temporarty hack to fix block mode for CONNECT requests

ontologytimemachine/custom_proxy.py

@@ -5,10 +5,10 @@
 from ontologytimemachine.proxy_wrapper import HttpRequestWrapper
 from ontologytimemachine.utils.proxy_logic import (
     get_response_from_request,
-    if_not_block_host,
+    do_block_CONNECT_request,
     is_archivo_ontology_request,
 )
-from ontologytimemachine.utils.config import Config, parse_arguments
+from ontologytimemachine.utils.config import Config, HttpsInterception, parse_arguments
 from http.client import responses
 import proxy
 import sys
@@ -41,14 +41,14 @@ def before_upstream_connection(self, request: HttpParser) -> HttpParser | None:
         wrapped_request = HttpRequestWrapper(request)
 
         if wrapped_request.is_connect_request():
-            logger.info(f"HTTPS interception mode: {self.config.httpsInterception}")
+            logger.info(f"Handling CONNECT request: configured HTTPS interception mode: {self.config.httpsInterception}")
 
-            # Only intercept if interception is enabled
-            if if_not_block_host(self.config):
-                logger.info("HTTPS interception is on, forwardig the request")
+            # Check whether to allow CONNECT requests since they can impose a security risk
+            if not do_block_CONNECT_request(self.config):
+                logger.info("Allowing the CONNECT request")
                 return request
             else:
-                logger.info("HTTPS interception is blocked")
+                logger.info("CONNECT request was blocked due to the configuration")
                 return None
 
         # # If only ontology mode, return None in all other cases
@@ -66,14 +66,14 @@ def do_intercept(self, _request: HttpParser) -> bool:
             return True
         elif self.config.httpsInterception in ["none"]:
             return False
+        # elif self.config.httpsInterception == HttpsInterception.BLOCK: #this should actually be not triggered
+        #     return False
         elif self.config.httpsInterception in ["archivo"]:
             if is_archivo_ontology_request(wrapped_request):
                 return True
             return False
         else:
-            logger.info(
-                f"httpsInterception: {self.config.httpsInterception} option is not allowed."
-            )
+            logger.info("Unknown Option for httpsInterception: %s -> fallback to no interception", self.config.httpsInterception)
             return False
 
     def handle_client_request(self, request: HttpParser) -> HttpParser:

ontologytimemachine/utils/proxy_logic.py

@@ -1,5 +1,7 @@
 import logging
 import requests
+from ontologytimemachine.proxy_wrapper import AbstractRequestWrapper
+from ontologytimemachine.utils.config import Config, HttpsInterception
 from ontologytimemachine.utils.utils import (
     set_onto_format_headers,
     get_format_from_accept_header,
@@ -24,14 +26,15 @@
 logger = logging.getLogger(__name__)
 
 
-def if_not_block_host(config):
-    if config.httpsInterception in ["none", "all"]:
+def do_block_CONNECT_request(config: Config) -> bool:
+    if config.httpsInterception == HttpsInterception.BLOCK:
+        logger.info("decided to block CONNECT request due to config enum")
+        return True
+    if config.httpsInterception == "block":
+        logger.info("decided to block CONNECT request due 'block' string")
         return True
-    elif config.httpsInterception in ["block"]:
-        return False
     return False
 
-
 def do_deny_request_due_non_archivo_ontology_uri(wrapped_request, only_ontologies):
     if only_ontologies:
         is_archivo_ontology = is_archivo_ontology_request(wrapped_request)

tests/test_proxy_logic.py

@@ -1,6 +1,6 @@
 import unittest
 from ontologytimemachine.utils.proxy_logic import (
-    if_not_block_host,
+    do_block_CONNECT_request,
     do_deny_request_due_non_archivo_ontology_uri,
     load_archivo_urls,
     is_archivo_ontology_request,