Improve specs for AppSec ActiveRecord instrumentation

Author: y9v

spec/datadog/appsec/configuration/settings_spec.rb

@@ -90,13 +90,13 @@ def patcher
         context 'is not defined' do
           let(:rasp_enabled_env_var) { nil }
 
-          it { is_expected.to eq true }
+          it { expect(settings.appsec.rasp_enabled).to eq(true) }
         end
 
         context 'is defined' do
           let(:rasp_enabled_env_var) { 'false' }
 
-          it { is_expected.to eq(false) }
+          it { expect(settings.appsec.rasp_enabled).to eq(false) }
         end
       end
     end

spec/datadog/appsec/contrib/active_record/mysql2_adapter_spec.rb

@@ -16,7 +16,6 @@
   let(:ruleset) { Datadog::AppSec::Processor::RuleLoader.load_rules(ruleset: :recommended, telemetry: telemetry) }
   let(:processor) { Datadog::AppSec::Processor.new(ruleset: ruleset, telemetry: telemetry) }
   let(:context) { Datadog::AppSec::Context.new(trace, span, processor) }
-  let(:rasp_enabled) { true }
 
   let(:span) { Datadog::Tracing::SpanOperation.new('root') }
   let(:trace) { Datadog::Tracing::TraceOperation.new }
@@ -55,8 +54,6 @@
 
     Datadog::AppSec::Context.activate(context)
 
-    allow(Datadog::AppSec).to receive(:rasp_enabled?).and_return(rasp_enabled)
-
     raise_on_rails_deprecation!
   end
 
@@ -68,7 +65,9 @@
   end
 
   context 'when RASP is disabled' do
-    let(:rasp_enabled) { false }
+    before do
+      allow(Datadog::AppSec).to receive(:rasp_enabled?).and_return(false)
+    end
 
     it 'does not call waf when querying using .where' do
       expect(Datadog::AppSec.active_context).not_to receive(:run_rasp)
@@ -83,46 +82,52 @@
     end
   end
 
-  it 'calls waf with correct arguments when querying using .where' do
-    expect(Datadog::AppSec.active_context).to(
-      receive(:run_rasp).with(
-        Datadog::AppSec::Ext::RASP_SQLI,
-        {},
-        {
-          'server.db.statement' => "SELECT `users`.* FROM `users` WHERE `users`.`name` = 'Bob'",
-          'server.db.system' => 'mysql2'
-        },
-        Datadog.configuration.appsec.waf_timeout
-      ).and_call_original
-    )
-
-    User.where(name: 'Bob').to_a
-  end
+  context 'when RASP is enabled' do
+    before do
+      allow(Datadog::AppSec).to receive(:rasp_enabled?).and_return(true)
+    end
 
-  it 'calls waf with correct arguments when querying using .find_by_sql' do
-    expect(Datadog::AppSec.active_context).to(
-      receive(:run_rasp).with(
-        Datadog::AppSec::Ext::RASP_SQLI,
-        {},
-        {
-          'server.db.statement' => "SELECT * FROM users WHERE name = 'Bob'",
-          'server.db.system' => 'mysql2'
-        },
-        Datadog.configuration.appsec.waf_timeout
-      ).and_call_original
-    )
-
-    User.find_by_sql("SELECT * FROM users WHERE name = 'Bob'").to_a
-  end
+    it 'calls waf with correct arguments when querying using .where' do
+      expect(Datadog::AppSec.active_context).to(
+        receive(:run_rasp).with(
+          Datadog::AppSec::Ext::RASP_SQLI,
+          {},
+          {
+            'server.db.statement' => "SELECT `users`.* FROM `users` WHERE `users`.`name` = 'Bob'",
+            'server.db.system' => 'mysql2'
+          },
+          Datadog.configuration.appsec.waf_timeout
+        ).and_call_original
+      )
+
+      User.where(name: 'Bob').to_a
+    end
+
+    it 'calls waf with correct arguments when querying using .find_by_sql' do
+      expect(Datadog::AppSec.active_context).to(
+        receive(:run_rasp).with(
+          Datadog::AppSec::Ext::RASP_SQLI,
+          {},
+          {
+            'server.db.statement' => "SELECT * FROM users WHERE name = 'Bob'",
+            'server.db.system' => 'mysql2'
+          },
+          Datadog.configuration.appsec.waf_timeout
+        ).and_call_original
+      )
 
-  it 'adds an event to processor context if waf result is a match' do
-    result = Datadog::AppSec::SecurityEngine::Result::Match.new(
-      events: [], actions: {}, derivatives: {}, timeout: false, duration_ns: 0, duration_ext_ns: 0
-    )
+      User.find_by_sql("SELECT * FROM users WHERE name = 'Bob'").to_a
+    end
 
-    expect(Datadog::AppSec.active_context).to receive(:run_rasp).and_return(result)
-    expect(Datadog::AppSec.active_context.events).to receive(:<<).and_call_original
+    it 'adds an event to processor context if waf result is a match' do
+      result = Datadog::AppSec::SecurityEngine::Result::Match.new(
+        events: [], actions: {}, derivatives: {}, timeout: false, duration_ns: 0, duration_ext_ns: 0
+      )
 
-    User.where(name: 'Bob').to_a
+      expect(Datadog::AppSec.active_context).to receive(:run_rasp).and_return(result)
+      expect(Datadog::AppSec.active_context.events).to receive(:<<).and_call_original
+
+      User.where(name: 'Bob').to_a
+    end
   end
 end

spec/datadog/appsec/contrib/active_record/postgresql_adapter_spec.rb

@@ -16,7 +16,6 @@
   let(:ruleset) { Datadog::AppSec::Processor::RuleLoader.load_rules(ruleset: :recommended, telemetry: telemetry) }
   let(:processor) { Datadog::AppSec::Processor.new(ruleset: ruleset, telemetry: telemetry) }
   let(:context) { Datadog::AppSec::Context.new(trace, span, processor) }
-  let(:rasp_enabled) { true }
 
   let(:span) { Datadog::Tracing::SpanOperation.new('root') }
   let(:trace) { Datadog::Tracing::TraceOperation.new }
@@ -56,8 +55,6 @@
 
     Datadog::AppSec::Context.activate(context)
 
-    allow(Datadog::AppSec).to receive(:rasp_enabled?).and_return(rasp_enabled)
-
     raise_on_rails_deprecation!
   end
 
@@ -69,7 +66,9 @@
   end
 
   context 'when RASP is disabled' do
-    let(:rasp_enabled) { false }
+    before do
+      allow(Datadog::AppSec).to receive(:rasp_enabled?).and_return(false)
+    end
 
     it 'does not call waf when querying using .where' do
       expect(Datadog::AppSec.active_context).not_to receive(:run_rasp)
@@ -84,52 +83,58 @@
     end
   end
 
-  it 'calls waf with correct arguments when querying using .where' do
-    expected_db_statement = if PlatformHelpers.jruby?
-                              'SELECT "users".* FROM "users" WHERE "users"."name" = ?'
-                            else
-                              'SELECT "users".* FROM "users" WHERE "users"."name" = $1'
-                            end
-
-    expect(Datadog::AppSec.active_context).to(
-      receive(:run_rasp).with(
-        Datadog::AppSec::Ext::RASP_SQLI,
-        {},
-        {
-          'server.db.statement' => expected_db_statement,
-          'server.db.system' => 'postgresql'
-        },
-        Datadog.configuration.appsec.waf_timeout
-      ).and_call_original
-    )
-
-    User.where(name: 'Bob').to_a
-  end
+  context 'when RASP is enabled' do
+    before do
+      allow(Datadog::AppSec).to receive(:rasp_enabled?).and_return(true)
+    end
 
-  it 'calls waf with correct arguments when querying using .find_by_sql' do
-    expect(Datadog::AppSec.active_context).to(
-      receive(:run_rasp).with(
-        Datadog::AppSec::Ext::RASP_SQLI,
-        {},
-        {
-          'server.db.statement' => "SELECT * FROM users WHERE name = 'Bob'",
-          'server.db.system' => 'postgresql'
-        },
-        Datadog.configuration.appsec.waf_timeout
-      ).and_call_original
-    )
-
-    User.find_by_sql("SELECT * FROM users WHERE name = 'Bob'").to_a
-  end
+    it 'calls waf with correct arguments when querying using .where' do
+      expected_db_statement = if PlatformHelpers.jruby?
+                                'SELECT "users".* FROM "users" WHERE "users"."name" = ?'
+                              else
+                                'SELECT "users".* FROM "users" WHERE "users"."name" = $1'
+                              end
+
+      expect(Datadog::AppSec.active_context).to(
+        receive(:run_rasp).with(
+          Datadog::AppSec::Ext::RASP_SQLI,
+          {},
+          {
+            'server.db.statement' => expected_db_statement,
+            'server.db.system' => 'postgresql'
+          },
+          Datadog.configuration.appsec.waf_timeout
+        ).and_call_original
+      )
+
+      User.where(name: 'Bob').to_a
+    end
+
+    it 'calls waf with correct arguments when querying using .find_by_sql' do
+      expect(Datadog::AppSec.active_context).to(
+        receive(:run_rasp).with(
+          Datadog::AppSec::Ext::RASP_SQLI,
+          {},
+          {
+            'server.db.statement' => "SELECT * FROM users WHERE name = 'Bob'",
+            'server.db.system' => 'postgresql'
+          },
+          Datadog.configuration.appsec.waf_timeout
+        ).and_call_original
+      )
 
-  it 'adds an event to processor context if waf result is a match' do
-    result = Datadog::AppSec::SecurityEngine::Result::Match.new(
-      events: [], actions: {}, derivatives: {}, timeout: false, duration_ns: 0, duration_ext_ns: 0
-    )
+      User.find_by_sql("SELECT * FROM users WHERE name = 'Bob'").to_a
+    end
 
-    expect(Datadog::AppSec.active_context).to receive(:run_rasp).and_return(result)
-    expect(Datadog::AppSec.active_context.events).to receive(:<<).and_call_original
+    it 'adds an event to processor context if waf result is a match' do
+      result = Datadog::AppSec::SecurityEngine::Result::Match.new(
+        events: [], actions: {}, derivatives: {}, timeout: false, duration_ns: 0, duration_ext_ns: 0
+      )
 
-    User.where(name: 'Bob').to_a
+      expect(Datadog::AppSec.active_context).to receive(:run_rasp).and_return(result)
+      expect(Datadog::AppSec.active_context.events).to receive(:<<).and_call_original
+
+      User.where(name: 'Bob').to_a
+    end
   end
 end

spec/datadog/appsec/contrib/active_record/sqlite3_adapter_spec.rb

@@ -16,7 +16,6 @@
   let(:ruleset) { Datadog::AppSec::Processor::RuleLoader.load_rules(ruleset: :recommended, telemetry: telemetry) }
   let(:processor) { Datadog::AppSec::Processor.new(ruleset: ruleset, telemetry: telemetry) }
   let(:context) { Datadog::AppSec::Context.new(trace, span, processor) }
-  let(:rasp_enabled) { true }
 
   let(:span) { Datadog::Tracing::SpanOperation.new('root') }
   let(:trace) { Datadog::Tracing::TraceOperation.new }
@@ -49,8 +48,6 @@
 
     Datadog::AppSec::Context.activate(context)
 
-    allow(Datadog::AppSec).to receive(:rasp_enabled?).and_return(rasp_enabled)
-
     raise_on_rails_deprecation!
   end
 
@@ -62,7 +59,9 @@
   end
 
   context 'when RASP is disabled' do
-    let(:rasp_enabled) { false }
+    before do
+      allow(Datadog::AppSec).to receive(:rasp_enabled?).and_return(false)
+    end
 
     it 'does not call waf when querying using .where' do
       expect(Datadog::AppSec.active_context).not_to receive(:run_rasp)
@@ -77,46 +76,52 @@
     end
   end
 
-  it 'calls waf with correct arguments when querying using .where' do
-    expect(Datadog::AppSec.active_context).to(
-      receive(:run_rasp).with(
-        Datadog::AppSec::Ext::RASP_SQLI,
-        {},
-        {
-          'server.db.statement' => 'SELECT "users".* FROM "users" WHERE "users"."name" = ?',
-          'server.db.system' => 'sqlite'
-        },
-        Datadog.configuration.appsec.waf_timeout
-      ).and_call_original
-    )
-
-    User.where(name: 'Bob').to_a
-  end
+  context 'when RASP is enabled' do
+    before do
+      allow(Datadog::AppSec).to receive(:rasp_enabled?).and_return(true)
+    end
 
-  it 'calls waf with correct arguments when querying using .find_by_sql' do
-    expect(Datadog::AppSec.active_context).to(
-      receive(:run_rasp).with(
-        Datadog::AppSec::Ext::RASP_SQLI,
-        {},
-        {
-          'server.db.statement' => "SELECT * FROM users WHERE name = 'Bob'",
-          'server.db.system' => 'sqlite'
-        },
-        Datadog.configuration.appsec.waf_timeout
-      ).and_call_original
-    )
-
-    User.find_by_sql("SELECT * FROM users WHERE name = 'Bob'").to_a
-  end
+    it 'calls waf with correct arguments when querying using .where' do
+      expect(Datadog::AppSec.active_context).to(
+        receive(:run_rasp).with(
+          Datadog::AppSec::Ext::RASP_SQLI,
+          {},
+          {
+            'server.db.statement' => 'SELECT "users".* FROM "users" WHERE "users"."name" = ?',
+            'server.db.system' => 'sqlite'
+          },
+          Datadog.configuration.appsec.waf_timeout
+        ).and_call_original
+      )
+
+      User.where(name: 'Bob').to_a
+    end
+
+    it 'calls waf with correct arguments when querying using .find_by_sql' do
+      expect(Datadog::AppSec.active_context).to(
+        receive(:run_rasp).with(
+          Datadog::AppSec::Ext::RASP_SQLI,
+          {},
+          {
+            'server.db.statement' => "SELECT * FROM users WHERE name = 'Bob'",
+            'server.db.system' => 'sqlite'
+          },
+          Datadog.configuration.appsec.waf_timeout
+        ).and_call_original
+      )
 
-  it 'adds an event to processor context if waf result is a match' do
-    result = Datadog::AppSec::SecurityEngine::Result::Match.new(
-      events: [], actions: {}, derivatives: {}, timeout: false, duration_ns: 0, duration_ext_ns: 0
-    )
+      User.find_by_sql("SELECT * FROM users WHERE name = 'Bob'").to_a
+    end
 
-    expect(Datadog::AppSec.active_context).to receive(:run_rasp).and_return(result)
-    expect(Datadog::AppSec.active_context.events).to receive(:<<).and_call_original
+    it 'adds an event to processor context if waf result is a match' do
+      result = Datadog::AppSec::SecurityEngine::Result::Match.new(
+        events: [], actions: {}, derivatives: {}, timeout: false, duration_ns: 0, duration_ext_ns: 0
+      )
 
-    User.where(name: 'Bob').to_a
+      expect(Datadog::AppSec.active_context).to receive(:run_rasp).and_return(result)
+      expect(Datadog::AppSec.active_context.events).to receive(:<<).and_call_original
+
+      User.where(name: 'Bob').to_a
+    end
   end
 end