mirrors/AdGuardHome
1
0
Fork 0
mirror of https://github.com/AdguardTeam/AdGuardHome.git synced 2025-04-18 15:21:04 +03:00
Code Issues Projects Releases Packages Wiki Activity

Pull request 2353: AGDNS-2688-check-host

Browse source 
Merge in DNS/adguard-home from AGDNS-2688-check-host to master

Squashed commit of the following:

commit bd9ed498b0e36fa044e6921fa946062ac40fe616
Merge: 8dffd94a3 c41af2763
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date:   Fri Mar 14 13:42:34 2025 +0300

    Merge branch 'master' into AGDNS-2688-check-host

commit 8dffd94a3b
Author: Stanislav Chzhen <s.chzhen@adguard.com>
Date:   Wed Mar 12 17:12:56 2025 +0300

    filtering: imp code

commit d9a01c8fa6
Author: Stanislav Chzhen <s.chzhen@adguard.com>
Date:   Tue Mar 11 20:33:18 2025 +0300

    all: imp code

commit f1aca5f2eb
Author: Ildar Kamalov <ik@adguard.com>
Date:   Tue Mar 11 16:05:32 2025 +0300

    ADG-9783 update check form

commit a8ebb0401d
Author: Stanislav Chzhen <s.chzhen@adguard.com>
Date:   Mon Mar 10 16:41:55 2025 +0300

    dnsforward: imp docs

commit 36f5db9075
Merge: 9a746ee9a 66fba942c
Author: Stanislav Chzhen <s.chzhen@adguard.com>
Date:   Mon Mar 10 16:09:22 2025 +0300

    Merge branch 'master' into AGDNS-2688-check-host

commit 9a746ee9a0
Author: Stanislav Chzhen <s.chzhen@adguard.com>
Date:   Mon Mar 10 16:06:48 2025 +0300

    all: imp docs

commit 0a25e1e8f3
Author: Stanislav Chzhen <s.chzhen@adguard.com>
Date:   Thu Mar 6 21:48:44 2025 +0300

    all: imp code

commit ec618bc484
Author: Stanislav Chzhen <s.chzhen@adguard.com>
Date:   Thu Mar 6 17:38:35 2025 +0300

    all: imp code

commit 979c5cfd4c
Author: Stanislav Chzhen <s.chzhen@adguard.com>
Date:   Wed Mar 5 21:22:54 2025 +0300

    all: add tests

commit ce0d6117ad
Author: Stanislav Chzhen <s.chzhen@adguard.com>
Date:   Tue Mar 4 15:13:06 2025 +0300

    all: check host
This commit is contained in:
Stanislav Chzhen 2025-03-14 13:51:45 +03:00 committed by Eugene Burkov
parent c41af2763f
commit 1a3853d52a
21 changed files with 467 additions and 300 deletions

5
CHANGELOG.md
View file

@ -22,6 +22,11 @@ NOTE: Add new changes BELOW THIS COMMENT.
- Go version has been updated to prevent the possibility of exploiting the Go vulnerabilities fixed in [1.24.1][go-1.24.1].
### Added
- The ability to check filtering rules for host names using an optional query type and optional ClientID or client IP address.
- Optional `client` and `qtype` URL query parameters to the `GET /control/check_host` HTTP API.
### Fixed
- Clearing the DNS cache on the *DNS settings* page now includes both global cache and custom client cache.

4
client/src/__locales/en.json
View file

@ -620,6 +620,10 @@
"check_cname": "CNAME: {{cname}}",
"check_reason": "Reason: {{reason}}",
"check_service": "Service name: {{service}}",
"check_hostname": "Hostname or domain name",
"check_client_id": "Client identifier (ClientID or IP address)",
"check_enter_client_id": "Enter client identifier",
"check_dns_record": "Select DNS record type",
"service_name": "Service name",
"check_not_found": "Not found in your filter lists",
"client_confirm_block": "Are you sure you want to block the client \"{{ip}}\"?",

70
client/src/components/Filters/Check/index.tsx
View file

@ -9,13 +9,17 @@ import Info from './Info';
import { RootState } from '../../../initialState';
import { validateRequiredValue } from '../../../helpers/validators';
import { Input } from '../../ui/Controls/Input';
import { DNS_RECORD_TYPES } from '../../../helpers/constants';
import { Select } from '../../ui/Controls/Select';
interface FormValues {
export type FilteringCheckFormValues = {
name: string;
client?: string;
qtype?: string;
}
type Props = {
onSubmit?: (data: FormValues) => void;
onSubmit?: (data: FilteringCheckFormValues) => void;
};
const Check = ({ onSubmit }: Props) => {
@ -27,11 +31,13 @@ const Check = ({ onSubmit }: Props) => {
const {
control,
handleSubmit,
formState: { isDirty, isValid },
} = useForm<FormValues>({
formState: { isValid },
} = useForm<FilteringCheckFormValues>({
mode: 'onBlur',
defaultValues: {
name: '',
client: '',
qtype: DNS_RECORD_TYPES[0],
},
});
@ -48,24 +54,56 @@ const Check = ({ onSubmit }: Props) => {
<Input
{...field}
type="text"
label={t('check_hostname')}
data-testid="check_domain_name"
placeholder={t('form_enter_host')}
placeholder="example.com"
error={fieldState.error?.message}
rightAddon={
<span className="input-group-append">
<button
className="btn btn-success btn-standard btn-large"
type="submit"
data-testid="check_domain_submit"
disabled={!isDirty || !isValid || processingCheck}>
{t('check')}
</button>
</span>
}
/>
)}
/>
<Controller
name="client"
control={control}
render={({ field, fieldState }) => (
<Input
{...field}
type="text"
data-testid="check_client_id"
label={t('check_client_id')}
placeholder={t('check_enter_client_id')}
error={fieldState.error?.message}
/>
)}
/>
<Controller
name="qtype"
control={control}
render={({ field }) => (
<Select
{...field}
label={t('check_dns_record')}
data-testid="check_dns_record_type"
>
{DNS_RECORD_TYPES.map((type) => (
<option key={type} value={type}>
{type}
</option>
))}
</Select>
)}
/>
<button
className="btn btn-success btn-standard btn-large"
type="submit"
data-testid="check_domain_submit"
disabled={!isValid || processingCheck}
>
{t('check')}
</button>
{hostname && (
<>
<hr />

16
client/src/components/Filters/CustomRules.tsx
View file

@ -7,7 +7,7 @@ import PageTitle from '../ui/PageTitle';
import Examples from './Examples';
import Check from './Check';
import Check, { FilteringCheckFormValues } from './Check';
import { getTextareaCommentsHighlight, syncScroll } from '../../helpers/highlightTextareaComments';
import { COMMENT_LINE_DEFAULT_TOKEN } from '../../helpers/constants';
@ -48,8 +48,18 @@ class CustomRules extends Component<CustomRulesProps> {
this.props.setRules(this.props.filtering.userRules);
};
handleCheck = (values: any) => {
this.props.checkHost(values);
handleCheck = (values: FilteringCheckFormValues) => {
const params: FilteringCheckFormValues = { name: values.name };
if (values.client) {
params.client = values.client;
}
if (values.qtype) {
params.qtype = values.qtype;
}
this.props.checkHost(params);
};
onScroll = (e: any) => syncScroll(e, this.ref);

9
client/src/helpers/constants.ts
View file

@ -523,3 +523,12 @@ export const TIME_UNITS = {
HOURS: 'hours',
DAYS: 'days',
};
export const DNS_RECORD_TYPES = [
"A", "AAAA", "AFSDB", "APL", "CAA", "CDNSKEY", "CDS", "CERT", "CNAME",
"CSYNC", "DHCID", "DLV", "DNAME", "DNSKEY", "DS", "EUI48", "EUI64",
"HINFO", "HIP", "HTTPS", "IPSECKEY", "KEY", "KX", "LOC", "MX", "NAPTR",
"NS", "NSEC", "NSEC3", "NSEC3PARAM", "OPENPGPKEY", "PTR", "RP", "RRSIG",
"SIG", "SMIMEA", "SOA", "SRV", "SSHFP", "SVCB", "TA", "TKEY",
"TLSA", "TSIG", "TXT", "URI", "ZONEMD"
];

36
internal/client/storage.go
View file

@ -12,6 +12,7 @@ import (
"github.com/AdguardTeam/AdGuardHome/internal/arpdb"
"github.com/AdguardTeam/AdGuardHome/internal/dhcpsvc"
"github.com/AdguardTeam/AdGuardHome/internal/filtering"
"github.com/AdguardTeam/AdGuardHome/internal/whois"
"github.com/AdguardTeam/dnsproxy/proxy"
"github.com/AdguardTeam/golibs/errors"
@ -671,3 +672,38 @@ func (s *Storage) ClearUpstreamCache() {
s.upstreamManager.clearUpstreamCache()
}
// ApplyClientFiltering retrieves persistent client information using the
// ClientID or client IP address, and applies it to the filtering settings.
func (s *Storage) ApplyClientFiltering(id string, addr netip.Addr, setts *filtering.Settings) {
c, ok := s.index.findByClientID(id)
if !ok {
c, ok = s.index.findByIP(addr)
}
if !ok {
s.logger.Debug("no client filtering settings found", "clientid", id, "addr", addr)
return
}
s.logger.Debug("applying custom client filtering settings", "client_name", c.Name)
setts.ClientIP = addr
if c.UseOwnBlockedServices {
setts.BlockedServices = c.BlockedServices.Clone()
}
setts.ClientName = c.Name
setts.ClientTags = slices.Clone(c.Tags)
if !c.UseOwnSettings {
return
}
setts.FilteringEnabled = c.FilteringEnabled
setts.SafeSearchEnabled = c.SafeSearchConf.Enabled
setts.ClientSafeSearch = c.SafeSearch
setts.SafeBrowsingEnabled = c.SafeBrowsingEnabled
setts.ParentalEnabled = c.ParentalEnabled
}

4
internal/dnsforward/config.go
View file

@ -16,7 +16,6 @@ import (
"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
"github.com/AdguardTeam/AdGuardHome/internal/aghtls"
"github.com/AdguardTeam/AdGuardHome/internal/client"
"github.com/AdguardTeam/AdGuardHome/internal/filtering"
"github.com/AdguardTeam/dnsproxy/proxy"
"github.com/AdguardTeam/dnsproxy/upstream"
"github.com/AdguardTeam/golibs/container"
@ -34,9 +33,6 @@ import (
type Config struct {
// Callbacks for other modules
// FilterHandler is an optional additional filtering callback.
FilterHandler func(cliAddr netip.Addr, clientID string, settings *filtering.Settings) `yaml:"-"`
// ClientsContainer stores the information about special handling of some
// DNS clients.
ClientsContainer ClientsContainer `yaml:"-"`

49
internal/dnsforward/dnsforward_internal_test.go
View file

@ -27,6 +27,7 @@ import (
"github.com/AdguardTeam/AdGuardHome/internal/filtering"
"github.com/AdguardTeam/AdGuardHome/internal/filtering/hashprefix"
"github.com/AdguardTeam/AdGuardHome/internal/filtering/safesearch"
"github.com/AdguardTeam/AdGuardHome/internal/schedule"
"github.com/AdguardTeam/dnsproxy/proxy"
"github.com/AdguardTeam/dnsproxy/upstream"
"github.com/AdguardTeam/golibs/logutil/slogutil"
@ -106,6 +107,21 @@ func startDeferStop(t *testing.T, s *Server) {
testutil.CleanupAndRequireSuccess(t, s.Stop)
}
// applyEmptyClientFiltering is a helper function for tests with
// [filtering.Config] that does nothing.
func applyEmptyClientFiltering(_ string, _ netip.Addr, _ *filtering.Settings) {}
// emptyFilteringBlockedServices is a helper function that returns an empty
// filtering blocked services for tests.
func emptyFilteringBlockedServices() (bsvc *filtering.BlockedServices) {
return &filtering.BlockedServices{
Schedule: schedule.EmptyWeekly(),
}
}
// createTestServer is a helper function that returns a properly initialized
// *Server for use in tests, given the provided parameters. It also populates
// the filtering configuration with default parameters.
func createTestServer(
t *testing.T,
filterConf *filtering.Config,
@ -123,6 +139,12 @@ func createTestServer(
Data: []byte(rules),
}}
filterConf.BlockedServices = cmp.Or(filterConf.BlockedServices, emptyFilteringBlockedServices())
if filterConf.ApplyClientFiltering == nil {
filterConf.ApplyClientFiltering = applyEmptyClientFiltering
}
f, err := filtering.New(filterConf, filters)
require.NoError(t, err)
@ -926,9 +948,6 @@ func TestClientRulesForCNAMEMatching(t *testing.T) {
UDPListenAddrs: []*net.UDPAddr{{}},
TCPListenAddrs: []*net.TCPAddr{{}},
Config: Config{
FilterHandler: func(_ netip.Addr, _ string, settings *filtering.Settings) {
settings.FilteringEnabled = false
},
UpstreamMode: UpstreamModeLoadBalance,
EDNSClientSubnet: &EDNSClientSubnet{
Enabled: false,
@ -1020,10 +1039,12 @@ func TestBlockedCustomIP(t *testing.T) {
}}
f, err := filtering.New(&filtering.Config{
ProtectionEnabled: true,
BlockingMode: filtering.BlockingModeCustomIP,
BlockingIPv4: netip.Addr{},
BlockingIPv6: netip.Addr{},
ProtectionEnabled: true,
ApplyClientFiltering: applyEmptyClientFiltering,
BlockedServices: emptyFilteringBlockedServices(),
BlockingMode: filtering.BlockingModeCustomIP,
BlockingIPv4: netip.Addr{},
BlockingIPv6: netip.Addr{},
}, filters)
require.NoError(t, err)
@ -1176,7 +1197,9 @@ func TestBlockedBySafeBrowsing(t *testing.T) {
func TestRewrite(t *testing.T) {
c := &filtering.Config{
BlockingMode: filtering.BlockingModeDefault,
ApplyClientFiltering: applyEmptyClientFiltering,
BlockedServices: emptyFilteringBlockedServices(),
BlockingMode: filtering.BlockingModeDefault,
Rewrites: []*filtering.LegacyRewrite{{
Domain: "test.com",
Answer: "1.2.3.4",
@ -1322,7 +1345,9 @@ func TestPTRResponseFromDHCPLeases(t *testing.T) {
const localDomain = "lan"
flt, err := filtering.New(&filtering.Config{
BlockingMode: filtering.BlockingModeDefault,
ApplyClientFiltering: applyEmptyClientFiltering,
BlockedServices: emptyFilteringBlockedServices(),
BlockingMode: filtering.BlockingModeDefault,
}, nil)
require.NoError(t, err)
@ -1411,8 +1436,10 @@ func TestPTRResponseFromHosts(t *testing.T) {
})
flt, err := filtering.New(&filtering.Config{
BlockingMode: filtering.BlockingModeDefault,
EtcHosts: hc,
ApplyClientFiltering: applyEmptyClientFiltering,
BlockedServices: emptyFilteringBlockedServices(),
BlockingMode: filtering.BlockingModeDefault,
EtcHosts: hc,
}, nil)
require.NoError(t, err)

4
internal/dnsforward/filter.go
View file

@ -17,9 +17,7 @@ import (
func (s *Server) clientRequestFilteringSettings(dctx *dnsContext) (setts *filtering.Settings) {
setts = s.dnsFilter.Settings()
setts.ProtectionEnabled = dctx.protectionEnabled
if s.conf.FilterHandler != nil {
s.conf.FilterHandler(dctx.proxyCtx.Addr.Addr(), dctx.clientID, setts)
}
s.dnsFilter.ApplyAdditionalFiltering(dctx.proxyCtx.Addr.Addr(), dctx.clientID, setts)
return setts
}

6
internal/dnsforward/filter_internal_test.go
View file

@ -45,8 +45,10 @@ func TestHandleDNSRequest_handleDNSRequest(t *testing.T) {
}}
f, err := filtering.New(&filtering.Config{
ProtectionEnabled: true,
BlockingMode: filtering.BlockingModeDefault,
ProtectionEnabled: true,
ApplyClientFiltering: applyEmptyClientFiltering,
BlockedServices: emptyFilteringBlockedServices(),
BlockingMode: filtering.BlockingModeDefault,
}, filters)
require.NoError(t, err)
f.SetEnabled(true)

3
internal/filtering/blocked.go
View file

@ -49,6 +49,9 @@ func initBlockedServices() {
}
// BlockedServices is the configuration of blocked services.
//
// TODO(s.chzhen): Move to a higher-level package to allow importing the client
// package into the filtering package.
type BlockedServices struct {
// Schedule is blocked services schedule for every day of the week.
Schedule *schedule.Weekly `json:"schedule" yaml:"schedule"`

17
internal/filtering/filter.go
View file

@ -4,6 +4,7 @@ import (
"fmt"
"io"
"net/http"
"net/netip"
"os"
"path/filepath"
"slices"
@ -629,3 +630,19 @@ func (d *DNSFilter) enableFiltersLocked(async bool) {
d.SetEnabled(d.conf.FilteringEnabled)
}
// ApplyAdditionalFiltering enhances the provided filtering settings with
// blocked services and client-specific configurations.
func (d *DNSFilter) ApplyAdditionalFiltering(cliAddr netip.Addr, clientID string, setts *Settings) {
d.ApplyBlockedServices(setts)
d.applyClientFiltering(clientID, cliAddr, setts)
if setts.BlockedServices != nil {
// TODO(e.burkov): Get rid of this crutch.
setts.ServicesRules = nil
svcs := setts.BlockedServices.IDs
if !setts.BlockedServices.Schedule.Contains(time.Now()) {
d.ApplyBlockedServicesList(setts, svcs)
}
}
}

19
internal/filtering/filtering.go
View file

@ -40,6 +40,8 @@ type ServiceEntry struct {
}
// Settings are custom filtering settings for a client.
//
// TODO(s.chzhen): Move to the client package.
type Settings struct {
ClientName string
ClientIP netip.Addr
@ -47,6 +49,10 @@ type Settings struct {
ServicesRules []ServiceEntry
// BlockedServices is the configuration of blocked services of a client. It
// is nil if the client does not have any blocked services.
BlockedServices *BlockedServices
ProtectionEnabled bool
FilteringEnabled bool
SafeSearchEnabled bool
@ -78,6 +84,11 @@ type Config struct {
SafeSearch SafeSearch `yaml:"-"`
// ApplyClientFiltering retrieves persistent client information using the
// ClientID or client IP address, and applies it to the filtering settings.
// It must not be nil.
ApplyClientFiltering func(clientID string, cliAddr netip.Addr, setts *Settings) `yaml:"-"`
// BlockedServices is the configuration of blocked services.
// Per-client settings can override this configuration.
BlockedServices *BlockedServices `yaml:"blocked_services"`
@ -244,6 +255,13 @@ type DNSFilter struct {
// parentalControl is the parental control hash-prefix checker.
parentalControlChecker Checker
// applyClientFiltering retrieves persistent client information using the
// ClientID or client IP address, and applies it to the filtering settings.
//
// TODO(s.chzhen): Consider finding a better approach while taking an
// import cycle into account.
applyClientFiltering func(clientID string, cliAddr netip.Addr, setts *Settings)
engineLock sync.RWMutex
// confMu protects conf.
@ -998,6 +1016,7 @@ func New(c *Config, blockFilters []Filter) (d *DNSFilter, err error) {
refreshLock: &sync.Mutex{},
safeBrowsingChecker: c.SafeBrowsingChecker,
parentalControlChecker: c.ParentalControlChecker,
applyClientFiltering: c.ApplyClientFiltering,
confMu: &sync.RWMutex{},
}

73
internal/filtering/http.go
View file

@ -9,6 +9,8 @@ import (
"os"
"path/filepath"
"slices"
"strconv"
"strings"
"sync"
"time"
@ -420,15 +422,53 @@ type checkHostResp struct {
FilterID rulelist.URLFilterID `json:"filter_id"`
}
// handleCheckHost is the handler for the GET /control/filtering/check_host HTTP
// API.
func (d *DNSFilter) handleCheckHost(w http.ResponseWriter, r *http.Request) {
host := r.URL.Query().Get("name")
query := r.URL.Query()
host := query.Get("name")
if host == "" {
aghhttp.Error(
r,
w,
http.StatusBadRequest,
`query parameter "name" is required`,
)
return
}
cli := query.Get("client")
qTypeStr := query.Get("qtype")
qType, err := stringToDNSType(qTypeStr)
if err != nil {
aghhttp.Error(
r,
w,
http.StatusUnprocessableEntity,
"bad qtype query parameter: %q",
qTypeStr,
)
return
}
setts := d.Settings()
setts.FilteringEnabled = true
setts.ProtectionEnabled = true
d.ApplyBlockedServices(setts)
result, err := d.CheckHost(host, dns.TypeA, setts)
addr, err := netip.ParseAddr(cli)
if err == nil {
setts.ClientIP = addr
d.ApplyAdditionalFiltering(addr, "", setts)
} else if cli != "" {
// TODO(s.chzhen): Set [Settings.ClientName] once urlfilter supports
// multiple client names. This will handle the case when a rule exists
// but the persistent client does not.
d.ApplyAdditionalFiltering(netip.Addr{}, cli, setts)
}
result, err := d.CheckHost(host, qType, setts)
if err != nil {
aghhttp.Error(
r,
@ -466,6 +506,33 @@ func (d *DNSFilter) handleCheckHost(w http.ResponseWriter, r *http.Request) {
aghhttp.WriteJSONResponseOK(w, r, resp)
}
// stringToDNSType is a helper function that converts a string to DNS type. If
// the string is empty, it returns the default value [dns.TypeA].
func stringToDNSType(str string) (qtype uint16, err error) {
if str == "" {
return dns.TypeA, nil
}
qtype, ok := dns.StringToType[str]
if ok {
return qtype, nil
}
// typePref is a prefix for DNS types from experimental RFCs.
const typePref = "TYPE"
if !strings.HasPrefix(str, typePref) {
return 0, errors.ErrBadEnumValue
}
val, err := strconv.ParseUint(str[len(typePref):], 10, 16)
if err != nil {
return 0, errors.ErrBadEnumValue
}
return uint16(val), nil
}
// setProtectedBool sets the value of a boolean pointer under a lock. l must
// protect the value under ptr.
//

169
internal/filtering/http_internal_test.go
View file

@ -3,11 +3,15 @@ package filtering
import (
"bytes"
"encoding/json"
"fmt"
"net/http"
"net/http/httptest"
"net/netip"
"strings"
"testing"
"time"
"github.com/AdguardTeam/AdGuardHome/internal/schedule"
"github.com/AdguardTeam/golibs/testutil"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
@ -305,3 +309,168 @@ func TestDNSFilter_handleParentalStatus(t *testing.T) {
})
}
}
func TestDNSFilter_HandleCheckHost(t *testing.T) {
const (
cliName = "client_name"
cliID = "client_id"
notFilteredHost = "not.filterd.example"
allowedHost = "allowed.example"
blockedHost = "blocked.example"
cliHost = "client.example"
qTypeHost = "qtype.example"
cliQTypeHost = "cli.qtype.example"
target = "/control/check_host"
hostFmt = target + "?name=%s"
hostCliFmt = hostFmt + "&client=%s"
hostQTypeFmt = hostFmt + "&qtype=%s"
hostCliQTypeFmt = hostCliFmt + "&qtype=%s"
allowedRuleFmt = "@@||%s^"
blockedRuleFmt = "||%s^"
blockedRuleCliFmt = blockedRuleFmt + "$client=%s"
blockedRuleQTypeFmt = blockedRuleFmt + "$dnstype=%s"
blockedRuleCliQTypeFmt = blockedRuleCliFmt + ",dnstype=%s"
)
var (
allowedRule = fmt.Sprintf(allowedRuleFmt, allowedHost)
blockedRule = fmt.Sprintf(blockedRuleFmt, blockedHost)
blockedClientRule = fmt.Sprintf(blockedRuleCliFmt, cliHost, cliName)
blockedQTypeRule = fmt.Sprintf(blockedRuleQTypeFmt, qTypeHost, "CNAME")
blockedClientQTypeRule = fmt.Sprintf(blockedRuleCliQTypeFmt, cliQTypeHost, cliName, "CNAME")
notFilteredURL = fmt.Sprintf(hostFmt, notFilteredHost)
allowedURL = fmt.Sprintf(hostFmt, allowedHost)
blockedURL = fmt.Sprintf(hostFmt, blockedHost)
blockedClientURL = fmt.Sprintf(hostCliFmt, cliHost, cliID)
allowedQTypeURL = fmt.Sprintf(hostQTypeFmt, qTypeHost, "AAAA")
blockedQTypeURL = fmt.Sprintf(hostQTypeFmt, qTypeHost, "CNAME")
allowedClientQTypeURL = fmt.Sprintf(hostCliQTypeFmt, cliQTypeHost, cliID, "AAAA")
blockedClientQTypeURL = fmt.Sprintf(hostCliQTypeFmt, cliQTypeHost, cliID, "CNAME")
)
rules := []string{
allowedRule,
blockedRule,
blockedClientRule,
blockedQTypeRule,
blockedClientQTypeRule,
}
rulesData := strings.Join(rules, "\n")
filters := []Filter{{
ID: 0, Data: []byte(rulesData),
}}
clientNames := map[string]string{
cliID: cliName,
}
dnsFilter, err := New(&Config{
BlockedServices: &BlockedServices{
Schedule: schedule.EmptyWeekly(),
},
ApplyClientFiltering: func(clientID string, cliAddr netip.Addr, setts *Settings) {
setts.ClientName = clientNames[clientID]
},
}, filters)
require.NoError(t, err)
testCases := []struct {
name string
url string
want *checkHostResp
}{{
name: "not_filtered",
url: notFilteredURL,
want: &checkHostResp{
Reason: reasonNames[NotFilteredNotFound],
Rule: "",
Rules: []*checkHostRespRule{},
},
}, {
name: "allowed",
url: allowedURL,
want: &checkHostResp{
Reason: reasonNames[NotFilteredAllowList],
Rule: allowedRule,
Rules: []*checkHostRespRule{{
Text: allowedRule,
}},
},
}, {
name: "blocked",
url: blockedURL,
want: &checkHostResp{
Reason: reasonNames[FilteredBlockList],
Rule: blockedRule,
Rules: []*checkHostRespRule{{
Text: blockedRule,
}},
},
}, {
name: "blocked_client",
url: blockedClientURL,
want: &checkHostResp{
Reason: reasonNames[FilteredBlockList],
Rule: blockedClientRule,
Rules: []*checkHostRespRule{{
Text: blockedClientRule,
}},
},
}, {
name: "allowed_qtype",
url: allowedQTypeURL,
want: &checkHostResp{
Reason: reasonNames[NotFilteredNotFound],
Rule: "",
Rules: []*checkHostRespRule{},
},
}, {
name: "blocked_qtype",
url: blockedQTypeURL,
want: &checkHostResp{
Reason: reasonNames[FilteredBlockList],
Rule: blockedQTypeRule,
Rules: []*checkHostRespRule{{
Text: blockedQTypeRule,
}},
},
}, {
name: "blocked_client_qtype",
url: blockedClientQTypeURL,
want: &checkHostResp{
Reason: reasonNames[FilteredBlockList],
Rule: blockedClientQTypeRule,
Rules: []*checkHostRespRule{{
Text: blockedClientQTypeRule,
}},
},
}, {
name: "allowed_client_qtype",
url: allowedClientQTypeURL,
want: &checkHostResp{
Reason: reasonNames[NotFilteredNotFound],
Rule: "",
Rules: []*checkHostRespRule{},
},
}}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
r := httptest.NewRequest(http.MethodGet, tc.url, nil)
w := httptest.NewRecorder()
dnsFilter.handleCheckHost(w, r)
res := &checkHostResp{}
err = json.NewDecoder(w.Body).Decode(res)
require.NoError(t, err)
assert.Equal(t, tc.want, res)
})
}
}

3
internal/filtering/safesearch.go
View file

@ -3,6 +3,9 @@ package filtering
import "context"
// SafeSearch interface describes a service for search engines hosts rewrites.
//
// TODO(s.chzhen): Move to a higher-level package to allow importing the client
// package into the filtering package.
type SafeSearch interface {
// CheckHost checks host with safe search filter. CheckHost must be safe
// for concurrent use. qtype must be either [dns.TypeA] or [dns.TypeAAAA].

2
internal/home/clients.go
View file

@ -121,6 +121,8 @@ func (clients *clientsContainer) Init(
sigHdlr.addClientStorage(clients.storage)
filteringConf.ApplyClientFiltering = clients.storage.ApplyClientFiltering
return nil
}

52
internal/home/dns.go
View file

@ -247,7 +247,6 @@ func newServerConfig(
hosts := aghalg.CoalesceSlice(dnsConf.BindHosts, []netip.Addr{netutil.IPv4Localhost()})
fwdConf := dnsConf.Config
fwdConf.FilterHandler = applyAdditionalFiltering
fwdConf.ClientsContainer = clientsContainer
newConf = &dnsforward.ServerConfig{
@ -411,57 +410,6 @@ func getDNSEncryption(tlsMgr *tlsManager) (de dnsEncryption) {
return de
}
// applyAdditionalFiltering adds additional client information and settings if
// the client has them.
func applyAdditionalFiltering(clientIP netip.Addr, clientID string, setts *filtering.Settings) {
// pref is a prefix for logging messages around the scope.
const pref = "applying filters"
globalContext.filters.ApplyBlockedServices(setts)
log.Debug("%s: looking for client with ip %s and clientid %q", pref, clientIP, clientID)
if !clientIP.IsValid() {
return
}
setts.ClientIP = clientIP
c, ok := globalContext.clients.storage.Find(clientID)
if !ok {
c, ok = globalContext.clients.storage.Find(clientIP.String())
if !ok {
log.Debug("%s: no clients with ip %s and clientid %q", pref, clientIP, clientID)
return
}
}
log.Debug("%s: using settings for client %q (%s; %q)", pref, c.Name, clientIP, clientID)
if c.UseOwnBlockedServices {
// TODO(e.burkov): Get rid of this crutch.
setts.ServicesRules = nil
svcs := c.BlockedServices.IDs
if !c.BlockedServices.Schedule.Contains(time.Now()) {
globalContext.filters.ApplyBlockedServicesList(setts, svcs)
log.Debug("%s: services for client %q set: %s", pref, c.Name, svcs)
}
}
setts.ClientName = c.Name
setts.ClientTags = c.Tags
if !c.UseOwnSettings {
return
}
setts.FilteringEnabled = c.FilteringEnabled
setts.SafeSearchEnabled = c.SafeSearchConf.Enabled
setts.ClientSafeSearch = c.SafeSearch
setts.SafeBrowsingEnabled = c.SafeBrowsingEnabled
setts.ParentalEnabled = c.ParentalEnabled
}
func startDNSServer() error {
config.RLock()
defer config.RUnlock()

206
internal/home/dns_internal_test.go
View file

@ -1,206 +0,0 @@
package home
import (
"net/netip"
"testing"
"github.com/AdguardTeam/AdGuardHome/internal/client"
"github.com/AdguardTeam/AdGuardHome/internal/filtering"
"github.com/AdguardTeam/AdGuardHome/internal/schedule"
"github.com/AdguardTeam/golibs/logutil/slogutil"
"github.com/AdguardTeam/golibs/testutil"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
var testIPv4 = netip.AddrFrom4([4]byte{1, 2, 3, 4})
// newStorage is a helper function that returns a client storage filled with
// persistent clients. It also generates a UID for each client.
func newStorage(tb testing.TB, clients []*client.Persistent) (s *client.Storage) {
tb.Helper()
ctx := testutil.ContextWithTimeout(tb, testTimeout)
s, err := client.NewStorage(ctx, &client.StorageConfig{
Logger: slogutil.NewDiscardLogger(),
})
require.NoError(tb, err)
for _, p := range clients {
p.UID = client.MustNewUID()
require.NoError(tb, s.Add(ctx, p))
}
return s
}
func TestApplyAdditionalFiltering(t *testing.T) {
var err error
globalContext.filters, err = filtering.New(&filtering.Config{
BlockedServices: &filtering.BlockedServices{
Schedule: schedule.EmptyWeekly(),
},
}, nil)
require.NoError(t, err)
globalContext.clients.storage = newStorage(t, []*client.Persistent{{
Name: "default",
ClientIDs: []string{"default"},
UseOwnSettings: false,
SafeSearchConf: filtering.SafeSearchConfig{Enabled: false},
FilteringEnabled: false,
SafeBrowsingEnabled: false,
ParentalEnabled: false,
}, {
Name: "custom_filtering",
ClientIDs: []string{"custom_filtering"},
UseOwnSettings: true,
SafeSearchConf: filtering.SafeSearchConfig{Enabled: true},
FilteringEnabled: true,
SafeBrowsingEnabled: true,
ParentalEnabled: true,
}, {
Name: "partial_custom_filtering",
ClientIDs: []string{"partial_custom_filtering"},
UseOwnSettings: true,
SafeSearchConf: filtering.SafeSearchConfig{Enabled: true},
FilteringEnabled: true,
SafeBrowsingEnabled: false,
ParentalEnabled: false,
}})
testCases := []struct {
name string
id string
FilteringEnabled assert.BoolAssertionFunc
SafeSearchEnabled assert.BoolAssertionFunc
SafeBrowsingEnabled assert.BoolAssertionFunc
ParentalEnabled assert.BoolAssertionFunc
}{{
name: "global_settings",
id: "default",
FilteringEnabled: assert.False,
SafeSearchEnabled: assert.False,
SafeBrowsingEnabled: assert.False,
ParentalEnabled: assert.False,
}, {
name: "custom_settings",
id: "custom_filtering",
FilteringEnabled: assert.True,
SafeSearchEnabled: assert.True,
SafeBrowsingEnabled: assert.True,
ParentalEnabled: assert.True,
}, {
name: "partial",
id: "partial_custom_filtering",
FilteringEnabled: assert.True,
SafeSearchEnabled: assert.True,
SafeBrowsingEnabled: assert.False,
ParentalEnabled: assert.False,
}}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
setts := &filtering.Settings{}
applyAdditionalFiltering(testIPv4, tc.id, setts)
tc.FilteringEnabled(t, setts.FilteringEnabled)
tc.SafeSearchEnabled(t, setts.SafeSearchEnabled)
tc.SafeBrowsingEnabled(t, setts.SafeBrowsingEnabled)
tc.ParentalEnabled(t, setts.ParentalEnabled)
})
}
}
func TestApplyAdditionalFiltering_blockedServices(t *testing.T) {
filtering.InitModule()
var (
globalBlockedServices = []string{"ok"}
clientBlockedServices = []string{"ok", "mail_ru", "vk"}
invalidBlockedServices = []string{"invalid"}
err error
)
globalContext.filters, err = filtering.New(&filtering.Config{
BlockedServices: &filtering.BlockedServices{
Schedule: schedule.EmptyWeekly(),
IDs: globalBlockedServices,
},
}, nil)
require.NoError(t, err)
globalContext.clients.storage = newStorage(t, []*client.Persistent{{
Name: "default",
ClientIDs: []string{"default"},
UseOwnBlockedServices: false,
}, {
Name: "no_services",
ClientIDs: []string{"no_services"},
BlockedServices: &filtering.BlockedServices{
Schedule: schedule.EmptyWeekly(),
},
UseOwnBlockedServices: true,
}, {
Name: "services",
ClientIDs: []string{"services"},
BlockedServices: &filtering.BlockedServices{
Schedule: schedule.EmptyWeekly(),
IDs: clientBlockedServices,
},
UseOwnBlockedServices: true,
}, {
Name: "invalid_services",
ClientIDs: []string{"invalid_services"},
BlockedServices: &filtering.BlockedServices{
Schedule: schedule.EmptyWeekly(),
IDs: invalidBlockedServices,
},
UseOwnBlockedServices: true,
}, {
Name: "allow_all",
ClientIDs: []string{"allow_all"},
BlockedServices: &filtering.BlockedServices{
Schedule: schedule.FullWeekly(),
IDs: clientBlockedServices,
},
UseOwnBlockedServices: true,
}})
testCases := []struct {
name string
id string
wantLen int
}{{
name: "global_settings",
id: "default",
wantLen: len(globalBlockedServices),
}, {
name: "custom_settings",
id: "no_services",
wantLen: 0,
}, {
name: "custom_settings_block",
id: "services",
wantLen: len(clientBlockedServices),
}, {
name: "custom_settings_invalid",
id: "invalid_services",
wantLen: 0,
}, {
name: "custom_settings_inactive_schedule",
id: "allow_all",
wantLen: 0,
}}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
setts := &filtering.Settings{}
applyAdditionalFiltering(testIPv4, tc.id, setts)
require.Len(t, setts.ServicesRules, tc.wantLen)
})
}
}

6
openapi/CHANGELOG.md
View file

@ -4,6 +4,12 @@
## v0.108.0: API changes
## v0.107.58: API changes
### The ability to check rules for query types and/or clients: GET /control/check_host
- Added optional `client` and `qtype` URL query parameters.
## v0.107.57: API changes
- The new field `"upstream_timeout"` in `GET /control/dns_info` and `POST /control/dns_config` is the number of seconds to wait for a response from the upstream server.

14
openapi/openapi.yaml
View file

@ -739,6 +739,20 @@
- 'name': 'name'
'in': 'query'
'description': 'Filter by host name'
'required': true
'example': 'google.com'
'schema':
'type': 'string'
- 'name': 'client'
'in': 'query'
'description': 'Optional ClientID or client IP address'
'example': '192.0.2.1'
'schema':
'type': 'string'
- 'name': 'qtype'
'in': 'query'
'description': 'Optional DNS type'
'example': 'AAAA'
'schema':
'type': 'string'
'responses':