merge mess up

Author: sezen-datadog

dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/ddwaf/WAFModuleSpecification.groovy

@@ -53,6 +53,7 @@ import spock.lang.Unroll
 import java.util.concurrent.CountDownLatch
 import java.util.concurrent.atomic.AtomicLong
 
+import static datadog.trace.api.config.AppSecConfig.APPSEC_OBFUSCATION_PARAMETER_KEY_REGEXP
 import static datadog.trace.api.config.AppSecConfig.APPSEC_OBFUSCATION_PARAMETER_VALUE_REGEXP
 import static org.hamcrest.Matchers.hasSize
 
@@ -688,6 +689,31 @@ class WAFModuleSpecification extends DDSpecification {
     wafModule.name == 'ddwaf'
   }
 
+  void 'report waf stats on first span'() {
+    TraceSegment segment = Mock()
+    TraceSegmentPostProcessor pp
+    initialRuleAdd()
+    readyToHandle()
+
+    when:
+    pp = service.traceSegmentPostProcessors.first()
+    pp.processTraceSegment(segment, ctx, [])
+
+    then:
+    1 * segment.setTagTop('_dd.appsec.waf.version', _ as String)
+    1 * segment.setTagTop('_dd.appsec.event_rules.loaded', 117)
+    1 * segment.setTagTop('_dd.appsec.event_rules.error_count', 1)
+    1 * segment.setTagTop('_dd.appsec.event_rules.errors', { it =~ /\{"[^"]+":\["bad rule"\]\}/})
+    1 * segment.setTagTop('asm.keep', true)
+    0 * segment._(*_)
+
+    when:
+    pp.processTraceSegment(segment, ctx, [])
+
+    then:
+    0 * segment._(*_)
+  }
+
   void 'triggers a rule through the user agent header'() {
     initialRuleAdd()
     ChangeableFlow flow = new ChangeableFlow()
@@ -712,7 +738,6 @@ class WAFModuleSpecification extends DDSpecification {
   }
 
   void 'no metrics are set if waf metrics are off'() {
-    setup:
     metrics = null
     injectSysConfig('appsec.waf.metrics', 'false')
     wafModule = new WAFModule() // replace the one created too soon
@@ -736,6 +761,39 @@ class WAFModuleSpecification extends DDSpecification {
     metrics == null
   }
 
+  void 'reports waf metrics'() {
+    setup:
+    TraceSegment segment = Mock()
+    TraceSegmentPostProcessor pp
+    Flow flow = new ChangeableFlow()
+    initialRuleAdd()
+    readyToHandle()
+
+    when:
+    pp = service.traceSegmentPostProcessors[1]
+    dataListener.onDataAvailable(flow, ctx, ATTACK_BUNDLE, gwCtx)
+    ctx.closeWafContext()
+    pp.processTraceSegment(segment, ctx, [])
+
+    then:
+    1 * ctx.getOrCreateWafContext(_, false)
+    1 * ctx.closeWafContext()
+    3 * ctx.getWafMetrics() >> {
+      metrics.with {
+        totalDdwafRunTimeNs = new AtomicLong(1000)
+        totalRunTimeNs = new AtomicLong(2000)
+        truncatedStringTooLongCount = new AtomicLong(0)
+        truncatedListMapTooLargeCount = new AtomicLong(0)
+        truncatedObjectTooDeepCount = new AtomicLong(0)
+        it } }
+
+    1 * segment.setTagTop('_dd.appsec.waf.duration', 1)
+    1 * segment.setTagTop('_dd.appsec.waf.duration_ext', 2)
+    1 * segment.setTagTop('_dd.appsec.event_rules.version', '0.42.0')
+
+    0 * segment._(*_)
+  }
+
   void 'can trigger a nonwafContext waf run'() {
     initialRuleAdd()
     ChangeableFlow flow = new ChangeableFlow()
@@ -756,7 +814,6 @@ class WAFModuleSpecification extends DDSpecification {
   }
 
   void 'reports events'() {
-    setup:
     initialRuleAdd()
     AppSecEvent event
     StackTraceEvent stackTrace
@@ -816,6 +873,27 @@ class WAFModuleSpecification extends DDSpecification {
     event.ruleMatches[0].parameters[0].value == '<Redacted>'
   }
 
+  void 'disabling of key regex'() {
+    injectSysConfig(APPSEC_OBFUSCATION_PARAMETER_KEY_REGEXP, '')
+    initialRuleAdd()
+    readyToHandle()
+    AppSecEvent event
+
+    when:
+    def bundle = MapDataBundle.of(KnownAddresses.HEADERS_NO_COOKIES,
+    new CaseInsensitiveMap<List<String>>(['user-agent': [password: 'Arachni/v0']]))
+    dataListener.onDataAvailable(Stub(ChangeableFlow), ctx, bundle, gwCtx)
+    ctx.closeWafContext()
+
+    then:
+    ctx.reportEvents(_ as Collection<AppSecEvent>) >> { event = it[0].iterator().next() }
+
+    event.ruleMatches[0].parameters[0].address == 'server.request.headers.no_cookies'
+    event.ruleMatches[0].parameters[0].highlight == ['Arachni/v']
+    event.ruleMatches[0].parameters[0].key_path == ['user-agent', 'password']
+    event.ruleMatches[0].parameters[0].value == 'Arachni/v0'
+  }
+
   void 'redaction of values'() {
     injectSysConfig(APPSEC_OBFUSCATION_PARAMETER_VALUE_REGEXP, 'Arachni')
 
@@ -880,21 +958,43 @@ class WAFModuleSpecification extends DDSpecification {
     !flow.blocking
   }
 
-  void 'powerwaf exceptions do not propagate'() {
+  void 'waf exceptions do not propagate'() {
     initialRuleAdd()
+    readyToHandle()
     ChangeableFlow flow = new ChangeableFlow()
     DataBundle db = MapDataBundle.of(KnownAddresses.HEADERS_NO_COOKIES, [get: { null }] as List)
 
     when:
+    dataListener.onDataAvailable(flow, ctx, db, gwCtx)
+
+    then:
+    1 * ctx.getOrCreateWafContext(_, false)
+    2 * ctx.getWafMetrics()
+    1 * ctx.setWafErrors()
+    1 * wafMetricCollector.wafErrorCode(-127)
+    2 * ctx.isWafContextClosed()
+    assert !flow.blocking
+  }
+
+  void 'timeout is honored (waf)'() {
+    injectSysConfig('appsec.waf.timeout', '1')
+    WAFModule.createLimitsObject()
+    initialRuleAdd()
     readyToHandle()
+    DataBundle db = MapDataBundle.of(KnownAddresses.HEADERS_NO_COOKIES,
+    new CaseInsensitiveMap<List<String>>(['user-agent': 'Arachni/v' + ('a' * 4000)]))
+    ChangeableFlow flow = new ChangeableFlow()
+
+    TraceSegment segment = Mock()
+    TraceSegmentPostProcessor pp = service.traceSegmentPostProcessors.last()
+
+    when:
     dataListener.onDataAvailable(flow, ctx, db, gwCtx)
 
     then:
-    1 * ctx.getOrCreateWafContext(_, _)
     assert !flow.blocking
     1 * ctx.isWafContextClosed()
-    1 * ctx.getOrCreateWafContext(_, true, false) >> {
-      wafContext = it[0].openContext() }
+    1 * ctx.getOrCreateWafContext(_, false)
     2 * ctx.getWafMetrics()
     1 * ctx.increaseWafTimeouts()
     0 * _
@@ -912,12 +1012,12 @@ class WAFModuleSpecification extends DDSpecification {
   }
 
   void 'timeout is honored (rasp)'() {
-    setup:
     injectSysConfig('appsec.waf.timeout', '1')
     WAFModule.createLimitsObject()
-    setupWithStubConfigService()
+    initialRuleAdd()
+    readyToHandle()
     DataBundle db = MapDataBundle.of(KnownAddresses.HEADERS_NO_COOKIES,
-      new CaseInsensitiveMap<List<String>>(['user-agent': 'Arachni/v' + ('a' * 4000)]))
+    new CaseInsensitiveMap<List<String>>(['user-agent': 'Arachni/v' + ('a' * 4000)]))
     ChangeableFlow flow = new ChangeableFlow()
 
     TraceSegment segment = Mock()
@@ -929,12 +1029,9 @@ class WAFModuleSpecification extends DDSpecification {
     dataListener.onDataAvailable(flow, ctx, db, gwCtx)
 
     then:
-    ctx.getOrCreateWafContext(_, true) >> {
-      wafContext = it[0].openContext() }
     assert !flow.blocking
     1 * ctx.isWafContextClosed()
-    1 * ctx.getOrCreateWafContext(_, true, true) >> {
-      wafContext = it[0].openContext() }
+    1 * ctx.getOrCreateWafContext(_, true)
     1 * ctx.getRaspMetrics()
     1 * ctx.getRaspMetricsCounter()
     1 * ctx.increaseRaspTimeouts()
@@ -1412,7 +1509,6 @@ class WAFModuleSpecification extends DDSpecification {
   }
 
   void 'honors appsec.trace.rate.limit'() {
-    setup:
     injectSysConfig('dd.appsec.trace.rate.limit', '5')
     def monitoring = Mock(Monitoring)
 
@@ -1579,7 +1675,6 @@ class WAFModuleSpecification extends DDSpecification {
   }
 
   void 'raspRuleSkipped if rasp available and WAF context is closed'() {
-    setup:
     ChangeableFlow flow = Mock()
     GatewayContext gwCtxMock = new GatewayContext(false, RuleType.SQL_INJECTION)
 
@@ -1603,7 +1698,6 @@ class WAFModuleSpecification extends DDSpecification {
   }
 
   void 'test raspErrorCode metric is increased when waf call throws #wafErrorCode '() {
-    setup:
     ChangeableFlow flow = Mock()
     GatewayContext gwCtxMock = new GatewayContext(false, RuleType.SQL_INJECTION)
     WafContext wafContext = Mock()
@@ -1634,7 +1728,6 @@ class WAFModuleSpecification extends DDSpecification {
   }
 
   void 'test wafErrorCode metric is increased when waf  call throws #wafErrorCode '() {
-    setup:
     ChangeableFlow flow = Mock()
     WafContext wafContext = Mock()
 
@@ -1672,11 +1765,11 @@ class WAFModuleSpecification extends DDSpecification {
   }
 
   void 'report waf stats on first span'() {
-    setup:
     TraceSegment segment = Mock()
+    initialRuleAdd()
+    readyToHandle()
 
     when:
-    initialRuleAdd()
     service.traceSegmentPostProcessors.first().processTraceSegment(segment, ctx, [])
 
     then: