github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-26 14:52:20 +00:00
Code Issues Projects Releases Wiki Activity

cleanup(tests): use test_falco_engine in test_enable_rule

Browse Source 
Signed-off-by: Luca Guerra <luca@guerra.sh>
This commit is contained in:
Luca Guerra 2024-02-09 16:20:55 +00:00 committed by poiana
parent baf9e77810
commit fe5c58e20e
1 changed files with 99 additions and 132 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

231
unit_tests/engine/test_enable_rule.cpp
View File

@ -23,7 +23,7 @@ limitations under the License.
#include <filter_check_list.h> #include <filter_check_list.h>
#include <filter.h> #include <filter.h>
#include <falco_engine.h> #include "../test_falco_engine.h"
static std::string single_rule = R"END( static std::string single_rule = R"END(
- rule: test rule - rule: test rule
@ -52,200 +52,167 @@ static const std::string ruleset_2 = "ruleset-2";
static const std::string ruleset_3 = "ruleset-3"; static const std::string ruleset_3 = "ruleset-3";
static const std::string ruleset_4 = "ruleset-4"; static const std::string ruleset_4 = "ruleset-4";
static void load_rules(falco_engine& engine, sinsp& inspector, sinsp_filter_check_list& filterchecks) TEST_F(test_falco_engine, enable_rule_name)
{ {
std::unique_ptr<falco::load_result> res; load_rules(single_rule, "single_rule.yaml");
auto filter_factory = std::shared_ptr<sinsp_filter_factory>(
new sinsp_filter_factory(&inspector, filterchecks));
auto formatter_factory = std::shared_ptr<sinsp_evt_formatter_factory>(
new sinsp_evt_formatter_factory(&inspector, filterchecks));
engine.add_source("syscall", filter_factory, formatter_factory);
res = engine.load_rules(single_rule, "single_rule.yaml");
EXPECT_TRUE(res->successful());
}
TEST(EnableRule, enable_rule_name)
{
falco_engine engine;
sinsp inspector;
sinsp_filter_check_list filterchecks;
load_rules(engine, inspector, filterchecks);
// No rules should be enabled yet for any custom rulesets // No rules should be enabled yet for any custom rulesets
EXPECT_EQ(1, engine.num_rules_for_ruleset(default_ruleset)); EXPECT_EQ(1, m_engine->num_rules_for_ruleset(default_ruleset));
EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_1)); EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_1));
EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_2)); EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_2));
EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_3)); EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_3));
// Enable for first ruleset, only that ruleset should have an // Enable for first ruleset, only that ruleset should have an
// enabled rule afterward // enabled rule afterward
engine.enable_rule("test", true, ruleset_1); m_engine->enable_rule("test", true, ruleset_1);
EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1)); EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_1));
EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_2)); EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_2));
EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_3)); EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_3));
// Enable for second ruleset // Enable for second ruleset
engine.enable_rule("test", true, ruleset_2); m_engine->enable_rule("test", true, ruleset_2);
EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1)); EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_1));
EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_2)); EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_2));
EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_3)); EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_3));
// When the substring is blank, all rules are enabled // When the substring is blank, all rules are enabled
// (including the disabled rule) // (including the disabled rule)
engine.enable_rule("", true, ruleset_3); m_engine->enable_rule("", true, ruleset_3);
EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1)); EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_1));
EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_2)); EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_2));
EXPECT_EQ(2, engine.num_rules_for_ruleset(ruleset_3)); EXPECT_EQ(2, m_engine->num_rules_for_ruleset(ruleset_3));
// Now disable for second ruleset // Now disable for second ruleset
engine.enable_rule("test", false, ruleset_2); m_engine->enable_rule("test", false, ruleset_2);
EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1)); EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_1));
EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_2)); EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_2));
EXPECT_EQ(2, engine.num_rules_for_ruleset(ruleset_3)); EXPECT_EQ(2, m_engine->num_rules_for_ruleset(ruleset_3));
} }
TEST(EnableRule, enable_rule_tags) TEST_F(test_falco_engine, enable_rule_tags)
{ {
falco_engine engine;
sinsp inspector;
sinsp_filter_check_list filterchecks;
std::set<std::string> process_tags = {"process"}; std::set<std::string> process_tags = {"process"};
load_rules(engine, inspector, filterchecks); load_rules(single_rule, "single_rule.yaml");
// No rules should be enabled yet for any custom rulesets // No rules should be enabled yet for any custom rulesets
EXPECT_EQ(1, engine.num_rules_for_ruleset(default_ruleset)); EXPECT_EQ(1, m_engine->num_rules_for_ruleset(default_ruleset));
EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_1)); EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_1));
EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_2)); EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_2));
// Enable for first ruleset, only that ruleset should have an // Enable for first ruleset, only that ruleset should have an
// enabled rule afterward // enabled rule afterward
engine.enable_rule_by_tag(process_tags, true, ruleset_1); m_engine->enable_rule_by_tag(process_tags, true, ruleset_1);
EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1)); EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_1));
EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_2)); EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_2));
// Enable for second ruleset // Enable for second ruleset
engine.enable_rule_by_tag(process_tags, true, ruleset_2); m_engine->enable_rule_by_tag(process_tags, true, ruleset_2);
EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1)); EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_1));
EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_2)); EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_2));
// Now disable for second ruleset // Now disable for second ruleset
engine.enable_rule_by_tag(process_tags, false, ruleset_2); m_engine->enable_rule_by_tag(process_tags, false, ruleset_2);
EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1)); EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_1));
EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_2)); EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_2));
} }
TEST(EnableRule, enable_disabled_rule_by_tag) TEST_F(test_falco_engine, enable_disabled_rule_by_tag)
{ {
falco_engine engine;
sinsp inspector;
sinsp_filter_check_list filterchecks;
std::set<std::string> exec_process_tags = {"exec process"}; std::set<std::string> exec_process_tags = {"exec process"};
load_rules(engine, inspector, filterchecks); load_rules(single_rule, "single_rule.yaml");
// Only the first rule should be enabled // Only the first rule should be enabled
EXPECT_EQ(1, engine.num_rules_for_ruleset(default_ruleset)); EXPECT_EQ(1, m_engine->num_rules_for_ruleset(default_ruleset));
// Enable the disabled rule by tag // Enable the disabled rule by tag
engine.enable_rule_by_tag(exec_process_tags, true); m_engine->enable_rule_by_tag(exec_process_tags, true);
// Both rules should be enabled now // Both rules should be enabled now
EXPECT_EQ(2, engine.num_rules_for_ruleset(default_ruleset)); EXPECT_EQ(2, m_engine->num_rules_for_ruleset(default_ruleset));
} }
TEST(EnableRule, enable_rule_id) TEST_F(test_falco_engine, enable_rule_id)
{ {
falco_engine engine;
sinsp inspector;
sinsp_filter_check_list filterchecks;
uint16_t ruleset_1_id; uint16_t ruleset_1_id;
uint16_t ruleset_2_id; uint16_t ruleset_2_id;
uint16_t ruleset_3_id; uint16_t ruleset_3_id;
load_rules(engine, inspector, filterchecks); load_rules(single_rule, "single_rule.yaml");
// The cases are identical to above, just using ruleset ids // The cases are identical to above, just using ruleset ids
// instead of names. // instead of names.
ruleset_1_id = engine.find_ruleset_id(ruleset_1); ruleset_1_id = m_engine->find_ruleset_id(ruleset_1);
ruleset_2_id = engine.find_ruleset_id(ruleset_2); ruleset_2_id = m_engine->find_ruleset_id(ruleset_2);
ruleset_3_id = engine.find_ruleset_id(ruleset_3); ruleset_3_id = m_engine->find_ruleset_id(ruleset_3);
EXPECT_EQ(1, engine.num_rules_for_ruleset(default_ruleset)); EXPECT_EQ(1, m_engine->num_rules_for_ruleset(default_ruleset));
EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_1)); EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_1));
EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_2)); EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_2));
EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_3)); EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_3));
engine.enable_rule("test rule", true, ruleset_1_id); m_engine->enable_rule("test rule", true, ruleset_1_id);
EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1)); EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_1));
EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_2)); EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_2));
EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_3)); EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_3));
engine.enable_rule("test rule", true, ruleset_2_id); m_engine->enable_rule("test rule", true, ruleset_2_id);
EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1)); EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_1));
EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_2)); EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_2));
EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_3)); EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_3));
engine.enable_rule("", true, ruleset_3_id); m_engine->enable_rule("", true, ruleset_3_id);
EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1)); EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_1));
EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_2)); EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_2));
EXPECT_EQ(2, engine.num_rules_for_ruleset(ruleset_3)); EXPECT_EQ(2, m_engine->num_rules_for_ruleset(ruleset_3));
engine.enable_rule("test", false, ruleset_2_id); m_engine->enable_rule("test", false, ruleset_2_id);
EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1)); EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_1));
EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_2)); EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_2));
EXPECT_EQ(2, engine.num_rules_for_ruleset(ruleset_3)); EXPECT_EQ(2, m_engine->num_rules_for_ruleset(ruleset_3));
} }
TEST(EnableRule, enable_rule_name_exact) TEST_F(test_falco_engine, enable_rule_name_exact)
{ {
falco_engine engine; load_rules(single_rule, "single_rule.yaml");
sinsp inspector;
sinsp_filter_check_list filterchecks;
load_rules(engine, inspector, filterchecks); EXPECT_EQ(1, m_engine->num_rules_for_ruleset(default_ruleset));
EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_1));
EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_2));
EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_3));
EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_4));
EXPECT_EQ(1, engine.num_rules_for_ruleset(default_ruleset)); m_engine->enable_rule_exact("test rule", true, ruleset_1);
EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_1)); EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_1));
EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_2)); EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_2));
EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_3)); EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_3));
EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_4)); EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_4));
engine.enable_rule_exact("test rule", true, ruleset_1); m_engine->enable_rule_exact("test rule", true, ruleset_2);
EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1)); EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_1));
EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_2)); EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_2));
EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_3)); EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_3));
EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_4)); EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_4));
engine.enable_rule_exact("test rule", true, ruleset_2);
EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1));
EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_2));
EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_3));
EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_4));
// This should **not** enable as this is a substring and not // This should **not** enable as this is a substring and not
// an exact match. // an exact match.
engine.enable_rule_exact("test", true, ruleset_3); m_engine->enable_rule_exact("test", true, ruleset_3);
EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1)); EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_1));
EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_2)); EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_2));
EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_3)); EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_3));
EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_4)); EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_4));
engine.enable_rule_exact("", true, ruleset_4); m_engine->enable_rule_exact("", true, ruleset_4);
EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1)); EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_1));
EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_2)); EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_2));
EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_3)); EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_3));
EXPECT_EQ(2, engine.num_rules_for_ruleset(ruleset_4)); EXPECT_EQ(2, m_engine->num_rules_for_ruleset(ruleset_4));
engine.enable_rule("test rule", false, ruleset_2); m_engine->enable_rule("test rule", false, ruleset_2);
EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1)); EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_1));
EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_2)); EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_2));
EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_3)); EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_3));
EXPECT_EQ(2, engine.num_rules_for_ruleset(ruleset_4)); EXPECT_EQ(2, m_engine->num_rules_for_ruleset(ruleset_4));
} }