Add ability to check if field is defined

Add a function is_defined_field(source, fldname) that returns whether a field with name fldname exists for the given event source. This uses the filter factory to create a filtercheck, and returns true if an object was created. This prevents having to push down the entire set of defined fields before calling load_rules(). Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2025-07-19 09:06:48 +00:00 · 2021-08-25 17:58:54 -07:00 · 2021-08-25 17:58:54 -07:00 · 04f3cc503c
commit 04f3cc503c
parent 84d7020e3e
2 changed files with 48 additions and 0 deletions
--- a/userspace/engine/rules.cpp
+++ b/userspace/engine/rules.cpp
@ -35,6 +35,7 @@ const static struct luaL_Reg ll_falco_rules[] =
 		{"enable_rule", &falco_rules::enable_rule},
 		{"engine_version", &falco_rules::engine_version},
 		{"is_format_valid", &falco_rules::is_format_valid},
+		{"is_defined_field", &falco_rules::is_defined_field},
 		{NULL, NULL}};

 falco_rules::falco_rules(falco_engine *engine,
@ -260,6 +261,48 @@ bool falco_rules::is_format_valid(const std::string &source, const std::string &
 	return ret;
 }

+int falco_rules::is_defined_field(lua_State *ls)
+{
+	if (! lua_islightuserdata(ls, -3) ||
+	    ! lua_isstring(ls, -2) ||
+	    ! lua_isstring(ls, -1))
+	{
+		lua_pushstring(ls, "Invalid arguments passed to is_defined_field");
+		lua_error(ls);
+	}
+
+	falco_rules *rules = (falco_rules *) lua_topointer(ls, -3);
+	string source = luaL_checkstring(ls, -2);
+	string fldname = luaL_checkstring(ls, -1);
+
+	bool ret = rules->is_defined_field(source, fldname);
+
+	lua_pushboolean(ls, (ret ? 1 : 0));
+
+	return 1;
+}
+
+bool falco_rules::is_defined_field(const std::string &source, const std::string &fldname)
+{
+	auto it = m_filter_factories.find(source);
+
+	if(it == m_filter_factories.end())
+	{
+		return false;
+	}
+
+	auto *chk = it->second->new_filtercheck(fldname.c_str());
+
+	if (chk == NULL)
+	{
+		return false;
+	}
+
+	delete(chk);
+
+	return true;
+}
+
 static std::list<std::string> get_lua_table_values(lua_State *ls, int idx)
 {
 	std::list<std::string> ret;
--- a/userspace/engine/rules.h
+++ b/userspace/engine/rules.h
@ -47,6 +47,8 @@ class falco_rules

 	bool is_format_valid(const std::string &source, const std::string &format, std::string &errstr);

+	bool is_defined_field(const std::string &source, const std::string &field);
+
 	static void init(lua_State *ls);
 	static int clear_filters(lua_State *ls);
 	static int create_lua_parser(lua_State *ls);
@ -57,6 +59,9 @@ class falco_rules
 	// err = falco_rules.is_format_valid(source, format_string)
 	static int is_format_valid(lua_State *ls);

+	// err = falco_rules.is_defined_field(source, field)
+	static int is_defined_field(lua_State *ls);
+
 private:
 	void clear_filters();
 	// XXX/mstemm can I make this a shared_ptr?