优化WAF区域/省份封禁：增加仅允许、增加中国香港澳台、内地等特殊区域

pkg/serverconfigs/firewallconfigs/http_firewall_region_config.go

@@ -1,11 +1,17 @@
 package firewallconfigs
 
-import "github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/shared"
+import (
+	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/regionconfigs"
+	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/shared"
+)
 
 type HTTPFirewallRegionConfig struct {
-	IsOn            bool    `yaml:"isOn" json:"isOn"`
-	DenyCountryIds  []int64 `yaml:"denyCountryIds" json:"denyCountryIds"`   // 封禁的国家|地区
-	DenyProvinceIds []int64 `yaml:"denyProvinceIds" json:"denyProvinceIds"` // 封禁的省或自治区
+	IsOn bool `yaml:"isOn" json:"isOn"`
+
+	AllowCountryIds  []int64 `yaml:"allowCountryIds" json:"allowCountryIds"`   // 允许的国家/地区
+	DenyCountryIds   []int64 `yaml:"denyCountryIds" json:"denyCountryIds"`     // 封禁的国家/地区
+	AllowProvinceIds []int64 `yaml:"allowProvinceIds" json:"allowProvinceIds"` // 允许的省或自治区
+	DenyProvinceIds  []int64 `yaml:"denyProvinceIds" json:"denyProvinceIds"`   // 封禁的省或自治区
 
 	CountryOnlyURLPatterns   []*shared.URLPattern `yaml:"countryOnlyURLPatterns" json:"countryOnlyURLPatterns"`     // 仅限的URL
 	CountryExceptURLPatterns []*shared.URLPattern `yaml:"countryExceptURLPatterns" json:"countryExceptURLPatterns"` // 排除的URL
@@ -14,11 +20,37 @@ type HTTPFirewallRegionConfig struct {
 	ProvinceExceptURLPatterns []*shared.URLPattern `yaml:"provinceExceptURLPatterns" json:"provinceExceptURLPatterns"` // 排除的URL
 
 	isNotEmpty bool
+
+	allowCountryIdMap  map[int64]bool
+	denyCountryIdMap   map[int64]bool
+	allowProvinceIdMap map[int64]bool
+	denyProvinceIdMap  map[int64]bool
 }
 
 func (this *HTTPFirewallRegionConfig) Init() error {
-	this.isNotEmpty = len(this.DenyCountryIds) > 0 || len(this.DenyProvinceIds) > 0
+	// countries and provinces
+	this.isNotEmpty = len(this.AllowCountryIds) > 0 || len(this.AllowProvinceIds) > 0 || len(this.DenyCountryIds) > 0 || len(this.DenyProvinceIds) > 0
+	this.allowCountryIdMap = map[int64]bool{}
+	for _, countryId := range this.AllowCountryIds {
+		this.allowCountryIdMap[countryId] = true
+	}
 
+	this.denyCountryIdMap = map[int64]bool{}
+	for _, countryId := range this.DenyCountryIds {
+		this.denyCountryIdMap[countryId] = true
+	}
+
+	this.allowProvinceIdMap = map[int64]bool{}
+	for _, provinceId := range this.AllowProvinceIds {
+		this.allowProvinceIdMap[provinceId] = true
+	}
+
+	this.denyProvinceIdMap = map[int64]bool{}
+	for _, provinceId := range this.DenyProvinceIds {
+		this.denyProvinceIdMap[provinceId] = true
+	}
+
+	// url patterns
 	for _, pattern := range this.CountryExceptURLPatterns {
 		err := pattern.Init()
 		if err != nil {
@@ -54,6 +86,70 @@ func (this *HTTPFirewallRegionConfig) IsNotEmpty() bool {
 	return this.isNotEmpty
 }
 
+func (this *HTTPFirewallRegionConfig) IsAllowedCountry(countryId int64, provinceId int64) bool {
+	if len(this.allowCountryIdMap) > 0 {
+		if this.allowCountryIdMap[countryId] {
+			return true
+		}
+
+		// china sub regions
+		if countryId == regionconfigs.RegionChinaId && provinceId > 0 {
+			if this.allowCountryIdMap[regionconfigs.RegionChinaIdHK] && provinceId == regionconfigs.RegionChinaProvinceIdHK {
+				return true
+			}
+			if this.allowCountryIdMap[regionconfigs.RegionChinaIdMO] && provinceId == regionconfigs.RegionChinaProvinceIdMO {
+				return true
+			}
+			if this.allowCountryIdMap[regionconfigs.RegionChinaIdTW] && provinceId == regionconfigs.RegionChinaProvinceIdTW {
+				return true
+			}
+			if this.allowCountryIdMap[regionconfigs.RegionChinaIdMainland] && regionconfigs.CheckRegionProvinceIsInChinaMainland(provinceId) {
+				return true
+			}
+		}
+
+		return false
+	}
+	if len(this.denyCountryIdMap) > 0 {
+		if !this.denyCountryIdMap[countryId] {
+			// china sub regions
+			if countryId == regionconfigs.RegionChinaId && provinceId > 0 {
+				if this.denyCountryIdMap[regionconfigs.RegionChinaIdHK] && provinceId == regionconfigs.RegionChinaProvinceIdHK {
+					return false
+				}
+				if this.denyCountryIdMap[regionconfigs.RegionChinaIdMO] && provinceId == regionconfigs.RegionChinaProvinceIdMO {
+					return false
+				}
+				if this.denyCountryIdMap[regionconfigs.RegionChinaIdTW] && provinceId == regionconfigs.RegionChinaProvinceIdTW {
+					return false
+				}
+				if this.denyCountryIdMap[regionconfigs.RegionChinaIdMainland] && regionconfigs.CheckRegionProvinceIsInChinaMainland(provinceId) {
+					return false
+				}
+			}
+
+			return true
+		}
+
+		return false
+	}
+
+	return true
+}
+
+func (this *HTTPFirewallRegionConfig) IsAllowedProvince(countryId int64, provinceId int64) bool {
+	if countryId != regionconfigs.RegionChinaId {
+		return true
+	}
+	if len(this.allowProvinceIdMap) > 0 {
+		return this.allowProvinceIdMap[provinceId]
+	}
+	if len(this.denyProvinceIdMap) > 0 {
+		return !this.denyProvinceIdMap[provinceId]
+	}
+	return true
+}
+
 func (this *HTTPFirewallRegionConfig) MatchCountryURL(url string) bool {
 	// except
 	if len(this.CountryExceptURLPatterns) > 0 {

pkg/serverconfigs/firewallconfigs/http_firewall_region_config_test.go

@@ -0,0 +1,180 @@
+// Copyright 2023 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .
+
+package firewallconfigs_test
+
+import (
+	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
+	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/regionconfigs"
+	"github.com/iwind/TeaGo/assert"
+	"testing"
+)
+
+func TestHTTPFirewallRegionConfig_IsAllowed(t *testing.T) {
+	var a = assert.NewAssertion(t)
+
+	{
+		var config = &firewallconfigs.HTTPFirewallRegionConfig{}
+		config.AllowCountryIds = []int64{1, 2, 3}
+		config.DenyCountryIds = []int64{4, 5, 6}
+		err := config.Init()
+		if err != nil {
+			t.Fatal(err)
+		}
+		a.IsTrue(config.IsAllowedCountry(1, 1))
+		a.IsFalse(config.IsAllowedCountry(0, 0))
+		a.IsFalse(config.IsAllowedCountry(4, 0))
+	}
+
+	{
+		var config = &firewallconfigs.HTTPFirewallRegionConfig{}
+		config.AllowCountryIds = []int64{1, 2, 3}
+		config.DenyCountryIds = []int64{1, 2, 3}
+		err := config.Init()
+		if err != nil {
+			t.Fatal(err)
+		}
+		a.IsTrue(config.IsAllowedCountry(1, 1))
+		a.IsFalse(config.IsAllowedCountry(0, 0))
+		a.IsFalse(config.IsAllowedCountry(4, 0))
+	}
+
+	{
+		var config = &firewallconfigs.HTTPFirewallRegionConfig{}
+		config.AllowCountryIds = []int64{}
+		config.DenyCountryIds = []int64{1, 2, 3}
+		err := config.Init()
+		if err != nil {
+			t.Fatal(err)
+		}
+		a.IsFalse(config.IsAllowedCountry(1, 0))
+		a.IsTrue(config.IsAllowedCountry(0, 0))
+		a.IsTrue(config.IsAllowedCountry(4, 0))
+	}
+
+	{
+		var config = &firewallconfigs.HTTPFirewallRegionConfig{}
+		config.AllowProvinceIds = []int64{1, 2, 3}
+		config.DenyProvinceIds = []int64{4, 5, 6}
+		err := config.Init()
+		if err != nil {
+			t.Fatal(err)
+		}
+		a.IsTrue(config.IsAllowedProvince(1, 1))
+		a.IsFalse(config.IsAllowedProvince(1, 0))
+		a.IsFalse(config.IsAllowedProvince(1, 4))
+	}
+
+	{
+		var config = &firewallconfigs.HTTPFirewallRegionConfig{}
+		config.AllowProvinceIds = []int64{}
+		config.DenyProvinceIds = []int64{4, 5, 6}
+		err := config.Init()
+		if err != nil {
+			t.Fatal(err)
+		}
+		a.IsTrue(config.IsAllowedProvince(1, 1))
+		a.IsTrue(config.IsAllowedProvince(1, 3))
+		a.IsFalse(config.IsAllowedProvince(1, 4))
+	}
+
+	{
+		var config = &firewallconfigs.HTTPFirewallRegionConfig{}
+		config.AllowProvinceIds = []int64{}
+		config.DenyProvinceIds = []int64{}
+		err := config.Init()
+		if err != nil {
+			t.Fatal(err)
+		}
+		a.IsTrue(config.IsAllowedProvince(1, 1))
+		a.IsTrue(config.IsAllowedProvince(1, 4))
+		a.IsTrue(config.IsAllowedProvince(1, 4))
+	}
+
+	// the greater China area: Taiwan & Hongkong & Macao
+	{
+		var config = &firewallconfigs.HTTPFirewallRegionConfig{}
+		config.AllowCountryIds = []int64{
+			regionconfigs.RegionChinaIdHK,
+			regionconfigs.RegionChinaIdMO,
+			regionconfigs.RegionChinaIdTW,
+			//regionconfigs.RegionChinaIdMainland,
+		}
+		config.DenyCountryIds = []int64{}
+		err := config.Init()
+		if err != nil {
+			t.Fatal(err)
+		}
+		a.IsTrue(config.IsAllowedCountry(1, regionconfigs.RegionChinaProvinceIdHK))
+		a.IsTrue(config.IsAllowedCountry(1, regionconfigs.RegionChinaProvinceIdTW))
+		a.IsTrue(config.IsAllowedCountry(1, regionconfigs.RegionChinaProvinceIdMO))
+		a.IsFalse(config.IsAllowedCountry(1, 1))
+		a.IsFalse(config.IsAllowedCountry(1, 0))
+	}
+
+	{
+		var config = &firewallconfigs.HTTPFirewallRegionConfig{}
+		config.AllowCountryIds = []int64{
+			regionconfigs.RegionChinaIdHK,
+			regionconfigs.RegionChinaIdMainland,
+		}
+		config.DenyCountryIds = []int64{}
+		err := config.Init()
+		if err != nil {
+			t.Fatal(err)
+		}
+		a.IsTrue(config.IsAllowedCountry(1, regionconfigs.RegionChinaProvinceIdHK))
+		a.IsFalse(config.IsAllowedCountry(1, regionconfigs.RegionChinaProvinceIdTW))
+		a.IsFalse(config.IsAllowedCountry(1, regionconfigs.RegionChinaProvinceIdMO))
+		a.IsTrue(config.IsAllowedCountry(1, 1))
+		a.IsFalse(config.IsAllowedCountry(1, 0))
+	}
+
+	{
+		var config = &firewallconfigs.HTTPFirewallRegionConfig{}
+		config.AllowCountryIds = []int64{}
+		config.DenyCountryIds = []int64{
+			regionconfigs.RegionChinaIdHK,
+			regionconfigs.RegionChinaIdMainland,
+		}
+		err := config.Init()
+		if err != nil {
+			t.Fatal(err)
+		}
+		a.IsFalse(config.IsAllowedCountry(1, regionconfigs.RegionChinaProvinceIdHK))
+		a.IsTrue(config.IsAllowedCountry(1, regionconfigs.RegionChinaProvinceIdTW))
+		a.IsTrue(config.IsAllowedCountry(1, regionconfigs.RegionChinaProvinceIdMO))
+		a.IsFalse(config.IsAllowedCountry(1, 1))
+		a.IsTrue(config.IsAllowedCountry(1, 0))
+	}
+}
+
+func Benchmark_HTTPFirewallRegionConfig_Map(b *testing.B) {
+	var m = map[int64]bool{}
+	const max = 50
+	for i := 0; i < max; i++ {
+		m[int64(i)] = true
+	}
+	b.ResetTimer()
+
+	for i := 0; i < b.N; i++ {
+		_ = m[int64(i%max)]
+	}
+}
+
+func Benchmark_HTTPFirewallRegionConfig_Slice(b *testing.B) {
+	var m = []int64{}
+	const max = 50
+	for i := 0; i < max; i++ {
+		m = append(m, int64(i))
+	}
+	b.ResetTimer()
+
+	for i := 0; i < b.N; i++ {
+		var l = int64(i % max)
+		for _, v := range m {
+			if v == l {
+				break
+			}
+		}
+	}
+}

pkg/serverconfigs/regionconfigs/china.go

@@ -0,0 +1,41 @@
+// Copyright 2023 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .
+
+package regionconfigs
+
+type RegionId = int64
+type RegionProvinceId = int64
+
+const (
+	RegionChinaId         RegionId = 1
+	RegionChinaIdHK       RegionId = 261
+	RegionChinaIdTW       RegionId = 262
+	RegionChinaIdMO       RegionId = 263
+	RegionChinaIdMainland RegionId = 264
+
+	RegionChinaProvinceIdHK RegionProvinceId = 32
+	RegionChinaProvinceIdTW RegionProvinceId = 34
+	RegionChinaProvinceIdMO RegionProvinceId = 33
+)
+
+func CheckRegionIsInGreaterChina(regionId RegionId) bool {
+	return regionId == RegionChinaId ||
+		regionId == RegionChinaIdHK ||
+		regionId == RegionChinaIdTW ||
+		regionId == RegionChinaIdMO ||
+		regionId == RegionChinaIdMainland
+}
+
+func FindAllGreaterChinaSubRegionIds() []RegionId {
+	return []RegionId{
+		RegionChinaIdMainland, RegionChinaIdHK, RegionChinaIdMO, RegionChinaIdTW,
+	}
+}
+
+func CheckRegionProvinceIsInChinaMainland(regionProvinceId RegionProvinceId) bool {
+	if regionProvinceId <= 0 {
+		return false
+	}
+	return regionProvinceId != RegionChinaProvinceIdHK &&
+		regionProvinceId != RegionChinaProvinceIdMO &&
+		regionProvinceId != RegionChinaProvinceIdTW
+}