[gitpod-db] Email domain blocklist: Add suffix matching capability

gitpod-io · Apr 20, 2022 · 39c4ec5 · 39c4ec5
1 parent 4e35c7d
commit 39c4ec5
Show file tree

Hide file tree

Showing 2 changed files with 90 additions and 1 deletion.
diff --git a/components/gitpod-db/src/email-domain-filter-db.spec.db.ts b/components/gitpod-db/src/email-domain-filter-db.spec.db.ts
@@ -0,0 +1,88 @@
+/**
+ * Copyright (c) 2022 Gitpod GmbH. All rights reserved.
+ * Licensed under the Gitpod Enterprise Source Code License,
+ * See License.enterprise.txt in the project root folder.
+ */
+
+import * as chai from "chai";
+import { suite, test, timeout } from "mocha-typescript";
+import { testContainer } from "./test-container";
+import { TypeORM } from "./typeorm/typeorm";
+import { EmailDomainFilterDB } from "./email-domain-filter-db";
+import { DBEmailDomainFilterEntry } from "./typeorm/entity/db-email-domain-filter-entry";
+const expect = chai.expect;
+
+@suite
+@timeout(5000)
+export class EmailDomainFilterDBSpec {
+    typeORM = testContainer.get<TypeORM>(TypeORM);
+    db = testContainer.get<EmailDomainFilterDB>(EmailDomainFilterDB);
+
+    async before() {
+        await this.clear();
+    }
+
+    async after() {
+        await this.clear();
+    }
+
+    protected async clear() {
+        const connection = await this.typeORM.getConnection();
+        const manager = connection.manager;
+        await manager.clear(DBEmailDomainFilterEntry);
+    }
+
+    @test public async filterSimple() {
+        await this.db.storeFilterEntry({
+            domain: "gitpod.io",
+            negative: true,
+        });
+
+        const actual = await this.db.isBlocked("gitpod.io");
+        expect(actual, "isBlocked").to.equal(true);
+    }
+
+    @test public async filterSimple_negative() {
+        await this.db.storeFilterEntry({
+            domain: "gitpod.io",
+            negative: true,
+        });
+
+        const actual = await this.db.isBlocked("example.org");
+        expect(actual, "isBlocked").to.equal(false);
+
+        const actual2 = await this.db.isBlocked("sub.gitpod.io");
+        expect(actual2, "isBlocked").to.equal(false);
+    }
+
+    @test public async filterSuffixMatch() {
+        await this.db.storeFilterEntry({
+            domain: "%.gitpod.io",
+            negative: true,
+        });
+
+        const actual = await this.db.isBlocked("gitpod.io");
+        expect(actual, "isBlocked").to.equal(false);
+
+        const actual2 = await this.db.isBlocked("sub.gitpod.io");
+        expect(actual2, "isBlocked").to.equal(true);
+
+        const actual3 = await this.db.isBlocked("sub.gitpod.io.xyz");
+        expect(actual3, "isBlocked").to.equal(false);
+    }
+
+    @test public async filterSimple_guard_against_blocking_everyone() {
+        await this.db.storeFilterEntry({
+            domain: "%",
+            negative: true,
+        });
+
+        const actual = await this.db.isBlocked("example.org");
+        expect(actual, "isBlocked").to.equal(false);
+
+        const actual2 = await this.db.isBlocked("sub.gitpod.io");
+        expect(actual2, "isBlocked").to.equal(false);
+    }
+}
+
+module.exports = EmailDomainFilterDBSpec;
diff --git a/components/gitpod-db/src/typeorm/email-domain-filter-db-impl.ts b/components/gitpod-db/src/typeorm/email-domain-filter-db-impl.ts
@@ -33,7 +33,8 @@ export class EmailDomainFilterDBImpl implements EmailDomainFilterDB {
         const repo = await this.getRepo();
         const result = await repo
             .createQueryBuilder("entry")
-            .where(`entry.domain = :domain`, { domain: domain })
+            .where(`:domain LIKE entry.domain`, { domain: domain })
+            .andWhere(`entry.domain != '%'`) // this ensures we do not accidentally block _all_ new users
             .andWhere(`entry.negative = '1'`)
             .getOne();
         return !!result;