new(userspace): added json schema validation for rules.

Also, a new `--rule-schema` cli option was added to print the schema and leave. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-08-24 17:08:52 +00:00 · 2024-09-06 10:27:56 +02:00 · 2024-09-06 10:27:56 +02:00 · 895e50d3a0
commit 895e50d3a0
parent d14825faf0
12 changed files with 149 additions and 12 deletions
--- a/userspace/falco/CMakeLists.txt
+++ b/userspace/falco/CMakeLists.txt
@ -50,6 +50,7 @@ add_library(falco_application STATIC
  app/actions/create_requested_paths.cpp
  app/actions/close_inspectors.cpp
  app/actions/print_config_schema.cpp
  app/actions/print_rule_schema.cpp
  configuration.cpp
  falco_outputs.cpp
  outputs_file.cpp
--- a/userspace/falco/app/actions/actions.h
+++ b/userspace/falco/app/actions/actions.h
@ -45,6 +45,7 @@ falco::app::run_result print_ignored_events(const falco::app::state& s);
 falco::app::run_result print_kernel_version(const falco::app::state& s);
 falco::app::run_result print_page_size(const falco::app::state& s);
 falco::app::run_result print_plugin_info(const falco::app::state& s);
 falco::app::run_result print_rule_schema(falco::app::state& s);
 falco::app::run_result print_support(falco::app::state& s);
 falco::app::run_result print_syscall_events(falco::app::state& s);
 falco::app::run_result print_version(falco::app::state& s);
--- a/userspace/falco/app/actions/helpers.h
+++ b/userspace/falco/app/actions/helpers.h
@ -26,6 +26,9 @@ namespace falco {
 namespace app {
 namespace actions {
 // Map that holds { rule filename | validation status } for each rule file read.
 typedef std::map<std::string, std::string> rule_read_res;
 bool check_rules_plugin_requirements(falco::app::state& s, std::string& err);
 void print_enabled_event_sources(falco::app::state& s);
 void activate_interesting_kernel_tracepoints(falco::app::state& s, std::unique_ptr<sinsp>& inspector);
@ -40,10 +43,14 @@ falco::app::run_result open_live_inspector(
    const std::string& source);
 template<class InputIterator>
-void read_files(InputIterator begin, InputIterator end,
+rule_read_res read_files(InputIterator begin, InputIterator end,
 		std::vector<std::string>& rules_contents,
-		falco::load_result::rules_contents_t& rc)
+		falco::load_result::rules_contents_t& rc,
 		const nlohmann::json& schema={})
 {
 	rule_read_res res;
 	yaml_helper reader;
 	std::string validation;
 	// Read the contents in a first pass
 	for(auto it = begin; it != end; it++)
 	{
@ -57,6 +64,9 @@ void read_files(InputIterator begin, InputIterator end,
 		std::string rules_content((std::istreambuf_iterator<char>(is)),
 						std::istreambuf_iterator<char>());
 		reader.load_from_string(rules_content, schema, &validation);
 		res[filename] = validation;
 		rules_contents.emplace_back(std::move(rules_content));
 	}
@ -75,6 +85,8 @@ void read_files(InputIterator begin, InputIterator end,
 	{
 		throw falco_exception("Unexpected mismatch in rules content name/rules content sets?");
 	}
 	return res;
 }
--- a/userspace/falco/app/actions/load_config.cpp
+++ b/userspace/falco/app/actions/load_config.cpp
@ -66,7 +66,7 @@ falco::app::run_result falco::app::actions::load_config(const falco::app::state&
 			auto config_path = pair.first;
 			auto validation = pair.second;
 			auto priority = validation == yaml_helper::validation_ok ? falco_logger::level::INFO : falco_logger::level::WARNING;
-			falco_logger::log(priority, std::string("   ") + config_path + " | validation: " + validation + "\n");
+			falco_logger::log(priority, std::string("   ") + config_path + " | schema validation: " + validation + "\n");
 		}
 	}
--- a/userspace/falco/app/actions/load_rules_files.cpp
+++ b/userspace/falco/app/actions/load_rules_files.cpp
@ -54,11 +54,12 @@ falco::app::run_result falco::app::actions::load_rules_files(falco::app::state&
 	std::vector<std::string> rules_contents;
 	falco::load_result::rules_contents_t rc;
 	rule_read_res validation_res;
 	try {
-		read_files(s.config->m_loaded_rules_filenames.begin(),
+		validation_res = read_files(s.config->m_loaded_rules_filenames.begin(),
 			   s.config->m_loaded_rules_filenames.end(),
 			   rules_contents,
-			   rc);
+			   rc, s.config->m_rule_schema);
 	}
 	catch(falco_exception& e)
 	{
@ -66,9 +67,12 @@ falco::app::run_result falco::app::actions::load_rules_files(falco::app::state&
 	}
 	std::string err = "";
 	falco_logger::log(falco_logger::level::INFO, "Loading rules from:\n");
 	for(auto &filename : s.config->m_loaded_rules_filenames)
 	{
-		falco_logger::log(falco_logger::level::INFO, "Loading rules from file " + filename + "\n");
+		auto validation = validation_res[filename];
 		auto priority = validation == yaml_helper::validation_ok ? falco_logger::level::INFO : falco_logger::level::WARNING;
 		falco_logger::log(priority, std::string("   ") + filename + " | schema validation: " + validation + "\n");
 		std::unique_ptr<falco::load_result> res;
 		res = s.engine->load_rules(rc.at(filename), filename);
--- a/userspace/falco/app/actions/print_rule_schema.cpp
+++ b/userspace/falco/app/actions/print_rule_schema.cpp
@ -0,0 +1,31 @@
 // SPDX-License-Identifier: Apache-2.0
 /*
 Copyright (C) 2024 The Falco Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 #include "actions.h"
 using namespace falco::app;
 using namespace falco::app::actions;
 falco::app::run_result falco::app::actions::print_rule_schema(falco::app::state &s)
 {
 	if(s.options.print_rule_schema)
 	{
 		printf("%s", s.config->m_rule_schema.dump(2).c_str());
 		return run_result::exit();
 	}
 	return run_result::ok();
 }
--- a/userspace/falco/app/actions/validate_rules_files.cpp
+++ b/userspace/falco/app/actions/validate_rules_files.cpp
@ -33,11 +33,12 @@ falco::app::run_result falco::app::actions::validate_rules_files(falco::app::sta
 		std::vector<std::string> rules_contents;
 		falco::load_result::rules_contents_t rc;
 		rule_read_res validation_res;
 		try {
-			read_files(s.options.validate_rules_filenames.begin(),
+			validation_res = read_files(s.options.validate_rules_filenames.begin(),
 				   s.options.validate_rules_filenames.end(),
 				   rules_contents,
-				   rc);
+				   rc,s.config->m_rule_schema);
 		}
 		catch(falco_exception& e)
 		{
@ -71,7 +72,9 @@ falco::app::run_result falco::app::actions::validate_rules_files(falco::app::sta
 		falco_logger::log(falco_logger::level::INFO, "Validating rules file(s):\n");
 		for(const auto& file : s.options.validate_rules_filenames)
 		{
-			falco_logger::log(falco_logger::level::INFO, "   " + file + "\n");
+			auto validation = validation_res[file];
 			auto priority = validation == yaml_helper::validation_ok ? falco_logger::level::INFO : falco_logger::level::WARNING;
 			falco_logger::log(priority, std::string("   ") + file + " | schema validation: " + validation + "\n");
 		}
 		// The json output encompasses all files so the
--- a/userspace/falco/app/app.cpp
+++ b/userspace/falco/app/app.cpp
@ -61,6 +61,7 @@ bool falco::app::run(falco::app::state& s, bool& restart, std::string& errstr)
 	// loading plugins, opening inspector, etc.).
 	std::list<app_action> run_steps = {
 		falco::app::actions::print_config_schema,
 		falco::app::actions::print_rule_schema,
 		falco::app::actions::load_config,
 		falco::app::actions::print_help,
 		falco::app::actions::print_kernel_version,
--- a/userspace/falco/app/options.cpp
+++ b/userspace/falco/app/options.cpp
@ -115,6 +115,7 @@ void options::define(cxxopts::Options& opts)
 		("c",                             "Configuration file. If not specified tries " FALCO_SOURCE_CONF_FILE ", " FALCO_INSTALL_CONF_FILE ".", cxxopts::value(conf_filename), "<path>")
 #endif
 		("config-schema",                 "Print the config json schema and exit.", cxxopts::value(print_config_schema)->default_value("false"))
 		("rule-schema",                   "Print the rule json schema and exit.", cxxopts::value(print_rule_schema)->default_value("false"))
 		("A",                             "Monitor all events supported by Falco and defined in rules and configs. Some events are ignored by default when -A is not specified (the -i option lists these events ignored). Using -A can impact performance. This option has no effect when reproducing events from a capture file.", cxxopts::value(all_events)->default_value("false"))
 		("b,print-base64",                "Print data buffers in base64. This is useful for encoding binary data that needs to be used over media designed to consume this format.")
 #if !defined(_WIN32) && !defined(__EMSCRIPTEN__) && !defined(MINIMAL_BUILD)
--- a/userspace/falco/app/options.h
+++ b/userspace/falco/app/options.h
@ -41,6 +41,7 @@ public:
 	// Each of these maps directly to a command line option.
 	bool help = false;
 	bool print_config_schema = false;
 	bool print_rule_schema = false;
 	std::string conf_filename;
 	bool all_events = false;
 	sinsp_evt::param_fmt event_buffer_format = sinsp_evt::PF_NORMAL;
--- a/userspace/falco/configuration.cpp
+++ b/userspace/falco/configuration.cpp
--- a/userspace/falco/configuration.h
+++ b/userspace/falco/configuration.h
@ -210,9 +210,9 @@ public:
 	replay_config m_replay = {};
 	gvisor_config m_gvisor = {};
 	// Needed by tests
 	yaml_helper m_config;
 	nlohmann::json m_config_schema;
 	nlohmann::json m_rule_schema;
 private:
 	void merge_config_files(const std::string& config_name, config_loaded_res &res);