EdgeNode/internal/waf/action_record_ip.go

package waf

import (
	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
	teaconst "github.com/TeaOSLab/EdgeNode/internal/const"
	"github.com/TeaOSLab/EdgeNode/internal/events"
	"github.com/TeaOSLab/EdgeNode/internal/goman"
	"github.com/TeaOSLab/EdgeNode/internal/remotelogs"
	"github.com/TeaOSLab/EdgeNode/internal/rpc"
	"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
	"github.com/iwind/TeaGo/types"
	"net/http"
	"strings"
	"time"
)

type recordIPTask struct {
	ip        string
	listId    int64
	expiredAt int64
	level     string
	serverId  int64

	sourceServerId                int64
	sourceHTTPFirewallPolicyId    int64
	sourceHTTPFirewallRuleGroupId int64
	sourceHTTPFirewallRuleSetId   int64
}

var recordIPTaskChan = make(chan *recordIPTask, 1024)

func init() {
	events.On(events.EventLoaded, func() {
		goman.New(func() {
			rpcClient, err := rpc.SharedRPC()
			if err != nil {
				remotelogs.Error("WAF_RECORD_IP_ACTION", "create rpc client failed: "+err.Error())
				return
			}

			for task := range recordIPTaskChan {
				ipType := "ipv4"
				if strings.Contains(task.ip, ":") {
					ipType = "ipv6"
				}
				_, err = rpcClient.IPItemRPC().CreateIPItem(rpcClient.Context(), &pb.CreateIPItemRequest{
					IpListId:                      task.listId,
					IpFrom:                        task.ip,
					IpTo:                          "",
					ExpiredAt:                     task.expiredAt,
					Reason:                        "触发WAF规则自动加入",
					Type:                          ipType,
					EventLevel:                    task.level,
					ServerId:                      task.serverId,
					SourceNodeId:                  teaconst.NodeId,
					SourceServerId:                task.sourceServerId,
					SourceHTTPFirewallPolicyId:    task.sourceHTTPFirewallPolicyId,
					SourceHTTPFirewallRuleGroupId: task.sourceHTTPFirewallRuleGroupId,
					SourceHTTPFirewallRuleSetId:   task.sourceHTTPFirewallRuleSetId,
				})
				if err != nil {
					remotelogs.Error("WAF_RECORD_IP_ACTION", "create ip item failed: "+err.Error())
				}
			}
		})
	})
}

type RecordIPAction struct {
	BaseAction

	Type     string `yaml:"type" json:"type"`
	IPListId int64  `yaml:"ipListId" json:"ipListId"`
	Level    string `yaml:"level" json:"level"`
	Timeout  int32  `yaml:"timeout" json:"timeout"`
	Scope    string `yaml:"scope" json:"scope"`
}

func (this *RecordIPAction) Init(waf *WAF) error {
	return nil
}

func (this *RecordIPAction) Code() string {
	return ActionRecordIP
}

func (this *RecordIPAction) IsAttack() bool {
	return this.Type == "black"
}

func (this *RecordIPAction) WillChange() bool {
	return this.Type == "black"
}

func (this *RecordIPAction) Perform(waf *WAF, group *RuleGroup, set *RuleSet, request requests.Request, writer http.ResponseWriter) (allow bool) {
	// 是否在本地白名单中
	if SharedIPWhiteList.Contains("set:"+types.String(set.Id), this.Scope, request.WAFServerId(), request.WAFRemoteIP()) {
		return true
	}

	timeout := this.Timeout
	if timeout <= 0 {
		timeout = 86400 // 1天
	}
	expiredAt := time.Now().Unix() + int64(timeout)

	if this.Type == "black" {
		writer.WriteHeader(http.StatusForbidden)

		request.WAFClose()

		// 先加入本地的黑名单
		SharedIPBlackList.Add(IPTypeAll, this.Scope, request.WAFServerId(), request.WAFRemoteIP(), expiredAt)
	} else {
		// 加入本地白名单
		SharedIPWhiteList.Add("set:"+types.String(set.Id), this.Scope, request.WAFServerId(), request.WAFRemoteIP(), expiredAt)
	}

	// 上报
	if this.IPListId > 0 {
		var serverId int64
		if this.Scope == firewallconfigs.FirewallScopeService {
			serverId = request.WAFServerId()
		}

		select {
		case recordIPTaskChan <- &recordIPTask{
			ip:                            request.WAFRemoteIP(),
			listId:                        this.IPListId,
			expiredAt:                     expiredAt,
			level:                         this.Level,
			serverId:                      serverId,
			sourceServerId:                request.WAFServerId(),
			sourceHTTPFirewallPolicyId:    waf.Id,
			sourceHTTPFirewallRuleGroupId: group.Id,
			sourceHTTPFirewallRuleSetId:   set.Id,
		}:
		default:

		}
	}

	return this.Type != "black"
}
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`package waf`

			`import (`
			`"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"`
WAF规则匹配后的IP也会上报/实现IP全局名单/将名单存储到本地数据库，提升读写速度 2021-11-17 16:16:09 +08:00			`"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"`
IP名单中IP创建时保存相关节点、服务、WAF策略信息 2021-11-16 16:11:05 +08:00			`teaconst "github.com/TeaOSLab/EdgeNode/internal/const"`
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`"github.com/TeaOSLab/EdgeNode/internal/events"`
优化系统goroutine使用，减少goroutine数量，增加goman查看goroutine数量指令 2021-12-08 15:17:45 +08:00			`"github.com/TeaOSLab/EdgeNode/internal/goman"`
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`"github.com/TeaOSLab/EdgeNode/internal/remotelogs"`
			`"github.com/TeaOSLab/EdgeNode/internal/rpc"`
			`"github.com/TeaOSLab/EdgeNode/internal/waf/requests"`
IP名单中IP创建时保存相关节点、服务、WAF策略信息 2021-11-16 16:11:05 +08:00			`"github.com/iwind/TeaGo/types"`
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`"net/http"`
			`"strings"`
			`"time"`
			`)`

			`type recordIPTask struct {`
			`ip string`
			`listId int64`
			`expiredAt int64`
			`level string`
WAF规则匹配后的IP也会上报/实现IP全局名单/将名单存储到本地数据库，提升读写速度 2021-11-17 16:16:09 +08:00			`serverId int64`
IP名单中IP创建时保存相关节点、服务、WAF策略信息 2021-11-16 16:11:05 +08:00
			`sourceServerId int64`
			`sourceHTTPFirewallPolicyId int64`
			`sourceHTTPFirewallRuleGroupId int64`
			`sourceHTTPFirewallRuleSetId int64`
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`}`

			`var recordIPTaskChan = make(chan *recordIPTask, 1024)`

			`func init() {`
			`events.On(events.EventLoaded, func() {`
优化系统goroutine使用，减少goroutine数量，增加goman查看goroutine数量指令 2021-12-08 15:17:45 +08:00			`goman.New(func() {`
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`rpcClient, err := rpc.SharedRPC()`
			`if err != nil {`
			`remotelogs.Error("WAF_RECORD_IP_ACTION", "create rpc client failed: "+err.Error())`
			`return`
			`}`

			`for task := range recordIPTaskChan {`
			`ipType := "ipv4"`
			`if strings.Contains(task.ip, ":") {`
			`ipType = "ipv6"`
			`}`
			`_, err = rpcClient.IPItemRPC().CreateIPItem(rpcClient.Context(), &pb.CreateIPItemRequest{`
IP名单中IP创建时保存相关节点、服务、WAF策略信息 2021-11-16 16:11:05 +08:00			`IpListId: task.listId,`
			`IpFrom: task.ip,`
			`IpTo: "",`
			`ExpiredAt: task.expiredAt,`
			`Reason: "触发WAF规则自动加入",`
			`Type: ipType,`
			`EventLevel: task.level,`
WAF规则匹配后的IP也会上报/实现IP全局名单/将名单存储到本地数据库，提升读写速度 2021-11-17 16:16:09 +08:00			`ServerId: task.serverId,`
IP名单中IP创建时保存相关节点、服务、WAF策略信息 2021-11-16 16:11:05 +08:00			`SourceNodeId: teaconst.NodeId,`
			`SourceServerId: task.sourceServerId,`
			`SourceHTTPFirewallPolicyId: task.sourceHTTPFirewallPolicyId,`
			`SourceHTTPFirewallRuleGroupId: task.sourceHTTPFirewallRuleGroupId,`
			`SourceHTTPFirewallRuleSetId: task.sourceHTTPFirewallRuleSetId,`
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`})`
			`if err != nil {`
			`remotelogs.Error("WAF_RECORD_IP_ACTION", "create ip item failed: "+err.Error())`
			`}`
			`}`
优化系统goroutine使用，减少goroutine数量，增加goman查看goroutine数量指令 2021-12-08 15:17:45 +08:00			`})`
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`})`
			`}`

			`type RecordIPAction struct {`
			`BaseAction`

			Type string `yaml:"type" json:"type"`
			IPListId int64 `yaml:"ipListId" json:"ipListId"`
			Level string `yaml:"level" json:"level"`
			Timeout int32 `yaml:"timeout" json:"timeout"`
WAF动作支持有效范围 2021-10-18 20:08:43 +08:00			Scope string `yaml:"scope" json:"scope"`
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`}`

			`func (this RecordIPAction) Init(waf WAF) error {`
			`return nil`
			`}`

			`func (this *RecordIPAction) Code() string {`
			`return ActionRecordIP`
			`}`

			`func (this *RecordIPAction) IsAttack() bool {`
			`return this.Type == "black"`
			`}`

			`func (this *RecordIPAction) WillChange() bool {`
			`return this.Type == "black"`
			`}`

			`func (this RecordIPAction) Perform(waf WAF, group RuleGroup, set RuleSet, request requests.Request, writer http.ResponseWriter) (allow bool) {`
			`// 是否在本地白名单中`
IP名单中IP创建时保存相关节点、服务、WAF策略信息 2021-11-16 16:11:05 +08:00			`if SharedIPWhiteList.Contains("set:"+types.String(set.Id), this.Scope, request.WAFServerId(), request.WAFRemoteIP()) {`
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`return true`
			`}`

			`timeout := this.Timeout`
			`if timeout <= 0 {`
			`timeout = 86400 // 1天`
			`}`
			`expiredAt := time.Now().Unix() + int64(timeout)`

			`if this.Type == "black" {`
WAF动作record_ip返回403/优化关闭连接方法 2021-10-12 09:06:28 +08:00			`writer.WriteHeader(http.StatusForbidden)`

			`request.WAFClose()`
WAF增加多个动作 2021-07-18 15:51:49 +08:00
WAF动作支持有效范围 2021-10-18 20:08:43 +08:00			`// 先加入本地的黑名单`
			`SharedIPBlackList.Add(IPTypeAll, this.Scope, request.WAFServerId(), request.WAFRemoteIP(), expiredAt)`
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`} else {`
			`// 加入本地白名单`
IP名单中IP创建时保存相关节点、服务、WAF策略信息 2021-11-16 16:11:05 +08:00			`SharedIPWhiteList.Add("set:"+types.String(set.Id), this.Scope, request.WAFServerId(), request.WAFRemoteIP(), expiredAt)`
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`}`

			`// 上报`
			`if this.IPListId > 0 {`
WAF规则匹配后的IP也会上报/实现IP全局名单/将名单存储到本地数据库，提升读写速度 2021-11-17 16:16:09 +08:00			`var serverId int64`
			`if this.Scope == firewallconfigs.FirewallScopeService {`
			`serverId = request.WAFServerId()`
			`}`

WAF增加多个动作 2021-07-18 15:51:49 +08:00			`select {`
			`case recordIPTaskChan <- &recordIPTask{`
IP名单中IP创建时保存相关节点、服务、WAF策略信息 2021-11-16 16:11:05 +08:00			`ip: request.WAFRemoteIP(),`
			`listId: this.IPListId,`
			`expiredAt: expiredAt,`
			`level: this.Level,`
WAF规则匹配后的IP也会上报/实现IP全局名单/将名单存储到本地数据库，提升读写速度 2021-11-17 16:16:09 +08:00			`serverId: serverId,`
IP名单中IP创建时保存相关节点、服务、WAF策略信息 2021-11-16 16:11:05 +08:00			`sourceServerId: request.WAFServerId(),`
			`sourceHTTPFirewallPolicyId: waf.Id,`
			`sourceHTTPFirewallRuleGroupId: group.Id,`
			`sourceHTTPFirewallRuleSetId: set.Id,`
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`}:`
			`default:`

			`}`
			`}`

			`return this.Type != "black"`
			`}`