DataDog
diff --git a/‎dd-java-agent/appsec/build.gradle
Lines changed: 3 additions & 1 deletion b/‎dd-java-agent/appsec/build.gradle
Lines changed: 3 additions & 1 deletion
diff --git a/‎dd-java-agent/appsec/src/jmh/java/datadog/appsec/benchmark/WafBenchmark.java
Lines changed: 31 additions & 16 deletions b/‎dd-java-agent/appsec/src/jmh/java/datadog/appsec/benchmark/WafBenchmark.java
Lines changed: 31 additions & 16 deletions
diff --git a/‎dd-java-agent/appsec/src/main/java/com/datadog/appsec/AppSecModule.java
Lines changed: 7 additions & 0 deletions b/‎dd-java-agent/appsec/src/main/java/com/datadog/appsec/AppSecModule.java
Lines changed: 7 additions & 0 deletions
diff --git a/‎dd-java-agent/appsec/src/main/java/com/datadog/appsec/AppSecSystem.java
Lines changed: 15 additions & 7 deletions b/‎dd-java-agent/appsec/src/main/java/com/datadog/appsec/AppSecSystem.java
Lines changed: 15 additions & 7 deletions
diff --git a/‎dd-java-agent/appsec/src/main/java/com/datadog/appsec/config/AppSecConfig.java
Lines changed: 0 additions & 124 deletions b/‎dd-java-agent/appsec/src/main/java/com/datadog/appsec/config/AppSecConfig.java
Lines changed: 0 additions & 124 deletions
diff --git a/‎dd-java-agent/appsec/src/main/java/com/datadog/appsec/config/AppSecConfigDeserializer.java
Lines changed: 0 additions & 31 deletions b/‎dd-java-agent/appsec/src/main/java/com/datadog/appsec/config/AppSecConfigDeserializer.java
Lines changed: 0 additions & 31 deletions
@@ -68,9 +68,10 @@ ext {
   minimumBranchCoverage = 0.6
   minimumInstructionCoverage = 0.8
   excludedClassesCoverage = [
-    'com.datadog.appsec.config.MergedAsmData.InvalidAsmDataException',
+    'com.datadog.appsec.config.AppSecConfigServiceImpl.AppSecConfigChangesListener',
     'com.datadog.appsec.ddwaf.WafInitialization',
     'com.datadog.appsec.ddwaf.WAFModule.WAFDataCallback',
+    'com.datadog.appsec.config.AppSecModuleConfigurer.Reconfiguration',
     'com.datadog.appsec.report.*',
     'com.datadog.appsec.config.AppSecConfigServiceImpl.SubscribeFleetServiceRunnable.1',
     'com.datadog.appsec.util.StandardizedLogging',
@@ -82,6 +83,7 @@ ext {
     'com.datadog.appsec.config.AppSecFeatures.Asm',
     'com.datadog.appsec.config.AppSecFeatures.ApiSecurity',
     'com.datadog.appsec.config.AppSecFeatures.AutoUserInstrum',
+    'com.datadog.appsec.AppSecModule.AppSecModuleActivationException',
     'com.datadog.appsec.event.ReplaceableEventProducerService',
     'com.datadog.appsec.api.security.ApiSecuritySampler.NoOp',
   ]
 
@@ -3,21 +3,24 @@
 import static java.util.concurrent.TimeUnit.MICROSECONDS;
 import static java.util.concurrent.TimeUnit.SECONDS;
 
-import com.datadog.appsec.config.AppSecConfig;
-import com.datadog.appsec.config.AppSecConfigDeserializer;
 import com.datadog.appsec.event.data.KnownAddresses;
 import com.datadog.ddwaf.Waf;
+import com.datadog.ddwaf.WafBuilder;
 import com.datadog.ddwaf.WafContext;
 import com.datadog.ddwaf.WafHandle;
 import com.datadog.ddwaf.WafMetrics;
 import com.datadog.ddwaf.exception.AbstractWafException;
+import com.squareup.moshi.JsonAdapter;
+import com.squareup.moshi.Moshi;
+import com.squareup.moshi.Types;
 import java.io.IOException;
 import java.io.InputStream;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import okio.Okio;
 import org.openjdk.jmh.annotations.Benchmark;
 import org.openjdk.jmh.annotations.BenchmarkMode;
 import org.openjdk.jmh.annotations.Fork;
@@ -38,45 +41,49 @@
 @OutputTimeUnit(MICROSECONDS)
 @Fork(value = 3)
 public class WafBenchmark {
+  private static final JsonAdapter<Map<String, Object>> ADAPTER =
+      new Moshi.Builder()
+          .build()
+          .adapter(Types.newParameterizedType(Map.class, String.class, Object.class));
 
   static {
     BenchmarkUtil.disableLogging();
     BenchmarkUtil.initializeWaf();
   }
 
-  WafHandle ctx;
+  WafBuilder wafBuilder;
+  WafHandle wafHandle;
+  WafContext wafContext;
   Map<String, Object> wafData = new HashMap<>();
   Waf.Limits limits = new Waf.Limits(50, 500, 1000, 5000000, 5000000);
 
   @Benchmark
   public void withMetrics() throws Exception {
-    WafMetrics metricsCollector = ctx.createMetrics();
-    WafContext add = ctx.openContext();
+    WafMetrics metricsCollector = new WafMetrics();
+    wafContext = new WafContext(wafHandle);
     try {
-      add.run(wafData, limits, metricsCollector);
+      wafContext.run(wafData, limits, metricsCollector);
     } finally {
-      add.close();
+      wafContext.close();
     }
   }
 
   @Benchmark
   public void withoutMetrics() throws Exception {
-    WafContext add = ctx.openContext();
+    wafContext = new WafContext(wafHandle);
     try {
-      add.run(wafData, limits, null);
+      wafContext.run(wafData, limits, null);
     } finally {
-      add.close();
+      wafContext.close();
     }
   }
 
   @Setup(Level.Trial)
   public void setUp() throws AbstractWafException, IOException {
+    wafBuilder = new WafBuilder();
     InputStream stream = getClass().getClassLoader().getResourceAsStream("test_multi_config.json");
-    Map<String, AppSecConfig> cfg =
-        Collections.singletonMap("waf", AppSecConfigDeserializer.INSTANCE.deserialize(stream));
-    AppSecConfig waf = cfg.get("waf");
-    ctx = Waf.createHandle("waf", waf.getRawConfig());
-
+    wafBuilder.addOrUpdateConfig("waf", ADAPTER.fromJson(Okio.buffer(Okio.source(stream))));
+    wafHandle = wafBuilder.buildWafHandleInstance();
     wafData.put(KnownAddresses.REQUEST_METHOD.getKey(), "POST");
     wafData.put(
         KnownAddresses.REQUEST_URI_RAW.getKey(), "/foo/bar?foo=bar&foo=xpto&foo=%3cscript%3e");
@@ -112,6 +119,14 @@ public void setUp() throws AbstractWafException, IOException {
 
   @TearDown(Level.Trial)
   public void teardown() {
-    ctx.close();
+    if (wafHandle != null && wafHandle.isOnline()) {
+      wafHandle.close();
+    }
+    if (wafContext != null && wafContext.isOnline()) {
+      wafContext.close();
+    }
+    if (wafBuilder != null && wafBuilder.isOnline()) {
+      wafBuilder.close();
+    }
   }
 }
@@ -3,17 +3,24 @@
 import com.datadog.appsec.config.AppSecModuleConfigurer;
 import com.datadog.appsec.event.DataListener;
 import com.datadog.appsec.event.data.Address;
+import com.datadog.ddwaf.WafBuilder;
 import java.util.Collection;
 
 public interface AppSecModule {
   void config(AppSecModuleConfigurer appSecConfigService) throws AppSecModuleActivationException;
 
+  void setWafBuilder(WafBuilder wafBuilder);
+
+  void setRuleVersion(String rulesetVersion);
+
   String getName();
 
   String getInfo();
 
   Collection<DataSubscription> getDataSubscriptions();
 
+  boolean isWafBuilderSet();
+
   abstract class DataSubscription implements DataListener {
     private final Collection<Address<?>> subscribedAddresses;
     private final Priority priority;
 
@@ -76,8 +76,9 @@ private static void doStart(SubscriptionService gw, SharedCommunicationObjects s
     APP_SEC_CONFIG_SERVICE =
         new AppSecConfigServiceImpl(
             config, configurationPoller, () -> reloadSubscriptions(REPLACEABLE_EVENT_PRODUCER));
-    APP_SEC_CONFIG_SERVICE.init();
-
+    if (appSecEnabledConfig == ProductActivation.FULLY_ENABLED) {
+      APP_SEC_CONFIG_SERVICE.init();
+    }
     sco.createRemaining(config);
 
     GatewayBridge gatewayBridge =
@@ -87,7 +88,8 @@ private static void doStart(SubscriptionService gw, SharedCommunicationObjects s
             () -> API_SECURITY_SAMPLER,
             APP_SEC_CONFIG_SERVICE.getTraceSegmentPostProcessors());
 
-    loadModules(eventDispatcher, sco.monitoring);
+    loadModules(
+        eventDispatcher, sco.monitoring, appSecEnabledConfig == ProductActivation.FULLY_ENABLED);
 
     gatewayBridge.init();
     STOP_SUBSCRIPTION_SERVICE = gatewayBridge::stop;
@@ -136,20 +138,25 @@ public static void stop() {
       RESET_SUBSCRIPTION_SERVICE = null;
     }
     Blocking.setBlockingService(BlockingService.NOOP);
-
     APP_SEC_CONFIG_SERVICE.close();
   }
 
-  private static void loadModules(EventDispatcher eventDispatcher, Monitoring monitoring) {
+  private static void loadModules(
+      EventDispatcher eventDispatcher, Monitoring monitoring, boolean appSecEnabledConfig) {
     EventDispatcher.DataSubscriptionSet dataSubscriptionSet =
         new EventDispatcher.DataSubscriptionSet();
 
     final List<AppSecModule> modules = Collections.singletonList(new WAFModule(monitoring));
+    APP_SEC_CONFIG_SERVICE.modulesToUpdateVersionIn(modules);
     for (AppSecModule module : modules) {
       log.debug("Starting appsec module {}", module.getName());
       try {
-        AppSecConfigService.TransactionalAppSecModuleConfigurer cfgObject;
-        cfgObject = APP_SEC_CONFIG_SERVICE.createAppSecModuleConfigurer();
+        AppSecConfigService.TransactionalAppSecModuleConfigurer cfgObject =
+            APP_SEC_CONFIG_SERVICE.createAppSecModuleConfigurer();
+        module.setRuleVersion(APP_SEC_CONFIG_SERVICE.getCurrentRuleVersion());
+        if (appSecEnabledConfig) {
+          module.setWafBuilder(APP_SEC_CONFIG_SERVICE.getWafBuilder());
+        }
         module.config(cfgObject);
         cfgObject.commit();
       } catch (RuntimeException | AppSecModule.AppSecModuleActivationException t) {
@@ -174,6 +181,7 @@ private static void reloadSubscriptions(
 
     EventDispatcher newEd = new EventDispatcher();
     for (AppSecModule module : STARTED_MODULES_INFO.keySet()) {
+      module.setRuleVersion(APP_SEC_CONFIG_SERVICE.getCurrentRuleVersion());
       for (AppSecModule.DataSubscription sub : module.getDataSubscriptions()) {
         dataSubscriptionSet.addSubscription(sub.getSubscribedAddresses(), sub);
       }