From 7422b1fd0d528198131fa9c3471d73c1c4b3fc96 Mon Sep 17 00:00:00 2001
From: Jason Dellaluce
Date: Thu, 31 Aug 2023 12:41:16 +0000
Subject: [PATCH] update(tests/falco): cover new skip-if-unknown-filter semantics

Signed-off-by: Jason Dellaluce
---
 tests/data/rules/falco.go | 40 +++++++++++++++++++++++++++++++++++---
 tests/falco/legacy_test.go | 24 +++++++++++++++++------
 2 files changed, 55 insertions(+), 9 deletions(-)

diff --git a/tests/data/rules/falco.go b/tests/data/rules/falco.go
index 372728f..ff9d6f3 100644
--- a/tests/data/rules/falco.go
+++ b/tests/data/rules/falco.go
@@ -1163,24 +1163,58 @@ var SingleRuleWithTags = run.NewStringFileAccessor(
 var SkipUnknownError = run.NewStringFileAccessor(
 	"skip_unknown_error.yaml", `
-- rule: Contains Unknown Event And Not Skipping
+- rule: Contains Unknown Event And Not Skipping (field)
   desc: Contains an unknown event
-  condition: proc.nobody=cat
+  condition: evt.type=open and proc.nobody=cat
+  output: Never
+  skip-if-unknown-filter: false
+  priority: INFO
+
+- rule: Contains Unknown Event And Not Skipping (evt type)
+  desc: Contains an unknown event
+  condition: evt.type=some_invalid_event
   output: Never
   skip-if-unknown-filter: false
   priority: INFO
+
+- rule: Contains Unknown Event And Not Skipping (output)
+  desc: Contains an unknown event
+  condition: evt.type=open
+  output: proc.nobody=%proc.nobody
+  skip-if-unknown-filter: false
+  priority: INFO
 `,
 )
 
 var SkipUnknownEvt = run.NewStringFileAccessor(
 	"skip_unknown_evt.yaml", `
-- rule: Contains Unknown Event And Skipping
+- rule: Contains Unknown Event And Skipping (field)
   desc: Contains an unknown event
   condition: evt.type=open and proc.nobody=cat
   output: Never
   skip-if-unknown-filter: true
   priority: INFO
+
+- rule: Contains Unknown Event And Skipping (evt type)
+  desc: Contains an unknown event
+  condition: evt.type=some_invalid_event
+  output: Never
+  skip-if-unknown-filter: true
+  priority: INFO
+
+- rule: Contains Unknown Event And Skipping (output)
+  desc: Contains an unknown event
+  condition: evt.type=open
+  output: proc.nobody=%proc.nobody
+  skip-if-unknown-filter: true
+  priority: INFO
+
+- rule: Legit Rule (output)
+  desc: A legit rule
+  condition: evt.type=open
+  output: Never
+  priority: INFO
 `,
 )
diff --git a/tests/falco/legacy_test.go b/tests/falco/legacy_test.go
index 4fba4b9..5b666ef 100644
--- a/tests/falco/legacy_test.go
+++ b/tests/falco/legacy_test.go
@@ -272,9 +272,12 @@ func TestFalco_Legacy_DetectSkipUnknownNoevt(t *testing.T) {
 	checkDefaultConfig(t)
 	res := falco.Test(
 		tests.NewFalcoExecutableRunner(t),
+		falco.WithOutputJSON(),
 		falco.WithRules(rules.SkipUnknownEvt),
 		falco.WithCaptureFile(captures.CatWrite),
 	)
+	assert.Equal(t, 8, res.Detections().Count())
+	assert.NotZero(t, res.Detections().OfPriority("INFO").Count())
 	assert.NoError(t, res.Err(), "%s", res.Stderr())
 	assert.Equal(t, 0, res.ExitCode())
 }
@@ -317,10 +320,11 @@ func TestFalco_Legacy_SkipUnknownError(t *testing.T) {
 		falco.WithOutputJSON(),
 		falco.WithRulesValidation(rules.SkipUnknownError),
 	)
+	assert.Equal(t, 1, res.RuleValidation().AllErrors().Count())
 	assert.NotNil(t, res.RuleValidation().AllErrors().
 		OfCode("LOAD_ERR_COMPILE_CONDITION").
 		OfItemType("rule").
-		OfItemName("Contains Unknown Event And Not Skipping").
+		OfItemName("Contains Unknown Event And Not Skipping (field)").
 		OfMessage("filter_check called with nonexistent field proc.nobody"))
 	assert.Error(t, res.Err(), "%s", res.Stderr())
 	assert.Equal(t, 1, res.ExitCode())
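Review bot: The new `assert.Equal(t, 8, res.Detections().Count())` runs before `assert.NoError(t, res.Err(), "%s", res.Stderr())`, so when Falco fails to start or to load the rules the first reported failure is a count mismatch instead of the stderr that the later assertion prints; moving the two detection assertions below the `NoError`/`ExitCode` checks keeps the diagnosis readable. The literal 8 also ties the test to the number of matching events in `captures.CatWrite`, which the hunk does not explain; a comment such as `// 8 open events in CatWrite match "Legit Rule (output)"; the three skip-if-unknown-filter rules must load silently and never fire` would record the intent, assuming that is where the count comes from. If the `Detections` helper offers a per-rule selector alongside `OfPriority`, asserting the count through it would additionally prove that none of the skipped rules fired, which `NotZero` on the INFO count cannot.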
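Review bot: `assert.Equal(t, 1, res.RuleValidation().AllErrors().Count())` pins exactly one error even though `rules.SkipUnknownError` now carries three non-skipping rules (field, evt type, output) that should each fail; if the loader stops at the first compile error, as this count suggests, the `(evt type)` and `(output)` fixtures are never reached and their error paths stay untested. Either split them into separate fixtures and tests mirroring the three warning assertions in `TestFalco_Legacy_ValidateSkipUnknownNoevt`, or add a comment above the assertion, e.g. `// loading aborts at the first failing rule, so only the (field) error is reported`, so the single count reads as intended rather than as an oversight.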
@@ -1657,11 +1661,19 @@ func TestFalco_Legacy_ValidateSkipUnknownNoevt(t *testing.T) {
 		falco.WithOutputJSON(),
 		falco.WithRulesValidation(rules.SkipUnknownEvt),
 	)
-	assert.NotNil(t, res.RuleValidation().AllWarnings().
-		OfCode("LOAD_UNKNOWN_FIELD").
-		OfItemType("rule").
-		OfItemName("Contains Unknown Event And Skipping").
-		OfMessage("filter_check called with nonexistent field proc.nobody"))
+	assert.Equal(t, 3, res.RuleValidation().AllWarnings().Count())
+	ruleWarnings := res.RuleValidation().AllWarnings().
+		OfCode("LOAD_UNKNOWN_FILTER").
+		OfItemType("rule")
+	assert.NotNil(t, ruleWarnings.
+		OfItemName("Contains Unknown Event And Skipping (field)").
+		OfMessage("filter_check called with nonexistent field proc.nobody"), res.Stderr())
+	assert.NotNil(t, ruleWarnings.
+		OfItemName("Contains Unknown Event And Skipping (evt type)").
+		OfMessage("unknown event type some_invalid_event"), res.Stderr())
+	assert.NotNil(t, ruleWarnings.
+		OfItemName("Contains Unknown Event And Skipping (output)").
+		OfMessage("invalid formatting token proc.nobody"), res.Stderr())
 	assert.NoError(t, res.Err(), "%s", res.Stderr())
 	assert.Equal(t, 0, res.ExitCode())
 }
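Review bot: The three `assert.NotNil(t, ruleWarnings.OfItemName(...).OfMessage(...), res.Stderr())` checks only prove that the chain returned a non-nil value; if the `OfItemName`/`OfMessage` selectors return an empty but non-nil collection when nothing matches, each assertion passes vacuously and the `Count() == 3` check above is the only real guard. Asserting the count of each filtered chain instead, e.g. `assert.Equal(t, 1, ruleWarnings.OfItemName("Contains Unknown Event And Skipping (field)").OfMessage("filter_check called with nonexistent field proc.nobody").Count(), res.Stderr())`, makes the intent unambiguous and also verifies that each rule yields exactly one warning. Since the `ruleWarnings` line switches the selected code from `LOAD_UNKNOWN_FIELD` to `LOAD_UNKNOWN_FILTER`, a one-line comment noting that the new code covers unknown fields, event types and output tokens would help readers searching for the old name.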