new/feat(load-rules): allow override of enabled and priority in appen…

…d mode Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
falcosecurity · Aug 1, 2023 · 7cfec03 · 7cfec03
1 parent a54d7d7
commit 7cfec03
Show file tree

Hide file tree

Showing 5 changed files with 66 additions and 9 deletions.
diff --git a/unit_tests/engine/engine_helper.h b/unit_tests/engine/engine_helper.h
@@ -19,7 +19,7 @@ limitations under the License.
 #include <gtest/gtest.h>
 
 // When updating unit_tests/falco_rules_test.yaml bump this
-#define N_VALID_TEST_RULES_FALCO_RULES_TEST_YAML 4
+#define N_VALID_TEST_RULES_FALCO_RULES_TEST_YAML 5
 
 #define ASSERT_CONTAINS(a, b)            \
     {                                    \

diff --git a/unit_tests/engine/test_rule_loader_reader.cpp b/unit_tests/engine/test_rule_loader_reader.cpp
@@ -38,7 +38,8 @@ TEST(RuleLoaderReader, append_merge_override_enabled)
     engine1->load_rules_file("../unit_tests/falco_rules_test1.yaml");
     auto rules1 = engine1->get_rules();
     std::unordered_set<std::string> rules_names = {};
-    std::unordered_set<std::string> expected_rules_names = {"Dummy Rule 0", "Dummy Rule 1", "Dummy Rule 2", "Dummy Rule 4 Disabled"};
+    std::unordered_set<std::string> expected_rules_names = {"Dummy Rule 0", "Dummy Rule 1", \
+    "Dummy Rule 2", "Dummy Rule 4 Disabled", "Dummy Rule 5"};
     std::unordered_set<std::string> not_expected_rules_names = {"Dummy Rule 3 Invalid"};
     ASSERT_EQ(rules1.size(), N_VALID_TEST_RULES_FALCO_RULES_TEST_YAML);
 
@@ -77,6 +78,16 @@ TEST(RuleLoaderReader, append_merge_override_enabled)
             // Test if entire rule defined just once is disabled
             ASSERT_FALSE(r.enabled);
         }
+        else if (r.name.compare(std::string("Dummy Rule 5")) == 0)
+        {
+            // Test if we correctly support append mode with override for enabled and priority
+            std::set<std::string> some_desired_tags = {"maturity_sandbox", "host", "container"};
+            ASSERT_TRUE(r.enabled); // ensure new definition
+            ASSERT_EQ(r.priority, falco_common::priority_type::PRIORITY_CRITICAL); // ensure new definition
+            ASSERT_STRING_EQUAL(r.cond, std::string("evt.type in (open, openat, openat2) and proc.name=cat"));  // ensure correct append
+            ASSERT_STRING_EQUAL(r.output, std::string("%evt.type %evt.num %proc.cmdline %container.ip")); // ensure correct append
+            ASSERT_CONTAINS(r.tags, some_desired_tags); // ensure correct append
+        }
     }
     ASSERT_CONTAINS(rules_names, expected_rules_names);
     ASSERT_NOT_CONTAINS(rules_names, not_expected_rules_names);

diff --git a/unit_tests/falco_rules_test1.yaml b/unit_tests/falco_rules_test1.yaml
@@ -36,6 +36,14 @@
   priority: NOTICE
   tags: [maturity_incubating, host, container]
 
+- rule: Dummy Rule 5
+  desc: My test desc 5
+  condition: evt.type in (open, openat, openat2)
+  enabled: false
+  output: '%evt.type %evt.num %proc.cmdline'
+  priority: INFORMATIONAL
+  tags: [maturity_sandbox]
+
 # Test appending to rule
 - rule: Dummy Rule 0
   append: true
@@ -57,3 +65,17 @@
 
 - rule: Dummy Rule 2
   enabled: false
+
+# Test append for "appendable" fields `condition`, `output`, `tags`
+# + partial override for eligible fields `enabled` and `priority`
+- rule: Dummy Rule 5
+  append: true
+  desc: My test desc 5
+  condition: and proc.name=cat
+  enabled: true
+  priority: CRITICAL
+  tags: [maturity_sandbox, host, container]
+
+- rule: Dummy Rule 5
+  append: true
+  output: '%container.ip'
diff --git a/userspace/engine/rule_loader_collector.cpp b/userspace/engine/rule_loader_collector.cpp
@@ -276,6 +276,17 @@ void rule_loader::collector::append(configuration& cfg, rule_info& info)
 	      std::string("Unknown source ") + prev->source,
 	      info.ctx);
 
+	// enabled and priority are the cases where we allow override also when using append
+	// for better user experience given the introduction of the rules maturity framework
+	prev->enabled = info.enabled;
+
+	if (info.priority < falco_common::priority_type::PRIORITY_INVALID)
+	{
+		prev->priority = info.priority;
+	}
+
+	// Below fields are fields were we append items
+
 	if (!info.cond.empty())
 	{
 		prev->cond += " ";

diff --git a/userspace/engine/rule_loader_reader.cpp b/userspace/engine/rule_loader_reader.cpp
@@ -376,26 +376,39 @@ static void read_item(
 		if(append)
 		{
 			// option to append to condition property
-			decode_optional_val(item, "condition", v.cond, ctx);
 			if(item["condition"].IsDefined())
 			{
+				decode_optional_val(item, "condition", v.cond, ctx);
 				v.cond_ctx = rule_loader::context(item["condition"], rule_loader::context::RULE_CONDITION, "", ctx);
 			}
-			read_rule_exceptions(item, v, ctx, append);
 
 			// option to append to output property
-			decode_optional_val(item, "output", v.output, ctx);
 			if(item["output"].IsDefined())
 			{
+				decode_optional_val(item, "output", v.output, ctx);
 				v.output_ctx = rule_loader::context(item["output"], rule_loader::context::RULE_OUTPUT, "", ctx);
+				v.output = trim(v.output);
 			}
-			v.output = trim(v.output);
-			read_rule_exceptions(item, v, ctx, append);
 
 			// option to append to tags property
-			decode_tags(item, v.tags, ctx);
-			read_rule_exceptions(item, v, ctx, append);
+			if(item["tags"].IsDefined())
+			{
+				decode_tags(item, v.tags, ctx);
+			}
+
+			// option to override priority in append mode
+			if(item["priority"].IsDefined())
+			{
+				std::string priority;
+				decode_val(item, "priority", priority, ctx);
+				rule_loader::context prictx(item["priority"], rule_loader::context::RULE_PRIORITY, "", ctx);
+				THROW(!falco_common::parse_priority(priority, v.priority),
+					"Invalid priority", prictx);
+			}
 
+			read_rule_exceptions(item, v, ctx, append);
+			// option to override enabled in append mode
+			decode_optional_val(item, "enabled", v.enabled, ctx);
 			collector.append(cfg, v);
 		}
 		else