_invalid(client, mocker, valid_credentials):
+    '''
+    Test a bogus pf command
+    '''
     def noop():
         pass
     run_res = CompletedProcess(args=['true'], returncode=0)
-    run_res.stdout = pfctl_stdout_lines
+    run_res.stdout = PFCTL_STDOUT_LINES
     run_res.check_returncode = noop
 
     mocker.patch('jail2ban.pfctl.run', return_value=run_res)