def run(self):
source_ip = self.params['SourceIP']
operator = self.params['Operator']
if not netutil.is_valid_ip(source_ip):
res = sc(code.ParamError)
raise gen.Return(res)
data_info = {}
data_info['BlockListData'] = []
data_status = {}
thread_list = []
fw_list = self.application.firewalllist if operator == 'bgp' else [
self.application.ccfirewall, operator
]
for i in fw_list:
t = MyThread(self.select_block, args=(i, source_ip))
thread_list.append(t)
for t in thread_list:
t.start()
for t in thread_list:
t.join()
for index, item in enumerate(thread_list):
data_status[fw_list[index]] = item.get_result()
for k, v in data_status.items():
data_info['BlockListData'].append({k: v})
res = sc(code.Success)
res.redata = data_info
raise gen.Return(res)
def _apply_xheaders(self, headers):
"""Rewrite the ``remote_ip`` and ``protocol`` fields."""
# 1. X-Forwarded-For: 记录一个请求从客户端出发到目标服务器过程中经历的代理或
# 者负载平衡设备的IP。最早由 Squid 的开发人员引入,现已成为事实上的标准被广泛使用。
# 一般格式为: client1, proxy1, proxy2,其中的值通过一个 “逗号+空格” 把多
# 个 IP 地址分开,最左边(client1)是最原始客户端的IP地址, 代理服务器每成功收到
# 一个请求,就把请求来源 IP 地址添加到右边(所以最后一个代理的 IP 不在该字段中,但
# 可以通过 socket.getpeername() 获取,这个 Ip 是可靠的,伪造 Ip 的是无法通过
# TCP 三次握手的)。
#
# 2. X-Real-Ip:不是标准的 Http 头,不过 Nginx 在使用。通常被 HTTP 代理用来
# 表示与它产生 TCP 连接的设备 IP,这个设备可能是其他代理,也可能是真正的请求端。
#
# 3. 经过 Nginx 的 Http 请求,X-Forwarded-For 的最后一个 Ip 与 X-Real-Ip
# 是相同的,记录的是直接与 Nginx 建立连接的端 Ip。
#
# 4. 安全问题:伪造 X-Forwarded-For 字段很容易,所以使用该字段信息时要格外注意。
# 通常 X-Forwarded-For 是最后一个IP地址是最后一个代理服务器的IP地址,这通常是一
# 个比较可靠的信息来源。
#
# Squid uses X-Forwarded-For, others use X-Real-Ip
ip = headers.get("X-Forwarded-For", self.remote_ip)
ip = ip.split(',')[-1].strip()
ip = headers.get("X-Real-Ip", ip)
if netutil.is_valid_ip(ip):
self.remote_ip = ip
# AWS uses X-Forwarded-Proto
proto_header = headers.get(
"X-Scheme", headers.get("X-Forwarded-Proto", self.protocol))
if proto_header in ("http", "https"):
self.protocol = proto_header
def __init__(self, application, request, **kwargs):
"""
Constructor
:param application:
:param request:
:param kwargs:
"""
self._redis = application.settings['redis']
self._session = application.settings['db']
self._endpoints = application.settings['endpoints']
self._handler_docs = application.settings['handler_docs']
self._handler_validators = application.settings['handler_validators']
self._custom_response_headers = application.settings['custom_response_headers']
self._permissions = application.settings['permissions']
self._thread_pool = application.settings['thread_pool']
self._url_parser = lambda x: True
self._human_route = ''
"""Expire sql alchemy inner cache when initializing BaseHandler for incoming client"""
if options.expire_on_connect:
self._session.expire_all()
super(BaseHandler, self).__init__(application, request, **kwargs)
# added support for x-forwarded-for header in tornado web logs for client ip
forwarded_ip = self.request.headers.get("X-Forwarded-For", self.request.remote_ip)
if is_valid_ip(forwarded_ip):
self.request.remote_ip = forwarded_ip
def resolve(
self,
host: str,
port: int,
family: int = 0) -> "Generator[Any, Any, List[Tuple[int, Any]]]":
if is_valid_ip(host):
addresses = [host]
else:
# gethostbyname doesn't take callback as a kwarg
fut = Future() # type: Future[Tuple[Any, Any]]
self.channel.gethostbyname(
host, family, lambda result, error: fut.set_result(
(result, error)))
result, error = yield fut
if error:
raise IOError(
"C-Ares returned error %s: %s while resolving %s" %
(error, pycares.errno.strerror(error), host))
addresses = result.addresses
addrinfo = []
for address in addresses:
if "." in address:
address_family = socket.AF_INET
elif ":" in address:
address_family = socket.AF_INET6
else:
address_family = socket.AF_UNSPEC
if family != socket.AF_UNSPEC and family != address_family:
raise IOError("Requested socket family %d but got %d" %
(family, address_family))
addrinfo.append((typing.cast(int,
address_family), (address, port)))
return addrinfo
def resolve(self, host, port, family=0):
if is_valid_ip(host):
addresses = [host]
else:
# gethostbyname doesn't take callback as a kwarg
fut = Future()
self.channel.gethostbyname(
host, family, lambda result, error: fut.set_result(
(result, error)))
result, error = yield fut
if error:
raise IOError(
'C-Ares returned error %s: %s while resolving %s' %
(error, pycares.errno.strerror(error), host))
addresses = result.addresses
addrinfo = []
for address in addresses:
if '.' in address:
address_family = socket.AF_INET
elif ':' in address:
address_family = socket.AF_INET6
else:
address_family = socket.AF_UNSPEC
if family != socket.AF_UNSPEC and family != address_family:
raise IOError('Requested socket family %d but got %d' %
(family, address_family))
addrinfo.append((address_family, (address, port)))
raise gen.Return(addrinfo)
def resolve(self, host, port, family=0):
if is_valid_ip(host):
addresses = [host]
else:
# gethostbyname doesn't take callback as a kwarg
fut = Future()
self.channel.gethostbyname(host, family,
lambda result, error: fut.set_result((result, error)))
result, error = yield fut
if error:
raise IOError('C-Ares returned error %s: %s while resolving %s' %
(error, pycares.errno.strerror(error), host))
addresses = result.addresses
addrinfo = []
for address in addresses:
if '.' in address:
address_family = socket.AF_INET
elif ':' in address:
address_family = socket.AF_INET6
else:
address_family = socket.AF_UNSPEC
if family != socket.AF_UNSPEC and family != address_family:
raise IOError('Requested socket family %d but got %d' %
(family, address_family))
addrinfo.append((address_family, (address, port)))
raise gen.Return(addrinfo)
def resolve(self, host, port, family=0):
if is_valid_ip(host):
addresses = [host]
else:
# gethostbyname doesn't take callback as a kwarg
self.channel.gethostbyname(host, family, (yield gen.Callback(1)))
callback_args = yield gen.Wait(1)
assert isinstance(callback_args, gen.Arguments)
assert not callback_args.kwargs
result, error = callback_args.args
if error:
raise IOError('C-Ares returned error %s: %s while resolving %s' %
(error, pycares.errno.strerror(error), host))
addresses = result.addresses
addrinfo = []
for address in addresses:
if '.' in address:
address_family = socket.AF_INET
elif ':' in address:
address_family = socket.AF_INET6
else:
address_family = socket.AF_UNSPEC
if family != socket.AF_UNSPEC and family != address_family:
raise IOError('Requested socket family %d but got %d' %
(family, address_family))
addrinfo.append((address_family, (address, port)))
raise gen.Return(addrinfo)
def run(self):
operator = self.params['Operator']
hostname = self.params['Hostname']
data_info = {}
if not netutil.is_valid_ip(hostname):
res = sc(code.ParamError)
res.result = res.result % hostname
raise gen.Return(res)
thread_list = []
data_status = {}
fw_list = self.application.firewalllist if operator == 'bgp' else [
self.application.ccfirewall, operator
]
for i in fw_list:
t = MyThread(self.select_ip, args=(i, hostname))
thread_list.append(t)
for t in thread_list:
t.start()
for t in thread_list:
t.join()
for index, item in enumerate(thread_list):
data_status[fw_list[index]] = item.get_result()
print(data_status)
for k, v in data_status.items():
if '白' not in v:
data_info['DescribeIPFirewallList'] = operator + ':IP不在白名单'
break
else:
data_info['DescribeIPFirewallList'] = operator + ':IP在白名单'
res = sc(code.Success)
res.redata = data_info
raise gen.Return(res)
def __init__(self, method, uri, version="HTTP/1.0", headers=None,
body=None, remote_ip=None, protocol=None, host=None,
files=None, connection=None):
self.method = method
self.uri = uri
self.version = version
self.headers = headers or httputil.HTTPHeaders()
self.body = body or ""
self.trace = None
# set remote IP and protocol
self.remote_ip = remote_ip
if protocol:
self.protocol = protocol
elif connection and isinstance(connection.stream,
iostream.SSLIOStream):
self.protocol = "https"
else:
self.protocol = "http"
# xheaders can override the defaults
if connection and connection.xheaders:
# Squid uses X-Forwarded-For, others use X-Real-Ip
ip = self.headers.get("X-Forwarded-For", self.remote_ip)
ip = ip.split(',')[-1].strip()
ip = self.headers.get(
"X-Real-Ip", ip)
if netutil.is_valid_ip(ip):
self.remote_ip = ip
# AWS uses X-Forwarded-Proto
proto = self.headers.get(
"X-Scheme", self.headers.get("X-Forwarded-Proto", self.protocol))
if proto in ("http", "https"):
self.protocol = proto
# Zipkin users
if options.server_trace:
parent_span_id = self.headers.get("X-B3-ParentSpanId", None)
trace_id = self.headers.get("X-B3-TraceId", None)
span_id = self.headers.get("X-B3-SpanId", None)
name = method
endpoint = Endpoint(ipv4=socket.gethostbyname(socket.gethostname()), port=port, service_name=service_name)
self.trace = Trace(name=name, trace_id=trace_id, span_id=span_id, parent_span_id=parent_span_id)
self.trace.set_endpoint(endpoint)
self.host = host or self.headers.get("Host") or "127.0.0.1"
self.files = files or {}
self.connection = connection
self._start_time = time.time()
self._finish_time = None
self.path, sep, self.query = uri.partition('?')
self.arguments = parse_qs_bytes(self.query, keep_blank_values=True)
self.query_arguments = copy.deepcopy(self.arguments)
self.body_arguments = {}
if options.server_trace:
self.trace.record(Annotation.string('Url', uri))
self.trace.record(Annotation.string('Header', self.headers))
self.trace.record(Annotation.server_recv())
def _apply_xheaders(self, headers):
"""Rewrite the ``remote_ip`` and ``protocol`` fields."""
# 1. X-Forwarded-For: 记录一个请求从客户端出发到目标服务器过程中经历的代理或
# 者负载平衡设备的IP。最早由 Squid 的开发人员引入,现已成为事实上的标准被广泛使用。
# 一般格式为: client1, proxy1, proxy2,其中的值通过一个 “逗号+空格” 把多
# 个 IP 地址分开,最左边(client1)是最原始客户端的IP地址, 代理服务器每成功收到
# 一个请求,就把请求来源 IP 地址添加到右边(所以最后一个代理的 IP 不在该字段中,但
# 可以通过 socket.getpeername() 获取,这个 Ip 是可靠的,伪造 Ip 的是无法通过
# TCP 三次握手的)。
#
# 2. X-Real-Ip:不是标准的 Http 头,不过 Nginx 在使用。通常被 HTTP 代理用来
# 表示与它产生 TCP 连接的设备 IP,这个设备可能是其他代理,也可能是真正的请求端。
#
# 3. 经过 Nginx 的 Http 请求,X-Forwarded-For 的最后一个 Ip 与 X-Real-Ip
# 是相同的,记录的是直接与 Nginx 建立连接的端 Ip。
#
# 4. 安全问题:伪造 X-Forwarded-For 字段很容易,所以使用该字段信息时要格外注意。
# 通常 X-Forwarded-For 是最后一个IP地址是最后一个代理服务器的IP地址,这通常是一
# 个比较可靠的信息来源。
#
# Squid uses X-Forwarded-For, others use X-Real-Ip
ip = headers.get("X-Forwarded-For", self.remote_ip)
ip = ip.split(",")[-1].strip()
ip = headers.get("X-Real-Ip", ip)
if netutil.is_valid_ip(ip):
self.remote_ip = ip
# AWS uses X-Forwarded-Proto
proto_header = headers.get("X-Scheme", headers.get("X-Forwarded-Proto", self.protocol))
if proto_header in ("http", "https"):
self.protocol = proto_header
def resolve(self, host, port, family=0, callback=None):
if is_valid_ip(host):
addresses = [host]
else:
# gethostbyname doesn't take callback as a kwarg
self.channel.gethostbyname(host, family, (yield gen.Callback(1)))
callback_args = yield gen.Wait(1)
assert isinstance(callback_args, gen.Arguments)
assert not callback_args.kwargs
result, error = callback_args.args
if error:
raise Exception('C-Ares returned error %s: %s while resolving %s' %
(error, pycares.errno.strerror(error), host))
addresses = result.addresses
addrinfo = []
for address in addresses:
if '.' in address:
address_family = socket.AF_INET
elif ':' in address:
address_family = socket.AF_INET6
else:
address_family = socket.AF_UNSPEC
if family != socket.AF_UNSPEC and family != address_family:
raise Exception('Requested socket family %d but got %d' %
(family, address_family))
addrinfo.append((address_family, (address, port)))
callback(addrinfo)
def test_is_valid_ip(self):
self.assertTrue(is_valid_ip('127.0.0.1'))
self.assertTrue(is_valid_ip('4.4.4.4'))
self.assertTrue(is_valid_ip('::1'))
self.assertTrue(is_valid_ip('2620:0:1cfe:face:b00c::3'))
self.assertTrue(not is_valid_ip('www.google.com'))
self.assertTrue(not is_valid_ip('localhost'))
self.assertTrue(not is_valid_ip('4.4.4.4<'))
self.assertTrue(not is_valid_ip(' 127.0.0.1'))
def test_is_valid_ip(self):
self.assertTrue(is_valid_ip('127.0.0.1'))
self.assertTrue(is_valid_ip('4.4.4.4'))
self.assertTrue(is_valid_ip('::1'))
self.assertTrue(is_valid_ip('2620:0:1cfe:face:b00c::3'))
self.assertTrue(not is_valid_ip('www.google.com'))
self.assertTrue(not is_valid_ip('localhost'))
self.assertTrue(not is_valid_ip('4.4.4.4<'))
self.assertTrue(not is_valid_ip(' 127.0.0.1'))
def delete_white_list(operator, hostname):
zhifirewalllist = ['ctc', 'cmcc']
firewall = ZhiFirewall(
operator) if operator in zhifirewalllist else Firewall(operator)
if netutil.is_valid_ip(hostname) is True:
return firewall.del_white_list(hostname)
else:
return firewall.del_domain_name(hostname)
def run(self):
source_ip = self.params['SourceIP']
remote_ip = self.params['RemoteIP']
operator = self.params['Operator']
user_org = self.params['AccessKeyId']
user_end = self.params[
'IPUserID'] if 'IPUserID' in self.params else None
ts = self.application.ts_begin
if not (netutil.is_valid_ip(source_ip)
and netutil.is_valid_ip(remote_ip)):
res = sc(code.ParamError)
raise gen.Return(res)
data_info = {}
data_info['ResetBlockIPData'] = []
data_status = {}
thread_list = []
condition = 0
fw_list = self.application.firewalllist if operator == 'bgp' else [
self.application.ccfirewall, operator
]
for i in fw_list:
t = MyThread(self.reset_block, args=(i, source_ip))
thread_list.append(t)
for t in thread_list:
t.start()
for t in thread_list:
t.join()
for index, item in enumerate(thread_list):
data_status[fw_list[index]] = item.get_result()
for k, v in data_status.items():
if v != 200:
condition = ''
if isinstance(condition, int):
data_info['ResetBlockIPData'] = operator + ':屏蔽列表已重置'
res = sc(code.Success)
res.redata = data_info
else:
res = sc(code.ChangeFail)
res.result = res.result % {operator + ':屏蔽列表重置失败'}
raise gen.Return(res)
def _apply_xheaders(self, headers):
"""Rewrite the ``remote_ip`` and ``protocol`` fields."""
# Squid uses X-Forwarded-For, others use X-Real-Ip
ip = headers.get("X-Forwarded-For", self.remote_ip)
ip = ip.split(",")[-1].strip()
ip = headers.get("X-Real-Ip", ip)
if netutil.is_valid_ip(ip):
self.remote_ip = ip
# AWS uses X-Forwarded-Proto
proto_header = headers.get("X-Scheme", headers.get("X-Forwarded-Proto", self.protocol))
if proto_header in ("http", "https"):
self.protocol = proto_header
def __init__(self,
method,
uri,
version="HTTP/1.0",
headers=None,
body=None,
remote_ip=None,
protocol=None,
host=None,
files=None,
connection=None):
self.method = method
self.uri = uri
self.version = version
self.headers = headers or httputil.HTTPHeaders()
self.body = body or ""
# set remote IP and protocol
self.remote_ip = remote_ip
if protocol:
self.protocol = protocol
elif connection and isinstance(connection.stream,
iostream.SSLIOStream):
self.protocol = "https"
else:
self.protocol = "http"
# xheaders can override the defaults
if connection and connection.xheaders:
# Squid uses X-Forwarded-For, others use X-Real-Ip
ip = self.headers.get("X-Forwarded-For", self.remote_ip)
ip = ip.split(',')[-1].strip()
ip = self.headers.get("X-Real-Ip", ip)
if netutil.is_valid_ip(ip):
self.remote_ip = ip
# AWS uses X-Forwarded-Proto
proto = self.headers.get(
"X-Scheme", self.headers.get("X-Forwarded-Proto",
self.protocol))
if proto in ("http", "https"):
self.protocol = proto
self.host = host or self.headers.get("Host") or "127.0.0.1"
self.files = files or {}
self.connection = connection
self._start_time = time.time()
self._finish_time = None
self.path, sep, self.query = uri.partition('?')
self.arguments = parse_qs_bytes(self.query, keep_blank_values=True)
self.query_arguments = copy.deepcopy(self.arguments)
self.body_arguments = {}
def _apply_xheaders(self, headers):
"""Rewrite the ``remote_ip`` and ``protocol`` fields."""
# Squid uses X-Forwarded-For, others use X-Real-Ip
ip = headers.get("X-Forwarded-For", self.remote_ip)
ip = ip.split(',')[-1].strip()
ip = headers.get("X-Real-Ip", ip)
if netutil.is_valid_ip(ip):
self.remote_ip = ip
# AWS uses X-Forwarded-Proto
proto_header = headers.get(
"X-Scheme", headers.get("X-Forwarded-Proto", self.protocol))
if proto_header in ("http", "https"):
self.protocol = proto_header
def __init__(
self,
method,
uri,
version="HTTP/1.0",
headers=None,
body=None,
remote_ip=None,
protocol=None,
host=None,
files=None,
connection=None,
):
self.method = method
self.uri = uri
self.version = version
self.headers = headers or httputil.HTTPHeaders()
self.body = body or ""
# set remote IP and protocol
self.remote_ip = remote_ip
if protocol:
self.protocol = protocol
elif connection and isinstance(connection.stream, iostream.SSLIOStream):
self.protocol = "https"
else:
self.protocol = "http"
# xheaders can override the defaults
if connection and connection.xheaders:
# Squid uses X-Forwarded-For, others use X-Real-Ip
ip = self.headers.get("X-Forwarded-For", self.remote_ip)
ip = ip.split(",")[-1].strip()
ip = self.headers.get("X-Real-Ip", ip)
if netutil.is_valid_ip(ip):
self.remote_ip = ip
# AWS uses X-Forwarded-Proto
proto = self.headers.get("X-Scheme", self.headers.get("X-Forwarded-Proto", self.protocol))
if proto in ("http", "https"):
self.protocol = proto
self.host = host or self.headers.get("Host") or "127.0.0.1"
self.files = files or {}
self.connection = connection
self._start_time = time.time()
self._finish_time = None
self.path, sep, self.query = uri.partition("?")
self.arguments = parse_qs_bytes(self.query, keep_blank_values=True)
self.query_arguments = copy.deepcopy(self.arguments)
self.body_arguments = {}
def whois_query(self, name, server):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
stream = iostream.IOStream(sock)
logging.debug("Requesting {} whois for {}".format(server, name))
if self.resolver and not netutil.is_valid_ip(server):
server = yield self._get_ip_by_name(server)
yield stream.connect((server, self.whois_port))
yield stream.write("{}\r\n".format(name))
data = yield stream.read_until_close()
raise gen.Return(data)
def __init__(self, method, uri, version="HTTP/1.0", headers=None,
body=None, remote_ip=None, protocol=None, host=None,
files=None, connection=None):
# 简单提一下 HTTPRequest。它是【客户端请求的代表】,它携带了所有和客户端请求的信息,
# 因为 application 的回调__call__方法【只】接收 request 参数,
# 当然是把所有信息包在其中。另外,由于服务器只把 request 对象暴露给 application 的回调,
# 因此request 对象还需要提供 write,finish 方法来提供服务,
# 其实就是对 HTTPConnection 对象的【封装调用】。其它也没什么了。
self.method = method
self.uri = uri
self.version = version
self.headers = headers or httputil.HTTPHeaders()
self.body = body or ""
# set remote IP and protocol
self.remote_ip = remote_ip
if protocol:
self.protocol = protocol
elif connection and isinstance(connection.stream,
iostream.SSLIOStream):
self.protocol = "https"
else:
self.protocol = "http"
# xheaders can override the defaults
if connection and connection.xheaders:
# Squid uses X-Forwarded-For, others use X-Real-Ip
ip = self.headers.get("X-Forwarded-For", self.remote_ip)
ip = ip.split(',')[-1].strip()
ip = self.headers.get(
"X-Real-Ip", ip)
if netutil.is_valid_ip(ip):
self.remote_ip = ip
# AWS uses X-Forwarded-Proto
proto = self.headers.get(
"X-Scheme", self.headers.get("X-Forwarded-Proto", self.protocol))
if proto in ("http", "https"):
self.protocol = proto
self.host = host or self.headers.get("Host") or "127.0.0.1"
self.files = files or {}
self.connection = connection
self._start_time = time.time()
self._finish_time = None
self.path, sep, self.query = uri.partition('?')
self.arguments = parse_qs_bytes(self.query, keep_blank_values=True)
def _apply_xheaders(self, headers):
"""Rewrite the ``remote_ip`` and ``protocol`` fields."""
# Squid uses X-Forwarded-For, others use X-Real-Ip
ip = headers.get("X-Forwarded-For", self.remote_ip)
# Skip trusted downstream hosts in X-Forwarded-For list
for ip in (cand.strip() for cand in reversed(ip.split(','))):
if ip not in self.trusted_downstream:
break
ip = headers.get("X-Real-Ip", ip)
if netutil.is_valid_ip(ip):
self.remote_ip = ip
# AWS uses X-Forwarded-Proto
proto_header = headers.get(
"X-Scheme", headers.get("X-Forwarded-Proto", self.protocol))
if proto_header in ("http", "https"):
self.protocol = proto_header
def checkIP(self):
k = 'IP'
ip_r = []
if k in self.params:
v = self.get_argument(k)
for ip in v.split(','):
if netutil.is_valid_ip(ip):
ip_r.append(ip)
if ip_r:
return True
else:
res = sc(code.ParamError)
res.result = res.result % v
return res
else:
return True
def _apply_xheaders(self, headers):
"""Rewrite the ``remote_ip`` and ``protocol`` fields."""
# Squid uses X-Forwarded-For, others use X-Real-Ip
ip = headers.get("X-Forwarded-For", self.remote_ip)
# Skip trusted downstream hosts in X-Forwarded-For list
for ip in (cand.strip() for cand in reversed(ip.split(','))):
if ip not in self.trusted_downstream:
break
ip = headers.get("X-Real-Ip", ip)
if netutil.is_valid_ip(ip):
self.remote_ip = ip
# AWS uses X-Forwarded-Proto
proto_header = headers.get(
"X-Scheme", headers.get("X-Forwarded-Proto",
self.protocol))
if proto_header in ("http", "https"):
self.protocol = proto_header
def remote_ip(self):
"""We don't use Tornado ``HTTPServerRequest.remote_ip`` directly, cause
this value depend on ``HTTPServer.xheaders`` setting. Gunicorn recent
change (http://docs.gunicorn.org/en/latest/news.html#tornado-worker)
make us cannot set this setting. So we first get remote IP from header.
"""
# get remote IP from XFF hdr, fallback to request.remote_ip
remote_ip = self.request.headers.get("X-Forwarded-For",
self.request.remote_ip)
remote_ip = remote_ip.split(',')[0].strip()
# prefer to get remote IP from X-Real-IP hdr, fallback to XFF IP
remote_ip = self.request.headers.get("X-Real-Ip", remote_ip)
remote_ip = remote_ip.split(',')[0].strip()
if is_valid_ip(remote_ip):
return remote_ip
return self.request.remote_ip
def _apply_xheaders(self, headers: httputil.HTTPHeaders) -> None:
"""Rewrite the ``remote_ip`` and ``protocol`` fields."""
# Squid uses X-Forwarded-For, others use X-Real-Ip
ip = headers.get("X-Forwarded-For", self.remote_ip)
# Skip trusted downstream hosts in X-Forwarded-For list
for ip in (cand.strip() for cand in reversed(ip.split(","))):
if ip not in self.trusted_downstream:
break
ip = headers.get("X-Real-Ip", ip)
if netutil.is_valid_ip(ip):
self.remote_ip = ip
# AWS uses X-Forwarded-Proto
proto_header = headers.get(
"X-Scheme", headers.get("X-Forwarded-Proto", self.protocol))
if proto_header:
# use only the last proto entry if there is more than one
# TODO: support trusting mutiple layers of proxied protocol
proto_header = proto_header.split(",")[-1].strip()
if proto_header in ("http", "https"):
self.protocol = proto_header
def _apply_xheaders(self, headers):
"""Rewrite the ``remote_ip`` and ``protocol`` fields."""
# Squid uses X-Forwarded-For, others use X-Real-Ip
ip = headers.get("X-Forwarded-For", self.remote_ip)
# Skip trusted downstream hosts in X-Forwarded-For list
for ip in (cand.strip() for cand in reversed(ip.split(','))):
if ip not in self.trusted_downstream:
break
ip = headers.get("X-Real-Ip", ip)
if netutil.is_valid_ip(ip):
self.remote_ip = ip
# AWS uses X-Forwarded-Proto
proto_header = headers.get(
"X-Scheme", headers.get("X-Forwarded-Proto",
self.protocol))
if proto_header:
# use only the last proto entry if there is more than one
# TODO: support trusting mutiple layers of proxied protocol
proto_header = proto_header.split(',')[-1].strip()
if proto_header in ("http", "https"):
self.protocol = proto_header
def get_real_client_addr(self, xffirst=False):
ip = self.request.remote_ip
if ip == self.request.headers.get('X-Real-Ip'):
port = self.request.headers.get('X-Real-Port')
else:
ips = self.request.headers.get('X-Forwarded-For', '')
if not ips:
return
if not xffirst:
if ip not in ips:
return
else:
ip = ips.split(',')[0].strip()
if not netutil.is_valid_ip(ip):
return
port = self.request.headers.get('X-Forwarded-Port')
port = to_int(port)
if port is None or not is_valid_port(port):
# fake port
port = 65535
return (ip, port)
def run(self):
ts = self.application.ts_begin
ip = self.params['IP']
user_org = self.params['AccessKeyId']
user_end = self.params[
'IPUserID'] if 'IPUserID' in self.params else None
configs = urllib.parse.unquote(self.params['Configs'])
self.application.logger.info(self.params['Configs'])
self.application.logger.info(configs)
if len(ip.split(',')) > 1:
res = sc(code.ParamError)
raise gen.Return(res)
configs_dict = eval(configs)
serialuuid = 'SLBSevenLayer-' + str(uuid.uuid1())
seven_layer_info = {}
seven_layer_info['uuid'] = serialuuid
seven_layer_info['ip'] = self.makeinet(ip)
seven_layer_info['configtype'] = 'New'
# parames['Configs'] = urllib.unquote(parames['Configs'])
seven_layer_info['cts'] = ts
seven_layer_info['uts'] = ts
for config in configs_dict:
try:
a_type = config['Type']
domain = config['Domain']
cname = config['Cname'] if 'Cname' in config else ''
protocol = config['Protocol']
port = config['Port']
publickey = config['PublicKey'] if 'PublicKey' in config else ''
privatekey = config[
'PrivateKey'] if 'PrivateKey' in config else ''
sourceips = config['SourceIPs']
seven_layer_info['types'] = a_type
seven_layer_info['domains'] = domain
seven_layer_info['cname'] = cname
seven_layer_info['protocol'] = protocol
seven_layer_info['port'] = port
seven_layer_info['publickey'] = publickey
seven_layer_info['privatekey'] = privatekey
seven_layer_info['sourceips'] = sourceips
except Exception as e:
self.application.logger.info(e)
res = sc(code.ParamError)
res.result = res.result % config
raise gen.Return(res)
# check config
if a_type not in ['Site', 'App']:
res = sc(code.ParamError)
res.result = res.result % a_type
raise gen.Return(res)
if protocol not in ['HTTP', 'HTTPS']:
res = sc(code.ParamError)
res.result = res.result % protocol
raise gen.Return(res)
try:
int(port)
if not re.match('^\d{1,5}$', port):
res = sc(code.ParamError)
res.result = res.result % port
raise gen.Return(res)
if int(port) < 0 or int(port) > 65536:
res = sc(code.ParamError)
res.result = res.result % port
raise gen.Return(res)
except Exception as e:
self.application.logger.info(e)
res = sc(code.ParamError)
res.result = res.result % port
raise gen.Return(res)
sourceips_check = re.findall(r'\d+.\d+.\d+.\d+',
str(sourceips.split(",")))
for i in sourceips_check:
if not netutil.is_valid_ip(i):
res = sc(code.ParamError)
res.result = res.result % sourceips
raise gen.Return(res)
sql = "SELECT COUNT(0) FROM t_slb_seven_layer WHERE ip=%s AND domains=%s AND port=%s AND configtype in ('New','Mod')"
duplicate = self.application.dbcur.queryone(
sql, (
ip,
domain,
port,
))[0]
if duplicate:
res = sc(code.SLBConfDuplicate)
res.result = res.result % (ip + ':' + port)
raise gen.Return(res)
if protocol == 'HTTP':
nginx_conf_lines = 'upstream ' + domain + ' {\n'
default_port = '80'
else:
nginx_conf_lines = 'upstream ' + domain + '_443 {\n'
default_port = '443'
try:
for sourceip in sourceips.split(','):
if re.findall(':', sourceip):
sourceip_ip, sourceip_port = sourceip.split(':')
int(sourceip_port)
if not re.match('^\d{1,5}$', sourceip_port):
res = sc(code.ParamError)
res.result = res.result % sourceip_port
raise gen.Return(res)
if int(sourceip_port) < 0 or int(
sourceip_port) > 65536:
res = sc(code.ParamError)
res.result = res.result % sourceip_port
raise gen.Return(res)
else:
sourceip = sourceip + ':' + default_port
nginx_conf_lines += '\tserver ' + sourceip + ';\n'
nginx_conf_lines += '}\n'
except Exception as e:
res = sc(code.ParamError)
res.result = res.result % sourceips
raise gen.Return(res)
data = self.application.dbcur.queryall_dict(
'select name,value,type,idx from t_sys_parameter')
sys_parameter = {
ret['name'] + ret['idx']: {
ret['idx']: ret['value']
}
for ret in data
}
remoteser = RemoteOper(hostname=ip)
res = remoteser.init_remote()
if isinstance(res, sc):
raise gen.Return(res)
if platform.system() == 'Windows':
with open(
'C:\Temp' + str(uuid.uuid1()) + str(ip) + str(port) +
'.conf', 'w') as nginx_file:
nginx_file.write(nginx_conf_lines)
else:
with open(
'/tmp/' + str(uuid.uuid1()) + str(ip) + str(port) +
'.conf', 'w') as nginx_file:
nginx_file.write(nginx_conf_lines)
if protocol == 'HTTP':
REMOTE_FILE = os.path.join(
sys_parameter['SLBConfigWrokDir' + 'HTTP']['HTTP'],
str(domain) + '.conf')
else:
REMOTE_FILE = os.path.join(
sys_parameter['SLBConfigWrokDir' + 'HTTP']['HTTP'],
str(domain) + '_443.conf')
res = remoteser.put_file(nginx_file.name, REMOTE_FILE)
os.remove(nginx_file.name) if os.path.isfile(nginx_file.name) else None
if isinstance(res, sc):
raise gen.Return(res)
seven_layer_info['cfgfile'] = REMOTE_FILE
# check nginx conf file
stdin, stdout, stderr = remoteser.exec_cmd(
sys_parameter['SLBNginxCMD' + 'HTTP']['HTTP'] + ' -t -c ' +
sys_parameter['SLBConfigMainConfig' + 'HTTP']['HTTP'])
execret = stdout.readlines() + stderr.readlines()
# with open('C:\Temp\seven.log', 'w') as seven:
with open('/tmp/seven.log', 'w') as seven:
seven.write(str(ts) + '\r\n')
seven.write(str(stdin) + '\r\n')
seven.write(str(nginx_file) + '\r\n')
seven.write(str(execret) + '\r\n')
remoteser.put_file(seven.name, '/logs/nginx/new_seven.log')
remoteser.exec_cmd(
'cat /logs/nginx/new_seven.log >> /logs/nginx/seven.log')
os.remove(seven.name) if os.path.isfile(seven.name) else None
if not [x for x in execret if 'successful' in x]:
res = sc(code.SLBConfCheckFaile)
res.result = res.result % (str(execret) + ip)
remoteser.file.remove(REMOTE_FILE)
return res
# https key files
if protocol == 'HTTPS':
httpspublickey = sys_parameter['HTTPSPublicKey' +
'Default']['Default']
httpsprivatekey = sys_parameter['HTTPSPrivateKey' +
'Default']['Default']
if platform.system() == 'Windows':
with open(
'C:\Temp' + str(uuid.uuid1()) + str(ip) + str(port) +
'.conf', 'w') as httpspublickeyfile:
httpspublickeyfile.write(publickey)
with open(
'C:\Temp' + str(uuid.uuid1()) + str(ip) + str(port) +
'.conf', 'w') as httpsprivatekeyfile:
httpsprivatekeyfile.write(privatekey)
elif platform.system() == 'Linux':
with open(
'/tmp/' + str(uuid.uuid1()) + str(ip) + str(port) +
'.conf', 'w') as httpspublickeyfile:
httpspublickeyfile.write(publickey)
with open(
'/tmp/' + str(uuid.uuid1()) + str(ip) + str(port) +
'.conf', 'w') as httpsprivatekeyfile:
httpsprivatekeyfile.write(privatekey)
res = remoteser.put_file(httpspublickeyfile.name, httpspublickey)
os.remove(httpspublickeyfile.name) if os.path.isfile(
httpspublickeyfile.name) else None
if isinstance(res, sc):
raise gen.Return(res)
res = remoteser.put_file(httpsprivatekeyfile.name, httpsprivatekey)
os.remove(httpsprivatekeyfile.name) if os.path.isfile(
httpsprivatekeyfile.name) else None
if isinstance(res, sc):
raise gen.Return(res)
# restart|reload nginx
stdin, stdout, stderr = remoteser.exec_cmd(
sys_parameter['SLBNginxRESTART' + 'HTTP']['HTTP'])
execret = stdout.readlines() + stderr.readlines()
# with open('C:\Temp\seven.log', 'w') as seven:
with open('/tmp/new_seven.log', 'w') as seven:
seven.write(str(ts) + '\r\n')
seven.write(str(stdin) + '\r\n')
seven.write(str(execret) + '\r\n')
remoteser.put_file(seven.name, '/logs/nginx/new_seven.log')
remoteser.exec_cmd(
'cat /logs/nginx/new_seven.log >> /logs/nginx/seven.log')
os.remove(seven.name) if os.path.isfile(seven.name) else None
self.application.dbcur.insert_dict('t_slb_seven_layer',
seven_layer_info)
data_info = {}
data_info['SevenLayerAntiConfigInfo'] = {'UUID': str(serialuuid)}
res = sc(code.Success)
res.result = 'Success'
res.redata = data_info
raise gen.Return(res)
async def run(self) -> None:
try:
self.parsed = urllib.parse.urlsplit(_unicode(self.request.url))
if self.parsed.scheme not in ("http", "https"):
raise ValueError("Unsupported url scheme: %s" %
self.request.url)
# urlsplit results have hostname and port results, but they
# didn't support ipv6 literals until python 2.7.
netloc = self.parsed.netloc
if "@" in netloc:
userpass, _, netloc = netloc.rpartition("@")
host, port = httputil.split_host_and_port(netloc)
if port is None:
port = 443 if self.parsed.scheme == "https" else 80
if re.match(r"^\[.*\]$", host):
# raw ipv6 addresses in urls are enclosed in brackets
host = host[1:-1]
self.parsed_hostname = host # save final host for _on_connect
if self.request.allow_ipv6 is False:
af = socket.AF_INET
else:
af = socket.AF_UNSPEC
ssl_options = self._get_ssl_options(self.parsed.scheme)
source_ip = None
if self.request.network_interface:
if is_valid_ip(self.request.network_interface):
source_ip = self.request.network_interface
else:
raise ValueError(
"Unrecognized IPv4 or IPv6 address for network_interface, got %r"
% (self.request.network_interface, ))
timeout = min(self.request.connect_timeout,
self.request.request_timeout)
if timeout:
self._timeout = self.io_loop.add_timeout(
self.start_time + timeout,
functools.partial(self._on_timeout, "while connecting"),
)
stream = await self.tcp_client.connect(
host,
port,
af=af,
ssl_options=ssl_options,
max_buffer_size=self.max_buffer_size,
source_ip=source_ip,
)
if self.final_callback is None:
# final_callback is cleared if we've hit our timeout.
stream.close()
return
self.stream = stream
self.stream.set_close_callback(self.on_connection_close)
self._remove_timeout()
if self.final_callback is None:
return
if self.request.request_timeout:
self._timeout = self.io_loop.add_timeout(
self.start_time + self.request.request_timeout,
functools.partial(self._on_timeout, "during request"),
)
if (self.request.method not in self._SUPPORTED_METHODS
and not self.request.allow_nonstandard_methods):
raise KeyError("unknown method %s" % self.request.method)
for key in (
"proxy_host",
"proxy_port",
"proxy_username",
"proxy_password",
"proxy_auth_mode",
):
if getattr(self.request, key, None):
raise NotImplementedError("%s not supported" % key)
if "Connection" not in self.request.headers:
self.request.headers["Connection"] = "close"
if "Host" not in self.request.headers:
if "@" in self.parsed.netloc:
self.request.headers[
"Host"] = self.parsed.netloc.rpartition("@")[-1]
else:
self.request.headers["Host"] = self.parsed.netloc
username, password = None, None
if self.parsed.username is not None:
username, password = self.parsed.username, self.parsed.password
elif self.request.auth_username is not None:
username = self.request.auth_username
password = self.request.auth_password or ""
if username is not None:
assert password is not None
if self.request.auth_mode not in (None, "basic"):
raise ValueError("unsupported auth_mode %s",
self.request.auth_mode)
self.request.headers[
"Authorization"] = "Basic " + _unicode(
base64.b64encode(
httputil.encode_username_password(
username, password)))
if self.request.user_agent:
self.request.headers[
"User-Agent"] = self.request.user_agent
if not self.request.allow_nonstandard_methods:
# Some HTTP methods nearly always have bodies while others
# almost never do. Fail in this case unless the user has
# opted out of sanity checks with allow_nonstandard_methods.
body_expected = self.request.method in ("POST", "PATCH",
"PUT")
body_present = (self.request.body is not None
or self.request.body_producer is not None)
if (body_expected
and not body_present) or (body_present
and not body_expected):
raise ValueError(
"Body must %sbe None for method %s (unless "
"allow_nonstandard_methods is true)" %
("not " if body_expected else "",
self.request.method))
if self.request.expect_100_continue:
self.request.headers["Expect"] = "100-continue"
if self.request.body is not None:
# When body_producer is used the caller is responsible for
# setting Content-Length (or else chunked encoding will be used).
self.request.headers["Content-Length"] = str(
len(self.request.body))
if (self.request.method == "POST"
and "Content-Type" not in self.request.headers):
self.request.headers[
"Content-Type"] = "application/x-www-form-urlencoded"
if self.request.decompress_response:
self.request.headers["Accept-Encoding"] = "gzip"
req_path = (self.parsed.path or "/") + (
("?" + self.parsed.query) if self.parsed.query else "")
self.connection = self._create_connection(stream)
start_line = httputil.RequestStartLine(self.request.method,
req_path, "")
self.connection.write_headers(start_line, self.request.headers)
if self.request.expect_100_continue:
await self.connection.read_response(self)
else:
await self._write_body(True)
except Exception:
if not self._handle_exception(*sys.exc_info()):
raise
def validate_ip(cls, ip_address):
''' Checks the format of the string to confirm its a valid IPv4 or v6 address '''
if netutil.is_valid_ip(ip_address):
return ip_address
else:
raise ValueError("Invalid IP Address: '%s'" % str(ip_address))
def run(self):
operator = self.params['Operator']
hostname = self.params['Hostname']
user_org = self.params['AccessKeyId']
user_end = self.params['IPUserID']
ip = self.params['IP'] if 'IP' in self.params else None
package_id = self.params['PackageID'] if 'PackageID' in self.params else None
ts = self.application.ts_begin
sql = "select user_org,user_end,ip,package_protect_id,status from t_firewall WHERE hostname=%s and status>0"
data_add = self.application.dbcur.queryall_dict(sql, (hostname,))
if not netutil.is_valid_ip(hostname):
res = sc(code.ParamError)
res.result = res.result % hostname
raise gen.Return(res)
if ip is None and package_id is None:
res = sc(code.ParamError)
res.result = res.result % 'IP与包ID至少择一提交'
raise gen.Return(res)
num_sql = "SELECT count(1) FROM t_firewall WHERE user_end=%s AND types=1 AND status>0 "
if ip is None:
num_sql = num_sql + "AND package_protect_id=%s;"
num_data = self.application.dbcur.queryall_dict(num_sql, (user_end, package_id,))
elif package_id is None:
num_sql = num_sql + "AND ip=%s;"
num_data = self.application.dbcur.queryall_dict(num_sql, (user_end, ip,))
else:
num_sql = num_sql + "AND ip=%s AND package_protect_id=%s;"
num_data = self.application.dbcur.queryall_dict(num_sql, (user_end, ip, package_id,))
if num_data[0]['count'] > self.application.wlmaxvalue[0]:
res = sc(code.MaxWhiteList)
raise gen.Return(res)
data_info = {}
data_status = {}
thread_list = []
status_num = 0
user_dict = {'user_org': user_org, 'user_end': user_end, 'ip': ip, 'package_protect_id': package_id}
condition = 0
fw_list = self.application.firewalllist if operator == 'bgp' else [self.application.ccfirewall, operator]
for i in fw_list:
firewall = ZhiFirewall(i) if i in self.application.zhifirewalllist else Firewall(i)
condition += 2 ** firewall.number
if len(data_add) != 0:
if condition != data_add[0]['status']:
res = sc(code.ParamError)
res.result = res.result % operator
raise gen.Return(res)
for i in fw_list:
t = MyThread(self.add_ip, args=(i, hostname, data_add, user_dict))
thread_list.append(t)
for t in thread_list:
t.start()
for t in thread_list:
t.join()
for index, item in enumerate(thread_list):
data_status[fw_list[index]] = item.get_result()
for k, v in data_status.items():
if '添加至' in v:
firewall = ZhiFirewall(k) if k in self.application.zhifirewalllist else Firewall(k)
status_num = status_num ^ 2**firewall.number
sql = "select user_org,user_end,ip,package_protect_id from t_firewall WHERE hostname=%s"
data = self.application.dbcur.queryall_dict(sql, (hostname,))
if user_dict in data:
if ip is None:
update_sql = 'UPDATE t_firewall SET status=%s, updatedt=%s WHERE user_org=%s AND user_end=%s AND hostname=%s AND ip IS NULL AND package_protect_id=%s'
self.application.dbcur.execute(update_sql,
(status_num, ts, user_org, user_end, hostname, package_id,))
elif package_id is None:
update_sql = 'UPDATE t_firewall SET status=%s, updatedt=%s WHERE user_org=%s AND user_end=%s AND hostname=%s AND ip=%s AND package_protect_id IS NULL'
self.application.dbcur.execute(update_sql, (status_num, ts, user_org, user_end, hostname, ip,))
else:
update_sql = 'UPDATE t_firewall SET status=%s, updatedt=%s WHERE user_org=%s AND user_end=%s AND hostname=%s AND ip=%s AND package_protect_id=%s'
self.application.dbcur.execute(update_sql,
(status_num, ts, user_org, user_end, hostname, ip, package_id,))
else:
white_info = {'user_org': user_org, 'user_end': user_end, 'ip': ip,
'package_protect_id': package_id, 'hostname': hostname, 'types': 1,
'status': status_num, 'createdt': ts}
self.application.dbcur.insert_dict('t_firewall', white_info)
else:
condition = ''
if isinstance(condition, int):
data_info['AddIPWhiteList'] = operator + ':IP添加至白名单'
res = sc(code.Success)
res.redata = data_info
else:
res = sc(code.ChangeFail)
res.result = res.result % {operator + ':此IP已被他人配置'}
raise gen.Return(res)
def test_is_valid_ip(self):
self.assertTrue(is_valid_ip("127.0.0.1"))
self.assertTrue(is_valid_ip("4.4.4.4"))
self.assertTrue(is_valid_ip("::1"))
self.assertTrue(is_valid_ip("2620:0:1cfe:face:b00c::3"))
self.assertTrue(not is_valid_ip("www.google.com"))
self.assertTrue(not is_valid_ip("localhost"))
self.assertTrue(not is_valid_ip("4.4.4.4<"))
self.assertTrue(not is_valid_ip(" 127.0.0.1"))
self.assertTrue(not is_valid_ip(""))
self.assertTrue(not is_valid_ip(" "))
self.assertTrue(not is_valid_ip("\n"))
self.assertTrue(not is_valid_ip("\x00"))
async def run(self) -> None:
try:
self.parsed = urllib.parse.urlsplit(_unicode(self.request.url))
if self.parsed.scheme not in ("http", "https"):
raise ValueError("Unsupported url scheme: %s" % self.request.url)
# urlsplit results have hostname and port results, but they
# didn't support ipv6 literals until python 2.7.
netloc = self.parsed.netloc
if "@" in netloc:
userpass, _, netloc = netloc.rpartition("@")
host, port = httputil.split_host_and_port(netloc)
if port is None:
port = 443 if self.parsed.scheme == "https" else 80
if re.match(r"^\[.*\]$", host):
# raw ipv6 addresses in urls are enclosed in brackets
host = host[1:-1]
self.parsed_hostname = host # save final host for _on_connect
if self.request.allow_ipv6 is False:
af = socket.AF_INET
else:
af = socket.AF_UNSPEC
ssl_options = self._get_ssl_options(self.parsed.scheme)
source_ip = None
if self.request.network_interface:
if is_valid_ip(self.request.network_interface):
source_ip = self.request.network_interface
else:
raise ValueError(
"Unrecognized IPv4 or IPv6 address for network_interface, got %r"
% (self.request.network_interface,)
)
timeout = min(self.request.connect_timeout, self.request.request_timeout)
if timeout:
self._timeout = self.io_loop.add_timeout(
self.start_time + timeout,
functools.partial(self._on_timeout, "while connecting"),
)
stream = await self.tcp_client.connect(
host,
port,
af=af,
ssl_options=ssl_options,
max_buffer_size=self.max_buffer_size,
source_ip=source_ip,
)
if self.final_callback is None:
# final_callback is cleared if we've hit our timeout.
stream.close()
return
self.stream = stream
self.stream.set_close_callback(self.on_connection_close)
self._remove_timeout()
if self.final_callback is None:
return
if self.request.request_timeout:
self._timeout = self.io_loop.add_timeout(
self.start_time + self.request.request_timeout,
functools.partial(self._on_timeout, "during request"),
)
if (
self.request.method not in self._SUPPORTED_METHODS
and not self.request.allow_nonstandard_methods
):
raise KeyError("unknown method %s" % self.request.method)
for key in (
"proxy_host",
"proxy_port",
"proxy_username",
"proxy_password",
"proxy_auth_mode",
):
if getattr(self.request, key, None):
raise NotImplementedError("%s not supported" % key)
if "Connection" not in self.request.headers:
self.request.headers["Connection"] = "close"
if "Host" not in self.request.headers:
if "@" in self.parsed.netloc:
self.request.headers["Host"] = self.parsed.netloc.rpartition(
"@"
)[-1]
else:
self.request.headers["Host"] = self.parsed.netloc
username, password = None, None
if self.parsed.username is not None:
username, password = self.parsed.username, self.parsed.password
elif self.request.auth_username is not None:
username = self.request.auth_username
password = self.request.auth_password or ""
if username is not None:
assert password is not None
if self.request.auth_mode not in (None, "basic"):
raise ValueError(
"unsupported auth_mode %s", self.request.auth_mode
)
self.request.headers["Authorization"] = "Basic " + _unicode(
base64.b64encode(
httputil.encode_username_password(username, password)
)
)
if self.request.user_agent:
self.request.headers["User-Agent"] = self.request.user_agent
if not self.request.allow_nonstandard_methods:
# Some HTTP methods nearly always have bodies while others
# almost never do. Fail in this case unless the user has
# opted out of sanity checks with allow_nonstandard_methods.
body_expected = self.request.method in ("POST", "PATCH", "PUT")
body_present = (
self.request.body is not None
or self.request.body_producer is not None
)
if (body_expected and not body_present) or (
body_present and not body_expected
):
raise ValueError(
"Body must %sbe None for method %s (unless "
"allow_nonstandard_methods is true)"
% ("not " if body_expected else "", self.request.method)
)
if self.request.expect_100_continue:
self.request.headers["Expect"] = "100-continue"
if self.request.body is not None:
# When body_producer is used the caller is responsible for
# setting Content-Length (or else chunked encoding will be used).
self.request.headers["Content-Length"] = str(len(self.request.body))
if (
self.request.method == "POST"
and "Content-Type" not in self.request.headers
):
self.request.headers[
"Content-Type"
] = "application/x-www-form-urlencoded"
if self.request.decompress_response:
self.request.headers["Accept-Encoding"] = "gzip"
req_path = (self.parsed.path or "/") + (
("?" + self.parsed.query) if self.parsed.query else ""
)
self.connection = self._create_connection(stream)
start_line = httputil.RequestStartLine(
self.request.method, req_path, ""
)
self.connection.write_headers(start_line, self.request.headers)
if self.request.expect_100_continue:
await self.connection.read_response(self)
else:
await self._write_body(True)
except Exception:
if not self._handle_exception(*sys.exc_info()):
raise
def test_is_valid_ip(self):
self.assertTrue(is_valid_ip("127.0.0.1"))
self.assertTrue(is_valid_ip("4.4.4.4"))
self.assertTrue(is_valid_ip("::1"))
self.assertTrue(is_valid_ip("2620:0:1cfe:face:b00c::3"))
self.assertTrue(not is_valid_ip("www.google.com"))
self.assertTrue(not is_valid_ip("localhost"))
self.assertTrue(not is_valid_ip("4.4.4.4<"))
self.assertTrue(not is_valid_ip(" 127.0.0.1"))
self.assertTrue(not is_valid_ip(""))
self.assertTrue(not is_valid_ip(" "))
self.assertTrue(not is_valid_ip("\n"))
self.assertTrue(not is_valid_ip("\x00"))
def run(self):
operator = self.params['Operator']
hostname = self.params['Hostname']
user_org = self.params['AccessKeyId']
user_end = self.params['IPUserID']
ip = self.params['IP'] if 'IP' in self.params else None
package_id = self.params['PackageID'] if 'PackageID' in self.params else None
ts = self.application.ts_begin
sql = "select user_org,user_end,ip,package_protect_id,status from t_firewall WHERE hostname=%s and status>0"
data_add = self.application.dbcur.queryall_dict(sql, (hostname,))
if netutil.is_valid_ip(hostname):
res = sc(code.ParamError)
res.result = res.result % hostname
raise gen.Return(res)
if len(data_add) == 0:
res = sc(code.PermissionDenied)
res.result = res.result % hostname
raise gen.Return(res)
if ip is None and package_id is None:
res = sc(code.ParamError)
res.result = res.result % 'IP与包ID至少择一提交'
raise gen.Return(res)
data_info = {}
data_status = {}
thread_list = []
status_num = data_add[0]['status']
user_dict = {'user_org': user_org, 'user_end': user_end, 'ip': ip, 'package_protect_id': package_id}
condition = 0
fw_list = self.application.firewalllist if operator == 'bgp' else [self.application.ccfirewall, operator]
for i in fw_list:
fw_num = ZhiFirewall(i) if i in self.application.zhifirewalllist else Firewall(i)
condition += 2**fw_num.number
if condition != status_num:
res = sc(code.ParamError)
res.result = res.result % operator
raise gen.Return(res)
for i in fw_list:
t = MyThread(self.del_domain, args=(i, hostname, data_add, user_dict))
thread_list.append(t)
for t in thread_list:
t.start()
for t in thread_list:
t.join()
for index, item in enumerate(thread_list):
data_status[fw_list[index]] = item.get_result()
for k, v in data_status.items():
if '删除' in v:
firewall = ZhiFirewall(k) if k in self.application.zhifirewalllist else Firewall(k)
status_num = status_num ^ 2**firewall.number
if ip is None:
update_sql = 'UPDATE t_firewall SET status=%s, updatedt=%s WHERE user_org=%s AND user_end=%s AND hostname=%s AND ip IS NULL AND package_protect_id=%s'
self.application.dbcur.execute(update_sql,
(status_num, ts, user_org, user_end, hostname, package_id,))
elif package_id is None:
update_sql = 'UPDATE t_firewall SET status=%s, updatedt=%s WHERE user_org=%s AND user_end=%s AND hostname=%s AND ip=%s AND package_protect_id IS NULL'
self.application.dbcur.execute(update_sql, (status_num, ts, user_org, user_end, hostname, ip,))
else:
update_sql = 'UPDATE t_firewall SET status=%s, updatedt=%s WHERE user_org=%s AND user_end=%s AND hostname=%s AND ip=%s AND package_protect_id=%s'
self.application.dbcur.execute(update_sql,
(status_num, ts, user_org, user_end, hostname, ip, package_id,))
else:
condition = ''
if isinstance(condition, int):
data_info['DeleteDomainWhiteList'] = operator + ':域名从白名单删除'
res = sc(code.Success)
res.redata = data_info
else:
data_info['DeleteDomainWhiteList'] = operator + ':此域名已被他人配置'
res = sc(code.ChangeFail)
res.result = res.result % data_info
raise gen.Return(res)
def __init__(self,
method,
uri,
version="HTTP/1.0",
headers=None,
body=None,
remote_ip=None,
protocol=None,
host=None,
files=None,
connection=None):
self.method = method
self.uri = uri
self.version = version
self.headers = headers or httputil.HTTPHeaders()
self.body = body or ""
self.trace = None
# set remote IP and protocol
self.remote_ip = remote_ip
if protocol:
self.protocol = protocol
elif connection and isinstance(connection.stream,
iostream.SSLIOStream):
self.protocol = "https"
else:
self.protocol = "http"
# xheaders can override the defaults
if connection and connection.xheaders:
# Squid uses X-Forwarded-For, others use X-Real-Ip
ip = self.headers.get("X-Forwarded-For", self.remote_ip)
ip = ip.split(',')[-1].strip()
ip = self.headers.get("X-Real-Ip", ip)
if netutil.is_valid_ip(ip):
self.remote_ip = ip
# AWS uses X-Forwarded-Proto
proto = self.headers.get(
"X-Scheme", self.headers.get("X-Forwarded-Proto",
self.protocol))
if proto in ("http", "https"):
self.protocol = proto
# Zipkin users
if options.server_trace:
parent_span_id = self.headers.get("X-B3-ParentSpanId", None)
trace_id = self.headers.get("X-B3-TraceId", None)
span_id = self.headers.get("X-B3-SpanId", None)
name = method
endpoint = Endpoint(ipv4=socket.gethostbyname(
socket.gethostname()),
port=port,
service_name=service_name)
self.trace = Trace(name=name,
trace_id=trace_id,
span_id=span_id,
parent_span_id=parent_span_id)
self.trace.set_endpoint(endpoint)
self.host = host or self.headers.get("Host") or "127.0.0.1"
self.files = files or {}
self.connection = connection
self._start_time = time.time()
self._finish_time = None
self.path, sep, self.query = uri.partition('?')
self.arguments = parse_qs_bytes(self.query, keep_blank_values=True)
self.query_arguments = copy.deepcopy(self.arguments)
self.body_arguments = {}
if options.server_trace:
self.trace.record(Annotation.string('Url', uri))
self.trace.record(Annotation.string('Header', self.headers))
self.trace.record(Annotation.server_recv())
