diff --git a/CHANGELOG.md b/CHANGELOG.md index d93aaefa..36d7ed90 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -23,15 +23,6 @@ See also the [v0.107.26 GitHub milestone][ms-v0.107.26]. NOTE: Add new changes BELOW THIS COMMENT. --> -### Added - -- Two new HTTP APIs, `PUT /control/stats/config/update` and `GET - control/stats/config`, which can be used to set and receive the query log - configuration. See openapi/openapi.yaml for the full description. -- Two new HTTP APIs, `PUT /control/querylog/config/update` and `GET - control/querylog/config`, which can be used to set and receive the statistics - configuration. See openapi/openapi.yaml for the full description. - ### Changed #### Configuration Changes @@ -78,14 +69,30 @@ In this release, the schema version has changed from 16 to 17. - The `POST /control/querylog_config` HTTP API; use the new `PUT /control/querylog/config/update` API instead. +### Added + +- Two new HTTP APIs, `PUT /control/stats/config/update` and `GET + control/stats/config`, which can be used to set and receive the query log + configuration. See openapi/openapi.yaml for the full description. +- Two new HTTP APIs, `PUT /control/querylog/config/update` and `GET + control/querylog/config`, which can be used to set and receive the statistics + configuration. See openapi/openapi.yaml for the full description. +- The ability to use `dnstype` rules in the disallowed domains list ([#5468]). + This allows dropping requests based on their question types. + ### Fixed +- Automatic update on MIPS64 and little-endian 32-bit MIPS architectures + ([#5270], [#5373]). - Requirements to domain names in domain-specific upstream configurations have been relaxed to meet those from [RFC 3696][rfc3696] ([#4884]). - Failing service installation via script on FreeBSD ([#5431]). [#4884]: https://github.com/AdguardTeam/AdGuardHome/issues/4884 +[#5270]: https://github.com/AdguardTeam/AdGuardHome/issues/5270 +[#5373]: https://github.com/AdguardTeam/AdGuardHome/issues/5373 [#5431]: https://github.com/AdguardTeam/AdGuardHome/issues/5431 +[#5468]: https://github.com/AdguardTeam/AdGuardHome/issues/5468 [rfc3696]: https://datatracker.ietf.org/doc/html/rfc3696 diff --git a/internal/dnsforward/access.go b/internal/dnsforward/access.go index 6d45a6d5..12f5f3c7 100644 --- a/internal/dnsforward/access.go +++ b/internal/dnsforward/access.go @@ -13,6 +13,7 @@ import ( "github.com/AdguardTeam/golibs/stringutil" "github.com/AdguardTeam/urlfilter" "github.com/AdguardTeam/urlfilter/filterlist" + "github.com/AdguardTeam/urlfilter/rules" ) // unit is a convenient alias for struct{} @@ -127,8 +128,12 @@ func (a *accessManager) isBlockedClientID(id string) (ok bool) { } // isBlockedHost returns true if host should be blocked. -func (a *accessManager) isBlockedHost(host string) (ok bool) { - _, ok = a.blockedHostsEng.Match(strings.ToLower(host)) +func (a *accessManager) isBlockedHost(host string, qt rules.RRType) (ok bool) { + _, ok = a.blockedHostsEng.MatchRequest(&urlfilter.DNSRequest{ + Hostname: host, + ClientIP: "0.0.0.0", + DNSType: qt, + }) return ok } diff --git a/internal/dnsforward/access_test.go b/internal/dnsforward/access_test.go index 7889cdad..d5d7da26 100644 --- a/internal/dnsforward/access_test.go +++ b/internal/dnsforward/access_test.go @@ -4,6 +4,8 @@ import ( "net/netip" "testing" + "github.com/AdguardTeam/urlfilter/rules" + "github.com/miekg/dns" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) @@ -28,54 +30,75 @@ func TestIsBlockedHost(t *testing.T) { "host1", "*.host.com", "||host3.com^", + "||*^$dnstype=HTTPS", }) require.NoError(t, err) testCases := []struct { + want assert.BoolAssertionFunc name string host string - want bool + qt rules.RRType }{{ + want: assert.True, name: "plain_match", host: "host1", - want: true, + qt: dns.TypeA, }, { + want: assert.False, name: "plain_mismatch", host: "host2", - want: false, + qt: dns.TypeA, }, { + want: assert.True, name: "subdomain_match_short", host: "asdf.host.com", - want: true, + qt: dns.TypeA, }, { + want: assert.True, name: "subdomain_match_long", host: "qwer.asdf.host.com", - want: true, + qt: dns.TypeA, }, { + want: assert.False, name: "subdomain_mismatch_no_lead", host: "host.com", - want: false, + qt: dns.TypeA, }, { + want: assert.False, name: "subdomain_mismatch_bad_asterisk", host: "asdf.zhost.com", - want: false, + qt: dns.TypeA, }, { + want: assert.True, name: "rule_match_simple", host: "host3.com", - want: true, + qt: dns.TypeA, }, { + want: assert.True, name: "rule_match_complex", host: "asdf.host3.com", - want: true, + qt: dns.TypeA, }, { + want: assert.False, name: "rule_mismatch", host: ".host3.com", - want: false, + qt: dns.TypeA, + }, { + want: assert.True, + name: "by_qtype", + host: "site-with-https-record.example", + qt: dns.TypeHTTPS, + }, { + want: assert.False, + name: "by_qtype_other", + host: "site-with-https-record.example", + qt: dns.TypeA, }} for _, tc := range testCases { t.Run(tc.name, func(t *testing.T) { - assert.Equal(t, tc.want, a.isBlockedHost(tc.host)) + tc.want(t, a.isBlockedHost(tc.host, tc.qt)) }) } } @@ -93,29 +116,29 @@ func TestIsBlockedIP(t *testing.T) { require.NoError(t, err) testCases := []struct { + ip netip.Addr name string wantRule string - ip netip.Addr wantBlocked bool }{{ + ip: netip.MustParseAddr("1.2.3.4"), name: "match_ip", wantRule: "1.2.3.4", - ip: netip.MustParseAddr("1.2.3.4"), wantBlocked: true, }, { + ip: netip.MustParseAddr("5.6.7.100"), name: "match_cidr", wantRule: "5.6.7.8/24", - ip: netip.MustParseAddr("5.6.7.100"), wantBlocked: true, }, { + ip: netip.MustParseAddr("9.2.3.4"), name: "no_match_ip", wantRule: "", - ip: netip.MustParseAddr("9.2.3.4"), wantBlocked: false, }, { + ip: netip.MustParseAddr("9.6.7.100"), name: "no_match_cidr", wantRule: "", - ip: netip.MustParseAddr("9.6.7.100"), wantBlocked: false, }} diff --git a/internal/dnsforward/filter.go b/internal/dnsforward/filter.go index f36fd52a..6ee4e0f3 100644 --- a/internal/dnsforward/filter.go +++ b/internal/dnsforward/filter.go @@ -31,9 +31,11 @@ func (s *Server) beforeRequestHandler( } if len(pctx.Req.Question) == 1 { - host := strings.TrimSuffix(pctx.Req.Question[0].Name, ".") - if s.access.isBlockedHost(host) { - log.Debug("host %s is in access blocklist", host) + q := pctx.Req.Question[0] + qt := q.Qtype + host := strings.TrimSuffix(q.Name, ".") + if s.access.isBlockedHost(host, qt) { + log.Debug("request %s %s is in access blocklist", dns.Type(qt), host) return s.preBlockedResponse(pctx) } diff --git a/internal/home/controlupdate.go b/internal/home/controlupdate.go index 5718bfaa..1cea1d14 100644 --- a/internal/home/controlupdate.go +++ b/internal/home/controlupdate.go @@ -98,7 +98,7 @@ func requestVersionInfo(resp *versionResponse, recheck bool) (err error) { if err != nil { vcu := Context.updater.VersionCheckURL() - return fmt.Errorf("getting version info from %s: %s", vcu, err) + return fmt.Errorf("getting version info from %s: %w", vcu, err) } return nil diff --git a/internal/updater/check.go b/internal/updater/check.go index 5de7ecfc..a72e58ee 100644 --- a/internal/updater/check.go +++ b/internal/updater/check.go @@ -10,6 +10,9 @@ import ( "github.com/AdguardTeam/AdGuardHome/internal/aghalg" "github.com/AdguardTeam/AdGuardHome/internal/aghio" "github.com/AdguardTeam/golibs/errors" + "github.com/AdguardTeam/golibs/log" + "golang.org/x/exp/maps" + "golang.org/x/exp/slices" ) // TODO(a.garipov): Make configurable. @@ -81,9 +84,9 @@ func (u *Updater) parseVersionResponse(data []byte) (VersionInfo, error) { return info, fmt.Errorf("version.json: %w", err) } - for _, v := range versionJSON { + for k, v := range versionJSON { if v == "" { - return info, fmt.Errorf("version.json: invalid data") + return info, fmt.Errorf("version.json: bad data: value for key %q is empty", k) } } @@ -91,9 +94,9 @@ func (u *Updater) parseVersionResponse(data []byte) (VersionInfo, error) { info.Announcement = versionJSON["announcement"] info.AnnouncementURL = versionJSON["announcement_url"] - packageURL, ok := u.downloadURL(versionJSON) - if !ok { - return info, fmt.Errorf("version.json: packageURL not found") + packageURL, key, found := u.downloadURL(versionJSON) + if !found { + return info, fmt.Errorf("version.json: no package URL: key %q not found in object", key) } info.CanAutoUpdate = aghalg.BoolToNullBool(info.NewVersion != u.version) @@ -104,25 +107,40 @@ func (u *Updater) parseVersionResponse(data []byte) (VersionInfo, error) { return info, nil } -// downloadURL returns the download URL for current build. -func (u *Updater) downloadURL(json map[string]string) (string, bool) { - var key string - +// downloadURL returns the download URL for current build as well as its key in +// versionObj. If the key is not found, it additionally prints an informative +// log message. +func (u *Updater) downloadURL(versionObj map[string]string) (dlURL, key string, ok bool) { if u.goarch == "arm" && u.goarm != "" { key = fmt.Sprintf("download_%s_%sv%s", u.goos, u.goarch, u.goarm) - } else if u.goarch == "mips" && u.gomips != "" { + } else if isMIPS(u.goarch) && u.gomips != "" { key = fmt.Sprintf("download_%s_%s_%s", u.goos, u.goarch, u.gomips) - } - - val, ok := json[key] - if !ok { + } else { key = fmt.Sprintf("download_%s_%s", u.goos, u.goarch) - val, ok = json[key] } - if !ok { - return "", false + dlURL, ok = versionObj[key] + if ok { + return dlURL, key, true } - return val, true + keys := maps.Keys(versionObj) + slices.Sort(keys) + log.Error("updater: key %q not found; got keys %q", key, keys) + + return "", key, false +} + +// isMIPS returns true if arch is any MIPS architecture. +func isMIPS(arch string) (ok bool) { + switch arch { + case + "mips", + "mips64", + "mips64le", + "mipsle": + return true + default: + return false + } } diff --git a/internal/updater/updater.go b/internal/updater/updater.go index f042ab3c..1fdd858e 100644 --- a/internal/updater/updater.go +++ b/internal/updater/updater.go @@ -272,7 +272,7 @@ func (u *Updater) backup(firstRun bool) (err error) { wd := u.workDir err = copySupportingFiles(u.unpackedFiles, wd, u.backupDir) if err != nil { - return fmt.Errorf("copySupportingFiles(%s, %s) failed: %s", wd, u.backupDir, err) + return fmt.Errorf("copySupportingFiles(%s, %s) failed: %w", wd, u.backupDir, err) } return nil @@ -283,7 +283,7 @@ func (u *Updater) backup(firstRun bool) (err error) { func (u *Updater) replace() error { err := copySupportingFiles(u.unpackedFiles, u.updateDir, u.workDir) if err != nil { - return fmt.Errorf("copySupportingFiles(%s, %s) failed: %s", u.updateDir, u.workDir, err) + return fmt.Errorf("copySupportingFiles(%s, %s) failed: %w", u.updateDir, u.workDir, err) } log.Debug("updater: renaming: %s to %s", u.currentExeName, u.backupExeName) @@ -315,7 +315,7 @@ func (u *Updater) clean() { // MaxPackageFileSize is a maximum package file length in bytes. The largest // package whose size is limited by this constant currently has the size of // approximately 9 MiB. -const MaxPackageFileSize = 32 * 1024 * 1024 +const MaxPackageFileSize = 32 * 10 * 1024 // Download package file and save it to disk func (u *Updater) downloadPackageFile() (err error) { diff --git a/scripts/make/build-release.sh b/scripts/make/build-release.sh index 6194d87b..2884f568 100644 --- a/scripts/make/build-release.sh +++ b/scripts/make/build-release.sh @@ -390,6 +390,16 @@ echo "{ \"selfupdate_min_version\": \"0.0\", " >> "$version_json" +# Add the MIPS* object keys without the "softfloat" part to mitigate the +# consequences of #5373. +# +# TODO(a.garipov): Remove this around fall 2023. +echo " + \"download_linux_mips64\": \"${version_download_url}/AdGuardHome_linux_mips64_softfloat.tar.gz\", + \"download_linux_mips64le\": \"${version_download_url}/AdGuardHome_linux_mips64le_softfloat.tar.gz\", + \"download_linux_mipsle\": \"${version_download_url}/AdGuardHome_linux_mipsle_softfloat.tar.gz\", +" >> "$version_json" + # Same as with checksums above, don't use ls, because files matching one of the # patterns may be absent. ar_files="$( find "./${dist}/" ! -name "${dist}" -prune \( -name '*.tar.gz' -o -name '*.zip' \) )"