diff --git a/common/include/verify_policy.h b/common/include/verify_policy.h index c3c0421..148bc5a 100644 --- a/common/include/verify_policy.h +++ b/common/include/verify_policy.h @@ -112,6 +112,4 @@ void http_scan(const char *value, enum tsg_policy_type policy_type, int protocol int security_policy_init(struct verify_proxy * verify, const char* profile_path); -char *web_json_table_add(void *pme); - #endif diff --git a/conf/verify_policy.conf b/conf/verify_policy.conf index 142f0f9..b782a0a 100644 --- a/conf/verify_policy.conf +++ b/conf/verify_policy.conf @@ -11,8 +11,8 @@ thread-nu = 4 [maat] # 0:json 1: redis 2: iris maat_input_mode=1 -table_info=./resource/table_info.conf -table_info_tsg=./resource/tsg_static_tableinfo.conf +table_info=./resource/table_info_proxy.conf +table_info_tsg=./resource/table_info_security.conf json_cfg_file=./resource/pangu_http.json stat_file=logs/verify-policy.status full_cfg_dir=verify-policy/ diff --git a/platform/src/verify_policy.cpp b/platform/src/verify_policy.cpp index 8b001cf..13384f9 100644 --- a/platform/src/verify_policy.cpp +++ b/platform/src/verify_policy.cpp @@ -126,8 +126,6 @@ int protoco_field_type_str2idx(enum tsg_policy_type type, const char *action_str table_name[PXY_SECURITY_HTTPS_SAN] = "TSG_FIELD_SSL_SAN"; table_name[PXY_SECURITY_DNS_QNAME] = "TSG_FIELD_DNS_QNAME"; table_name[PXY_SECURITY_MAIL_ACCOUNT] = "TSG_FIELD_MAIL_ACCOUNT"; - table_name[PXY_SECURITY_FTP_URI] = "TSG_FIELD_MAIL_ACCOUNT"; - table_name[PXY_SECURITY_MAIL_ACCOUNT] = "TSG_FIELD_MAIL_ACCOUNT"; table_name[PXY_SECURITY_MAIL_FROM] = "TSG_FIELD_MAIL_FROM"; table_name[PXY_SECURITY_MAIL_TO] = "TSG_FIELD_MAIL_TO"; table_name[PXY_SECURITY_MAIL_SUBJECT] = "TSG_FIELD_MAIL_SUBJECT"; @@ -136,7 +134,7 @@ int protoco_field_type_str2idx(enum tsg_policy_type type, const char *action_str table_name[PXY_SECURITY_MAIL_ATT_CONTENT] = "TSG_FIELD_MAIL_ATT_CONTENT"; table_name[PXY_SECURITY_FTP_URI] = "TSG_FIELD_FTP_URI"; table_name[PXY_SECURITY_FTP_CONTENT] = "TSG_FIELD_FTP_CONTENT"; - table_name[PXY_SECURITY_FTP_ACCOUNT] = "TSG_FIELD_MAIL_ATT_NAME"; + table_name[PXY_SECURITY_FTP_ACCOUNT] = "TSG_FIELD_FTP_ACCOUNT"; break; case PXY_TABLE_DEFENCE: break; @@ -184,6 +182,20 @@ struct ipaddr *ip_to_stream_addr(char *clientIp1, unsigned int clientPort1, char return ip_addr; } +void ipaddr_free(struct ipaddr *ip_addr) +{ + if(ip_addr->addrtype==ADDR_TYPE_IPV4) + { + free(ip_addr->v4); + } + + if(ip_addr->addrtype==ADDR_TYPE_IPV6) + { + free(ip_addr->v6); + } + free(ip_addr); +} + cJSON *get_query_from_request(const char *data, int thread_id) { int i = 0; @@ -195,7 +207,7 @@ cJSON *get_query_from_request(const char *data, int thread_id) mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "invalid policy parameter"); return NULL; } - cJSON *policy_obj=NULL, *data_obj=NULL; + cJSON *policy_obj=NULL, *data_obj=NULL, *list_arry = NULL; policy_obj=cJSON_CreateObject(); cJSON_AddNumberToObject(policy_obj, "code", 200); @@ -205,6 +217,9 @@ cJSON *get_query_from_request(const char *data, int thread_id) data_obj = cJSON_CreateObject(); cJSON_AddItemToObject(policy_obj, "data", data_obj); + list_arry=cJSON_CreateArray(); + cJSON_AddItemToObject(data_obj, "list", list_arry); + cJSON* item = NULL, *subitem = NULL, *subchild = NULL; item = cJSON_GetObjectItem(data_json,"verifyList"); if(item && item->type==cJSON_Array) @@ -240,14 +255,14 @@ cJSON *get_query_from_request(const char *data, int thread_id) query_list->table_obj[i].subscriberid = item->valuestring; p += snprintf(p, sizeof(buff) - (p - buff), "subscriberid = %s",query_list->table_obj[i].subscriberid); } - http_scan(query_list->table_obj[i].keyword, query_list->type, EV_HTTP_SUBSCRIBE_ID, NULL, data_obj, ctx); + http_scan(query_list->table_obj[i].keyword, query_list->type, EV_HTTP_SUBSCRIBE_ID, NULL, list_arry, ctx); i++; continue; } if(0 == strcasecmp(query_list->table_obj[i].keyword_scope, "ip")) { - int addr_type=0, protocol=0; + int addr_type=0, __attribute__((__unused__))protocol=0; char *clientIp1=NULL,*serverIp1=NULL; unsigned int clientPort1=0,serverPort1=0; @@ -265,8 +280,9 @@ cJSON *get_query_from_request(const char *data, int thread_id) if(item && item->type==cJSON_Number) addr_type = item->valueint; query_list->table_obj[i].ip_addr = ip_to_stream_addr(clientIp1, clientPort1, serverIp1, serverPort1, addr_type); - http_scan(NULL, query_list->type, PXY_CTRL_IP, query_list->table_obj[i].ip_addr, data_obj, ctx); + http_scan(NULL, query_list->type, PXY_CTRL_IP, query_list->table_obj[i].ip_addr, list_arry, ctx); + ipaddr_free(query_list->table_obj[i].ip_addr); i++; continue; } @@ -279,11 +295,11 @@ cJSON *get_query_from_request(const char *data, int thread_id) if(item && item->type==cJSON_String) { query_list->table_obj[i].keyword = item->valuestring; - p += snprintf(p, sizeof(buff) - (p - buff), " content = %s",query_list->table_obj[i].keyword); + p += snprintf(p, sizeof(buff) - (p - buff), ", content = %s",query_list->table_obj[i].keyword); } mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "[I] %s", buff); - http_scan(query_list->table_obj[i].keyword, query_list->type, query_list->table_obj[i].protocol_field, NULL, data_obj, ctx); + http_scan(query_list->table_obj[i].keyword, query_list->type, query_list->table_obj[i].protocol_field, NULL, list_arry, ctx); i++; memset(buff, 0, VERIFY_STRING_MAX); diff --git a/resource/table_info.conf b/resource/table_info_proxy.conf similarity index 63% rename from resource/table_info.conf rename to resource/table_info_proxy.conf index fb5b282..c86ce40 100644 --- a/resource/table_info.conf +++ b/resource/table_info_proxy.conf @@ -30,3 +30,20 @@ 11 TSG_FIELD_HTTP_REQ_CONTENT virtual TSG_OBJ_KEYWORDS -- 12 TSG_FIELD_HTTP_RES_CONTENT virtual TSG_OBJ_KEYWORDS -- 13 TSG_OBJ_SUBSCRIBER_ID expr UTF8 UTF8 yes 0 quickon +#eliminate the alarm +14 TSG_OBJ_ACCOUNT expr UTF8 UTF8 yes 0 +16 TSG_FIELD_SSL_SNI virtual TSG_OBJ_FQDN -- +17 TSG_FIELD_SSL_CN virtual TSG_OBJ_FQDN -- +18 TSG_FIELD_SSL_SAN virtual TSG_OBJ_FQDN -- +19 TSG_FIELD_DNS_QNAME virtual TSG_OBJ_FQDN -- +20 TSG_FIELD_MAIL_ACCOUNT virtual TSG_OBJ_ACCOUNT -- +21 TSG_FIELD_MAIL_FROM virtual TSG_OBJ_ACCOUNT -- +22 TSG_FIELD_MAIL_TO virtual TSG_OBJ_ACCOUNT -- +23 TSG_FIELD_MAIL_SUBJECT virtual TSG_OBJ_KEYWORDS -- +24 TSG_FIELD_MAIL_CONTENT virtual TSG_OBJ_KEYWORDS -- +25 TSG_FIELD_MAIL_ATT_NAME virtual TSG_OBJ_KEYWORDS -- +26 TSG_FIELD_MAIL_ATT_CONTENT virtual TSG_OBJ_KEYWORDS -- +27 TSG_FIELD_FTP_URI virtual TSG_OBJ_URL -- +28 TSG_FIELD_FTP_CONTENT virtual TSG_OBJ_KEYWORDS -- +29 TSG_FIELD_FTP_ACCOUNT virtual TSG_OBJ_ACCOUNT -- + diff --git a/resource/tsg_static_tableinfo.conf b/resource/table_info_security.conf similarity index 96% rename from resource/tsg_static_tableinfo.conf rename to resource/table_info_security.conf index 549f9a0..ec41130 100644 --- a/resource/tsg_static_tableinfo.conf +++ b/resource/table_info_security.conf @@ -39,4 +39,3 @@ 27 TSG_FIELD_FTP_URI virtual TSG_OBJ_URL -- 28 TSG_FIELD_FTP_CONTENT virtual TSG_OBJ_KEYWORDS -- 29 TSG_FIELD_FTP_ACCOUNT virtual TSG_OBJ_ACCOUNT -- -30 FW_PROFILE_DNS_RECORDS plugin {"key":1,"valid":5} -- diff --git a/scan/src/pangu_http.cpp b/scan/src/pangu_http.cpp index a34e1ab..3885b24 100644 --- a/scan/src/pangu_http.cpp +++ b/scan/src/pangu_http.cpp @@ -37,6 +37,21 @@ enum pangu_action //Bigger action number is prior. __PG_ACTION_MAX }; +enum tfe_http_std_field +{ + TFE_HTTP_UNKNOWN_FIELD = 0, + TFE_HTTP_USER_AGENT, + TFE_HTTP_COOKIE, + TFE_HTTP_SET_COOKIE, + TFE_HTTP_CONT_TYPE, +}; + +struct http_field_name +{ + const char * field_name; + enum tfe_http_std_field field_id; +}; + struct pangu_http_ctx { enum pangu_action action; @@ -177,67 +192,17 @@ static enum pangu_action decide_ctrl_action(const struct Maat_rule_t * hit_rules return prior_action; } -char *web_json_table_add(void *pme) +void http_scan(const char *value, enum tsg_policy_type policy_type, int protocol_field, struct ipaddr *ip_addr, cJSON *list_arry, void *pme) { - char *policy_payload = NULL; size_t i = 0; - cJSON *policy_obj=NULL, *data_obj=NULL, *hit_obj=NULL; - cJSON *execute_obj=NULL, *obj_list=NULL, *category_obj=NULL; - - struct pangu_http_ctx * ctx = (struct pangu_http_ctx *) pme; - - policy_obj=cJSON_CreateObject(); - cJSON_AddNumberToObject(policy_obj, "code", 200); - cJSON_AddStringToObject(policy_obj, "msg", "Success"); - cJSON_AddNumberToObject(policy_obj, "success", 1); - - data_obj = cJSON_CreateObject(); - cJSON_AddItemToObject(policy_obj, "data", data_obj); - - /*hitPolicyList **/ - hit_obj = cJSON_CreateObject(); - cJSON_AddItemToObject(data_obj, "hitPolicyList", hit_obj); - if (ctx->hit_cnt >= 1) - { - for (i = 0; i < ctx->hit_cnt; i++) - { - cJSON_AddNumberToObject(hit_obj, "policyId", ctx->result[i].config_id); - cJSON_AddStringToObject(hit_obj, "policyName", ""); - } - } - /*executePolicyList **/ - execute_obj = cJSON_CreateObject(); - cJSON_AddItemToObject(data_obj, "executePolicyList", execute_obj); - cJSON_AddNumberToObject(execute_obj, "policyId", ctx->enforce_rules[0].config_id); - cJSON_AddStringToObject(execute_obj, "policyName", ""); - - /*objectList**/ - obj_list = cJSON_CreateObject(); - cJSON_AddItemToObject(data_obj, "objectList", obj_list); - cJSON_AddNumberToObject(obj_list, "objectId", 12); - cJSON_AddStringToObject(obj_list, "objectName", ""); - cJSON *itemList = cJSON_CreateObject(); - cJSON_AddItemToObject(obj_list, "itemList", itemList); - cJSON_AddNumberToObject(itemList, "itemId", 12); - cJSON_AddStringToObject(itemList, "reqParam", ""); - - /*categoryList**/ - category_obj = cJSON_CreateObject(); - cJSON_AddItemToObject(data_obj, "categoryList", category_obj); - cJSON_AddNumberToObject(category_obj, "categoryId", 12); - cJSON_AddStringToObject(category_obj, "reqParam", ""); - - policy_payload = cJSON_PrintUnformatted(policy_obj); - printf("%s\n", policy_payload); - cJSON_Delete(policy_obj); - - return policy_payload; -} - -void http_scan(const char *value, enum tsg_policy_type policy_type, int protocol_field, struct ipaddr *ip_addr, cJSON *data_obj, void *pme) -{ - int scan_ret = 0, table_id = 0; + int scan_ret = 0; size_t hit_cnt = 0, i = 0; + struct http_field_name req_fields[]={ {"User-Agent", TFE_HTTP_USER_AGENT}, + {"Cookie", TFE_HTTP_COOKIE}}; + + struct http_field_name resp_fields[]={ {"Set-Cookie", TFE_HTTP_SET_COOKIE}, + {"Content-Type", TFE_HTTP_CONT_TYPE}}; + struct pangu_http_ctx * ctx = (struct pangu_http_ctx *) pme; if (protocol_field == PXY_CTRL_IP) @@ -251,40 +216,26 @@ void http_scan(const char *value, enum tsg_policy_type policy_type, int protocol goto decide; } - if ((protocol_field == PXY_CTRL_HTTP_REQ_HDR) || (protocol_field == PXY_CTRL_HTTP_RES_HDR)) + if ((protocol_field == PXY_CTRL_HTTP_REQ_HDR) || protocol_field == PXY_CTRL_HTTP_RES_HDR) { - table_id = (protocol_field == PXY_CTRL_HTTP_REQ_HDR) ? g_pangu_rt->scan_table_id[policy_type][PXY_CTRL_HTTP_REQ_HDR] : g_pangu_rt->scan_table_id[policy_type][PXY_CTRL_HTTP_RES_HDR]; + struct http_field_name *field_name = (protocol_field == PXY_CTRL_HTTP_REQ_HDR) ? req_fields : resp_fields; - const char * str_field_name = NULL; - scan_ret = Maat_set_scan_status(g_pangu_rt->maat[policy_type], &(ctx->scan_mid), MAAT_SET_SCAN_DISTRICT, - str_field_name, strlen(str_field_name)); - assert(scan_ret == 0); - scan_ret = Maat_full_scan_string(g_pangu_rt->maat[policy_type], table_id, - CHARSET_UTF8, value, strlen(value), - ctx->result + hit_cnt, NULL, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid), ctx->thread_id); - if (scan_ret > 0) + for(size_t i=0;imaat[policy_type], &(ctx->scan_mid), MAAT_SET_SCAN_DISTRICT, + str_field_name, strlen(str_field_name)); + assert(scan_ret == 0); + scan_ret = Maat_full_scan_string(g_pangu_rt->maat[policy_type], g_pangu_rt->scan_table_id[policy_type][protocol_field], + CHARSET_UTF8, value, strlen(value), + ctx->result + hit_cnt, NULL, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid), ctx->thread_id); + if (scan_ret > 0) + { + hit_cnt += scan_ret; + } } goto decide; } - - if ((protocol_field == PXY_CTRL_HTTP_REQ_BODY) || protocol_field == PXY_CTRL_HTTP_RES_BODY) - { - assert(ctx->sp == NULL); - table_id = protocol_field == PXY_CTRL_HTTP_REQ_BODY ? g_pangu_rt->scan_table_id[policy_type][PXY_CTRL_HTTP_REQ_BODY] : g_pangu_rt->scan_table_id[policy_type][PXY_CTRL_HTTP_RES_BODY]; - ctx->sp = Maat_stream_scan_string_start(g_pangu_rt->maat[policy_type], table_id, ctx->thread_id); - scan_ret = Maat_stream_scan_string(&(ctx->sp), CHARSET_UTF8, (const char *) value, (int) strlen(value), - ctx->result + hit_cnt, NULL, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid)); - if (scan_ret > 0) - { - hit_cnt += scan_ret; - } - Maat_stream_scan_string_end(&(ctx->sp)); - ctx->sp = NULL; - goto decide; - } - scan_ret = Maat_full_scan_string(g_pangu_rt->maat[policy_type], g_pangu_rt->scan_table_id[policy_type][protocol_field], CHARSET_UTF8, value, strlen(value), ctx->result+hit_cnt, NULL, MAX_SCAN_RESULT-hit_cnt, @@ -298,20 +249,29 @@ decide: { ctx->action = decide_ctrl_action(ctx->result, hit_cnt, &ctx->enforce_rules, &ctx->n_enforce); ctx->hit_cnt = hit_cnt; - cJSON *execute_obj=NULL, *hit_obj=NULL; - hit_obj = cJSON_CreateObject(); - cJSON_AddItemToObject(data_obj, "hitPolicyList", hit_obj); + cJSON *execute_obj=NULL, *hit_obj=NULL; + cJSON *item_obj=NULL, *policy_obj=NULL; + + item_obj=cJSON_CreateObject(); + cJSON_AddItemToArray(list_arry, item_obj); + + hit_obj=cJSON_CreateArray(); + cJSON_AddItemToObject(item_obj, "hitPolicyList", hit_obj); if (ctx->hit_cnt >= 1) { for (i = 0; i < ctx->hit_cnt; i++) { - cJSON_AddNumberToObject(hit_obj, "policyId", ctx->result[i].config_id); + policy_obj=cJSON_CreateObject(); + cJSON_AddNumberToObject(policy_obj, "policyId",ctx->result[i].config_id); + cJSON_AddItemToArray(hit_obj, policy_obj); } } /*executePolicyList **/ - execute_obj = cJSON_CreateObject(); - cJSON_AddItemToObject(data_obj, "executePolicyList", execute_obj); - cJSON_AddNumberToObject(execute_obj, "policyId", ctx->enforce_rules[0].config_id); + execute_obj=cJSON_CreateArray(); + cJSON_AddItemToObject(item_obj, "executePolicyList", execute_obj); + policy_obj=cJSON_CreateObject(); + cJSON_AddNumberToObject(policy_obj, "policyId", ctx->enforce_rules[0].config_id); + cJSON_AddItemToArray(execute_obj, policy_obj); } return ; } @@ -469,7 +429,6 @@ int pangu_policy_init(struct verify_proxy * verify, const char* profile_path) g_pangu_rt->thread_num = verify->nr_work_threads; g_pangu_rt->local_logger = verify->logger; -#if 1 g_pangu_rt->maat[PXY_TABLE_MANIPULATION] = create_maat_feather("static", profile_path, "MAAT", "table_info", g_pangu_rt->thread_num, g_pangu_rt->local_logger); if (!g_pangu_rt->maat[PXY_TABLE_MANIPULATION]) { @@ -488,13 +447,12 @@ int pangu_policy_init(struct verify_proxy * verify, const char* profile_path) for (int i = 0; i < __SCAN_TABLE_MAX; i++) { g_pangu_rt->scan_table_id[PXY_TABLE_MANIPULATION][i] = Maat_table_register(g_pangu_rt->maat[PXY_TABLE_MANIPULATION], table_name[i]); - - printf("%p table_name %s, table id %d, i = %d\n", g_pangu_rt->maat[PXY_TABLE_MANIPULATION], table_name[i], g_pangu_rt->scan_table_id[PXY_TABLE_MANIPULATION][i], i); if (g_pangu_rt->scan_table_id[PXY_TABLE_MANIPULATION][i] < 0) { mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Pangu HTTP Maat table %s register failed.", table_name[i]); goto error_out; } + mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "Pangu policy register maat %p, table name %s, table id %d", g_pangu_rt->maat[PXY_TABLE_MANIPULATION], table_name[i], g_pangu_rt->scan_table_id[PXY_TABLE_MANIPULATION][i]); } g_pangu_rt->dyn_maat = create_maat_feather("dyn", profile_path, "DYNAMIC_MAAT", "table_info", g_pangu_rt->thread_num, g_pangu_rt->local_logger); @@ -516,7 +474,6 @@ int pangu_policy_init(struct verify_proxy * verify, const char* profile_path) mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Pangu HTTP Dynamic Maat TSG_DYN_SUBSCRIBER_IP EX data register failed."); goto error_out; } -#endif ret = 0; error_out: return ret; @@ -553,17 +510,17 @@ int security_policy_init(struct verify_proxy * verify, const char* profile_path) table_name[PXY_SECURITY_MAIL_ATT_CONTENT] = "TSG_FIELD_MAIL_ATT_CONTENT"; table_name[PXY_SECURITY_FTP_URI] = "TSG_FIELD_FTP_URI"; table_name[PXY_SECURITY_FTP_CONTENT] = "TSG_FIELD_FTP_CONTENT"; - table_name[PXY_SECURITY_FTP_ACCOUNT] = "TSG_FIELD_MAIL_ATT_NAME"; + table_name[PXY_SECURITY_FTP_ACCOUNT] = "TSG_FIELD_FTP_ACCOUNT"; for (int i = 0; i < __SECURITY_TABLE_MAX; i++) { g_pangu_rt->scan_table_id[PXY_TABLE_SECURITY][i] = Maat_table_register(g_pangu_rt->maat[PXY_TABLE_SECURITY], table_name[i]); - printf("SECURITY: %p table_name %s, table id %d, i = %d\n", g_pangu_rt->maat[PXY_TABLE_SECURITY], table_name[i], g_pangu_rt->scan_table_id[PXY_TABLE_SECURITY][i], i); if (g_pangu_rt->scan_table_id[PXY_TABLE_SECURITY][i] < 0) { mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Security policy maat table %s register failed.", table_name[i]); goto error_out; } + mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "Security policy register maat %p, table name %s, table id %d", g_pangu_rt->maat[PXY_TABLE_SECURITY], table_name[i], g_pangu_rt->scan_table_id[PXY_TABLE_SECURITY][i]); } ret = 0; error_out: