From 0bc2d4f162ce75b87e835676b936a40d862f2ead Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Wed, 9 Aug 2017 16:47:53 -0700
Subject: [PATCH] Automated tests for list append.
Test the case of appending to a list and appending to a nonexistent list (should error).
---
 test/falco_tests.yaml | 20 ++++++++++++++++++++
 test/rules/list_append.yaml | 12 ++++++++++++
 test/rules/list_append_failure.yaml | 3 +++
 test/rules/list_append_false.yaml | 12 ++++++++++++
 4 files changed, 47 insertions(+)
 create mode 100644 test/rules/list_append.yaml
 create mode 100644 test/rules/list_append_failure.yaml
 create mode 100644 test/rules/list_append_false.yaml
diff --git a/test/falco_tests.yaml b/test/falco_tests.yaml
index 951f0eea..e887ee7d 100644
--- a/test/falco_tests.yaml
+++ b/test/falco_tests.yaml
@@ -579,3 +579,23 @@ trace_files: !mux
 - open_11: 1
 - open_12: 0
 - open_13: 0
+
+ list_append_failure:
+ exit_status: 1
+ stderr_contains: "List my_list has 'append' key but no list by that name already exists. Exiting"
+ rules_file:
+ - rules/list_append_failure.yaml
+ trace_file: trace_files/cat_write.scap
+
+ list_append:
+ detect: True
+ detect_level: WARNING
+ rules_file:
+ - rules/list_append.yaml
+ trace_file: trace_files/cat_write.scap
+
+ list_append_false:
+ detect: False
+ rules_file:
+ - rules/list_append_false.yaml
+ trace_file: trace_files/cat_write.scap
diff --git a/test/rules/list_append.yaml b/test/rules/list_append.yaml
new file mode 100644
index 00000000..064f12a6
--- /dev/null
+++ b/test/rules/list_append.yaml
@@ -0,0 +1,12 @@
+- list: my_list
+ items: [not-cat]
+
+- list: my_list
+ append: true
+ items: [cat]
+
+- rule: Open From Cat
+ desc: A process named cat does an open
+ condition: evt.type=open and proc.name in (my_list)
+ output: "An open was seen (command=%proc.cmdline)"
+ priority: WARNING
\ No newline at end of file
diff --git a/test/rules/list_append_failure.yaml b/test/rules/list_append_failure.yaml
new file mode 100644
index 00000000..11bc54ac
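Review bot: The `stderr_contains` value in the new `list_append_failure` entry pins the complete error sentence, including the trailing "Exiting", so any rewording of the exit text or the message itself breaks the test even though the behaviour under test (refusing an `append` on an undefined list, exit status 1) is unchanged. Matching only the stable part, `stderr_contains: "has 'append' key but no list by that name already exists"`, keeps the assertion tied to the condition rather than to the exact phrasing. The `exit_status: 1` check already covers the "Exiting" half of the contract.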
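Review bot: With the base definition as `items: [not-cat]` and the appended definition as `items: [cat]`, the `list_append` entry in falco_tests.yaml (`detect: True`) passes whether `append: true` extends my_list or silently replaces it, because either outcome leaves `cat` in the list and the trace is cat_write.scap. Swapping the two item lists, base `items: [cat]` and appended `items: [not-cat]`, makes detection depend on the original entry surviving, so a regression where append behaves like replace (which would quietly narrow what the rule matches) fails the test instead of passing it. `list_append_false.yaml` already uses that orientation for the replace case, so the two fixtures would then differ only in the `append` value, which is exactly the behaviour under test.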
--- /dev/null
+++ b/test/rules/list_append_failure.yaml
@@ -0,0 +1,3 @@
+- list: my_list
+ items: [not-cat]
+ append: true
diff --git a/test/rules/list_append_false.yaml b/test/rules/list_append_false.yaml
new file mode 100644
index 00000000..02d3fa79
--- /dev/null
+++ b/test/rules/list_append_false.yaml
@@ -0,0 +1,12 @@
+- list: my_list
+ items: [cat]
+
+- list: my_list
+ append: false
+ items: [not-cat]
+
+- rule: Open From Cat
+ desc: A process named cat does an open
+ condition: evt.type=open and proc.name in (my_list)
+ output: "An open was seen (command=%proc.cmdline)"
+ priority: WARNING
\ No newline at end of file
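Review bot: This fixture exercises an explicit `append: false`, but nothing in the patch covers a second `my_list` definition that omits the `append` key altogether, which is the form a redefinition takes in rule files written before this key existed. If the loader treats a missing key the same as `append: false` (not confirmable from this patch), a third fixture identical to this one minus the `append: false` line, with a matching `detect: False` entry in falco_tests.yaml, would pin that default so a later change to it is caught rather than silently altering which processes the rule matches.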