internal/appsec: implement WAF actions for http/grpc #1533

Hellzy · 2022-10-20T14:11:50Z

What does this PR do?

Add a system of "actions", which are basically callbacks that are executed after the WAF matches specific rules.
Also add a default action - both for grpc and http - that will block a before its execution if said action is called.

Motivation

This change allows the libraries to react proactively when a rule gets matched by the WAF. The primary example is when
blocking a user depending on their IP. If a blocked IP issues a request, the WAF will match a rule that links to an action that will block the request before it gets a chance of being executed.

Describe how to test/QA your changes

Reviewer's Checklist

If known, an appropriate milestone has been selected; otherwise the Triage milestone is set.
Changed code has unit tests for its functionality.
If this interacts with the agent in a new way, a system test has been added.

ASM now instanciates an action handler that will perform various actions commanded by the WAF after a match is performed. The "block_request" action type is the only kind of action currently supported, allowing to block an HTTP request.

…action

internal/appsec/dyngo/instrumentation/httpsec/http.go

internal/appsec/dyngo/instrumentation/httpsec/actions.go

internal/appsec/dyngo/instrumentation/httpsec/http.go

internal/appsec/waf.go

internal/appsec/dyngo/instrumentation/common.go

internal/appsec/waf.go

internal/appsec/dyngo/instrumentation/grpcsec/grpc.go

knusbaum

All good from trace side.

pr-commenter · 2022-12-08T23:25:19Z

Benchmarks

Comparing candidate commit e7a01b3 in PR branch francois.mazeau/ip-blocking with baseline commit 989e14a in branch main.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 6 cases.

ajgajg1134

👍 for APM

Base automatically changed from francois.mazeau/http-client-ip-rework to main October 24, 2022 19:17

Hellzy force-pushed the francois.mazeau/ip-blocking branch from f6cb235 to 24bd90f Compare October 25, 2022 07:53

Hellzy added this to the v1.44.0 milestone Oct 25, 2022

Hellzy force-pushed the francois.mazeau/ip-blocking branch from 24bd90f to a36fc28 Compare October 26, 2022 13:50

Hellzy changed the base branch from main to francois.mazeau/rc-asm-data October 26, 2022 13:51

Hellzy changed the base branch from francois.mazeau/rc-asm-data to main November 3, 2022 10:32

Hellzy force-pushed the francois.mazeau/ip-blocking branch 5 times, most recently from e859163 to aa4e477 Compare November 3, 2022 11:11

Hellzy changed the title ~~[WIP] internal/appsec: block requests based on client ip~~ [WIP] internal/appsec: implement WAF actions for http/grpc Nov 3, 2022

Hellzy marked this pull request as ready for review November 3, 2022 16:01

Hellzy requested a review from a team as a code owner November 3, 2022 16:01

Hellzy added 3 commits November 10, 2022 10:34

internal/appsec: implement IPFromRequest

2b83f16

internal/appsec: pass http.clientIP through operation args

f224b27

internal/appsec: pass htpt.client_ip address to the WAF

c1c1364

Hellzy force-pushed the francois.mazeau/ip-blocking branch from 2325312 to 1c68d45 Compare November 10, 2022 09:35

Hellzy force-pushed the francois.mazeau/ip-blocking branch from 1c68d45 to 566a6c5 Compare November 10, 2022 13:48

Hellzy added 2 commits November 17, 2022 14:35

internal/appsec/dyngo: write response header before body in blocking …

dea3413

…action

internal/appsec/dyngo: clear actions/events before second waf run

e6f2902

Hellzy force-pushed the francois.mazeau/ip-blocking branch from 464759f to e6f2902 Compare November 17, 2022 14:09

Hellzy changed the title ~~[WIP] internal/appsec: implement WAF actions for http/grpc~~ internal/appsec: implement WAF actions for http/grpc Nov 21, 2022

internal/appsec/httpsec: remove appsec build tag constraint for actions

b7e1d8a

ajgajg1134 modified the milestones: v1.44.0, v1.45.0 Nov 21, 2022

Julio-Guerra added the appsec label Nov 22, 2022

Julio-Guerra requested changes Nov 22, 2022

View reviewed changes

Julio-Guerra reviewed Nov 22, 2022

View reviewed changes

internal/appsec/dyngo/instrumentation/grpcsec/grpc.go Outdated Show resolved Hide resolved

internal/appsec: defer wafCtx.Close()

11a4cfb

Hellzy force-pushed the francois.mazeau/ip-blocking branch 2 times, most recently from 83b510b to 8d590ce Compare December 6, 2022 15:57

Hellzy added 2 commits December 7, 2022 14:34

internal/appsec: add request blocking test case

62e93b0

internal/appsec: golint

ca98bff

Hellzy force-pushed the francois.mazeau/ip-blocking branch from 772a9ea to ca98bff Compare December 7, 2022 13:34

appsec: test grpc IP blocking

e4379ba

Hellzy requested a review from a team December 8, 2022 16:31

Hellzy and others added 2 commits December 8, 2022 18:50

internal/appsec: fix content type when blocking

2286b11

grpcsec: report the http.client_ip span tag

9272678

knusbaum previously approved these changes Dec 8, 2022

View reviewed changes

grpcsec: report the http.client_ip span tag

c7377af

Julio-Guerra dismissed knusbaum’s stale review via c7377af December 8, 2022 23:20

Julio-Guerra and others added 3 commits December 9, 2022 14:06

Merge branch 'main' into francois.mazeau/ip-blocking

cf3ac2f

internal/appsec: close waf ctx when blocking

7f24120

internal/appsec: add actions_test.go

71c6c73

Hellzy force-pushed the francois.mazeau/ip-blocking branch from 1d99f66 to 5b350a9 Compare December 9, 2022 19:18

internal/appsec: report private IP if no global IP found

7281ec4

Hellzy force-pushed the francois.mazeau/ip-blocking branch from 5b350a9 to 7281ec4 Compare December 9, 2022 19:19

Hellzy and others added 3 commits December 9, 2022 21:03

appsec: retrieve remote addr for grpc

fde2717

github: update codeowners file to better cover appsec files in contrib

a266362

appsec: fix client ip tags with peer ip addresses

3d9d7d4

Julio-Guerra requested a review from a team as a code owner December 12, 2022 14:09

Merge branch 'main' into francois.mazeau/ip-blocking

e7a01b3

Julio-Guerra approved these changes Dec 12, 2022

View reviewed changes

Julio-Guerra requested a review from knusbaum December 12, 2022 15:18

ajgajg1134 approved these changes Dec 12, 2022

View reviewed changes

Julio-Guerra merged commit 4b12722 into main Dec 12, 2022

Julio-Guerra deleted the francois.mazeau/ip-blocking branch December 12, 2022 16:14

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

internal/appsec: implement WAF actions for http/grpc #1533

internal/appsec: implement WAF actions for http/grpc #1533

Hellzy commented Oct 20, 2022 •

edited

knusbaum left a comment

pr-commenter bot commented Dec 8, 2022 •

edited

ajgajg1134 left a comment

internal/appsec: implement WAF actions for http/grpc #1533

internal/appsec: implement WAF actions for http/grpc #1533

Conversation

Hellzy commented Oct 20, 2022 • edited

What does this PR do?

Motivation

Describe how to test/QA your changes

Reviewer's Checklist

knusbaum left a comment

Choose a reason for hiding this comment

pr-commenter bot commented Dec 8, 2022 • edited

Benchmarks

ajgajg1134 left a comment

Choose a reason for hiding this comment

Hellzy commented Oct 20, 2022 •

edited

pr-commenter bot commented Dec 8, 2022 •

edited