appsec: grpc: remove MonitoringError and fix user blocking

Signed-off-by: Eliott Bouhana <[email protected]>

Author: eliottness

Diff for: contrib/google.golang.org/grpc/appsec.go

@@ -7,7 +7,6 @@ package grpc
 
 import (
 	"context"
-
 	"gopkg.in/DataDog/dd-trace-go.v1/ddtrace"
 	"gopkg.in/DataDog/dd-trace-go.v1/internal/appsec/dyngo"
 	"gopkg.in/DataDog/dd-trace-go.v1/internal/appsec/emitter/grpcsec"
@@ -62,11 +61,13 @@ func appsecUnaryHandlerMiddleware(method string, span ddtrace.Span, handler grpc
 			return nil, err
 		}
 		defer grpcsec.StartReceiveOperation(types.ReceiveOperationArgs{}, op).Finish(types.ReceiveOperationRes{Message: req})
-		rv, err := handler(ctx, req)
-		if e, ok := err.(*types.MonitoringError); ok {
-			err = status.Error(codes.Code(e.GRPCStatus()), e.Error())
+
+		rv, downstreamErr := handler(ctx, req)
+		if blocked {
+			return nil, err
 		}
-		return rv, err
+
+		return rv, downstreamErr
 	}
 }
 
@@ -113,11 +114,12 @@ func appsecStreamHandlerMiddleware(method string, span ddtrace.Span, handler grp
 			return err
 		}
 
-		err = handler(srv, stream)
-		if e, ok := err.(*types.MonitoringError); ok {
-			err = status.Error(codes.Code(e.GRPCStatus()), e.Error())
+		downstreamErr := handler(srv, stream)
+		if blocked {
+			return err
 		}
-		return err
+
+		return downstreamErr
 	}
 }
 

Diff for: internal/appsec/emitter/grpcsec/types/types.go

@@ -72,33 +72,8 @@ type (
 		// Corresponds to the address `grpc.server.request.message`.
 		Message interface{}
 	}
-
-	// MonitoringError is used to vehicle a gRPC error that also embeds a request status code
-	MonitoringError struct {
-		msg    string
-		status uint32
-	}
 )
 
-// NewMonitoringError creates and returns a new gRPC monitoring error, wrapped under
-// sharedesec.MonitoringError
-func NewMonitoringError(msg string, code uint32) error {
-	return &MonitoringError{
-		msg:    msg,
-		status: code,
-	}
-}
-
-// GRPCStatus returns the gRPC status code embedded in the error
-func (e *MonitoringError) GRPCStatus() uint32 {
-	return e.status
-}
-
-// Error implements the error interface
-func (e *MonitoringError) Error() string {
-	return e.msg
-}
-
 // Finish the gRPC handler operation, along with the given results, and emit a
 // finish event up in the operation stack.
 func (op *HandlerOperation) Finish(res HandlerOperationRes) []any {

Diff for: internal/appsec/listener/grpcsec/grpc.go

@@ -120,14 +120,7 @@ func (l *wafEventListener) onEvent(op *types.HandlerOperation, handlerArgs types
 			}
 			wafResult := shared.RunWAF(wafCtx, waf.RunAddressData{Persistent: values})
 			if wafResult.HasActions() || wafResult.HasEvents() {
-				for aType, params := range wafResult.Actions {
-					for _, action := range shared.ActionsFromEntry(aType, params) {
-						if grpcAction, ok := action.(*sharedsec.GRPCAction); ok {
-							code, err := grpcAction.GRPCWrapper(map[string][]string{})
-							dyngo.EmitData(userIDOp, types.NewMonitoringError(err.Error(), code))
-						}
-					}
-				}
+				shared.ProcessActions(userIDOp, wafResult.Actions)
 				shared.AddSecurityEvents(&op.SecurityEventsHolder, l.limiter, wafResult.Events)
 				log.Debug("appsec: WAF detected an authenticated user attack: %s", args.UserID)
 			}