diff --git a/include/maat.h b/include/maat.h index b0db46d..43b1296 100644 --- a/include/maat.h +++ b/include/maat.h @@ -296,7 +296,7 @@ struct maat_state *maat_state_new(struct maat *instance, int thread_id); * @param ex_data_array: rule ex_data array * @param n_result: the size of rule_array and ex_data_array */ -size_t maat_state_compile(struct maat_state *state, const char *table_name, uuid_t rule_array[], void *ex_data_array[], size_t n_result); +size_t maat_state_compile(struct maat_state *state, const char *table_name, uuid_t rule_array[], size_t n_result); void maat_state_reset(struct maat_state *state); diff --git a/scanner/expr_matcher/adapter_hs/adapter_hs.cpp b/scanner/expr_matcher/adapter_hs/adapter_hs.cpp index bfd88a2..b3420d5 100644 --- a/scanner/expr_matcher/adapter_hs/adapter_hs.cpp +++ b/scanner/expr_matcher/adapter_hs/adapter_hs.cpp @@ -341,7 +341,6 @@ static int matched_event_cb(unsigned int id, unsigned long long from, return 0; } -UT_icd ut_hs_pattern_id_icd = {sizeof(unsigned long long), NULL, NULL, NULL}; void *hs_lit_stream_open(void *hs_lit_engine, int thread_id) { if (NULL == hs_lit_engine || thread_id < 0) { diff --git a/scanner/expr_matcher/adapter_rs/adapter_rs.cpp b/scanner/expr_matcher/adapter_rs/adapter_rs.cpp index c85fb0a..4c642d6 100644 --- a/scanner/expr_matcher/adapter_rs/adapter_rs.cpp +++ b/scanner/expr_matcher/adapter_rs/adapter_rs.cpp @@ -313,7 +313,6 @@ void rs_lit_engine_free(void *rs_lit_engine) FREE(rs_lit_inst); } -UT_icd ut_rs_pattern_id_icd = {sizeof(unsigned long long), NULL, NULL, NULL}; void *rs_lit_engine_new(struct expr_rule *rules, size_t n_rule, struct pattern_attribute *pat_attr, void *rs_lit_db, size_t n_thread, diff --git a/scanner/expr_matcher/expr_matcher.cpp b/scanner/expr_matcher/expr_matcher.cpp index eba443a..0e6bb9e 100644 --- a/scanner/expr_matcher/expr_matcher.cpp +++ b/scanner/expr_matcher/expr_matcher.cpp @@ -65,7 +65,7 @@ struct db_operations { int (*build_db)(void **lit_db, void *compile_data, struct log_handle *logger); }; -UT_icd ut_pattern_id_icd = {sizeof(unsigned long long), NULL, NULL, NULL}; +static UT_icd ut_pattern_id_icd = {sizeof(unsigned long long), NULL, NULL, NULL}; struct db_operations db_ops[EXPR_ENGINE_TYPE_AUTO] = { { diff --git a/scanner/ipport_matcher/ipport_matcher.c b/scanner/ipport_matcher/ipport_matcher.c index a4ddb18..c3c45f4 100644 --- a/scanner/ipport_matcher/ipport_matcher.c +++ b/scanner/ipport_matcher/ipport_matcher.c @@ -35,7 +35,7 @@ struct ipport_matcher { struct ip_matcher *ip_matcher; }; -UT_icd ut_port_range_icd = {sizeof(struct port_range), NULL, NULL, NULL}; +static UT_icd ut_port_range_icd = {sizeof(struct port_range), NULL, NULL, NULL}; static inline int compare_port_range_for_sort(const void *a, const void *b) { struct port_range range_a = *(const struct port_range *)a; diff --git a/src/maat_api.c b/src/maat_api.c index 6aa0e85..b4b30d1 100644 --- a/src/maat_api.c +++ b/src/maat_api.c @@ -1170,7 +1170,7 @@ string_scan(struct table_manager *tbl_mgr, int thread_id, return object_hit_cnt; } -size_t maat_state_compile(struct maat_state *state, const char *table_name, uuid_t rule_array[], void *ex_data_array[], size_t n_result) +size_t maat_state_compile(struct maat_state *state, const char *table_name, uuid_t rule_array[], size_t n_result) { int table_id = maat_get_table_id(state->maat_inst, table_name); if (table_id < 0) { @@ -1183,16 +1183,10 @@ size_t maat_state_compile(struct maat_state *state, const char *table_name, uuid } int rule_num = rule_runtime_match((struct rule_runtime *)rule_rt, rule_array, n_result, state); - if (rule_num <= 0) { - return 0; + if (rule_num > 0) { + alignment_int64_array_add(state->maat_inst->stat->hit_rule_cnt, state->thread_id, rule_num); } - for (int i = 0; i < rule_num; i++) { - ex_data_array[i] = maat_plugin_table_get_ex_data(state->maat_inst, table_name, (char*)&rule_array[i], sizeof(uuid_t)); - } - - alignment_int64_array_add(state->maat_inst->stat->hit_rule_cnt, state->thread_id, rule_num); - return rule_num; } diff --git a/src/maat_ex_data.c b/src/maat_ex_data.c index d38cb74..56eb59d 100644 --- a/src/maat_ex_data.c +++ b/src/maat_ex_data.c @@ -54,7 +54,7 @@ void cache_row_copy(void *dst, const void *src) ex_data_row_dst->op = ex_data_row_src->op; } -UT_icd ut_cache_row_icd = {sizeof(struct ex_data_row), NULL, cache_row_copy, cache_row_free}; +static UT_icd ut_cache_row_icd = {sizeof(struct ex_data_row), NULL, cache_row_copy, cache_row_free}; struct ex_data_runtime * ex_data_runtime_new(int table_id, int gc_timeout_s, struct log_handle *logger) diff --git a/src/maat_object.c b/src/maat_object.c index f57558d..92aa5ad 100644 --- a/src/maat_object.c +++ b/src/maat_object.c @@ -69,7 +69,7 @@ struct object_group_runtime { struct log_handle *logger; }; -UT_icd ut_object_uuid_icd = {sizeof(uuid_t), NULL, NULL, NULL}; +static UT_icd ut_object_uuid_icd = {sizeof(uuid_t), NULL, NULL, NULL}; static inline int compare_object_uuid(const void *a, const void *b) { diff --git a/src/maat_rule.c b/src/maat_rule.c index d3beb76..4f51e86 100644 --- a/src/maat_rule.c +++ b/src/maat_rule.c @@ -71,9 +71,11 @@ struct table_condition { struct attribute_hit_object_collection { char attribute_name[MAX_ATTR_NAME_LEN]; UT_array *direct_items; - UT_array *indirect_object_uuids;//TODO: ??????? change it to graph? + UT_array *indirect_object_uuids;//TODO: change it to graph? UT_array *all_object_uuids; - int need_not_condition; + UT_array *negate_object_uuids; + int need_negate_condition; + int need_scan_not_object; int Nth_scan; UT_hash_handle hh; }; @@ -142,11 +144,11 @@ struct rule_compile_state { struct attribute_hit_object_collection *attr_hit_objects_hashtbl; }; -UT_icd ut_condition_id_icd = {sizeof(long long), NULL, NULL, NULL}; -UT_icd ut_condition_literal_icd = {sizeof(struct condition_literal), NULL, NULL, NULL}; -UT_icd ut_object_uuid_icd = {sizeof(uuid_t), NULL, NULL, NULL}; -UT_icd ut_maat_item_icd = {sizeof(struct maat_item), NULL, NULL, NULL}; -UT_icd ut_hit_path_icd = {sizeof(struct internal_hit_path), NULL, NULL, NULL}; +static UT_icd ut_condition_id_icd = {sizeof(long long), NULL, NULL, NULL}; +static UT_icd ut_condition_literal_icd = {sizeof(struct condition_literal), NULL, NULL, NULL}; +static UT_icd ut_object_uuid_icd = {sizeof(uuid_t), NULL, NULL, NULL}; +static UT_icd ut_maat_item_icd = {sizeof(struct maat_item), NULL, NULL, NULL}; +static UT_icd ut_hit_path_icd = {sizeof(struct internal_hit_path), NULL, NULL, NULL}; static void rule_item_free(struct rule_item *item) { @@ -818,7 +820,21 @@ void rule_compile_state_reset(struct rule_compile_state *rule_compile_state) struct attribute_hit_object_collection *attr_hit_obj = NULL, *tmp_hit_attr_obj = NULL; HASH_ITER(hh, rule_compile_state->attr_hit_objects_hashtbl, attr_hit_obj, tmp_hit_attr_obj) { - //TODO: clear + if (attr_hit_obj->direct_items != NULL) { + utarray_clear(attr_hit_obj->direct_items); + } + + if (attr_hit_obj->indirect_object_uuids != NULL) { + utarray_clear(attr_hit_obj->indirect_object_uuids); + } + + if (attr_hit_obj->all_object_uuids != NULL) { + utarray_clear(attr_hit_obj->all_object_uuids); + } + + attr_hit_obj->need_negate_condition = 0; + attr_hit_obj->need_scan_not_object = 0; + attr_hit_obj->Nth_scan = 0; } } @@ -851,7 +867,30 @@ void rule_compile_state_free(struct rule_compile_state *rule_compile_state, rule_compile_state->exclude_not_conditions = NULL; } - //TODO: free attr_hit_objects_hashtbl + struct attribute_hit_object_collection *attr_hit_obj = NULL, *tmp_hit_attr_obj = NULL; + HASH_ITER(hh, rule_compile_state->attr_hit_objects_hashtbl, attr_hit_obj, tmp_hit_attr_obj) { + if (attr_hit_obj->direct_items != NULL) { + free_bytes += utarray_size(attr_hit_obj->direct_items) * sizeof(struct maat_item); + utarray_free(attr_hit_obj->direct_items); + attr_hit_obj->direct_items = NULL; + } + + if (attr_hit_obj->indirect_object_uuids != NULL) { + free_bytes += utarray_size(attr_hit_obj->indirect_object_uuids) * sizeof(uuid_t); + utarray_free(attr_hit_obj->indirect_object_uuids); + attr_hit_obj->indirect_object_uuids = NULL; + } + + if (attr_hit_obj->all_object_uuids != NULL) { + free_bytes += utarray_size(attr_hit_obj->all_object_uuids) * sizeof(uuid_t); + utarray_free(attr_hit_obj->all_object_uuids); + attr_hit_obj->all_object_uuids = NULL; + } + + HASH_DEL(rule_compile_state->attr_hit_objects_hashtbl, attr_hit_obj); + free_bytes += sizeof(struct attribute_hit_object_collection); + FREE(attr_hit_obj); + } FREE(rule_compile_state); @@ -1463,6 +1502,7 @@ int rule_runtime_match(struct rule_runtime *rule_rt, uuid_t *rule_uuids, { struct rule_compile_state *rule_compile_state = state->rule_compile_state; struct rule_item *rule_items[rule_ids_size]; + int clear_scan_not_obj_flag = 0; utarray_clear(rule_compile_state->all_hit_conditions); utarray_clear(rule_compile_state->exclude_not_conditions); @@ -1484,7 +1524,7 @@ int rule_runtime_match(struct rule_runtime *rule_rt, uuid_t *rule_uuids, rule_compile_state_add_hit_conditions(rule_compile_state, condition_id_kv->condition_ids); } - if (attr_hit_obj_coll->need_not_condition) { + if (attr_hit_obj_coll->need_negate_condition) { key.negate_option = 1; HASH_FIND(hh, rule_rt->not_condition_id_kv_hash, &key, sizeof(key), condition_id_kv); if (condition_id_kv != NULL) { @@ -1492,27 +1532,27 @@ int rule_runtime_match(struct rule_runtime *rule_rt, uuid_t *rule_uuids, } } } + + if (attr_hit_obj_coll->need_scan_not_object) { + clear_scan_not_obj_flag = 1; + } } //not conditions struct condition_id_kv *condition_id_kv = NULL, *tmp_condition_id_kv = NULL; HASH_ITER(hh, rule_rt->not_condition_id_kv_hash, condition_id_kv, tmp_condition_id_kv) { HASH_FIND_STR(rule_compile_state->attr_hit_objects_hashtbl, condition_id_kv->key.attribute_name, attr_hit_obj_coll); - if (attr_hit_obj_coll == NULL || attr_hit_obj_coll->need_not_condition == 0) { + if (attr_hit_obj_coll == NULL || attr_hit_obj_coll->need_negate_condition == 0) { continue; } - uuid_t *object_uuid = bsearch(&(condition_id_kv->key.object_uuid), - utarray_eltptr(attr_hit_obj_coll->all_object_uuids, 0), - utarray_len(attr_hit_obj_coll->all_object_uuids), - sizeof(uuid_t), compare_object_uuid); - if (object_uuid != NULL) { + if (utarray_find(attr_hit_obj_coll->all_object_uuids, &(condition_id_kv->key.object_uuid), compare_object_uuid) != NULL) { continue; } rule_compile_state_add_hit_not_conditions(rule_compile_state, condition_id_kv->condition_ids); - if (state->maat_inst->opts.hit_path_on) { + if (state->maat_inst->opts.hit_path_on && attr_hit_obj_coll->need_scan_not_object) { uuid_t null_uuid; uuid_clear(null_uuid); rule_compile_state_add_internal_hit_path(rule_compile_state, null_uuid, @@ -1522,6 +1562,14 @@ int rule_runtime_match(struct rule_runtime *rule_rt, uuid_t *rule_uuids, } } + if (clear_scan_not_obj_flag) { + HASH_ITER(hh, rule_compile_state->attr_hit_objects_hashtbl, attr_hit_obj_coll, tmp) { + if (attr_hit_obj_coll->need_scan_not_object) { + attr_hit_obj_coll->need_scan_not_object = 0; + } + } + } + // all hit condition_id -> rule_id size_t bool_match_ret = maat_rule_bool_matcher_match(rule_rt, rule_compile_state, @@ -1646,8 +1694,9 @@ void rule_compile_state_not_logic_update(struct maat *maat_inst, struct rule_com struct attribute_hit_object_collection *attr_hit_obj_coll = rule_compile_state_get_attr_hit_obj_coll(maat_inst, rule_compile_state, attribute_name); assert(attr_hit_obj_coll != NULL); - attr_hit_obj_coll->need_not_condition = 1; - rule_compile_state->Nth_scan = Nth_scan; + attr_hit_obj_coll->need_negate_condition = 1; + attr_hit_obj_coll->need_scan_not_object = 1; + attr_hit_obj_coll->Nth_scan = Nth_scan; return; } @@ -1713,8 +1762,6 @@ size_t rule_compile_state_get_hit_objects(struct maat *maat_inst, struct rule_co uuid_copy(object_array[i], *(uuid_t *)utarray_eltptr(attr_hit_obj_coll->all_object_uuids, i)); } - utarray_clear(attr_hit_obj_coll->all_object_uuids); - return i; } diff --git a/test/maat_framework_gtest.cpp b/test/maat_framework_gtest.cpp index 6ebc425..1883adb 100644 --- a/test/maat_framework_gtest.cpp +++ b/test/maat_framework_gtest.cpp @@ -23,7 +23,7 @@ const char *g_table_info_path = "./table_info.json"; const char *g_json_filename = "maat_json.json"; size_t g_thread_num = 4; - +const char *default_rule_table_name = "RULE_CONJUNCTION"; static int test_add_expr_command(struct maat *maat_inst, const char *expr_table, const char *attr_name, const char *rule_uuid_str, int timeout, @@ -117,38 +117,50 @@ void scan_with_old_or_new_cfg(struct maat *maat_inst, int is_old) memset(results, 0, sizeof(results)); int ret = maat_scan_string(maat_inst, table_name, attribute_name, hit_old_data, - strlen(hit_old_data), results, ARRAY_SIZE, - &n_hit_result, state); + strlen(hit_old_data), state); if (is_old) { EXPECT_EQ(ret, MAAT_SCAN_HIT); + } else { + EXPECT_EQ(ret, MAAT_SCAN_OK); + } + + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + + if (is_old) { + EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_TRUE(strcmp(uuid_str, "9c5ee166-3af6-fb23-f8f8-8c7062ed3717") == 0); } else { - EXPECT_EQ(ret, MAAT_SCAN_OK); + EXPECT_EQ(n_hit_result, 0); } - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_reset(state); ret = maat_scan_string(maat_inst, table_name, attribute_name, hit_new_data, - strlen(hit_new_data), results, ARRAY_SIZE, - &n_hit_result, state); + strlen(hit_new_data), state); if (!is_old) { EXPECT_EQ(ret, MAAT_SCAN_HIT); - char uuid_str[UUID_STR_LEN] = {0}; - uuid_unparse(results[0], uuid_str); - EXPECT_EQ(strcmp(uuid_str, "9b0d44a1-1e9e-7988-6ab2-c619d5906818"), 0); } else { EXPECT_EQ(ret, MAAT_SCAN_OK); } - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + + if (!is_old) { + EXPECT_EQ(n_hit_result, 1); + char uuid_str[UUID_STR_LEN] = {0}; + uuid_unparse(results[0], uuid_str); + EXPECT_EQ(strcmp(uuid_str, "9b0d44a1-1e9e-7988-6ab2-c619d5906818"), 0); + } else { + EXPECT_EQ(n_hit_result, 0); + } + maat_state_free(state); } @@ -233,9 +245,13 @@ TEST_F(FlagScan, basic) { memset(results, 0, sizeof(results)); - int ret = maat_scan_flag(maat_inst, flag_table_name, attribute_name, scan_data, results, - ARRAY_SIZE, &n_hit_result, state); + int ret = maat_scan_flag(maat_inst, flag_table_name, attribute_name, scan_data, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, flag_table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 2); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); @@ -243,10 +259,6 @@ TEST_F(FlagScan, basic) { uuid_unparse(results[1], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000192"); - - ret = maat_scan_not_logic(maat_inst, flag_table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); struct maat_hit_path hit_path[HIT_PATH_SIZE]; int n_read = 0; @@ -258,9 +270,13 @@ TEST_F(FlagScan, basic) { scan_data = 13; memset(results, 0, sizeof(results)); n_hit_result = 0; - ret = maat_scan_flag(maat_inst, flag_table_name, attribute_name, scan_data, results, - ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_flag(maat_inst, flag_table_name, attribute_name, scan_data, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, flag_table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 2); uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000207"); @@ -268,23 +284,20 @@ TEST_F(FlagScan, basic) { uuid_unparse(results[1], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000192"); - ret = maat_scan_not_logic(maat_inst, flag_table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_reset(state); scan_data = 6; memset(results, 0, sizeof(results)); n_hit_result = 0; - ret = maat_scan_flag(maat_inst, flag_table_name, attribute_name, scan_data, results, - ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); - EXPECT_EQ(n_hit_result, 0); + ret = maat_scan_flag(maat_inst, flag_table_name, attribute_name, scan_data, state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, flag_table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, flag_table_name, attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + maat_state_free(state); state = NULL; } @@ -306,15 +319,15 @@ TEST_F(FlagScan, withExprRegion) { memset(results, 0, sizeof(results)); - int ret = maat_scan_flag(maat_inst, flag_table_name, flag_attribute_name, flag_scan_data, results, - ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); - EXPECT_EQ(n_hit_result, 0); + int ret = maat_scan_flag(maat_inst, flag_table_name, flag_attribute_name, flag_scan_data, state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, flag_table_name, flag_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, flag_table_name, flag_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + struct maat_hit_path hit_path[HIT_PATH_SIZE]; int n_read = 0; @@ -324,18 +337,18 @@ TEST_F(FlagScan, withExprRegion) { const char *expr_scan_data = "hello world"; ret = maat_scan_string(maat_inst, expr_table_name, expr_attribute_name, expr_scan_data, - strlen(expr_scan_data), results, ARRAY_SIZE, - &n_hit_result, state); + strlen(expr_scan_data), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, expr_table_name, expr_attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000193"); - ret = maat_scan_not_logic(maat_inst, expr_table_name, expr_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_free(state); state = NULL; } @@ -356,9 +369,13 @@ TEST_F(FlagScan, hitMultiRule) { memset(results, 0, sizeof(results)); - int ret = maat_scan_flag(maat_inst, flag_table_name, flag_attribute_name, flag_scan_data, results, - ARRAY_SIZE, &n_hit_result, state); + int ret = maat_scan_flag(maat_inst, flag_table_name, flag_attribute_name, flag_scan_data, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, flag_table_name, flag_attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 3); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); @@ -370,19 +387,16 @@ TEST_F(FlagScan, hitMultiRule) { uuid_unparse(results[2], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000192"); - ret = maat_scan_not_logic(maat_inst, flag_table_name, flag_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - memset(results, 0, sizeof(results)); - ret = maat_scan_flag(maat_inst, flag_table_name, flag_attribute_name, flag_scan_data, results, - ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_flag(maat_inst, flag_table_name, flag_attribute_name, flag_scan_data, state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, flag_table_name, flag_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, flag_table_name, flag_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 3);//maat return all hit rules every time without removing duplicate hit rules + struct maat_hit_path hit_path[HIT_PATH_SIZE]; int n_read = 0; @@ -409,9 +423,13 @@ TEST_F(FlagScan, hitRepeatedRule) { //rule_id:192 flag: 0000 0001 mask: 0000 0011 //scan_data: 0000 1001 or 0000 1101 should hit long long flag_scan_data1 = 9; - int ret = maat_scan_flag(maat_inst, flag_table_name, flag_attribute_name, flag_scan_data1, results, - ARRAY_SIZE, &n_hit_result, state); + int ret = maat_scan_flag(maat_inst, flag_table_name, flag_attribute_name, flag_scan_data1, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, flag_table_name, flag_attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 2); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); @@ -419,35 +437,36 @@ TEST_F(FlagScan, hitRepeatedRule) { uuid_unparse(results[1], uuid_str); EXPECT_EQ(strcmp(uuid_str, "00000000-0000-0000-0000-000000000192"), 0); - ret = maat_scan_not_logic(maat_inst, flag_table_name, flag_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - //rule_id:192 flag: 0000 0001 mask: 0000 0011 //rule_id:194 flag: 0001 0101 mask: 0001 1111 //scan_data: 0001 0101 should hit rule192 and rule194 long long flag_scan_data2 = 21; memset(results, 0, sizeof(results)); - ret = maat_scan_flag(maat_inst, flag_table_name, flag_attribute_name, flag_scan_data2, results, - ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_flag(maat_inst, flag_table_name, flag_attribute_name, flag_scan_data2, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); - EXPECT_EQ(n_hit_result, 1); - uuid_unparse(results[0], uuid_str); - EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000194"); - ret = maat_scan_not_logic(maat_inst, flag_table_name, flag_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, flag_table_name, flag_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 3); + uuid_unparse(results[0], uuid_str); + EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000207"); + uuid_unparse(results[1], uuid_str); + EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000194"); + uuid_unparse(results[2], uuid_str); + EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000192"); + memset(results, 0, sizeof(results)); - ret = maat_scan_flag(maat_inst, flag_table_name, flag_attribute_name, flag_scan_data2, results, - ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_flag(maat_inst, flag_table_name, flag_attribute_name, flag_scan_data2, state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, flag_table_name, flag_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, flag_table_name, flag_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 3);//maat return all hit rules every time without removing duplicate hit rules + struct maat_hit_path hit_path[HIT_PATH_SIZE]; int n_read = 0; @@ -544,15 +563,16 @@ TEST_P(StringScan, ScanDataOnlyOneByte) { const char scan_data = 0x20; memset(results, 0, sizeof(results)); - int ret = maat_scan_string(maat_inst, table_name, attribute_name, &scan_data, sizeof(scan_data), - results, ARRAY_SIZE, &n_hit_result, state); + int ret = maat_scan_string(maat_inst, table_name, attribute_name, &scan_data, sizeof(scan_data), state); EXPECT_EQ(ret, MAAT_SCAN_OK); EXPECT_EQ(n_hit_result, 0); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + maat_state_free(state); state = NULL; } @@ -570,18 +590,18 @@ TEST_P(StringScan, Full) { "?action=search&query=username,abckkk,1234567"; memset(results, 0, sizeof(results)); - int ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), - results, ARRAY_SIZE, &n_hit_result, state); + int ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000125"); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_free(state); state = NULL; } @@ -598,18 +618,18 @@ TEST_P(StringScan, Regex) { struct maat_state *state = maat_state_new(maat_inst, thread_id); memset(results, 0, sizeof(results)); - ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), - results, ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000148"); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_free(state); state = NULL; } @@ -626,17 +646,18 @@ TEST_P(StringScan, RegexUnicode) { struct maat_state *state = maat_state_new(maat_inst, thread_id); memset(results, 0, sizeof(results)); - ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), - results, ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000229"); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_free(state); state = NULL; } @@ -653,22 +674,22 @@ TEST_P(StringScan, BackslashR_N_Escape) { struct maat_state *state = maat_state_new(maat_inst, thread_id); memset(results, 0, sizeof(results)); - ret = maat_scan_string(maat_inst, table_name, attribute_name, payload, strlen(payload), - results, ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_string(maat_inst, table_name, attribute_name, payload, strlen(payload), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000225"); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_free(state); state = NULL; } - TEST_P(StringScan, BackslashR_N_Escape_IncUpdate) { int ret = 0; uuid_t results[ARRAY_SIZE]; @@ -681,16 +702,18 @@ TEST_P(StringScan, BackslashR_N_Escape_IncUpdate) { struct maat_state *state = maat_state_new(maat_inst, thread_id); memset(results, 0, sizeof(results)); - ret = maat_scan_string(maat_inst, table_name, attribute_name, payload, strlen(payload), - results, ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_string(maat_inst, table_name, attribute_name, payload, strlen(payload), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000234"); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_reset(state); const char *rule_table_name = "RULE_DEFAULT"; @@ -726,19 +749,19 @@ TEST_P(StringScan, BackslashR_N_Escape_IncUpdate) { sleep(WAIT_FOR_EFFECTIVE_S * 3); - ret = maat_scan_string(maat_inst, table_name, attribute_name, payload, strlen(payload), - results, ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_string(maat_inst, table_name, attribute_name, payload, strlen(payload), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 2); uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000234"); uuid_unparse(results[1], uuid_str); EXPECT_STREQ(uuid_str, rule_uuid_str); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_free(state); state = NULL; } @@ -756,17 +779,18 @@ TEST_P(StringScan, BackslashCtrlCharactor) struct maat_state *state = maat_state_new(maat_inst, thread_id); memset(results, 0, sizeof(results)); - ret = maat_scan_string(maat_inst, table_name, attribute_name, payload, strlen(payload), - results, ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_string(maat_inst, table_name, attribute_name, payload, strlen(payload), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000235"); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_free(state); state = NULL; } @@ -784,18 +808,18 @@ TEST_P(StringScan, Expr8) { struct maat_state *state = maat_state_new(maat_inst, thread_id); memset(results, 0, sizeof(results)); - int ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), - results, ARRAY_SIZE, &n_hit_result, state); + int ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000182"); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - struct maat_hit_path hit_path[HIT_PATH_SIZE]; int n_read = 0; @@ -820,19 +844,24 @@ TEST_P(StringScan, HexBinCaseSensitive) { struct maat_state *state = maat_state_new(maat_inst, thread_id); memset(results, 0, sizeof(results)); - int ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data1, strlen(scan_data1), - results, ARRAY_SIZE, &n_hit_result, state); + int ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data1, strlen(scan_data1), state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + maat_state_reset(state); - ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data2, strlen(scan_data2), - results, ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data2, strlen(scan_data2), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 2); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); @@ -840,10 +869,6 @@ TEST_P(StringScan, HexBinCaseSensitive) { uuid_unparse(results[1], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000191"); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_free(state); } @@ -861,28 +886,29 @@ TEST_P(StringScan, HexbinCombineString) struct maat_state *state = maat_state_new(maat_inst, thread_id); memset(results, 0, sizeof(results)); - int ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data1, strlen(scan_data1), - results, ARRAY_SIZE, &n_hit_result, state); + int ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data1, strlen(scan_data1), state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + maat_state_reset(state); - ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data2, strlen(scan_data2), - results, ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data2, strlen(scan_data2), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000236"); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_free(state); } @@ -916,18 +942,18 @@ TEST_P(StringScan, BugReport20190325) { memset(results, 0, sizeof(results)); int ret = maat_scan_string(maat_inst, table_name, attribute_name, (char *)scan_data, - sizeof(scan_data), results, ARRAY_SIZE, - &n_hit_result, state); + sizeof(scan_data), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000150"); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_free(state); state = NULL; } @@ -948,17 +974,20 @@ TEST_P(StringScan, PrefixAndSuffix) { struct maat_state *state = maat_state_new(maat_inst, thread_id); memset(results, 0, sizeof(results)); - int ret = maat_scan_integer(maat_inst, cont_sz_table_name, cont_sz_attribute_name, 2015, results, - ARRAY_SIZE, &n_hit_result, state); + int ret = maat_scan_integer(maat_inst, cont_sz_table_name, cont_sz_attribute_name, 2015, state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, cont_sz_table_name, cont_sz_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, cont_sz_table_name, cont_sz_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_scan_string(maat_inst, mail_addr_table_name, mail_addr_attribute_name, hit_twice, - strlen(hit_twice), results, ARRAY_SIZE, - &n_hit_result, state); + strlen(hit_twice), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, mail_addr_table_name, mail_addr_attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 2); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); @@ -966,42 +995,38 @@ TEST_P(StringScan, PrefixAndSuffix) { uuid_unparse(results[1], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000152"); - ret = maat_scan_not_logic(maat_inst, mail_addr_table_name, mail_addr_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_reset(state); ret = maat_scan_string(maat_inst, mail_addr_table_name, mail_addr_attribute_name, hit_suffix, - strlen(hit_suffix), results, ARRAY_SIZE, - &n_hit_result, state); + strlen(hit_suffix), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + ret = maat_scan_not_logic(maat_inst, mail_addr_table_name, mail_addr_attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000151"); - ret = maat_scan_not_logic(maat_inst, mail_addr_table_name, mail_addr_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); + ret = maat_scan_integer(maat_inst, cont_sz_table_name, cont_sz_attribute_name, 2015, state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_integer(maat_inst, cont_sz_table_name, cont_sz_attribute_name, 2015, results, - ARRAY_SIZE, &n_hit_result, state); - - ret = maat_scan_not_logic(maat_inst, cont_sz_table_name, cont_sz_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, cont_sz_table_name, cont_sz_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_scan_string(maat_inst, mail_addr_table_name, mail_addr_attribute_name, hit_prefix, - strlen(hit_prefix), results, ARRAY_SIZE, - &n_hit_result, state); + strlen(hit_prefix), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); - EXPECT_EQ(n_hit_result, 1); - uuid_unparse(results[0], uuid_str); - EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000152"); - ret = maat_scan_not_logic(maat_inst, mail_addr_table_name, mail_addr_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, mail_addr_table_name, mail_addr_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 2); + uuid_unparse(results[0], uuid_str); + EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000151"); + uuid_unparse(results[1], uuid_str); + EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000152"); + maat_state_free(state); state = NULL; } @@ -1018,18 +1043,18 @@ TEST_P(StringScan, MaatUnescape) { struct maat_state *state = maat_state_new(maat_inst, thread_id); memset(results, 0, sizeof(results)); - int ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), - results, ARRAY_SIZE, &n_hit_result, state); + int ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000132"); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_free(state); state = NULL; } @@ -1059,21 +1084,22 @@ TEST_P(StringScan, OffsetChunk64) { int pass_flag = 0; while (0 == feof(fp)) { read_size = fread(scan_data, 1, sizeof(scan_data), fp); - ret = maat_stream_scan(sp, scan_data, read_size, results, - ARRAY_SIZE, &n_hit_result, state); + ret = maat_stream_scan(sp, scan_data, read_size, state); if (ret > 0) { pass_flag = 1; break; } - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, - ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); if (ret > 0) { pass_flag = 1; break; } } EXPECT_EQ(pass_flag, 1); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000136"); @@ -1108,21 +1134,22 @@ TEST_P(StringScan, OffsetChunk1460) { int pass_flag = 0; while (0 == feof(fp)) { read_size = fread(scan_data, 1, sizeof(scan_data), fp); - ret = maat_stream_scan(sp, scan_data, read_size, results, - ARRAY_SIZE, &n_hit_result, state); + ret = maat_stream_scan(sp, scan_data, read_size, state); if (ret > 0) { pass_flag = 1; break; } - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); if (ret > 0) { pass_flag = 1; break; } } EXPECT_EQ(pass_flag, 1); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000136"); @@ -1153,15 +1180,13 @@ TEST_P(StringScan, StreamScanUTF8) { int pass_flag = 0; while (0 == feof(fp)) { size_t read_size = fread(scan_data, 1, sizeof(scan_data), fp); - int ret = maat_stream_scan(sp, scan_data, read_size, results, - ARRAY_SIZE, &n_hit_result, state); + int ret = maat_stream_scan(sp, scan_data, read_size, state); if (ret == MAAT_SCAN_HIT) { pass_flag = 1; break; } - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); if (ret == MAAT_SCAN_HIT) { pass_flag = 1; break; @@ -1169,6 +1194,9 @@ TEST_P(StringScan, StreamScanUTF8) { } EXPECT_EQ(pass_flag, 1); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000157"); @@ -1200,18 +1228,18 @@ TEST_P(StringScan, InvisibleCharactor) { } memset(results, 0, sizeof(results)); - int ret = maat_scan_string(maat_inst, table_name, attribute_name, (char*)binary_data, binary_data_length, - results, ARRAY_SIZE, &n_hit_result, state); + int ret = maat_scan_string(maat_inst, table_name, attribute_name, (char*)binary_data, binary_data_length, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000238"); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_free(state); state = NULL; } @@ -1233,27 +1261,25 @@ TEST_P(StringScan, StreamInput) { struct maat_stream *sp = maat_stream_new(maat_inst, table_name, attribute_name, state); ASSERT_TRUE(sp != NULL); - int ret = maat_stream_scan(sp, scan_data1, strlen(scan_data1), results, - ARRAY_SIZE, &n_hit_result, state); + int ret = maat_stream_scan(sp, scan_data1, strlen(scan_data1), state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_stream_scan(sp, scan_data2, strlen(scan_data2), results, - ARRAY_SIZE, &n_hit_result, state); + ret = maat_stream_scan(sp, scan_data2, strlen(scan_data2), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); maat_stream_free(sp); - EXPECT_EQ(ret, MAAT_SCAN_HIT); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000125"); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_free(state); state = NULL; } @@ -1276,28 +1302,28 @@ TEST_P(StringScan, StreamHitDirectObject) { struct maat_stream *sp = maat_stream_new(maat_inst, table_name_url, attribute_name_url, state); ASSERT_TRUE(sp != NULL); - ret = maat_stream_scan(sp, scan_data1, strlen(scan_data1), results, - ARRAY_SIZE, &n_hit_result, state); - + ret = maat_stream_scan(sp, scan_data1, strlen(scan_data1), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, table_name_url, attribute_name_url, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000133"); - struct maat_hit_object object_array[ARRAY_SIZE]; - ret = maat_state_get_direct_hit_objects(state, object_array, ARRAY_SIZE); + uuid_t object_uuid_array[ARRAY_SIZE]; + uuid_t item_uuid_array[ARRAY_SIZE]; + ret = maat_state_get_hit_items(state, attribute_name_url, item_uuid_array, object_uuid_array, ARRAY_SIZE); EXPECT_EQ(ret, 1); - uuid_unparse(object_array[0].object_uuid, uuid_str); + uuid_unparse(object_uuid_array[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000112"); - ret = maat_scan_not_logic(maat_inst, table_name_url, attribute_name_url, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_stream_scan(sp, scan_data2, strlen(scan_data2), state); EXPECT_EQ(ret, MAAT_SCAN_OK); - - ret = maat_stream_scan(sp, scan_data2, strlen(scan_data2), results, - ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_state_get_direct_hit_objects(state, object_array, ARRAY_SIZE); + ret = maat_state_get_hit_item_cnt(state, attribute_name_url); EXPECT_EQ(ret, 0); maat_stream_free(sp); @@ -1310,32 +1336,32 @@ TEST_P(StringScan, StreamHitDirectObject) { sp = maat_stream_new(maat_inst, table_name_sig, attribute_name_sig, state); ASSERT_TRUE(sp != NULL); - ret = maat_stream_scan(sp, scan_data3, strlen(scan_data3), results, - ARRAY_SIZE, &n_hit_result, state); + ret = maat_stream_scan(sp, scan_data3, strlen(scan_data3), state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_stream_scan(sp, scan_data4, strlen(scan_data4), results, - ARRAY_SIZE, &n_hit_result, state); + ret = maat_stream_scan(sp, scan_data4, strlen(scan_data4), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, table_name_sig, attribute_name_sig, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 1); uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000128"); - ret = maat_state_get_direct_hit_objects(state, object_array, ARRAY_SIZE); + ret = maat_state_get_hit_items(state, attribute_name_sig, item_uuid_array, object_uuid_array, ARRAY_SIZE); EXPECT_EQ(ret, 1); - uuid_unparse(object_array[0].object_uuid, uuid_str); + uuid_unparse(object_uuid_array[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000107"); - ret = maat_scan_not_logic(maat_inst, table_name_sig, attribute_name_sig, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_stream_scan(sp, scan_data4, strlen(scan_data4), results, - ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);//rule has been hit before + ret = maat_stream_scan(sp, scan_data4, strlen(scan_data4), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_state_get_direct_hit_objects(state, object_array, ARRAY_SIZE); + ret = maat_state_get_hit_items(state, attribute_name_sig, item_uuid_array, object_uuid_array, ARRAY_SIZE); EXPECT_EQ(ret, 1); - uuid_unparse(object_array[0].object_uuid, uuid_str); + uuid_unparse(object_uuid_array[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000107"); maat_stream_free(sp); @@ -1360,19 +1386,17 @@ TEST_P(StringScan, StreamLiteralPrefix) struct maat_stream *sp = maat_stream_new(maat_inst, table_name_url, attribute_name_url, state); ASSERT_TRUE(sp != NULL); - ret = maat_stream_scan(sp, scan_data, strlen(scan_data), results, - ARRAY_SIZE, &n_hit_result, state); - + ret = maat_stream_scan(sp, scan_data, strlen(scan_data), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + ret = maat_scan_not_logic(maat_inst, table_name_url, attribute_name_url, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000239"); - ret = maat_scan_not_logic(maat_inst, table_name_url, attribute_name_url, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - - maat_stream_free(sp); maat_state_free(state); state = NULL; @@ -1395,19 +1419,17 @@ TEST_P(StringScan, StreamLiteralSuffix) struct maat_stream *sp = maat_stream_new(maat_inst, table_name_url, attribute_name_url, state); ASSERT_TRUE(sp != NULL); - ret = maat_stream_scan(sp, scan_data, strlen(scan_data), results, - ARRAY_SIZE, &n_hit_result, state); - + ret = maat_stream_scan(sp, scan_data, strlen(scan_data), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + ret = maat_scan_not_logic(maat_inst, table_name_url, attribute_name_url, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000241"); - ret = maat_scan_not_logic(maat_inst, table_name_url, attribute_name_url, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - - maat_stream_free(sp); maat_state_free(state); state = NULL; @@ -1430,19 +1452,17 @@ TEST_P(StringScan, StreamRegexPrefix) struct maat_stream *sp = maat_stream_new(maat_inst, table_name_url, attribute_name_url, state); ASSERT_TRUE(sp != NULL); - ret = maat_stream_scan(sp, scan_data, strlen(scan_data), results, - ARRAY_SIZE, &n_hit_result, state); - + ret = maat_stream_scan(sp, scan_data, strlen(scan_data), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + ret = maat_scan_not_logic(maat_inst, table_name_url, attribute_name_url, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000240"); - ret = maat_scan_not_logic(maat_inst, table_name_url, attribute_name_url, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - - maat_stream_free(sp); maat_state_free(state); state = NULL; @@ -1465,19 +1485,17 @@ TEST_P(StringScan, StreamRegexSuffix) struct maat_stream *sp = maat_stream_new(maat_inst, table_name_url, attribute_name_url, state); ASSERT_TRUE(sp != NULL); - ret = maat_stream_scan(sp, scan_data, strlen(scan_data), results, - ARRAY_SIZE, &n_hit_result, state); - + ret = maat_stream_scan(sp, scan_data, strlen(scan_data), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + ret = maat_scan_not_logic(maat_inst, table_name_url, attribute_name_url, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000242"); - ret = maat_scan_not_logic(maat_inst, table_name_url, attribute_name_url, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - - maat_stream_free(sp); maat_state_free(state); state = NULL; @@ -1496,18 +1514,17 @@ TEST_P(StringScan, LiteralPrefix) const char *scan_data = "test-literal-prefix abcde"; memset(results, 0, sizeof(results)); - int ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), - results, ARRAY_SIZE, &n_hit_result, state); + int ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000239"); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_free(state); state = NULL; } @@ -1525,18 +1542,17 @@ TEST_P(StringScan, LiteralSuffix) const char *scan_data = "abcd test-literal-suffix"; memset(results, 0, sizeof(results)); - int ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), - results, ARRAY_SIZE, &n_hit_result, state); + int ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000241"); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_free(state); state = NULL; } @@ -1554,18 +1570,17 @@ TEST_P(StringScan, RegexPrefix) const char *scan_data = "test-regex-prefix abcde"; memset(results, 0, sizeof(results)); - int ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), - results, ARRAY_SIZE, &n_hit_result, state); + int ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000240"); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_free(state); state = NULL; } @@ -1583,18 +1598,17 @@ TEST_P(StringScan, RegexSuffix) const char *scan_data = "abcd test-regex-suffix"; memset(results, 0, sizeof(results)); - int ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), - results, ARRAY_SIZE, &n_hit_result, state); + int ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000242"); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_free(state); state = NULL; } @@ -1611,15 +1625,15 @@ TEST_P(StringScan, dynamic_config) { memset(results, 0, sizeof(results)); - int ret = maat_scan_string(maat_inst, table_name, attribute_name, data, strlen(data), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); - EXPECT_EQ(n_hit_result, 0); + int ret = maat_scan_string(maat_inst, table_name, attribute_name, data, strlen(data), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + maat_state_reset(state); const char *rule_table_name = "RULE_DEFAULT"; @@ -1654,18 +1668,17 @@ TEST_P(StringScan, dynamic_config) { sleep(WAIT_FOR_EFFECTIVE_S * 3); - ret = maat_scan_string(maat_inst, table_name, attribute_name, data, strlen(data), results, - ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_string(maat_inst, table_name, attribute_name, data, strlen(data), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, rule_uuid_str); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_reset(state); /* EXPR_TYPE_AND MATCH_METHOD_SUB */ @@ -1680,15 +1693,14 @@ TEST_P(StringScan, dynamic_config) { sleep(WAIT_FOR_EFFECTIVE_S); - ret = maat_scan_string(maat_inst, table_name, attribute_name, data, strlen(data), results, - ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); - EXPECT_EQ(n_hit_result, 0); - - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_string(maat_inst, table_name, attribute_name, data, strlen(data), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + maat_state_free(state); state = NULL; } @@ -1776,26 +1788,21 @@ TEST_P(StreamScan, dynamic_config) { struct maat_stream *sp = maat_stream_new(maat_inst, table_name, attribute_name, state); ASSERT_TRUE(sp != NULL); - ret = maat_stream_scan(sp, scan_data1, strlen(scan_data1), results, - ARRAY_SIZE, &n_hit_result, state); + ret = maat_stream_scan(sp, scan_data1, strlen(scan_data1), state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_stream_scan(sp, scan_data2, strlen(scan_data2), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_stream_scan(sp, scan_data2, strlen(scan_data2), results, - ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HIT); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, rule1_uuid_str); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_reset(state); // STEP 2: Inc config update, use same stream to scan and wait old expr_runtime invalid @@ -1807,9 +1814,10 @@ TEST_P(StreamScan, dynamic_config) { EXPECT_EQ(ret, 1); // Inc config has not yet taken effect, stream scan can hit rule - ret = maat_stream_scan(sp, scan_data2, strlen(scan_data2), results, - ARRAY_SIZE, &n_hit_result, state); + ret = maat_stream_scan(sp, scan_data2, strlen(scan_data2), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, rule1_uuid_str); @@ -1819,14 +1827,15 @@ TEST_P(StreamScan, dynamic_config) { sleep(WAIT_FOR_EFFECTIVE_S); // Inc config has taken effect, stream reference old expr_runtime, should not hit rule - ret = maat_stream_scan(sp, scan_data2, strlen(scan_data2), results, - ARRAY_SIZE, &n_hit_result, state); + ret = maat_stream_scan(sp, scan_data2, strlen(scan_data2), state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + maat_stream_free(sp); maat_state_free(state); sp = NULL; @@ -1900,14 +1909,13 @@ TEST_F(IPScan, IPv4Unspecified) { struct maat_state *state = maat_state_new(maat_inst, thread_id); memset(results, 0, sizeof(results)); - ret = maat_scan_ipv4(maat_inst, table_name, attribute_name, sip1, results, - ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_ipv4(maat_inst, table_name, attribute_name, sip1, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 0); - - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_free(state); state = NULL; @@ -1929,14 +1937,13 @@ TEST_F(IPScan, IPv4Broadcast) { struct maat_state *state = maat_state_new(maat_inst, thread_id); memset(results, 0, sizeof(results)); - ret = maat_scan_ipv4(maat_inst, table_name, attribute_name, sip1, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_ipv4(maat_inst, table_name, attribute_name, sip1, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 0); - - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_free(state); state = NULL; @@ -1958,18 +1965,17 @@ TEST_F(IPScan, MatchSingleIPv4) { struct maat_state *state = maat_state_new(maat_inst, thread_id); memset(results, 0, sizeof(results)); - ret = maat_scan_ipv4(maat_inst, table_name, attribute_name, sip, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_ipv4(maat_inst, table_name, attribute_name, sip, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000169"); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_free(state); state = NULL; } @@ -1990,18 +1996,17 @@ TEST_F(IPScan, IPv6Unspecified) { struct maat_state *state = maat_state_new(maat_inst, thread_id); memset(results, 0, sizeof(results)); - ret = maat_scan_ipv6(maat_inst, table_name, attribute_name, sip, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_ipv6(maat_inst, table_name, attribute_name, sip, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000210"); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_free(state); } @@ -2021,14 +2026,13 @@ TEST_F(IPScan, IPv6Broadcast) { struct maat_state *state = maat_state_new(maat_inst, thread_id); memset(results, 0, sizeof(results)); - ret = maat_scan_ipv6(maat_inst, table_name, attribute_name, sip, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_ipv6(maat_inst, table_name, attribute_name, sip, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 0); - - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_free(state); } @@ -2049,18 +2053,17 @@ TEST_F(IPScan, MatchSingleIPv6) { struct maat_state *state = maat_state_new(maat_inst, thread_id); memset(results, 0, sizeof(results)); - ret = maat_scan_ipv6(maat_inst, table_name, attribute_name, sip, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_ipv6(maat_inst, table_name, attribute_name, sip, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000210"); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_free(state); state = NULL; } @@ -2081,9 +2084,12 @@ TEST_F(IPScan, MatchIPv4Range) { struct maat_state *state = maat_state_new(maat_inst, thread_id); memset(results, 0, sizeof(results)); - ret = maat_scan_ipv4(maat_inst, table_name, attribute_name, sip, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_ipv4(maat_inst, table_name, attribute_name, sip, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 2); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); @@ -2092,10 +2098,6 @@ TEST_F(IPScan, MatchIPv4Range) { uuid_unparse(results[1], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000154"); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_free(state); state = NULL; } @@ -2115,14 +2117,14 @@ TEST_F(IPScan, MatchIPv4Port) { struct maat_state *state = maat_state_new(maat_inst, thread_id); memset(results, 0, sizeof(results)); - ret = maat_scan_ipv4_port(maat_inst, table_name, attribute_name, sip, 443, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_ipv4_port(maat_inst, table_name, attribute_name, sip, 443, state); EXPECT_EQ(ret, MAAT_SCAN_OK); EXPECT_EQ(n_hit_result, 0); - ret = maat_scan_ipv4_port(maat_inst, table_name, attribute_name, sip, 80, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_ipv4_port(maat_inst, table_name, attribute_name, sip, 80, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); @@ -2147,9 +2149,12 @@ TEST_F(IPScan, MatchIPv6Range) { struct maat_state *state = maat_state_new(maat_inst, thread_id); memset(results, 0, sizeof(results)); - ret = maat_scan_ipv6(maat_inst, table_name, attribute_name, sip, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_ipv6(maat_inst, table_name, attribute_name, sip, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 2); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); @@ -2158,10 +2163,6 @@ TEST_F(IPScan, MatchIPv6Range) { uuid_unparse(results[1], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000155"); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_free(state); state = NULL; } @@ -2182,9 +2183,10 @@ TEST_F(IPScan, MatchIPv6Port) { struct maat_state *state = maat_state_new(maat_inst, thread_id); memset(results, 0, sizeof(results)); - ret = maat_scan_ipv6_port(maat_inst, table_name, attribute_name, sip, port, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_ipv6_port(maat_inst, table_name, attribute_name, sip, port, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 2); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); @@ -2195,9 +2197,10 @@ TEST_F(IPScan, MatchIPv6Port) { maat_state_reset(state); //If the port is not present, should not match rules with port range. In this case, only rule 210 "::/0" should match. - ret = maat_scan_ipv6(maat_inst, table_name, attribute_name, sip, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_ipv6(maat_inst, table_name, attribute_name, sip, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000210"); @@ -2222,14 +2225,15 @@ TEST_F(IPScan, BugReport20210515) { struct maat_state *state = maat_state_new(maat_inst, thread_id); memset(results, 0, sizeof(results)); - ret = maat_scan_ipv6(maat_inst, table_name, attribute_name, ip_addr, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_ipv6(maat_inst, table_name, attribute_name, ip_addr, state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + maat_state_free(state); state = NULL; } @@ -2248,14 +2252,13 @@ TEST_F(IPScan, RuleUpdates) { uuid_t results[ARRAY_SIZE]; size_t n_hit_result = 0; struct maat_state *state = maat_state_new(maat_inst, thread_id); - ret = maat_scan_ipv4(maat_inst, table_name, attribute_name, sip, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_ipv4(maat_inst, table_name, attribute_name, sip, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); - EXPECT_EQ(n_hit_result, 0); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); maat_state_reset(state); @@ -2288,18 +2291,17 @@ TEST_F(IPScan, RuleUpdates) { sleep(WAIT_FOR_EFFECTIVE_S); - ret = maat_scan_ipv4(maat_inst, table_name, attribute_name, sip, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_ipv4(maat_inst, table_name, attribute_name, sip, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, rule_uuid_str); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_reset(state); /* ip table del line */ @@ -2314,14 +2316,15 @@ TEST_F(IPScan, RuleUpdates) { sleep(WAIT_FOR_EFFECTIVE_S); - ret = maat_scan_ipv4(maat_inst, table_name, attribute_name, sip, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_ipv4(maat_inst, table_name, attribute_name, sip, state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + maat_state_free(state); state = NULL; } @@ -2382,26 +2385,23 @@ TEST_F(IntervalScan, IntegerRange) { unsigned int scan_data1 = 2015; - int ret = maat_scan_integer(maat_inst, table_name, attribute_name, scan_data1, results, - ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + int ret = maat_scan_integer(maat_inst, table_name, attribute_name, scan_data1, state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_reset(state); unsigned int scan_data2 = 300; - ret = maat_scan_integer(maat_inst, table_name, attribute_name, scan_data2, results, - ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); - EXPECT_EQ(n_hit_result, 0); - - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_integer(maat_inst, table_name, attribute_name, scan_data2, state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + maat_state_free(state); state = NULL; } @@ -2417,17 +2417,16 @@ TEST_F(IntervalScan, SingleInteger) { unsigned int scan_data1 = 3000; - int ret = maat_scan_integer(maat_inst, table_name, attribute_name, scan_data1, results, - ARRAY_SIZE, &n_hit_result, state); + int ret = maat_scan_integer(maat_inst, table_name, attribute_name, scan_data1, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000218"); - - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_free(state); state = NULL; @@ -2487,12 +2486,15 @@ TEST_F(ObjectScan, PhysicalTable) { struct maat *maat_inst = ObjectScan::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); - struct maat_hit_object hit_object; - uuid_parse("00000000-0000-0000-0000-000000000247", hit_object.object_uuid); + uuid_t object_uuid; + uuid_t item_uuid; + uuid_parse("00000000-0000-0000-0000-000000000247", object_uuid); + uuid_clear(item_uuid); - int ret = maat_scan_object(maat_inst, table_name, attribute_name, &hit_object, 1, results, - ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HIT); + int ret = maat_scan_object(maat_inst, table_name, attribute_name, &object_uuid, &item_uuid, 1, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); @@ -2512,12 +2514,15 @@ TEST_F(ObjectScan, Attribute) { struct maat *maat_inst = ObjectScan::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); - struct maat_hit_object hit_object; - uuid_parse("00000000-0000-0000-0000-000000000259", hit_object.object_uuid); + uuid_t object_uuid; + uuid_t item_uuid; + uuid_parse("00000000-0000-0000-0000-000000000259", object_uuid); + uuid_clear(item_uuid); - int ret = maat_scan_object(maat_inst, table_name, attribute_name, &hit_object, 1, results, - ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HIT); + int ret = maat_scan_object(maat_inst, table_name, attribute_name, &object_uuid, &item_uuid, 1, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); @@ -2587,14 +2592,13 @@ TEST_F(NOTLogic, OneRegion) { struct maat_state *state = maat_state_new(maat_inst, thread_id); int ret = maat_scan_string(maat_inst, table_name, attribute_name, string_should_hit, - strlen(string_should_hit), results, ARRAY_SIZE, - &n_hit_result, state); - - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + strlen(string_should_hit), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HIT); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); @@ -2603,13 +2607,14 @@ TEST_F(NOTLogic, OneRegion) { maat_state_reset(state); ret = maat_scan_string(maat_inst, table_name, attribute_name, string_should_not_hit, - strlen(string_should_not_hit), results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + strlen(string_should_not_hit), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); maat_state_free(state); state = NULL; @@ -2632,40 +2637,38 @@ TEST_F(NOTLogic, ScanNotAtLast) { // scan string_should_hit(HTTP_URL_FILTER) & string_should_not_hit(HTTP_RESPONSE_KEYWORDS) => not hit rule int ret = maat_scan_string(maat_inst, hit_table_name, hit_attribute_name, string_should_hit, - strlen(string_should_hit), results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + strlen(string_should_hit), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); ret = maat_scan_string(maat_inst, not_hit_table_name, not_hit_attribute_name, string_should_not_hit, - strlen(string_should_not_hit), results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + strlen(string_should_not_hit), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); ret = maat_scan_string(maat_inst, not_hit_table_name, not_hit_attribute_name, string_contain_nothing, - strlen(string_contain_nothing), results, ARRAY_SIZE, - &n_hit_result, state); + strlen(string_contain_nothing), state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_not_logic(maat_inst, not_hit_table_name, not_hit_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, not_hit_table_name, not_hit_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + maat_state_reset(state); //scan string_should_hit(HTTP_URL_FILTER) & nothing(HTTP_RESPONSE_KEYWORDS) => hit rule144 ret = maat_scan_string(maat_inst, hit_table_name, hit_attribute_name, string_should_hit, - strlen(string_should_hit), results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + strlen(string_should_hit), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); ret = maat_scan_string(maat_inst, not_hit_table_name, not_hit_attribute_name, string_contain_nothing, - strlen(string_contain_nothing), results, ARRAY_SIZE, - &n_hit_result, state); + strlen(string_contain_nothing), state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_not_logic(maat_inst, not_hit_table_name, not_hit_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HIT); + ret = maat_scan_not_logic(maat_inst, not_hit_table_name, not_hit_attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); @@ -2689,22 +2692,20 @@ TEST_F(NOTLogic, ScanIrrelavantAtLast) { struct maat_state *state = maat_state_new(maat_inst, thread_id); int ret = maat_scan_string(maat_inst, hit_table_name, hit_attribute_name, string_should_hit, - strlen(string_should_hit), results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + strlen(string_should_hit), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, hit_table_name, hit_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, hit_table_name, hit_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_scan_string(maat_inst, not_hit_table_name, not_hit_attribute_name, string_irrelevant, - strlen(string_irrelevant), results, ARRAY_SIZE, - &n_hit_result, state); + strlen(string_irrelevant), state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_not_logic(maat_inst, not_hit_table_name, not_hit_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HIT); + ret = maat_scan_not_logic(maat_inst, not_hit_table_name, not_hit_attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); @@ -2730,38 +2731,37 @@ TEST_F(NOTLogic, ScanHitAtLastEmptyExpr) { struct maat_state *state = maat_state_new(maat_inst, thread_id); int ret = maat_scan_string(maat_inst, not_hit_table_name, not_hit_attribute_name, string_should_not_hit, - strlen(string_should_not_hit), results, ARRAY_SIZE, - &n_hit_result, state); + strlen(string_should_not_hit), state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_not_logic(maat_inst, not_hit_table_name, not_hit_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, not_hit_table_name, not_hit_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); uint32_t sip; inet_pton(AF_INET, "10.0.8.186", &sip); - ret = maat_scan_ipv4(maat_inst, hit_table_name, hit_attribute_name, sip, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_ipv4(maat_inst, hit_table_name, hit_attribute_name, sip, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, hit_table_name, hit_attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000186"); - ret = maat_scan_not_logic(maat_inst, hit_table_name, hit_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_string(maat_inst, empty_table_name, empty_attribute_name, string_match_no_region, - strlen(string_match_no_region), results, ARRAY_SIZE, - &n_hit_result, state); + strlen(string_match_no_region), state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_not_logic(maat_inst, empty_table_name, empty_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, empty_table_name, empty_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 1); + maat_state_free(state); state = NULL; } @@ -2781,40 +2781,39 @@ TEST_F(NOTLogic, ScanHitAtLastEmptyInteger) { struct maat_state *state = maat_state_new(maat_inst, thread_id); int ret = maat_scan_string(maat_inst, not_hit_table_name, not_hit_attribute_name, string_should_not_hit, - strlen(string_should_not_hit), results, ARRAY_SIZE, - &n_hit_result, state); + strlen(string_should_not_hit), state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_not_logic(maat_inst, not_hit_table_name, not_hit_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, not_hit_table_name, not_hit_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); uint32_t sip; inet_pton(AF_INET, "10.0.8.187", &sip); - ret = maat_scan_ipv4(maat_inst, hit_table_name, hit_attribute_name, sip, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_ipv4(maat_inst, hit_table_name, hit_attribute_name, sip, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, hit_table_name, hit_attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000187"); - ret = maat_scan_not_logic(maat_inst, hit_table_name, hit_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - int empty_table_id = maat_get_table_id(maat_inst, empty_table_name); ASSERT_GT(empty_table_id, 0); - ret = maat_scan_integer(maat_inst, empty_table_name, empty_attribute_name, 2015, - results, ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_integer(maat_inst, empty_table_name, empty_attribute_name, 2015, state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_not_logic(maat_inst, empty_table_name, empty_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, empty_table_name, empty_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 1); + maat_state_free(state); state = NULL; } @@ -2833,24 +2832,22 @@ TEST_F(NOTLogic, ScanNotIP) { // scan string_should_hit(HTTP_URL) & hit ip(ATTRIBUTE_IP_CONFIG) => not hit rule int ret = maat_scan_string(maat_inst, hit_table_name, hit_attribute_name, string_should_hit, - strlen(string_should_hit), results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + strlen(string_should_hit), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, hit_table_name, hit_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, hit_table_name, hit_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); uint32_t sip; inet_pton(AF_INET, "10.0.6.205", &sip); - ret = maat_scan_ipv4(maat_inst, not_hit_table_name, not_hit_attribute_name, sip, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_ipv4(maat_inst, not_hit_table_name, not_hit_attribute_name, sip, state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_not_logic(maat_inst, not_hit_table_name, not_hit_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HIT); + ret = maat_scan_not_logic(maat_inst, not_hit_table_name, not_hit_attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); @@ -2860,18 +2857,18 @@ TEST_F(NOTLogic, ScanNotIP) { // scan string_should_hit(HTTP_URL) & not hit ip(ATTRIBUTE_IP_CONFIG) => hit rule145 ret = maat_scan_string(maat_inst, hit_table_name, hit_attribute_name, string_should_hit, - strlen(string_should_hit), results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + strlen(string_should_hit), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); inet_pton(AF_INET, "10.0.6.201", &sip); - ret = maat_scan_ipv4(maat_inst, not_hit_table_name, not_hit_attribute_name, sip, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_ipv4(maat_inst, not_hit_table_name, not_hit_attribute_name, sip, state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, not_hit_table_name, not_hit_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); + ret = maat_scan_not_logic(maat_inst, not_hit_table_name, not_hit_attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); maat_state_free(state); state = NULL; @@ -2896,72 +2893,67 @@ TEST_F(NOTLogic, NotUrlAndNotIp) { //scan string_should_half_hit(HTTP_URL_FILTER) & hit ip(ATTRIBUTE_IP_CONFIG) => not hit rule int ret = maat_scan_string(maat_inst, url_table_name, url_attribute_name, string_should_half_hit, - strlen(string_should_half_hit), results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + strlen(string_should_half_hit), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, url_table_name, url_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, url_table_name, url_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); uint32_t sip; inet_pton(AF_INET, "10.0.6.201", &sip); - ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, sip, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, sip, state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, ip_table_name, ip_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, ip_table_name, ip_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + maat_state_reset(state); // scan string_should_half_hit(HTTP_RESPONSE_KEYWORDS) & not hit ip(ATTRIBUTE_IP_CONFIG) => not hit rule ret = maat_scan_string(maat_inst, http_table_name, http_attribute_name, string_should_not_hit, - strlen(string_should_not_hit), results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + strlen(string_should_not_hit), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, http_table_name, http_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, http_table_name, http_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); inet_pton(AF_INET, "10.1.0.0", &sip); - ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, sip, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, sip, state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_not_logic(maat_inst, ip_table_name, ip_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, ip_table_name, ip_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + maat_state_reset(state); // scan scan string_should_half_hit(HTTP_URL_FILTER) & not hit ip(ATTRIBUTE_IP_CONFIG) => hit rule146 ret = maat_scan_string(maat_inst, url_table_name, url_attribute_name, string_should_half_hit, - strlen(string_should_half_hit), results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + strlen(string_should_half_hit), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); ret = maat_scan_string(maat_inst, http_table_name, http_attribute_name, string_nothing, - strlen(string_nothing), results, ARRAY_SIZE, - &n_hit_result, state); + strlen(string_nothing), state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_not_logic(maat_inst, http_table_name, http_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, http_table_name, http_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); inet_pton(AF_INET, "10.1.0.0", &sip); - ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, sip, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, sip, state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_not_logic(maat_inst, ip_table_name, ip_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HIT); + ret = maat_scan_not_logic(maat_inst, ip_table_name, ip_attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); @@ -2985,32 +2977,31 @@ TEST_F(NOTLogic, NotPhysicalTable) { // scan hit string1(KEYWORDS_TABLE) & hit string2(HTTP_RESPONSE_KEYWORDS) => not hit rule int ret = maat_scan_string(maat_inst, table_name, table_name, string1, - strlen(string1), results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + strlen(string1), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, table_name, table_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, table_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_string(maat_inst, table_name, attribute_name, string2, strlen(string2), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_string(maat_inst, table_name, attribute_name, string2, strlen(string2), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); maat_state_reset(state); //scan not hit string1(KEYWORDS_TABLE) & hit string2(HTTP_RESPONSE_KEYWORDS) => hit rule224 - ret = maat_scan_string(maat_inst, table_name, table_name, string3, strlen(string3), - results, ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_string(maat_inst, table_name, table_name, string3, strlen(string3), state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_not_logic(maat_inst, table_name, table_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, table_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_string(maat_inst, table_name, attribute_name, string2, strlen(string2), - results, ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_string(maat_inst, table_name, attribute_name, string2, strlen(string2), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); @@ -3038,76 +3029,62 @@ TEST_F(NOTLogic, EightNotCondition) { struct maat_state *state = maat_state_new(maat_inst, thread_id); int ret = maat_scan_string(maat_inst, table_name, attribute_name1, string_nothing, - strlen(string_nothing), results, ARRAY_SIZE, - &n_hit_result, state); + strlen(string_nothing), state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name1, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name1, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_scan_string(maat_inst, table_name, attribute_name2, string_nothing, - strlen(string_nothing), results, ARRAY_SIZE, - &n_hit_result, state); + strlen(string_nothing), state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name2, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name2, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_scan_string(maat_inst, table_name, attribute_name3, string_nothing, - strlen(string_nothing), results, ARRAY_SIZE, - &n_hit_result, state); + strlen(string_nothing), state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name3, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name3, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_scan_string(maat_inst, table_name, attribute_name4, string_nothing, - strlen(string_nothing), results, ARRAY_SIZE, - &n_hit_result, state); + strlen(string_nothing), state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name4, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name4, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_scan_string(maat_inst, table_name, attribute_name5, string_nothing, - strlen(string_nothing), results, ARRAY_SIZE, - &n_hit_result, state); + strlen(string_nothing), state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name5, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name5, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_scan_string(maat_inst, table_name, attribute_name6, string_nothing, - strlen(string_nothing), results, ARRAY_SIZE, - &n_hit_result, state); + strlen(string_nothing), state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name6, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name6, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_scan_string(maat_inst, table_name, attribute_name7, string_nothing, - strlen(string_nothing), results, ARRAY_SIZE, - &n_hit_result, state); + strlen(string_nothing), state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name7, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name7, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_scan_string(maat_inst, table_name, attribute_name8, string_nothing, - strlen(string_nothing), results, ARRAY_SIZE, - &n_hit_result, state); + strlen(string_nothing), state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name8, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HIT); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name8, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); @@ -3133,31 +3110,27 @@ TEST_F(NOTLogic, NotConditionAndExcludeObject1) { struct maat_state *state = maat_state_new(maat_inst, thread_id); int ret = maat_scan_string(maat_inst, url_table_name, url_attribute_name, string_should_not_hit, - strlen(string_should_not_hit), results, - ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + strlen(string_should_not_hit), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, url_table_name, url_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, url_table_name, url_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_scan_string(maat_inst, url_table_name, url_attribute_name, string_should_half_hit, - strlen(string_should_half_hit), results, - ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + strlen(string_should_half_hit), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, url_table_name, url_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, url_table_name, url_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_scan_string(maat_inst, http_table_name, http_attribute_name, string_nothing, - strlen(string_nothing), results, ARRAY_SIZE, - &n_hit_result, state); + strlen(string_nothing), state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_not_logic(maat_inst, http_table_name, http_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HIT); + ret = maat_scan_not_logic(maat_inst, http_table_name, http_attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); @@ -3182,40 +3155,37 @@ TEST_F(NOTLogic, NotConditionAndExcludeObject2) { struct maat_state *state = maat_state_new(maat_inst, thread_id); int ret = maat_scan_string(maat_inst, http_table_name, http_attribute_name, string_keywords, - strlen(string_keywords), results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + strlen(string_keywords), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, http_table_name, http_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, http_table_name, http_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_string(maat_inst, url_table_name, url_attribute_name, string1, strlen(string1), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_string(maat_inst, url_table_name, url_attribute_name, string1, strlen(string1), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, url_table_name, url_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, url_table_name, url_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + maat_state_reset(state); ret = maat_scan_string(maat_inst, http_table_name, http_attribute_name, string_keywords, - strlen(string_keywords), results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + strlen(string_keywords), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, http_table_name, http_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, http_table_name, http_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_string(maat_inst, url_table_name, url_attribute_name, string2, strlen(string2), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); - - ret = maat_scan_not_logic(maat_inst, url_table_name, url_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_string(maat_inst, url_table_name, url_attribute_name, string2, strlen(string2), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, url_table_name, url_attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); @@ -3238,24 +3208,25 @@ TEST_F(NOTLogic, SingleNotCondition) { //string_should_hit(HTTP_NOT_LOGIC_1) => not hit rule int ret = maat_scan_string(maat_inst, table_name, attribute_name, string_should_hit, - strlen(string_should_hit), results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + strlen(string_should_hit), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + maat_state_reset(state); //string nothing(HTTP_NOT_LOGIC_1) => hit rule222 - ret = maat_scan_string(maat_inst, table_name, attribute_name, string_nothing, strlen(string_nothing), - results, ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_string(maat_inst, table_name, attribute_name, string_nothing, strlen(string_nothing), state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HIT); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); @@ -3280,58 +3251,58 @@ TEST_F(NOTLogic, MultiNotConditions) { // rule223 = !string1 & !string2 & !string3 //Case1: scan string1 & !string2 & !string3 - int ret = maat_scan_string(maat_inst, table_name, attribute_name, string1, strlen(string1), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + int ret = maat_scan_string(maat_inst, table_name, attribute_name, string1, strlen(string1), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_string(maat_inst, table_name, attribute_name, string_nothing, strlen(string_nothing), - results, ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_string(maat_inst, table_name, attribute_name, string_nothing, strlen(string_nothing), state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + maat_state_reset(state); //Case2: scan !string1 & string2 & !string3 - ret = maat_scan_string(maat_inst, table_name, attribute_name, string_nothing, strlen(string_nothing), - results, ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_string(maat_inst, table_name, attribute_name, string_nothing, strlen(string_nothing), state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_string(maat_inst, table_name, attribute_name, string2, strlen(string2), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_string(maat_inst, table_name, attribute_name, string2, strlen(string2), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + maat_state_reset(state); //Case3: scan !string1 & !string2 & string3 - ret = maat_scan_string(maat_inst, table_name, attribute_name, string_nothing, strlen(string_nothing), - results, ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_string(maat_inst, table_name, attribute_name, string_nothing, strlen(string_nothing), state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_string(maat_inst, table_name, attribute_name, string3, strlen(string3), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_string(maat_inst, table_name, attribute_name, string3, strlen(string3), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + maat_state_reset(state); //Case4: scan !string1 & !string2 & !string3 - ret = maat_scan_string(maat_inst, table_name, attribute_name, string_nothing, strlen(string_nothing), - results, ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_string(maat_inst, table_name, attribute_name, string_nothing, strlen(string_nothing), state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HIT); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); @@ -3359,67 +3330,66 @@ TEST_F(NOTLogic, MultiObjectsInOneNotCondition) { //-------------------------------------- // Source ASN1 & Dest ASN => not hit rule //-------------------------------------- - int ret = maat_scan_string(maat_inst, table_name, src_asn_attribute_name, src_asn1, strlen(src_asn1), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + int ret = maat_scan_string(maat_inst, table_name, src_asn_attribute_name, src_asn1, strlen(src_asn1), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, table_name, src_asn_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, src_asn_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_string(maat_inst, table_name, dst_asn_attribute_name, dst_asn, strlen(dst_asn), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_string(maat_inst, table_name, dst_asn_attribute_name, dst_asn, strlen(dst_asn), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); maat_state_reset(state); //-------------------------------------- // Source ASN2 & Dest ASN => not hit rule //-------------------------------------- - ret = maat_scan_string(maat_inst, table_name, src_asn_attribute_name, src_asn2, strlen(src_asn2), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_string(maat_inst, table_name, src_asn_attribute_name, src_asn2, strlen(src_asn2), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, table_name, src_asn_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, src_asn_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_string(maat_inst, table_name, dst_asn_attribute_name, dst_asn, strlen(dst_asn), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_string(maat_inst, table_name, dst_asn_attribute_name, dst_asn, strlen(dst_asn), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); maat_state_reset(state); //-------------------------------------- // Source ASN3 & Dest ASN => not hit rule //-------------------------------------- - ret = maat_scan_string(maat_inst, table_name, src_asn_attribute_name, src_asn3, strlen(src_asn3), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_string(maat_inst, table_name, src_asn_attribute_name, src_asn3, strlen(src_asn3), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, table_name, src_asn_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, src_asn_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_string(maat_inst, table_name, dst_asn_attribute_name, dst_asn, strlen(dst_asn), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_string(maat_inst, table_name, dst_asn_attribute_name, dst_asn, strlen(dst_asn), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); maat_state_reset(state); // Source nothing & Dest ASN => hit rule177 ret = maat_scan_string(maat_inst, table_name, src_asn_attribute_name, src_asn_nothing, - strlen(src_asn_nothing),results, ARRAY_SIZE, - &n_hit_result, state); + strlen(src_asn_nothing), state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_not_logic(maat_inst, table_name, src_asn_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, src_asn_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_string(maat_inst, table_name, dst_asn_attribute_name, dst_asn, strlen(dst_asn), - results, ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_string(maat_inst, table_name, dst_asn_attribute_name, dst_asn, strlen(dst_asn), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); @@ -3449,34 +3419,33 @@ TEST_F(NOTLogic, MultiLiteralsInOneNotCondition) { //------------------------------------------- // Source ASN1 & IP Geo //------------------------------------------- - int ret = maat_scan_string(maat_inst, src_asn_table_name, src_asn_attribute_name, src_asn1, strlen(src_asn1), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + int ret = maat_scan_string(maat_inst, src_asn_table_name, src_asn_attribute_name, src_asn1, strlen(src_asn1), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_string(maat_inst, ip_geo_table_name, ip_geo_attribute_name, my_county, strlen(my_county), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_string(maat_inst, ip_geo_table_name, ip_geo_attribute_name, my_county, strlen(my_county), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, src_asn_table_name, src_asn_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, src_asn_table_name, src_asn_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + maat_state_reset(state); //------------------------------------------- // Source nothing & IP Geo //------------------------------------------- - ret = maat_scan_string(maat_inst, src_asn_table_name, src_asn_attribute_name, src_nothing, strlen(src_nothing), - results, ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_string(maat_inst, src_asn_table_name, src_asn_attribute_name, src_nothing, strlen(src_nothing), state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_string(maat_inst, ip_geo_table_name, ip_geo_attribute_name, my_county, strlen(my_county), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); - - ret = maat_scan_not_logic(maat_inst, src_asn_table_name, src_asn_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_string(maat_inst, ip_geo_table_name, ip_geo_attribute_name, my_county, strlen(my_county), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, src_asn_table_name, src_asn_attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); @@ -3487,18 +3456,18 @@ TEST_F(NOTLogic, MultiLiteralsInOneNotCondition) { //------------------------------------------- // Source ASN2 & IP Geo //------------------------------------------- - ret = maat_scan_string(maat_inst, src_asn_table_name, src_asn_attribute_name, src_asn2, strlen(src_asn2), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_string(maat_inst, src_asn_table_name, src_asn_attribute_name, src_asn2, strlen(src_asn2), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_string(maat_inst, ip_geo_table_name, ip_geo_attribute_name, my_county, strlen(my_county), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_string(maat_inst, ip_geo_table_name, ip_geo_attribute_name, my_county, strlen(my_county), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, src_asn_table_name, src_asn_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, src_asn_table_name, src_asn_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + maat_state_reset(state); //-------------------------------------- @@ -3506,17 +3475,17 @@ TEST_F(NOTLogic, MultiLiteralsInOneNotCondition) { //-------------------------------------- uint32_t ip_addr; inet_pton(AF_INET, "192.168.40.88", &ip_addr); - ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_string(maat_inst, ip_geo_table_name, ip_geo_attribute_name, my_county, strlen(my_county), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_string(maat_inst, ip_geo_table_name, ip_geo_attribute_name, my_county, strlen(my_county), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, ip_table_name, ip_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, ip_table_name, ip_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); maat_state_reset(state); @@ -3525,17 +3494,16 @@ TEST_F(NOTLogic, MultiLiteralsInOneNotCondition) { //-------------------------------------- inet_pton(AF_INET, "192.168.40.89", &ip_addr); - ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_string(maat_inst, ip_geo_table_name, ip_geo_attribute_name, my_county, strlen(my_county), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); - - ret = maat_scan_not_logic(maat_inst, ip_table_name, ip_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_string(maat_inst, ip_geo_table_name, ip_geo_attribute_name, my_county, strlen(my_county), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, ip_table_name, ip_attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000181"); @@ -3566,84 +3534,79 @@ TEST_F(NOTLogic, SameAttributeInMultiCondition) { //------------------------------------------- // Dest ASN1 & Dest ASN3 & IP Config //------------------------------------------- - int ret = maat_scan_string(maat_inst, dst_asn_table_name, dst_asn_attribute_name, src_asn1, strlen(src_asn1), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + int ret = maat_scan_string(maat_inst, dst_asn_table_name, dst_asn_attribute_name, src_asn1, strlen(src_asn1), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_string(maat_inst, dst_asn_table_name, dst_asn_attribute_name, src_asn3, strlen(src_asn3), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_string(maat_inst, dst_asn_table_name, dst_asn_attribute_name, src_asn3, strlen(src_asn3), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, dst_asn_table_name, dst_asn_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, dst_asn_table_name, dst_asn_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + maat_state_reset(state); //------------------------------------------- // Dest ASN2 & Dest ASN3 & IP Config //------------------------------------------- - ret = maat_scan_string(maat_inst, dst_asn_table_name, dst_asn_attribute_name, src_asn2, strlen(src_asn2), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_string(maat_inst, dst_asn_table_name, dst_asn_attribute_name, src_asn2, strlen(src_asn2), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_string(maat_inst, dst_asn_table_name, dst_asn_attribute_name, src_asn3, strlen(src_asn3), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_string(maat_inst, dst_asn_table_name, dst_asn_attribute_name, src_asn3, strlen(src_asn3), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, dst_asn_table_name, dst_asn_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, dst_asn_table_name, dst_asn_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); maat_state_reset(state); //------------------------------------------- // Dest IP Geo & Dest ASN3 & IP Config //------------------------------------------- - ret = maat_scan_string(maat_inst, ip_geo_table_name, ip_geo_attribute_name, my_county, strlen(my_county), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_string(maat_inst, ip_geo_table_name, ip_geo_attribute_name, my_county, strlen(my_county), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, ip_geo_table_name, ip_geo_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, ip_geo_table_name, ip_geo_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_string(maat_inst, dst_asn_table_name, dst_asn_attribute_name, src_asn3, strlen(src_asn3), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_string(maat_inst, dst_asn_table_name, dst_asn_attribute_name, src_asn3, strlen(src_asn3), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, dst_asn_table_name, dst_asn_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, dst_asn_table_name, dst_asn_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); maat_state_reset(state); //------------------------------------------- // Dest ASN3 & IP Geo //------------------------------------------- - ret = maat_scan_string(maat_inst, dst_asn_table_name, dst_asn_attribute_name, src_asn3, strlen(src_asn3), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_string(maat_inst, dst_asn_table_name, dst_asn_attribute_name, src_asn3, strlen(src_asn3), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, dst_asn_table_name, dst_asn_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, dst_asn_table_name, dst_asn_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); @@ -3654,19 +3617,19 @@ TEST_F(NOTLogic, SameAttributeInMultiCondition) { //-------------------------------------- // IP Config & IP Geo //-------------------------------------- - ret = maat_scan_string(maat_inst, dst_asn_table_name, dst_asn_attribute_name, src_asn3, strlen(src_asn3), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_string(maat_inst, dst_asn_table_name, dst_asn_attribute_name, src_asn3, strlen(src_asn3), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); inet_pton(AF_INET, "192.168.40.89", &ip_addr); - ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_not_logic(maat_inst, dst_asn_table_name, dst_asn_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, dst_asn_table_name, dst_asn_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + maat_state_free(state); state = NULL; } @@ -3731,27 +3694,25 @@ TEST_F(ExcludeLogic, ScanExcludeAtFirst) { struct maat_state *state = maat_state_new(maat_inst, thread_id); int ret = maat_scan_string(maat_inst, not_hit_table_name, not_hit_attribute_name, string_should_not_hit, - strlen(string_should_not_hit), results, ARRAY_SIZE, - &n_hit_result, state); + strlen(string_should_not_hit), state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_not_logic(maat_inst, not_hit_table_name, not_hit_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, not_hit_table_name, not_hit_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_scan_string(maat_inst, hit_table_name, hit_attribute_name, string_should_hit, - strlen(string_should_hit), results, ARRAY_SIZE, - &n_hit_result, state); + strlen(string_should_hit), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, hit_table_name, hit_attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000199"); - ret = maat_scan_not_logic(maat_inst, hit_table_name, hit_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_free(state); state = NULL; } @@ -3769,29 +3730,29 @@ TEST_F(ExcludeLogic, ScanExcludeAtLast) { struct maat_state *state = maat_state_new(maat_inst, thread_id); int ret = maat_scan_string(maat_inst, table_name, attribute_name, string_should_not_hit, - strlen(string_should_not_hit), results, - ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + strlen(string_should_not_hit), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + maat_state_reset(state); ret = maat_scan_string(maat_inst, table_name, attribute_name, string_should_hit, - strlen(string_should_hit), results, - ARRAY_SIZE, &n_hit_result, state); - + strlen(string_should_hit), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); - EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000200"); - - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); + EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000200"); maat_state_free(state); state = NULL; @@ -3811,27 +3772,29 @@ TEST_F(ExcludeLogic, ScanIrrelavantAtLast) { struct maat_state *state = maat_state_new(maat_inst, thread_id); int ret = maat_scan_string(maat_inst, hit_table_name, hit_attribute_name, string_should_hit, - strlen(string_should_hit), results, ARRAY_SIZE, - &n_hit_result, state); + strlen(string_should_hit), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + ret = maat_scan_not_logic(maat_inst, hit_table_name, hit_attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000200"); - ret = maat_scan_not_logic(maat_inst, hit_table_name, hit_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_string(maat_inst, not_hit_table_name, not_hit_attribute_name, string_irrelevant, - strlen(string_irrelevant), results, ARRAY_SIZE, - &n_hit_result, state); + strlen(string_irrelevant), state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_not_logic(maat_inst, not_hit_table_name, not_hit_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, not_hit_table_name, not_hit_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 1); + uuid_unparse(results[0], uuid_str); + EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000200"); + maat_state_free(state); state = NULL; } @@ -3849,9 +3812,12 @@ TEST_F(ExcludeLogic, ScanAttribute) { uint32_t should_not_hit_ip; inet_pton(AF_INET, "100.64.1.1", &should_hit_ip); - int ret = maat_scan_ipv4(maat_inst, table_name, attribute_name, should_hit_ip, results, - ARRAY_SIZE, &n_hit_result, state); + int ret = maat_scan_ipv4(maat_inst, table_name, attribute_name, should_hit_ip, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); @@ -3859,43 +3825,40 @@ TEST_F(ExcludeLogic, ScanAttribute) { maat_state_reset(state); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + inet_pton(AF_INET, "100.64.1.5", &should_hit_ip); + ret = maat_scan_ipv4(maat_inst, table_name, attribute_name, should_hit_ip, state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); - inet_pton(AF_INET, "100.64.1.5", &should_hit_ip); - ret = maat_scan_ipv4(maat_inst, table_name, attribute_name, should_hit_ip, results, - ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HIT); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000202"); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_reset(state); inet_pton(AF_INET, "100.64.1.6", &should_not_hit_ip); - ret = maat_scan_ipv4(maat_inst, table_name, attribute_name, should_not_hit_ip, results, - ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_ipv4(maat_inst, table_name, attribute_name, should_not_hit_ip, state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + maat_state_reset(state); inet_pton(AF_INET, "100.64.1.11", &should_not_hit_ip); - ret = maat_scan_ipv4(maat_inst, table_name, attribute_name, should_not_hit_ip, results, - ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_ipv4(maat_inst, table_name, attribute_name, should_not_hit_ip, state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); maat_state_free(state); } @@ -3916,50 +3879,50 @@ TEST_F(ExcludeLogic, ScanWithMultiCondition) { uint32_t ip_addr; inet_pton(AF_INET, "192.168.50.43", &ip_addr); - int ret = maat_scan_ipv4(maat_inst, ip_table_name, src_ip_attribute_name, ip_addr, results, - ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + int ret = maat_scan_ipv4(maat_inst, ip_table_name, src_ip_attribute_name, ip_addr, state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, ip_table_name, src_ip_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, ip_table_name, src_ip_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); inet_pton(AF_INET, "47.92.108.93", &ip_addr); - ret = maat_scan_ipv4(maat_inst, ip_table_name, dst_ip_attribute_name, ip_addr, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_ipv4(maat_inst, ip_table_name, dst_ip_attribute_name, ip_addr, state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, ip_table_name, dst_ip_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, ip_table_name, dst_ip_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + const char *expr_attribute_name = "HTTP_RESPONSE_KEYWORDS"; const char *expr_table_name = "KEYWORDS_TABLE"; const char *should_not_hit_expr = "www.jianshu.com"; ret = maat_scan_string(maat_inst, expr_table_name, expr_attribute_name, should_not_hit_expr, - strlen(should_not_hit_expr), results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + strlen(should_not_hit_expr), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, expr_table_name, expr_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, expr_table_name, expr_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + const char *should_hit_expr = "mail.jianshu.com"; ret = maat_scan_string(maat_inst, expr_table_name, expr_attribute_name, should_hit_expr, - strlen(should_hit_expr), results, ARRAY_SIZE, - &n_hit_result, state); + strlen(should_hit_expr), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, expr_table_name, expr_attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000203"); - ret = maat_scan_not_logic(maat_inst, expr_table_name, expr_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_free(state); state = NULL; } @@ -3977,61 +3940,65 @@ TEST_F(ExcludeLogic, ExcludeInDifferentLevel) { uint32_t ip_addr; inet_pton(AF_INET, "100.64.2.1", &ip_addr); - int ret = maat_scan_ipv4(maat_inst, ip_table_name, src_ip_attribute_name, ip_addr, results, - ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + int ret = maat_scan_ipv4(maat_inst, ip_table_name, src_ip_attribute_name, ip_addr, state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, ip_table_name, src_ip_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, ip_table_name, src_ip_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + inet_pton(AF_INET, "100.64.2.6", &ip_addr); - ret = maat_scan_ipv4(maat_inst, ip_table_name, dst_ip_attribute_name, ip_addr, results, - ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_ipv4(maat_inst, ip_table_name, dst_ip_attribute_name, ip_addr, state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, ip_table_name, dst_ip_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, ip_table_name, dst_ip_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + const char *expr_attribute_name = "HTTP_RESPONSE_KEYWORDS"; const char *expr_table_name = "KEYWORDS_TABLE"; const char *should_not_hit_expr1 = "www.baidu.com"; ret = maat_scan_string(maat_inst, expr_table_name, expr_attribute_name, should_not_hit_expr1, - strlen(should_not_hit_expr1), results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + strlen(should_not_hit_expr1), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, expr_table_name, expr_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, expr_table_name, expr_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + const char *should_not_hit_expr2 = "mail.baidu.com"; ret = maat_scan_string(maat_inst, expr_table_name, expr_attribute_name, should_not_hit_expr2, - strlen(should_not_hit_expr2), results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + strlen(should_not_hit_expr2), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, expr_table_name, expr_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, expr_table_name, expr_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + const char *should_hit_expr = "hit.baidu.com"; ret = maat_scan_string(maat_inst, expr_table_name, expr_attribute_name, should_hit_expr, - strlen(should_hit_expr), results, ARRAY_SIZE, - &n_hit_result, state); + strlen(should_hit_expr), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, expr_table_name, expr_attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000204"); - ret = maat_scan_not_logic(maat_inst, expr_table_name, expr_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_free(state); } @@ -4986,9 +4953,10 @@ TEST_F(Attribute, basic) { char scan_data[128] = "string1, string2, string3, string4, string5," " string6, string7, string8"; - int ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + int ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 0); maat_state_free(state); state = NULL; @@ -5186,9 +5154,12 @@ TEST_F(RuleTable, Conjunction1) { struct maat *maat_inst = RuleTable::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); - int ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), - results, ARRAY_SIZE, &n_hit_result, state); + int ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 2); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); @@ -5197,10 +5168,6 @@ TEST_F(RuleTable, Conjunction1) { uuid_unparse(results[1], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000141"); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - struct maat_hit_path hit_path[HIT_PATH_SIZE]; int n_read = maat_state_get_hit_paths(state, hit_path, HIT_PATH_SIZE); EXPECT_EQ(n_read, 2); @@ -5220,9 +5187,12 @@ TEST_F(RuleTable, Conjunction2) { struct maat *maat_inst = RuleTable::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); - int ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), - results, ARRAY_SIZE, &n_hit_result, state); + int ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 2); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); @@ -5231,22 +5201,20 @@ TEST_F(RuleTable, Conjunction2) { uuid_unparse(results[1], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000141"); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); struct maat_hit_path hit_path[HIT_PATH_SIZE]; int n_read = maat_state_get_hit_paths(state, hit_path, HIT_PATH_SIZE); EXPECT_EQ(n_read, 2); - ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 2); + memset(hit_path, 0, sizeof(hit_path)); n_read = maat_state_get_hit_paths(state, hit_path, HIT_PATH_SIZE); EXPECT_EQ(n_read, 4); @@ -5365,23 +5333,25 @@ TEST_F(Policy, RuleRuleTags) { int ret = maat_scan_string(maat_inst, table_name, attribute_name, should_not_hit, - strlen(should_not_hit), results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + strlen(should_not_hit), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_scan_string(maat_inst, table_name, attribute_name, should_hit, - strlen(should_hit), results, ARRAY_SIZE, - &n_hit_result, state); + strlen(should_hit), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 1); + char uuid_str[UUID_STR_LEN] = {0}; + uuid_unparse(results[0], uuid_str); + EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000139"); + maat_state_free(state); state = NULL; } @@ -5407,26 +5377,21 @@ TEST_F(Policy, RuleEXData) { rule_ex_param_dup, 0, &ex_data_counter); ASSERT_TRUE(ret == 0); - EXPECT_EQ(ex_data_counter, 2); + EXPECT_EQ(ex_data_counter, 1); - ret = maat_state_set_scan_rule_table(state, conj_rule_table_name); - EXPECT_EQ(ret, 0); - - ret = maat_scan_string(maat_inst, table_name, attribute_name, url, strlen(url), - results, ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_string(maat_inst, table_name, attribute_name, url, strlen(url), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, conj_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000198"); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - void *ex_data = maat_plugin_table_get_ex_data(maat_inst, plugin_table_name, uuid_str, strlen(uuid_str)); - ASSERT_TRUE(ex_data!=NULL); struct rule_ex_param *param = (struct rule_ex_param *)ex_data; EXPECT_EQ(param->id, 7799); @@ -5450,28 +5415,28 @@ TEST_F(Policy, SubObject) { const char *attribute_name = "MAIL_ADDR"; const char *table_name = "MAIL_ADDR"; - int ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + int ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + const char *ip_table_name = "IP_CONFIG"; const char *ip_attribute_name = "IP_CONFIG"; - ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, results, ARRAY_SIZE, - &n_hit_result, state); - + ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + ret = maat_scan_not_logic(maat_inst, ip_table_name, ip_attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000153"); - - ret = maat_scan_not_logic(maat_inst, ip_table_name, ip_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_free(state); } @@ -5486,9 +5451,13 @@ TEST_F(Policy, EvaluationOrder) { const char *table_name = "HTTP_URL"; const char *attribute_name = "HTTP_URL"; - int ret = maat_scan_string(maat_inst, table_name, attribute_name, url, strlen(url), - results, ARRAY_SIZE, &n_hit_result, state); + int ret = maat_scan_string(maat_inst, table_name, attribute_name, url, strlen(url), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 3); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); @@ -5561,10 +5530,6 @@ TEST_F(Policy, EvaluationOrder) { uuid_unparse(hit_path[5].rule_uuid, uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000167"); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - uint32_t ip_addr; inet_pton(AF_INET, "192.168.23.23", &ip_addr); @@ -5572,17 +5537,16 @@ TEST_F(Policy, EvaluationOrder) { const char *ip_plus_attribute_name = "IP_PLUS_CONFIG"; memset(results, 0, sizeof(results)); - ret = maat_scan_ipv4(maat_inst, ip_plus_table_name, ip_plus_attribute_name, ip_addr, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_ipv4(maat_inst, ip_plus_table_name, ip_plus_attribute_name, ip_addr, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); - EXPECT_EQ(n_hit_result, 1); - uuid_unparse(results[0], uuid_str); - EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000165"); - - ret = maat_scan_not_logic(maat_inst, ip_plus_table_name, ip_plus_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, ip_plus_table_name, ip_plus_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 4); + uuid_unparse(results[3], uuid_str); + EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000165"); + maat_state_free(state); } @@ -5598,20 +5562,22 @@ TEST_F(Policy, NotConditionHitPath) { struct maat *maat_inst = Policy::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); - int ret = maat_scan_string(maat_inst, url_table_name, url_attribute_name, url, strlen(url), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + int ret = maat_scan_string(maat_inst, url_table_name, url_attribute_name, url, strlen(url), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); uint32_t ip_addr; inet_pton(AF_INET, "192.168.101.101", &ip_addr); - ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, results, - ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_not_logic(maat_inst, ip_table_name, ip_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HIT); + ret = maat_scan_not_logic(maat_inst, ip_table_name, ip_attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); @@ -5726,9 +5692,12 @@ TEST_F(TableInfo, Conjunction) { struct maat_state *state = maat_state_new(maat_inst, thread_id); int ret = maat_scan_string(maat_inst, conj_table_name, attribute_name, scan_data, - strlen(scan_data), results, ARRAY_SIZE, - &n_hit_result, state); + strlen(scan_data), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + ret = maat_scan_not_logic(maat_inst, conj_table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 2); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); @@ -5737,10 +5706,6 @@ TEST_F(TableInfo, Conjunction) { uuid_unparse(results[1], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000133"); - ret = maat_scan_not_logic(maat_inst, conj_table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_free(state); state = NULL; } @@ -5807,8 +5772,6 @@ TEST_F(FileTest, StreamFiles) { struct stat file_info; size_t file_size = 0; char file_path[PATH_MAX] = {0}; - uuid_t results[ARRAY_SIZE]; - size_t n_hit_result = 0; int hit_cnt = 0; for (int i = 0; i < n; i++) { @@ -5831,8 +5794,7 @@ TEST_F(FileTest, StreamFiles) { } int read_len = fread(buff, 1, file_size, fp); - ret = maat_stream_scan(stream, buff, read_len, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_stream_scan(stream, buff, read_len, state); read_len = fread(buff, 1, sizeof(buff), fp); if (ret > 0) { hit_cnt++; @@ -5913,39 +5875,38 @@ TEST_F(ObjectHierarchy, AttributeOfOnePhysical) struct maat *maat_inst = ObjectHierarchy::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); - int ret = maat_scan_string(maat_inst, url_table_name, url_attribute_name, http_url, strlen(http_url), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + int ret = maat_scan_string(maat_inst, url_table_name, url_attribute_name, http_url, strlen(http_url), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, url_table_name, url_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, url_table_name, url_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_string(maat_inst, keywords_table_name, keywords_attribute_name, http_content, strlen(http_content), - results, ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_string(maat_inst, keywords_table_name, keywords_attribute_name, http_content, strlen(http_content), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, keywords_table_name, keywords_attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000160"); - ret = maat_scan_not_logic(maat_inst, keywords_table_name, keywords_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_reset(state); const char *should_not_hit = "2018-10-05 is a keywords of table " "KEYWORDS_TABLE. Should not hit."; ret = maat_scan_string(maat_inst, keywords_table_name, keywords_attribute_name, should_not_hit, - strlen(should_not_hit), results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + strlen(should_not_hit), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, keywords_table_name, keywords_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, keywords_table_name, keywords_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + maat_state_free(state); state = NULL; } @@ -5964,27 +5925,25 @@ TEST_F(ObjectHierarchy, OneObjectInTwoAttribute) { struct maat_state *state = maat_state_new(maat_inst, thread_id); ret = maat_scan_string(maat_inst, table_name, req_attribute_name, http_resp_hdr_cookie, - strlen(http_resp_hdr_cookie), results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + strlen(http_resp_hdr_cookie), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, table_name, req_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, req_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_scan_string(maat_inst, table_name, res_attribute_name, http_resp_hdr_cookie, - strlen(http_resp_hdr_cookie), results, ARRAY_SIZE, - &n_hit_result, state); + strlen(http_resp_hdr_cookie), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, table_name, res_attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000163"); - ret = maat_scan_not_logic(maat_inst, table_name, res_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_free(state); state = NULL; } @@ -6006,74 +5965,67 @@ TEST_F(ObjectHierarchy, MultiObjectsInOneCondition) { //-------------------------------------- // Source ASN1 & Dest ASN //-------------------------------------- - int ret = maat_scan_string(maat_inst, table_name, src_asn_attribute_name, src_asn1, strlen(src_asn1), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + int ret = maat_scan_string(maat_inst, table_name, src_asn_attribute_name, src_asn1, strlen(src_asn1), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, table_name, src_asn_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, src_asn_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_string(maat_inst, table_name, dst_asn_sttribute_name, dst_asn, strlen(dst_asn), - results, ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_string(maat_inst, table_name, dst_asn_sttribute_name, dst_asn, strlen(dst_asn), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + ret = maat_scan_not_logic(maat_inst, table_name, dst_asn_sttribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000178"); - ret = maat_scan_not_logic(maat_inst, table_name, dst_asn_sttribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_reset(state); //-------------------------------------- // Source ASN2 & Dest ASN //-------------------------------------- - ret = maat_scan_string(maat_inst, table_name, src_asn_attribute_name, src_asn2, strlen(src_asn2), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_string(maat_inst, table_name, src_asn_attribute_name, src_asn2, strlen(src_asn2), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, table_name, src_asn_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, src_asn_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_string(maat_inst, table_name, dst_asn_sttribute_name, dst_asn, strlen(dst_asn), - results, ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_string(maat_inst, table_name, dst_asn_sttribute_name, dst_asn, strlen(dst_asn), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, table_name, dst_asn_sttribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000178"); - ret = maat_scan_not_logic(maat_inst, table_name, dst_asn_sttribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_reset(state); //-------------------------------------- // Source ASN3 & Dest ASN //-------------------------------------- - ret = maat_scan_string(maat_inst, table_name, src_asn_attribute_name, src_asn3, strlen(src_asn3), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_string(maat_inst, table_name, src_asn_attribute_name, src_asn3, strlen(src_asn3), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, table_name, src_asn_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, src_asn_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_string(maat_inst, table_name, dst_asn_sttribute_name, dst_asn, strlen(dst_asn), - results, ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_string(maat_inst, table_name, dst_asn_sttribute_name, dst_asn, strlen(dst_asn), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, table_name, dst_asn_sttribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000178"); - ret = maat_scan_not_logic(maat_inst, table_name, dst_asn_sttribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_free(state); state = NULL; } @@ -6098,16 +6050,16 @@ TEST_F(ObjectHierarchy, MultiLiteralsInOneCondition) { // Source ASN1 & IP //-------------------------------------- - int ret = maat_scan_string(maat_inst, src_asn_table_name, src_asn_attribute_name, src_asn1, strlen(src_asn1), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + int ret = maat_scan_string(maat_inst, src_asn_table_name, src_asn_attribute_name, src_asn1, strlen(src_asn1), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); uint32_t ip_addr; inet_pton(AF_INET, "192.168.40.88", &ip_addr); - ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); @@ -6118,13 +6070,13 @@ TEST_F(ObjectHierarchy, MultiLiteralsInOneCondition) { //-------------------------------------- // IP Geo & IP //-------------------------------------- - ret = maat_scan_string(maat_inst, ip_geo_table_name, ip_geo_attribute_name, my_county, strlen(my_county), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); - - ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_string(maat_inst, ip_geo_table_name, ip_geo_attribute_name, my_county, strlen(my_county), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000180"); @@ -6134,17 +6086,16 @@ TEST_F(ObjectHierarchy, MultiLiteralsInOneCondition) { //-------------------------------------- // (Source ASN2 | IP Geo) & IP //-------------------------------------- - ret = maat_scan_string(maat_inst, src_asn_table_name, src_asn_attribute_name, src_asn2, strlen(src_asn2), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); - - ret = maat_scan_string(maat_inst, ip_geo_table_name, ip_geo_attribute_name, my_county, strlen(my_county), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); - - ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_string(maat_inst, src_asn_table_name, src_asn_attribute_name, src_asn2, strlen(src_asn2), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_string(maat_inst, ip_geo_table_name, ip_geo_attribute_name, my_county, strlen(my_county), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000180"); @@ -6240,18 +6191,18 @@ TEST_F(MaatCmd, SetIP) { int table_id = maat_get_table_id(maat_inst, ip_table_name); ASSERT_GE(table_id, 0); - ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, sip, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, sip, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, ip_table_name, ip_attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, rule_uuid_str); - ret = maat_scan_not_logic(maat_inst, ip_table_name, ip_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_free(state); state = NULL; } @@ -6287,9 +6238,13 @@ TEST_F(MaatCmd, SetExpr) { sleep(WAIT_FOR_EFFECTIVE_S); memset(results, 0, sizeof(results)); - int ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), - results, ARRAY_SIZE, &n_hit_result, state); + int ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 2); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); @@ -6297,10 +6252,6 @@ TEST_F(MaatCmd, SetExpr) { uuid_unparse(results[1], uuid_str); EXPECT_STREQ(uuid_str, rule_uuid_str1); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_reset(state); ret = rule_table_set_line(maat_inst, rule_table_name, MAAT_OP_DEL, rule_uuid_str1, @@ -6311,14 +6262,15 @@ TEST_F(MaatCmd, SetExpr) { EXPECT_EQ(ret, 1); sleep(WAIT_FOR_EFFECTIVE_S); - ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + maat_state_reset(state); int timeout = 1; @@ -6328,14 +6280,15 @@ TEST_F(MaatCmd, SetExpr) { struct maat_cmd_and_condition and_condition; test_add_expr_command(maat_inst, table_name, attribute_name, rule_uuid_str, timeout, keywords, &and_condition); sleep(timeout + 1); - ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + maat_state_free(state); state = NULL; } @@ -6384,18 +6337,18 @@ TEST_F(MaatCmd, SetExpr8) { sleep(WAIT_FOR_EFFECTIVE_S); - ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data8, strlen(scan_data8), - results, ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data8, strlen(scan_data8), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, rule_uuid_str); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_reset(state); ret = expr_table_set_line(maat_inst, table_name, MAAT_OP_DEL, item_uuid_str, @@ -6408,17 +6361,17 @@ TEST_F(MaatCmd, SetExpr8) { sleep(WAIT_FOR_EFFECTIVE_S); memset(&results, 0, sizeof(results)); - ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data7, strlen(scan_data7), - results, ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data7, strlen(scan_data7), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, rule_uuid_str); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_free(state); state = NULL; } @@ -6452,12 +6405,15 @@ TEST_F(MaatCmd, ObjectScan) { sleep(WAIT_FOR_EFFECTIVE_S); - struct maat_hit_object hit_object; - uuid_parse(object_uuid_str, hit_object.object_uuid); - strncpy(hit_object.attribute_name, attribute_name, sizeof(hit_object.attribute_name)); - ret = maat_scan_object(maat_inst, table_name, attribute_name, &hit_object, 1, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HIT); + uuid_t object_uuid; + uuid_t item_uuid; + uuid_parse(object_uuid_str, object_uuid); + uuid_clear(item_uuid); + + ret = maat_scan_object(maat_inst, table_name, attribute_name, &object_uuid, &item_uuid, 1, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); @@ -6515,18 +6471,18 @@ TEST_F(MaatCmd, SameFilterRefByOneRule) { sleep(WAIT_FOR_EFFECTIVE_S); - ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), - results, ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, rule_uuid_str); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_free(state); state = NULL; } @@ -6550,48 +6506,49 @@ TEST_F(MaatCmd, RuleIDRecycle) { sleep(WAIT_FOR_EFFECTIVE_S); int ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, - strlen(scan_data), results, ARRAY_SIZE, - &n_hit_result, state); + strlen(scan_data), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, rule_uuid_str); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_reset(state); rule_table_set_line(maat_inst, "RULE_DEFAULT", MAAT_OP_DEL, rule_uuid_str, &and_condition, 1, NULL, 0); sleep(WAIT_FOR_EFFECTIVE_S); - ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + maat_state_reset(state); test_add_expr_command(maat_inst, table_name, attribute_name, rule_uuid_str, 0, keywords, &and_condition); sleep(WAIT_FOR_EFFECTIVE_S); memset(results, 0, sizeof(results)); - ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), - results, ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, rule_uuid_str); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_free(state); state = NULL; } @@ -6624,9 +6581,12 @@ TEST_F(MaatCmd, ReturnRuleIDWithDescendingOrder) { sleep(WAIT_FOR_EFFECTIVE_S); memset(results, 0, sizeof(results)); - int ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), - results, ARRAY_SIZE, &n_hit_result, state); + int ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, repeat_times); for (i = 0; i < repeat_times; i++) { char uuid_str[UUID_STR_LEN] = {0}; @@ -6634,10 +6594,6 @@ TEST_F(MaatCmd, ReturnRuleIDWithDescendingOrder) { EXPECT_STREQ(uuid_str, rule_uuid_str_array[repeat_times - i - 1]); } - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_free(state); } @@ -6707,9 +6663,13 @@ TEST_F(MaatCmd, SubObject) { uuid_t results[ARRAY_SIZE]; size_t n_hit_result = 0; - ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data1, strlen(scan_data1), - results, ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data1, strlen(scan_data1), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 2); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); @@ -6717,10 +6677,6 @@ TEST_F(MaatCmd, SubObject) { uuid_unparse(results[1], uuid_str); EXPECT_STREQ(uuid_str, rule1_uuid_str); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_reset(state); /* item1 -> object2 -> object1 -> rule1 @@ -6732,17 +6688,17 @@ TEST_F(MaatCmd, SubObject) { EXPECT_EQ(ret, 1); sleep(WAIT_FOR_EFFECTIVE_S); - ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data1, strlen(scan_data1), - results, ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data1, strlen(scan_data1), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, rule1_uuid_str); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_reset(state); /* item1 -> object2 -> object1 -> X @@ -6759,17 +6715,17 @@ TEST_F(MaatCmd, SubObject) { EXPECT_EQ(ret, 1); sleep(WAIT_FOR_EFFECTIVE_S); - ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data1, strlen(scan_data1), - results, ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data1, strlen(scan_data1), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, rule2_uuid_str); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_reset(state); /* item1 -> object2 -> object1 -> X @@ -6790,14 +6746,15 @@ TEST_F(MaatCmd, SubObject) { ret = expr_table_set_line(maat_inst, table_name, MAAT_OP_ADD, item2_uuid_str, object3_uuid_str, keyword2, EXPR_TYPE_AND, 0);/* EXPR_TYPE_AND MATCH_METHOD_SUB */ sleep(2); - ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data2, strlen(scan_data2), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data2, strlen(scan_data2), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + maat_state_reset(state); /* item1 -> object2 -> object1 -> X @@ -6815,17 +6772,17 @@ TEST_F(MaatCmd, SubObject) { EXPECT_EQ(ret, 1); sleep(WAIT_FOR_EFFECTIVE_S); - ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data1, strlen(scan_data1), - results, ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data1, strlen(scan_data1), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, rule2_uuid_str); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_free(state); state = NULL; } @@ -6893,18 +6850,18 @@ TEST_F(MaatCmd, RefObject) { uuid_t results[ARRAY_SIZE]; size_t n_hit_result = 0; - ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data1, strlen(scan_data1), - results, ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data1, strlen(scan_data1), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, rule1_uuid_str); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_free(state); state = NULL; } @@ -6972,27 +6929,25 @@ TEST_F(MaatCmd, Attribute) { size_t n_hit_result = 0; ret = maat_scan_string(maat_inst, table_name, attribute_req_name, http_req_hdr_ua, - strlen(http_req_hdr_ua), results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + strlen(http_req_hdr_ua), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_req_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_name, attribute_req_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_scan_string(maat_inst, table_name, attribute_resp_name, http_resp_hdr_cookie, - strlen(http_resp_hdr_cookie), results, ARRAY_SIZE, - &n_hit_result, state); + strlen(http_resp_hdr_cookie), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, table_name, attribute_resp_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, rule1_uuid_str); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_resp_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_reset(state); //delete object1 @@ -7010,17 +6965,17 @@ TEST_F(MaatCmd, Attribute) { sleep(WAIT_FOR_EFFECTIVE_S); ret = maat_scan_string(maat_inst, table_name, attribute_resp_name, http_resp_hdr_cookie, - strlen(http_resp_hdr_cookie), results, - ARRAY_SIZE, &n_hit_result, state); + strlen(http_resp_hdr_cookie), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, table_name, attribute_resp_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, rule1_uuid_str); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_resp_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_free(state); state = NULL; } @@ -7812,45 +7767,41 @@ TEST_F(MaatCmd, ObjectInMassRules) { uuid_t results[4]; size_t n_hit_result = 0; - ret = maat_scan_string(maat_inst, url_table_name, url_attribute_anme, http_url2, strlen(http_url2), - results, 4, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_string(maat_inst, url_table_name, url_attribute_anme, http_url2, strlen(http_url2), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, url_table_name, url_attribute_anme, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, url_table_name, url_attribute_anme, state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_integer(maat_inst, appid_table_name, appid_attribute_name, 100, results, 4, - &n_hit_result, state); + ret = maat_scan_integer(maat_inst, appid_table_name, appid_attribute_name, 100, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, appid_table_name, appid_attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, 4); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, target_rule_uuid_str); - ret = maat_scan_not_logic(maat_inst, appid_table_name, appid_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_reset(state); - ret = maat_scan_string(maat_inst, url_table_name, url_attribute_anme, http_url1, strlen(http_url1), - results, 4, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); - - ret = maat_scan_not_logic(maat_inst, url_table_name, url_attribute_anme, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - - ret = maat_scan_integer(maat_inst, appid_table_name, appid_attribute_name, 100, results, 4, - &n_hit_result, state); + ret = maat_scan_string(maat_inst, url_table_name, url_attribute_anme, http_url1, strlen(http_url1), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); - EXPECT_EQ(n_hit_result, 4); - ret = maat_scan_not_logic(maat_inst, appid_table_name, appid_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, url_table_name, url_attribute_anme, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + ret = maat_scan_integer(maat_inst, appid_table_name, appid_attribute_name, 100, state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, appid_table_name, appid_attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, 4); + EXPECT_EQ(n_hit_result, 4); + maat_state_free(state); state = NULL; } @@ -7996,56 +7947,46 @@ TEST_F(MaatCmd, HitObject) { uuid_t results[ARRAY_SIZE]; size_t n_hit_result = 0; - ret = maat_scan_string(maat_inst, http_sig_table_name, http_req_attr_name, http_url, strlen(http_url), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_string(maat_inst, http_sig_table_name, http_req_attr_name, http_url, strlen(http_url), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); size_t scan_times = maat_state_get_scan_count(state); EXPECT_EQ(scan_times, 1); - struct maat_hit_object hit_objects[128]; - memset(hit_objects, 0, sizeof(hit_objects)); + uuid_t item_uuids[128]; + uuid_t object_uuids[128]; - size_t n_hit_object = maat_state_get_direct_hit_object_cnt(state); - maat_state_get_direct_hit_objects(state, hit_objects, n_hit_object); - EXPECT_EQ(n_hit_object, 1); + size_t n_hit_cnt = maat_state_get_hit_items(state, http_req_attr_name, item_uuids, object_uuids, 128); + + EXPECT_EQ(n_hit_cnt, 1); char uuid_str[UUID_STR_LEN] = {0}; - uuid_unparse(hit_objects[0].item_uuid, uuid_str); + uuid_unparse(item_uuids[0], uuid_str); EXPECT_STREQ(uuid_str, item1_uuid_str); - uuid_unparse(hit_objects[0].object_uuid, uuid_str); + uuid_unparse(object_uuids[0], uuid_str); EXPECT_STREQ(uuid_str, object1_uuid_str); - EXPECT_STREQ(hit_objects[0].attribute_name, http_req_attr_name); - memset(hit_objects, 0, sizeof(hit_objects)); - n_hit_object = maat_state_get_indirect_hit_object_cnt(state); - maat_state_get_indirect_hit_objects(state, hit_objects, n_hit_object); - EXPECT_EQ(n_hit_object, 1); - EXPECT_TRUE(uuid_is_null(hit_objects[0].item_uuid)); - uuid_unparse(hit_objects[0].object_uuid, uuid_str); + + n_hit_cnt = maat_state_get_indirect_hit_objects(state, http_req_attr_name, object_uuids, 128); + + EXPECT_EQ(n_hit_cnt, 1); + uuid_unparse(object_uuids[0], uuid_str); EXPECT_STREQ(uuid_str, object11_uuid_str); - EXPECT_STREQ(hit_objects[0].attribute_name, http_req_attr_name); - size_t n_last_hit_object = maat_state_get_last_hit_object_cnt(state); - struct maat_hit_object last_hit_objects[128]; - maat_state_get_last_hit_objects(state, last_hit_objects, 128); - EXPECT_EQ(n_last_hit_object, 2); + n_hit_cnt = maat_state_get_hit_objects(state, http_req_attr_name, object_uuids, 128); - uuid_unparse(last_hit_objects[0].item_uuid, uuid_str); - EXPECT_STREQ(uuid_str, item1_uuid_str); - uuid_unparse(last_hit_objects[0].object_uuid, uuid_str); + EXPECT_EQ(n_hit_cnt, 2); + uuid_unparse(object_uuids[0], uuid_str); EXPECT_STREQ(uuid_str, object1_uuid_str); - EXPECT_STREQ(last_hit_objects[0].attribute_name, http_req_attr_name); - EXPECT_TRUE(uuid_is_null(last_hit_objects[1].item_uuid)); - uuid_unparse(last_hit_objects[1].object_uuid, uuid_str); + uuid_unparse(object_uuids[1], uuid_str); EXPECT_STREQ(uuid_str, object11_uuid_str); - EXPECT_STREQ(last_hit_objects[1].attribute_name, http_req_attr_name); ret = maat_scan_string(maat_inst, http_sig_table_name, http_resp_attr_name, http_resp_hdr_cookie, - strlen(http_resp_hdr_cookie), results, ARRAY_SIZE, - &n_hit_result, state); + strlen(http_resp_hdr_cookie), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, rule1_uuid_str); @@ -8053,109 +7994,78 @@ TEST_F(MaatCmd, HitObject) { scan_times = maat_state_get_scan_count(state); EXPECT_EQ(scan_times, 2); - memset(hit_objects, 0, sizeof(hit_objects)); - n_hit_object = maat_state_get_direct_hit_object_cnt(state); - maat_state_get_direct_hit_objects(state, hit_objects, n_hit_object); - EXPECT_EQ(n_hit_object, 1); - - uuid_unparse(hit_objects[0].item_uuid, uuid_str); + n_hit_cnt = maat_state_get_hit_items(state, http_resp_attr_name, item_uuids, object_uuids, 128); + EXPECT_EQ(n_hit_cnt, 1); + uuid_unparse(item_uuids[0], uuid_str); EXPECT_STREQ(uuid_str, item2_uuid_str); - uuid_unparse(hit_objects[0].object_uuid, uuid_str); + uuid_unparse(object_uuids[0], uuid_str); EXPECT_STREQ(uuid_str, object2_uuid_str); - EXPECT_STREQ(hit_objects[0].attribute_name, http_resp_attr_name); - memset(hit_objects, 0, sizeof(hit_objects)); - n_hit_object = maat_state_get_indirect_hit_object_cnt(state); - maat_state_get_indirect_hit_objects(state, hit_objects, n_hit_object); - EXPECT_EQ(n_hit_object, 1); - EXPECT_TRUE(uuid_is_null(hit_objects[0].item_uuid)); - uuid_unparse(hit_objects[0].object_uuid, uuid_str); + n_hit_cnt = maat_state_get_indirect_hit_objects(state, http_resp_attr_name, object_uuids, 128); + EXPECT_EQ(n_hit_cnt, 1); + uuid_unparse(object_uuids[0], uuid_str); EXPECT_STREQ(uuid_str, object21_uuid_str); - EXPECT_STREQ(hit_objects[0].attribute_name, http_resp_attr_name); - n_last_hit_object = maat_state_get_last_hit_object_cnt(state); - maat_state_get_last_hit_objects(state, last_hit_objects, 128); - EXPECT_EQ(n_last_hit_object, 2); + n_hit_cnt = maat_state_get_hit_objects(state, http_resp_attr_name, object_uuids, 128); + EXPECT_EQ(n_hit_cnt, 2); - uuid_unparse(last_hit_objects[0].item_uuid, uuid_str); - EXPECT_STREQ(uuid_str, item2_uuid_str); - uuid_unparse(last_hit_objects[0].object_uuid, uuid_str); - EXPECT_STREQ(uuid_str, object2_uuid_str); - EXPECT_STREQ(last_hit_objects[0].attribute_name, http_resp_attr_name); - - EXPECT_TRUE(uuid_is_null(last_hit_objects[1].item_uuid)); - uuid_unparse(last_hit_objects[1].object_uuid, uuid_str); + uuid_unparse(object_uuids[0], uuid_str); EXPECT_STREQ(uuid_str, object21_uuid_str); - EXPECT_STREQ(last_hit_objects[1].attribute_name, http_resp_attr_name); + + uuid_unparse(object_uuids[1], uuid_str); + EXPECT_STREQ(uuid_str, object2_uuid_str); const char* keywords1="In graph theory, hit object item forth"; const char *keywords2="To test one object hit object item fifth"; struct maat_stream *stream = maat_stream_new(maat_inst, keywords_table_name, keywords_attr_name, state); - ret = maat_stream_scan(stream, keywords1, strlen(keywords1), results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_stream_scan(stream, keywords1, strlen(keywords1), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); scan_times = maat_state_get_scan_count(state); EXPECT_EQ(scan_times, 3); uint32_t ip_addr; inet_pton(AF_INET, "220.181.38.150", &ip_addr); - ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); scan_times = maat_state_get_scan_count(state); EXPECT_EQ(scan_times, 4); - memset(hit_objects, 0, sizeof(hit_objects)); - n_hit_object = maat_state_get_direct_hit_object_cnt(state); - maat_state_get_direct_hit_objects(state, hit_objects, n_hit_object); - EXPECT_EQ(n_hit_object, 2); - - uuid_unparse(hit_objects[0].item_uuid, uuid_str); + n_hit_cnt = maat_state_get_hit_items(state, keywords_attr_name, item_uuids, object_uuids, 128); + EXPECT_EQ(n_hit_cnt, 1); + uuid_unparse(item_uuids[0], uuid_str); EXPECT_STREQ(uuid_str, item4_uuid_str); - uuid_unparse(hit_objects[0].object_uuid, uuid_str); + uuid_unparse(object_uuids[0], uuid_str); EXPECT_STREQ(uuid_str, object4_uuid_str); - EXPECT_STREQ(hit_objects[0].attribute_name, keywords_attr_name); - uuid_unparse(hit_objects[1].item_uuid, uuid_str); + n_hit_cnt = maat_state_get_hit_items(state, ip_attribute_name, item_uuids, object_uuids, 128); + EXPECT_EQ(n_hit_cnt, 1); + uuid_unparse(item_uuids[0], uuid_str); EXPECT_STREQ(uuid_str, item3_uuid_str); - uuid_unparse(hit_objects[1].object_uuid, uuid_str); + uuid_unparse(object_uuids[0], uuid_str); EXPECT_STREQ(uuid_str, object3_uuid_str); - EXPECT_STREQ(hit_objects[1].attribute_name, ip_attribute_name); - ret = maat_stream_scan(stream, keywords2, strlen(keywords2), results, - ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_stream_scan(stream, keywords2, strlen(keywords2), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); scan_times = maat_state_get_scan_count(state); EXPECT_EQ(scan_times, 5); - memset(hit_objects, 0, sizeof(hit_objects)); - n_hit_object = maat_state_get_direct_hit_object_cnt(state); - maat_state_get_direct_hit_objects(state, hit_objects, n_hit_object); - EXPECT_EQ(n_hit_object, 1); - - uuid_unparse(hit_objects[0].item_uuid, uuid_str); + n_hit_cnt = maat_state_get_hit_items(state, keywords_attr_name, item_uuids, object_uuids, 128); + EXPECT_EQ(n_hit_cnt, 1); + uuid_unparse(item_uuids[0], uuid_str); EXPECT_STREQ(uuid_str, item5_uuid_str); - uuid_unparse(hit_objects[0].object_uuid, uuid_str); + uuid_unparse(object_uuids[0], uuid_str); EXPECT_STREQ(uuid_str, object1_uuid_str); - EXPECT_STREQ(hit_objects[0].attribute_name, keywords_attr_name); - n_last_hit_object = maat_state_get_last_hit_object_cnt(state); - maat_state_get_last_hit_objects(state, last_hit_objects, 128); - EXPECT_EQ(n_last_hit_object, 2); - - uuid_unparse(last_hit_objects[0].item_uuid, uuid_str); - EXPECT_STREQ(uuid_str, item5_uuid_str); - uuid_unparse(last_hit_objects[0].object_uuid, uuid_str); - EXPECT_STREQ(uuid_str, object1_uuid_str); - EXPECT_STREQ(last_hit_objects[0].attribute_name, keywords_attr_name); - - EXPECT_TRUE(uuid_is_null(last_hit_objects[1].item_uuid)); - uuid_unparse(last_hit_objects[1].object_uuid, uuid_str); - EXPECT_STREQ(uuid_str, object11_uuid_str); - EXPECT_STREQ(last_hit_objects[1].attribute_name, keywords_attr_name); + const char *attr_names[10]; + size_t attr_cnt = maat_state_get_attribute_names(state, attr_names, 10); + EXPECT_EQ(attr_cnt, 4); + EXPECT_STREQ(attr_names[0], http_req_attr_name); + EXPECT_STREQ(attr_names[1], http_resp_attr_name); + EXPECT_STREQ(attr_names[2], keywords_attr_name); + EXPECT_STREQ(attr_names[3], ip_attribute_name); maat_stream_free(stream); maat_state_free(state); @@ -8289,14 +8199,15 @@ TEST_F(MaatCmd, HitPathBasic) { Nth_scan++; uuid_t results[ARRAY_SIZE]; size_t n_hit_result = 0; - ret = maat_scan_string(maat_inst, http_sig_table_name, http_req_attr_name, http_url, strlen(http_url), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_string(maat_inst, http_sig_table_name, http_req_attr_name, http_url, strlen(http_url), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, http_sig_table_name, http_req_attr_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, http_sig_table_name, http_req_attr_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + size_t scan_times = maat_state_get_scan_count(state); EXPECT_EQ(scan_times, 1); @@ -8329,17 +8240,17 @@ TEST_F(MaatCmd, HitPathBasic) { Nth_scan++; ret = maat_scan_string(maat_inst, http_sig_table_name, http_resp_attr_name, http_resp_hdr_cookie, - strlen(http_resp_hdr_cookie), results, ARRAY_SIZE, - &n_hit_result, state); + strlen(http_resp_hdr_cookie), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, http_sig_table_name, http_resp_attr_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, rule1_uuid_str); - ret = maat_scan_not_logic(maat_inst, http_sig_table_name, http_resp_attr_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - scan_times = maat_state_get_scan_count(state); EXPECT_EQ(scan_times, 2); @@ -8401,14 +8312,15 @@ that the edges be all directed in the same direction."; struct maat_stream *stream = maat_stream_new(maat_inst, keywords_table_name, keywords_attr_name, state); Nth_scan++; - ret = maat_stream_scan(stream, keywords1, strlen(keywords1), results, - ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_stream_scan(stream, keywords1, strlen(keywords1), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, keywords_table_name, keywords_attr_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, keywords_table_name, keywords_attr_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 1);//still rule1 + scan_times = maat_state_get_scan_count(state); EXPECT_EQ(scan_times, 3); @@ -8430,14 +8342,15 @@ that the edges be all directed in the same direction."; uint32_t ip_addr; inet_pton(AF_INET, "220.181.38.148", &ip_addr); - ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, results, - ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, ip_table_name, ip_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, ip_table_name, ip_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 1);//still rule1 + scan_times = maat_state_get_scan_count(state); EXPECT_EQ(scan_times, 4); @@ -8456,14 +8369,15 @@ that the edges be all directed in the same direction."; EXPECT_TRUE(uuid_is_null(hit_path[path_idx].rule_uuid) == 1); Nth_scan++; - ret = maat_stream_scan(stream, keywords2, strlen(keywords2), results, - ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_stream_scan(stream, keywords2, strlen(keywords2), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, keywords_table_name, keywords_attr_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, keywords_table_name, keywords_attr_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 1);//still rule1 + scan_times = maat_state_get_scan_count(state); EXPECT_EQ(scan_times, 5); @@ -8667,9 +8581,11 @@ TEST_F(MaatCmd, HitPathAdvanced) { uuid_t results[ARRAY_SIZE]; size_t n_hit_result = 0; ret = maat_scan_string(maat_inst, keywords_table_name, keywords_attr_name, http_url_computer, - strlen(http_url_computer), results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + strlen(http_url_computer), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); struct maat_hit_path hit_path[128]; memset(hit_path, 0, sizeof(hit_path)); @@ -8689,9 +8605,10 @@ TEST_F(MaatCmd, HitPathAdvanced) { EXPECT_TRUE(uuid_is_null(hit_path[path_idx].rule_uuid) == 1); ret = maat_scan_string(maat_inst, keywords_table_name, keywords_attr_name, http_url_social, - strlen(http_url_social), results, ARRAY_SIZE, - &n_hit_result, state); + strlen(http_url_social), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, rule1_uuid_str); @@ -8741,10 +8658,11 @@ TEST_F(MaatCmd, HitPathAdvanced) { uint32_t ip_addr; inet_pton(AF_INET, "220.181.38.168", &ip_addr); - ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, results, - ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); - EXPECT_EQ(n_hit_result, 1); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 2); uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, rule2_uuid_str); @@ -8821,10 +8739,11 @@ TEST_F(MaatCmd, HitPathAdvanced) { const char *keywords1 = "In theory, basic and advanced is common"; ret = maat_scan_string(maat_inst, keywords_table_name, keywords_attr_name, keywords1, - strlen(keywords1), results, ARRAY_SIZE, - &n_hit_result, state); + strlen(keywords1), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); - EXPECT_EQ(n_hit_result, 1); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 3); uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, rule3_uuid_str); @@ -9057,14 +8976,15 @@ TEST_F(MaatCmd, HitPathHasNotObject) { Nth_scan++; uuid_t results[ARRAY_SIZE]; size_t n_hit_result = 0; - ret = maat_scan_string(maat_inst, http_sig_table_name, http_req_attr_name, http_url, strlen(http_url), - results, ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_string(maat_inst, http_sig_table_name, http_req_attr_name, http_url, strlen(http_url), state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_not_logic(maat_inst, http_sig_table_name, http_req_attr_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, http_sig_table_name, http_req_attr_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + size_t scan_times = maat_state_get_scan_count(state); EXPECT_EQ(scan_times, 1); @@ -9098,17 +9018,17 @@ TEST_F(MaatCmd, HitPathHasNotObject) { Nth_scan++; ret = maat_scan_string(maat_inst, http_sig_table_name, http_resp_attr_name, http_resp_hdr_cookie, - strlen(http_resp_hdr_cookie), results, ARRAY_SIZE, - &n_hit_result, state); + strlen(http_resp_hdr_cookie), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, http_sig_table_name, http_resp_attr_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, rule1_uuid_str); - ret = maat_scan_not_logic(maat_inst, http_sig_table_name, http_resp_attr_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - scan_times = maat_state_get_scan_count(state); EXPECT_EQ(scan_times, 2); @@ -9171,14 +9091,15 @@ TEST_F(MaatCmd, HitPathHasNotObject) { struct maat_stream *stream = maat_stream_new(maat_inst, keywords_table_name, keywords_attr_name, state); Nth_scan++; - ret = maat_stream_scan(stream, keywords1, strlen(keywords1), results, - ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_stream_scan(stream, keywords1, strlen(keywords1), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, keywords_table_name, keywords_attr_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, keywords_table_name, keywords_attr_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 1); + scan_times = maat_state_get_scan_count(state); EXPECT_EQ(scan_times, 3); @@ -9200,14 +9121,15 @@ TEST_F(MaatCmd, HitPathHasNotObject) { Nth_scan++; uint32_t ip_addr; inet_pton(AF_INET, "220.181.38.158", &ip_addr); - ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, results, - ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, ip_table_name, ip_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, ip_table_name, ip_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 1); + scan_times = maat_state_get_scan_count(state); EXPECT_EQ(scan_times, 4); @@ -9227,14 +9149,15 @@ TEST_F(MaatCmd, HitPathHasNotObject) { EXPECT_TRUE(uuid_is_null(hit_path[path_idx].rule_uuid) == 1); Nth_scan++; - ret = maat_stream_scan(stream, keywords2, strlen(keywords2), results, - ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_stream_scan(stream, keywords2, strlen(keywords2), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, keywords_table_name, keywords_attr_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, keywords_table_name, keywords_attr_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 1); + scan_times = maat_state_get_scan_count(state); EXPECT_EQ(scan_times, 5); @@ -9319,19 +9242,19 @@ TEST_F(MaatCmd, SameSuperObjectRefByMultiRule) { struct maat_hit_path hit_path[128]; ret = maat_scan_string(maat_inst, http_sig_table_name, http_resp_attr_name, http_res_key_str, - strlen(http_res_key_str), results, ARRAY_SIZE, - &n_hit_result, state); + strlen(http_res_key_str), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, http_sig_table_name, http_resp_attr_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 2); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, rule3_uuid_str); uuid_unparse(results[1], uuid_str); EXPECT_STREQ(uuid_str, rule2_uuid_str); - - ret = maat_scan_not_logic(maat_inst, http_sig_table_name, http_resp_attr_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); memset(hit_path, 0, sizeof(hit_path)); int n_read = maat_state_get_hit_paths(state, hit_path, sizeof(hit_path)); @@ -9433,21 +9356,20 @@ TEST_F(MaatCmd, ObjectEdit) { uuid_t results[ARRAY_SIZE]; size_t n_hit_result = 0; - ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, results, - ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, ip_table_name, ip_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, ip_table_name, ip_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + int scan_app_id = 42; - ret = maat_scan_integer(maat_inst, app_id_table_name, app_id_attribute_name, scan_app_id, results, - ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_integer(maat_inst, app_id_table_name, app_id_attribute_name, scan_app_id, state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_not_logic(maat_inst, app_id_table_name, app_id_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, app_id_table_name, app_id_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_reset(state); @@ -9467,23 +9389,22 @@ TEST_F(MaatCmd, ObjectEdit) { sleep(WAIT_FOR_EFFECTIVE_S); - ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, results, - ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); - - - ret = maat_scan_integer(maat_inst, app_id_table_name, app_id_attribute_name, scan_app_id, results, - ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + + ret = maat_scan_integer(maat_inst, app_id_table_name, app_id_attribute_name, scan_app_id, state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, app_id_table_name, app_id_attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, rule1_uuid_str); - ret = maat_scan_not_logic(maat_inst, app_id_table_name, app_id_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - struct maat_hit_path hit_path[128]; memset(hit_path, 0, sizeof(hit_path)); @@ -9501,21 +9422,20 @@ TEST_F(MaatCmd, ObjectEdit) { sleep(WAIT_FOR_EFFECTIVE_S); memset(results, 0, sizeof(results)); - ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, results, - ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, ip_table_name, ip_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, ip_table_name, ip_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_integer(maat_inst, app_id_table_name, app_id_attribute_name, scan_app_id, results, - ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_integer(maat_inst, app_id_table_name, app_id_attribute_name, scan_app_id, state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_not_logic(maat_inst, app_id_table_name, app_id_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, app_id_table_name, app_id_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); maat_state_free(state); state = NULL; @@ -9565,18 +9485,18 @@ TEST_F(MaatCmd, RuleDelete_TSG6548) { int table_id = maat_get_table_id(maat_inst, ip_table_name); ASSERT_GT(table_id, 0); - ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, results, - ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, ip_table_name, ip_attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, rule1_uuid_str); - ret = maat_scan_not_logic(maat_inst, ip_table_name, ip_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = rule_table_set_line(maat_inst, rule_table_name, MAAT_OP_DEL, rule1_uuid_str, and_conditions, 1, NULL, 0); EXPECT_EQ(ret, 1); @@ -9586,16 +9506,17 @@ TEST_F(MaatCmd, RuleDelete_TSG6548) { time_t update_time = time(NULL); time_t now = update_time; while (now - update_time < 3) { - ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, results, - ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, state); if (ret == MAAT_SCAN_HIT) { - hit_cnt++; - uuid_unparse(results[0], uuid_str); - EXPECT_STREQ(uuid_str, rule1_uuid_str); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + if (n_hit_result > 0) { + hit_cnt++; + uuid_unparse(results[0], uuid_str); + EXPECT_STREQ(uuid_str, rule1_uuid_str); + } else { + miss_cnt++; + } } - if (ret == MAAT_SCAN_HALF_HIT) { - miss_cnt++; - } now = time(NULL); } @@ -9646,19 +9567,18 @@ TEST_F(MaatCmd, UpdateDeadLockDetection) { uuid_t results[ARRAY_SIZE]; size_t n_hit_result = 0; - ret = maat_scan_string(maat_inst, table_http_url, attribute_http_url, scan_data1, strlen(scan_data1), - results, ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_string(maat_inst, table_http_url, attribute_http_url, scan_data1, strlen(scan_data1), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, table_http_url, attribute_http_url, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, rule1_uuid_str); - ret = maat_scan_not_logic(maat_inst, table_http_url, attribute_http_url, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - - //object2 -> rule2 long long object2_id = maat_cmd_incrby(maat_inst, "SEQUENCE_OBJECT", 1); char object2_uuid_str[UUID_STR_LEN] = {0}; @@ -9689,15 +9609,16 @@ TEST_F(MaatCmd, UpdateDeadLockDetection) { sleep(10); memset(results, 0, sizeof(results)); - ret = maat_scan_string(maat_inst, table_http_url, attribute_http_url, scan_data2, strlen(scan_data2), - results, ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_string(maat_inst, table_http_url, attribute_http_url, scan_data2, strlen(scan_data2), state); //After full update, condition ids are re-orgnized, therefore mid are not compatible to the new scanner (hierarchy). - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, table_http_url, attribute_http_url, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, table_http_url, attribute_http_url, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + maat_state_free(state); state = NULL; } @@ -9735,12 +9656,10 @@ TEST_F(MaatCmd, StreamScanWhenExprTableIncUpdate) { size_t n_hit_result = 0; struct maat_stream *stream = maat_stream_new(maat_inst, scan_table_name, scan_attribute_name, state); - ret = maat_stream_scan(stream, scan_data, strlen(scan_data), results, - ARRAY_SIZE, &n_hit_result, state); + ret = maat_stream_scan(stream, scan_data, strlen(scan_data), state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_not_logic(maat_inst, scan_table_name, scan_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, scan_table_name, scan_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); //item1 -> object1 -> rule1 @@ -9757,29 +9676,27 @@ TEST_F(MaatCmd, StreamScanWhenExprTableIncUpdate) { /* maat_stream store expr_runtime version when maat_stream_new(). Add new expr_item has changed expr_runtime version which has been sensed by maat_stream_scan. */ - ret = maat_stream_scan(stream, scan_data, strlen(scan_data), results, - ARRAY_SIZE, &n_hit_result, state); + ret = maat_stream_scan(stream, scan_data, strlen(scan_data), state); EXPECT_EQ(ret, MAAT_SCAN_OK); - ret = maat_scan_not_logic(maat_inst, scan_table_name, scan_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, scan_table_name, scan_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_stream_free(stream); stream = maat_stream_new(maat_inst, scan_table_name, scan_attribute_name, state); - ret = maat_stream_scan(stream, scan_data, strlen(scan_data), results, - ARRAY_SIZE, &n_hit_result, state); + ret = maat_stream_scan(stream, scan_data, strlen(scan_data), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, scan_table_name, scan_attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, rule1_uuid_str); - ret = maat_scan_not_logic(maat_inst, scan_table_name, scan_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_stream_free(stream); maat_state_free(state); state = NULL; @@ -9826,18 +9743,18 @@ TEST_F(MaatCmd, StreamScanSegfaultWhenVersionRollBack_TSG6324) { size_t n_hit_result = 0; struct maat_stream *stream = maat_stream_new(maat_inst, scan_table_name, scan_attribute_name, state); - ret = maat_stream_scan(stream, scan_data, strlen(scan_data), results, - ARRAY_SIZE, &n_hit_result, state); + ret = maat_stream_scan(stream, scan_data, strlen(scan_data), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, scan_table_name, scan_attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, rule1_uuid_str); - ret = maat_scan_not_logic(maat_inst, scan_table_name, scan_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - //DON'T DO THIS!!! //Roll back version, trigger full update. //This operation generates FATAL logs in test_maat_redis.log.yyyy-mm-dd. @@ -9847,12 +9764,10 @@ TEST_F(MaatCmd, StreamScanSegfaultWhenVersionRollBack_TSG6324) { //Wating for scanner garbage collect expiration. sleep(10); - ret = maat_stream_scan(stream, scan_data, strlen(scan_data), results, - ARRAY_SIZE, &n_hit_result, state); + ret = maat_stream_scan(stream, scan_data, strlen(scan_data), state); EXPECT_EQ(ret, MAAT_SCAN_OK); //Scan was interupted after full update. - ret = maat_scan_not_logic(maat_inst, scan_table_name, scan_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, scan_table_name, scan_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_stream_free(stream); @@ -9927,14 +9842,15 @@ TEST_F(MaatCmd, IPAndStreamScanWhenIncUpdate) { int table_id = maat_get_table_id(maat_inst, ip_table_name); ASSERT_GT(table_id, 0); - ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, results, - ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, ip_table_name, ip_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, ip_table_name, ip_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + //add rule2 for rule runtime inc update long long rule2_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1); char rule2_uuid_str[UUID_STR_LEN] = {0}; @@ -9948,31 +9864,19 @@ TEST_F(MaatCmd, IPAndStreamScanWhenIncUpdate) { const char *scan_data = "Here is a stream-keywords-003, this should hit."; struct maat_stream *stream = maat_stream_new(maat_inst, expr_table_name, expr_attribute_name, state); - ret = maat_stream_scan(stream, scan_data, strlen(scan_data), results, - ARRAY_SIZE, &n_hit_result, state); + ret = maat_stream_scan(stream, scan_data, strlen(scan_data), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); - EXPECT_EQ(n_hit_result, 1); + + ret = maat_scan_not_logic(maat_inst, expr_table_name, expr_attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 2); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); - EXPECT_STREQ(uuid_str, rule1_uuid_str); - - ret = maat_scan_not_logic(maat_inst, expr_table_name, expr_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - - /* - becase rule1_id has been returned, maat_scan_xx will not return duplicate rule_id again - */ - ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, results, - ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HIT); - EXPECT_EQ(n_hit_result, 1); - uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, rule2_uuid_str); - - ret = maat_scan_not_logic(maat_inst, ip_table_name, ip_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); + uuid_unparse(results[1], uuid_str); + EXPECT_STREQ(uuid_str, rule1_uuid_str); maat_stream_free(stream); maat_state_free(state); @@ -10044,14 +9948,15 @@ TEST_F(MaatCmd, IPAndStreamScanWhenFullUpdate) { ret = inet_pton(AF_INET, ip_str, &ip_addr); EXPECT_EQ(ret, 1); - ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, results, - ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, ip_table_name, ip_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, ip_table_name, ip_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + //DON'T DO THIS!!! //Roll back version, trigger full update. maat_cmd_incrby(maat_inst, "MAAT_VERSION", -100); @@ -10062,26 +9967,25 @@ TEST_F(MaatCmd, IPAndStreamScanWhenFullUpdate) { const char *scan_data = "Here is a stream-keywords-004, this should hit."; struct maat_stream *stream = maat_stream_new(maat_inst, expr_table_name, expr_attribute_name, state); - ret = maat_stream_scan(stream, scan_data, strlen(scan_data), results, - ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_stream_scan(stream, scan_data, strlen(scan_data), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, expr_table_name, expr_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, expr_table_name, expr_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); /* maat_state keep the rule_rt version when maat_state_new(). After full updating, new rule_rt version is different from that of maat_state, so MAAT_SCAN_HIT will never happen. */ - ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, results, - ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, ip_table_name, ip_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, ip_table_name, ip_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + maat_stream_free(stream); maat_state_free(state); state = NULL; @@ -10152,14 +10056,15 @@ TEST_F(MaatCmd, IPAndStringScanWhenIncUpdate) { ret = inet_pton(AF_INET, ip_str, &ip_addr); EXPECT_EQ(ret, 1); - ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, ip_table_name, ip_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, ip_table_name, ip_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + //add rule2 for rule runtime inc update long long rule2_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1); char rule2_uuid_str[UUID_STR_LEN] = {0}; @@ -10172,31 +10077,19 @@ TEST_F(MaatCmd, IPAndStringScanWhenIncUpdate) { const char *scan_data = "Here is a IP and stringinc, this should hit."; - ret = maat_scan_string(maat_inst, expr_table_name, expr_attribute_name, scan_data, strlen(scan_data), - results, ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_string(maat_inst, expr_table_name, expr_attribute_name, scan_data, strlen(scan_data), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); - EXPECT_EQ(n_hit_result, 1); + + ret = maat_scan_not_logic(maat_inst, expr_table_name, expr_attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 2); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); - EXPECT_STREQ(uuid_str, rule1_uuid_str); - - ret = maat_scan_not_logic(maat_inst, expr_table_name, expr_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - - /* - becase rule1_id has been returned, maat_scan_xx will not return duplicate rule_id again - */ - ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, results, - ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HIT); - EXPECT_EQ(n_hit_result, 1); - uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, rule2_uuid_str); - - ret = maat_scan_not_logic(maat_inst, ip_table_name, ip_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); + uuid_unparse(results[1], uuid_str); + EXPECT_STREQ(uuid_str, rule1_uuid_str); maat_state_free(state); state = NULL; @@ -10267,14 +10160,15 @@ TEST_F(MaatCmd, IPAndStringScanWhenFullupdate) { ret = inet_pton(AF_INET, ip_str, &ip_addr); EXPECT_EQ(ret, 1); - ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, results, - ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr,state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, ip_table_name, ip_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, ip_table_name, ip_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + //DON'T DO THIS!!! //Roll back version, trigger full update. maat_cmd_incrby(maat_inst, "MAAT_VERSION", -100); @@ -10284,26 +10178,28 @@ TEST_F(MaatCmd, IPAndStringScanWhenFullupdate) { const char *scan_data = "scan IP and string, this should hit."; - ret = maat_scan_string(maat_inst, expr_table_name, expr_attribute_name, scan_data, strlen(scan_data), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_string(maat_inst, expr_table_name, expr_attribute_name, scan_data, strlen(scan_data), state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, expr_table_name, expr_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, expr_table_name, expr_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + /* maat_state keep the rule_rt version when maat_state_new(). After full updating, new rule_rt version is different from that of maat_state, so MAAT_SCAN_HIT will never happen. */ - ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, results, - ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + ret = maat_scan_ipv4(maat_inst, ip_table_name, ip_attribute_name, ip_addr, state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); - ret = maat_scan_not_logic(maat_inst, ip_table_name, ip_attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); + ret = maat_scan_not_logic(maat_inst, ip_table_name, ip_attribute_name, state); EXPECT_EQ(ret, MAAT_SCAN_OK); + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); + EXPECT_EQ(n_hit_result, 0); + maat_state_free(state); state = NULL; } @@ -10456,18 +10352,18 @@ TEST_F(MaatRollback, FullConfigRollback) { const char *scan_data = "http://www.cyberessays.com/search_results.php?" "action=search&query=username,abckkk,1234567"; - int ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), - results, ARRAY_SIZE, &n_hit_result, state); + int ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000125"); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_reset(state); sleep(5); @@ -10489,17 +10385,17 @@ TEST_F(MaatRollback, FullConfigRollback) { sleep(WAIT_FOR_EFFECTIVE_S); - ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), - results, ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000125"); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_free(state); state = NULL; } @@ -10517,18 +10413,18 @@ TEST_F(MaatRollback, FullConfigRollbackWhenScanUnfinished) { const char *scan_data = "http://www.cyberessays.com/search_results.php?" "action=search&query=username,abckkk,1234567"; - int ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), - results, ARRAY_SIZE, &n_hit_result, state); + int ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); char uuid_str[UUID_STR_LEN] = {0}; uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000125"); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_reset(state); sleep(5); @@ -10550,17 +10446,17 @@ TEST_F(MaatRollback, FullConfigRollbackWhenScanUnfinished) { sleep(WAIT_FOR_EFFECTIVE_S); - ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), - results, ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_string(maat_inst, table_name, attribute_name, scan_data, strlen(scan_data), state); EXPECT_EQ(ret, MAAT_SCAN_HIT); + + ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + n_hit_result = maat_state_compile(state, default_rule_table_name, results, ARRAY_SIZE); EXPECT_EQ(n_hit_result, 1); uuid_unparse(results[0], uuid_str); EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000125"); - ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE, - &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); - maat_state_free(state); state = NULL; } diff --git a/test/object_nesting/object_nesting_gtest.cpp b/test/object_nesting/object_nesting_gtest.cpp index 3f1421a..f05c051 100644 --- a/test/object_nesting/object_nesting_gtest.cpp +++ b/test/object_nesting/object_nesting_gtest.cpp @@ -31,7 +31,7 @@ struct object_group_rule { struct object_item del_items[MAX_ITEM_NUM]; }; -UT_icd ut_ex_object_id_icd = {sizeof(long long), NULL, NULL, NULL}; +static UT_icd ut_ex_object_id_icd = {sizeof(long long), NULL, NULL, NULL}; static int parse_config_file(const char *filename, struct object_group_rule *rules)