mirror of
https://github.com/falcosecurity/falco.git
synced 2025-09-09 10:39:28 +00:00
cleanup(userspace,unit_tests): moved rule schema under engine.
Also, moved yaml_helper under engine/ folder. Ported rule json schema validation in the engine. Also, updated rule_loader tests to check for validation. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
This commit is contained in:
Federico Di Pierro
committed by
poiana
poiana
parent
895e50d3a0
commit
5bd2d5a63e
@@ -1,6 +1,9 @@
|
||||
#include <gtest/gtest.h>
|
||||
|
||||
#include "../test_falco_engine.h"
|
||||
#include "yaml_helper.h"
|
||||
|
||||
#define ASSERT_VALIDATION_STATUS(status) ASSERT_TRUE(sinsp_utils::startswith(m_load_result->schema_validation(), status))
|
||||
|
||||
std::string s_sample_ruleset = "sample-ruleset";
|
||||
std::string s_sample_source = falco_common::syscall_source;
|
||||
@@ -24,6 +27,7 @@ TEST_F(test_falco_engine, list_append)
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "legit_rules.yaml")) << m_load_result_string;
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_EQ(get_compiled_rule_condition("legit_rule"),"(evt.type = open and proc.name in (ash, bash, csh, ksh, sh, tcsh, zsh, dash, pwsh))");
|
||||
}
|
||||
|
||||
@@ -48,6 +52,7 @@ TEST_F(test_falco_engine, condition_append)
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "legit_rules.yaml")) << m_load_result_string;
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_EQ(get_compiled_rule_condition("legit_rule"),"(evt.type = open and (((proc.aname = sshd and proc.name != sshd) or proc.name = systemd-logind or proc.name = login) or proc.name = ssh))");
|
||||
}
|
||||
|
||||
@@ -72,6 +77,7 @@ TEST_F(test_falco_engine, rule_override_append)
|
||||
|
||||
std::string rule_name = "legit_rule";
|
||||
ASSERT_TRUE(load_rules(rules_content, "legit_rules.yaml")) << m_load_result_string;
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
|
||||
// Here we don't use the deprecated `append` flag, so we don't expect the warning.
|
||||
ASSERT_FALSE(check_warning_message(WARNING_APPEND));
|
||||
@@ -102,6 +108,7 @@ TEST_F(test_falco_engine, rule_append)
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "legit_rules.yaml")) << m_load_result_string;
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
|
||||
// We should have at least one warning because the 'append' flag is deprecated.
|
||||
ASSERT_TRUE(check_warning_message(WARNING_APPEND));
|
||||
@@ -128,6 +135,7 @@ TEST_F(test_falco_engine, rule_override_replace)
|
||||
|
||||
std::string rule_name = "legit_rule";
|
||||
ASSERT_TRUE(load_rules(rules_content, "legit_rules.yaml")) << m_load_result_string;
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
|
||||
auto rule_description = m_engine->describe_rule(&rule_name, {});
|
||||
ASSERT_EQ(rule_description["rules"][0]["info"]["condition"].template get<std::string>(),
|
||||
@@ -161,6 +169,7 @@ TEST_F(test_falco_engine, rule_override_append_replace)
|
||||
|
||||
std::string rule_name = "legit_rule";
|
||||
ASSERT_TRUE(load_rules(rules_content, "legit_rules.yaml")) << m_load_result_string;
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
|
||||
auto rule_description = m_engine->describe_rule(&rule_name, {});
|
||||
ASSERT_EQ(rule_description["rules"][0]["info"]["condition"].template get<std::string>(),
|
||||
@@ -196,6 +205,7 @@ TEST_F(test_falco_engine, rule_incorrect_override_type)
|
||||
)END";
|
||||
|
||||
ASSERT_FALSE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_TRUE(check_error_message("Key 'priority' cannot be appended to, use 'replace' instead"));
|
||||
ASSERT_TRUE(std::string(m_load_result_json["errors"][0]["context"]["snippet"]).find("priority: append") != std::string::npos);
|
||||
}
|
||||
@@ -219,6 +229,7 @@ TEST_F(test_falco_engine, rule_incorrect_append_override)
|
||||
)END";
|
||||
|
||||
ASSERT_FALSE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
|
||||
// We should have at least one warning because the 'append' flag is deprecated.
|
||||
ASSERT_TRUE(check_warning_message(WARNING_APPEND));
|
||||
@@ -248,6 +259,7 @@ TEST_F(test_falco_engine, macro_override_append_before_macro_definition)
|
||||
|
||||
// We cannot define a macro override before the macro definition.
|
||||
ASSERT_FALSE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_TRUE(check_error_message(ERROR_NO_PREVIOUS_MACRO));
|
||||
}
|
||||
|
||||
@@ -273,6 +285,7 @@ TEST_F(test_falco_engine, macro_override_replace_before_macro_definition)
|
||||
|
||||
// The first override defines a macro that is overridden by the second macro definition
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_EQ(get_compiled_rule_condition("test_rule"),"evt.type in (open, openat)");
|
||||
}
|
||||
|
||||
@@ -297,6 +310,7 @@ TEST_F(test_falco_engine, macro_append_before_macro_definition)
|
||||
|
||||
// We cannot define a macro override before the macro definition.
|
||||
ASSERT_FALSE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_TRUE(check_error_message(ERROR_NO_PREVIOUS_MACRO));
|
||||
}
|
||||
|
||||
@@ -322,6 +336,7 @@ TEST_F(test_falco_engine, macro_override_append_after_macro_definition)
|
||||
|
||||
// We cannot define a macro override before the macro definition.
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_EQ(get_compiled_rule_condition("test_rule"),"(evt.type in (open, openat) or evt.type = openat2)");
|
||||
}
|
||||
|
||||
@@ -346,6 +361,7 @@ TEST_F(test_falco_engine, macro_append_after_macro_definition)
|
||||
|
||||
// We cannot define a macro override before the macro definition.
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_EQ(get_compiled_rule_condition("test_rule"),"(evt.type in (open, openat) or evt.type = openat2)");
|
||||
}
|
||||
|
||||
@@ -366,6 +382,7 @@ TEST_F(test_falco_engine, rule_override_append_before_rule_definition)
|
||||
)END";
|
||||
|
||||
ASSERT_FALSE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_TRUE(check_error_message(ERROR_NO_PREVIOUS_RULE_APPEND));
|
||||
}
|
||||
|
||||
@@ -386,6 +403,7 @@ TEST_F(test_falco_engine, rule_override_replace_before_rule_definition)
|
||||
)END";
|
||||
|
||||
ASSERT_FALSE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_TRUE(check_error_message(ERROR_NO_PREVIOUS_RULE_REPLACE));
|
||||
}
|
||||
|
||||
@@ -405,6 +423,7 @@ TEST_F(test_falco_engine, rule_append_before_rule_definition)
|
||||
)END";
|
||||
|
||||
ASSERT_FALSE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_TRUE(check_error_message(ERROR_NO_PREVIOUS_RULE_APPEND));
|
||||
}
|
||||
|
||||
@@ -424,6 +443,7 @@ TEST_F(test_falco_engine, rule_override_append_after_rule_definition)
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_EQ(get_compiled_rule_condition("test_rule"),"(evt.type in (open, openat) and proc.name = cat)");
|
||||
}
|
||||
|
||||
@@ -442,6 +462,7 @@ TEST_F(test_falco_engine, rule_append_after_rule_definition)
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_EQ(get_compiled_rule_condition("test_rule"),"(evt.type in (open, openat) and proc.name = cat)");
|
||||
}
|
||||
|
||||
@@ -470,6 +491,7 @@ TEST_F(test_falco_engine, list_override_append_wrong_key)
|
||||
// considered. so in this situation, we are defining the list 2 times. The
|
||||
// second one overrides the first one.
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_failed) << m_load_result->schema_validation();
|
||||
ASSERT_EQ(get_compiled_rule_condition("test_rule"),"(evt.type = execve and proc.name in (blkid))");
|
||||
}
|
||||
|
||||
@@ -494,6 +516,7 @@ TEST_F(test_falco_engine, list_override_append_before_list_definition)
|
||||
|
||||
// We cannot define a list override before the list definition.
|
||||
ASSERT_FALSE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_TRUE(check_error_message(ERROR_NO_PREVIOUS_LIST));
|
||||
}
|
||||
|
||||
@@ -518,6 +541,7 @@ TEST_F(test_falco_engine, list_override_replace_before_list_definition)
|
||||
|
||||
// With override replace we define a first list that then is overridden by the second one.
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_EQ(get_compiled_rule_condition("test_rule"),"(evt.type = execve and proc.name in (blkid))");
|
||||
}
|
||||
|
||||
@@ -541,6 +565,7 @@ TEST_F(test_falco_engine, list_append_before_list_definition)
|
||||
|
||||
// We cannot define a list append before the list definition.
|
||||
ASSERT_FALSE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_TRUE(check_error_message(ERROR_NO_PREVIOUS_LIST));
|
||||
}
|
||||
|
||||
@@ -564,6 +589,7 @@ TEST_F(test_falco_engine, list_override_append_after_list_definition)
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_EQ(get_compiled_rule_condition("test_rule"),"(evt.type = execve and proc.name in (blkid, csi-provisioner, csi-attacher))");
|
||||
}
|
||||
|
||||
@@ -585,6 +611,7 @@ TEST_F(test_falco_engine, list_append_after_list_definition)
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_EQ(get_compiled_rule_condition("test_rule"),"(evt.type = execve and proc.name in (blkid, csi-provisioner, csi-attacher))");
|
||||
}
|
||||
|
||||
@@ -605,6 +632,7 @@ TEST_F(test_falco_engine, rule_override_without_field)
|
||||
)END";
|
||||
|
||||
ASSERT_FALSE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_TRUE(check_error_message("An append override for 'condition' was specified but 'condition' is not defined"));
|
||||
}
|
||||
|
||||
@@ -627,6 +655,7 @@ TEST_F(test_falco_engine, rule_override_extra_field)
|
||||
)END";
|
||||
|
||||
ASSERT_FALSE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_TRUE(check_error_message("Unexpected key 'priority'"));
|
||||
}
|
||||
|
||||
@@ -651,6 +680,7 @@ TEST_F(test_falco_engine, missing_enabled_key_with_override)
|
||||
|
||||
// In the rule override we miss `enabled: true`
|
||||
ASSERT_FALSE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_TRUE(check_error_message("'enabled' was specified but 'enabled' is not defined"));
|
||||
}
|
||||
|
||||
@@ -675,6 +705,7 @@ TEST_F(test_falco_engine, rule_override_with_enabled)
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_FALSE(has_warnings());
|
||||
// The rule should be enabled at the end.
|
||||
EXPECT_EQ(num_rules_for_ruleset(), 1);
|
||||
@@ -712,6 +743,7 @@ TEST_F(test_falco_engine, rule_override_exceptions_required_fields)
|
||||
)END";
|
||||
|
||||
ASSERT_FALSE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_FALSE(has_warnings());
|
||||
ASSERT_TRUE(check_error_message("Item has no mapping for key 'fields'")) << m_load_result_json.dump();
|
||||
}
|
||||
@@ -728,6 +760,7 @@ TEST_F(test_falco_engine, rule_not_enabled)
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_FALSE(has_warnings());
|
||||
EXPECT_EQ(num_rules_for_ruleset(), 0);
|
||||
}
|
||||
@@ -747,6 +780,7 @@ TEST_F(test_falco_engine, rule_enabled_warning)
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_TRUE(check_warning_message(WARNING_ENABLED));
|
||||
// The rule should be enabled at the end.
|
||||
EXPECT_EQ(num_rules_for_ruleset(), 1);
|
||||
@@ -772,6 +806,7 @@ TEST_F(test_falco_engine, rule_enabled_is_ignored_by_append)
|
||||
// 'enabled' is ignored by the append, this syntax is not supported
|
||||
// so the rule is not enabled.
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
EXPECT_EQ(num_rules_for_ruleset(), 0);
|
||||
}
|
||||
|
||||
@@ -797,6 +832,7 @@ TEST_F(test_falco_engine, rewrite_rule)
|
||||
// The above syntax is not supported, we cannot override the content
|
||||
// of a rule in this way.
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
// In this case the rule is completely overridden but this syntax is not supported.
|
||||
EXPECT_EQ(num_rules_for_ruleset(), 1);
|
||||
ASSERT_EQ(get_compiled_rule_condition("test_rule"),"proc.name = cat");
|
||||
@@ -817,6 +853,7 @@ TEST_F(test_falco_engine, required_engine_version_semver)
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_FALSE(has_warnings());
|
||||
}
|
||||
|
||||
@@ -835,6 +872,7 @@ TEST_F(test_falco_engine, required_engine_version_not_semver)
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_FALSE(has_warnings());
|
||||
}
|
||||
|
||||
@@ -853,6 +891,7 @@ TEST_F(test_falco_engine, required_engine_version_invalid)
|
||||
)END";
|
||||
|
||||
ASSERT_FALSE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_TRUE(check_error_message("Unable to parse engine version"));
|
||||
}
|
||||
|
||||
@@ -865,22 +904,23 @@ TEST_F(test_falco_engine, list_value_with_escaping)
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_TRUE(m_load_result->successful());
|
||||
ASSERT_TRUE(m_load_result->has_warnings()); // a warning for the unused list
|
||||
ASSERT_TRUE(m_load_result->has_warnings()); // a warning for the unused list
|
||||
|
||||
auto rule_description = m_engine->describe_rule(nullptr, {});
|
||||
ASSERT_TRUE(m_load_result->successful());
|
||||
ASSERT_EQ(rule_description["rules"].size(), 0);
|
||||
ASSERT_EQ(rule_description["macros"].size(), 0);
|
||||
ASSERT_EQ(rule_description["lists"].size(), 1);
|
||||
auto rule_description = m_engine->describe_rule(nullptr, {});
|
||||
ASSERT_TRUE(m_load_result->successful());
|
||||
ASSERT_EQ(rule_description["rules"].size(), 0);
|
||||
ASSERT_EQ(rule_description["macros"].size(), 0);
|
||||
ASSERT_EQ(rule_description["lists"].size(), 1);
|
||||
|
||||
// escaped values must not be interpreted as list refs by mistake
|
||||
ASSERT_EQ(rule_description["lists"][0]["details"]["lists"].size(), 0);
|
||||
// escaped values must not be interpreted as list refs by mistake
|
||||
ASSERT_EQ(rule_description["lists"][0]["details"]["lists"].size(), 0);
|
||||
|
||||
// values should be escaped correctly
|
||||
ASSERT_EQ(rule_description["lists"][0]["details"]["items_compiled"].size(), 2);
|
||||
ASSERT_EQ(rule_description["lists"][0]["details"]["items_compiled"][0].template get<std::string>(), "non_escaped_val");
|
||||
ASSERT_EQ(rule_description["lists"][0]["details"]["items_compiled"][1].template get<std::string>(), "escaped val");
|
||||
// values should be escaped correctly
|
||||
ASSERT_EQ(rule_description["lists"][0]["details"]["items_compiled"].size(), 2);
|
||||
ASSERT_EQ(rule_description["lists"][0]["details"]["items_compiled"][0].template get<std::string>(), "non_escaped_val");
|
||||
ASSERT_EQ(rule_description["lists"][0]["details"]["items_compiled"][1].template get<std::string>(), "escaped val");
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, exceptions_condition)
|
||||
@@ -900,6 +940,7 @@ TEST_F(test_falco_engine, exceptions_condition)
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_EQ(get_compiled_rule_condition("test_rule"),"((proc.cmdline contains curl or proc.cmdline contains wget) and not proc.cmdline contains \"curl 127.0.0.1\")");
|
||||
}
|
||||
|
||||
@@ -911,6 +952,7 @@ TEST_F(test_falco_engine, macro_name_invalid)
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_TRUE(check_warning_message("Macro has an invalid name. Macro names should match a regular expression"));
|
||||
}
|
||||
|
||||
@@ -930,6 +972,7 @@ TEST_F(test_falco_engine, list_name_invalid)
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_TRUE(check_warning_message("List has an invalid name. List names should match a regular expression"));
|
||||
}
|
||||
|
||||
@@ -958,6 +1001,7 @@ TEST_F(test_falco_engine, exceptions_append_no_values)
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_failed) << m_load_result->schema_validation();
|
||||
ASSERT_TRUE(check_warning_message("Overriding/appending exception with no values"));
|
||||
}
|
||||
|
||||
@@ -985,6 +1029,7 @@ TEST_F(test_falco_engine, exceptions_override_no_values)
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_failed) << m_load_result->schema_validation();
|
||||
ASSERT_TRUE(check_warning_message("Overriding/appending exception with no values"));
|
||||
}
|
||||
|
||||
@@ -1010,6 +1055,7 @@ TEST_F(test_falco_engine, exceptions_names_not_unique)
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_TRUE(check_warning_message("Multiple definitions of exception"));
|
||||
}
|
||||
|
||||
@@ -1033,6 +1079,7 @@ TEST_F(test_falco_engine, exceptions_values_rhs_field_ambiguous)
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
EXPECT_EQ(get_compiled_rule_condition("test_rule"), "(evt.type = open and not proc.name = proc.pname)");
|
||||
EXPECT_TRUE(check_warning_message("'proc.pname' may be a valid field misused as a const string value"));
|
||||
}
|
||||
@@ -1049,6 +1096,7 @@ TEST_F(test_falco_engine, exceptions_values_rhs_field_ambiguous_quoted)
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
EXPECT_EQ(get_compiled_rule_condition("test_rule"), "(evt.type = open and not proc.name = proc.pname)");
|
||||
EXPECT_TRUE(check_warning_message("'proc.pname' may be a valid field misused as a const string value"));
|
||||
}
|
||||
@@ -1065,6 +1113,7 @@ TEST_F(test_falco_engine, exceptions_values_rhs_field_ambiguous_space_quoted)
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
EXPECT_EQ(get_compiled_rule_condition("test_rule"), "(evt.type = open and not proc.name = \"proc.pname \")");
|
||||
EXPECT_TRUE(check_warning_message("'proc.pname ' may be a valid field misused as a const string value"));
|
||||
}
|
||||
@@ -1081,6 +1130,7 @@ TEST_F(test_falco_engine, exceptions_values_rhs_transformer)
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
EXPECT_EQ(get_compiled_rule_condition("test_rule"), "(evt.type = open and not proc.name = toupper(proc.pname))");
|
||||
}
|
||||
|
||||
@@ -1096,6 +1146,7 @@ TEST_F(test_falco_engine, exceptions_values_transformer_value_quoted)
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
EXPECT_EQ(get_compiled_rule_condition("test_rule"), "(evt.type = open and not proc.name = toupper(proc.pname))");
|
||||
}
|
||||
|
||||
@@ -1111,6 +1162,7 @@ TEST_F(test_falco_engine, exceptions_values_transformer_space)
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
EXPECT_EQ(get_compiled_rule_condition("test_rule"), "(evt.type = open and not proc.name = \"toupper( proc.pname)\")");
|
||||
EXPECT_TRUE(check_warning_message("'toupper( proc.pname)' may be a valid field transformer misused as a const string value"));
|
||||
}
|
||||
@@ -1127,6 +1179,7 @@ TEST_F(test_falco_engine, exceptions_values_transformer_space_quoted)
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
EXPECT_EQ(get_compiled_rule_condition("test_rule"), "(evt.type = open and not proc.name = \"toupper( proc.pname)\")");
|
||||
EXPECT_TRUE(check_warning_message("'toupper( proc.pname)' may be a valid field transformer misused as a const string value"));
|
||||
}
|
||||
@@ -1143,6 +1196,7 @@ TEST_F(test_falco_engine, exceptions_fields_transformer)
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
EXPECT_FALSE(has_warnings());
|
||||
EXPECT_EQ(get_compiled_rule_condition("test_rule"), "(evt.type = open and not tolower(proc.name) = test)");
|
||||
}
|
||||
@@ -1159,6 +1213,7 @@ TEST_F(test_falco_engine, exceptions_fields_transformer_quoted)
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_FALSE(has_warnings());
|
||||
EXPECT_EQ(get_compiled_rule_condition("test_rule"), "(evt.type = open and not tolower(proc.name) = test)");
|
||||
}
|
||||
@@ -1175,6 +1230,7 @@ TEST_F(test_falco_engine, exceptions_fields_transformer_space_quoted)
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_FALSE(has_warnings());
|
||||
EXPECT_EQ(get_compiled_rule_condition("test_rule"), "(evt.type = open and not tolower(proc.name) = test)");
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user