gfwleak/tango-tfe
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

TSG-14484 Pxoxy支持Maat4

Browse Source
This commit is contained in:
fengweihao
2023-03-30 19:39:18 +08:00
parent a2a4c32384
commit df39fcda90
23 changed files with 1219 additions and 564 deletions
Download Patch File Download Diff File Expand all files Collapse all files

350
plugin/business/tsg-http/src/tsg_http.cpp
View File

@@ -13,10 +13,10 @@
#include <tfe_scan.h>
#include <tfe_types.h>
#include <MESA/Maat_rule.h>
#include <MESA/MESA_handle_logger.h>
#include <MESA/MESA_prof_load.h>
#include <MESA/stream.h>
#include <MESA/maat.h>
#include <event2/event.h>
#include <event2/buffer.h>
@@ -43,8 +43,8 @@ enum proxy_action //Bigger action number is prior.
PX_ACTION_DROP = 0x20, /* N/A */
PX_ACTION_MANIPULATE = 0x30,
PX_ACTION_RATELIMIT = 0x40, /* N/A */
PX_ACTION_LOOP = 0x60, /* N/A */
PX_ACTION_WHITELIST = 0x80,
PX_ACTION_WHITELIST = 0x60,
PX_ACTION_SHUNT = 0x80,
__PX_ACTION_MAX
};
@@ -64,9 +64,11 @@ enum manipulate_action
enum scan_table
{
PXY_CTRL_IP,
PXY_CTRL_SOURCE_ADDR,
PXY_CTRL_DESTINATION_ADDR,
PXY_CTRL_HTTP_URL,
PXY_CTRL_HTTP_FQDN,
PXY_CTRL_HTTP_FQDN_CAT,
PXY_CTRL_HTTP_REQ_HDR,
PXY_CTRL_HTTP_REQ_BODY,
PXY_CTRL_HTTP_RES_HDR,
@@ -118,14 +120,22 @@ struct manipulate_profile
pthread_mutex_t lock;
};
struct maat_rule_t
{
long long config_id;
int service_id;
unsigned char do_log;
unsigned char do_blacklist;
unsigned char action;
char *srv_def_large;
};
struct policy_action_param
{
int ref_cnt;
enum manipulate_action action;
char *message;
char *position;
float enforcement_ratio;
int vsys_id;
int profile_id;
@@ -133,16 +143,15 @@ struct policy_action_param
size_t n_rule;
struct replace_rule *repl_rule;
size_t e_rule;
struct edit_element_rule *elem_rule;
struct maat_rule_t hit_rule;
pthread_mutex_t lock;
};
struct tsg_proxy_rt
{
Maat_feather_t maat;
struct maat *feather;
struct proxy_logger * send_logger;
void * local_logger;
int thread_num;
@@ -223,7 +232,7 @@ void increase_redirect_policy_hit_num(void)
void trusted_CA_update_start_cb(int update_type, void* u_para)
{
if(update_type==MAAT_RULE_UPDATE_TYPE_FULL)
if(update_type==MAAT_UPDATE_TYPE_FULL)
{
if(g_proxy_rt->ca_store_reseting==0)
{
@@ -378,13 +387,25 @@ void octal_utf8_escapes(char *input)
return;
}
void policy_action_param_new(int idx, const struct Maat_rule_t* rule, const char* srv_def_large,
MAAT_RULE_EX_DATA* ad, long argl, void *argp)
void policy_action_param_new(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp)
{
int ret=0;
int config_id=0, service_id=0, action=0;
int do_log=0,do_blacklist=0,is_valid=0;
char effective_range[1024]={0};
char srv_def_large[8192]={0};
struct policy_action_param* param=NULL;
ret=sscanf(table_line, "%d\t%d\t%d\t%d\t%d\t%s\t%s\t%d", &config_id, &service_id, &action, &do_blacklist, &do_log,effective_range, srv_def_large, &is_valid);
if(ret!=8)
{
TFE_LOG_ERROR(g_proxy_rt->local_logger, "ctrl policy table parse failed, ret:%d, %s", ret, table_line);
return;
}
*ad=NULL;
if((unsigned int)rule->serv_def_len<strlen("{}")+1)
int serv_def_len=strlen(srv_def_large);
if((unsigned int)serv_def_len<strlen("{}")+1)
{
return;
}
@@ -394,29 +415,36 @@ void policy_action_param_new(int idx, const struct Maat_rule_t* rule, const char
json=cJSON_Parse(srv_def_large);
if(json==NULL)
{
TFE_LOG_ERROR(g_proxy_rt->local_logger, "invalid policy parameter: id = %d", rule->config_id);
TFE_LOG_ERROR(g_proxy_rt->local_logger, "invalid policy parameter: id = %d", config_id);
return;
}
item=cJSON_GetObjectItem(json, "protocol");
if(unlikely(!item || !cJSON_IsString(item)))
{
TFE_LOG_ERROR(g_proxy_rt->local_logger, "Invalid policy parameter: %d invalid protocol format", rule->config_id);
TFE_LOG_ERROR(g_proxy_rt->local_logger, "Invalid policy parameter: %d invalid protocol format", config_id);
goto error_out;
}
if(0!=strcasecmp(item->valuestring, "http"))
{
goto error_out;
}
param=ALLOC(struct policy_action_param, 1);
param->ref_cnt=1;
param->hit_rule.action=action;
param->hit_rule.config_id=config_id;
param->hit_rule.do_blacklist=do_blacklist;
param->hit_rule.do_log=do_log;
param->hit_rule.srv_def_large=tfe_strdup(srv_def_large);
pthread_mutex_init(&(param->lock), NULL);
if(0!=strcasecmp(item->valuestring, "http"))
{
*ad=param;
goto error_out;
}
item=cJSON_GetObjectItem(json,"method");
if(item && item->type==cJSON_String)
{
param->action =manipulate_action_str2idx(item->valuestring);
param->action=manipulate_action_str2idx(item->valuestring);
}
switch(param->action)
@@ -628,13 +656,13 @@ void policy_action_param_new(int idx, const struct Maat_rule_t* rule, const char
break;
}
*ad=param;
TFE_LOG_INFO(g_proxy_rt->local_logger, "Add ctrl policy: %d", rule->config_id);
TFE_LOG_INFO(g_proxy_rt->local_logger, "Add ctrl policy: %d", config_id);
error_out:
cJSON_Delete(json);
return;
}
void policy_action_param_free_cb(int table_id, const struct Maat_rule_t* rule, const char* srv_def_large, MAAT_RULE_EX_DATA* ad, long argl, void *argp)
void policy_action_param_free_cb(int table_id, void **ad, long argl, void *argp)
{
unsigned int i=0;
if(*ad==NULL)
@@ -674,17 +702,20 @@ void policy_action_param_free_cb(int table_id, const struct Maat_rule_t* rule, c
FREE(&(param->message));
if (param->position)
FREE(&(param->position));
if(param->hit_rule.srv_def_large)
FREE(&(param->hit_rule.srv_def_large))
FREE(&(param));
return;
}
void policy_action_param_free(struct policy_action_param* param)
{
policy_action_param_free_cb(0, NULL, NULL, (void**)&param, 0, NULL);
policy_action_param_free_cb(0, (void**)&param, 0, NULL);
return;
}
void policy_action_param_dup(int idx, MAAT_RULE_EX_DATA *to, MAAT_RULE_EX_DATA *from, long argl, void *argp)
void policy_action_param_dup(int idx, void **to, void **from, long argl, void *argp)
{
struct policy_action_param* from_param=*((struct policy_action_param**)from);
if(from_param==NULL)
@@ -699,7 +730,7 @@ void policy_action_param_dup(int idx, MAAT_RULE_EX_DATA *to, MAAT_RULE_EX_DATA *
return;
}
void ma_profile_table_new_cb(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
void ma_profile_table_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp)
{
int ret=0, profile_id=0, is_valid=0;
char profile_name[128]={0}, formate[128]={0};
@@ -739,7 +770,7 @@ void ma_profile_table_new_cb(int table_id, const char* key, const char* table_li
return;
}
void ma_insert_profile_table_new_cb(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
void ma_insert_profile_table_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp)
{
int ret=0, profile_id=0, is_valid=0;
char profile_name[128]={0}, formate[128]={0};
@@ -779,7 +810,7 @@ void ma_insert_profile_table_new_cb(int table_id, const char* key, const char* t
return;
}
void ma_hijack_profile_table_new_cb(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
void ma_hijack_profile_table_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp)
{
int ret=0, profile_id=0, is_valid=0;
char profile_name[128]={0}, formate[128]={0};
@@ -806,7 +837,7 @@ void ma_hijack_profile_table_new_cb(int table_id, const char* key, const char* t
return;
}
void ma_lua_profile_table_new_cb(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
void ma_lua_profile_table_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp)
{
int timeout=0;
int ret=0, profile_id=0, is_valid=0;
@@ -848,7 +879,7 @@ void ma_lua_profile_table_new_cb(int table_id, const char* key, const char* tabl
return;
}
void ma_profile_table_free_cb(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void *argp)
void ma_profile_table_free_cb(int table_id, void **ad, long argl, void *argp)
{
if(*ad==NULL)
{
@@ -895,7 +926,7 @@ void ma_profile_table_free(struct manipulate_profile* ply_obj)
ma_profile_table_free_cb(0, (void **)&ply_obj, 0, NULL);
}
void ma_profile_table_dup_cb(int table_id, MAAT_PLUGIN_EX_DATA *to, MAAT_PLUGIN_EX_DATA *from, long argl, void *argp)
void ma_profile_table_dup_cb(int table_id, void **to, void **from, long argl, void *argp)
{
struct manipulate_profile* ply_obj=(struct manipulate_profile*)(*from);
pthread_mutex_lock(&(ply_obj->lock));
@@ -905,15 +936,15 @@ void ma_profile_table_dup_cb(int table_id, MAAT_PLUGIN_EX_DATA *to, MAAT_PLUGIN_
}
int maat_table_init(const char* table_name,
Maat_start_callback_t *start, Maat_update_callback_t *update,Maat_finish_callback_t *finish,
maat_start_callback_t *start, maat_update_callback_t *update, maat_finish_callback_t *finish,
void *u_para)
{
int table_id=0;
table_id=Maat_table_register(g_proxy_rt->maat, table_name);
table_id=maat_get_table_id(g_proxy_rt->feather, table_name);
if(table_id>=0)
{
Maat_table_callback_register(g_proxy_rt->maat, table_id,
maat_table_callback_register(g_proxy_rt->feather, table_id,
start, update, finish, u_para);
}
return table_id;
@@ -930,27 +961,27 @@ const char* table_name_idx2str(int profile_idx)
}
int maat_table_ex_init(int profile_idx,
Maat_plugin_EX_free_func_t* free_func,
Maat_plugin_EX_dup_func_t* dup_func)
maat_ex_free_func_t* free_func,
maat_ex_dup_func_t* dup_func)
{
int table_id = 0;
const char *table_name = table_name_idx2str(profile_idx);
Maat_plugin_EX_new_func_t *new_func[] = {
maat_ex_new_func_t *new_func[] = {
[POLICY_PROFLIE_TABLE_REJECT] = ma_profile_table_new_cb,
[POLICY_PROFILE_TABLE_INSERT] = ma_insert_profile_table_new_cb,
[POLICY_PROFILE_TABLE_HIJACK] = ma_hijack_profile_table_new_cb,
[POLICY_PROFILE_TABLE_LUA] = ma_lua_profile_table_new_cb,
};
table_id=g_proxy_rt->plolicy_table_id[profile_idx]=Maat_table_register(g_proxy_rt->maat, table_name);
table_id=g_proxy_rt->plolicy_table_id[profile_idx]=maat_get_table_id(g_proxy_rt->feather, table_name);
if(table_id >= 0)
{
table_id=Maat_plugin_EX_register(g_proxy_rt->maat, table_id,
new_func[profile_idx],
free_func,
dup_func,
NULL, 0, NULL);
table_id=maat_plugin_table_ex_schema_register(g_proxy_rt->feather, table_name,
new_func[profile_idx],
free_func,
dup_func,
0, NULL);
return 0;
}
TFE_LOG_INFO(NULL, "Pangu HTTP register table %s failed.", table_name);
@@ -960,12 +991,14 @@ int maat_table_ex_init(int profile_idx,
int proxy_policy_init(const char* profile_path, const char* static_section, const char* dynamic_section)
{
int ret = 0;
g_proxy_rt->maat = (Maat_feather_t)tfe_bussiness_resouce_get(STATIC_MAAT);
g_proxy_rt->feather = (struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT);
const char * table_name[__SCAN_TABLE_MAX];
table_name[PXY_CTRL_IP] = "TSG_SECURITY_ADDR";
table_name[PXY_CTRL_SOURCE_ADDR] = "TSG_SECURITY_SOURCE_ADDR";
table_name[PXY_CTRL_DESTINATION_ADDR]="TSG_SECURITY_DESTINATION_ADDR";
table_name[PXY_CTRL_HTTP_URL] = "TSG_FIELD_HTTP_URL";
table_name[PXY_CTRL_HTTP_FQDN] = "TSG_FIELD_HTTP_HOST";
table_name[PXY_CTRL_HTTP_FQDN_CAT] = "TSG_FIELD_HTTP_HOST_CAT";
table_name[PXY_CTRL_HTTP_REQ_HDR] = "TSG_FIELD_HTTP_REQ_HDR";
table_name[PXY_CTRL_HTTP_REQ_BODY] = "TSG_FIELD_HTTP_REQ_BODY";
table_name[PXY_CTRL_HTTP_RES_HDR] = "TSG_FIELD_HTTP_RES_HDR";
@@ -973,7 +1006,7 @@ int proxy_policy_init(const char* profile_path, const char* static_section, cons
table_name[PXY_CTRL_APP_ID] = "TSG_OBJ_APP_ID";
for (int i = 0; i < __SCAN_TABLE_MAX; i++)
{
g_proxy_rt->scan_table_id[i] = Maat_table_register(g_proxy_rt->maat, table_name[i]);
g_proxy_rt->scan_table_id[i] = maat_get_table_id(g_proxy_rt->feather, table_name[i]);
if (g_proxy_rt->scan_table_id[i] < 0)
{
TFE_LOG_ERROR(NULL, "Pangu HTTP Maat table %s register failed.", table_name[i]);
@@ -981,17 +1014,18 @@ int proxy_policy_init(const char* profile_path, const char* static_section, cons
}
}
g_proxy_rt->ctrl_compile_idx=Maat_rule_get_ex_new_index(g_proxy_rt->maat, "PXY_CTRL_COMPILE",
policy_action_param_new,
policy_action_param_free_cb,
policy_action_param_dup,
0, NULL);
g_proxy_rt->ctrl_compile_idx=maat_get_table_id(g_proxy_rt->feather, "PXY_CTRL_COMPILE");
maat_plugin_table_ex_schema_register(g_proxy_rt->feather, "PXY_CTRL_COMPILE",
policy_action_param_new,
policy_action_param_free_cb,
policy_action_param_dup,
0, NULL);
ret = maat_table_init("PXY_PROFILE_TRUSTED_CA_CERT",
trusted_CA_update_start_cb,
trusted_CA_update_cert_cb,
trusted_CA_update_finish_cb,
g_proxy_rt);
trusted_CA_update_start_cb,
trusted_CA_update_cert_cb,
trusted_CA_update_finish_cb,
g_proxy_rt);
if(ret<0)
{
TFE_LOG_INFO(NULL, "Pangu HTTP register table PXY_OBJ_TRUSTED_CA_CERT failed.");
@@ -999,10 +1033,10 @@ int proxy_policy_init(const char* profile_path, const char* static_section, cons
}
ret = maat_table_init("PXY_OBJ_TRUSTED_CA_CRL",
trusted_CA_update_start_cb,
trusted_CA_update_crl_cb,
trusted_CA_update_finish_cb,
g_proxy_rt);
trusted_CA_update_start_cb,
trusted_CA_update_crl_cb,
trusted_CA_update_finish_cb,
g_proxy_rt);
if(ret<0)
{
TFE_LOG_INFO(NULL, "Pangu HTTP register table PXY_OBJ_TRUSTED_CA_CRL failed.");
@@ -1131,7 +1165,7 @@ int proxy_http_init(struct tfe_proxy * proxy)
if(g_proxy_rt->cache_enabled)
{
g_proxy_rt->cache = create_web_cache_handle(profile_path, "TANGO_CACHE", g_proxy_rt->gc_evbase,
g_proxy_rt->maat, g_proxy_rt->local_logger);
g_proxy_rt->feather, g_proxy_rt->local_logger);
if(!g_proxy_rt->cache)
{
TFE_LOG_INFO(NULL, "Tango Cache init failed.");
@@ -1187,11 +1221,11 @@ struct proxy_http_ctx
enum proxy_action action;
char * action_para;
int hit_cnt;
struct Maat_rule_t result[MAX_SCAN_RESULT];
scan_status_t scan_mid;
stream_para_t sp;
long long result[MAX_SCAN_RESULT];
struct maat_state *scan_mid;
struct maat_stream *sp;
struct cache_mid* cmid;
struct Maat_rule_t * enforce_rules;
struct maat_rule_t * enforce_rules;
size_t n_enforce;
struct policy_action_param *param;
struct evbuffer* log_req_body, *log_resp_body;
@@ -1293,7 +1327,7 @@ static struct proxy_http_ctx * proxy_http_ctx_new(unsigned int thread_id)
{
struct proxy_http_ctx * ctx = ALLOC(struct proxy_http_ctx, 1);
ctx->magic_num=HTTP_CTX_MAGIC_NUM;
ctx->scan_mid = NULL;
ctx->scan_mid = maat_state_new(g_proxy_rt->feather, thread_id);
ctx->thread_id = (int) thread_id;
return ctx;
}
@@ -1327,12 +1361,14 @@ static void proxy_http_ctx_free(struct proxy_http_ctx * ctx)
FREE(&ctx->enforce_rules);
policy_action_param_free(ctx->param);
ctx->param=NULL;
Maat_clean_status(&(ctx->scan_mid));
maat_state_free(ctx->scan_mid);
ctx->scan_mid = NULL;
if(ctx->sp)
{
Maat_stream_scan_string_end(&(ctx->sp));
maat_stream_free(ctx->sp);
ctx->sp=NULL;
}
if(ctx->cache_write_ctx)
{
@@ -1398,7 +1434,7 @@ static struct manipulate_profile* get_profile_by_id(int profile_table, int profi
snprintf(cfg_id_str, sizeof(cfg_id_str), "%d", profile_id);
int table_id = g_proxy_rt->plolicy_table_id[profile_table];
result = (struct manipulate_profile*)Maat_plugin_get_EX_data(g_proxy_rt->maat, table_id, (const char*)cfg_id_str);
result = (struct manipulate_profile*)maat_plugin_table_get_ex_data(g_proxy_rt->feather, table_id, (const char*)cfg_id_str);
return result;
}
@@ -1428,13 +1464,29 @@ static inline int action_cmp(enum proxy_action a1, enum proxy_action a2)
}
//enforce_rules[0] contains execute action.
static enum proxy_action decide_ctrl_action(const struct Maat_rule_t * hit_rules, size_t n_hit,
struct Maat_rule_t ** enforce_rules, size_t * n_enforce, struct policy_action_param **param)
static enum proxy_action decide_ctrl_action(long long *results, size_t n_hit,
struct maat_rule_t** enforce_rules, size_t * n_enforce, struct policy_action_param **param)
{
void *ex_data=NULL;
size_t n_monit = 0, exist_enforce_num = 0, i = 0;
const struct Maat_rule_t * prior_rule = hit_rules;
struct Maat_rule_t monit_rule[n_hit];
struct policy_action_param *get_ex_param=NULL;
struct maat_rule_t *hit_rules=NULL;
hit_rules=ALLOC(struct maat_rule_t, n_hit);
for (i = 0; i < n_hit && i<MAX_SCAN_RESULT; i++)
{
get_ex_param =(struct policy_action_param *)maat_plugin_table_get_ex_data(g_proxy_rt->feather, g_proxy_rt->ctrl_compile_idx, (const char *)&results[i]);
if(get_ex_param==NULL)
{
continue;
}
memcpy(hit_rules+i, &get_ex_param->hit_rule, sizeof(struct maat_rule_t));
policy_action_param_free(get_ex_param);
}
const struct maat_rule_t * prior_rule = hit_rules;
struct maat_rule_t monit_rule[n_hit];
enum proxy_action prior_action = PX_ACTION_NONE;
for (i = 0; i < n_hit && i<MAX_SCAN_RESULT; i++)
@@ -1444,7 +1496,7 @@ static enum proxy_action decide_ctrl_action(const struct Maat_rule_t * hit_rules
if (__action == PX_ACTION_MONIT)
{
memcpy(monit_rule + n_monit, hit_rules + i, sizeof(struct Maat_rule_t));
memcpy(monit_rule + n_monit, hit_rules + i, sizeof(struct maat_rule_t));
n_monit++;
}
if (action_cmp(__action, prior_action) > 0)
@@ -1469,11 +1521,11 @@ static enum proxy_action decide_ctrl_action(const struct Maat_rule_t * hit_rules
{
if(*n_enforce==0)
{
*enforce_rules=ALLOC(struct Maat_rule_t, 1);
*enforce_rules=ALLOC(struct maat_rule_t, 1);
}
*enforce_rules[0]=*prior_rule;
*n_enforce=1;
ex_data=Maat_rule_get_ex_data(g_proxy_rt->maat, prior_rule, g_proxy_rt->ctrl_compile_idx);
ex_data=maat_plugin_table_get_ex_data(g_proxy_rt->feather, g_proxy_rt->ctrl_compile_idx, (const char *)&prior_rule->config_id);
if(ex_data!=NULL)
{
*param=(struct policy_action_param*)ex_data;
@@ -1491,19 +1543,19 @@ static enum proxy_action decide_ctrl_action(const struct Maat_rule_t * hit_rules
*n_enforce += n_monit + 1;
}
*enforce_rules = (struct Maat_rule_t *) realloc(*enforce_rules, sizeof(struct Maat_rule_t) * (*n_enforce));
*enforce_rules = (struct maat_rule_t *) realloc(*enforce_rules, sizeof(struct maat_rule_t) * (*n_enforce));
if (prior_action == PX_ACTION_MONIT)
{
memcpy(*enforce_rules + exist_enforce_num, monit_rule, n_monit * sizeof(struct Maat_rule_t));
memcpy(*enforce_rules + exist_enforce_num, monit_rule, n_monit * sizeof(struct maat_rule_t));
}
else
{
memmove(*enforce_rules+1, *enforce_rules, exist_enforce_num*sizeof(struct Maat_rule_t));
memcpy(*enforce_rules, prior_rule, sizeof(struct Maat_rule_t));
memcpy(*enforce_rules + exist_enforce_num + 1, monit_rule, n_monit * sizeof(struct Maat_rule_t));
memmove(*enforce_rules+1, *enforce_rules, exist_enforce_num*sizeof(struct maat_rule_t));
memcpy(*enforce_rules, prior_rule, sizeof(struct maat_rule_t));
memcpy(*enforce_rules + exist_enforce_num + 1, monit_rule, n_monit * sizeof(struct maat_rule_t));
}
ex_data=Maat_rule_get_ex_data(g_proxy_rt->maat, prior_rule, g_proxy_rt->ctrl_compile_idx);
ex_data=maat_plugin_table_get_ex_data(g_proxy_rt->feather, g_proxy_rt->ctrl_compile_idx, (const char *)&prior_rule->config_id);
if(ex_data!=NULL)
{
*param=(struct policy_action_param*)ex_data;
@@ -1644,6 +1696,7 @@ void http_lua(const struct tfe_stream * stream, const struct tfe_http_session *
struct policy_action_param *param = ctx->param;
ctx->tsg_ctx = tsg_ctx = ALLOC(struct tsg_script_ctx, 1);
tsg_ctx->profile_id = param->profile_id;
tsg_ctx->addr = stream->addr;
tsg_ctx->elua_ctx = http_lua_ctx_new(lua_script, ctx->thread_id);
}
else
@@ -1665,16 +1718,17 @@ void http_lua(const struct tfe_stream * stream, const struct tfe_http_session *
if ((events & EV_HTTP_REQ_HDR) || (events & EV_HTTP_RESP_HDR))
{
tsg_ctx->http_req_uri=1; tsg_ctx->execut_lua_sucess=0;
ret=execute_lua_script_rule(lua_script, tsg_ctx->profile_id, tsg_ctx->elua_ctx, ctx->thread_id, (void *)tsg_ctx);
if(ret==0 && tsg_ctx->execut_lua_sucess==1)
{
tsg_ctx->actually_executed =1;
}
tsg_ctx->http_req_uri=0;
tsg_ctx->execut_lua_sucess=0;
if (tfe_http_in_request(events))
{
tsg_ctx->http_req_uri=1; tsg_ctx->execut_lua_sucess=0;
ret=execute_lua_script_rule(lua_script, tsg_ctx->profile_id, tsg_ctx->elua_ctx, ctx->thread_id, (void *)tsg_ctx);
if(ret==0 && tsg_ctx->execut_lua_sucess==1)
{
tsg_ctx->actually_executed =1;
}
tsg_ctx->http_req_uri=0;
tsg_ctx->execut_lua_sucess=0;
tsg_ctx->replacing = tfe_http_session_request_create(to_write_sess, in_req_spec->method, tsg_ctx->rewrite_uri !=NULL ? tsg_ctx->rewrite_uri : in_req_spec->uri);
tfe_http_session_request_set(to_write_sess, tsg_ctx->replacing);
}
@@ -1694,14 +1748,13 @@ void http_lua(const struct tfe_stream * stream, const struct tfe_http_session *
{
tsg_ctx->actually_executed =1;
}
struct tfe_http_half * in_half = tfe_http_in_request(events) ? in_req_half : in_resp_half;
struct http_field_name in_header_field{};
const char * in_header_value = NULL;
void * iterator = NULL;
while (true)
while (true && tsg_ctx->rewrite_header!=1)
{
if ((in_header_value = tfe_http_field_iterate(in_half, &iterator, &in_header_field)) == NULL)
{
@@ -1709,6 +1762,7 @@ void http_lua(const struct tfe_stream * stream, const struct tfe_http_session *
}
tfe_http_field_write(tsg_ctx->replacing, &in_header_field, in_header_value);
}
tsg_ctx->rewrite_header=0;
}
if ((events & EV_HTTP_REQ_BODY_BEGIN) || (events & EV_HTTP_RESP_BODY_BEGIN))
@@ -2033,7 +2087,7 @@ static void http_redirect(const struct tfe_stream * stream, const struct tfe_htt
}
ctx->manipulate_replaced = 1;
if (resp_code <= 0 || rd_url == NULL){
TFE_LOG_ERROR(g_proxy_rt->local_logger, "Invalid redirect rule %d paramter",
TFE_LOG_ERROR(g_proxy_rt->local_logger, "Invalid redirect rule %lld paramter",
ctx->enforce_rules[0].config_id);
goto error_out;
}
@@ -2093,7 +2147,7 @@ static void http_block(const struct tfe_stream * stream, const struct tfe_http_s
char *message = param->message;
if (resp_code <= 0 || profile_id < 0){
TFE_LOG_ERROR(g_proxy_rt->local_logger, "Invalid block rule %d", ctx->enforce_rules[0].config_id);
TFE_LOG_ERROR(g_proxy_rt->local_logger, "Invalid block rule %lld", ctx->enforce_rules[0].config_id);
ctx->action = PX_ACTION_NONE;
return;
}
@@ -2149,7 +2203,7 @@ static void http_hijack(const struct tfe_http_session * session, enum tfe_http_e
if (param->profile_id <= 0)
{
TFE_LOG_ERROR(g_proxy_rt->local_logger, "Invalid hijack rule %d",
TFE_LOG_ERROR(g_proxy_rt->local_logger, "Invalid hijack rule %lld",
ctx->enforce_rules[0].config_id);
ctx->action = PX_ACTION_NONE;
return;
@@ -2525,7 +2579,7 @@ static void http_manipulate(const struct tfe_stream * stream, const struct tfe_h
struct policy_action_param *param = ctx->param;
if (param == NULL)
{
TFE_LOG_ERROR(g_proxy_rt->local_logger, "Failed to get the json format parsed. config_id = %d",
TFE_LOG_ERROR(g_proxy_rt->local_logger, "Failed to get the json format parsed. config_id = %lld",
ctx->enforce_rules[0].config_id);
ctx->action = PX_ACTION_NONE;
return;
@@ -2590,9 +2644,10 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht
const char * field_val = NULL;
struct http_field_name field_name;
struct tfe_http_half * http_half;
struct Maat_rule_t *result = ctx->result;
long long *result = ctx->result;
char buff[TFE_STRING_MAX], * p = NULL;
int scan_ret = 0, table_id = 0;
size_t n_hit_result=0;
size_t hit_cnt = ctx->hit_cnt, i = 0;
if (events & EV_HTTP_REQ_HDR)
@@ -2601,13 +2656,13 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht
int str_host_length = get_fqdn_len(str_host);
if (str_host != NULL && str_host_length != 0)
{
scan_ret = Maat_full_scan_string(g_proxy_rt->maat, g_proxy_rt->scan_table_id[PXY_CTRL_HTTP_FQDN],
CHARSET_UTF8, str_host, str_host_length, result + hit_cnt, NULL, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid), ctx->thread_id);
if (scan_ret > 0)
scan_ret = maat_scan_string(g_proxy_rt->feather, g_proxy_rt->scan_table_id[PXY_CTRL_HTTP_FQDN],
str_host, str_host_length, result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid);
if (scan_ret == MAAT_SCAN_HIT)
{
hit_cnt += scan_ret;
hit_cnt += n_hit_result;
}
scan_ret = tfe_scan_fqdn_cat(stream, result, &(ctx->scan_mid), hit_cnt, ctx->thread_id, g_proxy_rt->local_logger, g_proxy_rt->scan_table_id[PXY_CTRL_HTTP_FQDN]);
scan_ret = tfe_scan_fqdn_cat(stream, result, ctx->scan_mid, hit_cnt, g_proxy_rt->local_logger, g_proxy_rt->scan_table_id[PXY_CTRL_HTTP_FQDN_CAT]);
if (scan_ret > 0)
{
hit_cnt += scan_ret;
@@ -2617,12 +2672,12 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht
const char * str_url = session->req->req_spec.url;
int str_url_length = (int) (strlen(session->req->req_spec.url));
scan_ret = Maat_full_scan_string(g_proxy_rt->maat, g_proxy_rt->scan_table_id[PXY_CTRL_HTTP_URL],
CHARSET_UTF8, str_url, str_url_length, result + hit_cnt, NULL, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid), ctx->thread_id);
scan_ret = maat_scan_string(g_proxy_rt->feather, g_proxy_rt->scan_table_id[PXY_CTRL_HTTP_URL],
str_url, str_url_length, result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid);
if (scan_ret > 0)
if (scan_ret == MAAT_SCAN_HIT)
{
hit_cnt += scan_ret;
hit_cnt += n_hit_result;
}
}
@@ -2640,16 +2695,14 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht
}
const char * str_field_name = http_field_name_to_string(&field_name);
scan_ret = Maat_set_scan_status(g_proxy_rt->maat, &(ctx->scan_mid), MAAT_SET_SCAN_DISTRICT,
str_field_name, strlen(str_field_name));
scan_ret = maat_state_set_scan_district(ctx->scan_mid, str_field_name, strlen(str_field_name));
assert(scan_ret == 0);
scan_ret = Maat_full_scan_string(g_proxy_rt->maat, table_id,
CHARSET_UTF8, field_val, strlen(field_val),
result + hit_cnt, NULL, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid), ctx->thread_id);
if (scan_ret > 0)
scan_ret = maat_scan_string(g_proxy_rt->feather, table_id, field_val, strlen(field_val),
result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid);
if (scan_ret == MAAT_SCAN_HIT)
{
hit_cnt += scan_ret;
hit_cnt += n_hit_result;
}
}
}
@@ -2659,22 +2712,22 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht
assert(ctx->sp == NULL);
table_id = events & EV_HTTP_REQ_BODY_BEGIN ? g_proxy_rt->scan_table_id[PXY_CTRL_HTTP_REQ_BODY] : g_proxy_rt
->scan_table_id[PXY_CTRL_HTTP_RES_BODY];
ctx->sp = Maat_stream_scan_string_start(g_proxy_rt->maat, table_id, ctx->thread_id);
ctx->sp = maat_stream_new(g_proxy_rt->feather, table_id, ctx->scan_mid);
}
if (body_frag != NULL)
{
scan_ret = Maat_stream_scan_string(&(ctx->sp), CHARSET_UTF8, (const char *) body_frag, (int) frag_size,
result + hit_cnt, NULL, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid));
if (scan_ret > 0)
scan_ret = maat_stream_scan(ctx->sp, (const char *)body_frag, (int)frag_size,
result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid);
if (scan_ret == MAAT_SCAN_HIT)
{
hit_cnt += scan_ret;
hit_cnt += n_hit_result;
}
}
if ((events & EV_HTTP_REQ_BODY_END) | (events & EV_HTTP_RESP_BODY_END))
{
Maat_stream_scan_string_end(&(ctx->sp));
maat_stream_free(ctx->sp);
ctx->sp = NULL;
}
@@ -2683,7 +2736,7 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht
ctx->action = decide_ctrl_action(result, hit_cnt, &ctx->enforce_rules, &ctx->n_enforce, &ctx->param);
if (ctx->action == PX_ACTION_WHITELIST)
{
TFE_LOG_INFO(g_proxy_rt->local_logger, "Bypass rules matched: url=%s policy id=%d.",
TFE_LOG_INFO(g_proxy_rt->local_logger, "Bypass rules matched: url=%s policy id=%lld.",
session->req->req_spec.url, ctx->enforce_rules[0].config_id);
goto __out;
}
@@ -2692,12 +2745,12 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht
p = buff;
for (i = 0; i < hit_cnt && i<MAX_SCAN_RESULT; i++)
{
p += snprintf(p, sizeof(buff) - (p - buff), "%d:", result[i].config_id);
p += snprintf(p, sizeof(buff) - (p - buff), "%lld:", result[i]);
}
*p = '\0';
TFE_LOG_INFO(g_proxy_rt->local_logger, "Multiple rules matched: url=%s num=%lu ids=%s execute=%d.",
TFE_LOG_INFO(g_proxy_rt->local_logger, "Multiple rules matched: url=%s num=%lu ids=%s execute=%lld.",
session->req->req_spec.url, hit_cnt, buff, ctx->enforce_rules[0].config_id);
}
ctx->hit_cnt=0;
@@ -3015,39 +3068,68 @@ void proxy_on_http_begin(const struct tfe_stream * stream,
assert(ctx == NULL);
ATOMIC_INC(&(g_proxy_rt->stat_val[STAT_SESSION]));
ctx = proxy_http_ctx_new(thread_id);
struct Maat_rule_t *result = ctx->result;
long long *result = ctx->result;
size_t n_hit_result=0;
scan_ret = tfe_scan_subscribe_id(stream, result, &(ctx->scan_mid), hit_cnt, ctx->thread_id, g_proxy_rt->local_logger);
scan_ret = tfe_scan_subscribe_id(stream, result, ctx->scan_mid, hit_cnt, g_proxy_rt->local_logger);
if(scan_ret>0)
{
hit_cnt+=scan_ret;
}
scan_ret = tfe_scan_ip_location(stream, result, &(ctx->scan_mid), hit_cnt, ctx->thread_id, g_proxy_rt->local_logger, &(ctx->ip_ctx.location_server), &(ctx->ip_ctx.location_client));
scan_ret = tfe_scan_ip_location(stream, result, ctx->scan_mid, hit_cnt, g_proxy_rt->local_logger, &(ctx->ip_ctx.location_server), &(ctx->ip_ctx.location_client));
if(scan_ret>0)
{
hit_cnt+=scan_ret;
}
scan_ret = tfe_scan_ip_asn(stream, result, &(ctx->scan_mid), hit_cnt, ctx->thread_id, g_proxy_rt->local_logger, &(ctx->ip_ctx.asn_server), &(ctx->ip_ctx.asn_client));
scan_ret = tfe_scan_ip_asn(stream, result, ctx->scan_mid, hit_cnt, g_proxy_rt->local_logger, &(ctx->ip_ctx.asn_server), &(ctx->ip_ctx.asn_client));
if(scan_ret>0)
{
hit_cnt+=scan_ret;
}
int scan_val=67;
scan_ret=Maat_scan_intval(g_proxy_rt->maat, g_proxy_rt->scan_table_id[PXY_CTRL_APP_ID], scan_val, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt, &(ctx->scan_mid), (int) thread_id);
if(scan_ret>0)
scan_ret=maat_scan_integer(g_proxy_rt->feather, g_proxy_rt->scan_table_id[PXY_CTRL_APP_ID], scan_val, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt, &n_hit_result, ctx->scan_mid);
if(scan_ret==MAAT_SCAN_HIT)
{
hit_cnt+=scan_ret;
hit_cnt+=n_hit_result;
}
addr_tfe2sapp(stream->addr, &sapp_addr);
scan_ret = Maat_scan_proto_addr(g_proxy_rt->maat, g_proxy_rt->scan_table_id[PXY_CTRL_IP], &sapp_addr, 0,
result+hit_cnt, MAX_SCAN_RESULT-hit_cnt, &(ctx->scan_mid), (int) thread_id);
if(scan_ret>0)
if (sapp_addr.addrtype == ADDR_TYPE_IPV4)
{
hit_cnt+=scan_ret;
}
scan_ret = maat_scan_ipv4(g_proxy_rt->feather, g_proxy_rt->scan_table_id[PXY_CTRL_SOURCE_ADDR],
sapp_addr.v4->saddr, sapp_addr.v4->source, 0, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
&n_hit_result, ctx->scan_mid);
if (n_hit_result == MAAT_SCAN_HIT)
{
hit_cnt += n_hit_result;
}
scan_ret = maat_scan_ipv4(g_proxy_rt->feather, g_proxy_rt->scan_table_id[PXY_CTRL_DESTINATION_ADDR],
sapp_addr.v4->daddr, sapp_addr.v4->dest, 0, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
&n_hit_result, ctx->scan_mid);
if(scan_ret == MAAT_SCAN_HIT)
{
hit_cnt += n_hit_result;
}
}
if (sapp_addr.addrtype == ADDR_TYPE_IPV6)
{
scan_ret = maat_scan_ipv6(g_proxy_rt->feather, g_proxy_rt->scan_table_id[PXY_CTRL_SOURCE_ADDR],
sapp_addr.v6->saddr, sapp_addr.v6->source, 0, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
&n_hit_result, ctx->scan_mid);
if (scan_ret == MAAT_SCAN_HIT)
{
hit_cnt += n_hit_result;
}
scan_ret = maat_scan_ipv6(g_proxy_rt->feather, g_proxy_rt->scan_table_id[PXY_CTRL_DESTINATION_ADDR],
sapp_addr.v6->daddr, sapp_addr.v6->dest, 0, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
&n_hit_result, ctx->scan_mid);
if (scan_ret == MAAT_SCAN_HIT)
{
hit_cnt += n_hit_result;
}
}
if(hit_cnt > 0)
{
ctx->hit_cnt = hit_cnt;
@@ -3151,7 +3233,7 @@ void proxy_on_http_end(const struct tfe_stream * stream,
{
if(i+1 > ctx->n_enforce)
{
memmove(ctx->enforce_rules+i, ctx->enforce_rules+i+1, sizeof(struct Maat_rule_t));
memmove(ctx->enforce_rules+i, ctx->enforce_rules+i+1, sizeof(struct maat_rule_t));
}
j++;
}
@@ -3163,7 +3245,7 @@ void proxy_on_http_end(const struct tfe_stream * stream,
FREE(&(ctx->enforce_rules));
}
}
struct proxy_log log_msg = {.stream=stream, .http=session, .result=ctx->enforce_rules, .result_num=ctx->n_enforce,
struct proxy_log log_msg = {.stream=stream, .http=session, .result=(struct log_rule_t *)ctx->enforce_rules, .result_num=ctx->n_enforce,
.req_body=ctx->log_req_body, .resp_body=ctx->log_resp_body, .action=0, .inject_sz=ctx->inject_sz,
.asn_client=ctx->ip_ctx.asn_client, .asn_server=ctx->ip_ctx.asn_server, .location_client=ctx->ip_ctx.location_client,
.location_server=ctx->ip_ctx.location_server};