Feat: Add blocklist feature integration

Implemented a new blocklist feature that triggers actions based on client IP checks against a specified blocklist. Updated the Dockerfile to use a new user group "blocklist" for security purposes, and modified the Telegram plugin to handle blocklist notifications. Signed-off-by: Christian Roessner <[email protected]>
croessner · Sep 10, 2024 · d5151ec · d5151ec
1 parent 907a4a9
commit d5151ec
Show file tree

Hide file tree

Showing 3 changed files with 79 additions and 2 deletions.
diff --git a/Dockerfile.blocklist b/Dockerfile.blocklist
@@ -20,8 +20,8 @@ LABEL com.roessner-network-solutions.vendor="Rößner-Network-Solutions"
 
 WORKDIR /usr/app
 
-RUN addgroup -S nauthilus; \
-    adduser -S nauthilus -G nauthilus -D -H -s /bin/nologin
+RUN addgroup -S blocklist; \
+    adduser -S blocklist -G blocklist -D -H -s /bin/nologin
 
 RUN apk --no-cache --upgrade add ca-certificates bash curl
 

diff --git a/server/lua-plugins.d/actions/telegram.lua b/server/lua-plugins.d/actions/telegram.lua
@@ -58,6 +58,13 @@ function nauthilus_call_action(request)
             end
         end
 
+        -- feature_blocklist
+        if rt.feature_blocklist then
+            send_message = true
+            headline = "Feature triggered"
+            log_prefix = "feature_"
+        end
+
         -- filter_geoippolicyd
         if rt.filter_geoippolicyd then
             send_message = true

diff --git a/server/lua-plugins.d/features/blocklist.lua b/server/lua-plugins.d/features/blocklist.lua
@@ -0,0 +1,70 @@
+local nauthilus_util = require("nauthilus_util")
+
+dynamic_loader("nauthilus_context")
+local nauthilus_context = require("nauthilus_context")
+
+dynamic_loader("nauthilus_gll_http")
+local http = require("http")
+
+dynamic_loader("nauthilus_gll_json")
+local json = require("json")
+
+local client = http.client({
+    timeout = 30,
+    user_agent = "Nauthilus"
+})
+
+local N = "feature_blocklist"
+
+function nauthilus_call_feature(request)
+    if not request.client_ip then
+        nauthilus_builtin.custom_log_add(N, "no client IP found")
+
+        return nauthilus_builtin.FEATURE_TRIGGER_NO, nauthilus_builtin.FEATURES_ABORT_NO, nauthilus_builtin.FEATURE_RESULT_FAILURE
+    end
+
+    -- Get result table
+    local rt = nauthilus_context.context_get("rt")
+    if rt == nil then
+        rt = {}
+    end
+
+    local t = {}
+
+    t.ip = request.client_ip
+
+    local payload, json_encode_err = json.encode(t)
+    nauthilus_util.if_error_raise(json_encode_err)
+
+    local blocklist_request = http.request("POST", os.getenv("BLOCKLIST_URL"), payload)
+    blocklist_request:header_set("Content-Type", "application/json")
+
+    local result, request_err = client:do_request(blocklist_request)
+    nauthilus_util.if_error_raise(request_err)
+
+    if result.code ~= 200 then
+        nauthilus_util.if_error_raise(N .. "_status_code=" .. tostring(result.code))
+    end
+
+    local response, err_jdec = json.decode(result.body)
+    nauthilus_util.if_error_raise(err_jdec)
+
+    if response.error then
+        return nauthilus_builtin.FEATURE_TRIGGER_NO, nauthilus_builtin.FEATURES_ABORT_NO, nauthilus_builtin.FEATURE_RESULT_FAILURE
+    end
+
+    if response.found then
+        if nauthilus_util.is_table(rt) then
+            rt.feature_blocklist = true
+
+            nauthilus_context.context_set("rt", rt)
+        end
+
+        nauthilus_builtin.custom_log_add(N .. "_ip", request.client_ip)
+        nauthilus_builtin.status_message_set("IP address blocked")
+
+        return nauthilus_builtin.FEATURE_TRIGGER_YES, nauthilus_builtin.FEATURES_ABORT_YES, nauthilus_builtin.FEATURE_RESULT_OK
+    end
+
+    return nauthilus_builtin.FEATURE_TRIGGER_NO, nauthilus_builtin.FEATURES_ABORT_NO, nauthilus_builtin.FEATURE_RESULT_OK
+end