From 0195b5490d91f7708f8a19c26f9a4f7825ed6fb9 Mon Sep 17 00:00:00 2001
From: Federico Di Pierro <nierro92@gmail.com>
Date: Mon, 21 Oct 2024 14:57:39 +0200
Subject: [PATCH] chore(userspace/libsinsp): add `EPF_FORMAT_SUGGESTED`
 filtercheck_field flag.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
---
 userspace/libsinsp/filter_field.h      |  6 ++++++
 userspace/libsinsp/plugin.cpp          |  4 +++-
 userspace/libsinsp/plugin.h            | 15 +++++++++------
 userspace/libsinsp/test/plugins.ut.cpp |  8 ++++----
 4 files changed, 22 insertions(+), 11 deletions(-)

diff --git a/userspace/libsinsp/filter_field.h b/userspace/libsinsp/filter_field.h
index 95abb635d1..dcecb209c0 100644
--- a/userspace/libsinsp/filter_field.h
+++ b/userspace/libsinsp/filter_field.h
@@ -50,6 +50,7 @@ enum filtercheck_field_flags {
 	        1 << 13,  ///< data pointers extracted by this field may change across subsequent
 	                  ///< extractions (even of other fields), which makes them unsafe to be used
 	                  ///< with filter caching or field-to-field comparisons
+	EPF_FORMAT_SUGGESTED = 1 << 14,  ///< this field is suggested to be used as output field
 };
 
 /**
@@ -105,6 +106,11 @@ struct filtercheck_field_info {
 	// through a memory buffer copy (e.g. with a FTR_STORAGE transformer)
 	//
 	inline bool is_ptr_unstable() const { return m_flags & EPF_NO_PTR_STABILITY; }
+
+	//
+	// Returns true if this field is a suggested as output
+	//
+	inline bool is_format_suggested() const { return m_flags & EPF_FORMAT_SUGGESTED; }
 };
 
 /**
diff --git a/userspace/libsinsp/plugin.cpp b/userspace/libsinsp/plugin.cpp
index bc8d8b7342..8f76e6f389 100644
--- a/userspace/libsinsp/plugin.cpp
+++ b/userspace/libsinsp/plugin.cpp
@@ -521,7 +521,9 @@ bool sinsp_plugin::resolve_dylib_symbols(std::string& errstr) {
 				}
 
 				if(jvoutput.asBool()) {
-					m_output_fields.emplace("%" + fname);
+					tf.m_flags = (filtercheck_field_flags)((int)tf.m_flags |
+					                                       (int)filtercheck_field_flags::
+					                                               EPF_FORMAT_SUGGESTED);
 				}
 			}
 
diff --git a/userspace/libsinsp/plugin.h b/userspace/libsinsp/plugin.h
index 9c35dfaeee..2fa239e59a 100644
--- a/userspace/libsinsp/plugin.h
+++ b/userspace/libsinsp/plugin.h
@@ -116,7 +116,6 @@ class sinsp_plugin {
 	        m_scap_source_plugin(),
 	        m_fields_info(),
 	        m_fields(),
-	        m_output_fields(),
 	        m_extract_event_sources(),
 	        m_extract_event_codes(),
 	        m_parse_event_sources(),
@@ -174,12 +173,17 @@ class sinsp_plugin {
 	std::vector<open_param> list_open_params() const;
 
 	/** Field Extraction **/
-	inline const std::unordered_set<std::string>& append_outputs_fields(std::string& source) const {
-		static std::unordered_set<std::string> empty_set;
+	inline std::unordered_set<std::string> suggested_output_formats(
+	        const std::string& source) const {
+		std::unordered_set<std::string> output_fields;
 		if(m_extract_event_sources.find(source) != m_extract_event_sources.end()) {
-			return m_output_fields;
+			for(const auto& field : m_fields) {
+				if(field.is_format_suggested()) {
+					output_fields.emplace("%" + field.m_name);
+				}
+			}
 		}
-		return empty_set;
+		return output_fields;
 	}
 
 	inline const std::unordered_set<std::string>& extract_event_sources() const {
@@ -245,7 +249,6 @@ class sinsp_plugin {
 	/** Field Extraction **/
 	filter_check_info m_fields_info;
 	std::vector<filtercheck_field_info> m_fields;
-	std::unordered_set<std::string> m_output_fields;
 	std::unordered_set<std::string> m_extract_event_sources;
 	libsinsp::events::set<ppm_event_code> m_extract_event_codes;
 
diff --git a/userspace/libsinsp/test/plugins.ut.cpp b/userspace/libsinsp/test/plugins.ut.cpp
index 799dc13c82..30b9de7743 100644
--- a/userspace/libsinsp/test/plugins.ut.cpp
+++ b/userspace/libsinsp/test/plugins.ut.cpp
@@ -190,13 +190,13 @@ TEST_F(sinsp_with_test_input, plugin_syscall_extract) {
 	// its value should be present in the output.
 	std::string output_fmt;
 	bool first = true;
-	for(const auto& output_field : pl->append_outputs_fields(syscall_source_name)) {
+	for(const auto& fmt : pl->suggested_output_formats(syscall_source_name)) {
 		if(!first) {
 			output_fmt += " ";
 		} else {
 			first = false;
 		}
-		output_fmt += output_field;
+		output_fmt += fmt;
 	}
 	auto formatter = sinsp_evt_formatter(&m_inspector, output_fmt, pl_flist);
 	std::string output;
@@ -381,13 +381,13 @@ TEST_F(sinsp_with_test_input, plugin_custom_source) {
 	// its value should be present in the output.
 	std::string output_fmt;
 	bool first = true;
-	for(const auto& output_field : ext_pl->append_outputs_fields(evt_source)) {
+	for(const auto& fmt : ext_pl->suggested_output_formats(evt_source)) {
 		if(!first) {
 			output_fmt += " ";
 		} else {
 			first = false;
 		}
-		output_fmt += output_field;
+		output_fmt += fmt;
 	}
 	auto formatter = sinsp_evt_formatter(&m_inspector, output_fmt, filterlist);
 	std::string output;