Support LIKE syntax for source rather than glob

kolide · Jul 1, 2024 · 3019cf0 · 3019cf0
1 parent eda263e
commit 3019cf0
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 3 deletions.
diff --git a/ee/katc/config.go b/ee/katc/config.go
@@ -86,7 +86,7 @@ func (r *rowTransformStep) UnmarshalJSON(data []byte) error {
 // sends down these configurations.
 type katcTableConfig struct {
 	SourceType        katcSourceType     `json:"source_type"`
-	Source            string             `json:"source"` // Describes how to connect to source (e.g. path to db) -- wildcards supported
+	Source            string             `json:"source"` // Describes how to connect to source (e.g. path to db) -- % and _ wildcards supported
 	Platform          string             `json:"platform"`
 	Columns           []string           `json:"columns"`
 	Query             string             `json:"query"` // Query to run against `path`

diff --git a/ee/katc/sqlite.go b/ee/katc/sqlite.go
@@ -6,13 +6,15 @@ import (
 	"fmt"
 	"log/slog"
 	"path/filepath"
+	"strings"
 
 	"github.com/osquery/osquery-go/plugin/table"
 	_ "modernc.org/sqlite"
 )
 
 // sqliteData is the dataFunc for sqlite KATC tables
-func sqliteData(ctx context.Context, slogger *slog.Logger, pathPattern string, query string, sourceConstraints *table.ConstraintList) ([]sourceData, error) {
+func sqliteData(ctx context.Context, slogger *slog.Logger, sourcePattern string, query string, sourceConstraints *table.ConstraintList) ([]sourceData, error) {
+	pathPattern := sourcePatternToGlobbablePattern(sourcePattern)
 	sqliteDbs, err := filepath.Glob(pathPattern)
 	if err != nil {
 		return nil, fmt.Errorf("globbing for files with pattern %s: %w", pathPattern, err)
@@ -42,6 +44,17 @@ func sqliteData(ctx context.Context, slogger *slog.Logger, pathPattern string, q
 	return results, nil
 }
 
+// sourcePatternToGlobbablePattern translates the source pattern, which adheres to LIKE
+// sqlite syntax for consistency with other osquery tables, into a pattern that can be
+// accepted by filepath.Glob.
+func sourcePatternToGlobbablePattern(sourcePattern string) string {
+	// % matches zero or more characters in LIKE, corresponds to * in glob syntax
+	globbablePattern := strings.Replace(sourcePattern, "%", `*`, -1)
+	// _ matches a single character in LIKE, corresponds to ? in glob syntax
+	globbablePattern = strings.Replace(globbablePattern, "_", `?`, -1)
+	return globbablePattern
+}
+
 // querySqliteDb queries the database at the given path, returning rows of results
 func querySqliteDb(ctx context.Context, slogger *slog.Logger, path string, query string) ([]map[string][]byte, error) {
 	dsn := fmt.Sprintf("file:%s?mode=ro", path)

diff --git a/ee/katc/table_test.go b/ee/katc/table_test.go
@@ -88,7 +88,7 @@ func Test_generate_SqliteBackedIndexedDB(t *testing.T) {
 		},
 		Platform: runtime.GOOS,
 		Columns:  []string{expectedColumn},
-		Source:   filepath.Join(databaseDir, "*.sqlite"), // All sqlite files in the test directory
+		Source:   filepath.Join(databaseDir, "%.sqlite"), // All sqlite files in the test directory
 		Query:    "SELECT data FROM object_data;",
 		RowTransformSteps: []rowTransformStep{
 			{