ddtrace 1.5.1 → 1.5.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +20 -1
- data/lib/datadog/appsec/contrib/rack/request_middleware.rb +40 -18
- data/lib/datadog/appsec/event.rb +2 -4
- data/lib/datadog/core/configuration/settings.rb +17 -3
- data/lib/datadog/tracing/client_ip.rb +11 -0
- data/lib/datadog/tracing/configuration/ext.rb +2 -1
- data/lib/datadog/tracing/contrib/rack/middlewares.rb +4 -2
- data/lib/ddtrace/version.rb +1 -1
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 5417d6aa2797b38bfe55167afa723cb2479bd3b7fae3ad3ee16020844084a48e
|
|
4
|
+
data.tar.gz: 3c63a3c9dcce6c180349814da8113ba8e9b6b3334f2a4ab13ceeef4cc006c70c
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: e82cadb7da0c30c4f22791fab2f1ef356cf33378756673a74fa2dbcf447a25530421f86d809a86dcab5ccd31d332bca5759a589e9dfdaebc47d3b3d8f201c662
|
|
7
|
+
data.tar.gz: b36eafe691e5808bc179e693549e7aa7747d400502d0d21f500dac0129c726a4b433498c6b41896fd3351a382ddede220540d8c0a14b12bf240d320d037ae786
|
data/CHANGELOG.md
CHANGED
|
@@ -2,6 +2,20 @@
|
|
|
2
2
|
|
|
3
3
|
## [Unreleased]
|
|
4
4
|
|
|
5
|
+
## [1.5.2] - 2022-10-27
|
|
6
|
+
|
|
7
|
+
### Deprecation notice
|
|
8
|
+
|
|
9
|
+
- `DD_TRACE_CLIENT_IP_HEADER_DISABLED` was changed to `DD_TRACE_CLIENT_IP_ENABLED`. Although the former still works we encourage usage of the latter instead.
|
|
10
|
+
|
|
11
|
+
### Changed
|
|
12
|
+
|
|
13
|
+
- `http.client_ip` tag collection is made opt-in for APM. Note that `http.client_ip` is always collected when ASM is enabled as part of the security service provided ([#2321][], [#2331][])
|
|
14
|
+
|
|
15
|
+
### Fixed
|
|
16
|
+
|
|
17
|
+
- Handle REQUEST_URI with base url ([#2328][], [#2330][])
|
|
18
|
+
|
|
5
19
|
## [1.5.1] - 2022-10-19
|
|
6
20
|
|
|
7
21
|
### Changed
|
|
@@ -2145,7 +2159,8 @@ Release notes: https://github.com/DataDog/dd-trace-rb/releases/tag/v0.3.1
|
|
|
2145
2159
|
|
|
2146
2160
|
Git diff: https://github.com/DataDog/dd-trace-rb/compare/v0.3.0...v0.3.1
|
|
2147
2161
|
|
|
2148
|
-
[Unreleased]: https://github.com/DataDog/dd-trace-rb/compare/v1.5.
|
|
2162
|
+
[Unreleased]: https://github.com/DataDog/dd-trace-rb/compare/v1.5.2...master
|
|
2163
|
+
[1.5.2]: https://github.com/DataDog/dd-trace-rb/compare/v1.5.1...v1.5.2
|
|
2149
2164
|
[1.5.1]: https://github.com/DataDog/dd-trace-rb/compare/v1.5.0...v1.5.1
|
|
2150
2165
|
[1.5.0]: https://github.com/DataDog/dd-trace-rb/compare/v1.4.2...v1.5.0
|
|
2151
2166
|
[1.4.1]: https://github.com/DataDog/dd-trace-rb/compare/v1.4.1...v1.4.2
|
|
@@ -3052,6 +3067,10 @@ Git diff: https://github.com/DataDog/dd-trace-rb/compare/v0.3.0...v0.3.1
|
|
|
3052
3067
|
[#2311]: https://github.com/DataDog/dd-trace-rb/issues/2311
|
|
3053
3068
|
[#2318]: https://github.com/DataDog/dd-trace-rb/issues/2318
|
|
3054
3069
|
[#2319]: https://github.com/DataDog/dd-trace-rb/issues/2319
|
|
3070
|
+
[#2321]: https://github.com/DataDog/dd-trace-rb/issues/2321
|
|
3071
|
+
[#2328]: https://github.com/DataDog/dd-trace-rb/issues/2328
|
|
3072
|
+
[#2330]: https://github.com/DataDog/dd-trace-rb/issues/2330
|
|
3073
|
+
[#2331]: https://github.com/DataDog/dd-trace-rb/issues/2331
|
|
3055
3074
|
[@AdrianLC]: https://github.com/AdrianLC
|
|
3056
3075
|
[@Azure7111]: https://github.com/Azure7111
|
|
3057
3076
|
[@BabyGroot]: https://github.com/BabyGroot
|
|
@@ -6,6 +6,9 @@ require_relative '../../instrumentation/gateway'
|
|
|
6
6
|
require_relative '../../processor'
|
|
7
7
|
require_relative '../../assets'
|
|
8
8
|
|
|
9
|
+
require_relative '../../../tracing/client_ip'
|
|
10
|
+
require_relative '../../../tracing/contrib/rack/header_collection'
|
|
11
|
+
|
|
9
12
|
module Datadog
|
|
10
13
|
module AppSec
|
|
11
14
|
module Contrib
|
|
@@ -30,7 +33,7 @@ module Datadog
|
|
|
30
33
|
env['datadog.waf.context'] = context
|
|
31
34
|
request = ::Rack::Request.new(env)
|
|
32
35
|
|
|
33
|
-
add_appsec_tags
|
|
36
|
+
add_appsec_tags(active_trace, active_span, env)
|
|
34
37
|
|
|
35
38
|
request_return, request_response = Instrumentation.gateway.push('rack.request', request) do
|
|
36
39
|
@app.call(env)
|
|
@@ -56,7 +59,7 @@ module Datadog
|
|
|
56
59
|
|
|
57
60
|
request_return
|
|
58
61
|
ensure
|
|
59
|
-
add_waf_runtime_tags(context) if context
|
|
62
|
+
add_waf_runtime_tags(active_trace, context) if context
|
|
60
63
|
context.finalize if context
|
|
61
64
|
end
|
|
62
65
|
|
|
@@ -70,41 +73,60 @@ module Datadog
|
|
|
70
73
|
Datadog::Tracing.active_trace
|
|
71
74
|
end
|
|
72
75
|
|
|
73
|
-
def
|
|
74
|
-
|
|
76
|
+
def active_span
|
|
77
|
+
# TODO: factor out tracing availability detection
|
|
78
|
+
|
|
79
|
+
return unless defined?(Datadog::Tracing)
|
|
80
|
+
|
|
81
|
+
Datadog::Tracing.active_span
|
|
82
|
+
end
|
|
83
|
+
|
|
84
|
+
def add_appsec_tags(trace, span, env)
|
|
85
|
+
return unless trace
|
|
86
|
+
|
|
87
|
+
trace.set_tag('_dd.appsec.enabled', 1)
|
|
88
|
+
trace.set_tag('_dd.runtime_family', 'ruby')
|
|
89
|
+
trace.set_tag('_dd.appsec.waf.version', Datadog::AppSec::WAF::VERSION::BASE_STRING)
|
|
75
90
|
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
|
|
91
|
+
if span && span.get_tag(Tracing::Metadata::Ext::HTTP::TAG_CLIENT_IP).nil?
|
|
92
|
+
request_header_collection = Datadog::Tracing::Contrib::Rack::Header::RequestHeaderCollection.new(env)
|
|
93
|
+
|
|
94
|
+
# always collect client ip, as this is part of AppSec provided functionality
|
|
95
|
+
Datadog::Tracing::ClientIp.set_client_ip_tag!(
|
|
96
|
+
span,
|
|
97
|
+
headers: request_header_collection,
|
|
98
|
+
remote_ip: env['REMOTE_ADDR']
|
|
99
|
+
)
|
|
100
|
+
end
|
|
79
101
|
|
|
80
102
|
if @processor.ruleset_info
|
|
81
|
-
|
|
103
|
+
trace.set_tag('_dd.appsec.event_rules.version', @processor.ruleset_info[:version])
|
|
82
104
|
|
|
83
105
|
unless @oneshot_tags_sent
|
|
84
106
|
# Small race condition, but it's inoccuous: worst case the tags
|
|
85
107
|
# are sent a couple of times more than expected
|
|
86
108
|
@oneshot_tags_sent = true
|
|
87
109
|
|
|
88
|
-
|
|
89
|
-
|
|
90
|
-
|
|
91
|
-
|
|
110
|
+
trace.set_tag('_dd.appsec.event_rules.loaded', @processor.ruleset_info[:loaded].to_f)
|
|
111
|
+
trace.set_tag('_dd.appsec.event_rules.error_count', @processor.ruleset_info[:failed].to_f)
|
|
112
|
+
trace.set_tag('_dd.appsec.event_rules.errors', JSON.dump(@processor.ruleset_info[:errors]))
|
|
113
|
+
trace.set_tag('_dd.appsec.event_rules.addresses', JSON.dump(@processor.addresses))
|
|
92
114
|
|
|
93
115
|
# Ensure these tags reach the backend
|
|
94
|
-
|
|
116
|
+
trace.keep!
|
|
95
117
|
end
|
|
96
118
|
end
|
|
97
119
|
end
|
|
98
120
|
|
|
99
|
-
def add_waf_runtime_tags(context)
|
|
100
|
-
return unless
|
|
121
|
+
def add_waf_runtime_tags(trace, context)
|
|
122
|
+
return unless trace
|
|
101
123
|
return unless context
|
|
102
124
|
|
|
103
|
-
|
|
125
|
+
trace.set_tag('_dd.appsec.waf.timeouts', context.timeouts)
|
|
104
126
|
|
|
105
127
|
# these tags expect time in us
|
|
106
|
-
|
|
107
|
-
|
|
128
|
+
trace.set_tag('_dd.appsec.waf.duration', context.time_ns / 1000.0)
|
|
129
|
+
trace.set_tag('_dd.appsec.waf.duration_ext', context.time_ext_ns / 1000.0)
|
|
108
130
|
end
|
|
109
131
|
end
|
|
110
132
|
end
|
data/lib/datadog/appsec/event.rb
CHANGED
|
@@ -51,7 +51,7 @@ module Datadog
|
|
|
51
51
|
end
|
|
52
52
|
end
|
|
53
53
|
|
|
54
|
-
def self.record_via_span(*events)
|
|
54
|
+
def self.record_via_span(*events) # rubocop:disable Metrics/AbcSize
|
|
55
55
|
events.group_by { |e| e[:trace] }.each do |trace, event_group|
|
|
56
56
|
unless trace
|
|
57
57
|
Datadog.logger.debug { "{ error: 'no trace: cannot record', event_group: #{event_group.inspect}}" }
|
|
@@ -75,9 +75,7 @@ module Datadog
|
|
|
75
75
|
|
|
76
76
|
tags['http.host'] = request.host
|
|
77
77
|
tags['http.useragent'] = request.user_agent
|
|
78
|
-
tags['network.client.ip'] = request.
|
|
79
|
-
|
|
80
|
-
# tags['actor.ip'] = request.ip # TODO: uses client IP resolution algorithm
|
|
78
|
+
tags['network.client.ip'] = request.env['REMOTE_ADDR'] if request.env['REMOTE_ADDR']
|
|
81
79
|
end
|
|
82
80
|
|
|
83
81
|
if (response = event[:response])
|
|
@@ -667,13 +667,27 @@ module Datadog
|
|
|
667
667
|
# Whether client IP collection is enabled. When enabled client IPs from HTTP requests will
|
|
668
668
|
# be reported in traces.
|
|
669
669
|
#
|
|
670
|
+
# Usage of the DD_TRACE_CLIENT_IP_HEADER_DISABLED environment variable is deprecated.
|
|
671
|
+
#
|
|
670
672
|
# @see https://docs.datadoghq.com/tracing/configure_data_security#configuring-a-client-ip-header
|
|
671
673
|
#
|
|
672
|
-
# @default
|
|
673
|
-
# variable or `true` if it doesn't exist.
|
|
674
|
+
# @default `DD_TRACE_CLIENT_IP_ENABLED` environment variable, otherwise `false`.
|
|
674
675
|
# @return [Boolean]
|
|
675
676
|
option :enabled do |o|
|
|
676
|
-
o.default
|
|
677
|
+
o.default do
|
|
678
|
+
disabled = env_to_bool(Tracing::Configuration::Ext::ClientIp::ENV_DISABLED)
|
|
679
|
+
|
|
680
|
+
enabled = if disabled.nil?
|
|
681
|
+
false
|
|
682
|
+
else
|
|
683
|
+
Datadog.logger.warn { "#{Tracing::Configuration::Ext::ClientIp::ENV_DISABLED} environment variable is deprecated, found set to #{disabled}, use #{Tracing::Configuration::Ext::ClientIp::ENV_ENABLED}=#{!disabled}" }
|
|
684
|
+
|
|
685
|
+
!disabled
|
|
686
|
+
end
|
|
687
|
+
|
|
688
|
+
# ENABLED env var takes precedence over deprecated DISABLED
|
|
689
|
+
env_to_bool(Tracing::Configuration::Ext::ClientIp::ENV_ENABLED, enabled)
|
|
690
|
+
end
|
|
677
691
|
o.lazy
|
|
678
692
|
end
|
|
679
693
|
|
|
@@ -39,6 +39,17 @@ module Datadog
|
|
|
39
39
|
def self.set_client_ip_tag(span, headers: nil, remote_ip: nil)
|
|
40
40
|
return unless configuration.enabled
|
|
41
41
|
|
|
42
|
+
set_client_ip_tag!(span, headers: headers, remote_ip: remote_ip)
|
|
43
|
+
end
|
|
44
|
+
|
|
45
|
+
# Forcefully sets the `http.client_ip` tag on the given span.
|
|
46
|
+
#
|
|
47
|
+
# This function ignores the user's `enabled` setting.
|
|
48
|
+
#
|
|
49
|
+
# @param [Span] span The span that's associated with the request.
|
|
50
|
+
# @param [HeaderCollection, #get, nil] headers A collection with the request headers.
|
|
51
|
+
# @param [String, nil] remote_ip The remote IP the request associated with the span is sent to.
|
|
52
|
+
def self.set_client_ip_tag!(span, headers: nil, remote_ip: nil)
|
|
42
53
|
result = raw_ip_from_request(headers, remote_ip)
|
|
43
54
|
|
|
44
55
|
if result.raw_ip
|
|
@@ -54,7 +54,8 @@ module Datadog
|
|
|
54
54
|
|
|
55
55
|
# @public_api
|
|
56
56
|
module ClientIp
|
|
57
|
-
|
|
57
|
+
ENV_ENABLED = 'DD_TRACE_CLIENT_IP_ENABLED'.freeze
|
|
58
|
+
ENV_DISABLED = 'DD_TRACE_CLIENT_IP_HEADER_DISABLED'.freeze # TODO: deprecated, remove later
|
|
58
59
|
ENV_HEADER_NAME = 'DD_TRACE_CLIENT_IP_HEADER'.freeze
|
|
59
60
|
end
|
|
60
61
|
end
|
|
@@ -268,10 +268,12 @@ module Datadog
|
|
|
268
268
|
|
|
269
269
|
query_string.empty? ? path : "#{path}?#{query_string}"
|
|
270
270
|
else
|
|
271
|
-
|
|
271
|
+
# normally REQUEST_URI starts at the path, but it
|
|
272
|
+
# might contain the full URL in some cases (e.g WEBrick)
|
|
273
|
+
request_uri.sub(/^#{base_url}/, '')
|
|
272
274
|
end
|
|
273
275
|
|
|
274
|
-
|
|
276
|
+
base_url + fullpath
|
|
275
277
|
end
|
|
276
278
|
|
|
277
279
|
def parse_user_agent_header(headers)
|
data/lib/ddtrace/version.rb
CHANGED