Test for rule/macro having unknown source

The rules file has a rule/macro with an unknown source as well as a rule
that matches a trace file, and verifies that the rule/macro with the
unknown source doesn't interfere with rule loading/event matching.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

test/falco_tests.yaml

@@ -1277,3 +1277,10 @@ trace_files: !mux
     trace_file: trace_files/cat_write.scap
     stdout_contains: "2016-08-04T16:17:57.882054739\\+0000: Warning An open was seen"
     stderr_contains: "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\d\\+0000"
+
+  unknown_source:
+    detect: True
+    detect_level: WARNING
+    rules_file:
+      - rules/unknown_source.yaml
+    trace_file: trace_files/cat_write.scap

test/rules/unknown_source.yaml

@@ -0,0 +1,31 @@
+#
+# Copyright (C) 2021 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+- macro: Macro with unknown source
+  condition: some other unknown filter
+  source: unknown-source
+
+- rule: Rule with unknown source
+  condition: some unknown filter
+  output: some unknown output
+  priority: INFO
+  source: unknown-source
+
+- rule: open_from_cat
+  desc: A process named cat does an open
+  condition: evt.type=open and proc.name=cat
+  output: "An open was seen (command=%proc.cmdline)"
+  priority: WARNING

userspace/engine/lua/rule_loader.lua

@@ -436,6 +436,11 @@ function load_rules_doc(rules_mgr, doc, load_state)
 	    v['source'] = "syscall"
 	 end
 
+	 -- Ignore macros with unknown sources
+	 if (v['source'] ~= "syscall" and v['source'] ~= "k8s_audit") then
+	    goto next_object
+	 end
+
 	 if state.macros_by_name[v['macro']] == nil then
 	    state.ordered_macro_names[#state.ordered_macro_names+1] = v['macro']
 	 end
@@ -522,6 +527,11 @@ function load_rules_doc(rules_mgr, doc, load_state)
 	    v['source'] = "syscall"
 	 end
 
+	 -- Ignore rules with unknown sources
+	 if (v['source'] ~= "syscall" and v['source'] ~= "k8s_audit") then
+	    goto next_object
+	 end
+
 	 -- Add an empty exceptions property to the rule if not
 	 -- defined, but add a warning about defining one
 	 if v['exceptions'] == nil then
@@ -668,6 +678,8 @@ function load_rules_doc(rules_mgr, doc, load_state)
 	 arr = build_error_with_context(context, "Unknown top level object: "..table.tostring(v))
 	 warnings[#warnings + 1] = arr[1]
       end
+
+      ::next_object::
    end
 
    return true, {}, warnings