o i" @sddlZddlmZddlmZddlmZddlmZddlmZddlm Z ddlm Z dd l m Z dd l mZdd lmZdd lmZdd lmZddlmZddlmZddlmZddlmZddlmZeeZe j e j!e j"e j#hZ$d$ddZ%d$ddZ&GdddeZ'e'Z(deede)e*e)e*effde)e*effddZ+ifde,ede)e*e)e*effddfddZ-d$d d!Z.d$d"d#Z/dS)%N)Any)Optional)Sequence)_asm_feature_is_required)_rc_capabilities)APPSEC)PRODUCTS)core) get_logger)Payload) PayloadType) RCCallback)remoteconfig_poller)config)telemetry_writer)TELEMETRY_APM_PRODUCT)tracerreturncCstdtttrtjtj t t gdt tj t jrNt jdurNttjt t tjttjt t tjttjt t tjt jrZddlm}|ttjdtjjt _dS)ahRemote config will be used by ASM libraries to receive four different updates from the backend. Each update has it's own product: - ASM_FEATURES product - To allow users enable or disable ASM remotely - ASM product - To allow clients to activate or deactivate rules - ASM_DD product - To allow the library to receive rules updates - ASM_DATA product - To allow the library to receive list of blocked IPs and users If environment variable `DD_APPSEC_ENABLED` is not set, registering ASM_FEATURE can enable ASM remotely. If it's set to true, we will register the rest of the products. z/[%s][P: %s] Register ASM Remote Config Callback) capabilitiesNrload_common_appsec_modulesT)logdebugosgetpidgetppidrrregister_callbackr ASM_FEATURES_appsec_callbackrenable_product asm_config _asm_enabled_asm_static_rule_fileASM_DATAASMASM_DDddtrace.appsec._listenersrrproduct_activatedrr_clientid _rc_client_idrr+W/home/ubuntu/.local/lib/python3.10/site-packages/ddtrace/appsec/_remoteconfiguration.pyenable_appsec_rcs(      r-cCs0tD] }t|t|qttjddS)NF)APPSEC_PRODUCTSrunregister_callbackdisable_productrr'rr) product_namer+r+r,disable_appsec_rcDs  r2c@s0eZdZdZd ddZdeeddfddZdS) AppSecCallbackz+Remote config callback for AppSec products.rNcCs i|_dS)zInitialize the AppSec callback.N)_cache)selfr+r+r,__init__Ps zAppSecCallback.__init__payloadscCs|sdSt||j}d|vrgtjdurg|dddrCttj|t tjttj |t tj ttj |t tj n$t tjt tjt tj t tj t tj t tj dtdd|Ddtd td }t|g}g}g}|D]*}|jjd kr||q|jdur||jj|jfq||jj|j|jfqt||s|rtjrtd ||fdSdSdS) zProcess AppSec configuration payloads. Args: payloads: Sequence of configuration payloads to process NasmenabledFz:appsec._remoteconfiguration.deb::_appsec_callback::payloadcss|]}|jVqdS)N)path).0pr+r+r, psz*AppSecCallback.__call__..[z][P: ]rz waf.update)_update_asm_featuresr4r r"getrrrr#rr$r%r/r0tuplerrrrrmetadatar1appendcontentr:_process_asm_featuresr!r dispatch)r5r7result debug_infofor_the_waf_updatesfor_the_waf_removalsfor_the_tracerpayloadr+r+r,__call__TsP              zAppSecCallback.__call__rN)__name__ __module__ __qualname____doc__r6rr rNr+r+r+r,r3Ms r3 payload_listcachecCsi}|D]A}|jjdkrE|j}|dur;|j|vr3d||jvr&ddi|d<n d||jvr3ddi|d<||jdq|||||j<q|S)Nrr8r9Fauto_user_instrummode)rCr1rEr:popupdate)rTrUresrMpayload_contentr+r+r,r@s     r@cCsXt||}d|vrtjr|dddrtntd|vr*|dddt_dSdS)a0This callback updates appsec enabled in tracer and config instances following this logic: ``` | DD_APPSEC_ENABLED | RC Enabled | Result | |-------------------|------------|----------| | | | Disabled | | | false | Disabled | | | true | Enabled | | false | | Disabled | | true | | Enabled | | false | true | Disabled | | true | true | Enabled | ``` r8r9FrVrWN)r@r _asm_can_be_enabledrA enable_asm disable_asm"_auto_user_instrumentation_rc_mode)rTrUrHr+r+r,rFs rFcCsNtjr%ddlm}|dt_tjrddlm}|tj dddSdS)Nr)AppSecSpanProcessorF APIManager)appsec_enabled) r r!ddtrace.appsec._processorr`disable_api_security_active(ddtrace.appsec._api_security.api_managerrbr configure)r`rbr+r+r,r^s  r^cCsZtjr)tjs+ddlm}dt_tjrddlm}||t j dt j ddSdSdS)Nr) load_appsecTra)rcappsec_enabled_origin) r r\r!r&ri_api_security_enabledrgrbenablerrhrENABLED_ORIGIN_RC)rirbr+r+r,r]s   r]rO)0rtypingrrrddtrace.appsec._capabilitiesrrddtrace.appsec._constantsrrddtrace.internalr ddtrace.internal.loggerr ddtrace.internal.remoteconfigr r r $ddtrace.internal.remoteconfig.workerrddtrace.internal.settings.asmrr ddtrace.internal.telemetryr$ddtrace.internal.telemetry.constantsr ddtrace.tracerrPrrr$r#r%r.r-r2r3rdictstrr@listrFr^r]r+r+r+r,s8                   ( 72.