[CWS] do not copy macros out of the macro store when creating a state

DataDog · Jan 23, 2025 · 890bb86 · 890bb86
1 parent fa60e46
commit 890bb86
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 19 deletions.
diff --git a/pkg/security/secl/compiler/eval/eval.go b/pkg/security/secl/compiler/eval/eval.go
@@ -71,7 +71,7 @@ func identToEvaluator(obj *ident, opts *Opts, state *State) (interface{}, lexer.
 	}
 
 	if state.macros != nil {
-		if macro, ok := state.macros[*obj.Ident]; ok {
+		if macro, ok := state.macros.GetMacroEvaluator(*obj.Ident); ok {
 			return macro.Value, obj.Pos, nil
 		}
 	}
@@ -129,7 +129,7 @@ func arrayToEvaluator(array *ast.Array, opts *Opts, state *State) (interface{},
 		return &evaluator, array.Pos, nil
 	} else if array.Ident != nil {
 		if state.macros != nil {
-			if macro, ok := state.macros[*array.Ident]; ok {
+			if macro, ok := state.macros.GetMacroEvaluator(*array.Ident); ok {
 				return macro.Value, array.Pos, nil
 			}
 		}

diff --git a/pkg/security/secl/compiler/eval/macro.go b/pkg/security/secl/compiler/eval/macro.go
@@ -95,11 +95,7 @@ func (m *Macro) Parse(parsingContext *ast.ParsingContext, expression string) err
 }
 
 func macroToEvaluator(macro *ast.Macro, model Model, opts *Opts, field Field) (*MacroEvaluator, error) {
-	macros := make(map[MacroID]*MacroEvaluator)
-	for _, macro := range opts.MacroStore.List() {
-		macros[macro.ID] = macro.evaluator
-	}
-	state := NewState(model, field, macros)
+	state := NewState(model, field, opts.MacroStore)
 
 	var eval interface{}
 	var err error

diff --git a/pkg/security/secl/compiler/eval/opts.go b/pkg/security/secl/compiler/eval/opts.go
@@ -27,7 +27,7 @@ func (s *MacroStore) List() []*Macro {
 }
 
 // Get returns the marcro
-func (s *MacroStore) Get(id string) *Macro {
+func (s *MacroStore) Get(id MacroID) *Macro {
 	if s == nil {
 		return nil
 	}
@@ -40,6 +40,15 @@ func (s *MacroStore) Get(id string) *Macro {
 	return nil
 }
 
+// GetMacroEvaluator returns the macro evaluator associated with the macro ID
+func (s *MacroStore) GetMacroEvaluator(id MacroID) (*MacroEvaluator, bool) {
+	macro := s.Get(id)
+	if macro == nil {
+		return nil, false
+	}
+	return macro.evaluator, true
+}
+
 // Contains returns returns true is there is already a macro with this ID in the store
 func (s *MacroStore) Contains(id string) bool {
 	return s.Get(id) != nil

diff --git a/pkg/security/secl/compiler/eval/rule.go b/pkg/security/secl/compiler/eval/rule.go
@@ -202,11 +202,7 @@ func (r *Rule) Parse(parsingContext *ast.ParsingContext) error {
 
 // NewRuleEvaluator returns a new evaluator for a rule
 func NewRuleEvaluator(rule *ast.Rule, model Model, opts *Opts) (*RuleEvaluator, error) {
-	macros := make(map[MacroID]*MacroEvaluator)
-	for _, macro := range opts.MacroStore.List() {
-		macros[macro.ID] = macro.evaluator
-	}
-	state := NewState(model, "", macros)
+	state := NewState(model, "", opts.MacroStore)
 
 	eval, _, err := nodeToEvaluator(rule.BooleanExpression, opts, state)
 	if err != nil {
@@ -331,7 +327,7 @@ func (r *Rule) genPartials(field Field) error {
 		return err
 	}
 
-	state := NewState(r.Model, field, macroPartial)
+	state := NewState(r.Model, field, partialMacroEvaluatorGetter(macroPartial))
 	pEval, _, err := nodeToEvaluator(r.ast.BooleanExpression, r.Opts, state)
 	if err != nil {
 		return fmt.Errorf("couldn't generate partial for field %s and rule %s: %w", field, r.ID, err)
@@ -352,3 +348,10 @@ func (r *Rule) genPartials(field Field) error {
 
 	return nil
 }
+
+type partialMacroEvaluatorGetter map[MacroID]*MacroEvaluator
+
+func (p partialMacroEvaluatorGetter) GetMacroEvaluator(macroID string) (*MacroEvaluator, bool) {
+	v, ok := p[macroID]
+	return v, ok
+}
diff --git a/pkg/security/secl/compiler/eval/state.go b/pkg/security/secl/compiler/eval/state.go
@@ -21,7 +21,7 @@ type State struct {
 	model       Model
 	field       Field
 	fieldValues map[Field][]FieldValue
-	macros      map[MacroID]*MacroEvaluator
+	macros      MacroEvaluatorGetter
 	regexpCache StateRegexpCache
 	registers   []Register
 }
@@ -52,14 +52,16 @@ func (s *State) UpdateFieldValues(field Field, value FieldValue) error {
 }
 
 // NewState returns a new State
-func NewState(model Model, field Field, macros map[MacroID]*MacroEvaluator) *State {
-	if macros == nil {
-		macros = make(map[MacroID]*MacroEvaluator)
-	}
+func NewState(model Model, field Field, macros MacroEvaluatorGetter) *State {
 	return &State{
 		field:       field,
 		macros:      macros,
 		model:       model,
 		fieldValues: make(map[Field][]FieldValue),
 	}
 }
+
+// MacroEvaluatorGetter is an interface to get a MacroEvaluator
+type MacroEvaluatorGetter interface {
+	GetMacroEvaluator(macroID string) (*MacroEvaluator, bool)
+}