Add exception handler for when pfctl operations fail

.gitignore

@@ -12,6 +12,3 @@ htmlcov/
 dist/
 build/
 *.egg-info/
-
-coverage.xml
-report.xml

.gitlab-ci.yml

@@ -1,6 +1,6 @@
 run tests:
   stage: test
-  image: python:3.9
+  image: python:3.8
   script:
     - pip install pytest pytest-cov pytest-mock pytest-flask
     - pip install Flask-HTTPAuth
@@ -11,9 +11,7 @@ run tests:
   artifacts:
     when: always
     reports:
-      coverage_report:
+      cobertura: coverage.xml
-        coverage_format: cobertura
-        path: coverage.xml
       junit: report.xml
   tags:
     - docker

CHANGELOG

@@ -1,3 +0,0 @@
-- 2023.1
-
-* Implement #3, a /ping health check endpoint

README.md

@@ -1,130 +0,0 @@
-[![pipeline status](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/badges/main/pipeline.svg)](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/-/commits/main)
-[![coverage report](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/badges/main/coverage.svg)](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/-/commits/main)
-
-
-## Installation
-
-
-* Install uwsgi 
-
-```
-sudo pkg install www/uwsgi
-```
-
-* Clone this repository
-
-## Configuration
-
-### rc.conf
-
-* Use the following for configuring uwsgi in rc.conf
-
-```
-sudo sysrc uwsgi\_enable="YES"
-sudo sysrc uwsgi\_profiles="jail2ban\_pf"
-sudo sysrc uwsgi\_jail2ban\_pf\_flags="-L -M --uid \_jail2ban --python-path /opt/jail2ban-pf --wsgi-file /opt/jail2ban-pf/wsgi.py --stats 127.0.0.1:9191 --socket 127.0.0.1:3031 --chdir /var/empty --callable app --manage-script-name"
-```
-
-### jail2ban
-
-* Configure <installation root>/instance/config.py
-
-```
-SECRET\_KEY = os.urandom(32).hex()
-AUTHFILE = '/usr/local/etc/jail2ban-pf-users.txt'
-```
-
-### nginx
-
-* Configure a nginx upstream and vhost
-
-_Of course you can listen on ipv4/ipv6 but you want to protect these addresses from inadvertent or malicious probes_
-
-    upstream uwsgi_pf_jail2ban {
-        server 127.0.0.1:3031;
-    }
-
-    server {
-        listen       unix:/path/to/jail_1/var/run/pf2ban/pf_jail2ban.sock;
-        listen       unix:/path/to/jail_2/var/run/pf2ban/pf_jail2ban.sock;
-        listen       unix:/path/to/jail_3/var/run/pf2ban/pf_jail2ban.sock;
-        server_name  _;
-
-        location / {
-            index     index.html index.htm index.php;
-            allow all;
-            include /usr/local/etc/nginx/uwsgi_params-dist;
-            uwsgi_pass uwsgi_pf_jail2ban;
-        }
-    }
-
-### /etc/pf.conf
-
-* Place anchors in pf for jail2ban to use. You probably want to place the early in your existing pf configuration
-
-```
-anchor "f2b/*"
-anchor f2b-jail {
-    anchor "jail1_fqdn" to { <addr_jail1>, <addr_extra_jail1>, <addr_extra6_jail1> }
-    anchor "jail2_fqdn" to { <addr_jail2>, <addr_extra_jail2>, <addr_extra6_jail2> }
-    anchor "jail3_fqdn" to { <addr_jail3>, <addr_extra_jail3>, <addr_extra6_jail3> }
-}
-```
-
-Having seperate anchors per jail makes it possible to have fine grained
-blocking: Something that is harmful to jail2 might be perfectly legit for jail2.
-
-#### Checking rules/tables made with fail2ban/jail2ban
-Fail2ban will (re)create the per anchor rules on startup, and populate the designated address tables with offenders, e.g.:
-
-    sudo pfctl -a f2b-jail/jail1\_fqdn -T show -t f2b-recidive
-    192.0.2.66
-    2001:db8:abad:cafe:0bad:f00d
-
-And the rules referencing these tables
-
-    sudo pfctl -a 'f2b-jail/jail1\_fqdn' -s rules
-    block drop quick proto tcp from <f2b-dovecot> to any port = pop3
-    block drop quick proto tcp from <f2b-dovecot> to any port = pop3s
-    block drop quick proto tcp from <f2b-dovecot> to any port = imap
-    block drop quick proto tcp from <f2b-dovecot> to any port = imaps
-    block drop quick proto tcp from <f2b-dovecot> to any port = submission
-    block drop quick proto tcp from <f2b-dovecot> to any port = smtps
-    block drop quick proto tcp from <f2b-dovecot> to any port = sieve
-    block drop quick proto tcp from <f2b-sendmail-auth> to any port = submission
-    block drop quick proto tcp from <f2b-sendmail-auth> to any port = smtps
-    block drop quick proto tcp from <f2b-sendmail-auth> to any port = smtp
-    block drop quick proto tcp from <f2b-sshd> to any port = ssh
-    block drop quick proto tcp from <f2b-recidive> to any
-    
-### fail2ban
-
-* Create the following action plugin for fail2ban on the jail desiring to use fail2ban/jail2ban
-
-```
-cat <<'EOT' | tee /usr/local/etc/fail2ban/action.d/jail2ban-pf.conf > /dev/null
-Definition]
-actionstart = curl --unix-socket <jail2ban_sock> --basic -u '<jail2ban_user>:<jail2ban_pass>' -XPUT -H 'Content-Type: application/json' -d '{"port":"<actiontype>","name":"<name>","protocol":"<protocol>"}' http://localhost/register
-actionstart_on_demand = false
-actionstop = curl --unix-socket <jail2ban_sock> --basic -u '<jail2ban_user>:<jail2ban_pass>' -XDELETE -H 'Content-Type: application/json' -d '{"port":"<actiontype>","name":"<name>","protocol":"<protocol>"}' http://localhost/register
-actionflush = curl --unix-socket <jail2ban_sock> --basic -u '<jail2ban_user>:<jail2ban_pass>' -X GET http://localhost/flush/<name>
-actioncheck = 
-actionban = curl --unix-socket <jail2ban_sock> --basic -u '<jail2ban_user>:<jail2ban_pass>' -X PUT -H 'Content-Type: application/json' -d '{"name":"<name>","ip":"<ip>"}' http://localhost/ban
-actionunban = curl --unix-socket <jail2ban_sock> --basic -u '<jail2ban_user>:<jail2ban_pass>' -X DELETE -H 'Content-Type: application/json' -d '{"name":"<name>","ip":"<ip>"}' http://localhost/ban
-[Init]
-protocol = tcp
-actiontype = <multiport>
-allports = any
-multiport = any port {<port>}
-jail2ban_sock = /var/run/pf2ban/jail2ban.sock
-jail2ban_user = login as set in password file for jail2ban
-jail2ban_pass = password as set in password file for jail2ban
-```
-
-* Configure jail.local
-
-```
-cat <<'EOT' | tee /usr/local/etc/fail2ban/jail.local > /dev/null
-[DEFAULT]
-banaction = jail2ban-pf
-```

jail2ban/__init__.py

@@ -42,15 +42,6 @@ def create_app():
                 check_password_hash(users.get(username), password):
             return username
 
-    @app.route("/ping", methods=['GET'])
-    @auth.login_required
-    def ping():
-        remote_user = auth.username()
-        app.logger.info('Received ping for'
-                        f' anchor f2b-jail/{remote_user}')
-        return jsonify({'anchor': f'f2b-jail/{remote_user}',
-                        'operation': 'ping',
-                        'result': 'pong'})
     @app.route("/flush/<name>", methods=['GET'])
     @auth.login_required
     def flush(name):
@@ -86,7 +77,7 @@ def create_app():
                 ])
             res = pfctl_cfg_write(f'f2b-jail/{remote_user}',
                                   b'\n'.join(cfg) + b'\n')
-        else:  # 'DELETE':
+        elif request.method == 'DELETE':
             cfg = [cfg_line for cfg_line in cfg
                    if cfg_line.find(bytes(f'<f2b-{name}>', 'ascii')) == -1]
             res = pfctl_cfg_write(f'f2b-jail/{remote_user}',
@@ -119,7 +110,7 @@ def create_app():
                                  table=f'f2b-{name}',
                                  operation='add',
                                  value=str(ip))
-        else:  # 'DELETE':
+        elif request.method == 'DELETE':
             app.logger.info(f'Remove {ip} from f2b-{name}'
                             f' in anchor f2b-jail/{remote_user}')
             res = pfctl_table_op(f'f2b-jail/{remote_user}',
@@ -148,14 +139,6 @@ def create_app():
         app.logger.fatal(error)
         return jsonify({'error': str(error)}), 500
 
-    @app.errorhandler(FileNotFoundError)
-    def filenotfound_err(error):
-        '''
-        Show a json parsable error if the value is illegal
-        '''
-        app.logger.fatal(error)
-        return jsonify({'error': str(error)}), 500
-
     @auth.error_handler
     def auth_error():
         app.logger.error('Access Denied')

jail2ban/auth.py

@@ -1,15 +1,18 @@
-from flask import current_app
+from flask import current_app, g
+import os
 
 
 def get_users():
+    if 'users' not in g:
         users = {}
         authfile = current_app.config['AUTHFILE']
 
         current_app.logger.debug('Reading %s for users', authfile)
 
-    with current_app.open_resource(authfile) as f:
+        with current_app.open_resource(os.path.join("..",
+                                                    authfile)) as f:
             for entry in f:
-            users.update({
+                users.update({tuple(entry.decode('ascii').strip().split(':', 1))})
-                tuple(entry.decode('ascii').strip().split(':', 1))})
+            g.users = users
-    current_app.logger.debug(users)
+    current_app.logger.debug(g.users)
-    return users
+    return g.users

tests/conftest.py

@@ -1,5 +1,4 @@
 import pytest
-import base64
 from jail2ban import create_app
 
 
@@ -9,7 +8,7 @@ def app():
     app.config.update({
         "TESTING": True,
         "SECRET_KEY": 'Testing',
-        "AUTHFILE": '../tests/users-test.txt'
+        "AUTHFILE": 'tests/users-test.txt'
     })
 
     # other setup can go here
@@ -27,8 +26,3 @@ def client(app):
 @pytest.fixture()
 def runner(app):
     return app.test_cli_runner()
-
-
-@pytest.fixture()
-def valid_credentials():
-    return base64.b64encode(b"test.example.com:testpassword").decode("utf-8")

tests/test_ban.py

@@ -1,7 +1,8 @@
+import base64
 from types import SimpleNamespace
 
 
-def test_ban_ipv6(client, mocker, valid_credentials):
+def test_ban_ipv6(client, mocker):
     def noop():
         pass
     run_res = SimpleNamespace()
@@ -12,16 +13,16 @@ def test_ban_ipv6(client, mocker, valid_credentials):
 
     mocker.patch('jail2ban.pfctl.run', return_value=run_res)
 
+    valid_credentials = base64.b64encode(b"test.example.com:testpassword").decode("utf-8")
     json_payload = {"name": "sshd", "ip": "2001:db8::abad:cafe"}
     response = client.put("/ban",
                           json=json_payload,
-                          headers={"Authorization":
+                          headers={"Authorization": "Basic " + valid_credentials})
-                                   "Basic " + valid_credentials})
 
     assert response.json['operation'] == 'add'
 
 
-def test_ban_ipv4(client, mocker, valid_credentials):
+def test_ban_ipv4(client, mocker):
     def noop():
         pass
     run_res = SimpleNamespace()
@@ -32,16 +33,15 @@ def test_ban_ipv4(client, mocker, valid_credentials):
 
     mocker.patch('jail2ban.pfctl.run', return_value=run_res)
 
+    valid_credentials = base64.b64encode(b"test.example.com:testpassword").decode("utf-8")
     json_payload = {"name": "sshd", "ip": "192.0.2.42"}
     response = client.put("/ban",
                           json=json_payload,
-                          headers={"Authorization":
+                          headers={"Authorization": "Basic " + valid_credentials})
-                                   "Basic " + valid_credentials})
 
     assert response.json['operation'] == 'add'
 
-
+def test_ban_invalid(client, mocker):
-def test_ban_invalid(client, mocker, valid_credentials):
     def noop():
         pass
     run_res = SimpleNamespace()
@@ -52,17 +52,16 @@ def test_ban_invalid(client, mocker, valid_credentials):
 
     mocker.patch('jail2ban.pfctl.run', return_value=run_res)
 
+    valid_credentials = base64.b64encode(b"test.example.com:testpassword").decode("utf-8")
     json_payload = {"name": "sshd", "ip": "not:an::addr:ess"}
     response = client.put("/ban",
                           json=json_payload,
-                          headers={"Authorization":
+                          headers={"Authorization": "Basic " + valid_credentials})
-                                   "Basic " + valid_credentials})
 
-    assert response.json['error'] == "'not:an::addr:ess' does not " \
+    assert response.json['error'] == "'not:an::addr:ess' does not appear to be an IPv4 or IPv6 address"
-                                     "appear to be an IPv4 or IPv6 address"
 
 
-def test_unban_ipv6(client, mocker, valid_credentials):
+def test_unban_ipv6(client, mocker):
     def noop():
         pass
     run_res = SimpleNamespace()
@@ -73,16 +72,16 @@ def test_unban_ipv6(client, mocker, valid_credentials):
 
     mocker.patch('jail2ban.pfctl.run', return_value=run_res)
 
+    valid_credentials = base64.b64encode(b"test.example.com:testpassword").decode("utf-8")
     json_payload = {"name": "sshd", "ip": "2001:db8::abad:cafe"}
     response = client.delete("/ban",
                              json=json_payload,
-                             headers={"Authorization":
+                             headers={"Authorization": "Basic " + valid_credentials})
-                                      "Basic " + valid_credentials})
 
     assert response.json['operation'] == 'delete'
 
 
-def test_unban_ipv4(client, mocker, valid_credentials):
+def test_unban_ipv4(client, mocker):
     def noop():
         pass
     run_res = SimpleNamespace()
@@ -93,10 +92,10 @@ def test_unban_ipv4(client, mocker, valid_credentials):
 
     mocker.patch('jail2ban.pfctl.run', return_value=run_res)
 
+    valid_credentials = base64.b64encode(b"test.example.com:testpassword").decode("utf-8")
     json_payload = {"name": "sshd", "ip": "192.0.2.42"}
     response = client.delete("/ban",
                           json=json_payload,
-                             headers={"Authorization":
+                          headers={"Authorization": "Basic " + valid_credentials})
-                                      "Basic " + valid_credentials})
 
     assert response.json['operation'] == 'delete'

tests/test_flush.py

@@ -1,8 +1,9 @@
+import base64
 from types import SimpleNamespace
 from subprocess import CalledProcessError
 
 
-def test_flush(client, mocker, valid_credentials):
+def test_flush(client, mocker):
     def noop():
         pass
     run_res = SimpleNamespace()
@@ -13,65 +14,25 @@ def test_flush(client, mocker, valid_credentials):
 
     mocker.patch('jail2ban.pfctl.run', return_value=run_res)
 
+    valid_credentials = base64.b64encode(b"test.example.com:testpassword").decode("utf-8")
     name = 'sshd'
     response = client.get(f"/flush/{name}",
-                          headers={"Authorization":
+                          headers={"Authorization": "Basic " + valid_credentials})
-                                   "Basic " + valid_credentials})
 
     assert response.json['operation'] == 'flush'
 
 
-def test_flush_nonexistent(client, mocker, valid_credentials):
+def test_flush_nonexistent(client, mocker):
 
-    cmd = ['/usr/local/bin/sudo',
+    cmd = ['/usr/local/bin/sudo', '/sbin/pfctl', '-a', 'some/anchor', '-t', 'nonexistent', '-T', 'flush']
-           '/sbin/pfctl', '-a', 'some/anchor',
-           '-t', 'nonexistent', '-T', 'flush']
-
-    side_effect = CalledProcessError(255, cmd, output=b'',
-                                     stderr=b'pfctl: Table does not exist')
 
     mocker.patch('jail2ban.pfctl.run',
-                 side_effect=side_effect)
+                 side_effect=CalledProcessError(255, cmd, output=b'',
+                                                stderr=b'pfctl: Table does not exist'))
 
+    valid_credentials = base64.b64encode(b"test.example.com:testpassword").decode("utf-8")
     name = 'nonexistent'
     response = client.get(f"/flush/{name}",
-                          headers={"Authorization":
+                          headers={"Authorization": "Basic " + valid_credentials})
-                                   "Basic " + valid_credentials})
 
     assert 'error' in response.json
-
-
-def test_wrong_method(client, mocker, valid_credentials):
-
-    cmd = ['/usr/local/bin/sudo',
-           '/sbin/pfctl', '-a', 'some/anchor',
-           '-t', 'nonexistent', '-T', 'flush']
-
-    side_effect = CalledProcessError(255, cmd, output=b'',
-                                     stderr=b'pfctl: Table does not exist')
-
-    mocker.patch('jail2ban.pfctl.run',
-                 side_effect=side_effect)
-
-    name = 'nonexistent'
-    response = client.put(f"/flush/{name}",
-                          headers={"Authorization":
-                                   "Basic " + valid_credentials})
-
-    assert response.status_code == 405
-
-
-def test_filenotfound(app, mocker, valid_credentials):
-
-    app.config.update({
-        "AUTHFILE": '../tests/nonexistent-users-test.txt'
-    })
-
-    client = app.test_client()
-
-    name = 'nonexistent'
-    response = client.get(f"/flush/{name}",
-                          headers={"Authorization":
-                                   "Basic " + valid_credentials})
-
-    assert response.status_code == 500

tests/test_ping.py

@@ -1,10 +0,0 @@
-def test_ping(client, mocker, valid_credentials):
-    '''
-    Test application health check
-    '''
-
-    response = client.get("/ping",
-                          headers={"Authorization":
-                                   "Basic " + valid_credentials})
-
-    assert response.json['operation'] == 'ping'

tests/test_register.py

@@ -1,3 +1,4 @@
+import base64
 from subprocess import CompletedProcess
 
 pfctl_stdout_lines = b'''
@@ -6,12 +7,7 @@ block drop quick proto tcp from <f2b-sendmail-auth> to any port = smtps
 block drop quick proto tcp from <f2b-sendmail-auth> to any port = smtp
 block drop quick proto tcp from <f2b-sshd> to any port = ssh
 block drop quick proto tcp from <f2b-recidive> to any
-'''.strip() + b'\n'
+'''
-
-pfctl_stdout_lines_scratch = b'table <f2b-dovecot> persist counters\n' \
-                             b'block quick proto tcp from <f2b-dovecot>' \
-                             b' to any port ' \
-                             b'{pop3,pop3s,imap,imaps,submission,465,sieve}\n'
 
 
 def test_register_unauth(client):
@@ -23,7 +19,7 @@ def test_register_unauth(client):
     assert response.json['error'] == 'Access Denied'
 
 
-def test_unregister_valid(client, mocker, valid_credentials):
+def test_register_valid(client, mocker):
     def noop():
         pass
     run_res = CompletedProcess(args=['true'], returncode=0)
@@ -32,67 +28,19 @@ def test_unregister_valid(client, mocker, valid_credentials):
 
     mocker.patch('jail2ban.pfctl.run', return_value=run_res)
 
+    valid_credentials = base64.b64encode(b"test.example.com:testpassword").decode("utf-8")
     json_payload = {"port":
                     "any port {pop3,pop3s,imap,imaps,submission,465,sieve}",
                     "name": "dovecot", "protocol": "tcp"}
 
     response = client.delete("/register",
                              json=json_payload,
-                             headers={"Authorization":
+                             headers={"Authorization": "Basic " + valid_credentials})
-                                      "Basic " + valid_credentials})
 
     assert response.json['action'] == 'stop'
 
 
-def test_register_valid(client, mocker, valid_credentials):
+def test_unregister_valid(client, mocker):
-    def noop():
-        pass
-    run_res = CompletedProcess(args=['true'], returncode=0)
-    run_res.stdout = pfctl_stdout_lines
-    run_res.check_returncode = noop
-
-    pfctl_run = mocker.patch('jail2ban.pfctl.run', return_value=run_res)
-
-    json_payload = {"port":
-                    "any port {pop3,pop3s,imap,imaps,submission,465,sieve}",
-                    "name": "dovecot", "protocol": "tcp"}
-
-    response = client.put("/register",
-                          json=json_payload,
-                          headers={"Authorization":
-                                   "Basic " + valid_credentials})
-
-    pfctl_run_input_arg = pfctl_run.call_args_list[1][1]['input']
-    for existing_line in pfctl_stdout_lines.splitlines():
-        assert existing_line in pfctl_run_input_arg.splitlines()
-
-    assert response.json['action'] == 'start'
-
-
-def test_register_valid_from_scratch(client, mocker, valid_credentials):
-    def noop():
-        pass
-    run_res = CompletedProcess(args=['true'], returncode=0)
-    run_res.stdout = b''
-    run_res.check_returncode = noop
-
-    pfctl_run = mocker.patch('jail2ban.pfctl.run', return_value=run_res)
-
-    json_payload = {"port":
-                    "any port {pop3,pop3s,imap,imaps,submission,465,sieve}",
-                    "name": "dovecot", "protocol": "tcp"}
-
-    response = client.put("/register",
-                          json=json_payload,
-                          headers={"Authorization":
-                                   "Basic " + valid_credentials})
-
-    pfctl_run_input_arg = pfctl_run.call_args_list[1][1]['input']
-    assert pfctl_run_input_arg == pfctl_stdout_lines_scratch
-    assert response.json['action'] == 'start'
-
-
-def test_register_invalid(client, mocker, valid_credentials):
     def noop():
         pass
     run_res = CompletedProcess(args=['true'], returncode=0)
@@ -101,13 +49,34 @@ def test_register_invalid(client, mocker, valid_credentials):
 
     mocker.patch('jail2ban.pfctl.run', return_value=run_res)
 
+    valid_credentials = base64.b64encode(b"test.example.com:testpassword").decode("utf-8")
+    json_payload = {"port":
+                    "any port {pop3,pop3s,imap,imaps,submission,465,sieve}",
+                    "name": "dovecot", "protocol": "tcp"}
+
+    response = client.put("/register",
+                          json=json_payload,
+                          headers={"Authorization": "Basic " + valid_credentials})
+
+    assert response.json['action'] == 'start'
+
+
+def test_register_invalid(client, mocker):
+    def noop():
+        pass
+    run_res = CompletedProcess(args=['true'], returncode=0)
+    run_res.stdout = pfctl_stdout_lines
+    run_res.check_returncode = noop
+
+    mocker.patch('jail2ban.pfctl.run', return_value=run_res)
+
+    valid_credentials = base64.b64encode(b"test.example.com:testpassword").decode("utf-8")
     json_payload = {"port":
                     "not a pf statement",
                     "name": "dovecot", "protocol": "tcp"}
 
     response = client.put("/register",
                           json=json_payload,
-                          headers={"Authorization":
+                          headers={"Authorization": "Basic " + valid_credentials})
-                                   "Basic " + valid_credentials})
 
     assert response.json['error'] == '"not a pf statement" is tainted'

wsgi.py

@@ -1,3 +0,0 @@
-from jail2ban import create_app
-
-app = create_app()