gfwleak/tango-verify-policy
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

TSG-22199 修复tunnel调用no_logic情况下命中路径记录问题,优化Fqdn命中路径构建

Browse Source
This commit is contained in:
fengweihao
2024-08-16 10:32:02 +08:00
parent 6dc39cc922
commit be7368a0cc
9 changed files with 558 additions and 209 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
common/src/log.c
View File

@@ -135,12 +135,6 @@ static int log_create_path(const char *file_path)
}
}
FILE *fp = fopen(file_path, "w");
if (NULL == fp) {
return -1;
}
fclose(fp);
return 1;
}

113
platform/src/verify_matcher.cpp
View File

@@ -199,7 +199,7 @@ enum category_type
CATEGORY_TYPE_ASN,
CATEGORY_TYPE_WEBSITE_CATEGORY,
CATEGORY_TYPE_INTERNET_SERVICE,
CATEGORY_TYPE_IOC,
CATEGORY_TYPE_SECURITY_THREAT,
CATEGORY_TYPE_RISK,
CATEGORY_TYPE_MAX
};
@@ -270,8 +270,7 @@ struct verify_policy_rt
{
int log_level;
int thread_num;
int load_ip_location;
int load_fqdn_cat;
int load_library;
int hit_path_size;
int compile_table_id[__SCAN_POLICY_MAX];
int plugin_table_id[__SCAN_POLICY_MAX];
@@ -1144,6 +1143,7 @@ int hit_object_exists_by_ids(cJSON* hitPaths, int item_id, int superior_object_i
cJSON *hitsObj=NULL;
/*In cases of multiple hits, although the compile_id is inconsistent, the item_id and superior_object_id remain consistent.**/
/*For tunnel_endpointa if hit non and tunnel_endpointb hit not logic the same nth_scan record will exist **/
for(hitsObj = hitPaths->child; hitsObj != NULL; hitsObj = hitsObj->next)
{
cJSON *itemId = cJSON_GetObjectItem(hitsObj, "item_id");
@@ -1204,7 +1204,7 @@ void http_get_scan_status(struct request_object_list *request_object, int compil
ctx->hit_path[i].top_group_id = ctx->hit_path[i].sub_group_id;
}
if(ctx->hit_path[i].compile_id > 0 && hit_object_exists_by_ids(hitPaths, ctx->hit_path[i].item_id, ctx->hit_path[i].top_group_id))
if(hit_object_exists_by_ids(hitPaths, ctx->hit_path[i].item_id, ctx->hit_path[i].top_group_id))
{
break;
}
@@ -1297,7 +1297,7 @@ int add_object_table_name(UT_array *ut_array_by_object, int Nth_scan, int top_gr
cJSON *tag_id = cJSON_GetObjectItem(topObject, "tag_id");
if(tag_id != NULL)
{
return 0;
goto finish;
}
cJSON_AddNumberToObject(topObject, "object_id", top_group_id);
@@ -1313,11 +1313,11 @@ int add_object_table_name(UT_array *ut_array_by_object, int Nth_scan, int top_gr
{
cJSON_AddStringToObject(topObject, "table_name", subchild->valuestring);
}
break;
goto finish;
}
}
}
finish:
return 0;
}
@@ -1445,6 +1445,71 @@ static int group_scan(struct policy_scan_ctx *ctx, int vsys_id, int hit_cnt, str
return hit_cnt_group;
}
#if 0
int is_tag_id_in_array(long long *tag_id_array, int n_tag_ids, long long tag_id)
{
for(int i=0; i < n_tag_ids; i++)
{
if(tag_id_array[i] == tag_id)
{
return 1;
}
}
return 0;
}
int get_fqdn_entry_tag_ids(cJSON *hit_library, int vsys_id, const char *fqdn)
{
int ret=0, hit_fqdn_entry=0;
cJSON *fqdn_entry_item=NULL;
int n_tag_ids=0;
long long tag_id_array[MAX_TAG_ID_NUM]={0};
if(fqdn == NULL)
{
return 0;
}
log_info(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "[I] fqdn=%s", fqdn);
struct library_entry_ctx *entry_ctx[MAX_EX_DATA_LEN]={0};
ret=maat_fqdn_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[PROFILE_FQDN_ENTRY], fqdn, (void **)entry_ctx, MAX_EX_DATA_LEN);
for(int i=0; i < ret && i < MAX_EX_DATA_LEN; i++)
{
for(int j=0; j < entry_ctx[i]->n_tag_ids; j++)
{
if(is_tag_id_in_array(tag_id_array, n_tag_ids, entry_ctx[i]->tag_id_array[j]))
{
continue;
}
tag_id_array[n_tag_ids++] = entry_ctx[i]->tag_id_array[j];
}
library_entry_free(entry_ctx[i]);
}
char *tag_ids; int length = 0;
if(n_tag_ids > 0)
{
fqdn_entry_item=cJSON_CreateObject();
for (int i = 0; i < n_tag_ids; i++)
{
if (i == 0)
{
length = asprintf(&tag_ids, "%lld", tag_id_array[i]);
}
else
{
length = asprintf(&tag_ids, "%s,%lld", tag_ids, tag_id_array[i]);
}
}
cJSON_AddStringToObject(fqdn_entry_item, "tag_ids", tag_ids);
cJSON_AddItemToArray(hit_library, fqdn_entry_item);
}
return hit_fqdn_entry;
}
#endif
int get_fqdn_entry_tag_ids(cJSON *hit_library, int vsys_id, const char *fqdn)
{
int ret=0, hit_fqdn_entry=0;
@@ -1469,6 +1534,7 @@ int get_fqdn_entry_tag_ids(cJSON *hit_library, int vsys_id, const char *fqdn)
library_entry_free(entry_ctx[i]);
}
return hit_fqdn_entry;
}
@@ -1521,11 +1587,6 @@ int ip_entry_scan(struct request_object_list *request, struct policy_scan_ctx *c
struct library_entry_ctx *source_ip_entry[MAX_EX_DATA_LEN]={0};
struct library_entry_ctx *destination_ip_entry[MAX_EX_DATA_LEN]={0};
if(!g_policy_rt->load_ip_location)
{
return 0;
}
struct ip_addr dip, sip;
ip_addr_to_address(request->ip_addr, &dip, &sip);
@@ -1627,11 +1688,6 @@ int get_fqdn_category_id(struct request_object_list *request, struct policy_scan
int ret=0, hit_cnt_fqdn=0;
struct library_entry_ctx *fqdn_entry_ctx[MAX_EX_DATA_LEN]={0};
if(!g_policy_rt->load_fqdn_cat)
{
return 0;
}
struct library_hit_path fqdn_entry;
memset(&fqdn_entry, 0, sizeof(fqdn_entry));
@@ -1795,16 +1851,17 @@ int tunnel_scan(struct request_object_list *request, struct policy_scan_ctx *ctx
goto finish;
}
if(ctx->tunnel_attr_count == 2)
{
logic=0;
}
for(i = 0; i< hit_cnt_endpoint; i++)
{
memset(&hit_group, 0, sizeof(hit_group));
hit_group.group_id=result[i];
if(hit_group.group_id != 0)
{
if(ctx->tunnel_attr_count == 2)
{
logic=0;
}
scan_ret = maat_scan_group(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[TSG_OBJ_TUNNEL], &hit_group, 1,
ctx->result+hit_cnt+hit_cnt_group, MAX_SCAN_RESULT-hit_cnt-hit_cnt_group, &n_hit_result, ctx->scan_mid);
if(scan_ret == MAAT_SCAN_HIT)
@@ -2936,6 +2993,12 @@ static struct maat *create_maat_feather(const char * instance_name, const char *
maat_options_set_stat_file(opts, maat_stat_db_file);
}
if(g_policy_rt->load_library != 1)
{
memset(table_info, 0, sizeof(table_info));
sprintf(table_info, "%s", "./resource/table_info_simple.conf");
}
target = maat_new(opts, table_info);
if (!target)
{
@@ -3016,8 +3079,7 @@ int verify_policy_table_init(struct verify_policy * verify, const char* profile_
g_policy_rt->local_logger = verify->logger;
g_policy_rt->thread_num = verify->nr_work_threads;
MESA_load_profile_int_def(profile_path, "MAAT", "load_ip_location", &(g_policy_rt->load_ip_location), 1);
MESA_load_profile_int_def(profile_path, "MAAT", "load_fqdn_cat", &(g_policy_rt->load_fqdn_cat), 1);
MESA_load_profile_int_def(profile_path, "MAAT", "load_library", &(g_policy_rt->load_library), 1);
MESA_load_profile_int_def(profile_path, "MAAT", "load_vsys_num", &(load_vsys_num), 255);
MESA_load_profile_int_def(profile_path, "MAAT", "load_start_vsys", &(load_start_vsys), 0);
load_vsys_num = load_vsys_num > VSYS_ID_MAX ? VSYS_ID_MAX : load_vsys_num;
@@ -3066,24 +3128,25 @@ int verify_policy_table_init(struct verify_policy * verify, const char* profile_
goto error_out;
}
if(g_policy_rt->load_library)
{
ret = maat_plugin_table_ex_init(PROFILE_FQDN_ENTRY, vsys_id, fqdn_entry_new_cb, library_entry_free_cb, library_entry_dup_cb);
if(ret<0)
{
goto error_out;
}
ret = maat_plugin_table_ex_init(PROFILE_IP_ADDR_ENTRY, vsys_id, ip_addr_entry_new_cb, library_entry_free_cb, library_entry_dup_cb);
if(ret<0)
{
goto error_out;
}
ret = maat_plugin_table_ex_init(PROFILE_LIBRARY_TAG, vsys_id, library_tag_new_cb, library_tag_free_cb, library_tag_dup_cb);
if(ret<0)
{
goto error_out;
}
}
}
ret = 0;
error_out:
return ret;

35
resource/table_info_simple.conf
View File

@@ -989,40 +989,5 @@
"table_name":"ATTR_TUNNEL_IP_IN_IP_ENDPOINT",
"table_type":"virtual",
"physical_table": "TSG_OBJ_IP"
},
{
"table_id": 101,
"table_name": "LIBRARY_TAG",
"table_type": "plugin",
"valid_column": 6,
"custom": {
"key": 1,
"key_type": "integer",
"key_len": 8
}
},
{
"table_id":102,
"table_name":"FQDN_ENTRY",
"table_type":"fqdn_plugin",
"valid_column":5,
"custom": {
"item_id":1,
"suffix_match_method":4,
"fqdn":3
}
},
{
"table_id":103,
"table_name":"IP_ADDR_ENTRY",
"table_type":"ip_plugin",
"valid_column":7,
"custom": {
"item_id":1,
"ip_type":3,
"start_ip":5,
"end_ip":6,
"addr_format":4
}
}
]

3
test/CMakeLists.txt
View File

@@ -10,7 +10,6 @@ file(COPY ${CMAKE_SOURCE_DIR}/resource DESTINATION ${TEST_RUN_DIR})
file(COPY ${CMAKE_SOURCE_DIR}/conf DESTINATION ${TEST_RUN_DIR})
file(COPY ${CMAKE_SOURCE_DIR}/test/resource/VerifyPolicyManipulation.json DESTINATION ${TEST_RUN_DIR}/resource)
file(COPY ${CMAKE_SOURCE_DIR}/test/resource/VerifyPolicyTunnel.json DESTINATION ${TEST_RUN_DIR}/resource)
file(COPY ${CMAKE_SOURCE_DIR}/test/resource/HitPolicyResult.json DESTINATION ${TEST_RUN_DIR}/resource)
file(COPY ${CMAKE_SOURCE_DIR}/test/resource/HitPolicyRequest.json DESTINATION ${TEST_RUN_DIR}/resource)
@@ -19,7 +18,5 @@ add_test(NAME UPDATE_LOG_LEVEL COMMAND bash -c "sed -i 's/log_level=5/log_leve
add_test(NAME UPDATE_VSYS_NUM COMMAND bash -c "sed -i '32i load_vsys_num=2' ${TEST_RUN_DIR}/conf/verify_policy.conf")
add_test(NAME UPDATE_START_VSYS COMMAND bash -c "sed -i '33i load_start_vsys=1' ${TEST_RUN_DIR}/conf/verify_policy.conf")
add_test(NAME UPDATE_JSON_FILE COMMAND bash -c "sed -i 's/json_cfg_file=\\.\\/resource\\/verify-policy\\.json/json_cfg_file=\\.\\/resource\\/VerifyPolicyManipulation\\.json/' ${TEST_RUN_DIR}/conf/verify_policy.conf")
add_test(NAME COPY_CONF COMMAND sh -c "cp ${TEST_RUN_DIR}/conf/verify_policy.conf ${TEST_RUN_DIR}/conf/verify_policy2.conf")
add_test(NAME UPDATE_JSON_FILE2 COMMAND bash -c "sed -i 's/json_cfg_file=\\.\\/resource\\/VerifyPolicyManipulation\\.json/json_cfg_file=\\.\\/resource\\/VerifyPolicyTunnel\\.json/' ${TEST_RUN_DIR}/conf/verify_policy2.conf")
add_test(NAME VERIFY_POLICY_TEST COMMAND verify_policy_test)

106
test/resource/HitPolicyRequest.json
View File

@@ -82,7 +82,7 @@
"table_name": "ATTR_TUNNEL",
"attribute_name": "tunnel_endpointa",
"attribute_value": {
"ip": "192.168.0.1",
"ip": "192.168.0.4",
"tunnel_type":"gtp",
"addr_type": 4
}
@@ -107,7 +107,7 @@
"table_name": "ATTR_TUNNEL",
"attribute_name": "tunnel_endpointb",
"attribute_value": {
"ip": "192.168.0.2",
"ip": "192.168.0.5",
"tunnel_type":"gtp",
"addr_type": 4
}
@@ -132,7 +132,7 @@
"table_name": "ATTR_TUNNEL",
"attribute_name": "tunnel_endpointa",
"attribute_value": {
"ip": "192.168.0.2",
"ip": "192.168.0.5",
"tunnel_type":"gtp",
"addr_type": 4
}
@@ -142,7 +142,7 @@
"table_name": "ATTR_TUNNEL",
"attribute_name": "tunnel_endpointb",
"attribute_value": {
"ip": "192.168.0.3",
"ip": "192.168.0.6",
"tunnel_type":"gtp",
"addr_type": 4
}
@@ -202,6 +202,104 @@
}
],
"verify_type": "policy"
},
{
"__item_id": 6,
"vsys_id": 1,
"verify_list": [
{
"type": "pxy_manipulation",
"vsys_id": 1,
"verify_session": {
"attributes": [
{
"attribute_type": "ip",
"table_name": "ATTR_IP_PROTOCOL",
"attribute_name": "ip_protocol",
"attribute_value": {
"addr_type": 4,
"protocol": 6
}
},
{
"attribute_type": "ip",
"table_name": "ATTR_TUNNEL",
"attribute_name": "tunnel_endpointa",
"attribute_value": {
"ip": "192.168.0.5",
"tunnel_type":"gtp",
"addr_type": 4
}
},
{
"attribute_type": "ip",
"table_name": "ATTR_TUNNEL",
"attribute_name": "tunnel_endpointb",
"attribute_value": {
"ip": "192.168.0.6",
"tunnel_type":"gtp",
"addr_type": 4
}
},
{
"attribute_type": "ip",
"table_name": "ATTR_SOURCE_IP",
"attribute_name": "source",
"attribute_value": {
"ip": "192.168.1.1",
"port":"8080",
"addr_type": 4
}
}
]
}
}
],
"verify_type": "policy"
},
{
"__item_id": 7,
"vsys_id": 1,
"verify_list": [
{
"type": "pxy_manipulation",
"vsys_id": 1,
"verify_session": {
"attributes": [
{
"attribute_type": "ip",
"table_name": "ATTR_IP_PROTOCOL",
"attribute_name": "ip_protocol",
"attribute_value": {
"addr_type": 4,
"protocol": 6
}
},
{
"attribute_type": "ip",
"table_name": "ATTR_TUNNEL",
"attribute_name": "tunnel_endpointa",
"attribute_value": {
"ip": "192.168.0.4",
"tunnel_type":"gtp",
"addr_type": 4
}
},
{
"attribute_type": "ip",
"table_name": "ATTR_TUNNEL",
"attribute_name": "tunnel_endpointb",
"attribute_value": {
"ip": "192.168.0.6",
"tunnel_type":"gtp",
"addr_type": 4
}
}
]
}
}
],
"verify_type": "policy"
}
]
}

137
test/resource/HitPolicyResult.json
View File

@@ -349,6 +349,143 @@
}
},
"success": true
},
{
"code": 200,
"msg": "Success",
"data": {
"hitPolicyList": [
{
"id": 1026,
"policyName": "",
"is_execute_policy": true,
"top_object_list": [
{
"object_id": 3022,
"table_name": "ATTR_TUNNEL",
"not_flag": 0,
"nth_clause": 0
}
]
},
{
"id": 1025,
"policyName": "",
"is_execute_policy": false,
"top_object_list": [
{
"object_id": 3023,
"table_name": "ATTR_TUNNEL",
"not_flag": 0,
"nth_clause": 0
}
]
}
],
"verify_session": {
"attributes": [
{
"attribute_type": "ip",
"table_name": "ATTR_IP_PROTOCOL",
"attribute_name": "ip_protocol",
"attribute_value": {
"addr_type": 4,
"protocol": 6
},
"hit_paths": [
{
"item_id": 0,
"superior_object_id": 6
}
]
},
{
"attribute_type": "ip",
"table_name": "ATTR_TUNNEL",
"attribute_name": "tunnel_endpoint_object",
"hit_paths": [
{
"item_id": 0,
"superior_object_id": 3022
},
{
"item_id": 0,
"superior_object_id": 3023
}
]
},
{
"attribute_type": "ip",
"table_name": "ATTR_SOURCE_IP",
"attribute_name": "source",
"attribute_value": {
"ip": "192.168.1.1",
"port": "8080",
"addr_type": 4
},
"hit_paths": [
{
"entry_id": 1,
"tag_id": 11
}
]
}
]
}
},
"success": true
},
{
"code": 200,
"msg": "Success",
"data": {
"hitPolicyList": [
{
"id": 1027,
"policyName": "",
"is_execute_policy": true,
"top_object_list": [
{
"object_id": 3022,
"table_name": "ATTR_TUNNEL",
"not_flag": 1,
"nth_clause": 0
}
]
}
],
"verify_session": {
"attributes": [
{
"attribute_type": "ip",
"table_name": "ATTR_IP_PROTOCOL",
"attribute_name": "ip_protocol",
"attribute_value": {
"addr_type": 4,
"protocol": 6
},
"hit_paths": [
{
"item_id": 0,
"superior_object_id": 6
}
]
},
{
"attribute_type": "ip",
"table_name": "ATTR_TUNNEL",
"attribute_name": "tunnel_endpoint_object",
"hit_paths": [
{
"item_id": 0,
"superior_object_id": 3021
}
]
}
]
}
},
"success": true
}
]
}

175
test/resource/VerifyPolicyManipulation.json
View File

@@ -175,6 +175,181 @@
"virtual_table":"ATTR_SSL_SAN"
}
]
},
{
"compile_id": 3021,
"service": 13,
"action": 1,
"do_blacklist": 0,
"do_log": 1,
"tags": "{}",
"user_region": "anything",
"evaluation_order": "0.0",
"compile_table_name": "TUNNEL_COMPILE",
"is_valid": "yes",
"groups": [
{
"not_flag": 0,
"group_id": 248,
"group_name": "TunnelIpv4TCPSoureVeiryPolicy01",
"virtual_table": "ATTR_TUNNEL_GTP_ENDPOINT",
"g2c_table_name": "GROUP_TUNNEL_COMPILE_RELATION",
"regions": [
{
"table_name": "TSG_OBJ_IP_ADDR",
"table_type": "ip",
"table_content": {
"addr_type": "ipv4",
"addr_format": "range",
"ip1": "192.168.0.4",
"ip2": "192.168.0.4"
}
}
]
}
]
},
{
"compile_id": 3022,
"service": 13,
"action": 1,
"do_blacklist": 0,
"do_log": 1,
"tags": "{}",
"user_region": "anything",
"evaluation_order": "0.0",
"compile_table_name": "TUNNEL_COMPILE",
"is_valid": "yes",
"groups": [
{
"not_flag": 0,
"group_id": 2,
"group_name": "TunnelIpv4TCPSoureVeiryPolicy02",
"virtual_table": "ATTR_TUNNEL_GTP_ENDPOINT",
"g2c_table_name": "GROUP_TUNNEL_COMPILE_RELATION",
"regions": [
{
"table_name": "TSG_OBJ_IP_ADDR",
"table_type": "ip",
"table_content": {
"addr_type": "ipv4",
"addr_format": "range",
"ip1": "192.168.0.5",
"ip2": "192.168.0.5"
}
}
]
}
]
},
{
"compile_id": 3023,
"service": 13,
"action": 1,
"do_blacklist": 0,
"do_log": 1,
"tags": "{}",
"user_region": "anything",
"evaluation_order": "0.0",
"compile_table_name": "TUNNEL_COMPILE",
"is_valid": "yes",
"groups": [
{
"not_flag": 0,
"group_id": 3,
"group_name": "TunnelIpv4TCPSoureVeiryPolicy03",
"virtual_table": "ATTR_TUNNEL_GTP_ENDPOINT",
"g2c_table_name": "GROUP_TUNNEL_COMPILE_RELATION",
"regions": [
{
"table_name": "TSG_OBJ_IP_ADDR",
"table_type": "ip",
"table_content": {
"addr_type": "ipv4",
"addr_format": "range",
"ip1": "192.168.0.5",
"ip2": "192.168.0.5"
}
}
]
},
{
"not_flag": 0,
"group_id": 4,
"group_name": "TunnelIpv4TCPSoureVeiryPolicy04",
"virtual_table": "ATTR_TUNNEL_GTP_ENDPOINT",
"g2c_table_name": "GROUP_TUNNEL_COMPILE_RELATION",
"regions": [
{
"table_name": "TSG_OBJ_IP_ADDR",
"table_type": "ip",
"table_content": {
"addr_type": "ipv4",
"addr_format": "range",
"ip1": "192.168.0.6",
"ip2": "192.168.0.6"
}
}
]
}
]
},
{
"compile_id": 1025,
"service": 1,
"action": 48,
"do_blacklist": 1,
"do_log": 1,
"effective_range": 0,
"tags":"anything",
"user_region": "anything",
"is_valid": "yes",
"groups": [
{
"not_flag":0,
"group_id": 3023,
"group_name":"TunnelEndpointVeiryPolicy01",
"virtual_table":"ATTR_TUNNEL"
}
]
},
{
"compile_id": 1026,
"service": 1,
"action": 48,
"do_blacklist": 1,
"do_log": 1,
"effective_range": 0,
"tags":"anything",
"user_region": "anything",
"is_valid": "yes",
"groups": [
{
"not_flag":0,
"group_id": 3022,
"group_name":"TunnelEndpointVeiryPolicy03",
"virtual_table":"ATTR_TUNNEL"
}
]
},
{
"compile_id": 1027,
"service": 1,
"action": 48,
"do_blacklist": 1,
"do_log": 1,
"effective_range": 0,
"tags":"anything",
"user_region": "anything",
"is_valid": "yes",
"groups": [
{
"not_flag":1,
"group_id": 3022,
"group_name":"TunnelEndpointVeiryPolicy03",
"virtual_table":"ATTR_TUNNEL"
}
]
}
],
"plugin_table": [

118
test/resource/VerifyPolicyTunnel.json
View File

@@ -1,118 +0,0 @@
{
"compile_table": "TUNNEL_COMPILE",
"group2compile_table": "GROUP_TUNNEL_COMPILE_RELATION",
"group2group_table": "GROUP_GROUP_RELATION",
"rules": [
{
"compile_id": 3021,
"service": 13,
"action": 1,
"do_blacklist": 0,
"do_log": 1,
"tags": "{}",
"user_region": "anything",
"evaluation_order": "0.0",
"is_valid": "yes",
"groups": [
{
"not_flag": 0,
"group_id": 1,
"group_name": "TunnelIpv4TCPSoureVeiryPolicy01",
"virtual_table": "ATTR_TUNNEL_GTP_ENDPOINT",
"regions": [
{
"table_name": "TSG_OBJ_IP_ADDR",
"table_type": "ip",
"table_content": {
"addr_type": "ipv4",
"addr_format": "range",
"ip1": "192.168.0.1",
"ip2": "192.168.0.1"
}
}
]
}
]
},
{
"compile_id": 3022,
"service": 13,
"action": 1,
"do_blacklist": 0,
"do_log": 1,
"tags": "{}",
"user_region": "anything",
"evaluation_order": "0.0",
"is_valid": "yes",
"groups": [
{
"not_flag": 0,
"group_id": 2,
"group_name": "TunnelIpv4TCPSoureVeiryPolicy02",
"virtual_table": "ATTR_TUNNEL_GTP_ENDPOINT",
"regions": [
{
"table_name": "TSG_OBJ_IP_ADDR",
"table_type": "ip",
"table_content": {
"addr_type": "ipv4",
"addr_format": "range",
"ip1": "192.168.0.2",
"ip2": "192.168.0.2"
}
}
]
}
]
},
{
"compile_id": 3023,
"service": 13,
"action": 1,
"do_blacklist": 0,
"do_log": 1,
"tags": "{}",
"user_region": "anything",
"evaluation_order": "0.0",
"is_valid": "yes",
"groups": [
{
"not_flag": 0,
"group_id": 3,
"group_name": "TunnelIpv4TCPSoureVeiryPolicy03",
"virtual_table": "ATTR_TUNNEL_GTP_ENDPOINT",
"regions": [
{
"table_name": "TSG_OBJ_IP_ADDR",
"table_type": "ip",
"table_content": {
"addr_type": "ipv4",
"addr_format": "range",
"ip1": "192.168.0.2",
"ip2": "192.168.0.2"
}
}
]
},
{
"not_flag": 0,
"group_id": 4,
"group_name": "TunnelIpv4TCPSoureVeiryPolicy04",
"virtual_table": "ATTR_TUNNEL_GTP_ENDPOINT",
"regions": [
{
"table_name": "TSG_OBJ_IP_ADDR",
"table_type": "ip",
"table_content": {
"addr_type": "ipv4",
"addr_format": "range",
"ip1": "192.168.0.3",
"ip2": "192.168.0.3"
}
}
]
}
]
}
]
}

48
test/verify_policy_test.cpp
View File

@@ -299,17 +299,55 @@ TEST(VerifyPolicy, HitMultiplePolicy)
FREE(&hit_policy_result);
}
static void reload_maat_config(const char * main_profile)
TEST(VerifyPolicy, HitTunnelEndpointaPolicy_1025)
{
verify_policy_table_free(main_profile);
int ret = verify_policy_table_init(g_verify_proxy, main_profile);
CHECK_OR_EXIT(ret == 0, "Failed at init maat module, Exit.");
char *hit_policy_request = select_hit_policy_request_item(6);
ASSERT_TRUE(hit_policy_request != NULL);
char *hit_policy_result = select_hit_policy_result_item(6);
ASSERT_TRUE(hit_policy_result != NULL);
cJSON *result_json = get_verify_policy_query(hit_policy_request, strlen(hit_policy_request), 1);
ASSERT_TRUE(result_json != NULL);
char *hit_policy_query = cJSON_PrintUnformatted(result_json);
ASSERT_TRUE(hit_policy_query != NULL);
int equal = strncasecmp(hit_policy_query, hit_policy_result, strlen(hit_policy_result));
EXPECT_EQ(equal, 0);
cJSON_Delete(result_json);
FREE(&hit_policy_query);
FREE(&hit_policy_request);
FREE(&hit_policy_result);
}
TEST(VerifyPolicy, HitTunnelEndpointaPolicy_1027)
{
char *hit_policy_request = select_hit_policy_request_item(7);
ASSERT_TRUE(hit_policy_request != NULL);
char *hit_policy_result = select_hit_policy_result_item(7);
ASSERT_TRUE(hit_policy_result != NULL);
cJSON *result_json = get_verify_policy_query(hit_policy_request, strlen(hit_policy_request), 1);
ASSERT_TRUE(result_json != NULL);
char *hit_policy_query = cJSON_PrintUnformatted(result_json);
ASSERT_TRUE(hit_policy_query != NULL);
printf("hit_policy_query = %s\n", hit_policy_query);
int equal = strncasecmp(hit_policy_query, hit_policy_result, strlen(hit_policy_result));
EXPECT_EQ(equal, 0);
cJSON_Delete(result_json);
FREE(&hit_policy_query);
FREE(&hit_policy_request);
FREE(&hit_policy_result);
}
/*Tunnel Endpoint Policy Test**/
TEST(VerifyPolicy, HitTunnelEndpointaPolicy)
{
reload_maat_config("./conf/verify_policy2.conf");
char *hit_policy_request = select_hit_policy_request_item(2);
ASSERT_TRUE(hit_policy_request != NULL);
char *hit_policy_result = select_hit_policy_result_item(2);