gfwleak/tango-verify-policy
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

修复Verify Policy中fqdn entry的命中路径错误,增加Verify Policy测试用例代码框架

Browse Source
This commit is contained in:
fengweihao
2024-08-02 10:55:58 +08:00
parent 60cd4283db
commit 41caf21f43
12 changed files with 1638 additions and 786 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
CMakeLists.txt
View File

@@ -48,9 +48,8 @@ add_custom_target("install-profile" COMMAND ${CMAKE_COMMAND} ARGS -DCOMPONENT=Pr
add_custom_target("tarball" COMMAND sh ${CMAKE_SCRIPT_PATH}/tarball/tarball.sh ${TARGET_VERSION} ${TARGET_DESCRIBE})
enable_testing()
#add_subdirectory(conf)
#add_subdirectory(resource)
add_subdirectory(vendor)
add_subdirectory(common)
add_subdirectory(platform)
add_subdirectory(test)

21
common/include/verify_policy_utils.h → common/include/utils.h
View File

@@ -24,27 +24,6 @@
#define FOREVER for(;;)
#endif
#ifdef SOCK_NONBLOCK
#define EVUTIL_SOCK_NONBLOCK SOCK_NONBLOCK
#else
#define EVUTIL_SOCK_NONBLOCK 0x4000000
#endif
#ifdef SOCK_CLOEXEC
#define EVUTIL_SOCK_CLOEXEC SOCK_CLOEXEC
#else
#define EVUTIL_SOCK_CLOEXEC 0x80000000
#endif
#ifdef EFD_NONBLOCK
#define EVUTIL_EFD_NONBLOCK EFD_NONBLOCK
#else
#define EVUTIL_EFD_NONBLOCK 0x4000
#endif
#ifdef EFD_CLOEXEC
#define EVUTIL_EFD_CLOEXEC EFD_CLOEXEC
#else
#define EVUTIL_EFD_CLOEXEC 0x8000
#endif
#define __rt_always_inline__ __attribute__((always_inline)) inline
#define ALLOC(type, number) ((type *)calloc(sizeof(type), number))

15
common/include/verify_policy.h
View File

@@ -9,8 +9,8 @@
#define _VERIFY_POLICY_H
#include <event2/event.h>
#include <log.h>
#include "verify_policy_utils.h"
#include "log.h"
#include "utils.h"
struct breakpad_instance;
@@ -146,15 +146,8 @@ struct verify_policy_query
extern struct verify_policy * g_verify_proxy;
int maat_table_init(struct verify_policy * verify, const char* profile_path);
int policy_verify_regex_expression(const char *expression);
int get_ip_entry_tag_ids(cJSON *hit_library, int vsys_id, struct ipaddr *ip_addr);
int get_fqdn_entry_tag_ids(cJSON *hit_library, int vsys_id, const char *fqdn);
int http_hit_policy_list(struct verify_policy_query *verify_policy, int num, size_t hit_cnt, cJSON *data_obj, void *pme);
size_t policy_verify_scan(int vsys_id, int compile_table_id, struct request_query_obj *query_obj, void *pme);
void policy_scan_ctx_free(void * pme);
cJSON *get_library_search_query(const char *data, ssize_t data_len);
cJSON *get_verify_policy_query(const char *data, ssize_t data_len, int thread_id);
void verify_reload_loglevel();
void verify_policy_tunnle_add(void * pme);
void http_get_scan_status(struct request_query_obj *query_obj, int type, cJSON *attributes, cJSON *data_obj, void *pme);
void *policy_scan_ctx_new(unsigned int thread_id, int vsys_id, int compile_table_id);
#endif

7
platform/CMakeLists.txt
View File

@@ -7,10 +7,5 @@ add_executable(verify-policy src/verify_policy.cpp src/verify_matcher.cpp)
#target_include_directories(verify-policy PUBLIC ${CMAKE_CURRENT_LIST_DIR}/include)
target_link_libraries(verify-policy common cjson maatframe)
target_link_libraries(verify-policy pthread dl
libevent-static
MESA_prof_load
breakpad-client-static
cjson
${SYSTEMD_LIBRARIES})
target_link_libraries(verify-policy pthread dl libevent-static MESA_prof_load breakpad-client-static cjson ${SYSTEMD_LIBRARIES})

880
platform/src/verify_matcher.cpp
View File

File diff suppressed because it is too large Load Diff

681
platform/src/verify_policy.cpp
View File

@@ -30,9 +30,8 @@
#include <sys/stat.h>
#include <libgen.h>
#include "verify_policy.h"
#include <MESA/MESA_prof_load.h>
#include "verify_policy_utils.h"
#include "verify_policy.h"
struct verify_policy * g_verify_proxy = NULL;
@@ -68,671 +67,6 @@ static int load_system_conf(struct verify_policy * verify, const char *profile)
return xret;
}
int tsg_policy_type_str2idx(const char *action_str)
{
const char * policy_name[__SCAN_POLICY_MAX];
policy_name[TSG_TABLE_SECURITY] = "security";
policy_name[PXY_TABLE_MANIPULATION] = "pxy_manipulation";
policy_name[TSG_TRAFFIC_SHAPING] = "traffic_shaping";
policy_name[TSG_SERVICE_CHAINGNG] = "service_chaining";
policy_name[PXY_TABLE_INTERCEPT] = "pxy_intercept";
policy_name[TSG_STATISTICS] = "statistics";
policy_name[TSG_MONITOR] = "monitor";
policy_name[DOS_PROTECTION] = "dos_protection";
policy_name[PXY_TABLE_DEFENCE] = "active_defence";
size_t i = 0;
for (i = 0; i < sizeof(policy_name) / sizeof(const char *); i++)
{
if (0 == strcasecmp(action_str, policy_name[i]))
break;
}
log_info(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "[I] policyType= %s", action_str);
return i;
}
int protoco_field_type_str2idx(const char *action_str, char *buff, char **p)
{
const char * table_name[__TSG_OBJ_MAX] ={0};
table_name[TSG_OBJ_SOURCE_ADDR] = "ATTR_SOURCE_IP";
table_name[TSG_OBJ_DESTINATION_ADDR]="ATTR_DESTINATION_IP";
table_name[TSG_OBJ_SUBSCRIBE_ID] = "ATTR_SUBSCRIBER_ID";
table_name[TSG_OBJ_APP_ID] = "ATTR_APP_ID";
table_name[TSG_OBJ_HTTP_URL] = "ATTR_HTTP_URL";
table_name[TSG_OBJ_HTTP_REQ_HDR] = "ATTR_HTTP_REQ_HDR";
table_name[TSG_OBJ_HTTP_REQ_BODY] = "ATTR_HTTP_REQ_BODY";
table_name[TSG_OBJ_HTTP_RES_HDR] = "ATTR_HTTP_RES_HDR";
table_name[TSG_OBJ_HTTP_RES_BODY] = "ATTR_HTTP_RES_BODY";
table_name[TSG_OBJ_SSL_CN] = "ATTR_SSL_CN";
table_name[TSG_OBJ_SSL_SAN] = "ATTR_SSL_SAN";
table_name[TSG_OBJ_DOH_QNAME]="ATTR_DOH_QNAME";
table_name[TSG_OBJ_DNS_QNAME] = "ATTR_DNS_QNAME";
table_name[TSG_OBJ_MAIL_ACCOUNT] = "ATTR_MAIL_ACCOUNT";
table_name[TSG_OBJ_MAIL_FROM] = "ATTR_MAIL_FROM";
table_name[TSG_OBJ_MAIL_TO] = "ATTR_MAIL_TO";
table_name[TSG_OBJ_MAIL_SUBJECT] = "ATTR_MAIL_SUBJECT";
table_name[TSG_OBJ_MAIL_CONTENT] = "ATTR_MAIL_CONTENT";
table_name[TSG_OBJ_MAIL_ATT_NAME] = "ATTR_MAIL_ATT_NAME";
table_name[TSG_OBJ_MAIL_ATT_CONTENT] = "ATTR_MAIL_ATT_CONTENT";
table_name[TSG_OBJ_FTP_URI] = "ATTR_FTP_URI";
table_name[TSG_OBJ_FTP_CONTENT] = "ATTR_FTP_CONTENT";
table_name[TSG_OBJ_FTP_ACCOUNT] = "ATTR_FTP_ACCOUNT";
table_name[TSG_OBJ_SIP_FROM]="ATTR_SIP_ORIGINATOR_DESCRIPTION";
table_name[TSG_OBJ_SIP_TO]="ATTR_SIP_RESPONDER_DESCRIPTION";
table_name[TSG_OBJ_IMSI]="ATTR_GTP_IMSI";
table_name[TSG_OBJ_PHONE_NUMBER]="ATTR_GTP_PHONE_NUMBER";
table_name[TSG_OBJ_APN]="ATTR_GTP_APN";
table_name[TSG_OBJ_TUNNEL]="ATTR_TUNNEL",
table_name[TSG_OBJ_FLAG]="ATTR_FLAG";
table_name[TSG_OBJ_GTP_IMEI]="ATTR_GTP_IMEI";
table_name[TSG_OBJ_DST_SERVER_FQDN]="ATTR_SERVER_FQDN";
table_name[TSG_OBJ_INTERNAL_ADDR]="ATTR_INTERNAL_IP";
table_name[TSG_OBJ_EXTERNAL_ADDR]="ATTR_EXTERNAL_IP";
table_name[TSG_OBJ_SOURCE_PORT]="ATTR_SOURCE_PORT";
table_name[TSG_OBJ_DESTINATION_PORT]="ATTR_DESTINATION_PORT";
table_name[TSG_OBJ_INTERNAL_PORT]="ATTR_INTERNAL_PORT";
table_name[TSG_OBJ_EXTERNAL_PORT]="ATTR_EXTERNAL_PORT";
table_name[TSG_OBJ_IP_PROTOCOL]="ATTR_IP_PROTOCOL";
table_name[TSG_OBJ_SSL_ECH]="ATTR_SSL_ECH";
table_name[TSG_OBJ_SSL_ESNI]="ATTR_SSL_ESNI";
table_name[TSG_OBJ_SSL_NO_SNI]="ATTR_SSL_NO_SNI";
table_name[TSG_OBJ_TUNNEL_LEVEL]="ATTR_TUNNEL_LEVEL";
table_name[TSG_OBJ_TUNNEL_GTP_ENDPOINT]="ATTR_TUNNEL_GTP_ENDPOINT";
table_name[TSG_OBJ_TUNNEL_GRE_ENDPOINT]="ATTR_TUNNEL_GRE_ENDPOINT";
table_name[TSG_OBJ_TUNNEL_IP_IN_IP_ENDPOINT]="ATTR_TUNNEL_IP_IN_IP_ENDPOINT";
size_t i = 0;
for (i = 0; i < __TSG_OBJ_MAX; i++)
{
if (0 == strcasecmp(action_str, table_name[i]))
break;
}
*p += snprintf(*p, sizeof(buff) - (*p - buff), ", protocolField=%s,%d",action_str, (int)i);
return i;
}
int match_ip_attribute_name(char *attri_name)
{
size_t i = 0;
const char *attribute_name_map[] ={"source", "destination", "tunnel_endpointa", "tunnel_endpointb", "internal", "external"};
for(i = 0; i < sizeof(attribute_name_map)/sizeof(attribute_name_map[0]); i++)
{
if(0 == strcasecmp(attri_name, attribute_name_map[i]))
{
return i;
}
}
return -1;
}
struct ipaddr *ip_to_stream_addr(const char *clientIp1, unsigned int clientPort1, const char *serverIp1, unsigned int serverPort1, int addr_type, char *buff, int *protocol)
{
struct ipaddr *ip_addr = ALLOC(struct ipaddr, 1);
if(addr_type == 4)
{
struct stream_tuple4_v4 *v4_addr = ALLOC(struct stream_tuple4_v4, 1);
ip_addr->addrtype=ADDR_TYPE_IPV4;
inet_pton(AF_INET,clientIp1,&(v4_addr->saddr));
v4_addr->source=clientPort1;
inet_pton(AF_INET,serverIp1,&(v4_addr->daddr));
v4_addr->dest=serverPort1;
ip_addr->v4=v4_addr;
}
if(addr_type == 6)
{
struct stream_tuple4_v6 *v6_addr = ALLOC(struct stream_tuple4_v6, 1);
ip_addr->addrtype=ADDR_TYPE_IPV6;
inet_pton(AF_INET6,clientIp1,&(v6_addr->saddr));
v6_addr->source=clientPort1;
inet_pton(AF_INET6,serverIp1,&(v6_addr->daddr));
v6_addr->dest=serverPort1;
ip_addr->v6=v6_addr;
}
if(buff != NULL)
{
log_info(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "[I] %s, clientIp1=%s, clientPort1=%d, serverIp=%s, serverPort=%d, addr_type=%d, protocol=%d", buff,
clientIp1, clientPort1, serverIp1, serverPort1, addr_type, *protocol);
}
else
{
log_info(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "[I] Ip=%s, Port=%d, addr_type=%d", clientIp1, clientPort1, addr_type);
}
return ip_addr;
}
struct ipaddr *tunnel_to_stream_addr(const char *Ip, int addr_type)
{
struct ipaddr *ip_addr = ALLOC(struct ipaddr, 1);
if(addr_type == 4)
{
struct stream_tuple4_v4 *v4_addr = ALLOC(struct stream_tuple4_v4, 1);
ip_addr->addrtype=ADDR_TYPE_IPV4;
inet_pton(AF_INET,Ip,&(v4_addr->saddr));
ip_addr->v4=v4_addr;
}
if(addr_type == 6)
{
struct stream_tuple4_v6 *v6_addr = ALLOC(struct stream_tuple4_v6, 1);
ip_addr->addrtype=ADDR_TYPE_IPV6;
inet_pton(AF_INET6,Ip,&(v6_addr->saddr));
ip_addr->v6=v6_addr;
}
log_debug(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "[I] attribute_name = ip, clientIp1=%s, addr_type = %d", Ip, addr_type);
return ip_addr;
}
void ipaddr_free(struct ipaddr *ip_addr)
{
if(ip_addr==NULL)
{
return;
}
if(ip_addr->addrtype==ADDR_TYPE_IPV4)
{
free(ip_addr->v4);
}
if(ip_addr->addrtype==ADDR_TYPE_IPV6)
{
free(ip_addr->v6);
}
free(ip_addr);
}
static struct ipaddr * get_ip_from_json(cJSON *attributeValue, const char *attributeName, int *protocol, char *buff)
{
cJSON* item = NULL;
int addr_type=0;
const char *Ip=NULL;
unsigned int Port=0;
if(attributeName==NULL)
{
log_fatal(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "The attribute_type is of type iP, but the attribute_name is empty, resulting in IP type parsing failure.");
return NULL;
}
item = cJSON_GetObjectItem(attributeValue,"ip");
if(item && item->type==cJSON_String) Ip = item->valuestring;
item = cJSON_GetObjectItem(attributeValue,"port");
if(item && item->type==cJSON_String) Port =atoi(item->valuestring);
item = cJSON_GetObjectItem(attributeValue,"protocol");
if(item && item->type==cJSON_Number) *protocol = item->valueint;
item=cJSON_GetObjectItem(attributeValue,"addr_type");
if(item && item->type==cJSON_Number) addr_type = item->valueint;
if(strcasecmp(attributeName, "ip_protocol") == 0)
{
log_info(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "[I] %s, protocol=%d", buff, *protocol);
return NULL;
}
struct ipaddr *ip_addr = NULL;
if(strcasecmp(attributeName, "source") == 0 || strcasecmp(attributeName, "internal") == 0 ||
strcasecmp(attributeName, "tunnel_endpointa") == 0 || strcasecmp(attributeName, "tunnel_endpointb") == 0)
{
ip_addr = ip_to_stream_addr(Ip, Port, "0.0.0.0", 0, addr_type, buff, protocol);
}
if(strcasecmp(attributeName, "destination") == 0 || strcasecmp(attributeName, "external") == 0)
{
ip_addr = ip_to_stream_addr("0.0.0.0", 0, Ip, Port, addr_type, buff, protocol);
}
return ip_addr;
}
static char* get_port_from_json(cJSON *attributeValue, int *protocol, char *buff)
{
cJSON* item = NULL;
char *string=NULL;
item = cJSON_GetObjectItem(attributeValue,"port");
if(item && item->type==cJSON_String)
{
string = item->valuestring;
}
item = cJSON_GetObjectItem(attributeValue,"protocol");
if(item && item->type==cJSON_Number)
{
*protocol = item->valueint;
}
log_info(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "[I] %s, port=%s, protocol=%d", buff, string, *protocol);
return string;
}
static inline int match_attributeType_in_numeric(const char *attribute_type, int table_id)
{
if(0 == strcasecmp(attribute_type, "numeric") || 0 == strcasecmp(attribute_type, "flag") ||
0 == strcasecmp(attribute_type, "boolean") || table_id == TSG_OBJ_IP_PROTOCOL)
{
return 1;
}
else
{
return 0;
}
}
static int get_attribute_from_json(int curr_id, cJSON* subchild, struct verify_policy_query *policy_query)
{
int xret = -1;
const char *attribute_type=NULL;
char buff[VERIFY_STRING_MAX*2], *p = NULL;
cJSON* item = NULL, *attributeValue=NULL, *tunnelType_item=NULL;
p = buff;
item = cJSON_GetObjectItem(subchild, "attribute_type");
if(item && item->type==cJSON_String)
{
attribute_type = item->valuestring;
p += snprintf(p, sizeof(buff) - (p - buff), "attribute_type = %s", attribute_type);
}
item = cJSON_GetObjectItem(subchild, "attribute_name");
if(item && item->type==cJSON_String)
{
policy_query->request_object[curr_id].attri_name = item->valuestring;
p += snprintf(p, sizeof(buff) - (p - buff), ", attribute_name = %s",policy_query->request_object[curr_id].attri_name);
}
policy_query->request_object[curr_id].attributes=cJSON_Duplicate(subchild, 1);
item = cJSON_GetObjectItem(subchild, "table_name");
if(item && item->type==cJSON_String)
{
policy_query->request_object[curr_id].table_id = protoco_field_type_str2idx(item->valuestring, buff, &p);
if(policy_query->request_object[curr_id].table_id == __TSG_OBJ_MAX)
{
log_fatal(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "Get table id failed form table name:%s", item->valuestring);
return xret;
}
}
attributeValue = cJSON_GetObjectItem(subchild, "atrribute_value");
if(attributeValue == NULL || attributeValue->type!=cJSON_Object)
{
goto finish;
}
tunnelType_item = cJSON_GetObjectItem(attributeValue,"tunnel_type");
if(tunnelType_item && tunnelType_item->type==cJSON_String)
{
policy_query->request_object[curr_id].tunnel_type=tunnelType_item->valuestring;
p += snprintf(p, sizeof(buff) - (p - buff), ", tunnel_type=%s",policy_query->request_object[curr_id].tunnel_type);
}
if(0 == strcasecmp(attribute_type, "ip"))
{
policy_query->request_object[curr_id].ip_addr = get_ip_from_json(attributeValue, policy_query->request_object[curr_id].attri_name, &(policy_query->request_object[curr_id].numeric), buff);
goto end;
}
if(0 == strcasecmp(attribute_type, "port"))
{
policy_query->request_object[curr_id].string = get_port_from_json(attributeValue, &(policy_query->request_object[curr_id].numeric), buff);
goto end;
}
item = cJSON_GetObjectItem(attributeValue,"district");
if(item!=NULL)
{
policy_query->request_object[curr_id].district = item->valuestring;
p += snprintf(p, sizeof(buff) - (p - buff), ", district = %s",policy_query->request_object[curr_id].district);
}
if(match_attributeType_in_numeric(attribute_type, policy_query->request_object[curr_id].table_id))
{
item = cJSON_GetObjectItem(attributeValue, "numeric");
if(item && item->type==cJSON_Number)
{
policy_query->request_object[curr_id].numeric = item->valueint;
p += snprintf(p, sizeof(buff) - (p - buff), ", content = %d", policy_query->request_object[curr_id].numeric);
}
}
else
{
item = cJSON_GetObjectItem(attributeValue, "string");
if(item!=NULL)
{
policy_query->request_object[curr_id].string = item->valuestring;
p += snprintf(p, sizeof(buff) - (p - buff), ", content = %s",policy_query->request_object[curr_id].string);
}
}
log_info(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "[I] %s", buff);
memset(buff, 0, VERIFY_STRING_MAX*2);
end:
xret = 1;
finish:
return xret;
}
enum verify_type get_verify_type(cJSON* http_respone)
{
cJSON *item = NULL;
enum verify_type type = VERIFY_TYPE_POLICY;
item = cJSON_GetObjectItem(http_respone,"verify_type");
if(item && item->type==cJSON_String)
{
if(0 == strcasecmp(item->valuestring, "policy"))
{
type = VERIFY_TYPE_POLICY;
}
if(0 == strcasecmp(item->valuestring, "regex"))
{
type = VERIFY_TYPE_REGEX;
}
log_info(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "[I] verify_type= %s", item->valuestring);
}
return type;
}
static int get_query_result_regex(cJSON *verifylist_array_item, cJSON *http_body)
{
int cur_id=0, i=0, is_valid[32]={0};
cJSON *regexstr_obj[32],*attributes=NULL;
cJSON *item = NULL, *subchild = NULL;
attributes = cJSON_GetObjectItem(verifylist_array_item, "verify_regex");
if(attributes==NULL || attributes->type != cJSON_Array)
{
return -1;
}
for (subchild = attributes->child; subchild != NULL; subchild = subchild->next)
{
item = cJSON_GetObjectItem(subchild, "regex_str");
if(item && item->type==cJSON_String)
{
is_valid[cur_id] = policy_verify_regex_expression(item->valuestring);
}
regexstr_obj[cur_id]=cJSON_Duplicate(item, 1);
cur_id++;
}
cJSON *verify_regex_obj=NULL;
cJSON *verifyRegex=cJSON_CreateArray();
cJSON_AddItemToObject(http_body, "verify_regex", verifyRegex);
for (i = 0; i < cur_id; i++)
{
verify_regex_obj=cJSON_CreateObject();
cJSON_AddItemToObject(verify_regex_obj, "regex_str", regexstr_obj[i]);
cJSON_AddNumberToObject(verify_regex_obj, "is_valid", is_valid[i]);
cJSON_AddItemToArray(verifyRegex, verify_regex_obj);
}
return 1;
}
static void get_count_form_attributeName(void *ctx, cJSON *subchild)
{
cJSON *item = NULL;
item = cJSON_GetObjectItem(subchild, "attribute_name");
if(item && item->type==cJSON_String)
{
if(0 == strcasecmp(item->valuestring, "tunnel_endpointa"))
{
verify_policy_tunnle_add(ctx);
}
if(0 == strcasecmp(item->valuestring, "tunnel_endpointb"))
{
verify_policy_tunnle_add(ctx);
}
}
return;
}
int get_query_result_policy(cJSON *verifylist_array_item, cJSON *http_body, int thread_id)
{
int attribute_num = 0;
int hit_cnt = 0, xret =0;
cJSON *item = NULL, *subchild = NULL, *attributes=NULL;
struct verify_policy_query *verify_policy = NULL;
verify_policy = ALLOC(struct verify_policy_query, 1);
item = cJSON_GetObjectItem(verifylist_array_item,"type");
if(item && item->type==cJSON_String)
{
verify_policy->compile_table_id = tsg_policy_type_str2idx(item->valuestring);
if (verify_policy->compile_table_id >= __SCAN_POLICY_MAX)
{
log_fatal(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "policy type error, policy id = %d", verify_policy->compile_table_id);
goto free;
}
}
item = cJSON_GetObjectItem(verifylist_array_item, "vsys_id");
if(item && item->type==cJSON_Number)
{
verify_policy->vsys_id = item->valueint;
}
log_info(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "[I] vsys_id= %d", verify_policy->vsys_id);
item = cJSON_GetObjectItem(verifylist_array_item,"verify_session");
if(item == NULL || item->type!=cJSON_Object)
{
goto free;
}
attributes = cJSON_GetObjectItem(item,"attributes");
if(attributes && attributes->type==cJSON_Array)
{
void *ctx = policy_scan_ctx_new(thread_id, verify_policy->vsys_id, verify_policy->compile_table_id);
for (subchild = attributes->child; subchild != NULL; subchild = subchild->next)
{
get_count_form_attributeName(ctx, subchild);
}
for (subchild = attributes->child; subchild != NULL; subchild = subchild->next)
{
xret = get_attribute_from_json(attribute_num, subchild, verify_policy);
if (xret < 0)
{
goto free;
}
hit_cnt = policy_verify_scan(verify_policy->vsys_id, verify_policy->compile_table_id, &verify_policy->request_object[attribute_num], ctx);
if(match_ip_attribute_name(verify_policy->request_object[attribute_num].attri_name) >= 0)
{
ipaddr_free(verify_policy->request_object[attribute_num].ip_addr);
}
attribute_num++;
}
http_hit_policy_list(verify_policy, attribute_num, hit_cnt, http_body, ctx);
int item = 0;
cJSON *verfifySession = cJSON_CreateObject();
cJSON_AddItemToObject(http_body, "verify_session", verfifySession);
cJSON *attributes=cJSON_CreateArray();
cJSON_AddItemToObject(verfifySession, "attributes", attributes);
for (item = 0; item < attribute_num; item++)
{
http_get_scan_status(&verify_policy->request_object[item], verify_policy->compile_table_id, attributes, http_body, ctx);
}
policy_scan_ctx_free(ctx);
}
attribute_num=0;
free:
if (verify_policy)
{
FREE(&verify_policy);
}
return hit_cnt;
}
cJSON *get_verify_policy_query(const char *data, ssize_t data_len, int thread_id)
{
int hit_cnt = 0;
cJSON* http_request = cJSON_Parse(data);
if(http_request == NULL)
{
log_fatal(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "Failed to parse the request data.");
return NULL;
}
cJSON *http_respone=NULL, *http_body=NULL;
http_respone=cJSON_CreateObject();
cJSON_AddNumberToObject(http_respone, "code", 200);
cJSON_AddStringToObject(http_respone, "msg", "Success");
http_body = cJSON_CreateObject();
cJSON_AddItemToObject(http_respone, "data", http_body);
int type=get_verify_type(http_request);
cJSON *item = NULL, *subitem = NULL;
item = cJSON_GetObjectItem(http_request,"verify_list");
if(item && item->type==cJSON_Array)
{
for (subitem = item->child; subitem != NULL; subitem = subitem->next)
{
if(type == VERIFY_TYPE_REGEX)
{
log_info(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "[I] data= %.*s", (int)data_len, data);
hit_cnt = get_query_result_regex(subitem, http_body);
}
if(type == VERIFY_TYPE_POLICY)
{
hit_cnt = get_query_result_policy(subitem, http_body, thread_id);
}
}
if (hit_cnt >= 0)
{
cJSON_AddBoolToObject(http_respone, "success", true);
}
else
{
cJSON_AddBoolToObject(http_respone, "success", false);
}
}
cJSON_Delete(http_request);
return http_respone;
}
int http_get_headers(struct evhttp_request *evh_req, struct evkeyvalq *headers)
{
int xret = -1;
const char *uri = evhttp_request_get_uri(evh_req);
if(!uri)
{
return xret;
}
return evhttp_parse_query(uri, headers);
}
int http_get_int_param(struct evhttp_request *evh_req, const char *key)
{
int xret=-1, vsys_id=-1;
struct evkeyvalq headers;
xret = http_get_headers(evh_req, &headers);
if(xret != 0)
{
return -1;
}
const char *value = evhttp_find_header(&headers, key);
if (value)
{
vsys_id = atoi(value);
}
evhttp_clear_headers(&headers);
return vsys_id;
}
char *http_get_string_param(struct evhttp_request *evh_req, const char *key)
{
int xret=-1;
char *param=NULL;
struct evkeyvalq headers;
xret = http_get_headers(evh_req, &headers);
if(xret != 0)
{
return NULL;
}
const char *value = evhttp_find_header(&headers, key);
if (value)
{
param = strdup(value);
}
evhttp_clear_headers(&headers);
return param;
}
int get_ip_type(const char *ip)
{
struct sockaddr_in sa;
struct sockaddr_in6 sa6;
int addr_type = 0;
if (inet_pton(AF_INET, ip, &(sa.sin_addr)) > 0)
{
addr_type = 4;
}
else if (inet_pton(AF_INET6, ip, &(sa6.sin6_addr)) > 0)
{
addr_type = 6;
}
return addr_type;
}
cJSON *get_library_search_query(struct evhttp_request *evh_req)
{
int hit_library_cnt=0;
cJSON *http_respone=cJSON_CreateObject();
cJSON_AddNumberToObject(http_respone, "code", 200);
cJSON_AddStringToObject(http_respone, "msg", "Success");
cJSON *http_body = cJSON_CreateObject();
cJSON_AddItemToObject(http_respone, "data", http_body);
cJSON *hit_library=cJSON_CreateArray();
cJSON_AddItemToObject(http_body, "hit_library", hit_library);
int vsys_id = http_get_int_param(evh_req, "vsys_id");
if(vsys_id < 0)
{
log_fatal(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "invalid vsys_id");
return NULL;
}
char *ip = http_get_string_param(evh_req, "ip");
if(ip)
{
struct ipaddr *ip_addr = ip_to_stream_addr(ip, 0, "0.0.0.0", 0, get_ip_type(ip), NULL, 0);
hit_library_cnt=get_ip_entry_tag_ids(hit_library, vsys_id, ip_addr);
FREE(&ip);
ipaddr_free(ip_addr);
}
char *fqdn = http_get_string_param(evh_req, "fqdn");
if(fqdn)
{
hit_library_cnt=get_fqdn_entry_tag_ids(hit_library, vsys_id, fqdn);
FREE(&fqdn);
}
if (hit_library_cnt > 0)
{
cJSON_AddBoolToObject(http_body, "success", true);
}
else
{
cJSON_AddBoolToObject(http_body, "success", false);
}
return http_respone;
}
static int evhttp_socket_send(struct evhttp_request *req, char *sendbuf)
{
struct evbuffer *evb = NULL;
@@ -802,6 +136,8 @@ finish:
void library_search_request_cb(struct evhttp_request *evh_req, void *arg)
{
struct evbuffer * evbuf_body = NULL;
char *input = NULL; ssize_t inputlen=0;
char *http_payload_string= NULL; cJSON *http_payload=NULL;
if (evhttp_request_get_command(evh_req) != EVHTTP_REQ_POST)
@@ -809,9 +145,16 @@ void library_search_request_cb(struct evhttp_request *evh_req, void *arg)
log_fatal(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "FAILED (post type)");
goto error;
}
evbuf_body = evhttp_request_get_input_buffer(evh_req);
if (!evbuf_body || 0==(inputlen = evbuffer_get_length(evbuf_body)) ||!(input = (char *)evbuffer_pullup(evbuf_body,inputlen)))
{
log_fatal(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "Failed to get post data information.");
goto error;
}
log_info(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "[I] Request library search: %s", evhttp_request_get_uri(evh_req));
http_payload = get_library_search_query(evh_req);
http_payload = get_library_search_query(input, inputlen);
if(http_payload == NULL)
{
goto error;
@@ -864,7 +207,7 @@ int create_and_listen_socket(const struct sockaddr *sa, int socklen, int backlog
int fd;
int on = 1;
int family = sa ? sa->sa_family : AF_UNSPEC;
int socktype = SOCK_STREAM | EVUTIL_SOCK_NONBLOCK;
int socktype = SOCK_STREAM | SOCK_NONBLOCK;
fd = socket(family, socktype, 0);
if (fd == -1)

19
test/CMakeLists.txt Normal file
View File

@@ -0,0 +1,19 @@
cmake_minimum_required(VERSION 3.5)
include_directories(${CMAKE_SOURCE_DIR}/common/include)
add_executable(verify_policy_test verify_policy_test.cpp ${CMAKE_SOURCE_DIR}/platform/src/verify_matcher.cpp)
target_link_libraries(verify_policy_test common MESA_prof_load maatframe cjson gtest)
set(CMAKE_BUILD_DIR ${CMAKE_SOURCE_DIR}/build)
set(TEST_RUN_DIR ${CMAKE_BUILD_DIR}/test)
file(COPY ${CMAKE_SOURCE_DIR}/resource DESTINATION ${TEST_RUN_DIR})
file(COPY ${CMAKE_SOURCE_DIR}/conf DESTINATION ${TEST_RUN_DIR})
file(COPY ${CMAKE_SOURCE_DIR}/test/resource/VerifyPolicyHit.json DESTINATION ${TEST_RUN_DIR}/resource)
file(COPY ${CMAKE_SOURCE_DIR}/test/resource/HitPolicyResult.json DESTINATION ${TEST_RUN_DIR}/resource)
file(COPY ${CMAKE_SOURCE_DIR}/test/resource/HitPolicyRequest.json DESTINATION ${TEST_RUN_DIR}/resource)
add_test(NAME UPDATE_MAAT_MODE COMMAND bash -c "sed -i 's/maat_input_mode=1/maat_input_mode=0/' ${TEST_RUN_DIR}/conf/verify_policy.conf")
add_test(NAME UPDATE_LOG_LEVEL COMMAND bash -c "sed -i 's/log_level=5/log_level=1/' ${TEST_RUN_DIR}/conf/verify_policy.conf")
add_test(NAME UPDATE_VSYS_NUM COMMAND bash -c "sed -i '32i load_vsys_num=2' ${TEST_RUN_DIR}/conf/verify_policy.conf")
add_test(NAME UPDATE_START_VSYS COMMAND bash -c "sed -i '33i load_start_vsys=1' ${TEST_RUN_DIR}/conf/verify_policy.conf")
add_test(NAME UPDATE_JSON_FILE COMMAND bash -c "sed -i 's/json_cfg_file=\\.\\/resource\\/verify-policy\\.json/json_cfg_file=\\.\\/resource\\/VerifyPolicyHit\\.json/' ${TEST_RUN_DIR}/conf/verify_policy.conf")

70
test/resource/HitPolicyRequest.json Normal file
View File

@@ -0,0 +1,70 @@
{
"Verify_Policy_Request": [
{
"vsys_id": 1,
"verify_list": [
{
"type": "pxy_manipulation",
"vsys_id": 1,
"verify_session": {
"attributes": [
{
"attribute_type": "ip",
"table_name": "ATTR_SOURCE_IP",
"attribute_name": "source",
"attribute_value": {
"ip": "192.168.0.1",
"port":"8080",
"addr_type": 4
}
}
]
}
}
],
"verify_type": "policy"
},
{
"vsys_id": 1,
"verify_list": [
{
"type": "pxy_manipulation",
"vsys_id": 1,
"verify_session": {
"attributes": [
{
"attribute_type": "ip",
"table_name": "ATTR_SOURCE_IP",
"attribute_name": "source",
"attribute_value": {
"ip": "192.168.1.1",
"port":"8080",
"addr_type": 4
}
},
{
"attribute_type": "ip",
"table_name": "ATTR_INTERNAL_IP",
"attribute_name": "internal",
"attribute_value": {
"ip": "192.168.1.2",
"port": "80",
"addr_type": 4
}
},
{
"attribute_type": "string",
"table_name": "ATTR_SERVER_FQDN",
"attribute_name": "server_fqdn",
"attribute_value": {
"string": "www.126.com"
}
}
]
}
}
],
"verify_type": "policy"
}
]
}

134
test/resource/HitPolicyResult.json Normal file
View File

@@ -0,0 +1,134 @@
{
"Verify_Policy_Result": [
{
"code": 200,
"msg": "Success",
"data": {
"hitPolicyList": [
{
"id": 1021,
"policyName": "",
"is_execute_policy": true,
"top_object_list": [
{
"object_id": 101,
"table_name": "ATTR_SOURCE_IP",
"not_flag": 0,
"nth_clause": 0
}
]
}
],
"verify_session": {
"attributes": [
{
"attribute_type": "ip",
"table_name": "ATTR_SOURCE_IP",
"attribute_name": "source",
"attribute_value": {
"ip": "192.168.0.1",
"port": "8080",
"addr_type": 4
},
"hit_paths": [
{
"item_id": 1,
"superior_object_id": 101
}
]
}
]
}
},
"success": true
},
{
"code": 200,
"msg": "Success",
"data": {
"hitPolicyList": [
{
"id": 1022,
"policyName": "",
"is_execute_policy": true,
"top_object_list": [
{
"tag_id": 11,
"table_name": "ATTR_SOURCE_IP",
"not_flag": 0,
"nth_clause": 0
},
{
"tag_id": 12,
"table_name": "ATTR_INTERNAL_IP",
"not_flag": 0,
"nth_clause": 1
},
{
"tag_id": 1,
"table_name": "ATTR_SERVER_FQDN",
"not_flag": 0,
"nth_clause": 2
}
]
}
],
"verify_session": {
"attributes": [
{
"attribute_type": "ip",
"table_name": "ATTR_SOURCE_IP",
"attribute_name": "source",
"attribute_value": {
"ip": "192.168.1.1",
"port": "8080",
"addr_type": 4
},
"hit_paths": [
{
"entry_id": 1,
"tag_id": 11
}
]
},
{
"attribute_type": "ip",
"table_name": "ATTR_INTERNAL_IP",
"attribute_name": "internal",
"attribute_value": {
"ip": "192.168.1.2",
"port": "80",
"addr_type": 4
},
"hit_paths": [
{
"entry_id": 2,
"tag_id": 12
},
{
"entry_id": 2,
"tag_id": 13
}
]
},
{
"attribute_type": "string",
"table_name": "ATTR_SERVER_FQDN",
"attribute_name": "server_fqdn",
"attribute_value": {
"string": "www.126.com"
},
"hit_paths": [
{
"entry_id": 1,
"tag_id": 1
}
]
}
]
}
},
"success": true
}
]
}

101
test/resource/VerifyPolicyHit.json Normal file
View File

@@ -0,0 +1,101 @@
{
"compile_table": "PXY_CTRL_COMPILE",
"group2compile_table": "GROUP_PXY_CTRL_COMPILE_RELATION",
"group2group_table": "GROUP_GROUP_RELATION",
"rules": [
{
"compile_id": 1021,
"service": 1,
"action": 48,
"do_blacklist": 1,
"do_log": 1,
"effective_range": 0,
"tags":"anything",
"user_region": "anything",
"is_valid": "yes",
"groups": [
{
"not_flag": 0,
"group_id": 101,
"group_name":"IPv4TCPSoureVeiryPolicy01",
"virtual_table": "ATTR_SOURCE_IP",
"regions": [
{
"table_type": "ip",
"table_name": "TSG_OBJ_IP_ADDR",
"table_content": {
"addr_type": "ipv4",
"addr_format": "range",
"ip1": "192.168.0.1",
"ip2": "192.168.0.1"
}
}
]
}
]
},
{
"compile_id": 1022,
"service": 1,
"action": 48,
"do_blacklist": 1,
"do_log": 1,
"effective_range": 0,
"tags":"anything",
"user_region": "anything",
"is_valid": "yes",
"groups": [
{
"group_id": 11,
"group_name": "IPv4TCPSoureEntry.11",
"virtual_table": "ATTR_SOURCE_IP"
},
{
"group_id": 12,
"group_name": "IPv4TCPSoureEntry.12",
"virtual_table": "ATTR_INTERNAL_IP"
},
{
"group_id": 1,
"group_name": "FQDNEntry.1",
"virtual_table": "ATTR_SERVER_FQDN"
}
]
}
],
"plugin_table": [
{
"table_name": "FQDN_ENTRY",
"table_content": [
"1\t1\twww.126.com\t1\t1",
"2\t2,3\twww.baidu.com\t1\t1",
"4\t4,5,6\twww.qq.com\t1\t1"
]
},
{
"table_name": "IP_ADDR_ENTRY",
"table_content": [
"1\t11\t4\tsingle\t192.168.1.1\t192.168.1.1\t1",
"2\t12,13\t4\tsingle\t192.168.1.2\t192.168.1.2\t1",
"4\t14,15,16\t4\trange\t192.168.1.3\t192.168.1.3\t1"
]
},
{
"table_name": "LIBRARY_TAG",
"table_content": [
"1\tnone\twebsite_category\tfqdn1\tsearch\\bengines\t1",
"2\tnone\twebsite_category\tfqdn2\tRecreation\band\bHobbies\t1",
"3\tnone\twebsite_category\tfqdn3\tbusiness\t1",
"4\tnone\twebsite_category\tfqdn4\tsearch bengines\t1",
"5\tnone\twebsite_category\tfqdn5\tsearch\\bengines\t1",
"6\tnone\twebsite_category\tfqdn6\tsearch\\bengines\t1",
"11\tnone\tgeoip\tadministrative_area\tColombia.Departamento\bdel\bVaupes\t1",
"12\tnone\tgeoip\tadministrative_area\tColombia.Departamento\bdel\bVaupes.Mitú\t1",
"13\tnone\tgeoip\tadministrative_area\tColombia.Antioquia.Marinilla\t1",
"14\tnone\tgeoip\tsuper_administrative_area\tColombia.Departamento\bdel\bVaupes\t1",
"15\tnone\tgeoip\tadministrative_area\tGermany.Bavaria.Mauern\t1",
"16\tnone\tgeoip\tadministrative_area\tGermany.Bavaria.Mellrichstadt\t1"
]
}
]
}

308
test/verify_policy_test.cpp Normal file
View File

@@ -0,0 +1,308 @@
/*************************************************************************
> File Name:
> Author:
> Mail:
> Created Time: 2020<32><30>05<30><35>28<32><38> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 19ʱ21<32><31>37<33><37>
************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <cjson/cJSON.h>
#include <sys/stat.h>
#include <gtest/gtest.h>
#include <MESA/MESA_prof_load.h>
#include "verify_policy.h"
#include "utils.h"
cJSON *verify_policy_result;
cJSON *verify_policy_request;
struct verify_policy * g_verify_proxy = NULL;
extern cJSON *get_library_search_query(const char *data, ssize_t data_len);
extern cJSON *get_verify_policy_query(const char *data, ssize_t data_len, int thread_id);
int load_json_file_system_cmd(const char *load_json_file, const char *run_json_file)
{
char command[1024] = {0};
snprintf(command, sizeof(command), "cp ./resource/%s ./resource/%s", load_json_file, run_json_file);
system(command);
sleep(2);
return 0;
}
static char *select_hit_policy_result_item(int gtest_id)
{
if(verify_policy_result == NULL || verify_policy_result->type!=cJSON_Array)
{
return NULL;
}
int foreach=0;
char *hit_policy_result = NULL;
cJSON *subitem = NULL;
for (subitem = verify_policy_result->child; subitem != NULL; subitem = subitem->next)
{
if(foreach == gtest_id)
{
hit_policy_result = cJSON_PrintUnformatted(subitem);
break;
}
foreach++;
}
return hit_policy_result;
}
static char *select_hit_policy_request_item(int gtest_id)
{
if(verify_policy_request == NULL || verify_policy_request->type!=cJSON_Array)
{
return NULL;
}
int foreach=0;
char *hit_policy_request = NULL;
cJSON *subitem = NULL;
for (subitem = verify_policy_request->child; subitem != NULL; subitem = subitem->next)
{
if(foreach == gtest_id)
{
hit_policy_request = cJSON_PrintUnformatted(subitem);
break;
}
foreach++;
}
return hit_policy_request;
}
TEST(LibrarySearch, HitFqdnEntry)
{
const char *cm_http_request = "{\"ip\":null,\"fqdn\":\"www.126.com\",\"vsys_id\":1}";
const char *expect_result="{\"code\":200,\"msg\":\"Success\",\"data\":{\"hit_library\":[{\"entry_id\":1,\"tag_ids\":\"1\"}]},\"success\":true}";
cJSON *result_json = get_library_search_query(cm_http_request, strlen(cm_http_request));
ASSERT_TRUE(result_json != NULL);
char *hit_policy_list = cJSON_PrintUnformatted(result_json);
ASSERT_TRUE(hit_policy_list != NULL);
int equal = strncasecmp(hit_policy_list, expect_result, strlen(expect_result));
EXPECT_EQ(equal, 0);
cJSON_Delete(result_json);
FREE(&hit_policy_list);
cm_http_request = "{\"ip\":null,\"fqdn\":\"www.baidu.com\",\"vsys_id\":1}";
expect_result="{\"code\":200,\"msg\":\"Success\",\"data\":{\"hit_library\":[{\"entry_id\":2,\"tag_ids\":\"2,3\"}]},\"success\":true}";
result_json = get_library_search_query(cm_http_request, strlen(cm_http_request));
ASSERT_TRUE(result_json != NULL);
hit_policy_list = cJSON_PrintUnformatted(result_json);
ASSERT_TRUE(hit_policy_list != NULL);
equal = strncasecmp(hit_policy_list, expect_result, strlen(expect_result));
EXPECT_EQ(equal, 0);
cJSON_Delete(result_json);
FREE(&hit_policy_list);
cm_http_request = "{\"ip\":null,\"fqdn\":\"www.qq.com\",\"vsys_id\":1}";
expect_result="{\"code\":200,\"msg\":\"Success\",\"data\":{\"hit_library\":[{\"entry_id\":4,\"tag_ids\":\"4,5,6\"}]},\"success\":true}";
result_json = get_library_search_query(cm_http_request, strlen(cm_http_request));
ASSERT_TRUE(result_json != NULL);
hit_policy_list = cJSON_PrintUnformatted(result_json);
ASSERT_TRUE(hit_policy_list != NULL);
equal = strncasecmp(hit_policy_list, expect_result, strlen(expect_result));
EXPECT_EQ(equal, 0);
cJSON_Delete(result_json);
FREE(&hit_policy_list);
}
TEST(LibrarySearch, HitIpEntry)
{
const char *cm_http_request = "{\"ip\":\"192.168.1.1\",\"fqdn\":null,\"vsys_id\":1}";
const char *expect_result="{\"code\":200,\"msg\":\"Success\",\"data\":{\"hit_library\":[{\"entry_id\":1,\"tag_ids\":\"11\"}]},\"success\":true}";
cJSON *result_json = get_library_search_query(cm_http_request, strlen(cm_http_request));
ASSERT_TRUE(result_json != NULL);
char *hit_policy_list = cJSON_PrintUnformatted(result_json);
ASSERT_TRUE(hit_policy_list != NULL);
int equal = strncasecmp(hit_policy_list, expect_result, strlen(expect_result));
EXPECT_EQ(equal, 0);
cJSON_Delete(result_json);
FREE(&hit_policy_list);
cm_http_request ="{\"ip\":\"192.168.1.2\",\"fqdn\":null,\"vsys_id\":1}";
expect_result="{\"code\":200,\"msg\":\"Success\",\"data\":{\"hit_library\":[{\"entry_id\":2,\"tag_ids\":\"12,13\"}]},\"success\":true}";
result_json = get_library_search_query(cm_http_request, strlen(cm_http_request));
ASSERT_TRUE(result_json != NULL);
hit_policy_list = cJSON_PrintUnformatted(result_json);
ASSERT_TRUE(hit_policy_list != NULL);
equal = strncasecmp(hit_policy_list, expect_result, strlen(expect_result));
EXPECT_EQ(equal, 0);
cJSON_Delete(result_json);
FREE(&hit_policy_list);
cm_http_request = "{\"ip\":\"192.168.1.3\",\"fqdn\":null,\"vsys_id\":1}";
expect_result="{\"code\":200,\"msg\":\"Success\",\"data\":{\"hit_library\":[{\"entry_id\":4,\"tag_ids\":\"14,15,16\"}]},\"success\":true}";
result_json = get_library_search_query(cm_http_request, strlen(cm_http_request));
ASSERT_TRUE(result_json != NULL);
hit_policy_list = cJSON_PrintUnformatted(result_json);
ASSERT_TRUE(hit_policy_list != NULL);
equal = strncasecmp(hit_policy_list, expect_result, strlen(expect_result));
EXPECT_EQ(equal, 0);
cJSON_Delete(result_json);
FREE(&hit_policy_list);
}
TEST(VerifyPolicy, HitIpPolicy)
{
char *hit_policy_request = select_hit_policy_request_item(0);
ASSERT_TRUE(hit_policy_request != NULL);
char *hit_policy_result = select_hit_policy_result_item(0);
ASSERT_TRUE(hit_policy_result != NULL);
cJSON *result_json = get_verify_policy_query(hit_policy_request, strlen(hit_policy_request), 1);
ASSERT_TRUE(result_json != NULL);
char *hit_policy_query = cJSON_PrintUnformatted(result_json);
ASSERT_TRUE(hit_policy_query != NULL);
int equal = strncasecmp(hit_policy_query, hit_policy_result, strlen(hit_policy_result));
EXPECT_EQ(equal, 0);
cJSON_Delete(result_json);
FREE(&hit_policy_query);
FREE(&hit_policy_request);
FREE(&hit_policy_result);
}
TEST(VerifyPolicy, HitLibraryPolicy)
{
char *hit_policy_request = select_hit_policy_request_item(1);
ASSERT_TRUE(hit_policy_request != NULL);
char *hit_policy_result = select_hit_policy_result_item(1);
ASSERT_TRUE(hit_policy_result != NULL);
cJSON *result_json = get_verify_policy_query(hit_policy_request, strlen(hit_policy_request), 1);
ASSERT_TRUE(result_json != NULL);
char *hit_policy_query = cJSON_PrintUnformatted(result_json);
ASSERT_TRUE(hit_policy_query != NULL);
//printf("hit_policy_query =%s\n", hit_policy_query);
int equal = strncasecmp(hit_policy_query, hit_policy_result, strlen(hit_policy_result));
EXPECT_EQ(equal, 0);
cJSON_Delete(result_json);
FREE(&hit_policy_query);
FREE(&hit_policy_request);
FREE(&hit_policy_result);
}
static char *read_json_file(const char *filename, size_t *input_sz)
{
FILE* fp=NULL;
struct stat file_info;
stat(filename, &file_info);
*input_sz=file_info.st_size;
fp=fopen(filename,"r");
if(fp==NULL)
{
return NULL;
}
char* input=(char*)malloc(*input_sz);
fread(input,1,*input_sz,fp);
fclose(fp);
return input;
}
cJSON *load_verify_policy_result_by_file(const char *filename, int hit_policy_result)
{
size_t input_sz = 0;
char *input = read_json_file(filename, &input_sz);
if(input == NULL)
{
return NULL;
}
cJSON* data = cJSON_Parse(input);
if(data == NULL)
{
FREE(&input);
return NULL;
}
if(hit_policy_result)
{
verify_policy_result = cJSON_GetObjectItem(data,"Verify_Policy_Result");
}
else
{
verify_policy_request = cJSON_GetObjectItem(data,"Verify_Policy_Request");
}
FREE(&input);
return data;
}
int main(int argc, char ** argv)
{
int ret = 0;
int log_level=0;
const char * main_profile = "./conf/verify_policy.conf";
g_verify_proxy = ALLOC(struct verify_policy, 1);
assert(g_verify_proxy);
strcpy(g_verify_proxy->name, "verify_policy");
const char *log_path="./logs/verify_policy.log";
MESA_load_profile_int_def(main_profile, "SYSTEM", "log_level", &log_level, LOG_FATAL);
g_verify_proxy->logger = log_handle_create(log_path, log_level);
CHECK_OR_EXIT(g_verify_proxy->logger != NULL, "Failed at init log module. Exit.");
ret = maat_table_init(g_verify_proxy, main_profile);
CHECK_OR_EXIT(ret == 0, "Failed at init maat module, Exit.");
const char *filename1 = "./resource/HitPolicyResult.json";
cJSON *data1=load_verify_policy_result_by_file(filename1, 1);
const char *filename2 = "./resource/HitPolicyRequest.json";
cJSON *data2=load_verify_policy_result_by_file(filename2, 0);
testing::InitGoogleTest(&argc, argv);
ret=RUN_ALL_TESTS();
if(data1 != NULL)
{
cJSON_Delete(data1);
}
if(data2 != NULL)
{
cJSON_Delete(data2);
}
return ret;
}

185
test/verify_policy_tool.cpp Normal file
View File

@@ -0,0 +1,185 @@
/*************************************************************************
> File Name:
> Author:
> Mail:
> Created Time: 2020<32><30>05<30><35>28<32><38> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 19ʱ21<32><31>37<33><37>
************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <cjson/cJSON.h>
#include <sys/stat.h>
#include "utils.h"
enum curl_post_type
{
CURL_POST_HTTP,
CURL_POST_SSL,
__CURL_POST_MAX
};
struct curl_post_data
{
char *input_result_data;
char *curl_post_file;
enum curl_post_type protocol_type;
};
char *curl_read_file(char *result_json_file)
{
FILE* fp=NULL;
struct stat file_info;
stat(result_json_file, &file_info);
size_t input_sz=file_info.st_size;
fp=fopen(result_json_file,"r");
if(fp==NULL)
{
return NULL;
}
char* input=(char*)malloc(input_sz);
fread(input,1,input_sz,fp);
fclose(fp);
return input;
}
int curl_post_system_cmd(char *result, size_t result_len, char *curl_post_json)
{
int line_num=0;
char command[1024] = {0};
char *cmd_str=NULL;
snprintf(command, sizeof(command), "curl -X POST -H 'Content-Type: application/json' http://127.0.0.1:9994/v1/policy/verify -d@%s", curl_post_json);
char *p=result;
char line[2048] = {0};
FILE *fp = NULL;
if((fp = popen(command, "r")) == NULL)
{
printf("popen error!\n");
return 0;
}
memset(result, 0, result_len);
while (fgets(line, sizeof(line), fp))
{
if((p - result) < (int)result_len)
{
if(line_num)
{
p += snprintf(p, result_len - (p - result), ",");
}
p += snprintf(p, result_len - (p - result), "%s", line);
}
line_num++;
}
pclose(fp);
free(cmd_str);
return 1;
}
int curl_exec_expect_result(char *result, char *input_json_file)
{
int ret=-1;
cJSON *result_json=NULL, *input_json=NULL;
cJSON_bool successful = false;
result_json = cJSON_Parse(result);
if(!result_json)
{
goto finish;
}
input_json = cJSON_Parse(input_json_file);
if(!input_json)
{
goto finish;
}
successful = cJSON_Compare(result_json, result_json, true);
if(successful)
{
ret=0;
}
finish:
cJSON_Delete(result_json);
cJSON_Delete(input_json);
return ret;
}
int call_curl_post(struct curl_post_data *post_data)
{
int ret=-1;
char result[81920]={0};
curl_post_system_cmd(result, sizeof(result), post_data->curl_post_file);
switch(post_data->protocol_type)
{
case CURL_POST_HTTP:
ret = curl_exec_expect_result(result, post_data->input_result_data);
break;
case CURL_POST_SSL:
break;
default:
break;
}
return ret;
}
static void help()
{
fprintf(stderr,
"verify_policy_test <-j| -t | -c > arg\n"
"Usage:\n"
" -j <post json data>\n"
" -t <protocol type>\n"
" -c <input json>\n");
exit(1);
}
int main(int argc, char ** argv)
{
int i=0, ret = 0;
int curl_post_type=0;
char result_json_file[256]={0};
char curl_post_file[256]={0};
if(argc < 3) {help();}
for (i = 1; i < argc; i++)
{
int lastarg = i==argc-1;
if (!strcmp(argv[i], "-j") && !lastarg)
{
strncpy(curl_post_file, argv[++i], sizeof(curl_post_file));
}
else if (!strcmp(argv[i], "-t") && !lastarg)
{
sscanf(argv[++i], "%u", &curl_post_type);
}
else if (!strcmp(argv[i], "-c") && !lastarg)
{
strncpy(result_json_file, argv[++i], sizeof(result_json_file));
}
else
{
help();
}
}
struct curl_post_data *post_data=NULL;
post_data = ALLOC(struct curl_post_data, 1);
post_data->protocol_type=(enum curl_post_type)curl_post_type;
post_data->input_result_data=curl_read_file(result_json_file);
post_data->curl_post_file=curl_post_file;
ret = call_curl_post(post_data);
return ret;
}