[BP-1232] Connectionpool blacklist (#181)
* BP-1232: break connection attempts to domain '.'

* Add domain blacklist to LdapConnectionPool to try to alleviate pain from repeated query attempts to a domain we can't reach

* Check blacklist against global catalog connections too

* Renaming blacklisted domains => excluded domains

* Adding comment to explain use for _excludedDomains
definitelynotagoblin authored Jan 9, 2025
1 parent c953260 commit 990136a
Showing 2 changed files with 16 additions and 2 deletions.
5 changes: 3 additions & 2 deletions src/CommonLib/ConnectionPoolManager.cs
Expand Up @@ -73,14 +73,14 @@ public void ReleaseConnection(LdapConnectionWrapper connectionWrapper, bool conn
}

private bool GetPool(string identifier, out LdapConnectionPool pool) {
if (identifier == null) {
if (string.IsNullOrWhiteSpace(identifier)) {
pool = default;
return false;
}

var resolved = ResolveIdentifier(identifier);
if (!_pools.TryGetValue(resolved, out pool)) {
pool = new LdapConnectionPool(identifier, resolved, _ldapConfig,scanner: _portScanner);
pool = new LdapConnectionPool(identifier, resolved, _ldapConfig, scanner: _portScanner);
_pools.TryAdd(resolved, pool);
}

Expand All @@ -96,6 +96,7 @@ private bool GetPool(string identifier, out LdapConnectionPool pool) {
if (globalCatalog) {
return await pool.GetGlobalCatalogConnectionAsync();
}

return await pool.GetConnectionAsync();
}

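Review bot: The new guard `string.IsNullOrWhiteSpace(identifier)` in GetPool still lets the identifier `.` through, since `.` is neither empty nor whitespace, so the "domain '.'" case named in the commit message is not rejected at this entry point but only after a first failed connection has populated the pool's exclusion set (unless `ResolveIdentifier`, which is outside the hunk, already normalizes or rejects it). If the intent is to never create a pool for `.`, extend the guard here, e.g. `if (string.IsNullOrWhiteSpace(identifier) || identifier == ".") {`, which also keeps `_pools` from accumulating an entry that can never connect. GetPool's body continues past the end of the hunk.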
13 changes: 13 additions & 0 deletions src/CommonLib/LdapConnectionPool.cs
Expand Up @@ -32,6 +32,9 @@ internal class LdapConnectionPool : IDisposable{
private const int MaxRetries = 3;
private static readonly ConcurrentDictionary<string, NetAPIStructs.DomainControllerInfo?> DCInfoCache = new();

// Tracks domains we know we've determined we shouldn't try to connect to
private static readonly ConcurrentHashSet _excludedDomains = new();

public LdapConnectionPool(string identifier, string poolIdentifier, LdapConfig config, PortScanner scanner = null, NativeMethods nativeMethods = null, ILogger log = null) {
_connections = new ConcurrentBag<LdapConnectionWrapper>();
_globalCatalogConnection = new ConcurrentBag<LdapConnectionWrapper>();
Expand Down Expand Up @@ -595,6 +598,10 @@ private bool CallDsGetDcName(string domainName, out NetAPIStructs.DomainControll
}

public async Task<(bool Success, LdapConnectionWrapper ConnectionWrapper, string Message)> GetConnectionAsync() {
if (_excludedDomains.Contains(_identifier)) {
return (false, null, $"Identifier {_identifier} excluded for connection attempt");
}

if (!_connections.TryTake(out var connectionWrapper)) {
var (success, connection, message) = await CreateNewConnection();
if (!success) {
Expand All @@ -613,6 +620,10 @@ private bool CallDsGetDcName(string domainName, out NetAPIStructs.DomainControll
}

public async Task<(bool Success, LdapConnectionWrapper ConnectionWrapper, string Message)> GetGlobalCatalogConnectionAsync() {
if (_excludedDomains.Contains(_identifier)) {
return (false, null, $"Identifier {_identifier} excluded for connection attempt");
}

if (!_globalCatalogConnection.TryTake(out var connectionWrapper)) {
var (success, connection, message) = await CreateNewConnection(true);
if (!success) {
Expand Down Expand Up @@ -691,6 +702,7 @@ public void Dispose() {
_log.LogDebug(
"Could not get domain object from GetDomain, unable to create ldap connection for domain {Domain}",
_identifier);
_excludedDomains.Add(_identifier);
return (false, null, "Unable to get domain object for further strategies");
}
tempDomainName = domainObject.Name.ToUpper().Trim();
Expand Down Expand Up @@ -725,6 +737,7 @@ public void Dispose() {
}
} catch (Exception e) {
_log.LogInformation(e, "We will not be able to connect to domain {Domain} by any strategy, leaving it.", _identifier);
_excludedDomains.Add(_identifier);
}

return (false, null, "All attempted connections failed");
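Review bot: `_excludedDomains` is a static set that the patch only ever adds to — in the GetDomain failure path and in the catch-all `catch (Exception e)` of the connection-strategy code (apparently `CreateNewConnection`) — and never removes from, so a single failure, transient or not, makes `GetConnectionAsync` and `GetGlobalCatalogConnectionAsync` refuse that identifier for the lifetime of the process across every pool instance. The comment added above the field should state that, e.g. `// Process-wide and never cleared: an identifier added here (on any failure while creating a connection, including transient ones) is refused by GetConnectionAsync/GetGlobalCatalogConnectionAsync until the process exits.` If temporary DC or network outages are realistic during a run, pairing each entry with a timestamp and re-allowing attempts after a cooldown would keep a blip from turning into a whole-run loss of that domain. Note also that exclusion is keyed on `_identifier` while the pool itself is keyed on the resolved `poolIdentifier`, so two identifiers that resolve to the same domain are excluded independently; that may be intended but is worth a comment. Each method containing the new lines starts and ends outside its hunk.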
