Fix GetGid/GetUid not implemented for event type. eventType: symlink #728

Merged
matthyx merged 2 commits into main from fix-enrichevent
Feb 26, 2026

@matthyx matthyx commented Feb 25, 2026

Summary by CodeRabbit

  • New Features

    • Added support for extracting Elastic Container Service (ECS) metadata from events.
  • Bug Fixes

    • Improved stability by gracefully handling missing event fields; system now returns safe defaults instead of crashing.
  • Refactor

    • Streamlined event field access logic for improved consistency and maintainability across event types.

…and improve logging

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>
…ing consistency

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

coderabbitai bot commented Feb 25, 2026

Walkthrough

Refactored event accessor methods in two core files to use generalized field access with error handling instead of hard-coded reads. Updated datasource_event.go to add new ECS-related accessors and implement field-access-based retrieval with warnings on missing fields. Simplified struct_event.go accessors to return struct fields directly, removing per-event-type gating logic and type-check switches.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Event Data Source Accessors: pkg/utils/datasource_event.go | Refactored 40+ getter methods to use getFieldAccessor with graceful error handling and warning logs instead of panic-prone hard-coded field reads. Added 11 new ECS-related accessor methods (GetEcsAvailabilityZone, GetEcsClusterARN, GetEcsClusterName, etc.). Re-introduced GetAttrSize() with field-access-based implementation. Enhanced IP accessors with version-based reads and improved error handling. |
| Event Struct Accessors: pkg/utils/struct_event.go | Simplified 30+ accessor methods to return struct fields directly, removing per-event-type switches and default-case warnings. Refactored GetDstEndpoint to consistently return types.L4Endpoint. Removed ECS-related placeholder method stubs, transitioning to simpler direct-field-exposure pattern. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

Suggested reviewers

  • slashben

Poem

🐰 With fields now safely accessed, no crashes to fear,
ECS metadata flows, crystal clear,
Error handling gentle, warnings take their place,
Resilient accessors in every case! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Title check | ⚠️ Warning | The title specifically mentions fixing GetGid/GetUid for symlink events, but the changeset addresses a much broader refactoring—replacing per-event-type gating logic with generalized field access across dozens of getter methods and adding ECS-related accessors. | Update the title to reflect the main scope of changes, e.g., 'Refactor getter methods to use generalized field access with error handling' or 'Replace event-type gating with shared field accessor pattern'. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@matthyx matthyx requested a review from YakirOren February 25, 2026 17:48
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (3)
pkg/utils/datasource_event.go (2)

561-568: GetFlagsRaw reads Int32 but returns uint32 — potential sign truncation.

If flags_raw is stored as a signed int32 with the high bit set (e.g., O_NOFOLLOW = 0x20000), the cast uint32(flags) is fine in Go (bit-preserving). However, using Uint32 directly would be more semantically correct and avoid the indirection.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/utils/datasource_event.go` around lines 561 - 568, The GetFlagsRaw
function currently reads flags_raw via Int32 then casts to uint32, which is
semantically off and can be clearer by reading it as an unsigned value; update
GetFlagsRaw to use the field accessor's Uint32 (or equivalent unsigned) method
instead of Int32, handle the error the same way (logging via logger.L().Warning
with helpers.String("eventType", string(e.EventType)) and returning 0 on error),
and return the unsigned result directly so the code in
DatasourceEvent.GetFlagsRaw and its call to e.getFieldAccessor("flags_raw")
consistently treats the field as uint32.

418-515: Consider extracting a helper to reduce ECS getter boilerplate.

All 11 GetEcs* methods follow the identical pattern: getFieldAccessor("ecs.X").String(e.Data) → warn on error → return empty string. This is ~100 lines of near-identical code.

♻️ Possible helper to reduce duplication
func (e *DatasourceEvent) getEcsString(field, method string) string {
	val, err := e.getFieldAccessor(field).String(e.Data)
	if err != nil {
		logger.L().Warning(method+" - "+field+" field not found in event type",
			helpers.String("eventType", string(e.EventType)))
		return ""
	}
	return val
}

Each getter then becomes a one-liner:

func (e *DatasourceEvent) GetEcsClusterARN() string {
	return e.getEcsString("ecs.clusterARN", "GetEcsClusterARN")
}

This pattern could also be generalized to non-ECS string getters.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/utils/datasource_event.go` around lines 418 - 515, The 11 GetEcs* methods
in DatasourceEvent are duplicate boilerplate calling
getFieldAccessor(...).String(e.Data) and logging on error; extract a helper
(e.g., DatasourceEvent.getEcsString(field, methodName) or a more general
getString(field, methodName)) that performs the accessor call, error logging
using logger.L().Warning with helpers.String("eventType", string(e.EventType)),
and returns the string or "" on error, then replace each
GetEcsClusterARN/GetEcsClusterName/GetEcsContainerARN/GetEcsContainerInstance/GetEcsContainerName/GetEcsAvailabilityZone/GetEcsLaunchType/GetEcsServiceName/GetEcsTaskARN/GetEcsTaskDefinitionARN/GetEcsTaskFamily
with a one-liner that returns e.getEcsString("ecs.<field>", "GetEcs<...>") (or
e.getString for the generalized helper).

pkg/utils/struct_event.go (1)

173-215: ECS stub methods return empty strings for interface compliance.

These are no-op stubs since StructEvent doesn't carry ECS metadata. This is fine for satisfying the interface contract. Consider whether a shared no-op mixin could reduce boilerplate if this pattern grows further.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/utils/struct_event.go` around lines 173 - 215, The file contains many
identical no-op ECS accessor methods on StructEvent (GetEcsAvailabilityZone,
GetEcsClusterARN, GetEcsClusterName, GetEcsContainerARN,
GetEcsContainerInstance, GetEcsContainerName, GetEcsLaunchType,
GetEcsServiceName, GetEcsTaskARN, GetEcsTaskDefinitionARN, GetEcsTaskFamily);
refactor by extracting these into a single reusable no-op mixin type (e.g., type
ecsNoop struct with the same method set returning ""), then embed that mixin in
StructEvent (or have StructEvent alias/compose it) and remove the duplicated
methods from StructEvent so interface compliance is preserved but boilerplate is
eliminated. Ensure the mixin defines all listed method names exactly to satisfy
the interface.

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/utils/datasource_event.go`:
- Around line 316-369: GetDstEndpoint currently returns empty L4Endpoint if any
sub-field is missing; change it so core network fields (addr via
"endpoint.addr_raw.v4", version "endpoint.version", port "endpoint.port", and
proto "endpoint.proto_raw") still cause an early return on error but make K8s
enrichment fields ("endpoint.k8s.kind", "endpoint.k8s.name",
"endpoint.k8s.namespace", "endpoint.k8s.labels") best-effort: call
getFieldAccessor for each enrichment field, and if it errors log a warning and
continue with zero-value/defaults (e.g., empty strings or empty map from
parseStringToMap) instead of returning; ensure the final return constructs
types.L4Endpoint using rawIPv4ToString(addr), parseStringToMap(podLabels) and
types.EndpointKind(kind) so addr/port/proto are preserved even if enrichment is
missing.

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 68206c0 and 12b45d1.

📒 Files selected for processing (2)
  • pkg/utils/datasource_event.go
  • pkg/utils/struct_event.go
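
The inline comment on GetDstEndpoint in the review above separates core network fields, which must be present, from K8s enrichment fields, which should be best-effort. The following Go sketch is an added example, not code from this PR or the project: the `event` map, `endpoint` struct, `str` accessor and `dstEndpoint` function are hypothetical stand-ins, and field values are simplified to strings and a `uint16` port.

```go
package main

import (
	"fmt"
	"log"
)

// Constructed stand-ins for illustration; not the project's types.
type event map[string]interface{}

type endpoint struct {
	Addr, Proto, Kind, Name, Namespace string
	Port                               uint16
}

// str is a hypothetical accessor: a missing or mistyped field is an error, never a panic.
func str(e event, name string) (string, error) {
	if v, ok := e[name].(string); ok {
		return v, nil
	}
	return "", fmt.Errorf("field %q not found", name)
}

// dstEndpoint requires the core network fields but treats K8s enrichment as best-effort.
func dstEndpoint(e event) (endpoint, bool) {
	var ep endpoint
	var err error
	if ep.Addr, err = str(e, "endpoint.addr_raw.v4"); err != nil {
		return endpoint{}, false
	}
	if ep.Proto, err = str(e, "endpoint.proto_raw"); err != nil {
		return endpoint{}, false
	}
	port, ok := e["endpoint.port"].(uint16)
	if !ok {
		return endpoint{}, false
	}
	ep.Port = port
	// Enrichment: warn and keep the zero value so addr/port/proto survive.
	for name, dst := range map[string]*string{
		"endpoint.k8s.kind": &ep.Kind, "endpoint.k8s.name": &ep.Name, "endpoint.k8s.namespace": &ep.Namespace,
	} {
		if *dst, err = str(e, name); err != nil {
			log.Printf("warning: %v, continuing without it", err)
		}
	}
	return ep, true
}

func main() {
	// Constructed event carrying network data but no K8s enrichment.
	bare := event{"endpoint.addr_raw.v4": "10.0.0.7", "endpoint.proto_raw": "TCP", "endpoint.port": uint16(443)}
	fmt.Println(dstEndpoint(bare))
}
```

With this shape, an event that lacks pod metadata still yields its destination address, port and protocol for downstream detection rules, while a missing core field still produces an empty result.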

@matthyx matthyx added the release Create release label Feb 26, 2026
@matthyx matthyx merged commit 6ad58a8 into main Feb 26, 2026
27 checks passed
@matthyx matthyx deleted the fix-enrichevent branch February 26, 2026 13:11