Replace direct AppSec::Processor::Context calls
Strech committed Jan 10, 2025
1 parent 0d7d48b commit 06a5261
Showing 30 changed files with 150 additions and 152 deletions.
11 changes: 4 additions & 7 deletions lib/datadog/appsec/context.rb
Expand Up @@ -7,10 +7,10 @@ module AppSec
class Context
ActiveContextError = Class.new(StandardError)

# XXX: Continue from here:
# 1. Replace naming of processor_context into waf_runner
# 2. Replace calls of waf run
attr_reader :trace, :span, :processor_context
attr_reader :trace, :span

# NOTE: This is an intermediate state and will be changed
attr_reader :waf_runner

class << self
def activate(context)
Expand All @@ -36,9 +36,6 @@ def initialize(trace, span, security_engine)
@span = span
@security_engine = security_engine
@waf_runner = security_engine.new_context

# FIXME: Left for compatibility now
@processor_context = @waf_runner
end

def run_waf(persistent_data, ephemeral_data, timeout = WAF::LibDDWAF::DDWAF_RUN_TIMEOUT)
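Review bot: `run_waf` on the last line of the second hunk defaults its timeout to `WAF::LibDDWAF::DDWAF_RUN_TIMEOUT`, while every caller updated in this commit passes `Datadog.configuration.appsec.waf_timeout` explicitly, so a future caller that omits the argument silently bypasses the operator-configured limit. Consider defaulting to the configured value, `def run_waf(persistent_data, ephemeral_data, timeout = Datadog.configuration.appsec.waf_timeout)`, or dropping the default so the timeout must always be passed. The same question applies to `run_rasp`, which `active_record/instrumentation.rb` now calls but which is not visible in this hunk, so confirm it exists on Context with that arity. The body of `run_waf` continues outside the hunk.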
4 changes: 2 additions & 2 deletions lib/datadog/appsec/contrib/active_record/instrumentation.rb
Expand Up @@ -23,7 +23,7 @@ def detect_sql_injection(sql, adapter_name)
}

waf_timeout = Datadog.configuration.appsec.waf_timeout
result = context.processor_context.run({}, ephemeral_data, waf_timeout)
result = context.run_rasp(Ext::RASP_SQLI, {}, ephemeral_data, waf_timeout)

if result.status == :match
Datadog::AppSec::Event.tag_and_keep!(context, result)
Expand All @@ -35,7 +35,7 @@ def detect_sql_injection(sql, adapter_name)
sql: sql,
actions: result.actions
}
context.processor_context.events << event
context.waf_runner.events << event
end
end

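Review bot: The new call `context.run_rasp(Ext::RASP_SQLI, {}, ephemeral_data, waf_timeout)` references `Ext` by a relative constant name, whereas the other files in this commit qualify it fully (`Datadog::AppSec::Ext::CONTEXT_KEY` in the rack, rails and sinatra watchers). Inside `Datadog::AppSec::Contrib::ActiveRecord::Instrumentation` a bare `Ext` resolves lexically to the nearest module of that name, so if the ActiveRecord integration defines its own `Ext` this line would raise NameError for `RASP_SQLI` instead of reaching the constant added in `lib/datadog/appsec/ext.rb`; writing `Datadog::AppSec::Ext::RASP_SQLI` removes the ambiguity. `detect_sql_injection` starts and ends outside the hunk.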
4 changes: 2 additions & 2 deletions lib/datadog/appsec/contrib/graphql/gateway/watcher.rb
Expand Up @@ -28,7 +28,7 @@ def watch_multiplex(gateway = Instrumentation.gateway)
engine = AppSec::Reactive::Engine.new

if context
GraphQL::Reactive::Multiplex.subscribe(engine, context.processor_context) do |result|
GraphQL::Reactive::Multiplex.subscribe(engine, context) do |result|
event = {
waf_result: result,
trace: context.trace,
Expand All @@ -38,7 +38,7 @@ def watch_multiplex(gateway = Instrumentation.gateway)
}

Datadog::AppSec::Event.tag_and_keep!(context, result)
context.processor_context.events << event
context.waf_runner.events << event
end

block = GraphQL::Reactive::Multiplex.publish(engine, gateway_multiplex)
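Review bot: `context.waf_runner.events << event` reaches through the Context into a runner that `context.rb` in this same commit labels as an intermediate state (`# NOTE: This is an intermediate state and will be changed`), so each watcher now depends directly on the runner's `events` array; the same pattern is introduced in the rack, rails, sinatra and monitor watchers, in the ActiveRecord instrumentation and in `rack/request_middleware.rb`. A delegating reader on Context (a `def events` method returning `@waf_runner.events`, or a `record_event(event)` that appends to it) would keep these call sites stable when the runner is reworked, and the follow-up rename promised in the NOTE could then happen in one place. `watch_multiplex` starts and ends outside the hunk.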
4 changes: 2 additions & 2 deletions lib/datadog/appsec/contrib/graphql/reactive/multiplex.rb
Expand Up @@ -20,7 +20,7 @@ def self.publish(engine, gateway_multiplex)
end
end

def self.subscribe(engine, waf_context)
def self.subscribe(engine, context)
engine.subscribe(*ADDRESSES) do |*values|
Datadog.logger.debug { "reacted to #{ADDRESSES.inspect}: #{values.inspect}" }
arguments = values[0]
Expand All @@ -30,7 +30,7 @@ def self.subscribe(engine, waf_context)
}

waf_timeout = Datadog.configuration.appsec.waf_timeout
result = waf_context.run(persistent_data, {}, waf_timeout)
result = context.run_waf(persistent_data, {}, waf_timeout)

next if result.status != :match

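Review bot: `self.subscribe(engine, context)` now takes the whole AppSec context and calls `context.run_waf` inside the block, but the rename leaves no statement of what `subscribe` expects from `context`; a YARD line above the definition, `# @param context [Datadog::AppSec::Context] active request context, used to run the WAF`, would make the new contract explicit. The identical rename and call change appear in `rack/reactive/request.rb`, `rack/reactive/request_body.rb`, `rack/reactive/response.rb`, `rails/reactive/action.rb`, `sinatra/reactive/routed.rb` and `monitor/reactive/set_user.rb`, which would benefit from the same line. The `engine.subscribe` block continues outside the hunk.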
12 changes: 6 additions & 6 deletions lib/datadog/appsec/contrib/rack/gateway/watcher.rb
Expand Up @@ -29,7 +29,7 @@ def watch_request(gateway = Instrumentation.gateway)
context = gateway_request.env[Datadog::AppSec::Ext::CONTEXT_KEY]
engine = AppSec::Reactive::Engine.new

Rack::Reactive::Request.subscribe(engine, context.processor_context) do |result|
Rack::Reactive::Request.subscribe(engine, context) do |result|
if result.status == :match
# TODO: should this hash be an Event instance instead?
event = {
Expand All @@ -43,7 +43,7 @@ def watch_request(gateway = Instrumentation.gateway)
# We want to keep the trace in case of security event
context.trace.keep! if context.trace
Datadog::AppSec::Event.tag_and_keep!(context, result)
context.processor_context.events << event
context.waf_runner.events << event
end
end

Expand All @@ -60,7 +60,7 @@ def watch_response(gateway = Instrumentation.gateway)
context = gateway_response.context
engine = AppSec::Reactive::Engine.new

Rack::Reactive::Response.subscribe(engine, context.processor_context) do |result|
Rack::Reactive::Response.subscribe(engine, context) do |result|
if result.status == :match
# TODO: should this hash be an Event instance instead?
event = {
Expand All @@ -74,7 +74,7 @@ def watch_response(gateway = Instrumentation.gateway)
# We want to keep the trace in case of security event
context.trace.keep! if context.trace
Datadog::AppSec::Event.tag_and_keep!(context, result)
context.processor_context.events << event
context.waf_runner.events << event
end
end

Expand All @@ -91,7 +91,7 @@ def watch_request_body(gateway = Instrumentation.gateway)
context = gateway_request.env[Datadog::AppSec::Ext::CONTEXT_KEY]
engine = AppSec::Reactive::Engine.new

Rack::Reactive::RequestBody.subscribe(engine, context.processor_context) do |result|
Rack::Reactive::RequestBody.subscribe(engine, context) do |result|
if result.status == :match
# TODO: should this hash be an Event instance instead?
event = {
Expand All @@ -105,7 +105,7 @@ def watch_request_body(gateway = Instrumentation.gateway)
# We want to keep the trace in case of security event
context.trace.keep! if context.trace
Datadog::AppSec::Event.tag_and_keep!(context, result)
context.processor_context.events << event
context.waf_runner.events << event
end
end

4 changes: 2 additions & 2 deletions lib/datadog/appsec/contrib/rack/reactive/request.rb
Expand Up @@ -30,7 +30,7 @@ def self.publish(engine, gateway_request)
end
end

def self.subscribe(engine, waf_context)
def self.subscribe(engine, context)
engine.subscribe(*ADDRESSES) do |*values|
Datadog.logger.debug { "reacted to #{ADDRESSES.inspect}: #{values.inspect}" }

Expand All @@ -53,7 +53,7 @@ def self.subscribe(engine, waf_context)
}

waf_timeout = Datadog.configuration.appsec.waf_timeout
result = waf_context.run(persistent_data, {}, waf_timeout)
result = context.run_waf(persistent_data, {}, waf_timeout)

next if result.status != :match

4 changes: 2 additions & 2 deletions lib/datadog/appsec/contrib/rack/reactive/request_body.rb
Expand Up @@ -21,7 +21,7 @@ def self.publish(engine, gateway_request)
end
end

def self.subscribe(engine, waf_context)
def self.subscribe(engine, context)
engine.subscribe(*ADDRESSES) do |*values|
Datadog.logger.debug { "reacted to #{ADDRESSES.inspect}: #{values.inspect}" }
body = values[0]
Expand All @@ -31,7 +31,7 @@ def self.subscribe(engine, waf_context)
}

waf_timeout = Datadog.configuration.appsec.waf_timeout
result = waf_context.run(persistent_data, {}, waf_timeout)
result = context.run_waf(persistent_data, {}, waf_timeout)

next if result.status != :match

4 changes: 2 additions & 2 deletions lib/datadog/appsec/contrib/rack/reactive/response.rb
Expand Up @@ -22,7 +22,7 @@ def self.publish(engine, gateway_response)
end
end

def self.subscribe(engine, waf_context)
def self.subscribe(engine, context)
engine.subscribe(*ADDRESSES) do |*values|
Datadog.logger.debug { "reacted to #{ADDRESSES.inspect}: #{values.inspect}" }

Expand All @@ -37,7 +37,7 @@ def self.subscribe(engine, waf_context)
}

waf_timeout = Datadog.configuration.appsec.waf_timeout
result = waf_context.run(persistent_data, {}, waf_timeout)
result = context.run_waf(persistent_data, {}, waf_timeout)

next if result.status != :match

10 changes: 5 additions & 5 deletions lib/datadog/appsec/contrib/rack/request_middleware.rb
Expand Up @@ -94,22 +94,22 @@ def call(env)

_response_return, response_response = Instrumentation.gateway.push('rack.response', gateway_response)

result = ctx.processor_context.extract_schema
result = ctx.waf_runner.extract_schema

if result
ctx.processor_context.events << {
ctx.waf_runner.events << {
trace: ctx.trace,
span: ctx.span,
waf_result: result,
}
end

ctx.processor_context.events.each do |e|
ctx.waf_runner.events.each do |e|
e[:response] ||= gateway_response
e[:request] ||= gateway_request
end

AppSec::Event.record(ctx.span, *ctx.processor_context.events)
AppSec::Event.record(ctx.span, *ctx.waf_runner.events)

if response_response
blocked_event = response_response.find { |action, _options| action == :block }
Expand Down Expand Up @@ -209,7 +209,7 @@ def add_request_tags(context, env)

def add_waf_runtime_tags(context)
span = context.span
context = context.processor_context
context = context.waf_runner

return unless span && context

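Review bot: In `add_waf_runtime_tags` the line `context = context.waf_runner` rebinds the `context` parameter to a different kind of object, so from the guard `return unless span && context` onward the name `context` denotes the WAF runner rather than the AppSec context; this was already true with `processor_context`, but the rename is the moment to stop it. Use a distinct local, `waf_runner = context.waf_runner` and `return unless span && waf_runner`, and update the remaining uses, which lie outside the hunk. In the `call` hunk `ctx.waf_runner.events` is fetched three times; binding it once (`events = ctx.waf_runner.events`) would read better and make it obvious the same array is appended to, iterated and then passed to `AppSec::Event.record`.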
4 changes: 2 additions & 2 deletions lib/datadog/appsec/contrib/rails/gateway/watcher.rb
Expand Up @@ -25,7 +25,7 @@ def watch_request_action(gateway = Instrumentation.gateway)
context = gateway_request.env[Datadog::AppSec::Ext::CONTEXT_KEY]
engine = AppSec::Reactive::Engine.new

Rails::Reactive::Action.subscribe(engine, context.processor_context) do |result|
Rails::Reactive::Action.subscribe(engine, context) do |result|
if result.status == :match
# TODO: should this hash be an Event instance instead?
event = {
Expand All @@ -39,7 +39,7 @@ def watch_request_action(gateway = Instrumentation.gateway)
# We want to keep the trace in case of security event
context.trace.keep! if context.trace
Datadog::AppSec::Event.tag_and_keep!(context, result)
context.processor_context.events << event
context.waf_runner.events << event
end
end

4 changes: 2 additions & 2 deletions lib/datadog/appsec/contrib/rails/reactive/action.rb
Expand Up @@ -25,7 +25,7 @@ def self.publish(engine, gateway_request)
end
end

def self.subscribe(engine, waf_context)
def self.subscribe(engine, context)
engine.subscribe(*ADDRESSES) do |*values|
Datadog.logger.debug { "reacted to #{ADDRESSES.inspect}: #{values.inspect}" }
body = values[0]
Expand All @@ -37,7 +37,7 @@ def self.subscribe(engine, waf_context)
}

waf_timeout = Datadog.configuration.appsec.waf_timeout
result = waf_context.run(persistent_data, {}, waf_timeout)
result = context.run_waf(persistent_data, {}, waf_timeout)

next if result.status != :match

8 changes: 4 additions & 4 deletions lib/datadog/appsec/contrib/sinatra/gateway/watcher.rb
Expand Up @@ -27,7 +27,7 @@ def watch_request_dispatch(gateway = Instrumentation.gateway)
context = gateway_request.env[Datadog::AppSec::Ext::CONTEXT_KEY]
engine = AppSec::Reactive::Engine.new

Rack::Reactive::RequestBody.subscribe(engine, context.processor_context) do |result|
Rack::Reactive::RequestBody.subscribe(engine, context) do |result|
if result.status == :match
# TODO: should this hash be an Event instance instead?
event = {
Expand All @@ -41,7 +41,7 @@ def watch_request_dispatch(gateway = Instrumentation.gateway)
# We want to keep the trace in case of security event
context.trace.keep! if context.trace
Datadog::AppSec::Event.tag_and_keep!(context, result)
context.processor_context.events << event
context.waf_runner.events << event
end
end

Expand All @@ -58,7 +58,7 @@ def watch_request_routed(gateway = Instrumentation.gateway)
context = gateway_request.env[Datadog::AppSec::Ext::CONTEXT_KEY]
engine = AppSec::Reactive::Engine.new

Sinatra::Reactive::Routed.subscribe(engine, context.processor_context) do |result|
Sinatra::Reactive::Routed.subscribe(engine, context) do |result|
if result.status == :match
# TODO: should this hash be an Event instance instead?
event = {
Expand All @@ -72,7 +72,7 @@ def watch_request_routed(gateway = Instrumentation.gateway)
# We want to keep the trace in case of security event
context.trace.keep! if context.trace
Datadog::AppSec::Event.tag_and_keep!(context, result)
context.processor_context.events << event
context.waf_runner.events << event
end
end

4 changes: 2 additions & 2 deletions lib/datadog/appsec/contrib/sinatra/reactive/routed.rb
Expand Up @@ -22,7 +22,7 @@ def self.publish(engine, data)
end
end

def self.subscribe(engine, waf_context)
def self.subscribe(engine, context)
engine.subscribe(*ADDRESSES) do |*values|
Datadog.logger.debug { "reacted to #{ADDRESSES.inspect}: #{values.inspect}" }
path_params = values[0]
Expand All @@ -32,7 +32,7 @@ def self.subscribe(engine, waf_context)
}

waf_timeout = Datadog.configuration.appsec.waf_timeout
result = waf_context.run(persistent_data, {}, waf_timeout)
result = context.run_waf(persistent_data, {}, waf_timeout)

next if result.status != :match

1 change: 1 addition & 0 deletions lib/datadog/appsec/ext.rb
Expand Up @@ -3,6 +3,7 @@
module Datadog
module AppSec
module Ext
RASP_SQLI = :sql_injection
INTERRUPT = :datadog_appsec_interrupt
CONTEXT_KEY = 'datadog.appsec.context'
ACTIVE_CONTEXT_KEY = :datadog_appsec_active_context
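Review bot: `RASP_SQLI = :sql_injection` is added without a comment, and nothing in `Ext` ties the symbol to its only consumer in this commit, the first argument of `context.run_rasp` in `active_record/instrumentation.rb`. A one-line comment above it, `# RASP rule type for the SQL injection check; passed as the first argument to Context#run_rasp`, would document that and make it clear the value is an identifier, not a user-facing string. The `Ext` module continues outside the hunk.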
4 changes: 2 additions & 2 deletions lib/datadog/appsec/monitor/gateway/watcher.rb
Expand Up @@ -23,7 +23,7 @@ def watch_user_id(gateway = Instrumentation.gateway)
context = Datadog::AppSec.active_context
engine = AppSec::Reactive::Engine.new

Monitor::Reactive::SetUser.subscribe(engine, context.processor_context) do |result|
Monitor::Reactive::SetUser.subscribe(engine, context) do |result|
if result.status == :match
# TODO: should this hash be an Event instance instead?
event = {
Expand All @@ -37,7 +37,7 @@ def watch_user_id(gateway = Instrumentation.gateway)
# We want to keep the trace in case of security event
context.trace.keep! if context.trace
Datadog::AppSec::Event.tag_and_keep!(context, result)
context.processor_context.events << event
context.waf_runner.events << event
end
end

4 changes: 2 additions & 2 deletions lib/datadog/appsec/monitor/reactive/set_user.rb
Expand Up @@ -19,7 +19,7 @@ def self.publish(engine, user)
end
end

def self.subscribe(engine, waf_context)
def self.subscribe(engine, context)
engine.subscribe(*ADDRESSES) do |*values|
Datadog.logger.debug { "reacted to #{ADDRESSES.inspect}: #{values.inspect}" }

Expand All @@ -30,7 +30,7 @@ def self.subscribe(engine, waf_context)
}

waf_timeout = Datadog.configuration.appsec.waf_timeout
result = waf_context.run(persistent_data, {}, waf_timeout)
result = context.run_waf(persistent_data, {}, waf_timeout)

next if result.status != :match

14 changes: 4 additions & 10 deletions spec/datadog/appsec/context_spec.rb
Expand Up @@ -41,12 +41,9 @@

subject(:activate_context) { described_class.activate(described_class.new(trace, span, processor)) }

it 'raises ActiveContextError' do
it 'raises ActiveContextError and does not change the active context' do
expect { activate_context }.to raise_error(Datadog::AppSec::Context::ActiveContextError)
end

it 'does not change the active context' do
expect { activate_context rescue nil }.to_not(change { described_class.active })
.and(not_change { described_class.active })
end
end
end
Expand Down Expand Up @@ -75,12 +72,9 @@
expect(context).to receive(:finalize).and_raise(RuntimeError.new('Ooops'))
end

it 'raises underlying exception' do
it 'raises underlying exception and unsets the active context' do
expect { described_class.deactivate }.to raise_error(RuntimeError)
end

it 'unsets the active context' do
expect { described_class.deactivate rescue nil }.to change { described_class.active }.from(context).to(nil)
.and(change { described_class.active }.from(context).to(nil))
end
end
end
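Review bot: The merged example in the first hunk uses `.and(not_change { described_class.active })`, but `not_change` is not a matcher that rspec-expectations ships; it exists only if the suite declares it, typically with `RSpec::Matchers.define_negated_matcher :not_change, :change` in a spec support file. If that declaration is missing the example fails with NoMethodError rather than exercising the behaviour, so confirm it is defined or keep the two separate examples the commit removes. The second hunk composes `raise_error` with `change { }.from(context).to(nil)` using built-in matchers and does not have this dependency.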
