falco_plugin/source/

mod.rs

//! # Event sourcing support
//!
//! Plugins with event sourcing capability provide a new event source and make it available to
//! libscap and libsinsp. They have the ability to "open" and "close" a stream of events and return
//! those events to the plugin framework. They also provide a plugin ID, which is globally unique
//! and is used in capture files. Event sources provided by plugins with this capability are tied
//! to the events they generate and can be used by [plugins with field extraction](crate::source)
//! capabilities and within Falco rules.
//! For your plugin to support event sourcing, you will need to implement the [`SourcePlugin`]
//! trait and invoke the [`source_plugin`](crate::source_plugin) macro, for example:
//!
//! ```
//! use std::ffi::{CStr, CString};
//! use anyhow::Error;
//! use falco_event::events::{Event, RawEvent};
//! use falco_plugin::base::{Metric, Plugin};
//! use falco_plugin::{plugin, source_plugin};
//! use falco_plugin::source::{EventBatch, EventInput, PluginEvent, SourcePlugin, SourcePluginInstance};
//! use falco_plugin::tables::TablesInput;
//! use falco_plugin_api::ss_plugin_event_input;
//!
//! struct MySourcePlugin;
//!
//! impl Plugin for MySourcePlugin {
//!     // ...
//! #    const NAME: &'static CStr = c"sample-plugin-rs";
//! #    const PLUGIN_VERSION: &'static CStr = c"0.0.1";
//! #    const DESCRIPTION: &'static CStr = c"A sample Falco plugin that does nothing";
//! #    const CONTACT: &'static CStr = c"you@example.com";
//! #    type ConfigType = ();
//! #
//! #    fn new(input: Option<&TablesInput>, config: Self::ConfigType)
//! #        -> Result<Self, anyhow::Error> {
//! #        Ok(MySourcePlugin)
//! #    }
//! #
//! #    fn set_config(&mut self, config: Self::ConfigType) -> Result<(), anyhow::Error> {
//! #        Ok(())
//! #    }
//! #
//! #    fn get_metrics(&mut self) -> impl IntoIterator<Item=Metric> {
//! #        []
//! #    }
//! }
//!
//! struct MySourcePluginInstance;
//!
//! impl SourcePlugin for MySourcePlugin {
//!     type Instance = MySourcePluginInstance;
//!     const EVENT_SOURCE: &'static CStr = c"my-source-plugin";
//!     const PLUGIN_ID: u32 = 0; // we do not have one assigned for this example :)
//!
//!     type Event<'a> = Event<PluginEvent<&'a [u8]>>;
//!
//!     fn open(&mut self, params: Option<&str>) -> Result<Self::Instance, Error> {
//!         // we do not use the open parameters in this example
//!         Ok((MySourcePluginInstance))
//!     }
//!
//!     fn event_to_string(&mut self, event: &EventInput<Self::Event<'_>>) -> Result<CString, Error> {
//!         // a string representation for our event; just copy out the whole event data
//!         // (it's an ASCII string); please note we need the copy because we need to add
//!         // a NUL terminator to convert the byte buffer to a C string
//!
//!         // get the plugin event
//!         let plugin_event = event.event()?;
//!
//!         // convert the data to a CString and return it
//!         Ok(CString::new(plugin_event.params.event_data)?)
//!     }
//! }
//!
//! impl SourcePluginInstance for MySourcePluginInstance {
//!     type Plugin = MySourcePlugin;
//!
//!     fn next_batch(&mut self, plugin: &mut Self::Plugin, batch: &mut EventBatch)
//!     -> Result<(), Error> {
//!         let event = Self::plugin_event(b"hello, world");
//!         batch.add(event)?;
//!
//!         Ok(())
//!     }}
//!
//! plugin!(MySourcePlugin);
//! source_plugin!(MySourcePlugin);
//! ```

use crate::base::Plugin;
use crate::source::wrappers::SourcePluginExported;
use falco_event::events::{AnyEventPayload, EventMetadata};
use falco_event::events::{Event, RawEvent};
use std::ffi::{CStr, CString};

mod event_batch;
mod open_params;
#[doc(hidden)]
pub mod wrappers;

pub use crate::event::EventInput;
pub use crate::event::PluginEvent;
pub use event_batch::EventBatch;
pub use open_params::{serialize_open_params, OpenParam};

/// Support for event sourcing plugins
pub trait SourcePlugin: Plugin + SourcePluginExported {
    /// # Instance type
    ///
    /// Each source plugin defines an instance type. The instance is the object responsible
    /// for actual generation of events. The plugin type mostly serves as a way to create
    /// and destroy instances.
    ///
    /// **Note**: while there may be multiple instances for a particular plugin, there will be
    /// at most one at any given time.
    type Instance: SourcePluginInstance<Plugin = Self>;

    /// # Event source name
    ///
    /// This string describes the event source. One notable event source name is `syscall`,
    /// for plugins collecting syscall information.
    ///
    /// If the plugin defines both `EVENT_SOURCE` (as a non-empty string) and `PLUGIN_ID`
    /// (as a non-zero value), it will only be allowed to emit plugin events (e.g. [`crate::event::PluginEvent`])
    /// with the `plugin_id` field matching `PLUGIN_ID` in the definition of this trait.
    ///
    /// This constant must be a non-empty string if `PLUGIN_ID` is set.
    const EVENT_SOURCE: &'static CStr;

    /// # Plugin ID
    ///
    /// This is the unique ID of the plugin.
    ///
    /// If the plugin defines both `EVENT_SOURCE` (as a non-empty string) and `PLUGIN_ID`
    /// (as a non-zero value), it will only be allowed to emit plugin events (e.g. [`crate::event::PluginEvent`])
    /// with the `plugin_id` field matching `PLUGIN_ID` in the definition of this trait.
    ///
    /// > EVERY PLUGIN WITH EVENT SOURCING CAPABILITY IMPLEMENTING A SPECIFIC EVENT SOURCE MUST
    /// > OBTAIN AN OFFICIAL ID FROM THE FALCOSECURITY ORGANIZATION, OTHERWISE IT WON'T PROPERLY
    /// > COEXIST WITH OTHER PLUGINS.
    const PLUGIN_ID: u32;

    /// # Event type handled by this plugin
    ///
    /// The SDK does not enforce limits on the events generated, but you can make your life
    /// a bit easier in `event_to_string` by specifying the event type your plugin generates here.
    /// Events will be parsed into this type before being passed to the plugin, so you can
    /// work directly on the deserialized form and don't need to worry about validating
    /// the events.
    ///
    /// If an event fails this conversion, an error will be returned from the SDK and your
    /// string formatting code won't be called.
    ///
    /// If you don't want any specific validation/conversion to be performed, specify the type as
    /// ```
    /// type Event<'a> = falco_event::events::RawEvent<'a>;
    /// ```
    type Event<'a>: AnyEventPayload + TryFrom<&'a RawEvent<'a>>
    where
        Self: 'a;

    /// # List sample open parameters
    ///
    /// Return a list of suggested open parameters supported by this plugin.
    /// Any of the values in the returned list are valid parameters for open().
    ///
    /// The default implementation returns an empty string, but you can use
    /// [`crate::source::serialize_open_params`] and [`crate::source::OpenParam`] to build
    /// a description of what the [`SourcePlugin::open`] method expects.
    ///
    /// **Note**: as of API version 3.4.0, this appears unused.
    fn list_open_params(&mut self) -> Result<&CStr, anyhow::Error> {
        Ok(c"")
    }

    /// # Open a capture instance
    ///
    /// This method receives the `open` parameter from Falco configuration and returns
    /// a new instance of the source plugin.
    fn open(&mut self, params: Option<&str>) -> Result<Self::Instance, anyhow::Error>;

    /// # Close a capture instance
    ///
    /// The default implementation does nothing, leaving all cleanup to the instance type's
    /// [`Drop`] implementation, if any.
    fn close(&mut self, _instance: &mut Self::Instance) {}

    /// # Render an event to string
    ///
    /// This string will be available as `%evt.plugininfo` in Falco rules. You may consider
    /// using the helpers from [`crate::strings`] to build the resulting CString.
    fn event_to_string(
        &mut self,
        event: &EventInput<Self::Event<'_>>,
    ) -> Result<CString, anyhow::Error>;
}

/// Information about capture progress
#[derive(Debug)]
pub struct ProgressInfo<'a> {
    /// Progress percentage (0.0-100.0)
    pub value: f64,
    /// Optional detailed message about the progress
    pub detail: Option<&'a CStr>,
}

struct SourcePluginInstanceWrapper<I: SourcePluginInstance> {
    instance: I,
    batch: bumpalo::Bump,
}

/// # An open instance of a source plugin
pub trait SourcePluginInstance {
    /// # The [`SourcePlugin`] this instance belongs to.
    ///
    /// Source plugin and instance types must correspond 1:1 to each other.
    type Plugin: SourcePlugin<Instance = Self>;

    /// # Fill the next batch of events
    ///
    /// This is the most important method for the source plugin implementation. It is responsible
    /// for actually generating the events for the main event loop.
    ///
    /// For performance, events are returned in batches. Of course, it's entirely valid to have
    /// just a single event in a batch.
    ///
    /// ## Returning one or more events
    ///
    /// For each event that is ready, pass it to `batch.add()` to add it to the current batch
    /// to be returned.
    ///
    /// ```ignore
    /// fn next_batch(
    ///     &mut self,
    ///     plugin: &mut Self::Plugin,
    ///     batch: &mut EventBatch,
    /// ) -> Result<(), anyhow::Error> {
    ///     let mut event = Vec::new();
    ///     // ...
    ///     let event = Self::plugin_event(&event);
    ///     batch.add(event)?;
    ///     Ok(())
    /// }
    /// ```
    ///
    /// ## Returning no events, temporarily
    ///
    /// If there are no events to return at the moment but there might be later, you should
    /// return [`FailureReason::Timeout`](`crate::FailureReason::Timeout`) as the error. The plugin framework will retry the call
    /// to `next_batch` later.
    ///
    /// ```ignore
    /// fn next_batch(
    ///     &mut self,
    ///     plugin: &mut Self::Plugin,
    ///     batch: &mut EventBatch,
    /// ) -> Result<(), anyhow::Error> {
    ///     std::thread::sleep(Duration::from_millis(100));
    ///     Err(anyhow::anyhow!("no events right now").context(FailureReason::Timeout))
    /// }
    /// ```
    ///
    /// ## Returning no events, permanently
    ///
    /// If there will be no more events coming from this instance, you should return\
    /// [`FailureReason::Eof`](`crate::FailureReason::Eof`) as the error. The plugin framework will end the capture and shut down
    /// gracefully.
    ///
    /// ```ignore
    /// fn next_batch(
    ///     &mut self,
    ///     plugin: &mut Self::Plugin,
    ///     batch: &mut EventBatch,
    /// ) -> Result<(), anyhow::Error> {
    ///     Err(anyhow::anyhow!("no more events").context(FailureReason::Eof))
    /// }
    /// ```
    ///
    /// ## Timing considerations
    ///
    /// This method is effectively called in a loop by Falco and there's a delicate balance of
    /// how much time to spend here waiting for events. On the one hand, you don't want to poll
    /// in a tight loop, since that leads to excessive CPU usage. On the other hand, you don't
    /// want to sleep forever waiting for an event, since it may block other tasks running in the
    /// main event loop thread. As a rule of thumb, waiting up to 10-100 milliseconds for an event
    /// works fine.
    fn next_batch(
        &mut self,
        plugin: &mut Self::Plugin,
        batch: &mut EventBatch,
    ) -> Result<(), anyhow::Error>;

    /// # Get progress information
    ///
    /// If your plugin reads from a source that has a well-defined end (like a file),
    /// you can use this method to report progress information.
    ///
    /// It consists of a percentage (0.0-100.0) and an optional description containing more
    /// details about the progress (e.g. bytes read/bytes total).
    fn get_progress(&mut self) -> ProgressInfo<'_> {
        ProgressInfo {
            value: 0.0,
            detail: None,
        }
    }

    /// # A helper for generating plugin events
    ///
    /// If your plugin defines a PLUGIN_ID and a source name, the only allowed events are
    /// plugin events (e.g. [`crate::event::PluginEvent`]), and effectively the only customizable
    /// field is the event data (which is a generic byte buffer).
    ///
    /// This method makes it easy to generate such events: just pass it the event data and get
    /// the complete event, with all the metadata set to reasonable defaults.
    fn plugin_event(data: &[u8]) -> Event<PluginEvent<&[u8]>> {
        let event = PluginEvent {
            plugin_id: Self::Plugin::PLUGIN_ID,
            event_data: data,
        };

        let metadata = EventMetadata::default();

        Event {
            metadata,
            params: event,
        }
    }
}