From be7368a0cce09adaf66f3697a8c2efb05f79fcff Mon Sep 17 00:00:00 2001
From: fengweihao
Date: Fri, 16 Aug 2024 10:32:02 +0800
Subject: [PATCH] =?UTF-8?q?TSG-22199=20=E4=BF=AE=E5=A4=8Dtunnel=E8=B0=83?=
 =?UTF-8?q?=E7=94=A8no=5Flogic=E6=83=85=E5=86=B5=E4=B8=8B=E5=91=BD?=
 =?UTF-8?q?=E4=B8=AD=E8=B7=AF=E5=BE=84=E8=AE=B0=E5=BD=95=E9=97=AE=E9=A2=98?=
 =?UTF-8?q?=EF=BC=8C=E4=BC=98=E5=8C=96Fqdn=E5=91=BD=E4=B8=AD=E8=B7=AF?=
 =?UTF-8?q?=E5=BE=84=E6=9E=84=E5=BB=BA?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 common/src/log.c | 6 -
 platform/src/verify_matcher.cpp | 139 +++++++++++-----
 resource/table_info_simple.conf | 35 ----
 test/CMakeLists.txt | 3 -
 test/resource/HitPolicyRequest.json | 106 +++++++++++-
 test/resource/HitPolicyResult.json | 137 +++++++++++++++
 test/resource/VerifyPolicyManipulation.json | 175 ++++++++++++++++++++
 test/resource/VerifyPolicyTunnel.json | 118 -------------
 test/verify_policy_test.cpp | 48 +++++-
 9 files changed, 558 insertions(+), 209 deletions(-)
 delete mode 100644 test/resource/VerifyPolicyTunnel.json
diff --git a/common/src/log.c b/common/src/log.c
index 07b266e..7773606 100644
--- a/common/src/log.c
+++ b/common/src/log.c
@@ -135,12 +135,6 @@ static int log_create_path(const char *file_path)
 }
 }
- FILE *fp = fopen(file_path, "w");
- if (NULL == fp) {
- return -1;
- }
-
- fclose(fp);
 return 1;
 }
diff --git a/platform/src/verify_matcher.cpp b/platform/src/verify_matcher.cpp
index c9434d6..bdb751e 100644
--- a/platform/src/verify_matcher.cpp
+++ b/platform/src/verify_matcher.cpp
@@ -199,7 +199,7 @@ enum category_type
 CATEGORY_TYPE_ASN,
 CATEGORY_TYPE_WEBSITE_CATEGORY,
 CATEGORY_TYPE_INTERNET_SERVICE,
- CATEGORY_TYPE_IOC,
+ CATEGORY_TYPE_SECURITY_THREAT,
 CATEGORY_TYPE_RISK,
 CATEGORY_TYPE_MAX
 };
@@ -270,8 +270,7 @@ struct verify_policy_rt
 {
 int log_level;
 int thread_num;
- int load_ip_location;
- int load_fqdn_cat;
+ int load_library;
 int hit_path_size;
 int compile_table_id[__SCAN_POLICY_MAX];
 int plugin_table_id[__SCAN_POLICY_MAX];
@@ -1144,6 +1143,7 @@ int hit_object_exists_by_ids(cJSON* hitPaths, int item_id, int superior_object_i
 cJSON *hitsObj=NULL;
 /*In cases of multiple hits, although the compile_id is inconsistent, the item_id and superior_object_id remain consistent.**/
+ /*For tunnel_endpointa if hit non and tunnel_endpointb hit not logic the same nth_scan record will exist **/
 for(hitsObj = hitPaths->child; hitsObj != NULL; hitsObj = hitsObj->next)
 {
 cJSON *itemId = cJSON_GetObjectItem(hitsObj, "item_id");
@@ -1204,7 +1204,7 @@ void http_get_scan_status(struct request_object_list *request_object, int compil
 ctx->hit_path[i].top_group_id = ctx->hit_path[i].sub_group_id;
 }
- if(ctx->hit_path[i].compile_id > 0 && hit_object_exists_by_ids(hitPaths, ctx->hit_path[i].item_id, ctx->hit_path[i].top_group_id))
+ if(hit_object_exists_by_ids(hitPaths, ctx->hit_path[i].item_id, ctx->hit_path[i].top_group_id))
 {
 break;
 }
@@ -1297,7 +1297,7 @@ int add_object_table_name(UT_array *ut_array_by_object, int Nth_scan, int top_gr
 cJSON *tag_id = cJSON_GetObjectItem(topObject, "tag_id");
 if(tag_id != NULL)
 {
- return 0;
+ goto finish;
 }
 cJSON_AddNumberToObject(topObject, "object_id", top_group_id);
@@ -1313,11 +1313,11 @@ int add_object_table_name(UT_array *ut_array_by_object, int Nth_scan, int top_gr
 {
 cJSON_AddStringToObject(topObject, "table_name", subchild->valuestring);
 }
- break;
+ goto finish;
 }
 }
 }
-
+finish:
 return 0;
 }
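Review bot: The comment added above the loop in hit_object_exists_by_ids is hard to parse (`if hit non and tunnel_endpointb hit not logic the same nth_scan record will exist`), and since it is the justification for the caller in http_get_scan_status no longer requiring `compile_id > 0`, it should be precise. If I read the intent correctly, `/* A tunnel_endpointa with no hit and a tunnel_endpointb hit under NOT logic share one nth_scan record, so compile_id cannot tell them apart; match on item_id and superior_object_id only */` says the same thing unambiguously. The loop body continues outside the hunk.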
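Review bot: The `goto finish` that replaces the inner-loop `break` in add_object_table_name changes behaviour, not just style: `finish:` sits after all the loops, so the function now stops at the first `table_name` match instead of leaving only the inner loop and continuing with the next object. If stopping early is the intended fix, say so at the jump, `goto finish; /* first table_name match wins; remaining objects are not consulted */`; if not, the `break` must stay. By contrast the `return 0;` → `goto finish;` swap in the previous hunk is a no-op, because the label is immediately followed by `return 0;`, and could be left as it was. The loops start outside the hunk.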
@@ -1445,6 +1445,71 @@ static int group_scan(struct policy_scan_ctx *ctx, int vsys_id, int hit_cnt, str return hit_cnt_group; } +#if 0 +int is_tag_id_in_array(long long *tag_id_array, int n_tag_ids, long long tag_id) +{ + for(int i=0; i < n_tag_ids; i++) + { + if(tag_id_array[i] == tag_id) + { + return 1; + } + } + return 0; +} + +int get_fqdn_entry_tag_ids(cJSON *hit_library, int vsys_id, const char *fqdn) +{ + int ret=0, hit_fqdn_entry=0; + cJSON *fqdn_entry_item=NULL; + int n_tag_ids=0; + long long tag_id_array[MAX_TAG_ID_NUM]={0}; + + if(fqdn == NULL) + { + return 0; + } + + log_info(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "[I] fqdn=%s", fqdn); + + struct library_entry_ctx *entry_ctx[MAX_EX_DATA_LEN]={0}; + ret=maat_fqdn_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[PROFILE_FQDN_ENTRY], fqdn, (void **)entry_ctx, MAX_EX_DATA_LEN); + for(int i=0; i < ret && i < MAX_EX_DATA_LEN; i++) + { + for(int j=0; j < entry_ctx[i]->n_tag_ids; j++) + { + if(is_tag_id_in_array(tag_id_array, n_tag_ids, entry_ctx[i]->tag_id_array[j])) + { + continue; + } + tag_id_array[n_tag_ids++] = entry_ctx[i]->tag_id_array[j]; + } + library_entry_free(entry_ctx[i]); + } + + char *tag_ids; int length = 0; + if(n_tag_ids > 0) + { + fqdn_entry_item=cJSON_CreateObject(); + for (int i = 0; i < n_tag_ids; i++) + { + if (i == 0) + { + length = asprintf(&tag_ids, "%lld", tag_id_array[i]); + } + else + { + length = asprintf(&tag_ids, "%s,%lld", tag_ids, tag_id_array[i]); + } + } + cJSON_AddStringToObject(fqdn_entry_item, "tag_ids", tag_ids); + cJSON_AddItemToArray(hit_library, fqdn_entry_item); + } + + return hit_fqdn_entry; +} +#endif + int get_fqdn_entry_tag_ids(cJSON *hit_library, int vsys_id, const char *fqdn) { int ret=0, hit_fqdn_entry=0; @@ -1469,6 +1534,7 @@ int get_fqdn_entry_tag_ids(cJSON *hit_library, int vsys_id, const char *fqdn) library_entry_free(entry_ctx[i]); } + return hit_fqdn_entry; } 
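Review bot: The `#if 0` block re-adds an old version of is_tag_id_in_array and get_fqdn_entry_tag_ids directly above the live definition; version control already keeps that history, so the dead code should be deleted rather than kept in the file. If it is retained for reference it must not be re-enabled as written: `tag_id_array[n_tag_ids++]` has no `n_tag_ids < MAX_TAG_ID_NUM` bound, so more distinct tag ids than MAX_TAG_ID_NUM would write past the stack array, and the `asprintf(&tag_ids, "%s,%lld", tag_ids, …)` chain passes the output pointer as an input and leaks the previous buffer on every iteration, with the final `tag_ids` never freed either. Note also that `hit_fqdn_entry` is never assigned in that version, so it would always return 0.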
@@ -1521,11 +1587,6 @@ int ip_entry_scan(struct request_object_list *request, struct policy_scan_ctx *c struct library_entry_ctx *source_ip_entry[MAX_EX_DATA_LEN]={0}; struct library_entry_ctx *destination_ip_entry[MAX_EX_DATA_LEN]={0}; - if(!g_policy_rt->load_ip_location) - { - return 0; - } - struct ip_addr dip, sip; ip_addr_to_address(request->ip_addr, &dip, &sip); @@ -1627,11 +1688,6 @@ int get_fqdn_category_id(struct request_object_list *request, struct policy_scan int ret=0, hit_cnt_fqdn=0; struct library_entry_ctx *fqdn_entry_ctx[MAX_EX_DATA_LEN]={0}; - if(!g_policy_rt->load_fqdn_cat) - { - return 0; - } - struct library_hit_path fqdn_entry; memset(&fqdn_entry, 0, sizeof(fqdn_entry)); @@ -1795,16 +1851,17 @@ int tunnel_scan(struct request_object_list *request, struct policy_scan_ctx *ctx goto finish; } + if(ctx->tunnel_attr_count == 2) + { + logic=0; + } + for(i = 0; i< hit_cnt_endpoint; i++) { memset(&hit_group, 0, sizeof(hit_group)); hit_group.group_id=result[i]; if(hit_group.group_id != 0) { - if(ctx->tunnel_attr_count == 2) - { - logic=0; - } scan_ret = maat_scan_group(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[TSG_OBJ_TUNNEL], &hit_group, 1, ctx->result+hit_cnt+hit_cnt_group, MAX_SCAN_RESULT-hit_cnt-hit_cnt_group, &n_hit_result, ctx->scan_mid); if(scan_ret == MAAT_SCAN_HIT) @@ -2936,6 +2993,12 @@ static struct maat *create_maat_feather(const char * instance_name, const char * maat_options_set_stat_file(opts, maat_stat_db_file); } + if(g_policy_rt->load_library != 1) + { + memset(table_info, 0, sizeof(table_info)); + sprintf(table_info, "%s", "./resource/table_info_simple.conf"); + } + target = maat_new(opts, table_info); if (!target) { 
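Review bot: Removing the `load_ip_location` early return in ip_entry_scan (and `load_fqdn_cat` in get_fqdn_category_id, next hunk) leaves these scans with no gate at all, yet elsewhere in this patch the PROFILE_IP_ADDR_ENTRY / FQDN_ENTRY / LIBRARY_TAG plugin tables are initialised only when `load_library` is set and table_info_simple.conf drops their definitions. With `load_library=0` both functions now run lookups against tables that were never created; unless the maat lookups are known to tolerate an unset table id, keep the gate as `if(!g_policy_rt->load_library) { return 0; }`. Both functions continue outside their hunks.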
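Review bot: In create_maat_feather, `sprintf(table_info, "%s", "./resource/table_info_simple.conf")` should be the bounded form `snprintf(table_info, sizeof(table_info), "%s", "./resource/table_info_simple.conf");` — the literal fits today, but the buffer size is not visible in this hunk, and since snprintf NUL-terminates the preceding `memset` becomes unnecessary (this assumes table_info is a char array, as `sizeof(table_info)` suggests). The relative path also silently depends on the process's working directory, which suits the test harness but deserves a comment for any production caller.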
@@ -3016,8 +3079,7 @@ int verify_policy_table_init(struct verify_policy * verify, const char* profile_
 g_policy_rt->local_logger = verify->logger;
 g_policy_rt->thread_num = verify->nr_work_threads;
- MESA_load_profile_int_def(profile_path, "MAAT", "load_ip_location", &(g_policy_rt->load_ip_location), 1);
- MESA_load_profile_int_def(profile_path, "MAAT", "load_fqdn_cat", &(g_policy_rt->load_fqdn_cat), 1);
+ MESA_load_profile_int_def(profile_path, "MAAT", "load_library", &(g_policy_rt->load_library), 1);
 MESA_load_profile_int_def(profile_path, "MAAT", "load_vsys_num", &(load_vsys_num), 255);
 MESA_load_profile_int_def(profile_path, "MAAT", "load_start_vsys", &(load_start_vsys), 0);
 load_vsys_num = load_vsys_num > VSYS_ID_MAX ? VSYS_ID_MAX : load_vsys_num;
@@ -3066,22 +3128,23 @@ int verify_policy_table_init(struct verify_policy * verify, const char* profile_
 goto error_out;
 }
- ret = maat_plugin_table_ex_init(PROFILE_FQDN_ENTRY, vsys_id, fqdn_entry_new_cb, library_entry_free_cb, library_entry_dup_cb);
- if(ret<0)
+ if(g_policy_rt->load_library)
 {
- goto error_out;
- }
-
- ret = maat_plugin_table_ex_init(PROFILE_IP_ADDR_ENTRY, vsys_id, ip_addr_entry_new_cb, library_entry_free_cb, library_entry_dup_cb);
- if(ret<0)
- {
- goto error_out;
- }
-
- ret = maat_plugin_table_ex_init(PROFILE_LIBRARY_TAG, vsys_id, library_tag_new_cb, library_tag_free_cb, library_tag_dup_cb);
- if(ret<0)
- {
- goto error_out;
+ ret = maat_plugin_table_ex_init(PROFILE_FQDN_ENTRY, vsys_id, fqdn_entry_new_cb, library_entry_free_cb, library_entry_dup_cb);
+ if(ret<0)
+ {
+ goto error_out;
+ }
+ ret = maat_plugin_table_ex_init(PROFILE_IP_ADDR_ENTRY, vsys_id, ip_addr_entry_new_cb, library_entry_free_cb, library_entry_dup_cb);
+ if(ret<0)
+ {
+ goto error_out;
+ }
+ ret = maat_plugin_table_ex_init(PROFILE_LIBRARY_TAG, vsys_id, library_tag_new_cb, library_tag_free_cb, library_tag_dup_cb);
+ if(ret<0)
+ {
+ goto error_out;
+ }
 }
 }
 ret = 0;
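Review bot: The new gate `if(g_policy_rt->load_library)` treats any non-zero value as enabled, while create_maat_feather (earlier hunk) selects the simple table config with `load_library != 1`; a configured value such as 2 would therefore initialise the three plugin tables against a table_info that no longer defines them. Make both tests identical — `if(g_policy_rt->load_library == 1)` here — or normalise right after the profile read with `g_policy_rt->load_library = (g_policy_rt->load_library != 0);` and change the `!= 1` in create_maat_feather to a plain `!`. The enclosing for loop over vsys_id starts outside the hunk.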
diff --git a/resource/table_info_simple.conf b/resource/table_info_simple.conf index 73ab4e1..d661c32 100644 --- a/resource/table_info_simple.conf +++ b/resource/table_info_simple.conf @@ -989,40 +989,5 @@ "table_name":"ATTR_TUNNEL_IP_IN_IP_ENDPOINT", "table_type":"virtual", "physical_table": "TSG_OBJ_IP" - }, - { - "table_id": 101, - "table_name": "LIBRARY_TAG", - "table_type": "plugin", - "valid_column": 6, - "custom": { - "key": 1, - "key_type": "integer", - "key_len": 8 - } - }, - { - "table_id":102, - "table_name":"FQDN_ENTRY", - "table_type":"fqdn_plugin", - "valid_column":5, - "custom": { - "item_id":1, - "suffix_match_method":4, - "fqdn":3 - } - }, - { - "table_id":103, - "table_name":"IP_ADDR_ENTRY", - "table_type":"ip_plugin", - "valid_column":7, - "custom": { - "item_id":1, - "ip_type":3, - "start_ip":5, - "end_ip":6, - "addr_format":4 - } } ] \ No newline at end of file diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt index a717f60..751ee83 100644 --- a/test/CMakeLists.txt +++ b/test/CMakeLists.txt @@ -10,7 +10,6 @@ file(COPY ${CMAKE_SOURCE_DIR}/resource DESTINATION ${TEST_RUN_DIR}) file(COPY ${CMAKE_SOURCE_DIR}/conf DESTINATION ${TEST_RUN_DIR}) file(COPY ${CMAKE_SOURCE_DIR}/test/resource/VerifyPolicyManipulation.json DESTINATION ${TEST_RUN_DIR}/resource) -file(COPY ${CMAKE_SOURCE_DIR}/test/resource/VerifyPolicyTunnel.json DESTINATION ${TEST_RUN_DIR}/resource) file(COPY ${CMAKE_SOURCE_DIR}/test/resource/HitPolicyResult.json DESTINATION ${TEST_RUN_DIR}/resource) file(COPY ${CMAKE_SOURCE_DIR}/test/resource/HitPolicyRequest.json DESTINATION ${TEST_RUN_DIR}/resource) 
@@ -19,7 +18,5 @@ add_test(NAME UPDATE_LOG_LEVEL COMMAND bash -c "sed -i 's/log_level=5/log_leve add_test(NAME UPDATE_VSYS_NUM COMMAND bash -c "sed -i '32i load_vsys_num=2' ${TEST_RUN_DIR}/conf/verify_policy.conf") add_test(NAME UPDATE_START_VSYS COMMAND bash -c "sed -i '33i load_start_vsys=1' ${TEST_RUN_DIR}/conf/verify_policy.conf") add_test(NAME UPDATE_JSON_FILE COMMAND bash -c "sed -i 's/json_cfg_file=\\.\\/resource\\/verify-policy\\.json/json_cfg_file=\\.\\/resource\\/VerifyPolicyManipulation\\.json/' ${TEST_RUN_DIR}/conf/verify_policy.conf") -add_test(NAME COPY_CONF COMMAND sh -c "cp ${TEST_RUN_DIR}/conf/verify_policy.conf ${TEST_RUN_DIR}/conf/verify_policy2.conf") -add_test(NAME UPDATE_JSON_FILE2 COMMAND bash -c "sed -i 's/json_cfg_file=\\.\\/resource\\/VerifyPolicyManipulation\\.json/json_cfg_file=\\.\\/resource\\/VerifyPolicyTunnel\\.json/' ${TEST_RUN_DIR}/conf/verify_policy2.conf") add_test(NAME VERIFY_POLICY_TEST COMMAND verify_policy_test) \ No newline at end of file diff --git a/test/resource/HitPolicyRequest.json b/test/resource/HitPolicyRequest.json index b58607e..6b28f1b 100644 --- a/test/resource/HitPolicyRequest.json +++ b/test/resource/HitPolicyRequest.json @@ -82,7 +82,7 @@ "table_name": "ATTR_TUNNEL", "attribute_name": "tunnel_endpointa", "attribute_value": { - "ip": "192.168.0.1", + "ip": "192.168.0.4", "tunnel_type":"gtp", "addr_type": 4 } @@ -107,7 +107,7 @@ "table_name": "ATTR_TUNNEL", "attribute_name": "tunnel_endpointb", "attribute_value": { - "ip": "192.168.0.2", + "ip": "192.168.0.5", "tunnel_type":"gtp", "addr_type": 4 } @@ -132,7 +132,7 @@ "table_name": "ATTR_TUNNEL", "attribute_name": "tunnel_endpointa", "attribute_value": { - "ip": "192.168.0.2", + "ip": "192.168.0.5", "tunnel_type":"gtp", "addr_type": 4 } @@ -142,7 +142,7 @@ "table_name": "ATTR_TUNNEL", "attribute_name": "tunnel_endpointb", "attribute_value": { - "ip": "192.168.0.3", + "ip": "192.168.0.6", "tunnel_type":"gtp", "addr_type": 4 } 
@@ -202,6 +202,104 @@ } ], "verify_type": "policy" + }, + { + "__item_id": 6, + "vsys_id": 1, + "verify_list": [ + { + "type": "pxy_manipulation", + "vsys_id": 1, + "verify_session": { + "attributes": [ + { + "attribute_type": "ip", + "table_name": "ATTR_IP_PROTOCOL", + "attribute_name": "ip_protocol", + "attribute_value": { + "addr_type": 4, + "protocol": 6 + } + }, + { + "attribute_type": "ip", + "table_name": "ATTR_TUNNEL", + "attribute_name": "tunnel_endpointa", + "attribute_value": { + "ip": "192.168.0.5", + "tunnel_type":"gtp", + "addr_type": 4 + } + }, + { + "attribute_type": "ip", + "table_name": "ATTR_TUNNEL", + "attribute_name": "tunnel_endpointb", + "attribute_value": { + "ip": "192.168.0.6", + "tunnel_type":"gtp", + "addr_type": 4 + } + }, + { + "attribute_type": "ip", + "table_name": "ATTR_SOURCE_IP", + "attribute_name": "source", + "attribute_value": { + "ip": "192.168.1.1", + "port":"8080", + "addr_type": 4 + } + } + ] + } + } + ], + "verify_type": "policy" + }, + { + "__item_id": 7, + "vsys_id": 1, + "verify_list": [ + { + "type": "pxy_manipulation", + "vsys_id": 1, + "verify_session": { + "attributes": [ + { + "attribute_type": "ip", + "table_name": "ATTR_IP_PROTOCOL", + "attribute_name": "ip_protocol", + "attribute_value": { + "addr_type": 4, + "protocol": 6 + } + }, + { + "attribute_type": "ip", + "table_name": "ATTR_TUNNEL", + "attribute_name": "tunnel_endpointa", + "attribute_value": { + "ip": "192.168.0.4", + "tunnel_type":"gtp", + "addr_type": 4 + } + }, + { + "attribute_type": "ip", + "table_name": "ATTR_TUNNEL", + "attribute_name": "tunnel_endpointb", + "attribute_value": { + "ip": "192.168.0.6", + "tunnel_type":"gtp", + "addr_type": 4 + } + } + ] + } + } + ], + "verify_type": "policy" } ] } \ No newline at end of file diff --git a/test/resource/HitPolicyResult.json b/test/resource/HitPolicyResult.json index a617203..bd72357 100644 --- a/test/resource/HitPolicyResult.json +++ b/test/resource/HitPolicyResult.json 
@@ -349,6 +349,143 @@ } }, "success": true + }, + { + "code": 200, + "msg": "Success", + "data": { + "hitPolicyList": [ + { + "id": 1026, + "policyName": "", + "is_execute_policy": true, + "top_object_list": [ + { + "object_id": 3022, + "table_name": "ATTR_TUNNEL", + "not_flag": 0, + "nth_clause": 0 + } + ] + }, + { + "id": 1025, + "policyName": "", + "is_execute_policy": false, + "top_object_list": [ + { + "object_id": 3023, + "table_name": "ATTR_TUNNEL", + "not_flag": 0, + "nth_clause": 0 + } + ] + } + ], + "verify_session": { + "attributes": [ + { + "attribute_type": "ip", + "table_name": "ATTR_IP_PROTOCOL", + "attribute_name": "ip_protocol", + "attribute_value": { + "addr_type": 4, + "protocol": 6 + }, + "hit_paths": [ + { + "item_id": 0, + "superior_object_id": 6 + } + ] + }, + { + "attribute_type": "ip", + "table_name": "ATTR_TUNNEL", + "attribute_name": "tunnel_endpoint_object", + "hit_paths": [ + { + "item_id": 0, + "superior_object_id": 3022 + }, + { + "item_id": 0, + "superior_object_id": 3023 + } + ] + }, + { + "attribute_type": "ip", + "table_name": "ATTR_SOURCE_IP", + "attribute_name": "source", + "attribute_value": { + "ip": "192.168.1.1", + "port": "8080", + "addr_type": 4 + }, + "hit_paths": [ + { + "entry_id": 1, + "tag_id": 11 + } + ] + } + ] + } + }, + "success": true + }, + { + "code": 200, + "msg": "Success", + "data": { + "hitPolicyList": [ + { + "id": 1027, + "policyName": "", + "is_execute_policy": true, + "top_object_list": [ + { + "object_id": 3022, + "table_name": "ATTR_TUNNEL", + "not_flag": 1, + "nth_clause": 0 + } + ] + } + ], + "verify_session": { + "attributes": [ + { + "attribute_type": "ip", + "table_name": "ATTR_IP_PROTOCOL", + "attribute_name": "ip_protocol", + "attribute_value": { + "addr_type": 4, + "protocol": 6 + }, + "hit_paths": [ + { + "item_id": 0, + "superior_object_id": 6 + } + ] + }, + { + "attribute_type": "ip", + "table_name": "ATTR_TUNNEL", + "attribute_name": "tunnel_endpoint_object", + "hit_paths": [ + { + 
"item_id": 0, + "superior_object_id": 3021 + } + ] + } + ] + } + }, + "success": true } ] } \ No newline at end of file diff --git a/test/resource/VerifyPolicyManipulation.json b/test/resource/VerifyPolicyManipulation.json index fa7dd51..c51c220 100644 --- a/test/resource/VerifyPolicyManipulation.json +++ b/test/resource/VerifyPolicyManipulation.json 
@@ -175,6 +175,181 @@ "virtual_table":"ATTR_SSL_SAN" } ] + }, + { + "compile_id": 3021, + "service": 13, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "user_region": "anything", + "evaluation_order": "0.0", + "compile_table_name": "TUNNEL_COMPILE", + "is_valid": "yes", + "groups": [ + { + "not_flag": 0, + "group_id": 248, + "group_name": "TunnelIpv4TCPSoureVeiryPolicy01", + "virtual_table": "ATTR_TUNNEL_GTP_ENDPOINT", + "g2c_table_name": "GROUP_TUNNEL_COMPILE_RELATION", + "regions": [ + { + "table_name": "TSG_OBJ_IP_ADDR", + "table_type": "ip", + "table_content": { + "addr_type": "ipv4", + "addr_format": "range", + "ip1": "192.168.0.4", + "ip2": "192.168.0.4" + } + } + ] + } + ] + }, + { + "compile_id": 3022, + "service": 13, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "user_region": "anything", + "evaluation_order": "0.0", + "compile_table_name": "TUNNEL_COMPILE", + "is_valid": "yes", + "groups": [ + { + "not_flag": 0, + "group_id": 2, + "group_name": "TunnelIpv4TCPSoureVeiryPolicy02", + "virtual_table": "ATTR_TUNNEL_GTP_ENDPOINT", + "g2c_table_name": "GROUP_TUNNEL_COMPILE_RELATION", + "regions": [ + { + "table_name": "TSG_OBJ_IP_ADDR", + "table_type": "ip", + "table_content": { + "addr_type": "ipv4", + "addr_format": "range", + "ip1": "192.168.0.5", + "ip2": "192.168.0.5" + } + } + ] + } + ] + }, + { + "compile_id": 3023, + "service": 13, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "user_region": "anything", + "evaluation_order": "0.0", + "compile_table_name": "TUNNEL_COMPILE", + "is_valid": "yes", + "groups": [ + { + "not_flag": 0, + "group_id": 3, + "group_name": "TunnelIpv4TCPSoureVeiryPolicy03", + "virtual_table": "ATTR_TUNNEL_GTP_ENDPOINT", + "g2c_table_name": "GROUP_TUNNEL_COMPILE_RELATION", + "regions": [ + { + "table_name": "TSG_OBJ_IP_ADDR", + "table_type": "ip", + "table_content": { + "addr_type": "ipv4", + "addr_format": "range", + "ip1": "192.168.0.5", + "ip2": "192.168.0.5" + } 
+ } + ] + }, + { + "not_flag": 0, + "group_id": 4, + "group_name": "TunnelIpv4TCPSoureVeiryPolicy04", + "virtual_table": "ATTR_TUNNEL_GTP_ENDPOINT", + "g2c_table_name": "GROUP_TUNNEL_COMPILE_RELATION", + "regions": [ + { + "table_name": "TSG_OBJ_IP_ADDR", + "table_type": "ip", + "table_content": { + "addr_type": "ipv4", + "addr_format": "range", + "ip1": "192.168.0.6", + "ip2": "192.168.0.6" + } + } + ] + } + ] + }, + { + "compile_id": 1025, + "service": 1, + "action": 48, + "do_blacklist": 1, + "do_log": 1, + "effective_range": 0, + "tags":"anything", + "user_region": "anything", + "is_valid": "yes", + "groups": [ + { + "not_flag":0, + "group_id": 3023, + "group_name":"TunnelEndpointVeiryPolicy01", + "virtual_table":"ATTR_TUNNEL" + } + ] + }, + { + "compile_id": 1026, + "service": 1, + "action": 48, + "do_blacklist": 1, + "do_log": 1, + "effective_range": 0, + "tags":"anything", + "user_region": "anything", + "is_valid": "yes", + "groups": [ + { + "not_flag":0, + "group_id": 3022, + "group_name":"TunnelEndpointVeiryPolicy03", + "virtual_table":"ATTR_TUNNEL" + } + ] + }, + { + "compile_id": 1027, + "service": 1, + "action": 48, + "do_blacklist": 1, + "do_log": 1, + "effective_range": 0, + "tags":"anything", + "user_region": "anything", + "is_valid": "yes", + "groups": [ + { + "not_flag":1, + "group_id": 3022, + "group_name":"TunnelEndpointVeiryPolicy03", + "virtual_table":"ATTR_TUNNEL" + } + ] } ], "plugin_table": [ diff --git a/test/resource/VerifyPolicyTunnel.json b/test/resource/VerifyPolicyTunnel.json deleted file mode 100644 index f7b697f..0000000 --- a/test/resource/VerifyPolicyTunnel.json +++ /dev/null 
@@ -1,118 +0,0 @@ -{ - "compile_table": "TUNNEL_COMPILE", - "group2compile_table": "GROUP_TUNNEL_COMPILE_RELATION", - "group2group_table": "GROUP_GROUP_RELATION", - "rules": [ - { - "compile_id": 3021, - "service": 13, - "action": 1, - "do_blacklist": 0, - "do_log": 1, - "tags": "{}", - "user_region": "anything", - "evaluation_order": "0.0", - "is_valid": "yes", - "groups": [ - { - "not_flag": 0, - "group_id": 1, - "group_name": "TunnelIpv4TCPSoureVeiryPolicy01", - "virtual_table": "ATTR_TUNNEL_GTP_ENDPOINT", - "regions": [ - { - "table_name": "TSG_OBJ_IP_ADDR", - "table_type": "ip", - "table_content": { - "addr_type": "ipv4", - "addr_format": "range", - "ip1": "192.168.0.1", - "ip2": "192.168.0.1" - } - } - ] - } - ] - }, - { - "compile_id": 3022, - "service": 13, - "action": 1, - "do_blacklist": 0, - "do_log": 1, - "tags": "{}", - "user_region": "anything", - "evaluation_order": "0.0", - "is_valid": "yes", - "groups": [ - { - "not_flag": 0, - "group_id": 2, - "group_name": "TunnelIpv4TCPSoureVeiryPolicy02", - "virtual_table": "ATTR_TUNNEL_GTP_ENDPOINT", - "regions": [ - { - "table_name": "TSG_OBJ_IP_ADDR", - "table_type": "ip", - "table_content": { - "addr_type": "ipv4", - "addr_format": "range", - "ip1": "192.168.0.2", - "ip2": "192.168.0.2" - } - } - ] - } - ] - }, - { - "compile_id": 3023, - "service": 13, - "action": 1, - "do_blacklist": 0, - "do_log": 1, - "tags": "{}", - "user_region": "anything", - "evaluation_order": "0.0", - "is_valid": "yes", - "groups": [ - { - "not_flag": 0, - "group_id": 3, - "group_name": "TunnelIpv4TCPSoureVeiryPolicy03", - "virtual_table": "ATTR_TUNNEL_GTP_ENDPOINT", - "regions": [ - { - "table_name": "TSG_OBJ_IP_ADDR", - "table_type": "ip", - "table_content": { - "addr_type": "ipv4", - "addr_format": "range", - "ip1": "192.168.0.2", - "ip2": "192.168.0.2" - } - } - ] - }, - { - "not_flag": 0, - "group_id": 4, - "group_name": "TunnelIpv4TCPSoureVeiryPolicy04", - "virtual_table": "ATTR_TUNNEL_GTP_ENDPOINT", - "regions": [ - { - 
"table_name": "TSG_OBJ_IP_ADDR", - "table_type": "ip", - "table_content": { - "addr_type": "ipv4", - "addr_format": "range", - "ip1": "192.168.0.3", - "ip2": "192.168.0.3" - } - } - ] - } - ] - } - ] -} diff --git a/test/verify_policy_test.cpp b/test/verify_policy_test.cpp index e109183..446c70c 100644 --- a/test/verify_policy_test.cpp +++ b/test/verify_policy_test.cpp 
@@ -299,17 +299,55 @@ TEST(VerifyPolicy, HitMultiplePolicy) FREE(&hit_policy_result); } -static void reload_maat_config(const char * main_profile) +TEST(VerifyPolicy, HitTunnelEndpointaPolicy_1025) { - verify_policy_table_free(main_profile); - int ret = verify_policy_table_init(g_verify_proxy, main_profile); - CHECK_OR_EXIT(ret == 0, "Failed at init maat module, Exit."); + char *hit_policy_request = select_hit_policy_request_item(6); + ASSERT_TRUE(hit_policy_request != NULL); + char *hit_policy_result = select_hit_policy_result_item(6); + ASSERT_TRUE(hit_policy_result != NULL); + + cJSON *result_json = get_verify_policy_query(hit_policy_request, strlen(hit_policy_request), 1); + ASSERT_TRUE(result_json != NULL); + + char *hit_policy_query = cJSON_PrintUnformatted(result_json); + ASSERT_TRUE(hit_policy_query != NULL); + + int equal = strncasecmp(hit_policy_query, hit_policy_result, strlen(hit_policy_result)); + EXPECT_EQ(equal, 0); + + cJSON_Delete(result_json); + FREE(&hit_policy_query); + FREE(&hit_policy_request); + FREE(&hit_policy_result); +} + +TEST(VerifyPolicy, HitTunnelEndpointaPolicy_1027) +{ + char *hit_policy_request = select_hit_policy_request_item(7); + ASSERT_TRUE(hit_policy_request != NULL); + char *hit_policy_result = select_hit_policy_result_item(7); + ASSERT_TRUE(hit_policy_result != NULL); + + cJSON *result_json = get_verify_policy_query(hit_policy_request, strlen(hit_policy_request), 1); + ASSERT_TRUE(result_json != NULL); + + char *hit_policy_query = cJSON_PrintUnformatted(result_json); + ASSERT_TRUE(hit_policy_query != NULL); + + printf("hit_policy_query = %s\n", hit_policy_query); + + int equal = strncasecmp(hit_policy_query, hit_policy_result, strlen(hit_policy_result)); + EXPECT_EQ(equal, 0); + + cJSON_Delete(result_json); + FREE(&hit_policy_query); + FREE(&hit_policy_request); + FREE(&hit_policy_result); } /*Tunnel Endpoint Policy Test**/ TEST(VerifyPolicy, HitTunnelEndpointaPolicy) { - reload_maat_config("./conf/verify_policy2.conf"); 
char *hit_policy_request = select_hit_policy_request_item(2); ASSERT_TRUE(hit_policy_request != NULL); char *hit_policy_result = select_hit_policy_result_item(2);
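Review bot: Both new tests compare with `strncasecmp(hit_policy_query, hit_policy_result, strlen(hit_policy_result))`, which is only a case-insensitive prefix check: a result carrying extra trailing hitPolicyList entries or hit_paths beyond the expected JSON still passes, so the tests cannot catch the over-reporting this commit sets out to fix. Use `EXPECT_STREQ(hit_policy_query, hit_policy_result);` (or at minimum also `EXPECT_EQ(strlen(hit_policy_query), strlen(hit_policy_result));`). The `printf("hit_policy_query = %s\n", …)` in HitTunnelEndpointaPolicy_1027 reads as leftover debugging, and both bodies are copies of the existing HitTunnelEndpointaPolicy test; a helper taking the item index removes the duplication and applies the stricter comparison in one place.
```cpp
static void check_hit_policy_item(int item)
{
    char *hit_policy_request = select_hit_policy_request_item(item);
    ASSERT_TRUE(hit_policy_request != NULL);
    char *hit_policy_result = select_hit_policy_result_item(item);
    ASSERT_TRUE(hit_policy_result != NULL);

    cJSON *result_json = get_verify_policy_query(hit_policy_request, strlen(hit_policy_request), 1);
    ASSERT_TRUE(result_json != NULL);

    char *hit_policy_query = cJSON_PrintUnformatted(result_json);
    ASSERT_TRUE(hit_policy_query != NULL);

    /* whole-string, case-sensitive: a prefix match would hide extra trailing hits */
    EXPECT_STREQ(hit_policy_query, hit_policy_result);

    cJSON_Delete(result_json);
    FREE(&hit_policy_query);
    FREE(&hit_policy_request);
    FREE(&hit_policy_result);
}

TEST(VerifyPolicy, HitTunnelEndpointaPolicy_1025) { check_hit_policy_item(6); }
TEST(VerifyPolicy, HitTunnelEndpointaPolicy_1027) { check_hit_policy_item(7); }
// … unchanged: HitTunnelEndpointaPolicy …
```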