Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[APPSEC-9341] Enable configuring blocking response via Remote Configuration #3099

Merged
merged 8 commits into from
Sep 12, 2023
Merged

[APPSEC-9341] Enable configuring blocking response via Remote Configuration #3099

merged 8 commits into from
Sep 12, 2023

Conversation

GustavoCaso
Copy link
Member

@GustavoCaso GustavoCaso commented Aug 31, 2023
edited
Loading

What does this PR do?

Update ASM to be able to configure the blocking response via Remote Configuration.

Motivation:

Allow customers to change the blocking response via the DD UI

The PR includes multiple changes:

  • Update the ASM remote capabilities
  • Store in memory the actions configured via the DD UI. AppSec::Processor::Actions apart from storing in memory, we need to merge existing actions with the ones coming from the Remote Configuration and merging.
    The logic for merging replaces existing actions with new ones coming from remote configuration and keeps the ones not updated.
  • Modify the AppSec::Response.negotiate method to account for the WAF result actions and the configured information

Additional Notes:

I've removed unused returned values from the methods Reactive::<Class>.subscribe, and Reactive::<Class>.publish

The returned values from the reactive engine are plain arrays ex: [:block, event] or [:monitor, event] those could be refactored into their own classes AppSec::Processor::Actions::Block and AppSec::Processor::Actions::Monitor. I left that exercise to a future PR.

How to test the change?

For Datadog employees:

  • If this PR touches code that signs or publishes builds or packages, or handles
    credentials of any kind, I've requested a review from @DataDog/security-design-and-guidance.
  • This PR doesn't touch any of that.

Unsure? Have a question? Request a review!

@github-actions github-actions bot added appsec Application Security monitoring product integrations Involves tracing integrations labels Aug 31, 2023
@GustavoCaso GustavoCaso force-pushed the asm-remote-configure-blocking-response branch from 40bee94 to d1bf510 Compare August 31, 2023 12:48
@GustavoCaso GustavoCaso changed the title WIP [WIP] Enable configuring blocking response via Remote Configuration Aug 31, 2023
@GustavoCaso GustavoCaso force-pushed the asm-remote-configure-blocking-response branch from 3f803a9 to 0d6c696 Compare September 4, 2023 09:02
@GustavoCaso GustavoCaso changed the title [WIP] Enable configuring blocking response via Remote Configuration [APPSEC-9341] Enable configuring blocking response via Remote Configuration Sep 4, 2023
@GustavoCaso GustavoCaso requested a review from lloeki September 4, 2023 09:17
@GustavoCaso GustavoCaso self-assigned this Sep 4, 2023
@GustavoCaso GustavoCaso marked this pull request as ready for review September 4, 2023 09:17
@GustavoCaso GustavoCaso requested a review from a team September 4, 2023 09:17
@codecov-commenter
Copy link

codecov-commenter commented Sep 4, 2023
edited
Loading

Codecov Report

Merging #3099 (d498af6) into master (24c162b) will increase coverage by 0.00%.
The diff coverage is 98.80%.

@@           Coverage Diff            @@
##           master    #3099    +/-   ##
========================================
  Coverage   98.16%   98.16%            
========================================
  Files        1323     1325     +2     
  Lines       75237    75457   +220     
  Branches     3430     3455    +25     
========================================
+ Hits        73855    74072   +217     
- Misses       1382     1385     +3
Files Changed Coverage Δ
lib/datadog/appsec.rb 90.32% <50.00%> (ø)
...dog/appsec/contrib/rack/request_body_middleware.rb 95.00% <66.66%> (-5.00%) ⬇️
lib/datadog/appsec/response.rb 97.14% <93.75%> (-2.86%) ⬇️
lib/datadog/appsec/component.rb 100.00% <100.00%> (ø)
lib/datadog/appsec/contrib/rack/gateway/watcher.rb 95.55% <100.00%> (ø)
...ib/datadog/appsec/contrib/rack/reactive/request.rb 100.00% <100.00%> (ø)
...tadog/appsec/contrib/rack/reactive/request_body.rb 100.00% <100.00%> (ø)
...b/datadog/appsec/contrib/rack/reactive/response.rb 100.00% <100.00%> (ø)
.../datadog/appsec/contrib/rack/request_middleware.rb 95.65% <100.00%> (+0.09%) ⬆️
...ib/datadog/appsec/contrib/rails/gateway/watcher.rb 97.14% <100.00%> (ø)
... and 19 more

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

@GustavoCaso GustavoCaso force-pushed the asm-remote-configure-blocking-response branch from bddb865 to d498af6 Compare September 6, 2023 14:29
lloeki
lloeki approved these changes Sep 7, 2023
View reviewed changes
Copy link
Member

@lloeki lloeki left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, just a Q.

I think for those catch/throw protocols we should (but not in this PR) move to instances instead of hashes and arrays, it should make things easier to follow (and properly type-checked)

lib/datadog/appsec/monitor/gateway/watcher.rb
end

throw(Datadog::AppSec::Ext::INTERRUPT, [nil, [:block, event]]) if block
throw(Datadog::AppSec::Ext::INTERRUPT, [nil, [[:block, event]]]) if block
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Curious about the double array here: was it missing before or is that an intended API change?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In was missing 😨

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While missing the functionality still worked because we did not use the values

[:block, {}].any? {|action, _event| action == :block }
# => true

We now care about the returned value with the code changes on the request middleware. We use find rather than any?

blocked_event = request_response.find { |action, _options| action == :block }

Old code

blocked_event = [:block, {}].find {|action, _event| action == :block }
#=> :block

New Code

blocked_event = [[:block, {}]].find {|action, _event| action == :block }
# => [:block, {}]

@GustavoCaso
Copy link
Member Author

I think for those catch/throw protocols we should (but not in this PR) move to instances instead of hashes and arrays, it should make things easier to follow (and properly type-checked)

Absolutely 😄

I mentioned in the PR description

The returned values from the reactive engine are plain arrays ex: [:block, event] or [:monitor, event] those could be refactored into their own classes AppSec::Processor::Actions::Block and AppSec::Processor::Actions::Monitor. I left that exercise to a future PR.

@GustavoCaso GustavoCaso merged commit ab475a1 into master Sep 12, 2023
@GustavoCaso GustavoCaso deleted the asm-remote-configure-blocking-response branch September 12, 2023 10:06
@github-actions github-actions bot added this to the 1.15.0 milestone Sep 12, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lloeki lloeki lloeki approved these changes

Assignees

@GustavoCaso GustavoCaso

Labels
appsec Application Security monitoring product integrations Involves tracing integrations
Projects
None yet
Milestone
1.15.0
Development

Successfully merging this pull request may close these issues.
3 participants
@GustavoCaso @codecov-commenter @lloeki