
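#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
########################################################################
# OPENAPI-URI: /api/bans
########################################################################
# delete:
#   requestBody:
#     content:
#       application/json:
#         schema:
#           $ref: '#/components/schemas/IPAddress'
#     description: Removes a banlist entry
#     required: true
#   responses:
#     '200':
#       content:
#         application/json:
#           schema:
#             $ref: '#/components/schemas/ActionCompleted'
#       description: Removal successful
#     default:
#       content:
#         application/json:
#           schema:
#             $ref: '#/components/schemas/Error'
#       description: unexpected error
#   security:
#   - cookieAuth: []
#   summary: Remove a banlist entry
# get:
#   responses:
#     '200':
#       content:
#         application/json:
#           schema:
#             $ref: '#/components/schemas/Empty'
#       description: 200 response
#     default:
#       content:
#         application/json:
#           schema:
#             $ref: '#/components/schemas/Error'
#       description: unexpected error
#   security:
#   - cookieAuth: []
#   summary: Displays the current banlist entries
# put:
#   requestBody:
#     content:
#       application/json:
#         schema:
#           $ref: '#/components/schemas/IPAddress'
#     description: IP address or block to ban
#     required: true
#   responses:
#     '200':
#       content:
#         application/json:
#           schema:
#             $ref: '#/components/schemas/ActionCompleted'
#       description: Ban entry added
#     default:
#       content:
#         application/json:
#           schema:
#             $ref: '#/components/schemas/Error'
#       description: unexpected error
#   summary: Add a banlist entry
#
########################################################################
# NOTE(review): the `put` operation above declares no `security` block,
# while `delete` and `get` both require cookieAuth. The handler itself only
# reads the submitter name from HTTP_PROXY_USER and does no check of its own,
# so confirm that adding a ban is meant to be reachable without cookieAuth.
""" This is the banlist handler for Blocky/2

Endpoints (see the OPENAPI block above):
  PUT    /api/bans  - add a ban for an IP address or block
  DELETE /api/bans  - remove a ban by rule id; the address is whitelisted
                      for an hour so the removal is not undone right away
  GET    /api/bans  - list the current bans, served from a short-lived cache

Every handler yields one JSON document; errors are raised as API.exception.
"""
import json
import re
import time
import bcrypt
import hashlib
import plugins.worker

# Cached vars
BANLIST = []          # banlist as of the last fetch; shared across requests
BAN_TS = 0            # time.time() of the last banlist fetch
BAN_CACHE_TIME = 30   # seconds a cached banlist is served before re-fetching

# Rule ids accepted by DELETE: a Blocky/2 sha1 hex id, or a Blocky/1 id
# (the address itself with '/' replaced by '_'). The id is passed straight
# through as a document id, so the charset is kept deliberately narrow.
RULE_ID_RE = re.compile(r"^[a-f0-9.:_]+$")


def _doc_ids(ip):
    """ Return the (Blocky/2, Blocky/1) document ids an address may be stored under.

    Blocky/2 keys a document by the sha1 of the address string; Blocky/1 used
    the address with '/' replaced by '_' and the host-mask suffix
    (_32 / _128) dropped.
    """
    text = str(ip)
    v2_id = plugins.worker.make_sha1(text)
    v1_id = text.replace('/', '_').replace('_32', '').replace('_128', '')
    return v2_id, v1_id


def find_rule(DB, doctype, ip):
    """ Find a rule, either v1 or v2 style.

    Returns the document for the first id that exists, or None if neither
    the Blocky/2 nor the Blocky/1 id is present in `doctype`.
    """
    for docid in _doc_ids(ip):
        if DB.ES.exists(index=DB.dbname, doc_type=doctype, id=docid):
            return DB.ES.get(index=DB.dbname, doc_type=doctype, id=docid)
    return None


def to_whitelist_temp(DB, hit):
    """ Temporarily turn a banlist entry into a whitelist entry.

    `hit` is the ban document being removed. Its address is whitelisted for
    one hour (`timeout`) under the Blocky/2 id of the normalized block, and a
    system note records why. Does nothing if no address can be recovered.
    """
    doc = hit['_source']
    ipaddress = doc.get('ip')
    if not ipaddress:
        ipaddress = hit['_id'].replace('_', '/')  # Blocky/1 syntax, bah
    if not ipaddress:
        return
    ipaddress = ipaddress.strip()  # blocky/1 bug: stored with surrounding whitespace
    block = plugins.worker.to_block(ipaddress)
    ip = str(block)
    now = int(time.time())
    entry = {
        'ip': ip,
        'reason': "Temporary system whitelist due to unban",
        'target': "*",
        'epoch': now,
        'timeout': now + 3600,
    }
    bid = plugins.worker.make_sha1(ip)
    DB.ES.index(index=DB.dbname, doc_type='whitelist', id=bid, body=entry)
    plugins.worker.addnote(DB, 'system', "Whitelisting %s temporarily to flush blocks" % (ipaddress))


def remove_whitelist(session, white):
    """ Remove a whitelist entry, either v1 or v2 style.

    Called when a ban is forced over an overlapping whitelist entry. The
    system note is written first so the audit trail explains the removal.
    Uses the same id normalization as find_rule (`_doc_ids`).
    """
    plugins.worker.addnote(session.DB, 'system', "Removing whitelist entry for %s due to forced banlisting" % white)
    for docid in _doc_ids(white):
        if session.DB.ES.exists(index=session.DB.dbname, doc_type='whitelist', id=docid):
            session.DB.ES.delete(index=session.DB.dbname, doc_type='whitelist', id=docid, refresh='wait_for')


def _add_ban(API, environ, indata, session):
    """ PUT: add a ban entry and return the JSON response body.

    Raises API.exception(400) on missing input or a duplicate ban, and
    API.exception(403) when the address overlaps a whitelist entry and
    `force` was not set.
    """
    ip = indata.get('source')
    reason = indata.get('reason')
    if not ip or not reason:
        raise API.exception(400, "Both 'source' and 'reason' are required!")
    target = indata.get('target', '*')
    force = indata.get('force', False)
    submitter = environ.get('HTTP_PROXY_USER', 'Admin')
    reason = "Banned by %s: %s" % (submitter, reason)

    block = plugins.worker.to_block(ip)
    # Check if ban already exists. New bans are keyed on str(block), so look
    # the address up in that form as well as in the raw submitted form.
    if find_rule(session.DB, 'ban', ip) or find_rule(session.DB, 'ban', block):
        raise API.exception(400, "A ban already exists for this IP!")

    # Check if this IP is within a whitelisted space, or would swallow one.
    whitelist = plugins.worker.get_whitelist(session.DB)
    for white in whitelist:
        if block in white:
            if force:
                remove_whitelist(session, white)
            else:
                raise API.exception(403, "IP Address is whitelisted as %s, cannot ban!" % white)
        if white in block:
            if force:
                remove_whitelist(session, white)
            else:
                raise API.exception(403, "This ban would cancel whitelist entry for %s, cannot mix" % white)

    # All good? Okay, add the entry then.
    entry = {
        'ip': ip,
        'reason': reason,
        'target': target,
        'epoch': int(time.time()),
    }
    bid = plugins.worker.make_sha1(str(block))
    session.DB.ES.index(index=session.DB.dbname, doc_type='ban', id=bid, body=entry)
    plugins.worker.addnote(session.DB, 'manual', "Manual ban for %s added by %s: %s" % (ip, submitter, reason))
    return json.dumps({"message": "Entry added!"})


def _remove_ban(API, environ, indata, session):
    """ DELETE: remove a ban by rule id and return the JSON response body.

    Raises API.exception(400) for a missing or malformed id and
    API.exception(404) when no ban document has that id.
    """
    submitter = environ.get('HTTP_PROXY_USER', 'Admin')
    rid = indata.get('rule')
    # A missing id used to reach re.match as None; reject it up front.
    if not isinstance(rid, str) or not RULE_ID_RE.match(rid):
        raise API.exception(400, "Invalid rule ID specified!")
    if not session.DB.ES.exists(index=session.DB.dbname, doc_type='ban', id=rid):
        raise API.exception(404, "No ban entry with that rule ID!")
    hit = session.DB.ES.get(index=session.DB.dbname, doc_type='ban', id=rid)
    plugins.worker.addnote(session.DB, 'manual', "Ban for %s removed by %s" % (hit['_source'].get('ip', rid), submitter))
    # Whitelist the address for an hour before deleting the ban; the system
    # note written there calls this "flushing" the block.
    to_whitelist_temp(session.DB, hit)
    session.DB.ES.delete(index=session.DB.dbname, doc_type='ban', id=rid, refresh='wait_for')
    return json.dumps({"message": "Entry removed"})


def _list_bans(environ, session):
    """ GET: return the current banlist as JSON.

    The list is re-fetched when the cache is older than BAN_CACHE_TIME
    seconds, or always for browser user agents ("Mozilla"); other clients
    get the cached copy.
    """
    global BANLIST, BAN_TS
    stale = BAN_TS < (time.time() - BAN_CACHE_TIME)
    is_browser = 'Mozilla' in environ.get('HTTP_USER_AGENT', 'python')
    if stale or is_browser:
        res = session.DB.ES.search(
            index=session.DB.dbname,
            doc_type="ban",
            size=10000,
            body={'query': {'match_all': {}}},
        )
        bans = []
        for hit in res['hits']['hits']:
            doc = hit['_source']
            ip = doc.get('ip')
            if not ip:
                ip = hit['_id'].replace('_', '/')  # backwards compat: Blocky/1 ids are the address
            if ip:
                doc['ip'] = ip.strip()
            doc['rid'] = hit['_id']
            bans.append(doc)
        # Publish the finished list in one assignment so a concurrent GET
        # never serves a half-built BANLIST.
        BANLIST = bans
        BAN_TS = time.time()
    return json.dumps({'bans': BANLIST})


def run(API, environ, indata, session):
    """ Dispatch /api/bans on the HTTP method.

    Yields exactly one JSON response body. Errors are raised as API.exception
    so the API layer turns them into an error response.
    """
    method = environ['REQUEST_METHOD']
    if method == "PUT":
        yield _add_ban(API, environ, indata, session)
    elif method == "DELETE":
        yield _remove_ban(API, environ, indata, session)
    elif method == "GET":
        yield _list_bans(environ, session)
    else:
        # Finally, if we hit a method we don't know, balk! This must be raised,
        # not yielded, or the exception object becomes the response body.
        raise API.exception(400, "I don't know this request method!!")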