Add tests for mismatched sources and append

Add additional unit tests to verify that rule loading fails when a second rules object has a different source but the name of an existing rules object. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
falcosecurity · Oct 16, 2024 · d051c56 · d051c56
1 parent bb1fb86
commit d051c56
Showing 1 changed file with 71 additions and 0 deletions.
diff --git a/unit_tests/engine/test_rule_loader.cpp b/unit_tests/engine/test_rule_loader.cpp
@@ -1218,7 +1218,78 @@ TEST_F(test_falco_engine, exceptions_fields_transformer_space_quoted) {
 
 	ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
 	ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
+	EXPECT_EQ(get_compiled_rule_condition("test_rule"),
+	          "(evt.type = open and not tolower(proc.name) = test)");
+}
+
+TEST_F(test_falco_engine, redefine_rule_different_source) {
+	auto rules_content = R"END(
+- rule: LD_PRELOAD trick
+  desc: Some desc
+  condition: ka.verb = GET
+  output: some output
+  priority: INFO
+  source: k8s_audit
+
+- rule: LD_PRELOAD trick
+  desc: Some desc
+  condition: and 1 = 2
+  output: Some output
+  priority: INFO
+  source: syscall
+)END";
+
+	ASSERT_FALSE(load_rules(rules_content, "rules.yaml"));
 	ASSERT_FALSE(has_warnings());
 	EXPECT_EQ(get_compiled_rule_condition("test_rule"),
 	          "(evt.type = open and not tolower(proc.name) = test)");
+	ASSERT_TRUE(check_error_message("Rule has been re-defined with a different source"));
+}
+
+TEST_F(test_falco_engine, append_across_sources) {
+	auto rules_content = R"END(
+- rule: LD_PRELOAD trick
+  desc: Some desc
+  condition: ka.verb = GET
+  output: some output
+  priority: INFO
+  source: k8s_audit
+
+- rule: LD_PRELOAD trick
+  desc: Some desc
+  condition: and 1 = 2
+  output: Some output
+  priority: INFO
+  source: syscall
+  append: true
+)END";
+
+	ASSERT_FALSE(load_rules(rules_content, "rules.yaml"));
+	ASSERT_FALSE(has_warnings());
+	ASSERT_TRUE(check_error_message("Rule has been re-defined with a different source"));
+}
+
+// Re-enable this test once downstream supports the replace directive
+#if 0
+TEST_F(test_falco_engine, selective_replace_across_sources)
+{
+	auto rules_content = R"END(
+- rule: LD_PRELOAD trick
+  desc: Some desc
+  condition: ka.verb = GET
+  output: some output
+  priority: INFO
+  source: k8s_audit
+
+- rule: LD_PRELOAD trick
+  condition: 1 = 2
+  override:
+    condition: replace
+  source: syscall
+)END";
+
+	ASSERT_FALSE(load_rules(rules_content, "rules.yaml"));
+	ASSERT_FALSE(has_warnings());
+	ASSERT_TRUE(check_error_message("Rule has been re-defined with a different source"));
 }
+#endif