EdgeNode/internal/waf/waf_manager.go

package waf

import (
	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
	"github.com/TeaOSLab/EdgeNode/internal/errors"
	"github.com/TeaOSLab/EdgeNode/internal/remotelogs"
	"strconv"
	"sync"
)

var SharedWAFManager = NewWAFManager()

// WAFManager WAF管理器
type WAFManager struct {
	mapping map[int64]*WAF // policyId => WAF
	locker  sync.RWMutex
}

// NewWAFManager 获取新对象
func NewWAFManager() *WAFManager {
	return &WAFManager{
		mapping: map[int64]*WAF{},
	}
}

// UpdatePolicies 更新策略
func (this *WAFManager) UpdatePolicies(policies []*firewallconfigs.HTTPFirewallPolicy) {
	this.locker.Lock()
	defer this.locker.Unlock()

	m := map[int64]*WAF{}
	for _, p := range policies {
		w, err := this.ConvertWAF(p)
		if w != nil {
			m[p.Id] = w
		}
		if err != nil {
			remotelogs.Error("WAF", "initialize policy '"+strconv.FormatInt(p.Id, 10)+"' failed: "+err.Error())
			continue
		}
	}
	this.mapping = m
}

// FindWAF 查找WAF
func (this *WAFManager) FindWAF(policyId int64) *WAF {
	this.locker.RLock()
	w, _ := this.mapping[policyId]
	this.locker.RUnlock()
	return w
}

// ConvertWAF 将Policy转换为WAF
func (this *WAFManager) ConvertWAF(policy *firewallconfigs.HTTPFirewallPolicy) (*WAF, error) {
	if policy == nil {
		return nil, errors.New("policy should not be nil")
	}
	if len(policy.Mode) == 0 {
		policy.Mode = firewallconfigs.FirewallModeDefend
	}
	var w = &WAF{
		Id:               policy.Id,
		IsOn:             policy.IsOn,
		Name:             policy.Name,
		Mode:             policy.Mode,
		UseLocalFirewall: policy.UseLocalFirewall,
		SYNFlood:         policy.SYNFlood,
	}

	// inbound
	if policy.Inbound != nil && policy.Inbound.IsOn {
		for _, group := range policy.Inbound.Groups {
			g := &RuleGroup{
				Id:          group.Id,
				IsOn:        group.IsOn,
				Name:        group.Name,
				Description: group.Description,
				Code:        group.Code,
				IsInbound:   true,
			}

			// rule sets
			for _, set := range group.Sets {
				s := &RuleSet{
					Id:          set.Id,
					Code:        set.Code,
					IsOn:        set.IsOn,
					Name:        set.Name,
					Description: set.Description,
					Connector:   set.Connector,
					IgnoreLocal: set.IgnoreLocal,
				}
				for _, a := range set.Actions {
					s.AddAction(a.Code, a.Options)
				}

				// rules
				for _, rule := range set.Rules {
					r := &Rule{
						Id:                rule.Id,
						Description:       rule.Description,
						Param:             rule.Param,
						ParamFilters:      []*ParamFilter{},
						Operator:          rule.Operator,
						Value:             rule.Value,
						IsCaseInsensitive: rule.IsCaseInsensitive,
						CheckpointOptions: rule.CheckpointOptions,
					}

					for _, paramFilter := range rule.ParamFilters {
						r.ParamFilters = append(r.ParamFilters, &ParamFilter{
							Code:    paramFilter.Code,
							Options: paramFilter.Options,
						})
					}

					s.Rules = append(s.Rules, r)
				}

				g.RuleSets = append(g.RuleSets, s)
			}

			w.Inbound = append(w.Inbound, g)
		}
	}

	// outbound
	if policy.Outbound != nil && policy.Outbound.IsOn {
		for _, group := range policy.Outbound.Groups {
			g := &RuleGroup{
				Id:          group.Id,
				IsOn:        group.IsOn,
				Name:        group.Name,
				Description: group.Description,
				Code:        group.Code,
				IsInbound:   true,
			}

			// rule sets
			for _, set := range group.Sets {
				s := &RuleSet{
					Id:          set.Id,
					Code:        set.Code,
					IsOn:        set.IsOn,
					Name:        set.Name,
					Description: set.Description,
					Connector:   set.Connector,
					IgnoreLocal: set.IgnoreLocal,
				}

				for _, a := range set.Actions {
					s.AddAction(a.Code, a.Options)
				}

				// rules
				for _, rule := range set.Rules {
					r := &Rule{
						Id:                rule.Id,
						Description:       rule.Description,
						Param:             rule.Param,
						Operator:          rule.Operator,
						Value:             rule.Value,
						IsCaseInsensitive: rule.IsCaseInsensitive,
						CheckpointOptions: rule.CheckpointOptions,
					}
					s.Rules = append(s.Rules, r)
				}

				g.RuleSets = append(g.RuleSets, s)
			}

			w.Outbound = append(w.Outbound, g)
		}
	}

	// block action
	if policy.BlockOptions != nil {
		w.DefaultBlockAction = &BlockAction{
			StatusCode: policy.BlockOptions.StatusCode,
			Body:       policy.BlockOptions.Body,
			URL:        policy.BlockOptions.URL,
			Timeout:    policy.BlockOptions.Timeout,
		}
	}

	// captcha action
	if policy.CaptchaOptions != nil {
		w.DefaultCaptchaAction = &CaptchaAction{
			Life:              policy.CaptchaOptions.Life,
			MaxFails:          policy.CaptchaOptions.MaxFails,
			FailBlockTimeout:  policy.CaptchaOptions.FailBlockTimeout,
			FailBlockScopeAll: policy.CaptchaOptions.FailBlockScopeAll,
			CountLetters:      policy.CaptchaOptions.CountLetters,
			UIIsOn:            policy.CaptchaOptions.UIIsOn,
			UITitle:           policy.CaptchaOptions.UITitle,
			UIPrompt:          policy.CaptchaOptions.UIPrompt,
			UIButtonTitle:     policy.CaptchaOptions.UIButtonTitle,
			UIShowRequestId:   policy.CaptchaOptions.UIShowRequestId,
			UICss:             policy.CaptchaOptions.UICss,
			UIFooter:          policy.CaptchaOptions.UIFooter,
			UIBody:            policy.CaptchaOptions.UIBody,
			Lang:              policy.CaptchaOptions.Lang,
		}
	}

	errorList := w.Init()
	if len(errorList) > 0 {
		return w, errorList[0]
	}

	return w, nil
}
WAF策略中增加验证码相关定制设置 2022-05-21 11:17:53 +08:00			`package waf`
实现WAF 2020-10-08 15:06:42 +08:00
			`import (`
			`"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"`
			`"github.com/TeaOSLab/EdgeNode/internal/errors"`
在节点重新实现缓存策略和WAF策略 2020-12-17 17:36:10 +08:00			`"github.com/TeaOSLab/EdgeNode/internal/remotelogs"`
实现WAF 2020-10-08 15:06:42 +08:00			`"strconv"`
			`"sync"`
			`)`

WAF策略中增加验证码相关定制设置 2022-05-21 11:17:53 +08:00			`var SharedWAFManager = NewWAFManager()`
实现WAF 2020-10-08 15:06:42 +08:00
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`// WAFManager WAF管理器`
实现WAF 2020-10-08 15:06:42 +08:00			`type WAFManager struct {`
WAF策略中增加验证码相关定制设置 2022-05-21 11:17:53 +08:00			`mapping map[int64]*WAF // policyId => WAF`
实现WAF 2020-10-08 15:06:42 +08:00			`locker sync.RWMutex`
			`}`

WAF增加多个动作 2021-07-18 15:51:49 +08:00			`// NewWAFManager 获取新对象`
实现WAF 2020-10-08 15:06:42 +08:00			`func NewWAFManager() *WAFManager {`
			`return &WAFManager{`
WAF策略中增加验证码相关定制设置 2022-05-21 11:17:53 +08:00			`mapping: map[int64]*WAF{},`
实现WAF 2020-10-08 15:06:42 +08:00			`}`
			`}`

WAF增加多个动作 2021-07-18 15:51:49 +08:00			`// UpdatePolicies 更新策略`
实现WAF 2020-10-08 15:06:42 +08:00			`func (this WAFManager) UpdatePolicies(policies []firewallconfigs.HTTPFirewallPolicy) {`
			`this.locker.Lock()`
			`defer this.locker.Unlock()`

WAF策略中增加验证码相关定制设置 2022-05-21 11:17:53 +08:00			`m := map[int64]*WAF{}`
实现WAF 2020-10-08 15:06:42 +08:00			`for _, p := range policies {`
WAF策略中增加验证码相关定制设置 2022-05-21 11:17:53 +08:00			`w, err := this.ConvertWAF(p)`
国家、省份数据不再每个小时更新一次；WAF增加国家/地区、省份、城市、ISP等参数 2022-01-06 16:27:39 +08:00			`if w != nil {`
			`m[p.Id] = w`
			`}`
实现WAF 2020-10-08 15:06:42 +08:00			`if err != nil {`
在节点重新实现缓存策略和WAF策略 2020-12-17 17:36:10 +08:00			`remotelogs.Error("WAF", "initialize policy '"+strconv.FormatInt(p.Id, 10)+"' failed: "+err.Error())`
实现WAF 2020-10-08 15:06:42 +08:00			`continue`
			`}`
			`}`
			`this.mapping = m`
			`}`

WAF增加多个动作 2021-07-18 15:51:49 +08:00			`// FindWAF 查找WAF`
WAF策略中增加验证码相关定制设置 2022-05-21 11:17:53 +08:00			`func (this WAFManager) FindWAF(policyId int64) WAF {`
实现WAF 2020-10-08 15:06:42 +08:00			`this.locker.RLock()`
			`w, _ := this.mapping[policyId]`
			`this.locker.RUnlock()`
			`return w`
			`}`

WAF策略中增加验证码相关定制设置 2022-05-21 11:17:53 +08:00			`// ConvertWAF 将Policy转换为WAF`
			`func (this WAFManager) ConvertWAF(policy firewallconfigs.HTTPFirewallPolicy) (*WAF, error) {`
实现WAF 2020-10-08 15:06:42 +08:00			`if policy == nil {`
			`return nil, errors.New("policy should not be nil")`
			`}`
修复WAF策略模式为空导致动作不起作用的问题 2021-10-03 08:35:28 +08:00			`if len(policy.Mode) == 0 {`
			`policy.Mode = firewallconfigs.FirewallModeDefend`
			`}`
WAF策略中增加验证码相关定制设置 2022-05-21 11:17:53 +08:00			`var w = &WAF{`
自动使用本地防火墙/增加edge-node [ip.drop\|ip.reject\|ip.remove]等命令 2022-01-09 17:07:37 +08:00			`Id: policy.Id,`
			`IsOn: policy.IsOn,`
			`Name: policy.Name,`
			`Mode: policy.Mode,`
			`UseLocalFirewall: policy.UseLocalFirewall,`
实现自动SYN Flood防护 2022-01-10 19:54:10 +08:00			`SYNFlood: policy.SYNFlood,`
实现WAF 2020-10-08 15:06:42 +08:00			`}`

			`// inbound`
			`if policy.Inbound != nil && policy.Inbound.IsOn {`
			`for _, group := range policy.Inbound.Groups {`
WAF策略中增加验证码相关定制设置 2022-05-21 11:17:53 +08:00			`g := &RuleGroup{`
IP名单中IP创建时保存相关节点、服务、WAF策略信息 2021-11-16 16:11:05 +08:00			`Id: group.Id,`
实现WAF 2020-10-08 15:06:42 +08:00			`IsOn: group.IsOn,`
			`Name: group.Name,`
			`Description: group.Description,`
			`Code: group.Code,`
			`IsInbound: true,`
			`}`

			`// rule sets`
			`for _, set := range group.Sets {`
WAF策略中增加验证码相关定制设置 2022-05-21 11:17:53 +08:00			`s := &RuleSet{`
IP名单中IP创建时保存相关节点、服务、WAF策略信息 2021-11-16 16:11:05 +08:00			`Id: set.Id,`
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`Code: set.Code,`
			`IsOn: set.IsOn,`
			`Name: set.Name,`
			`Description: set.Description,`
			`Connector: set.Connector,`
支持规则集忽略局域网IP 2021-12-02 16:08:25 +08:00			`IgnoreLocal: set.IgnoreLocal,`
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`}`
			`for _, a := range set.Actions {`
			`s.AddAction(a.Code, a.Options)`
实现WAF 2020-10-08 15:06:42 +08:00			`}`

			`// rules`
			`for _, rule := range set.Rules {`
WAF策略中增加验证码相关定制设置 2022-05-21 11:17:53 +08:00			`r := &Rule{`
WAF多个相同Key的cc2统计规则不再重复累加 2022-07-25 09:34:34 +08:00			`Id: rule.Id,`
实现WAF 2020-10-08 15:06:42 +08:00			`Description: rule.Description,`
			`Param: rule.Param,`
WAF策略中增加验证码相关定制设置 2022-05-21 11:17:53 +08:00			`ParamFilters: []*ParamFilter{},`
实现WAF 2020-10-08 15:06:42 +08:00			`Operator: rule.Operator,`
			`Value: rule.Value,`
			`IsCaseInsensitive: rule.IsCaseInsensitive,`
			`CheckpointOptions: rule.CheckpointOptions,`
			`}`
[waf]支持包含二进制、不支持二进制等操作符；支持对参数值编解码 2020-11-21 20:44:19 +08:00
			`for _, paramFilter := range rule.ParamFilters {`
WAF策略中增加验证码相关定制设置 2022-05-21 11:17:53 +08:00			`r.ParamFilters = append(r.ParamFilters, &ParamFilter{`
[waf]支持包含二进制、不支持二进制等操作符；支持对参数值编解码 2020-11-21 20:44:19 +08:00			`Code: paramFilter.Code,`
			`Options: paramFilter.Options,`
			`})`
			`}`

实现WAF 2020-10-08 15:06:42 +08:00			`s.Rules = append(s.Rules, r)`
			`}`

			`g.RuleSets = append(g.RuleSets, s)`
			`}`

			`w.Inbound = append(w.Inbound, g)`
			`}`
			`}`

			`// outbound`
			`if policy.Outbound != nil && policy.Outbound.IsOn {`
			`for _, group := range policy.Outbound.Groups {`
WAF策略中增加验证码相关定制设置 2022-05-21 11:17:53 +08:00			`g := &RuleGroup{`
IP名单中IP创建时保存相关节点、服务、WAF策略信息 2021-11-16 16:11:05 +08:00			`Id: group.Id,`
实现WAF 2020-10-08 15:06:42 +08:00			`IsOn: group.IsOn,`
			`Name: group.Name,`
			`Description: group.Description,`
			`Code: group.Code,`
			`IsInbound: true,`
			`}`

			`// rule sets`
			`for _, set := range group.Sets {`
WAF策略中增加验证码相关定制设置 2022-05-21 11:17:53 +08:00			`s := &RuleSet{`
IP名单中IP创建时保存相关节点、服务、WAF策略信息 2021-11-16 16:11:05 +08:00			`Id: set.Id,`
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`Code: set.Code,`
			`IsOn: set.IsOn,`
			`Name: set.Name,`
			`Description: set.Description,`
			`Connector: set.Connector,`
支持规则集忽略局域网IP 2021-12-02 16:08:25 +08:00			`IgnoreLocal: set.IgnoreLocal,`
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`}`

			`for _, a := range set.Actions {`
			`s.AddAction(a.Code, a.Options)`
实现WAF 2020-10-08 15:06:42 +08:00			`}`

			`// rules`
			`for _, rule := range set.Rules {`
WAF策略中增加验证码相关定制设置 2022-05-21 11:17:53 +08:00			`r := &Rule{`
WAF多个相同Key的cc2统计规则不再重复累加 2022-07-25 09:34:34 +08:00			`Id: rule.Id,`
实现WAF 2020-10-08 15:06:42 +08:00			`Description: rule.Description,`
			`Param: rule.Param,`
			`Operator: rule.Operator,`
			`Value: rule.Value,`
			`IsCaseInsensitive: rule.IsCaseInsensitive,`
			`CheckpointOptions: rule.CheckpointOptions,`
			`}`
			`s.Rules = append(s.Rules, r)`
			`}`

			`g.RuleSets = append(g.RuleSets, s)`
			`}`

			`w.Outbound = append(w.Outbound, g)`
			`}`
			`}`

WAF策略中增加验证码相关定制设置 2022-05-21 11:17:53 +08:00			`// block action`
[waf]可以配置阻止动作的状态码和提示内容 2020-11-22 16:54:43 +08:00			`if policy.BlockOptions != nil {`
WAF策略中增加验证码相关定制设置 2022-05-21 11:17:53 +08:00			`w.DefaultBlockAction = &BlockAction{`
[waf]可以配置阻止动作的状态码和提示内容 2020-11-22 16:54:43 +08:00			`StatusCode: policy.BlockOptions.StatusCode,`
			`Body: policy.BlockOptions.Body,`
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`URL: policy.BlockOptions.URL,`
			`Timeout: policy.BlockOptions.Timeout,`
[waf]可以配置阻止动作的状态码和提示内容 2020-11-22 16:54:43 +08:00			`}`
			`}`
实现WAF 2020-10-08 15:06:42 +08:00
WAF策略中增加验证码相关定制设置 2022-05-21 11:17:53 +08:00			`// captcha action`
			`if policy.CaptchaOptions != nil {`
			`w.DefaultCaptchaAction = &CaptchaAction{`
			`Life: policy.CaptchaOptions.Life,`
			`MaxFails: policy.CaptchaOptions.MaxFails,`
			`FailBlockTimeout: policy.CaptchaOptions.FailBlockTimeout,`
			`FailBlockScopeAll: policy.CaptchaOptions.FailBlockScopeAll,`
			`CountLetters: policy.CaptchaOptions.CountLetters,`
			`UIIsOn: policy.CaptchaOptions.UIIsOn,`
			`UITitle: policy.CaptchaOptions.UITitle,`
			`UIPrompt: policy.CaptchaOptions.UIPrompt,`
			`UIButtonTitle: policy.CaptchaOptions.UIButtonTitle,`
			`UIShowRequestId: policy.CaptchaOptions.UIShowRequestId,`
			`UICss: policy.CaptchaOptions.UICss,`
			`UIFooter: policy.CaptchaOptions.UIFooter,`
			`UIBody: policy.CaptchaOptions.UIBody,`
			`Lang: policy.CaptchaOptions.Lang,`
			`}`
			`}`

国家、省份数据不再每个小时更新一次；WAF增加国家/地区、省份、城市、ISP等参数 2022-01-06 16:27:39 +08:00			`errorList := w.Init()`
			`if len(errorList) > 0 {`
			`return w, errorList[0]`
实现WAF 2020-10-08 15:06:42 +08:00			`}`

			`return w, nil`
			`}`