ruben/jail2ban
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: ruben:main
Branches Tags
ruben:main ruben:develop
ruben:2023.1 ruben:2022.1
..
compare: ruben:f39d319b25f5197859b06947d27e27e563aaafd6
Branches Tags
ruben:main ruben:develop
ruben:2023.1 ruben:2022.1

1 Commits
main ... f39d319b25

Author SHA1 Message Date
Ruben van Staveren
f39d319b25 Merge branch 'release/2023.1' into develop 2023-01-13 10:33:59 +01:00
13 changed files with 29 additions and 211 deletions
Expand all files Collapse all files

17
.gitea/workflows/flake8.yml
View File

@ -1,17 +0,0 @@
---
name: Flake8
on: [push]
# XXX need to do stuff with uv
jobs:
build:
runs-on: freebsd
strategy:
matrix:
python-version: ["3.11"]
steps:
- uses: actions/checkout@v4
- name: Analyse code with Flake8
run: |
flake8 $(git ls-files '*.py')

17
.gitea/workflows/mypy.yml
View File

@ -1,17 +0,0 @@
---
name: Mypy
on: [push]
# XXX need to do stuff with uv
jobs:
build:
runs-on: freebsd
strategy:
matrix:
python-version: ["3.11"]
steps:
- uses: actions/checkout@v4
- name: Analyse code with Mypy
run: |
mypy --install-types --non-interactive $(git ls-files '*.py')

17
.gitea/workflows/pylint.yml
View File

@ -1,17 +0,0 @@
---
name: Pylint
on: [push]
# XXX need to do stuff with uv
jobs:
build:
runs-on: freebsd
strategy:
matrix:
python-version: ["3.11"]
steps:
- uses: actions/checkout@v4
- name: Analyse code with Pylint
run: |
pylint $(git ls-files '*.py')

30
.gitlab-ci.yml
View File

@ -1,34 +1,6 @@
---
run pylint:
stage: test
image: python:3.11
script:
- pip install --upgrade pylint
- pylint $(git ls-files '*.py')
tags:
- docker
run flake8:
stage: test
image: python:3.11
script:
- pip install --upgrade flake8
- flake8 $(git ls-files '*.py')
tags:
- docker
run mypy:
stage: test
image: python:3.11
script:
- pip install --upgrade mypy
- mypy --install-types --non-interactive $(git ls-files '*.py')
tags:
- docker
run tests:
stage: test
image: python:3.11
image: python:3.9
script:
- pip install pytest pytest-cov pytest-mock pytest-flask
- pip install Flask-HTTPAuth

1
README.md
View File

@ -1,7 +1,6 @@
[![pipeline status](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/badges/main/pipeline.svg)](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/-/commits/main)
[![coverage report](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/badges/main/coverage.svg)](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/-/commits/main)
An API to remotely control a pf based fail2ban
## Installation

44
jail2ban/__init__.py
View File

@ -1,17 +1,11 @@
'''
An API to remotely control a pf based fail2ban
'''
import re
from ipaddress import ip_address
from subprocess import CalledProcessError
from flask import Flask, current_app, jsonify, request
from flask_httpauth import HTTPBasicAuth # type: ignore
from flask import Flask, request, jsonify, current_app
from flask_httpauth import HTTPBasicAuth
from werkzeug.security import check_password_hash
from ipaddress import ip_address
import re
from jail2ban.pfctl import pfctl_table_op, pfctl_cfg_read, pfctl_cfg_write
from jail2ban.auth import get_users
from jail2ban.pfctl import pfctl_cfg_read, pfctl_cfg_write, pfctl_table_op
from subprocess import CalledProcessError
auth = HTTPBasicAuth()
@ -22,52 +16,48 @@ PAT_PROT = r'^(?:tcp|udp)$'
PAT_NAME = r'^[\w\-]+$'
def untaint(pattern: str, string: str) -> str:
def untaint(pattern, string):
'''
untaint string (as perl does)
'''
match = re.match(pattern, string)
if match:
return match.string
else:
raise ValueError(f'"{string}" is tainted')
def create_app():
'''
Create the flask application
'''
app = Flask(__name__, instance_relative_config=True)
# load the instance config, if it exists, when not testing
app.config.from_pyfile('config.py', silent=True)
@auth.verify_password
def verify_password(username: str, password: str) -> str | None:
def verify_password(username, password):
users = get_users()
current_app.logger.debug(users)
current_app.logger.debug('Checking password of %s', username)
if username in users and \
check_password_hash(users.get(username), password):
return username
return None
@app.route("/ping", methods=['GET'])
@auth.login_required
def ping():
remote_user = auth.username()
app.logger.info('Received ping for'
' anchor f2b-jail/%s', remote_user)
f' anchor f2b-jail/{remote_user}')
return jsonify({'anchor': f'f2b-jail/{remote_user}',
'operation': 'ping',
'result': 'pong'})
@app.route("/flush/<name>", methods=['GET'])
@auth.login_required
def flush(name):
remote_user = auth.username()
name = untaint(PAT_NAME, name)
app.logger.info('Flushing table f2b-%s'
' in anchor f2b-jail/%s', name, remote_user)
app.logger.info(f'Flushing table f2b-{name}'
f' in anchor f2b-jail/{remote_user}')
res = pfctl_table_op('f2b-jail/{remote_user}',
table='f2b-{name}',
operation='flush')
@ -107,7 +97,7 @@ def create_app():
pfctl_table_op(f'f2b-jail/{remote_user}',
table=f'f2b-{name}',
operation='kill')
app.logger.info('pfctl -a f2b-jail/%s -f-', remote_user)
app.logger.info(f'pfctl -a f2b-jail/{remote_user} -f-')
return jsonify({'anchor': f'f2b-jail/{remote_user}',
'table': f'f2b-{name}',
'action': 'start' if request.method == 'PUT'
@ -123,15 +113,15 @@ def create_app():
name = untaint(PAT_NAME, data['name'])
ip = ip_address(data['ip'])
if request.method == 'PUT':
app.logger.info('Add %s to f2b-%s'
' in anchor f2b-jail/%s', ip, name, remote_user)
app.logger.info(f'Add {ip} to f2b-{name}'
f' in anchor f2b-jail/{remote_user}')
res = pfctl_table_op(f'f2b-jail/{remote_user}',
table=f'f2b-{name}',
operation='add',
value=str(ip))
else: # 'DELETE':
app.logger.info('Remove %s from f2b-%s'
' in anchor f2b-jail/%s', ip, name, remote_user)
app.logger.info(f'Remove {ip} from f2b-{name}'
f' in anchor f2b-jail/{remote_user}')
res = pfctl_table_op(f'f2b-jail/{remote_user}',
table=f'f2b-{name}',
operation='delete',

6
jail2ban/auth.py
View File

@ -1,13 +1,7 @@
'''
Authentication backend
'''
from flask import current_app
def get_users():
'''
Load users from password file (AUTHFILE)
'''
users = {}
authfile = current_app.config['AUTHFILE']

16
jail2ban/pfctl.py
View File

@ -1,6 +1,3 @@
'''
pf table/anchor operations
'''
import logging
from subprocess import run
@ -9,9 +6,6 @@ _PFCTL = '/sbin/pfctl'
def pfctl_cfg_read(anchor):
'''
Read from pf anchor
'''
cmd = [_SUDO, _PFCTL, '-a', anchor, '-sr']
logging.info('Running %s', cmd)
@ -22,9 +16,6 @@ def pfctl_cfg_read(anchor):
def pfctl_cfg_write(anchor, cfg):
'''
Apply configuration to pf anchor
'''
cmd = [_SUDO, _PFCTL, '-a', anchor, '-f-']
logging.info('Running %s', cmd)
logging.info('Config %s', cfg)
@ -39,13 +30,6 @@ def pfctl_cfg_write(anchor, cfg):
def pfctl_table_op(anchor, **kwargs):
'''
pf table operation
Parameters:
* table: which table to work on
* operation: operation used on the table
* value (optional): value used for the operation
'''
table = kwargs['table']
operation = kwargs['operation']
value = kwargs['value'] if 'value' in kwargs else None

16
tests/conftest.py
View File

@ -1,10 +1,5 @@
'''
Test fixtures
'''
import base64
import pytest
import base64
from jail2ban import create_app
@ -26,23 +21,14 @@ def app():
@pytest.fixture()
def client(app):
'''
Create a synthetic client
'''
return app.test_client()
@pytest.fixture()
def runner(app):
'''
Create a synthetic runner
'''
return app.test_cli_runner()
@pytest.fixture()
def valid_credentials():
'''
Mock authentication for the test
'''
return base64.b64encode(b"test.example.com:testpassword").decode("utf-8")

18
tests/test_ban.py
View File

@ -1,13 +1,7 @@
'''
Test banning
'''
from types import SimpleNamespace
def test_ban_ipv6(client, mocker, valid_credentials):
'''
Test ban an IPv6 address
'''
def noop():
pass
run_res = SimpleNamespace()
@ -28,9 +22,6 @@ def test_ban_ipv6(client, mocker, valid_credentials):
def test_ban_ipv4(client, mocker, valid_credentials):
'''
Test ban an IPv4 address
'''
def noop():
pass
run_res = SimpleNamespace()
@ -51,9 +42,6 @@ def test_ban_ipv4(client, mocker, valid_credentials):
def test_ban_invalid(client, mocker, valid_credentials):
'''
Test ban an invalid address
'''
def noop():
pass
run_res = SimpleNamespace()
@ -75,9 +63,6 @@ def test_ban_invalid(client, mocker, valid_credentials):
def test_unban_ipv6(client, mocker, valid_credentials):
'''
Test unbanning an IPv6 address
'''
def noop():
pass
run_res = SimpleNamespace()
@ -98,9 +83,6 @@ def test_unban_ipv6(client, mocker, valid_credentials):
def test_unban_ipv4(client, mocker, valid_credentials):
'''
Test unbanning an IPv4 address
'''
def noop():
pass
run_res = SimpleNamespace()

17
tests/test_flush.py
View File

@ -1,14 +1,8 @@
'''
Test flushing pf tables
'''
from types import SimpleNamespace
from subprocess import CalledProcessError
def test_flush(client, mocker, valid_credentials):
'''
Test flushing existing entry
'''
def noop():
pass
run_res = SimpleNamespace()
@ -28,9 +22,6 @@ def test_flush(client, mocker, valid_credentials):
def test_flush_nonexistent(client, mocker, valid_credentials):
'''
Test flushing non existing entry
'''
cmd = ['/usr/local/bin/sudo',
'/sbin/pfctl', '-a', 'some/anchor',
@ -51,9 +42,6 @@ def test_flush_nonexistent(client, mocker, valid_credentials):
def test_wrong_method(client, mocker, valid_credentials):
'''
Test invalid method
'''
cmd = ['/usr/local/bin/sudo',
'/sbin/pfctl', '-a', 'some/anchor',
@ -73,10 +61,7 @@ def test_wrong_method(client, mocker, valid_credentials):
assert response.status_code == 405
def test_filenotfound(app, valid_credentials):
'''
Test for when AUTHFILE cannot be found
'''
def test_filenotfound(app, mocker, valid_credentials):
app.config.update({
"AUTHFILE": '../tests/nonexistent-users-test.txt'

7
tests/test_ping.py
View File

@ -1,9 +1,4 @@
'''
Test application health check
'''
def test_ping(client, valid_credentials):
def test_ping(client, mocker, valid_credentials):
'''
Test application health check
'''

32
tests/test_register.py
View File

@ -1,9 +1,6 @@
'''
Test various registration scenarios
'''
from subprocess import CompletedProcess
PFCTL_STDOUT_LINES = b'''
pfctl_stdout_lines = b'''
block drop quick proto tcp from <f2b-sendmail-auth> to any port = submission
block drop quick proto tcp from <f2b-sendmail-auth> to any port = smtps
block drop quick proto tcp from <f2b-sendmail-auth> to any port = smtp
@ -11,16 +8,13 @@ block drop quick proto tcp from <f2b-sshd> to any port = ssh
block drop quick proto tcp from <f2b-recidive> to any
'''.strip() + b'\n'
PFCTL_STDOUT_LINES_SCRATCH = b'table <f2b-dovecot> persist counters\n' \
pfctl_stdout_lines_scratch = b'table <f2b-dovecot> persist counters\n' \
b'block quick proto tcp from <f2b-dovecot>' \
b' to any port ' \
b'{pop3,pop3s,imap,imaps,submission,465,sieve}\n'
def test_register_unauth(client):
'''
Test a registration without being authorized
'''
json_payload = {"port":
"any port {pop3,pop3s,imap,imaps,submission,465,sieve}",
"name": "dovecot", "protocol": "tcp"}
@ -30,13 +24,10 @@ def test_register_unauth(client):
def test_unregister_valid(client, mocker, valid_credentials):
'''
Test unregistration
'''
def noop():
pass
run_res = CompletedProcess(args=['true'], returncode=0)
run_res.stdout = PFCTL_STDOUT_LINES
run_res.stdout = pfctl_stdout_lines
run_res.check_returncode = noop
mocker.patch('jail2ban.pfctl.run', return_value=run_res)
@ -54,13 +45,10 @@ def test_unregister_valid(client, mocker, valid_credentials):
def test_register_valid(client, mocker, valid_credentials):
'''
Test a registration of a rule
'''
def noop():
pass
run_res = CompletedProcess(args=['true'], returncode=0)
run_res.stdout = PFCTL_STDOUT_LINES
run_res.stdout = pfctl_stdout_lines
run_res.check_returncode = noop
pfctl_run = mocker.patch('jail2ban.pfctl.run', return_value=run_res)
@ -75,16 +63,13 @@ def test_register_valid(client, mocker, valid_credentials):
"Basic " + valid_credentials})
pfctl_run_input_arg = pfctl_run.call_args_list[1][1]['input']
for existing_line in PFCTL_STDOUT_LINES.splitlines():
for existing_line in pfctl_stdout_lines.splitlines():
assert existing_line in pfctl_run_input_arg.splitlines()
assert response.json['action'] == 'start'
def test_register_valid_from_scratch(client, mocker, valid_credentials):
'''
Test from scratch point of view
'''
def noop():
pass
run_res = CompletedProcess(args=['true'], returncode=0)
@ -103,18 +88,15 @@ def test_register_valid_from_scratch(client, mocker, valid_credentials):
"Basic " + valid_credentials})
pfctl_run_input_arg = pfctl_run.call_args_list[1][1]['input']
assert pfctl_run_input_arg == PFCTL_STDOUT_LINES_SCRATCH
assert pfctl_run_input_arg == pfctl_stdout_lines_scratch
assert response.json['action'] == 'start'
def test_register_invalid(client, mocker, valid_credentials):
'''
Test a bogus pf command
'''
def noop():
pass
run_res = CompletedProcess(args=['true'], returncode=0)
run_res.stdout = PFCTL_STDOUT_LINES
run_res.stdout = pfctl_stdout_lines
run_res.check_returncode = noop
mocker.patch('jail2ban.pfctl.run', return_value=run_res)