appsec: grpc: remove MonitoringError and fix user blocking
Signed-off-by: Eliott Bouhana <[email protected]>
eliottness committed Jun 3, 2024
1 parent e21ebec commit a42d199
Showing 3 changed files with 12 additions and 42 deletions.
20 changes: 11 additions & 9 deletions contrib/google.golang.org/grpc/appsec.go
Expand Up @@ -7,7 +7,6 @@ package grpc

import (
"context"

"gopkg.in/DataDog/dd-trace-go.v1/ddtrace"
"gopkg.in/DataDog/dd-trace-go.v1/internal/appsec/dyngo"
"gopkg.in/DataDog/dd-trace-go.v1/internal/appsec/emitter/grpcsec"
Expand Down Expand Up @@ -62,11 +61,13 @@ func appsecUnaryHandlerMiddleware(method string, span ddtrace.Span, handler grpc
return nil, err
}
defer grpcsec.StartReceiveOperation(types.ReceiveOperationArgs{}, op).Finish(types.ReceiveOperationRes{Message: req})
rv, err := handler(ctx, req)
if e, ok := err.(*types.MonitoringError); ok {
err = status.Error(codes.Code(e.GRPCStatus()), e.Error())

rv, downstreamErr := handler(ctx, req)
if blocked {
return nil, err
}
return rv, err

return rv, downstreamErr
}
}

Expand Down Expand Up @@ -113,11 +114,12 @@ func appsecStreamHandlerMiddleware(method string, span ddtrace.Span, handler grp
return err
}

err = handler(srv, stream)
if e, ok := err.(*types.MonitoringError); ok {
err = status.Error(codes.Code(e.GRPCStatus()), e.Error())
downstreamErr := handler(srv, stream)
if blocked {
return err
}
return err

return downstreamErr
}
}

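Review bot: When `blocked` is observed after the handler returns (L34-L35 and L51-L52), the handler's own `rv` and `downstreamErr` are dropped in favour of `err` with nothing saying this is deliberate; a short comment such as `// a blocking action raised while the handler ran (e.g. user blocking) overrides the handler's result` would stop a later "fix" from re-surfacing `downstreamErr`. By that point the downstream handler has already executed — and in the streaming variant may already have sent messages on `stream` — so this enforces only the final status, not the handler's side effects, which is worth stating in the same comment. `blocked` and `err` are assigned outside the hunk (both closures begin before L26 and L44), so it cannot be seen here whether `err` is guaranteed non-nil whenever `blocked` is true; if it is not, `return nil, err` degrades to a silent `nil, nil` success, and a fallback such as `status.Error(codes.Aborted, "request blocked")` is advisable (the import hunk at L17 shows a single deletion, so `status`/`codes` appear to still be imported — confirm). Both middleware closures start and the enclosing functions end outside this hunk.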
25 changes: 0 additions & 25 deletions internal/appsec/emitter/grpcsec/types/types.go
Expand Up @@ -72,33 +72,8 @@ type (
// Corresponds to the address `grpc.server.request.message`.
Message interface{}
}

// MonitoringError is used to vehicle a gRPC error that also embeds a request status code
MonitoringError struct {
msg string
status uint32
}
)

// NewMonitoringError creates and returns a new gRPC monitoring error, wrapped under
// sharedesec.MonitoringError
func NewMonitoringError(msg string, code uint32) error {
return &MonitoringError{
msg: msg,
status: code,
}
}

// GRPCStatus returns the gRPC status code embedded in the error
func (e *MonitoringError) GRPCStatus() uint32 {
return e.status
}

// Error implements the error interface
func (e *MonitoringError) Error() string {
return e.msg
}

// Finish the gRPC handler operation, along with the given results, and emit a
// finish event up in the operation stack.
func (op *HandlerOperation) Finish(res HandlerOperationRes) []any {
9 changes: 1 addition & 8 deletions internal/appsec/listener/grpcsec/grpc.go
Expand Up @@ -120,14 +120,7 @@ func (l *wafEventListener) onEvent(op *types.HandlerOperation, handlerArgs types
}
wafResult := shared.RunWAF(wafCtx, waf.RunAddressData{Persistent: values})
if wafResult.HasActions() || wafResult.HasEvents() {
for aType, params := range wafResult.Actions {
for _, action := range shared.ActionsFromEntry(aType, params) {
if grpcAction, ok := action.(*sharedsec.GRPCAction); ok {
code, err := grpcAction.GRPCWrapper(map[string][]string{})
dyngo.EmitData(userIDOp, types.NewMonitoringError(err.Error(), code))
}
}
}
shared.ProcessActions(userIDOp, wafResult.Actions)
shared.AddSecurityEvents(&op.SecurityEventsHolder, l.limiter, wafResult.Events)
log.Debug("appsec: WAF detected an authenticated user attack: %s", args.UserID)
}
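Review bot: The removed loop delivered only `*sharedsec.GRPCAction` values to `userIDOp`, whereas the new `shared.ProcessActions(userIDOp, wafResult.Actions)` call on L112 presumably forwards every action type the WAF produced, so the listeners registered by the gRPC middleware must be confirmed to tolerate (or ignore) non-gRPC actions — nothing in this hunk narrows the set any more. Since `dyngo.EmitData` and the `sharedsec` type assertion were the only visible uses of those packages in this function, check that the `dyngo` and `sharedsec` imports are still referenced elsewhere in the file or remove them (the import block is outside the hunk). The `log.Debug` on L114 formats an attacker-influenced user ID with `%s`; `%q` keeps control characters and empty values visible in logs: `log.Debug("appsec: WAF detected an authenticated user attack: %q", args.UserID)`. `onEvent` starts and ends outside this hunk.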
