falcosecurity · poiana · Jun 17, 2024 · Jun 14, 2024
diff --git a/userspace/libsinsp/test/events_fspath.ut.cpp b/userspace/libsinsp/test/events_fspath.ut.cpp
@@ -20,7 +20,6 @@ limitations under the License.
 
 #include <gtest/gtest.h>
 
-#include "filter_compiler.h"
 #include <sinsp_with_test_input.h>
 
 class fspath : public sinsp_with_test_input
@@ -112,13 +111,13 @@ class fspath : public sinsp_with_test_input
 		std::string fieldstr = field;
 
 		std::string eq_filter_str = fieldstr + " = " + expected;
-		filter_run(evt, true, eq_filter_str);
+		EXPECT_TRUE(eval_filter(evt, eq_filter_str));
 
 		std::string in_filter_str = fieldstr + " in (" + expected + ")";
-		filter_run(evt, true, in_filter_str);
+		EXPECT_TRUE(eval_filter(evt, in_filter_str));
 
 		std::string pmatch_filter_str = fieldstr + " pmatch (" + expected + ")";
-		filter_run(evt, true, pmatch_filter_str);
+		EXPECT_TRUE(eval_filter(evt, pmatch_filter_str));
 	}
 
 	void verify_fields(sinsp_evt *evt,

diff --git a/userspace/libsinsp/test/filter_compiler.h b/userspace/libsinsp/test/filter_compiler.h
diff --git a/userspace/libsinsp/test/filter_compiler.ut.cpp b/userspace/libsinsp/test/filter_compiler.ut.cpp
@@ -567,22 +567,14 @@ TEST(sinsp_filter_compiler, complex_filter)
 // Test filter strings against real events.
 //////////////////////////////
 
-static bool evaluate_filter_str(sinsp* inspector, std::string filter_str, sinsp_evt* evt)
-{
-	sinsp_filter_check_list filter_list;
-	sinsp_filter_compiler compiler(std::make_shared<sinsp_filter_factory>(inspector, filter_list), filter_str);
-	auto filter = compiler.compile();
-	return filter->run(evt);
-}
-
 TEST_F(sinsp_with_test_input, filter_simple_evaluation)
 {
 	// Basic case just to assert that the basic setup works
 	add_default_init_thread();
 	open_inspector();
-	ASSERT_TRUE(evaluate_filter_str(&m_inspector, "(evt.type = getcwd)", generate_getcwd_failed_entry_event()));
-	ASSERT_TRUE(
-		evaluate_filter_str(&m_inspector, "(evt.arg.res = val(evt.arg.res))", generate_getcwd_failed_entry_event()));
+	sinsp_evt * evt = generate_getcwd_failed_entry_event();
+	ASSERT_TRUE(eval_filter(evt, "(evt.type = getcwd)"));
+	ASSERT_TRUE(eval_filter(evt, "(evt.arg.res = val(evt.arg.res))"));
 }
 
 TEST_F(sinsp_with_test_input, filter_val_transformer)
@@ -591,55 +583,43 @@ TEST_F(sinsp_with_test_input, filter_val_transformer)
 	open_inspector();
 	// Please note that with `evt.args = evt.args` we are evaluating the field `evt.args` against the const value
 	// `evt.args`.
-	ASSERT_FALSE(evaluate_filter_str(&m_inspector, "(evt.args = evt.args)", generate_getcwd_failed_entry_event()));
-	ASSERT_TRUE(evaluate_filter_str(&m_inspector, "(evt.args = val(evt.args))", generate_getcwd_failed_entry_event()));
+
+	sinsp_evt * evt = generate_getcwd_failed_entry_event();
+
+	ASSERT_FALSE(eval_filter(evt, "(evt.args = evt.args)"));
+	ASSERT_TRUE(eval_filter(evt, "(evt.args = val(evt.args))"));
 
 	// val() expects a field inside it is not a transformer
-	ASSERT_THROW(evaluate_filter_str(&m_inspector, "(syscall.type = val(tolower(toupper(syscall.type))))",
-					 generate_getcwd_failed_entry_event()),
-		     sinsp_exception);
+	ASSERT_FALSE(filter_compiles("(syscall.type = val(tolower(toupper(syscall.type))))"));
 
 	// val() is not supported on the left
-	ASSERT_THROW(evaluate_filter_str(&m_inspector, "(val(evt.args) = val(evt.args))", generate_getcwd_failed_entry_event()),
-		     sinsp_exception);
+	ASSERT_FALSE(filter_compiles("(val(evt.args) = val(evt.args))"));
 
 	// val() cannot support a list
-	ASSERT_THROW(evaluate_filter_str(&m_inspector, "(syscall.type = val(syscall.type, evt.type))",
-					 generate_getcwd_failed_entry_event()),
-		     sinsp_exception);
+	ASSERT_FALSE(filter_compiles("(syscall.type = val(syscall.type, evt.type))"));
 }
 
 TEST_F(sinsp_with_test_input, filter_transformers_combination)
 {
 	add_default_init_thread();
 	open_inspector();
 
-	ASSERT_TRUE(
-		evaluate_filter_str(&m_inspector, "(tolower(syscall.type) = getcwd)", generate_getcwd_failed_entry_event()));
-
-	ASSERT_TRUE(
-		evaluate_filter_str(&m_inspector, "(toupper(syscall.type) = GETCWD)", generate_getcwd_failed_entry_event()));
-
-	ASSERT_TRUE(evaluate_filter_str(&m_inspector, "(tolower(toupper(syscall.type)) = getcwd)",
-					generate_getcwd_failed_entry_event()));
+	sinsp_evt * evt = generate_getcwd_failed_entry_event();
 
-	ASSERT_TRUE(evaluate_filter_str(&m_inspector, "(tolower(syscall.type) = tolower(syscall.type))",
-					generate_getcwd_failed_entry_event()));
-	ASSERT_TRUE(evaluate_filter_str(&m_inspector, "(toupper(syscall.type) = toupper(syscall.type))",
-					generate_getcwd_failed_entry_event()));
-	ASSERT_TRUE(evaluate_filter_str(&m_inspector,
-					"(tolower(toupper(syscall.type)) = tolower(toupper(syscall.type)))",
-					generate_getcwd_failed_entry_event()));
+	ASSERT_TRUE(eval_filter(evt, "(tolower(syscall.type) = getcwd)"));
+	ASSERT_TRUE(eval_filter(evt, "(toupper(syscall.type) = GETCWD)"));
+	ASSERT_TRUE(eval_filter(evt, "(tolower(toupper(syscall.type)) = getcwd)"));
+	ASSERT_TRUE(eval_filter(evt, "(tolower(syscall.type) = tolower(syscall.type))"));
+	ASSERT_TRUE(eval_filter(evt, "(toupper(syscall.type) = toupper(syscall.type))"));
+	ASSERT_TRUE(eval_filter(evt, "(tolower(toupper(syscall.type)) = tolower(toupper(syscall.type)))"));
 }
 
 TEST_F(sinsp_with_test_input, filter_different_types)
 {
 	add_default_init_thread();
 	open_inspector();
 
-	// The 2 fields checks have different types
-	ASSERT_THROW(evaluate_filter_str(&m_inspector, "syscall.type = val(evt.is_wait)", generate_getcwd_failed_entry_event()),
-		     sinsp_exception);
+	ASSERT_FALSE(filter_compiles("syscall.type = val(evt.is_wait)"));
 }
 
 TEST_F(sinsp_with_test_input, filter_not_supported_rhs_field)
@@ -648,14 +628,10 @@ TEST_F(sinsp_with_test_input, filter_not_supported_rhs_field)
 	open_inspector();
 
 	// `evt.around` cannot be used as a rhs filter check
-	ASSERT_THROW(evaluate_filter_str(&m_inspector, "evt.buflen.in = val(evt.around[1404996934793590564])",
-					 generate_getcwd_failed_entry_event()),
-		     sinsp_exception);
+	ASSERT_FALSE(filter_compiles("evt.buflen.in = val(evt.around[1404996934793590564])"));
 
 	// `evt.around` cannot support a rhs filter check
-	ASSERT_THROW(evaluate_filter_str(&m_inspector, "evt.around[1404996934793590564] = val(evt.buflen.in)",
-					 generate_getcwd_failed_entry_event()),
-		     sinsp_exception);
+	ASSERT_FALSE(filter_compiles("evt.around[1404996934793590564] = val(evt.buflen.in)"));
 }
 
 TEST_F(sinsp_with_test_input, filter_not_supported_transformers)
@@ -664,20 +640,15 @@ TEST_F(sinsp_with_test_input, filter_not_supported_transformers)
 	open_inspector();
 
 	// `evt.rawarg` doesn't support a transformer
-	ASSERT_THROW(evaluate_filter_str(&m_inspector, "toupper(evt.rawarg.res) = -1", generate_getcwd_failed_entry_event()),
-		     sinsp_exception);
+	ASSERT_FALSE(filter_compiles("toupper(evt.rawarg.res) = -1"));
 }
 
 TEST_F(sinsp_with_test_input, filter_transformers_wrong_input_type)
 {
 	add_default_init_thread();
 	open_inspector();
 
-	//  These transformers are not supported on `PT_INT64` type
-	ASSERT_THROW(evaluate_filter_str(&m_inspector, "toupper(evt.rawres) = -1", generate_getcwd_failed_entry_event()),
-		     sinsp_exception);
-	ASSERT_THROW(evaluate_filter_str(&m_inspector, "tolower(evt.rawres) = -1", generate_getcwd_failed_entry_event()),
-		     sinsp_exception);
-	ASSERT_THROW(evaluate_filter_str(&m_inspector, "b64(evt.rawres) = -1", generate_getcwd_failed_entry_event()),
-		     sinsp_exception);
+	ASSERT_FALSE(filter_compiles("toupper(evt.rawres) = -1"));
+	ASSERT_FALSE(filter_compiles("tolower(evt.rawres) = -1"));
+	ASSERT_FALSE(filter_compiles("b64(evt.rawres) = -1"));
 }
diff --git a/userspace/libsinsp/test/filter_op_bcontains.ut.cpp b/userspace/libsinsp/test/filter_op_bcontains.ut.cpp
@@ -19,44 +19,36 @@ limitations under the License.
 #include <libsinsp/sinsp.h>
 #include <gtest/gtest.h>
 
-#include "filter_compiler.h"
+#include <sinsp_with_test_input.h>
 
-TEST(sinsp_filter_check, bcontains_bstartswith)
+TEST_F(sinsp_with_test_input, bcontains_bstartswith)
 {
-	// craft a fake read exit event containing the "hello" string
-	char scap_evt_err[2048];
+	add_default_init_thread();
+
+	open_inspector();
+
 	uint8_t read_buf[] = {'h', 'e', 'l', 'l', 'o'};
-	uint8_t scap_evt_buf[2048];
-	size_t evt_size;
-	scap_sized_buffer scap_evt;
-	scap_evt.buf = (void*) &scap_evt_buf[0];
-	scap_evt.size = (size_t) sizeof(scap_evt_buf);
-	if (scap_event_encode_params(
-		scap_evt, &evt_size, scap_evt_err, PPME_SYSCALL_READ_X, 3, (int64_t) 0,
-		scap_const_sized_buffer{&read_buf[0],sizeof(read_buf)}) != SCAP_SUCCESS)
-	{
-		FAIL() << "could not create scap event";
-	}
-	sinsp_evt evt;
-	evt.init((uint8_t*) scap_evt.buf, 0); // 68656c6c6f
+	sinsp_evt * evt = add_event_advance_ts(increasing_ts(), 1, PPME_SYSCALL_READ_X, 2, (int64_t) 0, scap_const_sized_buffer{read_buf, sizeof(read_buf)});
 
 	// test filters with bcontains
-	filter_compile(NULL, "evt.buffer bcontains");
-	filter_compile(NULL, "evt.buffer bcontains 2");
-	filter_compile(NULL, "evt.buffer bcontains 2g");
-	filter_run(&evt, true, "evt.buffer bcontains 68656c6c6f");
-	filter_run(&evt, true, "evt.buffer bcontains 656c6C");
-	filter_run(&evt, false, "evt.buffer bcontains 20");
-	filter_run(&evt, false, "evt.buffer bcontains 656c6cAA");
+	EXPECT_FALSE(filter_compiles("evt.buffer bcontains"));
+	EXPECT_FALSE(filter_compiles("evt.buffer bcontains 2"));
+	EXPECT_FALSE(filter_compiles("evt.buffer bcontains 2g"));
+
+	EXPECT_TRUE(eval_filter(evt, "evt.buffer bcontains 68656c6c6f"));
+	EXPECT_TRUE(eval_filter(evt, "evt.buffer bcontains 656c6C"));
+	EXPECT_FALSE(eval_filter(evt, "evt.buffer bcontains 20"));
+	EXPECT_FALSE(eval_filter(evt, "evt.buffer bcontains 656c6cAA"));
 
 	// test filters with bstartswith
-	filter_compile(NULL, "evt.buffer bstartswith");
-	filter_compile(NULL, "evt.buffer bstartswith 2");
-	filter_compile(NULL, "evt.buffer bstartswith 2g");
-	filter_run(&evt, true, "evt.buffer bstartswith 68");
-	filter_run(&evt, true, "evt.buffer bstartswith 68656c6c6f");
-	filter_run(&evt, false, "evt.buffer bstartswith 65");
-	filter_run(&evt, false, "evt.buffer bstartswith 656c6C");
-	filter_run(&evt, false, "evt.buffer bstartswith 20");
-	filter_run(&evt, false, "evt.buffer bstartswith 656c6cAA");
+	EXPECT_FALSE(filter_compiles("evt.buffer bstartswith"));
+	EXPECT_FALSE(filter_compiles("evt.buffer bstartswith 2"));
+	EXPECT_FALSE(filter_compiles("evt.buffer bstartswith 2g"));
+
+	EXPECT_TRUE(eval_filter(evt, "evt.buffer bstartswith 68"));
+	EXPECT_TRUE(eval_filter(evt, "evt.buffer bstartswith 68656c6c6f"));
+	EXPECT_FALSE(eval_filter(evt, "evt.buffer bstartswith 65"));
+	EXPECT_FALSE(eval_filter(evt, "evt.buffer bstartswith 656c6C"));
+	EXPECT_FALSE(eval_filter(evt, "evt.buffer bstartswith 20"));
+	EXPECT_FALSE(eval_filter(evt, "evt.buffer bstartswith 656c6cAA"));
 }
diff --git a/userspace/libsinsp/test/filter_op_pmatch.ut.cpp b/userspace/libsinsp/test/filter_op_pmatch.ut.cpp
@@ -20,7 +20,6 @@ limitations under the License.
 #include <gtest/gtest.h>
 
 #include <sinsp_with_test_input.h>
-#include "filter_compiler.h"
 
 
 TEST_F(sinsp_with_test_input, pmatch)
@@ -32,27 +31,27 @@ TEST_F(sinsp_with_test_input, pmatch)
 	int64_t fd = 1;
 	sinsp_evt * evt = add_event_advance_ts(increasing_ts(), 3, PPME_SYSCALL_OPEN_X, 6, fd, "/opt/dir/subdir/file.txt", 0, 0, 0, (uint64_t) 0);
 
-	filter_run(evt, true, "fd.name pmatch (/opt/dir)");
-	filter_run(evt, true, "fd.name pmatch (/opt/dir/subdir)");
-	filter_run(evt, false, "fd.name pmatch (/opt/dir2)");
-	filter_run(evt, true, "fd.name pmatch (/opt/dir, /opt/dir2)");
-	filter_run(evt, false, "fd.name pmatch (/opt/dir3, /opt/dir2)");
-	filter_run(evt, true, "fd.name pmatch (/opt/*)");
-	filter_run(evt, true, "fd.name pmatch (/opt/*/subdir)");
+	EXPECT_TRUE(eval_filter(evt, "fd.name pmatch (/opt/dir)"));
+	EXPECT_TRUE(eval_filter(evt, "fd.name pmatch (/opt/dir/subdir)"));
+	EXPECT_FALSE(eval_filter(evt, "fd.name pmatch (/opt/dir2)"));
+	EXPECT_TRUE(eval_filter(evt, "fd.name pmatch (/opt/dir, /opt/dir2)"));
+	EXPECT_FALSE(eval_filter(evt, "fd.name pmatch (/opt/dir3, /opt/dir2)"));
+	EXPECT_TRUE(eval_filter(evt, "fd.name pmatch (/opt/*)"));
+	EXPECT_TRUE(eval_filter(evt, "fd.name pmatch (/opt/*/subdir)"));
 	// In Windows systems, the function used to perform path matching differs
 	// from linux and macos: instead of `fnmatch` is used `PathMatchSpecA`
 	// (from the Windows API); this function reflects the Windows behaviour
 	// in path matching (case insentive...). Given that we need to exclude
 	// some tests.
 #if !defined(_WIN32)
-	filter_run(evt, true, "fd.name pmatch (/opt/di?/subdir)");
-	filter_run(evt, false, "fd.name pmatch (/opt/dii?/subdir)");
-	filter_run(evt, true, "fd.name pmatch (/opt/di[r]/subdir)");
-	filter_run(evt, false, "fd.name pmatch (/opt/di[!r]/subdir)");
-	filter_run(evt, false, "fd.name pmatch (/opt/di[t]/subdir)");
+	EXPECT_TRUE(eval_filter(evt, "fd.name pmatch (/opt/di?/subdir)"));
+	EXPECT_FALSE(eval_filter(evt, "fd.name pmatch (/opt/dii?/subdir)"));
+	EXPECT_TRUE(eval_filter(evt, "fd.name pmatch (/opt/di[r]/subdir)"));
+	EXPECT_FALSE(eval_filter(evt, "fd.name pmatch (/opt/di[!r]/subdir)"));
+	EXPECT_FALSE(eval_filter(evt, "fd.name pmatch (/opt/di[t]/subdir)"));
 #endif
-	filter_run(evt, false, "fd.name pmatch (/opt/di/subdir)");
-	filter_run(evt, false, "fd.name pmatch (/opt/*/subdir2)");
-	filter_run(evt, true, "fd.name pmatch (/opt/*/*)");
-	filter_run(evt, false, "fd.name pmatch (/opt/*/*/subsubdir)");
+	EXPECT_FALSE(eval_filter(evt, "fd.name pmatch (/opt/di/subdir)"));
+	EXPECT_FALSE(eval_filter(evt, "fd.name pmatch (/opt/*/subdir2)"));
+	EXPECT_TRUE(eval_filter(evt, "fd.name pmatch (/opt/*/*)"));
+	EXPECT_FALSE(eval_filter(evt, "fd.name pmatch (/opt/*/*/subsubdir)"));
 }