WAF Builder: independent configuration manager to generate WAF instances

[Anilm3]

This PR introduces a large change which is hereby referred to as the WAF builder. This new builder allows for the generation of WAF instances through independent configurations, while keeping track of all independent configurations so that they can be updated and / or removed in order to update an existing instance.

Configurations are uniquely identified by their path and can provide any and all of the supported primitives, which will be subsequently consolidated in order to generate a consistent instance. Generally, the WAF builder holds both the configurations (and specifications), as well as common evaluation primitives, for example, generated rules are kept and reused on each new instance for as long as they don't need to be updated. Similarly, expressions within filters, rules and processors are also preserved across updates, when relevant.

The change has also involved a large refactoring of the ruleset parser into multiple independent parsers all feeding into a single configuration, while keeping track of their individual changes. This refactor has resulted in configuration parsers and a separate set of "builders" which can be used to generate instances of each evaluation primitive based on all of the required elements that feed into their creation.

An example of using the new builder interface can be the following:

ddwaf_builder builder = ddwaf_builder_init(nullptr);

ddwaf_object rules = read_file("custom_rules.yaml");
ddwaf_builder_add_or_update_config(builder, "rules", sizeof("rules") - 1, &rules, nullptr);
ddwaf_object_free(&rules);

ddwaf_object custom_rules = read_file("custom_rules.yaml");
ddwaf_builder_add_or_update_config(builder, "custom_rules", sizeof("custom_rules") - 1, &custom_rules, nullptr);
ddwaf_object_free(&custom_rules);

ddwaf_handle handle = ddwaf_builder_build_instance(builder);

// Use the handle...

ddwaf_destroy(&handle); // the handle can be destroyed at any point

ddwaf_object custom_rules2 = read_file("custom_rules_2.yaml");
ddwaf_builder_add_or_update_config(builder, "custom_rules", sizeof("custom_rules") - 1, &custom_rules2, nullptr);
ddwaf_object_free(&custom_rules2);

handle = ddwaf_builder_build_instance(builder);

// Use the handle...

ddwaf_destroy(handle);

// Remove the custom rules
ddwaf_builder_remove_config(builder, "custom_rules", sizeof("custom_rules") - 1);
handle = ddwaf_builder_build_instance(builder);

// Use the handle...

ddwaf_destroy(handle);

ddwaf_builder_destroy(builder);

Pending tasks (to be addressed in new PRs)

Required:

• More test variants for configuration updates
• Diagnostics severity level (error, warning)
• Smoketest update to include builder symbols

Optional:

• WAF builder "fuzzer" test
• Rename ddwaf_config?

Related Jira: APPSEC-55064

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 87.05752% with 117 lines in your changes missing coverage. Please review.

Project coverage is 85.32%. Comparing base (73ad8e7) to head (b3101b5).

Files with missing lines	Patch %	Lines
src/interface.cpp	41.81%	23 Missing and 9 partials ⚠️
src/configuration/configuration_manager.cpp	83.43%	2 Missing and 26 partials ⚠️
src/configuration/legacy_rule_parser.cpp	71.73%	10 Missing and 3 partials ⚠️
src/transformer/common/utf8.cpp	73.68%	2 Missing and 3 partials ⚠️
src/builder/ruleset_builder.cpp	95.91%	1 Missing and 3 partials ⚠️
src/configuration/common/common.hpp	69.23%	2 Missing and 2 partials ⚠️
src/builder/action_mapper_builder.cpp	84.21%	1 Missing and 2 partials ⚠️
src/configuration/actions_parser.cpp	87.50%	0 Missing and 3 partials ⚠️
...c/configuration/common/configuration_collector.hpp	96.00%	1 Missing and 2 partials ⚠️
src/configuration/rule_override_parser.cpp	76.92%	2 Missing and 1 partial ⚠️
... and 11 more

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #363      +/-   ##
==========================================
+ Coverage   85.13%   85.32%   +0.18%     
==========================================
  Files         157      163       +6     
  Lines        7993     8169     +176     
  Branches     3551     3600      +49     
==========================================
+ Hits         6805     6970     +165     
+ Misses        459      439      -20     
- Partials      729      760      +31     

Flag	Coverage Δ
waf_test	85.32% <87.05%> (+0.18%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[pr-commenter]

Benchmarks

Benchmark execution time: 2025-01-30 13:30:14

Comparing candidate commit fd841fc in PR branch anilm3/waf_builder with baseline commit 73ad8e7 in branch master.

Found 1 performance improvements and 0 performance regressions! Performance is the same for 0 metrics, 0 unstable metrics.

scenario:global-benchmark.random

• 🟩 execution_time [-17.852ms; -17.794ms] or [-5.975%; -5.955%]

[cataphract]

do you really want to modify spec_.tags here?

[Anilm3]

As mentioned below, the rule builders are single use, I added a comment to make sure it's clear.

[cataphract]

your builders get to a bad state after calls to build(). Perhaps this is something you want to tackle in the future to prevent misusage

[Anilm3]

In reference to this comment and the one about tags.

This particular builder is currently single-use so after build it's expected that it won't be useful (e.g. same as after move). I guess I could reset the state and throw if a second build is attempted, but it seems unnecessary.

[Anilm3]

I've added a comment to make it clear that after build it should be considered invalid.

I did consider caching the rule builders and reusing them later but I'll leave that for a future improvement.

[cataphract]

why are rules individually managed through shared_ptr instead of final_base_rules_ being themselves behind a shared pointer (like the actions). Because AFAICT, whenever we have a base_rule_update, we rebuild the rules from scratch:

    if ((current_changes & base_rule_update) != change_set::none) {
        final_base_rules_.clear();
        // ...
        for (const auto &builder : rule_builders) {
            if (builder->is_enabled()) {
                final_base_rules_.emplace(builder->build(*actions_));
            }
        }

Same applies to the user rules.

As mentioned earlier, I would feel much safer if these rules had their immutability enforced by the compiler, to prevent races.

[Anilm3]

I'll address this in the next PR.

[cataphract]

same comment as with the rules. These are always build all together, so they could all be behind one single (for instance) shared_ptr<const map<string, unique_ptr<matcher::base>>>.

It seems the only case where this doesn't apply is the scanners, where a copy of the vector is needed because global_config.scanners can be modified at any point and actions, which already do it that way

[Anilm3]

Same as above, I'll address this in the next PR.

[Anilm3]

The remaining comments will be addressed in the next PR as this one is just too large at this stage.