2020-09-30 17:46:43 +08:00
|
|
|
package models
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"encoding/json"
|
2020-10-01 16:01:17 +08:00
|
|
|
"errors"
|
2021-11-11 14:16:42 +08:00
|
|
|
"github.com/TeaOSLab/EdgeAPI/internal/utils"
|
2020-09-30 17:46:43 +08:00
|
|
|
"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/sslconfigs"
|
|
|
|
|
_ "github.com/go-sql-driver/mysql"
|
|
|
|
|
"github.com/iwind/TeaGo/Tea"
|
|
|
|
|
"github.com/iwind/TeaGo/dbs"
|
2021-08-22 11:35:33 +08:00
|
|
|
"github.com/iwind/TeaGo/maps"
|
2020-10-01 16:01:17 +08:00
|
|
|
"github.com/iwind/TeaGo/types"
|
2020-09-30 17:46:43 +08:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
const (
|
|
|
|
|
SSLPolicyStateEnabled = 1 // 已启用
|
|
|
|
|
SSLPolicyStateDisabled = 0 // 已禁用
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
type SSLPolicyDAO dbs.DAO
|
|
|
|
|
|
|
|
|
|
func NewSSLPolicyDAO() *SSLPolicyDAO {
|
|
|
|
|
return dbs.NewDAO(&SSLPolicyDAO{
|
|
|
|
|
DAOObject: dbs.DAOObject{
|
|
|
|
|
DB: Tea.Env,
|
|
|
|
|
Table: "edgeSSLPolicies",
|
|
|
|
|
Model: new(SSLPolicy),
|
|
|
|
|
PkName: "id",
|
|
|
|
|
},
|
|
|
|
|
}).(*SSLPolicyDAO)
|
|
|
|
|
}
|
|
|
|
|
|
2020-10-13 20:05:13 +08:00
|
|
|
var SharedSSLPolicyDAO *SSLPolicyDAO
|
|
|
|
|
|
|
|
|
|
func init() {
|
|
|
|
|
dbs.OnReady(func() {
|
|
|
|
|
SharedSSLPolicyDAO = NewSSLPolicyDAO()
|
|
|
|
|
})
|
|
|
|
|
}
|
2020-09-30 17:46:43 +08:00
|
|
|
|
2021-08-22 11:35:33 +08:00
|
|
|
// Init 初始化
|
2020-10-01 16:01:17 +08:00
|
|
|
func (this *SSLPolicyDAO) Init() {
|
2021-01-17 16:48:00 +08:00
|
|
|
_ = this.DAOObject.Init()
|
2020-10-01 16:01:17 +08:00
|
|
|
}
|
|
|
|
|
|
2021-08-22 11:35:33 +08:00
|
|
|
// EnableSSLPolicy 启用条目
|
2021-01-01 23:31:30 +08:00
|
|
|
func (this *SSLPolicyDAO) EnableSSLPolicy(tx *dbs.Tx, id int64) error {
|
|
|
|
|
_, err := this.Query(tx).
|
2020-09-30 17:46:43 +08:00
|
|
|
Pk(id).
|
|
|
|
|
Set("state", SSLPolicyStateEnabled).
|
|
|
|
|
Update()
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2021-08-22 11:35:33 +08:00
|
|
|
// DisableSSLPolicy 禁用条目
|
2021-01-17 16:48:00 +08:00
|
|
|
func (this *SSLPolicyDAO) DisableSSLPolicy(tx *dbs.Tx, policyId int64) error {
|
2021-01-01 23:31:30 +08:00
|
|
|
_, err := this.Query(tx).
|
2021-01-17 16:48:00 +08:00
|
|
|
Pk(policyId).
|
2020-09-30 17:46:43 +08:00
|
|
|
Set("state", SSLPolicyStateDisabled).
|
|
|
|
|
Update()
|
2021-01-17 16:48:00 +08:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
return this.NotifyUpdate(tx, policyId)
|
2020-09-30 17:46:43 +08:00
|
|
|
}
|
|
|
|
|
|
2021-08-22 11:35:33 +08:00
|
|
|
// FindEnabledSSLPolicy 查找启用中的条目
|
2021-01-01 23:31:30 +08:00
|
|
|
func (this *SSLPolicyDAO) FindEnabledSSLPolicy(tx *dbs.Tx, id int64) (*SSLPolicy, error) {
|
|
|
|
|
result, err := this.Query(tx).
|
2020-09-30 17:46:43 +08:00
|
|
|
Pk(id).
|
|
|
|
|
Attr("state", SSLPolicyStateEnabled).
|
|
|
|
|
Find()
|
|
|
|
|
if result == nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
return result.(*SSLPolicy), err
|
|
|
|
|
}
|
|
|
|
|
|
2021-08-22 11:35:33 +08:00
|
|
|
// ComposePolicyConfig 组合配置
|
2021-11-11 14:16:42 +08:00
|
|
|
func (this *SSLPolicyDAO) ComposePolicyConfig(tx *dbs.Tx, policyId int64, cacheMap *utils.CacheMap) (*sslconfigs.SSLPolicy, error) {
|
2021-08-22 11:35:33 +08:00
|
|
|
if cacheMap == nil {
|
2021-11-11 14:16:42 +08:00
|
|
|
cacheMap = utils.NewCacheMap()
|
2021-08-22 11:35:33 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var cacheKey = this.Table + ":config:" + types.String(policyId)
|
2021-11-11 14:16:42 +08:00
|
|
|
var cacheConfig, _ = cacheMap.Get(cacheKey)
|
2021-08-22 11:35:33 +08:00
|
|
|
if cacheConfig != nil {
|
|
|
|
|
return cacheConfig.(*sslconfigs.SSLPolicy), nil
|
|
|
|
|
}
|
|
|
|
|
|
2021-01-01 23:31:30 +08:00
|
|
|
policy, err := this.FindEnabledSSLPolicy(tx, policyId)
|
2020-09-30 17:46:43 +08:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
if policy == nil {
|
|
|
|
|
return nil, nil
|
|
|
|
|
}
|
|
|
|
|
config := &sslconfigs.SSLPolicy{}
|
|
|
|
|
config.Id = int64(policy.Id)
|
|
|
|
|
config.IsOn = policy.IsOn == 1
|
|
|
|
|
config.ClientAuthType = int(policy.ClientAuthType)
|
|
|
|
|
config.HTTP2Enabled = policy.Http2Enabled == 1
|
|
|
|
|
config.MinVersion = policy.MinVersion
|
|
|
|
|
|
|
|
|
|
// certs
|
|
|
|
|
if IsNotNull(policy.Certs) {
|
|
|
|
|
refs := []*sslconfigs.SSLCertRef{}
|
2022-03-22 19:30:30 +08:00
|
|
|
err = json.Unmarshal(policy.Certs, &refs)
|
2020-09-30 17:46:43 +08:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
if len(refs) > 0 {
|
|
|
|
|
for _, ref := range refs {
|
2021-08-22 11:35:33 +08:00
|
|
|
certConfig, err := SharedSSLCertDAO.ComposeCertConfig(tx, ref.CertId, cacheMap)
|
2020-09-30 17:46:43 +08:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
if certConfig == nil {
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
config.CertRefs = append(config.CertRefs, ref)
|
|
|
|
|
config.Certs = append(config.Certs, certConfig)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2020-10-01 16:01:17 +08:00
|
|
|
// client CA certs
|
|
|
|
|
if IsNotNull(policy.ClientCACerts) {
|
|
|
|
|
refs := []*sslconfigs.SSLCertRef{}
|
2022-03-22 19:30:30 +08:00
|
|
|
err = json.Unmarshal(policy.ClientCACerts, &refs)
|
2020-10-01 16:01:17 +08:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
if len(refs) > 0 {
|
|
|
|
|
for _, ref := range refs {
|
2021-08-22 11:35:33 +08:00
|
|
|
certConfig, err := SharedSSLCertDAO.ComposeCertConfig(tx, ref.CertId, cacheMap)
|
2020-10-01 16:01:17 +08:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
if certConfig == nil {
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
config.ClientCARefs = append(config.ClientCARefs, ref)
|
|
|
|
|
config.ClientCACerts = append(config.ClientCACerts, certConfig)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2020-09-30 17:46:43 +08:00
|
|
|
// cipher suites
|
2020-10-01 16:01:17 +08:00
|
|
|
config.CipherSuitesIsOn = policy.CipherSuitesIsOn == 1
|
2020-09-30 17:46:43 +08:00
|
|
|
if IsNotNull(policy.CipherSuites) {
|
|
|
|
|
cipherSuites := []string{}
|
2022-03-22 19:30:30 +08:00
|
|
|
err = json.Unmarshal(policy.CipherSuites, &cipherSuites)
|
2020-09-30 17:46:43 +08:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
config.CipherSuites = cipherSuites
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// hsts
|
|
|
|
|
if IsNotNull(policy.Hsts) {
|
|
|
|
|
hstsConfig := &sslconfigs.HSTSConfig{}
|
2022-03-22 19:30:30 +08:00
|
|
|
err = json.Unmarshal(policy.Hsts, hstsConfig)
|
2020-09-30 17:46:43 +08:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
config.HSTS = hstsConfig
|
|
|
|
|
}
|
|
|
|
|
|
2022-03-10 11:54:35 +08:00
|
|
|
// ocsp
|
|
|
|
|
config.OCSPIsOn = policy.OcspIsOn == 1
|
|
|
|
|
|
2021-11-11 14:16:42 +08:00
|
|
|
if cacheMap != nil {
|
|
|
|
|
cacheMap.Put(cacheKey, config)
|
|
|
|
|
}
|
2021-08-22 11:35:33 +08:00
|
|
|
|
2020-09-30 17:46:43 +08:00
|
|
|
return config, nil
|
|
|
|
|
}
|
|
|
|
|
|
2021-08-22 11:35:33 +08:00
|
|
|
// FindAllEnabledPolicyIdsWithCertId 查询使用单个证书的所有策略ID
|
2021-01-01 23:31:30 +08:00
|
|
|
func (this *SSLPolicyDAO) FindAllEnabledPolicyIdsWithCertId(tx *dbs.Tx, certId int64) (policyIds []int64, err error) {
|
2020-09-30 17:46:43 +08:00
|
|
|
if certId <= 0 {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2021-01-01 23:31:30 +08:00
|
|
|
ones, err := this.Query(tx).
|
2020-09-30 17:46:43 +08:00
|
|
|
State(SSLPolicyStateEnabled).
|
|
|
|
|
ResultPk().
|
2021-11-05 17:56:35 +08:00
|
|
|
Where("JSON_CONTAINS(certs, :certJSON)").
|
|
|
|
|
Param("certJSON", maps.Map{"certId": certId}.AsJSON()).
|
2020-09-30 17:46:43 +08:00
|
|
|
FindAll()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
for _, one := range ones {
|
|
|
|
|
policyIds = append(policyIds, int64(one.(*SSLPolicy).Id))
|
|
|
|
|
}
|
|
|
|
|
return policyIds, nil
|
|
|
|
|
}
|
2020-10-01 16:01:17 +08:00
|
|
|
|
2021-08-22 11:35:33 +08:00
|
|
|
// CreatePolicy 创建Policy
|
2022-03-10 11:54:35 +08:00
|
|
|
func (this *SSLPolicyDAO) CreatePolicy(tx *dbs.Tx, adminId int64, userId int64, http2Enabled bool, minVersion string, certsJSON []byte, hstsJSON []byte, ocspIsOn bool, clientAuthType int32, clientCACertsJSON []byte, cipherSuitesIsOn bool, cipherSuites []string) (int64, error) {
|
2020-10-01 16:01:17 +08:00
|
|
|
op := NewSSLPolicyOperator()
|
|
|
|
|
op.State = SSLPolicyStateEnabled
|
|
|
|
|
op.IsOn = true
|
2020-12-18 21:18:53 +08:00
|
|
|
op.AdminId = adminId
|
|
|
|
|
op.UserId = userId
|
|
|
|
|
|
2020-10-01 16:01:17 +08:00
|
|
|
op.Http2Enabled = http2Enabled
|
|
|
|
|
op.MinVersion = minVersion
|
|
|
|
|
|
|
|
|
|
if len(certsJSON) > 0 {
|
|
|
|
|
op.Certs = certsJSON
|
|
|
|
|
}
|
|
|
|
|
if len(hstsJSON) > 0 {
|
|
|
|
|
op.Hsts = hstsJSON
|
|
|
|
|
}
|
|
|
|
|
|
2022-03-10 11:54:35 +08:00
|
|
|
op.OcspIsOn = ocspIsOn
|
|
|
|
|
|
2020-10-01 16:01:17 +08:00
|
|
|
op.ClientAuthType = clientAuthType
|
|
|
|
|
if len(clientCACertsJSON) > 0 {
|
|
|
|
|
op.ClientCACerts = clientCACertsJSON
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
op.CipherSuitesIsOn = cipherSuitesIsOn
|
|
|
|
|
if len(cipherSuites) > 0 {
|
|
|
|
|
cipherSuitesJSON, err := json.Marshal(cipherSuites)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return 0, err
|
|
|
|
|
}
|
|
|
|
|
op.CipherSuites = cipherSuitesJSON
|
|
|
|
|
}
|
2021-01-01 23:31:30 +08:00
|
|
|
err := this.Save(tx, op)
|
2020-10-01 16:01:17 +08:00
|
|
|
if err != nil {
|
|
|
|
|
return 0, err
|
|
|
|
|
}
|
|
|
|
|
return types.Int64(op.Id), nil
|
|
|
|
|
}
|
|
|
|
|
|
2021-08-22 11:35:33 +08:00
|
|
|
// UpdatePolicy 修改Policy
|
2022-03-10 11:54:35 +08:00
|
|
|
func (this *SSLPolicyDAO) UpdatePolicy(tx *dbs.Tx, policyId int64, http2Enabled bool, minVersion string, certsJSON []byte, hstsJSON []byte, ocspIsOn bool, clientAuthType int32, clientCACertsJSON []byte, cipherSuitesIsOn bool, cipherSuites []string) error {
|
2020-10-01 16:01:17 +08:00
|
|
|
if policyId <= 0 {
|
|
|
|
|
return errors.New("invalid policyId")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
op := NewSSLPolicyOperator()
|
|
|
|
|
op.Id = policyId
|
|
|
|
|
op.Http2Enabled = http2Enabled
|
|
|
|
|
op.MinVersion = minVersion
|
|
|
|
|
|
|
|
|
|
if len(certsJSON) > 0 {
|
|
|
|
|
op.Certs = certsJSON
|
|
|
|
|
}
|
|
|
|
|
if len(hstsJSON) > 0 {
|
|
|
|
|
op.Hsts = hstsJSON
|
|
|
|
|
}
|
|
|
|
|
|
2022-03-10 11:54:35 +08:00
|
|
|
op.OcspIsOn = ocspIsOn
|
|
|
|
|
|
2020-10-01 16:01:17 +08:00
|
|
|
op.ClientAuthType = clientAuthType
|
|
|
|
|
if len(clientCACertsJSON) > 0 {
|
|
|
|
|
op.ClientCACerts = clientCACertsJSON
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
op.CipherSuitesIsOn = cipherSuitesIsOn
|
|
|
|
|
if len(cipherSuites) > 0 {
|
|
|
|
|
cipherSuitesJSON, err := json.Marshal(cipherSuites)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
op.CipherSuites = cipherSuitesJSON
|
|
|
|
|
} else {
|
|
|
|
|
op.CipherSuites = "[]"
|
|
|
|
|
}
|
2021-01-01 23:31:30 +08:00
|
|
|
err := this.Save(tx, op)
|
2021-01-17 16:48:00 +08:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
return this.NotifyUpdate(tx, policyId)
|
2020-10-01 16:01:17 +08:00
|
|
|
}
|
2020-12-18 21:18:53 +08:00
|
|
|
|
2021-08-22 11:35:33 +08:00
|
|
|
// CheckUserPolicy 检查是否为用户所属策略
|
2022-03-10 15:59:00 +08:00
|
|
|
func (this *SSLPolicyDAO) CheckUserPolicy(tx *dbs.Tx, userId int64, policyId int64) error {
|
2020-12-18 21:18:53 +08:00
|
|
|
if policyId <= 0 || userId <= 0 {
|
2022-03-10 15:59:00 +08:00
|
|
|
return ErrNotFound
|
2020-12-18 21:18:53 +08:00
|
|
|
}
|
2021-01-01 23:31:30 +08:00
|
|
|
ok, err := this.Query(tx).
|
2020-12-18 21:18:53 +08:00
|
|
|
State(SSLPolicyStateEnabled).
|
|
|
|
|
Pk(policyId).
|
|
|
|
|
Attr("userId", userId).
|
|
|
|
|
Exist()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
if !ok {
|
2022-03-10 15:59:00 +08:00
|
|
|
// 是否为当前用户的某个服务所用
|
|
|
|
|
exists, err := SharedServerDAO.ExistEnabledUserServerWithSSLPolicyId(tx, userId, policyId)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
if !exists {
|
|
|
|
|
return ErrNotFound
|
|
|
|
|
}
|
2020-12-18 21:18:53 +08:00
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
2021-01-17 16:48:00 +08:00
|
|
|
|
2021-08-22 11:35:33 +08:00
|
|
|
// NotifyUpdate 通知更新
|
2021-01-17 16:48:00 +08:00
|
|
|
func (this *SSLPolicyDAO) NotifyUpdate(tx *dbs.Tx, policyId int64) error {
|
|
|
|
|
serverIds, err := SharedServerDAO.FindAllEnabledServerIdsWithSSLPolicyIds(tx, []int64{policyId})
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
for _, serverId := range serverIds {
|
|
|
|
|
err := SharedServerDAO.NotifyUpdate(tx, serverId)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
