TLS cname loadshedding ignore list (#242)

* TLS cname loadshedding ignore list
Snapchat · Dec 8, 2023 · bb7c5a4 · bb7c5a4
1 parent bb115ca
commit bb7c5a4
Show file tree

Hide file tree

Showing 6 changed files with 60 additions and 2 deletions.
diff --git a/src/config.cpp b/src/config.cpp
@@ -863,6 +863,15 @@ void loadServerConfigFromString(char *config) {
             }
             for (int i = 1; i < argc; i++)
                 g_pserver->tls_auditlog_blocklist.emplace(argv[i], strlen(argv[i]));
+        } else if (!strcasecmp(argv[0], "tls-overload-ignorelist")) {
+            if (argc < 2) {
+                err = "must supply at least one element in the ignore list"; goto loaderr;
+            }
+            if (!g_pserver->tls_overload_ignorelist.empty()) {
+                err = "tls-overload-ignorelist may only be set once"; goto loaderr;
+            }
+            for (int i = 1; i < argc; i++)
+                g_pserver->tls_overload_ignorelist.emplace(argv[i], strlen(argv[i]));
         } else if (!strcasecmp(argv[0], "overload-ignorelist")) {
             if (argc < 2) {
                 err = "must supply at least one element in the ignore list"; goto loaderr;
@@ -1004,8 +1013,8 @@ void configSetCommand(client *c) {
 
     if (c->argc < 4 || c->argc > 4) {
         o = nullptr;
-        // Variadic set is only supported for tls-allowlist, tls-auditlog-blocklist and overload-ignorelist
-        if (strcasecmp(szFromObj(c->argv[2]), "tls-allowlist") && strcasecmp(szFromObj(c->argv[2]), "tls-auditlog-blocklist") && strcasecmp(szFromObj(c->argv[2]), "overload-ignorelist")) {
+        // Variadic set is only supported for tls-allowlist, tls-auditlog-blocklist, overload-ignorelist and tls-overload-ignorelist
+        if (strcasecmp(szFromObj(c->argv[2]), "tls-allowlist") && strcasecmp(szFromObj(c->argv[2]), "tls-auditlog-blocklist") && strcasecmp(szFromObj(c->argv[2]), "overload-ignorelist") && strcasecmp(szFromObj(c->argv[2]), "tls-overload-ignorelist") ) {
             addReplySubcommandSyntaxError(c);
             return;
         }
@@ -1186,6 +1195,12 @@ void configSetCommand(client *c) {
             robj *val = c->argv[i];
             g_pserver->tls_auditlog_blocklist.emplace(szFromObj(val), sdslen(szFromObj(val)));
         }
+    } config_set_special_field("tls-overload-ignorelist") {
+        g_pserver->tls_overload_ignorelist.clear();
+        for (int i = 3; i < c->argc; ++i) {
+            robj *val = c->argv[i];
+            g_pserver->tls_overload_ignorelist.emplace(szFromObj(val), sdslen(szFromObj(val)));
+        }
     } config_set_special_field("overload-ignorelist") {
         g_pserver->overload_ignorelist.clear();
         g_pserver->overload_ignorelist_ipv6.clear();
@@ -1415,6 +1430,14 @@ void configGetCommand(client *c) {
         }
         matches++;
     }
+    if (stringmatch(pattern, "tls-overload-ignorelist", 1)) {
+        addReplyBulkCString(c,"tls-overload-ignorelist");
+        addReplyArrayLen(c, (long)g_pserver->tls_overload_ignorelist.size());
+        for (auto &elem : g_pserver->tls_overload_ignorelist) {
+            addReplyBulkCBuffer(c, elem.get(), elem.size()); // addReplyBulkSds will free which we absolutely don't want
+        }
+        matches++;
+    }
     if (stringmatch(pattern, "overload-ignorelist", 1)) {
         addReplyBulkCString(c,"overload-ignorelist");
         addReplyArrayLen(c, (long)g_pserver->overload_ignorelist.size() + (long)g_pserver->overload_ignorelist_ipv6.size());
@@ -2113,6 +2136,20 @@ int rewriteConfig(char *path, int force_all) {
         rewriteConfigMarkAsProcessed(state, "tls-allowlist"); // ensure the line is removed if it existed
     }
 
+    if (!g_pserver->tls_overload_ignorelist.empty()) {
+        sds conf = sdsnew("tls-overload-ignorelist ");
+        for (auto &elem : g_pserver->tls_overload_ignorelist) {
+            conf = sdscatsds(conf, (sds)elem.get());
+            conf = sdscat(conf, " ");
+        }
+        // trim the trailing space
+        sdsrange(conf, 0, -1);
+        rewriteConfigRewriteLine(state,"tls-overload-ignorelist",conf,1 /*force*/);
+        // note: conf is owned by rewriteConfigRewriteLine - no need to free
+    } else {
+        rewriteConfigMarkAsProcessed(state, "tls-overload-ignorelist"); // ensure the line is removed if it existed
+    }
+
     if (!g_pserver->tls_auditlog_blocklist.empty()) {
         sds conf = sdsnew("tls-auditlog-blocklist ");
         for (auto &elem : g_pserver->tls_auditlog_blocklist) {

diff --git a/src/connection.h b/src/connection.h
@@ -52,6 +52,7 @@ typedef enum {
 #define CONN_FLAG_READ_THREADSAFE        (1<<2)
 #define CONN_FLAG_WRITE_THREADSAFE       (1<<3)
 #define CONN_FLAG_AUDIT_LOGGING_REQUIRED (1<<4)
+#define CONN_FLAG_IGNORE_OVERLOAD (1<<5)
 
 #define CONN_TYPE_SOCKET            1
 #define CONN_TYPE_TLS               2

diff --git a/src/networking.cpp b/src/networking.cpp
@@ -1175,6 +1175,9 @@ int chooseBestThreadForAccept()
 }
 
 bool checkOverloadIgnorelist(connection *conn) {
+    if (conn->flags & CONN_FLAG_IGNORE_OVERLOAD) {
+        return true;
+    }
     struct sockaddr_storage sa;
     socklen_t salen = sizeof(sa);
     if (getpeername(conn->fd, (struct sockaddr *)&sa, &salen) == -1) {

diff --git a/src/server.h b/src/server.h
@@ -2731,6 +2731,7 @@ struct redisServer {
     int tls_rotation;
 
     std::set<sdsstring> tls_auditlog_blocklist; /* Certificates that can be excluded from audit logging */
+    std::set<sdsstring> tls_overload_ignorelist; /* Certificates that are be excluded load shedding */
     std::set<sdsstring> tls_allowlist;
     class IPV4 {
         struct in_addr m_ip;

diff --git a/src/tls.cpp b/src/tls.cpp
@@ -627,6 +627,18 @@ bool tlsCheckCertificateAgainstAllowlist(tls_connection* conn, std::set<sdsstrin
     return false;
 }
 
+bool tlsCertificateIgnoreLoadShedding(tls_connection* conn) {
+    const char* cn = "";
+    if (tlsCheckCertificateAgainstAllowlist(conn, g_pserver->tls_overload_ignorelist, &cn)) {
+        // Certificate is in exclusion list, no need to audit log
+        serverLog(LL_NOTICE, "Loadshedding: disabled for %s", conn->c.fprint);
+        return true;
+    } else {
+        serverLog(LL_NOTICE, "Loadshedding: enabled for %s", conn->c.fprint);
+        return false;
+    }
+}
+
 bool tlsCertificateRequiresAuditLogging(tls_connection* conn){
     const char* cn = "";
     if (tlsCheckCertificateAgainstAllowlist(conn, g_pserver->tls_auditlog_blocklist, &cn)) {
@@ -879,6 +891,9 @@ void tlsHandleEvent(tls_connection *conn, int mask) {
                     if (tlsCertificateRequiresAuditLogging(conn)){
                         conn->c.flags |= CONN_FLAG_AUDIT_LOGGING_REQUIRED;
                     }
+                    if (tlsCertificateIgnoreLoadShedding(conn)){
+                        conn->c.flags |= CONN_FLAG_IGNORE_OVERLOAD;
+                    }
                 }
             }
 

diff --git a/tests/unit/introspection.tcl b/tests/unit/introspection.tcl
@@ -172,6 +172,7 @@ start_server {tags {"introspection"}} {
             repl-backlog-disk-reserve
             tls-allowlist
             tls-auditlog-blocklist
+            tls-overload-ignorelist
             overload-ignorelist
             db-s3-object
         }