Reuse credentials as fixture / linelength fixes for readability

Also test registering from scratch
Assert that we indeed merge the existing pf rules
2022-03-14 16:39:24 +01:00 · 2022-03-14 16:06:50 +01:00 · 2022-03-14 16:00:31 +01:00 · 2022-03-14 15:45:03 +01:00 · 2022-03-14 15:43:28 +01:00 · 2022-03-14 15:43:26 +01:00
7 changed files with 2 additions and 159 deletions
--- a/.gitignore
+++ b/.gitignore
@ -12,6 +12,3 @@ htmlcov/
 dist/
 build/
 *.egg-info/
 coverage.xml
 report.xml
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -1,6 +1,6 @@
 run tests:
  stage: test
-  image: python:3.9
+  image: python:3.8
  script:
    - pip install pytest pytest-cov pytest-mock pytest-flask
    - pip install Flask-HTTPAuth
@ -11,9 +11,7 @@ run tests:
  artifacts:
    when: always
    reports:
-      coverage_report:
+      cobertura: coverage.xml
        coverage_format: cobertura
        path: coverage.xml
      junit: report.xml
  tags:
    - docker
--- a/3
+++ b/3
@ -1,3 +0,0 @@
 - 2023.1
 * Implement #3, a /ping health check endpoint
--- a/README.md
+++ b/README.md
@ -1,130 +1,3 @@
 [![pipeline status](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/badges/main/pipeline.svg)](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/-/commits/main)
 [![coverage report](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/badges/main/coverage.svg)](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/-/commits/main)
 ## Installation
 * Install uwsgi 
 ```
 sudo pkg install www/uwsgi
 ```
 * Clone this repository
 ## Configuration
 ### rc.conf
 * Use the following for configuring uwsgi in rc.conf
 ```
 sudo sysrc uwsgi\_enable="YES"
 sudo sysrc uwsgi\_profiles="jail2ban\_pf"
 sudo sysrc uwsgi\_jail2ban\_pf\_flags="-L -M --uid \_jail2ban --python-path /opt/jail2ban-pf --wsgi-file /opt/jail2ban-pf/wsgi.py --stats 127.0.0.1:9191 --socket 127.0.0.1:3031 --chdir /var/empty --callable app --manage-script-name"
 ```
 ### jail2ban
 * Configure <installation root>/instance/config.py
 ```
 SECRET\_KEY = os.urandom(32).hex()
 AUTHFILE = '/usr/local/etc/jail2ban-pf-users.txt'
 ```
 ### nginx
 * Configure a nginx upstream and vhost
 _Of course you can listen on ipv4/ipv6 but you want to protect these addresses from inadvertent or malicious probes_
    upstream uwsgi_pf_jail2ban {
        server 127.0.0.1:3031;
    }
    server {
        listen       unix:/path/to/jail_1/var/run/pf2ban/pf_jail2ban.sock;
        listen       unix:/path/to/jail_2/var/run/pf2ban/pf_jail2ban.sock;
        listen       unix:/path/to/jail_3/var/run/pf2ban/pf_jail2ban.sock;
        server_name  _;
        location / {
            index     index.html index.htm index.php;
            allow all;
            include /usr/local/etc/nginx/uwsgi_params-dist;
            uwsgi_pass uwsgi_pf_jail2ban;
        }
    }
 ### /etc/pf.conf
 * Place anchors in pf for jail2ban to use. You probably want to place the early in your existing pf configuration
 ```
 anchor "f2b/*"
 anchor f2b-jail {
    anchor "jail1_fqdn" to { <addr_jail1>, <addr_extra_jail1>, <addr_extra6_jail1> }
    anchor "jail2_fqdn" to { <addr_jail2>, <addr_extra_jail2>, <addr_extra6_jail2> }
    anchor "jail3_fqdn" to { <addr_jail3>, <addr_extra_jail3>, <addr_extra6_jail3> }
 }
 ```
 Having seperate anchors per jail makes it possible to have fine grained
 blocking: Something that is harmful to jail2 might be perfectly legit for jail2.
 #### Checking rules/tables made with fail2ban/jail2ban
 Fail2ban will (re)create the per anchor rules on startup, and populate the designated address tables with offenders, e.g.:
    sudo pfctl -a f2b-jail/jail1\_fqdn -T show -t f2b-recidive
    192.0.2.66
    2001:db8:abad:cafe:0bad:f00d
 And the rules referencing these tables
    sudo pfctl -a 'f2b-jail/jail1\_fqdn' -s rules
    block drop quick proto tcp from <f2b-dovecot> to any port = pop3
    block drop quick proto tcp from <f2b-dovecot> to any port = pop3s
    block drop quick proto tcp from <f2b-dovecot> to any port = imap
    block drop quick proto tcp from <f2b-dovecot> to any port = imaps
    block drop quick proto tcp from <f2b-dovecot> to any port = submission
    block drop quick proto tcp from <f2b-dovecot> to any port = smtps
    block drop quick proto tcp from <f2b-dovecot> to any port = sieve
    block drop quick proto tcp from <f2b-sendmail-auth> to any port = submission
    block drop quick proto tcp from <f2b-sendmail-auth> to any port = smtps
    block drop quick proto tcp from <f2b-sendmail-auth> to any port = smtp
    block drop quick proto tcp from <f2b-sshd> to any port = ssh
    block drop quick proto tcp from <f2b-recidive> to any
 ### fail2ban
 * Create the following action plugin for fail2ban on the jail desiring to use fail2ban/jail2ban
 ```
 cat <<'EOT' | tee /usr/local/etc/fail2ban/action.d/jail2ban-pf.conf > /dev/null
 Definition]
 actionstart = curl --unix-socket <jail2ban_sock> --basic -u '<jail2ban_user>:<jail2ban_pass>' -XPUT -H 'Content-Type: application/json' -d '{"port":"<actiontype>","name":"<name>","protocol":"<protocol>"}' http://localhost/register
 actionstart_on_demand = false
 actionstop = curl --unix-socket <jail2ban_sock> --basic -u '<jail2ban_user>:<jail2ban_pass>' -XDELETE -H 'Content-Type: application/json' -d '{"port":"<actiontype>","name":"<name>","protocol":"<protocol>"}' http://localhost/register
 actionflush = curl --unix-socket <jail2ban_sock> --basic -u '<jail2ban_user>:<jail2ban_pass>' -X GET http://localhost/flush/<name>
 actioncheck = 
 actionban = curl --unix-socket <jail2ban_sock> --basic -u '<jail2ban_user>:<jail2ban_pass>' -X PUT -H 'Content-Type: application/json' -d '{"name":"<name>","ip":"<ip>"}' http://localhost/ban
 actionunban = curl --unix-socket <jail2ban_sock> --basic -u '<jail2ban_user>:<jail2ban_pass>' -X DELETE -H 'Content-Type: application/json' -d '{"name":"<name>","ip":"<ip>"}' http://localhost/ban
 [Init]
 protocol = tcp
 actiontype = <multiport>
 allports = any
 multiport = any port {<port>}
 jail2ban_sock = /var/run/pf2ban/jail2ban.sock
 jail2ban_user = login as set in password file for jail2ban
 jail2ban_pass = password as set in password file for jail2ban
 ```
 * Configure jail.local
 ```
 cat <<'EOT' | tee /usr/local/etc/fail2ban/jail.local > /dev/null
 [DEFAULT]
 banaction = jail2ban-pf
 ```
--- a/jail2ban/init.py
+++ b/jail2ban/init.py
@ -42,15 +42,6 @@ def create_app():
                check_password_hash(users.get(username), password):
            return username
    @app.route("/ping", methods=['GET'])
    @auth.login_required
    def ping():
        remote_user = auth.username()
        app.logger.info('Received ping for'
                        f' anchor f2b-jail/{remote_user}')
        return jsonify({'anchor': f'f2b-jail/{remote_user}',
                        'operation': 'ping',
                        'result': 'pong'})
    @app.route("/flush/<name>", methods=['GET'])
    @auth.login_required
    def flush(name):
--- a/tests/test_ping.py
+++ b/tests/test_ping.py
@ -1,10 +0,0 @@
 def test_ping(client, mocker, valid_credentials):
    '''
    Test application health check
    '''
    response = client.get("/ping",
                          headers={"Authorization":
                                   "Basic " + valid_credentials})
    assert response.json['operation'] == 'ping'
--- a/wsgi.py
+++ b/wsgi.py
@ -1,3 +0,0 @@
 from jail2ban import create_app
 app = create_app()
Author	SHA1	Message	Date
Ruben van Staveren	e0d115790e	Reuse credentials as fixture / linelength fixes for readability	2022-03-14 16:39:24 +01:00
Ruben van Staveren	58ac46126a	Also test registering from scratch	2022-03-14 16:06:50 +01:00
Ruben van Staveren	a7970c4f6b	Assert that we indeed merge the existing pf rules	2022-03-14 16:00:31 +01:00
Ruben van Staveren	3dacbe7a5d	Uh, switched names of tests	2022-03-14 15:45:03 +01:00
Ruben van Staveren	798a72cb73	Gracefully handle FileNotFoundError exceptions	2022-03-14 15:43:28 +01:00
Ruben van Staveren	59cc645b98	code coverage shows the case is not hit. remove noop conditional	2022-03-14 15:43:26 +01:00
Ruben van Staveren	feb8c93737	Let AUTHFILE be absolute path	2022-03-14 15:20:49 +01:00
Ruben van Staveren	27bc683f8f	Add readme with badges	2022-03-12 17:27:03 +01:00
Ruben van Staveren	3f94410716	Let's test an method that is not allowed in app.route	2022-03-11 22:07:04 +01:00
Ruben van Staveren	e3a71a851d	Allowed methods are listed in app.route, elif is noop here	2022-03-11 22:04:48 +01:00
Ruben van Staveren	542718b956	Add exception handler for when pfctl operations fail	2022-03-11 21:21:40 +01:00
Ruben van Staveren	34f871ae75	Simplify code by letting run() generate exception on non zero exit status	2022-03-11 20:42:19 +01:00
Ruben van Staveren	f3f8bd5dc6	Fix test (was used to test gitlab email	2022-03-11 13:42:36 +01:00
Ruben van Staveren	5971c27a8f	Correct stderr for test	2022-03-11 10:38:37 +01:00
Ruben van Staveren	47e8208ce2	Add test for flush	2022-03-11 10:38:19 +01:00
Ruben van Staveren	af1fef189c	Handle pfctl_cfg_write output as expected	2022-03-10 23:29:14 +01:00
Ruben van Staveren	c33e63978e	Test unregistering and check intended fields	2022-03-10 21:39:07 +01:00
Ruben van Staveren	963f7e5702	Test unban	2022-03-10 21:24:35 +01:00
Ruben van Staveren	450792b2d2	Do this always	2022-03-10 21:18:27 +01:00
Ruben van Staveren	ffe144f6b5	Add case for detecing invalid input	2022-03-10 21:12:24 +01:00
Ruben van Staveren	a20145b447	Also generate unit test report	2022-03-10 21:01:02 +01:00
Ruben van Staveren	b5f16f161c	Test for invalid address handling	2022-03-10 20:43:24 +01:00
Ruben van Staveren	7c7734c996	Not exactly using it. remove for now	2022-03-10 14:32:36 +01:00
Ruben van Staveren	bd12b2a18a	pylint fixes	2022-03-10 14:03:09 +01:00
Ruben van Staveren	64523ae8b5	Add tests for /ban	2022-03-10 13:37:34 +01:00
		`@ -1,3 +0,0 @@`
			`- 2023.1`

			`* Implement #3, a /ping health check endpoint`
		`@ -1,3 +0,0 @@`
			`from jail2ban import create_app`

			`app = create_app()`