config

package
v2.0.0-rc.1
Warning

This package is not in the latest version of its module.

Published: Nov 27, 2024 License: Apache-2.0, BSD-3-Clause, Apache-2.0 Imports: 11 Imported by: 0

Documentation


Constants

const (
	// EnvEnabled controls ASM Threats Protection's enablement.
	EnvEnabled = "DD_APPSEC_ENABLED"
	// EnvSCAEnabled controls ASM Software Composition Analysis (SCA)'s enablement.
	EnvSCAEnabled = "DD_APPSEC_SCA_ENABLED"
)

The following environment variables control the enablement of the different ASM products.

Variables

This section is empty.

Functions

func IsEnabledByEnvironment

func IsEnabledByEnvironment() (enabled bool, set bool, err error)

IsEnabledByEnvironment returns true when appsec is enabled by the environment variable EnvEnabled being set to a truthy value, as well as whether the environment variable was set at all or not (so it is possible to distinguish between explicitly false, and false-by-default). If the EnvEnabled variable is set to a value that is not a valid boolean (according to strconv.ParseBool), it is considered false-y, and a detailed error is also returned.

Types

type AddressSet

type AddressSet map[string]struct{}

AddressSet is a set of WAF addresses.

func NewAddressSet

func NewAddressSet(addrs []string) AddressSet

func (AddressSet) AnyOf

func (set AddressSet) AnyOf(anyOf ...string) bool

AnyOf returns true if any of the addresses in the set are in the given list.

type Config

type Config struct {
	// rules loaded via the env var DD_APPSEC_RULES. When not set, the builtin rules will be used
	// and live-updated with remote configuration.
	RulesManager *RulesManager
	// Maximum WAF execution time
	WAFTimeout time.Duration
	// AppSec trace rate limit (traces per second).
	TraceRateLimit int64
	// Obfuscator configuration
	Obfuscator internal.ObfuscatorConfig
	// APISec configuration
	APISec internal.APISecConfig
	// RC is the remote configuration client used to receive product configuration updates. Nil if RC is disabled (default)
	RC   *remoteconfig.ClientConfig
	RASP bool
	// SupportedAddresses are the addresses that the AppSec listener will bind to.
	SupportedAddresses AddressSet
}

Config is the AppSec configuration.

type DataEntry

type DataEntry rc.ASMDataRuleData

DataEntry represents an entry in the "rules_data" top level field of a rules file

type EnablementMode

type EnablementMode int8
const (
	// ForcedOff is the mode where AppSec is forced to be disabled, not allowing remote activation.
	ForcedOff EnablementMode = -1
	// RCStandby is the mode where AppSec is in stand-by, waiting remote activation.
	RCStandby EnablementMode = 0
	// ForcedOn is the mode where AppSec is forced to be enabled.
	ForcedOn EnablementMode = 1
)
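
How the three return values of IsEnabledByEnvironment can be resolved into an EnablementMode, as an added example that is not code from this package. The helper `resolveMode`, the `env` lookup and the mapping of an unset variable to RCStandby and of any explicit false-y value to ForcedOff are assumptions; only the variable name, the constants and the `strconv.ParseBool` rule come from the documentation on this page.

```go
package main

import (
	"fmt"
	"strconv"
)

// Local stand-ins for the documented constants; nothing is imported from the package.
type EnablementMode int8

const (
	ForcedOff EnablementMode = -1
	RCStandby EnablementMode = 0
	ForcedOn  EnablementMode = 1
)

// resolveMode is a hypothetical helper. lookup has the shape of os.LookupEnv so
// the logic can be exercised without touching the process environment.
func resolveMode(lookup func(string) (string, bool)) (EnablementMode, bool, error) {
	raw, set := lookup("DD_APPSEC_ENABLED")
	if !set {
		// Assumption: an unset variable means stand-by, so remote activation stays possible.
		return RCStandby, false, nil
	}
	enabled, err := strconv.ParseBool(raw)
	if err != nil {
		// Documented: an invalid boolean is false-y and an error is returned.
		// Assumption: a set, false-y value maps to ForcedOff, which also blocks remote activation.
		return ForcedOff, true, fmt.Errorf("DD_APPSEC_ENABLED=%q is not a valid boolean: %w", raw, err)
	}
	if enabled {
		return ForcedOn, true, nil
	}
	return ForcedOff, true, nil
}

// env wraps a constructed key/value map as a lookup function.
func env(kv map[string]string) func(string) (string, bool) {
	return func(k string) (string, bool) { v, ok := kv[k]; return v, ok }
}

func main() {
	for _, e := range []map[string]string{
		{}, {"DD_APPSEC_ENABLED": "true"}, {"DD_APPSEC_ENABLED": "0"}, {"DD_APPSEC_ENABLED": "yes"},
	} {
		mode, set, err := resolveMode(env(e))
		fmt.Printf("env=%v mode=%d set=%t err=%v\n", e, mode, set, err)
	}
}
```

Under these assumptions a mistyped value such as `yes` behaves like an explicit `false`, so the returned error is worth logging at startup rather than discarding.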

type Origin

type Origin uint8
const (
	// OriginDefault is the origin of configuration values not explicitly set by the user in any way.
	OriginDefault Origin = iota
	// OriginEnvVar is the origin of configuration values set through environment variables.
	OriginEnvVar
	// OriginExplicitOption is the origin of configuration values set through explicit options in code.
	OriginExplicitOption
)

type RulesFragment

type RulesFragment struct {
	Version       string      `json:"version,omitempty"`
	Metadata      any         `json:"metadata,omitempty"`
	Rules         []any       `json:"rules,omitempty"`
	Overrides     []any       `json:"rules_override,omitempty"`
	Exclusions    []any       `json:"exclusions,omitempty"`
	ExclusionData []DataEntry `json:"exclusion_data,omitempty"`
	RulesData     []DataEntry `json:"rules_data,omitempty"`
	Actions       []any       `json:"actions,omitempty"`
	CustomRules   []any       `json:"custom_rules,omitempty"`
	Processors    []any       `json:"processors,omitempty"`
	Scanners      []any       `json:"scanners,omitempty"`
}

RulesFragment can represent a full ruleset or a fragment of it.

func DefaultRulesFragment

func DefaultRulesFragment() RulesFragment

DefaultRulesFragment returns a RulesFragment created using the default static recommended rules

type RulesManager

type RulesManager struct {
	Latest   RulesFragment
	Base     RulesFragment
	BasePath string
	Edits    map[string]RulesFragment
}

RulesManager is used to build a full rules file from a combination of rules fragments. The `Base` fragment is the default rules (either local or received through ASM_DD), and the `Edits` fragments each represent a remote configuration update that affects the rules. `BasePath` is either empty if the local Base rules are used, or holds the path of the ASM_DD config.

func NewRulesManager

func NewRulesManager(rules []byte) (*RulesManager, error)

NewRulesManager initializes and returns a new RulesManager using the provided rules. If no rules are provided (nil), the default rules are used instead. If the provided rules are invalid, an error is returned

func (*RulesManager) AddEdit

func (r *RulesManager) AddEdit(cfgPath string, f RulesFragment)

AddEdit appends the configuration to the map of edits in the rules manager

func (*RulesManager) ChangeBase

func (r *RulesManager) ChangeBase(f RulesFragment, basePath string)

ChangeBase sets a new rules fragment base for the rules manager

func (*RulesManager) Clone

func (r *RulesManager) Clone() (clone RulesManager)

Clone returns a duplicate of the current rules manager object

func (*RulesManager) Compile

func (r *RulesManager) Compile()

Compile compiles the RulesManager fragments together and stores the result in r.Latest

func (*RulesManager) Raw

func (r *RulesManager) Raw() []byte

Raw returns a compact json version of the rules

func (*RulesManager) RemoveEdit

func (r *RulesManager) RemoveEdit(cfgPath string)

RemoveEdit deletes the configuration associated to `cfgPath` in the edits map

func (*RulesManager) String

func (r *RulesManager) String() string

String returns the string representation of the Latest compiled json rules.
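
A minimal model of the Base / Edits / Latest layout described for RulesManager, added here as an example and not taken from this package. The lower-case `fragment` and `manager` types are hypothetical stand-ins, and the merge rule (concatenating each edit's lists in sorted `cfgPath` order) is an assumption, since this page does not say how Compile combines fragments.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// fragment is a reduced stand-in for the documented RulesFragment (two fields only).
type fragment struct {
	Rules     []any `json:"rules,omitempty"`
	Overrides []any `json:"rules_override,omitempty"`
}

// manager models the documented Base / Edits / Latest layout.
type manager struct {
	Latest, Base fragment
	Edits        map[string]fragment
}

func (m *manager) addEdit(cfgPath string, f fragment) { m.Edits[cfgPath] = f }
func (m *manager) removeEdit(cfgPath string)          { delete(m.Edits, cfgPath) }

// compile rebuilds Latest from Base on every call, so a removed edit leaves no residue.
// Assumed merge rule: each edit's overrides are appended, in sorted cfgPath order.
func (m *manager) compile() {
	paths := make([]string, 0, len(m.Edits))
	for p := range m.Edits {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	out := fragment{
		Rules:     append([]any(nil), m.Base.Rules...),
		Overrides: append([]any(nil), m.Base.Overrides...),
	}
	for _, p := range paths {
		out.Overrides = append(out.Overrides, m.Edits[p].Overrides...)
	}
	m.Latest = out
}

func (m *manager) raw() string { b, _ := json.Marshal(m.Latest); return string(b) }

func main() {
	// Constructed sample: one base rule and one remote edit that overrides it.
	m := &manager{Base: fragment{Rules: []any{"rule-a"}}, Edits: map[string]fragment{}}
	m.addEdit("cfg/one", fragment{Overrides: []any{"disable rule-a"}})
	m.compile()
	fmt.Println(m.raw())
	m.removeEdit("cfg/one")
	m.compile()
	fmt.Println(m.raw())
}
```

Keeping edits keyed by configuration path and recompiling from an untouched Base means a withdrawn remote update, for example an override that disabled a rule, stops applying as soon as it is removed.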

type StartConfig

type StartConfig struct {
	// RC is the remote config client configuration to be used.
	RC *remoteconfig.ClientConfig
	// EnablementMode is a function that determines whether AppSec is enabled or not. When unset, the
	// default [IsEnabled] function is used.
	EnablementMode func() (EnablementMode, Origin, error)
}

func NewStartConfig

func NewStartConfig(opts ...StartOption) *StartConfig

func (*StartConfig) NewConfig

func (c *StartConfig) NewConfig() (*Config, error)

NewConfig returns a fresh appsec configuration read from the env

type StartOption

type StartOption func(c *StartConfig)

StartOption is used to customize the AppSec configuration when invoked with appsec.Start()

func WithEnablementMode

func WithEnablementMode(mode EnablementMode) StartOption

WithEnablementMode forces AppSec enablement, replacing the default initialization conditions implemented by IsEnabledByEnvironment.

func WithRCConfig

func WithRCConfig(cfg remoteconfig.ClientConfig) StartOption

WithRCConfig sets the AppSec remote config client configuration to the specified cfg
