TSG-22707 Adaptation of DB indicates changes, fixes self-check process testing issues

fengweihao
2024-10-16 16:16:44 +08:00
parent 8e38bbcf48
commit 48cba684fe
9 changed files with 82 additions and 98 deletions


@@ -237,7 +237,7 @@ struct ssl_policy_enforcer *ssl_policy_enforcer_create()
struct ssl_policy_enforcer *enforcer = ALLOC(struct ssl_policy_enforcer, 1);
enforcer->maat = tfe_get_maat_handle();
ret = maat_plugin_table_ex_schema_register(enforcer->maat,
"PXY_PROFILE_DECRYPTION",
"DECRYPTION_PROFILE",
profile_param_new_cb,
profile_param_free_cb,
profile_param_dup_cb,
@@ -272,7 +272,7 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void *u_p
uuid_unparse(decrypted_uuid, decrypted_uuid_str);
TFE_LOG_DEBUG(g_default_logger, "%s %s enforce policy %s", addr_string, sni, rule_uuid_str);
struct decryption_param *profile_param = (struct decryption_param *)maat_plugin_table_get_ex_data(enforcer->maat, "PXY_PROFILE_DECRYPTION", (const char *)decrypted_uuid_str, strlen(decrypted_uuid_str));
struct decryption_param *profile_param = (struct decryption_param *)maat_plugin_table_get_ex_data(enforcer->maat, "DECRYPTION_PROFILE", (const char *)decrypted_uuid_str, strlen(decrypted_uuid_str));
if (profile_param == NULL)
{
TFE_LOG_INFO(g_default_logger, "Failed to get decryption parameter of profile %s.", decrypted_uuid_str);
@@ -283,32 +283,32 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void *u_p
if (!profile_param->mirror_client_version)
{
ret = ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_PROTOCOL_MIN_VERSION, profile_param->ssl_min_version);
assert(ret == 0);
assert(ret == 1);
ret = ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_PROTOCOL_MAX_VERSION, profile_param->ssl_max_version);
assert(ret == 0);
assert(ret == 1);
}
if (profile_param->allow_http2)
{
ret = ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_ENABLE_ALPN, 1);
assert(ret == 0);
assert(ret == 1);
}
ret = ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_NO_VERIFY_COMMON_NAME, profile_param->no_verify_cn);
assert(ret == 0);
assert(ret == 1);
ret = ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_NO_VERIFY_ISSUER, profile_param->no_verify_issuer);
assert(ret == 0);
assert(ret == 1);
ret = ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_NO_VERIFY_SELF_SIGNED, profile_param->no_verify_self_signed);
assert(ret == 0);
assert(ret == 1);
ret = ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_NO_VERIFY_EXPIRY_DATE, profile_param->no_verify_expry_date);
assert(ret == 0);
assert(ret == 1);
if (profile_param->block_fake_cert)
{
ret = ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_BLOCK_FAKE_CERT, 1);
assert(ret == 0);
assert(ret == 1);
}
ret = ssl_stream_set_uuid_opt(upstream, SSL_STREAM_OPT_KEYRING_FOR_TRUSTED, &trusted_keyring_uuid);
assert(ret == 0);
assert(ret == 1);
ret = ssl_stream_set_uuid_opt(upstream, SSL_STREAM_OPT_KEYRING_FOR_UNTRUSTED, &untrusted_keyring_uuid);
assert(ret == 0);
assert(ret == 1);
ret = ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_PINNING_STATUS, &pinning_staus);
assert(ret == 0);
ret = ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_APP_STATUS, &is_app_not_pinning);


@@ -236,7 +236,7 @@ struct tcp_policy_enforcer *tcp_policy_enforcer_create(void *logger)
struct tcp_policy_enforcer *enforcer = ALLOC(struct tcp_policy_enforcer, 1);
enforcer->maat = tfe_get_maat_handle();
enforcer->logger = logger;
snprintf(enforcer->table_name, sizeof(enforcer->table_name), "PXY_PROFILE_TCP_OPTION");
snprintf(enforcer->table_name, sizeof(enforcer->table_name), "PROXY_TCP_OPTION");
ret = maat_plugin_table_ex_schema_register(enforcer->maat, enforcer->table_name,
profile_param_new_cb,
@@ -245,7 +245,7 @@ struct tcp_policy_enforcer *tcp_policy_enforcer_create(void *logger)
0, enforcer);
if (ret < 0)
{
TFE_LOG_ERROR(enforcer->logger, "failed at register callback of PXY_PROFILE_TCP_OPTION, ret = %d", ret);
TFE_LOG_ERROR(enforcer->logger, "failed at register callback of PROXY_TCP_OPTION, ret = %d", ret);
goto error_out;
}
return enforcer;


@@ -245,7 +245,7 @@ void trusted_CA_update_cert_cb(const char *table_name, const char *table_line, e
cJSON* trust_ca_cert = cJSON_Parse(table_line);
if(trust_ca_cert == NULL)
{
TFE_LOG_ERROR(g_proxy_rt->local_logger, "PXY_PROFILE_TRUSTED_CA_CERT parse table_line failed. table_line:%s", table_line);
TFE_LOG_ERROR(g_proxy_rt->local_logger, "TRUSTED_CERTIFICATE_AUTHORITY parse table_line failed. table_line:%s", table_line);
return;
}
@@ -837,7 +837,7 @@ void ma_profile_table_new_cb(const char *table_name, const char* key, const char
cJSON* response_pages = cJSON_Parse(table_line);
if(response_pages == NULL)
{
TFE_LOG_ERROR(g_proxy_rt->local_logger, "TSG_PROFILE_RESPONSE_PAGES parse table_line failed. table_line:%s", table_line);
TFE_LOG_ERROR(g_proxy_rt->local_logger, "RESPONSE_PAGE parse table_line failed. table_line:%s", table_line);
return;
}
@@ -892,7 +892,7 @@ void ma_insert_profile_table_new_cb(const char *table_name, const char* key, con
cJSON* insert_script = cJSON_Parse(table_line);
if(insert_script == NULL)
{
TFE_LOG_ERROR(g_proxy_rt->local_logger, "PXY_PROFILE_INSERT_SCRIPTS parse table_line failed. table_line:%s", table_line);
TFE_LOG_ERROR(g_proxy_rt->local_logger, "PROXY_INJECT_SCRIPT parse table_line failed. table_line:%s", table_line);
return;
}
@@ -952,7 +952,7 @@ void ma_hijack_profile_table_new_cb(const char *table_name, const char* key, con
cJSON* hihijack_files = cJSON_Parse(table_line);
if(hihijack_files == NULL)
{
TFE_LOG_ERROR(g_proxy_rt->local_logger, "PXY_PROFILE_HIJACK_FILES parse table_line failed. table_line:%s", table_line);
TFE_LOG_ERROR(g_proxy_rt->local_logger, "PROXY_HIJACK_FILE parse table_line failed. table_line:%s", table_line);
return;
}
@@ -994,7 +994,7 @@ void ma_lua_profile_table_new_cb(const char *table_name, const char* key, const
cJSON* run_scripts = cJSON_Parse(table_line);
if(run_scripts == NULL)
{
TFE_LOG_ERROR(g_proxy_rt->local_logger, "PXY_PROFILE_RUN_SCRIPTS parse table_line failed. table_line:%s", table_line);
TFE_LOG_ERROR(g_proxy_rt->local_logger, "HTTP_MANIPULATION_SCRIPT parse table_line failed. table_line:%s", table_line);
return;
}
@@ -1108,10 +1108,10 @@ void ma_profile_table_dup_cb(const char *table_name, void **to, void **from, lon
const char* table_name_idx2str(int profile_idx)
{
const char *table_name_map[] = {"TSG_PROFILE_RESPONSE_PAGES",
"PXY_PROFILE_INSERT_SCRIPTS",
"PXY_PROFILE_HIJACK_FILES",
"PXY_PROFILE_RUN_SCRIPTS"};
const char *table_name_map[] = {"RESPONSE_PAGE",
"PROXY_INJECT_SCRIPT",
"PROXY_HIJACK_FILE",
"HTTP_MANIPULATION_SCRIPT"};
return table_name_map[profile_idx];
}
@@ -1159,7 +1159,7 @@ int proxy_policy_init(const char* profile_path, const char* static_section, cons
goto error_out;
}
ret = maat_table_callback_register(g_proxy_rt->feather, "PXY_PROFILE_TRUSTED_CA_CERT",
ret = maat_table_callback_register(g_proxy_rt->feather, "TRUSTED_CERTIFICATE_AUTHORITY",
trusted_CA_update_start_cb,
trusted_CA_update_cert_cb,
trusted_CA_update_finish_cb,
@@ -1781,7 +1781,13 @@ static int html_generate(char *profile_uuid, const char* msg, char ** page_buff,
{
int ret = 0;
struct manipulate_profile* block_profile=get_profile_by_id("TSG_PROFILE_RESPONSE_PAGES", profile_uuid);
if(profile_uuid==NULL)
{
ret=-1;
return ret;
}
struct manipulate_profile* block_profile=get_profile_by_id("RESPONSE_PAGE", profile_uuid);
if(block_profile==NULL)
{
ret=-1;
@@ -1832,7 +1838,7 @@ int http_lua_profile(char *profile_uuid_str, struct elua_script ***elua_ctx, cha
{
int ret = 0;
struct manipulate_profile* lua_profile=get_profile_by_id("PXY_PROFILE_RUN_SCRIPTS", profile_uuid_str);
struct manipulate_profile* lua_profile=get_profile_by_id("HTTP_MANIPULATION_SCRIPT", profile_uuid_str);
if(lua_profile==NULL)
{
ret=-1;
@@ -2323,12 +2329,6 @@ static void http_block(const struct tfe_stream * stream, const struct tfe_http_s
int resp_code = param->status_code;
char *message = param->message;
if (param->profile_uuid_str< 0){
TFE_LOG_ERROR(g_proxy_rt->local_logger, "Invalid block rule %s", ctx->enforce_rules[0].config_uuid_string);
ctx->action = PX_ACTION_NONE;
return;
}
struct tfe_http_session * to_write_sess = NULL;
if (events & EV_HTTP_RESP_HDR || tfe_http_in_hdr(events))
{
@@ -2399,7 +2399,7 @@ static void http_hijack(const struct tfe_http_session * session, enum tfe_http_e
if(events & EV_HTTP_RESP_HDR)
{
struct manipulate_profile* hijack_profile=get_profile_by_id("PXY_PROFILE_HIJACK_FILES", param->profile_uuid_str);
struct manipulate_profile* hijack_profile=get_profile_by_id("PROXY_HIJACK_FILE", param->profile_uuid_str);
if (NULL == hijack_profile)
{
TFE_LOG_ERROR(g_proxy_rt->local_logger, "get table obj faild, profile_id = %s", param->profile_uuid_str);
@@ -2469,7 +2469,7 @@ static int format_insert_rule(char *profile_uuid, struct insert_rule *rule)
{
int ret = 0;
struct manipulate_profile* insert_profile=get_profile_by_id("PXY_PROFILE_INSERT_SCRIPTS", profile_uuid);
struct manipulate_profile* insert_profile=get_profile_by_id("PROXY_INJECT_SCRIPT", profile_uuid);
if(insert_profile==NULL)
{
ret=-1;
@@ -2882,14 +2882,14 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht
break;
}
scan_ret = maat_scan_string(g_proxy_rt->feather, "TSG_OBJ_KEYWORDS", attribute_name, field_val, strlen(field_val),
scan_ret = maat_scan_string(g_proxy_rt->feather, "TSG_OBJ_KEYWORD", attribute_name, field_val, strlen(field_val),
result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid);
if (scan_ret == MAAT_SCAN_HIT)
{
hit_cnt += n_hit_result;
}
}
scan_ret = maat_scan_not_logic(g_proxy_rt->feather, "TSG_OBJ_KEYWORDS", attribute_name, result + hit_cnt, MAX_SCAN_RESULT - hit_cnt,
scan_ret = maat_scan_not_logic(g_proxy_rt->feather, "TSG_OBJ_KEYWORD", attribute_name, result + hit_cnt, MAX_SCAN_RESULT - hit_cnt,
&n_hit_result, ctx->scan_mid);
if (scan_ret == MAAT_SCAN_HIT)
{
@@ -2901,7 +2901,7 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht
{
assert(ctx->sp == NULL);
attribute_name = events & EV_HTTP_REQ_BODY_BEGIN ? "ATTR_HTTP_REQ_BODY" : "ATTR_HTTP_RES_BODY";
ctx->sp = maat_stream_new(g_proxy_rt->feather, "TSG_OBJ_KEYWORDS", attribute_name, ctx->scan_mid);
ctx->sp = maat_stream_new(g_proxy_rt->feather, "TSG_OBJ_KEYWORD", attribute_name, ctx->scan_mid);
}
const unsigned char *scan_body_frag=NULL; size_t scan_len=0;
@@ -2925,7 +2925,7 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht
if ((events & EV_HTTP_REQ_BODY_END) | (events & EV_HTTP_RESP_BODY_END))
{
attribute_name = events & EV_HTTP_REQ_BODY_END ? "ATTR_HTTP_REQ_BODY" : "ATTR_HTTP_RES_BODY";
scan_ret = maat_scan_not_logic(g_proxy_rt->feather, "TSG_OBJ_KEYWORDS", "attribute_name", result + hit_cnt, MAX_SCAN_RESULT - hit_cnt,
scan_ret = maat_scan_not_logic(g_proxy_rt->feather, "TSG_OBJ_KEYWORD", "attribute_name", result + hit_cnt, MAX_SCAN_RESULT - hit_cnt,
&n_hit_result, ctx->scan_mid);
if (scan_ret == MAAT_SCAN_HIT)
{
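Review bot: The `maat_scan_not_logic` call in the last hunk passes the string literal `"attribute_name"` instead of the `attribute_name` variable assigned on the line directly above it, so the NOT-logic scan at request/response body end presumably queries a non-existent attribute; the commit renames the table on that line but carries the bug across. The equivalent header-scan call earlier in http_scan passes the variable correctly, so the body-end line should read `scan_ret = maat_scan_not_logic(g_proxy_rt->feather, "TSG_OBJ_KEYWORD", attribute_name, result + hit_cnt, MAX_SCAN_RESULT - hit_cnt,`. If negative keyword rules are meant to match on bodies, they likely never fire today, which is worth confirming with a rule test before and after the fix. http_scan starts and ends outside this hunk.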