load static rules data from configuration when initializing Datadog::…

…AppSec::Processor

lib/datadog/appsec/processor.rb

@@ -51,7 +51,7 @@ def initialize
           return
         end
 
-        update_ip_denylist
+        update_rules_data_with_static_configured_values
       end
 
       def ready?
@@ -70,20 +70,6 @@ def toggle_rules(map)
         @handle.toggle_rules(map)
       end
 
-      def update_ip_denylist(denylist = Datadog::AppSec.settings.ip_denylist, id: 'blocked_ips')
-        denylist ||= []
-
-        ruledata_setting = [
-          {
-            'id' => id,
-            'type' => 'data_with_expiration',
-            'data' => denylist.map { |ip| { 'value' => ip.to_s, 'expiration' => 2**63 } }
-          }
-        ]
-
-        update_rule_data(ruledata_setting)
-      end
-
       def finalize
         @handle.finalize
       end
@@ -94,6 +80,30 @@ def finalize
 
       private
 
+      def update_rules_data_with_static_configured_values
+        ruledata_setting = []
+        ruledata_setting << ip_denylist_data(Datadog::AppSec.settings.ip_denylist || [])
+        ruledata_setting << user_id_denylist_data(Datadog::AppSec.settings.user_id_denylist || [])
+
+        update_rule_data(ruledata_setting)
+      end
+
+      def ip_denylist_data(denylist, id: 'blocked_ips')
+        {
+          'id' => id,
+          'type' => 'data_with_expiration',
+          'data' => denylist.map { |ip| { 'value' => ip.to_s, 'expiration' => 2**63 } }
+        }
+      end
+
+      def user_id_denylist_data(denylist, id: 'blocked_users')
+        {
+          'id' => id,
+          'type' => 'data_with_expiration',
+          'data' => denylist.map { |ip| { 'value' => ip.to_s, 'expiration' => 2**63 } }
+        }
+      end
+
       def load_libddwaf
         Processor.require_libddwaf && Processor.libddwaf_provides_waf?
       end

sig/datadog/appsec/processor.rbs

@@ -29,7 +29,9 @@ module Datadog
       def new_context: () -> Context
       def update_rule_data: (untyped data) -> untyped
       def toggle_rules: (untyped map) -> untyped
-      def update_ip_denylist: (?untyped denylist, ?id: ::String) -> untyped
+      def update_rules_data_with_static_configured_values: () -> untyped
+      def ip_denylist_data: (::Array[String?] denylist, ?id: ::String) -> ::Hash[::String, untyped]
+      def user_id_denylist_data: (::Array[String?] denylist, ?id: ::String) -> ::Hash[::String, untyped]
       def finalize: () -> void
 
       attr_reader handle: untyped

spec/datadog/appsec/processor_spec.rb

@@ -249,6 +249,36 @@
       it { is_expected.to_not be_ready }
     end
 
+    context 'when loading static data rule configuration' do
+      before do
+        allow(Datadog::AppSec.settings).to receive(:ip_denylist).and_return(['192.192.1.1'])
+        allow(Datadog::AppSec.settings).to receive(:user_id_denylist).and_return(['user3'])
+      end
+
+      it 'calls #update_rule_data with the right value' do
+        expect_any_instance_of(described_class).to receive(:update_rule_data) do |_, args|
+          expect(args.size).to eq(2)
+
+          blocked_ips = args.find { |hash| hash['id'] == 'blocked_ips' }
+          blocked_users = args.find { |hash| hash['id'] == 'blocked_users' }
+
+          expect(blocked_ips).to_not be_nil
+          expect(blocked_users).to_not be_nil
+          expect(blocked_ips['type']).to eq('data_with_expiration')
+          expect(blocked_users['type']).to eq('data_with_expiration')
+
+          blocked_ips_data = blocked_ips['data']
+          blocked_user_data = blocked_users['data']
+          expect(blocked_ips_data.size).to eq(1)
+          expect(blocked_user_data.size).to eq(1)
+          expect(blocked_ips_data[0]['value']).to eq('192.192.1.1')
+          expect(blocked_user_data[0]['value']).to eq('user3')
+        end
+
+        described_class.new
+      end
+    end
+
     context 'when things are OK' do
       before do
         expect(Datadog::AppSec::Assets).to receive(:waf_rules).with(:recommended).and_call_original