修改拦截策略的证书信息校验规则:

1. Keyring的下拉列表显示全部已生效的证书;
2. 如选择了实体证书,必须配置域名,或者IP与域名的组合配置;
3. 域名配置,如匹配方式为完全匹配,则域名必须与所选择的实体证书的CN和SAN相同。如匹配方式为后缀匹配,则域名须与所选择的实体证书的CN和SAN后缀相同;
4. 如选择了中间证书或者根证书,则可配置IP,或者域名,或者两者组合;

Conflicts:
	src/main/resources/messages/message_en.properties
	src/main/resources/messages/message_ru.properties
	src/main/resources/messages/message_zh_CN.properties
zhangwei
2019-01-19 14:39:40 +06:00
parent 9e6e2fbd37
commit aa5eccf995
5 changed files with 60 additions and 30 deletions


@@ -88,12 +88,12 @@ public class InterceptController extends CommonController {
} }
// 获取证书信息 // 获取证书信息
List<PxyObjKeyring> certificateList = new ArrayList<PxyObjKeyring>(); List<PxyObjKeyring> certificateList = new ArrayList<PxyObjKeyring>();
if (entity.getFunctionId().equals(200)) { // if (entity.getFunctionId().equals(200)) {
certificateList = pxyObjKeyringService.findPxyObjKeyrings(null, 1, 1, "ip"); certificateList = pxyObjKeyringService.findPxyObjKeyrings(null, 1, 1, null);
} // }
if (entity.getFunctionId().equals(201)) { // if (entity.getFunctionId().equals(201)) {
certificateList = pxyObjKeyringService.findPxyObjKeyrings(null, 1, 1, "domain"); // certificateList = pxyObjKeyringService.findPxyObjKeyrings(null, 1, 1, "domain");
} // }
model.addAttribute("certificateList", certificateList); model.addAttribute("certificateList", certificateList);
model.addAttribute("_cfg", entity); model.addAttribute("_cfg", entity);
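Review bot: With the `"ip"`/`"domain"` argument replaced by `null`, `findPxyObjKeyrings(null, 1, 1, null)` now fills `certificateList` with every keyring for both function IDs, so the list no longer constrains which certificate type can be paired with an IP or domain region. In this commit the "end-entity certificate requires a domain" rule appears only in the JSP's `validDomain` script, which runs in the browser; the save path (not visible here) should re-check the selected keyring's type and its CN/SAN against the submitted regions before persisting. The commented-out `if (entity.getFunctionId()...)` lines should be deleted rather than kept, and the initial `new ArrayList<PxyObjKeyring>()` is now dead because it is overwritten on the next statement. The enclosing method starts and ends outside the hunk.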


@@ -1475,4 +1475,9 @@ block_drop=Block(Drop)
mail_record=Mail Records mail_record=Mail Records
ssl_record=SSL Records ssl_record=SSL Records
http_record=HTTP Records http_record=HTTP Records
second_bps=bps second_bps=bps
ip_existed=IP has existed!
user_check=In use, Can not be deleted!
deletedAsnTip=The asnId ASN configuration with ID cfgId is deleted;
reedit=Please re-edit!
intercep_domain_required_tip=Domain is required


@@ -1479,4 +1479,10 @@ framework_log=\u0421\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u0438\u0440\u043e
block_drop=\u0411\u043b\u043e\u043a\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435(\u041f\u0430\u0434\u0435\u043d\u0438\u0435) block_drop=\u0411\u043b\u043e\u043a\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435(\u041f\u0430\u0434\u0435\u043d\u0438\u0435)
mail_record=\u0417\u0430\u043f\u0438\u0441\u0438 \u041f\u043e\u0447\u0442\u044b mail_record=\u0417\u0430\u043f\u0438\u0441\u0438 \u041f\u043e\u0447\u0442\u044b
ssl_record=SSL \u0417\u0430\u043f\u0438\u0441\u0438 ssl_record=SSL \u0417\u0430\u043f\u0438\u0441\u0438
http_record=HTTP \u0417\u0430\u043f\u0438\u0441\u0438 http_record=HTTP \u0417\u0430\u043f\u0438\u0441\u0438
second_bps=bps
ip_existed=IP \u0443\u0436\u0435 \u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442!
user_check=\u0414\u0430\u043D\u043D\u044B\u0439 \u043E\u0431\u044A\u0435\u043A\u0442 \u0437\u0430\u043D\u044F\u0442, \u043D\u0435\u043B\u044C\u0437\u044F \u0443\u0434\u0430\u043B\u0438\u0442\u044C!
deletedAsnTip=\u041A\u043E\u043D\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u044F \u2116 cfgId \u0441 ASN asnId \u0431\u044B\u043B\u0430 \u0443\u0434\u0430\u043B\u0435\u043D\u0430;
reedit=\u041F\u043E\u0436\u0430\u043B\u0443\u0439\u0441\u0442\u0430, \u0440\u0435\u0434\u0430\u043A\u0442\u0438\u0440\u0443\u0439\u0442\u0435 \u0437\u0430\u043D\u043E\u0432\u043E!
intercep_domain_required_tip=Domain is required


@@ -1475,4 +1475,9 @@ block_drop=\u5c01\u5835(\u4e22\u5f03)
mail_record=\u90ae\u4ef6\u6cdb\u6536 mail_record=\u90ae\u4ef6\u6cdb\u6536
ssl_record=SSL\u6cdb\u6536 ssl_record=SSL\u6cdb\u6536
http_record=HTTP\u6cdb\u6536 http_record=HTTP\u6cdb\u6536
second_bps=bps second_bps=bps
ip_existed=IP\u5DF2\u5B58\u5728\uFF01
user_check=\u6B63\u5728\u4F7F\u7528\uFF0C\u4E0D\u80FD\u5220\u9664\uFF01
deletedAsnTip=\u914D\u7F6EID\u4E3AcfgId\u7684asnId ASN\u914D\u7F6E\u5DF2\u88AB\u5220\u9664;
reedit=\u8BF7\u91CD\u65B0\u7F16\u8F91\uFF01
intercep_domain_required_tip=\u57DF\u540D\u4FE1\u606F\u5FC5\u987B\u914D\u7F6E


@@ -50,15 +50,25 @@
var flag = true; var flag = true;
var actionValue=$("input[name=action]:checked").val(); var actionValue=$("input[name=action]:checked").val();
flag=validDomain(actionValue);
if(!flag){
return;
}
//代表所有业务都隐藏了,提示必须增加一种业务数据 //代表所有业务都隐藏了,提示必须增加一种业务数据
if($(".boxSolid").length ==$(".boxSolid.hidden").length){ if($(".boxSolid").length ==$(".boxSolid.hidden").length){
top.$.jBox.tip("<spring:message code='one_more'/>", "<spring:message code='info'/>"); top.$.jBox.tip("<spring:message code='one_more'/>", "<spring:message code='info'/>");
return; return;
}else{
$(".boxSolid").each(function(){
if($(this).hasClass("intercept_domain_div")){
var inputObj = $(this).find("input[name$='cfgRegionCode']");
flag=validDomain(actionValue,inputObj);
if(!flag){
return;
}
}
});
if(!flag){
return;
}
} }
//代表所有区域都隐藏了,提示必须增加个区域信息 //代表所有区域都隐藏了,提示必须增加个区域信息
@@ -188,20 +198,27 @@
$("#certDomain").addClass("hidden"); $("#certDomain").addClass("hidden");
} }
} }
var validDomain=function(actionValue){ var validDomain=function(actionValue,inputObj){
var flag=false; var flag=false;
if(actionValue == 1){ if(actionValue == 1){
var serviceType=$(inputObj).attr("serviceType");
var prefixName=$(inputObj).attr("name").split("cfgRegionCode")[0];
//var matchMethod=$("select[name='"+prefixName+"matchMethod']").val();
var cert=$(".monitAction").find("select[name='userRegion1']").val(); var cert=$(".monitAction").find("select[name='userRegion1']").val();
var keyringType=$(".monitAction").find("select[name='userRegion1']").find("option[value='"+cert+"']").attr("keyringType"); var keyringType=$(".monitAction").find("select[name='userRegion1']").find("option[value='"+cert+"']").attr("keyringType");
if(cert != '' && keyringType == 'end-entity'){ if(cert != '' && keyringType == 'end-entity'){
var domainDiv = $(inputObj).parent(".intercept_domain_div").is(':hidden');
if(domainDiv){
top.$.jBox.tip("<spring:message code='intercep_domain_required_tip'/>", "<spring:message code='info'/>");
return false;
}
var cn=$(".monitAction").find("select[name='userRegion1']").find("option[value='"+cert+"']").attr("cn"); var cn=$(".monitAction").find("select[name='userRegion1']").find("option[value='"+cert+"']").attr("cn");
if(cn !='' && cn != null){ if(cn !='' && cn != null){
var cnReg = new RegExp('^(?=^.{3,255}$)[a-zA-Z0-9][-a-zA-Z0-9]{0,62}(\\'+cn.replace("*","")+')+$'); var cnReg = new RegExp('^(?=^.{3,255}$)[a-zA-Z0-9][-a-zA-Z0-9]{0,62}(\\'+cn.replace("*","")+')+$');
var san=$(".monitAction").find("select[name='userRegion1']").find("option[value='"+cert+"']").attr("san"); var san=$(".monitAction").find("select[name='userRegion1']").find("option[value='"+cert+"']").attr("san");
if(san != null && san !=''){ if(san != null && san !=''){
$("input[name$='cfgRegionCode'").each(function(){ //$(".intercept_domain_div").each(function(){
var serviceType=$(this).attr("serviceType");
var prefixName=$(this).attr("name").split("cfgRegionCode")[0];
if(serviceType == "intercept_domain"){ if(serviceType == "intercept_domain"){
var domain=$("input[name='"+prefixName+"cfgKeywords']").val(); var domain=$("input[name='"+prefixName+"cfgKeywords']").val();
var domain=domain.trim(); var domain=domain.trim();
@@ -212,25 +229,26 @@
break; break;
} }
var sanStr=san.split(",")[i].trim(); var sanStr=san.split(",")[i].trim();
if(sanStr.indexOf("*") >-1){ if(sanStr.indexOf("*") >-1){//如证书域名包含*,则用该域名与配置进行后缀匹配
var sanReg= new RegExp('^(?=^.{3,255}$)[a-zA-Z0-9][-a-zA-Z0-9]{0,62}(\\'+sanStr.replace("*","")+')+$'); var sanReg= new RegExp('^(?=^.{3,255}$)[a-zA-Z0-9][-a-zA-Z0-9]{0,62}(\\'+sanStr.replace("*","")+')+$');
if(sanReg.exec(domain) != null){ if(sanReg.exec(domain) != null){
flag=true; flag=true;
} }
}else{ }else{//证书域名不包含*,则该域名与配置完全匹配
if(sanStr == domain){ //完全匹配 if(sanStr == domain){ //完全匹配
flag=true; flag=true;
} }
} }
} }
} }
if(!flag){ if(!flag){
if(cn.indexOf("*") > -1){ if(cn.indexOf("*") > -1){//如证书域名包含*,则用该域名与配置进行后缀匹配
if(cnReg.exec(domain) != null){ if(cnReg.exec(domain) != null){
flag=true; flag=true;
} }
}else{ }else{//证书域名不包含*,则该域名与配置完全匹配
if(cn == domain){ //完全匹配 if(cn == domain){ //完全匹配
flag=true; flag=true;
} }
@@ -246,12 +264,10 @@
}else{ }else{
$("div[for='"+prefixName+"cfgKeywords']").html(""); $("div[for='"+prefixName+"cfgKeywords']").html("");
} }
}); //});
}else{ }else{
flag=false; flag=false;
$("input[name$='cfgRegionCode'").each(function(){ //$("input[name$='cfgRegionCode'").each(function(){
var serviceType=$(this).attr("serviceType");
var prefixName=$(this).attr("name").split("cfgRegionCode")[0];
if(serviceType == "intercept_domain"){ if(serviceType == "intercept_domain"){
if(error ==null || error.trim() == ''){ if(error ==null || error.trim() == ''){
$("div[for='"+prefixName+"cfgKeywords']").html(""); $("div[for='"+prefixName+"cfgKeywords']").html("");
@@ -259,13 +275,11 @@
} }
} }
}); //});
} }
}else{ }else{
flag=false; flag=false;
$("input[name$='cfgRegionCode'").each(function(){ //$("input[name$='cfgRegionCode'").each(function(){
var serviceType=$(this).attr("serviceType");
var prefixName=$(this).attr("name").split("cfgRegionCode")[0];
var error=$("div[for='"+prefixName+"cfgKeywords']").html(); var error=$("div[for='"+prefixName+"cfgKeywords']").html();
if(serviceType == "intercept_domain"){ if(serviceType == "intercept_domain"){
if(error ==null || error.trim() == ''){ if(error ==null || error.trim() == ''){
@@ -274,7 +288,7 @@
} }
} }
}); //});
} }
}else{ }else{
flag=true; flag=true;
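Review bot: In the new `$(".boxSolid").each(...)` loop the `if(!flag){ return; }` does not stop the iteration, because jQuery's `.each` only breaks on `return false`; the remaining `intercept_domain_div` blocks are still validated and `flag` ends up holding the result of the last one. A form whose earlier domain does not match the certificate's CN/SAN but whose last one does would therefore pass the `if(!flag)` check after the loop; change the callback to `if(!flag){ return false; }`. Separately, `cnReg` and `sanReg` are built from `cn.replace("*","")` / `sanStr.replace("*","")` with only the leading character escaped, so the other dots in the certificate name act as regex wildcards and the suffix match is looser than the certificate allows; escaping the whole name before `new RegExp` would make it exact. The submit handler and `validDomain` both extend beyond the hunks shown.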