Merge branch 'main' into new-instrumentation

Author: timokoessler

.github/workflows/benchmark.yml

@@ -23,6 +23,7 @@ jobs:
           - "27016:5432"
     timeout-minutes: 10
     strategy:
+      fail-fast: false
       matrix:
         node-version: [20.x, 24.x]
     steps:

end2end/server/src/handlers/lists.js

@@ -2,6 +2,9 @@ const {
   getBlockedIPAddresses,
   getBlockedUserAgents,
   getAllowedIPAddresses,
+  getMonitoredUserAgents,
+  getMonitoredIPAddresses,
+  getUserAgentDetails,
 } = require("../zen/config");
 
 module.exports = function lists(req, res) {
@@ -12,6 +15,9 @@ module.exports = function lists(req, res) {
   const blockedIps = getBlockedIPAddresses(req.app);
   const blockedUserAgents = getBlockedUserAgents(req.app);
   const allowedIps = getAllowedIPAddresses(req.app);
+  const monitoredUserAgents = getMonitoredUserAgents(req.app);
+  const monitoredIps = getMonitoredIPAddresses(req.app);
+  const userAgentDetails = getUserAgentDetails(req.app);
 
   res.json({
     success: true,
@@ -20,22 +26,37 @@ module.exports = function lists(req, res) {
       blockedIps.length > 0
         ? [
             {
+              key: "geoip/Belgium;BE",
               source: "geoip",
               description: "geo restrictions",
               ips: blockedIps,
             },
           ]
         : [],
     blockedUserAgents: blockedUserAgents,
+    monitoredUserAgents: monitoredUserAgents,
+    userAgentDetails: userAgentDetails,
     allowedIPAddresses:
       allowedIps.length > 0
         ? [
             {
+              key: "geoip/Belgium;BE",
               source: "geoip",
               description: "geo restrictions",
               ips: allowedIps,
             },
           ]
         : [],
+    monitoredIPAddresses:
+      monitoredIps.length > 0
+        ? monitoredIps
+        : [
+            {
+              key: "geoip/Belgium;BE",
+              source: "geoip",
+              description: "geo restrictions",
+              ips: monitoredIps,
+            },
+          ],
   });
 };

end2end/server/src/handlers/updateLists.js

@@ -2,6 +2,9 @@ const {
   updateBlockedIPAddresses,
   updateBlockedUserAgents,
   updateAllowedIPAddresses,
+  updateMonitoredUserAgents,
+  updateMonitoredIPAddresses,
+  updateUserAgentDetails,
 } = require("../zen/config");
 
 module.exports = function updateIPLists(req, res) {
@@ -46,5 +49,26 @@ module.exports = function updateIPLists(req, res) {
     updateAllowedIPAddresses(req.app, req.body.allowedIPAddresses);
   }
 
+  if (
+    req.body.monitoredUserAgents &&
+    typeof req.body.monitoredUserAgents === "string"
+  ) {
+    updateMonitoredUserAgents(req.app, req.body.monitoredUserAgents);
+  }
+
+  if (
+    req.body.monitoredIPAddresses &&
+    Array.isArray(req.body.monitoredIPAddresses)
+  ) {
+    updateMonitoredIPAddresses(req.app, req.body.monitoredIPAddresses);
+  }
+
+  if (
+    req.body.userAgentDetails &&
+    Array.isArray(req.body.userAgentDetails)
+  ) {
+    updateUserAgentDetails(req.app, req.body.userAgentDetails);
+  }
+
   res.json({ success: true });
 };

end2end/server/src/zen/config.js

@@ -40,6 +40,9 @@ function updateAppConfig(app, newConfig) {
 const blockedIPAddresses = [];
 const blockedUserAgents = [];
 const allowedIPAddresses = [];
+const monitoredUserAgents = [];
+const monitoredIPAddresses = [];
+const userAgentDetails = [];
 
 function updateBlockedIPAddresses(app, ips) {
   let entry = blockedIPAddresses.find((ip) => ip.serviceId === app.serviceId);
@@ -90,7 +93,7 @@ function getAllowedIPAddresses(app) {
 }
 
 function updateBlockedUserAgents(app, uas) {
-  let entry = blockedUserAgents.find((e) => e.serviceId === e.serviceId);
+  let entry = blockedUserAgents.find((e) => e.serviceId === app.serviceId);
 
   if (entry) {
     entry.userAgents = uas;
@@ -104,7 +107,7 @@ function updateBlockedUserAgents(app, uas) {
 }
 
 function getBlockedUserAgents(app) {
-  const entry = blockedUserAgents.find((e) => e.serviceId === e.serviceId);
+  const entry = blockedUserAgents.find((e) => e.serviceId === app.serviceId);
 
   if (entry) {
     return entry.userAgents;
@@ -113,6 +116,78 @@ function getBlockedUserAgents(app) {
   return "";
 }
 
+function updateMonitoredUserAgents(app, uas) {
+  let entry = monitoredUserAgents.find((e) => e.serviceId === app.serviceId);
+
+  if (entry) {
+    entry.userAgents = uas;
+  } else {
+    entry = { serviceId: app.serviceId, userAgents: uas };
+    monitoredUserAgents.push(entry);
+  }
+
+  // Bump lastUpdatedAt
+  updateAppConfig(app, {});
+}
+
+function getMonitoredUserAgents(app) {
+  const entry = monitoredUserAgents.find((e) => e.serviceId === app.serviceId);
+
+  if (entry) {
+    return entry.userAgents;
+  }
+
+  return "";
+}
+
+function updateMonitoredIPAddresses(app, ips) {
+  let entry = monitoredIPAddresses.find((e) => e.serviceId === app.serviceId);
+
+  if (entry) {
+    entry.ipAddresses = ips;
+  } else {
+    entry = { serviceId: app.serviceId, ipAddresses: ips };
+    monitoredIPAddresses.push(entry);
+  }
+
+  // Bump lastUpdatedAt
+  updateAppConfig(app, {});
+}
+
+function getMonitoredIPAddresses(app) {
+  const entry = monitoredIPAddresses.find((e) => e.serviceId === app.serviceId);
+
+  if (entry) {
+    return entry.ipAddresses;
+  }
+
+  return [];
+}
+
+function updateUserAgentDetails(app, uas) {
+  let entry = userAgentDetails.find((e) => e.serviceId === app.serviceId);
+
+  if (entry) {
+    entry.userAgents = uas;
+  } else {
+    entry = { serviceId: app.serviceId, userAgents: uas };
+    userAgentDetails.push(entry);
+  }
+
+  // Bump lastUpdatedAt
+  updateAppConfig(app, {});
+}
+
+function getUserAgentDetails(app) {
+  const entry = userAgentDetails.find((e) => e.serviceId === app.serviceId);
+
+  if (entry) {
+    return entry.userAgents;
+  }
+
+  return [];
+}
+
 module.exports = {
   getAppConfig,
   updateAppConfig,
@@ -122,4 +197,10 @@ module.exports = {
   getBlockedUserAgents,
   getAllowedIPAddresses,
   updateAllowedIPAddresses,
+  updateMonitoredUserAgents,
+  getMonitoredUserAgents,
+  updateMonitoredIPAddresses,
+  getMonitoredIPAddresses,
+  updateUserAgentDetails,
+  getUserAgentDetails,
 };

end2end/tests/hono-xml-allowlists.test.ts

@@ -32,6 +32,24 @@ t.beforeEach(async () => {
             enabled: false,
           },
         },
+        {
+          route: "/admin/*",
+          method: "GET",
+          forceProtectionOff: false,
+          allowedIPAddresses: ["10.0.0.1/16"],
+          rateLimiting: {
+            enabled: false,
+          },
+        },
+        {
+          route: "/admin/public",
+          method: "GET",
+          forceProtectionOff: false,
+          allowedIPAddresses: ["0.0.0.0/0", "::/0"],
+          rateLimiting: {
+            enabled: false,
+          },
+        },
       ],
     }),
   });
@@ -150,6 +168,22 @@ t.test("it blocks non-allowed IP addresses", (t) => {
         signal: AbortSignal.timeout(5000),
       });
       t.same(resp6.status, 403);
+
+      const resp7 = await fetch("http://127.0.0.1:4002/admin/public", {
+        headers: {
+          "X-Forwarded-For": "5.6.7.8",
+        },
+        signal: AbortSignal.timeout(5000),
+      });
+      t.same(resp7.status, 200);
+
+      const resp8 = await fetch("http://127.0.0.1:4002/admin/private", {
+        headers: {
+          "X-Forwarded-For": "5.6.7.8",
+        },
+        signal: AbortSignal.timeout(5000),
+      });
+      t.same(resp8.status, 403);
     })
     .catch((error) => {
       t.fail(error);