Address feedback from PR

- Instead of having a possibly null string pointer as the argument to
   enable_* and process_event, have wrapper versions that assume a
   default falco ruleset. The default ruleset name is a static member of
   the falco_engine class, and the default ruleset id is created/found
   in the constructor.
 - This makes the whole mechanism simple enough that it doesn't require
   seprarate testing, so remove the capability within falco to read a
   ruleset from the environment and remove automated tests that specify
   a ruleset.
 - Make pattern/tags/ruleset arguments to enable_* functions const.

(I'll squash this down before I commit)

userspace/engine/falco_engine.cpp

@@ -56,6 +56,8 @@ falco_engine::falco_engine(bool seed_rng)
 	{
 		srandom((unsigned) getpid());
 	}
+
+	m_default_ruleset_id = find_ruleset_id(m_default_ruleset);
 }
 
 falco_engine::~falco_engine()
@@ -108,38 +110,39 @@ void falco_engine::load_rules_file(const string &rules_filename, bool verbose, b
 	load_rules(rules_content, verbose, all_events);
 }
 
-void falco_engine::enable_rule(string &pattern, bool enabled, string *ruleset)
+void falco_engine::enable_rule(const string &pattern, bool enabled, const string &ruleset)
 {
-	uint16_t ruleset_id = 0;
-
-	if(ruleset)
-	{
-		ruleset_id = find_ruleset_id(*ruleset);
-	}
+	uint16_t ruleset_id = find_ruleset_id(ruleset);
 
 	m_evttype_filter->enable(pattern, enabled, ruleset_id);
 }
 
-void falco_engine::enable_rule_by_tag(set<string> &tags, bool enabled, string *ruleset)
+void falco_engine::enable_rule(const string &pattern, bool enabled)
 {
-	uint16_t ruleset_id = 0;
+	enable_rule(pattern, enabled, m_default_ruleset);
+}
 
-	if(ruleset)
-	{
-		ruleset_id = find_ruleset_id(*ruleset);
-	}
+void falco_engine::enable_rule_by_tag(const set<string> &tags, bool enabled, const string &ruleset)
+{
+	uint16_t ruleset_id = find_ruleset_id(ruleset);
 
 	m_evttype_filter->enable_tags(tags, enabled, ruleset_id);
 }
 
-uint16_t falco_engine::find_ruleset_id(std::string &ruleset)
+void falco_engine::enable_rule_by_tag(const set<string> &tags, bool enabled)
 {
-	auto it = m_known_rulesets.find(ruleset);
+	enable_rule_by_tag(tags, enabled, m_default_ruleset);
+}
 
-	if(it == m_known_rulesets.end())
+uint16_t falco_engine::find_ruleset_id(const std::string &ruleset)
+{
+	auto it = m_known_rulesets.lower_bound(ruleset);
+
+	if(it == m_known_rulesets.end() ||
+	   it->first != ruleset)
 	{
-		m_known_rulesets[ruleset] = ++m_next_ruleset_id;
-		it = m_known_rulesets.find(ruleset);
+		it = m_known_rulesets.emplace_hint(it,
+						   std::make_pair(ruleset, m_next_ruleset_id++));
 	}
 
 	return it->second;
@@ -187,6 +190,11 @@ unique_ptr<falco_engine::rule_result> falco_engine::process_event(sinsp_evt *ev,
 	return res;
 }
 
+unique_ptr<falco_engine::rule_result> falco_engine::process_event(sinsp_evt *ev)
+{
+	return process_event(ev, m_default_ruleset_id);
+}
+
 void falco_engine::describe_rule(string *rule)
 {
 	return m_rules->describe_rule(rule);

userspace/engine/falco_engine.h

@@ -49,17 +49,23 @@ public:
 
 	//
 	// Enable/Disable any rules matching the provided pattern
-	// (regex). If ruleset is non-NULL, enable/disable these
-	// rules in the context of the provided ruleset. The ruleset
-	// can later be passed as an argument to process_event(). This
-	// allows for different sets of rules being active at once.
+	// (regex). When provided, enable/disable these rules in the
+	// context of the provided ruleset. The ruleset (id) can later
+	// be passed as an argument to process_event(). This allows
+	// for different sets of rules being active at once.
 	//
-	void enable_rule(std::string &pattern, bool enabled, std::string *ruleset = NULL);
+	void enable_rule(const std::string &pattern, bool enabled, const std::string &ruleset);
+
+	// Wrapper that assumes the default ruleset
+	void enable_rule(const std::string &pattern, bool enabled);
 
 	//
 	// Enable/Disable any rules with any of the provided tags (set, exact matches only)
 	//
-	void enable_rule_by_tag(std::set<std::string> &tags, bool enabled, std::string *ruleset = NULL);
+	void enable_rule_by_tag(const std::set<std::string> &tags, bool enabled, const std::string &ruleset);
+
+	// Wrapper that assumes the default ruleset
+	void enable_rule_by_tag(const std::set<std::string> &tags, bool enabled);
 
 	struct rule_result {
 		sinsp_evt *evt;
@@ -74,20 +80,25 @@ public:
 	// to enable_rule/enable_rule_by_tag(), you should look up the
 	// ruleset id and pass it to process_event().
 	//
-	uint16_t find_ruleset_id(std::string &ruleset);
+	uint16_t find_ruleset_id(const std::string &ruleset);
 
 	//
 	// Given an event, check it against the set of rules in the
 	// engine and if a matching rule is found, return details on
 	// the rule that matched. If no rule matched, returns NULL.
 	//
-	// If ruleset is non-NULL, use the enabled/disabled status
+	// When ruleset_id is provided, use the enabled/disabled status
 	// associated with the provided ruleset. This is only useful
 	// when you have previously called enable_rule/enable_rule_by_tag
-	// with a non-NULL ruleset.
+	// with a ruleset string.
 	//
 	// the returned rule_result is allocated and must be delete()d.
-	std::unique_ptr<rule_result> process_event(sinsp_evt *ev, uint16_t ruleset_id = 0);
+	std::unique_ptr<rule_result> process_event(sinsp_evt *ev, uint16_t ruleset_id);
+
+	//
+	// Wrapper assuming the default ruleset
+	//
+	std::unique_ptr<rule_result> process_event(sinsp_evt *ev);
 
 	//
 	// Print details on the given rule. If rule is NULL, print
@@ -172,6 +183,8 @@ private:
 	double m_sampling_multiplier;
 
 	std::string m_lua_main_filename = "rule_loader.lua";
+	std::string m_default_ruleset = "falco-default-ruleset";
+	uint32_t m_default_ruleset_id;
 
 	std::string m_extra;
 	bool m_replace_container_info;