Pull request: all: allow clientid in access settings

Updates #2624.
Updates #3162.

Squashed commit of the following:

commit 68860da717a23a0bfeba14b7fe10b5e4ad38726d
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date:   Tue Jun 29 15:41:33 2021 +0300

    all: imp types, names

commit ebd4ec26636853d0d58c4e331e6a78feede20813
Merge: 239eb721 16e5e09c
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date:   Tue Jun 29 15:14:33 2021 +0300

    Merge branch 'master' into 2624-clientid-access

commit 239eb7215abc47e99a0300a0f4cf56002689b1a9
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date:   Tue Jun 29 15:13:10 2021 +0300

    all: fix client blocking check

commit e6bece3ea8367b3cbe3d90702a3368c870ad4f13
Merge: 9935f2a3 9d1656b5
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date:   Tue Jun 29 13:12:28 2021 +0300

    Merge branch 'master' into 2624-clientid-access

commit 9935f2a30bcfae2b853f3ef610c0ab7a56a8f448
Author: Ildar Kamalov <ik@adguard.com>
Date:   Tue Jun 29 11:26:51 2021 +0300

    client: show block button for client id

commit ed786a6a74a081cd89e9d67df3537a4fadd54831
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date:   Fri Jun 25 15:56:23 2021 +0300

    client: imp i18n

commit 4fed21c68473ad408960c08a7d87624cabce1911
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date:   Fri Jun 25 15:34:09 2021 +0300

    all: imp i18n, docs

commit 55e65c0d6b939560c53dcb834a4557eb3853d194
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date:   Fri Jun 25 13:34:01 2021 +0300

    all: fix cache, imp code, docs, tests

commit c1e5a83e76deb44b1f92729bb9ddfcc6a96ac4a8
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date:   Thu Jun 24 19:27:12 2021 +0300

    all: allow clientid in access settings

internal/dnsforward/dnsforward.go

@@ -18,6 +18,7 @@ import (
 	"github.com/AdguardTeam/AdGuardHome/internal/stats"
 	"github.com/AdguardTeam/dnsproxy/proxy"
 	"github.com/AdguardTeam/dnsproxy/upstream"
+	"github.com/AdguardTeam/golibs/cache"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
 	"github.com/miekg/dns"
@@ -26,6 +27,11 @@ import (
 // DefaultTimeout is the default upstream timeout
 const DefaultTimeout = 10 * time.Second
 
+// defaultClientIDCacheCount is the default count of items in the LRU client ID
+// cache.  The assumption here is that there won't be more than this many
+// requests between the BeforeRequestHandler stage and the actual processing.
+const defaultClientIDCacheCount = 1024
+
 const (
 	safeBrowsingBlockHost = "standard-block.dns.adguard.com"
 	parentalBlockHost     = "family-block.dns.adguard.com"
@@ -44,12 +50,6 @@ var webRegistered bool
 // hostToIPTable is an alias for the type of Server.tableHostToIP.
 type hostToIPTable = map[string]net.IP
 
-// ipToHostTable is an alias for the type of Server.tableIPToHost.
-//
-// TODO(a.garipov): Define an IPMap type in aghnet and use here and in other
-// places?
-type ipToHostTable = map[string]string
-
 // Server is the main way to start a DNS server.
 //
 // Example:
@@ -81,9 +81,13 @@ type Server struct {
 	tableHostToIP     hostToIPTable
 	tableHostToIPLock sync.Mutex
 
-	tableIPToHost     ipToHostTable
+	tableIPToHost     *aghnet.IPMap
 	tableIPToHostLock sync.Mutex
 
+	// clientIDCache is a temporary storage for clientIDs that were
+	// extracted during the BeforeRequestHandler stage.
+	clientIDCache cache.Cache
+
 	// DNS proxy instance for internal usage
 	// We don't Start() it and so no listen port is required.
 	internalProxy *proxy.Proxy
@@ -152,6 +156,10 @@ func NewServer(p DNSCreateParams) (s *Server, err error) {
 		subnetDetector:    p.SubnetDetector,
 		localDomainSuffix: localDomainSuffix,
 		recDetector:       newRecursionDetector(recursionTTL, cachedRecurrentReqNum),
+		clientIDCache: cache.New(cache.Config{
+			EnableLRU: true,
+			MaxCount:  defaultClientIDCacheCount,
+		}),
 	}
 
 	// TODO(e.burkov): Enable the refresher after the actual implementation
@@ -414,19 +422,22 @@ func (s *Server) setupResolvers(localAddrs []string) (err error) {
 
 	log.Debug("upstreams to resolve PTR for local addresses: %v", localAddrs)
 
-	var upsConfig proxy.UpstreamConfig
-	upsConfig, err = proxy.ParseUpstreamsConfig(localAddrs, upstream.Options{
-		Bootstrap: bootstraps,
-		Timeout:   defaultLocalTimeout,
-		// TODO(e.burkov): Should we verify server's ceritificates?
-	})
+	var upsConfig *proxy.UpstreamConfig
+	upsConfig, err = proxy.ParseUpstreamsConfig(
+		localAddrs,
+		&upstream.Options{
+			Bootstrap: bootstraps,
+			Timeout:   defaultLocalTimeout,
+			// TODO(e.burkov): Should we verify server's ceritificates?
+		},
+	)
 	if err != nil {
 		return fmt.Errorf("parsing upstreams: %w", err)
 	}
 
 	s.localResolvers = &proxy.Proxy{
 		Config: proxy.Config{
-			UpstreamConfig: &upsConfig,
+			UpstreamConfig: upsConfig,
 		},
 	}
 
@@ -577,11 +588,33 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
-// IsBlockedIP - return TRUE if this client should be blocked
-func (s *Server) IsBlockedIP(ip net.IP) (bool, string) {
-	if ip == nil {
-		return false, ""
+// IsBlockedClient returns true if the client is blocked by the current access
+// settings.
+func (s *Server) IsBlockedClient(ip net.IP, clientID string) (blocked bool, rule string) {
+	s.serverLock.RLock()
+	defer s.serverLock.RUnlock()
+
+	allowlistMode := s.access.allowlistMode()
+	blockedByIP, rule := s.access.isBlockedIP(ip)
+	blockedByClientID := s.access.isBlockedClientID(clientID)
+
+	// Allow if at least one of the checks allows in allowlist mode, but
+	// block if at least one of the checks blocks in blocklist mode.
+	if allowlistMode && blockedByIP && blockedByClientID {
+		log.Debug("client %s (id %q) is not in access allowlist", ip, clientID)
+
+		// Return now without substituting the empty rule for the
+		// clientID because the rule can't be empty here.
+		return true, rule
+	} else if !allowlistMode && (blockedByIP || blockedByClientID) {
+		log.Debug("client %s (id %q) is in access blocklist", ip, clientID)
+
+		blocked = true
 	}
 
-	return s.access.IsBlockedIP(ip)
+	if rule == "" {
+		rule = clientID
+	}
+
+	return blocked, rule
 }