-
-
Notifications
You must be signed in to change notification settings - Fork 218
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Log blocking rule in resolver #1489
base: main
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for following up with this!
I put comments about mostly minor things. but some of it does require changing a bunch of code so I tried to put suggestions those.
Could you also please add a couple checks in tests that return a positive mach for the rule? Alternatively, add some basic dedicated tests for that.
If it can be any help, the way I'd do it is update the tests to not assert anything. make the function print the rule before returning. and add an Expect(false)
at the end so ginkgo prints the output and you can copy past the rules instead of typing them out.
Some kind of snapshot testing would be nice here, but that's more work and we don't have anything like that already.
And just to be explicit about this: nothing is set in stone feel free to push back on anything :)
@@ -11,7 +11,7 @@ import ( | |||
|
|||
type stringCache interface { | |||
elementCount() int | |||
contains(searchString string) bool | |||
contains(searchString string) (bool, string) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it'd be nice to swap the return values so it matches map
:
contains(searchString string) (bool, string) | |
contains(searchString string) (string, bool) |
I'll put suggestions for the other uses, hopefully I don't miss anything!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would not do this with contains
method. The name implies that the main return type should be boolean. Consider error return value:
contains(searchString string) (bool, err)
err
should be at the end as it is not the main response from method.
Could we rename contains
to match
and get rid of boolean?
// returns rule if matched, otherwise empty string
func match(searchString string) (string)
@@ -36,12 +36,12 @@ func (cache stringMap) elementCount() int { | |||
return count | |||
} | |||
|
|||
func (cache stringMap) contains(searchString string) bool { | |||
func (cache stringMap) contains(searchString string) (bool, string) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
func (cache stringMap) contains(searchString string) (bool, string) { | |
func (cache stringMap) contains(searchString string) (string, bool) { |
normalized := normalizeEntry(searchString) | ||
searchLen := len(normalized) | ||
|
||
if searchLen == 0 { | ||
return false | ||
return false, "" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return false, "" | |
return "", false |
@@ -54,11 +54,11 @@ func (cache stringMap) contains(searchString string) bool { | |||
if blockRule == normalized { | |||
log.PrefixedLog("string_map").Debugf("block rule '%s' matched with '%s'", blockRule, searchString) | |||
|
|||
return true | |||
return true, blockRule |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return true, blockRule | |
return blockRule, true |
if groups := r.matches(groupsToCheck, r.allowlistMatcher, domain); len(groups) > 0 { | ||
logger.WithField("groups", groups).Debugf("domain is allowlisted") | ||
if matches := r.matches(groupsToCheck, r.allowlistMatcher, domain); len(matches) > 0 { | ||
logger.WithField("groups", maps.Keys(matches)).Debugf("domain is allowlisted") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we can change this to log all the info:
logger.WithField("groups", maps.Keys(matches)).Debugf("domain is allowlisted") | |
logger.WithField("matches", matches).Debug("domain is allowlisted") |
return r.handleBlocked(logger, request, request.Req.Question[0], fmt.Sprintf("BLOCKED %s (%s)", tName, | ||
strings.Join(groups, ","))) | ||
if matches := r.matches(groupsToCheck, r.allowlistMatcher, entryToCheck); len(matches) > 0 { | ||
logger.WithField("groups", maps.Keys(matches)).Debugf("%s is allowlisted", tName) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
logger.WithField("groups", maps.Keys(matches)).Debugf("%s is allowlisted", tName) | |
logger.WithField("matches", matches).Debug("%s is allowlisted", tName) |
var entries []string | ||
for group, rule := range matches { | ||
entries = append(entries, strings.Join([]string{group, rule}, ":")) | ||
} | ||
|
||
msg := fmt.Sprintf("BLOCKED (%s)", strings.Join(entries, ", ")) | ||
resp, err := r.handleBlocked(logger, request, question, msg) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you pass matches
to handleBlock
instead of msg
so we can move the formatting there and deduplicate it with Resolve
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
resolver/blocking_resolver.go:383 passes a string:
resp, err := r.handleBlocked(logger, request, question, "BLOCKED (ALLOWLIST ONLY)")
Could we return custom type from r.matches(...)
and override String()
method?
var entries []string | ||
for group, rule := range matches { | ||
entries = append(entries, strings.Join([]string{group, rule}, ":")) | ||
} | ||
|
||
msg := fmt.Sprintf("BLOCKED %s (%s)", tName, strings.Join(entries, ", ")) | ||
|
||
return r.handleBlocked(logger, request, request.Req.Question[0], msg) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also pass maches
to handleBlocked
here.
Co-authored-by: ThinkChaos <[email protected]>
Co-authored-by: ThinkChaos <[email protected]>
Co-authored-by: ThinkChaos <[email protected]>
Co-authored-by: ThinkChaos <[email protected]>
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #1489 +/- ##
==========================================
+ Coverage 93.88% 94.28% +0.39%
==========================================
Files 78 78
Lines 6361 5018 -1343
==========================================
- Hits 5972 4731 -1241
+ Misses 300 196 -104
- Partials 89 91 +2 ☔ View full report in Codecov by Sentry. |
Sorry, I don't understand what you want. There are checks for the rules in |
Follow up of #1460 (review)
Closes #1458