diff --git a/common/CMakeLists.txt b/common/CMakeLists.txt index 0c58ff8..12ebf18 100644 --- a/common/CMakeLists.txt +++ b/common/CMakeLists.txt @@ -1,4 +1,4 @@ -add_library(common src/verify_policy_logging.cpp) +add_library(common src/verify_policy_logging.cpp src/verify_policy_utils.cpp) target_include_directories(common PUBLIC ${CMAKE_CURRENT_LIST_DIR}/include) target_link_libraries(common PUBLIC MESA_handle_logger libevent-static) diff --git a/common/include/verify_policy.h b/common/include/verify_policy.h index 07aa087..c7625d8 100644 --- a/common/include/verify_policy.h +++ b/common/include/verify_policy.h @@ -11,7 +11,15 @@ #include #include "verify_policy_utils.h" -enum scan_table +enum policy_type +{ + PXY_TABLE_SECURITY, + PXY_TABLE_MANIPULATION, + PXY_TABLE_DEFENCE, + __SCAN_POLICY_MAX +}; + +enum manipulate_sacn_table { PXY_CTRL_IP, PXY_CTRL_HTTP_URL, @@ -24,6 +32,33 @@ enum scan_table __SCAN_TABLE_MAX }; +enum security_scan_table +{ + PXY_SECURITY_IP, + PXY_SECURITY_HTTP_URL, + PXY_SECURITY_HTTP_FQDN, + PXY_SECURITY_HTTP_REQ_HDR, + PXY_SECURITY_HTTP_REQ_BODY, + PXY_SECURITY_HTTP_RES_HDR, + PXY_SECURITY_HTTP_RES_BODY, + PXY_SECURITY_SUBSCRIBE_ID, + PXY_SECURITY_HTTPS_SNI, + PXY_SECURITY_HTTPS_CN, + PXY_SECURITY_HTTPS_SAN, + PXY_SECURITY_DNS_QNAME, + PXY_SECURITY_MAIL_ACCOUNT, + PXY_SECURITY_MAIL_FROM, + PXY_SECURITY_MAIL_TO, + PXY_SECURITY_MAIL_SUBJECT, + PXY_SECURITY_MAIL_CONTENT, + PXY_SECURITY_MAIL_ATT_NAME, + PXY_SECURITY_MAIL_ATT_CONTENT, + PXY_SECURITY_FTP_URI, + PXY_SECURITY_FTP_CONTENT, + PXY_SECURITY_FTP_ACCOUNT, + __SECURITY_TABLE_MAX +}; + enum http_ev_bit_number { IP_BITNUM = 0, @@ -71,8 +106,10 @@ extern struct verify_proxy * g_verify_proxy; void * pangu_http_ctx_new(unsigned int thread_id); -void http_scan(const char * value, enum tfe_http_event events, - const unsigned char * body_frag, size_t frag_size, void *pme); + +void http_scan(const char * value, enum policy_type type, int protocol_field, void *pme, cJSON *data_obj, struct ipaddr *ip_addr); + +int security_policy_init(struct verify_proxy * verify, const char* profile_path); char *web_json_table_add(void *pme); diff --git a/common/include/verify_policy_utils.h b/common/include/verify_policy_utils.h index d5fc219..13f9ee4 100644 --- a/common/include/verify_policy_utils.h +++ b/common/include/verify_policy_utils.h @@ -48,6 +48,8 @@ #define ALLOC(type, number) ((type *)calloc(sizeof(type), number)) #define FREE(p) {free(*p);*p=NULL;} +char* rt_strdup(const char* s); + #define CHECK_OR_EXIT(condition, fmt, ...) \ do { if(!(condition)) { mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, fmt, ##__VA_ARGS__); exit(EXIT_FAILURE); } } while(0) \ diff --git a/common/src/verify_policy_utils.cpp b/common/src/verify_policy_utils.cpp new file mode 100644 index 0000000..a05df68 --- /dev/null +++ b/common/src/verify_policy_utils.cpp @@ -0,0 +1,18 @@ +#include +#include +#include +#include + +char* rt_strdup(const char* s) +{ + char*d=NULL; + if(s==NULL) + { + return NULL; + } + + d=(char*)malloc(strlen(s)+1); + memcpy(d,s,strlen(s)+1); + return d; +} + diff --git a/platform/src/verify_policy.cpp b/platform/src/verify_policy.cpp index b755bd5..589b6d7 100644 --- a/platform/src/verify_policy.cpp +++ b/platform/src/verify_policy.cpp @@ -17,31 +17,44 @@ #include #include +#include //inet_addr +#include //inet_addr +#include //inet_addr +#include + #include "verify_policy.h" #include "MESA_prof_load.h" #include "MESA_handle_logger.h" +#include "verify_policy_utils.h" #include "verify_policy_logging.h" struct verify_proxy * g_verify_proxy = NULL; struct keyword_obj { - enum scan_table condition_type; - char *condition_scope; - char *keyword; -}; + int protocol_field; + char *content_type; + char *content; + char *protocol_field_name; + + struct ipaddr *ip_addr; -struct verify_policy_query -{ - enum scan_table object_type; int addr_type; - + int protocol; char *clientIp1; unsigned int clientPort1; char *serverIp1; unsigned int serverPort1; - struct keyword_obj keywords[16]; + char *subscriberid; +}; + +struct verify_policy_query +{ + int c_num; + enum policy_type type; + char *policy_type_name; + struct keyword_obj keywords[32]; }; /* VERSION STRING */ @@ -74,32 +87,145 @@ static int verify_policy_init(struct verify_proxy * verify, const char *profile) return xret; } -enum scan_table verify_type_str2idx(const char *action_str) +enum policy_type policy_type_str2idx(const char *action_str) { - const char * table_name[__SCAN_TABLE_MAX]; - table_name[PXY_CTRL_IP] = "ip"; - table_name[PXY_CTRL_HTTP_URL] = "url"; - table_name[PXY_CTRL_HTTP_FQDN] = "fqdn"; - table_name[PXY_CTRL_HTTP_REQ_HDR] = "req_hdr"; - table_name[PXY_CTRL_HTTP_REQ_BODY] = "keywords"; - table_name[PXY_CTRL_HTTP_RES_HDR] = "res_hdr"; - table_name[PXY_CTRL_HTTP_RES_BODY] = "keywords"; - table_name[PXY_CTRL_SUBSCRIBE_ID] = "subscribeid"; + const char * policy_name[__SCAN_POLICY_MAX]; + policy_name[PXY_TABLE_SECURITY] = "tsg_security"; + policy_name[PXY_TABLE_MANIPULATION] = "proxy_manipulation"; + policy_name[PXY_TABLE_DEFENCE] = "active_defence"; size_t i = 0; + for (i = 0; i < sizeof(policy_name) / sizeof(const char *); i++) + { + if (0 == strcasecmp(action_str, policy_name[i])) + break; + } + return (enum policy_type)i; +} + +int field_type_str2idx(enum policy_type type, const char *action_str) +{ + const char * table_name[__SECURITY_TABLE_MAX] ={0}; + + switch(type) + { + case PXY_TABLE_MANIPULATION: + table_name[PXY_CTRL_IP] = "TSG_OBJ_IP_ADDR"; + table_name[PXY_CTRL_HTTP_URL] = "TSG_FIELD_HTTP_URL"; + table_name[PXY_CTRL_HTTP_FQDN] = "TSG_FIELD_HTTP_HOST"; + table_name[PXY_CTRL_HTTP_REQ_HDR] = "TSG_FIELD_HTTP_REQ_HDR"; + table_name[PXY_CTRL_HTTP_REQ_BODY] = "TSG_FIELD_HTTP_REQ_CONTENT"; + table_name[PXY_CTRL_HTTP_RES_HDR] = "TSG_FIELD_HTTP_RES_HDR"; + table_name[PXY_CTRL_HTTP_RES_BODY] = "TSG_FIELD_HTTP_RES_CONTENT"; + table_name[PXY_CTRL_SUBSCRIBE_ID] = "TSG_OBJ_SUBSCRIBER_ID"; + break; + case PXY_TABLE_SECURITY: + table_name[PXY_SECURITY_IP] = "TSG_OBJ_IP_ADDR"; + table_name[PXY_SECURITY_HTTP_URL] = "TSG_FIELD_HTTP_URL"; + table_name[PXY_SECURITY_HTTP_FQDN] = "TSG_FIELD_HTTP_HOST"; + table_name[PXY_SECURITY_HTTP_REQ_HDR] = "TSG_FIELD_HTTP_REQ_HDR"; + table_name[PXY_SECURITY_HTTP_REQ_BODY] = "TSG_FIELD_HTTP_REQ_CONTENT"; + table_name[PXY_SECURITY_HTTP_RES_HDR] = "TSG_FIELD_HTTP_RES_HDR"; + table_name[PXY_SECURITY_HTTP_RES_BODY] = "TSG_FIELD_HTTP_RES_CONTENT"; + table_name[PXY_SECURITY_SUBSCRIBE_ID] = "TSG_OBJ_SUBSCRIBER_ID"; + table_name[PXY_SECURITY_HTTPS_SNI] = "TSG_FIELD_SSL_SNI"; + table_name[PXY_SECURITY_HTTPS_CN] = "TSG_FIELD_SSL_CN"; + table_name[PXY_SECURITY_HTTPS_SAN] = "TSG_FIELD_SSL_SAN"; + table_name[PXY_SECURITY_DNS_QNAME] = "TSG_FIELD_DNS_QNAME"; + table_name[PXY_SECURITY_MAIL_ACCOUNT] = "TSG_FIELD_MAIL_ACCOUNT"; + table_name[PXY_SECURITY_FTP_URI] = "TSG_FIELD_MAIL_ACCOUNT"; + table_name[PXY_SECURITY_MAIL_ACCOUNT] = "TSG_FIELD_MAIL_ACCOUNT"; + table_name[PXY_SECURITY_MAIL_FROM] = "TSG_FIELD_MAIL_FROM"; + table_name[PXY_SECURITY_MAIL_TO] = "TSG_FIELD_MAIL_TO"; + table_name[PXY_SECURITY_MAIL_SUBJECT] = "TSG_FIELD_MAIL_SUBJECT"; + table_name[PXY_SECURITY_MAIL_CONTENT] = "TSG_FIELD_MAIL_CONTENT"; + table_name[PXY_SECURITY_MAIL_ATT_NAME] = "TSG_FIELD_MAIL_ATT_NAME"; + table_name[PXY_SECURITY_MAIL_ATT_CONTENT] = "TSG_FIELD_MAIL_ATT_CONTENT"; + table_name[PXY_SECURITY_FTP_URI] = "TSG_FIELD_FTP_URI"; + table_name[PXY_SECURITY_FTP_CONTENT] = "TSG_FIELD_FTP_CONTENT"; + table_name[PXY_SECURITY_FTP_ACCOUNT] = "TSG_FIELD_MAIL_ATT_NAME"; + break; + case PXY_TABLE_DEFENCE: + break; + default: + break; + } + size_t i = 0; + for (i = 0; i < sizeof(table_name) / sizeof(const char *); i++) { if (0 == strcasecmp(action_str, table_name[i])) break; } - return (enum scan_table)i; + + return i; } -struct verify_policy_query *get_query_from_request(const char *data) +void verify_policy_query(struct verify_policy_query *policy_query, int thread_id, cJSON *data_obj) +{ + int i = 0; + char buff[VERIFY_STRING_MAX], *p = NULL;; + + void *ctx = pangu_http_ctx_new(thread_id); + + mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "Query policy table is %s", policy_query->policy_type_name); + for (i = 0; i < policy_query->c_num; i++) + { + p = buff; + if(0 == strcasecmp(policy_query->keywords[i].content_type, "ip")) + { + http_scan(policy_query->keywords[i].content, policy_query->type, PXY_CTRL_IP, ctx, data_obj, policy_query->keywords[i].ip_addr); + } + else if(0 == strcasecmp(policy_query->keywords[i].content_type, "subscriberid")) + { + p += snprintf(p, sizeof(buff) - (p - buff), "contentType=%s, subscriberid=%s", policy_query->keywords[i].content_type, + policy_query->keywords[i].subscriberid); + http_scan(policy_query->keywords[i].content, policy_query->type, PXY_CTRL_SUBSCRIBE_ID, ctx, data_obj, NULL); + }else + { + p += snprintf(p, sizeof(buff) - (p - buff), "contentType=%s, protocolField=%s content=%s", policy_query->keywords[i].content_type, + policy_query->keywords[i].protocol_field_name, policy_query->keywords[i].content); + http_scan(policy_query->keywords[i].content, policy_query->type, policy_query->keywords[i].protocol_field, ctx, data_obj, NULL); + } + *p = '\0'; + mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "%s", buff); + } + + FREE(&ctx); + + return; +} + +struct ipaddr *ip_to_stream_addr(char *clientIp1, unsigned int clientPort1, char *serverIp1, unsigned int serverPort1, int addr_type) +{ + struct ipaddr *ip_addr = ALLOC(struct ipaddr, 1); + if(addr_type == 4) + { + struct stream_tuple4_v4 *v4_addr = ALLOC(struct stream_tuple4_v4, 1); + ip_addr->addrtype=ADDR_TYPE_IPV4; + inet_pton(AF_INET,clientIp1,&(v4_addr->saddr)); + v4_addr->source=htons(clientPort1); + inet_pton(AF_INET,serverIp1,&(v4_addr->daddr)); + v4_addr->dest=htons(serverPort1); + ip_addr->v4=v4_addr; + } + if(addr_type == 6) + { + struct stream_tuple4_v6 *v6_addr = ALLOC(struct stream_tuple4_v6, 1); + ip_addr->addrtype=ADDR_TYPE_IPV6; + inet_pton(AF_INET6,clientIp1,&(v6_addr->saddr)); + v6_addr->source=htons(clientPort1); + inet_pton(AF_INET6,serverIp1,&(v6_addr->daddr)); + v6_addr->dest=htons(serverPort1); + ip_addr->v6=v6_addr; + } + return ip_addr; +} + +cJSON *get_query_from_request(const char *data, int thread_id) { int c_num = 0, i = 0; - char buff[VERIFY_STRING_MAX], *p = NULL;; cJSON* data_json = cJSON_Parse(data); if(data_json == NULL) @@ -107,117 +233,119 @@ struct verify_policy_query *get_query_from_request(const char *data) mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "invalid policy parameter"); return NULL; } - struct verify_policy_query *query_ctx = ALLOC(struct verify_policy_query, 1); - cJSON* item = NULL, *subitem = NULL; - item = cJSON_GetObjectItem(data_json,"objectType"); - if(item && item->type==cJSON_String) - { - query_ctx->object_type =verify_type_str2idx(item->valuestring); - } - item=cJSON_GetObjectItem(data_json,"addrType"); - if(item && item->type==cJSON_Number) - { - query_ctx->addr_type = item->valueint; - } - item = cJSON_GetObjectItem(data_json,"clientIp1"); - if(item && item->type==cJSON_String) - { - query_ctx->clientIp1 =strdup(item->valuestring); - } - item = cJSON_GetObjectItem(data_json,"serverIp1"); - if(item && item->type==cJSON_String) - { - query_ctx->serverIp1 =strdup(item->valuestring); - } - item = cJSON_GetObjectItem(data_json,"clientPort1"); - if(item && item->type==cJSON_String) - { - query_ctx->clientPort1 =atoi(item->valuestring); - } - item = cJSON_GetObjectItem(data_json,"serverPort1"); - if(item && item->type==cJSON_String) - { - query_ctx->serverPort1 =atoi(item->valuestring); - } - p = buff; - p += snprintf(p, sizeof(buff) - (p - buff), "Query key objectType:%d, addrType:%d, clientIp1:%s, serverIp1:%s, clientPort1:%d, serverPort1:%d", - query_ctx->object_type, query_ctx->addr_type, query_ctx->clientIp1, query_ctx->serverIp1, query_ctx->clientPort1, query_ctx->serverPort1); - item = cJSON_GetObjectItem(data_json,"keywordObj"); + cJSON *policy_obj=NULL, *data_obj=NULL; + policy_obj=cJSON_CreateObject(); + + cJSON_AddNumberToObject(policy_obj, "code", 200); + cJSON_AddStringToObject(policy_obj, "msg", "Success"); + cJSON_AddNumberToObject(policy_obj, "success", 1); + + data_obj = cJSON_CreateObject(); + cJSON_AddItemToObject(policy_obj, "data", data_obj); + + cJSON* item = NULL, *subitem = NULL, *subchild = NULL; + item = cJSON_GetObjectItem(data_json,"verifyList"); if(item && item->type==cJSON_Array) { c_num=cJSON_GetArraySize(item); for (subitem = item->child; subitem != NULL; subitem = subitem->next) { - item = cJSON_GetObjectItem(subitem, "conditionScope"); + struct verify_policy_query *query_ctx = ALLOC(struct verify_policy_query, 1); + + item = cJSON_GetObjectItem(subitem,"policyType"); if(item && item->type==cJSON_String) { - query_ctx->keywords[i].condition_scope =strdup(item->valuestring); - query_ctx->keywords[i].condition_type = verify_type_str2idx(item->valuestring); + query_ctx->type = policy_type_str2idx(item->valuestring); + query_ctx->policy_type_name = item->valuestring; } - item = cJSON_GetObjectItem(subitem, "keywords"); - if(item && item->type==cJSON_String) + item = cJSON_GetObjectItem(subitem,"verifyConditions"); + if(item && item->type==cJSON_Array) { - query_ctx->keywords[i].keyword =strdup(item->valuestring); + query_ctx->c_num=c_num=cJSON_GetArraySize(item); + for (subchild = item->child; subchild != NULL; subchild = subchild->next) + { + item = cJSON_GetObjectItem(subchild, "contentType"); + if(item && item->type==cJSON_String) + { + query_ctx->keywords[i].content_type = item->valuestring; + } + if(0 == strcasecmp(query_ctx->keywords[i].content_type, "subscriberid")) + { + item = cJSON_GetObjectItem(subchild,"subscriberid"); + if(item && item->type==cJSON_String) + { + query_ctx->keywords[i].subscriberid = item->valuestring; + } + i++; + continue; + } + if(0 == strcasecmp(query_ctx->keywords[i].content_type, "ip")) + { + int addr_type=0, protocol=0; + char *clientIp1=NULL,*serverIp1=NULL; + unsigned int clientPort1=0,serverPort1=0; + item = cJSON_GetObjectItem(subchild,"clientIp"); + if(item && item->type==cJSON_String) + { + clientIp1 = item->valuestring; + } + item = cJSON_GetObjectItem(subchild,"serverIp"); + if(item && item->type==cJSON_String) + { + serverIp1 = (item->valuestring); + } + item = cJSON_GetObjectItem(subchild,"clientPort"); + if(item && item->type==cJSON_String) + { + clientPort1 =atoi(item->valuestring); + } + item = cJSON_GetObjectItem(subchild,"serverPort"); + if(item && item->type==cJSON_String) + { + serverPort1 =atoi(item->valuestring); + } + item = cJSON_GetObjectItem(subchild,"protocol"); + if(item && item->type==cJSON_Number) + { + protocol = item->valueint; + } + item=cJSON_GetObjectItem(subchild,"addrType"); + if(item && item->type==cJSON_Number) + { + addr_type = item->valueint; + } + + query_ctx->keywords[i].ip_addr = ip_to_stream_addr(clientIp1, clientPort1, serverIp1, serverPort1, addr_type); + i++; + continue; + } + item = cJSON_GetObjectItem(subchild, "protocolField"); + if(item && item->type==cJSON_String) + { + query_ctx->keywords[i].protocol_field = field_type_str2idx(query_ctx->type, item->valuestring); + query_ctx->keywords[i].protocol_field_name = item->valuestring; + } + item = cJSON_GetObjectItem(subchild, "content"); + if(item && item->type==cJSON_String) + { + query_ctx->keywords[i].content = item->valuestring; + } + i++; + } } - i++; + + verify_policy_query(query_ctx, thread_id, data_obj); + + i=0; + FREE(&query_ctx); } } - for (i = 0; i < c_num; i++) - { - p += snprintf(p, sizeof(buff) - (p - buff), ", conditionScope:%s, keywords:%s", query_ctx->keywords[i].condition_scope, query_ctx->keywords[i].keyword); - } - *p = '\0'; - mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "%s", buff); - return query_ctx; + cJSON_Delete(data_json); + return policy_obj; } -char *verify_policy_scan(struct verify_policy_query *policy_query, int thread_id) -{ - int c_num = 0; char *policy_payload= NULL; - void * ctx = pangu_http_ctx_new(thread_id); - - for (c_num = 0; policy_query->keywords[c_num].keyword != NULL; c_num++) - { - struct keyword_obj *key_obj = &policy_query->keywords[c_num]; - - if (key_obj->condition_scope == NULL) - key_obj->condition_type = policy_query->object_type; - - switch(key_obj->condition_type) - { - case PXY_CTRL_IP: - http_scan(key_obj->keyword, EV_HTTP_IP, NULL, 0, ctx); - break; - case PXY_CTRL_SUBSCRIBE_ID: - http_scan(key_obj->keyword, EV_HTTP_SUBSCRIBE_ID, NULL, 0, ctx); - case PXY_CTRL_HTTP_URL: - http_scan(key_obj->keyword, EV_HTTP_URL, NULL, 0, ctx); - break; - case PXY_CTRL_HTTP_FQDN: - http_scan(key_obj->keyword, EV_HTTP_FQDN, NULL, 0, ctx); - break; - case PXY_CTRL_HTTP_REQ_HDR: - http_scan(key_obj->keyword, EV_HTTP_REQ_HDR, NULL, 0, ctx); - break; - case PXY_CTRL_HTTP_RES_HDR: - http_scan(key_obj->keyword, EV_HTTP_RESP_HDR, NULL, 0, ctx); - break; - case PXY_CTRL_HTTP_REQ_BODY: - case PXY_CTRL_HTTP_RES_BODY: - http_scan(key_obj->keyword, EV_HTTP_CONTENT, NULL, 0, ctx); - break; - default: - break; - } - } - policy_payload = web_json_table_add(ctx); - - return policy_payload; -} - -static int -evhttp_socket_send(struct evhttp_request *req, char *sendbuf) +static int evhttp_socket_send(struct evhttp_request *req, char *sendbuf) { struct evbuffer *evb = NULL; @@ -243,10 +371,9 @@ done: void evhttp_request_cb(struct evhttp_request *evh_req, void *arg) { - char *policy_payload= NULL; + char *policy_payload= NULL; cJSON *policy_obj; struct evbuffer * evbuf_body = NULL; char *input = NULL; ssize_t inputlen=0; - struct verify_policy_query *policy_query = NULL; struct verify_proxy_thread *thread_ctx = (struct verify_proxy_thread *)arg; @@ -261,7 +388,21 @@ void evhttp_request_cb(struct evhttp_request *evh_req, void *arg) mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Failed to get post data information."); goto error; } - policy_query = get_query_from_request(input); + + policy_obj = get_query_from_request(input, thread_ctx->id); + if(policy_obj == NULL) + { + goto error; + } + + policy_payload = cJSON_PrintUnformatted(policy_obj); + printf("%s\n", policy_payload); + evhttp_socket_send(evh_req, policy_payload); + + cJSON_Delete(policy_obj); + free(policy_payload); + + #if 0 if (policy_query == NULL) { mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Data parsing failed."); @@ -275,6 +416,7 @@ void evhttp_request_cb(struct evhttp_request *evh_req, void *arg) evhttp_socket_send(evh_req, policy_payload); free(policy_payload); } + #endif goto finish; error: @@ -484,6 +626,9 @@ int main(int argc, char * argv[]) ret = pangu_policy_init(g_verify_proxy, main_profile); CHECK_OR_EXIT(ret == 0, "Failed at init panggu module, Exit."); + ret = security_policy_init(g_verify_proxy, main_profile); + CHECK_OR_EXIT(ret == 0, "Failed at init security module, Exit."); + ret = pangu_policy_work_thread_run(g_verify_proxy); return ret; diff --git a/scan/src/pangu_http.cpp b/scan/src/pangu_http.cpp index 7978706..908aba5 100644 --- a/scan/src/pangu_http.cpp +++ b/scan/src/pangu_http.cpp @@ -52,13 +52,13 @@ struct pangu_http_ctx struct pangu_rt { - Maat_feather_t maat; + Maat_feather_t maat[__SCAN_POLICY_MAX]; Maat_feather_t dyn_maat; int subscriber_id_table_id; void * local_logger; int log_level; int thread_num; - int scan_table_id[__SCAN_TABLE_MAX]; + int scan_table_id[__SCAN_POLICY_MAX][__SECURITY_TABLE_MAX]; }; struct pangu_rt * g_pangu_rt; @@ -172,7 +172,7 @@ char *web_json_table_add(void *pme) policy_obj=cJSON_CreateObject(); cJSON_AddNumberToObject(policy_obj, "code", 200); - cJSON_AddStringToObject(policy_obj, "msg", ""); + cJSON_AddStringToObject(policy_obj, "msg", "Success"); cJSON_AddNumberToObject(policy_obj, "success", 1); data_obj = cJSON_CreateObject(); @@ -218,86 +218,50 @@ char *web_json_table_add(void *pme) return policy_payload; } -void http_scan(const char * value, enum tfe_http_event events, - const unsigned char * body_frag, size_t frag_size, void *pme) +void http_scan(const char * value, enum policy_type type, int protocol_field, void *pme, cJSON *data_obj, struct ipaddr *ip_addr) { - const char * field_val = NULL; int scan_ret = 0, table_id = 0; - size_t hit_cnt = 0; + struct Maat_rule_t result[MAX_SCAN_RESULT]; + char buff[VERIFY_STRING_MAX], * p = NULL; + size_t hit_cnt = 0, i = 0; struct pangu_http_ctx * ctx = (struct pangu_http_ctx *) pme; - if (events & EV_HTTP_IP) + if (protocol_field == PXY_CTRL_IP) { - scan_ret = Maat_scan_proto_addr(g_pangu_rt->maat, g_pangu_rt->scan_table_id[PXY_CTRL_IP], NULL, 0, + scan_ret = Maat_scan_proto_addr(g_pangu_rt->maat[type], g_pangu_rt->scan_table_id[type][protocol_field], ip_addr, 0, ctx->result+hit_cnt, MAX_SCAN_RESULT-hit_cnt, &(ctx->scan_mid), ctx->thread_id); if (scan_ret > 0) { hit_cnt += scan_ret; } + goto decide; } - if (events & EV_HTTP_SUBSCRIBE_ID) + if ((protocol_field == PXY_CTRL_HTTP_REQ_HDR) || (protocol_field == PXY_CTRL_HTTP_RES_HDR)) { - scan_ret = Maat_full_scan_string(g_pangu_rt->maat, g_pangu_rt->scan_table_id[PXY_CTRL_SUBSCRIBE_ID], - CHARSET_UTF8, value, strlen(value), - ctx->result+hit_cnt, NULL, MAX_SCAN_RESULT-hit_cnt, - &(ctx->scan_mid), ctx->thread_id); - if(scan_ret>0) - { - hit_cnt+=scan_ret; - } - } - - if (events & EV_HTTP_FQDN) - { - const char *str_host = value; - int str_host_length = (int) (strlen(value)); - - scan_ret = Maat_full_scan_string(g_pangu_rt->maat, g_pangu_rt->scan_table_id[PXY_CTRL_HTTP_FQDN], - CHARSET_UTF8, str_host, str_host_length, ctx->result, NULL, MAX_SCAN_RESULT, &(ctx->scan_mid), ctx->thread_id); - if (scan_ret > 0) - { - hit_cnt += scan_ret; - } - } - if (events & EV_HTTP_URL) - { - const char * str_url = value; - int str_url_length = (int) (strlen(value)); - - scan_ret = Maat_full_scan_string(g_pangu_rt->maat, g_pangu_rt->scan_table_id[PXY_CTRL_HTTP_URL], - CHARSET_UTF8, str_url, str_url_length, ctx->result + hit_cnt, NULL, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid), ctx->thread_id); - - if (scan_ret > 0) - { - hit_cnt += scan_ret; - } - } - - if ((events & EV_HTTP_REQ_HDR) || (events & EV_HTTP_RESP_HDR)) - { - table_id = events & PXY_CTRL_HTTP_REQ_HDR ? g_pangu_rt->scan_table_id[PXY_CTRL_HTTP_REQ_HDR] : g_pangu_rt->scan_table_id[PXY_CTRL_HTTP_RES_HDR]; + table_id = (protocol_field == PXY_CTRL_HTTP_REQ_HDR) ? g_pangu_rt->scan_table_id[type][PXY_CTRL_HTTP_REQ_HDR] : g_pangu_rt->scan_table_id[type][PXY_CTRL_HTTP_RES_HDR]; const char * str_field_name = NULL; - scan_ret = Maat_set_scan_status(g_pangu_rt->maat, &(ctx->scan_mid), MAAT_SET_SCAN_DISTRICT, + scan_ret = Maat_set_scan_status(g_pangu_rt->maat[type], &(ctx->scan_mid), MAAT_SET_SCAN_DISTRICT, str_field_name, strlen(str_field_name)); assert(scan_ret == 0); - scan_ret = Maat_full_scan_string(g_pangu_rt->maat, table_id, - CHARSET_UTF8, field_val, strlen(field_val), + scan_ret = Maat_full_scan_string(g_pangu_rt->maat[type], table_id, + CHARSET_UTF8, value, strlen(value), ctx->result + hit_cnt, NULL, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid), ctx->thread_id); if (scan_ret > 0) { hit_cnt += scan_ret; } + goto decide; } - if ((events & EV_HTTP_CONTENT)) + if ((protocol_field == PXY_CTRL_HTTP_REQ_BODY) || protocol_field == PXY_CTRL_HTTP_RES_BODY) { assert(ctx->sp == NULL); - table_id = events & EV_HTTP_CONTENT ? g_pangu_rt->scan_table_id[PXY_CTRL_HTTP_REQ_BODY] : g_pangu_rt->scan_table_id[PXY_CTRL_HTTP_RES_BODY]; - ctx->sp = Maat_stream_scan_string_start(g_pangu_rt->maat, table_id, ctx->thread_id); - scan_ret = Maat_stream_scan_string(&(ctx->sp), CHARSET_UTF8, (const char *) body_frag, (int) frag_size, + table_id = protocol_field == PXY_CTRL_HTTP_REQ_BODY ? g_pangu_rt->scan_table_id[type][PXY_CTRL_HTTP_REQ_BODY] : g_pangu_rt->scan_table_id[type][PXY_CTRL_HTTP_RES_BODY]; + ctx->sp = Maat_stream_scan_string_start(g_pangu_rt->maat[type], table_id, ctx->thread_id); + scan_ret = Maat_stream_scan_string(&(ctx->sp), CHARSET_UTF8, (const char *) value, (int) strlen(value), ctx->result + hit_cnt, NULL, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid)); if (scan_ret > 0) { @@ -305,12 +269,36 @@ void http_scan(const char * value, enum tfe_http_event events, } Maat_stream_scan_string_end(&(ctx->sp)); ctx->sp = NULL; + goto decide; } + scan_ret = Maat_full_scan_string(g_pangu_rt->maat[type], g_pangu_rt->scan_table_id[type][protocol_field], + CHARSET_UTF8, value, strlen(value), + ctx->result+hit_cnt, NULL, MAX_SCAN_RESULT-hit_cnt, + &(ctx->scan_mid), ctx->thread_id); + if(scan_ret>0) + { + hit_cnt+=scan_ret; + } +decide: if (hit_cnt > 0) { ctx->action = decide_ctrl_action(ctx->result, hit_cnt, &ctx->enforce_rules, &ctx->n_enforce); ctx->hit_cnt = hit_cnt; + cJSON *execute_obj=NULL, *hit_obj=NULL; + hit_obj = cJSON_CreateObject(); + cJSON_AddItemToObject(data_obj, "hitPolicyList", hit_obj); + if (ctx->hit_cnt >= 1) + { + for (i = 0; i < ctx->hit_cnt; i++) + { + cJSON_AddNumberToObject(hit_obj, "policyId", ctx->result[i].config_id); + } + } + /*executePolicyList **/ + execute_obj = cJSON_CreateObject(); + cJSON_AddItemToObject(data_obj, "executePolicyList", execute_obj); + cJSON_AddNumberToObject(execute_obj, "policyId", ctx->enforce_rules[0].config_id); } return ; } @@ -320,7 +308,7 @@ char * verify_policy_str_to_addr() return NULL; } -static Maat_feather_t create_maat_feather(const char * instance_name, const char * profile, const char * section, int max_thread, void * logger) +static Maat_feather_t create_maat_feather(const char * instance_name, const char * profile, const char * section, const char *table_name, int max_thread, void * logger) { Maat_feather_t target; int input_mode = 0, maat_perf_on = 0; @@ -336,7 +324,7 @@ static Maat_feather_t create_maat_feather(const char * instance_name, const char MESA_load_profile_int_def(profile, section, "maat_input_mode", &(input_mode), 0); MESA_load_profile_int_def(profile, section, "perf_switch", &(maat_perf_on), 1); - MESA_load_profile_string_def(profile, section, "table_info", table_info, sizeof(table_info), ""); + MESA_load_profile_string_def(profile, section, table_name, table_info, sizeof(table_info), ""); MESA_load_profile_string_def(profile, section, "accept_tags", accept_tags, sizeof(accept_tags), ""); MESA_load_profile_string_def(profile, section, "json_cfg_file", json_cfg_file, sizeof(json_cfg_file), ""); @@ -468,8 +456,8 @@ int pangu_policy_init(struct verify_proxy * verify, const char* profile_path) g_pangu_rt->thread_num = verify->nr_work_threads; g_pangu_rt->local_logger = verify->logger; - g_pangu_rt->maat = create_maat_feather("static", profile_path, "MAAT", g_pangu_rt->thread_num, g_pangu_rt->local_logger); - if (!g_pangu_rt->maat) + g_pangu_rt->maat[PXY_TABLE_MANIPULATION] = create_maat_feather("static", profile_path, "MAAT", "table_info", g_pangu_rt->thread_num, g_pangu_rt->local_logger); + if (!g_pangu_rt->maat[PXY_TABLE_MANIPULATION]) { goto error_out; } @@ -485,16 +473,18 @@ int pangu_policy_init(struct verify_proxy * verify, const char* profile_path) table_name[PXY_CTRL_SUBSCRIBE_ID] = "TSG_OBJ_SUBSCRIBER_ID"; for (int i = 0; i < __SCAN_TABLE_MAX; i++) { - g_pangu_rt->scan_table_id[i] = Maat_table_register(g_pangu_rt->maat, table_name[i]); - if (g_pangu_rt->scan_table_id[i] < 0) + g_pangu_rt->scan_table_id[PXY_TABLE_MANIPULATION][i] = Maat_table_register(g_pangu_rt->maat[PXY_TABLE_MANIPULATION], table_name[i]); + + printf("%p table_name %s, table id %d, i = %d\n", g_pangu_rt->maat[PXY_TABLE_MANIPULATION], table_name[i], g_pangu_rt->scan_table_id[PXY_TABLE_MANIPULATION][i], i); + if (g_pangu_rt->scan_table_id[PXY_TABLE_MANIPULATION][i] < 0) { mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Pangu HTTP Maat table %s register failed.", table_name[i]); goto error_out; } } - g_pangu_rt->dyn_maat = create_maat_feather("dyn", profile_path, "DYNAMIC_MAAT", g_pangu_rt->thread_num, g_pangu_rt->local_logger); - if (!g_pangu_rt->maat) + g_pangu_rt->dyn_maat = create_maat_feather("dyn", profile_path, "DYNAMIC_MAAT", "table_info", g_pangu_rt->thread_num, g_pangu_rt->local_logger); + if (!g_pangu_rt->dyn_maat) { goto error_out; } @@ -512,7 +502,54 @@ int pangu_policy_init(struct verify_proxy * verify, const char* profile_path) mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Pangu HTTP Dynamic Maat TSG_DYN_SUBSCRIBER_IP EX data register failed."); goto error_out; } - + ret = 0; +error_out: + return ret; +} + +int security_policy_init(struct verify_proxy * verify, const char* profile_path) +{ + int ret = -1; + + g_pangu_rt->maat[PXY_TABLE_SECURITY] = create_maat_feather("static", profile_path, "MAAT", "table_info_tsg", g_pangu_rt->thread_num, g_pangu_rt->local_logger); + if (!g_pangu_rt->maat[PXY_TABLE_SECURITY]) + { + goto error_out; + } + const char * table_name[__SECURITY_TABLE_MAX]; + table_name[PXY_SECURITY_IP] = "TSG_OBJ_IP_ADDR"; + table_name[PXY_SECURITY_HTTP_URL] = "TSG_FIELD_HTTP_URL"; + table_name[PXY_SECURITY_HTTP_FQDN] = "TSG_FIELD_HTTP_HOST"; + table_name[PXY_SECURITY_HTTP_REQ_HDR] = "TSG_FIELD_HTTP_REQ_HDR"; + table_name[PXY_SECURITY_HTTP_REQ_BODY] = "TSG_FIELD_HTTP_REQ_CONTENT"; + table_name[PXY_SECURITY_HTTP_RES_HDR] = "TSG_FIELD_HTTP_RES_HDR"; + table_name[PXY_SECURITY_HTTP_RES_BODY] = "TSG_FIELD_HTTP_RES_CONTENT"; + table_name[PXY_SECURITY_SUBSCRIBE_ID] = "TSG_OBJ_SUBSCRIBER_ID"; + table_name[PXY_SECURITY_HTTPS_SNI] = "TSG_FIELD_SSL_SNI"; + table_name[PXY_SECURITY_HTTPS_CN] = "TSG_FIELD_SSL_CN"; + table_name[PXY_SECURITY_HTTPS_SAN] = "TSG_FIELD_SSL_SAN"; + table_name[PXY_SECURITY_DNS_QNAME] = "TSG_FIELD_DNS_QNAME"; + table_name[PXY_SECURITY_MAIL_ACCOUNT] = "TSG_FIELD_MAIL_ACCOUNT"; + table_name[PXY_SECURITY_MAIL_FROM] = "TSG_FIELD_MAIL_FROM"; + table_name[PXY_SECURITY_MAIL_TO] = "TSG_FIELD_MAIL_TO"; + table_name[PXY_SECURITY_MAIL_SUBJECT] = "TSG_FIELD_MAIL_SUBJECT"; + table_name[PXY_SECURITY_MAIL_CONTENT] = "TSG_FIELD_MAIL_CONTENT"; + table_name[PXY_SECURITY_MAIL_ATT_NAME] = "TSG_FIELD_MAIL_ATT_NAME"; + table_name[PXY_SECURITY_MAIL_ATT_CONTENT] = "TSG_FIELD_MAIL_ATT_CONTENT"; + table_name[PXY_SECURITY_FTP_URI] = "TSG_FIELD_FTP_URI"; + table_name[PXY_SECURITY_FTP_CONTENT] = "TSG_FIELD_FTP_CONTENT"; + table_name[PXY_SECURITY_FTP_ACCOUNT] = "TSG_FIELD_MAIL_ATT_NAME"; + + for (int i = 0; i < __SECURITY_TABLE_MAX; i++) + { + g_pangu_rt->scan_table_id[PXY_TABLE_SECURITY][i] = Maat_table_register(g_pangu_rt->maat[PXY_TABLE_SECURITY], table_name[i]); + printf("SECURITY: %p table_name %s, table id %d, i = %d\n", g_pangu_rt->maat[PXY_TABLE_SECURITY], table_name[i], g_pangu_rt->scan_table_id[PXY_TABLE_SECURITY][i], i); + if (g_pangu_rt->scan_table_id[PXY_TABLE_SECURITY][i] < 0) + { + mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Security policy maat table %s register failed.", table_name[i]); + goto error_out; + } + } ret = 0; error_out: return ret;