src/network.js

'use strict';

exports = module.exports = {
    getBlocklist,
    setBlocklist
};

const assert = require('assert'),
    BoxError = require('./boxerror.js'),
    ipaddr = require('ipaddr.js'),
    path = require('path'),
    paths = require('./paths.js'),
    safe = require('safetydance'),
    settings = require('./settings.js'),
    shell = require('./shell.js'),
    validator = require('validator');

const SET_BLOCKLIST_CMD = path.join(__dirname, 'scripts/setblocklist.sh');

function getBlocklist(callback) {
    assert.strictEqual(typeof callback, 'function');

    settings.getFirewallBlocklist(function (error, blocklist) {
        if (error) return callback(error);

        callback(null, blocklist);
    });
}

function setBlocklist(blocklist, auditSource, callback) {
    assert.strictEqual(typeof blocklist, 'string');
    assert.strictEqual(typeof auditSource, 'object');
    assert.strictEqual(typeof callback, 'function');

    const parsedIp = ipaddr.process(auditSource.ip);

    for (const line of blocklist.split('\n')) {
        if (!line || line.startsWith('#')) continue;
        const rangeOrIP = line.trim();
        if (!validator.isIP(rangeOrIP) && !validator.isIPRange(rangeOrIP)) return callback(new BoxError(BoxError.BAD_FIELD, `${rangeOrIP} is not a valid IP or range`));

        if (rangeOrIP.indexOf('/') === -1) {
            if (auditSource.ip === rangeOrIP) return callback(new BoxError(BoxError.BAD_FIELD, `${rangeOrIP} includes client IP. Cannot block yourself`));
        } else {
            const parsedRange = ipaddr.parseCIDR(rangeOrIP); // returns [addr, range]
            if (parsedRange[0].kind() === parsedIp.kind() && parsedIp.match(parsedRange)) return callback(new BoxError(BoxError.BAD_FIELD, `${rangeOrIP} includes client IP. Cannot block yourself`));
        }
    }

    if (settings.isDemo()) return callback(new BoxError(BoxError.CONFLICT, 'Not allowed in demo mode'));

    settings.setFirewallBlocklist(blocklist, function (error) {
        if (error) return callback(error);

        // this is done only because it's easier for the shell script and the firewall service to get the value
        if (!safe.fs.writeFileSync(paths.FIREWALL_BLOCKLIST_FILE, blocklist + '\n', 'utf8')) return callback(new BoxError(BoxError.FS_ERROR, safe.error.message));

        shell.sudo('setBlocklist', [ SET_BLOCKLIST_CMD ], {}, function (error) {
            if (error) return callback(new BoxError(BoxError.IPTABLES_ERROR, `Error setting blocklist: ${error.message}`));

            callback(null);
        });
    });
}
firewall: implement blocklist 2020-08-31 18:22:33 -07:00			`'use strict';`

			`exports = module.exports = {`
			`getBlocklist,`
			`setBlocklist`
			`};`

			`const assert = require('assert'),`
			`BoxError = require('./boxerror.js'),`
migrate blocklist to a txt file this allows easy copy/pasting of existing deny lists which contain comments and blank lines 2020-09-14 10:29:48 -07:00			`ipaddr = require('ipaddr.js'),`
firewall: implement blocklist 2020-08-31 18:22:33 -07:00			`path = require('path'),`
			`paths = require('./paths.js'),`
			`safe = require('safetydance'),`
do not allow setting blocklist in demo mode 2020-09-02 23:04:42 -07:00			`settings = require('./settings.js'),`
firewall: implement blocklist 2020-08-31 18:22:33 -07:00			`shell = require('./shell.js'),`
			`validator = require('validator');`

			`const SET_BLOCKLIST_CMD = path.join(__dirname, 'scripts/setblocklist.sh');`

			`function getBlocklist(callback) {`
			`assert.strictEqual(typeof callback, 'function');`

migrate firewall configuration into database the ports.json is for the moment server specific 2021-05-04 15:21:38 -07:00			`settings.getFirewallBlocklist(function (error, blocklist) {`
			`if (error) return callback(error);`

			`callback(null, blocklist);`
			`});`
firewall: implement blocklist 2020-08-31 18:22:33 -07:00			`}`

migrate blocklist to a txt file this allows easy copy/pasting of existing deny lists which contain comments and blank lines 2020-09-14 10:29:48 -07:00			`function setBlocklist(blocklist, auditSource, callback) {`
			`assert.strictEqual(typeof blocklist, 'string');`
			`assert.strictEqual(typeof auditSource, 'object');`
firewall: implement blocklist 2020-08-31 18:22:33 -07:00			`assert.strictEqual(typeof callback, 'function');`

migrate blocklist to a txt file this allows easy copy/pasting of existing deny lists which contain comments and blank lines 2020-09-14 10:29:48 -07:00			`const parsedIp = ipaddr.process(auditSource.ip);`
firewall: implement blocklist 2020-08-31 18:22:33 -07:00
migrate blocklist to a txt file this allows easy copy/pasting of existing deny lists which contain comments and blank lines 2020-09-14 10:29:48 -07:00			`for (const line of blocklist.split('\n')) {`
			`if (!line \|\| line.startsWith('#')) continue;`
			`const rangeOrIP = line.trim();`
			if (!validator.isIP(rangeOrIP) && !validator.isIPRange(rangeOrIP)) return callback(new BoxError(BoxError.BAD_FIELD, `${rangeOrIP} is not a valid IP or range`));
do not allow setting blocklist in demo mode 2020-09-02 23:04:42 -07:00
migrate blocklist to a txt file this allows easy copy/pasting of existing deny lists which contain comments and blank lines 2020-09-14 10:29:48 -07:00			`if (rangeOrIP.indexOf('/') === -1) {`
			if (auditSource.ip === rangeOrIP) return callback(new BoxError(BoxError.BAD_FIELD, `${rangeOrIP} includes client IP. Cannot block yourself`));
			`} else {`
Fix blocklist setting when source and list have mixed ip versions 2021-04-07 17:31:04 +02:00			`const parsedRange = ipaddr.parseCIDR(rangeOrIP); // returns [addr, range]`
			if (parsedRange[0].kind() === parsedIp.kind() && parsedIp.match(parsedRange)) return callback(new BoxError(BoxError.BAD_FIELD, `${rangeOrIP} includes client IP. Cannot block yourself`));
migrate blocklist to a txt file this allows easy copy/pasting of existing deny lists which contain comments and blank lines 2020-09-14 10:29:48 -07:00			`}`
			`}`
firewall: implement blocklist 2020-08-31 18:22:33 -07:00
migrate blocklist to a txt file this allows easy copy/pasting of existing deny lists which contain comments and blank lines 2020-09-14 10:29:48 -07:00			`if (settings.isDemo()) return callback(new BoxError(BoxError.CONFLICT, 'Not allowed in demo mode'));`
firewall: implement blocklist 2020-08-31 18:22:33 -07:00
migrate firewall configuration into database the ports.json is for the moment server specific 2021-05-04 15:21:38 -07:00			`settings.setFirewallBlocklist(blocklist, function (error) {`
			`if (error) return callback(error);`

			`// this is done only because it's easier for the shell script and the firewall service to get the value`
			`if (!safe.fs.writeFileSync(paths.FIREWALL_BLOCKLIST_FILE, blocklist + '\n', 'utf8')) return callback(new BoxError(BoxError.FS_ERROR, safe.error.message));`
firewall: implement blocklist 2020-08-31 18:22:33 -07:00
migrate firewall configuration into database the ports.json is for the moment server specific 2021-05-04 15:21:38 -07:00			`shell.sudo('setBlocklist', [ SET_BLOCKLIST_CMD ], {}, function (error) {`
			if (error) return callback(new BoxError(BoxError.IPTABLES_ERROR, `Error setting blocklist: ${error.message}`));
firewall: implement blocklist 2020-08-31 18:22:33 -07:00
migrate firewall configuration into database the ports.json is for the moment server specific 2021-05-04 15:21:38 -07:00			`callback(null);`
			`});`
firewall: implement blocklist 2020-08-31 18:22:33 -07:00			`});`
			`}`