Class: Datadog::AppSec::Configuration::Settings

Inherits:
Object
Defined in:
lib/datadog/appsec/configuration/settings.rb

Overview

Configuration settings, acting as an integration registry. TODO: as with Configuration, this is a trivial implementation.

Constant Summary

DEFAULT_OBFUSCATOR_KEY_REGEX =

rubocop:disable Layout/LineLength

'(?i)(?:p(?:ass)?w(?:or)?d|pass(?:_?phrase)?|secret|(?:api_?|private_?|public_?)key)|token|consumer_?(?:id|key|secret)|sign(?:ed|ature)|bearer|authorization'.freeze
DEFAULT_OBFUSCATOR_VALUE_REGEX =
'(?i)(?:p(?:ass)?w(?:or)?d|pass(?:_?phrase)?|secret|(?:api_?|private_?|public_?|access_?|secret_?)key(?:_?id)?|token|consumer_?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?)(?:\s*=[^;]|"\s*:\s*"[^"]+")|bearer\s+[a-z0-9\._\-]+|token:[a-z0-9]{13}|gh[opsu]_[0-9a-zA-Z]{36}|ey[I-L][\w=-]+\.ey[I-L][\w=-]+(?:\.[\w.+\/=-]+)?|[\-]{5}BEGIN[a-z\s]+PRIVATE\sKEY[\-]{5}[^\-]+[\-]{5}END[a-z\s]+PRIVATE\sKEY|ssh-rsa\s*[a-z0-9\/\.+]{100,}'.freeze
DEFAULTS =

rubocop:enable Layout/LineLength

{
  enabled: false,
  ruleset: :recommended,
  waf_timeout: 5_000, # us
  waf_debug: false,
  trace_rate_limit: 100, # traces/s
  obfuscator_key_regex: DEFAULT_OBFUSCATOR_KEY_REGEX,
  obfuscator_value_regex: DEFAULT_OBFUSCATOR_VALUE_REGEX,
}.freeze
ENVS =
{
  'DD_APPSEC_ENABLED' => [:enabled, Settings.boolean],
  'DD_APPSEC_RULES' => [:ruleset, Settings.string],
  'DD_APPSEC_WAF_TIMEOUT' => [:waf_timeout, Settings.duration(:us)],
  'DD_APPSEC_WAF_DEBUG' => [:waf_debug, Settings.boolean],
  'DD_APPSEC_TRACE_RATE_LIMIT' => [:trace_rate_limit, Settings.integer],
  'DD_APPSEC_OBFUSCATION_PARAMETER_KEY_REGEXP' => [:obfuscator_key_regex, Settings.string],
  'DD_APPSEC_OBFUSCATION_PARAMETER_VALUE_REGEXP' => [:obfuscator_value_regex, Settings.string],
}.freeze
Integration =

Struct constant whisker cast for Steep

_ = Struct.new(:integration, :options)

Class Method Summary

Instance Method Summary

Constructor Details

#initialize ⇒ Settings

Returns a new instance of Settings.



# File 'lib/datadog/appsec/configuration/settings.rb', line 117

def initialize
  # Starts from DEFAULTS and, for every environment variable listed in
  # ENVS that is set, overrides the matching option with the value
  # produced by that entry's converter. No integrations are registered
  # until #merge is called.
  @integrations = []
  @options = DEFAULTS.dup
  ENVS.each do |env_name, (option_key, converter)|
    raw = ENV[env_name]
    next unless raw

    @options[option_key] = converter.call(raw)
  end
end

Class Method Details

.boolean ⇒ Object



# File 'lib/datadog/appsec/configuration/settings.rb', line 8

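def boolean
  # Builds a converter that parses a boolean-ish environment value.
  #
  # Accepted (case-insensitive, surrounding whitespace ignored):
  #   "1" / "true"  -> true
  #   "0" / "false" -> false
  #   nil           -> false
  # Anything else raises ArgumentError. The patterns are anchored with
  # \A/\z so inputs such as "100", "untrue" or "true\nx" are rejected
  # rather than silently accepted on a substring match.
  #
  # @return [Proc] lambda taking a String (or nil) and returning a bool
  # @type ^(::String) -> bool
  ->(v) do # rubocop:disable Style/Lambda
    case v
    when nil, /\A\s*(?:0|false)\s*\z/i
      false
    when /\A\s*(?:1|true)\s*\z/i
      true
    else
      raise ArgumentError, "invalid boolean: #{v.inspect}"
    end
  end
end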

.duration(base = :ns, type = :integer) ⇒ Object

rubocop:disable Metrics/MethodLength



# File 'lib/datadog/appsec/configuration/settings.rb', line 41

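def duration(base = :ns, type = :integer)
  # Builds a converter that parses a duration string into a number
  # expressed in +base+ units.
  #
  # Input is a run of digits followed by an optional unit suffix
  # (h, m, s, ms, us, ns). With no suffix the value is taken to already be
  # in +base+ units and is returned unscaled. Anything else raises
  # ArgumentError. The pattern is anchored with \A/\z (not ^/$) so a
  # value is accepted or rejected as a whole, never on one of its lines.
  #
  # @param base [Symbol] unit of the returned value: :s, :ms, :us or :ns
  # @param type [Symbol, Class] :integer/Integer or :float/Float
  # @return [Proc] lambda taking a String and returning Integer or Float
  # @raise [ArgumentError] raised by the lambda for an unknown base or
  #   type, or for an unparsable value
  # @type ^(::String) -> ::Integer | ::Float
  ->(v) do # rubocop:disable Style/Lambda
    # Base 10 is passed explicitly: Integer("010") alone would read octal.
    cast = case type
           when :integer, Integer then ->(digits) { Integer(digits, 10) }
           when :float, Float then ->(digits) { Float(digits) }
           else raise ArgumentError, "invalid type: #{type.inspect}"
           end

    # Nanoseconds per unit of the requested +base+.
    scale = case base
            when :s then 1_000_000_000
            when :ms then 1_000_000
            when :us then 1_000
            when :ns then 1
            else raise ArgumentError, "invalid base: #{base.inspect}"
            end

    # Nanoseconds per accepted input suffix.
    unit_ns = {
      'h' => 60 * 60 * 1_000_000_000,
      'm' => 60 * 1_000_000_000,
      's' => 1_000_000_000,
      'ms' => 1_000_000,
      'us' => 1_000,
      'ns' => 1,
    }

    match = v.is_a?(String) && /\A(\d+)(h|ms|us|ns|m|s)?\z/.match(v)
    raise ArgumentError, "invalid duration: #{v.inspect}" unless match

    digits, unit = match.captures
    # A bare number is already in +base+ units.
    return cast.call(digits) unless unit

    cast.call(digits) * unit_ns.fetch(unit) / scale
  end
end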

.integer ⇒ Object



# File 'lib/datadog/appsec/configuration/settings.rb', line 28

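def integer
  # Builds a converter that parses a non-negative decimal integer.
  #
  # Only a run of digits (surrounding whitespace ignored) is accepted;
  # the pattern is anchored with \A/\z so values such as "12abc", "-5" or
  # "1\n2" raise ArgumentError instead of being silently reduced to the
  # first digit run they contain.
  #
  # @return [Proc] lambda taking a String and returning Integer
  # @type ^(::String) -> ::Integer
  ->(v) do # rubocop:disable Style/Lambda
    case v
    when /\A\s*(\d+)\s*\z/
      Regexp.last_match(1).to_i
    else
      raise ArgumentError, "invalid integer: #{v.inspect}"
    end
  end
end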

.string ⇒ Object

TODO: allow symbols



# File 'lib/datadog/appsec/configuration/settings.rb', line 23

def string
  # Builds a converter that coerces any value to a String with #to_s
  # (nil becomes "").
  #
  # TODO: allow symbols
  # @return [Proc] lambda taking a value and returning its String form
  # @type ^(::String) -> ::String
  lambda do |value|
    value.to_s
  end
end

Instance Method Details

#[](integration_name) ⇒ Object

Raises:

  • (ArgumentError)


# File 'lib/datadog/appsec/configuration/settings.rb', line 175

def [](integration_name)
  # Looks up +integration_name+ in the AppSec integration registry and
  # returns that integration's options.
  #
  # @param integration_name [Object] key used for the registry lookup
  # @return [Object] the registered integration's #options
  # @raise [ArgumentError] when nothing is registered under that name
  registered = Datadog::AppSec::Contrib::Integration.registry[integration_name]
  return registered.options if registered

  raise ArgumentError, "'#{integration_name}' is not a valid integration."
end

#enabled ⇒ Object



# File 'lib/datadog/appsec/configuration/settings.rb', line 126

def enabled
  # Whether AppSec is enabled: the :enabled option (false in DEFAULTS).
  value = @options[:enabled]
  _ = value # Cast for Steep
end

#ip_denylist ⇒ Object

EXPERIMENTAL: This configurable is not meant to be publicly used, but is very useful for testing. It may change at any point in time.


# File 'lib/datadog/appsec/configuration/settings.rb', line 138

def ip_denylist
  # The :ip_denylist option, or a fresh empty Array when it is unset.
  # EXPERIMENTAL: not meant for public use; may change at any time.
  denylist = @options[:ip_denylist]
  _ = denylist || [] # Cast for Steep
end

#merge(dsl) ⇒ Object



# File 'lib/datadog/appsec/configuration/settings.rb', line 183

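def merge(dsl)
  # Applies a configuration DSL to these settings and, when AppSec is
  # enabled, records every instrument it declares and patches the ones
  # whose integration class is loaded and compatible.
  #
  # nil option values are skipped so a DSL cannot unset a value that was
  # already configured (e.g. from the environment in #initialize).
  #
  # @param dsl [#options, #instruments] an options Hash plus instruments
  #   responding to #name and #options
  # @return [self]
  # @raise [ArgumentError] when an instrument names an integration that is
  #   not present in the registry
  dsl.options.each do |key, value|
    @options[key] = value unless value.nil?
  end

  return self unless @options[:enabled]

  # patcher.patch may call configure again, hence merge might be called again so it needs to be reentrant
  dsl.instruments.each do |instrument|
    registered_integration = Datadog::AppSec::Contrib::Integration.registry[instrument.name]
    # Same error as #[] for an unknown name, instead of a NoMethodError on nil below.
    raise ArgumentError, "'#{instrument.name}' is not a valid integration." unless registered_integration

    @integrations << Integration.new(registered_integration, instrument.options)

    # TODO: move to a separate apply step
    klass = registered_integration.klass
    next unless klass.loaded? && klass.compatible?

    klass.new.patcher.patch
  end

  self
end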

#obfuscator_key_regex ⇒ Object



# File 'lib/datadog/appsec/configuration/settings.rb', line 165

def obfuscator_key_regex
  # Pattern used to pick out sensitive parameter keys for obfuscation
  # (the :obfuscator_key_regex option, DEFAULT_OBFUSCATOR_KEY_REGEX by default).
  _ = @options.dig(:obfuscator_key_regex) # Cast for Steep
end

#obfuscator_value_regex ⇒ Object



# File 'lib/datadog/appsec/configuration/settings.rb', line 170

def obfuscator_value_regex
  # Pattern used to pick out sensitive parameter values for obfuscation
  # (the :obfuscator_value_regex option, DEFAULT_OBFUSCATOR_VALUE_REGEX by default).
  pattern = @options[:obfuscator_value_regex]
  _ = pattern # Cast for Steep
end

#ruleset ⇒ Object



# File 'lib/datadog/appsec/configuration/settings.rb', line 131

def ruleset
  # The configured WAF ruleset (the :ruleset option, :recommended in DEFAULTS).
  _ = @options.dig(:ruleset) # Cast for Steep
end

#trace_rate_limit ⇒ Object



# File 'lib/datadog/appsec/configuration/settings.rb', line 160

def trace_rate_limit
  # Maximum number of traces per second (the :trace_rate_limit option,
  # 100 in DEFAULTS).
  limit = @options[:trace_rate_limit]
  _ = limit # Cast for Steep
end

#user_id_denylist ⇒ Object

EXPERIMENTAL: This configurable is not meant to be publicly used, but is very useful for testing. It may change at any point in time.


# File 'lib/datadog/appsec/configuration/settings.rb', line 145

def user_id_denylist
  # The :user_id_denylist option, or a fresh empty Array when it is unset.
  # EXPERIMENTAL: not meant for public use; may change at any time.
  denylist = @options[:user_id_denylist]
  _ = denylist || [] # Cast for Steep
end

#waf_debug ⇒ Object



# File 'lib/datadog/appsec/configuration/settings.rb', line 155

def waf_debug
  # Whether WAF debugging is on (the :waf_debug option, false in DEFAULTS).
  _ = @options.dig(:waf_debug) # Cast for Steep
end

#waf_timeout ⇒ Object



# File 'lib/datadog/appsec/configuration/settings.rb', line 150

def waf_timeout
  # WAF call timeout (the :waf_timeout option; DEFAULTS gives it in
  # microseconds, 5_000 by default).
  timeout = @options[:waf_timeout]
  _ = timeout # Cast for Steep
end