ruben/jail2ban
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: ruben:develop
Branches Tags
ruben:main
ruben:develop
ruben:2023.1
ruben:2022.1
..
compare: ruben:main
Branches Tags
ruben:main
ruben:develop
ruben:2023.1
ruben:2022.1

14 Commits
develop ... main

Author SHA1 Message Date
Ruben van Staveren
39c3fc0342
install types / be non interactive
Some checks failed
Flake8 / build (3.11) (push) Successful in 8s
Details
Pylint / build (3.11) (push) Failing after 15s
Details
Mypy / build (3.11) (push) Failing after 39s
Details
2025-03-14 12:22:51 +01:00
Ruben van Staveren
221a7c2de2
Add pylint/mypy
Some checks failed
Flake8 / build (3.11) (push) Successful in 7s
Details
Mypy / build (3.11) (push) Failing after 38s
Details
Pylint / build (3.11) (push) Failing after 17s
Details
2025-03-14 12:12:28 +01:00
Ruben van Staveren
5c8cd6c00f
Ah, I need to checkout stuff
All checks were successful
Flake8 / build (3.11) (push) Successful in 7s
Details
2025-03-14 12:07:00 +01:00
Ruben van Staveren
ae3c846a39
if it is not a git repo, what is it then?
All checks were successful
Flake8 / build (3.11) (push) Successful in 2s
Details
2025-03-14 12:01:55 +01:00
Ruben van Staveren
5291140caf
without :host then?
All checks were successful
Flake8 / build (3.11) (push) Successful in 1s
Details
2025-03-14 11:54:28 +01:00
Ruben van Staveren
ee66b64cd8
Try to run on the host directly
Some checks failed
Flake8 / build (3.11) (push) Has been cancelled
Details
2025-03-14 11:38:50 +01:00
Ruben van Staveren
7f7d398e5c
Remind me that I need to do stuff with uv
Some checks failed
Flake8 / build (3.11) (push) Failing after 1s
Details
2025-03-14 11:35:05 +01:00
Ruben van Staveren
b539eac83d
Test gitea actions 2025-03-14 11:27:41 +01:00
Ruben van Staveren
f7cc4d9d4e
lint fixes (tests) 2024-07-31 16:30:43 +02:00
Ruben van Staveren
63c8e39b59
lint fixes 2024-07-31 16:14:52 +02:00
Ruben van Staveren
0b1294b6e7
Switch to python 3.11 2024-07-31 15:50:29 +02:00
Ruben van Staveren
dd68fd4ead
Add linters 2024-07-31 15:49:41 +02:00
Ruben van Staveren
a64d17b2e8
Merge branch 'release/2023.1' 2023-01-13 10:33:45 +01:00
Ruben van Staveren
9c6208f5c0
Merge branch 'release/2022.1' 2022-03-14 16:43:26 +01:00
16 changed files with 197 additions and 218 deletions
Show Stats Expand all files Collapse all files

17
.gitea/workflows/flake8.yml Normal file
View File

@ -0,0 +1,17 @@
---
name: Flake8
on: [push]
# XXX need to do stuff with uv
jobs:
build:
runs-on: freebsd
strategy:
matrix:
python-version: ["3.11"]
steps:
- uses: actions/checkout@v4
- name: Analyse code with Flake8
run: |
flake8 $(git ls-files '*.py')

17
.gitea/workflows/mypy.yml Normal file
View File

@ -0,0 +1,17 @@
---
name: Mypy
on: [push]
# XXX need to do stuff with uv
jobs:
build:
runs-on: freebsd
strategy:
matrix:
python-version: ["3.11"]
steps:
- uses: actions/checkout@v4
- name: Analyse code with Mypy
run: |
mypy --install-types --non-interactive $(git ls-files '*.py')

17
.gitea/workflows/pylint.yml Normal file
View File

@ -0,0 +1,17 @@
---
name: Pylint
on: [push]
# XXX need to do stuff with uv
jobs:
build:
runs-on: freebsd
strategy:
matrix:
python-version: ["3.11"]
steps:
- uses: actions/checkout@v4
- name: Analyse code with Pylint
run: |
pylint $(git ls-files '*.py')

2
.gitignore vendored
View File

@ -1,7 +1,5 @@
venv/ venv/
*.sw?
*.pyc *.pyc
__pycache__/ __pycache__/

30
.gitlab-ci.yml
View File

@ -1,6 +1,34 @@
---
run pylint:
stage: test
image: python:3.11
script:
- pip install --upgrade pylint
- pylint $(git ls-files '*.py')
tags:
- docker
run flake8:
stage: test
image: python:3.11
script:
- pip install --upgrade flake8
- flake8 $(git ls-files '*.py')
tags:
- docker
run mypy:
stage: test
image: python:3.11
script:
- pip install --upgrade mypy
- mypy --install-types --non-interactive $(git ls-files '*.py')
tags:
- docker
run tests: run tests:
stage: test stage: test
image: python:3.9 image: python:3.11
script: script:
- pip install pytest pytest-cov pytest-mock pytest-flask - pip install pytest pytest-cov pytest-mock pytest-flask
- pip install Flask-HTTPAuth - pip install Flask-HTTPAuth

2
.pylintrc
View File

@ -1,2 +0,0 @@
[TYPECHECK]
generated-members=app.logger.*

1
README.md
View File

@ -1,6 +1,7 @@
[![pipeline status](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/badges/main/pipeline.svg)](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/-/commits/main) [![pipeline status](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/badges/main/pipeline.svg)](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/-/commits/main)
[![coverage report](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/badges/main/coverage.svg)](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/-/commits/main) [![coverage report](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/badges/main/coverage.svg)](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/-/commits/main)
An API to remotely control a pf based fail2ban
## Installation ## Installation

79
jail2ban/__init__.py
View File

@ -1,16 +1,17 @@
''' '''
jail2ban, a remote fail2ban action plugin using OpenBSD pf(8) An API to remotely control a pf based fail2ban
''' '''
from ipaddress import ip_address
import re import re
from ipaddress import ip_address
from subprocess import CalledProcessError from subprocess import CalledProcessError
from flask import Flask, request, jsonify, current_app from flask import Flask, current_app, jsonify, request
from flask_httpauth import HTTPBasicAuth from flask_httpauth import HTTPBasicAuth # type: ignore
from werkzeug.security import check_password_hash from werkzeug.security import check_password_hash
from jail2ban.pfctl import pfctl_table_op, pfctl_cfg_read, pfctl_cfg_write
from jail2ban.auth import get_users from jail2ban.auth import get_users
from jail2ban.pfctl import pfctl_cfg_read, pfctl_cfg_write, pfctl_table_op
auth = HTTPBasicAuth() auth = HTTPBasicAuth()
@ -20,15 +21,8 @@ PAT_PORT = r'^any(?:\s+port\s+{\w+(?:,\w+)*})?$'
PAT_PROT = r'^(?:tcp|udp)$' PAT_PROT = r'^(?:tcp|udp)$'
PAT_NAME = r'^[\w\-]+$' PAT_NAME = r'^[\w\-]+$'
_PFCTL_TABLE_PAT = r'''\s+(?P<addr>\S+)\n
\s+Cleared:\s+(?P<date>\S+\s+\S+\s+\d+\s+(?:\d{2}:){2}\d{2}\s+\d{4})\n
\s+In/Block:\s+\[\s+Packets:\s+(?P<in_pckt_block>\d+)\s+Bytes:\s+(?P<in_bytes_block>\d+)\s+\]\n
\s+In/Pass:\s+\[\s+Packets:\s+(?P<in_pckt_pass>\d+)\s+Bytes:\s+(?P<in_bytes_pass>\d+)\s+\]\n
\s+Out/Block:\s+\[\s+Packets:\s+(?P<out_pckt_block>\d+)\s+Bytes:\s+(?P<out_bytes_block>\d+)\s+\]\n
\s+Out/Pass:\s+\[\s+Packets:\s+(?P<out_pckt_pass>\d+)\s+Bytes:\s+(?P<out_bytes_pass>\d+)\s+\]'''
def untaint(pattern: str, string: str) -> str:
def untaint(pattern, string):
''' '''
untaint string (as perl does) untaint string (as perl does)
''' '''
@ -40,7 +34,7 @@ def untaint(pattern, string):
def create_app(): def create_app():
''' '''
Create wsgi application instance Create the flask application
''' '''
app = Flask(__name__, instance_relative_config=True) app = Flask(__name__, instance_relative_config=True)
@ -48,7 +42,7 @@ def create_app():
app.config.from_pyfile('config.py', silent=True) app.config.from_pyfile('config.py', silent=True)
@auth.verify_password @auth.verify_password
def verify_password(username, password): def verify_password(username: str, password: str) -> str | None:
users = get_users() users = get_users()
current_app.logger.debug(users) current_app.logger.debug(users)
current_app.logger.debug('Checking password of %s', username) current_app.logger.debug('Checking password of %s', username)
@ -62,17 +56,18 @@ def create_app():
def ping(): def ping():
remote_user = auth.username() remote_user = auth.username()
app.logger.info('Received ping for' app.logger.info('Received ping for'
f' anchor f2b-jail/{remote_user}') ' anchor f2b-jail/%s', remote_user)
return jsonify({'anchor': f'f2b-jail/{remote_user}', return jsonify({'anchor': f'f2b-jail/{remote_user}',
'operation': 'ping', 'operation': 'ping',
'result': 'pong'}) 'result': 'pong'})
@app.route("/flush/<name>", methods=['GET']) @app.route("/flush/<name>", methods=['GET'])
@auth.login_required @auth.login_required
def flush(name): def flush(name):
remote_user = auth.username() remote_user = auth.username()
name = untaint(PAT_NAME, name) name = untaint(PAT_NAME, name)
app.logger.info(f'Flushing table f2b-{name}' app.logger.info('Flushing table f2b-%s'
f' in anchor f2b-jail/{remote_user}') ' in anchor f2b-jail/%s', name, remote_user)
res = pfctl_table_op('f2b-jail/{remote_user}', res = pfctl_table_op('f2b-jail/{remote_user}',
table='f2b-{name}', table='f2b-{name}',
operation='flush') operation='flush')
@ -81,36 +76,6 @@ def create_app():
'operation': 'flush', 'operation': 'flush',
'result': [x.decode('ascii') for x in res]}) 'result': [x.decode('ascii') for x in res]})
@app.route("/list/<name>", methods=['GET'])
@auth.login_required
def list_table(name):
remote_user = auth.username()
name = untaint(PAT_NAME, name)
app.logger.info(f'Flushing table f2b-{name}'
f' in anchor f2b-jail/{remote_user}')
reply = {'anchor': f'f2b-jail/{remote_user}',
'table': f'f2b-{name}',
'operation': 'list'}
try:
res = pfctl_table_op('f2b-jail/{remote_user}',
table='f2b-{name}',
operation='show',
verbose=True)
except CalledProcessError as err:
if err.stderr.find(b'pfctl: Table does not exist.') > 0:
res = []
reply.update({'error': f'\'{name}\' is not a known fail2ban jail'})
else:
raise err
result = [entry.groupdict() for entry in
re.finditer(_PFCTL_TABLE_PAT,
'\n'.join([x.decode('ascii') for x in res]),
re.MULTILINE|re.VERBOSE)]
reply.update({'result': result})
return jsonify(reply), 200 if len(res) else 404
@app.route("/register", methods=['PUT', 'DELETE']) @app.route("/register", methods=['PUT', 'DELETE'])
@auth.login_required @auth.login_required
def register(): def register():
@ -142,7 +107,7 @@ def create_app():
pfctl_table_op(f'f2b-jail/{remote_user}', pfctl_table_op(f'f2b-jail/{remote_user}',
table=f'f2b-{name}', table=f'f2b-{name}',
operation='kill') operation='kill')
app.logger.info(f'pfctl -a f2b-jail/{remote_user} -f-') app.logger.info('pfctl -a f2b-jail/%s -f-', remote_user)
return jsonify({'anchor': f'f2b-jail/{remote_user}', return jsonify({'anchor': f'f2b-jail/{remote_user}',
'table': f'f2b-{name}', 'table': f'f2b-{name}',
'action': 'start' if request.method == 'PUT' 'action': 'start' if request.method == 'PUT'
@ -156,21 +121,21 @@ def create_app():
data = request.get_json() data = request.get_json()
# name / ip # name / ip
name = untaint(PAT_NAME, data['name']) name = untaint(PAT_NAME, data['name'])
ip_addr = ip_address(data['ip']) ip = ip_address(data['ip'])
if request.method == 'PUT': if request.method == 'PUT':
app.logger.info(f'Add {ip_addr} to f2b-{name}' app.logger.info('Add %s to f2b-%s'
f' in anchor f2b-jail/{remote_user}') ' in anchor f2b-jail/%s', ip, name, remote_user)
res = pfctl_table_op(f'f2b-jail/{remote_user}', res = pfctl_table_op(f'f2b-jail/{remote_user}',
table=f'f2b-{name}', table=f'f2b-{name}',
operation='add', operation='add',
value=str(ip_addr)) value=str(ip))
else: # 'DELETE': else: # 'DELETE':
app.logger.info(f'Remove {ip_addr} from f2b-{name}' app.logger.info('Remove %s from f2b-%s'
f' in anchor f2b-jail/{remote_user}') ' in anchor f2b-jail/%s', ip, name, remote_user)
res = pfctl_table_op(f'f2b-jail/{remote_user}', res = pfctl_table_op(f'f2b-jail/{remote_user}',
table=f'f2b-{name}', table=f'f2b-{name}',
operation='delete', operation='delete',
value=str(ip_addr)) value=str(ip))
return jsonify({'anchor': f'f2b-jail/{remote_user}', return jsonify({'anchor': f'f2b-jail/{remote_user}',
'table': f'f2b-{name}', 'table': f'f2b-{name}',
'operation': 'add' if request.method == 'PUT' 'operation': 'add' if request.method == 'PUT'
@ -191,8 +156,6 @@ def create_app():
Show a json parsable error if the value is illegal Show a json parsable error if the value is illegal
''' '''
app.logger.fatal(error) app.logger.fatal(error)
app.logger.fatal('stdout: %s', error.stderr)
app.logger.fatal('stderr: %s', error.stderr)
return jsonify({'error': str(error)}), 500 return jsonify({'error': str(error)}), 500
@app.errorhandler(FileNotFoundError) @app.errorhandler(FileNotFoundError)

6
jail2ban/auth.py
View File

@ -1,7 +1,13 @@
'''
Authentication backend
'''
from flask import current_app from flask import current_app
def get_users(): def get_users():
'''
Load users from password file (AUTHFILE)
'''
users = {} users = {}
authfile = current_app.config['AUTHFILE'] authfile = current_app.config['AUTHFILE']

14
jail2ban/pfctl.py
View File

@ -1,5 +1,5 @@
''' '''
Lowlevel routines for calling the pf binary with passwordless sudo pf table/anchor operations
''' '''
import logging import logging
from subprocess import run from subprocess import run
@ -7,9 +7,10 @@ from subprocess import run
_SUDO = '/usr/local/bin/sudo' _SUDO = '/usr/local/bin/sudo'
_PFCTL = '/sbin/pfctl' _PFCTL = '/sbin/pfctl'
def pfctl_cfg_read(anchor): def pfctl_cfg_read(anchor):
''' '''
Read pf rules stored under a certain anchor Read from pf anchor
''' '''
cmd = [_SUDO, _PFCTL, '-a', anchor, '-sr'] cmd = [_SUDO, _PFCTL, '-a', anchor, '-sr']
logging.info('Running %s', cmd) logging.info('Running %s', cmd)
@ -22,7 +23,7 @@ def pfctl_cfg_read(anchor):
def pfctl_cfg_write(anchor, cfg): def pfctl_cfg_write(anchor, cfg):
''' '''
Write pf rules under a certain anchor Apply configuration to pf anchor
''' '''
cmd = [_SUDO, _PFCTL, '-a', anchor, '-f-'] cmd = [_SUDO, _PFCTL, '-a', anchor, '-f-']
logging.info('Running %s', cmd) logging.info('Running %s', cmd)
@ -40,12 +41,15 @@ def pfctl_cfg_write(anchor, cfg):
def pfctl_table_op(anchor, **kwargs): def pfctl_table_op(anchor, **kwargs):
''' '''
pf table operation pf table operation
Parameters:
* table: which table to work on
* operation: operation used on the table
* value (optional): value used for the operation
''' '''
table = kwargs['table'] table = kwargs['table']
operation = kwargs['operation'] operation = kwargs['operation']
value = kwargs['value'] if 'value' in kwargs else None value = kwargs['value'] if 'value' in kwargs else None
verbose = '-v' if 'verbose' in kwargs and kwargs['verbose'] else None cmd = [_SUDO, _PFCTL, '-a', anchor, '-t', table, '-T', operation, value]
cmd = [_SUDO, _PFCTL, '-a', anchor, '-t', table, verbose, '-T', operation, value]
logging.info('Running %s', cmd) logging.info('Running %s', cmd)

16
tests/conftest.py
View File

@ -1,5 +1,10 @@
import pytest '''
Test fixtures
'''
import base64 import base64
import pytest
from jail2ban import create_app from jail2ban import create_app
@ -21,14 +26,23 @@ def app():
@pytest.fixture() @pytest.fixture()
def client(app): def client(app):
'''
Create a synthetic client
'''
return app.test_client() return app.test_client()
@pytest.fixture() @pytest.fixture()
def runner(app): def runner(app):
'''
Create a synthetic runner
'''
return app.test_cli_runner() return app.test_cli_runner()
@pytest.fixture() @pytest.fixture()
def valid_credentials(): def valid_credentials():
'''
Mock authentication for the test
'''
return base64.b64encode(b"test.example.com:testpassword").decode("utf-8") return base64.b64encode(b"test.example.com:testpassword").decode("utf-8")

18
tests/test_ban.py
View File

@ -1,7 +1,13 @@
'''
Test banning
'''
from types import SimpleNamespace from types import SimpleNamespace
def test_ban_ipv6(client, mocker, valid_credentials): def test_ban_ipv6(client, mocker, valid_credentials):
'''
Test ban an IPv6 address
'''
def noop(): def noop():
pass pass
run_res = SimpleNamespace() run_res = SimpleNamespace()
@ -22,6 +28,9 @@ def test_ban_ipv6(client, mocker, valid_credentials):
def test_ban_ipv4(client, mocker, valid_credentials): def test_ban_ipv4(client, mocker, valid_credentials):
'''
Test ban an IPv4 address
'''
def noop(): def noop():
pass pass
run_res = SimpleNamespace() run_res = SimpleNamespace()
@ -42,6 +51,9 @@ def test_ban_ipv4(client, mocker, valid_credentials):
def test_ban_invalid(client, mocker, valid_credentials): def test_ban_invalid(client, mocker, valid_credentials):
'''
Test ban an invalid address
'''
def noop(): def noop():
pass pass
run_res = SimpleNamespace() run_res = SimpleNamespace()
@ -63,6 +75,9 @@ def test_ban_invalid(client, mocker, valid_credentials):
def test_unban_ipv6(client, mocker, valid_credentials): def test_unban_ipv6(client, mocker, valid_credentials):
'''
Test unbanning an IPv6 address
'''
def noop(): def noop():
pass pass
run_res = SimpleNamespace() run_res = SimpleNamespace()
@ -83,6 +98,9 @@ def test_unban_ipv6(client, mocker, valid_credentials):
def test_unban_ipv4(client, mocker, valid_credentials): def test_unban_ipv4(client, mocker, valid_credentials):
'''
Test unbanning an IPv4 address
'''
def noop(): def noop():
pass pass
run_res = SimpleNamespace() run_res = SimpleNamespace()

17
tests/test_flush.py
View File

@ -1,8 +1,14 @@
'''
Test flushing pf tables
'''
from types import SimpleNamespace from types import SimpleNamespace
from subprocess import CalledProcessError from subprocess import CalledProcessError
def test_flush(client, mocker, valid_credentials): def test_flush(client, mocker, valid_credentials):
'''
Test flushing existing entry
'''
def noop(): def noop():
pass pass
run_res = SimpleNamespace() run_res = SimpleNamespace()
@ -22,6 +28,9 @@ def test_flush(client, mocker, valid_credentials):
def test_flush_nonexistent(client, mocker, valid_credentials): def test_flush_nonexistent(client, mocker, valid_credentials):
'''
Test flushing non existing entry
'''
cmd = ['/usr/local/bin/sudo', cmd = ['/usr/local/bin/sudo',
'/sbin/pfctl', '-a', 'some/anchor', '/sbin/pfctl', '-a', 'some/anchor',
@ -42,6 +51,9 @@ def test_flush_nonexistent(client, mocker, valid_credentials):
def test_wrong_method(client, mocker, valid_credentials): def test_wrong_method(client, mocker, valid_credentials):
'''
Test invalid method
'''
cmd = ['/usr/local/bin/sudo', cmd = ['/usr/local/bin/sudo',
'/sbin/pfctl', '-a', 'some/anchor', '/sbin/pfctl', '-a', 'some/anchor',
@ -61,7 +73,10 @@ def test_wrong_method(client, mocker, valid_credentials):
assert response.status_code == 405 assert response.status_code == 405
def test_filenotfound(app, mocker, valid_credentials): def test_filenotfound(app, valid_credentials):
'''
Test for when AUTHFILE cannot be found
'''
app.config.update({ app.config.update({
"AUTHFILE": '../tests/nonexistent-users-test.txt' "AUTHFILE": '../tests/nonexistent-users-test.txt'

140
tests/test_list.py
View File

@ -1,140 +0,0 @@
'''
Tests for /list route
'''
from types import SimpleNamespace
from subprocess import CalledProcessError
_PF_TABLE_LIST = b''' 192.0.2.66
Cleared: Sat Jan 7 12:50:36 2023
In/Block: [ Packets: 0 Bytes: 0 ]
In/Pass: [ Packets: 0 Bytes: 0 ]
Out/Block: [ Packets: 0 Bytes: 0 ]
Out/Pass: [ Packets: 0 Bytes: 0 ]
2001:db8::abad:cafe
Cleared: Sat Jan 7 05:13:53 2023
In/Block: [ Packets: 4 Bytes: 240 ]
In/Pass: [ Packets: 0 Bytes: 0 ]
Out/Block: [ Packets: 0 Bytes: 0 ]
Out/Pass: [ Packets: 0 Bytes: 0 ]
2001:db8::abad:f00d:cafe
Cleared: Sat Jan 7 05:05:16 2023
In/Block: [ Packets: 48 Bytes: 2880 ]
In/Pass: [ Packets: 0 Bytes: 0 ]
Out/Block: [ Packets: 0 Bytes: 0 ]
Out/Pass: [ Packets: 0 Bytes: 0 ]'''
_LIST_RESULT = [{'addr': '192.0.2.66',
'date': 'Sat Jan 7 12:50:36 2023',
'in_pckt_block': '0',
'in_bytes_block': '0',
'in_pckt_pass': '0',
'in_bytes_pass': '0',
'out_pckt_block': '0',
'out_bytes_block': '0',
'out_pckt_pass': '0',
'out_bytes_pass': '0'},
{'addr': '2001:db8::abad:cafe',
'date': 'Sat Jan 7 05:13:53 2023',
'in_pckt_block': '4',
'in_bytes_block': '240',
'in_pckt_pass': '0',
'in_bytes_pass': '0',
'out_pckt_block': '0',
'out_bytes_block': '0',
'out_pckt_pass': '0',
'out_bytes_pass': '0'},
{'addr': '2001:db8::abad:f00d:cafe',
'date': 'Sat Jan 7 05:05:16 2023',
'in_pckt_block': '48',
'in_bytes_block': '2880',
'in_pckt_pass': '0',
'in_bytes_pass': '0',
'out_pckt_block': '0',
'out_bytes_block': '0',
'out_pckt_pass': '0',
'out_bytes_pass': '0'}]
def test_list_single_table(client, mocker, valid_credentials):
'''
List a single pf table using the fail2ban jail name
'''
def noop():
pass
run_res = SimpleNamespace()
run_res.stdout = _PF_TABLE_LIST
run_res.stderr = b'No ALTQ support in kernel\nALTQ related functions disabled\n'
run_res.returncode = 0
run_res.check_returncode = noop
mocker.patch('jail2ban.pfctl.run', return_value=run_res)
response = client.get("/list/sshd",
headers={"Authorization":
"Basic " + valid_credentials})
assert response.json['table'] == 'f2b-sshd'
assert response.json['result'] == _LIST_RESULT
def test_list_nonexistent_table(client, mocker, valid_credentials):
'''
Test for nonexistent table. Should result in a 404 not found
'''
def noop():
pass
run_res = SimpleNamespace()
run_res.stdout = b''
run_res.stderr = b'No ALTQ support in kernel\nALTQ related functions disabled\n' \
b'pfctl: Table does not exist.\n'
run_res.returncode = 255
run_res.check_returncode = noop
mocker.patch('jail2ban.pfctl.run',
return_value=run_res,
side_effect=CalledProcessError(run_res.returncode,
'foobar',
output=run_res.stdout,
stderr=run_res.stderr)
)
response = client.get("/list/nonexistent",
headers={"Authorization":
"Basic " + valid_credentials})
assert response.status_code == 404
assert response.json['error'] == "'nonexistent' is not " \
"a known fail2ban jail"
def test_list_wrong_table_name(client, mocker, valid_credentials):
'''
Test for an wrong table name that lets pfctl fail. should result in a 500
'''
def noop():
pass
run_res = SimpleNamespace()
run_res.stdout = b''
run_res.stderr = b'No ALTQ support in kernel\nALTQ related functions disabled\n' \
b'pfctl: Invalid argument.\n'
run_res.returncode = 255
run_res.check_returncode = noop
mocker.patch('jail2ban.pfctl.run',
return_value=run_res,
side_effect=CalledProcessError(run_res.returncode,
'foobar',
output=run_res.stdout,
stderr=run_res.stderr)
)
response = client.get("/list/notanerrorbuttestneedstofail",
headers={"Authorization":
"Basic " + valid_credentials})
assert response.status_code == 500
assert response.json['error'] == "Command 'foobar' returned non-zero exit status 255."

7
tests/test_ping.py
View File

@ -1,4 +1,9 @@
def test_ping(client, mocker, valid_credentials): '''
Test application health check
'''
def test_ping(client, valid_credentials):
''' '''
Test application health check Test application health check
''' '''

32
tests/test_register.py
View File

@ -1,6 +1,9 @@
'''
Test various registration scenarios
'''
from subprocess import CompletedProcess from subprocess import CompletedProcess
pfctl_stdout_lines = b''' PFCTL_STDOUT_LINES = b'''
block drop quick proto tcp from <f2b-sendmail-auth> to any port = submission block drop quick proto tcp from <f2b-sendmail-auth> to any port = submission
block drop quick proto tcp from <f2b-sendmail-auth> to any port = smtps block drop quick proto tcp from <f2b-sendmail-auth> to any port = smtps
block drop quick proto tcp from <f2b-sendmail-auth> to any port = smtp block drop quick proto tcp from <f2b-sendmail-auth> to any port = smtp
@ -8,13 +11,16 @@ block drop quick proto tcp from <f2b-sshd> to any port = ssh
block drop quick proto tcp from <f2b-recidive> to any block drop quick proto tcp from <f2b-recidive> to any
'''.strip() + b'\n' '''.strip() + b'\n'
pfctl_stdout_lines_scratch = b'table <f2b-dovecot> persist counters\n' \ PFCTL_STDOUT_LINES_SCRATCH = b'table <f2b-dovecot> persist counters\n' \
b'block quick proto tcp from <f2b-dovecot>' \ b'block quick proto tcp from <f2b-dovecot>' \
b' to any port ' \ b' to any port ' \
b'{pop3,pop3s,imap,imaps,submission,465,sieve}\n' b'{pop3,pop3s,imap,imaps,submission,465,sieve}\n'
def test_register_unauth(client): def test_register_unauth(client):
'''
Test a registration without being authorized
'''
json_payload = {"port": json_payload = {"port":
"any port {pop3,pop3s,imap,imaps,submission,465,sieve}", "any port {pop3,pop3s,imap,imaps,submission,465,sieve}",
"name": "dovecot", "protocol": "tcp"} "name": "dovecot", "protocol": "tcp"}
@ -24,10 +30,13 @@ def test_register_unauth(client):
def test_unregister_valid(client, mocker, valid_credentials): def test_unregister_valid(client, mocker, valid_credentials):
'''
Test unregistration
'''
def noop(): def noop():
pass pass
run_res = CompletedProcess(args=['true'], returncode=0) run_res = CompletedProcess(args=['true'], returncode=0)
run_res.stdout = pfctl_stdout_lines run_res.stdout = PFCTL_STDOUT_LINES
run_res.check_returncode = noop run_res.check_returncode = noop
mocker.patch('jail2ban.pfctl.run', return_value=run_res) mocker.patch('jail2ban.pfctl.run', return_value=run_res)
@ -45,10 +54,13 @@ def test_unregister_valid(client, mocker, valid_credentials):
def test_register_valid(client, mocker, valid_credentials): def test_register_valid(client, mocker, valid_credentials):
'''
Test a registration of a rule
'''
def noop(): def noop():
pass pass
run_res = CompletedProcess(args=['true'], returncode=0) run_res = CompletedProcess(args=['true'], returncode=0)
run_res.stdout = pfctl_stdout_lines run_res.stdout = PFCTL_STDOUT_LINES
run_res.check_returncode = noop run_res.check_returncode = noop
pfctl_run = mocker.patch('jail2ban.pfctl.run', return_value=run_res) pfctl_run = mocker.patch('jail2ban.pfctl.run', return_value=run_res)
@ -63,13 +75,16 @@ def test_register_valid(client, mocker, valid_credentials):
"Basic " + valid_credentials}) "Basic " + valid_credentials})
pfctl_run_input_arg = pfctl_run.call_args_list[1][1]['input'] pfctl_run_input_arg = pfctl_run.call_args_list[1][1]['input']
for existing_line in pfctl_stdout_lines.splitlines(): for existing_line in PFCTL_STDOUT_LINES.splitlines():
assert existing_line in pfctl_run_input_arg.splitlines() assert existing_line in pfctl_run_input_arg.splitlines()
assert response.json['action'] == 'start' assert response.json['action'] == 'start'
def test_register_valid_from_scratch(client, mocker, valid_credentials): def test_register_valid_from_scratch(client, mocker, valid_credentials):
'''
Test from scratch point of view
'''
def noop(): def noop():
pass pass
run_res = CompletedProcess(args=['true'], returncode=0) run_res = CompletedProcess(args=['true'], returncode=0)
@ -88,15 +103,18 @@ def test_register_valid_from_scratch(client, mocker, valid_credentials):
"Basic " + valid_credentials}) "Basic " + valid_credentials})
pfctl_run_input_arg = pfctl_run.call_args_list[1][1]['input'] pfctl_run_input_arg = pfctl_run.call_args_list[1][1]['input']
assert pfctl_run_input_arg == pfctl_stdout_lines_scratch assert pfctl_run_input_arg == PFCTL_STDOUT_LINES_SCRATCH
assert response.json['action'] == 'start' assert response.json['action'] == 'start'
def test_register_invalid(client, mocker, valid_credentials): def test_register_invalid(client, mocker, valid_credentials):
'''
Test a bogus pf command
'''
def noop(): def noop():
pass pass
run_res = CompletedProcess(args=['true'], returncode=0) run_res = CompletedProcess(args=['true'], returncode=0)
run_res.stdout = pfctl_stdout_lines run_res.stdout = PFCTL_STDOUT_LINES
run_res.check_returncode = noop run_res.check_returncode = noop
mocker.patch('jail2ban.pfctl.run', return_value=run_res) mocker.patch('jail2ban.pfctl.run', return_value=run_res)