printban WIP

2019-08-08 18:39:09 +02:00 · 2019-08-08 18:39:09 +02:00 · 10677ec72e
parent 7128b6d5f6
commit 10677ec72e
4 changed files with 57 additions and 7 deletions
--- a/conf/base.conf
+++ b/conf/base.conf
@ -204,9 +204,9 @@ geoip {
 }
 security {
  collection.security = security
+  collection.print_ban = print_ban
  flood.duration = 60 seconds
  firewall {
-    enabled=true
    cookie {
      enabled = false
      name=fEKHA4zI74ZrZrom
--- a/modules/security/src/main/Env.scala
+++ b/modules/security/src/main/Env.scala
@ -28,7 +28,7 @@ final class Env(
  private val MailgunSender = config getString "mailgun.sender"
  private val MailgunReplyTo = config getString "mailgun.reply_to"
  private val CollectionSecurity = config getString "collection.security"
-  private val FirewallEnabled = config getBoolean "firewall.enabled"
+  private val CollectionPrintBan = config getString "collection.print_ban"
  private val FirewallCookieName = config getString "firewall.cookie.name"
  private val FirewallCookieEnabled = config getBoolean "firewall.cookie.enabled"
  private val FirewallCollectionFirewall = config getString "firewall.collection.firewall"
@ -60,7 +60,6 @@ final class Env(
  lazy val firewall = new Firewall(
    coll = firewallColl,
    cookieName = FirewallCookieName.some filter (_ => FirewallCookieEnabled),
-    enabled = FirewallEnabled,
    system = system
  )

@ -181,6 +180,8 @@ final class Env(

  lazy val api = new SecurityApi(storeColl, firewall, geoIP, authenticator, emailAddressValidator, tryOAuthServer)(system)

+  lazy val printBanApi = new PrintBanApi(printBanColl)
+
  lazy val csrfRequestHandler = new CSRFRequestHandler(NetDomain)

  def cli = new Cli
@ -191,6 +192,7 @@ final class Env(
  }

  private[security] lazy val storeColl = db(CollectionSecurity)
+  private[security] lazy val printBanColl = db(CollectionPrintBan)
  private[security] lazy val firewallColl = db(FirewallCollectionFirewall)
 }

--- a/modules/security/src/main/Firewall.scala
+++ b/modules/security/src/main/Firewall.scala
@ -10,9 +10,9 @@ import lila.db.BSON.BSONJodaDateTimeHandler
 import lila.db.dsl._

 final class Firewall(
-    coll: Coll,
+    ipColl: Coll,
+    fpColl: Coll,
    cookieName: Option[String],
-    enabled: Boolean,
    system: akka.actor.ActorSystem
 ) {

@ -20,7 +20,7 @@ final class Firewall(

  system.scheduler.scheduleOnce(10 minutes)(loadFromDb)

-  def blocksIp(ip: IpAddress): Boolean = current contains ip.value
+  def blocksIp(ip: IpAddress): Boolean = ipSet contains ip.value

  def blocks(req: RequestHeader): Boolean = enabled && {
    val v = blocksIp {
@ -47,7 +47,7 @@ final class Firewall(

  private def loadFromDb: Funit =
    coll.distinct[String, Set]("_id", none).map { ips =>
-      current = ips
+      ipSet = ips
      lila.mon.security.firewall.ip(ips.size)
    }

--- a/modules/security/src/main/PrintBanApi.scala
+++ b/modules/security/src/main/PrintBanApi.scala
@ -0,0 +1,48 @@
+package lila.security
+
+import reactivemongo.bson._
+
+import lila.db.dsl._
+
+private final class PrintBanApi(coll: Coll) {
+
+  private var current: Set[String] = Set.empty
+
+  def blocks(hash: FingerHash): Boolean = current contains hash.value
+
+  def blocks(req: RequestHeader): Boolean = enabled && {
+    val v = blocksIp {
+      lila.common.HTTPRequest lastRemoteAddress req
+    } || cookieName.?? { blocksCookies(req.cookies, _) }
+    if (v) lila.mon.security.firewall.block()
+    v
+  }
+
+  def accepts(req: RequestHeader): Boolean = !blocks(req)
+
+  def blockIps(ips: List[IpAddress]): Funit = ips.map { ip =>
+    validIp(ip) ?? {
+      coll.update(
+        $id(ip),
+        $doc("_id" -> ip, "date" -> DateTime.now),
+        upsert = true
+      ).void
+    }
+  }.sequenceFu >> loadFromDb
+
+  def unblockIps(ips: Iterable[IpAddress]): Funit =
+    coll.remove($inIds(ips.filter(validIp))).void >>- loadFromDb
+
+  private def loadFromDb: Funit =
+    coll.distinct[String, Set]("_id", none).map { ips =>
+      current = ips
+      lila.mon.security.firewall.ip(ips.size)
+    }
+
+  private def blocksCookies(cookies: Cookies, name: String) =
+    (cookies get name).isDefined
+
+  private def validIp(ip: IpAddress) =
+    (IpAddress.isv4(ip) && ip.value != "127.0.0.1" && ip.value != "0.0.0.0") ||
+      (IpAddress.isv6(ip) && ip.value != "0:0:0:0:0:0:0:1" && ip.value != "0:0:0:0:0:0:0:0")
+}