NullNet-ai
diff --git a/‎Cargo.lock
Lines changed: 26 additions & 26 deletions b/‎Cargo.lock
Lines changed: 26 additions & 26 deletions
diff --git a/‎firewall.json
Lines changed: 3 additions & 1 deletion b/‎firewall.json
Lines changed: 3 additions & 1 deletion
diff --git a/‎src/app_guard_impl.rs
Lines changed: 14 additions & 6 deletions b/‎src/app_guard_impl.rs
Lines changed: 14 additions & 6 deletions
diff --git a/‎src/db/datastore_wrapper.rs
Lines changed: 61 additions & 0 deletions b/‎src/db/datastore_wrapper.rs
Lines changed: 61 additions & 0 deletions
diff --git a/‎src/db/entries.rs
Lines changed: 7 additions & 9 deletions b/‎src/db/entries.rs
Lines changed: 7 additions & 9 deletions
diff --git a/‎src/db/store/denied_ip.rs
Lines changed: 6 additions & 4 deletions b/‎src/db/store/denied_ip.rs
Lines changed: 6 additions & 4 deletions
diff --git a/‎src/entrypoint.rs
Lines changed: 4 additions & 5 deletions b/‎src/entrypoint.rs
Lines changed: 4 additions & 5 deletions
@@ -34,7 +34,9 @@
         {
           "type": "predicate",
           "condition": "contains",
-          "source_ip": "alias_name"
+          "source_ip": [
+            "alias_name"
+          ]
         }
       ]
     },
 
@@ -40,6 +40,7 @@ pub struct AppGuardImpl {
     ip_info_handler: IpInfoHandler,
     tx_store: UnboundedSender<DbEntry>,
     ctx: AppContext,
+    quarantine_alias_id: u64,
     // tx_ai: Sender<AiEntry>,
 }
 
@@ -60,12 +61,18 @@ pub fn terminate_app_guard(exit_code: i32) -> Result<(), Error> {
 }
 
 impl AppGuardImpl {
-    pub fn new(ctx: AppContext) -> AppGuardImpl {
-        let ds = ctx.datastore.clone();
+    pub async fn new(ctx: AppContext) -> Result<AppGuardImpl, Error> {
+        let mut ds = ctx.datastore.clone();
         let ds_2 = ctx.datastore.clone();
 
         log::info!("Connected to Datastore");
 
+        // upsert the 'ip_quarantine' host alias in datastore retrieving its ID
+        let root_token_provider = ctx.root_token_provider.clone();
+        let quarantine_alias_id = ds
+            .upsert_quarantine_alias(&root_token_provider.get().await?.jwt)
+            .await?;
+
         let config_2 = ctx.config_pair.clone();
 
         let ip_info_handler = ip_info_handler();
@@ -105,15 +112,16 @@ impl AppGuardImpl {
             store_entries(&ds, &mut rx_store).await;
         });
 
-        AppGuardImpl {
+        Ok(AppGuardImpl {
             entry_ids: EntryIds::default(),
             unanswered_connections: Arc::new(Mutex::new(HashMap::new())),
             ip_info_cache,
             ip_info_handler,
             tx_store,
             // tx_ai,
             ctx,
-        }
+            quarantine_alias_id,
+        })
     }
 
     fn config_log_requests(&self) -> Result<bool, Error> {
@@ -192,11 +200,11 @@ impl AppGuardImpl {
         if res.policy == FirewallPolicy::Deny {
             let denied_ip = DeniedIp {
                 ip: item.get_remote_ip(),
-                deny_reasons: res.reasons.clone(),
+                _deny_reasons: res.reasons.clone(),
             };
             self.tx_store
                 .send(DbEntry::DeniedIp((
-                    app_id.clone(),
+                    self.quarantine_alias_id,
                     denied_ip,
                     token.to_string(),
                 )))
 
@@ -1159,6 +1159,67 @@ impl DatastoreWrapper {
 
         Ok(ret_val)
     }
+
+    pub(crate) async fn upsert_quarantine_alias(&mut self, token: &str) -> Result<u64, Error> {
+        let record = json!(
+            {
+                "type": "host",
+                "name": "quarantine",
+                "description": "Alias for quarantined IPs",
+                "alias_status": "Applied",
+            }
+        )
+        .to_string();
+        let table = "aliases";
+
+        let request = UpsertRequest {
+            params: Some(Params {
+                id: String::new(),
+                table: table.into(),
+                r#type: String::new(),
+            }),
+            query: Some(Query {
+                pluck: String::from("id"),
+                durability: String::from("soft"),
+            }),
+            body: Some(UpsertBody {
+                data: record,
+                conflict_columns: vec!["name".to_string()],
+            }),
+        };
+
+        log::trace!("Before upsert to {table}");
+        let result = self.inner.upsert(request, token).await?;
+        log::trace!("After upsert to {table}");
+
+        let id = Self::internal_upsert_quarantine_alias_parse_response_data(result.data)?;
+        Ok(id)
+    }
+
+    fn internal_upsert_quarantine_alias_parse_response_data(data: String) -> Result<u64, Error> {
+        let array_val = serde_json::from_str::<serde_json::Value>(&data).handle_err(location!())?;
+        let array = array_val
+            .as_array()
+            .ok_or("Failed to parse response")
+            .handle_err(location!())?;
+
+        let i = array
+            .first()
+            .ok_or("Error upserting quarantine alias")
+            .handle_err(location!())?;
+
+        let map = i
+            .as_object()
+            .ok_or("Invalid data")
+            .handle_err(location!())?;
+        let id = map
+            .get("id")
+            .and_then(serde_json::Value::as_u64)
+            .ok_or("Invalid data")
+            .handle_err(location!())?;
+
+        Ok(id)
+    }
 }
 
 #[cfg(test)]
 
@@ -21,7 +21,7 @@ pub enum DbEntry {
     TcpConnection((AppGuardTcpConnection, u64)),
     // Blacklist((Vec<String>, String)),
     Firewall((String, Firewall, String)),
-    DeniedIp((String, DeniedIp, String)),
+    DeniedIp((u64, DeniedIp, String)),
     Config((Config, String)),
 }
 
@@ -70,13 +70,9 @@ impl DbEntry {
                 log::info!("Firewall inserted in datastore");
             }
             DbEntry::DeniedIp((_, denied_ip, _)) => {
-                // todo: change this to a custom query to aliases
+                // insert the denied IP into the ip_aliases table
                 let _ = ds.insert(self, token.as_str()).await?;
-                log::info!(
-                    "Denied IP inserted in datastore: {} {:?}",
-                    denied_ip.ip,
-                    denied_ip.deny_reasons
-                );
+                log::info!("Denied IP inserted in datastore: {}", denied_ip.ip);
             }
             DbEntry::Config((configs, _)) => {
                 let _ = ds.insert(self, token.as_str()).await?;
@@ -104,7 +100,9 @@ impl DbEntry {
             //     Ok(json)
             // }
             DbEntry::Firewall((app_id, f, _)) => f.to_json(app_id),
-            DbEntry::DeniedIp((app_id, denied_ip, _)) => denied_ip.to_json(app_id),
+            DbEntry::DeniedIp((quarantine_alias_id, denied_ip, _)) => {
+                denied_ip.to_json(*quarantine_alias_id)
+            }
             DbEntry::Config((configs, _)) => serde_json::to_string(configs).handle_err(location!()),
         }
     }
@@ -119,7 +117,7 @@ impl DbEntry {
             DbEntry::TcpConnection(_) => DbTable::TcpConnection,
             // DbEntry::Blacklist(_) => DbTable::Blacklist,
             DbEntry::Firewall(_) => DbTable::Firewall,
-            DbEntry::DeniedIp(_) => DbTable::Alias,
+            DbEntry::DeniedIp(_) => DbTable::IpAlias,
             DbEntry::Config(_) => DbTable::Config,
         }
     }
 
@@ -1,13 +1,15 @@
 use crate::firewall::denied_ip::DeniedIp;
-use nullnet_liberror::{location, Error, ErrorHandler, Location};
+use nullnet_liberror::Error;
 use serde_json::json;
 
 impl DeniedIp {
-    pub(crate) fn to_json(&self, app_id: &str) -> Result<String, Error> {
+    pub(crate) fn to_json(&self, quarantine_alias_id: u64) -> Result<String, Error> {
+        // a denied IP is always a single IP and (not a subnet)
+        let prefix = if self.ip.is_ipv4() { 32 } else { 128 };
         Ok(json!({
-            "app_id": app_id,
+            "alias_id": quarantine_alias_id,
             "ip": self.ip,
-            "deny_reasons": serde_json::to_string(&self.deny_reasons).handle_err(location!())?,
+            "prefix": prefix,
         })
         .to_string())
     }
 
@@ -23,7 +23,8 @@ pub async fn start_appguard(ctx: AppContext) -> Result<(), Error> {
 
     server_builder()?
         .add_service(
-            AppGuardServer::new(init_app_guard(ctx)?).max_decoding_message_size(50 * 1024 * 1024),
+            AppGuardServer::new(init_app_guard(ctx).await?)
+                .max_decoding_message_size(50 * 1024 * 1024),
         )
         .serve(addr)
         .await
@@ -41,7 +42,7 @@ pub async fn start_appguard(ctx: AppContext) -> Result<(), Error> {
 //     Logger::init(logger_config);
 // }
 
-fn init_app_guard(ctx: AppContext) -> Result<AppGuardImpl, Error> {
+async fn init_app_guard(ctx: AppContext) -> Result<AppGuardImpl, Error> {
     if cfg!(not(debug_assertions)) {
         // custom panic hook to correctly clean up the server, even in case a secondary thread fails
         let orig_hook = panic::take_hook();
@@ -58,9 +59,7 @@ fn init_app_guard(ctx: AppContext) -> Result<AppGuardImpl, Error> {
     })
     .handle_err(location!())?;
 
-    let app_guard_impl = AppGuardImpl::new(ctx);
-
-    Ok(app_guard_impl)
+    AppGuardImpl::new(ctx).await
 }
 
 fn server_builder() -> Result<Server, Error> {
Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,9 @@`
`34`	`34`	`{`
`35`	`35`	`"type": "predicate",`
`36`	`36`	`"condition": "contains",`
`37`		`- "source_ip": "alias_name"`
	`37`	`+ "source_ip": [`
	`38`	`+ "alias_name"`
	`39`	`+ ]`
`38`	`40`	`}`
`39`	`41`	`]`
`40`	`42`	`},`