appsec: do not attempt to deduplicate native modsec rules

pkg/acquisition/modules/appsec/appsec_runner.go

@@ -37,6 +37,7 @@ func (r *AppsecRunner) MergeDedupRules(collections []appsec.AppsecCollection, lo
 	dedupRules := make(map[string]struct{})
 
 	for _, collection := range collections {
+		// Dedup *our* rules
 		for _, rule := range collection.Rules {
 			if _, ok := dedupRules[rule]; !ok {
 				rulesArr = append(rulesArr, rule)
@@ -45,6 +46,8 @@ func (r *AppsecRunner) MergeDedupRules(collections []appsec.AppsecCollection, lo
 				logger.Debugf("Discarding duplicate rule : %s", rule)
 			}
 		}
+		// Don't mess up with native modsec rules
+		rulesArr = append(rulesArr, collection.NativeRules...)
 	}
 	if len(rulesArr) != len(dedupRules) {
 		logger.Warningf("%d rules were discarded as they were duplicates", len(rulesArr)-len(dedupRules))

pkg/acquisition/modules/appsec/appsec_runner_test.go

@@ -8,9 +8,29 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-func TestAppsecRuleLoad(t *testing.T) {
+func TestAppsecConflictRuleLoad(t *testing.T) {
 	log.SetLevel(log.TraceLevel)
 	tests := []appsecRuleTest{
+		{
+			name:             "simple native rule load",
+			expected_load_ok: true,
+			inband_native_rules: []string{
+				`Secrule REQUEST_HEADERS:Content-Type "@rx ^application/x-www-form-urlencoded" "id:100,phase:1,pass,nolog,noauditlog,ctl:requestBodyProcessor=URLENCODED"`,
+				`Secrule REQUEST_HEADERS:Content-Type "@rx ^multipart/form-data" "id:101,phase:1,pass,nolog,noauditlog,ctl:requestBodyProcessor=MULTIPART"`,
+			},
+			afterload_asserts: func(runner AppsecRunner) {
+				require.Len(t, runner.AppsecInbandEngine.GetRuleGroup().GetRules(), 2)
+			},
+		},
+		{
+			name:             "id conflict on native rule load",
+			expected_load_ok: false,
+			inband_native_rules: []string{
+				`Secrule REQUEST_HEADERS:Content-Type "@rx ^application/x-www-form-urlencoded" "id:100,phase:1,pass,nolog,noauditlog,ctl:requestBodyProcessor=URLENCODED"`,
+				`Secrule REQUEST_HEADERS:Content-Type "@rx ^multipart/form-data" "id:101,phase:1,pass,nolog,noauditlog,ctl:requestBodyProcessor=MULTIPART"`,
+				`Secrule REQUEST_HEADERS:Content-Type "@rx ^application/x-www-form-urlencoded" "id:100,phase:1,pass,nolog,noauditlog,ctl:requestBodyProcessor=URLENCODED"`,
+			},
+		},
 		{
 			name:             "simple rule load",
 			expected_load_ok: true,
@@ -26,33 +46,65 @@ func TestAppsecRuleLoad(t *testing.T) {
 			},
 		},
 		{
-			name:             "simple native rule load",
+			name:             "duplicate rule load",
 			expected_load_ok: true,
-			inband_native_rules: []string{
-				`Secrule REQUEST_HEADERS:Content-Type "@rx ^application/x-www-form-urlencoded" "id:100,phase:1,pass,nolog,noauditlog,ctl:requestBodyProcessor=URLENCODED"`,
+			inband_rules: []appsec_rule.CustomRule{
+				{
+					Name:  "rule1",
+					Zones: []string{"ARGS"},
+					Match: appsec_rule.Match{Type: "equals", Value: "toto"},
+				},
+				{
+					Name:  "rule1",
+					Zones: []string{"ARGS"},
+					Match: appsec_rule.Match{Type: "equals", Value: "toto"},
+				},
 			},
 			afterload_asserts: func(runner AppsecRunner) {
 				require.Len(t, runner.AppsecInbandEngine.GetRuleGroup().GetRules(), 1)
 			},
 		},
+	}
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			loadAppSecEngine(test, t)
+		})
+	}
+}
+
+func TestAppsecRuleLoad(t *testing.T) {
+	log.SetLevel(log.TraceLevel)
+	tests := []appsecRuleTest{
 		{
-			name:             "simple native rule load (2)",
+			name:             "simple rule load",
+			expected_load_ok: true,
+			inband_rules: []appsec_rule.CustomRule{
+				{
+					Name:  "rule1",
+					Zones: []string{"ARGS"},
+					Match: appsec_rule.Match{Type: "equals", Value: "toto"},
+				},
+			},
+			afterload_asserts: func(runner AppsecRunner) {
+				require.Len(t, runner.AppsecInbandEngine.GetRuleGroup().GetRules(), 1)
+			},
+		},
+		{
+			name:             "simple native rule load",
 			expected_load_ok: true,
 			inband_native_rules: []string{
 				`Secrule REQUEST_HEADERS:Content-Type "@rx ^application/x-www-form-urlencoded" "id:100,phase:1,pass,nolog,noauditlog,ctl:requestBodyProcessor=URLENCODED"`,
-				`Secrule REQUEST_HEADERS:Content-Type "@rx ^multipart/form-data" "id:101,phase:1,pass,nolog,noauditlog,ctl:requestBodyProcessor=MULTIPART"`,
 			},
 			afterload_asserts: func(runner AppsecRunner) {
-				require.Len(t, runner.AppsecInbandEngine.GetRuleGroup().GetRules(), 2)
+				require.Len(t, runner.AppsecInbandEngine.GetRuleGroup().GetRules(), 1)
 			},
 		},
 		{
-			name:             "simple native rule load + dedup",
+			name:             "simple native rule load (2)",
 			expected_load_ok: true,
 			inband_native_rules: []string{
 				`Secrule REQUEST_HEADERS:Content-Type "@rx ^application/x-www-form-urlencoded" "id:100,phase:1,pass,nolog,noauditlog,ctl:requestBodyProcessor=URLENCODED"`,
 				`Secrule REQUEST_HEADERS:Content-Type "@rx ^multipart/form-data" "id:101,phase:1,pass,nolog,noauditlog,ctl:requestBodyProcessor=MULTIPART"`,
-				`Secrule REQUEST_HEADERS:Content-Type "@rx ^application/x-www-form-urlencoded" "id:100,phase:1,pass,nolog,noauditlog,ctl:requestBodyProcessor=URLENCODED"`,
 			},
 			afterload_asserts: func(runner AppsecRunner) {
 				require.Len(t, runner.AppsecInbandEngine.GetRuleGroup().GetRules(), 2)

pkg/acquisition/modules/appsec/appsec_test.go

@@ -41,7 +41,9 @@ func loadAppSecEngine(test appsecRuleTest, t *testing.T) {
 		log.SetLevel(log.WarnLevel)
 	}
 	inbandRules := []string{}
+	nativeInbandRules := []string{}
 	outofbandRules := []string{}
+	nativeOutofbandRules := []string{}
 	InChan := make(chan appsec.ParsedRequest)
 	OutChan := make(chan types.Event)
 
@@ -56,8 +58,8 @@ func loadAppSecEngine(test appsecRuleTest, t *testing.T) {
 		inbandRules = append(inbandRules, strRule)
 
 	}
-	inbandRules = append(inbandRules, test.inband_native_rules...)
-	outofbandRules = append(outofbandRules, test.outofband_native_rules...)
+	nativeInbandRules = append(nativeInbandRules, test.inband_native_rules...)
+	nativeOutofbandRules = append(nativeOutofbandRules, test.outofband_native_rules...)
 	for ridx, rule := range test.outofband_rules {
 		strRule, _, err := rule.Convert(appsec_rule.ModsecurityRuleType, rule.Name)
 		if err != nil {
@@ -82,8 +84,8 @@ func loadAppSecEngine(test appsecRuleTest, t *testing.T) {
 	if err != nil {
 		t.Fatalf("unable to build appsec runtime : %s", err)
 	}
-	AppsecRuntime.InBandRules = []appsec.AppsecCollection{{Rules: inbandRules}}
-	AppsecRuntime.OutOfBandRules = []appsec.AppsecCollection{{Rules: outofbandRules}}
+	AppsecRuntime.InBandRules = []appsec.AppsecCollection{{Rules: inbandRules, NativeRules: nativeInbandRules}}
+	AppsecRuntime.OutOfBandRules = []appsec.AppsecCollection{{Rules: outofbandRules, NativeRules: nativeOutofbandRules}}
 	appsecRunnerUUID := uuid.New().String()
 	//we copy AppsecRutime for each runner
 	wrt := *AppsecRuntime

pkg/appsec/appsec_rules_collection.go

@@ -15,6 +15,7 @@
 type AppsecCollection struct {
 	collectionName string
 	Rules          []string
+	NativeRules    []string
 }
 
 var APPSEC_RULE = "appsec-rule"
@@ -88,14 +89,14 @@
 					if strings.TrimSpace(line) == "" {
 						continue
 					}
-					appsecCol.Rules = append(appsecCol.Rules, line)
+					appsecCol.NativeRules = append(appsecCol.NativeRules, line)
 				}
 			}
 		}
 
 		if appsecRule.SecLangRules != nil {
 			logger.Tracef("Adding inline rules %+v", appsecRule.SecLangRules)
-			appsecCol.Rules = append(appsecCol.Rules, appsecRule.SecLangRules...)
+			appsecCol.NativeRules = append(appsecCol.NativeRules, appsecRule.SecLangRules...)
 		}
 
 		if appsecRule.Rules != nil {