(chore): rework NewContext and NewContextWithBudget (#90)

Hellzy · web-flow · commit e58003086b7f · 2024-05-06T10:34:27.000+02:00
Part of APPSEC-52238

- Add an error return value
- Make NewContext and NewContextWithBudget handle methods
diff --git a/context.go b/context.go
@@ -6,13 +6,13 @@
 package waf
 
 import (
-	"github.com/DataDog/go-libddwaf/v2/timer"
 	"sync"
 	"time"
 
 	"github.com/DataDog/go-libddwaf/v2/errors"
 	"github.com/DataDog/go-libddwaf/v2/internal/bindings"
 	"github.com/DataDog/go-libddwaf/v2/internal/unsafe"
+	"github.com/DataDog/go-libddwaf/v2/timer"
 
 	"sync/atomic"
 )
@@ -42,40 +42,6 @@ type Context struct {
 	truncations map[TruncationReason][]int
 }
 
-// NewContext returns a new WAF context of to the given WAF handle.
-// A nil value is returned when the WAF handle was released or when the
-// WAF context couldn't be created.
-// handle. A nil value is returned when the WAF handle can no longer be used
-// or the WAF context couldn't be created.
-func NewContext(handle *Handle) *Context {
-	return NewContextWithBudget(handle, timer.UnlimitedBudget)
-}
-
-// NewContextWithBudget returns a new WAF context of to the given WAF handle.
-// A nil value is returned when the WAF handle was released or when the
-// WAF context couldn't be created.
-// handle. A nil value is returned when the WAF handle can no longer be used
-// or the WAF context couldn't be created.
-func NewContextWithBudget(handle *Handle, budget time.Duration) *Context {
-	// Handle has been released
-	if !handle.retain() {
-		return nil
-	}
-
-	cContext := wafLib.WafContextInit(handle.cHandle)
-	if cContext == 0 {
-		handle.release() // We couldn't get a context, so we no longer have an implicit reference to the Handle in it...
-		return nil
-	}
-
-	timer, err := timer.NewTreeTimer(timer.WithBudget(budget), timer.WithComponents(wafRunTag))
-	if err != nil {
-		return nil
-	}
-
-	return &Context{handle: handle, cContext: cContext, timer: timer, metrics: metricsStore{data: make(map[string]time.Duration, 5)}}
-}
-
 // RunAddressData provides address data to the Context.Run method. If a given key is present in both
 // RunAddressData.Persistent and RunAddressData.Ephemeral, the value from RunAddressData.Persistent will take precedence.
 type RunAddressData struct {
diff --git a/encoder_decoder_test.go b/encoder_decoder_test.go
@@ -28,7 +28,8 @@ func wafTest(t *testing.T, obj *bindings.WafObject) {
 	waf, err := newDefaultHandle(newArachniTestRule([]ruleInput{{Address: "my.input"}, {Address: "my.other.input"}}, nil))
 	require.NoError(t, err)
 	defer waf.Close()
-	wafCtx := NewContext(waf)
+	wafCtx, err := waf.NewContext()
+	require.NoError(t, err)
 	require.NotNil(t, wafCtx)
 	defer wafCtx.Close()
 	_, err = wafCtx.Run(RunAddressData{
diff --git a/handle.go b/handle.go
@@ -8,10 +8,12 @@ package waf
 import (
 	"errors"
 	"fmt"
+	"time"
 
 	wafErrors "github.com/DataDog/go-libddwaf/v2/errors"
 	"github.com/DataDog/go-libddwaf/v2/internal/bindings"
 	"github.com/DataDog/go-libddwaf/v2/internal/unsafe"
+	"github.com/DataDog/go-libddwaf/v2/timer"
 
 	"sync/atomic"
 )
@@ -104,6 +106,36 @@ func NewHandle(rules any, keyObfuscatorRegex string, valueObfuscatorRegex string
 	return handle, nil
 }
 
+// NewContext returns a new WAF context for the given WAF handle.
+// A nil value is returned when the WAF handle was released or when the
+// WAF context couldn't be created.
+func (handle *Handle) NewContext() (*Context, error) {
+	return handle.NewContextWithBudget(timer.UnlimitedBudget)
+}
+
+// NewContextWithBudget returns a new WAF context for the given WAF handle.
+// A nil value is returned when the WAF handle was released or when the
+// WAF context couldn't be created.
+func (handle *Handle) NewContextWithBudget(budget time.Duration) (*Context, error) {
+	// Handle has been released
+	if !handle.retain() {
+		return nil, fmt.Errorf("handle was released")
+	}
+
+	cContext := wafLib.WafContextInit(handle.cHandle)
+	if cContext == 0 {
+		handle.release() // We couldn't get a context, so we no longer have an implicit reference to the Handle in it...
+		return nil, fmt.Errorf("could not get C context")
+	}
+
+	timer, err := timer.NewTreeTimer(timer.WithBudget(budget), timer.WithComponents(wafRunTag))
+	if err != nil {
+		return nil, err
+	}
+
+	return &Context{handle: handle, cContext: cContext, timer: timer, metrics: metricsStore{data: make(map[string]time.Duration, 5)}}, nil
+}
+
 // Diagnostics returns the rules initialization metrics for the current WAF handle
 func (handle *Handle) Diagnostics() Diagnostics {
 	return handle.diagnostics
diff --git a/waf_test.go b/waf_test.go
@@ -274,7 +274,8 @@ func TestUpdateWAF(t *testing.T) {
 		require.NotNil(t, waf)
 		defer waf.Close()
 
-		wafCtx := NewContext(waf)
+		wafCtx, err := waf.NewContext()
+		require.NoError(t, err)
 		defer wafCtx.Close()
 
 		// Matches
@@ -295,7 +296,8 @@ func TestUpdateWAF(t *testing.T) {
 		require.NotNil(t, waf2)
 		defer waf2.Close()
 
-		wafCtx2 := NewContext(waf2)
+		wafCtx2, err := waf2.NewContext()
+		require.NoError(t, err)
 		defer wafCtx2.Close()
 
 		// Matches & Block
@@ -369,11 +371,12 @@ func TestTimeout(t *testing.T) {
 	}
 
 	t.Run("not-empty-metrics-match", func(t *testing.T) {
-		context := NewContextWithBudget(waf, time.Hour)
+		context, err := waf.NewContextWithBudget(time.Hour)
+		require.NoError(t, err)
 		require.NotNil(t, context)
 		defer context.Close()
 
-		_, err := context.Run(RunAddressData{Persistent: normalValue, Ephemeral: normalValue}, 0)
+		_, err = context.Run(RunAddressData{Persistent: normalValue, Ephemeral: normalValue}, 0)
 		require.NoError(t, err)
 		require.NotEmpty(t, context.Stats())
 		require.NotZero(t, context.Stats().Timers["_dd.appsec.waf.decode"])
@@ -383,11 +386,12 @@ func TestTimeout(t *testing.T) {
 	})
 
 	t.Run("not-empty-metrics-no-match", func(t *testing.T) {
-		context := NewContextWithBudget(waf, time.Hour)
+		context, err := waf.NewContextWithBudget(time.Hour)
+		require.NoError(t, err)
 		require.NotNil(t, context)
 		defer context.Close()
 
-		_, err := context.Run(RunAddressData{Persistent: map[string]any{"my.input": "curl/7.88"}}, 0)
+		_, err = context.Run(RunAddressData{Persistent: map[string]any{"my.input": "curl/7.88"}}, 0)
 		require.NoError(t, err)
 		require.NotEmpty(t, context.Stats())
 		require.NotZero(t, context.Stats().Timers["_dd.appsec.waf.decode"])
@@ -397,34 +401,35 @@ func TestTimeout(t *testing.T) {
 	})
 
 	t.Run("timeout-persistent-encoder", func(t *testing.T) {
-		context := NewContextWithBudget(waf, time.Millisecond)
+		context, err := waf.NewContextWithBudget(time.Millisecond)
+		require.NoError(t, err)
 		require.NotNil(t, context)
 		defer context.Close()
 
-		_, err := context.Run(RunAddressData{Persistent: largeValue}, 0)
+		_, err = context.Run(RunAddressData{Persistent: largeValue}, 0)
 		require.Equal(t, errors.ErrTimeout, err)
 		require.GreaterOrEqual(t, context.Stats().Timers["_dd.appsec.waf.duration_ext"], time.Millisecond)
 		require.GreaterOrEqual(t, context.Stats().Timers["_dd.appsec.waf.encode"], time.Millisecond)
 	})
 
 	t.Run("timeout-ephemeral-encoder", func(t *testing.T) {
-		context := NewContextWithBudget(waf, time.Millisecond)
+		context, err := waf.NewContextWithBudget(time.Millisecond)
+		require.NoError(t, err)
 		require.NotNil(t, context)
 		defer context.Close()
 
-		_, err := context.Run(RunAddressData{Ephemeral: largeValue}, 0)
+		_, err = context.Run(RunAddressData{Ephemeral: largeValue}, 0)
 		require.Equal(t, errors.ErrTimeout, err)
 		require.GreaterOrEqual(t, context.Stats().Timers["_dd.appsec.waf.duration_ext"], time.Millisecond)
 		require.GreaterOrEqual(t, context.Stats().Timers["_dd.appsec.waf.encode"], time.Millisecond)
 	})
 
 	t.Run("many-runs", func(t *testing.T) {
-		context := NewContextWithBudget(waf, time.Millisecond)
+		context, err := waf.NewContextWithBudget(time.Millisecond)
+		require.NoError(t, err)
 		require.NotNil(t, context)
 		defer context.Close()
 
-		var err error
-
 		for i := 0; i < 1000 && err != errors.ErrTimeout; i++ {
 			_, err = context.Run(RunAddressData{Persistent: normalValue}, 0)
 		}
@@ -441,7 +446,8 @@ func TestMatching(t *testing.T) {
 
 	require.Equal(t, []string{"my.input"}, waf.Addresses())
 
-	wafCtx := NewContext(waf)
+	wafCtx, err := waf.NewContext()
+	require.NoError(t, err)
 	require.NotNil(t, wafCtx)
 
 	// Not matching because the address value doesn't match the rule
@@ -496,7 +502,9 @@ func TestMatching(t *testing.T) {
 	wafCtx.Close()
 	waf.Close()
 	// Using the WAF instance after it was closed leads to a nil WAF context
-	require.Nil(t, NewContext(waf))
+	ctx, err := waf.NewContext()
+	require.Nil(t, ctx)
+	require.Error(t, err)
 }
 
 func TestMatchingEphemeralAndPersistent(t *testing.T) {
@@ -505,7 +513,8 @@ func TestMatchingEphemeralAndPersistent(t *testing.T) {
 	require.NoError(t, err)
 	defer waf.Close()
 
-	wafCtx := NewContext(waf)
+	wafCtx, err := waf.NewContext()
+	require.NoError(t, err)
 	require.NotNil(t, wafCtx)
 	defer wafCtx.Close()
 
@@ -557,7 +566,8 @@ func TestMatchingEphemeral(t *testing.T) {
 	sort.Strings(addrs)
 	require.Equal(t, []string{input1, input2}, addrs)
 
-	wafCtx := NewContext(waf)
+	wafCtx, err := waf.NewContext()
+	require.NoError(t, err)
 	require.NotNil(t, wafCtx)
 
 	// Not matching because the address value doesn't match the rule
@@ -614,7 +624,9 @@ func TestMatchingEphemeral(t *testing.T) {
 	wafCtx.Close()
 	waf.Close()
 	// Using the WAF instance after it was closed leads to a nil WAF context
-	require.Nil(t, NewContext(waf))
+	ctx, err := waf.NewContext()
+	require.Nil(t, ctx)
+	require.Error(t, err)
 }
 
 func TestMatchingEphemeralOnly(t *testing.T) {
@@ -631,7 +643,8 @@ func TestMatchingEphemeralOnly(t *testing.T) {
 	sort.Strings(addrs)
 	require.Equal(t, []string{input1, input2}, addrs)
 
-	wafCtx := NewContext(waf)
+	wafCtx, err := waf.NewContext()
+	require.NoError(t, err)
 	require.NotNil(t, wafCtx)
 
 	// Not matching because the address value doesn't match the rule
@@ -672,7 +685,9 @@ func TestMatchingEphemeralOnly(t *testing.T) {
 	wafCtx.Close()
 	waf.Close()
 	// Using the WAF instance after it was closed leads to a nil WAF context
-	require.Nil(t, NewContext(waf))
+	ctx, err := waf.NewContext()
+	require.Nil(t, ctx)
+	require.Error(t, err)
 }
 
 func TestActions(t *testing.T) {
@@ -684,7 +699,8 @@ func TestActions(t *testing.T) {
 			require.NotNil(t, waf)
 			defer waf.Close()
 
-			wafCtx := NewContext(waf)
+			wafCtx, err := waf.NewContext()
+			require.NoError(t, err)
 			require.NotNil(t, wafCtx)
 			defer wafCtx.Close()
 
@@ -727,7 +743,8 @@ func TestConcurrency(t *testing.T) {
 		require.NoError(t, err)
 		defer waf.Close()
 
-		wafCtx := NewContext(waf)
+		wafCtx, err := waf.NewContext()
+		require.NoError(t, err)
 		defer wafCtx.Close()
 
 		// User agents that won't match the rule so that it doesn't get pruned.
@@ -821,7 +838,8 @@ func TestConcurrency(t *testing.T) {
 				startBarrier.Wait()      // Sync the starts of the goroutines
 				defer stopBarrier.Done() // Signal we are done when returning
 
-				wafCtx := NewContext(waf)
+				wafCtx, err := waf.NewContext()
+				require.NoError(t, err)
 				defer wafCtx.Close()
 
 				for c := 0; c < nbRun; c++ {
@@ -890,8 +908,8 @@ func TestConcurrency(t *testing.T) {
 				startBarrier.Wait()      // Sync the starts of the goroutines
 				defer stopBarrier.Done() // Signal we are done when returning
 
-				wafCtx := NewContext(waf)
-				if wafCtx == nil {
+				wafCtx, err := waf.NewContext()
+				if wafCtx == nil || err != nil {
 					return
 				}
 				wafCtx.Close()
@@ -923,7 +941,8 @@ func TestConcurrency(t *testing.T) {
 		waf, err := newDefaultHandle(testArachniRule)
 		require.NoError(t, err)
 
-		wafCtx := NewContext(waf)
+		wafCtx, err := waf.NewContext()
+		require.NoError(t, err)
 		require.NotNil(t, wafCtx)
 
 		var startBarrier, stopBarrier sync.WaitGroup
@@ -1087,7 +1106,8 @@ func TestMetrics(t *testing.T) {
 	})
 
 	t.Run("RunDuration", func(t *testing.T) {
-		wafCtx := NewContext(waf)
+		wafCtx, err := waf.NewContext()
+		require.NoError(t, err)
 		require.NotNil(t, wafCtx)
 		defer wafCtx.Close()
 		// Craft matching data to force work on the WAF
@@ -1113,7 +1133,8 @@ func TestMetrics(t *testing.T) {
 	})
 
 	t.Run("Timeouts", func(t *testing.T) {
-		wafCtx := NewContextWithBudget(waf, time.Nanosecond)
+		wafCtx, err := waf.NewContextWithBudget(time.Nanosecond)
+		require.NoError(t, err)
 		require.NotNil(t, wafCtx)
 		defer wafCtx.Close()
 		// Craft matching data to force work on the WAF
@@ -1138,7 +1159,8 @@ func TestObfuscatorConfig(t *testing.T) {
 		waf, err := NewHandle(rule, "key", "")
 		require.NoError(t, err)
 		defer waf.Close()
-		wafCtx := NewContext(waf)
+		wafCtx, err := waf.NewContext()
+		require.NoError(t, err)
 		require.NotNil(t, wafCtx)
 		defer wafCtx.Close()
 		data := map[string]interface{}{
@@ -1160,7 +1182,8 @@ func TestObfuscatorConfig(t *testing.T) {
 		waf, err := NewHandle(rule, "", "sensitive")
 		require.NoError(t, err)
 		defer waf.Close()
-		wafCtx := NewContext(waf)
+		wafCtx, err := waf.NewContext()
+		require.NoError(t, err)
 		require.NotNil(t, wafCtx)
 		defer wafCtx.Close()
 		data := map[string]interface{}{
@@ -1182,7 +1205,8 @@ func TestObfuscatorConfig(t *testing.T) {
 		waf, err := NewHandle(rule, "", "")
 		require.NoError(t, err)
 		defer waf.Close()
-		wafCtx := NewContext(waf)
+		wafCtx, err := waf.NewContext()
+		require.NoError(t, err)
 		require.NotNil(t, wafCtx)
 		defer wafCtx.Close()
 		data := map[string]interface{}{
@@ -1206,7 +1230,8 @@ func TestTruncationInformation(t *testing.T) {
 	require.NoError(t, err)
 	defer waf.Close()
 
-	ctx := NewContext(waf)
+	ctx, err := waf.NewContext()
+	require.NoError(t, err)
 	defer ctx.Close()
 
 	extra := rand.Intn(10) + 1 // Random int between 1 and 10
