用户端可以添加WAF 黑白名单

This commit is contained in:
GoEdgeLab
2021-01-03 20:18:21 +08:00
parent 3ce5ac7929
commit ecd16cba0e
8 changed files with 367 additions and 28 deletions

View File

@@ -78,7 +78,7 @@ func (this *HTTPFirewallPolicyDAO) FindEnabledPolicyWhiteIPListId(ctx context.Co
if config.Inbound == nil {
config.Inbound = &firewallconfigs.HTTPFirewallInboundConfig{IsOn: true}
}
if config.Inbound.WhiteListRef == nil || config.Inbound.WhiteListRef.ListId == 0 {
if config.Inbound.AllowListRef == nil || config.Inbound.AllowListRef.ListId == 0 {
createResp, err := this.RPC().IPListRPC().CreateIPList(ctx, &pb.CreateIPListRequest{
Type: "white",
Name: "白名单",
@@ -89,7 +89,7 @@ func (this *HTTPFirewallPolicyDAO) FindEnabledPolicyWhiteIPListId(ctx context.Co
return 0, err
}
listId := createResp.IpListId
config.Inbound.WhiteListRef = &ipconfigs.IPListRef{
config.Inbound.AllowListRef = &ipconfigs.IPListRef{
IsOn: true,
ListId: listId,
}
@@ -107,7 +107,7 @@ func (this *HTTPFirewallPolicyDAO) FindEnabledPolicyWhiteIPListId(ctx context.Co
return listId, nil
}
return config.Inbound.WhiteListRef.ListId, nil
return config.Inbound.AllowListRef.ListId, nil
}
// 查找WAF的黑名单
@@ -122,7 +122,7 @@ func (this *HTTPFirewallPolicyDAO) FindEnabledPolicyBlackIPListId(ctx context.Co
if config.Inbound == nil {
config.Inbound = &firewallconfigs.HTTPFirewallInboundConfig{IsOn: true}
}
if config.Inbound.BlackListRef == nil || config.Inbound.BlackListRef.ListId == 0 {
if config.Inbound.DenyListRef == nil || config.Inbound.DenyListRef.ListId == 0 {
createResp, err := this.RPC().IPListRPC().CreateIPList(ctx, &pb.CreateIPListRequest{
Type: "black",
Name: "黑名单",
@@ -133,7 +133,7 @@ func (this *HTTPFirewallPolicyDAO) FindEnabledPolicyBlackIPListId(ctx context.Co
return 0, err
}
listId := createResp.IpListId
config.Inbound.BlackListRef = &ipconfigs.IPListRef{
config.Inbound.DenyListRef = &ipconfigs.IPListRef{
IsOn: true,
ListId: listId,
}
@@ -151,7 +151,7 @@ func (this *HTTPFirewallPolicyDAO) FindEnabledPolicyBlackIPListId(ctx context.Co
return listId, nil
}
return config.Inbound.BlackListRef.ListId, nil
return config.Inbound.DenyListRef.ListId, nil
}
// 根据服务Id查找WAF策略

View File

@@ -0,0 +1,94 @@
package dao
import (
"context"
"encoding/json"
"github.com/TeaOSLab/EdgeCommon/pkg/errors"
"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs"
"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
)
var SharedHTTPWebDAO = new(HTTPWebDAO)
type HTTPWebDAO struct {
BaseDAO
}
// 根据ServerId查找Web配置
func (this *HTTPWebDAO) FindWebConfigWithServerId(ctx context.Context, serverId int64) (*serverconfigs.HTTPWebConfig, error) {
resp, err := this.RPC().ServerRPC().FindAndInitServerWebConfig(ctx, &pb.FindAndInitServerWebConfigRequest{ServerId: serverId})
if err != nil {
return nil, err
}
config := &serverconfigs.HTTPWebConfig{}
err = json.Unmarshal(resp.WebJSON, config)
if err != nil {
return nil, err
}
return config, nil
}
// 根据LocationId查找Web配置
func (this *HTTPWebDAO) FindWebConfigWithLocationId(ctx context.Context, locationId int64) (*serverconfigs.HTTPWebConfig, error) {
resp, err := this.RPC().HTTPLocationRPC().FindAndInitHTTPLocationWebConfig(ctx, &pb.FindAndInitHTTPLocationWebConfigRequest{LocationId: locationId})
if err != nil {
return nil, err
}
config := &serverconfigs.HTTPWebConfig{}
err = json.Unmarshal(resp.WebJSON, config)
if err != nil {
return nil, err
}
return config, nil
}
// 根据WebId查找Web配置
func (this *HTTPWebDAO) FindWebConfigWithId(ctx context.Context, webId int64) (*serverconfigs.HTTPWebConfig, error) {
resp, err := this.RPC().HTTPWebRPC().FindEnabledHTTPWebConfig(ctx, &pb.FindEnabledHTTPWebConfigRequest{WebId: webId})
if err != nil {
return nil, err
}
config := &serverconfigs.HTTPWebConfig{}
err = json.Unmarshal(resp.WebJSON, config)
if err != nil {
return nil, err
}
return config, nil
}
// 初始化防火墙设置
func (this *HTTPWebDAO) InitHTTPFirewallPolicy(ctx context.Context, webId int64) (int64, error) {
// 创建FirewallPolicy
firewallPolicyIdResp, err := this.RPC().HTTPFirewallPolicyRPC().CreateHTTPFirewallPolicy(ctx, &pb.CreateHTTPFirewallPolicyRequest{
IsOn: true,
Name: "用户自定义",
Description: "",
HttpFirewallGroupCodes: nil,
})
if err != nil {
return 0, errors.Wrap(err)
}
policyId := firewallPolicyIdResp.HttpFirewallPolicyId
firewallRef := &firewallconfigs.HTTPFirewallRef{
IsPrior: false,
IsOn: true,
FirewallPolicyId: policyId,
}
firewallRefJSON, err := json.Marshal(firewallRef)
if err != nil {
return 0, errors.Wrap(err)
}
_, err = this.RPC().HTTPWebRPC().UpdateHTTPWebFirewall(ctx, &pb.UpdateHTTPWebFirewallRequest{
WebId: webId,
FirewallJSON: firewallRefJSON,
})
if err != nil {
return 0, errors.Wrap(err)
}
return policyId, nil
}

128
pkg/rpc/dao/ip_list_dao.go Normal file
View File

@@ -0,0 +1,128 @@
package dao
import (
"context"
"encoding/json"
"github.com/TeaOSLab/EdgeCommon/pkg/errors"
"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/ipconfigs"
)
var SharedIPListDAO = new(IPListDAO)
type IPListDAO struct {
BaseDAO
}
// 查找服务的允许IP列表
func (this *IPListDAO) FindAllowIPListIdWithServerId(ctx context.Context, serverId int64) (int64, error) {
webConfig, err := SharedHTTPWebDAO.FindWebConfigWithServerId(ctx, serverId)
if err != nil {
return 0, err
}
if webConfig == nil {
return 0, nil
}
if webConfig.FirewallPolicy == nil || webConfig.FirewallPolicy.Inbound == nil || webConfig.FirewallPolicy.Inbound.AllowListRef == nil {
return 0, nil
}
return webConfig.FirewallPolicy.Inbound.AllowListRef.ListId, nil
}
// 查找服务的禁止IP列表
func (this *IPListDAO) FindDenyIPListIdWithServerId(ctx context.Context, serverId int64) (int64, error) {
webConfig, err := SharedHTTPWebDAO.FindWebConfigWithServerId(ctx, serverId)
if err != nil {
return 0, err
}
if webConfig == nil {
return 0, nil
}
if webConfig.FirewallPolicy == nil || webConfig.FirewallPolicy.Inbound == nil || webConfig.FirewallPolicy.Inbound.DenyListRef == nil {
return 0, nil
}
return webConfig.FirewallPolicy.Inbound.DenyListRef.ListId, nil
}
// 为服务创建IP名单
func (this *IPListDAO) CreateIPListForServerId(ctx context.Context, serverId int64, listType string) (int64, error) {
webConfig, err := SharedHTTPWebDAO.FindWebConfigWithServerId(ctx, serverId)
if err != nil {
return 0, err
}
if webConfig == nil {
return 0, nil
}
if webConfig.FirewallPolicy == nil || webConfig.FirewallPolicy.Id == 0 {
_, err = SharedHTTPWebDAO.InitHTTPFirewallPolicy(ctx, webConfig.Id)
if err != nil {
return 0, errors.Wrap(err)
}
webConfig, err = SharedHTTPWebDAO.FindWebConfigWithServerId(ctx, serverId)
if err != nil {
return 0, err
}
if webConfig == nil {
return 0, nil
}
if webConfig.FirewallPolicy == nil {
return 0, nil
}
}
inbound := webConfig.FirewallPolicy.Inbound
if inbound == nil {
inbound = &firewallconfigs.HTTPFirewallInboundConfig{
IsOn: true,
}
}
if listType == "white" {
if inbound.AllowListRef == nil {
inbound.AllowListRef = &ipconfigs.IPListRef{
IsOn: true,
}
}
if inbound.AllowListRef.ListId > 0 {
return inbound.AllowListRef.ListId, nil
}
} else if listType == "black" {
if inbound.DenyListRef == nil {
inbound.DenyListRef = &ipconfigs.IPListRef{
IsOn: true,
}
}
if inbound.DenyListRef.ListId > 0 {
return inbound.DenyListRef.ListId, nil
}
}
ipListResp, err := this.RPC().IPListRPC().CreateIPList(ctx, &pb.CreateIPListRequest{
Type: listType,
Name: "IP名单",
Code: listType,
TimeoutJSON: nil,
})
if err != nil {
return 0, errors.Wrap(err)
}
if listType == "white" {
inbound.AllowListRef.ListId = ipListResp.IpListId
} else if listType == "black" {
inbound.DenyListRef.ListId = ipListResp.IpListId
}
inboundJSON, err := json.Marshal(inbound)
if err != nil {
return 0, errors.Wrap(err)
}
_, err = this.RPC().HTTPFirewallPolicyRPC().UpdateHTTPFirewallInboundConfig(ctx, &pb.UpdateHTTPFirewallInboundConfigRequest{
HttpFirewallPolicyId: webConfig.FirewallPolicy.Id,
InboundJSON: inboundJSON,
})
if err != nil {
return 0, errors.Wrap(err)
}
return ipListResp.IpListId, nil
}