Computes auditlog during rules load time

Author: zimmerle

CHANGES

@@ -1,6 +1,8 @@
 v3.x.y - YYYY-MMM-DD (to be released)
 -------------------------------------
 
+  - auditlog: Computes whether or not to save while loading the rules.
+    [@zimmerle]
   - actions: Computes Rule association while loading the rules given a
     performance boost on run time.
     [@zimmerle, @martinhsv, @WGH-]

headers/modsecurity/actions/action.h

@@ -33,20 +33,20 @@ namespace actions {
 class Action {
  public:
     Action()
-        : m_name(""),
-        m_parserPayload("")
+        : m_parserPayload(""),
+        m_name("")
     { }
 
 
     explicit Action(const std::string& action)
-        : m_name(sort_name(action)),
-        m_parserPayload(sort_payload(action))
+        : m_parserPayload(sort_payload(action)),
+        m_name(sort_name(action))
     { }
 
 
     Action(const Action &a)
-        : m_name(a.m_name),
-        m_parserPayload(a.m_parserPayload)
+        : m_parserPayload(a.m_parserPayload),
+        m_name(a.m_name)
     { }
 
 
@@ -76,7 +76,7 @@ class Action {
     }
 
 
-    const std::string *getName() {
+    const std::string *getName() const {
         return &m_name;
     }
 

headers/modsecurity/audit_log.h

@@ -170,9 +170,8 @@ class AuditLog {
     bool init(std::string *error);
     virtual bool close();
 
-    bool saveIfRelevant(Transaction *transaction);
-    bool saveIfRelevant(Transaction *transaction, int parts);
-    bool isRelevant(int status);
+    bool saveIfRelevant(Transaction *transaction) const noexcept;
+    bool isRelevant(int status) const noexcept;
 
     static int addParts(int parts, const std::string& new_parts);
     static int removeParts(int parts, const std::string& new_parts);

headers/modsecurity/rule_message.h

@@ -130,6 +130,8 @@ class RuleMessage {
     std::string getUri() const;
     bool isDisruptive() const;
 
+    bool toBeAuditLog() const;
+
     int m_severity;
     std::list<std::string> m_tags;
 

headers/modsecurity/transaction.h

@@ -322,8 +322,7 @@ class TransactionSecMarkerManagement {
 class TransactionRuleMessageManagement {
  public:
     explicit TransactionRuleMessageManagement(Transaction *t)
-        : m_transaction(t),
-        m_noAuditLog(false) { 
+        : m_transaction(t) {
             messageNew();
         };
 
@@ -332,22 +331,7 @@ class TransactionRuleMessageManagement {
 
     void logMatchLastRuleOnTheChain(RuleWithActions *rule);
 
-    void messageSetNoAuditLog(bool a) {
-        m_noAuditLog = a;
-    }
-
-    bool messageSaveAuditLog() const {
-        return m_noAuditLog;
-    }
-
-    std::list<RuleMessage *> messageGetAll() {
-        std::list<RuleMessage *> messages;
-        for (RuleMessage *a : m_rulesMessages) {
-            messages.push_back(a);
-        }
-
-        return messages;
-    }
+    std::list<RuleMessage *> messageGetAll();
 
     void messageClear() {
         m_rulesMessages.clear();
@@ -362,7 +346,6 @@ class TransactionRuleMessageManagement {
     std::list<RuleMessage *> m_rulesMessages;
 
     Transaction *m_transaction;
-    bool m_noAuditLog;
 };
 
 

src/actions/audit_log.cc

@@ -15,20 +15,10 @@
 
 #include "src/actions/audit_log.h"
 
-#include <string>
-
-#include "modsecurity/transaction.h"
-
 
 namespace modsecurity {
 namespace actions {
 
 
-bool AuditLog::execute(Transaction *transaction) noexcept {
-    transaction->messageSetNoAuditLog(false);
-    return true;
-}
-
-
 }  // namespace actions
 }  // namespace modsecurity

src/actions/audit_log.h

@@ -16,6 +16,10 @@
 
 #include "src/actions/action_allowed_in_sec_default_action.h"
 
+#include "src/actions/action_type_rule_metadata.h"
+#include "src/actions/action_allowed_in_sec_default_action.h"
+
+
 #ifndef SRC_ACTIONS_AUDIT_LOG_H_
 #define SRC_ACTIONS_AUDIT_LOG_H_
 
@@ -24,13 +28,16 @@ namespace modsecurity {
 namespace actions {
 
 
-class AuditLog : public ActionAllowedAsSecDefaultAction {
+class AuditLog : public ActionTypeRuleMetaData,
+    public ActionAllowedAsSecDefaultAction {
  public:
     AuditLog()
         : Action("auditLog")
     { }
 
-    bool execute(Transaction *transaction) noexcept override;
+    void configure(RuleWithActions *rule) override {
+        rule->setHasAuditLogAction(true);
+    }
 };
 
 

src/actions/no_audit_log.cc

@@ -16,18 +16,10 @@
 
 #include "src/actions/no_audit_log.h"
 
-#include "modsecurity/transaction.h"
-
 
 namespace modsecurity {
 namespace actions {
 
 
-bool NoAuditLog::execute(Transaction *transaction) noexcept {
-    transaction->messageSetNoAuditLog(true);
-    return true;
-}
-
-
 }  // namespace actions
 }  // namespace modsecurity

src/actions/no_audit_log.h

@@ -15,7 +15,8 @@
 
 
 #include "modsecurity/actions/action.h"
-#include "modsecurity/transaction.h"
+
+#include "src/actions/action_type_rule_metadata.h"
 #include "src/actions/action_allowed_in_sec_default_action.h"
 
 
@@ -27,13 +28,16 @@ namespace modsecurity {
 namespace actions {
 
 
-class NoAuditLog : public ActionAllowedAsSecDefaultAction {
+class NoAuditLog : public ActionTypeRuleMetaData,
+    public ActionAllowedAsSecDefaultAction {
  public:
     NoAuditLog()
         : Action("noAuditLog")
     { }
 
-    bool execute(Transaction *transaction) noexcept override;
+    void configure(RuleWithActions *rule) override {
+        rule->setHasNoAuditLogAction(true);
+    }
 };
 
 

src/audit_log/audit_log.cc

@@ -266,14 +266,13 @@ bool AuditLog::init(std::string *error) {
 }
 
 
-bool AuditLog::isRelevant(int status) {
+bool AuditLog::isRelevant(int status) const noexcept {
     std::string sstatus = std::to_string(status);
 
     if (m_relevant.empty()) {
         return false;
     }
 
-
     if (sstatus.empty()) {
         return true;
     }
@@ -283,45 +282,34 @@ bool AuditLog::isRelevant(int status) {
 }
 
 
-bool AuditLog::saveIfRelevant(Transaction *transaction) {
-    return saveIfRelevant(transaction, -1);
-}
-
-
-bool AuditLog::saveIfRelevant(Transaction *transaction, int parts) {
-    bool saveAnyway = false;
+bool AuditLog::saveIfRelevant(Transaction *transaction) const noexcept {
     if (m_status == OffAuditLogStatus || m_status == NotSetLogStatus) {
         ms_dbg_a(transaction, 5, "Audit log engine was not set.");
-        return true;
+        return false;
     }
 
-    saveAnyway = transaction->messageSaveAuditLog();
-
     if ((m_status == RelevantOnlyAuditLogStatus
-        && this->isRelevant(transaction->m_httpCodeReturned) == false)
-        && saveAnyway == false) {
+            && isRelevant(transaction->m_httpCodeReturned) == false)) {
         ms_dbg_a(transaction, 9, "Return code `" +
             std::to_string(transaction->m_httpCodeReturned) + "'" \
             " is not interesting to audit logs, relevant code(s): `" +
             m_relevant + "'.");
-
         return false;
     }
 
-    if (parts == -1) {
-        parts = m_parts;
-    }
     ms_dbg_a(transaction, 5, "Saving this request as part " \
             "of the audit logs.");
+
     if (m_writer == NULL) {
         ms_dbg_a(transaction, 1, "Internal error, audit log writer is null");
-    } else {
-        std::string error;
-        bool a = m_writer->write(transaction, parts, &error);
-        if (a == false) {
-            ms_dbg_a(transaction, 1, "Cannot save the audit log: " + error);
-            return false;
-        }
+        return false;
+    }
+
+    std::string error;
+    bool a = m_writer->write(transaction, transaction->m_auditLogParts, &error);
+    if (a == false) {
+        ms_dbg_a(transaction, 1, "Cannot save the audit log: " + error);
+        return false;
     }
 
     return true;

src/parser/driver.cc

@@ -157,6 +157,12 @@ int Driver::addSecRule(std::unique_ptr<RuleWithActions> r) {
                 firstRule->getChainedParent()->setHasLogAction(
                     firstRule->hasNoLogAction()
                 );
+                firstRule->getChainedParent()->setHasAuditLogAction(
+                    firstRule->hasAuditLogAction()
+                );
+                firstRule->getChainedParent()->setHasNoAuditLogAction(
+                    firstRule->hasNoAuditLogAction()
+                );
                 firstRule = firstRule->getChainedParent();
             }
         }

src/rule_message.cc

@@ -176,6 +176,14 @@ int RuleMessage::getAccuracy() const {
 }
 
 
+bool RuleMessage::toBeAuditLog() const {
+    if (m_rule) {
+        return m_rule->isItToBeAuditLogged();
+    }
+    return false;
+}
+
+
 std::string RuleMessage::getClientIpAddress() const {
     if (m_transaction) {
         return *m_transaction->m_clientIpAddress.get();

src/rule_with_actions.cc

@@ -90,6 +90,8 @@ RuleWithActions::RuleWithActions(
     m_containsCaptureAction(false),
     m_containsLogAction(false),
     m_containsNoLogAction(false),
+    m_containsAuditLogAction(false),
+    m_containsNoAuditLogAction(false),
     m_containsMultiMatchAction(false),
     m_containsStaticBlockAction(false),
     m_defaultSeverity(SEVERITY_NOT_SET),
@@ -100,6 +102,8 @@ RuleWithActions::RuleWithActions(
     m_defaultContainsCaptureAction(false),
     m_defaultContainsLogAction(false),
     m_defaultContainsNoLogAction(false),
+    m_defaultContainsAuditLogAction(false),
+    m_defaultContainsNoAuditLogAction(false),
     m_defaultContainsMultiMatchAction(false),
     m_defaultContainsStaticBlockAction(false),
     m_isChained(false) {