mrheinen · mrheinen · May 19, 2025 · May 18, 2025 · May 18, 2025 · May 19, 2025
diff --git a/config/database.sql b/config/database.sql
@@ -111,6 +111,7 @@ CREATE TABLE content_rule (
   responder_regex VARCHAR(1024) default '',
   responder_decoder RESPONDER_DECODER_TYPE default 'NONE',
      enabled         BOOL DEFAULT TRUE,
+  block           BOOL DEFAULT FALSE,
   CONSTRAINT fk_content_id FOREIGN KEY(content_id) REFERENCES content(id)
 );
 

diff --git a/pkg/agent/http_server.go b/pkg/agent/http_server.go
@@ -191,10 +191,21 @@ func (h *HttpServer) catchAll(w http.ResponseWriter, r *http.Request) {
 		log.Printf("unable to process request: %+v", err)
 
 		if st, ok := status.FromError(err); ok {
-			if st.Code() == codes.ResourceExhausted {
-				w.WriteHeader(http.StatusNotFound)
-				w.Write([]byte("<html></html>"))
-				return
+			switch st.Code() {
+				case codes.PermissionDenied:
+					w.WriteHeader(http.StatusForbidden)
+					w.Write([]byte("<html></html>"))
+					return
+
+				case codes.ResourceExhausted:
+					w.WriteHeader(http.StatusServiceUnavailable)
+					w.Write([]byte("<html></html>"))
+					return
+
+				default:
+					w.WriteHeader(http.StatusNotFound)
+					w.Write([]byte("<html></html>"))
+					return
 			}
 		} else {
 			w.WriteHeader(http.StatusOK)

diff --git a/pkg/agent/http_server_test.go b/pkg/agent/http_server_test.go
@@ -110,7 +110,75 @@ func TestCatchAllResourceExhausted(t *testing.T) {
 	res := w.Result()
 	defer res.Body.Close()
 
-	// Verify status code is 404
+	// Verify status code is 503 - Service Unavailable
+	if res.StatusCode != http.StatusServiceUnavailable {
+		t.Errorf("expected status code %d, got %d", http.StatusServiceUnavailable, res.StatusCode)
+	}
+
+	// Verify response body
+	data, err := io.ReadAll(res.Body)
+	if err != nil {
+		t.Errorf("reading response body: %s", err)
+	}
+
+	expectedBody := "<html></html>"
+	if string(data) != expectedBody {
+		t.Errorf("expected body %q, got %q", expectedBody, string(data))
+	}
+}
+
+func TestCatchAllPermissionDenied(t *testing.T) {
+	listenAddr := "127.0.0.1:8888"
+
+	// Creat
8000
e a backend client that returns a PermissionDenied error
+	bc := backend.FakeBackendClient{
+		HandleProbeReturnError: status.Error(codes.PermissionDenied, "Rule blocks request"),
+	}
+
+	// Create server and test request
+	s := NewHttpServer(&bc, listenAddr, "127.0.0.1")
+	req := httptest.NewRequest(http.MethodGet, "/test", nil)
+	w := httptest.NewRecorder()
+	s.catchAll(w, req)
+
+	res := w.Result()
+	defer res.Body.Close()
+
+	// Verify status code is 403 - Forbidden
+	if res.StatusCode != http.StatusForbidden {
+		t.Errorf("expected status code %d, got %d", http.StatusForbidden, res.StatusCode)
+	}
+
+	// Verify response body
+	data, err := io.ReadAll(res.Body)
+	if err != nil {
+		t.Errorf("reading response body: %s", err)
+	}
+
+	expectedBody := "<html></html>"
+	if string(data) != expectedBody {
+		t.Errorf("expected body %q, got %q", expectedBody, string(data))
+	}
+}
+
+func TestCatchAllDefaultError(t *testing.T) {
+	listenAddr := "127.0.0.1:8888"
+
+	// Create a backend client that returns an Unavailable error (not specifically handled)
+	bc := backend.FakeBackendClient{
+		HandleProbeReturnError: status.Error(codes.Unavailable, "Service unavailable"),
+	}
+
+	// Create server and test request
+	s := NewHttpServer(&bc, listenAddr, "127.0.0.1")
+	req := httptest.NewRequest(http.MethodGet, "/test", nil)
+	w := httptest.NewRecorder()
+	s.catchAll(w, req)
+
+	res := w.Result()
+	defer res.Body.Close()
+
+	// Verify status code is 404 - Not Found (default case)
 	if res.StatusCode != http.StatusNotFound {
 		t.Errorf("expected status code %d, got %d", http.StatusNotFound, res.StatusCode)
 	}
@@ -126,3 +194,37 @@ func TestCatchAllResourceExhausted(t *testing.T) {
 		t.Errorf("expected body %q, got %q", expectedBody, string(data))
 	}
 }
+
+func TestCatchAllNonStatusError(t *testing.T) {
+	listenAddr := "127.0.0.1:8888"
+
+	// Create a backend client that returns a non-status error
+	bc := backend.FakeBackendClient{
+		HandleProbeReturnError: fmt.Errorf("regular error, not a status error"),
+	}
+
+	// Create server and test request
+	s := NewHttpServer(&bc, listenAddr, "127.0.0.1")
+	req := httptest.NewRequest(http.MethodGet, "/test", nil)
+	w := httptest.NewRecorder()
+	s.catchAll(w, req)
+
+	res := w.Result()
+	defer res.Body.Close()
+
+	// Verify status code is 200 - OK (for non-status errors)
+	if res.StatusCode != http.StatusOK {
+		t.Errorf("expected status code %d, got %d", http.StatusOK, res.StatusCode)
+	}
+
+	// Verify response body
+	data, err := io.ReadAll(res.Body)
+	if err != nil {
+		t.Errorf("reading response body: %s", err)
+	}
+
+	expectedBody := "<html></html>"
+	if string(data) != expectedBody {
+		t.Errorf("expected body %q, got %q", expectedBody, string(data))
+	}
+}
diff --git a/pkg/backend/backend.go b/pkg/backend/backend.go
@@ -937,6 +937,10 @@ func (s *BackendServer) HandleProbe(ctx context.Context, req *backend_service.Ha
 		}
 	}
 
+	if matchedRule.Block {
+		return nil, status.Errorf(codes.PermissionDenied, "Rule blocks request")
+	}
+
 	sReq.ContentID = matchedRule.ContentID
 	sReq.RuleID = matchedRule.ID
 	sReq.AppID = matchedRule.AppID

diff --git a/pkg/backend/backend_test.go b/pkg/backend/backend_test.go
@@ -44,6 +44,8 @@ import (
 	"github.com/jackc/pgx/v5/pgtype"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/vingarcia/ksql"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
 )
 
 func GetContextWithAuthMetadata() context.Context {
@@ -679,9 +681,10 @@ func TestHandleProbe(t *testing.T) {
 			},
 		},
 		ContentRulesToReturn: []models.ContentRule{
-			{ID: 1, AppID: 42, Method: "GET", Port: 80, Uri: "/aa", UriMatching: "exact", ContentID: 42},
-			{ID: 2, AppID: 42, Method: "GET", Port: 80, Uri: "/aa", UriMatching: "exact", ContentID: 42},
-			{ID: 3, AppID: 1, Method: "GET", Port: 80, Uri: "/script", UriMatching: "exact", ContentID: 44},
+			{ID: 1, AppID: 42, Block: false, Method: "GET", Port: 80, Uri: "/aa", UriMatching: "exact", ContentID: 42},
+			{ID: 2, AppID: 42, Block: false, Method: "GET", Port: 80, Uri: "/aa", UriMatching: "exact", ContentID: 42},
+			{ID: 3, AppID: 1, Block: false, Method: "GET", Port: 80, Uri: "/script", UriMatching: "exact", ContentID: 44},
+			{ID: 4, AppID: 5, Block: true, Method: "GET", Port: 80, Uri: "/blocked", UriMatching: "exact", ContentID: 42},
 		},
 	}
 
@@ -846,6 +849,44 @@ func TestHandleProbe(t *testing.T) {
 			t.Fatalf("expected %d, got %s", testSessionId, fIpMgr.Events[0].SourceRef)
 		}
 	})
+
+	t.Run("rule blocks request", func(t *testing.T) {
+		// Reset limiter for this test
+		fakeLimiter.BoolToReturn = true
+		fakeLimiter.ErrorToReturn = nil
+
+		// Set request URI to match our blocking rule
+		probeReq.RequestUri = "/blocked"
+		probeReq.Request.ParsedUrl.Path = "/blocked"
+
+		// Call HandleProbe and verify it returns a PermissionDenied error
+		res, err := b.HandleProbe(ctx, &probeReq)
+
+		// Check that we got the expected error
+		if res != nil {
+			t.Errorf("Expected nil response but got: %v", res)
+		}
+
+		if err == nil {
+			t.Errorf("Expected error but got none")
+		}
+
+		// Check for the specific error code and message
+		statusErr, ok := status.FromError(err)
+		if !ok {
+			t.Errorf("Expected gRPC status error but got: %v", err)
+		}
+
+		if statusErr.Code() != codes.PermissionDenied {
+			t.Errorf("Expected PermissionDenied error but got: %v", statusErr.Code())
+		}
+
+		if statusErr.Message() != "Rule blocks request" {
+			t.Errorf("Expected 'Rule blocks request' in error message but got: %s", statusErr.Message())
+		}
+
+		// No request should be added to the queue for blocked requests
+	})
 }
 
 func TestProcessQueue(t *testing.T) {

diff --git a/pkg/database/models/content_rule.go b/pkg/database/models/content_rule.go
@@ -49,6 +49,7 @@ type ContentRule struct {
 	UpdatedAt   time.Time `ksql:"updated_at,timeNowUTC" json:"updated_at" yaml:"updated_at" doc:"Last update date of the rule"`
 	Alert       bool      `ksql:"alert" json:"alert" doc:"A bool (0 or 1) indicating if the rule should alert"`
 	Enabled     bool      `ksql:"enabled" json:"enabled" doc:"A bool (0 or 1) indicating if the rule is enabled"`
+	Block       bool      `ksql:"block" json:"block" doc:"A bool (0 or 1) indicating if requests matching the rule should be blocked"`
 	ExtVersion  int64     `ksql:"ext_version" json:"ext_version" yaml:"ext_version" doc:"The external numerical version of the rule"`
 	ExtUuid     string    `ksql:"ext_uuid" json:"ext_uuid" yaml:"ext_uuid" doc:"The external unique ID of the rule"`
 	// The request purpose should indicate what the request is intended to do. It

diff --git a/ui/src/components/container/RuleForm.vue b/ui/src/components/container/RuleForm.vue
@@ -207,6 +207,16 @@
                   />
                 </td>
               </tr>
+              <tr>
+                <th>Block</th>
+                <td>
+                  <CheckBox
+                    inputId="block"
+                    v-model="localRule.block"
+                    :binary="true"
+                  />
+                </td>
+              </tr>
             </table>
           </div>
         </div>
@@ -311,6 +321,7 @@ export default {
         responder: "NONE",
         responder_decoder: "NONE",
         enabled: true,
+        block: false,
         ports: [],
         parsed: {
           port_field: "",