
Upgrade libddwaf java to 14.0.0 #8654


Open
wants to merge 1 commit into
base: master
4 changes: 3 additions & 1 deletion dd-java-agent/appsec/build.gradle
Expand Up @@ -15,7 +15,7 @@ dependencies {
implementation project(':internal-api')
implementation project(':communication')
implementation project(':telemetry')
implementation group: 'io.sqreen', name: 'libsqreen', version: '13.0.1'
implementation group: 'io.sqreen', name: 'libsqreen', version: '14.0.0'
implementation libs.moshi

testImplementation libs.bytebuddy
Expand Down Expand Up @@ -70,6 +70,7 @@ ext {
'com.datadog.appsec.config.MergedAsmData.InvalidAsmDataException',
'com.datadog.appsec.ddwaf.WafInitialization',
'com.datadog.appsec.ddwaf.WAFModule.WAFDataCallback',
'com.datadog.appsec.config.AppSecModuleConfigurer.Reconfiguration',
'com.datadog.appsec.report.*',
'com.datadog.appsec.config.AppSecConfigServiceImpl.SubscribeFleetServiceRunnable.1',
'com.datadog.appsec.util.StandardizedLogging',
Expand All @@ -81,6 +82,7 @@ ext {
'com.datadog.appsec.config.AppSecFeatures.Asm',
'com.datadog.appsec.config.AppSecFeatures.ApiSecurity',
'com.datadog.appsec.config.AppSecFeatures.AutoUserInstrum',
'com.datadog.appsec.AppSecModule.AppSecModuleActivationException',
'com.datadog.appsec.event.ReplaceableEventProducerService',
'com.datadog.appsec.api.security.ApiSecuritySampler.NoOp',
]
Expand Up @@ -3,21 +3,24 @@
import static java.util.concurrent.TimeUnit.MICROSECONDS;
import static java.util.concurrent.TimeUnit.SECONDS;

import com.datadog.appsec.config.AppSecConfig;
import com.datadog.appsec.config.AppSecConfigDeserializer;
import com.datadog.appsec.event.data.KnownAddresses;
import com.datadog.ddwaf.Waf;
import com.datadog.ddwaf.WafBuilder;
import com.datadog.ddwaf.WafContext;
import com.datadog.ddwaf.WafHandle;
import com.datadog.ddwaf.WafMetrics;
import com.datadog.ddwaf.exception.AbstractWafException;
import com.squareup.moshi.JsonAdapter;
import com.squareup.moshi.Moshi;
import com.squareup.moshi.Types;
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import okio.Okio;
import org.openjdk.jmh.annotations.Benchmark;
import org.openjdk.jmh.annotations.BenchmarkMode;
import org.openjdk.jmh.annotations.Fork;
Expand All @@ -38,45 +41,49 @@
@OutputTimeUnit(MICROSECONDS)
@Fork(value = 3)
public class WafBenchmark {
private static final JsonAdapter<Map<String, Object>> ADAPTER =
new Moshi.Builder()
.build()
.adapter(Types.newParameterizedType(Map.class, String.class, Object.class));

static {
BenchmarkUtil.disableLogging();
BenchmarkUtil.initializeWaf();
}

WafHandle ctx;
WafBuilder wafBuilder;
WafHandle wafHandle;
WafContext wafContext;
Map<String, Object> wafData = new HashMap<>();
Waf.Limits limits = new Waf.Limits(50, 500, 1000, 5000000, 5000000);

@Benchmark
public void withMetrics() throws Exception {
WafMetrics metricsCollector = ctx.createMetrics();
WafContext add = ctx.openContext();
WafMetrics metricsCollector = new WafMetrics();
wafContext = new WafContext(wafHandle);
try {
add.run(wafData, limits, metricsCollector);
wafContext.run(wafData, limits, metricsCollector);
} finally {
add.close();
wafContext.close();
}
}

@Benchmark
public void withoutMetrics() throws Exception {
WafContext add = ctx.openContext();
wafContext = new WafContext(wafHandle);
try {
add.run(wafData, limits, null);
wafContext.run(wafData, limits, null);
} finally {
add.close();
wafContext.close();
}
}

@Setup(Level.Trial)
public void setUp() throws AbstractWafException, IOException {
wafBuilder = new WafBuilder();
InputStream stream = getClass().getClassLoader().getResourceAsStream("test_multi_config.json");
Map<String, AppSecConfig> cfg =
Collections.singletonMap("waf", AppSecConfigDeserializer.INSTANCE.deserialize(stream));
AppSecConfig waf = cfg.get("waf");
ctx = Waf.createHandle("waf", waf.getRawConfig());

wafBuilder.addOrUpdateConfig("waf", ADAPTER.fromJson(Okio.buffer(Okio.source(stream))));
wafHandle = wafBuilder.buildWafHandleInstance();
wafData.put(KnownAddresses.REQUEST_METHOD.getKey(), "POST");
wafData.put(
KnownAddresses.REQUEST_URI_RAW.getKey(), "/foo/bar?foo=bar&foo=xpto&foo=%3cscript%3e");
Expand Down Expand Up @@ -112,6 +119,14 @@ public void setUp() throws AbstractWafException, IOException {

@TearDown(Level.Trial)
public void teardown() {
ctx.close();
if (wafHandle != null && wafHandle.isOnline()) {
wafHandle.close();
}
if (wafContext != null && wafContext.isOnline()) {
wafContext.close();
}
if (wafBuilder != null && wafBuilder.isOnline()) {
wafBuilder.close();
}
}
}
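Review bot: `withMetrics` and `withoutMetrics` assign each per-invocation context to the shared `wafContext` field instead of a local, which is why `teardown` now has to close it as well, and `teardown` closes `wafHandle` before that context. Keeping the context local, `WafContext context = new WafContext(wafHandle);`, and closing it in the existing `finally` would let `teardown` release only the handle and then the builder. In `setUp`, the result of `getResourceAsStream("test_multi_config.json")` is neither null-checked nor closed before it is handed to `Okio.source(stream)`, so a missing resource would presumably surface as a NullPointerException rather than a clear message. The body of `setUp` continues outside the visible hunks.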
Expand Up @@ -3,17 +3,24 @@
import com.datadog.appsec.config.AppSecModuleConfigurer;
import com.datadog.appsec.event.DataListener;
import com.datadog.appsec.event.data.Address;
import com.datadog.ddwaf.WafBuilder;
import java.util.Collection;

public interface AppSecModule {
void config(AppSecModuleConfigurer appSecConfigService) throws AppSecModuleActivationException;

void setWafBuilder(WafBuilder wafBuilder);

void setRuleVersion(String rulesetVersion);

String getName();

String getInfo();

Collection<DataSubscription> getDataSubscriptions();

boolean isWafBuilderSet();

abstract class DataSubscription implements DataListener {
private final Collection<Address<?>> subscribedAddresses;
private final Priority priority;
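Review bot: The three methods added to `AppSecModule` (`setWafBuilder`, `setRuleVersion`, `isWafBuilderSet`) carry no Javadoc, so the call order the interface now depends on is undocumented. Judging from the `loadModules` change on this page, `setWafBuilder` is called before `config` and only when AppSec is fully enabled, which means implementers must tolerate `config` running with no builder set. A comment such as `/** Supplies the shared WafBuilder; called before config(...) only when AppSec is fully enabled, so isWafBuilderSet() may be false. */` on `setWafBuilder` would make that explicit. The nested `DataSubscription` class continues past the end of the hunk.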
Expand Up @@ -76,8 +76,9 @@ private static void doStart(SubscriptionService gw, SharedCommunicationObjects s
APP_SEC_CONFIG_SERVICE =
new AppSecConfigServiceImpl(
config, configurationPoller, () -> reloadSubscriptions(REPLACEABLE_EVENT_PRODUCER));
APP_SEC_CONFIG_SERVICE.init();

if (appSecEnabledConfig == ProductActivation.FULLY_ENABLED) {
APP_SEC_CONFIG_SERVICE.init();
}
sco.createRemaining(config);

GatewayBridge gatewayBridge =
Expand All @@ -87,7 +88,8 @@ private static void doStart(SubscriptionService gw, SharedCommunicationObjects s
() -> API_SECURITY_SAMPLER,
APP_SEC_CONFIG_SERVICE.getTraceSegmentPostProcessors());

loadModules(eventDispatcher, sco.monitoring);
loadModules(
eventDispatcher, sco.monitoring, appSecEnabledConfig == ProductActivation.FULLY_ENABLED);

gatewayBridge.init();
STOP_SUBSCRIPTION_SERVICE = gatewayBridge::stop;
Expand Down Expand Up @@ -136,20 +138,25 @@ public static void stop() {
RESET_SUBSCRIPTION_SERVICE = null;
}
Blocking.setBlockingService(BlockingService.NOOP);

APP_SEC_CONFIG_SERVICE.close();
}

private static void loadModules(EventDispatcher eventDispatcher, Monitoring monitoring) {
private static void loadModules(
EventDispatcher eventDispatcher, Monitoring monitoring, boolean appSecEnabledConfig) {
EventDispatcher.DataSubscriptionSet dataSubscriptionSet =
new EventDispatcher.DataSubscriptionSet();

final List<AppSecModule> modules = Collections.singletonList(new WAFModule(monitoring));
APP_SEC_CONFIG_SERVICE.modulesToUpdateVersionIn(modules);
for (AppSecModule module : modules) {
log.debug("Starting appsec module {}", module.getName());
try {
AppSecConfigService.TransactionalAppSecModuleConfigurer cfgObject;
cfgObject = APP_SEC_CONFIG_SERVICE.createAppSecModuleConfigurer();
AppSecConfigService.TransactionalAppSecModuleConfigurer cfgObject =
APP_SEC_CONFIG_SERVICE.createAppSecModuleConfigurer();
module.setRuleVersion(APP_SEC_CONFIG_SERVICE.getCurrentRuleVersion());
if (appSecEnabledConfig) {
module.setWafBuilder(APP_SEC_CONFIG_SERVICE.getWafBuilder());
}
module.config(cfgObject);
cfgObject.commit();
} catch (RuntimeException | AppSecModule.AppSecModuleActivationException t) {
Expand All @@ -174,6 +181,7 @@ private static void reloadSubscriptions(

EventDispatcher newEd = new EventDispatcher();
for (AppSecModule module : STARTED_MODULES_INFO.keySet()) {
module.setRuleVersion(APP_SEC_CONFIG_SERVICE.getCurrentRuleVersion());
for (AppSecModule.DataSubscription sub : module.getDataSubscriptions()) {
dataSubscriptionSet.addSubscription(sub.getSubscribedAddresses(), sub);
}
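Review bot: In `loadModules`, `module.config(cfgObject)` and `cfgObject.commit()` still run when `appSecEnabledConfig` is false, so the module is configured without a WafBuilder, and `getCurrentRuleVersion()` is read from a config service whose `init()` was skipped in `doStart`. The hunks shown do not reveal where the builder is supplied on a later activation; if that path is missed the WAF would stay inactive without any error, so a trace on the skipped branch would help, e.g. `log.debug("AppSec not fully enabled; module {} started without a WafBuilder", module.getName());`. The boolean parameter also reuses the name of the `ProductActivation` value in `doStart`; something like `fullyEnabled` would read more clearly. Both `doStart` and `loadModules` extend beyond the visible hunks.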

This file was deleted.

This file was deleted.
