add new user_id_denylist configuration to appsec

DataDog · GustavoCaso · Feb 13, 2023 · Feb 9, 2023 · Feb 9, 2023 · Feb 13, 2023
commit a7f13b41eeb04a905e4caaabd31e0b582b192534
@@ -40,6 +40,10 @@ def ip_denylist=(value)
           options[:ip_denylist] = value
         end
 
+        def user_id_denylist=(value)
+          options[:user_id_denylist] = value
-          options[:user_id_denylist] = value
+          options[:user_id_denylist] = value || []
-          options[:user_id_denylist] = value
+          options[:user_id_denylist] = value || []
+        end
+
         # in microseconds
         def waf_timeout=(value)
           options[:waf_timeout] = value

@@ -142,6 +142,13 @@ def ip_denylist
           _ = @options[:ip_denylist]
         end
 
+        # EXPERIMENTAL: This configurable is not meant to be publicly used, but
+        #               is very useful for testing. It may change at any point in time.
+        def user_id_denylist
+          # Cast for Steep
+          _ = @options[:user_id_denylist]
+        end
+
         def waf_timeout
           # Cast for Steep
           _ = @options[:waf_timeout]

@@ -54,6 +54,12 @@ def ip_denylist=(arg)
           @settings.merge(dsl)
         end
 
+        def user_id_denylist=(arg)
+          dsl = AppSec::Configuration::DSL.new
+          dsl.user_id_denylist = arg
+          @settings.merge(dsl)
+        end
+
         def waf_timeout=(arg)
           dsl = AppSec::Configuration::DSL.new
           dsl.waf_timeout = arg
@@ -102,6 +108,10 @@ def ip_denylist
           @settings.ip_denylist
         end
 
+        def user_id_denylist
+          @settings.user_id_denylist
+        end
+
         def waf_timeout
           @settings.waf_timeout
         end

@@ -27,6 +27,7 @@ module Datadog
         def enabled=: (bool) -> void
         def ruleset=: (::Symbol | ::String | ::Hash[::String, untyped] | ::File | ::StringIO) -> void
         def ip_denylist=: (::Array[::String]) -> void
+        def user_id_denylist=: (::Array[::String]) -> void
         def waf_timeout=: (::Integer) -> void
         def waf_debug=: (bool) -> void
         def trace_rate_limit=: (::Integer) -> void

@@ -29,6 +29,7 @@ module Datadog
         def enabled: () -> bool
         def ruleset: () -> (::Symbol | ::String | ::Hash[::String, untyped] | ::File | ::StringIO)
         def ip_denylist: () -> ::Array[::String]
+        def user_id_denylist: () -> ::Array[::String]
         def waf_timeout: () -> ::Integer
         def waf_debug: () -> bool
         def trace_rate_limit: () -> ::Integer

@@ -19,6 +19,7 @@ module Datadog
         def enabled=: (bool arg) -> untyped
         def ruleset=: ((::Symbol | ::String | ::Hash[::String, untyped] | ::File | ::StringIO) arg) -> untyped
         def ip_denylist=: (::Array[::String] arg) -> untyped
+        def user_id_denylist=: (::Array[::String] arg) -> untyped
         def waf_timeout=: (::Integer arg) -> untyped
         def waf_debug=: (bool arg) -> untyped
         def trace_rate_limit=: (::Integer arg) -> untyped
@@ -30,6 +31,7 @@ module Datadog
         def enabled: () -> bool
         def ruleset: () -> (::Symbol | ::String | ::Hash[::String, untyped] | ::File | ::StringIO)
         def ip_denylist: () -> ::Array[::String]
+        def user_id_denylist: () -> ::Array[::String]
         def waf_timeout: () -> ::Integer
         def waf_debug: () -> bool
         def trace_rate_limit: () -> ::Integer

@@ -82,6 +82,26 @@
       it { expect { trace_rate_limit_ }.to change { settings.trace_rate_limit }.from(100).to(2) }
     end
 
+    describe '#ip_denylist' do
+      subject(:ip_denylist) { settings.ip_denylist }
+      it { is_expected.to eq(nil) }
+    end
+
+    describe '#ip_denylist=' do
+      subject(:ip_denylist_) { settings.merge(dsl.tap { |c| c.ip_denylist = ['192.192.1.1'] }) }
+      it { expect { ip_denylist_ }.to change { settings.ip_denylist }.from(nil).to(['192.192.1.1']) }
+    end
+
+    describe '#user_id_denylist' do
+      subject(:user_id_denylist) { settings.user_id_denylist }
+      it { is_expected.to eq(nil) }
+    end
+
+    describe '#user_id_denylist=' do
+      subject(:user_id_denylist_) { settings.merge(dsl.tap { |c| c.user_id_denylist = ['8764937902709'] }) }
+      it { expect { user_id_denylist_ }.to change { settings.user_id_denylist }.from(nil).to(['8764937902709']) }
+    end
+
     describe '#obfuscator_key_regex' do
       subject(:obfuscator_key_regex) { settings.obfuscator_key_regex }
       it { is_expected.to include('token') }

@@ -103,6 +103,26 @@
         it { expect { trace_rate_limit_ }.to change { settings.trace_rate_limit }.from(100).to(2) }
       end
 
+      describe '#ip_denylist' do
+        subject(:ip_denylist) { settings.ip_denylist }
+        it { is_expected.to eq(nil) }
+      end
+
+      describe '#ip_denylist=' do
+        subject(:ip_denylist_) { settings.ip_denylist = ['192.192.1.1'] }
+        it { expect { ip_denylist_ }.to change { settings.ip_denylist }.from(nil).to(['192.192.1.1']) }
+      end
+
+      describe '#user_id_denylist' do
+        subject(:user_id_denylist) { settings.user_id_denylist }
+        it { is_expected.to eq(nil) }
+      end
+
+      describe '#user_id_denylist=' do
+        subject(:user_id_denylist_) { settings.user_id_denylist = ['24528736564812'] }
+        it { expect { user_id_denylist_ }.to change { settings.user_id_denylist }.from(nil).to(['24528736564812']) }
+      end
+
       describe '#[]' do
         describe 'when the integration exists' do
           subject(:get) { settings[integration_name] }