add support for reloading ruleset

Author: Dimss

src/test.c

@@ -2,6 +2,7 @@
 #include <wafielib.h>
 #include <stdlib.h>
 #include <string.h>
+#include <unistd.h>
 #include <pthread.h>
 
 
@@ -34,10 +35,29 @@ char *read_file(const char *filename) {
 
 void *evalu_request(void *ptr) {
     WafieEvaluationRequest *request = ptr;
-    wafie_init_transaction(request);
-    wafie_process_request_headers(request);
-    wafie_process_request_body(request);
-    wafie_cleanup(request);
+    for (int i = 0; i < 3; i++) {
+        wafie_init_transaction(request);
+        if (request->transaction != NULL) {
+            wafie_process_request_headers(request);
+            wafie_process_request_body(request);
+            wafie_cleanup(request);
+            break;
+        }
+        sleep(1);
+    }
+
+    return NULL;
+}
+
+void *reload_ruleset(void *ptr) {
+    WafieRuleSetConfig cfg[3];
+    cfg[0].protection_id = 1;
+    cfg[0].config_path = "/config1";
+    cfg[1].protection_id = 2;
+    cfg[1].config_path = "/config2";
+    cfg[2].protection_id = 3;
+    cfg[2].config_path = "/config3";
+    wafie_load_rule_sets(cfg, 3);
     return NULL;
 }
 
@@ -85,7 +105,7 @@ int main() {
         .headers_count = 2,
         .headers = headers1,
         .body = "",
-        .protection_id = 2,
+        .protection_id = 3,
     };
     WafieEvaluationRequest request4 = {
         .client_ip = "192.168.1.3",
@@ -95,7 +115,7 @@ int main() {
         .headers_count = 2,
         .headers = headers1,
         .body = "",
-        .protection_id = 2,
+        .protection_id = 3,
     };
     WafieEvaluationRequest request5 = {
         .client_ip = "192.168.1.3",
@@ -105,7 +125,7 @@ int main() {
         .headers_count = 2,
         .headers = headers1,
         .body = "",
-        .protection_id = 2,
+        .protection_id = 3,
     };
     WafieEvaluationRequest request6 = {
         .client_ip = "192.168.1.3",
@@ -128,22 +148,28 @@ int main() {
     pthread_t thread4;
     pthread_t thread5;
     pthread_t thread6;
+    pthread_t thread_reload_ruleset;
+
     const int t1 = pthread_create(&thread1, NULL, evalu_request, &request1);
-    // const int t2 = pthread_create(&thread2, NULL, evalu_request, &request2);
-    // const int t3 = pthread_create(&thread3, NULL, evalu_request, &request3);
-    // const int t4 = pthread_create(&thread4, NULL, evalu_request, &request4);
-    // const int t5 = pthread_create(&thread5, NULL, evalu_request, &request5);
-    // const int t6 = pthread_create(&thread6, NULL, evalu_request, &request6);
-    // if (t1 || t2 || t3 || t4 || t5 || t6) {
-    //     fprintf(stderr, "Error - pthread_create() return code: %d\n", t1 || t2);
-    //     exit(EXIT_FAILURE);
-    // }
+    const int t2 = pthread_create(&thread2, NULL, evalu_request, &request2);
+    const int th7 = pthread_create(&thread_reload_ruleset, NULL, reload_ruleset, NULL);
+    const int t3 = pthread_create(&thread3, NULL, evalu_request, &request3);
+    const int t4 = pthread_create(&thread4, NULL, evalu_request, &request4);
+    const int t5 = pthread_create(&thread5, NULL, evalu_request, &request5);
+    const int t6 = pthread_create(&thread6, NULL, evalu_request, &request6);
+    if (t1 || t2 || t3 || t4 || t5 || t6 || th7) {
+        fprintf(stderr, "Error - pthread_create() return code: %d\n", t1 || t2);
+        exit(EXIT_FAILURE);
+    }
+
     pthread_join(thread1, NULL);
-    // pthread_join(thread2, NULL);
-    // pthread_join(thread3, NULL);
-    // pthread_join(thread4, NULL);
-    // pthread_join(thread5, NULL);
-    // pthread_join(thread6, NULL);
+    pthread_join(thread2, NULL);
+    pthread_join(thread3, NULL);
+    pthread_join(thread4, NULL);
+    pthread_join(thread5, NULL);
+    pthread_join(thread6, NULL);
+    pthread_join(thread_reload_ruleset, NULL);
+
     free(headers1);
 
     char *audit_content = read_file("/tmp/modsec_audit.log");

src/wafielib.c

@@ -3,14 +3,20 @@
 #include <stdio.h>
 #include <dirent.h>
 #include <pthread.h>
+#include <sys/time.h>
 #include "modsecurity/rules_set.h"
 #include "modsecurity/modsecurity.h"
 #include "modsecurity/transaction.h"
 #include "modsecurity/intervention.h"
 
+#ifndef WAFIE_RULESET_BUFFER_SIZE
+#define WAFIE_RULESET_BUFFER_SIZE 1000
+#endif
+
 
 ModSecurity *modsec;
-WafieRuleSet *wrs[1000];
+WafieRuleSet *wrs[WAFIE_RULESET_BUFFER_SIZE];
+WafieRuleSet *wrs_swap[WAFIE_RULESET_BUFFER_SIZE];
 pthread_rwlock_t ruleset_lock = PTHREAD_RWLOCK_INITIALIZER;
 
 ModSecurityIntervention wafie_new_intervention() {
@@ -23,13 +29,15 @@ ModSecurityIntervention wafie_new_intervention() {
     return intervention;
 }
 
+
 // register logs call back
 void wafie_log_cb(void *data, const void *msg) {
     fprintf(stderr, "%s\n", (const char *) msg);
 }
 
 static void wafie_load_main_configs(RulesSet *rule_set, char *config_path, int protection_id) {
-    fprintf(stdout, "[libwafie.protection.id: %d] loading main configuration \n", protection_id);
+    fprintf(stdout, "[libwafie.wafie_load_main_configs.protection.id: %d] loading main configuration \n",
+            protection_id);
     char **main_config_files = (char *[]){
         "modsecurity.conf",
         "crs-setup.conf",
@@ -47,12 +55,12 @@ static void wafie_load_main_configs(RulesSet *rule_set, char *config_path, int p
                 msc_rules_error_cleanup(error);
             }
         }
-        // request->total_loaded_rules += ret;
     }
 }
 
 static void wafie_load_modescurity_rules_configs(RulesSet *rule_set, char *config_path, int protection_id) {
-    fprintf(stdout, "[libwafie.protection.id: %d] loading rules \n", protection_id);
+    fprintf(stdout, "[libwafie.wafie_load_modescurity_rules_configs.protection.id: %d] loading rules \n",
+            protection_id);
     const char *error = NULL;
     // const char *config_file_suffix = ".conf";
     // 7 = strlen("/rules") + 1
@@ -95,53 +103,73 @@ void wafie_init() {
 }
 
 void wafie_load_rule_sets(WafieRuleSetConfig cfg[], const int cfg_size) {
-    // lock rules for RW
-    pthread_rwlock_wrlock(&ruleset_lock);
-    WafieRuleSet *wrs_swap[1000];
+    struct timespec start, end;
+    clock_gettime(CLOCK_MONOTONIC, &start);
+    fprintf(stdout, "[libwafie.wafie_load_rule_sets] reloading ruleset \n");
     for (int i = 0; i < cfg_size; i++) {
-        wrs[i] = malloc(sizeof(WafieRuleSet));
-        wrs[i]->protection_id = cfg[i].protection_id;
-        wrs[i]->rules = msc_create_rules_set();
+        wrs_swap[i] = malloc(sizeof(WafieRuleSet));
+        wrs_swap[i]->protection_id = cfg[i].protection_id;
+        wrs_swap[i]->rules = msc_create_rules_set();
         // load main configurations files
-        wafie_load_main_configs(wrs[i]->rules, cfg[i].config_path, wrs[i]->protection_id);
+        wafie_load_main_configs(wrs_swap[i]->rules, cfg[i].config_path, wrs_swap[i]->protection_id);
         // load the rules files
-        wafie_load_modescurity_rules_configs(wrs[i]->rules, cfg[i].config_path, wrs[i]->protection_id);
+        wafie_load_modescurity_rules_configs(wrs_swap[i]->rules, cfg[i].config_path, wrs_swap[i]->protection_id);
+    }
+    // lock rules for RW
+    pthread_rwlock_wrlock(&ruleset_lock);
+    WafieRuleSet *old_rules[WAFIE_RULESET_BUFFER_SIZE];
+    for (int i = 0; i < WAFIE_RULESET_BUFFER_SIZE; i++) {
+        old_rules[i] = wrs[i]; // Save old pointers
+        wrs[i] = (i < cfg_size) ? wrs_swap[i] : NULL; // Atomic pointer swap
+        wrs_swap[i] = NULL;
     }
     // unlock rules for RW
     pthread_rwlock_unlock(&ruleset_lock);
+    // Clean up old rules after lock is released
+    for (int i = 0; i < WAFIE_RULESET_BUFFER_SIZE; i++) {
+        if (old_rules[i] != NULL) {
+            msc_rules_cleanup(old_rules[i]->rules);
+            free(old_rules[i]);
+        }
+    }
+    clock_gettime(CLOCK_MONOTONIC, &end);
+    long long elapsed_ns = (end.tv_sec - start.tv_sec) * 1000000000LL + (end.tv_nsec - start.tv_nsec);
+    double elapsed_ms = elapsed_ns / 1000000.0;
+    fprintf(stdout, "[libwafie.wafie_load_rule_sets] reload ruleset took  %.3f ms\n", elapsed_ms);
 }
 
 // init transaction
 void wafie_init_transaction(WafieEvaluationRequest *request) {
     struct timespec start, end;
-
     clock_gettime(CLOCK_MONOTONIC, &start);
+    // read lock
     pthread_rwlock_rdlock(&ruleset_lock);
-    fprintf(stdout, "[libwafie: protection id - %d] initializing evaluation request\n", request->protection_id);
-    // init modesc
-    // request->modsec = msc_init();
-    // msc_set_log_cb(request->modsec, wafie_log_cb);
-    // msc_set_connector_info(request->modsec, "wafie v0.0.2-alpha");
-    // load rules
-    // request->total_loaded_rules = 0;
-    // request->rules = msc_create_rules_set();
-    // wafie_load_modsecuirty_configuration(request);
+    fprintf(stdout, "[libwafie.wafie_init_transaction.protection id - %d] initializing evaluation request\n",
+            request->protection_id);
     // init transaction
-    int rule_set_idx = 0;
-    for (int i = 0; i < 1; i++) {
-        if (wrs[i]->protection_id == request->protection_id) {
+    int rule_set_idx = -1;
+    for (int i = 0; i < WAFIE_RULESET_BUFFER_SIZE; i++) {
+        if (wrs[i] != NULL && wrs[i]->protection_id == request->protection_id) {
             rule_set_idx = i;
             break;
         }
     }
-    request->transaction = msc_new_transaction(modsec, wrs[rule_set_idx]->rules, NULL);
+    if (rule_set_idx == -1) {
+        fprintf(
+            stderr, "[libwafie.wafie_init_transaction.protection id - %d] error: no ruleset found for protection_id\n",
+            request->protection_id);
+    } else {
+        request->transaction = msc_new_transaction(modsec, wrs[rule_set_idx]->rules, NULL);
+    }
+    // read unlock
     pthread_rwlock_unlock(&ruleset_lock);
     clock_gettime(CLOCK_MONOTONIC, &end);
-
     long long elapsed_ns = (end.tv_sec - start.tv_sec) * 1000000000LL + (end.tv_nsec - start.tv_nsec);
     double elapsed_ms = elapsed_ns / 1000000.0;
-    fprintf(stdout, "[libwafie: protection id - %d] evaluation request initialization took  %.3f ms\n",
-            request->protection_id, elapsed_ms);
+    fprintf(
+        stdout,
+        "[libwafie.wafie_init_transaction.protection id - %d] evaluation request initialization took  %.3f ms\n",
+        request->protection_id, elapsed_ms);
 }
 
 // cleanup transaction
@@ -181,9 +209,9 @@ int wafie_process_intervention(Transaction *transaction) {
 // process headers
 int wafie_process_request_headers(WafieEvaluationRequest const *request) {
     struct timespec start, end;
-
     clock_gettime(CLOCK_MONOTONIC, &start);
-    fprintf(stdout, "[libwafie.protection.id: %d] processing request headers \n", request->protection_id);
+    fprintf(stdout, "[libwafie.wafie_process_request_headers.protection.id: %d] processing request \n",
+            request->protection_id);
     int intervention_status = 0;
     // process connection
     msc_process_connection(request->transaction, request->client_ip, 0, "0.0.0.0", 0);
@@ -192,10 +220,13 @@ int wafie_process_request_headers(WafieEvaluationRequest const *request) {
         return intervention_status;
     }
     // process URI and request headers
-    fprintf(stdout, "[libwafie.protection.id: %d] request uri -> %s\n", request->protection_id, request->uri);
-    fprintf(stdout, "[libwafie.protection.id: %d] request method -> %s\n", request->protection_id,
+    fprintf(stdout, "[libwafie.wafie_process_request_headers.protection.id: %d] uri -> %s\n",
+            request->protection_id, request->uri);
+    fprintf(stdout, "[libwafie.wafie_process_request_headers.protection.id: %d] method -> %s\n",
+            request->protection_id,
             request->http_method);
-    fprintf(stdout, "[libwafie.protection.id: %d] request version -> %s\n", request->protection_id,
+    fprintf(stdout, "[libwafie.wafie_process_request_headers.protection.id: %d] version -> %s\n",
+            request->protection_id,
             request->http_version);
     msc_process_uri(request->transaction, request->uri, request->http_method, request->http_version);
     intervention_status = wafie_process_intervention(request->transaction);
@@ -204,7 +235,7 @@ int wafie_process_request_headers(WafieEvaluationRequest const *request) {
     }
     for (size_t i = 0; i < request->headers_count; i++) {
         msc_add_request_header(request->transaction, request->headers[i].key, request->headers[i].value);
-        fprintf(stdout, "[libwafie.protection.id: %d] request header -> %s: %s\n",
+        fprintf(stdout, "[libwafie.wafie_process_request_headers.protection.id: %d] header -> %s: %s\n",
                 request->protection_id,
                 (const char *) request->headers[i].key,
                 (const char *) request->headers[i].value);
@@ -215,8 +246,9 @@ int wafie_process_request_headers(WafieEvaluationRequest const *request) {
 
     long long elapsed_ns = (end.tv_sec - start.tv_sec) * 1000000000LL + (end.tv_nsec - start.tv_nsec);
     double elapsed_ms = elapsed_ns / 1000000.0;
-    fprintf(stdout, "[libwafie.protection.id: %d] processing request headers took  %.3f ms\n",
-            request->protection_id, elapsed_ms);
+    fprintf(
+        stdout, "[libwafie.wafie_process_request_headers.protection.id: %d] processing request took  %.3f ms\n",
+        request->protection_id, elapsed_ms);
 
     if (intervention_status != 0) {
         return intervention_status;
@@ -227,9 +259,8 @@ int wafie_process_request_headers(WafieEvaluationRequest const *request) {
 // process body
 int wafie_process_request_body(WafieEvaluationRequest const *request) {
     struct timespec start, end;
-
-
-    fprintf(stdout, "[libwafie.protection.id: %d] processing request body \n", request->protection_id);
+    fprintf(stdout, "[libwafie.wafie_process_request_body.protection.id: %d] processing request\n",
+            request->protection_id);
     int intervention_status = 0;
     // process request body
     if (request->body != NULL) {
@@ -246,7 +277,7 @@ int wafie_process_request_body(WafieEvaluationRequest const *request) {
 
         long long elapsed_ns = (end.tv_sec - start.tv_sec) * 1000000000LL + (end.tv_nsec - start.tv_nsec);
         double elapsed_ms = elapsed_ns / 1000000.0;
-        fprintf(stdout, "[libwafie.protection.id: %d] processing request body took  %.3f ms\n",
+        fprintf(stdout, "[libwafie.wafie_process_request_body.protection.id: %d] processing request took  %.3f ms\n",
                 request->protection_id, elapsed_ms);
 
         if (intervention_status != 0) {