update(test): enhance test cases for tags in json outputs

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2025-08-30 12:30:56 +00:00 · 2021-09-23 07:21:11 +00:00 · 2021-09-23 07:21:11 +00:00 · 0eb170cf5f
commit 0eb170cf5f
parent 21fa6e9505
3 changed files with 34 additions and 5 deletions
--- a/test/confs/psp.yaml
+++ b/test/confs/psp.yaml
@ -43,6 +43,12 @@ json_output: false
 # (user=root ....") in the json output.
 json_include_output_property: true

+# When using json output, whether or not to include the "tags" property
+# itself in the json output. If set to true, outputs caused by rules
+# with no tags will have a "tags" field set to an empty array. If set to
+# false, the "tags" field will not be included in the json output at all.
+json_include_tags_property: true
+
 # Send information logs to stderr and/or syslog Note these are *not* security
 # notification logs! These are just Falco lifecycle (and possibly error) logs.
 log_stderr: true
--- a/test/falco_test.py
+++ b/test/falco_test.py
@ -90,6 +90,8 @@ class FalcoTest(Test):
        self.json_output = self.params.get('json_output', '*', default=False)
        self.json_include_output_property = self.params.get(
            'json_include_output_property', '*', default=True)
+        self.json_include_tags_property = self.params.get(
+            'json_include_tags_property', '*', default=True)
        self.all_events = self.params.get('all_events', '*', default=False)
        self.priority = self.params.get('priority', '*', default='debug')
        self.rules_file = self.params.get(
@ -388,10 +390,11 @@ class FalcoTest(Test):
            for line in res.stdout.decode("utf-8").splitlines():
                if line.startswith('{'):
                    obj = json.loads(line)
+                    attrs = ['time', 'rule', 'priority']
                    if self.json_include_output_property:
-                        attrs = ['time', 'rule', 'priority', 'output']
-                    else:
-                        attrs = ['time', 'rule', 'priority']
+                        attrs.append('output')
+                    if self.json_include_tags_property:
+                        attrs.append('tags')
                    for attr in attrs:
                        if not attr in obj:
                            self.fail(
@ -614,8 +617,9 @@ class FalcoTest(Test):
                self.log.debug("Converted Rules: {}".format(psp_rules))

        # Run falco
-        cmd = '{} {} {} -c {} {} -o json_output={} -o json_include_output_property={} -o priority={} -v'.format(
-            self.falco_binary_path, self.rules_args, self.disabled_args, self.conf_file, trace_arg, self.json_output, self.json_include_output_property, self.priority)
+        cmd = '{} {} {} -c {} {} -o json_output={} -o json_include_output_property={} -o json_include_tags_property={} -o priority={} -v'.format(
+            self.falco_binary_path, self.rules_args, self.disabled_args, self.conf_file, trace_arg, self.json_output,
+            self.json_include_output_property, self.json_include_tags_property, self.priority)

        for tag in self.disable_tags:
            cmd += ' -T {}'.format(tag)
--- a/test/falco_tests.yaml
+++ b/test/falco_tests.yaml
@ -1111,6 +1111,25 @@ trace_files: !mux
    trace_file: trace_files/cat_write.scap
    stdout_contains: "^(?!.*Warning An open of /dev/null was seen.*)"

+  json_output_no_tags_property:
+    json_output: True
+    json_include_tags_property: False
+    detect: True
+    detect_level: WARNING
+    rules_file:
+      - rules/rule_append.yaml
+    trace_file: trace_files/cat_write.scap
+    stdout_contains: "^(?!.*\"tags\":[ ]*\\[.*\\],.*)"
+
+  json_output_empty_tags_property:
+    json_output: True
+    detect: True
+    detect_level: WARNING
+    rules_file:
+      - rules/rule_append.yaml
+    trace_file: trace_files/cat_write.scap
+    stdout_contains: "^(.*\"tags\":[ ]*\\[\\],.*)"
+
  in_operator_netmasks:
    detect: True
    detect_level: INFO