add ddwaf_update bindings API (#24)

eliottness · web-flow · commit 639a62c6f1d6 · 2023-08-03T17:24:34.000+02:00
* Add low-level bindings for `ddwaf_update`
* Add high-level `(*Handle) Update(ruleset any) (*Handle, error)`
* Add Test for the high level API (please request more if needed)

Signed-off-by: Eliott Bouhana &lt;eliott.bouhana@datadoghq.com&gt;
diff --git a/handle.go b/handle.go
@@ -103,6 +103,43 @@ func (handle *Handle) Addresses() []string {
 	return wafLib.wafRequiredAddresses(handle.cHandle)
 }
 
+// Update the ruleset of a WAF instance into a new handle on its own
+// the previous handle still needs to be closed manually
+func (handle *Handle) Update(newRules any) (*Handle, error) {
+
+	encoder := newMaxEncoder()
+	obj, err := encoder.Encode(newRules)
+	if err != nil {
+		return nil, fmt.Errorf("could not encode the WAF ruleset into a WAF object: %w", err)
+	}
+
+	cRulesetInfo := new(wafRulesetInfo)
+
+	cHandle := wafLib.wafUpdate(handle.cHandle, obj, cRulesetInfo)
+	keepAlive(encoder.cgoRefs)
+	if cHandle == 0 {
+		return nil, errors.New("could not update the WAF instance")
+	}
+
+	defer wafLib.wafRulesetInfoFree(cRulesetInfo)
+
+	errorsMap, err := decodeErrors(&cRulesetInfo.errors)
+	if err != nil { // Something is very wrong
+		return nil, fmt.Errorf("could not decode the WAF ruleset errors: %w", err)
+	}
+
+	return &Handle{
+		cHandle:    cHandle,
+		refCounter: atomic.NewInt32(1), // We count the handle itself in the counter
+		rulesetInfo: RulesetInfo{
+			Loaded:  cRulesetInfo.loaded,
+			Failed:  cRulesetInfo.failed,
+			Errors:  errorsMap,
+			Version: gostring(cast[byte](cRulesetInfo.version)),
+		},
+	}, nil
+}
+
 // closeContext calls ddwaf_context_destroy and eventually ddwaf_destroy on the handle
 func (handle *Handle) closeContext(context *Context) {
 	wafLib.wafContextDestroy(context.cContext)
diff --git a/waf_dl.go b/waf_dl.go
@@ -21,6 +21,7 @@ type wafDl struct {
 
 	Ddwaf_ruleset_info_free  uintptr `dlsym:"ddwaf_ruleset_info_free"`
 	Ddwaf_init               uintptr `dlsym:"ddwaf_init"`
+	Ddwaf_update             uintptr `dlsym:"ddwaf_update"`
 	Ddwaf_destroy            uintptr `dlsym:"ddwaf_destroy"`
 	Ddwaf_required_addresses uintptr `dlsym:"ddwaf_required_addresses"`
 	Ddwaf_get_version        uintptr `dlsym:"ddwaf_get_version"`
@@ -99,14 +100,21 @@ func (waf *wafDl) wafGetVersion() string {
 	return gostring(cast[byte](waf.syscall(waf.Ddwaf_get_version)))
 }
 
-func (waf *wafDl) wafInit(obj *wafObject, config *wafConfig, info *wafRulesetInfo) wafHandle {
-	handle := wafHandle(waf.syscall(waf.Ddwaf_init, ptrToUintptr(obj), ptrToUintptr(config), ptrToUintptr(info)))
-	keepAlive(obj)
+func (waf *wafDl) wafInit(ruleset *wafObject, config *wafConfig, info *wafRulesetInfo) wafHandle {
+	handle := wafHandle(waf.syscall(waf.Ddwaf_init, ptrToUintptr(ruleset), ptrToUintptr(config), ptrToUintptr(info)))
+	keepAlive(ruleset)
 	keepAlive(config)
 	keepAlive(info)
 	return handle
 }
 
+func (waf *wafDl) wafUpdate(handle wafHandle, ruleset *wafObject, info *wafRulesetInfo) wafHandle {
+	newHandle := wafHandle(waf.syscall(waf.Ddwaf_update, uintptr(handle), ptrToUintptr(ruleset), ptrToUintptr(info)))
+	keepAlive(ruleset)
+	keepAlive(info)
+	return newHandle
+}
+
 func (waf *wafDl) wafRulesetInfoFree(info *wafRulesetInfo) {
 	waf.syscall(waf.Ddwaf_ruleset_info_free, ptrToUintptr(info))
 	keepAlive(info)
diff --git a/waf_dl_unsupported.go b/waf_dl_unsupported.go
@@ -22,6 +22,10 @@ func (waf *wafDl) wafInit(obj *wafObject, config *wafConfig, info *wafRulesetInf
 	return 0
 }
 
+func (waf *wafDl) wafUpdate(handle wafHandle, ruleset *wafObject, info *wafRulesetInfo) wafHandle {
+	return 0
+}
+
 func (waf *wafDl) wafRulesetInfoFree(info *wafRulesetInfo) {
 }
 
diff --git a/waf_test.go b/waf_test.go
@@ -89,6 +89,34 @@ var testArachniRuleTmpl = template.Must(template.New("").Parse(`
 }
 `))
 
+// Test with a valid JSON but invalid rule format (field "events" should be an array)
+const malformedRule = `
+{
+  "version": "2.1",
+  "events": [
+	{
+	  "id": "ua0-600-12x",
+	  "name": "Arachni",
+	  "tags": {
+		"type": "security_scanner"
+	  },
+	  "conditions": [
+		{
+		  "operation": "match_regex",
+		  "parameters": {
+			"inputs": [
+			  { "address": "server.request.headers.no_cookies" }
+			],
+			"regex": "^Arachni"
+		  }
+		}
+	  ],
+	  "transformers": []
+	}
+  ]
+}
+`
+
 type ruleInput struct {
 	Address string
 	KeyPath []string
@@ -124,43 +152,85 @@ func TestNewWAF(t *testing.T) {
 	})
 
 	t.Run("invalid-rule", func(t *testing.T) {
-		// Test with a valid JSON but invalid rule format (field events should be an array)
-		const rule = `
-{
-  "version": "2.1",
-  "events": [
-	{
-	  "id": "ua0-600-12x",
-	  "name": "Arachni",
-	  "tags": {
-		"type": "security_scanner"
-	  },
-	  "conditions": [
-		{
-		  "operation": "match_regex",
-		  "parameters": {
-			"inputs": [
-			  { "address": "server.request.headers.no_cookies" }
-			],
-			"regex": "^Arachni"
-		  }
-		}
-	  ],
-	  "transformers": []
-	}
-  ]
-}
-`
 		var parsed any
 
-		require.NoError(t, json.Unmarshal([]byte(rule), &parsed))
+		require.NoError(t, json.Unmarshal([]byte(malformedRule), &parsed))
 
 		waf, err := newDefaultHandle(parsed)
 		require.Error(t, err)
 		require.Nil(t, waf)
 	})
 }
 
+func TestUpdateWAF(t *testing.T) {
+
+	t.Run("valid-rule", func(t *testing.T) {
+		waf, err := newDefaultHandle(testArachniRule)
+		require.NoError(t, err)
+		require.NotNil(t, waf)
+		defer waf.Close()
+
+		waf2, err := waf.Update(newArachniTestRule([]ruleInput{{Address: "my.input"}}, nil))
+		require.NoError(t, err)
+		require.NotNil(t, waf2)
+		defer waf2.Close()
+	})
+
+	t.Run("changes", func(t *testing.T) {
+		waf, err := newDefaultHandle(newArachniTestRule([]ruleInput{{Address: "my.input"}}, nil))
+		require.NoError(t, err)
+		require.NotNil(t, waf)
+		defer waf.Close()
+
+		wafCtx := NewContext(waf)
+		defer wafCtx.Close()
+
+		// Matches
+		values := map[string]interface{}{
+			"my.input": "Arachni",
+		}
+		matches, actions, err := wafCtx.Run(values, time.Second)
+		require.NoError(t, err)
+		require.NotEmpty(t, matches)
+		require.Nil(t, actions)
+
+		// Update
+		waf2, err := waf.Update(newArachniTestRule([]ruleInput{{Address: "my.input"}}, []string{"block"}))
+		require.NoError(t, err)
+		require.NotNil(t, waf2)
+		defer waf2.Close()
+
+		wafCtx2 := NewContext(waf2)
+		defer wafCtx2.Close()
+
+		// Matches & Block
+		values = map[string]interface{}{
+			"my.input": "Arachni",
+		}
+		matches, actions, err = wafCtx2.Run(values, time.Second)
+		require.NoError(t, err)
+		require.NotEmpty(t, matches)
+		require.NotEmpty(t, actions)
+
+	})
+
+	t.Run("invalid-rule", func(t *testing.T) {
+
+		waf, err := newDefaultHandle(testArachniRule)
+		require.NoError(t, err)
+		require.NotNil(t, waf)
+		defer waf.Close()
+
+		var parsed any
+
+		require.NoError(t, json.Unmarshal([]byte(malformedRule), &parsed))
+
+		waf2, err := waf.Update(parsed)
+		require.Error(t, err)
+		require.Nil(t, waf2)
+	})
+}
+
 func TestMatching(t *testing.T) {
 
 	waf, err := newDefaultHandle(newArachniTestRule([]ruleInput{{Address: "my.input"}}, nil))

Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,10 @@ func (waf wafDl) wafInit(obj wafObject, config wafConfig, info wafRulesetInf`
`22`	`22`	`return 0`
`23`	`23`	`}`
`24`	`24`
	`25`	`+func (waf wafDl) wafUpdate(handle wafHandle, ruleset wafObject, info *wafRulesetInfo) wafHandle {`
	`26`	`+ return 0`
	`27`	`+}`
	`28`	`+`
`25`	`29`	`func (waf wafDl) wafRulesetInfoFree(info wafRulesetInfo) {`
`26`	`30`	`}`
`27`	`31`