from pathlib import Path import copy import re import sqlite3 from flask import Blueprint, request, redirect, flash, send_file, jsonify import auth import config_utils import sanitize import mod_validation as validate DNS_LOG_FILE = Path(config_utils.BLOCKLISTS_DIR) / '.log' _PAGE = Path(__file__).parent.name bp = Blueprint(_PAGE, __name__) def _row_index(): try: return int(request.form.get('row_index', '')) except (ValueError, TypeError): return None def _hash_ok(): if not config_utils.verify_config_hash(request.form.get('config_hash', '')): flash('Configuration was modified by another session. Please refresh and try again.', 'error') return False return True def _save_as_from_name(name, ext): slug = re.sub(r'[^a-z0-9_-]', '_', name.lower()).strip('_') return f'{slug}.{ext}' def _write_local_file(save_as, lines): """Write domain list to blocklists dir. Returns error string or None.""" try: bl_path = Path(config_utils.BLOCKLISTS_DIR) / save_as bl_path.parent.mkdir(parents=True, exist_ok=True) bl_path.write_text('\n'.join(lines)) except Exception as ex: return str(ex) return None def _parse_fields(): bl_type = sanitize.filtervalue(request.form.get('bl_type', ''), {'community', 'local'}) name = sanitize.name(request.form.get('name', '')) description = sanitize.description(request.form.get('description', '')) if not name: flash('The configuration has not been saved because a name is required.', 'error') return None, True if not bl_type: flash('The configuration has not been saved because a type is required.', 'error') return None, True if bl_type == 'local': raw = request.form.get('local_entries', '') local_lines = [ln.strip() for ln in raw.splitlines() if ln.strip()] return {'name': name, 'description': description, 'bl_type': 'local', 'local_lines': local_lines}, None url = sanitize.url(request.form.get('url', '')) if not url: flash('The configuration has not been saved because a URL is required.', 'error') return None, True return {'name': name, 'description': description, 'bl_type': 'community', 'url': url}, None @bp.route('/api/dnsblocking/search', methods=['GET']) @auth.require_level('viewer') def api_blocklist_search(): term = request.args.get('term', '').strip() match = request.args.get('match', 'partial') blocklist = request.args.get('blocklist', '').strip() try: limit = max(1, min(5000, int(request.args.get('limit', 500)))) except (ValueError, TypeError): limit = 500 if not term: return jsonify({'results': [], 'count': 0, 'truncated': False}) if match not in ('exact', 'starts_with', 'ends_with', 'partial'): match = 'partial' escaped = term.replace('\\', '\\\\').replace('%', '\\%').replace('_', '\\_') if match == 'exact': sql_where = 'WHERE d.domain = ?' param = term elif match == 'starts_with': sql_where = "WHERE d.domain LIKE ? ESCAPE '\\'" param = escaped + '%' elif match == 'ends_with': sql_where = "WHERE d.domain LIKE ? ESCAPE '\\'" param = '%' + escaped else: sql_where = "WHERE d.domain LIKE ? ESCAPE '\\'" param = '%' + escaped + '%' db_path = str(Path(config_utils.BLOCKLISTS_DIR) / 'domains.db') try: con = sqlite3.connect(db_path) bl_filter = "AND b.name = ?" if blocklist else "" sql_params = (param, blocklist) if blocklist else (param,) rows = con.execute(f""" SELECT d.domain, GROUP_CONCAT(b.name, '|') FROM domains d JOIN blocklists b ON b.id = d.blocklist_id {sql_where} {bl_filter} GROUP BY d.domain ORDER BY d.domain LIMIT ? """, sql_params + (limit + 1,)).fetchall() capped_rows = rows[:limit] domain_list = [r[0] for r in capped_rows] phs = ','.join('?' * len(domain_list)) overridden = set( r[0] for r in con.execute( f"SELECT domain FROM overrides WHERE domain IN ({phs})", domain_list ).fetchall() ) if domain_list else set() con.close() except Exception: return jsonify({'error': 'Database unavailable. Run merge-blocklists first.'}) cfg = config_utils.load_config() bl_vlans = {} for vlan in cfg.get('vlans', []): for bl_name in vlan.get('use_blocklists', []): bl_vlans.setdefault(bl_name, []).append(vlan['name']) truncated = len(rows) > limit results = [] for domain, bl_str in capped_rows: bl_names = bl_str.split('|') if bl_str else [] vlans = [] for bl in bl_names: for v in bl_vlans.get(bl, []): if v not in vlans: vlans.append(v) results.append({'domain': domain, 'blocklists': bl_names, 'vlans': vlans, 'overridden': domain in overridden}) return jsonify({'results': results, 'count': len(results), 'truncated': truncated}) @bp.route('/api/dnsblocking/override', methods=['POST']) @auth.require_level('administrator') def api_blocklist_override(): data = request.get_json(silent=True) or {} domain = str(data.get('domain', '')).strip().lower() allow = bool(data.get('allow', False)) if not domain: return jsonify({'error': 'domain required'}) db_path = str(Path(config_utils.BLOCKLISTS_DIR) / 'domains.db') try: con = sqlite3.connect(db_path) if allow: con.execute("INSERT OR IGNORE INTO overrides (domain) VALUES (?)", (domain,)) else: con.execute("DELETE FROM overrides WHERE domain = ?", (domain,)) con.commit() con.close() except Exception as e: return jsonify({'error': str(e)}) config_utils.queue_command('merge blocklists') return jsonify({'ok': True}) @bp.route('/action/dnsblocking/blocklists_delete', methods=['POST']) @auth.require_level('administrator') def blocklists_delete(): idx = _row_index() if idx is None: flash('Invalid request.', 'error') return redirect(f'/{_PAGE}') if not _hash_ok(): return redirect(f'/{_PAGE}') cfg = config_utils.load_config() items = cfg.get('dns_blocking', {}).get('blocklists', []) if idx < 0 or idx >= len(items): flash('Entry not found.', 'error') return redirect(f'/{_PAGE}') before = copy.deepcopy(items[idx]) name = before.get('name', str(idx)) items.pop(idx) for vlan in cfg.get('vlans', []): current = set(vlan.get('use_blocklists', [])) if name in current: current.discard(name) vlan['use_blocklists'] = sorted(current) errors = validate.validate_config(cfg) if errors: for msg in errors: flash(msg, 'error') return redirect(f'/{_PAGE}') changes = config_utils.diff_fields(before, None) flash(config_utils.record_group(cfg, 'dns_blocking.blocklists', 'name', name, changes, 'merge blocklists'), 'success') return redirect(f'/{_PAGE}') @bp.route('/action/dnsblocking/blocklists_edit', methods=['POST']) @auth.require_level('administrator') def blocklists_edit(): idx = _row_index() if idx is None: flash('Invalid request.', 'error') return redirect(f'/{_PAGE}') fields, err = _parse_fields() if err: return redirect(f'/{_PAGE}') if not _hash_ok(): return redirect(f'/{_PAGE}') cfg = config_utils.load_config() items = cfg.get('dns_blocking', {}).get('blocklists', []) if idx < 0 or idx >= len(items): flash('Entry not found.', 'error') return redirect(f'/{_PAGE}') before = copy.deepcopy(items[idx]) err = validate.check_blocklist_name_unique(items, fields['name'], exclude_idx=idx) if err: flash(err, 'error') return redirect(f'/{_PAGE}') if fields['bl_type'] == 'local': save_as = items[idx].get('save_as') or _save_as_from_name(fields['name'], 'txt') write_err = _write_local_file(save_as, fields['local_lines']) if write_err: flash(f'Could not save local blocklist file: {write_err}', 'error') return redirect(f'/{_PAGE}') items[idx].update({ 'name': fields['name'], 'description': fields['description'], 'bl_type': 'local', 'save_as': save_as, }) items[idx].pop('format', None) items[idx].pop('url', None) else: items[idx].update({ 'name': fields['name'], 'description': fields['description'], 'bl_type': 'community', 'url': fields['url'], }) if not items[idx].get('save_as'): items[idx]['save_as'] = _save_as_from_name(fields['name'], 'conf') items[idx].pop('local_lines', None) old_name = before.get('name', '') used_by_vlans = set(request.form.getlist('used_by_vlans')) for vlan in cfg.get('vlans', []): vlan_name = vlan.get('name', '') current = set(vlan.get('use_blocklists', [])) if old_name and old_name != fields['name']: current.discard(old_name) if vlan_name in used_by_vlans: current.add(fields['name']) else: current.discard(fields['name']) vlan['use_blocklists'] = sorted(current) errors = validate.validate_config(cfg) if errors: for msg in errors: flash(msg, 'error') return redirect(f'/{_PAGE}') changes = config_utils.diff_fields(before, items[idx]) flash(config_utils.record_group(cfg, 'dns_blocking.blocklists', 'name', fields['name'], changes, 'merge blocklists'), 'success') return redirect(f'/{_PAGE}') @bp.route('/action/dnsblocking/addblocklist_add', methods=['POST']) @auth.require_level('administrator') def addblocklist_add(): fields, err = _parse_fields() if err: return redirect(f'/{_PAGE}') if not _hash_ok(): return redirect(f'/{_PAGE}') cfg = config_utils.load_config() blocklists = cfg.setdefault('dns_blocking', {}).setdefault('blocklists', []) err = validate.check_blocklist_name_unique(blocklists, fields['name']) if err: flash(err, 'error') return redirect(f'/{_PAGE}') if fields['bl_type'] == 'local': save_as = _save_as_from_name(fields['name'], 'txt') write_err = _write_local_file(save_as, fields['local_lines']) if write_err: flash(f'Could not save local blocklist file: {write_err}', 'error') return redirect(f'/{_PAGE}') entry = { 'name': fields['name'], 'description': fields['description'], 'bl_type': 'local', 'save_as': save_as, } else: entry = { 'name': fields['name'], 'description': fields['description'], 'bl_type': 'community', 'url': fields['url'], 'save_as': _save_as_from_name(fields['name'], 'conf'), } blocklists.append(entry) used_by_vlans = set(request.form.getlist('used_by_vlans')) for vlan in cfg.get('vlans', []): vlan_name = vlan.get('name', '') current = set(vlan.get('use_blocklists', [])) if vlan_name in used_by_vlans: current.add(fields['name']) else: current.discard(fields['name']) vlan['use_blocklists'] = sorted(current) errors = validate.validate_config(cfg) if errors: for msg in errors: flash(msg, 'error') return redirect(f'/{_PAGE}') changes = config_utils.diff_fields(None, entry) flash(config_utils.record_group(cfg, 'dns_blocking.blocklists', 'name', fields['name'], changes, 'merge blocklists'), 'success') return redirect(f'/{_PAGE}') @bp.route('/action/dnsblocking/blocklistrefresh_save', methods=['POST']) @auth.require_level('administrator') def blocklistrefresh_save(): daily_execute_time = validate.time_24h(sanitize.time_24h(request.form.get('daily_execute_time_24hr_local', ''))) if not daily_execute_time: flash('Daily Refresh Time must be a valid 24-hour time (e.g. 02:30).', 'error') return redirect(f'/{_PAGE}') if not config_utils.verify_config_hash(request.form.get('config_hash', '')): flash('Configuration was modified by another session. Please refresh and try again.', 'error') return redirect(f'/{_PAGE}') cfg = config_utils.load_config() before = copy.deepcopy(cfg.get('dns_blocking', {}).get('general', {})) cfg.setdefault('dns_blocking', {}).setdefault('general', {})['daily_execute_time_24hr_local'] = daily_execute_time changes = config_utils.diff_fields(before, cfg['dns_blocking']['general']) flash(config_utils.record_group(cfg, 'dns_blocking.general', None, None, changes, 'core apply'), 'success') return redirect(f'/{_PAGE}') @bp.route('/action/dnsblocking/blocklistrefresh_refresh', methods=['POST']) @auth.require_level('administrator') def blocklistrefresh_refresh(): config_utils.queue_command('download blocklists') config_utils.queue_command('merge blocklists') flash('Blocklist download and merge queued.', 'success') return redirect(f'/{_PAGE}') @bp.route('/action/dnsblocking/logging_save', methods=['POST']) @auth.require_level('administrator') def logging_save(): log_max_kb_raw = request.form.get('log_max_kb', '').strip() log_errors_only = 'log_errors_only' in request.form log_max_kb = validate.int_range(log_max_kb_raw, 64, None) if log_max_kb is None: flash('Max Log Size must be a number >= 64.', 'error') return redirect(f'/{_PAGE}') if not config_utils.verify_config_hash(request.form.get('config_hash', '')): flash('Configuration was modified by another session. Please refresh and try again.', 'error') return redirect(f'/{_PAGE}') cfg = config_utils.load_config() before = copy.deepcopy(cfg.get('dns_blocking', {}).get('general', {})) cfg.setdefault('dns_blocking', {}).setdefault('general', {}).update({ 'log_max_kb': log_max_kb, 'log_errors_only': log_errors_only, }) errors = validate.validate_config(cfg) if errors: for msg in errors: flash(msg, 'error') return redirect(f'/{_PAGE}') changes = config_utils.diff_fields(before, cfg['dns_blocking']['general']) flash(config_utils.record_group(cfg, 'dns_blocking.general', None, None, changes, 'core apply', queue=False), 'success') return redirect(f'/{_PAGE}') @bp.route('/action/dnsblocking/logging_clear', methods=['POST']) @auth.require_level('administrator') def logging_clear(): try: DNS_LOG_FILE.write_text('') flash('DNS blocking log cleared.', 'success') except Exception as ex: flash(f'Could not clear log: {ex}', 'error') return redirect(f'/{_PAGE}') @bp.route('/action/dnsblocking/logging_download', methods=['GET']) @auth.require_level('administrator') def logging_download(): if not DNS_LOG_FILE.is_file(): flash('Log file not found.', 'error') return redirect(f'/{_PAGE}') return send_file(DNS_LOG_FILE, as_attachment=True, download_name='blocklists.log', mimetype='text/plain')