wip: test

Signed-off-by: Jason Dellaluce <[email protected]>
falcosecurity · Jul 3, 2023 · 3d0b534 · 3d0b534
1 parent 9a0ec0d
commit 3d0b534
Show file tree

Hide file tree

Showing 8 changed files with 200 additions and 0 deletions.
diff --git a/.github/FALCO_VERSIONS b/.github/FALCO_VERSIONS
@@ -0,0 +1,2 @@
+master
+0.35.0
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -17,4 +17,92 @@ jobs:
  makecommand: make packages
  suffix: ${{ github.event.number }}
  secrets: inherit
+
+ get-values:
+ uses: ./.github/workflows/reusable_get_values.yaml
 
+ build-rules-tool:
+ needs: [get-values]
+ if: needs.get-values.outputs.changed-plugins != '[]' && needs.get-values.outputs.changed-plugins != ''
+ uses: ./.github/workflows/reusable_build_rules_tool.yaml
+ with:
+ repository: falcosecurity/rules
+ output: rules-checker
+
+ # todo: make this reusable too
+ validate-plugin-rules:
+ needs: [get-values, build-rules-tool]
+ if: needs.get-values.outputs.changed-plugins != '[]' && needs.get-values.outputs.changed-plugins != ''
+ strategy:
+ fail-fast: false
+ matrix:
+ plugin: ${{ fromJson(needs.get-values.outputs.changed-plugins) }}
+ falco-version: ${{ fromJson(needs.get-values.outputs.falco-versions) }}
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Download rules tool
+ uses: actions/download-artifact@v3
+ with:
+ name: rules-tool.tar.gz
+
+ # todo: also support pulling the latest 0.X.0 plugin with falcoctl instead
+ # of local build
+ - name: Download x86_64 plugins
+ uses: actions/download-artifact@v3
+ with:
+ name: plugins-x86_64-${{ github.event.number }}.tar.gz
+ path: /tmp/plugins-x86_64
+
+ - name: Install plugin and rules (local build)
+ run: |
+ mkdir -p tmp
+ cd tmp
+ for archive in $(ls /tmp/plugins-x86_64/${{ matrix.plugin }}-*); do
+ tar -xvf $archive
+ sudo cp -r *.so /usr/share/falco/plugins
+ sudo cp -r *.yaml /etc/falco/falco
+ done
+ cd ..
+ rm -fr tmp
+ 
+ - name: Validate plugin and rules
+ run: |
+ config_file="./plugins/${{ matrix.plugin }}/test/falco.yaml"
+ rules_dir="./plugins/${{ matrix.plugin }}/rules" 
+ rules_files=""
+ validation_flags=""
+ 
+ # craft an empty rules file if none is available.
+ # this ensures that the plugin gets still loaded even if it has no rules.
+ if [ ! -d "$rules_dir" ]; then
+ touch tmp_rules.yaml
+ rules_files="${{ github.workspace }}/tmp_rules.yaml"
+ else
+ rules_files=$(ls $rules_dir)
+ fi
+ 
+ # craft a default falco.yaml if no custom one is available
+ if [ ! -f "$config_file" ]; then
+ echo "plugins:" >> $config_file
+ echo " - name: ${{ matrix.plugin }}" >> $config_file
+ echo " library_path: lib${{ matrix.plugin }}.so" >> $config_file
+ fi
+
+ # craft rules validation command
+ for rules_file in $rules_files; do
+ validation_flags="${validation_flags} -r ${rules_file}"
+ done
+
+ # append plugin files to validaiton command
+ configured_plugins="$(cat /etc/falco/falco.yaml | grep "library_path: " | cut -d ':' -f 2 | xargs)""
+ for plugin_lib in $configured_plugins; do
+ validation_flags="${validation_flags} -f /usr/share/falco/plugins/${plugin_lib}"
+ done
+ 
+ echo $config_file
+ cat $config_file
+
+ ./rules-checker validate -c "$config_file" $validation_flags
diff --git a/.github/workflows/reusable_build_packages.yaml b/.github/workflows/reusable_build_packages.yaml
@@ -39,6 +39,8 @@ jobs:
  path: output/*.tar.gz
 
  build-packages-arm64:
+ # TODO(jasondellaluce): restore this
+ if: github.token == ''
  runs-on: ubuntu-latest
  steps:
  - name: Checkout Plugins ⤵️

diff --git a/.github/workflows/reusable_build_rules_tool.yaml b/.github/workflows/reusable_build_rules_tool.yaml
@@ -0,0 +1,44 @@
+# This is a reusable workflow used by master and release CI
+on:
+ workflow_call:
+ inputs:
+ output:
+ description: Name of the output binary
+ required: false
+ default: rules-check
+ type: string
+ repository:
+ description: Falco rules repository
+ required: false
+ default: falcosecurity/rules
+ type: string
+
+jobs:
+ build-rules-checker:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Setup Golang
+ uses: actions/setup-go@v3
+ with:
+ go-version: '^1.19'
+
+ - name: Checkout rules
+ uses: actions/checkout@v3
+ with:
+ repository: ${{ inputs.repository }}
+ # TODO(jasondellaluce): remove this and merge changes in falcosecurity/rules
+ ref: 'update/check-plugin-rules'
+
+ - name: Build checker tool
+ working-directory: build/checker
+ run: go build -o ${{ inputs.output }}
+
+ - name: Test checker tool
+ working-directory: build/checker
+ run: go test ./... -cover
+
+ - name: Upload artifacts
+ uses: actions/upload-artifact@v3
+ with:
+ name: rules-tool.tar.gz
+ path: build/checker/${{ inputs.output }}
diff --git a/.github/workflows/reusable_get_values.yaml b/.github/workflows/reusable_get_values.yaml
@@ -0,0 +1,57 @@
+# This is a reusable workflow used by master CCI
+on:
+ workflow_call:
+ outputs:
+ changed-plugins:
+ description: "A json-encoded array with the names of plugins to be used by the CI"
+ value: ${{ jobs.get-values.outputs.changed-plugins }}
+ falco-versions:
+ description: "A json-encoded array with the versions of Falco to be used by the CI"
+ value: ${{ jobs.get-values.outputs.falco-versions }}
+
+jobs:
+ get-values:
+ runs-on: ubuntu-latest
+ outputs:
+ changed-plugins: ${{ steps.set-changed-plugins.outputs.changed-plugins }}
+ falco-versions: ${{ steps.set-falco-versions.outputs.versions }}
+ steps:
+ - name: Checkout rules
+ uses: actions/checkout@v3
+
+ - name: Get changed files
+ id: changed-plugins
+ if: github.event_name == 'pull_request'
+ uses: jitterbit/get-changed-files@v1
+ with:
+ format: space-delimited
+ token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Get Falco versions
+ id: set-falco-versions
+ run: |
+ values=""
+ while read -r line
+ do
+ values="${values}${line}"$'\n'
+ done < "./.github/FALCO_VERSIONS"
+ echo "versions=$(echo "${values}" | jq -R -s -c 'split("\n")' | jq -c 'map(select(length > 0))')" >> $GITHUB_OUTPUT
+
+ - name: Get changed plugins
+ id: set-changed-plugins
+ run: |
+ # if we skip changed-plugins because we're not in a pull-request,
+ # then we consider all the rules contained in the repo
+ all_files="${{ steps.changed-plugins.outputs.all }}"
+ values=""
+ if [ -z $all_files ]; then
+ values=$(ls plugins)
+ else
+ for changed_file in $all_files; do
+ if [[ ${changed_file} =~ ^plugins/.* ]]; then
+ plugindir=$(echo ${changed_file} | sed -e 's/^plugins//' | sed -E 's_(/[^/]+).*_\1_')
+ values="${values}${plugindir:1}"$'\n'
+ fi
+ done
+ fi
+ echo "changed-files=$(echo "${values}" | jq -R -s -c 'split("\n")' | jq -c 'map(select(length > 0))')" >> $GITHUB_OUTPUT
diff --git a/plugins/cloudtrail/README.md b/plugins/cloudtrail/README.md
@@ -10,6 +10,7 @@ The plugin can be configured to obtain log files from:
 
 The plugin also exports fields that extract information from a cloudtrail event, such as the event time, the aws region, S3 bucket/EC2 instance names, etc.
 
+
 ## Event Source
 
 The event source for cloudtrail events is `aws_cloudtrail`.

diff --git a/plugins/cloudtrail/test/falco.yaml b/plugins/cloudtrail/test/falco.yaml
@@ -0,0 +1,5 @@
+plugins:
+ - name: cloudtrail
+ library_path: libcloudtrail.so
+ - name: json
+ library_path: libjson.so
diff --git a/plugins/github/README.md b/plugins/github/README.md
@@ -8,6 +8,7 @@ This plugin exports several fields that can be used to analyze GitHub activity.
 
 The plugin works by installing a webhook on one or more repositories. It then receives and parses the messages from each webhook and, for push messages, the plugin is able to retrieve the files that have been added/changed and parse them.
 
+
 ## Usage
 
 ### Prerequisites