rsigma-runtime 0.12.0

Streaming runtime for rsigma — event sources, sinks, and log processing pipeline
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151

//! Command source resolver: runs a local command and captures stdout.

use std::time::{Duration, Instant};

use rsigma_eval::pipeline::sources::{DataFormat, ExtractExpr};
use tokio::io::AsyncReadExt;

use super::extract::apply_extract;
use super::file::parse_data;
use super::{MAX_SOURCE_RESPONSE_BYTES, ResolvedValue, SourceError, SourceErrorKind};

const DEFAULT_COMMAND_TIMEOUT: Duration = Duration::from_secs(30);

/// Resolve a command source by executing it and parsing stdout.
pub async fn resolve_command(
    command: &[String],
    format: DataFormat,
    extract_expr: Option<&ExtractExpr>,
    timeout: Option<Duration>,
) -> Result<ResolvedValue, SourceError> {
    resolve_command_with_limit(
        command,
        format,
        extract_expr,
        timeout,
        MAX_SOURCE_RESPONSE_BYTES,
    )
    .await
}

/// Same as [`resolve_command`] but with a configurable stdout size limit.
pub async fn resolve_command_with_limit(
    command: &[String],
    format: DataFormat,
    extract_expr: Option<&ExtractExpr>,
    timeout: Option<Duration>,
    max_stdout_bytes: usize,
) -> Result<ResolvedValue, SourceError> {
    if command.is_empty() {
        return Err(SourceError {
            source_id: String::new(),
            kind: SourceErrorKind::Fetch("command is empty".into()),
        });
    }

    let mut child = tokio::process::Command::new(&command[0])
        .args(&command[1..])
        .stdout(std::process::Stdio::piped())
        .stderr(std::process::Stdio::piped())
        .spawn()
        .map_err(|e| SourceError {
            source_id: String::new(),
            kind: SourceErrorKind::Fetch(format!("failed to spawn '{}': {e}", command[0])),
        })?;

    let deadline = timeout.unwrap_or(DEFAULT_COMMAND_TIMEOUT);

    let result = tokio::time::timeout(deadline, async {
        let mut stdout_buf = Vec::new();
        let mut stderr_buf = Vec::new();

        if let Some(mut stdout) = child.stdout.take() {
            let mut tmp = vec![0u8; 8192];
            loop {
                let n = stdout.read(&mut tmp).await.map_err(|e| SourceError {
                    source_id: String::new(),
                    kind: SourceErrorKind::Fetch(format!("failed to read stdout: {e}")),
                })?;
                if n == 0 {
                    break;
                }
                if stdout_buf.len() + n > max_stdout_bytes {
                    let _ = child.kill().await;
                    return Err(SourceError {
                        source_id: String::new(),
                        kind: SourceErrorKind::ResourceLimit(format!(
                            "command stdout exceeds {} byte limit",
                            max_stdout_bytes
                        )),
                    });
                }
                stdout_buf.extend_from_slice(&tmp[..n]);
            }
        }

        if let Some(mut stderr) = child.stderr.take() {
            let cap = 64 * 1024; // 64 KB for error messages
            let mut tmp = vec![0u8; 4096];
            loop {
                let n = stderr.read(&mut tmp).await.unwrap_or(0);
                if n == 0 {
                    break;
                }
                if stderr_buf.len() + n > cap {
                    break;
                }
                stderr_buf.extend_from_slice(&tmp[..n]);
            }
        }

        let status = child.wait().await.map_err(|e| SourceError {
            source_id: String::new(),
            kind: SourceErrorKind::Fetch(format!("command execution failed: {e}")),
        })?;

        Ok((status, stdout_buf, stderr_buf))
    })
    .await;

    let (status, stdout_bytes, stderr_bytes) = match result {
        Ok(inner) => inner?,
        Err(_) => {
            let _ = child.kill().await;
            return Err(SourceError {
                source_id: String::new(),
                kind: SourceErrorKind::Timeout,
            });
        }
    };

    if !status.success() {
        let stderr = String::from_utf8_lossy(&stderr_bytes);
        return Err(SourceError {
            source_id: String::new(),
            kind: SourceErrorKind::Fetch(format!(
                "command exited with {}: {}",
                status,
                stderr.trim()
            )),
        });
    }

    let stdout = String::from_utf8(stdout_bytes).map_err(|e| SourceError {
        source_id: String::new(),
        kind: SourceErrorKind::Parse(format!("command output is not valid UTF-8: {e}")),
    })?;

    let parsed = parse_data(&stdout, format)?;

    let data = if let Some(expr) = extract_expr {
        apply_extract(&parsed, expr)?
    } else {
        parsed
    };

    Ok(ResolvedValue {
        data,
        resolved_at: Instant::now(),
        from_cache: false,
    })
}