github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge branch '0.10' into 0.11

pull/2605/head
sebres 2020-01-15 21:54:37 +01:00
parent 9f701bb611 8dc6f30cdd
commit 50fbcda8b6
9 changed files with 104 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
MANIFEST
View File

@ -227,6 +227,8 @@ fail2ban/tests/clientreadertestcase.py
fail2ban/tests/config/action.d/action.conf fail2ban/tests/config/action.d/action.conf
fail2ban/tests/config/action.d/brokenaction.conf fail2ban/tests/config/action.d/brokenaction.conf
fail2ban/tests/config/fail2ban.conf fail2ban/tests/config/fail2ban.conf
fail2ban/tests/config/filter.d/checklogtype.conf
fail2ban/tests/config/filter.d/checklogtype_test.conf
fail2ban/tests/config/filter.d/simple.conf fail2ban/tests/config/filter.d/simple.conf
fail2ban/tests/config/filter.d/test.conf fail2ban/tests/config/filter.d/test.conf
fail2ban/tests/config/filter.d/test.local fail2ban/tests/config/filter.d/test.local

8
fail2ban/client/configreader.py
View File

@ -120,6 +120,10 @@ class ConfigReader():
except AttributeError: except AttributeError:
return False return False
def has_option(self, sec, opt, withDefault=True):
return self._cfg.has_option(sec, opt) if withDefault \
else opt in self._cfg._sections.get(sec, {})
def merge_defaults(self, d): def merge_defaults(self, d):
self._cfg.get_defaults().update(d) self._cfg.get_defaults().update(d)
@ -261,8 +265,8 @@ class ConfigReaderUnshared(SafeConfigParserWithIncludes):
logSys.warning("'%s' not defined in '%s'. Using default one: %r" logSys.warning("'%s' not defined in '%s'. Using default one: %r"
% (optname, sec, optvalue)) % (optname, sec, optvalue))
values[optname] = optvalue values[optname] = optvalue
elif logSys.getEffectiveLevel() <= logLevel: # elif logSys.getEffectiveLevel() <= logLevel:
logSys.log(logLevel, "Non essential option '%s' not defined in '%s'.", optname, sec) # logSys.log(logLevel, "Non essential option '%s' not defined in '%s'.", optname, sec)
except ValueError: except ValueError:
logSys.warning("Wrong value for '" + optname + "' in '" + sec + logSys.warning("Wrong value for '" + optname + "' in '" + sec +
"'. Using default one: '" + repr(optvalue) + "'") "'. Using default one: '" + repr(optvalue) + "'")

7
fail2ban/client/fail2banregex.py
View File

@ -372,11 +372,8 @@ class Fail2banRegex(object):
if not ret: if not ret:
output( "ERROR: failed to load filter %s" % value ) output( "ERROR: failed to load filter %s" % value )
return False return False
# overwrite default logtype (considering that the filter could specify this too in Definition/Init sections): # set backend-related options (logtype):
if not fltOpt.get('logtype'): reader.applyAutoOptions(self._backend)
reader.merge_defaults({
'logtype': ['file','journal'][int(self._backend.startswith("systemd"))]
})
# get, interpolate and convert options: # get, interpolate and convert options:
reader.getOptions(None) reader.getOptions(None)
# show real options if expected: # show real options if expected:

8
fail2ban/client/filterreader.py
View File

@ -53,6 +53,14 @@ class FilterReader(DefinitionInitConfigReader):
def getFile(self): def getFile(self):
return self.__file return self.__file
def applyAutoOptions(self, backend):
# set init option to backend-related logtype, considering
# that the filter settings may be overwritten in its local:
if (not self._initOpts.get('logtype') and
not self.has_option('Definition', 'logtype', False)
):
self._initOpts['logtype'] = ['file','journal'][int(backend.startswith("systemd"))]
def convert(self): def convert(self):
stream = list() stream = list()
opts = self.getCombined() opts = self.getCombined()

7
fail2ban/client/jailreader.py
View File

@ -149,11 +149,8 @@ class JailReader(ConfigReader):
ret = self.__filter.read() ret = self.__filter.read()
if not ret: if not ret:
raise JailDefError("Unable to read the filter %r" % filterName) raise JailDefError("Unable to read the filter %r" % filterName)
if not filterOpt.get('logtype'): # set backend-related options (logtype):
# overwrite default logtype backend-related (considering that the filter settings may be overwritten): self.__filter.applyAutoOptions(self.__opts.get('backend', ''))
self.__filter.merge_defaults({
'logtype': ['file','journal'][int(self.__opts.get('backend', '').startswith("systemd"))]
})
# merge options from filter as 'known/...' (all options unfiltered): # merge options from filter as 'known/...' (all options unfiltered):
self.__filter.getOptions(self.__opts, all=True) self.__filter.getOptions(self.__opts, all=True)
ConfigReader.merge_section(self, self.__name, self.__filter.getCombined(), 'known/') ConfigReader.merge_section(self, self.__name, self.__filter.getCombined(), 'known/')

15
fail2ban/tests/clientreadertestcase.py
View File

@ -329,6 +329,21 @@ class JailReaderTest(LogCaptureTestCase):
i += 1 i += 1
if i > usednsidx: break if i > usednsidx: break
def testLogTypeOfBackendInJail(self):
unittest.F2B.SkipIfCfgMissing(stock=True); # expected include of common.conf
# test twice to check cache works peoperly:
for i in (1, 2):
# backend-related, overwritten in definition, specified in init parameters:
for prefline in ('JRNL', 'FILE', 'TEST', 'INIT'):
jail = JailReader('checklogtype_'+prefline.lower(), basedir=IMPERFECT_CONFIG,
share_config=IMPERFECT_CONFIG_SHARE_CFG, force_enable=True)
self.assertTrue(jail.read())
self.assertTrue(jail.getOptions())
stream = jail.convert()
# 'JRNL' for systemd, 'FILE' for file backend, 'TEST' for custom logtype (overwrite it):
self.assertEqual([['set', jail.getName(), 'addfailregex', '^%s failure from <HOST>$' % prefline]],
[o for o in stream if len(o) > 2 and o[2] == 'addfailregex'])
def testSplitOption(self): def testSplitOption(self):
# Simple example # Simple example
option = "mail-whois[name=SSH]" option = "mail-whois[name=SSH]"

31
fail2ban/tests/config/filter.d/checklogtype.conf Normal file
View File

@ -0,0 +1,31 @@
# Fail2Ban configuration file
#
[INCLUDES]
# Read common prefixes (logtype is set in default section)
before = ../../../../config/filter.d/common.conf
[Definition]
_daemon = test
failregex = ^<lt_<logtype>/__prefix_line> failure from <HOST>$
ignoreregex =
# following sections define prefix line considering logtype:
# backend-related (retrieved from backend, overwrite default):
[lt_file]
__prefix_line = FILE
[lt_journal]
__prefix_line = JRNL
# specified in definition section of filter (see filter checklogtype_test.conf):
[lt_test]
__prefix_line = TEST
# specified in init parameter of jail (see ../jail.conf, jail checklogtype_init):
[lt_init]
__prefix_line = INIT

12
fail2ban/tests/config/filter.d/checklogtype_test.conf Normal file
View File

@ -0,0 +1,12 @@
# Fail2Ban configuration file
#
[INCLUDES]
# Read common prefixes (logtype is set in default section)
before = checklogtype.conf
[Definition]
# overwrite logtype in definition (no backend anymore):
logtype = test

25
fail2ban/tests/config/jail.conf
View File

@ -74,3 +74,28 @@ journalmatch = _COMM=test
maxlines = 2 maxlines = 2
usedns = no usedns = no
enabled = false enabled = false
[checklogtype_jrnl]
filter = checklogtype
backend = systemd
action = action
enabled = false
[checklogtype_file]
filter = checklogtype
backend = polling
logpath = README.md
action = action
enabled = false
[checklogtype_test]
filter = checklogtype_test
backend = systemd
action = action
enabled = false
[checklogtype_init]
filter = checklogtype_test[logtype=init]
backend = systemd
action = action
enabled = false