diff --git a/CMakeLists.txt b/CMakeLists.txt index 4005d50..dc84d5c 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -1,7 +1,8 @@ -#cmake_minimum_required(VERSION 3.5) +cmake_minimum_required(VERSION 3.5) project(verify-policy) set(CMAKE_MODULE_PATH ${PROJECT_SOURCE_DIR}/cmake) +set(CMAKE_SCRIPT_PATH ${PROJECT_SOURCE_DIR}/script) include(Version) include(Package) @@ -14,7 +15,7 @@ if(NOT CMAKE_BUILD_TYPE) endif() if (CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT) - set (CMAKE_INSTALL_PREFIX "/home/mesasoft/tfe" CACHE PATH "default install path" FORCE ) + set (CMAKE_INSTALL_PREFIX "/home/tsg/verify-policy" CACHE PATH "default install path" FORCE ) endif() # Global compile options @@ -44,6 +45,7 @@ endif() add_custom_target("install-program" COMMAND ${CMAKE_COMMAND} ARGS -DCOMPONENT=Program -P cmake_install.cmake) add_custom_target("install-profile" COMMAND ${CMAKE_COMMAND} ARGS -DCOMPONENT=Profile -P cmake_install.cmake) +add_custom_target("tarball" COMMAND sh ${CMAKE_SCRIPT_PATH}/tarball.sh ${TARGET_VERSION} ${TARGET_DESCRIBE}) enable_testing() #add_subdirectory(conf) diff --git a/cmake/Package.cmake b/cmake/Package.cmake index d1e8880..bc2bb09 100644 --- a/cmake/Package.cmake +++ b/cmake/Package.cmake @@ -9,8 +9,9 @@ message(STATUS "Package: ${CPACK_PACKAGE_NAME}") set(CPACK_PACKAGE_VENDOR "MESASOFT") set(CPACK_PACKAGE_VERSION_MAJOR "${VERIFY_POLIC_VERSION_MAJOR}") set(CPACK_PACKAGE_VERSION_MINOR "${VERIFY_POLIC_VERSION_MINOR}") -set(CPACK_PACKAGE_VERSION_PATCH "${VERIFY_POLIC_VERSION_PATCH}.${VERIFY_POLIC_DESCRIBE}") +set(CPACK_PACKAGE_VERSION_PATCH "${VERIFY_POLIC_VERSION_PATCH}.${TARGET_DESCRIBE}") set(CPACK_PACKAGING_INSTALL_PREFIX ${CMAKE_INSTALL_PREFIX}) +message(STATUS "VERSION: ${VERIFY_POLIC_VERSION_MAJOR}") # RPM Build set(CPACK_GENERATOR "RPM") 
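Review bot: The new `tarball` target passes `${CMAKE_SCRIPT_PATH}`, `${TARGET_VERSION}` and `${TARGET_DESCRIBE}` unquoted and without `VERBATIM`, so an empty hash (the `VCS_SHORT_HASH` fallback is not visible here) or a path containing spaces shifts or splits the script's positional arguments. Suggest `add_custom_target(tarball COMMAND sh "${CMAKE_SCRIPT_PATH}/tarball.sh" "${TARGET_VERSION}" "${TARGET_DESCRIBE}" VERBATIM)`. `CMAKE_SCRIPT_PATH` is not a CMake-defined variable; a project prefix such as `VERIFY_POLICY_SCRIPT_DIR` would keep it from being mistaken for one.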
@@ -19,10 +20,20 @@ set(CPACK_RPM_FILE_NAME "RPM-DEFAULT") set(CPACK_RPM_PACKAGE_AUTOREQPROV "no") set(CPACK_RPM_PACKAGE_RELEASE_DIST on) set(CPACK_RPM_DEBUGINFO_PACKAGE on) +set(CPACK_RPM_PRE_INSTALL_SCRIPT_FILE ${CMAKE_SOURCE_DIR}/cmake/PreInstall.in) #set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE ${CMAKE_SOURCE_DIR}/cmake/PostInstall.in) #set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE ${CMAKE_SOURCE_DIR}/cmake/PostUninstall.in) #set(CPACK_RPM_PRE_UNINSTALL_SCRIPT_FILE ${CMAKE_SOURCE_DIR}/cmake/PreUninstall.in) +set(CMAKE_INSTALL_PREFIX "/home/tsg/verify-policy") +set(CPACK_RPM_BUILD_SOURCE_DIRS_PREFIX /home/tsg) + +install(PROGRAMS build/platform/verify-policy DESTINATION ./bin) +install(DIRECTORY ./conf DESTINATION ./) +install(DIRECTORY ./resource DESTINATION ./) + +install(FILES script/verify-policy.service DESTINATION /usr/lib/systemd/system/) + # Must uninstall the debug package before install release package if(CMAKE_BUILD_TYPE STREQUAL "Debug") set(CPACK_RPM_PACKAGE_CONFLICTS "verify-policy") @@ -31,7 +42,7 @@ else() endif() # setup %config(noreplace) -set(CPACK_RPM_USER_FILELIST "%config(noreplace) ${CMAKE_INSTALL_PREFIX}/conf/pangu/pangu_pxy.conf" - "%config(noreplace) ${CMAKE_INSTALL_PREFIX}/conf/tfe/decrypt_mirror.conf" - "%config(noreplace) ${CMAKE_INSTALL_PREFIX}/conf/tfe/tfe.conf") +set(CPACK_RPM_USER_FILELIST "%config(noreplace) ${CMAKE_INSTALL_PREFIX}/conf/verify_policy.conf" + "%config(noreplace) ${CMAKE_INSTALL_PREFIX}/resource/table_info.conf" + "%config(noreplace) ${CMAKE_INSTALL_PREFIX}/resource/dynamic_maat_table_info.conf") include(CPack) diff --git a/cmake/PostInstall.in b/cmake/PostInstall.in deleted file mode 100644 index d52334e..0000000 --- a/cmake/PostInstall.in +++ /dev/null @@ -1,2 +0,0 @@ -%systemd_post mrenv.service mrzcpd.service mrtunnat.service -/sbin/ldconfig \ No newline at end of file diff --git a/cmake/PostUninstall.in b/cmake/PostUninstall.in deleted file mode 100644 index d24e6f5..0000000 --- a/cmake/PostUninstall.in +++ /dev/null 
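Review bot: `install(PROGRAMS build/platform/verify-policy DESTINATION ./bin)` installs a file from a hard-coded build directory relative to the source tree rather than the built target, so any other build directory name or an out-of-tree build packages a stale or missing binary; `install(TARGETS verify-policy RUNTIME DESTINATION bin)` follows the real artifact. The unconditional `set(CMAKE_INSTALL_PREFIX "/home/tsg/verify-policy")` also shadows the cache entry that CMakeLists.txt only defaults when `CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT`, so a user-supplied prefix is silently ignored for packaging. Since this commit deletes the `%systemd_post`/`%systemd_preun` scriptlets and the new `PreInstall.in` is empty, the unit dropped into `/usr/lib/systemd/system/` is never reloaded or enabled on install or upgrade; if that is intended, a comment saying so next to `CPACK_RPM_PRE_INSTALL_SCRIPT_FILE` would help.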
@@ -1,2 +0,0 @@ -%systemd_postun_with_restart mrenv.service mrzcpd.service mrtunnat.service -/sbin/ldconfig \ No newline at end of file diff --git a/cmake/PreInstall.in b/cmake/PreInstall.in new file mode 100644 index 0000000..e69de29 diff --git a/cmake/PreUninstall.in b/cmake/PreUninstall.in deleted file mode 100644 index 4dbf922..0000000 --- a/cmake/PreUninstall.in +++ /dev/null @@ -1 +0,0 @@ -%systemd_preun mrenv.service mrzcpd.service mrtunnat.service \ No newline at end of file diff --git a/cmake/Version.cmake b/cmake/Version.cmake index 0456017..f54c5fb 100644 --- a/cmake/Version.cmake +++ b/cmake/Version.cmake @@ -31,8 +31,14 @@ if(NOT VERIFY_POLIC_VERSION_PATCH) set(VERIFY_POLIC_VERSION_PATCH 0) endif() -set(VERIFY_POLIC_VERSION "${VERIFY_POLIC_VERSION_MAJOR}.${VERIFY_POLIC_VERSION_MINOR}.${VERIFY_POLIC_VERSION_PATCH}") +set(TARGET_DESCRIBE "${VCS_SHORT_HASH}") +set(TARGET_VERSION "${VERIFY_POLICY_VERSION_MAJOR}.${VERIFY_POLIC_VERSION_MINOR}.${VERIFY_POLIC_VERSION_PATCH}-${TARGET_DESCRIBE}") +set(TARGET_GIT_VERSION "${VERIFY_POLICY_VERSION_MAJOR}.${VERIFY_POLIC_VERSION_MINOR}.${VERIFY_POLIC_VERSION_PATCH}-${TARGET_DESCRIBE}") + +# Replace .- with _ +string(REGEX REPLACE "[\\.\\-]" "_" TARGET_VAR_VERSION "${TARGET_GIT_VERSION}") # print information -message(STATUS "Welcome to Verify Policy Engine, Version: ${VERIFY_POLIC_VERSION}") -add_definitions(-DVERIFY_POLIC_VERSION=${VERIFY_POLIC_VERSION}) +message(STATUS "Welcome to Verify Policy Engine, Version: ${TARGET_VERSION}") +add_definitions(-DTARGET_GIT_VERSION=\"${TARGET_GIT_VERSION}\") +add_definitions(-DTARGET_VAR_VERSION=${TARGET_VAR_VERSION}) \ No newline at end of file diff --git a/common/CMakeLists.txt b/common/CMakeLists.txt index eadaa1a..0c58ff8 100644 --- a/common/CMakeLists.txt +++ b/common/CMakeLists.txt 
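Review bot: The two new `TARGET_VERSION`/`TARGET_GIT_VERSION` lines read `${VERIFY_POLICY_VERSION_MAJOR}`, while the rest of this file and Package.cmake use `VERIFY_POLIC_VERSION_MAJOR` (see the `VERIFY_POLIC_VERSION_PATCH` context just above), so the major component expands to empty and the version reported by `version()` and the `-v` banner starts with a bare dot. Unless a `VERIFY_POLICY_VERSION_MAJOR` variable is defined earlier in this file outside the hunk, the fix is `set(TARGET_VERSION "${VERIFY_POLIC_VERSION_MAJOR}.${VERIFY_POLIC_VERSION_MINOR}.${VERIFY_POLIC_VERSION_PATCH}-${TARGET_DESCRIBE}")` and the same on the next line, which is currently an identical duplicate. The `add_definitions(-DTARGET_GIT_VERSION=\"...\")` pair applies to every target configured after the include and relies on shell-level escaping of the quotes; generating a small header with `configure_file(... @ONLY)` or using `target_compile_definitions` on `verify-policy` would be safer.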
@@ -1,4 +1,4 @@ add_library(common src/verify_policy_logging.cpp) target_include_directories(common PUBLIC ${CMAKE_CURRENT_LIST_DIR}/include) -target_link_libraries(common PUBLIC MESA_handle_logger) +target_link_libraries(common PUBLIC MESA_handle_logger libevent-static) diff --git a/common/include/verify_policy.h b/common/include/verify_policy.h index 5a96090..07aa087 100644 --- a/common/include/verify_policy.h +++ b/common/include/verify_policy.h @@ -1,7 +1,7 @@ /************************************************************************* > File Name: verify_policy.h - > Author: - > Mail: + > Author: + > Mail: > Created Time: 2019年08月23日 星期五 18时06分03秒 ************************************************************************/ @@ -38,7 +38,7 @@ enum http_ev_bit_number enum tfe_http_event { EV_HTTP_IP = 1ULL << IP_BITNUM, - EV_HTTP_URL = 1ULL << URL_BITNUM, + EV_HTTP_URL = 1ULL << URL_BITNUM, EV_HTTP_FQDN = 1ULL << FQDN_BITNUM, EV_HTTP_REQ_HDR = 1ULL << REQ_HDR_BITNUM, EV_HTTP_RESP_HDR = 1ULL << RESP_HDR_BITNUM, @@ -49,21 +49,21 @@ enum tfe_http_event struct verify_proxy_thread { int id; - pthread_t pid; + pthread_t pid; evutil_socket_t accept_fd; - pthread_attr_t *attr; + pthread_attr_t *attr; struct evhttp *http; struct event_base *base; - void * (*routine)(void *); + void * (*routine)(void *); }; struct verify_proxy -{ - char name[VERIFY_SYMBOL_MAX]; +{ + char name[VERIFY_SYMBOL_MAX]; void * logger; unsigned int log_level; unsigned int nr_work_threads; - unsigned int listen_port; + unsigned int listen_port; struct verify_proxy_thread *work_threads[TFE_THREAD_MAX]; }; diff --git a/common/src/verify_policy_logging.cpp b/common/src/verify_policy_logging.cpp index 44fce95..44d1495 100644 --- a/common/src/verify_policy_logging.cpp +++ b/common/src/verify_policy_logging.cpp 
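Review bot: `libevent-static` on the `target_link_libraries` line is a bare library name rather than an imported target, so no include directories or transitive dependencies come with it and a typo would only surface as a linker error. If the libevent CMake package is available, `find_package(Libevent REQUIRED)` with `libevent::core` and `libevent::extra` (evhttp lives in extra) carries the usage requirements; otherwise wrap the archive in an `UNKNOWN IMPORTED` target with `IMPORTED_LOCATION`. `MESA_handle_logger` has the same shape but predates this change.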
@@ -47,6 +47,10 @@ void * verify_syslog_init(const char *config) }else{ mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "Log module initialization"); } + + mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "%s:%d", "Log level", logging_sc_lid.run_log_level); + mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "%s:%s", "Log Directory", logging_sc_lid.run_log_path); + return logging_sc_lid.run_log_handle; finish: return NULL; diff --git a/conf/verify-policy.conf b/conf/verify-policy.conf deleted file mode 100644 index bec95e4..0000000 --- a/conf/verify-policy.conf +++ /dev/null 
@@ -1,54 +0,0 @@ -[SYSTEM] -#1:print on screen, 0:don't -DEBUG_SWITCH = 1 -#10:DEBUG, 20:INFO, 30:FATAL -RUN_LOG_LEVEL = 10 -RUN_LOG_PATH = ./logs -[CONFIG] -#Number of running threads -thread-nu = 4 - -[maat] -# 0:json 1: redis 2: iris -maat_input_mode=0 -table_info=resource/pangu/table_info.conf -json_cfg_file=resource/pangu/pangu_http.json -stat_file=log/pangu_scan.status -full_cfg_dir=pangu_policy/ -inc_cfg_dir=pangu_policy/ - -maat_redis_server=192.168.10.31 -maat_redis_port=6379 -maat_redis_db_index=0 -effect_interval_s=1 -accept_tags={"tags":[{"tag":"location","value":"Astana"}]} - -[NTC_MAAT] -#Configure the load mode, -#0: using the configuration distribution network -#1: using local json -#2: using Redis reads -maat_json_switch=2 -#When the loading mode is sent to the network, set the scanning configuration modification interval (s). -effective_interval=1 -#Specify the location of the configuration library table file -table_info=./conf/table_info.conf -#Incremental profile path -inc_cfg_dir=./rule/inc/index -#Full profile path -full_cfg_dir=./rule/full/index -#Json file path when json schema is used -pxy_obj_keyring=./conf/pxy_obj_keyring.json -[LIBEVENT] -#Local monitor port number, default is 9991 -port = 9991 -[CERTSTORE_REDIS] -#The Redis server IP address and port number where the certificate is stored locally -ip = 127.0.0.1 -port = 6379 -[MAAT_REDIS] -#Maat monitors the Redsi server IP address and port number -ip = 192.168.11.243 -port = 6379 -dbindex = 4 - diff --git a/conf/verify_policy.conf b/conf/verify_policy.conf new file mode 100644 index 0000000..4e7d913 --- /dev/null +++ b/conf/verify_policy.conf 
@@ -0,0 +1,37 @@ +[SYSTEM] +#1:print on screen, 0:don't +DEBUG_SWITCH = 1 +#10:DEBUG, 20:INFO, 30:FATAL +RUN_LOG_LEVEL = 10 +RUN_LOG_PATH = ./logs +[CONFIG] +#Number of running threads +thread-nu = 4 + +[maat] +# 0:json 1: redis 2: iris +maat_input_mode=1 +table_info=./resource/table_info.conf +json_cfg_file=./resource/pangu_http.json +stat_file=logs/verify-policy.status +full_cfg_dir=verify-policy/ +inc_cfg_dir=verify-policy/ + +maat_redis_server=192.168.40.120 +maat_redis_port_range=7002 +maat_redis_db_index=0 +effect_interval_s=1 +accept_tags={"tags":[{"tag":"location","value":"Astana"}]} + +[dynamic_maat] +maat_input_mode=1 +table_info=./resource/dynamic_maat_table_info.conf +maat_redis_server=192.168.40.120 +maat_redis_port_range=7002 +maat_redis_db_index=1 +effect_interval_s=1 + +[LISTEN] +#Local monitor port number, default is 9991 +port = 9994 + diff --git a/platform/CMakeLists.txt b/platform/CMakeLists.txt index e965f06..6475f93 100644 --- a/platform/CMakeLists.txt +++ b/platform/CMakeLists.txt @@ -1,3 +1,7 @@ +if(COMMAND cmake_policy) + cmake_policy(SET CMP0003 NEW) +endif(COMMAND cmake_policy) + add_executable(verify-policy src/verify_policy.cpp) #target_include_directories(verify-policy PUBLIC ${CMAKE_CURRENT_LIST_DIR}/include) diff --git a/platform/src/verify_policy.cpp b/platform/src/verify_policy.cpp index c18bef4..b755bd5 100644 --- a/platform/src/verify_policy.cpp +++ b/platform/src/verify_policy.cpp @@ -1,7 +1,7 @@ /************************************************************************* > File Name: verify-policy.cpp - > Author: - > Mail: + > Author: + > Mail: > Created Time: 2019年08月23日 星期五 14时41分17秒 ************************************************************************/ @@ -35,7 +35,7 @@ struct verify_policy_query { enum scan_table object_type; int addr_type; - + char *clientIp1; unsigned int clientPort1; char *serverIp1; 
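Review bot: The packaged default config ships with `DEBUG_SWITCH = 1` and `RUN_LOG_LEVEL = 10`, which by the file's own legend means screen output plus DEBUG-level logging in production, and `get_query_from_request` logs each parsed query at that level; `RUN_LOG_LEVEL = 20` and `DEBUG_SWITCH = 0` are the safer defaults given the file is `%config(noreplace)` and will persist across upgrades. The section is spelled `[dynamic_maat]` while `pangu_policy_init` passes `"DYNAMIC_MAAT"` to `create_maat_feather`, which appears to be the profile section name (scan/src/pangu_http.cpp below); whether `MESA_load_profile_*` matches section names case-insensitively is not visible here, so please confirm. The Redis endpoint `192.168.40.120:7002` is hard-coded, so any other installation talks to that host until the file is edited.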
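Review bot: The added `cmake_policy(SET CMP0003 NEW)` block is dead code: CMakeLists.txt now calls `cmake_minimum_required(VERSION 3.5)`, which already sets CMP0003 to NEW, and `if(COMMAND cmake_policy)` has been unconditionally true since CMake 2.6. Drop the four lines, or if a specific warning is being silenced, say which one in a comment. If it stays, bare `endif()` without the repeated condition is the current idiom.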
@@ -44,17 +44,15 @@ struct verify_policy_query struct keyword_obj keywords[16]; }; -#if 0 -#ifdef VERIFY_POLIC_VERSION -char *git_version = VERIFY_POLIC_VERSION; +/* VERSION STRING */ +#ifdef TARGET_GIT_VERSION +static __attribute__((__used__)) const char * git_ver = TARGET_GIT_VERSION; #else -char *default_version = "1.1.1"; +static __attribute__((__used__)) const char * git_ver = "1.1"; #endif -#endif -const char *default_version = "1.1.1"; const char * version() { - return default_version; + return git_ver; } extern int pangu_policy_init(struct verify_proxy * verify, const char* profile_path); @@ -62,7 +60,7 @@ extern int pangu_policy_init(struct verify_proxy * verify, const char* profile_p static int verify_policy_init(struct verify_proxy * verify, const char *profile) { int xret = -1; - + xret = MESA_load_profile_uint_nodef(profile, "CONFIG", "thread-nu", &(verify->nr_work_threads)); if (xret < 0){ mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Reading the number of running threads failed"); @@ -71,7 +69,8 @@ static int verify_policy_init(struct verify_proxy * verify, const char *profile) if (xret < 0){ mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Listen Port invalid"); } - mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "Listen Port %d", verify->listen_port); + mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "%s:%d", "The Threads", verify->nr_work_threads); + mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "%s:%d", "Libevent Port", verify->listen_port); return xret; } @@ -86,7 +85,7 @@ enum scan_table verify_type_str2idx(const char *action_str) table_name[PXY_CTRL_HTTP_RES_HDR] = "res_hdr"; table_name[PXY_CTRL_HTTP_RES_BODY] = "keywords"; table_name[PXY_CTRL_SUBSCRIBE_ID] = "subscribeid"; - + size_t i = 0; for (i = 0; i < sizeof(table_name) / sizeof(const char *); i++) 
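Review bot: Both new log lines use `%d` for `verify->nr_work_threads` and `verify->listen_port`, which `struct verify_proxy` declares as `unsigned int` (common/include/verify_policy.h above); `%u` matches the type, e.g. `mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "%s:%u", "Libevent Port", verify->listen_port);`. The "Libevent Port" line is also reached when the preceding read failed and logged "Listen Port invalid", so an INFO line with an unset value follows a FATAL one; a `return xret;` inside that branch keeps the log coherent. verify_policy_init starts outside this hunk.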
@@ -107,9 +106,9 @@ struct verify_policy_query *get_query_from_request(const char *data) { mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "invalid policy parameter"); return NULL; - } + } struct verify_policy_query *query_ctx = ALLOC(struct verify_policy_query, 1); - + cJSON* item = NULL, *subitem = NULL; item = cJSON_GetObjectItem(data_json,"objectType"); if(item && item->type==cJSON_String) @@ -155,20 +154,20 @@ struct verify_policy_query *get_query_from_request(const char *data) { query_ctx->keywords[i].condition_scope =strdup(item->valuestring); query_ctx->keywords[i].condition_type = verify_type_str2idx(item->valuestring); - } + } item = cJSON_GetObjectItem(subitem, "keywords"); if(item && item->type==cJSON_String) { query_ctx->keywords[i].keyword =strdup(item->valuestring); } i++; - } + } } for (i = 0; i < c_num; i++) { - p += snprintf(p, sizeof(buff) - (p - buff), ", conditionScope:%s, keywords:%s", query_ctx->keywords[i].condition_scope, query_ctx->keywords[i].keyword); + p += snprintf(p, sizeof(buff) - (p - buff), ", conditionScope:%s, keywords:%s", query_ctx->keywords[i].condition_scope, query_ctx->keywords[i].keyword); } - *p = '\0'; + *p = '\0'; mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "%s", buff); return query_ctx; } @@ -184,7 +183,7 @@ char *verify_policy_scan(struct verify_policy_query *policy_query, int thread_id if (key_obj->condition_scope == NULL) key_obj->condition_type = policy_query->object_type; - + switch(key_obj->condition_type) { case PXY_CTRL_IP: 
@@ -198,19 +197,19 @@ char *verify_policy_scan(struct verify_policy_query *policy_query, int thread_id case PXY_CTRL_HTTP_FQDN: http_scan(key_obj->keyword, EV_HTTP_FQDN, NULL, 0, ctx); break; - case PXY_CTRL_HTTP_REQ_HDR: + case PXY_CTRL_HTTP_REQ_HDR: http_scan(key_obj->keyword, EV_HTTP_REQ_HDR, NULL, 0, ctx); break; case PXY_CTRL_HTTP_RES_HDR: http_scan(key_obj->keyword, EV_HTTP_RESP_HDR, NULL, 0, ctx); break; - case PXY_CTRL_HTTP_REQ_BODY: + case PXY_CTRL_HTTP_REQ_BODY: case PXY_CTRL_HTTP_RES_BODY: http_scan(key_obj->keyword, EV_HTTP_CONTENT, NULL, 0, ctx); break; default: break; - } + } } policy_payload = web_json_table_add(ctx); @@ -229,7 +228,7 @@ evhttp_socket_send(struct evhttp_request *req, char *sendbuf) goto err; } evhttp_add_header(evhttp_request_get_output_headers(req), - "Content-Type", "text/html"); + "Content-Type", "text/html"); evhttp_add_header(evhttp_request_get_output_headers(req), "Connection", "keep-alive"); evbuffer_add_printf(evb, "%s", sendbuf); evhttp_send_reply(req, HTTP_OK, "OK", evb); @@ -243,12 +242,12 @@ done: } void evhttp_request_cb(struct evhttp_request *evh_req, void *arg) -{ +{ char *policy_payload= NULL; struct evbuffer * evbuf_body = NULL; - char *input = NULL; ssize_t inputlen=0; + char *input = NULL; ssize_t inputlen=0; struct verify_policy_query *policy_query = NULL; - + struct verify_proxy_thread *thread_ctx = (struct verify_proxy_thread *)arg; if (evhttp_request_get_command(evh_req) != EVHTTP_REQ_POST) @@ -256,7 +255,7 @@ void evhttp_request_cb(struct evhttp_request *evh_req, void *arg) mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "FAILED (post type)"); goto error; } - evbuf_body = evhttp_request_get_input_buffer(evh_req); + evbuf_body = evhttp_request_get_input_buffer(evh_req); if (!evbuf_body || 0==(inputlen = evbuffer_get_length(evbuf_body)) ||!(input = (char *)evbuffer_pullup(evbuf_body,inputlen))) { mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Failed to get post data information."); 
@@ -264,11 +263,11 @@ void evhttp_request_cb(struct evhttp_request *evh_req, void *arg) } policy_query = get_query_from_request(input); if (policy_query == NULL) - { + { mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Data parsing failed."); goto error; } - + policy_payload = verify_policy_scan(policy_query, thread_ctx->id); if (policy_payload) { @@ -277,7 +276,7 @@ void evhttp_request_cb(struct evhttp_request *evh_req, void *arg) free(policy_payload); } goto finish; - + error: evhttp_send_error(evh_req, HTTP_BADREQUEST, 0); finish: @@ -288,30 +287,30 @@ void * verify_policy_thread(void * arg) { struct evhttp_bound_socket *bound = NULL; struct verify_proxy_thread *thread_ctx = (struct verify_proxy_thread *)arg; - + thread_ctx->base = event_base_new(); - if (! thread_ctx->base) + if (! thread_ctx->base) { mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Can'thread_ctx allocate event base"); goto finish; } thread_ctx->http = evhttp_new(thread_ctx->base); - if (!thread_ctx->http) + if (!thread_ctx->http) { mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "couldn'thread_ctx create evhttp. Exiting."); goto error; } - + evhttp_set_cb(thread_ctx->http, "/v1/policy/verification", evhttp_request_cb, thread_ctx); - + bound = evhttp_accept_socket_with_handle(thread_ctx->http, thread_ctx->accept_fd); - if (bound != NULL) + if (bound != NULL) { mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "Bound(%p) to port %d - Awaiting connections ... ", bound, g_verify_proxy->listen_port); } mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "Work thread %u is run...", thread_ctx->id); - + event_base_dispatch(thread_ctx->base); error: event_base_free(thread_ctx->base); @@ -466,7 +465,7 @@ int main(int argc, char * argv[]) switch (opt) { case 'v': - fprintf(stderr, "Tango Frontend Engine, Version: %s\n", version()); + fprintf(stderr, "Welcome to Verify Policy Engine, Version: %s\n", version()); return 0; default: break; 
@@ -481,12 +480,12 @@ int main(int argc, char * argv[]) ret = verify_policy_init(g_verify_proxy, main_profile); CHECK_OR_EXIT(ret == 0, "Failed at loading profile %s, Exit.", main_profile); - + ret = pangu_policy_init(g_verify_proxy, main_profile); CHECK_OR_EXIT(ret == 0, "Failed at init panggu module, Exit."); ret = pangu_policy_work_thread_run(g_verify_proxy); - + return ret; } diff --git a/resource/dynamic_maat_table_info.conf b/resource/dynamic_maat_table_info.conf new file mode 100644 index 0000000..e83c303 --- /dev/null +++ b/resource/dynamic_maat_table_info.conf @@ -0,0 +1,19 @@ +#each collumn seperate with '\t' +#id (0~65535) +#name string +#type one of ip,expr,expr_plus,digest,intval,compile or plugin +#src_charset one of GBK,BIG5,UNICODE,UTF8 +#dst_charset combined by GBK,BIG5,UNICODE,UTF8,seperate with '/' +#do_merege [yes/no] +#cross cache [number] +#quick mode [quickon/quickoff], default [quickoff] +#For ip/intval/digest/compile/group +#id name type +# +#For plugin table +#id name type json_descr +# +#For expr/expr_plus Table +#id name type src_charset dst_charset do_merge cross_cache quick_mode + +1 TSG_DYN_SUBSCRIBER_IP plugin {"key":3,"valid":5} diff --git a/resource/table_info.conf b/resource/table_info.conf new file mode 100644 index 0000000..04e70e8 --- /dev/null +++ b/resource/table_info.conf 
@@ -0,0 +1,49 @@ +#each collumn seperate with '\t' +#id (0~65535) +#name string +#type one of ip,expr,expr_plus,digest,intval,compile or plugin +#src_charset one of GBK,BIG5,UNICODE,UTF8 +#dst_charset combined by GBK,BIG5,UNICODE,UTF8,seperate with '/' +#do_merege [yes/no] +#cross cache [number] +#quick mode [quickon/quickoff], default [quickoff] +#For ip/intval/digest/compile/group +#id name type +# +#For plugin table +#id name type json_descr +# +#For expr/expr_plus Table +#id name type src_charset dst_charset do_merge cross_cache quick_mode +0 PXY_CTRL_COMPILE compile escape -- +1 GROUP_COMPILE_RELATION group -- +2 TSG_OBJ_IP_ADDR ip_plus --- +3 TSG_OBJ_URL expr UTF8 GBK/UNICODE/UTF8/url_encode_gb2312/url_encode_utf8 yes 0 quickoff +4 TSG_FIELD_HTTP_URL virtual TSG_OBJ_URL -- +5 TSG_OBJ_FQDN expr UTF8 GBK/UNICODE/UTF8/url_encode_gb2312/url_encode_utf8 yes 0 quickoff +5 TSG_OBJ_FQDN_CAT expr UTF8 GBK/UNICODE/UTF8/url_encode_gb2312/url_encode_utf8 yes 0 quickoff +6 TSG_FIELD_HTTP_HOST virtual TSG_OBJ_FQDN -- +7 TSG_OBJ_HTTP_SIGNATURE expr_plus UTF8 UTF8 yes 0 quickoff +8 TSG_FIELD_HTTP_REQ_HDR virtual TSG_OBJ_HTTP_SIGNATURE -- +9 TSG_FIELD_HTTP_RES_HDR virtual TSG_OBJ_HTTP_SIGNATURE -- +10 TSG_OBJ_KEYWORDS expr UTF8 GBK/UNICODE/UTF8 yes 128 quickoff +11 TSG_FIELD_HTTP_REQ_CONTENT virtual TSG_OBJ_KEYWORDS -- +12 TSG_FIELD_HTTP_RES_CONTENT virtual TSG_OBJ_KEYWORDS -- +13 TSG_OBJ_SUBSCRIBER_ID expr UTF8 UTF8 yes 0 quickon +14 TSG_FIELD_SSL_SNI virtual TSG_OBJ_FQDN -- +15 TSG_FIELD_SSL_CN virtual TSG_OBJ_FQDN -- +16 TSG_FIELD_SSL_SAN virtual TSG_OBJ_FQDN -- +17 TSG_FIELD_DNS_QNAME virtual TSG_OBJ_FQDN -- +18 TSG_OBJ_ACCOUNT expr UTF8 UTF8 yes 0 +19 TSG_FIELD_MAIL_ACCOUNT virtual TSG_OBJ_ACCOUNT -- +20 TSG_FIELD_MAIL_FROM virtual TSG_OBJ_ACCOUNT -- +21 TSG_FIELD_MAIL_TO virtual TSG_OBJ_ACCOUNT -- +22 TSG_FIELD_MAIL_SUBJECT virtual TSG_OBJ_KEYWORDS -- +23 TSG_FIELD_MAIL_CONTENT virtual TSG_OBJ_KEYWORDS -- +24 TSG_FIELD_MAIL_ATT_NAME virtual TSG_OBJ_KEYWORDS -- +25 
TSG_FIELD_MAIL_ATT_CONTENT virtual TSG_OBJ_KEYWORDS -- +26 TSG_FIELD_FTP_URI virtual TSG_OBJ_URL -- +27 TSG_FIELD_FTP_CONTENT virtual TSG_OBJ_KEYWORDS -- +28 TSG_FIELD_FTP_ACCOUNT virtual TSG_OBJ_ACCOUNT -- + + diff --git a/scan/src/pangu_http.cpp b/scan/src/pangu_http.cpp index 1fa5b02..7978706 100644 --- a/scan/src/pangu_http.cpp +++ b/scan/src/pangu_http.cpp @@ -1,7 +1,7 @@ /************************************************************************* > File Name: pangu_http.cpp - > Author: - > Mail: + > Author: + > Mail: > Created Time: 2019年08月23日 星期五 16时53分25秒 ************************************************************************/ #include @@ -45,7 +45,7 @@ struct pangu_http_ctx stream_para_t sp; size_t hit_cnt; struct Maat_rule_t result[MAX_SCAN_RESULT]; - size_t n_enforce; + size_t n_enforce; struct Maat_rule_t * enforce_rules; int thread_id; }; 
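Review bot: Table id `5` is assigned twice, to `TSG_OBJ_FQDN` and `TSG_OBJ_FQDN_CAT`, while every other row has a unique id; how the loader resolves the clash (first wins, last wins, or rejection) is not visible here, and the `virtual` rows for `TSG_FIELD_HTTP_HOST`, the SSL SNI/CN/SAN fields and `TSG_FIELD_DNS_QNAME` all reference `TSG_OBJ_FQDN` by name, so please confirm which table they bind to or renumber `TSG_OBJ_FQDN_CAT`. Row `18 TSG_OBJ_ACCOUNT` omits the `quick_mode` column that the legend lists for `expr` tables; the legend says it defaults to `quickoff`, so an explicit value would make the intent clear.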
@@ -169,46 +169,46 @@ char *web_json_table_add(void *pme) cJSON *execute_obj=NULL, *obj_list=NULL, *category_obj=NULL; struct pangu_http_ctx * ctx = (struct pangu_http_ctx *) pme; - + policy_obj=cJSON_CreateObject(); - cJSON_AddNumberToObject(policy_obj, "code", 200); - cJSON_AddStringToObject(policy_obj, "msg", ""); + cJSON_AddNumberToObject(policy_obj, "code", 200); + cJSON_AddStringToObject(policy_obj, "msg", ""); cJSON_AddNumberToObject(policy_obj, "success", 1); - + data_obj = cJSON_CreateObject(); cJSON_AddItemToObject(policy_obj, "data", data_obj); - /*hitPolicyList **/ + /*hitPolicyList **/ hit_obj = cJSON_CreateObject(); cJSON_AddItemToObject(data_obj, "hitPolicyList", hit_obj); if (ctx->hit_cnt >= 1) { for (i = 0; i < ctx->hit_cnt; i++) { - cJSON_AddNumberToObject(hit_obj, "policyId", ctx->result[i].config_id); + cJSON_AddNumberToObject(hit_obj, "policyId", ctx->result[i].config_id); cJSON_AddStringToObject(hit_obj, "policyName", ""); - } + } } /*executePolicyList **/ execute_obj = cJSON_CreateObject(); cJSON_AddItemToObject(data_obj, "executePolicyList", execute_obj); - cJSON_AddNumberToObject(execute_obj, "policyId", ctx->enforce_rules[0].config_id); + cJSON_AddNumberToObject(execute_obj, "policyId", ctx->enforce_rules[0].config_id); cJSON_AddStringToObject(execute_obj, "policyName", ""); /*objectList**/ obj_list = cJSON_CreateObject(); cJSON_AddItemToObject(data_obj, "objectList", obj_list); - cJSON_AddNumberToObject(obj_list, "objectId", 12); + cJSON_AddNumberToObject(obj_list, "objectId", 12); cJSON_AddStringToObject(obj_list, "objectName", ""); - cJSON *itemList = cJSON_CreateObject(); + cJSON *itemList = cJSON_CreateObject(); cJSON_AddItemToObject(obj_list, "itemList", itemList); - cJSON_AddNumberToObject(itemList, "itemId", 12); + cJSON_AddNumberToObject(itemList, "itemId", 12); cJSON_AddStringToObject(itemList, "reqParam", ""); - + /*categoryList**/ category_obj = cJSON_CreateObject(); cJSON_AddItemToObject(data_obj, "categoryList", 
category_obj); - cJSON_AddNumberToObject(category_obj, "categoryId", 12); + cJSON_AddNumberToObject(category_obj, "categoryId", 12); cJSON_AddStringToObject(category_obj, "reqParam", ""); policy_payload = cJSON_PrintUnformatted(policy_obj); @@ -224,7 +224,7 @@ void http_scan(const char * value, enum tfe_http_event events, const char * field_val = NULL; int scan_ret = 0, table_id = 0; size_t hit_cnt = 0; - + struct pangu_http_ctx * ctx = (struct pangu_http_ctx *) pme; if (events & EV_HTTP_IP) @@ -278,7 +278,7 @@ void http_scan(const char * value, enum tfe_http_event events, if ((events & EV_HTTP_REQ_HDR) || (events & EV_HTTP_RESP_HDR)) { table_id = events & PXY_CTRL_HTTP_REQ_HDR ? g_pangu_rt->scan_table_id[PXY_CTRL_HTTP_REQ_HDR] : g_pangu_rt->scan_table_id[PXY_CTRL_HTTP_RES_HDR]; - + const char * str_field_name = NULL; scan_ret = Maat_set_scan_status(g_pangu_rt->maat, &(ctx->scan_mid), MAAT_SET_SCAN_DISTRICT, str_field_name, strlen(str_field_name)); @@ -314,7 +314,7 @@ void http_scan(const char * value, enum tfe_http_event events, } return ; } - + char * verify_policy_str_to_addr() { return NULL; @@ -342,7 +342,9 @@ static Maat_feather_t create_maat_feather(const char * instance_name, const char MESA_load_profile_string_def(profile, section, "json_cfg_file", json_cfg_file, sizeof(json_cfg_file), ""); MESA_load_profile_string_def(profile, section, "maat_redis_server", redis_server, sizeof(redis_server), ""); + mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "%s:%s", "Maat Redis Ip", redis_server); MESA_load_profile_string_def(profile, section, "maat_redis_port_range", redis_port_range, sizeof(redis_server), "6379"); + mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "%s:%s", "Maat Redis Port", redis_port_range); ret=sscanf(redis_port_range,"%d-%d", &redis_port_begin, &redis_port_end); if(ret==1) { 
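Review bot: The new "Maat Redis Port" log prints `redis_port_range`, but the line just above it fills that buffer with `sizeof(redis_server)` as its capacity rather than `sizeof(redis_port_range)`; if the two arrays differ in size (their declarations are outside the hunk) a long `maat_redis_port_range` value overflows the stack buffer before it is ever logged. Change the capacity argument to `sizeof(redis_port_range)`. create_maat_feather starts and ends outside this hunk.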
@@ -460,7 +462,7 @@ void subscribe_id_dup_cb(int table_id, MAAT_PLUGIN_EX_DATA* to, MAAT_PLUGIN_EX_D int pangu_policy_init(struct verify_proxy * verify, const char* profile_path) { int ret = -1; - + g_pangu_rt = ALLOC(struct pangu_rt, 1); g_pangu_rt->thread_num = verify->nr_work_threads; @@ -473,14 +475,14 @@ int pangu_policy_init(struct verify_proxy * verify, const char* profile_path) } const char * table_name[__SCAN_TABLE_MAX]; - table_name[PXY_CTRL_IP] = "PXY_CTRL_IP"; - table_name[PXY_CTRL_HTTP_URL] = "PXY_CTRL_HTTP_URL"; - table_name[PXY_CTRL_HTTP_FQDN] = "TSG_OBJ_FQDN"; - table_name[PXY_CTRL_HTTP_REQ_HDR] = "PXY_CTRL_HTTP_REQ_HDR"; - table_name[PXY_CTRL_HTTP_REQ_BODY] = "TSG_OBJ_CONTENT"; - table_name[PXY_CTRL_HTTP_RES_HDR] = "PXY_CTRL_HTTP_RES_HDR"; - table_name[PXY_CTRL_HTTP_RES_BODY] = "TSG_OBJ_CONTENT"; - table_name[PXY_CTRL_SUBSCRIBE_ID] = "PXY_CTRL_SUBSCRIBE_ID"; + table_name[PXY_CTRL_IP] = "TSG_OBJ_IP_ADDR"; + table_name[PXY_CTRL_HTTP_URL] = "TSG_FIELD_HTTP_URL"; + table_name[PXY_CTRL_HTTP_FQDN] = "TSG_FIELD_HTTP_HOST"; + table_name[PXY_CTRL_HTTP_REQ_HDR] = "TSG_FIELD_HTTP_REQ_HDR"; + table_name[PXY_CTRL_HTTP_REQ_BODY] = "TSG_FIELD_HTTP_REQ_CONTENT"; + table_name[PXY_CTRL_HTTP_RES_HDR] = "TSG_FIELD_HTTP_RES_HDR"; + table_name[PXY_CTRL_HTTP_RES_BODY] = "TSG_FIELD_HTTP_RES_CONTENT"; + table_name[PXY_CTRL_SUBSCRIBE_ID] = "TSG_OBJ_SUBSCRIBER_ID"; for (int i = 0; i < __SCAN_TABLE_MAX; i++) { g_pangu_rt->scan_table_id[i] = Maat_table_register(g_pangu_rt->maat, table_name[i]); @@ -490,7 +492,7 @@ int pangu_policy_init(struct verify_proxy * verify, const char* profile_path) goto error_out; } } - + g_pangu_rt->dyn_maat = create_maat_feather("dyn", profile_path, "DYNAMIC_MAAT", g_pangu_rt->thread_num, g_pangu_rt->local_logger); if (!g_pangu_rt->maat) { diff --git a/script/tarball.sh b/script/tarball.sh new file mode 100644 index 0000000..c9675fa --- /dev/null +++ b/script/tarball.sh 
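Review bot: The renamed tables all exist in the new resource/table_info.conf (`TSG_OBJ_IP_ADDR` is id 2 typed `ip_plus`, the HTTP fields are `virtual` rows 4–12, `TSG_OBJ_SUBSCRIBER_ID` is 13), so registration should resolve, but the mapping now lives in two files with nothing tying them together; a comment on this block such as `/* names must match resource/table_info.conf */` would help the next rename. In the following hunk of this file (context, unchanged) `g_pangu_rt->dyn_maat` is assigned and then `g_pangu_rt->maat` is tested, so a failed dynamic-Maat creation is never detected; `if (!g_pangu_rt->dyn_maat)` looks like what was intended.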
@@ -0,0 +1,36 @@ +X=verify-policy +#X=certstore + +typeset -l version +version=`lsb_release -i -s` +version_id=`lsb_release -r -s` +machine=`uname -m` +issue_date=`date "+%Y%m%d"` + +tarball="$X-$2-$version$version_id-$machine-$issue_date".tar.gz + +do_mkdir(){ + if [ ! -d "../package" ]; then + mkdir ../package + fi + cd ../package + rm $X -rf + mkdir $X + mkdir $X/bin +} + +do_copy(){ + cp ../resource/ $X -rf + cp ../build/platform/verify-policy $X/bin + cp ../conf $X -rf +} + +do_tarball(){ + tar -zcvf $1 $X + rm $X -rf + echo "`date` BUILD=$X COMMIT=$2 ARCHIVE=$tarball" >> release.log +} + +do_mkdir +do_copy $1 +do_tarball $tarball diff --git a/script/verify-policy.service b/script/verify-policy.service new file mode 100644 index 0000000..2f2f6d3 --- /dev/null +++ b/script/verify-policy.service @@ -0,0 +1,12 @@ +[Unit] +Description=Verify Policy Engine +After=redis.service + +[Service] +WorkingDirectory=/home/tsg/verify-policy +ExecStart=/home/tsg/verify-policy/bin/verify-policy +Restart=always +RestartSec=5s + +[Install] +WantedBy=multi-user.target
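Review bot: `do_tarball` logs `COMMIT=$2`, but it is called as `do_tarball $tarball` with one argument, so inside the function `$2` is the function's unset second parameter and `release.log` always records an empty commit; likewise `do_copy $1` passes an argument the function never reads. The script is run as `sh tarball.sh` from CMakeLists.txt, yet `typeset -l version` is a bash/ksh builtin that a POSIX `sh` such as dash rejects, and `do_mkdir` continues into `rm $X -rf` even when `cd ../package` fails, which deletes `verify-policy` from whatever directory the build happens to be in. Add a shebang and `set -eu`, guard the `cd`, lowercase with `tr`, quote the expansions and pass the commit explicitly; the relative `../package` path also silently assumes the build directory is a direct child of the source tree.
```shell
#!/bin/sh
set -eu
X=verify-policy

version=$(lsb_release -i -s | tr '[:upper:]' '[:lower:]')
# … unchanged: version_id, machine, issue_date, tarball name …

do_mkdir(){
    mkdir -p ../package
    cd ../package || exit 1
    rm -rf -- "$X"
    mkdir -p "$X/bin"
}

# … unchanged: do_copy …

do_tarball(){
    tar -zcvf "$1" "$X"
    rm -rf -- "$X"
    echo "$(date) BUILD=$X COMMIT=$2 ARCHIVE=$1" >> release.log
}

do_mkdir
do_copy
do_tarball "$tarball" "$2"
```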
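Review bot: The unit has no `User=`/`Group=`, so systemd starts `/home/tsg/verify-policy/bin/verify-policy` as root while executing a binary and reading config from a path under a user's home directory that the `tsg` account can modify; a dedicated unprivileged service account plus an install location outside `/home` (the `CMAKE_INSTALL_PREFIX` default in this commit is the same path) keeps a compromise of that account from becoming root. `After=redis.service` only orders startup and does not pull Redis in; add `Wants=redis.service` if the dependency is real, though the shipped config points at `192.168.40.120`, so a local Redis may not be the one that matters. The request handler in platform/src/verify_policy.cpp accepts any POST with no authentication visible in this diff, which is a further reason to run the process unprivileged.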