[ASM][ATO] user id collection on authenticated request

[anna-git]

Summary of changes

• Add user login tags
• Instrument HttpContext.SetUser to watch for authenticated request (not authenticating), monitoring user id and session id (not reporting the latter)
• Run the waf on login / signup events including SDK, as soon as we have them
• Don't always include the user id coming from the span, to NOT override the sdk
• RunWafForUser to test for sdk precedence

this is all only for .net core for now

Reason for change

https://docs.google.com/document/d/1RT38U6dTTcB-8muiYV4-aVDCsT_XrliyakjtAPyjUpw

Implementation details

• New instrumentation Microsoft.AspNetCore.Http.HttpContext.SetUser
• RunWafForUser
• add new address

Test coverage

• new integration tests for authenticated request / conflict with sdk
• new unit tests

Other details

[github-actions]

Snapshots difference summary

The following differences have been observed in committed snapshots. It is meant to help the reviewer.
The diff is simplistic, so please check some files anyway while we improve it.

6 occurrences of :

+      _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-2-da57b738,
+      _dd.appsec.fp.http.network: net-1-1000000000,
+      _dd.appsec.fp.session: ssn-<fingerprint>,

[datadog-ddstaging]

Datadog Report

Branch report: anna/asm/userid-monitoring
Commit report: f29295d
Test service: dd-trace-dotnet

✅ 0 Failed, 565083 Passed, 4617 Skipped, 47h 37m 35s Total Time
❄️ 1 New Flaky

New Flaky Tests (1)

• TestInstrumentedUnitTests - Datadog.Trace.Security.IntegrationTests.Iast.IastInstrumentationUnitTests - Last Failure

  Expand for error

   Expected exit code: 0, actual exit code: 1.
  

[andrewlock]

Execution-Time Benchmarks Report ⏱️

Execution-time results for samples comparing the following branches/commits:

• This PR (6431)
• master

Execution-time benchmarks measure the whole time it takes to execute a program. And are intended to measure the one-off costs. Cases where the execution time results for the PR are worse than latest master results are shown in red. The following thresholds were used for comparing the execution times:

• Welch test with statistical test for significance of 5%
• Only results indicating a difference greater than 5% and 5 ms are considered.

Note that these results are based on a single point-in-time result for each branch. For full results, see the dashboard.

Graphs show the p99 interval based on the mean and StdDev of the test run, as well as the mean value of the run (shown as a diamond below the graph).

gantt
    title Execution time (ms) FakeDbCommand (.NET Framework 4.6.2) 
    dateFormat  X
    axisFormat %s
    todayMarker off
    section Baseline
    This PR (6431) - mean (70ms)  : 65, 74
     .   : milestone, 70,
    master - mean (69ms)  : 67, 72
     .   : milestone, 69,

    section CallTarget+Inlining+NGEN
    This PR (6431) - mean (1,024ms)  : 1005, 1043
     .   : milestone, 1024,
    master - mean (1,026ms)  : 1003, 1049
     .   : milestone, 1026,

Loading

gantt
    title Execution time (ms) FakeDbCommand (.NET Core 3.1) 
    dateFormat  X
    axisFormat %s
    todayMarker off
    section Baseline
    This PR (6431) - mean (108ms)  : 105, 111
     .   : milestone, 108,
    master - mean (108ms)  : 106, 109
     .   : milestone, 108,

    section CallTarget+Inlining+NGEN
    This PR (6431) - mean (727ms)  : 712, 742
     .   : milestone, 727,
    master - mean (728ms)  : 704, 752
     .   : milestone, 728,

Loading

gantt
    title Execution time (ms) FakeDbCommand (.NET 6) 
    dateFormat  X
    axisFormat %s
    todayMarker off
    section Baseline
    This PR (6431) - mean (91ms)  : 89, 93
     .   : milestone, 91,
    master - mean (92ms)  : 91, 94
     .   : milestone, 92,

    section CallTarget+Inlining+NGEN
    This PR (6431) - mean (671ms)  : 652, 691
     .   : milestone, 671,
    master - mean (674ms)  : 656, 692
     .   : milestone, 674,

Loading

gantt
    title Execution time (ms) HttpMessageHandler (.NET Framework 4.6.2) 
    dateFormat  X
    axisFormat %s
    todayMarker off
    section Baseline
    This PR (6431) - mean (190ms)  : 185, 195
     .   : milestone, 190,
    master - mean (190ms)  : 184, 195
     .   : milestone, 190,

    section CallTarget+Inlining+NGEN
    This PR (6431) - mean (1,131ms)  : 1110, 1153
     .   : milestone, 1131,
    master - mean (1,126ms)  : 1097, 1155
     .   : milestone, 1126,

Loading

gantt
    title Execution time (ms) HttpMessageHandler (.NET Core 3.1) 
    dateFormat  X
    axisFormat %s
    todayMarker off
    section Baseline
    This PR (6431) - mean (277ms)  : 272, 281
     .   : milestone, 277,
    master - mean (276ms)  : 271, 281
     .   : milestone, 276,

    section CallTarget+Inlining+NGEN
    This PR (6431) - mean (915ms)  : 885, 944
     .   : milestone, 915,
    master - mean (912ms)  : 884, 940
     .   : milestone, 912,

Loading

gantt
    title Execution time (ms) HttpMessageHandler (.NET 6) 
    dateFormat  X
    axisFormat %s
    todayMarker off
    section Baseline
    This PR (6431) - mean (265ms)  : 261, 270
     .   : milestone, 265,
    master - mean (264ms)  : 261, 268
     .   : milestone, 264,

    section CallTarget+Inlining+NGEN
    This PR (6431) - mean (889ms)  : 851, 926
     .   : milestone, 889,
    master - mean (886ms)  : 857, 916
     .   : milestone, 886,

Loading

[andrewlock]

Benchmarks Report for appsec 🐌

Benchmarks for #6431 compared to master:

• 2 benchmarks are faster, with geometric mean 1.233
• 2 benchmarks are slower, with geometric mean 1.123
• 1 benchmarks have fewer allocations
• 7 benchmarks have more allocations

The following thresholds were used for comparing the benchmark speeds:

• Mann–Whitney U test with statistical test for significance of 5%
• Only results indicating a difference greater than 10% and 0.3 ns are considered.

Allocation changes below 0.5% are ignored.

Benchmark details

Benchmarks.Trace.Asm.AppSecBodyBenchmark - Slower ⚠️ Same allocations ✔️

Slower ⚠️ in #6431

Benchmark	diff/base	Base Median (ns)	Diff Median (ns)	Modality
Benchmarks.Trace.Asm.AppSecBodyBenchmark.AllCycleSimpleBody‑netcoreapp3.1	1.125	274,762.62	309,106.39
Benchmarks.Trace.Asm.AppSecBodyBenchmark.ObjectExtractorSimpleBody‑netcoreapp3.1	1.122	195.75	219.62

Faster 🎉 in #6431

Benchmark	base/diff	Base Median (ns)	Diff Median (ns)	Modality
Benchmarks.Trace.Asm.AppSecBodyBenchmark.ObjectExtractorSimpleBody‑net6.0	1.314	181.85	138.37

Raw results

Branch	Method	Toolchain	Mean	StdError	StdDev	Gen 0	Gen 1	Gen 2	Allocated
master	AllCycleSimpleBody	net6.0	181μs	124ns	462ns	2.63	0	0	188.83 KB
master	AllCycleSimpleBody	netcoreapp3.1	275μs	193ns	746ns	2.6	0	0	196.16 KB
master	AllCycleSimpleBody	net472	251μs	201ns	777ns	35.9	2	0	225.91 KB
master	AllCycleMoreComplexBody	net6.0	192μs	69.6ns	260ns	2.65	0	0	192.34 KB
master	AllCycleMoreComplexBody	netcoreapp3.1	307μs	178ns	667ns	2.61	0	0	199.58 KB
master	AllCycleMoreComplexBody	net472	256μs	199ns	770ns	36.4	2.04	0	229.43 KB
master	ObjectExtractorSimpleBody	net6.0	182ns	0.13ns	0.505ns	0.00396	0	0	280 B
master	ObjectExtractorSimpleBody	netcoreapp3.1	196ns	0.205ns	0.795ns	0.00383	0	0	272 B
master	ObjectExtractorSimpleBody	net472	169ns	0.178ns	0.691ns	0.0446	0	0	281 B
master	ObjectExtractorMoreComplexBody	net6.0	2.9μs	1.44ns	5.39ns	0.0525	0	0	3.78 KB
master	ObjectExtractorMoreComplexBody	netcoreapp3.1	3.95μs	2.27ns	8.49ns	0.0493	0	0	3.69 KB
master	ObjectExtractorMoreComplexBody	net472	4.04μs	2.7ns	10.1ns	0.601	0.00605	0	3.8 KB
#6431	AllCycleSimpleBody	net6.0	202μs	149ns	537ns	2.59	0	0	188.69 KB
#6431	AllCycleSimpleBody	netcoreapp3.1	309μs	168ns	649ns	2.62	0	0	196.02 KB
#6431	AllCycleSimpleBody	net472	270μs	219ns	849ns	35.8	2.02	0	225.75 KB
#6431	AllCycleMoreComplexBody	net6.0	207μs	106ns	383ns	2.69	0	0	192.19 KB
#6431	AllCycleMoreComplexBody	netcoreapp3.1	319μs	216ns	779ns	2.7	0	0	199.43 KB
#6431	AllCycleMoreComplexBody	net472	277μs	182ns	656ns	36.4	2.07	0	229.27 KB
#6431	ObjectExtractorSimpleBody	net6.0	138ns	0.0751ns	0.281ns	0.00395	0	0	280 B
#6431	ObjectExtractorSimpleBody	netcoreapp3.1	220ns	0.123ns	0.462ns	0.00374	0	0	272 B
#6431	ObjectExtractorSimpleBody	net472	163ns	0.203ns	0.788ns	0.0446	0	0	281 B
#6431	ObjectExtractorMoreComplexBody	net6.0	2.84μs	1.1ns	4.11ns	0.0528	0	0	3.78 KB
#6431	ObjectExtractorMoreComplexBody	netcoreapp3.1	3.9μs	1.55ns	5.79ns	0.0505	0	0	3.69 KB
#6431	ObjectExtractorMoreComplexBody	net472	3.67μs	4.54ns	17ns	0.602	0.00548	0	3.8 KB

Benchmarks.Trace.Asm.AppSecEncoderBenchmark - Same speed ✔️ Same allocations ✔️

Raw results

Branch	Method	Toolchain	Mean	StdError	StdDev	Gen 0	Gen 1	Gen 2	Allocated
master	EncodeArgs	net6.0	37.9μs	23ns	85.9ns	0.453	0	0	32.4 KB
master	EncodeArgs	netcoreapp3.1	54μs	26.6ns	103ns	0.436	0	0	32.4 KB
master	EncodeArgs	net472	66.6μs	52ns	194ns	5.15	0.0665	0	32.5 KB
master	EncodeLegacyArgs	net6.0	71.8μs	43.8ns	158ns	0	0	0	2.14 KB
master	EncodeLegacyArgs	netcoreapp3.1	108μs	220ns	853ns	0	0	0	2.14 KB
master	EncodeLegacyArgs	net472	153μs	111ns	430ns	0.303	0	0	2.15 KB
#6431	EncodeArgs	net6.0	37.6μs	14.1ns	54.7ns	0.452	0	0	32.4 KB
#6431	EncodeArgs	netcoreapp3.1	54.3μs	21.7ns	78.3ns	0.433	0	0	32.4 KB
#6431	EncodeArgs	net472	67.1μs	60.8ns	235ns	5.14	0.0668	0	32.5 KB
#6431	EncodeLegacyArgs	net6.0	74.5μs	24.9ns	89.8ns	0	0	0	2.14 KB
#6431	EncodeLegacyArgs	netcoreapp3.1	107μs	69.3ns	259ns	0	0	0	2.14 KB
#6431	EncodeLegacyArgs	net472	152μs	90.1ns	349ns	0.306	0	0	2.15 KB

Benchmarks.Trace.Asm.AppSecWafBenchmark - Same speed ✔️ More allocations ⚠️

More allocations ⚠️ in #6431

Benchmark	Base Allocated	Diff Allocated	Change	Change %
Benchmarks.Trace.Asm.AppSecWafBenchmark.RunWafRealisticBenchmarkWithAttack‑net6.0	1.47 KB	1.57 KB	96 B	6.52%
Benchmarks.Trace.Asm.AppSecWafBenchmark.RunWafRealisticBenchmarkWithAttack‑netcoreapp3.1	1.46 KB	1.55 KB	95 B	6.52%
Benchmarks.Trace.Asm.AppSecWafBenchmark.RunWafRealisticBenchmarkWithAttack‑net472	1.49 KB	1.58 KB	96 B	6.46%
Benchmarks.Trace.Asm.AppSecWafBenchmark.RunWafRealisticBenchmark‑netcoreapp3.1	2.39 KB	2.49 KB	96 B	4.01%
Benchmarks.Trace.Asm.AppSecWafBenchmark.RunWafRealisticBenchmark‑net6.0	2.44 KB	2.54 KB	96 B	3.93%
Benchmarks.Trace.Asm.AppSecWafBenchmark.RunWafRealisticBenchmark‑net472	2.46 KB	2.55 KB	96 B	3.91%

Raw results

Branch	Method	Toolchain	Mean	StdError	StdDev	Gen 0	Gen 1	Gen 2	Allocated
master	RunWafRealisticBenchmark	net6.0	176μs	230ns	892ns	0	0	0	2.44 KB
master	RunWafRealisticBenchmark	netcoreapp3.1	189μs	251ns	973ns	0	0	0	2.39 KB
master	RunWafRealisticBenchmark	net472	202μs	85.8ns	321ns	0.302	0	0	2.46 KB
master	RunWafRealisticBenchmarkWithAttack	net6.0	115μs	167ns	646ns	0	0	0	1.47 KB
master	RunWafRealisticBenchmarkWithAttack	netcoreapp3.1	124μs	201ns	777ns	0	0	0	1.46 KB
master	RunWafRealisticBenchmarkWithAttack	net472	133μs	94.6ns	354ns	0.198	0	0	1.49 KB
#6431	RunWafRealisticBenchmark	net6.0	174μs	146ns	565ns	0	0	0	2.54 KB
#6431	RunWafRealisticBenchmark	netcoreapp3.1	192μs	116ns	420ns	0	0	0	2.49 KB
#6431	RunWafRealisticBenchmark	net472	202μs	102ns	383ns	0.403	0	0	2.55 KB
#6431	RunWafRealisticBenchmarkWithAttack	net6.0	116μs	49.6ns	192ns	0	0	0	1.57 KB
#6431	RunWafRealisticBenchmarkWithAttack	netcoreapp3.1	123μs	122ns	472ns	0	0	0	1.55 KB
#6431	RunWafRealisticBenchmarkWithAttack	net472	133μs	64.8ns	251ns	0.2	0	0	1.58 KB

Benchmarks.Trace.Iast.StringAspectsBenchmark - Faster 🎉 More allocations ⚠️

Faster 🎉 in #6431

Benchmark	base/diff	Base Median (ns)	Diff Median (ns)	Modality
Benchmarks.Trace.Iast.StringAspectsBenchmark.StringConcatBenchmark‑netcoreapp3.1	1.157	63,800.00	55,150.00	bimodal

More allocations ⚠️ in #6431

Benchmark	Base Allocated	Diff Allocated	Change	Change %
Benchmarks.Trace.Iast.StringAspectsBenchmark.StringConcatAspectBenchmark‑net6.0	253.55 KB	255.23 KB	1.68 KB	0.66%

Fewer allocations 🎉 in #6431

Benchmark	Base Allocated	Diff Allocated	Change	Change %
Benchmarks.Trace.Iast.StringAspectsBenchmark.StringConcatBenchmark‑net472	61.66 KB	59.07 KB	-2.59 KB	-4.20%

Raw results

Branch	Method	Toolchain	Mean	StdError	StdDev	Gen 0	Gen 1	Gen 2	Allocated
master	StringConcatBenchmark	net6.0	59.5μs	825ns	8.21μs	0	0	0	43.44 KB
master	StringConcatBenchmark	netcoreapp3.1	65.5μs	792ns	7.84μs	0	0	0	42.64 KB
master	StringConcatBenchmark	net472	36.8μs	136ns	508ns	0	0	0	61.66 KB
master	StringConcatAspectBenchmark	net6.0	303μs	1.67μs	9.44μs	0	0	0	253.55 KB
master	StringConcatAspectBenchmark	netcoreapp3.1	343μs	1.41μs	7.35μs	0	0	0	254.01 KB
master	StringConcatAspectBenchmark	net472	295μs	6.5μs	64μs	0	0	0	278.53 KB
#6431	StringConcatBenchmark	net6.0	61μs	759ns	7.59μs	0	0	0	43.44 KB
#6431	StringConcatBenchmark	netcoreapp3.1	55.2μs	236ns	818ns	0	0	0	42.64 KB
#6431	StringConcatBenchmark	net472	37.1μs	82ns	295ns	0	0	0	59.07 KB
#6431	StringConcatAspectBenchmark	net6.0	315μs	1.33μs	4.8μs	0	0	0	255.23 KB
#6431	StringConcatAspectBenchmark	netcoreapp3.1	341μs	1.52μs	6.28μs	0	0	0	253.15 KB
#6431	StringConcatAspectBenchmark	net472	284μs	5.89μs	57.8μs	0	0	0	278.53 KB

[andrewlock]

Throughput/Crank Report ⚡

Throughput results for AspNetCoreSimpleController comparing the following branches/commits:

• This PR (6431)
• master
• benchmarks/2.9.0

Cases where throughput results for the PR are worse than latest master (5% drop or greater), results are shown in red.

Note that these results are based on a single point-in-time result for each branch. For full results, see one of the many, many dashboards!

gantt
    title Throughput Linux x64 (Total requests) 
    dateFormat  X
    axisFormat %s
    section Baseline
    This PR (6431) (11.048M)   : 0, 11048062
    master (11.224M)   : 0, 11223639
    benchmarks/2.9.0 (11.045M)   : 0, 11045405

    section Automatic
    This PR (6431) (7.284M)   : 0, 7283680
    master (7.293M)   : 0, 7292913
    benchmarks/2.9.0 (7.885M)   : 0, 7885346

    section Trace stats
    master (7.604M)   : 0, 7603851

    section Manual
    master (11.184M)   : 0, 11183795

    section Manual + Automatic
    This PR (6431) (6.714M)   : 0, 6714409
    master (6.743M)   : 0, 6742819

    section DD_TRACE_ENABLED=0
    master (10.314M)   : 0, 10313598

Loading

gantt
    title Throughput Linux arm64 (Total requests) 
    dateFormat  X
    axisFormat %s
    section Baseline
    This PR (6431) (9.529M)   : 0, 9529201
    master (9.674M)   : 0, 9674286
    benchmarks/2.9.0 (9.586M)   : 0, 9586476

    section Automatic
    This PR (6431) (6.570M)   : 0, 6570308
    master (6.494M)   : 0, 6493569

    section Trace stats
    master (6.700M)   : 0, 6700405

    section Manual
    master (9.562M)   : 0, 9562190

    section Manual + Automatic
    This PR (6431) (5.862M)   : 0, 5862398
    master (6.146M)   : 0, 6146451

    section DD_TRACE_ENABLED=0
    master (9.154M)   : 0, 9153592

Loading

gantt
    title Throughput Windows x64 (Total requests) 
    dateFormat  X
    axisFormat %s
    section Baseline
    This PR (6431) (9.977M)   : 0, 9977353

    section Automatic
    This PR (6431) (6.537M)   : 0, 6537225

    section Manual + Automatic
    This PR (6431) (6.060M)   : 0, 6060302

Loading

[andrewlock]

Benchmarks Report for tracer 🐌

Benchmarks for #6431 compared to master:

• 2 benchmarks are faster, with geometric mean 1.179
• 3 benchmarks are slower, with geometric mean 1.145
• 1 benchmarks have fewer allocations

The following thresholds were used for comparing the benchmark speeds:

• Mann–Whitney U test with statistical test for significance of 5%
• Only results indicating a difference greater than 10% and 0.3 ns are considered.

Allocation changes below 0.5% are ignored.

Benchmark details

Benchmarks.Trace.ActivityBenchmark - Same speed ✔️ Same allocations ✔️

Raw results

Branch	Method	Toolchain	Mean	StdError	StdDev	Gen 0	Gen 1	Gen 2	Allocated
master	StartStopWithChild	net6.0	8μs	45.4ns	321ns	0.0157	0.00783	0	5.61 KB
master	StartStopWithChild	netcoreapp3.1	9.92μs	54.8ns	347ns	0.0192	0.00962	0	5.8 KB
master	StartStopWithChild	net472	16.3μs	64.2ns	249ns	1.05	0.314	0.0966	6.21 KB
#6431	StartStopWithChild	net6.0	7.91μs	44ns	288ns	0.016	0.004	0	5.61 KB
#6431	StartStopWithChild	netcoreapp3.1	10.2μs	51.7ns	242ns	0.0198	0.0099	0	5.8 KB
#6431	StartStopWithChild	net472	16.2μs	62.1ns	240ns	1.04	0.295	0.0877	6.21 KB

Benchmarks.Trace.AgentWriterBenchmark - Same speed ✔️ Same allocations ✔️

Raw results

Branch	Method	Toolchain	Mean	StdError	StdDev	Gen 0	Gen 1	Gen 2	Allocated
master	WriteAndFlushEnrichedTraces	net6.0	499μs	283ns	1.1μs	0	0	0	2.7 KB
master	WriteAndFlushEnrichedTraces	netcoreapp3.1	643μs	388ns	1.45μs	0	0	0	2.7 KB
master	WriteAndFlushEnrichedTraces	net472	844μs	1.08μs	4.03μs	0.417	0	0	3.3 KB
#6431	WriteAndFlushEnrichedTraces	net6.0	503μs	172ns	644ns	0	0	0	2.7 KB
#6431	WriteAndFlushEnrichedTraces	netcoreapp3.1	646μs	327ns	1.26μs	0	0	0	2.7 KB
#6431	WriteAndFlushEnrichedTraces	net472	860μs	656ns	2.54μs	0.428	0	0	3.3 KB

Benchmarks.Trace.AspNetCoreBenchmark - Same speed ✔️ Same allocations ✔️

Raw results

Branch	Method	Toolchain	Mean	StdError	StdDev	Gen 0	Gen 1	Gen 2	Allocated
master	SendRequest	net6.0	128μs	482ns	1.87μs	0.127	0	0	14.47 KB
master	SendRequest	netcoreapp3.1	143μs	505ns	1.96μs	0.211	0	0	17.27 KB
master	SendRequest	net472	0.0105ns	0.00325ns	0.0126ns	0	0	0	0 b
#6431	SendRequest	net6.0	125μs	388ns	1.45μs	0.187	0	0	14.47 KB
#6431	SendRequest	netcoreapp3.1	145μs	235ns	878ns	0.217	0	0	17.27 KB
#6431	SendRequest	net472	0.00393ns	0.00205ns	0.00794ns	0	0	0	0 b

Benchmarks.Trace.CIVisibilityProtocolWriterBenchmark - Same speed ✔️ Fewer allocations 🎉

Fewer allocations 🎉 in #6431

Benchmark	Base Allocated	Diff Allocated	Change	Change %
Benchmarks.Trace.CIVisibilityProtocolWriterBenchmark.WriteAndFlushEnrichedTraces‑net6.0	41.81 KB	41.59 KB	-220 B	-0.53%

Raw results

Branch	Method	Toolchain	Mean	StdError	StdDev	Gen 0	Gen 1	Gen 2	Allocated
master	WriteAndFlushEnrichedTraces	net6.0	563μs	3μs	17.7μs	0.718	0	0	41.81 KB
master	WriteAndFlushEnrichedTraces	netcoreapp3.1	649μs	3.17μs	13.4μs	0.329	0	0	41.71 KB
master	WriteAndFlushEnrichedTraces	net472	848μs	4.02μs	16.6μs	8.25	2.6	0.434	53.29 KB
#6431	WriteAndFlushEnrichedTraces	net6.0	555μs	2.92μs	14.6μs	0.563	0	0	41.59 KB
#6431	WriteAndFlushEnrichedTraces	netcoreapp3.1	666μs	3.56μs	19.5μs	0.324	0	0	41.68 KB
#6431	WriteAndFlushEnrichedTraces	net472	837μs	3.17μs	11.9μs	8.41	2.4	0.401	53.3 KB

Benchmarks.Trace.DbCommandBenchmark - Same speed ✔️ Same allocations ✔️

Raw results

Branch	Method	Toolchain	Mean	StdError	StdDev	Gen 0	Gen 1	Gen 2	Allocated
master	ExecuteNonQuery	net6.0	1.38μs	1.04ns	3.91ns	0.0145	0	0	1.02 KB
master	ExecuteNonQuery	netcoreapp3.1	1.79μs	1.62ns	6.07ns	0.0135	0	0	1.02 KB
master	ExecuteNonQuery	net472	2.07μs	1.56ns	6.05ns	0.156	0.00103	0	987 B
#6431	ExecuteNonQuery	net6.0	1.25μs	1.21ns	4.69ns	0.0143	0	0	1.02 KB
#6431	ExecuteNonQuery	netcoreapp3.1	1.71μs	1.39ns	5.38ns	0.0137	0	0	1.02 KB
#6431	ExecuteNonQuery	net472	2.05μs	1.92ns	7.42ns	0.156	0.00102	0	987 B

Benchmarks.Trace.ElasticsearchBenchmark - Same speed ✔️ Same allocations ✔️

Raw results

Branch	Method	Toolchain	Mean	StdError	StdDev	Gen 0	Gen 1	Gen 2	Allocated
master	CallElasticsearch	net6.0	1.23μs	0.42ns	1.52ns	0.0136	0	0	976 B
master	CallElasticsearch	netcoreapp3.1	1.67μs	4.67ns	18.1ns	0.0132	0	0	976 B
master	CallElasticsearch	net472	2.51μs	1.55ns	6ns	0.157	0	0	995 B
master	CallElasticsearchAsync	net6.0	1.35μs	0.841ns	3.26ns	0.0135	0	0	952 B
master	CallElasticsearchAsync	netcoreapp3.1	1.56μs	0.797ns	2.98ns	0.0134	0	0	1.02 KB
master	CallElasticsearchAsync	net472	2.76μs	2.19ns	8.48ns	0.166	0	0	1.05 KB
#6431	CallElasticsearch	net6.0	1.22μs	0.555ns	2ns	0.0134	0	0	976 B
#6431	CallElasticsearch	netcoreapp3.1	1.59μs	0.419ns	1.45ns	0.0136	0	0	976 B
#6431	CallElasticsearch	net472	2.51μs	1.6ns	6.18ns	0.158	0	0	995 B
#6431	CallElasticsearchAsync	net6.0	1.31μs	0.222ns	0.831ns	0.0131	0	0	952 B
#6431	CallElasticsearchAsync	netcoreapp3.1	1.65μs	1.32ns	4.94ns	0.0139	0	0	1.02 KB
#6431	CallElasticsearchAsync	net472	2.6μs	1.31ns	5.09ns	0.166	0	0	1.05 KB

Benchmarks.Trace.GraphQLBenchmark - Same speed ✔️ Same allocations ✔️

Raw results

Branch	Method	Toolchain	Mean	StdError	StdDev	Gen 0	Gen 1	Gen 2	Allocated
master	ExecuteAsync	net6.0	1.31μs	0.885ns	3.43ns	0.0131	0	0	952 B
master	ExecuteAsync	netcoreapp3.1	1.63μs	0.929ns	3.6ns	0.0125	0	0	952 B
master	ExecuteAsync	net472	1.84μs	0.395ns	1.53ns	0.145	0	0	915 B
#6431	ExecuteAsync	net6.0	1.26μs	1.42ns	5.48ns	0.0134	0	0	952 B
#6431	ExecuteAsync	netcoreapp3.1	1.59μs	0.436ns	1.63ns	0.0127	0	0	952 B
#6431	ExecuteAsync	net472	1.79μs	0.36ns	1.39ns	0.145	0	0	915 B

Benchmarks.Trace.HttpClientBenchmark - Same speed ✔️ Same allocations ✔️

Raw results

Branch	Method	Toolchain	Mean	StdError	StdDev	Gen 0	Gen 1	Gen 2	Allocated
master	SendAsync	net6.0	4.35μs	1.84ns	6.9ns	0.0328	0	0	2.31 KB
master	SendAsync	netcoreapp3.1	5.21μs	2.47ns	9.24ns	0.0367	0	0	2.85 KB
master	SendAsync	net472	7.44μs	1.71ns	6.61ns	0.495	0	0	3.12 KB
#6431	SendAsync	net6.0	4.45μs	1.26ns	4.7ns	0.0312	0	0	2.31 KB
#6431	SendAsync	netcoreapp3.1	5.17μs	5.1ns	19.7ns	0.0387	0	0	2.85 KB
#6431	SendAsync	net472	7.41μs	2.06ns	7.69ns	0.494	0	0	3.12 KB

Benchmarks.Trace.ILoggerBenchmark - Faster 🎉 Same allocations ✔️

Faster 🎉 in #6431

Benchmark	base/diff	Base Median (ns)	Diff Median (ns)	Modality
Benchmarks.Trace.ILoggerBenchmark.EnrichedLog‑net6.0	1.123	1,600.21	1,425.33

Raw results

Branch	Method	Toolchain	Mean	StdError	StdDev	Gen 0	Gen 1	Gen 2	Allocated
master	EnrichedLog	net6.0	1.6μs	0.721ns	2.7ns	0.0231	0	0	1.64 KB
master	EnrichedLog	netcoreapp3.1	2.23μs	0.814ns	3.15ns	0.0222	0	0	1.64 KB
master	EnrichedLog	net472	2.49μs	0.735ns	2.65ns	0.249	0	0	1.57 KB
#6431	EnrichedLog	net6.0	1.43μs	0.571ns	2.14ns	0.023	0	0	1.64 KB
#6431	EnrichedLog	netcoreapp3.1	2.28μs	13ns	90.8ns	0.0223	0	0	1.64 KB
#6431	EnrichedLog	net472	2.5μs	0.7ns	2.62ns	0.249	0	0	1.57 KB

Benchmarks.Trace.Log4netBenchmark - Same speed ✔️ Same allocations ✔️

Raw results

Branch	Method	Toolchain	Mean	StdError	StdDev	Gen 0	Gen 1	Gen 2	Allocated
master	EnrichedLog	net6.0	116μs	94.6ns	366ns	0.0577	0	0	4.28 KB
master	EnrichedLog	netcoreapp3.1	120μs	159ns	615ns	0	0	0	4.28 KB
master	EnrichedLog	net472	151μs	105ns	406ns	0.677	0.226	0	4.46 KB
#6431	EnrichedLog	net6.0	117μs	117ns	452ns	0	0	0	4.28 KB
#6431	EnrichedLog	netcoreapp3.1	120μs	79.4ns	275ns	0.0596	0	0	4.28 KB
#6431	EnrichedLog	net472	150μs	173ns	599ns	0.673	0.224	0	4.46 KB

Benchmarks.Trace.NLogBenchmark - Same speed ✔️ Same allocations ✔️

Raw results

Branch	Method	Toolchain	Mean	StdError	StdDev	Gen 0	Gen 1	Gen 2	Allocated
master	EnrichedLog	net6.0	2.93μs	0.891ns	3.45ns	0.0305	0	0	2.2 KB
master	EnrichedLog	netcoreapp3.1	4.02μs	2.64ns	10.2ns	0.0302	0	0	2.2 KB
master	EnrichedLog	net472	5.04μs	0.962ns	3.73ns	0.319	0	0	2.02 KB
#6431	EnrichedLog	net6.0	3.18μs	2.71ns	10.5ns	0.0317	0	0	2.2 KB
#6431	EnrichedLog	netcoreapp3.1	4.19μs	1.21ns	4.68ns	0.0293	0	0	2.2 KB
#6431	EnrichedLog	net472	4.79μs	1.18ns	4.43ns	0.32	0	0	2.02 KB

Benchmarks.Trace.RedisBenchmark - Same speed ✔️ Same allocations ✔️

Raw results

Branch	Method	Toolchain	Mean	StdError	StdDev	Gen 0	Gen 1	Gen 2	Allocated
master	SendReceive	net6.0	1.38μs	0.971ns	3.76ns	0.0158	0	0	1.14 KB
master	SendReceive	netcoreapp3.1	1.76μs	0.679ns	2.63ns	0.015	0	0	1.14 KB
master	SendReceive	net472	2.14μs	0.847ns	3.28ns	0.183	0	0	1.16 KB
#6431	SendReceive	net6.0	1.29μs	1.11ns	4.31ns	0.0162	0	0	1.14 KB
#6431	SendReceive	netcoreapp3.1	1.77μs	3.45ns	13.4ns	0.015	0	0	1.14 KB
#6431	SendReceive	net472	2.13μs	0.804ns	3.11ns	0.183	0	0	1.16 KB

Benchmarks.Trace.SerilogBenchmark - Same speed ✔️ Same allocations ✔️

Raw results

Branch	Method	Toolchain	Mean	StdError	StdDev	Gen 0	Gen 1	Gen 2	Allocated
master	EnrichedLog	net6.0	2.78μs	0.874ns	3.38ns	0.0223	0	0	1.6 KB
master	EnrichedLog	netcoreapp3.1	3.99μs	1.01ns	3.89ns	0.0219	0	0	1.65 KB
master	EnrichedLog	net472	4.5μs	2.67ns	9.64ns	0.322	0	0	2.04 KB
#6431	EnrichedLog	net6.0	2.77μs	0.933ns	3.49ns	0.0224	0	0	1.6 KB
#6431	EnrichedLog	netcoreapp3.1	3.76μs	1.5ns	5.8ns	0.0225	0	0	1.65 KB
#6431	EnrichedLog	net472	4.41μs	2.9ns	11.2ns	0.323	0	0	2.04 KB

Benchmarks.Trace.SpanBenchmark - Slower ⚠️ Same allocations ✔️

Slower ⚠️ in #6431

Benchmark	diff/base	Base Median (ns)	Diff Median (ns)	Modality
Benchmarks.Trace.SpanBenchmark.StartFinishScope‑net472	1.183	773.60	915.34
Benchmarks.Trace.SpanBenchmark.StartFinishSpan‑netcoreapp3.1	1.137	557.75	633.95
Benchmarks.Trace.SpanBenchmark.StartFinishScope‑netcoreapp3.1	1.115	691.03	770.40

Faster 🎉 in #6431

Benchmark	base/diff	Base Median (ns)	Diff Median (ns)	Modality
Benchmarks.Trace.SpanBenchmark.StartFinishScope‑net6.0	1.238	599.00	483.68

Raw results

Branch	Method	Toolchain	Mean	StdError	StdDev	Gen 0	Gen 1	Gen 2	Allocated
master	StartFinishSpan	net6.0	416ns	0.6ns	2.32ns	0.0081	0	0	576 B
master	StartFinishSpan	netcoreapp3.1	557ns	1ns	3.87ns	0.00775	0	0	576 B
master	StartFinishSpan	net472	590ns	1.24ns	4.8ns	0.0917	0	0	578 B
master	StartFinishScope	net6.0	599ns	0.827ns	3.2ns	0.00976	0	0	696 B
master	StartFinishScope	netcoreapp3.1	689ns	1.23ns	4.77ns	0.00947	0	0	696 B
master	StartFinishScope	net472	770ns	1.78ns	6.65ns	0.104	0	0	658 B
#6431	StartFinishSpan	net6.0	393ns	0.575ns	2.07ns	0.00812	0	0	576 B
#6431	StartFinishSpan	netcoreapp3.1	635ns	1.7ns	6.58ns	0.0076	0	0	576 B
#6431	StartFinishSpan	net472	566ns	0.383ns	1.48ns	0.0917	0	0	578 B
#6431	StartFinishScope	net6.0	483ns	0.815ns	3.16ns	0.00969	0	0	696 B
#6431	StartFinishScope	netcoreapp3.1	770ns	1.11ns	4.28ns	0.00922	0	0	696 B
#6431	StartFinishScope	net472	914ns	1.23ns	4.77ns	0.104	0	0	658 B

Benchmarks.Trace.TraceAnnotationsBenchmark - Same speed ✔️ Same allocations ✔️

Raw results

Branch	Method	Toolchain	Mean	StdError	StdDev	Gen 0	Gen 1	Gen 2	Allocated
master	RunOnMethodBegin	net6.0	693ns	1.47ns	5.69ns	0.00966	0	0	696 B
master	RunOnMethodBegin	netcoreapp3.1	939ns	1.31ns	5.07ns	0.00937	0	0	696 B
master	RunOnMethodBegin	net472	1.05μs	1.78ns	6.91ns	0.104	0	0	658 B
#6431	RunOnMethodBegin	net6.0	681ns	0.939ns	3.64ns	0.0098	0	0	696 B
#6431	RunOnMethodBegin	netcoreapp3.1	939ns	1.27ns	4.92ns	0.00931	0	0	696 B
#6431	RunOnMethodBegin	net472	1.09μs	1.15ns	4.47ns	0.104	0	0	658 B

[NachoEchevarria]

NIT: Guess that this is not needed.

[andrewlock]

I'm still not entirely sure how "safe" this really is 😅 but until we see crashes related to it I guess we'll carry on! 😄

[anna-git]

should be safe enough until we refactor this 😅

[andrewlock]

How is this different to the ReportAndBlock() bellow, and how do you know which one to choose? 😅

[anna-git]

yes I must say it's a bit confusing, ReportAndBlock is used by rasp, as the blocking middleware is not always here to catch the exception, so to make sure it's reported before blocking it.
But I think the preferred method should always be BlockAndReport as we're reporting the actual http status code and other stuff, we want to make sure we report what currently is and not what will be theoretically after blocking...

[andrewlock]

userAddresses is already a Dictionary<>, right, and isn't shared anywhere afaict? Can we avoid creating another dictionary here, and just use the one provided instead?

[anna-git]

fixed in fa8501f thanks!

[andrewlock]

Nice 👍 but can addresses still be null? If so you'll still need a similar pattern, right?

[anna-git]

addresses shouldn't be null as per

dd-trace-dotnet/tracer/src/Datadog.Trace/AppSec/Waf/NativeBindings/WafLibraryInvoker.cs

Line 245 in 3e1be05

internal string[] GetKnownAddresses(IntPtr wafHandle)

[andrewlock]

Is it worth creating "null" versions of the UserRecord? Are the types mutable? If not, that could save a bunch of allocations - currently we're allocating four objects every time, and then potentially replacing them later?

[anna-git]

they're mutable, but changed in 55b9f6e, they're not initialized until we actually need them,
thanks!

[andrewlock]

Derived integration are much more expensive in general - IIRC, we have to analyze the class hierarchy for every loaded type to see if it derives from the type we're interested in. What I don't know is if the incremental perf hit is significant, or if it's just "as soon as we have a derived instrumentation we pay the cost".

I wonder if it would be sufficient to just instrument the "known" public HttpContext implementations e.g. DefaultHttpContext - realistically no-one outside of Microsoft is implementing their own HttpContext is going to be implementing their own HttpContext, so will probably be good enough? 🤔

[anna-git]

yes good point thanks, changed in bf30476 and f29295d

[NachoEchevarria]

Thanks!

[andrewlock]

LGTM, a few questions but mostly minor, nice work 👍

[andrewlock]

This comment is interesting 🤔 I thought we instrumented the builder to ensure we always add the blocking middleware between each other middleware?

[anna-git]

For now it's only added at the beginning and at the end of the chain as it works for most cases , I was a bit nervous adding it every other middleware 😅

[andrewlock]

nit: I think we can combine these to reduce the nesting? e.g.

if (state.State is ClaimsAndHttpContext stateTuple
    && Security.Instance is { IsTrackUserEventsEnabled: true } security
    && state.Scope is { } scope)

[anna-git]

thanks, changed in f808aa8

[andrewlock]

Out of interest, are there scenarios where this could be called and HttpContext is null? 🤔

[anna-git]

it shouldn't.. as this is instrumenting httpcontext stuff but as I placed in the state... in case it got lost on the way 😅

[andrewlock]

Not applicable to this PR, just I saw that they are considering making "changes" to the ClaimsPrinicipal type in .NET 10 to make it more performant. Just something to keep an eye on in the future 🙂

[anna-git]

good to know thanks!

[andrewlock]

I can't quite tell with all the brackets, but it looks like this is outside the IsTrackUserEventsEnabled = true check? Is that correct? 🤔 In fact, do we need to check that appsec is enabled as well, or is that encapsulated in the check?

[anna-git]

everything is inside

if (!returnValue.Succeeded
         && Security.Instance is { IsTrackUserEventsEnabled: true } security
         && state is { Scope.Span: { } span }){}

but it's indeed hard to read like this 😅
yes it encapsulates appsecenabled
internal bool IsTrackUserEventsEnabled => AppsecEnabled && CalculateIsTrackUserEventsEnabled(_configurationState.AutoUserInstrumMode, Settings.UserEventsAutoInstrumentationMode);
it's always a bit confusing all these booleans.. not sure if it's so good to make them contain each other but..

[andrewlock]

Same as above, we should probably move this to be constraint-based ducktyping (it's more performant)

[anna-git]

unfortunately iirc I tried and asked on the channel and it doesnt work with generics 🤔 and this stands for the SignInManger as in the docs:

Methods in a Generic type will not expose the Generic type instance (the instance will be casted as a nongeneric base type or object type).

[andrewlock]

Is this a "real" problem we need to solve 🤔

[anna-git]

I dont think it s a real problem as in "development" they will want to see the developer page so it doesn't matter if the Response is not rewrittten.. But for integration tests, we want the verify files to be as in production

[andrewlock]

Do we want/need to commit this db file?

[anna-git]

we use sql lite with app.db from net7+ and on windows.. the rest is in memory store, I wanted to use an app.db for every platform but it was quite complex with entity framework changing a lot and the sql lite provider not working on other than windows. I didnt give in to only use in memory stores as I thought many users would have the typical aspnet core identity with entity framework..

[andrewlock]

:oops: 😅

[datadog-ddstaging]

Datadog Report

Branch report: anna/asm/userid-monitoring
Commit report: f808aa8
Test service: dd-trace-dotnet

✅ 0 Failed, 560417 Passed, 4808 Skipped, 48h 11m 22.42s Total Time
❄️ 3 New Flaky

New Flaky Tests (3)

• TestIastLdapRequest - Datadog.Trace.Security.IntegrationTests.Iast.AspNetCore5IastTestsFullSamplingIastDisabled - Last Failure

  Expand for error

   
   ---------------- System.Net.Sockets.SocketException : The I/O operation has been aborted because of either a thread exit or an application request.ad exit or an application request..
  

• TestIastLdapRequest - Datadog.Trace.Security.IntegrationTests.Iast.AspNetCore5IastTestsFullSamplingIastEnabled - Last Failure

  Expand for error

   
   ---------------- System.Net.Sockets.SocketException : The I/O operation has been aborted because of either a thread exit or an application request.ad exit or an application request..
  

• TestIastLdapRequest - Datadog.Trace.Security.IntegrationTests.Iast.AspNetCore5IastTestsFullSamplingRedactionEnabled - Last Failure

  Expand for error

   
   ---------------- System.Net.Sockets.SocketException : The I/O operation has been aborted because of either a thread exit or an application request.ad exit or an application request..