Bug 1933266 - Update domain allowlist matching for Widevine (#3252)

Author: aosmond

src/auslib/AUS.py

@@ -1,5 +1,6 @@
 import functools
 import logging
+import re
 from random import randint
 from urllib.parse import urlparse
 
@@ -34,14 +35,29 @@ def isSpecialURL(url, specialForceHosts):
 def isForbiddenUrl(url, product, allowlistedDomains):
     if allowlistedDomains is None:
         allowlistedDomains = []
-    domain = urlparse(url)[1]
+    parsedUrl = urlparse(url)
+    domain = parsedUrl.netloc
     if domain not in allowlistedDomains:
         logging.warning("Forbidden domain: %s", domain)
         return True
-    if product not in allowlistedDomains[domain]:
+    allowlistedDomain = allowlistedDomains[domain]
+    if isinstance(allowlistedDomain, tuple):
+        if product in allowlistedDomain:
+            return False
         logging.warning("Forbidden domain for product %s: %s", product, domain)
-        return True
-    return False
+    elif isinstance(allowlistedDomain, dict):
+        path = parsedUrl.path
+        for pathRegex in allowlistedDomain:
+            if not re.fullmatch(pathRegex, path):
+                continue
+            if product in allowlistedDomain[pathRegex]:
+                return False
+            logging.warning("Forbidden domain/path for product %s: %s (%s)", product, domain, path)
+            return True
+        logging.warning("Forbidden domain/path: %s (%s)", domain, path)
+    else:
+        logging.warning("Forbidden domain, malformed entry: %s", domain)
+    return True
 
 
 def getFallbackChannel(channel):

tests/test_AUS.py

@@ -4,7 +4,7 @@
 import mock
 import pytest
 
-from auslib.AUS import AUS, FORCE_FALLBACK_MAPPING, FORCE_MAIN_MAPPING
+from auslib.AUS import AUS, FORCE_FALLBACK_MAPPING, FORCE_MAIN_MAPPING, isForbiddenUrl
 from auslib.blobs.base import createBlob
 from auslib.global_state import dbo
 
@@ -211,3 +211,36 @@ def testPinningWithThrottling25WithForcingFailureAndFallback(self):
 
         self.assertEqual(served_pinned, 1)
         self.assertEqual(tested, 1)
+
+
+class TestForbiddenUrl(unittest.TestCase):
+    def test_urls(self):
+        allowlist = {
+            "ignore.net": ("c", "d"),
+            "b.org": ("e", "f"),
+            "a.com": {
+                "/path/[\\w\\.]+/[\\w\\.]+\\.bin": (
+                    "a",
+                    "b",
+                ),
+            },
+        }
+
+        # Unmatched domain
+        self.assertTrue(isForbiddenUrl("https://b.com/path/foo/bar.bin", "c", allowlist))
+
+        # Matches domain without path but not product
+        self.assertTrue(isForbiddenUrl("https://b.org/anything/I/want.exe", "d", allowlist))
+
+        # Matches domain and product without path
+        self.assertFalse(isForbiddenUrl("https://b.org/anything/I/want.exe", "e", allowlist))
+
+        # Matches domain but path doesn't match regex
+        self.assertTrue(isForbiddenUrl("https://a.com/not/allowed.bin", "a", allowlist))
+        self.assertTrue(isForbiddenUrl("https://a.com/path/not/allowed+.bin", "b", allowlist))
+
+        # Matches domain and path, but not product
+        self.assertTrue(isForbiddenUrl("https://a.com/path/foo/bar.bin", "c", allowlist))
+
+        # Matches domain, path and product
+        self.assertFalse(isForbiddenUrl("https://a.com/path/foo/bar.bin", "b", allowlist))

uwsgi/admin.wsgi

@@ -34,6 +34,12 @@ DOMAIN_ALLOWLIST = {
         "Widevine",
         "Widevine-L1",
     ),
+    "www.google.com": {
+        "/dl/release2/chrome_component/[\\w\\.]+/[\\w\\.]+\\.crx3": (
+            "Widevine",
+            "Widevine-L1",
+        ),
+    },
     "ftp.mozilla.org": ("SystemAddons",),
     "fpn.firefox.com": ("FirefoxVPN", "Guardian"),
     "vpn.mozilla.org": ("FirefoxVPN", "Guardian"),

uwsgi/public.wsgi

@@ -35,6 +35,12 @@ DOMAIN_ALLOWLIST = {
         "Widevine",
         "Widevine-L1",
     ),
+    "www.google.com": {
+        "/dl/release2/chrome_component/[\\w\\.]+/[\\w\\.]+\\.crx3": (
+            "Widevine",
+            "Widevine-L1",
+        ),
+    },
     "ftp.mozilla.org": ("SystemAddons",),
     "fpn.firefox.com": ("FirefoxVPN", "Guardian"),
     "vpn.mozilla.org": ("FirefoxVPN", "Guardian"),