Register RC capa and check RASP enablement

DataDog · May 24, 2024 · a292479 · a292479
1 parent 373f56c
commit a292479
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 9 deletions.
diff --git a/internal/appsec/appsec.go b/internal/appsec/appsec.go
@@ -162,6 +162,7 @@ func (a *appsec) start(telemetry *appsecTelemetry) error {
 	}
 
 	a.enableRCBlocking()
+	a.enableRASP()
 
 	a.started = true
 	log.Info("appsec: up and running")

diff --git a/internal/appsec/config/config.go b/internal/appsec/config/config.go
@@ -11,8 +11,9 @@ import (
 	"strconv"
 	"time"
 
-	internal "github.com/DataDog/appsec-internal-go/appsec"
+	appsecInternal "github.com/DataDog/appsec-internal-go/appsec"
 
+	"gopkg.in/DataDog/dd-trace-go.v1/internal"
 	"gopkg.in/DataDog/dd-trace-go.v1/internal/log"
 	"gopkg.in/DataDog/dd-trace-go.v1/internal/remoteconfig"
 	"gopkg.in/DataDog/dd-trace-go.v1/internal/telemetry"
@@ -62,11 +63,12 @@ type Config struct {
 	// AppSec trace rate limit (traces per second).
 	TraceRateLimit int64
 	// Obfuscator configuration
-	Obfuscator internal.ObfuscatorConfig
+	Obfuscator appsecInternal.ObfuscatorConfig
 	// APISec configuration
-	APISec internal.APISecConfig
+	APISec appsecInternal.APISecConfig
 	// RC is the remote configuration client used to receive product configuration updates. Nil if RC is disabled (default)
-	RC *remoteconfig.ClientConfig
+	RC   *remoteconfig.ClientConfig
+	RASP bool
 }
 
 // WithRCConfig sets the AppSec remote config client configuration to the specified cfg
@@ -99,7 +101,7 @@ func parseBoolEnvVar(env string) (enabled bool, set bool, err error) {
 
 // NewConfig returns a fresh appsec configuration read from the env
 func NewConfig() (*Config, error) {
-	rules, err := internal.RulesFromEnv()
+	rules, err := appsecInternal.RulesFromEnv()
 	if err != nil {
 		return nil, err
 	}
@@ -111,9 +113,11 @@ func NewConfig() (*Config, error) {
 
 	return &Config{
 		RulesManager:   r,
-		WAFTimeout:     internal.WAFTimeoutFromEnv(),
-		TraceRateLimit: int64(internal.RateLimitFromEnv()),
-		Obfuscator:     internal.NewObfuscatorConfig(),
-		APISec:         internal.NewAPISecConfig(),
+		WAFTimeout:     appsecInternal.WAFTimeoutFromEnv(),
+		TraceRateLimit: int64(appsecInternal.RateLimitFromEnv()),
+		Obfuscator:     appsecInternal.NewObfuscatorConfig(),
+		APISec:         appsecInternal.NewAPISecConfig(),
+		// TODO: use appsecInternal.RASPENabled() when merged and released
+		RASP: internal.BoolEnv("DD_APPSEC_RASP_ENABLED", true),
 	}, nil
 }
diff --git a/internal/appsec/remoteconfig.go b/internal/appsec/remoteconfig.go
@@ -402,6 +402,16 @@ func (a *appsec) enableRCBlocking() {
 	}
 }
 
+func (a *appsec) enableRASP() {
+	if !a.cfg.RASP {
+		return
+	}
+	if err := remoteconfig.RegisterCapability(remoteconfig.ASMRASPSSRF); err != nil {
+		log.Debug("appsec: Remote config: couldn't register RASP SSRF: %v", err)
+	}
+	// TODO: register other RASP capabilities when supported
+}
+
 func (a *appsec) disableRCBlocking() {
 	if a.cfg.RC == nil {
 		return

diff --git a/internal/remoteconfig/remoteconfig.go b/internal/remoteconfig/remoteconfig.go
@@ -70,6 +70,8 @@ const (
 	APMTracingHTTPHeaderTags
 	// APMTracingCustomTags enables APM client to set custom tags on all spans
 	APMTracingCustomTags
+	// ASMRASPSSRF enables ASM support for runtime protection against SSRF attacks
+	ASMRASPSSRF = 23
 )
 
 // Additional capability bit index values that are non-consecutive from above.