RubyGems - datadog - Versions diffs - 2.12.1 → 2.13.0 - Mend

datadog 2.12.1 → 2.13.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (123) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +45 -2
data/ext/datadog_profiling_native_extension/collectors_thread_context.c +14 -13
data/ext/datadog_profiling_native_extension/private_vm_api_access.c +8 -0
data/lib/datadog/appsec/actions_handler/serializable_backtrace.rb +89 -0
data/lib/datadog/appsec/actions_handler.rb +22 -1
data/lib/datadog/appsec/anonymizer.rb +16 -0
data/lib/datadog/appsec/configuration/settings.rb +62 -10
data/lib/datadog/appsec/contrib/auto_instrument.rb +1 -1
data/lib/datadog/appsec/contrib/devise/configuration.rb +7 -31
data/lib/datadog/appsec/contrib/devise/data_extractor.rb +79 -0
data/lib/datadog/appsec/contrib/devise/ext.rb +21 -0
data/lib/datadog/appsec/contrib/devise/integration.rb +0 -1
data/lib/datadog/appsec/contrib/devise/patcher.rb +36 -23
data/lib/datadog/appsec/contrib/devise/patches/signin_tracking_patch.rb +102 -0
data/lib/datadog/appsec/contrib/devise/patches/signup_tracking_patch.rb +69 -0
data/lib/datadog/appsec/contrib/devise/{patcher/rememberable_patch.rb → patches/skip_signin_tracking_patch.rb} +2 -2
data/lib/datadog/appsec/contrib/devise/tracking_middleware.rb +93 -0
data/lib/datadog/appsec/contrib/rack/ext.rb +34 -0
data/lib/datadog/appsec/contrib/rack/gateway/watcher.rb +27 -0
data/lib/datadog/appsec/contrib/rack/request_middleware.rb +3 -2
data/lib/datadog/appsec/event.rb +1 -1
data/lib/datadog/appsec/ext.rb +4 -2
data/lib/datadog/appsec/instrumentation/gateway/argument.rb +4 -2
data/lib/datadog/appsec/instrumentation/gateway/middleware.rb +24 -0
data/lib/datadog/appsec/instrumentation/gateway.rb +17 -22
data/lib/datadog/appsec/monitor/gateway/watcher.rb +8 -3
data/lib/datadog/appsec/processor/rule_merger.rb +2 -1
data/lib/datadog/appsec/remote.rb +7 -0
data/lib/datadog/appsec/security_engine/runner.rb +2 -2
data/lib/datadog/appsec/utils.rb +0 -2
data/lib/datadog/core/configuration/components.rb +2 -1
data/lib/datadog/core/configuration/ext.rb +4 -0
data/lib/datadog/core/configuration/options.rb +2 -2
data/lib/datadog/core/configuration/settings.rb +53 -30
data/lib/datadog/core/environment/agent_info.rb +4 -3
data/lib/datadog/core/remote/component.rb +3 -6
data/lib/datadog/core/remote/configuration/repository.rb +2 -1
data/lib/datadog/core/remote/negotiation.rb +9 -9
data/lib/datadog/core/remote/transport/config.rb +4 -3
data/lib/datadog/core/remote/transport/http/client.rb +4 -3
data/lib/datadog/core/remote/transport/http/config.rb +6 -32
data/lib/datadog/core/remote/transport/http/negotiation.rb +6 -32
data/lib/datadog/core/remote/transport/http.rb +22 -57
data/lib/datadog/core/remote/transport/negotiation.rb +4 -3
data/lib/datadog/core/runtime/metrics.rb +8 -1
data/lib/datadog/core/telemetry/http/adapters/net.rb +1 -1
data/lib/datadog/core/transport/http/api/instance.rb +17 -0
data/lib/datadog/core/transport/http/api/spec.rb +17 -0
data/lib/datadog/core/transport/http/builder.rb +5 -3
data/lib/datadog/core/transport/http.rb +39 -2
data/lib/datadog/di/component.rb +0 -2
data/lib/datadog/di/probe_notifier_worker.rb +16 -16
data/lib/datadog/di/transport/diagnostics.rb +4 -3
data/lib/datadog/di/transport/http/api.rb +2 -12
data/lib/datadog/di/transport/http/client.rb +4 -3
data/lib/datadog/di/transport/http/diagnostics.rb +7 -33
data/lib/datadog/di/transport/http/input.rb +7 -33
data/lib/datadog/di/transport/http.rb +14 -56
data/lib/datadog/di/transport/input.rb +4 -3
data/lib/datadog/di/utils.rb +5 -0
data/lib/datadog/kit/appsec/events.rb +9 -0
data/lib/datadog/kit/identity.rb +5 -1
data/lib/datadog/opentelemetry/api/baggage.rb +90 -0
data/lib/datadog/opentelemetry/api/baggage.rbs +26 -0
data/lib/datadog/opentelemetry/api/context.rb +16 -2
data/lib/datadog/opentelemetry/sdk/trace/span.rb +1 -1
data/lib/datadog/opentelemetry.rb +2 -1
data/lib/datadog/profiling/collectors/thread_context.rb +1 -1
data/lib/datadog/profiling.rb +5 -2
data/lib/datadog/tracing/component.rb +15 -12
data/lib/datadog/tracing/configuration/ext.rb +7 -1
data/lib/datadog/tracing/configuration/settings.rb +18 -2
data/lib/datadog/tracing/context_provider.rb +1 -1
data/lib/datadog/tracing/contrib/configuration/settings.rb +1 -1
data/lib/datadog/tracing/contrib/ethon/easy_patch.rb +4 -5
data/lib/datadog/tracing/contrib/excon/middleware.rb +5 -3
data/lib/datadog/tracing/contrib/faraday/middleware.rb +5 -3
data/lib/datadog/tracing/contrib/grpc/datadog_interceptor/client.rb +7 -1
data/lib/datadog/tracing/contrib/grpc/distributed/propagation.rb +3 -0
data/lib/datadog/tracing/contrib/http/circuit_breaker.rb +0 -15
data/lib/datadog/tracing/contrib/http/distributed/propagation.rb +4 -1
data/lib/datadog/tracing/contrib/http/instrumentation.rb +5 -5
data/lib/datadog/tracing/contrib/httpclient/instrumentation.rb +5 -11
data/lib/datadog/tracing/contrib/httprb/instrumentation.rb +6 -10
data/lib/datadog/tracing/contrib/rest_client/request_patch.rb +5 -3
data/lib/datadog/tracing/contrib/sidekiq/client_tracer.rb +6 -1
data/lib/datadog/tracing/contrib/sidekiq/distributed/propagation.rb +3 -0
data/lib/datadog/tracing/correlation.rb +9 -2
data/lib/datadog/tracing/distributed/baggage.rb +131 -0
data/lib/datadog/tracing/distributed/datadog.rb +2 -0
data/lib/datadog/tracing/distributed/propagation.rb +25 -4
data/lib/datadog/tracing/distributed/propagation_policy.rb +42 -0
data/lib/datadog/tracing/metadata/ext.rb +5 -0
data/lib/datadog/tracing/metadata/metastruct.rb +36 -0
data/lib/datadog/tracing/metadata/metastruct_tagging.rb +42 -0
data/lib/datadog/tracing/metadata.rb +2 -0
data/lib/datadog/tracing/sampling/span/rule.rb +0 -1
data/lib/datadog/tracing/span.rb +10 -1
data/lib/datadog/tracing/span_operation.rb +8 -2
data/lib/datadog/tracing/sync_writer.rb +1 -2
data/lib/datadog/tracing/trace_digest.rb +9 -2
data/lib/datadog/tracing/trace_operation.rb +29 -17
data/lib/datadog/tracing/trace_segment.rb +6 -4
data/lib/datadog/tracing/tracer.rb +38 -2
data/lib/datadog/tracing/transport/http/api.rb +2 -10
data/lib/datadog/tracing/transport/http/client.rb +5 -4
data/lib/datadog/tracing/transport/http/traces.rb +13 -41
data/lib/datadog/tracing/transport/http.rb +11 -44
data/lib/datadog/tracing/transport/serializable_trace.rb +3 -1
data/lib/datadog/tracing/transport/trace_formatter.rb +7 -0
data/lib/datadog/tracing/transport/traces.rb +21 -9
data/lib/datadog/tracing/workers/trace_writer.rb +2 -6
data/lib/datadog/tracing/writer.rb +2 -6
data/lib/datadog/tracing.rb +16 -3
data/lib/datadog/version.rb +2 -2
metadata +20 -13
data/lib/datadog/appsec/contrib/devise/event.rb +0 -54
data/lib/datadog/appsec/contrib/devise/patcher/authenticatable_patch.rb +0 -72
data/lib/datadog/appsec/contrib/devise/patcher/registration_controller_patch.rb +0 -47
data/lib/datadog/appsec/contrib/devise/resource.rb +0 -35
data/lib/datadog/appsec/contrib/devise/tracking.rb +0 -57
data/lib/datadog/appsec/utils/trace_operation.rb +0 -15

data/lib/datadog/appsec/contrib/devise/patcher.rb CHANGED Viewed

@@ -1,15 +1,22 @@
 # frozen_string_literal: true
-require_relative 'patcher/authenticatable_patch'
-require_relative 'patcher/rememberable_patch'
-require_relative 'patcher/registration_controller_patch'
+require_relative '../../../core/utils/only_once'
+require_relative 'tracking_middleware'
+require_relative 'patches/signup_tracking_patch'
+require_relative 'patches/signin_tracking_patch'
+require_relative 'patches/skip_signin_tracking_patch'
 module Datadog
   module AppSec
     module Contrib
       module Devise
-        # Patcher for AppSec on Devise
+        # Devise patcher
         module Patcher
+          GUARD_ONCE_PER_APP = Hash.new do |hash, key|
+            hash[key] = Datadog::Core::Utils::OnlyOnce.new
+          end
           module_function
           def patched?
@@ -21,29 +28,35 @@ module Datadog
           end
           def patch
-            patch_authenticatable_strategy
-            patch_rememberable_strategy
-            patch_registration_controller
-            Patcher.instance_variable_set(:@patched, true)
-          end
-          def patch_authenticatable_strategy
-            ::Devise::Strategies::Authenticatable.prepend(AuthenticatablePatch)
-          end
+            ::ActiveSupport.on_load(:before_initialize) do |app|
+              GUARD_ONCE_PER_APP[app].run do
+                begin
+                  app.middleware.insert_after(Warden::Manager, TrackingMiddleware)
+                rescue RuntimeError
+                  AppSec.telemetry.error('AppSec: unable to insert Devise TrackingMiddleware')
+                end
+              end
+            end
-          def patch_rememberable_strategy
-            return unless ::Devise::STRATEGIES.include?(:rememberable)
+            ::ActiveSupport.on_load(:after_initialize) do
+              if ::Devise::RegistrationsController.descendants.empty?
+                ::Devise::RegistrationsController.prepend(Patches::SignupTrackingPatch)
+              else
+                ::Devise::RegistrationsController.descendants.each do |controller|
+                  controller.prepend(Patches::SignupTrackingPatch)
+                end
+              end
+            end
-            # Rememberable strategy is required in autoloaded Rememberable model
-            ::Devise::Models::Rememberable # rubocop:disable Lint/Void
-            ::Devise::Strategies::Rememberable.prepend(RememberablePatch)
-          end
+            ::Devise::Strategies::Authenticatable.prepend(Patches::SigninTrackingPatch)
-          def patch_registration_controller
-            ::ActiveSupport.on_load(:after_initialize) do
-              ::Devise::RegistrationsController.prepend(RegistrationControllerPatch)
+            if ::Devise::STRATEGIES.include?(:rememberable)
+              # Rememberable strategy is required in autoloaded Rememberable model
+              require 'devise/models/rememberable'
+              ::Devise::Strategies::Rememberable.prepend(Patches::SkipSigninTrackingPatch)
             end
+            Patcher.instance_variable_set(:@patched, true)
           end
         end
       end

data/lib/datadog/appsec/contrib/devise/patches/signin_tracking_patch.rb ADDED Viewed

@@ -0,0 +1,102 @@
+# frozen_string_literal: true
+require_relative '../ext'
+require_relative '../configuration'
+require_relative '../data_extractor'
+module Datadog
+  module AppSec
+    module Contrib
+      module Devise
+        module Patches
+          # A patch for Devise::Authenticatable strategy with tracking functionality
+          module SigninTrackingPatch
+            def validate(resource, &block)
+              result = super
+              return result unless AppSec.enabled?
+              return result if @_datadog_appsec_skip_track_login_event
+              return result unless Configuration.auto_user_instrumentation_enabled?
+              return result unless AppSec.active_context
+              context = AppSec.active_context
+              if context.trace.nil? || context.span.nil?
+                Datadog.logger.debug { 'AppSec: unable to track signin events, due to missing trace or span' }
+                return result
+              end
+              context.trace.keep!
+              if result
+                record_successful_signin(context, resource)
+                Instrumentation.gateway.push('appsec.events.user_lifecycle', Ext::EVENT_LOGIN_SUCCESS)
+                return result
+              end
+              record_failed_signin(context, resource)
+              Instrumentation.gateway.push('appsec.events.user_lifecycle', Ext::EVENT_LOGIN_FAILURE)
+              result
+            end
+            private
+            def record_successful_signin(context, resource)
+              extractor = DataExtractor.new(mode: Configuration.auto_user_instrumentation_mode)
+              id = extractor.extract_id(resource)
+              login = extractor.extract_login(authentication_hash) || extractor.extract_login(resource)
+              if id
+                context.span[Ext::TAG_USR_ID] ||= id
+                context.span[Ext::TAG_DD_USR_ID] = id
+              end
+              context.span[Ext::TAG_LOGIN_SUCCESS_USR_LOGIN] ||= login
+              context.span[Ext::TAG_LOGIN_SUCCESS_TRACK] = 'true'
+              context.span[Ext::TAG_DD_USR_LOGIN] = login
+              context.span[Ext::TAG_DD_LOGIN_SUCCESS_MODE] = Configuration.auto_user_instrumentation_mode
+              # NOTE: We don't have a way to make one-shot receivers for events,
+              #       and because of that we will trigger an additional event even
+              #       if it was already done via the SDK
+              AppSec::Instrumentation.gateway.push(
+                'identity.set_user', AppSec::Instrumentation::Gateway::User.new(id, login)
+              )
+            end
+            def record_failed_signin(context, resource)
+              extractor = DataExtractor.new(mode: Configuration.auto_user_instrumentation_mode)
+              context.span[Ext::TAG_LOGIN_FAILURE_TRACK] = 'true'
+              context.span[Ext::TAG_DD_LOGIN_FAILURE_MODE] = Configuration.auto_user_instrumentation_mode
+              unless resource
+                login = extractor.extract_login(authentication_hash)
+                context.span[Ext::TAG_DD_USR_LOGIN] = login
+                context.span[Ext::TAG_LOGIN_FAILURE_USR_LOGIN] ||= login
+                context.span[Ext::TAG_LOGIN_FAILURE_USR_EXISTS] ||= 'false'
+                return
+              end
+              id = extractor.extract_id(resource)
+              login = extractor.extract_login(authentication_hash) || extractor.extract_login(resource)
+              if id
+                context.span[Ext::TAG_DD_USR_ID] = id
+                context.span[Ext::TAG_LOGIN_FAILURE_USR_ID] ||= id
+              end
+              context.span[Ext::TAG_DD_USR_LOGIN] = login
+              context.span[Ext::TAG_LOGIN_FAILURE_USR_LOGIN] ||= login
+              context.span[Ext::TAG_LOGIN_FAILURE_USR_EXISTS] ||= 'true'
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/datadog/appsec/contrib/devise/patches/signup_tracking_patch.rb ADDED Viewed

@@ -0,0 +1,69 @@
+# frozen_string_literal: true
+require_relative '../ext'
+require_relative '../configuration'
+require_relative '../data_extractor'
+module Datadog
+  module AppSec
+    module Contrib
+      module Devise
+        module Patches
+          # A patch for Devise::RegistrationsController with tracking functionality
+          module SignupTrackingPatch
+            def create
+              return super unless AppSec.enabled?
+              return super unless Configuration.auto_user_instrumentation_enabled?
+              return super unless AppSec.active_context
+              super do |resource|
+                context = AppSec.active_context
+                if context.trace.nil? || context.span.nil?
+                  Datadog.logger.debug { 'AppSec: unable to track signup events, due to missing trace or span' }
+                  next yield(resource) if block_given?
+                end
+                next yield(resource) if resource.new_record? && block_given?
+                context.trace.keep!
+                record_successful_signup(context, resource)
+                Instrumentation.gateway.push('appsec.events.user_lifecycle', Ext::EVENT_SIGNUP)
+                yield(resource) if block_given?
+              end
+            end
+            private
+            def record_successful_signup(context, resource)
+              extractor = DataExtractor.new(mode: Configuration.auto_user_instrumentation_mode)
+              id = extractor.extract_id(resource)
+              login = extractor.extract_login(resource_params) || extractor.extract_login(resource)
+              context.span[Ext::TAG_SIGNUP_TRACK] = 'true'
+              context.span[Ext::TAG_DD_USR_LOGIN] = login
+              context.span[Ext::TAG_SIGNUP_USR_LOGIN] ||= login
+              context.span[Ext::TAG_DD_SIGNUP_MODE] = Configuration.auto_user_instrumentation_mode
+              if id
+                context.span[Ext::TAG_DD_USR_ID] = id
+                id_tag = resource.active_for_authentication? ? Ext::TAG_USR_ID : Ext::TAG_SIGNUP_USR_ID
+                context.span[id_tag] ||= id
+              end
+              # NOTE: We don't have a way to make one-shot receivers for events,
+              #       and because of that we will trigger an additional event even
+              #       if it was already done via the SDK
+              AppSec::Instrumentation.gateway.push(
+                'identity.set_user', AppSec::Instrumentation::Gateway::User.new(id, login)
+              )
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/datadog/appsec/contrib/devise/{patcher/rememberable_patch.rb → patches/skip_signin_tracking_patch.rb} RENAMED Viewed

@@ -4,10 +4,10 @@ module Datadog
   module AppSec
     module Contrib
       module Devise
-        module Patcher
+        module Patches
           # To avoid tracking new sessions that are created by
           # Rememberable strategy as Login Success events.
-          module RememberablePatch
+          module SkipSigninTrackingPatch
             def validate(*args)
               @_datadog_appsec_skip_track_login_event = true

data/lib/datadog/appsec/contrib/devise/tracking_middleware.rb ADDED Viewed

@@ -0,0 +1,93 @@
+# frozen_string_literal: true
+require_relative 'ext'
+require_relative '../../anonymizer'
+module Datadog
+  module AppSec
+    module Contrib
+      module Devise
+        # A Rack middleware capable of tracking currently signed user
+        class TrackingMiddleware
+          WARDEN_KEY = 'warden'
+          def initialize(app)
+            @app = app
+            @devise_session_scope_keys = {}
+          end
+          def call(env)
+            return @app.call(env) unless AppSec.enabled?
+            return @app.call(env) unless Configuration.auto_user_instrumentation_enabled?
+            return @app.call(env) unless AppSec.active_context
+            unless env.key?(WARDEN_KEY)
+              Datadog.logger.debug { 'AppSec: unable to track requests, due to missing warden manager' }
+              return @app.call(env)
+            end
+            context = AppSec.active_context
+            if context.trace.nil? || context.span.nil?
+              Datadog.logger.debug { 'AppSec: unable to track requests, due to missing trace or span' }
+              return @app.call(env)
+            end
+            id = transform(extract_id(env[WARDEN_KEY]))
+            if id
+              unless context.span.has_tag?(Ext::TAG_USR_ID)
+                context.span[Ext::TAG_USR_ID] = id
+                AppSec::Instrumentation.gateway.push(
+                  'identity.set_user', AppSec::Instrumentation::Gateway::User.new(id, nil)
+                )
+              end
+              context.span[Ext::TAG_DD_USR_ID] = id.to_s
+              context.span[Ext::TAG_DD_COLLECTION_MODE] ||= Configuration.auto_user_instrumentation_mode
+            end
+            @app.call(env)
+          end
+          private
+          def extract_id(warden)
+            session_serializer = warden.session_serializer
+            key = session_key_for(session_serializer, ::Devise.default_scope)
+            id = session_serializer.session[key]&.dig(0, 0)
+            return id if ::Devise.mappings.size == 1
+            return "#{::Devise.default_scope}:#{id}" if id
+            ::Devise.mappings.each_key do |scope|
+              next if scope == ::Devise.default_scope
+              key = session_key_for(session_serializer, scope)
+              id = session_serializer.session[key]&.dig(0, 0)
+              return "#{scope}:#{id}" if id
+            end
+            nil
+          end
+          def session_key_for(session_serializer, scope)
+            @devise_session_scope_keys[scope] ||= session_serializer.key_for(scope)
+          end
+          def transform(value)
+            return if value.nil?
+            return value.to_s unless anonymize?
+            Anonymizer.anonimyze(value.to_s)
+          end
+          def anonymize?
+            Configuration.auto_user_instrumentation_mode ==
+              AppSec::Configuration::Settings::ANONYMIZATION_AUTO_USER_INSTRUMENTATION_MODE
+          end
+        end
+      end
+    end
+  end
+end

data/lib/datadog/appsec/contrib/rack/ext.rb CHANGED Viewed

@@ -6,6 +6,40 @@ module Datadog
       module Rack
         # Rack integration constants
         module Ext
+          COLLECTABLE_REQUEST_HEADERS = [
+            'accept',
+            'akamai-user-risk',
+            'cf-ray',
+            'cloudfront-viewer-ja3-fingerprint',
+            'content-type',
+            'user-agent',
+            'x-amzn-trace-Id',
+            'x-appgw-trace-id',
+            'x-cloud-trace-context',
+            'x-sigsci-requestid',
+            'x-sigsci-tags'
+          ].freeze
+          IDENTITY_COLLECTABLE_REQUEST_HEADERS = [
+            'accept-encoding',
+            'accept-language',
+            'cf-connecting-ip',
+            'cf-connecting-ipv6',
+            'content-encoding',
+            'content-language',
+            'content-length',
+            'fastly-client-ip',
+            'forwarded',
+            'forwarded-for',
+            'host',
+            'true-client-ip',
+            'via',
+            'x-client-ip',
+            'x-cluster-client-ip',
+            'x-forwarded',
+            'x-forwarded-for',
+            'x-real-ip'
+          ].freeze
         end
       end
     end

data/lib/datadog/appsec/contrib/rack/gateway/watcher.rb CHANGED Viewed

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
+require_relative '../ext'
 require_relative '../../../instrumentation/gateway'
 require_relative '../../../event'
@@ -17,6 +18,7 @@ module Datadog
                 watch_request(gateway)
                 watch_response(gateway)
                 watch_request_body(gateway)
+                watch_request_finish(gateway)
               end
               def watch_request(gateway = Instrumentation.gateway)
@@ -110,6 +112,31 @@ module Datadog
                   stack.call(gateway_request.request)
                 end
               end
+              # NOTE: In the current state we unable to substibe twice to the same
+              #       event within the same group. Ideally this code should live
+              #       somewhere closer to identity related monitor.
+              # WARNING: The Gateway is a subject of refactoring
+              def watch_request_finish(gateway = Instrumentation.gateway)
+                gateway.watch('rack.request.finish', :appsec) do |stack, gateway_request|
+                  context = gateway_request.env[AppSec::Ext::CONTEXT_KEY]
+                  if context.span.nil? || !gateway.pushed?('appsec.events.user_lifecycle')
+                    next stack.call(gateway_request.request)
+                  end
+                  gateway_request.headers.each do |name, value|
+                    if !Ext::COLLECTABLE_REQUEST_HEADERS.include?(name) &&
+                        !Ext::IDENTITY_COLLECTABLE_REQUEST_HEADERS.include?(name)
+                      next
+                    end
+                    context.span["http.request.headers.#{name}"] ||= value
+                  end
+                  stack.call(gateway_request.request)
+                end
+              end
             end
           end
         end

data/lib/datadog/appsec/contrib/rack/request_middleware.rb CHANGED Viewed

@@ -77,6 +77,8 @@ module Datadog
             gateway_response = nil
             interrupt_params = catch(::Datadog::AppSec::Ext::INTERRUPT) do
+              # TODO: This event should be renamed into `rack.request.start` to
+              #       reflect that it's the beginning of the request-cycle
               http_response, _gateway_request = Instrumentation.gateway.push('rack.request', gateway_request) do
                 @app.call(env)
               end
@@ -85,6 +87,7 @@ module Datadog
                 http_response[2], http_response[0], http_response[1], context: ctx
               )
+              Instrumentation.gateway.push('rack.request.finish', gateway_request)
               Instrumentation.gateway.push('rack.response', gateway_response)
               nil
@@ -147,8 +150,6 @@ module Datadog
             return unless trace && span
             span.set_metric(Datadog::AppSec::Ext::TAG_APPSEC_ENABLED, 1)
-            # We add this tag when ASM standalone is enabled to make sure we don't bill APM
-            span.set_metric(Datadog::AppSec::Ext::TAG_APM_ENABLED, 0) if Datadog.configuration.appsec.standalone.enabled
             span.set_tag('_dd.runtime_family', 'ruby')
             span.set_tag('_dd.appsec.waf.version', Datadog::AppSec::WAF::VERSION::BASE_STRING)

data/lib/datadog/appsec/event.rb CHANGED Viewed

@@ -187,7 +187,7 @@ module Datadog
             Datadog::Tracing::Metadata::Ext::Distributed::TAG_DECISION_MAKER,
             Datadog::Tracing::Sampling::Ext::Decision::ASM
           )
-          trace.set_tag(Datadog::AppSec::Ext::TAG_DISTRIBUTED_APPSEC_EVENT, '1')
+          trace.set_distributed_source(Datadog::AppSec::Ext::PRODUCT_BIT)
         end
       end
     end

data/lib/datadog/appsec/ext.rb CHANGED Viewed

@@ -7,13 +7,15 @@ module Datadog
       RASP_LFI = 'lfi'
       RASP_SSRF = 'ssrf'
+      PRODUCT_BIT = 0b00000010
       INTERRUPT = :datadog_appsec_interrupt
       CONTEXT_KEY = 'datadog.appsec.context'
       ACTIVE_CONTEXT_KEY = :datadog_appsec_active_context
+      EXPLOIT_PREVENTION_EVENT_CATEGORY = 'exploit'
       TAG_APPSEC_ENABLED = '_dd.appsec.enabled'
-      TAG_APM_ENABLED = '_dd.apm.enabled'
-      TAG_DISTRIBUTED_APPSEC_EVENT = '_dd.p.appsec'
+      TAG_METASTRUCT_STACK_TRACE = '_dd.stack'
       TELEMETRY_METRICS_NAMESPACE = 'appsec'
     end

data/lib/datadog/appsec/instrumentation/gateway/argument.rb CHANGED Viewed

@@ -9,11 +9,13 @@ module Datadog
         # Gateway User argument
         class User < Argument
-          attr_reader :id
+          attr_reader :id, :login
-          def initialize(id)
+          def initialize(id, login)
             super()
             @id = id
+            @login = login
           end
         end
       end

data/lib/datadog/appsec/instrumentation/gateway/middleware.rb ADDED Viewed

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+module Datadog
+  module AppSec
+    module Instrumentation
+      class Gateway
+        # NOTE: This class extracted as-is and will be deprecated
+        # Instrumentation gateway middleware
+        class Middleware
+          attr_reader :key, :block
+          def initialize(key, &block)
+            @key = key
+            @block = block
+          end
+          def call(stack, env)
+            @block.call(stack, env)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/datadog/appsec/instrumentation/gateway.rb CHANGED Viewed

@@ -1,35 +1,29 @@
 # frozen_string_literal: true
+require_relative 'gateway/middleware'
 module Datadog
   module AppSec
     # Instrumentation for AppSec
     module Instrumentation
       # Instrumentation gateway implementation
       class Gateway
-        # Instrumentation gateway middleware
-        class Middleware
-          attr_reader :key, :block
-          def initialize(key, &block)
-            @key = key
-            @block = block
-          end
-          def call(stack, env)
-            @block.call(stack, env)
-          end
-        end
-        private_constant :Middleware
         def initialize
           @middlewares = Hash.new { |h, k| h[k] = [] }
+          @pushed_events = {}
         end
+        # NOTE: Be careful with pushed names because every pushed event name
+        #       is recorded in order to provide an ability to any subscriber
+        #       to check wether an arbitrary event had happened.
+        #
+        # WARNING: If we start pushing generated names we should consider
+        #          limiting the storage of pushed names.
         def push(name, env, &block)
-          block ||= -> {}
+          @pushed_events[name] = true
-          middlewares_for_name = middlewares[name]
+          block ||= -> {}
+          middlewares_for_name = @middlewares[name]
           return [block.call, nil] if middlewares_for_name.empty?
@@ -48,14 +42,15 @@ module Datadog
         end
         def watch(name, key, &block)
-          @middlewares[name] << Middleware.new(key, &block) unless middlewares[name].any? { |m| m.key == key }
+          @middlewares[name] << Middleware.new(key, &block) unless @middlewares[name].any? { |m| m.key == key }
         end
-        private
-        attr_reader :middlewares
+        def pushed?(name)
+          @pushed_events.key?(name)
+        end
       end
+      # NOTE: This left as-is and will be depricated soon.
       def self.gateway
         @gateway ||= Gateway.new # TODO: not thread safe
       end

data/lib/datadog/appsec/monitor/gateway/watcher.rb CHANGED Viewed

@@ -19,9 +19,14 @@ module Datadog
               gateway.watch('identity.set_user', :appsec) do |stack, user|
                 context = Datadog::AppSec.active_context
-                persistent_data = {
-                  'usr.id' => user.id
-                }
+                if user.id.nil? && user.login.nil?
+                  Datadog.logger.debug { 'AppSec: skipping WAF check because no user information was provided' }
+                  next stack.call(user)
+                end
+                persistent_data = {}
+                persistent_data['usr.id'] = user.id if user.id
+                persistent_data['usr.login'] = user.login if user.login
                 result = context.run_waf(persistent_data, {}, Datadog.configuration.appsec.waf_timeout)

data/lib/datadog/appsec/processor/rule_merger.rb CHANGED Viewed

@@ -22,7 +22,7 @@ module Datadog
           # TODO: `processors` and `scanners` are not provided by the caller, consider removing them
           def merge(
             telemetry:,
-            rules:, data: [], overrides: [], exclusions: [], custom_rules: [],
+            rules:, actions: [], data: [], overrides: [], exclusions: [], custom_rules: [],
             processors: nil, scanners: nil
           )
             processors ||= begin
@@ -54,6 +54,7 @@ module Datadog
             combined_exclusions = combine_exclusions(exclusions) if exclusions.any?
             combined_custom_rules = combine_custom_rules(custom_rules) if custom_rules.any?
+            combined_rules['actions'] = actions if actions.any?
             combined_rules['rules_data'] = combined_data if combined_data
             combined_rules['rules_override'] = combined_overrides if combined_overrides
             combined_rules['exclusions'] = combined_exclusions if combined_exclusions