pr

Author: sezen-datadog

dd-java-agent/appsec/src/main/java/com/datadog/appsec/powerwaf/PowerWAFModule.java

@@ -54,6 +54,7 @@
 import java.lang.reflect.Method;
 import java.lang.reflect.Proxy;
 import java.lang.reflect.UndeclaredThrowableException;
+import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashMap;
@@ -213,9 +214,10 @@ private void applyConfig(Object config_, AppSecModuleConfigurer.Reconfiguration
     }
 
     boolean success = false;
+    List<String> errors = new ArrayList<>();
     try {
       // ddwaf_init/update
-      success = initializeNewWafCtx(reconf, config, curCtxAndAddresses);
+      success = initializeNewWafCtx(reconf, config, curCtxAndAddresses, errors);
     } catch (Exception e) {
       throw new AppSecModuleActivationException("Could not initialize/update waf", e);
     } finally {
@@ -224,13 +226,18 @@ private void applyConfig(Object config_, AppSecModuleConfigurer.Reconfiguration
       } else {
         WafMetricCollector.get().wafUpdates(currentRulesVersion, success);
       }
+      if (!errors.isEmpty()) {
+        log.error("Errors during WAF initialization: {}", errors);
+        WafMetricCollector.get().addWafConfigError(errors.size());
+      }
     }
   }
 
   private boolean initializeNewWafCtx(
       AppSecModuleConfigurer.Reconfiguration reconf,
       CurrentAppSecConfig config,
-      CtxAndAddresses prevContextAndAddresses)
+      CtxAndAddresses prevContextAndAddresses,
+      List<String> errors)
       throws AppSecModuleActivationException, IOException {
     CtxAndAddresses newContextAndAddresses;
     RuleSetInfo initReport = null;
@@ -254,16 +261,6 @@ private boolean initializeNewWafCtx(
       if (initReport != null && initReport.rulesetVersion != null) {
         currentRulesVersion = initReport.rulesetVersion;
       }
-      if (initReport != null
-          && initReport.getErrors() != null
-          && !initReport.getErrors().isEmpty()
-          && initReport.getErrors().values().stream().mapToLong(List::size).sum() > 0) {
-        for (int i = 0;
-            i < initReport.getErrors().values().stream().mapToLong(List::size).sum();
-            i++) {
-          WafMetricCollector.get().wafConfigError();
-        }
-      }
 
       if (initReport != null) {
         log.info(
@@ -285,6 +282,14 @@ private boolean initializeNewWafCtx(
       if (initReport != null) {
         this.statsReporter.rulesVersion = initReport.rulesetVersion;
       }
+      if (initReport != null
+          && initReport.getErrors() != null
+          && !initReport.getErrors().isEmpty()) {
+        errors.addAll(
+            initReport.getErrors().values().stream()
+                .flatMap(List::stream)
+                .collect(Collectors.toList()));
+      }
     } catch (InvalidRuleSetException irse) {
       initReport = irse.ruleSetInfo;
       throw new AppSecModuleActivationException("Error creating WAF rules", irse);

dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/powerwaf/PowerWAFModuleSpecification.groovy

@@ -449,6 +449,7 @@ class PowerWAFModuleSpecification extends DDSpecification {
 
     then:
     1 * wafMetricCollector.wafInit(Powerwaf.LIB_VERSION, _, true)
+    2 * wafMetricCollector.addWafConfigError(1)
     1 * wafMetricCollector.wafUpdates(_, true)
     1 * reconf.reloadSubscriptions()
     0 * _
@@ -534,6 +535,7 @@ class PowerWAFModuleSpecification extends DDSpecification {
 
     then:
     1 * wafMetricCollector.wafInit(Powerwaf.LIB_VERSION, _, true)
+    2 * wafMetricCollector.addWafConfigError(1)
     1 * wafMetricCollector.wafUpdates(_, true)
     1 * reconf.reloadSubscriptions()
     0 * _
@@ -612,6 +614,7 @@ class PowerWAFModuleSpecification extends DDSpecification {
 
     then:
     1 * wafMetricCollector.wafInit(Powerwaf.LIB_VERSION, _, true)
+    2 * wafMetricCollector.addWafConfigError(1)
     2 * wafMetricCollector.wafUpdates(_, true)
     2 * reconf.reloadSubscriptions()
     0 * _
@@ -1089,6 +1092,7 @@ class PowerWAFModuleSpecification extends DDSpecification {
     1 * ctx.closeAdditive()
     2 * tracer.activeSpan()
     1 * wafMetricCollector.wafInit(Powerwaf.LIB_VERSION, _, true)
+    1 * wafMetricCollector.addWafConfigError(1)
     1 * reconf.reloadSubscriptions()
     0 * _
   }
@@ -1136,6 +1140,7 @@ class PowerWAFModuleSpecification extends DDSpecification {
 
     then:
     1 * wafMetricCollector.wafUpdates(_, true)
+    1 * wafMetricCollector.addWafConfigError(1)
     1 * reconf.reloadSubscriptions()
     1 * ctx.getOrCreateAdditive(_, true, false) >> { pwafAdditive = it[0].openAdditive() }
     2 * tracer.activeSpan()
@@ -1194,6 +1199,7 @@ class PowerWAFModuleSpecification extends DDSpecification {
 
     then: 'no match; rule is disabled'
     1 * wafMetricCollector.wafUpdates(_, true)
+    1 * wafMetricCollector.addWafConfigError(1)
     1 * reconf.reloadSubscriptions()
     1 * ctx.getOrCreateAdditive(_, true, false) >> {
       pwafAdditive = it[0].openAdditive() }
@@ -1304,6 +1310,7 @@ class PowerWAFModuleSpecification extends DDSpecification {
 
     then:
     1 * wafMetricCollector.wafUpdates(_, true)
+    1 * wafMetricCollector.addWafConfigError(1)
     1 * reconf.reloadSubscriptions()
     // no attack
     1 * ctx.getOrCreateAdditive(_, true, false) >> { pwafAdditive = it[0].openAdditive() }

internal-api/src/main/java/datadog/trace/api/telemetry/WafMetricCollector.java

@@ -85,6 +85,10 @@ public void wafConfigError() {
     wafConfigErrorCounter.incrementAndGet();
   }
 
+  public void addWafConfigError(int nbErrors) {
+    wafConfigErrorCounter.addAndGet(nbErrors);
+  }
+
   public void wafRequestTriggered() {
     wafTriggeredRequestCounter.increment();
   }