Use raw pointers instead of shared pointers for rule targets (#141)

DataDog · Feb 21, 2023 · c556f39 · c556f39
1 parent 15b2282
commit c556f39
Show file tree

Hide file tree

Showing 14 changed files with 200 additions and 192 deletions.
diff --git a/src/collection.cpp b/src/collection.cpp
@@ -13,8 +13,8 @@ namespace ddwaf {
 namespace {
 std::optional<event> match_rule(const rule::ptr &rule, const object_store &store,
     std::unordered_map<rule::ptr, rule::cache_type> &cache,
-    const std::unordered_set<rule::ptr> &rules_to_exclude,
-    const std::unordered_map<rule::ptr, collection::object_set> &objects_to_exclude,
+    const std::unordered_set<ddwaf::rule *> &rules_to_exclude,
+    const std::unordered_map<ddwaf::rule *, collection::object_set> &objects_to_exclude,
     const std::unordered_map<std::string, rule_processor::base::ptr> &dynamic_processors,
     ddwaf::timer &deadline)
 {
@@ -29,7 +29,7 @@ std::optional<event> match_rule(const rule::ptr &rule, const object_store &store
         return std::nullopt;
     }
 
-    if (rules_to_exclude.find(rule) != rules_to_exclude.end()) {
+    if (rules_to_exclude.find(rule.get()) != rules_to_exclude.end()) {
         DDWAF_DEBUG("Excluding Rule %s", id.c_str());
         return std::nullopt;
     }
@@ -45,7 +45,7 @@ std::optional<event> match_rule(const rule::ptr &rule, const object_store &store
 
         rule::cache_type &rule_cache = it->second;
         std::optional<event> event;
-        auto exclude_it = objects_to_exclude.find(rule);
+        auto exclude_it = objects_to_exclude.find(rule.get());
         if (exclude_it != objects_to_exclude.end()) {
             const auto &objects_excluded = exclude_it->second;
             event = rule->match(store, rule_cache, objects_excluded, dynamic_processors, deadline);
@@ -65,8 +65,8 @@ std::optional<event> match_rule(const rule::ptr &rule, const object_store &store
 
 void collection::match(std::vector<event> &events,
     std::unordered_set<std::string_view> & /*seen_actions*/, const object_store &store,
-    collection_cache &cache, const std::unordered_set<rule::ptr> &rules_to_exclude,
-    const std::unordered_map<rule::ptr, object_set> &objects_to_exclude,
+    collection_cache &cache, const std::unordered_set<rule *> &rules_to_exclude,
+    const std::unordered_map<rule *, object_set> &objects_to_exclude,
     const std::unordered_map<std::string, rule_processor::base::ptr> &dynamic_processors,
     ddwaf::timer &deadline) const
 {
@@ -88,8 +88,8 @@ void collection::match(std::vector<event> &events,
 
 void priority_collection::match(std::vector<event> &events,
     std::unordered_set<std::string_view> &seen_actions, const object_store &store,
-    collection_cache &cache, const std::unordered_set<rule::ptr> &rules_to_exclude,
-    const std::unordered_map<rule::ptr, object_set> &objects_to_exclude,
+    collection_cache &cache, const std::unordered_set<rule *> &rules_to_exclude,
+    const std::unordered_map<rule *, object_set> &objects_to_exclude,
     const std::unordered_map<std::string, rule_processor::base::ptr> &dynamic_processors,
     ddwaf::timer &deadline) const
 {

diff --git a/src/collection.hpp b/src/collection.hpp
@@ -52,8 +52,8 @@ class collection {
     virtual void match(std::vector<event> &events /* output */,
         std::unordered_set<std::string_view> &seen_actions /* input & output */,
         const object_store &store, collection_cache &cache,
-        const std::unordered_set<rule::ptr> &rules_to_exclude,
-        const std::unordered_map<rule::ptr, object_set> &objects_to_exclude,
+        const std::unordered_set<ddwaf::rule *> &rules_to_exclude,
+        const std::unordered_map<ddwaf::rule *, object_set> &objects_to_exclude,
         const std::unordered_map<std::string, rule_processor::base::ptr> &dynamic_processors,
         ddwaf::timer &deadline) const;
 
@@ -81,8 +81,8 @@ class priority_collection : public collection {
     void match(std::vector<event> &events /* output */,
         std::unordered_set<std::string_view> &seen_actions /* input & output */,
         const object_store &store, collection_cache &cache,
-        const std::unordered_set<rule::ptr> &rules_to_exclude,
-        const std::unordered_map<rule::ptr, object_set> &objects_to_exclude,
+        const std::unordered_set<ddwaf::rule *> &rules_to_exclude,
+        const std::unordered_map<ddwaf::rule *, object_set> &objects_to_exclude,
         const std::unordered_map<std::string, rule_processor::base::ptr> &dynamic_processors,
         ddwaf::timer &deadline) const override;
 

diff --git a/src/context.cpp b/src/context.cpp
@@ -66,7 +66,7 @@ DDWAF_RET_CODE context::run(
     return code;
 }
 
-const std::unordered_set<rule::ptr> &context::filter_rules(ddwaf::timer &deadline)
+const std::unordered_set<rule *> &context::filter_rules(ddwaf::timer &deadline)
 {
     for (const auto &[id, filter] : ruleset_->rule_filters) {
         if (deadline.expired()) {
@@ -87,8 +87,8 @@ const std::unordered_set<rule::ptr> &context::filter_rules(ddwaf::timer &deadlin
     return rules_to_exclude_;
 }
 
-const std::unordered_map<rule::ptr, context::object_set> &context::filter_inputs(
-    const std::unordered_set<rule::ptr> &rules_to_exclude, ddwaf::timer &deadline)
+const std::unordered_map<rule *, context::object_set> &context::filter_inputs(
+    const std::unordered_set<rule *> &rules_to_exclude, ddwaf::timer &deadline)
 {
     for (const auto &[id, filter] : ruleset_->input_filters) {
         if (deadline.expired()) {
@@ -119,8 +119,8 @@ const std::unordered_map<rule::ptr, context::object_set> &context::filter_inputs
     return objects_to_exclude_;
 }
 
-std::vector<event> context::match(const std::unordered_set<rule::ptr> &rules_to_exclude,
-    const std::unordered_map<rule::ptr, object_set> &objects_to_exclude, ddwaf::timer &deadline)
+std::vector<event> context::match(const std::unordered_set<rule *> &rules_to_exclude,
+    const std::unordered_map<rule *, object_set> &objects_to_exclude, ddwaf::timer &deadline)
 {
     std::vector<ddwaf::event> events;
 

diff --git a/src/context.hpp b/src/context.hpp
@@ -44,13 +44,12 @@ class context {
 
     // These two functions below return references to internal objects,
     // however using them this way helps with testing
-    const std::unordered_set<rule::ptr> &filter_rules(ddwaf::timer &deadline);
-    const std::unordered_map<rule::ptr, object_set> &filter_inputs(
-        const std::unordered_set<rule::ptr> &rules_to_exclude, ddwaf::timer &deadline);
+    const std::unordered_set<rule *> &filter_rules(ddwaf::timer &deadline);
+    const std::unordered_map<rule *, object_set> &filter_inputs(
+        const std::unordered_set<rule *> &rules_to_exclude, ddwaf::timer &deadline);
 
-    std::vector<event> match(const std::unordered_set<rule::ptr> &rules_to_exclude,
-        const std::unordered_map<rule::ptr, object_set> &objects_to_exclude,
-        ddwaf::timer &deadline);
+    std::vector<event> match(const std::unordered_set<rule *> &rules_to_exclude,
+        const std::unordered_map<rule *, object_set> &objects_to_exclude, ddwaf::timer &deadline);
 
 protected:
     bool is_first_run() const { return collection_cache_.empty(); }
@@ -65,8 +64,8 @@ class context {
     std::unordered_map<rule_filter::ptr, rule_filter::cache_type> rule_filter_cache_;
     std::unordered_map<input_filter::ptr, input_filter::cache_type> input_filter_cache_;
 
-    std::unordered_set<rule::ptr> rules_to_exclude_;
-    std::unordered_map<rule::ptr, object_set> objects_to_exclude_;
+    std::unordered_set<rule *> rules_to_exclude_;
+    std::unordered_map<rule *, object_set> objects_to_exclude_;
 
     // Cache of collections to avoid processing once a result has been obtained
     std::unordered_map<std::string_view, collection::cache_type> collection_cache_;

diff --git a/src/exclusion/input_filter.cpp b/src/exclusion/input_filter.cpp
@@ -12,7 +12,7 @@ namespace ddwaf::exclusion {
 using excluded_set = input_filter::excluded_set;
 
 input_filter::input_filter(std::string id, std::vector<condition::ptr> conditions,
-    std::set<rule::ptr> rule_targets, std::shared_ptr<object_filter> filter)
+    std::set<rule *> rule_targets, std::shared_ptr<object_filter> filter)
     : id_(std::move(id)), conditions_(std::move(conditions)),
       rule_targets_(std::move(rule_targets)), filter_(std::move(filter))
 {}

diff --git a/src/exclusion/input_filter.hpp b/src/exclusion/input_filter.hpp
@@ -22,7 +22,7 @@ class input_filter {
     using ptr = std::shared_ptr<input_filter>;
 
     struct excluded_set {
-        const std::set<rule::ptr> &rules;
+        const std::set<rule *> &rules;
         std::unordered_set<const ddwaf_object *> objects;
     };
 
@@ -33,7 +33,7 @@ class input_filter {
     };
 
     input_filter(std::string id, std::vector<condition::ptr> conditions,
-        std::set<rule::ptr> rule_targets, std::shared_ptr<object_filter> filter);
+        std::set<rule *> rule_targets, std::shared_ptr<object_filter> filter);
 
     std::optional<excluded_set> match(
         const object_store &store, cache_type &cache, ddwaf::timer &deadline) const;
@@ -43,7 +43,7 @@ class input_filter {
 protected:
     std::string id_;
     std::vector<condition::ptr> conditions_;
-    const std::set<rule::ptr> rule_targets_;
+    const std::set<rule *> rule_targets_;
     std::shared_ptr<object_filter> filter_;
 };
 

diff --git a/src/exclusion/rule_filter.cpp b/src/exclusion/rule_filter.cpp
@@ -10,7 +10,7 @@
 namespace ddwaf::exclusion {
 
 rule_filter::rule_filter(
-    std::string id, std::vector<condition::ptr> conditions, std::set<rule::ptr> rule_targets)
+    std::string id, std::vector<condition::ptr> conditions, std::set<rule *> rule_targets)
     : id_(std::move(id)), conditions_(std::move(conditions))
 {
     rule_targets_.reserve(rule_targets.size());
@@ -19,7 +19,7 @@ rule_filter::rule_filter(
     }
 }
 
-std::unordered_set<rule::ptr> rule_filter::match(
+std::unordered_set<rule *> rule_filter::match(
     const object_store &store, cache_type &cache, ddwaf::timer &deadline) const
 {
     if (cache.result) {

diff --git a/src/exclusion/rule_filter.hpp b/src/exclusion/rule_filter.hpp
@@ -18,25 +18,25 @@ namespace ddwaf::exclusion {
 class rule_filter {
 public:
     using ptr = std::shared_ptr<rule_filter>;
-    using optional_set = std::optional<std::reference_wrapper<const std::set<rule::ptr>>>;
+    using optional_set = std::optional<std::reference_wrapper<const std::set<rule *>>>;
 
     struct cache_type {
         bool result{false};
         std::unordered_map<condition::ptr, bool> conditions;
     };
 
     rule_filter(
-        std::string id, std::vector<condition::ptr> conditions, std::set<rule::ptr> rule_targets);
+        std::string id, std::vector<condition::ptr> conditions, std::set<rule *> rule_targets);
 
-    std::unordered_set<rule::ptr> match(
+    std::unordered_set<rule *> match(
         const object_store &store, cache_type &cache, ddwaf::timer &deadline) const;
 
     std::string_view get_id() { return id_; }
 
 protected:
     std::string id_;
     std::vector<condition::ptr> conditions_;
-    std::unordered_set<rule::ptr> rule_targets_;
+    std::unordered_set<rule *> rule_targets_;
 };
 
 } // namespace ddwaf::exclusion
diff --git a/src/ruleset.hpp b/src/ruleset.hpp
@@ -21,7 +21,7 @@
 
 namespace ddwaf {
 
-using rule_tag_map = ddwaf::multi_key_map<std::string_view, rule::ptr>;
+using rule_tag_map = ddwaf::multi_key_map<std::string_view, rule *>;
 
 struct ruleset {
     using ptr = std::shared_ptr<ruleset>;

diff --git a/src/ruleset_builder.cpp b/src/ruleset_builder.cpp
@@ -33,26 +33,26 @@ constexpr ruleset_builder::change_state operator&(
 
 namespace {
 
-std::set<rule::ptr> target_to_rules(const std::vector<parser::rule_target_spec> &targets,
+std::set<rule *> target_to_rules(const std::vector<parser::rule_target_spec> &targets,
     const std::unordered_map<std::string_view, rule::ptr> &rules, const rule_tag_map &rules_by_tags)
 {
-    std::set<rule::ptr> rule_targets;
+    std::set<rule *> rule_targets;
     if (!targets.empty()) {
         for (const auto &target : targets) {
             if (target.type == parser::target_type::id) {
                 auto rule_it = rules.find(target.rule_id);
                 if (rule_it == rules.end()) {
                     continue;
                 }
-                rule_targets.emplace(rule_it->second);
+                rule_targets.emplace(rule_it->second.get());
             } else if (target.type == parser::target_type::tags) {
                 auto current_targets = rules_by_tags.multifind(target.tags);
                 rule_targets.merge(current_targets);
             }
         }
     } else {
         // An empty rules target applies to all rules
-        for (const auto &[id, rule] : rules) { rule_targets.emplace(rule); }
+        for (const auto &[id, rule] : rules) { rule_targets.emplace(rule.get()); }
     }
     return rule_targets;
 }
@@ -93,7 +93,7 @@ std::shared_ptr<ruleset> ruleset_builder::build(parameter::map &root, ruleset_in
 
             // The string_view should be owned by the rule_ptr
             final_rules_.emplace(rule_ptr->id, rule_ptr);
-            rules_by_tags_.insert(rule_ptr->tags, rule_ptr);
+            rules_by_tags_.insert(rule_ptr->tags, rule_ptr.get());
         }
 
         for (const auto &ovrd : overrides_.by_tags) {