Class: Datadog::AppSec::Contrib::Rack::RequestMiddleware

Inherits:

Object

• Object
• Datadog::AppSec::Contrib::Rack::RequestMiddleware

Defined in:

lib/datadog/appsec/contrib/rack/request_middleware.rb

Overview

Topmost Rack middleware for AppSec This should be inserted just below Datadog::Tracing::Contrib::Rack::TraceMiddleware

Instance Method Summary

• #call(env) ⇒ Object

  rubocop:disable Metrics/AbcSize,Metrics/PerceivedComplexity,Metrics/CyclomaticComplexity,Metrics/MethodLength.

• #initialize(app, opt = {}) ⇒ RequestMiddleware constructor

  A new instance of RequestMiddleware.

Constructor Details

#initialize(app, opt = {}) ⇒ RequestMiddleware

Returns a new instance of RequestMiddleware.

# File 'lib/datadog/appsec/contrib/rack/request_middleware.rb', line 32

def initialize(app, opt = {})
  @app = app

  @oneshot_tags_sent = false
  @rack_headers = {}
end

Instance Method Details

#call(env) ⇒ Object

rubocop:disable Metrics/AbcSize,Metrics/PerceivedComplexity,Metrics/CyclomaticComplexity,Metrics/MethodLength

# File 'lib/datadog/appsec/contrib/rack/request_middleware.rb', line 40

def call(env)
  return @app.call(env) unless Datadog::AppSec.enabled?

  boot = Datadog::Core::Remote::Tie.boot
  Datadog::Core::Remote::Tie::Tracing.tag(boot, active_span)

  processor = nil
  ready = false
  scope = nil

  # For a given request, keep using the first Rack stack scope for
  # nested apps. Don't set `context` local variable so that on popping
  # out of this nested stack we don't finalize the parent's context
  return @app.call(env) if active_scope(env)

  Datadog::AppSec.reconfigure_lock do
    processor = Datadog::AppSec.processor

    if !processor.nil? && processor.ready?
      scope = Datadog::AppSec::Scope.activate_scope(active_trace, active_span, processor)
      env[Datadog::AppSec::Ext::SCOPE_KEY] = scope
      ready = true
    end
  end

  # TODO: handle exceptions, except for @app.call

  return @app.call(env) unless ready

  gateway_request = Gateway::Request.new(env)

  add_appsec_tags(processor, scope)
  add_request_tags(scope, env)

  request_return, request_response = catch(::Datadog::AppSec::Ext::INTERRUPT) do
    Instrumentation.gateway.push('rack.request', gateway_request) do
      @app.call(env)
    end
  end

  if request_response
    blocked_event = request_response.find { |action, _options| action == :block }
    request_return = AppSec::Response.negotiate(env, blocked_event.last[:actions]).to_rack if blocked_event
  end

  gateway_response = Gateway::Response.new(
    request_return[2],
    request_return[0],
    request_return[1],
    scope: scope,
  )

  _response_return, response_response = Instrumentation.gateway.push('rack.response', gateway_response)

  result = scope.processor_context.extract_schema

  if result
    scope.processor_context.events << {
      trace: scope.trace,
      span: scope.service_entry_span,
      waf_result: result,
    }
  end

  scope.processor_context.events.each do |e|
    e[:response] ||= gateway_response
    e[:request]  ||= gateway_request
  end

  AppSec::Event.record(scope.service_entry_span, *scope.processor_context.events)

  if response_response
    blocked_event = response_response.find { |action, _options| action == :block }
    request_return = AppSec::Response.negotiate(env, blocked_event.last[:actions]).to_rack if blocked_event
  end

  request_return
ensure
  if scope
    add_waf_runtime_tags(scope)
    Datadog::AppSec::Scope.deactivate_scope
  end
end