Commit 0ed1b88a authored by Elger Jonker's avatar Elger Jonker

Attempting to fix FAALKAART-C2

Former-commit-id: b3fce5f4
parent 1c2c3acb
......@@ -605,7 +605,7 @@ def check_network(code_location=""):
def redirects_to_safety(endpoint: Endpoint):
Also includes the ip-version of the endpoint.
Also includes the ip-version of the endpoint. Implies that the endpoint resolves.
:param endpoint:
......@@ -14,7 +14,8 @@ from failmap.celery import app
from failmap.organizations.models import Organization, Url
from failmap.scanners.models import Endpoint
from failmap.scanners.scanmanager.endpoint_scan_manager import EndpointScanManager
from failmap.scanners.scanner.http import can_connect, connect_result, redirects_to_safety
from failmap.scanners.scanner.http import (can_connect, connect_result, redirects_to_safety,
resolves_on_v4, resolves_on_v6)
from failmap.scanners.scanner.scanner import allowed_to_scan, q_configurations_to_scan
log = logging.getLogger(__package__)
......@@ -62,10 +63,8 @@ def compose_task(
for incomplete_endpoint in incomplete_endpoints:
if incomplete_endpoint.ip_version == 6:
tasks.append( | store.s(incomplete_endpoint))
tasks.append( | store.s(incomplete_endpoint))
queue = "ipv4" if incomplete_endpoint.ip_version == 4 else "ipv6"
tasks.append( | store.s(incomplete_endpoint))
return group(tasks)
......@@ -122,25 +121,12 @@ def well_done(endpoint):
EndpointScanManager.add_scan("plain_https", endpoint, "0", cleaned_up)
def scan_v4(endpoint):
return scan(endpoint)
def scan_v6(endpoint):
return scan(endpoint)
# Task is written to work both on v4 and v6, but the network conf of the machine differs.
def scan(endpoint):
Using an incomplete endpoint
:param endpoint:
# calculate the score
# Organizations with wildcards can have this problem a lot:
# 1: It's not possible to distinguish the default page with another page, wildcards
......@@ -159,6 +145,22 @@ def scan(endpoint):
# 2: There is no guarantee that a wildcard serves a blank page.
# 3: In the transition phase to default https (coming years), it's not possible to say
# what should be the "leading" site.
:param endpoint:
# if the address doesn't resolve, why bother scanning at all?
resolves = False
if endpoint.ip_version == 4:
resolves = resolves_on_v4(endpoint.url.url)
if endpoint.ip_version == 6:
resolves = resolves_on_v6(endpoint.url.url)
if not resolves:
# no need to further check, can't even get the IP address...
return False, False, False
can_connect_result = can_connect(protocol="https", url=endpoint.url, port=443, ip_version=endpoint.ip_version)
redirects_to_safety_result = None
......@@ -166,13 +168,21 @@ def scan(endpoint):
if not can_connect_result:
redirects_to_safety_result = redirects_to_safety(endpoint)
return can_connect_result, redirects_to_safety_result
return resolves, can_connect_result, redirects_to_safety_result
def store(results, endpoint):
can_connect_result, redirects_to_safety_result = results
resolves, can_connect_result, redirects_to_safety_result = results
if not resolves:
# Don't administrate endpoints that don't resolve, that is a task for the http verify scanner. Here we just
# don't try to redirect to safety or otherwise miscalculate the result. If the http verify scanner is not run
# there will be mismatches between this (or previous results) and reality.
log.debug("Endpoint on %s doesn't resolve anymore. "
"Run the DNS verify scanner to prevent scanning non resolving endpoints." % endpoint)
connect_result(can_connect_result, protocol="https", url=endpoint.url, port=443, ip_version=endpoint.ip_version)
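Review bot: In `store`, the new `if not resolves:` branch only logs; as rendered here no `return` follows the `log.debug(...)` call, so execution would fall through to `connect_result(can_connect_result, ...)` with the `False, False, False` tuple that `scan` returns for a non-resolving endpoint. That contradicts the comment in the branch ("Don't administrate endpoints that don't resolve") and, depending on what the rest of `store` does, may still record a missing-HTTPS result for a host that simply has no DNS record. If that is not intended, end the branch with `return`. The message is also emitted only at debug level, so skipped endpoints stay invisible in normal operation; `log.info("Endpoint on %s doesn't resolve anymore. ...", endpoint)` with lazy arguments would make them auditable. The body of `store` continues outside the hunk.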