| author | liuxueli <[email protected]> | 2023-02-23 10:59:04 +0800 |
|---|---|---|
| committer | liuxueli <[email protected]> | 2023-02-23 11:04:00 +0800 |
| commit | 4ba6f096a143671ee97f0326a0620c86eaceb543 (patch) | |
| tree | 5fe5026bf1f02d7d34de5e93a186c7a8f1c695e1 | |
| parent | 06647224445664907b49fbc9dcdc08bc7dbe430e (diff) | |
TSG-13934: 扫描APP命中monitor策略后,扫描IP+APP命中intercept策略,未正常执行intercept动作v5.10.6
| -rw-r--r-- | src/tsg_action.cpp | 4 | ||||
| -rw-r--r-- | src/tsg_entry.cpp | 56 | ||||
| -rw-r--r-- | src/tsg_send_log.cpp | 13 | ||||
| -rw-r--r-- | test/src/gtest_master.cpp | 94 |
4 files changed, 145 insertions, 22 deletions
diff --git a/src/tsg_action.cpp b/src/tsg_action.cpp
index ed58b9c..59ac035 100644
--- a/src/tsg_action.cpp
+++ b/src/tsg_action.cpp
@@ -941,7 +941,7 @@ unsigned char tsg_deny_application(const struct streaminfo *a_stream, Maat_rule_
 {
 unsigned char state=0;
 char app_id_buff[32]={0};
- struct app_id_dict *dict=NULL;
+ struct app_id_dict *dict=NULL;
 struct compile_user_region app_user_region={0}, *user_region=NULL;
 snprintf(app_id_buff, sizeof(app_id_buff), "%d", app_id);
@@ -955,7 +955,7 @@ unsigned char tsg_deny_application(const struct streaminfo *a_stream, Maat_rule_
 user_region=(struct compile_user_region *)Maat_rule_get_ex_data(g_tsg_maat_feather, p_result, g_tsg_para.table_id[TABLE_SECURITY_COMPILE]);
 if(user_region!=NULL)
 {
- app_user_region.capture=user_region->capture;
+ app_user_region.capture=user_region->capture;
 security_compile_free(g_tsg_para.table_id[TABLE_SECURITY_COMPILE], p_result, NULL, (MAAT_RULE_EX_DATA *)&user_region, 0, NULL);
 }
diff --git a/src/tsg_entry.cpp b/src/tsg_entry.cpp
index a83c5f7..5fdb4e5 100644
--- a/src/tsg_entry.cpp
+++ b/src/tsg_entry.cpp
@@ -1240,7 +1240,7 @@ int set_log_field_to_project(const struct streaminfo * a_stream, char *domain, v
 return 0;
 }
-static void set_security_result_to_project(const struct streaminfo *a_stream, struct Maat_rule_t *p_result, int p_result_num, PULL_RESULT_TYPE result_type, int thread_seq)
+void set_security_result_to_project(const struct streaminfo *a_stream, struct Maat_rule_t *p_result, int p_result_num, PULL_RESULT_TYPE result_type, int thread_seq)
 {
 if(p_result==NULL || p_result_num==0)
 {
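Review bot: Dropping `static` from set_security_result_to_project gives it external linkage only so the test can call it, but no header declaration is added; the test translation unit re-declares the prototype by hand (`extern void set_security_result_to_project(...)`) and the two copies have to be kept in sync manually. Put the prototype in the module header (or a test-only header that both files include) so there is a single declaration, or keep the function `static` and drive it through tsg_notify_hited_security_result as the existing tests do. The function body continues past the hunk.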
@@ -1252,6 +1252,7 @@ static void set_security_result_to_project(const struct streaminfo *a_stream, st
 {
 priority_label=(struct policy_priority_label *)dictator_malloc(thread_seq, sizeof(struct policy_priority_label));
 memset(priority_label, 0, sizeof(struct policy_priority_label));
+ priority_label->result_type=result_type;
 int ret=tsg_set_xxx_to_bridge((struct streaminfo *)a_stream, g_tsg_para.bridge[BRIDGE_TYPE_POLICY_PRIORITY].id, (void *)priority_label);
 if(ret<0)
@@ -1259,6 +1260,21 @@ static void set_security_result_to_project(const struct streaminfo *a_stream, st
 free_policy_label(a_stream, g_tsg_para.bridge[BRIDGE_TYPE_POLICY_PRIORITY].id, (void *)priority_label);
 }
 }
+
+ if(priority_label->result_type!=result_type)
+ {
+ if(p_result[0].action<priority_label->security_result[0].action)
+ {
+ return ;
+ }
+
+ if(p_result[0].action>priority_label->security_result[0].action)
+ {
+ priority_label->security_result_num=0;
+ }
+
+ priority_label->result_type=result_type;
+ }
 int num=MIN(MAX_RESULT_NUM-priority_label->security_result_num, p_result_num);
 for(int i=0; i<num; i++)
@@ -1818,13 +1834,18 @@ static unsigned char master_deal_scan_result(const struct streaminfo *a_stream,
 struct Maat_rule_t security_result[MAX_RESULT_NUM]={0};
 int security_result_num=tsg_fetch_hited_security_result(result, hit_num, security_result, MAX_RESULT_NUM);
- p_result=tsg_policy_decision_criteria(security_result, hit_num);
+ p_result=tsg_policy_decision_criteria(security_result, security_result_num);
 if(p_result!=NULL)
 {
 print_hit_path(a_stream, context);
 switch((unsigned char)p_result->action)
 {
 case TSG_ACTION_DENY:
+ if(context->proto==PROTO_DNS) /* deal action of deny in firewall */
+ {
+ break;
+ }
+
 if(is_deny_application(p_result))
 {
 if(context->hited_para.hited_app_id==0)
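Review bot: The new `result_type` mismatch block reads `priority_label->security_result[0].action` without checking `priority_label->security_result_num>0`; a label that exists with no stored result would be compared against a zeroed or stale entry, and the `return ;` could silently discard the incoming result. Guard it: `if(priority_label->security_result_num>0 && p_result[0].action<priority_label->security_result[0].action) return;`. The `<`/`>` tests also depend on the numeric order of the TSG_ACTION_* values encoding priority (monitor below intercept), which nothing here states; a comment such as `/* larger TSG_ACTION_* value wins: a later intercept replaces a stored monitor, a later monitor never downgrades an intercept */` would record the contract the commit title relies on. Separately, the `if(ret<0)` block whose head is outside the hunk calls free_policy_label and appears to fall through into this new dereference of priority_label; if the hidden lines contain no `return;`, that path reads freed memory and needs one right after the free.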
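Review bot: The added `if(context->proto==PROTO_DNS) { break; }` under TSG_ACTION_DENY exits the switch with `state` unchanged and records nothing about the deny in this function, on the assumption that the firewall side enforces it; nothing in this hunk publishes the result to that side, so if the firewall path does not pull it the DNS deny degrades to a pass. The one-line comment should name the handoff, e.g. `/* DNS deny is enforced by the firewall, which pulls the decision over the policy bridge; do not act on it here */`, and it is worth confirming that the result reaches that bridge before the `break` (presumably via the result set up elsewhere in this function). master_deal_scan_result starts and ends outside the hunk.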
@@ -1867,7 +1888,6 @@ static unsigned char master_deal_scan_result(const struct streaminfo *a_stream,
 context->is_hited_allow=1;
 context->hited_result=(struct Maat_rule_t *)dictator_malloc(1, sizeof(struct Maat_rule_t));
 memcpy(context->hited_result, p_result, sizeof(struct Maat_rule_t));
- //set_security_result_to_project(a_stream, p_result, 1, PULL_FW_RESULT, a_stream->threadnum);
 FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_BYPASS], 0, FS_OP_ADD, 1);
 state=APP_STATE_GIVEME|APP_STATE_KILL_OTHER;
@@ -1993,6 +2013,11 @@ int session_flags_identify_result_cb(const struct streaminfo *a_stream, int brid
 context->session_flag=*(unsigned long *)(data);
 set_session_attribute_label(a_stream, TSG_ATTRIBUTE_TYPE_SESSION_FLAGS, data, sizeof(unsigned long), a_stream->threadnum);
+ if(context->mid==NULL)
+ {
+ return 0;
+ }
+
 int hit_num=tsg_scan_session_flags(g_tsg_maat_feather, a_stream, scan_result, MAX_RESULT_NUM, &context->mid, g_tsg_para.table_id[TABLE_SESSION_FLAGS], context->session_flag, a_stream->threadnum);
 context->sync_cb_state=master_deal_scan_result(a_stream, context, scan_result, hit_num, NULL);
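Review bot: The new `if(context->mid==NULL) return 0;` in session_flags_identify_result_cb skips the session-flag scan and leaves `context->sync_cb_state` untouched, so for that stream the TABLE_SESSION_FLAGS policies are never evaluated; read on its own the guard looks like a fail-open shortcut rather than a deliberate "stream already decided" exit. State the invariant in place, e.g. `/* mid==NULL: the match context has already been released (stream finished or killed), nothing left to scan */`, and if that is not actually the reason a NULL mid should probably be treated as a denied rather than an unscanned stream. The check also sits after set_session_attribute_label, so the attribute is still recorded for a stream that gets no policy evaluation; confirm that ordering is intended. The callback's head and tail are outside the hunk.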
@@ -2018,25 +2043,25 @@ static int deal_pending_state(const struct streaminfo *a_stream, struct master_c
 }
 int table_id=get_table_id(context->proto);
- hit_num+=tsg_scan_shared_policy(g_tsg_maat_feather, a_stream, context->domain, result+hit_num, MAX_RESULT_NUM-hit_num, &context->mid, table_id, a_stream->threadnum);
- hit_num+=scan_fqdn_category_id(g_tsg_maat_feather, a_stream, context->domain, result+hit_num, MAX_RESULT_NUM-hit_num, &context->mid, table_id, a_stream->threadnum);
+ hit_num+=tsg_scan_shared_policy(g_tsg_maat_feather, a_stream, context->domain, result+hit_num, result_num-hit_num, &context->mid, table_id, a_stream->threadnum);
+ hit_num+=scan_fqdn_category_id(g_tsg_maat_feather, a_stream, context->domain, result+hit_num, result_num-hit_num, &context->mid, table_id, a_stream->threadnum);
 if(context->is_esni)
 {
 unsigned int protocol_id=tsg_l7_protocol_name2id("ESNI");
- hit_num+=tsg_scan_app_id_policy(g_tsg_maat_feather, a_stream, result+hit_num, MAX_RESULT_NUM-hit_num, &context->mid, (char *)"ESNI", protocol_id, a_stream->threadnum);
+ hit_num+=tsg_scan_app_id_policy(g_tsg_maat_feather, a_stream, result+hit_num, result_num-hit_num, &context->mid, (char *)"ESNI", protocol_id, a_stream->threadnum);
 }
 if(context->proto==PROTO_HTTP && context->http_url!=NULL)
 {
- hit_num+=tsg_scan_shared_policy(g_tsg_maat_feather, a_stream, context->http_url, result+hit_num, MAX_RESULT_NUM-hit_num, &context->mid, g_tsg_para.table_id[TABLE_HTTP_URL], a_stream->threadnum);
+ hit_num+=tsg_scan_shared_policy(g_tsg_maat_feather, a_stream, context->http_url, result+hit_num, result_num-hit_num, &context->mid, g_tsg_para.table_id[TABLE_HTTP_URL], a_stream->threadnum);
 }
 }
- ret=tsg_scan_nesting_addr(g_tsg_maat_feather, a_stream, context->proto, &context->mid, result+hit_num, MAX_RESULT_NUM-hit_num);
+ ret=tsg_scan_nesting_addr(g_tsg_maat_feather, a_stream, context->proto, &context->mid, result+hit_num, result_num-hit_num);
 if(ret>0)
 {
 hit_num+=ret;
- 
FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_HIT_ADDR], 0, FS_OP_ADD, 1);
+ FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_HIT_ADDR], 0, FS_OP_ADD, 1);
 }
 struct gather_app_result *gather_result=(struct gather_app_result *)tsg_get_xxx_from_bridge(a_stream, g_tsg_para.bridge[BRIDGE_TYPE_GATHER_APP_RESULT].id);
@@ -2046,9 +2071,10 @@ static int deal_pending_state(const struct streaminfo *a_stream, struct master_c
 {
 continue;
 }
- hit_num+=scan_application_id_and_properties(a_stream, result+hit_num, MAX_RESULT_NUM-hit_num, context, &(gather_result[i]), a_stream->threadnum);
+ hit_num+=scan_application_id_and_properties(a_stream, result+hit_num, result_num-hit_num, context, &(gather_result[i]), a_stream->threadnum);
 }
-
+
+ hit_num+=tsg_scan_session_flags(g_tsg_maat_feather, a_stream, result+hit_num, result_num-hit_num, &context->mid, g_tsg_para.table_id[TABLE_SESSION_FLAGS], context->session_flag, a_stream->threadnum);
 if((is_only_monitor(result, hit_num)) && context->proto==PROTO_DNS) // business deal action of monitor
 {
@@ -2062,7 +2088,7 @@ static unsigned char tsg_master_data_entry(const struct streaminfo *a_stream, vo
 {
 int i=0,ret=0,hit_num=0;
 unsigned char state=APP_STATE_GIVEME;
- Maat_rule_t hited_result[MAX_RESULT_NUM];
+ Maat_rule_t hited_result[MAX_TSG_ALL_RESULT_NUM];
 struct gather_app_result *gather_result=NULL;
 struct master_context *context=(struct master_context *)*pme;
 struct app_identify_result unknown_result;
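Review bot: Switching the capacity argument from `MAX_RESULT_NUM-hit_num` to `result_num-hit_num` is the right bound for a buffer the caller passes in, but the function now relies on every scanner returning at most the capacity it was given and never a negative value: `hit_num+=tsg_scan_shared_policy(...)` and the neighbouring calls add the return blindly, while only tsg_scan_nesting_addr is wrapped in `if(ret>0)`. If any of these helpers can report an error as a negative count (not visible from here), `hit_num` goes backwards and `result+hit_num` moves outside the caller's buffer. Either apply the same `if(ret>0)` pattern to each call, or add one clamp before the later scans, `if(hit_num<0 || hit_num>=result_num) return hit_num;`. deal_pending_state begins before this hunk.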
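Review bot: The new `hit_num+=tsg_scan_session_flags(...)` in deal_pending_state means the TABLE_SESSION_FLAGS table is now scanned here as well as in session_flags_identify_result_cb and in tsg_master_data_entry, all writing into results that end up in the same policy_priority_label; unless the fetch/decision layer de-duplicates by config_id, one session-flag rule can be notified and logged more than once for a single stream. Confirm that the existing SecurityDuplicatePolicyMultipleNotify behaviour covers this path, and document why a third scan site is needed, e.g. `/* re-evaluate session flags here so a flag learned before the pending scan is not lost */`. The enclosing function continues outside the hunk.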
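Review bot: `Maat_rule_t hited_result[MAX_TSG_ALL_RESULT_NUM];` enlarges a per-packet stack array without initialising it, whereas the sibling `security_result[MAX_RESULT_NUM]={0}` in master_deal_scan_result is zeroed; any consumer that walks past the count a scanner reports reads stack garbage. Initialise it (`Maat_rule_t hited_result[MAX_TSG_ALL_RESULT_NUM]={0};`) or note why the scanners' return counts make that unnecessary. The size of Maat_rule_t is not visible here, so it is also worth checking the resulting frame size against the stack budget of this hot path. tsg_master_data_entry runs well past the hunk.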
@@ -2095,7 +2121,7 @@ static unsigned char tsg_master_data_entry(const struct streaminfo *a_stream, vo
 FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_UDP_LINKS], 0, FS_OP_ADD, 1);
 }
- hit_num+=deal_pending_state(a_stream, context, hited_result+hit_num, MAX_RESULT_NUM-hit_num, a_packet);
+ hit_num+=deal_pending_state(a_stream, context, hited_result+hit_num, MAX_TSG_ALL_RESULT_NUM-hit_num, a_packet);
 state=master_deal_scan_result(a_stream, context, hited_result, hit_num, a_packet);
 context->deal_pkt_num++;
 break;
@@ -2135,7 +2161,7 @@ static unsigned char tsg_master_data_entry(const struct streaminfo *a_stream, vo
 }
 context->last_scan_time=get_current_time_ms();
- ret=tsg_scan_nesting_addr(g_tsg_maat_feather, a_stream, context->proto, &context->mid, hited_result+hit_num, MAX_RESULT_NUM-hit_num);
+ ret=tsg_scan_nesting_addr(g_tsg_maat_feather, a_stream, context->proto, &context->mid, hited_result+hit_num, MAX_TSG_ALL_RESULT_NUM-hit_num);
 if(ret>0)
 {
 hit_num+=ret;
@@ -2156,7 +2182,7 @@ static unsigned char tsg_master_data_entry(const struct streaminfo *a_stream, vo
 hit_num+=tsg_scan_session_flags(g_tsg_maat_feather,
 a_stream,
 hited_result+hit_num,
- MAX_RESULT_NUM-hit_num,
+ MAX_TSG_ALL_RESULT_NUM-hit_num,
 &context->mid,
 g_tsg_para.table_id[TABLE_SESSION_FLAGS],
 context->session_flag,
diff --git a/src/tsg_send_log.cpp b/src/tsg_send_log.cpp
index c0aecc8..8017e81 100644
--- a/src/tsg_send_log.cpp
+++ b/src/tsg_send_log.cpp
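Review bot: After this change `hited_result` can carry up to MAX_TSG_ALL_RESULT_NUM hits, but `master_deal_scan_result(a_stream, context, hited_result, hit_num, a_packet)` still reduces them into `security_result[MAX_RESULT_NUM]` through `tsg_fetch_hited_security_result(result, hit_num, security_result, MAX_RESULT_NUM)`, so any security hits beyond MAX_RESULT_NUM are dropped silently and the two limits are related only by convention. Pin the relationship where the constants are defined, `static_assert(MAX_TSG_ALL_RESULT_NUM>=MAX_RESULT_NUM, "all-result buffer must hold every security result");`, and add a comment at this call site saying which categories of hit are expected to use the extra headroom. The function's switch arms continue outside the hunk.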
@@ -2226,14 +2226,17 @@ int tsg_send_log(struct tsg_log_instance_t *instance, struct TLD_handle_t *handl
 send_log(_instance, _handle, log_msg->a_stream, log_msg->result, log_msg->result_num, thread_id);
 //fetch firewall result
- if(log_msg->result[0].action!=TSG_ACTION_INTERCEPT)
+ if(log_msg->result[0].service_id==2 || log_msg->result[0].service_id==7)
 {
 struct policy_priority_label *priority_label=(struct policy_priority_label *)tsg_get_xxx_from_bridge(log_msg->a_stream, g_tsg_para.bridge[BRIDGE_TYPE_POLICY_PRIORITY].id);
- if((log_msg->result[0].service_id==2 || log_msg->result[0].service_id==7) && priority_label!=NULL && priority_label->security_result_num>0)
+ if(priority_label!=NULL && priority_label->security_result_num>0)
 {
- send_log(_instance, _handle, log_msg->a_stream, priority_label->security_result, priority_label->security_result_num, thread_id);
- free_policy_label(log_msg->a_stream, g_tsg_para.bridge[BRIDGE_TYPE_POLICY_PRIORITY].id, (void *)priority_label);
- tsg_set_xxx_to_bridge(log_msg->a_stream, g_tsg_para.bridge[BRIDGE_TYPE_POLICY_PRIORITY].id, NULL);
+ if(priority_label->security_result[0].action!=TSG_ACTION_INTERCEPT)
+ {
+ send_log(_instance, _handle, log_msg->a_stream, priority_label->security_result, priority_label->security_result_num, thread_id);
+ free_policy_label(log_msg->a_stream, g_tsg_para.bridge[BRIDGE_TYPE_POLICY_PRIORITY].id, (void *)priority_label);
+ tsg_set_xxx_to_bridge(log_msg->a_stream, g_tsg_para.bridge[BRIDGE_TYPE_POLICY_PRIORITY].id, NULL);
+ }
 }
 }
diff --git a/test/src/gtest_master.cpp b/test/src/gtest_master.cpp
index 0a0a38c..8ed6731 100644
--- a/test/src/gtest_master.cpp
+++ b/test/src/gtest_master.cpp
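Review bot: With the condition restructured, a label whose stored action is TSG_ACTION_INTERCEPT is now neither logged nor released here, because `free_policy_label(...)` and `tsg_set_xxx_to_bridge(..., NULL)` moved inside the `!=TSG_ACTION_INTERCEPT` branch; unless another consumer (presumably the intercept path) owns and frees the label in that case, every intercepted stream leaks its policy_priority_label on the bridge. Keep only the `send_log` conditional and hoist the free and bridge reset back out of the inner `if`, or add a comment naming who releases the label when the action is intercept. The gate now rests on the bare literals `service_id==2 || service_id==7`, which were previously secondary; give them names such as `SERVICE_ID_FIREWALL` so the intent is readable. tsg_send_log continues outside the hunk.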
@@ -344,6 +344,100 @@ TEST(TSGMaster, SecurityDuplicatePolicyMultipleNotify)
 EXPECT_EQ(nullptr, stream_bridge_async_data_get(&a_stream, g_tsg_para.bridge[BRIDGE_TYPE_POLICY_PRIORITY].id));
 }
+extern void set_security_result_to_project(const struct streaminfo *a_stream, struct Maat_rule_t *p_result, int p_result_num, PULL_RESULT_TYPE result_type, int thread_seq);
+
+TEST(TSGMaster, SecurityPolicyIntercept)
+{
+ const struct streaminfo a_stream={0};
+ struct Maat_rule_t security_result[MAX_RESULT_NUM]={0};
+ struct identify_info identify_info;
+
+ security_result[1].action=TSG_ACTION_INTERCEPT;
+ security_result[1].config_id=TSG_ACTION_INTERCEPT;
+
+ // Set Intercept
+ set_security_result_to_project((struct streaminfo *)&a_stream, &security_result[1], 1, PULL_KNI_RESULT, 0);
+
+ int ret=tsg_pull_policy_result((struct streaminfo *)&a_stream, PULL_FW_RESULT, &(security_result[2]), 1, &identify_info);
+ EXPECT_EQ(0, ret);
+
+ ret=tsg_pull_policy_result((struct streaminfo *)&a_stream, PULL_KNI_RESULT, &(security_result[2]), 1, &identify_info);
+ EXPECT_EQ(1, ret);
+ EXPECT_EQ(TSG_ACTION_INTERCEPT, security_result[2].action);
+ EXPECT_EQ(TSG_ACTION_INTERCEPT, security_result[2].config_id);
+
+ ret=tsg_pull_policy_result((struct streaminfo *)&a_stream, PULL_ALL_RESULT, &(security_result[2]), 1, &identify_info);
+ EXPECT_EQ(1, ret);
+ EXPECT_EQ(TSG_ACTION_INTERCEPT, security_result[2].action);
+ EXPECT_EQ(TSG_ACTION_INTERCEPT, security_result[2].config_id);
+
+ struct policy_priority_label *priority_label=(struct policy_priority_label *)tsg_get_xxx_from_bridge(&a_stream, g_tsg_para.bridge[BRIDGE_TYPE_POLICY_PRIORITY].id);
+ EXPECT_NE(nullptr, priority_label);
+ EXPECT_EQ(1, priority_label->security_result_num);
+ EXPECT_EQ(TSG_ACTION_INTERCEPT, priority_label->security_result[0].action);
+ EXPECT_EQ(TSG_ACTION_INTERCEPT, priority_label->security_result[0].config_id);
+
+ free_policy_label(&a_stream, g_tsg_para.bridge[BRIDGE_TYPE_POLICY_PRIORITY].id, (void *)priority_label);
+ stream_bridge_async_data_put(&a_stream, g_tsg_para.bridge[BRIDGE_TYPE_POLICY_PRIORITY].id, NULL);
+ EXPECT_EQ(nullptr, stream_bridge_async_data_get(&a_stream, g_tsg_para.bridge[BRIDGE_TYPE_POLICY_PRIORITY].id));
+}
+
+
+TEST(TSGMaster, SecurityMultiplePolicyMonitorToIntercept)
+{
+ const struct streaminfo a_stream={0};
+ struct Maat_rule_t security_result[MAX_RESULT_NUM]={0};
+ struct identify_info identify_info;
+
+ security_result[0].action=TSG_ACTION_MONITOR;
+ security_result[0].config_id=TSG_ACTION_MONITOR;
+
+ security_result[1].action=TSG_ACTION_INTERCEPT;
+ security_result[1].config_id=TSG_ACTION_INTERCEPT;
+
+ // First Monitor, second Intercpt
+ tsg_notify_hited_security_result(&a_stream, &security_result[0], 1, 0);
+
+ int ret=tsg_pull_policy_result((struct streaminfo *)&a_stream, PULL_KNI_RESULT, &(security_result[2]), 1, &identify_info);
+ EXPECT_EQ(0, ret);
+
+ ret=tsg_pull_policy_result((struct streaminfo *)&a_stream, PULL_FW_RESULT, &(security_result[2]), 1, &identify_info);
+ EXPECT_EQ(1, ret);
+ EXPECT_EQ(TSG_ACTION_MONITOR, security_result[2].action);
+ EXPECT_EQ(TSG_ACTION_MONITOR, security_result[2].config_id);
+
+ ret=tsg_pull_policy_result((struct streaminfo *)&a_stream, PULL_ALL_RESULT, &(security_result[2]), 1, &identify_info);
+ EXPECT_EQ(1, ret);
+ EXPECT_EQ(TSG_ACTION_MONITOR, security_result[2].action);
+ EXPECT_EQ(TSG_ACTION_MONITOR, security_result[2].config_id);
+
+ // Set Intercept
+ set_security_result_to_project((struct streaminfo *)&a_stream, &security_result[1], 1, PULL_KNI_RESULT, 0);
+
+ ret=tsg_pull_policy_result((struct streaminfo *)&a_stream, PULL_FW_RESULT, &(security_result[2]), 1, &identify_info);
+ EXPECT_EQ(0, ret);
+
+ ret=tsg_pull_policy_result((struct streaminfo *)&a_stream, PULL_KNI_RESULT, &(security_result[2]), 1, &identify_info);
+ EXPECT_EQ(1, ret);
+ EXPECT_EQ(TSG_ACTION_INTERCEPT, security_result[2].action);
+ EXPECT_EQ(TSG_ACTION_INTERCEPT, security_result[2].config_id);
+
+
ret=tsg_pull_policy_result((struct streaminfo *)&a_stream, PULL_ALL_RESULT, &(security_result[2]), 1, &identify_info);
+ EXPECT_EQ(1, ret);
+ EXPECT_EQ(TSG_ACTION_INTERCEPT, security_result[2].action);
+ EXPECT_EQ(TSG_ACTION_INTERCEPT, security_result[2].config_id);
+
+ struct policy_priority_label *priority_label=(struct policy_priority_label *)tsg_get_xxx_from_bridge(&a_stream, g_tsg_para.bridge[BRIDGE_TYPE_POLICY_PRIORITY].id);
+ EXPECT_NE(nullptr, priority_label);
+ EXPECT_EQ(1, priority_label->security_result_num);
+ EXPECT_EQ(TSG_ACTION_INTERCEPT, priority_label->security_result[0].action);
+ EXPECT_EQ(TSG_ACTION_INTERCEPT, priority_label->security_result[0].config_id);
+
+ free_policy_label(&a_stream, g_tsg_para.bridge[BRIDGE_TYPE_POLICY_PRIORITY].id, (void *)priority_label);
+ stream_bridge_async_data_put(&a_stream, g_tsg_para.bridge[BRIDGE_TYPE_POLICY_PRIORITY].id, NULL);
+ EXPECT_EQ(nullptr, stream_bridge_async_data_get(&a_stream, g_tsg_para.bridge[BRIDGE_TYPE_POLICY_PRIORITY].id));
+}
+
 int main(int argc, char *argv[])
 {
 TSG_MASTER_INIT(); |
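Review bot: Both new tests declare `const struct streaminfo a_stream={0};` and then strip the qualifier with `(struct streaminfo *)&a_stream` before passing it to code that attaches bridge data to the stream; writing through that pointer to an object defined `const` is undefined behaviour, so declare it `struct streaminfo a_stream={0};` and drop the casts. `struct identify_info identify_info;` is likewise left uninitialised before tsg_pull_policy_result fills it — zero it like the neighbouring locals. The scenarios cover monitor→intercept but not the reverse ordering that the new `return ;` in set_security_result_to_project exists for; add a case that notifies MONITOR after INTERCEPT and asserts the label still holds INTERCEPT with `security_result_num==1` (and that `PULL_FW_RESULT` still returns 0). Reusing TSG_ACTION_* values as `config_id` works but hides a wrong-copy bug, since action and config_id would then agree by accident; a distinct sentinel per rule makes the assertions meaningful.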
