2019-10-30 15:11:16 +03:00
|
|
|
package dnsforward
|
|
|
|
|
|
|
|
import (
|
|
|
|
"encoding/json"
|
2020-03-20 14:41:13 +03:00
|
|
|
"fmt"
|
2019-10-30 15:11:16 +03:00
|
|
|
"net/http"
|
2022-10-24 16:29:44 +03:00
|
|
|
"net/netip"
|
2024-04-03 13:44:51 +03:00
|
|
|
"slices"
|
2020-03-20 14:41:13 +03:00
|
|
|
"strings"
|
2019-10-30 15:11:16 +03:00
|
|
|
|
2022-01-19 20:45:50 +03:00
|
|
|
"github.com/AdguardTeam/AdGuardHome/internal/aghalg"
|
2021-12-16 20:54:59 +03:00
|
|
|
"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
|
2024-04-03 13:44:51 +03:00
|
|
|
"github.com/AdguardTeam/golibs/container"
|
2019-10-30 15:11:16 +03:00
|
|
|
"github.com/AdguardTeam/golibs/log"
|
2021-07-29 17:40:31 +03:00
|
|
|
"github.com/AdguardTeam/golibs/stringutil"
|
2020-03-20 14:41:13 +03:00
|
|
|
"github.com/AdguardTeam/urlfilter"
|
|
|
|
"github.com/AdguardTeam/urlfilter/filterlist"
|
2023-02-27 16:48:32 +03:00
|
|
|
"github.com/AdguardTeam/urlfilter/rules"
|
2019-10-30 15:11:16 +03:00
|
|
|
)
|
|
|
|
|
2022-10-24 16:29:44 +03:00
|
|
|
// accessManager controls IP and client blocking that takes place before all
|
|
|
|
// other processing. An accessManager is safe for concurrent use.
|
|
|
|
type accessManager struct {
|
2024-04-03 13:44:51 +03:00
|
|
|
allowedIPs *container.MapSet[netip.Addr]
|
|
|
|
blockedIPs *container.MapSet[netip.Addr]
|
2019-10-30 15:11:16 +03:00
|
|
|
|
2024-04-03 13:44:51 +03:00
|
|
|
allowedClientIDs *container.MapSet[string]
|
|
|
|
blockedClientIDs *container.MapSet[string]
|
2021-04-20 16:26:19 +03:00
|
|
|
|
2023-09-05 15:13:35 +03:00
|
|
|
// TODO(s.chzhen): Use [aghnet.IgnoreEngine].
|
2021-06-29 15:53:28 +03:00
|
|
|
blockedHostsEng *urlfilter.DNSEngine
|
2019-10-30 15:11:16 +03:00
|
|
|
|
2024-04-03 13:44:51 +03:00
|
|
|
// TODO(a.garipov): Create a type for an efficient tree set of IP networks.
|
2022-10-24 16:29:44 +03:00
|
|
|
allowedNets []netip.Prefix
|
|
|
|
blockedNets []netip.Prefix
|
2021-06-29 15:53:28 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
// processAccessClients is a helper for processing a list of client strings,
|
|
|
|
// which may be an IP address, a CIDR, or a ClientID.
|
|
|
|
func processAccessClients(
|
|
|
|
clientStrs []string,
|
2024-04-03 13:44:51 +03:00
|
|
|
ips *container.MapSet[netip.Addr],
|
2022-10-24 16:29:44 +03:00
|
|
|
nets *[]netip.Prefix,
|
2024-04-03 13:44:51 +03:00
|
|
|
clientIDs *container.MapSet[string],
|
2021-06-29 15:53:28 +03:00
|
|
|
) (err error) {
|
|
|
|
for i, s := range clientStrs {
|
2022-10-24 16:29:44 +03:00
|
|
|
var ip netip.Addr
|
|
|
|
var ipnet netip.Prefix
|
|
|
|
if ip, err = netip.ParseAddr(s); err == nil {
|
2024-04-03 13:44:51 +03:00
|
|
|
ips.Add(ip)
|
2022-10-24 16:29:44 +03:00
|
|
|
} else if ipnet, err = netip.ParsePrefix(s); err == nil {
|
2021-06-29 15:53:28 +03:00
|
|
|
*nets = append(*nets, ipnet)
|
|
|
|
} else {
|
2022-10-24 16:29:44 +03:00
|
|
|
err = ValidateClientID(s)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("value %q at index %d: bad ip, cidr, or clientid", s, i)
|
2021-06-29 15:53:28 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
clientIDs.Add(s)
|
|
|
|
}
|
|
|
|
}
|
2019-10-30 15:11:16 +03:00
|
|
|
|
2021-06-29 15:53:28 +03:00
|
|
|
return nil
|
2019-10-30 15:11:16 +03:00
|
|
|
}
|
|
|
|
|
2021-06-29 15:53:28 +03:00
|
|
|
// newAccessCtx creates a new accessCtx.
|
2022-10-24 16:29:44 +03:00
|
|
|
func newAccessCtx(allowed, blocked, blockedHosts []string) (a *accessManager, err error) {
|
|
|
|
a = &accessManager{
|
2024-04-03 13:44:51 +03:00
|
|
|
allowedIPs: container.NewMapSet[netip.Addr](),
|
|
|
|
blockedIPs: container.NewMapSet[netip.Addr](),
|
2021-06-29 15:53:28 +03:00
|
|
|
|
2024-04-03 13:44:51 +03:00
|
|
|
allowedClientIDs: container.NewMapSet[string](),
|
|
|
|
blockedClientIDs: container.NewMapSet[string](),
|
2021-04-20 16:26:19 +03:00
|
|
|
}
|
|
|
|
|
2021-06-29 15:53:28 +03:00
|
|
|
err = processAccessClients(allowed, a.allowedIPs, &a.allowedNets, a.allowedClientIDs)
|
2019-10-30 15:11:16 +03:00
|
|
|
if err != nil {
|
2021-06-29 15:53:28 +03:00
|
|
|
return nil, fmt.Errorf("adding allowed: %w", err)
|
2019-10-30 15:11:16 +03:00
|
|
|
}
|
|
|
|
|
2021-06-29 15:53:28 +03:00
|
|
|
err = processAccessClients(blocked, a.blockedIPs, &a.blockedNets, a.blockedClientIDs)
|
2019-10-30 15:11:16 +03:00
|
|
|
if err != nil {
|
2021-06-29 15:53:28 +03:00
|
|
|
return nil, fmt.Errorf("adding blocked: %w", err)
|
2019-10-30 15:11:16 +03:00
|
|
|
}
|
|
|
|
|
2021-04-07 20:16:06 +03:00
|
|
|
b := &strings.Builder{}
|
2021-06-29 15:53:28 +03:00
|
|
|
for _, h := range blockedHosts {
|
2021-07-29 17:40:31 +03:00
|
|
|
stringutil.WriteToBuilder(b, strings.ToLower(h), "\n")
|
2020-03-20 14:41:13 +03:00
|
|
|
}
|
2019-10-30 15:11:16 +03:00
|
|
|
|
2021-06-29 15:53:28 +03:00
|
|
|
lists := []filterlist.RuleList{
|
|
|
|
&filterlist.StringRuleList{
|
2023-07-27 21:06:51 +03:00
|
|
|
ID: 0,
|
2021-06-29 15:53:28 +03:00
|
|
|
RulesText: b.String(),
|
|
|
|
IgnoreCosmetic: true,
|
|
|
|
},
|
2019-10-30 15:11:16 +03:00
|
|
|
}
|
2021-06-29 15:53:28 +03:00
|
|
|
|
|
|
|
rulesStrg, err := filterlist.NewRuleStorage(lists)
|
2020-03-20 14:41:13 +03:00
|
|
|
if err != nil {
|
2021-06-29 15:53:28 +03:00
|
|
|
return nil, fmt.Errorf("adding blocked hosts: %w", err)
|
2020-03-20 14:41:13 +03:00
|
|
|
}
|
2021-06-29 15:53:28 +03:00
|
|
|
|
|
|
|
a.blockedHostsEng = urlfilter.NewDNSEngine(rulesStrg)
|
2020-03-20 14:41:13 +03:00
|
|
|
|
2021-04-20 16:26:19 +03:00
|
|
|
return a, nil
|
2019-10-30 15:11:16 +03:00
|
|
|
}
|
|
|
|
|
2021-06-29 15:53:28 +03:00
|
|
|
// allowlistMode returns true if this *accessCtx is in the allowlist mode.
|
2022-10-24 16:29:44 +03:00
|
|
|
func (a *accessManager) allowlistMode() (ok bool) {
|
2024-04-03 13:44:51 +03:00
|
|
|
return a.allowedIPs.Len() != 0 || a.allowedClientIDs.Len() != 0 || len(a.allowedNets) != 0
|
2021-06-29 15:53:28 +03:00
|
|
|
}
|
2019-10-30 15:11:16 +03:00
|
|
|
|
2021-06-29 15:53:28 +03:00
|
|
|
// isBlockedClientID returns true if the ClientID should be blocked.
|
2022-10-24 16:29:44 +03:00
|
|
|
func (a *accessManager) isBlockedClientID(id string) (ok bool) {
|
2021-06-29 15:53:28 +03:00
|
|
|
allowlistMode := a.allowlistMode()
|
|
|
|
if id == "" {
|
2022-02-10 15:42:59 +03:00
|
|
|
// In allowlist mode, consider requests without ClientIDs blocked by
|
|
|
|
// default.
|
2021-06-29 15:53:28 +03:00
|
|
|
return allowlistMode
|
|
|
|
}
|
2021-04-20 16:26:19 +03:00
|
|
|
|
2021-06-29 15:53:28 +03:00
|
|
|
if allowlistMode {
|
|
|
|
return !a.allowedClientIDs.Has(id)
|
2019-10-30 15:11:16 +03:00
|
|
|
}
|
|
|
|
|
2021-06-29 15:53:28 +03:00
|
|
|
return a.blockedClientIDs.Has(id)
|
2019-10-30 15:11:16 +03:00
|
|
|
}
|
|
|
|
|
2021-06-29 15:53:28 +03:00
|
|
|
// isBlockedHost returns true if host should be blocked.
|
2023-02-27 16:48:32 +03:00
|
|
|
func (a *accessManager) isBlockedHost(host string, qt rules.RRType) (ok bool) {
|
|
|
|
_, ok = a.blockedHostsEng.MatchRequest(&urlfilter.DNSRequest{
|
|
|
|
Hostname: host,
|
|
|
|
DNSType: qt,
|
|
|
|
})
|
2021-01-20 17:27:53 +03:00
|
|
|
|
2021-06-29 15:53:28 +03:00
|
|
|
return ok
|
|
|
|
}
|
2019-10-30 15:11:16 +03:00
|
|
|
|
2021-06-29 15:53:28 +03:00
|
|
|
// isBlockedIP returns the status of the IP address blocking as well as the rule
|
|
|
|
// that blocked it.
|
2022-10-24 16:29:44 +03:00
|
|
|
func (a *accessManager) isBlockedIP(ip netip.Addr) (blocked bool, rule string) {
|
2021-06-29 15:53:28 +03:00
|
|
|
blocked = true
|
|
|
|
ips := a.blockedIPs
|
|
|
|
ipnets := a.blockedNets
|
2019-10-30 15:11:16 +03:00
|
|
|
|
2021-06-29 15:53:28 +03:00
|
|
|
if a.allowlistMode() {
|
|
|
|
// Enable allowlist mode and use the allowlist sets.
|
|
|
|
blocked = false
|
|
|
|
ips = a.allowedIPs
|
|
|
|
ipnets = a.allowedNets
|
2019-10-30 15:11:16 +03:00
|
|
|
}
|
|
|
|
|
2024-04-03 13:44:51 +03:00
|
|
|
if ips.Has(ip) {
|
2021-06-29 15:53:28 +03:00
|
|
|
return blocked, ip.String()
|
2019-10-30 15:11:16 +03:00
|
|
|
}
|
|
|
|
|
2021-06-29 15:53:28 +03:00
|
|
|
for _, ipnet := range ipnets {
|
2024-04-16 17:33:34 +03:00
|
|
|
// Remove zone before checking because prefixes stip zones.
|
|
|
|
//
|
|
|
|
// TODO(d.kolyshev): Cover with tests.
|
|
|
|
if ipnet.Contains(ip.WithZone("")) {
|
2021-06-29 15:53:28 +03:00
|
|
|
return blocked, ipnet.String()
|
2019-10-30 15:11:16 +03:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-06-29 15:53:28 +03:00
|
|
|
return !blocked, ""
|
2019-10-30 15:11:16 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
type accessListJSON struct {
|
|
|
|
AllowedClients []string `json:"allowed_clients"`
|
|
|
|
DisallowedClients []string `json:"disallowed_clients"`
|
|
|
|
BlockedHosts []string `json:"blocked_hosts"`
|
|
|
|
}
|
|
|
|
|
2021-05-26 17:55:19 +03:00
|
|
|
func (s *Server) accessListJSON() (j accessListJSON) {
|
|
|
|
s.serverLock.RLock()
|
|
|
|
defer s.serverLock.RUnlock()
|
|
|
|
|
|
|
|
return accessListJSON{
|
2024-04-03 13:44:51 +03:00
|
|
|
AllowedClients: slices.Clone(s.conf.AllowedClients),
|
|
|
|
DisallowedClients: slices.Clone(s.conf.DisallowedClients),
|
|
|
|
BlockedHosts: slices.Clone(s.conf.BlockedHosts),
|
2019-10-30 15:11:16 +03:00
|
|
|
}
|
2021-05-26 17:55:19 +03:00
|
|
|
}
|
|
|
|
|
2023-10-27 20:18:29 +03:00
|
|
|
// handleAccessList handles requests to the GET /control/access/list endpoint.
|
2021-05-26 17:55:19 +03:00
|
|
|
func (s *Server) handleAccessList(w http.ResponseWriter, r *http.Request) {
|
2023-08-29 20:03:40 +03:00
|
|
|
aghhttp.WriteJSONResponseOK(w, r, s.accessListJSON())
|
2019-10-30 15:11:16 +03:00
|
|
|
}
|
|
|
|
|
2021-09-10 17:57:09 +03:00
|
|
|
// validateAccessSet checks the internal accessListJSON lists. To search for
|
|
|
|
// duplicates, we cannot compare the new stringutil.Set and []string, because
|
|
|
|
// creating a set for a large array can be an unnecessary algorithmic complexity
|
2021-12-28 17:00:52 +03:00
|
|
|
func validateAccessSet(list *accessListJSON) (err error) {
|
|
|
|
allowed, err := validateStrUniq(list.AllowedClients)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("validating allowed clients: %w", err)
|
2021-09-10 17:57:09 +03:00
|
|
|
}
|
|
|
|
|
2021-12-28 17:00:52 +03:00
|
|
|
disallowed, err := validateStrUniq(list.DisallowedClients)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("validating disallowed clients: %w", err)
|
2021-09-10 17:57:09 +03:00
|
|
|
}
|
|
|
|
|
2021-12-28 17:00:52 +03:00
|
|
|
_, err = validateStrUniq(list.BlockedHosts)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("validating blocked hosts: %w", err)
|
2021-09-10 17:57:09 +03:00
|
|
|
}
|
|
|
|
|
2021-12-28 17:00:52 +03:00
|
|
|
merged := allowed.Merge(disallowed)
|
2022-08-03 14:36:18 +03:00
|
|
|
err = merged.Validate()
|
2021-12-28 17:00:52 +03:00
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("items in allowed and disallowed clients intersect: %w", err)
|
2021-09-10 17:57:09 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2021-12-28 17:00:52 +03:00
|
|
|
// validateStrUniq returns an informative error if clients are not unique.
|
2022-08-03 14:36:18 +03:00
|
|
|
func validateStrUniq(clients []string) (uc aghalg.UniqChecker[string], err error) {
|
|
|
|
uc = make(aghalg.UniqChecker[string], len(clients))
|
2021-12-28 17:00:52 +03:00
|
|
|
for _, c := range clients {
|
2022-01-19 20:45:50 +03:00
|
|
|
uc.Add(c)
|
2021-12-28 17:00:52 +03:00
|
|
|
}
|
|
|
|
|
2022-08-03 14:36:18 +03:00
|
|
|
return uc, uc.Validate()
|
2021-12-28 17:00:52 +03:00
|
|
|
}
|
|
|
|
|
2023-10-27 20:18:29 +03:00
|
|
|
// handleAccessSet handles requests to the POST /control/access/set endpoint.
|
2019-10-30 15:11:16 +03:00
|
|
|
func (s *Server) handleAccessSet(w http.ResponseWriter, r *http.Request) {
|
2021-12-28 17:00:52 +03:00
|
|
|
list := &accessListJSON{}
|
2021-06-29 15:53:28 +03:00
|
|
|
err := json.NewDecoder(r.Body).Decode(&list)
|
2019-10-30 15:11:16 +03:00
|
|
|
if err != nil {
|
2021-12-16 20:54:59 +03:00
|
|
|
aghhttp.Error(r, w, http.StatusBadRequest, "decoding request: %s", err)
|
2019-10-30 15:11:16 +03:00
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2021-09-10 17:57:09 +03:00
|
|
|
err = validateAccessSet(list)
|
|
|
|
if err != nil {
|
2021-12-16 20:54:59 +03:00
|
|
|
aghhttp.Error(r, w, http.StatusBadRequest, err.Error())
|
2021-09-10 17:57:09 +03:00
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-10-24 16:29:44 +03:00
|
|
|
var a *accessManager
|
2021-06-29 15:53:28 +03:00
|
|
|
a, err = newAccessCtx(list.AllowedClients, list.DisallowedClients, list.BlockedHosts)
|
2019-10-30 15:11:16 +03:00
|
|
|
if err != nil {
|
2021-12-16 20:54:59 +03:00
|
|
|
aghhttp.Error(r, w, http.StatusBadRequest, "creating access ctx: %s", err)
|
2021-04-20 16:26:19 +03:00
|
|
|
|
2019-10-30 15:11:16 +03:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2021-06-29 15:53:28 +03:00
|
|
|
defer log.Debug(
|
|
|
|
"access: updated lists: %d, %d, %d",
|
|
|
|
len(list.AllowedClients),
|
|
|
|
len(list.DisallowedClients),
|
|
|
|
len(list.BlockedHosts),
|
|
|
|
)
|
2021-05-26 17:55:19 +03:00
|
|
|
|
|
|
|
defer s.conf.ConfigModified()
|
|
|
|
|
|
|
|
s.serverLock.Lock()
|
|
|
|
defer s.serverLock.Unlock()
|
|
|
|
|
2021-06-29 15:53:28 +03:00
|
|
|
s.conf.AllowedClients = list.AllowedClients
|
|
|
|
s.conf.DisallowedClients = list.DisallowedClients
|
|
|
|
s.conf.BlockedHosts = list.BlockedHosts
|
2019-10-30 15:11:16 +03:00
|
|
|
s.access = a
|
|
|
|
}
|