This commit is contained in:
parent
2e60e8021c
commit
7081666199
4 changed files with 52 additions and 55 deletions
|
@ -266,33 +266,33 @@ func (w *WaapSource) waapHandler(rw http.ResponseWriter, r *http.Request) {
|
|||
}
|
||||
w.InChan <- parsedRequest
|
||||
|
||||
message := <-parsedRequest.ResponseChannel
|
||||
response := <-parsedRequest.ResponseChannel
|
||||
|
||||
//@tko this parts needs to be redone
|
||||
if message.Err != nil {
|
||||
log.Errorf("Error while processing InBAND: %s", err)
|
||||
rw.WriteHeader(http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
// //@tko this parts needs to be redone
|
||||
// if message.Err != nil {
|
||||
// log.Errorf("Error while processing InBAND: %s", err)
|
||||
// rw.WriteHeader(http.StatusInternalServerError)
|
||||
// return
|
||||
// }
|
||||
|
||||
//here we must rely on WaapRuntimeConfig to know what to do
|
||||
if message.Interruption != nil {
|
||||
rw.WriteHeader(http.StatusForbidden)
|
||||
action := message.Interruption.Action
|
||||
if action == "deny" { // bouncers understand "ban" and not "deny"
|
||||
action = "ban"
|
||||
}
|
||||
body, err := json.Marshal(BodyResponse{Action: action})
|
||||
if err != nil {
|
||||
log.Errorf("unable to build response: %s", err)
|
||||
} else {
|
||||
rw.Write(body)
|
||||
}
|
||||
return
|
||||
}
|
||||
// //here we must rely on WaapRuntimeConfig to know what to do
|
||||
// if message.Interruption != nil {
|
||||
// rw.WriteHeader(http.StatusForbidden)
|
||||
// action := message.Interruption.Action
|
||||
// if action == "deny" { // bouncers understand "ban" and not "deny"
|
||||
// action = "ban"
|
||||
// }
|
||||
// body, err := json.Marshal(BodyResponse{Action: action})
|
||||
// if err != nil {
|
||||
// log.Errorf("unable to build response: %s", err)
|
||||
// } else {
|
||||
// rw.Write(body)
|
||||
// }
|
||||
// return
|
||||
// }
|
||||
|
||||
rw.WriteHeader(http.StatusOK)
|
||||
body, err := json.Marshal(BodyResponse{Action: "allow"})
|
||||
rw.WriteHeader(response.HTTPResponseCode)
|
||||
body, err := json.Marshal(BodyResponse{Action: response.Action})
|
||||
if err != nil {
|
||||
log.Errorf("unable to marshal response: %s", err)
|
||||
rw.WriteHeader(http.StatusInternalServerError)
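Review bot: `rw.WriteHeader(response.HTTPResponseCode)` now trusts whatever the runner put in the response, and net/http panics on a code outside 100–999, so a WaapTempResponse whose code was never set (zero value) would take down the handler goroutine; whether the runtime always populates it is not visible in this hunk. The old `message.Err` branch that returned 500 is only commented out, so the handler no longer has any explicit fail-closed path — delete the dead code rather than keep it commented. The marshal-error branch also calls `WriteHeader` a second time after the runtime's code has already been written, which net/http ignores as superfluous, so the client still gets that status with an empty body; marshalling before writing the header, and range-checking the code, addresses both (what the remediation component does with a 500 is outside this hunk). waapHandler continues past the end of the hunk.
```go
body, err := json.Marshal(BodyResponse{Action: response.Action})
if err != nil {
	log.Errorf("unable to marshal response: %s", err)
	rw.WriteHeader(http.StatusInternalServerError)
	return
}
code := response.HTTPResponseCode
if code < 100 || code > 999 { // net/http panics on an out-of-range code
	log.Errorf("invalid HTTP response code %d from waap runtime, failing closed", code)
	code = http.StatusInternalServerError
}
rw.WriteHeader(code)
// … unchanged: remainder of waapHandler is outside this hunk …
```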
|
||||
|
|
|
@ -44,22 +44,22 @@ func (r *WaapRunner) Run(t *tomb.Tomb) error {
|
|||
continue
|
||||
}
|
||||
//inband WAAP rules
|
||||
interrupt, err := r.WaapRuntime.ProcessInBandRules(request)
|
||||
err = r.WaapRuntime.ProcessInBandRules(request)
|
||||
elapsed := time.Since(startParsing)
|
||||
WafInbandParsingHistogram.With(prometheus.Labels{"source": request.RemoteAddr}).Observe(elapsed.Seconds())
|
||||
|
||||
//generate reponse for the remediation component, based on the WAAP config + inband rules evaluation
|
||||
//@tko : this should move in the WaapRuntimeConfig as it knows what to do with the interruption and the expected remediation
|
||||
response := waf.NewResponseRequest(r.WaapRuntime.InBandTx.Tx, interrupt, request.UUID, err)
|
||||
//response := waf.NewResponseRequest(r.WaapRuntime.InBandTx.Tx, interrupt, request.UUID, err)
|
||||
|
||||
err = r.WaapRuntime.ProcessOnMatchRules(request, response)
|
||||
err = r.WaapRuntime.ProcessOnMatchRules(request)
|
||||
if err != nil {
|
||||
r.logger.Errorf("unable to process OnMatch rules: %s", err)
|
||||
continue
|
||||
}
|
||||
|
||||
// send back the result to the HTTP handler for the InBand part
|
||||
request.ResponseChannel <- response
|
||||
request.ResponseChannel <- r.WaapRuntime.Response
|
||||
|
||||
}
|
||||
}
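Review bot: With the `continue` on the OnMatch error path nothing is ever sent on `request.ResponseChannel`, and since the channel is created unbuffered (`make(chan WaapTempResponse)`) the waapHandler goroutine blocks forever on its receive — one failing rule evaluation leaks a goroutine and stalls that HTTP request indefinitely, a cheap denial of service if an attacker can trigger the failure. The `err` returned by `ProcessInBandRules` is also overwritten by the `ProcessOnMatchRules` call without ever being checked, so an inband evaluation error is silently dropped (the old code carried it through `NewResponseRequest`). Every path through the loop body should deliver exactly one response; the sketch below fails closed with a 500, assuming net/http is imported here and that `WaapTempResponse` lives in the waf package alongside `ParsedRequest`. Run's loop starts before the hunk.
```go
err = r.WaapRuntime.ProcessInBandRules(request)
if err != nil {
	r.logger.Errorf("unable to process inband rules: %s", err)
	request.ResponseChannel <- waf.WaapTempResponse{HTTPResponseCode: http.StatusInternalServerError}
	continue
}
// … unchanged: inband parsing histogram …
err = r.WaapRuntime.ProcessOnMatchRules(request)
if err != nil {
	r.logger.Errorf("unable to process OnMatch rules: %s", err)
	request.ResponseChannel <- waf.WaapTempResponse{HTTPResponseCode: http.StatusInternalServerError}
	continue
}
// send back the result to the HTTP handler for the InBand part
request.ResponseChannel <- r.WaapRuntime.Response
```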
|
||||
|
|
|
@ -7,7 +7,6 @@ import (
|
|||
"net/url"
|
||||
|
||||
"github.com/crowdsecurity/coraza/v3/experimental"
|
||||
corazatypes "github.com/crowdsecurity/coraza/v3/types"
|
||||
"github.com/google/uuid"
|
||||
)
|
||||
|
||||
|
@ -18,23 +17,23 @@ const (
|
|||
IPHeaderName = "X-Crowdsec-Waf-Ip"
|
||||
)
|
||||
|
||||
type ResponseRequest struct {
|
||||
UUID string
|
||||
Tx corazatypes.Transaction
|
||||
Interruption *corazatypes.Interruption
|
||||
Err error
|
||||
SendEvents bool
|
||||
}
|
||||
// type ResponseRequest struct {
|
||||
// UUID string
|
||||
// Tx corazatypes.Transaction
|
||||
// Interruption *corazatypes.Interruption
|
||||
// Err error
|
||||
// SendEvents bool
|
||||
// }
|
||||
|
||||
func NewResponseRequest(Tx experimental.FullTransaction, in *corazatypes.Interruption, UUID string, err error) ResponseRequest {
|
||||
return ResponseRequest{
|
||||
UUID: UUID,
|
||||
Tx: Tx,
|
||||
Interruption: in,
|
||||
Err: err,
|
||||
SendEvents: true,
|
||||
}
|
||||
}
|
||||
// func NewResponseRequest(Tx experimental.FullTransaction, in *corazatypes.Interruption, UUID string, err error) ResponseRequest {
|
||||
// return ResponseRequest{
|
||||
// UUID: UUID,
|
||||
// Tx: Tx,
|
||||
// Interruption: in,
|
||||
// Err: err,
|
||||
// SendEvents: true,
|
||||
// }
|
||||
// }
|
||||
|
||||
// func (r *ResponseRequest) SetRemediation(remediation string) error {
|
||||
// if r.Interruption == nil {
|
||||
|
@ -74,7 +73,7 @@ type ParsedRequest struct {
|
|||
TransferEncoding []string
|
||||
UUID string
|
||||
Tx experimental.FullTransaction
|
||||
ResponseChannel chan ResponseRequest
|
||||
ResponseChannel chan WaapTempResponse
|
||||
}
|
||||
|
||||
// Generate a ParsedRequest from a http.Request. ParsedRequest can be consumed by the Waap Engine
|
||||
|
@ -129,6 +128,6 @@ func NewParsedRequestFromRequest(r *http.Request) (ParsedRequest, error) {
|
|||
Proto: r.Proto,
|
||||
Body: body,
|
||||
TransferEncoding: r.TransferEncoding,
|
||||
ResponseChannel: make(chan ResponseRequest),
|
||||
ResponseChannel: make(chan WaapTempResponse),
|
||||
}, nil
|
||||
}
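Review bot: `ResponseChannel chan WaapTempResponse` carries an implicit contract the hunk does not state: the channel is created unbuffered in `NewParsedRequestFromRequest` and the handler does one blocking receive per request, so the runner must send exactly once on every path or the handler never returns. Document it on the field: `// ResponseChannel receives exactly one WaapTempResponse per request from the runner; it is unbuffered, so any path that never sends leaves the HTTP handler blocked.` The `ResponseRequest` struct, `NewResponseRequest` and `SetRemediation` are left behind as commented-out blocks; version control keeps the history, so delete them rather than ship dead code that will drift from `WaapTempResponse`. The definition of `WaapTempResponse` itself is not in this section, so its fields and zero-value semantics could not be checked here.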
|
||||
|
|
|
@ -177,7 +177,7 @@ func (wc *WaapConfig) Build() (*WaapRuntimeConfig, error) {
|
|||
return ret, nil
|
||||
}
|
||||
|
||||
func (w *WaapRuntimeConfig) ProcessOnMatchRules(request ParsedRequest, response ResponseRequest) error {
|
||||
func (w *WaapRuntimeConfig) ProcessOnMatchRules(request ParsedRequest) error {
|
||||
|
||||
for _, rule := range w.CompiledOnMatch {
|
||||
if rule.FilterExpr != nil {
|
||||
|
@ -285,17 +285,15 @@ func (w *WaapRuntimeConfig) SetHTTPCode(code int) error {
|
|||
return nil
|
||||
}
|
||||
|
||||
func (w *WaapRuntimeConfig) ProcessInBandRules(request ParsedRequest) (*corazatypes.Interruption, error) {
|
||||
func (w *WaapRuntimeConfig) ProcessInBandRules(request ParsedRequest) error {
|
||||
for _, rule := range w.InBandRules {
|
||||
interrupt, err := rule.Eval(request)
|
||||
_, err := rule.Eval(request)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("unable to process inband rule %s : %s", rule.GetDisplayName(), err)
|
||||
}
|
||||
if interrupt != nil {
|
||||
return interrupt, nil
|
||||
return fmt.Errorf("unable to process inband rule %s : %s", rule.GetDisplayName(), err)
|
||||
}
|
||||
//...
|
||||
}
|
||||
return nil, nil
|
||||
return nil
|
||||
}
|
||||
|
||||
func (w *WaapRuntimeConfig) ProcessOutOfBandRules(request ParsedRequest) (*corazatypes.Interruption, error) {
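Review bot: `ProcessInBandRules` now discards the `*Interruption` returned by `rule.Eval` (`_, err := rule.Eval(request)`) and no longer returns at the first interruption, so all inband rules keep running after a match and the match survives only if `rule.Eval` records it on the runtime state — which this hunk does not show; if it does not, every request is reported with the runtime's default response, i.e. the WAF fails open. The `//...` placeholder at the former early-return site should either become a `break` once the interruption is stored on `w`, or a comment stating that evaluation is deliberately meant to continue through every rule. Prefer `%w` over `%s` in `return fmt.Errorf("unable to process inband rule %s : %w", rule.GetDisplayName(), err)` so callers can inspect the underlying error. `ProcessOutOfBandRules` continues beyond the hunk.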
|
||||
|
|