authorfengweihao <[email protected]>2022-09-26 16:13:24 +0800
committerfengweihao <[email protected]>2022-09-26 16:13:24 +0800
commit74b95d15dc95b9a3f46f996afc2c2d7e2c602552 (patch)
treea170571597fe18d9fa03ceed94a923af14924255
parent15eef3d831927282861a72d805582f276a3799b1 (diff)
TSG-11996 策略验证支持Tunnel Object,修复合并tunnel问题v2.3.6-20220926
-rw-r--r--common/include/verify_policy.h4
-rw-r--r--platform/src/verify_policy.cpp17
-rw-r--r--scan/src/policy_scan.cpp27
3 files changed, 41 insertions, 7 deletions
diff --git a/common/include/verify_policy.h b/common/include/verify_policy.h
index dec653d..8a1ab6a 100644
--- a/common/include/verify_policy.h
+++ b/common/include/verify_policy.h
@@ -149,7 +149,7 @@ struct verify_policy_query_obj
char *subscriberid;
- int nth_scan[8];
+ int nth_scan[256];
int nth_scan_num;
cJSON* attributes;
@@ -180,4 +180,6 @@ int security_policy_init(struct verify_policy * verify, const char* profile_path
int http_hit_policy_list(enum verify_policy_type policy_type, size_t hit_cnt, cJSON *data_obj, void *pme);
+void verify_policy_tunnle_add(void * pme);
+
#endif
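Review bot: Raising `nth_scan` from 8 to 256 entries moves the overflow point rather than removing it, because nothing in this diff bounds the index that fills the array; `verify_tunnle_id_scan` in policy_scan.cpp stores `hit_path_cnt` into `nth_scan_num` while the ctx can hold `hit_path[2048]`, so if that loop writes `nth_scan[hit_path_cnt]` (the store is outside the hunk) it must stop or cap at the array size. Give the size a name the writer can compare against, e.g. `#define VERIFY_NTH_SCAN_MAX 256` next to the struct and `int nth_scan[VERIFY_NTH_SCAN_MAX];`, matching the `#define` style policy_scan.cpp already uses. The new prototype takes `void *pme`; a forward declaration `struct verify_policy_scan_ctx;` would let the header keep the real pointer type, though the existing `void *pme` parameter of `http_hit_policy_list` suggests the untyped handle is a deliberate convention.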
diff --git a/platform/src/verify_policy.cpp b/platform/src/verify_policy.cpp
index b5ae9cb..c18b1b0 100644
--- a/platform/src/verify_policy.cpp
+++ b/platform/src/verify_policy.cpp
@@ -372,6 +372,23 @@ cJSON *get_query_from_request(const char *data, int thread_id)
for (subchild = attributes->child; subchild != NULL; subchild = subchild->next)
{
+ item = cJSON_GetObjectItem(subchild, "attributeName");
+ if(item && item->type==cJSON_String)
+ {
+ if(0 == strcasecmp(item->valuestring, "tunnel_endpointa"))
+ {
+ verify_policy_tunnle_add(ctx);
+ }
+
+ if(0 == strcasecmp(item->valuestring, "tunnel_endpointb"))
+ {
+ verify_policy_tunnle_add(ctx);
+ }
+ }
+ }
+
+ for (subchild = attributes->child; subchild != NULL; subchild = subchild->next)
+ {
xret = get_attribute_from_json(i, subchild, verify_policy);
if (xret < 0)
{
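Review bot: The new counting loop only ever increments `tunnel_endpoint_x` through `verify_policy_tunnle_add(ctx)` and nothing in this diff resets it, so if `ctx` is the per-thread context created by `pangu_http_ctx_new` and is reused across requests, the `ctx->tunnel_endpoint_x == 2` test in `http_get_scan_status` (policy_scan.cpp) holds only for the first request that carries both endpoints and the merge silently stops afterwards. Zero the counter before this loop, for example by adding a `verify_policy_tunnle_reset(void *pme)` sibling next to `verify_policy_tunnle_add` in policy_scan.cpp and calling it here, or by clearing the field wherever the per-query state is reset. The two `strcasecmp` branches do the same thing and can be one condition: `if (0 == strcasecmp(item->valuestring, "tunnel_endpointa") || 0 == strcasecmp(item->valuestring, "tunnel_endpointb"))`. `get_query_from_request` starts and ends outside the hunk, so a reset elsewhere in the function would not be visible here.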
diff --git a/scan/src/policy_scan.cpp b/scan/src/policy_scan.cpp
index 89f3349..78857af 100644
--- a/scan/src/policy_scan.cpp
+++ b/scan/src/policy_scan.cpp
@@ -129,7 +129,7 @@ struct verify_policy_scan_ctx
int n_read;
struct Maat_hit_path_t hit_path[2048];
- int tunnel_hit_hath;
+ int tunnel_endpoint_x;
int bool_id_array_idx;
unsigned long long bool_id_array[128];
@@ -156,6 +156,13 @@ struct verify_policy_rt * g_policy_rt;
#define MAAT_INPUT_REDIS 1
#define MAAT_INPUT_FILE 2
+void verify_policy_tunnle_add(void * pme)
+{
+ struct verify_policy_scan_ctx * ctx = (struct verify_policy_scan_ctx *) pme;
+ ctx->tunnel_endpoint_x++;
+}
+
+
void * pangu_http_ctx_new(unsigned int thread_id)
{
struct verify_policy_scan_ctx * ctx = ALLOC(struct verify_policy_scan_ctx, 1);
@@ -927,22 +934,30 @@ void http_get_scan_status(struct verify_policy_query_obj *query_obj, int type, c
int i=0, j=0, k=0;
int result_hit_nth[MAX_SCAN_RESULT] = {-1};
cJSON *attributeObj=NULL,*hitPaths=NULL;
+ cJSON *item = NULL;
struct verify_policy_scan_ctx * ctx = (struct verify_policy_scan_ctx *) pme;
- if(ctx->tunnel_hit_hath)
+ attributeObj=query_obj->attributes;
+
+ if(ctx->tunnel_endpoint_x == 2)
{
- return;
+ item = cJSON_GetObjectItem(attributeObj, "attributeName");
+ if(item && item->type==cJSON_String)
+ {
+ if(0 == strcasecmp(item->valuestring, "tunnel_endpointa"))
+ {
+ return;
+ }
+ }
}
- attributeObj=query_obj->attributes;
if(type == PXY_TABLE_SECURITY && query_obj->protocol_field == TSG_SECURITY_TUNNEL)
{
attributeObj=query_obj->attributes;
cJSON_DeleteItemFromObject(attributeObj, "attributeName");
cJSON_AddStringToObject(attributeObj, "attributeName", "tunnel_endpoint_object");
cJSON_DeleteItemFromObject(attributeObj, "attributeValue");
- ctx->tunnel_hit_hath=1;
}
cJSON_AddItemToArray(attributes, attributeObj);
@@ -1347,8 +1362,8 @@ int verify_tunnle_id_scan(struct Maat_rule_t *result, struct ip_address *sip, in
ctx->n_read=n_read;
hit_path_cnt++;
}
+ tunnel_table_free(tunnel_catalog[i]);
}
- tunnel_table_free(tunnel_catalog[i]);
query_obj->nth_scan_num = hit_path_cnt;
return hit_cnt_tunnel;
}
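Review bot: The `ctx->tunnel_endpoint_x == 2` guard in `http_get_scan_status` assumes the two counted attributes are one `tunnel_endpointa` and one `tunnel_endpointb`, but `verify_policy_tunnle_add` is called for either name without distinguishing them, so a request carrying two `tunnel_endpointa` entries would drop both and one carrying two `tunnel_endpointb` entries would merge neither. Count the two endpoints separately, or have the early return check that the other endpoint was actually seen, before relying on the exact value 2. `attributeObj=query_obj->attributes;` is now assigned twice (once before the guard and again inside the `PXY_TABLE_SECURITY` block), so the second assignment can go, and `verify_policy_tunnle_add` should reject a null `pme` before the cast and increment. In `verify_tunnle_id_scan`, moving `tunnel_table_free(tunnel_catalog[i])` inside the loop is correct only if no `continue` earlier in the loop body (outside the hunk) skips it; worth confirming.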