用户端可以添加WAF 黑白名单
This commit is contained in:
@@ -78,7 +78,7 @@ func (this *HTTPFirewallPolicyDAO) FindEnabledPolicyWhiteIPListId(ctx context.Co
|
||||
if config.Inbound == nil {
|
||||
config.Inbound = &firewallconfigs.HTTPFirewallInboundConfig{IsOn: true}
|
||||
}
|
||||
if config.Inbound.WhiteListRef == nil || config.Inbound.WhiteListRef.ListId == 0 {
|
||||
if config.Inbound.AllowListRef == nil || config.Inbound.AllowListRef.ListId == 0 {
|
||||
createResp, err := this.RPC().IPListRPC().CreateIPList(ctx, &pb.CreateIPListRequest{
|
||||
Type: "white",
|
||||
Name: "白名单",
|
||||
@@ -89,7 +89,7 @@ func (this *HTTPFirewallPolicyDAO) FindEnabledPolicyWhiteIPListId(ctx context.Co
|
||||
return 0, err
|
||||
}
|
||||
listId := createResp.IpListId
|
||||
config.Inbound.WhiteListRef = &ipconfigs.IPListRef{
|
||||
config.Inbound.AllowListRef = &ipconfigs.IPListRef{
|
||||
IsOn: true,
|
||||
ListId: listId,
|
||||
}
|
||||
@@ -107,7 +107,7 @@ func (this *HTTPFirewallPolicyDAO) FindEnabledPolicyWhiteIPListId(ctx context.Co
|
||||
return listId, nil
|
||||
}
|
||||
|
||||
return config.Inbound.WhiteListRef.ListId, nil
|
||||
return config.Inbound.AllowListRef.ListId, nil
|
||||
}
|
||||
|
||||
// 查找WAF的黑名单
|
||||
@@ -122,7 +122,7 @@ func (this *HTTPFirewallPolicyDAO) FindEnabledPolicyBlackIPListId(ctx context.Co
|
||||
if config.Inbound == nil {
|
||||
config.Inbound = &firewallconfigs.HTTPFirewallInboundConfig{IsOn: true}
|
||||
}
|
||||
if config.Inbound.BlackListRef == nil || config.Inbound.BlackListRef.ListId == 0 {
|
||||
if config.Inbound.DenyListRef == nil || config.Inbound.DenyListRef.ListId == 0 {
|
||||
createResp, err := this.RPC().IPListRPC().CreateIPList(ctx, &pb.CreateIPListRequest{
|
||||
Type: "black",
|
||||
Name: "黑名单",
|
||||
@@ -133,7 +133,7 @@ func (this *HTTPFirewallPolicyDAO) FindEnabledPolicyBlackIPListId(ctx context.Co
|
||||
return 0, err
|
||||
}
|
||||
listId := createResp.IpListId
|
||||
config.Inbound.BlackListRef = &ipconfigs.IPListRef{
|
||||
config.Inbound.DenyListRef = &ipconfigs.IPListRef{
|
||||
IsOn: true,
|
||||
ListId: listId,
|
||||
}
|
||||
@@ -151,7 +151,7 @@ func (this *HTTPFirewallPolicyDAO) FindEnabledPolicyBlackIPListId(ctx context.Co
|
||||
return listId, nil
|
||||
}
|
||||
|
||||
return config.Inbound.BlackListRef.ListId, nil
|
||||
return config.Inbound.DenyListRef.ListId, nil
|
||||
}
|
||||
|
||||
// 根据服务Id查找WAF策略
|
||||
|
||||
94
pkg/rpc/dao/http_web_dao.go
Normal file
94
pkg/rpc/dao/http_web_dao.go
Normal file
@@ -0,0 +1,94 @@
|
||||
package dao
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"github.com/TeaOSLab/EdgeCommon/pkg/errors"
|
||||
"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
|
||||
"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs"
|
||||
"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
|
||||
)
|
||||
|
||||
var SharedHTTPWebDAO = new(HTTPWebDAO)
|
||||
|
||||
type HTTPWebDAO struct {
|
||||
BaseDAO
|
||||
}
|
||||
|
||||
// 根据ServerId查找Web配置
|
||||
func (this *HTTPWebDAO) FindWebConfigWithServerId(ctx context.Context, serverId int64) (*serverconfigs.HTTPWebConfig, error) {
|
||||
resp, err := this.RPC().ServerRPC().FindAndInitServerWebConfig(ctx, &pb.FindAndInitServerWebConfigRequest{ServerId: serverId})
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
config := &serverconfigs.HTTPWebConfig{}
|
||||
err = json.Unmarshal(resp.WebJSON, config)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return config, nil
|
||||
}
|
||||
|
||||
// 根据LocationId查找Web配置
|
||||
func (this *HTTPWebDAO) FindWebConfigWithLocationId(ctx context.Context, locationId int64) (*serverconfigs.HTTPWebConfig, error) {
|
||||
resp, err := this.RPC().HTTPLocationRPC().FindAndInitHTTPLocationWebConfig(ctx, &pb.FindAndInitHTTPLocationWebConfigRequest{LocationId: locationId})
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
config := &serverconfigs.HTTPWebConfig{}
|
||||
err = json.Unmarshal(resp.WebJSON, config)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return config, nil
|
||||
}
|
||||
|
||||
// 根据WebId查找Web配置
|
||||
func (this *HTTPWebDAO) FindWebConfigWithId(ctx context.Context, webId int64) (*serverconfigs.HTTPWebConfig, error) {
|
||||
resp, err := this.RPC().HTTPWebRPC().FindEnabledHTTPWebConfig(ctx, &pb.FindEnabledHTTPWebConfigRequest{WebId: webId})
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
config := &serverconfigs.HTTPWebConfig{}
|
||||
err = json.Unmarshal(resp.WebJSON, config)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return config, nil
|
||||
}
|
||||
|
||||
// 初始化防火墙设置
|
||||
func (this *HTTPWebDAO) InitHTTPFirewallPolicy(ctx context.Context, webId int64) (int64, error) {
|
||||
// 创建FirewallPolicy
|
||||
firewallPolicyIdResp, err := this.RPC().HTTPFirewallPolicyRPC().CreateHTTPFirewallPolicy(ctx, &pb.CreateHTTPFirewallPolicyRequest{
|
||||
IsOn: true,
|
||||
Name: "用户自定义",
|
||||
Description: "",
|
||||
HttpFirewallGroupCodes: nil,
|
||||
})
|
||||
if err != nil {
|
||||
return 0, errors.Wrap(err)
|
||||
}
|
||||
|
||||
policyId := firewallPolicyIdResp.HttpFirewallPolicyId
|
||||
|
||||
firewallRef := &firewallconfigs.HTTPFirewallRef{
|
||||
IsPrior: false,
|
||||
IsOn: true,
|
||||
FirewallPolicyId: policyId,
|
||||
}
|
||||
firewallRefJSON, err := json.Marshal(firewallRef)
|
||||
if err != nil {
|
||||
return 0, errors.Wrap(err)
|
||||
}
|
||||
|
||||
_, err = this.RPC().HTTPWebRPC().UpdateHTTPWebFirewall(ctx, &pb.UpdateHTTPWebFirewallRequest{
|
||||
WebId: webId,
|
||||
FirewallJSON: firewallRefJSON,
|
||||
})
|
||||
if err != nil {
|
||||
return 0, errors.Wrap(err)
|
||||
}
|
||||
|
||||
return policyId, nil
|
||||
}
|
||||
128
pkg/rpc/dao/ip_list_dao.go
Normal file
128
pkg/rpc/dao/ip_list_dao.go
Normal file
@@ -0,0 +1,128 @@
|
||||
package dao
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"github.com/TeaOSLab/EdgeCommon/pkg/errors"
|
||||
"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
|
||||
"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
|
||||
"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/ipconfigs"
|
||||
)
|
||||
|
||||
var SharedIPListDAO = new(IPListDAO)
|
||||
|
||||
type IPListDAO struct {
|
||||
BaseDAO
|
||||
}
|
||||
|
||||
// 查找服务的允许IP列表
|
||||
func (this *IPListDAO) FindAllowIPListIdWithServerId(ctx context.Context, serverId int64) (int64, error) {
|
||||
webConfig, err := SharedHTTPWebDAO.FindWebConfigWithServerId(ctx, serverId)
|
||||
if err != nil {
|
||||
return 0, err
|
||||
}
|
||||
if webConfig == nil {
|
||||
return 0, nil
|
||||
}
|
||||
if webConfig.FirewallPolicy == nil || webConfig.FirewallPolicy.Inbound == nil || webConfig.FirewallPolicy.Inbound.AllowListRef == nil {
|
||||
return 0, nil
|
||||
}
|
||||
return webConfig.FirewallPolicy.Inbound.AllowListRef.ListId, nil
|
||||
}
|
||||
|
||||
// 查找服务的禁止IP列表
|
||||
func (this *IPListDAO) FindDenyIPListIdWithServerId(ctx context.Context, serverId int64) (int64, error) {
|
||||
webConfig, err := SharedHTTPWebDAO.FindWebConfigWithServerId(ctx, serverId)
|
||||
if err != nil {
|
||||
return 0, err
|
||||
}
|
||||
if webConfig == nil {
|
||||
return 0, nil
|
||||
}
|
||||
if webConfig.FirewallPolicy == nil || webConfig.FirewallPolicy.Inbound == nil || webConfig.FirewallPolicy.Inbound.DenyListRef == nil {
|
||||
return 0, nil
|
||||
}
|
||||
return webConfig.FirewallPolicy.Inbound.DenyListRef.ListId, nil
|
||||
}
|
||||
|
||||
// 为服务创建IP名单
|
||||
func (this *IPListDAO) CreateIPListForServerId(ctx context.Context, serverId int64, listType string) (int64, error) {
|
||||
webConfig, err := SharedHTTPWebDAO.FindWebConfigWithServerId(ctx, serverId)
|
||||
if err != nil {
|
||||
return 0, err
|
||||
}
|
||||
if webConfig == nil {
|
||||
return 0, nil
|
||||
}
|
||||
if webConfig.FirewallPolicy == nil || webConfig.FirewallPolicy.Id == 0 {
|
||||
_, err = SharedHTTPWebDAO.InitHTTPFirewallPolicy(ctx, webConfig.Id)
|
||||
if err != nil {
|
||||
return 0, errors.Wrap(err)
|
||||
}
|
||||
webConfig, err = SharedHTTPWebDAO.FindWebConfigWithServerId(ctx, serverId)
|
||||
if err != nil {
|
||||
return 0, err
|
||||
}
|
||||
if webConfig == nil {
|
||||
return 0, nil
|
||||
}
|
||||
if webConfig.FirewallPolicy == nil {
|
||||
return 0, nil
|
||||
}
|
||||
}
|
||||
|
||||
inbound := webConfig.FirewallPolicy.Inbound
|
||||
if inbound == nil {
|
||||
inbound = &firewallconfigs.HTTPFirewallInboundConfig{
|
||||
IsOn: true,
|
||||
}
|
||||
}
|
||||
if listType == "white" {
|
||||
if inbound.AllowListRef == nil {
|
||||
inbound.AllowListRef = &ipconfigs.IPListRef{
|
||||
IsOn: true,
|
||||
}
|
||||
}
|
||||
if inbound.AllowListRef.ListId > 0 {
|
||||
return inbound.AllowListRef.ListId, nil
|
||||
}
|
||||
} else if listType == "black" {
|
||||
if inbound.DenyListRef == nil {
|
||||
inbound.DenyListRef = &ipconfigs.IPListRef{
|
||||
IsOn: true,
|
||||
}
|
||||
}
|
||||
if inbound.DenyListRef.ListId > 0 {
|
||||
return inbound.DenyListRef.ListId, nil
|
||||
}
|
||||
}
|
||||
|
||||
ipListResp, err := this.RPC().IPListRPC().CreateIPList(ctx, &pb.CreateIPListRequest{
|
||||
Type: listType,
|
||||
Name: "IP名单",
|
||||
Code: listType,
|
||||
TimeoutJSON: nil,
|
||||
})
|
||||
if err != nil {
|
||||
return 0, errors.Wrap(err)
|
||||
}
|
||||
|
||||
if listType == "white" {
|
||||
inbound.AllowListRef.ListId = ipListResp.IpListId
|
||||
} else if listType == "black" {
|
||||
inbound.DenyListRef.ListId = ipListResp.IpListId
|
||||
}
|
||||
inboundJSON, err := json.Marshal(inbound)
|
||||
if err != nil {
|
||||
return 0, errors.Wrap(err)
|
||||
}
|
||||
_, err = this.RPC().HTTPFirewallPolicyRPC().UpdateHTTPFirewallInboundConfig(ctx, &pb.UpdateHTTPFirewallInboundConfigRequest{
|
||||
HttpFirewallPolicyId: webConfig.FirewallPolicy.Id,
|
||||
InboundJSON: inboundJSON,
|
||||
})
|
||||
if err != nil {
|
||||
return 0, errors.Wrap(err)
|
||||
}
|
||||
|
||||
return ipListResp.IpListId, nil
|
||||
}
|
||||
Reference in New Issue
Block a user