ogfddZdZdZddlZddlZddlZddlZddlmZm Z m Z ddl m Z m Z ddlmZd d lmZd d lmZmZmZGd d eZy)z Cyril Jaquierz Copyright (c) 2004 Cyril JaquierGPLN) CommandAction CallingMapsubstituteRecursiveTags) OrderedDictActions)Utils) DummyJail) pid_exists with_tmpdirLogCaptureTestCaseceZdZdZdZdZdZdZdZdZ dZ e d Z d Z e d Ze d Ze d Ze dZdZdZdZdZdZdZdZdZdZdZdZdZdZy)CommandActionTestctjtdd_d_jj fd}|j_y)zCall before every test case.NTestFc d_S)NT)"_CommandActionTest__action_started)orgstartselfs?/usr/lib/python3/dist-packages/fail2ban/tests/actiontestcase.py _action_startz.CommandActionTest.setUp.._action_start1s4 *)rsetUpr_CommandActionTest__actionrstart)rrrs` @rrzCommandActionTest.setUp*sI4 f-$-$ ]] (&$--rcz|jr|jjtj|y)zCall after every test case.N)rrstoprtearDownrs rr zCommandActionTest.tearDown6s) ==d#rc dddd}|jtd|jtd|jtd|jtd|jtd |jtt d d d d dd|jtt ddddd dd d|jtt dt d|jtd|jtd|jtddiddi|jtdddddd|jtd d!d"d#d!d"|jtd$d!d"d%d!d"|jtd&d'd(d)d*d'd(d)|jt|dd+d,d|jtd-d.d/d0d.d/|jtd-d.d1d2d1d.d1d2|jtd3d4d1d2d5d4d1d2y)6N 192.0.2.0z 123 z 890 HOSTABCxyzctddiS)NArrrz?CommandActionTest.testSubstituteRecursiveTags..Ds "C< 0rctdddS)Nr*r)Br+r,rrr-z?CommandActionTest.testSubstituteRecursiveTags..Fs "U#; <rc tddddS)Nr/r*)r)r1Cr+r,rrr-z?CommandActionTest.testSubstituteRecursiveTags..Hs "U#G Hrc"tdddddS)Nzto= fromip=r/r3)r)r4r1Dr+r,rrr-z?CommandActionTest.testSubstituteRecursiveTags..Ks ")=EPU\^#_ `rc"tdddddS)Nzto= fromip=z zr6) failregexsweethoneypot ignoreregexr+r,rrr-z?CommandActionTest.testSubstituteRecursiveTags..Ms# "1LWcqzLN$O Pr))Xzx=xT1)Zz Yzy=yzx=x1r@zy=y1z x=x1 1 y=y1)r=r?rCrA))r=zx=x <> <>)R1rA)R2rCr>)rAz rBzx=x1 1 y=y1 1 y=y1 y=y1rArCz1 y=y1)r=rDrEr?rArC) ) actionstartzgipset create hash:ip timeout family -I )ipmsetz f2b-nameanybantime600 ipsetfamilyinet)iptablesziptables  lockingoptz-wchainINPUT) actiontypez ) multiportzY-p -m multiport --dports -m set --match-set src -j protocoltcpportssh blocktypeREJECT) )rFzipset create f2b-any hash:ip timeout 600 family inet iptables -w -I INPUT -p tcp -m multiport --dports ssh -m set --match-set f2b-any src -j REJECT)rGzf2b-anyrHrKrN)rQz iptables -wrRrT)rWI-p tcp -m multiport --dports ssh -m set --match-set f2b-any src -j REJECT)rXrbrYr\r_c*ttdS)N)r)z<>r1r7r4EDEz cycle rrr,rrr-z?CommandActionTest.testSubstituteRecursiveTags..y(?NB)rc*ttdS)N)rhrdrerfrjr,rrr-z?CommandActionTest.testSubstituteRecursiveTags..~rkrr)r3z fun)r)r=z funz coolr0z coolz z coolz/to= fromip= evilperson=pokier6)r9r;r<z%to=pokie fromip= evilperson=pokiez 123 192.0.2.0z890 123 192.0.2.0z <HOST>IPV4)r)PREFz z1.2.3.4)r)rqIPV4HOSTzA HOST> B IP CV4zA 1.2.3.4 B IPV4 C) assertRaises ValueError assertEqualrrraInfos rtestSubstituteRecursiveTagsz-CommandActionTest.testSubstituteRecursiveTags<s    % J02J<>JHJJ`bJPQ*KH-J 6 > *Kq-s %S#H[ab *K9-@J! J!*C<83,G*5+IJR_ejLkl*+HIQ[bhKij*v+NOWgntQuv*9jxQS,TU>  *51#  *+PQ 6*,*]f+gh I>@*1PZ^lu+vw !4YGIrctdddddtddd<jtfdtdd <jtfd j j j d d j j j d djtfdj j j ddy)Nrcy)Nzr,r!s rr-zHCommandActionTest.testSubstRec_DontTouchUnusedCallable..rr6)r)r1r4r7c$dt|dzS)Nr)int)ris rr-zHCommandActionTest.testSubstRec_DontTouchUnusedCallable..sQ#d3i.0rr4cdS)Nr4r,cmsrr-zHCommandActionTest.testSubstRec_DontTouchUnusedCallable..s r#wrtest=r7ctSNr+rsrr-zHCommandActionTest.testSubstRec_DontTouchUnusedCallable..s /Fr/Jrztest=ztest=0ztest=----ztest=0----0c<jjdS)Nr)r replaceTag)rrsrr-zHCommandActionTest.testSubstRec_DontTouchUnusedCallable..st}}/G/G TV/Wrz)r)rrrtZeroDivisionErrorrvrr)rrs`@r$testSubstRec_DontTouchUnusedCallablez6CommandActionTest.testSubstRec_DontTouchUnusedCallables  "" 0"S'%7" "S'%'JK4==++J;XF4==++,@"EGZ[%'WX4==++E26 Crcdddd}|j|jjd|d|j|jjd|d|j|jjd |d |j|jjd d d id|j|jjddd id|j|jjdddidd|d<|j|jjd |d|j|jjdtddy)Nr#123890r$z Text
textz Text textzText textzText 192.0.2.0 textzText text ABCzText 890 text 123 ABCz matchesz$some >char< should \< be[ escap}ed& z,some \>char\< should \\\< be\[ escap\}ed\&\nz ipmatchesz ipjailmatchesz%some >char< should \< be[ escap}ed& z.some \>char\< should \\\< be\[ escap\}ed\&\r\nzr&zText 890 text 890 ABCz09 11ctdSN strr!s rr-z2CommandActionTest.testReplaceTag..s CGrrz09 10 11rvrrrrws rtestReplaceTagz CommandActionTest.testReplaceTags}    % ==NE2==.6==7?==K89;:<==M:;=:<==-@AC=? %,==7? ==-+,. rcr|j|jjdtddy)NabcctdSNarr!s rr-z4CommandActionTest.testReplaceNoTag..s CHrrrr!s rtestReplaceNoTagz"CommandActionTest.testReplaceNoTags2==E,-/057rctjddtjddtjddtjddtjd d tjd d jtd fdt jdjtdfdy)Nrzzb?family=inet6zb>acabzzx?family=inet6r6z/properties contain self referencing definitionschjjdjjdS)Nr family=inet4 conditionalrr _propertiesr!srr-z?CommandActionTest.testReplaceTagSelfRecursion..s,4== # #HMM> $ ;rz.possible self referencing definitions in querychjjdjjdS)NzZ>>>>>>>>>>>>>>>>>>>>>>>>>>>>> family=inet6rrr!srr-z?CommandActionTest.testReplaceTagSelfRecursion..s,4== # #NMM> $ ;r)setattrrassertRaisesRegexrudelattrr!s`rtestReplaceTagSelfRecursionz-CommandActionTest.testReplaceTagSelfRecursions $--d# $--d# $--)40 $--x( $--v& $--)2.%W;  $--%V;rc Rt|jddt|jddt|jddt|jddt|jd d |jj}td D]}|j |jj d |jj d |d|j |jj d |jj d|d|j |jj d |jj d|d|jt|dk\t|jdd|j t|dtd D]}|j |jj d |jj d |d|j |jj d |jj d|d|j |jj d |jj d|d|jt|dk\y)Nrrzabc?family=inet4345zabc?family=inet6567r'z 890- banactionzText text rz ''r6)rcachezText 890-123 text 123 '123'rzText 890-345 text 345 '345'rzText 890-567 text 567 '567'z 000-rzText 000-123 text 123 '123'zText 000-345 text 345 '345'zText 000-567 text 567 '567') rr _substCacherangervrr assertTruelen)rrrs rtestReplaceTagConditionalCachedz1CommandActionTest.testReplaceTagConditionalCachedsJ $--& $--+U3 $--+U3 $-- , $--&=> -- # #% 8 #aMM2DMM4M4M5"!#MM2DMM4M4Mu.!#MM2DMM4M4Mu.!# #//#e*/" $-- ,3u:q! 8 #aMM2DMM4M4M5"!#MM2DMM4M4Mu.!#MM2DMM4M4Mu.!# #//#e*/"rc|dz }d|z|j_|jj|j_|j|jjd|zd|z|j_|j|jjd|zd|j_|j|jj dd|z|j_|j|jj d|zd|j_|j|jjd|j|jd|jjddi|jd |jd |jj|j|jjy) N/fail2ban.test touch '%s' rm -f '%s'z && echo -n [ -e '%s' ]truereturnedipInvariant check failedzreturned successfully) rrF actionrepairrv actionstop actionban actioncheck actionunbanpruneLogassertNotLoggedban assertLoggedrrtmps rtestExecuteActionBanz&CommandActionTest.testExecuteActionBan*su #*S0$--#}}88$--4==,,lS.@A)C/$--4==++\C-?@6$--4==**,FG+c1$--4==,,mc.AB$$--4==,,f5--/z"--T4L!,-+,--DMM,,-rcd|j_d|j_d|j_d|j_|jj |jj i|j|jji|jdd|jj i|jd|jj|jji|jj|jdd|jdy) Nr6zecho -n 'flush'zecho -n 'stop' Nothing to doTwait [phase 2]r) rrr actionflushrrrrunbanrflushrrr!s rtestExecuteActionEmptyUnbanz-CommandActionTest.testExecuteActionEmptyUnbanDs$-- $--/$---$------B--/--bO$/--B-- ----b--F&'rc|dz }d|j_d|z|j_d|z|j_d|z|j_|jj |jj y)Nrr#ztouch '%s.'zrm -f '%s.'z[ -e '%s.192.0.2.0' ])rr%rFrrrconsistencyCheckrs rtestExecuteActionStartCtagsz-CommandActionTest.testExecuteActionStartCtagsXsl #"$--1C7$--036$--5;$------  "rcj|dz }d|j_d|z|j_d|z|j_d|z|j_|j t |jjddi|jddd |jd d |z|j_d|z|j_d |z|j_d|z|j_|jjddi|jd|jdy)Nrr6rrm '%s'rrrUnable to restore environmentTallrrz- && printf "%%%%b " >> '%s') rrFrrrrt RuntimeErrorrrrrrs r(testExecuteActionCheckRestoreEnvironmentz:CommandActionTest.testExecuteActionCheckRestoreEnvironmentbs # $--)C/$--%O$--+c1$--L$--"3"3dD\B,.MSWX-- *S0$--&_$--PSVV$--+c1$----T4L!,-67rc |dz }d|z|j_d|z|j_d|z|j_d|z|j_d|z|j_d|j_|jjdD]P}|jd |z|jjd d i|jd d zd|jdd dzd |jj rdndzd dzdtj||j|jjd di|jdd dzd |jj rdndzd dzd dzd|jj rd|j_(|jj r@d|j_Sy)Nrztouch '%s'; echo 'started ...'rz![ -e '%s' ] && echo 'banned 'zB[ -e '%s' ] && echo 'check ok' || { echo 'check failed'; exit 1; }echo 'repair ...'; touch '%s'F)r rrz [phase %s]r 192.0.2.1z stdout: %rzbanned 192.0.2.1TrInvariant check failed. Tryingz check failedz repair ...z started ...zcheck okz 192.0.2.2zbanned 192.0.2.2r6)rrFrrrractionstart_on_demandrrrrrosremove)rrrs r"testExecuteActionCheckOnBanFailurez4CommandActionTest.testExecuteActionCheckOnBanFailureus #>D$--)C/$--?#E$--behh$-->D$--(-$--%-- /a==!"==dK()%%418>!DMM$>$>LMR:4) 99S>==?==dK()5>!DMM$>$>LMR:%%4 1  mm  !#DMM MM / /*.DMM'1/rc|dz }d|j_d|j_d|z|j_d|z|j_d|z|j_|jj ddi|jddd |jd|j_|jt|jj ddi|jddd d y) Nrr6rrrrrzecho 'repair ...'Trr) rrFrrrrrrrrtrrs r'testExecuteActionCheckRepairEnvironmentz9CommandActionTest.testExecuteActionCheckRepairEnvironments # $--$--%O$--+c1$-->D$----T4L!46ItT--/2$--L$--"3"3dD\B#".rc|jtt|jdd|j_|j |jjdy)NROSTr#)rtAttributeErrorgetattrrrrvr!s rtestExecuteActionChangeCtagsz.CommandActionTest.testExecuteActionChangeCtagss@NGT]]FC"$--4==%%k2rctdddd}d|j_d|j_|jj ||jj ||j ddd y) NrrcddddS)Notester)fidfportuserr,r!s rr-z?CommandActionTest.testExecuteActionUnbanAinfo..s  r)r&rzF-*zFecho ', failure of -- from :'z$echo ', user unbanned'z> -- stdout: '123, failure 111 of tester -- from 192.0.2.1:222'z' -- stdout: '123, user tester unbanned'Tr)rrrrrrrrws rtestExecuteActionUnbanAinfoz-CommandActionTest.testExecuteActionUnbanAinfosw     %e$--D$----E--eC, rcd|j_|jj|j|jj d|j d|j |j|jjd|j d|j y)Nr6r)rrFrr executeCmdrr _processCmdr!s rtestExecuteActionStartEmptyz-CommandActionTest.testExecuteActionStartEmptys $----//$--**2./O$--///$--++B/0O$--/rc |j|jjddddd|jddd d d y) NzUprintf %b "foreign input:\n -- $f2bV_A --\n -- $f2bV_B --\n -- $(echo -n $f2bV_C) --"z I'm a hacker; && $(echo $f2bV_B)zI"m very bad hackerz#`Very | very $(bad & worst hacker)`)f2bV_Af2bV_Bf2bV_C)varsDictzforeign input:z' -- I'm a hacker; && $(echo $f2bV_B) --z -- I"m very bad hacker --z* -- `Very | very $(bad & worst hacker)` --Tr)rrrrr!s rtestExecuteWithVarsz%CommandActionTest.testExecuteWithVarss\//$--** 1 " 3  +  )-/T;rc$d|j_d|j_d|j_gd}dddj |d}|j |jj ||jd |d z|d g|d d i|jd|d zdd |j |jj||jj|jd|d zdd y)Nz3echo "** ban , reason: ...\n"zecho "** unban "zecho "** stop monitoring")z z " Hooray! #z`I'm cool script kiddyz7`I`m very cool > /here-is-the-path/to/bin/.x-attempt.shz rzAhacking attempt ( he thought he knows how f2b internally works ;) )rreasonrz ** ban %srrrTz ** unban %sz** stop monitoringr) rrrrjoinrrrrrr)rrrxs r testExecuteReplaceEscapeWithVarsz2CommandActionTest.testExecuteReplaceEscapeWithVarssR$--4$--8$-- '  Pii  % --/--E$teHoC07C=AC5; 4$@--/--e--5; 4$@rcPtjd|jdy)Nz+/bin/ls >/dev/null bogusXXX now 2>/dev/nullz HINT on 127: "Command not found"rrrr!s rtestExecuteIncorrectCmdz)CommandActionTest.testExecuteIncorrectCmds IJ67rctj}tjjsdnd}|j t j d||jtj||zk\xrtj||zdzk|jddd|jdd y) Nr g{Gz?zsleep 30timeoutz -- timed out afterTr -- killed with SIGTERM -- killed with SIGKILL) timeunittestF2Bfast assertFalserrrr)rstimers rtestExecuteTimeoutz$CommandActionTest.testExecuteTimeouts ))+%\\&&AD'=++JHI//$))+0WTYY[EGOVWDW5WXJ 54@--/rctjddtd5}|jdzddddfd}fdt j|j t jdz| |jtjfd d |jd d |jd|jddtjdzt j|j t jdz| |jtjfdd |jd d |jd|jddtjtjdzy#1swYxYw)Nz.sh fail2ban_wzo#!/bin/bash trap : HUP EXIT TERM echo "$$" > %s.pid echo "my pid $$ . sleeping lo-o-o-ong" sleep 30 rcNduxstjz dkDSNr~)r) getnastypidrsr getnasty_toutzLCommandActionTest.testExecuteTimeoutWithNastyChildren..getnasty_touts*M yy{UQrcd}tjjdzr3tdz5} t |j }ddd|S|S#t $rYwxYw#1swY|SxYw)N.pid)rpathisfileopenrreadru)cpidf tmpFilenames rrzJCommandActionTest.testExecuteTimeoutWithNastyChildren..getnastypid$sv 4ggnn[6)* kF" # q ]d ;$;     ;s(A*A A'$A*&A''A**A4zbash %srct Srr r'srr-zGCommandActionTest.testExecuteTimeoutWithNastyChildren..5Z-=)=rrzmy pid z Resource temporarily unavailablez timed outzkilled with SIGTERMzkilled with SIGKILLr"zout=`bash %s`; echo ALRIGHTct Srr+r,srr-zGCommandActionTest.testExecuteTimeoutWithNastyChildren..Cr-rz -- timed outrr)tempfilemktempr%writerrrrrr wait_forrrunlink)rr(r r'rrr)s @@@@r#testExecuteTimeoutWithNastyChildrenz5CommandActionTest.testExecuteTimeoutWithNastyChildrens{3+ K77     %  ))+%=++ {M34 $//%..!=qABIABK ))+))K& ! ))+%=++ ;. GH $//%..!=qABIABO$--/))K))K& !ms GG#ctjd|jdtjd|jdy)Nzecho "How now brown cow"zstdout: 'How now brown cow' z7echo "The rain in Spain stays mainly in the plain" 1>&2z6stderr: 'The rain in Spain stays mainly in the plain' r r!s rtestCaptureStdOutErrz&CommandActionTest.testCaptureStdOutErrLsB5634<><>rctdddd}|jd|zd|jtd|y) NctdSrrr!s rr-z2CommandActionTest.testCallingMap..Us RrctdSrrr!s rr-z2CommandActionTest.testCallingMap..Us SXrstring)callmeerror dontcallmenumberz)%(callme)s okay %(dontcallme)s %(number)iz10 okay string 17c d|zS)Nz %(error)ir,)xs rr-z2CommandActionTest.testCallingMap..]s +/r)rrvrtru)rmymaps rtestCallingMapz CommandActionTest.testCallingMapTsG 08M $%.6J 95Arc tdddd}|jd|d<|d=|jt|d|j d||j|d|d fd |jt |}|jt|d |j d||j|d|d |dfd d |d<|j}d|d<d|d<|d =|d=|jd |v|jd|v|jd |v|jd|v|j|d|d |d|dfd|j|d|dfdy)Ncyrr,r!s rr-z8CommandActionTest.testCallingMapModify..ar|rc|ddzSNrr,r!s rr-z8CommandActionTest.testCallingMapModify..bT#Y]rtestrrcrrLrr)rMrr)r~ rJdddddc|ddzS)Nrr,r!s rr-z8CommandActionTest.testCallingMapModify..wscQrr )r~rNrJrO)r ) rresetrvr assertNotInreprassertIncopyrr)rmsm2s rtestCallingMapModifyz&CommandActionTest.testCallingMapModify_s"! '') !C&f3q613AcFAcF#W-'') 1g!3q61--QAcFAcFAcF+_= !C&vvx" &"S' "S'gg//#(//#(3"93"9AcFAcFAcFAcF35LMBsGRW%v.rctdddd}t|}|jd||jd||jd||j d}|jd ||jd ||jd|d |d <|j d}|jd ||jd ||jd ||jd|y)Ncyrr,r!s rr-z5CommandActionTest.testCallingMapRep..r|rc|ddzSrGr,r!s rr-z5CommandActionTest.testCallingMapRep..rIrr6rKz'a': z'b': z'c': ''Tz'a': 5z'b': 11c|ddzS)NxxxrRr,r!s rr-z5CommandActionTest.testCallingMapRep..sU arrLz'c': )rrVrUrW_asrepr)rrYrZs rtestCallingMapRepz#CommandActionTest.testCallingMapReps" !  1g!7A7A-- 1iio!--!-- 1-- 1 '!C&iio!--!-- 1--9a rctt}d|_d|_|j |j ddd|_|j ddd|_|jy)Ng-C6?TzActions: enter idle moderrFzActions: leave idle mode)r r sleeptimeidlerractiver )rrs rtestActionsIdleModez%CommandActionTest.testActionsIdleModesd ik!!+ !&'').R8 !&.R8 !(&&(rN)__name__ __module__ __qualname__rr ryrrrrrrrrrrrrrrrrr r rr4r6rCr\rcrhr,rrrr(s &$ aIFD>&P7('#R..2((##88$$/$/L..&3 (;"@88 /:"z> B!/F!. rr) __author__ __copyright__ __license__rr/rr server.actionrrrserver.actionsrr server.utilsr dummyjailr utilsr rrrr,rrrtsF. 2   NN1 >>  *  r