[APPSEC-8112] Appsec allow to set user id denylist #2612

Merged (5 commits, Feb 13, 2023)
4 changes: 4 additions & 0 deletions lib/datadog/appsec/configuration.rb
@@ -40,6 +40,10 @@ def ip_denylist=(value)
options[:ip_denylist] = value
end

def user_id_denylist=(value)
options[:user_id_denylist] = value
Contributor: Wondering if we should rather resolve to a default here:

Suggested change
options[:user_id_denylist] = value
options[:user_id_denylist] = value || []

Member Author: I like that. That way the setting of sane defaults happens at the right layer 😄

Member Author (@GustavoCaso, Feb 13, 2023): @lloeki I actually changed the location in which we return the default empty array. Rather than on the setter, I returned an empty array at the time of reading the value of client_ip_denylist or user_id_denylist if nothing has been configured.

Check 296b62b

end

# in microseconds
def waf_timeout=(value)
options[:waf_timeout] = value
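Review bot: `user_id_denylist=` (like `ip_denylist=` above it) stores `value` untouched with no type check, while sig/datadog/appsec/configuration.rbs promises `::Array[::String]`. A caller passing a single string (`c.user_id_denylist = 'user3'`) is accepted here and only fails later, when `Processor#denylist_data` calls `denylist.map` on a String during WAF initialization. Consider coercing in the setter (`options[:user_id_denylist] = Array(value)`) or raising on a non-Array so the mistake surfaces at configuration time, where the message can name the setting, rather than as a NoMethodError while AppSec is starting.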
9 changes: 8 additions & 1 deletion lib/datadog/appsec/configuration/settings.rb
@@ -139,7 +139,14 @@ def ruleset
# is very useful for testing. It may change at any point in time.
def ip_denylist
# Cast for Steep
_ = @options[:ip_denylist]
_ = @options[:ip_denylist] || []
end

# EXPERIMENTAL: This configurable is not meant to be publicly used, but
# is very useful for testing. It may change at any point in time.
def user_id_denylist
# Cast for Steep
_ = @options[:user_id_denylist] || []
end

def waf_timeout
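Review bot: `@options[:user_id_denylist] || []` hands back a fresh empty Array on every read when nothing is configured, so a caller that mutates the returned value (`settings.user_id_denylist << 'user3'`) silently loses the change on the next read, whereas in the configured case the same Array instance is returned each time. That is fine for a read-side default, but either freeze it (`EMPTY_DENYLIST = [].freeze`) so accidental mutation raises, or state in the method comment that the getter is read-only and the setter is the supported way to change the list. The same hunk also changes `ip_denylist` from returning `nil` to `[]` when unset; the specs cover it, but it is a behaviour change worth a line in the PR description.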
10 changes: 10 additions & 0 deletions lib/datadog/appsec/extensions.rb
@@ -54,6 +54,12 @@ def ip_denylist=(arg)
@settings.merge(dsl)
end

def user_id_denylist=(arg)
dsl = AppSec::Configuration::DSL.new
dsl.user_id_denylist = arg
@settings.merge(dsl)
end

def waf_timeout=(arg)
dsl = AppSec::Configuration::DSL.new
dsl.waf_timeout = arg
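Review bot: style point on `user_id_denylist=`: it repeats the same three-line body as `ip_denylist=` and `waf_timeout=` around it (`dsl = AppSec::Configuration::DSL.new`, one assignment, `@settings.merge(dsl)`), differing only in the attribute name. A small private helper, for example `configure_dsl { |dsl| dsl.user_id_denylist = arg }`, would remove the duplication and make the next setting a one-liner. Not blocking.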
@@ -102,6 +108,10 @@ def ip_denylist
@settings.ip_denylist
end

def user_id_denylist
@settings.user_id_denylist
end

def waf_timeout
@settings.waf_timeout
end
47 changes: 25 additions & 22 deletions lib/datadog/appsec/processor.rb
@@ -44,14 +44,15 @@ def finalize
def initialize
@ruleset_info = nil
@addresses = []
settings = Datadog::AppSec.settings

unless load_libddwaf && load_ruleset && create_waf_handle
unless load_libddwaf && load_ruleset(settings) && create_waf_handle(settings)
Datadog.logger.warn { 'AppSec is disabled, see logged errors above' }

return
end

update_ip_denylist
apply_denylist_data(settings)
end

def ready?
@@ -70,20 +71,6 @@ def toggle_rules(map)
@handle.toggle_rules(map)
end

def update_ip_denylist(denylist = Datadog::AppSec.settings.ip_denylist, id: 'blocked_ips')
denylist ||= []

ruledata_setting = [
{
'id' => id,
'type' => 'data_with_expiration',
'data' => denylist.map { |ip| { 'value' => ip.to_s, 'expiration' => 2**63 } }
}
]

update_rule_data(ruledata_setting)
end

def finalize
@handle.finalize
end
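Review bot: dropping the public `update_ip_denylist` (it is also removed from sig/datadog/appsec/processor.rbs) is an API removal with no replacement. Its successor `apply_denylist_data` is private and is only called from `initialize`, so after this change a denylist can only be applied before the processor is created, and the `id:` parameter that let a caller target a different rule-data id is gone. If the method was always considered internal, say so in the PR description and changelog; otherwise keep a thin public wrapper, e.g. `def update_denylists(settings = Datadog::AppSec.settings); apply_denylist_data(settings); end`, for callers that used it to refresh the list at runtime.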
@@ -94,12 +81,28 @@ def finalize

private

def apply_denylist_data(settings)
ruledata_setting = []
ruledata_setting << denylist_data('blocked_ips', settings.ip_denylist)
ruledata_setting << denylist_data('blocked_users', settings.user_id_denylist)

update_rule_data(ruledata_setting)
end

def denylist_data(id, denylist)
{
'id' => id,
'type' => 'data_with_expiration',
'data' => denylist.map { |v| { 'value' => v.to_s, 'expiration' => 2**63 } }
}
end

def load_libddwaf
Processor.require_libddwaf && Processor.libddwaf_provides_waf?
end

def load_ruleset
ruleset_setting = Datadog::AppSec.settings.ruleset
def load_ruleset(settings)
ruleset_setting = settings.ruleset

begin
@ruleset = case ruleset_setting
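Review bot: `'blocked_ips'` and `'blocked_users'` in `apply_denylist_data` are magic strings that must match the rule-data ids the loaded ruleset's blocking rules reference; a typo here does not raise, the WAF simply receives data that no rule consumes and blocking silently never happens. Pull them into named constants (e.g. `BLOCKED_USERS_DATA_ID = 'blocked_users'`) with a comment about the ruleset coupling, and consider a debug log of how many entries were pushed per id. Also, `denylist_data` calls `denylist.map` directly, so it depends on the settings getters always returning an Array (now guaranteed by the `|| []` defaults in settings.rb), and `v.to_s` quietly accepts Integer user ids even though the RBS signatures only allow Strings.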
@@ -132,13 +135,13 @@ def load_ruleset
end
end

def create_waf_handle
def create_waf_handle(settings)
Contributor: Cool. I think this also makes it more testable

# TODO: this may need to be reset if the main Datadog logging level changes after initialization
Datadog::AppSec::WAF.logger = Datadog.logger if Datadog.logger.debug? && Datadog::AppSec.settings.waf_debug
Datadog::AppSec::WAF.logger = Datadog.logger if Datadog.logger.debug? && settings.waf_debug

obfuscator_config = {
key_regex: Datadog::AppSec.settings.obfuscator_key_regex,
value_regex: Datadog::AppSec.settings.obfuscator_value_regex,
key_regex: settings.obfuscator_key_regex,
value_regex: settings.obfuscator_value_regex,
}
@handle = Datadog::AppSec::WAF::Handle.new(@ruleset, obfuscator: obfuscator_config)
@ruleset_info = @handle.ruleset_info
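Review bot: the TODO above `Datadog::AppSec::WAF.logger = ...` still only mentions the logging level, but now that `settings` is captured once in `initialize` the same caveat applies to `settings.waf_debug` and to the obfuscator regexes, which are all read only at handle creation. Extend the TODO (or the class docs) to state that these values are fixed at `Processor.new` time, so nobody expects a later `Datadog.configure` block to affect a running processor.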
1 change: 1 addition & 0 deletions sig/datadog/appsec/configuration.rbs
@@ -27,6 +27,7 @@ module Datadog
def enabled=: (bool) -> void
def ruleset=: (::Symbol | ::String | ::Hash[::String, untyped] | ::File | ::StringIO) -> void
def ip_denylist=: (::Array[::String]) -> void
def user_id_denylist=: (::Array[::String]) -> void
def waf_timeout=: (::Integer) -> void
def waf_debug=: (bool) -> void
def trace_rate_limit=: (::Integer) -> void
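Review bot: `def user_id_denylist=: (::Array[::String]) -> void` declares String-only entries, but `Processor#denylist_data` stringifies every entry with `v.to_s`, and applications commonly hold user ids as Integers. Either widen the signature to `::Array[::String | ::Integer]` (here, in settings.rbs and in extensions.rbs) or document that ids must be passed as Strings; as written, Steep rejects an Integer list that would work at runtime.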
1 change: 1 addition & 0 deletions sig/datadog/appsec/configuration/settings.rbs
@@ -29,6 +29,7 @@ module Datadog
def enabled: () -> bool
def ruleset: () -> (::Symbol | ::String | ::Hash[::String, untyped] | ::File | ::StringIO)
def ip_denylist: () -> ::Array[::String]
def user_id_denylist: () -> ::Array[::String]
def waf_timeout: () -> ::Integer
def waf_debug: () -> bool
def trace_rate_limit: () -> ::Integer
2 changes: 2 additions & 0 deletions sig/datadog/appsec/extensions.rbs
@@ -19,6 +19,7 @@ module Datadog
def enabled=: (bool arg) -> untyped
def ruleset=: ((::Symbol | ::String | ::Hash[::String, untyped] | ::File | ::StringIO) arg) -> untyped
def ip_denylist=: (::Array[::String] arg) -> untyped
def user_id_denylist=: (::Array[::String] arg) -> untyped
def waf_timeout=: (::Integer arg) -> untyped
def waf_debug=: (bool arg) -> untyped
def trace_rate_limit=: (::Integer arg) -> untyped
Expand All @@ -30,6 +31,7 @@ module Datadog
def enabled: () -> bool
def ruleset: () -> (::Symbol | ::String | ::Hash[::String, untyped] | ::File | ::StringIO)
def ip_denylist: () -> ::Array[::String]
def user_id_denylist: () -> ::Array[::String]
def waf_timeout: () -> ::Integer
def waf_debug: () -> bool
def trace_rate_limit: () -> ::Integer
7 changes: 4 additions & 3 deletions sig/datadog/appsec/processor.rbs
@@ -29,16 +29,17 @@ module Datadog
def new_context: () -> Context
def update_rule_data: (untyped data) -> untyped
def toggle_rules: (untyped map) -> untyped
def update_ip_denylist: (?untyped denylist, ?id: ::String) -> untyped
def finalize: () -> void

attr_reader handle: untyped

private

def apply_denylist_data: (Configuration::Settings settings) -> untyped
def denylist_data: (String id, ::Array[untyped] denylist) -> ::Hash[::String, untyped | "data_with_expiration"]
def load_libddwaf: () -> bool
def load_ruleset: () -> bool
def create_waf_handle: () -> bool
def load_ruleset: (Configuration::Settings settings) -> bool
def create_waf_handle: (Configuration::Settings settings) -> bool

def self.libddwaf_provides_waf?: () -> bool
def self.require_libddwaf: () -> bool
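Review bot: the return type of `denylist_data`, `::Hash[::String, untyped | "data_with_expiration"]`, is effectively just `::Hash[::String, untyped]`: a union containing `untyped` absorbs the literal, so the `"data_with_expiration"` member tells the checker nothing. Simplify it to `::Hash[::String, untyped]`, and write the first parameter as `::String id` for consistency with the other signatures in this file.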
20 changes: 20 additions & 0 deletions spec/datadog/appsec/configuration/settings_spec.rb
@@ -82,6 +82,26 @@
it { expect { trace_rate_limit_ }.to change { settings.trace_rate_limit }.from(100).to(2) }
end

describe '#ip_denylist' do
subject(:ip_denylist) { settings.ip_denylist }
it { is_expected.to eq([]) }
end

describe '#ip_denylist=' do
subject(:ip_denylist_) { settings.merge(dsl.tap { |c| c.ip_denylist = ['192.192.1.1'] }) }
it { expect { ip_denylist_ }.to change { settings.ip_denylist }.from([]).to(['192.192.1.1']) }
end

describe '#user_id_denylist' do
subject(:user_id_denylist) { settings.user_id_denylist }
it { is_expected.to eq([]) }
end

describe '#user_id_denylist=' do
subject(:user_id_denylist_) { settings.merge(dsl.tap { |c| c.user_id_denylist = ['8764937902709'] }) }
it { expect { user_id_denylist_ }.to change { settings.user_id_denylist }.from([]).to(['8764937902709']) }
end

describe '#obfuscator_key_regex' do
subject(:obfuscator_key_regex) { settings.obfuscator_key_regex }
it { is_expected.to include('token') }
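Review bot: the new `#user_id_denylist=` example only exercises the configured path. The discussion on configuration.rb says the empty-Array default is now applied when reading an unset value, so add a case that merges `dsl.tap { |c| c.user_id_denylist = nil }` and expects `settings.user_id_denylist` to still equal `[]`; without it the `|| []` fallback in settings.rb is only covered by the `is_expected.to eq([])` default check, which never goes through the setter. The same applies to `#ip_denylist=`.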
20 changes: 20 additions & 0 deletions spec/datadog/appsec/extensions_spec.rb
@@ -103,6 +103,26 @@
it { expect { trace_rate_limit_ }.to change { settings.trace_rate_limit }.from(100).to(2) }
end

describe '#ip_denylist' do
subject(:ip_denylist) { settings.ip_denylist }
it { is_expected.to eq([]) }
end

describe '#ip_denylist=' do
subject(:ip_denylist_) { settings.ip_denylist = ['192.192.1.1'] }
it { expect { ip_denylist_ }.to change { settings.ip_denylist }.from([]).to(['192.192.1.1']) }
end

describe '#user_id_denylist' do
subject(:user_id_denylist) { settings.user_id_denylist }
it { is_expected.to eq([]) }
end

describe '#user_id_denylist=' do
subject(:user_id_denylist_) { settings.user_id_denylist = ['24528736564812'] }
it { expect { user_id_denylist_ }.to change { settings.user_id_denylist }.from([]).to(['24528736564812']) }
end

describe '#[]' do
describe 'when the integration exists' do
subject(:get) { settings[integration_name] }
62 changes: 47 additions & 15 deletions spec/datadog/appsec/processor_spec.rb
@@ -83,10 +83,7 @@
end

describe '#load_ruleset' do
before do
allow(Datadog::AppSec.settings).to receive(:ruleset).and_return(ruleset)
end

let(:settings) { Datadog::AppSec.settings }
let(:basic_ruleset) do
{
'version' => '1.0',
@@ -104,14 +101,18 @@
}
end

before do
allow(settings).to receive(:ruleset).and_return(ruleset)
end

context 'when ruleset is :recommended' do
let(:ruleset) { :recommended }

before do
expect(Datadog::AppSec::Assets).to receive(:waf_rules).with(:recommended).and_call_original.twice
end

it { expect(described_class.new.send(:load_ruleset)).to be true }
it { expect(described_class.new.send(:load_ruleset, settings)).to be true }
end

context 'when ruleset is :strict' do
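Review bot: `let(:settings) { Datadog::AppSec.settings }` followed by `allow(settings).to receive(:ruleset)` still stubs the global singleton, so these examples keep the shared-state coupling that passing `settings` into `load_ruleset` was meant to remove. Since the method now takes its settings as an argument, the spec can build an isolated `Datadog::AppSec::Configuration::Settings` (or an `instance_double` of it) with the desired `ruleset` and pass that in, with no `allow` on global state.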
@@ -121,7 +122,7 @@
expect(Datadog::AppSec::Assets).to receive(:waf_rules).with(:strict).and_call_original.twice
end

it { expect(described_class.new.send(:load_ruleset)).to be true }
it { expect(described_class.new.send(:load_ruleset, settings)).to be true }
end

context 'when ruleset is :risky' do
@@ -131,45 +132,46 @@
expect(Datadog::AppSec::Assets).to receive(:waf_rules).with(:recommended).and_call_original.twice
end

it { expect(described_class.new.send(:load_ruleset)).to be true }
it { expect(described_class.new.send(:load_ruleset, settings)).to be true }
end

context 'when ruleset is an existing path' do
let(:ruleset) { "#{__dir__}/../../../lib/datadog/appsec/assets/waf_rules/recommended.json" }

it { expect(described_class.new.send(:load_ruleset)).to be true }
it { expect(described_class.new.send(:load_ruleset, settings)).to be true }
end

context 'when ruleset is a non existing path' do
let(:ruleset) { '/does/not/exist' }

it { expect(described_class.new.send(:load_ruleset)).to be false }
it { expect(described_class.new.send(:load_ruleset, settings)).to be false }
end

context 'when ruleset is IO-like' do
let(:ruleset) { StringIO.new(JSON.dump(basic_ruleset)) }

it { expect(described_class.new.send(:load_ruleset)).to be true }
it { expect(described_class.new.send(:load_ruleset, settings)).to be true }
end

context 'when ruleset is Ruby' do
let(:ruleset) { basic_ruleset }

it { expect(described_class.new.send(:load_ruleset)).to be true }
it { expect(described_class.new.send(:load_ruleset, settings)).to be true }
end

context 'when ruleset is not parseable' do
let(:ruleset) { StringIO.new('this is not json') }

it { expect(described_class.new.send(:load_ruleset)).to be false }
it { expect(described_class.new.send(:load_ruleset, settings)).to be false }
end
end

describe '#create_waf_handle' do
let(:ruleset) { :recommended }
let(:settings) { Datadog::AppSec.settings }

before do
allow(Datadog::AppSec.settings).to receive(:ruleset).and_return(ruleset)
allow(settings).to receive(:ruleset).and_return(ruleset)
end

context 'when ruleset is default' do
@@ -179,13 +181,13 @@
expect(Datadog::AppSec::Assets).to receive(:waf_rules).with(:recommended).and_call_original
end

it { expect(described_class.new.send(:create_waf_handle)).to be true }
it { expect(described_class.new.send(:create_waf_handle, settings)).to be true }
end

context 'when ruleset is invalid' do
let(:ruleset) { { 'not' => 'valid' } }

it { expect(described_class.new.send(:create_waf_handle)).to be false }
it { expect(described_class.new.send(:create_waf_handle, settings)).to be false }
end
end

@@ -249,6 +251,36 @@
it { is_expected.to_not be_ready }
end

context 'when loading static data rule configuration' do
before do
allow(Datadog::AppSec.settings).to receive(:ip_denylist).and_return(['192.192.1.1'])
allow(Datadog::AppSec.settings).to receive(:user_id_denylist).and_return(['user3'])
end

it 'calls #update_rule_data with the right value' do
expect_any_instance_of(described_class).to receive(:update_rule_data) do |_, args|
expect(args.size).to eq(2)

blocked_ips = args.find { |hash| hash['id'] == 'blocked_ips' }
blocked_users = args.find { |hash| hash['id'] == 'blocked_users' }

expect(blocked_ips).to_not be_nil
expect(blocked_users).to_not be_nil
expect(blocked_ips['type']).to eq('data_with_expiration')
expect(blocked_users['type']).to eq('data_with_expiration')

blocked_ips_data = blocked_ips['data']
blocked_user_data = blocked_users['data']
expect(blocked_ips_data.size).to eq(1)
expect(blocked_user_data.size).to eq(1)
expect(blocked_ips_data[0]['value']).to eq('192.192.1.1')
expect(blocked_user_data[0]['value']).to eq('user3')
end

described_class.new
end
end

context 'when things are OK' do
before do
expect(Datadog::AppSec::Assets).to receive(:waf_rules).with(:recommended).and_call_original
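Review bot: the 'when loading static data rule configuration' example only covers the populated case. Add a companion example that leaves both getters at their `[]` default and asserts that `update_rule_data` still receives two entries whose `'data'` arrays are empty, since that is the path every application without a denylist takes on startup. Two smaller points: it stubs `ip_denylist`/`user_id_denylist` on the global `Datadog::AppSec.settings` with `allow(...)` while the `#load_ruleset` examples above use a `settings` let, so pick one style; and because the `do |_, args|` block replaces the real `update_rule_data`, the example checks the payload shape but never that `@handle` accepts it, so a second example calling `described_class.new.send(:apply_denylist_data, settings)` against a real handle would close that gap.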