new(engine): add selective rule overrides #2981
Conversation
LucaGuerra
force-pushed
the
new/rule-override
branch
from
9510569
to
19debcc
Compare
|
This PR may bring feature or behavior changes in the Falco engine and may require the engine version to be bumped. Please double check userspace/engine/falco_engine_version.h file. See versioning for FALCO_ENGINE_VERSION. /hold |
|
/milestone 0.37.0 |
|
Thank you @LucaGuerra could you let me know when it would be ready to test drive it? |
LucaGuerra
force-pushed
the
new/rule-override
branch
from
19debcc
to
997e5bd
Compare
| @@ -185,7 +191,7 @@ void rule_loader::collector::append(configuration& cfg, list_info& info) | |||
| { | |||
| auto prev = m_list_infos.at(info.name); | |||
| THROW(!prev, | |||
| "List has 'append' key but no list by that name already exists", | |||
| "List has 'append' key or an append override but no list by that name already exists", | |||
There was a problem hiding this comment.
Note for the reviewer: this string change is making our testing pipelines fail. No big deal, once we pick the right string I can update the pipelines.
There was a problem hiding this comment.
I have updated the code to revert the error messages, I really want to be sure that our tests are happy before merging. Messages can be updated in a subsequent PR coordinated with testing.
LucaGuerra
force-pushed
the
new/rule-override
branch
2 times, most recently
from
dcb1205
to
57a5ce5
Compare
LucaGuerra
changed the title
|
@incertum if you are able to test this it would be appreciated :) |
leogr
changed the title
There was a problem hiding this comment.
First pass review focused on the tests. Could we add some more? See comment.
Code implementation LGTM and @jasondellaluce already approved the approach as well 😄.
| #include "rule_loader_reader.h" | ||
| #include "rule_loader_compiler.h" | ||
|
|
||
| class engine_loader_test : public ::testing::Test { |
There was a problem hiding this comment.
Very neat setup @LucaGuerra much more elegant ❤️ than what I had tried in the past 🤦♀️
There was a problem hiding this comment.
I noticed we actually do something similar in at least three different locations in the test suite (including this one). This is out of scope for this PR but we need to consolidate them and have one fixture to allow loading engine + rulesets.
There was a problem hiding this comment.
Big +1, it would be super useful to do this cleanup!
Signed-off-by: Luca Guerra <luca@guerra.sh>
Signed-off-by: Luca Guerra <luca@guerra.sh>
Signed-off-by: Luca Guerra <luca@guerra.sh>
…d in an override Signed-off-by: Luca Guerra <luca@guerra.sh>
LucaGuerra
force-pushed
the
new/rule-override
branch
from
57a5ce5
to
aafc711
Compare
Agreed, just wanted to mention it once again 🙃 |
|
|
||
| ASSERT_FALSE(load_rules(rules_content, "rules.yaml")); | ||
| // std::cout << m_load_result_json.dump(4) << std::endl; | ||
| ASSERT_TRUE(std::string(m_load_result_json["errors"][0]["message"]).find("no rule by that name already exists") != std::string::npos); |
There was a problem hiding this comment.
[nit] you are overriding a rule, but no rule by that name already exists or similar
There was a problem hiding this comment.
This is an "error message contains" not equals :)
| std::string rule_name = "failing_rule"; | ||
|
|
||
| ASSERT_FALSE(load_rules(rules_content, "rules.yaml")); | ||
| ASSERT_TRUE(std::string(m_load_result_json["errors"][0]["message"]).find("Unexpected key 'priority'") != std::string::npos); |
There was a problem hiding this comment.
[nit] same can we make the error message more expressive?
Signed-off-by: Luca Guerra <luca@guerra.sh>
Signed-off-by: Luca Guerra <luca@guerra.sh>
Signed-off-by: Luca Guerra <luca@guerra.sh>
LucaGuerra
force-pushed
the
new/rule-override
branch
from
aafc711
to
ca6d383
Compare
|
LGTM label has been added. Git tree hash: 417d7652d4a972fbad0cae0b2c25f0aab668b43b
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: incertum, jasondellaluce, LucaGuerra The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/unhold Had spoken with Luca on slack. We are good to merge it. |
|
The following 2 issues were duplicates of the primary issue #1340:
Link them for tracking. |
|
Added a docs issue to track the documentation need |
|
I think this part also needs to be updated: |
What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
/area engine
/area tests
What this PR does / why we need it:
This is a rather straightforward implementation of #1340 (comment) . See the comment for examples.
It is now possible to use the
overridekey in rules, lists and macros. Some fields can be overridden: for lists and macros there is only one field that we care about, while for rules, the following fields have been selected:append:{"condition", "output", "desc", "tags", "exceptions"}replace:{"condition", "output", "desc", "priority", "tags", "exceptions", "enabled", "warn_evttypes", "skip-if-unknown-filter"}As per the discussion linked above, it is an error to specify both
append: trueand anyoverride. Given the syntax it is not possible to attempt to both replace and append the same field in the same entry.Also, if you specify the
overridekey you must specify all the fields that you wish to override and only those fields.Which issue(s) this PR fixes:
Fixes #1340
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
Also, this needs to be documented ( cc @mikegcoleman )