update cache key system

mobula9 · mobula9 · commit d8d38dbe64d0 · 2021-01-18T22:45:46.000+01:00
diff --git a/scripts/setup-local-crowdsec.sh b/scripts/setup-local-crowdsec.sh
@@ -1,14 +1,17 @@
 #!/bin/sh
 
 # Delete existing LAPI database.
-[ -e ../var/docker-data/crowdsec.db ] && rm ../var/docker-data/crowdsec.db
+[ -e ./var/docker-data/crowdsec.db ] && rm ./var/docker-data/crowdsec.db
 
 # Start containers.
 docker-compose up --force-recreate -d crowdsec
 docker-compose up --remove-orphans -d redis memcached
 
 # Create a bouncer with cscli and copy expose generated key.
-docker-compose exec crowdsec /usr/local/bin/cscli bouncers add bouncer-php-library -o raw > ../.bouncer-key
+docker-compose exec crowdsec /usr/local/bin/cscli bouncers add bouncer-php-library -o raw > ./.bouncer-key
 
 # Create a watcher with cscli.
-docker-compose exec crowdsec cscli machines add PhpUnitTestMachine --password PhpUnitTestMachinePassword > /dev/null 2>&1
+docker-compose exec crowdsec cscli machines add PhpUnitTestMachine --password PhpUnitTestMachinePassword > /dev/null 2>&1
+
+# Ensure composer deps are presents
+docker-compose run app composer install
diff --git a/src/ApiCache.php b/src/ApiCache.php
@@ -5,6 +5,7 @@
 namespace CrowdSecBouncer;
 
 use DateTime;
+use IPLib\Address\AddressInterface;
 use IPLib\Factory;
 use IPLib\Range\Subnet;
 use Psr\Log\LoggerInterface;
@@ -257,19 +258,19 @@ private function saveRemediations(array $decisions): bool
 
             if ('Ip' === $decision['scope']) {
                 $address = Factory::addressFromString($decision['value']);
-                $this->addRemediationToCacheItem($address->toString(), $type, $exp, $id);
+                $this->addRemediationToCacheItem(Bouncer::formatIpAsCacheKey($address), $type, $exp, $id);
             } elseif ('Range' === $decision['scope']) {
                 $range = Subnet::fromString($decision['value']);
 
                 $comparableEndAddress = $range->getEndAddress()->getComparableString();
                 $address = $range->getStartAddress();
-                $this->addRemediationToCacheItem($address->toString(), $type, $exp, $id);
+                $this->addRemediationToCacheItem(Bouncer::formatIpAsCacheKey($address), $type, $exp, $id);
                 $ipCount = 1;
                 do {
                     $address = $address->getNextAddress();
-                    $this->addRemediationToCacheItem($address->toString(), $type, $exp, $id);
+                    $this->addRemediationToCacheItem(Bouncer::formatIpAsCacheKey($address), $type, $exp, $id);
                     ++$ipCount;
-                    if ($ipCount >= Constants::MAX_ALLOWED_IP_RANGE_WIDTH) {
+                    if ($ipCount >= 1000) {
                         throw new BouncerException("Unable to store the decision ${$decision['id']}, the IP range: ${$decision['value']} is too large and can cause storage problem. Decision ignored.");
                     }
                 } while (0 !== strcmp($address->getComparableString(), $comparableEndAddress));
@@ -285,7 +286,7 @@ private function removeRemediations(array $decisions): int
         foreach ($decisions as $decision) {
             if ('Ip' === $decision['scope']) {
                 $address = Factory::addressFromString($decision['value']);
-                if (!$this->removeDecisionFromRemediationItem($address->toString(), $decision['id'])) {
+                if (!$this->removeDecisionFromRemediationItem(Bouncer::formatIpAsCacheKey($address), $decision['id'])) {
                     $this->logger->debug('', ['type' => 'DECISION_TO_REMOVE_NOT_FOUND_IN_CACHE', 'decision' => $decision['id']]);
                 } else {
                     $this->logger->debug('', [
@@ -299,18 +300,18 @@ private function removeRemediations(array $decisions): int
 
                 $comparableEndAddress = $range->getEndAddress()->getComparableString();
                 $address = $range->getStartAddress();
-                if (!$this->removeDecisionFromRemediationItem($address->toString(), $decision['id'])) {
+                if (!$this->removeDecisionFromRemediationItem(Bouncer::formatIpAsCacheKey($address), $decision['id'])) {
                     $this->logger->debug('', ['type' => 'DECISION_TO_REMOVE_NOT_FOUND_IN_CACHE', 'decision' => $decision['id']]);
                 }
                 $ipCount = 1;
                 $success = true;
                 do {
                     $address = $address->getNextAddress();
-                    if (!$this->removeDecisionFromRemediationItem($address->toString(), $decision['id'])) {
+                    if (!$this->removeDecisionFromRemediationItem(Bouncer::formatIpAsCacheKey($address), $decision['id'])) {
                         $success = false;
                     }
                     ++$ipCount;
-                    if ($ipCount >= Constants::MAX_ALLOWED_IP_RANGE_WIDTH) {
+                    if ($ipCount >= 1000) {
                         throw new BouncerException("Unable to store the decision ${$decision['id']}, the IP range: ${$decision['value']} is too large and can cause storage problem. Decision ignored.");
                     }
                 } while (0 !== strcmp($address->getComparableString(), $comparableEndAddress));
@@ -458,16 +459,17 @@ public function pullUpdates(): array
      * In stream mode, as we considere cache is the single source of truth, the IP is considered clean.
      * Finally the result is stored in caches for further calls.
      */
-    private function miss(string $ip): string
+    private function miss(string $ipToQuery, string $cacheKey): string
     {
         $decisions = [];
 
         if ($this->liveMode) {
-            $this->logger->debug('', ['type' => 'DIRECT_API_CALL', 'ip' => $ip]);
-            $decisions = $this->apiClient->getFilteredDecisions(['ip' => $ip]);
+            $this->logger->debug('', ['type' => 'DIRECT_API_CALL', 'ip' => $ipToQuery]);
+            $decisions = $this->apiClient->getFilteredDecisions(['ip' => $ipToQuery]);
         }
 
-        return $this->saveRemediationsForIp($decisions, $ip);
+
+        return $this->saveRemediationsForIp($decisions, $cacheKey);
     }
 
     /**
@@ -491,27 +493,28 @@ private function hit(string $ip): string
      *
      * @return string the computed remediation string, or null if no decision was found
      */
-    public function get(string $ip): string
+    public function get(AddressInterface $address): string
     {
-        $this->logger->debug('', ['type' => 'START_IP_CHECK', 'ip' => $ip]);
+        $cacheKey = Bouncer::formatIpAsCacheKey($address);
+        $this->logger->debug('', ['type' => 'START_IP_CHECK', 'ip' => $cacheKey]);
         if (!$this->liveMode && !$this->warmedUp) {
             throw new BouncerException('CrowdSec Bouncer configured in "stream" mode. Please warm the cache up before trying to access it.');
         }
 
-        if ($this->adapter->hasItem(base64_encode($ip))) {
-            $remediation = $this->hit($ip);
+        if ($this->adapter->hasItem(base64_encode($cacheKey))) {
+            $remediation = $this->hit($cacheKey);
             $cache = 'hit';
         } else {
-            $remediation = $this->miss($ip);
+            $remediation = $this->miss($address->toString(), $cacheKey);
             $cache = 'miss';
         }
 
         if (Constants::REMEDIATION_BYPASS === $remediation) {
-            $this->logger->info('', ['type' => 'CLEAN_IP', 'ip' => $ip, 'cache' => $cache]);
+            $this->logger->info('', ['type' => 'CLEAN_IP', 'ip' => $cacheKey, 'cache' => $cache]);
         } else {
             $this->logger->warning('', [
                 'type' => 'BAD_IP',
-                'ip' => $ip,
+                'ip' => $cacheKey,
                 'remediation' => $remediation,
                 'cache' => $cache,
             ]);
diff --git a/src/Bouncer.php b/src/Bouncer.php
@@ -7,6 +7,8 @@
 
 use Gregwar\Captcha\CaptchaBuilder;
 use Gregwar\Captcha\PhraseBuilder;
+use IPLib\Address\AddressInterface;
+use IPLib\Address\Type;
 use IPLib\Factory;
 use Monolog\Handler\NullHandler;
 use Monolog\Logger;
@@ -91,6 +93,18 @@ private function capRemediationLevel(string $remediation): string
         return $remediation;
     }
 
+    /**
+     * Format the input IP address as a cache key.
+     */
+    public static function formatIpAsCacheKey(AddressInterface $ip): string
+    {
+        if (Type::T_IPv6 === $ip->getAddressType) {
+            return implode(':', \array_slice($ip->toString(true), 0, 4));
+        }
+
+        return $ip->toString();
+    }
+
     /**
      * Get the remediation for the specified IP. This method use the cache layer.
      * In live mode, when no remediation was found in cache,
@@ -100,11 +114,11 @@ private function capRemediationLevel(string $remediation): string
      */
     public function getRemediationForIp(string $ip): string
     {
-        $ip = Factory::addressFromString($ip, false);
-        if (null === $ip) {
+        $address = Factory::addressFromString($ip, false);
+        if (null === $address) {
             throw new BouncerException("IP $ip format is invalid.");
         }
-        $remediation = $this->apiCache->get($ip->toString());
+        $remediation = $this->apiCache->get($address);
 
         return $this->capRemediationLevel($remediation);
     }
diff --git a/src/Constants.php b/src/Constants.php
@@ -45,7 +45,4 @@ class Constants
 
     /** @var array<string> The list of each known remediation, sorted by priority */
     public const ORDERED_REMEDIATIONS = [self::REMEDIATION_BAN, self::REMEDIATION_CAPTCHA, self::REMEDIATION_BYPASS];
-
-    /** @var int The maximum allowed range width */
-    public const MAX_ALLOWED_IP_RANGE_WIDTH = 1000000;
 }

Original file line number	Diff line number	Diff line change
`@@ -45,7 +45,4 @@ class Constants`
`45`	`45`
`46`	`46`	`/** @var array<string> The list of each known remediation, sorted by priority */`
`47`	`47`	`public const ORDERED_REMEDIATIONS = [self::REMEDIATION_BAN, self::REMEDIATION_CAPTCHA, self::REMEDIATION_BYPASS];`
`48`		`-`
`49`		`- /** @var int The maximum allowed range width */`
`50`		`- public const MAX_ALLOWED_IP_RANGE_WIDTH = 1000000;`
`51`	`48`	`}`