fix(ns-api): fix threat shield dns apis (#1008)

NethServer · Jan 20, 2025 · 0b43a8d · 0b43a8d
1 parent 034a115
commit 0b43a8d
Show file tree

Hide file tree

Showing 2 changed files with 133 additions and 11 deletions.
diff --git a/packages/ns-api/README.md b/packages/ns-api/README.md
@@ -5964,14 +5964,14 @@ api-cli ns.threatshield dns-list-settings
 
 Response example:
 ```json
-{"data": {"enabled": true, "zones": ["lan"]}}
+{"data": {"enabled": true, "zones": ["lan"], "ports": ["53", "853"]}}
 ```
 
 ### dns-edit-settings
 
 Edit dns adblock settings:
 ```
-api-cli ns.threatshield dns-edit-settings --data '{"enabled": true, "zones": ["lan"]}'
+api-cli ns.threatshield dns-edit-settings --data '{"enabled": true, "zones": ["lan"], "ports": ["53", "853"]}'
 ```
 
 Response example:
@@ -6009,9 +6009,12 @@ Response example:
 {"message": "success"}
 ```
 
+It can raise the following validation errors:
+- `address_already_present` if the address is already inside the allow list
+
 ### dns-edit-allowed
 
-Change the description of an address already insie the allow list:
+Change the description of an address already inside the allow list:
 ```
 api-cli ns.threatshield dns-edit-allowed --data '{"address": "nethesis.it", "description": "my new desc"}'
 ```
@@ -6021,6 +6024,9 @@ Response example:
 {"message": "success"}
 ```
 
+It can raise the following validation errors:
+- `address_not_found` if the address is not inside the allow list
+
 ### dns-delete-allowed
 
 Delete an address from the allow list:
@@ -6033,6 +6039,9 @@ Response example:
 {"message": "success"}
 ```
 
+It can raise the following validation errors:
+- `address_not_found` if the address is not inside the allow list
+
 ### dns-list-bypass
 
 List hosts that can bypass the adblock DNS redirect:
@@ -6069,6 +6078,69 @@ Response example:
 {"message": "success"}
 ```
 
+### dns-list-blocked
+
+List blocked domains from the local DNS block list:
+```
+api-cli ns.threatshield dns-list-blocked
+```
+
+Response example:
+```json
+{
+  "data": [
+    {
+      "address": "dangerousdomain.com",
+      "description": "Lorem ipsum dolor sit amet"
+    },
+    {
+      "address": "nastydomain.net",
+      "description": ""
+    }
+  ]
+}
+```
+
+### dns-add-blocked
+
+Add a domain to the local DNS block list:
+```
+api-cli ns.threatshield dns-add-blocked --data '{"address": "nastydomain.net", "description": "my block1"}'
+```
+
+Response example:
+```json
+{"message": "success"}
+```
+
+It can raise the following validation errors:
+- `address_already_present` if the address is already inside the block list
+
+### dns-edit-blocked
+
+Change the description of an address already inside the local DNS block list:
+```
+api-cli ns.threatshield dns-edit-blocked --data '{"address": "nastydomain.net", "description": "My new desc"}'
+```
+
+It can raise the following validation errors:
+- `address_not_found` if the address is not inside the block list
+
+### dns-delete-blocked
+
+Delete an address from the local DNS block list:
+```
+api-cli ns.threatshield dns-delete-blocked --data '{"address": "nastydomain.net"}'
+```
+
+Response example:
+```json
+{"message": "success"}
+```
+
+It can raise the following validation errors:
+- `address_not_found` if the address is not inside the block list
+
 ## ns.qos
 
 Allows to configure QoS for each network interface available.

diff --git a/packages/ns-api/files/ns.threatshield b/packages/ns-api/files/ns.threatshield
@@ -367,7 +367,6 @@ def dns_list_blocklist(e_uci):
     return { "data": ret }
 
 def dns_edit_blocklist(e_uci, payload):
-    feeds = list_dns_feeds()
     try:
         enabled = list(e_uci.get_all('adblock', 'global', 'adb_sources'))
     except:
@@ -382,10 +381,14 @@ def dns_edit_blocklist(e_uci, payload):
 
 def dns_list_settings(e_uci):
     try:
-        zones = list(e_uci.get('adblock', 'global', 'adb_zonelist'))
+        zones = list(e_uci.get_all('adblock', 'global', 'adb_zonelist'))
     except:
         zones = []
-    return { 'data': {'enabled': e_uci.get('adblock', 'global', 'ts_enabled') == '1', "zones": zones} }
+    try:
+        ports = list(e_uci.get_all('adblock', 'global', 'adb_portlist'))
+    except:
+        ports = []
+    return { 'data': {'enabled': e_uci.get('adblock', 'global', 'ts_enabled') == '1', "zones": zones, "ports": ports} }
 
 def dns_edit_settings(e_uci, payload):
     if payload['enabled']:
@@ -394,10 +397,7 @@ def dns_edit_settings(e_uci, payload):
         e_uci.set('adblock', 'global', 'adb_backup', '1')
         e_uci.set('adblock', 'global', 'adb_forcedns', '1')
         e_uci.set('adblock', 'global', 'adb_zonelist', payload.get('zones', ['lan']))
-        try:
-            e_uci.get('adblock', 'global', 'adb_portlist')
-        except:
-            e_uci.set('adblock', 'global', 'adb_portlist', ['53', '853'])
+        e_uci.set('adblock', 'global', 'adb_portlist', payload.get('ports', ['53', '853']))
     else:
         e_uci.set('adblock', 'global', 'ts_enabled', '0')
         e_uci.set('adblock', 'global', 'adb_enabled', '0')
@@ -408,6 +408,9 @@ def dns_edit_settings(e_uci, payload):
 def dns_list_allowed():
     return { "data": get_allow_list('/etc/adblock/adblock.whitelist') }
 
+def dns_list_blocked():
+    return { "data": get_allow_list('/etc/adblock/adblock.blacklist') }
+
 def dns_add_allowed(payload):
     cur = get_allow_list('/etc/adblock/adblock.whitelist')
     # extract address from cur list
@@ -417,6 +420,15 @@ def dns_add_allowed(payload):
     write_allow_list(cur, '/etc/adblock/adblock.whitelist')
     return {'message': 'success'}
 
+def dns_add_blocked(payload):
+    cur = get_allow_list('/etc/adblock/adblock.blacklist')
+    # extract address from cur list
+    if payload['address'] in [x['address'] for x in cur]:
+        raise ValidationError('address', 'address_already_present', payload['address'])
+    cur.append({ "address": payload['address'], "description": payload.get('description') })
+    write_allow_list(cur, '/etc/adblock/adblock.blacklist')
+    return {'message': 'success'}
+
 def dns_edit_allowed(payload):
     cur = get_allow_list('/etc/adblock/adblock.whitelist')
     if payload['address'] not in [x['address'] for x in cur]:
@@ -428,6 +440,17 @@ def dns_edit_allowed(payload):
     write_allow_list(cur, '/etc/adblock/adblock.whitelist')
     return {'message': 'success'}
 
+def dns_edit_blocked(payload):
+    cur = get_allow_list('/etc/adblock/adblock.blacklist')
+    if payload['address'] not in [x['address'] for x in cur]:
+        raise ValidationError('address', 'address_not_found', payload['address'])
+    for i in range(len(cur)):
+        if cur[i]['address'] == payload['address']:
+            cur[i]['description'] = payload.get('description')
+            break
+    write_allow_list(cur, '/etc/adblock/adblock.blacklist')
+    return {'message': 'success'}
+
 def dns_delete_allowed(payload):
     cur = get_allow_list('/etc/adblock/adblock.whitelist')
     if payload['address'] not in [x['address'] for x in cur]:
@@ -440,6 +463,18 @@ def dns_delete_allowed(payload):
     write_allow_list(cur, '/etc/adblock/adblock.whitelist')
     return {'message': 'success'}
 
+def dns_delete_blocked(payload):
+    cur = get_allow_list('/etc/adblock/adblock.blacklist')
+    if payload['address'] not in [x['address'] for x in cur]:
+        raise ValidationError('address', 'address_not_found', payload['address'])
+    # remove address from cur list
+    for i in range(len(cur)):
+        if cur[i]['address'] == payload['address']:
+            del cur[i]
+            break
+    write_allow_list(cur, '/etc/adblock/adblock.blacklist')
+    return {'message': 'success'}
+
 def dns_list_bypass(e_uci):
     # adblock.global.adb_bypass
     try:
@@ -503,11 +538,15 @@ if cmd == 'list':
         'dns-list-blocklist': {},
         'dns-edit-blocklist': { "blocklist": "blocklist_name", "enabled": True },
         'dns-list-settings': {},
-        'dns-edit-settings': { 'enabled': True, 'zones': ["lan"] },
+        'dns-edit-settings': { 'enabled': True, 'zones': ["lan"], "ports": ["53", "853"] },
         'dns-list-allowed': {},
         'dns-add-allowed': { 'address': 'test.org' , 'description': 'optional'},
         'dns-edit-allowed': { 'address': 'test.org', 'description': 'optional' },
         'dns-delete-allowed' : { 'address': 'test.org' },
+        'dns-list-blocked': {},
+        'dns-add-blocked': {'address': '1.2.3.4', 'description': 'optional'},
+        'dns-edit-blocked': {'address': '1.2.3.4', 'description': 'optional'},
+        'dns-delete-blocked': {'address': '1.2.3.4'},
         'dns-list-bypass': {},
         'dns-add-bypass': { 'address': '1.2.3.4' },
         'dns-delete-bypass': { 'address': '1.2.3.4' }
@@ -578,6 +617,17 @@ elif cmd == 'call':
         elif action == 'dns-delete-bypass':
             payload = json.loads(sys.stdin.read())
             ret = dns_delete_bypass(e_uci, payload)
+        elif action == 'dns-list-blocked':
+            ret = dns_list_blocked()
+        elif action == 'dns-add-blocked':
+            payload = json.loads(sys.stdin.read())
+            ret = dns_add_blocked(payload)
+        elif action == 'dns-edit-blocked':
+            payload = json.loads(sys.stdin.read())
+            ret = dns_edit_blocked(payload)
+        elif action == 'dns-delete-blocked':
+            payload = json.loads(sys.stdin.read())
+            ret = dns_delete_blocked(payload)
 
         print(json.dumps(ret))
     except ValidationError as ex: