Add sha_inv_path_exceptions

deflect-ca · Jan 17, 2025 · ab58a2d · ab58a2d
1 parent d0ad0e3
commit ab58a2d
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 0 deletions.
diff --git a/banjax-config.yaml b/banjax-config.yaml
@@ -125,3 +125,8 @@ sha_inv_expected_zero_bits: 10
 session_cookie_not_verify: true
 block_ip_ttl_seconds: 10
 block_session_ttl_seconds: 10
+sha_inv_path_exceptions:
+  "localhost:8081":
+    - /no_challenge
+  "localhost":
+    - /no_challenge
diff --git a/internal/config.go b/internal/config.go
@@ -74,6 +74,7 @@ type Config struct {
 	SessionCookieTtlSeconds                int               `yaml:"session_cookie_ttl_seconds"`
 	SessionCookieNotVerify                 bool              `yaml:"session_cookie_not_verify"`
 	SitesToDisableBaskerville              map[string]bool   `yaml:"sites_to_disable_baskerville"`
+	SitesToShaInvPathExceptions            map[string][]string `yaml:"sha_inv_path_exceptions"`
 }
 
 type RegexWithRate struct {

diff --git a/internal/http_server.go b/internal/http_server.go
@@ -782,6 +782,7 @@ const (
 	ExpiringAccessGranted // XXX should this even exist?
 	ExpiringChallenge
 	ExpiringBlock
+	PerSiteShaInvPathException
 	SiteWideChallenge
 	SiteWideChallengeException
 	NoMention
@@ -801,6 +802,7 @@ var DecisionListResultToString = map[DecisionListResult]string{
 	ExpiringAccessGranted:          "ExpiringAccessGranted",
 	ExpiringChallenge:              "ExpiringChallenge",
 	ExpiringBlock:                  "ExpiringBlock",
+	PerSiteShaInvPathException:     "PerSiteShaInvPathException",
 	SiteWideChallenge:              "SiteWideChallenge",
 	SiteWideChallengeException:     "SiteWideChallengeException",
 	NoMention:                      "NoMention",
@@ -1087,6 +1089,12 @@ func decisionForNginx2(
 			decisionForNginxResult.DecisionListResult = ExpiringAccessGranted
 			return
 		case Challenge:
+			// apply exception to both challenge from baskerville and regex banner
+			if checkPerSiteShaInvPathExceptions(config, requestedHost, requestedPath) {
+				accessGranted(c, config, DecisionListResultToString[PerSiteShaInvPathException])
+				decisionForNginxResult.DecisionListResult = PerSiteShaInvPathException
+				return
+			}
 			// Check if expiringDecision.fromBaskerville, if true, check if domain disabled baskerville
 			_, disabled := config.SitesToDisableBaskerville[requestedHost]
 			if expiringDecision.fromBaskerville && disabled {
@@ -1189,3 +1197,22 @@ func checkExpiringDecisionLists(c *gin.Context, clientIp string, decisionLists *
 	}
 	return expiringDecision, ok
 }
+
+func checkPerSiteShaInvPathExceptions(
+	config *Config,
+	requestedHost string,
+	requestedPath string,
+) bool {
+	// check against config.SitesToShaInvPathExceptions
+	pathExceptions, hasExceptions := config.SitesToShaInvPathExceptions[requestedHost]
+	if hasExceptions {
+		for _, pException := range pathExceptions {
+			// print
+			log.Println("requestedPath: ", requestedPath, " pException: ", pException)
+			if strings.HasPrefix(requestedPath, pException) {
+				return true
+			}
+		}
+	}
+	return false
+}