use DataDog/go-libddwaf#44

DataDog · Nov 14, 2023 · afcb76e · afcb76e
1 parent 76ef1f3
commit afcb76e
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 39 deletions.
diff --git a/go.mod b/go.mod
@@ -9,7 +9,7 @@ require (
 	github.com/DataDog/datadog-agent/pkg/obfuscate v0.48.0
 	github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.48.1
 	github.com/DataDog/datadog-go/v5 v5.3.0
-	github.com/DataDog/go-libddwaf v1.7.1-0.20231108160842-f4a695824ff1
+	github.com/DataDog/go-libddwaf v1.7.1-0.20231109130850-65b7c618f4c6
 	github.com/DataDog/gostackparse v0.7.0
 	github.com/DataDog/sketches-go v1.4.2
 	github.com/IBM/sarama v1.40.0

diff --git a/go.sum b/go.sum
@@ -624,8 +624,6 @@ github.com/AzureAD/microsoft-authentication-library-for-go v0.5.1/go.mod h1:Vt9s
 github.com/AzureAD/microsoft-authentication-library-for-go v0.8.1/go.mod h1:4qFor3D/HDsvBME35Xy9rwW9DecL+M2sNw1ybjPtwA0=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/DataDog/appsec-internal-go v1.0.1 h1:j60HUtXEQ2uRIm8SsNnLp1Ummx/EU8iV9IFvEYmSdUM=
-github.com/DataDog/appsec-internal-go v1.0.1/go.mod h1:+Y+4klVWKPOnZx6XESG7QHydOaUGEXyH2j/vSg9JiNM=
 github.com/DataDog/appsec-internal-go v1.0.2-0.20231108170133-ede7803cc86f h1:FXvVgTMcZiUOCxrbXmAopdLRl0qskz80+otQvqDhESk=
 github.com/DataDog/appsec-internal-go v1.0.2-0.20231108170133-ede7803cc86f/go.mod h1:+Y+4klVWKPOnZx6XESG7QHydOaUGEXyH2j/vSg9JiNM=
 github.com/DataDog/datadog-agent/pkg/obfuscate v0.48.0 h1:bUMSNsw1iofWiju9yc1f+kBd33E3hMJtq9GuU602Iy8=
@@ -635,8 +633,8 @@ github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.48.1/go.mod h1:Vc+snp
 github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
 github.com/DataDog/datadog-go/v5 v5.3.0 h1:2q2qjFOb3RwAZNU+ez27ZVDwErJv5/VpbBPprz7Z+s8=
 github.com/DataDog/datadog-go/v5 v5.3.0/go.mod h1:XRDJk1pTc00gm+ZDiBKsjh7oOOtJfYfglVCmFb8C2+Q=
-github.com/DataDog/go-libddwaf v1.7.1-0.20231108160842-f4a695824ff1 h1:3yNgmZQJV8rjnG/sZsjBXNPC+6n1oiZsyJGW9avrRuM=
-github.com/DataDog/go-libddwaf v1.7.1-0.20231108160842-f4a695824ff1/go.mod h1:0YGwA9Q3PfORLEETvd+zE4+3XcCN9MOtCBUAawGwll4=
+github.com/DataDog/go-libddwaf v1.7.1-0.20231109130850-65b7c618f4c6 h1:bxMJ7yCkDNBhQ3YT7YTQKsNsIpKNhELJbUPw0UkLPOY=
+github.com/DataDog/go-libddwaf v1.7.1-0.20231109130850-65b7c618f4c6/go.mod h1:0YGwA9Q3PfORLEETvd+zE4+3XcCN9MOtCBUAawGwll4=
 github.com/DataDog/go-tuf v1.0.2-0.5.2 h1:EeZr937eKAWPxJ26IykAdWA4A0jQXJgkhUjqEI/w7+I=
 github.com/DataDog/go-tuf v1.0.2-0.5.2/go.mod h1:zBcq6f654iVqmkk8n2Cx81E1JnNTMOAx1UEO/wZR+P0=
 github.com/DataDog/gostackparse v0.7.0 h1:i7dLkXHvYzHV308hnkvVGDL3BR4FWl7IsXNPz/IGQh4=

diff --git a/internal/appsec/remoteconfig.go b/internal/appsec/remoteconfig.go
@@ -18,7 +18,6 @@ import (
 	"gopkg.in/DataDog/dd-trace-go.v1/internal/remoteconfig"
 
 	rc "github.com/DataDog/datadog-agent/pkg/remoteconfig/state"
-	waf "github.com/DataDog/go-libddwaf"
 )
 
 func genApplyStatus(ack bool, err error) rc.ApplyStatus {
@@ -165,37 +164,11 @@ func (a *appsec) onRCRulesUpdate(updates map[string]remoteconfig.ProductUpdate)
 		for k := range statuses {
 			statuses[k] = genApplyStatus(true, err)
 		}
-	} else {
-		wafDiags := a.wafHandle.Diagnostics()
-		for field, entry := range map[string]*waf.DiagnosticEntry{
-			"rules":           wafDiags.Rules,
-			"custom_rules":    wafDiags.CustomRules,
-			"exclusions":      wafDiags.Exclusions,
-			"rules_overrides": wafDiags.RulesOverrides,
-			"rules_data":      wafDiags.RulesData,
-			"processors":      wafDiags.Processors,
-			"scanners":        wafDiags.Scanners,
-		} {
-			if entry == nil {
-				continue
-			}
-			if entry.Error != "" {
-				for k := range statuses {
-					statuses[k] = genApplyStatus(true, fmt.Errorf("the WAF rejected invalid %s: %s", field, entry.Error))
-				}
-				break // We are reporting failure, bail out now...
-			}
-			if len(entry.Failed) > 0 {
-				for k := range statuses {
-					statuses[k] = genApplyStatus(true, fmt.Errorf("the WAF failed to load some %s: %#v", field, entry.Failed))
-				}
-				break // We are reporting failure, bail out now...
-			}
-		}
-
-		// Replace the rulesManager with the new one holding the new state
-		a.cfg.rulesManager = r
+		return statuses
 	}
+	// Replace the rulesManager with the new one holding the new state
+	a.cfg.rulesManager = r
+
 	return statuses
 }
 

diff --git a/internal/appsec/remoteconfig_test.go b/internal/appsec/remoteconfig_test.go
@@ -633,7 +633,7 @@ func TestOnRCUpdateStatuses(t *testing.T) {
 		{
 			name:     "single/error",
 			updates:  craftRCUpdates(map[string]rulesFragment{"invalid": invalidOverrides}),
-			expected: map[string]rc.ApplyStatus{"invalid": genApplyStatus(true, errors.New("the WAF rejected invalid rules_overrides: bad cast, expected 'map', obtained 'float'"))},
+			expected: map[string]rc.ApplyStatus{"invalid": genApplyStatus(true, errors.New(`the WAF reported a top-level error: in "rules_override": bad cast, expected 'map', obtained 'float'`))},
 		},
 		{
 			name:     "multiple/ack",
@@ -644,8 +644,8 @@ func TestOnRCUpdateStatuses(t *testing.T) {
 			name:    "multiple/single-error",
 			updates: craftRCUpdates(map[string]rulesFragment{"overrides": overrides, "invalid": invalidOverrides}),
 			expected: map[string]rc.ApplyStatus{
-				"overrides": genApplyStatus(true, errors.New("the WAF rejected invalid rules_overrides: bad cast, expected 'map', obtained 'float'")),
-				"invalid":   genApplyStatus(true, errors.New("the WAF rejected invalid rules_overrides: bad cast, expected 'map', obtained 'float'")),
+				"overrides": genApplyStatus(true, errors.New(`the WAF reported a top-level error: in "rules_override": bad cast, expected 'map', obtained 'float'`)),
+				"invalid":   genApplyStatus(true, errors.New(`the WAF reported a top-level error: in "rules_override": bad cast, expected 'map', obtained 'float'`)),
 			},
 		},
 		{