/**
 * Returns one page of white-list rules, optionally narrowed by a free-text
 * keyword and by a list of threat sub-type ids.
 *
 * @param offset        1-based page number (the implementation skips {@code (offset - 1) * limit})
 * @param limit         page size
 * @param keyword       free-text search; matched against creator, name and the
 *                      rule list's IP values, and, when it is itself an IP address,
 *                      against the stored IP ranges
 * @param order         sort direction; only the {@code ASC} constant selects ascending,
 *                      anything else sorts descending
 * @param sortKey       document property to sort by after {@code status}; passed to
 *                      {@code Sort.Order} as-is, so callers exposing this to users should
 *                      restrict it to known property names
 * @param threatSubType threat sub-type ids to filter on; null/empty means no filter
 * @return matching, non-deleted rules sorted by {@code status} desc then {@code sortKey}
 */
List<AlertWhiteEntity> findListByKeyword(
        Integer offset, Integer limit, String keyword, String order,
        String sortKey, List<String> threatSubType
);
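/**
 * Pages through non-deleted white-list rules, optionally narrowed by a
 * free-text keyword and a threat sub-type id list.
 *
 * @param offset        1-based page number; values below 1 are treated as page 1 so
 *                      the computed skip can never be negative
 * @param limit         page size (passed straight to {@code Query.limit})
 * @param keyword       free-text search, ignored when null/empty
 * @param order         {@code ASC} for ascending, anything else for descending
 * @param sortKey       property to sort by after {@code status}; forwarded to
 *                      {@code Sort.Order} unchanged, which rejects null/empty
 * @param threatSubType threat sub-type ids to filter on; null/empty means no filter
 * @return the matching rules for the requested page
 * @throws NullPointerException     if {@code offset} or {@code limit} is null
 * @throws IllegalArgumentException if {@code sortKey} is null or empty
 */
@Override
public List<AlertWhiteEntity> findListByKeyword(
        Integer offset, Integer limit, String keyword, String order,
        String sortKey,
        List<String> threatSubType
) {
    // Fail with a named message instead of an unboxing NPE deep in the arithmetic below.
    Objects.requireNonNull(offset, "offset");
    Objects.requireNonNull(limit, "limit");

    Query query = new Query();
    if (!StringUtils.isEmpty(keyword)) {
        query.addCriteria(dealKeyword(keyword));
    }

    // Descending is the default; only an explicit ASC flips the caller's key.
    Sort.Order secondary = Objects.equals(order, ASC)
            ? Sort.Order.asc(sortKey)
            : Sort.Order.desc(sortKey);

    getThreatSubTypeFilter(threatSubType, query);
    // "status" is always the primary sort key; the caller's key breaks ties.
    query.with(Sort.by(Sort.Order.desc("status"), secondary));

    // offset is a 1-based page number: clamp so page 0 or a negative page
    // yields skip 0 instead of a negative skip.
    long page = Math.max(offset, 1);
    query.skip((page - 1) * limit).limit(limit);

    return incidentMongoTemplate.find(query, AlertWhiteEntity.class);
}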
1. 构造 keyword 的查询条件
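/**
 * Builds the keyword filter: an OR over the rule list's srcIp/dstIp values,
 * creator and name (case-insensitive substring match), plus, when the keyword
 * is itself a legal IP address, an IP-range containment check.
 *
 * @param keyword raw search text; treated as a literal string, never as a regex
 * @return the OR criteria to add to the page query
 */
private CriteriaDefinition dealKeyword(String keyword) {
    // Quote the keyword so regex metacharacters in the input cannot change the
    // pattern: "." in an IP would otherwise match any character, and a crafted
    // keyword could be compiled into an expensive pattern that the server then
    // evaluates against every document. \Q...\E quoting is understood by the
    // PCRE-based server engine; revisit if the regex engine ever changes.
    Pattern pattern = Pattern.compile("^.*" + Pattern.quote(keyword) + ".*$", Pattern.CASE_INSENSITIVE);

    // Shared alternatives (identical for the IP and non-IP branches).
    Criteria ruleListMatch = new Criteria().and("ruleList.ruleList").elemMatch(
            new Criteria().andOperator(
                    new Criteria().orOperator(
                            new Criteria().and("type").is("srcIp"),
                            new Criteria().and("type").is("dstIp")),
                    new Criteria().and("value").regex(pattern)));
    Criteria creatorMatch = new Criteria().and("creator").regex(pattern);
    Criteria nameMatch = new Criteria().and("name").regex(pattern);

    Criteria[] alternatives;
    if (IpUtil.judgeLegalIp(keyword)) {
        // Expand to the full form so the string comparison against the stored
        // startIp/endIp bounds is meaningful.
        String fullIp = "";
        if (IpUtil.judgeIpv6(keyword)) {
            fullIp = IpUtil.formatIpv6Full(keyword);
        } else if (IpUtil.judgeIpv4(keyword)) {
            fullIp = IpUtil.formatIpv4Full(keyword);
        }
        Criteria ipRangeMatch = new Criteria().and("ruleList.ipRange").elemMatch(
                new Criteria().and("value").elemMatch(new Criteria().andOperator(
                        Criteria.where("startIp").lte(fullIp),
                        Criteria.where("endIp").gte(fullIp))));
        alternatives = new Criteria[] { ruleListMatch, creatorMatch, nameMatch, ipRangeMatch };
    } else {
        alternatives = new Criteria[] { ruleListMatch, creatorMatch, nameMatch };
    }

    return new Criteria().orOperator(alternatives);
}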
2. 构造 threatSubType 的查询条件
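/**
 * Adds the threat-sub-type filter (when requested) and the soft-delete filter
 * to {@code query}.
 *
 * @param threatSubType sub-type ids to match; null/empty adds no sub-type filter.
 *                      The {@code ALL} sentinel is always included in the match
 *                      set so rules that apply to every sub-type are returned too.
 * @param query         the query to extend; always gains {@code deleted == false}
 */
private void getThreatSubTypeFilter(List<String> threatSubType, Query query) {
    if (threatSubType != null && !threatSubType.isEmpty()) {
        // Work on a copy: the caller's list must not be mutated as a side effect,
        // and it may be unmodifiable (e.g. List.of), which would throw on add().
        List<String> ids = new java.util.ArrayList<>(threatSubType);
        if (!ids.contains(ALL)) {
            ids.add(ALL);
        }
        query.addCriteria(Criteria.where("threatSubTypeId").in(ids));
    }
    query.addCriteria(Criteria.where("deleted").is(false));
}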
3. 相应的实体类
/**
 * MongoDB document for one alert white-list rule (collection
 * {@code t_alert_white_rules}). Lombok {@code @Data} supplies accessors,
 * {@code equals}/{@code hashCode} and {@code toString}.
 *
 * <p>Fields used by the repository's keyword search: {@code creator} and
 * {@code name} are regex-matched, {@code ruleList.ruleList} and
 * {@code ruleList.ipRange} are searched with {@code elemMatch},
 * {@code threatSubTypeId} is filtered with {@code in}, {@code deleted} must be
 * {@code false}, and {@code status} is the primary sort key.
 */
@Data
@Document("t_alert_white_rules")
public class AlertWhiteEntity {
    // Mongo _id; exposed in JSON under "_id" via ObjectIdSerializer.
    @JsonProperty("_id")
    @MongoId
    @ApiModelProperty(value = "元api id")
    @JsonSerialize(using = ObjectIdSerializer.class)
    private ObjectId id;
    // White-list id (Swagger: 白名单id), distinct from the Mongo _id.
    @Field("whiteId")
    @ApiModelProperty(value = "白名单id")
    private String whiteId;
    // Alert type; the front end uses it to pick the display template.
    @Field("alertType")
    @ApiModelProperty(value = "告警类型,前端使用控制展示哪种模板")
    private String alertType;
    // Original alert type, used by the front end to render the alert type.
    // No @Field here, so it presumably maps under its Java name — confirm.
    @ApiModelProperty(value = "告警类型,前端使用控制渲染告警类型")
    private String originAlertType;
    // Selected threat sub-types as label/value pairs (see the Swagger example).
    @Field("threatSubType")
    @ApiModelProperty(value = "攻击小类数量", example = "{[\"label\":\"aaaa\",\"value\":\"1_2_3\"]}")
    private List<WhiteScreenEntity> threatSubType;
    // Display labels of the selected threat sub-types.
    @Field("threatSubTypeView")
    @ApiModelProperty(value = "攻击小类展示数组", example = "[\"aaa\"]")
    private List<String> threatSubTypeView;
    // Threat sub-type ids; the list query filters on this with `in`, and
    // always adds the ALL sentinel to the match set.
    @Field("threatSubTypeId")
    @ApiModelProperty(value = "攻击小类ID数组", example = "[\"1_2_3\"]")
    private List<String> threatSubTypeId;
    // Hosts the rule applies to.
    @Field("hostIp")
    @ApiModelProperty(value = "生效主机", example = "1.1.1.1")
    private List<String> hostIp;
    // Whether "all hosts" was selected.
    @Field("isHostAll")
    @ApiModelProperty(value = "是否勾选全部")
    private Boolean isHostAll;
    // Digest used to detect duplicate rules.
    @Field("repeatMd5")
    @ApiModelProperty(value = "用于判断是否重复md5")
    private String repeatMd5;
    // "enable" | "disable"; the list query always sorts on this first (desc).
    @Field("status")
    @ApiModelProperty(value = "状态", notes = "启用enable | 禁用disable")
    private String status;
    // Rule name; regex-searched by the keyword filter.
    @Field("name")
    @ApiModelProperty(value = "规则名称")
    private String name;
    // 1 = permanent, 0 = custom validity window.
    @Field("isUnlimited")
    @ApiModelProperty(value = "是否永久生效", notes = "永久生效1 | 自定义0")
    private Integer isUnlimited;
    // Stored as "sort_status": 1 when status is enable, 0 when disable.
    @Field("sort_status")
    @ApiModelProperty(value = "分类状态", notes = "status是enable时1 | status是disable时0")
    private Integer sortStatus;
    // Free-text remark.
    @Field("reason")
    @ApiModelProperty(value = "备注")
    private String reason;
    // Nested rule definition; the keyword search looks into ruleList.ruleList
    // (srcIp/dstIp values) and ruleList.ipRange (startIp/endIp bounds).
    @Field("ruleList")
    @ApiModelProperty(value = "规则列表")
    private RuleEntity ruleList;
    // Creator's display name; regex-searched by the keyword filter.
    @Field("creator")
    @ApiModelProperty(value = "创建人")
    private String creator;
    // Creator's id.
    @Field("creatorId")
    @ApiModelProperty(value = "创建人Id")
    private String creatorId;
    // Validity window; boxed, so may be null (presumably when isUnlimited == 1 — confirm).
    @Field("startTime")
    @ApiModelProperty(value = "开始时间")
    private Long startTime;
    @Field("endTime")
    @ApiModelProperty(value = "结束时间")
    private Long endTime;
    // Audit timestamps; primitive, so always present.
    @Field("createTime")
    @ApiModelProperty(value = "创建时间")
    private long createTime;
    @Field("updateTime")
    @ApiModelProperty(value = "更新时间")
    private long updateTime;
    // Soft-delete flag. The Swagger notes say 0/1, but the Java type is boolean
    // and the repository filters with `deleted == false`.
    @Field("deleted")
    @ApiModelProperty(value = "是否删除", notes = "否0 | 是1")
    private boolean deleted;
}
/**
 * Nested rule definition stored under {@code ruleList} of {@link AlertWhiteEntity}.
 * Lombok {@code @Data} supplies the accessors.
 */
@Data
public class RuleEntity {
    // Field matchers with String values; the keyword search elemMatches entries
    // whose type is srcIp or dstIp on their value.
    @ApiModelProperty(value = "规则列表")
    private List<RuleInfoEntity<String>> ruleList;
    // IP ranges; the keyword search matches an IP keyword against startIp/endIp.
    @ApiModelProperty(value = "IP范围")
    private List<RuleInfoEntity<IpInfoEntity>> ipRange;
    // IOA rules, grouped as a list of matcher lists; not touched by the search shown here.
    @ApiModelProperty(value = "IOA类型")
    private List<List<RuleInfoEntity<String>>> ioaRuleList;
}
/**
 * One matching rule: a field ({@code type}), a match mode and the values to
 * match. {@code T} is the value element type (String for plain rules,
 * {@link IpInfoEntity} for IP ranges). Null fields are omitted from JSON.
 * Lombok generates the no-arg and all-args constructors and the accessors;
 * {@code ValidateAble} is a project interface not shown here.
 */
@AllArgsConstructor
@NoArgsConstructor
@Data
@JsonInclude(JsonInclude.Include.NON_NULL)
@ApiModel(description = "匹配规则")
public class RuleInfoEntity<T> implements ValidateAble {
    // Field being matched, e.g. "srcIp"; the keyword search looks for srcIp/dstIp.
    @ApiModelProperty(value = "匹配字段", required = true, example = "srcIp")
    private String type;
    // Values to match.
    @ApiModelProperty(value = "匹配值", required = true)
    private List<T> value;
    // TMG match values (TMG is not expanded on this page).
    @ApiModelProperty(value = "TMG匹配值", required = true)
    private List<T> tmgValue;
    // Display name of the matched field.
    @ApiModelProperty(value = "中文名称", example = "srcIp")
    private String title;
    // Match mode, e.g. "IN".
    @ApiModelProperty(value = "匹配模式", required = true, example = "IN")
    private String mode;
    // Display form of the values.
    @ApiModelProperty(value = "匹配值")
    private List<String> view;
    // Whether matching ignores case.
    @ApiModelProperty(value = "是否忽略大小写")
    private Boolean isIgnorecase;
}
/**
 * Inclusive IP range bound pair used as the value type of {@code ipRange} rules.
 * The keyword search compares these with {@code lte}/{@code gte} as strings
 * against the expanded form of the searched IP, so they are presumably stored
 * in the same expanded form that {@code IpUtil.formatIpv4Full} /
 * {@code formatIpv6Full} produce — confirm where ranges are written.
 */
@Data
public class IpInfoEntity {
    // Lower bound (inclusive).
    @ApiModelProperty(value = "开始IP")
    private String startIp;
    // Upper bound (inclusive).
    @ApiModelProperty(value = "结束ip")
    private String endIp;
}