diff --git a/userspace/libsinsp/test/filterchecks/evt.cpp b/userspace/libsinsp/test/filterchecks/evt.cpp
index f4392b5645..8a8832de1f 100644
--- a/userspace/libsinsp/test/filterchecks/evt.cpp
+++ b/userspace/libsinsp/test/filterchecks/evt.cpp
@@ -96,3 +96,39 @@ TEST_F(sinsp_with_test_input, EVT_FILTER_check_evt_arg)
 // All the args of an event
 ASSERT_EQ(get_field_as_string(evt, "evt.args"), "res=3 target=sym linkpath=/new/sym");
 }
+
+TEST_F(sinsp_with_test_input, EVT_FILTER_check_evt_arg_uid)
+{
+ add_default_init_thread();
+ open_inspector();
+
+ uint32_t user_id = 5;
+ std::string container_id = "";
+ auto evt = add_event_advance_ts(increasing_ts(), INIT_TID, PPME_SYSCALL_SETUID_E, 1, user_id);
+ ASSERT_EQ(get_field_as_string(evt, "evt.type"), "setuid");
+
+ // The rawarg provides the field directly from the table.
+ ASSERT_EQ(get_field_as_string(evt, "evt.rawarg.uid"), std::to_string(user_id));
+
+ // The `evt.arg.uid` tries to find a user in the user table, in this
+ // case the user table is empty.
+ ASSERT_EQ(get_field_as_string(evt, "evt.arg.uid"), "");
+ ASSERT_EQ(get_field_as_string(evt, "evt.arg[0]"), "");
+ ASSERT_EQ(get_field_as_string(evt, "evt.args"), "uid=5()");
+
+ // we are adding a user on the host so the `pid` parameter is not considered
+ ASSERT_TRUE(m_inspector.m_usergroup_manager.add_user(container_id, 0, user_id, 6, "test", "/test", "/bin/test"));
+
+ // Now we should have the necessary info
+ ASSERT_EQ(get_field_as_string(evt, "evt.arg.uid"), "test");
+ ASSERT_EQ(get_field_as_string(evt, "evt.arg[0]"), "test");
+ ASSERT_EQ(get_field_as_string(evt, "evt.args"), "uid=5(test)");
+
+ // We remove the user, and the fields should be empty again
+ m_inspector.m_usergroup_manager.rm_user(container_id, user_id);
+ ASSERT_FALSE(m_inspector.m_usergroup_manager.get_user(container_id, user_id));
+
+ ASSERT_EQ(get_field_as_string(evt, "evt.arg.uid"), "");
+ ASSERT_EQ(get_field_as_string(evt, "evt.arg[0]"), "");
+ ASSERT_EQ(get_field_as_string(evt, "evt.args"), "uid=5()");
+}
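Review bot: `evt.rawarg.uid` is asserted only once, before the user table is touched, so the test does not pin that the numeric value stays stable while name resolution flips between `""`, `"test"` and `""` again. Rules that match on the numeric uid depend on that stability, so I would repeat `ASSERT_EQ(get_field_as_string(evt, "evt.rawarg.uid"), std::to_string(user_id));` after the `add_user` call and again after `rm_user`. A short comment next to the empty-string assertions would also help, for example `// unknown uid resolves to "", so name-based conditions will not match; use evt.rawarg.uid for numeric checks`. The new test only exercises the host scope (`container_id` is empty), so container-scoped lookup is not covered by this hunk.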