all: sync with master; upd chlog

2024-04-02 20:22:19 +03:00
parent ce9bb588ed
commit 6fb2aee210
57 changed files with 1363 additions and 873 deletions
--- a/internal/home/auth.go
+++ b/internal/home/auth.go
@@ -11,6 +11,7 @@ import (

 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
+	"github.com/AdguardTeam/golibs/netutil"
 	"go.etcd.io/bbolt"
 	"golang.org/x/crypto/bcrypt"
 )
@@ -51,14 +52,15 @@ func (s *session) deserialize(data []byte) bool {
 	return true
 }

-// Auth - global object
+// Auth is the global authentication object.
 type Auth struct {
-	db          *bbolt.DB
-	rateLimiter *authRateLimiter
-	sessions    map[string]*session
-	users       []webUser
-	lock        sync.Mutex
-	sessionTTL  uint32
+	trustedProxies netutil.SubnetSet
+	db             *bbolt.DB
+	rateLimiter    *authRateLimiter
+	sessions       map[string]*session
+	users          []webUser
+	lock           sync.Mutex
+	sessionTTL     uint32
 }

 // webUser represents a user of the Web UI.
@@ -69,15 +71,22 @@ type webUser struct {
 	PasswordHash string `yaml:"password"`
 }

-// InitAuth - create a global object
-func InitAuth(dbFilename string, users []webUser, sessionTTL uint32, rateLimiter *authRateLimiter) *Auth {
+// InitAuth initializes the global authentication object.
+func InitAuth(
+	dbFilename string,
+	users []webUser,
+	sessionTTL uint32,
+	rateLimiter *authRateLimiter,
+	trustedProxies netutil.SubnetSet,
+) (a *Auth) {
 	log.Info("Initializing auth module: %s", dbFilename)

-	a := &Auth{
-		sessionTTL:  sessionTTL,
-		rateLimiter: rateLimiter,
-		sessions:    make(map[string]*session),
-		users:       users,
+	a = &Auth{
+		sessionTTL:     sessionTTL,
+		rateLimiter:    rateLimiter,
+		sessions:       make(map[string]*session),
+		users:          users,
+		trustedProxies: trustedProxies,
 	}
 	var err error
 	a.db, err = bbolt.Open(dbFilename, 0o644, nil)
@@ -95,7 +104,7 @@ func InitAuth(dbFilename string, users []webUser, sessionTTL uint32, rateLimiter
 	return a
 }

-// Close - close module
+// Close closes the authentication database.
 func (a *Auth) Close() {
 	_ = a.db.Close()
 }
@@ -104,7 +113,8 @@ func bucketName() []byte {
 	return []byte("sessions-2")
 }

-// load sessions from file, remove expired sessions
+// loadSessions loads sessions from the database file and removes expired
+// sessions.
 func (a *Auth) loadSessions() {
 	tx, err := a.db.Begin(true)
 	if err != nil {
@@ -156,7 +166,8 @@ func (a *Auth) loadSessions() {
 	log.Debug("auth: loaded %d sessions from DB (removed %d expired)", len(a.sessions), removed)
 }

-// store session data in file
+// addSession adds a new session to the list of sessions and saves it in the
+// database file.
 func (a *Auth) addSession(data []byte, s *session) {
 	name := hex.EncodeToString(data)
 	a.lock.Lock()
@@ -167,7 +178,7 @@ func (a *Auth) addSession(data []byte, s *session) {
 	}
 }

-// store session data in file
+// storeSession saves a session in the database file.
 func (a *Auth) storeSession(data []byte, s *session) bool {
 	tx, err := a.db.Begin(true)
 	if err != nil {
--- a/internal/home/auth_internal_test.go
+++ b/internal/home/auth_internal_test.go
@@ -37,7 +37,7 @@ func TestAuth(t *testing.T) {
 		Name:         "name",
 		PasswordHash: "$2y$05$..vyzAECIhJPfaQiOK17IukcQnqEgKJHy0iETyYqxn3YXJl8yZuo2",
 	}}
-	a := InitAuth(fn, nil, 60, nil)
+	a := InitAuth(fn, nil, 60, nil, nil)
 	s := session{}

 	user := webUser{Name: "name"}
@@ -66,7 +66,7 @@ func TestAuth(t *testing.T) {
 	a.Close()

 	// load saved session
-	a = InitAuth(fn, users, 60, nil)
+	a = InitAuth(fn, users, 60, nil, nil)

 	// the session is still alive
 	assert.Equal(t, checkSessionOK, a.checkSession(sessStr))
@@ -82,7 +82,7 @@ func TestAuth(t *testing.T) {
 	time.Sleep(3 * time.Second)

 	// load and remove expired sessions
-	a = InitAuth(fn, users, 60, nil)
+	a = InitAuth(fn, users, 60, nil, nil)
 	assert.Equal(t, checkSessionNotFound, a.checkSession(sessStr))

 	a.Close()
--- a/internal/home/authhttp.go
+++ b/internal/home/authhttp.go
@@ -4,8 +4,8 @@ import (
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
-	"net"
 	"net/http"
+	"net/netip"
 	"path"
 	"strconv"
 	"strings"
@@ -78,7 +78,7 @@ func (a *Auth) newCookie(req loginJSON, addr string) (c *http.Cookie, err error)
 // a well-maintained third-party module.
 //
 // TODO(a.garipov): Support header Forwarded from RFC 7329.
-func realIP(r *http.Request) (ip net.IP, err error) {
+func realIP(r *http.Request) (ip netip.Addr, err error) {
 	proxyHeaders := []string{
 		httphdr.CFConnectingIP,
 		httphdr.TrueClientIP,
@@ -87,8 +87,8 @@ func realIP(r *http.Request) (ip net.IP, err error) {

 	for _, h := range proxyHeaders {
 		v := r.Header.Get(h)
-		ip = net.ParseIP(v)
-		if ip != nil {
+		ip, err = netip.ParseAddr(v)
+		if err == nil {
 			return ip, nil
 		}
 	}
@@ -96,20 +96,20 @@ func realIP(r *http.Request) (ip net.IP, err error) {
 	// If none of the above yielded any results, get the leftmost IP address
 	// from the X-Forwarded-For header.
 	s := r.Header.Get(httphdr.XForwardedFor)
-	ipStrs := strings.SplitN(s, ", ", 2)
-	ip = net.ParseIP(ipStrs[0])
-	if ip != nil {
+	ipStr, _, _ := strings.Cut(s, ",")
+	ip, err = netip.ParseAddr(ipStr)
+	if err == nil {
 		return ip, nil
 	}

 	// When everything else fails, just return the remote address as understood
 	// by the stdlib.
-	ipStr, err := netutil.SplitHost(r.RemoteAddr)
+	ipStr, err = netutil.SplitHost(r.RemoteAddr)
 	if err != nil {
-		return nil, fmt.Errorf("getting ip from client addr: %w", err)
+		return netip.Addr{}, fmt.Errorf("getting ip from client addr: %w", err)
 	}

-	return net.ParseIP(ipStr), nil
+	return netip.ParseAddr(ipStr)
 }

 // writeErrorWithIP is like [aghhttp.Error], but includes the remote IP address
@@ -142,8 +142,6 @@ func handleLogin(w http.ResponseWriter, r *http.Request) {
 	// to security issues.
 	//
 	// See https://github.com/AdguardTeam/AdGuardHome/issues/2799.
-	//
-	// TODO(e.burkov): Use realIP when the issue will be fixed.
 	if remoteIP, err = netutil.SplitHost(r.RemoteAddr); err != nil {
 		writeErrorWithIP(
 			r,
@@ -173,20 +171,24 @@ func handleLogin(w http.ResponseWriter, r *http.Request) {
 		}
 	}

-	cookie, err := Context.auth.newCookie(req, remoteIP)
-	if err != nil {
-		writeErrorWithIP(r, w, http.StatusForbidden, remoteIP, "%s", err)
-
-		return
-	}
-
-	// Use realIP here, since this IP address is only used for logging.
 	ip, err := realIP(r)
 	if err != nil {
 		log.Error("auth: getting real ip from request with remote ip %s: %s", remoteIP, err)
 	}

-	log.Info("auth: user %q successfully logged in from ip %v", req.Name, ip)
+	cookie, err := Context.auth.newCookie(req, remoteIP)
+	if err != nil {
+		logIP := remoteIP
+		if Context.auth.trustedProxies.Contains(ip.Unmap()) {
+			logIP = ip.String()
+		}
+
+		writeErrorWithIP(r, w, http.StatusForbidden, logIP, "%s", err)
+
+		return
+	}
+
+	log.Info("auth: user %q successfully logged in from ip %s", req.Name, ip)

 	http.SetCookie(w, cookie)

--- a/internal/home/authhttp_internal_test.go
+++ b/internal/home/authhttp_internal_test.go
@@ -1,8 +1,8 @@
 package home

 import (
-	"net"
 	"net/http"
+	"net/netip"
 	"net/textproto"
 	"net/url"
 	"path/filepath"
@@ -39,7 +39,7 @@ func TestAuthHTTP(t *testing.T) {
 	users := []webUser{
 		{Name: "name", PasswordHash: "$2y$05$..vyzAECIhJPfaQiOK17IukcQnqEgKJHy0iETyYqxn3YXJl8yZuo2"},
 	}
-	Context.auth = InitAuth(fn, users, 60, nil)
+	Context.auth = InitAuth(fn, users, 60, nil, nil)

 	handlerCalled := false
 	handler := func(_ http.ResponseWriter, _ *http.Request) {
@@ -125,13 +125,13 @@ func TestRealIP(t *testing.T) {
 		header     http.Header
 		remoteAddr string
 		wantErrMsg string
-		wantIP     net.IP
+		wantIP     netip.Addr
 	}{{
 		name:       "success_no_proxy",
 		header:     nil,
 		remoteAddr: remoteAddr,
 		wantErrMsg: "",
-		wantIP:     net.IPv4(1, 2, 3, 4),
+		wantIP:     netip.MustParseAddr("1.2.3.4"),
 	}, {
 		name: "success_proxy",
 		header: http.Header{
@@ -139,7 +139,7 @@ func TestRealIP(t *testing.T) {
 		},
 		remoteAddr: remoteAddr,
 		wantErrMsg: "",
-		wantIP:     net.IPv4(1, 2, 3, 5),
+		wantIP:     netip.MustParseAddr("1.2.3.5"),
 	}, {
 		name: "success_proxy_multiple",
 		header: http.Header{
@@ -149,14 +149,14 @@ func TestRealIP(t *testing.T) {
 		},
 		remoteAddr: remoteAddr,
 		wantErrMsg: "",
-		wantIP:     net.IPv4(1, 2, 3, 6),
+		wantIP:     netip.MustParseAddr("1.2.3.6"),
 	}, {
 		name:       "error_no_proxy",
 		header:     nil,
 		remoteAddr: "1:::2",
 		wantErrMsg: `getting ip from client addr: address 1:::2: ` +
 			`too many colons in address`,
-		wantIP: nil,
+		wantIP: netip.Addr{},
 	}}

 	for _, tc := range testCases {
--- a/internal/home/clients.go
+++ b/internal/home/clients.go
@@ -19,6 +19,7 @@ import (
 	"github.com/AdguardTeam/AdGuardHome/internal/whois"
 	"github.com/AdguardTeam/dnsproxy/proxy"
 	"github.com/AdguardTeam/dnsproxy/upstream"
+	"github.com/AdguardTeam/golibs/container"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/hostsfile"
 	"github.com/AdguardTeam/golibs/log"
@@ -54,7 +55,7 @@ type clientsContainer struct {
 	// ipToRC maps IP addresses to runtime client information.
 	ipToRC map[netip.Addr]*client.Runtime

-	allTags *stringutil.Set
+	allTags *container.MapSet[string]

 	// dhcp is the DHCP service implementation.
 	dhcp DHCP
@@ -108,7 +109,7 @@ func (clients *clientsContainer) Init(

 	clients.clientIndex = client.NewIndex()

-	clients.allTags = stringutil.NewSet(clientTags...)
+	clients.allTags = container.NewMapSet(clientTags...)

 	// TODO(e.burkov):  Use [dhcpsvc] implementation when it's ready.
 	clients.dhcp = dhcpServer
@@ -213,7 +214,7 @@ type clientObject struct {
 // toPersistent returns an initialized persistent client if there are no errors.
 func (o *clientObject) toPersistent(
 	filteringConf *filtering.Config,
-	allTags *stringutil.Set,
+	allTags *container.MapSet[string],
 ) (cli *client.Persistent, err error) {
 	cli = &client.Persistent{
 		Name: o.Name,
@@ -307,8 +308,8 @@ func (clients *clientsContainer) forConfig() (objs []*clientObject) {
 			BlockedServices: cli.BlockedServices.Clone(),

 			IDs:       cli.IDs(),
-			Tags:      stringutil.CloneSlice(cli.Tags),
-			Upstreams: stringutil.CloneSlice(cli.Upstreams),
+			Tags:      slices.Clone(cli.Tags),
+			Upstreams: slices.Clone(cli.Upstreams),

 			UID: cli.UID,

--- a/internal/home/home.go
+++ b/internal/home/home.go
@@ -539,13 +539,13 @@ func fatalOnError(err error) {

 // run configures and starts AdGuard Home.
 func run(opts options, clientBuildFS fs.FS, done chan struct{}) {
-	// Configure config filename.
-	initConfigFilename(opts)
-
-	// Configure working dir and config path.
+	// Configure working dir.
 	err := initWorkingDir(opts)
 	fatalOnError(err)

+	// Configure config filename.
+	initConfigFilename(opts)
+
 	// Configure log level and output.
 	err = configureLogger(opts)
 	fatalOnError(err)
@@ -674,8 +674,10 @@ func initUsers() (auth *Auth, err error) {
 		log.Info("authratelimiter is disabled")
 	}

+	trustedProxies := netutil.SliceSubnetSet(netutil.UnembedPrefixes(config.DNS.TrustedProxies))
+
 	sessionTTL := config.HTTPConfig.SessionTTL.Seconds()
-	auth = InitAuth(sessFilename, config.Users, uint32(sessionTTL), rateLimiter)
+	auth = InitAuth(sessFilename, config.Users, uint32(sessionTTL), rateLimiter, trustedProxies)
 	if auth == nil {
 		return nil, errors.Error("initializing auth module failed")
 	}
@@ -758,11 +760,12 @@ func writePIDFile(fn string) bool {
 }

 // initConfigFilename sets up context config file path.  This file path can be
-// overridden by command-line arguments, or is set to default.
+// overridden by command-line arguments, or is set to default.  Must only be
+// called after initializing the workDir with initWorkingDir.
 func initConfigFilename(opts options) {
 	confPath := opts.confFilename
 	if confPath == "" {
-		Context.confFilePath = "AdGuardHome.yaml"
+		Context.confFilePath = filepath.Join(Context.workDir, "AdGuardHome.yaml")

 		return
 	}
--- a/internal/home/i18n.go
+++ b/internal/home/i18n.go
@@ -5,12 +5,12 @@ import (
 	"net/http"

 	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
+	"github.com/AdguardTeam/golibs/container"
 	"github.com/AdguardTeam/golibs/log"
-	"github.com/AdguardTeam/golibs/stringutil"
 )

 // TODO(a.garipov): Get rid of a global or generate from .twosky.json.
-var allowedLanguages = stringutil.NewSet(
+var allowedLanguages = container.NewMapSet(
 	"ar",
 	"be",
 	"bg",
--- a/internal/home/service.go
+++ b/internal/home/service.go
@@ -271,11 +271,12 @@ func handleServiceCommand(s service.Service, action string, opts options) (err e
 			return fmt.Errorf("failed to run service: %w", err)
 		}
 	case "install":
-		initConfigFilename(opts)
 		if err = initWorkingDir(opts); err != nil {
 			return fmt.Errorf("failed to init working dir: %w", err)
 		}

+		initConfigFilename(opts)
+
 		handleServiceInstallCommand(s)
 	case "uninstall":
 		handleServiceUninstallCommand(s)