send to RC and telemetry logs

Author: sezen-datadog

dd-java-agent/appsec/build.gradle

@@ -11,6 +11,7 @@ apply from: "$rootDir/gradle/java.gradle"
 apply from: "$rootDir/gradle/version.gradle"
 
 dependencies {
+  api project(':remote-config:remote-config-core')
   api libs.slf4j
   implementation project(':internal-api')
   implementation project(':communication')

dd-java-agent/appsec/src/main/java/com/datadog/appsec/config/AppSecConfigServiceImpl.java

@@ -21,6 +21,7 @@
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_TRUSTED_IPS;
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_USER_BLOCKING;
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ENDPOINT_FINGERPRINT;
+import static datadog.trace.logging.LogLevel.ERROR;
 
 import com.datadog.appsec.AppSecModule;
 import com.datadog.appsec.AppSecSystem;
@@ -47,6 +48,7 @@
 import datadog.trace.api.Config;
 import datadog.trace.api.ProductActivation;
 import datadog.trace.api.UserIdCollectionMode;
+import datadog.trace.api.telemetry.LogCollector;
 import java.io.ByteArrayInputStream;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
@@ -60,8 +62,6 @@
 import java.util.Map;
 import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
-
-import datadog.trace.api.telemetry.LogCollector;
 import okio.Okio;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -101,6 +101,10 @@ public class AppSecConfigServiceImpl implements AppSecConfigService {
   private final String DEFAULT_WAF_CONFIG_RULE = "DEFAULT_WAF_CONFIG";
   private String currentRuleVersion;
   private List<AppSecModule> modulesToUpdateVersionIn;
+  private final LogCollector telemetryLogger = LogCollector.get();
+
+  Moshi moshi = new Moshi.Builder().build();
+  JsonAdapter<Map> mapToJsonAdapter;
 
   public AppSecConfigServiceImpl(
       Config tracerConfig,
@@ -113,6 +117,7 @@ public AppSecConfigServiceImpl(
     if (tracerConfig.isAppSecWafMetrics()) {
       traceSegmentPostProcessors.add(statsReporter);
     }
+    mapToJsonAdapter = moshi.adapter(Map.class);
   }
 
   private void subscribeConfigurationPoller() {
@@ -156,11 +161,11 @@ private void subscribeConfigurationPoller() {
   }
 
   private void subscribeRulesAndData() {
-    this.configurationPoller.addListener(Product.ASM_DD, new AsmDDTypedListener());
+    this.configurationPoller.addListener(Product.ASM_DD, new AsmDDTypedListener(Product.ASM_DD));
     this.configurationPoller.addListener(
-        Product.ASM_DATA, new AppSecConfigConfigurationChangesTypedListener());
+        Product.ASM_DATA, new AppSecConfigConfigurationChangesTypedListener(Product.ASM_DATA));
     this.configurationPoller.addListener(
-        Product.ASM, new AppSecConfigConfigurationChangesTypedListener());
+        Product.ASM, new AppSecConfigConfigurationChangesTypedListener(Product.ASM));
   }
 
   public void modulesToUpdateVersionIn(List<AppSecModule> modules) {
@@ -172,6 +177,12 @@ public String getCurrentRuleVersion() {
   }
 
   private class AppSecConfigConfigurationChangesTypedListener implements ProductListener {
+    private Product productType;
+
+    public AppSecConfigConfigurationChangesTypedListener(Product product) {
+      this.productType = product;
+    }
+
     @Override
     public void accept(ConfigKey configKey, byte[] content, PollingRateHinter pollingRateHinter)
         throws IOException {
@@ -189,7 +200,7 @@ public void accept(ConfigKey configKey, byte[] content, PollingRateHinter pollin
         Map<String, Object> contentMap =
             ADAPTER.fromJson(Okio.buffer(Okio.source(new ByteArrayInputStream(content))));
         try {
-          handleWafUpdateResultReport(configKey.toString(), contentMap);
+          handleWafUpdateResultReport(configKey.toString(), contentMap, productType);
         } catch (AppSecModule.AppSecModuleActivationException e) {
           throw new RuntimeException(e);
         }
@@ -209,6 +220,10 @@ public void commit(PollingRateHinter pollingRateHinter) {
   }
 
   private class AsmDDTypedListener extends AppSecConfigConfigurationChangesTypedListener {
+    public AsmDDTypedListener(Product product) {
+      super(product);
+    }
+
     @Override
     public void accept(ConfigKey configKey, byte[] content, PollingRateHinter pollingRateHinter)
         throws IOException {
@@ -222,7 +237,11 @@ public void accept(ConfigKey configKey, byte[] content, PollingRateHinter pollin
         defaultConfigActivated = false;
       }
       super.accept(configKey, content, pollingRateHinter);
-      usedDDWafConfigKeys.add(configKey.toString());
+      if (content == null) {
+        usedDDWafConfigKeys.remove(configKey.toString());
+      } else {
+        usedDDWafConfigKeys.add(configKey.toString());
+      }
     }
 
     @Override
@@ -233,7 +252,8 @@ public void remove(ConfigKey configKey, PollingRateHinter pollingRateHinter)
     }
   }
 
-  private void handleWafUpdateResultReport(String configKey, Map<String, Object> rawConfig)
+  private void handleWafUpdateResultReport(
+      String configKey, Map<String, Object> rawConfig, Product productType)
       throws AppSecModule.AppSecModuleActivationException {
     wafBuilder = getWafBuilder();
     if (modulesToUpdateVersionIn != null
@@ -247,9 +267,6 @@ private void handleWafUpdateResultReport(String configKey, Map<String, Object> r
         StandardizedLogging.numLoadedRules(log, configKey, countRules(rawConfig));
       }
 
-      // TODO: Send diagnostics via telemetry
-      final LogCollector telemetryLogger = LogCollector.get();
-
       initReporter.setReportForPublication(wafDiagnostics);
       if (wafDiagnostics.rulesetVersion != null
           && !wafDiagnostics.rulesetVersion.isEmpty()
@@ -261,13 +278,17 @@ private void handleWafUpdateResultReport(String configKey, Map<String, Object> r
           modulesToUpdateVersionIn.forEach(module -> module.setRuleVersion(currentRuleVersion));
         }
       }
+      if (wafDiagnostics.getNumConfigError() > 0) {
+        addTelemetryErrorLog(wafDiagnostics);
+      }
     } catch (InvalidRuleSetException e) {
       log.debug(
           "Invalid rule during waf config update for config key {}: {}",
           configKey,
           e.wafDiagnostics);
 
-      // TODO: Propagate diagostics back to remote config apply_error
+      addTelemetryErrorLog(e.wafDiagnostics);
+      sendErrorToRemoteConfig(e.wafDiagnostics, productType);
 
       initReporter.setReportForPublication(e.wafDiagnostics);
       throw new RuntimeException(e);
@@ -277,6 +298,117 @@ private void handleWafUpdateResultReport(String configKey, Map<String, Object> r
     }
   }
 
+  private void sendErrorToRemoteConfig(WafDiagnostics wafDiagnostics, Product productType) {
+    if (wafDiagnostics.rules != null) {
+      getRemoteConfigErrorLogFor("rules", wafDiagnostics.rules.getErrors(), productType);
+    }
+    if (wafDiagnostics.customRules != null) {
+      getRemoteConfigErrorLogFor(
+          "customRules", wafDiagnostics.customRules.getErrors(), productType);
+    }
+    if (wafDiagnostics.rulesData != null) {
+      getRemoteConfigErrorLogFor("rulesData", wafDiagnostics.rulesData.getErrors(), productType);
+    }
+    if (wafDiagnostics.rulesOverride != null) {
+      getRemoteConfigErrorLogFor(
+          "rulesOverride", wafDiagnostics.rulesOverride.getErrors(), productType);
+    }
+    if (wafDiagnostics.exclusions != null) {
+      getRemoteConfigErrorLogFor("exclusions", wafDiagnostics.exclusions.getErrors(), productType);
+    }
+    if (wafDiagnostics.exclusionData != null) {
+      getRemoteConfigErrorLogFor(
+          "exclusionData", wafDiagnostics.exclusionData.getErrors(), productType);
+    }
+    if (wafDiagnostics.actions != null) {
+      getRemoteConfigErrorLogFor("actions", wafDiagnostics.actions.getErrors(), productType);
+    }
+    if (wafDiagnostics.processors != null) {
+      getRemoteConfigErrorLogFor("processors", wafDiagnostics.processors.getErrors(), productType);
+    }
+    if (wafDiagnostics.scanners != null) {
+      getRemoteConfigErrorLogFor("scanners", wafDiagnostics.scanners.getErrors(), productType);
+    }
+  }
+
+  private void getRemoteConfigErrorLogFor(
+      String configType, Map<String, List<String>> errors, Product productType) {
+    if (productType == null) {
+      return; // no need for RC error upon initialization
+    }
+
+    String error = "{";
+    Set<String> messageKeySet = errors.keySet();
+    for (String key : messageKeySet) {
+      error = error + "\"message\": \"" + key + "\" : [";
+      List<String> errorsPerKey = errors.get(key);
+      for (int i = 0; i < errorsPerKey.size(); i++) {
+        error = error + "\"" + errorsPerKey.get(i) + "\"";
+        if (i < errorsPerKey.size() - 1) {
+          error = error + ",";
+        }
+      }
+      error = error + "],";
+
+      error = error + "\"level\": \"ERROR\",";
+
+      error =
+          error
+              + "\"tags\" : {"
+              + "\"log_type\": \"rc::"
+              + productType.name().toLowerCase()
+              + "::diagnostic\""
+              + "\"appsec_config_key\": \""
+              + configType
+              + "\""
+              + "\"rc_config_id\": \"\"}";
+      error = error + "},";
+    }
+
+    error = error.substring(0, error.length() - 1); // remove last comma
+
+    throw new RuntimeException(error);
+  }
+
+  private void addTelemetryErrorLog(WafDiagnostics wafDiagnostics) {
+    if (wafDiagnostics.rules != null) {
+      addTelemetryErrorLogFor("rules", wafDiagnostics.rules.getErrors());
+    }
+    if (wafDiagnostics.customRules != null) {
+      addTelemetryErrorLogFor("customRules", wafDiagnostics.customRules.getErrors());
+    }
+    if (wafDiagnostics.rulesData != null) {
+      addTelemetryErrorLogFor("rulesData", wafDiagnostics.rulesData.getErrors());
+    }
+    if (wafDiagnostics.rulesOverride != null) {
+      addTelemetryErrorLogFor("rulesOverride", wafDiagnostics.rulesOverride.getErrors());
+    }
+    if (wafDiagnostics.exclusions != null) {
+      addTelemetryErrorLogFor("exclusions", wafDiagnostics.exclusions.getErrors());
+    }
+    if (wafDiagnostics.exclusionData != null) {
+      addTelemetryErrorLogFor("exclusionData", wafDiagnostics.exclusionData.getErrors());
+    }
+    if (wafDiagnostics.actions != null) {
+      addTelemetryErrorLogFor("actions", wafDiagnostics.actions.getErrors());
+    }
+    if (wafDiagnostics.processors != null) {
+      addTelemetryErrorLogFor("processors", wafDiagnostics.processors.getErrors());
+    }
+    if (wafDiagnostics.scanners != null) {
+      addTelemetryErrorLogFor("scanners", wafDiagnostics.scanners.getErrors());
+    }
+  }
+
+  private void addTelemetryErrorLogFor(String section, Map<String, List<String>> errors) {
+    if (!errors.isEmpty()) {
+      String error =
+          "{\"" + section + "\" : {\"errors\" :" + mapToJsonAdapter.toJson(errors) + "}}";
+      telemetryLogger.addLogMessage(
+          ERROR.name(), error, new AppSecModule.AppSecModuleActivationException(error));
+    }
+  }
+
   private void subscribeAsmFeatures() {
     this.configurationPoller.addListener(
         Product.ASM_FEATURES,
@@ -348,10 +480,7 @@ public void init() {
       throw new IllegalStateException("Expected default waf config to be available");
     }
     try {
-      handleWafUpdateResultReport(
-          DEFAULT_WAF_CONFIG_RULE,
-          wafConfig,
-          defaultConfigActivated ? DEFAULT_CONFIG_LOCATION : tracerConfig.getAppSecRulesFile());
+      handleWafUpdateResultReport(DEFAULT_WAF_CONFIG_RULE, wafConfig, null);
     } catch (AppSecModule.AppSecModuleActivationException e) {
       throw new RuntimeException(e);
     }

dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/config/AppSecConfigServiceImplSpecification.groovy

@@ -122,7 +122,7 @@ class AppSecConfigServiceImplSpecification extends DDSpecification {
     when:
     appSecConfigService.init()
     then:
-    2 * config.getAppSecRulesFile() >> (p as String)
+    1 * config.getAppSecRulesFile() >> (p as String)
 
     when:
     appSecConfigService.maybeSubscribeConfigPolling()