Allow login event SDK to be used with appsec disabled

Author: manuel-alvarez-alvarez

.circleci/config.continue.yml.j2

@@ -860,6 +860,8 @@ jobs:
               APPSEC_API_SECURITY
               APPSEC_API_SECURITY_RC
               APPSEC_API_SECURITY_WITH_SAMPLING
+              APPSEC_AUTO_EVENTS_RC
+              APPSEC_AUTO_EVENTS_EXTENDED
               APPSEC_WAF_TELEMETRY
               APPSEC_STANDALONE_V2
               IAST_STANDALONE_V2

dd-java-agent/agent-bootstrap/src/main/java/datadog/trace/bootstrap/Agent.java

@@ -16,6 +16,7 @@
 import datadog.trace.api.Platform;
 import datadog.trace.api.StatsDClientManager;
 import datadog.trace.api.WithGlobalTracer;
+import datadog.trace.api.appsec.AppSecEventTracker;
 import datadog.trace.api.config.AppSecConfig;
 import datadog.trace.api.config.CiVisibilityConfig;
 import datadog.trace.api.config.CwsConfig;
@@ -812,6 +813,10 @@ private static StatsDClientManager statsDClientManager() throws Exception {
   }
 
   private static void maybeStartAppSec(Class<?> scoClass, Object o) {
+
+    // event tracking SDK must be available for customers even if AppSec is fully disabled
+    AppSecEventTracker.install();
+
     if (!(appSecEnabled || (remoteConfigEnabled && !appSecFullyDisabled))) {
       return;
     }

dd-java-agent/appsec/src/main/java/com/datadog/appsec/AppSecSystem.java

@@ -17,7 +17,6 @@
 import datadog.remoteconfig.ConfigurationPoller;
 import datadog.trace.api.Config;
 import datadog.trace.api.ProductActivation;
-import datadog.trace.api.appsec.AppSecEventTracker;
 import datadog.trace.api.gateway.SubscriptionService;
 import datadog.trace.api.telemetry.ProductChange;
 import datadog.trace.api.telemetry.ProductChangeCollector;
@@ -100,8 +99,6 @@ private static void doStart(SubscriptionService gw, SharedCommunicationObjects s
 
     Blocking.setBlockingService(new BlockingServiceImpl(REPLACEABLE_EVENT_PRODUCER));
 
-    AppSecEventTracker.setEventTracker(new AppSecEventTracker());
-
     STARTED.set(true);
 
     String startedAppSecModules = String.join(", ", STARTED_MODULES_INFO.values());

dd-java-agent/appsec/src/main/java/com/datadog/appsec/event/data/KnownAddresses.java

@@ -133,6 +133,9 @@ public interface KnownAddresses {
   /** Login success business event */
   Address<String> LOGIN_SUCCESS = new Address<>("server.business_logic.users.login.success");
 
+  /** Sign up business event */
+  Address<String> SIGN_UP = new Address<>("server.business_logic.users.signup");
+
   /** The Exec command being executed */
   Address<String> EXEC_CMD = new Address<>("server.sys.exec.cmd");
 
@@ -215,6 +218,8 @@ static Address<?> forName(String name) {
         return LOGIN_SUCCESS;
       case "server.business_logic.users.login.failure":
         return LOGIN_FAILURE;
+      case "server.business_logic.users.signup":
+        return SIGN_UP;
       case "server.sys.exec.cmd":
         return EXEC_CMD;
       case "server.sys.shell.cmd":

dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/AppSecRequestContext.java

@@ -8,7 +8,6 @@
 import com.datadog.appsec.report.AppSecEvent;
 import com.datadog.appsec.util.StandardizedLogging;
 import datadog.trace.api.Config;
-import datadog.trace.api.UserIdCollectionMode;
 import datadog.trace.api.http.StoredBodySupplier;
 import datadog.trace.api.internal.TraceSegment;
 import datadog.trace.bootstrap.instrumentation.api.AgentSpan;
@@ -136,10 +135,8 @@ public class AppSecRequestContext implements DataBundle, Closeable {
 
   // keep a reference to the last published usr.id
   private volatile String userId;
-  private volatile UserIdCollectionMode userIdSource;
   // keep a reference to the last published usr.login
   private volatile String userLogin;
-  private volatile UserIdCollectionMode userLoginSource;
   // keep a reference to the last published usr.session_id
   private volatile String sessionId;
 
@@ -533,36 +530,30 @@ public void setRespDataPublished(boolean respDataPublished) {
     this.respDataPublished = respDataPublished;
   }
 
-  public String getUserId() {
-    return userId;
-  }
-
-  public void setUserId(String userId) {
+  /**
+   * Updates the current used usr.id
+   *
+   * @return {@code false} if the user id has not been updated
+   */
+  public boolean updateUserId(String userId) {
+    if (Objects.equals(this.userId, userId)) {
+      return false;
+    }
     this.userId = userId;
+    return true;
   }
 
-  public UserIdCollectionMode getUserIdSource() {
-    return userIdSource;
-  }
-
-  public void setUserIdSource(UserIdCollectionMode userIdSource) {
-    this.userIdSource = userIdSource;
-  }
-
-  public String getUserLogin() {
-    return userLogin;
-  }
-
-  public void setUserLogin(String userLogin) {
+  /**
+   * Updates current used usr.login
+   *
+   * @return {@code false} if the user login has not been updated
+   */
+  public boolean updateUserLogin(String userLogin) {
+    if (Objects.equals(this.userLogin, userLogin)) {
+      return false;
+    }
     this.userLogin = userLogin;
-  }
-
-  public UserIdCollectionMode getUserLoginSource() {
-    return userLoginSource;
-  }
-
-  public void setUserLoginSource(UserIdCollectionMode userLoginSource) {
-    this.userLoginSource = userLoginSource;
+    return true;
   }
 
   public void setSessionId(String sessionId) {