From f4bb49f1f57bbaee05d0de70c2be1baf89b40e8d Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Tue, 3 Jan 2017 11:12:56 -0800
Subject: [PATCH] Add test for truncated outputs.

Add a test that specifically tests truncated outputs. A rule contains an output field %fd.cport which has no value for an open event. Ensure that the rule's output has for the cport and the remainder of the rule's output is filled in.
---
 test/falco_test.py | 6 ++++++
 test/falco_tests.yaml.in | 8 ++++++++
 test/rules/null_output_field.yaml | 5 +++++
 3 files changed, 19 insertions(+)
 create mode 100644 test/rules/null_output_field.yaml

diff --git a/test/falco_test.py b/test/falco_test.py
index 079723ce..d6ce9b87 100644
--- a/test/falco_test.py
+++ b/test/falco_test.py
@@ -17,6 +17,7 @@ class FalcoTest(Test):
 """
 self.falcodir = self.params.get('falcodir', '/', default=os.path.join(self.basedir, '../build'))
+ self.stdout_contains = self.params.get('stdout_contains', '*', default='')
 self.stderr_contains = self.params.get('stderr_contains', '*', default='')
 self.exit_status = self.params.get('exit_status', '*', default=0)
 self.should_detect = self.params.get('detect', '*', default=False)
@@ -204,6 +205,11 @@ class FalcoTest(Test):
 if match is None:
 self.fail("Stderr of falco process did not contain content matching {}".format(self.stderr_contains))
+ if self.stdout_contains != '':
+ match = re.search(self.stdout_contains, res.stdout)
+ if match is None:
+ self.fail("Stdout of falco process '{}' did not contain content matching {}".format(res.stdout, self.stdout_contains))
+
 if res.exit_status != self.exit_status:
 self.error("Falco command \"{}\" exited with unexpected return value {} (!= {})".format(
 cmd, res.exit_status, self.exit_status))
diff --git a/test/falco_tests.yaml.in b/test/falco_tests.yaml.in
index 8dca99d4..a973e8fe 100644
--- a/test/falco_tests.yaml.in
+++ b/test/falco_tests.yaml.in
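Review bot: The new stdout check in the second hunk applies `stdout_contains` as a regular expression via `re.search`, but nothing at the parameter's declaration in the first hunk says so, so a YAML author who writes a literal with `(`, `)` or `.` gets a pattern that matches more (or less) than the text they meant. A one-line comment on the `self.stdout_contains = self.params.get('stdout_contains', ...)` assignment, `# regex matched against falco's stdout with re.search; escape metacharacters in the YAML value`, makes the contract explicit, and the same wording fits the existing `stderr_contains` line. The failure message also embeds the whole captured stdout (`'{}'`) whereas the stderr message just above only quotes the pattern; dropping the dump or truncating it keeps the two messages consistent and bounds the size of a failure report on a chatty run. The sentinel test `if self.stdout_contains != '':` is conventionally written `if self.stdout_contains:`. Both hunks sit inside methods whose bodies begin and end outside the hunk.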
@@ -154,6 +154,14 @@ trace_files: !mux
 - rules/single_rule_enabled_flag.yaml
 trace_file: trace_files/cat_write.scap
+ null_output_field:
+ detect: True
+ detect_level: WARNING
+ rules_file:
+ - rules/null_output_field.yaml
+ trace_file: trace_files/cat_write.scap
+ stdout_contains: "Warning An open was seen .cport= command=cat /dev/null."
+
 file_output:
 detect: True
 detect_level: WARNING
diff --git a/test/rules/null_output_field.yaml b/test/rules/null_output_field.yaml
new file mode 100644
index 00000000..a81249bc
--- /dev/null
+++ b/test/rules/null_output_field.yaml
@@ -0,0 +1,5 @@
+- rule: open_from_cat
+ desc: A process named cat does an open
+ condition: evt.type=open and proc.name=cat
+ output: "An open was seen (cport=%fd.cport command=%proc.cmdline)"
+ priority: WARNING
\ No newline at end of file
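Review bot: The `stdout_contains` value is consumed by `re.search`, so the `.` characters standing in for the parentheses of the rule output match any character, not just `(` and `)`; a backslash-escaped parenthesis (the backslash doubled inside a YAML double-quoted scalar) pins the exact characters the rule emits. As rendered here the pattern reads `.cport= command=` with nothing between `cport=` and the following space, and the commit message shows the same gap ("has for the cport"), which suggests a placeholder token for the missing field was dropped in rendering; please confirm the committed file carries it, since without it the test would only pass when the empty field renders as nothing at all. A short comment above the entry, `# %fd.cport has no value for an open event; checks the rest of the output is still filled in`, records why this case exists.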
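Review bot: The new fixture ends without a trailing newline (`\ No newline at end of file`), so any later edit to it will also show a spurious change on the `priority: WARNING` line; adding the newline now avoids that. A one-line header comment, `# Test fixture: output references %fd.cport, which has no value for an open event`, would tell a reader why an open rule mentions a port field, which is otherwise only explained in the commit message.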