btest/plugins: Add test for custom ConnKey factory

This just counts DoInits() and adds that information to the conn_id record, but without including it into the hash. Mostly for smoke testing.
2025-10-02 06:38:20 +00:00 · 2025-06-20 09:42:01 +02:00 · 2025-06-20 09:42:01 +02:00 · e7b1b174f0
commit e7b1b174f0
parent a040f550f4
9 changed files with 162 additions and 0 deletions
--- a/testing/btest/plugins/connkey-plugin/.btest-ignore
+++ b/testing/btest/plugins/connkey-plugin/.btest-ignore
--- a/testing/btest/plugins/connkey-plugin/CMakeLists.txt
+++ b/testing/btest/plugins/connkey-plugin/CMakeLists.txt
@ -0,0 +1,15 @@
+project(Zeek-Plugin-Demo-Foo)
+
+cmake_minimum_required(VERSION 3.15)
+
+if (NOT ZEEK_DIST)
+    message(FATAL_ERROR "ZEEK_DIST not set")
+endif ()
+
+set(CMAKE_MODULE_PATH ${ZEEK_DIST}/cmake)
+
+include(ZeekPlugin)
+
+zeek_add_plugin(
+    Demo Foo
+    SOURCES src/Plugin.cc src/Foo.cc)
--- a/testing/btest/plugins/connkey-plugin/src/Foo.cc
+++ b/testing/btest/plugins/connkey-plugin/src/Foo.cc
@ -0,0 +1,45 @@
+
+#include "Foo.h"
+
+#include <cstdio>
+#include <memory>
+
+#include "zeek/Desc.h"
+#include "zeek/Val.h"
+#include "zeek/iosource/Packet.h"
+#include "zeek/packet_analysis/protocol/ip/conn_key/IPBasedConnKey.h"
+#include "zeek/session/Key.h"
+
+using namespace btest::plugin::Demo_Foo;
+
+namespace {
+
+// Just track how often DoInit() was called for baselining.
+int all_inits = 0;
+
+class MyConnKey : public zeek::IPConnKey {
+public:
+    MyConnKey(int inits) : zeek::IPConnKey(), inits(inits) {}
+
+    void DoInit(const zeek::Packet& pkt) override { ++all_inits; }
+
+    void DoPopulateConnIdVal(zeek::RecordVal& rv) override {
+        static int offset = rv.GetType<zeek::RecordType>()->FieldOffset("inits");
+        rv.Assign(offset, zeek::make_intrusive<zeek::IntVal>(inits));
+    }
+
+private:
+    int inits;
+};
+
+} // namespace
+
+zeek::ConnKeyPtr FooFactory::DoNewConnKey() const {
+    std::printf("DoNewConnKey (%d key all_inits)\n", all_inits);
+    return std::make_unique<MyConnKey>(all_inits);
+}
+zeek::expected<zeek::ConnKeyPtr, std::string> FooFactory::DoConnKeyFromVal(const zeek::Val& v) const {
+    std::printf("DoConnKeyFromVal for %s\n", zeek::obj_desc_short(&v).c_str());
+    return zeek::conn_key::fivetuple::Factory::DoConnKeyFromVal(v);
+}
+zeek::conn_key::FactoryPtr FooFactory::Instantiate() { return std::make_unique<FooFactory>(); }
--- a/testing/btest/plugins/connkey-plugin/src/Foo.h
+++ b/testing/btest/plugins/connkey-plugin/src/Foo.h
@ -0,0 +1,25 @@
+#pragma once
+
+#include "zeek/IntrusivePtr.h"
+#include "zeek/conn_key/Factory.h"
+#include "zeek/packet_analysis/protocol/ip/conn_key/fivetuple/Factory.h"
+
+namespace zeek {
+class Val;
+using ValPtr = zeek::IntrusivePtr<Val>;
+} // namespace zeek
+
+namespace btest::plugin::Demo_Foo {
+
+class FooFactory : public zeek::conn_key::fivetuple::Factory {
+public:
+    static zeek::conn_key::FactoryPtr Instantiate();
+
+protected:
+    zeek::ConnKeyPtr DoNewConnKey() const override;
+    zeek::expected<zeek::ConnKeyPtr, std::string> DoConnKeyFromVal(const zeek::Val& v) const override;
+
+private:
+};
+
+} // namespace btest::plugin::Demo_Foo
--- a/testing/btest/plugins/connkey-plugin/src/Plugin.cc
+++ b/testing/btest/plugins/connkey-plugin/src/Plugin.cc
@ -0,0 +1,24 @@
+
+#include "Plugin.h"
+
+#include "zeek/conn_key/Component.h"
+
+#include "Foo.h"
+
+namespace btest::plugin::Demo_Foo {
+Plugin plugin;
+}
+
+using namespace btest::plugin::Demo_Foo;
+
+zeek::plugin::Configuration Plugin::Configure() {
+    AddComponent(new zeek::conn_key::Component("Foo", btest::plugin::Demo_Foo::FooFactory::Instantiate));
+
+    zeek::plugin::Configuration config;
+    config.name = "Demo::Foo";
+    config.description = "A Foo ConnKey factory";
+    config.version.major = 1;
+    config.version.minor = 0;
+    config.version.patch = 0;
+    return config;
+}
--- a/testing/btest/plugins/connkey-plugin/src/Plugin.h
+++ b/testing/btest/plugins/connkey-plugin/src/Plugin.h
@ -0,0 +1,15 @@
+
+#pragma once
+
+#include "zeek/plugin/Plugin.h"
+
+namespace btest::plugin::Demo_Foo {
+
+class Plugin : public zeek::plugin::Plugin {
+protected:
+    zeek::plugin::Configuration Configure() override;
+};
+
+extern Plugin plugin;
+
+} // namespace btest::plugin::Demo_Foo
--- a/testing/btest/plugins/connkey.zeek
+++ b/testing/btest/plugins/connkey.zeek
@ -0,0 +1,16 @@
+# @TEST-EXEC: ${DIST}/auxil/zeek-aux/plugin-support/init-plugin -u . Demo Foo
+# @TEST-EXEC: cp -r %DIR/connkey-plugin/* .
+# @TEST-EXEC: ./configure --zeek-dist=${DIST} && make
+# @TEST-EXEC: ZEEK_PLUGIN_PATH=`pwd` zeek -NN Demo::Foo  >>output
+# @TEST-EXEC: echo === >>output
+# @TEST-EXEC: ZEEK_PLUGIN_PATH=`pwd` zeek -r $TRACES/ftp/ipv4.trace %INPUT >>output
+# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p id.inits proto service orig_pkts resp_pkts < conn.log > conn.log.cut
+# @TEST-EXEC: btest-diff conn.log.cut
+# @TEST-EXEC: btest-diff output
+
+
+redef ConnKey::factory = ConnKey::CONNKEY_FOO;
+
+redef record conn_id += {
+	inits: int &log &default=-1;  # Number of inits happened until the key was created. Not part of the hash, just metadata.
+};