
Commit ff211ed

committed
Add tests for mismatched sources and append
Add additional unit tests to verify that rule loading fails when a second rules object has the same name as an existing rules object but a different source. Also add tests for additional rules that have an empty source. Signed-off-by: Mark Stemm <[email protected]>
1 parent c05da5f commit ff211ed


1 file changed

+107
-0
lines changed


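--- a/unit_tests/engine/test_rule_loader.cpp
+++ b/unit_tests/engine/test_rule_loader.cpp
@@ -1222,3 +1222,110 @@ TEST_F(test_falco_engine, exceptions_fields_transformer_space_quoted) {
 EXPECT_EQ(get_compiled_rule_condition("test_rule"),
 "(evt.type = open and not tolower(proc.name) = test)");
 }
+
+TEST_F(test_falco_engine, redefine_rule_different_source) {
+auto rules_content = R"END(
+- rule: LD_PRELOAD trick
+desc: Some desc
+condition: ka.verb = GET
+output: some output
+priority: INFO
+source: k8s_audit
+
+- rule: LD_PRELOAD trick
+desc: Some desc
+condition: and 1 = 2
+output: Some output
+priority: INFO
+source: syscall
+)END";
+
+ASSERT_FALSE(load_rules(rules_content, "rules.yaml"));
+ASSERT_TRUE(check_error_message("Rule has been re-defined with a different source"));
+}
+
+TEST_F(test_falco_engine, append_across_sources) {
+auto rules_content = R"END(
+- rule: LD_PRELOAD trick
+desc: Some desc
+condition: ka.verb = GET
+output: some output
+priority: INFO
+source: k8s_audit
+
+- rule: LD_PRELOAD trick
+desc: Some desc
+condition: and 1 = 2
+output: Some output
+priority: INFO
+source: syscall
+append: true
+)END";
+
+ASSERT_FALSE(load_rules(rules_content, "rules.yaml"));
+ASSERT_TRUE(check_error_message("Rule has been re-defined with a different source"));
+}
+
+TEST_F(test_falco_engine, selective_replace_across_sources) {
+auto rules_content = R"END(
+- rule: LD_PRELOAD trick
+desc: Some desc
+condition: ka.verb = GET
+output: some output
+priority: INFO
+source: k8s_audit
+
+- rule: LD_PRELOAD trick
+condition: 1 = 2
+override:
+condition: replace
+source: syscall
+)END";
+
+ASSERT_FALSE(load_rules(rules_content, "rules.yaml"));
+ASSERT_TRUE(check_error_message("Rule has been re-defined with a different source"));
+}
+
+TEST_F(test_falco_engine, empty_source_addl_rule)
+{
+auto rules_content = R"END(
+- rule: LD_PRELOAD trick
+desc: Some desc
+condition: evt.type=execve
+output: some output
+priority: INFO
+source: syscall
+
+- rule: LD_PRELOAD trick
+desc: Some desc
+condition: and proc.name=apache
+output: Some output
+priority: INFO
+source:
+append: true
+)END";
+
+EXPECT_TRUE(load_rules(rules_content, "rules.yaml"));
+}
+
+TEST_F(test_falco_engine, empty_string_source_addl_rule)
+{
+auto rules_content = R"END(
+- rule: LD_PRELOAD trick
+desc: Some desc
+condition: evt.type=execve
+output: some output
+priority: INFO
+source: syscall
+
+- rule: LD_PRELOAD trick
+desc: Some desc
+condition: and proc.name=apache
+output: Some output
+priority: INFO
+source: ""
+append: true
+)END";
+
+EXPECT_TRUE(load_rules(rules_content, "rules.yaml"));
+}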
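Review bot: `empty_source_addl_rule` and `empty_string_source_addl_rule` assert only that `load_rules` returns true, so a loader that accepts the second object but silently ignores its `append` would still pass. For a detection engine the effective condition is what matters, and each test could pin it with the helper already used earlier in this file, e.g. `EXPECT_EQ(get_compiled_rule_condition("LD_PRELOAD trick"), "(evt.type = execve and proc.name = apache)");` (the exact compiled string should be confirmed against the engine's output). The empty-source cases also cover only `append: true`; an `override:` / `condition: replace` object with an empty or `""` source is not exercised here, although the mismatched-source case for it is.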
