TFE适配MAAT4，编译表只注册一次

2023-04-23 16:35:42 +08:00
parent 97a4386bc4
commit 2138d7f13e
12 changed files with 411 additions and 368 deletions
--- a/plugin/business/ssl-policy/src/ssl_policy.cpp
+++ b/plugin/business/ssl-policy/src/ssl_policy.cpp
@@ -10,18 +10,9 @@
 struct ssl_policy_enforcer
 {
 	struct maat *maat;
-	int policy_table_id;
 	int profile_table_id;
 	void* logger;
 };
-struct intercept_param
-{
-	uint64_t policy_id;
-	int ref_cnt;
-	int keyring_for_trusted;
-	int keyring_for_untrusted;
-	int decryption_profile_id;
-};

 struct decryption_param
 {
@@ -43,147 +34,6 @@ struct decryption_param
 	int mirror_client_version;
 };

-void intercept_param_dup_cb(int table_id, void **to, void **from, long argl, void* argp)
-{
-	struct intercept_param* param= (struct intercept_param*) *from;
-	if(param)
-	{
-		 __sync_add_and_fetch(&(param->ref_cnt), 1);
-		*to = param;
-	}
-	else
-	{
-		*to=NULL;
-	}
-	return;
-}
-
-void intercept_param_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp)
-{
-	int ret=0;
-	size_t intercept_user_region_offset=0, len=0;
-	char* json_str=NULL;
-	cJSON *json=NULL, *item=NULL;
-	struct intercept_param* param=NULL;
-
-	struct ssl_policy_enforcer* enforcer=(struct ssl_policy_enforcer*)argp;
-	ret=maat_helper_read_column(table_line, 7, &intercept_user_region_offset, &len);
-	if(ret<0)
-	{
-		TFE_LOG_ERROR(enforcer->logger, "Get intercept user region: %s", table_line);
-		return;
-	}
-	json_str=ALLOC(char, len+1);
-	memcpy(json_str, table_line+intercept_user_region_offset, len);
-	json=cJSON_Parse(json_str);
-	if(json==NULL)
-	{
-		TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: id = %s", key);
-		goto error_out;
-	}
-
-	item=cJSON_GetObjectItem(json, "protocol");
-	if(unlikely(!item || !cJSON_IsString(item)))
-	{
-		TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: %s invalid protocol format", key);
-        goto error_out;
-	}
-	if(0!=strcasecmp(item->valuestring, "SSL")&& 0!=strcasecmp(item->valuestring, "HTTP"))
-	{
-		goto error_out;
-	}
-
-	param=ALLOC(struct intercept_param, 1);
-	param->policy_id=atoll(key);
-	param->ref_cnt=1;
-	/*
-	param->bypass_mutual_auth=1;
-	param->bypass_pinning=1;
-	param->mirror_client_version=1;
-	*/
-	param->keyring_for_trusted=1;
-	param->keyring_for_untrusted=0;
-	param->decryption_profile_id=0;
-
-	item=cJSON_GetObjectItem(json, "keyring_for_trusted");
-	if(item)
-	{
-		if(item->type==cJSON_Number)
-		{
-			param->keyring_for_trusted=item->valueint;
-		}
-		else if(item->type==cJSON_String)
-		{
-			param->keyring_for_trusted=atoi(item->valuestring);
-		}
-		else
-		{
-			TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: %lu invalid keyring_for_trusted format", param->policy_id);
-		}
-	}
-
-	item=cJSON_GetObjectItem(json, "keyring_for_untrusted");
-	if(item)
-	{
-		if(item->type==cJSON_Number)
-		{
-			param->keyring_for_untrusted=item->valueint;
-		}
-		else if(item->type==cJSON_String)
-		{
-			param->keyring_for_untrusted=atoi(item->valuestring);
-		}
-		else
-		{
-			TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: %lu invalid keyring_for_untrusted format", param->policy_id);
-		}
-	}
-
-	item=cJSON_GetObjectItem(json, "decryption");
-	if(item)
-	{
-		if(item->type==cJSON_Number)
-		{
-			param->decryption_profile_id=item->valueint;
-		}
-		else if(item->type==cJSON_String)
-		{
-			param->decryption_profile_id=atoi(item->valuestring);
-		}
-		else
-		{
-			TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: %lu invalid decryption format", param->policy_id);
-		}
-	}
-	*ad=param;
-	TFE_LOG_INFO(enforcer->logger, "Add intercept policy: %lu", param->policy_id);
-error_out:
-	cJSON_Delete(json);
-	free(json_str);
-	return;
-}
-void intercept_param_free_cb(int table_id, void **ad, long argl, void* argp)
-{
-	struct ssl_policy_enforcer* enforcer=(struct ssl_policy_enforcer*)argp;
-	struct intercept_param* param= (struct intercept_param*) *ad;
-	if(param==NULL)
-	{
-		return;
-	}
-
-    if ((__sync_sub_and_fetch(&param->ref_cnt, 1) == 0))
-	{
-		TFE_LOG_INFO(enforcer->logger, "Del intercept policy %lu", param->policy_id);
-		free(param);
-		*ad=NULL;
-	}
-}
-void intercept_param_free(struct intercept_param* param)
-{
-	intercept_param_free_cb(0, (void**)&param, 0, NULL);
-	return;
-}
-
 void profile_param_dup_cb(int table_id, void **to, void **from, long argl, void* argp)
 {
 	struct decryption_param* param= (struct decryption_param*) *from;
@@ -319,21 +169,12 @@ error_out:
 }
 struct ssl_policy_enforcer* ssl_policy_enforcer_create(void* logger)
 {
+	UNUSED int ret=0;
 	struct ssl_policy_enforcer* enforcer=ALLOC(struct ssl_policy_enforcer, 1);
 	enforcer->maat=(struct maat*)tfe_bussiness_resouce_get(STATIC_MAAT);;
 	enforcer->logger=logger;
-	enforcer->policy_table_id=maat_get_table_id(enforcer->maat, "TSG_SECURITY_COMPILE");
-	assert(enforcer->policy_table_id >= 0);
 	enforcer->profile_table_id=maat_get_table_id(enforcer->maat, "PXY_PROFILE_DECRYPTION");
 	assert(enforcer->profile_table_id >= 0);
-	UNUSED int ret=maat_plugin_table_ex_schema_register(enforcer->maat,
-												"TSG_SECURITY_COMPILE",
-												intercept_param_new_cb,
-												intercept_param_free_cb,
-												intercept_param_dup_cb,
-												0,
-												enforcer);
-	assert(ret==0);
 	ret=maat_plugin_table_ex_schema_register(enforcer->maat,
 										"PXY_PROFILE_DECRYPTION",
 										profile_param_new_cb,
@@ -347,32 +188,24 @@ struct ssl_policy_enforcer* ssl_policy_enforcer_create(void* logger)
 enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_para)
 {
 	UNUSED struct ssl_policy_enforcer* enforcer=(struct ssl_policy_enforcer*)u_para;
-	struct intercept_param *policy_param=NULL;
-	struct decryption_param *profile_param=NULL;
 	enum ssl_stream_action action=SSL_ACTION_PASSTHROUGH;
 	UNUSED int ret=0;
-	uint64_t policy_id=0;
-	char policy_id_str[16]={0};
+	char sni[512];
+	char addr_string[512];
 	char profile_id_str[16]={0};
-	char sni[512], addr_string[512];
-	policy_id = ssl_stream_get_policy_id(upstream);
-	snprintf(policy_id_str, sizeof(policy_id_str), "%lu", policy_id);
-	policy_param=(struct intercept_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->policy_table_id, policy_id_str);
-	if(policy_param==NULL)
-	{
-		TFE_LOG_INFO(enforcer->logger, "Failed to get intercept parameter of policy %lu.", policy_id);
-		ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Invalid Intercept Param");
-		return SSL_ACTION_PASSTHROUGH;
-	}
-	else
-	{
-		ssl_stream_get_string_opt(upstream, SSL_STREAM_OPT_SNI, sni, sizeof(sni));
-		ssl_stream_get_string_opt(upstream, SSL_STREAM_OPT_ADDR, addr_string, sizeof(addr_string));
-		TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy %lu", addr_string, sni, policy_id);
-	}

-	snprintf(profile_id_str, sizeof(profile_id_str), "%u", policy_param->decryption_profile_id);
-	profile_param=(struct decryption_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->profile_table_id, profile_id_str);
+	uint64_t policy_id = ssl_stream_get_policy_id(upstream);
+	int decryption_profile_id = ssl_stream_get_decrypted_profile_id(upstream);
+	int keyring_for_trusted =  ssl_stream_get_trusted_keyring_profile_id(upstream);
+	int keyring_for_untrusted = ssl_stream_get_untrusted_keyring_profile_id(upstream);
+
+
+	ssl_stream_get_string_opt(upstream, SSL_STREAM_OPT_SNI, sni, sizeof(sni));
+	ssl_stream_get_string_opt(upstream, SSL_STREAM_OPT_ADDR, addr_string, sizeof(addr_string));
+	TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy %lu", addr_string, sni, policy_id);
+
+	snprintf(profile_id_str, sizeof(profile_id_str), "%u", decryption_profile_id);
+	struct decryption_param *profile_param=(struct decryption_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->profile_table_id, profile_id_str);
 	if (profile_param==NULL)
 	{
 		TFE_LOG_INFO(enforcer->logger, "Failed to get decryption parameter of profile %s.", profile_id_str);
@@ -397,8 +230,8 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
 	{
 		ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_BLOCK_FAKE_CERT, 1);
 	}
-	ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_KEYRING_FOR_TRUSTED, policy_param->keyring_for_trusted);
-	ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_KEYRING_FOR_UNTRUSTED, policy_param->keyring_for_untrusted);
+	ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_KEYRING_FOR_TRUSTED, keyring_for_trusted);
+	ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_KEYRING_FOR_UNTRUSTED, keyring_for_untrusted);

 	ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_PINNING_STATUS, &pinning_staus);
 	assert(ret==0);
@@ -415,46 +248,44 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
 	{
 		action = SSL_ACTION_PASSTHROUGH;
 		ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Certificate Not Installed");
-		TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %lu, action PASSTHROUGH due to Certificate Not Installed", addr_string, sni, policy_param->policy_id);
+		TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %lu, action PASSTHROUGH due to Certificate Not Installed", addr_string, sni, policy_id);
 	}
 	else if ((pinning_staus == 1 || ja3_pinning_status == JA3_PINNING_STATUS_IS_PINNING) && ja3_pinning_status != JA3_PINNING_STATUS_NOT_PINNING && profile_param->bypass_pinning)
 	{
 		action = SSL_ACTION_PASSTHROUGH;
 		ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Certificate Pinning");
-		TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %lu, action PASSTHROUGH due to Certificate Pinning", addr_string, sni, policy_param->policy_id);
+		TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %lu, action PASSTHROUGH due to Certificate Pinning", addr_string, sni, policy_id);
 	}
 	else if (is_mauth && profile_param->bypass_mutual_auth)
 	{
 		action = SSL_ACTION_PASSTHROUGH;
 		ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Mutual Authentication");
-		TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %lu, action PASSTHROUGH due to Mutual Authentication", addr_string, sni, policy_param->policy_id);
+		TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %lu, action PASSTHROUGH due to Mutual Authentication", addr_string, sni, policy_id);
 	}
 	else if (is_ev && profile_param->bypass_ev_cert)
 	{
 		action = SSL_ACTION_PASSTHROUGH;
 		ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "EV Certificate");
-		TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %lu, action PASSTHROUGH due to EV Certificate", addr_string, sni, policy_param->policy_id);
+		TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %lu, action PASSTHROUGH due to EV Certificate", addr_string, sni, policy_id);
 	}
 	else if (is_ct && profile_param->bypass_ct_cert)
 	{
 		action = SSL_ACTION_PASSTHROUGH;
 		ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Certificate Transparency");
-		TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %lu, action PASSTHROUGH due to Certificate Transparency", addr_string, sni, policy_param->policy_id);
+		TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %lu, action PASSTHROUGH due to Certificate Transparency", addr_string, sni, policy_id);
 	}
 	else if (has_error && profile_param->bypass_protocol_errors)
 	{
 		action = SSL_ACTION_PASSTHROUGH;
 		ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Protocol Errors");
-		TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %lu, action PASSTHROUGH due to Protocol Errors", addr_string, sni, policy_param->policy_id);
+		TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %lu, action PASSTHROUGH due to Protocol Errors", addr_string, sni, policy_id);
 	}
 	else
 	{
 		action = SSL_ACTION_INTERCEPT;
 	}

-	intercept_param_free(policy_param);
 	profile_param_free(profile_param);
-	policy_param=NULL;
 	profile_param=NULL;
 	return action;
 }