Add tests for mismatched sources and append
Add additional unit tests to verify that rule loading fails when a
second rules object has a different source but the name of an existing
rules object.

Signed-off-by: Mark Stemm <[email protected]>
mstemm committed Oct 16, 2024
1 parent adbaba3 commit 612a61e
Showing 1 changed file with 67 additions and 0 deletions.
67 changes: 67 additions & 0 deletions unit_tests/engine/test_rule_loader.cpp
Expand Up @@ -1218,7 +1218,74 @@ TEST_F(test_falco_engine, exceptions_fields_transformer_space_quoted) {

ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
EXPECT_EQ(get_compiled_rule_condition("test_rule"),
"(evt.type = open and not tolower(proc.name) = test)");
}

TEST_F(test_falco_engine, redefine_rule_different_source) {
auto rules_content = R"END(
- rule: LD_PRELOAD trick
desc: Some desc
condition: ka.verb = GET
output: some output
priority: INFO
source: k8s_audit
- rule: LD_PRELOAD trick
desc: Some desc
condition: and 1 = 2
output: Some output
priority: INFO
source: syscall
)END";

ASSERT_FALSE(load_rules(rules_content, "rules.yaml"));
ASSERT_FALSE(has_warnings());
EXPECT_EQ(get_compiled_rule_condition("test_rule"),
"(evt.type = open and not tolower(proc.name) = test)");
ASSERT_TRUE(check_error_message("Rule has been re-defined with a different source"));
}

TEST_F(test_falco_engine, append_across_sources) {
auto rules_content = R"END(
- rule: LD_PRELOAD trick
desc: Some desc
condition: ka.verb = GET
output: some output
priority: INFO
source: k8s_audit
- rule: LD_PRELOAD trick
desc: Some desc
condition: and 1 = 2
output: Some output
priority: INFO
source: syscall
append: true
)END";

ASSERT_FALSE(load_rules(rules_content, "rules.yaml"));
ASSERT_FALSE(has_warnings());
ASSERT_TRUE(check_error_message("Rule has been re-defined with a different source"));
}

TEST_F(test_falco_engine, selective_replace_across_sources) {
auto rules_content = R"END(
- rule: LD_PRELOAD trick
desc: Some desc
condition: ka.verb = GET
output: some output
priority: INFO
source: k8s_audit
- rule: LD_PRELOAD trick
condition: 1 = 2
override:
condition: replace
source: syscall
)END";

ASSERT_FALSE(load_rules(rules_content, "rules.yaml"));
ASSERT_FALSE(has_warnings());
ASSERT_TRUE(check_error_message("Rule has been re-defined with a different source"));
}
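Review bot: In `redefine_rule_different_source`, the `EXPECT_EQ(get_compiled_rule_condition("test_rule"), ...)` that follows `ASSERT_FALSE(has_warnings())` looks like a copy-paste leftover from `exceptions_fields_transformer_space_quoted`. This test's YAML defines only `LD_PRELOAD trick`, the load is expected to fail, and neither `append_across_sources` nor `selective_replace_across_sources` carries the same check, so I would drop those two lines and let the test pin only the rejection and its error message. Separately, the second rule in that test uses `condition: and 1 = 2`, which reads as an append fragment; a standalone condition such as `1 = 2` (as the selective-replace test uses) would make it clearer that the load fails because of the source mismatch and not because of the condition itself. A one-line comment on each test, e.g. `// A same-named rule from another source must be rejected, not merged or appended.`, would record why this matters: a silent cross-source merge could change what a detection rule matches.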
