update extract function with different return values

Signed-off-by: lorenzo-merici <[email protected]>
falcosecurity · Sep 22, 2023 · bd85d47 · bd85d47
1 parent 2605da1
commit bd85d47
Showing 1 changed file with 61 additions and 138 deletions.
diff --git a/plugins/gcpaudit/pkg/gcpaudit/extract.go b/plugins/gcpaudit/pkg/gcpaudit/extract.go
@@ -1,10 +1,10 @@
 package gcpaudit
 
 import (
-	"fmt"
 	"io"
 
 	"github.com/falcosecurity/plugin-sdk-go/pkg/sdk"
+	"github.com/valyala/fastjson"
 )
 
 func (p *Plugin) Fields() []sdk.FieldEntry {
@@ -35,188 +35,111 @@ func (p *Plugin) Fields() []sdk.FieldEntry {
 	}
 }
 
+// Extract a field value from an event.
 func (p *Plugin) Extract(req sdk.ExtractRequest, evt sdk.EventReader) error {
+	// Decode the json, but only if we haven't done it yet for this event
 	if evt.EventNum() != p.lastEventNum {
-		evtBytes, err := io.ReadAll(evt.Reader())
+		// Read the event data
+		data, err := io.ReadAll(evt.Reader())
 		if err != nil {
 			return err
 		}
-		evtString := string(evtBytes)
-		p.jdata, err = p.jparser.Parse(evtString)
+
+		// For this plugin, events are always strings
+		evtStr := string(data)
+
+		p.jdata, err = p.jparser.Parse(evtStr)
 		if err != nil {
+			// Not a json file, so not present.
 			return err
 		}
 		p.lastEventNum = evt.EventNum()
 	}
 
-	switch req.Field() {
-	case "gcp.user":
-		principalEmail := string(p.jdata.Get("protoPayload").Get("authenticationInfo").Get("principalEmail").GetStringBytes())
-		req.SetValue(principalEmail)
+	// Extract the field value
+	present, value := getfieldStr(p.jdata, req.Field())
+	if present {
+		req.SetValue(value)
+	}
 
-	case "gcp.callerIP":
-		principalIP := string(p.jdata.Get("protoPayload").Get("requestMetadata").Get("callerIp").GetStringBytes())
-		req.SetValue(principalIP)
+	return nil
+}
 
-	case "gcp.userAgent":
-		principalUserAgent := p.jdata.Get("protoPayload").Get("requestMetadata").GetStringBytes("callerSuppliedUserAgent")
-		if principalUserAgent != nil {
-			req.SetValue(string(principalUserAgent))
-		}
+func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
+	var res string
 
+	switch field {
+	case "gcp.user":
+		res = string(jdata.Get("protoPayload").Get("authenticationInfo").Get("principalEmail").GetStringBytes())
+	case "gcp.callerIP":
+		res = string(jdata.Get("protoPayload").Get("requestMetadata").Get("callerIp").GetStringBytes())
+	case "gcp.userAgent":
+		res = string(jdata.Get("protoPayload").Get("requestMetadata").Get("callerSuppliedUserAgent").GetStringBytes())
 	case "gcp.authorizationInfo":
-		principalAuthorizationInfo := p.jdata.Get("protoPayload").GetStringBytes("authorizationInfo")
-		if principalAuthorizationInfo != nil {
-			req.SetValue(string(principalAuthorizationInfo))
-		}
-
+		res = string(jdata.Get("protoPayload").Get("authorizationInfo").GetStringBytes())
 	case "gcp.serviceName":
-		serviceName := p.jdata.Get("protoPayload").Get("serviceName")
-		if serviceName.Exists() {
-			req.SetValue(string(serviceName.GetStringBytes()))
-		}
-
+		res = string(jdata.Get("protoPayload").Get("serviceName").GetStringBytes())
 	case "gcp.request":
-		request := p.jdata.Get("protoPayload").GetStringBytes("request")
-		if request != nil {
-			req.SetValue(string(request))
-		}
-
+		res = string(jdata.Get("protoPayload").Get("request").GetStringBytes())
 	case "gcp.policyDelta":
-		resource := string(p.jdata.Get("resource").Get("type").GetStringBytes())
-
+		resource := string(jdata.Get("resource").Get("type").GetStringBytes())
 		if resource == "gcs_bucket" {
-			bindingDeltas := p.jdata.Get("protoPayload").Get("serviceData").Get("policyDelta").GetStringBytes("bindingDeltas")
-			if bindingDeltas != nil {
-				req.SetValue(string(bindingDeltas))
-			}
+			res = string(jdata.Get("protoPayload").Get("serviceData").Get("policyDelta").Get("bindingDeltas").GetStringBytes())
 		} else {
-			bindingDeltas := p.jdata.Get("protoPayload").Get("metadata").Get("datasetChange").GetStringBytes("bindingDeltas")
-			if bindingDeltas != nil {
-				req.SetValue(string(bindingDeltas))
-			}
+			res = string(jdata.Get("protoPayload").Get("metadata").Get("datasetChange").Get("bindingDeltas").GetStringBytes())
 		}
-
 	case "gcp.methodName":
-		methodName := string(p.jdata.Get("protoPayload").Get("methodName").GetStringBytes())
-		req.SetValue(methodName)
-
+		res = string(jdata.Get("protoPayload").Get("methodName").GetStringBytes())
 	case "gcp.cloudfunctions.function":
-		functionName := p.jdata.Get("resource").Get("labels").GetStringBytes("function_name")
-		if functionName != nil {
-			req.SetValue(string(functionName))
-		}
-
+		res = string(jdata.Get("resource").Get("labels").Get("function_name").GetStringBytes())
 	case "gcp.cloudsql.databaseId":
-		databaseId := p.jdata.Get("resource").Get("labels").GetStringBytes("database_id")
-		if databaseId != nil {
-			req.SetValue(string(databaseId))
-		}
-
+		res = string(jdata.Get("resource").Get("labels").Get("database_id").GetStringBytes())
 	case "gcp.compute.instanceId":
-		instanceId := p.jdata.Get("resource").Get("labels").GetStringBytes("instance_id")
-		if instanceId != nil {
-			req.SetValue(string(instanceId))
-		}
-
+		res = string(jdata.Get("resource").Get("labels").Get("instance_id").GetStringBytes())
 	case "gcp.compute.networkId":
-		networkId := p.jdata.Get("resource").Get("labels").GetStringBytes("network_id")
-		if networkId != nil {
-			req.SetValue(string(networkId))
-		}
-
+		res = string(jdata.Get("resource").Get("labels").Get("network_id").GetStringBytes())
 	case "gcp.compute.subnetwork":
-		subnetwork := p.jdata.Get("resource").Get("labels").GetStringBytes("subnetwork_name")
-		if subnetwork != nil {
-			req.SetValue(string(subnetwork))
-		}
-
+		res = string(jdata.Get("resource").Get("labels").Get("subnetwork_name").GetStringBytes())
 	case "gcp.compute.subnetworkId":
-		subnetworkId := p.jdata.Get("resource").Get("labels").GetStringBytes("subnetwork_id")
-		if subnetworkId != nil {
-			req.SetValue(string(subnetworkId))
-		}
-
+		res = string(jdata.Get("resource").Get("labels").Get("subnetwork_id").GetStringBytes())
 	case "gcp.dns.zone":
-		zone := p.jdata.Get("resource").Get("labels").GetStringBytes("zone_name")
-		if zone != nil {
-			req.SetValue(string(zone))
-		}
-
+		res = string(jdata.Get("resource").Get("labels").Get("zone_name").GetStringBytes())
 	case "gcp.iam.serviceAccount":
-		serviceAccount := p.jdata.Get("resource").Get("labels").GetStringBytes("email_id")
-		if serviceAccount != nil {
-			req.SetValue(string(serviceAccount))
-		}
-
+		res = string(jdata.Get("resource").Get("labels").Get("email_id").GetStringBytes())
 	case "gcp.iam.serviceAccountId":
-		serviceAccountId := p.jdata.Get("resource").Get("labels").GetStringBytes("unique_id")
-		if serviceAccountId != nil {
-			req.SetValue(string(serviceAccountId))
-		}
-
+		res = string(jdata.Get("resource").Get("labels").Get("unique_id").GetStringBytes())
 	case "gcp.location":
-		location := p.jdata.Get("resource").Get("labels").GetStringBytes("location")
-		if location != nil {
-			req.SetValue(string(location))
-			return nil
+		res = string(jdata.Get("resource").Get("labels").Get("location").GetStringBytes())
+		if res != "" {
+			break
 		}
 		// if location is not present, check for region
-		region := p.jdata.Get("resource").Get("labels").GetStringBytes("region")
-		if region != nil {
-			req.SetValue(string(region))
-			return nil
+		res = string(jdata.Get("resource").Get("labels").Get("region").GetStringBytes())
+		if res != "" {
+			break
 		}
 		// if region is not present, check for zone
-		val := p.jdata.Get("resource").Get("labels").Get("zone").GetStringBytes()
-		if val != nil {
-			zone := string(val)
-			if len(zone) > 2 {
-				// if in format: "us-central1-a", remove last two chars
-				formattedZone := zone[:len(zone)-2]
-				req.SetValue(formattedZone)
-			} else if zone != "" {
-				req.SetValue(zone)
-			}
+		res = string(jdata.Get("resource").Get("labels").Get("zone").GetStringBytes())
+		if len(res) > 2 {
+			// if in format: "us-central1-a", remove last two chars
+			res = res[:len(res)-2]
 		}
-
 	case "gcp.logging.sink":
-		resource := string(p.jdata.Get("resource").Get("type").GetStringBytes())
-
+		resource := string(jdata.Get("resource").Get("type").GetStringBytes())
 		if resource == "logging_sink" {
-			loggingSink := p.jdata.Get("resource").Get("labels").Get("name")
-			if loggingSink.Exists() {
-				req.SetValue(loggingSink)
-			}
+			res = string(jdata.Get("resource").Get("labels").Get("name").GetStringBytes())
 		}
-
 	case "gcp.projectId":
-		projectId := p.jdata.Get("resource").Get("labels").GetStringBytes("project_id")
-		if projectId != nil {
-			req.SetValue(string(projectId))
-		}
-
+		res = string(jdata.Get("resource").Get("labels").Get("project_id").GetStringBytes())
 	case "gcp.resourceName":
-		resourceName := p.jdata.Get("protoPayload").GetStringBytes("resourceName")
-		if resourceName != nil {
-			req.SetValue(string(resourceName))
-		}
-
+		res = string(jdata.Get("protoPayload").Get("resourceName").GetStringBytes())
 	case "gcp.resourceType":
-		resourceType := p.jdata.Get("resource").GetStringBytes("type")
-		if resourceType != nil {
-			req.SetValue(string(resourceType))
-		}
-
+		res = string(jdata.Get("resource").Get("type").GetStringBytes())
 	case "gcp.storage.bucket":
-		bucket := p.jdata.Get("resource").Get("labels").GetStringBytes("bucket_name")
-		if bucket != nil {
-			req.SetValue(string(bucket))
-		}
-
+		res = string(jdata.Get("resource").Get("labels").Get("bucket_name").GetStringBytes())
 	default:
-		return fmt.Errorf("unknown field: %s", req.Field())
+		return false, ""
 	}
 
-	return nil
+	return true, res
 }