tests(inst): add writable data source test

aquasecurity · Dec 13, 2023 · e1d023b · e1d023b
1 parent 9e7e9c4
commit e1d023b
Show file tree

Hide file tree

Showing 7 changed files with 220 additions and 4 deletions.
diff --git a/Makefile b/Makefile
@@ -682,6 +682,8 @@ E2E_INST_SRC := $(shell find $(E2E_INST_DIR) \
 		-type f \
 		-name '*.go' \
 		! -name '*_test.go' \
+		-not -path '$(E2E_INST_DIR)/scripts/*' \
+		-not -path '$(E2E_INST_DIR)/datasourcetest/*' \
 		)
 
 .PHONY: e2e-inst-signatures

diff --git a/tests/e2e-inst-signatures/datasourcetest/write.go b/tests/e2e-inst-signatures/datasourcetest/write.go
@@ -0,0 +1,80 @@
+package datasourcetest
+
+import (
+	"encoding/json"
+
+	lru "github.com/hashicorp/golang-lru/v2"
+
+	"github.com/aquasecurity/tracee/types/detect"
+)
+
+type e2eWritable struct {
+	cache *lru.Cache[string, string]
+}
+
+func New() detect.DataSource {
+	cache, _ := lru.New[string, string](8)
+	return &e2eWritable{
+		cache,
+	}
+}
+
+func (ctx *e2eWritable) Get(key interface{}) (map[string]interface{}, error) {
+	val, ok := key.(string)
+	if !ok {
+		return nil, detect.ErrKeyNotSupported
+	}
+
+	res, ok := ctx.cache.Get(val)
+	if !ok {
+		return nil, detect.ErrDataNotFound
+	}
+
+	return map[string]interface{}{
+		"value": res,
+	}, nil
+}
+
+func (ctx *e2eWritable) Version() uint {
+	return 1
+}
+
+func (ctx *e2eWritable) Keys() []string {
+	return []string{"string"}
+}
+
+func (ctx *e2eWritable) Schema() string {
+	schema := map[string]interface{}{
+		"value": "string",
+	}
+
+	s, _ := json.Marshal(schema)
+	return string(s)
+}
+
+func (ctx *e2eWritable) Namespace() string {
+	return "e2e_inst"
+}
+
+func (ctx *e2eWritable) ID() string {
+	return "demo"
+}
+
+func (ctx *e2eWritable) Write(key interface{}, value interface{}) error {
+	keyStr, ok := key.(string)
+	if !ok {
+		return detect.ErrFailedToUnmarshal
+	}
+
+	valueStr, ok := value.(string)
+	if !ok {
+		return detect.ErrFailedToUnmarshal
+	}
+
+	ctx.cache.Add(keyStr, valueStr)
+	return nil
+}
+
+func (ctx *e2eWritable) Values() []string {
+	return []string{"string"}
+}
diff --git a/tests/e2e-inst-signatures/e2e-writeable_data_source.go b/tests/e2e-inst-signatures/e2e-writeable_data_source.go
@@ -0,0 +1,88 @@
+package main
+
+import (
+	"fmt"
+
+	"github.com/aquasecurity/tracee/types/detect"
+	"github.com/aquasecurity/tracee/types/protocol"
+	"github.com/aquasecurity/tracee/types/trace"
+)
+
+type e2eWritableDatasourceSig struct {
+	cb       detect.SignatureHandler
+	writable detect.DataSource
+}
+
+func (sig *e2eWritableDatasourceSig) Init(ctx detect.SignatureContext) error {
+	sig.cb = ctx.Callback
+	writable, ok := ctx.GetDataSource("e2e_inst", "demo")
+	if !ok {
+		return fmt.Errorf("containers data source not registered")
+	}
+	if writable.Version() > 1 {
+		return fmt.Errorf("containers data source version not supported, please update this signature")
+	}
+	sig.writable = writable
+	return nil
+}
+
+func (sig *e2eWritableDatasourceSig) GetMetadata() (detect.SignatureMetadata, error) {
+	return detect.SignatureMetadata{
+		ID:          "WRITABLE_DATA_SOURCE",
+		EventName:   "WRITABLE_DATA_SOURCE",
+		Version:     "0.1.0",
+		Name:        "Writable Data Source Test",
+		Description: "Instrumentation events E2E Tests: Writable Data Source Test",
+		Tags:        []string{"e2e", "instrumentation"},
+	}, nil
+}
+
+func (sig *e2eWritableDatasourceSig) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {
+	return []detect.SignatureEventSelector{
+		{Source: "tracee", Name: "sched_process_exit"},
+	}, nil
+}
+
+func (sig *e2eWritableDatasourceSig) OnEvent(event protocol.Event) error {
+	eventObj, ok := event.Payload.(trace.Event)
+	if !ok {
+		return fmt.Errorf("failed to cast event's payload")
+	}
+
+	switch eventObj.EventName {
+	case "sched_process_exit":
+		if eventObj.ProcessName != "ds_writer" {
+			return nil
+		}
+
+		container, err := sig.writable.Get("bruh")
+		if err != nil {
+			return fmt.Errorf("failed to query key \"bruh\" in data source: %v", err)
+		}
+
+		data, ok := container["value"].(string)
+		if !ok {
+			return fmt.Errorf("failed to unwrap value from writable data")
+		}
+
+		if data != "moment" {
+			return fmt.Errorf("value written in data source not expected (%s)", data)
+		}
+
+		m, _ := sig.GetMetadata()
+
+		sig.cb(detect.Finding{
+			SigMetadata: m,
+			Event:       event,
+			Data:        map[string]interface{}{},
+		})
+	}
+
+	return nil
+}
+
+func (sig *e2eWritableDatasourceSig) OnSignal(s detect.Signal) error {
+	return nil
+}
+
+func (sig *e2eWritableDatasourceSig) Close() {}
diff --git a/tests/e2e-inst-signatures/export.go b/tests/e2e-inst-signatures/export.go
@@ -1,6 +1,9 @@
 package main
 
-import "github.com/aquasecurity/tracee/types/detect"
+import (
+	"github.com/aquasecurity/tracee/tests/e2e-inst-signatures/datasourcetest"
+	"github.com/aquasecurity/tracee/types/detect"
+)
 
 var ExportedSignatures = []detect.Signature{
 	// Instrumentation e2e signatures
@@ -13,8 +16,9 @@ var ExportedSignatures = []detect.Signature{
 	&e2eHookedSyscall{},
 	&e2eSignatureDerivation{},
 	&e2eDnsDataSource{},
+	&e2eWritableDatasourceSig{},
 }
 
 var ExportedDataSources = []detect.DataSource{
-	// add data-sources here
+	datasourcetest.New(),
 }
diff --git a/tests/e2e-inst-signatures/scripts/ds_writer/ds_writer.go b/tests/e2e-inst-signatures/scripts/ds_writer/ds_writer.go
@@ -0,0 +1,32 @@
+package main
+
+import (
+	"context"
+	"fmt"
+
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
+	"google.golang.org/protobuf/types/known/structpb"
+
+	"github.com/aquasecurity/tracee/api/v1beta1"
+)
+
+func main() {
+	conn, err := grpc.Dial(
+		"unix:///tmp/tracee.sock",
+		grpc.WithTransportCredentials(insecure.NewCredentials()),
+	)
+	if err != nil {
+		panic(fmt.Errorf("failed to dial tracee grpc server: %v", err))
+	}
+	client := v1beta1.NewDataSourceServiceClient(conn)
+	_, err = client.WriteDataSource(context.Background(), &v1beta1.WriteDataSourceRequest{
+		Id:        "demo",
+		Namespace: "e2e_inst",
+		Key:       structpb.NewStringValue("bruh"),
+		Value:     structpb.NewStringValue("moment"),
+	})
+	if err != nil {
+		panic(fmt.Errorf("failed to write to data source: %v", err))
+	}
+}
diff --git a/tests/e2e-inst-signatures/scripts/writable_data_source.sh b/tests/e2e-inst-signatures/scripts/writable_data_source.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+exit_err() {
+    echo -n "ERROR: "
+    echo $@
+    exit 1
+}
+
+go run ./tests/e2e-inst-signatures/scripts/ds_writer/ds_writer.go
diff --git a/tests/e2e-inst-test.sh b/tests/e2e-inst-test.sh
@@ -13,7 +13,7 @@ SCRIPT_TMP_DIR=/tmp
 TRACEE_TMP_DIR=/tmp/tracee
 
 # Default test to run if no other is given
-TESTS=${INSTTESTS:=VFS_WRITE}
+TESTS=${INSTTESTS:=WRITABLE_DATA_SOURCE}
 
 info_exit() {
     echo -n "INFO: "
@@ -137,8 +137,9 @@ for TEST in $TESTS; do
         --output option:parse-arguments \
         --log file:$SCRIPT_TMP_DIR/tracee-log-$$ \
         --signatures-dir "$SIG_DIR" \
-        --scope comm=echo,mv,ls,tracee,proctreetester,ping \
+        --scope comm=echo,mv,ls,tracee,proctreetester,ping,ds_writer \
         --dnscache enable \
+        --grpc-listen-addr unix:/tmp/tracee.sock \
         --events "$TEST" &
 
     # Wait tracee to start