datadog 2.9.0 → 2.11.0

data/ext/datadog_profiling_native_extension/private_vm_api_access.c

@@ -40,6 +40,13 @@
   #endif
 #endif
 
+// This file can't include datadog_ruby_common.h so we replicate this here
+#ifdef __GNUC__
+  #define DDTRACE_UNUSED  __attribute__((unused))
+#else
+  #define DDTRACE_UNUSED
+#endif
+
 #define PRIVATE_VM_API_ACCESS_SKIP_RUBY_INCLUDES
 #include "private_vm_api_access.h"
 
@@ -803,3 +810,52 @@ static inline int ddtrace_imemo_type(VALUE imemo) {
 
 // Is the VM smack in the middle of raising an exception?
 bool is_raised_flag_set(VALUE thread) { return thread_struct_from_object(thread)->ec->raised_flag > 0; }
+
+#ifndef NO_CURRENT_FIBER_FOR
+  // The following three declarations are all
+  // taken from upstream cont.c at commit d97884a58be32e829fd03a80cd521f4733d65c79 (February 2025, master branch)
+  // (See the Ruby project copyright and license above)
+  // to enable building `current_fiber_for`.
+  //
+  // We needed to copy them because they aren't otherwise exposed in any VM APIs or headers.
+  // @ivoanjo: I manually checked the Ruby 3.1, 3.2, 3.3 and 3.4 branches + master, and the parts we care about in these
+  // structures have not changed in many years (in fact, last change I spotted was for 2.7).
+  enum context_type {
+      CONTINUATION_CONTEXT = 0,
+      FIBER_CONTEXT = 1
+  };
+
+  typedef struct rb_context_struct { // This declaration is incomplete -- only contains up to `self` which is the part we care about
+      enum context_type type;
+      int argc;
+      int kw_splat;
+      VALUE self;
+  } rb_context_t;
+
+  struct rb_fiber_struct { // This declaration is incomplete -- only contains the first entry which is the part we care about
+    rb_context_t cont;
+  };
+
+  VALUE current_fiber_for(VALUE thread) {
+    VALUE self = thread_struct_from_object(thread)->ec->fiber_ptr->cont.self;
+    return self == 0 ? Qnil : self;
+  }
+
+  void self_test_current_fiber_for(void) {
+    VALUE expected_current_fiber = current_fiber_for(rb_thread_current());
+    VALUE actual_current_fiber = rb_fiber_current();
+
+    if (expected_current_fiber == Qnil) {
+      // On purpose above we tried reading before calling `rb_fiber_current()` so the fiber may have not existed yet.
+      // But now it should be there.
+      expected_current_fiber = current_fiber_for(rb_thread_current());
+    }
+
+    if (expected_current_fiber != actual_current_fiber) rb_raise(rb_eRuntimeError, "current_fiber_for() self-test failed");
+  }
+#else
+  NORETURN(VALUE current_fiber_for(DDTRACE_UNUSED VALUE thread));
+
+  VALUE current_fiber_for(DDTRACE_UNUSED VALUE thread) { rb_raise(rb_eRuntimeError, "Not implemented for Ruby < 3.1"); }
+  void self_test_current_fiber_for(void) { } // Nothing to do
+#endif

data/ext/datadog_profiling_native_extension/private_vm_api_access.h

@@ -44,6 +44,7 @@ bool is_thread_alive(VALUE thread);
 VALUE thread_name_for(VALUE thread);
 
 int ddtrace_rb_profile_frames(VALUE thread, int start, int limit, frame_info *stack_buffer);
+
 // Returns true if the current thread belongs to the main Ractor or if Ruby has no Ractor support
 bool ddtrace_rb_ractor_main_p(void);
 
@@ -70,3 +71,9 @@ const char *imemo_kind(VALUE imemo);
   { if (RB_UNLIKELY(!rb_typeddata_is_kind_of(value, RTYPEDDATA_TYPE(rb_thread_current())))) raise_unexpected_type(value, ADD_QUOTES(value), "Thread", __FILE__, __LINE__, __func__); }
 
 bool is_raised_flag_set(VALUE thread);
+
+// Can be nil if `rb_fiber_current()` or similar has not been called (gets allocated lazily)
+// Only implemented for Ruby 3.1+
+VALUE current_fiber_for(VALUE thread);
+
+void self_test_current_fiber_for(void);

data/ext/datadog_profiling_native_extension/profiling.c

@@ -41,6 +41,12 @@ static VALUE _native_malloc_stats(DDTRACE_UNUSED VALUE _self);
 static VALUE _native_safe_object_info(DDTRACE_UNUSED VALUE _self, VALUE obj);
 
 void DDTRACE_EXPORT Init_datadog_profiling_native_extension(void) {
+  // The profiler still has a lot of limitations around being used in Ractors BUT for now we're choosing to take care of those
+  // on our side, rather than asking Ruby to block calling our APIs from Ractors.
+  #ifdef HAVE_RB_EXT_RACTOR_SAFE
+    rb_ext_ractor_safe(true);
+  #endif
+
   VALUE datadog_module = rb_define_module("Datadog");
   VALUE profiling_module = rb_define_module_under(datadog_module, "Profiling");
   VALUE native_extension_module = rb_define_module_under(profiling_module, "NativeExtension");
@@ -80,6 +86,7 @@ void DDTRACE_EXPORT Init_datadog_profiling_native_extension(void) {
 
 static VALUE native_working_p(DDTRACE_UNUSED VALUE _self) {
   self_test_clock_id();
+  self_test_current_fiber_for();
   self_test_mn_enabled();
 
   return Qtrue;

data/ext/datadog_profiling_native_extension/stack_recorder.c

@@ -332,23 +332,16 @@ static VALUE _native_new(VALUE klass) {
     .serialization_time_ns_min = INT64_MAX,
   };
 
-  // Note: At this point, slot_one_profile and slot_two_profile contain null pointers. Libdatadog validates pointers
+  // Note: At this point, slot_one_profile/slot_two_profile contain null pointers. Libdatadog validates pointers
   // before using them so it's ok for us to go ahead and create the StackRecorder object.
 
-  // Note: As of this writing, no new Ruby objects get created and stored in the state. If that ever changes, remember
-  // to keep them on the stack and mark them with RB_GC_GUARD -- otherwise it's possible for a GC to run and
-  // since the instance representing the state does not yet exist, such objects will not get marked.
-
   VALUE stack_recorder = TypedData_Wrap_Struct(klass, &stack_recorder_typed_data, state);
 
-  // NOTE: We initialize this because we want a new recorder to be operational even without initialization and our
+  // NOTE: We initialize this because we want a new recorder to be operational even before #initialize runs and our
   //       default is everything enabled. However, if during recording initialization it turns out we don't want
-  //       heap samples, we will free and reset heap_recorder to NULL, effectively disabling all behaviour specific
-  //       to heap profiling (all calls to heap_recorder_* with a NULL heap recorder are noops).
+  //       heap samples, we will free and reset heap_recorder back to NULL.
   state->heap_recorder = heap_recorder_new();
 
-  // Note: Don't raise exceptions after this point, since it'll lead to libdatadog memory leaking!
-
   initialize_profiles(state, sample_types);
 
   return stack_recorder;
@@ -372,22 +365,17 @@ static void initialize_profiles(stack_recorder_state *state, ddog_prof_Slice_Val
     rb_raise(rb_eRuntimeError, "Failed to initialize slot one profile: %"PRIsVALUE, get_error_details_and_drop(&slot_one_profile_result.err));
   }
 
+  state->profile_slot_one = (profile_slot) { .profile = slot_one_profile_result.ok };
+
   ddog_prof_Profile_NewResult slot_two_profile_result =
     ddog_prof_Profile_new(sample_types, NULL /* period is optional */, NULL /* start_time is optional */);
 
   if (slot_two_profile_result.tag == DDOG_PROF_PROFILE_NEW_RESULT_ERR) {
-    // Uff! Though spot. We need to make sure to properly clean up the other profile as well first
-    ddog_prof_Profile_drop(&slot_one_profile_result.ok);
-    // And now we can raise...
+    // Note: No need to take any special care of slot one, it'll get cleaned up by stack_recorder_typed_data_free
     rb_raise(rb_eRuntimeError, "Failed to initialize slot two profile: %"PRIsVALUE, get_error_details_and_drop(&slot_two_profile_result.err));
   }
 
-  state->profile_slot_one = (profile_slot) {
-    .profile = slot_one_profile_result.ok,
-  };
-  state->profile_slot_two = (profile_slot) {
-    .profile = slot_two_profile_result.ok,
-  };
+  state->profile_slot_two = (profile_slot) { .profile = slot_two_profile_result.ok };
 }
 
 static void stack_recorder_typed_data_free(void *state_ptr) {
@@ -651,7 +639,7 @@ void record_sample(VALUE recorder_instance, ddog_prof_Slice_Location locations,
   }
 }
 
-void track_object(VALUE recorder_instance, VALUE new_object, unsigned int sample_weight, ddog_CharSlice *alloc_class) {
+void track_object(VALUE recorder_instance, VALUE new_object, unsigned int sample_weight, ddog_CharSlice alloc_class) {
   stack_recorder_state *state;
   TypedData_Get_Struct(recorder_instance, stack_recorder_state, &stack_recorder_typed_data, state);
   // FIXME: Heap sampling currently has to be done in 2 parts because the construction of locations is happening
@@ -926,8 +914,7 @@ static VALUE _native_record_endpoint(DDTRACE_UNUSED VALUE _self, VALUE recorder_
 
 static VALUE _native_track_object(DDTRACE_UNUSED VALUE _self, VALUE recorder_instance, VALUE new_obj, VALUE weight, VALUE alloc_class) {
   ENFORCE_TYPE(weight, T_FIXNUM);
-  ddog_CharSlice alloc_class_slice = char_slice_from_ruby_string(alloc_class);
-  track_object(recorder_instance, new_obj, NUM2UINT(weight), &alloc_class_slice);
+  track_object(recorder_instance, new_obj, NUM2UINT(weight), char_slice_from_ruby_string(alloc_class));
   return Qtrue;
 }
 

data/ext/datadog_profiling_native_extension/stack_recorder.h

@@ -26,6 +26,6 @@ typedef struct {
 
 void record_sample(VALUE recorder_instance, ddog_prof_Slice_Location locations, sample_values values, sample_labels labels);
 void record_endpoint(VALUE recorder_instance, uint64_t local_root_span_id, ddog_CharSlice endpoint);
-void track_object(VALUE recorder_instance, VALUE new_object, unsigned int sample_weight, ddog_CharSlice *alloc_class);
+void track_object(VALUE recorder_instance, VALUE new_object, unsigned int sample_weight, ddog_CharSlice alloc_class);
 void recorder_after_gc_step(VALUE recorder_instance);
 VALUE enforce_recorder_instance(VALUE object);

data/ext/libdatadog_api/crashtracker.c

@@ -98,7 +98,7 @@ static VALUE _native_start_or_update_on_fork(int argc, VALUE *argv, DDTRACE_UNUS
     .optional_stdout_filename = {},
   };
 
-  ddog_crasht_Result result =
+  ddog_VoidResult result =
     action == start_action ?
       ddog_crasht_init(config, receiver_config, metadata) :
       ddog_crasht_update_on_fork(config, receiver_config, metadata);
@@ -108,7 +108,7 @@ static VALUE _native_start_or_update_on_fork(int argc, VALUE *argv, DDTRACE_UNUS
   ddog_endpoint_drop(endpoint);
   // }} End of exception-free zone to prevent leaks
 
-  if (result.tag == DDOG_CRASHT_RESULT_ERR) {
+  if (result.tag == DDOG_VOID_RESULT_ERR) {
     rb_raise(rb_eRuntimeError, "Failed to start/update the crash tracker: %"PRIsVALUE, get_error_details_and_drop(&result.err));
   }
 
@@ -116,9 +116,9 @@ static VALUE _native_start_or_update_on_fork(int argc, VALUE *argv, DDTRACE_UNUS
 }
 
 static VALUE _native_stop(DDTRACE_UNUSED VALUE _self) {
-  ddog_crasht_Result result = ddog_crasht_shutdown();
+  ddog_VoidResult result = ddog_crasht_shutdown();
 
-  if (result.tag == DDOG_CRASHT_RESULT_ERR) {
+  if (result.tag == DDOG_VOID_RESULT_ERR) {
     rb_raise(rb_eRuntimeError, "Failed to stop the crash tracker: %"PRIsVALUE, get_error_details_and_drop(&result.err));
   }
 

data/ext/libdatadog_extconf_helpers.rb

@@ -8,7 +8,7 @@ module Datadog
   module LibdatadogExtconfHelpers
     # Used to make sure the correct gem version gets loaded, as extconf.rb does not get run with "bundle exec" and thus
     # may see multiple libdatadog versions. See https://github.com/DataDog/dd-trace-rb/pull/2531 for the horror story.
-    LIBDATADOG_VERSION = '~> 14.3.1.1.0'
+    LIBDATADOG_VERSION = '~> 16.0.1.1.0'
 
     # Used as an workaround for a limitation with how dynamic linking works in environments where the datadog gem and
     # libdatadog are moved after the extension gets compiled.

data/lib/datadog/appsec/actions_handler.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module Datadog
+  module AppSec
+    # this module encapsulates functions for handling actions that libddawf returns
+    module ActionsHandler
+      module_function
+
+      def handle(actions_hash)
+        # handle actions according their precedence
+        # stack and schema generation should be done before we throw an interrupt signal
+        generate_stack(actions_hash['generate_stack']) if actions_hash.key?('generate_stack')
+        generate_schema(actions_hash['generate_schema']) if actions_hash.key?('generate_schema')
+        interrupt_execution(actions_hash['redirect_request']) if actions_hash.key?('redirect_request')
+        interrupt_execution(actions_hash['block_request']) if actions_hash.key?('block_request')
+      end
+
+      def interrupt_execution(action_params)
+        throw(Datadog::AppSec::Ext::INTERRUPT, action_params)
+      end
+
+      def generate_stack(_action_params); end
+
+      def generate_schema(_action_params); end
+    end
+  end
+end

data/lib/datadog/appsec/component.rb

@@ -3,6 +3,7 @@
 require_relative 'processor'
 require_relative 'processor/rule_merger'
 require_relative 'processor/rule_loader'
+require_relative 'actions_handler'
 
 module Datadog
   module AppSec
@@ -23,7 +24,7 @@ module Datadog
           devise_integration = Datadog::AppSec::Contrib::Devise::Integration.new
           settings.appsec.instrument(:devise) unless devise_integration.patcher.patched?
 
-          new(processor: processor)
+          new(processor, telemetry)
         end
 
         private
@@ -72,21 +73,26 @@ module Datadog
         end
       end
 
-      attr_reader :processor
+      attr_reader :processor, :telemetry
 
-      def initialize(processor:)
+      def initialize(processor, telemetry)
         @processor = processor
+        @telemetry = telemetry
+
         @mutex = Mutex.new
       end
 
       def reconfigure(ruleset:, telemetry:)
         @mutex.synchronize do
-          new = Processor.new(ruleset: ruleset, telemetry: telemetry)
+          new_processor = Processor.new(ruleset: ruleset, telemetry: telemetry)
+
+          if new_processor && new_processor.ready?
+            old_processor = @processor
+
+            @telemetry = telemetry
+            @processor = new_processor
 
-          if new && new.ready?
-            old = @processor
-            @processor = new
-            old.finalize if old
+            old_processor.finalize if old_processor
           end
         end
       end

data/lib/datadog/appsec/configuration/settings.rb

@@ -12,14 +12,29 @@ module Datadog
         DEFAULT_OBFUSCATOR_KEY_REGEX = '(?i)pass|pw(?:or)?d|secret|(?:api|private|public|access)[_-]?key|token|consumer[_-]?(?:id|key|secret)|sign(?:ed|ature)|bearer|authorization|jsessionid|phpsessid|asp\.net[_-]sessionid|sid|jwt'
         DEFAULT_OBFUSCATOR_VALUE_REGEX = '(?i)(?:p(?:ass)?w(?:or)?d|pass(?:[_-]?phrase)?|secret(?:[_-]?key)?|(?:(?:api|private|public|access)[_-]?)key(?:[_-]?id)?|(?:(?:auth|access|id|refresh)[_-]?)?token|consumer[_-]?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?|jsessionid|phpsessid|asp\.net(?:[_-]|-)sessionid|sid|jwt)(?:\s*=[^;]|"\s*:\s*"[^"]+")|bearer\s+[a-z0-9\._\-]+|token:[a-z0-9]{13}|gh[opsu]_[0-9a-zA-Z]{36}|ey[I-L][\w=-]+\.ey[I-L][\w=-]+(?:\.[\w.+\/=-]+)?|[\-]{5}BEGIN[a-z\s]+PRIVATE\sKEY[\-]{5}[^\-]+[\-]{5}END[a-z\s]+PRIVATE\sKEY|ssh-rsa\s*[a-z0-9\/\.+]{100,}'
         # rubocop:enable Layout/LineLength
+
+        DISABLED_AUTO_USER_INSTRUMENTATION_MODE = 'disabled'
+        ANONYMIZATION_AUTO_USER_INSTRUMENTATION_MODE = 'anonymization'
+        IDENTIFICATION_AUTO_USER_INSTRUMENTATION_MODE = 'identification'
+        AUTO_USER_INSTRUMENTATION_MODES = [
+          DISABLED_AUTO_USER_INSTRUMENTATION_MODE,
+          ANONYMIZATION_AUTO_USER_INSTRUMENTATION_MODE,
+          IDENTIFICATION_AUTO_USER_INSTRUMENTATION_MODE
+        ].freeze
+        AUTO_USER_INSTRUMENTATION_MODES_ALIASES = {
+          'ident' => IDENTIFICATION_AUTO_USER_INSTRUMENTATION_MODE,
+          'anon' => ANONYMIZATION_AUTO_USER_INSTRUMENTATION_MODE,
+        }.freeze
+
+        # NOTE: These two constants are deprecated
+        SAFE_TRACK_USER_EVENTS_MODE = 'safe'
+        EXTENDED_TRACK_USER_EVENTS_MODE = 'extended'
         APPSEC_VALID_TRACK_USER_EVENTS_MODE = [
-          'safe',
-          'extended'
+          SAFE_TRACK_USER_EVENTS_MODE, EXTENDED_TRACK_USER_EVENTS_MODE
         ].freeze
-        APPSEC_VALID_TRACK_USER_EVENTS_ENABLED_VALUES = [
-          '1',
-          'true'
-        ].concat(APPSEC_VALID_TRACK_USER_EVENTS_MODE).freeze
+        APPSEC_VALID_TRACK_USER_EVENTS_ENABLED_VALUES = ['1', 'true'].concat(
+          APPSEC_VALID_TRACK_USER_EVENTS_MODE
+        ).freeze
 
         def self.extended(base)
           base = base.singleton_class unless base.is_a?(Class)
@@ -49,6 +64,15 @@ module Datadog
                 end
               end
 
+              # RASP or Runtime Application Self-Protection
+              # is a collection of techniques and heuristics aimed at detecting malicious inputs and preventing
+              # any potential side-effects on the application resulting from the use of said malicious inputs.
+              option :rasp_enabled do |o|
+                o.type :bool, nilable: true
+                o.env 'DD_APPSEC_RASP_ENABLED'
+                o.default true
+              end
+
               option :ruleset do |o|
                 o.env 'DD_APPSEC_RULES'
                 o.default :recommended
@@ -140,6 +164,29 @@ module Datadog
                 end
               end
 
+              settings :auto_user_instrumentation do
+                define_method(:enabled?) { get_option(:mode) != DISABLED_AUTO_USER_INSTRUMENTATION_MODE }
+
+                option :mode do |o|
+                  o.type :string
+                  o.env 'DD_APPSEC_AUTO_USER_INSTRUMENTATION_MODE'
+                  o.default IDENTIFICATION_AUTO_USER_INSTRUMENTATION_MODE
+                  o.setter do |value|
+                    mode = AUTO_USER_INSTRUMENTATION_MODES_ALIASES.fetch(value, value)
+                    next mode if AUTO_USER_INSTRUMENTATION_MODES.include?(mode)
+
+                    Datadog.logger.warn(
+                      'The appsec.auto_user_instrumentation.mode value provided is not supported. ' \
+                      "Supported values are: #{AUTO_USER_INSTRUMENTATION_MODES.join(' | ')}. " \
+                      "Using default value: #{IDENTIFICATION_AUTO_USER_INSTRUMENTATION_MODE}."
+                    )
+
+                    IDENTIFICATION_AUTO_USER_INSTRUMENTATION_MODE
+                  end
+                end
+              end
+
+              # DEV-3.0: Remove `track_user_events.enabled` and `track_user_events.mode` options
               settings :track_user_events do
                 option :enabled do |o|
                   o.default true
@@ -152,24 +199,39 @@ module Datadog
                       APPSEC_VALID_TRACK_USER_EVENTS_ENABLED_VALUES.include?(env_value.strip.downcase)
                     end
                   end
+                  o.after_set do
+                    Core.log_deprecation(key: :appsec_track_user_events_enabled) do
+                      'The appsec.track_user_events.enabled setting has been deprecated for removal. ' \
+                      'Please remove it from your Datadog.configure block and use ' \
+                      'appsec.auto_user_instrumentation.mode instead.'
+                    end
+                  end
                 end
 
                 option :mode do |o|
                   o.type :string
                   o.env 'DD_APPSEC_AUTOMATED_USER_EVENTS_TRACKING'
-                  o.default 'safe'
+                  o.default SAFE_TRACK_USER_EVENTS_MODE
                   o.setter do |v|
                     if APPSEC_VALID_TRACK_USER_EVENTS_MODE.include?(v)
                       v
                     elsif v == 'disabled'
-                      'safe'
+                      SAFE_TRACK_USER_EVENTS_MODE
                     else
                       Datadog.logger.warn(
                         'The appsec.track_user_events.mode value provided is not supported.' \
-                        'Supported values are: safe | extended.' \
-                        'Using default value `safe`'
+                        "Supported values are: #{APPSEC_VALID_TRACK_USER_EVENTS_MODE.join(' | ')}." \
+                        "Using default value: #{SAFE_TRACK_USER_EVENTS_MODE}."
                       )
-                      'safe'
+
+                      SAFE_TRACK_USER_EVENTS_MODE
+                    end
+                  end
+                  o.after_set do
+                    Core.log_deprecation(key: :appsec_track_user_events_mode) do
+                      'The appsec.track_user_events.mode setting has been deprecated for removal. ' \
+                      'Please remove it from your Datadog.configure block and use ' \
+                      'appsec.auto_user_instrumentation.mode instead.'
                     end
                   end
                 end

data/lib/datadog/appsec/context.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require_relative 'metrics'
+
 module Datadog
   module AppSec
     # This class accumulates the context over the request life-cycle and exposes
@@ -7,10 +9,7 @@ module Datadog
     class Context
       ActiveContextError = Class.new(StandardError)
 
-      attr_reader :trace, :span
-
-      # NOTE: This is an intermediate state and will be changed
-      attr_reader :waf_runner
+      attr_reader :trace, :span, :events
 
       class << self
         def activate(context)
@@ -34,16 +33,37 @@ module Datadog
       def initialize(trace, span, security_engine)
         @trace = trace
         @span = span
+        @events = []
         @security_engine = security_engine
-        @waf_runner = security_engine.new_context
+        @waf_runner = security_engine.new_runner
+        @metrics = Metrics::Collector.new
       end
 
       def run_waf(persistent_data, ephemeral_data, timeout = WAF::LibDDWAF::DDWAF_RUN_TIMEOUT)
-        @waf_runner.run(persistent_data, ephemeral_data, timeout)
+        result = @waf_runner.run(persistent_data, ephemeral_data, timeout)
+
+        @metrics.record_waf(result)
+        result
+      end
+
+      def run_rasp(type, persistent_data, ephemeral_data, timeout = WAF::LibDDWAF::DDWAF_RUN_TIMEOUT)
+        result = @waf_runner.run(persistent_data, ephemeral_data, timeout)
+
+        Metrics::Telemetry.report_rasp(type, result)
+        @metrics.record_rasp(result)
+
+        result
       end
 
-      def run_rasp(_type, persistent_data, ephemeral_data, timeout = WAF::LibDDWAF::DDWAF_RUN_TIMEOUT)
-        @waf_runner.run(persistent_data, ephemeral_data, timeout)
+      def extract_schema
+        @waf_runner.run({ 'waf.context.processor' => { 'extract-schema' => true } }, {})
+      end
+
+      def export_metrics
+        return if @span.nil?
+
+        Metrics::Exporter.export_waf_metrics(@metrics.waf, @span)
+        Metrics::Exporter.export_rasp_metrics(@metrics.rasp, @span)
       end
 
       def finalize

data/lib/datadog/appsec/contrib/active_record/instrumentation.rb

@@ -9,6 +9,8 @@ module Datadog
           module_function
 
           def detect_sql_injection(sql, adapter_name)
+            return unless AppSec.rasp_enabled?
+
             context = AppSec.active_context
             return unless context
 
@@ -25,7 +27,7 @@ module Datadog
             waf_timeout = Datadog.configuration.appsec.waf_timeout
             result = context.run_rasp(Ext::RASP_SQLI, {}, ephemeral_data, waf_timeout)
 
-            if result.status == :match
+            if result.match?
               Datadog::AppSec::Event.tag_and_keep!(context, result)
 
               event = {
@@ -35,7 +37,9 @@ module Datadog
                 sql: sql,
                 actions: result.actions
               }
-              context.waf_runner.events << event
+              context.events << event
+
+              ActionsHandler.handle(result.actions)
             end
           end
 

data/lib/datadog/appsec/contrib/active_record/patcher.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-require_relative '../patcher'
 require_relative 'instrumentation'
 
 module Datadog
@@ -9,8 +8,6 @@ module Datadog
       module ActiveRecord
         # AppSec patcher module for ActiveRecord
         module Patcher
-          include Datadog::AppSec::Contrib::Patcher
-
           module_function
 
           def patched?

data/lib/datadog/appsec/contrib/devise/configuration.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+module Datadog
+  module AppSec
+    module Contrib
+      module Devise
+        # A temporary configuration module to accomodate new RFC changes.
+        # NOTE: DEV-3 Remove module
+        module Configuration
+          MODES_CONVERSION_RULES = {
+            track_user_to_auto_instrumentation: {
+              AppSec::Configuration::Settings::SAFE_TRACK_USER_EVENTS_MODE =>
+              AppSec::Configuration::Settings::ANONYMIZATION_AUTO_USER_INSTRUMENTATION_MODE,
+              AppSec::Configuration::Settings::EXTENDED_TRACK_USER_EVENTS_MODE =>
+              AppSec::Configuration::Settings::IDENTIFICATION_AUTO_USER_INSTRUMENTATION_MODE
+            }.freeze,
+            auto_instrumentation_to_track_user: {
+              AppSec::Configuration::Settings::ANONYMIZATION_AUTO_USER_INSTRUMENTATION_MODE =>
+              AppSec::Configuration::Settings::SAFE_TRACK_USER_EVENTS_MODE,
+              AppSec::Configuration::Settings::IDENTIFICATION_AUTO_USER_INSTRUMENTATION_MODE =>
+              AppSec::Configuration::Settings::EXTENDED_TRACK_USER_EVENTS_MODE
+            }.freeze
+          }.freeze
+
+          module_function
+
+          # NOTE: DEV-3 Replace method use with `auto_user_instrumentation.enabled?`
+          def auto_user_instrumentation_enabled?
+            appsec = Datadog.configuration.appsec
+            appsec.auto_user_instrumentation.mode
+
+            unless appsec.auto_user_instrumentation.options[:mode].default_precedence?
+              return appsec.auto_user_instrumentation.enabled?
+            end
+
+            appsec.track_user_events.enabled
+          end
+
+          # NOTE: DEV-3 Replace method use with `auto_user_instrumentation.mode`
+          def auto_user_instrumentation_mode
+            appsec = Datadog.configuration.appsec
+
+            # NOTE: Reading both to trigger precedence set
+            appsec.auto_user_instrumentation.mode
+            appsec.track_user_events.mode
+
+            if !appsec.auto_user_instrumentation.options[:mode].default_precedence? &&
+                appsec.track_user_events.options[:mode].default_precedence?
+              return appsec.auto_user_instrumentation.mode
+            end
+
+            if appsec.auto_user_instrumentation.options[:mode].default_precedence?
+              return MODES_CONVERSION_RULES[:track_user_to_auto_instrumentation].fetch(
+                appsec.track_user_events.mode, appsec.auto_user_instrumentation.mode
+              )
+            end
+
+            identification_mode = AppSec::Configuration::Settings::IDENTIFICATION_AUTO_USER_INSTRUMENTATION_MODE
+            if appsec.auto_user_instrumentation.mode == identification_mode ||
+                appsec.track_user_events.mode == AppSec::Configuration::Settings::EXTENDED_TRACK_USER_EVENTS_MODE
+              return identification_mode
+            end
+
+            AppSec::Configuration::Settings::ANONYMIZATION_AUTO_USER_INSTRUMENTATION_MODE
+          end
+
+          # NOTE: Remove in next version of tracking
+          def track_user_events_mode
+            MODES_CONVERSION_RULES[:auto_instrumentation_to_track_user]
+              .fetch(auto_user_instrumentation_mode, Datadog.configuration.appsec.track_user_events.mode)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/datadog/appsec/contrib/devise/event.rb

@@ -8,9 +8,6 @@ module Datadog
         class Event
           UUID_REGEX = /^\h{8}-\h{4}-\h{4}-\h{4}-\h{12}$/.freeze
 
-          SAFE_MODE = 'safe'
-          EXTENDED_MODE = 'extended'
-
           attr_reader :user_id
 
           def initialize(resource, mode)
@@ -38,15 +35,15 @@ module Datadog
             @user_id = @resource.id
 
             case @mode
-            when EXTENDED_MODE
+            when AppSec::Configuration::Settings::IDENTIFICATION_AUTO_USER_INSTRUMENTATION_MODE
               @email = @resource.email
               @username = @resource.username
-            when SAFE_MODE
+            when AppSec::Configuration::Settings::ANONYMIZATION_AUTO_USER_INSTRUMENTATION_MODE
               @user_id = nil unless @user_id && @user_id.to_s =~ UUID_REGEX
             else
               Datadog.logger.warn(
-                "Invalid automated user evenst mode: `#{@mode}`. "\
-                              'Supported modes are: `safe` and `extended`.'
+                "Invalid auto_user_instrumentation.mode: `#{@mode}`. " \
+                "Supported modes are: #{AppSec::Configuration::Settings::AUTO_USER_INSTRUMENTATION_MODES.join(' | ')}."
               )
             end
           end