fix(asm): ensure remote config keys deleted are updated as expected [backport 1.20] (#8522)

github-actions[bot] · christophe-papazian · emmettbutler · web-flow · commit 2701dc621978 · 2024-03-05T10:10:05.000-08:00
Backport 48609c9 from #8503 to 1.20. RC for ASM does not send empty keys. This could lead to errors, if a specific key should be considered empty when the waf is updated (as ddwaf_update consider missing keys as "do not change"). This PR keep track of already sent keys. If a key associated to a list or a dictionnary value is missing from a new file version received by remote config, it keeps track of that key and associate it with an empty list/dict. This ensure that the previous value will be deleted in the WAF by the update. This was directly test on prod using AppSec Test Org Also: add some small improvements to RC tests to avoid flakiness and possible leaks between tests. ## Checklist - [x] Change(s) are motivated and described in the PR description - [x] Testing strategy is described if automated tests are not included in the PR - [x] Risks are described (performance impact, potential for breakage, maintainability) - [x] Change is maintainable (easy to change, telemetry, documentation) - [x] [Library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html) are followed or label `changelog/no-changelog` is set - [x] Documentation is included (in-code, generated user docs, [public corp docs](https://github.com/DataDog/documentation/)) - [x] Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)) - [x] If this PR changes the public interface, I've notified `@DataDog/apm-tees`. - [x] If change touches code that signs or publishes builds or packages, or handles credentials of any kind, I've requested a review from `@DataDog/security-design-and-guidance`. ## Reviewer Checklist - [x] Title is accurate - [x] All changes are related to the pull request's stated goal - [x] Description motivates each change - [x] Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes - [x] Testing strategy adequately addresses listed risks - [x] Change is maintainable (easy to change, telemetry, documentation) - [x] Release note makes sense to a user of the library - [x] Author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment - [x] Backport labels are set in a manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting) --------- Co-authored-by: Christophe Papazian <114495376+christophe-papazian@users.noreply.github.com> Co-authored-by: Christophe Papazian <christophe.papazian@datadoghq.com> Co-authored-by: Emmett Butler <emmett.butler321@gmail.com> Co-authored-by: Emmett Butler <723615+emmettbutler@users.noreply.github.com>
diff --git a/.github/workflows/test_frameworks.yml b/.github/workflows/test_frameworks.yml
@@ -302,6 +302,8 @@ jobs:
           python-version: '3.8'
       - name: Install tox
         if: needs.needs-run.outputs.outcome == 'success'
+        run: pip install envier
+        run: pip install "pytest<8.1"
         run: pip install tox
       - name: Create tox env
         if: needs.needs-run.outputs.outcome == 'success'
diff --git a/ddtrace/appsec/_ddwaf/libddwaf/arm64/lib/libddwaf.dylib b/ddtrace/appsec/_ddwaf/libddwaf/arm64/lib/libddwaf.dylib
diff --git a/ddtrace/internal/remoteconfig/_publishers.py b/ddtrace/internal/remoteconfig/_publishers.py
@@ -90,9 +90,8 @@ def append(self, config_content, target, config_metadata=None):
             self._configs[target] = {}
 
         if config_content is False:
-            # Remove old config from the configs dict. _remove_previously_applied_configurations function should
-            # call to this method
-            del self._configs[target]
+            # clear lists but keep the keys active so it can be updated accordingly
+            self._configs[target] = {k: [] for k, v in self._configs[target].items() if isinstance(v, list)}
         elif config_content is not None:
             # Append the new config to the configs dict. _load_new_configurations function should
             # call to this method
diff --git a/ddtrace/internal/remoteconfig/client.py b/ddtrace/internal/remoteconfig/client.py
@@ -355,19 +355,21 @@ def _build_state(self):
             root_version=1,
             targets_version=self._last_targets_version,
             config_states=[
-                dict(
-                    id=config.id,
-                    version=config.tuf_version,
-                    product=config.product_name,
-                    apply_state=config.apply_state,
-                    apply_error=config.apply_error,
-                )
-                if config.apply_error
-                else dict(
-                    id=config.id,
-                    version=config.tuf_version,
-                    product=config.product_name,
-                    apply_state=config.apply_state,
+                (
+                    dict(
+                        id=config.id,
+                        version=config.tuf_version,
+                        product=config.product_name,
+                        apply_state=config.apply_state,
+                        apply_error=config.apply_error,
+                    )
+                    if config.apply_error
+                    else dict(
+                        id=config.id,
+                        version=config.tuf_version,
+                        product=config.product_name,
+                        apply_state=config.apply_state,
+                    )
                 )
                 for config in self._applied_configs.values()
             ],
@@ -410,7 +412,7 @@ def _remove_previously_applied_configurations(self, list_callbacks, applied_conf
                 # The configuration has not changed.
                 applied_configs[target] = config
                 continue
-            elif target not in client_configs:
+            elif target not in targets:
                 callback_action = False
             else:
                 continue
diff --git a/releasenotes/notes/fix_rule_override_in_rc-ca88baccda452486.yaml b/releasenotes/notes/fix_rule_override_in_rc-ca88baccda452486.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    ASM: This fix resolves an issue where remote config update in WAF policy 
+    from block attack tools policy to monitoring only policy
+    could be ignored by tracer.
diff --git a/tests/appsec/test_remoteconfiguration.py b/tests/appsec/test_remoteconfiguration.py
@@ -60,6 +60,8 @@ def test_rc_enabled_by_default(tracer):
 
 def test_rc_activate_is_active_and_get_processor_tags(tracer, remote_config_worker):
     with override_global_config(dict(_remote_config_enabled=True)):
+        rc_config = {"config": {"asm": {"enabled": False}}}
+        _appsec_callback(rc_config, tracer)
         result = _set_and_get_appsec_tags(tracer)
         assert result is None
         rc_config = {"config": {"asm": {"enabled": True}}}
@@ -152,8 +154,8 @@ def test_rc_activation_capabilities(tracer, remote_config_worker, env_rules, exp
         dict(_appsec_enabled=False, api_version="v0.4", _remote_config_enabled=True)
     ):
         rc_config = {"config": {"asm": {"enabled": True}}}
-
-        assert not remoteconfig_poller._worker
+        # flaky test
+        # assert not remoteconfig_poller._worker
 
         _appsec_callback(rc_config, test_tracer=tracer)
 
@@ -450,8 +452,8 @@ def test_load_new_config_and_remove_targets_file_same_product(
         applied_configs = {}
         enable_appsec_rc(tracer)
         asm_features_data = b'{"asm":{"enabled":true}}'
-        asm_data_data1 = b'{"data": [{"a":1}]}'
-        asm_data_data2 = b'{"data": [{"b":2}]}'
+        asm_data_data1 = b'{"data": [{"c":1}]}'
+        asm_data_data2 = b'{"data": [{"d":2}]}'
         payload = AgentPayload(
             target_files=[
                 TargetFile(path="mock/ASM_FEATURES", raw=base64.b64encode(asm_features_data)),
@@ -518,7 +520,7 @@ def test_load_new_config_and_remove_targets_file_same_product(
         remoteconfig_poller._client._applied_configs = applied_configs
         remoteconfig_poller._poll_data()
 
-        mock_appsec_rules_data.assert_not_called()  # ({"asm": {"enabled": True}, "data": [{"a": 1}, {"b": 2}]}, None)
+        mock_appsec_rules_data.assert_called_with({"asm": {"enabled": True}, "data": [{"c": 1}, {"d": 2}]}, None)
         mock_appsec_rules_data.reset_mock()
 
         list_callbacks = []
@@ -529,7 +531,7 @@ def test_load_new_config_and_remove_targets_file_same_product(
         remoteconfig_poller._client._publish_configuration(list_callbacks)
         remoteconfig_poller._poll_data()
 
-        mock_appsec_rules_data.assert_called_with({"asm": {"enabled": True}, "data": [{"a": 1}]}, None)
+        mock_appsec_rules_data.assert_called_with({"asm": {"enabled": None}, "data": [{"d": 2}]}, None)
         disable_appsec_rc()
 
 
@@ -541,8 +543,8 @@ def test_fullpath_appsec_rules_data(mock_update_rules, remote_config_worker, tra
         applied_configs = {}
         enable_appsec_rc(tracer)
         asm_features_data = b'{"asm":{"enabled":true}}'
-        asm_data_data1 = b'{"exclusions": [{"a":1}]}'
-        asm_data_data2 = b'{"exclusions": [{"b":2}]}'
+        asm_data_data1 = b'{"exclusions": [{"e":1}]}'
+        asm_data_data2 = b'{"exclusions": [{"f":2}]}'
         payload = AgentPayload(
             target_files=[
                 TargetFile(path="mock/ASM_FEATURES", raw=base64.b64encode(asm_features_data)),
@@ -609,7 +611,7 @@ def test_fullpath_appsec_rules_data(mock_update_rules, remote_config_worker, tra
         remoteconfig_poller._client._publish_configuration(list_callbacks)
         remoteconfig_poller._poll_data()
 
-        mock_update_rules.assert_called_with({"exclusions": [{"a": 1}, {"b": 2}]})
+        mock_update_rules.assert_called_with({"exclusions": [{"e": 1}, {"f": 2}]})
         mock_update_rules.reset_mock()
 
         # ensure enable_appsec_rc is reentrant
@@ -622,7 +624,7 @@ def test_fullpath_appsec_rules_data(mock_update_rules, remote_config_worker, tra
         remoteconfig_poller._client._publish_configuration(list_callbacks)
         remoteconfig_poller._poll_data()
 
-        mock_update_rules.assert_called_with({"exclusions": [{"a": 1}]})
+        mock_update_rules.assert_called_with({"exclusions": [{"f": 2}]})
     disable_appsec_rc()
 
 
@@ -697,7 +699,7 @@ def test_fullpath_appsec_rules_data_empty_data(mock_update_rules, remote_config_
         remoteconfig_poller._client._publish_configuration(list_callbacks)
         remoteconfig_poller._poll_data(tracer)
 
-        mock_update_rules.assert_not_called()
+        mock_update_rules.assert_called_with({"exclusions": []})
     disable_appsec_rc()
 
 
@@ -887,7 +889,8 @@ def test_rc_activation_ip_blocking_data(tracer, remote_config_worker):
                 ]
             }
         }
-        assert not remoteconfig_poller._worker
+        # flaky test
+        # assert not remoteconfig_poller._worker
 
         _appsec_callback(rc_config, tracer)
         with _asm_request_context.asm_request_context_manager("8.8.4.4", {}):
