diff --git a/userspace/engine/falco_engine.cpp b/userspace/engine/falco_engine.cpp index 789b74fb..c539b5af 100644 --- a/userspace/engine/falco_engine.cpp +++ b/userspace/engine/falco_engine.cpp @@ -386,84 +386,6 @@ void falco_engine::populate_rule_result(unique_ptr &res, gen } } -bool falco_engine::parse_k8s_audit_json(nlohmann::json &j, std::list &evts, bool top) -{ - // Note that nlohmann::basic_json::value can throw nlohmann::basic_json::type_error (302, 306) - try - { - // If the object is an array, call parse_k8s_audit_json again for each item. - if(j.is_array()) - { - if(top) - { - for(auto &item : j) - { - // Note we only handle a single top level array, to - // avoid excessive recursion. - if(! parse_k8s_audit_json(item, evts, false)) - { - return false; - } - } - - return true; - } - else - { - return false; - } - } - - // If the kind is EventList, split it into individual events - if(j.value("kind", "") == "EventList") - { - for(auto &je : j["items"]) - { - evts.emplace_back(); - je["kind"] = "Event"; - - uint64_t ns = 0; - if(!sinsp_utils::parse_iso_8601_utc_string(je.value(k8s_audit_time, ""), ns)) - { - return false; - } - - std::string tmp; - sinsp_utils::ts_to_string(ns, &tmp, false, true); - - evts.back().set_jevt(je, ns); - } - - return true; - } - else if(j.value("kind", "") == "Event") - { - evts.emplace_back(); - uint64_t ns = 0; - if(!sinsp_utils::parse_iso_8601_utc_string(j.value(k8s_audit_time, ""), ns)) - { - return false; - } - - evts.back().set_jevt(j, ns); - return true; - } - else - { - return false; - } - } - catch(exception &e) - { - return false; - } -} - -unique_ptr falco_engine::process_k8s_audit_event(json_event *ev) -{ - return process_k8s_audit_event(ev, m_default_ruleset_id); -} - void falco_engine::describe_rule(string *rule) { return m_rules->describe_rule(rule); diff --git a/userspace/engine/falco_engine.h b/userspace/engine/falco_engine.h index d975b59f..effa8395 100644 --- a/userspace/engine/falco_engine.h 
+++ b/userspace/engine/falco_engine.h @@ -164,16 +164,6 @@ public: std::set tags; }; - // - // Given a raw json object, return a list of k8s audit event - // objects that represent the object. This method handles - // things such as EventList splitting. - // - // Returns true if the json object was recognized as a k8s - // audit event(s), false otherwise. - // - bool parse_k8s_audit_json(nlohmann::json &j, std::list &evts, bool top=true); - // // Given an event, check it against the set of rules in the // engine and if a matching rule is found, return details on diff --git a/userspace/engine/json_evt.cpp b/userspace/engine/json_evt.cpp index 36a64451..5eaf7ea7 100644 --- a/userspace/engine/json_evt.cpp +++ b/userspace/engine/json_evt.cpp 
@@ -50,6 +50,81 @@ uint64_t json_event::get_ts() const return m_event_ts; } +static nlohmann::json::json_pointer k8s_audit_time = "/stageTimestamp"_json_pointer; + +bool falco_k8s_audit::parse_k8s_audit_json(nlohmann::json &j, std::list &evts, bool top) +{ + // Note that nlohmann::basic_json::value can throw nlohmann::basic_json::type_error (302, 306) + try + { + // If the object is an array, call parse_k8s_audit_json again for each item. + if(j.is_array()) + { + if(top) + { + for(auto &item : j) + { + // Note we only handle a single top level array, to + // avoid excessive recursion. + if(! parse_k8s_audit_json(item, evts, false)) + { + return false; + } + } + + return true; + } + else + { + return false; + } + } + + // If the kind is EventList, split it into individual events + if(j.value("kind", "") == "EventList") + { + for(auto &je : j["items"]) + { + evts.emplace_back(); + je["kind"] = "Event"; + + uint64_t ns = 0; + if(!sinsp_utils::parse_iso_8601_utc_string(je.value(k8s_audit_time, ""), ns)) + { + return false; + } + + std::string tmp; + sinsp_utils::ts_to_string(ns, &tmp, false, true); + + evts.back().set_jevt(je, ns); + } + + return true; + } + else if(j.value("kind", "") == "Event") + { + evts.emplace_back(); + uint64_t ns = 0; + if(!sinsp_utils::parse_iso_8601_utc_string(j.value(k8s_audit_time, ""), ns)) + { + return false; + } + + evts.back().set_jevt(j, ns); + return true; + } + else + { + return false; + } + } + catch(exception &e) + { + return false; + } +} + json_event_value::json_event_value() { } diff --git a/userspace/engine/json_evt.h b/userspace/engine/json_evt.h index 34d59aec..2f9e1710 100644 --- a/userspace/engine/json_evt.h +++ b/userspace/engine/json_evt.h 
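Review bot: In both the EventList and Event branches `evts.emplace_back()` runs before the timestamp is validated, so when `sinsp_utils::parse_iso_8601_utc_string` fails the function returns false with a default-constructed json_event (on which set_jevt was never called) left at the back of `evts`, plus any items already appended; a caller that looks at the list after a false return would see that element. Move the `evts.emplace_back();` below the timestamp check in each branch, e.g. in the Event branch `uint64_t ns = 0; if(!sinsp_utils::parse_iso_8601_utc_string(j.value(k8s_audit_time, ""), ns)) { return false; } evts.emplace_back(); evts.back().set_jevt(j, ns);`. The `std::string tmp; sinsp_utils::ts_to_string(ns, &tmp, false, true);` pair in the EventList loop produces a string that is never read and can be dropped. `k8s_audit_time` is a mutable namespace-scope static that nothing in the hunk assigns to; declaring it `static const` makes that explicit. `catch(exception &e)` declares an unused variable and depends on an unqualified `exception` (presumably via a using-directive elsewhere in the file); `catch(const std::exception &)` is clearer and also makes plain that every failure, including the type_error the leading comment mentions, reaches the caller only as a false return.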
@@ -57,6 +57,19 @@ protected: uint64_t m_event_ts; }; +namespace falco_k8s_audit { + + // + // Given a raw json object, return a list of k8s audit event + // objects that represent the object. This method handles + // things such as EventList splitting. + // + // Returns true if the json object was recognized as a k8s + // audit event(s), false otherwise. + // + bool parse_k8s_audit_json(nlohmann::json &j, std::list &evts, bool top=true); +}; + // A class representing an extracted value or a value on the rhs of a // filter_check. This intentionally doesn't use the same types as // ppm_events_public.h to take advantage of actual classes instead of diff --git a/userspace/falco/webserver.cpp b/userspace/falco/webserver.cpp index bd9c6e49..7eca9dcf 100644 --- a/userspace/falco/webserver.cpp +++ b/userspace/falco/webserver.cpp @@ -69,7 +69,7 @@ bool k8s_audit_handler::accept_data(falco_engine *engine, bool ok; try { - ok = engine->parse_k8s_audit_json(j, jevts); + ok = falco_k8s_audit::parse_k8s_audit_json(j, jevts); } catch(json::type_error &e) {
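Review bot: The namespace block closes with `};`; the semicolon after a namespace's closing brace is an empty declaration, so end it with `}` instead. The comment above the declaration also omits two things the implementation in json_evt.cpp visibly does that callers should know: `j` is modified in place (each EventList item's `kind` is rewritten to `Event`), and `evts` is appended to rather than cleared, so existing entries are kept. Consider adding `// Note: j is modified in place and evts is appended to, not cleared.` to the comment block.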