From f5070565eb2544ca7642fff67b6d454af37914bd Mon Sep 17 00:00:00 2001 From: fengweihao Date: Tue, 6 Aug 2024 17:51:18 +0800 Subject: [PATCH] =?UTF-8?q?Optimize=EF=BC=9A=E4=BD=BF=E7=94=A8Utarray?= =?UTF-8?q?=E5=AD=98=E5=82=A8library=E5=91=BD=E4=B8=AD=E8=B7=AF=E5=BE=84,?= =?UTF-8?q?=20=E4=BC=98=E5=8C=96Tunnel=E5=91=BD=E4=B8=AD=E8=B7=AF=E5=BE=84?= =?UTF-8?q?=E7=9A=84=E5=90=88=E5=B9=B6,=20=E5=A2=9E=E5=8A=A0=E6=B5=8B?= =?UTF-8?q?=E8=AF=95=E7=94=A8=E4=BE=8B=E7=9A=84CI=E6=9E=84=E5=BB=BA?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .gitlab-ci.yml | 13 + common/include/utarray.h | 247 ++++++++++ common/include/verify_policy.h | 41 +- platform/src/verify_matcher.cpp | 509 ++++++++++---------- platform/src/verify_policy.cpp | 2 +- test/CMakeLists.txt | 10 +- test/resource/HitPolicyRequest.json | 87 ++++ test/resource/HitPolicyResult.json | 62 +++ test/resource/VerifyPolicyManipulation.json | 101 ++++ test/resource/VerifyPolicyTunnel.json | 118 +++++ test/verify_policy_test.cpp | 141 ++++-- 11 files changed, 1008 insertions(+), 323 deletions(-) create mode 100644 common/include/utarray.h create mode 100644 test/resource/VerifyPolicyManipulation.json create mode 100644 test/resource/VerifyPolicyTunnel.json diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 83e0a37..bc925f2 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -7,6 +7,7 @@ variables: stages: - build +- test ############################################################################### # The script is set to el7 or el8 @@ -28,6 +29,18 @@ stages: tags: - share +############################################################################### +# make test: centos8 +############################################################################### +run_test_for_centos8: + stage: test + extends: .build_by_travis_for_centos8 + script: + - yum makecache + - ./ci/travis.sh + - cd build + - make test + ############################################################################### # compile use image: centos8 ############################################################################### diff --git a/common/include/utarray.h b/common/include/utarray.h new file mode 100644 index 0000000..6b62018 --- /dev/null +++ b/common/include/utarray.h @@ -0,0 +1,247 @@ +/* +Copyright (c) 2008-2018, Troy D. Hanson http://troydhanson.github.com/uthash/ +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS +IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED +TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A +PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER +OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, +EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR +PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF +LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING +NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +*/ + +/* a dynamic array implementation using macros + */ +#ifndef UTARRAY_H +#define UTARRAY_H + +#define UTARRAY_VERSION 2.1.0 + +#include /* size_t */ +#include /* memset, etc */ +#include /* exit */ + +#ifdef __GNUC__ +#define UTARRAY_UNUSED __attribute__((__unused__)) +#else +#define UTARRAY_UNUSED +#endif + +#ifdef oom +#error "The name of macro 'oom' has been changed to 'utarray_oom'. Please update your code." +#define utarray_oom() oom() +#endif + +#ifndef utarray_oom +#define utarray_oom() exit(-1) +#endif + +typedef void (ctor_f)(void *dst, const void *src); +typedef void (dtor_f)(void *elt); +typedef void (init_f)(void *elt); +typedef struct { + size_t sz; + init_f *init; + ctor_f *copy; + dtor_f *dtor; +} UT_icd; + +typedef struct { + unsigned i,n;/* i: index of next available slot, n: num slots */ + UT_icd icd; /* initializer, copy and destructor functions */ + char *d; /* n slots of size icd->sz*/ +} UT_array; + +#define utarray_init(a,_icd) do { \ + memset(a,0,sizeof(UT_array)); \ + (a)->icd = *(_icd); \ +} while(0) + +#define utarray_done(a) do { \ + if ((a)->n) { \ + if ((a)->icd.dtor) { \ + unsigned _ut_i; \ + for(_ut_i=0; _ut_i < (a)->i; _ut_i++) { \ + (a)->icd.dtor(utarray_eltptr(a,_ut_i)); \ + } \ + } \ + free((a)->d); \ + } \ + (a)->n=0; \ +} while(0) + +#define utarray_new(a,_icd) do { \ + (a) = (UT_array*)malloc(sizeof(UT_array)); \ + if ((a) == NULL) { \ + utarray_oom(); \ + } \ + utarray_init(a,_icd); \ +} while(0) + +#define utarray_free(a) do { \ + utarray_done(a); \ + free(a); \ +} while(0) + +#define utarray_reserve(a,by) do { \ + if (((a)->i+(by)) > (a)->n) { \ + char *utarray_tmp; \ + while (((a)->i+(by)) > (a)->n) { (a)->n = ((a)->n ? (2*(a)->n) : 8); } \ + utarray_tmp=(char*)realloc((a)->d, (a)->n*(a)->icd.sz); \ + if (utarray_tmp == NULL) { \ + utarray_oom(); \ + } \ + (a)->d=utarray_tmp; \ + } \ +} while(0) + +#define utarray_push_back(a,p) do { \ + utarray_reserve(a,1); \ + if ((a)->icd.copy) { (a)->icd.copy( _utarray_eltptr(a,(a)->i++), p); } \ + else { memcpy(_utarray_eltptr(a,(a)->i++), p, (a)->icd.sz); }; \ +} while(0) + +#define utarray_pop_back(a) do { \ + if ((a)->icd.dtor) { (a)->icd.dtor( _utarray_eltptr(a,--((a)->i))); } \ + else { (a)->i--; } \ +} while(0) + +#define utarray_extend_back(a) do { \ + utarray_reserve(a,1); \ + if ((a)->icd.init) { (a)->icd.init(_utarray_eltptr(a,(a)->i)); } \ + else { memset(_utarray_eltptr(a,(a)->i),0,(a)->icd.sz); } \ + (a)->i++; \ +} while(0) + +#define utarray_len(a) ((a)->i) + +#define utarray_eltptr(a,j) (((j) < (a)->i) ? _utarray_eltptr(a,j) : NULL) +#define _utarray_eltptr(a,j) ((void*)((a)->d + ((a)->icd.sz * (j)))) + +#define utarray_insert(a,p,j) do { \ + if ((j) > (a)->i) utarray_resize(a,j); \ + utarray_reserve(a,1); \ + if ((j) < (a)->i) { \ + memmove( _utarray_eltptr(a,(j)+1), _utarray_eltptr(a,j), \ + ((a)->i - (j))*((a)->icd.sz)); \ + } \ + if ((a)->icd.copy) { (a)->icd.copy( _utarray_eltptr(a,j), p); } \ + else { memcpy(_utarray_eltptr(a,j), p, (a)->icd.sz); }; \ + (a)->i++; \ +} while(0) + +#define utarray_inserta(a,w,j) do { \ + if (utarray_len(w) == 0) break; \ + if ((j) > (a)->i) utarray_resize(a,j); \ + utarray_reserve(a,utarray_len(w)); \ + if ((j) < (a)->i) { \ + memmove(_utarray_eltptr(a,(j)+utarray_len(w)), \ + _utarray_eltptr(a,j), \ + ((a)->i - (j))*((a)->icd.sz)); \ + } \ + if ((a)->icd.copy) { \ + unsigned _ut_i; \ + for(_ut_i=0;_ut_i<(w)->i;_ut_i++) { \ + (a)->icd.copy(_utarray_eltptr(a, (j) + _ut_i), _utarray_eltptr(w, _ut_i)); \ + } \ + } else { \ + memcpy(_utarray_eltptr(a,j), _utarray_eltptr(w,0), \ + utarray_len(w)*((a)->icd.sz)); \ + } \ + (a)->i += utarray_len(w); \ +} while(0) + +#define utarray_resize(dst,num) do { \ + unsigned _ut_i; \ + if ((dst)->i > (unsigned)(num)) { \ + if ((dst)->icd.dtor) { \ + for (_ut_i = (num); _ut_i < (dst)->i; ++_ut_i) { \ + (dst)->icd.dtor(_utarray_eltptr(dst, _ut_i)); \ + } \ + } \ + } else if ((dst)->i < (unsigned)(num)) { \ + utarray_reserve(dst, (num) - (dst)->i); \ + if ((dst)->icd.init) { \ + for (_ut_i = (dst)->i; _ut_i < (unsigned)(num); ++_ut_i) { \ + (dst)->icd.init(_utarray_eltptr(dst, _ut_i)); \ + } \ + } else { \ + memset(_utarray_eltptr(dst, (dst)->i), 0, (dst)->icd.sz*((num) - (dst)->i)); \ + } \ + } \ + (dst)->i = (num); \ +} while(0) + +#define utarray_concat(dst,src) do { \ + utarray_inserta(dst, src, utarray_len(dst)); \ +} while(0) + +#define utarray_erase(a,pos,len) do { \ + if ((a)->icd.dtor) { \ + unsigned _ut_i; \ + for (_ut_i = 0; _ut_i < (len); _ut_i++) { \ + (a)->icd.dtor(utarray_eltptr(a, (pos) + _ut_i)); \ + } \ + } \ + if ((a)->i > ((pos) + (len))) { \ + memmove(_utarray_eltptr(a, pos), _utarray_eltptr(a, (pos) + (len)), \ + ((a)->i - ((pos) + (len))) * (a)->icd.sz); \ + } \ + (a)->i -= (len); \ +} while(0) + +#define utarray_renew(a,u) do { \ + if (a) utarray_clear(a); \ + else utarray_new(a, u); \ +} while(0) + +#define utarray_clear(a) do { \ + if ((a)->i > 0) { \ + if ((a)->icd.dtor) { \ + unsigned _ut_i; \ + for(_ut_i=0; _ut_i < (a)->i; _ut_i++) { \ + (a)->icd.dtor(_utarray_eltptr(a, _ut_i)); \ + } \ + } \ + (a)->i = 0; \ + } \ +} while(0) + +#define utarray_sort(a,cmp) do { \ + qsort((a)->d, (a)->i, (a)->icd.sz, cmp); \ +} while(0) + +#define utarray_find(a,v,cmp) bsearch((v),(a)->d,(a)->i,(a)->icd.sz,cmp) + +#define utarray_front(a) (((a)->i) ? (_utarray_eltptr(a,0)) : NULL) +#define utarray_next(a,e) (((e)==NULL) ? utarray_front(a) : (((a)->i != utarray_eltidx(a,e)+1) ? _utarray_eltptr(a,utarray_eltidx(a,e)+1) : NULL)) +#define utarray_prev(a,e) (((e)==NULL) ? utarray_back(a) : ((utarray_eltidx(a,e) != 0) ? _utarray_eltptr(a,utarray_eltidx(a,e)-1) : NULL)) +#define utarray_back(a) (((a)->i) ? (_utarray_eltptr(a,(a)->i-1)) : NULL) +#define utarray_eltidx(a,e) (((char*)(e) - (a)->d) / (a)->icd.sz) + +/* last we pre-define a few icd for common utarrays of ints and strings */ +static void utarray_str_cpy(void *dst, const void *src) { + char **_src = (char**)src, **_dst = (char**)dst; + *_dst = (*_src == NULL) ? NULL : strdup(*_src); +} +static void utarray_str_dtor(void *elt) { + char **eltc = (char**)elt; + if (*eltc != NULL) free(*eltc); +} +static const UT_icd ut_str_icd UTARRAY_UNUSED = {sizeof(char*),NULL,utarray_str_cpy,utarray_str_dtor}; +static const UT_icd ut_int_icd UTARRAY_UNUSED = {sizeof(int),NULL,NULL,NULL}; +static const UT_icd ut_ptr_icd UTARRAY_UNUSED = {sizeof(void*),NULL,NULL,NULL}; + + +#endif /* UTARRAY_H */ diff --git a/common/include/verify_policy.h b/common/include/verify_policy.h index 13221d4..388b0c3 100644 --- a/common/include/verify_policy.h +++ b/common/include/verify_policy.h @@ -110,44 +110,39 @@ struct verify_policy struct verify_policy_thread *work_threads[VERIFY_ARRAY_MAX]; }; -struct fqdn_category_entry -{ - int fqdn_entry_num; - long long entry_id[MAX_TAG_ID_NUM]; - long long tag_id[MAX_TAG_ID_NUM]; -}; - #define MERGE_SCAN_NTH 128 +#define REQUEST_QUERY_OBJ_MAX 32 struct request_query_obj -{ - int table_id; - int numeric; - char *string; - char *district; - char *attri_name; - struct ipaddr *ip_addr; - char *subscriberid; - char *tunnel_type; - int merge_nth_scan_num; - int exclude_nth_scan[MERGE_SCAN_NTH]; - int merge_nth_scan[MERGE_SCAN_NTH]; - cJSON* attributes; - struct fqdn_category_entry fqdn_entry; +{ + int table_id; + int numeric; + int merge_nth_scan_num; + int merge_nth_scan[MERGE_SCAN_NTH]; + int exclude_nth_scan[MERGE_SCAN_NTH]; + char *string; + char *district; + char *attri_name; + char *tunnel_type; + struct ipaddr *ip_addr; + cJSON *attributes; }; struct verify_policy_query { int vsys_id; int compile_table_id; - struct request_query_obj request_object[32]; + struct request_query_obj request_object[REQUEST_QUERY_OBJ_MAX]; }; extern struct verify_policy * g_verify_proxy; -int maat_table_init(struct verify_policy * verify, const char* profile_path); +int verify_policy_table_init(struct verify_policy * verify, const char* profile_path); +void verify_policy_table_free(const char* profile_path); + cJSON *get_library_search_query(const char *data, ssize_t data_len); cJSON *get_verify_policy_query(const char *data, ssize_t data_len, int thread_id); + void verify_reload_loglevel(); #endif diff --git a/platform/src/verify_matcher.cpp b/platform/src/verify_matcher.cpp index 3c8ba07..460f31c 100644 --- a/platform/src/verify_matcher.cpp +++ b/platform/src/verify_matcher.cpp @@ -21,6 +21,7 @@ #include #include "utils.h" +#include "utarray.h" #include "verify_policy.h" #define MAX_EX_DATA_LEN 16 @@ -76,22 +77,28 @@ struct http_field_name /** Nth_scan: Since there is no virtual table name in the request due to IP location and IP protocol, * the current hit path scan count needs to be recorded to correspond to the virtual table name */ -struct ip_entry_hit_path +struct library_tag_entry { - int entry_num; - int Nth_scan_num; - int category[MAX_TAG_ID_NUM]; - int Nth_scan[MAX_TAG_ID_NUM]; - long long entry_id[MAX_TAG_ID_NUM]; - int tag_id[MAX_TAG_ID_NUM]; + int tag_id; + int category; + long long entry_id; }; -struct ip_data_ctx +struct library_hit_path { - struct ip_entry_hit_path source_entry; - struct ip_entry_hit_path internal_entry; - struct ip_entry_hit_path destination_entry; - struct ip_entry_hit_path external_entry; + int table_id; + int entry_num; + + int Nth_scan_num; + int Nth_scan[MAX_TAG_ID_NUM]; + + struct library_tag_entry tag[MAX_TAG_ID_NUM]; +}; + +struct library_scan_path +{ + int ut_array_cnt; + UT_array *ut_array_by_context; }; struct tunnel_data_ctx @@ -168,30 +175,21 @@ struct library_tag_ctx pthread_mutex_t lock; }; -struct policy_scan_ctx +struct policy_scan_ctx { - int thread_id; - int ip_protocol_num; - int tunnel_endpoint_x; - int bool_id_array_idx; - int tunnel_scan; - int n_read; - enum policy_action action; - - char *action_para; - struct maat_state *scan_mid; - struct maat_state *tunnel_scan_mid; - struct rule_data_ctx *hit_rules; - struct rule_data_ctx *enforce_rules; - - size_t hit_cnt; + int n_read; + int thread_id; + enum policy_action action; + struct maat_state *scan_mid; + struct maat_state *tunnel_scan_mid; + size_t hit_cnt; + struct rule_data_ctx *hit_rules; + struct maat_hit_path hit_path[HIT_PATH_SIZE]; size_t n_enforce; + struct rule_data_ctx *enforce_rules; + int tunnel_attr_count; long long result[MAX_SCAN_RESULT]; - long long tunnel_result[2]; - unsigned long long bool_id_array[256]; - - struct ip_data_ctx ip_ctx; - struct maat_hit_path hit_path[HIT_PATH_SIZE]; + struct library_scan_path scan_path; }; struct verify_policy_rt @@ -222,26 +220,21 @@ struct verify_policy_rt * g_policy_rt; #define PROTOCOL_TCP_GROUP_ID 6 #define PROTOCOL_UDP_GROUP_ID 7 -void verify_policy_tunnle_add(void * pme) -{ - struct policy_scan_ctx * ctx = (struct policy_scan_ctx *) pme; - ctx->tunnel_endpoint_x++; -} +UT_icd ut_ulonglong_id_icd = {sizeof(struct library_hit_path), NULL, NULL, NULL}; -void *policy_scan_ctx_new(unsigned int thread_id, int vsys_id, int compile_table_id) +struct policy_scan_ctx *policy_scan_ctx_new(unsigned int thread_id, int vsys_id, int compile_table_id) { struct policy_scan_ctx * ctx = ALLOC(struct policy_scan_ctx, 1); - ctx->thread_id = thread_id;; + ctx->thread_id = thread_id; + utarray_new(ctx->scan_path.ut_array_by_context, &ut_ulonglong_id_icd); ctx->scan_mid = maat_state_new(g_policy_rt->feather[vsys_id], thread_id); maat_state_set_scan_compile_table(ctx->scan_mid, g_policy_rt->compile_table_id[compile_table_id]); - return (void *)ctx; + return ctx; } -void policy_scan_ctx_free(void * pme) +void policy_scan_ctx_free(struct policy_scan_ctx * ctx) { - struct policy_scan_ctx * ctx = (struct policy_scan_ctx *) pme; - if(ctx->enforce_rules) FREE(&ctx->enforce_rules); @@ -256,6 +249,8 @@ void policy_scan_ctx_free(void * pme) maat_state_free(ctx->tunnel_scan_mid); ctx->tunnel_scan_mid = NULL; } + + utarray_free(ctx->scan_path.ut_array_by_context); FREE(&ctx); } @@ -1003,74 +998,28 @@ static inline int request_in_fqdn_cat(int table_id) } } -void http_add_ip_entry_to_hit_paths(cJSON *hitPaths, int table_id, struct ip_data_ctx *ip_ctx) +void add_library_entry_to_hit_paths(cJSON *hitPaths, int table_id, struct library_scan_path *ip_ctx) { - int i=0; cJSON *histObj=NULL; + struct library_hit_path *ip_entry=NULL; - switch (table_id) + while ((ip_entry=(struct library_hit_path *)utarray_next(ip_ctx->ut_array_by_context, ip_entry)) != NULL) { - case TSG_OBJ_SOURCE_ADDR: - for(i=0; i < ip_ctx->source_entry.entry_num; i++) + if(ip_entry->table_id == table_id) + { + for(int i=0; i < ip_entry->entry_num; i++) { histObj=cJSON_CreateObject(); cJSON_AddItemToArray(hitPaths, histObj); - cJSON_AddNumberToObject(histObj, "entry_id", ip_ctx->source_entry.entry_id[i]); - cJSON_AddNumberToObject(histObj, "tag_id", ip_ctx->source_entry.tag_id[i]); + cJSON_AddNumberToObject(histObj, "entry_id", ip_entry->tag[i].entry_id); + cJSON_AddNumberToObject(histObj, "tag_id", ip_entry->tag[i].tag_id); } - break; - case TSG_OBJ_INTERNAL_ADDR: - for(i=0; i < ip_ctx->internal_entry.entry_num; i++) - { - histObj=cJSON_CreateObject(); - cJSON_AddItemToArray(hitPaths, histObj); - cJSON_AddNumberToObject(histObj, "entry_id", ip_ctx->internal_entry.entry_id[i]); - cJSON_AddNumberToObject(histObj, "tag_id", ip_ctx->internal_entry.tag_id[i]); - } - break; - case TSG_OBJ_DESTINATION_ADDR: - for(i=0; i < ip_ctx->destination_entry.entry_num; i++) - { - histObj=cJSON_CreateObject(); - cJSON_AddItemToArray(hitPaths, histObj); - cJSON_AddNumberToObject(histObj, "entry_id", ip_ctx->destination_entry.entry_id[i]); - cJSON_AddNumberToObject(histObj, "tag_id", ip_ctx->destination_entry.tag_id[i]); - } - break; - case TSG_OBJ_EXTERNAL_ADDR: - for(i=0; i < ip_ctx->external_entry.entry_num; i++) - { - histObj=cJSON_CreateObject(); - cJSON_AddItemToArray(hitPaths, histObj); - cJSON_AddNumberToObject(histObj, "entry_id", ip_ctx->external_entry.entry_id[i]); - cJSON_AddNumberToObject(histObj, "tag_id", ip_ctx->external_entry.tag_id[i]); - } - break; - default: - break; - } + } + } + return; } -void http_add_fqdn_entry_to_hit_paths(cJSON *hitPaths, int table_id, struct fqdn_category_entry *fqdn_entry) -{ - int i=0; - cJSON *histObj=NULL; - - if(!request_in_fqdn_cat(table_id)) - { - return; - } - - for(i=0; ifqdn_entry_num; i++) - { - histObj=cJSON_CreateObject(); - cJSON_AddItemToArray(hitPaths, histObj); - cJSON_AddNumberToObject(histObj, "entry_id", fqdn_entry->entry_id[i]); - cJSON_AddNumberToObject(histObj, "tag_id",fqdn_entry->tag_id[i]); - } -} - /*In the case of multiple hits, the hit path is append behavior to obtain the last hit path force***/ int http_hit_policy_match(int result_config[], int cnt, int config) { @@ -1110,64 +1059,56 @@ int hit_rule_match_is_duplicate(struct maat_hit_path *src, struct maat_hit_path return 0; } -void http_get_scan_status(struct request_query_obj *query_obj, int compile_table_id, cJSON *attributes, cJSON *data_obj, void *pme) +cJSON *find_tunnel_attribute(cJSON *attributes) +{ + cJSON *item=NULL, *subchild=NULL; + + for (item = attributes->child; item != NULL; item = item->next) + { + subchild = cJSON_GetObjectItem(item, "attribute_name"); + if(subchild && subchild->type==cJSON_String && strncasecmp(subchild->valuestring, "tunnel_endpoint_object", 22) == 0) + { + return item; + } + } + return NULL; +} + +void http_get_scan_status(struct request_query_obj *query_obj, int compile_table_id, cJSON *attributes, cJSON *data_obj, struct policy_scan_ctx * ctx) { int i=0, j=0, result_cnt=0; struct maat_hit_path result_hit_path[MAX_SCAN_RESULT]={0}; - cJSON *attributeObj=NULL,*hitPaths=NULL; - cJSON *item = NULL; + cJSON *attributeObj=NULL; - struct policy_scan_ctx * ctx = (struct policy_scan_ctx *) pme; attributeObj=query_obj->attributes; - - if(ctx->tunnel_endpoint_x == 2) + if(query_obj->table_id == TSG_OBJ_TUNNEL) { - /*temp repair**/ - if (ctx->tunnel_scan ==2 && ctx->tunnel_result[0] == 1 && ctx->tunnel_result[1] == 0) + cJSON_Delete(attributeObj); + attributeObj=NULL; + + attributeObj = find_tunnel_attribute(attributes); + if(attributeObj == NULL) { - item = cJSON_GetObjectItem(attributeObj, "attribute_name"); - if(item && item->type==cJSON_String) - { - if(0 == strcasecmp(item->valuestring, "tunnel_endpointa")) - { - cJSON_Delete(attributeObj); - return; - } - } - } - else - { - item = cJSON_GetObjectItem(attributeObj, "attribute_name"); - if(item && item->type==cJSON_String) - { - if(0 == strcasecmp(item->valuestring, "tunnel_endpointa")) - { - cJSON_Delete(attributeObj); - return; - } - } + attributeObj = cJSON_CreateObject(); + cJSON_AddStringToObject(attributeObj, "attribute_type", "ip"); + cJSON_AddStringToObject(attributeObj, "table_name", "ATTR_TUNNEL"); + cJSON_AddStringToObject(attributeObj, "attribute_name", "tunnel_endpoint_object"); } } - if(compile_table_id == TSG_TABLE_SECURITY && query_obj->table_id == TSG_OBJ_TUNNEL) + cJSON* hitPaths = cJSON_GetObjectItem(attributeObj, "hit_paths"); + if(hitPaths != NULL && hitPaths->type != cJSON_Array) { - cJSON_DeleteItemFromObject(attributeObj, "attribute_name"); - cJSON_AddStringToObject(attributeObj, "attribute_name", "tunnel_endpoint_object"); - cJSON_DeleteItemFromObject(attributeObj, "attribute_value"); + cJSON_DeleteItemFromObject(attributeObj, "hit_paths"); + hitPaths=NULL; } - cJSON_AddItemToArray(attributes, attributeObj); - - /*If the request contains "hit_paths:null", it needs to be removed*/ - hitPaths = cJSON_GetObjectItem(attributeObj, "hit_paths"); - if(hitPaths != NULL) + if (hitPaths == NULL) { - cJSON_DeleteItemFromObject(attributeObj, "hit_paths"); + cJSON_AddItemToArray(attributes, attributeObj); + hitPaths = cJSON_CreateArray(); + cJSON_AddItemToObject(attributeObj, "hit_paths", hitPaths); } - hitPaths=cJSON_CreateArray(); - cJSON_AddItemToObject(attributeObj, "hit_paths", hitPaths); - - http_add_ip_entry_to_hit_paths(hitPaths, query_obj->table_id, &ctx->ip_ctx); - http_add_fqdn_entry_to_hit_paths(hitPaths, query_obj->table_id, &query_obj->fqdn_entry); + add_library_entry_to_hit_paths(hitPaths, query_obj->table_id, &ctx->scan_path); cJSON *histObj=NULL; for(i=0; i< ctx->n_read; i++) @@ -1211,61 +1152,59 @@ int policy_verify_regex_expression(const char *expression) return maat_helper_verify_regex_expression(expression); } -int get_attributes_table_name(struct request_query_obj *request, struct ip_data_ctx *ip_ctx, int attribute_num, int Nth_scan, int top_group_id, cJSON *topObject) +int get_ip_addr_table_name(struct library_scan_path *ip_ctx, int Nth_scan, int top_group_id, cJSON *topObject) +{ + const char * table_name[__TSG_OBJ_MAX] = {0}; + table_name[TSG_OBJ_SOURCE_ADDR] = "ATTR_SOURCE_IP"; + table_name[TSG_OBJ_DESTINATION_ADDR] = "ATTR_DESTINATION_IP"; + table_name[TSG_OBJ_INTERNAL_ADDR]="ATTR_INTERNAL_IP"; + table_name[TSG_OBJ_EXTERNAL_ADDR]="ATTR_EXTERNAL_IP"; + + struct library_hit_path *ip_entry=NULL; + while ((ip_entry=(struct library_hit_path *)utarray_next(ip_ctx->ut_array_by_context, ip_entry)) != NULL) + { + for(int i = 0; i < ip_entry->Nth_scan_num; i++) + { + if(ip_entry->Nth_scan[i] == Nth_scan) + { + cJSON_AddNumberToObject(topObject, "tag_id", top_group_id); + cJSON_AddStringToObject(topObject, "table_name", table_name[ip_entry->table_id]); + return 1; + } + } + } + return 0; +} + +const char *get_library_virtual_table_name(int table_id) +{ + const char * table_name[__TSG_OBJ_MAX] = {0}; + table_name[TSG_OBJ_SOURCE_ADDR] = "ATTR_SOURCE_IP"; + table_name[TSG_OBJ_DESTINATION_ADDR] = "ATTR_DESTINATION_IP"; + table_name[TSG_OBJ_INTERNAL_ADDR]="ATTR_INTERNAL_IP"; + table_name[TSG_OBJ_EXTERNAL_ADDR]="ATTR_EXTERNAL_IP"; + table_name[TSG_OBJ_SSL_CN]="ATTR_SERVER_FQDN"; + table_name[TSG_OBJ_SSL_SAN]="ATTR_SERVER_FQDN"; + table_name[TSG_OBJ_DNS_QNAME]="ATTR_SERVER_FQDN"; + table_name[TSG_OBJ_DOH_QNAME]="ATTR_SERVER_FQDN"; + table_name[TSG_OBJ_DST_SERVER_FQDN]="ATTR_SERVER_FQDN"; + return table_name[table_id]; +} + +int add_table_name_ToObject(struct request_query_obj *request, struct library_scan_path *ip_ctx, int attribute_num, int Nth_scan, int top_group_id, cJSON *topObject) { int i=0, j=0; cJSON *attributeObj=NULL, *subchild=NULL; - /* set soruce entry table name **/ - for(i = 0; i < ip_ctx->source_entry.Nth_scan_num; i++) + struct library_hit_path *ip_entry=NULL; + while ((ip_entry=(struct library_hit_path *)utarray_next(ip_ctx->ut_array_by_context, ip_entry)) != NULL) { - if(ip_ctx->source_entry.Nth_scan[i] == Nth_scan) + for(int i = 0; i < ip_entry->Nth_scan_num; i++) { - cJSON_AddNumberToObject(topObject, "tag_id", top_group_id); - cJSON_AddStringToObject(topObject, "table_name", "ATTR_SOURCE_IP"); - goto finish; - } - } - /* set internal entry table name **/ - for(i = 0; i < ip_ctx->internal_entry.Nth_scan_num; i++) - { - if(ip_ctx->internal_entry.Nth_scan[i] == Nth_scan) - { - cJSON_AddNumberToObject(topObject, "tag_id", top_group_id); - cJSON_AddStringToObject(topObject, "table_name", "ATTR_INTERNAL_IP"); - goto finish; - } - } - /* set destination entry table name **/ - for(i = 0; i < ip_ctx->destination_entry.Nth_scan_num; i++) - { - if(ip_ctx->destination_entry.Nth_scan[i] == Nth_scan) - { - cJSON_AddNumberToObject(topObject, "tag_id", top_group_id); - cJSON_AddStringToObject(topObject, "table_name", "ATTR_DESTINATION_IP"); - goto finish; - } - } - /* set external entry table name **/ - for(i = 0; i < ip_ctx->external_entry.Nth_scan_num; i++) - { - if(ip_ctx->external_entry.Nth_scan[i] == Nth_scan) - { - cJSON_AddNumberToObject(topObject, "tag_id", top_group_id); - cJSON_AddStringToObject(topObject, "table_name", "ATTR_EXTERNAL_IP"); - goto finish; - } - } - - /*set fqdn entry table name*/ - for(i = 0; iNth_scan[i] == Nth_scan) { cJSON_AddNumberToObject(topObject, "tag_id", top_group_id); - cJSON_AddStringToObject(topObject, "table_name", "ATTR_SERVER_FQDN"); + cJSON_AddStringToObject(topObject, "table_name", get_library_virtual_table_name(ip_entry->table_id)); goto finish; } } @@ -1292,7 +1231,7 @@ finish: return 0; } -int http_hit_policy_list(struct verify_policy_query *verify_policy, int attribute_num, size_t hit_cnt, cJSON *data_obj, void *pme) +int http_hit_policy_list(struct verify_policy_query *verify_policy, int attribute_num, size_t hit_cnt, cJSON *data_obj, struct policy_scan_ctx * ctx) { bool succeeded = false; size_t rules=0, i=0,j=0; @@ -1301,8 +1240,6 @@ int http_hit_policy_list(struct verify_policy_query *verify_policy, int attribut int vsys_id = verify_policy->vsys_id; int compile_table_id = verify_policy->compile_table_id; - struct policy_scan_ctx * ctx = (struct policy_scan_ctx *) pme; - hit_cnt = ctx->hit_cnt; if (hit_cnt <= 0) { @@ -1362,7 +1299,7 @@ int http_hit_policy_list(struct verify_policy_query *verify_policy, int attribut result_cnt++; } topObject=cJSON_CreateObject(); - get_attributes_table_name(verify_policy->request_object, &ctx->ip_ctx, attribute_num, ctx->hit_path[j].Nth_scan, ctx->hit_path[j].top_group_id, topObject); + add_table_name_ToObject(verify_policy->request_object, &ctx->scan_path, attribute_num, ctx->hit_path[j].Nth_scan, ctx->hit_path[j].top_group_id, topObject); cJSON_AddNumberToObject(topObject, "not_flag", ctx->hit_path[j].NOT_flag); cJSON_AddNumberToObject(topObject, "nth_clause", ctx->hit_path[j].clause_index); cJSON_AddItemToArray(topObjectList, topObject); @@ -1493,8 +1430,8 @@ int ip_entry_scan(struct request_query_obj *request, struct policy_scan_ctx *ctx int scan_ret=0, hit_cnt_ip=0; struct maat_hit_group hit_group; struct maat_hit_path hit_path[HIT_PATH_SIZE]; - struct library_entry_ctx *source_entry_ctx[MAX_EX_DATA_LEN]={0}; - struct library_entry_ctx *destination_entry_ctx[MAX_EX_DATA_LEN]={0}; + struct library_entry_ctx *source_ip_entry[MAX_EX_DATA_LEN]={0}; + struct library_entry_ctx *destination_ip_entry[MAX_EX_DATA_LEN]={0}; if(!g_policy_rt->load_ip_location) { @@ -1505,22 +1442,25 @@ int ip_entry_scan(struct request_query_obj *request, struct policy_scan_ctx *ctx ip_addr_to_address(request->ip_addr, &dip, &sip); memset(hit_path, 0, sizeof(struct maat_hit_path)*HIT_PATH_SIZE); - int ret1 = maat_ip_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[PROFILE_IP_ADDR_ENTRY], &sip, (void **)&source_entry_ctx, MAX_EX_DATA_LEN); - int ret2 = maat_ip_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[PROFILE_IP_ADDR_ENTRY], &dip, (void **)&destination_entry_ctx, MAX_EX_DATA_LEN); + int ret1 = maat_ip_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[PROFILE_IP_ADDR_ENTRY], &sip, (void **)&source_ip_entry, MAX_EX_DATA_LEN); + int ret2 = maat_ip_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[PROFILE_IP_ADDR_ENTRY], &dip, (void **)&destination_ip_entry, MAX_EX_DATA_LEN); + + struct library_hit_path ip_entry; + memset(&ip_entry, 0, sizeof(ip_entry)); if(ret1 > 0) { for(int i=0; i < ret1 && i < MAX_EX_DATA_LEN; i++) { - if(source_entry_ctx[i] == NULL) + if(source_ip_entry[i] == NULL) { continue; } - for(int tag_id=0; tag_idn_tag_ids; tag_id++) + for(int tag_id=0; tag_idn_tag_ids; tag_id++) { memset(&hit_group, 0, sizeof(hit_group)); - hit_group.group_id=source_entry_ctx[i]->tag_id_array[tag_id]; + hit_group.group_id=source_ip_entry[i]->tag_id_array[tag_id]; if(hit_group.group_id <= 0) { continue; @@ -1532,16 +1472,20 @@ int ip_entry_scan(struct request_query_obj *request, struct policy_scan_ctx *ctx hit_cnt_ip+=scan_ret; } - struct ip_entry_hit_path *entry_hit_path = (request->table_id == TSG_OBJ_SOURCE_ADDR) ? &ctx->ip_ctx.source_entry : &ctx->ip_ctx.internal_entry; - entry_hit_path->entry_id[entry_hit_path->entry_num]=source_entry_ctx[i]->entry_id; - entry_hit_path->tag_id[entry_hit_path->entry_num]=source_entry_ctx[i]->tag_id_array[tag_id]; - entry_hit_path->category[entry_hit_path->entry_num]= get_library_tag_category(source_entry_ctx[i]->tag_id_array[tag_id], vsys_id); - entry_hit_path->entry_num++; + ip_entry.table_id = request->table_id; + ip_entry.tag[ip_entry.entry_num].entry_id = source_ip_entry[i]->entry_id; + ip_entry.tag[ip_entry.entry_num].tag_id=source_ip_entry[i]->tag_id_array[tag_id]; + ip_entry.tag[ip_entry.entry_num].category = get_library_tag_category(source_ip_entry[i]->tag_id_array[tag_id], vsys_id); + ip_entry.entry_num++; ctx->n_read=maat_state_get_hit_paths(ctx->scan_mid, hit_path, HIT_PATH_SIZE); - entry_hit_path->Nth_scan[entry_hit_path->Nth_scan_num++] = maat_state_get_scan_count(ctx->scan_mid); + ip_entry.Nth_scan[ip_entry.Nth_scan_num++] = maat_state_get_scan_count(ctx->scan_mid); } - library_entry_free(source_entry_ctx[i]); + library_entry_free(source_ip_entry[i]); + } + if(ip_entry.entry_num > 0) + { + utarray_push_back(ctx->scan_path.ut_array_by_context, &ip_entry); } } @@ -1549,15 +1493,15 @@ int ip_entry_scan(struct request_query_obj *request, struct policy_scan_ctx *ctx { for(int i=0; i < ret2 && i < MAX_EX_DATA_LEN; i++) { - if(destination_entry_ctx[i] == NULL) + if(destination_ip_entry[i] == NULL) { continue; } - for(int tag_id=0; tag_idn_tag_ids; tag_id++) + for(int tag_id=0; tag_idn_tag_ids; tag_id++) { memset(&hit_group, 0, sizeof(hit_group)); - hit_group.group_id=destination_entry_ctx[i]->tag_id_array[tag_id]; + hit_group.group_id=destination_ip_entry[i]->tag_id_array[tag_id]; if(hit_group.group_id <= 0) { continue; @@ -1569,16 +1513,20 @@ int ip_entry_scan(struct request_query_obj *request, struct policy_scan_ctx *ctx hit_cnt_ip+=scan_ret; } - struct ip_entry_hit_path *entry_hit_path = (request->table_id == TSG_OBJ_DESTINATION_ADDR) ? &ctx->ip_ctx.destination_entry : &ctx->ip_ctx.external_entry; - entry_hit_path->entry_id[entry_hit_path->entry_num]=destination_entry_ctx[i]->entry_id; - entry_hit_path->tag_id[entry_hit_path->entry_num]=destination_entry_ctx[i]->tag_id_array[tag_id]; - entry_hit_path->category[entry_hit_path->entry_num]= get_library_tag_category(destination_entry_ctx[i]->tag_id_array[tag_id], vsys_id); - entry_hit_path->entry_num++; + ip_entry.table_id = request->table_id; + ip_entry.tag[ip_entry.entry_num].entry_id = destination_ip_entry[i]->entry_id; + ip_entry.tag[ip_entry.entry_num].tag_id=destination_ip_entry[i]->tag_id_array[tag_id]; + ip_entry.tag[ip_entry.entry_num].category = get_library_tag_category(destination_ip_entry[i]->tag_id_array[tag_id], vsys_id); + ip_entry.entry_num++; ctx->n_read=maat_state_get_hit_paths(ctx->scan_mid, hit_path, HIT_PATH_SIZE); - entry_hit_path->Nth_scan[entry_hit_path->Nth_scan_num++] = maat_state_get_scan_count(ctx->scan_mid); + ip_entry.Nth_scan[ip_entry.Nth_scan_num++] = maat_state_get_scan_count(ctx->scan_mid); } - library_entry_free(destination_entry_ctx[i]); + library_entry_free(destination_ip_entry[i]); + } + if(ip_entry.entry_num > 0) + { + utarray_push_back(ctx->scan_path.ut_array_by_context, &ip_entry); } } @@ -1589,7 +1537,7 @@ int get_fqdn_category_id(struct request_query_obj *request, struct policy_scan_c { size_t n_read=0, n_hit_result=0; int hit_path_cnt=0; - int i=0, j=0, ret=0, hit_cnt_fqdn=0; + int ret=0, hit_cnt_fqdn=0; enum category_type category=CATEGORY_TYPE_UNKNOWN; struct library_entry_ctx *fqdn_entry_ctx[MAX_EX_DATA_LEN]={0}; @@ -1598,8 +1546,11 @@ int get_fqdn_category_id(struct request_query_obj *request, struct policy_scan_c return 0; } + struct library_hit_path fqdn_entry; + memset(&fqdn_entry, 0, sizeof(fqdn_entry)); + ret=maat_fqdn_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[PROFILE_FQDN_ENTRY], fqdn, (void **)fqdn_entry_ctx, MAX_EX_DATA_LEN); - for(i=0; i < ret && i < MAX_EX_DATA_LEN; i++) + for(int i=0; i < ret && i < MAX_EX_DATA_LEN; i++) { if(fqdn_entry_ctx[i] == NULL) { @@ -1613,43 +1564,46 @@ int get_fqdn_category_id(struct request_query_obj *request, struct policy_scan_c { continue; } - request->fqdn_entry.entry_id[j] = fqdn_entry_ctx[i]->entry_id; - request->fqdn_entry.tag_id[j] = fqdn_entry_ctx[i]->tag_id_array[tag_id]; - j++; + fqdn_entry.table_id = request->table_id; + fqdn_entry.tag[fqdn_entry.entry_num].entry_id = fqdn_entry_ctx[i]->entry_id; + fqdn_entry.tag[fqdn_entry.entry_num].tag_id=fqdn_entry_ctx[i]->tag_id_array[tag_id]; + fqdn_entry.entry_num++; + } library_entry_free(fqdn_entry_ctx[i]); } - request->fqdn_entry.fqdn_entry_num = j< MAX_EX_DATA_LEN ? j : MAX_EX_DATA_LEN; struct maat_hit_group hit_group; - - if(request->fqdn_entry.fqdn_entry_num > 0) + for(int i=0; ifqdn_entry.fqdn_entry_num; i++) + memset(&hit_group, 0, sizeof(hit_group)); + hit_group.group_id=fqdn_entry.tag[i].tag_id; + ret=maat_scan_group(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], &hit_group, 1, + ctx->result+hit_cnt+hit_cnt_fqdn, MAX_SCAN_RESULT-hit_cnt-hit_cnt_fqdn, &n_hit_result, ctx->scan_mid); + if(ret == MAAT_SCAN_HIT) { - memset(&hit_group, 0, sizeof(hit_group)); - hit_group.group_id=request->fqdn_entry.tag_id[i]; - ret=maat_scan_group(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], &hit_group, 1, - ctx->result+hit_cnt+hit_cnt_fqdn, MAX_SCAN_RESULT-hit_cnt-hit_cnt_fqdn, &n_hit_result, ctx->scan_mid); - if(ret == MAAT_SCAN_HIT) - { - hit_cnt_fqdn+=n_hit_result; - } - ret = maat_scan_not_logic(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], - ctx->result+hit_cnt+hit_cnt_fqdn, MAX_SCAN_RESULT-hit_cnt-hit_cnt_fqdn, &n_hit_result, ctx->scan_mid); - if (ret == MAAT_SCAN_HIT) - { - hit_cnt_fqdn+=n_hit_result; - } - n_read=maat_state_get_hit_paths(ctx->scan_mid, ctx->hit_path, HIT_PATH_SIZE); - if(ret >= MAAT_SCAN_OK) - { - request->merge_nth_scan[hit_path_cnt] = maat_state_get_scan_count(ctx->scan_mid);; - request->exclude_nth_scan[hit_path_cnt] = 1; - ctx->n_read=n_read; - hit_path_cnt++; - } + hit_cnt_fqdn+=n_hit_result; } + ret = maat_scan_not_logic(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], + ctx->result+hit_cnt+hit_cnt_fqdn, MAX_SCAN_RESULT-hit_cnt-hit_cnt_fqdn, &n_hit_result, ctx->scan_mid); + if (ret == MAAT_SCAN_HIT) + { + hit_cnt_fqdn+=n_hit_result; + } + n_read=maat_state_get_hit_paths(ctx->scan_mid, ctx->hit_path, HIT_PATH_SIZE); + if(ret >= MAAT_SCAN_OK) + { + request->merge_nth_scan[hit_path_cnt] = maat_state_get_scan_count(ctx->scan_mid); + fqdn_entry.Nth_scan[fqdn_entry.Nth_scan_num++] = request->merge_nth_scan[hit_path_cnt]; + request->exclude_nth_scan[hit_path_cnt] = 1; + ctx->n_read=n_read; + hit_path_cnt++; + } + } + + if(fqdn_entry.entry_num > 0) + { + utarray_push_back(ctx->scan_path.ut_array_by_context, &fqdn_entry); } request->merge_nth_scan_num = hit_path_cnt; return hit_cnt_fqdn; @@ -1770,19 +1724,18 @@ int tunnel_scan(struct request_query_obj *request, struct policy_scan_ctx *ctx, hit_group.group_id=result[i]; if(hit_group.group_id != 0) { - if(ctx->tunnel_endpoint_x == 2 && ctx->tunnel_scan == 0) + if(ctx->tunnel_attr_count == 2) { logic=0; } scan_ret = maat_scan_group(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[TSG_OBJ_TUNNEL], &hit_group, 1, - ctx->result+hit_cnt+hit_cnt_group, MAX_SCAN_RESULT-hit_cnt-hit_cnt_group, &n_hit_result, ctx->scan_mid); + ctx->result+hit_cnt+hit_cnt_group, MAX_SCAN_RESULT-hit_cnt-hit_cnt_group, &n_hit_result, ctx->scan_mid); if(scan_ret == MAAT_SCAN_HIT) { hit_cnt_tunnel+=n_hit_result; } if(scan_ret >= MAAT_SCAN_OK) { - ctx->tunnel_result[ctx->tunnel_scan]=1; n_read=maat_state_get_hit_paths(ctx->scan_mid, ctx->hit_path, HIT_PATH_SIZE); request->merge_nth_scan[hit_path_cnt] = maat_state_get_scan_count(ctx->scan_mid); ctx->n_read=n_read; @@ -1790,7 +1743,7 @@ int tunnel_scan(struct request_query_obj *request, struct policy_scan_ctx *ctx, } } } - if(logic) + if(logic && scan_ret >= MAAT_SCAN_OK) { scan_ret = maat_scan_not_logic(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[TSG_OBJ_TUNNEL], ctx->result+hit_cnt+hit_cnt_group, MAX_SCAN_RESULT-hit_cnt-hit_cnt_group, &n_hit_result, ctx->scan_mid); @@ -1799,8 +1752,7 @@ int tunnel_scan(struct request_query_obj *request, struct policy_scan_ctx *ctx, hit_cnt_tunnel+=n_hit_result; } } - - ctx->tunnel_scan++; + ctx->tunnel_attr_count--; request->merge_nth_scan_num = hit_path_cnt; finish: return hit_cnt_tunnel; @@ -1928,7 +1880,7 @@ static int protocol_scan(struct request_query_obj *request, struct policy_scan_c memset(&hit_group, 0, sizeof(hit_group)); hit_group.group_id=get_group_id_by_protocol(request->numeric); - if(hit_group.group_id != 0 && ctx->ip_protocol_num == 0) + if(hit_group.group_id != 0) { scan_ret = group_scan(ctx, vsys_id, hit_cnt, hit_group, TSG_OBJ_IP_PROTOCOL, 1); if(scan_ret > 0) @@ -2075,12 +2027,10 @@ static int port_scan(struct request_query_obj *request, struct policy_scan_ctx * return hit_cnt_port; } -size_t policy_verify_scan(int vsys_id, int compile_table_id, struct request_query_obj *request, void *pme) +size_t policy_verify_scan(int vsys_id, int compile_table_id, struct request_query_obj *request, struct policy_scan_ctx * ctx) { size_t n_hit_result=0; int scan_ret=0, n_read; - - struct policy_scan_ctx * ctx = (struct policy_scan_ctx *) pme; size_t hit_cnt = ctx->hit_cnt; int table_id = request->table_id; @@ -2323,6 +2273,7 @@ cJSON *get_library_search_query(const char *data, ssize_t data_len) int vsys_id = http_get_int_param(http_request, "vsys_id"); if(vsys_id < 0) { + cJSON_Delete(http_request); log_fatal(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "invalid vsys_id"); return NULL; } @@ -2349,6 +2300,8 @@ cJSON *get_library_search_query(const char *data, ssize_t data_len) { cJSON_AddBoolToObject(http_respone, "success", false); } + cJSON_Delete(http_request); + return http_respone; } @@ -2699,20 +2652,20 @@ static int get_query_result_regex(cJSON *verifylist_array_item, cJSON *http_body return 1; } -static void get_count_form_attributeName(void *ctx, cJSON *subchild) +static void get_count_form_attributeName(struct policy_scan_ctx *ctx, cJSON *subchild) { cJSON *item = NULL; - + item = cJSON_GetObjectItem(subchild, "attribute_name"); if(item && item->type==cJSON_String) { if(0 == strcasecmp(item->valuestring, "tunnel_endpointa")) { - verify_policy_tunnle_add(ctx); + ctx->tunnel_attr_count++; } if(0 == strcasecmp(item->valuestring, "tunnel_endpointb")) { - verify_policy_tunnle_add(ctx); + ctx->tunnel_attr_count++; } } return; @@ -2753,7 +2706,7 @@ int get_query_result_policy(cJSON *verifylist_array_item, cJSON *http_body, int attributes = cJSON_GetObjectItem(item,"attributes"); if(attributes && attributes->type==cJSON_Array) { - void *ctx = policy_scan_ctx_new(thread_id, verify_policy->vsys_id, verify_policy->compile_table_id); + struct policy_scan_ctx *ctx = policy_scan_ctx_new(thread_id, verify_policy->vsys_id, verify_policy->compile_table_id); for (subchild = attributes->child; subchild != NULL; subchild = subchild->next) { @@ -3059,7 +3012,7 @@ void verify_reload_loglevel() } } -int maat_table_init(struct verify_policy * verify, const char* profile_path) +int verify_policy_table_init(struct verify_policy * verify, const char* profile_path) { int ret = -1; int vsys_id=0; int load_vsys_num=0, load_start_vsys=0; @@ -3152,3 +3105,25 @@ error_out: return ret; } +void verify_policy_table_free(const char* profile_path) +{ + int load_vsys_num=0, load_start_vsys=0; + + MESA_load_profile_int_def(profile_path, "MAAT", "load_vsys_num", &(load_vsys_num), 255); + MESA_load_profile_int_def(profile_path, "MAAT", "load_start_vsys", &(load_start_vsys), 0); + load_vsys_num = load_vsys_num > VSYS_ID_MAX ? VSYS_ID_MAX : load_vsys_num; + load_start_vsys = load_start_vsys > load_vsys_num ? 0 : load_start_vsys; + + for(int vsys_id=load_start_vsys; vsys_id < load_vsys_num; vsys_id++) + { + if(g_policy_rt->feather[vsys_id]) + { + /*Deleting maat handles can be problematic*/ + //maat_free(g_policy_rt->feather[vsys_id]); + } + } + FREE(&g_policy_rt); + + return; +} + diff --git a/platform/src/verify_policy.cpp b/platform/src/verify_policy.cpp index a90fd8d..4d34cfa 100644 --- a/platform/src/verify_policy.cpp +++ b/platform/src/verify_policy.cpp @@ -539,7 +539,7 @@ int main(int argc, char * argv[]) CHECK_OR_EXIT(ret == 0, "Failed at loading profile %s, Exit.", main_profile); clock_gettime(CLOCK_REALTIME, &(start_time)); - ret = maat_table_init(g_verify_proxy, main_profile); + ret = verify_policy_table_init(g_verify_proxy, main_profile); CHECK_OR_EXIT(ret == 0, "Failed at init maat module, Exit."); clock_gettime(CLOCK_REALTIME, &(end_time)); diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt index 5dbee6f..a717f60 100644 --- a/test/CMakeLists.txt +++ b/test/CMakeLists.txt @@ -8,7 +8,9 @@ set(CMAKE_BUILD_DIR ${CMAKE_SOURCE_DIR}/build) set(TEST_RUN_DIR ${CMAKE_BUILD_DIR}/test) file(COPY ${CMAKE_SOURCE_DIR}/resource DESTINATION ${TEST_RUN_DIR}) file(COPY ${CMAKE_SOURCE_DIR}/conf DESTINATION ${TEST_RUN_DIR}) -file(COPY ${CMAKE_SOURCE_DIR}/test/resource/VerifyPolicyHit.json DESTINATION ${TEST_RUN_DIR}/resource) + +file(COPY ${CMAKE_SOURCE_DIR}/test/resource/VerifyPolicyManipulation.json DESTINATION ${TEST_RUN_DIR}/resource) +file(COPY ${CMAKE_SOURCE_DIR}/test/resource/VerifyPolicyTunnel.json DESTINATION ${TEST_RUN_DIR}/resource) file(COPY ${CMAKE_SOURCE_DIR}/test/resource/HitPolicyResult.json DESTINATION ${TEST_RUN_DIR}/resource) file(COPY ${CMAKE_SOURCE_DIR}/test/resource/HitPolicyRequest.json DESTINATION ${TEST_RUN_DIR}/resource) @@ -16,4 +18,8 @@ add_test(NAME UPDATE_MAAT_MODE COMMAND bash -c "sed -i 's/maat_input_mode=1/maa add_test(NAME UPDATE_LOG_LEVEL COMMAND bash -c "sed -i 's/log_level=5/log_level=1/' ${TEST_RUN_DIR}/conf/verify_policy.conf") add_test(NAME UPDATE_VSYS_NUM COMMAND bash -c "sed -i '32i load_vsys_num=2' ${TEST_RUN_DIR}/conf/verify_policy.conf") add_test(NAME UPDATE_START_VSYS COMMAND bash -c "sed -i '33i load_start_vsys=1' ${TEST_RUN_DIR}/conf/verify_policy.conf") -add_test(NAME UPDATE_JSON_FILE COMMAND bash -c "sed -i 's/json_cfg_file=\\.\\/resource\\/verify-policy\\.json/json_cfg_file=\\.\\/resource\\/VerifyPolicyHit\\.json/' ${TEST_RUN_DIR}/conf/verify_policy.conf") +add_test(NAME UPDATE_JSON_FILE COMMAND bash -c "sed -i 's/json_cfg_file=\\.\\/resource\\/verify-policy\\.json/json_cfg_file=\\.\\/resource\\/VerifyPolicyManipulation\\.json/' ${TEST_RUN_DIR}/conf/verify_policy.conf") +add_test(NAME COPY_CONF COMMAND sh -c "cp ${TEST_RUN_DIR}/conf/verify_policy.conf ${TEST_RUN_DIR}/conf/verify_policy2.conf") +add_test(NAME UPDATE_JSON_FILE2 COMMAND bash -c "sed -i 's/json_cfg_file=\\.\\/resource\\/VerifyPolicyManipulation\\.json/json_cfg_file=\\.\\/resource\\/VerifyPolicyTunnel\\.json/' ${TEST_RUN_DIR}/conf/verify_policy2.conf") + +add_test(NAME VERIFY_POLICY_TEST COMMAND verify_policy_test) \ No newline at end of file diff --git a/test/resource/HitPolicyRequest.json b/test/resource/HitPolicyRequest.json index ba29494..e9996c3 100644 --- a/test/resource/HitPolicyRequest.json +++ b/test/resource/HitPolicyRequest.json @@ -1,6 +1,7 @@ { "Verify_Policy_Request": [ { + "__item_id": 0, "vsys_id": 1, "verify_list": [ { @@ -25,6 +26,7 @@ "verify_type": "policy" }, { + "__item_id": 1, "vsys_id": 1, "verify_list": [ { @@ -65,6 +67,91 @@ } ], "verify_type": "policy" + }, + { + "__item_id": 2, + "vsys_id": 1, + "verify_list": [ + { + "type": "security", + "vsys_id": 1, + "verify_session": { + "attributes": [ + { + "attribute_type": "ip", + "table_name": "ATTR_TUNNEL", + "attribute_name": "tunnel_endpointa", + "attribute_value": { + "ip": "192.168.0.1", + "tunnel_type":"gtp", + "addr_type": 4 + } + } + ] + } + } + ], + "verify_type": "policy" + }, + { + "__item_id": 3, + "vsys_id": 1, + "verify_list": [ + { + "type": "security", + "vsys_id": 1, + "verify_session": { + "attributes": [ + { + "attribute_type": "ip", + "table_name": "ATTR_TUNNEL", + "attribute_name": "tunnel_endpointb", + "attribute_value": { + "ip": "192.168.0.2", + "tunnel_type":"gtp", + "addr_type": 4 + } + } + ] + } + } + ], + "verify_type": "policy" + }, + { + "__item_id": 4, + "vsys_id": 1, + "verify_list": [ + { + "type": "security", + "vsys_id": 1, + "verify_session": { + "attributes": [ + { + "attribute_type": "ip", + "table_name": "ATTR_TUNNEL", + "attribute_name": "tunnel_endpointa", + "attribute_value": { + "ip": "192.168.0.2", + "tunnel_type":"gtp", + "addr_type": 4 + } + }, + { + "attribute_type": "ip", + "table_name": "ATTR_TUNNEL", + "attribute_name": "tunnel_endpointb", + "attribute_value": { + "ip": "192.168.0.3", + "tunnel_type":"gtp", + "addr_type": 4 + } + } + ] + } + } + ], + "verify_type": "policy" } ] } \ No newline at end of file diff --git a/test/resource/HitPolicyResult.json b/test/resource/HitPolicyResult.json index 1642616..db4da0c 100644 --- a/test/resource/HitPolicyResult.json +++ b/test/resource/HitPolicyResult.json @@ -129,6 +129,68 @@ } }, "success": true + }, + { + "code": 200, + "msg": "Success", + "data": { + "verify_session": { + "attributes": [{ + "attribute_type": "ip", + "table_name": "ATTR_TUNNEL", + "attribute_name": "tunnel_endpoint_object", + "hit_paths": [{ + "item_id": 0, + "superior_object_id": 3021 + }] + }] + } + }, + "success": true + }, + { + "code": 200, + "msg": "Success", + "data": { + "verify_session": { + "attributes": [{ + "attribute_type": "ip", + "table_name": "ATTR_TUNNEL", + "attribute_name": "tunnel_endpoint_object", + "hit_paths": [{ + "item_id": 0, + "superior_object_id": 3022 + }] + }] + } + }, + "success": true + }, + { + "code": 200, + "msg": "Success", + "data": { + "verify_session": { + "attributes": [ + { + "attribute_type": "ip", + "table_name": "ATTR_TUNNEL", + "attribute_name": "tunnel_endpoint_object", + "hit_paths": [ + { + "item_id": 0, + "superior_object_id": 3022 + }, + { + "item_id": 0, + "superior_object_id": 3023 + } + ] + } + ] + } + }, + "success": true } ] } \ No newline at end of file diff --git a/test/resource/VerifyPolicyManipulation.json b/test/resource/VerifyPolicyManipulation.json new file mode 100644 index 0000000..81487b4 --- /dev/null +++ b/test/resource/VerifyPolicyManipulation.json @@ -0,0 +1,101 @@ +{ + "compile_table": "PXY_CTRL_COMPILE", + "group2compile_table": "GROUP_PXY_CTRL_COMPILE_RELATION", + "group2group_table": "GROUP_GROUP_RELATION", + "rules": [ + { + "compile_id": 1021, + "service": 1, + "action": 48, + "do_blacklist": 1, + "do_log": 1, + "effective_range": 0, + "tags":"anything", + "user_region": "anything", + "is_valid": "yes", + "groups": [ + { + "not_flag": 0, + "group_id": 101, + "group_name":"IPv4TCPSoureVeiryPolicy01", + "virtual_table": "ATTR_SOURCE_IP", + "regions": [ + { + "table_type": "ip", + "table_name": "TSG_OBJ_IP_ADDR", + "table_content": { + "addr_type": "ipv4", + "addr_format": "range", + "ip1": "192.168.0.1", + "ip2": "192.168.0.1" + } + } + ] + } + ] + }, + { + "compile_id": 1022, + "service": 1, + "action": 48, + "do_blacklist": 1, + "do_log": 1, + "effective_range": 0, + "tags":"anything", + "user_region": "anything", + "is_valid": "yes", + "groups": [ + { + "group_id": 11, + "group_name": "IPv4TCPSoureEntry.11", + "virtual_table": "ATTR_SOURCE_IP" + }, + { + "group_id": 12, + "group_name": "IPv4TCPSoureEntry.12", + "virtual_table": "ATTR_INTERNAL_IP" + }, + { + "group_id": 1, + "group_name": "FQDNEntry.1", + "virtual_table": "ATTR_SERVER_FQDN" + } + ] + } + ], + "plugin_table": [ + { + "table_name": "FQDN_ENTRY", + "table_content": [ + "1\t1\twww.126.com\t1\t1", + "2\t2,3\twww.baidu.com\t1\t1", + "4\t4,5,6\twww.qq.com\t1\t1" + ] + }, + { + "table_name": "IP_ADDR_ENTRY", + "table_content": [ + "1\t11\t4\tsingle\t192.168.1.1\t192.168.1.1\t1", + "2\t12,13\t4\tsingle\t192.168.1.2\t192.168.1.2\t1", + "4\t14,15,16\t4\trange\t192.168.1.3\t192.168.1.3\t1" + ] + }, + { + "table_name": "LIBRARY_TAG", + "table_content": [ + "1\tnone\twebsite_category\tfqdn1\tsearch\\bengines\t1", + "2\tnone\twebsite_category\tfqdn2\tRecreation\band\bHobbies\t1", + "3\tnone\twebsite_category\tfqdn3\tbusiness\t1", + "4\tnone\twebsite_category\tfqdn4\tsearch bengines\t1", + "5\tnone\twebsite_category\tfqdn5\tsearch\\bengines\t1", + "6\tnone\twebsite_category\tfqdn6\tsearch\\bengines\t1", + "11\tnone\tgeoip\tadministrative_area\tColombia.Departamento\bdel\bVaupes\t1", + "12\tnone\tgeoip\tadministrative_area\tColombia.Departamento\bdel\bVaupes.MitĂș\t1", + "13\tnone\tgeoip\tadministrative_area\tColombia.Antioquia.Marinilla\t1", + "14\tnone\tgeoip\tsuper_administrative_area\tColombia.Departamento\bdel\bVaupes\t1", + "15\tnone\tgeoip\tadministrative_area\tGermany.Bavaria.Mauern\t1", + "16\tnone\tgeoip\tadministrative_area\tGermany.Bavaria.Mellrichstadt\t1" + ] + } + ] +} diff --git a/test/resource/VerifyPolicyTunnel.json b/test/resource/VerifyPolicyTunnel.json new file mode 100644 index 0000000..f7b697f --- /dev/null +++ b/test/resource/VerifyPolicyTunnel.json @@ -0,0 +1,118 @@ +{ + "compile_table": "TUNNEL_COMPILE", + "group2compile_table": "GROUP_TUNNEL_COMPILE_RELATION", + "group2group_table": "GROUP_GROUP_RELATION", + "rules": [ + { + "compile_id": 3021, + "service": 13, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "user_region": "anything", + "evaluation_order": "0.0", + "is_valid": "yes", + "groups": [ + { + "not_flag": 0, + "group_id": 1, + "group_name": "TunnelIpv4TCPSoureVeiryPolicy01", + "virtual_table": "ATTR_TUNNEL_GTP_ENDPOINT", + "regions": [ + { + "table_name": "TSG_OBJ_IP_ADDR", + "table_type": "ip", + "table_content": { + "addr_type": "ipv4", + "addr_format": "range", + "ip1": "192.168.0.1", + "ip2": "192.168.0.1" + } + } + ] + } + ] + }, + { + "compile_id": 3022, + "service": 13, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "user_region": "anything", + "evaluation_order": "0.0", + "is_valid": "yes", + "groups": [ + { + "not_flag": 0, + "group_id": 2, + "group_name": "TunnelIpv4TCPSoureVeiryPolicy02", + "virtual_table": "ATTR_TUNNEL_GTP_ENDPOINT", + "regions": [ + { + "table_name": "TSG_OBJ_IP_ADDR", + "table_type": "ip", + "table_content": { + "addr_type": "ipv4", + "addr_format": "range", + "ip1": "192.168.0.2", + "ip2": "192.168.0.2" + } + } + ] + } + ] + }, + { + "compile_id": 3023, + "service": 13, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "user_region": "anything", + "evaluation_order": "0.0", + "is_valid": "yes", + "groups": [ + { + "not_flag": 0, + "group_id": 3, + "group_name": "TunnelIpv4TCPSoureVeiryPolicy03", + "virtual_table": "ATTR_TUNNEL_GTP_ENDPOINT", + "regions": [ + { + "table_name": "TSG_OBJ_IP_ADDR", + "table_type": "ip", + "table_content": { + "addr_type": "ipv4", + "addr_format": "range", + "ip1": "192.168.0.2", + "ip2": "192.168.0.2" + } + } + ] + }, + { + "not_flag": 0, + "group_id": 4, + "group_name": "TunnelIpv4TCPSoureVeiryPolicy04", + "virtual_table": "ATTR_TUNNEL_GTP_ENDPOINT", + "regions": [ + { + "table_name": "TSG_OBJ_IP_ADDR", + "table_type": "ip", + "table_content": { + "addr_type": "ipv4", + "addr_format": "range", + "ip1": "192.168.0.3", + "ip2": "192.168.0.3" + } + } + ] + } + ] + } + ] +} diff --git a/test/verify_policy_test.cpp b/test/verify_policy_test.cpp index c76a1ef..032dffb 100644 --- a/test/verify_policy_test.cpp +++ b/test/verify_policy_test.cpp @@ -25,12 +25,19 @@ struct verify_policy * g_verify_proxy = NULL; extern cJSON *get_library_search_query(const char *data, ssize_t data_len); extern cJSON *get_verify_policy_query(const char *data, ssize_t data_len, int thread_id); -int load_json_file_system_cmd(const char *load_json_file, const char *run_json_file) +int load_json_file_system_cmd(const char *load_json_file, const char *run_json_file, int backup) { char command[1024] = {0}; + + if(backup) + { + snprintf(command, sizeof(command), "cp ./resource/%s ./resource/backup.json", run_json_file); + system(command); + } + + memset(command, 0, sizeof(command)); snprintf(command, sizeof(command), "cp ./resource/%s ./resource/%s", load_json_file, run_json_file); system(command); - sleep(2); return 0; } @@ -82,46 +89,46 @@ static char *select_hit_policy_request_item(int gtest_id) TEST(LibrarySearch, HitFqdnEntry) { - const char *cm_http_request = "{\"ip\":null,\"fqdn\":\"www.126.com\",\"vsys_id\":1}"; - const char *expect_result="{\"code\":200,\"msg\":\"Success\",\"data\":{\"hit_library\":[{\"entry_id\":1,\"tag_ids\":\"1\"}]},\"success\":true}"; + const char *hit_policy_request = "{\"ip\":null,\"fqdn\":\"www.126.com\",\"vsys_id\":1}"; + const char *hit_policy_result="{\"code\":200,\"msg\":\"Success\",\"data\":{\"hit_library\":[{\"entry_id\":1,\"tag_ids\":\"1\"}]},\"success\":true}"; - cJSON *result_json = get_library_search_query(cm_http_request, strlen(cm_http_request)); + cJSON *result_json = get_library_search_query(hit_policy_request, strlen(hit_policy_request)); ASSERT_TRUE(result_json != NULL); char *hit_policy_list = cJSON_PrintUnformatted(result_json); ASSERT_TRUE(hit_policy_list != NULL); - int equal = strncasecmp(hit_policy_list, expect_result, strlen(expect_result)); + int equal = strncasecmp(hit_policy_list, hit_policy_result, strlen(hit_policy_result)); EXPECT_EQ(equal, 0); cJSON_Delete(result_json); FREE(&hit_policy_list); - cm_http_request = "{\"ip\":null,\"fqdn\":\"www.baidu.com\",\"vsys_id\":1}"; - expect_result="{\"code\":200,\"msg\":\"Success\",\"data\":{\"hit_library\":[{\"entry_id\":2,\"tag_ids\":\"2,3\"}]},\"success\":true}"; + hit_policy_request = "{\"ip\":null,\"fqdn\":\"www.baidu.com\",\"vsys_id\":1}"; + hit_policy_result="{\"code\":200,\"msg\":\"Success\",\"data\":{\"hit_library\":[{\"entry_id\":2,\"tag_ids\":\"2,3\"}]},\"success\":true}"; - result_json = get_library_search_query(cm_http_request, strlen(cm_http_request)); + result_json = get_library_search_query(hit_policy_request, strlen(hit_policy_request)); ASSERT_TRUE(result_json != NULL); hit_policy_list = cJSON_PrintUnformatted(result_json); ASSERT_TRUE(hit_policy_list != NULL); - equal = strncasecmp(hit_policy_list, expect_result, strlen(expect_result)); + equal = strncasecmp(hit_policy_list, hit_policy_result, strlen(hit_policy_result)); EXPECT_EQ(equal, 0); cJSON_Delete(result_json); FREE(&hit_policy_list); - cm_http_request = "{\"ip\":null,\"fqdn\":\"www.qq.com\",\"vsys_id\":1}"; - expect_result="{\"code\":200,\"msg\":\"Success\",\"data\":{\"hit_library\":[{\"entry_id\":4,\"tag_ids\":\"4,5,6\"}]},\"success\":true}"; + hit_policy_request = "{\"ip\":null,\"fqdn\":\"www.qq.com\",\"vsys_id\":1}"; + hit_policy_result="{\"code\":200,\"msg\":\"Success\",\"data\":{\"hit_library\":[{\"entry_id\":4,\"tag_ids\":\"4,5,6\"}]},\"success\":true}"; - result_json = get_library_search_query(cm_http_request, strlen(cm_http_request)); + result_json = get_library_search_query(hit_policy_request, strlen(hit_policy_request)); ASSERT_TRUE(result_json != NULL); hit_policy_list = cJSON_PrintUnformatted(result_json); ASSERT_TRUE(hit_policy_list != NULL); - equal = strncasecmp(hit_policy_list, expect_result, strlen(expect_result)); + equal = strncasecmp(hit_policy_list, hit_policy_result, strlen(hit_policy_result)); EXPECT_EQ(equal, 0); cJSON_Delete(result_json); @@ -130,46 +137,46 @@ TEST(LibrarySearch, HitFqdnEntry) TEST(LibrarySearch, HitIpEntry) { - const char *cm_http_request = "{\"ip\":\"192.168.1.1\",\"fqdn\":null,\"vsys_id\":1}"; - const char *expect_result="{\"code\":200,\"msg\":\"Success\",\"data\":{\"hit_library\":[{\"entry_id\":1,\"tag_ids\":\"11\"}]},\"success\":true}"; + const char *hit_policy_request = "{\"ip\":\"192.168.1.1\",\"fqdn\":null,\"vsys_id\":1}"; + const char *hit_policy_result="{\"code\":200,\"msg\":\"Success\",\"data\":{\"hit_library\":[{\"entry_id\":1,\"tag_ids\":\"11\"}]},\"success\":true}"; - cJSON *result_json = get_library_search_query(cm_http_request, strlen(cm_http_request)); + cJSON *result_json = get_library_search_query(hit_policy_request, strlen(hit_policy_request)); ASSERT_TRUE(result_json != NULL); char *hit_policy_list = cJSON_PrintUnformatted(result_json); ASSERT_TRUE(hit_policy_list != NULL); - int equal = strncasecmp(hit_policy_list, expect_result, strlen(expect_result)); + int equal = strncasecmp(hit_policy_list, hit_policy_result, strlen(hit_policy_result)); EXPECT_EQ(equal, 0); cJSON_Delete(result_json); FREE(&hit_policy_list); - cm_http_request ="{\"ip\":\"192.168.1.2\",\"fqdn\":null,\"vsys_id\":1}"; - expect_result="{\"code\":200,\"msg\":\"Success\",\"data\":{\"hit_library\":[{\"entry_id\":2,\"tag_ids\":\"12,13\"}]},\"success\":true}"; + hit_policy_request ="{\"ip\":\"192.168.1.2\",\"fqdn\":null,\"vsys_id\":1}"; + hit_policy_result="{\"code\":200,\"msg\":\"Success\",\"data\":{\"hit_library\":[{\"entry_id\":2,\"tag_ids\":\"12,13\"}]},\"success\":true}"; - result_json = get_library_search_query(cm_http_request, strlen(cm_http_request)); + result_json = get_library_search_query(hit_policy_request, strlen(hit_policy_request)); ASSERT_TRUE(result_json != NULL); hit_policy_list = cJSON_PrintUnformatted(result_json); ASSERT_TRUE(hit_policy_list != NULL); - equal = strncasecmp(hit_policy_list, expect_result, strlen(expect_result)); + equal = strncasecmp(hit_policy_list, hit_policy_result, strlen(hit_policy_result)); EXPECT_EQ(equal, 0); cJSON_Delete(result_json); FREE(&hit_policy_list); - cm_http_request = "{\"ip\":\"192.168.1.3\",\"fqdn\":null,\"vsys_id\":1}"; - expect_result="{\"code\":200,\"msg\":\"Success\",\"data\":{\"hit_library\":[{\"entry_id\":4,\"tag_ids\":\"14,15,16\"}]},\"success\":true}"; + hit_policy_request = "{\"ip\":\"192.168.1.3\",\"fqdn\":null,\"vsys_id\":1}"; + hit_policy_result="{\"code\":200,\"msg\":\"Success\",\"data\":{\"hit_library\":[{\"entry_id\":4,\"tag_ids\":\"14,15,16\"}]},\"success\":true}"; - result_json = get_library_search_query(cm_http_request, strlen(cm_http_request)); + result_json = get_library_search_query(hit_policy_request, strlen(hit_policy_request)); ASSERT_TRUE(result_json != NULL); hit_policy_list = cJSON_PrintUnformatted(result_json); ASSERT_TRUE(hit_policy_list != NULL); - equal = strncasecmp(hit_policy_list, expect_result, strlen(expect_result)); + equal = strncasecmp(hit_policy_list, hit_policy_result, strlen(hit_policy_result)); EXPECT_EQ(equal, 0); cJSON_Delete(result_json); @@ -210,7 +217,82 @@ TEST(VerifyPolicy, HitLibraryPolicy) char *hit_policy_query = cJSON_PrintUnformatted(result_json); ASSERT_TRUE(hit_policy_query != NULL); - //printf("hit_policy_query =%s\n", hit_policy_query); + + int equal = strncasecmp(hit_policy_query, hit_policy_result, strlen(hit_policy_result)); + EXPECT_EQ(equal, 0); + + cJSON_Delete(result_json); + FREE(&hit_policy_query); + FREE(&hit_policy_request); + FREE(&hit_policy_result); +} + +static void reload_maat_config(const char * main_profile) +{ + verify_policy_table_free(main_profile); + int ret = verify_policy_table_init(g_verify_proxy, main_profile); + CHECK_OR_EXIT(ret == 0, "Failed at init maat module, Exit."); +} + +/*Tunnel Endpoint Policy Test**/ +TEST(VerifyPolicy, HitTunnelEndpointaPolicy) +{ + reload_maat_config("./conf/verify_policy2.conf"); + char *hit_policy_request = select_hit_policy_request_item(2); + ASSERT_TRUE(hit_policy_request != NULL); + char *hit_policy_result = select_hit_policy_result_item(2); + ASSERT_TRUE(hit_policy_result != NULL); + + cJSON *result_json = get_verify_policy_query(hit_policy_request, strlen(hit_policy_request), 1); + ASSERT_TRUE(result_json != NULL); + + char *hit_policy_query = cJSON_PrintUnformatted(result_json); + ASSERT_TRUE(hit_policy_query != NULL); + + int equal = strncasecmp(hit_policy_query, hit_policy_result, strlen(hit_policy_result)); + EXPECT_EQ(equal, 0); + + cJSON_Delete(result_json); + FREE(&hit_policy_query); + FREE(&hit_policy_request); + FREE(&hit_policy_result); +} + +TEST(VerifyPolicy, HitTunnelEndpointbPolicy) +{ + char *hit_policy_request = select_hit_policy_request_item(3); + ASSERT_TRUE(hit_policy_request != NULL); + char *hit_policy_result = select_hit_policy_result_item(3); + ASSERT_TRUE(hit_policy_result != NULL); + + cJSON *result_json = get_verify_policy_query(hit_policy_request, strlen(hit_policy_request), 1); + ASSERT_TRUE(result_json != NULL); + + char *hit_policy_query = cJSON_PrintUnformatted(result_json); + ASSERT_TRUE(hit_policy_query != NULL); + + int equal = strncasecmp(hit_policy_query, hit_policy_result, strlen(hit_policy_result)); + EXPECT_EQ(equal, 0); + + cJSON_Delete(result_json); + FREE(&hit_policy_query); + FREE(&hit_policy_request); + FREE(&hit_policy_result); +} + +TEST(VerifyPolicy, HitTunnelEndpointPolicy) +{ + char *hit_policy_request = select_hit_policy_request_item(4); + ASSERT_TRUE(hit_policy_request != NULL); + char *hit_policy_result = select_hit_policy_result_item(4); + ASSERT_TRUE(hit_policy_result != NULL); + + cJSON *result_json = get_verify_policy_query(hit_policy_request, strlen(hit_policy_request), 1); + ASSERT_TRUE(result_json != NULL); + + char *hit_policy_query = cJSON_PrintUnformatted(result_json); + ASSERT_TRUE(hit_policy_query != NULL); + printf("hit_policy_query =%s\n", hit_policy_query); int equal = strncasecmp(hit_policy_query, hit_policy_result, strlen(hit_policy_result)); EXPECT_EQ(equal, 0); @@ -283,7 +365,8 @@ int main(int argc, char ** argv) g_verify_proxy->logger = log_handle_create(log_path, log_level); CHECK_OR_EXIT(g_verify_proxy->logger != NULL, "Failed at init log module. Exit."); - ret = maat_table_init(g_verify_proxy, main_profile); + g_verify_proxy->nr_work_threads=1; + ret = verify_policy_table_init(g_verify_proxy, main_profile); CHECK_OR_EXIT(ret == 0, "Failed at init maat module, Exit."); const char *filename1 = "./resource/HitPolicyResult.json"; @@ -293,7 +376,6 @@ int main(int argc, char ** argv) testing::InitGoogleTest(&argc, argv); ret=RUN_ALL_TESTS(); - if(data1 != NULL) { cJSON_Delete(data1); @@ -302,7 +384,6 @@ int main(int argc, char ** argv) { cJSON_Delete(data2); } - return ret; }