From cfb7f7e41c538a35a4e1cb280ef28ef353e0c7c9 Mon Sep 17 00:00:00 2001
From: Jonathan Cobb
Date: Wed, 15 Apr 2020 08:47:47 -0400
Subject: [PATCH 1/4] fix error message, use correct method name
---
 .../src/test/java/bubble/test/BubbleApiRunnerListener.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/bubble-server/src/test/java/bubble/test/BubbleApiRunnerListener.java b/bubble-server/src/test/java/bubble/test/BubbleApiRunnerListener.java
index c195612f..3a25f6c6 100644
--- a/bubble-server/src/test/java/bubble/test/BubbleApiRunnerListener.java
+++ b/bubble-server/src/test/java/bubble/test/BubbleApiRunnerListener.java
@@ -102,7 +102,7 @@ public class BubbleApiRunnerListener extends SimpleApiRunnerListener {
 .stream().filter(c -> c.usesDriver(StripePaymentDriver.class))
 .findFirst().orElse(null);
 if (stripe == null) {
- die("afterScript: no cloud found with driverClass=" + StripePaymentDriver.class.getName());
+ die("stripTokenizeCard: no cloud found with driverClass=" + StripePaymentDriver.class.getName());
 return;
 }
 stripe.getPaymentDriver(configuration);
@@ -118,7 +118,7 @@ public class BubbleApiRunnerListener extends SimpleApiRunnerListener {
 final Token token = Token.create(tokenParams);
 ctx.put(CTX_STRIPE_TOKEN, token.getId());
 } catch (Exception e) {
- die("afterScript: error creating Stripe token: " + e);
+ die("stripTokenizeCard: error creating Stripe token: " + e);
 }
 }
From bfb91cc5d00b67d42e173a5dcb90c065ad5dd6c6 Mon Sep 17 00:00:00 2001
From: Jonathan Cobb
Date: Wed, 15 Apr 2020 08:53:14 -0400
Subject: [PATCH 2/4] support regex passthru
---
 .../rule/passthru/TlsPassthruConfig.java | 44 +++++++++++++++----
 1 file changed, 36 insertions(+), 8 deletions(-)
diff --git a/bubble-server/src/main/java/bubble/rule/passthru/TlsPassthruConfig.java b/bubble-server/src/main/java/bubble/rule/passthru/TlsPassthruConfig.java
index 98f1a5fb..a457b3ee 100644
--- a/bubble-server/src/main/java/bubble/rule/passthru/TlsPassthruConfig.java
+++ b/bubble-server/src/main/java/bubble/rule/passthru/TlsPassthruConfig.java
@@ -16,6 +16,7 @@ import org.cobbzilla.util.string.StringUtil;
 import java.io.InputStream;
 import java.util.*;
+import java.util.regex.Pattern;
 import java.util.stream.Collectors;
 import static bubble.rule.passthru.TlsPassthruFeed.EMPTY_FEEDS;
@@ -68,16 +69,36 @@ public class TlsPassthruConfig {
 return !empty(feedList) ? Arrays.stream(feedList).collect(Collectors.toCollection(TreeSet::new)) : Collections.emptySet();
 }
- @JsonIgnore @Getter(lazy=true) private final AutoRefreshingReference> passthruSetRef = new AutoRefreshingReference<>() {
- @Override public Set refresh() { return loadPassthruSet(); }
+ private class TlsPassthruMatcher {
+ @Getter @Setter private String fqdn;
+ @Getter @Setter private Pattern fqdnPattern;
+ public boolean hasPattern () { return fqdnPattern != null; }
+ public TlsPassthruMatcher (String fqdn) {
+ if (fqdn.startsWith("/") && fqdn.endsWith("/")) {
+ this.fqdnPattern = Pattern.compile(fqdn.substring(1, fqdn.length()-1), Pattern.CASE_INSENSITIVE);
+ } else {
+ this.fqdn = fqdn;
+ }
+ }
+ public boolean matches (String val) {
+ return hasPattern() ? fqdnPattern.matcher(val).matches() : fqdn.equals(val);
+ }
+ }
+
+ @JsonIgnore @Getter(lazy=true) private final AutoRefreshingReference> passthruSetRef = new AutoRefreshingReference<>() {
+ @Override public Set refresh() { return loadPassthruSet(); }
 // todo: load refresh interval from config. implement a config view with an action to set it
 @Override public long getTimeout() { return DEFAULT_TLS_FEED_REFRESH_INTERVAL; }
 };
- @JsonIgnore public Set getPassthruSet() { return getPassthruSetRef().get(); }
+ @JsonIgnore public Set getPassthruSet() { return getPassthruSetRef().get(); }
- private Set loadPassthruSet() {
- final Set set = new HashSet<>();
- if (hasFqdnList()) set.addAll(Arrays.asList(fqdnList));
+ private Set loadPassthruSet() {
+ final Set set = new HashSet<>();
+ if (hasFqdnList()) {
+ for (String val : getFqdnList()) {
+ set.add(new TlsPassthruMatcher(val));
+ }
+ }
 if (hasFeedList()) {
 // put in a set to avoid duplicate URLs
 for (TlsPassthruFeed feed : new HashSet<>(Arrays.asList(feedList))) {
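Review bot: `Pattern.compile` in the `TlsPassthruMatcher` constructor runs on every entry wrapped in `/…/` without catching `PatternSyntaxException`, so one malformed entry — in the local `fqdnList`, or in any remote feed, since the `-90,7` hunk below pushes feed values through the same constructor — propagates out of `loadPassthruSet()` and `refresh()` and aborts the whole passthru set instead of just that entry. Feed entries are also remote input that `matcher(val).matches()` evaluates against every hostname `isPassthru` is asked about, so a pathological expression from an untrusted or compromised feed can make each lookup expensive; if feeds are not fully trusted, consider honouring the `/…/` syntax only for the locally configured list, or at least bounding pattern length. The literal branch `fqdn.equals(val)` is case-sensitive while the regex branch uses `CASE_INSENSITIVE`; hostnames compare case-insensitively, so `fqdn.equalsIgnoreCase(val)` keeps the two paths consistent. A small helper that logs and skips a bad entry, called from both loops, isolates the failure (needs `import java.util.regex.PatternSyntaxException;`).
```java
    /** Adds one configured value as a matcher; a malformed /regex/ entry is logged and skipped so it cannot fail the whole refresh. */
    private void addMatcher(Set<TlsPassthruMatcher> set, String val) {
        try {
            set.add(new TlsPassthruMatcher(val));
        } catch (PatternSyntaxException e) {
            log.warn("loadPassthruSet: skipping invalid passthru pattern '" + val + "': " + e.getDescription());
        }
    }

    private Set<TlsPassthruMatcher> loadPassthruSet() {
        final Set<TlsPassthruMatcher> set = new HashSet<>();
        if (hasFqdnList()) {
            for (String val : getFqdnList()) {
                addMatcher(set, val);
            }
        }
        // … unchanged: feed loading (use addMatcher(set, val) there too), debug log, return set …
```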
@@ -90,7 +111,9 @@ public class TlsPassthruConfig {
 if (loaded.hasFqdnList()) recentFeedValues.put(feed.getFeedUrl(), loaded.getFqdnList());
 }
 }
- set.addAll(recentFeedValues.values().stream().flatMap(Collection::stream).collect(Collectors.toSet()));
+ for (String val : recentFeedValues.values().stream().flatMap(Collection::stream).collect(Collectors.toSet())) {
+ set.add(new TlsPassthruMatcher(val));
+ }
 if (log.isDebugEnabled()) log.debug("loadPassthruSet: returning fqdnList: "+StringUtil.toString(set, ", "));
 return set;
 }
@@ -122,6 +145,11 @@ public class TlsPassthruConfig {
 return loaded;
 }
- public boolean isPassthru(String fqdn) { return getPassthruSet().contains(fqdn); }
+ public boolean isPassthru(String fqdn) {
+ for (TlsPassthruMatcher match : getPassthruSet()) {
+ if (match.matches(fqdn)) return true;
+ }
+ return false;
+ }
 }
From 5f60de5b68b2eb1c297923530d71932493653ad1 Mon Sep 17 00:00:00 2001
From: Jonathan Cobb
Date: Wed, 15 Apr 2020 09:40:20 -0400
Subject: [PATCH 3/4] default to no tls passthru for raw IPs
---
 automation/roles/mitmproxy/files/bubble_passthru.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/automation/roles/mitmproxy/files/bubble_passthru.py b/automation/roles/mitmproxy/files/bubble_passthru.py
index c47c6347..b5f0df21 100644
--- a/automation/roles/mitmproxy/files/bubble_passthru.py
+++ b/automation/roles/mitmproxy/files/bubble_passthru.py
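Review bot: `isPassthru` now walks every matcher and runs a regex `matches()` for each pattern entry on every call, where the removed `contains` was a single hash lookup; this method is presumably on the per-connection path, so with large feed lists the cost grows with the list size. Keeping literal entries in a `Set<String>` for an O(1) lookup and iterating only the `/…/` pattern matchers restores the old cost for the common case. `match.matches(null)` also throws `NullPointerException` from `Pattern.matcher` whenever a pattern entry exists, so a guard `if (fqdn == null) return false;` at the top closes and documents that case.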
@@ -84,8 +84,8 @@ def should_passthru(remote_addr, addr):
 bubble_log(prefix+' not in redis or empty, calling check_bubble_passthru...')
 fqdn = fqdn_for_addr(addr)
 if fqdn is None or len(fqdn) == 0:
- bubble_log(prefix+' no fqdn found for addr '+addr+', returning (uncached) passthru = True')
- return {'fqdn': None, 'addr': addr, 'passthru': True}
+ bubble_log(prefix+' no fqdn found for addr '+addr+', returning (uncached) passthru = False')
+ return {'fqdn': None, 'addr': addr, 'passthru': False}
 passthru = check_bubble_passthru(remote_addr, addr, fqdn)
 bubble_log(prefix+'check_bubble_passthru returned '+repr(passthru)+", storing in redis...")
 redis_set(cache_key, json.dumps(passthru), ex=REDIS_PASSTHRU_DURATION)
From e7404c8a2d530491ad64dd57ce034175ba0f5a27 Mon Sep 17 00:00:00 2001
From: Jonathan Cobb
Date: Wed, 15 Apr 2020 09:41:18 -0400
Subject: [PATCH 4/4] always set fqdn so that remove operation works
---
 .../main/java/bubble/rule/passthru/TlsPassthruConfig.java | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/bubble-server/src/main/java/bubble/rule/passthru/TlsPassthruConfig.java b/bubble-server/src/main/java/bubble/rule/passthru/TlsPassthruConfig.java
index a457b3ee..a4025320 100644
--- a/bubble-server/src/main/java/bubble/rule/passthru/TlsPassthruConfig.java
+++ b/bubble-server/src/main/java/bubble/rule/passthru/TlsPassthruConfig.java
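Review bot: The flipped default means a connection whose address has no resolvable name is now handled by the proxy rather than passed through, and neither the code nor the log line records why; a one-line comment above the `return`, `# no hostname to match against: default to no passthru rather than skipping the proxy`, keeps the next reader from "fixing" it back. The negative result is still returned uncached, so every connection to such an address repeats `fqdn_for_addr(addr)`; if that call involves a lookup, a short-TTL cache entry for the `passthru = False` result would bound the cost. `should_passthru` continues outside the hunk.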
@@ -69,15 +69,14 @@ public class TlsPassthruConfig {
 return !empty(feedList) ? Arrays.stream(feedList).collect(Collectors.toCollection(TreeSet::new)) : Collections.emptySet();
 }
- private class TlsPassthruMatcher {
+ private static class TlsPassthruMatcher {
 @Getter @Setter private String fqdn;
 @Getter @Setter private Pattern fqdnPattern;
 public boolean hasPattern () { return fqdnPattern != null; }
 public TlsPassthruMatcher (String fqdn) {
+ this.fqdn = fqdn;
 if (fqdn.startsWith("/") && fqdn.endsWith("/")) {
 this.fqdnPattern = Pattern.compile(fqdn.substring(1, fqdn.length()-1), Pattern.CASE_INSENSITIVE);
- } else {
- this.fqdn = fqdn;
 }
 }
 public boolean matches (String val) {
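Review bot: `TlsPassthruMatcher` still defines no `equals`/`hashCode`, yet `loadPassthruSet` stores instances in a `HashSet`, so identity semantics apply and the de-duplication the previous `Set<String>` provided is gone — a name present in both `fqdnList` and a feed yields two matchers that are both evaluated on every `isPassthru` call. With `fqdn` now always assigned it is a complete key, so `@EqualsAndHashCode(of = "fqdn")` on the class (Lombok is already in use for `@Getter`/`@Setter`) restores it. The `@Setter`s let a stored matcher's key change after it is in the set; nothing in the hunk uses them, so dropping `@Setter` (or making both fields `final`) keeps the set consistent. `matches` begins on the hunk's last line and continues outside it.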