From b9c8ac1f76813999fbf4361c5198515128141145 Mon Sep 17 00:00:00 2001
From: Lorenzo Susini
Date: Tue, 16 May 2023 09:22:00 +0000
Subject: [PATCH] update(userspace/engine): add event codes to json output

Signed-off-by: Lorenzo Susini
---
 .../engine/test_filter_details_resolver.cpp | 19 +++++++++++++++++++
 userspace/engine/falco_engine.cpp | 7 +++++++
 userspace/engine/rule_loader.h | 1 +
 userspace/engine/rule_loader_compiler.cpp | 7 ++++++-
 4 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 unit_tests/engine/test_filter_details_resolver.cpp

diff --git a/unit_tests/engine/test_filter_details_resolver.cpp b/unit_tests/engine/test_filter_details_resolver.cpp
new file mode 100644
index 00000000000..0b6582ffb39
--- /dev/null
+++ b/unit_tests/engine/test_filter_details_resolver.cpp
@@ -0,0 +1,19 @@
+/*
+Copyright (C) 2023 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless ASSERT_EQd by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include
+#include
+
diff --git a/userspace/engine/falco_engine.cpp b/userspace/engine/falco_engine.cpp
index 31c3eb94c6c..1ec654eacc8 100644
--- a/userspace/engine/falco_engine.cpp
+++ b/userspace/engine/falco_engine.cpp
@@ -601,6 +601,13 @@ Json::Value falco_engine::get_json_rule_details(const falco_rule& r, filter_deta
 }
 output["lists"] = lists;
 
+ Json::Value events = Json::arrayValue;
+ for(const auto &e : rule_info->evttypes)
+ {
+ events.append(e);
+ }
+ output["eventCodes"] = events;
+
 details.reset();
 
 return output;
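Review bot: The license header in the new `unit_tests/engine/test_filter_details_resolver.cpp` reads `Unless ASSERT_EQd by applicable law`, which looks like a stray search-and-replace; the Apache 2.0 boilerplate says `Unless required by applicable law`. The file also ends after its two `#include` lines, so it defines no test cases and the new `eventCodes` output has no coverage in this commit. Either add a case that loads a rule and checks the reported event codes, or leave the file out until the tests exist.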
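Review bot: `output["eventCodes"]` in `get_json_rule_details` is read from `rule_info->evttypes`, which the compiler assigns only at the bottom of its loop (`r.evttypes = evttypes;` in `rule_loader_compiler.cpp`), so a rule skipped earlier in that loop, for example one below `cfg.min_priority`, would presumably be reported with an empty array. Anyone auditing detection coverage from this JSON then cannot tell "skipped at load time" from "matches no event type"; consider omitting the key or emitting `null` for rules that were never compiled. The values appended look like raw numeric codes, so a comment such as `// numeric event codes as defined by the libs version this build links against` would help consumers. The function starts and ends outside the hunk, so whether `rule_info` is checked for null before this loop is not visible here.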
diff --git a/userspace/engine/rule_loader.h b/userspace/engine/rule_loader.h
index c0c30522cb3..95d2e923b9c 100644
--- a/userspace/engine/rule_loader.h
+++ b/userspace/engine/rule_loader.h
@@ -456,6 +456,7 @@ namespace rule_loader
 std::set tags;
 std::vector exceptions;
 falco_common::priority_type priority;
+ libsinsp::events::set evttypes;
 bool enabled;
 bool warn_evttypes;
 bool skip_if_unknown_filter;
diff --git a/userspace/engine/rule_loader_compiler.cpp b/userspace/engine/rule_loader_compiler.cpp
index 47dec22a89b..176f9be0437 100644
--- a/userspace/engine/rule_loader_compiler.cpp
+++ b/userspace/engine/rule_loader_compiler.cpp
@@ -386,7 +386,11 @@ void rule_loader::compiler::compile_rule_infos(
 std::string err, condition;
 std::set warn_codes;
 filter_warning_resolver warn_resolver;
- for (auto &r : col.rules())
+
+ // note: cast away the const qualifier in the for loop
+ // this is needed because we want to store information about evttypes
+ // used by any rules, which might come in handy when describing rules.
+ for (auto &r : const_cast&>(col.rules()))
 {
 // skip the rule if below the minimum priority
 if (r.priority > cfg.min_priority)
@@ -507,6 +511,7 @@ void rule_loader::compiler::compile_rule_infos(
 "Rule matches too many evt.type values. This has a significant performance penalty.",
 r.ctx);
 }
+ r.evttypes = evttypes;
 }
 }
 }
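Review bot: The new `evttypes` member in `rule_loader.h` is written by the compiler (`r.evttypes = evttypes;` in `rule_loader_compiler.cpp`), whereas the neighbouring fields look like attributes parsed from the rule file, and nothing in the declaration says so. A comment such as `// set by compiler::compile_rule_infos(); empty until the rule has been compiled` would stop readers from treating it as parsed input. The struct starts and ends outside the hunk.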
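Review bot: The `const_cast` on `col.rules()` in the `for` header of `compile_rule_infos` lets the compiler write into a collection that its accessor hands out as const. Callers that pass the collector as read-only input now have it mutated without the interface saying so, and the write at the end of the loop (`r.evttypes = evttypes;`, second hunk of this file) is undefined behaviour if the collector object was itself ever declared const. Hidden mutation of shared rule state also makes reload and describe paths harder to reason about for thread safety. Prefer returning the event types through the compile output (for instance on the compiled `falco_rule`, or in a map keyed by rule name), or add an explicit non-const accessor to the collector so the mutation is visible in the signature. The function body starts and ends outside both hunks.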