go_gameshield/internal/service/webforwarding.go

package service

import (
	"context"
	"encoding/json"
	"fmt"
	v1 "github.com/go-nunu/nunu-layout-advanced/api/v1"
	"github.com/go-nunu/nunu-layout-advanced/internal/model"
	"github.com/go-nunu/nunu-layout-advanced/internal/repository"
	"github.com/go-nunu/nunu-layout-advanced/pkg/rabbitmq"
	"golang.org/x/sync/errgroup"
	"maps"
	"net"
	"sort"
)

type WebForwardingService interface {
	GetWebForwarding(ctx context.Context, req v1.GetForwardingRequest) (v1.WebForwardingDataRequest, error)
	GetWebForwardingWafWebAllIps(ctx context.Context, req v1.GetForwardingRequest) ([]v1.WebForwardingDataRequest, error)
	AddWebForwarding(ctx context.Context, req *v1.WebForwardingRequest) error
	EditWebForwarding(ctx context.Context, req *v1.WebForwardingRequest) error
	DeleteWebForwarding(ctx context.Context, Ids []int) error
}

func NewWebForwardingService(
	service *Service,
	required RequiredService,
	webForwardingRepository repository.WebForwardingRepository,
	crawler CrawlerService,
	parser ParserService,
	wafformatter WafFormatterService,
	aoDun AoDunService,
	mq *rabbitmq.RabbitMQ,
	gatewayGroupIpRep repository.GateWayGroupIpRepository,
	gatewayGroupRep repository.GatewayGroupRepository,
	cdn CdnService,
) WebForwardingService {
	return &webForwardingService{
		Service:                 service,
		webForwardingRepository: webForwardingRepository,
		required:                required,
		parser:                  parser,
		crawler:                 crawler,
		wafformatter:            wafformatter,
		aoDun:                   aoDun,
		mq:                      mq,
		gatewayGroupIpRep:        gatewayGroupIpRep,
		gatewayGroupRep:           gatewayGroupRep,
		cdn:                     cdn,
	}
}

type webForwardingService struct {
	*Service
	webForwardingRepository repository.WebForwardingRepository
	required                RequiredService
	parser                  ParserService
	crawler                 CrawlerService
	wafformatter            WafFormatterService
	aoDun                   AoDunService
	mq                      *rabbitmq.RabbitMQ
	gatewayGroupIpRep        repository.GateWayGroupIpRepository
	gatewayGroupRep           repository.GatewayGroupRepository
	cdn                     CdnService
}



const (
	isHttps         = 1
	protocolHttps        = "https"
	protocolHttp         = "http"
	defaultNodeClusterId = 1
)
func (s *webForwardingService) require(ctx context.Context,req v1.GlobalRequire) (v1.GlobalRequire, error) {
	var err error
	var res v1.GlobalRequire
	g, gCtx := errgroup.WithContext(ctx)

	//g.Go(func() error {
	//	result, e := s.wafformatter.require(gCtx, req, "web")
	//	if e != nil {
	//		return e
	//	}
	//	res = result
	//	return nil
	//})

	g.Go(func() error {
		e := s.wafformatter.validateWafDomainCount(gCtx, req)
		if e != nil {
			return e
		}
		return nil
	})
	if err 		= g.Wait(); err != nil {
		return v1.GlobalRequire{}, err
	}
	return res, nil
}

func (s *webForwardingService) GetWebForwarding(ctx context.Context, req v1.GetForwardingRequest) (v1.WebForwardingDataRequest, error) {
	var webForwarding model.WebForwarding
	var backend model.WebForwardingRule
	g, gCtx := errgroup.WithContext(ctx)
	g.Go(func() error {
		res, e := s.webForwardingRepository.GetWebForwarding(gCtx, int64(req.Id))
		if e != nil {
			// 直接返回错误，errgroup 会捕获它
			return fmt.Errorf("GetWebForwarding failed: %w", e)
		}
		if res != nil {
			webForwarding = *res
		}
		return nil
	})

	g.Go(func() error {
		res, e := s.webForwardingRepository.GetWebForwardingIpsByID(ctx, req.Id)
		if e != nil {
			return fmt.Errorf("GetWebForwardingByID failed: %w", e)
		}
		if res != nil {
			backend = *res
		}
		return nil
	})

	if err := g.Wait(); err != nil {
		return v1.WebForwardingDataRequest{}, err
	}

	return v1.WebForwardingDataRequest{
		Id:                  webForwarding.Id,
		Port:                webForwarding.Port,
		Domain:              webForwarding.Domain,
		IsHttps:             webForwarding.IsHttps,
		Comment:             webForwarding.Comment,
		BackendList:         backend.BackendList,
		AllowIpList:         backend.AllowIpList,
		DenyIpList:          backend.DenyIpList,
		AccessRule:          backend.AccessRule,
		HttpsKey: 			webForwarding.HttpsKey,
		HttpsCert: 			webForwarding.HttpsCert,
	}, nil
}


// buildWebForwardingModel 辅助函数，用于构建通用的 WebForwarding 模型
// ruleId 是从 WAF 系统获取的 ID
func (s *webForwardingService) buildWebForwardingModel(req *v1.WebForwardingDataRequest,ruleId int, require RequireResponse) *model.WebForwarding {
	return &model.WebForwarding{
		HostId:      require.HostId,
		CdnWebId:    ruleId,
		Port:        req.Port,
		Domain:      req.Domain,
		IsHttps:     req.IsHttps,
		Comment:     req.Comment,
		HttpsCert:   req.HttpsCert,
		HttpsKey:    req.HttpsKey,
		SslCertId: int(req.SslCertId),
	}
}

func (s *webForwardingService) buildWebRuleModel(reqData *v1.WebForwardingDataRequest, require RequireResponse, localDbId int, cdnOriginIds map[string]int64) *model.WebForwardingRule {
	return &model.WebForwardingRule{
		Uid:         require.Uid,
		HostId:      require.HostId,
		WebId:       localDbId,
		CdnOriginIds: cdnOriginIds,
		BackendList: reqData.BackendList,
		AllowIpList: reqData.AllowIpList,
		DenyIpList:  reqData.DenyIpList,
		AccessRule:  reqData.AccessRule,
	}
}





// =================================================================
// 主函数：prepareWafData
// 职责：协调整个流程，负责获取前置配置和组装最终的 formData。
// =================================================================
func (s *webForwardingService) prepareWafData(ctx context.Context, req *v1.WebForwardingRequest) (RequireResponse, v1.Website, error) {
	// 1. 获取基础配置
	require, err := s.wafformatter.Require(ctx, v1.GlobalRequire{
		HostId:  req.HostId,
		Uid:     req.Uid,
		Comment: req.WebForwardingData.Comment,
	})
	if err != nil {
		return RequireResponse{}, v1.Website{}, fmt.Errorf("获取WAF前置配置失败: %w", err)
	}
	if require.GatewayGroupId == 0 || require.Uid == 0 {
		return RequireResponse{}, v1.Website{}, fmt.Errorf("请先配置实例")
	}

	// 2. 调用辅助函数，构建核心的代理配置 (将复杂逻辑封装起来)
	byteData, err := s.buildProxyJSONConfig(ctx, req, require)
	if err != nil {
		return RequireResponse{}, v1.Website{}, err // 错误信息在辅助函数中已经包装好了
	}

	type serverNames struct {
		ServerNames string `json:"name" form:"name"`
		Type string `json:"type" form:"type"`
	}
	var serverName []serverNames
	var serverJson []byte
	if req.WebForwardingData.Domain != "" {
		serverName = append(serverName, serverNames{
			ServerNames: req.WebForwardingData.Domain,
			Type: "full",
		})
		serverJson, err = json.Marshal(serverName)
		if err != nil {
			return RequireResponse{}, v1.Website{}, err
		}
	}

	// 3. 组装最终的 WAF 表单数据
	formData := v1.Website{
		UserId:         int64(require.CdnUid),
		Type:           "httpProxy",
		Name:           require.Tag,
		ServerNamesJSON : serverJson,
		Description:    req.WebForwardingData.Comment,
		ServerGroupIds: []int64{int64(require.GroupId)},
		UserPlanId:     int64(require.RuleId),
		NodeClusterId:  defaultNodeClusterId,
	}

	var noSslByteData, _ = json.Marshal(v1.TypeJSON{IsOn: false})

	// 4. 根据协议类型，填充 HttpJSON 和 HttpsJSON 字段
	if req.WebForwardingData.IsHttps == isHttps {
		formData.HttpJSON = noSslByteData
		formData.HttpsJSON = byteData
	} else {
		formData.HttpJSON = byteData
		formData.HttpsJSON = noSslByteData
	}

	return require, formData, nil
}


// =================================================================
// 辅助函数：buildProxyJSONConfig
// 职责：专门负责处理 HTTP/HTTPS 的差异，并生成对应的 JSON 配置。
// =================================================================
func (s *webForwardingService) buildProxyJSONConfig(ctx context.Context, req *v1.WebForwardingRequest, require RequireResponse) ([]byte, error) {
	var (
		jsonData v1.TypeJSON
		apiType  string
		err      error
	)
	jsonData.IsOn = true

	// 判断协议类型，并处理 HTTPS 的特殊逻辑（证书）
	if req.WebForwardingData.IsHttps == isHttps {
		apiType = protocolHttps

		req.WebForwardingData.SslCertId, err = s.cdn.AddSSLCert(ctx, v1.SSlCert{
			UserId:       int64(require.CdnUid),
			Name:         req.WebForwardingData.Domain,
			Description:  req.WebForwardingData.Comment,
			CertData:     []byte(req.WebForwardingData.HttpsCert),
			KeyData:      []byte(req.WebForwardingData.HttpsKey),
			IsSelfSigned: false,
		})
		if err != nil {
			return  nil, fmt.Errorf("添加SSL证书失败: %w", err)
		}
		jsonData.SslPolicyRef.IsOn = true
		jsonData.SslPolicyRef.SslPolicyId = req.WebForwardingData.SslCertId
	} else {
		apiType = protocolHttp
	}

	// 填充通用的 Listen 配置
	for _, v := range require.GatewayIps {
		jsonData.Listen = append(jsonData.Listen, v1.Listen{
			Protocol: apiType,
			Host:     v,
			Port:     req.WebForwardingData.Port,
		})
	}

	// 序列化为 JSON
	byteData, err := json.Marshal(jsonData)
	if err != nil {
		return nil, fmt.Errorf("序列化WAF配置失败: %w", err)
	}

	return  byteData, nil
}

// 查找两个列表的差异
func (s webForwardingService) FindDifferenceList (oldList, newList []v1.BackendList) (added, removed []v1.BackendList) {
	diff := make(map[v1.BackendList]int)

	// 1. 遍历旧列表，为每个元素计数 +1
	for _, item := range oldList {
		diff[item]++
	}

	// 2. 遍历新列表，为每个元素计数 -1
	for _, item := range newList {
		diff[item]--
	}

	// 3. 遍历 diff map 来找出差异
	for item, count := range diff {
		if count > 0 {
			// 如果 count > 0，说明这个元素在 oldList 中但不在 newList 中
			removed = append(removed, item)
		} else if count < 0 {
			// 如果 count < 0，说明这个元素在 newList 中但不在 oldList 中
			added = append(added, item)
		}
		// 如果 count == 0，说明元素在两个列表中都存在，不做任何操作
	}

	return added, removed
}



func (s *webForwardingService) AddWebForwarding(ctx context.Context, req *v1.WebForwardingRequest) error {
	require, formData, err := s.prepareWafData(ctx, req)
	if err != nil {
		return err
	}
	err = s.wafformatter.validateWafPortCount(ctx, require.HostId)
	if err != nil {
		return err
	}

	webId, err := s.cdn.CreateWebsite(ctx, formData)
	if err != nil {
		return err
	}
	backendList := make(map[string]string)
	for _,k := range req.WebForwardingData.BackendList {
		backendList[k.Addr] = k.CustomHost
	}
	// 添加源站
	cdnOriginIds := make(map[string]int64)
	for _, v := range req.WebForwardingData.BackendList {
		apiType := protocolHttp
		// 如果条件满足，则覆盖为 HTTPS
		if v.IsHttps == isHttps {
			apiType = protocolHttps
		}
		id, err := s.wafformatter.AddOrigin(ctx, v1.WebJson{
			ApiType:  apiType,
			BackendList: v.Addr,
			Host:        v.CustomHost,
			Comment:     req.WebForwardingData.Comment,
		})
		if err != nil {
			return err
		}
		cdnOriginIds[v.Addr] = id
	}

	// 添加源站到网站
	for _, v := range cdnOriginIds {
		err = s.cdn.AddServerOrigin(ctx, webId, v)
		if err != nil {
			return err
		}
	}

	webModel := s.buildWebForwardingModel(&req.WebForwardingData, int(webId), require)

	id, err := s.webForwardingRepository.AddWebForwarding(ctx, webModel)
	if err != nil {
		return err
	}
	webRuleModel := s.buildWebRuleModel(&req.WebForwardingData,require, id, cdnOriginIds)
	if _, err = s.webForwardingRepository.AddWebForwardingIps(ctx, *webRuleModel); err != nil {
		return err
	}




	if req.WebForwardingData.Domain != "" {
		// 异步任务：将域名添加到白名单
		doMain, err := s.wafformatter.ConvertToWildcardDomain(ctx, req.WebForwardingData.Domain)
		if err != nil {
			return err
		}
		if len(require.GatewayIps) == 0 {
			return fmt.Errorf("网关组不存在")
		}
		firstIp,err :=  s.GetGatewayFirstIp(ctx, require.HostId)
		if err != nil {
			return err
		}
		go s.wafformatter.PublishDomainWhitelistTask(doMain, firstIp, "add")

	}

	// IP过白
	var ips []string
	if req.WebForwardingData.BackendList != nil {
		for _, v := range req.WebForwardingData.BackendList {
			ip, _, err := net.SplitHostPort(v.Addr)
			if err != nil {
				return err
			}
			ips = append(ips,ip)
		}
		go s.wafformatter.PublishIpWhitelistTask(ips, "add","","white")
	}
	var accessRuleIps []string
	if len(req.WebForwardingData.AllowIpList) > 0 {
		for _, v := range require.GatewayIps {
			for _, ip := range req.WebForwardingData.AllowIpList {
				if net.ParseIP(ip) != nil{
					accessRuleIps = append(accessRuleIps, ip)
				}
			}
			go s.wafformatter.PublishIpWhitelistTask(accessRuleIps, "add",v,"white")
		}
	}
	// 黑名单
	var denyRuleIps []string
	if len(req.WebForwardingData.DenyIpList) > 0 {
		for _, v := range require.GatewayIps {
			for _, ip := range req.WebForwardingData.DenyIpList {
				if net.ParseIP(ip) != nil{
					denyRuleIps = append(denyRuleIps, ip)
				}
			}
			go s.wafformatter.PublishIpWhitelistTask(denyRuleIps, "add",v,"black")
		}
	}




	return nil
}

func (s *webForwardingService) EditWebForwarding(ctx context.Context, req *v1.WebForwardingRequest) error {

	require, formData, err := s.prepareWafData(ctx, req)
	if err != nil {
		return  err
	}

	oldData, err := s.webForwardingRepository.GetWebForwarding(ctx, int64(req.WebForwardingData.Id))
	if err != nil {
		return err
	}

	//修改网站端口
	if oldData.Port != req.WebForwardingData.Port || oldData.Domain != req.WebForwardingData.Domain {
		var typeJson []byte
		var apiType string
		if req.WebForwardingData.IsHttps == isHttps {
			typeJson = formData.HttpJSON
			apiType = protocolHttps
		}else {
			typeJson = formData.HttpsJSON
			apiType = protocolHttp
		}
		err = s.cdn.EditServerType(ctx, v1.EditWebsite{
			Id:       int64(oldData.CdnWebId),
			TypeJSON: typeJson,
		}, apiType)
		if err != nil {
			return err
		}
	}

	//修改网站名字
	if oldData.Comment != req.WebForwardingData.Comment {
		err = s.cdn.EditServerBasic(ctx, int64(oldData.CdnWebId), require.Tag)
		if err != nil {
			return err
		}
	}




	// 将域名添加到白名单
	webData, err := s.webForwardingRepository.GetWebForwarding(ctx, int64(req.WebForwardingData.Id))
	if err != nil {
		return err
	}

	// 异步任务：将域名添加到白名单
	if webData.Domain != req.WebForwardingData.Domain {
		firstIp,err :=  s.GetGatewayFirstIp(ctx, req.HostId)
		if err != nil {
			return err
		}
		doMain, err := s.wafformatter.ConvertToWildcardDomain(ctx, req.WebForwardingData.Domain)
		if err != nil {
			return err
		}
		oldDomain, err := s.wafformatter.ConvertToWildcardDomain(ctx, webData.Domain)
		if err != nil {
			return err
		}
		if len(require.GatewayIps) == 0 {
			return fmt.Errorf("网关组不存在")
		}
		go s.wafformatter.PublishDomainWhitelistTask(oldDomain, firstIp, "del")
		go s.wafformatter.PublishDomainWhitelistTask(doMain, firstIp, "add")
	}

	// IP过白
	ipData, err := s.webForwardingRepository.GetWebForwardingIpsByID(ctx, req.WebForwardingData.Id)
	if err != nil {
		return err
	}
	var oldIps []string
	var newIps []string
	for _, v := range ipData.BackendList {
		ip, _, err := net.SplitHostPort(v.Addr)
		if err != nil {
			return err
		}
		oldIps = append(oldIps, ip)

	}
	for _, v := range req.WebForwardingData.BackendList {
		ip, _, err := net.SplitHostPort(v.Addr)
		if err != nil {
			return err
		}
		newIps = append(newIps, ip)
	}
	addedIps, removedIps := s.wafformatter.findIpDifferences(oldIps, newIps)
	if len(addedIps) > 0 {
		go s.wafformatter.PublishIpWhitelistTask(addedIps, "add","","white")
	}
	if len(removedIps) > 0 {
		go s.wafformatter.PublishIpWhitelistTask(removedIps, "del","","white")
	}

	//白名单IP
	addedAllowIps, removedAllowIps := s.WashDifferentIp(ipData.AllowIpList, req.WebForwardingData.AllowIpList)
	for _, v := range require.GatewayIps {
		if len(addedAllowIps) > 0 {
			go s.wafformatter.PublishIpWhitelistTask(addedAllowIps, "add",v,"white")
		}
		if len(removedAllowIps) > 0 {
			go s.wafformatter.PublishIpWhitelistTask(removedAllowIps, "del",v,"white")
		}
	}

	// 黑名单IP
	addedDenyIps, removedDenyIps := s.WashDifferentIp(ipData.DenyIpList, req.WebForwardingData.DenyIpList)
	for _, v := range require.GatewayIps {
		if len(addedDenyIps) > 0 {
			go s.wafformatter.PublishIpWhitelistTask(addedDenyIps, "add",v,"black")
		}
		if len(removedDenyIps) > 0 {
			go s.wafformatter.PublishIpWhitelistTask(removedDenyIps, "del",v,"black")
		}
	}



	//修改源站
	addOrigins, delOrigins := s.FindDifferenceList(ipData.BackendList, req.WebForwardingData.BackendList)
	addedIds := make(map[string]int64)
	for _, v := range addOrigins {
		var apiType string
		if v.IsHttps == isHttps {
			apiType = protocolHttps
		}else {
			apiType = protocolHttp
		}
		id, err := s.wafformatter.AddOrigin(ctx,v1.WebJson{
			ApiType: apiType,
			BackendList: v.Addr,
			Host: v.CustomHost,
			Comment: req.WebForwardingData.Comment,
		})
		if err != nil {
			return err
		}
		addedIds[v.Addr] = id
	}
	for _, v := range addedIds {
		err = s.cdn.AddServerOrigin(ctx, int64(oldData.CdnWebId), v)
		if err != nil {
			return err
		}
	}

	maps.Copy(ipData.CdnOriginIds, addedIds)
	for k, v := range ipData.CdnOriginIds {
		for _, ip := range delOrigins {
			if k == ip.Addr {
				err = s.cdn.DelServerOrigin(ctx, int64(oldData.CdnWebId), v)
				if err != nil {
					return err
				}
				delete(ipData.CdnOriginIds, k)
			}
		}
	}



	webModel := s.buildWebForwardingModel(&req.WebForwardingData, req.WebForwardingData.CdnWebId, require)
	webModel.Id = req.WebForwardingData.Id
	if err = s.webForwardingRepository.EditWebForwarding(ctx, webModel); err != nil {
		return err
	}
	webRuleModel := s.buildWebRuleModel(&req.WebForwardingData, require, req.WebForwardingData.Id,ipData.CdnOriginIds)
	if err = s.webForwardingRepository.EditWebForwardingIps(ctx, *webRuleModel); err != nil {
		return err
	}
	return nil
}

func (s *webForwardingService) DeleteWebForwarding(ctx context.Context, Ids []int) error {
	for _, Id := range Ids {
		oldData, err := s.webForwardingRepository.GetWebForwarding(ctx, int64(Id))
		if err != nil {
			return err
		}

		err = s.cdn.DelServer(ctx, int64(oldData.CdnWebId))
		if err != nil {
			return err
		}





		// 异步任务：将域名添加到白名单
		firstIp,err :=  s.GetGatewayFirstIp(ctx, oldData.HostId)
		if err != nil {
			return err
		}
		if oldData.Domain != "" {

			doMain, err := s.wafformatter.ConvertToWildcardDomain(ctx, oldData.Domain)
			if err != nil {
				return err
			}
			go s.wafformatter.PublishDomainWhitelistTask(doMain,firstIp, "del")
		}
		// IP过白
		ipData, err := s.webForwardingRepository.GetWebForwardingIpsByID(ctx, Id)
		if err != nil {
			return err
		}
		var ips []string
		if len(ipData.BackendList) > 0 {
			for _, v := range ipData.BackendList {
				ip, _, err := net.SplitHostPort(v.Addr)
				if err != nil {
					return err
				}
				ips = append(ips, ip)
			}
		}
		if len(ipData.AllowIpList) > 0 {
			ips = append(ips, ipData.AllowIpList...)
		}
		if len(ips) > 0 {
			go s.wafformatter.PublishIpWhitelistTask(ips, "del","","white")
		}

		// IP过黑
		if len(ipData.DenyIpList) > 0 {
			go s.wafformatter.PublishIpWhitelistTask(ipData.DenyIpList, "del","","black")
		}



		if err = s.webForwardingRepository.DeleteWebForwarding(ctx, int64(Id)); err != nil {
			return err
		}
		if err = s.webForwardingRepository.DeleteWebForwardingIpsById(ctx, Id); err != nil {
			return err
		}
	}

	return nil
}

func (s *webForwardingService) GetWebForwardingWafWebAllIps(ctx context.Context, req v1.GetForwardingRequest) ([]v1.WebForwardingDataRequest, error) {
	type CombinedResult struct {
		Id          int
		Forwarding  *model.WebForwarding
		BackendRule *model.WebForwardingRule
		Err         error // 如果此ID的处理出错，则携带错误
	}
	g, gCtx := errgroup.WithContext(ctx)
	ids, err := s.webForwardingRepository.GetWebForwardingWafWebAllIds(gCtx, req.HostId)
	if err != nil {
		return nil, fmt.Errorf("GetWebForwardingWafWebAllIds failed: %w", err)
	}

	if len(ids) == 0 {
		return nil, nil // 没有ID，直接返回空切片
	}

	// 创建一个通道来接收每个ID的处理结果
	// 通道缓冲区大小设为ID数量，这样发送者不会因为接收者慢而阻塞（在所有goroutine都启动后）
	resultsChan := make(chan CombinedResult, len(ids))

	for _, idVal := range ids {
		currentID := idVal // 捕获循环变量
		g.Go(func() error {
			var wf *model.WebForwarding
			var bk *model.WebForwardingRule
			var localErr error

			// 1. 获取 WebForwarding 信息
			wf, localErr = s.webForwardingRepository.GetWebForwarding(gCtx, int64(currentID))
			if localErr != nil {
				// 发送错误到通道，并由 errgroup 捕获
				// errgroup 会处理第一个非nil错误，并取消其他 goroutine
				resultsChan <- CombinedResult{Id: currentID, Err: fmt.Errorf("GetWebForwarding for id %d failed: %w", currentID, localErr)}
				return localErr // 返回错误给 errgroup
			}
			if wf == nil { // 正常情况下，如果没错误，wf不应为nil，但防御性检查
				localErr = fmt.Errorf("GetWebForwarding for id %d returned nil data without error", currentID)
				resultsChan <- CombinedResult{Id: currentID, Err: localErr}
				return localErr
			}


			// 2. 获取 Backend IP 信息
			// 注意：这里我们允许 GetWebForwardingIpsByID 可能返回 nil 数据（例如没有规则）而不是错误
			// 如果它也可能返回错误，则处理方式与上面类似
			bk, localErr = s.webForwardingRepository.GetWebForwardingIpsByID(gCtx, currentID)
			if localErr != nil {
				// 如果获取IP信息失败是一个致命错误，则也应返回错误
				// 如果允许部分成功（比如有WebForwarding但没有IP信息），则可以不将此视为errgroup的错误
				// 这里假设它也是一个需要errgroup捕获的错误
				resultsChan <- CombinedResult{Id: currentID, Forwarding: wf, Err: fmt.Errorf("GetWebForwardingIpsByID for id %d failed: %w", currentID, localErr)}
				return localErr // 返回错误给 errgroup
			}
			// bk 可能是 nil 如果没有错误且没有规则，这取决于业务逻辑

			// 发送成功的结果到通道
			resultsChan <- CombinedResult{Id: currentID, Forwarding: wf, BackendRule: bk}
			return nil // 此goroutine成功
		})
	}

	// 等待所有goroutine完成
	groupErr := g.Wait()

	// 关闭通道，表示所有发送者都已完成
	// 这一步很重要，这样下面的 range 循环才能正常结束
	close(resultsChan)

	// 如果 errgroup 捕获到任何错误，优先返回该错误
	if groupErr != nil {
		// 虽然errgroup已经出错了，但通道中可能已经有一些结果（来自出错前成功或出错的goroutine）
		// 我们需要排空通道以避免goroutine泄漏（如果它们在发送时阻塞）
		// 但由于我们优先返回groupErr，这些结果将被丢弃。
		// 在这种设计下，通常任何一个子任务失败都会导致整个操作失败。
		return nil, groupErr
	}

	// 如果没有错误，收集所有成功的结果
	finalResults := make([]v1.WebForwardingDataRequest, 0, len(ids))
	for res := range resultsChan {
		// 再次检查通道中的错误，尽管 errgroup 应该已经捕获了
		// 但这是一种更细致的错误处理，以防万一有goroutine在errgroup.Wait()前发送了错误但未被errgroup捕获
		// （理论上，如果goroutine返回了错误，errgroup会处理）
		// 主要目的是处理 res.forwarding 为 nil 的情况 (如果上面允许不返回错误)
		if res.Err != nil {
			// 如果到这里还有错误，说明逻辑可能有问题，或者我们决定忽略某些类型的子错误
			// 在此示例中，因为 g.Wait() 没有错误，所以这里的 res.err 应该是nil
			// 如果不是，那么可能是goroutine在return nil前发送了带有错误的res。
			// 严格来说，如果errgroup没有错误，这里res.err也应该是nil
			// 但以防万一，我们可以记录日志
			return nil, fmt.Errorf("received error from goroutine for ID %d: %w", res.Id, res.Err)
		}
		if res.Forwarding == nil {
			return nil, fmt.Errorf("received nil forwarding from goroutine for ID %d", res.Id)
		}


		dataReq := v1.WebForwardingDataRequest{
			Id:                  res.Forwarding.Id,
			Port:                res.Forwarding.Port,
			Domain:              res.Forwarding.Domain,
			IsHttps:             res.Forwarding.IsHttps,
			Comment:             res.Forwarding.Comment,
			HttpsKey:            res.Forwarding.HttpsKey,
			HttpsCert:           res.Forwarding.HttpsCert,
		}

		if res.BackendRule != nil { // 只有当 BackendRule 存在时才填充相关字段
			dataReq.BackendList = res.BackendRule.BackendList
			dataReq.AllowIpList = res.BackendRule.AllowIpList
			dataReq.DenyIpList = res.BackendRule.DenyIpList
			dataReq.AccessRule = res.BackendRule.AccessRule
		}
		finalResults = append(finalResults, dataReq)
	}

	sort.Slice(finalResults, func(i, j int) bool {
		return finalResults[i].Id > finalResults[j].Id
	})
	return finalResults, nil
}

func (s *webForwardingService) GetGatewayFirstIp(ctx context.Context, hostId int) (string, error) {
	gateWayGroup, err := s.gatewayGroupRep.GetGatewayGroupByHostId(ctx, int64(hostId))
	if err != nil {
		return "", err
	}
	if gateWayGroup == nil {
		return  "",fmt.Errorf("网关组不存在")
	}
	gateWayIps, err := s.gatewayGroupIpRep.GetGateWayGroupFirstIpByGatewayGroupId(ctx, gateWayGroup.Id)
	if err != nil {
		return "", err
	}
	if len(gateWayIps) == 0 {
		return  "",fmt.Errorf("网关组IP为空")
	}
	return gateWayIps, nil
}


// 清洗IP
func (s *webForwardingService) WashDifferentIp(newIpList []string, oldIpList []string) (addedDenyIps []string,removedDenyIps []string) {
	var newAllowIps []string
	var oldAllowIps []string
	if len(oldIpList) > 0 {
		for _, v := range oldIpList {
			if net.ParseIP(v) != nil{
				oldAllowIps = append(oldAllowIps, v)
			}
		}
	}
	if len(newIpList) > 0 {
		for _, v := range newIpList {
			if net.ParseIP(v) != nil{
				newAllowIps = append(newAllowIps, v)
			}
		}
	}
	addedDenyIps, removedDenyIps = s.wafformatter.findIpDifferences(oldAllowIps, newAllowIps)
	return addedDenyIps, removedDenyIps
}