diff --git a/README.md b/README.md index b8667f8b..2db0f39c 100644 --- a/README.md +++ b/README.md @@ -20,10 +20,10 @@ Blocky is a DNS proxy and ad-blocker for the local network written in Go with fo ## Features -- **Blocking** - Blocking of DNS queries with external lists (Ad-block, malware) and whitelisting +- **Blocking** - Blocking of DNS queries with external lists (Ad-block, malware) and allowlisting - - Definition of black and white lists per client group (Kids, Smart home devices, etc.) - - Periodical reload of external black and white lists + - Definition of allow/denylists per client group (Kids, Smart home devices, etc.) + - Periodical reload of external allow/denylists - Regex support - Blocking of request domain, response CNAME (deep CNAME inspection) and response IP addresses (against IP lists) diff --git a/cmd/root_test.go b/cmd/root_test.go index 2f608b0f..b5769a2d 100644 --- a/cmd/root_test.go +++ b/cmd/root_test.go @@ -39,7 +39,7 @@ var _ = Describe("root command", func() { " default:", " - 1.1.1.1", "blocking:", - " blackLists:", + " denylists:", " ads:", " - https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt", " clientGroupsBlock:", diff --git a/config/blocking.go b/config/blocking.go index aa7520d3..4e255313 100644 --- a/config/blocking.go +++ b/config/blocking.go @@ -8,8 +8,8 @@ import ( // Blocking configuration for query blocking type Blocking struct { - BlackLists map[string][]BytesSource `yaml:"blackLists"` - WhiteLists map[string][]BytesSource `yaml:"whiteLists"` + Denylists map[string][]BytesSource `yaml:"denylists"` + Allowlists map[string][]BytesSource `yaml:"allowlists"` ClientGroupsBlock map[string][]string `yaml:"clientGroupsBlock"` BlockType string `yaml:"blockType" default:"ZEROIP"` BlockTTL Duration `yaml:"blockTTL" default:"6h"` @@ -17,19 +17,23 @@ type Blocking struct { // Deprecated options Deprecated struct { - DownloadTimeout *Duration `yaml:"downloadTimeout"` - DownloadAttempts *uint `yaml:"downloadAttempts"` - DownloadCooldown *Duration `yaml:"downloadCooldown"` - RefreshPeriod *Duration `yaml:"refreshPeriod"` - FailStartOnListError *bool `yaml:"failStartOnListError"` - ProcessingConcurrency *uint `yaml:"processingConcurrency"` - StartStrategy *InitStrategy `yaml:"startStrategy"` - MaxErrorsPerFile *int `yaml:"maxErrorsPerFile"` + BlackLists *map[string][]BytesSource `yaml:"blackLists"` + WhiteLists *map[string][]BytesSource `yaml:"whiteLists"` + DownloadTimeout *Duration `yaml:"downloadTimeout"` + DownloadAttempts *uint `yaml:"downloadAttempts"` + DownloadCooldown *Duration `yaml:"downloadCooldown"` + RefreshPeriod *Duration `yaml:"refreshPeriod"` + FailStartOnListError *bool `yaml:"failStartOnListError"` + ProcessingConcurrency *uint `yaml:"processingConcurrency"` + StartStrategy *InitStrategy `yaml:"startStrategy"` + MaxErrorsPerFile *int `yaml:"maxErrorsPerFile"` } `yaml:",inline"` } func (c *Blocking) migrate(logger *logrus.Entry) bool { return Migrate(logger, "blocking", c.Deprecated, map[string]Migrator{ + "blackLists": Move(To("denylists", c)), + "whiteLists": Move(To("allowlists", c)), "downloadTimeout": Move(To("loading.downloads.timeout", &c.Loading.Downloads)), "downloadAttempts": Move(To("loading.downloads.attempts", &c.Loading.Downloads)), "downloadCooldown": Move(To("loading.downloads.cooldown", &c.Loading.Downloads)), @@ -67,14 +71,14 @@ func (c *Blocking) LogConfig(logger *logrus.Entry) { logger.Info("loading:") log.WithIndent(logger, " ", c.Loading.LogConfig) - logger.Info("blacklist:") + logger.Info("denylists:") log.WithIndent(logger, " ", func(logger *logrus.Entry) { - c.logListGroups(logger, c.BlackLists) + c.logListGroups(logger, c.Denylists) }) - logger.Info("whitelist:") + logger.Info("allowlists:") log.WithIndent(logger, " ", func(logger *logrus.Entry) { - c.logListGroups(logger, c.WhiteLists) + c.logListGroups(logger, c.Allowlists) }) } diff --git a/config/blocking_test.go b/config/blocking_test.go index 9c84a9bf..45b8660f 100644 --- a/config/blocking_test.go +++ b/config/blocking_test.go @@ -17,7 +17,7 @@ var _ = Describe("BlockingConfig", func() { cfg = Blocking{ BlockType: "ZEROIP", BlockTTL: Duration(time.Minute), - BlackLists: map[string][]BytesSource{ + Denylists: map[string][]BytesSource{ "gr1": NewBytesSources("/a/file/path"), }, ClientGroupsBlock: map[string][]string{ @@ -60,4 +60,30 @@ var _ = Describe("BlockingConfig", func() { Expect(hook.Messages).Should(ContainElement(Equal("blockType = ZEROIP"))) }) }) + + Describe("migrate", func() { + It("should copy values", func() { + cfg, err := WithDefaults[Blocking]() + Expect(err).Should(Succeed()) + + cfg.Deprecated.BlackLists = &map[string][]BytesSource{ + "deny-group": NewBytesSources("/deny.txt"), + } + cfg.Deprecated.WhiteLists = &map[string][]BytesSource{ + "allow-group": NewBytesSources("/allow.txt"), + } + + migrated := cfg.migrate(logger) + Expect(migrated).Should(BeTrue()) + + Expect(hook.Calls).ShouldNot(BeEmpty()) + Expect(hook.Messages).Should(ContainElements( + ContainSubstring("blocking.allowlists"), + ContainSubstring("blocking.denylists"), + )) + + Expect(cfg.Allowlists).Should(Equal(*cfg.Deprecated.WhiteLists)) + Expect(cfg.Denylists).Should(Equal(*cfg.Deprecated.BlackLists)) + }) + }) }) diff --git a/config/config_test.go b/config/config_test.go index 4d963611..be75775d 100644 --- a/config/config_test.go +++ b/config/config_test.go @@ -988,8 +988,8 @@ func defaultTestFileConfig(config *Config) { Expect(config.Conditional.Mapping.Upstreams["multiple.resolvers"]).Should(HaveLen(2)) Expect(config.ClientLookup.Upstream.Host).Should(Equal("192.168.178.1")) Expect(config.ClientLookup.SingleNameOrder).Should(Equal([]uint{2, 1})) - Expect(config.Blocking.BlackLists).Should(HaveLen(2)) - Expect(config.Blocking.WhiteLists).Should(HaveLen(1)) + Expect(config.Blocking.Denylists).Should(HaveLen(2)) + Expect(config.Blocking.Allowlists).Should(HaveLen(1)) Expect(config.Blocking.ClientGroupsBlock).Should(HaveLen(2)) Expect(config.Blocking.BlockTTL).Should(Equal(Duration(time.Minute))) Expect(config.Blocking.Loading.RefreshPeriod).Should(Equal(Duration(2 * time.Hour))) @@ -1029,7 +1029,7 @@ func writeConfigYml(tmpDir *helpertest.TmpFolder) *helpertest.TmpFile { "fqdnOnly:", " enable: true", "blocking:", - " blackLists:", + " denylists:", " ads:", " - https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt", " - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts", @@ -1039,9 +1039,9 @@ func writeConfigYml(tmpDir *helpertest.TmpFolder) *helpertest.TmpFile { " - https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt", " special:", " - https://hosts-file.net/ad_servers.txt", - " whiteLists:", + " allowlists:", " ads:", - " - whitelist.txt", + " - allowlist.txt", " clientGroupsBlock:", " default:", " - ads", @@ -1119,7 +1119,7 @@ func writeConfigDir(tmpDir *helpertest.TmpFolder) { tmpDir.CreateStringFile("config2.yaml", "blocking:", - " blackLists:", + " denylists:", " ads:", " - https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt", " - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts", @@ -1129,9 +1129,9 @@ func writeConfigDir(tmpDir *helpertest.TmpFolder) { " - https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt", " special:", " - https://hosts-file.net/ad_servers.txt", - " whiteLists:", + " allowlists:", " ads:", - " - whitelist.txt", + " - allowlist.txt", " clientGroupsBlock:", " default:", " - ads", diff --git a/docs/additional_information.md b/docs/additional_information.md index d54800cd..3cc85304 100644 --- a/docs/additional_information.md +++ b/docs/additional_information.md @@ -33,7 +33,6 @@ To print runtime configuration / statistics, you can send `SIGUSR1` signal to ru INFO server: MEM NumGC = 1533 INFO server: RUN NumCPU = 4 INFO server: RUN NumGoroutine = 18 - ``` !!! hint @@ -49,7 +48,7 @@ automatically. Some links/ideas for lists: -### Blacklists +### Denylists * [https://github.com/StevenBlack/hosts](https://github.com/StevenBlack/hosts) * [https://github.com/nickspaargaren/no-google](https://github.com/nickspaargaren/no-google) @@ -60,11 +59,11 @@ Some links/ideas for lists: !!! warning - Use only blacklists from the sources you trust! + Use only denylists from the sources you trust! -### Whitelists +### Allowlists -* [https://github.com/anudeepND/whitelist](https://github.com/anudeepND/whitelist) +* [https://github.com/anudeepND/whitelist](https://github.com/anudeepND/allowlist) ## List of public DNS servers @@ -74,7 +73,7 @@ Some links/ideas for lists: Please read the description before using the DNS server as upstream. Some of them provide already an ad-blocker, some filters other content. If you use external DNS server with included ad-blocker, you can't choose which domains should be - blocked, and you can't use whitelisting. + blocked, and you can't use allowlisting. This is only a small excerpt of all free available DNS servers and should only be understood as an idee. diff --git a/docs/api/openapi.yaml b/docs/api/openapi.yaml index 926f8d91..8514c41c 100644 --- a/docs/api/openapi.yaml +++ b/docs/api/openapi.yaml @@ -8,10 +8,10 @@ info: ## Features - - **Blocking** - Blocking of DNS queries with external lists (Ad-block, malware) and whitelisting + - **Blocking** - Blocking of DNS queries with external lists (Ad-block, malware) and allowlisting - - Definition of black and white lists per client group (Kids, Smart home devices, etc.) - - Periodical reload of external black and white lists + - Definition of allow/denylists per client group (Kids, Smart home devices, etc.) + - Periodical reload of external allow/denylists - Regex support - Blocking of request domain, response CNAME (deep CNAME inspection) and response IP addresses (against IP lists) diff --git a/docs/blocky-grafana.json b/docs/blocky-grafana.json index 7224dc95..ed772765 100644 --- a/docs/blocky-grafana.json +++ b/docs/blocky-grafana.json @@ -429,7 +429,7 @@ "datasource": { "uid": "${DS_PROMETHEUS}" }, - "description": "Number of blacklist entries", + "description": "Number of denylist entries", "fieldConfig": { "defaults": { "mappings": [ @@ -487,7 +487,7 @@ "uid": "${DS_PROMETHEUS}" }, "exemplar": true, - "expr": "sum(blocky_blacklist_cache) / sum(up{job=~\"$job\"})", + "expr": "sum(blocky_denylist_cache) / sum(up{job=~\"$job\"})", "format": "table", "instant": false, "interval": "", @@ -495,7 +495,7 @@ "refId": "A" } ], - "title": "Blacklist entries total", + "title": "Denylist entries total", "transparent": true, "type": "stat" }, @@ -1683,7 +1683,7 @@ "uid": "${DS_PROMETHEUS}" }, "exemplar": false, - "expr": "topk(1, blocky_blacklist_cache) by (group)", + "expr": "topk(1, blocky_denylist_cache) by (group)", "format": "time_series", "instant": true, "interval": "", @@ -1691,7 +1691,7 @@ "refId": "A" } ], - "title": "Blacklist by group", + "title": "Denylist by group", "transparent": true, "type": "piechart" }, @@ -1978,4 +1978,4 @@ "uid": "JvOqE4gRk", "version": 1, "weekStart": "" -} +} \ No newline at end of file diff --git a/docs/blocky-query-grafana-postgres.json b/docs/blocky-query-grafana-postgres.json index 4dad81c9..8ca36173 100644 --- a/docs/blocky-query-grafana-postgres.json +++ b/docs/blocky-query-grafana-postgres.json @@ -243,7 +243,7 @@ ] } ], - "title": "Blocked by Blacklist", + "title": "Blocked by Denylist", "type": "piechart" }, { diff --git a/docs/blocky-query-grafana.json b/docs/blocky-query-grafana.json index 336af8cc..c024d8fc 100644 --- a/docs/blocky-query-grafana.json +++ b/docs/blocky-query-grafana.json @@ -243,7 +243,7 @@ ] } ], - "title": "Blocked by Blacklist", + "title": "Blocked by Denylist", "type": "piechart" }, { diff --git a/docs/config.yml b/docs/config.yml index a60dd399..dc0e2450 100644 --- a/docs/config.yml +++ b/docs/config.yml @@ -62,10 +62,10 @@ conditional: fritz.box: 192.168.178.1 lan.net: 192.168.178.1,192.168.178.2 -# optional: use black and white lists to block queries (for example ads, trackers, adult pages etc.) +# optional: use allow/denylists to block queries (for example ads, trackers, adult pages etc.) blocking: - # definition of blacklist groups. Can be external link (http/https) or local file - blackLists: + # definition of denylist groups. Can be external link (http/https) or local file + denylists: ads: - https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts @@ -77,14 +77,16 @@ blocking: *.example.com special: - https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews/hosts - # definition of whitelist groups. Attention: if the same group has black and whitelists, whitelists will be used to disable particular blacklist entries. If a group has only whitelist entries -> this means only domains from this list are allowed, all other domains will be blocked - whiteLists: + # definition of allowlist groups. + # Note: if the same group has both allow/denylists, allowlists take precedence. Meaning if a domain is both blocked and allowed, it will be allowed. + # If a group has only allowlist entries, only domains from this list are allowed, and all others be blocked. + allowlists: ads: - - whitelist.txt + - allowlist.txt - | # inline definition with YAML literal block scalar style # hosts format - whitelistdomain.com + allowlistdomain.com # this is a regex /^banners?[_.-]/ # definition: which groups should be applied for which client @@ -242,7 +244,7 @@ minTlsServeVersion: 1.3 #certFile: server.crt #keyFile: server.key -# optional: use these DNS servers to resolve blacklist urls and upstream DNS servers. It is useful if no system DNS resolver is configured, and/or to encrypt the bootstrap queries. +# optional: use these DNS servers to resolve denylist urls and upstream DNS servers. It is useful if no system DNS resolver is configured, and/or to encrypt the bootstrap queries. bootstrapDns: - tcp+udp:1.1.1.1 - https://1.1.1.1/dns-query diff --git a/docs/configuration.md b/docs/configuration.md index ff48f13a..4be9468a 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -395,16 +395,16 @@ contains a map of client name and multiple IP addresses. Use `192.168.178.1` for rDNS lookup. Take second name if present, if not take first name. IP address `192.168.178.29` is mapped to `laptop` as client name. -## Blocking and whitelisting +## Blocking and allowlisting Blocky can use lists of domains and IPs to block (e.g. advertisement, malware, trackers, adult sites). You can group several list sources together and define the blocking behavior per client. Blocking uses the [DNS sinkhole](https://en.wikipedia.org/wiki/DNS_sinkhole) approach. For each DNS query, the domain name from the request, IP address from the response, and any CNAME records will be checked to determine whether to block the query or not. -To avoid over-blocking, you can use whitelists. +To avoid over-blocking, you can use allowlists. -### Definition black and whitelists +### Definition allow/denylists Lists are defined in groups. This allows using different sets of lists for different clients. @@ -421,7 +421,7 @@ The supported list formats are: ```yaml blocking: - blackLists: + denylists: ads: - https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts @@ -436,25 +436,24 @@ The supported list formats are: /^banners?[_.-]/ special: - https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews/hosts - whiteLists: + allowlists: ads: - - whitelist.txt + - allowlist.txt - /path/to/file.txt - | # inline definition with YAML literal block scalar style - whitelistdomain.com + allowlistdomain.com ``` In this example you can see 2 groups: **ads** and **special** with one list. The **ads** group includes 2 inline lists. !!! warning - If the same group has black and whitelists, whitelists will be used to disable particular blacklist entries. - If a group has **only** whitelist entries -> this means only domains from this list are allowed, all other domains will - be blocked. + If the same group has **both** allow/denylists, allowlists take precedence. Meaning if a domain is both blocked and allowed, it will be allowed. + If a group has **only allowlist** entries, only domains from this list are allowed, and all others be blocked. !!! warning - You must also define client group mapping, otherwise you black and whitelist definition will have no effect. + You must also define a client group mapping, otherwise the allow/denylist definitions will have no effect. #### Wildcard support @@ -833,7 +832,7 @@ These settings apply only to the resolver under which they are nested. ```yaml blocking: loading: - # only applies to white/blacklists + # only applies to allow/denylists hostsFile: loading: diff --git a/docs/index.md b/docs/index.md index 713c4acd..000f9f01 100644 --- a/docs/index.md +++ b/docs/index.md @@ -8,10 +8,10 @@ Blocky is a DNS proxy and ad-blocker for the local network written in Go with fo ## Features -- **Blocking** - :no_entry: Blocking of DNS queries with external lists (Ad-block, malware) and whitelisting +- **Blocking** - :no_entry: Blocking of DNS queries with external lists (Ad-block, malware) and allowlisting - * Definition of black and white lists per client group (Kids, Smart home devices, etc.) - * Periodical reload of external black and white lists + * Definition of allow/denylists per client group (Kids, Smart home devices, etc.) + * Periodical reload of external allow/denylists * Regex support * Blocking of request domain, response CNAME (deep CNAME inspection) and response IP addresses (against IP lists) diff --git a/docs/installation.md b/docs/installation.md index f6c1712e..7ce5cacb 100644 --- a/docs/installation.md +++ b/docs/installation.md @@ -20,7 +20,7 @@ upstream: - tcp-tls:fdns1.dismail.de:853 - https://dns.digitale-gesellschaft.ch/dns-query blocking: - blackLists: + denylists: ads: - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts clientGroupsBlock: @@ -95,8 +95,8 @@ docker-compose up -d ### Advanced setup Following example shows, how to run blocky in a docker container and store query logs on a SAMBA share. Local black and -whitelists directories are mounted as volume. You can create own black or whitelists in these directories and define the -path like '/app/whitelists/whitelist.txt' in the config file. +allowlists directories are mounted as volume. You can create own black or allowlists in these directories and define the +path like '/app/allowlists/allowlist.txt' in the config file. !!! example @@ -118,9 +118,9 @@ services: - ./config.yml:/app/config.yml # write query logs in this volume - queryLogs:/logs - # put your custom white and blacklists in these directories - - ./blacklists:/app/blacklists/ - - ./whitelists:/app/whitelists/ + # put your custom allow/denylists in these directories + - ./denylists:/app/denylists/ + - ./allowlists:/app/allowlists/ volumes: queryLogs: diff --git a/docs/interfaces.md b/docs/interfaces.md index 813af09d..b40ab9bc 100644 --- a/docs/interfaces.md +++ b/docs/interfaces.md @@ -27,7 +27,7 @@ To run the CLI, please ensure, that blocky DNS server is running, then execute ` - `./blocky blocking status` to print current status of blocking - `./blocky query ` execute DNS query (A) (simple replacement for dig, useful for debug purposes) - `./blocky query --type ` execute DNS query with passed query type (A, AAAA, MX, ...) -- `./blocky lists refresh` reloads all white and blacklists +- `./blocky lists refresh` reloads all allow/denylists !!! tip diff --git a/docs/prometheus_grafana.md b/docs/prometheus_grafana.md index e599b474..8eff7134 100644 --- a/docs/prometheus_grafana.md +++ b/docs/prometheus_grafana.md @@ -10,7 +10,7 @@ Following metrics will be exported: | name | Description | | ------------------------------------------------ | -------------------------------------------------------- | -| blocky_blacklist_cache / blocky_whitelist_cache | Number of entries in blacklist/whitelist cache, partitioned by group | +| blocky_denylist_cache / blocky_allowlist_cache | Number of entries in denylist/allowlist cache, partitioned by group | | blocky_error_total | Number of total queries that ended in error for any reason | | blocky_query_total | Number of total queries, partitioned by client and DNS request type (A, AAAA, PTR, etc) | | blocky_request_duration_ms_bucket | Request duration histogram, partitioned by response type (Blocked, cached, etc) | diff --git a/e2e/blocking_test.go b/e2e/blocking_test.go index db2e7aa9..4d0b7367 100644 --- a/e2e/blocking_test.go +++ b/e2e/blocking_test.go @@ -24,7 +24,7 @@ var _ = Describe("External lists and query blocking", func() { Expect(err).Should(Succeed()) }) Describe("List download on startup", func() { - When("external blacklist ist not available", func() { + When("external denylist ist not available", func() { Context("loading.strategy = blocking", func() { BeforeEach(func(ctx context.Context) { blocky, err = createBlockyContainer(ctx, e2eNet, @@ -37,7 +37,7 @@ var _ = Describe("External lists and query blocking", func() { "blocking:", " loading:", " strategy: blocking", - " blackLists:", + " denylists:", " ads:", " - http://wrong.domain.url/list.txt", " clientGroupsBlock:", @@ -72,7 +72,7 @@ var _ = Describe("External lists and query blocking", func() { "blocking:", " loading:", " strategy: failOnError", - " blackLists:", + " denylists:", " ads:", " - http://wrong.domain.url/list.txt", " clientGroupsBlock:", @@ -96,8 +96,8 @@ var _ = Describe("External lists and query blocking", func() { }) }) }) - Describe("Query blocking against external blacklists", func() { - When("external blacklists are defined and available", func() { + Describe("Query blocking against external denylists", func() { + When("external denylists are defined and available", func() { BeforeEach(func(ctx context.Context) { _, err = createHTTPServerContainer(ctx, "httpserver", e2eNet, "list.txt", "blockeddomain.com") Expect(err).Should(Succeed()) @@ -110,7 +110,7 @@ var _ = Describe("External lists and query blocking", func() { " default:", " - moka", "blocking:", - " blackLists:", + " denylists:", " ads:", " - http://httpserver:8080/list.txt", " clientGroupsBlock:", diff --git a/e2e/metrics_test.go b/e2e/metrics_test.go index 685c4099..ce907bd5 100644 --- a/e2e/metrics_test.go +++ b/e2e/metrics_test.go @@ -49,7 +49,7 @@ var _ = Describe("Metrics functional tests", func() { " default:", " - moka1", "blocking:", - " blackLists:", + " denylists:", " group1:", " - http://httpserver1:8080/list1.txt", " group2:", @@ -129,8 +129,8 @@ var _ = Describe("Metrics functional tests", func() { It("Should expose list cache sizes per group as metrics", func(ctx context.Context) { Eventually(fetchBlockyMetrics).WithArguments(ctx, metricsURL). Should(ContainElements( - "blocky_blacklist_cache{group=\"group1\"} 1", - "blocky_blacklist_cache{group=\"group2\"} 3", + "blocky_denylist_cache{group=\"group1\"} 1", + "blocky_denylist_cache{group=\"group2\"} 3", )) }) }) diff --git a/lists/list_cache.go b/lists/list_cache.go index 409591f9..843b6bb7 100644 --- a/lists/list_cache.go +++ b/lists/list_cache.go @@ -24,8 +24,8 @@ const ( ) // ListCacheType represents the type of cached list ENUM( -// blacklist // is a list with blocked domains -// whitelist // is a list with whitelisted domains / IPs +// denylist // is a list with blocked domains +// allowlist // is a list with allowlisted domains / IPs // ) type ListCacheType int diff --git a/lists/list_cache_benchmark_test.go b/lists/list_cache_benchmark_test.go index 0a0c325c..5777187d 100644 --- a/lists/list_cache_benchmark_test.go +++ b/lists/list_cache_benchmark_test.go @@ -20,7 +20,7 @@ func BenchmarkRefresh(b *testing.B) { RefreshPeriod: config.Duration(-1), } downloader := NewDownloader(config.Downloader{}, nil) - cache, _ := NewListCache(context.Background(), ListCacheTypeBlacklist, cfg, lists, downloader) + cache, _ := NewListCache(context.Background(), ListCacheTypeDenylist, cfg, lists, downloader) b.ReportAllocs() diff --git a/lists/list_cache_enum.go b/lists/list_cache_enum.go index 39f41e52..720c9554 100644 --- a/lists/list_cache_enum.go +++ b/lists/list_cache_enum.go @@ -12,21 +12,21 @@ import ( ) const ( - // ListCacheTypeBlacklist is a ListCacheType of type Blacklist. + // ListCacheTypeDenylist is a ListCacheType of type Denylist. // is a list with blocked domains - ListCacheTypeBlacklist ListCacheType = iota - // ListCacheTypeWhitelist is a ListCacheType of type Whitelist. - // is a list with whitelisted domains / IPs - ListCacheTypeWhitelist + ListCacheTypeDenylist ListCacheType = iota + // ListCacheTypeAllowlist is a ListCacheType of type Allowlist. + // is a list with allowlisted domains / IPs + ListCacheTypeAllowlist ) var ErrInvalidListCacheType = fmt.Errorf("not a valid ListCacheType, try [%s]", strings.Join(_ListCacheTypeNames, ", ")) -const _ListCacheTypeName = "blacklistwhitelist" +const _ListCacheTypeName = "denylistallowlist" var _ListCacheTypeNames = []string{ - _ListCacheTypeName[0:9], - _ListCacheTypeName[9:18], + _ListCacheTypeName[0:8], + _ListCacheTypeName[8:17], } // ListCacheTypeNames returns a list of possible string values of ListCacheType. @@ -37,8 +37,8 @@ func ListCacheTypeNames() []string { } var _ListCacheTypeMap = map[ListCacheType]string{ - ListCacheTypeBlacklist: _ListCacheTypeName[0:9], - ListCacheTypeWhitelist: _ListCacheTypeName[9:18], + ListCacheTypeDenylist: _ListCacheTypeName[0:8], + ListCacheTypeAllowlist: _ListCacheTypeName[8:17], } // String implements the Stringer interface. @@ -57,8 +57,8 @@ func (x ListCacheType) IsValid() bool { } var _ListCacheTypeValue = map[string]ListCacheType{ - _ListCacheTypeName[0:9]: ListCacheTypeBlacklist, - _ListCacheTypeName[9:18]: ListCacheTypeWhitelist, + _ListCacheTypeName[0:8]: ListCacheTypeDenylist, + _ListCacheTypeName[8:17]: ListCacheTypeAllowlist, } // ParseListCacheType attempts to convert a string to a ListCacheType. diff --git a/lists/list_cache_test.go b/lists/list_cache_test.go index dbcd910d..b937b15e 100644 --- a/lists/list_cache_test.go +++ b/lists/list_cache_test.go @@ -46,7 +46,7 @@ var _ = Describe("ListCache", func() { ctx, cancelFn = context.WithCancel(context.Background()) DeferCleanup(cancelFn) - listCacheType = ListCacheTypeBlacklist + listCacheType = ListCacheTypeDenylist sutConfig, err = config.WithDefaults[config.SourceLoading]() Expect(err).Should(Succeed()) @@ -306,7 +306,7 @@ var _ = Describe("ListCache", func() { } }) It("should match", func() { - sut, err = NewListCache(ctx, ListCacheTypeBlacklist, sutConfig, lists, downloader) + sut, err = NewListCache(ctx, ListCacheTypeDenylist, sutConfig, lists, downloader) Expect(err).Should(Succeed()) Expect(sut.groupedCache.ElementCount("gr1")).Should(Equal(lines1 + lines2 + lines3)) @@ -408,7 +408,7 @@ var _ = Describe("ListCache", func() { }) It("should print list configuration", func() { - sut, err = NewListCache(ctx, ListCacheTypeBlacklist, sutConfig, lists, downloader) + sut, err = NewListCache(ctx, ListCacheTypeDenylist, sutConfig, lists, downloader) Expect(err).Should(Succeed()) sut.LogConfig(logger) @@ -432,7 +432,7 @@ var _ = Describe("ListCache", func() { }) It("should never return an error", func() { - _, err := NewListCache(ctx, ListCacheTypeBlacklist, sutConfig, lists, downloader) + _, err := NewListCache(ctx, ListCacheTypeDenylist, sutConfig, lists, downloader) Expect(err).Should(Succeed()) }) }) diff --git a/metrics/metrics_event_publisher.go b/metrics/metrics_event_publisher.go index effc3f76..f60e2c13 100644 --- a/metrics/metrics_event_publisher.go +++ b/metrics/metrics_event_publisher.go @@ -28,14 +28,14 @@ func registerApplicationEventListeners() { } func versionNumberGauge() *prometheus.GaugeVec { - blacklistCnt := prometheus.NewGaugeVec( + denylistCnt := prometheus.NewGaugeVec( prometheus.GaugeOpts{ Name: "blocky_build_info", Help: "Version number and build info", }, []string{"version", "build_time"}, ) - return blacklistCnt + return denylistCnt } func registerBlockingEventListeners() { @@ -51,23 +51,23 @@ func registerBlockingEventListeners() { } }) - blacklistCnt := blacklistGauge() + denylistCnt := denylistGauge() - whitelistCnt := whitelistGauge() + allowlistCnt := allowlistGauge() lastListGroupRefresh := lastListGroupRefresh() - RegisterMetric(blacklistCnt) - RegisterMetric(whitelistCnt) + RegisterMetric(denylistCnt) + RegisterMetric(allowlistCnt) RegisterMetric(lastListGroupRefresh) subscribe(evt.BlockingCacheGroupChanged, func(listType lists.ListCacheType, groupName string, cnt int) { lastListGroupRefresh.Set(float64(time.Now().Unix())) switch listType { - case lists.ListCacheTypeBlacklist: - blacklistCnt.WithLabelValues(groupName).Set(float64(cnt)) - case lists.ListCacheTypeWhitelist: - whitelistCnt.WithLabelValues(groupName).Set(float64(cnt)) + case lists.ListCacheTypeDenylist: + denylistCnt.WithLabelValues(groupName).Set(float64(cnt)) + case lists.ListCacheTypeAllowlist: + allowlistCnt.WithLabelValues(groupName).Set(float64(cnt)) } }) } @@ -82,26 +82,26 @@ func enabledGauge() prometheus.Gauge { return enabledGauge } -func blacklistGauge() *prometheus.GaugeVec { - blacklistCnt := prometheus.NewGaugeVec( +func denylistGauge() *prometheus.GaugeVec { + denylistCnt := prometheus.NewGaugeVec( prometheus.GaugeOpts{ - Name: "blocky_blacklist_cache", - Help: "Number of entries in the blacklist cache", + Name: "blocky_denylist_cache", + Help: "Number of entries in the denylist cache", }, []string{"group"}, ) - return blacklistCnt + return denylistCnt } -func whitelistGauge() *prometheus.GaugeVec { - whitelistCnt := prometheus.NewGaugeVec( +func allowlistGauge() *prometheus.GaugeVec { + allowlistCnt := prometheus.NewGaugeVec( prometheus.GaugeOpts{ - Name: "blocky_whitelist_cache", - Help: "Number of entries in the whitelist cache", + Name: "blocky_allowlist_cache", + Help: "Number of entries in the allowlist cache", }, []string{"group"}, ) - return whitelistCnt + return allowlistCnt } func lastListGroupRefresh() prometheus.Gauge { diff --git a/resolver/blocking_resolver.go b/resolver/blocking_resolver.go index dc3cdab6..d9835fd2 100644 --- a/resolver/blocking_resolver.go +++ b/resolver/blocking_resolver.go @@ -79,16 +79,16 @@ type status struct { lock sync.RWMutex } -// BlockingResolver checks request's question (domain name) against black and white lists +// BlockingResolver checks request's question (domain name) against allow/denylists type BlockingResolver struct { configurable[*config.Blocking] NextResolver typed - blacklistMatcher *lists.ListCache - whitelistMatcher *lists.ListCache + denylistMatcher *lists.ListCache + allowlistMatcher *lists.ListCache blockHandler blockHandler - whitelistOnlyGroups map[string]bool + allowlistOnlyGroups map[string]bool status *status clientGroupsBlock map[string][]string redisClient *redis.Client @@ -125,11 +125,11 @@ func NewBlockingResolver(ctx context.Context, downloader := lists.NewDownloader(cfg.Loading.Downloads, bootstrap.NewHTTPTransport()) - blacklistMatcher, blErr := lists.NewListCache(ctx, lists.ListCacheTypeBlacklist, - cfg.Loading, cfg.BlackLists, downloader) - whitelistMatcher, wlErr := lists.NewListCache(ctx, lists.ListCacheTypeWhitelist, - cfg.Loading, cfg.WhiteLists, downloader) - whitelistOnlyGroups := determineWhitelistOnlyGroups(&cfg) + denylistMatcher, blErr := lists.NewListCache(ctx, lists.ListCacheTypeDenylist, + cfg.Loading, cfg.Denylists, downloader) + allowlistMatcher, wlErr := lists.NewListCache(ctx, lists.ListCacheTypeAllowlist, + cfg.Loading, cfg.Allowlists, downloader) + allowlistOnlyGroups := determineAllowlistOnlyGroups(&cfg) err = multierror.Append(err, blErr, wlErr).ErrorOrNil() if err != nil { @@ -141,9 +141,9 @@ func NewBlockingResolver(ctx context.Context, typed: withType("blocking"), blockHandler: blockHandler, - blacklistMatcher: blacklistMatcher, - whitelistMatcher: whitelistMatcher, - whitelistOnlyGroups: whitelistOnlyGroups, + denylistMatcher: denylistMatcher, + allowlistMatcher: allowlistMatcher, + allowlistOnlyGroups: allowlistOnlyGroups, status: &status{ enabled: true, enableTimer: time.NewTimer(0), @@ -198,18 +198,18 @@ func (r *BlockingResolver) redisSubscriber(ctx context.Context) { } } -// RefreshLists triggers the refresh of all black and white lists in the cache +// RefreshLists triggers the refresh of all allow/denylists in the cache func (r *BlockingResolver) RefreshLists() error { var err *multierror.Error - err = multierror.Append(err, r.blacklistMatcher.Refresh()) - err = multierror.Append(err, r.whitelistMatcher.Refresh()) + err = multierror.Append(err, r.denylistMatcher.Refresh()) + err = multierror.Append(err, r.allowlistMatcher.Refresh()) return err.ErrorOrNil() } func (r *BlockingResolver) retrieveAllBlockingGroups() []string { - result := maps.Keys(r.cfg.BlackLists) + result := maps.Keys(r.cfg.Denylists) result = append(result, "default") slices.Sort(result) @@ -217,7 +217,7 @@ func (r *BlockingResolver) retrieveAllBlockingGroups() []string { return result } -// EnableBlocking enables the blocking against the blacklists +// EnableBlocking enables the blocking against the denylists func (r *BlockingResolver) EnableBlocking(ctx context.Context) { r.internalEnableBlocking() @@ -310,13 +310,13 @@ func (r *BlockingResolver) BlockingStatus() api.BlockingStatus { } } -// returns groups, which have only whitelist entries -func determineWhitelistOnlyGroups(cfg *config.Blocking) (result map[string]bool) { - result = make(map[string]bool, len(cfg.WhiteLists)) +// returns groups, which have only allowlist entries +func determineAllowlistOnlyGroups(cfg *config.Blocking) (result map[string]bool) { + result = make(map[string]bool, len(cfg.Allowlists)) - for g, links := range cfg.WhiteLists { + for g, links := range cfg.Allowlists { if len(links) > 0 { - if _, found := cfg.BlackLists[g]; !found { + if _, found := cfg.Denylists[g]; !found { result[g] = true } } @@ -343,16 +343,16 @@ func (r *BlockingResolver) handleBlocked(logger *logrus.Entry, func (r *BlockingResolver) LogConfig(logger *logrus.Entry) { r.cfg.LogConfig(logger) - logger.Info("blacklist cache entries:") - log.WithIndent(logger, " ", r.blacklistMatcher.LogConfig) + logger.Info("denylist cache entries:") + log.WithIndent(logger, " ", r.denylistMatcher.LogConfig) - logger.Info("whitelist cache entries:") - log.WithIndent(logger, " ", r.whitelistMatcher.LogConfig) + logger.Info("allowlist cache entries:") + log.WithIndent(logger, " ", r.allowlistMatcher.LogConfig) } -func (r *BlockingResolver) hasWhiteListOnlyAllowed(groupsToCheck []string) bool { +func (r *BlockingResolver) hasAllowlistOnlyAllowed(groupsToCheck []string) bool { for _, group := range groupsToCheck { - if _, found := r.whitelistOnlyGroups[group]; found { + if _, found := r.allowlistOnlyGroups[group]; found { return true } } @@ -360,31 +360,31 @@ func (r *BlockingResolver) hasWhiteListOnlyAllowed(groupsToCheck []string) bool return false } -func (r *BlockingResolver) handleBlacklist(ctx context.Context, groupsToCheck []string, +func (r *BlockingResolver) handleDenylist(ctx context.Context, groupsToCheck []string, request *model.Request, logger *logrus.Entry, ) (bool, *model.Response, error) { logger.WithField("groupsToCheck", strings.Join(groupsToCheck, "; ")).Debug("checking groups for request") - whitelistOnlyAllowed := r.hasWhiteListOnlyAllowed(groupsToCheck) + allowlistOnlyAllowed := r.hasAllowlistOnlyAllowed(groupsToCheck) for _, question := range request.Req.Question { domain := util.ExtractDomain(question) logger := logger.WithField("domain", domain) - if groups := r.matches(groupsToCheck, r.whitelistMatcher, domain); len(groups) > 0 { - logger.WithField("groups", groups).Debugf("domain is whitelisted") + if groups := r.matches(groupsToCheck, r.allowlistMatcher, domain); len(groups) > 0 { + logger.WithField("groups", groups).Debugf("domain is allowlisted") resp, err := r.next.Resolve(ctx, request) return true, resp, err } - if whitelistOnlyAllowed { - resp, err := r.handleBlocked(logger, request, question, "BLOCKED (WHITELIST ONLY)") + if allowlistOnlyAllowed { + resp, err := r.handleBlocked(logger, request, question, "BLOCKED (ALLOWLIST ONLY)") return true, resp, err } - if groups := r.matches(groupsToCheck, r.blacklistMatcher, domain); len(groups) > 0 { + if groups := r.matches(groupsToCheck, r.denylistMatcher, domain); len(groups) > 0 { resp, err := r.handleBlocked(logger, request, question, fmt.Sprintf("BLOCKED (%s)", strings.Join(groups, ","))) return true, resp, err @@ -394,13 +394,13 @@ func (r *BlockingResolver) handleBlacklist(ctx context.Context, groupsToCheck [] return false, nil, nil } -// Resolve checks the query against the blacklist and delegates to next resolver if domain is not blocked +// Resolve checks the query against the denylist and delegates to next resolver if domain is not blocked func (r *BlockingResolver) Resolve(ctx context.Context, request *model.Request) (*model.Response, error) { ctx, logger := r.log(ctx) groupsToCheck := r.groupsToCheckForClient(request) if len(groupsToCheck) > 0 { - handled, resp, err := r.handleBlacklist(ctx, groupsToCheck, request, logger) + handled, resp, err := r.handleDenylist(ctx, groupsToCheck, request, logger) if handled { return resp, err } @@ -414,9 +414,9 @@ func (r *BlockingResolver) Resolve(ctx context.Context, request *model.Request) if len(entryToCheck) > 0 { logger := logger.WithField("response_entry", entryToCheck) - if groups := r.matches(groupsToCheck, r.whitelistMatcher, entryToCheck); len(groups) > 0 { - logger.WithField("groups", groups).Debugf("%s is whitelisted", tName) - } else if groups := r.matches(groupsToCheck, r.blacklistMatcher, entryToCheck); len(groups) > 0 { + if groups := r.matches(groupsToCheck, r.allowlistMatcher, entryToCheck); len(groups) > 0 { + logger.WithField("groups", groups).Debugf("%s is allowlisted", tName) + } else if groups := r.matches(groupsToCheck, r.denylistMatcher, entryToCheck); len(groups) > 0 { return r.handleBlocked(logger, request, request.Req.Question[0], fmt.Sprintf("BLOCKED %s (%s)", tName, strings.Join(groups, ","))) } diff --git a/resolver/blocking_resolver_test.go b/resolver/blocking_resolver_test.go index e110849e..64abc732 100644 --- a/resolver/blocking_resolver_test.go +++ b/resolver/blocking_resolver_test.go @@ -97,7 +97,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() { sutConfig = config.Blocking{ BlockType: "ZEROIP", BlockTTL: config.Duration(time.Minute), - BlackLists: map[string][]config.BytesSource{ + Denylists: map[string][]config.BytesSource{ "gr1": config.NewBytesSources(group1File.Path), "gr2": config.NewBytesSources(group2File.Path), }, @@ -125,7 +125,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() { sutConfig = config.Blocking{ BlockType: "ZEROIP", BlockTTL: config.Duration(time.Minute), - BlackLists: map[string][]config.BytesSource{ + Denylists: map[string][]config.BytesSource{ "gr1": config.NewBytesSources(group1File.Path), "gr2": config.NewBytesSources(group2File.Path), }, @@ -164,7 +164,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() { sutConfig = config.Blocking{ BlockType: "ZEROIP", BlockTTL: config.Duration(time.Minute), - BlackLists: map[string][]config.BytesSource{ + Denylists: map[string][]config.BytesSource{ "gr1": {config.TextBytesSource("/regex/")}, }, ClientGroupsBlock: map[string][]string{ @@ -176,7 +176,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() { } }) - When("Domain is on the black list", func() { + When("Domain is on the denylist", func() { It("should block request", func() { Eventually(sut.Resolve). WithContext(ctx). @@ -196,7 +196,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() { BeforeEach(func() { sutConfig = config.Blocking{ BlockTTL: config.Duration(6 * time.Hour), - BlackLists: map[string][]config.BytesSource{ + Denylists: map[string][]config.BytesSource{ "gr1": config.NewBytesSources(group1File.Path), "gr2": config.NewBytesSources(group2File.Path), "defaultGroup": config.NewBytesSources(defaultGroupFile.Path), @@ -216,7 +216,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() { }) When("client name is defined in client groups block", func() { - It("should block the A query if domain is on the black list (single)", func() { + It("should block the A query if domain is on the denylist (single)", func() { Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "1.2.1.2", "client1"))). Should( SatisfyAll( @@ -227,7 +227,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() { HaveReturnCode(dns.RcodeSuccess), )) }) - It("should block the A query if domain is on the black list (multipart 1)", func() { + It("should block the A query if domain is on the denylist (multipart 1)", func() { Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "1.2.1.2", "client2"))). Should( SatisfyAll( @@ -238,7 +238,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() { HaveReturnCode(dns.RcodeSuccess), )) }) - It("should block the A query if domain is on the black list (multipart 2)", func() { + It("should block the A query if domain is on the denylist (multipart 2)", func() { Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "1.2.1.2", "client3"))). Should( SatisfyAll( @@ -249,7 +249,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() { HaveReturnCode(dns.RcodeSuccess), )) }) - It("should block the A query if domain is on the black list (merged)", func() { + It("should block the A query if domain is on the denylist (merged)", func() { Expect(sut.Resolve(ctx, newRequestWithClient("blocked2.com.", A, "1.2.1.2", "client3"))). Should( SatisfyAll( @@ -260,7 +260,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() { HaveReturnCode(dns.RcodeSuccess), )) }) - It("should block the AAAA query if domain is on the black list", func() { + It("should block the AAAA query if domain is on the denylist", func() { Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", AAAA, "1.2.1.2", "client1"))). Should( SatisfyAll( @@ -271,18 +271,18 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() { HaveReturnCode(dns.RcodeSuccess), )) }) - It("should block the HTTPS query if domain is on the black list", func() { + It("should block the HTTPS query if domain is on the denylist", func() { Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", HTTPS, "1.2.1.2", "client1"))). Should(HaveReturnCode(dns.RcodeNameError)) }) - It("should block the MX query if domain is on the black list", func() { + It("should block the MX query if domain is on the denylist", func() { Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", MX, "1.2.1.2", "client1"))). Should(HaveReturnCode(dns.RcodeNameError)) }) }) When("Client ip is defined in client groups block", func() { - It("should block the query if domain is on the black list", func() { + It("should block the query if domain is on the denylist", func() { Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "192.168.178.55", "unknown"))). Should( SatisfyAll( @@ -295,7 +295,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() { }) }) When("Client CIDR (10.43.8.64 - 10.43.8.79) is defined in client groups block", func() { - It("should not block the query for 10.43.8.63 if domain is on the black list", func() { + It("should not block the query for 10.43.8.63 if domain is on the denylist", func() { Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "10.43.8.63", "unknown"))). Should( SatisfyAll( @@ -307,7 +307,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() { // was delegated to next resolver m.AssertExpectations(GinkgoT()) }) - It("should not block the query for 10.43.8.80 if domain is on the black list", func() { + It("should not block the query for 10.43.8.80 if domain is on the denylist", func() { Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "10.43.8.80", "unknown"))). Should( SatisfyAll( @@ -322,7 +322,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() { }) When("Client CIDR (10.43.8.64 - 10.43.8.79) is defined in client groups block", func() { - It("should block the query for 10.43.8.64 if domain is on the black list", func() { + It("should block the query for 10.43.8.64 if domain is on the denylist", func() { Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "10.43.8.64", "unknown"))). Should( SatisfyAll( @@ -333,7 +333,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() { HaveReturnCode(dns.RcodeSuccess), )) }) - It("should block the query for 10.43.8.79 if domain is on the black list", func() { + It("should block the query for 10.43.8.79 if domain is on the denylist", func() { Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "10.43.8.79", "unknown"))). Should( SatisfyAll( @@ -402,7 +402,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() { BeforeEach(func() { sutConfig = config.Blocking{ BlockTTL: config.Duration(time.Minute), - BlackLists: map[string][]config.BytesSource{ + Denylists: map[string][]config.BytesSource{ "defaultGroup": config.NewBytesSources(defaultGroupFile.Path), }, ClientGroupsBlock: map[string][]string{ @@ -428,7 +428,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() { BeforeEach(func() { sutConfig = config.Blocking{ BlockType: "ZEROIP", - BlackLists: map[string][]config.BytesSource{ + Denylists: map[string][]config.BytesSource{ "defaultGroup": config.NewBytesSources(defaultGroupFile.Path), }, ClientGroupsBlock: map[string][]string{ @@ -473,7 +473,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() { BeforeEach(func() { sutConfig = config.Blocking{ BlockTTL: config.Duration(6 * time.Hour), - BlackLists: map[string][]config.BytesSource{ + Denylists: map[string][]config.BytesSource{ "defaultGroup": config.NewBytesSources(defaultGroupFile.Path), }, ClientGroupsBlock: map[string][]string{ @@ -511,7 +511,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() { When("BlockType is custom IP only for ipv4", func() { BeforeEach(func() { sutConfig = config.Blocking{ - BlackLists: map[string][]config.BytesSource{ + Denylists: map[string][]config.BytesSource{ "defaultGroup": config.NewBytesSources(defaultGroupFile.Path), }, ClientGroupsBlock: map[string][]string{ @@ -535,13 +535,13 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() { }) }) - When("Blacklist contains IP", func() { + When("Denylist contains IP", func() { When("IP4", func() { BeforeEach(func() { // return defined IP as response mockAnswer, _ = util.NewMsgWithAnswer("example.com.", 300, A, "123.145.123.145") }) - It("should block query, if lookup result contains blacklisted IP", func() { + It("should block query, if lookup result contains denylisted IP", func() { Expect(sut.Resolve(ctx, newRequestWithClient("example.com.", A, "1.2.1.2", "unknown"))). Should( SatisfyAll( @@ -561,7 +561,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() { AAAA, "2001:0db8:85a3:08d3::0370:7344", ) }) - It("should block query, if lookup result contains blacklisted IP", func() { + It("should block query, if lookup result contains denylisted IP", func() { Expect(sut.Resolve(ctx, newRequestWithClient("example.com.", AAAA, "1.2.1.2", "unknown"))). Should( SatisfyAll( @@ -575,7 +575,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() { }) }) - When("blacklist contains domain which is CNAME in response", func() { + When("denylist contains domain which is CNAME in response", func() { BeforeEach(func() { // reconfigure mock, to return CNAMEs rr1, _ := dns.NewRR("example.com 300 IN CNAME domain.com") @@ -584,7 +584,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() { mockAnswer = new(dns.Msg) mockAnswer.Answer = []dns.RR{rr1, rr2, rr3} }) - It("should block the query, if response contains a CNAME with domain on a blacklist", func() { + It("should block the query, if response contains a CNAME with domain on a denylist", func() { Expect(sut.Resolve(ctx, newRequestWithClient("example.com.", A, "1.2.1.2", "unknown"))). Should( SatisfyAll( @@ -598,14 +598,14 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() { }) }) - Describe("Whitelisting", func() { - When("Requested domain is on black and white list", func() { + Describe("Allowlisting", func() { + When("Requested domain is on black and allowlist", func() { BeforeEach(func() { sutConfig = config.Blocking{ BlockType: "ZEROIP", BlockTTL: config.Duration(time.Minute), - BlackLists: map[string][]config.BytesSource{"gr1": config.NewBytesSources(group1File.Path)}, - WhiteLists: map[string][]config.BytesSource{"gr1": config.NewBytesSources(group1File.Path)}, + Denylists: map[string][]config.BytesSource{"gr1": config.NewBytesSources(group1File.Path)}, + Allowlists: map[string][]config.BytesSource{"gr1": config.NewBytesSources(group1File.Path)}, ClientGroupsBlock: map[string][]string{ "default": {"gr1"}, }, @@ -625,12 +625,12 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() { }) }) - When("Only whitelist is defined", func() { + When("Only allowlist is defined", func() { BeforeEach(func() { sutConfig = config.Blocking{ BlockType: "zeroIP", BlockTTL: config.Duration(60 * time.Second), - WhiteLists: map[string][]config.BytesSource{ + Allowlists: map[string][]config.BytesSource{ "gr1": config.NewBytesSources(group1File.Path), "gr2": config.NewBytesSources(group2File.Path), }, @@ -642,8 +642,8 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() { }, } }) - It("should block everything else except domains on the white list with default group", func() { - By("querying domain on the whitelist", func() { + It("should block everything else except domains on the allowlist with default group", func() { + By("querying domain on the allowlist", func() { Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "1.2.1.2", "unknown"))). Should( SatisfyAll( @@ -656,7 +656,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() { m.AssertExpectations(GinkgoT()) }) - By("querying another domain, which is not on the whitelist", func() { + By("querying another domain, which is not on the allowlist", func() { Expect(sut.Resolve(ctx, newRequestWithClient("google.com.", A, "1.2.1.2", "unknown"))). Should( SatisfyAll( @@ -664,15 +664,15 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() { HaveTTL(BeNumerically("==", 60)), HaveResponseType(ResponseTypeBLOCKED), HaveReturnCode(dns.RcodeSuccess), - HaveReason("BLOCKED (WHITELIST ONLY)"), + HaveReason("BLOCKED (ALLOWLIST ONLY)"), )) Expect(m.Calls).Should(HaveLen(1)) }) }) - It("should block everything else except domains on the white list "+ - "if multiple white list only groups are defined", func() { - By("querying domain on the whitelist", func() { + It("should block everything else except domains on the allowlist "+ + "if multiple allowlist only groups are defined", func() { + By("querying domain on the allowlist", func() { Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "1.2.1.2", "one-client"))). Should( SatisfyAll( @@ -685,7 +685,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() { m.AssertExpectations(GinkgoT()) }) - By("querying another domain, which is not on the whitelist", func() { + By("querying another domain, which is not on the allowlist", func() { Expect(sut.Resolve(ctx, newRequestWithClient("blocked2.com.", A, "1.2.1.2", "one-client"))). Should( SatisfyAll( @@ -693,14 +693,14 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() { HaveTTL(BeNumerically("==", 60)), HaveResponseType(ResponseTypeBLOCKED), HaveReturnCode(dns.RcodeSuccess), - HaveReason("BLOCKED (WHITELIST ONLY)"), + HaveReason("BLOCKED (ALLOWLIST ONLY)"), )) Expect(m.Calls).Should(HaveLen(1)) }) }) - It("should block everything else except domains on the white list "+ - "if multiple white list only groups are defined", func() { - By("querying domain on the whitelist group 1", func() { + It("should block everything else except domains on the allowlist "+ + "if multiple allowlist only groups are defined", func() { + By("querying domain on the allowlist group 1", func() { Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "1.2.1.2", "all-client"))). Should( SatisfyAll( @@ -713,7 +713,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() { m.AssertExpectations(GinkgoT()) }) - By("querying another domain, which is in the whitelist group 1", func() { + By("querying another domain, which is in the allowlist group 1", func() { Expect(sut.Resolve(ctx, newRequestWithClient("blocked2.com.", A, "1.2.1.2", "all-client"))). Should( SatisfyAll( @@ -726,20 +726,20 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() { }) }) - When("IP address is on black and white list", func() { + When("IP address is on black and allowlist", func() { BeforeEach(func() { sutConfig = config.Blocking{ BlockType: "ZEROIP", BlockTTL: config.Duration(time.Minute), - BlackLists: map[string][]config.BytesSource{"gr1": config.NewBytesSources(group1File.Path)}, - WhiteLists: map[string][]config.BytesSource{"gr1": config.NewBytesSources(defaultGroupFile.Path)}, + Denylists: map[string][]config.BytesSource{"gr1": config.NewBytesSources(group1File.Path)}, + Allowlists: map[string][]config.BytesSource{"gr1": config.NewBytesSources(defaultGroupFile.Path)}, ClientGroupsBlock: map[string][]string{ "default": {"gr1"}, }, } mockAnswer, _ = util.NewMsgWithAnswer("example.com.", 300, A, "123.145.123.145") }) - It("should not block if DNS answer contains IP from the white list", func() { + It("should not block if DNS answer contains IP from the allowlist", func() { Expect(sut.Resolve(ctx, newRequestWithClient("example.com.", A, "1.2.1.2", "unknown"))). Should( SatisfyAll( @@ -756,9 +756,9 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() { Describe("Delegate request to next resolver", func() { BeforeEach(func() { sutConfig = config.Blocking{ - BlockType: "ZEROIP", - BlockTTL: config.Duration(time.Minute), - BlackLists: map[string][]config.BytesSource{"gr1": config.NewBytesSources(group1File.Path)}, + BlockType: "ZEROIP", + BlockTTL: config.Duration(time.Minute), + Denylists: map[string][]config.BytesSource{"gr1": config.NewBytesSources(group1File.Path)}, ClientGroupsBlock: map[string][]string{ "default": {"gr1"}, }, @@ -768,7 +768,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() { // was delegated to next resolver m.AssertExpectations(GinkgoT()) }) - When("domain is not on the black list", func() { + When("domain is not on the denylist", func() { It("should delegate to next resolver", func() { Expect(sut.Resolve(ctx, newRequestWithClient("example.com.", A, "1.2.1.2", "unknown"))). Should( @@ -801,7 +801,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() { Describe("Control status via API", func() { BeforeEach(func() { sutConfig = config.Blocking{ - BlackLists: map[string][]config.BytesSource{ + Denylists: map[string][]config.BytesSource{ "defaultGroup": config.NewBytesSources(defaultGroupFile.Path), "group1": config.NewBytesSources(group1File.Path), }, @@ -1124,8 +1124,8 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() { When("strategy is failOnError", func() { It("should fail if lists can't be downloaded", func() { _, err := NewBlockingResolver(ctx, config.Blocking{ - BlackLists: map[string][]config.BytesSource{"gr1": config.NewBytesSources("wrongPath")}, - WhiteLists: map[string][]config.BytesSource{"whitelist": config.NewBytesSources("wrongPath")}, + Denylists: map[string][]config.BytesSource{"gr1": config.NewBytesSources("wrongPath")}, + Allowlists: map[string][]config.BytesSource{"allowlist": config.NewBytesSources("wrongPath")}, Loading: config.SourceLoading{ Init: config.Init{Strategy: config.InitStrategyFailOnError}, }, diff --git a/server/server_test.go b/server/server_test.go index 549f3025..fc0fde06 100644 --- a/server/server_test.go +++ b/server/server_test.go @@ -117,7 +117,7 @@ var _ = BeforeSuite(func() { }, }, Blocking: config.Blocking{ - BlackLists: map[string][]config.BytesSource{ + Denylists: map[string][]config.BytesSource{ "ads": config.NewBytesSources( doubleclickFile.Path, bildFile.Path, @@ -125,13 +125,13 @@ var _ = BeforeSuite(func() { ), "youtube": config.NewBytesSources(youtubeFile.Path), }, - WhiteLists: map[string][]config.BytesSource{ + Allowlists: map[string][]config.BytesSource{ "ads": config.NewBytesSources(heiseFile.Path), - "whitelist": config.NewBytesSources(heiseFile.Path), + "allowlist": config.NewBytesSources(heiseFile.Path), }, ClientGroupsBlock: map[string][]string{ "default": {"ads"}, - "clWhitelistOnly": {"whitelist"}, + "clAllowlistOnly": {"allowlist"}, "clAdsAndYoutube": {"ads", "youtube"}, "clYoutubeOnly": {"youtube"}, }, @@ -263,7 +263,7 @@ var _ = Describe("Running DNS server", func() { }) }) Context("no blocking default group with sub domain", func() { - It("Query with should not be blocked, sub domain is not in blacklist", func() { + It("Query with should not be blocked, sub domain is not in denylist", func() { Expect(requestServer(util.NewMsgWithQuestion("bild.de.", A))). Should( SatisfyAll( @@ -272,8 +272,8 @@ var _ = Describe("Running DNS server", func() { )) }) }) - Context("domain is on white and blacklist default group", func() { - It("Query with should not be blocked, domain is on white and blacklist", func() { + Context("domain is on allow/denylist default group", func() { + It("Query with should not be blocked, domain is on allow/denylist", func() { Expect(requestServer(util.NewMsgWithQuestion("heise.de.", A))). Should( SatisfyAll( @@ -282,9 +282,9 @@ var _ = Describe("Running DNS server", func() { )) }) }) - Context("domain is on client specific white list", func() { - It("Query with should not be blocked, domain is on client's white list", func() { - mockClientName.Store("clWhitelistOnly") + Context("domain is on client specific allowlist", func() { + It("Query with should not be blocked, domain is on client's allowlist", func() { + mockClientName.Store("clAllowlistOnly") Expect(requestServer(util.NewMsgWithQuestion("heise.de.", A))). Should( SatisfyAll( @@ -293,9 +293,9 @@ var _ = Describe("Running DNS server", func() { )) }) }) - Context("block client whitelist only", func() { - It("Query with should be blocked, client has only whitelist, domain is not on client's white list", func() { - mockClientName.Store("clWhitelistOnly") + Context("block client allowlist only", func() { + It("Query with should be blocked, client has only allowlist, domain is not on client's allowlist", func() { + mockClientName.Store("clAllowlistOnly") Expect(requestServer(util.NewMsgWithQuestion("google.de.", A))). Should( SatisfyAll(