appsec: use the new waf.SupportsTarget() function

go.mod

@@ -9,7 +9,7 @@ require (
  github.com/DataDog/datadog-agent/pkg/obfuscate v0.45.0-rc.1
  github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.46.0-rc.4
  github.com/DataDog/datadog-go/v5 v5.1.1
- github.com/DataDog/go-libddwaf v1.3.0
+ github.com/DataDog/go-libddwaf v1.3.1-0.20230705103332-28f73a97f513
  github.com/DataDog/gostackparse v0.5.0
  github.com/DataDog/sketches-go v1.2.1
  github.com/Shopify/sarama v1.22.0

go.sum

@@ -633,6 +633,8 @@ github.com/DataDog/datadog-go/v5 v5.1.1 h1:JLZ6s2K1pG2h9GkvEvMdEGqMDyVLEAccdX5Tl
 github.com/DataDog/datadog-go/v5 v5.1.1/go.mod h1:KhiYb2Badlv9/rofz+OznKoEF5XKTonWyhx5K83AP8E=
 github.com/DataDog/go-libddwaf v1.3.0 h1:u489eIs/0k9HTsaf992wA5qSsp0RIaKwGjPX/CCgyfI=
 github.com/DataDog/go-libddwaf v1.3.0/go.mod h1:qLZEuaF5amEVMP5NTYtr/6m30m73voPL4i7SK7dnnt4=
+github.com/DataDog/go-libddwaf v1.3.1-0.20230705103332-28f73a97f513 h1:3+G+AfmuYq2eZa/vet0T9uRhAeA/jNCqbW+LQOql/lw=
+github.com/DataDog/go-libddwaf v1.3.1-0.20230705103332-28f73a97f513/go.mod h1:qLZEuaF5amEVMP5NTYtr/6m30m73voPL4i7SK7dnnt4=
 github.com/DataDog/go-tuf v0.3.0--fix-localmeta-fork h1:yBq5PrAtrM4yVeSzQ+bn050+Ysp++RKF1QmtkL4VqvU=
 github.com/DataDog/go-tuf v0.3.0--fix-localmeta-fork/go.mod h1:yA5JwkZsHTLuqq3zaRgUQf35DfDkpOZqgtBqHKpwrBs=
 github.com/DataDog/gostackparse v0.5.0 h1:jb72P6GFHPHz2W0onsN51cS3FkaMDcjb0QzgxxA4gDk=

internal/appsec/appsec.go

@@ -9,7 +9,6 @@
 package appsec
 
 import (
- "errors"
  "fmt"
  "sync"
 
@@ -48,21 +47,10 @@ func Start(opts ...StartOption) {
  return
  }
 
- // Check whether libddwaf - required for Threats Detection - can be enabled or not
- if ok, err := waf.Load(); err != nil {
- // Handle the error differently according to the following cases:
- // 1. If the error is about the unsupported target: log as an expected error case and quit appsec
- if actual := (*waf.UnsupportedTargetError)(nil); errors.As(err, &actual) {
- log.Error("appsec: unsupported operating-system or architecture: %v\nNo security activities will be collected. Please contact support at https://docs.datadoghq.com/help/ for help.", err)
- return
- }
- // 2. If there is an error and the loading is not ok: log as an unexpected error case and quit appsec
- if !ok {
- logUnexpectedStartError(fmt.Errorf("error while loading libddwaf: %w", err))
- return
- }
- // 3. If there is an error and the loading is ok: log as an informative error where appsec can be used
- log.Error("appsec: non-critical error while loading libddwaf: %v", err)
+ // Check whether libddwaf - required for Threats Detection - is supported or not
+ if supported, err := waf.SupportsTarget(); !supported {
+ log.Error("appsec: threats detection is not supported: %v\nNo security activities will be collected. Please contact support at https://docs.datadoghq.com/help/ for help.", err)
+ return
  }
 
  // From this point we know that AppSec is either enabled or can be enabled through remote config
@@ -148,6 +136,18 @@ func newAppSec(cfg *Config) *appsec {
 
 // Start AppSec by registering its security protections according to the configured the security rules.
 func (a *appsec) start() error {
+ // Load the waf to catch early errors if any
+ if ok, err := waf.Load(); err != nil {
+ // 1. If there is an error and the loading is not ok: log as an unexpected error case and quit appsec
+ // Note that we assume here that the test for the unsupported target has been done before calling
+ // this method, so it is now considered an error for this method
+ if !ok {
+ return fmt.Errorf("error while loading libddwaf: %w", err)
+ }
+ // 2. If there is an error and the loading is ok: log as an informative error where appsec can be used
+ log.Error("appsec: non-critical error while loading libddwaf: %v", err)
+ }
+
  a.limiter = NewTokenTicker(int64(a.cfg.traceRateLimit), int64(a.cfg.traceRateLimit))
  a.limiter.Start()
  // Register the WAF operation event listener

internal/appsec/appsec_test.go

@@ -23,7 +23,8 @@ import (
 
 func TestEnabled(t *testing.T) {
  enabledConfig, _ := strconv.ParseBool(os.Getenv("DD_APPSEC_ENABLED"))
- canBeEnabled := enabledConfig && waf.Health() == nil
+ wafSupported, _ := waf.SupportsTarget()
+ canBeEnabled := enabledConfig && wafSupported
 
  require.False(t, appsec.Enabled())
  tracer.Start()

internal/appsec/remoteconfig_test.go

@@ -25,7 +25,7 @@ import (
 )
 
 func TestASMFeaturesCallback(t *testing.T) {
- if waf.Health() != nil {
+ if supported, _ := waf.SupportsTarget(); !supported {
  t.Skip("WAF cannot be used")
  }
  enabledPayload := []byte(`{"asm":{"enabled":true}}`)
@@ -321,7 +321,7 @@ func TestMergeRulesDataEntries(t *testing.T) {
 
 // This test ensures that the remote activation capabilities are only set if DD_APPSEC_ENABLED is not set in the env.
 func TestRemoteActivationScenarios(t *testing.T) {
- if waf.Health() != nil {
+ if supported, _ := waf.SupportsTarget(); !supported {
  t.Skip("WAF cannot be used")
  }
 
@@ -547,7 +547,7 @@ func TestOnRCUpdate(t *testing.T) {
  }
 
  t.Run("post-stop", func(t *testing.T) {
- if waf.Health() != nil {
+ if supported, _ := waf.SupportsTarget(); !supported {
  t.Skip("WAF needs to be available for this test (remote activation requirement)")
  }
 
@@ -682,7 +682,7 @@ func TestWafRCUpdate(t *testing.T) {
  },
  }
 
- if waf.Health() != nil {
+ if supported, _ := waf.SupportsTarget(); !supported {
  t.Skip("WAF needs to be available for this test")
  }
 

internal/appsec/rule_test.go

@@ -17,7 +17,7 @@ import (
 )
 
 func TestStaticRule(t *testing.T) {
- if waf.Health() != nil {
+ if supported, _ := waf.SupportsTarget(); !supported {
  t.Skip("waf disabled")
  return
  }