用户端可以添加WAF 黑白名单

2025-11-03 20:40:25 +08:00 · 2021-01-03 20:18:21 +08:00
parent 3ce5ac7929
commit ecd16cba0e
8 changed files with 367 additions and 28 deletions
--- a/pkg/rpc/dao/ip_list_dao.go
+++ b/pkg/rpc/dao/ip_list_dao.go
@@ -0,0 +1,128 @@
+package dao
+
+import (
+	"context"
+	"encoding/json"
+	"github.com/TeaOSLab/EdgeCommon/pkg/errors"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
+	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
+	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/ipconfigs"
+)
+
+var SharedIPListDAO = new(IPListDAO)
+
+type IPListDAO struct {
+	BaseDAO
+}
+
+// 查找服务的允许IP列表
+func (this *IPListDAO) FindAllowIPListIdWithServerId(ctx context.Context, serverId int64) (int64, error) {
+	webConfig, err := SharedHTTPWebDAO.FindWebConfigWithServerId(ctx, serverId)
+	if err != nil {
+		return 0, err
+	}
+	if webConfig == nil {
+		return 0, nil
+	}
+	if webConfig.FirewallPolicy == nil || webConfig.FirewallPolicy.Inbound == nil || webConfig.FirewallPolicy.Inbound.AllowListRef == nil {
+		return 0, nil
+	}
+	return webConfig.FirewallPolicy.Inbound.AllowListRef.ListId, nil
+}
+
+// 查找服务的禁止IP列表
+func (this *IPListDAO) FindDenyIPListIdWithServerId(ctx context.Context, serverId int64) (int64, error) {
+	webConfig, err := SharedHTTPWebDAO.FindWebConfigWithServerId(ctx, serverId)
+	if err != nil {
+		return 0, err
+	}
+	if webConfig == nil {
+		return 0, nil
+	}
+	if webConfig.FirewallPolicy == nil || webConfig.FirewallPolicy.Inbound == nil || webConfig.FirewallPolicy.Inbound.DenyListRef == nil {
+		return 0, nil
+	}
+	return webConfig.FirewallPolicy.Inbound.DenyListRef.ListId, nil
+}
+
+// 为服务创建IP名单
+func (this *IPListDAO) CreateIPListForServerId(ctx context.Context, serverId int64, listType string) (int64, error) {
+	webConfig, err := SharedHTTPWebDAO.FindWebConfigWithServerId(ctx, serverId)
+	if err != nil {
+		return 0, err
+	}
+	if webConfig == nil {
+		return 0, nil
+	}
+	if webConfig.FirewallPolicy == nil || webConfig.FirewallPolicy.Id == 0 {
+		_, err = SharedHTTPWebDAO.InitHTTPFirewallPolicy(ctx, webConfig.Id)
+		if err != nil {
+			return 0, errors.Wrap(err)
+		}
+		webConfig, err = SharedHTTPWebDAO.FindWebConfigWithServerId(ctx, serverId)
+		if err != nil {
+			return 0, err
+		}
+		if webConfig == nil {
+			return 0, nil
+		}
+		if webConfig.FirewallPolicy == nil {
+			return 0, nil
+		}
+	}
+
+	inbound := webConfig.FirewallPolicy.Inbound
+	if inbound == nil {
+		inbound = &firewallconfigs.HTTPFirewallInboundConfig{
+			IsOn: true,
+		}
+	}
+	if listType == "white" {
+		if inbound.AllowListRef == nil {
+			inbound.AllowListRef = &ipconfigs.IPListRef{
+				IsOn: true,
+			}
+		}
+		if inbound.AllowListRef.ListId > 0 {
+			return inbound.AllowListRef.ListId, nil
+		}
+	} else if listType == "black" {
+		if inbound.DenyListRef == nil {
+			inbound.DenyListRef = &ipconfigs.IPListRef{
+				IsOn: true,
+			}
+		}
+		if inbound.DenyListRef.ListId > 0 {
+			return inbound.DenyListRef.ListId, nil
+		}
+	}
+
+	ipListResp, err := this.RPC().IPListRPC().CreateIPList(ctx, &pb.CreateIPListRequest{
+		Type:        listType,
+		Name:        "IP名单",
+		Code:        listType,
+		TimeoutJSON: nil,
+	})
+	if err != nil {
+		return 0, errors.Wrap(err)
+	}
+
+	if listType == "white" {
+		inbound.AllowListRef.ListId = ipListResp.IpListId
+	} else if listType == "black" {
+		inbound.DenyListRef.ListId = ipListResp.IpListId
+	}
+	inboundJSON, err := json.Marshal(inbound)
+	if err != nil {
+		return 0, errors.Wrap(err)
+	}
+	_, err = this.RPC().HTTPFirewallPolicyRPC().UpdateHTTPFirewallInboundConfig(ctx, &pb.UpdateHTTPFirewallInboundConfigRequest{
+		HttpFirewallPolicyId: webConfig.FirewallPolicy.Id,
+		InboundJSON:          inboundJSON,
+	})
+	if err != nil {
+		return 0, errors.Wrap(err)
+	}
+
+	return ipListResp.IpListId, nil
+}