Documentation ¶
Index ¶
- Constants
- func IsEnabledByEnvironment() (enabled bool, set bool, err error)
- type AddressSet
- type Config
- type DataEntry
- type EnablementMode
- type Origin
- type RulesFragment
- type RulesManager
- func (r *RulesManager) AddEdit(cfgPath string, f RulesFragment)
- func (r *RulesManager) ChangeBase(f RulesFragment, basePath string)
- func (r *RulesManager) Clone() (clone RulesManager)
- func (r *RulesManager) Compile()
- func (r *RulesManager) Raw() []byte
- func (r *RulesManager) RemoveEdit(cfgPath string)
- func (r *RulesManager) String() string
- type StartConfig
- type StartOption
Constants ¶
const (
    // EnvEnabled controls ASM Threats Protection's enablement.
    EnvEnabled = "DD_APPSEC_ENABLED"
    // EnvSCAEnabled controls ASM Software Composition Analysis (SCA)'s enablement.
    EnvSCAEnabled = "DD_APPSEC_SCA_ENABLED"
)
The environment variables above dictate the enablement of the different ASM products.
Variables ¶
This section is empty.
Functions ¶
func IsEnabledByEnvironment ¶ added in v1.70.0
IsEnabledByEnvironment returns true when appsec is enabled by the environment variable EnvEnabled being set to a truthy value, as well as whether the environment variable was set at all (so it is possible to distinguish between explicitly false and false-by-default). If the EnvEnabled variable is set to a value that is not a valid boolean (according to strconv.ParseBool), it is considered falsy, and a detailed error is also returned.
Types ¶
type AddressSet ¶ added in v1.69.0
type AddressSet map[string]struct{}
AddressSet is a set of WAF addresses.
func NewAddressSet ¶ added in v1.69.0
func NewAddressSet(addrs []string) AddressSet
func (AddressSet) AnyOf ¶ added in v1.69.0
func (set AddressSet) AnyOf(anyOf ...string) bool
AnyOf returns true if any of the addresses in the set are in the given list.
type Config ¶
type Config struct {
    // rules loaded via the env var DD_APPSEC_RULES. When not set, the builtin rules will be used
    // and live-updated with remote configuration.
    RulesManager *RulesManager
    // Maximum WAF execution time
    WAFTimeout time.Duration
    // AppSec trace rate limit (traces per second).
    TraceRateLimit int64
    // Obfuscator configuration
    Obfuscator internal.ObfuscatorConfig
    // APISec configuration
    APISec internal.APISecConfig
    // RC is the remote configuration client used to receive product configuration updates. Nil if RC is disabled (default)
    RC *remoteconfig.ClientConfig
    RASP bool
    // SupportedAddresses are the addresses that the AppSec listener will bind to.
    SupportedAddresses AddressSet
}
Config is the AppSec configuration.
type DataEntry ¶ added in v1.69.0
type DataEntry rc.ASMDataRuleData
DataEntry represents an entry in the "rules_data" top level field of a rules file
type EnablementMode ¶ added in v1.70.0
type EnablementMode int8
const (
    // ForcedOff is the mode where AppSec is forced to be disabled, not allowing remote activation.
    ForcedOff EnablementMode = -1
    // RCStandby is the mode where AppSec is in stand-by, waiting for remote activation.
    RCStandby EnablementMode = 0
    // ForcedOn is the mode where AppSec is forced to be enabled.
    ForcedOn EnablementMode = 1
)
type Origin ¶ added in v1.70.0
type Origin uint8
const (
    // OriginDefault is the origin of configuration values not explicitly set by the user in any way.
    OriginDefault Origin = iota
    // OriginEnvVar is the origin of configuration values set through environment variables.
    OriginEnvVar
    // OriginExplicitOption is the origin of configuration values set through explicit options in code.
    OriginExplicitOption
)
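The enablement contract described under IsEnabledByEnvironment (unset, explicitly false, true, or an invalid value) is easy to get wrong when reimplemented, so the following is an added example, not code from the dd-trace-go package, that reproduces it with strconv.ParseBool and maps the outcome onto EnablementMode and Origin. The precedence it applies (an explicit option beats the environment variable, which beats the RCStandby default) and the choice to report ForcedOff together with the error for an unparsable value are assumptions made for the example; the local copies of the types and constants and the names enabledByEnvironment, resolveEnablement, lookupFunc and mapLookup are introduced here and are not part of the package.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
)

// Local copies of the package's EnablementMode and Origin values, so the example
// runs on its own (example code, not the package's definitions).
type EnablementMode int8

const (
	ForcedOff EnablementMode = -1
	RCStandby EnablementMode = 0
	ForcedOn  EnablementMode = 1
)

type Origin uint8

const (
	OriginDefault Origin = iota
	OriginEnvVar
	OriginExplicitOption
)

const EnvEnabled = "DD_APPSEC_ENABLED"

// lookupFunc abstracts os.LookupEnv so the logic can be exercised on constructed input.
type lookupFunc func(key string) (string, bool)

// enabledByEnvironment reproduces the three-way contract: (enabled, set, err).
// An unparsable value is treated as false and reported as an error rather than
// being silently ignored, which is what distinguishes "DD_APPSEC_ENABLED=yes"
// (a misconfiguration) from an unset variable.
func enabledByEnvironment(lookup lookupFunc) (bool, bool, error) {
	raw, ok := lookup(EnvEnabled)
	if !ok {
		return false, false, nil
	}
	enabled, err := strconv.ParseBool(raw)
	if err != nil {
		return false, true, fmt.Errorf("%s=%q is not a valid boolean: %w", EnvEnabled, raw, err)
	}
	return enabled, true, nil
}

// resolveEnablement decides the start-up mode. Assumed precedence for this
// example: explicit option > environment variable > default (wait for remote
// activation). On an invalid value the mode is ForcedOff and the error is kept.
func resolveEnablement(explicit *EnablementMode, lookup lookupFunc) (EnablementMode, Origin, error) {
	if explicit != nil {
		return *explicit, OriginExplicitOption, nil
	}
	enabled, set, err := enabledByEnvironment(lookup)
	switch {
	case err != nil:
		return ForcedOff, OriginEnvVar, err
	case !set:
		return RCStandby, OriginDefault, nil
	case enabled:
		return ForcedOn, OriginEnvVar, nil
	default:
		return ForcedOff, OriginEnvVar, nil
	}
}

// mapLookup turns a constructed map into a lookupFunc for offline testing.
func mapLookup(env map[string]string) lookupFunc {
	return func(key string) (string, bool) { v, ok := env[key]; return v, ok }
}

func main() {
	// The real process environment, as it would be read at start-up.
	mode, origin, err := resolveEnablement(nil, os.LookupEnv)
	fmt.Printf("process env: mode=%d origin=%d err=%v\n", mode, origin, err)

	// Constructed environments covering each branch of the contract.
	for _, env := range []map[string]string{
		{},
		{EnvEnabled: "true"},
		{EnvEnabled: "0"},
		{EnvEnabled: "yes"}, // not accepted by strconv.ParseBool
	} {
		mode, origin, err := resolveEnablement(nil, mapLookup(env))
		fmt.Printf("%v: mode=%d origin=%d err=%v\n", env, mode, origin, err)
	}
}
```

The point worth keeping from this example is the separation of "set" from "enabled": a deployment that sets the variable to a non-boolean string should surface an error, not quietly run with AppSec off.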
type RulesFragment ¶
type RulesFragment struct {
    Version       string      `json:"version,omitempty"`
    Metadata      any         `json:"metadata,omitempty"`
    Rules         []any       `json:"rules,omitempty"`
    Overrides     []any       `json:"rules_override,omitempty"`
    Exclusions    []any       `json:"exclusions,omitempty"`
    ExclusionData []DataEntry `json:"exclusion_data,omitempty"`
    RulesData     []DataEntry `json:"rules_data,omitempty"`
    Actions       []any       `json:"actions,omitempty"`
    CustomRules   []any       `json:"custom_rules,omitempty"`
    Processors    []any       `json:"processors,omitempty"`
    Scanners      []any       `json:"scanners,omitempty"`
}
RulesFragment can represent a full ruleset or a fragment of it.
func DefaultRulesFragment ¶
func DefaultRulesFragment() RulesFragment
DefaultRulesFragment returns a RulesFragment created using the default static recommended rules
type RulesManager ¶
type RulesManager struct {
    Latest   RulesFragment
    Base     RulesFragment
    BasePath string
    Edits    map[string]RulesFragment
}
RulesManager is used to build a full rules file from a combination of rules fragments. The `Base` fragment is the default rules (either local or received through ASM_DD), and the `Edits` fragments each represent a remote configuration update that affects the rules. `BasePath` is either empty if the local Base rules are used, or holds the path of the ASM_DD config.
func NewRulesManager ¶ added in v1.69.0
func NewRulesManager(rules []byte) (*RulesManager, error)
NewRulesManager initializes and returns a new RulesManager using the provided rules. If no rules are provided (nil), the default rules are used instead. If the provided rules are invalid, an error is returned.
func (*RulesManager) AddEdit ¶
func (r *RulesManager) AddEdit(cfgPath string, f RulesFragment)
AddEdit appends the configuration to the map of edits in the rules manager
func (*RulesManager) ChangeBase ¶
func (r *RulesManager) ChangeBase(f RulesFragment, basePath string)
ChangeBase sets a new rules fragment base for the rules manager
func (*RulesManager) Clone ¶
func (r *RulesManager) Clone() (clone RulesManager)
Clone returns a duplicate of the current rules manager object
func (*RulesManager) Compile ¶
func (r *RulesManager) Compile()
Compile compiles the RulesManager fragments together and stores the result in r.Latest.
func (*RulesManager) Raw ¶
func (r *RulesManager) Raw() []byte
Raw returns a compact json version of the rules
func (*RulesManager) RemoveEdit ¶
func (r *RulesManager) RemoveEdit(cfgPath string)
RemoveEdit deletes the configuration associated with `cfgPath` from the edits map.
func (*RulesManager) String ¶
func (r *RulesManager) String() string
String returns the string representation of the Latest compiled json rules.
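To make the Base / Edits / Latest model above concrete, here is an added example, not the package's own implementation, of a manager with the same shape: edits keyed by remote-configuration path, layered onto the base by Compile in sorted-path order so the result is deterministic, and serialised compactly the way Raw is described. The lower-case types, the subset of RulesFragment fields they carry, the rules_data merge policy (entries sharing an id and type are folded together instead of duplicated), and the sample fragments and config paths are all constructed for this example and make no claim about how the real Compile merges fragments.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed remote-configuration paths for the two sample edits.
const (
	dataEditPath     = "datadog/2/ASM_DATA/blocked_ips/config"
	overrideEditPath = "datadog/2/ASM/disable_rule/config"
)

// dataEntry stands in for the package's DataEntry; only the fields the
// illustration needs are modelled.
type dataEntry struct {
	ID   string           `json:"id"`
	Type string           `json:"type"`
	Data []map[string]any `json:"data"`
}

// rulesFragment mirrors the JSON shape of a subset of RulesFragment's fields.
type rulesFragment struct {
	Version     string      `json:"version,omitempty"`
	Rules       []any       `json:"rules,omitempty"`
	Overrides   []any       `json:"rules_override,omitempty"`
	Exclusions  []any       `json:"exclusions,omitempty"`
	RulesData   []dataEntry `json:"rules_data,omitempty"`
	CustomRules []any       `json:"custom_rules,omitempty"`
}

// rulesManager follows the Base / Edits / Latest layout of RulesManager.
type rulesManager struct {
	Latest   rulesFragment
	Base     rulesFragment
	BasePath string
	Edits    map[string]rulesFragment
}

func newRulesManager(base rulesFragment) *rulesManager {
	return &rulesManager{Base: base, Edits: map[string]rulesFragment{}}
}

func (r *rulesManager) AddEdit(cfgPath string, f rulesFragment) { r.Edits[cfgPath] = f }
func (r *rulesManager) RemoveEdit(cfgPath string)                { delete(r.Edits, cfgPath) }
func (r *rulesManager) ChangeBase(f rulesFragment, basePath string) {
	r.Base, r.BasePath = f, basePath
}

// Compile layers every edit onto the base and stores the result in Latest.
// Edits are applied in sorted path order so the output does not depend on map
// iteration order. The rules_data merge policy is an assumption of the example.
func (r *rulesManager) Compile() {
	out := rulesFragment{Version: r.Base.Version}
	out.Rules = append(out.Rules, r.Base.Rules...)
	out.Overrides = append(out.Overrides, r.Base.Overrides...)
	out.Exclusions = append(out.Exclusions, r.Base.Exclusions...)
	out.CustomRules = append(out.CustomRules, r.Base.CustomRules...)
	out.RulesData = mergeData(nil, r.Base.RulesData)

	paths := make([]string, 0, len(r.Edits))
	for p := range r.Edits {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	for _, p := range paths {
		e := r.Edits[p]
		out.Rules = append(out.Rules, e.Rules...)
		out.Overrides = append(out.Overrides, e.Overrides...)
		out.Exclusions = append(out.Exclusions, e.Exclusions...)
		out.CustomRules = append(out.CustomRules, e.CustomRules...)
		out.RulesData = mergeData(out.RulesData, e.RulesData)
	}
	r.Latest = out
}

// mergeData appends src entries to dst, folding an entry into an existing one
// with the same id and type. Data slices are copied so that neither the base
// nor any edit is mutated by a later Compile.
func mergeData(dst, src []dataEntry) []dataEntry {
	for _, s := range src {
		idx := -1
		for i := range dst {
			if dst[i].ID == s.ID && dst[i].Type == s.Type {
				idx = i
				break
			}
		}
		if idx < 0 {
			dst = append(dst, dataEntry{ID: s.ID, Type: s.Type, Data: append([]map[string]any(nil), s.Data...)})
			continue
		}
		dst[idx].Data = append(append([]map[string]any(nil), dst[idx].Data...), s.Data...)
	}
	return dst
}

// Raw returns the compact JSON form of Latest.
func (r *rulesManager) Raw() []byte {
	b, err := json.Marshal(r.Latest)
	if err != nil {
		panic(err) // only plain maps and slices are marshalled here
	}
	return b
}

// sampleManager builds a manager from constructed fragments (not real rules):
// a base with one rule and one blocked IP, an ASM_DATA edit adding a second
// blocked IP, and an ASM edit that disables the rule via rules_override.
func sampleManager() *rulesManager {
	base := rulesFragment{
		Version: "2.2",
		Rules:   []any{map[string]any{"id": "blk-001", "name": "Block listed IPs"}},
		RulesData: []dataEntry{{ID: "blocked_ips", Type: "ip_with_expiration",
			Data: []map[string]any{{"value": "192.0.2.1", "expiration": 0}}}},
	}
	m := newRulesManager(base)
	m.AddEdit(dataEditPath, rulesFragment{RulesData: []dataEntry{{ID: "blocked_ips", Type: "ip_with_expiration",
		Data: []map[string]any{{"value": "198.51.100.7", "expiration": 0}}}}})
	m.AddEdit(overrideEditPath, rulesFragment{Overrides: []any{map[string]any{
		"rules_target": []any{map[string]any{"rule_id": "blk-001"}}, "enabled": false}}})
	return m
}

func main() {
	m := sampleManager()
	m.Compile()
	fmt.Println(string(m.Raw()))
	m.RemoveEdit(dataEditPath) // the ASM_DATA config was withdrawn by remote configuration
	m.Compile()
	fmt.Println(string(m.Raw()))
}
```

The behaviour to take away is that a withdrawn edit only removes its own contribution on the next Compile: the second blocked IP disappears while the override from the other edit and the base rule stay, and the base fragment itself is never modified.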
type StartConfig ¶ added in v1.70.0
type StartConfig struct {
    // RC is the remote config client configuration to be used.
    RC *remoteconfig.ClientConfig
    // EnablementMode is a function that determines whether AppSec is enabled or not. When unset, the
    // default behaviour, driven by IsEnabledByEnvironment, is used.
    EnablementMode func() (EnablementMode, Origin, error)
}
func NewStartConfig ¶ added in v1.70.0
func NewStartConfig(opts ...StartOption) *StartConfig
func (*StartConfig) NewConfig ¶ added in v1.70.0
func (c *StartConfig) NewConfig() (*Config, error)
NewConfig returns a fresh appsec configuration read from the environment.
type StartOption ¶
type StartOption func(c *StartConfig)
StartOption is used to customize the AppSec configuration when invoked with appsec.Start()
func WithEnablementMode ¶ added in v1.70.0
func WithEnablementMode(mode EnablementMode) StartOption
WithEnablementMode forces AppSec enablement, replacing the default initialization conditions implemented by IsEnabledByEnvironment.
func WithRCConfig ¶
func WithRCConfig(cfg remoteconfig.ClientConfig) StartOption
WithRCConfig sets the AppSec remote config client configuration to the specified cfg