Handle block_session command

deflect-ca · Nov 27, 2023 · 558b009 · 558b009
1 parent 33263ff
commit 558b009
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 7 deletions.
diff --git a/banjax-config.yaml b/banjax-config.yaml
@@ -100,7 +100,7 @@ hmac_secret: secret
 gin_log_file: /var/log/banjax/gin.log
 metrics_log_file: /var/log/banjax/metrics.log
 debug: true
-disable_kafka: false
+disable_kafka: true
 # sha_inv_challenge_html: /etc/banjax/sha-inverse-challenge.html
 # password_protected_path_html: /etc/banjax/password-protected-path.html
 disable_logging:

diff --git a/internal/config.go b/internal/config.go
@@ -457,7 +457,7 @@ func updateExpiringDecisionListsSessionId(
 	}
 
 	if config.Debug {
-		log.Printf("Update session id challenge with IP %s, session id %s, existing and new: %v, %v\n",
+		log.Printf("Update session id decision with IP %s, session id %s, existing and new: %v, %v\n",
 			ip, sessionId, existingExpiringDecision.Decision, newDecision)
 	}
 	expires := now.Add(time.Duration(config.ExpiringDecisionTtlSeconds) * time.Second)

diff --git a/internal/kafka.go b/internal/kafka.go
@@ -166,8 +166,9 @@ func handleCommand(
 		}
 		break
 	case "challenge_session":
+	case "block_session":
 		if command.SessionId == "" {
-			log.Printf("KAFKA: challenge_session: session_id is EMPTY, break\n")
+			log.Printf("KAFKA: session_id is EMPTY, break\n")
 			break
 		}
 		// exempt a site from challenge according to config
@@ -177,22 +178,29 @@ func handleCommand(
 			// gin does urldecode or cookie, so we decode any possible urlencoded session id from kafka
 			sessionIdDecoded, decodeErr := url.QueryUnescape(command.SessionId)
 			if decodeErr != nil {
-				log.Printf("KAFKA: challenge_session: fail to urldecode session_id %s, break\n", command.SessionId)
+				log.Printf("KAFKA: fail to urldecode session_id %s, break\n", command.SessionId)
 				break
 			}
+			var decision Decision
+			if command.Name == "block_session" {
+				log.Printf("KAFKA: block_session: %s\n", sessionIdDecoded)
+				decision = NginxBlock
+			} else {
+				log.Printf("KAFKA: challenge_session: %s\n", sessionIdDecoded)
+				decision = Challenge
+			}
 			updateExpiringDecisionListsSessionId(
 				config,
 				command.Value,
 				sessionIdDecoded,
 				decisionListsMutex,
 				decisionLists,
 				time.Now(),
-				Challenge,
+				decision,
 				true, // from baskerville, provide to http_server to distinguish from regex
 			)
-			log.Printf("KAFKA: challenge_session: %s\n", sessionIdDecoded)
 		} else {
-			log.Printf("KAFKA: DIS-BASK: not challenge %s, site %s disabled baskerville\n", command.Value, command.Host)
+			log.Printf("KAFKA: DIS-BASK: no action on %s, site %s disabled baskerville\n", command.Value, command.Host)
 		}
 		break
 	default: