o ;s*b]@sdZdZdZddlZddlZddlZddlZddlmZm Z m Z ddl m Z m Z ddlmZd d lmZd d lmZmZmZGd d d eZdS)z Cyril Jaquierz Copyright (c) 2004 Cyril JaquierGPLN) CommandAction CallingMapsubstituteRecursiveTags) OrderedDictActions)Utils) DummyJail) pid_exists with_tmpdirLogCaptureTestCasec@seZdZddZddZddZddZd d Zd d Zd dZ ddZ e ddZ ddZ e ddZe ddZe ddZddZddZdd Zd!d"Zd#d$Zd%d&Zd'd(Zd)d*Zd+d,Zd-d.Zd/d0Zd1d2Zd3d4Zd5S)6CommandActionTestcs>ttdd_d_jjfdd}|j_dS)zCall before every test case.NTestFcs d_S)NT)"_CommandActionTest__action_startedorgstartselfr?/usr/lib/python3/dist-packages/fail2ban/tests/actiontestcase.py _action_start1sz.CommandActionTest.setUp.._action_start)rsetUpr_CommandActionTest__actionrstart)rrrrrr*s   zCommandActionTest.setUpcCs|jr|jt|dS)zCall after every test case.N)rrstoprtearDownrrrrr6s zCommandActionTest.tearDownc Csdddd}|tdd|tdd|tdd|td d|td dtrl|ttd d d ddd|ttddddd ddd|ttdtd|tdd|tdd|tddiddi|tdddd dd|td!d"d#d$d"d#|td%d"d#d&d"d#|td'd(d)d*d+d(d)d*|t|dd,d-d|td.d/d0d1d/d0|td.d/d2d3d2d/d2d3|td4d5d2d3d6d5d2d3dS)7N 192.0.2.0z 123 z 890 HOSTABCxyzcSs tddiS)NArrrrrD z?CommandActionTest.testSubstituteRecursiveTags..cSstdddS)Nr$r#Br%rrrrr&FcSstddddS)Nr(r$)r#r*Cr%rrrrr&HcStdddddS)Nzto= fromip=r(r,)r#r-r*Dr%rrrrr&KcSr/)Nzto= fromip=z zr0) failregexsweethoneypot ignoreregexr%rrrrr&Mr2))Xzx=xT1)Zz Yzy=yzx=x1r:zy=y1z x=x1 1 y=y1)r7r9r=r;))r7zx=x <> <>)R1r;)R2r=r8)r;z r<zx=x1 1 y=y1 1 y=y1 y=y1r;r=z1 y=y1)r7r>r?r9r;r=) ) actionstartzgipset create hash:ip timeout family -I )ipmsetz f2b-nameanybantime600 ipsetfamilyinet)iptablesziptables  lockingoptz-wchainINPUT) actiontypez ) multiportzY-p -m multiport --dports -m set --match-set src -j protocoltcpportssh blocktypeREJECT) )r@zipset create f2b-any hash:ip timeout 600 family inet iptables -w -I INPUT -p tcp -m multiport --dports ssh -m set --match-set f2b-any src -j REJECT)rAzf2b-anyrBrErH)rKz iptables -wrLrN)rQI-p tcp -m multiport --dports ssh -m set --match-set f2b-any src -j REJECT)rRr\rSrVrYcS ttdS)N)r#z<>r*r1r-EDEz cycle rrrrrrr&{r'cSr])N)rbr^r_r`rdrrrrr&r'r#r,z fun)r#r7z funz coolr)z coolz z coolz/to= fromip= evilperson=pokier0)r3r5r6z%to=pokie fromip= evilperson=pokiez 123 192.0.2.0z890 123 192.0.2.0z <HOST>IPV4)r#PREFz z1.2.3.4)r#riIPV4HOSTzA HOST> B IP CV4zA 1.2.3.4 B IPV4 C) assertRaises ValueErrorr assertEqualrraInforrrtestSubstituteRecursiveTags<sx     z-CommandActionTest.testSubstituteRecursiveTagscstddddddtdddd<tfddtd d <tfd djd d jddtfddjdd dS)NrcSdS)Nzrrrrrr&zHCommandActionTest.testSubstRec_DontTouchUnusedCallable..r0)r#r*r-r1cSsdt|dS)Nr#int)rirrrr&r.r-csdS)Nr-rrcmrrr&test=r1cstSNr%rrxrrr&rzztest=ztest=0ztest=----ztest=0----0csjdS)Nr{)r replaceTagrryrrrr&r+z)r)rrrlZeroDivisionErrorrnrr}rrr~r$testSubstRec_DontTouchUnusedCallables z6CommandActionTest.testSubstRec_DontTouchUnusedCallablecCsdddd}||jd|d||jd|d||jd |d ||jd d d id||jddd id||jdddidd|d<||jd |d||jdtdddddS)Nr123890rz Text
textz Text textzText textzText 192.0.2.0 textzText text ABCzText 890 text 123 ABCz matchesz$some >char< should \< be[ escap}ed& z,some \>char\< should \\\< be\[ escap\}ed\&\nz ipmatchesz ipjailmatchesz%some >char< should \< be[ escap}ed& z.some \>char\< should \\\< be\[ escap\}ed\&\r\nzr!zText 890 text 890 ABCz09 11cStdSN strrrrrr&rzz2CommandActionTest.testReplaceTag..rz09 10 11rnrr}rrorrrtestReplaceTagsZ     z CommandActionTest.testReplaceTagcCs$||jdtdddddS)NabccSrNarurrrrr&rzz4CommandActionTest.testReplaceNoTag..rrrrrrtestReplaceNoTags  z"CommandActionTest.testReplaceNoTagcstjddtjddtjddtjddtjd d tjd d td fddtjdtdfdddS)Nrzzb?family=inet6zb>acabzzx?family=inet6r0z/properties contain self referencing definitionscjjdjjddS)Nr family=inet4 conditionalrr} _propertiesrrrrr&z?CommandActionTest.testReplaceTagSelfRecursion..z.possible self referencing definitions in querycr)NzZ>>>>>>>>>>>>>>>>>>>>>>>>>>>>> family=inet6rrrrrrr&r)setattrrassertRaisesRegexrmdelattrrrrrtestReplaceTagSelfRecursions   z-CommandActionTest.testReplaceTagSelfRecursionc Cspt|jddt|jddt|jddt|jddt|jd d |jj}td D]2}||jjd |jjd |dd||jjd |jjd|dd||jjd |jjd|ddq+|t|dkt|jdd|t|dtd D]2}||jjd |jjd |dd||jjd |jjd|dd||jjd |jjd|ddqz|t|dkdS)Nrrzabc?family=inet4345zabc?family=inet6567r"z 890- banactionzText text rz ''r0)rcachezText 890-123 text 123 '123'rzText 890-345 text 345 '345'rzText 890-567 text 567 '567'z 000-rzText 000-123 text 123 '123'zText 000-345 text 345 '345'zText 000-567 text 567 '567') rr _substCacherangernr}r assertTruelen)rrrwrrrtestReplaceTagConditionalCacheds`  z1CommandActionTest.testReplaceTagConditionalCachedcCs|d7}d||j_|jj|j_||jjd|d||j_||jjd|d|j_||jjdd||j_||jjd|d|j_||jjd|| d|j ddi| d | d |j | |jjdS) N/fail2ban.test touch '%s' rm -f '%s'zecho -n [ -e '%s' ]truereturnedipInvariant check failedzreturned successfully) rr@ actionrepairrn actionstop actionban actioncheck actionunbanpruneLogassertNotLoggedban assertLoggedrrtmprrrtestExecuteActionBan,s&        z&CommandActionTest.testExecuteActionBancCsd|j_d|j_d|j_d|j_|j|ji||ji|j ddd|ji|d|j |ji|j |j ddd| ddS) Nr0zecho -n 'flush'zecho -n 'stop' Nothing to doTwait [phase 2]r) rrr actionflushrrrrunbanrflushrrrrrrtestExecuteActionEmptyUnbanEs         z-CommandActionTest.testExecuteActionEmptyUnbancCsL|d7}d|j_d||j_d||j_d||j_|j|jdS)Nrrztouch '%s.'zrm -f '%s.'z[ -e '%s.192.0.2.0' ])rr r@rrrconsistencyCheckrrrrtestExecuteActionStartCtagsYs    z-CommandActionTest.testExecuteActionStartCtagscCs|d7}d|j_d||j_d||j_d||j_|t|jjddi|jddd d | d d ||j_d||j_d ||j_d||j_|jddi|d| ddS)Nrr0rrm '%s'rrrUnable to restore environmentTallrrzprintf "%%%%b " >> '%s') rr@rrrrl RuntimeErrorrrrrrrrr(testExecuteActionCheckRestoreEnvironmentcs         z:CommandActionTest.testExecuteActionCheckRestoreEnvironmentcCs|d7}d|j_d|j_d||j_d||j_d||j_|jddi|jddd d |d|j_| t |jjddi|jddd d d dS) Nrr0rrzecho 'repair ...'; touch '%s'rzInvariant check failed. Tryingzecho 'repair ...'Trr) rr@rrrrrrrrlrrrrr'testExecuteActionCheckRepairEnvironmentvs     z9CommandActionTest.testExecuteActionCheckRepairEnvironmentcCs.|tt|jdd|j_||jjddS)NROSTr)rlAttributeErrorgetattrrrrnrrrrtestExecuteActionChangeCtagssz.CommandActionTest.testExecuteActionChangeCtagscCsPtddddd}d|j_d|j_|j||j||jdd d d dS) Nr 192.0.2.1cSs ddddS)Notester)fidfportuserrrrrrr&sz?CommandActionTest.testExecuteActionUnbanAinfo..)r!rzF-*zFecho ', failure of -- from :'z$echo ', user unbanned'z> -- stdout: '123, failure 111 of tester -- from 192.0.2.1:222'z' -- stdout: '123, user tester unbanned'Tr)rrrrrrrrorrrtestExecuteActionUnbanAinfos    z-CommandActionTest.testExecuteActionUnbanAinfocCs^d|j_|j||jd|d|||jd|d|dS)Nr0r)rr@rr executeCmdrr _processCmdrrrrtestExecuteActionStartEmptys    z-CommandActionTest.testExecuteActionStartEmptycCs6||jjdddddd|jddd d d d dS) NzUprintf %b "foreign input:\n -- $f2bV_A --\n -- $f2bV_B --\n -- $(echo -n $f2bV_C) --"z I'm a hacker; && $(echo $f2bV_B)zI"m very bad hackerz#`Very | very $(bad & worst hacker)`)f2bV_Af2bV_Bf2bV_C)varsDictzforeign input:z' -- I'm a hacker; && $(echo $f2bV_B) --z -- I"m very bad hacker --z* -- `Very | very $(bad & worst hacker)` --Tr)rrrrrrrrtestExecuteWithVarss   z%CommandActionTest.testExecuteWithVarscCsd|j_d|j_d|j_gd}ddd|d}||j||jd |d |d g|Rd d i|jd|d dd d||j ||j |jd|d dd ddS)Nz3echo "** ban , reason: ...\n"zecho "** unban "zecho "** stop monitoring")z z " Hooray! #z`I'm cool script kiddyz7`I`m very cool > /here-is-the-path/to/bin/.x-attempt.shz rzAhacking attempt ( he thought he knows how f2b internally works ;) )rreasonrz ** ban %srrrTz ** unban %sz** stop monitoringr) rrrrjoinrrrrrr)rrrprrr testExecuteReplaceEscapeWithVarss4    z2CommandActionTest.testExecuteReplaceEscapeWithVarscCstd|ddS)Nz+/bin/ls >/dev/null bogusXXX now 2>/dev/nullz HINT on 127: "Command not found"rrrrrrrtestExecuteIncorrectCmds z)CommandActionTest.testExecuteIncorrectCmdcCsvt}tjjs dnd}|tjd|d|t||ko)t||dk|jdddd|dd dS) Nr g{Gz?zsleep 30timeoutz -- timed out afterTr -- killed with SIGTERM -- killed with SIGKILL) timeunittestF2Bfast assertFalserrrr)rstimerrrrtestExecuteTimeouts*z$CommandActionTest.testExecuteTimeoutcsPtddtd}|dWdn1swYdfdd}fdd t|tjd |d |t fd d d| dd| d| ddt dt|tjd|d |t fdd d| dd| d| ddt t ddS)Nz.sh fail2ban_wzo#!/bin/bash trap : HUP EXIT TERM echo "$$" > %s.pid echo "my pid $$ . sleeping lo-o-o-ong" sleep 30 rcsdup tdkSNrt)rr) getnastypidrrr getnasty_touts zLCommandActionTest.testExecuteTimeoutWithNastyChildren..getnasty_toutc szd}tjdr;td#}zt|}Wn ty"Yn wWd|SWd|S1s6wY|S)N.pid)ospathisfileopenrvreadrm)cpidf) tmpFilenamerrrs    zJCommandActionTest.testExecuteTimeoutWithNastyChildren..getnastypidzbash %src t Sr|r rrrrr& zGCommandActionTest.testExecuteTimeoutWithNastyChildren..rzmy pid z Resource temporarily unavailablez timed outzkilled with SIGTERMzkilled with SIGKILLrzout=`bash %s`; echo ALRIGHTcrr|rrrrrr&rz -- timed outrr)tempfilemktemprwriterrrrrr wait_forrrunlink)rrrr)rrrrr#testExecuteTimeoutWithNastyChildrensD         z5CommandActionTest.testExecuteTimeoutWithNastyChildrencCs,td|dtd|ddS)Nzecho "How now brown cow"zstdout: 'How now brown cow' z7echo "The rain in Spain stays mainly in the plain" 1>&2z6stderr: 'The rain in Spain stays mainly in the plain' rrrrrtestCaptureStdOutErr&s  z&CommandActionTest.testCaptureStdOutErrcCs>tddddddd}|d|d|td d|dS) NcSrrrrrrrr&/rzz2CommandActionTest.testCallingMap..cSrrrurrrrr&/rzstring)callmeerror dontcallmenumberz)%(callme)s okay %(dontcallme)s %(number)iz10 okay string 17cSsd|S)Nz %(error)ir)xrrrr&7rz)rrnrlrm)rmymaprrrtestCallingMap.sz CommandActionTest.testCallingMapcCsTtdddddd}|d|d<|d=|t|d |d|||d|d fd |t|}|t|d |d|||d|d |dfd d|d<|}dd|d<d|d<|d =|d=|d |v|d|v| d |v| d|v||d|d |d|dfd||d|dfddS)NcSrrrrrrrrr&;rsz8CommandActionTest.testCallingMapModify..cS |ddSNrrrrrrr&<r'testrrcrrrr)rrr)rt rdddddcSr)Nrrrrrrr&Qr'r )rtrrr )r ) rresetrnr assertNotInreprassertIncopyrr)rmsm2rrrtestCallingMapModify9s8   $z&CommandActionTest.testCallingMapModifycCstdddddd}t|}|d||d||d||d }|d ||d ||d|d d|d <|d }|d ||d ||d||d|dS)NcSrrrrrrrrr&^rsz5CommandActionTest.testCallingMapRep..cSrrrrrrrr&_r'r0rz'a': z'b': z'c': ''Tz'a': 5z'b': 11cSr)Nxxxr"rrrrrr&lr'rz'c': )rr&r%r'_asrepr)rr)r*rrrtestCallingMapRep\s&            z#CommandActionTest.testCallingMapRepcCsRtt}d|_d|_||jdddd|_|jdddd|_|dS)Ng-C6?TzActions: enter idle moderrFzActions: leave idle mode)rr sleeptimeidlerractiver)rrrrrtestActionsIdleModess  z%CommandActionTest.testActionsIdleModeN)__name__ __module__ __qualname__rrrqrrrrrr rrrrrrrrrrrrr rrr,r/r3rrrrr(s> e()      = # r) __author__ __copyright__ __license__rrrr server.actionrrrserver.actionsrr server.utilsr dummyjailr utilsr r rrrrrrs