nanChen/ai-security-xdr
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

1、新增降噪日志数据健康监测告警

Browse Source 
2、IP联动封禁功能完善
This commit is contained in:
nanChen
2026-05-06 17:54:59 +08:00
parent 5e73c1c8f6
commit 19c563b3f3
23 changed files with 2953 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
haobang-security-xdr/syslog-serve/pom.xml
+21 -1
View File
@@ -90,7 +90,6 @@
<version>1.4.2</version>
</dependency>
<!-- json 框架 -->
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
@@ -180,8 +179,29 @@
<version>${pagehelper.version}</version>
</dependency>
<dependency>
<groupId>org.apache.httpcomponents</groupId>
<artifactId>httpclient</artifactId>
</dependency>
<!-- Hutool 核心工具库 -->
<dependency>
<groupId>cn.hutool</groupId>
<artifactId>hutool-all</artifactId>
<version>5.8.27</version> <!-- 建议使用较新的稳定版本 -->
</dependency>
<!-- Bouncy Castle 国密算法支持 -->
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15to18</artifactId>
<version>1.78</version> <!-- 兼容 Java 1.8 -->
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
haobang-security-xdr/syslog-serve/src/main/java/com/haobang/controller/InterlockingController.java
+191
View File
@@ -0,0 +1,191 @@
package com.haobang.controller;
import com.haobang.interlocking.InterlockingService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.*;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
/**
* 探针联动控制器
* 提供手动触发封禁的REST API
*/
@RestController
@RequestMapping("/interlocking")
public class InterlockingController {
@Autowired
private InterlockingService interlockingService;
/**
* 手动封禁单个IP
* POST /interlocking/block
*
* @param request 封禁请求参数
* @return 执行结果
*/
@PostMapping("/block")
public ResponseEntity<Map<String, Object>> blockIp(@RequestBody Map<String, Object> request) {
Map<String, Object> result = new HashMap<>();
try {
String ip = (String) request.get("ip");
String cmdType = (String) request.getOrDefault("cmdType", "add_blacklist");
Integer age = request.containsKey("age") ? ((Number) request.get("age")).intValue() : -1;
String reason = (String) request.getOrDefault("reason", "manual_block");
if (ip == null || ip.isEmpty()) {
result.put("code", 400);
result.put("message", "IP地址不能为空");
return ResponseEntity.badRequest().body(result);
}
Map<String, Object> response = interlockingService.manualBlock(ip, cmdType, age, reason);
result.put("code", 200);
result.put("message", "success");
result.put("data", response);
return ResponseEntity.ok(result);
} catch (Exception e) {
result.put("code", 500);
result.put("message", "封禁失败: " + e.getMessage());
return ResponseEntity.status(500).body(result);
}
}
/**
* 批量封禁IP
* POST /interlocking/block/batch
*
* @param request 批量封禁请求参数
* @return 执行结果
*/
@PostMapping("/block/batch")
public ResponseEntity<Map<String, Object>> batchBlockIp(@RequestBody Map<String, Object> request) {
Map<String, Object> result = new HashMap<>();
try {
@SuppressWarnings("unchecked")
List<String> ips = (List<String>) request.get("ips");
String cmdType = (String) request.getOrDefault("cmdType", "add_blacklist");
Integer age = request.containsKey("age") ? ((Number) request.get("age")).intValue() : -1;
String reason = (String) request.getOrDefault("reason", "manual_batch_block");
if (ips == null || ips.isEmpty()) {
result.put("code", 400);
result.put("message", "IP地址列表不能为空");
return ResponseEntity.badRequest().body(result);
}
Map<String, Object> response = interlockingService.batchManualBlock(ips, cmdType, age, reason);
result.put("code", 200);
result.put("message", "success");
result.put("data", response);
result.put("total", ips.size());
return ResponseEntity.ok(result);
} catch (Exception e) {
result.put("code", 500);
result.put("message", "批量封禁失败: " + e.getMessage());
return ResponseEntity.status(500).body(result);
}
}
/**
* 从黑名单删除IP
* DELETE /interlocking/blacklist/{ip}
*/
@DeleteMapping("/blacklist/{ip}")
public ResponseEntity<Map<String, Object>> removeFromBlacklist(@PathVariable String ip) {
Map<String, Object> result = new HashMap<>();
try {
Map<String, Object> response = interlockingService.manualBlock(ip, "del_blacklist", -1, "");
result.put("code", 200);
result.put("message", "success");
result.put("data", response);
return ResponseEntity.ok(result);
} catch (Exception e) {
result.put("code", 500);
result.put("message", "删除黑名单失败: " + e.getMessage());
return ResponseEntity.status(500).body(result);
}
}
/**
* 批量从黑名单删除IP
* DELETE /interlocking/blacklist
*/
@DeleteMapping("/blacklist")
public ResponseEntity<Map<String, Object>> batchRemoveFromBlacklist(@RequestBody Map<String, Object> request) {
Map<String, Object> result = new HashMap<>();
try {
@SuppressWarnings("unchecked")
List<String> ips = (List<String>) request.get("ips");
if (ips == null || ips.isEmpty()) {
result.put("code", 400);
result.put("message", "IP地址列表不能为空");
return ResponseEntity.badRequest().body(result);
}
Map<String, Object> response = interlockingService.batchManualBlock(ips, "del_blacklist", -1, "");
result.put("code", 200);
result.put("message", "success");
result.put("data", response);
result.put("total", ips.size());
return ResponseEntity.ok(result);
} catch (Exception e) {
result.put("code", 500);
result.put("message", "批量删除黑名单失败: " + e.getMessage());
return ResponseEntity.status(500).body(result);
}
}
/**
* 获取联动服务状态
* GET /interlocking/status
*/
@GetMapping("/status")
public ResponseEntity<Map<String, Object>> getStatus() {
Map<String, Object> result = new HashMap<>();
try {
result.put("code", 200);
result.put("message", "success");
Map<String, Object> status = new HashMap<>();
status.put("enabled", interlockingService.isInterlockingEnabled());
status.put("probeId", interlockingService.getProbeId());
result.put("data", status);
return ResponseEntity.ok(result);
} catch (Exception e) {
result.put("code", 500);
result.put("message", "获取状态失败: " + e.getMessage());
return ResponseEntity.status(500).body(result);
}
}
/**
* 健康检查
* GET /interlocking/health
*/
@GetMapping("/health")
public ResponseEntity<Map<String, Object>> health() {
Map<String, Object> result = new HashMap<>();
result.put("code", 200);
result.put("message", "OK");
result.put("service", "interlocking-client");
result.put("probeId", interlockingService.getProbeId());
result.put("enabled", interlockingService.isInterlockingEnabled());
return ResponseEntity.ok(result);
}
}
haobang-security-xdr/syslog-serve/src/main/java/com/haobang/firewall/FirewallApiClient.java
+420
View File
@@ -0,0 +1,420 @@
package com.haobang.firewall;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
import javax.net.ssl.*;
import java.io.*;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.stream.Collectors;
import java.net.ProtocolException;
/**
* 防火墙API客户端
* 支持安恒信息-明御安全网关的黑名单/白名单操作
*/
@Component
public class FirewallApiClient {
private static final Logger logger = LoggerFactory.getLogger(FirewallApiClient.class);
private final ObjectMapper objectMapper = new ObjectMapper();
// 黑名单API配置
@Value("${blacklist.api.url:https://103.43.84.11/api/v3/Objects/Blacklist}")
private String blacklistApiUrl;
@Value("${blacklist.api.username:apt-admin103}")
private String blacklistUsername;
@Value("${blacklist.api.password:C9W2xYgfc%SN1}")
private String blacklistPassword;
// 白名单API配置
@Value("${whitelist.api.url:https://103.43.84.11/api/v3/Policies/GlobalWhitelist}")
private String whitelistApiUrl;
@Value("${whitelist.api.username:apt-admin103}")
private String whitelistUsername;
@Value("${whitelist.api.password:C9W2xYgfc%SN1}")
private String whitelistPassword;
@Value("${firewall.enabled:true}")
private boolean firewallEnabled;
/**
* 添加IP到黑名单
* @param ip IP地址
* @param age 生命周期(秒),-1表示永久
* @param reason 原因/备注
* @return 操作结果
*/
public FirewallResponse addToBlacklist(String ip, int age, String reason) {
if (!firewallEnabled) {
logger.info("[测试模式] 添加黑名单: ip={}, age={}, reason={}", ip, age, reason);
return new FirewallResponse(true, "1", "测试模式-模拟成功");
}
Map<String, Object> payload = new HashMap<>();
payload.put("blist", ip);
payload.put("age", String.valueOf(age));
payload.put("enable", "1");
if (reason != null && !reason.isEmpty()) {
payload.put("reason", reason);
}
return doPost(blacklistApiUrl, blacklistUsername, blacklistPassword, payload);
}
/**
* 批量添加IP到黑名单
* @param ips IP列表,每个元素包含 ip, age, reason
* @return 操作结果
*/
public FirewallResponse batchAddToBlacklist(List<Map<String, String>> ips) {
if (!firewallEnabled) {
logger.info("[测试模式] 批量添加黑名单: {}", ips);
return new FirewallResponse(true, "1", "测试模式-模拟成功");
}
List<Map<String, String>> entries = new ArrayList<>();
for (Map<String, String> ipInfo : ips) {
Map<String, String> entry = new HashMap<>();
entry.put("blist", ipInfo.get("ip"));
entry.put("age", ipInfo.getOrDefault("age", "-1"));
entry.put("enable", "1");
if (ipInfo.containsKey("reason")) {
entry.put("reason", ipInfo.get("reason"));
}
entries.add(entry);
}
Map<String, Object> payload = new HashMap<>();
payload.put("blist_entry", entries);
return doPost(blacklistApiUrl, blacklistUsername, blacklistPassword, payload);
}
/**
* 从黑名单删除IP
* @param ip IP地址
* @return 操作结果
*/
public FirewallResponse removeFromBlacklist(String ip) {
if (!firewallEnabled) {
logger.info("[测试模式] 删除黑名单: ip={}", ip);
return new FirewallResponse(true, "1", "测试模式-模拟成功");
}
String deleteUrl = blacklistApiUrl + "/blist/" + ip;
return doDelete(deleteUrl, blacklistUsername, blacklistPassword);
}
/**
* 批量从黑名单删除IP
* @param ips IP地址列表
* @return 操作结果
*/
public FirewallResponse batchRemoveFromBlacklist(List<String> ips) {
if (!firewallEnabled) {
logger.info("[测试模式] 批量删除黑名单: {}", ips);
return new FirewallResponse(true, "1", "测试模式-模拟成功");
}
List<Map<String, String>> entries = ips.stream()
.map(ip -> {
Map<String, String> entry = new HashMap<>();
entry.put("blist", ip);
return entry;
})
.collect(Collectors.toList());
Map<String, Object> payload = new HashMap<>();
payload.put("blist_entry", entries);
return doDelete(blacklistApiUrl, blacklistUsername, blacklistPassword, payload);
}
/**
* 添加IP到白名单
* @param ip IP地址
* @param name 名称
* @param desc 描述
* @return 操作结果
*/
public FirewallResponse addToWhitelist(String ip, String name, String desc) {
if (!firewallEnabled) {
logger.info("[测试模式] 添加白名单: ip={}, name={}", ip, name);
return new FirewallResponse(true, "1", "测试模式-模拟成功");
}
List<Map<String, String>> addresses = new ArrayList<>();
Map<String, String> address = new HashMap<>();
address.put("address", ip);
addresses.add(address);
Map<String, Object> payload = new HashMap<>();
payload.put("enable", "1");
payload.put("name", name);
payload.put("desc", desc != null ? desc : "");
payload.put("addr", addresses);
return doPost(whitelistApiUrl, whitelistUsername, whitelistPassword, payload);
}
/**
* 删除白名单
* @param name 白名单名称
* @return 操作结果
*/
public FirewallResponse removeFromWhitelist(String name) {
if (!firewallEnabled) {
logger.info("[测试模式] 删除白名单: name={}", name);
return new FirewallResponse(true, "1", "测试模式-模拟成功");
}
String deleteUrl = whitelistApiUrl + "/name/" + name;
return doDelete(deleteUrl, whitelistUsername, whitelistPassword);
}
/**
* 批量删除白名单
* @param names 白名单名称列表
* @return 操作结果
*/
public FirewallResponse batchRemoveFromWhitelist(List<String> names) {
if (!firewallEnabled) {
logger.info("[测试模式] 批量删除白名单: {}", names);
return new FirewallResponse(true, "1", "测试模式-模拟成功");
}
List<Map<String, String>> nameList = names.stream()
.map(name -> {
Map<String, String> entry = new HashMap<>();
entry.put("name", name);
return entry;
})
.collect(Collectors.toList());
Map<String, Object> payload = new HashMap<>();
payload.put("name_list", nameList);
String batchDeleteUrl = whitelistApiUrl + "Batch";
return doDelete(batchDeleteUrl, whitelistUsername, whitelistPassword, payload);
}
/**
* 执行POST请求
*/
private FirewallResponse doPost(String urlStr, String username, String password, Map<String, Object> payload) {
HttpURLConnection conn = null;
try {
URL url = new URL(urlStr);
conn = (HttpURLConnection) url.openConnection();
setupConnection(conn, username, password, "POST");
// 发送请求体
ObjectMapper mapper = new ObjectMapper();
String jsonBody = mapper.writeValueAsString(payload);
try (OutputStream os = conn.getOutputStream()) {
os.write(jsonBody.getBytes(StandardCharsets.UTF_8));
}
// 获取响应
int responseCode = conn.getResponseCode();
String response = readResponse(conn);
logger.info("POST请求响应: url={}, code={}, response={}", urlStr, responseCode, response);
// 解析响应
JsonNode jsonNode = mapper.readTree(response);
int code = jsonNode.has("code") ? jsonNode.get("code").asInt() : responseCode;
String msg = jsonNode.has("msg") && !jsonNode.get("msg").isNull() ? jsonNode.get("msg").asText() : "";
return new FirewallResponse(code == 1, String.valueOf(code), msg, response);
} catch (Exception e) {
logger.error("POST请求失败: url={}, error={}", urlStr, e.getMessage(), e);
return new FirewallResponse(false, "-1", "请求失败: " + e.getMessage());
} finally {
if (conn != null) {
conn.disconnect();
}
}
}
/**
* 执行DELETE请求(无请求体)
*/
private FirewallResponse doDelete(String urlStr, String username, String password) {
HttpURLConnection conn = null;
try {
URL url = new URL(urlStr);
conn = (HttpURLConnection) url.openConnection();
setupConnection(conn, username, password, "DELETE");
int responseCode = conn.getResponseCode();
String response = readResponse(conn);
logger.info("DELETE请求响应: url={}, code={}, response={}", urlStr, responseCode, response);
ObjectMapper mapper = new ObjectMapper();
JsonNode jsonNode = mapper.readTree(response);
int code = jsonNode.has("code") ? jsonNode.get("code").asInt() : responseCode;
String msg = jsonNode.has("msg") && !jsonNode.get("msg").isNull() ? jsonNode.get("msg").asText() : "";
return new FirewallResponse(code == 1, String.valueOf(code), msg, response);
} catch (Exception e) {
logger.error("DELETE请求失败: url={}, error={}", urlStr, e.getMessage(), e);
return new FirewallResponse(false, "-1", "请求失败: " + e.getMessage());
} finally {
if (conn != null) {
conn.disconnect();
}
}
}
/**
* 执行DELETE请求(带请求体)
*/
private FirewallResponse doDelete(String urlStr, String username, String password, Map<String, Object> payload) {
HttpURLConnection conn = null;
try {
URL url = new URL(urlStr);
conn = (HttpURLConnection) url.openConnection();
setupConnection(conn, username, password, "DELETE");
// 发送请求体
ObjectMapper mapper = new ObjectMapper();
String jsonBody = mapper.writeValueAsString(payload);
try (OutputStream os = conn.getOutputStream()) {
os.write(jsonBody.getBytes(StandardCharsets.UTF_8));
}
int responseCode = conn.getResponseCode();
String response = readResponse(conn);
logger.info("DELETE请求响应: url={}, code={}, response={}", urlStr, responseCode, response);
JsonNode jsonNode = mapper.readTree(response);
int code = jsonNode.has("code") ? jsonNode.get("code").asInt() : responseCode;
String msg = jsonNode.has("msg") && !jsonNode.get("msg").isNull() ? jsonNode.get("msg").asText() : "";
return new FirewallResponse(code == 1, String.valueOf(code), msg, response);
} catch (Exception e) {
logger.error("DELETE请求失败: url={}, error={}", urlStr, e.getMessage(), e);
return new FirewallResponse(false, "-1", "请求失败: " + e.getMessage());
} finally {
if (conn != null) {
conn.disconnect();
}
}
}
/**
* 配置HTTP连接
*/
private void setupConnection(HttpURLConnection conn, String username, String password, String method)
throws NoSuchAlgorithmException, KeyManagementException, ProtocolException{
conn.setRequestMethod(method);
conn.setConnectTimeout(10000);
conn.setReadTimeout(30000);
conn.setDoInput(true);
conn.setDoOutput(true);
// 设置请求头
conn.setRequestProperty("Content-Type", "application/json");
conn.setRequestProperty("Accept", "application/json");
// HTTP Basic Auth
String auth = username + ":" + password;
String encodedAuth = Base64.getEncoder().encodeToString(auth.getBytes(StandardCharsets.UTF_8));
conn.setRequestProperty("Authorization", "Basic " + encodedAuth);
// 信任所有证书(用于HTTPS
if (conn instanceof HttpsURLConnection) {
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, new TrustManager[]{new X509TrustManager() {
public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
public void checkClientTrusted(X509Certificate[] certs, String authType) {}
public void checkServerTrusted(X509Certificate[] certs, String authType) {}
}}, new java.security.SecureRandom());
((HttpsURLConnection) conn).setSSLSocketFactory(sslContext.getSocketFactory());
((HttpsURLConnection) conn).setHostnameVerifier((hostname, session) -> true);
}
}
/**
* 读取响应内容
*/
private String readResponse(HttpURLConnection conn) throws IOException {
try (BufferedReader reader = new BufferedReader(
new InputStreamReader(
conn.getResponseCode() >= 400 ? conn.getErrorStream() : conn.getInputStream(),
StandardCharsets.UTF_8))) {
StringBuilder response = new StringBuilder();
String line;
while ((line = reader.readLine()) != null) {
response.append(line);
}
return response.toString();
}
}
/**
* 防火墙响应结果类
*/
public static class FirewallResponse {
private boolean success;
private String code;
private String message;
private String rawResponse;
public FirewallResponse(boolean success, String code, String message) {
this.success = success;
this.code = code;
this.message = message;
}
public FirewallResponse(boolean success, String code, String message, String rawResponse) {
this.success = success;
this.code = code;
this.message = message;
this.rawResponse = rawResponse;
}
public boolean isSuccess() { return success; }
public void setSuccess(boolean success) { this.success = success; }
public String getCode() { return code; }
public void setCode(String code) { this.code = code; }
public String getMessage() { return message; }
public void setMessage(String message) { this.message = message; }
public String getRawResponse() { return rawResponse; }
public void setRawResponse(String rawResponse) { this.rawResponse = rawResponse; }
@Override
public String toString() {
return "FirewallResponse{" +
"success=" + success +
", code='" + code + '\'' +
", message='" + message + '\'' +
'}';
}
}
}
haobang-security-xdr/syslog-serve/src/main/java/com/haobang/interlocking/InterlockingApiClient.java
+176
View File
@@ -0,0 +1,176 @@
package com.haobang.interlocking;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.*;
import org.springframework.stereotype.Component;
import org.springframework.web.client.RestTemplate;
import java.nio.charset.StandardCharsets;
import java.util.*;
/**
* 探针联动API客户端
* 用于调用syslog-consumer模块提供的REST API
*/
@Component
public class InterlockingApiClient {
private static final Logger logger = LoggerFactory.getLogger(InterlockingApiClient.class);
private final RestTemplate restTemplate = new RestTemplate();
private final ObjectMapper objectMapper = new ObjectMapper();
@Value("${interlocking.api-key:a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6}")
private String apiKey;
@Value("${interlocking.api.base-url:http://localhost:8089/xdrservice/interlocking}")
private String baseUrl;
/**
* 获取待执行的封禁指令
* @param probeId 探针ID
* @return 指令列表
*/
public List<Map<String, Object>> getPendingCommands(Long probeId) {
String url = baseUrl + "/cmd/pending?probeId=" + probeId;
try {
String response = doGet(url);
JsonNode jsonNode = objectMapper.readTree(response);
if (jsonNode.has("code") && jsonNode.get("code").asInt() == 200) {
JsonNode dataNode = jsonNode.get("data");
List<Map<String, Object>> commands = new ArrayList<>();
if (dataNode.isArray()) {
for (JsonNode node : dataNode) {
commands.add(objectMapper.convertValue(node, Map.class));
}
}
return commands;
}
logger.warn("获取待执行指令失败: {}", response);
return Collections.emptyList();
} catch (Exception e) {
logger.error("获取待执行指令异常: {}", e.getMessage(), e);
return Collections.emptyList();
}
}
/**
* 更新指令状态为执行中
* @param cmdId 指令ID
* @return 是否成功
*/
public boolean updateStatusToExecuting(Long cmdId) {
String url = baseUrl + "/cmd/" + cmdId + "/status/executing";
try {
String response = doPut(url, null);
JsonNode jsonNode = objectMapper.readTree(response);
return jsonNode.has("code") && jsonNode.get("code").asInt() == 200;
} catch (Exception e) {
logger.error("更新指令状态为执行中失败: cmdId={}, error={}", cmdId, e.getMessage());
return false;
}
}
/**
* 更新指令状态为执行完成
* @param cmdId 指令ID
* @return 是否成功
*/
public boolean updateStatusToCompleted(Long cmdId) {
String url = baseUrl + "/cmd/" + cmdId + "/status/completed";
try {
String response = doPut(url, null);
JsonNode jsonNode = objectMapper.readTree(response);
return jsonNode.has("code") && jsonNode.get("code").asInt() == 200;
} catch (Exception e) {
logger.error("更新指令状态为执行完成失败: cmdId={}, error={}", cmdId, e.getMessage());
return false;
}
}
/**
* 更新指令状态为执行失败
* @param cmdId 指令ID
* @param errorMessage 错误信息
* @return 是否成功
*/
public boolean updateStatusToFailed(Long cmdId, String errorMessage) {
String url = baseUrl + "/cmd/" + cmdId + "/status/failed";
try {
Map<String, Object> body = new HashMap<>();
body.put("errorMessage", errorMessage);
String response = doPut(url, body);
JsonNode jsonNode = objectMapper.readTree(response);
return jsonNode.has("code") && jsonNode.get("code").asInt() == 200;
} catch (Exception e) {
logger.error("更新指令状态为执行失败失败: cmdId={}, error={}", cmdId, e.getMessage());
return false;
}
}
/**
* 批量插入封禁记录
* @param logs 封禁记录列表
* @return 是否成功
*/
public boolean batchInsertLogs(List<Map<String, Object>> logs) {
String url = baseUrl + "/log/batch";
try {
Map<String, Object> request = new HashMap<>();
request.put("logs", logs);
String response = doPost(url, request);
JsonNode jsonNode = objectMapper.readTree(response);
return jsonNode.has("code") && jsonNode.get("code").asInt() == 200;
} catch (Exception e) {
logger.error("批量插入封禁记录失败: error={}", e.getMessage());
return false;
}
}
/**
* 执行GET请求
*/
private String doGet(String url) {
HttpHeaders headers = new HttpHeaders();
headers.set("X-API-KEY", apiKey);
HttpEntity<String> entity = new HttpEntity<>(headers);
ResponseEntity<String> response = restTemplate.exchange(url, HttpMethod.GET, entity, String.class);
return response.getBody();
}
/**
* 执行PUT请求
*/
private String doPut(String url, Map<String, Object> body) {
HttpHeaders headers = new HttpHeaders();
headers.setContentType(MediaType.APPLICATION_JSON);
headers.set("X-API-KEY", apiKey);
HttpEntity<Map<String, Object>> entity = new HttpEntity<>(body, headers);
ResponseEntity<String> response = restTemplate.exchange(url, HttpMethod.PUT, entity, String.class);
return response.getBody();
}
/**
* 执行POST请求
*/
private String doPost(String url, Map<String, Object> body) {
HttpHeaders headers = new HttpHeaders();
headers.setContentType(MediaType.APPLICATION_JSON);
headers.set("X-API-KEY", apiKey);
HttpEntity<Map<String, Object>> entity = new HttpEntity<>(body, headers);
ResponseEntity<String> response = restTemplate.exchange(url, HttpMethod.POST, entity, String.class);
return response.getBody();
}
public String getApiKey() { return apiKey; }
public void setApiKey(String apiKey) { this.apiKey = apiKey; }
public String getBaseUrl() { return baseUrl; }
public void setBaseUrl(String baseUrl) { this.baseUrl = baseUrl; }
}
haobang-security-xdr/syslog-serve/src/main/java/com/haobang/interlocking/InterlockingService.java
+412
View File
@@ -0,0 +1,412 @@
package com.haobang.interlocking;
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.haobang.firewall.FirewallApiClient;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.scheduling.annotation.Scheduled;
import org.springframework.stereotype.Service;
import javax.annotation.PostConstruct;
import java.util.*;
import java.util.concurrent.atomic.AtomicBoolean;
/**
* 探针联动封禁服务
* 核心业务逻辑:
* 1. 从syslog-consumer获取待执行的封禁指令
* 2. 解析封禁指令,生成逐条指令
* 3. 调用防火墙API执行封禁
* 4. 记录封禁结果到syslog-consumer
* 5. 更新指令状态
*/
@Service
public class InterlockingService {
private static final Logger logger = LoggerFactory.getLogger(InterlockingService.class);
@Autowired
private InterlockingApiClient apiClient;
@Autowired
private FirewallApiClient firewallClient;
private final ObjectMapper objectMapper = new ObjectMapper();
// 探针ID,从配置读取
@Value("${app.service.device_collect_id:1}")
private Integer probeId;
// 是否启用联动功能
@Value("${interlocking.enabled:true}")
private boolean interlockingEnabled;
// 执行锁,防止重复执行
private final AtomicBoolean executing = new AtomicBoolean(false);
@PostConstruct
public void init() {
logger.info("探针联动封禁服务初始化完成,探针ID: {}, 启用状态: {}", probeId, interlockingEnabled);
}
/**
* 定时任务:检查并执行待处理的封禁指令
* 每30秒执行一次
*/
@Scheduled(fixedDelay = 30000)
public void processPendingCommands() {
if (!interlockingEnabled) {
return;
}
// 防止重复执行
if (!executing.compareAndSet(false, true)) {
logger.debug("上次执行尚未完成,跳过本次调度");
return;
}
try {
logger.info("开始检查待执行的封禁指令...");
// 1. 获取待执行的封禁指令
List<Map<String, Object>> pendingCommands = apiClient.getPendingCommands(probeId.longValue());
if (pendingCommands.isEmpty()) {
logger.debug("没有待执行的封禁指令");
return;
}
logger.info("获取到 {} 条待执行的封禁指令", pendingCommands.size());
// 2. 逐条处理指令
for (Map<String, Object> cmd : pendingCommands) {
try {
processCommand(cmd);
} catch (Exception e) {
logger.error("处理封禁指令异常: cmdId={}, error={}", cmd.get("id"), e.getMessage(), e);
}
}
} catch (Exception e) {
logger.error("检查待执行指令失败: {}", e.getMessage(), e);
} finally {
executing.set(false);
}
}
/**
* 处理单条封禁指令
* 指令数据结构(JSON字段名为驼峰格式):
* - banIps: 封禁IP数组
* - banType: 封禁类型(0:黑名单、1:白名单)
* - banOperationType: 操作类型(0:新增、1:删除)
* - banDuration: 封禁时长(秒)
* - deviceInterlockingIp: 联动设备IP数组
* - deviceInterlockingId: 联动设备ID数组
*/
private void processCommand(Map<String, Object> cmd) {
Long cmdId = ((Number) cmd.get("id")).longValue();
// JSON字段名使用驼峰格式
List<String> banIps = parseStringArray(cmd.get("banIps"));
String banType = (String) cmd.get("banType");
Integer banOperationType = cmd.get("banOperationType") != null ?
((Number) cmd.get("banOperationType")).intValue() : 0;
Integer banDuration = cmd.get("banDuration") != null ?
((Number) cmd.get("banDuration")).intValue() : -1;
List<String> deviceIps = parseStringArray(cmd.get("deviceInterlockingIp"));
logger.info("开始处理封禁指令: cmdId={}, banType={}, operationType={}, ipCount={}",
cmdId, banType, banOperationType, banIps.size());
try {
// 3. 更新状态为执行中
if (!apiClient.updateStatusToExecuting(cmdId)) {
logger.warn("更新指令状态为执行中失败,跳过此指令: cmdId={}", cmdId);
return;
}
if (banIps.isEmpty()) {
logger.warn("封禁IP列表为空: cmdId={}", cmdId);
apiClient.updateStatusToCompleted(cmdId);
return;
}
// 4. 根据设备列表执行封禁
int successCount = 0;
int failCount = 0;
List<Map<String, Object>> allResults = new ArrayList<>();
// 遍历每个联动设备执行封禁
for (String deviceIp : deviceIps) {
// 设置防火墙客户端的设备IP(这里简化处理,实际可能需要从配置获取)
List<Map<String, Object>> results = executeBlockOperations(
deviceIp, banType, banOperationType, banIps, banDuration, cmdId);
allResults.addAll(results);
for (Map<String, Object> result : results) {
// banResult: 1表示成功,0表示失败
if ("1".equals(result.get("banResult"))) {
successCount++;
} else {
failCount++;
}
}
}
// 5. 批量记录封禁结果
for (Map<String, Object> result : allResults) {
result.put("deviceInterlockingCmdId", cmdId);
result.put("probeId", probeId);
result.put("banMethod", "1"); // 自动化封禁
}
boolean logSaved = apiClient.batchInsertLogs(allResults);
if (!logSaved) {
logger.warn("批量记录封禁结果失败: cmdId={}", cmdId);
}
// 6. 更新指令状态为执行完成
if (apiClient.updateStatusToCompleted(cmdId)) {
logger.info("封禁指令执行完成: cmdId={}, 成功={}, 失败={}", cmdId, successCount, failCount);
} else {
logger.error("更新指令状态为执行完成失败: cmdId={}", cmdId);
}
} catch (Exception e) {
logger.error("处理封禁指令异常: cmdId={}, error={}", cmdId, e.getMessage(), e);
apiClient.updateStatusToFailed(cmdId, e.getMessage());
}
}
/**
* 解析PostgreSQL数组格式
*/
private List<String> parseStringArray(Object obj) {
List<String> result = new ArrayList<>();
if (obj == null) {
return result;
}
try {
if (obj instanceof List) {
for (Object item : (List<?>) obj) {
result.add(String.valueOf(item));
}
} else if (obj instanceof String) {
String str = (String) obj;
// 处理PostgreSQL数组格式 {a,b,c}
if (str.startsWith("{") && str.endsWith("}")) {
str = str.substring(1, str.length() - 1);
for (String item : str.split(",")) {
if (!item.isEmpty()) {
result.add(item.trim());
}
}
}
}
} catch (Exception e) {
logger.error("解析数组失败: {}", e.getMessage());
}
return result;
}
/**
* 执行封禁操作
* @param deviceIp 设备IP
* @param banType 封禁类型(0:黑名单、1:白名单)
* @param operationType 操作类型(0:新增、1:删除)
* @param ipList IP列表
* @param duration 封禁时长
* @param cmdId 指令ID
*/
private List<Map<String, Object>> executeBlockOperations(
String deviceIp, String banType, int operationType,
List<String> ipList, int duration, Long cmdId) {
List<Map<String, Object>> results = new ArrayList<>();
// 确定操作类型
String operationName;
if ("0".equals(banType)) {
// 黑名单
operationName = operationType == 0 ? "add_blacklist" : "del_blacklist";
} else {
// 白名单
operationName = operationType == 0 ? "add_whitelist" : "del_whitelist";
}
for (String ip : ipList) {
Map<String, Object> result = new HashMap<>();
result.put("banIp", ip);
result.put("deviceInterlockingId", null); // 后续可关联
result.put("deviceName", deviceIp);
result.put("banResult", "0"); // 默认失败,0表示失败
result.put("reqBody", "");
result.put("respBody", "");
try {
FirewallApiClient.FirewallResponse response;
switch (operationName) {
case "add_blacklist":
response = firewallClient.addToBlacklist(ip, duration, "联动封禁");
break;
case "del_blacklist":
response = firewallClient.removeFromBlacklist(ip);
break;
case "add_whitelist":
response = firewallClient.addToWhitelist(ip, "whitelist_" + ip, "联动封禁白名单");
break;
case "del_whitelist":
response = firewallClient.removeFromWhitelist(ip);
break;
default:
logger.warn("未知的指令类型: {}", operationName);
result.put("respBody", "未知的指令类型: " + operationName);
results.add(result);
continue;
}
// banResult: 1表示成功,0表示失败
result.put("banResult", response.isSuccess() ? "1" : "0");
result.put("respBody", response.getRawResponse());
// 构建请求body用于记录
result.put("reqBody", buildRequestBody(operationName, ip, duration));
} catch (Exception e) {
logger.error("执行封禁操作异常: ip={}, operation={}, error={}", ip, operationName, e.getMessage());
result.put("respBody", "执行异常: " + e.getMessage());
}
results.add(result);
}
return results;
}
/**
* 构建请求body用于记录
*/
private String buildRequestBody(String cmdType, String ip, int duration) {
try {
Map<String, Object> body = new HashMap<>();
switch (cmdType) {
case "add_blacklist":
body.put("blist", ip);
body.put("age", String.valueOf(duration));
body.put("enable", "1");
break;
case "del_blacklist":
body.put("blist", ip);
break;
case "add_whitelist":
body.put("enable", "1");
body.put("name", "whitelist_" + ip);
List<Map<String, String>> addr = new ArrayList<>();
Map<String, String> addrItem = new HashMap<>();
addrItem.put("address", ip);
addr.add(addrItem);
body.put("addr", addr);
break;
case "del_whitelist":
body.put("name", ip);
break;
}
return objectMapper.writeValueAsString(body);
} catch (Exception e) {
return "";
}
}
/**
* 手动触发封禁
*/
public Map<String, Object> manualBlock(String ip, String cmdType, int age, String reason) {
Map<String, Object> result = new HashMap<>();
try {
FirewallApiClient.FirewallResponse response;
switch (cmdType) {
case "add_blacklist":
response = firewallClient.addToBlacklist(ip, age, reason);
break;
case "del_blacklist":
response = firewallClient.removeFromBlacklist(ip);
break;
case "add_whitelist":
response = firewallClient.addToWhitelist(ip, "manual_" + ip, reason);
break;
case "del_whitelist":
response = firewallClient.removeFromWhitelist(ip);
break;
default:
result.put("success", false);
result.put("message", "未知的指令类型: " + cmdType);
return result;
}
result.put("success", response.isSuccess());
result.put("code", response.getCode());
result.put("message", response.getMessage());
} catch (Exception e) {
logger.error("手动封禁异常: ip={}, cmdType={}, error={}", ip, cmdType, e.getMessage());
result.put("success", false);
result.put("message", "执行异常: " + e.getMessage());
}
return result;
}
/**
* 批量手动封禁
*/
public Map<String, Object> batchManualBlock(List<String> ips, String cmdType, int age, String reason) {
Map<String, Object> result = new HashMap<>();
List<Map<String, String>> ipList = new ArrayList<>();
for (String ip : ips) {
Map<String, String> ipInfo = new HashMap<>();
ipInfo.put("ip", ip);
ipInfo.put("age", String.valueOf(age));
ipInfo.put("reason", reason);
ipList.add(ipInfo);
}
try {
FirewallApiClient.FirewallResponse response;
if ("add_blacklist".equals(cmdType)) {
response = firewallClient.batchAddToBlacklist(ipList);
} else if ("del_blacklist".equals(cmdType)) {
response = firewallClient.batchRemoveFromBlacklist(ips);
} else {
result.put("success", false);
result.put("message", "批量操作暂不支持此类型: " + cmdType);
return result;
}
result.put("success", response.isSuccess());
result.put("code", response.getCode());
result.put("message", response.getMessage());
} catch (Exception e) {
logger.error("批量手动封禁异常: cmdType={}, error={}", cmdType, e.getMessage());
result.put("success", false);
result.put("message", "执行异常: " + e.getMessage());
}
return result;
}
public Integer getProbeId() { return probeId; }
public void setProbeId(Integer probeId) { this.probeId = probeId; }
public boolean isInterlockingEnabled() { return interlockingEnabled; }
public void setInterlockingEnabled(boolean interlockingEnabled) { this.interlockingEnabled = interlockingEnabled; }
}