dd-trace 5.47.0 → 5.48.0

package/index.d.ts

@@ -869,6 +869,39 @@ declare namespace tracer {
     flush(): void
   }
 
+  export interface EventTrackingV2 {
+    /**
+     * Links a successful login event to the current trace. Will link the passed user to the current trace with Appsec.setUser() internally.
+     * @param {string} login The login key (username, email...) used by the user to authenticate.
+     * @param {User} user Properties of the authenticated user. Accepts custom fields. Can be null.
+     * @param {any} metadata Custom fields to link to the login success event.
+     */
+    trackUserLoginSuccess(login: string, user?: User | null, metadata?: any): void;
+
+    /**
+     * Links a successful login event to the current trace. Will link the passed user to the current trace with Appsec.setUser() internally.
+     * @param {string} login The login key (username, email...) used by the user to authenticate.
+     * @param {string} userId Identifier of the authenticated user.
+     * @param {any} metadata Custom fields to link to the login success event.
+     */
+    trackUserLoginSuccess(login: string, userId: string, metadata?: any): void;
+
+    /**
+     * Links a failed login event to the current trace.
+     * @param {string} login The login key (username, email...) used by the user to authenticate.
+     * @param {boolean} exists If the user exists.
+     * @param {any} metadata Custom fields to link to the login failure event.
+     */
+    trackUserLoginFailure(login: string, exists: boolean, metadata?: any): void;
+
+    /**
+     * Links a failed login event to the current trace.
+     * @param {string} login The login key (username, email...) used by the user to authenticate.
+     * @param {any} metadata Custom fields to link to the login failure event.
+     */
+    trackUserLoginFailure(login: string, metadata?: any): void;
+  }
+
   export interface Appsec {
     /**
      * Links a successful login event to the current trace. Will link the passed user to the current trace with Appsec.setUser() internally.
@@ -876,6 +909,8 @@ declare namespace tracer {
      * @param {[key: string]: string} metadata Custom fields to link to the login success event.
      *
      * @beta This method is in beta and could change in future versions.
+     *
+     * @deprecated In favor of eventTrackingV2.trackUserLoginSuccess
      */
     trackUserLoginSuccessEvent(user: User, metadata?: { [key: string]: string }): void
 
@@ -886,6 +921,8 @@ declare namespace tracer {
      * @param {[key: string]: string} metadata Custom fields to link to the login failure event.
      *
      * @beta This method is in beta and could change in future versions.
+     *
+     * @deprecated In favor of eventTrackingV2.trackUserLoginFailure
      */
     trackUserLoginFailureEvent(userId: string, exists: boolean, metadata?: { [key: string]: string }): void
 
@@ -926,6 +963,8 @@ declare namespace tracer {
      * @beta This method is in beta and could change in the future
      */
     setUser(user: User): void
+
+    eventTrackingV2: EventTrackingV2
   }
 
   /** @hidden */

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "dd-trace",
-  "version": "5.47.0",
+  "version": "5.48.0",
   "description": "Datadog APM tracing client for JavaScript",
   "main": "index.js",
   "typings": "index.d.ts",

package/packages/dd-trace/src/appsec/sdk/index.js

@@ -1,16 +1,38 @@
 'use strict'
 
-const { trackUserLoginSuccessEvent, trackUserLoginFailureEvent, trackCustomEvent } = require('./track_event')
+const {
+  trackUserLoginSuccessEvent,
+  trackUserLoginFailureEvent,
+  trackCustomEvent,
+  trackUserLoginSuccessV2,
+  trackUserLoginFailureV2
+} = require('./track_event')
 const { checkUserAndSetUser, blockRequest } = require('./user_blocking')
 const { setTemplates } = require('../blocking')
 const { setUser } = require('./set_user')
 
+class EventTrackingV2 {
+  constructor (tracer) {
+    this._tracer = tracer
+  }
+
+  trackUserLoginSuccess (login, user, metadata) {
+    trackUserLoginSuccessV2(this._tracer, login, user, metadata)
+  }
+
+  trackUserLoginFailure (login, exists, metadata) {
+    trackUserLoginFailureV2(this._tracer, login, exists, metadata)
+  }
+}
+
 class AppsecSdk {
   constructor (tracer, config) {
     this._tracer = tracer
     if (config) {
       setTemplates(config)
     }
+
+    this.eventTrackingV2 = new EventTrackingV2(tracer)
   }
 
   trackUserLoginSuccessEvent (user, metadata) {

package/packages/dd-trace/src/appsec/sdk/noop.js

@@ -1,6 +1,16 @@
 'use strict'
 
+class NoopEventTrackingV2 {
+  trackUserLoginSuccess () {}
+
+  trackUserLoginFailure () {}
+}
+
 class NoopAppsecSdk {
+  constructor () {
+    this.eventTrackingV2 = new NoopEventTrackingV2()
+  }
+
   trackUserLoginSuccessEvent () {}
 
   trackUserLoginFailureEvent () {}

package/packages/dd-trace/src/appsec/sdk/set_user.js

@@ -9,6 +9,8 @@ function setUserTags (user, rootSpan) {
   for (const k of Object.keys(user)) {
     rootSpan.setTag(`usr.${k}`, '' + user[k])
   }
+
+  rootSpan.setTag('_dd.appsec.user.collection_mode', 'sdk')
 }
 
 function setUser (tracer, user) {
@@ -24,7 +26,6 @@ function setUser (tracer, user) {
   }
 
   setUserTags(user, rootSpan)
-  rootSpan.setTag('_dd.appsec.user.collection_mode', 'sdk')
 
   const persistent = {
     [addresses.USER_ID]: '' + user.id

package/packages/dd-trace/src/appsec/sdk/track_event.js

@@ -9,6 +9,9 @@ const addresses = require('../addresses')
 const { ASM } = require('../../standalone/product')
 const { incrementSdkEventMetric } = require('../telemetry')
 
+/**
+ * @deprecated in favor of trackUserLoginSuccessV2
+ */
 function trackUserLoginSuccessEvent (tracer, user, metadata) {
   // TODO: better user check here and in _setUser() ?
   if (!user || !user.id) {
@@ -16,7 +19,7 @@ function trackUserLoginSuccessEvent (tracer, user, metadata) {
     return
   }
 
-  incrementSdkEventMetric('login_success')
+  incrementSdkEventMetric('login_success', 'v1')
 
   const rootSpan = getRootSpan(tracer)
   if (!rootSpan) {
@@ -35,6 +38,9 @@ function trackUserLoginSuccessEvent (tracer, user, metadata) {
   runWaf('users.login.success', { id: user.id, login })
 }
 
+/**
+ * @deprecated in favor of trackUserLoginFailureV2
+ */
 function trackUserLoginFailureEvent (tracer, userId, exists, metadata) {
   if (!userId || typeof userId !== 'string') {
     log.warn('[ASM] Invalid userId provided to trackUserLoginFailureEvent')
@@ -52,7 +58,7 @@ function trackUserLoginFailureEvent (tracer, userId, exists, metadata) {
 
   runWaf('users.login.failure', { login: userId })
 
-  incrementSdkEventMetric('login_failure')
+  incrementSdkEventMetric('login_failure', 'v1')
 }
 
 function trackCustomEvent (tracer, eventName, metadata) {
@@ -63,7 +69,112 @@ function trackCustomEvent (tracer, eventName, metadata) {
 
   trackEvent(eventName, metadata, 'trackCustomEvent', getRootSpan(tracer))
 
-  incrementSdkEventMetric('custom')
+  incrementSdkEventMetric('custom', 'v1')
+
+  if (eventName === 'users.login.success' || eventName === 'users.login.failure') {
+    runWaf(eventName)
+  }
+}
+
+function trackUserLoginSuccessV2 (tracer, login, user, metadata) {
+  if (!login || typeof login !== 'string') {
+    log.warn('[ASM] Invalid login provided to eventTrackingV2.trackUserLoginSuccess')
+    return
+  }
+
+  incrementSdkEventMetric('login_success', 'v2')
+
+  const rootSpan = getRootSpan(tracer)
+  if (!rootSpan) {
+    log.warn('[ASM] Root span not available in eventTrackingV2.trackUserLoginSuccess')
+    return
+  }
+
+  const wafData = { login }
+
+  metadata = {
+    'usr.login': login,
+    ...metadata
+  }
+
+  if (user) {
+    if (typeof user !== 'object') {
+      user = { id: user }
+    }
+
+    if (user.id) {
+      wafData.id = user.id
+      setUserTags(user, rootSpan)
+      metadata.usr = user
+    }
+  }
+
+  trackEvent('users.login.success', metadata, 'eventTrackingV2.trackUserLoginSuccess', rootSpan)
+
+  runWaf('users.login.success', wafData)
+}
+
+function trackUserLoginFailureV2 (tracer, login, exists, metadata) {
+  if (!login || typeof login !== 'string') {
+    log.warn('[ASM] Invalid login provided to eventTrackingV2.trackUserLoginFailure')
+    return
+  }
+
+  incrementSdkEventMetric('login_failure', 'v2')
+
+  const rootSpan = getRootSpan(tracer)
+  if (!rootSpan) {
+    log.warn('[ASM] Root span not available in eventTrackingV2.trackUserLoginFailure')
+    return
+  }
+
+  const wafData = { login }
+
+  if (typeof exists === 'object' && metadata === undefined) {
+    metadata = exists
+    exists = false
+  }
+
+  metadata = {
+    'usr.login': login,
+    'usr.exists': exists ? 'true' : 'false',
+    ...metadata
+  }
+
+  trackEvent('users.login.failure', metadata, 'eventTrackingV2.trackUserLoginFailure', rootSpan)
+
+  runWaf('users.login.failure', wafData)
+}
+
+function flattenFields (fields, depth = 0) {
+  if (depth > 4) {
+    return {
+      truncated: true
+    }
+  }
+
+  const result = {}
+  let truncated = false
+  for (const key of Object.keys(fields)) {
+    const value = fields[key]
+
+    if (value && typeof value === 'object') {
+      const { result: flatValue, truncated: inheritTruncated } = flattenFields(value, depth + 1)
+      truncated = truncated || inheritTruncated
+
+      if (flatValue) {
+        for (const flatKey of Object.keys(flatValue)) {
+          result[`${key}.${flatKey}`] = flatValue[flatKey]
+        }
+      }
+    } else {
+      if (value !== undefined) {
+        result[key] = value
+      }
+    }
+  }
+
+  return { result, truncated }
 }
 
 function trackEvent (eventName, fields, sdkMethodName, rootSpan) {
@@ -78,8 +189,14 @@ function trackEvent (eventName, fields, sdkMethodName, rootSpan) {
   }
 
   if (fields) {
-    for (const metadataKey of Object.keys(fields)) {
-      tags[`appsec.events.${eventName}.${metadataKey}`] = '' + fields[metadataKey]
+    const { result: flatFields, truncated } = flattenFields(fields)
+
+    if (truncated) {
+      log.warn('[ASM] Too deep object provided in the SDK method %s, object truncated', sdkMethodName)
+    }
+
+    for (const metadataKey of Object.keys(flatFields)) {
+      tags[`appsec.events.${eventName}.${metadataKey}`] = '' + flatFields[metadataKey]
     }
   }
 
@@ -93,11 +210,11 @@ function runWaf (eventName, user) {
     [`server.business_logic.${eventName}`]: null
   }
 
-  if (user.id) {
+  if (user?.id) {
     persistent[addresses.USER_ID] = '' + user.id
   }
 
-  if (user.login) {
+  if (user?.login) {
     persistent[addresses.USER_LOGIN] = '' + user.login
   }
 
@@ -107,5 +224,9 @@ function runWaf (eventName, user) {
 module.exports = {
   trackUserLoginSuccessEvent,
   trackUserLoginFailureEvent,
-  trackCustomEvent
+  trackCustomEvent,
+  trackUserLoginSuccessV2,
+  trackUserLoginFailureV2,
+  trackEvent,
+  runWaf
 }

package/packages/dd-trace/src/appsec/sdk/user_blocking.js

@@ -23,7 +23,6 @@ function checkUserAndSetUser (tracer, user) {
   if (rootSpan) {
     if (!rootSpan.context()._tags['usr.id']) {
       setUserTags(user, rootSpan)
-      rootSpan.setTag('_dd.appsec.user.collection_mode', 'sdk')
     }
   } else {
     log.warn('[ASM] Root span not available in isUserBlocked')

package/packages/dd-trace/src/appsec/telemetry/index.js

@@ -143,10 +143,10 @@ function incrementMissingUserIdMetric (framework, eventType) {
   incrementMissingUserId(framework, eventType)
 }
 
-function incrementSdkEventMetric (framework, eventType) {
+function incrementSdkEventMetric (eventType, sdkVersion) {
   if (!enabled) return
 
-  incrementSdkEvent(framework, eventType)
+  incrementSdkEvent(eventType, sdkVersion)
 }
 
 function getRequestMetrics (req) {

package/packages/dd-trace/src/appsec/telemetry/user.js

@@ -18,10 +18,10 @@ function incrementMissingUserId (framework, eventType) {
   }).inc()
 }
 
-function incrementSdkEvent (eventType) {
+function incrementSdkEvent (eventType, sdkVersion = 'v1') {
   appsecMetrics.count('sdk.event', {
     event_type: eventType,
-    sdk_version: 'v1'
+    sdk_version: sdkVersion
   }).inc()
 }
 

package/packages/dd-trace/src/debugger/devtools_client/breakpoints.js

@@ -3,7 +3,7 @@
 const { getGeneratedPosition } = require('./source-maps')
 const lock = require('./lock')()
 const session = require('./session')
-const compileCondition = require('./condition')
+const { compile: compileCondition, compileSegments, templateRequiresEvaluation } = require('./condition')
 const { MAX_SNAPSHOTS_PER_SECOND_PER_PROBE, MAX_NON_SNAPSHOTS_PER_SECOND_PER_PROBE } = require('./defaults')
 const { findScriptFromPartialPath, locationToBreakpoint, breakpointToProbes, probeToLocation } = require('./state')
 const log = require('../../log')
@@ -26,6 +26,13 @@ async function addBreakpoint (probe) {
   probe.location = { file, lines: [String(lineNumber)] }
   delete probe.where
 
+  // Optimize for fast calculations when probe is hit
+  probe.templateRequiresEvaluation = templateRequiresEvaluation(probe.segments)
+  if (probe.templateRequiresEvaluation) {
+    probe.template = compileSegments(probe.segments)
+  }
+  delete probe.segments
+
   // Optimize for fast calculations when probe is hit
   const snapshotsPerSecond = probe.sampling?.snapshotsPerSecond ?? (probe.captureSnapshot
     ? MAX_SNAPSHOTS_PER_SECOND_PER_PROBE
@@ -41,6 +48,10 @@ async function addBreakpoint (probe) {
   const { url, scriptId, sourceMapURL, source } = script
 
   if (sourceMapURL) {
+    log.debug(
+      '[debugger:devtools_client] Translating location using source map for %s:%d:%d (probe: %s, version: %d)',
+      file, lineNumber, columnNumber, probe.id, probe.version
+    );
     ({ line: lineNumber, column: columnNumber } = await getGeneratedPosition(url, source, lineNumber, sourceMapURL))
   }
 
@@ -156,6 +167,8 @@ function stop () {
 
 // Only if all probes have a condition can we use a compound condition.
 // Otherwise, we need to evaluate each probe individually once the breakpoint is hit.
+// TODO: Handle errors - if there's 2 conditons, and one fails but the other returns true, we should still pause the
+// breakpoint
 function compileCompoundCondition (probes) {
   return probes.every(p => p.condition)
     ? probes.map(p => p.condition).filter(Boolean).join(' || ')

package/packages/dd-trace/src/debugger/devtools_client/condition.js

@@ -1,6 +1,10 @@
 'use strict'
 
-module.exports = compile
+module.exports = {
+  compile,
+  compileSegments,
+  templateRequiresEvaluation
+}
 
 const identifierRegex = /^[@a-zA-Z_$][\w$]*$/
 
@@ -35,7 +39,37 @@ const reservedWords = new Set([
 
 const PRIMITIVE_TYPES = new Set(['string', 'number', 'bigint', 'boolean', 'undefined', 'symbol', 'null'])
 
-// TODO: Consider storing some of these functions on `process` so they can be reused across probes
+function templateRequiresEvaluation (segments) {
+  if (segments === undefined) return false // There should always be segments, but just in case
+  for (const { str } of segments) {
+    if (str === undefined) return true
+  }
+  return false
+}
+
+function compileSegments (segments) {
+  let result = '['
+  for (let i = 0; i < segments.length; i++) {
+    const { str, dsl, json } = segments[i]
+    result += str !== undefined
+      ? JSON.stringify(str)
+      : `(() => {
+          try {
+            const result = ${compile(json)}
+            return typeof result === 'string' ? result : $dd_inspect(result, $dd_segmentInspectOptions)
+          } catch (e) {
+            return { expr: ${JSON.stringify(dsl)}, message: \`\${e.name}: \${e.message}\` }
+          }
+        })()`
+    if (i !== segments.length - 1) {
+      result += ','
+    }
+  }
+  return `${result}]`
+}
+
+// TODO: Consider storing some of these functions that doesn't require closure access to the current scope on `process`
+// so they can be reused across probes
 function compile (node) {
   if (node === null || typeof node === 'number' || typeof node === 'boolean') {
     return node

package/packages/dd-trace/src/debugger/devtools_client/index.js

@@ -16,10 +16,20 @@ const { NODE_MAJOR } = require('../../../../../version')
 require('./remote_config')
 
 // Expression to run on a call frame of the paused thread to get its active trace and span id.
-const expression = `
-  const context = global.require('dd-trace').scope().active()?.context();
-  ({ trace_id: context?.toTraceId(), span_id: context?.toSpanId() })
+const templateExpressionSetupCode = `
+  const $dd_inspect = global.require('node:util').inspect;
+  const $dd_segmentInspectOptions = {
+    depth: 0,
+    customInspect: false,
+    maxArrayLength: 3,
+    maxStringLength: 8 * 1024,
+    breakLength: Infinity
+  };
 `
+const getDDTagsExpression = `(() => {
+  const context = global.require('dd-trace').scope().active()?.context();
+  return { trace_id: context?.toTraceId(), span_id: context?.toSpanId() }
+})()`
 
 // There doesn't seem to be an official standard for the content of these fields, so we're just populating them with
 // something that should be useful to a Node.js developer.
@@ -45,6 +55,7 @@ session.on('Debugger.paused', async ({ params }) => {
   let sampled = false
   let numberOfProbesWithSnapshots = 0
   const probes = []
+  let templateExpressions = ''
 
   // V8 doesn't allow setting more than one breakpoint at a specific location, however, it's possible to set two
   // breakpoints just next to each other that will "snap" to the same logical location, which in turn will be hit at the
@@ -79,15 +90,6 @@ session.on('Debugger.paused', async ({ params }) => {
         continue
       }
 
-      if (shouldVerifyConditions && probe.condition !== undefined) {
-        const { result } = await session.post('Debugger.evaluateOnCallFrame', {
-          callFrameId: params.callFrames[0].callFrameId,
-          expression: probe.condition,
-          returnByValue: true
-        })
-        if (result.value !== true) continue
-      }
-
       if (probe.captureSnapshot === true) {
         // This algorithm to calculate number of sampled snapshots within the last second is not perfect, as it's not a
         // sliding window. But it's quick and easy :)
@@ -107,9 +109,24 @@ session.on('Debugger.paused', async ({ params }) => {
         maxLength = highestOrUndefined(probe.capture.maxLength, maxLength)
       }
 
+      if (shouldVerifyConditions && probe.condition !== undefined) {
+        // TODO: Bundle all conditions and evaluate them in a single call
+        // TODO: Handle errors
+        const { result } = await session.post('Debugger.evaluateOnCallFrame', {
+          callFrameId: params.callFrames[0].callFrameId,
+          expression: probe.condition,
+          returnByValue: true
+        })
+        if (result.value !== true) continue
+      }
+
       sampled = true
       probe.lastCaptureNs = start
 
+      if (probe.templateRequiresEvaluation) {
+        templateExpressions += `,${probe.template}`
+      }
+
       probes.push(probe)
     }
   }
@@ -119,7 +136,22 @@ session.on('Debugger.paused', async ({ params }) => {
   }
 
   const timestamp = Date.now()
-  const dd = await getDD(params.callFrames[0].callFrameId)
+
+  let evalResults = null
+  const { result } = await session.post('Debugger.evaluateOnCallFrame', {
+    callFrameId: params.callFrames[0].callFrameId,
+    expression: templateExpressions.length === 0
+      ? `[${getDDTagsExpression}]`
+      : `${templateExpressionSetupCode}[${getDDTagsExpression}${templateExpressions}]`,
+    returnByValue: true,
+    includeCommandLineAPI: true
+  })
+  if (result?.subtype === 'error') {
+    log.error('[debugger:devtools_client] Error evaluating code on call frame: %s', result?.description)
+    evalResults = []
+  } else {
+    evalResults = result?.value ?? []
+  }
 
   let processLocalState
   if (numberOfProbesWithSnapshots !== 0) {
@@ -155,6 +187,8 @@ session.on('Debugger.paused', async ({ params }) => {
   }
 
   const stack = getStackFromCallFrames(params.callFrames)
+  const dd = processDD(evalResults[0]) // the first result is the dd tags, the rest are the probe template results
+  let messageIndex = 1
 
   // TODO: Send multiple probes in one HTTP request as an array (DEBUG-2848)
   for (const probe of probes) {
@@ -179,9 +213,33 @@ session.on('Debugger.paused', async ({ params }) => {
       }
     }
 
+    let message = ''
+    if (probe.templateRequiresEvaluation) {
+      const results = evalResults[messageIndex++]
+      if (results === undefined) {
+        log.error('[debugger:devtools_client] No evaluation results for probe %s', probe.id)
+      } else {
+        for (const result of results) {
+          if (typeof result === 'string') {
+            message += result
+          } else {
+            // If `result` isn't a string, it's an evaluation error object
+            if (snapshot.evaluationErrors === undefined) {
+              snapshot.evaluationErrors = [result]
+            } else {
+              snapshot.evaluationErrors.push(result)
+            }
+            message += `{${result.message}}`
+          }
+        }
+      }
+    } else {
+      message = probe.template
+    }
+
     ackEmitting(probe)
-    // TODO: Process template (DEBUG-2628)
-    send(probe.template, logger, dd, snapshot)
+
+    send(message, logger, dd, snapshot)
   }
 })
 
@@ -189,22 +247,6 @@ function highestOrUndefined (num, max) {
   return num === undefined ? max : Math.max(num, max ?? 0)
 }
 
-async function getDD (callFrameId) {
-  // TODO: Consider if an `objectGroup` should be used, so it can be explicitly released using
-  // `Runtime.releaseObjectGroup`
-  const { result } = await session.post('Debugger.evaluateOnCallFrame', {
-    callFrameId,
-    expression,
-    returnByValue: true,
-    includeCommandLineAPI: true
-  })
-
-  if (result?.value?.trace_id === undefined) {
-    if (result?.subtype === 'error') {
-      log.error('[debugger:devtools_client] Error getting trace/span id:', result.description)
-    }
-    return
-  }
-
-  return result.value
+function processDD (result) {
+  return result?.trace_id === undefined ? undefined : result
 }

package/packages/dd-trace/src/debugger/devtools_client/send.js

@@ -12,6 +12,7 @@ const { version } = require('../../../../../package.json')
 
 module.exports = send
 
+const MAX_MESSAGE_LENGTH = 8 * 1024 // 8KB
 const MAX_LOG_PAYLOAD_SIZE = 1024 * 1024 // 1MB
 
 const ddsource = 'dd_debugger'
@@ -36,7 +37,9 @@ function send (message, logger, dd, snapshot) {
     ddsource,
     hostname,
     service,
-    message,
+    message: message?.length > MAX_MESSAGE_LENGTH
+      ? message.slice(0, MAX_MESSAGE_LENGTH) + '…'
+      : message,
     logger,
     dd,
     debugger: { snapshot }

package/packages/dd-trace/src/debugger/devtools_client/source-maps.js

@@ -27,7 +27,7 @@ const self = module.exports = {
 
   async getGeneratedPosition (url, source, line, sourceMapURL) {
     const dir = dirname(new URL(url).pathname)
-    return await SourceMapConsumer.with(
+    return SourceMapConsumer.with(
       await self.loadSourceMap(dir, sourceMapURL),
       null,
       (consumer) => consumer.generatedPositionFor({ source, line, column: 0 })