Pull request: 3419 client allowlist collision

Updates #3419. Squashed commit of the following: commit 370094c00d9c15b1336fbedb1e233bd4436c9898 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Sep 10 17:31:16 2021 +0300 added link to github issue commit 407ba9b2db46b887a30ddb081bd37c56e56b0496 Merge: 426c8146 80548233 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Sep 10 17:29:52 2021 +0300 Merge branch 'master' into 3419-client-allowlist-collision commit 426c8146cff5c112ebb25192af276c6601200528 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Sep 10 16:28:11 2021 +0300 fix en commit d28c6022321828c6bdc55c3f9a4f655b26d146d2 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Sep 10 15:49:12 2021 +0300 added missing space commit b374a09327968ca5343c1595d1ab8cf317c15ffe Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Sep 10 15:43:55 2021 +0300 fixes after review commit 2be629d66e4703e2f5a85615bf1eaaa92e03c6fd Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Sep 9 14:17:19 2021 +0300 fixes commit 5c2aa6201cc0ecf404d4057e354fbb0bdadcdd6d Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Wed Sep 8 15:04:30 2021 +0300 return empty line to locale file commit 3631c3772babbd595b1c3de4a7e91be6bac3e80f Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Wed Sep 8 13:57:51 2021 +0300 all: fix collisions in access lists && expand block/unblock client
2024-08-16 14:10:22 +03:00 · 2021-09-10 17:57:09 +03:00 · 2021-09-10 17:57:09 +03:00 · 8fdd789474
commit 8fdd789474
parent 80548233ba
13 changed files with 238 additions and 65 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -46,6 +46,8 @@ and this project adheres to

 ### Changed

+- Items in allowed clients, disallowed clients, and blocked hosts lists must
+  be unique ([#3419]).
 - The TLS private key previously saved as a string isn't shown in API responses
  any more ([#1898]).
 - Better OpenWrt detection ([#3435]).
@ -178,6 +180,7 @@ In this release, the schema version has changed from 10 to 12.
 [#3351]: https://github.com/AdguardTeam/AdGuardHome/issues/3351
 [#3372]: https://github.com/AdguardTeam/AdGuardHome/issues/3372
 [#3417]: https://github.com/AdguardTeam/AdGuardHome/issues/3417
+[#3419]: https://github.com/AdguardTeam/AdGuardHome/issues/3419
 [#3435]: https://github.com/AdguardTeam/AdGuardHome/issues/3435
 [#3437]: https://github.com/AdguardTeam/AdGuardHome/issues/3437
 [#3443]: https://github.com/AdguardTeam/AdGuardHome/issues/3443
--- a/client/src/__locales/en.json
+++ b/client/src/__locales/en.json
@ -613,7 +613,8 @@
    "click_to_view_queries": "Click to view queries",
    "port_53_faq_link": "Port 53 is often occupied by \"DNSStubListener\" or \"systemd-resolved\" services. Please read <0>this instruction</0> on how to resolve this.",
    "adg_will_drop_dns_queries": "AdGuard Home will be dropping all DNS queries from this client.",
-    "client_not_in_allowed_clients": "The client is not allowed because it is not in the \"Allowed clients\" list.",
+    "filter_allowlist": "WARNING: This action also will exclude the rule \"{{disallowed_rule}}\" from the list of allowed clients.",
+    "last_rule_in_allowlist": "Cannot disallow this client because excluding the rule \"{{disallowed_rule}}\" will DISABLE \"Allowed clients\" list.",
    "experimental": "Experimental",
    "use_saved_key": "Use the previously saved key"
 }
--- a/client/src/actions/access.js
+++ b/client/src/actions/access.js
@ -52,25 +52,34 @@ export const toggleClientBlock = (ip, disallowed, disallowed_rule) => async (dis
    dispatch(toggleClientBlockRequest());
    try {
        const accessList = await apiClient.getAccessList();
-        const allowed_clients = accessList.allowed_clients ?? [];
        const blocked_hosts = accessList.blocked_hosts ?? [];
-        const disallowed_clients = accessList.disallowed_clients ?? [];
-
-        const updatedDisallowedClients = disallowed
-            ? disallowed_clients.filter((client) => client !== disallowed_rule)
-            : disallowed_clients.concat(ip);
+        let allowed_clients = accessList.allowed_clients ?? [];
+        let disallowed_clients = accessList.disallowed_clients ?? [];

+        if (disallowed) {
+            if (!disallowed_rule) {
+                allowed_clients = allowed_clients.concat(ip);
+            } else {
+                disallowed_clients = disallowed_clients
+                    .filter((client) => client !== disallowed_rule);
+            }
+        } else if (allowed_clients.length > 1) {
+            allowed_clients = allowed_clients
+                .filter((client) => client !== disallowed_rule);
+        } else {
+            disallowed_clients = disallowed_clients.concat(ip);
+        }
        const values = {
            allowed_clients,
            blocked_hosts,
-            disallowed_clients: updatedDisallowedClients,
+            disallowed_clients,
        };

        await apiClient.setAccessList(values);
        dispatch(toggleClientBlockSuccess(values));

        if (disallowed) {
-            dispatch(addSuccessToast(i18next.t('client_unblocked', { ip: disallowed_rule })));
+            dispatch(addSuccessToast(i18next.t('client_unblocked', { ip: disallowed_rule || ip })));
        } else {
            dispatch(addSuccessToast(i18next.t('client_blocked', { ip })));
        }
--- a/client/src/components/Dashboard/Clients.js
+++ b/client/src/components/Dashboard/Clients.js
@ -38,15 +38,23 @@ const renderBlockingButton = (ip, disallowed, disallowed_rule) => {
    const dispatch = useDispatch();
    const { t } = useTranslation();
    const processingSet = useSelector((state) => state.access.processingSet);
+    const allowedСlients = useSelector((state) => state.access.allowed_clients, shallowEqual);

    const buttonClass = classNames('button-action button-action--main', {
        'button-action--unblock': disallowed,
    });

    const toggleClientStatus = async (ip, disallowed, disallowed_rule) => {
-        const confirmMessage = disallowed
-            ? t('client_confirm_unblock', { ip: disallowed_rule })
-            : `${t('adg_will_drop_dns_queries')} ${t('client_confirm_block', { ip })}`;
+        let confirmMessage;
+
+        if (disallowed) {
+            confirmMessage = t('client_confirm_unblock', { ip: disallowed_rule || ip });
+        } else {
+            confirmMessage = `${t('adg_will_drop_dns_queries')} ${t('client_confirm_block', { ip })}`;
+            if (allowedСlients.length > 0) {
+                confirmMessage = confirmMessage.concat(`\n\n${t('filter_allowlist', { disallowed_rule })}`);
+            }
+        }

        if (window.confirm(confirmMessage)) {
            await dispatch(toggleClientBlock(ip, disallowed, disallowed_rule));
@ -58,15 +66,16 @@ const renderBlockingButton = (ip, disallowed, disallowed_rule) => {

    const text = disallowed ? BLOCK_ACTIONS.UNBLOCK : BLOCK_ACTIONS.BLOCK;

-    const isNotInAllowedList = disallowed && disallowed_rule === '';
+    const lastRuleInAllowlist = !disallowed && allowedСlients === disallowed_rule;
+    const disabled = processingSet || lastRuleInAllowlist;
    return (
        <div className="table__action pl-4">
            <button
                type="button"
                className={buttonClass}
-                onClick={isNotInAllowedList ? undefined : onClick}
-                disabled={isNotInAllowedList || processingSet}
-                title={t(isNotInAllowedList ? 'client_not_in_allowed_clients' : text)}
+                onClick={onClick}
+                disabled={disabled}
+                title={lastRuleInAllowlist ? t('last_rule_in_allowlist', { disallowed_rule }) : ''}
            >
                <Trans>{text}</Trans>
            </button>
--- a/client/src/components/Logs/Cells/ClientCell.js
+++ b/client/src/components/Logs/Cells/ClientCell.js
@ -28,6 +28,8 @@ const ClientCell = ({
    const autoClients = useSelector((state) => state.dashboard.autoClients, shallowEqual);
    const processingRules = useSelector((state) => state.filtering.processingRules);
    const isDetailed = useSelector((state) => state.queryLogs.isDetailed);
+    const processingSet = useSelector((state) => state.access.processingSet);
+    const allowedСlients = useSelector((state) => state.access.allowed_clients, shallowEqual);
    const [isOptionsOpened, setOptionsOpened] = useState(false);

    const autoClient = autoClients.find((autoClient) => autoClient.name === client);
@ -71,11 +73,12 @@ const ClientCell = ({
        const {
            confirmMessage,
            buttonKey: blockingClientKey,
-            isNotInAllowedList,
+            lastRuleInAllowlist,
        } = getBlockClientInfo(
            client,
            client_info?.disallowed || false,
            client_info?.disallowed_rule || '',
+            allowedСlients,
        );

        const blockingForClientKey = isFiltered ? 'unblock_for_this_client_only' : 'block_for_this_client_only';
@ -100,7 +103,7 @@ const ClientCell = ({
                        await dispatch(updateLogs());
                    }
                },
-                disabled: isNotInAllowedList,
+                disabled: processingSet || lastRuleInAllowlist,
            },
        ];

--- a/client/src/components/Logs/Cells/helpers/index.js
+++ b/client/src/components/Logs/Cells/helpers/index.js
@ -2,17 +2,24 @@ import i18next from 'i18next';

 export const BUTTON_PREFIX = 'btn_';

-export const getBlockClientInfo = (ip, disallowed, disallowed_rule) => {
-    const confirmMessage = disallowed
-        ? i18next.t('client_confirm_unblock', { ip: disallowed_rule })
-        : `${i18next.t('adg_will_drop_dns_queries')} ${i18next.t('client_confirm_block', { ip })}`;
+export const getBlockClientInfo = (ip, disallowed, disallowed_rule, allowedСlients) => {
+    let confirmMessage;
+
+    if (disallowed) {
+        confirmMessage = i18next.t('client_confirm_unblock', { ip: disallowed_rule || ip });
+    } else {
+        confirmMessage = `${i18next.t('adg_will_drop_dns_queries')} ${i18next.t('client_confirm_block', { ip })}`;
+        if (allowedСlients.length > 0) {
+            confirmMessage = confirmMessage.concat(`\n\n${i18next.t('filter_allowlist', { disallowed_rule })}`);
+        }
+    }

    const buttonKey = i18next.t(disallowed ? 'allow_this_client' : 'disallow_this_client');
-    const isNotInAllowedList = disallowed && disallowed_rule === '';
+    const lastRuleInAllowlist = !disallowed && allowedСlients === disallowed_rule;

    return {
        confirmMessage,
        buttonKey,
-        isNotInAllowedList,
+        lastRuleInAllowlist,
    };
 };
--- a/client/src/components/Logs/Cells/index.js
+++ b/client/src/components/Logs/Cells/index.js
@ -50,6 +50,8 @@ const Row = memo(({
    const filters = useSelector((state) => state.filtering.filters, shallowEqual);
    const whitelistFilters = useSelector((state) => state.filtering.whitelistFilters, shallowEqual);
    const autoClients = useSelector((state) => state.dashboard.autoClients, shallowEqual);
+    const processingSet = useSelector((state) => state.access.processingSet);
+    const allowedСlients = useSelector((state) => state.access.allowed_clients, shallowEqual);

    const clients = useSelector((state) => state.dashboard.clients);

@ -104,11 +106,12 @@ const Row = memo(({
        const {
            confirmMessage,
            buttonKey: blockingClientKey,
-            isNotInAllowedList,
+            lastRuleInAllowlist,
        } = getBlockClientInfo(
            client,
            client_info?.disallowed || false,
            client_info?.disallowed_rule || '',
+            allowedСlients,
        );

        const blockingForClientKey = isFiltered ? 'unblock_for_this_client_only' : 'block_for_this_client_only';
@ -147,7 +150,7 @@ const Row = memo(({
        const blockClientButton = <button
                className='text-center font-weight-bold py-2 button-action--arrow-option'
                onClick={onBlockingClientClick}
-                disabled={isNotInAllowedList}>
+                disabled={processingSet || lastRuleInAllowlist}>
            {t(blockingClientKey)}
        </button>;

--- a/client/src/components/Logs/index.js
+++ b/client/src/components/Logs/index.js
@ -15,6 +15,7 @@ import Disabled from './Disabled';
 import { getFilteringStatus } from '../../actions/filtering';
 import { getClients } from '../../actions';
 import { getDnsConfig } from '../../actions/dnsConfig';
+import { getAccessList } from '../../actions/access';
 import {
    getLogsConfig,
    resetFilteredLogs,
@ -126,6 +127,7 @@ const Logs = () => {
                await Promise.all([
                    dispatch(getLogsConfig()),
                    dispatch(getDnsConfig()),
+                    dispatch(getAccessList()),
                ]);
            } catch (err) {
                console.error(err);
--- a/client/src/components/Settings/Dns/Access/Form.js
+++ b/client/src/components/Settings/Dns/Access/Form.js
@ -1,6 +1,7 @@
 import React from 'react';
 import PropTypes from 'prop-types';
-import { Field, reduxForm } from 'redux-form';
+import { connect } from 'react-redux';
+import { Field, reduxForm, formValueSelector } from 'redux-form';
 import { Trans, withTranslation } from 'react-i18next';
 import flow from 'lodash/flow';
 import { renderTextareaField } from '../../../../helpers/form';
@ -31,16 +32,20 @@ const fields = [
    },
 ];

-const Form = (props) => {
+let Form = (props) => {
    const {
-        handleSubmit, submitting, invalid, processingSet,
+        allowedClients, handleSubmit, submitting, invalid, processingSet,
    } = props;

    const renderField = ({
-        id, title, subtitle, disabled = processingSet, normalizeOnBlur,
+        id, title, subtitle, disabled = false, processingSet, normalizeOnBlur,
    }) => <div key={id} className="form__group mb-5">
        <label className="form__label form__label--with-desc" htmlFor={id}>
            <Trans>{title}</Trans>
+            {disabled && <>
+                <span> </span>
+                (<Trans>disabled</Trans>)
+            </>}
        </label>
        <div className="form__desc form__desc--top">
            <Trans>{subtitle}</Trans>
@ -51,7 +56,7 @@ const Form = (props) => {
            component={renderTextareaField}
            type="text"
            className="form-control form-control--textarea font-monospace"
-            disabled={disabled}
+            disabled={disabled || processingSet}
            normalizeOnBlur={normalizeOnBlur}
        />
    </div>;
@ -66,7 +71,15 @@ const Form = (props) => {

    return (
        <form onSubmit={handleSubmit}>
-            {fields.map(renderField)}
+            {
+                fields.map((f) => {
+                    const props = { ...f };
+                    if (allowedClients && f.id === 'disallowed_clients') {
+                        props.disabled = true;
+                    }
+                    return renderField(props);
+                })
+            }
            <div className="card-actions">
                <div className="btn-list">
                    <button
@ -90,6 +103,21 @@ Form.propTypes = {
    processingSet: PropTypes.bool.isRequired,
    t: PropTypes.func.isRequired,
    textarea: PropTypes.bool,
+    allowedClients: PropTypes.string,
 };

-export default flow([withTranslation(), reduxForm({ form: FORM_NAME.ACCESS })])(Form);
+const selector = formValueSelector(FORM_NAME.ACCESS);
+
+Form = connect((state) => {
+    const allowedClients = selector(state, 'allowed_clients');
+    return {
+        allowedClients,
+    };
+})(Form);
+
+export default flow([
+    withTranslation(),
+    reduxForm({
+        form: FORM_NAME.ACCESS,
+    }),
+])(Form);
--- a/internal/dnsforward/access.go
+++ b/internal/dnsforward/access.go
@ -7,6 +7,7 @@ import (
 	"net/http"
 	"strings"

+	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
 	"github.com/AdguardTeam/golibs/netutil"
 	"github.com/AdguardTeam/golibs/stringutil"
@ -192,6 +193,60 @@ func (s *Server) handleAccessList(w http.ResponseWriter, r *http.Request) {
 	}
 }

+func isUniq(slice []string) (ok bool, uniqueMap map[string]unit) {
+	exists := make(map[string]unit)
+	for _, key := range slice {
+		if _, has := exists[key]; has {
+			return false, nil
+		}
+		exists[key] = unit{}
+	}
+	return true, exists
+}
+
+func intersect(mapA, mapB map[string]unit) bool {
+	for key := range mapA {
+		if _, has := mapB[key]; has {
+			return true
+		}
+	}
+	return false
+}
+
+// validateAccessSet checks the internal accessListJSON lists.  To search for
+// duplicates, we cannot compare the new stringutil.Set and []string, because
+// creating a set for a large array can be an unnecessary algorithmic complexity
+func validateAccessSet(list accessListJSON) (err error) {
+	const (
+		errAllowedDup    errors.Error = "duplicates in allowed clients"
+		errDisallowedDup errors.Error = "duplicates in disallowed clients"
+		errBlockedDup    errors.Error = "duplicates in blocked hosts"
+		errIntersect     errors.Error = "some items in allowed and " +
+			"disallowed lists at the same time"
+	)
+
+	ok, allowedClients := isUniq(list.AllowedClients)
+	if !ok {
+		return errAllowedDup
+	}
+
+	ok, disallowedClients := isUniq(list.DisallowedClients)
+	if !ok {
+		return errDisallowedDup
+	}
+
+	ok, _ = isUniq(list.BlockedHosts)
+	if !ok {
+		return errBlockedDup
+	}
+
+	if intersect(allowedClients, disallowedClients) {
+		return errIntersect
+	}
+
+	return nil
+}
+
 func (s *Server) handleAccessSet(w http.ResponseWriter, r *http.Request) {
 	list := accessListJSON{}
 	err := json.NewDecoder(r.Body).Decode(&list)
@ -201,6 +256,13 @@ func (s *Server) handleAccessSet(w http.ResponseWriter, r *http.Request) {
 		return
 	}

+	err = validateAccessSet(list)
+	if err != nil {
+		httpError(r, w, http.StatusBadRequest, err.Error())
+
+		return
+	}
+
 	var a *accessCtx
 	a, err = newAccessCtx(list.AllowedClients, list.DisallowedClients, list.BlockedHosts)
 	if err != nil {
--- a/internal/home/clients.go
+++ b/internal/home/clients.go
@ -285,39 +285,70 @@ func toQueryLogWHOIS(wi *RuntimeClientWHOISInfo) (cw *querylog.ClientWHOIS) {
 	}
 }

-// findMultiple is a wrapper around Find to make it a valid client finder for
-// the query log.  err is always nil.
+// findMultiple returns info about client.  If no information about the client
+// is found, it sends the client by default only with the "Disallowed" field
+// filled in.  err is always nil.
 func (clients *clientsContainer) findMultiple(ids []string) (c *querylog.Client, err error) {
+	var emptyClient *querylog.Client
+
 	for _, id := range ids {
-		var name string
-		whois := &querylog.ClientWHOIS{}
 		ip := net.ParseIP(id)
-
-		c, ok := clients.Find(id)
-		if ok {
-			name = c.Name
-		} else if ip != nil {
-			var rc *RuntimeClient
-			rc, ok = clients.FindRuntimeClient(ip)
-			if !ok {
-				continue
-			}
-
-			name = rc.Host
-			whois = toQueryLogWHOIS(rc.WHOISInfo)
-		}
-
 		disallowed, disallowedRule := clients.dnsServer.IsBlockedClient(ip, id)

-		return &querylog.Client{
-			Name:           name,
-			DisallowedRule: disallowedRule,
-			WHOIS:          whois,
-			Disallowed:     disallowed,
-		}, nil
+		client := clients.clientInfo(ip, id, disallowed, disallowedRule)
+
+		if client.Name == "" && client.DisallowedRule == "" {
+			emptyClient = client
+
+			continue
+		}
+
+		return client, nil
 	}

-	return nil, nil
+	return emptyClient, nil
+}
+
+// clientInfo is a wrapper around Find to make it a valid client finder for
+// the query log.
+func (clients *clientsContainer) clientInfo(
+	ip net.IP,
+	id string,
+	disallowed bool,
+	rule string,
+) (c *querylog.Client) {
+	whois := &querylog.ClientWHOIS{}
+	client, ok := clients.Find(id)
+	if ok {
+		return &querylog.Client{
+			Name:           client.Name,
+			DisallowedRule: rule,
+			WHOIS:          whois,
+			Disallowed:     disallowed,
+		}
+	}
+
+	if ip == nil {
+		return nil
+	}
+
+	var rc *RuntimeClient
+	rc, ok = clients.FindRuntimeClient(ip)
+	if ok {
+		return &querylog.Client{
+			Name:           rc.Host,
+			DisallowedRule: rule,
+			WHOIS:          toQueryLogWHOIS(rc.WHOISInfo),
+			Disallowed:     disallowed,
+		}
+	}
+
+	return &querylog.Client{
+		Name:           "",
+		DisallowedRule: rule,
+		WHOIS:          &querylog.ClientWHOIS{},
+		Disallowed:     disallowed,
+	}
 }

 func (clients *clientsContainer) Find(id string) (c *Client, ok bool) {
--- a/openapi/CHANGELOG.md
+++ b/openapi/CHANGELOG.md
@ -4,12 +4,25 @@

 ## v0.107: API changes

+### New possible value of `"name"` field in `QueryLogItemClient`
+
+* The value of `"name"` field in `GET /control/querylog` method is never empty:
+  either persistent client's name or runtime client's hostname.
+
+### Lists in `AccessList`
+
+* Fields `"allowed_clients"`, `"disallowed_clients"` and `"blocked_hosts"` in
+  `POST /access/set` now should contain only unique elements.
+
+* Fields `"allowed_clients"` and `"disallowed_clients"` cannot contain the same
+  elements.
+
 ### The new field `"private_key_saved"` in `TlsConfig`

 * The new field `"private_key_saved"` in `POST /control/tls/configure`,
-`POST /control/tls/validate` and `GET /control/tls/status` is true if the
-private key was previously saved as a string and now the private key omitted
-from communication between server and client due to security issues.
+  `POST /control/tls/validate` and `GET /control/tls/status` is true if the
+  private key was previously saved as a string and now the private key omitted
+  from communication between server and client due to security issues.

 ### The new field `"cache_optimistic"` in DNS configuration

--- a/openapi/openapi.yaml
+++ b/openapi/openapi.yaml
@ -1962,8 +1962,7 @@
            The rule due to which the client is allowed or blocked.
        'name':
          'description': >
-            Persistent client's name or an empty string if this is a runtime
-            client.
+            Persistent client's name or runtime client's hostname.
          'type': 'string'
        'whois':
          '$ref': '#/components/schemas/QueryLogItemClientWhois'
@ -2363,7 +2362,10 @@
    'AccessSetRequest':
      '$ref': '#/components/schemas/AccessList'
    'AccessList':
-      'description': 'Client and host access list'
+      'description': >
+        Client and host access list.  Each of the lists should contain only
+        unique elements.  In addition, allowed and disallowed lists cannot
+        contain the same elements.
      'properties':
        'allowed_clients':
          'description': >