Merge pull request firewalla#719 from firewalla/beta_6_0

[Production] Release 1.95
BillysCoolJob · Feb 7, 2018 · fe30c6b · fe30c6b
2 parents 51ebf03 + be27f52
commit fe30c6b
Show file tree

Hide file tree

Showing 59 changed files with 1,524 additions and 642 deletions.
diff --git a/alarm/AlarmManager2.js b/alarm/AlarmManager2.js
@@ -28,8 +28,10 @@ let flat = require('flat');
 let audit = require('../util/audit.js');
 let util = require('util');
 
-let async = require('asyncawait/async');
-let await = require('asyncawait/await');
+const async = require('asyncawait/async');
+const await = require('asyncawait/await');
+
+const fc = require('../net2/config.js')
 
 const Promise = require('bluebird');
 Promise.promisifyAll(redis.RedisClient.prototype);
@@ -46,6 +48,9 @@ let Policy = require('./Policy.js');
 let PolicyManager2 = require('./PolicyManager2.js');
 let pm2 = new PolicyManager2();
 
+const IntelTool = require('../net2/IntelTool.js')
+const intelTool = new IntelTool()
+
 let instance = null;
 
 const alarmActiveKey = "alarm_active";
@@ -143,6 +148,12 @@ module.exports = class {
     return rclient.zremAsync(alarmActiveKey, alarmID)
   }
 
+  isAlarmTypeEnabled(alarm) {
+    const alarmType = alarm.type
+    const featureKey = `alarm:${alarmType}`
+    return fc.isFeatureOn(featureKey)
+  }
+
   validateAlarm(alarm) {
     let keys = alarm.requiredKeys();
     for(var i = 0; i < keys.length; i++) {
@@ -316,13 +327,20 @@ module.exports = class {
 
   checkAndSave(alarm, callback) {
     callback = callback || function() {}
-
+    
     let verifyResult = this.validateAlarm(alarm);
     if(!verifyResult) {
       callback(new Error("invalid alarm, failed to pass verification"));
       return;
     }
 
+    // disable this check for now, since we use new way to check feature enable/disable
+    // let enabled = this.isAlarmTypeEnabled(alarm)
+    // if(!enabled) {
+    //   callback(new Error(`alarm type ${alarm.type} is disabled`))
+    //   return
+    // }
+
     let dedupResult = this.dedup(alarm).then((dup) => {
 
       if(dup) {
@@ -631,7 +649,7 @@ module.exports = class {
     })()
   }
 
-  blockAlarmByPolicy(alarm, policy, info) {
+  blockAlarmByPolicy(alarm, policy, info, needArchive) {
     return async(() => {
       if(!alarm || !policy) {
         return
@@ -647,7 +665,12 @@ module.exports = class {
       }
 
       await (this.updateAlarm(alarm))
-      await (this.archiveAlarm(alarm.aid))
+
+      if(needArchive) {
+        await (this.archiveAlarm(alarm.aid))
+      } else {
+        await (this.removeFromActiveQueueAsync(alarm.aid))
+      }
 
       log.info(`Alarm ${alarm.aid} is blocked successfully`)
     })()
@@ -674,7 +697,7 @@ module.exports = class {
     })()
   }
 
-  allowAlarmByException(alarm, exception, info) {
+  allowAlarmByException(alarm, exception, info, needArchive) {
     return async(() => {
       if(!alarm || !exception) {
         return
@@ -690,8 +713,13 @@ module.exports = class {
       }
 
       await (this.updateAlarm(alarm))
-      await (this.archiveAlarm(alarm.aid))
 
+      if(needArchive) {
+        await (this.archiveAlarm(alarm.aid))
+      } else {
+        await (this.removeFromActiveQueueAsync(alarm.aid))
+      }
+
       log.info(`Alarm ${alarm.aid} is allowed successfully`)
     })()
   }
@@ -1160,22 +1188,38 @@ module.exports = class {
       if(!destIP)
         return Promise.reject(new Error("Requiring p.dest.ip"));
 
-      return new Promise((resolve, reject) => {
-        im._location(destIP, (err, loc) => {
-          if(err) {
-            reject(err);
-          }
-          if (loc && loc.loc) {
-            let location = loc.loc;
-            let ll = location.split(",");
-            if(ll.length === 2) {
-              alarm["p.dest.latitude"] = parseFloat(ll[0]);
-              alarm["p.dest.longitude"] = parseFloat(ll[1]);
-            }
-            alarm["p.dest.country"] = loc.country; // FIXME: need complete location info
+      const locationAsync = Promise.promisify(im._location).bind(im)
+
+      return async(() => {
+
+        // location
+        const loc = await (locationAsync(destIP))
+        if(loc && loc.loc) {
+          const location = loc.loc;
+          const ll = location.split(",");
+          if(ll.length === 2) {
+            alarm["p.dest.latitude"] = parseFloat(ll[0]);
+            alarm["p.dest.longitude"] = parseFloat(ll[1]);
           }
-          resolve(alarm);
-        });
-      });
+          alarm["p.dest.country"] = loc.country; // FIXME: need complete location info
+        }
+
+        // intel
+        const intel = await (intelTool.getIntel(destIP))
+        if(intel.app) {
+          alarm["p.dest.app"] = intel.app
+        }
+
+        if(intel.category) {
+          alarm["p.dest.category"] = intel.category
+        }
+
+        if(intel.host) {
+          alarm["p.dest.name"] = intel.host
+        }
+
+        return alarm
+
+      })()
     }
   }
diff --git a/alarm/ExceptionManager.js b/alarm/ExceptionManager.js
@@ -7,6 +7,8 @@ const await = require('asyncawait/await');
 
 const Promise = require('bluebird');
 
+const minimatch = require('minimatch')
+
 let Exception = require('./Exception.js');
 let Bone = require('../lib/Bone.js');
 
@@ -268,7 +270,26 @@ module.exports = class {
       });
   }
 
+  isFirewallaCloud(alarm) {
+    const name = alarm["p.dest.name"]
+    if(!name) {
+      return false
+    }
+
+    return name === "firewalla.encipher.io" ||
+      name === "firewalla.com" ||
+      minimatch(name, "*.firewalla.com")
+
+    // TODO: might need to add static ip address here
+  }
+
   match(alarm, callback) {
+
+    if(this.isFirewallaCloud(alarm)) {
+      callback(null, true, [])
+      return
+    }
+
     this.loadExceptions((err, results) => {
       if(err) {
         callback(err);

diff --git a/alarm/PolicyManager2.js b/alarm/PolicyManager2.js
@@ -29,7 +29,12 @@ let Bone = require('../lib/Bone.js');
 let async = require('asyncawait/async')
 let await = require('asyncawait/await')
 
-let Promise = require('bluebird');
+const Promise = require('bluebird');
+
+const minimatch = require('minimatch')
+
+const SysManager = require('../net2/SysManager.js')
+const sysManager = new SysManager('info');
 
 let instance = null;
 
@@ -218,12 +223,16 @@ class PolicyManager2 {
     async(()=>{
       //FIXME: data inconsistence risk for multi-processes or multi-threads
       try {
+        if(this.isFirewallaCloud(policy)) {
+          callback(new Error("Firewalla cloud can't be blocked"))
+          return
+        }
         // let policies = await(this.getSamePolicies(policy))
         // if (policies && policies.length > 0) {
         //   log.info("policy with type:" + policy.type + ",target:" + policy.target + " already existed")
         //   callback(new Error("policy existed"))
         // } else {
-          this.savePolicy(policy, callback);
+        this.savePolicy(policy, callback);
 //        }
       } catch (err) {
         log.error("failed to save policy:" + err)
@@ -465,11 +474,24 @@ class PolicyManager2 {
     })()
   }
 
+  isFirewallaCloud(policy) {
+    const target = policy.target
+
+    return sysManager.isMyServer(target) ||
+           target === "firewalla.encipher.com" ||
+           target === "firewalla.com" ||
+           minimatch(target, "*.firewalla.com")
+  }
+
   enforce(policy) {
     log.info("Enforce policy: ", policy, {});
 
     let type = policy["i.type"] || policy["type"]; //backward compatibility
 
+    if(this.isFirewallaCloud(policy)) {
+      return Promise.reject(new Error("Firewalla cloud can't be blocked."))
+    }
+
     switch(type) {
     case "ip":
       return Block.block(policy.target);
@@ -479,7 +501,7 @@ class PolicyManager2 {
       return blockMacAsync(policy.target);
       break;
     case "domain":
-    case "dns":
+    case "dns":    
       return dnsmasq.addPolicyFilterEntry(policy.target)
         .then(() => {
           sem.emitEvent({

diff --git a/api/app-local.js b/api/app-local.js
@@ -64,7 +64,7 @@ function enableSubPath(path, lib) {
 // encipher api is enabled even for production enviornment
 enableSubPath('encipher');
 
-if(!firewalla.isProduction()) {
+if(!firewalla.isProductionOrBeta()) {
   // apis for development purpose only, do NOT enable them in production
   subpath_v1.use('/message', message);
   subpath_v1.use('/ss', shadowsocks);

diff --git a/api/bin/www b/api/bin/www
@@ -110,7 +110,7 @@ function runLocalAPI() {
    * Listen on provided port, on all network interfaces.
    */
 
-  if(f.isProduction()) {
+  if(f.isProductionOrBeta()) {
     serverForLocalAPI.listen(portForLocalAPI, 'localhost')
   } else {
     serverForLocalAPI.listen(portForLocalAPI)
@@ -181,7 +181,8 @@ function onListening() {
 }
 
 // for non production, just print on console
-if(f.isProduction() && !f.isDocker()) {
+if((f.isProductionOrBeta())
+  && !f.isDocker()) {
   process.on('uncaughtException',(err)=>{
     log.info("################### CRASH #############");
     log.info("+-+-+-",err.message,err.stack);

diff --git a/bin/bitbridge6.sh b/bin/bitbridge6.sh
@@ -13,7 +13,7 @@ branch=$(cd $FIREWALLA_HOME; git rev-parse --abbrev-ref HEAD)
 
 # both beta and prod will disable ipv6
 
-if [[ -e $FIREWALLA_BIN/dev || (($branch == release_* || $branch == beta_*) && ! -f /home/pi/.firewalla/config/enablev6) ]]; then
+if [[ -e $FIREWALLA_BIN/dev || (($branch == release_*) && ! -f /home/pi/.firewalla/config/enablev6) ]]; then
   cp $FIREWALLA_BIN{/mock,}/$BINARY
 else
   cp $FIREWALLA_BIN{/real,}/$BINARY