From: Michael Tremer
Date: Tue, 6 Aug 2019 16:02:05 +0000 (+0100)
Subject: location: Evaluate return code from DNS blacklists
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8f94e19f3afcf248b4fd6f56ba85d93397b5cb53;p=ipfire.org.git

location: Evaluate return code from DNS blacklists

Signed-off-by: Michael Tremer
---

diff --git a/src/backend/base.py b/src/backend/base.py
index 19797edb..075546e0 100644
--- a/src/backend/base.py
+++ b/src/backend/base.py
@@ -94,6 +94,7 @@ class Backend(object):
 "cleanup" : self.cleanup,
 "scan-files" : self.releases.scan_files,
 "send-all-messages" : self.messages.queue.send_all,
+ "test-blacklist" : self.geoip.test_blacklist,
 "test-ldap" : self.accounts.test_ldap,
 "tweet" : self.tweets.tweet,
 "update-blog-feeds" : self.blog.update_feeds,
diff --git a/src/backend/geoip.py b/src/backend/geoip.py
index c2c4979a..06077f64 100644
--- a/src/backend/geoip.py
+++ b/src/backend/geoip.py
@@ -13,6 +13,12 @@ from . import countries
 from .decorators import *
 from .misc import Object
+# These lists are used to block access to the webapp
+BLOCKLISTS = (
+ "sbl.spamhaus.org",
+ "xbl.spamhaus.org",
+)
+
 BLACKLISTS = {
 "access.redhawk.org" : False,
 "all.de.bl.blocklist.de" : False,
@@ -204,6 +210,15 @@ class GeoIP(Object):
 def get_country_name(self, code):
 return countries.get_name(code)
+ @tornado.gen.coroutine
+ def test_blacklist(self, address):
+ address = self.lookup(address)
+
+ # Determne blacklist status
+ status = yield address.is_blacklisted()
+
+ print("Blacklist status for %s: %s" % (address, status))
+
 class Address(Object):
 def init(self, address):
@@ -239,6 +254,8 @@ class Address(Object):
 @tornado.gen.coroutine
 def _resolve_blacklist(self, blacklist):
+ return_code = None
+
 # Get resource record name
 rr = self._make_blacklist_rr(blacklist)
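Review bot: The new `test_blacklist` in the `@@ -204` hunk has no docstring, and nothing tells the operator running `test-blacklist` that the answer comes from `is_blacklisted()`, which after this commit consults only `BLOCKLISTS` and not the larger `BLACKLISTS` table. I would add a docstring such as `"""Print whether *address* would be refused by the webapp (checks BLOCKLISTS only)."""` and correct the comment to `# Determine blacklist status`. The per-list return codes are only written through `logging.debug` in `is_blacklisted`, so the command shows a bare True/None unless debug logging is enabled.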
@@ -256,12 +273,17 @@ class Address(Object):
 except IOError as e:
 logging.warning(e)
- return None, "%s" % e
+ return return_code, "%s" % e
 # Not found
 if not res:
 logging.debug("%s is not blacklisted on %s" % (self, blacklist))
- return False, None
+ return return_code, None
+
+ # Extract return code from DNS response
+ for row in res:
+ return_code = row.host
+ break
 # If the IP address is on a blacklist, we will try to fetch the TXT record
 reason = yield self.backend.geoip.resolver.query(rr, type=pycares.QUERY_TYPE_TXT)
@@ -272,10 +294,10 @@ class Address(Object):
 # Take the first reason
 if reason:
 for i in reason:
- return True, i.text.decode()
+ return return_code, i.text
 # Blocked, but no reason
- return True, None
+ return return_code, None
 @tornado.gen.coroutine
 def get_blacklists(self, important_only=False):
@@ -288,9 +310,18 @@ class Address(Object):
 logging.debug("Checking if %s is blacklisted..." % self)
 # Perform checks
- blacklists = yield self.get_blacklists(important_only=True)
+ blacklists = yield { bl : self._resolve_blacklist(bl) for bl in BLOCKLISTS }
 # If we are blacklisted on one list, this one is screwed
- for code, reason in blacklists.values():
+ for bl in blacklists:
+ code, message = blacklists[bl]
+
+ logging.debug("Response from %s is: %s (%s)" % (bl, code, message))
+
+ # Exclude matches on SBLCSS
+ if bl == "sbl.spamhaus.org" and code == "127.0.0.3":
+ continue
+
+ # Consider the host blocked for any non-zero return code
 if code:
 return True
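Review bot: The loop added to `_resolve_blacklist` in the `@@ -256` hunk (`for row in res:` … `break`) keeps only the first A record, but a DNSBL answer can carry several records and their order is not guaranteed. If sbl.spamhaus.org were to answer with both 127.0.0.2 and 127.0.0.3 and the CSS record came first, the SBLCSS exclusion in the `@@ -288` hunk would skip the list and the address would not be blocked. Returning every code, for example `return_codes = sorted(row.host for row in res)`, and letting `is_blacklisted` test each one would remove the dependence on record order. `_resolve_blacklist` starts above this hunk and continues below it.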
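Review bot: After the `@@ -272` hunk the first element returned by `_resolve_blacklist` is the raw return code or None rather than True/False/None, and the function has no docstring that states the new contract. The not-listed branch and the `except IOError` branch in the preceding hunk now both return None, so a caller cannot tell a clean result from a failed lookup, and `is_blacklisted` treats a resolver failure as not blocked. A docstring such as `"""Return (return_code, reason); return_code is None when the address is not listed or the lookup failed."""` would make that explicit, and `get_blacklists`, whose body lies outside this hunk, should be checked against the new values. Dropping `.decode()` on `i.text` presumably tracks a pycares change; if `text` is still bytes on the deployed version the reason will be reported as a bytes literal.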
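Review bot: The final check `if code:` in `is_blacklisted` (`@@ -288` hunk) treats every non-empty answer as a listing, which includes the 127.255.255.0/24 codes Spamhaus returns to signal errors such as a query arriving through a public resolver or exceeding the query limit; in that situation every visitor would be refused. I would accept only listing codes, for example `if code and not code.startswith("127.255.255."):`, and log the error codes at warning level so the resolver problem is noticed. The comment says "non-zero return code", but `code` is a string or None here, so "any return code" describes the test more accurately. The inline `"sbl.spamhaus.org"` / `"127.0.0.3"` pair would be easier to maintain as a small table of ignored codes next to `BLOCKLISTS`.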