Readable strings from /usr/lib/python2.7/site-packages/fail2ban/server/action.py

Author: Cyril Jaquier and Fail2Ban Contributors
Copyright: Copyright (c) 2004 Cyril Jaquier, 2011-2012 Yaroslav Halchenko
License: GPL

Patterns

    CONDITIONAL_FAM_RE: ^(\w+)\?(family)=(.*)$
    ESCAPE_CRE: [\\#&;`|*?~<>^()\[\]{}$'"\n\r]

Address families: inet4, inet6

CallingMap

    A Mapping type which returns the result of callable values.

    `CallingMap` behaves similarly to a standard Python dictionary, with the
    exception that any values which are callable are called and the result
    is returned as the value.
    No error handling is in place, such that any errors raised in the
    callable will be raised as usual.
    The actual dictionary is stored in property `data`, and can be accessed
    to obtain the original callable values.

    Attributes
    ----------
    data : dict
        The dictionary data which can be accessed to obtain items uncalled

_executeOperation

    Executes the operation commands (like "actionstart", "actionstop", etc).

    Replaces the tags in the action command with action properties
    and executes the resulting command.

_startOnDemand

    Checks whether the action depends on family (conditional).

"actionstart" (this docstring appears on two methods)

    Executes the "actionstart" command.

    Replaces the tags in the action command with action properties
    and executes the resulting command.

"actionunban"

    Executes the "actionunban" command.

    Replaces the tags in the action command with action properties
    and ban information, and executes the resulting command.

    Parameters
    ----------
    aInfo : dict
        Dictionary which includes information in relation to
        the ban.

"actionreban"

    Executes the "actionreban" command if available, otherwise simply
    repeats "actionban".

    Replaces the tags in the action command with action properties
    and ban information, and executes the resulting command.

    Parameters
    ----------
    aInfo : dict
        Dictionary which includes information in relation to
        the ban.

flush

    Executes the "actionflush" command.

    Command executed in order to flush all bans at once (e.g. on
    stop/shutdown of the system), instead of unbanning each single ticket.

    Replaces the tags in the action command with action properties
    and executes the resulting command.

"actionstop" (this docstring appears on two methods, one of them `_stop`)

    Executes the "actionstop" command.

    Replaces the tags in the action command with action properties
    and executes the resulting command.

reload

    Executes the "actionreload" command.

    Parameters
    ----------
    kwargs : dict
        Currently unused, because CommandAction does not support initOpts

    Replaces the tags in the action command with action properties
    and executes the resulting command.

consistencyCheck

    Executes the invariant check with repair if expected (conditional).

escapeTag

    Escape characters which may be used for command injection.

    Parameters
    ----------
    value : str
        A string of which characters will be escaped.

    Returns
    -------
    str
        `value` with certain characters escaped.

    Notes
    -----
    The following characters are escaped::

        \#&;`|*?~<>^()[]{}$'"

replaceDynamicTags

    Replaces dynamic tags in `query` with property values.

    **Important**
    -------------
    Because these tags are dynamic resp. foreign (user) input:
      - values should be escaped (using "escape" as shell variable)
      - no recursive substitution (no interpolation for >)
      - don't use cache

    Parameters
    ----------
    query : str
        String with tags.
    aInfo : dict
        Tags (keys) and associated values for substitution in query.

    Returns
    -------
    str
        shell script as string or array with tags replaced (direct or as variables).

invalidateBanEpoch

    Increments the ban epoch of the jail and this action, so already banned
    tickets would cause a re-ban for all tickets with a previous epoch.

Command processing (runs the "check" command before the real command)

    Executes a command with preliminary checks and substitutions.

    Before executing any commands, executes the "check" command first
    in order to check if pre-requirements are met. If this check fails,
    it tries to restore a sane environment before executing the real
    command.

    Parameters
    ----------
    cmd : str
        The command to execute.
    aInfo : dictionary
        Dynamic properties.

    Returns
    -------
    bool
        True if the command succeeded.

Command execution

    Executes a command.

    Parameters
    ----------
    realCmd : str
        The command to execute.
    timeout : int
        The time out in seconds for the command.

    Returns
    -------
    bool
        True if the command succeeded.

    Raises
    ------
    OSError
        If command fails to be executed.
    RuntimeError
        If command execution times out.

Log and error messages

    Error %s action %s/%s: %r
    Error prolonging %(ip)s
    Error unbanning %(ip)s
    Invariant check failed. Trying to restore a sane environment
    Unable to restore environment
    Invariant check failed. Unban is impossible.
    Nothing to do