TSG-91
* 修改策略编译配置表名称 * 增加对用户自定域协议字段处理 * 修改配置文件,json文件
This commit is contained in:
fengweihao
@@ -469,6 +469,8 @@ static enum manipulate_action manipulate_action_str2idx(const char *action_str)
|
||||
void policy_action_param_new(int idx, const struct Maat_rule_t* rule, const char* srv_def_large,
|
||||
MAAT_RULE_EX_DATA* ad, long argl, void *argp)
|
||||
{
|
||||
struct policy_action_param* param=NULL;
|
||||
|
||||
*ad=NULL;
|
||||
if((unsigned int)rule->serv_def_len<strlen("{}")+1)
|
||||
{
|
||||
@@ -487,8 +489,18 @@ void policy_action_param_new(int idx, const struct Maat_rule_t* rule, const char
|
||||
return;
|
||||
}
|
||||
|
||||
struct policy_action_param* param=ALLOC(struct policy_action_param, 1);
|
||||
item=cJSON_GetObjectItem(json, "protocol");
|
||||
if(unlikely(!item || !cJSON_IsString(item)))
|
||||
{
|
||||
TFE_LOG_ERROR(g_pangu_rt->local_logger, "Invalid policy parameter: %d invalid protocol format", rule->config_id);
|
||||
goto error_out;
|
||||
}
|
||||
if(0!=strcasecmp(item->valuestring, "http"))
|
||||
{
|
||||
goto error_out;
|
||||
}
|
||||
|
||||
param=ALLOC(struct policy_action_param, 1);
|
||||
param->ref_cnt=1;
|
||||
pthread_mutex_init(&(param->lock), NULL);
|
||||
|
||||
@@ -572,8 +584,10 @@ void policy_action_param_new(int idx, const struct Maat_rule_t* rule, const char
|
||||
default: assert(0);
|
||||
break;
|
||||
}
|
||||
cJSON_Delete(json);
|
||||
*ad=param;
|
||||
TFE_LOG_INFO(g_pangu_rt->local_logger, "Add ctrl policy: %d", rule->config_id);
|
||||
error_out:
|
||||
cJSON_Delete(json);
|
||||
return;
|
||||
}
|
||||
|
||||
@@ -1658,7 +1672,7 @@ static void http_hijack(const struct tfe_http_session * session, enum tfe_http_e
|
||||
}
|
||||
|
||||
if (tfe_http_in_request(events))
|
||||
{
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
@@ -1696,9 +1710,9 @@ static void http_hijack(const struct tfe_http_session * session, enum tfe_http_e
|
||||
}
|
||||
const char* cont_disposition_val=tfe_http_std_field_read(to_write_sess->resp, TFE_HTTP_CONT_DISPOSITION);
|
||||
if (cont_disposition_val != NULL)
|
||||
{
|
||||
{
|
||||
tfe_http_std_field_write(response, TFE_HTTP_CONT_DISPOSITION, cont_disposition_val);
|
||||
}
|
||||
}
|
||||
tfe_http_std_field_write(response, TFE_HTTP_CONT_TYPE, hijack_profile->profile_type);
|
||||
snprintf(cont_len_str, sizeof(cont_len_str), "%lu", hijack_size);
|
||||
tfe_http_std_field_write(response, TFE_HTTP_CONT_LENGTH, cont_len_str);
|
||||
|
||||
@@ -191,12 +191,13 @@ int pangu_send_log(struct pangu_logger* handle, const struct pangu_log* log_msg)
|
||||
|
||||
const char *app_proto[]= {"unkonw","http1", "http2"};
|
||||
|
||||
struct json_spec req_fields[]={ {"cookie", TFE_HTTP_COOKIE},
|
||||
{"referer", TFE_HTTP_REFERER},
|
||||
{"user_agent", TFE_HTTP_USER_AGENT} };
|
||||
struct json_spec req_fields[]={ {"http_cookie", TFE_HTTP_COOKIE},
|
||||
{"http_referer", TFE_HTTP_REFERER},
|
||||
{"http_user_agent", TFE_HTTP_USER_AGENT} };
|
||||
|
||||
struct json_spec resp_fields[]={ {"content_type", TFE_HTTP_CONT_TYPE},
|
||||
{"content_len", TFE_HTTP_CONT_LENGTH} };
|
||||
struct json_spec resp_fields[]={ {"http_content_type", TFE_HTTP_CONT_TYPE},
|
||||
{"http_content_length", TFE_HTTP_CONT_LENGTH},
|
||||
{"http_set_cookie", TFE_HTTP_SET_COOKIE}};
|
||||
|
||||
if (!handle->en_sendlog)
|
||||
{
|
||||
@@ -206,43 +207,55 @@ int pangu_send_log(struct pangu_logger* handle, const struct pangu_log* log_msg)
|
||||
common_obj=cJSON_CreateObject();
|
||||
cur_time = time(NULL);
|
||||
|
||||
cJSON_AddNumberToObject(common_obj, "start_time", cur_time);
|
||||
cJSON_AddNumberToObject(common_obj, "end_time", cur_time);
|
||||
cJSON_AddStringToObject(common_obj, "app_proto", app_proto[http->major_version]);
|
||||
cJSON_AddNumberToObject(common_obj, "common_start_time", cur_time);
|
||||
cJSON_AddNumberToObject(common_obj, "common_end_time", cur_time);
|
||||
cJSON_AddStringToObject(common_obj, "http_version", app_proto[http->major_version]);
|
||||
|
||||
uint64_t opt_val;
|
||||
uint16_t opt_out_size;
|
||||
struct tfe_cmsg * cmsg = tfe_stream_get0_cmsg(log_msg->stream);
|
||||
if (cmsg!=NULL)
|
||||
{
|
||||
int ret = tfe_cmsg_get_value(cmsg, TFE_CMSG_STREAM_TRACE_ID, (unsigned char *) &opt_val, sizeof(opt_val), &opt_out_size);
|
||||
if (ret==0)
|
||||
{
|
||||
cJSON_AddNumberToObject(common_obj, "common_stream_trace_id", opt_val);
|
||||
}
|
||||
}
|
||||
|
||||
switch(addr->addrtype)
|
||||
{
|
||||
case TFE_ADDR_STREAM_TUPLE4_V4:
|
||||
cJSON_AddNumberToObject(common_obj, "addr_type", 4);
|
||||
cJSON_AddNumberToObject(common_obj, "common_address_type", 4);
|
||||
inet_ntop(AF_INET, &addr->tuple4_v4->saddr, src_ip_str, sizeof(src_ip_str));
|
||||
inet_ntop(AF_INET, &addr->tuple4_v4->daddr, dst_ip_str, sizeof(dst_ip_str));
|
||||
cJSON_AddStringToObject(common_obj, "client_ip", src_ip_str);
|
||||
cJSON_AddStringToObject(common_obj, "server_ip", dst_ip_str);
|
||||
cJSON_AddNumberToObject(common_obj, "client_port", ntohs(addr->tuple4_v4->source));
|
||||
cJSON_AddNumberToObject(common_obj, "server_port", ntohs(addr->tuple4_v4->dest));
|
||||
cJSON_AddStringToObject(common_obj, "trans_proto", "IPv4_TCP");
|
||||
cJSON_AddStringToObject(common_obj, "common_client_ip", src_ip_str);
|
||||
cJSON_AddStringToObject(common_obj, "common_server_ip", dst_ip_str);
|
||||
cJSON_AddNumberToObject(common_obj, "common_client_port", ntohs(addr->tuple4_v4->source));
|
||||
cJSON_AddNumberToObject(common_obj, "common_server_port", ntohs(addr->tuple4_v4->dest));
|
||||
cJSON_AddStringToObject(common_obj, "common_l4_protocol", "IPv4_TCP");
|
||||
break;
|
||||
case TFE_ADDR_STREAM_TUPLE4_V6:
|
||||
cJSON_AddNumberToObject(common_obj, "addr_type", 6);
|
||||
cJSON_AddNumberToObject(common_obj, "common_address_type", 6);
|
||||
inet_ntop(AF_INET6, &addr->tuple4_v6->saddr, src_ip_str, sizeof(src_ip_str));
|
||||
inet_ntop(AF_INET6, &addr->tuple4_v6->daddr, dst_ip_str, sizeof(dst_ip_str));
|
||||
cJSON_AddStringToObject(common_obj, "client_ip", src_ip_str);
|
||||
cJSON_AddStringToObject(common_obj, "server_ip", dst_ip_str);
|
||||
cJSON_AddNumberToObject(common_obj, "client_port", ntohs(addr->tuple4_v6->source));
|
||||
cJSON_AddNumberToObject(common_obj, "server_port", ntohs(addr->tuple4_v6->dest));
|
||||
cJSON_AddStringToObject(common_obj, "trans_proto", "IPv6_TCP");
|
||||
cJSON_AddStringToObject(common_obj, "common_client_ip", src_ip_str);
|
||||
cJSON_AddStringToObject(common_obj, "common_server_ip", dst_ip_str);
|
||||
cJSON_AddNumberToObject(common_obj, "common_client_port", ntohs(addr->tuple4_v6->source));
|
||||
cJSON_AddNumberToObject(common_obj, "common_server_port", ntohs(addr->tuple4_v6->dest));
|
||||
cJSON_AddStringToObject(common_obj, "common_l4_protocol", "IPv6_TCP");
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
cJSON_AddNumberToObject(common_obj, "direction", 0); //0:域内->域外,1:域外->域内,描述的是CLIENT_IP信息
|
||||
cJSON_AddNumberToObject(common_obj, "Link_id", 0);
|
||||
cJSON_AddNumberToObject(common_obj, "stream_dir", 3); //1:c2s, 2:s2c, 3:double
|
||||
cJSON_AddStringToObject(common_obj, "cap_ip", handle->local_ip_str);
|
||||
cJSON_AddNumberToObject(common_obj, "entrance_id", handle->entry_id);
|
||||
cJSON_AddNumberToObject(common_obj, "device_id", 0);
|
||||
cJSON_AddStringToObject(common_obj, "url", http->req->req_spec.url);
|
||||
cJSON_AddStringToObject(common_obj, "host", http->req->req_spec.host);
|
||||
cJSON_AddNumberToObject(common_obj, "common_direction", 0); //0:域内->域外,1:域外->域内,描述的是CLIENT_IP信息
|
||||
cJSON_AddNumberToObject(common_obj, "common_link_id", 0);
|
||||
cJSON_AddNumberToObject(common_obj, "common_stream_dir", 3); //1:c2s, 2:s2c, 3:double
|
||||
cJSON_AddStringToObject(common_obj, "common_sled_ip", handle->local_ip_str);
|
||||
cJSON_AddNumberToObject(common_obj, "common_entrance_id", handle->entry_id);
|
||||
cJSON_AddNumberToObject(common_obj, "common_device_id", 0);
|
||||
cJSON_AddStringToObject(common_obj, "http_url", http->req->req_spec.url);
|
||||
cJSON_AddStringToObject(common_obj, "http_host", http->req->req_spec.host);
|
||||
for(size_t i=0;i<sizeof(req_fields)/sizeof(struct json_spec);i++)
|
||||
{
|
||||
tmp_val=tfe_http_std_field_read(http->req, req_fields[i].field_id);
|
||||
@@ -280,7 +293,7 @@ int pangu_send_log(struct pangu_logger* handle, const struct pangu_log* log_msg)
|
||||
log_file_upload_path, sizeof(log_file_upload_path));
|
||||
if(tmp==0)
|
||||
{
|
||||
cJSON_AddStringToObject(common_obj, "req_body", log_file_upload_path);
|
||||
cJSON_AddStringToObject(common_obj, "http_request_body", log_file_upload_path);
|
||||
}
|
||||
else
|
||||
{
|
||||
@@ -306,8 +319,7 @@ int pangu_send_log(struct pangu_logger* handle, const struct pangu_log* log_msg)
|
||||
|
||||
if(tmp==0)
|
||||
{
|
||||
cJSON_AddStringToObject(common_obj, "resp_body", log_file_upload_path);
|
||||
|
||||
cJSON_AddStringToObject(common_obj, "http_response_body", log_file_upload_path);
|
||||
}
|
||||
else
|
||||
{
|
||||
@@ -331,9 +343,9 @@ int pangu_send_log(struct pangu_logger* handle, const struct pangu_log* log_msg)
|
||||
}
|
||||
|
||||
per_hit_obj=cJSON_Duplicate(common_obj, 1);
|
||||
cJSON_AddNumberToObject(per_hit_obj, "policy_id", log_msg->result[i].config_id);
|
||||
cJSON_AddNumberToObject(per_hit_obj, "service", log_msg->result[i].service_id);
|
||||
cJSON_AddNumberToObject(per_hit_obj, "action", (unsigned char)log_msg->result[i].action);
|
||||
cJSON_AddNumberToObject(per_hit_obj, "common_policy_id", log_msg->result[i].config_id);
|
||||
cJSON_AddNumberToObject(per_hit_obj, "common_service", log_msg->result[i].service_id);
|
||||
cJSON_AddNumberToObject(per_hit_obj, "common_action", (unsigned char)log_msg->result[i].action);
|
||||
log_payload = cJSON_PrintUnformatted(per_hit_obj);
|
||||
|
||||
TFE_LOG_DEBUG(handle->local_logger, "%s", log_payload);
|
||||
|
||||
@@ -60,26 +60,38 @@ void intercept_param_new_cb(int table_id, const char* key, const char* table_lin
|
||||
struct ssl_policy_enforcer* enforcer=(struct ssl_policy_enforcer*)argp;
|
||||
ret=Maat_helper_read_column(table_line, 7, &intercept_user_region_offset, &len);
|
||||
if(ret<0)
|
||||
{
|
||||
{
|
||||
TFE_LOG_ERROR(enforcer->logger, "Get intercept user region: %s", table_line);
|
||||
return;
|
||||
}
|
||||
}
|
||||
json_str=ALLOC(char, len+1);
|
||||
memcpy(json_str, table_line+intercept_user_region_offset, len);
|
||||
memcpy(json_str, table_line+intercept_user_region_offset, len);
|
||||
json=cJSON_Parse(json_str);
|
||||
if(json==NULL)
|
||||
{
|
||||
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: id = %s", key);
|
||||
goto error_out;
|
||||
}
|
||||
param=ALLOC(struct intercept_param, 1);
|
||||
|
||||
item=cJSON_GetObjectItem(json, "protocol");
|
||||
if(unlikely(!item || !cJSON_IsString(item)))
|
||||
{
|
||||
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: %s invalid protocol format", key);
|
||||
goto error_out;
|
||||
}
|
||||
if (0!=strcasecmp(item->valuestring, "SSL/HTTP"))
|
||||
{
|
||||
goto error_out;
|
||||
}
|
||||
|
||||
param=ALLOC(struct intercept_param, 1);
|
||||
param->policy_id=atoi(key);
|
||||
param->ref_cnt=1;
|
||||
param->bypass_mutual_auth=1;
|
||||
param->bypass_pinning=1;
|
||||
param->mirror_client_version=1;
|
||||
param->keyring=1;
|
||||
|
||||
|
||||
item=cJSON_GetObjectItem(json, "keyring");
|
||||
if(item)
|
||||
{
|
||||
@@ -96,7 +108,7 @@ void intercept_param_new_cb(int table_id, const char* key, const char* table_lin
|
||||
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: %d invalid keyring format", param->policy_id);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
exclusions=cJSON_GetObjectItem(json, "dynamic_bypass");
|
||||
if(exclusions)
|
||||
{
|
||||
@@ -119,7 +131,7 @@ void intercept_param_new_cb(int table_id, const char* key, const char* table_lin
|
||||
if(approach)
|
||||
{
|
||||
item=cJSON_GetObjectItem(approach, "cn");
|
||||
if(item && item->type==cJSON_Number && item->valueint==0) param->no_verify_cn=1;
|
||||
if(item && item->type==cJSON_Number && item->valueint==0) param->no_verify_cn=1;
|
||||
item=cJSON_GetObjectItem(approach, "issuer");
|
||||
if(item && item->type==cJSON_Number && item->valueint==0) param->no_verify_issuer=1;
|
||||
item=cJSON_GetObjectItem(approach, "self-signed");
|
||||
@@ -138,14 +150,14 @@ void intercept_param_new_cb(int table_id, const char* key, const char* table_lin
|
||||
}
|
||||
ssl_ver=cJSON_GetObjectItem(json, "protocol_version");
|
||||
if(ssl_ver)
|
||||
{
|
||||
item=cJSON_GetObjectItem(ssl_ver, "mirror_client");
|
||||
{
|
||||
item=cJSON_GetObjectItem(ssl_ver, "mirror_client");
|
||||
if(item && item->type==cJSON_Number) param->mirror_client_version=item->valueint;
|
||||
if(!param->mirror_client_version)
|
||||
{
|
||||
item=cJSON_GetObjectItem(ssl_ver, "min");
|
||||
item=cJSON_GetObjectItem(ssl_ver, "min");
|
||||
if(item && item->type==cJSON_String) param->ssl_min_version=sslver_str2num(item->valuestring);
|
||||
item=cJSON_GetObjectItem(ssl_ver, "max");
|
||||
item=cJSON_GetObjectItem(ssl_ver, "max");
|
||||
if(item && item->type==cJSON_String) param->ssl_max_version=sslver_str2num(item->valuestring);
|
||||
if(param->ssl_min_version<0||param->ssl_max_version<0)
|
||||
{
|
||||
@@ -153,12 +165,12 @@ void intercept_param_new_cb(int table_id, const char* key, const char* table_lin
|
||||
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: ssl version = %s", item->valuestring);
|
||||
}
|
||||
}
|
||||
item=cJSON_GetObjectItem(ssl_ver, "allow_http2");
|
||||
item=cJSON_GetObjectItem(ssl_ver, "allow_http2");
|
||||
if(item && item->type==cJSON_Number) param->allow_http2=item->valueint;
|
||||
}
|
||||
*ad=param;
|
||||
TFE_LOG_INFO(enforcer->logger, "Add intercept policy: %d", param->policy_id);
|
||||
error_out:
|
||||
error_out:
|
||||
cJSON_Delete(json);
|
||||
free(json_str);
|
||||
return;
|
||||
@@ -171,7 +183,7 @@ void intercept_param_free_cb(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, v
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
|
||||
if ((__sync_sub_and_fetch(¶m->ref_cnt, 1) == 0))
|
||||
{
|
||||
TFE_LOG_INFO(enforcer->logger, "Del intercept policy %d", param->policy_id);\
|
||||
@@ -189,10 +201,10 @@ struct ssl_policy_enforcer* ssl_policy_enforcer_create(void* logger)
|
||||
struct ssl_policy_enforcer* enforcer=ALLOC(struct ssl_policy_enforcer, 1);
|
||||
enforcer->maat=g_business_maat;
|
||||
enforcer->logger=logger;
|
||||
enforcer->table_id=Maat_table_register(enforcer->maat, "PXY_INTERCEPT_COMPILE");
|
||||
UNUSED int ret=Maat_plugin_EX_register(enforcer->maat,
|
||||
enforcer->table_id=Maat_table_register(enforcer->maat, "TSG_SECURITY_COMPILE");
|
||||
UNUSED int ret=Maat_plugin_EX_register(enforcer->maat,
|
||||
enforcer->table_id,
|
||||
intercept_param_new_cb,
|
||||
intercept_param_new_cb,
|
||||
intercept_param_free_cb,
|
||||
intercept_param_dup_cb,
|
||||
NULL,
|
||||
@@ -222,7 +234,7 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
|
||||
else
|
||||
{
|
||||
ssl_stream_get_string_opt(upstream, SSL_STREAM_OPT_SNI, sni, sizeof(sni));
|
||||
ssl_stream_get_string_opt(upstream, SSL_STREAM_OPT_ADDR, addr_string, sizeof(addr_string));
|
||||
ssl_stream_get_string_opt(upstream, SSL_STREAM_OPT_ADDR, addr_string, sizeof(addr_string));
|
||||
TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy %d", addr_string, sni, policy_id);
|
||||
}
|
||||
int pinning_staus=0, is_ev=0, is_ct=0, is_mauth=0, has_error=0;
|
||||
|
||||
@@ -83,6 +83,17 @@ void policy_table_ex_data_new_cb(int table_id, const char * key, const char * ta
|
||||
goto ignore;
|
||||
}
|
||||
|
||||
json_item=cJSON_GetObjectItem(json_root, "protocol");
|
||||
if (unlikely(!json_item || !cJSON_IsString(json_item)))
|
||||
{
|
||||
TFE_LOG_ERROR(instance->logger, "invalid JSON, protocol not existed or invalid type.");
|
||||
goto ignore;
|
||||
}
|
||||
if (0!=strcasecmp(json_item->valuestring, "SSL/HTTP"))
|
||||
{
|
||||
goto out;
|
||||
}
|
||||
|
||||
json_subroot = cJSON_GetObjectItem(json_root, "decrypt_mirror");
|
||||
if (unlikely(!json_subroot))
|
||||
{
|
||||
@@ -496,10 +507,10 @@ int traffic_mirror_init(struct tfe_proxy * proxy)
|
||||
}
|
||||
|
||||
/* REGISTER MAAT FEATHER */
|
||||
instance->policy_table_id = Maat_table_register(instance->maat_feather, "PXY_INTERCEPT_COMPILE");
|
||||
instance->policy_table_id = Maat_table_register(instance->maat_feather, "TSG_SECURITY_COMPILE");
|
||||
if (unlikely(instance->policy_table_id < 0))
|
||||
{
|
||||
TFE_LOG_ERROR(instance->logger, "failed at register table PXY_INTERCEPT_COMPILE, ret = %d",
|
||||
TFE_LOG_ERROR(instance->logger, "failed at register table TSG_SECURITY_COMPILE, ret = %d",
|
||||
instance->policy_table_id); goto errout;
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user