test(libsinsp): cover new changes in filter compiler and existing vis…

…itors

Co-authored-by: Andrea Terzolo <[email protected]>
Signed-off-by: Jason Dellaluce <[email protected]>

userspace/libsinsp/test/filter_compiler.ut.cpp

@@ -43,6 +43,11 @@ class mock_compiler_filter_check : public sinsp_filter_check
 		m_value = string(str, l);
 	}
 
+	inline void add_filter_value(std::unique_ptr<sinsp_filter_check> f) override
+	{
+		throw sinsp_exception("unexpected right-hand side filter comparison");
+	}
+
 	inline bool extract(sinsp_evt *e, OUT vector<extract_value_t>& v, bool) override
 	{
 		return false;
@@ -277,4 +282,103 @@ TEST_F(sinsp_with_test_input, filter_simple_evaluation)
 	add_default_init_thread();
 	open_inspector();
 	ASSERT_TRUE(evaluate_filter_str(&m_inspector, "(evt.type = getcwd)", generate_getcwd_failed_entry_event()));
+	ASSERT_TRUE(
+		evaluate_filter_str(&m_inspector, "(evt.arg.res = val(evt.arg.res))", generate_getcwd_failed_entry_event()));
+}
+
+TEST_F(sinsp_with_test_input, filter_val_transformer)
+{
+	add_default_init_thread();
+	open_inspector();
+	// Please note that with `evt.args = evt.args` we are evaluating the field `evt.args` against the const value
+	// `evt.args`.
+	ASSERT_FALSE(evaluate_filter_str(&m_inspector, "(evt.args = evt.args)", generate_getcwd_failed_entry_event()));
+	ASSERT_TRUE(evaluate_filter_str(&m_inspector, "(evt.args = val(evt.args))", generate_getcwd_failed_entry_event()));
+
+	// val() expects a field inside it is not a transformer
+	ASSERT_THROW(evaluate_filter_str(&m_inspector, "(syscall.type = val(tolower(toupper(syscall.type))))",
+					 generate_getcwd_failed_entry_event()),
+		     sinsp_exception);
+
+	// val() is not supported on the left
+	ASSERT_THROW(evaluate_filter_str(&m_inspector, "(val(evt.args) = val(evt.args))", generate_getcwd_failed_entry_event()),
+		     sinsp_exception);
+
+	// val() cannot support a list
+	ASSERT_THROW(evaluate_filter_str(&m_inspector, "(syscall.type = val(syscall.type, evt.type))",
+					 generate_getcwd_failed_entry_event()),
+		     sinsp_exception);
+}
+
+TEST_F(sinsp_with_test_input, filter_transformers_combination)
+{
+	add_default_init_thread();
+	open_inspector();
+
+	ASSERT_TRUE(
+		evaluate_filter_str(&m_inspector, "(tolower(syscall.type) = getcwd)", generate_getcwd_failed_entry_event()));
+
+	ASSERT_TRUE(
+		evaluate_filter_str(&m_inspector, "(toupper(syscall.type) = GETCWD)", generate_getcwd_failed_entry_event()));
+
+	ASSERT_TRUE(evaluate_filter_str(&m_inspector, "(tolower(toupper(syscall.type)) = getcwd)",
+					generate_getcwd_failed_entry_event()));
+
+	ASSERT_TRUE(evaluate_filter_str(&m_inspector, "(tolower(syscall.type) = tolower(syscall.type))",
+					generate_getcwd_failed_entry_event()));
+	ASSERT_TRUE(evaluate_filter_str(&m_inspector, "(toupper(syscall.type) = toupper(syscall.type))",
+					generate_getcwd_failed_entry_event()));
+	ASSERT_TRUE(evaluate_filter_str(&m_inspector,
+					"(tolower(toupper(syscall.type)) = tolower(toupper(syscall.type)))",
+					generate_getcwd_failed_entry_event()));
+}
+
+TEST_F(sinsp_with_test_input, filter_different_types)
+{
+	add_default_init_thread();
+	open_inspector();
+
+	// The 2 fields checks have different types
+	ASSERT_THROW(evaluate_filter_str(&m_inspector, "syscall.type = val(evt.is_wait)", generate_getcwd_failed_entry_event()),
+		     sinsp_exception);
+}
+
+TEST_F(sinsp_with_test_input, filter_not_supported_rhs_field)
+{
+	add_default_init_thread();
+	open_inspector();
+
+	// `evt.around` cannot be used as a rhs filter check
+	ASSERT_THROW(evaluate_filter_str(&m_inspector, "evt.buflen.in = val(evt.around[1404996934793590564])",
+					 generate_getcwd_failed_entry_event()),
+		     sinsp_exception);
+
+	// `evt.around` cannot support a rhs filter check
+	ASSERT_THROW(evaluate_filter_str(&m_inspector, "evt.around[1404996934793590564] = val(evt.buflen.in)",
+					 generate_getcwd_failed_entry_event()),
+		     sinsp_exception);
+}
+
+TEST_F(sinsp_with_test_input, filter_not_supported_transformers)
+{
+	add_default_init_thread();
+	open_inspector();
+
+	// `evt.rawarg` doesn't support a transformer
+	ASSERT_THROW(evaluate_filter_str(&m_inspector, "toupper(evt.rawarg.res) = -1", generate_getcwd_failed_entry_event()),
+		     sinsp_exception);
+}
+
+TEST_F(sinsp_with_test_input, filter_transformers_wrong_input_type)
+{
+	add_default_init_thread();
+	open_inspector();
+
+	//  These transformers are not supported on `PT_INT64` type
+	ASSERT_THROW(evaluate_filter_str(&m_inspector, "toupper(evt.rawres) = -1", generate_getcwd_failed_entry_event()),
+		     sinsp_exception);
+	ASSERT_THROW(evaluate_filter_str(&m_inspector, "tolower(evt.rawres) = -1", generate_getcwd_failed_entry_event()),
+		     sinsp_exception);
+	ASSERT_THROW(evaluate_filter_str(&m_inspector, "b64(evt.rawres) = -1", generate_getcwd_failed_entry_event()),
+		     sinsp_exception);
 }

userspace/libsinsp/test/filter_ppm_codes.ut.cpp

@@ -288,3 +288,44 @@ TEST_CODES(filter_ppm_codes, check_properties)
     ASSERT_FILTER_EQ(t, "not (proc.name=cat or fd.type=file)", "not (fd.type=file or proc.name=cat)");
     ASSERT_FILTER_EQ(t, "not proc.name=cat or not fd.type=file", "not fd.type=file or not proc.name=cat");
 }
+
+TEST_CODES(filter_ppm_codes, field_transformers)
+{
+    auto parse = [](const std::string& f) {
+        libsinsp::filter::ast::ppm_event_codes(libsinsp::filter::parser(f).parse().get());
+    };
+
+    ASSERT_NO_THROW(parse("evt.type = close"));
+    ASSERT_NO_THROW(parse("b64(proc.name) = cat"));
+    ASSERT_NO_THROW(parse("proc.name = b64(fd.name)"));
+    ASSERT_NO_THROW(parse("b64(proc.name) = b64(fd.name)"));
+    ASSERT_NO_THROW(parse("evt.type != close"));
+    ASSERT_NO_THROW(parse("b64(proc.name) != cat"));
+    ASSERT_NO_THROW(parse("proc.name != b64(fd.name)"));
+    ASSERT_NO_THROW(parse("b64(proc.name) != b64(fd.name)"));
+    ASSERT_NO_THROW(parse("not evt.type = close"));
+    ASSERT_NO_THROW(parse("not b64(proc.name) = cat"));
+    ASSERT_NO_THROW(parse("not proc.name = b64(fd.name)"));
+    ASSERT_NO_THROW(parse("not b64(proc.name) = b64(fd.name)"));
+    ASSERT_NO_THROW(parse("not evt.type != close"));
+    ASSERT_NO_THROW(parse("not b64(proc.name) != cat"));
+    ASSERT_NO_THROW(parse("not proc.name != b64(fd.name)"));
+    ASSERT_NO_THROW(parse("not b64(proc.name) != b64(fd.name)"));
+
+    ASSERT_ANY_THROW(parse("b64(evt.type) = close"));
+    ASSERT_ANY_THROW(parse("evt.type = b64(proc.name)"));
+    ASSERT_ANY_THROW(parse("evt.type = val(proc.name)"));
+    ASSERT_ANY_THROW(parse("b64(evt.type) = val(proc.name)"));
+    ASSERT_ANY_THROW(parse("b64(evt.type) != close"));
+    ASSERT_ANY_THROW(parse("evt.type != b64(proc.name)"));
+    ASSERT_ANY_THROW(parse("evt.type != val(proc.name)"));
+    ASSERT_ANY_THROW(parse("b64(evt.type) != val(proc.name)"));
+    ASSERT_ANY_THROW(parse("not b64(evt.type) = close"));
+    ASSERT_ANY_THROW(parse("not evt.type = b64(proc.name)"));
+    ASSERT_ANY_THROW(parse("not evt.type = val(proc.name)"));
+    ASSERT_ANY_THROW(parse("not b64(evt.type) = val(proc.name)"));
+    ASSERT_ANY_THROW(parse("not b64(evt.type) != close"));
+    ASSERT_ANY_THROW(parse("not evt.type != b64(proc.name)"));
+    ASSERT_ANY_THROW(parse("not evt.type != val(proc.name)"));
+    ASSERT_ANY_THROW(parse("not b64(evt.type) != val(proc.name)"));
+}

userspace/libsinsp/test/plugins.ut.cpp

@@ -148,6 +148,13 @@ TEST(plugins, broken_async_capability)
 	ASSERT_ANY_THROW(register_plugin_api(&inspector, api));
 }
 
+static bool evaluate_filter_str(sinsp* inspector, std::string filter_str, sinsp_evt* evt, filter_check_list& list)
+{
+	sinsp_filter_compiler compiler(std::make_shared<sinsp_filter_factory>(inspector, list), filter_str);
+	auto filter = compiler.compile();
+	return filter->run(evt);
+}
+
 // scenario: a plugin with field extraction capability compatible with the
 // "syscall" event source should be able to extract filter values from
 // regular syscall events produced by any scap engine.
@@ -183,6 +190,29 @@ TEST_F(sinsp_with_test_input, plugin_syscall_extract)
 	ASSERT_FALSE(field_has_value(evt, "sample.evt_count", pl_flist));
 	ASSERT_EQ(get_field_as_string(evt, "sample.tick", pl_flist), "false");
 
+	// Check rhs filter checks support on plugins
+
+	// Check on strings
+	ASSERT_EQ(get_field_as_string(evt, "sample.proc_name", pl_flist), "init");
+	ASSERT_TRUE(evaluate_filter_str(&m_inspector, "(sample.proc_name = init)", evt, pl_flist));
+	ASSERT_FALSE(evaluate_filter_str(&m_inspector, "(sample.proc_name = sample.proc_name)", evt, pl_flist));
+	ASSERT_TRUE(evaluate_filter_str(&m_inspector, "(sample.proc_name = val(sample.proc_name))", evt, pl_flist));
+	ASSERT_FALSE(evaluate_filter_str(&m_inspector, "(sample.proc_name = val(sample.tick))", evt, pl_flist));
+	ASSERT_FALSE(evaluate_filter_str(&m_inspector, "(sample.proc_name = val(evt.pluginname))", evt, pl_flist));
+	ASSERT_FALSE(evaluate_filter_str(&m_inspector, "(evt.pluginname = val(sample.proc_name))", evt, pl_flist));
+
+	// Check on uin64_t
+	ASSERT_TRUE(evaluate_filter_str(&m_inspector, "(sample.is_open = 1)", evt, pl_flist));
+	ASSERT_THROW(evaluate_filter_str(&m_inspector, "(sample.is_open = sample.is_open)", evt, pl_flist), sinsp_exception);
+	ASSERT_TRUE(evaluate_filter_str(&m_inspector, "(sample.is_open = val(sample.is_open))", evt, pl_flist));
+
+	// Check transformers on plugins filter checks
+	ASSERT_FALSE(evaluate_filter_str(&m_inspector, "(toupper(sample.proc_name) = init)", evt, pl_flist));
+	ASSERT_TRUE(evaluate_filter_str(&m_inspector, "(toupper(sample.proc_name) = INIT)", evt, pl_flist));
+	ASSERT_TRUE(evaluate_filter_str(&m_inspector, "(tolower(toupper(sample.proc_name)) = init)", evt, pl_flist));
+	ASSERT_TRUE(evaluate_filter_str(&m_inspector, "(tolower(toupper(sample.proc_name)) = tolower(toupper(sample.proc_name)))", evt, pl_flist));
+	ASSERT_TRUE(evaluate_filter_str(&m_inspector, "(toupper(sample.proc_name) = toupper(sample.proc_name))", evt, pl_flist));
+
 	// Here `sample.is_open` should be false
 	evt = add_event_advance_ts(increasing_ts(), 1, PPME_SYSCALL_INOTIFY_INIT1_X, 2, (int64_t)12, (uint16_t)32);
 	ASSERT_EQ(evt->get_source_idx(), syscall_source_idx);