Add support for suspicious attacker blocking to appsec (#7401)

Author: manuel-alvarez-alvarez

dd-java-agent/appsec/src/main/java/com/datadog/appsec/config/AppSecConfigServiceImpl.java

@@ -8,6 +8,7 @@
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_CUSTOM_RULES;
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_DD_RULES;
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_EXCLUSIONS;
+import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_EXCLUSION_DATA;
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_IP_BLOCKING;
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_RASP_SQLI;
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_REQUEST_BLOCKING;
@@ -97,6 +98,7 @@ private void subscribeConfigurationPoller() {
         CAPABILITY_ASM_DD_RULES
             | CAPABILITY_ASM_IP_BLOCKING
             | CAPABILITY_ASM_EXCLUSIONS
+            | CAPABILITY_ASM_EXCLUSION_DATA
             | CAPABILITY_ASM_REQUEST_BLOCKING
             | CAPABILITY_ASM_USER_BLOCKING
             | CAPABILITY_ASM_CUSTOM_RULES
@@ -335,6 +337,7 @@ public void close() {
             | CAPABILITY_ASM_DD_RULES
             | CAPABILITY_ASM_IP_BLOCKING
             | CAPABILITY_ASM_EXCLUSIONS
+            | CAPABILITY_ASM_EXCLUSION_DATA
             | CAPABILITY_ASM_REQUEST_BLOCKING
             | CAPABILITY_ASM_USER_BLOCKING
             | CAPABILITY_ASM_CUSTOM_RULES

dd-java-agent/appsec/src/main/java/com/datadog/appsec/config/AppSecData.java

@@ -0,0 +1,30 @@
+package com.datadog.appsec.config;
+
+import com.squareup.moshi.Json;
+import java.util.List;
+import java.util.Map;
+
+public class AppSecData {
+
+  @Json(name = "rules_data")
+  private List<Map<String, Object>> rules;
+
+  @Json(name = "exclusion_data")
+  private List<Map<String, Object>> exclusion;
+
+  public List<Map<String, Object>> getRules() {
+    return rules;
+  }
+
+  public void setRules(List<Map<String, Object>> rules) {
+    this.rules = rules;
+  }
+
+  public List<Map<String, Object>> getExclusion() {
+    return exclusion;
+  }
+
+  public void setExclusion(List<Map<String, Object>> exclusion) {
+    this.exclusion = exclusion;
+  }
+}

dd-java-agent/appsec/src/main/java/com/datadog/appsec/config/AppSecDataDeserializer.java

@@ -3,36 +3,25 @@
 import static com.datadog.appsec.config.AppSecConfig.MOSHI;
 
 import com.squareup.moshi.JsonAdapter;
-import com.squareup.moshi.Types;
 import datadog.remoteconfig.ConfigurationDeserializer;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
-import java.util.List;
-import java.util.Map;
 import okio.Okio;
 
-public class AppSecDataDeserializer
-    implements ConfigurationDeserializer<List<Map<String, Object>>> {
+public class AppSecDataDeserializer implements ConfigurationDeserializer<AppSecData> {
   public static final AppSecDataDeserializer INSTANCE = new AppSecDataDeserializer();
 
-  private static final JsonAdapter<Map<String, List<Map<String, Object>>>> ADAPTER =
-      MOSHI.adapter(
-          Types.newParameterizedType(
-              Map.class,
-              String.class,
-              Types.newParameterizedType(
-                  List.class, Types.newParameterizedType(Map.class, String.class, Object.class))));
+  private static final JsonAdapter<AppSecData> ADAPTER = MOSHI.adapter(AppSecData.class);
 
   private AppSecDataDeserializer() {}
 
   @Override
-  public List<Map<String, Object>> deserialize(byte[] content) throws IOException {
+  public AppSecData deserialize(byte[] content) throws IOException {
     return deserialize(new ByteArrayInputStream(content));
   }
 
-  private List<Map<String, Object>> deserialize(InputStream is) throws IOException {
-    Map<String, List<Map<String, Object>>> cfg = ADAPTER.fromJson(Okio.buffer(Okio.source(is)));
-    return cfg.get("rules_data");
+  private AppSecData deserialize(InputStream is) throws IOException {
+    return ADAPTER.fromJson(Okio.buffer(Okio.source(is)));
   }
 }

dd-java-agent/appsec/src/main/java/com/datadog/appsec/config/CurrentAppSecConfig.java

@@ -24,15 +24,21 @@ public class CurrentAppSecConfig {
   MergedAsmData mergedAsmData = new MergedAsmData(new HashMap<>());
   public final DirtyStatus dirtyStatus = new DirtyStatus();
 
+  @SuppressWarnings("unchecked")
   public void setDdConfig(AppSecConfig newConfig) {
     this.ddConfig = newConfig;
 
-    List<Map<String, Object>> rulesData =
-        (List<Map<String, Object>>) newConfig.getRawConfig().get("rules_data");
-    if (rulesData != null) {
-      mergedAsmData.addConfig(MergedAsmData.KEY_BUNDLED_RULE_DATA, rulesData);
+    final Map<String, Object> rawConfig = newConfig.getRawConfig();
+    List<Map<String, Object>> rules = (List<Map<String, Object>>) rawConfig.get("rules_data");
+    List<Map<String, Object>> exclusions =
+        (List<Map<String, Object>>) rawConfig.get("exclusion_data");
+    if (rules != null || exclusions != null) {
+      final AppSecData data = new AppSecData();
+      data.setRules(rules);
+      data.setExclusion(exclusions);
+      mergedAsmData.addConfig(MergedAsmData.KEY_BUNDLED_DATA, data);
     } else {
-      mergedAsmData.removeConfig(MergedAsmData.KEY_BUNDLED_RULE_DATA);
+      mergedAsmData.removeConfig(MergedAsmData.KEY_BUNDLED_DATA);
     }
   }
 
@@ -100,7 +106,9 @@ public AppSecConfig getMergedUpdateConfig() throws IOException {
       mso.put("rules_override", getMergedRuleOverrides());
     }
     if (dirtyStatus.data) {
-      mso.put("rules_data", mergedAsmData.getMergedData());
+      final AppSecData data = mergedAsmData.getMergedData();
+      mso.put("rules_data", data.getRules());
+      mso.put("exclusion_data", data.getExclusion());
     }
     if (dirtyStatus.actions) {
       mso.put("actions", getMergedActions());
@@ -111,12 +119,13 @@ public AppSecConfig getMergedUpdateConfig() throws IOException {
     if (log.isDebugEnabled()) {
       log.debug(
           "Providing WAF config with: "
-              + "rules: {}, custom_rules: {}, exclusions: {}, ruleOverrides: {}, rules_data: {}, actions: {}",
+              + "rules: {}, custom_rules: {}, exclusions: {}, ruleOverrides: {}, rules_data: {}, exclusion_data: {}, actions: {}",
           debugRuleSummary(mso),
           debugCustomRuleSummary(mso),
           debugExclusionsSummary(mso),
           debugRuleOverridesSummary(mso),
           debugRulesDataSummary(mso),
+          debugExclusionDataSummary(mso),
           debugActionsSummary(mso));
     }
     return AppSecConfig.valueOf(mso);
@@ -141,13 +150,27 @@ private static String debugRulesDataSummary(Map<String, Object> mso) {
     }
     return "["
         + rulesData.size()
-        + " data sets with ids "
+        + " rules data sets with ids "
         + rulesData.stream()
             .map(rd -> String.valueOf(rd.get("id")))
             .collect(Collectors.joining(", "))
         + "]";
   }
 
+  private static String debugExclusionDataSummary(Map<String, Object> mso) {
+    List<Map<String, Object>> exclusionData = (List<Map<String, Object>>) mso.get("exclusion_data");
+    if (exclusionData == null) {
+      return "<absent>";
+    }
+    return "["
+        + exclusionData.size()
+        + " exclusion data sets with ids "
+        + exclusionData.stream()
+            .map(rd -> String.valueOf(rd.get("id")))
+            .collect(Collectors.joining(", "))
+        + "]";
+  }
+
   private static String debugRuleOverridesSummary(Map<String, Object> mso) {
     List<Map<String, Object>> overrides = (List<Map<String, Object>>) mso.get("rules_override");
     if (overrides == null) {

dd-java-agent/appsec/src/main/java/com/datadog/appsec/config/MergedAsmData.java

@@ -3,25 +3,27 @@
 import static java.util.stream.Collectors.groupingBy;
 import static java.util.stream.Collectors.toList;
 
-import java.util.AbstractList;
+import java.util.Collection;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import java.util.function.Function;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
-public class MergedAsmData extends AbstractList<Map<String, Object>> {
-  public static final String KEY_BUNDLED_RULE_DATA = "<rule data bundled in rule config>";
+public class MergedAsmData {
+  public static final String KEY_BUNDLED_DATA = "<data bundled in config>";
 
-  private final Map<String /* cfg key */, List<Map<String, Object>>> configs;
-  private List<Map<String, Object>> mergedData;
+  private final Map<String /* cfg key */, AppSecData> configs;
+  private AppSecData mergedData;
 
-  public MergedAsmData(Map<String, List<Map<String, Object>>> configs) {
+  public MergedAsmData(Map<String, AppSecData> configs) {
     this.configs = configs;
   }
 
-  public void addConfig(String cfgKey, List<Map<String, Object>> config) {
+  public void addConfig(String cfgKey, AppSecData config) {
     this.configs.put(cfgKey, config);
     this.mergedData = null;
   }
@@ -40,19 +42,15 @@ public void removeConfig(String cfgKey) {
    *     - value: 192.168.1.1
    *       expiration: 555
    */
-  public List<Map<String, Object>> getMergedData() throws InvalidAsmDataException {
+  public AppSecData getMergedData() throws InvalidAsmDataException {
     if (mergedData != null) {
       return mergedData;
     }
 
     try {
-      // map of id -> list of maps across all the configs with such id
-      Map<String, List<Map<String, Object>>> dataPerId =
-          configs.values().stream()
-              .flatMap(l -> l.stream())
-              .collect(groupingBy(d -> (String) d.get("id")));
-
-      this.mergedData = buildMergedData(dataPerId);
+      this.mergedData = new AppSecData();
+      this.mergedData.setRules(buildMergedData(groupById(AppSecData::getRules)));
+      this.mergedData.setExclusion(buildMergedData(groupById(AppSecData::getExclusion)));
     } catch (InvalidAsmDataException iade) {
       throw iade;
     } catch (RuntimeException rte) {
@@ -62,6 +60,16 @@ public List<Map<String, Object>> getMergedData() throws InvalidAsmDataException
     return this.mergedData;
   }
 
+  /** map of id -> list of maps across all the configs with such id */
+  private Map<String, List<Map<String, Object>>> groupById(
+      final Function<AppSecData, List<Map<String, Object>>> property) {
+    return configs.values().stream()
+        .map(property)
+        .map(it -> it == null ? Collections.<Map<String, Object>>emptyList() : it)
+        .flatMap(Collection::stream)
+        .collect(groupingBy(d -> (String) d.get("id")));
+  }
+
   private List<Map<String, Object>> buildMergedData(
       Map<String, List<Map<String, Object>>> dataPerId) {
     return dataPerId.entrySet().stream()
@@ -137,16 +145,6 @@ private List<Map<String, Object>> mergeExpirationData(Stream<Map<String, Object>
         .collect(toList());
   }
 
-  @Override
-  public Map<String, Object> get(int index) {
-    return getMergedData().get(index);
-  }
-
-  @Override
-  public int size() {
-    return getMergedData().size();
-  }
-
   public class InvalidAsmDataException extends RuntimeException {
     public InvalidAsmDataException(String s) {
       super(s);

dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/config/AppSecConfigServiceImplSpecification.groovy

@@ -22,6 +22,7 @@ import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_CUSTOM_BLOCKING_R
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_CUSTOM_RULES
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_DD_RULES
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_EXCLUSIONS
+import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_EXCLUSION_DATA
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_IP_BLOCKING
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_RASP_SQLI
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_REQUEST_BLOCKING
@@ -254,6 +255,7 @@ class AppSecConfigServiceImplSpecification extends DDSpecification {
     1 * poller.addCapabilities(CAPABILITY_ASM_DD_RULES
       | CAPABILITY_ASM_IP_BLOCKING
       | CAPABILITY_ASM_EXCLUSIONS
+      | CAPABILITY_ASM_EXCLUSION_DATA
       | CAPABILITY_ASM_REQUEST_BLOCKING
       | CAPABILITY_ASM_USER_BLOCKING
       | CAPABILITY_ASM_CUSTOM_RULES
@@ -307,7 +309,7 @@ class AppSecConfigServiceImplSpecification extends DDSpecification {
           enabled     : false
         ]
       ]
-      casc.mergedAsmData == [[data: [], id: 'foo', type: '']]
+      casc.mergedAsmData.mergedData.rules == [[data: [], id: 'foo', type: '']]
     }, _)
 
     when:
@@ -398,6 +400,7 @@ class AppSecConfigServiceImplSpecification extends DDSpecification {
     1 * poller.addCapabilities(CAPABILITY_ASM_DD_RULES
       | CAPABILITY_ASM_IP_BLOCKING
       | CAPABILITY_ASM_EXCLUSIONS
+      | CAPABILITY_ASM_EXCLUSION_DATA
       | CAPABILITY_ASM_REQUEST_BLOCKING
       | CAPABILITY_ASM_USER_BLOCKING
       | CAPABILITY_ASM_CUSTOM_RULES
@@ -430,7 +433,7 @@ class AppSecConfigServiceImplSpecification extends DDSpecification {
     }
     mergedUpdateConfig.numberOfRules == 0
     mergedUpdateConfig.rawConfig['rules_override'].isEmpty() == false
-    mergedAsmData.isEmpty() == false
+    mergedAsmData.mergedData.rules.isEmpty() == false
 
     when:
     listeners.savedConfChangesListener.accept('asm_dd config', null, null)
@@ -447,7 +450,7 @@ class AppSecConfigServiceImplSpecification extends DDSpecification {
 
     mergedUpdateConfig.numberOfRules > 0
     mergedUpdateConfig.rawConfig['rules_override'].isEmpty() == true
-    mergedAsmData.isEmpty() == true
+    mergedAsmData.mergedData.rules.isEmpty() == true
   }
 
   void 'stopping appsec unsubscribes from the poller'() {
@@ -463,6 +466,7 @@ class AppSecConfigServiceImplSpecification extends DDSpecification {
       | CAPABILITY_ASM_DD_RULES
       | CAPABILITY_ASM_IP_BLOCKING
       | CAPABILITY_ASM_EXCLUSIONS
+      | CAPABILITY_ASM_EXCLUSION_DATA
       | CAPABILITY_ASM_REQUEST_BLOCKING
       | CAPABILITY_ASM_USER_BLOCKING
       | CAPABILITY_ASM_CUSTOM_RULES

dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/config/AppSecDataDeserializerSpecification.groovy

@@ -39,7 +39,7 @@ class AppSecDataDeserializerSpecification extends Specification {
 
     then:
     result != null
-    result == [
+    result.rules == [
       [
         data: [
           [
@@ -55,9 +55,44 @@ class AppSecDataDeserializerSpecification extends Specification {
             value     : "3.3.3.3"
           ]
         ],
-        id: "blocked_ips",
+        id  : "blocked_ips",
         type: "ip_with_expiration"
       ]
     ]
   }
+
+  void 'deserialize exclusions data'() {
+    final deser = AppSecDataDeserializer.INSTANCE
+    final input = """
+{
+  "exclusion_data": [
+    {
+      "id": "suspicious_ips_data_id",
+      "type": "ip_with_expiration",
+      "data": [
+        {
+          "value": "34.65.27.85"
+        }
+      ]
+    }
+  ]
+}
+    """
+
+    when:
+    def result = deser.deserialize(input.getBytes(StandardCharsets.UTF_8))
+
+    then:
+    result != null
+    result.exclusion == [
+      [
+        id  : "suspicious_ips_data_id",
+        type: "ip_with_expiration",
+        data: [[
+            value: "34.65.27.85"
+          ]],
+
+      ]
+    ]
+  }
 }