helper: refactor ffi resolution; wait for sidecar in telemetry

Author: cataphract

appsec/.clang-tidy

@@ -1,7 +1,7 @@
 ---
 # readability-function-cognitive-complexity temporarily disabled until clang-tidy is fixed
 # right now emalloc causes it to misbehave
-Checks:          '*,-bugprone-reserved-identifier,-hicpp-signed-bitwise,-llvmlibc-restrict-system-libc-headers,-altera-unroll-loops,-hicpp-named-parameter,-cert-dcl37-c,-cert-dcl51-cpp,-read,-cppcoreguidelines-init-variables,-cppcoreguidelines-avoid-non-const-global-variables,-altera-id-dependent-backward-branch,-performance-no-int-to-ptr,-altera-struct-pack-align,-google-readability-casting,-modernize-use-trailing-return-type,-llvmlibc-implementation-in-namespace,-llvmlibc-callee-namespace,-cppcoreguidelines-pro-bounds-pointer-arithmetic,-fuchsia-default-arguments-declarations,-fuchsia-overloaded-operator,-cppcoreguidelines-pro-type-union-access,-fuchsia-default-arguments-calls,-cppcoreguidelines-non-private-member-variables-in-classes,-misc-non-private-member-variables-in-classes,-google-readability-todo,-llvm-header-guard,-readability-function-cognitive-complexity,-readability-identifier-length,-modernize-macro-to-enum,-misc-include-cleaner,-bugprone-empty-catch,-cppcoreguidelines-avoid-do-while,-hicpp-no-array-decay,-llvmlibc-*'
+Checks:          '*,-bugprone-reserved-identifier,-hicpp-signed-bitwise,-llvmlibc-restrict-system-libc-headers,-altera-unroll-loops,-hicpp-named-parameter,-cert-dcl37-c,-cert-dcl51-cpp,-read,-cppcoreguidelines-init-variables,-cppcoreguidelines-avoid-non-const-global-variables,-altera-id-dependent-backward-branch,-performance-no-int-to-ptr,-altera-struct-pack-align,-google-readability-casting,-modernize-use-trailing-return-type,-llvmlibc-implementation-in-namespace,-llvmlibc-callee-namespace,-cppcoreguidelines-pro-bounds-pointer-arithmetic,-fuchsia-default-arguments-declarations,-fuchsia-overloaded-operator,-cppcoreguidelines-pro-type-union-access,-fuchsia-default-arguments-calls,-cppcoreguidelines-non-private-member-variables-in-classes,-misc-non-private-member-variables-in-classes,-google-readability-todo,-llvm-header-guard,-readability-function-cognitive-complexity,-readability-identifier-length,-modernize-macro-to-enum,-misc-include-cleaner,-bugprone-empty-catch,-cppcoreguidelines-avoid-do-while,-hicpp-no-array-decay,-hicpp-avoid-c-arrays,-modernize-avoid-c-arrays,-hicpp-no-reinterpret-cast,-llvmlibc-*'
 WarningsAsErrors: '*'
 HeaderFilterRegex: ''
 CheckOptions:

appsec/src/helper/ffi.hpp

@@ -0,0 +1,108 @@
+#include <array>
+#include <atomic>
+#include <concepts>
+#include <cstddef>
+#include <functional>
+#include <stdexcept>
+#include <string>
+#include <type_traits>
+#include <utility>
+
+extern "C" {
+#include <dlfcn.h>
+// push -Wno-nested-anon-types and -Wno-gnu-anonymous-struct on clang
+#if defined(__clang__)
+#    pragma clang diagnostic push
+#    pragma clang diagnostic ignored "-Wnested-anon-types"
+#    pragma clang diagnostic ignored "-Wgnu-anonymous-struct"
+#endif
+#include <sidecar.h>
+#if defined(__clang__)
+#    pragma clang diagnostic pop
+#endif
+}
+
+#define SIDECAR_FFI_SYMBOL(symbol_name)                                        \
+    namespace dds::ffi {                                                       \
+    constinit inline ::dds::ffi::sidecar_function<decltype((symbol_name)),     \
+        ::dds::ffi::fixed_string{#symbol_name}>                                \
+        symbol_name = {} /* NOLINT(misc-use-internal-linkage,                  \
+                              cert-err58-cpp) */                               \
+    ;                                                                          \
+    } // namespace ::dds::ffi
+
+namespace dds::ffi {
+
+template <std::size_t N> struct fixed_string {
+    std::array<char, N> value{};
+
+    // NOLINTNEXTLINE(cppcoreguidelines-avoid-c-arrays)
+    explicit consteval fixed_string(const char (&str)[N])
+    {
+        for (std::size_t i = 0; i < N; i++) { value.at(i) = str[i]; }
+    }
+
+    [[nodiscard]] constexpr const char *c_str() const { return value.data(); }
+};
+
+template <typename Func, auto SymbolName>
+    requires std::is_function_v<std::remove_reference_t<Func>>
+class sidecar_function {
+public:
+    using function_type = std::remove_reference_t<Func>;
+
+    constexpr sidecar_function() noexcept = default;
+
+    template <typename... Args>
+        requires std::invocable<std::remove_reference_t<Func> *, Args...>
+    decltype(auto) operator()(Args &&...args) const
+    {
+        resolve();
+        return std::invoke(get_fn(), std::forward<Args>(args)...);
+    }
+
+    [[nodiscard]] function_type *get_fn() const { return resolve(); }
+
+private:
+    static function_type *failed_sentinel() noexcept
+    {
+        // NOLINTNEXTLINE(cppcoreguidelines-pro-type-reinterpret-cast)
+        return reinterpret_cast<function_type *>(
+            static_cast<std::uintptr_t>(-1));
+    }
+
+    mutable std::atomic<function_type *> resolved_fn_{nullptr};
+
+    function_type *resolve() const
+    {
+        function_type *fn = resolved_fn_.load(std::memory_order_relaxed);
+        if (fn == failed_sentinel()) {
+            throw std::runtime_error{
+                std::string{"Failed to resolve symbol: "} + SymbolName.c_str()};
+        }
+        if (fn != nullptr) {
+            return fn;
+        }
+
+        void *found = dlsym(RTLD_DEFAULT, SymbolName.c_str());
+        if (found == nullptr) {
+            fn = failed_sentinel();
+        } else {
+            // NOLINTNEXTLINE(cppcoreguidelines-pro-type-reinterpret-cast)
+            fn = reinterpret_cast<function_type *>(found);
+        }
+
+        (void)resolved_fn_.store(fn, std::memory_order_relaxed);
+
+        return fn;
+    }
+};
+
+} // namespace dds::ffi
+
+namespace dds {
+inline std::string_view to_sv(ddog_CharSlice &slice) noexcept
+{
+    return std::string_view{slice.ptr, static_cast<std::size_t>(slice.len)};
+}
+} // namespace dds

appsec/src/helper/main.cpp

@@ -187,10 +187,6 @@ int appsec_helper_main_impl()
         return 1;
     }
 
-    dds::remote_config::resolve_symbols();
-    dds::runner::resolve_symbols();
-    dds::service::resolve_symbols();
-
     auto runner = std::make_shared<dds::runner>(config, interrupted);
     SPDLOG_INFO("starting runner on new thread");
 

appsec/src/helper/remote_config/client.cpp

@@ -3,7 +3,9 @@
 //
 // This product includes software developed at Datadog
 // (https://www.datadoghq.com/). Copyright 2021 Datadog, Inc.
+
 #include "client.hpp"
+#include "../ffi.hpp"
 #include "product.hpp"
 #include <set>
 #include <spdlog/spdlog.h>
@@ -14,16 +16,11 @@ extern "C" {
 #include <dlfcn.h>
 }
 
+SIDECAR_FFI_SYMBOL(ddog_remote_config_reader_for_path);
+SIDECAR_FFI_SYMBOL(ddog_remote_config_read);
+SIDECAR_FFI_SYMBOL(ddog_remote_config_reader_drop);
+
 namespace {
-struct ddog_CharSlice { // NOLINT(readability-identifier-naming)
-    const char *ptr;
-    uintptr_t len;
-};
-ddog_RemoteConfigReader *(*ddog_remote_config_reader_for_path)(
-    const char *path);
-bool (*ddog_remote_config_read)(
-    ddog_RemoteConfigReader *reader, ddog_CharSlice *data);
-void (*ddog_remote_config_reader_drop)(struct ddog_RemoteConfigReader *);
 
 bool sets_are_indentical_for_subbed_products(
     const std::unordered_set<dds::remote_config::product> &products,
@@ -48,40 +45,12 @@ bool sets_are_indentical_for_subbed_products(
 
 namespace dds::remote_config {
 
-void resolve_symbols()
-{
-    ddog_remote_config_reader_for_path =
-        // NOLINTNEXTLINE
-        reinterpret_cast<decltype(ddog_remote_config_reader_for_path)>(
-            dlsym(RTLD_DEFAULT, "ddog_remote_config_reader_for_path"));
-    if (ddog_remote_config_reader_for_path == nullptr) {
-        throw std::runtime_error{
-            "Failed to resolve ddog_remote_config_reader_for_path"};
-    }
-
-    ddog_remote_config_read =
-        // NOLINTNEXTLINE
-        reinterpret_cast<decltype(ddog_remote_config_read)>(
-            dlsym(RTLD_DEFAULT, "ddog_remote_config_read"));
-    if (ddog_remote_config_read == nullptr) {
-        throw std::runtime_error{"Failed to resolve ddog_remote_config_read"};
-    }
-
-    ddog_remote_config_reader_drop =
-        // NOLINTNEXTLINE
-        reinterpret_cast<decltype(ddog_remote_config_reader_drop)>(
-            dlsym(RTLD_DEFAULT, "ddog_remote_config_reader_drop"));
-    if (ddog_remote_config_reader_drop == nullptr) {
-        throw std::runtime_error{
-            "Failed to resolve ddog_remote_config_reader_drop"};
-    }
-}
-
 client::client(remote_config::settings settings,
     std::vector<std::shared_ptr<listener_base>> listeners,
     std::shared_ptr<telemetry::telemetry_submitter> msubmitter)
-    : reader_{ddog_remote_config_reader_for_path(settings.shmem_path.c_str()),
-          ddog_remote_config_reader_drop},
+    : reader_{ffi::ddog_remote_config_reader_for_path(
+                  settings.shmem_path.c_str()),
+          ffi::ddog_remote_config_reader_drop.get_fn()},
       settings_{std::move(settings)}, listeners_{std::move(listeners)},
       msubmitter_{std::move(msubmitter)}
 {
@@ -113,7 +82,7 @@ bool client::poll()
     SPDLOG_DEBUG("Polling remote config");
 
     ddog_CharSlice slice{};
-    const bool has_update = ddog_remote_config_read(reader_.get(), &slice);
+    const bool has_update = ffi::ddog_remote_config_read(reader_.get(), &slice);
     if (!has_update) {
         SPDLOG_DEBUG("No update available for {}", settings_.shmem_path);
         return false;

appsec/src/helper/remote_config/client.hpp

@@ -21,8 +21,6 @@ struct ddog_RemoteConfigReader;
 
 namespace dds::remote_config {
 
-void resolve_symbols();
-
 struct config_path {
     static config_path from_path(const std::string &path);
 

appsec/src/helper/runner.cpp

@@ -6,27 +6,27 @@
 #include "runner.hpp"
 
 #include "client.hpp"
+#include "ffi.hpp"
+#include <chrono>
 #include <csignal>
-#include <cstdio>
 #include <spdlog/spdlog.h>
 #include <stdexcept>
 #include <sys/stat.h>
+#include <thread>
 
 extern "C" {
+#include <common.h>
 #include <dlfcn.h>
 }
 
-namespace {
-struct ConfigInvariants;
-struct Arc_Target;
-
 using in_proc_notify_fn = void (*)(
-    const ConfigInvariants *invariants, const Arc_Target *target);
+    const ddog_ConfigInvariants *invariants, const ddog_Arc_Target *target);
 
-void (*ddog_set_rc_notify_fn)(in_proc_notify_fn notify_fn);
-char *(*ddog_remote_config_path)(const ConfigInvariants *, const Arc_Target *);
-void (*ddog_remote_config_path_free)(char *);
-} // namespace
+extern "C" void ddog_set_rc_notify_fn(in_proc_notify_fn notify_fn);
+
+SIDECAR_FFI_SYMBOL(ddog_set_rc_notify_fn);
+SIDECAR_FFI_SYMBOL(ddog_remote_config_path);
+SIDECAR_FFI_SYMBOL(ddog_remote_config_path_free);
 
 namespace dds {
 
@@ -109,31 +109,25 @@ void runner::register_for_rc_notifications()
     SPDLOG_INFO("Register RC update callback");
     std::atomic_store(&runner::RUNNER_FOR_NOTIFICATIONS, shared_from_this());
 
-    ddog_set_rc_notify_fn(
-        [](const ConfigInvariants *invariants, const Arc_Target *target) {
-            char *path = ddog_remote_config_path(invariants, target);
-
-            if (path == nullptr) {
-                // NOLINTNEXTLINE(bugprone-lambda-function-name)
-                SPDLOG_ERROR("Failed to get remote config path");
-                return;
-            }
-
-            const std::shared_ptr<runner> runner =
-                std::atomic_load(&RUNNER_FOR_NOTIFICATIONS);
-            if (!runner) {
-                // NOLINTNEXTLINE(bugprone-lambda-function-name)
-                SPDLOG_WARN("No runner to notify of remote config updates");
-                ddog_remote_config_path_free(path);
-                return;
-            }
+    ffi::ddog_set_rc_notify_fn([](const ddog_ConfigInvariants *invariants,
+                                   const ddog_Arc_Target *target) {
+        char *path = ffi::ddog_remote_config_path(invariants, target);
 
+        const std::shared_ptr<runner> runner =
+            std::atomic_load(&RUNNER_FOR_NOTIFICATIONS);
+        if (!runner) {
             // NOLINTNEXTLINE(bugprone-lambda-function-name)
-            SPDLOG_INFO("Remote config updated notification for {}", path);
-            // TODO: move the updates to a separate thread
-            runner->service_manager_->notify_of_rc_updates(path);
-            ddog_remote_config_path_free(path);
-        });
+            SPDLOG_WARN("No runner to notify of remote config updates");
+            ffi::ddog_remote_config_path_free(path);
+            return;
+        }
+
+        // NOLINTNEXTLINE(bugprone-lambda-function-name)
+        SPDLOG_INFO("Remote config updated notification for {}", path);
+        // TODO: move the updates to a separate thread
+        runner->service_manager_->notify_of_rc_updates(path);
+        ffi::ddog_remote_config_path_free(path);
+    });
 }
 
 void runner::unregister_for_rc_notifications()
@@ -189,31 +183,4 @@ void runner::run()
     SPDLOG_INFO("Pool stopped");
 }
 
-void runner::resolve_symbols()
-{
-    // NOLINTNEXTLINE
-    ddog_set_rc_notify_fn = reinterpret_cast<decltype(ddog_set_rc_notify_fn)>(
-        dlsym(RTLD_DEFAULT, "ddog_set_rc_notify_fn"));
-    if (ddog_set_rc_notify_fn == nullptr) {
-        throw std::runtime_error{"Failed to resolve ddog_set_rc_notify_fn"};
-    }
-
-    ddog_remote_config_path =
-        // NOLINTNEXTLINE
-        reinterpret_cast<decltype(ddog_remote_config_path)>(
-            dlsym(RTLD_DEFAULT, "ddog_remote_config_path"));
-    if (ddog_remote_config_path == nullptr) {
-        throw std::runtime_error{"Failed to resolve ddog_remote_config_path"};
-    }
-
-    ddog_remote_config_path_free =
-        // NOLINTNEXTLINE
-        reinterpret_cast<decltype(ddog_remote_config_path_free)>(
-            dlsym(RTLD_DEFAULT, "ddog_remote_config_path_free"));
-    if (ddog_remote_config_path_free == nullptr) {
-        throw std::runtime_error{
-            "Failed to resolve ddog_remote_config_path_free"};
-    }
-}
-
 } // namespace dds

appsec/src/helper/runner.hpp

@@ -25,8 +25,6 @@ class runner : public std::enable_shared_from_this<runner> {
     runner &operator=(runner &&) = delete;
     ~runner() = default;
 
-    static void resolve_symbols();
-
     void run() noexcept(false);
 
     void register_for_rc_notifications();