Adding cache bypass when no profile available (#679)

* Adding cache bypass when no profile available

Signed-off-by: Amit Schendel <[email protected]>

* Fixing test

Signed-off-by: Amit Schendel <[email protected]>

---------

Signed-off-by: Amit Schendel <[email protected]>

Author: amitschendel

pkg/rulemanager/cel/libraries/applicationprofile/ap.go

@@ -53,7 +53,10 @@ func (l *apLibrary) Declarations() map[string][]cel.FunctionOpt {
 						return l.wasExecuted(args[0], args[1])
 					}
 					cachedFunc := l.functionCache.WithCache(wrapperFunc, "ap.was_executed")
-					return cachedFunc(values[0], values[1])
+					result := cachedFunc(values[0], values[1])
+					// Convert "profile not available" error to false after cache layer
+					// This ensures: 1) error is not cached, 2) rule evaluation continues normally
+					return cache.ConvertProfileNotAvailableErrToBool(result, false)
 				}),
 			),
 		},
@@ -68,7 +71,10 @@ func (l *apLibrary) Declarations() map[string][]cel.FunctionOpt {
 						return l.wasExecutedWithArgs(args[0], args[1], args[2])
 					}
 					cachedFunc := l.functionCache.WithCache(wrapperFunc, "ap.was_executed_with_args")
-					return cachedFunc(values[0], values[1], values[2])
+					result := cachedFunc(values[0], values[1], values[2])
+					// Convert "profile not available" error to false after cache layer
+					// This ensures: 1) error is not cached, 2) rule evaluation continues normally
+					return cache.ConvertProfileNotAvailableErrToBool(result, false)
 				}),
 			),
 		},
@@ -83,7 +89,8 @@ func (l *apLibrary) Declarations() map[string][]cel.FunctionOpt {
 						return l.wasPathOpened(args[0], args[1])
 					}
 					cachedFunc := l.functionCache.WithCache(wrapperFunc, "ap.was_path_opened")
-					return cachedFunc(values[0], values[1])
+					result := cachedFunc(values[0], values[1])
+					return cache.ConvertProfileNotAvailableErrToBool(result, false)
 				}),
 			),
 		},
@@ -98,7 +105,8 @@ func (l *apLibrary) Declarations() map[string][]cel.FunctionOpt {
 						return l.wasPathOpenedWithFlags(args[0], args[1], args[2])
 					}
 					cachedFunc := l.functionCache.WithCache(wrapperFunc, "ap.was_path_opened_with_flags")
-					return cachedFunc(values[0], values[1], values[2])
+					result := cachedFunc(values[0], values[1], values[2])
+					return cache.ConvertProfileNotAvailableErrToBool(result, false)
 				}),
 			),
 		},
@@ -113,7 +121,8 @@ func (l *apLibrary) Declarations() map[string][]cel.FunctionOpt {
 						return l.wasPathOpenedWithSuffix(args[0], args[1])
 					}
 					cachedFunc := l.functionCache.WithCache(wrapperFunc, "ap.was_path_opened_with_suffix")
-					return cachedFunc(values[0], values[1])
+					result := cachedFunc(values[0], values[1])
+					return cache.ConvertProfileNotAvailableErrToBool(result, false)
 				}),
 			),
 		},
@@ -128,7 +137,8 @@ func (l *apLibrary) Declarations() map[string][]cel.FunctionOpt {
 						return l.wasPathOpenedWithPrefix(args[0], args[1])
 					}
 					cachedFunc := l.functionCache.WithCache(wrapperFunc, "ap.was_path_opened_with_prefix")
-					return cachedFunc(values[0], values[1])
+					result := cachedFunc(values[0], values[1])
+					return cache.ConvertProfileNotAvailableErrToBool(result, false)
 				}),
 			),
 		},
@@ -143,7 +153,8 @@ func (l *apLibrary) Declarations() map[string][]cel.FunctionOpt {
 						return l.wasSyscallUsed(args[0], args[1])
 					}
 					cachedFunc := l.functionCache.WithCache(wrapperFunc, "ap.was_syscall_used")
-					return cachedFunc(values[0], values[1])
+					result := cachedFunc(values[0], values[1])
+					return cache.ConvertProfileNotAvailableErrToBool(result, false)
 				}),
 			),
 		},
@@ -158,7 +169,8 @@ func (l *apLibrary) Declarations() map[string][]cel.FunctionOpt {
 						return l.wasCapabilityUsed(args[0], args[1])
 					}
 					cachedFunc := l.functionCache.WithCache(wrapperFunc, "ap.was_capability_used")
-					return cachedFunc(values[0], values[1])
+					result := cachedFunc(values[0], values[1])
+					return cache.ConvertProfileNotAvailableErrToBool(result, false)
 				}),
 			),
 		},
@@ -173,7 +185,8 @@ func (l *apLibrary) Declarations() map[string][]cel.FunctionOpt {
 						return l.wasEndpointAccessed(args[0], args[1])
 					}
 					cachedFunc := l.functionCache.WithCache(wrapperFunc, "ap.was_endpoint_accessed")
-					return cachedFunc(values[0], values[1])
+					result := cachedFunc(values[0], values[1])
+					return cache.ConvertProfileNotAvailableErrToBool(result, false)
 				}),
 			),
 		},
@@ -188,7 +201,8 @@ func (l *apLibrary) Declarations() map[string][]cel.FunctionOpt {
 						return l.wasEndpointAccessedWithMethod(args[0], args[1], args[2])
 					}
 					cachedFunc := l.functionCache.WithCache(wrapperFunc, "ap.was_endpoint_accessed_with_method")
-					return cachedFunc(values[0], values[1], values[2])
+					result := cachedFunc(values[0], values[1], values[2])
+					return cache.ConvertProfileNotAvailableErrToBool(result, false)
 				}),
 			),
 		},
@@ -203,7 +217,8 @@ func (l *apLibrary) Declarations() map[string][]cel.FunctionOpt {
 						return l.wasEndpointAccessedWithMethods(args[0], args[1], args[2])
 					}
 					cachedFunc := l.functionCache.WithCache(wrapperFunc, "ap.was_endpoint_accessed_with_methods")
-					return cachedFunc(values[0], values[1], values[2])
+					result := cachedFunc(values[0], values[1], values[2])
+					return cache.ConvertProfileNotAvailableErrToBool(result, false)
 				}),
 			),
 		},
@@ -218,7 +233,8 @@ func (l *apLibrary) Declarations() map[string][]cel.FunctionOpt {
 						return l.wasEndpointAccessedWithPrefix(args[0], args[1])
 					}
 					cachedFunc := l.functionCache.WithCache(wrapperFunc, "ap.was_endpoint_accessed_with_prefix")
-					return cachedFunc(values[0], values[1])
+					result := cachedFunc(values[0], values[1])
+					return cache.ConvertProfileNotAvailableErrToBool(result, false)
 				}),
 			),
 		},
@@ -233,7 +249,8 @@ func (l *apLibrary) Declarations() map[string][]cel.FunctionOpt {
 						return l.wasEndpointAccessedWithSuffix(args[0], args[1])
 					}
 					cachedFunc := l.functionCache.WithCache(wrapperFunc, "ap.was_endpoint_accessed_with_suffix")
-					return cachedFunc(values[0], values[1])
+					result := cachedFunc(values[0], values[1])
+					return cache.ConvertProfileNotAvailableErrToBool(result, false)
 				}),
 			),
 		},
@@ -248,7 +265,8 @@ func (l *apLibrary) Declarations() map[string][]cel.FunctionOpt {
 						return l.wasHostAccessed(args[0], args[1])
 					}
 					cachedFunc := l.functionCache.WithCache(wrapperFunc, "ap.was_host_accessed")
-					return cachedFunc(values[0], values[1])
+					result := cachedFunc(values[0], values[1])
+					return cache.ConvertProfileNotAvailableErrToBool(result, false)
 				}),
 			),
 		},

pkg/rulemanager/cel/libraries/applicationprofile/capability.go

@@ -5,6 +5,7 @@ import (
 
 	"github.com/google/cel-go/common/types"
 	"github.com/google/cel-go/common/types/ref"
+	"github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache"
 	"github.com/kubescape/node-agent/pkg/rulemanager/profilehelper"
 )
 
@@ -24,7 +25,7 @@ func (l *apLibrary) wasCapabilityUsed(containerID, capabilityName ref.Val) ref.V
 
 	container, _, err := profilehelper.GetContainerApplicationProfile(l.objectCache, containerIDStr)
 	if err != nil {
-		return types.Bool(false)
+		return cache.NewProfileNotAvailableErr("%v", err)
 	}
 
 	if slices.Contains(container.Capabilities, capabilityNameStr) {

pkg/rulemanager/cel/libraries/applicationprofile/exec.go

@@ -8,6 +8,7 @@ import (
 	"github.com/google/cel-go/common/types/ref"
 	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache"
 	"github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/celparse"
 	"github.com/kubescape/node-agent/pkg/rulemanager/profilehelper"
 )
@@ -33,7 +34,9 @@ func (l *apLibrary) wasExecuted(containerID, path ref.Val) ref.Val {
 
 	container, _, err := profilehelper.GetContainerApplicationProfile(l.objectCache, containerIDStr)
 	if err != nil {
-		return types.Bool(false)
+		// Return a special error that will NOT be cached, allowing retry when profile becomes available.
+		// The caller should convert this to false after the cache layer.
+		return cache.NewProfileNotAvailableErr("%v", err)
 	}
 
 	for _, exec := range container.Execs {
@@ -76,7 +79,9 @@ func (l *apLibrary) wasExecutedWithArgs(containerID, path, args ref.Val) ref.Val
 
 	container, _, err := profilehelper.GetContainerApplicationProfile(l.objectCache, containerIDStr)
 	if err != nil {
-		return types.Bool(false)
+		// Return a special error that will NOT be cached, allowing retry when profile becomes available.
+		// The caller should convert this to false after the cache layer.
+		return cache.NewProfileNotAvailableErr("%v", err)
 	}
 
 	for _, exec := range container.Execs {

pkg/rulemanager/cel/libraries/applicationprofile/http.go

@@ -7,6 +7,7 @@ import (
 
 	"github.com/google/cel-go/common/types"
 	"github.com/google/cel-go/common/types/ref"
+	"github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache"
 	"github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/celparse"
 	"github.com/kubescape/node-agent/pkg/rulemanager/profilehelper"
 	"github.com/kubescape/storage/pkg/registry/file/dynamicpathdetector"
@@ -29,7 +30,7 @@ func (l *apLibrary) wasEndpointAccessed(containerID, endpoint ref.Val) ref.Val {
 
 	container, _, err := profilehelper.GetContainerApplicationProfile(l.objectCache, containerIDStr)
 	if err != nil {
-		return types.Bool(false)
+		return cache.NewProfileNotAvailableErr("%v", err)
 	}
 
 	for _, ep := range container.Endpoints {
@@ -62,7 +63,7 @@ func (l *apLibrary) wasEndpointAccessedWithMethod(containerID, endpoint, method
 
 	container, _, err := profilehelper.GetContainerApplicationProfile(l.objectCache, containerIDStr)
 	if err != nil {
-		return types.Bool(false)
+		return cache.NewProfileNotAvailableErr("%v", err)
 	}
 
 	for _, ep := range container.Endpoints {
@@ -98,7 +99,7 @@ func (l *apLibrary) wasEndpointAccessedWithMethods(containerID, endpoint, method
 
 	container, _, err := profilehelper.GetContainerApplicationProfile(l.objectCache, containerIDStr)
 	if err != nil {
-		return types.Bool(false)
+		return cache.NewProfileNotAvailableErr("%v", err)
 	}
 
 	for _, ep := range container.Endpoints {
@@ -131,7 +132,7 @@ func (l *apLibrary) wasEndpointAccessedWithPrefix(containerID, prefix ref.Val) r
 
 	container, _, err := profilehelper.GetContainerApplicationProfile(l.objectCache, containerIDStr)
 	if err != nil {
-		return types.Bool(false)
+		return cache.NewProfileNotAvailableErr("%v", err)
 	}
 
 	for _, ep := range container.Endpoints {
@@ -160,7 +161,7 @@ func (l *apLibrary) wasEndpointAccessedWithSuffix(containerID, suffix ref.Val) r
 
 	container, _, err := profilehelper.GetContainerApplicationProfile(l.objectCache, containerIDStr)
 	if err != nil {
-		return types.Bool(false)
+		return cache.NewProfileNotAvailableErr("%v", err)
 	}
 
 	for _, ep := range container.Endpoints {
@@ -189,19 +190,22 @@ func (l *apLibrary) wasHostAccessed(containerID, host ref.Val) ref.Val {
 
 	// Check HTTP endpoints for host access
 	container, _, err := profilehelper.GetContainerApplicationProfile(l.objectCache, containerIDStr)
-	if err == nil {
-		for _, ep := range container.Endpoints {
-			// Parse the endpoint URL to extract host
-			if parsedURL, err := url.Parse(ep.Endpoint); err == nil && parsedURL.Host != "" {
-				if parsedURL.Host == hostStr || parsedURL.Hostname() == hostStr {
-					return types.Bool(true)
-				}
-			}
-			// Also check if the endpoint contains the host as a substring (for cases where it's not a full URL)
-			if strings.Contains(ep.Endpoint, hostStr) {
+	if err != nil {
+		return cache.NewProfileNotAvailableErr("%v", err)
+	}
+
+	for _, ep := range container.Endpoints {
+		// Parse the endpoint URL to extract host
+		if parsedURL, err := url.Parse(ep.Endpoint); err == nil && parsedURL.Host != "" {
+			if parsedURL.Host == hostStr || parsedURL.Hostname() == hostStr {
 				return types.Bool(true)
 			}
 		}
+		// Also check if the endpoint contains the host as a substring (for cases where it's not a full URL)
+		if strings.Contains(ep.Endpoint, hostStr) {
+			return types.Bool(true)
+		}
 	}
+
 	return types.Bool(false)
 }

pkg/rulemanager/cel/libraries/applicationprofile/open.go

@@ -5,6 +5,7 @@ import (
 
 	"github.com/google/cel-go/common/types"
 	"github.com/google/cel-go/common/types/ref"
+	"github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache"
 	"github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/celparse"
 	"github.com/kubescape/node-agent/pkg/rulemanager/profilehelper"
 	"github.com/kubescape/storage/pkg/registry/file/dynamicpathdetector"
@@ -26,7 +27,7 @@ func (l *apLibrary) wasPathOpened(containerID, path ref.Val) ref.Val {
 
 	container, _, err := profilehelper.GetContainerApplicationProfile(l.objectCache, containerIDStr)
 	if err != nil {
-		return types.Bool(false)
+		return cache.NewProfileNotAvailableErr("%v", err)
 	}
 
 	for _, open := range container.Opens {
@@ -60,7 +61,7 @@ func (l *apLibrary) wasPathOpenedWithFlags(containerID, path, flags ref.Val) ref
 
 	container, _, err := profilehelper.GetContainerApplicationProfile(l.objectCache, containerIDStr)
 	if err != nil {
-		return types.Bool(false)
+		return cache.NewProfileNotAvailableErr("%v", err)
 	}
 
 	for _, open := range container.Opens {
@@ -90,7 +91,7 @@ func (l *apLibrary) wasPathOpenedWithSuffix(containerID, suffix ref.Val) ref.Val
 
 	container, _, err := profilehelper.GetContainerApplicationProfile(l.objectCache, containerIDStr)
 	if err != nil {
-		return types.Bool(false)
+		return cache.NewProfileNotAvailableErr("%v", err)
 	}
 
 	for _, open := range container.Opens {
@@ -118,7 +119,7 @@ func (l *apLibrary) wasPathOpenedWithPrefix(containerID, prefix ref.Val) ref.Val
 
 	container, _, err := profilehelper.GetContainerApplicationProfile(l.objectCache, containerIDStr)
 	if err != nil {
-		return types.Bool(false)
+		return cache.NewProfileNotAvailableErr("%v", err)
 	}
 
 	for _, open := range container.Opens {

pkg/rulemanager/cel/libraries/applicationprofile/syscall.go

@@ -5,6 +5,7 @@ import (
 
 	"github.com/google/cel-go/common/types"
 	"github.com/google/cel-go/common/types/ref"
+	"github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache"
 	"github.com/kubescape/node-agent/pkg/rulemanager/profilehelper"
 )
 
@@ -24,7 +25,7 @@ func (l *apLibrary) wasSyscallUsed(containerID, syscallName ref.Val) ref.Val {
 
 	container, _, err := profilehelper.GetContainerApplicationProfile(l.objectCache, containerIDStr)
 	if err != nil {
-		return types.Bool(false)
+		return cache.NewProfileNotAvailableErr("%v", err)
 	}
 
 	if slices.Contains(container.Syscalls, syscallNameStr) {

pkg/rulemanager/cel/libraries/cache/function_cache.go

@@ -10,6 +10,41 @@ import (
 	"github.com/hashicorp/golang-lru/v2/expirable"
 )
 
+// ProfileNotAvailableErr is a sentinel error message used to indicate that a profile
+// is not yet available. This error is NOT cached, allowing retry when profile becomes available.
+// After the cache layer, this error should be converted to a default value (e.g., false)
+// to allow rule evaluation to continue without failing.
+const ProfileNotAvailableErr = "profile not available"
+
+// NewProfileNotAvailableErr creates a new "profile not available" error.
+// This error will NOT be cached, allowing the function to be re-evaluated
+// when the profile becomes available.
+func NewProfileNotAvailableErr(format string, args ...any) ref.Val {
+	return types.NewErr(ProfileNotAvailableErr+": "+format, args...)
+}
+
+// IsProfileNotAvailableErr checks if the given value is a "profile not available" error.
+func IsProfileNotAvailableErr(val ref.Val) bool {
+	if !types.IsError(val) {
+		return false
+	}
+	errVal, ok := val.Value().(error)
+	if !ok {
+		return false
+	}
+	return strings.Contains(errVal.Error(), ProfileNotAvailableErr)
+}
+
+// ConvertProfileNotAvailableErrToBool converts a "profile not available" error to a boolean value.
+// This should be called AFTER the cache layer to ensure the error is not cached,
+// but the rule evaluation can continue with a default value.
+func ConvertProfileNotAvailableErrToBool(val ref.Val, defaultVal bool) ref.Val {
+	if IsProfileNotAvailableErr(val) {
+		return types.Bool(defaultVal)
+	}
+	return val
+}
+
 type FunctionCacheConfig struct {
 	MaxSize int           `mapstructure:"maxSize"`
 	TTL     time.Duration `mapstructure:"ttl"`