1 /*
2 * Copyright (c) 2005-2018 Balabit
3 *
4 * This library is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU Lesser General Public
6 * License as published by the Free Software Foundation; either
7 * version 2.1 of the License, or (at your option) any later version.
8 *
9 * This library is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * Lesser General Public License for more details.
13 *
14 * You should have received a copy of the GNU Lesser General Public
15 * License along with this library; if not, write to the Free Software
16 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
17 *
18 * As an additional exemption you are allowed to compile & link against the
19 * OpenSSL libraries as published by the OpenSSL project. See the file
20 * COPYING for details.
21 *
22 */
23
24 #include "filter/filter-expr.h"
25 #include "filter/filter-expr-grammar.h"
26 #include "filter/filter-netmask.h"
27 #include "filter/filter-netmask6.h"
28 #include "filter/filter-op.h"
29 #include "filter/filter-cmp.h"
30 #include "filter/filter-tags.h"
31 #include "filter/filter-re.h"
32 #include "filter/filter-pri.h"
33 #include "cfg.h"
34 #include "messages.h"
35 #include "syslog-names.h"
36 #include "logmsg/logmsg.h"
37 #include "apphook.h"
38 #include "plugin.h"
39 #include "scratch-buffers.h"
40 #include <criterion/criterion.h>
41
42 #include <time.h>
43 #include <string.h>
44 #include <stdlib.h>
45 #include <stdio.h>
46
47 MsgFormatOptions parse_options;
48
49 gint
facility_bits(const gchar * fac)50 facility_bits(const gchar *fac)
51 {
52 return 1 << (syslog_name_lookup_facility_by_name(fac) >> 3);
53 }
54
55 gint
level_bits(const gchar * lev)56 level_bits(const gchar *lev)
57 {
58 return 1 << syslog_name_lookup_severity_by_name(lev);
59 }
60
61 gint
level_range(const gchar * from,const gchar * to)62 level_range(const gchar *from, const gchar *to)
63 {
64 int r1, r2;
65
66 r1 = syslog_name_lookup_severity_by_name(from);
67 r2 = syslog_name_lookup_severity_by_name(to);
68 return syslog_make_range(r1, r2);
69 }
70
71 FilterExprNode *
compile_pattern(FilterExprNode * f,const gchar * regexp,const gchar * type,gint flags)72 compile_pattern(FilterExprNode *f, const gchar *regexp, const gchar *type, gint flags)
73 {
74 LogMatcherOptions *matcher_options = filter_re_get_matcher_options(f);
75 gboolean result;
76
77 log_matcher_options_defaults(matcher_options);
78 matcher_options->flags = flags;
79 log_matcher_options_set_type(matcher_options, type);
80
81 result = filter_re_compile_pattern(f, regexp, NULL);
82
83 if (result)
84 return f;
85
86 filter_expr_unref(f);
87 return NULL;
88 }
89
90 FilterExprNode *
create_pcre_regexp_filter(gint field,const gchar * regexp,gint flags)91 create_pcre_regexp_filter(gint field, const gchar *regexp, gint flags)
92 {
93 return compile_pattern(filter_re_new(field), regexp, "pcre", flags);
94 }
95
96 FilterExprNode *
create_pcre_regexp_match(const gchar * regexp,gint flags)97 create_pcre_regexp_match(const gchar *regexp, gint flags)
98 {
99 return compile_pattern(filter_match_new(), regexp, "pcre", flags);
100 }
101
102 LogTemplate *
create_template(const gchar * template)103 create_template(const gchar *template)
104 {
105 LogTemplate *t;
106
107 t = log_template_new(configuration, NULL);
108 cr_assert(log_template_compile(t, template, NULL));
109 return t;
110 }
111
112 #if SYSLOG_NG_ENABLE_IPV6
113 static gboolean
_is_ipv6(const gchar * sockaddr)114 _is_ipv6(const gchar *sockaddr)
115 {
116 return (NULL != strchr(sockaddr, ':'));
117 }
118 #endif
119
120 static GSockAddr *
_get_sockaddr(const gchar * sockaddr)121 _get_sockaddr(const gchar *sockaddr)
122 {
123 if (!sockaddr)
124 return NULL;
125
126 #if SYSLOG_NG_ENABLE_IPV6
127 if (_is_ipv6(sockaddr))
128 {
129 return g_sockaddr_inet6_new(sockaddr, 5000);
130 }
131 #endif
132 return g_sockaddr_inet_new(sockaddr, 5000);
133 }
134
135 void
testcase_with_socket(const gchar * msg,const gchar * sockaddr,FilterExprNode * f,gboolean expected_result)136 testcase_with_socket(const gchar *msg, const gchar *sockaddr,
137 FilterExprNode *f,
138 gboolean expected_result)
139 {
140 LogMessage *logmsg;
141 gboolean res;
142
143 res = filter_expr_init(f, configuration);
144 cr_assert(res, "Filter init failed; msg='%s'\n", msg);
145
146 logmsg = log_msg_new(msg, strlen(msg), &parse_options);
147 log_msg_set_saddr_ref(logmsg, _get_sockaddr(sockaddr));
148
149 res = filter_expr_eval(f, logmsg);
150 cr_assert_eq(res, expected_result, "Filter test failed; msg='%s'\n", msg);
151
152 f->comp = 1;
153 res = filter_expr_eval(f, logmsg);
154 cr_assert_eq(res, !expected_result, "Filter test failed (negated); msg='%s'\n", msg);
155
156 log_msg_unref(logmsg);
157 filter_expr_unref(f);
158 }
159
160 void
testcase(const gchar * msg,FilterExprNode * f,gboolean expected_result)161 testcase(const gchar *msg,
162 FilterExprNode *f,
163 gboolean expected_result)
164 {
165 testcase_with_socket(msg, NULL, f, expected_result);
166 }
167
168 void
testcase_with_backref_chk(const gchar * msg,FilterExprNode * f,gboolean expected_result,const gchar * name,const gchar * value)169 testcase_with_backref_chk(const gchar *msg,
170 FilterExprNode *f,
171 gboolean expected_result,
172 const gchar *name,
173 const gchar *value
174 )
175 {
176 LogMessage *logmsg;
177 const gchar *value_msg;
178 NVTable *nv_table;
179 gboolean res;
180 gssize length;
181 NVHandle nonasciiz = log_msg_get_value_handle("NON-ASCIIZ");
182 gssize msglen;
183 gchar buf[1024];
184
185 logmsg = log_msg_new(msg, strlen(msg), &parse_options);
186 log_msg_set_saddr_ref(logmsg, g_sockaddr_inet_new("10.10.0.1", 5000));
187
188 /* NOTE: we test how our filters cope with non-zero terminated values. We don't change message_len, only the value */
189 g_snprintf(buf, sizeof(buf), "%sAAAAAAAAAAAA", log_msg_get_value(logmsg, LM_V_MESSAGE, &msglen));
190 log_msg_set_value_by_name(logmsg, "MESSAGE2", buf, -1);
191
192 /* add a non-zero terminated indirect value which contains the whole message */
193 log_msg_set_value_indirect(logmsg, nonasciiz, log_msg_get_value_handle("MESSAGE2"), 0, 0, msglen);
194
195 nv_table = nv_table_ref(logmsg->payload);
196 res = filter_expr_eval(f, logmsg);
197 cr_assert_eq(res, expected_result, "Filter test failed; msg='%s'\n", msg);
198
199 nv_table_unref(nv_table);
200 f->comp = 1;
201
202 nv_table = nv_table_ref(logmsg->payload);
203 res = filter_expr_eval(f, logmsg);
204 cr_assert_eq(res, !expected_result, "Filter test failed (negated); msg='%s'\n", msg);
205
206 value_msg = log_msg_get_value_by_name(logmsg, name, &length);
207 nv_table_unref(nv_table);
208 if(value == NULL || value[0] == 0)
209 {
210 cr_assert_not(value_msg != NULL
211 && value_msg[0] != 0, "Filter test failed (NULL value chk); msg='%s', expected_value='%s', value_in_msg='%s'",
212 msg, value, value_msg);
213 }
214 else
215 {
216 const gint value_len = strlen(value);
217 cr_assert_eq(length, value_len);
218 cr_assert_eq(strncmp(value_msg, value, value_len), 0,
219 "Filter test failed (value chk); msg='%s', expected_value='%s', value_in_msg='%s'",
220 msg, value, value_msg);
221 }
222 log_msg_unref(logmsg);
223 filter_expr_unref(f);
224 }
225
226 void
setup(void)227 setup(void)
228 {
229 app_startup();
230
231 configuration = cfg_new_snippet();
232 cfg_load_module(configuration, "syslogformat");
233 msg_format_options_defaults(&parse_options);
234 msg_format_options_init(&parse_options, configuration);
235 }
236
237 void
teardown(void)238 teardown(void)
239 {
240 scratch_buffers_explicit_gc();
241 app_shutdown();
242 }
243