U

]^^�@s�dZd
Z
dZddlZddlZddlZddlZddlmZm	Z	m
Z

ddlmZm
Z

ddlmZ
d	d
lmZ
d	dlmZmZmZ
Gdd
�d
e�ZdS)z
Cyril Jaquierz Copyright (c) 2004 Cyril JaquierZGPL�N�)�
CommandAction�
CallingMap�substituteRecursiveTags)�OrderedDict�Actions)
�Utils�
)
�	DummyJail)�
pid_exists�with_tmpdir�LogCaptureTestCasec@s�eZ
dZd
d�Zdd�Zdd�Zdd�Zd	d
�Zdd�Zd
d�Z	dd�Z
edd��
Zdd�Z
edd��
Zedd��
Zedd��
Zdd�Zdd�Zdd �Zd!d"�Zd#d$�Zd%d&�Zd'd(�Zd)d*�Zd+d,�Zd-d.�Zd/d0�Zd1d2�Zd3d4�Zd5S)6�CommandActionTestc
s>t�
�
�

td
d��
_d�
_�
jj���
fdd�}
|
�
j_d
S)zCall before every test case.NZTestFcsd
�
_��S)NT)
�"_CommandActionTest__action_started��Zorgstart�selfr�?/usr/lib/python3/dist-packages/fail2ban/tests/actiontestcase.py�
_action_start1s

z.CommandActionTest.setUp.<locals>._action_start)r
�setUpr�_CommandActionTest__actionr�start)rrrrrr*s



zCommandActionTest.setUpc

Cs|jr|j
��
t�|�

d
S)zCall after every test case.N)rr�stopr
�tearDown�
rrrrr6s


zCommandActionTest.tearDownc

Cs�
d
ddd�}
|�t
dd��
|�t
dd��
|�t
dd��
|�t
d	d��
|�t
d
d��
tr�|�ttd�
�
dd
ddd��
|�ttd�
�
dddd
ddd��
|�ttd�
�
td�
�
|�t
dd��
|�t
dd��
|�tddi
�
ddi
�
|�tddd��
d dd��
|�td!d"d#��
d$d"d#��
|�td%d"d#��
d&d"d#��
|�td'd(d)d*��
d+d(d)d*��
|�t|
�
d
d,d-d��
|�td.d/d0��
d1d/d0��
|�td.d/d2d3��
d2d/d2d3��
|�td4d5d2d3��
d6d5d2d3��
dS)7N�	192.0.2.0z
123 <HOST>z	890 <ABC>��HOST�ABC�xyzcSstd
di
�
S)N�
A�<A>�
rrrrr�<lambda>D�z?CommandActionTest.testSubstituteRecursiveTags.<locals>.<lambda>cSstd
dd��
S)N�<B>r!�r �
Br"rrrrr#Fr$cSstd
ddd��
S)Nr%�<C>r!)r r'�
Cr"rrrrr#Hr$cSstd
dddd��
S)Nzto=<B> fromip=<IP>r%r(�)r r)r'�
Dr"rrrrr#Kr$cSstd
dddd��
S)Nzto=<honeypot> fromip=<IP>z
<honeypot>z<sweet>r*)�	failregexZsweet�honeypot�ignoreregexr"rrrrr#Mr$))�
Xzx=x<T>��
T�
1)�
Zz<X> <T> <Y>��
Yzy=y<T>zx=x1r2zy=y1zx=x1 1 y=y1)r/r1r5r3))r/zx=x<T> <Z> <<R1>> <<R2>>)�R1r3)�R2r5r0)r3z<T> <Y>r4zx=x1 1 y=y1 1 y=y1 y=y1r3r5z1 y=y1)r/r6r7r1r3r5)
)�actionstartzgipset create <ipmset> hash:ip timeout <bantime> family <ipsetfamily>
<iptables> -I <chain> <actiontype>)�ipmsetz
f2b-<name>��name�any�ZbantimeZ600�ZipsetfamilyZinet)�iptablesziptables <lockingopt>�Z
lockingoptz-w��chainZINPUT)�
actiontypez<multiport>)�	multiportzY-p <protocol> -m multiport --dports <port> -m set --match-set <ipmset> src -j <blocktype>�ZprotocolZtcp�ZportZssh�Z	blocktypeZREJECT)
)r8z�ipset create f2b-any hash:ip timeout 600 family inet
iptables -w -I INPUT -p tcp -m multiport --dports ssh -m set --match-set f2b-any src -j REJECT)r9zf2b-anyr:r=r>)r?ziptables -wr@rA)rC�I-p tcp -m multiport --dports ssh -m set --match-set f2b-any src -j REJECT)rDrHrErFrGcSstt
d
�
�
S)N)�r z<<B><C>>�r'r+�r)�
E�ZDEz	cycle <A>�rrrrrrr#{r$cSstt
d
�
�
S)N)rMrIrJrKrNrrrrr#�r$r r(z<C> <D> <X>Zfun)r r/z<C> <D> funz<C> <B>Zcoolr&z<C> coolz
<matches> <B>z<matches> coolz/to=<honeypot> fromip=<IP> evilperson=<honeypot>Zpokier*)r,r-r.z%to=pokie fromip=<IP> evilperson=pokiez
123 192.0.2.0z890 123 192.0.2.0z<<PREF>HOST>ZIPV4)r �PREFz
<IPV4HOST>z1.2.3.4)r rOZIPV4HOSTzA <IP<PREF>HOST> B IP<PREF> CZV4zA 1.2.3.4 B IPV4 C)�assertRaises�
ValueErrorr�assertEqualr�r�aInforrr�testSubstituteRecursiveTags<sx

�
�
�
�
�
�
��
��� 




��



��
�

�

�z-CommandActionTest.testSubstituteRecursiveTagsc

s�td
dd�ddd��
�t
��

ddd�
�d<�
�t�f
dd��
t
��

d	�d
<�
�t�f
dd��
�
��
j�d��d
�
�
��
j�d��d�
�
�t��
fdd��
�
��
j�d��d	�
dS)Nr
c


Ssd
S)Nz<A><A>rrrrrr#�r$zHCommandActionTest.testSubstRec_DontTouchUnusedCallable.<locals>.<lambda>r*)r r'r)r+cSsd
t|d�
S)N�r �
�int)r�
irrrr#�r$r)cs�d
S)Nr)rr�
�cmrrr#�r$�test=<C>r+cst��
S�
Nr"rrZrrr#�r$ztest=<A>ztest=0ztest=<A>--<B>--<A>ztest=0--<A><A>--0cs�
j�
d
��S)Nr\)r�
replaceTagr�r[rrrr#�r$z<D>)
r
)rrrP�ZeroDivisionErrorrRrr^rrr_r�$testSubstRec_DontTouchUnusedCallable�s 




�z6CommandActionTest.testSubstRec_DontTouchUnusedCallablec
Cs�d
ddd�}
|�|j
�d|
�d�
|�|j
�d|
�d�
|�|j
�d	|
�d
�
|�|j
�ddd
i
�d�
|�|j
�ddd
i
�d�
|�|j
�dddi
�d�
d|
d<|�|j
�d	|
�d�
|�|j
�dtdd�d�
�d�
dS)Nr�123Z890rzText<br>textz	Text
textzText <HOST> textzText 192.0.2.0 textzText <xyz> text <ABC> ABCzText 890 text 123 ABCz	<matches>�matchesz$some >char< should \< be[ escap}ed&
z,some \>char\< should \\\< be\[ escap\}ed\&\nz<ipmatches>Z	ipmatchesz<ipjailmatches>Z
ipjailmatchesz%some >char< should \< be[ escap}ed&
z.some \>char\< should \\\< be\[ escap\}ed\&\r\nz<xyz>rzText 890 text 890 ABCz09 <matches> 11c

Sstd
�
S�N�
�
�strrrrrr#�r$z2CommandActionTest.testReplaceTag.<locals>.<lambda>�
rcz09 10 11�rRrr^rrSrrr�testReplaceTag�sZ

�

�

�

�

��

��

��


�

��z CommandActionTest.testReplaceTagc

Cs$|�|j
�d
tdd�d�
�d
�
dS)N�abcc

Sstd
�
S�N�
arWrrrrr#�r$z4CommandActionTest.testReplaceNoTag.<locals>.<lambda>rhrirrrr�testReplaceNoTag�s

�
�z"CommandActionTest.testReplaceNoTagc

s�t�j
d
d�
t�j
dd�
t�j
dd�
t�j
dd�
t�j
d	d
�
t�j
dd�
��td
�f
dd��
t�j
d�
��td�f
dd��
dS)Nrmz<a�
bzc>zb?family=inet6zb>Zac�<a><b>Zabz<ac>zx?family=inet6r*z/properties contain self referencing definitionscs�jj
d
�jjdd�S)Nrp�family=inet4�
�conditional�rr^�_propertiesrrrrr#�s
�z?CommandActionTest.testReplaceTagSelfRecursion.<locals>.<lambda>z.possible self referencing definitions in querycs�jj
d
�jjdd�S)Nz?<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x>>>>>>>>>>>>>>>>>>>>>�family=inet6rrrtrrrrr#�s
�)�setattrrZassertRaisesRegexrQ�delattrrrrr�testReplaceTagSelfRecursion�s







�

�z-CommandActionTest.testReplaceTagSelfRecursionc
	Csp
t|j
d
d�
t|j
dd�
t|j
dd�
t|j
dd�
t|j
d	d
�
|j
j}
td�
D]d}|�|j
jd|j
jd
|
d�d�
|�|j
jd|j
jd|
d�d�
|�|j
jd|j
jd|
d�d�
qV|�t|
�
dk�

t|j
dd�
|�t|
�
d�
td�
D]d}|�|j
jd|j
jd
|
d�d�
|�|j
jd|j
jd|
d�d�
|�|j
jd|j
jd|
d�d�
q�|�t|
�
dk�

dS)Nrkrbzabc?family=inet4Z345zabc?family=inet6Z567rz	890-<abc>Z	banactionzText <xyz> text <abc>rz<banaction> '<abc>'r*)rs�cachezText 890-123 text 123 '123'rqzText 890-345 text 345 '345'rvzText 890-567 text 567 '567'�z	000-<abc>r
zText 000-123 text 123 '123'zText 000-345 text 345 '345'zText 000-567 text 567 '567')	rwrZ_substCache�rangerRr^ru�
assertTrue�len)rrzrYrrr�testReplaceTagConditionalCached
sl








��

��

��



��

��

��z1CommandActionTest.testReplaceTagConditionalCachedcCs�|
d
7}
d|
|j_
|jj
|j_|�|jj
d|
�
d|
|j_|�|jjd|
�
d|j_|�|jjd�
d|
|j_|�|jjd|
�
d|j_|�|jjd�
|��
|�	d�

|j�
ddi
�

|�d	�

|�d
�

|j��
|�|jj�

dS)N�/fail2ban.test�
touch '%s'�
rm -f '%s'zecho -n�[ -e '%s' ]�trueZreturned�ip�Invariant check failedzreturned successfully)
rr8�actionrepairrR�
actionstop�	actionban�actioncheck�actionunban�pruneLog�assertNotLogged�ban�assertLoggedr�rZtmprrr�testExecuteActionBan,
s&



















z&CommandActionTest.testExecuteActionBanc

Cs�d
|j_
d
|j_d|j_d|j_|j��
|j�i�

|��
|j�i�

|j	ddd�
|j�i�

|�d�

|j�
�
|j�i�

|j��
|j	ddd�
|�d�

dS)	Nr*zecho -n 'flush'zecho -n 'stop'�
Nothing to doT�
�wait�	[phase 2]r)
rr�r�Zactionflushr�rr�r��unbanr��flushrr�rrrr�testExecuteActionEmptyUnbanE
s 

















z-CommandActionTest.testExecuteActionEmptyUnbancCsL|
d
7}
d|j_
d|
|j_d|
|j_d|
|j_|j��
|j��
dS)Nr�rztouch '%s.<HOST>'zrm -f '%s.<HOST>'z[ -e '%s.192.0.2.0' ])rrr8r�r�rZconsistencyCheckr�rrr�testExecuteActionStartCtagsY
s






z-CommandActionTest.testExecuteActionStartCtagscCs�|
d
7}
d|j_
d|
|j_d|
|j_d|
|j_|�t|jjddi
�
|jddd	d
�
|�	d�

d|
|j_
d|
|j_d
|
|j_d|
|j_|j�ddi
�

|�d�

|�
d�

dS)Nr�r*r��rm '%s'r�r�r��Unable to restore environmentT�
�allr�r�zprintf "%%%%b
" <ip> >> '%s')rr8r�r�r�rP�RuntimeErrorr�r�r�r�r�rrr�(testExecuteActionCheckRestoreEnvironmentc
s














z:CommandActionTest.testExecuteActionCheckRestoreEnvironmentcCs�|
d
7}
d|j_
d|j_d|
|j_d|
|j_d|
|j_|j�ddi
�

|jddd	d
�
|��
d|j_|�	t
|jjddi
�
|jdddd	d
�
dS)Nr�r*r�r�zecho 'repair ...'; touch '%s'r�zInvariant check failed. Tryingzecho 'repair ...'Tr�r�)rr8r�r�r�r�r�r�r�rPr�r�rrr�'testExecuteActionCheckRepairEnvironmentv
s"











�z9CommandActionTest.testExecuteActionCheckRepairEnvironmentc

Cs.|�t
t|jd
�
d|j_|�|jjd�
dS)N�ROSTr)rP�AttributeError�getattrrr�rRrrrr�testExecuteActionChangeCtags�
s


z.CommandActionTest.testExecuteActionChangeCtagsc
CsPtd
ddd�d��
}
d|j
_d|j
_|j
�|
�

|j
�|
�

|jdd	d
d�
dS)Nrb�	192.0.2.1c

Ssd
ddd�S)N�o��Ztester)ZfidZfport�userrrrrrr#�
s


�z?CommandActionTest.testExecuteActionUnbanAinfo.<locals>.<lambda>)rr�zF-*zFecho '<ABC>, failure <F-ID> of <F-USER> -<F-TEST>- from <ip>:<F-PORT>'z$echo '<ABC>, user <F-USER> unbanned'z> -- stdout: '123, failure 111 of tester -- from 192.0.2.1:222'z' -- stdout: '123, user tester unbanned'Tr�)rrr�r�r�r�r�rSrrr�testExecuteActionUnbanAinfo�
s



�	






�z-CommandActionTest.testExecuteActionUnbanAinfoc

Cs^d
|j_
|j��
|�|j�d
�
�

|�d�

|��
|�|j�d
�
�

|�d�

|��
dS)Nr*r�)rr8rr}�
executeCmdr�r�Z_processCmdrrrr�testExecuteActionStartEmpty�
s










z-CommandActionTest.testExecuteActionStartEmptyc

Cs6|�|j
jd
dddd�d��

|jddd	d
dd�
dS)
NzUprintf %b "foreign input:\n -- $f2bV_A --\n -- $f2bV_B --\n -- $(echo -n $f2bV_C) --"z I'm a hacker; && $(echo $f2bV_B)zI"m very bad hackerz#`Very | very
$(bad & worst hacker)`)Zf2bV_AZf2bV_BZf2bV_C)
ZvarsDictzforeign input:z' -- I'm a hacker; && $(echo $f2bV_B) --z -- I"m very bad hacker --z* -- `Very | very $(bad & worst hacker)` --Tr�)r}rr�r�rrrr�testExecuteWithVars�
s




��


�z%CommandActionTest.testExecuteWithVarsc
Cs�d
|j_
d|j_d|j_dddddg}
d	d
d�|
�
d�}|��
|j�|�

|jd
|d|df|
�ddi
�

|jd|dddd�
|��
|j�	|�

|j�
�
|jd|dddd�
dS)Nz3echo "** ban <ip>, reason: <reason> ...\n<matches>"zecho "** unban <ip>"zecho "** stop monitoring"z
<actionunban>z" Hooray! #z`I'm cool script kiddyz7`I`m very cool > /here-is-the-path/to/bin/.x-attempt.shz<actionstop>r�zAhacking attempt ( he thought he knows how f2b internally works ;)�

)r��reasonrcz	** ban %sr�r�r�Tz** unban %sz** stop monitoringr�)rr�r�r��joinr�r�r�r�r�r)rrcrTrrr� testExecuteReplaceEscapeWithVars�
sH






�

�



�
�
�

�





�z2CommandActionTest.testExecuteReplaceEscapeWithVarsc

Cst�
d
�

|�d�

dS)Nz+/bin/ls >/dev/null
bogusXXX now 2>/dev/nullz HINT on 127: "Command not found"�rr�r�rrrr�testExecuteIncorrectCmd�
s


z)CommandActionTest.testExecuteIncorrectCmdc
Csvt��}
t
jjsd
nd}|�tjd|d��

|�t��|
|koRt��|
|d
k
�

|jdddd�
|�dd	�
dS)
Nr	g{�G�z�?zsleep 30�
�timeoutz -- timed out afterTr�� -- killed with SIGTERM� -- killed with SIGKILL)	�time�unittestZF2BZfast�assertFalserr�r}r�)r�stimer�rrr�testExecuteTimeout�
s

*


�z$CommandActionTest.testExecuteTimeoutc
	s<
t�
d
d��t�d��}
|
�d��

W5QRXd��
�fdd�}�f
dd	��
t���|�tjd
�|d��

�
��|�t	�
�f
dd
�d��

|�dd�
|�d�

|�dd�
t�
�d�

t���|�tjd�|d��

�
��|�t	�
�f
dd
�d��

|�dd�
|�d�

|�dd�
t�
��

t�
�d�

dS)Nz.shZ	fail2ban_�
wzo#!/bin/bash
		trap : HUP EXIT TERM

		echo "$$" > %s.pid
		echo "my pid $$ . sleeping lo-o-o-ong"
		sleep 30
		r
cs��dk	pt���
d
kS�NrV)
r�r)�getnastypidr�rr�
getnasty_tout�
s

�zLCommandActionTest.testExecuteTimeoutWithNastyChildren.<locals>.getnasty_toutc	sVd}tj
��d
�
rRt�d
�
�,}
zt|
���
}Wntk
rF


YnXW5QRX|S)N�.pid)�os�path�isfile�openrX�readrQ)�cpid�
f)
�tmpFilenamerrr��
s







zJCommandActionTest.testExecuteTimeoutWithNastyChildren.<locals>.getnastypidzbash %sr�cs
t��
Sr]�
rr�
r�rrr#r$zGCommandActionTest.testExecuteTimeoutWithNastyChildren.<locals>.<lambda>r{zmy pid z Resource temporarily unavailablez	timed outzkilled with SIGTERMzkilled with SIGKILLr�zout=`bash %s`; echo ALRIGHTcs
t��
Sr]r�rr�rrr#r$z
 -- timed outr�r�)�tempfileZmktempr��writer�r�rr�r}rZwait_forr�r��unlink)rr�r�r)r�r�r�r�r�#testExecuteTimeoutWithNastyChildren�
sF
�

�




�

�




�

z5CommandActionTest.testExecuteTimeoutWithNastyChildrenc

Cs,t�
d
�

|�d�

t�
d�

|�d�

dS)Nzecho "How now brown cow"zstdout: 'How now brown cow'
z7echo "The rain in Spain stays mainly in the plain" 1>&2z6stderr: 'The rain in Spain stays mainly in the plain'
r�rrrr�testCaptureStdOutErr&s





�
�z&CommandActionTest.testCaptureStdOutErrc
Cs>td
d�dd�ddd�}
|�
d|
d�
|�td	d�|
�
dS)
Nc

Sstd
�
Srdrfrrrrr#/r$z2CommandActionTest.testCallingMap.<locals>.<lambda>c

Sstd
�
SrlrWrrrrr#/r$�string�)Zcallme�errorZ
dontcallmeZnumberz)%(callme)s okay %(dontcallme)s %(number)iz10 okay string 17c

Ssd
|S)Nz	%(error)ir)
�
xrrrr#7r$)rrRrPrQ)rZmymaprrr�testCallingMap.s

�

�z CommandActionTest.testCallingMapc
CsT
td
d�dd�dd��
}
|
�
�
d|
d<|
d=|�t|
�
d	�
|�d|
�
|�|
d|
d
fd�
|
�
�
t|
�
}|�t|
�
d�
|�d|
�
|�|
d|
d
|
dfd
�
d|
d<|
��}dd�|d<d|d<|d
=|d=|�d
|
k�

|�d|
k�

|�	d
|k�

|�	d|k�

|�|
d|
d
|
d|
dfd�
|�|d|dfd�
dS)Nc


Ssd
Sr�rrrrrr#;r$z8CommandActionTest.testCallingMapModify.<locals>.<lambda>c

Ss|d
dS�Nrm�rrrrrr#<r$�test�rmro�
c�rmr�rro)r�rer{)rV�r��dddd�
dc

Ss|d
dS)Nrm�rrrrrr#Qr$r	)rVr�r�r�)r	�)
r�resetrRr~�assertNotIn�repr�assertIn�copyr}r�)r�
m�
sZm2rrr�testCallingMapModify9s8



�
















$
z&CommandActionTest.testCallingMapModifyc
Cs�td
d�dd�dd��
}
t
|
�
}|�d|�
|�d|�
|�d|�
|
�d	�
}|�d
|�
|�d|�
|�d|�
dd�|
d
<|
�d	�
}|�d
|�
|�d|�
|�d|�
|�d|�
dS)Nc


Ssd
Sr�rrrrrr#^r$z5CommandActionTest.testCallingMapRep.<locals>.<lambda>c

Ss|d
dSr�rrrrrr#_r$r*r�z'a': z'b': z'c': ''Tz'a': 5z'b': 11c

Ss|d
dS)NZxxxr�rrrrrr#lr$r�z'c': )rr�r�r�Z_asrepr)rr�r�rrr�testCallingMapRep\s&



�












z#CommandActionTest.testCallingMapRepc
CsRtt
��
}
d
|
_d|
_|
��
|jddd�
d|
_|jddd�
d|
_|
��
dS)Ng-C��6?TzActions: enter idle moderer�FzActions: leave idle mode)rr
Z	sleeptimeZidlerr�Zactiver�)rrmrrr�testActionsIdleModess




z%CommandActionTest.testActionsIdleModeN)�__name__�
__module__�__qualname__rrrUrarjrnryrrr�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�rrrrr(s<e()



	




=#r)�
__author__Z
__copyright__Z__license__r�r�r�r�Z
server.actionrrrZserver.actionsrrZserver.utilsrZ	dummyjailr
Zutilsrrr
rrrrr�<module>s