helper-rust: restore initial ruleset when ASM_DD config addition fails; fix racy telemetry log test

cataphract · claude · cataphract · commit 2a7c56b4808e · 2026-04-24T13:18:52.000+01:00
updateable_waf: when an ASM_DD config fails to be added to the builder,
restore the initial ruleset if it was removed, matching the existing
restore logic in remove_config.

TelemetryTests: wait for the specific bad_config diagnostic log rather
than any 3 RC logs, avoiding a race where leftover exception logs from
the previous test satisfy the condition before the diagnostic arrives.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/appsec/helper-rust/src/service/updateable_waf.rs b/appsec/helper-rust/src/service/updateable_waf.rs
@@ -6,7 +6,7 @@ use libddwaf::{
     Builder, Config, Handle,
 };
 
-use crate::client::log::warning;
+use crate::{client::log::warning, error_once};
 
 /// A WAF instance that can be shared (through clone()) and updated by any thread.
 ///
@@ -104,14 +104,24 @@ impl UpdateableWafInstance {
             guard.initial_ruleset_added = false;
             let res = guard.builder.remove_config(Self::INITIAL_RULESET);
             if !res {
-                warning!("Failed to remove initial ruleset: probably not present, but we it should have been");
+                error_once!("Failed to remove initial ruleset: probably not present, but we it should have been");
             }
         }
 
         let res = guard
             .builder
             .add_or_update_config(path, ruleset, diagnostics);
         if !res {
+            if !guard.initial_ruleset_added && !Self::has_asm_dd_configs(&mut guard.builder) {
+                guard.initial_ruleset_added = true;
+                if !guard.builder.add_or_update_config(
+                    Self::INITIAL_RULESET,
+                    &self.inner.initial_ruleset,
+                    None,
+                ) {
+                    error_once!("Failed to restore initial ruleset after failed config addition");
+                }
+            }
             anyhow::bail!("Failed to add/update config {path}");
         }
         Ok(())
diff --git a/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/TelemetryTests.groovy b/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/TelemetryTests.groovy
@@ -357,7 +357,7 @@ class TelemetryTests {
 
         def messages = TelemetryHelpers.waitForLogs(CONTAINER, 30) { List<TelemetryHelpers.Logs> logs ->
             def relevantLogs = logs.collectMany { it.logs.findAll { it.tags.contains('log_type:rc::') } }
-            relevantLogs.size() >= 3
+            relevantLogs.any { it.tags.contains('rc_config_id:bad_config') }
         }.collectMany { it.logs }
 
         assert requestSup.get() != null
