Class: Datadog::AppSec::Configuration::Settings

Inherits:
Object
Defined in:
lib/datadog/appsec/configuration/settings.rb

Overview

Configuration settings, acting as an integration registry. TODO: as with Configuration, this is a trivial implementation.

Constant Summary

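# rubocop:disable Layout/LineLength
# Default obfuscator patterns. The key pattern matches parameter *names* that look
# like passwords, pass phrases, secrets, API/private/public keys, tokens, consumer
# ids/keys/secrets, signatures, bearer or authorization headers. The value pattern
# matches parameter *values*: a secret-like name followed by "=" or a JSON `":"`
# value, bearer tokens, `token:` + 13 chars, GitHub `gh[opsu]_` tokens, JWT-shaped
# strings, PEM private keys and long ssh-rsa keys. Both are overridable through
# DD_APPSEC_OBFUSCATION_PARAMETER_KEY_REGEXP / _VALUE_REGEXP (see ENVS).
DEFAULT_OBFUSCATOR_KEY_REGEX = '(?i)(?:p(?:ass)?w(?:or)?d|pass(?:_?phrase)?|secret|(?:api_?|private_?|public_?)key)|token|consumer_?(?:id|key|secret)|sign(?:ed|ature)|bearer|authorization'
DEFAULT_OBFUSCATOR_VALUE_REGEX = '(?i)(?:p(?:ass)?w(?:or)?d|pass(?:_?phrase)?|secret|(?:api_?|private_?|public_?|access_?|secret_?)key(?:_?id)?|token|consumer_?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?)(?:\s*=[^;]|"\s*:\s*"[^"]+")|bearer\s+[a-z0-9\._\-]+|token:[a-z0-9]{13}|gh[opsu]_[0-9a-zA-Z]{36}|ey[I-L][\w=-]+\.ey[I-L][\w=-]+(?:\.[\w.+\/=-]+)?|[\-]{5}BEGIN[a-z\s]+PRIVATE\sKEY[\-]{5}[^\-]+[\-]{5}END[a-z\s]+PRIVATE\sKEY|ssh-rsa\s*[a-z0-9\/\.+]{100,}'
# rubocop:enable Layout/LineLength

# Option defaults. Environment overrides (ENVS, applied in #initialize) and
# DSL values (#merge) are layered on top of a dup of this hash.
DEFAULTS = {
  enabled: false,
  ruleset: :recommended,
  waf_timeout: 5_000, # us
  waf_debug: false,
  trace_rate_limit: 100, # traces/s
  obfuscator_key_regex: DEFAULT_OBFUSCATOR_KEY_REGEX,
  obfuscator_value_regex: DEFAULT_OBFUSCATOR_VALUE_REGEX,
}.freeze

# Environment variable name => [option key, converter applied to the raw ENV string].
# The boolean/integer/duration converters raise ArgumentError on malformed input
# instead of silently falling back to the default.
ENVS = {
  'DD_APPSEC_ENABLED' => [:enabled, Settings.boolean],
  'DD_APPSEC_RULES' => [:ruleset, Settings.string],
  'DD_APPSEC_WAF_TIMEOUT' => [:waf_timeout, Settings.duration(:us)],
  'DD_APPSEC_WAF_DEBUG' => [:waf_debug, Settings.boolean],
  'DD_APPSEC_TRACE_RATE_LIMIT' => [:trace_rate_limit, Settings.integer],
  'DD_APPSEC_OBFUSCATION_PARAMETER_KEY_REGEXP' => [:obfuscator_key_regex, Settings.string],
  'DD_APPSEC_OBFUSCATION_PARAMETER_VALUE_REGEXP' => [:obfuscator_value_regex, Settings.string],
}.freeze

# Struct constant whisker cast for Steep
Integration = _ = Struct.new(:integration, :options)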


Constructor Details

#initialize ⇒ Settings

Returns a new instance of Settings.



# File 'lib/datadog/appsec/configuration/settings.rb', line 121

# Builds the settings registry: no integrations yet, the DEFAULTS option
# values, and any override present in the process environment (ENVS).
#
# Every option taken from the environment is recorded in @configured so
# that an explicit setting can later be told apart from a default.
def initialize
  @integrations = []
  # Option keys that were set through the Datadog.configure block or ENV variables
  @configured = Set.new
  @options = DEFAULTS.dup
  ENVS.each do |env_name, (option_key, converter)|
    raw = ENV[env_name]
    next unless raw

    @options[option_key] = converter.call(raw)
    @configured << option_key
  end
end

Class Method Details

.boolean ⇒ Object



# File 'lib/datadog/appsec/configuration/settings.rb', line 12

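# Returns a converter for boolean environment variables.
#
# The returned lambda maps "1"/"true" (any case, surrounding whitespace
# ignored) to true, "0"/"false" or nil to false, and raises on anything
# else. The patterns are anchored to the whole value: the previous
# unanchored `/(1|true)/` accepted strings such as "10" or "untrue" as true.
#
# @return [Proc] ^(::String) -> bool
# @raise [ArgumentError] (from the lambda) when the value is not a recognised boolean
def boolean
  # @type ^(::String) -> bool
  ->(v) do # rubocop:disable Style/Lambda
    case v
    when nil
      false
    when /\A\s*(?:1|true)\s*\z/i
      true
    when /\A\s*(?:0|false)\s*\z/i
      false
    else
      raise ArgumentError, "invalid boolean: #{v.inspect}"
    end
  end
end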

.duration(base = :ns, type = :integer) ⇒ Object

rubocop:disable Metrics/MethodLength



# File 'lib/datadog/appsec/configuration/settings.rb', line 45

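# Returns a converter for duration environment variables.
#
# The returned lambda parses a value such as "5s", "250ms", "100us", "1h",
# "2m", "5ns" or a bare number and returns it expressed in +base+ units,
# cast to Integer or Float according to +type+. A bare number is returned
# as-is, i.e. it is assumed to already be in +base+ units. Integer casts use
# integer division, so sub-unit results truncate to 0.
#
# Fixes over the previous version: the "invalid type"/"invalid base" messages
# reported the value instead of the offending type/base, and the value
# patterns used ^/$, which also accepted a unit on any one line of a
# multi-line string.
#
# @param base [Symbol] unit of the returned number: :s, :ms, :us or :ns
# @param type [Symbol, Class] :integer/Integer or :float/Float
# @return [Proc] ^(::String) -> ::Integer | ::Float
# @raise [ArgumentError] (from the lambda) for an invalid type, base or value
def duration(base = :ns, type = :integer)
  # @type ^(::String) -> ::Integer | ::Float
  ->(v) do # rubocop:disable Style/Lambda
    # type and base are validated when the lambda runs, not when it is built,
    # so constructing a converter (ENVS is built at class load) never raises.
    cast = case type
           when :integer, Integer
             ->(digits) { Integer(digits, 10) } # explicit base 10: "08" is 8, not an octal error
           when :float, Float
             method(:Float)
           else
             raise ArgumentError, "invalid type: #{type.inspect}"
           end

    # Nanoseconds per unit of +base+.
    scale = case base
            when :s
              1_000_000_000
            when :ms
              1_000_000
            when :us
              1000
            when :ns
              1
            else
              raise ArgumentError, "invalid base: #{base.inspect}"
            end

    # \A/\z anchor the whole value; every branch converts to nanoseconds
    # and then divides by +scale+.
    case v
    when /\A(\d+)h\z/
      cast.call(Regexp.last_match(1)) * 1_000_000_000 * 60 * 60 / scale
    when /\A(\d+)m\z/
      cast.call(Regexp.last_match(1)) * 1_000_000_000 * 60 / scale
    when /\A(\d+)s\z/
      cast.call(Regexp.last_match(1)) * 1_000_000_000 / scale
    when /\A(\d+)ms\z/
      cast.call(Regexp.last_match(1)) * 1_000_000 / scale
    when /\A(\d+)us\z/
      cast.call(Regexp.last_match(1)) * 1_000 / scale
    when /\A(\d+)ns\z/
      cast.call(Regexp.last_match(1)) / scale
    when /\A(\d+)\z/
      cast.call(Regexp.last_match(1))
    else
      raise ArgumentError, "invalid duration: #{v.inspect}"
    end
  end
end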

.integer ⇒ Object



# File 'lib/datadog/appsec/configuration/settings.rb', line 32

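# Returns a converter for integer environment variables.
#
# The returned lambda accepts an optionally signed decimal integer,
# surrounding whitespace ignored, and raises on anything else. The pattern
# is anchored to the whole value: the previous unanchored `/(\d+)/` turned
# "-5" into 5 and "12abc" into 12 instead of rejecting them.
#
# @return [Proc] ^(::String) -> ::Integer
# @raise [ArgumentError] (from the lambda) when the value is not an integer
def integer
  # @type ^(::String) -> ::Integer
  ->(v) do # rubocop:disable Style/Lambda
    case v
    when /\A\s*([+-]?\d+)\s*\z/
      # String#to_i rather than Integer(): "08" must read as 8, not as an octal error
      Regexp.last_match(1).to_i
    else
      raise ArgumentError, "invalid integer: #{v.inspect}"
    end
  end
end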

.string ⇒ Object

TODO: allow symbols



# File 'lib/datadog/appsec/configuration/settings.rb', line 27

# Returns a converter for string environment variables: the value is
# coerced with #to_s, so it never raises (nil becomes "").
#
# @return [Proc] ^(::String) -> ::String
def string
  # @type ^(::String) -> ::String
  lambda do |value| # rubocop:disable Style/Lambda
    value.to_s
  end
end

Instance Method Details

#[](integration_name) ⇒ Object

Raises:

  • (ArgumentError)


# File 'lib/datadog/appsec/configuration/settings.rb', line 184

# Looks up the options of a registered integration by name.
#
# @param integration_name [Symbol, String] key in the integration registry
# @return [Object] the registered integration's options
# @raise [ArgumentError] when no integration is registered under that name
def [](integration_name)
  registered = Datadog::AppSec::Contrib::Integration.registry[integration_name]
  return registered.options if registered

  raise ArgumentError, "'#{integration_name}' is not a valid integration."
end

#enabled ⇒ Object



# File 'lib/datadog/appsec/configuration/settings.rb', line 135

# Whether AppSec is enabled (option :enabled; DEFAULTS gives false,
# DD_APPSEC_ENABLED and the DSL can override it).
def enabled
  flag = @options[:enabled]
  _ = flag # Cast for Steep
end

#ip_denylist ⇒ Object

EXPERIMENTAL: This configurable is not meant to be publicly used, but is very useful for testing. It may change at any point in time.


# File 'lib/datadog/appsec/configuration/settings.rb', line 147

# IP denylist (option :ip_denylist). Not in DEFAULTS or ENVS, so it is only
# set through the DSL; an empty list is returned when it was never set.
def ip_denylist
  configured = @options[:ip_denylist]
  return [] unless configured

  _ = configured # Cast for Steep
end

#merge(dsl) ⇒ Object



# File 'lib/datadog/appsec/configuration/settings.rb', line 192

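# Applies the options and instruments collected by a configuration DSL block.
#
# Non-nil option values overwrite the current ones and are recorded in
# @configured. Instruments are registered (and their patcher run, when the
# integration class is loaded and compatible) only if AppSec is enabled once
# the options have been applied.
#
# @param dsl [#options, #instruments] the configuration DSL object
# @return [Settings] self
# @raise [ArgumentError] when an instrument names an integration that is not
#   in the registry (previously this surfaced as a NoMethodError on nil)
def merge(dsl)
  dsl.options.each do |key, value|
    next if value.nil?

    @options[key] = value
    @configured << key
  end

  return self unless @options[:enabled]

  # patcher.patch may call configure again, hence merge might be called again so it needs to be reentrant
  dsl.instruments.each do |instrument|
    registered_integration = Datadog::AppSec::Contrib::Integration.registry[instrument.name]
    # Fail the same way #[] does for an unknown name instead of crashing on nil below.
    raise ArgumentError, "'#{instrument.name}' is not a valid integration." unless registered_integration

    @integrations << Integration.new(registered_integration, instrument.options)

    # TODO: move to a separate apply step
    klass = registered_integration.klass
    next unless klass.loaded? && klass.compatible?

    klass.new.patcher.patch
  end

  self
end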

#obfuscator_key_regex ⇒ Object



# File 'lib/datadog/appsec/configuration/settings.rb', line 174

# Regex source used to obfuscate parameter keys (option :obfuscator_key_regex;
# defaults to DEFAULT_OBFUSCATOR_KEY_REGEX, overridable via
# DD_APPSEC_OBFUSCATION_PARAMETER_KEY_REGEXP).
def obfuscator_key_regex
  pattern = @options[:obfuscator_key_regex]
  _ = pattern # Cast for Steep
end

#obfuscator_value_regex ⇒ Object



# File 'lib/datadog/appsec/configuration/settings.rb', line 179

# Regex source used to obfuscate parameter values (option
# :obfuscator_value_regex; defaults to DEFAULT_OBFUSCATOR_VALUE_REGEX,
# overridable via DD_APPSEC_OBFUSCATION_PARAMETER_VALUE_REGEXP).
def obfuscator_value_regex
  # Cast for Steep
  _ = @options.fetch(:obfuscator_value_regex, nil)
end

#ruleset ⇒ Object



# File 'lib/datadog/appsec/configuration/settings.rb', line 140

# Ruleset selector (option :ruleset; DEFAULTS gives :recommended,
# DD_APPSEC_RULES overrides it as a String).
def ruleset
  selected = @options[:ruleset]
  _ = selected # Cast for Steep
end

#trace_rate_limit ⇒ Object



# File 'lib/datadog/appsec/configuration/settings.rb', line 169

# Maximum AppSec traces per second (option :trace_rate_limit; DEFAULTS
# gives 100, DD_APPSEC_TRACE_RATE_LIMIT overrides it).
def trace_rate_limit
  limit = @options[:trace_rate_limit]
  _ = limit # Cast for Steep
end

#user_id_denylist ⇒ Object

EXPERIMENTAL: This configurable is not meant to be publicly used, but is very useful for testing. It may change at any point in time.


# File 'lib/datadog/appsec/configuration/settings.rb', line 154

# User id denylist (option :user_id_denylist). Not in DEFAULTS or ENVS, so
# it is only set through the DSL; an empty list is returned when unset.
def user_id_denylist
  configured = @options[:user_id_denylist]
  return [] unless configured

  _ = configured # Cast for Steep
end

#waf_debug ⇒ Object



# File 'lib/datadog/appsec/configuration/settings.rb', line 164

# Whether WAF debug output is enabled (option :waf_debug; DEFAULTS gives
# false, DD_APPSEC_WAF_DEBUG overrides it).
def waf_debug
  debug = @options[:waf_debug]
  _ = debug # Cast for Steep
end

#waf_timeout ⇒ Object



# File 'lib/datadog/appsec/configuration/settings.rb', line 159

# WAF timeout in microseconds (option :waf_timeout; DEFAULTS gives 5_000,
# DD_APPSEC_WAF_TIMEOUT overrides it via Settings.duration(:us)).
def waf_timeout
  timeout = @options[:waf_timeout]
  _ = timeout # Cast for Steep
end