feat: support chaitin-waf plugin

apisix/plugins/chaitin-waf.lua

@@ -0,0 +1,373 @@
+--
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements.  See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License.  You may obtain a copy of the License at
+--
+--     http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+--
+local require = require
+local core = require("apisix.core")
+local rr_balancer = require("apisix.balancer.roundrobin")
+local plugin = require("apisix.plugin")
+local t1k = require "resty.t1k"
+local expr = require("resty.expr.v1")
+
+local ngx = ngx
+local ngx_now = ngx.now
+local string = string
+local fmt = string.format
+local tostring = tostring
+local tonumber = tonumber
+local ipairs = ipairs
+
+local plugin_name = "chaitin-waf"
+
+local vars_schema = {
+    type = "array",
+}
+
+local match_schema = {
+    type = "array",
+    items = {
+        type = "object",
+        properties = {
+            vars = vars_schema
+        }
+    },
+}
+
+local plugin_schema = {
+    type = "object",
+    properties = {
+        -- TODO: we should add a configuration "mode" here
+        -- It can be one of off, block and monitor
+        match = match_schema,
+        append_waf_resp_header = {
+            type = "boolean",
+            default = true
+        },
+        append_waf_debug_header = {
+            type = "boolean",
+            default = false
+        },
+        config = {
+            type = "object",
+            properties = {
+                connect_timeout = {
+                    type = "integer",
+                },
+                send_timeout = {
+                    type = "integer",
+                },
+                read_timeout = {
+                    type = "integer",
+                },
+                req_body_size = {
+                    type = "integer",
+                },
+                keepalive_size = {
+                    type = "integer",
+                },
+                keepalive_timeout = {
+                    type = "integer",
+                }
+            },
+        },
+    },
+}
+
+local metadata_schema = {
+    type = "object",
+    properties = {
+        nodes = {
+            type = "array",
+            items = {
+                type = "object",
+                properties = {
+                    host = {
+                        type = "string",
+                        pattern = "^\\*?[0-9a-zA-Z-._\\[\\]:]+$"
+                    },
+                    port = {
+                        type = "integer",
+                        minimum = 1,
+                        default = 80
+                    },
+                },
+                required = { "host" }
+            },
+            minItems = 1,
+        },
+        config = {
+            type = "object",
+            properties = {
+                connect_timeout = {
+                    type = "integer",
+                    default = 1000 -- milliseconds
+                },
+                send_timeout = {
+                    type = "integer",
+                    default = 1000 -- milliseconds
+                },
+                read_timeout = {
+                    type = "integer",
+                    default = 1000 -- milliseconds
+                },
+                req_body_size = {
+                    type = "integer",
+                    default = 1024 -- milliseconds
+                },
+                -- maximum concurrent idle connections to
+                -- the SafeLine WAF detection service
+                keepalive_size = {
+                    type = "integer",
+                    default = 256
+                },
+                keepalive_timeout = {
+                    type = "integer",
+                    default = 60000 -- milliseconds
+                },
+                -- TODO: we need a configuration to enable/disable the real client ip
+                -- the real client ip is calculated by APISIX
+            },
+            default = {},
+        },
+    },
+    required = { "nodes" },
+}
+
+local _M = {
+    version = 0.1,
+    priority = 2700,
+    name = plugin_name,
+    schema = plugin_schema,
+    metadata_schema = metadata_schema
+}
+
+local global_server_picker
+
+local HEADER_CHAITIN_WAF = "X-APISIX-CHAITIN-WAF"
+local HEADER_CHAITIN_WAF_ERROR = "X-APISIX-CHAITIN-WAF-ERROR"
+local HEADER_CHAITIN_WAF_TIME = "X-APISIX-CHAITIN-WAF-TIME"
+local HEADER_CHAITIN_WAF_STATUS = "X-APISIX-CHAITIN-WAF-STATUS"
+local HEADER_CHAITIN_WAF_ACTION = "X-APISIX-CHAITIN-WAF-ACTION"
+local HEADER_CHAITIN_WAF_SERVER = "X-APISIX-CHAITIN-WAF-SERVER"
+local blocked_message = [[{"code": %s, "success":false, ]] ..
+        [["message": "blocked by Chaitin SafeLine Web Application Firewall", "event_id": "%s"}]]
+
+
+function _M.check_schema(conf, schema_type)
+    if schema_type == core.schema.TYPE_METADATA then
+        return core.schema.check(metadata_schema, conf)
+    end
+
+    local ok, err = core.schema.check(plugin_schema, conf)
+
+    if not ok then
+        return false, err
+    end
+
+    if conf.match then
+        for _, m in ipairs(conf.match) do
+            local ok, err = expr.new(m.vars)
+            if not ok then
+                return false, "failed to validate the 'vars' expression: " .. err
+            end
+        end
+    end
+
+    return true
+end
+
+
+local function get_healthy_chaitin_server_nodes(metadata, checker)
+    local nodes = metadata.nodes
+    local new_nodes = core.table.new(0, #nodes)
+
+    for i = 1, #nodes do
+        local host, port = nodes[i].host, nodes[i].port
+        new_nodes[host .. ":" .. tostring(port)] = 1
+    end
+
+    return new_nodes
+end
+
+
+local function get_chaitin_server(metadata, ctx)
+    if not global_server_picker or global_server_picker.upstream ~= metadata.value.nodes then
+        local up_nodes = get_healthy_chaitin_server_nodes(metadata.value)
+        if core.table.nkeys(up_nodes) == 0 then
+            return nil, nil, "no healthy nodes"
+        end
+        core.log.info("chaitin-waf nodes: ", core.json.delay_encode(up_nodes))
+
+        global_server_picker = rr_balancer.new(up_nodes, metadata.value.nodes)
+    end
+
+    local server = global_server_picker.get(ctx)
+    local host, port, err = core.utils.parse_addr(server)
+    if err then
+        return nil, nil, err
+    end
+
+    return host, port, nil
+end
+
+
+local function check_match(conf, ctx)
+    local match_passed = true
+
+    if conf.match then
+        for _, match in ipairs(conf.match) do
+            -- todo: use lrucache to cache the result
+            local exp, err = expr.new(match.vars)
+            if err then
+                local msg = "failed to create match expression for " ..
+                        tostring(match.vars) .. ", err: " .. tostring(err)
+                core.log.error(msg)
+                return false, msg
+            end
+
+            match_passed = exp:eval(ctx.var)
+            if match_passed then
+                break
+            end
+        end
+    end
+
+    return match_passed, nil
+end
+
+
+local function get_conf(conf, metadata)
+    local t = {
+        mode = "block",
+    }
+
+    if metadata.config then
+        t.connect_timeout = metadata.config.connect_timeout
+        t.send_timeout = metadata.config.send_timeout
+        t.read_timeout = metadata.config.read_timeout
+        t.req_body_size = metadata.config.req_body_size
+        t.keepalive_size = metadata.config.keepalive_size
+        t.keepalive_timeout = metadata.config.keepalive_timeout
+    end
+
+    if conf.config then
+        t.connect_timeout = conf.config.connect_timeout
+        t.send_timeout = conf.config.send_timeout
+        t.read_timeout = conf.config.read_timeout
+        t.req_body_size = conf.config.req_body_size
+        t.keepalive_size = conf.config.keepalive_size
+        t.keepalive_timeout = conf.config.keepalive_timeout
+    end
+
+    return t
+end
+
+
+local function do_access(conf, ctx)
+    local extra_headers = {}
+
+    local match, err = check_match(conf, ctx)
+    if not match then
+        if err then
+            extra_headers[HEADER_CHAITIN_WAF] = "err"
+            extra_headers[HEADER_CHAITIN_WAF_ERROR] = tostring(err)
+            return 500, nil, extra_headers
+        else
+            extra_headers[HEADER_CHAITIN_WAF] = "no"
+            return nil, nil, extra_headers
+        end
+    end
+
+    local metadata = plugin.plugin_metadata(plugin_name)
+    if not core.table.try_read_attr(metadata, "value", "nodes") then
+        extra_headers[HEADER_CHAITIN_WAF] = "err"
+        extra_headers[HEADER_CHAITIN_WAF_ERROR] = "missing metadata"
+        return 500, nil, extra_headers
+    end
+
+    local host, port, err = get_chaitin_server(metadata, ctx)
+    if err then
+        extra_headers[HEADER_CHAITIN_WAF] = "unhealthy"
+        extra_headers[HEADER_CHAITIN_WAF_ERROR] = tostring(err)
+
+        return 500, nil, extra_headers
+    end
+
+    core.log.info("picked chaitin-waf server: ", host, ":", port)
+
+    local t = get_conf(conf, metadata.value)
+    t.host = host
+    t.port = port
+
+    extra_headers[HEADER_CHAITIN_WAF_SERVER] = host
+    extra_headers[HEADER_CHAITIN_WAF] = "yes"
+
+    local start_time = ngx_now() * 1000
+    local ok, err, result = t1k.do_access(t, false)
+    if not ok then
+        extra_headers[HEADER_CHAITIN_WAF] = "waf-err"
+        local err_msg = tostring(err)
+        if core.string.find(err_msg, "timeout") then
+            extra_headers[HEADER_CHAITIN_WAF] = "timeout"
+        end
+        extra_headers[HEADER_CHAITIN_WAF_ERROR] = tostring(err)
+    else
+        extra_headers[HEADER_CHAITIN_WAF_ACTION] = "pass"
+    end
+    extra_headers[HEADER_CHAITIN_WAF_TIME] = ngx_now() * 1000 - start_time
+
+    local code = 200
+    extra_headers[HEADER_CHAITIN_WAF_STATUS] = code
+    if result then
+        if result.status then
+            code = result.status
+            extra_headers[HEADER_CHAITIN_WAF_STATUS] = code
+            extra_headers[HEADER_CHAITIN_WAF_ACTION] = "reject"
+
+            core.log.error("request rejected by chaitin-waf, event_id: " .. result.event_id)
+            return tonumber(code), fmt(blocked_message, code,
+                    result.event_id) .. "\n", extra_headers
+        end
+    end
+    if not ok then
+        extra_headers[HEADER_CHAITIN_WAF_STATUS] = nil
+    end
+
+    return nil, nil, extra_headers
+end
+
+
+function _M.access(conf, ctx)
+    local code, msg, extra_headers = do_access(conf, ctx)
+
+    if not conf.append_waf_debug_header then
+        extra_headers[HEADER_CHAITIN_WAF_ERROR] = nil
+        extra_headers[HEADER_CHAITIN_WAF_SERVER] = nil
+    end
+
+    if conf.append_waf_resp_header then
+        core.response.set_header(extra_headers)
+    end
+
+    return code, msg
+end
+
+
+function _M.header_filter(conf, ctx)
+    t1k.do_header_filter()
+end
+
+
+return _M

conf/config-default.yaml

@@ -450,6 +450,7 @@ plugins:                           # plugin list (sorted by priority)
   - csrf                           # priority: 2980
   - uri-blocker                    # priority: 2900
   - request-validation             # priority: 2800
+  - chaitin-waf                    # priority: 2700
   - openid-connect                 # priority: 2599
   - cas-auth                       # priority: 2597
   - authz-casbin                   # priority: 2560

docs/en/latest/config.json

@@ -126,7 +126,8 @@
             "plugins/consumer-restriction",
             "plugins/csrf",
             "plugins/public-api",
-            "plugins/gm"
+            "plugins/gm",
+            "plugins/chaitin-waf"
           ]
         },
         {