btest/plugins: Add test for custom ConnKey factory

This just counts DoInits() and adds that information to the conn_id
record, but without including it into the hash. Mostly for smoke
testing.

testing/btest/Baseline/plugins.connkey/conn.log.cut

@@ -0,0 +1,7 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	id.inits	proto	service	orig_pkts	resp_pkts
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	141.142.220.235	37604	199.233.217.249	56666	1	tcp	ftp-data	4	4
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	141.142.220.235	59378	199.233.217.249	56667	22	tcp	ftp-data	4	4
+XXXXXXXXXX.XXXXXX	CtPZjS20MLrsMUOJi2	199.233.217.249	61920	141.142.220.235	33582	40	tcp	ftp-data	5	3
+XXXXXXXXXX.XXXXXX	CUM0KZ3MLUfNB0cl11	199.233.217.249	61918	141.142.220.235	37835	60	tcp	ftp-data	5	3
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	141.142.220.235	50003	199.233.217.249	21	0	tcp	ftp	38	25

testing/btest/Baseline/plugins.connkey/output

@@ -0,0 +1,15 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+Demo::Foo - A Foo ConnKey factory (dynamic, version 1.0.0)
+    [ConnKey Factory] Foo (CONNKEY_FOO, enabled)
+
+===
+DoNewConnKey (0 key all_inits)
+DoNewConnKey (1 key all_inits)
+DoConnKeyFromVal for [orig_h=141.142.220.235, orig_p=50003/tcp, resp_h=199.233.217.249, resp_p=21/tcp, proto=6, inits=0]
+DoNewConnKey (2 key all_inits)
+DoConnKeyFromVal for [orig_h=141.142.220.235, orig_p=50003/tcp, resp_h=199.233.217.249, resp_p=21/tcp, proto=6, inits=0]
+DoNewConnKey (6 key all_inits)
+DoNewConnKey (22 key all_inits)
+DoNewConnKey (40 key all_inits)
+DoNewConnKey (60 key all_inits)
+DoNewConnKey (78 key all_inits)

testing/btest/plugins/connkey-plugin/CMakeLists.txt

@@ -0,0 +1,15 @@
+project(Zeek-Plugin-Demo-Foo)
+
+cmake_minimum_required(VERSION 3.15)
+
+if (NOT ZEEK_DIST)
+    message(FATAL_ERROR "ZEEK_DIST not set")
+endif ()
+
+set(CMAKE_MODULE_PATH ${ZEEK_DIST}/cmake)
+
+include(ZeekPlugin)
+
+zeek_add_plugin(
+    Demo Foo
+    SOURCES src/Plugin.cc src/Foo.cc)

testing/btest/plugins/connkey-plugin/src/Foo.cc

@@ -0,0 +1,45 @@
+
+#include "Foo.h"
+
+#include <cstdio>
+#include <memory>
+
+#include "zeek/Desc.h"
+#include "zeek/Val.h"
+#include "zeek/iosource/Packet.h"
+#include "zeek/packet_analysis/protocol/ip/conn_key/IPBasedConnKey.h"
+#include "zeek/session/Key.h"
+
+using namespace btest::plugin::Demo_Foo;
+
+namespace {
+
+// Just track how often DoInit() was called for baselining.
+int all_inits = 0;
+
+class MyConnKey : public zeek::IPConnKey {
+public:
+    MyConnKey(int inits) : zeek::IPConnKey(), inits(inits) {}
+
+    void DoInit(const zeek::Packet& pkt) override { ++all_inits; }
+
+    void DoPopulateConnIdVal(zeek::RecordVal& rv) override {
+        static int offset = rv.GetType<zeek::RecordType>()->FieldOffset("inits");
+        rv.Assign(offset, zeek::make_intrusive<zeek::IntVal>(inits));
+    }
+
+private:
+    int inits;
+};
+
+} // namespace
+
+zeek::ConnKeyPtr FooFactory::DoNewConnKey() const {
+    std::printf("DoNewConnKey (%d key all_inits)\n", all_inits);
+    return std::make_unique<MyConnKey>(all_inits);
+}
+zeek::expected<zeek::ConnKeyPtr, std::string> FooFactory::DoConnKeyFromVal(const zeek::Val& v) const {
+    std::printf("DoConnKeyFromVal for %s\n", zeek::obj_desc_short(&v).c_str());
+    return zeek::conn_key::fivetuple::Factory::DoConnKeyFromVal(v);
+}
+zeek::conn_key::FactoryPtr FooFactory::Instantiate() { return std::make_unique<FooFactory>(); }

testing/btest/plugins/connkey-plugin/src/Foo.h

@@ -0,0 +1,25 @@
+#pragma once
+
+#include "zeek/IntrusivePtr.h"
+#include "zeek/conn_key/Factory.h"
+#include "zeek/packet_analysis/protocol/ip/conn_key/fivetuple/Factory.h"
+
+namespace zeek {
+class Val;
+using ValPtr = zeek::IntrusivePtr<Val>;
+} // namespace zeek
+
+namespace btest::plugin::Demo_Foo {
+
+class FooFactory : public zeek::conn_key::fivetuple::Factory {
+public:
+    static zeek::conn_key::FactoryPtr Instantiate();
+
+protected:
+    zeek::ConnKeyPtr DoNewConnKey() const override;
+    zeek::expected<zeek::ConnKeyPtr, std::string> DoConnKeyFromVal(const zeek::Val& v) const override;
+
+private:
+};
+
+} // namespace btest::plugin::Demo_Foo

testing/btest/plugins/connkey-plugin/src/Plugin.cc

@@ -0,0 +1,24 @@
+
+#include "Plugin.h"
+
+#include "zeek/conn_key/Component.h"
+
+#include "Foo.h"
+
+namespace btest::plugin::Demo_Foo {
+Plugin plugin;
+}
+
+using namespace btest::plugin::Demo_Foo;
+
+zeek::plugin::Configuration Plugin::Configure() {
+    AddComponent(new zeek::conn_key::Component("Foo", btest::plugin::Demo_Foo::FooFactory::Instantiate));
+
+    zeek::plugin::Configuration config;
+    config.name = "Demo::Foo";
+    config.description = "A Foo ConnKey factory";
+    config.version.major = 1;
+    config.version.minor = 0;
+    config.version.patch = 0;
+    return config;
+}

testing/btest/plugins/connkey-plugin/src/Plugin.h

@@ -0,0 +1,15 @@
+
+#pragma once
+
+#include "zeek/plugin/Plugin.h"
+
+namespace btest::plugin::Demo_Foo {
+
+class Plugin : public zeek::plugin::Plugin {
+protected:
+    zeek::plugin::Configuration Configure() override;
+};
+
+extern Plugin plugin;
+
+} // namespace btest::plugin::Demo_Foo

testing/btest/plugins/connkey.zeek

@@ -0,0 +1,16 @@
+# @TEST-EXEC: ${DIST}/auxil/zeek-aux/plugin-support/init-plugin -u . Demo Foo
+# @TEST-EXEC: cp -r %DIR/connkey-plugin/* .
+# @TEST-EXEC: ./configure --zeek-dist=${DIST} && make
+# @TEST-EXEC: ZEEK_PLUGIN_PATH=`pwd` zeek -NN Demo::Foo  >>output
+# @TEST-EXEC: echo === >>output
+# @TEST-EXEC: ZEEK_PLUGIN_PATH=`pwd` zeek -r $TRACES/ftp/ipv4.trace %INPUT >>output
+# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p id.inits proto service orig_pkts resp_pkts < conn.log > conn.log.cut
+# @TEST-EXEC: btest-diff conn.log.cut
+# @TEST-EXEC: btest-diff output
+
+
+redef ConnKey::factory = ConnKey::CONNKEY_FOO;
+
+redef record conn_id += {
+	inits: int &log &default=-1;  # Number of inits happened until the key was created. Not part of the hash, just metadata.
+};