Store ASN with IP addresses ; add ability to restrict based on ASN #25030
diox wants to merge 6 commits into
| uwsgi_param X-Forwarded-For $proxy_add_x_forwarded_for; | ||
| uwsgi_param X-Forwarded-Protocol ssl; | ||
| # Asn 64496–64511 are reserved for testing etc | ||
| # uwsgi_param HTTP_Asn 64496; |
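Review bot: The comment above the commented-out "uwsgi_param HTTP_Asn 64496;" line only says the range is reserved "for testing etc"; it does not say that the line is meant to be uncommented for local testing, or what the header represents. Suggest stating that in the comment and citing RFC 5398, which reserves AS numbers 64496–64511 for documentation and sample code, so the choice of value can be checked.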
As with JA4 this can be uncommented to test locally.
eviljeff left a comment
(going to test, just submitting my comments in the meantime)
| 'details', | ||
| 'kept_forever', | ||
| 'ip_address', | ||
| 'asn', |
does iplog__asn work here? (I'm going to keep asking until we can actually make use of that new feature 😆)
I tried! Unfortunately I had to revert that, because it turns out such lookups are not allowed in fields or readonly_fields, only list_display. It raises a system check error if you try.
Documentation for fields says:
The fields option accepts the same types of values as list_display, except that callables and __ lookups for related fields aren’t accepted.
| # must take care of overriding remote addr if the action is created | ||
| # from a task. | ||
| # must take care of overriding remote addr/metadata if the action | ||
| # is created from a task. |
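Review bot: The reworded comment ("must take care of overriding remote addr/metadata if the action is created from a task") still states the obligation without saying how a caller meets it. Suggest naming the helper or context manager a task should use for the override, and which metadata fields it covers, so the requirement can be checked at each call site.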
Have we gone through everywhere an existing task might need to do this?
I'm aware it's existing functionality, but it feels fragile to put the onus on each task, when the code that actually saves the activity log may be a few methods abstracted from that task. (I don't have an immediate suggestion how to address this)
Fixes https://mozilla-hub.atlassian.net/browse/AMOENG-2549
Fixes https://mozilla-hub.atlassian.net/browse/AMOENG-2550
Description
This adds ASN data to IPLog whenever we store ip addresses (provided by Fastly through the Asn header).
This also adds a way to restrict requests and/or auto-approval from their ASN, similar to what we already have for email or IP addresses, as well as admin tools to manipulate that data.
Context
Like IP addresses and other metadata, we have to store that on the FileUpload inside request_metadata at upload, to then override whatever the current thread has when we create the final Version, in case that version is created in a task.
This then allows not only IPLog to be created with the correct value, but also the restriction stuff to use that metadata for auto-approval restrictions.
Testing
Locally, you'll have to uncomment the addons.conf.template bit to pass a hardcoded Asn header to your requests and restart nginx. From there:
Asn in IPLog together with your IP address.
store_ip = True on the activity constant class
users > Asn user restrictions) it should affect submission or auto-approval depending on what is set
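The capture-then-override flow from the Context section, as an added example that is not part of this PR or of the project's code: metadata is captured in the request thread, stored on the upload, and re-applied inside the task before the log entry and the ASN restriction check run. All names (parse_asn, override_request_metadata, handle_upload, create_version, run_in_worker, RESTRICTED_ASNS) are hypothetical, plain dicts stand in for FileUpload and IPLog, and the IP address and ASN are constructed sample values.

```python
import threading
from contextlib import contextmanager

_local = threading.local()           # per-thread request metadata (hypothetical store)
EMPTY = {"ip_address": None, "asn": None}
RESTRICTED_ASNS = {64496}            # constructed sample from the documentation range

def parse_asn(value):
    """Return the header value as an int ASN, or None if it is not a 32-bit number."""
    if isinstance(value, str) and value.isascii() and value.isdigit() and len(value) <= 10:
        asn = int(value)
        return asn if asn <= 0xFFFFFFFF else None
    return None

def get_request_metadata():
    return dict(getattr(_local, "metadata", EMPTY))

@contextmanager
def override_request_metadata(metadata):
    """Swap in stored metadata for the duration of the block, then restore."""
    previous = get_request_metadata()
    _local.metadata = dict(metadata)
    try:
        yield
    finally:
        _local.metadata = previous

def handle_upload(headers, remote_addr):
    """Request thread: record metadata on the upload (dict stands in for FileUpload)."""
    _local.metadata = {"ip_address": remote_addr, "asn": parse_asn(headers.get("Asn"))}
    return {"request_metadata": get_request_metadata()}

def create_version(upload, use_stored=True):
    """Task thread: return (log entry standing in for IPLog, auto-approval allowed)."""
    metadata = upload["request_metadata"] if use_stored else get_request_metadata()
    with override_request_metadata(metadata):
        entry = get_request_metadata()
    return entry, entry["asn"] not in RESTRICTED_ASNS

def run_in_worker(func, *args):
    """Run func in a fresh thread, which starts with no request metadata."""
    result = []
    thread = threading.Thread(target=lambda: result.append(func(*args)))
    thread.start()
    thread.join()
    return result[0]
```

Running create_version in a worker with use_stored=False shows the failure mode the override exists to prevent: the thread has no metadata, the entry is empty, and the ASN restriction never matches.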