fix(userspace/falco): distinguish between sinsp and json events when resolving tokens

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>

userspace/engine/formats.cpp

@@ -20,7 +20,6 @@ limitations under the License.
 #include <json/json.h>
 
 #include "formats.h"
-#include "logger.h"
 #include "falco_engine.h"
 
 
@@ -266,31 +265,46 @@ int falco_formats::format_event (lua_State *ls)
 	return 1;
 }
 
+#include <iostream>
 
 int falco_formats::resolve_tokens(lua_State *ls)
 {
-	if (!lua_isuserdata(ls, 1) ||
-	    !lua_isstring(ls, 2)) {
-		lua_pushstring(ls, "Invalid arguments passed to resolve_tokens()");
-		lua_error(ls);
-	}
-	gen_event* evt = (gen_event*) lua_topointer(ls, 1);
-	const char *format = (char *) lua_tostring(ls, 2);
+	// if(!lua_isstring(ls, -1) ||
+	//    !lua_isstring(ls, -2) ||
+	//    !lua_islightuserdata(ls, -3))
+	// {
+	// 	lua_pushstring(ls, "Invalid arguments passed to resolve_tokens()");
+	// 	lua_error(ls);
+	// }
+	gen_event *evt = (gen_event *)lua_topointer(ls, 1);
+	string source = luaL_checkstring(ls, 2);
+	const char *format = (char *)lua_tostring(ls, 3);
 	string sformat = format;
 
-	map<string,string> values;
-
-	s_formatters->resolve_tokens((sinsp_evt *)evt, sformat, values);
+	map<string, string> values;
+	if(source == "syscall")
+	{
+		s_formatters->resolve_tokens((sinsp_evt *)evt, sformat, values);
+	}
+	// k8s_audit
+	else
+	{
+		json_event_formatter json_formatter(s_engine->json_factory(), sformat);
+		values = json_formatter.tomap((json_event*) evt);
+	}
 
 	lua_newtable(ls);
 	int top = lua_gettop(ls);
-	for (std::map<string, string>::iterator it = values.begin(); it != values.end(); ++it) {
-		const char* key = it->first.c_str();
-		const char* value = it->second.c_str();
+	for(map<string, string>::iterator it = values.begin(); it != values.end(); ++it)
+	{
+		std::cout << it->first << ":"<< it->second << ", ";
+		const char *key = it->first.c_str();
+		const char *value = it->second.c_str();
 		lua_pushlstring(ls, key, it->first.size());
 		lua_pushlstring(ls, value, it->second.size());
 		lua_settable(ls, top);
 	}
+	std::cout << std::endl;
 
 	return 1;
 }

userspace/falco/falco_outputs.cpp

@@ -306,16 +306,16 @@ int falco_outputs::handle_http(lua_State *ls)
 int falco_outputs::handle_grpc(lua_State *ls)
 {
 	// check parameters
-	if(!lua_isuserdata(ls, 1) ||
-	   !lua_isstring(ls, 2) ||
-	   !lua_isstring(ls, 3) ||
-	   !lua_isstring(ls, 4) ||
-	   !lua_isstring(ls, 5) ||
-	   !lua_istable(ls, 6))
-	{
-		lua_pushstring(ls, "Invalid arguments passed to handle_grpc()");
-		lua_error(ls);
-	}
+	// if(!lua_isuserdata(ls, 1) ||
+	//    !lua_isstring(ls, 2) ||
+	//    !lua_isstring(ls, 3) ||
+	//    !lua_isstring(ls, 4) ||
+	//    !lua_isstring(ls, 5) ||
+	//    !lua_istable(ls, 6))
+	// {
+	// 	lua_pushstring(ls, "Invalid arguments passed to handle_grpc()");
+	// 	lua_error(ls);
+	// }
 
 	response grpc_res = response();
 

userspace/falco/lua/output.lua

@@ -170,7 +170,7 @@ function mod.http_reopen()
 end
 
 function mod.grpc(event, rule, source, priority, priority_num, msg, format, options)
-   fields = formats.resolve_tokens(event, format)
+   fields = formats.resolve_tokens(event, source, format)
    c_outputs.handle_grpc(event, rule, source, priority, msg, fields, options)
 end
 
@@ -178,6 +178,7 @@ function mod.grpc_message(priority, priority_num, msg, options)
    -- todo
 end
 
+
 function mod.grpc_cleanup()
 end
 
@@ -215,6 +216,16 @@ function output_event(event, rule, source, priority, priority_num, format)
 
    msg = formats.format_event(event, rule, source, priority, format)
 
+   print("---")
+   print(event)
+   print(rule)
+   print(source)
+   print(priority)
+   print(priority_num)
+   print(msg)
+   print(format)
+   print("---")
+
    for index, o in ipairs(outputs) do
       o.output(event, rule, source, priority, priority_num, msg, format, o.options)
    end