Add on-demand IP investigation and richer IP details

2026-03-12 01:53:44 +01:00
parent 33dd9bac76
commit c5e1c4ff36
13 changed files with 1561 additions and 144 deletions
--- a/internal/investigation/service_test.go
+++ b/internal/investigation/service_test.go
@@ -0,0 +1,229 @@
+package investigation
+
+import (
+	"context"
+	"log"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"net/netip"
+	"strings"
+	"sync"
+	"testing"
+	"time"
+
+	"git.dern.ovh/infrastructure/caddy-opnsense-blocker/internal/config"
+)
+
+func TestInvestigateRecognizesBotViaPublishedRanges(t *testing.T) {
+	t.Parallel()
+
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path != "/ranges.json" {
+			http.NotFound(w, r)
+			return
+		}
+		_, _ = w.Write([]byte(`{"prefixes":[{"ipv4Prefix":"203.0.113.0/24"}]}`))
+	}))
+	defer server.Close()
+
+	svc := newService(
+		config.InvestigationConfig{Enabled: true, Timeout: config.Duration{Duration: time.Second}, UserAgent: "test-agent", SpamhausEnabled: true},
+		server.Client(),
+		&fakeResolver{},
+		log.New(testWriter{t}, "", 0),
+		[]botProvider{{
+			ID:           "google_official",
+			Name:         "Googlebot",
+			Icon:         "🤖",
+			SourceFormat: "json_prefixes",
+			CacheTTL:     time.Hour,
+			IPRangeURLs:  []string{server.URL + "/ranges.json"},
+		}},
+		map[string]string{"ipv4": server.URL + "/bootstrap-v4.json", "ipv6": server.URL + "/bootstrap-v6.json"},
+	)
+
+	investigation, err := svc.Investigate(context.Background(), "203.0.113.10", []string{"Mozilla/5.0"})
+	if err != nil {
+		t.Fatalf("investigate ip: %v", err)
+	}
+	if investigation.Bot == nil || investigation.Bot.Name != "Googlebot" {
+		t.Fatalf("expected Googlebot match, got %+v", investigation)
+	}
+	if investigation.Registration != nil || investigation.Reputation != nil {
+		t.Fatalf("expected bot investigation to stop before deep lookups, got %+v", investigation)
+	}
+}
+
+func TestInvestigateRecognizesBotViaReverseDNS(t *testing.T) {
+	t.Parallel()
+
+	resolver := &fakeResolver{
+		reverse: map[string][]string{"198.51.100.20": {"crawl.search.example.test."}},
+		forward: map[string][]net.IPAddr{"crawl.search.example.test": {{IP: net.ParseIP("198.51.100.20")}}},
+	}
+
+	svc := newService(
+		config.InvestigationConfig{Enabled: true, Timeout: config.Duration{Duration: time.Second}, UserAgent: "test-agent", SpamhausEnabled: true},
+		http.DefaultClient,
+		resolver,
+		log.New(testWriter{t}, "", 0),
+		[]botProvider{{
+			ID:                 "bing_official",
+			Name:               "Bingbot",
+			Icon:               "🤖",
+			CacheTTL:           time.Hour,
+			ReverseDNSSuffixes: []string{".search.example.test"},
+		}},
+		map[string]string{},
+	)
+
+	investigation, err := svc.Investigate(context.Background(), "198.51.100.20", nil)
+	if err != nil {
+		t.Fatalf("investigate ip: %v", err)
+	}
+	if investigation.Bot == nil || investigation.Bot.Name != "Bingbot" || investigation.ReverseDNS == nil || !investigation.ReverseDNS.ForwardConfirmed {
+		t.Fatalf("expected reverse DNS bot match, got %+v", investigation)
+	}
+}
+
+func TestInvestigateLoadsRegistrationAndSpamhausForNonBot(t *testing.T) {
+	t.Parallel()
+
+	serverURL := ""
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/bootstrap-v4.json":
+			_, _ = w.Write([]byte(`{"services":[[["198.51.100.0/24"],["` + serverURL + `/rdap/"]]]}`))
+		case "/rdap/ip/198.51.100.30":
+			_, _ = w.Write([]byte(`{
+					"handle":"NET-198-51-100-0-1",
+				"name":"Example Network",
+				"country":"FR",
+				"cidr0_cidrs":[{"v4prefix":"198.51.100.0","length":24}],
+				"entities":[{"roles":["abuse"],"vcardArray":["vcard",[["email",{},"text","abuse@example.test"],["fn",{},"text","Example ISP"]]]}]
+			}`))
+		default:
+			http.NotFound(w, r)
+		}
+	}))
+	serverURL = server.URL
+	defer server.Close()
+
+	resolver := &fakeResolver{
+		hosts: map[string][]string{spamhausQuery(t, "198.51.100.30"): {"127.0.0.2"}},
+	}
+
+	svc := newService(
+		config.InvestigationConfig{Enabled: true, Timeout: config.Duration{Duration: 2 * time.Second}, UserAgent: "test-agent", SpamhausEnabled: true},
+		server.Client(),
+		resolver,
+		log.New(testWriter{t}, "", 0),
+		nil,
+		map[string]string{"ipv4": server.URL + "/bootstrap-v4.json", "ipv6": server.URL + "/bootstrap-v6.json"},
+	)
+
+	investigation, err := svc.Investigate(context.Background(), "198.51.100.30", []string{"curl/8.0"})
+	if err != nil {
+		t.Fatalf("investigate ip: %v", err)
+	}
+	if investigation.Bot != nil {
+		t.Fatalf("expected no bot match, got %+v", investigation.Bot)
+	}
+	if investigation.Registration == nil || investigation.Registration.Organization != "Example ISP" || investigation.Registration.Prefix != "198.51.100.0/24" {
+		t.Fatalf("unexpected registration info: %+v", investigation.Registration)
+	}
+	if investigation.Reputation == nil || !investigation.Reputation.SpamhausListed {
+		t.Fatalf("expected spamhaus listing, got %+v", investigation.Reputation)
+	}
+}
+
+func TestPublishedNetworksAreCached(t *testing.T) {
+	t.Parallel()
+
+	var mu sync.Mutex
+	requestCount := 0
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		mu.Lock()
+		requestCount++
+		mu.Unlock()
+		_, _ = w.Write([]byte(`{"prefixes":[{"ipv4Prefix":"203.0.113.0/24"}]}`))
+	}))
+	defer server.Close()
+
+	svc := newService(
+		config.InvestigationConfig{Enabled: true, Timeout: config.Duration{Duration: time.Second}, UserAgent: "test-agent", SpamhausEnabled: true},
+		server.Client(),
+		&fakeResolver{},
+		log.New(testWriter{t}, "", 0),
+		[]botProvider{{
+			ID:           "provider",
+			Name:         "Provider bot",
+			Icon:         "🤖",
+			SourceFormat: "json_prefixes",
+			CacheTTL:     time.Hour,
+			IPRangeURLs:  []string{server.URL},
+		}},
+		map[string]string{},
+	)
+
+	for index := 0; index < 2; index++ {
+		if _, err := svc.Investigate(context.Background(), "203.0.113.10", nil); err != nil {
+			t.Fatalf("investigate ip #%d: %v", index, err)
+		}
+	}
+
+	mu.Lock()
+	defer mu.Unlock()
+	if requestCount != 1 {
+		t.Fatalf("expected exactly one published-range request, got %d", requestCount)
+	}
+}
+
+type fakeResolver struct {
+	reverse map[string][]string
+	forward map[string][]net.IPAddr
+	hosts   map[string][]string
+}
+
+func (r *fakeResolver) LookupAddr(_ context.Context, addr string) ([]string, error) {
+	if values, ok := r.reverse[addr]; ok {
+		return values, nil
+	}
+	return nil, &net.DNSError{IsNotFound: true}
+}
+
+func (r *fakeResolver) LookupIPAddr(_ context.Context, host string) ([]net.IPAddr, error) {
+	if values, ok := r.forward[host]; ok {
+		return values, nil
+	}
+	return nil, &net.DNSError{IsNotFound: true}
+}
+
+func (r *fakeResolver) LookupHost(_ context.Context, host string) ([]string, error) {
+	if values, ok := r.hosts[host]; ok {
+		return values, nil
+	}
+	return nil, &net.DNSError{IsNotFound: true}
+}
+
+type testWriter struct{ t *testing.T }
+
+func (w testWriter) Write(payload []byte) (int, error) {
+	w.t.Helper()
+	w.t.Log(strings.TrimSpace(string(payload)))
+	return len(payload), nil
+}
+
+func spamhausQuery(t *testing.T, ip string) string {
+	t.Helper()
+	addr, err := netip.ParseAddr(ip)
+	if err != nil {
+		t.Fatalf("parse ip: %v", err)
+	}
+	query, err := spamhausLookupName(addr)
+	if err != nil {
+		t.Fatalf("build spamhaus query: %v", err)
+	}
+	return query
+}