实现WAF部分功能

2025-11-03 23:20:26 +08:00 · 2020-10-07 11:18:12 +08:00
parent 4b4b838c0b
commit 7066d09764
5 changed files with 132 additions and 4 deletions
--- a/internal/db/models/http_firewall_policy_dao.go
+++ b/internal/db/models/http_firewall_policy_dao.go
@@ -190,8 +190,8 @@ func (this *HTTPFirewallPolicyDAO) ComposeFirewallPolicy(policyId int64) (*firew
 	config.Description = policy.Description

 	// Inbound
+	inbound := &firewallconfigs.HTTPFirewallInboundConfig{}
 	if IsNotNull(policy.Inbound) {
-		inbound := &firewallconfigs.HTTPFirewallInboundConfig{}
 		err = json.Unmarshal([]byte(policy.Inbound), inbound)
 		if err != nil {
 			return nil, err
@@ -214,12 +214,12 @@ func (this *HTTPFirewallPolicyDAO) ComposeFirewallPolicy(policyId int64) (*firew
 			inbound.GroupRefs = resultGroupRefs
 			inbound.Groups = resultGroups
 		}
-		config.Inbound = inbound
 	}
+	config.Inbound = inbound

 	// Outbound
+	outbound := &firewallconfigs.HTTPFirewallOutboundConfig{}
 	if IsNotNull(policy.Outbound) {
-		outbound := &firewallconfigs.HTTPFirewallOutboundConfig{}
 		err = json.Unmarshal([]byte(policy.Outbound), outbound)
 		if err != nil {
 			return nil, err
@@ -242,8 +242,8 @@ func (this *HTTPFirewallPolicyDAO) ComposeFirewallPolicy(policyId int64) (*firew
 			outbound.GroupRefs = resultGroupRefs
 			outbound.Groups = resultGroups
 		}
-		config.Outbound = outbound
 	}
+	config.Outbound = outbound

 	return config, nil
 }
--- a/internal/db/models/http_firewall_rule_group_dao.go
+++ b/internal/db/models/http_firewall_rule_group_dao.go
@@ -2,6 +2,7 @@ package models

 import (
 	"encoding/json"
+	"github.com/TeaOSLab/EdgeAPI/internal/errors"
 	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
 	_ "github.com/go-sql-driver/mysql"
 	"github.com/iwind/TeaGo/Tea"
@@ -159,3 +160,31 @@ func (this *HTTPFirewallRuleGroupDAO) UpdateGroupIsOn(groupId int64, isOn bool)
 		Update()
 	return err
 }
+
+// 创建分组
+func (this *HTTPFirewallRuleGroupDAO) CreateGroup(isOn bool, name string, description string) (int64, error) {
+	op := NewHTTPFirewallRuleGroupOperator()
+	op.State = HTTPFirewallRuleStateEnabled
+	op.IsOn = isOn
+	op.Name = name
+	op.Description = description
+	_, err := this.Save(op)
+	if err != nil {
+		return 0, err
+	}
+	return types.Int64(op.Id), nil
+}
+
+// 修改分组
+func (this *HTTPFirewallRuleGroupDAO) UpdateGroup(groupId int64, isOn bool, name string, description string) error {
+	if groupId <= 0 {
+		return errors.New("invalid groupId")
+	}
+	op := NewHTTPFirewallRuleGroupOperator()
+	op.Id = groupId
+	op.IsOn = isOn
+	op.Name = name
+	op.Description = description
+	_, err := this.Save(op)
+	return err
+}
--- a/internal/nodes/api_node.go
+++ b/internal/nodes/api_node.go
@@ -161,6 +161,7 @@ func (this *APINode) listenRPC(listener net.Listener, tlsConfig *tls.Config) err
 	pb.RegisterSSLCertServiceServer(rpcServer, &services.SSLCertService{})
 	pb.RegisterSSLPolicyServiceServer(rpcServer, &services.SSLPolicyService{})
 	pb.RegisterSysSettingServiceServer(rpcServer, &services.SysSettingService{})
+	pb.RegisterHTTPFirewallRuleGroupServiceServer(rpcServer, &services.HTTPFirewallRuleGroupService{})
 	err := rpcServer.Serve(listener)
 	if err != nil {
 		return errors.New("[API]start rpc failed: " + err.Error())
--- a/internal/rpc/services/service_http_firewall_policy.go
+++ b/internal/rpc/services/service_http_firewall_policy.go
@@ -235,6 +235,22 @@ func (this *HTTPFirewallPolicyService) UpdateHTTPFirewallPolicy(ctx context.Cont
 	return rpcutils.RPCUpdateSuccess()
 }

+// 修改分组信息
+func (this *HTTPFirewallPolicyService) UpdateHTTPFirewallPolicyGroups(ctx context.Context, req *pb.UpdateHTTPFirewallPolicyGroupsRequest) (*pb.RPCUpdateSuccess, error) {
+	// 校验请求
+	_, _, err := rpcutils.ValidateRequest(ctx, rpcutils.UserTypeAdmin)
+	if err != nil {
+		return nil, err
+	}
+
+	err = models.SharedHTTPFirewallPolicyDAO.UpdateFirewallPolicyInboundAndOutbound(req.FirewallPolicyId, req.InboundJSON, req.OutboundJSON)
+	if err != nil {
+		return nil, err
+	}
+
+	return rpcutils.RPCUpdateSuccess()
+}
+
 // 计算可用的防火墙策略数量
 func (this *HTTPFirewallPolicyService) CountAllEnabledFirewallPolicies(ctx context.Context, req *pb.CountAllEnabledFirewallPoliciesRequest) (*pb.CountAllEnabledFirewallPoliciesResponse, error) {
 	// 校验请求
--- a/internal/rpc/services/service_http_firewall_rule_group.go
+++ b/internal/rpc/services/service_http_firewall_rule_group.go
@@ -0,0 +1,82 @@
+package services
+
+import (
+	"context"
+	"encoding/json"
+	"github.com/TeaOSLab/EdgeAPI/internal/db/models"
+	rpcutils "github.com/TeaOSLab/EdgeAPI/internal/rpc/utils"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
+)
+
+// WAF规则分组相关服务
+type HTTPFirewallRuleGroupService struct {
+}
+
+// 设置是否启用分组
+func (this *HTTPFirewallRuleGroupService) UpdateHTTPFirewallRuleGroupIsOn(ctx context.Context, req *pb.UpdateHTTPFirewallRuleGroupIsOnRequest) (*pb.RPCUpdateSuccess, error) {
+	// 校验请求
+	_, _, err := rpcutils.ValidateRequest(ctx, rpcutils.UserTypeAdmin)
+	if err != nil {
+		return nil, err
+	}
+
+	err = models.SharedHTTPFirewallRuleGroupDAO.UpdateGroupIsOn(req.FirewallRuleGroupId, req.IsOn)
+	if err != nil {
+		return nil, err
+	}
+
+	return rpcutils.RPCUpdateSuccess()
+}
+
+// 创建分组
+func (this *HTTPFirewallRuleGroupService) CreateHTTPFirewallRuleGroup(ctx context.Context, req *pb.CreateHTTPFirewallRuleGroupRequest) (*pb.CreateHTTPFirewallRuleGroupResponse, error) {
+	// 校验请求
+	_, _, err := rpcutils.ValidateRequest(ctx, rpcutils.UserTypeAdmin)
+	if err != nil {
+		return nil, err
+	}
+
+	groupId, err := models.SharedHTTPFirewallRuleGroupDAO.CreateGroup(req.IsOn, req.Name, req.Description)
+	if err != nil {
+		return nil, err
+	}
+	return &pb.CreateHTTPFirewallRuleGroupResponse{FirewallRuleGroupId: groupId}, nil
+}
+
+// 修改分组
+func (this *HTTPFirewallRuleGroupService) UpdateHTTPFirewallRuleGroup(ctx context.Context, req *pb.UpdateHTTPFirewallRuleGroupRequest) (*pb.RPCUpdateSuccess, error) {
+	// 校验请求
+	_, _, err := rpcutils.ValidateRequest(ctx, rpcutils.UserTypeAdmin)
+	if err != nil {
+		return nil, err
+	}
+
+	err = models.SharedHTTPFirewallRuleGroupDAO.UpdateGroup(req.FirewallRuleGroupId, req.IsOn, req.Name, req.Description)
+	if err != nil {
+		return nil, err
+	}
+
+	return rpcutils.RPCUpdateSuccess()
+}
+
+// 获取分组配置
+func (this *HTTPFirewallRuleGroupService) FindHTTPFirewallRuleGroupConfig(ctx context.Context, req *pb.FindHTTPFirewallRuleGroupConfigRequest) (*pb.FindHTTPFirewallRuleGroupConfigResponse, error) {
+	// 校验请求
+	_, _, err := rpcutils.ValidateRequest(ctx, rpcutils.UserTypeAdmin)
+	if err != nil {
+		return nil, err
+	}
+
+	groupConfig, err := models.SharedHTTPFirewallRuleGroupDAO.ComposeFirewallRuleGroup(req.FirewallRuleGroupId)
+	if err != nil {
+		return nil, err
+	}
+	if groupConfig == nil {
+		return &pb.FindHTTPFirewallRuleGroupConfigResponse{FirewallRuleGroupJSON: nil}, nil
+	}
+	groupConfigJSON, err := json.Marshal(groupConfig)
+	if err != nil {
+		return nil, err
+	}
+	return &pb.FindHTTPFirewallRuleGroupConfigResponse{FirewallRuleGroupJSON: groupConfigJSON}, nil
+}