diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index c141bb7..867e51e 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -2,7 +2,7 @@ variables: GIT_STRATEGY: "clone" BUILD_IMAGE_CENTOS8: "git.mesalab.cn:7443/mesa_platform/build-env:rockylinux" BUILD_PADDING_PREFIX: /tmp/padding_for_CPACK_RPM_BUILD_SOURCE_DIRS_PREFIX_PREFIX_PREFIX_PREFIX_PREFIX_PREFIX/ - INSTALL_DEPENDENCY_LIBRARY: framework_env openssl-devel libasan libfieldstat4-devel + INSTALL_DEPENDENCY_LIBRARY: framework_env openssl-devel libasan libfieldstat4-devel libuuid stages: - build diff --git a/src/inc_internal/maat_utils.h b/src/inc_internal/maat_utils.h index 4381398..55c9435 100644 --- a/src/inc_internal/maat_utils.h +++ b/src/inc_internal/maat_utils.h @@ -19,6 +19,7 @@ extern "C" #include #include #include +#include #include "uthash/utarray.h" #include "cJSON/cJSON.h" @@ -117,6 +118,7 @@ int system_cmd_gzip(const char *src_file, const char *dst_file); int system_cmd_encrypt(const char *src_file, const char *dst_file, const char *password); int ids_str2longlong_array(const char *ids_str, UT_array *ids_array); +void print_uuid_str(uuid_t uuid); #ifdef __cplusplus } diff --git a/src/maat_bool_plugin.c b/src/maat_bool_plugin.c index e88f49d..5a6fb3a 100644 --- a/src/maat_bool_plugin.c +++ b/src/maat_bool_plugin.c @@ -261,7 +261,7 @@ bool_plugin_accept_tag_match(struct bool_plugin_schema *schema, cJSON *tmp_obj = NULL; tmp_obj = cJSON_GetObjectItem(json, "effective_range"); - if (tmp_obj && n_tag > 0) { + if ((tmp_obj && cJSON_GetArraySize(tmp_obj) > 0) && n_tag > 0) { char *tag_str = cJSON_Print(tmp_obj); int ret = table_manager_accept_tags_match(schema->ref_tbl_mgr, tag_str); diff --git a/src/maat_config_monitor.c b/src/maat_config_monitor.c index 7dd8a6c..27831af 100644 --- a/src/maat_config_monitor.c +++ b/src/maat_config_monitor.c @@ -15,6 +15,7 @@ #include #include #include +#include "uthash/uthash.h" #include "maat_core.h" #include "maat_config_monitor.h" 
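Review bot: The rewritten `if` in `bool_plugin_accept_tag_match` changes what an empty `effective_range` means: a rule whose `effective_range` is present but empty (`{}`, as the new test data in maat_json.json uses) now skips the accept-tag check and is accepted for every tag set, whereas before the empty object was printed and handed to `table_manager_accept_tags_match`, whatever that returned for it. Going from "restricted" to "unrestricted" is a policy-scope decision and should be stated at the condition, e.g. `/* absent or empty effective_range means no tag restriction: the rule applies everywhere */`; `cJSON_GetArraySize` counts an object's children too, which is what makes `{}` count as empty here. The identical expression is now copied into maat_fqdn_plugin.c, maat_ip_plugin.c, maat_plugin.c and maat_rule.c in the later hunks; a single helper beside `table_manager_accept_tags_match`, say `static inline int effective_range_is_set(const cJSON *obj)`, would keep the five call sites from drifting apart.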
@@ -30,6 +31,12 @@ struct cm_table_info_t {
     char encrypt_algo[NAME_MAX];
 };
 
+struct object_info {
+    char object_name[MAX_NAME_STR_LEN];
+    char object_uuid[UUID_STR_LEN];
+    UT_hash_handle hh;
+};
+
 //replacement of glibc scandir, to adapt dictator malloc wrap
 #define ENLARGE_STEP 1024
 int my_scandir(const char *dir, struct dirent ***namelist,
@@ -179,13 +186,44 @@ void config_monitor_traverse(long long current_version, const cJSON *json_root,
     }
 }
 
+static void object_info_add(struct object_info *object_name_map, const char *object_name, const char *object_uuid)
+{
+    struct object_info *object_info = NULL;
+    HASH_FIND_STR(object_name_map, object_name, object_info);
+    if (object_info == NULL) {
+        object_info = ALLOC(struct object_info, 1);
+        strncpy(object_info->object_name, object_name, sizeof(object_info->object_name));
+        strncpy(object_info->object_uuid, object_uuid, sizeof(object_info->object_uuid));
+        HASH_ADD_STR(object_name_map, object_name, object_info);
+    }
+}
+
+static struct object_info *object_info_find(struct object_info *object_name_map, const char *object_name)
+{
+    struct object_info *object_info = NULL;
+    HASH_FIND_STR(object_name_map, object_name, object_info);
+    return object_info;
+}
+
+static void object_info_free(struct object_info *object_name_map)
+{
+    struct object_info *object_info, *tmp;
+    HASH_ITER(hh, object_name_map, object_info, tmp) {
+        HASH_DEL(object_name_map, object_info);
+        FREE(object_info);
+    }
+}
+
 void convert_maat_json_rule(cJSON **json_root, unsigned char *json_buff)
 {
     *json_root = cJSON_Parse((const char *)json_buff);
     cJSON *top_items = cJSON_GetObjectItem(*json_root, "items");
     cJSON *top_objects = cJSON_GetObjectItem(*json_root, "objects");
     cJSON *rules = cJSON_GetObjectItem(*json_root, "rules");
-    uuid_t tmp_uuid;
+    struct object_info *object_name_map = NULL;
+
+    int item_gen_id = 1000;
+    int object_gen_id = 1000;
 
     if (top_items == NULL) {
         top_items = cJSON_CreateArray();
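Review bot: `object_info_add` receives `object_name_map` by value, but uthash's `HASH_ADD_STR` assigns the head pointer it is handed, so an insert into an empty map lands in the local copy and the caller's `object_name_map` in `convert_maat_json_rule` stays NULL; every node (and the hash table uthash creates for it) is leaked, `object_info_find` can never find anything, and `object_info_free` has nothing to free. The map must be passed as `struct object_info **` here and at the call sites in the two later hunks of this file; `object_info_free` should take it the same way so the caller's head is reset. Separately, `strncpy` with the full buffer size leaves the field unterminated when a JSON value is `MAX_NAME_STR_LEN` or `UUID_STR_LEN` bytes or longer, after which `HASH_ADD_STR` runs `strlen` past the end of `object_name`; `snprintf(dst, sizeof dst, "%s", src)` always terminates, and the `ALLOC` result should be checked unless that macro aborts on failure.
```c
static void object_info_add(struct object_info **object_name_map, const char *object_name, const char *object_uuid)
{
    struct object_info *object_info = NULL;
    HASH_FIND_STR(*object_name_map, object_name, object_info);
    if (object_info == NULL) {
        object_info = ALLOC(struct object_info, 1);
        if (object_info == NULL) {
            return; /* keep the map consistent; the name just stays unresolved */
        }
        /* bounded copies that always NUL-terminate; values come from the rule file */
        snprintf(object_info->object_name, sizeof(object_info->object_name), "%s", object_name);
        snprintf(object_info->object_uuid, sizeof(object_info->object_uuid), "%s", object_uuid);
        HASH_ADD_STR(*object_name_map, object_name, object_info);
    }
}
/* … unchanged: object_info_find / object_info_free … */
```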
@@ -223,8 +261,7 @@ void convert_maat_json_rule(cJSON **json_root, unsigned char *json_buff)
 
             if (object_id_obj == NULL) {
                 char uuid_str[UUID_STR_LEN];
-                uuid_generate(tmp_uuid);
-                uuid_unparse(tmp_uuid, uuid_str);
+                snprintf(uuid_str, sizeof(uuid_str), "00000000-0000-0000-0000-00000000%d", object_gen_id++);
                 cJSON_AddStringToObject(new_table_content, "object_uuid", uuid_str);
             } else {
                 cJSON_AddStringToObject(new_table_content, "object_uuid", object_id_obj->valuestring);
@@ -232,8 +269,7 @@ void convert_maat_json_rule(cJSON **json_root, unsigned char *json_buff)
 
             if (cJSON_GetObjectItem(table_content, "uuid") == NULL) {
                 char uuid_str[UUID_STR_LEN];
-                uuid_generate(tmp_uuid);
-                uuid_unparse(tmp_uuid, uuid_str);
+                snprintf(uuid_str, sizeof(uuid_str), "00000000-0000-0000-0000-00000000%d", item_gen_id++);
                 cJSON_AddStringToObject(new_table_content, "uuid", uuid_str);
             }
 
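Review bot: The synthesized id format `"00000000-0000-0000-0000-00000000%d"` is exactly 36 characters only while the counter has four digits; once `object_gen_id` or `item_gen_id` reaches 10000 the string is 37 characters, `snprintf` truncates it to fit `uuid_str`, and the result `...000000001000` is the same id already handed out for counter value 1000. Using a fixed-width field, `"00000000-0000-0000-0000-%012d"`, yields byte-identical strings for the current four-digit values and stays 36 characters up to twelve digits; the same format is used at the two sites in the `@@ -297` and `@@ -310` hunks. Note also that the counters restart at 1000 on every call, so ids generated for two rule files converted in one process repeat, and they share the all-zero prefix with the explicit uuids in the test data, so an explicit `"...000000001000"` in a file collides with the first generated one; whether either matters depends on how the loaded objects are keyed, which is outside this hunk.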
@@ -276,20 +312,32 @@ void convert_maat_json_rule(cJSON **json_root, unsigned char *json_buff)
         cJSON_ArrayForEach(tmp_condition, condition_array) {
             cJSON *tmp_object = NULL;
             cJSON *object_uuid_array = cJSON_CreateArray();
-            cJSON *object_array = cJSON_GetObjectItem(tmp_condition, "objects");
-
-            if (object_array == NULL) {
-                continue;
-            }
 
             cJSON *negate_option = cJSON_GetObjectItem(tmp_condition, "negate_option");
             if (negate_option == NULL) {
                 cJSON_AddBoolToObject(tmp_condition, "negate_option", 0);
             }
 
-            cJSON_ArrayForEach(tmp_object, object_array) {
+            cJSON *object_name = cJSON_GetObjectItem(tmp_condition, "object_name");
+            cJSON *object_uuid = cJSON_GetObjectItem(tmp_condition, "object_uuid");
+            if (object_name && object_uuid) {
+                object_info_add(object_name_map, object_name->valuestring, object_uuid->valuestring);
+            }
+
+            if (object_uuid) {
+                cJSON_AddItemToArray(object_uuid_array, cJSON_CreateString(object_uuid->valuestring));
+            } else if (object_name) {
+                struct object_info *object_info = object_info_find(object_name_map, object_name->valuestring);
+                if (object_info) {
+                    cJSON_AddItemToArray(object_uuid_array, cJSON_CreateString(object_info->object_uuid));
+                }
+            }
+
+            cJSON *object_array = cJSON_GetObjectItem(tmp_condition, "objects");
+            cJSON_ArrayForEach(tmp_object, object_array) {//convert objects in rule
                 //find items, generate item_id and object_id
                 cJSON *object_id_obj = cJSON_GetObjectItem(tmp_object, "uuid");
+                cJSON *object_name_obj = cJSON_GetObjectItem(tmp_object, "object_name");
                 cJSON *items = cJSON_GetObjectItem(tmp_object, "items");
                 cJSON *item = NULL;
                 char obj_uuid_str[UUID_STR_LEN];
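Review bot: `object_name->valuestring` and `object_uuid->valuestring` are passed to `object_info_add` and `cJSON_CreateString` without confirming the items are strings; cJSON leaves `valuestring` NULL for a number, object or array, so a malformed rule file reaches `strncpy` with a NULL source. Guard both lookups (and `object_name_obj` in the `@@ -297` hunk) with `cJSON_IsString(object_name) && object_name->valuestring != NULL` before use. The name lookup also appears to resolve only names registered by an earlier condition or by a condition's own `object_name`/`object_uuid` pair, because the current condition's `objects` array is walked after the lookup; a condition that names an object defined later in the file gets an empty `object_uuid_array` with no diagnostic, which deserves a comment or a warning log at the `else if (object_name)` branch. What becomes of `object_uuid_array` is outside this hunk.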
@@ -297,8 +345,11 @@ void convert_maat_json_rule(cJSON **json_root, unsigned char *json_buff)
                 if (object_id_obj != NULL) {
                     snprintf(obj_uuid_str, sizeof(obj_uuid_str), "%s", object_id_obj->valuestring);
                 } else {
-                    uuid_generate(tmp_uuid);
-                    uuid_unparse(tmp_uuid, obj_uuid_str);
+                    snprintf(obj_uuid_str, sizeof(obj_uuid_str), "00000000-0000-0000-0000-00000000%d", object_gen_id++);
+                }
+
+                if (object_name_obj) {
+                    object_info_add(object_name_map, object_name_obj->valuestring, obj_uuid_str);
                 }
 
                 cJSON_ArrayForEach(item, items) {
@@ -310,8 +361,7 @@ void convert_maat_json_rule(cJSON **json_root, unsigned char *json_buff)
 
                     if (cJSON_GetObjectItem(dup, "uuid") == NULL) {
                         char uuid_str[UUID_STR_LEN];
-                        uuid_generate(tmp_uuid);
-                        uuid_unparse(tmp_uuid, uuid_str);
+                        snprintf(uuid_str, sizeof(uuid_str), "00000000-0000-0000-0000-00000000%d", item_gen_id++);
                         cJSON_AddStringToObject(dup, "uuid", uuid_str);
                     }
                     cJSON_AddStringToObject(dup, "object_uuid", obj_uuid_str);
@@ -328,6 +378,8 @@ void convert_maat_json_rule(cJSON **json_root, unsigned char *json_buff)
 
         }
     }
+
+    object_info_free(object_name_map);
 }
 
 int load_maat_json_rule_file(struct maat *maat_inst, const char *json_filename,
diff --git a/src/maat_fqdn_plugin.c b/src/maat_fqdn_plugin.c
index 205eef7..282ba0e 100644
--- a/src/maat_fqdn_plugin.c
+++ b/src/maat_fqdn_plugin.c
@@ -212,7 +212,7 @@ fqdn_plugin_accept_tag_match(struct fqdn_plugin_schema *schema,
     cJSON *tmp_obj = NULL;
     tmp_obj = cJSON_GetObjectItem(json, "effective_range");
-    if (tmp_obj != NULL && n_tag > 0) {
+    if ((tmp_obj && cJSON_GetArraySize(tmp_obj) > 0) && n_tag > 0) {
         char *tag_str = cJSON_Print(tmp_obj);
diff --git a/src/maat_ip_plugin.c b/src/maat_ip_plugin.c
index eb18391..8c33efa 100644
--- a/src/maat_ip_plugin.c
+++ b/src/maat_ip_plugin.c
@@ -111,7 +111,7 @@ ip_plugin_accept_tag_match(struct ip_plugin_schema *schema,
     size_t n_tag = table_manager_accept_tags_count(schema->ref_tbl_mgr);
     tmp_obj = cJSON_GetObjectItem(json, "effective_range");
-    if (tmp_obj && n_tag > 0) {
+    if ((tmp_obj && cJSON_GetArraySize(tmp_obj) > 0) && n_tag > 0) {
         char *tag_str = cJSON_Print(tmp_obj);
         int ret = table_manager_accept_tags_match(schema->ref_tbl_mgr, tag_str);
diff --git a/src/maat_plugin.c b/src/maat_plugin.c
index b42454d..2c1e85a 100644
--- a/src/maat_plugin.c
+++ b/src/maat_plugin.c
@@ -383,7 +383,7 @@ static int plugin_accept_tag_match(struct plugin_schema *schema,
     tmp_obj = cJSON_GetObjectItem(json, "effective_range");
-    if (tmp_obj != NULL && n_tag > 0) {
+    if ((tmp_obj != NULL && cJSON_GetArraySize(tmp_obj) > 0) && n_tag > 0) {
         char *tag_str = cJSON_Print(tmp_obj);
         ret = table_manager_accept_tags_match(schema->ref_tbl_mgr, tag_str);
         FREE(tag_str);
diff --git a/src/maat_rule.c b/src/maat_rule.c
index 954e1ff..92d6597 100644
--- a/src/maat_rule.c
+++ b/src/maat_rule.c
@@ -92,9 +92,9 @@ struct rule_runtime {
 };
 
 struct condition_literal {
-    long long object_ids[MAX_OBJECT_CNT];
+    uuid_t object_uuids[MAX_OBJECT_CNT];
     int object_cnt;
-    int attribute_id;
+    char attribute_name[MAX_ATTR_NAME_LEN];
 };
 
 struct rule_condition {
@@ -350,7 +350,7 @@ static int rule_accept_tag_match(struct rule_schema *schema, const char *line,
     tmp_obj = cJSON_GetObjectItem(table_json, "effective_range");
-    if (tmp_obj && n_tag > 0) {
+    if ((tmp_obj && cJSON_GetArraySize(tmp_obj) > 0) && n_tag > 0) {
         char *tag_str = cJSON_Print(tmp_obj);
         int ret = table_manager_accept_tags_match(schema->ref_tbl_mgr, tag_str);
         FREE(tag_str);
@@ -1023,7 +1023,7 @@ static int maat_rule_has_condition_query_key(struct maat_rule *rule, static size_t maat_rule_get_hit_condition_index(struct maat_rule *rule, - const char *attribute_name, uuid_t hit_object_uuid, + const char *attribute_name, uuid_t *hit_object_uuid, int *condition_idx_array, size_t array_size) { size_t hit_condition_cnt = 0; @@ -1040,12 +1040,11 @@ maat_rule_get_hit_condition_index(struct maat_rule *rule, continue; } - uuid_t *tmp_object_uuid = bsearch(&hit_object_uuid, tmp_condition->object_uuids, + uuid_t *tmp_object_uuid = bsearch(hit_object_uuid, tmp_condition->object_uuids, tmp_condition->object_cnt, sizeof(uuid_t), compare_object_uuid); if (tmp_object_uuid != NULL) { condition_idx_array[hit_condition_cnt++] = i; - break; } } @@ -1086,7 +1085,7 @@ static void populate_hit_path_with_rule(struct maat_hit_path *hit_path_array, // find out which condition in rule hit n_condition_index = maat_rule_get_hit_condition_index(rule, attribute_name, - hit_path_array[idx].top_object_uuid, + &hit_path_array[idx].top_object_uuid, condition_index_array, MAX_ITEMS_PER_BOOL_EXPR); hit_path_array[idx].condition_index = condition_index_array[0]; @@ -1106,7 +1105,7 @@ static void populate_hit_path_with_rule(struct maat_hit_path *hit_path_array, hit_path_array[n_hit_path + new_hit_path_cnt] = tmp_path; new_hit_path_cnt++; n_condition_index = - maat_rule_get_hit_condition_index(rule, attribute_name, tmp_path.top_object_uuid, + maat_rule_get_hit_condition_index(rule, attribute_name, &tmp_path.top_object_uuid, condition_index_array, MAX_ITEMS_PER_BOOL_EXPR); hit_path_array[n_hit_path + new_hit_path_cnt - 1].condition_index = condition_index_array[0]; if (n_condition_index > 1) { diff --git a/src/maat_utils.c b/src/maat_utils.c index feaa351..6450863 100644 --- a/src/maat_utils.c +++ b/src/maat_utils.c 
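Review bot: With the `break` removed, `maat_rule_get_hit_condition_index` now stores an index for every condition that matches the object, but `array_size` is not consulted anywhere in the visible part of the loop, so a rule with more conditions matching the same object than `MAX_ITEMS_PER_BOOL_EXPR` overruns the caller's `condition_index_array` in `populate_hit_path_with_rule` (unless a check exists outside the hunk). Add `if (hit_condition_cnt >= array_size) { break; }` before `condition_idx_array[hit_condition_cnt++] = i;` and state the new contract in a comment above the function: it returns the number of matching conditions, capped at `array_size`, with the first `array_size` of them written to `condition_idx_array`. The `for` header and the function's return are outside the hunk.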
@@ -615,4 +615,11 @@ int ids_str2longlong_array(const char *ids_str, UT_array *ids_array)
     }
 
     return 0;
+}
+
+void print_uuid_str(uuid_t uuid)
+{
+    char uuid_str[37] = {0};
+    uuid_unparse(uuid, uuid_str);
+    printf("%s\n", uuid_str);
 }
\ No newline at end of file
diff --git a/test/maat_framework_gtest.cpp b/test/maat_framework_gtest.cpp
index 2f9a97c..d97999c 100644
--- a/test/maat_framework_gtest.cpp
+++ b/test/maat_framework_gtest.cpp
@@ -5988,7 +5988,6 @@ TEST_F(Policy, SubObject) {
     maat_state_free(state);
 }
 
-#if 0 //TODO: fix the test case
 TEST_F(Policy, EvaluationOrder) {
     const char *url = "cavemancircus.com/2019/12/27/pretty-girls-6/";
     uuid_t results[ARRAY_SIZE];
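Review bot: `print_uuid_str` hard-codes the buffer as `char uuid_str[37]` while the rest of this commit sizes the same buffer with `UUID_STR_LEN`; if that macro is visible in maat_utils.c, `char uuid_str[UUID_STR_LEN] = {0};` keeps the two from drifting. The helper prints straight to stdout with `printf`, which is unusual for a utility in a library source file; if it is a debugging aid, a one-line comment saying so (or routing it through whatever logging the file already uses) would keep identifiers from leaking into production output. The file is also still left without a trailing newline, as the `\ No newline at end of file` marker shows.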
@@ -6003,69 +6002,96 @@ TEST_F(Policy, EvaluationOrder) { results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 3); - EXPECT_EQ(results[0], 166); - EXPECT_EQ(results[1], 168); - EXPECT_EQ(results[2], 167); + char uuid_str[UUID_STR_LEN] = {0}; + uuid_unparse(results[0], uuid_str); + EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000166"); + + uuid_unparse(results[1], uuid_str); + EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000168"); + + uuid_unparse(results[2], uuid_str); + EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000167"); struct maat_hit_path hit_path[128]; memset(hit_path, 0, sizeof(hit_path)); size_t n_hit_path = maat_state_get_hit_paths(state, hit_path, 128); EXPECT_EQ(n_hit_path, 6); - EXPECT_EQ(hit_path[0].attribute_id, table_id); - EXPECT_EQ(hit_path[0].sub_object_id, 158); - EXPECT_EQ(hit_path[0].top_object_id, 158); - EXPECT_EQ(hit_path[0].condition_index, 2); - EXPECT_EQ(hit_path[0].rule_id, 168); + EXPECT_STREQ(hit_path[0].attribute_name, attribute_name); + uuid_unparse(hit_path[0].sub_object_uuid, uuid_str); + EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000157"); + uuid_unparse(hit_path[0].top_object_uuid, uuid_str); + EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000157"); + EXPECT_EQ(hit_path[0].condition_index, 0); + uuid_unparse(hit_path[0].rule_uuid, uuid_str); + EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000166"); - EXPECT_EQ(hit_path[1].attribute_id, table_id); - EXPECT_EQ(hit_path[1].sub_object_id, 157); - EXPECT_EQ(hit_path[1].top_object_id, 157); - EXPECT_EQ(hit_path[1].condition_index, 0); - EXPECT_EQ(hit_path[1].rule_id, 166); + EXPECT_STREQ(hit_path[1].attribute_name, attribute_name); + uuid_unparse(hit_path[1].sub_object_uuid, uuid_str); + EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000155"); + EXPECT_EQ(uuid_is_null(hit_path[1].top_object_uuid), 1); + EXPECT_EQ(hit_path[1].condition_index, -1); + 
EXPECT_EQ(uuid_is_null(hit_path[1].rule_uuid), 1); - EXPECT_EQ(hit_path[2].attribute_id, table_id); - EXPECT_EQ(hit_path[2].sub_object_id, 155); - EXPECT_EQ(hit_path[2].top_object_id, -1); - EXPECT_EQ(hit_path[2].condition_index, -1); - EXPECT_EQ(hit_path[2].rule_id, -1); - EXPECT_EQ(hit_path[3].attribute_id, table_id); - EXPECT_EQ(hit_path[3].sub_object_id, 158); - EXPECT_EQ(hit_path[3].top_object_id, 158); - EXPECT_EQ(hit_path[3].condition_index, 6); - EXPECT_EQ(hit_path[3].rule_id, 168); + EXPECT_STREQ(hit_path[2].attribute_name, attribute_name); + uuid_unparse(hit_path[2].sub_object_uuid, uuid_str); + EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000158"); + uuid_unparse(hit_path[2].top_object_uuid, uuid_str); + EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000158"); + EXPECT_EQ(hit_path[2].condition_index, 0); + uuid_unparse(hit_path[2].rule_uuid, uuid_str); + EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000168"); + - EXPECT_EQ(hit_path[4].attribute_id, table_id); - EXPECT_EQ(hit_path[4].sub_object_id, 158); - EXPECT_EQ(hit_path[4].top_object_id, 158); - EXPECT_EQ(hit_path[4].condition_index, 1); - EXPECT_EQ(hit_path[4].rule_id, 167); + EXPECT_STREQ(hit_path[3].attribute_name, attribute_name); + uuid_unparse(hit_path[3].sub_object_uuid, uuid_str); + EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000158"); + uuid_unparse(hit_path[3].top_object_uuid, uuid_str); + EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000158"); + EXPECT_EQ(hit_path[3].condition_index, 1); + uuid_unparse(hit_path[3].rule_uuid, uuid_str); + EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000168"); - EXPECT_EQ(hit_path[5].attribute_id, table_id); - EXPECT_EQ(hit_path[5].sub_object_id, 158); - EXPECT_EQ(hit_path[5].top_object_id, 158); - EXPECT_EQ(hit_path[5].condition_index, 3); - EXPECT_EQ(hit_path[5].rule_id, 167); - ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, + EXPECT_STREQ(hit_path[4].attribute_name, attribute_name); + 
uuid_unparse(hit_path[4].sub_object_uuid, uuid_str); + EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000158"); + uuid_unparse(hit_path[4].top_object_uuid, uuid_str); + EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000158"); + EXPECT_EQ(hit_path[4].condition_index, 0); + uuid_unparse(hit_path[4].rule_uuid, uuid_str); + EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000167"); + + + EXPECT_STREQ(hit_path[5].attribute_name, attribute_name); + uuid_unparse(hit_path[5].sub_object_uuid, uuid_str); + EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000158"); + uuid_unparse(hit_path[5].top_object_uuid, uuid_str); + EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000158"); + EXPECT_EQ(hit_path[5].condition_index, 1); + uuid_unparse(hit_path[5].rule_uuid, uuid_str); + EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000167"); + + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); uint32_t ip_addr; inet_pton(AF_INET, "192.168.23.23", &ip_addr); - table_id = maat_get_table_id(maat_inst, "IP_PLUS_CONFIG"); - ASSERT_GT(table_id, 0); + const char *ip_plus_table_name = "IP_PLUS_CONFIG"; + const char *ip_plus_attribute_name = "IP_PLUS_CONFIG"; memset(results, 0, sizeof(results)); - ret = maat_scan_ipv4(maat_inst, table_id, ip_addr, results, ARRAY_SIZE, + ret = maat_scan_ipv4(maat_inst, ip_plus_table_name, ip_plus_attribute_name, ip_addr, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); - EXPECT_EQ(results[0], 165); + uuid_unparse(results[0], uuid_str); + EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000165"); - ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, + ret = maat_scan_not_logic(maat_inst, ip_plus_table_name, ip_plus_attribute_name, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); 
@@ -6074,7 +6100,9 @@ TEST_F(Policy, EvaluationOrder) { TEST_F(Policy, NotConditionHitPath) { const char *url_table_name = "HTTP_URL"; - const char *ip_table_name = "ATTRIBUTE_IP_CONFIG"; + const char *url_attribute_name = "HTTP_URL"; + const char *ip_table_name = "IP_CONFIG"; + const char *ip_attribute_name = "ATTRIBUTE_IP_CONFIG"; const char *url = "www.youtube.com"; uuid_t results[ARRAY_SIZE]; size_t n_hit_result = 0; @@ -6082,28 +6110,24 @@ TEST_F(Policy, NotConditionHitPath) { struct maat *maat_inst = Policy::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); - int url_table_id = maat_get_table_id(maat_inst, url_table_name); - ASSERT_GT(url_table_id, 0); - - int ret = maat_scan_string(maat_inst, url_table_id, url, strlen(url), + int ret = maat_scan_string(maat_inst, url_table_name, url_attribute_name, url, strlen(url), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); - int ip_table_id = maat_get_table_id(maat_inst, ip_table_name); - ASSERT_GT(ip_table_id, 0); - uint32_t ip_addr; inet_pton(AF_INET, "192.168.101.101", &ip_addr); - ret = maat_scan_ipv4(maat_inst, ip_table_id, ip_addr, results, + ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_not_logic(maat_inst, ip_table_id, results, ARRAY_SIZE, + ret = maat_scan_not_logic(maat_inst, ip_table_name, ip_attribute_name, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); - EXPECT_EQ(results[0], 228); + char uuid_str[UUID_STR_LEN] = {0}; + uuid_unparse(results[0], uuid_str); + EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000228"); struct maat_hit_path hit_path[128]; memset(hit_path, 0, sizeof(hit_path)); 
@@ -6111,40 +6135,50 @@ TEST_F(Policy, NotConditionHitPath) { EXPECT_EQ(n_hit_path, 4); EXPECT_EQ(hit_path[0].Nth_scan, 1); - EXPECT_EQ(hit_path[0].attribute_id, url_table_id); + EXPECT_STREQ(hit_path[0].attribute_name, url_attribute_name); EXPECT_EQ(hit_path[0].negate_option, 0); - EXPECT_EQ(hit_path[0].condition_index, 1); - EXPECT_EQ(hit_path[0].sub_object_id, 249); - EXPECT_EQ(hit_path[0].top_object_id, 249); - EXPECT_EQ(hit_path[0].rule_id, 228); + EXPECT_EQ(hit_path[0].condition_index, 0); + uuid_unparse(hit_path[0].sub_object_uuid, uuid_str); + EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000249"); + uuid_unparse(hit_path[0].top_object_uuid, uuid_str); + EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000249"); + uuid_unparse(hit_path[0].rule_uuid, uuid_str); + EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000228"); + EXPECT_EQ(hit_path[1].Nth_scan, 2); - EXPECT_EQ(hit_path[1].attribute_id, ip_table_id); + EXPECT_STREQ(hit_path[1].attribute_name, ip_attribute_name); EXPECT_EQ(hit_path[1].negate_option, 1); EXPECT_EQ(hit_path[1].condition_index, -1); - EXPECT_EQ(hit_path[1].sub_object_id, 100); - EXPECT_EQ(hit_path[1].top_object_id, 144); - EXPECT_EQ(hit_path[1].rule_id, -1); + uuid_unparse(hit_path[1].sub_object_uuid, uuid_str); + EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000100"); + uuid_unparse(hit_path[1].top_object_uuid, uuid_str); + EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000502"); + EXPECT_EQ(uuid_is_null(hit_path[1].rule_uuid), 1); EXPECT_EQ(hit_path[2].Nth_scan, 2); - EXPECT_EQ(hit_path[2].attribute_id, ip_table_id); + EXPECT_STREQ(hit_path[2].attribute_name, ip_attribute_name); EXPECT_EQ(hit_path[2].negate_option, 1); EXPECT_EQ(hit_path[2].condition_index, -1); - EXPECT_EQ(hit_path[2].sub_object_id, 100); - EXPECT_EQ(hit_path[2].top_object_id, -1); - EXPECT_EQ(hit_path[2].rule_id, -1); + uuid_unparse(hit_path[2].sub_object_uuid, uuid_str); + EXPECT_STREQ(uuid_str, 
"00000000-0000-0000-0000-000000000100"); + EXPECT_EQ(uuid_is_null(hit_path[2].top_object_uuid), 1); + EXPECT_EQ(uuid_is_null(hit_path[2].rule_uuid), 1); + EXPECT_EQ(hit_path[3].Nth_scan, 2); - EXPECT_EQ(hit_path[3].attribute_id, ip_table_id); + EXPECT_STREQ(hit_path[3].attribute_name, ip_attribute_name); EXPECT_EQ(hit_path[3].negate_option, 1); - EXPECT_EQ(hit_path[3].condition_index, 2); - EXPECT_EQ(hit_path[3].sub_object_id, 250); - EXPECT_EQ(hit_path[3].top_object_id, 250); - EXPECT_EQ(hit_path[3].rule_id, 228); + EXPECT_EQ(hit_path[3].condition_index, 1); + uuid_unparse(hit_path[3].sub_object_uuid, uuid_str); + EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000250"); + uuid_unparse(hit_path[3].top_object_uuid, uuid_str); + EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000250"); + uuid_unparse(hit_path[3].rule_uuid, uuid_str); + EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000228"); maat_state_free(state); } -#endif class TableInfo : public testing::Test { diff --git a/test/maat_json.json b/test/maat_json.json index ac14ab1..2231a79 100644 --- a/test/maat_json.json +++ b/test/maat_json.json @@ -906,9 +906,8 @@ "conditions": [ { "attribute_name": "KEYWORDS_TABLE", - "object_uuids":[ - "00000000-0000-0000-0000-000000000111" - ] + "object_name": "TakeMeHome", + "object_uuid": "00000000-0000-0000-0000-000000000111" } ] }, @@ -978,6 +977,7 @@ "action": 1, "do_blacklist": 1, "do_log": 1, + "effective_range":{}, "action_parameter": "offset_string", "is_valid": "yes", "conditions": [ @@ -1008,6 +1008,7 @@ "action": 1, "do_blacklist": 1, "do_log": 1, + "effective_range":{}, "action_parameter": "offset_string", "is_valid": "yes", "conditions": [