appsec: don't enable blocking-related RC features when using local se…

…curity rules (#2626) Co-authored-by: Eliott Bouhana <[email protected]>
DataDog · Mar 21, 2024 · 90f431f · 90f431f
1 parent 485e60e
commit 90f431f
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 18 deletions.
diff --git a/internal/appsec/remoteconfig.go b/internal/appsec/remoteconfig.go
@@ -379,6 +379,10 @@ func (a *appsec) enableRCBlocking() {
 		log.Debug("appsec: Remote config: no valid remote configuration client")
 		return
 	}
+	if _, isSet := os.LookupEnv(internal.EnvRules); isSet {
+		log.Debug("appsec: Remote config: using rules from %s, blocking capabilities won't be enabled", a.cfg.RulesManager.BasePath)
+		return
+	}
 
 	products := []string{rc.ProductASM, rc.ProductASMDD, rc.ProductASMData}
 	for _, p := range products {
@@ -391,11 +395,9 @@ func (a *appsec) enableRCBlocking() {
 		log.Debug("appsec: Remote config: couldn't register callback: %v", err)
 	}
 
-	if _, isSet := os.LookupEnv(internal.EnvRules); !isSet {
-		for _, c := range blockingCapabilities {
-			if err := a.registerRCCapability(c); err != nil {
-				log.Debug("appsec: Remote config: couldn't register capability %v: %v", c, err)
-			}
+	for _, c := range blockingCapabilities {
+		if err := a.registerRCCapability(c); err != nil {
+			log.Debug("appsec: Remote config: couldn't register capability %v: %v", c, err)
 		}
 	}
 }

diff --git a/internal/appsec/remoteconfig_test.go b/internal/appsec/remoteconfig_test.go
@@ -368,25 +368,29 @@ func TestRemoteActivationScenarios(t *testing.T) {
 	})
 }
 
-func TestCapabilities(t *testing.T) {
+func TestCapabilitiesAndProducts(t *testing.T) {
 	for _, tc := range []struct {
-		name     string
-		env      map[string]string
-		expected []remoteconfig.Capability
+		name      string
+		env       map[string]string
+		expectedC []remoteconfig.Capability
+		expectedP []string
 	}{
 		{
-			name:     "appsec-unspecified",
-			expected: []remoteconfig.Capability{remoteconfig.ASMActivation},
+			name:      "appsec-unspecified",
+			expectedC: []remoteconfig.Capability{remoteconfig.ASMActivation},
+			expectedP: []string{rc.ProductASMFeatures},
 		},
 		{
-			name:     "appsec-enabled/default-RulesManager",
-			env:      map[string]string{config.EnvEnabled: "1"},
-			expected: blockingCapabilities[:],
+			name:      "appsec-enabled/default-RulesManager",
+			env:       map[string]string{config.EnvEnabled: "1"},
+			expectedC: blockingCapabilities[:],
+			expectedP: []string{rc.ProductASM, rc.ProductASMData, rc.ProductASMDD},
 		},
 		{
-			name:     "appsec-enabled/RulesManager-from-env",
-			env:      map[string]string{config.EnvEnabled: "1", internal.EnvRules: "testdata/blocking.json"},
-			expected: []remoteconfig.Capability{},
+			name:      "appsec-enabled/RulesManager-from-env",
+			env:       map[string]string{config.EnvEnabled: "1", internal.EnvRules: "testdata/blocking.json"},
+			expectedC: []remoteconfig.Capability{},
+			expectedP: []string{},
 		},
 	} {
 
@@ -401,11 +405,17 @@ func TestCapabilities(t *testing.T) {
 			if !Enabled() && activeAppSec == nil {
 				t.Skip()
 			}
-			for _, cap := range tc.expected {
+
+			for _, cap := range tc.expectedC {
 				found, err := remoteconfig.HasCapability(cap)
 				require.NoError(t, err)
 				require.True(t, found)
 			}
+			for _, p := range tc.expectedP {
+				found, err := remoteconfig.HasProduct(p)
+				require.NoError(t, err)
+				require.True(t, found)
+			}
 		})
 	}
 }