ogfkdZdZdZddlZddlZddlZddlZddlmZddl m Z m Z m Z m Z mZdd lmZmZmZmZdd lmZee_d Zee_ ej,j/ej,j1ed Zej,j/ej,j1ed ZdadZdZGddeZ dZ!dZ"dZ#dZ$dZ%dZ&dZ'ej,j/edZ(ej,j/edZ)ej,j/edZ*dZ+dZ,dZ-ej,j/edd Z.ej,j/ed!d"Z/ej,j/ed#Z0ej,j/ed!d$Z1ej,j/edd%Z2ej,j/ed!d&Z3Gd'd(eZ4y))z Serg BresterzHCopyright (c) 2015 Serg G. Brester (sebres), 2008- Fail2Ban ContributorsGPLN) fail2banregex) Fail2banRegexget_opt_parserexec_command_lineoutput str2LogLevel) setUpMyTimetearDownMyTimeLogCaptureTestCaselogSys) CONFIG_DIRc6tjd|dy)N output: %sr)rnotice)argss F/usr/lib/python3/dist-packages/fail2ban/tests/fail2banregextestcase.py _test_outputr&s|T!W%configfilesct}|jt|\}}|jdvr(t j t |j||t|fS)N)rwarning)r parse_argslist log_levelrsetLevelr r)rparseroptss r_Fail2banRegexr"0sV  !!$t*-$NN++//,t~~./ t]4())rc<t|\}}}|j|SN)r"start)rr! fail2banRegexs r _test_execr'8s$-t4$mD!!rceZdZdZy) ExitExceptionc&||_d|z|_y)NzExit with code: %s)codemsg)selfr+s r__init__zExitException.__init__=s$) !D ($(rN)__name__ __module__ __qualname__r.rrr)r)<s)rr)cdd}tjtjtjd}d}|t_tst t jdatxt_t_ tt||dt_|dt_|dt_|S#t$r}|j}Yd}~Fd}~wwxYw#|dt_|dt_|dt_wxYw) Nrct|r$)r))r+s r_exitz&_test_exec_command_line.._exitBs dr)exitstdoutstderrwr6r7r8)r) sysr6r7r8DEV_NULLopenosdevnullrrr)r+)rr5_org _exit_codees r_test_exec_command_linerBAsSZZ3::F T"**c2(##cjDJ&\#(H~#*H~#* vv*&\#(H~#*H~#*s*=B== C CCCC,D c0ddlm}|jy)Nr_decode_line_warn) server.filterrEclearrDs r_resetrHTs.rzRDec 31 11:59:59 [sshd] error: PAM: Authentication failure for kevin from 192.0.2.0zB[sshd] error: PAM: Authentication failure for kevin from 192.0.2.0z(?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) z8Authentication failure for .*? from $z.*? from $ztestcase01.logztestcase02.logztestcase-wrong-char.loga"Nov 28 09:16:03 srv sshd[32307]: Failed publickey for git from 192.0.2.1 port 57904 ssh2: ECDSA 0e:ff:xx:xx:xx:xx:xx:xx:xx:xx:xx:... Nov 28 09:16:03 srv sshd[32307]: Failed publickey for git from 192.0.2.1 port 57904 ssh2: RSA 04:bc:xx:xx:xx:xx:xx:xx:xx:xx:xx:... Nov 28 09:16:03 srv sshd[32307]: Postponed publickey for git from 192.0.2.1 port 57904 ssh2 [preauth] Nov 28 09:16:05 srv sshd[32310]: Failed publickey for git from 192.0.2.2 port 57910 ssh2: ECDSA 1e:fe:xx:xx:xx:xx:xx:xx:xx:xx:xx:... Nov 28 09:16:05 srv sshd[32310]: Failed publickey for git from 192.0.2.2 port 57910 ssh2: RSA 14:ba:xx:xx:xx:xx:xx:xx:xx:xx:xx:... Nov 28 09:16:05 srv sshd[32310]: Disconnecting: Too many authentication failures for git [preauth] Nov 28 09:16:05 srv sshd[32310]: Connection closed by 192.0.2.2 [preauth]zNov 28 09:16:06 srv sshd[32307]: Accepted publickey for git from 192.0.2.1 port 57904 ssh2: DSA 36:48:xx:xx:xx:xx:xx:xx:xx:xx:xx:...zINov 28 09:16:06 srv sshd[32307]: Connection closed by 192.0.2.1 [preauth]logssshdzfilter.dz sshd.confzzzz-sshd-obsolete-multiline.logz zzz-sshd-obsolete-multiline.confzzzz-generic-examplezzzz-generic-example.confceZdZdZdZdZdZdZdZdZ dZ d Z d Z d Z d Zd ZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZ dZ!d Z"d!Z#d"Z$d#Z%d$Z&d%Z'y&)'Fail2banRegexTestcVtj|tty)zCall before every test case.N)rsetUpr rHr-s rrNzFail2banRegexTest.setUps4  -(rcBtj|ty)zCall after every test case.N)rtearDownr rOs rrQzFail2banRegexTest.tearDownsd#rc$|jtdd|jd|jddd|j|jtdd|jd|jd d dy) Ntestz.** from $$Unable to compile regular expressionmultiple repeat at position 2Fallz,^(?:(?PA)|B)? (?(typo)...) from zunknown group name: 'typo'zat position 23) assertFalser' assertLoggedpruneLogrOs r testWrongREzFail2banRegexTest.testWrongREs: :;%EB--/: ::;02BNrc |jtddddd|jd|jddd y) N --datepattern{^LN-BEG}EPOCHrSz.*? from $z.**rTrUrVFrWrYr'rZrOs rtestWrongIngnoreREz$Fail2banRegexTest.testWrongIngnoreREsL:$ :;%EBrcb|jtdd|jdddy)NrSzflt[a='x,y,z',b=z,y,x]zWrong filter name or optionszwrong syntax at 14: y,xTrWr`rOs rtestWrongFilterOptionsz(Fail2banRegexTest.testWrongFilterOptionss7: #24MSWXrc l|jtddddtd|jdy)Nr^*^(?:%a )?%b %d %H:%M:%S(?:\.%f)?(?: %ExY)?--print-all-matched--print-no-missed+Authentication failure for .*? from $.Lines: 1 lines, 0 ignored, 1 matched, 0 missed assertTruer'STR_00rZrOs rtestDirectFoundz!Fail2banRegexTest.testDirectFounds8//*A- 1  DErcf|jtdtd|jdy)N--print-all-missedzXYZ from $z.Lines: 1 lines, 0 ignored, 0 matched, 1 missedrjrOs rtestDirectNotFoundz$Fail2banRegexTest.testDirectNotFounds///*  DErch|jtdtdd|jdy)N--print-all-ignoredrhzkevin from 192.0.2.0$z.Lines: 1 lines, 1 ignored, 0 matched, 0 missedrjrOs rtestDirectIgnoredz#Fail2banRegexTest.testDirectIgnoreds2//* 1  DErc |jtdddtt|j d|j d|j d|j d|j dy) Nr^rerf0Lines: 19 lines, 0 ignored, 16 matched, 3 missedError decoding linez6Continuing to process line ignoring invalid characterszVDez 31 11:59:59 [sshd] error: PAM: Authentication failure for kevin from 193.168.0.128zVDec 31 11:59:59 [sshd] error: PAM: Authentication failure for kevin from 87.142.124.10rkr' FILENAME_01RE_00rZrOs rtestDirectRE_1z Fail2banRegexTest.testDirectRE_1sp//*A FG)*LMlmlmrc t|jtddddtt|j dy)Nr^rerf--rawz0Lines: 19 lines, 0 ignored, 19 matched, 0 missedrwrOs rtestDirectRE_1rawz#Fail2banRegexTest.testDirectRE_1raws6//*A' FGrc |jtdddddtt|j d|j |jtddd d |j d d |j dy)Nr^rerfr|z --usedns=noru-d^Epochz1490349000 test failed.dns.chz^\s*test \S+riTrWz)Unable to find a corresponding IP address)rkr'rxryrZr[assertNotLoggedrOs rtestDirectRE_1raw_noDnsz)Fail2banRegexTest.testDirectRE_1raw_noDnss//*A'= FG--///*"$?D$OBCrc r|jtdddtt|j dy)Nr^rerf/Lines: 13 lines, 0 ignored, 5 matched, 8 missedrkr' FILENAME_02ryrZrOs rtestDirectRE_2z Fail2banRegexTest.testDirectRE_2s4//*A EFrc |jtdddddddtt |j d|j d |j d y) Nr^rez --timezonezUTC+0200z --verbose--verbose-datergrz&141.3.81.106 Sun Aug 14 11:53:59 2005z&141.3.81.106 Sun Aug 14 11:54:59 2005rrOs r testVerbosezFail2banRegexTest.testVerboses]//*A "5  EF<=<=rc:|jtdddddddttd |j d d d |j |jtddd dtdd|j ddd |j ddd y)N-lr-vrrfrr-crJ8[29116]: User root not allowed because account is lockedz)[29116]: Received disconnect from 1.2.3.4TrW-vvzRDec 31 11:59:59 [sshd] error: PAM: Authentication failure for kevin from 192.0.2.1zsshd[logtype=short]zReal filter options :z'logtype': 'short''logtype': 'file''logtype': 'journal')rkr'r FILENAME_SSHDrZr[rrOs rtestVerboseFullSshdz%Fail2banRegexTest.testVerboseFullSshds//* 02G& N.D:--///*$ W ,.BM*,BMrc ~|jtddddttd|j dddd y) Nrrrfrzsshd.conf[mode=normal]z"[29116]: Connection from 192.0.2.4r+[29116]: Received disconnect from 192.0.2.4TrW)rkr'rFILENAME_ZZZ_SSHDrZrOs r testFastSshdzFail2banRegexTest.testFastSshdsH//*. '=0d^\s*HOST \s*$zLines: z lines, 0 ignored, 2 matched, rz missedz| 1490349000 FAILz| 1490349001 HOST 192.0.2.34TrW)r[rkr'rZ)r-preLiness rtestDirectMultilineBufz(Fail2banRegexTest.testDirectMultilineBuf/s Vh=="X-.??:dH&;\3H$UV1  8TU:W_`aWabc)+JPTU Vrc|jtddddddddd d |jd |jd d y)Nrrrr --debuggexrfrrrr.Lines: 4 lines, 0 ignored, 2 matched, 2 missedz&flags=mz?flags=mrkr'rZrOs rtestDirectMultilineBufDebuggexz0Fail2banRegexTest.testDirectMultilineBufDebuggex>sO//* tT8\3H,X[T0 DEJ +rc j|jtddddddddd |jd y) Nrrrrrfz-L2z)1490349000 FAIL: failure host: 192.0.2.35z^\s*FAIL:\s*.*\nhost:\s+$.Lines: 2 lines, 0 ignored, 2 matched, 0 missedrrOs rtestSinglelineWithNLinContentz/Fail2banRegexTest.testSinglelineWithNLinContentHs=//* tT8%::% DErc f|jtddddddd|jdy) Nz-rr^\[{LEPOCH}\]\s+rrz[1516469849] 192.0.2.1 FAIL: failure [1516469849551] 192.0.2.2 FAIL: failure [1516469849551000] 192.0.2.3 FAIL: failure [1516469849551.000] 192.0.2.4 FAIL: failurez^ FAIL\b.Lines: 4 lines, 0 ignored, 4 matched, 0 missedrrOs rtestRegexEpochPatternsz(Fail2banRegexTest.testRegexEpochPatternsQs<//*"L#1 DErc |jtddddddd|jd|jd d d y) Nrrrrrz[1516469849] 192.0.2.1 FAIL: failure [1516469849] 192.0.2.1/24 FAIL: failure [1516469849] 2001:DB8:FF:FF::1 FAIL: failure [1516469849] 2001:DB8:FF:FF::1/60 FAIL: failure z^ FAIL\brz 192.0.2.0/24z2001:db8:ff:f0::/60TrWrrOs rtestRegexSubnetz!Fail2banRegexTest.testRegexSubnet\sR//*$#\37 DEN$9tDrc |jtddtt|j ddz|j |jtdddddd|j dt d z|j |jtddddd d |j dt d z|j |jtddddd d|j dt dz|j |jtddddd d|jdt dz|j ddz|j |jtddddd d|j ddzt dzdz|j |jtddtt|j ddzddd|j |jtddtt|j ddzddd|j |jtddtt|j dtz|j |jtddtt|j ddz|j |jtddtt|j dd z|j y)!N-oidrkevinrr_z"1591983743.667 192.0.2.1 192.0.2.2z(^\s* \S+)z 192.0.2.1 192.0.2.2z#1591983743.667 left 192.0.2.3 rightzM^\s*\S+ \S+)z 192.0.2.3leftrightz+1591983743.667 left [192.0.2.4]:12345 rightzc^\s*\S+ : \S+)z[192.0.2.4]:12345rripz 192.0.2.4zID: | IP:zID:z | IP:192.0.2.4rowz['kevin'z'ip4': '192.0.2.0'z'fid': 'kevin'TrWz ['192.0.2.0'z'user': 'kevin'r,userz, , z192.0.2.0, kevin, inet4) rkr'rlRE_00_IDrZr[strr RE_00_USERrOs rtestFrmtOutputz Fail2banRegexTest.testFrmtOutpuths//*T4:;L7*+--///*T4/?'.01L3'A#BBC--///*T4/?(SUVL3'E#FFG--///*T4/?0iklL3'M#NNO--///*T4/?0ikl|c*P&QQRL;./--///*T#7?O0iklL5(-S)TTUffg--///*T5&(;<L:-/CEU[_`--///*T5&*=>L>13GIZ`de--///*T5&*=>L6)*--///*T66:>?L7*+--///*T#=vzRSL#<<=--/rcdtddfdfdjdddjd jdfd }||d d y)NrrrezMay 27 00:16:33 host sshd[2364]: User root not allowed because account is locked May 27 00:16:33 host sshd[2364]: Received disconnect from 192.0.2.76 port 58846:11: Bye Bye [preauth]ct|zSr$)r')rr!s rzCFail2banRegexTest.testStalledIPByNoFailFrmtOutput..s TD[2rrzIP:rJz IP:192.0.2.76c .jdd|dz|zdz|zdzjdjjdd|dz|zdz|zdzjd jy) Nrz!ID:"" | IP: | U:z [failregex="^z4User \S+ not allowed ^z!Received disconnect from "]z'ID:"User root" | IP:192.0.2.76 | U:rootz'User \S+ not allowed ^z7Received disconnect from port \d+"]z3ID:"192.0.2.76 port 58846" | IP:192.0.2.76 | U:root)rkrZr[)fltprefix_testlogr-s r_test_variantszIFail2banRegexTest.testStalledIPByNoFailFrmtOutput.._test_variantss??5BC        >?==???5BC        JK==?rcommonz)\s*\S+ sshd\[\d+\]:\s+)r)rJ)rrkrZr[)r-rrrr!s` @@@rtestStalledIPByNoFailFrmtOutputz1Fail2banRegexTest.testStalledIPByNoFailFrmtOutputsm 6 $ k 3%//%if56O$--/$"MNrc 8|jtddddtt|j dddd |j |jtdd ddtt|j dd |j ddd y) Nrr_rzFound-ID:z*Found a match but no valid date/time foundzMatch without a timestamp:zFound-ID:kevinTrW{NONE})rkr' STR_00_NODTrrZr[rrOs rtestNoDateTimez Fail2banRegexTest.testNoDateTimes//*T#3T;Lk[cde/--///*T8T3DkS[\]/T+rch|jtdddd|jdddd y) NrzFound-ADDR:z192.0.2.1 - - [02/May/2021:18:40:55 +0100] "GET / HTTP/1.1" 302 328 "-" "Mozilla/5.0" "-" 192.0.2.2 - - [02/May/2021:18:40:55 +0100 192.0.2.3 - - [02/May/2021:18:40:55z^zFound-ADDR:192.0.2.1zFound-ADDR:192.0.2.2zFound-ADDR:192.0.2.3TrWrrOs rtestIncompleteDateTimez(Fail2banRegexTest.testIncompleteDateTimesH//* )  13ItUrc tjjd|jt dddt ddt dztzd t jd}|jd |d vxrd |d v|jd |d zd |d zd|jd|jd|jt dddt ddt dztzd|jd |dzd |dzd |d zd |d zd|jd|jd|jt dddt ddt dztzdt jdddtjdd dz}|jd|dzd|d zd|d zdy)NTstockrz, , rrr z&sshd[logtype=short, publickey=invalid]rz192.0.2.2, git, rWz192.0.2.1, git, zA[test-phase 1] mode=aggressive & publickey=nofail + OK (accepted)z$sshd[logtype=short, mode=aggressive]zL[test-phase 2] mode=aggressive & publickey=nofail + FAIL (closed on preauth)rr) unittestF2BSkipIfCfgMissingrkr'r STR_ML_SSHDSTR_ML_SSHD_OKsplitrZrr[STR_ML_SSHD_FAIL)r-liness rtestFrmtOutputWrapMLz&Fail2banRegexTest.testFrmtOutputWrapMLs ,,d+//*T#:Z&(PRS   D !%//+U2Y.K;%)3KLeBieBi  )*--ST//*T#:Z&(NPQeBieBieBieBi  )*--^_//*T#:Z((*PRS   D !!A &)9)?)?)Ebc)J J%eBieBieBi  rc tjjd|jt dddt dddd |j d |jd y) NTrrzfailure from == ==rrrzsvc[1] connect started 192.0.2.3 svc[1] connect finished 192.0.2.3 svc[2] connect started 192.0.2.4 svc[2] connect authorized 192.0.2.4 svc[2] connect finished 192.0.2.4 zcommon[prefregex="^svc\[\d+\] connect .+$", failregex="^started ^finished ^authorized ", maxlines=1]zfailure from == 192.0.2.3 ==zfailure from == 192.0.2.4 ==)rrrrkr'rrZrrOs r&testOutputNoPendingFailuresAfterGainedz8Fail2banRegexTest.testOutputNoPendingFailuresAfterGained sd ,,d+//*T#<T8)   2356rcJ|jtttyr$)rYr'rrOs rtestWrongFilterFilez%Fail2banRegexTest.testWrongFilterFile#s:%rc <tjjd|jt ddddt t |jd|jd|jd |jd |jd y) NTrrrr^rerrvz7Continuing to process line ignoring invalid characters:zMNov 8 00:16:12 main sshd[32548]: input_userauth_request: invalid user llincozkNov 8 00:16:12 main sshd[32547]: pam_succeed_if(sshd:auth): error retrieving information about user llincorrrrkr'FILENAME_WRONGCHAR FILTER_SSHDrZrOs r testWronCharzFail2banRegexTest.testWronChar)s ,,d+//*A{ DE)*MNcdBCrc tjjd|jt ddddddt t d |jd |jd |jd y) NTrrrr^rerrfz llinco[^\\]rvz.Lines: 4 lines, 1 ignored, 2 matched, 1 missedzhttps://rrOs rtestWronCharDebuggexz&Fail2banRegexTest.testWronCharDebuggex8sq ,,d+//*A&{ )*DEJrc  tjdd}dD]}|jd|z t|d}dD]"}|j |j |$|j |jtdd d |d d |d |jd|zdd|jd|j tj|y#j tj|wxYw)N tmp_fail2banuni)rsuffix)zutf-16bezutf-16lez[test-phase encoding=%s]wb)u?1490349000 € Failed auth: invalid user TestȊ from 192.0.2.1 u>1490349000 € Failed auth: invalid user TestI from 192.0.2.2 rrz --encodingr^z^EPOCHzFailed .* from z encoding : %srTrWzMissed line(s)) tempfilemktempr[r<writeencodecloserkr'rZrr=unlink)r-fnameencfoutls rtestNLCharAsPartOfUniCharz+Fail2banRegexTest.testNLCharAsPartOfUniCharFs // >% %c==+c12 t D ZZ    JJLOOJ(3i $  &,54A)*JJLIIe30 JJLIIes B C&&'D c*|jtd|j|jtdd|j t j |j|jtddy)Nrz-Vz --version)assertNotEqualrBr[ assertEqualrZr normVersionrOs rtestExecCmdLine_Usagez'Fail2banRegexTest.testExecCmdLine_Usagedsk-/3--/*40!4M--/0--/*;7;rcj|jtddtdd|jdy)Nrinforhrri)r rBrlrZrOs rtestExecCmdLine_Directz(Fail2banRegexTest.testExecCmdLine_Directls9* 9DErcj|jtddtdd|jdy)NrrzAuthentication failurerzNo failure-id group in )r rBrlrZrOs rtestExecCmdLine_MissFailIDz,Fail2banRegexTest.testExecCmdLine_MissFailIDss9- $-.rc |jtddddddd|jd|j|jtd ddddd|jd y) Nrrrz%:%.%-LOGRErz ERROR: Failed to set datepatternrzFailed to set datepattern)r rBrZr[rOs rtestExecCmdLine_ErrorParamz,Fail2banRegexTest.testExecCmdLine_ErrorParamzsw-45$67--/-x/0rctjstjd|j t dt dzdz|jd|jd|jd|j|j t dt dzd zdz|jd|jdy) Nz.Skip test because no systemd backend availablezsystemd-journalz,[journalmatch="SYSLOG_IDENTIFIER=dummy",z; failregex="^dummy regex, never match xxx"]rrz.Lines: 0 lines, 0 ignored, 0 matched, 0 missedz[logtype=file,z, journalmatch="SYSLOG_IDENTIFIER=dummy",) r FilterSystemdrSkipTestrkr'rrZrr[rOs rtestLogtypeSystemdJournalz+Fail2banRegexTest.testLogtypeSystemdJournals  $ $   K LL//*n@AKL *+*+DE--///*n@ALL '(-.rN)(r/r0r1rNrQr\rarcrmrprsrzr}rrrrrrrrrrrrrrrrrrrrrrr rrrrr2rrrLrL}s  PDY FFF nHD G >N, < < V,F F E6p#OJ+ U* X7, C  <<F/ 1/rrL)5 __author__ __copyright__ __license__r=r:rrclientrclient.fail2banregexrrrr r utilsr r rrrrrjoinr__file__TEST_CONFIG_DIRTEST_FILES_DIRr;r"r' Exceptionr)rBrHrlrryrrrxrrrrrrrrrrrrLr2rrr&s, Z  "iiJJ &$ '',,rwwx8(Cbggooh7A *")I) & ^R  d F L ggll>+;< ggll>+;< WW\\.2KLM Z^ ^VV< ggll:z;? GGLL1RS'',, <^_77<<8MNoz;UV^/*^/r