datadog 2.17.0 → 2.19.0

data/ext/libdatadog_api/library_config.c

@@ -7,6 +7,10 @@
 static VALUE _native_configurator_new(VALUE klass);
 static VALUE _native_configurator_get(VALUE self);
 
+// Used for testing in RSpec
+static VALUE _native_configurator_with_local_path(DDTRACE_UNUSED VALUE _self, VALUE rb_configurator, VALUE path);
+static VALUE _native_configurator_with_fleet_path(DDTRACE_UNUSED VALUE _self, VALUE rb_configurator, VALUE path);
+
 static VALUE config_vec_class = Qnil;
 
 // ddog_Configurator memory management
@@ -52,20 +56,42 @@ void library_config_init(VALUE core_module) {
   rb_define_alloc_func(configurator_class, _native_configurator_new);
   rb_define_method(configurator_class, "get", _native_configurator_get, 0);
 
+  // Used for testing in RSpec
+  VALUE testing_module = rb_define_module_under(stable_config_module, "Testing");
+  rb_define_singleton_method(testing_module, "with_local_path", _native_configurator_with_local_path, 2);
+  rb_define_singleton_method(testing_module, "with_fleet_path", _native_configurator_with_fleet_path, 2);
+
   rb_undef_alloc_func(config_vec_class); // It cannot be created from Ruby code and only serves as an intermediate object for the Ruby GC
 }
 
-// TODO: After libdatadog 17.1 release, delete rb_raise, uncomment code and change `DDTRACE_UNUSED VALUE _klass` by `VALUE klass`
-static VALUE _native_configurator_new(DDTRACE_UNUSED VALUE _klass) {
-  /*
+static VALUE _native_configurator_new(VALUE klass) {
   ddog_Configurator *configurator = ddog_library_configurator_new(false, DDOG_CHARSLICE_C("ruby"));
 
   ddog_library_configurator_with_detect_process_info(configurator);
 
   return TypedData_Wrap_Struct(klass, &configurator_typed_data, configurator);
-  */
+}
+
+static VALUE _native_configurator_with_local_path(DDTRACE_UNUSED VALUE _self, VALUE rb_configurator, VALUE path) {
+  ddog_Configurator *configurator;
+  TypedData_Get_Struct(rb_configurator, ddog_Configurator, &configurator_typed_data, configurator);
+
+  ENFORCE_TYPE(path, T_STRING);
 
-  rb_raise(rb_eNotImpError, "TODO: Not in use yet, waiting for libdatadog 17.1");
+  ddog_library_configurator_with_local_path(configurator, cstr_from_ruby_string(path));
+
+  return Qnil;
+}
+
+static VALUE _native_configurator_with_fleet_path(DDTRACE_UNUSED VALUE _self, VALUE rb_configurator, VALUE path) {
+  ddog_Configurator *configurator;
+  TypedData_Get_Struct(rb_configurator, ddog_Configurator, &configurator_typed_data, configurator);
+
+  ENFORCE_TYPE(path, T_STRING);
+
+  ddog_library_configurator_with_fleet_path(configurator, cstr_from_ruby_string(path));
+
+  return Qnil;
 }
 
 static VALUE _native_configurator_get(VALUE self) {
@@ -96,26 +122,42 @@ static VALUE _native_configurator_get(VALUE self) {
 
   VALUE local_config_hash = rb_hash_new();
   VALUE fleet_config_hash = rb_hash_new();
-  // TODO: Uncomment next block after libdatadog 17.1 release
-  /*
+
+  bool local_config_id_set = false;
+  bool fleet_config_id_set = false;
+  VALUE local_hash = rb_hash_new();
+  VALUE fleet_hash = rb_hash_new();
   for (uintptr_t i = 0; i < config_vec->len; i++) {
     ddog_LibraryConfig config = config_vec->ptr[i];
     VALUE selected_hash;
     if (config.source == DDOG_LIBRARY_CONFIG_SOURCE_LOCAL_STABLE_CONFIG) {
       selected_hash = local_config_hash;
+      if (!local_config_id_set) {
+        local_config_id_set = true;
+        if (config.config_id.length > 0) {
+          rb_hash_aset(local_hash, ID2SYM(rb_intern("id")), rb_utf8_str_new_cstr(config.config_id.ptr));
+        }
+      }
     }
     else {
       selected_hash = fleet_config_hash;
+      if (!fleet_config_id_set) {
+        fleet_config_id_set = true;
+        if (config.config_id.length > 0) {
+          rb_hash_aset(fleet_hash, ID2SYM(rb_intern("id")), rb_utf8_str_new_cstr(config.config_id.ptr));
+        }
+      }
     }
 
-    ddog_CStr name = ddog_library_config_name_to_env(config.name);
-    rb_hash_aset(selected_hash, rb_str_new(name.ptr, name.length), rb_str_new(config.value.ptr, config.value.length));
+    rb_hash_aset(selected_hash, rb_utf8_str_new_cstr(config.name.ptr), rb_utf8_str_new_cstr(config.value.ptr));
   }
-  */
+
+  rb_hash_aset(local_hash, ID2SYM(rb_intern("config")), local_config_hash);
+  rb_hash_aset(fleet_hash, ID2SYM(rb_intern("config")), fleet_config_hash);
 
   VALUE result = rb_hash_new();
-  rb_hash_aset(result, ID2SYM(rb_intern("local")), local_config_hash);
-  rb_hash_aset(result, ID2SYM(rb_intern("fleet")), fleet_config_hash);
+  rb_hash_aset(result, ID2SYM(rb_intern("local")), local_hash);
+  rb_hash_aset(result, ID2SYM(rb_intern("fleet")), fleet_hash);
 
   RB_GC_GUARD(config_vec_rb);
   return result;

data/ext/libdatadog_api/library_config.h

@@ -17,3 +17,9 @@ static inline VALUE log_warning_without_config(VALUE warning) {
 
   return rb_funcall(logger, rb_intern("warn"), 1, warning);
 }
+
+static inline ddog_CStr cstr_from_ruby_string(VALUE string) {
+  ENFORCE_TYPE(string, T_STRING);
+  ddog_CStr cstr = {.ptr = RSTRING_PTR(string), .length = RSTRING_LEN(string)};
+  return cstr;
+}

data/ext/libdatadog_api/process_discovery.c

@@ -1,7 +1,7 @@
 #include <errno.h>
 #include <stdlib.h>
 #include <ruby.h>
-#include <datadog/common.h>
+#include <datadog/library-config.h>
 
 #include "datadog_ruby_common.h"
 
@@ -36,8 +36,7 @@ void process_discovery_init(VALUE core_module) {
   rb_define_singleton_method(process_discovery_class, "_native_close_tracer_memfd", _native_close_tracer_memfd, 2);
 }
 
-// TODO: Remove DDTRACE_UNUSED and rename _self to self once we have updated libdatadog to 17.1
-static VALUE _native_store_tracer_metadata(int argc, VALUE *argv, DDTRACE_UNUSED VALUE _self) {
+static VALUE _native_store_tracer_metadata(int argc, VALUE *argv, VALUE self) {
   VALUE logger;
   VALUE options;
   rb_scan_args(argc, argv, "1:", &logger, &options);
@@ -61,7 +60,6 @@ static VALUE _native_store_tracer_metadata(int argc, VALUE *argv, DDTRACE_UNUSED
   ENFORCE_TYPE(service_env, T_STRING);
   ENFORCE_TYPE(service_version, T_STRING);
 
-  /*
   ddog_Result_TracerMemfdHandle result = ddog_store_tracer_metadata(
     (uint8_t) NUM2UINT(schema_version),
     char_slice_from_ruby_string(runtime_id),
@@ -86,9 +84,6 @@ static VALUE _native_store_tracer_metadata(int argc, VALUE *argv, DDTRACE_UNUSED
   VALUE tracer_memfd_class = rb_const_get(self, rb_intern("TracerMemfd"));
   VALUE tracer_memfd = TypedData_Wrap_Struct(tracer_memfd_class, &tracer_memfd_type, fd);
   return tracer_memfd;
-  */
-
-  rb_raise(rb_eNotImpError, "TODO: Not in use yet, waiting for libdatadog 17.1");
 }
 
 static VALUE _native_to_rb_int(DDTRACE_UNUSED VALUE _self, VALUE tracer_memfd) {

data/ext/libdatadog_extconf_helpers.rb

@@ -104,7 +104,7 @@ module Datadog
 
     # mkmf sets $PKGCONFIG after the `pkg_config` gets used in extconf.rb. When `pkg_config` is unsuccessful, we use
     # this helper to decide if we can show more specific error message vs a generic "something went wrong".
-    def self.pkg_config_missing?(command: $PKGCONFIG) # rubocop:disable Style/GlobalVars
+    def self.pkg_config_missing?(command: $PKGCONFIG) # standard:disable Style/GlobalVars
       pkg_config_available = command && xsystem("#{command} --version")
 
       pkg_config_available != true

data/lib/datadog/appsec/api_security/lru_cache.rb

@@ -30,6 +30,14 @@ module Datadog
           end
         end
 
+        def store(key, value)
+          return @store[key] = value if @store.delete(key)
+
+          # NOTE: evict the oldest entry if store reached the maximum allowed size
+          @store.shift if @store.size >= @max_size
+          @store[key] = value
+        end
+
         # NOTE: If the key exists, it's moved to the end of the list and
         #       if does not, the given block will be executed and the result
         #       will be stored (which will add it to the end of the list).
@@ -40,8 +48,7 @@ module Datadog
 
           # NOTE: evict the oldest entry if store reached the maximum allowed size
           @store.shift if @store.size >= @max_size
-
-          @store[key] ||= yield
+          @store[key] = yield
         end
       end
     end

data/lib/datadog/appsec/api_security/route_extractor.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+module Datadog
+  module AppSec
+    module APISecurity
+      # This is a helper module to extract the route pattern from the Rack::Request.
+      module RouteExtractor
+        SINATRA_ROUTE_KEY = 'sinatra.route'
+        SINATRA_ROUTE_SEPARATOR = ' '
+        GRAPE_ROUTE_KEY = 'grape.routing_args'
+        RAILS_ROUTE_KEY = 'action_dispatch.route_uri_pattern'
+        RAILS_ROUTES_KEY = 'action_dispatch.routes'
+        RAILS_PATH_PARAMS_KEY = 'action_dispatch.request.path_parameters'
+        RAILS_FORMAT_SUFFIX = '(.:format)'
+
+        # HACK: We rely on the fact that each contrib will modify `request.env`
+        #       and store information sufficient to compute the canonical
+        #       route (ex: `/users/:id`).
+        #
+        #       When contribs like Sinatra or Grape are used, they could be mounted
+        #       into the Rails app, hence you can see the use of the `script_name`
+        #       that will contain the path prefix of the mounted app.
+        #
+        #       Rack
+        #         does not support named arguments, so we have to use `path`
+        #       Sinatra
+        #         uses `sinatra.route` with a string like "GET /users/:id"
+        #       Grape
+        #         uses `grape.routing_args` with a hash with a `:route_info` key
+        #         that contains a `Grape::Router::Route` object that contains
+        #         `Grape::Router::Pattern` object with an `origin` method
+        #       Rails < 7.1 (slow path)
+        #         uses `action_dispatch.routes` to store `ActionDispatch::Routing::RouteSet`
+        #         which can recognize requests
+        #       Rails > 7.1 (fast path)
+        #         uses `action_dispatch.route_uri_pattern` with a string like
+        #         "/users/:id(.:format)"
+        #
+        # WARNING: This method works only *after* the request has been routed.
+        #
+        # WARNING: In Rails > 7.1 when a route was not found,
+        #          action_dispatch.route_uri_pattern will not be set.
+        #          In Rails < 7.1 it also will not be set even if a route was found,
+        #          but in this case  action_dispatch.request.path_parameters won't be empty.
+        def self.route_pattern(request)
+          if request.env.key?(GRAPE_ROUTE_KEY)
+            pattern = request.env[GRAPE_ROUTE_KEY][:route_info]&.pattern&.origin
+            "#{request.script_name}#{pattern}"
+          elsif request.env.key?(SINATRA_ROUTE_KEY)
+            pattern = request.env[SINATRA_ROUTE_KEY].split(SINATRA_ROUTE_SEPARATOR, 2)[1]
+            "#{request.script_name}#{pattern}"
+          elsif request.env.key?(RAILS_ROUTE_KEY)
+            request.env[RAILS_ROUTE_KEY].delete_suffix(RAILS_FORMAT_SUFFIX)
+          elsif request.env.key?(RAILS_ROUTES_KEY) && !request.env.fetch(RAILS_PATH_PARAMS_KEY, {}).empty?
+            pattern = request.env[RAILS_ROUTES_KEY].router
+              .recognize(request) { |route, _| break route.path.spec.to_s }
+
+            # NOTE: If rails is unable to recognize request it returns empty Array
+            pattern = nil if pattern&.empty?
+
+            # NOTE: If rails can't recognize the request, we are going to fallback
+            #       to generic request path
+            (pattern || request.path).delete_suffix(RAILS_FORMAT_SUFFIX)
+          else
+            request.path
+          end
+        end
+      end
+    end
+  end
+end

data/lib/datadog/appsec/api_security/sampler.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+require 'zlib'
+require_relative 'lru_cache'
+require_relative 'route_extractor'
+require_relative '../../core/utils/time'
+
+module Datadog
+  module AppSec
+    module APISecurity
+      # A thread-local sampler for API security based on defined delay between
+      # samples with caching capability.
+      class Sampler
+        THREAD_KEY = :datadog_appsec_api_security_sampler
+        MAX_CACHE_SIZE = 4096
+
+        class << self
+          def thread_local
+            sampler = Thread.current.thread_variable_get(THREAD_KEY)
+            return sampler unless sampler.nil?
+
+            Thread.current.thread_variable_set(THREAD_KEY, new(sample_delay))
+          end
+
+          # @api private
+          def reset!
+            Thread.current.thread_variable_set(THREAD_KEY, nil)
+          end
+
+          private
+
+          def sample_delay
+            Datadog.configuration.appsec.api_security.sample_delay
+          end
+        end
+
+        def initialize(sample_delay)
+          raise ArgumentError, 'sample_delay must be an Integer' unless sample_delay.is_a?(Integer)
+
+          @cache = LRUCache.new(MAX_CACHE_SIZE)
+          @sample_delay_seconds = sample_delay
+        end
+
+        def sample?(request, response)
+          return true if @sample_delay_seconds.zero?
+
+          key = Zlib.crc32("#{request.request_method}#{RouteExtractor.route_pattern(request)}#{response.status}")
+          current_timestamp = Core::Utils::Time.now.to_i
+          cached_timestamp = @cache[key] || 0
+
+          return false if current_timestamp - cached_timestamp <= @sample_delay_seconds
+
+          @cache.store(key, current_timestamp)
+          true
+        end
+      end
+    end
+  end
+end

data/lib/datadog/appsec/api_security.rb

@@ -1,9 +1,23 @@
 # frozen_string_literal: true
 
+require_relative 'api_security/sampler'
+
 module Datadog
   module AppSec
     # A namespace for API Security features.
     module APISecurity
+      def self.enabled?
+        Datadog.configuration.appsec.api_security.enabled?
+      end
+
+      def self.sample?(request, response)
+        Sampler.thread_local.sample?(request, response)
+      end
+
+      def self.sample_trace?(trace)
+        # NOTE: Reads as "if trace is priority sampled or if in standalone mode"
+        trace&.priority_sampled? || !Datadog.configuration.apm.tracing.enabled
+      end
     end
   end
 end