From 89e1567641c8f4d3e4c99f8da09272679b79f254 Mon Sep 17 00:00:00 2001 From: Kwitsch Date: Fri, 12 Nov 2021 21:58:22 +0100 Subject: [PATCH 1/4] comama seperated client names (cherry picked from commit cdb009d0c8e14b2be25b6a8beb563017c603f674) --- resolver/blocking_resolver.go | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/resolver/blocking_resolver.go b/resolver/blocking_resolver.go index 11619bbeb..d19311b42 100644 --- a/resolver/blocking_resolver.go +++ b/resolver/blocking_resolver.go @@ -79,6 +79,7 @@ type BlockingResolver struct { blockHandler blockHandler whitelistOnlyGroups map[string]bool status *status + clientGroupsBlock map[string][]string } // NewBlockingResolver returns a new configured instance of the resolver @@ -103,6 +104,19 @@ func NewBlockingResolver(cfg config.BlockingConfig) (ChainedResolver, error) { return nil, multierror.Prefix(err, "blocking resolver: ") } + //split identifiers by commas and merge groups + cgb := make(map[string][]string) + for identifier, cfgGroups := range cfg.ClientGroupsBlock { + for _, ipart := range strings.Split(identifier, ",") { + existingGroups, found := cgb[ipart] + if found { + cgb[ipart] = append(existingGroups, cfgGroups...) + } else { + cgb[ipart] = cfgGroups + } + } + } + res := &BlockingResolver{ blockHandler: blockHandler, cfg: cfg, @@ -113,6 +127,7 @@ func NewBlockingResolver(cfg config.BlockingConfig) (ChainedResolver, error) { enabled: true, enableTimer: time.NewTimer(0), }, + clientGroupsBlock: cgb, } return res, nil @@ -365,7 +380,7 @@ func (r *BlockingResolver) groupsToCheckForClient(request *model.Request) []stri var groups []string // try client names for _, cName := range request.ClientNames { - for blockGroup, groupsByName := range r.cfg.ClientGroupsBlock { + for blockGroup, groupsByName := range r.clientGroupsBlock { if util.ClientNameMatchesGroupName(blockGroup, cName) { groups = append(groups, groupsByName...) } @@ -373,14 +388,14 @@ func (r *BlockingResolver) groupsToCheckForClient(request *model.Request) []stri } // try IP - groupsByIP, found := r.cfg.ClientGroupsBlock[request.ClientIP.String()] + groupsByIP, found := r.clientGroupsBlock[request.ClientIP.String()] if found { groups = append(groups, groupsByIP...) } // try CIDR - for cidr, groupsByCidr := range r.cfg.ClientGroupsBlock { + for cidr, groupsByCidr := range r.clientGroupsBlock { if util.CidrContainsIP(cidr, request.ClientIP) { groups = append(groups, groupsByCidr...) } @@ -388,7 +403,7 @@ func (r *BlockingResolver) groupsToCheckForClient(request *model.Request) []stri if len(groups) == 0 { // return default - groups = r.cfg.ClientGroupsBlock["default"] + groups = r.clientGroupsBlock["default"] } var result []string From bc5a0402f9525227ea52012c54ec260947853958 Mon Sep 17 00:00:00 2001 From: Kwitsch Date: Fri, 12 Nov 2021 22:50:48 +0100 Subject: [PATCH 2/4] blocking_resolver unittest (cherry picked from commit cb059deb282bcc614939dc021041c0b35665a84e) --- resolver/blocking_resolver_test.go | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/resolver/blocking_resolver_test.go b/resolver/blocking_resolver_test.go index e66ad7840..a06f9f22a 100644 --- a/resolver/blocking_resolver_test.go +++ b/resolver/blocking_resolver_test.go @@ -118,12 +118,13 @@ badcnamedomain.com`) "defaultGroup": {defaultGroupFile.Name()}, }, ClientGroupsBlock: map[string][]string{ - "client1": {"gr1"}, - "192.168.178.55": {"gr1"}, - "altName": {"gr2"}, - "10.43.8.67/28": {"gr1"}, - "wildcard[0-9]*": {"gr1"}, - "default": {"defaultGroup"}, + "client1": {"gr1"}, + "client2,client3": {"gr1"}, + "192.168.178.55": {"gr1"}, + "altName": {"gr2"}, + "10.43.8.67/28": {"gr1"}, + "wildcard[0-9]*": {"gr1"}, + "default": {"defaultGroup"}, }, BlockType: "ZeroIP", } @@ -139,6 +140,16 @@ badcnamedomain.com`) Expect(resp.Res.Answer).Should(BeDNSRecord("domain1.com.", dns.TypeA, 21600, "0.0.0.0")) }) + It("should block the A query if domain is on the black list multipart 1", func() { + resp, err = sut.Resolve(newRequestWithClient("domain1.com.", dns.TypeA, "1.2.1.2", "client2")) + + Expect(resp.Res.Answer).Should(BeDNSRecord("domain1.com.", dns.TypeA, 21600, "0.0.0.0")) + }) + It("should block the A query if domain is on the black list multipart 2", func() { + resp, err = sut.Resolve(newRequestWithClient("domain1.com.", dns.TypeA, "1.2.1.2", "client3")) + + Expect(resp.Res.Answer).Should(BeDNSRecord("domain1.com.", dns.TypeA, 21600, "0.0.0.0")) + }) It("should block the AAAA query if domain is on the black list", func() { resp, err = sut.Resolve(newRequestWithClient("domain1.com.", dns.TypeAAAA, "1.2.1.2", "client1")) From 1e984c68860fe421e8c428209aab912eed19f52a Mon Sep 17 00:00:00 2001 From: Kwitsch Date: Sat, 13 Nov 2021 14:16:05 +0100 Subject: [PATCH 3/4] linter errors reduced --- resolver/blocking_resolver.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/resolver/blocking_resolver.go b/resolver/blocking_resolver.go index d19311b42..9f2987bc3 100644 --- a/resolver/blocking_resolver.go +++ b/resolver/blocking_resolver.go @@ -104,8 +104,8 @@ func NewBlockingResolver(cfg config.BlockingConfig) (ChainedResolver, error) { return nil, multierror.Prefix(err, "blocking resolver: ") } - //split identifiers by commas and merge groups cgb := make(map[string][]string) + for identifier, cfgGroups := range cfg.ClientGroupsBlock { for _, ipart := range strings.Split(identifier, ",") { existingGroups, found := cgb[ipart] From 6afc9f6c5ea6ced801d3b2357cafc575764c7e20 Mon Sep 17 00:00:00 2001 From: Kwitsch Date: Sat, 13 Nov 2021 14:29:04 +0100 Subject: [PATCH 4/4] unit test for group merge --- resolver/blocking_resolver_test.go | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/resolver/blocking_resolver_test.go b/resolver/blocking_resolver_test.go index a06f9f22a..459a01a48 100644 --- a/resolver/blocking_resolver_test.go +++ b/resolver/blocking_resolver_test.go @@ -120,6 +120,7 @@ badcnamedomain.com`) ClientGroupsBlock: map[string][]string{ "client1": {"gr1"}, "client2,client3": {"gr1"}, + "client3": {"gr2"}, "192.168.178.55": {"gr1"}, "altName": {"gr2"}, "10.43.8.67/28": {"gr1"}, @@ -135,21 +136,26 @@ badcnamedomain.com`) }) When("client name is defined in client groups block", func() { - It("should block the A query if domain is on the black list", func() { + It("should block the A query if domain is on the black list (single)", func() { resp, err = sut.Resolve(newRequestWithClient("domain1.com.", dns.TypeA, "1.2.1.2", "client1")) Expect(resp.Res.Answer).Should(BeDNSRecord("domain1.com.", dns.TypeA, 21600, "0.0.0.0")) }) - It("should block the A query if domain is on the black list multipart 1", func() { + It("should block the A query if domain is on the black list (multipart 1)", func() { resp, err = sut.Resolve(newRequestWithClient("domain1.com.", dns.TypeA, "1.2.1.2", "client2")) Expect(resp.Res.Answer).Should(BeDNSRecord("domain1.com.", dns.TypeA, 21600, "0.0.0.0")) }) - It("should block the A query if domain is on the black list multipart 2", func() { + It("should block the A query if domain is on the black list (multipart 2)", func() { resp, err = sut.Resolve(newRequestWithClient("domain1.com.", dns.TypeA, "1.2.1.2", "client3")) Expect(resp.Res.Answer).Should(BeDNSRecord("domain1.com.", dns.TypeA, 21600, "0.0.0.0")) }) + It("should block the A query if domain is on the black list (merged)", func() { + resp, err = sut.Resolve(newRequestWithClient("blocked2.com.", dns.TypeA, "1.2.1.2", "client3")) + + Expect(resp.Res.Answer).Should(BeDNSRecord("blocked2.com.", dns.TypeA, 21600, "0.0.0.0")) + }) It("should block the AAAA query if domain is on the black list", func() { resp, err = sut.Resolve(newRequestWithClient("domain1.com.", dns.TypeAAAA, "1.2.1.2", "client1"))