stuff

Author: sezen-datadog

dd-java-agent/appsec/src/main/java/com/datadog/appsec/AppSecSystem.java

@@ -72,7 +72,6 @@ private static void doStart(SubscriptionService gw, SharedCommunicationObjects s
       log.debug("In-app WAF initialization failed. See previous log entries");
       return;
     }
-    wafBuilder = new WafBuilder(createWafConfig(config));
     REPLACEABLE_EVENT_PRODUCER = new ReplaceableEventProducerService();
     EventDispatcher eventDispatcher = new EventDispatcher();
     REPLACEABLE_EVENT_PRODUCER.replaceEventProducerService(eventDispatcher);
@@ -94,6 +93,7 @@ private static void doStart(SubscriptionService gw, SharedCommunicationObjects s
     APP_SEC_CONFIG_SERVICE =
         new AppSecConfigServiceImpl(
             config, configurationPoller, () -> reloadSubscriptions(REPLACEABLE_EVENT_PRODUCER));
+    wafBuilder = new WafBuilder(createWafConfig(config));
     APP_SEC_CONFIG_SERVICE.init(wafBuilder);
 
     sco.createRemaining(config);
@@ -113,7 +113,7 @@ private static void doStart(SubscriptionService gw, SharedCommunicationObjects s
 
     setActive(appSecEnabledConfig == ProductActivation.FULLY_ENABLED);
 
-    APP_SEC_CONFIG_SERVICE.maybeSubscribeConfigPolling(AppSecSystem.wafBuilder);
+    APP_SEC_CONFIG_SERVICE.maybeSubscribeConfigPolling(wafBuilder);
 
     Blocking.setBlockingService(new BlockingServiceImpl(REPLACEABLE_EVENT_PRODUCER));
 

dd-java-agent/appsec/src/main/java/com/datadog/appsec/config/AppSecConfigServiceImpl.java

@@ -174,8 +174,8 @@ private void subscribeRulesAndData(WafBuilder wafBuilder) {
             } catch (InvalidRuleSetException e) {
               throw new RuntimeException(e);
             }
-            this.currentAppSecConfig.dirtyStatus.data = true;
           }
+          this.currentAppSecConfig.dirtyStatus.data = true;
         });
     this.configurationPoller.addListener(
         Product.ASM,

dd-java-agent/appsec/src/main/java/com/datadog/appsec/config/AppSecDataDeserializer.java

@@ -28,8 +28,19 @@ public AppSecData deserialize(byte[] content) throws IOException {
   @SuppressWarnings("unchecked")
   private AppSecData deserialize(InputStream is) throws IOException {
     AppSecData appSecData = ADAPTER.fromJson(Okio.buffer(Okio.source(is)));
+    is.reset();
     if (appSecData != null && is.available() > 0) {
       appSecData.setRawConfig(MOSHI.adapter(Map.class).fromJson(Okio.buffer(Okio.source(is))));
+      if (appSecData.getRawConfig().containsKey("rules_data")) {
+        appSecData.getRawConfig().put("rules", appSecData.getRawConfig().get("rules_data"));
+        appSecData.getRawConfig().remove("rules_data");
+      }
+      if (appSecData.getRawConfig().containsKey("exclusion_data")) {
+        appSecData
+            .getRawConfig()
+            .put("exclusions", appSecData.getRawConfig().get("exclusion_data"));
+        appSecData.getRawConfig().remove("exclusion_data");
+      }
     }
     return appSecData;
   }

dd-java-agent/appsec/src/main/java/com/datadog/appsec/ddwaf/WAFModule.java

@@ -176,7 +176,6 @@ public void config(AppSecModuleConfigurer appSecConfigService, WafBuilder wafBui
       if (!initialConfig.isPresent()) {
         throw new AppSecModuleActivationException("No initial config for WAF");
       }
-
       try {
         applyConfig(initialConfig.get(), AppSecModuleConfigurer.Reconfiguration.NOOP);
       } catch (AbstractWafException | ClassCastException e) {
@@ -200,7 +199,9 @@ private void applyConfig(Object config_, AppSecModuleConfigurer.Reconfiguration
 
     boolean success = false;
     boolean init = ctxAndAddresses.get() == null;
-    config.dirtyStatus.markAllDirty();
+    if (init) {
+      config.dirtyStatus.markAllDirty();
+    }
     try {
       success = initOrUpdateWafBuilder(config, reconf);
     } catch (Exception e) {
@@ -278,6 +279,7 @@ private boolean initOrUpdateWafBuilder(
       this.statsReporter.rulesVersion = initReport.rulesetVersion;
     } catch (InvalidRuleSetException irse) {
       initReport = irse.ruleSetInfo;
+      log.info(irse.getMessage());
       throw new AppSecModuleActivationException("Error creating WAF rules", irse);
     } catch (RuntimeException | AbstractWafException e) {
       throw new AppSecModuleActivationException("Error creating WAF rules", e);

dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/AppSecSystemSpecification.groovy

@@ -1,6 +1,8 @@
 package com.datadog.appsec
 
 import com.datadog.appsec.config.AppSecConfig
+import com.datadog.appsec.config.CurrentAppSecConfig
+import com.datadog.appsec.ddwaf.WafInitialization
 import com.datadog.appsec.event.EventProducerService
 import com.datadog.appsec.gateway.AppSecRequestContext
 import com.datadog.appsec.report.AppSecEvent
@@ -102,6 +104,7 @@ class AppSecSystemSpecification extends DDSpecification {
   }
 
   void 'updating configuration replaces the EventProducer'() {
+    WafInitialization.ONLINE
     ConfigurationChangesTypedListener<AppSecConfig> savedAsmListener
     ConfigurationEndListener savedConfEndListener
 
@@ -118,7 +121,7 @@ class AppSecSystemSpecification extends DDSpecification {
     }
 
     when:
-    savedAsmListener.accept('ignored config key',
+    savedAsmListener.accept(CurrentAppSecConfig.DEFAULT_KEY,
       AppSecConfig.valueOf([version: '2.1', rules: [
           [
             id: 'foo',

dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/config/AppSecConfigServiceImplSpecification.groovy

@@ -232,7 +232,7 @@ class AppSecConfigServiceImplSpecification extends DDSpecification {
 
     when:
     listeners.savedFeaturesListener.accept(
-      'ignored config key',
+      CurrentAppSecConfig.DEFAULT_KEY,
       listeners.savedFeaturesDeserializer.deserialize(
       '{"asm":{"enabled": true}}'.bytes), null)
     listeners.savedConfEndListener.onConfigurationEnd()
@@ -302,7 +302,7 @@ class AppSecConfigServiceImplSpecification extends DDSpecification {
     when:
     // AppSec is INACTIVE - rules should not trigger subscriptions
     listeners.savedConfChangesListener.accept(
-      'ignored config key',
+      CurrentAppSecConfig.DEFAULT_KEY,
       listeners.savedConfDeserializer.deserialize(
       '{"version": "1.0"}'.bytes), null)
 
@@ -311,7 +311,7 @@ class AppSecConfigServiceImplSpecification extends DDSpecification {
 
     when:
     listeners.savedFeaturesListener.accept(
-      'asm_features_activation',
+      CurrentAppSecConfig.DEFAULT_KEY,
       listeners.savedFeaturesDeserializer.deserialize(
       '{"asm":{"enabled": true}}'.bytes), null)
     listeners.savedConfEndListener.onConfigurationEnd()
@@ -323,14 +323,14 @@ class AppSecConfigServiceImplSpecification extends DDSpecification {
     when:
     // AppSec is ACTIVE - rules trigger subscriptions
     listeners.savedConfChangesListener.accept(
-      'ignored config key',
+      CurrentAppSecConfig.DEFAULT_KEY,
       listeners.savedConfDeserializer.deserialize(
       '{"version": "2.0"}'.bytes), null)
     listeners.savedWafDataChangesListener.accept(
-      'ignored config key',
-      listeners.savedWafDataDeserializer.deserialize('{"rules_data":[{"id":"foo","type":"","data":[]}]}'.bytes), null)
+      CurrentAppSecConfig.DEFAULT_KEY,
+      listeners.savedWafDataDeserializer.deserialize('{"rules_data":[{"id":"foo", "conditions": "foo", "type":"","data":[]}]}'.bytes), null)
     listeners.savedWafRulesOverrideListener.accept(
-      'ignored config key',
+      CurrentAppSecConfig.DEFAULT_KEY,
       listeners.savedWafRulesOverrideDeserializer.deserialize('{"rules_override": [{"rules_target":[{"rule_id": "foo"}], "enabled":false}]}'.bytes), null)
     listeners.savedConfEndListener.onConfigurationEnd()