* 提交策略验证框架及实现

CMakeLists.txt

@@ -0,0 +1,54 @@
+#cmake_minimum_required(VERSION 3.5)
+project(verify-policy)
+
+set(CMAKE_MODULE_PATH ${PROJECT_SOURCE_DIR}/cmake)
+include(Version)
+include(Package)
+
+add_definitions(-D_GNU_SOURCE)
+set(CMAKE_CXX_STANDARD 11)
+set(CMAKE_C_STANDARD 11)
+
+if(NOT CMAKE_BUILD_TYPE)
+	set(CMAKE_BUILD_TYPE RelWithDebInfo)
+endif()
+
+if (CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)
+	set (CMAKE_INSTALL_PREFIX "/home/mesasoft/tfe" CACHE PATH "default install path" FORCE )
+endif()
+
+# Global compile options
+option(ENABLE_PIC "Generate position independent code (necessary for shared libraries)" TRUE)
+option(ENABLE_WARNING_ALL "Enable all optional warnings which are desirable for normal code" TRUE)
+option(ENABLE_SANITIZE_ADDRESS "Enable AddressSanitizer" FALSE)
+option(ENABLE_SANITIZE_THREAD "Enable ThreadSanitizer" FALSE)
+
+if(ENABLE_WARNING_ALL)
+	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall")
+	set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wall")
+endif()
+
+if(ENABLE_SANITIZE_ADDRESS)
+	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=address -fno-omit-frame-pointer")
+	set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=address -fno-omit-frame-pointer")
+	set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -lasan")
+elseif(ENABLE_SANITIZE_THREAD)
+	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=thread -fno-omit-frame-pointer")
+	set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=thread -fno-omit-frame-pointer")
+	set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -lasan")
+endif()
+
+if(ENABLE_SANITIZE_ADDRESS AND ENABLE_SANITIZE_THREAD)
+	message(WARNING "Both ENABLE_SANITIZE_ADDRESS and ENABLE_SANITIZE_THREAD set, only ENABLE_SANITIZE_ADDRESS effected.")
+endif()
+
+add_custom_target("install-program" COMMAND ${CMAKE_COMMAND} ARGS -DCOMPONENT=Program -P cmake_install.cmake)
+add_custom_target("install-profile" COMMAND ${CMAKE_COMMAND} ARGS -DCOMPONENT=Profile -P cmake_install.cmake)
+
+enable_testing()
+#add_subdirectory(conf)
+#add_subdirectory(resource)
+add_subdirectory(vendor)
+add_subdirectory(common)
+add_subdirectory(platform)
+add_subdirectory(scan)

cmake/Package.cmake

@@ -0,0 +1,37 @@
+if(CMAKE_BUILD_TYPE STREQUAL "Debug")
+    set(CPACK_PACKAGE_NAME "verify-policy-debug")
+else()
+    set(CPACK_PACKAGE_NAME "verify-policy")
+endif()
+
+message(STATUS "Package: ${CPACK_PACKAGE_NAME}")
+
+set(CPACK_PACKAGE_VENDOR "MESASOFT")
+set(CPACK_PACKAGE_VERSION_MAJOR "${VERIFY_POLIC_VERSION_MAJOR}")
+set(CPACK_PACKAGE_VERSION_MINOR "${VERIFY_POLIC_VERSION_MINOR}")
+set(CPACK_PACKAGE_VERSION_PATCH "${VERIFY_POLIC_VERSION_PATCH}.${VERIFY_POLIC_DESCRIBE}")
+set(CPACK_PACKAGING_INSTALL_PREFIX ${CMAKE_INSTALL_PREFIX})
+
+# RPM Build
+set(CPACK_GENERATOR "RPM")
+set(CPACK_RPM_AUTO_GENERATED_FILE_NAME ON)
+set(CPACK_RPM_FILE_NAME "RPM-DEFAULT")
+set(CPACK_RPM_PACKAGE_AUTOREQPROV "no")
+set(CPACK_RPM_PACKAGE_RELEASE_DIST on)
+set(CPACK_RPM_DEBUGINFO_PACKAGE on)
+#set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE ${CMAKE_SOURCE_DIR}/cmake/PostInstall.in)
+#set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE ${CMAKE_SOURCE_DIR}/cmake/PostUninstall.in)
+#set(CPACK_RPM_PRE_UNINSTALL_SCRIPT_FILE ${CMAKE_SOURCE_DIR}/cmake/PreUninstall.in)
+
+# Must uninstall the debug package before install release package
+if(CMAKE_BUILD_TYPE STREQUAL "Debug")
+    set(CPACK_RPM_PACKAGE_CONFLICTS "verify-policy")
+else()
+    set(CPACK_RPM_PACKAGE_CONFLICTS "verify-policy-debug")
+endif()
+
+# setup %config(noreplace)
+set(CPACK_RPM_USER_FILELIST "%config(noreplace) ${CMAKE_INSTALL_PREFIX}/conf/pangu/pangu_pxy.conf"
+							"%config(noreplace) ${CMAKE_INSTALL_PREFIX}/conf/tfe/decrypt_mirror.conf"
+                            "%config(noreplace) ${CMAKE_INSTALL_PREFIX}/conf/tfe/tfe.conf")
+include(CPack)

cmake/PostInstall.in

@@ -0,0 +1,2 @@
+%systemd_post mrenv.service mrzcpd.service mrtunnat.service
+/sbin/ldconfig

cmake/PostUninstall.in

@@ -0,0 +1,2 @@
+%systemd_postun_with_restart mrenv.service mrzcpd.service mrtunnat.service
+/sbin/ldconfig

cmake/PreUninstall.in

@@ -0,0 +1 @@
+%systemd_preun mrenv.service mrzcpd.service mrtunnat.service

cmake/Version.cmake

@@ -0,0 +1,38 @@
+
+# Using autorevision.sh to generate version information
+
+set(__SOURCE_AUTORESIVISION ${CMAKE_SOURCE_DIR}/autorevision.sh)
+set(__AUTORESIVISION ${CMAKE_BINARY_DIR}/autorevision.sh)
+set(__VERSION_CACHE ${CMAKE_SOURCE_DIR}/version.txt)
+set(__VERSION_CONFIG ${CMAKE_BINARY_DIR}/version.cmake)
+
+file(COPY ${__SOURCE_AUTORESIVISION} DESTINATION ${CMAKE_BINARY_DIR}
+	FILE_PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE
+	WORLD_READ WORLD_EXECUTE)
+
+# execute autorevision.sh to generate version information
+execute_process(COMMAND ${__AUTORESIVISION} -t cmake -o ${__VERSION_CACHE} OUTPUT_FILE ${__VERSION_CONFIG})
+include(${__VERSION_CONFIG})
+
+# extract major, minor, patch version from git tag
+string(REGEX REPLACE "^v([0-9]+)\\..*" "\\1" VERIFY_POLICY_VERSION_MAJOR "${VCS_TAG}")
+string(REGEX REPLACE "^v[0-9]+\\.([0-9]+).*" "\\1" VERIFY_POLIC_VERSION_MINOR "${VCS_TAG}")
+string(REGEX REPLACE "^v[0-9]+\\.[0-9]+\\.([0-9]+).*" "\\1" VERIFY_POLIC_VERSION_PATCH "${VCS_TAG}")
+
+if(NOT VERIFY_POLIC_VERSION_MAJOR)
+    set(VERIFY_POLIC_VERSION_MAJOR 1)
+endif()
+
+if(NOT VERIFY_POLIC_VERSION_MINOR)
+    set(VERIFY_POLIC_VERSION_MINOR 0)
+endif()
+
+if(NOT VERIFY_POLIC_VERSION_PATCH)
+    set(VERIFY_POLIC_VERSION_PATCH 0)
+endif()
+
+set(VERIFY_POLIC_VERSION "${VERIFY_POLIC_VERSION_MAJOR}.${VERIFY_POLIC_VERSION_MINOR}.${VERIFY_POLIC_VERSION_PATCH}")
+
+# print information
+message(STATUS "Welcome to Verify Policy Engine, Version: ${VERIFY_POLIC_VERSION}")
+add_definitions(-DVERIFY_POLIC_VERSION=${VERIFY_POLIC_VERSION})

common/CMakeLists.txt

@@ -0,0 +1,4 @@
+add_library(common src/verify_policy_logging.cpp)
+target_include_directories(common PUBLIC ${CMAKE_CURRENT_LIST_DIR}/include)
+target_link_libraries(common PUBLIC MESA_handle_logger)
+

common/include/verify_policy.h

@@ -0,0 +1,79 @@
+/*************************************************************************
+	> File Name: verify_policy.h
+	> Author: 
+	> Mail: 
+	> Created Time: 2019年08月23日 星期五 18时06分03秒
+ ************************************************************************/
+
+#ifndef _VERIFY_POLICY_H
+#define _VERIFY_POLICY_H
+
+#include <event2/event.h>
+#include "verify_policy_utils.h"
+
+enum scan_table
+{
+	PXY_CTRL_IP,
+	PXY_CTRL_HTTP_URL,
+	PXY_CTRL_HTTP_FQDN,
+	PXY_CTRL_HTTP_REQ_HDR,
+	PXY_CTRL_HTTP_REQ_BODY,
+	PXY_CTRL_HTTP_RES_HDR,
+	PXY_CTRL_HTTP_RES_BODY,
+	PXY_CTRL_SUBSCRIBE_ID,
+	__SCAN_TABLE_MAX
+};
+
+enum http_ev_bit_number
+{
+	IP_BITNUM = 0,
+	URL_BITNUM,
+	FQDN_BITNUM,
+	REQ_HDR_BITNUM,
+	RESP_HDR_BITNUM,
+	CONTENT_BITNUM,
+	SUBSCRIBE_ID
+};
+
+enum tfe_http_event
+{
+	EV_HTTP_IP = 1ULL << IP_BITNUM,
+	EV_HTTP_URL = 1ULL << URL_BITNUM,		
+	EV_HTTP_FQDN = 1ULL << FQDN_BITNUM,
+	EV_HTTP_REQ_HDR = 1ULL << REQ_HDR_BITNUM,
+	EV_HTTP_RESP_HDR = 1ULL << RESP_HDR_BITNUM,
+	EV_HTTP_CONTENT = 1ULL << CONTENT_BITNUM,
+	EV_HTTP_SUBSCRIBE_ID = 1ULL << SUBSCRIBE_ID,
+};
+
+struct verify_proxy_thread
+{
+	int  id;
+	pthread_t pid;        
+	evutil_socket_t accept_fd;
+	pthread_attr_t *attr;	
+	struct evhttp *http;
+	struct event_base *base;
+	void * (*routine)(void *);  
+};
+
+struct verify_proxy
+{	
+	char name[VERIFY_SYMBOL_MAX];		
+	void * logger;
+	unsigned int log_level;
+	unsigned int nr_work_threads;
+	unsigned int listen_port;	
+	struct verify_proxy_thread *work_threads[TFE_THREAD_MAX];
+};
+
+extern struct verify_proxy * g_verify_proxy;
+
+void * pangu_http_ctx_new(unsigned int thread_id);
+
+void http_scan(const char * value, enum tfe_http_event events,
+	const unsigned char * body_frag, size_t frag_size, void *pme);
+
+char *web_json_table_add(void *pme);
+
+#endif

common/include/verify_policy_logging.h

@@ -0,0 +1,51 @@
+/*************************************************************************
+	> File Name: logging.h
+	> Author:
+	> Mail:
+	> Created Time: 2018年06月18日 星期一 22时45分58秒
+ ************************************************************************/
+
+#ifndef _LOGGING_H
+#define _LOGGING_H
+
+#define MODULE_NAME "verify_policy"
+
+#define RLOG_LV_DEBUG       10
+#define RLOG_LV_INFO        20
+#define RLOG_LV_FATAL       30
+
+typedef struct RTLogInit2Data_ {
+    int debug_switch;
+
+	int run_log_level;
+
+	char run_log_path[256];
+
+	void *run_log_handle;
+} RTLogInit2Data;
+
+extern RTLogInit2Data logging_sc_lid;
+
+/* The maximum length of the log message */
+#define RT_LOG_MAX_LOG_MSG_LEN 2048
+
+extern void mesa_logging_print(int log_level, const char *module, const char *msg);
+
+#define mesa_log(x, y, z, ...)         do {                                       \
+                                  char _sc_log_msg[RT_LOG_MAX_LOG_MSG_LEN] = ""; \
+                                  char *_sc_log_temp = _sc_log_msg;      \
+                                  if ( !x )                       \
+                                  { } else {                             \
+                                      snprintf(_sc_log_temp,             \
+                                               (RT_LOG_MAX_LOG_MSG_LEN - \
+                                                (_sc_log_temp - _sc_log_msg)), \
+                                               __VA_ARGS__);             \
+                                      mesa_logging_print(y, z, _sc_log_msg); \
+                                  }                                      \
+                              } while(0)
+
+#define mesa_runtime_log(level, module, ...)   mesa_log(logging_sc_lid.debug_switch, level, module, __VA_ARGS__)
+
+extern void * verify_syslog_init(const char *config);
+
+#endif

common/include/verify_policy_utils.h

@@ -0,0 +1,54 @@
+#ifndef __RT_COMMON_H__
+#define __RT_COMMON_H__
+
+#include <assert.h>
+#define EVAL_TM_STYLE   "%Y-%m-%d"
+
+#define VERIFY_SYMBOL_MAX			64
+#define VERIFY_STRING_MAX			2048
+#define TFE_THREAD_MAX			128
+
+/** Alway treated the expr as true */
+#ifndef likely
+#define likely(expr) __builtin_expect(!!(expr), 1)
+#endif
+
+/** Alway treated the expr as false */
+#ifndef unlikely
+#define unlikely(expr) __builtin_expect(!!(expr), 0)
+#endif
+
+#ifndef FOREVER
+#define FOREVER for(;;)
+#endif
+
+#ifdef SOCK_NONBLOCK
+#define EVUTIL_SOCK_NONBLOCK SOCK_NONBLOCK
+#else
+#define EVUTIL_SOCK_NONBLOCK 0x4000000
+#endif
+#ifdef SOCK_CLOEXEC
+#define EVUTIL_SOCK_CLOEXEC SOCK_CLOEXEC
+#else
+#define EVUTIL_SOCK_CLOEXEC 0x80000000
+#endif
+#ifdef EFD_NONBLOCK
+#define EVUTIL_EFD_NONBLOCK EFD_NONBLOCK
+#else
+#define EVUTIL_EFD_NONBLOCK 0x4000
+#endif
+#ifdef EFD_CLOEXEC
+#define EVUTIL_EFD_CLOEXEC EFD_CLOEXEC
+#else
+#define EVUTIL_EFD_CLOEXEC 0x8000
+#endif
+
+#define	__rt_always_inline__	__attribute__((always_inline)) inline
+
+#define ALLOC(type, number) ((type *)calloc(sizeof(type), number))
+#define	FREE(p)	{free(*p);*p=NULL;}
+
+#define CHECK_OR_EXIT(condition, fmt, ...)                                                                          \
+do { if(!(condition)) { mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, fmt, ##__VA_ARGS__); exit(EXIT_FAILURE);   }  } while(0) \
+
+#endif

common/src/verify_policy_logging.cpp

@@ -0,0 +1,55 @@
+/*************************************************************************
+	> File Name: logging.c
+	> Author:
+	> Mail:
+	> Created Time: 2018年06月18日 星期一 22时45分43秒
+ ************************************************************************/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include <pwd.h>
+#include <dirent.h>
+#include <ctype.h>
+
+#include "verify_policy_logging.h"
+#include "MESA_prof_load.h"
+#include "MESA_handle_logger.h"
+
+RTLogInit2Data logging_sc_lid;
+
+void mesa_logging_print(int log_level, const char *module, const char *msg)
+{
+    MESA_handle_runtime_log(logging_sc_lid.run_log_handle, log_level, (const char *)module, msg);
+    return;
+}
+
+void * verify_syslog_init(const char *config)
+{
+    char run_log_path[256] = {0};
+
+    MESA_load_profile_int_def(config, (const char *)"SYSTEM",(const char *)"DEBUG_SWITCH",
+                              &logging_sc_lid.debug_switch, 1);
+    MESA_load_profile_int_def(config, (const char *)"SYSTEM",(const char *)"RUN_LOG_LEVEL",
+                              &logging_sc_lid.run_log_level, 10);
+    MESA_load_profile_string_def(config, (const char *)"SYSTEM",(const char *)"RUN_LOG_PATH",
+                                 logging_sc_lid.run_log_path, 128, NULL);
+
+    snprintf(run_log_path, 255, "%s/%s", logging_sc_lid.run_log_path, "verify_policy.log");
+
+    logging_sc_lid.run_log_handle = MESA_create_runtime_log_handle(run_log_path, logging_sc_lid.run_log_level);
+    if(logging_sc_lid.run_log_handle == NULL){
+        mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Create log runtime_log_handle error, init failed!");
+        goto finish;
+    }else{
+        mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "Log module initialization");
+    }
+	return logging_sc_lid.run_log_handle;
+finish:
+	return NULL;
+}
+
+

conf/verify-policy.conf

@@ -0,0 +1,54 @@
+[SYSTEM]
+#1:print on screen, 0:don't
+DEBUG_SWITCH = 1
+#10:DEBUG, 20:INFO, 30:FATAL
+RUN_LOG_LEVEL = 10
+RUN_LOG_PATH = ./logs
+[CONFIG]
+#Number of running threads
+thread-nu = 4
+
+[maat]
+# 0:json 1: redis 2: iris
+maat_input_mode=0
+table_info=resource/pangu/table_info.conf
+json_cfg_file=resource/pangu/pangu_http.json
+stat_file=log/pangu_scan.status
+full_cfg_dir=pangu_policy/
+inc_cfg_dir=pangu_policy/
+
+maat_redis_server=192.168.10.31
+maat_redis_port=6379
+maat_redis_db_index=0
+effect_interval_s=1
+accept_tags={"tags":[{"tag":"location","value":"Astana"}]}
+
+[NTC_MAAT]
+#Configure the load mode,
+#0: using the configuration distribution network
+#1: using local json
+#2: using Redis reads
+maat_json_switch=2
+#When the loading mode is sent to the network, set the scanning configuration modification interval (s).
+effective_interval=1
+#Specify the location of the configuration library table file
+table_info=./conf/table_info.conf
+#Incremental profile path
+inc_cfg_dir=./rule/inc/index
+#Full profile path
+full_cfg_dir=./rule/full/index
+#Json file path when json schema is used
+pxy_obj_keyring=./conf/pxy_obj_keyring.json
+[LIBEVENT]
+#Local monitor port number, default is 9991
+port = 9991
+[CERTSTORE_REDIS]
+#The Redis server IP address and port number where the certificate is stored locally
+ip = 127.0.0.1
+port = 6379
+[MAAT_REDIS]
+#Maat monitors the Redsi server IP address and port number
+ip = 192.168.11.243
+port = 6379
+dbindex = 4
+

platform/CMakeLists.txt

@@ -0,0 +1,13 @@
+add_executable(verify-policy src/verify_policy.cpp)
+
+#target_include_directories(verify-policy PUBLIC ${CMAKE_CURRENT_LIST_DIR}/include)
+
+target_link_libraries(verify-policy common pangu-http)
+target_link_libraries(verify-policy pthread dl
+		libevent-static
+		MESA_handle_logger
+		MESA_prof_load
+		cjson
+		MESA_htable 
+		MESA_field_stat)
+

platform/src/verify_policy.cpp

@@ -0,0 +1,492 @@
+/*************************************************************************
+	> File Name: verify-policy.cpp
+	> Author: 
+	> Mail: 
+	> Created Time: 2019年08月23日 星期五 14时41分17秒
+ ************************************************************************/
+
+#include<iostream>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <fcntl.h>
+
+#include <event2/listener.h>
+#include <event2/http.h>
+#include <cjson/cJSON.h>
+#include <event2/buffer.h>
+
+#include "verify_policy.h"
+#include "MESA_prof_load.h"
+#include "MESA_handle_logger.h"
+#include "verify_policy_logging.h"
+
+struct verify_proxy * g_verify_proxy = NULL;
+
+struct keyword_obj
+{
+	enum scan_table condition_type;
+	char *condition_scope;
+	char *keyword;
+};
+
+struct verify_policy_query
+{
+	enum scan_table object_type;
+	int addr_type;
+	
+	char *clientIp1;
+	unsigned int clientPort1;
+	char *serverIp1;
+	unsigned int serverPort1;
+
+	struct keyword_obj keywords[16];
+};
+
+#if 0
+#ifdef VERIFY_POLIC_VERSION
+char *git_version = VERIFY_POLIC_VERSION;
+#else
+char *default_version = "1.1.1";
+#endif
+#endif
+const char *default_version = "1.1.1";
+const char * version()
+{
+	return default_version;
+}
+
+extern int pangu_policy_init(struct verify_proxy * verify, const char* profile_path);
+
+static int verify_policy_init(struct verify_proxy * verify, const char *profile)
+{
+    int xret = -1;
+	
+    xret = MESA_load_profile_uint_nodef(profile, "CONFIG", "thread-nu", &(verify->nr_work_threads));
+    if (xret < 0){
+        mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Reading the number of running threads failed");
+    }
+	xret = MESA_load_profile_short_nodef(profile, "LISTEN", "port", (short *)&(verify->listen_port));
+	if (xret < 0){
+		mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Listen Port invalid");
+	}
+	mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "Listen Port %d", verify->listen_port);
+    return xret;
+}
+
+enum scan_table verify_type_str2idx(const char *action_str)
+{
+	const char * table_name[__SCAN_TABLE_MAX];
+	table_name[PXY_CTRL_IP] = "ip";
+	table_name[PXY_CTRL_HTTP_URL] = "url";
+	table_name[PXY_CTRL_HTTP_FQDN] = "fqdn";
+	table_name[PXY_CTRL_HTTP_REQ_HDR] = "req_hdr";
+	table_name[PXY_CTRL_HTTP_REQ_BODY] = "keywords";
+	table_name[PXY_CTRL_HTTP_RES_HDR] = "res_hdr";
+	table_name[PXY_CTRL_HTTP_RES_BODY] = "keywords";
+	table_name[PXY_CTRL_SUBSCRIBE_ID] = "subscribeid";
+	
+	size_t i = 0;
+
+	for (i = 0; i < sizeof(table_name) / sizeof(const char *); i++)
+	{
+		if (0 == strcasecmp(action_str, table_name[i]))
+			break;
+	}
+	return (enum scan_table)i;
+}
+
+struct verify_policy_query *get_query_from_request(const char *data)
+{
+	int c_num = 0, i = 0;
+	char buff[VERIFY_STRING_MAX], *p = NULL;;
+
+	cJSON* data_json = cJSON_Parse(data);
+	if(data_json == NULL)
+	{
+		mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "invalid policy parameter");
+		return NULL;
+	}	
+	struct verify_policy_query *query_ctx = ALLOC(struct verify_policy_query, 1);
+	
+	cJSON* item = NULL, *subitem = NULL;
+	item = cJSON_GetObjectItem(data_json,"objectType");
+	if(item && item->type==cJSON_String)
+	{
+		query_ctx->object_type =verify_type_str2idx(item->valuestring);
+	}
+	item=cJSON_GetObjectItem(data_json,"addrType");
+	if(item && item->type==cJSON_Number)
+	{
+		query_ctx->addr_type = item->valueint;
+	}
+	item = cJSON_GetObjectItem(data_json,"clientIp1");
+	if(item && item->type==cJSON_String)
+	{
+		query_ctx->clientIp1 =strdup(item->valuestring);
+	}
+	item = cJSON_GetObjectItem(data_json,"serverIp1");
+	if(item && item->type==cJSON_String)
+	{
+		query_ctx->serverIp1 =strdup(item->valuestring);
+	}
+	item = cJSON_GetObjectItem(data_json,"clientPort1");
+	if(item && item->type==cJSON_String)
+	{
+		query_ctx->clientPort1 =atoi(item->valuestring);
+	}
+	item = cJSON_GetObjectItem(data_json,"serverPort1");
+	if(item && item->type==cJSON_String)
+	{
+		query_ctx->serverPort1 =atoi(item->valuestring);
+	}
+	p = buff;
+	p += snprintf(p, sizeof(buff) - (p - buff), "Query key objectType:%d, addrType:%d, clientIp1:%s, serverIp1:%s, clientPort1:%d, serverPort1:%d",
+	query_ctx->object_type, query_ctx->addr_type, query_ctx->clientIp1, query_ctx->serverIp1, query_ctx->clientPort1, query_ctx->serverPort1);
+	item = cJSON_GetObjectItem(data_json,"keywordObj");
+	if(item && item->type==cJSON_Array)
+	{
+		c_num=cJSON_GetArraySize(item);
+		for (subitem = item->child; subitem != NULL; subitem = subitem->next)
+		{
+			item = cJSON_GetObjectItem(subitem, "conditionScope");
+			if(item && item->type==cJSON_String)
+			{
+				query_ctx->keywords[i].condition_scope =strdup(item->valuestring);
+				query_ctx->keywords[i].condition_type = verify_type_str2idx(item->valuestring);
+			}			
+			item = cJSON_GetObjectItem(subitem, "keywords");
+			if(item && item->type==cJSON_String)
+			{
+				query_ctx->keywords[i].keyword =strdup(item->valuestring);
+			}
+			i++;
+		}			
+	}
+	for (i = 0; i < c_num; i++)
+	{
+		p += snprintf(p, sizeof(buff) - (p - buff), ", conditionScope:%s, keywords:%s", query_ctx->keywords[i].condition_scope, query_ctx->keywords[i].keyword);		
+	}
+	*p = '\0';	
+	mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "%s", buff);
+	return query_ctx;
+}
+
+char *verify_policy_scan(struct verify_policy_query *policy_query, int thread_id)
+{
+	int c_num = 0; char *policy_payload= NULL;
+	void * ctx = pangu_http_ctx_new(thread_id);
+
+	for (c_num = 0; policy_query->keywords[c_num].keyword != NULL; c_num++)
+	{
+		struct keyword_obj *key_obj = &policy_query->keywords[c_num];
+
+		if (key_obj->condition_scope == NULL)
+			key_obj->condition_type = policy_query->object_type;
+		
+		switch(key_obj->condition_type)
+		{
+			case PXY_CTRL_IP:
+				http_scan(key_obj->keyword, EV_HTTP_IP, NULL, 0, ctx);
+				break;
+			case PXY_CTRL_SUBSCRIBE_ID:
+				http_scan(key_obj->keyword, EV_HTTP_SUBSCRIBE_ID, NULL, 0, ctx);
+			case PXY_CTRL_HTTP_URL:
+				http_scan(key_obj->keyword, EV_HTTP_URL, NULL, 0, ctx);
+				break;
+			case PXY_CTRL_HTTP_FQDN:
+				http_scan(key_obj->keyword, EV_HTTP_FQDN, NULL, 0, ctx);
+				break;
+			case PXY_CTRL_HTTP_REQ_HDR:			
+				http_scan(key_obj->keyword, EV_HTTP_REQ_HDR, NULL, 0, ctx);
+				break;
+			case PXY_CTRL_HTTP_RES_HDR:
+				http_scan(key_obj->keyword, EV_HTTP_RESP_HDR, NULL, 0, ctx);
+				break;
+			case PXY_CTRL_HTTP_REQ_BODY:	
+			case PXY_CTRL_HTTP_RES_BODY:
+				http_scan(key_obj->keyword, EV_HTTP_CONTENT, NULL, 0, ctx);
+				break;
+			default:
+				break;
+		}	
+	}
+	policy_payload = web_json_table_add(ctx);
+
+	return policy_payload;
+}
+
+static int
+evhttp_socket_send(struct evhttp_request *req, char *sendbuf)
+{
+    struct evbuffer *evb = NULL;
+
+    /* This holds the content we're sending. */
+	evb = evbuffer_new();
+
+    if (sendbuf[0] == '\0' && req == NULL){
+        goto err;
+    }
+    evhttp_add_header(evhttp_request_get_output_headers(req),
+		              "Content-Type", "text/html");	
+	evhttp_add_header(evhttp_request_get_output_headers(req), "Connection", "keep-alive");
+    evbuffer_add_printf(evb, "%s", sendbuf);
+    evhttp_send_reply(req, HTTP_OK, "OK", evb);
+    goto done;
+
+err:
+    evhttp_send_error(req, HTTP_NOTFOUND, "Document was not found");
+done:
+    evbuffer_free(evb);
+    return 0;
+}
+
+void evhttp_request_cb(struct evhttp_request *evh_req, void *arg)
+{	
+	char *policy_payload= NULL;
+	struct evbuffer * evbuf_body = NULL;
+	char *input = NULL; ssize_t inputlen=0;	
+	struct verify_policy_query *policy_query = NULL;
+	
+	struct verify_proxy_thread *thread_ctx  = (struct verify_proxy_thread *)arg;
+
+	if (evhttp_request_get_command(evh_req) != EVHTTP_REQ_POST)
+	{
+		mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "FAILED (post type)");
+		goto error;
+	}
+	evbuf_body = evhttp_request_get_input_buffer(evh_req);	
+	if (!evbuf_body || 0==(inputlen = evbuffer_get_length(evbuf_body)) ||!(input = (char *)evbuffer_pullup(evbuf_body,inputlen)))
+	{
+		mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Failed to get post data information.");
+		goto error;
+	}
+ 	policy_query = get_query_from_request(input);
+	if (policy_query == NULL)
+	{	
+		mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Data parsing failed.");
+		goto error;
+	}
+	
+	policy_payload = verify_policy_scan(policy_query, thread_ctx->id);
+	if (policy_payload)
+	{
+		mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "%s", policy_payload);
+		evhttp_socket_send(evh_req, policy_payload);
+		free(policy_payload);
+	}
+	goto finish;
+		
+error:
+	evhttp_send_error(evh_req, HTTP_BADREQUEST, 0);
+finish:
+	return;
+}
+
+void * verify_policy_thread(void * arg)
+{
+	struct evhttp_bound_socket *bound = NULL;
+	struct verify_proxy_thread *thread_ctx  = (struct verify_proxy_thread *)arg;
+	
+    thread_ctx->base = event_base_new();
+	if (! thread_ctx->base) 
+	{
+        mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Can'thread_ctx allocate event base");
+        goto finish;
+    }
+    thread_ctx->http = evhttp_new(thread_ctx->base);
+	if (!thread_ctx->http) 
+	{
+        mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "couldn'thread_ctx create evhttp. Exiting.");
+		goto error;
+	}
+	
+	evhttp_set_cb(thread_ctx->http, "/v1/policy/verification", evhttp_request_cb, thread_ctx);
+	
+	bound = evhttp_accept_socket_with_handle(thread_ctx->http, thread_ctx->accept_fd);
+	if (bound != NULL) 
+	{
+		mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "Bound(%p) to port %d - Awaiting connections ... ", bound,
+						g_verify_proxy->listen_port);
+	}
+	mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "Work thread %u is run...", thread_ctx->id);
+	
+	event_base_dispatch(thread_ctx->base);
+error:
+	event_base_free(thread_ctx->base);
+finish:
+	return NULL;
+}
+
+static int
+evutil_fast_socket_nonblocking(evutil_socket_t fd)
+{
+#ifdef _WIN32
+	return evutil_make_socket_nonblocking(fd);
+#else
+	if (fcntl(fd, F_SETFL, O_NONBLOCK) == -1) {
+		return -1;
+	}
+	return 0;
+#endif
+}
+
+static int
+evutil_fast_socket_closeonexec(evutil_socket_t fd)
+{
+#if !defined(_WIN32) && defined(EVENT__HAVE_SETFD)
+	if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1) {
+		return -1;
+	}
+#endif
+	return 0;
+}
+
+evutil_socket_t
+evutil_socket_(int domain, int type, int protocol)
+{
+	evutil_socket_t r;
+#if defined(SOCK_NONBLOCK) && defined(SOCK_CLOEXEC)
+	r = socket(domain, type, protocol);
+	if (r >= 0)
+		return r;
+	else if ((type & (SOCK_NONBLOCK|SOCK_CLOEXEC)) == 0)
+		return -1;
+#endif
+#define SOCKET_TYPE_MASK (~(EVUTIL_SOCK_NONBLOCK|EVUTIL_SOCK_CLOEXEC))
+	r = socket(domain, type & SOCKET_TYPE_MASK, protocol);
+	if (r < 0)
+		return -1;
+	if (type & EVUTIL_SOCK_NONBLOCK) {
+		if (evutil_fast_socket_nonblocking(r) < 0) {
+			evutil_closesocket(r);
+			return -1;
+		}
+	}
+	if (type & EVUTIL_SOCK_CLOEXEC) {
+		if (evutil_fast_socket_closeonexec(r) < 0) {
+			evutil_closesocket(r);
+			return -1;
+		}
+	}
+	return r;
+}
+
+static evutil_socket_t
+evhttp_listen_socket_byuser(const struct sockaddr *sa, int socklen,
+                            unsigned flags, int backlog)
+{
+	evutil_socket_t fd;
+	int on = 1;
+	int family = sa ? sa->sa_family : AF_UNSPEC;
+	int socktype = SOCK_STREAM | EVUTIL_SOCK_NONBLOCK;
+
+	if (flags & LEV_OPT_CLOSE_ON_EXEC)
+		socktype |= EVUTIL_SOCK_CLOEXEC;
+
+	fd = evutil_socket_(family, socktype, 0);
+	if (fd == -1)
+		return fd;
+
+	if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, (void*)&on, sizeof(on))<0)
+		goto err;
+	if (flags & LEV_OPT_REUSEABLE) {
+		if (evutil_make_listen_socket_reuseable(fd) < 0)
+			goto err;
+	}
+	if (flags & LEV_OPT_REUSEABLE_PORT) {
+		if (evutil_make_listen_socket_reuseable_port(fd) < 0){
+			goto err;
+        }
+	}
+	if (sa) {
+		if (bind(fd, sa, socklen)<0)
+			goto err;
+	}
+    if (listen(fd, backlog) == -1) {
+        goto err;
+    }
+	return fd;
+err:
+	evutil_closesocket(fd);
+	return fd;
+}
+
+int pangu_policy_work_thread_run(struct verify_proxy * verify)
+{
+	int xret = 0;
+	unsigned int tid = 0;
+	struct verify_proxy_thread *thread_ctx = NULL;
+
+	struct sockaddr_in sin;
+    memset(&sin, 0, sizeof(struct sockaddr_in));
+    sin.sin_family = AF_INET;
+    sin.sin_port   = htons(verify->listen_port);
+    evutil_socket_t accept_fd = evhttp_listen_socket_byuser((struct sockaddr*)&sin, sizeof(struct sockaddr_in),LEV_OPT_REUSEABLE_PORT|LEV_OPT_CLOSE_ON_FREE, -1);
+    if (accept_fd < 0)
+	{
+        mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Could not create a listen!");
+        goto finish;
+    }
+
+	for (tid = 0; tid < verify->nr_work_threads; tid++)
+	{
+		verify->work_threads[tid] = ALLOC(struct verify_proxy_thread, 1);
+		thread_ctx = verify->work_threads[tid];
+		thread_ctx->id = tid;
+		thread_ctx->accept_fd =accept_fd;
+        thread_ctx->routine = verify_policy_thread;
+
+		if (pthread_create(&thread_ctx->pid, thread_ctx->attr, thread_ctx->routine, thread_ctx))
+		{
+            mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "%s", strerror(errno));
+			goto finish;
+		}
+		if (pthread_detach(thread_ctx->pid))
+		{
+            mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "%s", strerror(errno));
+			goto finish;
+		}
+	}
+    FOREVER{
+        sleep(1);
+    }
+finish:
+    return xret;
+}
+
+int main(int argc, char * argv[])
+{
+	const char * main_profile = "./conf/verify_policy.conf";
+
+	int ret = 0, opt = 0;
+	while ((opt = getopt(argc, argv, "v")) != -1)
+	{
+		switch (opt)
+		{
+			case 'v':
+				fprintf(stderr, "Tango Frontend Engine, Version: %s\n", version());
+				return 0;
+			default:
+				break;
+		}
+	}
+	g_verify_proxy = ALLOC(struct verify_proxy, 1);
+	assert(g_verify_proxy);
+	strcpy(g_verify_proxy->name, "verify_policy");
+
+	g_verify_proxy->logger = verify_syslog_init(main_profile);
+	CHECK_OR_EXIT(g_verify_proxy->logger != NULL, "Failed at init log module. Exit.");
+
+	ret = verify_policy_init(g_verify_proxy, main_profile);
+	CHECK_OR_EXIT(ret == 0, "Failed at loading profile %s, Exit.", main_profile);
+	
+	ret = pangu_policy_init(g_verify_proxy, main_profile);
+	CHECK_OR_EXIT(ret == 0, "Failed at init panggu module, Exit.");
+
+	ret = pangu_policy_work_thread_run(g_verify_proxy);
+	
+	return ret;
+}
+

scan/CMakeLists.txt

@@ -0,0 +1,6 @@
+add_library(pangu-http src/pangu_http.cpp)
+target_include_directories(pangu-http PUBLIC ${CMAKE_CURRENT_LIST_DIR}/incluce)
+target_link_libraries(pangu-http PUBLIC common pthread cjson maatframe) 
+
+
+

scan/include/pangu_http.h

@@ -0,0 +1,13 @@
+/*************************************************************************
+	> File Name: panggu_http.h
+	> Author: 
+	> Mail: 
+	> Created Time: 2019年08月26日 星期一 19时30分49秒
+ ************************************************************************/
+
+#ifndef _PANGGU_HTTP_H
+#define _PANGGU_HTTP_H
+
+extern int pangu_policy_init(struct verify_proxy * verify, const char* profile_path);
+
+#endif

scan/src/pangu_http.cpp

@@ -0,0 +1,518 @@
+/*************************************************************************
+	> File Name: pangu_http.cpp
+	> Author: 
+	> Mail: 
+	> Created Time: 2019年08月23日 星期五 16时53分25秒
+ ************************************************************************/
+#include <assert.h>
+#include <time.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/types.h>
+
+#include <MESA/Maat_rule.h>
+#include <MESA/MESA_handle_logger.h>
+#include <MESA/MESA_prof_load.h>
+#include <MESA/stream.h>
+
+#include <cjson/cJSON.h>
+
+#include "verify_policy.h"
+#include "verify_policy_utils.h"
+#include "verify_policy_logging.h"
+
+#define	MAX_SCAN_RESULT				16
+
+enum pangu_action //Bigger action number is prior.
+{
+	PG_ACTION_NONE = 0x00,
+	PG_ACTION_MONIT = 0x01,
+	PG_ACTION_FORWARD = 0x02,    /* N/A */
+	PG_ACTION_REJECT = 0x10,
+	PG_ACTION_DROP = 0x20,    /* N/A */
+	PG_ACTION_MANIPULATE = 0x30,
+	PG_ACTION_RATELIMIT = 0x40,    /* N/A */
+	PG_ACTION_LOOP = 0x60,    /* N/A */
+	PG_ACTION_WHITELIST = 0x80,
+	__PG_ACTION_MAX
+};
+
+struct pangu_http_ctx
+{
+	enum pangu_action action;
+	char * action_para;
+	scan_status_t scan_mid;
+	stream_para_t sp;
+	size_t hit_cnt;
+	struct Maat_rule_t result[MAX_SCAN_RESULT];
+	size_t n_enforce;	
+	struct Maat_rule_t * enforce_rules;
+	int thread_id;
+};
+
+struct pangu_rt
+{
+	Maat_feather_t maat;
+	Maat_feather_t dyn_maat;
+	int subscriber_id_table_id;
+	void * local_logger;
+	int log_level;
+	int thread_num;
+	int scan_table_id[__SCAN_TABLE_MAX];
+};
+struct pangu_rt * g_pangu_rt;
+
+#define MAAT_INPUT_JSON			0
+#define MAAT_INPUT_REDIS    	1
+#define MAAT_INPUT_FILE        	2
+
+void * pangu_http_ctx_new(unsigned int thread_id)
+{
+	struct pangu_http_ctx * ctx = ALLOC(struct pangu_http_ctx, 1);
+	ctx->scan_mid = NULL;
+	ctx->thread_id = (int) thread_id;
+	return (void *)ctx;
+}
+
+static int pangu_action_weight[__PG_ACTION_MAX] = {0};
+void __pangu_action_weight_init()  __attribute__((constructor, used));
+void __pangu_action_weight_init()
+{
+	pangu_action_weight[PG_ACTION_NONE] = 0;
+	pangu_action_weight[PG_ACTION_MONIT] = 1;
+	pangu_action_weight[PG_ACTION_MANIPULATE] = 2;
+	pangu_action_weight[PG_ACTION_REJECT] = 3;
+	pangu_action_weight[PG_ACTION_WHITELIST] = 4;
+}
+
+static inline int action_cmp(enum pangu_action a1, enum pangu_action a2)
+{
+	return pangu_action_weight[a1] - pangu_action_weight[a2];
+}
+
+static enum pangu_action decide_ctrl_action(const struct Maat_rule_t * hit_rules, size_t n_hit,
+	struct Maat_rule_t ** enforce_rules, size_t * n_enforce)
+{
+	size_t n_monit = 0, exist_enforce_num = 0, i = 0;
+	const struct Maat_rule_t * prior_rule = hit_rules;
+	struct Maat_rule_t monit_rule[n_hit];
+	enum pangu_action prior_action = PG_ACTION_NONE;
+
+	for (i = 0; i < n_hit; i++)
+	{
+		unsigned char __expand_action = (unsigned char) hit_rules[i].action;
+		enum pangu_action __action = (enum pangu_action) __expand_action;
+
+		if (__action == PG_ACTION_MONIT)
+		{
+			memcpy(monit_rule + n_monit, hit_rules + i, sizeof(struct Maat_rule_t));
+			n_monit++;
+		}
+		if (action_cmp(__action, prior_action) > 0)
+		{
+			prior_rule = hit_rules + i;
+			prior_action = __action;
+		}
+		else if (action_cmp(__action, prior_action) == 0)
+		{
+			if (hit_rules[i].config_id > prior_rule->config_id)
+			{
+				prior_rule = hit_rules + i;
+			}
+		}
+		else
+		{
+			continue;
+		}
+	}
+
+	if (prior_action == PG_ACTION_WHITELIST)
+	{
+		if(*n_enforce==0)
+		{
+			*enforce_rules=ALLOC(struct Maat_rule_t, 1);
+		}
+		*enforce_rules[0]=*prior_rule;
+		*n_enforce=1;
+		return PG_ACTION_WHITELIST;
+	}
+
+	exist_enforce_num = *n_enforce;
+	if (prior_action == PG_ACTION_MONIT)
+	{
+		*n_enforce += n_monit;
+	}
+	else
+	{
+		*n_enforce += n_monit + 1;
+	}
+
+	*enforce_rules = (struct Maat_rule_t *) realloc(*enforce_rules, sizeof(struct Maat_rule_t) * (*n_enforce));
+	if (prior_action == PG_ACTION_MONIT)
+	{
+		memcpy(*enforce_rules + exist_enforce_num, monit_rule, n_monit * sizeof(struct Maat_rule_t));
+	}
+	else
+	{
+		memmove(*enforce_rules+1, *enforce_rules, exist_enforce_num*sizeof(struct Maat_rule_t));
+		memcpy(*enforce_rules, prior_rule, sizeof(struct Maat_rule_t));
+		memcpy(*enforce_rules + exist_enforce_num + 1, monit_rule, n_monit * sizeof(struct Maat_rule_t));
+	}
+
+	return prior_action;
+}
+
+char *web_json_table_add(void *pme)
+{
+	char *policy_payload = NULL; size_t i = 0;
+	cJSON  *policy_obj=NULL, *data_obj=NULL, *hit_obj=NULL;
+	cJSON  *execute_obj=NULL, *obj_list=NULL, *category_obj=NULL;
+
+	struct pangu_http_ctx * ctx = (struct pangu_http_ctx *) pme;
+	
+	policy_obj=cJSON_CreateObject();
+	cJSON_AddNumberToObject(policy_obj, "code", 200);	
+	cJSON_AddStringToObject(policy_obj, "msg", "");	
+	cJSON_AddNumberToObject(policy_obj, "success", 1);
+	
+	data_obj = cJSON_CreateObject();
+	cJSON_AddItemToObject(policy_obj, "data", data_obj);
+
+	/*hitPolicyList **/	
+	hit_obj = cJSON_CreateObject();
+	cJSON_AddItemToObject(data_obj, "hitPolicyList", hit_obj);
+	if (ctx->hit_cnt >= 1)
+	{
+		for (i = 0; i < ctx->hit_cnt; i++)
+		{
+			cJSON_AddNumberToObject(hit_obj, "policyId", ctx->result[i].config_id);		
+			cJSON_AddStringToObject(hit_obj, "policyName", "");
+		}				
+	}
+	/*executePolicyList **/
+	execute_obj = cJSON_CreateObject();
+	cJSON_AddItemToObject(data_obj, "executePolicyList", execute_obj);
+	cJSON_AddNumberToObject(execute_obj, "policyId", ctx->enforce_rules[0].config_id);		
+	cJSON_AddStringToObject(execute_obj, "policyName", "");
+
+	/*objectList**/
+	obj_list = cJSON_CreateObject();
+	cJSON_AddItemToObject(data_obj, "objectList", obj_list);
+	cJSON_AddNumberToObject(obj_list, "objectId", 12);		
+	cJSON_AddStringToObject(obj_list, "objectName", "");
+	cJSON *itemList = cJSON_CreateObject();	
+	cJSON_AddItemToObject(obj_list, "itemList", itemList);
+	cJSON_AddNumberToObject(itemList, "itemId", 12);		
+	cJSON_AddStringToObject(itemList, "reqParam", "");
+	
+	/*categoryList**/
+	category_obj = cJSON_CreateObject();
+	cJSON_AddItemToObject(data_obj, "categoryList", category_obj);
+	cJSON_AddNumberToObject(category_obj, "categoryId", 12);		
+	cJSON_AddStringToObject(category_obj, "reqParam", "");
+
+	policy_payload = cJSON_PrintUnformatted(policy_obj);
+	printf("%s\n", policy_payload);
+	cJSON_Delete(policy_obj);
+
+	return policy_payload;
+}
+
+void http_scan(const char * value, enum tfe_http_event events,
+	const unsigned char * body_frag, size_t frag_size, void *pme)
+{
+	const char * field_val = NULL;
+	int scan_ret = 0, table_id = 0;
+	size_t hit_cnt = 0;
+	
+	struct pangu_http_ctx * ctx = (struct pangu_http_ctx *) pme;
+
+	if (events & EV_HTTP_IP)
+	{
+		scan_ret = Maat_scan_proto_addr(g_pangu_rt->maat, g_pangu_rt->scan_table_id[PXY_CTRL_IP], NULL, 0,
+				   ctx->result+hit_cnt, MAX_SCAN_RESULT-hit_cnt, &(ctx->scan_mid), ctx->thread_id);
+		if (scan_ret > 0)
+		{
+			hit_cnt += scan_ret;
+		}
+	}
+
+	if (events & EV_HTTP_SUBSCRIBE_ID)
+	{
+		scan_ret = Maat_full_scan_string(g_pangu_rt->maat, g_pangu_rt->scan_table_id[PXY_CTRL_SUBSCRIBE_ID],
+										CHARSET_UTF8, value, strlen(value),
+										ctx->result+hit_cnt, NULL, MAX_SCAN_RESULT-hit_cnt,
+										&(ctx->scan_mid), ctx->thread_id);
+		if(scan_ret>0)
+		{
+			hit_cnt+=scan_ret;
+		}
+	}
+
+	if (events & EV_HTTP_FQDN)
+	{
+		const char *str_host = value;
+		int str_host_length = (int) (strlen(value));
+
+		scan_ret = Maat_full_scan_string(g_pangu_rt->maat, g_pangu_rt->scan_table_id[PXY_CTRL_HTTP_FQDN],
+					CHARSET_UTF8, str_host, str_host_length, ctx->result, NULL, MAX_SCAN_RESULT, &(ctx->scan_mid), ctx->thread_id);
+		if (scan_ret > 0)
+		{
+			hit_cnt += scan_ret;
+		}
+	}
+	if (events & EV_HTTP_URL)
+	{
+		const char * str_url = value;
+		int str_url_length = (int) (strlen(value));
+
+		scan_ret = Maat_full_scan_string(g_pangu_rt->maat, g_pangu_rt->scan_table_id[PXY_CTRL_HTTP_URL],
+			CHARSET_UTF8, str_url, str_url_length, ctx->result + hit_cnt, NULL, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid), ctx->thread_id);
+
+		if (scan_ret > 0)
+		{
+			hit_cnt += scan_ret;
+		}
+	}
+
+	if ((events & EV_HTTP_REQ_HDR) || (events & EV_HTTP_RESP_HDR))
+	{
+		table_id = events & PXY_CTRL_HTTP_REQ_HDR ? g_pangu_rt->scan_table_id[PXY_CTRL_HTTP_REQ_HDR] : g_pangu_rt->scan_table_id[PXY_CTRL_HTTP_RES_HDR];
+	
+		const char * str_field_name = NULL;
+		scan_ret = Maat_set_scan_status(g_pangu_rt->maat, &(ctx->scan_mid), MAAT_SET_SCAN_DISTRICT,
+				   str_field_name, strlen(str_field_name));
+		assert(scan_ret == 0);
+		scan_ret = Maat_full_scan_string(g_pangu_rt->maat, table_id,
+			CHARSET_UTF8, field_val, strlen(field_val),
+			ctx->result + hit_cnt, NULL, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid), ctx->thread_id);
+		if (scan_ret > 0)
+		{
+			hit_cnt += scan_ret;
+		}
+	}
+
+	if ((events & EV_HTTP_CONTENT))
+	{
+		assert(ctx->sp == NULL);
+		table_id = events & EV_HTTP_CONTENT ? g_pangu_rt->scan_table_id[PXY_CTRL_HTTP_REQ_BODY] : g_pangu_rt->scan_table_id[PXY_CTRL_HTTP_RES_BODY];
+		ctx->sp = Maat_stream_scan_string_start(g_pangu_rt->maat, table_id, ctx->thread_id);
+		scan_ret = Maat_stream_scan_string(&(ctx->sp), CHARSET_UTF8, (const char *) body_frag, (int) frag_size,
+				ctx->result + hit_cnt, NULL, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid));
+		if (scan_ret > 0)
+		{
+			hit_cnt += scan_ret;
+		}
+		Maat_stream_scan_string_end(&(ctx->sp));
+		ctx->sp = NULL;
+	}
+
+	if (hit_cnt > 0)
+	{
+		ctx->action = decide_ctrl_action(ctx->result, hit_cnt, &ctx->enforce_rules, &ctx->n_enforce);
+		ctx->hit_cnt = hit_cnt;
+	}
+	return ;
+}
+	
+char * verify_policy_str_to_addr()
+{
+	return NULL;
+}
+
+static Maat_feather_t create_maat_feather(const char * instance_name, const char * profile, const char * section, int max_thread, void * logger)
+{
+	Maat_feather_t target;
+	int input_mode = 0, maat_perf_on = 0;
+	int ret = 0, scan_detail = 0, effect_interval = 60;
+	char table_info[VERIFY_STRING_MAX] = {0}, inc_cfg_dir[VERIFY_STRING_MAX] = {0}, ful_cfg_dir[VERIFY_STRING_MAX] = {0};
+	char redis_server[VERIFY_STRING_MAX] = {0};
+	char redis_port_range[VERIFY_STRING_MAX] = {0};
+	char accept_tags[VERIFY_STRING_MAX] = {0};
+	int redis_port_begin=0, redis_port_end=0;
+	int redis_port_select=0;
+	int redis_db_idx = 0;
+	char json_cfg_file[VERIFY_STRING_MAX] = {0};
+	MESA_load_profile_int_def(profile, section, "maat_input_mode", &(input_mode), 0);
+	MESA_load_profile_int_def(profile, section, "perf_switch", &(maat_perf_on), 1);
+
+	MESA_load_profile_string_def(profile, section, "table_info", table_info, sizeof(table_info), "");
+	MESA_load_profile_string_def(profile, section, "accept_tags", accept_tags, sizeof(accept_tags), "");
+
+	MESA_load_profile_string_def(profile, section, "json_cfg_file", json_cfg_file, sizeof(json_cfg_file), "");
+
+	MESA_load_profile_string_def(profile, section, "maat_redis_server", redis_server, sizeof(redis_server), "");
+	MESA_load_profile_string_def(profile, section, "maat_redis_port_range", redis_port_range, sizeof(redis_server), "6379");
+	ret=sscanf(redis_port_range,"%d-%d", &redis_port_begin, &redis_port_end);
+	if(ret==1)
+	{
+		redis_port_select=redis_port_begin;
+	}
+	else if(ret==2)
+	{
+		srand(time(NULL));
+		redis_port_select=redis_port_begin+rand()%(redis_port_end-redis_port_begin);
+	}
+	else
+	{
+		mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Invalid redis port range %s, MAAT init failed.", redis_port_range);
+	}
+	MESA_load_profile_int_def(profile, section, "maat_redis_db_index", &(redis_db_idx), 0);
+
+	MESA_load_profile_string_def(profile, section, "inc_cfg_dir", inc_cfg_dir, sizeof(inc_cfg_dir), "");
+	MESA_load_profile_string_def(profile, section, "full_cfg_dir", ful_cfg_dir, sizeof(ful_cfg_dir), "");
+	MESA_load_profile_int_def(profile, section, "effect_interval_s", &(effect_interval), 60);
+
+	effect_interval *= 1000;//convert s to ms
+	assert(strlen(inc_cfg_dir) != 0 || strlen(ful_cfg_dir) != 0 || strlen(redis_server)!=0 || strlen(json_cfg_file)!=0);
+
+	target = Maat_feather(max_thread, table_info, logger);
+	Maat_set_feather_opt(target, MAAT_OPT_INSTANCE_NAME, instance_name, strlen(instance_name) + 1);
+	switch (input_mode)
+	{
+		case MAAT_INPUT_JSON:
+			Maat_set_feather_opt(target, MAAT_OPT_JSON_FILE_PATH, json_cfg_file, strlen(json_cfg_file) + 1);
+			break;
+		case MAAT_INPUT_REDIS:
+			Maat_set_feather_opt(target, MAAT_OPT_REDIS_IP, redis_server, strlen(redis_server) + 1);
+			Maat_set_feather_opt(target, MAAT_OPT_REDIS_PORT, &redis_port_select, sizeof(redis_port_select));
+			Maat_set_feather_opt(target, MAAT_OPT_REDIS_INDEX, &redis_db_idx, sizeof(redis_db_idx));
+			break;
+		case MAAT_INPUT_FILE: Maat_set_feather_opt(target, MAAT_OPT_FULL_CFG_DIR, ful_cfg_dir, strlen(ful_cfg_dir) + 1);
+			Maat_set_feather_opt(target, MAAT_OPT_INC_CFG_DIR, inc_cfg_dir, strlen(inc_cfg_dir) + 1);
+			break;
+		default: mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Invalid MAAT Input Mode: %d.", input_mode);
+			goto error_out;
+			break;
+	}
+
+	Maat_set_feather_opt(target, MAAT_OPT_FOREIGN_CONT_DIR, "./pangu_files", strlen("./pangu_files")+1);
+
+	Maat_set_feather_opt(target, MAAT_OPT_EFFECT_INVERVAL_MS, &effect_interval, sizeof(effect_interval));
+	Maat_set_feather_opt(target, MAAT_OPT_SCAN_DETAIL, &scan_detail, sizeof(scan_detail));
+
+	ret = Maat_initiate_feather(target);
+	if (ret < 0)
+	{
+		mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "%s MAAT init failed.", __FUNCTION__);
+		goto error_out;
+	}
+
+	return target;
+error_out:
+	Maat_burn_feather(target);
+	return NULL;
+}
+
+static int get_column_pos(const char* line, int column_seq, size_t *offset, size_t *len)
+{
+	const char* seps=" \t";
+	char* saveptr=NULL, *subtoken=NULL, *str=NULL;
+	char* dup_line=strdup(line);
+	int i=0, ret=-1;
+	for (str = dup_line; ; str = NULL)
+	{
+		subtoken = strtok_r(str, seps, &saveptr);
+		if (subtoken == NULL)
+			break;
+		if(i==column_seq-1)
+		{
+			*offset=subtoken-dup_line;
+			*len=strlen(subtoken);
+			ret=0;
+			break;
+		}
+		i++;
+	}
+	free(dup_line);
+	return ret;
+}
+
+void subscribe_id_new_cb(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
+{
+	int ret=0;
+	size_t subscribe_id_offset, len;
+	ret=get_column_pos(table_line, 4, &subscribe_id_offset, &len);
+	if(ret<0)
+	{
+		mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Add subscribe ID faild: %s", table_line);
+		return;
+	}
+	*ad=ALLOC(char, len+1);
+	memcpy(*ad, table_line+subscribe_id_offset, len);
+	mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "Add subscribe ID: %s", (char*)*ad);
+	return;
+}
+
+void subscribe_id_free_cb(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
+{
+	mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "Delete subscribe ID: %s", (char*)*ad);
+	free(*ad);
+	*ad=NULL;
+}
+
+void subscribe_id_dup_cb(int table_id, MAAT_PLUGIN_EX_DATA* to, MAAT_PLUGIN_EX_DATA* from, long argl, void* argp)
+{
+	*to = strdup((char*)*from);
+	return;
+}
+
+int pangu_policy_init(struct verify_proxy * verify, const char* profile_path)
+{
+	int ret = -1;
+	
+	g_pangu_rt = ALLOC(struct pangu_rt, 1);
+
+	g_pangu_rt->thread_num = verify->nr_work_threads;
+	g_pangu_rt->local_logger = verify->logger;
+
+	g_pangu_rt->maat = create_maat_feather("static", profile_path, "MAAT", g_pangu_rt->thread_num, g_pangu_rt->local_logger);
+	if (!g_pangu_rt->maat)
+	{
+		goto error_out;
+	}
+
+	const char * table_name[__SCAN_TABLE_MAX];
+	table_name[PXY_CTRL_IP] = "PXY_CTRL_IP";
+	table_name[PXY_CTRL_HTTP_URL] = "PXY_CTRL_HTTP_URL";
+	table_name[PXY_CTRL_HTTP_FQDN] = "TSG_OBJ_FQDN";
+	table_name[PXY_CTRL_HTTP_REQ_HDR] = "PXY_CTRL_HTTP_REQ_HDR";
+	table_name[PXY_CTRL_HTTP_REQ_BODY] = "TSG_OBJ_CONTENT";
+	table_name[PXY_CTRL_HTTP_RES_HDR] = "PXY_CTRL_HTTP_RES_HDR";
+	table_name[PXY_CTRL_HTTP_RES_BODY] = "TSG_OBJ_CONTENT";
+	table_name[PXY_CTRL_SUBSCRIBE_ID] = "PXY_CTRL_SUBSCRIBE_ID";
+	for (int i = 0; i < __SCAN_TABLE_MAX; i++)
+	{
+		g_pangu_rt->scan_table_id[i] = Maat_table_register(g_pangu_rt->maat, table_name[i]);
+		if (g_pangu_rt->scan_table_id[i] < 0)
+		{
+			mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Pangu HTTP Maat table %s register failed.", table_name[i]);
+			goto error_out;
+		}
+	}
+	
+	g_pangu_rt->dyn_maat = create_maat_feather("dyn", profile_path, "DYNAMIC_MAAT", g_pangu_rt->thread_num, g_pangu_rt->local_logger);
+	if (!g_pangu_rt->maat)
+	{
+		goto error_out;
+	}
+	g_pangu_rt->subscriber_id_table_id=Maat_table_register(g_pangu_rt->dyn_maat, "TSG_DYN_SUBSCRIBER_IP");
+	ret=Maat_plugin_EX_register(g_pangu_rt->dyn_maat,
+							g_pangu_rt->subscriber_id_table_id,
+							subscribe_id_new_cb,
+							subscribe_id_free_cb,
+							subscribe_id_dup_cb,
+							NULL,
+							0,
+							NULL);
+	if(ret!=0)
+	{
+		mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Pangu HTTP Dynamic Maat  TSG_DYN_SUBSCRIBER_IP EX data register failed.");
+		goto error_out;
+	}
+
+	ret = 0;
+error_out:
+	return ret;
+}
+

vendor/CMakeLists.txt

@@ -0,0 +1,118 @@
+# CMakeFiles for 3rd vendor library
+
+include(ExternalProject)
+
+### Libevent 2.1.8
+ExternalProject_Add(libevent PREFIX libevent
+        URL ${CMAKE_CURRENT_SOURCE_DIR}/libevent-2.1.8-stable.tar.gz
+        URL_MD5 f3eeaed018542963b7d2416ef1135ecc
+        CONFIGURE_COMMAND PKG_CONFIG_PATH=${OPENSSL_PKGCONFIG_PATH}
+		                  ./configure --prefix=<INSTALL_DIR> --disable-shared --disable-samples
+        BUILD_IN_SOURCE 1)
+
+ExternalProject_Get_Property(libevent INSTALL_DIR)
+file(MAKE_DIRECTORY ${INSTALL_DIR}/include)
+
+add_library(libevent-static STATIC IMPORTED GLOBAL)
+add_dependencies(libevent-static libevent)
+set_property(TARGET libevent-static PROPERTY IMPORTED_LOCATION ${INSTALL_DIR}/lib/libevent.a)
+set_property(TARGET libevent-static PROPERTY IMPORTED_INTERFACE_LINK_LIBRARIES pthread crypto)
+set_property(TARGET libevent-static PROPERTY INTERFACE_INCLUDE_DIRECTORIES ${INSTALL_DIR}/include)
+
+### cJSON
+ExternalProject_Add(cJSON PREFIX cJSON
+        URL ${CMAKE_CURRENT_SOURCE_DIR}/cJSON-1.7.7.tar.gz
+        URL_MD5 715009c99728bf81d6c97352718650ff
+        CMAKE_ARGS -DCMAKE_INSTALL_PREFIX=<INSTALL_DIR>
+				   -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
+				   -DBUILD_SHARED_AND_STATIC_LIBS=1)
+
+ExternalProject_Get_Property(cJSON INSTALL_DIR)
+file(MAKE_DIRECTORY ${INSTALL_DIR}/include)
+
+add_library(cjson SHARED IMPORTED GLOBAL)
+add_dependencies(cjson cJSON)
+set_property(TARGET cjson PROPERTY IMPORTED_LOCATION ${INSTALL_DIR}/lib64/libcjson.a)
+set_property(TARGET cjson PROPERTY INTERFACE_INCLUDE_DIRECTORIES ${INSTALL_DIR}/include)
+
+#### GoogleTest
+ExternalProject_Add(googletest PREFIX googletest
+        URL ${CMAKE_CURRENT_SOURCE_DIR}/googletest-release-1.8.0.tar.gz
+        URL_MD5 16877098823401d1bf2ed7891d7dce36
+        CMAKE_ARGS -DCMAKE_INSTALL_PREFIX=<INSTALL_DIR> -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE})
+
+ExternalProject_Get_Property(googletest INSTALL_DIR)
+file(MAKE_DIRECTORY ${INSTALL_DIR}/include)
+
+add_library(gtest STATIC IMPORTED GLOBAL)
+add_dependencies(gtest googletest)
+set_property(TARGET gtest PROPERTY IMPORTED_LOCATION ${INSTALL_DIR}/lib/libgtest.a)
+set_property(TARGET gtest PROPERTY INTERFACE_INCLUDE_DIRECTORIES ${INSTALL_DIR}/include)
+set_property(TARGET gtest PROPERTY INTERFACE_LINK_LIBRARIES pthread)
+
+add_library(gmock STATIC IMPORTED GLOBAL)
+add_dependencies(gmock googletest)
+set_property(TARGET gmock PROPERTY IMPORTED_LOCATION ${INSTALL_DIR}/lib/libgmock.a)
+set_property(TARGET gmock PROPERTY INTERFACE_INCLUDE_DIRECTORIES ${INSTALL_DIR}/include)
+
+
+### MESA Framework
+# Consider the MESA Framework is installed in the system. We declare a imported target instead of
+# ExternalProject target. we may retrive the MESAFramework source code from git.mesalab.cn and
+# compile staticly to TFE binarys in the future.
+
+set(MESA_FRAMEWORK_LIB_DIR /opt/MESA/lib)
+set(MESA_FRAMEWORK_INCLUDE_DIR /opt/MESA/include)
+set(MRZCPD_LIB_DIR /opt/mrzcpd/lib)
+set(MRZCPD_INCLUDE_DIR /opt/mrzcpd/include)
+
+add_library(MESA_handle_logger SHARED IMPORTED GLOBAL)
+set_property(TARGET MESA_handle_logger PROPERTY IMPORTED_LOCATION ${MESA_FRAMEWORK_LIB_DIR}/libMESA_handle_logger.so)
+set_property(TARGET MESA_handle_logger PROPERTY INTERFACE_INCLUDE_DIRECTORIES ${MESA_FRAMEWORK_INCLUDE_DIR})
+
+add_library(MESA_prof_load SHARED IMPORTED GLOBAL)
+set_property(TARGET MESA_prof_load PROPERTY IMPORTED_LOCATION ${MESA_FRAMEWORK_LIB_DIR}/libMESA_prof_load.so)
+set_property(TARGET MESA_prof_load PROPERTY INTERFACE_INCLUDE_DIRECTORIES ${MESA_FRAMEWORK_INCLUDE_DIR})
+
+add_library(wiredcfg SHARED IMPORTED GLOBAL)
+set_property(TARGET wiredcfg PROPERTY IMPORTED_LOCATION ${MESA_FRAMEWORK_LIB_DIR}/libwiredcfg.so)
+set_property(TARGET wiredcfg PROPERTY INTERFACE_INCLUDE_DIRECTORIES ${MESA_FRAMEWORK_INCLUDE_DIR})
+
+add_library(MESA_htable SHARED IMPORTED GLOBAL)
+set_property(TARGET MESA_htable PROPERTY IMPORTED_LOCATION ${MESA_FRAMEWORK_LIB_DIR}/libMESA_htable.so)
+set_property(TARGET MESA_htable PROPERTY INTERFACE_INCLUDE_DIRECTORIES ${MESA_FRAMEWORK_INCLUDE_DIR})
+
+add_library(wiredLB SHARED IMPORTED GLOBAL)
+set_property(TARGET wiredLB PROPERTY IMPORTED_LOCATION ${MESA_FRAMEWORK_LIB_DIR}/libWiredLB.so)
+set_property(TARGET wiredLB PROPERTY INTERFACE_INCLUDE_DIRECTORIES ${MESA_FRAMEWORK_INCLUDE_DIR})
+
+add_library(maatframe SHARED IMPORTED GLOBAL)
+set_property(TARGET maatframe PROPERTY IMPORTED_LOCATION ${MESA_FRAMEWORK_LIB_DIR}/libmaatframe.so)
+set_property(TARGET maatframe PROPERTY INTERFACE_INCLUDE_DIRECTORIES ${MESA_FRAMEWORK_INCLUDE_DIR})
+
+add_library(MESA_field_stat SHARED IMPORTED GLOBAL)
+set_property(TARGET MESA_field_stat PROPERTY IMPORTED_LOCATION ${MESA_FRAMEWORK_LIB_DIR}/libMESA_field_stat2.so)
+set_property(TARGET MESA_field_stat PROPERTY INTERFACE_INCLUDE_DIRECTORIES ${MESA_FRAMEWORK_INCLUDE_DIR})
+
+add_library(librdkafka SHARED IMPORTED GLOBAL)
+set_property(TARGET librdkafka PROPERTY IMPORTED_LOCATION ${MESA_FRAMEWORK_LIB_DIR}/librdkafka.so)
+set_property(TARGET librdkafka PROPERTY INTERFACE_INCLUDE_DIRECTORIES ${MESA_FRAMEWORK_INCLUDE_DIR})
+
+add_library(mrzcpd SHARED IMPORTED GLOBAL)
+set_property(TARGET mrzcpd PROPERTY IMPORTED_LOCATION ${MRZCPD_LIB_DIR}/libmarsio.so)
+set_property(TARGET mrzcpd PROPERTY INTERFACE_INCLUDE_DIRECTORIES ${MRZCPD_INCLUDE_DIR})
+
+### pcre2
+ExternalProject_Add(pcre2 PREFIX pcre2
+        URL ${CMAKE_CURRENT_SOURCE_DIR}/pcre2-10.32.tar.gz
+        URL_MD5 a660db882ff171e6a0de5fb1decd5ff5
+        CMAKE_ARGS -DCMAKE_INSTALL_PREFIX=<INSTALL_DIR> -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE})
+
+ExternalProject_Get_Property(pcre2 INSTALL_DIR)
+file(MAKE_DIRECTORY ${INSTALL_DIR}/include)
+
+add_library(pcre2-static STATIC IMPORTED GLOBAL)
+add_dependencies(pcre2-static pcre2)
+set_property(TARGET pcre2-static PROPERTY IMPORTED_LOCATION ${INSTALL_DIR}/lib/libpcre2-8.a)
+set_property(TARGET pcre2-static PROPERTY INTERFACE_INCLUDE_DIRECTORIES ${INSTALL_DIR}/include)
+