update(userspace/falco): introduce message struct for outputs

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>

userspace/falco/outputs.h

@@ -37,6 +37,21 @@ struct config
 	std::map<std::string, std::string> options;
 };
 
+//
+// The message to be outputted. It can either refer to:
+//  - an event that has matched some rule,
+//  - or a generic message (e.g., a drop alert).
+//
+struct message
+{
+	uint64_t ts;
+	falco_common::priority_type priority;
+	std::string msg;
+	std::string rule;
+	std::string source;
+	map<std::string, std::string> fields;
+};
+
 //
 // This class acts as the primary interface for implementing
 // a Falco output class.
@@ -52,15 +67,13 @@ public:
 		m_hostname = hostname;
 	}
 
-	// Output an event that has matched some rule.
+	// Output a message.
-	virtual void output_event(gen_event *evt, std::string &rule, std::string &source,
+	virtual void output(const message *msg) = 0;
-				  falco_common::priority_type priority, std::string &format, std::string &msg) = 0;
-
-	// Output a generic message. Not necessarily associated with any event.
-	virtual void output_msg(falco_common::priority_type priority, std::string &msg) = 0;
 
+	// Possibly close the output and open it again.
 	virtual void reopen() {}
 
+	// Possibly flush the output.
 	virtual void cleanup() {}
 
 protected:

userspace/falco/outputs_file.cpp

@@ -31,16 +31,10 @@ void falco::outputs::output_file::open_file()
 	}
 }
 
-void falco::outputs::output_file::output_event(gen_event *evt, std::string &rule, std::string &source,
+void falco::outputs::output_file::output(const message *msg)
-					       falco_common::priority_type priority, std::string &format, std::string &msg)
-{
-	output_msg(priority, msg);
-}
-
-void falco::outputs::output_file::output_msg(falco_common::priority_type priority, std::string &msg)
 {
 	open_file();
-	m_outfile << msg + "\n";
+	m_outfile << msg->msg + "\n";
 
 	if(m_oc.options["keep_alive"] != "true")
 	{

userspace/falco/outputs_file.h

@@ -27,10 +27,7 @@ namespace outputs
 
 class output_file : public abstract_output
 {
-	void output_event(gen_event *evt, std::string &rule, std::string &source,
+	void output(const message *msg);
-			  falco_common::priority_type priority, std::string &format, std::string &msg);
-
-	void output_msg(falco_common::priority_type priority, std::string &msg);
 
 	void cleanup();
 

userspace/falco/outputs_grpc.cpp

@@ -21,23 +21,21 @@ limitations under the License.
 #include "formats.h"
 #include "banned.h" // This raises a compilation error when certain functions are used
 
-void falco::outputs::output_grpc::output_event(gen_event *evt, std::string &rule, std::string &source,
+void falco::outputs::output_grpc::output(const message *msg)
-					       falco_common::priority_type priority, std::string &format,
-					       std::string &msg)
 {
 	falco::outputs::response grpc_res;
 
 	// time
 	auto timestamp = grpc_res.mutable_time();
-	*timestamp = google::protobuf::util::TimeUtil::NanosecondsToTimestamp(evt->get_ts());
+	*timestamp = google::protobuf::util::TimeUtil::NanosecondsToTimestamp(msg->ts);
 
 	// rule
 	auto r = grpc_res.mutable_rule();
-	*r = rule;
+	*r = msg->rule;
 
 	// source
 	falco::schema::source s = falco::schema::source::SYSCALL;
-	if(!falco::schema::source_Parse(source, &s))
+	if(!falco::schema::source_Parse(msg->source, &s))
 	{
 		throw falco_exception("Unknown source passed to output_grpc::output_event()");
 	}
@@ -45,7 +43,7 @@ void falco::outputs::output_grpc::output_event(gen_event *evt, std::string &rule
 
 	// priority
 	falco::schema::priority p = falco::schema::priority::EMERGENCY;
-	if(!falco::schema::priority_Parse(falco_common::priority_names[priority], &p))
+	if(!falco::schema::priority_Parse(falco_common::priority_names[msg->priority], &p))
 	{
 		throw falco_exception("Unknown priority passed to output_grpc::output_event()");
 	}
@@ -53,12 +51,11 @@ void falco::outputs::output_grpc::output_event(gen_event *evt, std::string &rule
 
 	// output
 	auto output = grpc_res.mutable_output();
-	*output = msg;
+	*output = msg->msg;
 
 	// output fields
 	auto &fields = *grpc_res.mutable_output_fields();
-	auto resolvedTkns = falco_formats::resolve_tokens(evt, source, format);
+	for(const auto &kv : msg->fields)
-	for(const auto &kv : resolvedTkns)
 	{
 		fields[kv.first] = kv.second;
 	}
@@ -69,8 +66,3 @@ void falco::outputs::output_grpc::output_event(gen_event *evt, std::string &rule
 
 	falco::grpc::queue::get().push(grpc_res);
 }
-
-void falco::outputs::output_grpc::output_msg(falco_common::priority_type priority, std::string &msg)
-{
-	// todo(fntlnz, leodido, leogr) > gRPC does not support subscribing to dropped events yet
-}

userspace/falco/outputs_grpc.h

@@ -25,10 +25,7 @@ namespace outputs
 
 class output_grpc : public abstract_output
 {
-	void output_event(gen_event *evt, std::string &rule, std::string &source,
+	void output(const message *msg);
-			  falco_common::priority_type priority, std::string &format, std::string &msg);
-
-	void output_msg(falco_common::priority_type priority, std::string &msg);
 };
 
 } // namespace outputs

userspace/falco/outputs_http.cpp

@@ -18,13 +18,7 @@ limitations under the License.
 #include "logger.h"
 #include "banned.h" // This raises a compilation error when certain functions are used
 
-void falco::outputs::output_http::output_event(gen_event *evt, std::string &rule, std::string &source,
+void falco::outputs::output_http::output(const message *msg)
-					       falco_common::priority_type priority, std::string &format, std::string &msg)
-{
-	output_msg(priority, msg);
-}
-
-void falco::outputs::output_http::output_msg(falco_common::priority_type priority, std::string &msg)
 {
 	CURL *curl = NULL;
 	CURLcode res = CURLE_FAILED_INIT;
@@ -37,7 +31,7 @@ void falco::outputs::output_http::output_msg(falco_common::priority_type priorit
 		slist1 = curl_slist_append(slist1, "Content-Type: application/json");
 		curl_easy_setopt(curl, CURLOPT_HTTPHEADER, slist1);
 		curl_easy_setopt(curl, CURLOPT_URL, m_oc.options["url"].c_str());
-		curl_easy_setopt(curl, CURLOPT_POSTFIELDS, msg.c_str());
+		curl_easy_setopt(curl, CURLOPT_POSTFIELDS, msg->msg.c_str());
 		curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, -1L);
 
 		res = curl_easy_perform(curl);

userspace/falco/outputs_http.h

@@ -25,10 +25,7 @@ namespace outputs
 
 class output_http : public abstract_output
 {
-	void output_event(gen_event *evt, std::string &rule, std::string &source,
+	void output(const message *msg);
-			  falco_common::priority_type priority, std::string &format, std::string &msg);
-
-	void output_msg(falco_common::priority_type priority, std::string &msg);
 };
 
 } // namespace outputs

userspace/falco/outputs_program.cpp

@@ -31,17 +31,11 @@ void falco::outputs::output_program::open_pfile()
 	}
 }
 
-void falco::outputs::output_program::output_event(gen_event *evt, std::string &rule, std::string &source,
+void falco::outputs::output_program::output(const message *msg)
-						  falco_common::priority_type priority, std::string &format, std::string &msg)
-{
-	output_msg(priority, msg);
-}
-
-void falco::outputs::output_program::output_msg(falco_common::priority_type priority, std::string &msg)
 {
 	open_pfile();
 
-	fprintf(m_pfile, "%s\n", msg.c_str());
+	fprintf(m_pfile, "%s\n", msg->msg.c_str());
 
 	if(m_oc.options["keep_alive"] != "true")
 	{

userspace/falco/outputs_program.h

@@ -25,10 +25,7 @@ namespace outputs
 
 class output_program : public abstract_output
 {
-	void output_event(gen_event *evt, std::string &rule, std::string &source,
+	void output(const message *msg);
-			  falco_common::priority_type priority, std::string &format, std::string &msg);
-
-	void output_msg(falco_common::priority_type priority, std::string &msg);
 
 	void cleanup();
 

userspace/falco/outputs_stdout.cpp

@@ -18,13 +18,7 @@ limitations under the License.
 #include <iostream>
 #include "banned.h" // This raises a compilation error when certain functions are used
 
-void falco::outputs::output_stdout::output_event(gen_event *evt, std::string &rule, std::string &source,
+void falco::outputs::output_stdout::output(const message *msg)
-						 falco_common::priority_type priority, std::string &format, std::string &msg)
-{
-	output_msg(priority, msg);
-}
-
-void falco::outputs::output_stdout::output_msg(falco_common::priority_type priority, std::string &msg)
 {
 	//
 	// By default, the stdout stream is fully buffered or line buffered
@@ -36,7 +30,7 @@ void falco::outputs::output_stdout::output_msg(falco_common::priority_type prior
 	{
 		std::cout << std::unitbuf;
 	}
-	std::cout << msg + "\n";
+	std::cout << msg->msg + "\n";
 }
 
 void falco::outputs::output_stdout::cleanup()

userspace/falco/outputs_stdout.h

@@ -25,10 +25,7 @@ namespace outputs
 
 class output_stdout : public abstract_output
 {
-	void output_event(gen_event *evt, std::string &rule, std::string &source,
+	void output(const message *msg);
-			  falco_common::priority_type priority, std::string &format, std::string &msg);
-
-	void output_msg(falco_common::priority_type priority, std::string &msg);
 
 	void cleanup();
 };

userspace/falco/outputs_syslog.cpp

@@ -18,14 +18,8 @@ limitations under the License.
 #include <syslog.h>
 #include "banned.h" // This raises a compilation error when certain functions are used
 
-void falco::outputs::output_syslog::output_event(gen_event *evt, std::string &rule, std::string &source,
+void falco::outputs::output_syslog::output(const message *msg)
-						 falco_common::priority_type priority, std::string &format, std::string &msg)
-{
-	output_msg(priority, msg);
-}
-
-void falco::outputs::output_syslog::output_msg(falco_common::priority_type priority, std::string &msg)
 {
 	// Syslog output should not have any trailing newline
-	::syslog(priority, "%s", msg.c_str());
+	::syslog(msg->priority, "%s", msg->msg.c_str());
 }

userspace/falco/outputs_syslog.h

@@ -25,10 +25,7 @@ namespace outputs
 
 class output_syslog : public abstract_output
 {
-	void output_event(gen_event *evt, std::string &rule, std::string &source,
+	void output(const message *msg);
-			  falco_common::priority_type priority, std::string &format, std::string &msg);
-
-	void output_msg(falco_common::priority_type priority, std::string &msg);
 };
 
 } // namespace outputs