Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make appsec work without tracing #3645

Merged
merged 2 commits into from
May 15, 2024
Merged

Make appsec work without tracing #3645

merged 2 commits into from
May 15, 2024

Conversation

lloeki
Copy link
Contributor

@lloeki lloeki commented May 14, 2024
edited
Loading

2.0 Upgrade Guide notes

What does this PR do?

Make appsec work without tracing

Motivation:

Fixes #3564

Additional Notes:

Probably will need to be backported.

How to test the change?

Unsure? Have a question? Request a review!

@lloeki lloeki requested review from a team as code owners May 14, 2024 10:25
@github-actions github-actions bot added appsec Application Security monitoring product integrations Involves tracing integrations labels May 14, 2024
@codecov-commenter
Copy link

codecov-commenter commented May 14, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 98.10%. Comparing base (3bd8b05) to head (0a9d812).
Report is 5 commits behind head on master.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #3645      +/-   ##
==========================================
- Coverage   98.10%   98.10%   -0.01%     
==========================================
  Files        1225     1232       +7     
  Lines       72464    72556      +92     
  Branches     3439     3447       +8     
==========================================
+ Hits        71094    71184      +90     
- Misses       1370     1372       +2

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

TonyCTHsu
TonyCTHsu reviewed May 14, 2024
View reviewed changes
lib/datadog/appsec/contrib/devise/tracking.rb Outdated
@@ -13,24 +13,32 @@ module Tracking
SIGNUP_EVENT = 'users.signup'

def self.track_login_success(trace, span, user_id:, **others)
return if trace.nil? && span.nil?
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does it make sense to use || instead of && ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, right, I reversed things: both trace and span must be non-nil to continue, so if either is nil we must return.

Copy link
Contributor Author

@lloeki lloeki May 14, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in 0a9d812

@lloeki lloeki force-pushed the make-appsec-devise-work-without-tracing branch from db9dd09 to 6887455 Compare May 14, 2024 11:13
@lloeki lloeki force-pushed the make-appsec-devise-work-without-tracing branch from 6887455 to 0a9d812 Compare May 14, 2024 11:14
ivoanjo
ivoanjo reviewed May 14, 2024
View reviewed changes
lib/datadog/appsec/contrib/devise/tracking.rb
Comment on lines 15 to 44
def self.track_login_success(trace, span, user_id:, **others)
return if trace.nil? || span.nil?

track(LOGIN_SUCCESS_EVENT, trace, span, **others)

Kit::Identity.set_user(trace, span, id: user_id.to_s, **others) if user_id
end

def self.track_login_failure(trace, span, user_id:, user_exists:, **others)
return if trace.nil? || span.nil?

track(LOGIN_FAILURE_EVENT, trace, span, **others)

span.set_tag('appsec.events.users.login.failure.usr.id', user_id) if user_id
span.set_tag('appsec.events.users.login.failure.usr.exists', user_exists)
end

def self.track_signup(trace, span, user_id:, **others)
return if trace.nil? || span.nil?

track(SIGNUP_EVENT, trace, span, **others)
Kit::Identity.set_user(trace, id: user_id.to_s, **others) if user_id
end

def self.track(event, trace, span, **others)
return if trace.nil? || span.nil?

span.set_tag("appsec.events.#{event}.track", 'true')
span.set_tag("_dd.appsec.events.#{event}.auto.mode", Datadog.configuration.appsec.track_user_events.mode)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would be cool to add type signatures for this module -- I think they would've caught this bug :)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That is very true @ivoanjo!

p-datadog
p-datadog approved these changes May 14, 2024
View reviewed changes
Copy link
Contributor

@p-datadog p-datadog left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this not testable with unit tests?

@lloeki
Copy link
Contributor Author

lloeki commented May 15, 2024

Is this not testable with unit tests?

@p-datadog This needs something more of an integration test such as is done in there with it_behaves_like 'normal with tracing disable':

dd-trace-rb/spec/datadog/appsec/contrib/rack/integration_test_spec.rb

Lines 694 to 705 in c989b96

context 'with an event-triggering request in headers' do
let(:headers) { { 'HTTP_USER_AGENT' => 'Nessus SOAP' } }
it { is_expected.to be_ok }
it { expect(triggers).to be_a Array }
it_behaves_like 'normal with tracing disable'
it_behaves_like 'a GET 200 span'
it_behaves_like 'a trace with AppSec tags'
it_behaves_like 'a trace with AppSec events'
it_behaves_like 'a trace with AppSec api security tags'
end

@lloeki
Copy link
Contributor Author

lloeki commented May 15, 2024

Merging this as is, I took note to add typing + an integration test later.

@lloeki lloeki merged commit 7ca3042 into master May 15, 2024
166 checks passed
@lloeki lloeki deleted the make-appsec-devise-work-without-tracing branch May 15, 2024 10:11
@github-actions github-actions bot added this to the 2.0.0 milestone May 15, 2024
@lloeki lloeki mentioned this pull request May 15, 2024
Merged
lloeki added a commit that referenced this pull request May 16, 2024
@lloeki
Merge pull request #3650 from DataDog/backport/3645
f1b1ac6 
Backport #3645
@marcotc marcotc mentioned this pull request May 24, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ivoanjo ivoanjo ivoanjo left review comments

@TonyCTHsu TonyCTHsu TonyCTHsu approved these changes

@p-datadog p-datadog p-datadog approved these changes

Assignees
No one assigned
Labels
appsec Application Security monitoring product integrations Involves tracing integrations
Projects
None yet
Milestone
2.0.0.rc1
Development

Successfully merging this pull request may close these issues.

nil access when enabling ASM without enabling tracing
5 participants
@lloeki @codecov-commenter @ivoanjo @TonyCTHsu @p-datadog