Fixed challenge_session command

deflect-ca · Nov 22, 2023 · 8846252 · 8846252
1 parent ab72b78
commit 8846252
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 10 deletions.
diff --git a/banjax-config.yaml b/banjax-config.yaml
@@ -85,11 +85,11 @@ regexes_with_rates:
 sitewide_sha_inv_list:
   example.com: block
   foobar.com: no_block
-  localhost: no_block
+  sub.localhost: no_block
   www.localhost: no_block
 server_log_file: /var/log/banjax/banjax-format.log
 banning_log_file: /etc/banjax/ban_ip_list.log
-expiring_decision_ttl_seconds: 10
+expiring_decision_ttl_seconds: 100
 too_many_failed_challenges_interval_seconds: 10
 too_many_failed_challenges_threshold: 3
 password_cookie_ttl_seconds: 345600  # Dynamic apply to internal/password-protected-path.html:170
@@ -108,6 +108,7 @@ banning_log_file_temp: /etc/banjax/ban_ip_list_temp.log
 session_cookie_hmac_secret: some_secret
 session_cookie_ttl_seconds: 3600
 sites_to_disable_baskerville:
-  localhost: true
+  sub.localhost: false
 use_user_agent_in_cookie:
-  localhost: true
+  sub.localhost: true
+session_cookie_not_verify: true
diff --git a/internal/config.go b/internal/config.go
@@ -66,6 +66,7 @@ type Config struct {
 	DisableKafka                           bool              `yaml:"disable_kafka"`
 	SessionCookieHmacSecret                string            `yaml:"session_cookie_hmac_secret"`
 	SessionCookieTtlSeconds                int               `yaml:"session_cookie_ttl_seconds"`
+	SessionCookieNotVerify                 bool              `yaml:"session_cookie_not_verify"`
 	SitesToDisableBaskerville              map[string]bool   `yaml:"sites_to_disable_baskerville"`
 }
 
@@ -426,7 +427,6 @@ func updateExpiringDecisionLists(
 	}
 	if config.Debug {
 		log.Println("Update expiringDecision with existing and new: ", existingExpiringDecision.Decision, newDecision)
-		log.Println("From baskerville", fromBaskerville)
 	}
 
 	// XXX We are not using nginx to banjax cache feature yet
@@ -456,7 +456,10 @@ func updateExpiringDecisionListsSessionId(
 		}
 	}
 
-	// log.Printf("Update session id challenge with IP %s, session id %s, existing and new: %v, %v\n", ip, sessionId, existingExpiringDecision.Decision, newDecision)
+	if config.Debug {
+		log.Printf("Update session id challenge with IP %s, session id %s, existing and new: %v, %v\n",
+			ip, sessionId, existingExpiringDecision.Decision, newDecision)
+	}
 	expires := now.Add(time.Duration(config.ExpiringDecisionTtlSeconds) * time.Second)
 	(*decisionLists).ExpiringDecisionListsSessionId[sessionId] = ExpiringDecision{
 		newDecision, expires, ip, fromBaskerville}

diff --git a/internal/http_server.go b/internal/http_server.go
@@ -1039,12 +1039,12 @@ func checkExpiringDecisionLists(c *gin.Context, clientIp string, decisionLists *
 	if err == nil {
 		expiringDecision, ok := (*decisionLists).ExpiringDecisionListsSessionId[sessionId]
 		if ok {
+			log.Printf("DSC: found expiringDecision from session %s (%s)", sessionId, expiringDecision.Decision)
 			if time.Now().Sub(expiringDecision.Expires) > 0 {
 				delete((*decisionLists).ExpiringDecisionListsSessionId, sessionId)
 				// log.Println("deleted expired decision from expiring lists")
 				ok = false
 			}
-			log.Printf("DSC: challenge expiring decision for %s from session %s", expiringDecision.IpAddress, sessionId)
 			return expiringDecision, ok
 		}
 	}

diff --git a/internal/kafka.go b/internal/kafka.go
@@ -12,6 +12,7 @@ import (
 	"crypto/x509"
 	"encoding/json"
 	"log"
+	"net/url"
 	"os"
 	"sync"
 	"time"
@@ -163,25 +164,29 @@ func handleCommand(
 		} else {
 			log.Printf("KAFKA: command value looks malformed: %s\n", command.Value)
 		}
+		break
 	case "challenge_session":
 		// exempt a site from challenge according to config
 		_, disabled := config.SitesToDisableBaskerville[command.Host]
 
 		if !disabled {
+			// gin does urldecode or cookie, so we decode any possible urlencoded session id from kafka
+			sessionIdDecoded, _ := url.QueryUnescape(command.SessionId)
 			updateExpiringDecisionListsSessionId(
 				config,
 				command.Value,
-				command.SessionId,
+				sessionIdDecoded,
 				decisionListsMutex,
 				decisionLists,
 				time.Now(),
 				Challenge,
 				true, // from baskerville, provide to http_server to distinguish from regex
 			)
-			log.Printf("KAFKA: challenge_session: %s\n", command.SessionId)
+			log.Printf("KAFKA: challenge_session: %s\n", sessionIdDecoded)
 		} else {
 			log.Printf("KAFKA: DIS-BASK: not challenge %s, site %s disabled baskerville\n", command.Value, command.Host)
 		}
+		break
 	default:
 		log.Printf("KAFKA: unrecognized command name: %s\n", command.Name)
 	}

diff --git a/internal/session_cookie.go b/internal/session_cookie.go
@@ -123,7 +123,7 @@ func sessionCookieEndPoint(c *gin.Context, config *Config) error {
 	if err == nil {
 		// cookie exists, validate it
 		validateErr := validateSessionCookie(dsc, config.SessionCookieHmacSecret, time.Now(), clientIp)
-		if validateErr == nil {
+		if validateErr == nil || config.SessionCookieNotVerify {
 			// cookie is valid, do not attach cookie but only report dsc_new=false
 			// fmt.Printf("DSC: [%s] cookie %s is valid, report dsc_new=false\n", clientIp, dsc)
 			attachSessionCookie(c, config, dsc, false)