
tencentcloud-edgeone-migration-nodejs-v2


tencentcloud cdn config copy to edgeone

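const { t } = require("../../i18n/trans")
const _ = require('lodash')
const { ZONE_GLOBAL_ENTITY, USE_DEFAULT } = require("../const");
const { checkIsCIDR, TEO } = require('../utils');
const genLog = require("../../logGenerator");
const capi = require("../api")

/**
 * Translate a CDN domain's access-control settings (IP allow/deny lists,
 * referer hotlink protection, User-Agent allow/deny lists) into one
 * `ModifySecurityPolicy` request for the target zone and submit it.
 *
 * Every outcome is appended to `report.Details`, so a caller can audit which
 * controls were carried over and which were not.
 *
 * Any of `IpFilter`, `Referer` and `UserAgentFilter` may be absent from
 * `domainConfig`; an absent section simply contributes no rules. A missing
 * `IpFilter.FilterRules` is treated as an empty list, so an `IpFilter` that
 * only carries the flat `Filters` list is still migrated.
 *
 * @param {string} zoneId - Sent as `ZoneId` in both API calls.
 * @param {string} domain - Sent as `Entity` and used as the `host` condition of ACL rules.
 * @param {object} domainConfig - Source configuration; `IpFilter`, `Referer` and `UserAgentFilter` are read.
 * @param {{Details: object[]}} report - Migration report; entries are pushed onto `Details`.
 * @returns {Promise<*>} The `ModifySecurityPolicy` response, or `undefined` when the call failed
 *   (the failure is recorded in `report` and logged, not rethrown).
 */
async function IpFilterRefererUserAgentFilter(zoneId, domain, domainConfig, report) {
  const ipFilter = domainConfig?.IpFilter;
  const referer = domainConfig?.Referer;
  const userAgentFilter = domainConfig?.UserAgentFilter;

  // Normalise every optional list once so the code below never dereferences
  // a missing section.
  const ipRuleList = ipFilter?.FilterRules ?? [];
  const legacyIpFilters = ipFilter?.Filters ?? [];
  const refererRules = referer?.RefererRules ?? [];
  const userAgentFilterRules = userAgentFilter?.FilterRules ?? [];

  const ipFilterFlag = ipRuleList.length > 0 || legacyIpFilters.length > 0;
  const refererFlag = refererRules.length > 0;
  let userAgentFilterFlag = userAgentFilterRules.length > 0;

  // With no per-rule entries, fall back to one synthetic rule built from the
  // flat FilterType/Filters pair.
  const ipFilterRules = ipRuleList.length
    ? ipRuleList
    : [{
        FilterType: ipFilter?.FilterType,
        Filters: legacyIpFilters,
        RuleType: 'ip',
        RulePaths: ['*'],
      }];

  // A single path-scoped UA rule disables UA migration for the whole domain;
  // this is recorded as a failure so the operator knows the control is gone.
  const hasScopedUaRule = userAgentFilterRules.some((rule) => rule.RuleType !== "all");
  if (hasScopedUaRule) {
    report.Details.push({
      config: t("UA黑白名单(UserAgentFilter)"),
      result: t("失败"),
      detail: t(`EO 不支持按目录配置 UA 黑白名单,本配置无法迁移`),
    });
    genLog.errorLog(t('EO 不支持按目录配置 UA 黑白名单,本配置无法迁移'));
    userAgentFilterFlag = false;
  }

  const param = {
    ZoneId: zoneId,
    Entity: domain,
    SecurityConfig: {
      IpTableConfig: {
        IpTableRules: [],
        Switch: ipFilter?.Switch,
      },
    },
  };
  const ipTableRules = param.SecurityConfig.IpTableConfig.IpTableRules;

  if (ipFilterFlag) {
    const blackIpTempList = [];
    const whiteIpList = [];
    const transToAclConfigList = [];

    // EdgeOne basic access control does not support different allow/deny
    // lists under the same domain, so entries are merged per list type.
    if (legacyIpFilters.length) {
      // NOTE(review): in this branch RuleType/RulePaths of each rule are not
      // consulted, so a path-scoped rule is applied domain-wide - confirm.
      ipFilterRules.forEach((item) => {
        if (item.FilterType === "blacklist") {
          blackIpTempList.push(...item.Filters);
        } else if (item.FilterType === "whitelist") {
          whiteIpList.push(...item.Filters);
        }
      });
    } else {
      ipFilterRules.forEach((item) => {
        const isAllRuleType = item.RuleType === "all";
        const hasWildcardPath = item.RulePaths.some((path) => path.includes("*"));
        if (isAllRuleType && hasWildcardPath) {
          if (item.FilterType === "blacklist") {
            blackIpTempList.push(...item.Filters);
          } else if (item.FilterType === "whitelist") {
            whiteIpList.push(...item.Filters);
          }
        } else {
          // Anything not domain-wide becomes a custom ACL rule instead.
          transToAclConfigList.push(item);
        }
      });
    }

    // An address present in both lists is treated as allowed.
    const blackIpList = blackIpTempList.filter(
      (ip) => !whiteIpList.includes(ip)
    );
    let uniqWhitelist = _.uniq(whiteIpList);
    let uniqBlacklist = _.uniq(blackIpList);

    const allAllowCIDR = checkIsCIDR([
      ...whiteIpList,
      ...blackIpTempList,
    ]).filter((cidrIp) => cidrIp.split("/").length > 1);
    const whiteIntersect = _.intersection(uniqWhitelist, allAllowCIDR).length;
    const blackIntersect = _.intersection(uniqBlacklist, allAllowCIDR).length;

    if (whiteIntersect || blackIntersect) {
      // NOTE(review): entries removed here are neither logged nor added to
      // `report`, so part of an allow/deny list can be lost without the
      // operator seeing it. The deny list loses every CIDR entry, including
      // those checkIsCIDR returned - confirm that is intended.
      uniqWhitelist = uniqWhitelist.filter(
        (item) => allAllowCIDR.includes(item) || item.split("/").length <= 1
      );
      uniqBlacklist = uniqBlacklist.filter(
        (item) => item.split("/").length === 1
      );
    }

    // NOTE(review): both guards test the unfiltered lists, so a rule can be
    // emitted with an empty MatchContent after the CIDR filtering above. For
    // the allow list that is "drop everything that does not match ''" -
    // verify how the API treats an empty MatchContent.
    if (whiteIpList.length) {
      ipTableRules.push({
        MatchFrom: "ip",
        MatchContent: uniqWhitelist.join(","),
        Action: "drop",
        Status: ipFilter.Switch,
        Operator: "not_match",
        RuleName: t(`CDN迁移EO-IP白名单-{{domain}}`, { domain }),
      });
    }
    if (blackIpList.length) {
      ipTableRules.push({
        MatchFrom: "ip",
        MatchContent: uniqBlacklist.join(","),
        Action: "drop",
        Status: ipFilter.Switch,
        Operator: "match",
        RuleName: t(`CDN迁移EO-IP黑名单-{{domain}}`, { domain }),
      });
    }

    if (transToAclConfigList.length) {
      param.SecurityConfig.AclConfig = {
        AclUserRules: transToAclConfigList.map((rule, index) => {
          const isBlacklist = rule.FilterType === "blacklist";
          return {
            AclConditions: [
              {
                MatchContent: domain,
                MatchFrom: "host",
                MatchParam: "",
                Operator: "equal",
              },
              {
                MatchContent: rule.Filters.join(","),
                MatchFrom: "sip",
                MatchParam: "",
                Operator: isBlacklist ? "match" : "not_match",
              },
              {
                MatchContent: rule.RulePaths.join(","),
                MatchFrom: "cgi",
                MatchParam: "",
                Operator: "equal",
              },
            ],
            RuleName: isBlacklist
              ? t("CDN迁移EO-IP黑名单-{{domain}}-{{index}}", {
                  domain,
                  index,
                })
              : t("CDN迁移EO-IP白名单-{{domain}}-{{index}}", {
                  domain,
                  index,
                }),
            Action: "drop",
            RuleStatus: ipFilter.Switch,
            RulePriority: 50,
          };
        }),
      };
    }
  }

  if (refererFlag) {
    // NOTE(review): an allow-list referer rule becomes only a "trans" rule
    // for the listed referers; unlike the IP allow list above, no rule
    // drops the referers that are NOT listed. Presumably "trans" means
    // pass - confirm the allow list is still enforced after migration.
    // Only Referers, RefererType and AllowEmpty are read from each rule.
    refererRules.forEach((rule) => {
      const refererAction = rule.RefererType === "blacklist" ? "drop" : "trans";
      ipTableRules.push({
        MatchFrom: "referer",
        MatchContent: rule.Referers.join(","),
        Action: refererAction,
        Status: referer.Switch,
        Operator: "equal",
        RuleName: t(`CDN迁移EO-referer黑白名单-{{domain}}`, { domain }),
      });
      if (rule.AllowEmpty) {
        ipTableRules.push({
          MatchFrom: "referer",
          Action: refererAction,
          Status: referer.Switch,
          Operator: "is_empty",
          MatchContent: "",
          RuleName: t(`CDN迁移EO-referer黑白名单-空referer-{{domain}}`, {
            domain,
          }),
        });
      }
    });
  }

  if (userAgentFilterFlag) {
    // NOTE(review): same shape as the referer rules - an allow-list UA rule
    // yields "trans" for matches with no accompanying deny; confirm.
    userAgentFilterRules.forEach((rule, index) => {
      ipTableRules.push({
        MatchFrom: "ua",
        MatchContent: rule.UserAgents.join(","),
        Action: rule.FilterType === "blacklist" ? "drop" : "trans",
        Status: userAgentFilter.Switch,
        Operator: "equal",
        RuleName: t(`CDN迁移EO-UA黑白名单-{{index}}-{{domain}}`, {
          index,
          domain,
        }),
      });
    });
  }

  try {
    // New site / newly added domain: before modifying the security
    // configuration, unbind the domain to the empty template. Best effort:
    // a failure here is logged and the policy update is still attempted.
    try {
      await capi("BindSecurityTemplateToEntity", TEO, {
        Entities: [domain],
        Operate: USE_DEFAULT,
        OverWrite: true,
        TemplateId: ZONE_GLOBAL_ENTITY,
        ZoneId: zoneId,
      })
    } catch (e) {
      genLog.defaultLog(e?.message)
    }

    const res = await capi("ModifySecurityPolicy", TEO, param)
    report.Details.push({
      config: t(
        "安全配置创建(IP黑白名单:IpFilter, 防盗链:Referer, UA黑白名单:UserAgentFilter)"
      ),
      result: t("成功"),
      detail: ``,
    });
    genLog.successLog(`${t('安全配置创建(IP黑白名单:IpFilter, 防盗链:Referer, UA黑白名单:UserAgentFilter)')}${t('成功')}`)
    return res;
  } catch (e) {
    // The failure is surfaced through the report and the log rather than
    // rethrown; the caller receives `undefined`.
    report.Details.push({
      config: t(
        "安全配置创建(IP黑白名单:IpFilter, 防盗链:Referer, UA黑白名单:UserAgentFilter)"
      ),
      result: t("失败"),
      detail: `${e.toString()}`,
    });
    genLog.errorLog(`${t('安全配置创建(IP黑白名单:IpFilter, 防盗链:Referer, UA黑白名单:UserAgentFilter)')}${t('失败')}`)
  }
}

module.exports = IpFilterRefererUserAgentFilter;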