Class: Datadog::AppSec::SecurityEngine::Engine

Inherits:

Object

• Object
• Datadog::AppSec::SecurityEngine::Engine

Defined in:

lib/datadog/appsec/security_engine/engine.rb

Overview

SecurityEngine::Engine creates WAF builder and manages its configuration. It also rebuilds WAF handle from the WAF builder when configuration changes.

Constant Summary

DEFAULT_RULES_CONFIG_PATH =

'ASM_DD/default'

TELEMETRY_ACTIONS =

%w[init update].freeze

DIAGNOSTICS_CONFIG_KEYS =

%w[
  rules
  custom_rules
  exclusions
  actions
  processors
  scanners
  rules_override
  rules_data
  exclusion_data
].freeze

Instance Attribute Summary

• #ruleset_version ⇒ Object readonly

  Returns the value of attribute ruleset_version.

• #waf_addresses ⇒ Object readonly

  Returns the value of attribute waf_addresses.

Instance Method Summary

• #add_or_update_config(config, path:) ⇒ Object
• #finalize! ⇒ Object
• #initialize(appsec_settings:, telemetry:) ⇒ Engine constructor

  A new instance of Engine.

• #new_runner ⇒ Object
• #reconfigure! ⇒ Object
• #remove_config_at_path(path) ⇒ Object

Constructor Details

#initialize(appsec_settings:, telemetry:) ⇒ Engine

Returns a new instance of Engine.

# File 'lib/datadog/appsec/security_engine/engine.rb', line 25

def initialize(appsec_settings:, telemetry:)
  @default_ruleset = appsec_settings.ruleset

  # NOTE: replace appsec_settings argument with default_ruleset when removing these deprecated settings
  @default_ip_denylist = appsec_settings.ip_denylist
  @default_user_id_denylist = appsec_settings.user_id_denylist
  @default_ip_passlist = appsec_settings.ip_passlist

  @waf_builder = WAF::HandleBuilder.new(
    obfuscator: {
      key_regex: appsec_settings.obfuscator_key_regex,
      value_regex: appsec_settings.obfuscator_value_regex
    }
  )

  diagnostics = load_default_config(telemetry: telemetry)
  report_configuration_diagnostics(diagnostics, action: 'init', telemetry: telemetry)

  @waf_handle = @waf_builder.build_handle
  @waf_addresses = @waf_handle.known_addresses
rescue WAF::Error => e
  error_message = "AppSec security engine failed to initialize"

  Datadog.logger.error("#{error_message}, error #{e.inspect}")
  telemetry.report(e, description: error_message)

  raise e
end

Instance Attribute Details

#ruleset_version ⇒ Object (readonly)

Returns the value of attribute ruleset_version.

# File 'lib/datadog/appsec/security_engine/engine.rb', line 23

def ruleset_version
  @ruleset_version
end

#waf_addresses ⇒ Object (readonly)

Returns the value of attribute waf_addresses.

# File 'lib/datadog/appsec/security_engine/engine.rb', line 23

def waf_addresses
  @waf_addresses
end

Instance Method Details

#add_or_update_config(config, path:) ⇒ Object

# File 'lib/datadog/appsec/security_engine/engine.rb', line 66

def add_or_update_config(config, path:)
  @is_ruleset_update = path.include?('ASM_DD')

  # default config has to be removed when adding an ASM_DD config
  remove_config_at_path(DEFAULT_RULES_CONFIG_PATH) if @is_ruleset_update

  diagnostics = @waf_builder.add_or_update_config(config, path: path)
  @ruleset_version = diagnostics['ruleset_version'] if diagnostics.key?('ruleset_version')
  report_configuration_diagnostics(diagnostics, action: 'update', telemetry: AppSec.telemetry)

  # we need to load default config if diagnostics contains top-level error for rules or processors
  if @is_ruleset_update &&
      (diagnostics.key?('error') ||
      diagnostics.dig('rules', 'error') ||
      diagnostics.dig('processors', 'errors'))
    diagnostics = load_default_config(telemetry: AppSec.telemetry)
    report_configuration_diagnostics(diagnostics, action: 'update', telemetry: AppSec.telemetry)
  end

  diagnostics
rescue WAF::Error => e
  error_message = "libddwaf builder failed to add or update config at path: #{path}"

  Datadog.logger.debug("#{error_message}, error: #{e.inspect}")
  AppSec.telemetry.report(e, description: error_message)
end

#finalize! ⇒ Object

# File 'lib/datadog/appsec/security_engine/engine.rb', line 54

def finalize!
  @waf_handle&.finalize!
  @waf_builder&.finalize!

  @waf_addresses = []
  @ruleset_version = nil
end

#new_runner ⇒ Object

# File 'lib/datadog/appsec/security_engine/engine.rb', line 62

def new_runner
  SecurityEngine::Runner.new(@waf_handle.build_context)
end

#reconfigure! ⇒ Object

# File 'lib/datadog/appsec/security_engine/engine.rb', line 109

def reconfigure!
  old_waf_handle = @waf_handle

  @waf_handle = @waf_builder.build_handle
  @waf_addresses = @waf_handle.known_addresses

  old_waf_handle&.finalize!
rescue WAF::Error => e
  error_message = "AppSec security engine failed to reconfigure"

  Datadog.logger.error("#{error_message}, error #{e.inspect}")
  AppSec.telemetry.report(e, description: error_message)

  if old_waf_handle
    Datadog.logger.warn("Reverting to the previous configuration")

    @waf_handle = old_waf_handle
    @waf_addresses = old_waf_handle.known_addresses
  end
end

#remove_config_at_path(path) ⇒ Object

# File 'lib/datadog/appsec/security_engine/engine.rb', line 93

def remove_config_at_path(path)
  result = @waf_builder.remove_config_at_path(path)

  if result && path != DEFAULT_RULES_CONFIG_PATH && path.include?('ASM_DD')
    diagnostics = load_default_config(telemetry: AppSec.telemetry)
    report_configuration_diagnostics(diagnostics, action: 'update', telemetry: AppSec.telemetry)
  end

  result
rescue WAF::Error => e
  error_message = "libddwaf handle builder failed to remove config at path: #{path}"

  Datadog.logger.error("#{error_message}, error: #{e.inspect}")
  AppSec.telemetry.report(e, description: error_message)
end