完成缓存策略和可信证书加载的开发，编译通过。

2018-11-09 15:52:14 +08:00
parent d6862e4ef7
commit 62d9eb0bef
8 changed files with 628 additions and 151 deletions
--- a/plugin/business/pangu-http/src/pangu_http.cpp
+++ b/plugin/business/pangu-http/src/pangu_http.cpp
@@ -85,6 +85,8 @@ struct pangu_rt
 	int fs_id[__PG_STAT_MAX];
 	struct event_base* gc_evbase;
 	struct event* gcev;
+
+	int ca_store_reseting;
 };
 struct pangu_rt * g_pangu_rt;

@@ -206,11 +208,111 @@ static void pangu_http_stat_init(struct pangu_rt * pangu_runtime)
 	return;
 }

+void trusted_CA_update_start_cb(int update_type, void* u_para)
+{
+	if(update_type==MAAT_RULE_UPDATE_TYPE_FULL)
+	{
+		if(g_pangu_rt->ca_store_reseting==0)
+		{
+			tfe_proxy_ssl_reset_trust_ca();
+			TFE_LOG_INFO(g_pangu_rt->local_logger, "Trusted CA Store Reset Start.");
+		}
+		g_pangu_rt->ca_store_reseting++;
+	}
+		
+}
+void trusted_CA_update_cert_cb(int table_id, const char* table_line, void* u_para)
+{
+	int ret=0, cfg_id=0, is_valid=0;
+	char cert_name[128]={0}, cert_file[1024]={0};
+	ret=sscanf(table_line, "%d\t%s\t%s\t%d", &cfg_id, cert_name, cert_file, &is_valid);
+	if(ret!=4)
+	{
+		TFE_LOG_ERROR(g_pangu_rt->local_logger, "Trusted CA Store parse cert config failed: %s", table_line);
+		return;
+	}
+	if(is_valid==1)
+	{
+		ret=tfe_proxy_ssl_add_trust_ca(cert_file);
+		if(ret<0)
+		{
+			TFE_LOG_ERROR(g_pangu_rt->local_logger, "Trusted CA Store add cert failed %d:%s:%s", cfg_id, cert_name, cert_file);
+		}
+		else
+		{
+			TFE_LOG_INFO(g_pangu_rt->local_logger, "Trusted CA Store add cert success %d:%s:%s", cfg_id, cert_name, cert_file);
+		}
+	}
+	else
+	{
+		ret=tfe_proxy_ssl_del_trust_ca(cert_file);
+		if(ret<0)
+		{
+			TFE_LOG_ERROR(g_pangu_rt->local_logger, "Trusted CA Store del cert failed %d:%s:%s", cfg_id, cert_name, cert_file);
+		}
+		else
+		{
+			TFE_LOG_INFO(g_pangu_rt->local_logger, "Trusted CA Store del cert success %d:%s:%s", cfg_id, cert_name, cert_file);
+		}
+	}
+	return;
+}
+void trusted_CA_update_crl_cb(int table_id,const char* table_line,void* u_para)
+{
+	int ret=0, crl_id=0, cert_id=0, is_valid=0;
+	char crl_file[1024]={0};
+	ret=sscanf(table_line, "%d\t%d\t%s\t%d", &crl_id, &cert_id, crl_file, &is_valid);
+	if(ret!=4)
+	{
+		TFE_LOG_ERROR(g_pangu_rt->local_logger, "Trusted CA Store parse crl config failed: %s", table_line);
+		return;
+	}
+	if(is_valid==1)
+	{
+		ret=tfe_proxy_ssl_add_crl(crl_file);
+		if(ret<0)
+		{
+			TFE_LOG_ERROR(g_pangu_rt->local_logger, "Trusted CA Store add crl failed %d:%s:%s", crl_id, cert_id, crl_file);
+		}
+		else
+		{
+			TFE_LOG_INFO(g_pangu_rt->local_logger, "Trusted CA Store add crl success %d:%d:%s", crl_id, cert_id, crl_file);
+		}
+	}
+	else
+	{
+		ret=tfe_proxy_ssl_del_crl(crl_file);
+		if(ret<0)
+		{
+			TFE_LOG_ERROR(g_pangu_rt->local_logger, "Trusted CA Store del crl failed %d:%s:%s", crl_id, cert_id, crl_file);
+		}
+		else
+		{
+			TFE_LOG_INFO(g_pangu_rt->local_logger, "Trusted CA Store del crl success %d:%d:%s", crl_id, cert_id, crl_file);
+		}
+	}
+	return;
+}
+void trusted_CA_update_finish_cb(void* u_para)
+{
+	int is_last_updating_table=0, ret=0;
+	if(g_pangu_rt->ca_store_reseting>0)
+	{
+		g_pangu_rt->ca_store_reseting--;
+		if(g_pangu_rt->ca_store_reseting==0)
+		{
+			TFE_LOG_INFO(g_pangu_rt->local_logger, "Trusted CA Store Reset Finish.");
+		}
+	}
+}
+

 int pangu_http_init(struct tfe_proxy * proxy)
 {
 	const char * profile = "./pangu_conf/pangu_pxy.conf";
-	const char * logfile = "./log/pangu_pxy.log";
+	const char * logfile = "./log/pangu_pxy.log";	
+	int table_id=0;
+	
 	g_pangu_rt = ALLOC(struct pangu_rt, 1);
 	g_pangu_rt->thread_num = tfe_proxy_get_work_thread_count();
 	g_pangu_rt->gc_evbase=tfe_proxy_get_gc_evbase();
@@ -266,7 +368,8 @@ int pangu_http_init(struct tfe_proxy * proxy)
 	MESA_load_profile_int_def(profile, "TANGO_CACHE", "enable_cache", &(g_pangu_rt->cache_enabled), 1);
 	if(g_pangu_rt->cache_enabled)
 	{
-		g_pangu_rt->cache = create_web_cache_handle(profile, "TANGO_CACHE", g_pangu_rt->gc_evbase, g_pangu_rt->local_logger);
+		g_pangu_rt->cache = create_web_cache_handle(profile, "TANGO_CACHE", g_pangu_rt->gc_evbase,
+															g_pangu_rt->maat, g_pangu_rt->local_logger);
 		if(!g_pangu_rt->cache)
 		{
 			TFE_LOG_INFO(NULL, "Tango Cache init failed.");
@@ -274,6 +377,30 @@ int pangu_http_init(struct tfe_proxy * proxy)
 		}
 		TFE_LOG_INFO(NULL, "Tango Cache Enabled.");
 	}
+	table_id=Maat_table_register(g_pangu_rt->maat, "PXY_OBJ_TRUSTED_CA_CERT");
+	if(table_id<0)
+	{
+		TFE_LOG_INFO(NULL, "Pangu HTTP register table PXY_OBJ_TRUSTED_CA_CERT failed.");
+		goto error_out;
+	}
+	Maat_table_callback_register(g_pangu_rt->maat, table_id, 
+							trusted_CA_update_start_cb,
+							trusted_CA_update_cert_cb,
+							trusted_CA_update_finish_cb,
+							g_pangu_rt);
+
+	table_id=Maat_table_register(g_pangu_rt->maat, "PXY_OBJ_TRUSTED_CA_CRL");
+	if(table_id<0)
+	{
+		TFE_LOG_INFO(NULL, "Pangu HTTP register table PXY_OBJ_TRUSTED_CA_CRL failed.");
+		goto error_out;
+	}
+	Maat_table_callback_register(g_pangu_rt->maat, table_id, 
+							trusted_CA_update_start_cb,
+							trusted_CA_update_crl_cb,
+							trusted_CA_update_finish_cb,
+							g_pangu_rt);
+	
 	TFE_LOG_INFO(NULL, "Pangu HTTP init success.");
 	return 0;

@@ -297,9 +424,9 @@ struct pangu_http_ctx
 	int magic_num;
 	enum pangu_action action;
 	char * action_para;
-	scan_status_t mid;
+	scan_status_t scan_mid;
 	stream_para_t sp;
-
+	struct cache_mid* cmid;
 	struct Maat_rule_t * enforce_rules;
 	size_t n_enforce;
 	char * enforce_para;
@@ -345,7 +472,7 @@ static struct pangu_http_ctx * pangu_http_ctx_new(unsigned int thread_id)
 {
 	struct pangu_http_ctx * ctx = ALLOC(struct pangu_http_ctx, 1);
 	ctx->magic_num=HTTP_CTX_MAGIC_NUM;
-	ctx->mid = NULL;
+	ctx->scan_mid = NULL;
 	ctx->thread_id = (int) thread_id;
 	return ctx;
 }
@@ -360,8 +487,8 @@ static void pangu_http_ctx_free(struct pangu_http_ctx * ctx)
 	}
 	FREE(&ctx->enforce_rules);
 	FREE(&ctx->enforce_para);
-	Maat_clean_status(&(ctx->mid));	
-	ctx->mid = NULL;
+	Maat_clean_status(&(ctx->scan_mid));	
+	ctx->scan_mid = NULL;

 	if(ctx->sp)
 	{
@@ -749,7 +876,7 @@ enum pangu_action http_scan(const struct tfe_http_session * session, enum tfe_ht
 		int str_url_length = (int) (strlen(session->req->req_spec.url));

 		scan_ret = Maat_full_scan_string(g_pangu_rt->maat, g_pangu_rt->scan_table_id[PXY_CTRL_HTTP_URL],
-			CHARSET_UTF8, str_url, str_url_length, result, NULL, MAX_SCAN_RESULT, &(ctx->mid), ctx->thread_id);
+			CHARSET_UTF8, str_url, str_url_length, result, NULL, MAX_SCAN_RESULT, &(ctx->scan_mid), ctx->thread_id);

 		if (scan_ret > 0)
 		{
@@ -770,13 +897,13 @@ enum pangu_action http_scan(const struct tfe_http_session * session, enum tfe_ht
 			}

 			const char * str_field_name = http_field_to_string(&field_name);
-			scan_ret = Maat_set_scan_status(g_pangu_rt->maat, &(ctx->mid), MAAT_SET_SCAN_DISTRICT,
+			scan_ret = Maat_set_scan_status(g_pangu_rt->maat, &(ctx->scan_mid), MAAT_SET_SCAN_DISTRICT,
 				str_field_name, strlen(str_field_name));

 			assert(scan_ret == 0);
 			scan_ret = Maat_full_scan_string(g_pangu_rt->maat, table_id,
 				CHARSET_UTF8, field_val, strlen(field_val),
-				result + hit_cnt, NULL, MAX_SCAN_RESULT - hit_cnt, &(ctx->mid), ctx->thread_id);
+				result + hit_cnt, NULL, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid), ctx->thread_id);
 			if (scan_ret > 0)
 			{
 				hit_cnt += scan_ret;
@@ -795,7 +922,7 @@ enum pangu_action http_scan(const struct tfe_http_session * session, enum tfe_ht
 	if (body_frag != NULL)
 	{
 		scan_ret = Maat_stream_scan_string(&(ctx->sp), CHARSET_UTF8, (const char *) body_frag, (int) frag_size,
-			result + hit_cnt, NULL, MAX_SCAN_RESULT - hit_cnt, &(ctx->mid));
+			result + hit_cnt, NULL, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid));
 		if (scan_ret > 0)
 		{
 			hit_cnt += scan_ret;
@@ -1057,7 +1184,7 @@ void cache_pending(const struct tfe_http_session * session,	unsigned int thread_
 	enum cache_pending_result ret;
 	ctx->f_cache_pending=future_create("cache_pend", cache_pending_on_succ, cache_pending_on_fail, ctx);	
 	ctx->ref_session=tfe_http_session_allow_write(session);
-	ctx->pending_result=web_cache_async_pending(g_pangu_rt->cache,  thread_id, session->req, ctx->f_cache_pending);
+	ctx->pending_result=web_cache_async_pending(g_pangu_rt->cache, thread_id, session->req, &(ctx->cmid), ctx->f_cache_pending);
 	switch(ctx->pending_result)
 	{
 		case PENDING_RESULT_REVALIDATE:
@@ -1077,7 +1204,7 @@ void cache_pending(const struct tfe_http_session * session,	unsigned int thread_
 void cache_query(const struct tfe_http_session * session,	unsigned int thread_id, struct pangu_http_ctx * ctx)
 {
 	ctx->f_cache_query=future_create("cache_get", cache_query_on_succ, cache_query_on_fail, ctx);
-	int ret=web_cache_async_query(g_pangu_rt->cache, thread_id, session->req, ctx->f_cache_query);
+	int ret=web_cache_async_query(g_pangu_rt->cache, thread_id, session->req, &(ctx->cmid), ctx->f_cache_query);
 	if(ret==0)
 	{
 		ctx->ref_session=tfe_http_session_allow_write(session);
@@ -1097,7 +1224,7 @@ void cache_update(const struct tfe_http_session * session, enum tfe_http_event e

 	if(events & EV_HTTP_RESP_BODY_BEGIN)
 	{
-		ctx->cache_update_ctx=web_cache_update_start(g_pangu_rt->cache, thread_id, session);
+		ctx->cache_update_ctx=web_cache_update_start(g_pangu_rt->cache, thread_id, session, &(ctx->cmid));
 	}
 	if(events & EV_HTTP_RESP_BODY_CONT && ctx->cache_update_ctx!=NULL)
 	{
@@ -1124,7 +1251,7 @@ void pangu_on_http_begin(const struct tfe_stream * stream,
 	ctx = pangu_http_ctx_new(thread_id);
 	addr_tfe2sapp(stream->addr, &sapp_addr);
 	hit_cnt = Maat_scan_proto_addr(g_pangu_rt->maat, g_pangu_rt->scan_table_id[PXY_CTRL_IP], &sapp_addr, 0,
-		result, MAX_SCAN_RESULT, &(ctx->mid), (int) thread_id);
+		result, MAX_SCAN_RESULT, &(ctx->scan_mid), (int) thread_id);

 	if (hit_cnt > 0)
 	{
@@ -1174,6 +1301,7 @@ void pangu_on_http_end(const struct tfe_stream * stream,
 	{
 		ATOMIC_INC(&(g_pangu_rt->stat_val[STAT_ACTION_REPLACE]));
 	}
+	cache_mid_clear(&(ctx->cmid));
 	pangu_http_ctx_free(ctx);
 	*pme = NULL;
 	return;