config

package
v1.70.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 18, 2024 License: Apache-2.0, BSD-3-Clause, Apache-2.0 Imports: 11 Imported by: 0

Documentation

Index

Constants

View Source
const (
	// EnvEnabled controls ASM Threats Protection's enablement.
	EnvEnabled = "DD_APPSEC_ENABLED"
	// EnvSCAEnabled controls ASM Software Composition Analysis (SCA)'s enablement.
	EnvSCAEnabled = "DD_APPSEC_SCA_ENABLED"
)

The following environment variables dictate the enablement of different the ASM products.

Variables

This section is empty.

Functions

func IsEnabledByEnvironment added in v1.70.0

func IsEnabledByEnvironment() (enabled bool, set bool, err error)

IsEnabledByEnvironment returns true when appsec is enabled by the environment variable EnvEnabled being set to a truthy value, as well as whether the environment variable was set at all or not (so it is possible to distinguish between explicitly false, and false-by-default). If the EnvEnabled variable is set to a value that is not a valid boolean (according to strconv.ParseBool), it is considered false-y, and a detailed error is also returned.

Types

type AddressSet added in v1.69.0

type AddressSet map[string]struct{}

AddressSet is a set of WAF addresses.

func NewAddressSet added in v1.69.0

func NewAddressSet(addrs []string) AddressSet

func (AddressSet) AnyOf added in v1.69.0

func (set AddressSet) AnyOf(anyOf ...string) bool

AnyOf returns true if any of the addresses in the set are in the given list.

type Config

type Config struct {
	// rules loaded via the env var DD_APPSEC_RULES. When not set, the builtin rules will be used
	// and live-updated with remote configuration.
	RulesManager *RulesManager
	// Maximum WAF execution time
	WAFTimeout time.Duration
	// AppSec trace rate limit (traces per second).
	TraceRateLimit int64
	// Obfuscator configuration
	Obfuscator internal.ObfuscatorConfig
	// APISec configuration
	APISec internal.APISecConfig
	// RC is the remote configuration client used to receive product configuration updates. Nil if RC is disabled (default)
	RC   *remoteconfig.ClientConfig
	RASP bool
	// SupportedAddresses are the addresses that the AppSec listener will bind to.
	SupportedAddresses AddressSet
}

Config is the AppSec configuration.

type DataEntry added in v1.69.0

type DataEntry rc.ASMDataRuleData

DataEntry represents an entry in the "rules_data" top level field of a rules file

type EnablementMode added in v1.70.0

type EnablementMode int8
const (
	// ForcedOff is the mode where AppSec is forced to be disabled, not allowing remote activation.
	ForcedOff EnablementMode = -1
	// RCStandby is the mode where AppSec is in stand-by, waiting remote activation.
	RCStandby EnablementMode = 0
	// ForcedOn is the mode where AppSec is forced to be enabled.
	ForcedOn EnablementMode = 1
)

type Origin added in v1.70.0

type Origin uint8
const (
	// OriginDefault is the origin of configuration values not explicitly set by the user in any way.
	OriginDefault Origin = iota
	// OriginEnvVar is the origin of configuration values set through environment variables.
	OriginEnvVar
	// OriginExplicitOption is the origin of configuration values set though explicit options in code.
	OriginExplicitOption
)

type RulesFragment

type RulesFragment struct {
	Version       string      `json:"version,omitempty"`
	Metadata      any         `json:"metadata,omitempty"`
	Rules         []any       `json:"rules,omitempty"`
	Overrides     []any       `json:"rules_override,omitempty"`
	Exclusions    []any       `json:"exclusions,omitempty"`
	ExclusionData []DataEntry `json:"exclusion_data,omitempty"`
	RulesData     []DataEntry `json:"rules_data,omitempty"`
	Actions       []any       `json:"actions,omitempty"`
	CustomRules   []any       `json:"custom_rules,omitempty"`
	Processors    []any       `json:"processors,omitempty"`
	Scanners      []any       `json:"scanners,omitempty"`
}

RulesFragment can represent a full ruleset or a fragment of it.

func DefaultRulesFragment

func DefaultRulesFragment() RulesFragment

DefaultRulesFragment returns a RulesFragment created using the default static recommended rules

type RulesManager

type RulesManager struct {
	Latest   RulesFragment
	Base     RulesFragment
	BasePath string
	Edits    map[string]RulesFragment
}

RulesManager is used to build a full rules file from a combination of rules fragments The `Base` fragment is the default rules (either local or received through ASM_DD), and the `Edits` fragments each represent a remote configuration update that affects the rules. `BasePath` is either empty if the local Base rules are used, or holds the path of the ASM_DD config.

func NewRulesManager added in v1.69.0

func NewRulesManager(rules []byte) (*RulesManager, error)

NewRulesManager initializes and returns a new RulesManager using the provided rules. If no rules are provided (nil), the default rules are used instead. If the provided rules are invalid, an error is returned

func (*RulesManager) AddEdit

func (r *RulesManager) AddEdit(cfgPath string, f RulesFragment)

AddEdit appends the configuration to the map of edits in the rules manager

func (*RulesManager) ChangeBase

func (r *RulesManager) ChangeBase(f RulesFragment, basePath string)

ChangeBase sets a new rules fragment base for the rules manager

func (*RulesManager) Clone

func (r *RulesManager) Clone() (clone RulesManager)

Clone returns a duplicate of the current rules manager object

func (*RulesManager) Compile

func (r *RulesManager) Compile()

Compile compiles the RulesManager fragments together stores the result in r.Latest

func (*RulesManager) Raw

func (r *RulesManager) Raw() []byte

Raw returns a compact json version of the rules

func (*RulesManager) RemoveEdit

func (r *RulesManager) RemoveEdit(cfgPath string)

RemoveEdit deletes the configuration associated to `cfgPath` in the edits slice

func (*RulesManager) String

func (r *RulesManager) String() string

String returns the string representation of the Latest compiled json rules.

type StartConfig added in v1.70.0

type StartConfig struct {
	// RC is the remote config client configuration to be used.
	RC *remoteconfig.ClientConfig
	// IsEnabled is a function that determines whether AppSec is enabled or not. When unset, the
	// default [IsEnabled] function is used.
	EnablementMode func() (EnablementMode, Origin, error)
}

func NewStartConfig added in v1.70.0

func NewStartConfig(opts ...StartOption) *StartConfig

func (*StartConfig) NewConfig added in v1.70.0

func (c *StartConfig) NewConfig() (*Config, error)

NewConfig returns a fresh appsec configuration read from the env

type StartOption

type StartOption func(c *StartConfig)

StartOption is used to customize the AppSec configuration when invoked with appsec.Start()

func WithEnablementMode added in v1.70.0

func WithEnablementMode(mode EnablementMode) StartOption

WithEnablementMode forces AppSec enablement, replacing the default initialization conditions implemented by IsEnabledByEnvironment.

func WithRCConfig

func WithRCConfig(cfg remoteconfig.ClientConfig) StartOption

WithRCConfig sets the AppSec remote config client configuration to the specified cfg

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL