Documentation
¶
Index ¶
- Constants
- func CheckWithPolicyIpRange(ranges string, clientIp string) (bool, error)
- func CheckWithPolicyTime(value *control_dto.SecPolicyTimeValue) bool
- func CheckWithPolicyUTCTimeBase(value *control_dto.SecPolicyTimeValueBase) bool
- func GetTimezoneOffset(timezone string) (int64, error)
- func ParseGeneralStr(str string, valuesSplitter string) []*control_dto.SecPolicyStrValue
- func ParsePolicyTime(timeStr string, adjustEnd bool) (*control_dto.SecPolicyTimeValueBase, error)
- func ParseRuleTimeValues(timeStr string, valuesSplitter string, utcSplitter string, adjustEnd bool) ([]*control_dto.SecPolicyTimeValue, error)
- func ParseTimeRule(rule *control_dto.SecPolicyRule, valuesSplitter string, utcSplitter string, ...) ([]*control_dto.SecPolicyTimeValue, error)
- func ParseTimes(timeStr string, splitter string, adjustEnd bool) (*control_dto.SecPolicyTimeValue, error)
- func RestoreOriginalTimeFormat(timeStr string) (string, error)
- func SplitTimeRule(pol *control_dto.SecPolicyBase, timeRule *control_dto.SecPolicyRule) []control_dto.ParsedSecPolicy
- func ToRuleHours(rules []string, offset int64, adjustEnd bool) (int64, int64)
- type PolicyChecker
- func (h *PolicyChecker) CheckPolicyTimeRules4UI(policy *control_dto.SecPolicyBase, rules []control_dto.SecPolicyRule) (ret bool)
- func (h *PolicyChecker) CheckWithPolicyAndRules(policy *control_dto.SecPolicyBase, rules map[string]*control_dto.SecPolicyRule) (currPassed bool, needConfirm bool, err error)
- func (h *PolicyChecker) CheckWithPolicyLocation(countryCode string, clientIp string) (bool, error)
- func (h *PolicyChecker) CheckWithPolicyRule(rule *control_dto.SecPolicyRule, clientIp string) (bool, error)
- func (h *PolicyChecker) CheckWithPolicyStrValue(ruleType string, ruleValue string, clientIp string) (bool, error)
- func (h *PolicyChecker) CheckWithPolicyStrValues(values []*control_dto.SecPolicyStrValue) bool
- func (h *PolicyChecker) CheckWithPolicyTimeRule(rule *control_dto.SecPolicyRule) bool
- func (h *PolicyChecker) CheckWithPolicyTimeStr(timeStr string) (bool, error)
- func (h *PolicyChecker) CheckWithPolicyTimeValues(timeValues []*control_dto.SecPolicyTimeValue) bool
- func (h *PolicyChecker) CheckWithPolicyTimeValuesBase(timeValues []*control_dto.SecPolicyTimeValueBase) bool
- func (h *PolicyChecker) CheckWithUIPolicy(policy *control_dto.SecPolicyBase, rules map[string]*control_dto.SecPolicyRule) (currPassed bool, needConfirm bool, err error)
- func (h *PolicyChecker) ParseGeneralStr(str string) []*control_dto.SecPolicyStrValue
- func (h *PolicyChecker) ParseTimeRule(rule *control_dto.SecPolicyRule) ([]*control_dto.SecPolicyTimeValue, error)
- func (h *PolicyChecker) ParseTimes(timeStr string) ([]*control_dto.SecPolicyTimeValue, error)
- func (h *PolicyChecker) PreParseAndCategoryRules(rules []control_dto.SecPolicyRule, check bool, clientIp string) (map[string]*control_dto.SecPolicyRule, error)
- func (h *PolicyChecker) SummarizeNonDynamicRules(op string, nonDynamicRules []control_dto.SecPolicyRule) (uint16, error)
- func (h *PolicyChecker) SummarizeNonDynamicRulesMap(op string, nonDynamicRules map[string]*control_dto.SecPolicyRule) (uint16, error)
- func (h *PolicyChecker) SummarizePolicyRuleValues(op string, values []*control_dto.SecPolicyStrValue) (bool, error)
- func (h *PolicyChecker) SummarizePolicyRules(op string, rules []control_dto.SecPolicyRule) (bool, error)
- func (h *PolicyChecker) SummarizePolicyRulesMap(op string, rules map[string]*control_dto.SecPolicyRule) (bool, error)
- func (h *PolicyChecker) SummarizePolicyTimeBaseValues(op string, values []*control_dto.SecPolicyTimeValueBase) (bool, error)
- func (h *PolicyChecker) SummarizePolicyTimeValues(op string, values []*control_dto.SecPolicyTimeValue) (bool, error)
Constants ¶
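// Result codes for a policy evaluation.
//
// NOTE(review): presumably these are the uint16 values returned by
// SummarizeNonDynamicRules and SummarizeNonDynamicRulesMap; confirm
// against the implementation.
const (
	// POLICY_NOT_PASSED means the policy check did not pass.
	POLICY_NOT_PASSED uint16 = 0
	// POLICY_PASSED means the policy check passed.
	POLICY_PASSED uint16 = 1
	// POLICY_NEED_CONFIRM means the outcome is not final yet: a time
	// check is still needed.
	POLICY_NEED_CONFIRM uint16 = 2 // need time check
)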
Variables ¶
This section is empty.
Functions ¶
func CheckWithPolicyIpRange ¶
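Example values for ranges: a start-end range `10.10.10.1-10.10.10.100`, a CIDR block `10.10.10.10/16`, and a single address `10.10.10.10`. Note that the CIDR example has host bits set; this page does not say whether such a value is normalised to its network before clientIp is matched against it.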
func CheckWithPolicyTime ¶ added in v0.1.40
func CheckWithPolicyTime(value *control_dto.SecPolicyTimeValue) bool
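Example value: `0 0 4 0 * 1,2,3_Asia/Shanghai`. A timezone may involve an offset, and the weekday would then have to be adjusted as well, so one entry could turn into several and become awkward to evaluate. Everything is therefore evaluated in UTC: the value passed in is already UTC, and the timezone after `_` is not considered.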
func CheckWithPolicyUTCTimeBase ¶ added in v0.1.55
func CheckWithPolicyUTCTimeBase(value *control_dto.SecPolicyTimeValueBase) bool
value is UTC
func ParseGeneralStr ¶ added in v0.1.55
func ParseGeneralStr(str string, valuesSplitter string) []*control_dto.SecPolicyStrValue
func ParsePolicyTime ¶ added in v0.1.40
func ParsePolicyTime(timeStr string, adjustEnd bool) (*control_dto.SecPolicyTimeValueBase, error)
timeStr is a single value, i.e. one that has already been split out: for rule values stored in the db as "a&b&c|d|e&f", timeStr is "a". All values are UTC based. On error, it just returns.
func ParseRuleTimeValues ¶ added in v0.1.55
func ParseRuleTimeValues(timeStr string, valuesSplitter string, utcSplitter string, adjustEnd bool) ([]*control_dto.SecPolicyTimeValue, error)
valuesSplitter="|", utcSplitter="&". timeStr is in union format: "a&b&c|d|e&f". On a format error, processing stops immediately and the error is returned.
func ParseTimeRule ¶ added in v0.1.55
func ParseTimeRule(rule *control_dto.SecPolicyRule, valuesSplitter string, utcSplitter string, adjustEnd bool) ([]*control_dto.SecPolicyTimeValue, error)
Make sure the rules have already been filtered before calling.
func ParseTimes ¶ added in v0.1.41
func ParseTimes(timeStr string, splitter string, adjustEnd bool) (*control_dto.SecPolicyTimeValue, error)
timeStr is union format: "a&b&c"
splitter="&"
On a format error, processing stops immediately and the error is returned.
func RestoreOriginalTimeFormat ¶ added in v0.1.55
a&b=>c 0 0 19 6 * 0_Asia/Shanghai
func SplitTimeRule ¶ added in v0.1.55
func SplitTimeRule( pol *control_dto.SecPolicyBase, timeRule *control_dto.SecPolicyRule, ) []control_dto.ParsedSecPolicy
split to multiple time rules
Types ¶
type PolicyChecker ¶
// PolicyChecker is the receiver type for the Check*, Parse* and Summarize*
// methods listed on this page. Its fields are unexported; obtain an instance
// with NewPolicyChecker.
//
// NOTE(review): NewPolicyChecker takes a geo client, valuesSplitter,
// utcSplitter and adjustEnd, so presumably those are what the hidden fields
// hold; confirm against the source.
type PolicyChecker struct {
// contains filtered or unexported fields
}
func NewPolicyChecker ¶
func NewPolicyChecker(geoClient types.IGeoClient, valuesSplitter string, utcSplitter string, adjustEnd bool) *PolicyChecker
func (*PolicyChecker) CheckPolicyTimeRules4UI ¶ added in v0.1.45
func (h *PolicyChecker) CheckPolicyTimeRules4UI(policy *control_dto.SecPolicyBase, rules []control_dto.SecPolicyRule) (ret bool)
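This is for the client program (lib mode): on the client, the time rules can be checked on their own. IP range and location give fixed results, so they do not need to be checked repeatedly; one check settles them. Time is dynamic and has to be checked periodically. Important: before the rules are sent to the client, they must be checked once on the server side, because geo and IP only need to be checked once. In theory, rules is never empty by the time this function is reached.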
func (*PolicyChecker) CheckWithPolicyAndRules ¶ added in v0.1.35
func (h *PolicyChecker) CheckWithPolicyAndRules( policy *control_dto.SecPolicyBase, rules map[string]*control_dto.SecPolicyRule, ) (currPassed bool, needConfirm bool, err error)
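Let x (b/c) be the non-dynamic rules (ip/location) and t the time rule. t && b && c => t && (b && c) => t && x: if x is false the result is always false; if x is true the result is decided by t. t || b || c => t || (b || c) => t || x: if x is true the result is always true; if x is false the result is decided by t. In summary: the backend checks non-dynamic + time, the frontend checks time.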
A policy has 3 types: 1. only time rules: dynamic check, all are sent to pop. 2. only ip/location rules: only those that pass the check are sent to pop. 3. both time & ip/location rules: since those rejected by ip/location are not sent, only the others are sent.
needConfirm: true means the time rules need to be sent to pop and checked there, and timeRules is not empty; false means currPassed is the final result.
return time rules and summary result
Before calling, compute the result of each rule first.
func (*PolicyChecker) CheckWithPolicyLocation ¶
func (h *PolicyChecker) CheckWithPolicyLocation(countryCode string, clientIp string) (bool, error)
location should be a country code
func (*PolicyChecker) CheckWithPolicyRule ¶
func (h *PolicyChecker) CheckWithPolicyRule(rule *control_dto.SecPolicyRule, clientIp string) (bool, error)
check single rule
func (*PolicyChecker) CheckWithPolicyStrValue ¶ added in v0.1.55
func (h *PolicyChecker) CheckWithPolicyStrValue(ruleType string, ruleValue string, clientIp string) (bool, error)
For every rule type except time, ruleValue is the already-split value.
func (*PolicyChecker) CheckWithPolicyStrValues ¶ added in v0.1.55
func (h *PolicyChecker) CheckWithPolicyStrValues(values []*control_dto.SecPolicyStrValue) bool
func (*PolicyChecker) CheckWithPolicyTimeRule ¶ added in v0.1.45
func (h *PolicyChecker) CheckWithPolicyTimeRule(rule *control_dto.SecPolicyRule) bool
func (*PolicyChecker) CheckWithPolicyTimeStr ¶ added in v0.1.45
func (h *PolicyChecker) CheckWithPolicyTimeStr(timeStr string) (bool, error)
Example value: `0 0 4 0 * 1,2,3_Asia/Shanghai&0 0 4 0 * 1,2,3_Asia/Shanghai|0 0 4 0 * 1,2,3_Asia/Shanghai`. Returns true as soon as one entry is satisfied.
func (*PolicyChecker) CheckWithPolicyTimeValues ¶ added in v0.1.55
func (h *PolicyChecker) CheckWithPolicyTimeValues(timeValues []*control_dto.SecPolicyTimeValue) bool
func (*PolicyChecker) CheckWithPolicyTimeValuesBase ¶ added in v0.1.55
func (h *PolicyChecker) CheckWithPolicyTimeValuesBase(timeValues []*control_dto.SecPolicyTimeValueBase) bool
func (*PolicyChecker) CheckWithUIPolicy ¶ added in v0.1.35
func (h *PolicyChecker) CheckWithUIPolicy( policy *control_dto.SecPolicyBase, rules map[string]*control_dto.SecPolicyRule, ) (currPassed bool, needConfirm bool, err error)
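Used for bookmarks: bookmarks do not go through the ACL and are controlled by us. Before calling, compute the result of each rule first. The server calls this function when a client connects.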
func (*PolicyChecker) ParseGeneralStr ¶ added in v0.1.55
func (h *PolicyChecker) ParseGeneralStr(str string) []*control_dto.SecPolicyStrValue
func (*PolicyChecker) ParseTimeRule ¶ added in v0.1.55
func (h *PolicyChecker) ParseTimeRule(rule *control_dto.SecPolicyRule) ([]*control_dto.SecPolicyTimeValue, error)
Make sure the rules have already been filtered before calling.
func (*PolicyChecker) ParseTimes ¶ added in v0.1.41
func (h *PolicyChecker) ParseTimes(timeStr string) ([]*control_dto.SecPolicyTimeValue, error)
timeStr is union format: "a&b&c|d|e&f"
func (*PolicyChecker) PreParseAndCategoryRules ¶ added in v0.1.45
func (h *PolicyChecker) PreParseAndCategoryRules(rules []control_dto.SecPolicyRule, check bool, clientIp string, ) (map[string]*control_dto.SecPolicyRule, error)
Server side: parses each rule and checks each rule's result. Each type of rule has at most one record.
func (*PolicyChecker) SummarizeNonDynamicRules ¶ added in v0.1.34
func (h *PolicyChecker) SummarizeNonDynamicRules(op string, nonDynamicRules []control_dto.SecPolicyRule) (uint16, error)
Summarizes all rules using the operator op.
func (*PolicyChecker) SummarizeNonDynamicRulesMap ¶ added in v0.1.55
func (h *PolicyChecker) SummarizeNonDynamicRulesMap(op string, nonDynamicRules map[string]*control_dto.SecPolicyRule) (uint16, error)
Summarizes all rules using the operator op.
func (*PolicyChecker) SummarizePolicyRuleValues ¶ added in v0.1.55
func (h *PolicyChecker) SummarizePolicyRuleValues(op string, values []*control_dto.SecPolicyStrValue) (bool, error)
func (*PolicyChecker) SummarizePolicyRules ¶
func (h *PolicyChecker) SummarizePolicyRules(op string, rules []control_dto.SecPolicyRule) (bool, error)
Summarizes all rules using the operator op.
func (*PolicyChecker) SummarizePolicyRulesMap ¶ added in v0.1.55
func (h *PolicyChecker) SummarizePolicyRulesMap(op string, rules map[string]*control_dto.SecPolicyRule) (bool, error)
Summarizes all rules using the operator op.
func (*PolicyChecker) SummarizePolicyTimeBaseValues ¶ added in v0.1.55
func (h *PolicyChecker) SummarizePolicyTimeBaseValues(op string, values []*control_dto.SecPolicyTimeValueBase) (bool, error)
func (*PolicyChecker) SummarizePolicyTimeValues ¶ added in v0.1.55
func (h *PolicyChecker) SummarizePolicyTimeValues(op string, values []*control_dto.SecPolicyTimeValue) (bool, error)