monkeyDluffy6017 commented on code in PR #9838: URL: https://github.com/apache/apisix/pull/9838#discussion_r1280070922
########## t/plugin/chaitin-waf-reject.t: ########## @@ -0,0 +1,141 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +use t::APISIX 'no_plan'; + +repeat_each(1); +no_long_string(); +no_root_location(); + +add_block_preprocessor(sub { + my ($block) = @_; + + my $stream_default_server = <<_EOC_; + server { + listen 8088; + listen 8089; + content_by_lua_block { + require("lib.chaitin_waf_server").reject() + } + } +_EOC_ + + $block->set_value("extra_stream_config", $stream_default_server); + $block->set_value("stream_conf_enable", 1); + + # setup default conf.yaml + my $extra_yaml_config = $block->extra_yaml_config // <<_EOC_; +apisix: + stream_proxy: # TCP/UDP L4 proxy + only: true # Enable L4 proxy only without L7 proxy. + tcp: + - addr: 9100 # Set the TCP proxy listening ports. + tls: true + - addr: "127.0.0.1:9101" + udp: # Set the UDP proxy listening ports. + - 9200 + - "127.0.0.1:9201" +plugins: + - chaitin-waf Review Comment: Done ########## apisix/plugins/chaitin-waf.lua: ########## @@ -0,0 +1,369 @@ +-- +-- Licensed to the Apache Software Foundation (ASF) under one or more +-- contributor license agreements. See the NOTICE file distributed with +-- this work for additional information regarding copyright ownership. +-- The ASF licenses this file to You under the Apache License, Version 2.0 +-- (the "License"); you may not use this file except in compliance with +-- the License. You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing, software +-- distributed under the License is distributed on an "AS IS" BASIS, +-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-- See the License for the specific language governing permissions and +-- limitations under the License. +-- +local require = require +local core = require("apisix.core") +local rr_balancer = require("apisix.balancer.roundrobin") +local plugin = require("apisix.plugin") +local t1k = require "resty.t1k" +local expr = require("resty.expr.v1") + +local ngx = ngx +local ngx_now = ngx.now +local string = string +local fmt = string.format +local tostring = tostring +local tonumber = tonumber +local ipairs = ipairs + +local plugin_name = "chaitin-waf" + +local vars_schema = { + type = "array", +} + +local match_schema = { + type = "array", + items = { + type = "object", + properties = { + vars = vars_schema + } + }, +} + +local plugin_schema = { + type = "object", + properties = { + add_header = { + type = "boolean", + default = true + }, + add_debug_header = { + type = "boolean", + default = false + }, + match = match_schema, + config = { + type = "object", + properties = { + connect_timeout = { + type = "integer", + }, + send_timeout = { + type = "integer", + }, + read_timeout = { + type = "integer", + }, + req_body_size = { + type = "integer", + }, + keepalive_size = { + type = "integer", + }, + keepalive_timeout = { + type = "integer", + }, + remote_addr = { + type = "string", + } + }, + }, + }, +} + +local metadata_schema = { + type = "object", + properties = { + nodes = { + type = "array", + items = { + type = "object", + properties = { + host = { + type = "string", + }, + port = { + type = "integer", + minimum = 1, + default = 80 + }, + }, + required = { "host" } + }, + minItems = 1, + }, + config = { + type = "object", + properties = { + -- connect timeout, in milliseconds, integer, default 1s (1000ms) + connect_timeout = { + type = "integer", + default = 1000 + }, + -- send timeout, in milliseconds, integer, default 1s (1000ms) + send_timeout = { + type = "integer", + default = 1000 + }, + -- read timeout, in milliseconds, integer, default 1s (1000ms) + read_timeout = { + type = "integer", + default = 1000 + }, + -- request body size, in KB, integer, default 1MB (1024KB) + req_body_size = { + type = "integer", + default = 1024 + }, + -- maximum concurrent idle connections to + -- the SafeLine WAF detection service, integer, default 256 + keepalive_size = { + type = "integer", + default = 256 + }, + -- idle connection timeout, in milliseconds, integer, default 60s (60000ms) + keepalive_timeout = { + type = "integer", + default = 60000 + }, + -- remote address from ngx.var.VARIABLE, string + remote_addr = { + type = "string", + default = "http_x_forwarded_for: 1", Review Comment: Done ########## apisix/plugins/chaitin-waf.lua: ########## @@ -0,0 +1,369 @@ +-- +-- Licensed to the Apache Software Foundation (ASF) under one or more +-- contributor license agreements. See the NOTICE file distributed with +-- this work for additional information regarding copyright ownership. +-- The ASF licenses this file to You under the Apache License, Version 2.0 +-- (the "License"); you may not use this file except in compliance with +-- the License. You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing, software +-- distributed under the License is distributed on an "AS IS" BASIS, +-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-- See the License for the specific language governing permissions and +-- limitations under the License. +-- +local require = require +local core = require("apisix.core") +local rr_balancer = require("apisix.balancer.roundrobin") +local plugin = require("apisix.plugin") +local t1k = require "resty.t1k" +local expr = require("resty.expr.v1") + +local ngx = ngx +local ngx_now = ngx.now +local string = string +local fmt = string.format +local tostring = tostring +local tonumber = tonumber +local ipairs = ipairs + +local plugin_name = "chaitin-waf" + +local vars_schema = { + type = "array", +} + +local match_schema = { + type = "array", + items = { + type = "object", + properties = { + vars = vars_schema + } + }, +} + +local plugin_schema = { + type = "object", + properties = { + add_header = { + type = "boolean", + default = true + }, + add_debug_header = { + type = "boolean", + default = false + }, + match = match_schema, + config = { + type = "object", + properties = { + connect_timeout = { + type = "integer", + }, + send_timeout = { + type = "integer", + }, + read_timeout = { + type = "integer", + }, + req_body_size = { + type = "integer", + }, + keepalive_size = { + type = "integer", + }, + keepalive_timeout = { + type = "integer", + }, + remote_addr = { + type = "string", + } + }, + }, + }, +} + +local metadata_schema = { + type = "object", + properties = { + nodes = { + type = "array", + items = { + type = "object", + properties = { + host = { + type = "string", + }, + port = { + type = "integer", + minimum = 1, + default = 80 + }, + }, + required = { "host" } + }, + minItems = 1, + }, + config = { + type = "object", + properties = { + -- connect timeout, in milliseconds, integer, default 1s (1000ms) + connect_timeout = { + type = "integer", + default = 1000 + }, + -- send timeout, in milliseconds, integer, default 1s (1000ms) + send_timeout = { + type = "integer", + default = 1000 + }, + -- read timeout, in milliseconds, integer, default 1s (1000ms) + read_timeout = { + type = "integer", + default = 1000 + }, + -- request body size, in KB, integer, default 1MB (1024KB) + req_body_size = { + type = "integer", + default = 1024 + }, + -- maximum concurrent idle connections to + -- the SafeLine WAF detection service, integer, default 256 + keepalive_size = { + type = "integer", + default = 256 + }, + -- idle connection timeout, in milliseconds, integer, default 60s (60000ms) + keepalive_timeout = { + type = "integer", + default = 60000 + }, + -- remote address from ngx.var.VARIABLE, string + remote_addr = { + type = "string", + default = "http_x_forwarded_for: 1", + } + }, + default = {}, + }, + }, + required = { "nodes" }, +} + +local global_server_picker + +local _M = { + version = 0.1, + priority = 2700, + name = plugin_name, + schema = plugin_schema, + metadata_schema = metadata_schema +} + +function _M.check_schema(conf, schema_type) + if schema_type == core.schema.TYPE_METADATA then + return core.schema.check(metadata_schema, conf) + end + + local ok, err = core.schema.check(plugin_schema, conf) + + if not ok then + return false, err + end + + if conf.match then + for _, m in ipairs(conf.match) do + local ok, err = expr.new(m.vars) + if not ok then + return false, "failed to validate the 'vars' expression: " .. err + end + end + end + + return true +end + +local function get_healthy_chaitin_server_nodes(metadata, checker) + local nodes = metadata.nodes + local new_nodes = core.table.new(0, #nodes) + + for i = 1, #nodes do + local host, port = nodes[i].host, nodes[i].port + new_nodes[host .. ":" .. tostring(port)] = 1 + end + return new_nodes +end + +local function get_chaitin_server(metadata, ctx) + if not global_server_picker or global_server_picker.upstream ~= metadata.value.nodes then + local up_nodes = get_healthy_chaitin_server_nodes(metadata.value) + if core.table.nkeys(up_nodes) == 0 then + return nil, nil, "no healthy nodes" + end + core.log.info("chaitin-waf nodes: ", core.json.delay_encode(up_nodes)) + + global_server_picker = rr_balancer.new(up_nodes, metadata.value.nodes) + end + + local server = global_server_picker.get(ctx) + local host, port, err = core.utils.parse_addr(server) + if err then + return nil, nil, err + end + return host, port, nil +end + +local function check_match(conf, ctx) + local match_passed = true + + if conf.match then + for _, match in ipairs(conf.match) do + local exp, err = expr.new(match.vars) + if err then + local msg = "failed to create match expression for " .. + tostring(match.vars) .. ", err: " .. tostring(err) + core.log.error(msg) + return false, msg + end + + match_passed = exp:eval(ctx.var) + if match_passed then + break + end + end + end + + return match_passed, nil +end + +local function get_conf(conf, metadata) + local t = { + mode = "block", -- block or monitor or off, default off + } + + if metadata.config then + t.connect_timeout = metadata.config.connect_timeout + t.send_timeout = metadata.config.send_timeout + t.read_timeout = metadata.config.read_timeout + t.req_body_size = metadata.config.req_body_size + t.keepalive_size = metadata.config.keepalive_size + t.keepalive_timeout = metadata.config.keepalive_timeout + t.remote_addr = metadata.config.remote_addr + end + + if conf.config then + t.connect_timeout = conf.config.connect_timeout + t.send_timeout = conf.config.send_timeout + t.read_timeout = conf.config.read_timeout + t.req_body_size = conf.config.req_body_size + t.keepalive_size = conf.config.keepalive_size + t.keepalive_timeout = conf.config.keepalive_timeout + t.remote_addr = conf.config.remote_addr + end + return t +end + +local HEADER_CHAITIN_WAF = "X-APISIX-CHAITIN-WAF" +local HEADER_CHAITIN_WAF_ERROR = "X-APISIX-CHAITIN-WAF-ERROR" +local HEADER_CHAITIN_WAF_TIME = "X-APISIX-CHAITIN-WAF-TIME" +local HEADER_CHAITIN_WAF_STATUS = "X-APISIX-CHAITIN-WAF-STATUS" +local HEADER_CHAITIN_WAF_ACTION = "X-APISIX-CHAITIN-WAF-ACTION" +local HEADER_CHAITIN_WAF_SERVER = "X-APISIX-CHAITIN-WAF-SERVER" +local blocked_message = [[{"code": %s, "success":false, ]] .. + [["message": "blocked by Chaitin SafeLine Web Application Firewall", "event_id": "%s"}]] + +local function do_access(conf, ctx) + local extra_headers = {} + + local match, err = check_match(conf, ctx) + if not match then + if err then + extra_headers[HEADER_CHAITIN_WAF] = "err" + extra_headers[HEADER_CHAITIN_WAF_ERROR] = tostring(err) + return 500, nil, extra_headers + else + extra_headers[HEADER_CHAITIN_WAF] = "no" + return nil, nil, extra_headers + end + end + + local metadata = plugin.plugin_metadata(plugin_name) + if not core.table.try_read_attr(metadata, "value", "nodes") then + extra_headers[HEADER_CHAITIN_WAF] = "err" + extra_headers[HEADER_CHAITIN_WAF_ERROR] = "missing metadata" + return 500, nil, extra_headers + end + + local host, port, err = get_chaitin_server(metadata, ctx) + if err then + extra_headers[HEADER_CHAITIN_WAF] = "unhealthy" + extra_headers[HEADER_CHAITIN_WAF_ERROR] = tostring(err) + + return 500, nil, extra_headers + end + + core.log.info("picked chaitin-waf server: ", host, ":", port) + + local t = get_conf(conf, metadata.value) + t.host = host + t.port = port + + extra_headers[HEADER_CHAITIN_WAF_SERVER] = host + extra_headers[HEADER_CHAITIN_WAF] = "yes" + + local start_time = ngx_now() * 1000 + local ok, err, result = t1k.do_access(t, false) + if not ok then + extra_headers[HEADER_CHAITIN_WAF] = "waf-err" + local err_msg = tostring(err) + if core.string.find(err_msg, "timeout") then + extra_headers[HEADER_CHAITIN_WAF] = "timeout" + end + extra_headers[HEADER_CHAITIN_WAF_ERROR] = tostring(err) + else + extra_headers[HEADER_CHAITIN_WAF_ACTION] = "pass" + end + extra_headers[HEADER_CHAITIN_WAF_TIME] = ngx_now() * 1000 - start_time + + local code = 200 + extra_headers[HEADER_CHAITIN_WAF_STATUS] = code + if result then + if result.status then + code = result.status + extra_headers[HEADER_CHAITIN_WAF_STATUS] = code + extra_headers[HEADER_CHAITIN_WAF_ACTION] = "reject" + + core.log.error("request rejected by chaitin-waf, event_id: " .. result.event_id) + return tonumber(code), fmt(blocked_message, code, + result.event_id) .. "\n", extra_headers + end + end + if not ok then + extra_headers[HEADER_CHAITIN_WAF_STATUS] = nil + end + + return nil, nil, extra_headers +end + Review Comment: Done -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
