2020-09-20 20:12:47 +08:00
package models
import (
2020-10-06 21:02:15 +08:00
"encoding/json"
2024-07-27 14:15:25 +08:00
2022-03-27 12:22:47 +08:00
dbutils "github.com/TeaOSLab/EdgeAPI/internal/db/utils"
2020-10-06 21:02:15 +08:00
"github.com/TeaOSLab/EdgeAPI/internal/errors"
2021-11-11 14:16:42 +08:00
"github.com/TeaOSLab/EdgeAPI/internal/utils"
2020-10-06 21:02:15 +08:00
"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
2024-05-05 19:51:59 +08:00
"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/ipconfigs"
2020-09-20 20:12:47 +08:00
_ "github.com/go-sql-driver/mysql"
"github.com/iwind/TeaGo/Tea"
"github.com/iwind/TeaGo/dbs"
2021-08-25 11:18:37 +08:00
"github.com/iwind/TeaGo/lists"
2021-01-17 16:48:00 +08:00
"github.com/iwind/TeaGo/maps"
2020-10-06 21:02:15 +08:00
"github.com/iwind/TeaGo/types"
2020-09-20 20:12:47 +08:00
)
const (
HTTPFirewallPolicyStateEnabled = 1 // 已启用
HTTPFirewallPolicyStateDisabled = 0 // 已禁用
)
type HTTPFirewallPolicyDAO dbs . DAO
func NewHTTPFirewallPolicyDAO ( ) * HTTPFirewallPolicyDAO {
return dbs . NewDAO ( & HTTPFirewallPolicyDAO {
DAOObject : dbs . DAOObject {
DB : Tea . Env ,
Table : "edgeHTTPFirewallPolicies" ,
Model : new ( HTTPFirewallPolicy ) ,
PkName : "id" ,
} ,
} ) . ( * HTTPFirewallPolicyDAO )
}
2020-10-13 20:05:13 +08:00
var SharedHTTPFirewallPolicyDAO * HTTPFirewallPolicyDAO
func init ( ) {
dbs . OnReady ( func ( ) {
SharedHTTPFirewallPolicyDAO = NewHTTPFirewallPolicyDAO ( )
} )
}
2020-09-20 20:12:47 +08:00
2021-06-07 08:58:26 +08:00
// Init 初始化
2020-09-26 08:06:40 +08:00
func ( this * HTTPFirewallPolicyDAO ) Init ( ) {
2021-01-17 16:48:00 +08:00
_ = this . DAOObject . Init ( )
2020-09-26 08:06:40 +08:00
}
2021-06-07 08:58:26 +08:00
// EnableHTTPFirewallPolicy 启用条目
2021-01-01 23:31:30 +08:00
func ( this * HTTPFirewallPolicyDAO ) EnableHTTPFirewallPolicy ( tx * dbs . Tx , id int64 ) error {
_ , err := this . Query ( tx ) .
2020-09-20 20:12:47 +08:00
Pk ( id ) .
Set ( "state" , HTTPFirewallPolicyStateEnabled ) .
Update ( )
return err
}
2021-06-07 08:58:26 +08:00
// DisableHTTPFirewallPolicy 禁用条目
2021-02-02 16:22:47 +08:00
func ( this * HTTPFirewallPolicyDAO ) DisableHTTPFirewallPolicy ( tx * dbs . Tx , policyId int64 ) error {
2021-01-01 23:31:30 +08:00
_ , err := this . Query ( tx ) .
2021-02-02 16:22:47 +08:00
Pk ( policyId ) .
2020-09-20 20:12:47 +08:00
Set ( "state" , HTTPFirewallPolicyStateDisabled ) .
Update ( )
2021-02-02 16:22:47 +08:00
if err != nil {
return err
}
2021-11-16 17:50:52 +08:00
err = this . NotifyDisable ( tx , policyId )
if err != nil {
return err
}
2021-02-02 16:22:47 +08:00
return this . NotifyUpdate ( tx , policyId )
2020-09-20 20:12:47 +08:00
}
2021-06-07 08:58:26 +08:00
// FindEnabledHTTPFirewallPolicy 查找启用中的条目
2021-01-01 23:31:30 +08:00
func ( this * HTTPFirewallPolicyDAO ) FindEnabledHTTPFirewallPolicy ( tx * dbs . Tx , id int64 ) ( * HTTPFirewallPolicy , error ) {
result , err := this . Query ( tx ) .
2020-09-20 20:12:47 +08:00
Pk ( id ) .
Attr ( "state" , HTTPFirewallPolicyStateEnabled ) .
Find ( )
if result == nil {
return nil , err
}
return result . ( * HTTPFirewallPolicy ) , err
}
2021-06-07 08:58:26 +08:00
// FindHTTPFirewallPolicyName 根据主键查找名称
2021-01-01 23:31:30 +08:00
func ( this * HTTPFirewallPolicyDAO ) FindHTTPFirewallPolicyName ( tx * dbs . Tx , id int64 ) ( string , error ) {
return this . Query ( tx ) .
2020-09-20 20:12:47 +08:00
Pk ( id ) .
Result ( "name" ) .
FindStringCol ( "" )
}
2021-11-16 16:10:48 +08:00
// FindEnabledHTTPFirewallPolicyBasic 获取WAF策略基本信息
func ( this * HTTPFirewallPolicyDAO ) FindEnabledHTTPFirewallPolicyBasic ( tx * dbs . Tx , policyId int64 ) ( * HTTPFirewallPolicy , error ) {
result , err := this . Query ( tx ) .
Pk ( policyId ) .
Result ( "id" , "name" , "serverId" , "isOn" ) .
Attr ( "state" , HTTPFirewallPolicyStateEnabled ) .
Find ( )
if result == nil {
return nil , err
}
return result . ( * HTTPFirewallPolicy ) , err
}
2021-06-07 08:58:26 +08:00
// FindAllEnabledFirewallPolicies 查找所有可用策略
2021-01-01 23:31:30 +08:00
func ( this * HTTPFirewallPolicyDAO ) FindAllEnabledFirewallPolicies ( tx * dbs . Tx ) ( result [ ] * HTTPFirewallPolicy , err error ) {
_ , err = this . Query ( tx ) .
2020-09-20 20:12:47 +08:00
State ( HTTPFirewallPolicyStateEnabled ) .
DescPk ( ) .
Slice ( & result ) .
FindAll ( )
return
}
2020-10-06 21:02:15 +08:00
2021-06-07 08:58:26 +08:00
// CreateFirewallPolicy 创建策略
2021-10-07 16:47:21 +08:00
func ( this * HTTPFirewallPolicyDAO ) CreateFirewallPolicy ( tx * dbs . Tx , userId int64 , serverGroupId int64 , serverId int64 , isOn bool , name string , description string , inboundJSON [ ] byte , outboundJSON [ ] byte ) ( int64 , error ) {
2022-05-21 18:58:03 +08:00
var op = NewHTTPFirewallPolicyOperator ( )
2021-01-03 20:18:07 +08:00
op . UserId = userId
2021-10-07 16:47:21 +08:00
op . GroupId = serverGroupId
2021-01-20 14:19:29 +08:00
op . ServerId = serverId
2020-10-06 21:02:15 +08:00
op . State = HTTPFirewallPolicyStateEnabled
op . IsOn = isOn
op . Name = name
op . Description = description
if len ( inboundJSON ) > 0 {
op . Inbound = inboundJSON
}
if len ( outboundJSON ) > 0 {
op . Outbound = outboundJSON
}
2022-01-10 19:54:37 +08:00
2023-06-06 15:03:18 +08:00
if userId <= 0 && serverGroupId <= 0 && serverId <= 0 {
2022-05-21 18:58:03 +08:00
// synFlood
2024-04-07 14:21:01 +08:00
var synFloodConfig = firewallconfigs . NewSYNFloodConfig ( )
2022-05-21 18:58:03 +08:00
synFloodJSON , err := json . Marshal ( synFloodConfig )
2022-01-10 19:54:37 +08:00
if err != nil {
return 0 , err
}
op . SynFlood = synFloodJSON
2022-05-21 18:58:03 +08:00
// block options
2024-04-07 14:21:01 +08:00
var blockOptions = firewallconfigs . NewHTTPFirewallBlockAction ( )
2022-05-21 18:58:03 +08:00
blockOptionsJSON , err := json . Marshal ( blockOptions )
if err != nil {
return 0 , err
}
op . BlockOptions = blockOptionsJSON
2024-01-20 16:19:11 +08:00
// page options
2024-04-07 14:21:01 +08:00
var pageOptions = firewallconfigs . NewHTTPFirewallPageAction ( )
2024-01-20 16:19:11 +08:00
pageOptionsJSON , err := json . Marshal ( pageOptions )
if err != nil {
return 0 , err
}
op . PageOptions = pageOptionsJSON
2022-05-21 18:58:03 +08:00
// captcha options
2024-04-07 14:21:01 +08:00
var captchaOptions = firewallconfigs . NewHTTPFirewallCaptchaAction ( )
2022-05-21 18:58:03 +08:00
captchaOptionsJSON , err := json . Marshal ( captchaOptions )
if err != nil {
return 0 , err
}
op . CaptchaOptions = captchaOptionsJSON
2024-04-07 14:21:01 +08:00
// jscookie options
var jsCookieOptions = firewallconfigs . NewHTTPFirewallJavascriptCookieAction ( )
jsCookieOptionsJSON , err := json . Marshal ( jsCookieOptions )
if err != nil {
return 0 , err
}
op . JsCookieOptions = jsCookieOptionsJSON
2022-01-10 19:54:37 +08:00
}
2021-01-01 23:31:30 +08:00
err := this . Save ( tx , op )
2020-10-06 21:02:15 +08:00
return types . Int64 ( op . Id ) , err
}
2021-08-25 11:18:37 +08:00
// CreateDefaultFirewallPolicy 创建默认的WAF策略
func ( this * HTTPFirewallPolicyDAO ) CreateDefaultFirewallPolicy ( tx * dbs . Tx , name string ) ( int64 , error ) {
2021-10-07 16:47:21 +08:00
policyId , err := this . CreateFirewallPolicy ( tx , 0 , 0 , 0 , true , "\"" + name + "\"WAF策略" , "默认创建的WAF策略" , nil , nil )
2021-08-25 11:18:37 +08:00
if err != nil {
return 0 , err
}
// 初始化
var groupCodes = [ ] string { }
2023-08-02 17:15:26 +08:00
var templatePolicy = firewallconfigs . HTTPFirewallTemplate ( )
2021-08-25 11:18:37 +08:00
for _ , group := range templatePolicy . AllRuleGroups ( ) {
2023-08-02 17:15:26 +08:00
if group . IsOn {
groupCodes = append ( groupCodes , group . Code )
}
2021-08-25 11:18:37 +08:00
}
2022-05-21 18:58:03 +08:00
var inboundConfig = & firewallconfigs . HTTPFirewallInboundConfig { IsOn : true }
var outboundConfig = & firewallconfigs . HTTPFirewallOutboundConfig { IsOn : true }
2021-08-25 11:18:37 +08:00
if templatePolicy . Inbound != nil {
for _ , group := range templatePolicy . Inbound . Groups {
2023-08-02 17:15:26 +08:00
var isOn = lists . ContainsString ( groupCodes , group . Code )
2021-08-25 11:18:37 +08:00
group . IsOn = isOn
groupId , err := SharedHTTPFirewallRuleGroupDAO . CreateGroupFromConfig ( tx , group )
if err != nil {
return 0 , err
}
inboundConfig . GroupRefs = append ( inboundConfig . GroupRefs , & firewallconfigs . HTTPFirewallRuleGroupRef {
IsOn : true ,
GroupId : groupId ,
} )
}
}
if templatePolicy . Outbound != nil {
for _ , group := range templatePolicy . Outbound . Groups {
2023-08-02 17:15:26 +08:00
var isOn = lists . ContainsString ( groupCodes , group . Code )
2021-08-25 11:18:37 +08:00
group . IsOn = isOn
groupId , err := SharedHTTPFirewallRuleGroupDAO . CreateGroupFromConfig ( tx , group )
if err != nil {
return 0 , err
}
outboundConfig . GroupRefs = append ( outboundConfig . GroupRefs , & firewallconfigs . HTTPFirewallRuleGroupRef {
IsOn : true ,
GroupId : groupId ,
} )
}
}
inboundConfigJSON , err := json . Marshal ( inboundConfig )
if err != nil {
return 0 , err
}
outboundConfigJSON , err := json . Marshal ( outboundConfig )
if err != nil {
return 0 , err
}
2024-05-05 19:51:59 +08:00
err = this . UpdateFirewallPolicyInboundAndOutbound ( tx , policyId , 0 , 0 , inboundConfigJSON , outboundConfigJSON , false )
2021-08-25 11:18:37 +08:00
if err != nil {
return 0 , err
}
2022-05-21 18:58:03 +08:00
2021-08-25 11:18:37 +08:00
return policyId , nil
}
2021-06-07 08:58:26 +08:00
// UpdateFirewallPolicyInboundAndOutbound 修改策略的Inbound和Outbound
2024-05-05 19:51:59 +08:00
func ( this * HTTPFirewallPolicyDAO ) UpdateFirewallPolicyInboundAndOutbound ( tx * dbs . Tx , policyId int64 , userId int64 , serverId int64 , inboundJSON [ ] byte , outboundJSON [ ] byte , shouldNotify bool ) error {
2020-10-06 21:02:15 +08:00
if policyId <= 0 {
return errors . New ( "invalid policyId" )
}
2024-05-05 19:51:59 +08:00
// 创建默认的Inbound
var inboundConfig = & firewallconfigs . HTTPFirewallInboundConfig { IsOn : true }
if inboundJSON != nil {
err := json . Unmarshal ( inboundJSON , inboundConfig )
if err != nil {
return err
}
}
// IP名单
if inboundConfig . AllowListRef == nil {
listId , createListErr := SharedIPListDAO . CreateIPList ( tx , userId , serverId , ipconfigs . IPListTypeWhite , "白名单" , "" , nil , "" , false , false )
if createListErr != nil {
return createListErr
}
inboundConfig . AllowListRef = & ipconfigs . IPListRef {
IsOn : true ,
ListId : listId ,
}
}
if inboundConfig . DenyListRef == nil {
listId , createListErr := SharedIPListDAO . CreateIPList ( tx , userId , serverId , ipconfigs . IPListTypeBlack , "黑名单" , "" , nil , "" , false , false )
if createListErr != nil {
return createListErr
}
inboundConfig . DenyListRef = & ipconfigs . IPListRef {
IsOn : true ,
ListId : listId ,
}
}
if inboundConfig . GreyListRef == nil {
listId , createListErr := SharedIPListDAO . CreateIPList ( tx , userId , serverId , ipconfigs . IPListTypeGrey , "灰名单" , "" , nil , "" , false , false )
if createListErr != nil {
return createListErr
}
inboundConfig . GreyListRef = & ipconfigs . IPListRef {
IsOn : true ,
ListId : listId ,
}
}
var err error
inboundJSON , err = json . Marshal ( inboundConfig )
if err != nil {
return err
}
2022-07-24 09:56:27 +08:00
var op = NewHTTPFirewallPolicyOperator ( )
2020-10-06 21:02:15 +08:00
op . Id = policyId
if len ( inboundJSON ) > 0 {
op . Inbound = inboundJSON
} else {
op . Inbound = "null"
}
if len ( outboundJSON ) > 0 {
op . Outbound = outboundJSON
} else {
op . Outbound = "null"
}
2024-05-05 19:51:59 +08:00
err = this . Save ( tx , op )
2021-02-02 16:22:47 +08:00
if err != nil {
return err
}
2021-08-25 11:18:37 +08:00
if shouldNotify {
return this . NotifyUpdate ( tx , policyId )
}
return nil
2020-10-06 21:02:15 +08:00
}
2021-06-07 08:58:26 +08:00
// UpdateFirewallPolicyInbound 修改策略的Inbound
2021-01-01 23:31:30 +08:00
func ( this * HTTPFirewallPolicyDAO ) UpdateFirewallPolicyInbound ( tx * dbs . Tx , policyId int64 , inboundJSON [ ] byte ) error {
2020-11-06 11:02:53 +08:00
if policyId <= 0 {
return errors . New ( "invalid policyId" )
}
2022-07-24 09:56:27 +08:00
var op = NewHTTPFirewallPolicyOperator ( )
2020-11-06 11:02:53 +08:00
op . Id = policyId
if len ( inboundJSON ) > 0 {
op . Inbound = inboundJSON
} else {
op . Inbound = "null"
}
2021-01-01 23:31:30 +08:00
err := this . Save ( tx , op )
2021-02-02 16:22:47 +08:00
if err != nil {
return err
}
return this . NotifyUpdate ( tx , policyId )
2020-11-06 11:02:53 +08:00
}
2023-10-09 19:52:51 +08:00
// UpdateFirewallPolicyInboundRegion 修改入站封禁区域设置
func ( this * HTTPFirewallPolicyDAO ) UpdateFirewallPolicyInboundRegion ( tx * dbs . Tx , policyId int64 , regionConfig * firewallconfigs . HTTPFirewallRegionConfig ) error {
var inboundConfig = & firewallconfigs . HTTPFirewallInboundConfig { IsOn : true }
inboundJSON , err := this . Query ( tx ) .
Pk ( policyId ) .
Result ( "inbound" ) .
FindJSONCol ( )
if err != nil {
return err
}
if IsNotNull ( inboundJSON ) {
err = json . Unmarshal ( inboundJSON , inboundConfig )
if err != nil {
return err
}
}
inboundConfig . Region = regionConfig
newInboundJSON , err := json . Marshal ( inboundConfig )
if err != nil {
return err
}
return this . UpdateFirewallPolicyInbound ( tx , policyId , newInboundJSON )
}
2021-06-07 08:58:26 +08:00
// UpdateFirewallPolicy 修改策略
2022-04-21 20:00:56 +08:00
func ( this * HTTPFirewallPolicyDAO ) UpdateFirewallPolicy ( tx * dbs . Tx ,
policyId int64 ,
isOn bool ,
name string ,
description string ,
inboundJSON [ ] byte ,
outboundJSON [ ] byte ,
blockOptionsJSON [ ] byte ,
2024-01-20 16:19:11 +08:00
pageOptionsJSON [ ] byte ,
2022-05-20 22:07:23 +08:00
captchaOptionsJSON [ ] byte ,
2024-04-07 14:21:01 +08:00
jsCookieOptionsJSON [ ] byte ,
2022-04-21 20:00:56 +08:00
mode firewallconfigs . FirewallMode ,
useLocalFirewall bool ,
synFloodConfig * firewallconfigs . SYNFloodConfig ,
2023-08-02 16:59:38 +08:00
logConfig * firewallconfigs . HTTPFirewallPolicyLogConfig ,
2023-08-10 10:30:50 +08:00
maxRequestBodySize int64 ,
denyCountryHTML string ,
denyProvinceHTML string ) error {
2020-10-06 21:02:15 +08:00
if policyId <= 0 {
return errors . New ( "invalid policyId" )
}
2022-05-20 22:07:23 +08:00
var op = NewHTTPFirewallPolicyOperator ( )
2020-10-06 21:02:15 +08:00
op . Id = policyId
op . IsOn = isOn
op . Name = name
op . Description = description
2021-09-30 11:30:45 +08:00
op . Mode = mode
2020-10-06 21:02:15 +08:00
if len ( inboundJSON ) > 0 {
op . Inbound = inboundJSON
} else {
op . Inbound = "null"
}
if len ( outboundJSON ) > 0 {
op . Outbound = outboundJSON
} else {
op . Outbound = "null"
}
2022-05-20 22:07:23 +08:00
if IsNotNull ( blockOptionsJSON ) {
2020-11-22 16:54:48 +08:00
op . BlockOptions = blockOptionsJSON
}
2024-01-20 16:19:11 +08:00
if IsNotNull ( pageOptionsJSON ) {
op . PageOptions = pageOptionsJSON
}
2022-05-20 22:07:23 +08:00
if IsNotNull ( captchaOptionsJSON ) {
op . CaptchaOptions = captchaOptionsJSON
}
2024-04-07 14:21:01 +08:00
if IsNotNull ( jsCookieOptionsJSON ) {
op . JsCookieOptions = jsCookieOptionsJSON
}
2022-01-10 19:54:37 +08:00
if synFloodConfig != nil {
synFloodConfigJSON , err := json . Marshal ( synFloodConfig )
if err != nil {
return err
}
op . SynFlood = synFloodConfigJSON
} else {
op . SynFlood = "null"
}
2022-04-21 20:00:56 +08:00
if logConfig != nil {
logJSON , err := json . Marshal ( logConfig )
if err != nil {
return err
}
op . Log = logJSON
} else {
op . Log = "null"
}
2022-01-09 17:05:36 +08:00
op . UseLocalFirewall = useLocalFirewall
2023-08-02 16:59:38 +08:00
op . MaxRequestBodySize = maxRequestBodySize
2023-08-10 10:30:50 +08:00
op . DenyCountryHTML = denyCountryHTML
op . DenyProvinceHTML = denyProvinceHTML
2023-08-02 16:59:38 +08:00
2021-01-01 23:31:30 +08:00
err := this . Save ( tx , op )
2021-02-02 16:22:47 +08:00
if err != nil {
return err
}
return this . NotifyUpdate ( tx , policyId )
2020-10-06 21:02:15 +08:00
}
2021-06-07 08:58:26 +08:00
// CountAllEnabledFirewallPolicies 计算所有可用的策略数量
2022-01-11 15:46:41 +08:00
func ( this * HTTPFirewallPolicyDAO ) CountAllEnabledFirewallPolicies ( tx * dbs . Tx , clusterId int64 , keyword string ) ( int64 , error ) {
2021-06-07 08:58:26 +08:00
query := this . Query ( tx )
2022-01-11 15:46:41 +08:00
if clusterId > 0 {
query . Where ( "id IN (SELECT httpFirewallPolicyId FROM " + SharedNodeClusterDAO . Table + " WHERE id=:clusterId)" )
query . Param ( "clusterId" , clusterId )
}
2021-06-07 08:58:26 +08:00
if len ( keyword ) > 0 {
query . Where ( "(name LIKE :keyword)" ) .
2022-03-27 12:22:47 +08:00
Param ( "keyword" , dbutils . QuoteLike ( keyword ) )
2021-06-07 08:58:26 +08:00
}
return query .
2020-10-06 21:02:15 +08:00
State ( HTTPFirewallPolicyStateEnabled ) .
2021-01-05 14:11:00 +08:00
Attr ( "userId" , 0 ) .
2021-01-20 14:19:29 +08:00
Attr ( "serverId" , 0 ) .
2021-10-10 20:18:07 +08:00
Attr ( "groupId" , 0 ) .
2020-10-06 21:02:15 +08:00
Count ( )
}
2021-06-07 08:58:26 +08:00
// ListEnabledFirewallPolicies 列出单页的策略
2022-01-11 15:46:41 +08:00
func ( this * HTTPFirewallPolicyDAO ) ListEnabledFirewallPolicies ( tx * dbs . Tx , clusterId int64 , keyword string , offset int64 , size int64 ) ( result [ ] * HTTPFirewallPolicy , err error ) {
2021-06-07 08:58:26 +08:00
query := this . Query ( tx )
2022-01-11 15:46:41 +08:00
if clusterId > 0 {
query . Where ( "id IN (SELECT httpFirewallPolicyId FROM " + SharedNodeClusterDAO . Table + " WHERE id=:clusterId)" )
query . Param ( "clusterId" , clusterId )
}
2021-06-07 08:58:26 +08:00
if len ( keyword ) > 0 {
query . Where ( "(name LIKE :keyword)" ) .
2022-03-27 12:22:47 +08:00
Param ( "keyword" , dbutils . QuoteLike ( keyword ) )
2021-06-07 08:58:26 +08:00
}
_ , err = query .
2020-10-06 21:02:15 +08:00
State ( HTTPFirewallPolicyStateEnabled ) .
2021-01-05 14:11:00 +08:00
Attr ( "userId" , 0 ) .
2021-01-20 14:19:29 +08:00
Attr ( "serverId" , 0 ) .
2021-10-10 20:18:07 +08:00
Attr ( "groupId" , 0 ) .
2020-10-06 21:02:15 +08:00
Offset ( offset ) .
Limit ( size ) .
DescPk ( ) .
Slice ( & result ) .
FindAll ( )
return
}
2021-06-07 08:58:26 +08:00
// ComposeFirewallPolicy 组合策略配置
2023-08-13 10:51:52 +08:00
func ( this * HTTPFirewallPolicyDAO ) ComposeFirewallPolicy ( tx * dbs . Tx , policyId int64 , forNode bool , cacheMap * utils . CacheMap ) ( * firewallconfigs . HTTPFirewallPolicy , error ) {
2021-08-22 11:35:33 +08:00
if cacheMap == nil {
2021-11-11 14:16:42 +08:00
cacheMap = utils . NewCacheMap ( )
2021-08-22 11:35:33 +08:00
}
var cacheKey = this . Table + ":config:" + types . String ( policyId )
2021-11-11 14:16:42 +08:00
var cache , _ = cacheMap . Get ( cacheKey )
2021-08-22 11:35:33 +08:00
if cache != nil {
return cache . ( * firewallconfigs . HTTPFirewallPolicy ) , nil
}
2021-01-01 23:31:30 +08:00
policy , err := this . FindEnabledHTTPFirewallPolicy ( tx , policyId )
2020-10-06 21:02:15 +08:00
if err != nil {
return nil , err
}
if policy == nil {
return nil , nil
}
2022-04-21 09:41:04 +08:00
var config = & firewallconfigs . HTTPFirewallPolicy { }
2020-10-06 21:02:15 +08:00
config . Id = int64 ( policy . Id )
2023-12-20 15:08:05 +08:00
config . ServerId = int64 ( policy . ServerId )
2022-03-22 21:45:07 +08:00
config . IsOn = policy . IsOn
2020-10-06 21:02:15 +08:00
config . Name = policy . Name
config . Description = policy . Description
2022-01-09 17:05:36 +08:00
config . UseLocalFirewall = policy . UseLocalFirewall == 1
2023-08-02 16:59:38 +08:00
config . MaxRequestBodySize = int64 ( policy . MaxRequestBodySize )
2023-08-10 10:30:50 +08:00
config . DenyCountryHTML = policy . DenyCountryHTML
config . DenyProvinceHTML = policy . DenyProvinceHTML
2021-10-06 09:46:58 +08:00
if len ( policy . Mode ) == 0 {
policy . Mode = firewallconfigs . FirewallModeDefend
}
2021-09-30 11:30:45 +08:00
config . Mode = policy . Mode
2020-10-06 21:02:15 +08:00
// Inbound
2023-08-13 10:51:52 +08:00
var inbound = & firewallconfigs . HTTPFirewallInboundConfig { }
2020-10-06 21:02:15 +08:00
if IsNotNull ( policy . Inbound ) {
2022-03-22 19:30:30 +08:00
err = json . Unmarshal ( policy . Inbound , inbound )
2020-10-06 21:02:15 +08:00
if err != nil {
return nil , err
}
if len ( inbound . GroupRefs ) > 0 {
2023-08-13 10:51:52 +08:00
var resultGroupRefs = [ ] * firewallconfigs . HTTPFirewallRuleGroupRef { }
var resultGroups = [ ] * firewallconfigs . HTTPFirewallRuleGroup { }
2020-10-06 21:02:15 +08:00
for _ , groupRef := range inbound . GroupRefs {
2023-08-13 10:51:52 +08:00
groupConfig , err := SharedHTTPFirewallRuleGroupDAO . ComposeFirewallRuleGroup ( tx , groupRef . GroupId , forNode )
2020-10-06 21:02:15 +08:00
if err != nil {
return nil , err
}
if groupConfig != nil {
resultGroupRefs = append ( resultGroupRefs , groupRef )
resultGroups = append ( resultGroups , groupConfig )
}
}
inbound . GroupRefs = resultGroupRefs
inbound . Groups = resultGroups
}
}
2020-10-07 11:18:12 +08:00
config . Inbound = inbound
2020-10-06 21:02:15 +08:00
// Outbound
2023-08-13 10:51:52 +08:00
var outbound = & firewallconfigs . HTTPFirewallOutboundConfig { }
2020-10-06 21:02:15 +08:00
if IsNotNull ( policy . Outbound ) {
2022-03-22 19:30:30 +08:00
err = json . Unmarshal ( policy . Outbound , outbound )
2020-10-06 21:02:15 +08:00
if err != nil {
return nil , err
}
if len ( outbound . GroupRefs ) > 0 {
2023-08-13 10:51:52 +08:00
var resultGroupRefs = [ ] * firewallconfigs . HTTPFirewallRuleGroupRef { }
var resultGroups = [ ] * firewallconfigs . HTTPFirewallRuleGroup { }
2020-10-06 21:02:15 +08:00
for _ , groupRef := range outbound . GroupRefs {
2023-08-13 10:51:52 +08:00
groupConfig , err := SharedHTTPFirewallRuleGroupDAO . ComposeFirewallRuleGroup ( tx , groupRef . GroupId , forNode )
2020-10-06 21:02:15 +08:00
if err != nil {
return nil , err
}
if groupConfig != nil {
resultGroupRefs = append ( resultGroupRefs , groupRef )
resultGroups = append ( resultGroups , groupConfig )
}
}
outbound . GroupRefs = resultGroupRefs
outbound . Groups = resultGroups
}
}
2020-10-07 11:18:12 +08:00
config . Outbound = outbound
2020-10-06 21:02:15 +08:00
2020-11-22 16:54:48 +08:00
// Block动作配置
if IsNotNull ( policy . BlockOptions ) {
2024-04-07 14:21:01 +08:00
var blockAction = firewallconfigs . NewHTTPFirewallBlockAction ( )
2022-03-22 19:30:30 +08:00
err = json . Unmarshal ( policy . BlockOptions , blockAction )
2020-11-22 16:54:48 +08:00
if err != nil {
return config , err
}
config . BlockOptions = blockAction
}
2024-01-20 16:19:11 +08:00
// Page动作配置
if IsNotNull ( policy . PageOptions ) {
2024-04-07 14:21:01 +08:00
var pageAction = firewallconfigs . NewHTTPFirewallPageAction ( )
2024-01-20 16:19:11 +08:00
err = json . Unmarshal ( policy . PageOptions , pageAction )
if err != nil {
return config , err
}
config . PageOptions = pageAction
}
2022-05-20 22:07:23 +08:00
// Captcha动作配置
if IsNotNull ( policy . CaptchaOptions ) {
2024-04-07 14:21:01 +08:00
var captchaAction = firewallconfigs . NewHTTPFirewallCaptchaAction ( )
2022-05-20 22:07:23 +08:00
err = json . Unmarshal ( policy . CaptchaOptions , captchaAction )
if err != nil {
return config , err
}
config . CaptchaOptions = captchaAction
}
2024-04-07 14:21:01 +08:00
// JSCookie动作配置
if IsNotNull ( policy . JsCookieOptions ) {
var jsCookieAction = firewallconfigs . NewHTTPFirewallJavascriptCookieAction ( )
err = json . Unmarshal ( policy . JsCookieOptions , jsCookieAction )
if err != nil {
return config , err
}
config . JSCookieOptions = jsCookieAction
}
2022-01-10 19:54:37 +08:00
// syn flood
2022-03-22 19:30:30 +08:00
if IsNotNull ( policy . SynFlood ) {
2022-01-10 19:54:37 +08:00
var synFloodConfig = & firewallconfigs . SYNFloodConfig { }
2022-03-22 19:30:30 +08:00
err = json . Unmarshal ( policy . SynFlood , synFloodConfig )
2022-01-10 19:54:37 +08:00
if err != nil {
return nil , err
}
config . SYNFlood = synFloodConfig
}
2022-04-21 09:41:04 +08:00
// log
if IsNotNull ( policy . Log ) {
var logConfig = & firewallconfigs . HTTPFirewallPolicyLogConfig { }
err = json . Unmarshal ( policy . Log , logConfig )
if err != nil {
return nil , err
}
config . Log = logConfig
} else {
config . Log = firewallconfigs . DefaultHTTPFirewallPolicyLogConfig
}
2021-11-11 14:16:42 +08:00
if cacheMap != nil {
cacheMap . Put ( cacheKey , config )
}
2021-08-22 11:35:33 +08:00
2020-10-06 21:02:15 +08:00
return config , nil
}
2021-01-03 20:18:07 +08:00
2021-06-07 08:58:26 +08:00
// CheckUserFirewallPolicy 检查用户防火墙策略
2021-01-03 20:18:07 +08:00
func ( this * HTTPFirewallPolicyDAO ) CheckUserFirewallPolicy ( tx * dbs . Tx , userId int64 , firewallPolicyId int64 ) error {
ok , err := this . Query ( tx ) .
Pk ( firewallPolicyId ) .
Attr ( "userId" , userId ) .
Exist ( )
if err != nil {
return err
}
2021-01-18 21:28:51 +08:00
if ok {
return nil
2021-01-03 20:18:07 +08:00
}
2021-01-18 21:28:51 +08:00
2021-06-27 08:31:10 +08:00
// 检查是否为用户Server所使用
webIds , err := SharedHTTPWebDAO . FindAllWebIdsWithHTTPFirewallPolicyId ( tx , firewallPolicyId )
if err != nil {
return err
}
for _ , webId := range webIds {
err := SharedHTTPWebDAO . CheckUserWeb ( tx , userId , webId )
if err != nil {
if err != ErrNotFound {
return err
}
} else {
return nil
}
}
2021-01-18 21:28:51 +08:00
return ErrNotFound
2021-01-03 20:18:07 +08:00
}
2021-01-17 16:48:00 +08:00
2021-06-07 08:58:26 +08:00
// FindEnabledFirewallPolicyIdsWithIPListId 查找包含某个IPList的所有策略
2022-06-15 19:22:33 +08:00
// TODO 改成通过 serverId 查询
2021-01-17 16:48:00 +08:00
func ( this * HTTPFirewallPolicyDAO ) FindEnabledFirewallPolicyIdsWithIPListId ( tx * dbs . Tx , ipListId int64 ) ( [ ] int64 , error ) {
ones , err := this . Query ( tx ) .
ResultPk ( ) .
State ( HTTPFirewallPolicyStateEnabled ) .
2024-05-05 19:08:06 +08:00
Where ( "(JSON_CONTAINS(inbound, :listQuery, '$.whiteListRef') OR JSON_CONTAINS(inbound, :listQuery, '$.blackListRef') OR JSON_CONTAINS(inbound, :listQuery, '$.publicWhiteListRefs') OR JSON_CONTAINS(inbound, :listQuery, '$.publicBlackListRefs') OR JSON_CONTAINS(inbound, :listQuery, '$.publicGreyListRefs'))" ) .
2021-01-17 16:48:00 +08:00
Param ( "listQuery" , maps . Map { "isOn" : true , "listId" : ipListId } . AsJSON ( ) ) .
FindAll ( )
if err != nil {
return nil , err
}
result := [ ] int64 { }
for _ , one := range ones {
result = append ( result , int64 ( one . ( * HTTPFirewallPolicy ) . Id ) )
}
return result , nil
}
2021-11-17 19:51:00 +08:00
// FindEnabledFirewallPolicyWithIPListId 查找使用某个IPList的策略
2022-06-15 19:22:33 +08:00
// TODO 改成通过 serverId 查询
2021-11-17 19:51:00 +08:00
func ( this * HTTPFirewallPolicyDAO ) FindEnabledFirewallPolicyWithIPListId ( tx * dbs . Tx , ipListId int64 ) ( * HTTPFirewallPolicy , error ) {
one , err := this . Query ( tx ) .
State ( HTTPFirewallPolicyStateEnabled ) .
2024-05-05 19:08:06 +08:00
Where ( "(JSON_CONTAINS(inbound, :listQuery, '$.whiteListRef') OR JSON_CONTAINS(inbound, :listQuery, '$.blackListRef') OR JSON_CONTAINS(inbound, :listQuery, '$.greyListRef'))" ) .
2021-11-17 19:51:00 +08:00
Param ( "listQuery" , maps . Map { "isOn" : true , "listId" : ipListId } . AsJSON ( ) ) .
Find ( )
if err != nil || one == nil {
return nil , err
}
return one . ( * HTTPFirewallPolicy ) , err
}
2021-06-07 08:58:26 +08:00
// FindEnabledFirewallPolicyIdWithRuleGroupId 查找包含某个规则分组的策略ID
2021-01-17 16:48:00 +08:00
func ( this * HTTPFirewallPolicyDAO ) FindEnabledFirewallPolicyIdWithRuleGroupId ( tx * dbs . Tx , ruleGroupId int64 ) ( int64 , error ) {
return this . Query ( tx ) .
ResultPk ( ) .
State ( HTTPFirewallPolicyStateEnabled ) .
Where ( "(JSON_CONTAINS(inbound, :jsonQuery, '$.groupRefs') OR JSON_CONTAINS(outbound, :jsonQuery, '$.groupRefs'))" ) .
Param ( "jsonQuery" , maps . Map { "groupId" : ruleGroupId } . AsJSON ( ) ) .
FindInt64Col ( 0 )
}
2021-06-07 08:58:26 +08:00
// UpdateFirewallPolicyServerId 设置某个策略所属的服务ID
2021-01-20 14:19:29 +08:00
func ( this * HTTPFirewallPolicyDAO ) UpdateFirewallPolicyServerId ( tx * dbs . Tx , policyId int64 , serverId int64 ) error {
2021-02-02 16:22:47 +08:00
_ , err := this . Query ( tx ) .
2021-01-20 14:19:29 +08:00
Pk ( policyId ) .
Set ( "serverId" , serverId ) .
Update ( )
return err
}
2021-11-16 17:50:52 +08:00
// FindFirewallPolicyIdsWithServerId 查找服务独立关联的策略IDs
func ( this * HTTPFirewallPolicyDAO ) FindFirewallPolicyIdsWithServerId ( tx * dbs . Tx , serverId int64 ) ( [ ] int64 , error ) {
2023-06-06 15:03:18 +08:00
if serverId <= 0 {
return nil , nil
}
2021-11-16 17:50:52 +08:00
var result = [ ] int64 { }
ones , err := this . Query ( tx ) .
Attr ( "serverId" , serverId ) .
State ( HTTPFirewallPolicyStateEnabled ) .
Result ( "id" ) .
FindAll ( )
if err != nil {
return nil , err
}
for _ , one := range ones {
result = append ( result , int64 ( one . ( * HTTPFirewallPolicy ) . Id ) )
}
return result , nil
}
2023-12-20 15:08:05 +08:00
// FindServerIdWithFirewallPolicyId 根据策略查找网站ID
func ( this * HTTPFirewallPolicyDAO ) FindServerIdWithFirewallPolicyId ( tx * dbs . Tx , policyId int64 ) ( serverId int64 , err error ) {
if policyId <= 0 {
return
}
serverId , err = this . Query ( tx ) .
Pk ( policyId ) .
Result ( "serverId" ) .
FindInt64Col ( 0 )
return
}
2021-06-07 08:58:26 +08:00
// NotifyUpdate 通知更新
2021-01-17 16:48:00 +08:00
func ( this * HTTPFirewallPolicyDAO ) NotifyUpdate ( tx * dbs . Tx , policyId int64 ) error {
webIds , err := SharedHTTPWebDAO . FindAllWebIdsWithHTTPFirewallPolicyId ( tx , policyId )
if err != nil {
return err
}
for _ , webId := range webIds {
err := SharedHTTPWebDAO . NotifyUpdate ( tx , webId )
if err != nil {
return err
}
}
clusterIds , err := SharedNodeClusterDAO . FindAllEnabledNodeClusterIdsWithHTTPFirewallPolicyId ( tx , policyId )
if err != nil {
return err
}
for _ , clusterId := range clusterIds {
err := SharedNodeClusterDAO . NotifyUpdate ( tx , clusterId )
if err != nil {
return err
}
}
return nil
}
2021-11-16 17:50:52 +08:00
// NotifyDisable 通知禁用
func ( this * HTTPFirewallPolicyDAO ) NotifyDisable ( tx * dbs . Tx , policyId int64 ) error {
if policyId <= 0 {
return nil
}
// 禁用IP名单
inboundString , err := this . Query ( tx ) .
Pk ( policyId ) .
Result ( "inbound" ) .
FindStringCol ( "" )
if err != nil {
return err
}
if len ( inboundString ) > 0 {
var inboundConfig = & firewallconfigs . HTTPFirewallInboundConfig { }
err = json . Unmarshal ( [ ] byte ( inboundString ) , inboundConfig )
if err != nil {
// 不处理错误
return nil
}
if inboundConfig . AllowListRef != nil && inboundConfig . AllowListRef . ListId > 0 {
err = SharedIPListDAO . DisableIPList ( tx , inboundConfig . AllowListRef . ListId )
if err != nil {
return err
}
err = SharedIPItemDAO . DisableIPItemsWithListId ( tx , inboundConfig . AllowListRef . ListId )
if err != nil {
return err
}
}
if inboundConfig . DenyListRef != nil && inboundConfig . DenyListRef . ListId > 0 {
err = SharedIPListDAO . DisableIPList ( tx , inboundConfig . DenyListRef . ListId )
if err != nil {
return err
}
err = SharedIPItemDAO . DisableIPItemsWithListId ( tx , inboundConfig . DenyListRef . ListId )
if err != nil {
return err
}
}
if inboundConfig . GreyListRef != nil && inboundConfig . GreyListRef . ListId > 0 {
err = SharedIPListDAO . DisableIPList ( tx , inboundConfig . GreyListRef . ListId )
if err != nil {
return err
}
err = SharedIPItemDAO . DisableIPItemsWithListId ( tx , inboundConfig . GreyListRef . ListId )
if err != nil {
return err
}
}
}
return nil
}
