Pull request: 3419 client allowlist collision

Updates #3419.

Squashed commit of the following:

commit 370094c00d9c15b1336fbedb1e233bd4436c9898
Author: Dmitriy Seregin <d.seregin@adguard.com>
Date:   Fri Sep 10 17:31:16 2021 +0300

    added link to github issue

commit 407ba9b2db46b887a30ddb081bd37c56e56b0496
Merge: 426c8146 80548233
Author: Dmitriy Seregin <d.seregin@adguard.com>
Date:   Fri Sep 10 17:29:52 2021 +0300

    Merge branch 'master' into 3419-client-allowlist-collision

commit 426c8146cff5c112ebb25192af276c6601200528
Author: Dmitriy Seregin <d.seregin@adguard.com>
Date:   Fri Sep 10 16:28:11 2021 +0300

    fix en

commit d28c6022321828c6bdc55c3f9a4f655b26d146d2
Author: Dmitriy Seregin <d.seregin@adguard.com>
Date:   Fri Sep 10 15:49:12 2021 +0300

    added missing space

commit b374a09327968ca5343c1595d1ab8cf317c15ffe
Author: Dmitriy Seregin <d.seregin@adguard.com>
Date:   Fri Sep 10 15:43:55 2021 +0300

    fixes after review

commit 2be629d66e4703e2f5a85615bf1eaaa92e03c6fd
Author: Dmitriy Seregin <d.seregin@adguard.com>
Date:   Thu Sep 9 14:17:19 2021 +0300

    fixes

commit 5c2aa6201cc0ecf404d4057e354fbb0bdadcdd6d
Author: Dmitriy Seregin <d.seregin@adguard.com>
Date:   Wed Sep 8 15:04:30 2021 +0300

    return empty line to locale file

commit 3631c3772babbd595b1c3de4a7e91be6bac3e80f
Author: Dmitriy Seregin <d.seregin@adguard.com>
Date:   Wed Sep 8 13:57:51 2021 +0300

    all: fix collisions in access lists && expand block/unblock client
This commit is contained in:
Dmitry Seregin 2021-09-10 17:57:09 +03:00 committed by Ainar Garipov
parent 80548233ba
commit 8fdd789474
13 changed files with 238 additions and 65 deletions

View File

@ -46,6 +46,8 @@ and this project adheres to
### Changed
- Items in allowed clients, disallowed clients, and blocked hosts lists must
be unique ([#3419]).
- The TLS private key previously saved as a string isn't shown in API responses
any more ([#1898]).
- Better OpenWrt detection ([#3435]).
@ -178,6 +180,7 @@ In this release, the schema version has changed from 10 to 12.
[#3351]: https://github.com/AdguardTeam/AdGuardHome/issues/3351
[#3372]: https://github.com/AdguardTeam/AdGuardHome/issues/3372
[#3417]: https://github.com/AdguardTeam/AdGuardHome/issues/3417
[#3419]: https://github.com/AdguardTeam/AdGuardHome/issues/3419
[#3435]: https://github.com/AdguardTeam/AdGuardHome/issues/3435
[#3437]: https://github.com/AdguardTeam/AdGuardHome/issues/3437
[#3443]: https://github.com/AdguardTeam/AdGuardHome/issues/3443

View File

@ -613,7 +613,8 @@
"click_to_view_queries": "Click to view queries",
"port_53_faq_link": "Port 53 is often occupied by \"DNSStubListener\" or \"systemd-resolved\" services. Please read <0>this instruction</0> on how to resolve this.",
"adg_will_drop_dns_queries": "AdGuard Home will be dropping all DNS queries from this client.",
"client_not_in_allowed_clients": "The client is not allowed because it is not in the \"Allowed clients\" list.",
"filter_allowlist": "WARNING: This action also will exclude the rule \"{{disallowed_rule}}\" from the list of allowed clients.",
"last_rule_in_allowlist": "Cannot disallow this client because excluding the rule \"{{disallowed_rule}}\" will DISABLE \"Allowed clients\" list.",
"experimental": "Experimental",
"use_saved_key": "Use the previously saved key"
}

View File

@ -52,25 +52,34 @@ export const toggleClientBlock = (ip, disallowed, disallowed_rule) => async (dis
dispatch(toggleClientBlockRequest());
try {
const accessList = await apiClient.getAccessList();
const allowed_clients = accessList.allowed_clients ?? [];
const blocked_hosts = accessList.blocked_hosts ?? [];
const disallowed_clients = accessList.disallowed_clients ?? [];
const updatedDisallowedClients = disallowed
? disallowed_clients.filter((client) => client !== disallowed_rule)
: disallowed_clients.concat(ip);
let allowed_clients = accessList.allowed_clients ?? [];
let disallowed_clients = accessList.disallowed_clients ?? [];
if (disallowed) {
if (!disallowed_rule) {
allowed_clients = allowed_clients.concat(ip);
} else {
disallowed_clients = disallowed_clients
.filter((client) => client !== disallowed_rule);
}
} else if (allowed_clients.length > 1) {
allowed_clients = allowed_clients
.filter((client) => client !== disallowed_rule);
} else {
disallowed_clients = disallowed_clients.concat(ip);
}
const values = {
allowed_clients,
blocked_hosts,
disallowed_clients: updatedDisallowedClients,
disallowed_clients,
};
await apiClient.setAccessList(values);
dispatch(toggleClientBlockSuccess(values));
if (disallowed) {
dispatch(addSuccessToast(i18next.t('client_unblocked', { ip: disallowed_rule })));
dispatch(addSuccessToast(i18next.t('client_unblocked', { ip: disallowed_rule || ip })));
} else {
dispatch(addSuccessToast(i18next.t('client_blocked', { ip })));
}

View File

@ -38,15 +38,23 @@ const renderBlockingButton = (ip, disallowed, disallowed_rule) => {
const dispatch = useDispatch();
const { t } = useTranslation();
const processingSet = useSelector((state) => state.access.processingSet);
const allowedСlients = useSelector((state) => state.access.allowed_clients, shallowEqual);
const buttonClass = classNames('button-action button-action--main', {
'button-action--unblock': disallowed,
});
const toggleClientStatus = async (ip, disallowed, disallowed_rule) => {
const confirmMessage = disallowed
? t('client_confirm_unblock', { ip: disallowed_rule })
: `${t('adg_will_drop_dns_queries')} ${t('client_confirm_block', { ip })}`;
let confirmMessage;
if (disallowed) {
confirmMessage = t('client_confirm_unblock', { ip: disallowed_rule || ip });
} else {
confirmMessage = `${t('adg_will_drop_dns_queries')} ${t('client_confirm_block', { ip })}`;
if (allowedСlients.length > 0) {
confirmMessage = confirmMessage.concat(`\n\n${t('filter_allowlist', { disallowed_rule })}`);
}
}
if (window.confirm(confirmMessage)) {
await dispatch(toggleClientBlock(ip, disallowed, disallowed_rule));
@ -58,15 +66,16 @@ const renderBlockingButton = (ip, disallowed, disallowed_rule) => {
const text = disallowed ? BLOCK_ACTIONS.UNBLOCK : BLOCK_ACTIONS.BLOCK;
const isNotInAllowedList = disallowed && disallowed_rule === '';
const lastRuleInAllowlist = !disallowed && allowedСlients === disallowed_rule;
const disabled = processingSet || lastRuleInAllowlist;
return (
<div className="table__action pl-4">
<button
type="button"
className={buttonClass}
onClick={isNotInAllowedList ? undefined : onClick}
disabled={isNotInAllowedList || processingSet}
title={t(isNotInAllowedList ? 'client_not_in_allowed_clients' : text)}
onClick={onClick}
disabled={disabled}
title={lastRuleInAllowlist ? t('last_rule_in_allowlist', { disallowed_rule }) : ''}
>
<Trans>{text}</Trans>
</button>

View File

@ -28,6 +28,8 @@ const ClientCell = ({
const autoClients = useSelector((state) => state.dashboard.autoClients, shallowEqual);
const processingRules = useSelector((state) => state.filtering.processingRules);
const isDetailed = useSelector((state) => state.queryLogs.isDetailed);
const processingSet = useSelector((state) => state.access.processingSet);
const allowedСlients = useSelector((state) => state.access.allowed_clients, shallowEqual);
const [isOptionsOpened, setOptionsOpened] = useState(false);
const autoClient = autoClients.find((autoClient) => autoClient.name === client);
@ -71,11 +73,12 @@ const ClientCell = ({
const {
confirmMessage,
buttonKey: blockingClientKey,
isNotInAllowedList,
lastRuleInAllowlist,
} = getBlockClientInfo(
client,
client_info?.disallowed || false,
client_info?.disallowed_rule || '',
allowedСlients,
);
const blockingForClientKey = isFiltered ? 'unblock_for_this_client_only' : 'block_for_this_client_only';
@ -100,7 +103,7 @@ const ClientCell = ({
await dispatch(updateLogs());
}
},
disabled: isNotInAllowedList,
disabled: processingSet || lastRuleInAllowlist,
},
];

View File

@ -2,17 +2,24 @@ import i18next from 'i18next';
export const BUTTON_PREFIX = 'btn_';
export const getBlockClientInfo = (ip, disallowed, disallowed_rule) => {
const confirmMessage = disallowed
? i18next.t('client_confirm_unblock', { ip: disallowed_rule })
: `${i18next.t('adg_will_drop_dns_queries')} ${i18next.t('client_confirm_block', { ip })}`;
export const getBlockClientInfo = (ip, disallowed, disallowed_rule, allowedСlients) => {
let confirmMessage;
if (disallowed) {
confirmMessage = i18next.t('client_confirm_unblock', { ip: disallowed_rule || ip });
} else {
confirmMessage = `${i18next.t('adg_will_drop_dns_queries')} ${i18next.t('client_confirm_block', { ip })}`;
if (allowedСlients.length > 0) {
confirmMessage = confirmMessage.concat(`\n\n${i18next.t('filter_allowlist', { disallowed_rule })}`);
}
}
const buttonKey = i18next.t(disallowed ? 'allow_this_client' : 'disallow_this_client');
const isNotInAllowedList = disallowed && disallowed_rule === '';
const lastRuleInAllowlist = !disallowed && allowedСlients === disallowed_rule;
return {
confirmMessage,
buttonKey,
isNotInAllowedList,
lastRuleInAllowlist,
};
};

View File

@ -50,6 +50,8 @@ const Row = memo(({
const filters = useSelector((state) => state.filtering.filters, shallowEqual);
const whitelistFilters = useSelector((state) => state.filtering.whitelistFilters, shallowEqual);
const autoClients = useSelector((state) => state.dashboard.autoClients, shallowEqual);
const processingSet = useSelector((state) => state.access.processingSet);
const allowedСlients = useSelector((state) => state.access.allowed_clients, shallowEqual);
const clients = useSelector((state) => state.dashboard.clients);
@ -104,11 +106,12 @@ const Row = memo(({
const {
confirmMessage,
buttonKey: blockingClientKey,
isNotInAllowedList,
lastRuleInAllowlist,
} = getBlockClientInfo(
client,
client_info?.disallowed || false,
client_info?.disallowed_rule || '',
allowedСlients,
);
const blockingForClientKey = isFiltered ? 'unblock_for_this_client_only' : 'block_for_this_client_only';
@ -147,7 +150,7 @@ const Row = memo(({
const blockClientButton = <button
className='text-center font-weight-bold py-2 button-action--arrow-option'
onClick={onBlockingClientClick}
disabled={isNotInAllowedList}>
disabled={processingSet || lastRuleInAllowlist}>
{t(blockingClientKey)}
</button>;

View File

@ -15,6 +15,7 @@ import Disabled from './Disabled';
import { getFilteringStatus } from '../../actions/filtering';
import { getClients } from '../../actions';
import { getDnsConfig } from '../../actions/dnsConfig';
import { getAccessList } from '../../actions/access';
import {
getLogsConfig,
resetFilteredLogs,
@ -126,6 +127,7 @@ const Logs = () => {
await Promise.all([
dispatch(getLogsConfig()),
dispatch(getDnsConfig()),
dispatch(getAccessList()),
]);
} catch (err) {
console.error(err);

View File

@ -1,6 +1,7 @@
import React from 'react';
import PropTypes from 'prop-types';
import { Field, reduxForm } from 'redux-form';
import { connect } from 'react-redux';
import { Field, reduxForm, formValueSelector } from 'redux-form';
import { Trans, withTranslation } from 'react-i18next';
import flow from 'lodash/flow';
import { renderTextareaField } from '../../../../helpers/form';
@ -31,16 +32,20 @@ const fields = [
},
];
const Form = (props) => {
let Form = (props) => {
const {
handleSubmit, submitting, invalid, processingSet,
allowedClients, handleSubmit, submitting, invalid, processingSet,
} = props;
const renderField = ({
id, title, subtitle, disabled = processingSet, normalizeOnBlur,
id, title, subtitle, disabled = false, processingSet, normalizeOnBlur,
}) => <div key={id} className="form__group mb-5">
<label className="form__label form__label--with-desc" htmlFor={id}>
<Trans>{title}</Trans>
{disabled && <>
<span> </span>
(<Trans>disabled</Trans>)
</>}
</label>
<div className="form__desc form__desc--top">
<Trans>{subtitle}</Trans>
@ -51,7 +56,7 @@ const Form = (props) => {
component={renderTextareaField}
type="text"
className="form-control form-control--textarea font-monospace"
disabled={disabled}
disabled={disabled || processingSet}
normalizeOnBlur={normalizeOnBlur}
/>
</div>;
@ -66,7 +71,15 @@ const Form = (props) => {
return (
<form onSubmit={handleSubmit}>
{fields.map(renderField)}
{
fields.map((f) => {
const props = { ...f };
if (allowedClients && f.id === 'disallowed_clients') {
props.disabled = true;
}
return renderField(props);
})
}
<div className="card-actions">
<div className="btn-list">
<button
@ -90,6 +103,21 @@ Form.propTypes = {
processingSet: PropTypes.bool.isRequired,
t: PropTypes.func.isRequired,
textarea: PropTypes.bool,
allowedClients: PropTypes.string,
};
export default flow([withTranslation(), reduxForm({ form: FORM_NAME.ACCESS })])(Form);
const selector = formValueSelector(FORM_NAME.ACCESS);
Form = connect((state) => {
const allowedClients = selector(state, 'allowed_clients');
return {
allowedClients,
};
})(Form);
export default flow([
withTranslation(),
reduxForm({
form: FORM_NAME.ACCESS,
}),
])(Form);

View File

@ -7,6 +7,7 @@ import (
"net/http"
"strings"
"github.com/AdguardTeam/golibs/errors"
"github.com/AdguardTeam/golibs/log"
"github.com/AdguardTeam/golibs/netutil"
"github.com/AdguardTeam/golibs/stringutil"
@ -192,6 +193,60 @@ func (s *Server) handleAccessList(w http.ResponseWriter, r *http.Request) {
}
}
func isUniq(slice []string) (ok bool, uniqueMap map[string]unit) {
exists := make(map[string]unit)
for _, key := range slice {
if _, has := exists[key]; has {
return false, nil
}
exists[key] = unit{}
}
return true, exists
}
func intersect(mapA, mapB map[string]unit) bool {
for key := range mapA {
if _, has := mapB[key]; has {
return true
}
}
return false
}
// validateAccessSet checks the internal accessListJSON lists. To search for
// duplicates, we cannot compare the new stringutil.Set and []string, because
// creating a set for a large array can be an unnecessary algorithmic complexity
func validateAccessSet(list accessListJSON) (err error) {
const (
errAllowedDup errors.Error = "duplicates in allowed clients"
errDisallowedDup errors.Error = "duplicates in disallowed clients"
errBlockedDup errors.Error = "duplicates in blocked hosts"
errIntersect errors.Error = "some items in allowed and " +
"disallowed lists at the same time"
)
ok, allowedClients := isUniq(list.AllowedClients)
if !ok {
return errAllowedDup
}
ok, disallowedClients := isUniq(list.DisallowedClients)
if !ok {
return errDisallowedDup
}
ok, _ = isUniq(list.BlockedHosts)
if !ok {
return errBlockedDup
}
if intersect(allowedClients, disallowedClients) {
return errIntersect
}
return nil
}
func (s *Server) handleAccessSet(w http.ResponseWriter, r *http.Request) {
list := accessListJSON{}
err := json.NewDecoder(r.Body).Decode(&list)
@ -201,6 +256,13 @@ func (s *Server) handleAccessSet(w http.ResponseWriter, r *http.Request) {
return
}
err = validateAccessSet(list)
if err != nil {
httpError(r, w, http.StatusBadRequest, err.Error())
return
}
var a *accessCtx
a, err = newAccessCtx(list.AllowedClients, list.DisallowedClients, list.BlockedHosts)
if err != nil {

View File

@ -285,39 +285,70 @@ func toQueryLogWHOIS(wi *RuntimeClientWHOISInfo) (cw *querylog.ClientWHOIS) {
}
}
// findMultiple is a wrapper around Find to make it a valid client finder for
// the query log. err is always nil.
// findMultiple returns info about client. If no information about the client
// is found, it sends the client by default only with the "Disallowed" field
// filled in. err is always nil.
func (clients *clientsContainer) findMultiple(ids []string) (c *querylog.Client, err error) {
var emptyClient *querylog.Client
for _, id := range ids {
var name string
whois := &querylog.ClientWHOIS{}
ip := net.ParseIP(id)
c, ok := clients.Find(id)
if ok {
name = c.Name
} else if ip != nil {
var rc *RuntimeClient
rc, ok = clients.FindRuntimeClient(ip)
if !ok {
continue
}
name = rc.Host
whois = toQueryLogWHOIS(rc.WHOISInfo)
}
disallowed, disallowedRule := clients.dnsServer.IsBlockedClient(ip, id)
return &querylog.Client{
Name: name,
DisallowedRule: disallowedRule,
WHOIS: whois,
Disallowed: disallowed,
}, nil
client := clients.clientInfo(ip, id, disallowed, disallowedRule)
if client.Name == "" && client.DisallowedRule == "" {
emptyClient = client
continue
}
return client, nil
}
return nil, nil
return emptyClient, nil
}
// clientInfo is a wrapper around Find to make it a valid client finder for
// the query log.
func (clients *clientsContainer) clientInfo(
ip net.IP,
id string,
disallowed bool,
rule string,
) (c *querylog.Client) {
whois := &querylog.ClientWHOIS{}
client, ok := clients.Find(id)
if ok {
return &querylog.Client{
Name: client.Name,
DisallowedRule: rule,
WHOIS: whois,
Disallowed: disallowed,
}
}
if ip == nil {
return nil
}
var rc *RuntimeClient
rc, ok = clients.FindRuntimeClient(ip)
if ok {
return &querylog.Client{
Name: rc.Host,
DisallowedRule: rule,
WHOIS: toQueryLogWHOIS(rc.WHOISInfo),
Disallowed: disallowed,
}
}
return &querylog.Client{
Name: "",
DisallowedRule: rule,
WHOIS: &querylog.ClientWHOIS{},
Disallowed: disallowed,
}
}
func (clients *clientsContainer) Find(id string) (c *Client, ok bool) {

View File

@ -4,12 +4,25 @@
## v0.107: API changes
### New possible value of `"name"` field in `QueryLogItemClient`
* The value of `"name"` field in `GET /control/querylog` method is never empty:
either persistent client's name or runtime client's hostname.
### Lists in `AccessList`
* Fields `"allowed_clients"`, `"disallowed_clients"` and `"blocked_hosts"` in
`POST /access/set` now should contain only unique elements.
* Fields `"allowed_clients"` and `"disallowed_clients"` cannot contain the same
elements.
### The new field `"private_key_saved"` in `TlsConfig`
* The new field `"private_key_saved"` in `POST /control/tls/configure`,
`POST /control/tls/validate` and `GET /control/tls/status` is true if the
private key was previously saved as a string and now the private key omitted
from communication between server and client due to security issues.
`POST /control/tls/validate` and `GET /control/tls/status` is true if the
private key was previously saved as a string and now the private key omitted
from communication between server and client due to security issues.
### The new field `"cache_optimistic"` in DNS configuration

View File

@ -1962,8 +1962,7 @@
The rule due to which the client is allowed or blocked.
'name':
'description': >
Persistent client's name or an empty string if this is a runtime
client.
Persistent client's name or runtime client's hostname.
'type': 'string'
'whois':
'$ref': '#/components/schemas/QueryLogItemClientWhois'
@ -2363,7 +2362,10 @@
'AccessSetRequest':
'$ref': '#/components/schemas/AccessList'
'AccessList':
'description': 'Client and host access list'
'description': >
Client and host access list. Each of the lists should contain only
unique elements. In addition, allowed and disallowed lists cannot
contain the same elements.
'properties':
'allowed_clients':
'description': >