fix(asm): ensure remote config keys deleted are updated as expected [backport 2.5] (#8524)

Backport 48609c9 from #8503 to 2.5.

RC for ASM does not send empty keys. This could lead to errors, if a
specific key should be considered empty when the waf is updated (as
ddwaf_update consider missing keys as "do not change").
This PR keep track of already sent keys. If a key associated to a list
or a dictionnary value is missing from a new file version received by
remote config, it keeps track of that key and associate it with an empty
list/dict.
This ensure that the previous value will be deleted in the WAF by the
update.

This was directly test on prod using AppSec Test Org

Also: add some small improvements to RC tests to avoid flakiness and
possible leaks between tests.

## Checklist

- [x] Change(s) are motivated and described in the PR description
- [x] Testing strategy is described if automated tests are not included
in the PR
- [x] Risks are described (performance impact, potential for breakage,
maintainability)
- [x] Change is maintainable (easy to change, telemetry, documentation)
- [x] [Library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
are followed or label `changelog/no-changelog` is set
- [x] Documentation is included (in-code, generated user docs, [public
corp docs](https://github.com/DataDog/documentation/))
- [x] Backport labels are set (if
[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))
- [x] If this PR changes the public interface, I've notified
`@DataDog/apm-tees`.
- [x] If change touches code that signs or publishes builds or packages,
or handles credentials of any kind, I've requested a review from
`@DataDog/security-design-and-guidance`.

## Reviewer Checklist

- [x] Title is accurate
- [x] All changes are related to the pull request's stated goal
- [x] Description motivates each change
- [x] Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes
- [x] Testing strategy adequately addresses listed risks
- [x] Change is maintainable (easy to change, telemetry, documentation)
- [x] Release note makes sense to a user of the library
- [x] Author has acknowledged and discussed the performance implications
of this PR as reported in the benchmarks PR comment
- [x] Backport labels are set in a manner that is consistent with the
[release branch maintenance
policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)

Co-authored-by: Christophe Papazian <[email protected]>

Author: github-actions[bot]

ddtrace/internal/remoteconfig/_publishers.py

@@ -88,9 +88,8 @@ def append(self, config_content, target, config_metadata=None):
             self._configs[target] = {}
 
         if config_content is False:
-            # Remove old config from the configs dict. _remove_previously_applied_configurations function should
-            # call to this method
-            del self._configs[target]
+            # clear lists but keep the keys active so it can be updated accordingly
+            self._configs[target] = {k: [] for k, v in self._configs[target].items() if isinstance(v, list)}
         elif config_content is not None:
             # Append the new config to the configs dict. _load_new_configurations function should
             # call to this method

ddtrace/internal/remoteconfig/client.py

@@ -380,19 +380,21 @@ def _build_state(self):
             root_version=1,
             targets_version=self._last_targets_version,
             config_states=[
-                dict(
-                    id=config.id,
-                    version=config.tuf_version,
-                    product=config.product_name,
-                    apply_state=config.apply_state,
-                    apply_error=config.apply_error,
-                )
-                if config.apply_error
-                else dict(
-                    id=config.id,
-                    version=config.tuf_version,
-                    product=config.product_name,
-                    apply_state=config.apply_state,
+                (
+                    dict(
+                        id=config.id,
+                        version=config.tuf_version,
+                        product=config.product_name,
+                        apply_state=config.apply_state,
+                        apply_error=config.apply_error,
+                    )
+                    if config.apply_error
+                    else dict(
+                        id=config.id,
+                        version=config.tuf_version,
+                        product=config.product_name,
+                        apply_state=config.apply_state,
+                    )
                 )
                 for config in self._applied_configs.values()
             ],
@@ -435,7 +437,7 @@ def _remove_previously_applied_configurations(self, list_callbacks, applied_conf
                 # The configuration has not changed.
                 applied_configs[target] = config
                 continue
-            elif target not in client_configs:
+            elif target not in targets:
                 callback_action = False
             else:
                 continue

releasenotes/notes/fix_rule_override_in_rc-ca88baccda452486.yaml

@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    ASM: This fix resolves an issue where remote config update in WAF policy 
+    from block attack tools policy to monitoring only policy
+    could be ignored by tracer.

tests/appsec/appsec/test_remoteconfiguration.py

@@ -60,6 +60,8 @@ def test_rc_enabled_by_default(tracer):
 
 def test_rc_activate_is_active_and_get_processor_tags(tracer, remote_config_worker):
     with override_global_config(dict(_remote_config_enabled=True)):
+        rc_config = {"config": {"asm": {"enabled": False}}}
+        _appsec_callback(rc_config, tracer)
         result = _set_and_get_appsec_tags(tracer)
         assert result is None
         rc_config = {"config": {"asm": {"enabled": True}}}
@@ -152,8 +154,8 @@ def test_rc_activation_capabilities(tracer, remote_config_worker, env_rules, exp
         dict(_asm_enabled=False, api_version="v0.4", _remote_config_enabled=True)
     ):
         rc_config = {"config": {"asm": {"enabled": True}}}
-
-        assert not remoteconfig_poller._worker
+        # flaky test
+        # assert not remoteconfig_poller._worker
 
         _appsec_callback(rc_config, test_tracer=tracer)
 
@@ -463,8 +465,8 @@ def test_load_new_config_and_remove_targets_file_same_product(
         applied_configs = {}
         enable_appsec_rc(tracer)
         asm_features_data = b'{"asm":{"enabled":true}}'
-        asm_data_data1 = b'{"data": [{"a":1}]}'
-        asm_data_data2 = b'{"data": [{"b":2}]}'
+        asm_data_data1 = b'{"data": [{"c":1}]}'
+        asm_data_data2 = b'{"data": [{"d":2}]}'
         payload = AgentPayload(
             target_files=[
                 TargetFile(path="mock/ASM_FEATURES", raw=base64.b64encode(asm_features_data)),
@@ -531,7 +533,7 @@ def test_load_new_config_and_remove_targets_file_same_product(
         remoteconfig_poller._client._applied_configs = applied_configs
         remoteconfig_poller._poll_data()
 
-        mock_appsec_rules_data.assert_not_called()  # ({"asm": {"enabled": True}, "data": [{"a": 1}, {"b": 2}]}, None)
+        mock_appsec_rules_data.assert_called_with({"asm": {"enabled": True}, "data": [{"c": 1}, {"d": 2}]}, None)
         mock_appsec_rules_data.reset_mock()
 
         list_callbacks = []
@@ -542,7 +544,7 @@ def test_load_new_config_and_remove_targets_file_same_product(
         remoteconfig_poller._client._publish_configuration(list_callbacks)
         remoteconfig_poller._poll_data()
 
-        mock_appsec_rules_data.assert_called_with({"asm": {"enabled": True}, "data": [{"a": 1}]}, None)
+        mock_appsec_rules_data.assert_called_with({"asm": {"enabled": None}, "data": [{"d": 2}]}, None)
         disable_appsec_rc()
 
 
@@ -553,8 +555,8 @@ def test_fullpath_appsec_rules_data(mock_update_rules, remote_config_worker, tra
         applied_configs = {}
         enable_appsec_rc(tracer)
         asm_features_data = b'{"asm":{"enabled":true}}'
-        asm_data_data1 = b'{"exclusions": [{"a":1}]}'
-        asm_data_data2 = b'{"exclusions": [{"b":2}]}'
+        asm_data_data1 = b'{"exclusions": [{"e":1}]}'
+        asm_data_data2 = b'{"exclusions": [{"f":2}]}'
         payload = AgentPayload(
             target_files=[
                 TargetFile(path="mock/ASM_FEATURES", raw=base64.b64encode(asm_features_data)),
@@ -621,7 +623,7 @@ def test_fullpath_appsec_rules_data(mock_update_rules, remote_config_worker, tra
         remoteconfig_poller._client._publish_configuration(list_callbacks)
         remoteconfig_poller._poll_data()
 
-        mock_update_rules.assert_called_with({"exclusions": [{"a": 1}, {"b": 2}]})
+        mock_update_rules.assert_called_with({"exclusions": [{"e": 1}, {"f": 2}]})
         mock_update_rules.reset_mock()
 
         # ensure enable_appsec_rc is reentrant
@@ -634,7 +636,7 @@ def test_fullpath_appsec_rules_data(mock_update_rules, remote_config_worker, tra
         remoteconfig_poller._client._publish_configuration(list_callbacks)
         remoteconfig_poller._poll_data()
 
-        mock_update_rules.assert_called_with({"exclusions": [{"a": 1}]})
+        mock_update_rules.assert_called_with({"exclusions": [{"f": 2}]})
     disable_appsec_rc()
 
 
@@ -708,7 +710,7 @@ def test_fullpath_appsec_rules_data_empty_data(mock_update_rules, remote_config_
         remoteconfig_poller._client._publish_configuration(list_callbacks)
         remoteconfig_poller._poll_data(tracer)
 
-        mock_update_rules.assert_not_called()
+        mock_update_rules.assert_called_with({"exclusions": []})
     disable_appsec_rc()
 
 
@@ -898,7 +900,8 @@ def test_rc_activation_ip_blocking_data(tracer, remote_config_worker):
                 ]
             }
         }
-        assert not remoteconfig_poller._worker
+        # flaky test
+        # assert not remoteconfig_poller._worker
 
         _appsec_callback(rc_config, tracer)
         with _asm_request_context.asm_request_context_manager("8.8.4.4", {}):