feat(*): Add "allow list" support for CAPI (#36)

* feat(allow list): Handle allow list decisions

* feat(allow list): Use 20 years as infinite TTL

* feat(remdiation): Early return a bypass if there is an allow list decision

* test(*): Update test for private method

* style(*): Pass through code format tools

* test(*): Add code coverage

* style(*): Rearrange code

* docs(*): Prepare release 4.3.0

Author: julienloizelet

CHANGELOG.md

@@ -13,6 +13,16 @@ The [public API](https://semver.org/spec/v2.0.0.html#spec-item-1)  of this libra
 As far as possible, we try to adhere to [Symfony guidelines](https://symfony.com/doc/current/contributing/code/bc.html#working-on-symfony-code) when deciding whether a change is a breaking change or not.
 
 
+---
+
+## [4.3.0](https://github.com/crowdsecurity/php-remediation-engine/releases/tag/v4.3.0) - 2025-04-??
+[_Compare with previous release_](https://github.com/crowdsecurity/php-remediation-engine/compare/v4.2.0...HEAD)
+
+
+### Added
+
+- Add support for `Allowlists` decisions
+
 ---
 
 ## [4.2.0](https://github.com/crowdsecurity/php-remediation-engine/releases/tag/v4.2.0) - 2025-01-31

docs/USER_GUIDE.md

@@ -64,6 +64,7 @@ This kind of action is called a remediation and can be:
     - Handle Range scoped decisions for IPv4
     - Handle Country scoped decisions using [MaxMind](https://www.maxmind.com) database
     - Handle List decisions
+    - Handle Allow list decisions for CAPI
   - Determine remediation for a given IP
     - Use the cached decisions for CAPI and for LAPI in stream mode
     - For LAPI in live mode, call LAPI if there is no cached decision

src/AbstractRemediation.php

@@ -16,6 +16,8 @@
 
 abstract class AbstractRemediation
 {
+    /** @var string The CrowdSec name for allowlist */
+    public const CS_ALLOW = 'allowlists';
     /** @var string The CrowdSec name for blocklist */
     public const CS_BLOCK = 'blocklists';
     /** @var string The CrowdSec name for deleted decisions */
@@ -487,6 +489,15 @@ private function normalize(string $value): string
     private function retrieveRemediationFromCachedDecisions(array $cacheDecisions): array
     {
         $cleanDecisions = $this->cacheStorage->cleanCachedValues($cacheDecisions);
+        // Early return for Allow list
+        foreach ($cleanDecisions as $decision) {
+            if (Constants::ALLOW_LIST_REMEDIATION === $decision[AbstractCache::INDEX_MAIN]) {
+                return [
+                    self::INDEX_REM => Constants::REMEDIATION_BYPASS,
+                    self::INDEX_ORIGIN => $decision[AbstractCache::INDEX_ORIGIN],
+                ];
+            }
+        }
         $sortedDecisions = $this->sortDecisionsByPriority($cleanDecisions);
         $this->logger->debug('Decisions have been sorted by priority', [
             'type' => 'REM_SORTED_DECISIONS',

src/CacheStorage/AbstractCache.php

@@ -48,6 +48,8 @@ abstract class AbstractCache
     public const LAST_PULL = 'last_pull';
     /** @var string Internal name for list */
     public const LIST = 'list';
+    /** @var string Internal name for allow list */
+    public const ALLOW_LIST = 'allow_list';
     /** @var string Internal name for cache remediation origin count item */
     public const ORIGINS_COUNT = 'origins_count';
     /** @var string Internal name for cache clean item */
@@ -398,7 +400,7 @@ protected function saveDeferred(CacheItemInterface $item): bool
      */
     private function format(Decision $decision, ?int $bucketInt = null): array
     {
-        $mainValue = $bucketInt ? $decision->getValue() : $decision->getType();
+        $mainValue = null !== $bucketInt ? $decision->getValue() : $decision->getType();
 
         return [
             self::INDEX_MAIN => $mainValue,
@@ -470,7 +472,7 @@ private function getRangeIntForIp(string $ip): int
      */
     private function getTags(Decision $decision, ?int $bucketInt = null): array
     {
-        return $bucketInt ? [self::RANGE_BUCKET_TAG] : [self::CACHE_TAG_REM, $decision->getScope()];
+        return null !== $bucketInt ? [self::RANGE_BUCKET_TAG] : [self::CACHE_TAG_REM, $decision->getScope()];
     }
 
     /**
@@ -529,7 +531,7 @@ private function manageRange(Decision $decision): ?RangeInterface
     private function remove(Decision $decision, ?int $bucketInt = null): array
     {
         $result = [self::DONE => 0, self::DEFER => 0, self::REMOVED => []];
-        $cacheKey = $bucketInt ? $this->getCacheKey(self::IPV4_BUCKET_KEY, (string) $bucketInt) :
+        $cacheKey = null !== $bucketInt ? $this->getCacheKey(self::IPV4_BUCKET_KEY, (string) $bucketInt) :
             $this->getCacheKey($decision->getScope(), $decision->getValue());
         $item = $this->getItem($cacheKey);
 
@@ -605,7 +607,7 @@ private function saveItemWithDuration(
      */
     private function store(Decision $decision, ?int $bucketInt = null): array
     {
-        $cacheKey = $bucketInt ? $this->getCacheKey(self::IPV4_BUCKET_KEY, (string) $bucketInt) :
+        $cacheKey = null !== $bucketInt ? $this->getCacheKey(self::IPV4_BUCKET_KEY, (string) $bucketInt) :
             $this->getCacheKey($decision->getScope(), $decision->getValue());
         $item = $this->getItem($cacheKey);
         $cachedValues = $item->isHit() ? $item->get() : [];

src/CapiRemediation.php

@@ -66,6 +66,42 @@ public function getIpRemediation(string $ip): array
         return $this->processCachedDecisions($cachedDecisions);
     }
 
+    /**
+     * @throws CacheStorageException
+     * @throws InvalidArgumentException
+     * @throws CacheException|ClientException
+     */
+    public function refreshDecisions(): array
+    {
+        $rawDecisions = $this->client->getStreamDecisions();
+        $newDecisions = $this->convertRawCapiDecisionsToDecisions($rawDecisions[self::CS_NEW] ?? []);
+        $deletedDecisions = $this->convertRawCapiDecisionsToDecisions($rawDecisions[self::CS_DEL] ?? []);
+        $listDecisions = $this->handleListDecisions($rawDecisions[self::CS_LINK][self::CS_BLOCK] ?? []);
+        $allowListDecisions = $this->handleAllowListDecisions($rawDecisions[self::CS_LINK][self::CS_ALLOW] ?? []);
+
+        $stored = $this->storeDecisions(array_merge(
+            $newDecisions,
+            $listDecisions,
+            $allowListDecisions
+        ));
+        $removed = $this->removeDecisions($deletedDecisions);
+
+        return [
+            self::CS_NEW => $stored[AbstractCache::DONE] ?? 0,
+            self::CS_DEL => $removed[AbstractCache::DONE] ?? 0,
+        ];
+    }
+
+    /**
+     * Process and validate input configurations.
+     */
+    private function configure(array $configs): void
+    {
+        $configuration = new CapiRemediationConfig();
+        $processor = new Processor();
+        $this->configs = $processor->processConfiguration($configuration, [$configuration->cleanConfigs($configs)]);
+    }
+
     private function convertRawCapiDecisionsToDecisions(array $rawDecisions): array
     {
         $decisions = [];
@@ -100,31 +136,90 @@ private function formatIfModifiedSinceHeader(int $timestamp): string
         return gmdate('D, d M Y H:i:s \G\M\T', $timestamp);
     }
 
-    /**
-     * This method allows to know if the "If-Modified-Since" should be added when pulling list decisions.
-     *
-     * @param int $pullTime           // Moment when the list is pulled
-     * @param int $listExpirationTime // Expiration of the cached list decisions
-     * @param int $frequency          // Amount of time in seconds that represents the average decision pull frequency
-     */
-    private function shouldAddModifiedSince(int $pullTime, int $listExpirationTime, int $frequency): bool
+    private function getDurationInSeconds(string $futureDate): int
     {
-        return ($listExpirationTime - $frequency) > $pullTime;
+        try {
+            // Remove microseconds for better compatibility with older PHP versions
+            $cleanDate = preg_replace('/\.\d{3,6}/', '', $futureDate);
+
+            $expiration = new \DateTime($cleanDate, new \DateTimeZone('UTC'));
+            $now = new \DateTime('now', new \DateTimeZone('UTC'));
+
+            $duration = $expiration->getTimestamp() - $now->getTimestamp();
+
+            return max(0, $duration);
+        } catch (\Throwable $e) {
+            // If parsing fails, return 0 as a fallback
+            return 0;
+        }
     }
 
-    private function handleListPullHeaders(array $headers, array $lastPullContent, int $pullTime): array
+    /**
+     * @throws InvalidArgumentException|CacheException
+     */
+    private function handleAllowListDecisions(array $allowlists): array
     {
-        $shouldAddModifiedSince = false;
-        if (isset($lastPullContent[AbstractCache::INDEX_EXP])) {
-            $frequency = $this->getConfig('refresh_frequency_indicator') ?? Constants::REFRESH_FREQUENCY;
-            $shouldAddModifiedSince = $this->shouldAddModifiedSince(
-                $pullTime,
-                (int) $lastPullContent[AbstractCache::INDEX_EXP],
-                (int) $frequency
-            );
+        $decisions = [];
+        try {
+            foreach ($allowlists as $allowlist) {
+                $headers = [];
+                if ($this->validateAllowlist($allowlist)) {
+                    // The existence of the following indexes must be guaranteed by the validateAllowlist method
+                    $listName = strtolower((string) $allowlist['name']);
+                    $listId = (string) $allowlist['id'];
+                    $url = (string) $allowlist['url'];
+                    $origin = Constants::ORIGIN_LISTS;
+                    $allowDecision = [
+                        'type' => Constants::ALLOW_LIST_REMEDIATION,
+                        'origin' => $origin,
+                        'scenario' => $listName,
+                    ];
+
+                    $lastPullCacheKey = $this->getCacheStorage()->getCacheKey(
+                        AbstractCache::ALLOW_LIST,
+                        $listId
+                    );
+
+                    $lastPullItem = $this->getCacheStorage()->getItem($lastPullCacheKey);
+
+                    $pullTime = time();
+                    if ($lastPullItem->isHit()) {
+                        $lastPullContent = $lastPullItem->get();
+                        $headers = $this->handleAllowListPullHeaders($headers, $lastPullContent);
+                    }
+
+                    $listResponse = rtrim(
+                        $this->client->getCapiHandler()->getListDecisions($url, $headers),
+                        \PHP_EOL
+                    );
+
+                    if ($listResponse) {
+                        $this->cacheStorage->upsertItem(
+                            $lastPullCacheKey,
+                            [
+                                AbstractCache::LAST_PULL => $pullTime,
+                            ],
+                            0,
+                            [AbstractCache::ALLOW_LIST, $listName]
+                        );
+                        $decisions = $this->handleAllowListResponse($listResponse, $allowDecision);
+                    }
+                }
+            }
+        } catch (\Exception $e) {
+            $this->logger->info('Something went wrong during list decisions process', [
+                'type' => 'CAPI_REM_HANDLE_ALLOW_LIST_DECISIONS',
+                'message' => $e->getMessage(),
+                'code' => $e->getCode(),
+            ]);
         }
 
-        if ($shouldAddModifiedSince && isset($lastPullContent[AbstractCache::LAST_PULL])) {
+        return $decisions;
+    }
+
+    private function handleAllowListPullHeaders(array $headers, array $lastPullContent): array
+    {
+        if (isset($lastPullContent[AbstractCache::LAST_PULL])) {
             $headers['If-Modified-Since'] = $this->formatIfModifiedSinceHeader(
                 (int) $lastPullContent[AbstractCache::LAST_PULL]
             );
@@ -133,6 +228,34 @@ private function handleListPullHeaders(array $headers, array $lastPullContent, i
         return $headers;
     }
 
+    private function handleAllowListResponse(string $listResponse, array $allowDecision): array
+    {
+        $decisions = [];
+        $listedAllows = explode(\PHP_EOL, $listResponse);
+        $this->logger->debug('Handle allow list decisions', [
+            'type' => 'CAPI_REM_HANDLE_ALLOW_LIST_DECISIONS',
+            'list_count' => count($listedAllows),
+        ]);
+        foreach ($listedAllows as $listedAllow) {
+            $decoded = json_decode($listedAllow, true);
+            $allowDecision['value'] = $decoded['value'];
+            $allowDecision['scope'] = $decoded['scope'];
+            $allowDecision['duration'] = '1s'; // Will be overwritten by the duration in the allowlist
+            $decision = $this->convertRawDecision($allowDecision);
+
+            if ($decision) {
+                $durationInSeconds = isset($decoded['expiration']) ?
+                    $this->getDurationInSeconds($decoded['expiration']) :
+                    Constants::MAX_DURATION;
+
+                $decision->setExpiresAt(time() + $durationInSeconds);
+                $decisions[] = $decision;
+            }
+        }
+
+        return $decisions;
+    }
+
     /**
      * @throws InvalidArgumentException|CacheException
      */
@@ -168,7 +291,9 @@ private function handleListDecisions(array $blocklists): array
                     $pullTime = time();
                     if ($lastPullItem->isHit()) {
                         $lastPullContent = $lastPullItem->get();
-                        $headers = $this->handleListPullHeaders($headers, $lastPullContent, $pullTime);
+                        $frequency = $this->getConfig('refresh_frequency_indicator') ?? Constants::REFRESH_FREQUENCY;
+                        $headers = $this->handleListPullHeaders($headers, $lastPullContent, $pullTime, (int)
+                        $frequency);
                     }
 
                     $listResponse = rtrim(
@@ -202,6 +327,26 @@ private function handleListDecisions(array $blocklists): array
         return $decisions;
     }
 
+    private function handleListPullHeaders(array $headers, array $lastPullContent, int $pullTime, int $frequency): array
+    {
+        $shouldAddModifiedSince = false;
+        if (isset($lastPullContent[AbstractCache::INDEX_EXP])) {
+            $shouldAddModifiedSince = $this->shouldAddModifiedSince(
+                $pullTime,
+                (int) $lastPullContent[AbstractCache::INDEX_EXP],
+                $frequency
+            );
+        }
+
+        if ($shouldAddModifiedSince && isset($lastPullContent[AbstractCache::LAST_PULL])) {
+            $headers['If-Modified-Since'] = $this->formatIfModifiedSinceHeader(
+                (int) $lastPullContent[AbstractCache::LAST_PULL]
+            );
+        }
+
+        return $headers;
+    }
+
     private function handleListResponse(string $listResponse, array $blockDecision): array
     {
         $decisions = [];
@@ -221,6 +366,37 @@ private function handleListResponse(string $listResponse, array $blockDecision):
         return $decisions;
     }
 
+    /**
+     * This method allows to know if the "If-Modified-Since" should be added when pulling list decisions.
+     *
+     * @param int $pullTime           // Moment when the list is pulled
+     * @param int $listExpirationTime // Expiration of the cached list decisions
+     * @param int $frequency          // Amount of time in seconds that represents the average decision pull frequency
+     */
+    private function shouldAddModifiedSince(int $pullTime, int $listExpirationTime, int $frequency): bool
+    {
+        return ($listExpirationTime - $frequency) > $pullTime;
+    }
+
+    private function validateAllowlist(array $allowlist): bool
+    {
+        if (
+            !empty($allowlist['id'])
+            && !empty($allowlist['name'])
+            && !empty($allowlist['description'])
+            && !empty($allowlist['url'])
+        ) {
+            return true;
+        }
+
+        $this->logger->error('Retrieved allowlist is not as expected', [
+            'type' => 'REM_RAW_DECISION_NOT_AS_EXPECTED',
+            'raw_decision' => json_encode($allowlist),
+        ]);
+
+        return false;
+    }
+
     private function validateBlocklist(array $blocklist): bool
     {
         if (
@@ -240,35 +416,4 @@ private function validateBlocklist(array $blocklist): bool
 
         return false;
     }
-
-    /**
-     * @throws CacheStorageException
-     * @throws InvalidArgumentException
-     * @throws CacheException|ClientException
-     */
-    public function refreshDecisions(): array
-    {
-        $rawDecisions = $this->client->getStreamDecisions();
-        $newDecisions = $this->convertRawCapiDecisionsToDecisions($rawDecisions[self::CS_NEW] ?? []);
-        $deletedDecisions = $this->convertRawCapiDecisionsToDecisions($rawDecisions[self::CS_DEL] ?? []);
-        $listDecisions = $this->handleListDecisions($rawDecisions[self::CS_LINK][self::CS_BLOCK] ?? []);
-
-        $stored = $this->storeDecisions(array_merge($newDecisions, $listDecisions));
-        $removed = $this->removeDecisions($deletedDecisions);
-
-        return [
-            self::CS_NEW => $stored[AbstractCache::DONE] ?? 0,
-            self::CS_DEL => $removed[AbstractCache::DONE] ?? 0,
-        ];
-    }
-
-    /**
-     * Process and validate input configurations.
-     */
-    private function configure(array $configs): void
-    {
-        $configuration = new CapiRemediationConfig();
-        $processor = new Processor();
-        $this->configs = $processor->processConfiguration($configuration, [$configuration->cleanConfigs($configs)]);
-    }
 }