tests: add some new tests on override replace

Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
2025-09-09 10:39:28 +00:00 · 2024-01-10 15:36:38 +01:00
parent 8ebdbe3e6f
commit ee78c862ad
3 changed files with 84 additions and 10 deletions
--- a/unit_tests/engine/test_rule_loader.cpp
+++ b/unit_tests/engine/test_rule_loader.cpp
@@ -374,6 +374,34 @@ TEST_F(engine_loader_test, macro_override_append_before_macro_definition)
 	ASSERT_TRUE(check_error_message(ERROR_NO_PREVIOUS_MACRO));
 }

+TEST_F(engine_loader_test, macro_override_replace_before_macro_definition)
+{
+    std::string rules_content = R"END(
+
+- macro: open_simple
+  condition: or evt.type = openat2
+  override:
+    condition: replace
+
+- macro: open_simple
+  condition: evt.type in (open,openat)
+
+- rule: test_rule
+  desc: simple rule
+  condition: open_simple
+  output: command=%proc.cmdline
+  priority: INFO
+
+)END";
+
+	// The first override defines a macro that is overridden by the second macro definition
+	ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
+	std::string rule_name = "test_rule";
+	auto rule_description = m_engine->describe_rule(&rule_name, {});
+	ASSERT_EQ(rule_description["rules"][0]["details"]["condition_compiled"].template get<std::string>(),
+	 	"evt.type in (open, openat)");
+}
+
 TEST_F(engine_loader_test, macro_append_before_macro_definition)
 {
    std::string rules_content = R"END(
@@ -470,7 +498,27 @@ TEST_F(engine_loader_test, rule_override_append_before_rule_definition)
 )END";

 	ASSERT_FALSE(load_rules(rules_content, "rules.yaml"));
-	ASSERT_TRUE(check_error_message(ERROR_NO_PREVIOUS_RULE));
+	ASSERT_TRUE(check_error_message(ERROR_NO_PREVIOUS_RULE_APPEND));
+}
+
+TEST_F(engine_loader_test, rule_override_replace_before_rule_definition)
+{
+    std::string rules_content = R"END(
+- rule: test_rule
+  condition: and proc.name = cat
+  override:
+    condition: replace
+
+- rule: test_rule
+  desc: simple rule
+  condition: evt.type in (open,openat)
+  output: command=%proc.cmdline
+  priority: INFO
+
+)END";
+
+	ASSERT_FALSE(load_rules(rules_content, "rules.yaml"));
+	ASSERT_TRUE(check_error_message(ERROR_NO_PREVIOUS_RULE_REPLACE));
 }

 TEST_F(engine_loader_test, rule_append_before_rule_definition)
@@ -489,7 +537,7 @@ TEST_F(engine_loader_test, rule_append_before_rule_definition)
 )END";

 	ASSERT_FALSE(load_rules(rules_content, "rules.yaml"));
-	ASSERT_TRUE(check_error_message(ERROR_NO_PREVIOUS_RULE));
+	ASSERT_TRUE(check_error_message(ERROR_NO_PREVIOUS_RULE_APPEND));
 }

 TEST_F(engine_loader_test, rule_override_append_after_rule_definition)
@@ -594,6 +642,33 @@ TEST_F(engine_loader_test, list_override_append_before_list_definition)
 	ASSERT_TRUE(check_error_message(ERROR_NO_PREVIOUS_LIST));
 }

+TEST_F(engine_loader_test, list_override_replace_before_list_definition)
+{
+    std::string rules_content = R"END(
+- list: dev_creation_binaries
+  items: ["csi-provisioner", "csi-attacher"]
+  override:
+    items: replace
+
+- list: dev_creation_binaries
+  items: [blkid]
+
+- rule: test_rule
+  desc: simple rule
+  condition: evt.type = execve and proc.name in (dev_creation_binaries)
+  output: command=%proc.cmdline
+  priority: INFO
+
+)END";
+
+	// With override replace we define a first list that then is overridden by the second one.
+	ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
+	std::string rule_name = "test_rule";
+	auto rule_description = m_engine->describe_rule(&rule_name, {});
+	ASSERT_EQ(rule_description["rules"][0]["details"]["condition_compiled"].template get<std::string>(),
+	 	"(evt.type = execve and proc.name in (blkid))");
+}
+
 TEST_F(engine_loader_test, list_append_before_list_definition)
 {
    std::string rules_content = R"END(