-
Notifications
You must be signed in to change notification settings - Fork 912
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
new(engine): add selective rule overrides #2981
Conversation
9510569
to
19debcc
Compare
This PR may bring feature or behavior changes in the Falco engine and may require the engine version to be bumped. Please double check userspace/engine/falco_engine_version.h file. See versioning for FALCO_ENGINE_VERSION. /hold |
/milestone 0.37.0 |
Thank you @LucaGuerra could you let me know when it would be ready to test drive it? |
19debcc
to
997e5bd
Compare
@@ -185,7 +191,7 @@ void rule_loader::collector::append(configuration& cfg, list_info& info) | |||
{ | |||
auto prev = m_list_infos.at(info.name); | |||
THROW(!prev, | |||
"List has 'append' key but no list by that name already exists", | |||
"List has 'append' key or an append override but no list by that name already exists", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note for the reviewer: this string change is making our testing pipelines fail. No big deal, once we pick the right string I can update the pipelines.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have updated the code to revert the error messages, I really want to be sure that our tests are happy before merging. Messages can be updated in a subsequent PR coordinated with testing.
dcb1205
to
57a5ce5
Compare
@incertum if you are able to test this it would be appreciated :) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
First pass review focused on the tests. Could we add some more? See comment.
Code implementation LGTM and @jasondellaluce already approved the approach as well 😄.
#include "rule_loader_reader.h" | ||
#include "rule_loader_compiler.h" | ||
|
||
class engine_loader_test : public ::testing::Test { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Very neat setup @LucaGuerra much more elegant ❤️ than what I had tried in the past 🤦♀️
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I noticed we actually do something similar in at least three different locations in the test suite (including this one). This is out of scope for this PR but we need to consolidate them and have one fixture to allow loading engine + rulesets.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Big +1, it would be super useful to do this cleanup!
Signed-off-by: Luca Guerra <luca@guerra.sh>
Signed-off-by: Luca Guerra <luca@guerra.sh>
Signed-off-by: Luca Guerra <luca@guerra.sh>
…d in an override Signed-off-by: Luca Guerra <luca@guerra.sh>
57a5ce5
to
aafc711
Compare
Agreed, just wanted to mention it once again 🙃 |
|
||
ASSERT_FALSE(load_rules(rules_content, "rules.yaml")); | ||
// std::cout << m_load_result_json.dump(4) << std::endl; | ||
ASSERT_TRUE(std::string(m_load_result_json["errors"][0]["message"]).find("no rule by that name already exists") != std::string::npos); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[nit] you are overriding a rule, but no rule by that name already exists
or similar
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is an "error message contains" not equals :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
:)
std::string rule_name = "failing_rule"; | ||
|
||
ASSERT_FALSE(load_rules(rules_content, "rules.yaml")); | ||
ASSERT_TRUE(std::string(m_load_result_json["errors"][0]["message"]).find("Unexpected key 'priority'") != std::string::npos); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[nit] same can we make the error message more expressive?
Signed-off-by: Luca Guerra <luca@guerra.sh>
Signed-off-by: Luca Guerra <luca@guerra.sh>
Signed-off-by: Luca Guerra <luca@guerra.sh>
aafc711
to
ca6d383
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/approve
Wonderful work @LucaGuerra, thank you!
LGTM label has been added. Git tree hash: 417d7652d4a972fbad0cae0b2c25f0aab668b43b
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/approve
/hold
Super job Luca! I'm approving and holding just so that you can decide when you feel confident in merging this, but it looks great to me.
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: incertum, jasondellaluce, LucaGuerra The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/unhold Had spoken with Luca on slack. We are good to merge it. |
The following 2 issues were duplicates of the primary issue #1340:
Link them for tracking. |
Added a docs issue to track the documentation need |
I think this part also needs to be updated: |
What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
/area engine
/area tests
What this PR does / why we need it:
This is a rather straightforward implementation of #1340 (comment) . See the comment for examples.
It is now possible to use the
override
key in rules, lists and macros. Some fields can be overridden: for lists and macros there is only one field that we care about, while for rules, the following fields have been selected:append
:{"condition", "output", "desc", "tags", "exceptions"}
replace
:{"condition", "output", "desc", "priority", "tags", "exceptions", "enabled", "warn_evttypes", "skip-if-unknown-filter"}
As per the discussion linked above, it is an error to specify both
append: true
and anyoverride
. Given the syntax it is not possible to attempt to both replace and append the same field in the same entry.Also, if you specify the
override
key you must specify all the fields that you wish to override and only those fields.Which issue(s) this PR fixes:
Fixes #1340
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
Also, this needs to be documented ( cc @mikegcoleman )