new(userspace/falco,userspace/engine): rule json schema validation #3313
Conversation
|
This PR may bring feature or behavior changes in the Falco engine and may require the engine version to be bumped. Please double check userspace/engine/falco_engine_version.h file. See versioning for FALCO_ENGINE_VERSION. /hold |
|
/milestone 0.39.0 |
|
Here is how the So, we keep the exact same behavior of the normal rule loading schema validation (and the config schema validation), with Don't really know which is better, i tend to really prefer the consistency of the former. cc @leogr |
|
Also cc @jasondellaluce am not sure whether engine version should really be bumped 🤔 |
| rule_loader::context ctx(cfg.name); | ||
| try | ||
| { | ||
| docs = YAML::LoadAll(cfg.content); | ||
| docs = reader.loadall_from_string(cfg.content, schema, &schema_validation); |
There was a problem hiding this comment.
New yaml_helper method to YAML::LoadAll and then validate each loaded document against provided schema.
| @@ -807,7 +810,7 @@ bool rule_loader::reader::read(rule_loader::configuration& cfg, collector& colle | |||
| cfg.res->add_error(falco::load_result::LOAD_ERR_YAML_PARSE, "unknown YAML parsing error", ctx); | |||
| return false; | |||
| } | |||
|
|
|||
| cfg.res->set_schema_validation_status(schema_validation); | |||
There was a problem hiding this comment.
We will have a schema validation status only if the YAML could be actually loaded, otherwise it will have its default value "none". Not a big deal since an error is thrown if we cannot parse the YAML of course.
| @@ -43,7 +43,7 @@ class reader | |||
| \brief Reads the contents of a ruleset and uses a collector to store | |||
| thew new definitions | |||
| */ | |||
| virtual bool read(configuration& cfg, collector& loader); | |||
| virtual bool read(configuration& cfg, collector& loader, const nlohmann::json& schema={}); | |||
| @@ -89,7 +84,37 @@ class yaml_helper | |||
| inline static const std::string configs_key = "config_files"; | |||
| inline static const std::string validation_ok = "ok"; | |||
| inline static const std::string validation_failed = "failed"; | |||
| inline static const std::string validation_none = "schema not provided"; | |||
| inline static const std::string validation_none = "none"; | |||
There was a problem hiding this comment.
none better reflect the fact that no validation took place, without exposing more info than needed.
| @@ -66,12 +66,14 @@ falco::app::run_result falco::app::actions::load_rules_files(falco::app::state& | |||
| } | |||
|
|
|||
| std::string err = ""; | |||
| falco_logger::log(falco_logger::level::INFO, "Loading rules from:\n"); | |||
There was a problem hiding this comment.
Follow same behavior as Falco config files loading, ie: print a first line with Loading rules from and then proceed to list all loaded rules with their schema validation status each on a new line.
userspace/engine/falco_engine.cpp
Outdated
| @@ -47,6 +47,8 @@ limitations under the License. | |||
|
|
|||
| const std::string falco_engine::s_default_ruleset = "falco-default-ruleset"; | |||
|
|
|||
| static const std::string rule_schema_string = R"({"$schema":"http://json-schema.org/draft-06/schema#","type":"array","items":{"anyOf":[{"$ref":"#definitions/RequiredEngineVersionRef"},{"$ref":"#definitions/ListRef"},{"$ref":"#definitions/MacroRef"},{"$ref":"#definitions/RuleRef"},{"$ref":"#definitions/AppendOnlyRuleRef"},{"$ref":"#definitions/EnableOnlyRuleRef"}]},"definitions":{"RequiredEngineVersionRef":{"type":"object","additionalProperties":false,"properties":{"required_engine_version":{"type":"integer"}},"required":["required_engine_version"],"title":"RequiredEngineVersion"},"ListRef":{"type":"object","additionalProperties":false,"properties":{"list":{"type":"string"},"items":{"type":"array","items":{"anyOf":[{"type":"integer"},{"type":"string"}]}},"append":{"type":"boolean"}},"required":["list","items"],"title":"List"},"MacroRef":{"type":"object","additionalProperties":false,"properties":{"macro":{"type":"string"},"condition":{"type":"string"},"append":{"type":"boolean"}},"required":["macro","condition"],"title":"Macro"},"RuleRef":{"type":"object","additionalProperties":false,"properties":{"rule":{"type":"string"},"condition":{"type":"string"},"desc":{"type":"string"},"enabled":{"type":"boolean"},"append":{"type":"boolean"},"output":{"type":"string"},"priority":{"type":"string","enum":["ALERT","EMERGENCY","NOTICE","WARNING","ERROR","DEBUG","INFO","INFORMATIONAL","CRITICAL"]},"tags":{"type":"array","items":{"anyOf":[{"type":"integer"},{"type":"string"}]}},"warn_evttypes":{"type":"boolean"},"skip-if-unknown-filter":{"type":"boolean"}},"required":["rule","desc","condition","output","priority"],"title":"Rule"},"AppendOnlyRuleRef":{"type":"object","additionalProperties":false,"properties":{"rule":{"type":"string"},"condition":{"type":"string"},"append":{"type":"boolean"}},"required":["rule","append","condition"],"title":"AppendOnlyRule"},"EnableOnlyRuleRef":{"type":"object","additionalProperties":false,"properties":{"rule":{"type":"string"},"enabled":{"type":"boolean"}},"required":["rule","enabled"],"title":"EnableOnlyRule"}}})"; | |||
There was a problem hiding this comment.
It passes all falco engine rule loader tests ;)
FedeDP
force-pushed
the
new/rule_json_schema
branch
from
a681024 to
08aef99
Compare
If we assume that a proper message will be printed when the schema validation fails, another option would be not to expose the |
It is a false positive because you touched some engine files, but no actual feature or behavior was changed. |
|
/hold |
Also, a new `--rule-schema` cli option was added to print the schema and leave. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Also, moved yaml_helper under engine/ folder. Ported rule json schema validation in the engine. Also, updated rule_loader tests to check for validation. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Federico Di Pierro <nierro92@gmail.com> Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
FedeDP
force-pushed
the
new/rule_json_schema
branch
from
d9377cb to
272986c
Compare
|
Rebased on top of master + added schema validation info ( Text: Json: |
…t` `as_json` and `as_string` outputs. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
…rnings from yaml_helper::validate_node(). `-V` option will print all warnings, while normal run will only print foremost warning. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
FedeDP
force-pushed
the
new/rule_json_schema
branch
from
272986c to
6630176
Compare
|
Last commit enables Example outputs:
NOTE: in normal run, while validating config and rule files, only foremost warning will be reported, example: |
|
/unhold |
|
/cc @jasondellaluce |
|
/hold |
…ollowing errors and warnings output layout. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
|
/unhold |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Andreagit97, FedeDP The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
/area engine
What this PR does / why we need it:
Follow-up to #3302 , validate rule syntax against a json schema.
This PR also adds a
--rule-schemaCLI option to print the rule schema (just like #3312).Which issue(s) this PR fixes:
Fixes #3149
Special notes for your reviewer:
yaml_helpertoenginefolderSee #3313 (comment) for output examples.
Does this PR introduce a user-facing change?: