update(tests/falco): cover new skip-if-unknown-filter semantics
Signed-off-by: Jason Dellaluce <[email protected]>
jasondellaluce committed Aug 31, 2023
1 parent bbb796b commit 7422b1f
Showing 2 changed files with 55 additions and 9 deletions.
40 changes: 37 additions & 3 deletions tests/data/rules/falco.go
Expand Up @@ -1163,24 +1163,58 @@ var SingleRuleWithTags = run.NewStringFileAccessor(
var SkipUnknownError = run.NewStringFileAccessor(
"skip_unknown_error.yaml",
`
- rule: Contains Unknown Event And Not Skipping
- rule: Contains Unknown Event And Not Skipping (field)
desc: Contains an unknown event
condition: proc.nobody=cat
condition: evt.type=open and proc.nobody=cat
output: Never
skip-if-unknown-filter: false
priority: INFO
- rule: Contains Unknown Event And Not Skipping (evt type)
desc: Contains an unknown event
condition: evt.type=some_invalid_event
output: Never
skip-if-unknown-filter: false
priority: INFO
- rule: Contains Unknown Event And Not Skipping (output)
desc: Contains an unknown event
condition: evt.type=open
output: proc.nobody=%proc.nobody
skip-if-unknown-filter: false
priority: INFO
`,
)

var SkipUnknownEvt = run.NewStringFileAccessor(
"skip_unknown_evt.yaml",
`
- rule: Contains Unknown Event And Skipping
- rule: Contains Unknown Event And Skipping (field)
desc: Contains an unknown event
condition: evt.type=open and proc.nobody=cat
output: Never
skip-if-unknown-filter: true
priority: INFO
- rule: Contains Unknown Event And Skipping (evt type)
desc: Contains an unknown event
condition: evt.type=some_invalid_event
output: Never
skip-if-unknown-filter: true
priority: INFO
- rule: Contains Unknown Event And Skipping (output)
desc: Contains an unknown event
condition: evt.type=open
output: proc.nobody=%proc.nobody
skip-if-unknown-filter: true
priority: INFO
- rule: Legit Rule (output)
desc: A legit rule
condition: evt.type=open
output: Never
priority: INFO
`,
)

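Review bot: The SkipUnknownEvt fixture gains three deliberately broken rules plus "Legit Rule (output)" but nothing in the file says why the valid rule is there, so a future edit could drop or rename it and silently change what the detection test counts. From the sibling change in legacy_test.go, the valid rule appears to be the only one expected to load and fire on the capture, though that is inferred rather than visible here. A doc comment on the variable would pin the intent: `// SkipUnknownEvt holds three rules that each use an unknown field, event type or output token with skip-if-unknown-filter: true, plus one valid rule; the loader is expected to skip the first three and still load and run the last.` The same reasoning applies to SkipUnknownError, whose three rules set the flag to false and should all be reported as load errors.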
24 changes: 18 additions & 6 deletions tests/falco/legacy_test.go
Expand Up @@ -272,9 +272,12 @@ func TestFalco_Legacy_DetectSkipUnknownNoevt(t *testing.T) {
checkDefaultConfig(t)
res := falco.Test(
tests.NewFalcoExecutableRunner(t),
falco.WithOutputJSON(),
falco.WithRules(rules.SkipUnknownEvt),
falco.WithCaptureFile(captures.CatWrite),
)
assert.Equal(t, 8, res.Detections().Count())
assert.NotZero(t, res.Detections().OfPriority("INFO").Count())
assert.NoError(t, res.Err(), "%s", res.Stderr())
assert.Equal(t, 0, res.ExitCode())
}
Expand Down Expand Up @@ -317,10 +320,11 @@ func TestFalco_Legacy_SkipUnknownError(t *testing.T) {
falco.WithOutputJSON(),
falco.WithRulesValidation(rules.SkipUnknownError),
)
assert.Equal(t, 1, res.RuleValidation().AllErrors().Count())
assert.NotNil(t, res.RuleValidation().AllErrors().
OfCode("LOAD_ERR_COMPILE_CONDITION").
OfItemType("rule").
OfItemName("Contains Unknown Event And Not Skipping").
OfItemName("Contains Unknown Event And Not Skipping (field)").
OfMessage("filter_check called with nonexistent field proc.nobody"))
assert.Error(t, res.Err(), "%s", res.Stderr())
assert.Equal(t, 1, res.ExitCode())
Expand Down Expand Up @@ -1657,11 +1661,19 @@ func TestFalco_Legacy_ValidateSkipUnknownNoevt(t *testing.T) {
falco.WithOutputJSON(),
falco.WithRulesValidation(rules.SkipUnknownEvt),
)
assert.NotNil(t, res.RuleValidation().AllWarnings().
OfCode("LOAD_UNKNOWN_FIELD").
OfItemType("rule").
OfItemName("Contains Unknown Event And Skipping").
OfMessage("filter_check called with nonexistent field proc.nobody"))
assert.Equal(t, 3, res.RuleValidation().AllWarnings().Count())
ruleWarnings := res.RuleValidation().AllWarnings().
OfCode("LOAD_UNKNOWN_FILTER").
OfItemType("rule")
assert.NotNil(t, ruleWarnings.
OfItemName("Contains Unknown Event And Skipping (field)").
OfMessage("filter_check called with nonexistent field proc.nobody"), res.Stderr())
assert.NotNil(t, ruleWarnings.
OfItemName("Contains Unknown Event And Skipping (evt type)").
OfMessage("unknown event type some_invalid_event"), res.Stderr())
assert.NotNil(t, ruleWarnings.
OfItemName("Contains Unknown Event And Skipping (output)").
OfMessage("invalid formatting token proc.nobody"), res.Stderr())
assert.NoError(t, res.Err(), "%s", res.Stderr())
assert.Equal(t, 0, res.ExitCode())
}
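Review bot: In TestFalco_Legacy_ValidateSkipUnknownNoevt the three new checks on ruleWarnings use assert.NotNil on the result of the OfItemName(...).OfMessage(...) chain; if those selectors return an empty but non-nil collection when nothing matches (not visible from this page), the assertions pass vacuously and only the preceding `assert.Equal(t, 3, ...)` on the total count would catch a regression. Asserting the size of each filtered set, e.g. `assert.Equal(t, 1, ruleWarnings.OfItemName("Contains Unknown Event And Skipping (field)").OfMessage("filter_check called with nonexistent field proc.nobody").Count(), res.Stderr())`, would make each of the three checks meaningful on its own. The enclosing function starts above the hunk, so the falco.Test call that produces res is not shown. The same consideration applies to the hard-coded `assert.Equal(t, 8, res.Detections().Count())` in TestFalco_Legacy_DetectSkipUnknownNoevt, where a short comment tying the number to the capture and the single valid rule would explain where 8 comes from.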
