Skip to content

Commit

Permalink
Fixed challenge_session command
Browse files Browse the repository at this point in the history
  • Loading branch information
jeremy5189 committed Nov 23, 2023
1 parent 73a3c01 commit ee51f5f
Show file tree
Hide file tree
Showing 5 changed files with 19 additions and 10 deletions.
9 changes: 5 additions & 4 deletions banjax-config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -85,11 +85,11 @@ regexes_with_rates:
sitewide_sha_inv_list:
example.com: block
foobar.com: no_block
localhost: no_block
sub.localhost: no_block
www.localhost: no_block
server_log_file: /var/log/banjax/banjax-format.log
banning_log_file: /etc/banjax/ban_ip_list.log
expiring_decision_ttl_seconds: 10
expiring_decision_ttl_seconds: 100
too_many_failed_challenges_interval_seconds: 10
too_many_failed_challenges_threshold: 3
password_cookie_ttl_seconds: 345600 # Dynamic apply to internal/password-protected-path.html:170
Expand All @@ -108,6 +108,7 @@ banning_log_file_temp: /etc/banjax/ban_ip_list_temp.log
session_cookie_hmac_secret: some_secret
session_cookie_ttl_seconds: 3600
sites_to_disable_baskerville:
localhost: true
sub.localhost: false
use_user_agent_in_cookie:
localhost: true
sub.localhost: true
session_cookie_not_verify: true
7 changes: 5 additions & 2 deletions internal/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,7 @@ type Config struct {
DisableKafka bool `yaml:"disable_kafka"`
SessionCookieHmacSecret string `yaml:"session_cookie_hmac_secret"`
SessionCookieTtlSeconds int `yaml:"session_cookie_ttl_seconds"`
SessionCookieNotVerify bool `yaml:"session_cookie_not_verify"`
SitesToDisableBaskerville map[string]bool `yaml:"sites_to_disable_baskerville"`
}

Expand Down Expand Up @@ -426,7 +427,6 @@ func updateExpiringDecisionLists(
}
if config.Debug {
log.Println("Update expiringDecision with existing and new: ", existingExpiringDecision.Decision, newDecision)
log.Println("From baskerville", fromBaskerville)
}

// XXX We are not using nginx to banjax cache feature yet
Expand Down Expand Up @@ -456,7 +456,10 @@ func updateExpiringDecisionListsSessionId(
}
}

// log.Printf("Update session id challenge with IP %s, session id %s, existing and new: %v, %v\n", ip, sessionId, existingExpiringDecision.Decision, newDecision)
if config.Debug {
log.Printf("Update session id challenge with IP %s, session id %s, existing and new: %v, %v\n",
ip, sessionId, existingExpiringDecision.Decision, newDecision)
}
expires := now.Add(time.Duration(config.ExpiringDecisionTtlSeconds) * time.Second)
(*decisionLists).ExpiringDecisionListsSessionId[sessionId] = ExpiringDecision{
newDecision, expires, ip, fromBaskerville}
Expand Down
2 changes: 1 addition & 1 deletion internal/http_server.go
Original file line number Diff line number Diff line change
Expand Up @@ -1039,12 +1039,12 @@ func checkExpiringDecisionLists(c *gin.Context, clientIp string, decisionLists *
if err == nil {
expiringDecision, ok := (*decisionLists).ExpiringDecisionListsSessionId[sessionId]
if ok {
log.Printf("DSC: found expiringDecision from session %s (%s)", sessionId, expiringDecision.Decision)
if time.Now().Sub(expiringDecision.Expires) > 0 {
delete((*decisionLists).ExpiringDecisionListsSessionId, sessionId)
// log.Println("deleted expired decision from expiring lists")
ok = false
}
log.Printf("DSC: challenge expiring decision for %s from session %s", expiringDecision.IpAddress, sessionId)
return expiringDecision, ok
}
}
Expand Down
9 changes: 7 additions & 2 deletions internal/kafka.go
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ import (
"crypto/x509"
"encoding/json"
"log"
"net/url"
"os"
"sync"
"time"
Expand Down Expand Up @@ -163,25 +164,29 @@ func handleCommand(
} else {
log.Printf("KAFKA: command value looks malformed: %s\n", command.Value)
}
break
case "challenge_session":
// exempt a site from challenge according to config
_, disabled := config.SitesToDisableBaskerville[command.Host]

if !disabled {
// gin does urldecode or cookie, so we decode any possible urlencoded session id from kafka
sessionIdDecoded, _ := url.QueryUnescape(command.SessionId)
updateExpiringDecisionListsSessionId(
config,
command.Value,
command.SessionId,
sessionIdDecoded,
decisionListsMutex,
decisionLists,
time.Now(),
Challenge,
true, // from baskerville, provide to http_server to distinguish from regex
)
log.Printf("KAFKA: challenge_session: %s\n", command.SessionId)
log.Printf("KAFKA: challenge_session: %s\n", sessionIdDecoded)
} else {
log.Printf("KAFKA: DIS-BASK: not challenge %s, site %s disabled baskerville\n", command.Value, command.Host)
}
break
default:
log.Printf("KAFKA: unrecognized command name: %s\n", command.Name)
}
Expand Down
2 changes: 1 addition & 1 deletion internal/session_cookie.go
Original file line number Diff line number Diff line change
Expand Up @@ -131,7 +131,7 @@ func sessionCookieEndPoint(c *gin.Context, config *Config) error {
if err == nil {
// cookie exists, validate it
validateErr := validateSessionCookie(urlDecodedDsc, config.SessionCookieHmacSecret, time.Now(), clientIp)
if validateErr == nil {
if validateErr == nil || config.SessionCookieNotVerify {
// cookie is valid, do not attach cookie but only report dsc_new=false
// log.Printf("DSC: [%s] cookie %s is valid, report dsc_new=false\n", clientIp, urlDecodedDsc)
attachSessionCookie(c, config, urlDecodedDsc, false)
Expand Down

0 comments on commit ee51f5f

Please sign in to comment.