builder.go

// Unless explicitly stated otherwise all files in this repository are licensed
// under the Apache License Version 2.0.
// This product includes software developed at Datadog (https://www.datadoghq.com/).
// Copyright 2016-present Datadog, Inc.

package libddwaf

import (
	"errors"
	"fmt"
	"runtime"

	"github.com/DataDog/go-libddwaf/v4/internal/bindings"
	"github.com/DataDog/go-libddwaf/v4/internal/ruleset"
)

// Builder manages an evolving WAF configuration over time. Its lifecycle is
// typically tied to that of a remote configuration client, as its purpose is to
// keep an up-to-date view of the current coniguration with low overhead. This
// type is not safe for concurrent use, and users should protect it with a mutex
// or similar when sharing it across multiple goroutines. All methods of this
// type are safe to call with a nil receiver.
type Builder struct {
	handle        bindings.WAFBuilder
	defaultLoaded bool
}

// NewBuilder creates a new [Builder] instance. Its lifecycle is typically tied
// to that of a remote configuration client, as its purpose is to keep an
// up-to-date view of the current coniguration with low overhead. Returns nil if
// an error occurs when initializing the builder. The caller is responsible for
// calling [Builder.Close] when the builder is no longer needed.
func NewBuilder(keyObfuscatorRegex string, valueObfuscatorRegex string) (*Builder, error) {
	if ok, err := Load(); !ok {
		return nil, err
	}

	var pinner runtime.Pinner
	defer pinner.Unpin()
	hdl := bindings.Lib.BuilderInit(newConfig(&pinner, keyObfuscatorRegex, valueObfuscatorRegex))

	if hdl == 0 {
		return nil, errors.New("failed to initialize the WAF builder")
	}

	return &Builder{handle: hdl}, nil
}

// Close releases all resources associated with this builder.
func (b *Builder) Close() {
	if b == nil || b.handle == 0 {
		return
	}
	bindings.Lib.BuilderDestroy(b.handle)
	b.handle = 0
}

var (
	errUpdateFailed  = errors.New("failed to update WAF Builder instance")
	errBuilderClosed = errors.New("builder has already been closed")
)

const defaultRecommendedRulesetPath = "::/go-libddwaf/default/recommended.json"

// AddDefaultRecommendedRuleset adds the default recommended ruleset to the
// receiving [Builder], and returns the [Diagnostics] produced in the process.
func (b *Builder) AddDefaultRecommendedRuleset() (Diagnostics, error) {
	defaultRuleset, err := ruleset.DefaultRuleset()
	defer bindings.Lib.ObjectFree(&defaultRuleset)
	if err != nil {
		return Diagnostics{}, fmt.Errorf("failed to load default recommended ruleset: %w", err)
	}

	diag, err := b.addOrUpdateConfig(defaultRecommendedRulesetPath, &defaultRuleset)
	if err == nil {
		b.defaultLoaded = true
	}
	return diag, err
}

// RemoveDefaultRecommendedRuleset removes the default recommended ruleset from
// the receiving [Builder]. Returns true if the removal occurred (meaning the
// default recommended ruleset was indeed present in the builder).
func (b *Builder) RemoveDefaultRecommendedRuleset() bool {
	if b.RemoveConfig(defaultRecommendedRulesetPath) {
		b.defaultLoaded = false
		return true
	}
	return false
}

// AddOrUpdateConfig adds or updates a configuration fragment to this [Builder].
// Returns the [Diagnostics] produced by adding or updating this configuration.
func (b *Builder) AddOrUpdateConfig(path string, fragment any) (Diagnostics, error) {
	if b == nil || b.handle == 0 {
		return Diagnostics{}, errBuilderClosed
	}

	if path == "" {
		return Diagnostics{}, errors.New("path cannot be blank")
	}

	var pinner runtime.Pinner
	defer pinner.Unpin()

	encoder, err := newEncoder(newUnlimitedEncoderConfig(&pinner))
	if err != nil {
		return Diagnostics{}, fmt.Errorf("could not create encoder: %w", err)
	}

	frag, err := encoder.Encode(fragment)
	if err != nil {
		return Diagnostics{}, fmt.Errorf("could not encode the config fragment into a WAF object; %w", err)
	}

	return b.addOrUpdateConfig(path, frag)
}

// addOrUpdateConfig adds or updates a configuration fragment to this [Builder].
// Returns the [Diagnostics] produced by adding or updating this configuration.
func (b *Builder) addOrUpdateConfig(path string, cfg *bindings.WAFObject) (Diagnostics, error) {
	var diagnosticsWafObj bindings.WAFObject
	defer bindings.Lib.ObjectFree(&diagnosticsWafObj)

	res := bindings.Lib.BuilderAddOrUpdateConfig(b.handle, path, cfg, &diagnosticsWafObj)

	var diags Diagnostics
	if !diagnosticsWafObj.IsInvalid() {
		// The Diagnostics object will be invalid if the config was completely
		// rejected.
		var err error
		diags, err = decodeDiagnostics(&diagnosticsWafObj)
		if err != nil {
			return diags, fmt.Errorf("failed to decode WAF diagnostics: %w", err)
		}
	}

	if !res {
		return diags, errUpdateFailed
	}
	return diags, nil
}

// RemoveConfig removes the configuration associated with the given path from
// this [Builder]. Returns true if the removal was successful.
func (b *Builder) RemoveConfig(path string) bool {
	if b == nil || b.handle == 0 {
		return false
	}

	return bindings.Lib.BuilderRemoveConfig(b.handle, path)
}

// ConfigPaths returns the list of currently loaded configuration paths.
func (b *Builder) ConfigPaths(filter string) []string {
	if b == nil || b.handle == 0 {
		return nil
	}

	return bindings.Lib.BuilderGetConfigPaths(b.handle, filter)
}

// Build creates a new [Handle] instance that uses the current configuration.
// Returns nil if an error occurs when building the handle. The caller is
// responsible for calling [Handle.Close] when the handle is no longer needed.
// This function may return nil.
func (b *Builder) Build() *Handle {
	if b == nil || b.handle == 0 {
		return nil
	}

	hdl := bindings.Lib.BuilderBuildInstance(b.handle)
	if hdl == 0 {
		return nil
	}

	return wrapHandle(hdl)
}