From 79c2cb7b730a46e114fee9a5340155ea44b551ef Mon Sep 17 00:00:00 2001
From: GoEdgeLab
Date: Tue, 16 Nov 2021 16:11:05 +0800
Subject: [PATCH] =?UTF-8?q?IP=E5=90=8D=E5=8D=95=E4=B8=ADIP=E5=88=9B?=
 =?UTF-8?q?=E5=BB=BA=E6=97=B6=E4=BF=9D=E5=AD=98=E7=9B=B8=E5=85=B3=E8=8A=82?=
 =?UTF-8?q?=E7=82=B9=E3=80=81=E6=9C=8D=E5=8A=A1=E3=80=81WAF=E7=AD=96?=
 =?UTF-8?q?=E7=95=A5=E4=BF=A1=E6=81=AF?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 internal/const/vars.go | 2 ++
 internal/nodes/node.go | 2 ++
 internal/nodes/waf_manager.go | 10 ++++----
 internal/waf/action_captcha.go | 3 ++-
 internal/waf/action_get_302.go | 3 ++-
 internal/waf/action_go_group.go | 3 ++-
 internal/waf/action_go_set.go | 5 ++--
 internal/waf/action_post_307.go | 3 ++-
 internal/waf/action_record_ip.go | 42 ++++++++++++++++++++++----------
 internal/waf/rule_group.go | 12 +++------
 internal/waf/rule_set.go | 4 +--
 internal/waf/template.go | 2 +-
 internal/waf/waf.go | 21 ++++++----------
 13 files changed, 62 insertions(+), 50 deletions(-)
diff --git a/internal/const/vars.go b/internal/const/vars.go
index be7446f..f2b6fcc 100644
--- a/internal/const/vars.go
+++ b/internal/const/vars.go
@@ -7,4 +7,6 @@ var (
 InTrafficBytes = uint64(0)
 OutTrafficBytes = uint64(0)
+
+ NodeId int64 = 0
 )
diff --git a/internal/nodes/node.go b/internal/nodes/node.go
index 6fa72b1..bda00ec 100644
--- a/internal/nodes/node.go
+++ b/internal/nodes/node.go
@@ -131,6 +131,7 @@ func (this *Node) Start() {
 remotelogs.Error("NODE", "start failed: read node config failed: "+err.Error())
 return
 }
+ teaconst.NodeId = nodeConfig.Id
 err = nodeConfig.Init()
 if err != nil {
 remotelogs.Error("NODE", "init node config failed: "+err.Error())
@@ -363,6 +364,7 @@ func (this *Node) syncConfig(taskVersion int64) error {
 if err != nil {
 return errors.New("decode config failed: " + err.Error())
 }
+ teaconst.NodeId = nodeConfig.Id
 // 写入到文件中
 err = nodeConfig.Save()
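Review bot: `teaconst.NodeId` is a plain package-level int64 that `Node.Start()` and `syncConfig()` assign and that the `init()` worker goroutine in action_record_ip.go reads as `SourceNodeId: teaconst.NodeId`; `syncConfig` presumably runs on a background goroutine after startup, so these are unsynchronized accesses to shared state that `go test -race` would flag. Declare it as `NodeId atomic.Int64` in vars.go (Go 1.19+), or keep the int64 and route every access through `atomic.StoreInt64(&teaconst.NodeId, nodeConfig.Id)` / `atomic.LoadInt64(&teaconst.NodeId)`; either way the redundant `= 0` initializer can go. The same applies to both node.go hunks here and to the action_record_ip.go hunk that builds the CreateIPItemRequest. Note also that the worker reads the value only when a task is dequeued, so an item queued before the first config load is reported with `SourceNodeId` 0; a comment on the field saying whether that is acceptable would help.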
diff --git a/internal/nodes/waf_manager.go b/internal/nodes/waf_manager.go
index 513fff2..db021c1 100644
--- a/internal/nodes/waf_manager.go
+++ b/internal/nodes/waf_manager.go
@@ -61,7 +61,7 @@ func (this *WAFManager) convertWAF(policy *firewallconfigs.HTTPFirewallPolicy) (
 policy.Mode = firewallconfigs.FirewallModeDefend
 }
 w := &waf.WAF{
- Id: strconv.FormatInt(policy.Id, 10),
+ Id: policy.Id,
 IsOn: policy.IsOn,
 Name: policy.Name,
 Mode: policy.Mode,
@@ -71,7 +71,7 @@ func (this *WAFManager) convertWAF(policy *firewallconfigs.HTTPFirewallPolicy) (
 if policy.Inbound != nil && policy.Inbound.IsOn {
 for _, group := range policy.Inbound.Groups {
 g := &waf.RuleGroup{
- Id: strconv.FormatInt(group.Id, 10),
+ Id: group.Id,
 IsOn: group.IsOn,
 Name: group.Name,
 Description: group.Description,
@@ -82,7 +82,7 @@ func (this *WAFManager) convertWAF(policy *firewallconfigs.HTTPFirewallPolicy) (
 // rule sets
 for _, set := range group.Sets {
 s := &waf.RuleSet{
- Id: strconv.FormatInt(set.Id, 10),
+ Id: set.Id,
 Code: set.Code,
 IsOn: set.IsOn,
 Name: set.Name,
@@ -126,7 +126,7 @@ func (this *WAFManager) convertWAF(policy *firewallconfigs.HTTPFirewallPolicy) (
 if policy.Outbound != nil && policy.Outbound.IsOn {
 for _, group := range policy.Outbound.Groups {
 g := &waf.RuleGroup{
- Id: strconv.FormatInt(group.Id, 10),
+ Id: group.Id,
 IsOn: group.IsOn,
 Name: group.Name,
 Description: group.Description,
@@ -137,7 +137,7 @@ func (this *WAFManager) convertWAF(policy *firewallconfigs.HTTPFirewallPolicy) (
 // rule sets
 for _, set := range group.Sets {
 s := &waf.RuleSet{
- Id: strconv.FormatInt(set.Id, 10),
+ Id: set.Id,
 Code: set.Code,
 IsOn: set.IsOn,
 Name: set.Name,
diff --git a/internal/waf/action_captcha.go b/internal/waf/action_captcha.go
index 8414065..c3431a8 100644
--- a/internal/waf/action_captcha.go
+++ b/internal/waf/action_captcha.go
@@ -5,6 +5,7 @@ import (
 "github.com/TeaOSLab/EdgeNode/internal/utils"
 "github.com/TeaOSLab/EdgeNode/internal/waf/requests"
 "github.com/iwind/TeaGo/maps"
+ "github.com/iwind/TeaGo/types"
 stringutil "github.com/iwind/TeaGo/utils/string"
 "net/http"
 "net/url"
@@ -44,7 +45,7 @@ func (this *CaptchaAction) WillChange() bool {
 func (this *CaptchaAction) Perform(waf *WAF, group *RuleGroup, set *RuleSet, request requests.Request, writer http.ResponseWriter) (allow bool) {
 // 是否在白名单中
- if SharedIPWhiteList.Contains("set:"+set.Id, this.Scope, request.WAFServerId(), request.WAFRemoteIP()) {
+ if SharedIPWhiteList.Contains("set:"+types.String(set.Id), this.Scope, request.WAFServerId(), request.WAFRemoteIP()) {
 return true
 }
diff --git a/internal/waf/action_get_302.go b/internal/waf/action_get_302.go
index ab230c2..2fbc3e7 100644
--- a/internal/waf/action_get_302.go
+++ b/internal/waf/action_get_302.go
@@ -5,6 +5,7 @@ import (
 "github.com/TeaOSLab/EdgeNode/internal/utils"
 "github.com/TeaOSLab/EdgeNode/internal/waf/requests"
 "github.com/iwind/TeaGo/maps"
+ "github.com/iwind/TeaGo/types"
 "net/http"
 "net/url"
 "time"
@@ -47,7 +48,7 @@ func (this *Get302Action) Perform(waf *WAF, group *RuleGroup, set *RuleSet, requ
 }
 // 是否已经在白名单中
- if SharedIPWhiteList.Contains("set:"+set.Id, this.Scope, request.WAFServerId(), request.WAFRemoteIP()) {
+ if SharedIPWhiteList.Contains("set:"+types.String(set.Id), this.Scope, request.WAFServerId(), request.WAFRemoteIP()) {
 return true
 }
diff --git a/internal/waf/action_go_group.go b/internal/waf/action_go_group.go
index 85f2f64..201dfd0 100644
--- a/internal/waf/action_go_group.go
+++ b/internal/waf/action_go_group.go
@@ -3,6 +3,7 @@ package waf
 import (
 "github.com/TeaOSLab/EdgeNode/internal/waf/requests"
 "github.com/iwind/TeaGo/logs"
+ "github.com/iwind/TeaGo/types"
 "net/http"
 )
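Review bot: The whitelist key `"set:"+types.String(set.Id)` is now only as unique as `set.Id`, and this commit removes the random Id that `NewRuleSet()` used to assign (rule_set.go hunk), so any rule set that never receives a server-assigned Id — template-built sets, presumably — keys its entries as `set:0`. An IP that passes the captcha for one such set is then treated as whitelisted by every other zero-Id set's Contains check, and `SharedIPWhiteList.Add` in action_record_ip.go writes under the same key. Consider failing closed when the id is absent, `if set.Id > 0 && SharedIPWhiteList.Contains("set:"+types.String(set.Id), this.Scope, request.WAFServerId(), request.WAFRemoteIP()) {`, or have MergeTemplate assign set Ids the way it now assigns group Ids. The same check appears in the action_get_302.go hunk here, in action_post_307.go and in the action_record_ip.go Perform hunk.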
@@ -27,7 +28,7 @@ func (this *GoGroupAction) WillChange() bool {
 }
 func (this *GoGroupAction) Perform(waf *WAF, group *RuleGroup, set *RuleSet, request requests.Request, writer http.ResponseWriter) (allow bool) {
- nextGroup := waf.FindRuleGroup(this.GroupId)
+ nextGroup := waf.FindRuleGroup(types.Int64(this.GroupId))
 if nextGroup == nil || !nextGroup.IsOn {
 return true
 }
diff --git a/internal/waf/action_go_set.go b/internal/waf/action_go_set.go
index eadfd03..0f515e5 100644
--- a/internal/waf/action_go_set.go
+++ b/internal/waf/action_go_set.go
@@ -3,6 +3,7 @@ package waf
 import (
 "github.com/TeaOSLab/EdgeNode/internal/waf/requests"
 "github.com/iwind/TeaGo/logs"
+ "github.com/iwind/TeaGo/types"
 "net/http"
 )
@@ -28,11 +29,11 @@ func (this *GoSetAction) WillChange() bool {
 }
 func (this *GoSetAction) Perform(waf *WAF, group *RuleGroup, set *RuleSet, request requests.Request, writer http.ResponseWriter) (allow bool) {
- nextGroup := waf.FindRuleGroup(this.GroupId)
+ nextGroup := waf.FindRuleGroup(types.Int64(this.GroupId))
 if nextGroup == nil || !nextGroup.IsOn {
 return true
 }
- nextSet := nextGroup.FindRuleSet(this.SetId)
+ nextSet := nextGroup.FindRuleSet(types.Int64(this.SetId))
 if nextSet == nil || !nextSet.IsOn {
 return true
 }
diff --git a/internal/waf/action_post_307.go b/internal/waf/action_post_307.go
index 49aa8ae..07df980 100644
--- a/internal/waf/action_post_307.go
+++ b/internal/waf/action_post_307.go
@@ -5,6 +5,7 @@ import (
 "github.com/TeaOSLab/EdgeNode/internal/utils"
 "github.com/TeaOSLab/EdgeNode/internal/waf/requests"
 "github.com/iwind/TeaGo/maps"
+ "github.com/iwind/TeaGo/types"
 "net/http"
 "time"
 )
@@ -41,7 +42,7 @@ func (this *Post307Action) Perform(waf *WAF, group *RuleGroup, set *RuleSet, req
 }
 // 是否已经在白名单中
- if SharedIPWhiteList.Contains("set:"+set.Id, this.Scope, request.WAFServerId(), request.WAFRemoteIP()) {
+ if SharedIPWhiteList.Contains("set:"+types.String(set.Id), this.Scope, request.WAFServerId(), request.WAFRemoteIP()) {
 return true
 }
diff --git a/internal/waf/action_record_ip.go b/internal/waf/action_record_ip.go
index 97dd148..5951b71 100644
--- a/internal/waf/action_record_ip.go
+++ b/internal/waf/action_record_ip.go
@@ -2,10 +2,12 @@ package waf
 import (
 "github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
+ teaconst "github.com/TeaOSLab/EdgeNode/internal/const"
 "github.com/TeaOSLab/EdgeNode/internal/events"
 "github.com/TeaOSLab/EdgeNode/internal/remotelogs"
 "github.com/TeaOSLab/EdgeNode/internal/rpc"
 "github.com/TeaOSLab/EdgeNode/internal/waf/requests"
+ "github.com/iwind/TeaGo/types"
 "net/http"
 "strings"
 "time"
@@ -16,6 +18,11 @@ type recordIPTask struct {
 listId int64
 expiredAt int64
 level string
+
+ sourceServerId int64
+ sourceHTTPFirewallPolicyId int64
+ sourceHTTPFirewallRuleGroupId int64
+ sourceHTTPFirewallRuleSetId int64
 }
 var recordIPTaskChan = make(chan *recordIPTask, 1024)
@@ -35,13 +42,18 @@ func init() {
 ipType = "ipv6"
 }
 _, err = rpcClient.IPItemRPC().CreateIPItem(rpcClient.Context(), &pb.CreateIPItemRequest{
- IpListId: task.listId,
- IpFrom: task.ip,
- IpTo: "",
- ExpiredAt: task.expiredAt,
- Reason: "触发WAF规则自动加入",
- Type: ipType,
- EventLevel: task.level,
+ IpListId: task.listId,
+ IpFrom: task.ip,
+ IpTo: "",
+ ExpiredAt: task.expiredAt,
+ Reason: "触发WAF规则自动加入",
+ Type: ipType,
+ EventLevel: task.level,
+ SourceNodeId: teaconst.NodeId,
+ SourceServerId: task.sourceServerId,
+ SourceHTTPFirewallPolicyId: task.sourceHTTPFirewallPolicyId,
+ SourceHTTPFirewallRuleGroupId: task.sourceHTTPFirewallRuleGroupId,
+ SourceHTTPFirewallRuleSetId: task.sourceHTTPFirewallRuleSetId,
 })
 if err != nil {
 remotelogs.Error("WAF_RECORD_IP_ACTION", "create ip item failed: "+err.Error())
@@ -79,7 +91,7 @@ func (this *RecordIPAction) WillChange() bool {
 func (this *RecordIPAction) Perform(waf *WAF, group *RuleGroup, set *RuleSet, request requests.Request, writer http.ResponseWriter) (allow bool) {
 // 是否在本地白名单中
- if SharedIPWhiteList.Contains("set:"+set.Id, this.Scope, request.WAFServerId(), request.WAFRemoteIP()) {
+ if SharedIPWhiteList.Contains("set:"+types.String(set.Id), this.Scope, request.WAFServerId(), request.WAFRemoteIP()) {
 return true
 }
@@ -98,17 +110,21 @@ func (this *RecordIPAction) Perform(waf *WAF, group *RuleGroup, set *RuleSet, re
 SharedIPBlackList.Add(IPTypeAll, this.Scope, request.WAFServerId(), request.WAFRemoteIP(), expiredAt)
 } else {
 // 加入本地白名单
- SharedIPWhiteList.Add("set:"+set.Id, this.Scope, request.WAFServerId(), request.WAFRemoteIP(), expiredAt)
+ SharedIPWhiteList.Add("set:"+types.String(set.Id), this.Scope, request.WAFServerId(), request.WAFRemoteIP(), expiredAt)
 }
 // 上报
 if this.IPListId > 0 {
 select {
 case recordIPTaskChan <- &recordIPTask{
- ip: request.WAFRemoteIP(),
- listId: this.IPListId,
- expiredAt: expiredAt,
- level: this.Level,
+ ip: request.WAFRemoteIP(),
+ listId: this.IPListId,
+ expiredAt: expiredAt,
+ level: this.Level,
+ sourceServerId: request.WAFServerId(),
+ sourceHTTPFirewallPolicyId: waf.Id,
+ sourceHTTPFirewallRuleGroupId: group.Id,
+ sourceHTTPFirewallRuleSetId: set.Id,
 }:
 default:
diff --git a/internal/waf/rule_group.go b/internal/waf/rule_group.go
index 19577c4..a05e50d 100644
--- a/internal/waf/rule_group.go
+++ b/internal/waf/rule_group.go
@@ -6,7 +6,7 @@ import (
 // rule group
 type RuleGroup struct {
- Id string `yaml:"id" json:"id"`
+ Id int64 `yaml:"id" json:"id"`
 IsOn bool `yaml:"isOn" json:"isOn"`
 Name string `yaml:"name" json:"name"` // such as SQL Injection
 Description string `yaml:"description" json:"description"`
@@ -41,10 +41,7 @@ func (this *RuleGroup) AddRuleSet(ruleSet *RuleSet) {
 this.RuleSets = append(this.RuleSets, ruleSet)
 }
-func (this *RuleGroup) FindRuleSet(id string) *RuleSet {
- if len(id) == 0 {
- return nil
- }
+func (this *RuleGroup) FindRuleSet(id int64) *RuleSet {
 for _, ruleSet := range this.RuleSets {
 if ruleSet.Id == id {
 return ruleSet
@@ -65,10 +62,7 @@ func (this *RuleGroup) FindRuleSetWithCode(code string) *RuleSet {
 return nil
 }
-func (this *RuleGroup) RemoveRuleSet(id string) {
- if len(id) == 0 {
- return
- }
+func (this *RuleGroup) RemoveRuleSet(id int64) {
 result := []*RuleSet{}
 for _, ruleSet := range this.RuleSets {
 if ruleSet.Id == id {
diff --git a/internal/waf/rule_set.go b/internal/waf/rule_set.go
index 35169d3..14227a4 100644
--- a/internal/waf/rule_set.go
+++ b/internal/waf/rule_set.go
@@ -6,7 +6,6 @@ import (
 "github.com/TeaOSLab/EdgeNode/internal/waf/requests"
 "github.com/iwind/TeaGo/lists"
 "github.com/iwind/TeaGo/maps"
- "github.com/iwind/TeaGo/utils/string"
 "net/http"
 "sort"
 )
@@ -19,7 +18,7 @@ const (
 )
 type RuleSet struct {
- Id string `yaml:"id" json:"id"`
+ Id int64 `yaml:"id" json:"id"`
 Code string `yaml:"code" json:"code"`
 IsOn bool `yaml:"isOn" json:"isOn"`
 Name string `yaml:"name" json:"name"`
@@ -36,7 +35,6 @@ type RuleSet struct {
 func NewRuleSet() *RuleSet {
 return &RuleSet{
- Id: stringutil.Rand(16),
 IsOn: true,
 }
 }
diff --git a/internal/waf/template.go b/internal/waf/template.go
index 334f488..1ebdaff 100644
--- a/internal/waf/template.go
+++ b/internal/waf/template.go
@@ -2,7 +2,7 @@ package waf
 func Template() *WAF {
 waf := NewWAF()
- waf.Id = "template"
+ waf.Id = 0
 waf.IsOn = true
 // xss
diff --git a/internal/waf/waf.go b/internal/waf/waf.go
index 3a744d2..3752f24 100644
--- a/internal/waf/waf.go
+++ b/internal/waf/waf.go
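Review bot: `FindRuleSet` and `RemoveRuleSet` lose the empty-id guard without an equivalent for the new int64, so `FindRuleSet(0)` now scans and matches any set whose Id is still 0 (for instance one built by the now Id-less `NewRuleSet()`), where the old code returned nil. GoSetAction calls this as `nextGroup.FindRuleSet(types.Int64(this.SetId))`, so an empty or non-numeric SetId — which I assume converts to 0 — would jump to an arbitrary zero-Id set instead of being ignored, and `RemoveRuleSet(0)` would delete all of them. Restore the guard as `if id <= 0 { return nil }` in FindRuleSet and `if id <= 0 { return }` in RemoveRuleSet. `WAF.FindRuleGroup` and `WAF.RemoveRuleGroup` in the waf.go hunks drop the same check and need the same treatment.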
@@ -8,7 +8,6 @@ import (
 "github.com/TeaOSLab/EdgeNode/internal/waf/requests"
 "github.com/iwind/TeaGo/Tea"
 "github.com/iwind/TeaGo/files"
- "github.com/iwind/TeaGo/utils/string"
 "gopkg.in/yaml.v3"
 "io/ioutil"
 "net/http"
@@ -16,7 +15,7 @@ import (
 )
 type WAF struct {
- Id string `yaml:"id" json:"id"`
+ Id int64 `yaml:"id" json:"id"`
 IsOn bool `yaml:"isOn" json:"isOn"`
 Name string `yaml:"name" json:"name"`
 Inbound []*RuleGroup `yaml:"inbound" json:"inbound"`
@@ -35,7 +34,6 @@ type WAF struct {
 func NewWAF() *WAF {
 return &WAF{
- Id: stringutil.Rand(16),
 IsOn: true,
 }
 }
@@ -121,11 +119,7 @@ func (this *WAF) AddRuleGroup(ruleGroup *RuleGroup) {
 }
 }
-func (this *WAF) RemoveRuleGroup(ruleGroupId string) {
- if len(ruleGroupId) == 0 {
- return
- }
-
+func (this *WAF) RemoveRuleGroup(ruleGroupId int64) {
 {
 result := []*RuleGroup{}
 for _, group := range this.Inbound {
@@ -149,10 +143,7 @@ func (this *WAF) RemoveRuleGroup(ruleGroupId string) {
 }
 }
-func (this *WAF) FindRuleGroup(ruleGroupId string) *RuleGroup {
- if len(ruleGroupId) == 0 {
- return nil
- }
+func (this *WAF) FindRuleGroup(ruleGroupId int64) *RuleGroup {
 for _, group := range this.Inbound {
 if group.Id == ruleGroupId {
 return group
@@ -396,10 +387,14 @@ func (this *WAF) MergeTemplate() (changedItems []string) {
 groups := []*RuleGroup{}
 groups = append(groups, template.Inbound...)
 groups = append(groups, template.Outbound...)
+
+ var newGroupId int64 = 1_000_000_000
+
 for _, group := range groups {
 oldGroup := this.FindRuleGroupWithCode(group.Code)
 if oldGroup == nil {
- group.Id = stringutil.Rand(16)
+ newGroupId++
+ group.Id = newGroupId
 this.AddRuleGroup(group)
 changedItems = append(changedItems, "+group "+group.Name)
 continue
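Review bot: `newGroupId` is a local that restarts at 1_000_000_000 on every `MergeTemplate` call, so a second merge on the same WAF (after the template gains a group, or when the caller merges repeatedly) hands a new group the same Id an earlier merge already assigned, and nothing prevents a collision with a real group Id from the policy either. Seed the counter from what is already present before the loop, `for _, g := range this.Inbound { if g.Id > newGroupId { newGroupId = g.Id } }` and the same over `this.Outbound`, so generated Ids stay unique within this WAF. Since `FindRuleGroup` and `RemoveRuleGroup` now select by this integer, a duplicate Id makes GoGroupAction jump to whichever group is listed first and makes removal delete more than one group. The rest of MergeTemplate continues outside the hunk.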