TRKJ/EdgeAPI
2
0
Fork 0
mirror of https://github.com/TeaOSLab/EdgeAPI.git synced 2025-11-08 03:00:26 +08:00
Code Issues Packages Projects Releases Wiki Activity

WAF策略:可以修改分组代号/导入时可以根据名称合并

Browse Source
This commit is contained in:
GoEdgeLab
2021-12-12 20:24:36 +08:00
parent 8096bf3cd5
commit 0646d474a9
5 changed files with 92 additions and 82 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
internal/db/models/http_firewall_rule_group_dao.go
View File

@@ -95,6 +95,7 @@ func (this *HTTPFirewallRuleGroupDAO) ComposeFirewallRuleGroup(tx *dbs.Tx, group
config.Name = group.Name
config.Description = group.Description
config.Code = group.Code
config.IsTemplate = group.IsTemplate == 1
if IsNotNull(group.Sets) {
setRefs := []*firewallconfigs.HTTPFirewallRuleSetRef{}
@@ -125,6 +126,7 @@ func (this *HTTPFirewallRuleGroupDAO) CreateGroupFromConfig(tx *dbs.Tx, groupCon
op.Description = groupConfig.Description
op.State = HTTPFirewallRuleGroupStateEnabled
op.Code = groupConfig.Code
op.IsTemplate = groupConfig.IsTemplate
// sets
setRefs := []*firewallconfigs.HTTPFirewallRuleSetRef{}
@@ -178,7 +180,7 @@ func (this *HTTPFirewallRuleGroupDAO) CreateGroup(tx *dbs.Tx, isOn bool, name st
}
// UpdateGroup 修改分组
func (this *HTTPFirewallRuleGroupDAO) UpdateGroup(tx *dbs.Tx, groupId int64, isOn bool, name string, description string) error {
func (this *HTTPFirewallRuleGroupDAO) UpdateGroup(tx *dbs.Tx, groupId int64, isOn bool, name string, code string, description string) error {
if groupId <= 0 {
return errors.New("invalid groupId")
}
@@ -186,6 +188,7 @@ func (this *HTTPFirewallRuleGroupDAO) UpdateGroup(tx *dbs.Tx, groupId int64, isO
op.Id = groupId
op.IsOn = isOn
op.Name = name
op.Code = code
op.Description = description
err := this.Save(tx, op)
if err != nil {

4
internal/db/models/http_firewall_rule_group_model.go
View File

@@ -1,12 +1,13 @@
package models
// 防火墙规则分组
// HTTPFirewallRuleGroup 防火墙规则分组
type HTTPFirewallRuleGroup struct {
Id uint32 `field:"id"` // ID
IsOn uint8 `field:"isOn"` // 是否启用
Name string `field:"name"` // 名称
Description string `field:"description"` // 描述
Code string `field:"code"` // 代号
IsTemplate uint8 `field:"isTemplate"` // 是否为预置模板
AdminId uint32 `field:"adminId"` // 管理员ID
UserId uint32 `field:"userId"` // 用户ID
State uint8 `field:"state"` // 状态
@@ -20,6 +21,7 @@ type HTTPFirewallRuleGroupOperator struct {
Name interface{} // 名称
Description interface{} // 描述
Code interface{} // 代号
IsTemplate interface{} // 是否为预置模板
AdminId interface{} // 管理员ID
UserId interface{} // 用户ID
State interface{} // 状态

154
internal/rpc/services/service_http_firewall_policy.go
View File

@@ -506,46 +506,20 @@ func (this *HTTPFirewallPolicyService) ImportHTTPFirewallPolicy(ctx context.Cont
// 入站分组
if newConfig.Inbound != nil {
for _, g := range newConfig.Inbound.Groups {
var oldGroup *firewallconfigs.HTTPFirewallRuleGroup
// 使用代号查找
if len(g.Code) > 0 {
// 对于有代号的,覆盖或者添加
oldGroup := oldConfig.FindRuleGroupWithCode(g.Code)
if oldGroup == nil {
// 新创建分组
groupId, err := models.SharedHTTPFirewallRuleGroupDAO.CreateGroupFromConfig(tx, g)
if err != nil {
return nil, err
}
oldConfig.Inbound.GroupRefs = append(oldConfig.Inbound.GroupRefs, &firewallconfigs.HTTPFirewallRuleGroupRef{
IsOn: true,
GroupId: groupId,
})
} else {
setRefs := []*firewallconfigs.HTTPFirewallRuleSetRef{}
for _, set := range g.Sets {
setId, err := models.SharedHTTPFirewallRuleSetDAO.CreateOrUpdateSetFromConfig(tx, set)
if err != nil {
return nil, err
}
setRefs = append(setRefs, &firewallconfigs.HTTPFirewallRuleSetRef{
IsOn: true,
SetId: setId,
})
}
setsJSON, err := json.Marshal(setRefs)
if err != nil {
return nil, err
}
err = models.SharedHTTPFirewallRuleGroupDAO.UpdateGroupIsOn(tx, oldGroup.Id, true)
if err != nil {
return nil, err
}
err = models.SharedHTTPFirewallRuleGroupDAO.UpdateGroupSets(tx, oldGroup.Id, setsJSON)
if err != nil {
return nil, err
}
}
} else {
// 没有代号的直接创建
oldGroup = oldConfig.FindRuleGroupWithCode(g.Code)
}
// 再次根据Name查找
if oldGroup == nil && len(g.Name) > 0 {
oldGroup = oldConfig.FindRuleGroupWithName(g.Name)
}
if oldGroup == nil {
// 新创建分组
groupId, err := models.SharedHTTPFirewallRuleGroupDAO.CreateGroupFromConfig(tx, g)
if err != nil {
return nil, err
@@ -554,6 +528,32 @@ func (this *HTTPFirewallPolicyService) ImportHTTPFirewallPolicy(ctx context.Cont
IsOn: true,
GroupId: groupId,
})
} else {
setRefs := []*firewallconfigs.HTTPFirewallRuleSetRef{}
for _, set := range g.Sets {
setId, err := models.SharedHTTPFirewallRuleSetDAO.CreateOrUpdateSetFromConfig(tx, set)
if err != nil {
return nil, err
}
setRefs = append(setRefs, &firewallconfigs.HTTPFirewallRuleSetRef{
IsOn: true,
SetId: setId,
})
}
setsJSON, err := json.Marshal(setRefs)
if err != nil {
return nil, err
}
err = models.SharedHTTPFirewallRuleGroupDAO.UpdateGroup(tx, oldGroup.Id, g.IsOn, g.Name, g.Code, g.Description)
if err != nil {
return nil, err
}
err = models.SharedHTTPFirewallRuleGroupDAO.UpdateGroupSets(tx, oldGroup.Id, setsJSON)
if err != nil {
return nil, err
}
}
}
}
@@ -561,46 +561,20 @@ func (this *HTTPFirewallPolicyService) ImportHTTPFirewallPolicy(ctx context.Cont
// 出站分组
if newConfig.Outbound != nil {
for _, g := range newConfig.Outbound.Groups {
var oldGroup *firewallconfigs.HTTPFirewallRuleGroup
// 使用代号查找
if len(g.Code) > 0 {
// 对于有代号的,覆盖或者添加
oldGroup := oldConfig.FindRuleGroupWithCode(g.Code)
if oldGroup == nil {
// 新创建分组
groupId, err := models.SharedHTTPFirewallRuleGroupDAO.CreateGroupFromConfig(tx, g)
if err != nil {
return nil, err
}
oldConfig.Outbound.GroupRefs = append(oldConfig.Outbound.GroupRefs, &firewallconfigs.HTTPFirewallRuleGroupRef{
IsOn: true,
GroupId: groupId,
})
} else {
setRefs := []*firewallconfigs.HTTPFirewallRuleSetRef{}
for _, set := range g.Sets {
setId, err := models.SharedHTTPFirewallRuleSetDAO.CreateOrUpdateSetFromConfig(tx, set)
if err != nil {
return nil, err
}
setRefs = append(setRefs, &firewallconfigs.HTTPFirewallRuleSetRef{
IsOn: true,
SetId: setId,
})
}
setsJSON, err := json.Marshal(setRefs)
if err != nil {
return nil, err
}
err = models.SharedHTTPFirewallRuleGroupDAO.UpdateGroupIsOn(tx, oldGroup.Id, true)
if err != nil {
return nil, err
}
err = models.SharedHTTPFirewallRuleGroupDAO.UpdateGroupSets(tx, oldGroup.Id, setsJSON)
if err != nil {
return nil, err
}
}
} else {
// 没有代号的直接创建
oldGroup = oldConfig.FindRuleGroupWithCode(g.Code)
}
// 再次根据Name查找
if oldGroup == nil && len(g.Name) > 0 {
oldGroup = oldConfig.FindRuleGroupWithName(g.Name)
}
if oldGroup == nil {
// 新创建分组
groupId, err := models.SharedHTTPFirewallRuleGroupDAO.CreateGroupFromConfig(tx, g)
if err != nil {
return nil, err
@@ -609,6 +583,30 @@ func (this *HTTPFirewallPolicyService) ImportHTTPFirewallPolicy(ctx context.Cont
IsOn: true,
GroupId: groupId,
})
} else {
setRefs := []*firewallconfigs.HTTPFirewallRuleSetRef{}
for _, set := range g.Sets {
setId, err := models.SharedHTTPFirewallRuleSetDAO.CreateOrUpdateSetFromConfig(tx, set)
if err != nil {
return nil, err
}
setRefs = append(setRefs, &firewallconfigs.HTTPFirewallRuleSetRef{
IsOn: true,
SetId: setId,
})
}
setsJSON, err := json.Marshal(setRefs)
if err != nil {
return nil, err
}
err = models.SharedHTTPFirewallRuleGroupDAO.UpdateGroup(tx, oldGroup.Id, g.IsOn, g.Name, g.Code, g.Description)
if err != nil {
return nil, err
}
err = models.SharedHTTPFirewallRuleGroupDAO.UpdateGroupSets(tx, oldGroup.Id, setsJSON)
if err != nil {
return nil, err
}
}
}
}

2
internal/rpc/services/service_http_firewall_rule_group.go
View File

@@ -75,7 +75,7 @@ func (this *HTTPFirewallRuleGroupService) UpdateHTTPFirewallRuleGroup(ctx contex
tx := this.NullTx()
err = models.SharedHTTPFirewallRuleGroupDAO.UpdateGroup(tx, req.FirewallRuleGroupId, req.IsOn, req.Name, req.Description)
err = models.SharedHTTPFirewallRuleGroupDAO.UpdateGroup(tx, req.FirewallRuleGroupId, req.IsOn, req.Name, req.Code, req.Description)
if err != nil {
return nil, err
}

9
internal/setup/sql_upgrade.go
View File

@@ -543,5 +543,12 @@ func upgradeV0_3_7(db *dbs.DB) error {
if err != nil {
return err
}
// WAF预置分组
_, err = db.Exec("UPDATE edgeHTTPFirewallRuleGroups SET isTemplate=1 WHERE LENGTH(code)>0")
if err != nil {
return err
}
return nil
}
}