3

TB(d=a�
@s�dZd
Z
dZddlZddlZddlZddlZyddlmZ
Wn e	k
r\


ddl
mZ
YnXddl
mZ
ddlm
Z
mZ
dd	lmZ
dd
lmZ
ddlmZmZmZ
ddlmZ
dd
lmZ
ddlmZ
ddlmZ
ee�
Z Gdd�dee�Z!dS)z
Cyril Jaquierz Copyright (c) 2004 Cyril JaquierZGPL�N)
�Mapping)
�OrderedDict�
)�
BanManager�	BanTicket)
�IPAddr)
�
JailThread)�
ActionBase�
CommandAction�
CallingMap)
�MyTime)
�	Observers)
�Utils�)
�	getLoggerc@s
eZ
dZd
Zdd�Zedd��
Zd?dd	�
Zd@dd�
Zd
d�Z	dd�Z
dd�Zdd�Zdd�Z
dd�Zdd�Zdd�Zdd�ZdAdd �
Zd!d"�ZdBd#d$�
ZdCd%d&�
Zd'd(�ZGd)d*�d*e�Zd+d,�ZdDd.d/�
ZdEd0d1�
ZdFd2d3�
Zd4d5�ZdGd6d7�
ZdHd8d9�
ZdId:d;�
Z dJd=d>�
Z!dS)K�Actionsa�Handles jail actions.

	This class handles the actions of the jail. Creation, deletion or to
	actions must be done through this class. This class is based on the
	Mapping type, and the `add` method must be used to add new actions.
	This class also starts and stops the actions, and fetches bans from
	the jail executing these bans via the actions.

	Parameters
	----------
	jail: Jail
		The jail of which the actions belongs to.

	Attributes
	----------
	daemon
	ident
	name
	status
	active : bool
		Control the state of the thread.
	idle : bool
		Control the idle state of the thread.
	sleeptime : int
		The time the thread sleeps for in the loop.
	cCsLtj
|d
|
jd�
|
|_t�|_t�|_d|_d|_	d|_
|j
d|_dS)Nzf2b/a.)
�namer
�
r)r�__init__r�_jailr�_actionsr�
banManager�banEpoch� _Actions__lastConsistencyCheckTM�
banPrecedence�
unbanMaxCount)�self�jail�r�/usr/lib/python3.6/actions.pyrNs



zActions.__init__c
CsFtj
|�
}
t|
d
�s"td|�
�
n t|
jt�sBtd||
jjf�
�
|
S)N�Actionz&%s module does not have 'Action' classz0%s module %s does not implement required methods)rZload_python_module�hasattr�RuntimeError�
issubclassr r	�__name__)�pythonModule�modrrr�_load_python_module\s









zActions._load_python_moduleNFcCs�|
|jkrN|st
d
|
�
�
|j|
}t|d�rNt|d�rJ|j�
||j|
<dS|dkrdt|j|
�}n|j|�
}|j|j|
f|�
}||j|
<dS)a�Adds a new action.

		Add a new action if not already present, defaulting to standard
		`CommandAction`, or specified Python module.

		Parameters
		----------
		name : str
			The name of the action.
		pythonModule : str, optional
			Path to Python file which must contain `Action` class.
			Default None, which means `CommandAction` is used.
		initOpts : dict, optional
			Options for Python Action, used as keyword arguments for
			initialisation. Default None.

		Raises
		------
		ValueError
			If action name already exists.
		RuntimeError
			If external Python module does not have `Action` class
			or does not implement necessary methods as per `ActionBase`
			abstract class.
		zAction %s already exists�reload�clearAllParamsN)	r�
ValueErrorr!r)�_reload_actionsr
rr'r )rrr%�initOptsr(�actionZcustomActionModulerrr�addis














zActions.addTcs�|
rt��_
n�t�d
�r�x:�j
j�D],\}}|�jkr$�j|jf|rJ|ni�

q$Wt�f
dd��jj�D�
�
}t|�
r��jd|dd�
�j	|d�

t
�d
�
dS)	z@ Begin or end of reloading resp. refreshing of all parameters
		r+c
3s$|]\}
}|
�jkr|
|fV
qdS)
N)
r+)�.0rr-)
rrr�	<genexpr>�s
z!Actions.reload.<locals>.<genexpr>FT)�db�actions�stop)
r2N)�dictr+r!�itemsrr(r�len�_Actions__flushBan�stopActions�delattr)rZbeginrr,Zdelactsr)
rrr(�s






zActions.reloadcCs0y
|j|
St
k
r*


t
d
|
�
�
YnXdS)NzInvalid Action name: %s)r�KeyError)rrrrr�__getitem__�s




zActions.__getitem__cCs2y|j|
=Wn t
k
r,


t
d
|
�
�
YnXdS)NzInvalid Action name: %s)rr:)rrrrr�__delitem__�s



zActions.__delitem__c

Cs
t|j
�
S)
N)�iterr)
rrrr�__iter__�s
zActions.__iter__c

Cs
t|j
�
S)
N)r6r)
rrrr�__len__�s
zActions.__len__c
Csd
S)NFr)r�otherrrr�__eq__�s
zActions.__eq__c

Cst|�
S)
N)
�id)
rrrr�__hash__�s
zActions.__hash__cCs(tj
|
�
}
|jj|
�

tjd
|
�

dS)Nz
  banTime: %s)rZstr2secondsr�
setBanTime�logSys�info)r�valuerrrrD�s



zActions.setBanTimec


Cs
|jj
�S)
N)r�
getBanTime)
rrrrrH�s
zActions.getBanTimecsD|jj
��|
s�St|
�
d
kr2|
d�kr.d
SdS�f
dd�|
D�
S)Nrr
c
sg|]}
|
�krdnd
�qS)rr
r)r/�ip)
�lstrr�
<listcomp>�sz%Actions.getBanned.<locals>.<listcomp>)r�
getBanListr6)rZidsr)
rJr�	getBanned�s






zActions.getBannedcCs|jj
d
|
d�S)zkReturns the list of banned IP addresses.

		Returns
		-------
		list
			The list of banned IP addresses.
		T)Zordered�withTime)rrL)rrNrrrrL�szActions.getBanListcs<tj
��t|
t�r&�f
d
d�|
D�
}nt|
��f
}|j|�
S)zBan an IP or list of IPs.c
3s|]}
t|
��V
qdS)
N)
r)r/rI)
�unixTimerrr0�sz&Actions.addBannedIP.<locals>.<genexpr>)r�time�
isinstance�listr�_Actions__checkBan)rrI�ticketsr)
rOr�addBannedIP�s

zActions.addBannedIPcCs8
|
d
kr|j|�
St
|
ttf�r�g}d}xF|
D]>}y||j|||�7}Wq.tk
rj


|sf|j|�

Yq.Xq.W|r�td|�
�
|S|r�|jjd
k	r�|jjj	|j|
�
|j
j|
�
}|d
k	r�|j|�

nnt
|
t
��
st
|
�
}|j�
stt|j|j
j���
}	|	�
r|j|	||�Sd|
}
tjtj|
�
|�
r,dSt|
�
�
dS)aO
Removes banned IP calling actions' unban method

		Remove a banned IP now, rather than waiting for it to expire,
		even if set to never expire.

		Parameters
		----------
		ip : list, str, IPAddr or None
			The IP address (or multiple IPs as list) to unban or all IPs if None

		Raises
		------
		ValueError
			If `ip` is not banned
		Nr
znot banned: %rz%s is not bannedr)r7rQrR�tuple�removeBannedIPr*�appendr�database�delBanrZ
getTicketByID�_Actions__unBanrZisSingle�filter�containsrLrE�log�loggingZMSG)rrIr1ZifexistsZmissed�cnt�
i�ticketZipaZips�msgrrrrW�s>

























zActions.removeBannedIPcCs�|
d
kr|j}
x�t
t|
j��
�
D]t\}}y|j�
WnDtk
rx
}
z(tjd|jj	||tj
�tjk
d�
WYd
d
}~XnX|j|=tj
d|jj	|�
q Wd
S)z>Stops the actions in reverse sequence (optionally filtered)
		Nz(Failed to stop jail '%s' action '%s': %s)
�exc_infoz%s: action %s terminated)r�reversedrRr5r3�	ExceptionrE�errorrr�getEffectiveLevelr_�DEBUG�debug)rr2rr-�
errrr8/
s








$

zActions.stopActionsc
s�
d
}
xh�jj
�D]Z\}}y|j�
Wqtk
rh
}
z(tjd�jj||tj�t	j
k
d�
WYdd}~XqXqW�
xZ�j�
rʐ
y�jr�tj
d�

tj�f
dd�dd��j�
tj
d	�

wrd
}t�j�jjtj��}tjd
d|�j�
tj�f
dd�|��
r
�j�}|
|7}
|�
s|
�jk�
r��j�
r||d
9}tjd
d|�
rL|�jk�
rL|n�j|�j�
�j|�
rt|�jk�
rt|n�j�

d
}
Wqrtk
�
r�
}
z&tjd�jj|tj�t	j
k
d�
WYdd}~XqrXqrW�jdd�

�j�
dS)z�Main loop for Threading.

		This function is the main loop of the thread. It checks the jail
		queue and executes commands when an IP address is banned.

		Returns
		-------
		bool
			True when the thread exits nicely.
		r
z)Failed to start jail '%s' action '%s': %s)
rdNzActions: enter idle modec
s�jp�j
S)
N)�active�idler)
rrr�<lambda>V
szActions.run.<locals>.<lambda>c
Ssd
S)NFrrrrrrnW
szActions: leave idle mode�z1Actions: wait for pending tickets %s (default %s)c
s�jp�j
jS)
N)rlrZhasFailTicketsr)
rrrrn^
srz+Actions: check-unban %s, bancnt %s, max: %sz*[%s] unhandled error in actions thread: %sT)
r3)rr5�startrfrErgrrrhr_rirlrmrjrZwait_forZ	sleeptime�minrZ_nextUnbanTimerrPr^rSrr�_Actions__checkUnBanr7r8)rr`rr-rkZbancntZwtr)
rr�run?
sF







(
















,
"




(

zActions.runc@s�eZ
dZd(Zdd�dd�dd�dd�dd�d	d�d
d�dd�dd�d
d�dd�d)dd�
dd�dd�dd�dd�dd�dd�dd�dd�dd�d�Zejd*Zddefdd �
Zd!d"�Zd#d$�Z	d+d&d'�
Z
dS),zActions.ActionInfo�fid�
raw-ticketc


Cs
|jj
�S)
N)�_ActionInfo__ticketZgetIP)
rrrrrnw
szActions.ActionInfo.<lambda>c

Cs
|d
jS)NrI)
Z	familyStr)
rrrrrnx
sc

Cs|d
jd�
S)NrI�)
ZgetPTR)
rrrrrny
sc

Cs|d
j�S)NrI)
ZgetHost)
rrrrrnz
sc


Cs
|jj
�S)
N)rv�getID)
rrrrrn{
sc


Cs
|jj
�S)
N)rv�
getAttempt)
rrrrrn|
sc


Cs
|jj
�S)
N)rv�getTime)
rrrrrn}
sc


Cs|j�S)
N)
�_getBanTime)
rrrrrn~
sc


Cs
|jj
�S)
N)rvZgetBanCount)
rrrrrn
sc

Csd
j|j
j��
S)N�

)�joinrv�
getMatches)
rrrrrn�
sc


Cs|jj
rd
SdS)Nrr
)rv�restored)
rrrrrn�
sNcCs|jj
|
�
S)
N)rvZgetData)r�tagrrrrn�
sc

Csd
j|j
d�
j��
S)Nr|T)r}�_mi4ipr~)
rrrrrn�
sc

Csd
j|j
�j��
S)Nr|)r}r�r~)
rrrrrn�
sc

Cs|jd
�
j
�S)NT)r�ry)
rrrrrn�
sc


Cs|j�j
�S)
N)r�ry)
rrrrrn�
sc

Cs
t|j
�
S)
N)�reprrv)
rrrrrn�
sc


Cs|jj
jj�S)
N)�_ActionInfo__jailr2r�size)
rrrrrn�
sc


Cs|jj
jj�S)
N)r�r2r�getBanTotal)
rrrrrn�
sc


Cs|jj
jj�S)
N)r�r\�failManagerr�)
rrrrrn�
sc


Cs|jj
jj�S)
N)r�r\r�ZgetFailTotal)
rrrrrn�
s)rIZfamilyzip-revzip-hostrtZfailuresrPZbantimeZbancountZmatchesrzF-*Z	ipmatchesZ
ipjailmatchesZ
ipfailuresZipjailfailuresz
raw-ticketzjail.bannedzjail.banned_totalz
jail.foundzjail.found_total�__ticket�__jail�__mi4ipTcCs$|
|_||_
t�|_||_||_dS)
N)rvr�r4Zstorage�	immutable�data)rrbrr�r�rrrr�
s





zActions.ActionInfo.__init__c

Cs|j|j
|j|j|jj��S)
N)�	__class__rvr�r�r��copy)
rrrrr��
s
zActions.ActionInfo.copyc
Cs&|jj
�}
|
dkr|jjj
�}
t|
�
S)
N)rvrHr�r2�int)r�btimerrrr{�
s



zActions.ActionInfo._getBanTimeFcCs�t|d
�si|_
|j
}|
rdnd}||krD||dk	r>||S|jSyR|j}|d}d||<|jsh|jS|
r�|jj|d�
||<n|jj||d�||<WnBtk
r�
}
z&tjd||j	|tj
�tjk
d	�
WYdd}~XnX||dk	r�||S|jS)
a�Gets bans merged once, a helper for lambda(s), prevents stop of executing action by any exception inside.

			This function never returns None for ainfo lambdas - always a ticket (merged or single one)
			and prevents any errors through merging (to guarantee ban actions will be executed).
			[TODO] move merging to observer - here we could wait for merge and read already merged info from a database

			Parameters
			----------
			overalljails : bool
				switch to get a merged bans :
				False - (default) bans merged for current jail only
				True - bans merged for all jails of current ip address

			Returns
			-------
			BanTicket 
				merged or self ticket only
			r��allrNrI)
rI)rIrz+Failed to get %s bans merged, jail '%s': %s)
rd)
r!Z_ActionInfo__mi4iprvr�rYZ
getBansMergedrfrErgrrhr_ri)rZoveralljailsZmi�idxrrIrkrrrr��
s*


















$
zActions.ActionInfo._mi4ip)rtru)
N)r�r�r�)
F)r$�
__module__�__qualname__Z
CM_REPR_ITEMSZAI_DICTr�	__slots__rr�r{r�rrrr�
ActionInfor
s6















r�cCs$|
std
t
j��}
tj|
|j�}|S)Nrw)rrrPrr�r)rrb�aInforrr�_getActionInfo�
s



zActions._getActionInfo�dccs4d
}x*||
kr.|jj
�}|sP|V
|d7}qWdS)zAGenerator to get maximal count failure tickets from fail-manager.r
rN)rZ
getFailTicket)r�countr`rbrrrZ__getFailTickets�
s







zActions.__getFailTicketscs�d
}|
s|j|j
�
}
d}�x�|
D�]v}tj|�
�|j|jj��
}�j�}|j��
}i}|jj�|d��
r^|d7}t	j
dk	r��jr�t	j
jd�|j
|�
tjd|j
j�js�dnd|�
x�|jj�D]�\}	}
y0�jr�t|
d	d
�r�w�|js�|j�
|
j|�

Wq�tk
�
r@
}
z*tjd|j
j|	||tj�tjk
d�
WYdd}~Xq�Xq�Wd
�_|j�r�|j�_q |jdd
��
r�tjd|j
j|�
q |jd����j�r�|j ��j �}|dk�
r�tjn|dk�
r�tj!ntj"}
tj#|
d|j
j|�
�j|jk�rF|dk�rF|�rFt$j%�|j&dk�rFt$j%�|_&x(|jj'�D]}
t(|
d��r(|
j)�
�q(W�j|jk�r�|�svt*�f
dd�|jj�D�
�
}||j+�|d�7}q ||j+��
7}q W|�r�tj,d||jj-�|jj.�|j
j�
|S)a
Check for IP address to ban.

		If tickets are not specified look in the jail queue for FailTicket. If a ticket is available,
		it executes the "ban" command and adds a ticket to the BanManager.

		Returns
		-------
		bool
			True if an IP address get banned.
		r
N)
�reasonrZbanFoundz
[%s] %sBan %srwzRestore �
norestoredFz9Failed to execute ban jail '%s' action '%s' info '%r': %s)
rdTZexpiredz[%s] Ignore %s, expired bantimerb��<z[%s] %s already banned�consistencyCheckc
3s&|]\}
}|j�jkr|
|fV
qdS)
N)
r)r/rr-)
�bTicketrrr0(s
z%Actions.__checkBan.<locals>.<genexpr>)
r2z"Banned %s / %s, %s ticket(s) in %r)/�_Actions__getFailTicketsrrZwraprHrrxr�ZaddBanTicketr
ZMainrr.rrE�noticerrr5�getattrr��resetZbanrfrgrhr_ri�bannedr�getrFrzZNOTICEZWARNINGr^rrPr�valuesr!r�r4�_Actions__reBanrjr�r�)rrTr`Z	rebanactsrbr�rIr�r�rr-rkZdiftmZllr)
r�rZ
__checkBan�
sp






















(


















zActions.__checkBanc	Cs�|p|j}|
j
�}|j|
�
}|rTtjd
|jj|t|�
dkrNdt|j	��
dnd�
x�|j
�D]~\}}y0tjd|jj||�
|js�|j
�
|j|�

Wq^tk
r�
}
z(tjd|jj|||tj�tjk
d�
dSd	}~Xq^Xq^Wd
|
_|jr�|j|
_dS)z�Repeat bans for the ticket.

		Executes the actions in order to reban the host given in the
		ticket.

		Parameters
		----------
		ticket : Ticket
			Ticket to reban
		z[%s] Reban %s%srz, action %rr
rwz[%s] action %r: reban %sz;Failed to execute reban jail '%s' action '%s' info '%r': %s)
rdNT)rrxr�rEr�rrr6rR�keysr5rjr�r�Zrebanrfrgrhr_rir�r)	rrbr2r^rIr�rr-rkrrrZ__reBan4s*





4












zActions.__reBancCs�|jj
|
�
sdSd}x�|jj�D]�\}}yJ|
jr>t|d
d�r>w |jsFw |dkrX|j|
�
}|jsf|j	�
|j
|�

Wq tk
r�
}
z*tj
d|jj|||tj�tjk
d�
WYdd}~Xq Xq WdS)Nr�Fz9Failed to execute ban jail '%s' action '%s' info '%r': %s)
rd)rZ
_inBanListrr5rr�Z_prolongabler�r�r�ZprolongrfrErgrrrhr_ri)rrbr�rr-rkrrr�_prolongBanVs&














zActions._prolongBancCsT|jj
tj�|
�}x|D]}|j|�

qWt|�
}|rPtjd
||jj�|j	j
�
|S)zKCheck for IP address to unban.

		Unban IP addresses which are outdated.
		zUnbanned %s, %s ticket(s) in %r)rZ	unBanListrrPr[r6rErjr�rr)rZmaxCountrJrbr`rrrZ__checkUnBanms







zActions.__checkUnBancs�
d
}|dkr"tj
d�

|jj�}nd}t|j�
}d}i}x�|dk	rF|n|jj�D]�\}�y<t�d�r�t�t	�sv�j
r�tjd|jj
|�
�j�r�wPWnttk
�
r
}	
zVtjd|jj
||	tj�tjk
d	�
tjd
�

t�d�r���
fdd
�}
�j|
�

wPWYdd}	~	XnXtj
d�

�||<qPW|}|
�
rR|jjdk	�
rRtj
d�

|jjj|j�

x&|D]}|j|||d�
|d7}�
qXWtj
d||jj�|jj
�
|S)z�Flush the ban list.

		Unban all IP address which are still in the banning list.

		If actions specified, don't flush list - just execute unban for 
		given actions (reload, obsolete resp. removed actions).
		TNz  Flush ban listFr
�flushz[%s] Flush ticket(s) with %sz1Failed to flush bans in jail '%s' action '%s': %s)
rdz'No flush occurred, do consistency checkr�cs$�
r t�d
d�r t
jd�

dSdS)NZactionrepair_on_unbanz,Invariant check failed. Flush is impossible.FT)r�rErgr)r-r3rr�
_beforeRepair�s




z)Actions.__flushBan.<locals>._beforeRepairz   Unban tickets each individualyz  Flush jail in database)r2r^rz!  Unbanned %s, %s ticket(s) in %r)rErjrZflushBanListr=rr5r!rQr
Zactionflushr�rrr�rfrgrhr_rirFr�rYrZr[r�)rr1r2r3r^rJr`�
unbactionsrrkr�rbr)r-r3rZ
__flushBan{sF







 



























zActions.__flushBanc
Cs�|d
kr|j}n|}|
j
�}|j|
�
}|r<tjd|jj|�
x�|j�D]�\}}y0tjd|jj||�
|j	sr|j
�
|j|�

WqFtk
r�
}	
z*tj
d|jj|||	tj�tjk
d�
WYd
d
}	~	XqFXqFWd
S)z�Unbans host corresponding to the ticket.

		Executes the actions in order to unban the host given in the
		ticket.

		Parameters
		----------
		ticket : FailTicket
			Ticket of failures of which to unban
		Nz
[%s] Unban %sz[%s] action %r: unban %sz;Failed to execute unban jail '%s' action '%s' info '%r': %s)
rd)rrxr�rEr�rrr5rjr�r�Zunbanrfrgrhr_ri)
rrbr2r^r�rIr�rr-rkrrrZ__unBan�s$














zActions.__unBan�basiccCs�d
ddg}|
dks|
|kr,tj
d|
|f�

|
d
krH|jj�}t|�
}n
|jj�}d|fd|jj�fg}|
d
kr~|d|fg
7}|
dkr�|jj�}|d	|jj|�
fd
|jj	|�
fd|jj
|�
fg7}|S)zEStatus of current and total ban counts and current banned IP list.
		Zshortr�ZcymruNz9Unsupported extended jail status flavor %r. Supported: %szCurrently bannedzTotal bannedzBanned IP listzBanned ASN listzBanned Country listzBanned RIR list)rEZwarningrrLr6r�r�ZgetBanListExtendedCymruInfoZgeBanListExtendedASNZgeBanListExtendedCountryZgeBanListExtendedRIR)rZflavorZsupported_flavorsr�r`�retZ
cymru_inforrr�status�s$



















zActions.status)NNF)
T)
F)NTF)
N)
r�)
N)NT)
N)FNF)NT)
r�)"r$r�r��__doc__r�staticmethodr'r.r(r;r<r>r?rArCrDrHrMrLrUrWr8rsrr�r�r�rSr�r�rrr7r[r�rrrrr2s:
.




:
3]


U
"

6
r)"�
__author__Z
__copyright__Z__license__r_�os�sysrP�collections.abcr�ImportError�collectionsrZ
banmanagerrrZipdnsrZ
jailthreadrr-r	r
rZmytimerZobserverr
ZutilsrZhelpersrr$rErrrrr�<module>s*