authorVsevolod Stakhov <vsevolod@rspamd.com>2024-09-05 21:34:49 +0600
committerGitHub <noreply@github.com>2024-09-05 21:34:49 +0600
commitf0c6643468c2cd4345fa4b96e7c6d829d94b0312 (patch)
tree6bd9db459539b1cb509e235d059cb36063622f8b
parentbb6604f2a6439613fa6546e5e8ec8b61006ec208 (diff)
parentfa45b8e629a26114deaade89fa4825e500691473 (diff)
downloadrspamd-f0c6643468c2cd4345fa4b96e7c6d829d94b0312.tar.gz
rspamd-f0c6643468c2cd4345fa4b96e7c6d829d94b0312.zip
Merge pull request #5127 from rspamd/vstakhov-fuzzy-symbols
Rework fuzzy symbols
-rw-r--r--src/fuzzy_storage.c23
-rw-r--r--src/plugins/fuzzy_check.c52
2 files changed, 64 insertions, 11 deletions
diff --git a/src/fuzzy_storage.c b/src/fuzzy_storage.c
index 5fd3303dc..e65fbb31a 100644
--- a/src/fuzzy_storage.c
+++ b/src/fuzzy_storage.c
@@ -1464,7 +1464,14 @@ rspamd_fuzzy_process_command(struct fuzzy_session *session)
if (session->ctx->encrypted_only && !encrypted) {
/* Do not accept unencrypted commands */
- result.v1.value = 403;
+ result.v1.value = 415;
+ result.v1.prob = 0.0f;
+ rspamd_fuzzy_make_reply(cmd, &result, session, send_flags);
+ return;
+ }
+
+ if (!rspamd_fuzzy_check_client(session->ctx, session->addr)) {
+ result.v1.value = 503;
result.v1.prob = 0.0f;
rspamd_fuzzy_make_reply(cmd, &result, session, send_flags);
return;
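Review bot: Moving the client check here from accept_fuzzy_socket (whose silent drop is removed in the last hunk of this file) means a denied client now receives a 503 reply, and only after the `encrypted_only` test, so a denied client sending plaintext sees 415 instead. If this listener is datagram-based, as the `msg_name` handling in accept_fuzzy_socket suggests, replies now go to whatever source address a rejected packet carried, and rejected traffic presumably costs a full command parse before it is refused. If that trade-off is intended, record it, e.g. `/* Denied clients get an explicit 503 (FUZZY_FORBIDDEN on the client) instead of a silent drop */`. The accept path sets `client_addr = NULL` when `msg_namelen` is too short, and the old call was never reached in that case, so if `session->addr` is that address it is worth confirming `rspamd_fuzzy_check_client` tolerates NULL or guarding with `session->addr != NULL &&`. rspamd_fuzzy_process_command starts and ends outside the hunk.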
@@ -1487,23 +1494,24 @@ rspamd_fuzzy_process_command(struct fuzzy_session *session)
}
if (cmd->cmd == FUZZY_CHECK) {
- bool can_continue = true;
+ bool is_rate_allowed = true;
if (session->ctx->ratelimit_buckets) {
if (session->ctx->ratelimit_log_only) {
(void) rspamd_fuzzy_check_ratelimit(session); /* Check but ignore */
}
else {
- can_continue = rspamd_fuzzy_check_ratelimit(session);
+ is_rate_allowed = rspamd_fuzzy_check_ratelimit(session);
}
}
- if (can_continue) {
+ if (is_rate_allowed) {
REF_RETAIN(session);
rspamd_fuzzy_backend_check(session->ctx->backend, cmd,
rspamd_fuzzy_check_callback, session);
}
else {
+ /* Should be 429 but we keep compatibility */
result.v1.value = 403;
result.v1.prob = 0.0f;
result.v1.flag = 0;
@@ -1574,7 +1582,7 @@ rspamd_fuzzy_process_command(struct fuzzy_session *session)
result.v1.prob = 1.0f;
}
else {
- result.v1.value = 403;
+ result.v1.value = 503;
result.v1.prob = 0.0f;
}
reply:
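Review bot: The reply code is a bare literal here (`503`), as are the 415/503/403 assignments earlier in this function and the matching `rep->v1.value ==` comparisons in fuzzy_check_try_read, so the server and the plugin can drift apart without the compiler noticing. Named constants in a header both files include would make the wire contract explicit, for example (names are suggestions only) `#define FUZZY_REPLY_FORBIDDEN 503` and `#define FUZZY_REPLY_ENCRYPTION_REQUIRED 415`. The condition this `else` belongs to is outside the hunk, so a one-line comment naming the case that yields 503 here would also help.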
@@ -2041,11 +2049,6 @@ accept_fuzzy_socket(EV_P_ ev_io *w, int revents)
if (MSG_FIELD(msg[i], msg_namelen) >= sizeof(struct sockaddr)) {
client_addr = rspamd_inet_address_from_sa(MSG_FIELD(msg[i], msg_name),
MSG_FIELD(msg[i], msg_namelen));
- if (!rspamd_fuzzy_check_client(worker->ctx, client_addr)) {
- /* Disallow forbidden clients silently */
- rspamd_inet_address_free(client_addr);
- continue;
- }
}
else {
client_addr = NULL;
diff --git a/src/plugins/fuzzy_check.c b/src/plugins/fuzzy_check.c
index 91b77c702..6ca6f3459 100644
--- a/src/plugins/fuzzy_check.c
+++ b/src/plugins/fuzzy_check.c
@@ -49,6 +49,9 @@
#include "libutil/libev_helper.h"
#define DEFAULT_SYMBOL "R_FUZZY_HASH"
+#define RSPAMD_FUZZY_SYMBOL_FORBIDDEN "FUZZY_FORBIDDEN"
+#define RSPAMD_FUZZY_SYMBOL_RATELIMITED "FUZZY_RATELIMITED"
+#define RSPAMD_FUZZY_SYMBOL_ENCRYPTION_REQUIRED "FUZZY_ENCRYPTION_REQUIRED"
#define DEFAULT_IO_TIMEOUT 1.0
#define DEFAULT_RETRANSMITS 3
@@ -1153,6 +1156,44 @@ int fuzzy_check_module_config(struct rspamd_config *cfg, bool validate)
1,
1);
+ /* Register meta symbols (blocked, ratelimited, etc) */
+ rspamd_symcache_add_symbol(cfg->cache,
+ RSPAMD_FUZZY_SYMBOL_FORBIDDEN, 0, NULL, NULL,
+ SYMBOL_TYPE_VIRTUAL,
+ cb_id);
+ rspamd_config_add_symbol(cfg,
+ RSPAMD_FUZZY_SYMBOL_FORBIDDEN,
+ 0.0,
+ "Fuzzy access denied",
+ "fuzzy",
+ 0,
+ 1,
+ 1);
+ rspamd_symcache_add_symbol(cfg->cache,
+ RSPAMD_FUZZY_SYMBOL_RATELIMITED, 0, NULL, NULL,
+ SYMBOL_TYPE_VIRTUAL,
+ cb_id);
+ rspamd_config_add_symbol(cfg,
+ RSPAMD_FUZZY_SYMBOL_RATELIMITED,
+ 0.0,
+ "Fuzzy rate limit is reached",
+ "fuzzy",
+ 0,
+ 1,
+ 1);
+ rspamd_symcache_add_symbol(cfg->cache,
+ RSPAMD_FUZZY_SYMBOL_ENCRYPTION_REQUIRED, 0, NULL, NULL,
+ SYMBOL_TYPE_VIRTUAL,
+ cb_id);
+ rspamd_config_add_symbol(cfg,
+ RSPAMD_FUZZY_SYMBOL_ENCRYPTION_REQUIRED,
+ 0.0,
+ "Fuzzy encryption is required by a server",
+ "fuzzy",
+ 0,
+ 1,
+ 1);
+
/*
* Here we can have 2 possibilities:
*
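Review bot: The three registration pairs differ only in the symbol name and the description string, so the next status code means another copied pair that can drift from the others; a small static table walked by one loop keeps the group, flags and weight in one place. The hunk also discards the return value of `rspamd_symcache_add_symbol` for each of the three symbols; if the function reports failure, a failed registration would go unnoticed here. fuzzy_check_module_config starts and ends outside the hunk.
```c
/* … unchanged: preceding symbol registration … */
/* Register meta symbols (blocked, ratelimited, etc) */
static const struct {
	const char *name;
	const char *description;
} meta_symbols[] = {
	{RSPAMD_FUZZY_SYMBOL_FORBIDDEN, "Fuzzy access denied"},
	{RSPAMD_FUZZY_SYMBOL_RATELIMITED, "Fuzzy rate limit is reached"},
	{RSPAMD_FUZZY_SYMBOL_ENCRYPTION_REQUIRED, "Fuzzy encryption is required by a server"},
};

for (size_t i = 0; i < sizeof(meta_symbols) / sizeof(meta_symbols[0]); i++) {
	rspamd_symcache_add_symbol(cfg->cache, meta_symbols[i].name, 0, NULL, NULL,
							   SYMBOL_TYPE_VIRTUAL, cb_id);
	rspamd_config_add_symbol(cfg, meta_symbols[i].name, 0.0,
							 meta_symbols[i].description, "fuzzy", 0, 1, 1);
}
/* … unchanged: comment block that follows … */
```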
@@ -2486,7 +2527,16 @@ fuzzy_check_try_read(struct fuzzy_client_session *session)
}
}
else if (rep->v1.value == 403) {
- rspamd_task_insert_result(task, "FUZZY_BLOCKED", 0.0,
+ /* In fact, it should be 429, but we preserve compatibility */
+ rspamd_task_insert_result(task, RSPAMD_FUZZY_SYMBOL_RATELIMITED, 1.0,
+ session->rule->name);
+ }
+ else if (rep->v1.value == 503) {
+ rspamd_task_insert_result(task, RSPAMD_FUZZY_SYMBOL_FORBIDDEN, 1.0,
+ session->rule->name);
+ }
+ else if (rep->v1.value == 415) {
+ rspamd_task_insert_result(task, RSPAMD_FUZZY_SYMBOL_ENCRYPTION_REQUIRED, 1.0,
session->rule->name);
}
else if (rep->v1.value == 401) {
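Review bot: The 403 branch now reports `RSPAMD_FUZZY_SYMBOL_RATELIMITED`, but the removed lines in fuzzy_storage.c show that servers built before this change also sent 403 for rejected unencrypted commands and for the branch that now returns 503. A new plugin talking to an older storage will therefore label those refusals as rate limiting, which can mislead an operator diagnosing an access or encryption problem. A comment on the branch would make that visible, e.g. `/* Servers predating the 415/503 codes also send 403 for denied or unencrypted requests */`. The `"FUZZY_BLOCKED"` name is no longer inserted here, so any local rule or dashboard keyed on it stops matching; whether it is still registered elsewhere is outside the hunk, and the rename deserves a line in the upgrade notes. fuzzy_check_try_read starts and ends outside the hunk.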