WAF允许动作默认跳过所有规则

2025-12-27 15:46:34 +08:00 · 2024-01-20 20:54:41 +08:00
parent 7d11b3c63b
commit 095c381ae5
22 changed files with 558 additions and 161 deletions
--- a/internal/waf/waf_test.go
+++ b/internal/waf/waf_test.go
@@ -5,6 +5,7 @@ import (
 	"github.com/TeaOSLab/EdgeNode/internal/waf"
 	"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
 	"github.com/iwind/TeaGo/assert"
+	"github.com/iwind/TeaGo/maps"
 	"net/http"
 	"testing"
 )
@@ -44,7 +45,7 @@ func TestWAF_MatchRequest(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	goNext, _, _, set, err := wafInstance.MatchRequest(requests.NewTestRequest(req), nil, firewallconfigs.ServerCaptchaTypeNone)
+	result, err := wafInstance.MatchRequest(requests.NewTestRequest(req), nil, firewallconfigs.ServerCaptchaTypeNone)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -52,6 +53,160 @@ func TestWAF_MatchRequest(t *testing.T) {
 		t.Log("not match")
 		return
 	}
-	t.Log("goNext:", goNext, "set:", set.Name)
-	a.IsFalse(goNext)
+	t.Log("goNext:", result.GoNext, "set:", set.Name)
+	a.IsFalse(result.GoNext)
+}
+
+func TestWAF_MatchRequest_Allow(t *testing.T) {
+	var a = assert.NewAssertion(t)
+
+	var wafInstance = waf.NewWAF()
+
+	{
+		var set = waf.NewRuleSet()
+		set.Id = 1
+		set.Name = "set1"
+		set.Connector = waf.RuleConnectorAnd
+		set.Rules = []*waf.Rule{
+			{
+				Param:    "${requestPath}",
+				Operator: waf.RuleOperatorMatch,
+				Value:    "hello",
+			},
+		}
+		set.AddAction(waf.ActionAllow, maps.Map{
+			"scope": "global",
+		})
+
+		var group = waf.NewRuleGroup()
+		group.Id = 1
+		group.AddRuleSet(set)
+		group.IsInbound = true
+
+		wafInstance.AddRuleGroup(group)
+	}
+
+	{
+		var set = waf.NewRuleSet()
+		set.Id = 2
+		set.Name = "set2"
+		set.Connector = waf.RuleConnectorAnd
+		set.Rules = []*waf.Rule{
+			{
+				Param:    "${requestPath}",
+				Operator: waf.RuleOperatorMatch,
+				Value:    "he",
+			},
+		}
+		set.AddAction(waf.ActionAllow, maps.Map{
+			"scope": "global",
+		})
+
+		var group = waf.NewRuleGroup()
+		group.Id = 2
+		group.AddRuleSet(set)
+		group.IsInbound = true
+
+		wafInstance.AddRuleGroup(group)
+	}
+
+	errs := wafInstance.Init()
+	if len(errs) > 0 {
+		t.Fatal(errs[0])
+	}
+
+	req, err := http.NewRequest(http.MethodGet, "http://teaos.cn/hello?name=lu&age=20", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	result, err := wafInstance.MatchRequest(requests.NewTestRequest(req), nil, firewallconfigs.ServerCaptchaTypeNone)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if result.Set == nil {
+		t.Log("not match")
+		return
+	}
+	t.Log("goNext:", result.GoNext, "set:", result.Set.Name)
+	a.IsTrue(result.Set.Id == 1)
+	a.IsTrue(result.GoNext)
+	a.IsTrue(result.IsAllowed)
+	a.IsTrue(result.AllowScope == "global")
+}
+
+func TestWAF_MatchRequest_Allow2(t *testing.T) {
+	var a = assert.NewAssertion(t)
+
+	var wafInstance = waf.NewWAF()
+
+	{
+		var set = waf.NewRuleSet()
+		set.Id = 1
+		set.Name = "set1"
+		set.Connector = waf.RuleConnectorAnd
+		set.Rules = []*waf.Rule{
+			{
+				Param:    "${requestPath}",
+				Operator: waf.RuleOperatorMatch,
+				Value:    "hello",
+			},
+		}
+		set.AddAction(waf.ActionAllow, maps.Map{
+			"scope": "group",
+		})
+
+		var group = waf.NewRuleGroup()
+		group.Id = 1
+		group.AddRuleSet(set)
+		group.IsInbound = true
+
+		wafInstance.AddRuleGroup(group)
+	}
+
+	{
+		var set = waf.NewRuleSet()
+		set.Id = 2
+		set.Name = "set2"
+		set.Connector = waf.RuleConnectorAnd
+		set.Rules = []*waf.Rule{
+			{
+				Param:    "${requestPath}",
+				Operator: waf.RuleOperatorMatch,
+				Value:    "he",
+			},
+		}
+		set.AddAction(waf.ActionAllow, maps.Map{
+			"scope": "global",
+		})
+
+		var group = waf.NewRuleGroup()
+		group.Id = 2
+		group.AddRuleSet(set)
+		group.IsInbound = true
+
+		wafInstance.AddRuleGroup(group)
+	}
+
+	errs := wafInstance.Init()
+	if len(errs) > 0 {
+		t.Fatal(errs[0])
+	}
+
+	req, err := http.NewRequest(http.MethodGet, "http://teaos.cn/hello?name=lu&age=20", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	result, err := wafInstance.MatchRequest(requests.NewTestRequest(req), nil, firewallconfigs.ServerCaptchaTypeNone)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if result.Set == nil {
+		t.Log("not match")
+		return
+	}
+	t.Log("goNext:", result.GoNext, "set:", result.Set.Name)
+	a.IsTrue(result.Set.Id == 2)
+	a.IsTrue(result.GoNext)
+	a.IsTrue(result.IsAllowed)
+	a.IsTrue(result.AllowScope == "global")
 }