Merge branch 'master' into 4299-querylog-stats-api

2023-02-27 17:23:20 +03:00 · 2023-02-27 17:23:20 +03:00 · e1ea4797af
parent d7db0a5af1 bb80a7c215
commit e1ea4797af
8 changed files with 117 additions and 52 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -23,15 +23,6 @@ See also the [v0.107.26 GitHub milestone][ms-v0.107.26].
 NOTE: Add new changes BELOW THIS COMMENT.
 -->

-### Added
-
- Two new HTTP APIs, `PUT /control/stats/config/update` and `GET
-  control/stats/config`, which can be used to set and receive the query log
-  configuration.  See openapi/openapi.yaml for the full description.
- Two new HTTP APIs, `PUT /control/querylog/config/update` and `GET
-  control/querylog/config`, which can be used to set and receive the statistics
-  configuration.  See openapi/openapi.yaml for the full description.
-
 ### Changed

 #### Configuration Changes
@ -78,14 +69,30 @@ In this release, the schema version has changed from 16 to 17.
 - The `POST /control/querylog_config` HTTP API; use the new `PUT
  /control/querylog/config/update` API instead.

+### Added
+
+- Two new HTTP APIs, `PUT /control/stats/config/update` and `GET
+  control/stats/config`, which can be used to set and receive the query log
+  configuration.  See openapi/openapi.yaml for the full description.
+- Two new HTTP APIs, `PUT /control/querylog/config/update` and `GET
+  control/querylog/config`, which can be used to set and receive the statistics
+  configuration.  See openapi/openapi.yaml for the full description.
+- The ability to use `dnstype` rules in the disallowed domains list ([#5468]).
+  This allows dropping requests based on their question types.
+
 ### Fixed

+- Automatic update on MIPS64 and little-endian 32-bit MIPS architectures
+  ([#5270], [#5373]).
 - Requirements to domain names in domain-specific upstream configurations have
  been relaxed to meet those from [RFC 3696][rfc3696] ([#4884]).
 - Failing service installation via script on FreeBSD ([#5431]).

 [#4884]: https://github.com/AdguardTeam/AdGuardHome/issues/4884
+[#5270]: https://github.com/AdguardTeam/AdGuardHome/issues/5270
+[#5373]: https://github.com/AdguardTeam/AdGuardHome/issues/5373
 [#5431]: https://github.com/AdguardTeam/AdGuardHome/issues/5431
+[#5468]: https://github.com/AdguardTeam/AdGuardHome/issues/5468

 [rfc3696]: https://datatracker.ietf.org/doc/html/rfc3696

--- a/internal/dnsforward/access.go
+++ b/internal/dnsforward/access.go
@ -13,6 +13,7 @@ import (
 	"github.com/AdguardTeam/golibs/stringutil"
 	"github.com/AdguardTeam/urlfilter"
 	"github.com/AdguardTeam/urlfilter/filterlist"
+	"github.com/AdguardTeam/urlfilter/rules"
 )

 // unit is a convenient alias for struct{}
@ -127,8 +128,12 @@ func (a *accessManager) isBlockedClientID(id string) (ok bool) {
 }

 // isBlockedHost returns true if host should be blocked.
-func (a *accessManager) isBlockedHost(host string) (ok bool) {
-	_, ok = a.blockedHostsEng.Match(strings.ToLower(host))
+func (a *accessManager) isBlockedHost(host string, qt rules.RRType) (ok bool) {
+	_, ok = a.blockedHostsEng.MatchRequest(&urlfilter.DNSRequest{
+		Hostname: host,
+		ClientIP: "0.0.0.0",
+		DNSType:  qt,
+	})

 	return ok
 }
--- a/internal/dnsforward/access_test.go
+++ b/internal/dnsforward/access_test.go
@ -4,6 +4,8 @@ import (
 	"net/netip"
 	"testing"

+	"github.com/AdguardTeam/urlfilter/rules"
+	"github.com/miekg/dns"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@ -28,54 +30,75 @@ func TestIsBlockedHost(t *testing.T) {
 		"host1",
 		"*.host.com",
 		"||host3.com^",
+		"||*^$dnstype=HTTPS",
 	})
 	require.NoError(t, err)

 	testCases := []struct {
+		want assert.BoolAssertionFunc
 		name string
 		host string
-		want bool
+		qt   rules.RRType
 	}{{
+		want: assert.True,
 		name: "plain_match",
 		host: "host1",
-		want: true,
+		qt:   dns.TypeA,
 	}, {
+		want: assert.False,
 		name: "plain_mismatch",
 		host: "host2",
-		want: false,
+		qt:   dns.TypeA,
 	}, {
+		want: assert.True,
 		name: "subdomain_match_short",
 		host: "asdf.host.com",
-		want: true,
+		qt:   dns.TypeA,
 	}, {
+		want: assert.True,
 		name: "subdomain_match_long",
 		host: "qwer.asdf.host.com",
-		want: true,
+		qt:   dns.TypeA,
 	}, {
+		want: assert.False,
 		name: "subdomain_mismatch_no_lead",
 		host: "host.com",
-		want: false,
+		qt:   dns.TypeA,
 	}, {
+		want: assert.False,
 		name: "subdomain_mismatch_bad_asterisk",
 		host: "asdf.zhost.com",
-		want: false,
+		qt:   dns.TypeA,
 	}, {
+		want: assert.True,
 		name: "rule_match_simple",
 		host: "host3.com",
-		want: true,
+		qt:   dns.TypeA,
 	}, {
+		want: assert.True,
 		name: "rule_match_complex",
 		host: "asdf.host3.com",
-		want: true,
+		qt:   dns.TypeA,
 	}, {
+		want: assert.False,
 		name: "rule_mismatch",
 		host: ".host3.com",
-		want: false,
+		qt:   dns.TypeA,
+	}, {
+		want: assert.True,
+		name: "by_qtype",
+		host: "site-with-https-record.example",
+		qt:   dns.TypeHTTPS,
+	}, {
+		want: assert.False,
+		name: "by_qtype_other",
+		host: "site-with-https-record.example",
+		qt:   dns.TypeA,
 	}}

 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			assert.Equal(t, tc.want, a.isBlockedHost(tc.host))
+			tc.want(t, a.isBlockedHost(tc.host, tc.qt))
 		})
 	}
 }
@ -93,29 +116,29 @@ func TestIsBlockedIP(t *testing.T) {
 	require.NoError(t, err)

 	testCases := []struct {
+		ip          netip.Addr
 		name        string
 		wantRule    string
-		ip          netip.Addr
 		wantBlocked bool
 	}{{
+		ip:          netip.MustParseAddr("1.2.3.4"),
 		name:        "match_ip",
 		wantRule:    "1.2.3.4",
-		ip:          netip.MustParseAddr("1.2.3.4"),
 		wantBlocked: true,
 	}, {
+		ip:          netip.MustParseAddr("5.6.7.100"),
 		name:        "match_cidr",
 		wantRule:    "5.6.7.8/24",
-		ip:          netip.MustParseAddr("5.6.7.100"),
 		wantBlocked: true,
 	}, {
+		ip:          netip.MustParseAddr("9.2.3.4"),
 		name:        "no_match_ip",
 		wantRule:    "",
-		ip:          netip.MustParseAddr("9.2.3.4"),
 		wantBlocked: false,
 	}, {
+		ip:          netip.MustParseAddr("9.6.7.100"),
 		name:        "no_match_cidr",
 		wantRule:    "",
-		ip:          netip.MustParseAddr("9.6.7.100"),
 		wantBlocked: false,
 	}}

--- a/internal/dnsforward/filter.go
+++ b/internal/dnsforward/filter.go
@ -31,9 +31,11 @@ func (s *Server) beforeRequestHandler(
 	}

 	if len(pctx.Req.Question) == 1 {
-		host := strings.TrimSuffix(pctx.Req.Question[0].Name, ".")
-		if s.access.isBlockedHost(host) {
-			log.Debug("host %s is in access blocklist", host)
+		q := pctx.Req.Question[0]
+		qt := q.Qtype
+		host := strings.TrimSuffix(q.Name, ".")
+		if s.access.isBlockedHost(host, qt) {
+			log.Debug("request %s %s is in access blocklist", dns.Type(qt), host)

 			return s.preBlockedResponse(pctx)
 		}
--- a/internal/home/controlupdate.go
+++ b/internal/home/controlupdate.go
@ -98,7 +98,7 @@ func requestVersionInfo(resp *versionResponse, recheck bool) (err error) {
 	if err != nil {
 		vcu := Context.updater.VersionCheckURL()

-		return fmt.Errorf("getting version info from %s: %s", vcu, err)
+		return fmt.Errorf("getting version info from %s: %w", vcu, err)
 	}

 	return nil
--- a/internal/updater/check.go
+++ b/internal/updater/check.go
@ -10,6 +10,9 @@ import (
 	"github.com/AdguardTeam/AdGuardHome/internal/aghalg"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghio"
 	"github.com/AdguardTeam/golibs/errors"
+	"github.com/AdguardTeam/golibs/log"
+	"golang.org/x/exp/maps"
+	"golang.org/x/exp/slices"
 )

 // TODO(a.garipov): Make configurable.
@ -81,9 +84,9 @@ func (u *Updater) parseVersionResponse(data []byte) (VersionInfo, error) {
 		return info, fmt.Errorf("version.json: %w", err)
 	}

-	for _, v := range versionJSON {
+	for k, v := range versionJSON {
 		if v == "" {
-			return info, fmt.Errorf("version.json: invalid data")
+			return info, fmt.Errorf("version.json: bad data: value for key %q is empty", k)
 		}
 	}

@ -91,9 +94,9 @@ func (u *Updater) parseVersionResponse(data []byte) (VersionInfo, error) {
 	info.Announcement = versionJSON["announcement"]
 	info.AnnouncementURL = versionJSON["announcement_url"]

-	packageURL, ok := u.downloadURL(versionJSON)
-	if !ok {
-		return info, fmt.Errorf("version.json: packageURL not found")
+	packageURL, key, found := u.downloadURL(versionJSON)
+	if !found {
+		return info, fmt.Errorf("version.json: no package URL: key %q not found in object", key)
 	}

 	info.CanAutoUpdate = aghalg.BoolToNullBool(info.NewVersion != u.version)
@ -104,25 +107,40 @@ func (u *Updater) parseVersionResponse(data []byte) (VersionInfo, error) {
 	return info, nil
 }

-// downloadURL returns the download URL for current build.
-func (u *Updater) downloadURL(json map[string]string) (string, bool) {
-	var key string
-
+// downloadURL returns the download URL for current build as well as its key in
+// versionObj.  If the key is not found, it additionally prints an informative
+// log message.
+func (u *Updater) downloadURL(versionObj map[string]string) (dlURL, key string, ok bool) {
 	if u.goarch == "arm" && u.goarm != "" {
 		key = fmt.Sprintf("download_%s_%sv%s", u.goos, u.goarch, u.goarm)
-	} else if u.goarch == "mips" && u.gomips != "" {
+	} else if isMIPS(u.goarch) && u.gomips != "" {
 		key = fmt.Sprintf("download_%s_%s_%s", u.goos, u.goarch, u.gomips)
-	}
-
-	val, ok := json[key]
-	if !ok {
+	} else {
 		key = fmt.Sprintf("download_%s_%s", u.goos, u.goarch)
-		val, ok = json[key]
 	}

-	if !ok {
-		return "", false
+	dlURL, ok = versionObj[key]
+	if ok {
+		return dlURL, key, true
 	}

-	return val, true
+	keys := maps.Keys(versionObj)
+	slices.Sort(keys)
+	log.Error("updater: key %q not found; got keys %q", key, keys)
+
+	return "", key, false
+}
+
+// isMIPS returns true if arch is any MIPS architecture.
+func isMIPS(arch string) (ok bool) {
+	switch arch {
+	case
+		"mips",
+		"mips64",
+		"mips64le",
+		"mipsle":
+		return true
+	default:
+		return false
+	}
 }
--- a/internal/updater/updater.go
+++ b/internal/updater/updater.go
@ -272,7 +272,7 @@ func (u *Updater) backup(firstRun bool) (err error) {
 	wd := u.workDir
 	err = copySupportingFiles(u.unpackedFiles, wd, u.backupDir)
 	if err != nil {
-		return fmt.Errorf("copySupportingFiles(%s, %s) failed: %s", wd, u.backupDir, err)
+		return fmt.Errorf("copySupportingFiles(%s, %s) failed: %w", wd, u.backupDir, err)
 	}

 	return nil
@ -283,7 +283,7 @@ func (u *Updater) backup(firstRun bool) (err error) {
 func (u *Updater) replace() error {
 	err := copySupportingFiles(u.unpackedFiles, u.updateDir, u.workDir)
 	if err != nil {
-		return fmt.Errorf("copySupportingFiles(%s, %s) failed: %s", u.updateDir, u.workDir, err)
+		return fmt.Errorf("copySupportingFiles(%s, %s) failed: %w", u.updateDir, u.workDir, err)
 	}

 	log.Debug("updater: renaming: %s to %s", u.currentExeName, u.backupExeName)
@ -315,7 +315,7 @@ func (u *Updater) clean() {
 // MaxPackageFileSize is a maximum package file length in bytes. The largest
 // package whose size is limited by this constant currently has the size of
 // approximately 9 MiB.
-const MaxPackageFileSize = 32 * 1024 * 1024
+const MaxPackageFileSize = 32 * 10 * 1024

 // Download package file and save it to disk
 func (u *Updater) downloadPackageFile() (err error) {
--- a/scripts/make/build-release.sh
+++ b/scripts/make/build-release.sh
@ -390,6 +390,16 @@ echo "{
  \"selfupdate_min_version\": \"0.0\",
 " >> "$version_json"

+# Add the MIPS* object keys without the "softfloat" part to mitigate the
+# consequences of #5373.
+#
+# TODO(a.garipov): Remove this around fall 2023.
+echo "
+  \"download_linux_mips64\": \"${version_download_url}/AdGuardHome_linux_mips64_softfloat.tar.gz\",
+  \"download_linux_mips64le\": \"${version_download_url}/AdGuardHome_linux_mips64le_softfloat.tar.gz\",
+  \"download_linux_mipsle\": \"${version_download_url}/AdGuardHome_linux_mipsle_softfloat.tar.gz\",
+" >> "$version_json"
+
 # Same as with checksums above, don't use ls, because files matching one of the
 # patterns may be absent.
 ar_files="$( find "./${dist}/" ! -name "${dist}" -prune \( -name '*.tar.gz' -o -name '*.zip' \) )"