fix #124 (#127)

* fix #124
2020-07-09 12:41:18 +02:00 · 2020-07-09 12:41:18 +02:00 · 44304a30e7
parent a099a164e1
commit 44304a30e7
3 changed files with 26 additions and 7 deletions
--- a/pkg/parser/node.go
+++ b/pkg/parser/node.go
@ -144,7 +144,8 @@ func (n *Node) process(p *types.Event, ctx UnixParserCtx) (bool, error) {
 	if n.Name != "" {
 		NodesHits.With(prometheus.Labels{"source": p.Line.Src, "name": n.Name}).Inc()
 	}
-	set := false
+	isWhitelisted := false
+	hasWhitelist := false
 	var src net.IP
 	/*overflow and log don't hold the source ip in the same field, should be changed */
 	/* perform whitelist checks for ips, cidr accordingly */
@ -160,18 +161,22 @@ func (n *Node) process(p *types.Event, ctx UnixParserCtx) (bool, error) {
 			if v.Equal(src) {
 				clog.Debugf("Event from [%s] is whitelisted by Ips !", src)
 				p.Whitelisted = true
-				set = true
+				isWhitelisted = true
+			} else {
+				clog.Debugf("whitelist: %s is not eq [%s]", src, v)
 			}
+			hasWhitelist = true
 		}

 		for _, v := range n.Whitelist.B_Cidrs {
 			if v.Contains(src) {
 				clog.Debugf("Event from [%s] is whitelisted by Cidrs !", src)
 				p.Whitelisted = true
-				set = true
+				isWhitelisted = true
 			} else {
 				clog.Debugf("whitelist: %s not in [%s]", src, v)
 			}
+			hasWhitelist = true
 		}
 	} else {
 		clog.Debugf("no ip in event, cidr/ip whitelists not checked")
@ -190,13 +195,14 @@ func (n *Node) process(p *types.Event, ctx UnixParserCtx) (bool, error) {
 			if out {
 				clog.Debugf("Event is whitelisted by Expr !")
 				p.Whitelisted = true
-				set = true
+				isWhitelisted = true
 			}
+			hasWhitelist = true
 		default:
 			log.Errorf("unexpected type %t (%v) while running '%s'", output, output, n.Whitelist.Exprs[eidx])
 		}
 	}
-	if set {
+	if isWhitelisted {
 		p.WhiteListReason = n.Whitelist.Reason
 		/*huglily wipe the ban order if the event is whitelisted and it's an overflow */
 		if p.Type == types.OVFLW { /*don't do this at home kids */
@ -298,9 +304,9 @@ func (n *Node) process(p *types.Event, ctx UnixParserCtx) (bool, error) {
 	if n.Name != "" {
 		NodesHitsOk.With(prometheus.Labels{"source": p.Line.Src, "name": n.Name}).Inc()
 	}
-	if len(n.Statics) > 0 {
+	if hasWhitelist && isWhitelisted && len(n.Statics) > 0 || len(n.Statics) > 0 && !hasWhitelist {
 		clog.Debugf("+ Processing %d statics", len(n.Statics))
-		// if all else is good, process node's statics
+		// if all else is good in whitelist, process node's statics
 		err := ProcessStatics(n.Statics, p, clog)
 		if err != nil {
 			clog.Fatalf("Failed to process statics : %v", err)
--- a/pkg/parser/tests/whitelist-base/base-grok.yaml
+++ b/pkg/parser/tests/whitelist-base/base-grok.yaml
@ -9,3 +9,6 @@ whitelist:
    - "1.2.3.0/24"
  expression:
    - "'supertoken1234' == evt.Enriched.test_token"
+statics:
+  - meta: statics
+    value: success
--- a/pkg/parser/tests/whitelist-base/test.yaml
+++ b/pkg/parser/tests/whitelist-base/test.yaml
@ -3,41 +3,51 @@ lines:
  - Meta:
      test: test1
      source_ip: 8.8.8.8
+      statics: toto
  - Meta:
      test: test2
      source_ip: 1.2.3.4
+      statics: toto
  - Meta:
      test: test3
      source_ip: 2.2.3.4
+      statics: toto
  - Meta:
      test: test4
      source_ip: 8.8.8.9
+      statics: toto
  - Enriched:
      test_token: supertoken1234
    Meta:
      test: test5
+      statics: toto
 #these are the results we expect from the parser
 results:
  - Whitelisted: true
    Process: true
    Meta:
      test: test1
+      statics: success
  - Whitelisted: true
    Process: true 
    Meta:
      test: test2
+      statics: success
  - Whitelisted: false
    Process: true
    Meta:
      test: test3
+      statics: toto
  - Whitelisted: false
    Process: true
    Meta:
      test: test4
+      statics: toto
  - Whitelisted: true
    Process: true
    Meta:
      test: test5
+      statics: success