From 181e45e52b67f5bfc642942f8e9505fd32aaafb5 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Wed, 16 Oct 2024 13:45:56 -0700 Subject: [PATCH] Add tests for mismatched sources and append Add additional unit tests to verify that rule loading fails when a second rules object has a different source but the name of an existing rules object. Signed-off-by: Mark Stemm --- unit_tests/engine/test_rule_loader.cpp | 63 ++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) diff --git a/unit_tests/engine/test_rule_loader.cpp b/unit_tests/engine/test_rule_loader.cpp index 8feadd2c592..74728f8fd49 100644 --- a/unit_tests/engine/test_rule_loader.cpp +++ b/unit_tests/engine/test_rule_loader.cpp @@ -1222,3 +1222,66 @@ TEST_F(test_falco_engine, exceptions_fields_transformer_space_quoted) { EXPECT_EQ(get_compiled_rule_condition("test_rule"), "(evt.type = open and not tolower(proc.name) = test)"); } + +TEST_F(test_falco_engine, redefine_rule_different_source) { + auto rules_content = R"END( +- rule: LD_PRELOAD trick + desc: Some desc + condition: ka.verb = GET + output: some output + priority: INFO + source: k8s_audit + +- rule: LD_PRELOAD trick + desc: Some desc + condition: and 1 = 2 + output: Some output + priority: INFO + source: syscall +)END"; + + ASSERT_FALSE(load_rules(rules_content, "rules.yaml")); + ASSERT_TRUE(check_error_message("Rule has been re-defined with a different source")); +} + +TEST_F(test_falco_engine, append_across_sources) { + auto rules_content = R"END( +- rule: LD_PRELOAD trick + desc: Some desc + condition: ka.verb = GET + output: some output + priority: INFO + source: k8s_audit + +- rule: LD_PRELOAD trick + desc: Some desc + condition: and 1 = 2 + output: Some output + priority: INFO + source: syscall + append: true +)END"; + + ASSERT_FALSE(load_rules(rules_content, "rules.yaml")); + ASSERT_TRUE(check_error_message("Rule has been re-defined with a different source")); +} + +TEST_F(test_falco_engine, selective_replace_across_sources) { + auto rules_content = R"END( +- rule: LD_PRELOAD trick + desc: Some desc + condition: ka.verb = GET + output: some output + priority: INFO + source: k8s_audit + +- rule: LD_PRELOAD trick + condition: 1 = 2 + override: + condition: replace + source: syscall +)END"; + + ASSERT_FALSE(load_rules(rules_content, "rules.yaml")); + ASSERT_TRUE(check_error_message("Rule has been re-defined with a different source")); +}