
ACL profiles - when tags at "deny bot" and "deny" columns, the evaluation flow is not as described at manual

Open olgasobolevsky opened this issue 4 years ago • 7 comments

Describe the bug

https://docs.curiefense.io/settings/policies-rules/acl-profiles

As described in the manual, the evaluation flow is: "Evaluation is performed from left to right: The incoming request is evaluated to see if it matches any of the tags in the far left column. If a match is found, that column's action is performed, and no further evaluation is done."

[screenshot: acl evaluation flow]

When we have a tag match for the "deny bot" column and a tag match for the "deny" column, "deny bot" is on the left side of "deny", so we expect the challenge to be activated. Actual result: no challenge, "deny" by the tag that matches the "deny" column.

To Reproduce

Steps to reproduce the behavior:

  1. Go to ACL Profiles -> create a profile with: "deny bot" match: all, "deny" match: tag2
     [screenshot: acl with 2 tags]

  2. Send a request with curl that matches both tags.

  3. Actual result: no challenge, request blocked by tag2
     [screenshot: kibana log]

Expected behavior

Challenge, blocked by "deny bot" tag: all.
[screenshot: deny bot manual]

Desktop (please complete the following information):

  • OS: macOS
  • Browser: Chrome

Additional context

nginx deployment

olgasobolevsky avatar Feb 20 '22 11:02 olgasobolevsky

The blocking logic should have been sound, but the logging was wrong. PR #726 should fix this.

bartavelle avatar Feb 21 '22 14:02 bartavelle

@bartavelle Now the logging shows block reason: tag "all", although the request is tagged "human" and blocked by "tag2".

[screenshot: proxy log acl]

I expected: block reason: tag "all" when the request is "bot"; block reason: tag "tag2" when the request is "human".

olgasobolevsky avatar Mar 01 '22 14:03 olgasobolevsky

PR written :)

bartavelle avatar Mar 01 '22 18:03 bartavelle

@bartavelle When I send 2 requests with curl (bot): the first request with tag "all" and the second request with tags "all" and "tag2". Both requests can't pass the challenge and are blocked by tag "all". But the log shows a different status, block reason, and block reason initiator.

[screenshot: kibana log block reason initiator]

First request: [screenshot: kibana log challenge block]

Second request: [screenshot: kibana log acl block]

I expected the same status (247), the same reason initiator (phase01), and the same block reason (challenge). Why the difference?

olgasobolevsky avatar Mar 08 '22 07:03 olgasobolevsky

One of them could pass the challenge, because humans are allowed, so the challenge is proposed. The other can't pass even if human, so it is denied.

bartavelle avatar Mar 08 '22 15:03 bartavelle
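To make the disagreement in this thread concrete, here is a small model (added for this write-up, not curiefense code) of the two evaluation orders: the manual's left-to-right, first-match-wins rule from the issue description, and the behaviour the reporter observed and the maintainer explains above. Only the "deny bot" and "deny" columns are modelled, with the tag sets from the reproduction steps; the `evaluate_observed` reading of the thread is an assumption.

```python
# Added example, not curiefense code: model the ACL column evaluation
# discussed in this issue. Only "deny bot" and "deny" are modelled.
from typing import Dict, List, Set

# Columns in left-to-right order as the manual describes them; "deny bot"
# sits left of "deny". Each column lists the tags it matches on, using the
# profile from the reproduction steps ("all" is a tag every request gets).
ACL_PROFILE: Dict[str, Set[str]] = {
    "deny bot": {"all"},
    "deny": {"tag2"},
}
COLUMN_ORDER: List[str] = ["deny bot", "deny"]

# What a matching column does: "deny bot" proposes a challenge that a
# human can pass, while "deny" blocks the request outright.
COLUMN_ACTION: Dict[str, str] = {"deny bot": "challenge", "deny": "deny"}


def evaluate_documented(request_tags: Set[str]) -> str:
    """Manual's rule: the first matching column, left to right, wins."""
    for column in COLUMN_ORDER:
        if ACL_PROFILE[column] & request_tags:
            return COLUMN_ACTION[column]
    return "pass"


def evaluate_observed(request_tags: Set[str]) -> str:
    """Behaviour reported in the thread (assumption, my reading of the
    maintainer's reply): a "deny" match blocks even when "deny bot" also
    matches, because the request could not pass even as a human; the
    challenge is only proposed when "deny bot" is the only match."""
    if ACL_PROFILE["deny"] & request_tags:
        return "deny"
    if ACL_PROFILE["deny bot"] & request_tags:
        return "challenge"
    return "pass"


def compare(request_tags: Set[str]) -> Dict[str, str]:
    """Return both verdicts so the divergence is visible side by side."""
    return {
        "documented": evaluate_documented(request_tags),
        "observed": evaluate_observed(request_tags),
    }


if __name__ == "__main__":
    # Constructed tag sets mirroring the two curl requests in the thread.
    for tags in ({"all"}, {"all", "tag2"}):
        print(sorted(tags), compare(tags))
```

The second request is where the two orders disagree: the documented rule yields a challenge, the observed one a deny, which is exactly the difference in status and block reason the reporter sees in the logs.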

This needs to be discussed!

bartavelle avatar Mar 21 '22 17:03 bartavelle

Another observation: According to the issue https://github.com/curiefense/curiefense/issues/525, ACL Policies check both Deny Bot and Allow Bot even when the ACL is not active in its respective URL Map. In the case above, the challenge (Deny Bot) isn't proposed when the ACL is not active.

olgasobolevsky avatar Mar 23 '22 07:03 olgasobolevsky