RubyGems - datadog - Versions diffs - 2.12.0 → 2.22.0 - Mend

datadog 2.12.0 → 2.22.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (570) hide show

data/lib/datadog/appsec/contrib/devise/data_extractor.rb ADDED Viewed

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+require_relative '../../anonymizer'
+module Datadog
+  module AppSec
+    module Contrib
+      module Devise
+        # Extracts user identification data from Devise resources.
+        # Supports both regular and anonymized data extraction modes.
+        class DataExtractor
+          PRIORITY_ORDERED_ID_KEYS = [:id, 'id', :uuid, 'uuid'].freeze
+          PRIORITY_ORDERED_LOGIN_KEYS = [:email, 'email', :username, 'username', :login, 'login'].freeze
+          def initialize(mode:)
+            @mode = mode
+            @devise_scopes = {}
+          end
+          def extract_id(object)
+            return if object.nil?
+            if object.respond_to?(:[])
+              id = object[PRIORITY_ORDERED_ID_KEYS.find { |key| object[key] }]
+              scope = find_devise_scope(object)
+              id = "#{scope}:#{id}" if id && scope
+              return transform(id)
+            end
+            id = object.id if object.respond_to?(:id)
+            id ||= object.uuid if object.respond_to?(:uuid)
+            scope = find_devise_scope(object)
+            id = "#{scope}:#{id}" if id && scope
+            transform(id)
+          end
+          def extract_login(object)
+            return if object.nil?
+            if object.respond_to?(:[])
+              login = object[PRIORITY_ORDERED_LOGIN_KEYS.find { |key| object[key] }]
+              return transform(login)
+            end
+            login = object.email if object.respond_to?(:email)
+            login ||= object.username if object.respond_to?(:username)
+            login ||= object.login if object.respond_to?(:login)
+            transform(login)
+          end
+          private
+          def find_devise_scope(object)
+            return if ::Devise.mappings.count == 1
+            @devise_scopes[object.class.name] ||= ::Devise.mappings
+              .each_value.find { |mapping| mapping.class_name == object.class.name }&.name
+          end
+          def transform(value)
+            return if value.nil?
+            return value.to_s unless anonymize?
+            Anonymizer.anonymize(value.to_s)
+          end
+          def anonymize?
+            @mode == AppSec::Configuration::Settings::ANONYMIZATION_AUTO_USER_INSTRUMENTATION_MODE
+          end
+        end
+      end
+    end
+  end
+end

data/lib/datadog/appsec/contrib/devise/ext.rb CHANGED Viewed

@@ -6,6 +6,28 @@ module Datadog
       module Devise
         # Devise integration constants
         module Ext
+          EVENT_LOGIN_SUCCESS = 'users.login.success'
+          EVENT_LOGIN_FAILURE = 'users.login.failure'
+          EVENT_SIGNUP = 'users.signup'
+          TAG_DD_USR_ID = '_dd.appsec.usr.id'
+          TAG_DD_USR_LOGIN = '_dd.appsec.usr.login'
+          TAG_DD_SIGNUP_MODE = '_dd.appsec.events.users.signup.auto.mode'
+          TAG_DD_COLLECTION_MODE = '_dd.appsec.user.collection_mode'
+          TAG_DD_LOGIN_SUCCESS_MODE = '_dd.appsec.events.users.login.success.auto.mode'
+          TAG_DD_LOGIN_FAILURE_MODE = '_dd.appsec.events.users.login.failure.auto.mode'
+          TAG_USR_ID = 'usr.id'
+          TAG_SESSION_ID = 'usr.session_id'
+          TAG_SIGNUP_TRACK = 'appsec.events.users.signup.track'
+          TAG_SIGNUP_USR_ID = 'appsec.events.users.signup.usr.id'
+          TAG_SIGNUP_USR_LOGIN = 'appsec.events.users.signup.usr.login'
+          TAG_LOGIN_FAILURE_TRACK = 'appsec.events.users.login.failure.track'
+          TAG_LOGIN_FAILURE_USR_ID = 'appsec.events.users.login.failure.usr.id'
+          TAG_LOGIN_FAILURE_USR_LOGIN = 'appsec.events.users.login.failure.usr.login'
+          TAG_LOGIN_FAILURE_USR_EXISTS = 'appsec.events.users.login.failure.usr.exists'
+          TAG_LOGIN_SUCCESS_TRACK = 'appsec.events.users.login.success.track'
+          TAG_LOGIN_SUCCESS_USR_LOGIN = 'appsec.events.users.login.success.usr.login'
         end
       end
     end

data/lib/datadog/appsec/contrib/devise/integration.rb CHANGED Viewed

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 require_relative '../integration'
 require_relative 'patcher'
 module Datadog
@@ -17,7 +16,7 @@ module Datadog
           register_as :devise, auto_patch: true
           def self.version
-            Gem.loaded_specs['devise'] && Gem.loaded_specs['devise'].version
+            Gem.loaded_specs['devise']&.version
           end
           def self.loaded?

data/lib/datadog/appsec/contrib/devise/patcher.rb CHANGED Viewed

@@ -1,15 +1,22 @@
 # frozen_string_literal: true
-require_relative 'patcher/authenticatable_patch'
-require_relative 'patcher/rememberable_patch'
-require_relative 'patcher/registration_controller_patch'
+require_relative '../../../core/utils/only_once'
+require_relative 'tracking_middleware'
+require_relative 'patches/signup_tracking_patch'
+require_relative 'patches/signin_tracking_patch'
+require_relative 'patches/skip_signin_tracking_patch'
 module Datadog
   module AppSec
     module Contrib
       module Devise
-        # Patcher for AppSec on Devise
+        # Devise patcher
         module Patcher
+          GUARD_ONCE_PER_APP = Hash.new do |hash, key|
+            hash[key] = Datadog::Core::Utils::OnlyOnce.new
+          end
           module_function
           def patched?
@@ -21,29 +28,33 @@ module Datadog
           end
           def patch
-            patch_authenticatable_strategy
-            patch_rememberable_strategy
-            patch_registration_controller
-            Patcher.instance_variable_set(:@patched, true)
-          end
-          def patch_authenticatable_strategy
-            ::Devise::Strategies::Authenticatable.prepend(AuthenticatablePatch)
-          end
+            ::ActiveSupport.on_load(:before_initialize) do |app|
+              GUARD_ONCE_PER_APP[app].run do
+                app.middleware.insert_after(Warden::Manager, TrackingMiddleware)
+              rescue RuntimeError
+                AppSec.telemetry.error('AppSec: unable to insert Devise TrackingMiddleware')
+              end
+            end
-          def patch_rememberable_strategy
-            return unless ::Devise::STRATEGIES.include?(:rememberable)
+            ::ActiveSupport.on_load(:after_initialize) do
+              if ::Devise::RegistrationsController.descendants.empty?
+                ::Devise::RegistrationsController.prepend(Patches::SignupTrackingPatch)
+              else
+                ::Devise::RegistrationsController.descendants.each do |controller|
+                  controller.prepend(Patches::SignupTrackingPatch)
+                end
+              end
+            end
-            # Rememberable strategy is required in autoloaded Rememberable model
-            ::Devise::Models::Rememberable # rubocop:disable Lint/Void
-            ::Devise::Strategies::Rememberable.prepend(RememberablePatch)
-          end
+            ::Devise::Strategies::Authenticatable.prepend(Patches::SigninTrackingPatch)
-          def patch_registration_controller
-            ::ActiveSupport.on_load(:after_initialize) do
-              ::Devise::RegistrationsController.prepend(RegistrationControllerPatch)
+            if ::Devise::STRATEGIES.include?(:rememberable)
+              # Rememberable strategy is required in autoloaded Rememberable model
+              require 'devise/models/rememberable'
+              ::Devise::Strategies::Rememberable.prepend(Patches::SkipSigninTrackingPatch)
             end
+            Patcher.instance_variable_set(:@patched, true)
           end
         end
       end

data/lib/datadog/appsec/contrib/devise/patches/signin_tracking_patch.rb ADDED Viewed

@@ -0,0 +1,103 @@
+# frozen_string_literal: true
+require_relative '../ext'
+require_relative '../configuration'
+require_relative '../data_extractor'
+require_relative '../../../trace_keeper'
+module Datadog
+  module AppSec
+    module Contrib
+      module Devise
+        module Patches
+          # A patch for Devise::Authenticatable strategy with tracking functionality
+          module SigninTrackingPatch
+            def validate(resource, &block)
+              result = super
+              return result unless AppSec.enabled?
+              return result if @_datadog_appsec_skip_track_login_event
+              return result unless Configuration.auto_user_instrumentation_enabled?
+              return result unless AppSec.active_context
+              context = AppSec.active_context
+              if context.trace.nil? || context.span.nil?
+                Datadog.logger.debug { 'AppSec: unable to track signin events, due to missing trace or span' }
+                return result
+              end
+              TraceKeeper.keep!(context.trace)
+              if result
+                record_successful_signin(context, resource)
+                Instrumentation.gateway.push('appsec.events.user_lifecycle', Ext::EVENT_LOGIN_SUCCESS)
+                return result
+              end
+              record_failed_signin(context, resource)
+              Instrumentation.gateway.push('appsec.events.user_lifecycle', Ext::EVENT_LOGIN_FAILURE)
+              result
+            end
+            private
+            def record_successful_signin(context, resource)
+              extractor = DataExtractor.new(mode: Configuration.auto_user_instrumentation_mode)
+              id = extractor.extract_id(resource)
+              login = extractor.extract_login(authentication_hash) || extractor.extract_login(resource)
+              if id
+                context.span[Ext::TAG_USR_ID] ||= id
+                context.span[Ext::TAG_DD_USR_ID] = id
+              end
+              context.span[Ext::TAG_LOGIN_SUCCESS_USR_LOGIN] ||= login
+              context.span[Ext::TAG_LOGIN_SUCCESS_TRACK] = 'true'
+              context.span[Ext::TAG_DD_USR_LOGIN] = login
+              context.span[Ext::TAG_DD_LOGIN_SUCCESS_MODE] = Configuration.auto_user_instrumentation_mode
+              # NOTE: We don't have a way to make one-shot receivers for events,
+              #       and because of that we will trigger an additional event even
+              #       if it was already done via the SDK
+              AppSec::Instrumentation.gateway.push(
+                'identity.set_user', AppSec::Instrumentation::Gateway::User.new(id, login)
+              )
+            end
+            def record_failed_signin(context, resource)
+              extractor = DataExtractor.new(mode: Configuration.auto_user_instrumentation_mode)
+              context.span[Ext::TAG_LOGIN_FAILURE_TRACK] = 'true'
+              context.span[Ext::TAG_DD_LOGIN_FAILURE_MODE] = Configuration.auto_user_instrumentation_mode
+              unless resource
+                login = extractor.extract_login(authentication_hash)
+                context.span[Ext::TAG_DD_USR_LOGIN] = login
+                context.span[Ext::TAG_LOGIN_FAILURE_USR_LOGIN] ||= login
+                context.span[Ext::TAG_LOGIN_FAILURE_USR_EXISTS] ||= 'false'
+                return
+              end
+              id = extractor.extract_id(resource)
+              login = extractor.extract_login(authentication_hash) || extractor.extract_login(resource)
+              if id
+                context.span[Ext::TAG_DD_USR_ID] = id
+                context.span[Ext::TAG_LOGIN_FAILURE_USR_ID] ||= id
+              end
+              context.span[Ext::TAG_DD_USR_LOGIN] = login
+              context.span[Ext::TAG_LOGIN_FAILURE_USR_LOGIN] ||= login
+              context.span[Ext::TAG_LOGIN_FAILURE_USR_EXISTS] ||= 'true'
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/datadog/appsec/contrib/devise/patches/signup_tracking_patch.rb ADDED Viewed

@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+require_relative '../ext'
+require_relative '../configuration'
+require_relative '../data_extractor'
+require_relative '../../../trace_keeper'
+module Datadog
+  module AppSec
+    module Contrib
+      module Devise
+        module Patches
+          # A patch for Devise::RegistrationsController with tracking functionality
+          module SignupTrackingPatch
+            def create
+              return super unless AppSec.enabled?
+              return super unless Configuration.auto_user_instrumentation_enabled?
+              return super unless AppSec.active_context
+              super do |resource|
+                context = AppSec.active_context
+                if context.trace.nil? || context.span.nil?
+                  Datadog.logger.debug { 'AppSec: unable to track signup events, due to missing trace or span' }
+                  next yield(resource) if block_given?
+                end
+                next yield(resource) if resource.new_record? && block_given?
+                TraceKeeper.keep!(context.trace)
+                record_successful_signup(context, resource)
+                Instrumentation.gateway.push('appsec.events.user_lifecycle', Ext::EVENT_SIGNUP)
+                yield(resource) if block_given?
+              end
+            end
+            private
+            def record_successful_signup(context, resource)
+              extractor = DataExtractor.new(mode: Configuration.auto_user_instrumentation_mode)
+              id = extractor.extract_id(resource)
+              login = extractor.extract_login(resource_params) || extractor.extract_login(resource)
+              context.span[Ext::TAG_SIGNUP_TRACK] = 'true'
+              context.span[Ext::TAG_DD_USR_LOGIN] = login
+              context.span[Ext::TAG_SIGNUP_USR_LOGIN] ||= login
+              context.span[Ext::TAG_DD_SIGNUP_MODE] = Configuration.auto_user_instrumentation_mode
+              if id
+                context.span[Ext::TAG_DD_USR_ID] = id
+                id_tag = resource.active_for_authentication? ? Ext::TAG_USR_ID : Ext::TAG_SIGNUP_USR_ID
+                context.span[id_tag] ||= id
+              end
+              # NOTE: We don't have a way to make one-shot receivers for events,
+              #       and because of that we will trigger an additional event even
+              #       if it was already done via the SDK
+              AppSec::Instrumentation.gateway.push(
+                'identity.set_user', AppSec::Instrumentation::Gateway::User.new(id, login)
+              )
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/datadog/appsec/contrib/devise/{patcher/rememberable_patch.rb → patches/skip_signin_tracking_patch.rb} RENAMED Viewed

@@ -4,10 +4,10 @@ module Datadog
   module AppSec
     module Contrib
       module Devise
-        module Patcher
+        module Patches
           # To avoid tracking new sessions that are created by
           # Rememberable strategy as Login Success events.
-          module RememberablePatch
+          module SkipSigninTrackingPatch
             def validate(*args)
               @_datadog_appsec_skip_track_login_event = true

data/lib/datadog/appsec/contrib/devise/tracking_middleware.rb ADDED Viewed

@@ -0,0 +1,106 @@
+# frozen_string_literal: true
+require_relative 'ext'
+require_relative '../../anonymizer'
+module Datadog
+  module AppSec
+    module Contrib
+      module Devise
+        # A Rack middleware capable of tracking currently signed user
+        class TrackingMiddleware
+          WARDEN_KEY = 'warden'
+          SESSION_ID_KEY = 'session_id'
+          def initialize(app)
+            @app = app
+            @devise_session_scope_keys = {}
+          end
+          def call(env)
+            return @app.call(env) unless AppSec.enabled?
+            return @app.call(env) unless Configuration.auto_user_instrumentation_enabled?
+            return @app.call(env) unless AppSec.active_context
+            unless env.key?(WARDEN_KEY)
+              Datadog.logger.debug { 'AppSec: unable to track requests, due to missing warden manager' }
+              return @app.call(env)
+            end
+            context = AppSec.active_context
+            if context.trace.nil? || context.span.nil?
+              Datadog.logger.debug { 'AppSec: unable to track requests, due to missing trace or span' }
+              return @app.call(env)
+            end
+            # NOTE: Rails session id will be set for unauthenticated users as well,
+            #       so we need to make sure we are tracking only authenticated users.
+            id = transform(extract_id(env[WARDEN_KEY]))
+            session_id = env[WARDEN_KEY].raw_session[SESSION_ID_KEY] if id
+            if id
+              # NOTE: There is no option to set session id without setting user id via SDK.
+              unless context.span.has_tag?(Ext::TAG_USR_ID) && context.span.has_tag?(Ext::TAG_SESSION_ID)
+                user_id = context.span[Ext::TAG_USR_ID] || id
+                user_session_id = context.span[Ext::TAG_SESSION_ID] || session_id
+                # FIXME: The current implementation of event arguments is forsing us
+                #        to bloat User class, and pass nil-value instead of skip
+                #        passing them at first place.
+                #        This is a temporary situation until we refactor events model.
+                AppSec::Instrumentation.gateway.push(
+                  'identity.set_user', AppSec::Instrumentation::Gateway::User.new(user_id, nil, user_session_id)
+                )
+              end
+              context.span[Ext::TAG_USR_ID] ||= id
+              context.span[Ext::TAG_DD_USR_ID] = id
+              context.span[Ext::TAG_DD_COLLECTION_MODE] ||= Configuration.auto_user_instrumentation_mode
+            end
+            @app.call(env)
+          end
+          private
+          def extract_id(warden)
+            session_serializer = warden.session_serializer
+            key = session_key_for(session_serializer, ::Devise.default_scope)
+            id = session_serializer.session[key]&.dig(0, 0)
+            return id if ::Devise.mappings.size == 1
+            return "#{::Devise.default_scope}:#{id}" if id
+            ::Devise.mappings.each_key do |scope|
+              next if scope == ::Devise.default_scope
+              key = session_key_for(session_serializer, scope)
+              id = session_serializer.session[key]&.dig(0, 0)
+              return "#{scope}:#{id}" if id
+            end
+            nil
+          end
+          def session_key_for(session_serializer, scope)
+            @devise_session_scope_keys[scope] ||= session_serializer.key_for(scope)
+          end
+          def transform(value)
+            return if value.nil?
+            return value.to_s unless anonymize?
+            Anonymizer.anonymize(value.to_s)
+          end
+          def anonymize?
+            Configuration.auto_user_instrumentation_mode ==
+              AppSec::Configuration::Settings::ANONYMIZATION_AUTO_USER_INSTRUMENTATION_MODE
+          end
+        end
+      end
+    end
+  end
+end

data/lib/datadog/appsec/contrib/excon/integration.rb CHANGED Viewed

@@ -16,7 +16,7 @@ module Datadog
           register_as :excon
           def self.version
-            Gem.loaded_specs['excon'] && Gem.loaded_specs['excon'].version
+            Gem.loaded_specs['excon']&.version
           end
           def self.loaded?

data/lib/datadog/appsec/contrib/excon/ssrf_detection_middleware.rb CHANGED Viewed

@@ -1,8 +1,11 @@
-# rubocop:disable Naming/FileName
 # frozen_string_literal: true
 require 'excon'
+require_relative '../../event'
+require_relative '../../trace_keeper'
+require_relative '../../security_event'
 module Datadog
   module AppSec
     module Contrib
@@ -15,22 +18,19 @@ module Datadog
             context = AppSec.active_context
             request_url = URI.join("#{data[:scheme]}://#{data[:host]}", data[:path]).to_s
-            ephemeral_data = { 'server.io.net.url' => request_url }
+            ephemeral_data = {'server.io.net.url' => request_url}
             result = context.run_rasp(Ext::RASP_SSRF, {}, ephemeral_data, Datadog.configuration.appsec.waf_timeout)
             if result.match?
-              Datadog::AppSec::Event.tag_and_keep!(context, result)
+              AppSec::Event.tag(context, result)
+              TraceKeeper.keep!(context.trace) if result.keep?
-              context.events << {
-                waf_result: result,
-                trace: context.trace,
-                span: context.span,
-                request_url: request_url,
-                actions: result.actions
-              }
+              context.events.push(
+                AppSec::SecurityEvent.new(result, trace: context.trace, span: context.span)
+              )
-              ActionsHandler.handle(result.actions)
+              AppSec::ActionsHandler.handle(result.actions)
             end
             super
@@ -40,4 +40,3 @@ module Datadog
     end
   end
 end
-# rubocop:enable Naming/FileName

data/lib/datadog/appsec/contrib/faraday/integration.rb CHANGED Viewed

@@ -17,7 +17,7 @@ module Datadog
           register_as :faraday, auto_patch: true
           def self.version
-            Gem.loaded_specs['faraday'] && Gem.loaded_specs['faraday'].version
+            Gem.loaded_specs['faraday']&.version
           end
           def self.loaded?

data/lib/datadog/appsec/contrib/faraday/ssrf_detection_middleware.rb CHANGED Viewed

@@ -1,6 +1,9 @@
-# rubocop:disable Naming/FileName
 # frozen_string_literal: true
+require_relative '../../event'
+require_relative '../../trace_keeper'
+require_relative '../../security_event'
 module Datadog
   module AppSec
     module Contrib
@@ -19,17 +22,14 @@ module Datadog
             result = context.run_rasp(Ext::RASP_SSRF, {}, ephemeral_data, Datadog.configuration.appsec.waf_timeout)
             if result.match?
-              Datadog::AppSec::Event.tag_and_keep!(context, result)
+              AppSec::Event.tag(context, result)
+              TraceKeeper.keep!(context.trace) if result.keep?
-              context.events << {
-                waf_result: result,
-                trace: context.trace,
-                span: context.span,
-                request_url: request_env.url,
-                actions: result.actions
-              }
+              context.events.push(
+                AppSec::SecurityEvent.new(result, trace: context.trace, span: context.span)
+              )
-              ActionsHandler.handle(result.actions)
+              AppSec::ActionsHandler.handle(result.actions)
             end
             @app.call(request_env)

data/lib/datadog/appsec/contrib/graphql/gateway/watcher.rb CHANGED Viewed

@@ -1,6 +1,10 @@
 # frozen_string_literal: true
 require 'json'
+require_relative '../../../event'
+require_relative '../../../trace_keeper'
+require_relative '../../../security_event'
 require_relative '../../../instrumentation/gateway'
 module Datadog
@@ -29,17 +33,14 @@ module Datadog
                     result = context.run_waf(persistent_data, {}, Datadog.configuration.appsec.waf_timeout)
                     if result.match?
-                      Datadog::AppSec::Event.tag_and_keep!(context, result)
+                      AppSec::Event.tag(context, result)
+                      TraceKeeper.keep!(context.trace) if result.keep?
-                      context.events << {
-                        waf_result: result,
-                        trace: context.trace,
-                        span: context.span,
-                        multiplex: gateway_multiplex,
-                        actions: result.actions
-                      }
+                      context.events.push(
+                        AppSec::SecurityEvent.new(result, trace: context.trace, span: context.span)
+                      )
-                      Datadog::AppSec::ActionsHandler.handle(result.actions)
+                      AppSec::ActionsHandler.handle(result.actions)
                     end
                   end

data/lib/datadog/appsec/contrib/graphql/integration.rb CHANGED Viewed

@@ -23,7 +23,7 @@ module Datadog
           register_as :graphql, auto_patch: false
           def self.version
-            Gem.loaded_specs['graphql'] && Gem.loaded_specs['graphql'].version
+            Gem.loaded_specs['graphql']&.version
           end
           def self.loaded?