new(tests): add unit test for exceptions condition

Signed-off-by: Gianmatteo Palmieri <mail@gian.im>
Gianmatteo Palmieri 2024-02-26 18:11:06 +01:00 committed by poiana
parent ea781477d6
commit 928cb8bb8e


@ -846,3 +846,23 @@ TEST_F(test_falco_engine, list_value_with_escaping)
ASSERT_EQ(rule_description["lists"][0]["details"]["items_compiled"][0].template get<std::string>(), "non_escaped_val"); ASSERT_EQ(rule_description["lists"][0]["details"]["items_compiled"][0].template get<std::string>(), "non_escaped_val");
ASSERT_EQ(rule_description["lists"][0]["details"]["items_compiled"][1].template get<std::string>(), "escaped val"); ASSERT_EQ(rule_description["lists"][0]["details"]["items_compiled"][1].template get<std::string>(), "escaped val");
} }
TEST_F(test_falco_engine, exceptions_condition)
{
std::string rules_content = R"END(
- rule: test_rule
desc: test rule
condition: proc.cmdline contains curl or proc.cmdline contains wget
output: command=%proc.cmdline
priority: INFO
exceptions:
- name: test_exception
fields: [proc.cmdline]
comps: [contains]
values:
- [curl 127.0.0.1]
)END";
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
ASSERT_EQ(get_compiled_rule_condition("test_rule"),"((proc.cmdline contains curl or proc.cmdline contains wget) and not proc.cmdline contains \"curl 127.0.0.1\")");
}
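Review bot: The `exceptions_condition` test pins only the single-field, single-value shape of an exception, so the compiled form for several value tuples or several fields is not checked anywhere in this hunk. Exceptions suppress alerts, so a mistake in how those parts are joined under the `not` (presumably `or` across tuples and `and` across fields) would widen or narrow suppression without any test failing. A second case with two entries under `values:` and a two-field exception would cover that, unless one already exists elsewhere in the file. A comment above the final assertion such as `// the value contains a space, so the compiled condition must quote it` would document what the expected string depends on. Minor style: the last `ASSERT_EQ` is missing a space after the comma, i.e. `get_compiled_rule_condition("test_rule"), "((proc.cmdline ...`.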