EdgeAPI/internal/db/models/http_firewall_policy_dao.go

package models

import (
	"encoding/json"
	"github.com/TeaOSLab/EdgeAPI/internal/errors"
	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
	_ "github.com/go-sql-driver/mysql"
	"github.com/iwind/TeaGo/Tea"
	"github.com/iwind/TeaGo/dbs"
	"github.com/iwind/TeaGo/maps"
	"github.com/iwind/TeaGo/types"
)

const (
	HTTPFirewallPolicyStateEnabled  = 1 // 已启用
	HTTPFirewallPolicyStateDisabled = 0 // 已禁用
)

type HTTPFirewallPolicyDAO dbs.DAO

func NewHTTPFirewallPolicyDAO() *HTTPFirewallPolicyDAO {
	return dbs.NewDAO(&HTTPFirewallPolicyDAO{
		DAOObject: dbs.DAOObject{
			DB:     Tea.Env,
			Table:  "edgeHTTPFirewallPolicies",
			Model:  new(HTTPFirewallPolicy),
			PkName: "id",
		},
	}).(*HTTPFirewallPolicyDAO)
}

var SharedHTTPFirewallPolicyDAO *HTTPFirewallPolicyDAO

func init() {
	dbs.OnReady(func() {
		SharedHTTPFirewallPolicyDAO = NewHTTPFirewallPolicyDAO()
	})
}

// Init 初始化
func (this *HTTPFirewallPolicyDAO) Init() {
	_ = this.DAOObject.Init()
}

// EnableHTTPFirewallPolicy 启用条目
func (this *HTTPFirewallPolicyDAO) EnableHTTPFirewallPolicy(tx *dbs.Tx, id int64) error {
	_, err := this.Query(tx).
		Pk(id).
		Set("state", HTTPFirewallPolicyStateEnabled).
		Update()
	return err
}

// DisableHTTPFirewallPolicy 禁用条目
func (this *HTTPFirewallPolicyDAO) DisableHTTPFirewallPolicy(tx *dbs.Tx, policyId int64) error {
	_, err := this.Query(tx).
		Pk(policyId).
		Set("state", HTTPFirewallPolicyStateDisabled).
		Update()
	if err != nil {
		return err
	}

	return this.NotifyUpdate(tx, policyId)
}

// FindEnabledHTTPFirewallPolicy 查找启用中的条目
func (this *HTTPFirewallPolicyDAO) FindEnabledHTTPFirewallPolicy(tx *dbs.Tx, id int64) (*HTTPFirewallPolicy, error) {
	result, err := this.Query(tx).
		Pk(id).
		Attr("state", HTTPFirewallPolicyStateEnabled).
		Find()
	if result == nil {
		return nil, err
	}
	return result.(*HTTPFirewallPolicy), err
}

// FindHTTPFirewallPolicyName 根据主键查找名称
func (this *HTTPFirewallPolicyDAO) FindHTTPFirewallPolicyName(tx *dbs.Tx, id int64) (string, error) {
	return this.Query(tx).
		Pk(id).
		Result("name").
		FindStringCol("")
}

// FindAllEnabledFirewallPolicies 查找所有可用策略
func (this *HTTPFirewallPolicyDAO) FindAllEnabledFirewallPolicies(tx *dbs.Tx) (result []*HTTPFirewallPolicy, err error) {
	_, err = this.Query(tx).
		State(HTTPFirewallPolicyStateEnabled).
		DescPk().
		Slice(&result).
		FindAll()
	return
}

// CreateFirewallPolicy 创建策略
func (this *HTTPFirewallPolicyDAO) CreateFirewallPolicy(tx *dbs.Tx, userId int64, serverId int64, isOn bool, name string, description string, inboundJSON []byte, outboundJSON []byte) (int64, error) {
	op := NewHTTPFirewallPolicyOperator()
	op.UserId = userId
	op.ServerId = serverId
	op.State = HTTPFirewallPolicyStateEnabled
	op.IsOn = isOn
	op.Name = name
	op.Description = description
	if len(inboundJSON) > 0 {
		op.Inbound = inboundJSON
	}
	if len(outboundJSON) > 0 {
		op.Outbound = outboundJSON
	}
	err := this.Save(tx, op)
	return types.Int64(op.Id), err
}

// UpdateFirewallPolicyInboundAndOutbound 修改策略的Inbound和Outbound
func (this *HTTPFirewallPolicyDAO) UpdateFirewallPolicyInboundAndOutbound(tx *dbs.Tx, policyId int64, inboundJSON []byte, outboundJSON []byte) error {
	if policyId <= 0 {
		return errors.New("invalid policyId")
	}
	op := NewHTTPFirewallPolicyOperator()
	op.Id = policyId
	if len(inboundJSON) > 0 {
		op.Inbound = inboundJSON
	} else {
		op.Inbound = "null"
	}
	if len(outboundJSON) > 0 {
		op.Outbound = outboundJSON
	} else {
		op.Outbound = "null"
	}
	err := this.Save(tx, op)
	if err != nil {
		return err
	}

	return this.NotifyUpdate(tx, policyId)
}

// UpdateFirewallPolicyInbound 修改策略的Inbound
func (this *HTTPFirewallPolicyDAO) UpdateFirewallPolicyInbound(tx *dbs.Tx, policyId int64, inboundJSON []byte) error {
	if policyId <= 0 {
		return errors.New("invalid policyId")
	}
	op := NewHTTPFirewallPolicyOperator()
	op.Id = policyId
	if len(inboundJSON) > 0 {
		op.Inbound = inboundJSON
	} else {
		op.Inbound = "null"
	}
	err := this.Save(tx, op)
	if err != nil {
		return err
	}

	return this.NotifyUpdate(tx, policyId)
}

// UpdateFirewallPolicy 修改策略
func (this *HTTPFirewallPolicyDAO) UpdateFirewallPolicy(tx *dbs.Tx, policyId int64, isOn bool, name string, description string, inboundJSON []byte, outboundJSON []byte, blockOptionsJSON []byte) error {
	if policyId <= 0 {
		return errors.New("invalid policyId")
	}
	op := NewHTTPFirewallPolicyOperator()
	op.Id = policyId
	op.IsOn = isOn
	op.Name = name
	op.Description = description
	if len(inboundJSON) > 0 {
		op.Inbound = inboundJSON
	} else {
		op.Inbound = "null"
	}
	if len(outboundJSON) > 0 {
		op.Outbound = outboundJSON
	} else {
		op.Outbound = "null"
	}
	if len(blockOptionsJSON) > 0 {
		op.BlockOptions = blockOptionsJSON
	}
	err := this.Save(tx, op)
	if err != nil {
		return err
	}

	return this.NotifyUpdate(tx, policyId)
}

// CountAllEnabledFirewallPolicies 计算所有可用的策略数量
func (this *HTTPFirewallPolicyDAO) CountAllEnabledFirewallPolicies(tx *dbs.Tx, keyword string) (int64, error) {
	query := this.Query(tx)
	if len(keyword) > 0 {
		query.Where("(name LIKE :keyword)").
			Param("keyword", "%"+keyword+"%")
	}
	return query.
		State(HTTPFirewallPolicyStateEnabled).
		Attr("userId", 0).
		Attr("serverId", 0).
		Count()
}

// ListEnabledFirewallPolicies 列出单页的策略
func (this *HTTPFirewallPolicyDAO) ListEnabledFirewallPolicies(tx *dbs.Tx, keyword string, offset int64, size int64) (result []*HTTPFirewallPolicy, err error) {
	query := this.Query(tx)
	if len(keyword) > 0 {
		query.Where("(name LIKE :keyword)").
			Param("keyword", "%"+keyword+"%")
	}
	_, err = query.
		State(HTTPFirewallPolicyStateEnabled).
		Attr("userId", 0).
		Attr("serverId", 0).
		Offset(offset).
		Limit(size).
		DescPk().
		Slice(&result).
		FindAll()
	return
}

// ComposeFirewallPolicy 组合策略配置
func (this *HTTPFirewallPolicyDAO) ComposeFirewallPolicy(tx *dbs.Tx, policyId int64) (*firewallconfigs.HTTPFirewallPolicy, error) {
	policy, err := this.FindEnabledHTTPFirewallPolicy(tx, policyId)
	if err != nil {
		return nil, err
	}
	if policy == nil {
		return nil, nil
	}

	config := &firewallconfigs.HTTPFirewallPolicy{}
	config.Id = int64(policy.Id)
	config.IsOn = policy.IsOn == 1
	config.Name = policy.Name
	config.Description = policy.Description

	// Inbound
	inbound := &firewallconfigs.HTTPFirewallInboundConfig{}
	if IsNotNull(policy.Inbound) {
		err = json.Unmarshal([]byte(policy.Inbound), inbound)
		if err != nil {
			return nil, err
		}
		if len(inbound.GroupRefs) > 0 {
			resultGroupRefs := []*firewallconfigs.HTTPFirewallRuleGroupRef{}
			resultGroups := []*firewallconfigs.HTTPFirewallRuleGroup{}

			for _, groupRef := range inbound.GroupRefs {
				groupConfig, err := SharedHTTPFirewallRuleGroupDAO.ComposeFirewallRuleGroup(tx, groupRef.GroupId)
				if err != nil {
					return nil, err
				}
				if groupConfig != nil {
					resultGroupRefs = append(resultGroupRefs, groupRef)
					resultGroups = append(resultGroups, groupConfig)
				}
			}

			inbound.GroupRefs = resultGroupRefs
			inbound.Groups = resultGroups
		}
	}
	config.Inbound = inbound

	// Outbound
	outbound := &firewallconfigs.HTTPFirewallOutboundConfig{}
	if IsNotNull(policy.Outbound) {
		err = json.Unmarshal([]byte(policy.Outbound), outbound)
		if err != nil {
			return nil, err
		}
		if len(outbound.GroupRefs) > 0 {
			resultGroupRefs := []*firewallconfigs.HTTPFirewallRuleGroupRef{}
			resultGroups := []*firewallconfigs.HTTPFirewallRuleGroup{}

			for _, groupRef := range outbound.GroupRefs {
				groupConfig, err := SharedHTTPFirewallRuleGroupDAO.ComposeFirewallRuleGroup(tx, groupRef.GroupId)
				if err != nil {
					return nil, err
				}
				if groupConfig != nil {
					resultGroupRefs = append(resultGroupRefs, groupRef)
					resultGroups = append(resultGroups, groupConfig)
				}
			}

			outbound.GroupRefs = resultGroupRefs
			outbound.Groups = resultGroups
		}
	}
	config.Outbound = outbound

	// Block动作配置
	if IsNotNull(policy.BlockOptions) {
		blockAction := &firewallconfigs.HTTPFirewallBlockAction{}
		err = json.Unmarshal([]byte(policy.BlockOptions), blockAction)
		if err != nil {
			return config, err
		}
		config.BlockOptions = blockAction
	}

	return config, nil
}

// CheckUserFirewallPolicy 检查用户防火墙策略
func (this *HTTPFirewallPolicyDAO) CheckUserFirewallPolicy(tx *dbs.Tx, userId int64, firewallPolicyId int64) error {
	ok, err := this.Query(tx).
		Pk(firewallPolicyId).
		Attr("userId", userId).
		Exist()
	if err != nil {
		return err
	}
	if ok {
		return nil
	}

	// TODO 检查是否为用户Server所使用

	return ErrNotFound
}

// FindEnabledFirewallPolicyIdsWithIPListId 查找包含某个IPList的所有策略
func (this *HTTPFirewallPolicyDAO) FindEnabledFirewallPolicyIdsWithIPListId(tx *dbs.Tx, ipListId int64) ([]int64, error) {
	ones, err := this.Query(tx).
		ResultPk().
		State(HTTPFirewallPolicyStateEnabled).
		Where("(JSON_CONTAINS(inbound, :listQuery, '$.whiteListRef') OR JSON_CONTAINS(inbound, :listQuery, '$.blackListRef') OR JSON_CONTAINS(inbound, :listQuery, '$.publicWhiteListRefs')  OR JSON_CONTAINS(inbound, :listQuery, '$.publicBlackListRefs'))").
		Param("listQuery", maps.Map{"isOn": true, "listId": ipListId}.AsJSON()).
		FindAll()
	if err != nil {
		return nil, err
	}
	result := []int64{}
	for _, one := range ones {
		result = append(result, int64(one.(*HTTPFirewallPolicy).Id))
	}
	return result, nil
}

// FindEnabledFirewallPolicyIdWithRuleGroupId 查找包含某个规则分组的策略ID
func (this *HTTPFirewallPolicyDAO) FindEnabledFirewallPolicyIdWithRuleGroupId(tx *dbs.Tx, ruleGroupId int64) (int64, error) {
	return this.Query(tx).
		ResultPk().
		State(HTTPFirewallPolicyStateEnabled).
		Where("(JSON_CONTAINS(inbound, :jsonQuery, '$.groupRefs') OR JSON_CONTAINS(outbound, :jsonQuery, '$.groupRefs'))").
		Param("jsonQuery", maps.Map{"groupId": ruleGroupId}.AsJSON()).
		FindInt64Col(0)
}

// UpdateFirewallPolicyServerId 设置某个策略所属的服务ID
func (this *HTTPFirewallPolicyDAO) UpdateFirewallPolicyServerId(tx *dbs.Tx, policyId int64, serverId int64) error {
	_, err := this.Query(tx).
		Pk(policyId).
		Set("serverId", serverId).
		Update()
	return err
}

// NotifyUpdate 通知更新
func (this *HTTPFirewallPolicyDAO) NotifyUpdate(tx *dbs.Tx, policyId int64) error {
	webIds, err := SharedHTTPWebDAO.FindAllWebIdsWithHTTPFirewallPolicyId(tx, policyId)
	if err != nil {
		return err
	}
	for _, webId := range webIds {
		err := SharedHTTPWebDAO.NotifyUpdate(tx, webId)
		if err != nil {
			return err
		}
	}

	clusterIds, err := SharedNodeClusterDAO.FindAllEnabledNodeClusterIdsWithHTTPFirewallPolicyId(tx, policyId)
	if err != nil {
		return err
	}
	for _, clusterId := range clusterIds {
		err := SharedNodeClusterDAO.NotifyUpdate(tx, clusterId)
		if err != nil {
			return err
		}
	}

	return nil
}
实现防火墙配置 2020-09-20 20:12:47 +08:00			`package models`

			`import (`
实现WAF策略部分功能 2020-10-06 21:02:15 +08:00			`"encoding/json"`
			`"github.com/TeaOSLab/EdgeAPI/internal/errors"`
			`"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"`
实现防火墙配置 2020-09-20 20:12:47 +08:00			`_ "github.com/go-sql-driver/mysql"`
			`"github.com/iwind/TeaGo/Tea"`
			`"github.com/iwind/TeaGo/dbs"`
增加节点同步状态提示和任务列表 2021-01-17 16:48:00 +08:00			`"github.com/iwind/TeaGo/maps"`
实现WAF策略部分功能 2020-10-06 21:02:15 +08:00			`"github.com/iwind/TeaGo/types"`
实现防火墙配置 2020-09-20 20:12:47 +08:00			`)`

			`const (`
			`HTTPFirewallPolicyStateEnabled = 1 // 已启用`
			`HTTPFirewallPolicyStateDisabled = 0 // 已禁用`
			`)`

			`type HTTPFirewallPolicyDAO dbs.DAO`

			`func NewHTTPFirewallPolicyDAO() *HTTPFirewallPolicyDAO {`
			`return dbs.NewDAO(&HTTPFirewallPolicyDAO{`
			`DAOObject: dbs.DAOObject{`
			`DB: Tea.Env,`
			`Table: "edgeHTTPFirewallPolicies",`
			`Model: new(HTTPFirewallPolicy),`
			`PkName: "id",`
			`},`
			`}).(*HTTPFirewallPolicyDAO)`
			`}`

初步实现安装界面 2020-10-13 20:05:13 +08:00			`var SharedHTTPFirewallPolicyDAO *HTTPFirewallPolicyDAO`

			`func init() {`
			`dbs.OnReady(func() {`
			`SharedHTTPFirewallPolicyDAO = NewHTTPFirewallPolicyDAO()`
			`})`
			`}`
实现防火墙配置 2020-09-20 20:12:47 +08:00
WAF策略支持搜索 2021-06-07 08:58:26 +08:00			`// Init 初始化`
实现HTTP部分功能 2020-09-26 08:06:40 +08:00			`func (this *HTTPFirewallPolicyDAO) Init() {`
增加节点同步状态提示和任务列表 2021-01-17 16:48:00 +08:00			`_ = this.DAOObject.Init()`
实现HTTP部分功能 2020-09-26 08:06:40 +08:00			`}`

WAF策略支持搜索 2021-06-07 08:58:26 +08:00			`// EnableHTTPFirewallPolicy 启用条目`
所有数据库相关的操作支持事务 2021-01-01 23:31:30 +08:00			`func (this HTTPFirewallPolicyDAO) EnableHTTPFirewallPolicy(tx dbs.Tx, id int64) error {`
			`_, err := this.Query(tx).`
实现防火墙配置 2020-09-20 20:12:47 +08:00			`Pk(id).`
			`Set("state", HTTPFirewallPolicyStateEnabled).`
			`Update()`
			`return err`
			`}`

WAF策略支持搜索 2021-06-07 08:58:26 +08:00			`// DisableHTTPFirewallPolicy 禁用条目`
增加WAF更新通知 2021-02-02 16:22:47 +08:00			`func (this HTTPFirewallPolicyDAO) DisableHTTPFirewallPolicy(tx dbs.Tx, policyId int64) error {`
所有数据库相关的操作支持事务 2021-01-01 23:31:30 +08:00			`_, err := this.Query(tx).`
增加WAF更新通知 2021-02-02 16:22:47 +08:00			`Pk(policyId).`
实现防火墙配置 2020-09-20 20:12:47 +08:00			`Set("state", HTTPFirewallPolicyStateDisabled).`
			`Update()`
增加WAF更新通知 2021-02-02 16:22:47 +08:00			`if err != nil {`
			`return err`
			`}`

			`return this.NotifyUpdate(tx, policyId)`
实现防火墙配置 2020-09-20 20:12:47 +08:00			`}`

WAF策略支持搜索 2021-06-07 08:58:26 +08:00			`// FindEnabledHTTPFirewallPolicy 查找启用中的条目`
所有数据库相关的操作支持事务 2021-01-01 23:31:30 +08:00			`func (this HTTPFirewallPolicyDAO) FindEnabledHTTPFirewallPolicy(tx dbs.Tx, id int64) (*HTTPFirewallPolicy, error) {`
			`result, err := this.Query(tx).`
实现防火墙配置 2020-09-20 20:12:47 +08:00			`Pk(id).`
			`Attr("state", HTTPFirewallPolicyStateEnabled).`
			`Find()`
			`if result == nil {`
			`return nil, err`
			`}`
			`return result.(*HTTPFirewallPolicy), err`
			`}`

WAF策略支持搜索 2021-06-07 08:58:26 +08:00			`// FindHTTPFirewallPolicyName 根据主键查找名称`
所有数据库相关的操作支持事务 2021-01-01 23:31:30 +08:00			`func (this HTTPFirewallPolicyDAO) FindHTTPFirewallPolicyName(tx dbs.Tx, id int64) (string, error) {`
			`return this.Query(tx).`
实现防火墙配置 2020-09-20 20:12:47 +08:00			`Pk(id).`
			`Result("name").`
			`FindStringCol("")`
			`}`

WAF策略支持搜索 2021-06-07 08:58:26 +08:00			`// FindAllEnabledFirewallPolicies 查找所有可用策略`
所有数据库相关的操作支持事务 2021-01-01 23:31:30 +08:00			`func (this HTTPFirewallPolicyDAO) FindAllEnabledFirewallPolicies(tx dbs.Tx) (result []*HTTPFirewallPolicy, err error) {`
			`_, err = this.Query(tx).`
实现防火墙配置 2020-09-20 20:12:47 +08:00			`State(HTTPFirewallPolicyStateEnabled).`
			`DescPk().`
			`Slice(&result).`
			`FindAll()`
			`return`
			`}`
实现WAF策略部分功能 2020-10-06 21:02:15 +08:00
WAF策略支持搜索 2021-06-07 08:58:26 +08:00			`// CreateFirewallPolicy 创建策略`
WAF记录ServerId 2021-01-20 14:19:29 +08:00			`func (this HTTPFirewallPolicyDAO) CreateFirewallPolicy(tx dbs.Tx, userId int64, serverId int64, isOn bool, name string, description string, inboundJSON []byte, outboundJSON []byte) (int64, error) {`
实现WAF策略部分功能 2020-10-06 21:02:15 +08:00			`op := NewHTTPFirewallPolicyOperator()`
用户端可以添加WAF 黑白名单 2021-01-03 20:18:07 +08:00			`op.UserId = userId`
WAF记录ServerId 2021-01-20 14:19:29 +08:00			`op.ServerId = serverId`
实现WAF策略部分功能 2020-10-06 21:02:15 +08:00			`op.State = HTTPFirewallPolicyStateEnabled`
			`op.IsOn = isOn`
			`op.Name = name`
			`op.Description = description`
			`if len(inboundJSON) > 0 {`
			`op.Inbound = inboundJSON`
			`}`
			`if len(outboundJSON) > 0 {`
			`op.Outbound = outboundJSON`
			`}`
所有数据库相关的操作支持事务 2021-01-01 23:31:30 +08:00			`err := this.Save(tx, op)`
实现WAF策略部分功能 2020-10-06 21:02:15 +08:00			`return types.Int64(op.Id), err`
			`}`

WAF策略支持搜索 2021-06-07 08:58:26 +08:00			`// UpdateFirewallPolicyInboundAndOutbound 修改策略的Inbound和Outbound`
所有数据库相关的操作支持事务 2021-01-01 23:31:30 +08:00			`func (this HTTPFirewallPolicyDAO) UpdateFirewallPolicyInboundAndOutbound(tx dbs.Tx, policyId int64, inboundJSON []byte, outboundJSON []byte) error {`
实现WAF策略部分功能 2020-10-06 21:02:15 +08:00			`if policyId <= 0 {`
			`return errors.New("invalid policyId")`
			`}`
			`op := NewHTTPFirewallPolicyOperator()`
			`op.Id = policyId`
			`if len(inboundJSON) > 0 {`
			`op.Inbound = inboundJSON`
			`} else {`
			`op.Inbound = "null"`
			`}`
			`if len(outboundJSON) > 0 {`
			`op.Outbound = outboundJSON`
			`} else {`
			`op.Outbound = "null"`
			`}`
所有数据库相关的操作支持事务 2021-01-01 23:31:30 +08:00			`err := this.Save(tx, op)`
增加WAF更新通知 2021-02-02 16:22:47 +08:00			`if err != nil {`
			`return err`
			`}`

			`return this.NotifyUpdate(tx, policyId)`
实现WAF策略部分功能 2020-10-06 21:02:15 +08:00			`}`

WAF策略支持搜索 2021-06-07 08:58:26 +08:00			`// UpdateFirewallPolicyInbound 修改策略的Inbound`
所有数据库相关的操作支持事务 2021-01-01 23:31:30 +08:00			`func (this HTTPFirewallPolicyDAO) UpdateFirewallPolicyInbound(tx dbs.Tx, policyId int64, inboundJSON []byte) error {`
增加国家/地区封禁管理 2020-11-06 11:02:53 +08:00			`if policyId <= 0 {`
			`return errors.New("invalid policyId")`
			`}`
			`op := NewHTTPFirewallPolicyOperator()`
			`op.Id = policyId`
			`if len(inboundJSON) > 0 {`
			`op.Inbound = inboundJSON`
			`} else {`
			`op.Inbound = "null"`
			`}`
所有数据库相关的操作支持事务 2021-01-01 23:31:30 +08:00			`err := this.Save(tx, op)`
增加WAF更新通知 2021-02-02 16:22:47 +08:00			`if err != nil {`
			`return err`
			`}`

			`return this.NotifyUpdate(tx, policyId)`
增加国家/地区封禁管理 2020-11-06 11:02:53 +08:00			`}`

WAF策略支持搜索 2021-06-07 08:58:26 +08:00			`// UpdateFirewallPolicy 修改策略`
所有数据库相关的操作支持事务 2021-01-01 23:31:30 +08:00			`func (this HTTPFirewallPolicyDAO) UpdateFirewallPolicy(tx dbs.Tx, policyId int64, isOn bool, name string, description string, inboundJSON []byte, outboundJSON []byte, blockOptionsJSON []byte) error {`
实现WAF策略部分功能 2020-10-06 21:02:15 +08:00			`if policyId <= 0 {`
			`return errors.New("invalid policyId")`
			`}`
			`op := NewHTTPFirewallPolicyOperator()`
			`op.Id = policyId`
			`op.IsOn = isOn`
			`op.Name = name`
			`op.Description = description`
			`if len(inboundJSON) > 0 {`
			`op.Inbound = inboundJSON`
			`} else {`
			`op.Inbound = "null"`
			`}`
			`if len(outboundJSON) > 0 {`
			`op.Outbound = outboundJSON`
			`} else {`
			`op.Outbound = "null"`
			`}`
[waf]可以配置阻止动作的状态码和提示内容 2020-11-22 16:54:48 +08:00			`if len(blockOptionsJSON) > 0 {`
			`op.BlockOptions = blockOptionsJSON`
			`}`
所有数据库相关的操作支持事务 2021-01-01 23:31:30 +08:00			`err := this.Save(tx, op)`
增加WAF更新通知 2021-02-02 16:22:47 +08:00			`if err != nil {`
			`return err`
			`}`

			`return this.NotifyUpdate(tx, policyId)`
实现WAF策略部分功能 2020-10-06 21:02:15 +08:00			`}`

WAF策略支持搜索 2021-06-07 08:58:26 +08:00			`// CountAllEnabledFirewallPolicies 计算所有可用的策略数量`
			`func (this HTTPFirewallPolicyDAO) CountAllEnabledFirewallPolicies(tx dbs.Tx, keyword string) (int64, error) {`
			`query := this.Query(tx)`
			`if len(keyword) > 0 {`
			`query.Where("(name LIKE :keyword)").`
			`Param("keyword", "%"+keyword+"%")`
			`}`
			`return query.`
实现WAF策略部分功能 2020-10-06 21:02:15 +08:00			`State(HTTPFirewallPolicyStateEnabled).`
管理员查询WAF策略时隐藏用户创建的 2021-01-05 14:11:00 +08:00			`Attr("userId", 0).`
WAF记录ServerId 2021-01-20 14:19:29 +08:00			`Attr("serverId", 0).`
实现WAF策略部分功能 2020-10-06 21:02:15 +08:00			`Count()`
			`}`

WAF策略支持搜索 2021-06-07 08:58:26 +08:00			`// ListEnabledFirewallPolicies 列出单页的策略`
			`func (this HTTPFirewallPolicyDAO) ListEnabledFirewallPolicies(tx dbs.Tx, keyword string, offset int64, size int64) (result []*HTTPFirewallPolicy, err error) {`
			`query := this.Query(tx)`
			`if len(keyword) > 0 {`
			`query.Where("(name LIKE :keyword)").`
			`Param("keyword", "%"+keyword+"%")`
			`}`
			`_, err = query.`
实现WAF策略部分功能 2020-10-06 21:02:15 +08:00			`State(HTTPFirewallPolicyStateEnabled).`
管理员查询WAF策略时隐藏用户创建的 2021-01-05 14:11:00 +08:00			`Attr("userId", 0).`
WAF记录ServerId 2021-01-20 14:19:29 +08:00			`Attr("serverId", 0).`
实现WAF策略部分功能 2020-10-06 21:02:15 +08:00			`Offset(offset).`
			`Limit(size).`
			`DescPk().`
			`Slice(&result).`
			`FindAll()`
			`return`
			`}`

WAF策略支持搜索 2021-06-07 08:58:26 +08:00			`// ComposeFirewallPolicy 组合策略配置`
所有数据库相关的操作支持事务 2021-01-01 23:31:30 +08:00			`func (this HTTPFirewallPolicyDAO) ComposeFirewallPolicy(tx dbs.Tx, policyId int64) (*firewallconfigs.HTTPFirewallPolicy, error) {`
			`policy, err := this.FindEnabledHTTPFirewallPolicy(tx, policyId)`
实现WAF策略部分功能 2020-10-06 21:02:15 +08:00			`if err != nil {`
			`return nil, err`
			`}`
			`if policy == nil {`
			`return nil, nil`
			`}`

			`config := &firewallconfigs.HTTPFirewallPolicy{}`
			`config.Id = int64(policy.Id)`
			`config.IsOn = policy.IsOn == 1`
			`config.Name = policy.Name`
			`config.Description = policy.Description`

			`// Inbound`
实现WAF部分功能 2020-10-07 11:18:12 +08:00			`inbound := &firewallconfigs.HTTPFirewallInboundConfig{}`
实现WAF策略部分功能 2020-10-06 21:02:15 +08:00			`if IsNotNull(policy.Inbound) {`
			`err = json.Unmarshal([]byte(policy.Inbound), inbound)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if len(inbound.GroupRefs) > 0 {`
			`resultGroupRefs := []*firewallconfigs.HTTPFirewallRuleGroupRef{}`
			`resultGroups := []*firewallconfigs.HTTPFirewallRuleGroup{}`

			`for _, groupRef := range inbound.GroupRefs {`
所有数据库相关的操作支持事务 2021-01-01 23:31:30 +08:00			`groupConfig, err := SharedHTTPFirewallRuleGroupDAO.ComposeFirewallRuleGroup(tx, groupRef.GroupId)`
实现WAF策略部分功能 2020-10-06 21:02:15 +08:00			`if err != nil {`
			`return nil, err`
			`}`
			`if groupConfig != nil {`
			`resultGroupRefs = append(resultGroupRefs, groupRef)`
			`resultGroups = append(resultGroups, groupConfig)`
			`}`
			`}`

			`inbound.GroupRefs = resultGroupRefs`
			`inbound.Groups = resultGroups`
			`}`
			`}`
实现WAF部分功能 2020-10-07 11:18:12 +08:00			`config.Inbound = inbound`
实现WAF策略部分功能 2020-10-06 21:02:15 +08:00
			`// Outbound`
实现WAF部分功能 2020-10-07 11:18:12 +08:00			`outbound := &firewallconfigs.HTTPFirewallOutboundConfig{}`
实现WAF策略部分功能 2020-10-06 21:02:15 +08:00			`if IsNotNull(policy.Outbound) {`
			`err = json.Unmarshal([]byte(policy.Outbound), outbound)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if len(outbound.GroupRefs) > 0 {`
			`resultGroupRefs := []*firewallconfigs.HTTPFirewallRuleGroupRef{}`
			`resultGroups := []*firewallconfigs.HTTPFirewallRuleGroup{}`

			`for _, groupRef := range outbound.GroupRefs {`
所有数据库相关的操作支持事务 2021-01-01 23:31:30 +08:00			`groupConfig, err := SharedHTTPFirewallRuleGroupDAO.ComposeFirewallRuleGroup(tx, groupRef.GroupId)`
实现WAF策略部分功能 2020-10-06 21:02:15 +08:00			`if err != nil {`
			`return nil, err`
			`}`
			`if groupConfig != nil {`
			`resultGroupRefs = append(resultGroupRefs, groupRef)`
			`resultGroups = append(resultGroups, groupConfig)`
			`}`
			`}`

			`outbound.GroupRefs = resultGroupRefs`
			`outbound.Groups = resultGroups`
			`}`
			`}`
实现WAF部分功能 2020-10-07 11:18:12 +08:00			`config.Outbound = outbound`
实现WAF策略部分功能 2020-10-06 21:02:15 +08:00
[waf]可以配置阻止动作的状态码和提示内容 2020-11-22 16:54:48 +08:00			`// Block动作配置`
			`if IsNotNull(policy.BlockOptions) {`
			`blockAction := &firewallconfigs.HTTPFirewallBlockAction{}`
			`err = json.Unmarshal([]byte(policy.BlockOptions), blockAction)`
			`if err != nil {`
			`return config, err`
			`}`
			`config.BlockOptions = blockAction`
			`}`

实现WAF策略部分功能 2020-10-06 21:02:15 +08:00			`return config, nil`
			`}`
用户端可以添加WAF 黑白名单 2021-01-03 20:18:07 +08:00
WAF策略支持搜索 2021-06-07 08:58:26 +08:00			`// CheckUserFirewallPolicy 检查用户防火墙策略`
用户端可以添加WAF 黑白名单 2021-01-03 20:18:07 +08:00			`func (this HTTPFirewallPolicyDAO) CheckUserFirewallPolicy(tx dbs.Tx, userId int64, firewallPolicyId int64) error {`
			`ok, err := this.Query(tx).`
			`Pk(firewallPolicyId).`
			`Attr("userId", userId).`
			`Exist()`
			`if err != nil {`
			`return err`
			`}`
部分API对user角色开放 2021-01-18 21:28:51 +08:00			`if ok {`
			`return nil`
用户端可以添加WAF 黑白名单 2021-01-03 20:18:07 +08:00			`}`
部分API对user角色开放 2021-01-18 21:28:51 +08:00
			`// TODO 检查是否为用户Server所使用`

			`return ErrNotFound`
用户端可以添加WAF 黑白名单 2021-01-03 20:18:07 +08:00			`}`
增加节点同步状态提示和任务列表 2021-01-17 16:48:00 +08:00
WAF策略支持搜索 2021-06-07 08:58:26 +08:00			`// FindEnabledFirewallPolicyIdsWithIPListId 查找包含某个IPList的所有策略`
增加节点同步状态提示和任务列表 2021-01-17 16:48:00 +08:00			`func (this HTTPFirewallPolicyDAO) FindEnabledFirewallPolicyIdsWithIPListId(tx dbs.Tx, ipListId int64) ([]int64, error) {`
			`ones, err := this.Query(tx).`
			`ResultPk().`
			`State(HTTPFirewallPolicyStateEnabled).`
实现公用的IP名单 2021-06-23 13:12:54 +08:00			`Where("(JSON_CONTAINS(inbound, :listQuery, '$.whiteListRef') OR JSON_CONTAINS(inbound, :listQuery, '$.blackListRef') OR JSON_CONTAINS(inbound, :listQuery, '$.publicWhiteListRefs') OR JSON_CONTAINS(inbound, :listQuery, '$.publicBlackListRefs'))").`
增加节点同步状态提示和任务列表 2021-01-17 16:48:00 +08:00			`Param("listQuery", maps.Map{"isOn": true, "listId": ipListId}.AsJSON()).`
			`FindAll()`
			`if err != nil {`
			`return nil, err`
			`}`
			`result := []int64{}`
			`for _, one := range ones {`
			`result = append(result, int64(one.(*HTTPFirewallPolicy).Id))`
			`}`
			`return result, nil`
			`}`

WAF策略支持搜索 2021-06-07 08:58:26 +08:00			`// FindEnabledFirewallPolicyIdWithRuleGroupId 查找包含某个规则分组的策略ID`
增加节点同步状态提示和任务列表 2021-01-17 16:48:00 +08:00			`func (this HTTPFirewallPolicyDAO) FindEnabledFirewallPolicyIdWithRuleGroupId(tx dbs.Tx, ruleGroupId int64) (int64, error) {`
			`return this.Query(tx).`
			`ResultPk().`
			`State(HTTPFirewallPolicyStateEnabled).`
			`Where("(JSON_CONTAINS(inbound, :jsonQuery, '$.groupRefs') OR JSON_CONTAINS(outbound, :jsonQuery, '$.groupRefs'))").`
			`Param("jsonQuery", maps.Map{"groupId": ruleGroupId}.AsJSON()).`
			`FindInt64Col(0)`
			`}`

WAF策略支持搜索 2021-06-07 08:58:26 +08:00			`// UpdateFirewallPolicyServerId 设置某个策略所属的服务ID`
WAF记录ServerId 2021-01-20 14:19:29 +08:00			`func (this HTTPFirewallPolicyDAO) UpdateFirewallPolicyServerId(tx dbs.Tx, policyId int64, serverId int64) error {`
增加WAF更新通知 2021-02-02 16:22:47 +08:00			`_, err := this.Query(tx).`
WAF记录ServerId 2021-01-20 14:19:29 +08:00			`Pk(policyId).`
			`Set("serverId", serverId).`
			`Update()`
			`return err`
			`}`

WAF策略支持搜索 2021-06-07 08:58:26 +08:00			`// NotifyUpdate 通知更新`
增加节点同步状态提示和任务列表 2021-01-17 16:48:00 +08:00			`func (this HTTPFirewallPolicyDAO) NotifyUpdate(tx dbs.Tx, policyId int64) error {`
			`webIds, err := SharedHTTPWebDAO.FindAllWebIdsWithHTTPFirewallPolicyId(tx, policyId)`
			`if err != nil {`
			`return err`
			`}`
			`for _, webId := range webIds {`
			`err := SharedHTTPWebDAO.NotifyUpdate(tx, webId)`
			`if err != nil {`
			`return err`
			`}`
			`}`

			`clusterIds, err := SharedNodeClusterDAO.FindAllEnabledNodeClusterIdsWithHTTPFirewallPolicyId(tx, policyId)`
			`if err != nil {`
			`return err`
			`}`
			`for _, clusterId := range clusterIds {`
			`err := SharedNodeClusterDAO.NotifyUpdate(tx, clusterId)`
			`if err != nil {`
			`return err`
			`}`
			`}`

			`return nil`
			`}`