plugin/view: Advanced routing interface and new 'view' plugin (#5538)

* introduce new interface "dnsserver.Viewer", that allows a plugin implementing it to decide if a query should be routed into its server block. * add new plugin "view", that uses the new interface to enable a user to define expression based conditions that must be met for a query to be routed to its server block. Signed-off-by: Chris O'Haver <cohaver@infoblox.com>
2025-10-27 08:14:18 -04:00 · 2022-09-08 14:56:27 -04:00
parent 1f0a41a665
commit b56b080a7c
36 changed files with 880 additions and 114 deletions
--- a/core/dnsserver/address.go
+++ b/core/dnsserver/address.go
@@ -49,11 +49,23 @@ func newOverlapZone() *zoneOverlap {
 // registerAndCheck adds a new zoneAddr for validation, it returns information about existing or overlapping with already registered
 // we consider that an unbound address is overlapping all bound addresses for same zone, same port
 func (zo *zoneOverlap) registerAndCheck(z zoneAddr) (existingZone *zoneAddr, overlappingZone *zoneAddr) {
+	existingZone, overlappingZone = zo.check(z)
+	if existingZone != nil || overlappingZone != nil {
+		return existingZone, overlappingZone
+	}
+	// there is no overlap, keep the current zoneAddr for future checks
+	zo.registeredAddr[z] = z
+	zo.unboundOverlap[z.unbound()] = z
+	return nil, nil
+}
+
+// check validates a zoneAddr for overlap without registering it
+func (zo *zoneOverlap) check(z zoneAddr) (existingZone *zoneAddr, overlappingZone *zoneAddr) {
 	if exist, ok := zo.registeredAddr[z]; ok {
 		// exact same zone already registered
 		return &exist, nil
 	}
-	uz := zoneAddr{Zone: z.Zone, Address: "", Port: z.Port, Transport: z.Transport}
+	uz := z.unbound()
 	if already, ok := zo.unboundOverlap[uz]; ok {
 		if z.Address == "" {
 			// current is not bound to an address, but there is already another zone with a bind address registered
@@ -64,8 +76,11 @@ func (zo *zoneOverlap) registerAndCheck(z zoneAddr) (existingZone *zoneAddr, ove
 			return nil, &uz
 		}
 	}
-	// there is no overlap, keep the current zoneAddr for future checks
-	zo.registeredAddr[z] = z
-	zo.unboundOverlap[uz] = z
+	// there is no overlap
 	return nil, nil
 }
+
+// unbound returns an unbound version of the zoneAddr
+func (z zoneAddr) unbound() zoneAddr {
+	return zoneAddr{Zone: z.Zone, Address: "", Port: z.Port, Transport: z.Transport}
+}
--- a/core/dnsserver/config.go
+++ b/core/dnsserver/config.go
@@ -1,12 +1,14 @@
 package dnsserver

 import (
+	"context"
 	"crypto/tls"
 	"fmt"
 	"net/http"

 	"github.com/coredns/caddy"
 	"github.com/coredns/coredns/plugin"
+	"github.com/coredns/coredns/request"
 )

 // Config configuration for a single server.
@@ -40,6 +42,14 @@ type Config struct {
 	// may depend on it.
 	HTTPRequestValidateFunc func(*http.Request) bool

+	// FilterFuncs is used to further filter access
+	// to this handler. E.g. to limit access to a reverse zone
+	// on a non-octet boundary, i.e. /17
+	FilterFuncs []FilterFunc
+
+	// ViewName is the name of the Viewer PLugin defined in the Config
+	ViewName string
+
 	// TLSConfig when listening for encrypted connections (gRPC, DNS-over-TLS).
 	TLSConfig *tls.Config

@@ -60,8 +70,14 @@ type Config struct {
 	// firstConfigInBlock is used to reference the first config in a server block, for the
 	// purpose of sharing single instance of each plugin among all zones in a server block.
 	firstConfigInBlock *Config
+
+	// metaCollector references the first MetadataCollector plugin, if one exists
+	metaCollector MetadataCollector
 }

+// FilterFunc is a function that filters requests from the Config
+type FilterFunc func(context.Context, *request.Request) bool
+
 // keyForConfig builds a key for identifying the configs during setup time
 func keyForConfig(blocIndex int, blocKeyIndex int) string {
 	return fmt.Sprintf("%d:%d", blocIndex, blocKeyIndex)
--- a/core/dnsserver/onstartup.go
+++ b/core/dnsserver/onstartup.go
@@ -21,7 +21,7 @@ func checkZoneSyntax(zone string) bool {
 // startUpZones creates the text that we show when starting up:
 // grpc://example.com.:1055
 // example.com.:1053 on 127.0.0.1
-func startUpZones(protocol, addr string, zones map[string]*Config) string {
+func startUpZones(protocol, addr string, zones map[string][]*Config) string {
 	s := ""

 	keys := make([]string, len(zones))
--- a/core/dnsserver/register.go
+++ b/core/dnsserver/register.go
@@ -138,13 +138,6 @@ func (h *dnsContext) InspectServerBlocks(sourceFile string, serverBlocks []caddy

 // MakeServers uses the newly-created siteConfigs to create and return a list of server instances.
 func (h *dnsContext) MakeServers() ([]caddy.Server, error) {
-	// Now that all Keys and Directives are parsed and initialized
-	// lets verify that there is no overlap on the zones and addresses to listen for
-	errValid := h.validateZonesAndListeningAddresses()
-	if errValid != nil {
-		return nil, errValid
-	}
-
 	// Copy the Plugin, ListenHosts and Debug from first config in the block
 	// to all other config in the same block . Doing this results in zones
 	// sharing the same plugin instances and settings as other zones in
@@ -198,6 +191,27 @@ func (h *dnsContext) MakeServers() ([]caddy.Server, error) {
 		}
 	}

+	// For each server config, check for View Filter plugins
+	for _, c := range h.configs {
+		// Add filters in the plugin.cfg order for consistent filter func evaluation order.
+		for _, d := range Directives {
+			if vf, ok := c.registry[d].(Viewer); ok {
+				if c.ViewName != "" {
+					return nil, fmt.Errorf("multiple views defined in server block")
+				}
+				c.ViewName = vf.ViewName()
+				c.FilterFuncs = append(c.FilterFuncs, vf.Filter)
+			}
+		}
+	}
+
+	// Verify that there is no overlap on the zones and listen addresses
+	// for unfiltered server configs
+	errValid := h.validateZonesAndListeningAddresses()
+	if errValid != nil {
+		return nil, errValid
+	}
+
 	return servers, nil
 }

@@ -253,7 +267,15 @@ func (h *dnsContext) validateZonesAndListeningAddresses() error {
 		for _, h := range conf.ListenHosts {
 			// Validate the overlapping of ZoneAddr
 			akey := zoneAddr{Transport: conf.Transport, Zone: conf.Zone, Address: h, Port: conf.Port}
-			existZone, overlapZone := checker.registerAndCheck(akey)
+			var existZone, overlapZone *zoneAddr
+			if len(conf.FilterFuncs) > 0 {
+				// This config has filters. Check for overlap with other (unfiltered) configs.
+				existZone, overlapZone = checker.check(akey)
+			} else {
+				// This config has no filters. Check for overlap with other (unfiltered) configs,
+				// and register the zone to prevent subsequent zones from overlapping with it.
+				existZone, overlapZone = checker.registerAndCheck(akey)
+			}
 			if existZone != nil {
 				return fmt.Errorf("cannot serve %s - it is already defined", akey.String())
 			}
--- a/core/dnsserver/server.go
+++ b/core/dnsserver/server.go
@@ -37,23 +37,28 @@ type Server struct {
 	server [2]*dns.Server // 0 is a net.Listener, 1 is a net.PacketConn (a *UDPConn) in our case.
 	m      sync.Mutex     // protects the servers

-	zones        map[string]*Config // zones keyed by their address
-	dnsWg        sync.WaitGroup     // used to wait on outstanding connections
-	graceTimeout time.Duration      // the maximum duration of a graceful shutdown
-	trace        trace.Trace        // the trace plugin for the server
-	debug        bool               // disable recover()
-	stacktrace   bool               // enable stacktrace in recover error log
-	classChaos   bool               // allow non-INET class queries
+	zones        map[string][]*Config // zones keyed by their address
+	dnsWg        sync.WaitGroup       // used to wait on outstanding connections
+	graceTimeout time.Duration        // the maximum duration of a graceful shutdown
+	trace        trace.Trace          // the trace plugin for the server
+	debug        bool                 // disable recover()
+	stacktrace   bool                 // enable stacktrace in recover error log
+	classChaos   bool                 // allow non-INET class queries

 	tsigSecret map[string]string
 }

+// MetadataCollector is a plugin that can retrieve metadata functions from all metadata providing plugins
+type MetadataCollector interface {
+	Collect(context.Context, request.Request) context.Context
+}
+
 // NewServer returns a new CoreDNS server and compiles all plugins in to it. By default CH class
 // queries are blocked unless queries from enableChaos are loaded.
 func NewServer(addr string, group []*Config) (*Server, error) {
 	s := &Server{
 		Addr:         addr,
-		zones:        make(map[string]*Config),
+		zones:        make(map[string][]*Config),
 		graceTimeout: 5 * time.Second,
 		tsigSecret:   make(map[string]string),
 	}
@@ -72,8 +77,9 @@ func NewServer(addr string, group []*Config) (*Server, error) {
 			log.D.Set()
 		}
 		s.stacktrace = site.Stacktrace
-		// set the config per zone
-		s.zones[site.Zone] = site
+
+		// append the config to the zone's configs
+		s.zones[site.Zone] = append(s.zones[site.Zone], site)

 		// copy tsig secrets
 		for key, secret := range site.TsigSecret {
@@ -88,6 +94,12 @@ func NewServer(addr string, group []*Config) (*Server, error) {
 			// register the *handler* also
 			site.registerHandler(stack)

+			// If the current plugin is a MetadataCollector, bookmark it for later use. This loop traverses the plugin
+			// list backwards, so the first MetadataCollector plugin wins.
+			if mdc, ok := stack.(MetadataCollector); ok {
+				site.metaCollector = mdc
+			}
+
 			if s.trace == nil && stack.Name() == "trace" {
 				// we have to stash away the plugin, not the
 				// Tracer object, because the Tracer won't be initialized yet
@@ -254,24 +266,39 @@ func (s *Server) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg)
 	)

 	for {
-		if h, ok := s.zones[q[off:]]; ok {
-			if h.pluginChain == nil { // zone defined, but has not got any plugins
-				errorAndMetricsFunc(s.Addr, w, r, dns.RcodeRefused)
-				return
-			}
-			if r.Question[0].Qtype != dns.TypeDS {
-				rcode, _ := h.pluginChain.ServeDNS(ctx, w, r)
-				if !plugin.ClientWrite(rcode) {
-					errorFunc(s.Addr, w, r, rcode)
+		if z, ok := s.zones[q[off:]]; ok {
+			for _, h := range z {
+				if h.pluginChain == nil { // zone defined, but has not got any plugins
+					errorAndMetricsFunc(s.Addr, w, r, dns.RcodeRefused)
+					return
+				}
+
+				if h.metaCollector != nil {
+					// Collect metadata now, so it can be used before we send a request down the plugin chain.
+					ctx = h.metaCollector.Collect(ctx, request.Request{Req: r, W: w})
+				}
+
+				// If all filter funcs pass, use this config.
+				if passAllFilterFuncs(ctx, h.FilterFuncs, &request.Request{Req: r, W: w}) {
+					if h.ViewName != "" {
+						// if there was a view defined for this Config, set the view name in the context
+						ctx = context.WithValue(ctx, ViewKey{}, h.ViewName)
+					}
+					if r.Question[0].Qtype != dns.TypeDS {
+						rcode, _ := h.pluginChain.ServeDNS(ctx, w, r)
+						if !plugin.ClientWrite(rcode) {
+							errorFunc(s.Addr, w, r, rcode)
+						}
+						return
+					}
+					// The type is DS, keep the handler, but keep on searching as maybe we are serving
+					// the parent as well and the DS should be routed to it - this will probably *misroute* DS
+					// queries to a possibly grand parent, but there is no way for us to know at this point
+					// if there is an actual delegation from grandparent -> parent -> zone.
+					// In all fairness: direct DS queries should not be needed.
+					dshandler = h
 				}
-				return
 			}
-			// The type is DS, keep the handler, but keep on searching as maybe we are serving
-			// the parent as well and the DS should be routed to it - this will probably *misroute* DS
-			// queries to a possibly grand parent, but there is no way for us to know at this point
-			// if there is an actual delegation from grandparent -> parent -> zone.
-			// In all fairness: direct DS queries should not be needed.
-			dshandler = h
 		}
 		off, end = dns.NextLabel(q, off)
 		if end {
@@ -289,18 +316,46 @@ func (s *Server) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg)
 	}

 	// Wildcard match, if we have found nothing try the root zone as a last resort.
-	if h, ok := s.zones["."]; ok && h.pluginChain != nil {
-		rcode, _ := h.pluginChain.ServeDNS(ctx, w, r)
-		if !plugin.ClientWrite(rcode) {
-			errorFunc(s.Addr, w, r, rcode)
+	if z, ok := s.zones["."]; ok {
+		for _, h := range z {
+			if h.pluginChain == nil {
+				continue
+			}
+
+			if h.metaCollector != nil {
+				// Collect metadata now, so it can be used before we send a request down the plugin chain.
+				ctx = h.metaCollector.Collect(ctx, request.Request{Req: r, W: w})
+			}
+
+			// If all filter funcs pass, use this config.
+			if passAllFilterFuncs(ctx, h.FilterFuncs, &request.Request{Req: r, W: w}) {
+				if h.ViewName != "" {
+					// if there was a view defined for this Config, set the view name in the context
+					ctx = context.WithValue(ctx, ViewKey{}, h.ViewName)
+				}
+				rcode, _ := h.pluginChain.ServeDNS(ctx, w, r)
+				if !plugin.ClientWrite(rcode) {
+					errorFunc(s.Addr, w, r, rcode)
+				}
+				return
+			}
 		}
-		return
 	}

 	// Still here? Error out with REFUSED.
 	errorAndMetricsFunc(s.Addr, w, r, dns.RcodeRefused)
 }

+// passAllFilterFuncs returns true if all filter funcs evaluate to true for the given request
+func passAllFilterFuncs(ctx context.Context, filterFuncs []FilterFunc, req *request.Request) bool {
+	for _, ff := range filterFuncs {
+		if !ff(ctx, req) {
+			return false
+		}
+	}
+	return true
+}
+
 // OnStartupComplete lists the sites served by this server
 // and any relevant information, assuming Quiet is false.
 func (s *Server) OnStartupComplete() {
@@ -341,7 +396,7 @@ func errorAndMetricsFunc(server string, w dns.ResponseWriter, r *dns.Msg, rc int
 	answer.SetRcode(r, rc)
 	state.SizeAndDo(answer)

-	vars.Report(server, state, vars.Dropped, rcode.ToString(rc), "" /* plugin */, answer.Len(), time.Now())
+	vars.Report(server, state, vars.Dropped, "", rcode.ToString(rc), "" /* plugin */, answer.Len(), time.Now())

 	w.WriteMsg(answer)
 }
@@ -357,6 +412,9 @@ type (

 	// LoopKey is the context key to detect server wide loops.
 	LoopKey struct{}
+
+	// ViewKey is the context key for the current view, if defined
+	ViewKey struct{}
 )

 // EnableChaos is a map with plugin names for which we should open CH class queries as we block these by default.
--- a/core/dnsserver/server_grpc.go
+++ b/core/dnsserver/server_grpc.go
@@ -37,9 +37,11 @@ func NewServergRPC(addr string, group []*Config) (*ServergRPC, error) {
 	// The *tls* plugin must make sure that multiple conflicting
 	// TLS configuration returns an error: it can only be specified once.
 	var tlsConfig *tls.Config
-	for _, conf := range s.zones {
-		// Should we error if some configs *don't* have TLS?
-		tlsConfig = conf.TLSConfig
+	for _, z := range s.zones {
+		for _, conf := range z {
+			// Should we error if some configs *don't* have TLS?
+			tlsConfig = conf.TLSConfig
+		}
 	}
 	// http/2 is required when using gRPC. We need to specify it in next protos
 	// or the upgrade won't happen.
--- a/core/dnsserver/server_https.go
+++ b/core/dnsserver/server_https.go
@@ -50,9 +50,11 @@ func NewServerHTTPS(addr string, group []*Config) (*ServerHTTPS, error) {
 	// The *tls* plugin must make sure that multiple conflicting
 	// TLS configuration returns an error: it can only be specified once.
 	var tlsConfig *tls.Config
-	for _, conf := range s.zones {
-		// Should we error if some configs *don't* have TLS?
-		tlsConfig = conf.TLSConfig
+	for _, z := range s.zones {
+		for _, conf := range z {
+			// Should we error if some configs *don't* have TLS?
+			tlsConfig = conf.TLSConfig
+		}
 	}

 	// http/2 is recommended when using DoH. We need to specify it in next protos
@@ -63,8 +65,10 @@ func NewServerHTTPS(addr string, group []*Config) (*ServerHTTPS, error) {

 	// Use a custom request validation func or use the standard DoH path check.
 	var validator func(*http.Request) bool
-	for _, conf := range s.zones {
-		validator = conf.HTTPRequestValidateFunc
+	for _, z := range s.zones {
+		for _, conf := range z {
+			validator = conf.HTTPRequestValidateFunc
+		}
 	}
 	if validator == nil {
 		validator = func(r *http.Request) bool { return r.URL.Path == doh.Path }
--- a/core/dnsserver/server_tls.go
+++ b/core/dnsserver/server_tls.go
@@ -28,9 +28,11 @@ func NewServerTLS(addr string, group []*Config) (*ServerTLS, error) {
 	// The *tls* plugin must make sure that multiple conflicting
 	// TLS configuration returns an error: it can only be specified once.
 	var tlsConfig *tls.Config
-	for _, conf := range s.zones {
-		// Should we error if some configs *don't* have TLS?
-		tlsConfig = conf.TLSConfig
+	for _, z := range s.zones {
+		for _, conf := range z {
+			// Should we error if some configs *don't* have TLS?
+			tlsConfig = conf.TLSConfig
+		}
 	}

 	return &ServerTLS{Server: s, tlsConfig: tlsConfig}, nil
--- a/core/dnsserver/view.go
+++ b/core/dnsserver/view.go
@@ -0,0 +1,20 @@
+package dnsserver
+
+import (
+	"context"
+
+	"github.com/coredns/coredns/request"
+)
+
+// Viewer - If Viewer is implemented by a plugin in a server block, its Filter()
+// is added to the server block's filter functions when starting the server. When a running server
+// serves a DNS request, it will route the request to the first Config (server block) that passes
+// all its filter functions.
+type Viewer interface {
+	// Filter returns true if the server should use the server block in which the implementing plugin resides, and the
+	// name of the view for metrics logging.
+	Filter(ctx context.Context, req *request.Request) bool
+
+	// ViewName returns the name of the view
+	ViewName() string
+}
--- a/core/dnsserver/zdirectives.go
+++ b/core/dnsserver/zdirectives.go
@@ -60,4 +60,5 @@ var Directives = []string{
 	"whoami",
 	"on",
 	"sign",
+	"view",
 }