From 6ecc691c683cebea7d3c6945b9e9c63325eaa44c Mon Sep 17 00:00:00 2001
From: Leonardo Grasso
Date: Tue, 22 Sep 2020 17:44:45 +0200
Subject: [PATCH] new(userspace/falco): gRPC output C++ impl
Signed-off-by: Leonardo Grasso
---
 userspace/falco/falco_outputs_grpc.cpp | 76 ++++++++++++++++++++++++++
 userspace/falco/falco_outputs_grpc.h | 35 ++++++++++++
 2 files changed, 111 insertions(+)
 create mode 100644 userspace/falco/falco_outputs_grpc.cpp
 create mode 100644 userspace/falco/falco_outputs_grpc.h
diff --git a/userspace/falco/falco_outputs_grpc.cpp b/userspace/falco/falco_outputs_grpc.cpp
new file mode 100644
index 00000000..4187e59b
--- /dev/null
+++ b/userspace/falco/falco_outputs_grpc.cpp
@@ -0,0 +1,76 @@
+/*
+Copyright (C) 2020 The Falco Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include
+#include "falco_outputs_grpc.h"
+#include "falco_outputs_queue.h"
+#include "falco_common.h"
+#include "formats.h"
+#include "banned.h" // This raises a compilation error when certain functions are used
+
+void falco::outputs::output_grpc::output_event(gen_event *evt, std::string &rule, std::string &source,
+ falco_common::priority_type priority, std::string &format,
+ std::string &msg)
+{
+ falco::outputs::response grpc_res;
+
+ // time
+ auto timestamp = grpc_res.mutable_time();
+ *timestamp = google::protobuf::util::TimeUtil::NanosecondsToTimestamp(evt->get_ts());
+
+ // rule
+ auto r = grpc_res.mutable_rule();
+ *r = rule;
+
+ // source
+ falco::schema::source s = falco::schema::source::SYSCALL;
+ if(!falco::schema::source_Parse(source, &s))
+ {
+ throw falco_exception("Unknown source passed to output_grpc::output_event()");
+ }
+ grpc_res.set_source(s);
+
+ // priority
+ falco::schema::priority p = falco::schema::priority::EMERGENCY;
+ if(!falco::schema::priority_Parse(falco_common::priority_names[priority], &p))
+ {
+ throw falco_exception("Unknown priority passed to output_grpc::output_event()");
+ }
+ grpc_res.set_priority(p);
+
+ // output
+ auto output = grpc_res.mutable_output();
+ *output = msg;
+
+ // output fields
+ auto &fields = *grpc_res.mutable_output_fields();
+ auto resolvedTkns = falco_formats::resolve_tokens(evt, source, format);
+ for(const auto &kv : resolvedTkns)
+ {
+ fields[kv.first] = kv.second;
+ }
+
+ // hostname
+ auto host = grpc_res.mutable_hostname();
+ *host = m_hostname;
+
+ falco::outputs::queue::get().push(grpc_res);
+}
+
+void falco::outputs::output_grpc::output_msg(falco_common::priority_type priority, std::string &msg)
+{
+ // todo(fntlnz, leodido, leogr) > gRPC does not support subscribing to dropped events yet
+}
\ No newline at end of file
diff --git a/userspace/falco/falco_outputs_grpc.h b/userspace/falco/falco_outputs_grpc.h
new file mode 100644
index 00000000..f865cfe3
--- /dev/null
+++ b/userspace/falco/falco_outputs_grpc.h
@@ -0,0 +1,35 @@
+/*
+Copyright (C) 2020 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#pragma once
+
+#include "falco_output.h"
+
+namespace falco
+{
+namespace outputs
+{
+
+class output_grpc : public output
+{
+ void output_event(gen_event *evt, std::string &rule, std::string &source,
+ falco_common::priority_type priority, std::string &format, std::string &msg);
+
+ void output_msg(falco_common::priority_type priority, std::string &msg);
+};
+
+} // namespace outputs
+} // namespace falco
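Review bot: In `output_event`, `falco_common::priority_names[priority]` is indexed before any range check, so the "Unknown priority" branch only catches a name the schema does not know; a `priority` value outside the table would be read out of bounds before that branch can fire. `priority_names` is declared outside this patch; if it is a `std::vector`, `falco_common::priority_names.at(priority)` would turn the out-of-range case into an exception instead. Separately, `output_msg` has an empty body, and the todo suggests it is the path for dropped-event notifications, so a consumer that reads only the gRPC stream gets no signal when the sensor is dropping events. The comment could say that outright, e.g. `// NOTE: messages passed to output_msg() are discarded by the gRPC output until the API supports them`.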
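Review bot: Both member declarations in `output_grpc` lack `override`, so a signature that drifts from the (presumably virtual) methods of `output` in `falco_output.h`, which is not part of this patch, would compile as a new, never-called method and alerts would silently stop reaching the gRPC queue. Ending the declarations with `std::string &msg) override;` lets the compiler check the match. The class also has no access specifier, so both members are private and reachable only through the base class; a short comment above the class stating that it is meant to be used through `output` would make that intent explicit.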