[APPSEC-8112] Appsec block request when user ID matches rules data

[GustavoCaso]

What does this PR do?

This PR works on top of the previous work done to introduce the AppSec::Component and the Appsec::Monitor

The new code added does the following:

• When calling Kit::Identity.set_user if appsec is enabled, we would propagate the user information to the appsec reactive engine
• If the reactive engine considers that we should react based on the information provided, we are going to throw
• The appsec rack middleware listens for the throw from the reactive engine if it encounters it. We would interrupt the request and return a 403

I had to add Datadog::AppSec.settings.send(:reset!) after all the integration contrib tests to avoid having leaky tests.

Motivation

Additional Notes

How to test the change?

CI should be 🟢

[GustavoCaso]

@lloeki I'm creating a dummy object for now. I would work on having the set of objects we discussed on this other PR on a separate PR.

For now OpenStruct allows to move fast 💨

[lloeki]

OpenStruct is very slow, let's replace it quickly! (on a separate PR)

Ref: Struct vs Class vs Hash vs OpenStruct

[GustavoCaso]

Absolutely. I'm not a fun of OpenStruct but for getting out of the way is very handy

[codecov-commenter]

Codecov Report

Merging #2642 (3b09f87) into master (923f2a9) will increase coverage by 0.03%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##           master    #2642      +/-   ##
==========================================
+ Coverage   98.05%   98.08%   +0.03%     
==========================================
  Files        1159     1160       +1     
  Lines       63607    63695      +88     
  Branches     2846     2849       +3     
==========================================
+ Hits        62369    62477     +108     
+ Misses       1238     1218      -20     

Impacted Files	Coverage Δ
.../datadog/appsec/contrib/rack/request_middleware.rb	95.94% <100.00%> (+0.11%)	⬆️
lib/datadog/appsec/ext.rb	100.00% <100.00%> (ø)
lib/datadog/appsec/monitor/gateway/watcher.rb	92.85% <100.00%> (+48.12%)	⬆️
lib/datadog/kit/identity.rb	100.00% <100.00%> (ø)
...tadog/appsec/contrib/rack/integration_test_spec.rb	99.25% <100.00%> (+0.06%)	⬆️
...adog/appsec/contrib/rails/integration_test_spec.rb	99.21% <100.00%> (+0.06%)	⬆️
...og/appsec/contrib/sinatra/integration_test_spec.rb	99.22% <100.00%> (+0.05%)	⬆️
spec/datadog/kit/identity_spec.rb	100.00% <100.00%> (ø)
...ng/contrib/active_support/cache/instrumentation.rb	86.30% <0.00%> (+0.09%)	⬆️
lib/datadog/core/diagnostics/environment_logger.rb	98.48% <0.00%> (+0.79%)	⬆️
... and 2 more

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[lloeki]

LGTM!

[lloeki]

I guess you genericised the name from REQUEST_INTERRUPT to INTERRUPT so that it's context agnostic (request or otherwise)?

[GustavoCaso]

Exactly. Would you like to change it? I thought about BLOCK which is also context agnostic

[lloeki]

As mentioned in other discussions, we will have to see if this is still correct when multiple watchers are present on the same watch point.

[GustavoCaso]

Absolutely.

[GustavoCaso]

I'm eager to have a use case for multiple watchers and see how the reactive engine works

[lloeki]

OpenStruct is very slow, let's replace it quickly! (on a separate PR)

Ref: Struct vs Class vs Hash vs OpenStruct