TSG-14952 策略验证支持正则表达式验证功能

2023-05-11 11:50:34 +08:00
parent 1baa062723
commit d94c81d7e6
3 changed files with 180 additions and 91 deletions
--- a/common/include/verify_policy.h
+++ b/common/include/verify_policy.h
@@ -15,6 +15,12 @@ struct breakpad_instance;
 #define VSYS_ID_MAX 255
 enum verify_type
 {
    VERIFY_TYPE_POLICY,
    VERIFY_TYPE_REGEX
 };
 enum compile_table_typle
 {
    TSG_TABLE_SECURITY,
@@ -133,11 +139,12 @@ struct verify_policy_query
 extern struct verify_policy * g_verify_proxy;
 void *policy_scan_ctx_new(unsigned int thread_id, int vsys_id, int compile_table_id);
-void pangu_http_ctx_free(void * pme);
+void policy_scan_ctx_free(void * pme);
 size_t policy_verify_scan(int vsys_id, int compile_table_id, struct request_query_obj *query_obj, cJSON *data_obj, void *pme);
 void http_get_scan_status(struct request_query_obj *query_obj, int type, cJSON *attributes, cJSON  *data_obj, void *pme);
 int maat_table_init(struct verify_policy * verify, const char* profile_path);
 int http_hit_policy_list(int vsys_id, int compile_table_id, size_t hit_cnt, cJSON *data_obj, void *pme);
 void verify_policy_tunnle_add(void * pme);
 int policy_verify_regex_expression(const char *expression);
 #endif
--- a/platform/src/verify_matcher.cpp
+++ b/platform/src/verify_matcher.cpp
@@ -187,7 +187,7 @@ void *policy_scan_ctx_new(unsigned int thread_id, int vsys_id, int compile_table
 	return (void *)ctx;
 }
-void pangu_http_ctx_free(void * pme)
+void policy_scan_ctx_free(void * pme)
 {
 	struct policy_scan_ctx * ctx = (struct policy_scan_ctx *) pme;
@@ -1068,6 +1068,11 @@ void http_get_scan_status(struct request_query_obj *query_obj, int compile_table
 	http_get_fqdn_cat_id(query_obj, compile_table_id, attributeObj);
 }
 int policy_verify_regex_expression(const char *expression)
 {
 	return maat_helper_verify_regex_expression(expression);
 }
 int http_hit_policy_list(int vsys_id,  int compile_table_id, size_t hit_cnt, cJSON *data_obj, void *pme)
 {
 	bool succeeded = false;
--- a/platform/src/verify_policy.cpp
+++ b/platform/src/verify_policy.cpp
@@ -316,33 +316,72 @@ finish:
 	return xret;
 }
-cJSON *get_query_from_request(const char *data, int thread_id)
+enum verify_type get_verify_type(cJSON* data_json)
 {
 	cJSON *item = NULL;
 	enum verify_type q_type = VERIFY_TYPE_POLICY;
 	item = cJSON_GetObjectItem(data_json,"verifyType");
 	if(item && item->type==cJSON_String)
 	{
 		if(0 == strcasecmp(item->valuestring, "policy"))
 		{
 			q_type = VERIFY_TYPE_POLICY;
 		}
 		if(0 == strcasecmp(item->valuestring, "regex"))
 		{
 			q_type = VERIFY_TYPE_REGEX;
 		}
 	}
 	return q_type;
 }
 static int get_query_result_regex(cJSON *verifylist_array_item, cJSON *data_obj)
 {
 	int cur_id=0, i=0, is_valid[32]={0};
 	cJSON *regexstr_obj[32];
 	cJSON *item = NULL, *subchild = NULL;
 	cJSON *attributes=NULL;
 	attributes = cJSON_GetObjectItem(verifylist_array_item, "verifyRegex");
 	if(attributes==NULL || attributes->type != cJSON_Array)
 	{
 		return -1;
 	}
 	for (subchild = attributes->child; subchild != NULL; subchild = subchild->next)
 	{
 		item = cJSON_GetObjectItem(subchild, "regexStr");
 		if(item && item->type==cJSON_String)
 		{
 			is_valid[cur_id] = policy_verify_regex_expression(item->valuestring);
 		}
 		regexstr_obj[cur_id]=cJSON_Duplicate(item, 1);
 		cur_id++;
 	}
 	cJSON *verify_regex_obj=NULL;
 	cJSON *verifyRegex=cJSON_CreateArray();
 	cJSON_AddItemToObject(data_obj, "attributes", verifyRegex);
 	for (i = 0; i < cur_id; i++)
 	{
 		verify_regex_obj=cJSON_CreateObject();
 		cJSON_AddItemToObject(verify_regex_obj, "regexStr", regexstr_obj[i]);
 		cJSON_AddNumberToObject(verify_regex_obj, "isValid", is_valid[i]);
 		cJSON_AddItemToArray(verifyRegex, verify_regex_obj);
 	}
 	return 1;
 }
 int get_query_result_policy(cJSON *subitem, cJSON *data_obj, int thread_id)
 {
 	int i = 0;
 	int hit_cnt = 0, xret =0;
 	cJSON *item = NULL, *subchild = NULL, *attributes=NULL;
 	struct verify_policy_query *verify_policy = NULL;
 	cJSON* data_json = cJSON_Parse(data);
 	if(data_json == NULL)
 	{
 		mesa_runtime_log(RLOG_LV_FATAL, "invalid policy parameter");
 		return NULL;
 	}
 	cJSON  *policy_obj=NULL, *data_obj=NULL;
 	policy_obj=cJSON_CreateObject();
 	cJSON_AddNumberToObject(policy_obj, "code", 200);
 	cJSON_AddStringToObject(policy_obj, "msg", "Success");
 	data_obj = cJSON_CreateObject();
 	cJSON_AddItemToObject(policy_obj, "data", data_obj);
 	cJSON* item = NULL, *subitem = NULL, *subchild = NULL, *attributes=NULL;
 	item = cJSON_GetObjectItem(data_json,"verifyList");
 	if(item && item->type==cJSON_Array)
 	{
 		for (subitem = item->child; subitem != NULL; subitem = subitem->next)
 		{
 	verify_policy = ALLOC(struct verify_policy_query, 1);
 	item = cJSON_GetObjectItem(subitem,"policyType");
 	if(item && item->type==cJSON_String)
@@ -361,6 +400,7 @@ cJSON *get_query_from_request(const char *data, int thread_id)
 		verify_policy->vsys_id = item->valueint;
 	}
 	mesa_runtime_log(RLOG_LV_DEBUG, " [I]   vsysId= %d", verify_policy->vsys_id);
 	item = cJSON_GetObjectItem(subitem,"verifySession");
 	if(item == NULL || item->type!=cJSON_Object)
 	{
@@ -421,19 +461,56 @@ cJSON *get_query_from_request(const char *data, int thread_id)
 		{
 			http_get_scan_status(&verify_policy->verify_object[item], verify_policy->compile_table_id, attributes,data_obj, ctx);
 		}
-				pangu_http_ctx_free(ctx);
+		policy_scan_ctx_free(ctx);
 	}
 	i=0;
 			FREE(&verify_policy);
 		}
 		goto end;
 free:
 	if (verify_policy)
 	{
 		FREE(&verify_policy);
 	}
-end:
+
 	return hit_cnt;
 }
 cJSON *get_query_from_request(const char *data, int thread_id)
 {
 	int hit_cnt = 0;
 	cJSON* data_json = cJSON_Parse(data);
 	if(data_json == NULL)
 	{
 		mesa_runtime_log(RLOG_LV_FATAL, "invalid policy parameter");
 		return NULL;
 	}
 	cJSON  *policy_obj=NULL, *data_obj=NULL;
 	policy_obj=cJSON_CreateObject();
 	cJSON_AddNumberToObject(policy_obj, "code", 200);
 	cJSON_AddStringToObject(policy_obj, "msg", "Success");
 	data_obj = cJSON_CreateObject();
 	cJSON_AddItemToObject(policy_obj, "data", data_obj);
 	int verify_type=get_verify_type(data_json);
 	cJSON *item = NULL, *subitem = NULL;
 	item = cJSON_GetObjectItem(data_json,"verifyList");
 	if(item && item->type==cJSON_Array)
 	{
 		for (subitem = item->child; subitem != NULL; subitem = subitem->next)
 		{
 			if(verify_type == VERIFY_TYPE_REGEX)
 			{
 				hit_cnt = get_query_result_regex(subitem, data_obj);
 			}
 			if(verify_type == VERIFY_TYPE_POLICY)
 			{
 				hit_cnt = get_query_result_policy(subitem, data_obj, thread_id);
 			}
 		}
 		if (hit_cnt >= 0)
 		{
 			cJSON_AddBoolToObject(policy_obj, "success", true);
@@ -538,7 +615,7 @@ void * verify_policy_thread_func(void * arg)
 		mesa_runtime_log(RLOG_LV_INFO, "Bound(%p) to port %d - Awaiting connections ... ", bound,
 						g_verify_proxy->listen_port);
 	}
-	mesa_runtime_log(RLOG_LV_INFO, "Work thread %u is run...", thread_ctx->id);
+	mesa_runtime_log(RLOG_LV_FATAL, "Work thread %u is run...", thread_ctx->id);
 	event_base_dispatch(thread_ctx->base);
 error:
@@ -949,7 +1026,7 @@ int main(int argc, char * argv[])
 	ret = maat_table_init(g_verify_proxy, main_profile);
 	CHECK_OR_EXIT(ret == 0, "Failed at init maat module, Exit.");
 	clock_gettime(CLOCK_REALTIME, &(end_time));
-	mesa_runtime_log(RLOG_LV_DEBUG, "Read table_info.conf, take time %lu(s)", end_time.tv_sec - start_time.tv_sec);
+	mesa_runtime_log(RLOG_LV_FATAL, "Read table_info.conf, take time %lu(s)", end_time.tv_sec - start_time.tv_sec);
 	printf("Read table_info.conf, take time %lu(s)\n", end_time.tv_sec - start_time.tv_sec);
 	g_verify_proxy->breakpad = breakpad_init(main_profile);