btest/http: Demo StreamEvent analyzer with HTTP::upgrade_analyzers

Relates to #4068
2025-10-02 14:48:21 +00:00 · 2024-12-05 18:50:19 +01:00 · 2024-12-05 18:50:19 +01:00 · 079ae460a7
commit 079ae460a7
parent 51836d08ae
5 changed files with 90 additions and 0 deletions
--- a/testing/btest/Baseline/scripts.base.protocols.http.upgrade-to-tcp/http.log.cut
+++ b/testing/btest/Baseline/scripts.base.protocols.http.upgrade-to-tcp/http.log.cut
@ -0,0 +1,8 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+uid	status_code	method	uri
+CHhAvVGS1DHFjwGM9	200	HEAD	/_ping
+CHhAvVGS1DHFjwGM9	201	POST	/v1.41/containers/create
+C4J4Th3PJpwUYZZ6gc	204	POST	/v1.41/containers/cc4fc8e49cadbb8bc41437dc2f9979a72293eabc3f0ea5ce48b77f43cb1f1d5e/start
+C4J4Th3PJpwUYZZ6gc	200	POST	/v1.41/containers/cc4fc8e49cadbb8bc41437dc2f9979a72293eabc3f0ea5ce48b77f43cb1f1d5e/resize?h=69&w=134
+CHhAvVGS1DHFjwGM9	200	POST	/v1.41/containers/cc4fc8e49cadbb8bc41437dc2f9979a72293eabc3f0ea5ce48b77f43cb1f1d5e/wait?condition=next-exit
+ClEkJM2Vm5giqnMf4h	101	POST	/v1.41/containers/cc4fc8e49cadbb8bc41437dc2f9979a72293eabc3f0ea5ce48b77f43cb1f1d5e/attach?stderr=1&stdin=1&stdout=1&stream=1
--- a/testing/btest/Baseline/scripts.base.protocols.http.upgrade-to-tcp/out
+++ b/testing/btest/Baseline/scripts.base.protocols.http.upgrade-to-tcp/out
@ -0,0 +1,27 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ClEkJM2Vm5giqnMf4h, Connection upgraded to tcp
+ClEkJM2Vm5giqnMf4h, responder, / # 
+ClEkJM2Vm5giqnMf4h, originator, ls
+ClEkJM2Vm5giqnMf4h, responder, / # \x1b[Jls
+ClEkJM2Vm5giqnMf4h, responder, \x1b[1;34mbin\x1b[m    \x1b[1;34mdev\x1b[m    \x1b[1;34metc\x1b[m    \x1b[1;34mhome\x1b[m   \x1b[1;34mlib\x1b[m    \x1b[1;36mlib64\x1b[m  \x1b[1;34mproc\x1b[m   \x1b[1;34mroot\x1b[m   \x1b[1;34msys\x1b[m    \x1b[1;34mtmp\x1b[m    \x1b[1;34musr\x1b[m    \x1b[1;34mvar\x1b[m
+ClEkJM2Vm5giqnMf4h, originator, cd /home
+ClEkJM2Vm5giqnMf4h, responder, / # cd /home
+ClEkJM2Vm5giqnMf4h, originator, ls -a
+ClEkJM2Vm5giqnMf4h, responder, /home # ls -a
+ClEkJM2Vm5giqnMf4h, responder, \x1b[1;34m.\x1b[m   \x1b[1;34m..\x1b[m
+ClEkJM2Vm5giqnMf4h, originator, cd
+ClEkJM2Vm5giqnMf4h, responder, /home # cd
+ClEkJM2Vm5giqnMf4h, originator, ls -a
+ClEkJM2Vm5giqnMf4h, responder, ~ # ls -a
+ClEkJM2Vm5giqnMf4h, responder, \x1b[1;34m.\x1b[m             \x1b[1;34m..\x1b[m            \x1b[0;0m.ash_history\x1b[m
+ClEkJM2Vm5giqnMf4h, responder, ~ # cat .as
+ClEkJM2Vm5giqnMf4h, originator, cat .as\x09
+ClEkJM2Vm5giqnMf4h, responder, ~ # cat .ash_history \x1b[J
+ClEkJM2Vm5giqnMf4h, responder, ls
+ClEkJM2Vm5giqnMf4h, responder, cd /home
+ClEkJM2Vm5giqnMf4h, responder, ls -a
+ClEkJM2Vm5giqnMf4h, responder, cd
+ClEkJM2Vm5giqnMf4h, responder, ls -a
+ClEkJM2Vm5giqnMf4h, responder, cat .ash_history 
+ClEkJM2Vm5giqnMf4h, originator, exit
+ClEkJM2Vm5giqnMf4h, responder, ~ # exit
--- a/testing/btest/Traces/README
+++ b/testing/btest/Traces/README
@ -35,3 +35,6 @@ Trace Index/Sources:
 - http/cooper-grill-dvwa.pcapng
  Provided by cooper-grill on #3995
  https://github.com/zeek/zeek/pull/3995
+- http/docker-http-upgrade.pcap
+  Provided by blightzero on #4068
+  https://github.com/zeek/zeek/issues/4068
--- a/testing/btest/Traces/http/docker-http-upgrade.pcap
+++ b/testing/btest/Traces/http/docker-http-upgrade.pcap
--- a/testing/btest/scripts/base/protocols/http/upgrade-to-tcp.zeek
+++ b/testing/btest/scripts/base/protocols/http/upgrade-to-tcp.zeek
@ -0,0 +1,52 @@
+# @TEST-EXEC: zeek -b -C -r $TRACES/http/docker-http-upgrade.pcap %INPUT >out
+# @TEST-EXEC: zeek-cut -m uid status_code method uri < http.log > http.log.cut
+# @TEST-EXEC: btest-diff http.log.cut
+# @TEST-EXEC: btest-diff out
+
+@load base/protocols/http
+
+# Forward "tcp" data as events via the stream event analyzer.
+redef HTTP::upgrade_analyzers += {
+	["tcp"] = Analyzer::ANALYZER_STREAM_EVENT,
+};
+
+event http_connection_upgrade(c: connection, protocol: string)
+	{
+	print c$uid, fmt("Connection upgraded to %s", protocol);
+	}
+
+redef record connection += {
+	orig_data: string &default="";
+	resp_data: string &default="";
+};
+
+function flush(c: connection)
+	{
+	# Don't copy this, it's not efficient.
+	local orig_parts = split_string(c$orig_data, /[\r\n]+/);
+	local resp_parts = split_string(c$resp_data, /[\r\n]+/);
+	local i = 0;
+
+	while ( i + 1 < |orig_parts| ) {
+		print c$uid, "originator", orig_parts[i];
+		++i;
+	}
+	c$orig_data = orig_parts[-1];
+
+	i = 0;
+	while ( i + 1 < |resp_parts| ) {
+		print c$uid, "responder", resp_parts[i];
+		++i;
+	}
+	c$resp_data = resp_parts[-1];
+	}
+
+event stream_deliver(c: connection, is_orig: bool, data: string)
+	{
+	if ( is_orig )
+		c$orig_data += data;
+	else
+		c$resp_data += data;
+
+	flush(c);
+	}