gfwleak/tango-verify-policy
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

*初始化两个maat能命中版本

Browse Source
This commit is contained in:
fengweihao
2020-01-17 10:59:34 +08:00
parent 3308970cdc
commit 7740e213da
6 changed files with 429 additions and 190 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
common/CMakeLists.txt
View File

@@ -1,4 +1,4 @@
add_library(common src/verify_policy_logging.cpp)
add_library(common src/verify_policy_logging.cpp src/verify_policy_utils.cpp)
target_include_directories(common PUBLIC ${CMAKE_CURRENT_LIST_DIR}/include)
target_link_libraries(common PUBLIC MESA_handle_logger libevent-static)

43
common/include/verify_policy.h
View File

@@ -11,7 +11,15 @@
#include <event2/event.h>
#include "verify_policy_utils.h"
enum scan_table
enum policy_type
{
PXY_TABLE_SECURITY,
PXY_TABLE_MANIPULATION,
PXY_TABLE_DEFENCE,
__SCAN_POLICY_MAX
};
enum manipulate_sacn_table
{
PXY_CTRL_IP,
PXY_CTRL_HTTP_URL,
@@ -24,6 +32,33 @@ enum scan_table
__SCAN_TABLE_MAX
};
enum security_scan_table
{
PXY_SECURITY_IP,
PXY_SECURITY_HTTP_URL,
PXY_SECURITY_HTTP_FQDN,
PXY_SECURITY_HTTP_REQ_HDR,
PXY_SECURITY_HTTP_REQ_BODY,
PXY_SECURITY_HTTP_RES_HDR,
PXY_SECURITY_HTTP_RES_BODY,
PXY_SECURITY_SUBSCRIBE_ID,
PXY_SECURITY_HTTPS_SNI,
PXY_SECURITY_HTTPS_CN,
PXY_SECURITY_HTTPS_SAN,
PXY_SECURITY_DNS_QNAME,
PXY_SECURITY_MAIL_ACCOUNT,
PXY_SECURITY_MAIL_FROM,
PXY_SECURITY_MAIL_TO,
PXY_SECURITY_MAIL_SUBJECT,
PXY_SECURITY_MAIL_CONTENT,
PXY_SECURITY_MAIL_ATT_NAME,
PXY_SECURITY_MAIL_ATT_CONTENT,
PXY_SECURITY_FTP_URI,
PXY_SECURITY_FTP_CONTENT,
PXY_SECURITY_FTP_ACCOUNT,
__SECURITY_TABLE_MAX
};
enum http_ev_bit_number
{
IP_BITNUM = 0,
@@ -71,8 +106,10 @@ extern struct verify_proxy * g_verify_proxy;
void * pangu_http_ctx_new(unsigned int thread_id);
void http_scan(const char * value, enum tfe_http_event events,
const unsigned char * body_frag, size_t frag_size, void *pme);
void http_scan(const char * value, enum policy_type type, int protocol_field, void *pme, cJSON *data_obj, struct ipaddr *ip_addr);
int security_policy_init(struct verify_proxy * verify, const char* profile_path);
char *web_json_table_add(void *pme);

2
common/include/verify_policy_utils.h
View File

@@ -48,6 +48,8 @@
#define ALLOC(type, number) ((type *)calloc(sizeof(type), number))
#define FREE(p) {free(*p);*p=NULL;}
char* rt_strdup(const char* s);
#define CHECK_OR_EXIT(condition, fmt, ...) \
do { if(!(condition)) { mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, fmt, ##__VA_ARGS__); exit(EXIT_FAILURE); } } while(0) \

18
common/src/verify_policy_utils.cpp Normal file
View File

@@ -0,0 +1,18 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <assert.h>
char* rt_strdup(const char* s)
{
char*d=NULL;
if(s==NULL)
{
return NULL;
}
d=(char*)malloc(strlen(s)+1);
memcpy(d,s,strlen(s)+1);
return d;
}

375
platform/src/verify_policy.cpp
View File

@@ -17,31 +17,44 @@
#include <cjson/cJSON.h>
#include <event2/buffer.h>
#include <sys/socket.h>//inet_addr
#include <netinet/in.h>//inet_addr
#include <arpa/inet.h>//inet_addr
#include <MESA/stream.h>
#include "verify_policy.h"
#include "MESA_prof_load.h"
#include "MESA_handle_logger.h"
#include "verify_policy_utils.h"
#include "verify_policy_logging.h"
struct verify_proxy * g_verify_proxy = NULL;
struct keyword_obj
{
enum scan_table condition_type;
char *condition_scope;
char *keyword;
};
int protocol_field;
char *content_type;
char *content;
char *protocol_field_name;
struct ipaddr *ip_addr;
struct verify_policy_query
{
enum scan_table object_type;
int addr_type;
int protocol;
char *clientIp1;
unsigned int clientPort1;
char *serverIp1;
unsigned int serverPort1;
struct keyword_obj keywords[16];
char *subscriberid;
};
struct verify_policy_query
{
int c_num;
enum policy_type type;
char *policy_type_name;
struct keyword_obj keywords[32];
};
/* VERSION STRING */
@@ -74,32 +87,145 @@ static int verify_policy_init(struct verify_proxy * verify, const char *profile)
return xret;
}
enum scan_table verify_type_str2idx(const char *action_str)
enum policy_type policy_type_str2idx(const char *action_str)
{
const char * table_name[__SCAN_TABLE_MAX];
table_name[PXY_CTRL_IP] = "ip";
table_name[PXY_CTRL_HTTP_URL] = "url";
table_name[PXY_CTRL_HTTP_FQDN] = "fqdn";
table_name[PXY_CTRL_HTTP_REQ_HDR] = "req_hdr";
table_name[PXY_CTRL_HTTP_REQ_BODY] = "keywords";
table_name[PXY_CTRL_HTTP_RES_HDR] = "res_hdr";
table_name[PXY_CTRL_HTTP_RES_BODY] = "keywords";
table_name[PXY_CTRL_SUBSCRIBE_ID] = "subscribeid";
const char * policy_name[__SCAN_POLICY_MAX];
policy_name[PXY_TABLE_SECURITY] = "tsg_security";
policy_name[PXY_TABLE_MANIPULATION] = "proxy_manipulation";
policy_name[PXY_TABLE_DEFENCE] = "active_defence";
size_t i = 0;
for (i = 0; i < sizeof(policy_name) / sizeof(const char *); i++)
{
if (0 == strcasecmp(action_str, policy_name[i]))
break;
}
return (enum policy_type)i;
}
int field_type_str2idx(enum policy_type type, const char *action_str)
{
const char * table_name[__SECURITY_TABLE_MAX] ={0};
switch(type)
{
case PXY_TABLE_MANIPULATION:
table_name[PXY_CTRL_IP] = "TSG_OBJ_IP_ADDR";
table_name[PXY_CTRL_HTTP_URL] = "TSG_FIELD_HTTP_URL";
table_name[PXY_CTRL_HTTP_FQDN] = "TSG_FIELD_HTTP_HOST";
table_name[PXY_CTRL_HTTP_REQ_HDR] = "TSG_FIELD_HTTP_REQ_HDR";
table_name[PXY_CTRL_HTTP_REQ_BODY] = "TSG_FIELD_HTTP_REQ_CONTENT";
table_name[PXY_CTRL_HTTP_RES_HDR] = "TSG_FIELD_HTTP_RES_HDR";
table_name[PXY_CTRL_HTTP_RES_BODY] = "TSG_FIELD_HTTP_RES_CONTENT";
table_name[PXY_CTRL_SUBSCRIBE_ID] = "TSG_OBJ_SUBSCRIBER_ID";
break;
case PXY_TABLE_SECURITY:
table_name[PXY_SECURITY_IP] = "TSG_OBJ_IP_ADDR";
table_name[PXY_SECURITY_HTTP_URL] = "TSG_FIELD_HTTP_URL";
table_name[PXY_SECURITY_HTTP_FQDN] = "TSG_FIELD_HTTP_HOST";
table_name[PXY_SECURITY_HTTP_REQ_HDR] = "TSG_FIELD_HTTP_REQ_HDR";
table_name[PXY_SECURITY_HTTP_REQ_BODY] = "TSG_FIELD_HTTP_REQ_CONTENT";
table_name[PXY_SECURITY_HTTP_RES_HDR] = "TSG_FIELD_HTTP_RES_HDR";
table_name[PXY_SECURITY_HTTP_RES_BODY] = "TSG_FIELD_HTTP_RES_CONTENT";
table_name[PXY_SECURITY_SUBSCRIBE_ID] = "TSG_OBJ_SUBSCRIBER_ID";
table_name[PXY_SECURITY_HTTPS_SNI] = "TSG_FIELD_SSL_SNI";
table_name[PXY_SECURITY_HTTPS_CN] = "TSG_FIELD_SSL_CN";
table_name[PXY_SECURITY_HTTPS_SAN] = "TSG_FIELD_SSL_SAN";
table_name[PXY_SECURITY_DNS_QNAME] = "TSG_FIELD_DNS_QNAME";
table_name[PXY_SECURITY_MAIL_ACCOUNT] = "TSG_FIELD_MAIL_ACCOUNT";
table_name[PXY_SECURITY_FTP_URI] = "TSG_FIELD_MAIL_ACCOUNT";
table_name[PXY_SECURITY_MAIL_ACCOUNT] = "TSG_FIELD_MAIL_ACCOUNT";
table_name[PXY_SECURITY_MAIL_FROM] = "TSG_FIELD_MAIL_FROM";
table_name[PXY_SECURITY_MAIL_TO] = "TSG_FIELD_MAIL_TO";
table_name[PXY_SECURITY_MAIL_SUBJECT] = "TSG_FIELD_MAIL_SUBJECT";
table_name[PXY_SECURITY_MAIL_CONTENT] = "TSG_FIELD_MAIL_CONTENT";
table_name[PXY_SECURITY_MAIL_ATT_NAME] = "TSG_FIELD_MAIL_ATT_NAME";
table_name[PXY_SECURITY_MAIL_ATT_CONTENT] = "TSG_FIELD_MAIL_ATT_CONTENT";
table_name[PXY_SECURITY_FTP_URI] = "TSG_FIELD_FTP_URI";
table_name[PXY_SECURITY_FTP_CONTENT] = "TSG_FIELD_FTP_CONTENT";
table_name[PXY_SECURITY_FTP_ACCOUNT] = "TSG_FIELD_MAIL_ATT_NAME";
break;
case PXY_TABLE_DEFENCE:
break;
default:
break;
}
size_t i = 0;
for (i = 0; i < sizeof(table_name) / sizeof(const char *); i++)
{
if (0 == strcasecmp(action_str, table_name[i]))
break;
}
return (enum scan_table)i;
return i;
}
struct verify_policy_query *get_query_from_request(const char *data)
void verify_policy_query(struct verify_policy_query *policy_query, int thread_id, cJSON *data_obj)
{
int i = 0;
char buff[VERIFY_STRING_MAX], *p = NULL;;
void *ctx = pangu_http_ctx_new(thread_id);
mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "Query policy table is %s", policy_query->policy_type_name);
for (i = 0; i < policy_query->c_num; i++)
{
p = buff;
if(0 == strcasecmp(policy_query->keywords[i].content_type, "ip"))
{
http_scan(policy_query->keywords[i].content, policy_query->type, PXY_CTRL_IP, ctx, data_obj, policy_query->keywords[i].ip_addr);
}
else if(0 == strcasecmp(policy_query->keywords[i].content_type, "subscriberid"))
{
p += snprintf(p, sizeof(buff) - (p - buff), "contentType=%s, subscriberid=%s", policy_query->keywords[i].content_type,
policy_query->keywords[i].subscriberid);
http_scan(policy_query->keywords[i].content, policy_query->type, PXY_CTRL_SUBSCRIBE_ID, ctx, data_obj, NULL);
}else
{
p += snprintf(p, sizeof(buff) - (p - buff), "contentType=%s, protocolField=%s content=%s", policy_query->keywords[i].content_type,
policy_query->keywords[i].protocol_field_name, policy_query->keywords[i].content);
http_scan(policy_query->keywords[i].content, policy_query->type, policy_query->keywords[i].protocol_field, ctx, data_obj, NULL);
}
*p = '\0';
mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "%s", buff);
}
FREE(&ctx);
return;
}
struct ipaddr *ip_to_stream_addr(char *clientIp1, unsigned int clientPort1, char *serverIp1, unsigned int serverPort1, int addr_type)
{
struct ipaddr *ip_addr = ALLOC(struct ipaddr, 1);
if(addr_type == 4)
{
struct stream_tuple4_v4 *v4_addr = ALLOC(struct stream_tuple4_v4, 1);
ip_addr->addrtype=ADDR_TYPE_IPV4;
inet_pton(AF_INET,clientIp1,&(v4_addr->saddr));
v4_addr->source=htons(clientPort1);
inet_pton(AF_INET,serverIp1,&(v4_addr->daddr));
v4_addr->dest=htons(serverPort1);
ip_addr->v4=v4_addr;
}
if(addr_type == 6)
{
struct stream_tuple4_v6 *v6_addr = ALLOC(struct stream_tuple4_v6, 1);
ip_addr->addrtype=ADDR_TYPE_IPV6;
inet_pton(AF_INET6,clientIp1,&(v6_addr->saddr));
v6_addr->source=htons(clientPort1);
inet_pton(AF_INET6,serverIp1,&(v6_addr->daddr));
v6_addr->dest=htons(serverPort1);
ip_addr->v6=v6_addr;
}
return ip_addr;
}
cJSON *get_query_from_request(const char *data, int thread_id)
{
int c_num = 0, i = 0;
char buff[VERIFY_STRING_MAX], *p = NULL;;
cJSON* data_json = cJSON_Parse(data);
if(data_json == NULL)
@@ -107,117 +233,119 @@ struct verify_policy_query *get_query_from_request(const char *data)
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "invalid policy parameter");
return NULL;
}
struct verify_policy_query *query_ctx = ALLOC(struct verify_policy_query, 1);
cJSON* item = NULL, *subitem = NULL;
item = cJSON_GetObjectItem(data_json,"objectType");
if(item && item->type==cJSON_String)
{
query_ctx->object_type =verify_type_str2idx(item->valuestring);
}
item=cJSON_GetObjectItem(data_json,"addrType");
if(item && item->type==cJSON_Number)
{
query_ctx->addr_type = item->valueint;
}
item = cJSON_GetObjectItem(data_json,"clientIp1");
if(item && item->type==cJSON_String)
{
query_ctx->clientIp1 =strdup(item->valuestring);
}
item = cJSON_GetObjectItem(data_json,"serverIp1");
if(item && item->type==cJSON_String)
{
query_ctx->serverIp1 =strdup(item->valuestring);
}
item = cJSON_GetObjectItem(data_json,"clientPort1");
if(item && item->type==cJSON_String)
{
query_ctx->clientPort1 =atoi(item->valuestring);
}
item = cJSON_GetObjectItem(data_json,"serverPort1");
if(item && item->type==cJSON_String)
{
query_ctx->serverPort1 =atoi(item->valuestring);
}
p = buff;
p += snprintf(p, sizeof(buff) - (p - buff), "Query key objectType:%d, addrType:%d, clientIp1:%s, serverIp1:%s, clientPort1:%d, serverPort1:%d",
query_ctx->object_type, query_ctx->addr_type, query_ctx->clientIp1, query_ctx->serverIp1, query_ctx->clientPort1, query_ctx->serverPort1);
item = cJSON_GetObjectItem(data_json,"keywordObj");
cJSON *policy_obj=NULL, *data_obj=NULL;
policy_obj=cJSON_CreateObject();
cJSON_AddNumberToObject(policy_obj, "code", 200);
cJSON_AddStringToObject(policy_obj, "msg", "Success");
cJSON_AddNumberToObject(policy_obj, "success", 1);
data_obj = cJSON_CreateObject();
cJSON_AddItemToObject(policy_obj, "data", data_obj);
cJSON* item = NULL, *subitem = NULL, *subchild = NULL;
item = cJSON_GetObjectItem(data_json,"verifyList");
if(item && item->type==cJSON_Array)
{
c_num=cJSON_GetArraySize(item);
for (subitem = item->child; subitem != NULL; subitem = subitem->next)
{
item = cJSON_GetObjectItem(subitem, "conditionScope");
struct verify_policy_query *query_ctx = ALLOC(struct verify_policy_query, 1);
item = cJSON_GetObjectItem(subitem,"policyType");
if(item && item->type==cJSON_String)
{
query_ctx->keywords[i].condition_scope =strdup(item->valuestring);
query_ctx->keywords[i].condition_type = verify_type_str2idx(item->valuestring);
query_ctx->type = policy_type_str2idx(item->valuestring);
query_ctx->policy_type_name = item->valuestring;
}
item = cJSON_GetObjectItem(subitem, "keywords");
item = cJSON_GetObjectItem(subitem,"verifyConditions");
if(item && item->type==cJSON_Array)
{
query_ctx->c_num=c_num=cJSON_GetArraySize(item);
for (subchild = item->child; subchild != NULL; subchild = subchild->next)
{
item = cJSON_GetObjectItem(subchild, "contentType");
if(item && item->type==cJSON_String)
{
query_ctx->keywords[i].keyword =strdup(item->valuestring);
query_ctx->keywords[i].content_type = item->valuestring;
}
if(0 == strcasecmp(query_ctx->keywords[i].content_type, "subscriberid"))
{
item = cJSON_GetObjectItem(subchild,"subscriberid");
if(item && item->type==cJSON_String)
{
query_ctx->keywords[i].subscriberid = item->valuestring;
}
i++;
continue;
}
if(0 == strcasecmp(query_ctx->keywords[i].content_type, "ip"))
{
int addr_type=0, protocol=0;
char *clientIp1=NULL,*serverIp1=NULL;
unsigned int clientPort1=0,serverPort1=0;
item = cJSON_GetObjectItem(subchild,"clientIp");
if(item && item->type==cJSON_String)
{
clientIp1 = item->valuestring;
}
item = cJSON_GetObjectItem(subchild,"serverIp");
if(item && item->type==cJSON_String)
{
serverIp1 = (item->valuestring);
}
item = cJSON_GetObjectItem(subchild,"clientPort");
if(item && item->type==cJSON_String)
{
clientPort1 =atoi(item->valuestring);
}
item = cJSON_GetObjectItem(subchild,"serverPort");
if(item && item->type==cJSON_String)
{
serverPort1 =atoi(item->valuestring);
}
item = cJSON_GetObjectItem(subchild,"protocol");
if(item && item->type==cJSON_Number)
{
protocol = item->valueint;
}
item=cJSON_GetObjectItem(subchild,"addrType");
if(item && item->type==cJSON_Number)
{
addr_type = item->valueint;
}
query_ctx->keywords[i].ip_addr = ip_to_stream_addr(clientIp1, clientPort1, serverIp1, serverPort1, addr_type);
i++;
continue;
}
item = cJSON_GetObjectItem(subchild, "protocolField");
if(item && item->type==cJSON_String)
{
query_ctx->keywords[i].protocol_field = field_type_str2idx(query_ctx->type, item->valuestring);
query_ctx->keywords[i].protocol_field_name = item->valuestring;
}
item = cJSON_GetObjectItem(subchild, "content");
if(item && item->type==cJSON_String)
{
query_ctx->keywords[i].content = item->valuestring;
}
i++;
}
}
for (i = 0; i < c_num; i++)
{
p += snprintf(p, sizeof(buff) - (p - buff), ", conditionScope:%s, keywords:%s", query_ctx->keywords[i].condition_scope, query_ctx->keywords[i].keyword);
}
*p = '\0';
mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "%s", buff);
return query_ctx;
}
char *verify_policy_scan(struct verify_policy_query *policy_query, int thread_id)
{
int c_num = 0; char *policy_payload= NULL;
void * ctx = pangu_http_ctx_new(thread_id);
verify_policy_query(query_ctx, thread_id, data_obj);
for (c_num = 0; policy_query->keywords[c_num].keyword != NULL; c_num++)
{
struct keyword_obj *key_obj = &policy_query->keywords[c_num];
if (key_obj->condition_scope == NULL)
key_obj->condition_type = policy_query->object_type;
switch(key_obj->condition_type)
{
case PXY_CTRL_IP:
http_scan(key_obj->keyword, EV_HTTP_IP, NULL, 0, ctx);
break;
case PXY_CTRL_SUBSCRIBE_ID:
http_scan(key_obj->keyword, EV_HTTP_SUBSCRIBE_ID, NULL, 0, ctx);
case PXY_CTRL_HTTP_URL:
http_scan(key_obj->keyword, EV_HTTP_URL, NULL, 0, ctx);
break;
case PXY_CTRL_HTTP_FQDN:
http_scan(key_obj->keyword, EV_HTTP_FQDN, NULL, 0, ctx);
break;
case PXY_CTRL_HTTP_REQ_HDR:
http_scan(key_obj->keyword, EV_HTTP_REQ_HDR, NULL, 0, ctx);
break;
case PXY_CTRL_HTTP_RES_HDR:
http_scan(key_obj->keyword, EV_HTTP_RESP_HDR, NULL, 0, ctx);
break;
case PXY_CTRL_HTTP_REQ_BODY:
case PXY_CTRL_HTTP_RES_BODY:
http_scan(key_obj->keyword, EV_HTTP_CONTENT, NULL, 0, ctx);
break;
default:
break;
i=0;
FREE(&query_ctx);
}
}
policy_payload = web_json_table_add(ctx);
return policy_payload;
cJSON_Delete(data_json);
return policy_obj;
}
static int
evhttp_socket_send(struct evhttp_request *req, char *sendbuf)
static int evhttp_socket_send(struct evhttp_request *req, char *sendbuf)
{
struct evbuffer *evb = NULL;
@@ -243,10 +371,9 @@ done:
void evhttp_request_cb(struct evhttp_request *evh_req, void *arg)
{
char *policy_payload= NULL;
char *policy_payload= NULL; cJSON *policy_obj;
struct evbuffer * evbuf_body = NULL;
char *input = NULL; ssize_t inputlen=0;
struct verify_policy_query *policy_query = NULL;
struct verify_proxy_thread *thread_ctx = (struct verify_proxy_thread *)arg;
@@ -261,7 +388,21 @@ void evhttp_request_cb(struct evhttp_request *evh_req, void *arg)
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Failed to get post data information.");
goto error;
}
policy_query = get_query_from_request(input);
policy_obj = get_query_from_request(input, thread_ctx->id);
if(policy_obj == NULL)
{
goto error;
}
policy_payload = cJSON_PrintUnformatted(policy_obj);
printf("%s\n", policy_payload);
evhttp_socket_send(evh_req, policy_payload);
cJSON_Delete(policy_obj);
free(policy_payload);
#if 0
if (policy_query == NULL)
{
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Data parsing failed.");
@@ -275,6 +416,7 @@ void evhttp_request_cb(struct evhttp_request *evh_req, void *arg)
evhttp_socket_send(evh_req, policy_payload);
free(policy_payload);
}
#endif
goto finish;
error:
@@ -484,6 +626,9 @@ int main(int argc, char * argv[])
ret = pangu_policy_init(g_verify_proxy, main_profile);
CHECK_OR_EXIT(ret == 0, "Failed at init panggu module, Exit.");
ret = security_policy_init(g_verify_proxy, main_profile);
CHECK_OR_EXIT(ret == 0, "Failed at init security module, Exit.");
ret = pangu_policy_work_thread_run(g_verify_proxy);
return ret;

167
scan/src/pangu_http.cpp
View File

@@ -52,13 +52,13 @@ struct pangu_http_ctx
struct pangu_rt
{
Maat_feather_t maat;
Maat_feather_t maat[__SCAN_POLICY_MAX];
Maat_feather_t dyn_maat;
int subscriber_id_table_id;
void * local_logger;
int log_level;
int thread_num;
int scan_table_id[__SCAN_TABLE_MAX];
int scan_table_id[__SCAN_POLICY_MAX][__SECURITY_TABLE_MAX];
};
struct pangu_rt * g_pangu_rt;
@@ -172,7 +172,7 @@ char *web_json_table_add(void *pme)
policy_obj=cJSON_CreateObject();
cJSON_AddNumberToObject(policy_obj, "code", 200);
cJSON_AddStringToObject(policy_obj, "msg", "");
cJSON_AddStringToObject(policy_obj, "msg", "Success");
cJSON_AddNumberToObject(policy_obj, "success", 1);
data_obj = cJSON_CreateObject();
@@ -218,86 +218,50 @@ char *web_json_table_add(void *pme)
return policy_payload;
}
void http_scan(const char * value, enum tfe_http_event events,
const unsigned char * body_frag, size_t frag_size, void *pme)
void http_scan(const char * value, enum policy_type type, int protocol_field, void *pme, cJSON *data_obj, struct ipaddr *ip_addr)
{
const char * field_val = NULL;
int scan_ret = 0, table_id = 0;
size_t hit_cnt = 0;
struct Maat_rule_t result[MAX_SCAN_RESULT];
char buff[VERIFY_STRING_MAX], * p = NULL;
size_t hit_cnt = 0, i = 0;
struct pangu_http_ctx * ctx = (struct pangu_http_ctx *) pme;
if (events & EV_HTTP_IP)
if (protocol_field == PXY_CTRL_IP)
{
scan_ret = Maat_scan_proto_addr(g_pangu_rt->maat, g_pangu_rt->scan_table_id[PXY_CTRL_IP], NULL, 0,
scan_ret = Maat_scan_proto_addr(g_pangu_rt->maat[type], g_pangu_rt->scan_table_id[type][protocol_field], ip_addr, 0,
ctx->result+hit_cnt, MAX_SCAN_RESULT-hit_cnt, &(ctx->scan_mid), ctx->thread_id);
if (scan_ret > 0)
{
hit_cnt += scan_ret;
}
goto decide;
}
if (events & EV_HTTP_SUBSCRIBE_ID)
if ((protocol_field == PXY_CTRL_HTTP_REQ_HDR) || (protocol_field == PXY_CTRL_HTTP_RES_HDR))
{
scan_ret = Maat_full_scan_string(g_pangu_rt->maat, g_pangu_rt->scan_table_id[PXY_CTRL_SUBSCRIBE_ID],
CHARSET_UTF8, value, strlen(value),
ctx->result+hit_cnt, NULL, MAX_SCAN_RESULT-hit_cnt,
&(ctx->scan_mid), ctx->thread_id);
if(scan_ret>0)
{
hit_cnt+=scan_ret;
}
}
if (events & EV_HTTP_FQDN)
{
const char *str_host = value;
int str_host_length = (int) (strlen(value));
scan_ret = Maat_full_scan_string(g_pangu_rt->maat, g_pangu_rt->scan_table_id[PXY_CTRL_HTTP_FQDN],
CHARSET_UTF8, str_host, str_host_length, ctx->result, NULL, MAX_SCAN_RESULT, &(ctx->scan_mid), ctx->thread_id);
if (scan_ret > 0)
{
hit_cnt += scan_ret;
}
}
if (events & EV_HTTP_URL)
{
const char * str_url = value;
int str_url_length = (int) (strlen(value));
scan_ret = Maat_full_scan_string(g_pangu_rt->maat, g_pangu_rt->scan_table_id[PXY_CTRL_HTTP_URL],
CHARSET_UTF8, str_url, str_url_length, ctx->result + hit_cnt, NULL, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid), ctx->thread_id);
if (scan_ret > 0)
{
hit_cnt += scan_ret;
}
}
if ((events & EV_HTTP_REQ_HDR) || (events & EV_HTTP_RESP_HDR))
{
table_id = events & PXY_CTRL_HTTP_REQ_HDR ? g_pangu_rt->scan_table_id[PXY_CTRL_HTTP_REQ_HDR] : g_pangu_rt->scan_table_id[PXY_CTRL_HTTP_RES_HDR];
table_id = (protocol_field == PXY_CTRL_HTTP_REQ_HDR) ? g_pangu_rt->scan_table_id[type][PXY_CTRL_HTTP_REQ_HDR] : g_pangu_rt->scan_table_id[type][PXY_CTRL_HTTP_RES_HDR];
const char * str_field_name = NULL;
scan_ret = Maat_set_scan_status(g_pangu_rt->maat, &(ctx->scan_mid), MAAT_SET_SCAN_DISTRICT,
scan_ret = Maat_set_scan_status(g_pangu_rt->maat[type], &(ctx->scan_mid), MAAT_SET_SCAN_DISTRICT,
str_field_name, strlen(str_field_name));
assert(scan_ret == 0);
scan_ret = Maat_full_scan_string(g_pangu_rt->maat, table_id,
CHARSET_UTF8, field_val, strlen(field_val),
scan_ret = Maat_full_scan_string(g_pangu_rt->maat[type], table_id,
CHARSET_UTF8, value, strlen(value),
ctx->result + hit_cnt, NULL, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid), ctx->thread_id);
if (scan_ret > 0)
{
hit_cnt += scan_ret;
}
goto decide;
}
if ((events & EV_HTTP_CONTENT))
if ((protocol_field == PXY_CTRL_HTTP_REQ_BODY) || protocol_field == PXY_CTRL_HTTP_RES_BODY)
{
assert(ctx->sp == NULL);
table_id = events & EV_HTTP_CONTENT ? g_pangu_rt->scan_table_id[PXY_CTRL_HTTP_REQ_BODY] : g_pangu_rt->scan_table_id[PXY_CTRL_HTTP_RES_BODY];
ctx->sp = Maat_stream_scan_string_start(g_pangu_rt->maat, table_id, ctx->thread_id);
scan_ret = Maat_stream_scan_string(&(ctx->sp), CHARSET_UTF8, (const char *) body_frag, (int) frag_size,
table_id = protocol_field == PXY_CTRL_HTTP_REQ_BODY ? g_pangu_rt->scan_table_id[type][PXY_CTRL_HTTP_REQ_BODY] : g_pangu_rt->scan_table_id[type][PXY_CTRL_HTTP_RES_BODY];
ctx->sp = Maat_stream_scan_string_start(g_pangu_rt->maat[type], table_id, ctx->thread_id);
scan_ret = Maat_stream_scan_string(&(ctx->sp), CHARSET_UTF8, (const char *) value, (int) strlen(value),
ctx->result + hit_cnt, NULL, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid));
if (scan_ret > 0)
{
@@ -305,12 +269,36 @@ void http_scan(const char * value, enum tfe_http_event events,
}
Maat_stream_scan_string_end(&(ctx->sp));
ctx->sp = NULL;
goto decide;
}
scan_ret = Maat_full_scan_string(g_pangu_rt->maat[type], g_pangu_rt->scan_table_id[type][protocol_field],
CHARSET_UTF8, value, strlen(value),
ctx->result+hit_cnt, NULL, MAX_SCAN_RESULT-hit_cnt,
&(ctx->scan_mid), ctx->thread_id);
if(scan_ret>0)
{
hit_cnt+=scan_ret;
}
decide:
if (hit_cnt > 0)
{
ctx->action = decide_ctrl_action(ctx->result, hit_cnt, &ctx->enforce_rules, &ctx->n_enforce);
ctx->hit_cnt = hit_cnt;
cJSON *execute_obj=NULL, *hit_obj=NULL;
hit_obj = cJSON_CreateObject();
cJSON_AddItemToObject(data_obj, "hitPolicyList", hit_obj);
if (ctx->hit_cnt >= 1)
{
for (i = 0; i < ctx->hit_cnt; i++)
{
cJSON_AddNumberToObject(hit_obj, "policyId", ctx->result[i].config_id);
}
}
/*executePolicyList **/
execute_obj = cJSON_CreateObject();
cJSON_AddItemToObject(data_obj, "executePolicyList", execute_obj);
cJSON_AddNumberToObject(execute_obj, "policyId", ctx->enforce_rules[0].config_id);
}
return ;
}
@@ -320,7 +308,7 @@ char * verify_policy_str_to_addr()
return NULL;
}
static Maat_feather_t create_maat_feather(const char * instance_name, const char * profile, const char * section, int max_thread, void * logger)
static Maat_feather_t create_maat_feather(const char * instance_name, const char * profile, const char * section, const char *table_name, int max_thread, void * logger)
{
Maat_feather_t target;
int input_mode = 0, maat_perf_on = 0;
@@ -336,7 +324,7 @@ static Maat_feather_t create_maat_feather(const char * instance_name, const char
MESA_load_profile_int_def(profile, section, "maat_input_mode", &(input_mode), 0);
MESA_load_profile_int_def(profile, section, "perf_switch", &(maat_perf_on), 1);
MESA_load_profile_string_def(profile, section, "table_info", table_info, sizeof(table_info), "");
MESA_load_profile_string_def(profile, section, table_name, table_info, sizeof(table_info), "");
MESA_load_profile_string_def(profile, section, "accept_tags", accept_tags, sizeof(accept_tags), "");
MESA_load_profile_string_def(profile, section, "json_cfg_file", json_cfg_file, sizeof(json_cfg_file), "");
@@ -468,8 +456,8 @@ int pangu_policy_init(struct verify_proxy * verify, const char* profile_path)
g_pangu_rt->thread_num = verify->nr_work_threads;
g_pangu_rt->local_logger = verify->logger;
g_pangu_rt->maat = create_maat_feather("static", profile_path, "MAAT", g_pangu_rt->thread_num, g_pangu_rt->local_logger);
if (!g_pangu_rt->maat)
g_pangu_rt->maat[PXY_TABLE_MANIPULATION] = create_maat_feather("static", profile_path, "MAAT", "table_info", g_pangu_rt->thread_num, g_pangu_rt->local_logger);
if (!g_pangu_rt->maat[PXY_TABLE_MANIPULATION])
{
goto error_out;
}
@@ -485,16 +473,18 @@ int pangu_policy_init(struct verify_proxy * verify, const char* profile_path)
table_name[PXY_CTRL_SUBSCRIBE_ID] = "TSG_OBJ_SUBSCRIBER_ID";
for (int i = 0; i < __SCAN_TABLE_MAX; i++)
{
g_pangu_rt->scan_table_id[i] = Maat_table_register(g_pangu_rt->maat, table_name[i]);
if (g_pangu_rt->scan_table_id[i] < 0)
g_pangu_rt->scan_table_id[PXY_TABLE_MANIPULATION][i] = Maat_table_register(g_pangu_rt->maat[PXY_TABLE_MANIPULATION], table_name[i]);
printf("%p table_name %s, table id %d, i = %d\n", g_pangu_rt->maat[PXY_TABLE_MANIPULATION], table_name[i], g_pangu_rt->scan_table_id[PXY_TABLE_MANIPULATION][i], i);
if (g_pangu_rt->scan_table_id[PXY_TABLE_MANIPULATION][i] < 0)
{
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Pangu HTTP Maat table %s register failed.", table_name[i]);
goto error_out;
}
}
g_pangu_rt->dyn_maat = create_maat_feather("dyn", profile_path, "DYNAMIC_MAAT", g_pangu_rt->thread_num, g_pangu_rt->local_logger);
if (!g_pangu_rt->maat)
g_pangu_rt->dyn_maat = create_maat_feather("dyn", profile_path, "DYNAMIC_MAAT", "table_info", g_pangu_rt->thread_num, g_pangu_rt->local_logger);
if (!g_pangu_rt->dyn_maat)
{
goto error_out;
}
@@ -512,7 +502,54 @@ int pangu_policy_init(struct verify_proxy * verify, const char* profile_path)
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Pangu HTTP Dynamic Maat TSG_DYN_SUBSCRIBER_IP EX data register failed.");
goto error_out;
}
ret = 0;
error_out:
return ret;
}
int security_policy_init(struct verify_proxy * verify, const char* profile_path)
{
int ret = -1;
g_pangu_rt->maat[PXY_TABLE_SECURITY] = create_maat_feather("static", profile_path, "MAAT", "table_info_tsg", g_pangu_rt->thread_num, g_pangu_rt->local_logger);
if (!g_pangu_rt->maat[PXY_TABLE_SECURITY])
{
goto error_out;
}
const char * table_name[__SECURITY_TABLE_MAX];
table_name[PXY_SECURITY_IP] = "TSG_OBJ_IP_ADDR";
table_name[PXY_SECURITY_HTTP_URL] = "TSG_FIELD_HTTP_URL";
table_name[PXY_SECURITY_HTTP_FQDN] = "TSG_FIELD_HTTP_HOST";
table_name[PXY_SECURITY_HTTP_REQ_HDR] = "TSG_FIELD_HTTP_REQ_HDR";
table_name[PXY_SECURITY_HTTP_REQ_BODY] = "TSG_FIELD_HTTP_REQ_CONTENT";
table_name[PXY_SECURITY_HTTP_RES_HDR] = "TSG_FIELD_HTTP_RES_HDR";
table_name[PXY_SECURITY_HTTP_RES_BODY] = "TSG_FIELD_HTTP_RES_CONTENT";
table_name[PXY_SECURITY_SUBSCRIBE_ID] = "TSG_OBJ_SUBSCRIBER_ID";
table_name[PXY_SECURITY_HTTPS_SNI] = "TSG_FIELD_SSL_SNI";
table_name[PXY_SECURITY_HTTPS_CN] = "TSG_FIELD_SSL_CN";
table_name[PXY_SECURITY_HTTPS_SAN] = "TSG_FIELD_SSL_SAN";
table_name[PXY_SECURITY_DNS_QNAME] = "TSG_FIELD_DNS_QNAME";
table_name[PXY_SECURITY_MAIL_ACCOUNT] = "TSG_FIELD_MAIL_ACCOUNT";
table_name[PXY_SECURITY_MAIL_FROM] = "TSG_FIELD_MAIL_FROM";
table_name[PXY_SECURITY_MAIL_TO] = "TSG_FIELD_MAIL_TO";
table_name[PXY_SECURITY_MAIL_SUBJECT] = "TSG_FIELD_MAIL_SUBJECT";
table_name[PXY_SECURITY_MAIL_CONTENT] = "TSG_FIELD_MAIL_CONTENT";
table_name[PXY_SECURITY_MAIL_ATT_NAME] = "TSG_FIELD_MAIL_ATT_NAME";
table_name[PXY_SECURITY_MAIL_ATT_CONTENT] = "TSG_FIELD_MAIL_ATT_CONTENT";
table_name[PXY_SECURITY_FTP_URI] = "TSG_FIELD_FTP_URI";
table_name[PXY_SECURITY_FTP_CONTENT] = "TSG_FIELD_FTP_CONTENT";
table_name[PXY_SECURITY_FTP_ACCOUNT] = "TSG_FIELD_MAIL_ATT_NAME";
for (int i = 0; i < __SECURITY_TABLE_MAX; i++)
{
g_pangu_rt->scan_table_id[PXY_TABLE_SECURITY][i] = Maat_table_register(g_pangu_rt->maat[PXY_TABLE_SECURITY], table_name[i]);
printf("SECURITY: %p table_name %s, table id %d, i = %d\n", g_pangu_rt->maat[PXY_TABLE_SECURITY], table_name[i], g_pangu_rt->scan_table_id[PXY_TABLE_SECURITY][i], i);
if (g_pangu_rt->scan_table_id[PXY_TABLE_SECURITY][i] < 0)
{
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Security policy maat table %s register failed.", table_name[i]);
goto error_out;
}
}
ret = 0;
error_out:
return ret;