#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "grok_logging.h"
#include "predicates.h"
/* Compiled form of REGEXP_PREDICATE_RE. It is NULL until
 * grok_predicate_regexp_global_init() compiles it, and remains NULL when
 * that compile fails. */
static pcre *regexp_predicate_op = NULL;
/* Syntax of a regexp predicate: optional whitespace, '!' or '=' (capture 1)
 * followed by '~', optional whitespace, one delimiter character (capture 2),
 * the pattern body (capture 3), and finally the same delimiter again through
 * the relative back-reference to capture 2.
 * NOTE(review): the '*' quantifier sits outside capture 3, so PCRE reports
 * only the last repetition of that group; a body that contains '/' would be
 * captured only in part -- confirm whether that is intended. */
#define REGEXP_PREDICATE_RE \
"(?:\\s*([!=])~" \
"\\s*" \
"(.)" \
"([^\\/]+|(?:\\/)+)*)" \
"(?:\\g{-2})"
/* Forward declaration: compiles REGEXP_PREDICATE_RE on first use. */
static void grok_predicate_regexp_global_init(void);
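/* Operation things */

/* Comparison operators a numeric or string predicate can carry. */
typedef enum { OP_LT, OP_GT, OP_GE, OP_LE, OP_EQ, OP_NE } operation;

/* Parse the operator at the start of args. Returns one of the `operation`
 * values, or -1 when the text does not start with a valid operator. */
int strop(const char * const args, int args_len);

/* Return length of operation in string. ie; "<=" (OP_LE) == 2 */
#define OP_LEN(op) ((((op) == OP_GT) || ((op) == OP_LT)) ? 1 : 2)

/* grok predicates should return 0 for success and 1 for failure.
 * normal comparison (like 3 < 4) returns 1 for success, and 0 for failure.
 * So we negate the comparison return value here.
 *
 * An operator outside the enum (strop() returns -1 for invalid predicate
 * text) lands in the default case and is reported as a failed predicate, so
 * a malformed predicate can never be treated as satisfied. The do/while
 * wrapper makes the macro behave as a single statement. */
#define OP_RUN(op, cmpval, retvar) \
  do { \
    switch (op) { \
      case OP_LT: (retvar) = !((cmpval) < 0); break; \
      case OP_GT: (retvar) = !((cmpval) > 0); break; \
      case OP_GE: (retvar) = !((cmpval) >= 0); break; \
      case OP_LE: (retvar) = !((cmpval) <= 0); break; \
      case OP_EQ: (retvar) = !((cmpval) == 0); break; \
      case OP_NE: (retvar) = !((cmpval) != 0); break; \
      default: (retvar) = 1; break; \
    } \
  } while (0)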
/* Per-capture state for a regexp predicate ("=~" / "!~"). */
typedef struct grok_predicate_regexp {
//pcre *re;
/* grok instance the predicate pattern is compiled into and executed from */
grok_t gre;
/* heap copy of the predicate pattern text */
char *pattern;
/* non-zero when the predicate operator started with '!' (negated match) */
int negative_match;
} grok_predicate_regexp_t;
/* Per-capture state for a numeric comparison predicate. */
typedef struct grok_predicate_numcompare {
/* selects which member of u holds the right-hand value */
enum { DOUBLE, LONG } type;
/* comparison operator parsed from the predicate text */
operation op;
/* right-hand value of the comparison, parsed once at init time */
union {
long lvalue;
double dvalue;
} u;
} grok_predicate_numcompare_t;
/* Per-capture state for a string comparison predicate. */
typedef struct grok_predicate_strcompare {
/* comparison operator parsed from the predicate text */
operation op;
/* right-hand string; holds len bytes, and readers must bound every access
 * by len rather than rely on a terminator */
char *value;
/* number of bytes stored in value */
int len;
} grok_predicate_strcompare_t;
/* Predicate callbacks. Each one evaluates the predicate stored on gct against
 * the bytes subject[start..end) and returns 0 when the predicate holds and
 * 1 when it does not. */
int grok_predicate_regexp(grok_t *grok, const grok_capture *gct,
const char *subject, int start, int end);
int grok_predicate_numcompare(grok_t *grok, const grok_capture *gct,
const char *subject, int start, int end);
int grok_predicate_strcompare(grok_t *grok, const grok_capture *gct,
const char *subject, int start, int end);
/* Compile REGEXP_PREDICATE_RE into regexp_predicate_op the first time it is
 * needed. On a compile failure the error text is written to stderr and the
 * global stays NULL, so a later call tries again.
 * NOTE(review): the check-then-assign on the global is not guarded by any
 * lock in this file -- confirm callers initialise from a single thread. */
static void grok_predicate_regexp_global_init(void) {
  const char *compile_error;
  int error_offset = -1;

  if (regexp_predicate_op != NULL) {
    return; /* already compiled by an earlier call */
  }

  regexp_predicate_op = pcre_compile(REGEXP_PREDICATE_RE, 0,
                                     &compile_error, &error_offset, NULL);
  if (regexp_predicate_op != NULL) {
    return;
  }

  fprintf(stderr, "Internal error (compiling predicate regexp op): %s\n",
          compile_error);
}
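/*
 * Set up a regexp predicate on a capture.
 *
 * Matches args against REGEXP_PREDICATE_RE, copies the pattern body
 * (capture 3) to the heap, compiles it into a clone of grok and stores the
 * resulting state on gct as the capture's extra data.
 *
 * grok      parent grok instance; cloned for the predicate pattern
 * gct       capture that receives the predicate
 * args      predicate text, args_len bytes, not necessarily NUL-terminated
 *
 * Returns 0 on success and 1 when the predicate text does not parse, memory
 * cannot be allocated, or the pattern fails to compile.
 */
int grok_predicate_regexp_init(grok_t *grok, grok_capture *gct,
                               const char *args, int args_len) {
#define REGEXP_OVEC_SIZE 6
  int capture_vector[REGEXP_OVEC_SIZE * 3];
  int ret;
  int start, end;
  size_t pattern_len;
  grok_predicate_regexp_t *gprt;

  grok_log(grok, LOG_PREDICATE, "Regexp predicate found: '%.*s'", args_len, args);

  grok_predicate_regexp_global_init();
  ret = pcre_exec(regexp_predicate_op, NULL, args, args_len, 0, 0,
                  capture_vector, REGEXP_OVEC_SIZE * 3);
  if (ret < 0) {
    fprintf(stderr, "An error occurred in grok_predicate_regexp_init.\n");
    fprintf(stderr, "Args: %.*s\n", args_len, args);
    fprintf(stderr, "pcre_exec:: %d\n", ret);
    return 1;
  }

  start = capture_vector[6]; /* capture #3 */
  end = capture_vector[7];
  /* Capture 3 is optional in the expression. When it did not take part in
   * the match its offsets are not usable (PCRE reports -1 for an unset
   * group), so treat the body as empty instead of building a pointer and a
   * length from them. */
  if (ret < 4 || start < 0 || end < start) {
    start = 0;
    end = 0;
  }
  pattern_len = (size_t)(end - start);

  gprt = calloc(1, sizeof(*gprt));
  if (gprt == NULL) {
    fprintf(stderr, "Out of memory in grok_predicate_regexp_init.\n");
    return 1;
  }
  /* calloc zero-fills, so the extra byte is the string terminator. */
  gprt->pattern = calloc(1, pattern_len + 1);
  if (gprt->pattern == NULL) {
    fprintf(stderr, "Out of memory in grok_predicate_regexp_init.\n");
    free(gprt); /* nothing else references it yet */
    return 1;
  }
  memcpy(gprt->pattern, args + start, pattern_len);
  //gprt->re = pcre_compile(gprt->pattern, 0, &errptr, &erroffset, NULL);

  grok_log(grok, LOG_PREDICATE, "Regexp predicate is '%s'", gprt->pattern);
  grok_clone(&gprt->gre, grok);
  ret = grok_compile(&gprt->gre, gprt->pattern);
  gprt->negative_match = (args[capture_vector[2]] == '!');

  if (ret != 0) {
    fprintf(stderr, "An error occurred while compiling the predicate for %s:\n",
            gct->name);
    /* NOTE(review): the compile ran on gprt->gre, yet the error fields are
     * read from the parent grok -- confirm which instance holds them. */
    fprintf(stderr, "Error at pos %d: %s\n",
            grok->pcre_erroffset, grok->pcre_errptr);
    /* NOTE(review): gprt and gprt->pattern are not released on this path.
     * The teardown needed for the cloned gre is not visible in this file;
     * release all three together once it is confirmed. */
    return 1;
  }

  grok_log(grok, LOG_PREDICATE,
           "Compiled %sregex for '%s': '%s'",
           (gprt->negative_match) ? "negative match " : "",
           gct->name, gprt->pattern);

  /* strdup here and be lazy. Otherwise, we'll have to add a new member
   * to grok_capture which indicates which fields of it are set to
   * non-heap pointers. */
  /* Break const... */
  gct->predicate_func_name = strdup("grok_predicate_regexp");
  gct->predicate_func_name_len = strlen("grok_predicate_regexp");
  grok_capture_set_extra(grok, gct, gprt);
  grok_capture_add(grok, gct);

  return 0;
}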
/*
 * Evaluate a regexp predicate against subject[start..end).
 *
 * Runs the predicate's compiled grok over the captured bytes and, for a
 * negated predicate, swaps the GROK_OK / GROK_ERROR_NOMATCH outcomes; any
 * other result code is left as it is.
 *
 * Returns 0 when the final result is GROK_OK and 1 otherwise, which is the
 * convention the pcre callout expects (0 == ok, >= 1 == fail but try
 * another match).
 */
int grok_predicate_regexp(grok_t *grok, const grok_capture *gct,
                          const char *subject, int start, int end) {
  /* XXX: grok_capture extra */
  grok_predicate_regexp_t *gprt =
      *(grok_predicate_regexp_t **)(gct->extra.extra_val);
  const char *captured = subject + start;
  const int captured_len = end - start;
  int ret = grok_execn(&gprt->gre, captured, captured_len, NULL);

  grok_log(grok, LOG_PREDICATE, "RegexCompare: grok_execn returned %d", ret);

  if (!gprt->negative_match) {
    /* NOTE(review): this line is logged for every non-negated predicate,
     * including successful matches, although it is worded as an error. */
    grok_log(grok, LOG_PREDICATE, "RegexCompare: PCRE error %d", ret);
  } else if (ret == GROK_OK) {
    /* negated predicate: a match means the predicate fails */
    ret = GROK_ERROR_NOMATCH;
  } else if (ret == GROK_ERROR_NOMATCH) {
    /* negated predicate: no match means the predicate holds */
    ret = GROK_OK;
  }

  grok_log(grok, LOG_PREDICATE, "RegexCompare: '%.*s' =~ /%s/ => %s",
           captured_len, captured, gprt->pattern,
           (ret < 0) ? "false" : "true");

  /* grok_execn returns GROK_OK for success; everything else is a failure. */
  return (ret == GROK_OK) ? 0 : 1;
}
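/*
 * Set up a numeric comparison predicate on a capture.
 *
 * args holds an operator followed by a number. The number is parsed from a
 * private NUL-terminated copy: the caller's buffer is declared const and is
 * only args_len bytes long, so it must not be written to, and the byte at
 * args[args_len] must not be touched.
 *
 * Returns 0 on success and 1 when the operator is missing or invalid or
 * when memory cannot be allocated. Rejecting the predicate here keeps an
 * invalid operator value from ever being stored on the capture.
 */
int grok_predicate_numcompare_init(grok_t *grok, grok_capture *gct,
                                   const char *args, int args_len) {
  grok_predicate_numcompare_t *gpnt;
  char *number_text;
  int number_len;
  int op;
  int pos;

  if (args == NULL || args_len <= 0) {
    return 1;
  }

  grok_log(grok, LOG_PREDICATE, "Number compare predicate found: '%.*s'",
           args_len, args);

  op = strop(args, args_len);
  if (op < 0) {
    return 1; /* not a comparison operator */
  }
  /* strop() only accepts a two-character operator when args_len >= 2, so
   * pos never exceeds args_len and number_len is never negative. */
  pos = OP_LEN(op);
  number_len = args_len - pos;

  gpnt = calloc(1, sizeof(*gpnt));
  number_text = malloc((size_t)number_len + 1);
  if (gpnt == NULL || number_text == NULL) {
    free(number_text);
    free(gpnt);
    return 1;
  }
  memcpy(number_text, args + pos, (size_t)number_len);
  number_text[number_len] = '\0'; /* terminator so strtol/strtod stop here */

  gpnt->op = (operation)op;

  /* Optimize and use long type if the number is not a float (no period) */
  if (strchr(number_text, '.') == NULL) {
    gpnt->type = LONG;
    gpnt->u.lvalue = strtol(number_text, NULL, 0);
    grok_log(grok, LOG_PREDICATE, "Arg '%.*s' is non-floating, assuming long type",
             number_len, number_text);
  } else {
    gpnt->type = DOUBLE;
    gpnt->u.dvalue = strtod(number_text, NULL);
    grok_log(grok, LOG_PREDICATE, "Arg '%.*s' looks like a double, assuming double",
             number_len, number_text);
  }
  free(number_text);

  gct->predicate_func_name = strdup("grok_predicate_numcompare");
  gct->predicate_func_name_len = strlen("grok_predicate_numcompare");
  grok_capture_set_extra(grok, gct, gpnt);
  grok_capture_add(grok, gct);

  return 0;
}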
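/*
 * Evaluate a numeric comparison predicate against subject[start..end).
 *
 * The captured bytes are copied into a NUL-terminated scratch buffer before
 * parsing, so strtol/strtod cannot read digits that lie beyond the capture.
 * Long values are ordered with comparisons instead of a subtraction, which
 * would be undefined on signed overflow.
 *
 * Returns 0 when the comparison holds and 1 when it does not, when the
 * range is invalid, or when the scratch buffer cannot be allocated.
 */
int grok_predicate_numcompare(grok_t *grok, const grok_capture *gct,
                              const char *subject, int start, int end) {
  grok_predicate_numcompare_t *gpnt;
  char small_buf[64];
  char *text = small_buf;
  int text_len = end - start;
  int ret = 1; /* stays "failed" if OP_RUN assigns nothing for the operator */

  if (subject == NULL || start < 0 || text_len < 0) {
    return 1;
  }

  gpnt = *(grok_predicate_numcompare_t **)(gct->extra.extra_val);

  /* Most numbers fit the stack buffer; fall back to the heap otherwise. */
  if ((size_t)text_len >= sizeof(small_buf)) {
    text = malloc((size_t)text_len + 1);
    if (text == NULL) {
      return 1;
    }
  }
  memcpy(text, subject + start, (size_t)text_len);
  text[text_len] = '\0';

  if (gpnt->type == DOUBLE) {
    double a = strtod(text, NULL);
    double b = gpnt->u.dvalue;
    OP_RUN(gpnt->op, a - b, ret);
    grok_log(grok, LOG_PREDICATE, "NumCompare(double): %f vs %f == %s (%d)",
             a, b, (ret) ? "false" : "true", ret);
  } else {
    long a = strtol(text, NULL, 0);
    long b = gpnt->u.lvalue;
    int order = (a > b) - (a < b); /* -1, 0 or 1 without overflow */
    OP_RUN(gpnt->op, order, ret);
    grok_log(grok, LOG_PREDICATE, "NumCompare(long): %ld vs %ld == %s (%d)",
             a, b, (ret) ? "false" : "true", ret);
  }

  if (text != small_buf) {
    free(text);
  }
  return ret;
}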
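/*
 * Set up a string comparison predicate on a capture.
 *
 * args starts with '$', followed by an operator, optional spaces and the
 * right-hand string. Every read of args is bounded by args_len because the
 * buffer is not guaranteed to be NUL-terminated.
 *
 * Returns 0 on success and 1 when the text is too short, the operator is
 * invalid, or memory cannot be allocated.
 */
int grok_predicate_strcompare_init(grok_t *grok, grok_capture *gct,
                                   const char *args, int args_len) {
  grok_predicate_strcompare_t *gpst;
  int op;
  int pos;

  /* Need at least the '$' and one operator character. */
  if (args == NULL || args_len < 2) {
    return 1;
  }

  grok_log(grok, LOG_PREDICATE, "String compare predicate found: '%.*s'",
           args_len, args);

  /* skip first character, which is '$' */
  args++;
  args_len--;

  op = strop(args, args_len);
  if (op < 0) {
    return 1; /* not a comparison operator */
  }
  pos = OP_LEN(op);
  /* Skip spaces after the operator without reading past args_len. */
  while (pos < args_len && args[pos] == ' ') {
    pos++;
  }

  grok_log(grok, LOG_PREDICATE, "String compare rvalue: '%.*s'",
           args_len - pos, args + pos);

  /* XXX: ALLOC */
  gpst = calloc(1, sizeof(*gpst));
  if (gpst == NULL) {
    return 1;
  }
  gpst->op = (operation)op;
  gpst->len = args_len - pos; /* >= 0 because pos never exceeds args_len */
  /* XXX: ALLOC */
  /* One extra byte for a terminator; len itself does not count it. */
  gpst->value = malloc((size_t)gpst->len + 1);
  if (gpst->value == NULL) {
    free(gpst);
    return 1;
  }
  memcpy(gpst->value, args + pos, (size_t)gpst->len);
  gpst->value[gpst->len] = '\0';

  gct->predicate_func_name = strdup("grok_predicate_strcompare");
  gct->predicate_func_name_len = strlen("grok_predicate_strcompare");
  grok_capture_set_extra(grok, gct, gpst);
  grok_capture_add(grok, gct);

  return 0;
}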
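/*
 * Evaluate a string comparison predicate against subject[start..end).
 *
 * The two byte ranges are compared over their common length only, so
 * neither buffer is read past its end; when that prefix is equal the
 * shorter range orders first. A capture that is merely a prefix of the
 * stored value therefore no longer compares as equal to it.
 *
 * Returns 0 when the comparison holds and 1 when it does not or when the
 * inputs are invalid.
 */
int grok_predicate_strcompare(grok_t *grok, const grok_capture *gct,
                              const char *subject, int start, int end) {
  grok_predicate_strcompare_t *gpst;
  int subject_len = end - start;
  int common_len;
  int order = 0;
  int ret = 1; /* stays "failed" if OP_RUN assigns nothing for the operator */

  if (subject == NULL || start < 0 || subject_len < 0) {
    return 1;
  }

  gpst = *(grok_predicate_strcompare_t **)(gct->extra.extra_val);
  if (gpst->len < 0 || (gpst->value == NULL && gpst->len > 0)) {
    return 1;
  }

  common_len = (subject_len < gpst->len) ? subject_len : gpst->len;
  if (common_len > 0) {
    order = memcmp(subject + start, gpst->value, (size_t)common_len);
  }
  if (order == 0) {
    /* equal prefix: the longer range is the greater one */
    order = (subject_len > gpst->len) - (subject_len < gpst->len);
  }
  OP_RUN(gpst->op, order, ret);

  grok_log(grok, LOG_PREDICATE, "Compare: '%.*s' vs '%.*s' == %s",
           subject_len, subject + start, gpst->len, gpst->value,
           (ret) ? "false" : "true");

  /* grok predicates should return 0 for success,
   * but comparisons return 1 for success, so negate the comparison */
  return ret;
}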
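/*
 * Identify the comparison operator at the start of args.
 *
 * args      operator text, args_len bytes, not necessarily NUL-terminated
 * args_len  number of readable bytes in args
 *
 * Returns OP_LT, OP_GT, OP_LE, OP_GE, OP_EQ or OP_NE, or -1 when args is
 * NULL, args_len is not positive, or the text does not start with a valid
 * operator. A lone '=' or '!' is invalid. Invalid text is reported on
 * stderr; a NULL or empty input returns -1 without a message.
 */
int strop(const char * const args, int args_len) {
  int followed_by_eq;

  /* A non-positive length must not reach args[0] or the "%.*s" below: a
   * negative precision makes printf ignore the bound and read on until it
   * finds a NUL byte. */
  if (args == NULL || args_len <= 0) {
    return -1;
  }

  followed_by_eq = (args_len >= 2 && args[1] == '=');

  switch (args[0]) {
    case '<':
      return followed_by_eq ? OP_LE : OP_LT;
    case '>':
      return followed_by_eq ? OP_GE : OP_GT;
    case '=':
      if (followed_by_eq) {
        return OP_EQ;
      }
      break;
    case '!':
      if (followed_by_eq) {
        return OP_NE;
      }
      break;
    default:
      break;
  }

  fprintf(stderr, "Invalid predicate: '%.*s'\n", args_len, args);
  return -1;
}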