Module-based rule evaluation precedence

[Anilm3]

This PR introduces the new concept of modules to better organise rules based on their precedence. Modules are introduced as a generic mechanism which contains a set of rules in the required order (user / base, blocking, etc). Individual modules can have optional grouping, which is introduced specifically for the purpose of having independent collections within the waf module, as the short-circuit evaluation follows a different criteria due to rules being grouped by type.

The modules introduced are the following: network-acl, authentication-acl, custom-acl, configuration, business-logic, rasp, waf. The network and authentication modules do not follow the provided timeout, and the ordering of each module changes a little bit based on whether user (Custom) or base (DD) rules should take precedence.

Related Jira: APPSEC-55598

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 92.08333% with 19 lines in your changes missing coverage. Please review.

Project coverage is 84.95%. Comparing base (eb80490) to head (d880126).

Files with missing lines	Patch %	Lines
src/module.cpp	89.74%	4 Missing and 4 partials ⚠️
src/ruleset.hpp	33.33%	0 Missing and 6 partials ⚠️
src/context.hpp	33.33%	0 Missing and 2 partials ⚠️
src/rule.hpp	87.50%	0 Missing and 2 partials ⚠️
src/builder/module_builder.cpp	96.87%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #353      +/-   ##
==========================================
+ Coverage   84.68%   84.95%   +0.26%     
==========================================
  Files         153      157       +4     
  Lines        7889     7994     +105     
  Branches     3520     3551      +31     
==========================================
+ Hits         6681     6791     +110     
+ Misses        460      459       -1     
+ Partials      748      744       -4     

Flag	Coverage Δ
waf_test	84.95% <92.08%> (+0.26%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[pr-commenter]

Benchmarks

Benchmark execution time: 2024-12-02 11:52:22

Comparing candidate commit d880126 in PR branch anilm3/rule-precedence with baseline commit eb80490 in branch master.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 1 metrics, 0 unstable metrics.

[Anilm3]

These are not currently used, but I plan to start using them soon.

[Leiyks]

lgtm

[cataphract]

Do you need shared ownership so that ruleset_builder can reuse the rules in updates that don't replace the rules? Did you ensure that rules that are mutated in an update (through toggle/set_actions/set_verdict) are not incorrectly shared between rulesets?

[Anilm3]

Do you need shared ownership so that ruleset_builder can reuse the rules in updates that don't replace the rules?

Yes, and between live handles / contexts during or after update.

Did you ensure that rules that are mutated in an update (through toggle/set_actions/set_verdict) are not incorrectly shared between rulesets?

Currently rules are not mutated, they are regenerated when overrides are applied.

[cataphract]

I see. Does it mean the current code is buggy, given that you changed the definition of base_rule_update? I find this strategy on the dangerous side, because the correctness depends on distinct parts of the codebase to act in concert not to do unsafe writes.

Perhaps a better alternative would be to make core_rule immutable; the mutation methods would instead return a new instance. You could then perhaps even avoid recreating the full set of rules; the ruleset_builder would need to store the original rules (before overrides).

[Anilm3]

Does it mean the current code is buggy, given that you changed the definition of base_rule_update?

Not really, the only difference is that now an update to the actions will result in regenerating rules.

I find this strategy on the dangerous side, because the correctness depends on distinct parts of the codebase to act in concert not to do unsafe writes.

Perhaps a better alternative would be to make core_rule immutable; the mutation methods would instead return a new instance. You could then perhaps even avoid recreating the full set of rules; the ruleset_builder would need to store the original rules (before overrides).

I have to refactor everything for the multi-configuration builder, I am making rules safely mutable to avoid the re-computation costs the current strategy results in, or at least this is the direction I'm currently going on, I might change my mind.