588 lines
15 KiB
Go
588 lines
15 KiB
Go
package filtering
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
"net/http"
|
|
"net/netip"
|
|
"net/url"
|
|
"os"
|
|
"path/filepath"
|
|
"slices"
|
|
"sync"
|
|
"time"
|
|
|
|
"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
|
|
"github.com/AdguardTeam/AdGuardHome/internal/filtering/rulelist"
|
|
"github.com/AdguardTeam/golibs/errors"
|
|
"github.com/AdguardTeam/golibs/log"
|
|
"github.com/miekg/dns"
|
|
)
|
|
|
|
// validateFilterURL validates the filter list URL or file name.
|
|
func validateFilterURL(urlStr string) (err error) {
|
|
defer func() { err = errors.Annotate(err, "checking filter: %w") }()
|
|
|
|
if filepath.IsAbs(urlStr) {
|
|
_, err = os.Stat(urlStr)
|
|
|
|
// Don't wrap the error since it's informative enough as is.
|
|
return err
|
|
}
|
|
|
|
u, err := url.ParseRequestURI(urlStr)
|
|
if err != nil {
|
|
// Don't wrap the error since it's informative enough as is.
|
|
return err
|
|
}
|
|
|
|
if s := u.Scheme; s != aghhttp.SchemeHTTP && s != aghhttp.SchemeHTTPS {
|
|
return &url.Error{
|
|
Op: "Check scheme",
|
|
URL: urlStr,
|
|
Err: fmt.Errorf("only %v allowed", []string{
|
|
aghhttp.SchemeHTTP,
|
|
aghhttp.SchemeHTTPS,
|
|
}),
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
type filterAddJSON struct {
|
|
Name string `json:"name"`
|
|
URL string `json:"url"`
|
|
Whitelist bool `json:"whitelist"`
|
|
}
|
|
|
|
func (d *DNSFilter) handleFilteringAddURL(w http.ResponseWriter, r *http.Request) {
|
|
fj := filterAddJSON{}
|
|
err := json.NewDecoder(r.Body).Decode(&fj)
|
|
if err != nil {
|
|
aghhttp.Error(r, w, http.StatusBadRequest, "Failed to parse request body json: %s", err)
|
|
|
|
return
|
|
}
|
|
|
|
err = validateFilterURL(fj.URL)
|
|
if err != nil {
|
|
aghhttp.Error(r, w, http.StatusBadRequest, "%s", err)
|
|
|
|
return
|
|
}
|
|
|
|
// Check for duplicates
|
|
if d.filterExists(fj.URL) {
|
|
err = errFilterExists
|
|
aghhttp.Error(r, w, http.StatusBadRequest, "Filter with URL %q: %s", fj.URL, err)
|
|
|
|
return
|
|
}
|
|
|
|
// Set necessary properties
|
|
filt := FilterYAML{
|
|
Enabled: true,
|
|
URL: fj.URL,
|
|
Name: fj.Name,
|
|
white: fj.Whitelist,
|
|
Filter: Filter{
|
|
ID: d.idGen.next(),
|
|
},
|
|
}
|
|
|
|
// Download the filter contents
|
|
ok, err := d.update(&filt)
|
|
if err != nil {
|
|
aghhttp.Error(
|
|
r,
|
|
w,
|
|
http.StatusBadRequest,
|
|
"Couldn't fetch filter from URL %q: %s",
|
|
filt.URL,
|
|
err,
|
|
)
|
|
|
|
return
|
|
}
|
|
|
|
if !ok {
|
|
aghhttp.Error(
|
|
r,
|
|
w,
|
|
http.StatusBadRequest,
|
|
"Filter with URL %q is invalid (maybe it points to blank page?)",
|
|
filt.URL,
|
|
)
|
|
|
|
return
|
|
}
|
|
|
|
// URL is assumed valid so append it to filters, update config, write new
|
|
// file and reload it to engines.
|
|
err = d.filterAdd(filt)
|
|
if err != nil {
|
|
aghhttp.Error(r, w, http.StatusBadRequest, "Filter with URL %q: %s", filt.URL, err)
|
|
|
|
return
|
|
}
|
|
|
|
d.conf.ConfigModified()
|
|
d.EnableFilters(true)
|
|
|
|
_, err = fmt.Fprintf(w, "OK %d rules\n", filt.RulesCount)
|
|
if err != nil {
|
|
aghhttp.Error(r, w, http.StatusInternalServerError, "Couldn't write body: %s", err)
|
|
}
|
|
}
|
|
|
|
func (d *DNSFilter) handleFilteringRemoveURL(w http.ResponseWriter, r *http.Request) {
|
|
type request struct {
|
|
URL string `json:"url"`
|
|
Whitelist bool `json:"whitelist"`
|
|
}
|
|
|
|
req := request{}
|
|
err := json.NewDecoder(r.Body).Decode(&req)
|
|
if err != nil {
|
|
aghhttp.Error(r, w, http.StatusBadRequest, "failed to parse request body json: %s", err)
|
|
|
|
return
|
|
}
|
|
|
|
var deleted FilterYAML
|
|
func() {
|
|
d.conf.filtersMu.Lock()
|
|
defer d.conf.filtersMu.Unlock()
|
|
|
|
filters := &d.conf.Filters
|
|
if req.Whitelist {
|
|
filters = &d.conf.WhitelistFilters
|
|
}
|
|
|
|
delIdx := slices.IndexFunc(*filters, func(flt FilterYAML) bool {
|
|
return flt.URL == req.URL
|
|
})
|
|
if delIdx == -1 {
|
|
log.Error("deleting filter with url %q: %s", req.URL, errFilterNotExist)
|
|
|
|
return
|
|
}
|
|
|
|
deleted = (*filters)[delIdx]
|
|
p := deleted.Path(d.conf.DataDir)
|
|
err = os.Rename(p, p+".old")
|
|
if err != nil && !errors.Is(err, os.ErrNotExist) {
|
|
log.Error("deleting filter %d: renaming file %q: %s", deleted.ID, p, err)
|
|
|
|
return
|
|
}
|
|
|
|
*filters = slices.Delete(*filters, delIdx, delIdx+1)
|
|
|
|
log.Info("deleted filter %d", deleted.ID)
|
|
}()
|
|
|
|
d.conf.ConfigModified()
|
|
d.EnableFilters(true)
|
|
|
|
// NOTE: The old files "filter.txt.old" aren't deleted. It's not really
|
|
// necessary, but will require the additional complicated code to run
|
|
// after enableFilters is done.
|
|
//
|
|
// TODO(a.garipov): Make sure the above comment is true.
|
|
|
|
_, err = fmt.Fprintf(w, "OK %d rules\n", deleted.RulesCount)
|
|
if err != nil {
|
|
aghhttp.Error(r, w, http.StatusInternalServerError, "couldn't write body: %s", err)
|
|
}
|
|
}
|
|
|
|
type filterURLReqData struct {
|
|
Name string `json:"name"`
|
|
URL string `json:"url"`
|
|
Enabled bool `json:"enabled"`
|
|
}
|
|
|
|
type filterURLReq struct {
|
|
Data *filterURLReqData `json:"data"`
|
|
URL string `json:"url"`
|
|
Whitelist bool `json:"whitelist"`
|
|
}
|
|
|
|
func (d *DNSFilter) handleFilteringSetURL(w http.ResponseWriter, r *http.Request) {
|
|
fj := filterURLReq{}
|
|
err := json.NewDecoder(r.Body).Decode(&fj)
|
|
if err != nil {
|
|
aghhttp.Error(r, w, http.StatusBadRequest, "decoding request: %s", err)
|
|
|
|
return
|
|
}
|
|
|
|
if fj.Data == nil {
|
|
aghhttp.Error(r, w, http.StatusBadRequest, "%s", errors.Error("data is absent"))
|
|
|
|
return
|
|
}
|
|
|
|
err = validateFilterURL(fj.Data.URL)
|
|
if err != nil {
|
|
aghhttp.Error(r, w, http.StatusBadRequest, "invalid url: %s", err)
|
|
|
|
return
|
|
}
|
|
|
|
filt := FilterYAML{
|
|
Enabled: fj.Data.Enabled,
|
|
Name: fj.Data.Name,
|
|
URL: fj.Data.URL,
|
|
}
|
|
|
|
restart, err := d.filterSetProperties(fj.URL, filt, fj.Whitelist)
|
|
if err != nil {
|
|
aghhttp.Error(r, w, http.StatusBadRequest, err.Error())
|
|
|
|
return
|
|
}
|
|
|
|
d.conf.ConfigModified()
|
|
if restart {
|
|
d.EnableFilters(true)
|
|
}
|
|
}
|
|
|
|
// filteringRulesReq is the JSON structure for settings custom filtering rules.
|
|
type filteringRulesReq struct {
|
|
Rules []string `json:"rules"`
|
|
}
|
|
|
|
func (d *DNSFilter) handleFilteringSetRules(w http.ResponseWriter, r *http.Request) {
|
|
if aghhttp.WriteTextPlainDeprecated(w, r) {
|
|
return
|
|
}
|
|
|
|
req := &filteringRulesReq{}
|
|
err := json.NewDecoder(r.Body).Decode(req)
|
|
if err != nil {
|
|
aghhttp.Error(r, w, http.StatusBadRequest, "reading req: %s", err)
|
|
|
|
return
|
|
}
|
|
|
|
d.conf.UserRules = req.Rules
|
|
d.conf.ConfigModified()
|
|
d.EnableFilters(true)
|
|
}
|
|
|
|
func (d *DNSFilter) handleFilteringRefresh(w http.ResponseWriter, r *http.Request) {
|
|
type Req struct {
|
|
White bool `json:"whitelist"`
|
|
}
|
|
var err error
|
|
|
|
req := Req{}
|
|
err = json.NewDecoder(r.Body).Decode(&req)
|
|
if err != nil {
|
|
aghhttp.Error(r, w, http.StatusBadRequest, "json decode: %s", err)
|
|
|
|
return
|
|
}
|
|
|
|
var ok bool
|
|
resp := struct {
|
|
Updated int `json:"updated"`
|
|
}{}
|
|
resp.Updated, _, ok = d.tryRefreshFilters(!req.White, req.White, true)
|
|
if !ok {
|
|
aghhttp.Error(
|
|
r,
|
|
w,
|
|
http.StatusInternalServerError,
|
|
"filters update procedure is already running",
|
|
)
|
|
|
|
return
|
|
}
|
|
|
|
aghhttp.WriteJSONResponseOK(w, r, resp)
|
|
}
|
|
|
|
type filterJSON struct {
|
|
URL string `json:"url"`
|
|
Name string `json:"name"`
|
|
LastUpdated string `json:"last_updated,omitempty"`
|
|
ID rulelist.URLFilterID `json:"id"`
|
|
RulesCount uint32 `json:"rules_count"`
|
|
Enabled bool `json:"enabled"`
|
|
}
|
|
|
|
type filteringConfig struct {
|
|
Filters []filterJSON `json:"filters"`
|
|
WhitelistFilters []filterJSON `json:"whitelist_filters"`
|
|
UserRules []string `json:"user_rules"`
|
|
Interval uint32 `json:"interval"` // in hours
|
|
Enabled bool `json:"enabled"`
|
|
}
|
|
|
|
func filterToJSON(f FilterYAML) filterJSON {
|
|
fj := filterJSON{
|
|
ID: f.ID,
|
|
Enabled: f.Enabled,
|
|
URL: f.URL,
|
|
Name: f.Name,
|
|
RulesCount: uint32(f.RulesCount),
|
|
}
|
|
|
|
if !f.LastUpdated.IsZero() {
|
|
fj.LastUpdated = f.LastUpdated.Format(time.RFC3339)
|
|
}
|
|
|
|
return fj
|
|
}
|
|
|
|
// Get filtering configuration
|
|
func (d *DNSFilter) handleFilteringStatus(w http.ResponseWriter, r *http.Request) {
|
|
resp := filteringConfig{}
|
|
d.conf.filtersMu.RLock()
|
|
resp.Enabled = d.conf.FilteringEnabled
|
|
resp.Interval = d.conf.FiltersUpdateIntervalHours
|
|
for _, f := range d.conf.Filters {
|
|
fj := filterToJSON(f)
|
|
resp.Filters = append(resp.Filters, fj)
|
|
}
|
|
for _, f := range d.conf.WhitelistFilters {
|
|
fj := filterToJSON(f)
|
|
resp.WhitelistFilters = append(resp.WhitelistFilters, fj)
|
|
}
|
|
resp.UserRules = d.conf.UserRules
|
|
d.conf.filtersMu.RUnlock()
|
|
|
|
aghhttp.WriteJSONResponseOK(w, r, resp)
|
|
}
|
|
|
|
// Set filtering configuration
|
|
func (d *DNSFilter) handleFilteringConfig(w http.ResponseWriter, r *http.Request) {
|
|
req := filteringConfig{}
|
|
err := json.NewDecoder(r.Body).Decode(&req)
|
|
if err != nil {
|
|
aghhttp.Error(r, w, http.StatusBadRequest, "json decode: %s", err)
|
|
|
|
return
|
|
}
|
|
|
|
if !ValidateUpdateIvl(req.Interval) {
|
|
aghhttp.Error(r, w, http.StatusBadRequest, "Unsupported interval")
|
|
|
|
return
|
|
}
|
|
|
|
func() {
|
|
d.conf.filtersMu.Lock()
|
|
defer d.conf.filtersMu.Unlock()
|
|
|
|
d.conf.FilteringEnabled = req.Enabled
|
|
d.conf.FiltersUpdateIntervalHours = req.Interval
|
|
}()
|
|
|
|
d.conf.ConfigModified()
|
|
d.EnableFilters(true)
|
|
}
|
|
|
|
type checkHostRespRule struct {
|
|
Text string `json:"text"`
|
|
FilterListID rulelist.URLFilterID `json:"filter_list_id"`
|
|
}
|
|
|
|
type checkHostResp struct {
|
|
Reason string `json:"reason"`
|
|
|
|
// Rule is the text of the matched rule.
|
|
//
|
|
// Deprecated: Use Rules[*].Text.
|
|
Rule string `json:"rule"`
|
|
|
|
Rules []*checkHostRespRule `json:"rules"`
|
|
|
|
// for FilteredBlockedService:
|
|
SvcName string `json:"service_name"`
|
|
|
|
// for Rewrite:
|
|
CanonName string `json:"cname"` // CNAME value
|
|
IPList []netip.Addr `json:"ip_addrs"` // list of IP addresses
|
|
|
|
// FilterID is the ID of the rule's filter list.
|
|
//
|
|
// Deprecated: Use Rules[*].FilterListID.
|
|
FilterID rulelist.URLFilterID `json:"filter_id"`
|
|
}
|
|
|
|
func (d *DNSFilter) handleCheckHost(w http.ResponseWriter, r *http.Request) {
|
|
host := r.URL.Query().Get("name")
|
|
|
|
setts := d.Settings()
|
|
setts.FilteringEnabled = true
|
|
setts.ProtectionEnabled = true
|
|
|
|
d.ApplyBlockedServices(setts)
|
|
result, err := d.CheckHost(host, dns.TypeA, setts)
|
|
if err != nil {
|
|
aghhttp.Error(
|
|
r,
|
|
w,
|
|
http.StatusInternalServerError,
|
|
"couldn't apply filtering: %s: %s",
|
|
host,
|
|
err,
|
|
)
|
|
|
|
return
|
|
}
|
|
|
|
rulesLen := len(result.Rules)
|
|
resp := checkHostResp{
|
|
Reason: result.Reason.String(),
|
|
SvcName: result.ServiceName,
|
|
CanonName: result.CanonName,
|
|
IPList: result.IPList,
|
|
Rules: make([]*checkHostRespRule, len(result.Rules)),
|
|
}
|
|
|
|
if rulesLen > 0 {
|
|
resp.FilterID = result.Rules[0].FilterListID
|
|
resp.Rule = result.Rules[0].Text
|
|
}
|
|
|
|
for i, r := range result.Rules {
|
|
resp.Rules[i] = &checkHostRespRule{
|
|
FilterListID: r.FilterListID,
|
|
Text: r.Text,
|
|
}
|
|
}
|
|
|
|
aghhttp.WriteJSONResponseOK(w, r, resp)
|
|
}
|
|
|
|
// setProtectedBool sets the value of a boolean pointer under a lock. l must
|
|
// protect the value under ptr.
|
|
//
|
|
// TODO(e.burkov): Make it generic?
|
|
func setProtectedBool(mu *sync.RWMutex, ptr *bool, val bool) {
|
|
mu.Lock()
|
|
defer mu.Unlock()
|
|
|
|
*ptr = val
|
|
}
|
|
|
|
// protectedBool gets the value of a boolean pointer under a read lock. l must
|
|
// protect the value under ptr.
|
|
//
|
|
// TODO(e.burkov): Make it generic?
|
|
func protectedBool(mu *sync.RWMutex, ptr *bool) (val bool) {
|
|
mu.RLock()
|
|
defer mu.RUnlock()
|
|
|
|
return *ptr
|
|
}
|
|
|
|
// handleSafeBrowsingEnable is the handler for the POST
|
|
// /control/safebrowsing/enable HTTP API.
|
|
func (d *DNSFilter) handleSafeBrowsingEnable(w http.ResponseWriter, r *http.Request) {
|
|
setProtectedBool(d.confMu, &d.conf.SafeBrowsingEnabled, true)
|
|
d.conf.ConfigModified()
|
|
}
|
|
|
|
// handleSafeBrowsingDisable is the handler for the POST
|
|
// /control/safebrowsing/disable HTTP API.
|
|
func (d *DNSFilter) handleSafeBrowsingDisable(w http.ResponseWriter, r *http.Request) {
|
|
setProtectedBool(d.confMu, &d.conf.SafeBrowsingEnabled, false)
|
|
d.conf.ConfigModified()
|
|
}
|
|
|
|
// handleSafeBrowsingStatus is the handler for the GET
|
|
// /control/safebrowsing/status HTTP API.
|
|
func (d *DNSFilter) handleSafeBrowsingStatus(w http.ResponseWriter, r *http.Request) {
|
|
resp := &struct {
|
|
Enabled bool `json:"enabled"`
|
|
}{
|
|
Enabled: protectedBool(d.confMu, &d.conf.SafeBrowsingEnabled),
|
|
}
|
|
|
|
aghhttp.WriteJSONResponseOK(w, r, resp)
|
|
}
|
|
|
|
// handleParentalEnable is the handler for the POST /control/parental/enable
|
|
// HTTP API.
|
|
func (d *DNSFilter) handleParentalEnable(w http.ResponseWriter, r *http.Request) {
|
|
setProtectedBool(d.confMu, &d.conf.ParentalEnabled, true)
|
|
d.conf.ConfigModified()
|
|
}
|
|
|
|
// handleParentalDisable is the handler for the POST /control/parental/disable
|
|
// HTTP API.
|
|
func (d *DNSFilter) handleParentalDisable(w http.ResponseWriter, r *http.Request) {
|
|
setProtectedBool(d.confMu, &d.conf.ParentalEnabled, false)
|
|
d.conf.ConfigModified()
|
|
}
|
|
|
|
// handleParentalStatus is the handler for the GET /control/parental/status
|
|
// HTTP API.
|
|
func (d *DNSFilter) handleParentalStatus(w http.ResponseWriter, r *http.Request) {
|
|
resp := &struct {
|
|
Enabled bool `json:"enabled"`
|
|
}{
|
|
Enabled: protectedBool(d.confMu, &d.conf.ParentalEnabled),
|
|
}
|
|
|
|
aghhttp.WriteJSONResponseOK(w, r, resp)
|
|
}
|
|
|
|
// RegisterFilteringHandlers - register handlers
|
|
func (d *DNSFilter) RegisterFilteringHandlers() {
|
|
registerHTTP := d.conf.HTTPRegister
|
|
if registerHTTP == nil {
|
|
return
|
|
}
|
|
|
|
registerHTTP(http.MethodPost, "/control/safebrowsing/enable", d.handleSafeBrowsingEnable)
|
|
registerHTTP(http.MethodPost, "/control/safebrowsing/disable", d.handleSafeBrowsingDisable)
|
|
registerHTTP(http.MethodGet, "/control/safebrowsing/status", d.handleSafeBrowsingStatus)
|
|
|
|
registerHTTP(http.MethodPost, "/control/parental/enable", d.handleParentalEnable)
|
|
registerHTTP(http.MethodPost, "/control/parental/disable", d.handleParentalDisable)
|
|
registerHTTP(http.MethodGet, "/control/parental/status", d.handleParentalStatus)
|
|
|
|
registerHTTP(http.MethodPost, "/control/safesearch/enable", d.handleSafeSearchEnable)
|
|
registerHTTP(http.MethodPost, "/control/safesearch/disable", d.handleSafeSearchDisable)
|
|
registerHTTP(http.MethodGet, "/control/safesearch/status", d.handleSafeSearchStatus)
|
|
registerHTTP(http.MethodPut, "/control/safesearch/settings", d.handleSafeSearchSettings)
|
|
|
|
registerHTTP(http.MethodGet, "/control/rewrite/list", d.handleRewriteList)
|
|
registerHTTP(http.MethodPost, "/control/rewrite/add", d.handleRewriteAdd)
|
|
registerHTTP(http.MethodPut, "/control/rewrite/update", d.handleRewriteUpdate)
|
|
registerHTTP(http.MethodPost, "/control/rewrite/delete", d.handleRewriteDelete)
|
|
|
|
registerHTTP(http.MethodGet, "/control/blocked_services/services", d.handleBlockedServicesIDs)
|
|
registerHTTP(http.MethodGet, "/control/blocked_services/all", d.handleBlockedServicesAll)
|
|
|
|
// Deprecated handlers.
|
|
registerHTTP(http.MethodGet, "/control/blocked_services/list", d.handleBlockedServicesList)
|
|
registerHTTP(http.MethodPost, "/control/blocked_services/set", d.handleBlockedServicesSet)
|
|
|
|
registerHTTP(http.MethodGet, "/control/blocked_services/get", d.handleBlockedServicesGet)
|
|
registerHTTP(http.MethodPut, "/control/blocked_services/update", d.handleBlockedServicesUpdate)
|
|
|
|
registerHTTP(http.MethodGet, "/control/filtering/status", d.handleFilteringStatus)
|
|
registerHTTP(http.MethodPost, "/control/filtering/config", d.handleFilteringConfig)
|
|
registerHTTP(http.MethodPost, "/control/filtering/add_url", d.handleFilteringAddURL)
|
|
registerHTTP(http.MethodPost, "/control/filtering/remove_url", d.handleFilteringRemoveURL)
|
|
registerHTTP(http.MethodPost, "/control/filtering/set_url", d.handleFilteringSetURL)
|
|
registerHTTP(http.MethodPost, "/control/filtering/refresh", d.handleFilteringRefresh)
|
|
registerHTTP(http.MethodPost, "/control/filtering/set_rules", d.handleFilteringSetRules)
|
|
registerHTTP(http.MethodGet, "/control/filtering/check_host", d.handleCheckHost)
|
|
}
|
|
|
|
// ValidateUpdateIvl returns false if i is not a valid filters update interval.
|
|
func ValidateUpdateIvl(i uint32) bool {
|
|
return i == 0 || i == 1 || i == 12 || i == 1*24 || i == 3*24 || i == 7*24
|
|
}
|