cirrus: Add smoke testing for builtin plugins

This adds two example plugins within testing/builtin-plugins/Files:

* protocol-plugin copied over from testing/btest/plugins/protocol-plugin

* py-lib-plugin that embeds Python to have a dependency on an external
  shared library which was already available in CI and fun to use, too.

Closes #2837

testing/builtin-plugins/Files/protocol-plugin/src/Foo.cc

@@ -0,0 +1,56 @@
+
+#include "Foo.h"
+
+#include "zeek/analyzer/protocol/tcp/TCP_Reassembler.h"
+
+#include "events.bif.h"
+#include "foo_pac.h"
+
+using namespace btest::plugin::Demo_Foo;
+
+Foo::Foo(zeek::Connection* conn) : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("Foo", conn)
+	{
+	interp = new binpac::Foo::Foo_Conn(this);
+	}
+
+Foo::~Foo()
+	{
+	delete interp;
+	}
+
+void Foo::Done()
+	{
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
+
+	interp->FlowEOF(true);
+	interp->FlowEOF(false);
+	}
+
+void Foo::EndpointEOF(bool is_orig)
+	{
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
+	interp->FlowEOF(is_orig);
+	}
+
+void Foo::DeliverStream(int len, const u_char* data, bool orig)
+	{
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+
+	if ( TCP() && TCP()->IsPartial() )
+		return;
+
+	try
+		{
+		interp->NewData(orig, data, data + len);
+		}
+	catch ( const binpac::Exception& e )
+		{
+		AnalyzerViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg()));
+		}
+	}
+
+void Foo::Undelivered(uint64_t seq, int len, bool orig)
+	{
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+	interp->NewGap(orig, len);
+	}

testing/builtin-plugins/Files/protocol-plugin/src/Foo.h

@@ -0,0 +1,35 @@
+
+#pragma once
+
+#include "analyzer/protocol/pia/PIA.h"
+#include "analyzer/protocol/tcp/TCP.h"
+
+namespace binpac
+	{
+namespace Foo
+	{
+class Foo_Conn;
+	}
+	}
+
+namespace btest::plugin::Demo_Foo
+	{
+
+class Foo : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer
+	{
+public:
+	Foo(zeek::Connection* conn);
+	~Foo();
+
+	virtual void Done();
+	virtual void DeliverStream(int len, const u_char* data, bool orig);
+	virtual void Undelivered(uint64_t seq, int len, bool orig);
+	virtual void EndpointEOF(bool is_orig);
+
+	static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) { return new Foo(conn); }
+
+protected:
+	binpac::Foo::Foo_Conn* interp;
+	};
+
+	}

testing/builtin-plugins/Files/protocol-plugin/src/Plugin.cc

@@ -0,0 +1,36 @@
+
+#include "Plugin.h"
+
+#include "Foo.h"
+#include "analyzer/Component.h"
+#include "analyzer/Manager.h"
+
+namespace btest::plugin::Demo_Foo
+	{
+Plugin plugin;
+	}
+
+using namespace btest::plugin::Demo_Foo;
+
+zeek::plugin::Configuration Plugin::Configure()
+	{
+	AddComponent(
+		new zeek::analyzer::Component("Foo", btest::plugin::Demo_Foo::Foo::Instantiate, 1));
+
+	zeek::plugin::Configuration config;
+	config.name = "Demo::Foo";
+	config.description = "A Foo test analyzer";
+	config.version.major = 1;
+	config.version.minor = 0;
+	config.version.patch = 0;
+	return config;
+	}
+
+void Plugin::InitPostScript()
+	{
+	auto tag = ::zeek::analyzer_mgr->GetAnalyzerTag("Foo");
+	if ( ! tag )
+		::zeek::reporter->FatalError("cannot get analyzer Tag");
+
+	zeek::analyzer_mgr->RegisterAnalyzerForPort(tag, TransportProto::TRANSPORT_TCP, 4243);
+	}

testing/builtin-plugins/Files/protocol-plugin/src/Plugin.h

@@ -0,0 +1,20 @@
+
+#pragma once
+
+#include <zeek/plugin/Plugin.h>
+
+namespace btest::plugin::Demo_Foo
+	{
+
+class Plugin : public zeek::plugin::Plugin
+	{
+protected:
+	// Overridden from zeek::plugin::Plugin.
+	zeek::plugin::Configuration Configure() override;
+
+	void InitPostScript() override;
+	};
+
+extern Plugin plugin;
+
+	}

testing/builtin-plugins/Files/protocol-plugin/src/events.bif

@@ -0,0 +1,2 @@
+
+event foo_message%(c: connection, data: string%);

testing/builtin-plugins/Files/protocol-plugin/src/foo-analyzer.pac

@@ -0,0 +1,15 @@
+
+refine connection Foo_Conn += {
+
+	function Foo_data(msg: Foo_Message): bool
+		%{
+		auto data = zeek::make_intrusive<zeek::StringVal>(${msg.data}.length(), (const char*) ${msg.data}.data());
+		zeek::BifEvent::enqueue_foo_message(bro_analyzer(), bro_analyzer()->Conn(), std::move(data));
+		return true;
+		%}
+
+};
+
+refine typeattr Foo_Message += &let {
+	proc: bool = $context.connection.Foo_data(this);
+};

testing/builtin-plugins/Files/protocol-plugin/src/foo-protocol.pac

@@ -0,0 +1,4 @@
+
+type Foo_Message(is_orig: bool) = record {
+	data: bytestring &restofdata;
+};

testing/builtin-plugins/Files/protocol-plugin/src/foo.pac

@@ -0,0 +1,26 @@
+%include binpac.pac
+%include zeek.pac
+
+%extern{
+#include "Foo.h"
+
+#include "events.bif.h"
+%}
+
+analyzer Foo withcontext {
+    connection: Foo_Conn;
+    flow:       Foo_Flow;
+};
+
+connection Foo_Conn(bro_analyzer: ZeekAnalyzer) {
+    upflow   = Foo_Flow(true);
+    downflow = Foo_Flow(false);
+};
+
+%include foo-protocol.pac
+
+flow Foo_Flow(is_orig: bool) {
+	datagram = Foo_Message(is_orig) withcontext(connection, this);
+};
+
+%include foo-analyzer.pac