From 41caf21f43df13785d2e1bee814a3005abc9b43e Mon Sep 17 00:00:00 2001 From: fengweihao Date: Fri, 2 Aug 2024 10:55:58 +0800 Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8DVerify=20Policy=E4=B8=ADfqdn?= =?UTF-8?q?=20entry=E7=9A=84=E5=91=BD=E4=B8=AD=E8=B7=AF=E5=BE=84=E9=94=99?= =?UTF-8?q?=E8=AF=AF=EF=BC=8C=E5=A2=9E=E5=8A=A0Verify=20Policy=E6=B5=8B?= =?UTF-8?q?=E8=AF=95=E7=94=A8=E4=BE=8B=E4=BB=A3=E7=A0=81=E6=A1=86=E6=9E=B6?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- CMakeLists.txt | 3 +- .../{verify_policy_utils.h => utils.h} | 21 - common/include/verify_policy.h | 15 +- platform/CMakeLists.txt | 7 +- platform/src/verify_matcher.cpp | 880 ++++++++++++++++-- platform/src/verify_policy.cpp | 681 +------------- test/CMakeLists.txt | 19 + test/resource/HitPolicyRequest.json | 70 ++ test/resource/HitPolicyResult.json | 134 +++ test/resource/VerifyPolicyHit.json | 101 ++ test/verify_policy_test.cpp | 308 ++++++ test/verify_policy_tool.cpp | 185 ++++ 12 files changed, 1638 insertions(+), 786 deletions(-) rename common/include/{verify_policy_utils.h => utils.h} (70%) create mode 100644 test/CMakeLists.txt create mode 100644 test/resource/HitPolicyRequest.json create mode 100644 test/resource/HitPolicyResult.json create mode 100644 test/resource/VerifyPolicyHit.json create mode 100644 test/verify_policy_test.cpp create mode 100644 test/verify_policy_tool.cpp diff --git a/CMakeLists.txt b/CMakeLists.txt index e425d60..d929af6 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -48,9 +48,8 @@ add_custom_target("install-profile" COMMAND ${CMAKE_COMMAND} ARGS -DCOMPONENT=Pr add_custom_target("tarball" COMMAND sh ${CMAKE_SCRIPT_PATH}/tarball/tarball.sh ${TARGET_VERSION} ${TARGET_DESCRIBE}) enable_testing() -#add_subdirectory(conf) -#add_subdirectory(resource) add_subdirectory(vendor) add_subdirectory(common) add_subdirectory(platform) +add_subdirectory(test) diff --git a/common/include/verify_policy_utils.h b/common/include/utils.h similarity index 70% rename from common/include/verify_policy_utils.h rename to common/include/utils.h index 4d6966e..ece1b36 100644 --- a/common/include/verify_policy_utils.h +++ b/common/include/utils.h @@ -24,27 +24,6 @@ #define FOREVER for(;;) #endif -#ifdef SOCK_NONBLOCK -#define EVUTIL_SOCK_NONBLOCK SOCK_NONBLOCK -#else -#define EVUTIL_SOCK_NONBLOCK 0x4000000 -#endif -#ifdef SOCK_CLOEXEC -#define EVUTIL_SOCK_CLOEXEC SOCK_CLOEXEC -#else -#define EVUTIL_SOCK_CLOEXEC 0x80000000 -#endif -#ifdef EFD_NONBLOCK -#define EVUTIL_EFD_NONBLOCK EFD_NONBLOCK -#else -#define EVUTIL_EFD_NONBLOCK 0x4000 -#endif -#ifdef EFD_CLOEXEC -#define EVUTIL_EFD_CLOEXEC EFD_CLOEXEC -#else -#define EVUTIL_EFD_CLOEXEC 0x8000 -#endif - #define __rt_always_inline__ __attribute__((always_inline)) inline #define ALLOC(type, number) ((type *)calloc(sizeof(type), number)) diff --git a/common/include/verify_policy.h b/common/include/verify_policy.h index 618d9e6..13221d4 100644 --- a/common/include/verify_policy.h +++ b/common/include/verify_policy.h @@ -9,8 +9,8 @@ #define _VERIFY_POLICY_H #include -#include -#include "verify_policy_utils.h" +#include "log.h" +#include "utils.h" struct breakpad_instance; @@ -146,15 +146,8 @@ struct verify_policy_query extern struct verify_policy * g_verify_proxy; int maat_table_init(struct verify_policy * verify, const char* profile_path); -int policy_verify_regex_expression(const char *expression); -int get_ip_entry_tag_ids(cJSON *hit_library, int vsys_id, struct ipaddr *ip_addr); -int get_fqdn_entry_tag_ids(cJSON *hit_library, int vsys_id, const char *fqdn); -int http_hit_policy_list(struct verify_policy_query *verify_policy, int num, size_t hit_cnt, cJSON *data_obj, void *pme); -size_t policy_verify_scan(int vsys_id, int compile_table_id, struct request_query_obj *query_obj, void *pme); -void policy_scan_ctx_free(void * pme); +cJSON *get_library_search_query(const char *data, ssize_t data_len); +cJSON *get_verify_policy_query(const char *data, ssize_t data_len, int thread_id); void verify_reload_loglevel(); -void verify_policy_tunnle_add(void * pme); -void http_get_scan_status(struct request_query_obj *query_obj, int type, cJSON *attributes, cJSON *data_obj, void *pme); -void *policy_scan_ctx_new(unsigned int thread_id, int vsys_id, int compile_table_id); #endif diff --git a/platform/CMakeLists.txt b/platform/CMakeLists.txt index 76c1920..30a8a9b 100644 --- a/platform/CMakeLists.txt +++ b/platform/CMakeLists.txt @@ -7,10 +7,5 @@ add_executable(verify-policy src/verify_policy.cpp src/verify_matcher.cpp) #target_include_directories(verify-policy PUBLIC ${CMAKE_CURRENT_LIST_DIR}/include) target_link_libraries(verify-policy common cjson maatframe) -target_link_libraries(verify-policy pthread dl - libevent-static - MESA_prof_load - breakpad-client-static - cjson - ${SYSTEMD_LIBRARIES}) +target_link_libraries(verify-policy pthread dl libevent-static MESA_prof_load breakpad-client-static cjson ${SYSTEMD_LIBRARIES}) diff --git a/platform/src/verify_matcher.cpp b/platform/src/verify_matcher.cpp index 6cc3461..3c8ba07 100644 --- a/platform/src/verify_matcher.cpp +++ b/platform/src/verify_matcher.cpp @@ -10,6 +10,9 @@ #include #include #include +#include +#include +#include #include #include @@ -17,8 +20,8 @@ #include +#include "utils.h" #include "verify_policy.h" -#include "verify_policy_utils.h" #define MAX_EX_DATA_LEN 16 #define HIT_PATH_SIZE 4096 @@ -147,8 +150,8 @@ struct library_entry_ctx int ref_cnt; int entry_id; int n_tag_ids; - long long tag_id_array[MAX_TAG_ID_NUM]; char *tag_ids; + long long tag_id_array[MAX_TAG_ID_NUM]; pthread_mutex_t lock; }; @@ -157,45 +160,42 @@ struct library_tag_ctx { int ref_cnt; int tag_id; - char tag_key[VERIFY_SYMBOL_MAX]; - char tag_value[VERIFY_ARRAY_MAX]; + char *tag_key; + char *tag_value; enum category_type category; enum statistics_option_type option_type; + pthread_mutex_t lock; }; -struct policy_scan_ctx -{ - int thread_id; - enum policy_action action; - char * action_para; - struct maat_state *scan_mid; - size_t hit_cnt; - long long result[MAX_SCAN_RESULT]; - struct rule_data_ctx *hit_rules; - - size_t n_enforce; - struct rule_data_ctx * enforce_rules; - int n_read; - struct maat_hit_path hit_path[HIT_PATH_SIZE]; - - int ip_protocol_num; - int tunnel_endpoint_x; - int bool_id_array_idx; - unsigned long long bool_id_array[256]; - - struct ip_data_ctx ip_ctx; - - /*exception handling*/ - int tunnel_scan; - long long tunnel_result[2]; - struct maat_state *tunnel_scan_mid; +struct policy_scan_ctx +{ + int thread_id; + int ip_protocol_num; + int tunnel_endpoint_x; + int bool_id_array_idx; + int tunnel_scan; + int n_read; + enum policy_action action; + + char *action_para; + struct maat_state *scan_mid; + struct maat_state *tunnel_scan_mid; + struct rule_data_ctx *hit_rules; + struct rule_data_ctx *enforce_rules; + + size_t hit_cnt; + size_t n_enforce; + long long result[MAX_SCAN_RESULT]; + long long tunnel_result[2]; + unsigned long long bool_id_array[256]; + + struct ip_data_ctx ip_ctx; + struct maat_hit_path hit_path[HIT_PATH_SIZE]; }; struct verify_policy_rt { - struct maat *feather[VSYS_ID_MAX]; - struct log_handle *local_logger; int log_level; int thread_num; int load_ip_location; @@ -205,6 +205,8 @@ struct verify_policy_rt int plugin_table_id[__SCAN_POLICY_MAX]; int profile_table_id [PROFILE_TABLE_MAX]; int scan_table_id[__TSG_OBJ_MAX]; + struct maat *feather[VSYS_ID_MAX]; + struct log_handle *local_logger; }; struct verify_policy_rt * g_policy_rt; @@ -568,7 +570,7 @@ int get_tag_id_array(char *tag_ids, long long *tag_id_array) int n_tag_ids=0; char *tag_ids_tmp = ALLOC(char, strlen(tag_ids)+1); - strncpy(tag_ids_tmp, tag_ids, strlen(tag_ids)); + strcpy(tag_ids_tmp, tag_ids); char *tag_ids_str=strtok(tag_ids_tmp, ","); while(tag_ids_str!=NULL && n_tag_ids < MAX_TAG_ID_NUM) @@ -580,7 +582,7 @@ int get_tag_id_array(char *tag_ids, long long *tag_id_array) return n_tag_ids; } -void library_entry_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp) +void fqdn_entry_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp) { int ret=0; size_t offset=0, len=0; @@ -610,6 +612,37 @@ void library_entry_new_cb(const char *table_name, int table_id, const char* key, return; } +void ip_addr_entry_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp) +{ + int ret=0; + size_t offset=0, len=0; + char *entry_id_str=NULL; + struct library_entry_ctx *entry_ctx=ALLOC(struct library_entry_ctx, 1); + + ret = maat_helper_read_column(table_line, 1, &offset, &len); + if(ret >= 0) + { + entry_id_str=ALLOC(char, len+1); + memcpy(entry_id_str, table_line+offset, len); + entry_ctx->entry_id=atoi(entry_id_str); + FREE(&entry_id_str); + } + + ret = maat_helper_read_column(table_line, 2, &offset, &len); + if(ret >= 0) + { + entry_ctx->tag_ids=ALLOC(char, len+1); + memcpy(entry_ctx->tag_ids, table_line+offset, len); + } + entry_ctx->n_tag_ids = get_tag_id_array(entry_ctx->tag_ids, entry_ctx->tag_id_array); + + entry_ctx->ref_cnt=1; + pthread_mutex_init(&(entry_ctx->lock), NULL); + *ad=entry_ctx; + return; +} + + void library_entry_free_cb(int table_id, void **ad, long argl, void* argp) { if(*ad==NULL) @@ -677,22 +710,51 @@ int get_category_type_str2idx(const char *category) void library_tag_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp) { - int ret=0,is_valid=0; + int ret=0; + size_t offset=0, len=0; char statistics_option[VERIFY_ARRAY_MAX]={0}; char category[VERIFY_ARRAY_MAX]={0}; struct library_tag_ctx *tag_ctx = ALLOC(struct library_tag_ctx, 1); - ret=sscanf(table_line, "%d\t%s\t%s\t%s\t%s\t%d",&tag_ctx->tag_id, statistics_option, category, tag_ctx->tag_key, tag_ctx->tag_value, &is_valid); - if(ret!=6) + ret = maat_helper_read_column(table_line, 1, &offset, &len); + if(ret >= 0) { - FREE(&tag_ctx); - log_fatal(g_verify_proxy->logger, MODULE_VERIFY_MATCHER, "Parse library tag failed, ret: %d table_id: %d table_line: %s", ret, table_id, table_line); - return; + char *tag_id_str=ALLOC(char, len+1); + memcpy(tag_id_str, table_line+offset, len); + tag_ctx->tag_id=atoi(tag_id_str); + FREE(&tag_id_str); } + + ret = maat_helper_read_column(table_line, 2, &offset, &len); + if(ret >= 0) + { + memcpy(statistics_option, table_line+offset, len); + tag_ctx->option_type=(enum statistics_option_type)get_statistics_option_type_str2idx(statistics_option); + } + + ret = maat_helper_read_column(table_line, 3, &offset, &len); + if(ret >= 0) + { + memcpy(category, table_line+offset, len); + tag_ctx->category=(enum category_type)get_category_type_str2idx(category); + } + + ret = maat_helper_read_column(table_line, 4, &offset, &len); + if(ret >= 0) + { + tag_ctx->tag_key=ALLOC(char, len+1); + memcpy(tag_ctx->tag_key, table_line+offset, len); + } + + ret = maat_helper_read_column(table_line, 5, &offset, &len); + if(ret >= 0) + { + tag_ctx->tag_value=ALLOC(char, len+1); + memcpy(tag_ctx->tag_value, table_line+offset, len); + } + tag_ctx->ref_cnt=1; - tag_ctx->option_type=(enum statistics_option_type)get_statistics_option_type_str2idx(statistics_option); - tag_ctx->category=(enum category_type)get_category_type_str2idx(category); pthread_mutex_init(&(tag_ctx->lock), NULL); *ad=tag_ctx; @@ -717,6 +779,15 @@ void library_tag_free_cb(int table_id, void **ad, long argl, void* argp) pthread_mutex_unlock(&(tag_ctx->lock)); pthread_mutex_destroy(&(tag_ctx->lock)); + if(tag_ctx->tag_key) + { + FREE(&tag_ctx->tag_key); + } + if(tag_ctx->tag_value) + { + FREE(&tag_ctx->tag_value); + } + FREE(&tag_ctx); *ad=NULL; return; @@ -932,24 +1003,14 @@ static inline int request_in_fqdn_cat(int table_id) } } -void http_add_ip_entry_to_hit_paths(cJSON *hitPaths, cJSON *attributeObj, struct ip_data_ctx *ip_ctx) +void http_add_ip_entry_to_hit_paths(cJSON *hitPaths, int table_id, struct ip_data_ctx *ip_ctx) { int i=0; cJSON *histObj=NULL; - cJSON *item=NULL; - char *attri_name=NULL; - item = cJSON_GetObjectItem(attributeObj, "attribute_type"); - if(item == NULL || item->type!=cJSON_String || strcasecmp(item->valuestring, "ip") != 0) + switch (table_id) { - return; - } - item = cJSON_GetObjectItem(attributeObj, "attribute_name"); - if(item && item->type==cJSON_String) - { - attri_name = item->valuestring; - if(strcasecmp(attri_name, "source") == 0) - { + case TSG_OBJ_SOURCE_ADDR: for(i=0; i < ip_ctx->source_entry.entry_num; i++) { histObj=cJSON_CreateObject(); @@ -957,9 +1018,8 @@ void http_add_ip_entry_to_hit_paths(cJSON *hitPaths, cJSON *attributeObj, struct cJSON_AddNumberToObject(histObj, "entry_id", ip_ctx->source_entry.entry_id[i]); cJSON_AddNumberToObject(histObj, "tag_id", ip_ctx->source_entry.tag_id[i]); } - } - if(strcasecmp(attri_name, "internal") == 0) - { + break; + case TSG_OBJ_INTERNAL_ADDR: for(i=0; i < ip_ctx->internal_entry.entry_num; i++) { histObj=cJSON_CreateObject(); @@ -967,9 +1027,8 @@ void http_add_ip_entry_to_hit_paths(cJSON *hitPaths, cJSON *attributeObj, struct cJSON_AddNumberToObject(histObj, "entry_id", ip_ctx->internal_entry.entry_id[i]); cJSON_AddNumberToObject(histObj, "tag_id", ip_ctx->internal_entry.tag_id[i]); } - } - if(strcasecmp(attri_name, "destination") == 0) - { + break; + case TSG_OBJ_DESTINATION_ADDR: for(i=0; i < ip_ctx->destination_entry.entry_num; i++) { histObj=cJSON_CreateObject(); @@ -977,9 +1036,8 @@ void http_add_ip_entry_to_hit_paths(cJSON *hitPaths, cJSON *attributeObj, struct cJSON_AddNumberToObject(histObj, "entry_id", ip_ctx->destination_entry.entry_id[i]); cJSON_AddNumberToObject(histObj, "tag_id", ip_ctx->destination_entry.tag_id[i]); } - } - if(strcasecmp(attri_name, "external") == 0) - { + break; + case TSG_OBJ_EXTERNAL_ADDR: for(i=0; i < ip_ctx->external_entry.entry_num; i++) { histObj=cJSON_CreateObject(); @@ -987,8 +1045,10 @@ void http_add_ip_entry_to_hit_paths(cJSON *hitPaths, cJSON *attributeObj, struct cJSON_AddNumberToObject(histObj, "entry_id", ip_ctx->external_entry.entry_id[i]); cJSON_AddNumberToObject(histObj, "tag_id", ip_ctx->external_entry.tag_id[i]); } - } - } + break; + default: + break; + } return; } @@ -1093,14 +1153,20 @@ void http_get_scan_status(struct request_query_obj *query_obj, int compile_table { cJSON_DeleteItemFromObject(attributeObj, "attribute_name"); cJSON_AddStringToObject(attributeObj, "attribute_name", "tunnel_endpoint_object"); - cJSON_DeleteItemFromObject(attributeObj, "atrribute_value"); + cJSON_DeleteItemFromObject(attributeObj, "attribute_value"); } cJSON_AddItemToArray(attributes, attributeObj); + /*If the request contains "hit_paths:null", it needs to be removed*/ + hitPaths = cJSON_GetObjectItem(attributeObj, "hit_paths"); + if(hitPaths != NULL) + { + cJSON_DeleteItemFromObject(attributeObj, "hit_paths"); + } hitPaths=cJSON_CreateArray(); cJSON_AddItemToObject(attributeObj, "hit_paths", hitPaths); - http_add_ip_entry_to_hit_paths(hitPaths, attributeObj, &ctx->ip_ctx); + http_add_ip_entry_to_hit_paths(hitPaths, query_obj->table_id, &ctx->ip_ctx); http_add_fqdn_entry_to_hit_paths(hitPaths, query_obj->table_id, &query_obj->fqdn_entry); cJSON *histObj=NULL; @@ -1128,7 +1194,7 @@ void http_get_scan_status(struct request_query_obj *query_obj, int compile_table } histObj=cJSON_CreateObject(); cJSON_AddItemToArray(hitPaths, histObj); - cJSON_AddNumberToObject(histObj, "itemt_id", ctx->hit_path[i].item_id); + cJSON_AddNumberToObject(histObj, "item_id", ctx->hit_path[i].item_id); if (ctx->hit_path[i].top_group_id < 0) { ctx->hit_path[i].top_group_id = ctx->hit_path[i].sub_group_id; @@ -1190,6 +1256,20 @@ int get_attributes_table_name(struct request_query_obj *request, struct ip_data_ goto finish; } } + + /*set fqdn entry table name*/ + for(i = 0; ifeather[vsys_id], g_policy_rt->profile_table_id[PROFILE_FQDN_ENTRY], fqdn, (void **)entry_ctx, 8); - for(int i=0; i < ret && i < 8; i++) + log_info(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "[I] fqdn=%s", fqdn); + + struct library_entry_ctx *entry_ctx[MAX_EX_DATA_LEN]={0}; + ret=maat_fqdn_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[PROFILE_FQDN_ENTRY], fqdn, (void **)entry_ctx, MAX_EX_DATA_LEN); + for(int i=0; i < ret && i < MAX_EX_DATA_LEN; i++) { fqdn_entry_item=cJSON_CreateObject(); cJSON_AddNumberToObject(fqdn_entry_item, "entry_id", entry_ctx[i]->entry_id); @@ -1377,9 +1459,9 @@ int get_ip_entry_tag_ids(cJSON *hit_library, int vsys_id, struct ipaddr *ip_addr struct ip_addr dest_ip, source_ip; ip_addr_to_address(ip_addr, &dest_ip, &source_ip); - struct library_entry_ctx *entry_ctx[8]={0}; - ret = maat_ip_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[PROFILE_IP_ADDR_ENTRY], &source_ip, (void **)&entry_ctx, 8); - for(int i=0; i < ret && i < 8; i++) + struct library_entry_ctx *entry_ctx[MAX_EX_DATA_LEN]={0}; + ret = maat_ip_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[PROFILE_IP_ADDR_ENTRY], &source_ip, (void **)&entry_ctx, MAX_EX_DATA_LEN); + for(int i=0; i < ret && i < MAX_EX_DATA_LEN; i++) { ip_entry_item=cJSON_CreateObject(); cJSON_AddNumberToObject(ip_entry_item, "entry_id", entry_ctx[i]->entry_id); @@ -2123,6 +2205,650 @@ decide: return hit_cnt; } +int http_get_int_param(cJSON* http_request, const char *key) +{ + int vsys_id=-1; + + cJSON *item = cJSON_GetObjectItem(http_request, key); + if(item && item->type==cJSON_Number) + { + vsys_id = item->valueint; + } + return vsys_id; +} + +char *http_get_string_param(cJSON* http_request, const char *key) +{ + char *param=NULL; + + cJSON *item = cJSON_GetObjectItem(http_request, key); + if(item && item->type==cJSON_String) + { + param = item->valuestring; + } + return param; +} + +int get_ip_type(const char *ip) +{ + struct sockaddr_in sa; + struct sockaddr_in6 sa6; + int addr_type = 0; + + if (inet_pton(AF_INET, ip, &(sa.sin_addr)) > 0) + { + addr_type = 4; + } + else if (inet_pton(AF_INET6, ip, &(sa6.sin6_addr)) > 0) + { + addr_type = 6; + } + return addr_type; +} + +struct ipaddr *ip_to_stream_addr(const char *clientIp1, unsigned int clientPort1, const char *serverIp1, unsigned int serverPort1, int addr_type, char *buff, int *protocol) +{ + struct ipaddr *ip_addr = ALLOC(struct ipaddr, 1); + if(addr_type == 4) + { + struct stream_tuple4_v4 *v4_addr = ALLOC(struct stream_tuple4_v4, 1); + ip_addr->addrtype=ADDR_TYPE_IPV4; + inet_pton(AF_INET,clientIp1,&(v4_addr->saddr)); + v4_addr->source=clientPort1; + inet_pton(AF_INET,serverIp1,&(v4_addr->daddr)); + v4_addr->dest=serverPort1; + ip_addr->v4=v4_addr; + } + if(addr_type == 6) + { + struct stream_tuple4_v6 *v6_addr = ALLOC(struct stream_tuple4_v6, 1); + ip_addr->addrtype=ADDR_TYPE_IPV6; + inet_pton(AF_INET6,clientIp1,&(v6_addr->saddr)); + v6_addr->source=clientPort1; + inet_pton(AF_INET6,serverIp1,&(v6_addr->daddr)); + v6_addr->dest=serverPort1; + ip_addr->v6=v6_addr; + } + if(buff != NULL) + { + log_info(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "[I] %s, clientIp1=%s, clientPort1=%d, serverIp=%s, serverPort=%d, addr_type=%d, protocol=%d", buff, + clientIp1, clientPort1, serverIp1, serverPort1, addr_type, *protocol); + } + else + { + log_info(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "[I] Ip=%s, Port=%d, addr_type=%d", clientIp1, clientPort1, addr_type); + } + return ip_addr; +} + +void ipaddr_free(struct ipaddr *ip_addr) +{ + if(ip_addr==NULL) + { + return; + } + if(ip_addr->addrtype==ADDR_TYPE_IPV4) + { + free(ip_addr->v4); + } + + if(ip_addr->addrtype==ADDR_TYPE_IPV6) + { + free(ip_addr->v6); + } + free(ip_addr); +} + +cJSON *get_library_search_query(const char *data, ssize_t data_len) +{ + int hit_library_cnt=0; + + cJSON* http_request = cJSON_Parse(data); + if(http_request == NULL) + { + log_fatal(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "Failed to parse the request data."); + return NULL; + } + + cJSON *http_respone=cJSON_CreateObject(); + cJSON_AddNumberToObject(http_respone, "code", 200); + cJSON_AddStringToObject(http_respone, "msg", "Success"); + + cJSON *http_body = cJSON_CreateObject(); + cJSON_AddItemToObject(http_respone, "data", http_body); + + cJSON *hit_library=cJSON_CreateArray(); + cJSON_AddItemToObject(http_body, "hit_library", hit_library); + + int vsys_id = http_get_int_param(http_request, "vsys_id"); + if(vsys_id < 0) + { + log_fatal(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "invalid vsys_id"); + return NULL; + } + + char *ip = http_get_string_param(http_request, "ip"); + if(ip) + { + struct ipaddr *ip_addr = ip_to_stream_addr(ip, 0, "0.0.0.0", 0, get_ip_type(ip), NULL, 0); + hit_library_cnt=get_ip_entry_tag_ids(hit_library, vsys_id, ip_addr); + ipaddr_free(ip_addr); + } + + char *fqdn = http_get_string_param(http_request, "fqdn"); + if(fqdn) + { + hit_library_cnt=get_fqdn_entry_tag_ids(hit_library, vsys_id, fqdn); + } + + if (hit_library_cnt >= 0) + { + cJSON_AddBoolToObject(http_respone, "success", true); + } + else + { + cJSON_AddBoolToObject(http_respone, "success", false); + } + return http_respone; +} + +int tsg_policy_type_str2idx(const char *action_str) +{ + const char * policy_name[__SCAN_POLICY_MAX]; + policy_name[TSG_TABLE_SECURITY] = "security"; + policy_name[PXY_TABLE_MANIPULATION] = "pxy_manipulation"; + policy_name[TSG_TRAFFIC_SHAPING] = "traffic_shaping"; + policy_name[TSG_SERVICE_CHAINGNG] = "service_chaining"; + policy_name[PXY_TABLE_INTERCEPT] = "pxy_intercept"; + policy_name[TSG_STATISTICS] = "statistics"; + policy_name[TSG_MONITOR] = "monitor"; + policy_name[DOS_PROTECTION] = "dos_protection"; + policy_name[PXY_TABLE_DEFENCE] = "active_defence"; + + size_t i = 0; + + for (i = 0; i < sizeof(policy_name) / sizeof(const char *); i++) + { + if (0 == strcasecmp(action_str, policy_name[i])) + break; + } + log_info(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "[I] policyType= %s", action_str); + return i; +} + +int protoco_field_type_str2idx(const char *action_str, char *buff, char **p) +{ + const char * table_name[__TSG_OBJ_MAX] ={0}; + + table_name[TSG_OBJ_SOURCE_ADDR] = "ATTR_SOURCE_IP"; + table_name[TSG_OBJ_DESTINATION_ADDR]="ATTR_DESTINATION_IP"; + table_name[TSG_OBJ_SUBSCRIBE_ID] = "ATTR_SUBSCRIBER_ID"; + table_name[TSG_OBJ_APP_ID] = "ATTR_APP_ID"; + table_name[TSG_OBJ_HTTP_URL] = "ATTR_HTTP_URL"; + table_name[TSG_OBJ_HTTP_REQ_HDR] = "ATTR_HTTP_REQ_HDR"; + table_name[TSG_OBJ_HTTP_REQ_BODY] = "ATTR_HTTP_REQ_BODY"; + table_name[TSG_OBJ_HTTP_RES_HDR] = "ATTR_HTTP_RES_HDR"; + table_name[TSG_OBJ_HTTP_RES_BODY] = "ATTR_HTTP_RES_BODY"; + table_name[TSG_OBJ_SSL_CN] = "ATTR_SSL_CN"; + table_name[TSG_OBJ_SSL_SAN] = "ATTR_SSL_SAN"; + table_name[TSG_OBJ_DOH_QNAME]="ATTR_DOH_QNAME"; + table_name[TSG_OBJ_DNS_QNAME] = "ATTR_DNS_QNAME"; + table_name[TSG_OBJ_MAIL_ACCOUNT] = "ATTR_MAIL_ACCOUNT"; + table_name[TSG_OBJ_MAIL_FROM] = "ATTR_MAIL_FROM"; + table_name[TSG_OBJ_MAIL_TO] = "ATTR_MAIL_TO"; + table_name[TSG_OBJ_MAIL_SUBJECT] = "ATTR_MAIL_SUBJECT"; + table_name[TSG_OBJ_MAIL_CONTENT] = "ATTR_MAIL_CONTENT"; + table_name[TSG_OBJ_MAIL_ATT_NAME] = "ATTR_MAIL_ATT_NAME"; + table_name[TSG_OBJ_MAIL_ATT_CONTENT] = "ATTR_MAIL_ATT_CONTENT"; + table_name[TSG_OBJ_FTP_URI] = "ATTR_FTP_URI"; + table_name[TSG_OBJ_FTP_CONTENT] = "ATTR_FTP_CONTENT"; + table_name[TSG_OBJ_FTP_ACCOUNT] = "ATTR_FTP_ACCOUNT"; + table_name[TSG_OBJ_SIP_FROM]="ATTR_SIP_ORIGINATOR_DESCRIPTION"; + table_name[TSG_OBJ_SIP_TO]="ATTR_SIP_RESPONDER_DESCRIPTION"; + table_name[TSG_OBJ_IMSI]="ATTR_GTP_IMSI"; + table_name[TSG_OBJ_PHONE_NUMBER]="ATTR_GTP_PHONE_NUMBER"; + table_name[TSG_OBJ_APN]="ATTR_GTP_APN"; + table_name[TSG_OBJ_TUNNEL]="ATTR_TUNNEL", + table_name[TSG_OBJ_FLAG]="ATTR_FLAG"; + table_name[TSG_OBJ_GTP_IMEI]="ATTR_GTP_IMEI"; + table_name[TSG_OBJ_DST_SERVER_FQDN]="ATTR_SERVER_FQDN"; + table_name[TSG_OBJ_INTERNAL_ADDR]="ATTR_INTERNAL_IP"; + table_name[TSG_OBJ_EXTERNAL_ADDR]="ATTR_EXTERNAL_IP"; + table_name[TSG_OBJ_SOURCE_PORT]="ATTR_SOURCE_PORT"; + table_name[TSG_OBJ_DESTINATION_PORT]="ATTR_DESTINATION_PORT"; + table_name[TSG_OBJ_INTERNAL_PORT]="ATTR_INTERNAL_PORT"; + table_name[TSG_OBJ_EXTERNAL_PORT]="ATTR_EXTERNAL_PORT"; + table_name[TSG_OBJ_IP_PROTOCOL]="ATTR_IP_PROTOCOL"; + table_name[TSG_OBJ_SSL_ECH]="ATTR_SSL_ECH"; + table_name[TSG_OBJ_SSL_ESNI]="ATTR_SSL_ESNI"; + table_name[TSG_OBJ_SSL_NO_SNI]="ATTR_SSL_NO_SNI"; + table_name[TSG_OBJ_TUNNEL_LEVEL]="ATTR_TUNNEL_LEVEL"; + table_name[TSG_OBJ_TUNNEL_GTP_ENDPOINT]="ATTR_TUNNEL_GTP_ENDPOINT"; + table_name[TSG_OBJ_TUNNEL_GRE_ENDPOINT]="ATTR_TUNNEL_GRE_ENDPOINT"; + table_name[TSG_OBJ_TUNNEL_IP_IN_IP_ENDPOINT]="ATTR_TUNNEL_IP_IN_IP_ENDPOINT"; + + size_t i = 0; + for (i = 0; i < __TSG_OBJ_MAX; i++) + { + if (0 == strcasecmp(action_str, table_name[i])) + break; + } + *p += snprintf(*p, sizeof(buff) - (*p - buff), ", protocolField=%s,%d",action_str, (int)i); + + return i; +} + +int match_ip_attribute_name(char *attri_name) +{ + size_t i = 0; + const char *attribute_name_map[] ={"source", "destination", "tunnel_endpointa", "tunnel_endpointb", "internal", "external"}; + for(i = 0; i < sizeof(attribute_name_map)/sizeof(attribute_name_map[0]); i++) + { + if(0 == strcasecmp(attri_name, attribute_name_map[i])) + { + return i; + } + } + return -1; +} + +struct ipaddr *tunnel_to_stream_addr(const char *Ip, int addr_type) +{ + struct ipaddr *ip_addr = ALLOC(struct ipaddr, 1); + if(addr_type == 4) + { + struct stream_tuple4_v4 *v4_addr = ALLOC(struct stream_tuple4_v4, 1); + ip_addr->addrtype=ADDR_TYPE_IPV4; + inet_pton(AF_INET,Ip,&(v4_addr->saddr)); + ip_addr->v4=v4_addr; + } + if(addr_type == 6) + { + struct stream_tuple4_v6 *v6_addr = ALLOC(struct stream_tuple4_v6, 1); + ip_addr->addrtype=ADDR_TYPE_IPV6; + inet_pton(AF_INET6,Ip,&(v6_addr->saddr)); + ip_addr->v6=v6_addr; + } + log_debug(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "[I] attribute_name = ip, clientIp1=%s, addr_type = %d", Ip, addr_type); + + return ip_addr; +} + +static struct ipaddr * get_ip_from_json(cJSON *attributeValue, const char *attributeName, int *protocol, char *buff) +{ + cJSON* item = NULL; + int addr_type=0; + const char *Ip=NULL; + unsigned int Port=0; + + if(attributeName==NULL) + { + log_fatal(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "The attribute_type is of type iP, but the attribute_name is empty, resulting in IP type parsing failure."); + return NULL; + } + + item = cJSON_GetObjectItem(attributeValue,"ip"); + if(item && item->type==cJSON_String) Ip = item->valuestring; + item = cJSON_GetObjectItem(attributeValue,"port"); + if(item && item->type==cJSON_String) Port =atoi(item->valuestring); + item = cJSON_GetObjectItem(attributeValue,"protocol"); + if(item && item->type==cJSON_Number) *protocol = item->valueint; + item=cJSON_GetObjectItem(attributeValue,"addr_type"); + if(item && item->type==cJSON_Number) addr_type = item->valueint; + + if(strcasecmp(attributeName, "ip_protocol") == 0) + { + log_info(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "[I] %s, protocol=%d", buff, *protocol); + return NULL; + } + + struct ipaddr *ip_addr = NULL; + if(strcasecmp(attributeName, "source") == 0 || strcasecmp(attributeName, "internal") == 0 || + strcasecmp(attributeName, "tunnel_endpointa") == 0 || strcasecmp(attributeName, "tunnel_endpointb") == 0) + { + ip_addr = ip_to_stream_addr(Ip, Port, "0.0.0.0", 0, addr_type, buff, protocol); + } + + if(strcasecmp(attributeName, "destination") == 0 || strcasecmp(attributeName, "external") == 0) + { + ip_addr = ip_to_stream_addr("0.0.0.0", 0, Ip, Port, addr_type, buff, protocol); + } + return ip_addr; +} + +static char* get_port_from_json(cJSON *attributeValue, int *protocol, char *buff) +{ + cJSON* item = NULL; + char *string=NULL; + + item = cJSON_GetObjectItem(attributeValue,"port"); + if(item && item->type==cJSON_String) + { + string = item->valuestring; + } + item = cJSON_GetObjectItem(attributeValue,"protocol"); + if(item && item->type==cJSON_Number) + { + *protocol = item->valueint; + } + log_info(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "[I] %s, port=%s, protocol=%d", buff, string, *protocol); + + return string; +} + +static inline int match_attributeType_in_numeric(const char *attribute_type, int table_id) +{ + if(0 == strcasecmp(attribute_type, "numeric") || 0 == strcasecmp(attribute_type, "flag") || + 0 == strcasecmp(attribute_type, "boolean") || table_id == TSG_OBJ_IP_PROTOCOL) + { + return 1; + } + else + { + return 0; + } +} + +static int get_attribute_from_json(int curr_id, cJSON* subchild, struct verify_policy_query *policy_query) +{ + int xret = -1; + const char *attribute_type=NULL; + char buff[VERIFY_STRING_MAX*2], *p = NULL; + cJSON* item = NULL, *attributeValue=NULL, *tunnelType_item=NULL; + + p = buff; + item = cJSON_GetObjectItem(subchild, "attribute_type"); + if(item && item->type==cJSON_String) + { + attribute_type = item->valuestring; + p += snprintf(p, sizeof(buff) - (p - buff), "attribute_type = %s", attribute_type); + } + + item = cJSON_GetObjectItem(subchild, "attribute_name"); + if(item && item->type==cJSON_String) + { + policy_query->request_object[curr_id].attri_name = item->valuestring; + p += snprintf(p, sizeof(buff) - (p - buff), ", attribute_name = %s",policy_query->request_object[curr_id].attri_name); + } + policy_query->request_object[curr_id].attributes=cJSON_Duplicate(subchild, 1); + + item = cJSON_GetObjectItem(subchild, "table_name"); + if(item && item->type==cJSON_String) + { + policy_query->request_object[curr_id].table_id = protoco_field_type_str2idx(item->valuestring, buff, &p); + if(policy_query->request_object[curr_id].table_id == __TSG_OBJ_MAX) + { + log_fatal(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "Get table id failed form table name:%s", item->valuestring); + return xret; + } + } + + attributeValue = cJSON_GetObjectItem(subchild, "attribute_value"); + if(attributeValue == NULL || attributeValue->type!=cJSON_Object) + { + goto finish; + } + + tunnelType_item = cJSON_GetObjectItem(attributeValue,"tunnel_type"); + if(tunnelType_item && tunnelType_item->type==cJSON_String) + { + policy_query->request_object[curr_id].tunnel_type=tunnelType_item->valuestring; + p += snprintf(p, sizeof(buff) - (p - buff), ", tunnel_type=%s",policy_query->request_object[curr_id].tunnel_type); + } + + if(0 == strcasecmp(attribute_type, "ip")) + { + policy_query->request_object[curr_id].ip_addr = get_ip_from_json(attributeValue, policy_query->request_object[curr_id].attri_name, &(policy_query->request_object[curr_id].numeric), buff); + goto end; + } + if(0 == strcasecmp(attribute_type, "port")) + { + policy_query->request_object[curr_id].string = get_port_from_json(attributeValue, &(policy_query->request_object[curr_id].numeric), buff); + goto end; + } + + item = cJSON_GetObjectItem(attributeValue,"district"); + if(item!=NULL) + { + policy_query->request_object[curr_id].district = item->valuestring; + p += snprintf(p, sizeof(buff) - (p - buff), ", district = %s",policy_query->request_object[curr_id].district); + } + + if(match_attributeType_in_numeric(attribute_type, policy_query->request_object[curr_id].table_id)) + { + item = cJSON_GetObjectItem(attributeValue, "numeric"); + if(item && item->type==cJSON_Number) + { + policy_query->request_object[curr_id].numeric = item->valueint; + p += snprintf(p, sizeof(buff) - (p - buff), ", content = %d", policy_query->request_object[curr_id].numeric); + } + } + else + { + item = cJSON_GetObjectItem(attributeValue, "string"); + if(item!=NULL) + { + policy_query->request_object[curr_id].string = item->valuestring; + p += snprintf(p, sizeof(buff) - (p - buff), ", content = %s",policy_query->request_object[curr_id].string); + } + } + log_info(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "[I] %s", buff); + memset(buff, 0, VERIFY_STRING_MAX*2); +end: + xret = 1; +finish: + return xret; +} + +enum verify_type get_verify_type(cJSON* http_respone) +{ + cJSON *item = NULL; + enum verify_type type = VERIFY_TYPE_POLICY; + + item = cJSON_GetObjectItem(http_respone,"verify_type"); + if(item && item->type==cJSON_String) + { + if(0 == strcasecmp(item->valuestring, "policy")) + { + type = VERIFY_TYPE_POLICY; + } + + if(0 == strcasecmp(item->valuestring, "regex")) + { + type = VERIFY_TYPE_REGEX; + } + log_info(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "[I] verify_type= %s", item->valuestring); + } + return type; +} + +static int get_query_result_regex(cJSON *verifylist_array_item, cJSON *http_body) +{ + int cur_id=0, i=0, is_valid[32]={0}; + cJSON *regexstr_obj[32],*attributes=NULL; + cJSON *item = NULL, *subchild = NULL; + + attributes = cJSON_GetObjectItem(verifylist_array_item, "verify_regex"); + if(attributes==NULL || attributes->type != cJSON_Array) + { + return -1; + } + + for (subchild = attributes->child; subchild != NULL; subchild = subchild->next) + { + item = cJSON_GetObjectItem(subchild, "regex_str"); + if(item && item->type==cJSON_String) + { + is_valid[cur_id] = policy_verify_regex_expression(item->valuestring); + } + regexstr_obj[cur_id]=cJSON_Duplicate(item, 1); + cur_id++; + } + + cJSON *verify_regex_obj=NULL; + + cJSON *verifyRegex=cJSON_CreateArray(); + cJSON_AddItemToObject(http_body, "verify_regex", verifyRegex); + for (i = 0; i < cur_id; i++) + { + verify_regex_obj=cJSON_CreateObject(); + cJSON_AddItemToObject(verify_regex_obj, "regex_str", regexstr_obj[i]); + cJSON_AddNumberToObject(verify_regex_obj, "is_valid", is_valid[i]); + cJSON_AddItemToArray(verifyRegex, verify_regex_obj); + } + return 1; +} + +static void get_count_form_attributeName(void *ctx, cJSON *subchild) +{ + cJSON *item = NULL; + + item = cJSON_GetObjectItem(subchild, "attribute_name"); + if(item && item->type==cJSON_String) + { + if(0 == strcasecmp(item->valuestring, "tunnel_endpointa")) + { + verify_policy_tunnle_add(ctx); + } + if(0 == strcasecmp(item->valuestring, "tunnel_endpointb")) + { + verify_policy_tunnle_add(ctx); + } + } + return; +} + +int get_query_result_policy(cJSON *verifylist_array_item, cJSON *http_body, int thread_id) +{ + int attribute_num = 0; + int hit_cnt = 0, xret =0; + cJSON *item = NULL, *subchild = NULL, *attributes=NULL; + struct verify_policy_query *verify_policy = NULL; + + verify_policy = ALLOC(struct verify_policy_query, 1); + item = cJSON_GetObjectItem(verifylist_array_item,"type"); + if(item && item->type==cJSON_String) + { + verify_policy->compile_table_id = tsg_policy_type_str2idx(item->valuestring); + if (verify_policy->compile_table_id >= __SCAN_POLICY_MAX) + { + log_fatal(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "policy type error, policy id = %d", verify_policy->compile_table_id); + goto free; + } + } + + item = cJSON_GetObjectItem(verifylist_array_item, "vsys_id"); + if(item && item->type==cJSON_Number) + { + verify_policy->vsys_id = item->valueint; + } + log_info(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "[I] vsys_id= %d", verify_policy->vsys_id); + + item = cJSON_GetObjectItem(verifylist_array_item,"verify_session"); + if(item == NULL || item->type!=cJSON_Object) + { + goto free; + } + + attributes = cJSON_GetObjectItem(item,"attributes"); + if(attributes && attributes->type==cJSON_Array) + { + void *ctx = policy_scan_ctx_new(thread_id, verify_policy->vsys_id, verify_policy->compile_table_id); + + for (subchild = attributes->child; subchild != NULL; subchild = subchild->next) + { + get_count_form_attributeName(ctx, subchild); + } + + for (subchild = attributes->child; subchild != NULL; subchild = subchild->next) + { + xret = get_attribute_from_json(attribute_num, subchild, verify_policy); + if (xret < 0) + { + goto free; + } + hit_cnt = policy_verify_scan(verify_policy->vsys_id, verify_policy->compile_table_id, &verify_policy->request_object[attribute_num], ctx); + if(match_ip_attribute_name(verify_policy->request_object[attribute_num].attri_name) >= 0) + { + ipaddr_free(verify_policy->request_object[attribute_num].ip_addr); + } + attribute_num++; + } + http_hit_policy_list(verify_policy, attribute_num, hit_cnt, http_body, ctx); + + int item = 0; + cJSON *verfifySession = cJSON_CreateObject(); + cJSON_AddItemToObject(http_body, "verify_session", verfifySession); + cJSON *attributes=cJSON_CreateArray(); + cJSON_AddItemToObject(verfifySession, "attributes", attributes); + for (item = 0; item < attribute_num; item++) + { + http_get_scan_status(&verify_policy->request_object[item], verify_policy->compile_table_id, attributes, http_body, ctx); + } + policy_scan_ctx_free(ctx); + } + + attribute_num=0; +free: + if (verify_policy) + { + FREE(&verify_policy); + } + + return hit_cnt; +} + +cJSON *get_verify_policy_query(const char *data, ssize_t data_len, int thread_id) +{ + int hit_cnt = 0; + + cJSON* http_request = cJSON_Parse(data); + if(http_request == NULL) + { + log_fatal(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "Failed to parse the request data."); + return NULL; + } + cJSON *http_respone=NULL, *http_body=NULL; + http_respone=cJSON_CreateObject(); + + cJSON_AddNumberToObject(http_respone, "code", 200); + cJSON_AddStringToObject(http_respone, "msg", "Success"); + + http_body = cJSON_CreateObject(); + cJSON_AddItemToObject(http_respone, "data", http_body); + + int type=get_verify_type(http_request); + cJSON *item = NULL, *subitem = NULL; + + item = cJSON_GetObjectItem(http_request,"verify_list"); + if(item && item->type==cJSON_Array) + { + for (subitem = item->child; subitem != NULL; subitem = subitem->next) + { + if(type == VERIFY_TYPE_REGEX) + { + log_info(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "[I] data= %.*s", (int)data_len, data); + hit_cnt = get_query_result_regex(subitem, http_body); + } + + if(type == VERIFY_TYPE_POLICY) + { + hit_cnt = get_query_result_policy(subitem, http_body, thread_id); + } + } + if (hit_cnt >= 0) + { + cJSON_AddBoolToObject(http_respone, "success", true); + } + else + { + cJSON_AddBoolToObject(http_respone, "success", false); + } + } + cJSON_Delete(http_request); + return http_respone; +} + static struct maat *create_maat_feather(const char * instance_name, const char * profile, const char * section, int max_thread, char *log_path, int db_index) { struct maat *target=NULL; @@ -2403,13 +3129,13 @@ int maat_table_init(struct verify_policy * verify, const char* profile_path) goto error_out; } - ret = maat_plugin_table_ex_init(PROFILE_FQDN_ENTRY, vsys_id, library_entry_new_cb, library_entry_free_cb, library_entry_dup_cb); + ret = maat_plugin_table_ex_init(PROFILE_FQDN_ENTRY, vsys_id, fqdn_entry_new_cb, library_entry_free_cb, library_entry_dup_cb); if(ret<0) { goto error_out; } - ret = maat_plugin_table_ex_init(PROFILE_IP_ADDR_ENTRY, vsys_id, library_entry_new_cb, library_entry_free_cb, library_entry_dup_cb); + ret = maat_plugin_table_ex_init(PROFILE_IP_ADDR_ENTRY, vsys_id, ip_addr_entry_new_cb, library_entry_free_cb, library_entry_dup_cb); if(ret<0) { goto error_out; diff --git a/platform/src/verify_policy.cpp b/platform/src/verify_policy.cpp index 47ba8a1..a90fd8d 100644 --- a/platform/src/verify_policy.cpp +++ b/platform/src/verify_policy.cpp @@ -30,9 +30,8 @@ #include #include -#include "verify_policy.h" #include -#include "verify_policy_utils.h" +#include "verify_policy.h" struct verify_policy * g_verify_proxy = NULL; @@ -68,671 +67,6 @@ static int load_system_conf(struct verify_policy * verify, const char *profile) return xret; } -int tsg_policy_type_str2idx(const char *action_str) -{ - const char * policy_name[__SCAN_POLICY_MAX]; - policy_name[TSG_TABLE_SECURITY] = "security"; - policy_name[PXY_TABLE_MANIPULATION] = "pxy_manipulation"; - policy_name[TSG_TRAFFIC_SHAPING] = "traffic_shaping"; - policy_name[TSG_SERVICE_CHAINGNG] = "service_chaining"; - policy_name[PXY_TABLE_INTERCEPT] = "pxy_intercept"; - policy_name[TSG_STATISTICS] = "statistics"; - policy_name[TSG_MONITOR] = "monitor"; - policy_name[DOS_PROTECTION] = "dos_protection"; - policy_name[PXY_TABLE_DEFENCE] = "active_defence"; - - size_t i = 0; - - for (i = 0; i < sizeof(policy_name) / sizeof(const char *); i++) - { - if (0 == strcasecmp(action_str, policy_name[i])) - break; - } - log_info(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "[I] policyType= %s", action_str); - return i; -} - -int protoco_field_type_str2idx(const char *action_str, char *buff, char **p) -{ - const char * table_name[__TSG_OBJ_MAX] ={0}; - - table_name[TSG_OBJ_SOURCE_ADDR] = "ATTR_SOURCE_IP"; - table_name[TSG_OBJ_DESTINATION_ADDR]="ATTR_DESTINATION_IP"; - table_name[TSG_OBJ_SUBSCRIBE_ID] = "ATTR_SUBSCRIBER_ID"; - table_name[TSG_OBJ_APP_ID] = "ATTR_APP_ID"; - table_name[TSG_OBJ_HTTP_URL] = "ATTR_HTTP_URL"; - table_name[TSG_OBJ_HTTP_REQ_HDR] = "ATTR_HTTP_REQ_HDR"; - table_name[TSG_OBJ_HTTP_REQ_BODY] = "ATTR_HTTP_REQ_BODY"; - table_name[TSG_OBJ_HTTP_RES_HDR] = "ATTR_HTTP_RES_HDR"; - table_name[TSG_OBJ_HTTP_RES_BODY] = "ATTR_HTTP_RES_BODY"; - table_name[TSG_OBJ_SSL_CN] = "ATTR_SSL_CN"; - table_name[TSG_OBJ_SSL_SAN] = "ATTR_SSL_SAN"; - table_name[TSG_OBJ_DOH_QNAME]="ATTR_DOH_QNAME"; - table_name[TSG_OBJ_DNS_QNAME] = "ATTR_DNS_QNAME"; - table_name[TSG_OBJ_MAIL_ACCOUNT] = "ATTR_MAIL_ACCOUNT"; - table_name[TSG_OBJ_MAIL_FROM] = "ATTR_MAIL_FROM"; - table_name[TSG_OBJ_MAIL_TO] = "ATTR_MAIL_TO"; - table_name[TSG_OBJ_MAIL_SUBJECT] = "ATTR_MAIL_SUBJECT"; - table_name[TSG_OBJ_MAIL_CONTENT] = "ATTR_MAIL_CONTENT"; - table_name[TSG_OBJ_MAIL_ATT_NAME] = "ATTR_MAIL_ATT_NAME"; - table_name[TSG_OBJ_MAIL_ATT_CONTENT] = "ATTR_MAIL_ATT_CONTENT"; - table_name[TSG_OBJ_FTP_URI] = "ATTR_FTP_URI"; - table_name[TSG_OBJ_FTP_CONTENT] = "ATTR_FTP_CONTENT"; - table_name[TSG_OBJ_FTP_ACCOUNT] = "ATTR_FTP_ACCOUNT"; - table_name[TSG_OBJ_SIP_FROM]="ATTR_SIP_ORIGINATOR_DESCRIPTION"; - table_name[TSG_OBJ_SIP_TO]="ATTR_SIP_RESPONDER_DESCRIPTION"; - table_name[TSG_OBJ_IMSI]="ATTR_GTP_IMSI"; - table_name[TSG_OBJ_PHONE_NUMBER]="ATTR_GTP_PHONE_NUMBER"; - table_name[TSG_OBJ_APN]="ATTR_GTP_APN"; - table_name[TSG_OBJ_TUNNEL]="ATTR_TUNNEL", - table_name[TSG_OBJ_FLAG]="ATTR_FLAG"; - table_name[TSG_OBJ_GTP_IMEI]="ATTR_GTP_IMEI"; - table_name[TSG_OBJ_DST_SERVER_FQDN]="ATTR_SERVER_FQDN"; - table_name[TSG_OBJ_INTERNAL_ADDR]="ATTR_INTERNAL_IP"; - table_name[TSG_OBJ_EXTERNAL_ADDR]="ATTR_EXTERNAL_IP"; - table_name[TSG_OBJ_SOURCE_PORT]="ATTR_SOURCE_PORT"; - table_name[TSG_OBJ_DESTINATION_PORT]="ATTR_DESTINATION_PORT"; - table_name[TSG_OBJ_INTERNAL_PORT]="ATTR_INTERNAL_PORT"; - table_name[TSG_OBJ_EXTERNAL_PORT]="ATTR_EXTERNAL_PORT"; - table_name[TSG_OBJ_IP_PROTOCOL]="ATTR_IP_PROTOCOL"; - table_name[TSG_OBJ_SSL_ECH]="ATTR_SSL_ECH"; - table_name[TSG_OBJ_SSL_ESNI]="ATTR_SSL_ESNI"; - table_name[TSG_OBJ_SSL_NO_SNI]="ATTR_SSL_NO_SNI"; - table_name[TSG_OBJ_TUNNEL_LEVEL]="ATTR_TUNNEL_LEVEL"; - table_name[TSG_OBJ_TUNNEL_GTP_ENDPOINT]="ATTR_TUNNEL_GTP_ENDPOINT"; - table_name[TSG_OBJ_TUNNEL_GRE_ENDPOINT]="ATTR_TUNNEL_GRE_ENDPOINT"; - table_name[TSG_OBJ_TUNNEL_IP_IN_IP_ENDPOINT]="ATTR_TUNNEL_IP_IN_IP_ENDPOINT"; - - size_t i = 0; - for (i = 0; i < __TSG_OBJ_MAX; i++) - { - if (0 == strcasecmp(action_str, table_name[i])) - break; - } - *p += snprintf(*p, sizeof(buff) - (*p - buff), ", protocolField=%s,%d",action_str, (int)i); - - return i; -} - -int match_ip_attribute_name(char *attri_name) -{ - size_t i = 0; - const char *attribute_name_map[] ={"source", "destination", "tunnel_endpointa", "tunnel_endpointb", "internal", "external"}; - for(i = 0; i < sizeof(attribute_name_map)/sizeof(attribute_name_map[0]); i++) - { - if(0 == strcasecmp(attri_name, attribute_name_map[i])) - { - return i; - } - } - return -1; -} - -struct ipaddr *ip_to_stream_addr(const char *clientIp1, unsigned int clientPort1, const char *serverIp1, unsigned int serverPort1, int addr_type, char *buff, int *protocol) -{ - struct ipaddr *ip_addr = ALLOC(struct ipaddr, 1); - if(addr_type == 4) - { - struct stream_tuple4_v4 *v4_addr = ALLOC(struct stream_tuple4_v4, 1); - ip_addr->addrtype=ADDR_TYPE_IPV4; - inet_pton(AF_INET,clientIp1,&(v4_addr->saddr)); - v4_addr->source=clientPort1; - inet_pton(AF_INET,serverIp1,&(v4_addr->daddr)); - v4_addr->dest=serverPort1; - ip_addr->v4=v4_addr; - } - if(addr_type == 6) - { - struct stream_tuple4_v6 *v6_addr = ALLOC(struct stream_tuple4_v6, 1); - ip_addr->addrtype=ADDR_TYPE_IPV6; - inet_pton(AF_INET6,clientIp1,&(v6_addr->saddr)); - v6_addr->source=clientPort1; - inet_pton(AF_INET6,serverIp1,&(v6_addr->daddr)); - v6_addr->dest=serverPort1; - ip_addr->v6=v6_addr; - } - if(buff != NULL) - { - log_info(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "[I] %s, clientIp1=%s, clientPort1=%d, serverIp=%s, serverPort=%d, addr_type=%d, protocol=%d", buff, - clientIp1, clientPort1, serverIp1, serverPort1, addr_type, *protocol); - } - else - { - log_info(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "[I] Ip=%s, Port=%d, addr_type=%d", clientIp1, clientPort1, addr_type); - } - return ip_addr; -} - -struct ipaddr *tunnel_to_stream_addr(const char *Ip, int addr_type) -{ - struct ipaddr *ip_addr = ALLOC(struct ipaddr, 1); - if(addr_type == 4) - { - struct stream_tuple4_v4 *v4_addr = ALLOC(struct stream_tuple4_v4, 1); - ip_addr->addrtype=ADDR_TYPE_IPV4; - inet_pton(AF_INET,Ip,&(v4_addr->saddr)); - ip_addr->v4=v4_addr; - } - if(addr_type == 6) - { - struct stream_tuple4_v6 *v6_addr = ALLOC(struct stream_tuple4_v6, 1); - ip_addr->addrtype=ADDR_TYPE_IPV6; - inet_pton(AF_INET6,Ip,&(v6_addr->saddr)); - ip_addr->v6=v6_addr; - } - log_debug(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "[I] attribute_name = ip, clientIp1=%s, addr_type = %d", Ip, addr_type); - - return ip_addr; -} - -void ipaddr_free(struct ipaddr *ip_addr) -{ - if(ip_addr==NULL) - { - return; - } - if(ip_addr->addrtype==ADDR_TYPE_IPV4) - { - free(ip_addr->v4); - } - - if(ip_addr->addrtype==ADDR_TYPE_IPV6) - { - free(ip_addr->v6); - } - free(ip_addr); -} - -static struct ipaddr * get_ip_from_json(cJSON *attributeValue, const char *attributeName, int *protocol, char *buff) -{ - cJSON* item = NULL; - int addr_type=0; - const char *Ip=NULL; - unsigned int Port=0; - - if(attributeName==NULL) - { - log_fatal(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "The attribute_type is of type iP, but the attribute_name is empty, resulting in IP type parsing failure."); - return NULL; - } - - item = cJSON_GetObjectItem(attributeValue,"ip"); - if(item && item->type==cJSON_String) Ip = item->valuestring; - item = cJSON_GetObjectItem(attributeValue,"port"); - if(item && item->type==cJSON_String) Port =atoi(item->valuestring); - item = cJSON_GetObjectItem(attributeValue,"protocol"); - if(item && item->type==cJSON_Number) *protocol = item->valueint; - item=cJSON_GetObjectItem(attributeValue,"addr_type"); - if(item && item->type==cJSON_Number) addr_type = item->valueint; - - if(strcasecmp(attributeName, "ip_protocol") == 0) - { - log_info(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "[I] %s, protocol=%d", buff, *protocol); - return NULL; - } - - struct ipaddr *ip_addr = NULL; - if(strcasecmp(attributeName, "source") == 0 || strcasecmp(attributeName, "internal") == 0 || - strcasecmp(attributeName, "tunnel_endpointa") == 0 || strcasecmp(attributeName, "tunnel_endpointb") == 0) - { - ip_addr = ip_to_stream_addr(Ip, Port, "0.0.0.0", 0, addr_type, buff, protocol); - } - - if(strcasecmp(attributeName, "destination") == 0 || strcasecmp(attributeName, "external") == 0) - { - ip_addr = ip_to_stream_addr("0.0.0.0", 0, Ip, Port, addr_type, buff, protocol); - } - return ip_addr; -} - -static char* get_port_from_json(cJSON *attributeValue, int *protocol, char *buff) -{ - cJSON* item = NULL; - char *string=NULL; - - item = cJSON_GetObjectItem(attributeValue,"port"); - if(item && item->type==cJSON_String) - { - string = item->valuestring; - } - item = cJSON_GetObjectItem(attributeValue,"protocol"); - if(item && item->type==cJSON_Number) - { - *protocol = item->valueint; - } - log_info(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "[I] %s, port=%s, protocol=%d", buff, string, *protocol); - - return string; -} - -static inline int match_attributeType_in_numeric(const char *attribute_type, int table_id) -{ - if(0 == strcasecmp(attribute_type, "numeric") || 0 == strcasecmp(attribute_type, "flag") || - 0 == strcasecmp(attribute_type, "boolean") || table_id == TSG_OBJ_IP_PROTOCOL) - { - return 1; - } - else - { - return 0; - } -} - -static int get_attribute_from_json(int curr_id, cJSON* subchild, struct verify_policy_query *policy_query) -{ - int xret = -1; - const char *attribute_type=NULL; - char buff[VERIFY_STRING_MAX*2], *p = NULL; - cJSON* item = NULL, *attributeValue=NULL, *tunnelType_item=NULL; - - p = buff; - item = cJSON_GetObjectItem(subchild, "attribute_type"); - if(item && item->type==cJSON_String) - { - attribute_type = item->valuestring; - p += snprintf(p, sizeof(buff) - (p - buff), "attribute_type = %s", attribute_type); - } - - item = cJSON_GetObjectItem(subchild, "attribute_name"); - if(item && item->type==cJSON_String) - { - policy_query->request_object[curr_id].attri_name = item->valuestring; - p += snprintf(p, sizeof(buff) - (p - buff), ", attribute_name = %s",policy_query->request_object[curr_id].attri_name); - } - policy_query->request_object[curr_id].attributes=cJSON_Duplicate(subchild, 1); - - item = cJSON_GetObjectItem(subchild, "table_name"); - if(item && item->type==cJSON_String) - { - policy_query->request_object[curr_id].table_id = protoco_field_type_str2idx(item->valuestring, buff, &p); - if(policy_query->request_object[curr_id].table_id == __TSG_OBJ_MAX) - { - log_fatal(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "Get table id failed form table name:%s", item->valuestring); - return xret; - } - } - - attributeValue = cJSON_GetObjectItem(subchild, "atrribute_value"); - if(attributeValue == NULL || attributeValue->type!=cJSON_Object) - { - goto finish; - } - - tunnelType_item = cJSON_GetObjectItem(attributeValue,"tunnel_type"); - if(tunnelType_item && tunnelType_item->type==cJSON_String) - { - policy_query->request_object[curr_id].tunnel_type=tunnelType_item->valuestring; - p += snprintf(p, sizeof(buff) - (p - buff), ", tunnel_type=%s",policy_query->request_object[curr_id].tunnel_type); - } - - if(0 == strcasecmp(attribute_type, "ip")) - { - policy_query->request_object[curr_id].ip_addr = get_ip_from_json(attributeValue, policy_query->request_object[curr_id].attri_name, &(policy_query->request_object[curr_id].numeric), buff); - goto end; - } - if(0 == strcasecmp(attribute_type, "port")) - { - policy_query->request_object[curr_id].string = get_port_from_json(attributeValue, &(policy_query->request_object[curr_id].numeric), buff); - goto end; - } - - item = cJSON_GetObjectItem(attributeValue,"district"); - if(item!=NULL) - { - policy_query->request_object[curr_id].district = item->valuestring; - p += snprintf(p, sizeof(buff) - (p - buff), ", district = %s",policy_query->request_object[curr_id].district); - } - - if(match_attributeType_in_numeric(attribute_type, policy_query->request_object[curr_id].table_id)) - { - item = cJSON_GetObjectItem(attributeValue, "numeric"); - if(item && item->type==cJSON_Number) - { - policy_query->request_object[curr_id].numeric = item->valueint; - p += snprintf(p, sizeof(buff) - (p - buff), ", content = %d", policy_query->request_object[curr_id].numeric); - } - } - else - { - item = cJSON_GetObjectItem(attributeValue, "string"); - if(item!=NULL) - { - policy_query->request_object[curr_id].string = item->valuestring; - p += snprintf(p, sizeof(buff) - (p - buff), ", content = %s",policy_query->request_object[curr_id].string); - } - } - log_info(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "[I] %s", buff); - memset(buff, 0, VERIFY_STRING_MAX*2); -end: - xret = 1; -finish: - return xret; -} - -enum verify_type get_verify_type(cJSON* http_respone) -{ - cJSON *item = NULL; - enum verify_type type = VERIFY_TYPE_POLICY; - - item = cJSON_GetObjectItem(http_respone,"verify_type"); - if(item && item->type==cJSON_String) - { - if(0 == strcasecmp(item->valuestring, "policy")) - { - type = VERIFY_TYPE_POLICY; - } - - if(0 == strcasecmp(item->valuestring, "regex")) - { - type = VERIFY_TYPE_REGEX; - } - log_info(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "[I] verify_type= %s", item->valuestring); - } - return type; -} - -static int get_query_result_regex(cJSON *verifylist_array_item, cJSON *http_body) -{ - int cur_id=0, i=0, is_valid[32]={0}; - cJSON *regexstr_obj[32],*attributes=NULL; - cJSON *item = NULL, *subchild = NULL; - - attributes = cJSON_GetObjectItem(verifylist_array_item, "verify_regex"); - if(attributes==NULL || attributes->type != cJSON_Array) - { - return -1; - } - - for (subchild = attributes->child; subchild != NULL; subchild = subchild->next) - { - item = cJSON_GetObjectItem(subchild, "regex_str"); - if(item && item->type==cJSON_String) - { - is_valid[cur_id] = policy_verify_regex_expression(item->valuestring); - } - regexstr_obj[cur_id]=cJSON_Duplicate(item, 1); - cur_id++; - } - - cJSON *verify_regex_obj=NULL; - - cJSON *verifyRegex=cJSON_CreateArray(); - cJSON_AddItemToObject(http_body, "verify_regex", verifyRegex); - for (i = 0; i < cur_id; i++) - { - verify_regex_obj=cJSON_CreateObject(); - cJSON_AddItemToObject(verify_regex_obj, "regex_str", regexstr_obj[i]); - cJSON_AddNumberToObject(verify_regex_obj, "is_valid", is_valid[i]); - cJSON_AddItemToArray(verifyRegex, verify_regex_obj); - } - return 1; -} - -static void get_count_form_attributeName(void *ctx, cJSON *subchild) -{ - cJSON *item = NULL; - - item = cJSON_GetObjectItem(subchild, "attribute_name"); - if(item && item->type==cJSON_String) - { - if(0 == strcasecmp(item->valuestring, "tunnel_endpointa")) - { - verify_policy_tunnle_add(ctx); - } - if(0 == strcasecmp(item->valuestring, "tunnel_endpointb")) - { - verify_policy_tunnle_add(ctx); - } - } - return; -} - -int get_query_result_policy(cJSON *verifylist_array_item, cJSON *http_body, int thread_id) -{ - int attribute_num = 0; - int hit_cnt = 0, xret =0; - cJSON *item = NULL, *subchild = NULL, *attributes=NULL; - struct verify_policy_query *verify_policy = NULL; - - verify_policy = ALLOC(struct verify_policy_query, 1); - item = cJSON_GetObjectItem(verifylist_array_item,"type"); - if(item && item->type==cJSON_String) - { - verify_policy->compile_table_id = tsg_policy_type_str2idx(item->valuestring); - if (verify_policy->compile_table_id >= __SCAN_POLICY_MAX) - { - log_fatal(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "policy type error, policy id = %d", verify_policy->compile_table_id); - goto free; - } - } - - item = cJSON_GetObjectItem(verifylist_array_item, "vsys_id"); - if(item && item->type==cJSON_Number) - { - verify_policy->vsys_id = item->valueint; - } - log_info(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "[I] vsys_id= %d", verify_policy->vsys_id); - - item = cJSON_GetObjectItem(verifylist_array_item,"verify_session"); - if(item == NULL || item->type!=cJSON_Object) - { - goto free; - } - - attributes = cJSON_GetObjectItem(item,"attributes"); - if(attributes && attributes->type==cJSON_Array) - { - void *ctx = policy_scan_ctx_new(thread_id, verify_policy->vsys_id, verify_policy->compile_table_id); - - for (subchild = attributes->child; subchild != NULL; subchild = subchild->next) - { - get_count_form_attributeName(ctx, subchild); - } - - for (subchild = attributes->child; subchild != NULL; subchild = subchild->next) - { - xret = get_attribute_from_json(attribute_num, subchild, verify_policy); - if (xret < 0) - { - goto free; - } - hit_cnt = policy_verify_scan(verify_policy->vsys_id, verify_policy->compile_table_id, &verify_policy->request_object[attribute_num], ctx); - if(match_ip_attribute_name(verify_policy->request_object[attribute_num].attri_name) >= 0) - { - ipaddr_free(verify_policy->request_object[attribute_num].ip_addr); - } - attribute_num++; - } - http_hit_policy_list(verify_policy, attribute_num, hit_cnt, http_body, ctx); - - int item = 0; - cJSON *verfifySession = cJSON_CreateObject(); - cJSON_AddItemToObject(http_body, "verify_session", verfifySession); - cJSON *attributes=cJSON_CreateArray(); - cJSON_AddItemToObject(verfifySession, "attributes", attributes); - for (item = 0; item < attribute_num; item++) - { - http_get_scan_status(&verify_policy->request_object[item], verify_policy->compile_table_id, attributes, http_body, ctx); - } - policy_scan_ctx_free(ctx); - } - - attribute_num=0; -free: - if (verify_policy) - { - FREE(&verify_policy); - } - - return hit_cnt; -} - -cJSON *get_verify_policy_query(const char *data, ssize_t data_len, int thread_id) -{ - int hit_cnt = 0; - - cJSON* http_request = cJSON_Parse(data); - if(http_request == NULL) - { - log_fatal(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "Failed to parse the request data."); - return NULL; - } - cJSON *http_respone=NULL, *http_body=NULL; - http_respone=cJSON_CreateObject(); - - cJSON_AddNumberToObject(http_respone, "code", 200); - cJSON_AddStringToObject(http_respone, "msg", "Success"); - - http_body = cJSON_CreateObject(); - cJSON_AddItemToObject(http_respone, "data", http_body); - - int type=get_verify_type(http_request); - cJSON *item = NULL, *subitem = NULL; - - item = cJSON_GetObjectItem(http_request,"verify_list"); - if(item && item->type==cJSON_Array) - { - for (subitem = item->child; subitem != NULL; subitem = subitem->next) - { - if(type == VERIFY_TYPE_REGEX) - { - log_info(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "[I] data= %.*s", (int)data_len, data); - hit_cnt = get_query_result_regex(subitem, http_body); - } - - if(type == VERIFY_TYPE_POLICY) - { - hit_cnt = get_query_result_policy(subitem, http_body, thread_id); - } - } - if (hit_cnt >= 0) - { - cJSON_AddBoolToObject(http_respone, "success", true); - } - else - { - cJSON_AddBoolToObject(http_respone, "success", false); - } - } - cJSON_Delete(http_request); - return http_respone; -} - -int http_get_headers(struct evhttp_request *evh_req, struct evkeyvalq *headers) -{ - int xret = -1; - - const char *uri = evhttp_request_get_uri(evh_req); - if(!uri) - { - return xret; - } - return evhttp_parse_query(uri, headers); -} - -int http_get_int_param(struct evhttp_request *evh_req, const char *key) -{ - int xret=-1, vsys_id=-1; - struct evkeyvalq headers; - - xret = http_get_headers(evh_req, &headers); - if(xret != 0) - { - return -1; - } - const char *value = evhttp_find_header(&headers, key); - if (value) - { - vsys_id = atoi(value); - } - evhttp_clear_headers(&headers); - return vsys_id; -} - -char *http_get_string_param(struct evhttp_request *evh_req, const char *key) -{ - int xret=-1; - char *param=NULL; - struct evkeyvalq headers; - - xret = http_get_headers(evh_req, &headers); - if(xret != 0) - { - return NULL; - } - const char *value = evhttp_find_header(&headers, key); - if (value) - { - param = strdup(value); - } - evhttp_clear_headers(&headers); - return param; -} - -int get_ip_type(const char *ip) -{ - struct sockaddr_in sa; - struct sockaddr_in6 sa6; - int addr_type = 0; - - if (inet_pton(AF_INET, ip, &(sa.sin_addr)) > 0) - { - addr_type = 4; - } - else if (inet_pton(AF_INET6, ip, &(sa6.sin6_addr)) > 0) - { - addr_type = 6; - } - return addr_type; -} - -cJSON *get_library_search_query(struct evhttp_request *evh_req) -{ - int hit_library_cnt=0; - cJSON *http_respone=cJSON_CreateObject(); - cJSON_AddNumberToObject(http_respone, "code", 200); - cJSON_AddStringToObject(http_respone, "msg", "Success"); - - cJSON *http_body = cJSON_CreateObject(); - cJSON_AddItemToObject(http_respone, "data", http_body); - - cJSON *hit_library=cJSON_CreateArray(); - cJSON_AddItemToObject(http_body, "hit_library", hit_library); - - int vsys_id = http_get_int_param(evh_req, "vsys_id"); - if(vsys_id < 0) - { - log_fatal(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "invalid vsys_id"); - return NULL; - } - - char *ip = http_get_string_param(evh_req, "ip"); - if(ip) - { - struct ipaddr *ip_addr = ip_to_stream_addr(ip, 0, "0.0.0.0", 0, get_ip_type(ip), NULL, 0); - hit_library_cnt=get_ip_entry_tag_ids(hit_library, vsys_id, ip_addr); - FREE(&ip); - ipaddr_free(ip_addr); - } - - char *fqdn = http_get_string_param(evh_req, "fqdn"); - if(fqdn) - { - hit_library_cnt=get_fqdn_entry_tag_ids(hit_library, vsys_id, fqdn); - FREE(&fqdn); - } - - if (hit_library_cnt > 0) - { - cJSON_AddBoolToObject(http_body, "success", true); - } - else - { - cJSON_AddBoolToObject(http_body, "success", false); - } - return http_respone; -} - static int evhttp_socket_send(struct evhttp_request *req, char *sendbuf) { struct evbuffer *evb = NULL; @@ -802,6 +136,8 @@ finish: void library_search_request_cb(struct evhttp_request *evh_req, void *arg) { + struct evbuffer * evbuf_body = NULL; + char *input = NULL; ssize_t inputlen=0; char *http_payload_string= NULL; cJSON *http_payload=NULL; if (evhttp_request_get_command(evh_req) != EVHTTP_REQ_POST) @@ -809,9 +145,16 @@ void library_search_request_cb(struct evhttp_request *evh_req, void *arg) log_fatal(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "FAILED (post type)"); goto error; } + + evbuf_body = evhttp_request_get_input_buffer(evh_req); + if (!evbuf_body || 0==(inputlen = evbuffer_get_length(evbuf_body)) ||!(input = (char *)evbuffer_pullup(evbuf_body,inputlen))) + { + log_fatal(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "Failed to get post data information."); + goto error; + } log_info(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "[I] Request library search: %s", evhttp_request_get_uri(evh_req)); - http_payload = get_library_search_query(evh_req); + http_payload = get_library_search_query(input, inputlen); if(http_payload == NULL) { goto error; @@ -864,7 +207,7 @@ int create_and_listen_socket(const struct sockaddr *sa, int socklen, int backlog int fd; int on = 1; int family = sa ? sa->sa_family : AF_UNSPEC; - int socktype = SOCK_STREAM | EVUTIL_SOCK_NONBLOCK; + int socktype = SOCK_STREAM | SOCK_NONBLOCK; fd = socket(family, socktype, 0); if (fd == -1) diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt new file mode 100644 index 0000000..5dbee6f --- /dev/null +++ b/test/CMakeLists.txt @@ -0,0 +1,19 @@ +cmake_minimum_required(VERSION 3.5) + +include_directories(${CMAKE_SOURCE_DIR}/common/include) +add_executable(verify_policy_test verify_policy_test.cpp ${CMAKE_SOURCE_DIR}/platform/src/verify_matcher.cpp) +target_link_libraries(verify_policy_test common MESA_prof_load maatframe cjson gtest) + +set(CMAKE_BUILD_DIR ${CMAKE_SOURCE_DIR}/build) +set(TEST_RUN_DIR ${CMAKE_BUILD_DIR}/test) +file(COPY ${CMAKE_SOURCE_DIR}/resource DESTINATION ${TEST_RUN_DIR}) +file(COPY ${CMAKE_SOURCE_DIR}/conf DESTINATION ${TEST_RUN_DIR}) +file(COPY ${CMAKE_SOURCE_DIR}/test/resource/VerifyPolicyHit.json DESTINATION ${TEST_RUN_DIR}/resource) +file(COPY ${CMAKE_SOURCE_DIR}/test/resource/HitPolicyResult.json DESTINATION ${TEST_RUN_DIR}/resource) +file(COPY ${CMAKE_SOURCE_DIR}/test/resource/HitPolicyRequest.json DESTINATION ${TEST_RUN_DIR}/resource) + +add_test(NAME UPDATE_MAAT_MODE COMMAND bash -c "sed -i 's/maat_input_mode=1/maat_input_mode=0/' ${TEST_RUN_DIR}/conf/verify_policy.conf") +add_test(NAME UPDATE_LOG_LEVEL COMMAND bash -c "sed -i 's/log_level=5/log_level=1/' ${TEST_RUN_DIR}/conf/verify_policy.conf") +add_test(NAME UPDATE_VSYS_NUM COMMAND bash -c "sed -i '32i load_vsys_num=2' ${TEST_RUN_DIR}/conf/verify_policy.conf") +add_test(NAME UPDATE_START_VSYS COMMAND bash -c "sed -i '33i load_start_vsys=1' ${TEST_RUN_DIR}/conf/verify_policy.conf") +add_test(NAME UPDATE_JSON_FILE COMMAND bash -c "sed -i 's/json_cfg_file=\\.\\/resource\\/verify-policy\\.json/json_cfg_file=\\.\\/resource\\/VerifyPolicyHit\\.json/' ${TEST_RUN_DIR}/conf/verify_policy.conf") diff --git a/test/resource/HitPolicyRequest.json b/test/resource/HitPolicyRequest.json new file mode 100644 index 0000000..ba29494 --- /dev/null +++ b/test/resource/HitPolicyRequest.json @@ -0,0 +1,70 @@ +{ + "Verify_Policy_Request": [ + { + "vsys_id": 1, + "verify_list": [ + { + "type": "pxy_manipulation", + "vsys_id": 1, + "verify_session": { + "attributes": [ + { + "attribute_type": "ip", + "table_name": "ATTR_SOURCE_IP", + "attribute_name": "source", + "attribute_value": { + "ip": "192.168.0.1", + "port":"8080", + "addr_type": 4 + } + } + ] + } + } + ], + "verify_type": "policy" + }, + { + "vsys_id": 1, + "verify_list": [ + { + "type": "pxy_manipulation", + "vsys_id": 1, + "verify_session": { + "attributes": [ + { + "attribute_type": "ip", + "table_name": "ATTR_SOURCE_IP", + "attribute_name": "source", + "attribute_value": { + "ip": "192.168.1.1", + "port":"8080", + "addr_type": 4 + } + }, + { + "attribute_type": "ip", + "table_name": "ATTR_INTERNAL_IP", + "attribute_name": "internal", + "attribute_value": { + "ip": "192.168.1.2", + "port": "80", + "addr_type": 4 + } + }, + { + "attribute_type": "string", + "table_name": "ATTR_SERVER_FQDN", + "attribute_name": "server_fqdn", + "attribute_value": { + "string": "www.126.com" + } + } + ] + } + } + ], + "verify_type": "policy" + } + ] +} \ No newline at end of file diff --git a/test/resource/HitPolicyResult.json b/test/resource/HitPolicyResult.json new file mode 100644 index 0000000..1642616 --- /dev/null +++ b/test/resource/HitPolicyResult.json @@ -0,0 +1,134 @@ +{ + "Verify_Policy_Result": [ + { + "code": 200, + "msg": "Success", + "data": { + "hitPolicyList": [ + { + "id": 1021, + "policyName": "", + "is_execute_policy": true, + "top_object_list": [ + { + "object_id": 101, + "table_name": "ATTR_SOURCE_IP", + "not_flag": 0, + "nth_clause": 0 + } + ] + } + ], + "verify_session": { + "attributes": [ + { + "attribute_type": "ip", + "table_name": "ATTR_SOURCE_IP", + "attribute_name": "source", + "attribute_value": { + "ip": "192.168.0.1", + "port": "8080", + "addr_type": 4 + }, + "hit_paths": [ + { + "item_id": 1, + "superior_object_id": 101 + } + ] + } + ] + } + }, + "success": true + }, + { + "code": 200, + "msg": "Success", + "data": { + "hitPolicyList": [ + { + "id": 1022, + "policyName": "", + "is_execute_policy": true, + "top_object_list": [ + { + "tag_id": 11, + "table_name": "ATTR_SOURCE_IP", + "not_flag": 0, + "nth_clause": 0 + }, + { + "tag_id": 12, + "table_name": "ATTR_INTERNAL_IP", + "not_flag": 0, + "nth_clause": 1 + }, + { + "tag_id": 1, + "table_name": "ATTR_SERVER_FQDN", + "not_flag": 0, + "nth_clause": 2 + } + ] + } + ], + "verify_session": { + "attributes": [ + { + "attribute_type": "ip", + "table_name": "ATTR_SOURCE_IP", + "attribute_name": "source", + "attribute_value": { + "ip": "192.168.1.1", + "port": "8080", + "addr_type": 4 + }, + "hit_paths": [ + { + "entry_id": 1, + "tag_id": 11 + } + ] + }, + { + "attribute_type": "ip", + "table_name": "ATTR_INTERNAL_IP", + "attribute_name": "internal", + "attribute_value": { + "ip": "192.168.1.2", + "port": "80", + "addr_type": 4 + }, + "hit_paths": [ + { + "entry_id": 2, + "tag_id": 12 + }, + { + "entry_id": 2, + "tag_id": 13 + } + ] + }, + { + "attribute_type": "string", + "table_name": "ATTR_SERVER_FQDN", + "attribute_name": "server_fqdn", + "attribute_value": { + "string": "www.126.com" + }, + "hit_paths": [ + { + "entry_id": 1, + "tag_id": 1 + } + ] + } + ] + } + }, + "success": true + } + ] +} \ No newline at end of file diff --git a/test/resource/VerifyPolicyHit.json b/test/resource/VerifyPolicyHit.json new file mode 100644 index 0000000..81487b4 --- /dev/null +++ b/test/resource/VerifyPolicyHit.json @@ -0,0 +1,101 @@ +{ + "compile_table": "PXY_CTRL_COMPILE", + "group2compile_table": "GROUP_PXY_CTRL_COMPILE_RELATION", + "group2group_table": "GROUP_GROUP_RELATION", + "rules": [ + { + "compile_id": 1021, + "service": 1, + "action": 48, + "do_blacklist": 1, + "do_log": 1, + "effective_range": 0, + "tags":"anything", + "user_region": "anything", + "is_valid": "yes", + "groups": [ + { + "not_flag": 0, + "group_id": 101, + "group_name":"IPv4TCPSoureVeiryPolicy01", + "virtual_table": "ATTR_SOURCE_IP", + "regions": [ + { + "table_type": "ip", + "table_name": "TSG_OBJ_IP_ADDR", + "table_content": { + "addr_type": "ipv4", + "addr_format": "range", + "ip1": "192.168.0.1", + "ip2": "192.168.0.1" + } + } + ] + } + ] + }, + { + "compile_id": 1022, + "service": 1, + "action": 48, + "do_blacklist": 1, + "do_log": 1, + "effective_range": 0, + "tags":"anything", + "user_region": "anything", + "is_valid": "yes", + "groups": [ + { + "group_id": 11, + "group_name": "IPv4TCPSoureEntry.11", + "virtual_table": "ATTR_SOURCE_IP" + }, + { + "group_id": 12, + "group_name": "IPv4TCPSoureEntry.12", + "virtual_table": "ATTR_INTERNAL_IP" + }, + { + "group_id": 1, + "group_name": "FQDNEntry.1", + "virtual_table": "ATTR_SERVER_FQDN" + } + ] + } + ], + "plugin_table": [ + { + "table_name": "FQDN_ENTRY", + "table_content": [ + "1\t1\twww.126.com\t1\t1", + "2\t2,3\twww.baidu.com\t1\t1", + "4\t4,5,6\twww.qq.com\t1\t1" + ] + }, + { + "table_name": "IP_ADDR_ENTRY", + "table_content": [ + "1\t11\t4\tsingle\t192.168.1.1\t192.168.1.1\t1", + "2\t12,13\t4\tsingle\t192.168.1.2\t192.168.1.2\t1", + "4\t14,15,16\t4\trange\t192.168.1.3\t192.168.1.3\t1" + ] + }, + { + "table_name": "LIBRARY_TAG", + "table_content": [ + "1\tnone\twebsite_category\tfqdn1\tsearch\\bengines\t1", + "2\tnone\twebsite_category\tfqdn2\tRecreation\band\bHobbies\t1", + "3\tnone\twebsite_category\tfqdn3\tbusiness\t1", + "4\tnone\twebsite_category\tfqdn4\tsearch bengines\t1", + "5\tnone\twebsite_category\tfqdn5\tsearch\\bengines\t1", + "6\tnone\twebsite_category\tfqdn6\tsearch\\bengines\t1", + "11\tnone\tgeoip\tadministrative_area\tColombia.Departamento\bdel\bVaupes\t1", + "12\tnone\tgeoip\tadministrative_area\tColombia.Departamento\bdel\bVaupes.Mitú\t1", + "13\tnone\tgeoip\tadministrative_area\tColombia.Antioquia.Marinilla\t1", + "14\tnone\tgeoip\tsuper_administrative_area\tColombia.Departamento\bdel\bVaupes\t1", + "15\tnone\tgeoip\tadministrative_area\tGermany.Bavaria.Mauern\t1", + "16\tnone\tgeoip\tadministrative_area\tGermany.Bavaria.Mellrichstadt\t1" + ] + } + ] +} diff --git a/test/verify_policy_test.cpp b/test/verify_policy_test.cpp new file mode 100644 index 0000000..c76a1ef --- /dev/null +++ b/test/verify_policy_test.cpp @@ -0,0 +1,308 @@ +/************************************************************************* + > File Name: + > Author: + > Mail: + > Created Time: 2020��05��28�� ������ 19ʱ21��37�� + ************************************************************************/ +#include +#include +#include +#include +#include +#include +#include +#include + +#include + +#include "verify_policy.h" +#include "utils.h" + +cJSON *verify_policy_result; +cJSON *verify_policy_request; + +struct verify_policy * g_verify_proxy = NULL; +extern cJSON *get_library_search_query(const char *data, ssize_t data_len); +extern cJSON *get_verify_policy_query(const char *data, ssize_t data_len, int thread_id); + +int load_json_file_system_cmd(const char *load_json_file, const char *run_json_file) +{ + char command[1024] = {0}; + snprintf(command, sizeof(command), "cp ./resource/%s ./resource/%s", load_json_file, run_json_file); + system(command); + sleep(2); + return 0; +} + +static char *select_hit_policy_result_item(int gtest_id) +{ + if(verify_policy_result == NULL || verify_policy_result->type!=cJSON_Array) + { + return NULL; + } + + int foreach=0; + char *hit_policy_result = NULL; + cJSON *subitem = NULL; + + for (subitem = verify_policy_result->child; subitem != NULL; subitem = subitem->next) + { + if(foreach == gtest_id) + { + hit_policy_result = cJSON_PrintUnformatted(subitem); + break; + } + foreach++; + } + return hit_policy_result; +} + +static char *select_hit_policy_request_item(int gtest_id) +{ + if(verify_policy_request == NULL || verify_policy_request->type!=cJSON_Array) + { + return NULL; + } + + int foreach=0; + char *hit_policy_request = NULL; + cJSON *subitem = NULL; + + for (subitem = verify_policy_request->child; subitem != NULL; subitem = subitem->next) + { + if(foreach == gtest_id) + { + hit_policy_request = cJSON_PrintUnformatted(subitem); + break; + } + foreach++; + } + return hit_policy_request; +} + +TEST(LibrarySearch, HitFqdnEntry) +{ + const char *cm_http_request = "{\"ip\":null,\"fqdn\":\"www.126.com\",\"vsys_id\":1}"; + const char *expect_result="{\"code\":200,\"msg\":\"Success\",\"data\":{\"hit_library\":[{\"entry_id\":1,\"tag_ids\":\"1\"}]},\"success\":true}"; + + cJSON *result_json = get_library_search_query(cm_http_request, strlen(cm_http_request)); + ASSERT_TRUE(result_json != NULL); + + char *hit_policy_list = cJSON_PrintUnformatted(result_json); + ASSERT_TRUE(hit_policy_list != NULL); + + int equal = strncasecmp(hit_policy_list, expect_result, strlen(expect_result)); + EXPECT_EQ(equal, 0); + + cJSON_Delete(result_json); + FREE(&hit_policy_list); + + cm_http_request = "{\"ip\":null,\"fqdn\":\"www.baidu.com\",\"vsys_id\":1}"; + expect_result="{\"code\":200,\"msg\":\"Success\",\"data\":{\"hit_library\":[{\"entry_id\":2,\"tag_ids\":\"2,3\"}]},\"success\":true}"; + + result_json = get_library_search_query(cm_http_request, strlen(cm_http_request)); + ASSERT_TRUE(result_json != NULL); + + hit_policy_list = cJSON_PrintUnformatted(result_json); + ASSERT_TRUE(hit_policy_list != NULL); + + equal = strncasecmp(hit_policy_list, expect_result, strlen(expect_result)); + EXPECT_EQ(equal, 0); + + cJSON_Delete(result_json); + FREE(&hit_policy_list); + + cm_http_request = "{\"ip\":null,\"fqdn\":\"www.qq.com\",\"vsys_id\":1}"; + expect_result="{\"code\":200,\"msg\":\"Success\",\"data\":{\"hit_library\":[{\"entry_id\":4,\"tag_ids\":\"4,5,6\"}]},\"success\":true}"; + + result_json = get_library_search_query(cm_http_request, strlen(cm_http_request)); + ASSERT_TRUE(result_json != NULL); + + hit_policy_list = cJSON_PrintUnformatted(result_json); + ASSERT_TRUE(hit_policy_list != NULL); + + equal = strncasecmp(hit_policy_list, expect_result, strlen(expect_result)); + EXPECT_EQ(equal, 0); + + cJSON_Delete(result_json); + FREE(&hit_policy_list); +} + +TEST(LibrarySearch, HitIpEntry) +{ + const char *cm_http_request = "{\"ip\":\"192.168.1.1\",\"fqdn\":null,\"vsys_id\":1}"; + const char *expect_result="{\"code\":200,\"msg\":\"Success\",\"data\":{\"hit_library\":[{\"entry_id\":1,\"tag_ids\":\"11\"}]},\"success\":true}"; + + cJSON *result_json = get_library_search_query(cm_http_request, strlen(cm_http_request)); + ASSERT_TRUE(result_json != NULL); + + char *hit_policy_list = cJSON_PrintUnformatted(result_json); + ASSERT_TRUE(hit_policy_list != NULL); + + int equal = strncasecmp(hit_policy_list, expect_result, strlen(expect_result)); + EXPECT_EQ(equal, 0); + + cJSON_Delete(result_json); + FREE(&hit_policy_list); + + cm_http_request ="{\"ip\":\"192.168.1.2\",\"fqdn\":null,\"vsys_id\":1}"; + expect_result="{\"code\":200,\"msg\":\"Success\",\"data\":{\"hit_library\":[{\"entry_id\":2,\"tag_ids\":\"12,13\"}]},\"success\":true}"; + + result_json = get_library_search_query(cm_http_request, strlen(cm_http_request)); + ASSERT_TRUE(result_json != NULL); + + hit_policy_list = cJSON_PrintUnformatted(result_json); + ASSERT_TRUE(hit_policy_list != NULL); + + equal = strncasecmp(hit_policy_list, expect_result, strlen(expect_result)); + EXPECT_EQ(equal, 0); + + cJSON_Delete(result_json); + FREE(&hit_policy_list); + + cm_http_request = "{\"ip\":\"192.168.1.3\",\"fqdn\":null,\"vsys_id\":1}"; + expect_result="{\"code\":200,\"msg\":\"Success\",\"data\":{\"hit_library\":[{\"entry_id\":4,\"tag_ids\":\"14,15,16\"}]},\"success\":true}"; + + result_json = get_library_search_query(cm_http_request, strlen(cm_http_request)); + ASSERT_TRUE(result_json != NULL); + + hit_policy_list = cJSON_PrintUnformatted(result_json); + ASSERT_TRUE(hit_policy_list != NULL); + + equal = strncasecmp(hit_policy_list, expect_result, strlen(expect_result)); + EXPECT_EQ(equal, 0); + + cJSON_Delete(result_json); + FREE(&hit_policy_list); +} + +TEST(VerifyPolicy, HitIpPolicy) +{ + char *hit_policy_request = select_hit_policy_request_item(0); + ASSERT_TRUE(hit_policy_request != NULL); + char *hit_policy_result = select_hit_policy_result_item(0); + ASSERT_TRUE(hit_policy_result != NULL); + + cJSON *result_json = get_verify_policy_query(hit_policy_request, strlen(hit_policy_request), 1); + ASSERT_TRUE(result_json != NULL); + + char *hit_policy_query = cJSON_PrintUnformatted(result_json); + ASSERT_TRUE(hit_policy_query != NULL); + + int equal = strncasecmp(hit_policy_query, hit_policy_result, strlen(hit_policy_result)); + EXPECT_EQ(equal, 0); + + cJSON_Delete(result_json); + FREE(&hit_policy_query); + FREE(&hit_policy_request); + FREE(&hit_policy_result); +} + +TEST(VerifyPolicy, HitLibraryPolicy) +{ + char *hit_policy_request = select_hit_policy_request_item(1); + ASSERT_TRUE(hit_policy_request != NULL); + char *hit_policy_result = select_hit_policy_result_item(1); + ASSERT_TRUE(hit_policy_result != NULL); + + cJSON *result_json = get_verify_policy_query(hit_policy_request, strlen(hit_policy_request), 1); + ASSERT_TRUE(result_json != NULL); + + char *hit_policy_query = cJSON_PrintUnformatted(result_json); + ASSERT_TRUE(hit_policy_query != NULL); + //printf("hit_policy_query =%s\n", hit_policy_query); + + int equal = strncasecmp(hit_policy_query, hit_policy_result, strlen(hit_policy_result)); + EXPECT_EQ(equal, 0); + + cJSON_Delete(result_json); + FREE(&hit_policy_query); + FREE(&hit_policy_request); + FREE(&hit_policy_result); +} + +static char *read_json_file(const char *filename, size_t *input_sz) +{ + FILE* fp=NULL; + struct stat file_info; + stat(filename, &file_info); + *input_sz=file_info.st_size; + + fp=fopen(filename,"r"); + if(fp==NULL) + { + return NULL; + } + char* input=(char*)malloc(*input_sz); + fread(input,1,*input_sz,fp); + fclose(fp); + return input; +} + +cJSON *load_verify_policy_result_by_file(const char *filename, int hit_policy_result) +{ + size_t input_sz = 0; + char *input = read_json_file(filename, &input_sz); + if(input == NULL) + { + return NULL; + } + + cJSON* data = cJSON_Parse(input); + if(data == NULL) + { + FREE(&input); + return NULL; + } + + if(hit_policy_result) + { + verify_policy_result = cJSON_GetObjectItem(data,"Verify_Policy_Result"); + } + else + { + verify_policy_request = cJSON_GetObjectItem(data,"Verify_Policy_Request"); + } + + FREE(&input); + return data; +} + +int main(int argc, char ** argv) +{ + int ret = 0; + int log_level=0; + const char * main_profile = "./conf/verify_policy.conf"; + + g_verify_proxy = ALLOC(struct verify_policy, 1); + assert(g_verify_proxy); + strcpy(g_verify_proxy->name, "verify_policy"); + + const char *log_path="./logs/verify_policy.log"; + MESA_load_profile_int_def(main_profile, "SYSTEM", "log_level", &log_level, LOG_FATAL); + g_verify_proxy->logger = log_handle_create(log_path, log_level); + CHECK_OR_EXIT(g_verify_proxy->logger != NULL, "Failed at init log module. Exit."); + + ret = maat_table_init(g_verify_proxy, main_profile); + CHECK_OR_EXIT(ret == 0, "Failed at init maat module, Exit."); + + const char *filename1 = "./resource/HitPolicyResult.json"; + cJSON *data1=load_verify_policy_result_by_file(filename1, 1); + const char *filename2 = "./resource/HitPolicyRequest.json"; + cJSON *data2=load_verify_policy_result_by_file(filename2, 0); + + testing::InitGoogleTest(&argc, argv); + ret=RUN_ALL_TESTS(); + + if(data1 != NULL) + { + cJSON_Delete(data1); + } + if(data2 != NULL) + { + cJSON_Delete(data2); + } + + return ret; +} + diff --git a/test/verify_policy_tool.cpp b/test/verify_policy_tool.cpp new file mode 100644 index 0000000..b70ed67 --- /dev/null +++ b/test/verify_policy_tool.cpp @@ -0,0 +1,185 @@ +/************************************************************************* + > File Name: + > Author: + > Mail: + > Created Time: 2020��05��28�� ������ 19ʱ21��37�� + ************************************************************************/ +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#include "utils.h" + +enum curl_post_type +{ + CURL_POST_HTTP, + CURL_POST_SSL, + __CURL_POST_MAX +}; + +struct curl_post_data +{ + char *input_result_data; + char *curl_post_file; + enum curl_post_type protocol_type; +}; + +char *curl_read_file(char *result_json_file) +{ + FILE* fp=NULL; + struct stat file_info; + stat(result_json_file, &file_info); + size_t input_sz=file_info.st_size; + + fp=fopen(result_json_file,"r"); + if(fp==NULL) + { + return NULL; + } + char* input=(char*)malloc(input_sz); + fread(input,1,input_sz,fp); + fclose(fp); + + return input; +} + +int curl_post_system_cmd(char *result, size_t result_len, char *curl_post_json) +{ + int line_num=0; + char command[1024] = {0}; + char *cmd_str=NULL; + + snprintf(command, sizeof(command), "curl -X POST -H 'Content-Type: application/json' http://127.0.0.1:9994/v1/policy/verify -d@%s", curl_post_json); + + char *p=result; + char line[2048] = {0}; + FILE *fp = NULL; + + if((fp = popen(command, "r")) == NULL) + { + printf("popen error!\n"); + return 0; + } + memset(result, 0, result_len); + while (fgets(line, sizeof(line), fp)) + { + if((p - result) < (int)result_len) + { + if(line_num) + { + p += snprintf(p, result_len - (p - result), ","); + } + + p += snprintf(p, result_len - (p - result), "%s", line); + } + line_num++; + } + pclose(fp); + + free(cmd_str); + return 1; +} + +int curl_exec_expect_result(char *result, char *input_json_file) +{ + int ret=-1; + cJSON *result_json=NULL, *input_json=NULL; + cJSON_bool successful = false; + + result_json = cJSON_Parse(result); + if(!result_json) + { + goto finish; + } + input_json = cJSON_Parse(input_json_file); + if(!input_json) + { + goto finish; + } + successful = cJSON_Compare(result_json, result_json, true); + if(successful) + { + ret=0; + } +finish: + cJSON_Delete(result_json); + cJSON_Delete(input_json); + return ret; +} + +int call_curl_post(struct curl_post_data *post_data) +{ + int ret=-1; + char result[81920]={0}; + + curl_post_system_cmd(result, sizeof(result), post_data->curl_post_file); + + switch(post_data->protocol_type) + { + case CURL_POST_HTTP: + ret = curl_exec_expect_result(result, post_data->input_result_data); + break; + case CURL_POST_SSL: + break; + default: + break; + } + return ret; +} + +static void help() +{ + fprintf(stderr, + "verify_policy_test <-j| -t | -c > arg\n" + "Usage:\n" + " -j \n" + " -t \n" + " -c \n"); + exit(1); +} + +int main(int argc, char ** argv) +{ + int i=0, ret = 0; + int curl_post_type=0; + char result_json_file[256]={0}; + char curl_post_file[256]={0}; + + if(argc < 3) {help();} + for (i = 1; i < argc; i++) + { + int lastarg = i==argc-1; + if (!strcmp(argv[i], "-j") && !lastarg) + { + strncpy(curl_post_file, argv[++i], sizeof(curl_post_file)); + } + else if (!strcmp(argv[i], "-t") && !lastarg) + { + sscanf(argv[++i], "%u", &curl_post_type); + } + else if (!strcmp(argv[i], "-c") && !lastarg) + { + strncpy(result_json_file, argv[++i], sizeof(result_json_file)); + } + else + { + help(); + } + } + struct curl_post_data *post_data=NULL; + post_data = ALLOC(struct curl_post_data, 1); + post_data->protocol_type=(enum curl_post_type)curl_post_type; + post_data->input_result_data=curl_read_file(result_json_file); + post_data->curl_post_file=curl_post_file; + + ret = call_curl_post(post_data); + + return ret; +}