From d70f53301e84c69e2ea444a3d39f5e81ed35b24f Mon Sep 17 00:00:00 2001
From: zhangwenqing
Date: Tue, 15 Jan 2019 14:12:33 +0800
Subject: [PATCH] =?UTF-8?q?IP=20Spoofing=E5=A2=9E=E5=8A=A0=E9=85=8D?=
 =?UTF-8?q?=E7=BD=AE=E5=AF=BC=E5=85=A5=E5=8A=9F=E8=83=BD.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../template/IpSpoofingTemplate.java | 31 ++++
 .../java/com/nis/util/excel/ExportExcel.java | 33 +++-
 .../excel/thread/CheckIpFormatThread.java | 32 ++++
 .../nis/web/controller/BaseController.java | 149 ++++++++++++++++++
 .../configuration/ntc/IpController.java | 6 +
 .../configuration/PxyObjSpoofingIpPoolDao.xml | 4 +-
 .../java/com/nis/web/service/BaseService.java | 3 +
 .../configuration/InterceptCfgService.java | 2 +
 .../PxyObjSpoofingIpPoolService.java | 25 +++
 .../sql/20190115/update_function_dicts.sql | 3 +
 10 files changed, 285 insertions(+), 3 deletions(-)
 create mode 100644 src/main/java/com/nis/domain/configuration/template/IpSpoofingTemplate.java
 create mode 100644 src/main/resources/sql/20190115/update_function_dicts.sql
diff --git a/src/main/java/com/nis/domain/configuration/template/IpSpoofingTemplate.java b/src/main/java/com/nis/domain/configuration/template/IpSpoofingTemplate.java
new file mode 100644
index 000000000..13274838f
--- /dev/null
+++ b/src/main/java/com/nis/domain/configuration/template/IpSpoofingTemplate.java
@@ -0,0 +1,31 @@
+package com.nis.domain.configuration.template;
+
+import com.nis.util.excel.ExcelField;
+
+/**
+ * EXCEL IpSpoofing 导入模板
+ * @author dell
+ *
+ */
+public class IpSpoofingTemplate extends IpAllTemplate{
+
+ private String userRegion1;
+ private String userRegion2;
+
+ @ExcelField(title="spoofing",dictType="SPOOFING_IP_TYPE",align=2,sort=3)
+ public String getUserRegion1() {
+ return userRegion1;
+ }
+ public void setUserRegion1(String userRegion1) {
+ this.userRegion1 = userRegion1;
+ }
+
+ @ExcelField(title="With",align=2,sort=4)
+ public String getUserRegion2() {
+ return userRegion2;
+ }
+ public void setUserRegion2(String userRegion2) {
+ this.userRegion2 = userRegion2;
+ }
+
+}
diff --git a/src/main/java/com/nis/util/excel/ExportExcel.java b/src/main/java/com/nis/util/excel/ExportExcel.java
index 1b48a066f..932c07abd 100644
--- a/src/main/java/com/nis/util/excel/ExportExcel.java
+++ b/src/main/java/com/nis/util/excel/ExportExcel.java
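Review bot: The new template class carries only a placeholder `@author dell` Javadoc, yet its two column values drive security-relevant behavior elsewhere in this patch: BaseController derives the pool's NAT direction from userRegion1 (`"dnat"` selects direction 1, anything else direction 2) and writes userRegion2 straight into the spoofing IP pool as the spoofed address, and ExportExcel matches the title strings `"spoofing"` and `"With"` literally. I would replace the class Javadoc with something like `Excel import template for IP Spoofing (function 214): userRegion1 holds a SPOOFING_IP_TYPE dictionary code (the code "dnat" selects server-side spoofing, any other code client-side), userRegion2 the IPv4 address that is added to the spoofing IP pool. The @ExcelField titles are matched literally by ExportExcel, so they are keys rather than display text.` A one-line comment on each getter naming the dictionary and the IPv4 constraint enforced by CheckIpFormatThread would also help the next maintainer.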
@@ -522,7 +522,38 @@ public class ExportExcel {
 index++;
 }
 }
-
+
+ /** Ip Spoofing **/
+ if("spoofing".equals(headerStr) && (region.getFunctionId().equals(214))){
+ commentStr="";
+ List dict=DictUtils.getDictList("SPOOFING_IP_TYPE");
+ if(dict !=null && dict.size()>0){
+ for (SysDataDictionaryItem sysDataDictionaryItem : dict) {
+ commentStr=commentStr+sysDataDictionaryItem.getItemCode()+"("+msgProp.getProperty(sysDataDictionaryItem.getItemValue(),sysDataDictionaryItem.getItemValue())+")\n";
+ index++;
+ }
+ defaultValue=dict.get(0).getItemCode();
+ }
+ commentStr=msgProp.getProperty("select")+":\n"+commentStr;
+ index++;
+ index++;
+ commentStr=commentStr+"\n"+msgProp.getProperty("rule_desc_tip")+":\n";
+ index++;
+ if(!StringUtil.isEmpty(defaultValue)){
+ //1、默认值说明
+ commentStr=commentStr+"▶"+msgProp.getProperty("default_value")+":"+defaultValue+"\n";
+ index++;
+ index++;
+ }
+ }
+ if(("With".equals(headerStr)) && (region.getFunctionId().equals(214))){
+ commentStr=commentStr+msgProp.getProperty("rule_desc_tip")+":\n";
+ index++;
+ //1、非空
+ commentStr=commentStr+"▶"+msgProp.getProperty("required")+"\n";
+ index++;
+ }
+
 if(region.getRegionType().equals(1)){//IP配置
 //ip配置需要导入的信息:srcIp srcPort destIp destPort Protocol Direction
 //确定需要导入的srcIp srcPort destIp destPort信息
diff --git a/src/main/java/com/nis/util/excel/thread/CheckIpFormatThread.java b/src/main/java/com/nis/util/excel/thread/CheckIpFormatThread.java
index e5f017850..d8c7ce563 100644
--- a/src/main/java/com/nis/util/excel/thread/CheckIpFormatThread.java
+++ b/src/main/java/com/nis/util/excel/thread/CheckIpFormatThread.java
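Review bot: The `spoofing` branch starts with `commentStr="";`, discarding whatever comment text the code above the hunk built for this header, while the `With` branch below appends to the existing value; if the reset is intentional it deserves a comment such as `// spoofing column: replace the generic comment with the dictionary-driven one`, otherwise the earlier text is silently lost. The default advertised in the template, `dict.get(0).getItemCode()`, is whichever row the dictionary query happens to return first, and CheckIpFormatThread independently makes the same `get(0)` choice for blank cells — the two must stay in sync, so a shared helper or an explicitly flagged default code would be safer than duplicating the index. The bare `index++; index++;` runs give no hint of what `index` counts; a short comment on the first one would help. The enclosing method starts and ends outside this hunk.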
@@ -521,6 +521,38 @@ public class CheckIpFormatThread implements Callable{
 }
 }
+ // IpSpoofing
+ if (regionDict.getFunctionId().equals(214)) {
+ List dicts = DictUtils.getDictList("SPOOFING_IP_TYPE");
+ if(StringUtils.isBlank(baseIpCfg.getUserRegion1())) {
+ baseIpCfg.setUserRegion1(dicts.get(0).getItemCode());
+ }
+ String userRegion1 = baseIpCfg.getUserRegion1(); // SpooFing
+ String userRegion2 = baseIpCfg.getUserRegion2(); // With
+ if (StringUtils.isNotBlank(userRegion1)) {
+ boolean has = false;
+ for (SysDataDictionaryItem dict : dicts) {
+ if (dict.getItemCode().equals(userRegion1)) {
+ has = true;
+ break;
+ }
+ }
+ if (!has) {
+ errInfo.append(String.format(prop.getProperty("is_incorrect"),prop.getProperty("spoofing") + " ") + ";");
+ }
+ }
+ String errMsg = null == prop.getProperty("With")?"With ":prop.getProperty("With");
+ if(StringUtils.isBlank(userRegion2)) {
+ errInfo.append(
+ String.format(prop.getProperty("can_not_null"),errMsg + " ") + ";");
+ }else {
+ String regex = "^((25[0-5]|2[0-4]\\d|[01]?\\d\\d?)\\.){3}(25[0-5]|2[0-4]\\d|[01]?\\d\\d?)$";
+ if(!userRegion2.matches(regex)) {
+ errInfo.append(String.format(prop.getProperty("is_in_wrong_format"),errMsg +" ") + ";");
+ }
+ }
+ }
+
 if (regionDict.getRegionType().equals(1)) {
 boolean srcIpEmpty = false;
 boolean destIpEmpty = false;
diff --git a/src/main/java/com/nis/web/controller/BaseController.java b/src/main/java/com/nis/web/controller/BaseController.java
index bdfce26ee..54c3a024f 100644
--- a/src/main/java/com/nis/web/controller/BaseController.java
+++ b/src/main/java/com/nis/web/controller/BaseController.java
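Review bot: `dicts` is dereferenced without a guard — `dicts.get(0)` and the for-loop throw if `DictUtils.getDictList("SPOOFING_IP_TYPE")` returns null or an empty list, so a missing dictionary aborts the whole check thread instead of producing an `errInfo` entry, whereas the ExportExcel hunk in this same patch guards the same list with `dict !=null && dict.size()>0`. A blank spoofing cell is silently replaced by the first dictionary row, which means the NAT direction later derived from this value in BaseController depends on dictionary ordering rather than on anything the user entered; reporting it through `errInfo` the way the `With` column is, or at least documenting the default with `// blank cell: fall back to the first SPOOFING_IP_TYPE code`, would be safer. The IPv4 regex accepts leading-zero octets such as `01.02.03.004`, which some consumers parse as octal; `(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)` per octet rejects them, and the pattern should be a `static final Pattern` rather than `String.matches` recompiled on every row. The enclosing method starts and ends outside this hunk.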
@@ -73,6 +73,7 @@ import com.nis.domain.configuration.DnsResStrategy;
 import com.nis.domain.configuration.FileDigestCfg;
 import com.nis.domain.configuration.IpPortCfg;
 import com.nis.domain.configuration.PxyObjKeyring;
+import com.nis.domain.configuration.PxyObjSpoofingIpPool;
 import com.nis.domain.configuration.PxyObjTrustedCaCert;
 import com.nis.domain.configuration.PxyObjTrustedCaCrl;
 import com.nis.domain.configuration.RequestInfo;
@@ -104,6 +105,7 @@ import com.nis.domain.configuration.template.IpAllTemplate;
 import com.nis.domain.configuration.template.IpCfgTemplate;
 import com.nis.domain.configuration.template.IpPayloadTemplate;
 import com.nis.domain.configuration.template.IpRateLimitTemplate;
+import com.nis.domain.configuration.template.IpSpoofingTemplate;
 import com.nis.domain.configuration.template.IpWhitelistTemplate;
 import com.nis.domain.configuration.template.P2pHashStringTemplate;
 import com.nis.domain.configuration.template.P2pIpTemplate;
@@ -120,6 +122,7 @@ import com.nis.domain.maat.MaatCfg.NumBoundaryCfg;
 import com.nis.domain.maat.MaatCfg.StringCfg;
 import com.nis.domain.report.NtcPzReport;
 import com.nis.domain.maat.ToMaatBean;
+import com.nis.domain.maat.ToMaatResult;
 import com.nis.domain.specific.ConfigGroupInfo;
 import com.nis.domain.specific.SpecificServiceCfg;
 import com.nis.exceptions.MaatConvertException;
@@ -142,6 +145,7 @@ import com.nis.util.excel.thread.CheckDnsResStrategyFormatThread;
 import com.nis.util.excel.thread.CheckIpFormatThread;
 import com.nis.util.excel.thread.CheckStringFormatThread;
 import com.nis.util.excel.thread.CheckTopicWebsiteFormatThread;
+import com.nis.web.dao.configuration.PxyObjSpoofingIpPoolDao;
 import com.nis.web.security.UserUtils;
 import com.nis.web.service.ArchiveServcie;
 import com.nis.web.service.AreaService;
@@ -151,6 +155,7 @@ import com.nis.web.service.LogService;
 import com.nis.web.service.MenuService;
 import com.nis.web.service.OfficeService;
 import com.nis.web.service.RoleService;
+import com.nis.web.service.SpringContextHolder;
 import com.nis.web.service.SystemService;
 import com.nis.web.service.UserService;
 import com.nis.web.service.basics.AsnGroupInfoService;
@@ -1435,6 +1440,9 @@ public class BaseController {
 }else if(regionDict.getFunctionId().equals(3)) { // IP白名单
 BlockingQueue list = ei.getDataList(IpWhitelistTemplate.class );
 ipPortCfgs=this.checkIpCfgMulity(errTip,serviceDict, regionDict,null,asnGroupInfos, list);
+}else if(regionDict.getFunctionId().equals(214)) { // IpSpoofing
+ BlockingQueue list = ei.getDataList(IpSpoofingTemplate.class );
+ ipPortCfgs=this.checkIpCfgMulity(errTip,serviceDict, regionDict,null,asnGroupInfos, list);
 }else {
 BlockingQueue list = ei.getDataList(IpAllTemplate.class );
 ipPortCfgs=this.checkIpCfgMulity(errTip,serviceDict, regionDict, null,asnGroupInfos, list);
@@ -1627,6 +1635,145 @@ public class BaseController {
 _ipPortCfgs.clear();
 asnIpCfgs.clear();
 }
+}else if(regionDict.getFunctionId().intValue()==214) { // IpSpoofing
+ List _ipPortCfgs=Lists.newArrayList(Constants.MAAT_JSON_SEND_SIZE);
+ while(!ipPortCfgs.isEmpty()) {
+ ipPortCfgs.drainTo(_ipPortCfgs, Constants.MAAT_JSON_SEND_SIZE);
+ List compileIds=Lists.newArrayList();
+ List spoofingPoolIds=Lists.newArrayList();
+ List regionIds=Lists.newArrayList();
+ List groupIds=Lists.newArrayList();
+ List numRegionGroupIds=Lists.newArrayList();
+ List numRegionRegionIds=Lists.newArrayList();
+ List spoofingPools = new ArrayList();
+ PxyObjSpoofingIpPoolDao pxyObjSpoofingIpPoolDao = SpringContextHolder.getBean(PxyObjSpoofingIpPoolDao.class);
+ PxyObjSpoofingIpPoolService pxyObjSpoofingIpPoolService = SpringContextHolder.getBean(PxyObjSpoofingIpPoolService.class);
+ try {
+ compileIds = ConfigServiceUtil.getId(1,_ipPortCfgs.size());
+ spoofingPoolIds = ConfigServiceUtil.getId(1,_ipPortCfgs.size());
+ if(isSend.equals("1")) {
+ groupIds = ConfigServiceUtil.getId(2,_ipPortCfgs.size());
+ regionIds = ConfigServiceUtil.getId(3,_ipPortCfgs.size());
+ //需要获取数值域的id
+ if(serviceDict!=null&&serviceDict.getProtocolId()!=null&&serviceDict.getProtocolId()>0) {
+ numRegionGroupIds = ConfigServiceUtil.getId(2,_ipPortCfgs.size());
+ numRegionRegionIds = ConfigServiceUtil.getId(3,_ipPortCfgs.size());
+ }
+ }
+ } catch (Exception e) {
+ e.printStackTrace();
+ logger.info("获取编译ID出错");
+ throw new MaatConvertException(":"+e.getMessage());
+ }
+
+ int ind=0;
+ for (BaseIpCfg cfg : _ipPortCfgs) {
+ cfg.setAction(serviceDict==null?null:serviceDict.getAction());
+ cfg.setCfgRegionCode(regionDict.getConfigRegionCode());
+ cfg.setCfgType(regionDict.getConfigRegionValue());
+ cfg.setCreateTime(date);
+ cfg.setCreatorId(UserUtils.getUser().getId());
+ cfg.setFunctionId(regionDict.getFunctionId());
+ if(isSend.equals("1")) {
+ cfg.setIsAudit(Constants.AUDIT_YES);
+ cfg.setIsValid(Constants.VALID_YES);
+ cfg.setAuditorId(UserUtils.getUser().getId());
+ cfg.setAuditTime(date);
+ if(groupIds!=null&&groupIds.size()==_ipPortCfgs.size()) {
+ cfg.setGroupId(groupIds.get(ind));
+ }
+ if(regionIds!=null&®ionIds.size()==_ipPortCfgs.size()) {
+ cfg.setRegionId(regionIds.get(ind));
+ }
+ if(serviceDict!=null&&serviceDict.getProtocolId()!=null) {
+ if(numRegionGroupIds!=null&&numRegionGroupIds.size()==_ipPortCfgs.size()) {
+ cfg.setNumberRegionGroupId(numRegionGroupIds.get(ind));
+ }
+ if(numRegionRegionIds!=null&&numRegionRegionIds.size()==_ipPortCfgs.size()) {
+ cfg.setNumberRegionRegionId(numRegionRegionIds.get(ind));
+ }
+ }
+ }else {
+ cfg.setIsAudit(Constants.AUDIT_NOT_YET);
+ cfg.setIsValid(Constants.VALID_NO);
+ }
+ cfg.setIsAreaEffective(0);
+ cfg.setLable("0");
+ cfg.setRequestId(StringUtil.isEmpty(requestId) ? 0 : requestId);
+ cfg.setAttribute(attribute);
+ cfg.setClassify(classify);
+ cfg.setServiceId(serviceDict==null?null:serviceDict.getServiceId());
+ cfg.setTableName("ip_port_cfg");
+ if(compileIds.size()==_ipPortCfgs.size()) {
+ cfg.setCompileId(compileIds.get(ind));
+ }
+
+ // 保存IP仿冒池
+ PxyObjSpoofingIpPool spoofingPool = new PxyObjSpoofingIpPool();
+ spoofingPool.setIpType(4);//ipv4
+ spoofingPool.setIpAddress(cfg.getUserRegion2());//仿冒IP
+ spoofingPool.setProtocol(0);
+ if("dnat".equals(cfg.getUserRegion1().toLowerCase())){//spoofing server ip->dnat
+ spoofingPool.setDirection(1);
+ }else{
+ spoofingPool.setDirection(2);//spoofing client ip->snat
+ }
+ spoofingPool.setPort("0");
+ spoofingPool.setUserRegion("0");
+ spoofingPool.setLocation(0);
+ spoofingPool.setServiceId(642);
+ spoofingPool.setAreaEffectiveIds("0");
+ spoofingPool.setIsAreaEffective(0);
+ spoofingPool.setCreateTime(date);
+ spoofingPool.setCreatorId(UserUtils.getUser().getId());
+ if(spoofingPoolIds.size()==_ipPortCfgs.size()) {
+ spoofingPool.setCompileId(spoofingPoolIds.get(ind));
+ }
+ spoofingPool.setAction(1);
+ spoofingPool.setFunctionId(666);
+ spoofingPool.setRequestId(0);
+ if(isSend.equals("1")) {
+ spoofingPool.setIsAudit(Constants.AUDIT_YES);
+ spoofingPool.setIsValid(Constants.VALID_YES);
+ spoofingPool.setAuditorId(UserUtils.getUser().getId());
+ spoofingPool.setAuditTime(date);
+
+ }else {
+ spoofingPool.setIsValid(Constants.VALID_NO);
+ spoofingPool.setIsAudit(Constants.AUDIT_NOT_YET);
+
+ }
+ pxyObjSpoofingIpPoolDao.insert(spoofingPool);//保存仿冒IP池配置
+ cfg.setUserRegion3(String.valueOf(spoofingPool.getCfgId()));//将仿冒IP池配置ID作为策略组ID
+
+ if(isSend.equals("1")) {
+ PxyObjSpoofingIpPool pool=new PxyObjSpoofingIpPool();
+ pool.setCfgId(Long.valueOf(cfg.getUserRegion3()));
+ pool.setIsValid(cfg.getIsValid());
+ pool.setIsAudit(cfg.getIsAudit());
+ pool.setAuditorId(UserUtils.getUser().getId());
+ pool.setAuditTime(date);
+ pxyObjSpoofingIpPoolDao.update(pool);
+
+ spoofingPool.setAreaEffectiveIds("0");
+ spoofingPool.setGroupId(spoofingPool.getCfgId().intValue());
+ spoofingPools.add(spoofingPool);
+ }
+
+ CfgIndexInfo cfgIndexInfo = new CfgIndexInfo();
+ BeanUtils.copyProperties(cfg, cfgIndexInfo,new String[] {"cfgId"});
+ cfgIndexInfos.add(cfgIndexInfo);
+
+ ind++;
+ }
+ if(isSend.equals("1") && spoofingPools.size()>0) {
+ pxyObjSpoofingIpPoolService.auditSpoofingPool(spoofingPools);
+ }
+ ipCfgService.saveAndSend(regionDict, serviceDict, specificServiceCfg, _ipPortCfgs, cfgIndexInfos, appPolicyCfgs,appFeatureIndexs,asnNoMaps,isSend.equals("1"));
+ cfgIndexInfos.clear();
+ appPolicyCfgs.clear();
+ _ipPortCfgs.clear();
+ }
 }else {
 List _ipPortCfgs=Lists.newArrayList(Constants.MAAT_JSON_SEND_SIZE);
 while(!ipPortCfgs.isEmpty()) {
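Review bot: For each row the spoofing pool entry is inserted through a DAO fetched with `SpringContextHolder.getBean` inside the controller, and when isSend is "1" the collected entries are pushed to the backend by `auditSpoofingPool` before `ipCfgService.saveAndSend` persists and sends the ip_port_cfg rows that reference them via userRegion3; if `saveAndSend` throws, the pool rows are already committed, audited and valid with nothing pointing at them, unless a transaction boundary outside this hunk covers the controller method. Moving the pool insert into the service that performs saveAndSend, or at least calling `auditSpoofingPool` only after `saveAndSend` has returned, would keep the two in step and avoid orphaned live pool entries. The `pxyObjSpoofingIpPoolDao.update(pool)` directly after `insert` rewrites the isValid/isAudit/auditor values the insert already received from the bean (the mapper in this patch now takes them from the bean), so it looks like a redundant round-trip unless `update` touches columns the insert does not. `setServiceId(642)` and `setFunctionId(666)` repeat literals that also appear in InterceptCfgService and belong in named constants, and `cfg.getUserRegion1().toLowerCase()` should pass `Locale.ROOT` so the DNAT test does not depend on the server locale. The enclosing method starts and ends outside this hunk.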
@@ -2297,6 +2444,8 @@ public class BaseController {
 }
 } else if(regionDict.getFunctionId().equals(3)) { // IP白名单
 ei.loadInitParams(IpWhitelistTemplate.class, msgProp, regionDict, serviceDict);
+ } else if(regionDict.getFunctionId().equals(214)) { // IpSpoofing
+ ei.loadInitParams(IpSpoofingTemplate.class, msgProp, regionDict, serviceDict);
 } else {
 ei.loadInitParams(IpAllTemplate.class, msgProp, regionDict, serviceDict);
 }
diff --git a/src/main/java/com/nis/web/controller/configuration/ntc/IpController.java b/src/main/java/com/nis/web/controller/configuration/ntc/IpController.java
index 51e6ed59a..3a02f7288 100644
--- a/src/main/java/com/nis/web/controller/configuration/ntc/IpController.java
+++ b/src/main/java/com/nis/web/controller/configuration/ntc/IpController.java
@@ -58,6 +58,7 @@ import com.nis.domain.configuration.template.IpAllNotDoLogTemplate;
 import com.nis.domain.configuration.template.IpAllTemplate;
 import com.nis.domain.configuration.template.IpPayloadTemplate;
 import com.nis.domain.configuration.template.IpRateLimitTemplate;
+import com.nis.domain.configuration.template.IpSpoofingTemplate;
 import com.nis.domain.configuration.template.IpWhitelistTemplate;
 import com.nis.domain.configuration.template.P2pHashStringTemplate;
 import com.nis.domain.configuration.template.P2pIpTemplate;
@@ -417,6 +418,11 @@ public class IpController extends BaseController{
 excel.setDataList(pro,classList,null).
 write(request,response, fileName).dispose();
 }
+}else if(regionDict.getFunctionId().equals(214)){// IpSpoofing
+ List classList=new ArrayList();
+ ExportExcel excel=new ExportExcel(serviceDict,regionDict,this.getMsgProp(),null, IpSpoofingTemplate.class, 2);
+ excel.setDataList(pro,classList,null).
+ write(request,response, fileName).dispose();
 }else{
 List classList=new ArrayList();
 ExportExcel excel=new ExportExcel(serviceDict,regionDict,pro,null, IpAllTemplate.class, 2);
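Review bot: The new 214 branch in IpController builds `ExportExcel` with `this.getMsgProp()` as the message source while the sibling branches in the same hunk pass `pro`; if `pro` is a request- or locale-specific copy of the properties (its construction is outside the hunk), the spoofing template's header comments will be rendered from a different bundle than every other template. Unless that difference is deliberate, the line should read `ExportExcel excel=new ExportExcel(serviceDict,regionDict,pro,null, IpSpoofingTemplate.class, 2);`. The branch is otherwise identical to the else branch apart from the template class, so picking the class first and sharing the export code would avoid one more copy of the four-line export sequence. The enclosing method starts and ends outside this hunk.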
diff --git a/src/main/java/com/nis/web/dao/configuration/PxyObjSpoofingIpPoolDao.xml b/src/main/java/com/nis/web/dao/configuration/PxyObjSpoofingIpPoolDao.xml
index 399c7a143..da1d89aba 100644
--- a/src/main/java/com/nis/web/dao/configuration/PxyObjSpoofingIpPoolDao.xml
+++ b/src/main/java/com/nis/web/dao/configuration/PxyObjSpoofingIpPoolDao.xml
@@ -180,8 +180,8 @@
 )values (
 #{cfgDesc,jdbcType=VARCHAR},
 #{action,jdbcType=INTEGER},
- 0,
- 0,
+ #{isValid,jdbcType=INTEGER},
+ #{isAudit,jdbcType=INTEGER},
 #{creatorId,jdbcType=INTEGER},
 #{createTime,jdbcType=TIMESTAMP},
 #{editorId,jdbcType=INTEGER},
diff --git a/src/main/java/com/nis/web/service/BaseService.java b/src/main/java/com/nis/web/service/BaseService.java
index f13b626cf..3967913b6 100644
--- a/src/main/java/com/nis/web/service/BaseService.java
+++ b/src/main/java/com/nis/web/service/BaseService.java
@@ -2488,6 +2488,9 @@ public abstract class BaseService {
 maatCfg.setUserRegion(userRegion);
 }else if(regionDict.getFunctionId()==563 || regionDict.getFunctionId()==565 || regionDict.getFunctionId()==566) {// APP Payload、HTTP、SSL Admin
 maatCfg.setUserRegion(Constants.APP_ID_REGION+"="+_cfg.getAppCode());
+}else if(regionDict.getFunctionId()==214) {
+ String userRegion="nat_type="+_cfg.getUserRegion1()+";spoofing_ip_pool="+_cfg.getUserRegion3();
+ maatCfg.setUserRegion(userRegion);
 }
 configCompileList.add(maatCfg);
diff --git a/src/main/java/com/nis/web/service/configuration/InterceptCfgService.java b/src/main/java/com/nis/web/service/configuration/InterceptCfgService.java
index 071c1eca2..532dff991 100644
--- a/src/main/java/com/nis/web/service/configuration/InterceptCfgService.java
+++ b/src/main/java/com/nis/web/service/configuration/InterceptCfgService.java
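Review bot: Replacing the literal `0,` `0,` with `#{isValid,jdbcType=INTEGER}` and `#{isAudit,jdbcType=INTEGER}` changes the contract of every caller of this insert, not only the new import path: a bean that does not populate the two fields now inserts NULL — or fails outright if the columns are NOT NULL — where it used to get 0. InterceptCfgService is patched in this commit to set both to 0 explicitly, but any other caller of `insert` outside the patch needs the same treatment, or the bean should initialise the two fields to 0 so the previous behavior is preserved by construction. A one-line comment in the mapper, `<!-- isValid/isAudit must be set by the caller; import sets them from the audit state -->`, would make the new obligation visible.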
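Review bot: The compiled `userRegion` string concatenates `_cfg.getUserRegion1()` verbatim into a `key=value;key=value` form, so the value's case and any `;` or `=` characters reach the backend unchanged; on the import path CheckIpFormatThread has validated it against the SPOOFING_IP_TYPE dictionary, but this method lives in BaseService and presumably serves the interactive path as well, where I cannot see an equivalent check. BaseController decides the pool direction with `"dnat".equals(...toLowerCase())` while this line emits the raw code, so a mixed-case entry would be treated as DNAT locally but sent as `nat_type=Dnat`; whichever form the backend expects, normalising once (e.g. `_cfg.getUserRegion1().toLowerCase(Locale.ROOT)` both here and in BaseController) keeps the two decisions consistent. The enclosing method starts and ends outside this hunk.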
@@ -149,6 +149,8 @@ public class InterceptCfgService extends CrudService
 spoofingPool.setCreatorId(UserUtils.getUser().getId());
 spoofingPool.setCompileId(spoofingPoolId);
 spoofingPool.setAction(1);
+ spoofingPool.setIsValid(0);
+ spoofingPool.setIsAudit(0);
 spoofingPool.setFunctionId(666);
 spoofingPool.setRequestId(0);
 pxyObjSpoofingIpPoolDao.insert(spoofingPool);//保存仿冒IP池配置
diff --git a/src/main/java/com/nis/web/service/configuration/PxyObjSpoofingIpPoolService.java b/src/main/java/com/nis/web/service/configuration/PxyObjSpoofingIpPoolService.java
index ddceb2d5a..1999122fb 100644
--- a/src/main/java/com/nis/web/service/configuration/PxyObjSpoofingIpPoolService.java
+++ b/src/main/java/com/nis/web/service/configuration/PxyObjSpoofingIpPoolService.java
@@ -269,6 +269,31 @@ public class PxyObjSpoofingIpPoolService extends BaseService{
 return gsonToJson(rangeCfg);
 }
+
+ /**
+ * IP Spoofing配置导入时 下发仿冒IP池配置
+ * @param spoofingPools
+ */
+ public void auditSpoofingPool(List spoofingPools) {
+ //调用服务接口下发配置数据
+ String json=gsonToJson(spoofingPools);
+ if(spoofingPools.size()>10) {
+ logger.info("欺骗IP池配置下发配置条数:" + spoofingPools.size());
+ }else {
+ logger.info("欺骗IP池配置下发配置参数:" + json);
+ }
+ //调用服务接口下发配置
+ try {
+ ToMaatResult result = ConfigServiceUtil.postCallbackCfg(json);
+ if(result!=null){
+ logger.info("欺骗IP池配置下发响应信息:"+result.getMsg());
+ }
+ } catch (Exception e) {
+ logger.error("欺骗IP池配置配置下发失败",e);
+ throw e;
+ }
+
+ }
 }
\ No newline at end of file
diff --git a/src/main/resources/sql/20190115/update_function_dicts.sql b/src/main/resources/sql/20190115/update_function_dicts.sql
new file mode 100644
index 000000000..16d095466
--- /dev/null
+++ b/src/main/resources/sql/20190115/update_function_dicts.sql
@@ -0,0 +1,3 @@
+-- IP Spoofing Import
+UPDATE function_region_dict SET is_import = 1,config_protocol = '6,17' WHERE function_id = 214;
+UPDATE function_service_dict SET is_import = 1 WHERE function_id = 214;
\ No newline at end of file
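Review bot: `auditSpoofingPool` treats every outcome of `ConfigServiceUtil.postCallbackCfg` as success — a null `result`, or a response whose message reports rejection, is only logged at INFO — and the caller in BaseController then proceeds to `saveAndSend` the ip_port_cfg rows that reference pool IDs the backend never accepted. If `ToMaatResult` exposes a status (its fields are not visible here), the method should check it and throw, along the lines of `if (result == null || !result.isSuccess()) { throw new MaatConvertException("spoofing pool push rejected: " + (result == null ? "no response" : result.getMsg())); }` with the accessor adjusted to the real one; the surrounding `catch (Exception e) { logger.error(...); throw e; }` only adds a log line and can go once the caller logs the failure. Logging the full JSON at INFO for small batches also writes every spoofed address to the application log, which is fine for configuration data but worth a `// payload logged for diagnosis; contains pool IPs` note so it is not later mistaken for a leak. The Javadoc should state that callers must have set compile IDs and the audit/valid flags before calling, since nothing here does.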