fix(userspace/engine): avoid reading duplicate exception values

[jasondellaluce]

What type of PR is this?

/kind bug

Any specific area of the project related to this PR?

/area engine

What this PR does / why we need it:

The recursive function that reads rule exception values does not clear out the value list, so consecutive list-type exception values may end up containing in duplicate items.

Which issue(s) this PR fixes:

Special notes for your reviewer:

The regression seems to be introduced in #2098

A minimum example to reproduce the issue is reported below:

- rule: Sample Rule
  desc: A sample rule
  output: Sample output (type=%evt.type)
  priority: ERROR
  condition: >
    evt.dir = <
  exceptions:
    - name: sample_exception
      fields: [evt.type, proc.name]
      comps: [in, in]
      values:
        - [[openat], [ls]]

This rule and its exceptions will be compiled into the following condition (note the rolled-over duplication of openat):

(evt.dir = < and not (evt.type in (openat) and proc.name in (openat, ls)))

With this fix, the rule is correctly compiled as:

(evt.dir = < and not (evt.type in (openat) and proc.name in (ls)))

Does this PR introduce a user-facing change?:

fix(userspace/engine): avoid reading duplicate exception values

[jasondellaluce]

/milestone 0.33.0

[FedeDP]

/approve

[poiana]

LGTM label has been added.

Git tree hash: c4154b1b53ee51904e1208d495e94e2d110999cd

[Andreagit97]

/approve

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Andreagit97, FedeDP, jasondellaluce

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [Andreagit97,FedeDP,jasondellaluce]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[VadimZy]

Technically speaking, the implementation of decode_exception_info_entry is error-prone.

• The return value is ignored at the root level,
• a case where tmp.items.empty() is ignored (left to the clients)
• node checks only at the root level, no validation in the tree branches and leafs
• multiple copying of tmp objects, even with possible moving it will require a lot of allocations for the inner entry structures;

std::unique_ptr<rule_loader::rule_exception_info::entry> decode_exception_info_entry(
	const YAML::Node& node)
{
	using entry_t = rule_loader::rule_exception_info::entry;
	if (node.IsDefined())
	{
		if (node.IsScalar())
		{
			std::unique_ptr<entry_t> ret(new entry_t());
			
			ret->is_list = false;
			if (YAML::convert<string>::decode(node, ret->item))
			{
				return ret;
			}
			return {};
		}
		if (node.IsSequence())
		{
			std::unique_ptr<entry_t> ret(new entry_t());
			ret->is_list = true;
			for(const YAML::Node& v : node)
			{
				auto item = decode_exception_info_entry(v);
				if (item != nullptr)
				{
					ret->items.push_back(std::move(item));
				}
			}
			return ret->items.empty() ? std::unique_ptr<entry_t>() : std::move(ret);
		}
	}
	return {};
}

same for read_rule_exceptions function

rule_exception_info, rule_exception_info::entry should have their constructors with throwing validations.