Class: Datadog::AppSec::Contrib::Rack::RequestMiddleware

Inherits:
Object
  • Object
show all
Defined in:
lib/datadog/appsec/contrib/rack/request_middleware.rb

Overview

Topmost Rack middleware for AppSec This should be inserted just below Datadog::Tracing::Contrib::Rack::TraceMiddleware

Instance Method Summary collapse

Constructor Details

#initialize(app, opt = {}) ⇒ RequestMiddleware

Returns a new instance of RequestMiddleware.



31
32
33
34
35
36
# File 'lib/datadog/appsec/contrib/rack/request_middleware.rb', line 31

def initialize(app, opt = {})
  @app = app

  @oneshot_tags_sent = false
  @rack_headers = {}
end

Instance Method Details

#call(env) ⇒ Object

rubocop:disable Metrics/AbcSize,Metrics/PerceivedComplexity,Metrics/CyclomaticComplexity,Metrics/MethodLength



39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
# File 'lib/datadog/appsec/contrib/rack/request_middleware.rb', line 39

def call(env)
  return @app.call(env) unless Datadog::AppSec.enabled?

  boot = Datadog::Core::Remote::Tie.boot
  Datadog::Core::Remote::Tie::Tracing.tag(boot, active_span)

  processor = nil
  ready = false
  scope = nil

  # For a given request, keep using the first Rack stack scope for
  # nested apps. Don't set `context` local variable so that on popping
  # out of this nested stack we don't finalize the parent's context
  return @app.call(env) if active_scope(env)

  Datadog::AppSec.reconfigure_lock do
    processor = Datadog::AppSec.processor

    if !processor.nil? && processor.ready?
      scope = Datadog::AppSec::Scope.activate_scope(active_trace, active_span, processor)
      env[Datadog::AppSec::Ext::SCOPE_KEY] = scope
      ready = true
    end
  end

  # TODO: handle exceptions, except for @app.call

  return @app.call(env) unless ready

  gateway_request = Gateway::Request.new(env)

  add_appsec_tags(processor, scope)
  add_request_tags(scope, env)

  request_return, request_response = catch(::Datadog::AppSec::Ext::INTERRUPT) do
    Instrumentation.gateway.push('rack.request', gateway_request) do
      @app.call(env)
    end
  end

  if request_response
    blocked_event = request_response.find { |action, _options| action == :block }
    request_return = AppSec::Response.negotiate(env, blocked_event.last[:actions]).to_rack if blocked_event
  end

  gateway_response = Gateway::Response.new(
    request_return[2],
    request_return[0],
    request_return[1],
    scope: scope,
  )

  _response_return, response_response = Instrumentation.gateway.push('rack.response', gateway_response)

  result = scope.processor_context.extract_schema

  if result
    scope.processor_context.events << {
      trace: scope.trace,
      span: scope.service_entry_span,
      waf_result: result,
    }
  end

  scope.processor_context.events.each do |e|
    e[:response] ||= gateway_response
    e[:request]  ||= gateway_request
  end

  AppSec::Event.record(scope.service_entry_span, *scope.processor_context.events)

  if response_response
    blocked_event = response_response.find { |action, _options| action == :block }
    request_return = AppSec::Response.negotiate(env, blocked_event.last[:actions]).to_rack if blocked_event
  end

  request_return
ensure
  if scope
    add_waf_runtime_tags(scope)
    Datadog::AppSec::Scope.deactivate_scope
  end
end