
Module-based rule evaluation precedence #353

Open
wants to merge 29 commits into
base: master
from

Conversation

Anilm3
Collaborator

@Anilm3 Anilm3 commented Oct 28, 2024

This PR introduces the new concept of modules to better organise rules based on their precedence. Modules are introduced as a generic mechanism which contains a set of rules in the required order (user / base, blocking, etc). Individual modules can have optional grouping, which is introduced specifically for the purpose of having independent collections within the waf module, as the short-circuit evaluation follows a different criterion due to rules being grouped by type.

The modules introduced are the following: network-acl, authentication-acl, custom-acl, configuration, business-logic, rasp, waf. The network and authentication modules do not follow the provided timeout, and the ordering of each module changes a little bit based on whether user (Custom) or base (DD) rules should take precedence.

Related Jira: APPSEC-55598
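To make the evaluation order described above concrete, here is an added example that is not libddwaf's own code: modules are evaluated in a caller-supplied precedence order, the ACL modules ignore the deadline, and a blocking match ends the evaluation (that short-circuit rule and every name here, such as `rule_module` and `evaluate_modules`, are assumptions; the waf module's per-type grouping is not modelled).

```cpp
// Added example, not libddwaf's own code: a minimal model of module-ordered
// rule evaluation with per-module timeout exemption. All names are assumptions.
#include <chrono>
#include <string>
#include <vector>

struct rule {
    std::string id;
    bool matches;  // constructed outcome standing in for condition evaluation
    bool blocking; // a blocking match ends the whole evaluation (assumption)
};

struct rule_module {
    std::string name;        // e.g. "network-acl", "waf"
    bool honours_timeout;    // false for the network and authentication ACLs
    std::vector<rule> rules; // already in the module's required order
};

struct eval_result {
    std::vector<std::string> matched; // "module:rule" in evaluation order
    bool blocked = false;
    bool timed_out = false; // at least one module was skipped on deadline
};
using wall_clock = std::chrono::steady_clock;

// Modules run in the order given, so the first module holding a blocking match
// decides the verdict; timeout-honouring modules are skipped past the deadline.
eval_result evaluate_modules(const std::vector<rule_module> &modules,
    wall_clock::time_point deadline, wall_clock::time_point now) {
    eval_result result;
    for (const auto &mod : modules) {
        if (mod.honours_timeout && now >= deadline) {
            result.timed_out = true;
            continue;
        }
        for (const auto &r : mod.rules) {
            if (!r.matches) { continue; }
            result.matched.push_back(mod.name + ":" + r.id);
            if (r.blocking) { result.blocked = true; return result; }
        }
    }
    return result;
}

// Constructed sample in a base-first order: only the ACL module is exempt.
std::vector<rule_module> sample_modules() {
    return {{"network-acl", false, {{"blk-ip", false, true}}},
        {"custom-acl", true, {{"user-allow", true, false}}},
        {"waf", true, {{"sqli", true, true}, {"xss", true, true}}}};
}
```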

@codecov-commenter

codecov-commenter commented Oct 28, 2024

Codecov Report

Attention: Patch coverage is 91.17647% with 21 lines in your changes missing coverage. Please review.

Project coverage is 84.91%. Comparing base (eb80490) to head (8551f2e).

| Files with missing lines | Patch % | Lines |
|---|---|---|
| src/module.cpp | 89.74% | 4 Missing and 4 partials ⚠️ |
| src/ruleset.hpp | 33.33% | 0 Missing and 6 partials ⚠️ |
| src/clock.hpp | 75.00% | 0 Missing and 2 partials ⚠️ |
| src/context.hpp | 50.00% | 0 Missing and 2 partials ⚠️ |
| src/rule.hpp | 87.50% | 0 Missing and 2 partials ⚠️ |
| src/builder/module_builder.cpp | 96.96% | 1 Missing ⚠️ |
Additional details and impacted files
@@            Coverage Diff             @@
##           master     #353      +/-   ##
==========================================
+ Coverage   84.68%   84.91%   +0.22%     
==========================================
  Files         153      157       +4     
  Lines        7889     7993     +104     
  Branches     3520     3556      +36     
==========================================
+ Hits         6681     6787     +106     
+ Misses        460      459       -1     
+ Partials      748      747       -1     
| Flag | Coverage Δ |
|---|---|
| waf_test | 84.91% <91.17%> (+0.22%) ⬆️ |


@pr-commenter

pr-commenter bot commented Oct 28, 2024

Benchmarks

Benchmark execution time: 2024-11-27 22:03:31

Comparing candidate commit 8551f2e in PR branch anilm3/rule-precedence with baseline commit eb80490 in branch master.

Found 1 performance improvement and 0 performance regressions! Performance is the same for 0 metrics, 0 unstable metrics.

scenario:global-benchmark.random

  • 🟩 execution_time [-11.638ms; -11.508ms] or [-3.915%; -3.872%]

return std::hash<std::string_view>{}(address);
}

struct target_address {
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These are not currently used, but I plan to start using them soon.

@Anilm3 Anilm3 changed the title [WIP] Rule precedence Module-based rule evaluation precedence Nov 25, 2024
@Anilm3 Anilm3 marked this pull request as ready for review November 27, 2024 13:54
@Anilm3 Anilm3 requested a review from a team as a code owner November 27, 2024 13:54