gRPC server and gRPC outputs service

CMakeLists.txt

@@ -598,8 +598,8 @@ else()
 	set(GRPC_SRC "${PROJECT_BINARY_DIR}/grpc-prefix/src/grpc")
 	message(STATUS "Using bundled grpc in '${GRPC_SRC}'")
 	set(GRPC_INCLUDE "${GRPC_SRC}/include")
-	set(GRPC_LIB "${GRPC_SRC}/libs/opt/libgrpc_unsecure.a")
-	set(GRPCPP_LIB "${GRPC_SRC}/libs/opt/libgrpc++_unsecure.a")
+	set(GRPC_LIB "${GRPC_SRC}/libs/opt/libgrpc.a")
+	set(GRPCPP_LIB "${GRPC_SRC}/libs/opt/libgrpc++.a")
 	set(GRPC_CPP_PLUGIN "${GRPC_SRC}/bins/opt/grpc_cpp_plugin")
 
 	get_filename_component(PROTOC_DIR ${PROTOC} DIRECTORY)

falco.yaml

@@ -166,4 +166,23 @@ program_output:
 
 http_output:
   enabled: false
-  url: http://some.url
+  url: http://some.url
+
+# gRPC server configuration.
+# The gRPC server is secure by default (mutual TLS) so you need to generate certificates and update their paths here.
+# By default the gRPC server is off.
+# You can configure the address to bind and expose it.
+# By modifying the threadiness configuration you can fine-tune the number of threads (and context) it will use.
+grpc:
+  enabled: false
+  bind_address: "0.0.0.0:5060"
+  threadiness: 8
+  private_key: "/etc/falco/certs/server.key"
+  cert_chain: "/etc/falco/certs/server.crt"
+  root_certs: "/etc/falco/certs/ca.crt"
+
+# gRPC output service.
+# By default it is off.
+# By enabling this all the output events will be kept in memory until you read them with a gRPC client.
+grpc_output:
+  enabled: false

userspace/engine/falco_common.h

@@ -75,7 +75,7 @@ class falco_common
 
 	void set_inspector(sinsp *inspector);
 
-        // Priority levels, as a vector of strings
+    // Priority levels, as a vector of strings
 	static std::vector<std::string> priority_names;
 
 	// Same as numbers/indices into the above vector

userspace/engine/formats.cpp

@@ -20,7 +20,6 @@ limitations under the License.
 #include <json/json.h>
 
 #include "formats.h"
-#include "logger.h"
 #include "falco_engine.h"
 
 
@@ -36,6 +35,7 @@ const static struct luaL_reg ll_falco [] =
 	{"free_formatter", &falco_formats::free_formatter},
 	{"free_formatters", &falco_formats::free_formatters},
 	{"format_event", &falco_formats::format_event},
+	{"resolve_tokens", &falco_formats::resolve_tokens},
 	{NULL,NULL}
 };
 
@@ -265,3 +265,39 @@ int falco_formats::format_event (lua_State *ls)
 	return 1;
 }
 
+int falco_formats::resolve_tokens(lua_State *ls)
+{
+	if(!lua_isstring(ls, -1) ||
+	   !lua_isstring(ls, -2) ||
+	   !lua_islightuserdata(ls, -3))
+	{
+		lua_pushstring(ls, "Invalid arguments passed to resolve_tokens()");
+		lua_error(ls);
+	}
+	gen_event *evt = (gen_event *)lua_topointer(ls, 1);
+	string source = luaL_checkstring(ls, 2);
+	const char *format = (char *)lua_tostring(ls, 3);
+	string sformat = format;
+
+	map<string, string> values;
+	if(source == "syscall")
+	{
+		s_formatters->resolve_tokens((sinsp_evt *)evt, sformat, values);
+	}
+	// k8s_audit
+	else
+	{
+		json_event_formatter json_formatter(s_engine->json_factory(), sformat);
+		values = json_formatter.tomap((json_event*) evt);
+	}
+
+	lua_newtable(ls);
+	for(auto const& v : values)
+	{
+		lua_pushstring(ls, v.first.c_str());
+		lua_pushstring(ls, v.second.c_str());
+		lua_settable(ls, -3);
+	}
+
+	return 1;
+}

userspace/engine/formats.h

@@ -53,6 +53,9 @@ class falco_formats
 	// formatted_string = falco.format_event(evt, formatter)
 	static int format_event(lua_State *ls);
 
+	// resolve_tokens = falco.resolve_tokens(evt, formatter)
+	static int resolve_tokens(lua_State *ls);
+
 	static sinsp* s_inspector;
 	static falco_engine *s_engine;
 	static sinsp_evt_formatter_cache *s_formatters;

userspace/engine/json_evt.cpp

@@ -796,6 +796,7 @@ std::string json_event_formatter::tostring(json_event *ev)
 std::string json_event_formatter::tojson(json_event *ev)
 {
 	nlohmann::json ret;
+	// todo(leodido, fntlnz) > assign tomap() result to ret (implicit conversion using = operator)
 
 	std::list<std::pair<std::string, std::string>> resolved;
 
@@ -806,13 +807,37 @@ std::string json_event_formatter::tojson(json_event *ev)
 		// Only include the fields and not the raw text blocks.
 		if(!res.first.empty())
 		{
+			// todo(leodido, fntlnz) > do we want "<NA>" rather than empty res.second values?
 			ret[res.first] = res.second;
 		}
 	}
 
 	return ret.dump();
 }
 
+std::map<std::string, std::string> json_event_formatter::tomap(json_event *ev)
+{
+	std::map<std::string, std::string> ret;
+	std::list<std::pair<std::string, std::string>> res;
+
+	resolve_tokens(ev, res);
+
+	for(auto &r : res)
+	{
+		// Only include the fields and not the raw text blocks.
+		if(!r.first.empty())
+		{
+			if(r.second.empty())
+			{
+				r.second = "<NA>";
+			}
+			ret.insert(r);
+		}
+	}
+
+	return ret;
+}
+
 void json_event_formatter::parse_format()
 {
 	string tformat = m_format;

userspace/engine/json_evt.h

@@ -287,6 +287,7 @@ class json_event_formatter
 
 	std::string tostring(json_event *ev);
 	std::string tojson(json_event *ev);
+	std::map<std::string, std::string> tomap(json_event *ev);
 
 	void resolve_tokens(json_event *ev, std::list<std::pair<std::string,std::string>> &resolved);
 

userspace/falco/CMakeLists.txt

@@ -21,6 +21,18 @@ endif()
 
 configure_file("${SYSDIG_DIR}/userspace/sysdig/config_sysdig.h.in" config_sysdig.h)
 
+add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/output.grpc.pb.cc
+	${CMAKE_CURRENT_BINARY_DIR}/output.grpc.pb.h
+	${CMAKE_CURRENT_BINARY_DIR}/output.pb.cc
+	${CMAKE_CURRENT_BINARY_DIR}/output.pb.h
+	${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc
+	${CMAKE_CURRENT_BINARY_DIR}/schema.pb.h
+	COMMENT "Generate gRPC code"
+	DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/output.proto
+	COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/output.proto ${CMAKE_CURRENT_SOURCE_DIR}/schema.proto
+	COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. --plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN} ${CMAKE_CURRENT_SOURCE_DIR}/output.proto
+	WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR})
+
 add_executable(falco
 	configuration.cpp
 	logger.cpp
@@ -29,7 +41,14 @@ add_executable(falco
 	statsfilewriter.cpp
 	falco.cpp
 	"${SYSDIG_DIR}/userspace/sysdig/fields_info.cpp"
-	webserver.cpp)
+	webserver.cpp
+	grpc_context.cpp
+	grpc_server_impl.cpp
+	grpc_server.cpp
+	utils.cpp
+	${CMAKE_CURRENT_BINARY_DIR}/output.grpc.pb.cc
+	${CMAKE_CURRENT_BINARY_DIR}/output.pb.cc
+	${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc)
 
 target_include_directories(falco PUBLIC
 	"${SYSDIG_DIR}/userspace/sysdig"
@@ -38,10 +57,18 @@ target_include_directories(falco PUBLIC
 	"${PROJECT_BINARY_DIR}/driver/src"
 	"${YAMLCPP_INCLUDE_DIR}"
 	"${CIVETWEB_INCLUDE_DIR}"
+	"${GRPC_INCLUDE}"
+	"${PROTOBUF_INCLUDE}"
+	"${CMAKE_CURRENT_BINARY_DIR}"
 	"${DRAIOS_DEPENDENCIES_DIR}/yaml-${DRAIOS_YAML_VERSION}/target/include")
 
+
+
 target_link_libraries(falco falco_engine sinsp)
 target_link_libraries(falco
+	"${GRPCPP_LIB}"
+	"${GRPC_LIB}"
+	"${PROTOBUF_LIB}"
 	"${LIBYAML_LIB}"
 	"${YAMLCPP_LIB}"
 	"${CIVETWEB_LIB}")