github.com/DataDog/datadog-agent/pkg/security/secl@v0.55.0-devel.0.20240517055856-10c4965fea94/rules/collected_events_functests.go (about) 1 // Unless explicitly stated otherwise all files in this repository are licensed 2 // under the Apache License Version 2.0. 3 // This product includes software developed at Datadog (https://www.datadoghq.com/). 4 // Copyright 2016-present Datadog, Inc. 5 6 //go:build functionaltests 7 8 // Package rules holds rules related files 9 package rules 10 11 import ( 12 "errors" 13 "sync" 14 15 "github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval" 16 ) 17 18 type EventCollector struct { 19 sync.Mutex 20 eventsCollected []CollectedEvent 21 } 22 23 func (ec *EventCollector) CollectEvent(rs *RuleSet, event eval.Event, result bool) { 24 ec.Lock() 25 defer ec.Unlock() 26 var fieldNotSupportedError *eval.ErrNotSupported 27 28 eventType := event.GetType() 29 collectedEvent := CollectedEvent{ 30 Type: eventType, 31 EvalResult: result, 32 Fields: make(map[string]interface{}, len(rs.fields)), 33 } 34 35 for _, field := range rs.fields { 36 fieldEventType, err := event.GetFieldEventType(field) 37 if err != nil { 38 rs.logger.Errorf("failed to get event type for field %s: %v", field, err) 39 } 40 41 if fieldEventType != "*" && fieldEventType != eventType { 42 continue 43 } 44 45 value, err := event.GetFieldValue(field) 46 if err != nil { 47 // GetFieldValue returns the default type value with ErrNotSupported in case the field Check test fails 48 if !errors.As(err, &fieldNotSupportedError) { 49 rs.logger.Errorf("failed to get value for %s: %v", field, err) 50 continue 51 } 52 } 53 54 collectedEvent.Fields[field] = value 55 } 56 57 ec.eventsCollected = append(ec.eventsCollected, collectedEvent) 58 } 59 60 func (ec *EventCollector) Stop() []CollectedEvent { 61 ec.Lock() 62 defer ec.Unlock() 63 64 collected := ec.eventsCollected 65 ec.eventsCollected = nil 66 return collected 67 }