package policy
import (
"gitee.com/carlmax_my/vpn-core-go/pkg/control_dto"
"github.com/pkg/errors"
)
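// CheckWithPolicyAndRules folds the per-rule results of one policy into a
// verdict and reports whether the time rule still has to be confirmed
// downstream.
//
// Rationale: let x be the combined non-dynamic part (ip/location rules b and
// c) and t the time rule.
//
//	t && b && c => t && (b && c) => t && x: x == false forces false, x == true leaves the result to t
//	t || b || c => t || (b || c) => t || x: x == true forces true, x == false leaves the result to t
//
// In short, the backend checks non-dynamic + time and the frontend checks
// time.
//
// A policy has 3 types:
//
//  1. only time rules: dynamic check, everything is sent to pop
//  2. only ip/location rules: only sent to pop when the check passed
//  3. both time and ip/location rules: not sent when ip/location rejects,
//     sent otherwise
//
// needConfirm:
//
//   - true: the time rules must be sent to pop and checked there, and
//     timeRules is not empty
//   - false: currPassed is the final result
//
// Results must be computed before calling (presumably the per-value results
// that the Summarize helpers fold; confirm against those helpers). This
// method overwrites Result on every entry of rules.
//
// A policy with no rules passes. On every error path the verdict is
// (false, false, err), so a caller that mishandles err still sees a denial.
func (h *PolicyChecker) CheckWithPolicyAndRules(
	policy *control_dto.SecPolicyBase, rules map[string]*control_dto.SecPolicyRule,
) (currPassed bool, needConfirm bool, err error) {
	// case 1: timeRules and otherRules are empty.
	if len(rules) == 0 {
		return true, false, nil
	}

	var timeRule *control_dto.SecPolicyRule
	otherRules := map[string]*control_dto.SecPolicyRule{}
	for key, rule := range rules {
		if rule == nil {
			// Deny with an error instead of panicking on a malformed rule set.
			return false, false, errors.New("nil policy rule: " + key)
		}
		// NOTE(review): this store is always overwritten by one of the
		// Summarize calls below, so whether a rule without values passes is
		// decided by those helpers, not here. Confirm which outcome is
		// intended for an empty rule.
		if len(rule.TimeValues) == 0 && len(rule.ParsedValues) == 0 {
			rule.Result = true
		}
		if key == control_dto.POLICY_RULE_Time {
			timeRule = rule
			// Values inside one rule are OR-ed by default.
			rule.Result, err = h.SummarizePolicyTimeValues(control_dto.POLICY_OP_OR, rule.TimeValues)
			if err != nil {
				return false, false, err
			}
			continue
		}
		rule.Result, err = h.SummarizePolicyRuleValues(control_dto.POLICY_OP_OR, rule.ParsedValues)
		if err != nil {
			return false, false, err
		}
		otherRules[key] = rule
	}

	// case 2: timeRules is not empty, otherRules is empty.
	if len(otherRules) == 0 {
		if timeRule == nil {
			// No rules at all. Kept as a defensive branch: every key that is
			// not the time key lands in otherRules.
			return true, false, nil
		}
		// case (1): the time rules have to be sent.
		// NOTE(review): needConfirm is true here even when
		// timeRule.TimeValues is empty, which differs from the documented
		// meaning "timeRules is not empty". Confirm with the consumer.
		return timeRule.Result, true, nil
	}

	// From here on the policy operator is needed; deny when there is no policy.
	if policy == nil {
		return false, false, errors.New("policy is nil")
	}

	// case 3: timeRules is empty, otherRules is not empty.
	if timeRule == nil || len(timeRule.TimeValues) == 0 {
		currPassed, err = h.SummarizePolicyRulesMap(policy.Operator, otherRules)
		if err != nil {
			// Never hand back the helper's verdict together with an error.
			return false, false, err
		}
		return currPassed, false, nil
	}

	// case 4: timeRules and otherRules are not empty.
	var passedCase uint16
	passedCase, err = h.SummarizeNonDynamicRulesMap(policy.Operator, otherRules)
	if err != nil {
		return false, false, err
	}
	switch passedCase {
	case POLICY_NOT_PASSED:
		// The non-dynamic part already decides; no need to check time.
		return false, false, nil
	case POLICY_PASSED:
		// The non-dynamic part already decides; no need to check time.
		return true, false, nil
	default:
		// case (2): the outcome depends on time, so the time rules are sent.
		return timeRule.Result, true, nil
	}
}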
// CheckWithPolicyRule checks a single rule against clientIp, dispatching on
// rule.Type. IP-range and location rules are matched on rule.Values and
// clientIp; time rules go to CheckWithPolicyTimeRule, which takes the rule
// only. Any other type yields (false, error).
//
// NOTE(review): the IP-range and location outcomes depend entirely on
// clientIp. Where that value comes from is not visible here; confirm it is
// the peer address recorded by a trusted component rather than a
// client-supplied value.
func (h *PolicyChecker) CheckWithPolicyRule(rule *control_dto.SecPolicyRule, clientIp string) (bool, error) {
	switch kind := rule.Type; kind {
	case control_dto.POLICY_RULE_IpRange:
		return CheckWithPolicyIpRange(rule.Values, clientIp)
	case control_dto.POLICY_RULE_Location:
		return h.CheckWithPolicyLocation(rule.Values, clientIp)
	case control_dto.POLICY_RULE_Time:
		passed := h.CheckWithPolicyTimeRule(rule)
		return passed, nil
	default:
		// Unrecognised types are rejected with an error.
		return false, errors.Errorf("unknown rule type: %s", kind)
	}
}
// CheckWithPolicyStrValue checks one rule value, given as a string, against
// clientIp. It handles every rule type except time; ruleValue is the split
// value. A time rule, like any other unhandled type, yields (false, error).
//
// NOTE(review): as with CheckWithPolicyRule, the result is only as
// trustworthy as clientIp. Confirm the caller passes a server-observed
// address.
func (h *PolicyChecker) CheckWithPolicyStrValue(ruleType string, ruleValue string, clientIp string) (bool, error) {
	if ruleType == control_dto.POLICY_RULE_IpRange {
		return CheckWithPolicyIpRange(ruleValue, clientIp)
	}
	if ruleType == control_dto.POLICY_RULE_Location {
		return h.CheckWithPolicyLocation(ruleValue, clientIp)
	}
	// Everything else, time included, is rejected with an error.
	return false, errors.Errorf("unknown rule type: %s", ruleType)
}