Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Container info in engine #151

Merged
merged 4 commits into from
Dec 1, 2016
Merged

Container info in engine #151

merged 4 commits into from
Dec 1, 2016

Conversation

mstemm
Copy link
Contributor

@mstemm mstemm commented Nov 28, 2016

These changes ensure that if a rule's output field is invalid, it is detected at rule load time instead of when the rule is triggered.

@mstemm
Move container.info handling to falco engine.
dd6b51f 
container.info handling used to be handled by the the falco_outputs
object. However, this caused problems for applications that only used
the falco engine, doing their own output formatting for matching events.

Fix this by moving output formatting into the falco engine itself. The
part that replaces %container.info/adds extra formatting to the end of a
rule's output now happens while loading the rule.
@mstemm
Validate rule outputs when loading rules.
96a40c5 
Validate rule outputs when loading rules by attempting to create a
formatter based on the rule's output field. If there's an error, it will
propagate up through load_rules and cause falco to exit rather than
discover the problem only when trying to format the event and the rule's
output field.

This required moving formats.{cpp,h} into the falco engine directory
from the falco general directory. Note that these functions are loaded
twice in the two lua states used by falco (engine and outputs).

There's also a couple of minor cleanups:

 - falco_formats had a private instance variable that was unused, remove
   it.
 - rename the package for the falco_formats functions to formats instead
   of falco so it's more standalone.
 - don't throw a c++ exception in falco_formats::formatter. Instead
   generate a lua error, which is handled more cleanly.
 - free_formatter doesn't return any values, so set the return value of
   the function to 0.
@mstemm
Add unit test for rule with invalid output.
72b955d 
Add the ability to check falco's return code with exit_status and to
generally match stderr with stderr_contains in a test.

Use those to create a test that has an invalid output expression using
%not_a_real_field. It expects falco to exit with 1 and the output to
contain a message about the invalid output.
luca3m
luca3m approved these changes Dec 1, 2016
View reviewed changes
Copy link

@luca3m luca3m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good

@mstemm
Prevent rule_result from leaking on error.
9570379 
Change falco_engine::process_event to return a unique_ptr that wraps the
rule result, so it won't be leaked if this method throws an exception.

This means that callers don't need to create their own.
@mstemm mstemm merged commit b3c691e into dev Dec 1, 2016
@mstemm mstemm deleted the container-info-in-engine branch December 1, 2016 19:53
@mstemm mstemm mentioned this pull request Feb 15, 2017
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@luca3m luca3m luca3m approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@mstemm @luca3m