implement persistent Ignore/Deny list with Names and PGP ID

Author: jolavillette

src/pqi/authssl.cc

@@ -1426,7 +1426,7 @@ int AuthSSLimpl::VerifyX509Callback(int /*preverify_ok*/, X509_STORE_CTX* ctx)
 
 		RsInfo() << __PRETTY_FUNCTION__ << " " << errMsg << std::endl;
 
-		if(rsEvents)
+		if(rsEvents && !isNotifyDenied(pgpId))
 		{
 			ev->mSslId = sslId;
 			ev->mSslCn = sslCn;
@@ -1467,7 +1467,7 @@ int AuthSSLimpl::VerifyX509Callback(int /*preverify_ok*/, X509_STORE_CTX* ctx)
 
 		Dbg1() << __PRETTY_FUNCTION__ << " " << errMsg << std::endl;
 
-		if(rsEvents)
+		if(rsEvents && !isNotifyDenied(pgpId))
 		{
 			ev->mSslId = sslId;
 			ev->mSslCn = sslCn;
@@ -1874,6 +1874,18 @@ bool AuthSSLimpl::saveList(bool& cleanup, std::list<RsItem*>& lst)
         }
         lst.push_back(vitem);
 
+        /* Save Deny List */
+        if (!mDenyList.empty()) {
+            RsConfigKeyValueSet* denyItem = new RsConfigKeyValueSet;
+            for (const auto& pair : mDenyList) {
+                RsTlvKeyValue kv;
+                kv.key = pair.first.toStdString();
+                kv.value = "DENY:" + pair.second;
+                denyItem->tlvkvs.pairs.push_back(kv);
+            }
+            lst.push_back(denyItem);
+        }
+
         return true ;
 }
 
@@ -1903,6 +1915,11 @@ bool AuthSSLimpl::loadList(std::list<RsItem*>& load)
                                         continue;
                                 }
 
+                                if (kit->value.compare(0, 5, "DENY:") == 0) {
+                                    mDenyList[RsPgpId(kit->key)] = kit->value.substr(5);
+                                    continue;
+                                }
+
                                 X509 *peer = loadX509FromPEM(kit->value);
                                 /* authenticate it */
                                 uint32_t diagnos ;
@@ -1918,6 +1935,32 @@ bool AuthSSLimpl::loadList(std::list<RsItem*>& load)
         return true;
 }
 
+void AuthSSLimpl::addNotifyDeny(const RsPgpId& pgpId, const std::string& name)
+{
+	RsStackMutex stack(sslMtx);
+	mDenyList[pgpId] = name;
+	IndicateConfigChanged();
+}
+
+void AuthSSLimpl::removeNotifyDeny(const RsPgpId& pgpId)
+{
+	RsStackMutex stack(sslMtx);
+	mDenyList.erase(pgpId);
+	IndicateConfigChanged();
+}
+
+bool AuthSSLimpl::isNotifyDenied(const RsPgpId& pgpId)
+{
+	RsStackMutex stack(sslMtx);
+	return mDenyList.find(pgpId) != mDenyList.end();
+}
+
+void AuthSSLimpl::getNotifyDenyList(std::map<RsPgpId, std::string>& ids)
+{
+	RsStackMutex stack(sslMtx);
+	ids = mDenyList;
+}
+
 const EVP_PKEY*RsX509Cert::getPubKey(const X509& x509)
 {
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)

src/pqi/authssl.h

@@ -112,6 +112,11 @@ class AuthSSL
 
 	virtual X509* SignX509ReqWithGPG(X509_REQ* req, long days) = 0;
 
+	virtual void addNotifyDeny(const RsPgpId& pgpId, const std::string& name) = 0;
+	virtual void removeNotifyDeny(const RsPgpId& pgpId) = 0;
+	virtual bool isNotifyDenied(const RsPgpId& pgpId) = 0;
+	virtual void getNotifyDenyList(std::map<RsPgpId, std::string>& ids) = 0;
+
 	/**
 	 * @brief Verify PGP signature correcteness on given X509 certificate
 	 * Beware this doesn't check if the PGP signer is friend or not, just if the
@@ -207,6 +212,11 @@ class AuthSSLimpl : public AuthSSL, public p3Config
 	bool decrypt(void *&out, int &outlen, const void *in, int inlen) override;
 
 	virtual X509* SignX509ReqWithGPG(X509_REQ *req, long days) override;
+	
+	void addNotifyDeny(const RsPgpId& pgpId, const std::string& name) override;
+	void removeNotifyDeny(const RsPgpId& pgpId) override;
+	bool isNotifyDenied(const RsPgpId& pgpId) override;
+	void getNotifyDenyList(std::map<RsPgpId, std::string>& ids) override;
 
 	/// @see AuthSSL
 	bool AuthX509WithGPG(X509 *x509, bool verbose, uint32_t& auth_diagnostic) override;
@@ -265,4 +275,6 @@ class AuthSSLimpl : public AuthSSL, public p3Config
 	RsPgpId _last_gpgid_to_connect;
 	std::string _last_sslcn_to_connect;
 	RsPeerId _last_sslid_to_connect;
+
+	std::map<RsPgpId, std::string> mDenyList;
 };