Merge pull request #173 from AikidoSec/fix-monitoring-ip-issues

IP/UA Stats: Clean up

Author: bitterpanda63

agent_api/src/main/java/dev/aikido/agent_api/collectors/WebRequestCollector.java

@@ -4,6 +4,7 @@
 import dev.aikido.agent_api.context.Context;
 import dev.aikido.agent_api.context.ContextObject;
 import dev.aikido.agent_api.context.RouteMetadata;
+import dev.aikido.agent_api.storage.ServiceConfigStore;
 import dev.aikido.agent_api.storage.ServiceConfiguration;
 import dev.aikido.agent_api.storage.statistics.StatisticsStore;
 
@@ -43,11 +44,11 @@ public static Res report(ContextObject newContext) {
         if (endpointAllowlistRes != null)
             return endpointAllowlistRes;
 
-        Res blockedIpsRes = checkBlockedIps(newContext.getRemoteAddress(), config);
+        Res blockedIpsRes = checkBlockedIps(newContext.getRemoteAddress());
         if (blockedIpsRes != null)
             return blockedIpsRes;
 
-        return checkBlockedUserAgents(newContext.getHeader("user-agent"), config);
+        return checkBlockedUserAgents(newContext.getHeader("user-agent"));
     }
 
     private static Res checkEndpointAllowlist(RouteMetadata routeMetadata, String remoteAddress, ServiceConfiguration config) {
@@ -60,8 +61,8 @@ private static Res checkEndpointAllowlist(RouteMetadata routeMetadata, String re
         return null; // not blocked
     }
 
-    private static Res checkBlockedIps(String remoteAddress, ServiceConfiguration config) {
-        ServiceConfiguration.BlockedResult ipBlocked = config.isIpBlocked(remoteAddress);
+    private static Res checkBlockedIps(String remoteAddress) {
+        ServiceConfiguration.BlockedResult ipBlocked = ServiceConfigStore.isIpBlocked(remoteAddress);
         if (ipBlocked.blocked()) {
             String msg = "Your IP address is blocked. Reason: " + ipBlocked.description();
             msg += " (Your IP: " + remoteAddress + ")";
@@ -70,11 +71,11 @@ private static Res checkBlockedIps(String remoteAddress, ServiceConfiguration co
         return null; // not blocked
     }
 
-    private static Res checkBlockedUserAgents(String userAgent, ServiceConfiguration config) {
+    private static Res checkBlockedUserAgents(String userAgent) {
         if (userAgent == null || userAgent.isEmpty()) {
             return null; // not blocked
         }
-        if (config.isBlockedUserAgent(userAgent)) {
+        if (ServiceConfigStore.isBlockedUserAgent(userAgent)) {
             String msg = "You are not allowed to access this resource because you have been identified as a bot.";
             return new Res(msg, 403);
         }

agent_api/src/main/java/dev/aikido/agent_api/storage/ServiceConfigStore.java

@@ -5,7 +5,6 @@
 import dev.aikido.agent_api.helpers.logging.LogManager;
 import dev.aikido.agent_api.helpers.logging.Logger;
 
-import java.util.Optional;
 import java.util.concurrent.locks.ReentrantReadWriteLock;
 
 public final class ServiceConfigStore {
@@ -24,6 +23,24 @@ public static ServiceConfiguration getConfig() {
         }
     }
 
+    public static ServiceConfiguration.BlockedResult isIpBlocked(String ip) {
+        mutex.readLock().lock();
+        try {
+            return config.isIpBlocked(ip);
+        } finally {
+            mutex.readLock().unlock();
+        }
+    }
+
+    public static boolean isBlockedUserAgent(String userAgent) {
+        mutex.readLock().lock();
+        try {
+            return config.isBlockedUserAgent(userAgent);
+        } finally {
+            mutex.readLock().unlock();
+        }
+    }
+
     public static void updateFromAPIResponse(APIResponse apiResponse) {
         mutex.writeLock().lock();
         try {

agent_api/src/main/java/dev/aikido/agent_api/storage/ServiceConfiguration.java

@@ -91,15 +91,20 @@ public BlockedResult isIpBlocked(String ip) {
             return new BlockedResult(true, "not in allowlist");
         }
 
-        // Check for blocked ip addresses
+        // Check for monitored IP addresses
+        List<ParsedFirewallLists.Match> monitoredIpMatches = firewallLists.matchMonitoredIps(ip);
+        for (ParsedFirewallLists.Match monitoredMatch: monitoredIpMatches) {
+            StatisticsStore.incrementIpHits(monitoredMatch.key());
+        }
+
+        // Check for blocked IP addresses
         List<ParsedFirewallLists.Match> blockedIpMatches = firewallLists.matchBlockedIps(ip);
-        for (ParsedFirewallLists.Match match : blockedIpMatches) {
-            StatisticsStore.incrementIpHits(match.key());
+        for (ParsedFirewallLists.Match blockedMatch : blockedIpMatches) {
+            StatisticsStore.incrementIpHits(blockedMatch.key());
         }
-        for (ParsedFirewallLists.Match match : firewallLists.matchBlockedIps(ip)) {
-            if (match.block()) {
-                return new BlockedResult(true, match.description());
-            }
+        if (!blockedIpMatches.isEmpty()) {
+            String description = blockedIpMatches.get(0).description();
+            return new BlockedResult(true, description);
         }
 
         return new BlockedResult(false, null);

agent_api/src/main/java/dev/aikido/agent_api/storage/service_configuration/ParsedFirewallLists.java

@@ -12,6 +12,7 @@
 
 public class ParsedFirewallLists {
     private final List<IPEntry> blockedIps = new ArrayList<>();
+    private final List<IPEntry> monitoredIps = new ArrayList<>();
     private final List<IPEntry> allowedIps = new ArrayList<>();
     private final List<UADetailsEntry> uaDetails = new ArrayList<>();
     private Pattern blockedUserAgents = null;
@@ -25,12 +26,23 @@ public List<Match> matchBlockedIps(String ip) {
         List<Match> matches = new ArrayList<>();
         for (IPEntry entry : this.blockedIps) {
             if (entry.ips().matches(ip)) {
-                matches.add(new Match(entry.key(), !entry.monitor(), entry.description()));
+                matches.add(new Match(entry.key(), entry.description()));
             }
         }
         return matches;
     }
 
+    public List<Match> matchMonitoredIps(String ip) {
+        List<Match> matches = new ArrayList<>();
+        for (IPEntry entry : this.monitoredIps) {
+            if (entry.ips().matches(ip)) {
+                matches.add(new Match(entry.key(), entry.description()));
+            }
+        }
+        return matches;
+    }
+
+
     // returns true if one or more matches has been found with allowlist.
     public boolean matchesAllowedIps(String ip) {
         if (this.allowedIps.isEmpty()) {
@@ -67,31 +79,30 @@ public UABlockedResult matchBlockedUserAgents(String userAgent) {
     }
 
     public void update(ReportingApi.APIListsResponse response) {
-        blockedIps.clear();
         updateBlockedIps(response.blockedIPAddresses());
         updateMonitoredIps(response.monitoredIPAddresses());
-
         updateAllowedIps(response.allowedIPAddresses());
-
         updateBlockedAndMonitoredUAs(response.blockedUserAgents(), response.monitoredUserAgents());
         updateUADetails(response.userAgentDetails());
     }
 
     public void updateBlockedIps(List<ReportingApi.ListsResponseEntry> blockedIpLists) {
+        this.blockedIps.clear();
         if (blockedIpLists == null)
             return;
         for (ReportingApi.ListsResponseEntry entry : blockedIpLists) {
             IPList ipList = createIPList(entry.ips());
-            blockedIps.add(new IPEntry(/* monitor */ false, entry.key(), entry.source(), entry.description(), ipList));
+            this.blockedIps.add(new IPEntry(entry.key(), entry.source(), entry.description(), ipList));
         }
     }
 
     public void updateMonitoredIps(List<ReportingApi.ListsResponseEntry> monitoredIpsList) {
+        this.monitoredIps.clear();
         if (monitoredIpsList == null)
             return;
         for (ReportingApi.ListsResponseEntry entry : monitoredIpsList) {
             IPList ipList = createIPList(entry.ips());
-            blockedIps.add(new IPEntry(/* monitor */ true, entry.key(), entry.source(), entry.description(), ipList));
+            this.monitoredIps.add(new IPEntry(entry.key(), entry.source(), entry.description(), ipList));
         }
     }
 
@@ -101,8 +112,7 @@ public void updateAllowedIps(List<ReportingApi.ListsResponseEntry> allowedIpList
             return;
         for (ReportingApi.ListsResponseEntry entry : allowedIpLists) {
             IPList ipList = createIPList(entry.ips());
-            boolean shouldMonitor = false; // we don't monitor allowed ips
-            allowedIps.add(new IPEntry(shouldMonitor, entry.key(), entry.source(), entry.description(), ipList));
+            allowedIps.add(new IPEntry(entry.key(), entry.source(), entry.description(), ipList));
         }
     }
 
@@ -124,13 +134,13 @@ public void updateBlockedAndMonitoredUAs(String blockedUAs, String monitoredUAs)
     }
 
 
-    public record Match(String key, boolean block, String description) {
+    public record Match(String key, String description) {
     }
 
     public record UABlockedResult(boolean block, List<String> matchedKeys) {
     }
 
-    private record IPEntry(boolean monitor, String key, String source, String description, IPList ips) {
+    private record IPEntry(String key, String source, String description, IPList ips) {
     }
 
     private record UADetailsEntry(String key, Pattern pattern) {

agent_api/src/test/java/background/cloud/ReportingAPITest.java

@@ -109,13 +109,14 @@ public void testParsedListsResponse() {
         assertEquals(1, matches.size());
         assertEquals("geo-1", matches.get(0).key());
         assertEquals("geo restrictions", matches.get(0).description());
-        assertTrue(matches.get(0).block());
 
         matches = parsed.matchBlockedIps("5.6.7.8");
+        assertEquals(0, matches.size());
+
+        matches = parsed.matchMonitoredIps("5.6.7.8");
         assertEquals(1, matches.size());
         assertEquals("geo-2", matches.get(0).key());
         assertEquals("should not be blocked", matches.get(0).description());
-        assertFalse(matches.get(0).block());
 
         matches = parsed.matchBlockedIps("2.3.4.5");
         assertEquals(0, matches.size());