Add ability to append to rules/macros

Add the ability to append to rules/macros, like we already do with lists. For rules/macros, if the object has an append: true key, the condition value is appended to the condition of an existing rule/macro with the same name. Like lists, it's an error to specify append: true without there being an existing rule/macro. Also add tests that test the same kind of things we did for lists: - That append: true really does append - That append: false overwrites the rule/macro - That it's an error to append with a prior rule/macro existing.
2025-10-21 19:44:57 +00:00 · 2017-09-22 17:08:00 -07:00
parent 2d0963e97c
commit a38f7f181b
8 changed files with 147 additions and 18 deletions
--- a/test/falco_tests.yaml
+++ b/test/falco_tests.yaml
@@ -599,3 +599,44 @@ trace_files: !mux
    rules_file:
      - rules/list_append_false.yaml
    trace_file: trace_files/cat_write.scap
+
+  macro_append_failure:
+    exit_status: 1
+    stderr_contains: "Macro my_macro has 'append' key but no macro by that name already exists. Exiting"
+    rules_file:
+      - rules/macro_append_failure.yaml
+    trace_file: trace_files/cat_write.scap
+
+  macro_append:
+    detect: True
+    detect_level: WARNING
+    rules_file:
+      - rules/macro_append.yaml
+    trace_file: trace_files/cat_write.scap
+
+  macro_append_false:
+    detect: False
+    rules_file:
+      - rules/macro_append_false.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_append_failure:
+    exit_status: 1
+    stderr_contains: "Rule my_rule has 'append' key but no rule by that name already exists. Exiting"
+    rules_file:
+      - rules/rule_append_failure.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_append:
+    detect: True
+    detect_level: WARNING
+    rules_file:
+      - rules/rule_append.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_append_false:
+    detect: False
+    rules_file:
+      - rules/rule_append_false.yaml
+    trace_file: trace_files/cat_write.scap
+