DataDog · anna-git · Oct 2, 2024 · Sep 24, 2024 · Sep 24, 2024 · Sep 30, 2024
@@ -46,20 +46,8 @@ public void ProcessUpdates(ConfigurationStatus configurationStatus, List<RemoteC
 
             if (asmConfig.Actions != null)
             {
-                foreach (var action in asmConfig.Actions)
-                {
-                    if (action.Id is not null)
-                    {
-                        configurationStatus.Actions[action.Id] = action;
-                    }
-                }
-
+                configurationStatus.ActionsByFile[asmConfigName] = asmConfig.Actions;
                 configurationStatus.IncomingUpdateState.WafKeysToApply.Add(ConfigurationStatus.WafActionsKey);
-
-                if (asmConfig.Actions.Length == 0)
-                {
-                    configurationStatus.Actions.Clear();
-                }
             }
         }
     }
@@ -69,11 +57,13 @@ public void ProcessRemovals(ConfigurationStatus configurationStatus, List<Remote
         var removedRulesOverride = false;
         var removedExclusions = false;
         var removedCustomRules = false;
+        var removedActions = false;
         foreach (var configurationPath in removedConfigsForThisProduct)
         {
             removedRulesOverride |= configurationStatus.RulesOverridesByFile.Remove(configurationPath.Path);
             removedExclusions |= configurationStatus.ExclusionsByFile.Remove(configurationPath.Path);
             removedCustomRules |= configurationStatus.CustomRulesByFile.Remove(configurationPath.Path);
+            removedActions |= configurationStatus.ActionsByFile.Remove(configurationPath.Path);
         }
 
         if (removedRulesOverride)
@@ -90,5 +80,10 @@ public void ProcessRemovals(ConfigurationStatus configurationStatus, List<Remote
         {
             configurationStatus.IncomingUpdateState.WafKeysToApply.Add(ConfigurationStatus.WafCustomRulesKey);
         }
+
+        if (removedActions)
+        {
+            configurationStatus.IncomingUpdateState.WafKeysToApply.Add(ConfigurationStatus.WafActionsKey);
+        }
     }
 }
@@ -67,9 +67,9 @@ internal record ConfigurationStatus
 
     internal Dictionary<string, JArray> CustomRulesByFile { get; } = new();
 
-    internal IncomingUpdateStatus IncomingUpdateState { get; } = new();
+    internal Dictionary<string, Action[]> ActionsByFile { get; init; } = new();
 
-    internal IDictionary<string, Action> Actions { get; set; } = new Dictionary<string, Action>();
+    internal IncomingUpdateStatus IncomingUpdateState { get; } = new();
 
     internal static List<RuleData> MergeRuleData(IEnumerable<RuleData> res)
     {
@@ -125,7 +125,8 @@ internal Dictionary<string, object> BuildDictionaryForWafAccordingToIncomingUpda
 
         if (IncomingUpdateState.WafKeysToApply.Contains(WafActionsKey))
         {
-            dictionary.Add(WafActionsKey, Actions.Select(a => a.Value.ToKeyValuePair()).ToArray());
+            var actions = ActionsByFile.SelectMany(x => x.Value).ToList();
+            dictionary.Add(WafActionsKey, actions.Select(r => r.ToKeyValuePair()).ToArray());
         }
 
         if (IncomingUpdateState.WafKeysToApply.Contains(WafCustomRulesKey))

@@ -19,5 +19,5 @@ internal class Action
     [JsonProperty("parameters")]
     public Parameter? Parameters { get; set; }
 
-    public List<KeyValuePair<string, object?>> ToKeyValuePair() => new() { new("type", Type), new("id", Id), new("parameters", Parameters?.ToKeyValuePair()) };
+    public List<KeyValuePair<string, object?>> ToKeyValuePair() => [new("type", Type), new("id", Id), new("parameters", Parameters?.ToKeyValuePair())];
 }
@@ -13,7 +13,7 @@ namespace Datadog.Trace.AppSec.Waf.ReturnTypes.Managed
 {
     internal class UpdateResult
     {
-        internal UpdateResult(DdwafObjectStruct? diagObject, bool success, bool unusableRules = false)
+        private UpdateResult(DdwafObjectStruct? diagObject, bool success, bool unusableRules = false, bool nothingToUpdate = false)
         {
             if (diagObject != null)
             {
@@ -33,12 +33,15 @@ internal UpdateResult(DdwafObjectStruct? diagObject, bool success, bool unusable
 
             Success = success;
             UnusableRules = unusableRules;
+            NothingToUpdate = nothingToUpdate;
         }
 
         internal bool Success { get; }
 
         internal bool UnusableRules { get; }
 
+        public bool NothingToUpdate { get; }
+
         internal ushort? FailedToLoadRules { get; }
 
         /// <summary>
@@ -56,6 +59,12 @@ internal UpdateResult(DdwafObjectStruct? diagObject, bool success, bool unusable
 
         public static UpdateResult FromUnusableRules() => new(null, false, true);
 
+        public static UpdateResult FromNothingToUpdate() => new(null, true, nothingToUpdate: true);
+
         public static UpdateResult FromFailed() => new(null, false);
+
+        public static UpdateResult FromFailed(DdwafObjectStruct diagObj) => new(diagObj, false);
+
+        public static UpdateResult FromSuccess(DdwafObjectStruct diagObj) => new(diagObj, true);
     }
 }
@@ -15,6 +15,7 @@
 using Datadog.Trace.AppSec.Waf.NativeBindings;
 using Datadog.Trace.AppSec.Waf.ReturnTypes.Managed;
 using Datadog.Trace.AppSec.WafEncoding;
+using Datadog.Trace.ExtensionMethods;
 using Datadog.Trace.Logging;
 using Datadog.Trace.Telemetry;
 
@@ -146,7 +147,7 @@ private unsafe UpdateResult UpdateWafAndDispose(IEncodeResult updateData)
                         _wafHandle = newHandle;
                         _wafLocker.ExitWriteLock();
                         _wafLibraryInvoker.Destroy(oldHandle);
-                        return new(diagnosticsValue, true);
+                        return UpdateResult.FromSuccess(diagnosticsValue);
                     }
 
                     _wafLibraryInvoker.Destroy(newHandle);
@@ -158,7 +159,7 @@ private unsafe UpdateResult UpdateWafAndDispose(IEncodeResult updateData)
             }
             finally
             {
-                res ??= new(diagnosticsValue, false);
+                res ??= UpdateResult.FromFailed(diagnosticsValue);
                 _wafLibraryInvoker.ObjectFree(ref diagnosticsValue);
                 updateData.Dispose();
             }
@@ -169,6 +170,12 @@ private unsafe UpdateResult UpdateWafAndDispose(IEncodeResult updateData)
         public UpdateResult UpdateWafFromConfigurationStatus(ConfigurationStatus configurationStatus)
         {
             var dic = configurationStatus.BuildDictionaryForWafAccordingToIncomingUpdate();
+            if (dic.IsEmpty())
+            {
+                Log.Warning("A waf update came from remote configuration but final merged dictionary for waf is empty, no update will be performed.");
+                return UpdateResult.FromNothingToUpdate();
+            }
+
             return Update(dic);
         }
 

@@ -20,20 +20,20 @@ namespace Datadog.Trace.Security.Unit.Tests;
 public class ActionChangeTests : WafLibraryRequiredTest
 {
     [Theory]
-    [InlineData("dummy_rule", "test-dummy-rule", "rasp-rule-set.json", "block", BlockingAction.BlockRequestType, 500)]
-    [InlineData("dummyrule2", "test-dummy-rule2", "rasp-rule-set.json", "customblock", BlockingAction.BlockRequestType, 500)]
-    // Redirect status code is restricted in newer versions of the WAF to 301, 302, 303, 307
-    [InlineData("dummyrule2", "test-dummy-rule2", "rasp-rule-set.json", "customblock", BlockingAction.RedirectRequestType, 303)]
-    [InlineData("dummy_rule", "test-dummy-rule", "rasp-rule-set.json", "block", BlockingAction.RedirectRequestType, 303)]
-    public void GivenADummyRule_WhenActionReturnCodeIsChanged_ThenChangesAreApplied(string paramValue, string rule, string ruleFile, string action, string actionType, int newStatus)
+    [InlineData("dummy_rule", "test-dummy-rule", "block", BlockingAction.BlockRequestType, 500)]
+    [InlineData("dummyrule2", "test-dummy-rule2", "customblock", BlockingAction.BlockRequestType, 500)]
+    // Redirect status code is restricted in newer versions of the waf to 301, 302, 303, 307
+    [InlineData("dummyrule2", "test-dummy-rule2", "customblock", BlockingAction.RedirectRequestType, 303)]
+    [InlineData("dummy_rule", "test-dummy-rule", "block", BlockingAction.RedirectRequestType, 303)]
+    public void GivenADummyRule_WhenActionReturnCodeIsChanged_ThenChangesAreApplied(string paramValue, string rule, string action, string actionType, int newStatus)
     {
         var args = CreateArgs(paramValue);
         var initResult = Waf.Create(
             WafLibraryInvoker,
             string.Empty,
             string.Empty,
             useUnsafeEncoder: true,
-            embeddedRulesetPath: ruleFile);
+            embeddedRulesetPath: "rasp-rule-set.json");
 
         var waf = initResult.Waf;
         waf.Should().NotBeNull();
@@ -44,13 +44,9 @@ public void GivenADummyRule_WhenActionReturnCodeIsChanged_ThenChangesAreApplied(
         var jsonString = JsonConvert.SerializeObject(result.Data);
         var resultData = JsonConvert.DeserializeObject<WafMatch[]>(jsonString).FirstOrDefault();
         resultData.Rule.Id.Should().Be(rule);
-
-        ConfigurationStatus configurationStatus = new(string.Empty);
         var newAction = CreateNewStatusAction(action, actionType, newStatus);
-        configurationStatus.Actions[action] = newAction;
-        configurationStatus.IncomingUpdateState.WafKeysToApply.Add(ConfigurationStatus.WafActionsKey);
-        var res = waf.UpdateWafFromConfigurationStatus(configurationStatus);
-        res.Success.Should().BeTrue();
+        UpdateWafWithActions([newAction], waf);
+
         using var contextNew = waf.CreateContext();
         result = contextNew.Run(args, TimeoutMicroSeconds);
         result.Timeout.Should().BeFalse("Timeout should be false");
@@ -65,62 +61,41 @@ public void GivenADummyRule_WhenActionReturnCodeIsChanged_ThenChangesAreApplied(
         }
     }
 
-    [Theory]
-    [InlineData("dummyrule2", "rasp-rule-set.json", "customblock", BlockingAction.BlockRequestType)]
-    public void GivenADummyRule_WhenActionReturnCodeIsChangedAfterInit_ThenChangesAreApplied(string paramValue, string ruleFile, string action, string actionType)
+    [Fact]
+    public void GivenADummyRule_WhenActionReturnCodeIsChangedAfterInit_ThenChangesAreApplied()
     {
-        var args = CreateArgs(paramValue);
+        var args = CreateArgs("dummyrule2");
         var initResult = Waf.Create(
             WafLibraryInvoker,
             string.Empty,
             string.Empty,
             useUnsafeEncoder: true,
-            embeddedRulesetPath: ruleFile);
+            embeddedRulesetPath: "rasp-rule-set.json");
 
         var waf = initResult.Waf;
         waf.Should().NotBeNull();
 
-        UpdateAction(action, actionType, waf);
+        UpdateWafWithActions([CreateNewStatusAction("customblock", BlockingAction.BlockRequestType, 500)], waf);
 
         using var context = waf.CreateContext();
         var result = context.Run(args, TimeoutMicroSeconds);
         result.Timeout.Should().BeFalse("Timeout should be false");
         result.BlockInfo["status_code"].Should().Be("500");
     }
 
-    private Dictionary<string, object> CreateArgs(string requestParam)
-    {
-        return new Dictionary<string, object>
-        {
-            { AddressesConstants.RequestUriRaw, "http://localhost:54587/" },
-            { AddressesConstants.RequestBody, new[] { "param", requestParam } },
-            { AddressesConstants.RequestMethod, "GET" }
-        };
-    }
+    private Dictionary<string, object> CreateArgs(string requestParam) => new() { { AddressesConstants.RequestUriRaw, "http://localhost:54587/" }, { AddressesConstants.RequestBody, new[] { "param", requestParam } }, { AddressesConstants.RequestMethod, "GET" } };
 
-    private void UpdateAction(string action, string actionType, Waf waf)
+    private void UpdateWafWithActions(Action[] actions, Waf waf)
     {
-        ConfigurationStatus configurationStatus = new(string.Empty);
-        var newAction = new Action();
-        newAction.Id = action;
-        newAction.Type = actionType;
-        newAction.Parameters = new AppSec.Rcm.Models.Asm.Parameter();
-        newAction.Parameters.StatusCode = 500;
-        newAction.Parameters.Type = "auto";
-        configurationStatus.Actions[action] = newAction;
+        ConfigurationStatus configurationStatus = new(string.Empty) { ActionsByFile = { ["file"] = actions } };
         configurationStatus.IncomingUpdateState.WafKeysToApply.Add(ConfigurationStatus.WafActionsKey);
         var res = waf.UpdateWafFromConfigurationStatus(configurationStatus);
         res.Success.Should().BeTrue();
     }
 
     private Action CreateNewStatusAction(string action, string actionType, int newStatus)
     {
-        var newAction = new Action();
-        newAction.Id = action;
-        newAction.Type = actionType;
-        newAction.Parameters = new AppSec.Rcm.Models.Asm.Parameter();
-        newAction.Parameters.StatusCode = newStatus;
-        newAction.Parameters.Type = "auto";
+        var newAction = new Action { Id = action, Type = actionType, Parameters = new AppSec.Rcm.Models.Asm.Parameter { StatusCode = newStatus, Type = "auto" } };
 
         if (newAction.Type == BlockingAction.RedirectRequestType)
         {

@@ -64,7 +64,7 @@ public void GivenALfiRule_WhenActionReturnCodeIsChanged_ThenChangesAreApplied(st
 
         ConfigurationStatus configurationStatus = new(string.Empty);
         var newAction = CreateNewStatusAction(action, actionType, 500);
-        configurationStatus.Actions[action] = newAction;
+        configurationStatus.ActionsByFile[action] = [newAction];
         configurationStatus.IncomingUpdateState.WafKeysToApply.Add(ConfigurationStatus.WafActionsKey);
         var res = waf.UpdateWafFromConfigurationStatus(configurationStatus);
         res.Success.Should().BeTrue();