fix test case using rule from json file

root
2024-10-10 06:28:40 +00:00
parent 35667246d3
commit e180ce18e0
15 changed files with 776 additions and 739 deletions


@@ -260,17 +260,13 @@ bool_plugin_accept_tag_match(struct bool_plugin_schema *schema,
size_t n_tag = table_manager_accept_tags_count(schema->ref_tbl_mgr);
cJSON *tmp_obj = NULL;
tmp_obj = cJSON_GetObjectItem(json, "tag");
tmp_obj = cJSON_GetObjectItem(json, "effective_range");
if (tmp_obj && n_tag > 0) {
if (tmp_obj->type != cJSON_String) {
log_fatal(logger, MODULE_BOOL_PLUGIN,
"[%s:%d] bool_plugin table:<%s> has invalid tag format"
" in line:%s", __FUNCTION__, __LINE__, table_name,
cJSON_Print(json));
return TAG_MATCH_ERR;
}
char *tag_str = cJSON_Print(tmp_obj);
int ret = table_manager_accept_tags_match(schema->ref_tbl_mgr, tmp_obj->valuestring);
int ret = table_manager_accept_tags_match(schema->ref_tbl_mgr, tag_str);
FREE(tag_str);
if (TAG_MATCH_ERR == ret) {
log_fatal(logger, MODULE_BOOL_PLUGIN,
"[%s:%d] bool_plugin table:<%s> has invalid tag"
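Review bot: The result of `cJSON_Print(tmp_obj)` is handed to `table_manager_accept_tags_match` without a NULL check, and the `tmp_obj->type` test that used to precede the call is gone, so an "effective_range" of any JSON type is now serialised and matched. cJSON_Print returns NULL when allocation fails, so `if (tag_str == NULL) return TAG_MATCH_ERR;` belongs before the match call, and a type check for whatever shape "effective_range" is expected to have should be kept. The `cJSON_Print(json)` passed as a log_fatal argument is also never freed, so every rejected line leaks a serialised copy. The same pattern appears in fqdn_plugin_accept_tag_match, ip_plugin_accept_tag_match, plugin_accept_tag_match and rule_accept_tag_match in this commit. The function body continues outside the hunk.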


@@ -219,7 +219,7 @@ void convert_maat_json_rule(cJSON **json_root, unsigned char *json_buff)
cJSON *table_name = cJSON_GetObjectItem(tmp_item, "table_name");
cJSON *table_content = cJSON_GetObjectItem(tmp_item, "table_content");
cJSON *new_item = cJSON_CreateObject();
cJSON *new_table_content = cJSON_Duplicate(table_content, 0);
cJSON *new_table_content = cJSON_Duplicate(table_content, 1);
if (object_id_obj == NULL) {
char uuid_str[UUID_STR_LEN];
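Review bot: The return of `cJSON_Duplicate(table_content, 1)` is not checked in the visible lines, and with the recursive flag the copy now allocates in proportion to the size of `table_content` read from the rule file. `table_content` comes from `cJSON_GetObjectItem` and is NULL when the key is missing, in which case the duplicate is NULL as well. A guard such as `if (new_item == NULL || new_table_content == NULL)` followed by cleanup of whichever was allocated would keep a malformed entry from reaching the code below. The right exit path depends on the loop body outside this hunk, and the check may already exist there.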


@@ -41,10 +41,8 @@ struct expr_schema {
enum expr_type {
EXPR_TYPE_INVALID = -1,
EXPR_TYPE_STRING = 0,
EXPR_TYPE_AND,
EXPR_TYPE_AND = 0,
EXPR_TYPE_REGEX,
EXPR_TYPE_OFFSET,
EXPR_TYPE_MAX
};
@@ -93,30 +91,10 @@ struct expr_runtime_stream {
struct expr_matcher_stream *handle;
};
static enum expr_type int_to_expr_type(int expr_type) {
enum expr_type type = EXPR_TYPE_INVALID;
switch (expr_type) {
case 0:
case 1:
case 3:
type = EXPR_TYPE_AND;
break;
case 2:
type = EXPR_TYPE_REGEX;
break;
default:
break;
}
return type;
}
static struct expr_item *
expr_item_new(struct expr_schema *expr_schema, const char *table_name,
const cJSON *json, struct expr_runtime *expr_rt, uuid_t item_uuid)
{
int expr_type = -1;
struct expr_item *expr_item = ALLOC(struct expr_item, 1);
cJSON *tmp_obj = NULL;
size_t len = 0;
@@ -158,8 +136,14 @@ expr_item_new(struct expr_schema *expr_schema, const char *table_name,
goto error;
}
expr_type = atoi(tmp_obj->valuestring);
expr_item->expr_type = int_to_expr_type(expr_type);
if (strncmp(tmp_obj->valuestring, "and", 3) == 0) {
expr_item->expr_type = EXPR_TYPE_AND;
} else if (strncmp(tmp_obj->valuestring, "regex", 5) == 0) {
expr_item->expr_type = EXPR_TYPE_REGEX;
} else {
expr_item->expr_type = EXPR_TYPE_INVALID;
}
if (expr_item->expr_type == EXPR_TYPE_INVALID) {
log_fatal(expr_rt->logger, MODULE_EXPR,
"[%s:%d] expr table:<%s> has invalid expr_type in line:%s",
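Review bot: `strncmp(tmp_obj->valuestring, "and", 3)` and `strncmp(tmp_obj->valuestring, "regex", 5)` compare only a prefix, so values such as "android" or "regex2" (constructed examples) are accepted as a valid expr_type instead of falling through to EXPR_TYPE_INVALID. Rule input is better validated with an exact match: `if (strcmp(tmp_obj->valuestring, "and") == 0)` and `else if (strcmp(tmp_obj->valuestring, "regex") == 0)`. The check that tmp_obj is a string sits above the hunk and is not visible here, so this assumes valuestring is non-NULL at this point.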


@@ -211,34 +211,28 @@ fqdn_plugin_accept_tag_match(struct fqdn_plugin_schema *schema,
size_t n_tag = table_manager_accept_tags_count(schema->ref_tbl_mgr);
cJSON *tmp_obj = NULL;
tmp_obj = cJSON_GetObjectItem(json, "tag");
tmp_obj = cJSON_GetObjectItem(json, "effective_range");
if (tmp_obj != NULL && n_tag > 0) {
if (tmp_obj->type != cJSON_String) {
char *tag_str = cJSON_Print(tmp_obj);
int ret = table_manager_accept_tags_match(schema->ref_tbl_mgr, tag_str);
FREE(tag_str);
if (TAG_MATCH_ERR == ret) {
log_fatal(logger, MODULE_FQDN_PLUGIN,
"[%s:%d] fqdn_plugin table:<%s> has invalid tag format"
" in line:%s", __FUNCTION__, __LINE__, table_name,
cJSON_Print(json));
"[%s:%d] fqdn_plugin table:<%s> has invalid tag"
" format in line:%s", __FUNCTION__, __LINE__,
table_name, cJSON_Print(json));
return TAG_MATCH_ERR;
}
const char *tag = tmp_obj->valuestring;
if (strlen(tag) > 2) {
int ret = table_manager_accept_tags_match(schema->ref_tbl_mgr, tag);
if (TAG_MATCH_ERR == ret) {
log_fatal(logger, MODULE_FQDN_PLUGIN,
"[%s:%d] fqdn_plugin table:<%s> has invalid tag"
" format in line:%s", __FUNCTION__, __LINE__,
table_name, cJSON_Print(json));
return TAG_MATCH_ERR;
}
if (TAG_MATCH_UNMATCHED == ret) {
log_fatal(logger, MODULE_FQDN_PLUGIN,
"[%s:%d] fqdn_plugin table:<%s> has unmatched tag"
" in line:%s", __FUNCTION__, __LINE__, table_name,
cJSON_Print(json));
return TAG_MATCH_UNMATCHED;
}
if (TAG_MATCH_UNMATCHED == ret) {
log_fatal(logger, MODULE_FQDN_PLUGIN,
"[%s:%d] fqdn_plugin table:<%s> has unmatched tag"
" in line:%s", __FUNCTION__, __LINE__, table_name,
cJSON_Print(json));
return TAG_MATCH_UNMATCHED;
}
}


@@ -110,16 +110,13 @@ ip_plugin_accept_tag_match(struct ip_plugin_schema *schema,
cJSON *tmp_obj = NULL;
size_t n_tag = table_manager_accept_tags_count(schema->ref_tbl_mgr);
tmp_obj = cJSON_GetObjectItem(json, "tag");
tmp_obj = cJSON_GetObjectItem(json, "effective_range");
if (tmp_obj && n_tag > 0) {
if (tmp_obj->type != cJSON_String) {
log_fatal(logger, MODULE_IP_PLUGIN,
"[%s:%d] ip_plugin table:<%s> has invalid tag format"
" in line:%s", __FUNCTION__, __LINE__, table_name, cJSON_Print(json));
return TAG_MATCH_ERR;
}
char *tag_str = cJSON_Print(tmp_obj);
int ret = table_manager_accept_tags_match(schema->ref_tbl_mgr, tmp_obj->valuestring);
int ret = table_manager_accept_tags_match(schema->ref_tbl_mgr, tag_str);
FREE(tag_str);
if (TAG_MATCH_ERR == ret) {
log_fatal(logger, MODULE_IP_PLUGIN,
"[%s:%d] ip_plugin table:<%s> has invalid tag format"


@@ -602,7 +602,17 @@ int ipport_plugin_runtime_get_ex_data(void *ipport_plugin_runtime,
}
struct ipport_result results[n_ex_data];
int n_hit_item = ipport_matcher_match(ipport_plugin_rt->matcher, ip_addr,
struct ip_addr ip_data;
if (ip_addr->ip_type == IPV4) {
ip_data.ip_type = IPV4;
ip_data.ipv4 = ntohl(ip_addr->ipv4);
} else {
ip_data.ip_type = IPV6;
memcpy(ip_data.ipv6, ip_addr->ipv6, sizeof(ip_data.ipv6));
ipv6_ntoh(ip_data.ipv6);
}
int n_hit_item = ipport_matcher_match(ipport_plugin_rt->matcher, &ip_data,
port, results, n_ex_data);
if (n_hit_item <= 0) {
return n_hit_item;
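Review bot: The `else` branch of the new conversion treats every `ip_addr->ip_type` other than IPV4 as IPv6 and copies 16 bytes from `ip_addr->ipv6`, so an unset or invalid type is matched as an address instead of being rejected. Making the branch explicit, `} else if (ip_addr->ip_type == IPV6) {` with a final `} else { return -1; }`, closes that. The error value should follow whatever this function returns for bad arguments above the hunk. `ip_data` is also only partly written on the IPv4 path; `struct ip_addr ip_data = {0};` avoids passing indeterminate bytes to `ipport_matcher_match` if the struct is not a union, which cannot be seen here. The context line `struct ipport_result results[n_ex_data];` is a VLA sized by a caller-supplied count, so an upper bound on `n_ex_data` is worth confirming in the part of the function outside the hunk.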


@@ -290,67 +290,71 @@ object2object_item_new(const char *line, struct object2object_schema *o2o_schema
tmp_obj = cJSON_GetObjectItem(json, "object_uuid");
if (tmp_obj == NULL || tmp_obj->type != cJSON_String) {
log_fatal(logger, MODULE_OBJECT,
"[%s:%d] o2o table:<%s> has no object_id or format is not string in line:%s",
"[%s:%d] o2o table:<%s> has no object_uuid or format is not string in line:%s",
__FUNCTION__, __LINE__, table_name, line);
goto error;
}
uuid_parse(tmp_obj->valuestring, o2o_item->object_uuid);
tmp_obj = cJSON_GetObjectItem(json, "included_sub_object_uuids");
if (tmp_obj == NULL || tmp_obj->type != cJSON_Array) {
log_fatal(logger, MODULE_OBJECT,
"[%s:%d] o2o table:<%s> has no included_sub_object_ids or format is not array in line:%s",
__FUNCTION__, __LINE__, table_name, line);
goto error;
}
for (int i = 0; i < cJSON_GetArraySize(tmp_obj); i++) {
cJSON *item = cJSON_GetArrayItem(tmp_obj, i);
if (item == NULL || item->type != cJSON_String) {
if (tmp_obj) {
if (tmp_obj->type != cJSON_Array) {
log_fatal(logger, MODULE_OBJECT,
"[%s:%d] o2o table:<%s> included_sub_object_ids format error in line:%s",
__FUNCTION__, __LINE__, table_name, line);
"[%s:%d] o2o table:<%s> included_sub_object_ids format is not array in line:%s",
__FUNCTION__, __LINE__, table_name, line);
goto error;
}
uuid_t object_uuid;
uuid_parse(item->valuestring, object_uuid);
utarray_push_back(o2o_item->incl_sub_object_uuids, &object_uuid);
}
if (utarray_len(o2o_item->incl_sub_object_uuids) > MAX_OBJECT_CNT) {
log_fatal(logger, MODULE_OBJECT,
"[%s:%d] o2r table:<%s> included_sub_object_ids exceed maximum:%d in line:%s",
__FUNCTION__, __LINE__, table_name, MAX_OBJECT_CNT, line);
goto error;
for (int i = 0; i < cJSON_GetArraySize(tmp_obj); i++) {
cJSON *item = cJSON_GetArrayItem(tmp_obj, i);
if (item == NULL || item->type != cJSON_String) {
log_fatal(logger, MODULE_OBJECT,
"[%s:%d] o2o table:<%s> included_sub_object_ids format error in line:%s",
__FUNCTION__, __LINE__, table_name, line);
goto error;
}
uuid_t object_uuid;
uuid_parse(item->valuestring, object_uuid);
utarray_push_back(o2o_item->incl_sub_object_uuids, &object_uuid);
}
if (utarray_len(o2o_item->incl_sub_object_uuids) > MAX_OBJECT_CNT) {
log_fatal(logger, MODULE_OBJECT,
"[%s:%d] o2r table:<%s> included_sub_object_ids exceed maximum:%d in line:%s",
__FUNCTION__, __LINE__, table_name, MAX_OBJECT_CNT, line);
goto error;
}
}
tmp_obj = cJSON_GetObjectItem(json, "excluded_sub_object_uuids");
if (tmp_obj == NULL || tmp_obj->type != cJSON_Array) {
log_fatal(logger, MODULE_OBJECT,
"[%s:%d] o2o table:<%s> has no excluded_sub_object_ids or format is not array in line:%s",
__FUNCTION__, __LINE__, table_name, line);
goto error;
}
for (int i = 0; i < cJSON_GetArraySize(tmp_obj); i++) {
cJSON *item = cJSON_GetArrayItem(tmp_obj, i);
if (item == NULL || item->type != cJSON_String) {
if (tmp_obj) {
if (tmp_obj->type != cJSON_Array) {
log_fatal(logger, MODULE_OBJECT,
"[%s:%d] o2o table:<%s> excluded_sub_object_ids format error in line:%s",
__FUNCTION__, __LINE__, table_name, line);
"[%s:%d] o2o table:<%s> excluded_sub_object_ids format is not array in line:%s",
__FUNCTION__, __LINE__, table_name, line);
goto error;
}
uuid_t object_uuid;
uuid_parse(item->valuestring, object_uuid);
utarray_push_back(o2o_item->excl_sub_object_uuids, &object_uuid);
}
if (utarray_len(o2o_item->excl_sub_object_uuids) > MAX_OBJECT_CNT) {
log_fatal(logger, MODULE_OBJECT,
"[%s:%d] o2r table:<%s> excluded_sub_object_ids exceed maximum:%d in line:%s",
__FUNCTION__, __LINE__, table_name, MAX_OBJECT_CNT, line);
goto error;
}
for (int i = 0; i < cJSON_GetArraySize(tmp_obj); i++) {
cJSON *item = cJSON_GetArrayItem(tmp_obj, i);
if (item == NULL || item->type != cJSON_String) {
log_fatal(logger, MODULE_OBJECT,
"[%s:%d] o2o table:<%s> excluded_sub_object_ids format error in line:%s",
__FUNCTION__, __LINE__, table_name, line);
goto error;
}
uuid_t object_uuid;
uuid_parse(item->valuestring, object_uuid);
utarray_push_back(o2o_item->excl_sub_object_uuids, &object_uuid);
}
if (utarray_len(o2o_item->excl_sub_object_uuids) > MAX_OBJECT_CNT) {
log_fatal(logger, MODULE_OBJECT,
"[%s:%d] o2r table:<%s> excluded_sub_object_ids exceed maximum:%d in line:%s",
__FUNCTION__, __LINE__, table_name, MAX_OBJECT_CNT, line);
goto error;
}
}
cJSON_Delete(json);
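Review bot: The return value of `uuid_parse` is ignored at all three call sites, so a string that is not a well-formed UUID leaves the destination unwritten. Inside both loops that destination is the uninitialised stack variable `object_uuid`, which is then pushed into the array. Checking the call, `if (uuid_parse(item->valuestring, object_uuid) != 0) goto error;` preceded by a log_fatal like the neighbouring branches, rejects the line instead of storing indeterminate bytes as an object id. The MAX_OBJECT_CNT test also runs only after the whole JSON array has been pushed; moving it inside the loop bounds the growth for an oversized list. With both keys now optional, a line carrying neither list is accepted, which deserves a comment if that is intended.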


@@ -376,42 +376,29 @@ static int plugin_accept_tag_match(struct plugin_schema *schema,
const char *table_name, const char *line,
struct log_handle *logger)
{
size_t tag_len = 0;
size_t n_tag = table_manager_accept_tags_count(schema->ref_tbl_mgr);
cJSON *tmp_obj = NULL;
int ret = 0;
cJSON *json = cJSON_Parse(line);
tmp_obj = cJSON_GetObjectItem(json, "tag");
tmp_obj = cJSON_GetObjectItem(json, "effective_range");
if (tmp_obj != NULL && n_tag > 0) {
if (tmp_obj->type != cJSON_String) {
char *tag_str = cJSON_Print(tmp_obj);
ret = table_manager_accept_tags_match(schema->ref_tbl_mgr, tag_str);
FREE(tag_str);
if (TAG_MATCH_ERR == ret) {
log_fatal(logger, MODULE_PLUGIN,
"[%s:%d] table: <%s> has invalid tag format in json, line %s",
__FUNCTION__, __LINE__, table_name, cJSON_Print(json));
"[%s:%d] table: <%s> has invalid tag format in table_line:%s",
__FUNCTION__, __LINE__, table_name, cJSON_Print(json));
return TAG_MATCH_ERR;
}
tag_len = strlen(tmp_obj->valuestring);
if (tag_len > 2) {
char *tag_str = ALLOC(char, tag_len + 1);
memcpy(tag_str, tmp_obj->valuestring, tag_len);
ret = table_manager_accept_tags_match(schema->ref_tbl_mgr, tag_str);
FREE(tag_str);
if (TAG_MATCH_ERR == ret) {
log_fatal(logger, MODULE_PLUGIN,
"[%s:%d] table: <%s> has invalid tag format in table_line:%s",
__FUNCTION__, __LINE__, table_name, cJSON_Print(json));
return TAG_MATCH_ERR;
}
if (TAG_MATCH_UNMATCHED == ret) {
log_fatal(logger, MODULE_PLUGIN,
"[%s:%d] table: <%s> has unmatched tag in table_line:%s",
__FUNCTION__, __LINE__, table_name, cJSON_Print(json));
return TAG_MATCH_UNMATCHED;
}
if (TAG_MATCH_UNMATCHED == ret) {
log_fatal(logger, MODULE_PLUGIN,
"[%s:%d] table: <%s> has unmatched tag in table_line:%s",
__FUNCTION__, __LINE__, table_name, cJSON_Print(json));
return TAG_MATCH_UNMATCHED;
}
}
@@ -440,9 +427,9 @@ static int plugin_table_line_get_ip_key(struct plugin_schema *schema,
int ret = 0;
tmp_obj = cJSON_GetObjectItem(json, "addr_type");
if (tmp_obj == NULL || tmp_obj->type != cJSON_String) {
if (tmp_obj == NULL || tmp_obj->type != cJSON_Number) {
log_fatal(logger, MODULE_PLUGIN,
"[%s:%d] plugin table:<%s> has no addr_type or not string format in table_line:%s",
"[%s:%d] plugin table:<%s> has no addr_type or not number format in table_line:%s",
__FUNCTION__, __LINE__, table_name, cJSON_Print(json));
goto ERROR;
}
@@ -451,7 +438,7 @@ static int plugin_table_line_get_ip_key(struct plugin_schema *schema,
// snprintf() write at most (key_len+1) bytes (including the terminating null{'\0}) to ip_key.
snprintf(ip_key, src_key_len + 1, "%s", src_key);
int addr_type = atoi(tmp_obj->valuestring);
int addr_type = tmp_obj->valueint;
if (IPV4 == addr_type) {
uint32_t ipv4_addr;
ret = inet_pton(AF_INET, ip_key, &ipv4_addr);
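Review bot: Both early returns in plugin_accept_tag_match leave without releasing `json` obtained from `cJSON_Parse(line)`, so each rejected line leaks the parse tree in addition to the unfreed `cJSON_Print(json)` string in the log call. Add `cJSON_Delete(json);` before `return TAG_MATCH_ERR;` and before `return TAG_MATCH_UNMATCHED;`, and keep the printed line in a local that is freed after logging. The end of the function is outside the hunk, so cleanup on the normal path cannot be confirmed from here. In the addr_type hunk, `tmp_obj->valueint` now accepts any number; the visible code only shows the IPV4 comparison, so the handling of other values should be checked in the lines that follow.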


@@ -348,11 +348,12 @@ static int rule_accept_tag_match(struct rule_schema *schema, const char *line,
cJSON *tmp_obj = NULL;
cJSON *table_json = cJSON_Parse(line);
tmp_obj = cJSON_GetObjectItem(table_json, "tag");
tmp_obj = cJSON_GetObjectItem(table_json, "effective_range");
if (tmp_obj && n_tag > 0) {
char *tag_str = tmp_obj->valuestring;
char *tag_str = cJSON_Print(tmp_obj);
int ret = table_manager_accept_tags_match(schema->ref_tbl_mgr, tag_str);
FREE(tag_str);
if (TAG_MATCH_ERR == ret) {
log_fatal(logger, MODULE_RULE,
"[%s:%d] table: <%s> has invalid tag format in line:%s",
@@ -1627,7 +1628,7 @@ static int rule_sort_para_compare(const struct rule_sort_para *a,
if (a->condition_num != b->condition_num) {
return (a->condition_num - b->condition_num);
} else {
return uuid_compare(a->rule_uuid, b->rule_uuid);
return uuid_compare(b->rule_uuid, a->rule_uuid);
}
}
@@ -1779,8 +1780,11 @@ void rule_compile_state_not_logic_update(struct rule_compile_state *rule_compile
struct condition_id_kv *condition_id_kv = NULL;
for (size_t i = 0; i < utarray_len(tbl_object->object_uuids); i++) {
uuid_t *object_uuid = utarray_eltptr(tbl_object->object_uuids, i);
struct condition_query_key key;
uuid_t *object_uuid = utarray_eltptr(tbl_object->object_uuids, i);
memset(&key, 0, sizeof(key));
snprintf(key.attribute_name, sizeof(key.attribute_name), "%s", attribute_name);
key.negate_option = 1;
uuid_copy(key.object_uuid, *object_uuid);