DataDog
diff --git a/‎.github/workflows/test.yml
Lines changed: 3 additions & 2 deletions b/‎.github/workflows/test.yml
Lines changed: 3 additions & 2 deletions
diff --git a/‎context.go
Lines changed: 1 addition & 3 deletions b/‎context.go
Lines changed: 1 addition & 3 deletions
diff --git a/‎internal/lib/.version
Lines changed: 1 addition & 1 deletion b/‎internal/lib/.version
Lines changed: 1 addition & 1 deletion
diff --git a/‎internal/lib/libddwaf-darwin-amd64.dylib
90.9 KB b/‎internal/lib/libddwaf-darwin-amd64.dylib
90.9 KB
diff --git a/‎internal/lib/libddwaf-darwin-arm64.dylib
73.2 KB b/‎internal/lib/libddwaf-darwin-arm64.dylib
73.2 KB
diff --git a/‎internal/lib/libddwaf-linux-amd64.so
84.1 KB b/‎internal/lib/libddwaf-linux-amd64.so
84.1 KB
diff --git a/‎internal/lib/libddwaf-linux-arm64.so
75.6 KB b/‎internal/lib/libddwaf-linux-arm64.so
75.6 KB
diff --git a/‎internal/log/ddwaf.h
Lines changed: 3 additions & 1 deletion b/‎internal/log/ddwaf.h
Lines changed: 3 additions & 1 deletion
diff --git a/‎waf.go
Lines changed: 2 additions & 2 deletions b/‎waf.go
Lines changed: 2 additions & 2 deletions
diff --git a/‎waf_test.go
Lines changed: 6 additions & 5 deletions b/‎waf_test.go
Lines changed: 6 additions & 5 deletions
@@ -20,6 +20,7 @@ jobs:
     name: Containerized
     uses: ./.github/workflows/_test_containerized.yml
   smoke-tests:
+    if: "!contains(github.event.pull_request.labels.*.name, 'skip-smoke-tests')"
     name: Smoke Tests
     uses: DataDog/dd-trace-go/.github/workflows/smoke-tests.yml@main
     with:
@@ -37,10 +38,10 @@ jobs:
     if: '!cancelled()'
     steps:
       - name: Done
-        if: needs.bare-metal.result == 'success' && needs.containerized.result == 'success' && needs.smoke-tests.result == 'success'
+        if: needs.bare-metal.result == 'success' && needs.containerized.result == 'success' && (needs.smoke-tests.result == 'success' || needs.smoke-tests.result == 'skipped')
         run: echo "Done!"
       - name: Done
-        if: needs.bare-metal.result != 'success' || needs.containerized.result != 'success' || needs.smoke-tests.result != 'success'
+        if: needs.bare-metal.result != 'success' || needs.containerized.result != 'success' || (needs.smoke-tests.result != 'success' && needs.smoke-tests.result != 'skipped')
         run: |-
           echo "Failed!"
           exit 1
@@ -276,9 +276,7 @@ func unwrapWafResult(ret bindings.WafReturnCode, result *bindings.WafResult) (re
 		return res, err
 	}
 	if size := result.Actions.NbEntries; size > 0 {
-		// using ruleIdArray cause it decodes string array (I think)
-		res.Actions, err = decodeStringArray(&result.Actions)
-		// TODO: use decode array, and eventually genericize the function
+		res.Actions, err = decodeMap(&result.Actions)
 		if err != nil {
 			return res, err
 		}
 
@@ -1 +1 @@
-1.16.1
+1.17.0
@@ -162,7 +162,9 @@ struct _ddwaf_result
     bool timeout;
     /** Array of events generated, this is guaranteed to be an array **/
     ddwaf_object events;
-    /** Array of actions generated, this is guaranteed to be an array **/
+    /** Map of actions generated, this is guaranteed to be a map in the format:
+     * {action type: { <parameter map> }, ...}
+     **/
     ddwaf_object actions;
     /** Map containing all derived objects in the format (address, value) **/
     ddwaf_object derivatives;
 
@@ -88,8 +88,8 @@ type Result struct {
 	Derivatives map[string]any
 
 	// Actions is the set of actions the WAF decided on when evaluating rules
-	// against the provided address data.
-	Actions []string
+	// against the provided address data. It maps action types to their dynamic parameter values
+	Actions map[string]any
 
 	// TimeSpent is the time the WAF self-reported as spent processing the call to ddwaf_run
 	TimeSpent time.Duration
 
@@ -676,7 +676,7 @@ func TestMatchingEphemeralOnly(t *testing.T) {
 }
 
 func TestActions(t *testing.T) {
-	testActions := func(expectedActions []string) func(t *testing.T) {
+	testActions := func(expectedActions []string, expectedActionsTypes []string) func(t *testing.T) {
 		return func(t *testing.T) {
 
 			waf, err := newDefaultHandle(newArachniTestRule([]ruleInput{{Address: "my.input"}}, expectedActions))
@@ -698,13 +698,14 @@ func TestActions(t *testing.T) {
 			res, err := wafCtx.Run(RunAddressData{Persistent: values, Ephemeral: ephemeral}, time.Second)
 			require.NoError(t, err)
 			require.NotEmpty(t, res.Events)
-			// FIXME: check with libddwaf why the order of returned actions is not kept the same
-			require.ElementsMatch(t, expectedActions, res.Actions)
+			for _, aType := range expectedActionsTypes {
+				require.Contains(t, res.Actions, aType)
+			}
 		}
 	}
 
-	t.Run("single", testActions([]string{"block"}))
-	t.Run("multiple-actions", testActions([]string{"action 1", "action 2", "action 3"}))
+	t.Run("single", testActions([]string{"block"}, []string{"block_request"}))
+	t.Run("multiple-actions", testActions([]string{"block", "extract_schema"}, []string{"block_request", "generate_schema"}))
 }
 
 func TestAddresses(t *testing.T) {
Original file line number	Diff line number	Diff line change
`@@ -276,9 +276,7 @@ func unwrapWafResult(ret bindings.WafReturnCode, result *bindings.WafResult) (re`
`276`	`276`	`return res, err`
`277`	`277`	`}`
`278`	`278`	`if size := result.Actions.NbEntries; size > 0 {`
`279`		`- // using ruleIdArray cause it decodes string array (I think)`
`280`		`- res.Actions, err = decodeStringArray(&result.Actions)`
`281`		`- // TODO: use decode array, and eventually genericize the function`
	`279`	`+ res.Actions, err = decodeMap(&result.Actions)`
`282`	`280`	`if err != nil {`
`283`	`281`	`return res, err`
`284`	`282`	`}`
Original file line number	Diff line number	Diff line change
`@@ -676,7 +676,7 @@ func TestMatchingEphemeralOnly(t *testing.T) {`
`676`	`676`	`}`
`677`	`677`
`678`	`678`	`func TestActions(t *testing.T) {`
`679`		`- testActions := func(expectedActions []string) func(t *testing.T) {`
	`679`	`+ testActions := func(expectedActions []string, expectedActionsTypes []string) func(t *testing.T) {`
`680`	`680`	`return func(t *testing.T) {`
`681`	`681`
`682`	`682`	`waf, err := newDefaultHandle(newArachniTestRule([]ruleInput{{Address: "my.input"}}, expectedActions))`
`@@ -698,13 +698,14 @@ func TestActions(t *testing.T) {`
`698`	`698`	`res, err := wafCtx.Run(RunAddressData{Persistent: values, Ephemeral: ephemeral}, time.Second)`
`699`	`699`	`require.NoError(t, err)`
`700`	`700`	`require.NotEmpty(t, res.Events)`
`701`		`- // FIXME: check with libddwaf why the order of returned actions is not kept the same`
`702`		`- require.ElementsMatch(t, expectedActions, res.Actions)`
	`701`	`+ for _, aType := range expectedActionsTypes {`
	`702`	`+ require.Contains(t, res.Actions, aType)`
	`703`	`+ }`
`703`	`704`	`}`
`704`	`705`	`}`
`705`	`706`
`706`		`- t.Run("single", testActions([]string{"block"}))`
`707`		`- t.Run("multiple-actions", testActions([]string{"action 1", "action 2", "action 3"}))`
	`707`	`+ t.Run("single", testActions([]string{"block"}, []string{"block_request"}))`
	`708`	`+ t.Run("multiple-actions", testActions([]string{"block", "extract_schema"}, []string{"block_request", "generate_schema"}))`
`708`	`709`	`}`
`709`	`710`
`710`	`711`	`func TestAddresses(t *testing.T) {`