| author | fengweihao <[email protected]> | 2024-09-29 20:01:49 +0800 |
|---|---|---|
| committer | fengweihao <[email protected]> | 2024-09-29 20:01:49 +0800 |
| commit | a032f97535d2420b5823ed78a2b55d80891e2f66 (patch) | |
| tree | 75bc1206573838753d6cca83b052425ef0e27477 /plugin/business/tsg-http/src/tsg_http.cpp | |
| parent | a94b7d55b501fbe177300058222ff197ac975b5a (diff) | |
TSG-22707 tfe adapts to maat interface changes
Diffstat (limited to 'plugin/business/tsg-http/src/tsg_http.cpp')
| -rw-r--r-- | plugin/business/tsg-http/src/tsg_http.cpp | 723 |
1 files changed, 419 insertions, 304 deletions
diff --git a/plugin/business/tsg-http/src/tsg_http.cpp b/plugin/business/tsg-http/src/tsg_http.cpp index 9c57c56..4e365b1 100644 --- a/plugin/business/tsg-http/src/tsg_http.cpp +++ b/plugin/business/tsg-http/src/tsg_http.cpp @@ -33,17 +33,21 @@ #define MAX_EDIT_ZONE_NUM 64 #define MAX_SCAN_DATA_SIZE ((1 << 16) - 1) -enum proxy_action //Bigger action number is prior. -{ - PX_ACTION_NONE = 0x00, - PX_ACTION_MONIT = 0x01, - PX_ACTION_FORWARD = 0x02, /* N/A */ - PX_ACTION_REJECT = 0x10, - PX_ACTION_DROP = 0x20, /* N/A */ - PX_ACTION_MANIPULATE = 0x30, - PX_ACTION_RATELIMIT = 0x40, /* N/A */ - PX_ACTION_WHITELIST = 0x60, - PX_ACTION_SHUNT = 0x80, +enum proxy_action +{ + PX_ACTION_NONE = 0, + PX_ACTION_MONIT = 1, + PX_ACTION_INTERCEPT = 2, /* N/A */ + PX_ACTION_NO_INTERCEPT = 3, + PX_ACTION_ACTIVE_DEFENCE = 4, + PX_ACTION_WANNAT = 8, + PX_ACTION_REJECT = 16, + PX_ACTION_SHAPING = 32, + PX_ACTION_MANIPULATE = 48, + PX_ACTION_SERVICE_CHAINING=64, + PX_ACTION_WHITELIST = 96, + PX_ACTION_SHUNT = 128, + PX_STATISTICS = 129, __PX_ACTION_MAX }; @@ -103,7 +107,7 @@ enum manipulate_profile_table struct manipulate_profile { - int profile_id; + char *profile_uuid; int ref_cnt; size_t msg_len; char *profile_name; @@ -118,13 +122,14 @@ struct manipulate_profile struct maat_rule_t { - long long config_id; + int vsys_id; + uuid_t config_uuid; + char *config_uuid_string; int service_id; unsigned char do_log; unsigned char do_blacklist; unsigned char action; - char *srv_def_large; - int vsys_id; + char *action_parameter; }; struct policy_action_param @@ -134,7 +139,8 @@ struct policy_action_param char *message; char *position; float enforcement_ratio; - int profile_id; + char *profile_uuid_str; + int status_code; size_t n_rule; 
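Review bot: The renumbered proxy_action enum drops the old `//Bigger action number is prior.` comment without saying whether numeric order still decides which action wins when several rules hit, and the new `PX_STATISTICS = 129` now sits above `PX_ACTION_SHUNT = 128` and `PX_ACTION_WHITELIST = 96`. If any code still resolves conflicts by taking the largest value (the comparison site is not in this diff), a statistics rule would now outrank a shunt or allow rule, which is the opposite of what a passive counting action should do. Either restore the invariant with a comment such as `/* numeric value is precedence: higher wins when several rules match; PX_STATISTICS must not be treated as terminal */` and move PX_STATISTICS below the enforcement actions, or state explicitly that ordering is no longer significant. Note also that `action` in maat_rule_t stays an `unsigned char` and `action_type_str2idx` later returns `__PX_ACTION_MAX` (130) for an unknown string, so every consumer has to treat values `>= __PX_ACTION_MAX` as invalid rather than as a real action.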
@@ -230,28 +236,54 @@ void trusted_CA_update_start_cb(int update_type, void* u_para) } g_proxy_rt->ca_store_reseting++; } - } -void trusted_CA_update_cert_cb(int table_id, const char* table_line, void* u_para) + +void trusted_CA_update_cert_cb(const char *table_name, const char *table_line, enum maat_operation op, void *u_para) { - int ret=0, cfg_id=0, is_valid=0; - char cert_name[128]={0}, cert_file[1024]={0}; - ret=sscanf(table_line, "%d\t%s\t%s\t%d", &cfg_id, cert_name, cert_file, &is_valid); - if(ret!=4) + int ret = 0; + + cJSON* trust_ca_cert = cJSON_Parse(table_line); + if(trust_ca_cert == NULL) { - TFE_LOG_ERROR(g_proxy_rt->local_logger, "Trusted CA Store parse cert config failed: %s", table_line); + TFE_LOG_ERROR(g_proxy_rt->local_logger, "PXY_PROFILE_TRUSTED_CA_CERT parse table_line failed. table_line:%s", table_line); return; } + + char *uuid_sring=NULL; + int is_valid=0; + char cert_name[128]={0}, cert_file[1024]={0}; + + cJSON *uuid = cJSON_GetObjectItem(trust_ca_cert, "uuid"); + if(uuid && uuid->type==cJSON_String) + { + uuid_sring = uuid->valuestring; + } + cJSON *item = cJSON_GetObjectItem(trust_ca_cert, "cert_name"); + if(item && item->type==cJSON_String) + { + memcpy(cert_name, item->valuestring, strlen(item->valuestring)); + } + item = cJSON_GetObjectItem(trust_ca_cert, "cert_file"); + if(item && item->type==cJSON_String) + { + memcpy(cert_file, item->valuestring, strlen(item->valuestring)); + } + item = cJSON_GetObjectItem(trust_ca_cert, "is_valid"); + if(item && item->type==cJSON_Number) + { + is_valid=item->valueint; + } + if(is_valid==1) { ret=tfe_proxy_ssl_add_trust_ca(cert_file); if(ret<0) { - TFE_LOG_ERROR(g_proxy_rt->local_logger, "Trusted CA Store add cert failed %d:%s:%s", cfg_id, cert_name, cert_file); + TFE_LOG_ERROR(g_proxy_rt->local_logger, "Trusted CA Store add cert failed %s:%s:%s", uuid_sring, cert_name, cert_file); } else { - TFE_LOG_INFO(g_proxy_rt->local_logger, "Trusted CA Store add cert success %d:%s:%s", cfg_id, cert_name, 
cert_file); + TFE_LOG_INFO(g_proxy_rt->local_logger, "Trusted CA Store add cert success %s:%s:%s", uuid_sring, cert_name, cert_file); } } else @@ -259,13 +291,16 @@ void trusted_CA_update_cert_cb(int table_id, const char* table_line, void* u_par ret=tfe_proxy_ssl_del_trust_ca(cert_file); if(ret<0) { - TFE_LOG_ERROR(g_proxy_rt->local_logger, "Trusted CA Store del cert failed %d:%s:%s", cfg_id, cert_name, cert_file); + TFE_LOG_ERROR(g_proxy_rt->local_logger, "Trusted CA Store del cert failed %s:%s:%s", uuid_sring, cert_name, cert_file); } else { - TFE_LOG_INFO(g_proxy_rt->local_logger, "Trusted CA Store del cert success %d:%s:%s", cfg_id, cert_name, cert_file); + TFE_LOG_INFO(g_proxy_rt->local_logger, "Trusted CA Store del cert success %s:%s:%s", uuid_sring, cert_name, cert_file); } } + + cJSON_Delete(trust_ca_cert); + trust_ca_cert=NULL; return; } void trusted_CA_update_crl_cb(int table_id,const char* table_line,void* u_para) 
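Review bot: In trusted_CA_update_cert_cb the two copies `memcpy(cert_name, item->valuestring, strlen(item->valuestring));` and `memcpy(cert_file, item->valuestring, strlen(item->valuestring));` are unbounded, so a `cert_name` of 128 or more bytes or a `cert_file` of 1024 or more bytes in the JSON table line either leaves the stack buffer unterminated or overruns it. Replace them with `snprintf(cert_name, sizeof(cert_name), "%s", item->valuestring);` and `snprintf(cert_file, sizeof(cert_file), "%s", item->valuestring);`, and skip the entry when `cert_file` is empty instead of calling `tfe_proxy_ssl_add_trust_ca("")`. The new `enum maat_operation op` parameter is never read: add versus delete is decided only by `is_valid`, so if maat signals removal through `op` rather than by flipping `is_valid`, a deleted row would be re-added (the maat semantics are not visible here, so please confirm). `uuid_sring` (sic, `uuid_string`) is NULL when the `uuid` key is missing and is then passed to `%s` in every log line; default it to `"(none)"`.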
@@ -413,83 +448,128 @@ char* str_unescape(char* s) return s; } -void policy_action_param_new(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp) +unsigned char action_type_str2idx(const char *action_str) { - int ret=0, group_num=0; - long long config_id=0; - int service_id=0, action=0; - int do_log=0,do_blacklist=0,is_valid=0; - char effective_range[1024]={0}; - char srv_def_large[8192]={0}; - struct policy_action_param* param=NULL; + const char * action_name[__PX_ACTION_MAX]; + action_name[PX_ACTION_NONE] = "none"; + action_name[PX_ACTION_MONIT] = "monitor"; + action_name[PX_ACTION_INTERCEPT] = "intercept"; + action_name[PX_ACTION_NO_INTERCEPT] = "no_intercept"; + action_name[PX_ACTION_ACTIVE_DEFENCE] = "active_defence"; + action_name[PX_ACTION_WANNAT] = "wannat"; + action_name[PX_ACTION_REJECT] = "deny"; + action_name[PX_ACTION_SHAPING] = "shaping"; + action_name[PX_ACTION_MANIPULATE] = "manipulate"; + action_name[PX_ACTION_SERVICE_CHAINING] = "service_chaining"; + action_name[PX_ACTION_WHITELIST] = "allow"; + action_name[PX_ACTION_SHUNT] = "shunt"; + action_name[PX_STATISTICS] = "statistics"; - ret=sscanf(table_line, "%lld\t%d\t%d\t%d\t%d\t%s\t%s\t%d\t%d", &config_id, &service_id, &action, &do_blacklist, &do_log, effective_range, srv_def_large, &group_num, &is_valid); - if(ret!=9) + int action = 0; + for ( action = PX_ACTION_NONE; action < __PX_ACTION_MAX; action++) { - TFE_LOG_ERROR(g_proxy_rt->local_logger, "ctrl policy table parse failed, ret:%d, %s", ret, table_line); - return; + if (0 == strcasecmp(action_str, action_name[action])) + break; } + return action; +} - *ad=NULL; +unsigned char log_option_type_str2idx(const char *log_option) +{ + size_t i = 0; + const char *log_option_name[] = {"none", "metadata", "all"}; + for (i = 0; i < sizeof(log_option_name) / sizeof(const char *); i++) + { + if (0 == strcasecmp(log_option, log_option_name[i])) + break; + } + return i; + +} - 
str_unescape(srv_def_large); - int serv_def_len=strlen(srv_def_large); - if((unsigned int)serv_def_len<strlen("{}")+1) +void policy_action_param_new(const char *table_name, const char* key, const char* table_line, void **ad, long argl, void* argp) +{ + cJSON* pxy_ctrl_rule = cJSON_Parse(table_line); + if(pxy_ctrl_rule == NULL) { + TFE_LOG_ERROR(g_proxy_rt->local_logger, "PXY_CTRL_RULE parse table_line failed. table_line:%s", table_line); return; } - int rule_id; - cJSON *json=NULL, *rules=NULL, *item=NULL, *sub_item=NULL; - json=cJSON_Parse(srv_def_large); - if(json==NULL) + struct policy_action_param* param=ALLOC(struct policy_action_param, 1); + + cJSON *uuid = cJSON_GetObjectItem(pxy_ctrl_rule, "uuid"); + if(uuid && uuid->type==cJSON_String) + { + param->hit_rule.config_uuid_string = strdup(uuid->valuestring); + uuid_parse(uuid->valuestring, param->hit_rule.config_uuid); + } + + cJSON *action = cJSON_GetObjectItem(pxy_ctrl_rule, "action"); + if(action && action->type==cJSON_String) { - TFE_LOG_ERROR(g_proxy_rt->local_logger, "invalid policy parameter: id = %lld", config_id); + param->hit_rule.action=action_type_str2idx(action->valuestring); + } + + cJSON *blacklist_option = cJSON_GetObjectItem(pxy_ctrl_rule, "blacklist_option"); + if(blacklist_option && blacklist_option->type==cJSON_Number) + { + param->hit_rule.do_blacklist=blacklist_option->valueint; + } + + cJSON *log_option = cJSON_GetObjectItem(pxy_ctrl_rule, "log_option"); + if(log_option && log_option->type==cJSON_String) + { + param->hit_rule.do_log=log_option_type_str2idx(log_option->valuestring); + } + + cJSON *action_parameter = cJSON_GetObjectItem(pxy_ctrl_rule, "action_parameter"); + if(action_parameter == NULL || action_parameter->type!=cJSON_Object) + { + FREE(¶m); + TFE_LOG_ERROR(g_proxy_rt->local_logger, "invalid policy parameter: id = %s", param->hit_rule.config_uuid_string); return; } - param=ALLOC(struct policy_action_param, 1); param->ref_cnt=1; - param->hit_rule.action=action; - 
param->hit_rule.config_id=config_id; - param->hit_rule.do_blacklist=do_blacklist; - param->hit_rule.do_log=do_log; - param->hit_rule.srv_def_large=tfe_strdup(srv_def_large); pthread_mutex_init(&(param->lock), NULL); + param->hit_rule.action_parameter = cJSON_PrintUnformatted(action_parameter); - item=cJSON_GetObjectItem(json,"method"); - if(item && item->type==cJSON_String) + cJSON *method=cJSON_GetObjectItem(action_parameter,"method"); + if(method && method->type==cJSON_String) { - param->action=manipulate_action_str2idx(item->valuestring); + param->action=manipulate_action_str2idx(method->valuestring); } + int rule_id=0; + cJSON *rules=NULL, *item=NULL, *sub_item=NULL; switch(param->action) { case MA_ACTION_ALLOW: case MA_ACTION_MONITOR: - item=cJSON_GetObjectItem(json,"vsys_id"); + item=cJSON_GetObjectItem(action_parameter,"vsys_id"); if(item && item->type==cJSON_Number) { param->hit_rule.vsys_id=item->valueint; } break; case MA_ACTION_REDIRECT: - item=cJSON_GetObjectItem(json,"vsys_id"); + item=cJSON_GetObjectItem(action_parameter,"vsys_id"); if(item && item->type==cJSON_Number) { param->hit_rule.vsys_id=item->valueint; } - item=cJSON_GetObjectItem(json,"code"); + item=cJSON_GetObjectItem(action_parameter,"code"); if(item && item->type==cJSON_Number) { param->status_code = item->valueint; } - item=cJSON_GetObjectItem(json,"to"); + item=cJSON_GetObjectItem(action_parameter,"to"); if(item && item->type==cJSON_String) { param->message = tfe_strdup(item->valuestring); } - item=cJSON_GetObjectItem(json,"enforcement_ratio"); + item=cJSON_GetObjectItem(action_parameter,"enforcement_ratio"); if(item && item->type==cJSON_Number) { param->enforcement_ratio = item->valuedouble; 
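Review bot: In policy_action_param_new the `action_parameter` error branch calls `FREE(&param)` and then dereferences `param->hit_rule.config_uuid_string` in the log call, which is a use-after-free (or a NULL dereference if FREE nulls its argument), and it also leaks the strdup'ed uuid string and the parsed `pxy_ctrl_rule` tree, while neither new failure path sets `*ad` the way the old code did with `*ad=NULL`. Log first and then release in the right order, as below. Separately, action_type_str2idx declares `const char * action_name[__PX_ACTION_MAX];` uninitialized and fills only 13 of 130 slots, so the linear scan hands a garbage pointer at index 5 to `strcasecmp` for any string that is not one of the first five names (`"deny"`, `"allow"` and `"shunt"` included); declare it `const char *action_name[__PX_ACTION_MAX] = {0};` and test `if (action_name[action] && 0 == strcasecmp(action_str, action_name[action]))`. `uuid_parse(uuid->valuestring, param->hit_rule.config_uuid)` also ignores its return value, so a malformed uuid leaves `config_uuid` with whatever ALLOC left there; check for `< 0` and reject the rule. policy_action_param_new continues past the end of this hunk.
```cpp
    cJSON *action_parameter = cJSON_GetObjectItem(pxy_ctrl_rule, "action_parameter");
    if(action_parameter == NULL || action_parameter->type!=cJSON_Object)
    {
        TFE_LOG_ERROR(g_proxy_rt->local_logger, "invalid policy parameter: id = %s",
                      param->hit_rule.config_uuid_string ? param->hit_rule.config_uuid_string : "(no uuid)");
        if(param->hit_rule.config_uuid_string)
            FREE(&(param->hit_rule.config_uuid_string));
        FREE(&param);
        cJSON_Delete(pxy_ctrl_rule);
        *ad=NULL;
        return;
    }
    // … unchanged: ref_cnt/mutex init, action_parameter serialisation, per-action switch …
```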
@@ -500,34 +580,34 @@ void policy_action_param_new(const char *table_name, int table_id, const char* k } break; case MA_ACTION_BLOCK: - item=cJSON_GetObjectItem(json,"vsys_id"); + item=cJSON_GetObjectItem(action_parameter,"vsys_id"); if(item && item->type==cJSON_Number) { param->hit_rule.vsys_id=item->valueint; } - item=cJSON_GetObjectItem(json,"code"); + item=cJSON_GetObjectItem(action_parameter,"code"); if(item && item->type==cJSON_Number) { param->status_code = item->valueint; } - item=cJSON_GetObjectItem(json,"message"); + item=cJSON_GetObjectItem(action_parameter,"message"); if(item && item->type==cJSON_String) { param->message = tfe_strdup(item->valuestring); } - item=cJSON_GetObjectItem(json,"html_profile"); - if(item && item->type==cJSON_Number) + item=cJSON_GetObjectItem(action_parameter,"html_profile"); + if(item && item->type==cJSON_String) { - param->profile_id = item->valueint; + param->profile_uuid_str = tfe_strdup(item->valuestring); } break; case MA_ACTION_REPLACE: - item=cJSON_GetObjectItem(json,"vsys_id"); + item=cJSON_GetObjectItem(action_parameter,"vsys_id"); if(item && item->type==cJSON_Number) { param->hit_rule.vsys_id=item->valueint; } - item=cJSON_GetObjectItem(json,"enforcement_ratio"); + item=cJSON_GetObjectItem(action_parameter,"enforcement_ratio"); if(item && item->type==cJSON_Number) { param->enforcement_ratio = item->valuedouble; @@ -536,7 +616,7 @@ void policy_action_param_new(const char *table_name, int table_id, const char* k { param->enforcement_ratio = 1; } - rules = cJSON_GetObjectItem(json, "rules"); + rules = cJSON_GetObjectItem(action_parameter, "rules"); if(rules == NULL) { break; 
@@ -562,16 +642,17 @@ void policy_action_param_new(const char *table_name, int table_id, const char* k param->n_rule = rule_id; break; case MA_ACTION_HIJACK: - item=cJSON_GetObjectItem(json,"vsys_id"); + item=cJSON_GetObjectItem(action_parameter,"vsys_id"); if(item && item->type==cJSON_Number) { param->hit_rule.vsys_id=item->valueint; } - item=cJSON_GetObjectItem(json,"hijack_profile"); - if(item && item->type==cJSON_Number){ - param->profile_id = item->valueint; + item=cJSON_GetObjectItem(action_parameter,"hijack_profile"); + if(item && item->type==cJSON_String) + { + param->profile_uuid_str =tfe_strdup(item->valuestring); } - item=cJSON_GetObjectItem(json,"enforcement_ratio"); + item=cJSON_GetObjectItem(action_parameter,"enforcement_ratio"); if(item && item->type==cJSON_Number) { param->enforcement_ratio = item->valuedouble; @@ -582,20 +663,21 @@ void policy_action_param_new(const char *table_name, int table_id, const char* k } break; case MA_ACTION_INSERT: - item=cJSON_GetObjectItem(json,"vsys_id"); + item=cJSON_GetObjectItem(action_parameter,"vsys_id"); if(item && item->type==cJSON_Number) { param->hit_rule.vsys_id=item->valueint; } - item=cJSON_GetObjectItem(json,"insert_profile"); - if(item && item->type==cJSON_Number){ - param->profile_id = item->valueint; + item=cJSON_GetObjectItem(action_parameter,"insert_profile"); + if(item && item->type==cJSON_String) + { + param->profile_uuid_str =tfe_strdup(item->valuestring); } - item=cJSON_GetObjectItem(json,"position"); + item=cJSON_GetObjectItem(action_parameter,"position"); if(item && item->type==cJSON_String){ param->position = tfe_strdup(item->valuestring); } - item=cJSON_GetObjectItem(json,"enforcement_ratio"); + item=cJSON_GetObjectItem(action_parameter,"enforcement_ratio"); if(item && item->type==cJSON_Number) { param->enforcement_ratio = item->valuedouble; 
@@ -606,12 +688,12 @@ void policy_action_param_new(const char *table_name, int table_id, const char* k } break; case MA_ACTION_ELEMENT: - item=cJSON_GetObjectItem(json,"vsys_id"); + item=cJSON_GetObjectItem(action_parameter,"vsys_id"); if(item && item->type==cJSON_Number) { param->hit_rule.vsys_id=item->valueint; } - rules = cJSON_GetObjectItem(json, "rules"); + rules = cJSON_GetObjectItem(action_parameter, "rules"); if(rules == NULL) { break; @@ -649,16 +731,17 @@ void policy_action_param_new(const char *table_name, int table_id, const char* k param->e_rule = rule_id; break; case MA_ACTION_LUA_SCRIPT: - item=cJSON_GetObjectItem(json,"vsys_id"); + item=cJSON_GetObjectItem(action_parameter,"vsys_id"); if(item && item->type==cJSON_Number) { param->hit_rule.vsys_id=item->valueint; } - item=cJSON_GetObjectItem(json,"run_script_profile"); - if(item && item->type==cJSON_Number){ - param->profile_id = item->valueint; + item=cJSON_GetObjectItem(action_parameter,"run_script_profile"); + if(item && item->type==cJSON_String) + { + param->profile_uuid_str =tfe_strdup(item->valuestring); } - item=cJSON_GetObjectItem(json,"enforcement_ratio"); + item=cJSON_GetObjectItem(action_parameter,"enforcement_ratio"); if(item && item->type==cJSON_Number) { param->enforcement_ratio = item->valuedouble; @@ -672,12 +755,12 @@ void policy_action_param_new(const char *table_name, int table_id, const char* k break; } *ad=param; - TFE_LOG_INFO(g_proxy_rt->local_logger, "Add ctrl policy: %lld", config_id); - cJSON_Delete(json); + TFE_LOG_INFO(g_proxy_rt->local_logger, "Add ctrl policy: %s", param->hit_rule.config_uuid_string); + cJSON_Delete(pxy_ctrl_rule); return; } -void policy_action_param_free_cb(int table_id, void **ad, long argl, void *argp) +void policy_action_param_free_cb(const char *table_name, void **ad, long argl, void *argp) { unsigned int i=0; if(*ad==NULL) 
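Review bot: The new `TFE_LOG_INFO(g_proxy_rt->local_logger, "Add ctrl policy: %s", param->hit_rule.config_uuid_string)` hands a NULL pointer to `%s` whenever the table line has no string `uuid`, and the rule is still published through `*ad=param` with `config_uuid` never filled in. Since proxy_http_ctx now keys scan results by `uuid_t result[MAX_SCAN_RESULT]`, a rule without a uuid presumably can never be correlated with a hit, so it is safer to reject it before the `*ad=param` line: `if(param->hit_rule.config_uuid_string == NULL) { TFE_LOG_ERROR(g_proxy_rt->local_logger, "ctrl policy without uuid, ignored"); policy_action_param_free(param); cJSON_Delete(pxy_ctrl_rule); return; }`. The start of policy_action_param_new is outside this hunk.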
@@ -717,8 +800,12 @@ void policy_action_param_free_cb(int table_id, void **ad, long argl, void *argp) FREE(&(param->message)); if (param->position) FREE(&(param->position)); - if(param->hit_rule.srv_def_large) - FREE(&(param->hit_rule.srv_def_large)) + if(param->profile_uuid_str) + FREE(&(param->profile_uuid_str)); + if(param->hit_rule.config_uuid_string) + FREE(&(param->hit_rule.config_uuid_string)); + if(param->hit_rule.action_parameter) + FREE(¶m->hit_rule.action_parameter); FREE(&(param)); return; @@ -726,11 +813,11 @@ void policy_action_param_free_cb(int table_id, void **ad, long argl, void *argp) void policy_action_param_free(struct policy_action_param* param) { - policy_action_param_free_cb(0, (void**)¶m, 0, NULL); + policy_action_param_free_cb("PXY_CTRL_RULE_PLUGIN", (void**)¶m, 0, NULL); return; } -void policy_action_param_dup(int idx, void **to, void **from, long argl, void *argp) +void policy_action_param_dup(const char *table_name, void **to, void **from, long argl, void *argp) { struct policy_action_param* from_param=*((struct policy_action_param**)from); if(from_param==NULL) 
@@ -745,27 +832,42 @@ void policy_action_param_dup(int idx, void **to, void **from, long argl, void *a return; } -void ma_profile_table_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp) +void ma_profile_table_new_cb(const char *table_name, const char* key, const char* table_line, void **ad, long argl, void* argp) { - int ret=0, profile_id=0, is_valid=0; - char profile_name[512]={0}, formate[128]={0}; - char profile_path[TFE_PATH_MAX]={0}; - - ret=sscanf(table_line, "%d\t%s\t%s\t%s\t%d", &profile_id, profile_name, formate, profile_path, &is_valid); - if(ret!=5) + cJSON* response_pages = cJSON_Parse(table_line); + if(response_pages == NULL) { - TFE_LOG_ERROR(g_proxy_rt->local_logger, "Policy table parse config failed: %s", table_line); + TFE_LOG_ERROR(g_proxy_rt->local_logger, "TSG_PROFILE_RESPONSE_PAGES parse table_line failed. table_line:%s", table_line); return; } + char *profile_path=NULL; struct manipulate_profile* ply_profile=ALLOC(struct manipulate_profile, 1); - memset(ply_profile, 0, sizeof(struct manipulate_profile)); + cJSON *uuid = cJSON_GetObjectItem(response_pages, "uuid"); + if(uuid && uuid->type==cJSON_String) + { + ply_profile->profile_uuid = tfe_strdup(uuid->valuestring); + } + cJSON *profile_name = cJSON_GetObjectItem(response_pages, "profile_name"); + if(profile_name && profile_name->type==cJSON_String) + { + ply_profile->profile_name=tfe_strdup(profile_name->valuestring); + } + cJSON *format = cJSON_GetObjectItem(response_pages, "format"); + if(format && format->type==cJSON_String) + { + ply_profile->profile_type=tfe_strdup(format->valuestring); + } + cJSON *item = cJSON_GetObjectItem(response_pages, "path"); + if(item && item->type==cJSON_String) + { + profile_path=item->valuestring; + } - ply_profile->profile_id=profile_id; ply_profile->ref_cnt=1; pthread_mutex_init(&(ply_profile->lock), NULL); - if(strcasecmp(formate, "template") == 0) + 
if(strcasecmp(ply_profile->profile_type, "template") == 0) { ply_profile->tpl = ctemplate::Template::GetTemplate(profile_path, ctemplate::DO_NOT_STRIP); }else 
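Review bot: ma_profile_table_new_cb now calls `strcasecmp(ply_profile->profile_type, "template")` and passes `profile_path` to `ctemplate::Template::GetTemplate`, but both are NULL when the `format` or `path` key is missing or not a string, so a malformed table line crashes the config reload instead of being rejected the way the old `ret!=5` check did. Validate before use, as in the fence below, which frees what was already strdup'ed and drops the cJSON tree. The commit also removed `memset(ply_profile, 0, sizeof(struct manipulate_profile));` after `ALLOC`; if ALLOC does not zero-fill (its definition is not visible here), fields such as `tpl`, `profile_msg` and `profile_position` that are only set on some paths become garbage that ma_profile_table_free_cb later frees, so keep the memset unless ALLOC is known to be calloc-like. `profile_path` points into `response_pages`, so it must never be used after `cJSON_Delete(response_pages)`; the current ordering is fine but deserves a comment. The function continues into the next hunk.
```cpp
    if(ply_profile->profile_type == NULL || profile_path == NULL)
    {
        TFE_LOG_ERROR(g_proxy_rt->local_logger, "TSG_PROFILE_RESPONSE_PAGES missing format or path. table_line:%s", table_line);
        if(ply_profile->profile_uuid) FREE(&ply_profile->profile_uuid);
        if(ply_profile->profile_name) FREE(&ply_profile->profile_name);
        if(ply_profile->profile_type) FREE(&ply_profile->profile_type);
        FREE(&ply_profile);
        cJSON_Delete(response_pages);
        return;
    }
    ply_profile->ref_cnt=1;
    pthread_mutex_init(&(ply_profile->lock), NULL);
    // … unchanged: template / file load, cJSON_Delete, *ad = ply_profile …
```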
@@ -773,38 +875,59 @@ void ma_profile_table_new_cb(const char *table_name, int table_id, const char* k ply_profile->profile_msg = tfe_read_file(profile_path, &ply_profile->msg_len); if (ply_profile->profile_msg == NULL) { - TFE_LOG_ERROR(g_proxy_rt->local_logger, "Read file failed %d:%s:%s", profile_id, profile_name, profile_path); + TFE_LOG_ERROR(g_proxy_rt->local_logger, "Read file failed %s:%s:%s", ply_profile->profile_uuid, ply_profile->profile_name, profile_path); } } - ply_profile->profile_name=tfe_strdup(profile_name); - ply_profile->profile_type=tfe_strdup(formate); - TFE_LOG_INFO(g_proxy_rt->local_logger, "Policy table add success %d", profile_id); + cJSON_Delete(response_pages); + response_pages=NULL; + TFE_LOG_INFO(g_proxy_rt->local_logger, "Policy table add success %s", ply_profile->profile_uuid); *ad = ply_profile; return; } -void ma_insert_profile_table_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp) +void ma_insert_profile_table_new_cb(const char *table_name, const char* key, const char* table_line, void **ad, long argl, void* argp) { - int ret=0, profile_id=0, is_valid=0; - char profile_name[512]={0}, formate[128]={0}; - char profile_path[TFE_PATH_MAX]={0},profile_position[TFE_PATH_MAX]={0}; - - ret=sscanf(table_line, "%d\t%s\t%s\t%s\t%s\t%d", &profile_id, profile_name, formate, profile_path, profile_position, &is_valid); - if(ret!=6) + cJSON* insert_script = cJSON_Parse(table_line); + if(insert_script == NULL) { - TFE_LOG_ERROR(g_proxy_rt->local_logger, "Policy table parse config failed: %s", table_line); + TFE_LOG_ERROR(g_proxy_rt->local_logger, "PXY_PROFILE_INSERT_SCRIPTS parse table_line failed. 
table_line:%s", table_line); return; } + + char *profile_path=NULL; struct manipulate_profile* ply_profile=ALLOC(struct manipulate_profile, 1); - memset(ply_profile, 0, sizeof(struct manipulate_profile)); + cJSON *uuid = cJSON_GetObjectItem(insert_script, "uuid"); + if(uuid && uuid->type==cJSON_String) + { + ply_profile->profile_uuid = tfe_strdup(uuid->valuestring); + } + cJSON *profile_name = cJSON_GetObjectItem(insert_script, "profile_name"); + if(profile_name && profile_name->type==cJSON_String) + { + ply_profile->profile_name=tfe_strdup(profile_name->valuestring); + } + cJSON *format = cJSON_GetObjectItem(insert_script, "format"); + if(format && format->type==cJSON_String) + { + ply_profile->profile_type=tfe_strdup(format->valuestring); + } + cJSON *insert_on = cJSON_GetObjectItem(insert_script, "insert_on"); + if(insert_on && insert_on->type==cJSON_String) + { + ply_profile->profile_position=tfe_strdup(insert_on->valuestring); + } + cJSON *item = cJSON_GetObjectItem(insert_script, "path"); + if(item && item->type==cJSON_String) + { + profile_path=item->valuestring; + } - ply_profile->profile_id=profile_id; ply_profile->ref_cnt=1; pthread_mutex_init(&(ply_profile->lock), NULL); - if(strcasecmp(formate, "template") == 0) + if(strcasecmp(ply_profile->profile_type, "template") == 0) { ply_profile->tpl = ctemplate::Template::GetTemplate(profile_path, ctemplate::DO_NOT_STRIP); }else 
@@ -812,82 +935,114 @@ void ma_insert_profile_table_new_cb(const char *table_name, int table_id, const ply_profile->profile_msg = tfe_read_file(profile_path, &ply_profile->msg_len); if (ply_profile->profile_msg == NULL) { - TFE_LOG_ERROR(g_proxy_rt->local_logger, "Read file failed %d:%s:%s", profile_id, profile_name, profile_path); + TFE_LOG_ERROR(g_proxy_rt->local_logger, "Read file failed %s:%s:%s", ply_profile->profile_uuid, ply_profile->profile_name, profile_path); } } - ply_profile->profile_name=tfe_strdup(profile_name); - ply_profile->profile_type=tfe_strdup(formate); - ply_profile->profile_position=tfe_strdup(profile_position); - - TFE_LOG_INFO(g_proxy_rt->local_logger, "Policy table add success %d", profile_id); + cJSON_Delete(insert_script); + insert_script=NULL; + TFE_LOG_INFO(g_proxy_rt->local_logger, "Policy table add success %s", ply_profile->profile_uuid); *ad = ply_profile; + return; } -void ma_hijack_profile_table_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp) +void ma_hijack_profile_table_new_cb(const char *table_name, const char* key, const char* table_line, void **ad, long argl, void* argp) { - int ret=0, profile_id=0, is_valid=0; - char profile_name[512]={0}, formate[128]={0}; - char profile_path[TFE_PATH_MAX]={0},hijack_name[512]={0}; - - ret=sscanf(table_line, "%d\t%s\t%s\t%s\t%s\t%d", &profile_id, profile_name, hijack_name, formate, profile_path, &is_valid); - if(ret!=6) + cJSON* hihijack_files = cJSON_Parse(table_line); + if(hihijack_files == NULL) { - TFE_LOG_ERROR(g_proxy_rt->local_logger, "Policy table parse config failed: %s", table_line); + TFE_LOG_ERROR(g_proxy_rt->local_logger, "PXY_PROFILE_HIJACK_FILES parse table_line failed. 
table_line:%s", table_line); return; } + struct manipulate_profile* ply_profile=ALLOC(struct manipulate_profile, 1); + cJSON *uuid = cJSON_GetObjectItem(hihijack_files, "uuid"); + if(uuid && uuid->type==cJSON_String) + { + ply_profile->profile_uuid = tfe_strdup(uuid->valuestring); + } + cJSON *profile_name = cJSON_GetObjectItem(hihijack_files, "profile_name"); + if(profile_name && profile_name->type==cJSON_String) + { + ply_profile->profile_name=tfe_strdup(profile_name->valuestring); + } + cJSON *content_type = cJSON_GetObjectItem(hihijack_files, "content_type"); + if(content_type && content_type->type==cJSON_String) + { + ply_profile->profile_type=tfe_strdup(content_type->valuestring); + } + cJSON *path = cJSON_GetObjectItem(hihijack_files, "path"); + if(path && path->type==cJSON_String) + { + ply_profile->profile_msg=tfe_strdup(path->valuestring); + } + ply_profile->ref_cnt=1; pthread_mutex_init(&(ply_profile->lock), NULL); - ply_profile->profile_id=profile_id; - ply_profile->profile_msg=tfe_strdup(profile_path); - ply_profile->profile_name=tfe_strdup(hijack_name); - ply_profile->profile_type=tfe_strdup(formate); - - TFE_LOG_INFO(g_proxy_rt->local_logger, "Policy table add success %d", profile_id); + cJSON_Delete(hihijack_files); + hihijack_files=NULL; + TFE_LOG_INFO(g_proxy_rt->local_logger, "Policy table add success %s", ply_profile->profile_uuid); *ad = ply_profile; return; } -void ma_lua_profile_table_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp) +void ma_lua_profile_table_new_cb(const char *table_name, const char* key, const char* table_line, void **ad, long argl, void* argp) { - int timeout=0; - int ret=0, profile_id=0, is_valid=0; - char profile_name[512]={0}, profile_path[TFE_PATH_MAX]={0}; - - ret=sscanf(table_line, "%d\t%s\t%d\t%d", &profile_id, profile_path, &timeout, &is_valid); - if(ret!=4) + cJSON* run_scripts = cJSON_Parse(table_line); + if(run_scripts == NULL) { - 
TFE_LOG_ERROR(g_proxy_rt->local_logger, "Policy table parse config failed: %s", table_line); + TFE_LOG_ERROR(g_proxy_rt->local_logger, "PXY_PROFILE_RUN_SCRIPTS parse table_line failed. table_line:%s", table_line); return; } + + char *profile_path=NULL; + struct manipulate_profile* ply_profile=ALLOC(struct manipulate_profile, 1); + cJSON *uuid = cJSON_GetObjectItem(run_scripts, "uuid"); + if(uuid && uuid->type==cJSON_String) + { + ply_profile->profile_uuid = tfe_strdup(uuid->valuestring); + } + cJSON *max_exec_time = cJSON_GetObjectItem(run_scripts, "max_exec_time"); + if(max_exec_time && max_exec_time->type==cJSON_Number) + { + ply_profile->timeout=max_exec_time->valueint; + } + cJSON *path = cJSON_GetObjectItem(run_scripts, "path"); + if(path && path->type==cJSON_String) + { + profile_path=path->valuestring; + } + ply_profile->ref_cnt=1; pthread_mutex_init(&(ply_profile->lock), NULL); - ply_profile->profile_id=profile_id; ply_profile->profile_name=tfe_strdup(profile_path); ply_profile->profile_msg = tfe_read_file(profile_path, &ply_profile->msg_len); - ply_profile->timeout=timeout; + if (ply_profile->profile_msg == NULL) { - TFE_LOG_ERROR(g_proxy_rt->local_logger, "Read file failed %d:%s:%s", profile_id, profile_name, profile_path); + cJSON_Delete(run_scripts); + run_scripts=NULL; + TFE_LOG_ERROR(g_proxy_rt->local_logger, "Read file failed %s:%s:%s", ply_profile->profile_uuid, ply_profile->profile_name, profile_path); *ad = ply_profile; return; } int thread_num = g_proxy_rt->thread_num; ply_profile->escript_ctx = ALLOC(struct elua_script *, thread_num); - TFE_LOG_INFO(g_proxy_rt->local_logger, "Policy table add success %d", profile_id); + TFE_LOG_INFO(g_proxy_rt->local_logger, "Policy table add success %s", ply_profile->profile_uuid); + cJSON_Delete(run_scripts); + run_scripts=NULL; *ad = ply_profile; return; } -void ma_profile_table_free_cb(int table_id, void **ad, long argl, void *argp) +void ma_profile_table_free_cb(const char *table_name, void **ad, long argl, 
void *argp) { if(*ad==NULL) { @@ -904,6 +1059,9 @@ void ma_profile_table_free_cb(int table_id, void **ad, long argl, void *argp) pthread_mutex_unlock(&(ply_obj->lock)); pthread_mutex_destroy(&(ply_obj->lock)); + if(ply_obj->profile_uuid) + FREE(&ply_obj->profile_uuid); + if(ply_obj->profile_type) FREE(&ply_obj->profile_type); @@ -939,7 +1097,7 @@ void ma_profile_table_free(struct manipulate_profile* ply_obj) ma_profile_table_free_cb(0, (void **)&ply_obj, 0, NULL); } -void ma_profile_table_dup_cb(int table_id, void **to, void **from, long argl, void *argp) +void ma_profile_table_dup_cb(const char *table_name, void **to, void **from, long argl, void *argp) { struct manipulate_profile* ply_obj=(struct manipulate_profile*)(*from); pthread_mutex_lock(&(ply_obj->lock)); @@ -948,21 +1106,6 @@ void ma_profile_table_dup_cb(int table_id, void **to, void **from, long argl, vo *to=ply_obj; } -int maat_table_init(const char* table_name, - maat_start_callback_t *start, maat_update_callback_t *update, maat_finish_callback_t *finish, - void *u_para) -{ - int table_id=0; - - table_id=maat_get_table_id(g_proxy_rt->feather, table_name); - if(table_id>=0) - { - maat_table_callback_register(g_proxy_rt->feather, table_id, - start, update, finish, u_para); - } - return table_id; -} - const char* table_name_idx2str(int profile_idx) { const char *table_name_map[] = {"TSG_PROFILE_RESPONSE_PAGES", @@ -977,7 +1120,7 @@ int maat_table_ex_init(int profile_idx, maat_ex_free_func_t* free_func, maat_ex_dup_func_t* dup_func) { - int table_id = 0; + int ret = 0; const char *table_name = table_name_idx2str(profile_idx); maat_ex_new_func_t *new_func[] = { 
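Review bot: In ma_lua_profile_table_new_cb the `Read file failed` branch calls `cJSON_Delete(run_scripts)` before the `TFE_LOG_ERROR` that prints `profile_path`, and `profile_path` is a pointer into that tree (`profile_path=path->valuestring`), so the log reads freed memory; move the delete after the log: `TFE_LOG_ERROR(...); cJSON_Delete(run_scripts); run_scripts=NULL;`. The same function does `tfe_strdup(profile_path)` and `tfe_read_file(profile_path, ...)` with a NULL `profile_path` when `path` is missing, and ma_hijack_profile_table_new_cb stores `path` in `profile_msg` without checking it exists, so both need the same missing-key rejection as the other profile loaders. `max_exec_time` is stored into `timeout` unchecked; a zero or negative value from the config presumably disables the Lua time limit, so clamp or reject it here (how `timeout` is enforced is not visible in this diff). The script path and the hijack file path come straight from the control-plane table and are opened without any base-directory restriction, which is acceptable only if that channel is fully trusted. ma_profile_table_free_cb starts at the end of this hunk and continues into the next.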
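Review bot: ma_profile_table_free still calls `ma_profile_table_free_cb(0, (void **)&ply_obj, 0, NULL);` although the callback's first parameter became `const char *table_name`, so it now passes a null pointer where policy_action_param_free was updated in this same commit to pass `"PXY_CTRL_RULE_PLUGIN"`. Write the intent explicitly as `ma_profile_table_free_cb(NULL, (void **)&ply_obj, 0, NULL);` and make sure ma_profile_table_free_cb never formats `table_name` into a log line without a NULL check, since the same callback is registered for four different profile tables.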
@@ -987,18 +1130,17 @@ int maat_table_ex_init(int profile_idx, [POLICY_PROFILE_TABLE_LUA] = ma_lua_profile_table_new_cb, }; - table_id=g_proxy_rt->plolicy_table_id[profile_idx]=maat_get_table_id(g_proxy_rt->feather, table_name); - if(table_id >= 0) + ret=maat_plugin_table_ex_schema_register(g_proxy_rt->feather, table_name, + new_func[profile_idx], + free_func, + dup_func, + 0, NULL); + if(ret < 0) { - table_id=maat_plugin_table_ex_schema_register(g_proxy_rt->feather, table_name, - new_func[profile_idx], - free_func, - dup_func, - 0, NULL); - return 0; + TFE_LOG_INFO(NULL, "Pangu HTTP register table %s failed.", table_name); + return -1; } - TFE_LOG_INFO(NULL, "Pangu HTTP register table %s failed.", table_name); - return -1; + return ret; } int proxy_policy_init(const char* profile_path, const char* static_section, const char* dynamic_section) 
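Review bot: maat_table_ex_init reports a failed schema registration with `TFE_LOG_INFO(NULL, "Pangu HTTP register table %s failed.", table_name)` and then returns -1; a failure that disables an entire policy table should be `TFE_LOG_ERROR`, otherwise it disappears at the usual INFO filter level in production. `new_func[profile_idx]` is also indexed without a bounds check, which predates this commit but is worth fixing while the function is being reshaped: `if (profile_idx < 0 || profile_idx >= (int)(sizeof(new_func)/sizeof(new_func[0]))) return -1;` before the register call.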
@@ -1006,51 +1148,25 @@ int proxy_policy_init(const char* profile_path, const char* static_section, cons int ret = 0; g_proxy_rt->feather = tfe_get_maat_handle(); - const char * table_name[__SCAN_TABLE_MAX]; - table_name[PXY_CTRL_HTTP_URL] = "ATTR_HTTP_URL"; - table_name[PXY_CTRL_HTTP_FQDN] = "ATTR_SERVER_FQDN"; - table_name[PXY_CTRL_HTTP_REQ_HDR] = "ATTR_HTTP_REQ_HDR"; - table_name[PXY_CTRL_HTTP_REQ_BODY] = "ATTR_HTTP_REQ_BODY"; - table_name[PXY_CTRL_HTTP_RES_HDR] = "ATTR_HTTP_RES_HDR"; - table_name[PXY_CTRL_HTTP_RES_BODY] = "ATTR_HTTP_RES_BODY"; - table_name[PXY_CTRL_APP_ID] = "ATTR_APP_ID"; - - for (int i = 0; i < __SCAN_TABLE_MAX; i++) - { - g_proxy_rt->scan_table_id[i] = maat_get_table_id(g_proxy_rt->feather, table_name[i]); - if (g_proxy_rt->scan_table_id[i] < 0) - { - TFE_LOG_ERROR(NULL, "Pangu HTTP Maat table %s register failed.", table_name[i]); - goto error_out; - } - } - - g_proxy_rt->ctrl_plugin_idx=maat_get_table_id(g_proxy_rt->feather, "PXY_CTRL_COMPILE_PLUGIN"); - maat_plugin_table_ex_schema_register(g_proxy_rt->feather, "PXY_CTRL_COMPILE_PLUGIN", + ret = maat_plugin_table_ex_schema_register(g_proxy_rt->feather, "PXY_CTRL_RULE_PLUGIN", policy_action_param_new, policy_action_param_free_cb, policy_action_param_dup, 0, NULL); - - ret = maat_table_init("PXY_PROFILE_TRUSTED_CA_CERT", - trusted_CA_update_start_cb, - trusted_CA_update_cert_cb, - trusted_CA_update_finish_cb, - g_proxy_rt); if(ret<0) { - TFE_LOG_INFO(NULL, "Pangu HTTP register table PXY_OBJ_TRUSTED_CA_CERT failed."); + TFE_LOG_INFO(NULL, "Pangu HTTP register table PXY_CTRL_RULE_PLUGIN failed."); goto error_out; } - ret = maat_table_init("PXY_OBJ_TRUSTED_CA_CRL", - trusted_CA_update_start_cb, - trusted_CA_update_crl_cb, - trusted_CA_update_finish_cb, - g_proxy_rt); + ret = maat_table_callback_register(g_proxy_rt->feather, "PXY_PROFILE_TRUSTED_CA_CERT", + trusted_CA_update_start_cb, + trusted_CA_update_cert_cb, + trusted_CA_update_finish_cb, + g_proxy_rt); if(ret<0) { - TFE_LOG_INFO(NULL, 
"Pangu HTTP register table PXY_OBJ_TRUSTED_CA_CRL failed."); + TFE_LOG_INFO(NULL, "Pangu HTTP register table PXY_OBJ_TRUSTED_CA_CERT failed."); goto error_out; } @@ -1155,7 +1271,7 @@ struct proxy_http_ctx enum proxy_action action; char * action_para; int hit_cnt; - long long result[MAX_SCAN_RESULT]; + uuid_t result[MAX_SCAN_RESULT]; struct maat_state *scan_mid; struct maat_stream *sp; struct maat_rule_t * enforce_rules; @@ -1292,6 +1408,14 @@ void http_element_ctx_free(struct edit_element_ctx *edit_ctx) void http_tsg_ctx_free(struct tsg_script_ctx *tsg_ctx, int thread_id) { + if(tsg_ctx->config_uuid_str) + { + FREE(&tsg_ctx->config_uuid_str) + } + if(tsg_ctx->profile_uuid_str) + { + FREE(&tsg_ctx->profile_uuid_str) + } if (tsg_ctx->http_body) { evbuffer_free(tsg_ctx->http_body); @@ -1383,15 +1507,10 @@ static inline void addr_tfe2sapp(const struct tfe_stream_addr * tfe_addr, struct return; } -static struct manipulate_profile* get_profile_by_id(int profile_table, int profile_id) +static struct manipulate_profile* get_profile_by_id(const char *table_name, char *cfg_id_str) { struct manipulate_profile* result=NULL; - - char cfg_id_str[16] = {0}; - snprintf(cfg_id_str, sizeof(cfg_id_str), "%d", profile_id); - int table_id = g_proxy_rt->plolicy_table_id[profile_table]; - - result = (struct manipulate_profile*)maat_plugin_table_get_ex_data(g_proxy_rt->feather, table_id, (const char*)cfg_id_str, strlen(cfg_id_str)); + result = (struct manipulate_profile*)maat_plugin_table_get_ex_data(g_proxy_rt->feather, table_name, (const char*)cfg_id_str, strlen(cfg_id_str)); return result; } 
@@ -1414,7 +1533,7 @@ void proxy_send_metric_log(const struct tfe_stream * stream, struct proxy_http_c for(i=0; i< ctx->n_enforce; i++) { fieldstat->tags[thread_id][TAG_VSYS_ID].value_longlong = ctx->enforce_rules[i].vsys_id; - fieldstat->tags[thread_id][TAG_RULE_ID].value_longlong = ctx->enforce_rules[i].config_id; + fieldstat->tags[thread_id][TAG_RULE_ID].value_str = ctx->enforce_rules[i].config_uuid_string; fieldstat->tags[thread_id][TAG_ACTION].value_longlong = PX_ACTION_MANIPULATE; if(ctx->enforce_rules[i].action == PX_ACTION_MANIPULATE) { @@ -1508,10 +1627,11 @@ static inline int action_cmp(enum proxy_action a1, enum proxy_action a2) } //enforce_rules[0] contains execute action. -static enum proxy_action decide_ctrl_action(long long *results, size_t n_hit, +static enum proxy_action decide_ctrl_action(uuid_t *result, size_t n_hit, struct maat_rule_t** enforce_rules, size_t * n_enforce, struct policy_action_param **param) { void *ex_data=NULL; + char result_uuid_string[UUID_STRING_SIZE]={0}; size_t n_monit = 0, exist_enforce_num = 0, i = 0; struct policy_action_param *get_ex_param=NULL; @@ -1520,7 +1640,8 @@ static enum proxy_action decide_ctrl_action(long long *results, size_t n_hit, hit_rules=ALLOC(struct maat_rule_t, n_hit); for (i = 0; i < n_hit && i<MAX_SCAN_RESULT; i++) { - get_ex_param =(struct policy_action_param *)maat_plugin_table_get_ex_data(g_proxy_rt->feather, g_proxy_rt->ctrl_plugin_idx, (const char *)&results[i], sizeof(results[i])); + uuid_unparse(result[i], result_uuid_string); + get_ex_param =(struct policy_action_param *)maat_plugin_table_get_ex_data(g_proxy_rt->feather, "PXY_CTRL_RULE_PLUGIN", result_uuid_string, strlen(result_uuid_string)); if(get_ex_param==NULL) { continue; 
@@ -1550,7 +1671,7 @@ static enum proxy_action decide_ctrl_action(long long *results, size_t n_hit, } else if (action_cmp(__action, prior_action) == 0) { - if (hit_rules[i].config_id > prior_rule->config_id) + if(uuid_compare(hit_rules[i].config_uuid, prior_rule->config_uuid) > 0) { prior_rule = hit_rules + i; } @@ -1569,7 +1690,8 @@ static enum proxy_action decide_ctrl_action(long long *results, size_t n_hit, } *enforce_rules[0]=*prior_rule; *n_enforce=1; - ex_data=maat_plugin_table_get_ex_data(g_proxy_rt->feather, g_proxy_rt->ctrl_plugin_idx, (const char *)&prior_rule->config_id, sizeof(prior_rule->config_id)); + + ex_data=maat_plugin_table_get_ex_data(g_proxy_rt->feather, "PXY_CTRL_RULE_PLUGIN", prior_rule->config_uuid_string, strlen(prior_rule->config_uuid_string)); if(ex_data!=NULL) { *param=(struct policy_action_param*)ex_data; @@ -1603,7 +1725,7 @@ static enum proxy_action decide_ctrl_action(long long *results, size_t n_hit, memcpy(*enforce_rules + exist_enforce_num + 1, monit_rule, n_monit * sizeof(struct maat_rule_t)); } - ex_data=maat_plugin_table_get_ex_data(g_proxy_rt->feather, g_proxy_rt->ctrl_plugin_idx, (const char *)&prior_rule->config_id, sizeof(prior_rule->config_id)); + ex_data=maat_plugin_table_get_ex_data(g_proxy_rt->feather, "PXY_CTRL_RULE_PLUGIN", prior_rule->config_uuid_string, strlen(prior_rule->config_uuid_string)); if(ex_data!=NULL) { *param=(struct policy_action_param*)ex_data; @@ -1655,11 +1777,11 @@ void manipulate_profile_free(struct manipulate_profile* ma_profile) FREE(&ma_profile); } -static int html_generate(int profile_id, const char* msg, char ** page_buff, size_t * page_size) +static int html_generate(char *profile_uuid, const char* msg, char ** page_buff, size_t * page_size) { int ret = 0; - struct manipulate_profile* block_profile=get_profile_by_id(POLICY_PROFLIE_TABLE_REJECT, profile_id); + struct manipulate_profile* block_profile=get_profile_by_id("TSG_PROFILE_RESPONSE_PAGES", profile_uuid); if(block_profile==NULL) { ret=-1; 
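Review bot: The tie-break between rules with the same action level now depends on `uuid_compare`, which orders by the raw UUID bytes, so for random UUIDs the winner among equally-ranked rules is effectively arbitrary, whereas the old `config_id >` comparison at least favoured the most recently created rule. An operator can no longer predict which of two conflicting same-level policies is enforced or logged as `enforce_rules[0]`; if the control plane carries an explicit priority or creation order, compare that here instead, and if it does not, document the behaviour at the comparison: `/* same action level: uuid_compare() order is stable but otherwise arbitrary */`. decide_ctrl_action begins before and ends after this hunk.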
@@ -1706,11 +1828,11 @@ static int http_enforcement_ratio(float enforcement_ratio) return 0; } -int http_lua_profile(int profile_id, struct elua_script ***elua_ctx, char **profile_msg, size_t *msg_len, int *timeout) +int http_lua_profile(char *profile_uuid_str, struct elua_script ***elua_ctx, char **profile_msg, size_t *msg_len, int *timeout) { int ret = 0; - struct manipulate_profile* lua_profile=get_profile_by_id(POLICY_PROFILE_TABLE_LUA, profile_id); + struct manipulate_profile* lua_profile=get_profile_by_id("PXY_PROFILE_RUN_SCRIPTS", profile_uuid_str); if(lua_profile==NULL) { ret=-1; @@ -1750,7 +1872,7 @@ void http_lua(const struct tfe_stream * stream, const struct tfe_http_session * { struct policy_action_param *param = ctx->param; ctx->tsg_ctx = tsg_ctx = ALLOC(struct tsg_script_ctx, 1); - tsg_ctx->profile_id = param->profile_id; + tsg_ctx->profile_uuid_str = tfe_strdup(param->profile_uuid_str); tsg_ctx->addr = stream->addr; tsg_ctx->elua_ctx = http_lua_ctx_new(lua_script, ctx->thread_id); } @@ -1764,7 +1886,7 @@ void http_lua(const struct tfe_stream * stream, const struct tfe_http_session * tsg_ctx->events = events; tsg_ctx->session = session; tsg_ctx->local_logger = g_proxy_rt->local_logger; - tsg_ctx->config_id = ctx->enforce_rules[0].config_id; + tsg_ctx->config_uuid_str = ctx->enforce_rules[0].config_uuid_string; struct tfe_http_half * in_req_half = session->req; struct tfe_http_half * in_resp_half = session->resp; @@ -1774,7 +1896,7 @@ void http_lua(const struct tfe_stream * stream, const struct tfe_http_session * if ((events & EV_HTTP_REQ_HDR) || (events & EV_HTTP_RESP_HDR)) { tsg_ctx->http_req_uri=1; tsg_ctx->execut_lua_sucess=0; - ret=execute_lua_script_rule(lua_script, tsg_ctx->profile_id, tsg_ctx->elua_ctx, ctx->thread_id, (void *)tsg_ctx); + ret=execute_lua_script_rule(lua_script, tsg_ctx->profile_uuid_str, tsg_ctx->elua_ctx, ctx->thread_id, (void *)tsg_ctx); if(ret==0 && tsg_ctx->execut_lua_sucess==1) { tsg_ctx->actually_executed =1; 
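Review bot: `tsg_ctx->config_uuid_str = ctx->enforce_rules[0].config_uuid_string;` stores a borrowed pointer, but `http_tsg_ctx_free` (earlier in this diff) now does `FREE(&tsg_ctx->config_uuid_str)`, so the script context frees a string that `enforce_rules[0]` — and, because `*enforce_rules[0]=*prior_rule;` in decide_ctrl_action is a plain struct copy, whatever owns the original rule entry — still points at; that is a double free or use-after-free on the next lookup, unless `config_uuid_string` is a per-context duplicate that nothing else releases, which the diff does not show. The sibling assignment a few lines up already takes a copy with `tfe_strdup(param->profile_uuid_str)`; do the same here: `tsg_ctx->config_uuid_str = tfe_strdup(ctx->enforce_rules[0].config_uuid_string);`. http_lua starts before and ends after this hunk.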
@@ -1798,7 +1920,7 @@ void http_lua(const struct tfe_stream * stream, const struct tfe_http_session * FREE(&tsg_ctx->rewrite_uri); } - ret=execute_lua_script_rule(lua_script, tsg_ctx->profile_id, tsg_ctx->elua_ctx, ctx->thread_id, (void *)tsg_ctx); + ret=execute_lua_script_rule(lua_script, tsg_ctx->profile_uuid_str, tsg_ctx->elua_ctx, ctx->thread_id, (void *)tsg_ctx); if(ret==0 && tsg_ctx->execut_lua_sucess==1) { tsg_ctx->actually_executed =1; @@ -1836,7 +1958,7 @@ void http_lua(const struct tfe_stream * stream, const struct tfe_http_session * char * __http_body = (char *) evbuffer_pullup(tsg_ctx->http_body, -1); size_t __http_body_len = evbuffer_get_length(tsg_ctx->http_body); - ret=execute_lua_script_rule(lua_script, tsg_ctx->profile_id, tsg_ctx->elua_ctx, ctx->thread_id, (void *)tsg_ctx); + ret=execute_lua_script_rule(lua_script, tsg_ctx->profile_uuid_str, tsg_ctx->elua_ctx, ctx->thread_id, (void *)tsg_ctx); char * __http_lua_body = NULL; size_t __http_body_lua_len = 0; if(ret == 0 && tsg_ctx->http_lua_body != NULL) @@ -2072,7 +2194,7 @@ static void http_get_subscriber_id(const struct tfe_stream * stream, char *repla } } -static int http_regex_replace(const struct tfe_stream * stream, char *message, int profile_id, char **rewrite_message) +static int http_regex_replace(const struct tfe_stream * stream, char *message, char *profile_id_str, char **rewrite_message) { int i=0, n_rule=0; char replace_with[TFE_SYMBOL_MAX]={0}; @@ -2089,7 +2211,7 @@ static int http_regex_replace(const struct tfe_stream * stream, char *message, i { rule[n_rule].zone = kZoneRequestUri; rule[n_rule].find = tfe_strdup("{{tsg_policy_id}}"); - snprintf(replace_with, TFE_SYMBOL_MAX, "%d", profile_id); + snprintf(replace_with, TFE_SYMBOL_MAX, "%s", profile_id_str); rule[n_rule].replace_with = tfe_strdup(replace_with); n_rule++; } 
@@ -2144,8 +2266,7 @@ static void http_redirect(const struct tfe_stream * stream, const struct tfe_htt } ctx->manipulate_replaced = 1; if (resp_code <= 0 || rd_url == NULL){ - TFE_LOG_ERROR(g_proxy_rt->local_logger, "Invalid redirect rule %lld paramter", - ctx->enforce_rules[0].config_id); + TFE_LOG_ERROR(g_proxy_rt->local_logger, "Invalid redirect rule %s paramter", ctx->enforce_rules[0].config_uuid_string); goto error_out; } @@ -2166,7 +2287,7 @@ static void http_redirect(const struct tfe_stream * stream, const struct tfe_htt response = tfe_http_session_response_create(to_write, resp_code); - rewrite_uri_sz = http_regex_replace(stream, rd_url, ctx->enforce_rules[0].config_id, &rewrite_uri); + rewrite_uri_sz = http_regex_replace(stream, rd_url, ctx->enforce_rules[0].config_uuid_string, &rewrite_uri); if(rewrite_uri_sz>0 && rewrite_uri!= NULL) { tfe_http_std_field_write(response, TFE_HTTP_LOCATION, rewrite_uri); @@ -2200,11 +2321,10 @@ static void http_block(const struct tfe_stream * stream, const struct tfe_http_s struct policy_action_param *param = ctx->param; int resp_code = param->status_code; - int profile_id = param->profile_id; char *message = param->message; - if (profile_id < 0){ - TFE_LOG_ERROR(g_proxy_rt->local_logger, "Invalid block rule %lld", ctx->enforce_rules[0].config_id); + if (param->profile_uuid_str< 0){ + TFE_LOG_ERROR(g_proxy_rt->local_logger, "Invalid block rule %s", ctx->enforce_rules[0].config_uuid_string); ctx->action = PX_ACTION_NONE; return; } 
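Review bot: `if (param->profile_uuid_str< 0)` compares a `char *` against the integer 0 with `<`, which compilers flag as an ordered pointer/integer comparison and which is never true, so the guard that used to catch a missing profile is dead and a rule without one proceeds into `html_generate` → `get_profile_by_id` → `strlen(NULL)`. Use the same test http_hijack uses a few hunks down: `if (param->profile_uuid_str == NULL)`. If a block rule with a bare `message` and no response-page profile is meant to be valid (the `ret != 0` path after `html_generate` already falls back to `message`), then instead make `get_profile_by_id` return NULL for a NULL key so that fallback is taken rather than crashing. http_block continues past this hunk.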
@@ -2215,10 +2335,10 @@ static void http_block(const struct tfe_stream * stream, const struct tfe_http_s to_write_sess = tfe_http_session_allow_write(session); response = tfe_http_session_response_create(to_write_sess, resp_code); - ret = html_generate(profile_id, message, &page_buff, &page_size); + ret = html_generate(param->profile_uuid_str, message, &page_buff, &page_size); if (ret != 0) { - rewrite_message_sz = http_regex_replace(stream, message, ctx->enforce_rules[0].config_id, &rewrite_message); + rewrite_message_sz = http_regex_replace(stream, message, ctx->enforce_rules[0].config_uuid_string, &rewrite_message); if(rewrite_message_sz>0 && rewrite_message!= NULL) { message = rewrite_message; @@ -2258,10 +2378,9 @@ static void http_hijack(const struct tfe_http_session * session, enum tfe_http_e struct tfe_http_half * response = NULL; struct tfe_http_session * to_write_sess = NULL; - if (param->profile_id <= 0) + if (param->profile_uuid_str == NULL) { - TFE_LOG_ERROR(g_proxy_rt->local_logger, "Invalid hijack rule %lld", - ctx->enforce_rules[0].config_id); + TFE_LOG_ERROR(g_proxy_rt->local_logger, "Invalid hijack rule %s", ctx->enforce_rules[0].config_uuid_string); ctx->action = PX_ACTION_NONE; return; } @@ -2280,10 +2399,10 @@ static void http_hijack(const struct tfe_http_session * session, enum tfe_http_e if(events & EV_HTTP_RESP_HDR) { - struct manipulate_profile* hijack_profile=get_profile_by_id(POLICY_PROFILE_TABLE_HIJACK, param->profile_id); + struct manipulate_profile* hijack_profile=get_profile_by_id("PXY_PROFILE_HIJACK_FILES", param->profile_uuid_str); if (NULL == hijack_profile) { - TFE_LOG_ERROR(g_proxy_rt->local_logger, "get table obj faild, profile_id = %d", param->profile_id); + TFE_LOG_ERROR(g_proxy_rt->local_logger, "get table obj faild, profile_id = %s", param->profile_uuid_str); ctx->action = PX_ACTION_NONE; return; } 
@@ -2299,7 +2418,7 @@ static void http_hijack(const struct tfe_http_session * session, enum tfe_http_e if (try_send_by_token(hijack_size) <= 0) { FREE(&hijack_buff); - TFE_LOG_ERROR(g_proxy_rt->local_logger, "No token is available to send data, profile_id = %d", param->profile_id); + TFE_LOG_ERROR(g_proxy_rt->local_logger, "No token is available to send data, profile_id = %s", param->profile_uuid_str); ctx->action = PX_ACTION_NONE; return; } @@ -2346,11 +2465,11 @@ static void http_hijack(const struct tfe_http_session * session, enum tfe_http_e return; } -static int format_insert_rule(int profile_id, struct insert_rule *rule) +static int format_insert_rule(char *profile_uuid, struct insert_rule *rule) { int ret = 0; - struct manipulate_profile* insert_profile=get_profile_by_id(POLICY_PROFILE_TABLE_INSERT, profile_id); + struct manipulate_profile* insert_profile=get_profile_by_id("PXY_PROFILE_INSERT_SCRIPTS", profile_uuid); if(insert_profile==NULL) { ret=-1; @@ -2398,16 +2517,16 @@ static void http_insert(const struct tfe_stream * stream, const struct tfe_http_ { ctx->ins_ctx = ins_ctx = ALLOC(struct insert_ctx, 1); ins_ctx->rule = ALLOC(struct insert_rule, 1); - int ret=format_insert_rule(param->profile_id, ins_ctx->rule); + int ret=format_insert_rule(param->profile_uuid_str, ins_ctx->rule); if (ret<0) { - TFE_LOG_ERROR(g_proxy_rt->local_logger, "Failed to get policy table, profile_id = %d", param->profile_id); + TFE_LOG_ERROR(g_proxy_rt->local_logger, "Failed to get policy table, profile_id = %s", param->profile_uuid_str); ctx->action = PX_ACTION_NONE; return; } if (try_send_by_token(ins_ctx->rule->inject_sz) <= 0) { - TFE_LOG_ERROR(g_proxy_rt->local_logger, "No token is available to send data, profile_id = %d", param->profile_id); + TFE_LOG_ERROR(g_proxy_rt->local_logger, "No token is available to send data, profile_id = %s", param->profile_uuid_str); ctx->action = PX_ACTION_NONE; return; } 
@@ -2636,8 +2755,7 @@ static void http_manipulate(const struct tfe_stream * stream, const struct tfe_h struct policy_action_param *param = ctx->param; if (param == NULL) { - TFE_LOG_ERROR(g_proxy_rt->local_logger, "Failed to get the json format parsed. config_id = %lld", - ctx->enforce_rules[0].config_id); + TFE_LOG_ERROR(g_proxy_rt->local_logger, "Failed to get the json format parsed. config_id = %s",ctx->enforce_rules[0].config_uuid_string); ctx->action = PX_ACTION_NONE; return; } @@ -2698,12 +2816,13 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht const unsigned char * body_frag, size_t frag_size, struct proxy_http_ctx * ctx, const struct tfe_stream * stream) { void * iterator = NULL; + const char *attribute_name=NULL; const char * field_val = NULL; struct http_field_name field_name; struct tfe_http_half * http_half; - long long *result = ctx->result; + uuid_t *result = ctx->result; char buff[TFE_STRING_MAX], * p = NULL; - int scan_ret = 0, table_id = 0; + int scan_ret = 0; size_t n_hit_result=0; size_t hit_cnt = ctx->hit_cnt, i = 0; 
@@ -2713,20 +2832,20 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht int str_host_length = get_fqdn_len(str_host); if (str_host != NULL && str_host_length != 0) { - scan_ret = maat_scan_string(g_proxy_rt->feather, g_proxy_rt->scan_table_id[PXY_CTRL_HTTP_FQDN], - str_host, str_host_length, result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid); + scan_ret = maat_scan_string(g_proxy_rt->feather, "TSG_OBJ_FQDN", "ATTR_SERVER_FQDN", str_host, str_host_length, + result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid); if (scan_ret == MAAT_SCAN_HIT) { hit_cnt += n_hit_result; } - scan_ret = maat_scan_not_logic(g_proxy_rt->feather, g_proxy_rt->scan_table_id[PXY_CTRL_HTTP_FQDN], + scan_ret = maat_scan_not_logic(g_proxy_rt->feather, "TSG_OBJ_FQDN", "ATTR_SERVER_FQDN", result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid); if (scan_ret == MAAT_SCAN_HIT) { hit_cnt += n_hit_result; } - scan_ret = tfe_scan_fqdn_tags(stream, result, ctx->scan_mid, hit_cnt, g_proxy_rt->scan_table_id[PXY_CTRL_HTTP_FQDN], g_proxy_rt->local_logger); + scan_ret = tfe_scan_fqdn_tags(stream, result, ctx->scan_mid, hit_cnt, g_proxy_rt->local_logger); if (scan_ret > 0) { hit_cnt += scan_ret; 
@@ -2735,14 +2854,14 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht const char * str_url = session->req->req_spec.url; int str_url_length = (int) (strlen(session->req->req_spec.url)); - scan_ret = maat_scan_string(g_proxy_rt->feather, g_proxy_rt->scan_table_id[PXY_CTRL_HTTP_URL], - str_url, str_url_length, result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid); + scan_ret = maat_scan_string(g_proxy_rt->feather, "TSG_OBJ_URL", "ATTR_HTTP_URL", str_url, str_url_length, + result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid); if (scan_ret == MAAT_SCAN_HIT) { hit_cnt += n_hit_result; } - scan_ret = maat_scan_not_logic(g_proxy_rt->feather, g_proxy_rt->scan_table_id[PXY_CTRL_HTTP_URL], + scan_ret = maat_scan_not_logic(g_proxy_rt->feather, "TSG_OBJ_URL", "ATTR_HTTP_URL", result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid); if (scan_ret == MAAT_SCAN_HIT) { @@ -2752,8 +2871,8 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht if ((events & EV_HTTP_REQ_HDR) || (events & EV_HTTP_RESP_HDR)) { - table_id = events & EV_HTTP_REQ_HDR ? g_proxy_rt->scan_table_id[PXY_CTRL_HTTP_REQ_HDR] : g_proxy_rt - ->scan_table_id[PXY_CTRL_HTTP_RES_HDR]; + attribute_name= events & EV_HTTP_REQ_HDR ? "ATTR_HTTP_REQ_HDR" : "ATTR_HTTP_RES_HDR"; + http_half = events & EV_HTTP_REQ_HDR ? session->req : session->resp; while (hit_cnt < MAX_SCAN_RESULT) { 
@@ -2763,18 +2882,15 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht break; } - const char * str_field_name = http_field_name_to_string(&field_name); - scan_ret = maat_state_set_scan_district(ctx->scan_mid, table_id, str_field_name, strlen(str_field_name)); - assert(scan_ret == 0); - scan_ret = maat_scan_string(g_proxy_rt->feather, table_id, field_val, strlen(field_val), - result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid); + scan_ret = maat_scan_string(g_proxy_rt->feather, "TSG_OBJ_KEYWORDS", attribute_name, field_val, strlen(field_val), + result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid); if (scan_ret == MAAT_SCAN_HIT) { hit_cnt += n_hit_result; } } - scan_ret = maat_scan_not_logic(g_proxy_rt->feather, table_id, result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, - &n_hit_result, ctx->scan_mid); + scan_ret = maat_scan_not_logic(g_proxy_rt->feather, "TSG_OBJ_KEYWORDS", attribute_name, result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, + &n_hit_result, ctx->scan_mid); if (scan_ret == MAAT_SCAN_HIT) { hit_cnt += n_hit_result; @@ -2784,12 +2900,11 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht if ((events & EV_HTTP_REQ_BODY_BEGIN) | (events & EV_HTTP_RESP_BODY_BEGIN)) { assert(ctx->sp == NULL); - table_id = events & EV_HTTP_REQ_BODY_BEGIN ? g_proxy_rt->scan_table_id[PXY_CTRL_HTTP_REQ_BODY] : g_proxy_rt - ->scan_table_id[PXY_CTRL_HTTP_RES_BODY]; - ctx->sp = maat_stream_new(g_proxy_rt->feather, table_id, ctx->scan_mid); + attribute_name = events & EV_HTTP_REQ_BODY_BEGIN ? "ATTR_HTTP_REQ_BODY" : "ATTR_HTTP_RES_BODY"; + ctx->sp = maat_stream_new(g_proxy_rt->feather, "TSG_OBJ_KEYWORDS", attribute_name, ctx->scan_mid); } - const unsigned char *scan_body_frag=NULL; size_t scan_len=0; + const unsigned char *scan_body_frag=NULL; size_t scan_len=0; if (body_frag != NULL) { scan_body_frag = body_frag; 
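Review bot: The per-header scan district is gone: the old loop called `maat_state_set_scan_district(ctx->scan_mid, table_id, str_field_name, ...)` before scanning each header value, which let a keyword rule be bound to a specific header name, while the new loop scans every value under the single attribute `ATTR_HTTP_REQ_HDR`/`ATTR_HTTP_RES_HDR` with no field name passed anywhere. Unless the new maat interface derives the district some other way, rules written against one header (a User-Agent or Cookie pattern, say) will now match in any header or in none, which changes both false-positive and bypass behaviour for header policies. If the header name is intentionally no longer part of the match, state that next to the loop, e.g. `/* header name is not part of the match: rules apply to any header value */`; otherwise it needs to be passed through the new API. http_scan begins before and ends after this hunk.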
@@ -2798,7 +2913,7 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht scan_len = (scan_body_frag + MAX_SCAN_DATA_SIZE < body_frag + frag_size) ? MAX_SCAN_DATA_SIZE : (body_frag + frag_size - scan_body_frag); scan_ret = maat_stream_scan(ctx->sp, (const char *)scan_body_frag, scan_len, - result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid); + result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid); if (scan_ret == MAAT_SCAN_HIT) { hit_cnt += n_hit_result; @@ -2809,9 +2924,8 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht if ((events & EV_HTTP_REQ_BODY_END) | (events & EV_HTTP_RESP_BODY_END)) { - table_id = events & EV_HTTP_REQ_BODY_END ? g_proxy_rt->scan_table_id[PXY_CTRL_HTTP_REQ_BODY] : g_proxy_rt - ->scan_table_id[PXY_CTRL_HTTP_RES_BODY]; - scan_ret = maat_scan_not_logic(g_proxy_rt->feather, table_id, result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, + attribute_name = events & EV_HTTP_REQ_BODY_END ? "ATTR_HTTP_REQ_BODY" : "ATTR_HTTP_RES_BODY"; + scan_ret = maat_scan_not_logic(g_proxy_rt->feather, "TSG_OBJ_KEYWORDS", "attribute_name", result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid); if (scan_ret == MAAT_SCAN_HIT) { @@ -2826,8 +2940,8 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht ctx->action = decide_ctrl_action(result, hit_cnt, &ctx->enforce_rules, &ctx->n_enforce, &ctx->param); if (ctx->action == PX_ACTION_WHITELIST) { - TFE_LOG_INFO(g_proxy_rt->local_logger, "Bypass rules matched: url=%s policy id=%lld.", - session->req->req_spec.url, ctx->enforce_rules[0].config_id); + TFE_LOG_INFO(g_proxy_rt->local_logger, "Bypass rules matched: url=%s policy id=%s.", + session->req->req_spec.url, ctx->enforce_rules[0].config_uuid_string); goto __out; } if (hit_cnt > 1) 
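Review bot: The body-end NOT-logic scan passes the string literal `"attribute_name"` instead of the variable `attribute_name` that was assigned on the line just before it, so `maat_scan_not_logic` is queried for a non-existent attribute and negated body conditions are never evaluated when a request or response body ends — rules that depend on a NOT clause over the body silently never fire, which is a policy bypass rather than a crash (unless maat treats an unknown attribute as an error, in which case the scan simply fails every time). The same call at header time and the `maat_stream_new` at body start use the variable correctly. Change the line to `scan_ret = maat_scan_not_logic(g_proxy_rt->feather, "TSG_OBJ_KEYWORDS", attribute_name, result + hit_cnt, MAX_SCAN_RESULT - hit_cnt,`. http_scan continues outside this hunk.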
@@ -2835,13 +2949,15 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht p = buff; for (i = 0; i < hit_cnt && i<MAX_SCAN_RESULT; i++) { - p += snprintf(p, sizeof(buff) - (p - buff), "%lld:", result[i]); + char result_uuid_string[UUID_STRING_SIZE]={0}; + uuid_unparse(result[i], result_uuid_string); + p += snprintf(p, sizeof(buff) - (p - buff), "%s:", result_uuid_string); } *p = '\0'; - TFE_LOG_INFO(g_proxy_rt->local_logger, "Multiple rules matched: url=%s num=%lu ids=%s execute=%lld.", - session->req->req_spec.url, hit_cnt, buff, ctx->enforce_rules[0].config_id); + TFE_LOG_INFO(g_proxy_rt->local_logger, "Multiple rules matched: url=%s num=%lu ids=%s execute=%s.", + session->req->req_spec.url, hit_cnt, buff, ctx->enforce_rules[0].config_uuid_string); } ctx->hit_cnt=0; } @@ -2898,7 +3014,7 @@ void enforce_control_policy(const struct tfe_stream * stream, const struct tfe_h evbuffer_add(ctx->log_resp_body, body_frag, frag_size); } - if((((ctx_actually_replaced(ctx)) || (ctx_actually_inserted(ctx)) || (ctx_actually_edited(ctx)) || (ctx_actually_manipulate(ctx)) + if((((ctx_actually_replaced(ctx)) || (ctx_actually_inserted(ctx)) || (ctx_actually_edited(ctx)) || (ctx_actually_manipulate(ctx)) || ctx_actually_ran_script(ctx)) || ctx->action == PX_ACTION_REJECT || (ctx->action == PX_ACTION_MONIT))) { proxy_send_metric_log(stream, ctx, thread_id, 1); 
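Review bot: The multi-hit log loop can now overrun `buff`: each entry grew from an `%lld` to a 36-character UUID plus `:`, `p += snprintf(...)` advances by the length snprintf *wanted* to write even when it truncated, and once `p - buff` exceeds `sizeof(buff)` the size argument `sizeof(buff) - (p - buff)` wraps to a huge `size_t`, after which later iterations write past the stack array and the final `*p = '\0'` writes out of bounds. Whether this is reachable depends on `TFE_STRING_MAX` versus `MAX_SCAN_RESULT * 37`, neither of which is visible here, but the loop should stop on truncation regardless. Track the used length and bail out when snprintf reports truncation; snprintf already NUL-terminates, so the trailing `*p = '\0'` can go. http_scan continues outside this hunk.
```c
size_t used = 0;
for (i = 0; i < hit_cnt && i < MAX_SCAN_RESULT; i++)
{
    char result_uuid_string[UUID_STRING_SIZE] = {0};
    uuid_unparse(result[i], result_uuid_string);
    int w = snprintf(buff + used, sizeof(buff) - used, "%s:", result_uuid_string);
    if (w < 0 || (size_t)w >= sizeof(buff) - used)
    {
        break; /* truncated: buff is already NUL-terminated, stop appending */
    }
    used += (size_t)w;
}
/* … unchanged: TFE_LOG_INFO "Multiple rules matched" … */
```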
@@ -2921,28 +3037,27 @@ void proxy_on_http_begin(const struct tfe_stream *stream, const struct tfe_http_ assert(ctx == NULL); ATOMIC_INC(&(g_proxy_rt->stat_val[STAT_SESSION])); ctx = proxy_http_ctx_new(thread_id); - long long *result = ctx->result; - scan_ret = tfe_scan_subscribe_id(stream, result, ctx->scan_mid, hit_cnt, g_proxy_rt->local_logger); + scan_ret = tfe_scan_subscribe_id(stream, ctx->result, ctx->scan_mid, hit_cnt, g_proxy_rt->local_logger); if(scan_ret>0) { hit_cnt += scan_ret; } - scan_ret = tfe_scan_ip_tags(stream, result, ctx->scan_mid, hit_cnt, g_proxy_rt->local_logger); + scan_ret = tfe_scan_ip_tags(stream, ctx->result, ctx->scan_mid, hit_cnt, g_proxy_rt->local_logger); if(scan_ret>0) { hit_cnt += scan_ret; } long long app_id=67; - scan_ret = tfe_scan_app_id(result, ctx->scan_mid, hit_cnt, app_id, g_proxy_rt->scan_table_id[PXY_CTRL_APP_ID]); + scan_ret = tfe_scan_app_id(ctx->result, ctx->scan_mid, hit_cnt, app_id); if(scan_ret > 0) { hit_cnt += scan_ret; } - - scan_ret = tfe_scan_device(stream, result, ctx->scan_mid, hit_cnt, g_proxy_rt->local_logger); + + scan_ret = tfe_scan_device(stream, ctx->result, ctx->scan_mid, hit_cnt, g_proxy_rt->local_logger); if(scan_ret > 0) { hit_cnt += scan_ret; @@ -2951,12 +3066,12 @@ void proxy_on_http_begin(const struct tfe_stream *stream, const struct tfe_http_ addr_tfe2sapp(stream->addr, &sapp_addr); if (sapp_addr.addrtype == ADDR_TYPE_IPV4) { - scan_ret = tfe_scan_ipv4_addr(stream, result, ctx->scan_mid, hit_cnt, sapp_addr); + scan_ret = tfe_scan_ipv4_addr(stream, ctx->result, ctx->scan_mid, hit_cnt, sapp_addr); if (scan_ret > 0) { hit_cnt += scan_ret; } - scan_ret = tfe_scan_port(stream, result, ctx->scan_mid, hit_cnt, sapp_addr.v4->source, sapp_addr.v4->dest); + scan_ret = tfe_scan_port(stream, ctx->result, ctx->scan_mid, hit_cnt, sapp_addr.v4->source, sapp_addr.v4->dest); if(scan_ret > 0) { hit_cnt += scan_ret; 
@@ -2964,12 +3079,12 @@ void proxy_on_http_begin(const struct tfe_stream *stream, const struct tfe_http_ } if (sapp_addr.addrtype == ADDR_TYPE_IPV6) { - scan_ret = tfe_scan_ipv6_addr(stream, result, ctx->scan_mid, hit_cnt, sapp_addr); + scan_ret = tfe_scan_ipv6_addr(stream, ctx->result, ctx->scan_mid, hit_cnt, sapp_addr); if (scan_ret > 0) { hit_cnt += scan_ret; } - scan_ret = tfe_scan_port(stream, result, ctx->scan_mid, hit_cnt, sapp_addr.v6->source, sapp_addr.v6->dest); + scan_ret = tfe_scan_port(stream, ctx->result, ctx->scan_mid, hit_cnt, sapp_addr.v6->source, sapp_addr.v6->dest); if(scan_ret > 0) { hit_cnt += scan_ret; |
