feat: expose Builder API to manage default recommended ruleset (#131)

Author: RomainMuller

.github/workflows/_test_bare_metal.yml

@@ -28,11 +28,20 @@ jobs:
         run: sudo apt update && sudo apt install -y build-essential
       - name: Install gotestsum
         run: go install gotest.tools/gotestsum@latest
+      - name: Generate a GitHub token
+        id: generate-token
+        uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
+        with:
+          app-id: ${{ vars.DD_K9_LIBRARY_GO_APP_ID }}
+          private-key: ${{ secrets.DD_K9_LIBRARY_GO_APP_PRIVATE_KEY }}
+          owner: DataDog
+          repositories: appsec-event-rules
+          permission-contents: read
       - name: go test
         shell: bash
         run: ./.github/workflows/ci.sh
         env:
           DD_APPSEC_WAF_LOG_LEVEL: ${{ matrix.waf-log-level }}
           # We need a GITHUB_TOKEN in order to access the latest release of the AppSec rules from
           # the DataDog/appsec-rules repository.
-          GITHUB_TOKEN: ${{ secrets.ACCESS_RULES_GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}

builder.go

@@ -11,6 +11,7 @@ import (
 	"runtime"
 
 	"github.com/DataDog/go-libddwaf/v4/internal/bindings"
+	"github.com/DataDog/go-libddwaf/v4/internal/ruleset"
 )
 
 // Builder manages an evolving WAF configuration over time. Its lifecycle is
@@ -20,7 +21,8 @@ import (
 // or similar when sharing it across multiple goroutines. All methods of this
 // type are safe to call with a nil receiver.
 type Builder struct {
-	handle bindings.WAFBuilder
+	handle        bindings.WAFBuilder
+	defaultLoaded bool
 }
 
 // NewBuilder creates a new [Builder] instance. Its lifecycle is typically tied
@@ -58,6 +60,37 @@ var (
 	errBuilderClosed = errors.New("builder has already been closed")
 )
 
+const defaultRecommendedRulesetPath = "::/go-libddwaf/default/recommended.json"
+
+// AddDefaultRecommendedRuleset adds the default recommended ruleset to the
+// receiving [Builder], and returns the [Diagnostics] produced in the process.
+func (b *Builder) AddDefaultRecommendedRuleset() (Diagnostics, error) {
+	var pinner runtime.Pinner
+	defer pinner.Unpin()
+
+	ruleset, err := ruleset.DefaultRuleset(&pinner)
+	if err != nil {
+		return Diagnostics{}, fmt.Errorf("failed to load default recommended ruleset: %w", err)
+	}
+
+	diag, err := b.addOrUpdateConfig(defaultRecommendedRulesetPath, &ruleset)
+	if err == nil {
+		b.defaultLoaded = true
+	}
+	return diag, err
+}
+
+// RemoveDefaultRecommendedRuleset removes the default recommended ruleset from
+// the receiving [Builder]. Returns true if the removal occurred (meaning the
+// default recommended ruleset was indeed present in the builder).
+func (b *Builder) RemoveDefaultRecommendedRuleset() bool {
+	if b.RemoveConfig(defaultRecommendedRulesetPath) {
+		b.defaultLoaded = false
+		return true
+	}
+	return false
+}
+
 // AddOrUpdateConfig adds or updates a configuration fragment to this [Builder].
 // Returns the [Diagnostics] produced by adding or updating this configuration.
 func (b *Builder) AddOrUpdateConfig(path string, fragment any) (Diagnostics, error) {
@@ -82,15 +115,22 @@ func (b *Builder) AddOrUpdateConfig(path string, fragment any) (Diagnostics, err
 		return Diagnostics{}, fmt.Errorf("could not encode the config fragment into a WAF object; %w", err)
 	}
 
+	return b.addOrUpdateConfig(path, frag)
+}
+
+// addOrUpdateConfig adds or updates a configuration fragment to this [Builder].
+// Returns the [Diagnostics] produced by adding or updating this configuration.
+func (b *Builder) addOrUpdateConfig(path string, cfg *bindings.WAFObject) (Diagnostics, error) {
 	var diagnosticsWafObj bindings.WAFObject
 	defer wafLib.ObjectFree(&diagnosticsWafObj)
 
-	res := wafLib.BuilderAddOrUpdateConfig(b.handle, path, frag, &diagnosticsWafObj)
+	res := wafLib.BuilderAddOrUpdateConfig(b.handle, path, cfg, &diagnosticsWafObj)
 
 	var diags Diagnostics
 	if !diagnosticsWafObj.IsInvalid() {
 		// The Diagnostics object will be invalid if the config was completely
 		// rejected.
+		var err error
 		diags, err = decodeDiagnostics(&diagnosticsWafObj)
 		if err != nil {
 			return diags, fmt.Errorf("failed to decode WAF diagnostics: %w", err)

builder_test.go

@@ -46,6 +46,58 @@ func TestBuilder(t *testing.T) {
 		},
 	}
 
+	t.Run("recommended ruleset", func(t *testing.T) {
+		builder, err := NewBuilder("", "")
+		require.NoError(t, err)
+		require.NotNil(t, builder)
+		defer builder.Close()
+
+		// The config is currently empty...
+		require.Equal(t, []string{}, builder.ConfigPaths(""))
+		handle := builder.Build()
+		require.Nil(t, handle)
+
+		// We can add the default recommended ruleset alright...
+		diag, err := builder.AddDefaultRecommendedRuleset()
+		require.NoError(t, err)
+		assert.NotEmpty(t, diag.Version)
+		assert.NotEmpty(t, diag.Rules.Loaded)
+
+		// The default recommended ruleset is now indeed in there...
+		require.Equal(t, []string{defaultRecommendedRulesetPath}, builder.ConfigPaths(""))
+
+		// Adding again is idempotent...
+		diag, err = builder.AddDefaultRecommendedRuleset()
+		require.NoError(t, err)
+		assert.NotEmpty(t, diag.Version)
+		assert.NotEmpty(t, diag.Rules.Loaded)
+		require.Equal(t, []string{defaultRecommendedRulesetPath}, builder.ConfigPaths(""))
+
+		// We can actually build a handle with the default recommended ruleset...
+		hdl := builder.Build()
+		require.NotNil(t, hdl)
+		hdl.Close()
+
+		// And we can remove it...
+		require.True(t, builder.RemoveDefaultRecommendedRuleset())
+		require.Equal(t, []string{}, builder.ConfigPaths(""))
+		hdl = builder.Build()
+		require.Nil(t, hdl)
+
+		// Removing it again is "idempotent" (almost, it returns false)
+		require.False(t, builder.RemoveDefaultRecommendedRuleset())
+		require.Equal(t, []string{}, builder.ConfigPaths(""))
+
+		// Finally, we can add the default recommended ruleset again after deleting it...
+		diag, err = builder.AddDefaultRecommendedRuleset()
+		require.NoError(t, err)
+		assert.NotEmpty(t, diag.Version)
+		assert.NotEmpty(t, diag.Rules.Loaded)
+		hdl = builder.Build()
+		require.NotNil(t, hdl)
+		hdl.Close()
+	})
+
 	t.Run("accepts a valid ruleset", func(t *testing.T) {
 		builder, err := NewBuilder("", "")
 		require.NoError(t, err)

decoder.go

@@ -143,7 +143,11 @@ func decodeStringArray(obj *bindings.WAFObject) ([]string, error) {
 		return nil, waferrors.ErrNilObjectPtr
 	}
 
-	var strArr []string
+	if obj.NbEntries == 0 {
+		return nil, nil
+	}
+
+	strArr := make([]string, 0, obj.NbEntries)
 	for i := uint64(0); i < obj.NbEntries; i++ {
 		objElem := unsafe.CastWithOffset[bindings.WAFObject](obj.Value, i)
 		if objElem.Type != bindings.WAFStringType {