gfwleak/tango-verify-policy
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Optimize:使用Utarray存储library命中路径, 优化Tunnel命中路径的合并, 增加测试用例的CI构建

Browse Source
This commit is contained in:
fengweihao
2024-08-06 17:51:18 +08:00
parent 41caf21f43
commit f5070565eb
11 changed files with 1008 additions and 323 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
.gitlab-ci.yml
View File

@@ -7,6 +7,7 @@ variables:
stages: stages:
- build - build
- test
############################################################################### ###############################################################################
# The script is set to el7 or el8 # The script is set to el7 or el8
@@ -28,6 +29,18 @@ stages:
tags: tags:
- share - share
###############################################################################
# make test: centos8
###############################################################################
run_test_for_centos8:
stage: test
extends: .build_by_travis_for_centos8
script:
- yum makecache
- ./ci/travis.sh
- cd build
- make test
############################################################################### ###############################################################################
# compile use image: centos8 # compile use image: centos8
############################################################################### ###############################################################################

247
common/include/utarray.h Normal file
View File

@@ -0,0 +1,247 @@
/*
Copyright (c) 2008-2018, Troy D. Hanson http://troydhanson.github.com/uthash/
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/* a dynamic array implementation using macros
*/
#ifndef UTARRAY_H
#define UTARRAY_H
#define UTARRAY_VERSION 2.1.0
#include <stddef.h> /* size_t */
#include <string.h> /* memset, etc */
#include <stdlib.h> /* exit */
#ifdef __GNUC__
#define UTARRAY_UNUSED __attribute__((__unused__))
#else
#define UTARRAY_UNUSED
#endif
#ifdef oom
#error "The name of macro 'oom' has been changed to 'utarray_oom'. Please update your code."
#define utarray_oom() oom()
#endif
#ifndef utarray_oom
#define utarray_oom() exit(-1)
#endif
typedef void (ctor_f)(void *dst, const void *src);
typedef void (dtor_f)(void *elt);
typedef void (init_f)(void *elt);
typedef struct {
size_t sz;
init_f *init;
ctor_f *copy;
dtor_f *dtor;
} UT_icd;
typedef struct {
unsigned i,n;/* i: index of next available slot, n: num slots */
UT_icd icd; /* initializer, copy and destructor functions */
char *d; /* n slots of size icd->sz*/
} UT_array;
#define utarray_init(a,_icd) do { \
memset(a,0,sizeof(UT_array)); \
(a)->icd = *(_icd); \
} while(0)
#define utarray_done(a) do { \
if ((a)->n) { \
if ((a)->icd.dtor) { \
unsigned _ut_i; \
for(_ut_i=0; _ut_i < (a)->i; _ut_i++) { \
(a)->icd.dtor(utarray_eltptr(a,_ut_i)); \
} \
} \
free((a)->d); \
} \
(a)->n=0; \
} while(0)
#define utarray_new(a,_icd) do { \
(a) = (UT_array*)malloc(sizeof(UT_array)); \
if ((a) == NULL) { \
utarray_oom(); \
} \
utarray_init(a,_icd); \
} while(0)
#define utarray_free(a) do { \
utarray_done(a); \
free(a); \
} while(0)
#define utarray_reserve(a,by) do { \
if (((a)->i+(by)) > (a)->n) { \
char *utarray_tmp; \
while (((a)->i+(by)) > (a)->n) { (a)->n = ((a)->n ? (2*(a)->n) : 8); } \
utarray_tmp=(char*)realloc((a)->d, (a)->n*(a)->icd.sz); \
if (utarray_tmp == NULL) { \
utarray_oom(); \
} \
(a)->d=utarray_tmp; \
} \
} while(0)
#define utarray_push_back(a,p) do { \
utarray_reserve(a,1); \
if ((a)->icd.copy) { (a)->icd.copy( _utarray_eltptr(a,(a)->i++), p); } \
else { memcpy(_utarray_eltptr(a,(a)->i++), p, (a)->icd.sz); }; \
} while(0)
#define utarray_pop_back(a) do { \
if ((a)->icd.dtor) { (a)->icd.dtor( _utarray_eltptr(a,--((a)->i))); } \
else { (a)->i--; } \
} while(0)
#define utarray_extend_back(a) do { \
utarray_reserve(a,1); \
if ((a)->icd.init) { (a)->icd.init(_utarray_eltptr(a,(a)->i)); } \
else { memset(_utarray_eltptr(a,(a)->i),0,(a)->icd.sz); } \
(a)->i++; \
} while(0)
#define utarray_len(a) ((a)->i)
#define utarray_eltptr(a,j) (((j) < (a)->i) ? _utarray_eltptr(a,j) : NULL)
#define _utarray_eltptr(a,j) ((void*)((a)->d + ((a)->icd.sz * (j))))
#define utarray_insert(a,p,j) do { \
if ((j) > (a)->i) utarray_resize(a,j); \
utarray_reserve(a,1); \
if ((j) < (a)->i) { \
memmove( _utarray_eltptr(a,(j)+1), _utarray_eltptr(a,j), \
((a)->i - (j))*((a)->icd.sz)); \
} \
if ((a)->icd.copy) { (a)->icd.copy( _utarray_eltptr(a,j), p); } \
else { memcpy(_utarray_eltptr(a,j), p, (a)->icd.sz); }; \
(a)->i++; \
} while(0)
#define utarray_inserta(a,w,j) do { \
if (utarray_len(w) == 0) break; \
if ((j) > (a)->i) utarray_resize(a,j); \
utarray_reserve(a,utarray_len(w)); \
if ((j) < (a)->i) { \
memmove(_utarray_eltptr(a,(j)+utarray_len(w)), \
_utarray_eltptr(a,j), \
((a)->i - (j))*((a)->icd.sz)); \
} \
if ((a)->icd.copy) { \
unsigned _ut_i; \
for(_ut_i=0;_ut_i<(w)->i;_ut_i++) { \
(a)->icd.copy(_utarray_eltptr(a, (j) + _ut_i), _utarray_eltptr(w, _ut_i)); \
} \
} else { \
memcpy(_utarray_eltptr(a,j), _utarray_eltptr(w,0), \
utarray_len(w)*((a)->icd.sz)); \
} \
(a)->i += utarray_len(w); \
} while(0)
#define utarray_resize(dst,num) do { \
unsigned _ut_i; \
if ((dst)->i > (unsigned)(num)) { \
if ((dst)->icd.dtor) { \
for (_ut_i = (num); _ut_i < (dst)->i; ++_ut_i) { \
(dst)->icd.dtor(_utarray_eltptr(dst, _ut_i)); \
} \
} \
} else if ((dst)->i < (unsigned)(num)) { \
utarray_reserve(dst, (num) - (dst)->i); \
if ((dst)->icd.init) { \
for (_ut_i = (dst)->i; _ut_i < (unsigned)(num); ++_ut_i) { \
(dst)->icd.init(_utarray_eltptr(dst, _ut_i)); \
} \
} else { \
memset(_utarray_eltptr(dst, (dst)->i), 0, (dst)->icd.sz*((num) - (dst)->i)); \
} \
} \
(dst)->i = (num); \
} while(0)
#define utarray_concat(dst,src) do { \
utarray_inserta(dst, src, utarray_len(dst)); \
} while(0)
#define utarray_erase(a,pos,len) do { \
if ((a)->icd.dtor) { \
unsigned _ut_i; \
for (_ut_i = 0; _ut_i < (len); _ut_i++) { \
(a)->icd.dtor(utarray_eltptr(a, (pos) + _ut_i)); \
} \
} \
if ((a)->i > ((pos) + (len))) { \
memmove(_utarray_eltptr(a, pos), _utarray_eltptr(a, (pos) + (len)), \
((a)->i - ((pos) + (len))) * (a)->icd.sz); \
} \
(a)->i -= (len); \
} while(0)
#define utarray_renew(a,u) do { \
if (a) utarray_clear(a); \
else utarray_new(a, u); \
} while(0)
#define utarray_clear(a) do { \
if ((a)->i > 0) { \
if ((a)->icd.dtor) { \
unsigned _ut_i; \
for(_ut_i=0; _ut_i < (a)->i; _ut_i++) { \
(a)->icd.dtor(_utarray_eltptr(a, _ut_i)); \
} \
} \
(a)->i = 0; \
} \
} while(0)
#define utarray_sort(a,cmp) do { \
qsort((a)->d, (a)->i, (a)->icd.sz, cmp); \
} while(0)
#define utarray_find(a,v,cmp) bsearch((v),(a)->d,(a)->i,(a)->icd.sz,cmp)
#define utarray_front(a) (((a)->i) ? (_utarray_eltptr(a,0)) : NULL)
#define utarray_next(a,e) (((e)==NULL) ? utarray_front(a) : (((a)->i != utarray_eltidx(a,e)+1) ? _utarray_eltptr(a,utarray_eltidx(a,e)+1) : NULL))
#define utarray_prev(a,e) (((e)==NULL) ? utarray_back(a) : ((utarray_eltidx(a,e) != 0) ? _utarray_eltptr(a,utarray_eltidx(a,e)-1) : NULL))
#define utarray_back(a) (((a)->i) ? (_utarray_eltptr(a,(a)->i-1)) : NULL)
#define utarray_eltidx(a,e) (((char*)(e) - (a)->d) / (a)->icd.sz)
/* last we pre-define a few icd for common utarrays of ints and strings */
static void utarray_str_cpy(void *dst, const void *src) {
char **_src = (char**)src, **_dst = (char**)dst;
*_dst = (*_src == NULL) ? NULL : strdup(*_src);
}
static void utarray_str_dtor(void *elt) {
char **eltc = (char**)elt;
if (*eltc != NULL) free(*eltc);
}
static const UT_icd ut_str_icd UTARRAY_UNUSED = {sizeof(char*),NULL,utarray_str_cpy,utarray_str_dtor};
static const UT_icd ut_int_icd UTARRAY_UNUSED = {sizeof(int),NULL,NULL,NULL};
static const UT_icd ut_ptr_icd UTARRAY_UNUSED = {sizeof(void*),NULL,NULL,NULL};
#endif /* UTARRAY_H */

27
common/include/verify_policy.h
View File

@@ -110,44 +110,39 @@ struct verify_policy
struct verify_policy_thread *work_threads[VERIFY_ARRAY_MAX]; struct verify_policy_thread *work_threads[VERIFY_ARRAY_MAX];
}; };
struct fqdn_category_entry
{
int fqdn_entry_num;
long long entry_id[MAX_TAG_ID_NUM];
long long tag_id[MAX_TAG_ID_NUM];
};
#define MERGE_SCAN_NTH 128 #define MERGE_SCAN_NTH 128
#define REQUEST_QUERY_OBJ_MAX 32
struct request_query_obj struct request_query_obj
{ {
int table_id; int table_id;
int numeric; int numeric;
int merge_nth_scan_num;
int merge_nth_scan[MERGE_SCAN_NTH];
int exclude_nth_scan[MERGE_SCAN_NTH];
char *string; char *string;
char *district; char *district;
char *attri_name; char *attri_name;
struct ipaddr *ip_addr;
char *subscriberid;
char *tunnel_type; char *tunnel_type;
int merge_nth_scan_num; struct ipaddr *ip_addr;
int exclude_nth_scan[MERGE_SCAN_NTH]; cJSON *attributes;
int merge_nth_scan[MERGE_SCAN_NTH];
cJSON* attributes;
struct fqdn_category_entry fqdn_entry;
}; };
struct verify_policy_query struct verify_policy_query
{ {
int vsys_id; int vsys_id;
int compile_table_id; int compile_table_id;
struct request_query_obj request_object[32]; struct request_query_obj request_object[REQUEST_QUERY_OBJ_MAX];
}; };
extern struct verify_policy * g_verify_proxy; extern struct verify_policy * g_verify_proxy;
int maat_table_init(struct verify_policy * verify, const char* profile_path); int verify_policy_table_init(struct verify_policy * verify, const char* profile_path);
void verify_policy_table_free(const char* profile_path);
cJSON *get_library_search_query(const char *data, ssize_t data_len); cJSON *get_library_search_query(const char *data, ssize_t data_len);
cJSON *get_verify_policy_query(const char *data, ssize_t data_len, int thread_id); cJSON *get_verify_policy_query(const char *data, ssize_t data_len, int thread_id);
void verify_reload_loglevel(); void verify_reload_loglevel();
#endif #endif

451
platform/src/verify_matcher.cpp
View File

@@ -21,6 +21,7 @@
#include <cjson/cJSON.h> #include <cjson/cJSON.h>
#include "utils.h" #include "utils.h"
#include "utarray.h"
#include "verify_policy.h" #include "verify_policy.h"
#define MAX_EX_DATA_LEN 16 #define MAX_EX_DATA_LEN 16
@@ -76,22 +77,28 @@ struct http_field_name
/** Nth_scan: Since there is no virtual table name in the request due to IP location and IP protocol, /** Nth_scan: Since there is no virtual table name in the request due to IP location and IP protocol,
* the current hit path scan count needs to be recorded to correspond to the virtual table name */ * the current hit path scan count needs to be recorded to correspond to the virtual table name */
struct ip_entry_hit_path struct library_tag_entry
{ {
int entry_num; int tag_id;
int Nth_scan_num; int category;
int category[MAX_TAG_ID_NUM]; long long entry_id;
int Nth_scan[MAX_TAG_ID_NUM];
long long entry_id[MAX_TAG_ID_NUM];
int tag_id[MAX_TAG_ID_NUM];
}; };
struct ip_data_ctx struct library_hit_path
{ {
struct ip_entry_hit_path source_entry; int table_id;
struct ip_entry_hit_path internal_entry; int entry_num;
struct ip_entry_hit_path destination_entry;
struct ip_entry_hit_path external_entry; int Nth_scan_num;
int Nth_scan[MAX_TAG_ID_NUM];
struct library_tag_entry tag[MAX_TAG_ID_NUM];
};
struct library_scan_path
{
int ut_array_cnt;
UT_array *ut_array_by_context;
}; };
struct tunnel_data_ctx struct tunnel_data_ctx
@@ -170,28 +177,19 @@ struct library_tag_ctx
struct policy_scan_ctx struct policy_scan_ctx
{ {
int thread_id;
int ip_protocol_num;
int tunnel_endpoint_x;
int bool_id_array_idx;
int tunnel_scan;
int n_read; int n_read;
int thread_id;
enum policy_action action; enum policy_action action;
char *action_para;
struct maat_state *scan_mid; struct maat_state *scan_mid;
struct maat_state *tunnel_scan_mid; struct maat_state *tunnel_scan_mid;
struct rule_data_ctx *hit_rules;
struct rule_data_ctx *enforce_rules;
size_t hit_cnt; size_t hit_cnt;
size_t n_enforce; struct rule_data_ctx *hit_rules;
long long result[MAX_SCAN_RESULT];
long long tunnel_result[2];
unsigned long long bool_id_array[256];
struct ip_data_ctx ip_ctx;
struct maat_hit_path hit_path[HIT_PATH_SIZE]; struct maat_hit_path hit_path[HIT_PATH_SIZE];
size_t n_enforce;
struct rule_data_ctx *enforce_rules;
int tunnel_attr_count;
long long result[MAX_SCAN_RESULT];
struct library_scan_path scan_path;
}; };
struct verify_policy_rt struct verify_policy_rt
@@ -222,26 +220,21 @@ struct verify_policy_rt * g_policy_rt;
#define PROTOCOL_TCP_GROUP_ID 6 #define PROTOCOL_TCP_GROUP_ID 6
#define PROTOCOL_UDP_GROUP_ID 7 #define PROTOCOL_UDP_GROUP_ID 7
void verify_policy_tunnle_add(void * pme) UT_icd ut_ulonglong_id_icd = {sizeof(struct library_hit_path), NULL, NULL, NULL};
{
struct policy_scan_ctx * ctx = (struct policy_scan_ctx *) pme;
ctx->tunnel_endpoint_x++;
}
void *policy_scan_ctx_new(unsigned int thread_id, int vsys_id, int compile_table_id) struct policy_scan_ctx *policy_scan_ctx_new(unsigned int thread_id, int vsys_id, int compile_table_id)
{ {
struct policy_scan_ctx * ctx = ALLOC(struct policy_scan_ctx, 1); struct policy_scan_ctx * ctx = ALLOC(struct policy_scan_ctx, 1);
ctx->thread_id = thread_id;; ctx->thread_id = thread_id;
utarray_new(ctx->scan_path.ut_array_by_context, &ut_ulonglong_id_icd);
ctx->scan_mid = maat_state_new(g_policy_rt->feather[vsys_id], thread_id); ctx->scan_mid = maat_state_new(g_policy_rt->feather[vsys_id], thread_id);
maat_state_set_scan_compile_table(ctx->scan_mid, g_policy_rt->compile_table_id[compile_table_id]); maat_state_set_scan_compile_table(ctx->scan_mid, g_policy_rt->compile_table_id[compile_table_id]);
return (void *)ctx; return ctx;
} }
void policy_scan_ctx_free(void * pme) void policy_scan_ctx_free(struct policy_scan_ctx * ctx)
{ {
struct policy_scan_ctx * ctx = (struct policy_scan_ctx *) pme;
if(ctx->enforce_rules) if(ctx->enforce_rules)
FREE(&ctx->enforce_rules); FREE(&ctx->enforce_rules);
@@ -256,6 +249,8 @@ void policy_scan_ctx_free(void * pme)
maat_state_free(ctx->tunnel_scan_mid); maat_state_free(ctx->tunnel_scan_mid);
ctx->tunnel_scan_mid = NULL; ctx->tunnel_scan_mid = NULL;
} }
utarray_free(ctx->scan_path.ut_array_by_context);
FREE(&ctx); FREE(&ctx);
} }
@@ -1003,74 +998,28 @@ static inline int request_in_fqdn_cat(int table_id)
} }
} }
void http_add_ip_entry_to_hit_paths(cJSON *hitPaths, int table_id, struct ip_data_ctx *ip_ctx) void add_library_entry_to_hit_paths(cJSON *hitPaths, int table_id, struct library_scan_path *ip_ctx)
{ {
int i=0;
cJSON *histObj=NULL; cJSON *histObj=NULL;
struct library_hit_path *ip_entry=NULL;
switch (table_id) while ((ip_entry=(struct library_hit_path *)utarray_next(ip_ctx->ut_array_by_context, ip_entry)) != NULL)
{ {
case TSG_OBJ_SOURCE_ADDR: if(ip_entry->table_id == table_id)
for(i=0; i < ip_ctx->source_entry.entry_num; i++) {
for(int i=0; i < ip_entry->entry_num; i++)
{ {
histObj=cJSON_CreateObject(); histObj=cJSON_CreateObject();
cJSON_AddItemToArray(hitPaths, histObj); cJSON_AddItemToArray(hitPaths, histObj);
cJSON_AddNumberToObject(histObj, "entry_id", ip_ctx->source_entry.entry_id[i]); cJSON_AddNumberToObject(histObj, "entry_id", ip_entry->tag[i].entry_id);
cJSON_AddNumberToObject(histObj, "tag_id", ip_ctx->source_entry.tag_id[i]); cJSON_AddNumberToObject(histObj, "tag_id", ip_entry->tag[i].tag_id);
} }
break;
case TSG_OBJ_INTERNAL_ADDR:
for(i=0; i < ip_ctx->internal_entry.entry_num; i++)
{
histObj=cJSON_CreateObject();
cJSON_AddItemToArray(hitPaths, histObj);
cJSON_AddNumberToObject(histObj, "entry_id", ip_ctx->internal_entry.entry_id[i]);
cJSON_AddNumberToObject(histObj, "tag_id", ip_ctx->internal_entry.tag_id[i]);
} }
break;
case TSG_OBJ_DESTINATION_ADDR:
for(i=0; i < ip_ctx->destination_entry.entry_num; i++)
{
histObj=cJSON_CreateObject();
cJSON_AddItemToArray(hitPaths, histObj);
cJSON_AddNumberToObject(histObj, "entry_id", ip_ctx->destination_entry.entry_id[i]);
cJSON_AddNumberToObject(histObj, "tag_id", ip_ctx->destination_entry.tag_id[i]);
}
break;
case TSG_OBJ_EXTERNAL_ADDR:
for(i=0; i < ip_ctx->external_entry.entry_num; i++)
{
histObj=cJSON_CreateObject();
cJSON_AddItemToArray(hitPaths, histObj);
cJSON_AddNumberToObject(histObj, "entry_id", ip_ctx->external_entry.entry_id[i]);
cJSON_AddNumberToObject(histObj, "tag_id", ip_ctx->external_entry.tag_id[i]);
}
break;
default:
break;
} }
return; return;
} }
void http_add_fqdn_entry_to_hit_paths(cJSON *hitPaths, int table_id, struct fqdn_category_entry *fqdn_entry)
{
int i=0;
cJSON *histObj=NULL;
if(!request_in_fqdn_cat(table_id))
{
return;
}
for(i=0; i<fqdn_entry->fqdn_entry_num; i++)
{
histObj=cJSON_CreateObject();
cJSON_AddItemToArray(hitPaths, histObj);
cJSON_AddNumberToObject(histObj, "entry_id", fqdn_entry->entry_id[i]);
cJSON_AddNumberToObject(histObj, "tag_id",fqdn_entry->tag_id[i]);
}
}
/*In the case of multiple hits, the hit path is append behavior to obtain the last hit path force***/ /*In the case of multiple hits, the hit path is append behavior to obtain the last hit path force***/
int http_hit_policy_match(int result_config[], int cnt, int config) int http_hit_policy_match(int result_config[], int cnt, int config)
{ {
@@ -1110,64 +1059,56 @@ int hit_rule_match_is_duplicate(struct maat_hit_path *src, struct maat_hit_path
return 0; return 0;
} }
void http_get_scan_status(struct request_query_obj *query_obj, int compile_table_id, cJSON *attributes, cJSON *data_obj, void *pme) cJSON *find_tunnel_attribute(cJSON *attributes)
{
cJSON *item=NULL, *subchild=NULL;
for (item = attributes->child; item != NULL; item = item->next)
{
subchild = cJSON_GetObjectItem(item, "attribute_name");
if(subchild && subchild->type==cJSON_String && strncasecmp(subchild->valuestring, "tunnel_endpoint_object", 22) == 0)
{
return item;
}
}
return NULL;
}
void http_get_scan_status(struct request_query_obj *query_obj, int compile_table_id, cJSON *attributes, cJSON *data_obj, struct policy_scan_ctx * ctx)
{ {
int i=0, j=0, result_cnt=0; int i=0, j=0, result_cnt=0;
struct maat_hit_path result_hit_path[MAX_SCAN_RESULT]={0}; struct maat_hit_path result_hit_path[MAX_SCAN_RESULT]={0};
cJSON *attributeObj=NULL,*hitPaths=NULL; cJSON *attributeObj=NULL;
cJSON *item = NULL;
struct policy_scan_ctx * ctx = (struct policy_scan_ctx *) pme;
attributeObj=query_obj->attributes; attributeObj=query_obj->attributes;
if(query_obj->table_id == TSG_OBJ_TUNNEL)
if(ctx->tunnel_endpoint_x == 2)
{
/*temp repair**/
if (ctx->tunnel_scan ==2 && ctx->tunnel_result[0] == 1 && ctx->tunnel_result[1] == 0)
{
item = cJSON_GetObjectItem(attributeObj, "attribute_name");
if(item && item->type==cJSON_String)
{
if(0 == strcasecmp(item->valuestring, "tunnel_endpointa"))
{ {
cJSON_Delete(attributeObj); cJSON_Delete(attributeObj);
return; attributeObj=NULL;
}
}
}
else
{
item = cJSON_GetObjectItem(attributeObj, "attribute_name");
if(item && item->type==cJSON_String)
{
if(0 == strcasecmp(item->valuestring, "tunnel_endpointa"))
{
cJSON_Delete(attributeObj);
return;
}
}
}
}
if(compile_table_id == TSG_TABLE_SECURITY && query_obj->table_id == TSG_OBJ_TUNNEL) attributeObj = find_tunnel_attribute(attributes);
if(attributeObj == NULL)
{ {
cJSON_DeleteItemFromObject(attributeObj, "attribute_name"); attributeObj = cJSON_CreateObject();
cJSON_AddStringToObject(attributeObj, "attribute_type", "ip");
cJSON_AddStringToObject(attributeObj, "table_name", "ATTR_TUNNEL");
cJSON_AddStringToObject(attributeObj, "attribute_name", "tunnel_endpoint_object"); cJSON_AddStringToObject(attributeObj, "attribute_name", "tunnel_endpoint_object");
cJSON_DeleteItemFromObject(attributeObj, "attribute_value");
} }
cJSON_AddItemToArray(attributes, attributeObj); }
/*If the request contains "hit_paths:null", it needs to be removed*/ cJSON* hitPaths = cJSON_GetObjectItem(attributeObj, "hit_paths");
hitPaths = cJSON_GetObjectItem(attributeObj, "hit_paths"); if(hitPaths != NULL && hitPaths->type != cJSON_Array)
if(hitPaths != NULL)
{ {
cJSON_DeleteItemFromObject(attributeObj, "hit_paths"); cJSON_DeleteItemFromObject(attributeObj, "hit_paths");
hitPaths=NULL;
} }
hitPaths=cJSON_CreateArray(); if (hitPaths == NULL)
{
cJSON_AddItemToArray(attributes, attributeObj);
hitPaths = cJSON_CreateArray();
cJSON_AddItemToObject(attributeObj, "hit_paths", hitPaths); cJSON_AddItemToObject(attributeObj, "hit_paths", hitPaths);
}
http_add_ip_entry_to_hit_paths(hitPaths, query_obj->table_id, &ctx->ip_ctx); add_library_entry_to_hit_paths(hitPaths, query_obj->table_id, &ctx->scan_path);
http_add_fqdn_entry_to_hit_paths(hitPaths, query_obj->table_id, &query_obj->fqdn_entry);
cJSON *histObj=NULL; cJSON *histObj=NULL;
for(i=0; i< ctx->n_read; i++) for(i=0; i< ctx->n_read; i++)
@@ -1211,61 +1152,59 @@ int policy_verify_regex_expression(const char *expression)
return maat_helper_verify_regex_expression(expression); return maat_helper_verify_regex_expression(expression);
} }
int get_attributes_table_name(struct request_query_obj *request, struct ip_data_ctx *ip_ctx, int attribute_num, int Nth_scan, int top_group_id, cJSON *topObject) int get_ip_addr_table_name(struct library_scan_path *ip_ctx, int Nth_scan, int top_group_id, cJSON *topObject)
{
const char * table_name[__TSG_OBJ_MAX] = {0};
table_name[TSG_OBJ_SOURCE_ADDR] = "ATTR_SOURCE_IP";
table_name[TSG_OBJ_DESTINATION_ADDR] = "ATTR_DESTINATION_IP";
table_name[TSG_OBJ_INTERNAL_ADDR]="ATTR_INTERNAL_IP";
table_name[TSG_OBJ_EXTERNAL_ADDR]="ATTR_EXTERNAL_IP";
struct library_hit_path *ip_entry=NULL;
while ((ip_entry=(struct library_hit_path *)utarray_next(ip_ctx->ut_array_by_context, ip_entry)) != NULL)
{
for(int i = 0; i < ip_entry->Nth_scan_num; i++)
{
if(ip_entry->Nth_scan[i] == Nth_scan)
{
cJSON_AddNumberToObject(topObject, "tag_id", top_group_id);
cJSON_AddStringToObject(topObject, "table_name", table_name[ip_entry->table_id]);
return 1;
}
}
}
return 0;
}
const char *get_library_virtual_table_name(int table_id)
{
const char * table_name[__TSG_OBJ_MAX] = {0};
table_name[TSG_OBJ_SOURCE_ADDR] = "ATTR_SOURCE_IP";
table_name[TSG_OBJ_DESTINATION_ADDR] = "ATTR_DESTINATION_IP";
table_name[TSG_OBJ_INTERNAL_ADDR]="ATTR_INTERNAL_IP";
table_name[TSG_OBJ_EXTERNAL_ADDR]="ATTR_EXTERNAL_IP";
table_name[TSG_OBJ_SSL_CN]="ATTR_SERVER_FQDN";
table_name[TSG_OBJ_SSL_SAN]="ATTR_SERVER_FQDN";
table_name[TSG_OBJ_DNS_QNAME]="ATTR_SERVER_FQDN";
table_name[TSG_OBJ_DOH_QNAME]="ATTR_SERVER_FQDN";
table_name[TSG_OBJ_DST_SERVER_FQDN]="ATTR_SERVER_FQDN";
return table_name[table_id];
}
int add_table_name_ToObject(struct request_query_obj *request, struct library_scan_path *ip_ctx, int attribute_num, int Nth_scan, int top_group_id, cJSON *topObject)
{ {
int i=0, j=0; int i=0, j=0;
cJSON *attributeObj=NULL, *subchild=NULL; cJSON *attributeObj=NULL, *subchild=NULL;
/* set soruce entry table name **/ struct library_hit_path *ip_entry=NULL;
for(i = 0; i < ip_ctx->source_entry.Nth_scan_num; i++) while ((ip_entry=(struct library_hit_path *)utarray_next(ip_ctx->ut_array_by_context, ip_entry)) != NULL)
{ {
if(ip_ctx->source_entry.Nth_scan[i] == Nth_scan) for(int i = 0; i < ip_entry->Nth_scan_num; i++)
{
if(ip_entry->Nth_scan[i] == Nth_scan)
{ {
cJSON_AddNumberToObject(topObject, "tag_id", top_group_id); cJSON_AddNumberToObject(topObject, "tag_id", top_group_id);
cJSON_AddStringToObject(topObject, "table_name", "ATTR_SOURCE_IP"); cJSON_AddStringToObject(topObject, "table_name", get_library_virtual_table_name(ip_entry->table_id));
goto finish;
}
}
/* set internal entry table name **/
for(i = 0; i < ip_ctx->internal_entry.Nth_scan_num; i++)
{
if(ip_ctx->internal_entry.Nth_scan[i] == Nth_scan)
{
cJSON_AddNumberToObject(topObject, "tag_id", top_group_id);
cJSON_AddStringToObject(topObject, "table_name", "ATTR_INTERNAL_IP");
goto finish;
}
}
/* set destination entry table name **/
for(i = 0; i < ip_ctx->destination_entry.Nth_scan_num; i++)
{
if(ip_ctx->destination_entry.Nth_scan[i] == Nth_scan)
{
cJSON_AddNumberToObject(topObject, "tag_id", top_group_id);
cJSON_AddStringToObject(topObject, "table_name", "ATTR_DESTINATION_IP");
goto finish;
}
}
/* set external entry table name **/
for(i = 0; i < ip_ctx->external_entry.Nth_scan_num; i++)
{
if(ip_ctx->external_entry.Nth_scan[i] == Nth_scan)
{
cJSON_AddNumberToObject(topObject, "tag_id", top_group_id);
cJSON_AddStringToObject(topObject, "table_name", "ATTR_EXTERNAL_IP");
goto finish;
}
}
/*set fqdn entry table name*/
for(i = 0; i<attribute_num; i++)
{
for(j=0; j<request[i].fqdn_entry.fqdn_entry_num; j++)
{
if(top_group_id == request[i].fqdn_entry.tag_id[j])
{
cJSON_AddNumberToObject(topObject, "tag_id", top_group_id);
cJSON_AddStringToObject(topObject, "table_name", "ATTR_SERVER_FQDN");
goto finish; goto finish;
} }
} }
@@ -1292,7 +1231,7 @@ finish:
return 0; return 0;
} }
int http_hit_policy_list(struct verify_policy_query *verify_policy, int attribute_num, size_t hit_cnt, cJSON *data_obj, void *pme) int http_hit_policy_list(struct verify_policy_query *verify_policy, int attribute_num, size_t hit_cnt, cJSON *data_obj, struct policy_scan_ctx * ctx)
{ {
bool succeeded = false; bool succeeded = false;
size_t rules=0, i=0,j=0; size_t rules=0, i=0,j=0;
@@ -1301,8 +1240,6 @@ int http_hit_policy_list(struct verify_policy_query *verify_policy, int attribut
int vsys_id = verify_policy->vsys_id; int vsys_id = verify_policy->vsys_id;
int compile_table_id = verify_policy->compile_table_id; int compile_table_id = verify_policy->compile_table_id;
struct policy_scan_ctx * ctx = (struct policy_scan_ctx *) pme;
hit_cnt = ctx->hit_cnt; hit_cnt = ctx->hit_cnt;
if (hit_cnt <= 0) if (hit_cnt <= 0)
{ {
@@ -1362,7 +1299,7 @@ int http_hit_policy_list(struct verify_policy_query *verify_policy, int attribut
result_cnt++; result_cnt++;
} }
topObject=cJSON_CreateObject(); topObject=cJSON_CreateObject();
get_attributes_table_name(verify_policy->request_object, &ctx->ip_ctx, attribute_num, ctx->hit_path[j].Nth_scan, ctx->hit_path[j].top_group_id, topObject); add_table_name_ToObject(verify_policy->request_object, &ctx->scan_path, attribute_num, ctx->hit_path[j].Nth_scan, ctx->hit_path[j].top_group_id, topObject);
cJSON_AddNumberToObject(topObject, "not_flag", ctx->hit_path[j].NOT_flag); cJSON_AddNumberToObject(topObject, "not_flag", ctx->hit_path[j].NOT_flag);
cJSON_AddNumberToObject(topObject, "nth_clause", ctx->hit_path[j].clause_index); cJSON_AddNumberToObject(topObject, "nth_clause", ctx->hit_path[j].clause_index);
cJSON_AddItemToArray(topObjectList, topObject); cJSON_AddItemToArray(topObjectList, topObject);
@@ -1493,8 +1430,8 @@ int ip_entry_scan(struct request_query_obj *request, struct policy_scan_ctx *ctx
int scan_ret=0, hit_cnt_ip=0; int scan_ret=0, hit_cnt_ip=0;
struct maat_hit_group hit_group; struct maat_hit_group hit_group;
struct maat_hit_path hit_path[HIT_PATH_SIZE]; struct maat_hit_path hit_path[HIT_PATH_SIZE];
struct library_entry_ctx *source_entry_ctx[MAX_EX_DATA_LEN]={0}; struct library_entry_ctx *source_ip_entry[MAX_EX_DATA_LEN]={0};
struct library_entry_ctx *destination_entry_ctx[MAX_EX_DATA_LEN]={0}; struct library_entry_ctx *destination_ip_entry[MAX_EX_DATA_LEN]={0};
if(!g_policy_rt->load_ip_location) if(!g_policy_rt->load_ip_location)
{ {
@@ -1505,22 +1442,25 @@ int ip_entry_scan(struct request_query_obj *request, struct policy_scan_ctx *ctx
ip_addr_to_address(request->ip_addr, &dip, &sip); ip_addr_to_address(request->ip_addr, &dip, &sip);
memset(hit_path, 0, sizeof(struct maat_hit_path)*HIT_PATH_SIZE); memset(hit_path, 0, sizeof(struct maat_hit_path)*HIT_PATH_SIZE);
int ret1 = maat_ip_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[PROFILE_IP_ADDR_ENTRY], &sip, (void **)&source_entry_ctx, MAX_EX_DATA_LEN); int ret1 = maat_ip_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[PROFILE_IP_ADDR_ENTRY], &sip, (void **)&source_ip_entry, MAX_EX_DATA_LEN);
int ret2 = maat_ip_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[PROFILE_IP_ADDR_ENTRY], &dip, (void **)&destination_entry_ctx, MAX_EX_DATA_LEN); int ret2 = maat_ip_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[PROFILE_IP_ADDR_ENTRY], &dip, (void **)&destination_ip_entry, MAX_EX_DATA_LEN);
struct library_hit_path ip_entry;
memset(&ip_entry, 0, sizeof(ip_entry));
if(ret1 > 0) if(ret1 > 0)
{ {
for(int i=0; i < ret1 && i < MAX_EX_DATA_LEN; i++) for(int i=0; i < ret1 && i < MAX_EX_DATA_LEN; i++)
{ {
if(source_entry_ctx[i] == NULL) if(source_ip_entry[i] == NULL)
{ {
continue; continue;
} }
for(int tag_id=0; tag_id<source_entry_ctx[i]->n_tag_ids; tag_id++) for(int tag_id=0; tag_id<source_ip_entry[i]->n_tag_ids; tag_id++)
{ {
memset(&hit_group, 0, sizeof(hit_group)); memset(&hit_group, 0, sizeof(hit_group));
hit_group.group_id=source_entry_ctx[i]->tag_id_array[tag_id]; hit_group.group_id=source_ip_entry[i]->tag_id_array[tag_id];
if(hit_group.group_id <= 0) if(hit_group.group_id <= 0)
{ {
continue; continue;
@@ -1532,16 +1472,20 @@ int ip_entry_scan(struct request_query_obj *request, struct policy_scan_ctx *ctx
hit_cnt_ip+=scan_ret; hit_cnt_ip+=scan_ret;
} }
struct ip_entry_hit_path *entry_hit_path = (request->table_id == TSG_OBJ_SOURCE_ADDR) ? &ctx->ip_ctx.source_entry : &ctx->ip_ctx.internal_entry; ip_entry.table_id = request->table_id;
entry_hit_path->entry_id[entry_hit_path->entry_num]=source_entry_ctx[i]->entry_id; ip_entry.tag[ip_entry.entry_num].entry_id = source_ip_entry[i]->entry_id;
entry_hit_path->tag_id[entry_hit_path->entry_num]=source_entry_ctx[i]->tag_id_array[tag_id]; ip_entry.tag[ip_entry.entry_num].tag_id=source_ip_entry[i]->tag_id_array[tag_id];
entry_hit_path->category[entry_hit_path->entry_num]= get_library_tag_category(source_entry_ctx[i]->tag_id_array[tag_id], vsys_id); ip_entry.tag[ip_entry.entry_num].category = get_library_tag_category(source_ip_entry[i]->tag_id_array[tag_id], vsys_id);
entry_hit_path->entry_num++; ip_entry.entry_num++;
ctx->n_read=maat_state_get_hit_paths(ctx->scan_mid, hit_path, HIT_PATH_SIZE); ctx->n_read=maat_state_get_hit_paths(ctx->scan_mid, hit_path, HIT_PATH_SIZE);
entry_hit_path->Nth_scan[entry_hit_path->Nth_scan_num++] = maat_state_get_scan_count(ctx->scan_mid); ip_entry.Nth_scan[ip_entry.Nth_scan_num++] = maat_state_get_scan_count(ctx->scan_mid);
} }
library_entry_free(source_entry_ctx[i]); library_entry_free(source_ip_entry[i]);
}
if(ip_entry.entry_num > 0)
{
utarray_push_back(ctx->scan_path.ut_array_by_context, &ip_entry);
} }
} }
@@ -1549,15 +1493,15 @@ int ip_entry_scan(struct request_query_obj *request, struct policy_scan_ctx *ctx
{ {
for(int i=0; i < ret2 && i < MAX_EX_DATA_LEN; i++) for(int i=0; i < ret2 && i < MAX_EX_DATA_LEN; i++)
{ {
if(destination_entry_ctx[i] == NULL) if(destination_ip_entry[i] == NULL)
{ {
continue; continue;
} }
for(int tag_id=0; tag_id<destination_entry_ctx[i]->n_tag_ids; tag_id++) for(int tag_id=0; tag_id<destination_ip_entry[i]->n_tag_ids; tag_id++)
{ {
memset(&hit_group, 0, sizeof(hit_group)); memset(&hit_group, 0, sizeof(hit_group));
hit_group.group_id=destination_entry_ctx[i]->tag_id_array[tag_id]; hit_group.group_id=destination_ip_entry[i]->tag_id_array[tag_id];
if(hit_group.group_id <= 0) if(hit_group.group_id <= 0)
{ {
continue; continue;
@@ -1569,16 +1513,20 @@ int ip_entry_scan(struct request_query_obj *request, struct policy_scan_ctx *ctx
hit_cnt_ip+=scan_ret; hit_cnt_ip+=scan_ret;
} }
struct ip_entry_hit_path *entry_hit_path = (request->table_id == TSG_OBJ_DESTINATION_ADDR) ? &ctx->ip_ctx.destination_entry : &ctx->ip_ctx.external_entry; ip_entry.table_id = request->table_id;
entry_hit_path->entry_id[entry_hit_path->entry_num]=destination_entry_ctx[i]->entry_id; ip_entry.tag[ip_entry.entry_num].entry_id = destination_ip_entry[i]->entry_id;
entry_hit_path->tag_id[entry_hit_path->entry_num]=destination_entry_ctx[i]->tag_id_array[tag_id]; ip_entry.tag[ip_entry.entry_num].tag_id=destination_ip_entry[i]->tag_id_array[tag_id];
entry_hit_path->category[entry_hit_path->entry_num]= get_library_tag_category(destination_entry_ctx[i]->tag_id_array[tag_id], vsys_id); ip_entry.tag[ip_entry.entry_num].category = get_library_tag_category(destination_ip_entry[i]->tag_id_array[tag_id], vsys_id);
entry_hit_path->entry_num++; ip_entry.entry_num++;
ctx->n_read=maat_state_get_hit_paths(ctx->scan_mid, hit_path, HIT_PATH_SIZE); ctx->n_read=maat_state_get_hit_paths(ctx->scan_mid, hit_path, HIT_PATH_SIZE);
entry_hit_path->Nth_scan[entry_hit_path->Nth_scan_num++] = maat_state_get_scan_count(ctx->scan_mid); ip_entry.Nth_scan[ip_entry.Nth_scan_num++] = maat_state_get_scan_count(ctx->scan_mid);
} }
library_entry_free(destination_entry_ctx[i]); library_entry_free(destination_ip_entry[i]);
}
if(ip_entry.entry_num > 0)
{
utarray_push_back(ctx->scan_path.ut_array_by_context, &ip_entry);
} }
} }
@@ -1589,7 +1537,7 @@ int get_fqdn_category_id(struct request_query_obj *request, struct policy_scan_c
{ {
size_t n_read=0, n_hit_result=0; size_t n_read=0, n_hit_result=0;
int hit_path_cnt=0; int hit_path_cnt=0;
int i=0, j=0, ret=0, hit_cnt_fqdn=0; int ret=0, hit_cnt_fqdn=0;
enum category_type category=CATEGORY_TYPE_UNKNOWN; enum category_type category=CATEGORY_TYPE_UNKNOWN;
struct library_entry_ctx *fqdn_entry_ctx[MAX_EX_DATA_LEN]={0}; struct library_entry_ctx *fqdn_entry_ctx[MAX_EX_DATA_LEN]={0};
@@ -1598,8 +1546,11 @@ int get_fqdn_category_id(struct request_query_obj *request, struct policy_scan_c
return 0; return 0;
} }
struct library_hit_path fqdn_entry;
memset(&fqdn_entry, 0, sizeof(fqdn_entry));
ret=maat_fqdn_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[PROFILE_FQDN_ENTRY], fqdn, (void **)fqdn_entry_ctx, MAX_EX_DATA_LEN); ret=maat_fqdn_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[PROFILE_FQDN_ENTRY], fqdn, (void **)fqdn_entry_ctx, MAX_EX_DATA_LEN);
for(i=0; i < ret && i < MAX_EX_DATA_LEN; i++) for(int i=0; i < ret && i < MAX_EX_DATA_LEN; i++)
{ {
if(fqdn_entry_ctx[i] == NULL) if(fqdn_entry_ctx[i] == NULL)
{ {
@@ -1613,22 +1564,20 @@ int get_fqdn_category_id(struct request_query_obj *request, struct policy_scan_c
{ {
continue; continue;
} }
request->fqdn_entry.entry_id[j] = fqdn_entry_ctx[i]->entry_id; fqdn_entry.table_id = request->table_id;
request->fqdn_entry.tag_id[j] = fqdn_entry_ctx[i]->tag_id_array[tag_id]; fqdn_entry.tag[fqdn_entry.entry_num].entry_id = fqdn_entry_ctx[i]->entry_id;
j++; fqdn_entry.tag[fqdn_entry.entry_num].tag_id=fqdn_entry_ctx[i]->tag_id_array[tag_id];
fqdn_entry.entry_num++;
} }
library_entry_free(fqdn_entry_ctx[i]); library_entry_free(fqdn_entry_ctx[i]);
} }
request->fqdn_entry.fqdn_entry_num = j< MAX_EX_DATA_LEN ? j : MAX_EX_DATA_LEN;
struct maat_hit_group hit_group; struct maat_hit_group hit_group;
for(int i=0; i<fqdn_entry.entry_num; i++)
if(request->fqdn_entry.fqdn_entry_num > 0)
{
for(i=0; i<request->fqdn_entry.fqdn_entry_num; i++)
{ {
memset(&hit_group, 0, sizeof(hit_group)); memset(&hit_group, 0, sizeof(hit_group));
hit_group.group_id=request->fqdn_entry.tag_id[i]; hit_group.group_id=fqdn_entry.tag[i].tag_id;
ret=maat_scan_group(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], &hit_group, 1, ret=maat_scan_group(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], &hit_group, 1,
ctx->result+hit_cnt+hit_cnt_fqdn, MAX_SCAN_RESULT-hit_cnt-hit_cnt_fqdn, &n_hit_result, ctx->scan_mid); ctx->result+hit_cnt+hit_cnt_fqdn, MAX_SCAN_RESULT-hit_cnt-hit_cnt_fqdn, &n_hit_result, ctx->scan_mid);
if(ret == MAAT_SCAN_HIT) if(ret == MAAT_SCAN_HIT)
@@ -1644,12 +1593,17 @@ int get_fqdn_category_id(struct request_query_obj *request, struct policy_scan_c
n_read=maat_state_get_hit_paths(ctx->scan_mid, ctx->hit_path, HIT_PATH_SIZE); n_read=maat_state_get_hit_paths(ctx->scan_mid, ctx->hit_path, HIT_PATH_SIZE);
if(ret >= MAAT_SCAN_OK) if(ret >= MAAT_SCAN_OK)
{ {
request->merge_nth_scan[hit_path_cnt] = maat_state_get_scan_count(ctx->scan_mid);; request->merge_nth_scan[hit_path_cnt] = maat_state_get_scan_count(ctx->scan_mid);
fqdn_entry.Nth_scan[fqdn_entry.Nth_scan_num++] = request->merge_nth_scan[hit_path_cnt];
request->exclude_nth_scan[hit_path_cnt] = 1; request->exclude_nth_scan[hit_path_cnt] = 1;
ctx->n_read=n_read; ctx->n_read=n_read;
hit_path_cnt++; hit_path_cnt++;
} }
} }
if(fqdn_entry.entry_num > 0)
{
utarray_push_back(ctx->scan_path.ut_array_by_context, &fqdn_entry);
} }
request->merge_nth_scan_num = hit_path_cnt; request->merge_nth_scan_num = hit_path_cnt;
return hit_cnt_fqdn; return hit_cnt_fqdn;
@@ -1770,7 +1724,7 @@ int tunnel_scan(struct request_query_obj *request, struct policy_scan_ctx *ctx,
hit_group.group_id=result[i]; hit_group.group_id=result[i];
if(hit_group.group_id != 0) if(hit_group.group_id != 0)
{ {
if(ctx->tunnel_endpoint_x == 2 && ctx->tunnel_scan == 0) if(ctx->tunnel_attr_count == 2)
{ {
logic=0; logic=0;
} }
@@ -1782,7 +1736,6 @@ int tunnel_scan(struct request_query_obj *request, struct policy_scan_ctx *ctx,
} }
if(scan_ret >= MAAT_SCAN_OK) if(scan_ret >= MAAT_SCAN_OK)
{ {
ctx->tunnel_result[ctx->tunnel_scan]=1;
n_read=maat_state_get_hit_paths(ctx->scan_mid, ctx->hit_path, HIT_PATH_SIZE); n_read=maat_state_get_hit_paths(ctx->scan_mid, ctx->hit_path, HIT_PATH_SIZE);
request->merge_nth_scan[hit_path_cnt] = maat_state_get_scan_count(ctx->scan_mid); request->merge_nth_scan[hit_path_cnt] = maat_state_get_scan_count(ctx->scan_mid);
ctx->n_read=n_read; ctx->n_read=n_read;
@@ -1790,7 +1743,7 @@ int tunnel_scan(struct request_query_obj *request, struct policy_scan_ctx *ctx,
} }
} }
} }
if(logic) if(logic && scan_ret >= MAAT_SCAN_OK)
{ {
scan_ret = maat_scan_not_logic(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[TSG_OBJ_TUNNEL], ctx->result+hit_cnt+hit_cnt_group, scan_ret = maat_scan_not_logic(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[TSG_OBJ_TUNNEL], ctx->result+hit_cnt+hit_cnt_group,
MAX_SCAN_RESULT-hit_cnt-hit_cnt_group, &n_hit_result, ctx->scan_mid); MAX_SCAN_RESULT-hit_cnt-hit_cnt_group, &n_hit_result, ctx->scan_mid);
@@ -1799,8 +1752,7 @@ int tunnel_scan(struct request_query_obj *request, struct policy_scan_ctx *ctx,
hit_cnt_tunnel+=n_hit_result; hit_cnt_tunnel+=n_hit_result;
} }
} }
ctx->tunnel_attr_count--;
ctx->tunnel_scan++;
request->merge_nth_scan_num = hit_path_cnt; request->merge_nth_scan_num = hit_path_cnt;
finish: finish:
return hit_cnt_tunnel; return hit_cnt_tunnel;
@@ -1928,7 +1880,7 @@ static int protocol_scan(struct request_query_obj *request, struct policy_scan_c
memset(&hit_group, 0, sizeof(hit_group)); memset(&hit_group, 0, sizeof(hit_group));
hit_group.group_id=get_group_id_by_protocol(request->numeric); hit_group.group_id=get_group_id_by_protocol(request->numeric);
if(hit_group.group_id != 0 && ctx->ip_protocol_num == 0) if(hit_group.group_id != 0)
{ {
scan_ret = group_scan(ctx, vsys_id, hit_cnt, hit_group, TSG_OBJ_IP_PROTOCOL, 1); scan_ret = group_scan(ctx, vsys_id, hit_cnt, hit_group, TSG_OBJ_IP_PROTOCOL, 1);
if(scan_ret > 0) if(scan_ret > 0)
@@ -2075,12 +2027,10 @@ static int port_scan(struct request_query_obj *request, struct policy_scan_ctx *
return hit_cnt_port; return hit_cnt_port;
} }
size_t policy_verify_scan(int vsys_id, int compile_table_id, struct request_query_obj *request, void *pme) size_t policy_verify_scan(int vsys_id, int compile_table_id, struct request_query_obj *request, struct policy_scan_ctx * ctx)
{ {
size_t n_hit_result=0; size_t n_hit_result=0;
int scan_ret=0, n_read; int scan_ret=0, n_read;
struct policy_scan_ctx * ctx = (struct policy_scan_ctx *) pme;
size_t hit_cnt = ctx->hit_cnt; size_t hit_cnt = ctx->hit_cnt;
int table_id = request->table_id; int table_id = request->table_id;
@@ -2323,6 +2273,7 @@ cJSON *get_library_search_query(const char *data, ssize_t data_len)
int vsys_id = http_get_int_param(http_request, "vsys_id"); int vsys_id = http_get_int_param(http_request, "vsys_id");
if(vsys_id < 0) if(vsys_id < 0)
{ {
cJSON_Delete(http_request);
log_fatal(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "invalid vsys_id"); log_fatal(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "invalid vsys_id");
return NULL; return NULL;
} }
@@ -2349,6 +2300,8 @@ cJSON *get_library_search_query(const char *data, ssize_t data_len)
{ {
cJSON_AddBoolToObject(http_respone, "success", false); cJSON_AddBoolToObject(http_respone, "success", false);
} }
cJSON_Delete(http_request);
return http_respone; return http_respone;
} }
@@ -2699,7 +2652,7 @@ static int get_query_result_regex(cJSON *verifylist_array_item, cJSON *http_body
return 1; return 1;
} }
static void get_count_form_attributeName(void *ctx, cJSON *subchild) static void get_count_form_attributeName(struct policy_scan_ctx *ctx, cJSON *subchild)
{ {
cJSON *item = NULL; cJSON *item = NULL;
@@ -2708,11 +2661,11 @@ static void get_count_form_attributeName(void *ctx, cJSON *subchild)
{ {
if(0 == strcasecmp(item->valuestring, "tunnel_endpointa")) if(0 == strcasecmp(item->valuestring, "tunnel_endpointa"))
{ {
verify_policy_tunnle_add(ctx); ctx->tunnel_attr_count++;
} }
if(0 == strcasecmp(item->valuestring, "tunnel_endpointb")) if(0 == strcasecmp(item->valuestring, "tunnel_endpointb"))
{ {
verify_policy_tunnle_add(ctx); ctx->tunnel_attr_count++;
} }
} }
return; return;
@@ -2753,7 +2706,7 @@ int get_query_result_policy(cJSON *verifylist_array_item, cJSON *http_body, int
attributes = cJSON_GetObjectItem(item,"attributes"); attributes = cJSON_GetObjectItem(item,"attributes");
if(attributes && attributes->type==cJSON_Array) if(attributes && attributes->type==cJSON_Array)
{ {
void *ctx = policy_scan_ctx_new(thread_id, verify_policy->vsys_id, verify_policy->compile_table_id); struct policy_scan_ctx *ctx = policy_scan_ctx_new(thread_id, verify_policy->vsys_id, verify_policy->compile_table_id);
for (subchild = attributes->child; subchild != NULL; subchild = subchild->next) for (subchild = attributes->child; subchild != NULL; subchild = subchild->next)
{ {
@@ -3059,7 +3012,7 @@ void verify_reload_loglevel()
} }
} }
int maat_table_init(struct verify_policy * verify, const char* profile_path) int verify_policy_table_init(struct verify_policy * verify, const char* profile_path)
{ {
int ret = -1; int vsys_id=0; int ret = -1; int vsys_id=0;
int load_vsys_num=0, load_start_vsys=0; int load_vsys_num=0, load_start_vsys=0;
@@ -3152,3 +3105,25 @@ error_out:
return ret; return ret;
} }
void verify_policy_table_free(const char* profile_path)
{
int load_vsys_num=0, load_start_vsys=0;
MESA_load_profile_int_def(profile_path, "MAAT", "load_vsys_num", &(load_vsys_num), 255);
MESA_load_profile_int_def(profile_path, "MAAT", "load_start_vsys", &(load_start_vsys), 0);
load_vsys_num = load_vsys_num > VSYS_ID_MAX ? VSYS_ID_MAX : load_vsys_num;
load_start_vsys = load_start_vsys > load_vsys_num ? 0 : load_start_vsys;
for(int vsys_id=load_start_vsys; vsys_id < load_vsys_num; vsys_id++)
{
if(g_policy_rt->feather[vsys_id])
{
/*Deleting maat handles can be problematic*/
//maat_free(g_policy_rt->feather[vsys_id]);
}
}
FREE(&g_policy_rt);
return;
}

2
platform/src/verify_policy.cpp
View File

@@ -539,7 +539,7 @@ int main(int argc, char * argv[])
CHECK_OR_EXIT(ret == 0, "Failed at loading profile %s, Exit.", main_profile); CHECK_OR_EXIT(ret == 0, "Failed at loading profile %s, Exit.", main_profile);
clock_gettime(CLOCK_REALTIME, &(start_time)); clock_gettime(CLOCK_REALTIME, &(start_time));
ret = maat_table_init(g_verify_proxy, main_profile); ret = verify_policy_table_init(g_verify_proxy, main_profile);
CHECK_OR_EXIT(ret == 0, "Failed at init maat module, Exit."); CHECK_OR_EXIT(ret == 0, "Failed at init maat module, Exit.");
clock_gettime(CLOCK_REALTIME, &(end_time)); clock_gettime(CLOCK_REALTIME, &(end_time));

10
test/CMakeLists.txt
View File

@@ -8,7 +8,9 @@ set(CMAKE_BUILD_DIR ${CMAKE_SOURCE_DIR}/build)
set(TEST_RUN_DIR ${CMAKE_BUILD_DIR}/test) set(TEST_RUN_DIR ${CMAKE_BUILD_DIR}/test)
file(COPY ${CMAKE_SOURCE_DIR}/resource DESTINATION ${TEST_RUN_DIR}) file(COPY ${CMAKE_SOURCE_DIR}/resource DESTINATION ${TEST_RUN_DIR})
file(COPY ${CMAKE_SOURCE_DIR}/conf DESTINATION ${TEST_RUN_DIR}) file(COPY ${CMAKE_SOURCE_DIR}/conf DESTINATION ${TEST_RUN_DIR})
file(COPY ${CMAKE_SOURCE_DIR}/test/resource/VerifyPolicyHit.json DESTINATION ${TEST_RUN_DIR}/resource)
file(COPY ${CMAKE_SOURCE_DIR}/test/resource/VerifyPolicyManipulation.json DESTINATION ${TEST_RUN_DIR}/resource)
file(COPY ${CMAKE_SOURCE_DIR}/test/resource/VerifyPolicyTunnel.json DESTINATION ${TEST_RUN_DIR}/resource)
file(COPY ${CMAKE_SOURCE_DIR}/test/resource/HitPolicyResult.json DESTINATION ${TEST_RUN_DIR}/resource) file(COPY ${CMAKE_SOURCE_DIR}/test/resource/HitPolicyResult.json DESTINATION ${TEST_RUN_DIR}/resource)
file(COPY ${CMAKE_SOURCE_DIR}/test/resource/HitPolicyRequest.json DESTINATION ${TEST_RUN_DIR}/resource) file(COPY ${CMAKE_SOURCE_DIR}/test/resource/HitPolicyRequest.json DESTINATION ${TEST_RUN_DIR}/resource)
@@ -16,4 +18,8 @@ add_test(NAME UPDATE_MAAT_MODE COMMAND bash -c "sed -i 's/maat_input_mode=1/maa
add_test(NAME UPDATE_LOG_LEVEL COMMAND bash -c "sed -i 's/log_level=5/log_level=1/' ${TEST_RUN_DIR}/conf/verify_policy.conf") add_test(NAME UPDATE_LOG_LEVEL COMMAND bash -c "sed -i 's/log_level=5/log_level=1/' ${TEST_RUN_DIR}/conf/verify_policy.conf")
add_test(NAME UPDATE_VSYS_NUM COMMAND bash -c "sed -i '32i load_vsys_num=2' ${TEST_RUN_DIR}/conf/verify_policy.conf") add_test(NAME UPDATE_VSYS_NUM COMMAND bash -c "sed -i '32i load_vsys_num=2' ${TEST_RUN_DIR}/conf/verify_policy.conf")
add_test(NAME UPDATE_START_VSYS COMMAND bash -c "sed -i '33i load_start_vsys=1' ${TEST_RUN_DIR}/conf/verify_policy.conf") add_test(NAME UPDATE_START_VSYS COMMAND bash -c "sed -i '33i load_start_vsys=1' ${TEST_RUN_DIR}/conf/verify_policy.conf")
add_test(NAME UPDATE_JSON_FILE COMMAND bash -c "sed -i 's/json_cfg_file=\\.\\/resource\\/verify-policy\\.json/json_cfg_file=\\.\\/resource\\/VerifyPolicyHit\\.json/' ${TEST_RUN_DIR}/conf/verify_policy.conf") add_test(NAME UPDATE_JSON_FILE COMMAND bash -c "sed -i 's/json_cfg_file=\\.\\/resource\\/verify-policy\\.json/json_cfg_file=\\.\\/resource\\/VerifyPolicyManipulation\\.json/' ${TEST_RUN_DIR}/conf/verify_policy.conf")
add_test(NAME COPY_CONF COMMAND sh -c "cp ${TEST_RUN_DIR}/conf/verify_policy.conf ${TEST_RUN_DIR}/conf/verify_policy2.conf")
add_test(NAME UPDATE_JSON_FILE2 COMMAND bash -c "sed -i 's/json_cfg_file=\\.\\/resource\\/VerifyPolicyManipulation\\.json/json_cfg_file=\\.\\/resource\\/VerifyPolicyTunnel\\.json/' ${TEST_RUN_DIR}/conf/verify_policy2.conf")
add_test(NAME VERIFY_POLICY_TEST COMMAND verify_policy_test)

87
test/resource/HitPolicyRequest.json
View File

@@ -1,6 +1,7 @@
{ {
"Verify_Policy_Request": [ "Verify_Policy_Request": [
{ {
"__item_id": 0,
"vsys_id": 1, "vsys_id": 1,
"verify_list": [ "verify_list": [
{ {
@@ -25,6 +26,7 @@
"verify_type": "policy" "verify_type": "policy"
}, },
{ {
"__item_id": 1,
"vsys_id": 1, "vsys_id": 1,
"verify_list": [ "verify_list": [
{ {
@@ -65,6 +67,91 @@
} }
], ],
"verify_type": "policy" "verify_type": "policy"
},
{
"__item_id": 2,
"vsys_id": 1,
"verify_list": [
{
"type": "security",
"vsys_id": 1,
"verify_session": {
"attributes": [
{
"attribute_type": "ip",
"table_name": "ATTR_TUNNEL",
"attribute_name": "tunnel_endpointa",
"attribute_value": {
"ip": "192.168.0.1",
"tunnel_type":"gtp",
"addr_type": 4
}
}
]
}
}
],
"verify_type": "policy"
},
{
"__item_id": 3,
"vsys_id": 1,
"verify_list": [
{
"type": "security",
"vsys_id": 1,
"verify_session": {
"attributes": [
{
"attribute_type": "ip",
"table_name": "ATTR_TUNNEL",
"attribute_name": "tunnel_endpointb",
"attribute_value": {
"ip": "192.168.0.2",
"tunnel_type":"gtp",
"addr_type": 4
}
}
]
}
}
],
"verify_type": "policy"
},
{
"__item_id": 4,
"vsys_id": 1,
"verify_list": [
{
"type": "security",
"vsys_id": 1,
"verify_session": {
"attributes": [
{
"attribute_type": "ip",
"table_name": "ATTR_TUNNEL",
"attribute_name": "tunnel_endpointa",
"attribute_value": {
"ip": "192.168.0.2",
"tunnel_type":"gtp",
"addr_type": 4
}
},
{
"attribute_type": "ip",
"table_name": "ATTR_TUNNEL",
"attribute_name": "tunnel_endpointb",
"attribute_value": {
"ip": "192.168.0.3",
"tunnel_type":"gtp",
"addr_type": 4
}
}
]
}
}
],
"verify_type": "policy"
} }
] ]
} }

62
test/resource/HitPolicyResult.json
View File

@@ -129,6 +129,68 @@
} }
}, },
"success": true "success": true
},
{
"code": 200,
"msg": "Success",
"data": {
"verify_session": {
"attributes": [{
"attribute_type": "ip",
"table_name": "ATTR_TUNNEL",
"attribute_name": "tunnel_endpoint_object",
"hit_paths": [{
"item_id": 0,
"superior_object_id": 3021
}]
}]
}
},
"success": true
},
{
"code": 200,
"msg": "Success",
"data": {
"verify_session": {
"attributes": [{
"attribute_type": "ip",
"table_name": "ATTR_TUNNEL",
"attribute_name": "tunnel_endpoint_object",
"hit_paths": [{
"item_id": 0,
"superior_object_id": 3022
}]
}]
}
},
"success": true
},
{
"code": 200,
"msg": "Success",
"data": {
"verify_session": {
"attributes": [
{
"attribute_type": "ip",
"table_name": "ATTR_TUNNEL",
"attribute_name": "tunnel_endpoint_object",
"hit_paths": [
{
"item_id": 0,
"superior_object_id": 3022
},
{
"item_id": 0,
"superior_object_id": 3023
}
]
}
]
}
},
"success": true
} }
] ]
} }

101
test/resource/VerifyPolicyManipulation.json Normal file
View File

@@ -0,0 +1,101 @@
{
"compile_table": "PXY_CTRL_COMPILE",
"group2compile_table": "GROUP_PXY_CTRL_COMPILE_RELATION",
"group2group_table": "GROUP_GROUP_RELATION",
"rules": [
{
"compile_id": 1021,
"service": 1,
"action": 48,
"do_blacklist": 1,
"do_log": 1,
"effective_range": 0,
"tags":"anything",
"user_region": "anything",
"is_valid": "yes",
"groups": [
{
"not_flag": 0,
"group_id": 101,
"group_name":"IPv4TCPSoureVeiryPolicy01",
"virtual_table": "ATTR_SOURCE_IP",
"regions": [
{
"table_type": "ip",
"table_name": "TSG_OBJ_IP_ADDR",
"table_content": {
"addr_type": "ipv4",
"addr_format": "range",
"ip1": "192.168.0.1",
"ip2": "192.168.0.1"
}
}
]
}
]
},
{
"compile_id": 1022,
"service": 1,
"action": 48,
"do_blacklist": 1,
"do_log": 1,
"effective_range": 0,
"tags":"anything",
"user_region": "anything",
"is_valid": "yes",
"groups": [
{
"group_id": 11,
"group_name": "IPv4TCPSoureEntry.11",
"virtual_table": "ATTR_SOURCE_IP"
},
{
"group_id": 12,
"group_name": "IPv4TCPSoureEntry.12",
"virtual_table": "ATTR_INTERNAL_IP"
},
{
"group_id": 1,
"group_name": "FQDNEntry.1",
"virtual_table": "ATTR_SERVER_FQDN"
}
]
}
],
"plugin_table": [
{
"table_name": "FQDN_ENTRY",
"table_content": [
"1\t1\twww.126.com\t1\t1",
"2\t2,3\twww.baidu.com\t1\t1",
"4\t4,5,6\twww.qq.com\t1\t1"
]
},
{
"table_name": "IP_ADDR_ENTRY",
"table_content": [
"1\t11\t4\tsingle\t192.168.1.1\t192.168.1.1\t1",
"2\t12,13\t4\tsingle\t192.168.1.2\t192.168.1.2\t1",
"4\t14,15,16\t4\trange\t192.168.1.3\t192.168.1.3\t1"
]
},
{
"table_name": "LIBRARY_TAG",
"table_content": [
"1\tnone\twebsite_category\tfqdn1\tsearch\\bengines\t1",
"2\tnone\twebsite_category\tfqdn2\tRecreation\band\bHobbies\t1",
"3\tnone\twebsite_category\tfqdn3\tbusiness\t1",
"4\tnone\twebsite_category\tfqdn4\tsearch bengines\t1",
"5\tnone\twebsite_category\tfqdn5\tsearch\\bengines\t1",
"6\tnone\twebsite_category\tfqdn6\tsearch\\bengines\t1",
"11\tnone\tgeoip\tadministrative_area\tColombia.Departamento\bdel\bVaupes\t1",
"12\tnone\tgeoip\tadministrative_area\tColombia.Departamento\bdel\bVaupes.Mitú\t1",
"13\tnone\tgeoip\tadministrative_area\tColombia.Antioquia.Marinilla\t1",
"14\tnone\tgeoip\tsuper_administrative_area\tColombia.Departamento\bdel\bVaupes\t1",
"15\tnone\tgeoip\tadministrative_area\tGermany.Bavaria.Mauern\t1",
"16\tnone\tgeoip\tadministrative_area\tGermany.Bavaria.Mellrichstadt\t1"
]
}
]
}

118
test/resource/VerifyPolicyTunnel.json Normal file
View File

@@ -0,0 +1,118 @@
{
"compile_table": "TUNNEL_COMPILE",
"group2compile_table": "GROUP_TUNNEL_COMPILE_RELATION",
"group2group_table": "GROUP_GROUP_RELATION",
"rules": [
{
"compile_id": 3021,
"service": 13,
"action": 1,
"do_blacklist": 0,
"do_log": 1,
"tags": "{}",
"user_region": "anything",
"evaluation_order": "0.0",
"is_valid": "yes",
"groups": [
{
"not_flag": 0,
"group_id": 1,
"group_name": "TunnelIpv4TCPSoureVeiryPolicy01",
"virtual_table": "ATTR_TUNNEL_GTP_ENDPOINT",
"regions": [
{
"table_name": "TSG_OBJ_IP_ADDR",
"table_type": "ip",
"table_content": {
"addr_type": "ipv4",
"addr_format": "range",
"ip1": "192.168.0.1",
"ip2": "192.168.0.1"
}
}
]
}
]
},
{
"compile_id": 3022,
"service": 13,
"action": 1,
"do_blacklist": 0,
"do_log": 1,
"tags": "{}",
"user_region": "anything",
"evaluation_order": "0.0",
"is_valid": "yes",
"groups": [
{
"not_flag": 0,
"group_id": 2,
"group_name": "TunnelIpv4TCPSoureVeiryPolicy02",
"virtual_table": "ATTR_TUNNEL_GTP_ENDPOINT",
"regions": [
{
"table_name": "TSG_OBJ_IP_ADDR",
"table_type": "ip",
"table_content": {
"addr_type": "ipv4",
"addr_format": "range",
"ip1": "192.168.0.2",
"ip2": "192.168.0.2"
}
}
]
}
]
},
{
"compile_id": 3023,
"service": 13,
"action": 1,
"do_blacklist": 0,
"do_log": 1,
"tags": "{}",
"user_region": "anything",
"evaluation_order": "0.0",
"is_valid": "yes",
"groups": [
{
"not_flag": 0,
"group_id": 3,
"group_name": "TunnelIpv4TCPSoureVeiryPolicy03",
"virtual_table": "ATTR_TUNNEL_GTP_ENDPOINT",
"regions": [
{
"table_name": "TSG_OBJ_IP_ADDR",
"table_type": "ip",
"table_content": {
"addr_type": "ipv4",
"addr_format": "range",
"ip1": "192.168.0.2",
"ip2": "192.168.0.2"
}
}
]
},
{
"not_flag": 0,
"group_id": 4,
"group_name": "TunnelIpv4TCPSoureVeiryPolicy04",
"virtual_table": "ATTR_TUNNEL_GTP_ENDPOINT",
"regions": [
{
"table_name": "TSG_OBJ_IP_ADDR",
"table_type": "ip",
"table_content": {
"addr_type": "ipv4",
"addr_format": "range",
"ip1": "192.168.0.3",
"ip2": "192.168.0.3"
}
}
]
}
]
}
]
}

141
test/verify_policy_test.cpp
View File

@@ -25,12 +25,19 @@ struct verify_policy * g_verify_proxy = NULL;
extern cJSON *get_library_search_query(const char *data, ssize_t data_len); extern cJSON *get_library_search_query(const char *data, ssize_t data_len);
extern cJSON *get_verify_policy_query(const char *data, ssize_t data_len, int thread_id); extern cJSON *get_verify_policy_query(const char *data, ssize_t data_len, int thread_id);
int load_json_file_system_cmd(const char *load_json_file, const char *run_json_file) int load_json_file_system_cmd(const char *load_json_file, const char *run_json_file, int backup)
{ {
char command[1024] = {0}; char command[1024] = {0};
if(backup)
{
snprintf(command, sizeof(command), "cp ./resource/%s ./resource/backup.json", run_json_file);
system(command);
}
memset(command, 0, sizeof(command));
snprintf(command, sizeof(command), "cp ./resource/%s ./resource/%s", load_json_file, run_json_file); snprintf(command, sizeof(command), "cp ./resource/%s ./resource/%s", load_json_file, run_json_file);
system(command); system(command);
sleep(2);
return 0; return 0;
} }
@@ -82,46 +89,46 @@ static char *select_hit_policy_request_item(int gtest_id)
TEST(LibrarySearch, HitFqdnEntry) TEST(LibrarySearch, HitFqdnEntry)
{ {
const char *cm_http_request = "{\"ip\":null,\"fqdn\":\"www.126.com\",\"vsys_id\":1}"; const char *hit_policy_request = "{\"ip\":null,\"fqdn\":\"www.126.com\",\"vsys_id\":1}";
const char *expect_result="{\"code\":200,\"msg\":\"Success\",\"data\":{\"hit_library\":[{\"entry_id\":1,\"tag_ids\":\"1\"}]},\"success\":true}"; const char *hit_policy_result="{\"code\":200,\"msg\":\"Success\",\"data\":{\"hit_library\":[{\"entry_id\":1,\"tag_ids\":\"1\"}]},\"success\":true}";
cJSON *result_json = get_library_search_query(cm_http_request, strlen(cm_http_request)); cJSON *result_json = get_library_search_query(hit_policy_request, strlen(hit_policy_request));
ASSERT_TRUE(result_json != NULL); ASSERT_TRUE(result_json != NULL);
char *hit_policy_list = cJSON_PrintUnformatted(result_json); char *hit_policy_list = cJSON_PrintUnformatted(result_json);
ASSERT_TRUE(hit_policy_list != NULL); ASSERT_TRUE(hit_policy_list != NULL);
int equal = strncasecmp(hit_policy_list, expect_result, strlen(expect_result)); int equal = strncasecmp(hit_policy_list, hit_policy_result, strlen(hit_policy_result));
EXPECT_EQ(equal, 0); EXPECT_EQ(equal, 0);
cJSON_Delete(result_json); cJSON_Delete(result_json);
FREE(&hit_policy_list); FREE(&hit_policy_list);
cm_http_request = "{\"ip\":null,\"fqdn\":\"www.baidu.com\",\"vsys_id\":1}"; hit_policy_request = "{\"ip\":null,\"fqdn\":\"www.baidu.com\",\"vsys_id\":1}";
expect_result="{\"code\":200,\"msg\":\"Success\",\"data\":{\"hit_library\":[{\"entry_id\":2,\"tag_ids\":\"2,3\"}]},\"success\":true}"; hit_policy_result="{\"code\":200,\"msg\":\"Success\",\"data\":{\"hit_library\":[{\"entry_id\":2,\"tag_ids\":\"2,3\"}]},\"success\":true}";
result_json = get_library_search_query(cm_http_request, strlen(cm_http_request)); result_json = get_library_search_query(hit_policy_request, strlen(hit_policy_request));
ASSERT_TRUE(result_json != NULL); ASSERT_TRUE(result_json != NULL);
hit_policy_list = cJSON_PrintUnformatted(result_json); hit_policy_list = cJSON_PrintUnformatted(result_json);
ASSERT_TRUE(hit_policy_list != NULL); ASSERT_TRUE(hit_policy_list != NULL);
equal = strncasecmp(hit_policy_list, expect_result, strlen(expect_result)); equal = strncasecmp(hit_policy_list, hit_policy_result, strlen(hit_policy_result));
EXPECT_EQ(equal, 0); EXPECT_EQ(equal, 0);
cJSON_Delete(result_json); cJSON_Delete(result_json);
FREE(&hit_policy_list); FREE(&hit_policy_list);
cm_http_request = "{\"ip\":null,\"fqdn\":\"www.qq.com\",\"vsys_id\":1}"; hit_policy_request = "{\"ip\":null,\"fqdn\":\"www.qq.com\",\"vsys_id\":1}";
expect_result="{\"code\":200,\"msg\":\"Success\",\"data\":{\"hit_library\":[{\"entry_id\":4,\"tag_ids\":\"4,5,6\"}]},\"success\":true}"; hit_policy_result="{\"code\":200,\"msg\":\"Success\",\"data\":{\"hit_library\":[{\"entry_id\":4,\"tag_ids\":\"4,5,6\"}]},\"success\":true}";
result_json = get_library_search_query(cm_http_request, strlen(cm_http_request)); result_json = get_library_search_query(hit_policy_request, strlen(hit_policy_request));
ASSERT_TRUE(result_json != NULL); ASSERT_TRUE(result_json != NULL);
hit_policy_list = cJSON_PrintUnformatted(result_json); hit_policy_list = cJSON_PrintUnformatted(result_json);
ASSERT_TRUE(hit_policy_list != NULL); ASSERT_TRUE(hit_policy_list != NULL);
equal = strncasecmp(hit_policy_list, expect_result, strlen(expect_result)); equal = strncasecmp(hit_policy_list, hit_policy_result, strlen(hit_policy_result));
EXPECT_EQ(equal, 0); EXPECT_EQ(equal, 0);
cJSON_Delete(result_json); cJSON_Delete(result_json);
@@ -130,46 +137,46 @@ TEST(LibrarySearch, HitFqdnEntry)
TEST(LibrarySearch, HitIpEntry) TEST(LibrarySearch, HitIpEntry)
{ {
const char *cm_http_request = "{\"ip\":\"192.168.1.1\",\"fqdn\":null,\"vsys_id\":1}"; const char *hit_policy_request = "{\"ip\":\"192.168.1.1\",\"fqdn\":null,\"vsys_id\":1}";
const char *expect_result="{\"code\":200,\"msg\":\"Success\",\"data\":{\"hit_library\":[{\"entry_id\":1,\"tag_ids\":\"11\"}]},\"success\":true}"; const char *hit_policy_result="{\"code\":200,\"msg\":\"Success\",\"data\":{\"hit_library\":[{\"entry_id\":1,\"tag_ids\":\"11\"}]},\"success\":true}";
cJSON *result_json = get_library_search_query(cm_http_request, strlen(cm_http_request)); cJSON *result_json = get_library_search_query(hit_policy_request, strlen(hit_policy_request));
ASSERT_TRUE(result_json != NULL); ASSERT_TRUE(result_json != NULL);
char *hit_policy_list = cJSON_PrintUnformatted(result_json); char *hit_policy_list = cJSON_PrintUnformatted(result_json);
ASSERT_TRUE(hit_policy_list != NULL); ASSERT_TRUE(hit_policy_list != NULL);
int equal = strncasecmp(hit_policy_list, expect_result, strlen(expect_result)); int equal = strncasecmp(hit_policy_list, hit_policy_result, strlen(hit_policy_result));
EXPECT_EQ(equal, 0); EXPECT_EQ(equal, 0);
cJSON_Delete(result_json); cJSON_Delete(result_json);
FREE(&hit_policy_list); FREE(&hit_policy_list);
cm_http_request ="{\"ip\":\"192.168.1.2\",\"fqdn\":null,\"vsys_id\":1}"; hit_policy_request ="{\"ip\":\"192.168.1.2\",\"fqdn\":null,\"vsys_id\":1}";
expect_result="{\"code\":200,\"msg\":\"Success\",\"data\":{\"hit_library\":[{\"entry_id\":2,\"tag_ids\":\"12,13\"}]},\"success\":true}"; hit_policy_result="{\"code\":200,\"msg\":\"Success\",\"data\":{\"hit_library\":[{\"entry_id\":2,\"tag_ids\":\"12,13\"}]},\"success\":true}";
result_json = get_library_search_query(cm_http_request, strlen(cm_http_request)); result_json = get_library_search_query(hit_policy_request, strlen(hit_policy_request));
ASSERT_TRUE(result_json != NULL); ASSERT_TRUE(result_json != NULL);
hit_policy_list = cJSON_PrintUnformatted(result_json); hit_policy_list = cJSON_PrintUnformatted(result_json);
ASSERT_TRUE(hit_policy_list != NULL); ASSERT_TRUE(hit_policy_list != NULL);
equal = strncasecmp(hit_policy_list, expect_result, strlen(expect_result)); equal = strncasecmp(hit_policy_list, hit_policy_result, strlen(hit_policy_result));
EXPECT_EQ(equal, 0); EXPECT_EQ(equal, 0);
cJSON_Delete(result_json); cJSON_Delete(result_json);
FREE(&hit_policy_list); FREE(&hit_policy_list);
cm_http_request = "{\"ip\":\"192.168.1.3\",\"fqdn\":null,\"vsys_id\":1}"; hit_policy_request = "{\"ip\":\"192.168.1.3\",\"fqdn\":null,\"vsys_id\":1}";
expect_result="{\"code\":200,\"msg\":\"Success\",\"data\":{\"hit_library\":[{\"entry_id\":4,\"tag_ids\":\"14,15,16\"}]},\"success\":true}"; hit_policy_result="{\"code\":200,\"msg\":\"Success\",\"data\":{\"hit_library\":[{\"entry_id\":4,\"tag_ids\":\"14,15,16\"}]},\"success\":true}";
result_json = get_library_search_query(cm_http_request, strlen(cm_http_request)); result_json = get_library_search_query(hit_policy_request, strlen(hit_policy_request));
ASSERT_TRUE(result_json != NULL); ASSERT_TRUE(result_json != NULL);
hit_policy_list = cJSON_PrintUnformatted(result_json); hit_policy_list = cJSON_PrintUnformatted(result_json);
ASSERT_TRUE(hit_policy_list != NULL); ASSERT_TRUE(hit_policy_list != NULL);
equal = strncasecmp(hit_policy_list, expect_result, strlen(expect_result)); equal = strncasecmp(hit_policy_list, hit_policy_result, strlen(hit_policy_result));
EXPECT_EQ(equal, 0); EXPECT_EQ(equal, 0);
cJSON_Delete(result_json); cJSON_Delete(result_json);
@@ -210,7 +217,82 @@ TEST(VerifyPolicy, HitLibraryPolicy)
char *hit_policy_query = cJSON_PrintUnformatted(result_json); char *hit_policy_query = cJSON_PrintUnformatted(result_json);
ASSERT_TRUE(hit_policy_query != NULL); ASSERT_TRUE(hit_policy_query != NULL);
//printf("hit_policy_query =%s\n", hit_policy_query);
int equal = strncasecmp(hit_policy_query, hit_policy_result, strlen(hit_policy_result));
EXPECT_EQ(equal, 0);
cJSON_Delete(result_json);
FREE(&hit_policy_query);
FREE(&hit_policy_request);
FREE(&hit_policy_result);
}
static void reload_maat_config(const char * main_profile)
{
verify_policy_table_free(main_profile);
int ret = verify_policy_table_init(g_verify_proxy, main_profile);
CHECK_OR_EXIT(ret == 0, "Failed at init maat module, Exit.");
}
/*Tunnel Endpoint Policy Test**/
TEST(VerifyPolicy, HitTunnelEndpointaPolicy)
{
reload_maat_config("./conf/verify_policy2.conf");
char *hit_policy_request = select_hit_policy_request_item(2);
ASSERT_TRUE(hit_policy_request != NULL);
char *hit_policy_result = select_hit_policy_result_item(2);
ASSERT_TRUE(hit_policy_result != NULL);
cJSON *result_json = get_verify_policy_query(hit_policy_request, strlen(hit_policy_request), 1);
ASSERT_TRUE(result_json != NULL);
char *hit_policy_query = cJSON_PrintUnformatted(result_json);
ASSERT_TRUE(hit_policy_query != NULL);
int equal = strncasecmp(hit_policy_query, hit_policy_result, strlen(hit_policy_result));
EXPECT_EQ(equal, 0);
cJSON_Delete(result_json);
FREE(&hit_policy_query);
FREE(&hit_policy_request);
FREE(&hit_policy_result);
}
TEST(VerifyPolicy, HitTunnelEndpointbPolicy)
{
char *hit_policy_request = select_hit_policy_request_item(3);
ASSERT_TRUE(hit_policy_request != NULL);
char *hit_policy_result = select_hit_policy_result_item(3);
ASSERT_TRUE(hit_policy_result != NULL);
cJSON *result_json = get_verify_policy_query(hit_policy_request, strlen(hit_policy_request), 1);
ASSERT_TRUE(result_json != NULL);
char *hit_policy_query = cJSON_PrintUnformatted(result_json);
ASSERT_TRUE(hit_policy_query != NULL);
int equal = strncasecmp(hit_policy_query, hit_policy_result, strlen(hit_policy_result));
EXPECT_EQ(equal, 0);
cJSON_Delete(result_json);
FREE(&hit_policy_query);
FREE(&hit_policy_request);
FREE(&hit_policy_result);
}
TEST(VerifyPolicy, HitTunnelEndpointPolicy)
{
char *hit_policy_request = select_hit_policy_request_item(4);
ASSERT_TRUE(hit_policy_request != NULL);
char *hit_policy_result = select_hit_policy_result_item(4);
ASSERT_TRUE(hit_policy_result != NULL);
cJSON *result_json = get_verify_policy_query(hit_policy_request, strlen(hit_policy_request), 1);
ASSERT_TRUE(result_json != NULL);
char *hit_policy_query = cJSON_PrintUnformatted(result_json);
ASSERT_TRUE(hit_policy_query != NULL);
printf("hit_policy_query =%s\n", hit_policy_query);
int equal = strncasecmp(hit_policy_query, hit_policy_result, strlen(hit_policy_result)); int equal = strncasecmp(hit_policy_query, hit_policy_result, strlen(hit_policy_result));
EXPECT_EQ(equal, 0); EXPECT_EQ(equal, 0);
@@ -283,7 +365,8 @@ int main(int argc, char ** argv)
g_verify_proxy->logger = log_handle_create(log_path, log_level); g_verify_proxy->logger = log_handle_create(log_path, log_level);
CHECK_OR_EXIT(g_verify_proxy->logger != NULL, "Failed at init log module. Exit."); CHECK_OR_EXIT(g_verify_proxy->logger != NULL, "Failed at init log module. Exit.");
ret = maat_table_init(g_verify_proxy, main_profile); g_verify_proxy->nr_work_threads=1;
ret = verify_policy_table_init(g_verify_proxy, main_profile);
CHECK_OR_EXIT(ret == 0, "Failed at init maat module, Exit."); CHECK_OR_EXIT(ret == 0, "Failed at init maat module, Exit.");
const char *filename1 = "./resource/HitPolicyResult.json"; const char *filename1 = "./resource/HitPolicyResult.json";
@@ -293,7 +376,6 @@ int main(int argc, char ** argv)
testing::InitGoogleTest(&argc, argv); testing::InitGoogleTest(&argc, argv);
ret=RUN_ALL_TESTS(); ret=RUN_ALL_TESTS();
if(data1 != NULL) if(data1 != NULL)
{ {
cJSON_Delete(data1); cJSON_Delete(data1);
@@ -302,7 +384,6 @@ int main(int argc, char ** argv)
{ {
cJSON_Delete(data2); cJSON_Delete(data2);
} }
return ret; return ret;
} }