o i#@sTddlZddlZddlZddlZddlZddlmZddlmZddlmZddlm Z ddl m Z ddl m Z ddlmZdd lmZdd lmZdd lmZddlmZdd lmZdd lmZddlmZddlmZddl m!Z"e#e$Z%dZ&e'e&ej(e)Z*dZ+e,dZ-Gddde.Z/dede e0e1ffddZ2GdddeZ3dS)N)Any)Callable)Optional)Union)MAX_SPAN_META_VALUE_LEN)SimplifiedEndpointComputer)ASM_Environment) API_SECURITY)SPAN_DATA_NAMES)_asm_manual_keep)http)logger) NumericType)Service)configapi_security_callbackiz-infc@s eZdZdS)TooLargeSchemaExceptionN)__name__ __module__ __qualname__rr\/home/ubuntu/.local/lib/python3.10/site-packages/ddtrace/appsec/_api_security/api_manager.pyr&srvreturncCst|ttfr t|St|SN) isinstancelisttupledict)rrrrpath_param_transform*srcs*eZdZUdejefdejefdejefdeje fdej dfgZ e e eeeeegeffed<e dejefd ejd d fgZe e eeeeegeffed <dZeded <edddZedddZdfdd ZdddZdddZdededeefddZ deddfddZ!Z"S) APIManagerREQUEST_HEADERS_NO_COOKIESREQUEST_COOKIES REQUEST_QUERYREQUEST_PATH_PARAMS REQUEST_BODYNBLOCK_COLLECTEDRESPONSE_HEADERS_NO_COOKIES RESPONSE_BODYcCst|r|S|Sr)callable)frrr:szAPIManager. COLLECTED _instancercCsT|jdurtd|jdSdt_td|j||_|jtd|jdS)Nz%s already enabledTz Enabling %sz %s enabled)r-logdebugr asm_config_api_security_activestartclsrrrenable?s  zAPIManager.enablecCsR|jdurtd|jdSdt_td|j|jd|_td|jdS)Nz%s not enabledFz Disabling %sz %s disabled)r-r.r/rr0r1stopr3rrrdisableLs  zAPIManager.disablecsdtt|td|jjt|_ t |_ ddl m m}ddlm m}||_||_dS)Nz%s initializedr)superr __init__r.r/ __class__r collections OrderedDict _hashtablersimplified_endpoint_computer#ddtrace.appsec._asm_request_contextappsec_asm_request_contextddtrace.appsec._metrics_metrics _asm_context)selfrArCr:rrr9Xs  zAPIManager.__init__cCs |jj|jdd|jdSNT)global_callback)rDremove_context_callback_schema_callbackr=clearrErrr _stop_serviceeszAPIManager._stop_servicecCs|jj|jdddSrG)rDadd_context_callbackrJrLrrr_start_serviceiszAPIManager._start_serviceenvpriorityc CsR|dkr tjr dS|jtj}|jtj}|dkp|dk}|jtj}|durK|jdurK|sK|j t j }|durI|j t j }|j|}|}|dusW|dusW|durn|s\|jr^dStdt|t|t|dSt|||f} t} |j| t} | | tjkrdS| turt|jtkr|jjddn|j| | |j| <dS) z Rate limit per route. Returns: None: if missing route, method or status False: if sampled True: if we should collect rF404iNzHunsupported groupkey for api security [method %s] [route %s] [status %s])lastT)r0_apm_tracing_enabled waf_addressesgetr REQUEST_METHODRESPONSE_STATUS REQUEST_ROUTEblocked entry_spanget_tagr ENDPOINTURLr>from_urlr.r/boolhashtime monotonicr= M_INFINITY_api_security_sample_delaylenMAX_HASHTABLE_SIZEpopitem move_to_end) rErPrQmethodstatusis_404routeendpointurlend_point_hash current_time previous_timerrr_should_collect_schemalsD     z!APIManager._should_collect_schemac s|jdustjs dS|j|jr|jn|j}r#tfdd|Dr%dSzPjj dur6|jjj dur6d}n jj p;d|jjj pAdf}t j |vrLt j }n t j |vrUt j }nt |}|||}|duro|jdd|jWdS|stWdSWntydddd }tjt|d d YdSwd d d ii}|D]-\}} } tjs|dkrq|jt|t} | turtd|q| dur| | } | ||<q|j} | durdS| |} | durdSd}| jD]E\}}d}z$t t!"t#j$|dd%&}t'|t(krt)|j*|<|d7}Wqty#ddd|d }tjt|d d Yqw||_+|jd ||j|dkr?tj,sAt-dSdSdS)Nc3s |] \}}}|jvVqdSr)_meta).0_ meta_namerootrr sz.APIManager._schema_callback..)rFr@z:sample_request_failure)product exec_limit more_infoT)extraexc_infoPROCESSOR_SETTINGSzextract-schemar(zno value for %s),:) separatorsr{z:schema_failure:).spanr0_api_security_feature_activer[rZr&r,anycontextsampling_priority constants USER_KEEP USER_REJECTmaxrsrC_report_api_security framework Exceptionr.warningAPI_SECURITY_LOGS!_api_security_parse_response_bodyrUrVr _sentinelr/ waf_callable api_securityitemsbase64 b64encodegzipcompressjsondumpsencodedecoderfrrrtapi_security_reportedrTr )rErP collected prioritiesrQshould_collectr waf_payloadaddressrv transformvaluerresult nb_schemasmetaschemab64_gzip_contentrrxrrJs            zAPIManager._schema_callback)rN)#rrrr r!rr"r#r$rr%r&rrstrrrr__annotations__r'r(r,r- classmethodr5r7r9rMrOrrr`rsrJ __classcell__rrrFrr 0s*     ( *   1r )4rr;rrrbtypingrrrrddtrace._trace._limitsr*ddtrace._trace.processor.resource_renamingrr?rddtrace.appsec._constantsr r ddtrace.appsec._trace_utilsr ddtrace.constantsr ddtrace.extr ddtrace.internalr ddloggerddtrace.internal.compatrddtrace.internal.servicerddtrace.internal.settings.asmrr0 get_loggerrr.rset_tag_rate_limitHOURobjectrrgfloatrdrrrrrr rrrrs<