From: Remi Gacogne Date: Tue, 24 Dec 2024 13:41:29 +0000 (+0100) Subject: dnsdist: Move HTTP rules to dnsdist-rules.cc X-Git-Tag: dnsdist-2.0.0-alpha1~160^2~39 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0bd909b74717dc8055d6c350ea80cb835dba4956;p=thirdparty%2Fpdns.git dnsdist: Move HTTP rules to dnsdist-rules.cc
---
diff --git a/pdns/dnsdistdist/dnsdist-doh-common.cc b/pdns/dnsdistdist/dnsdist-doh-common.cc
index df3c01d8a2..c533cc7e8c 100644
--- a/pdns/dnsdistdist/dnsdist-doh-common.cc
+++ b/pdns/dnsdistdist/dnsdist-doh-common.cc
@@ -21,87 +21,9 @@
  */
 #include "base64.hh"
 #include "dnsdist-doh-common.hh"
-#include "dnsdist-rules.hh"
+#include "dnsdist.hh"
 #ifdef HAVE_DNS_OVER_HTTPS
-
-HTTPHeaderRule::HTTPHeaderRule(const std::string& header, const std::string& regex) :
- d_header(toLower(header)), d_regex(regex), d_visual("http[" + header + "] ~ " + regex)
-{
-}
-
-bool HTTPHeaderRule::matches(const DNSQuestion* dq) const
-{
- if (dq->ids.du) {
- const auto& headers = dq->ids.du->getHTTPHeaders();
- for (const auto& header : headers) {
- if (header.first == d_header) {
- return d_regex.match(header.second);
- }
- }
- return false;
- }
- if (dq->ids.doh3u) {
- const auto& headers = dq->ids.doh3u->getHTTPHeaders();
- for (const auto& header : headers) {
- if (header.first == d_header) {
- return d_regex.match(header.second);
- }
- }
- return false;
- }
- return false;
-}
-
-string HTTPHeaderRule::toString() const
-{
- return d_visual;
-}
-
-HTTPPathRule::HTTPPathRule(std::string path) :
- d_path(std::move(path))
-{
-}
-
-bool HTTPPathRule::matches(const DNSQuestion* dq) const
-{
- if (dq->ids.du) {
- const auto path = dq->ids.du->getHTTPPath();
- return d_path == path;
- }
- if (dq->ids.doh3u) {
- return dq->ids.doh3u->getHTTPPath() == d_path;
- }
- return false;
-}
-
-string HTTPPathRule::toString() const
-{
- return "url path == " + d_path;
-}
-
-HTTPPathRegexRule::HTTPPathRegexRule(const std::string& regex) :
- d_regex(regex), d_visual("http path ~ " + regex)
-{
-}
-
-bool HTTPPathRegexRule::matches(const DNSQuestion* dq) const
-{
- if (dq->ids.du) {
- const auto path = dq->ids.du->getHTTPPath();
- return d_regex.match(path);
- }
- if (dq->ids.doh3u) {
- return d_regex.match(dq->ids.doh3u->getHTTPPath());
- }
- return false;
-}
-
-string HTTPPathRegexRule::toString() const
-{
- return d_visual;
-}
-
 void DOHFrontend::rotateTicketsKey(time_t now)
 {
 return d_tlsContext.rotateTicketsKey(now);
diff --git a/pdns/dnsdistdist/dnsdist-lua.hh b/pdns/dnsdistdist/dnsdist-lua.hh
index 572b8a692e..34d821f81d 100644
--- a/pdns/dnsdistdist/dnsdist-lua.hh
+++ b/pdns/dnsdistdist/dnsdist-lua.hh
@@ -21,12 +21,8 @@
  */
 #pragma once
-#include
-
 #include "dolog.hh"
 #include "dnsdist.hh"
-#include "dnsdist-dnsparser.hh"
-#include "dnsparser.hh"
 #include "ext/luawrapper/include/LuaContext.hpp"
diff --git a/pdns/dnsdistdist/dnsdist-rules.cc b/pdns/dnsdistdist/dnsdist-rules.cc
index 96666a2143..b2688b80dd 100644
--- a/pdns/dnsdistdist/dnsdist-rules.cc
+++ b/pdns/dnsdistdist/dnsdist-rules.cc
@@ -19,8 +19,107 @@
  * along with this program; if not, write to the Free Software
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
-
 #include "dnsdist-rules.hh"
 std::atomic LuaFFIPerThreadRule::s_functionsCounter = 0;
 thread_local std::map LuaFFIPerThreadRule::t_perThreadStates;
+
+HTTPHeaderRule::HTTPHeaderRule(const std::string& header, const std::string& regex) :
+ d_header(toLower(header)), d_regex(regex), d_visual("http[" + header + "] ~ " + regex)
+{
+#if !defined(HAVE_DNS_OVER_HTTPS) && !defined(HAVE_DNS_OVER_HTTP3)
+ throw std::runtime_error("Using HTTPHeaderRule while DoH support is not enabled");
+#endif /* HAVE_DNS_OVER_HTTPS || HAVE_DNS_OVER_HTTP3 */
+}
+
+bool HTTPHeaderRule::matches(const DNSQuestion* dnsQuestion) const
+{
+#if defined(HAVE_DNS_OVER_HTTPS)
+ if (dnsQuestion->ids.du) {
+ const auto& headers = dnsQuestion->ids.du->getHTTPHeaders();
+ for (const auto& header : headers) {
+ if (header.first == d_header) {
+ return d_regex.match(header.second);
+ }
+ }
+ return false;
+ }
+#endif /* HAVE_DNS_OVER_HTTPS */
+#if defined(HAVE_DNS_OVER_HTTP3)
+ if (dnsQuestion->ids.doh3u) {
+ const auto& headers = dnsQuestion->ids.doh3u->getHTTPHeaders();
+ for (const auto& header : headers) {
+ if (header.first == d_header) {
+ return d_regex.match(header.second);
+ }
+ }
+ return false;
+ }
+#endif /* defined(HAVE_DNS_OVER_HTTP3) */
+ return false;
+}
+
+string HTTPHeaderRule::toString() const
+{
+ return d_visual;
+}
+
+HTTPPathRule::HTTPPathRule(std::string path) :
+ d_path(std::move(path))
+{
+#if !defined(HAVE_DNS_OVER_HTTPS) && !defined(HAVE_DNS_OVER_HTTP3)
+ throw std::runtime_error("Using HTTPPathRule while DoH support is not enabled");
+#endif /* HAVE_DNS_OVER_HTTPS || HAVE_DNS_OVER_HTTP3 */
+}
+
+bool HTTPPathRule::matches(const DNSQuestion* dnsQuestion) const
+{
+#if defined(HAVE_DNS_OVER_HTTPS)
+ if (dnsQuestion->ids.du) {
+ const auto path = dnsQuestion->ids.du->getHTTPPath();
+ return d_path == path;
+ }
+#endif /* HAVE_DNS_OVER_HTTPS */
+#if defined(HAVE_DNS_OVER_HTTP3)
+ if (dnsQuestion->ids.doh3u) {
+ return dnsQuestion->ids.doh3u->getHTTPPath() == d_path;
+ }
+#endif /* defined(HAVE_DNS_OVER_HTTP3) */
+ return false;
+
+}
+
+string HTTPPathRule::toString() const
+{
+ return "url path == " + d_path;
+}
+
+HTTPPathRegexRule::HTTPPathRegexRule(const std::string& regex) :
+ d_regex(regex), d_visual("http path ~ " + regex)
+{
+#if !defined(HAVE_DNS_OVER_HTTPS) && !defined(HAVE_DNS_OVER_HTTP3)
+ throw std::runtime_error("Using HTTPRegexRule while DoH support is not enabled");
+#endif /* HAVE_DNS_OVER_HTTPS || HAVE_DNS_OVER_HTTP3 */
+}
+
+bool HTTPPathRegexRule::matches(const DNSQuestion* dnsQuestion) const
+{
+#if defined(HAVE_DNS_OVER_HTTPS)
+ if (dnsQuestion->ids.du) {
+ const auto path = dnsQuestion->ids.du->getHTTPPath();
+ return d_regex.match(path);
+ }
+#endif /* HAVE_DNS_OVER_HTTPS */
+#if defined(HAVE_DNS_OVER_HTTP3)
+ if (dnsQuestion->ids.doh3u) {
+ return d_regex.match(dnsQuestion->ids.doh3u->getHTTPPath());
+ }
+ return false;
+#endif /* HAVE_DNS_OVER_HTTP3 */
+ return false;
+}
+
+string HTTPPathRegexRule::toString() const
+{
+ return d_visual;
+}
diff --git a/pdns/dnsdistdist/dnsdist-svc.cc b/pdns/dnsdistdist/dnsdist-svc.cc
index 574cc9eea1..18ec3a62c3 100644
--- a/pdns/dnsdistdist/dnsdist-svc.cc
+++ b/pdns/dnsdistdist/dnsdist-svc.cc
@@ -21,6 +21,7 @@
  */
 #include "dnsdist-svc.hh"
 #include "dnsdist.hh"
+#include "dnsdist-dnsparser.hh"
 #include "dnsdist-ecs.hh"
 #include "dnsdist-lua.hh"
 #include "dnswriter.hh"
diff --git a/pdns/dnsdistdist/doh.cc b/pdns/dnsdistdist/doh.cc
index 8b91a2bbe2..739684477b 100644
--- a/pdns/dnsdistdist/doh.cc
+++ b/pdns/dnsdistdist/doh.cc
@@ -8,6 +8,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
@@ -29,7 +30,6 @@
 #include "dnsdist-ecs.hh"
 #include "dnsdist-metrics.hh"
 #include "dnsdist-proxy-protocol.hh"
-#include "dnsdist-rules.hh"
 #include "libssl.hh"
 #include "threadname.hh"
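Review bot: The exception raised by `HTTPPathRegexRule::HTTPPathRegexRule` names a rule that does not exist, `"Using HTTPRegexRule while DoH support is not enabled"`; it should read `"Using HTTPPathRegexRule while DoH support is not enabled"` so that, like the two sibling constructors, the message points an operator at the directive that actually failed. In `HTTPPathRegexRule::matches` the `return false;` placed inside the `#if defined(HAVE_DNS_OVER_HTTP3)` block makes the trailing `return false;` unreachable whenever HTTP/3 is compiled in, and differs from the layout of `HTTPHeaderRule::matches` and `HTTPPathRule::matches`, which keep the single fallback after the last `#endif`; dropping the inner one makes the three functions uniform. `HTTPPathRule::matches` also carries a stray blank line before its closing brace. In a build with neither `HAVE_DNS_OVER_HTTPS` nor `HAVE_DNS_OVER_HTTP3` defined, the three `matches` bodies collapse to `return false;` and `dnsQuestion` goes unused, which may surface as an unused-parameter warning depending on the warning flags in use.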
@@ -56,7 +56,7 @@
  */
 /* 'Intermediate' compatibility from https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29 */
-static constexpr string_view DOH_DEFAULT_CIPHERS = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
+static constexpr std::string_view DOH_DEFAULT_CIPHERS = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
 class DOHAcceptContext
 {
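Review bot: `DOH_DEFAULT_CIPHERS` still ends with static-RSA key-exchange suites (`AES128-GCM-SHA256` through `AES256-SHA`, which offer no forward secrecy) and 3DES (`ECDHE-ECDSA-DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`, `DES-CBC3-SHA`), while the comment above it cites the Mozilla 'Intermediate' profile; as far as I can tell the currently published revision of that profile keeps only ECDHE/DHE AEAD suites for TLS 1.2, so the comment now describes a different list than the one it sits on. This commit only qualifies the type as `std::string_view`, so the list itself is pre-existing, but judging by its name it is the default a DoH frontend gets when no explicit cipher string is configured (the use site is outside this hunk). Either refresh the list in a follow-up or make the comment honest about its provenance, e.g. `/* Based on an older revision of the Mozilla 'Intermediate' profile (https://wiki.mozilla.org/Security/Server_Side_TLS); still lists 3DES and static-RSA suites */`.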