TSG-18999 PolicyVerify适配TSG_SECURITY_COMPILE表名变更为SECURITY_COMPILE

2024-02-02 18:13:41 +08:00
parent 873f02cff2
commit 32bc9569d7
3 changed files with 95 additions and 130 deletions
--- a/common/include/verify_policy.h
+++ b/common/include/verify_policy.h
@@ -151,8 +151,6 @@ size_t policy_verify_scan(int vsys_id, int compile_table_id, struct request_quer
 void http_get_scan_status(struct request_query_obj *query_obj, int type, cJSON *attributes, cJSON  *data_obj, void *pme);
 int maat_table_init(struct verify_policy * verify, const char* profile_path);
 int http_hit_policy_list(struct verify_policy_query *verify_policy, int num, size_t hit_cnt, cJSON *data_obj, void *pme);
 void http_res_hdr_num(void *pem);
 void http_req_hdr_num(void *pem);
 void verify_policy_tunnle_add(void * pme);
 int policy_verify_regex_expression(const char *expression);
 void verify_reload_loglevel();
--- a/platform/src/verify_matcher.cpp
+++ b/platform/src/verify_matcher.cpp
@@ -90,6 +90,8 @@ struct http_field_name
 	enum http_std_field field_id;
 };
 /** Nth_scan: Since there is no virtual table name in the request due to IP location and IP protocol,
 * the current hit path scan count needs to be recorded to correspond to the virtual table name */
 struct ip_data_ctx
 {
 	char *asn_client;
@@ -98,7 +100,7 @@ struct ip_data_ctx
 	char *organization_server;
 	char *location_client;
 	char *location_server;
-	int Nth_scan[2];
+	int Nth_scan[3];
 };
 struct fqdn_category_ctx
@@ -157,14 +159,12 @@ struct policy_scan_ctx
 	int n_read;
 	struct maat_hit_path hit_path[HIT_PATH_SIZE];
-	int req_hdr_num;
+	int ip_protocol_num;
 	int res_hdr_num;
 	int tunnel_endpoint_x;
 	int bool_id_array_idx;
    unsigned long long bool_id_array[256];
 	struct ip_data_ctx ip_ctx;
 	int thread_id;
 };
 struct verify_policy_rt
@@ -203,23 +203,10 @@ void verify_policy_tunnle_add(void * pme)
 	ctx->tunnel_endpoint_x++;
 }
 void http_req_hdr_num(void *pem)
 {
 	struct policy_scan_ctx * ctx = (struct policy_scan_ctx *)pem;
 	ctx->req_hdr_num++;
 }
 void http_res_hdr_num(void *pem)
 {
 	struct policy_scan_ctx * ctx = (struct policy_scan_ctx *)pem;
 	ctx->res_hdr_num++;
 }
 void *policy_scan_ctx_new(unsigned int thread_id, int vsys_id, int compile_table_id)
 {
 	struct policy_scan_ctx * ctx = ALLOC(struct policy_scan_ctx, 1);
 	ctx->scan_mid = maat_state_new(g_policy_rt->feather[vsys_id], thread_id);
 	ctx->thread_id = (int) thread_id;
 	maat_state_set_scan_compile_table(ctx->scan_mid, g_policy_rt->compile_table_id[compile_table_id]);
 	return (void *)ctx;
@@ -1193,7 +1180,7 @@ int policy_verify_regex_expression(const char *expression)
 	return maat_helper_verify_regex_expression(expression);
 }
-int get_attributes_table_name(struct request_query_obj *query_obj, int num, int Nth_scan, struct ip_data_ctx *ip_ctx, int tunnel_endpoint_x, cJSON *topObject)
+int get_attributes_table_name(struct request_query_obj *request, int num, int Nth_scan, struct ip_data_ctx *ip_ctx, int tunnel_endpoint_x, cJSON *topObject)
 {
 	int i=0, j=0;
 	cJSON *attributeObj=NULL, *subchild=NULL;
@@ -1204,20 +1191,25 @@ int get_attributes_table_name(struct request_query_obj *query_obj, int num, int
 		cJSON_AddStringToObject(topObject, "tableName", "ATTR_SOURCE_IP");
 		return 0;
 	}
 	if(ip_ctx->Nth_scan[1] == Nth_scan)
 	{
 		cJSON_AddStringToObject(topObject, "tableName", "ATTR_DESTINATION_IP");
 		return 0;
 	}
 	/**ip protocol*/
 	if(ip_ctx->Nth_scan[2] == Nth_scan)
 	{
 		cJSON_AddStringToObject(topObject, "tableName", "ATTR_IP_PROTOCOL");
 		return 0;
 	}
 	for(i=0; i<num; i++)
 	{
-		for(j=0; j<= query_obj[i].merge_nth_scan_num; j++)
+		for(j=0; j<= request[i].merge_nth_scan_num; j++)
 		{
-			if (query_obj[i].merge_nth_scan[j] == Nth_scan)
+			if (request[i].merge_nth_scan[j] == Nth_scan)
 			{
-				attributeObj=query_obj[i].attributes;
+				attributeObj=request[i].attributes;
 				subchild = cJSON_GetObjectItem(attributeObj, "tableName");
 				if(subchild && subchild->type==cJSON_String)
 				{
@@ -1520,6 +1512,27 @@ int ip_asn_scan(struct policy_scan_ctx * ctx, int vsys_id, struct ip_addr* sip,
 	return hit_cnt_ip;
 }
 static int group_scan(struct policy_scan_ctx *ctx, int vsys_id, int hit_cnt, struct maat_hit_group hit_group, int table_id)
 {
 	size_t n_hit_result=0;
 	int scan_ret=0, hit_cnt_group=0;
 	scan_ret = maat_scan_group(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], &hit_group, 1,
 							   ctx->result+hit_cnt+hit_cnt_group, MAX_SCAN_RESULT-hit_cnt-hit_cnt_group, &n_hit_result, ctx->scan_mid);
 	if(scan_ret == MAAT_SCAN_HIT)
 	{
 		hit_cnt_group+=n_hit_result;
 	}
 	scan_ret = maat_scan_not_logic(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], ctx->result+hit_cnt+hit_cnt_group,
 								   MAX_SCAN_RESULT-hit_cnt-hit_cnt_group, &n_hit_result, ctx->scan_mid);
 	if (scan_ret == MAAT_SCAN_HIT)
 	{
 		hit_cnt_group+=n_hit_result;
 	}
 	return hit_cnt_group;
 }
 int get_fqdn_category_id(struct request_query_obj *request, struct policy_scan_ctx * ctx, int vsys_id, const char *fqdn, int table_id, int hit_cnt)
 {
 	int j=0, k=0;
@@ -1630,29 +1643,18 @@ finish:
 int tunnel_level_scan(struct request_query_obj *request, struct policy_scan_ctx *ctx, int vsys_id, int hit_cnt)
 {
 	size_t n_hit_result=0;
 	int n_read, hit_path_cnt=0;
 	int scan_ret=0, hit_cnt_tunnel=0;
 	struct maat_hit_group hit_group;
 	int table_id = request->table_id;
 	int group_level_array[]={50, 51, 52, 53, 54, 55, 56, 57};
 	memset(&hit_group, 0, sizeof(hit_group));
 	hit_group.group_id=group_level_array[request->numeric];
-	scan_ret = maat_scan_group(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], &hit_group, 1,
+	scan_ret = group_scan(ctx, vsys_id, hit_cnt, hit_group, request->table_id);
-							   ctx->result+hit_cnt+hit_cnt_tunnel, MAX_SCAN_RESULT-hit_cnt-hit_cnt_tunnel, &n_hit_result, ctx->scan_mid);
+	if(scan_ret > 0)
 	if(scan_ret == MAAT_SCAN_HIT)
 	{
-		hit_cnt_tunnel+=n_hit_result;
+		hit_cnt_tunnel += scan_ret;
 	}
 	scan_ret = maat_scan_not_logic(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], ctx->result+hit_cnt+hit_cnt_tunnel,
 								   MAX_SCAN_RESULT-hit_cnt-hit_cnt_tunnel, &n_hit_result, ctx->scan_mid);
 	if (scan_ret == MAAT_SCAN_HIT)
 	{
 		hit_cnt_tunnel+=n_hit_result;
 	}
 	if(scan_ret >= MAAT_SCAN_OK)
 	{
 		n_read=maat_state_get_hit_paths(ctx->scan_mid, ctx->hit_path, HIT_PATH_SIZE);
@@ -1720,30 +1722,19 @@ static int app_id_scan(struct request_query_obj *request, struct policy_scan_ctx
 	int n_read=0;
 	int scan_ret=0, hit_cnt_app_id=0;
 	struct app_id_dict *app_dict=NULL;
 	size_t n_hit_result=0;
 	struct maat_hit_group hit_group;
-	long long app_id = request->numeric;
+	app_dict = (struct app_id_dict*)maat_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[PROFILE_APP_DI_DICT], (const char *)&(request->numeric), sizeof(long long));
 	int table_id = request->table_id;
 	app_dict = (struct app_id_dict*)maat_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[PROFILE_APP_DI_DICT], (const char *)&app_id, sizeof(long long));
 	if(app_dict==NULL)
 	{
 		return 0;
 	}
 	memset(&hit_group, 0, sizeof(hit_group));
 	hit_group.group_id=app_dict->group_id;
-    scan_ret = maat_scan_group(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], &hit_group, 1,
+	scan_ret = group_scan(ctx, vsys_id, hit_cnt, hit_group, request->table_id);
-							   ctx->result+hit_cnt, MAX_SCAN_RESULT-hit_cnt, &n_hit_result, ctx->scan_mid);
+	if(scan_ret > 0)
 	if(scan_ret == MAAT_SCAN_HIT)
 	{
-		hit_cnt_app_id+=n_hit_result;
+		hit_cnt_app_id += scan_ret;
 	}
 	scan_ret = maat_scan_not_logic(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], ctx->result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
 									&n_hit_result, ctx->scan_mid);
 	if (scan_ret == MAAT_SCAN_HIT)
 	{
 		hit_cnt_app_id+=n_hit_result;
 	}
 	app_id_dict_free(app_dict);
 	n_read=maat_state_get_hit_paths(ctx->scan_mid, ctx->hit_path, HIT_PATH_SIZE);
@@ -1780,7 +1771,7 @@ static int flag_scan(struct request_query_obj *request, struct policy_scan_ctx *
 	return hit_cnt_flag;
 }
-static int http_hdr_scan(struct request_query_obj *request, struct policy_scan_ctx *ctx, int vsys_id, int hit_cnt, int hdr_num)
+static int http_hdr_scan(struct request_query_obj *request, struct policy_scan_ctx *ctx, int vsys_id, int hit_cnt)
 {
 	int n_read=0;
 	int scan_ret=0, hit_cnt_hdr=0;
@@ -1802,16 +1793,13 @@ static int http_hdr_scan(struct request_query_obj *request, struct policy_scan_c
 	{
 		hit_cnt_hdr += n_hit_result;
 	}
 	if(hdr_num == 0)
 	{
 	scan_ret = maat_scan_not_logic(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], ctx->result + hit_cnt, MAX_SCAN_RESULT - hit_cnt,
                      				&n_hit_result, ctx->scan_mid);
 	if (scan_ret == MAAT_SCAN_HIT)
 	{
 		hit_cnt_hdr += n_hit_result;
 	}
-	}
+
 	n_read=maat_state_get_hit_paths(ctx->scan_mid, ctx->hit_path, HIT_PATH_SIZE);
 	request->merge_nth_scan[0] = maat_state_get_scan_count(ctx->scan_mid);
 	ctx->n_read=n_read;
@@ -1820,6 +1808,7 @@ static int http_hdr_scan(struct request_query_obj *request, struct policy_scan_c
 enum ip_protocol_type
 {
 	PROCOCOL_ANY=-1,
 	PROTOCOL_ICMP=1,
 	PROCOCOL_TCP=6,
 	PROCOCOL_UDP=17,
@@ -1829,6 +1818,9 @@ static int get_group_id_by_protocol(int protocol)
 	int group_id = 0;
 	switch(protocol)
 	{
 		case PROCOCOL_ANY:
 			group_id = PROTOCOL_ANY_GROUP_ID;
 			break;
 		case PROTOCOL_ICMP:
 			group_id = PROTOCOL_ICMP_GROUP_ID;
 			break;
@@ -1839,27 +1831,53 @@ static int get_group_id_by_protocol(int protocol)
 			group_id = PROTOCOL_UDP_GROUP_ID;
 			break;
 		default:
-			group_id = PROTOCOL_ANY_GROUP_ID;
+			group_id = 0;
 			break;
 	}
 	return group_id;
 }
 static int protocol_scan(struct request_query_obj *request, struct policy_scan_ctx *ctx, int vsys_id, int hit_cnt, int virtual_method)
 {
 	int n_read=0;
 	int scan_ret=0, hit_cnt_protocol=0;
 	struct maat_hit_group hit_group;
 	memset(&hit_group, 0, sizeof(hit_group));
 	hit_group.group_id=get_group_id_by_protocol(request->numeric);
 	if(hit_group.group_id != 0 && ctx->ip_protocol_num == 0)
 	{
 		scan_ret = group_scan(ctx, vsys_id, hit_cnt, hit_group, TSG_OBJ_IP_PROTOCOL);
 		if(scan_ret > 0)
 		{
 			hit_cnt_protocol+=scan_ret; 
 		}
 		n_read=maat_state_get_hit_paths(ctx->scan_mid, ctx->hit_path, HIT_PATH_SIZE);
 		if(virtual_method)
 		{
 			request->merge_nth_scan[0] = maat_state_get_scan_count(ctx->scan_mid);
 			ctx->n_read=n_read;
 		}
 		else
 		{
 			ctx->ip_ctx.Nth_scan[2] = maat_state_get_scan_count(ctx->scan_mid);
 			ctx->ip_protocol_num++;
 		}
 	}
 	return hit_cnt_protocol;
 }
 static int ip_addr_scan(struct request_query_obj *request, struct policy_scan_ctx *ctx, int vsys_id, int hit_cnt)
 {
 	int n_read=0;
 	int scan_ret=0, hit_cnt_ip=0;
 	size_t n_hit_result=0;
 	struct maat_hit_group hit_group;
 	int table_id = request->table_id;
-	memset(&hit_group, 0, sizeof(hit_group));
+	scan_ret = protocol_scan(request, ctx, vsys_id, hit_cnt, 0);
-	hit_group.group_id=get_group_id_by_protocol(request->numeric);
+	if(scan_ret > 0)
    scan_ret = maat_scan_group(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[TSG_OBJ_IP_PROTOCOL], &hit_group, 1,
 							   ctx->result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, ctx->scan_mid);
 	if(scan_ret == MAAT_SCAN_HIT)
 	{
-		hit_cnt_ip+=n_hit_result;
+		hit_cnt_ip+=scan_ret; 
 	}
 	if (request->ip_addr->addrtype == ADDR_TYPE_IPV4)
@@ -1947,21 +1965,14 @@ static int ssl_extension_scan(struct request_query_obj *request, struct policy_s
 {
 	int n_read=0;
 	int scan_ret=0, hit_cnt_ssl=0;
 	size_t n_hit_result=0;
 	struct maat_hit_group hit_group;
 	int table_id = request->table_id;
 	memset(&hit_group, 0, sizeof(hit_group));
 	hit_group.group_id=(request->numeric == 1 ? BOOLEAN_TRUE_GROUP_ID : BOOLEAN_FLASE_GROUP_ID);
-    scan_ret = maat_scan_group(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], &hit_group, 1, ctx->result+hit_cnt, MAX_SCAN_RESULT-hit_cnt, &n_hit_result, ctx->scan_mid);
+	scan_ret =group_scan(ctx, vsys_id, hit_cnt, hit_group, request->table_id);
-	if(scan_ret == MAAT_SCAN_HIT)
+	if(scan_ret > 0)
 	{
-		hit_cnt_ssl+=n_hit_result;
+		hit_cnt_ssl += scan_ret;
 	}
 	scan_ret = maat_scan_not_logic(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], ctx->result+hit_cnt, MAX_SCAN_RESULT-hit_cnt, &n_hit_result, ctx->scan_mid);
 	if (scan_ret == MAAT_SCAN_HIT)
 	{
 		hit_cnt_ssl+=n_hit_result;
 	}
 	n_read=maat_state_get_hit_paths(ctx->scan_mid, ctx->hit_path, HIT_PATH_SIZE);
 	request->merge_nth_scan[0] = maat_state_get_scan_count(ctx->scan_mid);
@@ -1974,17 +1985,13 @@ static int port_scan(struct request_query_obj *request, struct policy_scan_ctx *
 	int n_read=0;
 	int scan_ret=0, hit_cnt_port=0;
 	size_t n_hit_result=0;
 	struct maat_hit_group hit_group;
 	int table_id = request->table_id;
 	int port = atoi(request->string);
-	memset(&hit_group, 0, sizeof(hit_group));
+	scan_ret = protocol_scan(request, ctx, vsys_id, hit_cnt, 0);
-	hit_group.group_id=get_group_id_by_protocol(request->numeric);
+	if(scan_ret > 0)
    scan_ret = maat_scan_group(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[TSG_OBJ_IP_PROTOCOL], &hit_group, 1,
 							   ctx->result+hit_cnt+hit_cnt_port, MAX_SCAN_RESULT-hit_cnt-hit_cnt_port, &n_hit_result, ctx->scan_mid);
 	if(scan_ret == MAAT_SCAN_HIT)
 	{
-		hit_cnt_port+=n_hit_result;
+		hit_cnt_port+=scan_ret; 
 	}
 	scan_ret=maat_scan_integer(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], port, ctx->result+hit_cnt+hit_cnt_port,
@@ -2005,30 +2012,6 @@ static int port_scan(struct request_query_obj *request, struct policy_scan_ctx *
 	return hit_cnt_port;
 }
 static int protocol_scan(struct request_query_obj *request, struct policy_scan_ctx *ctx, int vsys_id, int hit_cnt)
 {
 	size_t n_hit_result=0;
 	int scan_ret=0, hit_cnt_protocol=0;
 	struct maat_hit_group hit_group;
 	memset(&hit_group, 0, sizeof(hit_group));
 	hit_group.group_id=get_group_id_by_protocol(request->numeric);
    scan_ret = maat_scan_group(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[TSG_OBJ_IP_PROTOCOL], &hit_group, 1,
 							   ctx->result+hit_cnt+hit_cnt_protocol, MAX_SCAN_RESULT-hit_cnt-hit_cnt_protocol, &n_hit_result, ctx->scan_mid);
 	if(scan_ret == MAAT_SCAN_HIT)
 	{
 		hit_cnt_protocol+=n_hit_result;
 	}
 	scan_ret = maat_scan_not_logic(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[TSG_OBJ_IP_PROTOCOL], ctx->result+hit_cnt+hit_cnt_protocol,
 								   MAX_SCAN_RESULT-hit_cnt-hit_cnt_protocol, &n_hit_result, ctx->scan_mid);
 	if (scan_ret == MAAT_SCAN_HIT)
 	{
 		hit_cnt_protocol+=n_hit_result;
 	}
 	return hit_cnt_protocol;
 }
 size_t policy_verify_scan(int vsys_id, int compile_table_id, struct request_query_obj *request, void *pme)
 {
 	size_t n_hit_result=0;
@@ -2070,7 +2053,7 @@ size_t policy_verify_scan(int vsys_id, int compile_table_id, struct request_quer
 			}
 			goto decide;
 		case TSG_OBJ_IP_PROTOCOL:
-			scan_ret = protocol_scan(request, ctx, vsys_id, hit_cnt);
+			scan_ret = protocol_scan(request, ctx, vsys_id, hit_cnt, 1);
 			if(scan_ret > 0)
 			{
 				hit_cnt+=scan_ret;
@@ -2118,16 +2101,8 @@ size_t policy_verify_scan(int vsys_id, int compile_table_id, struct request_quer
 			}
 			goto decide;
 		case TSG_OBJ_HTTP_REQ_HDR:
 			ctx->req_hdr_num--;
 			scan_ret = http_hdr_scan(request, ctx, vsys_id, hit_cnt, ctx->req_hdr_num);
 			if(scan_ret > 0)
 			{
 				hit_cnt+=scan_ret;
 			}
 			goto decide;
 		case TSG_OBJ_HTTP_RES_HDR:
-			ctx->res_hdr_num--;
+			scan_ret = http_hdr_scan(request, ctx, vsys_id, hit_cnt);
 			scan_ret = http_hdr_scan(request, ctx, vsys_id, hit_cnt, ctx->res_hdr_num);
 			if(scan_ret > 0)
 			{
 				hit_cnt+=scan_ret;
--- a/platform/src/verify_policy.cpp
+++ b/platform/src/verify_policy.cpp
@@ -459,14 +459,6 @@ static void get_count_form_attributeName(void *ctx, cJSON *subchild)
 		{
 			verify_policy_tunnle_add(ctx);
 		}
 		if(0 == strcasecmp(item->valuestring, "req_hdr"))
 		{
 			http_req_hdr_num(ctx);
 		}
 		if(0 == strcasecmp(item->valuestring, "res_hdr"))
 		{
 			http_res_hdr_num(ctx);
 		}
 	}
 	return;
 }