More fixes again

Author: manuel-alvarez-alvarez

dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java

@@ -288,13 +288,17 @@ private Flow<Void> onLoginEvent(
       } else {
         segment.setTagTop("appsec.events." + eventName + ".usr.id", user, true);
       }
+      segment.setTagTop("_dd.appsec.user.collection_mode", mode.fullName());
     }
 
     // update user span tags
     segment.setTagTop("appsec.events." + eventName + ".usr.login", user, true);
 
     // update current context with new user login
     ctx.setUserLoginSource(mode);
+    if (mode == SDK) {
+      ctx.setUserIdSource(mode); // we are setting the usr.id through the SDK
+    }
     final boolean newUserLogin = !user.equals(ctx.getUserLogin());
     if (!newUserLogin) {
       return NoopFlow.INSTANCE;
@@ -303,20 +307,20 @@ private Flow<Void> onLoginEvent(
 
     // call waf if we have a new user login
     final List<Address<?>> addresses = new ArrayList<>(3);
+    final MapDataBundle.Builder bundleBuilder = new MapDataBundle.Builder(CAPACITY_3_4);
     addresses.add(KnownAddresses.USER_LOGIN);
-    addresses.add(KnownAddresses.USER_ID);
+    bundleBuilder.add(KnownAddresses.USER_LOGIN, user);
+    if (mode == SDK) {
+      addresses.add(KnownAddresses.USER_ID);
+      bundleBuilder.add(KnownAddresses.USER_ID, user);
+    }
+    // we don't support null values for the address so we use an invalid placeholder here
     if (sourceEvent == LoginEvent.LOGIN_SUCCESS) {
       addresses.add(KnownAddresses.LOGIN_SUCCESS);
+      bundleBuilder.add(KnownAddresses.LOGIN_SUCCESS, "invalid");
     } else if (sourceEvent == LoginEvent.LOGIN_FAILURE) {
       addresses.add(KnownAddresses.LOGIN_FAILURE);
-    }
-    final MapDataBundle.Builder bundleBuilder =
-        new MapDataBundle.Builder(addresses.size() == 2 ? CAPACITY_0_2 : CAPACITY_3_4);
-    bundleBuilder.add(KnownAddresses.USER_ID, user);
-    bundleBuilder.add(KnownAddresses.USER_LOGIN, user);
-    if (addresses.size() == 3) {
-      // we don't support null values for the address so we use an invalid placeholder here
-      bundleBuilder.add(addresses.get(2), "invalid");
+      bundleBuilder.add(KnownAddresses.LOGIN_FAILURE, "invalid");
     }
     final DataBundle bundle = bundleBuilder.build();
     final String subInfoKey =
@@ -348,8 +352,6 @@ private Flow<Void> onRequestSession(final RequestContext ctx_, final String sess
     }
     // unlikely that multiple threads will update the value at the same time
     ctx.setSessionId(sessionId);
-    final TraceSegment segment = ctx_.getTraceSegment();
-    segment.setTagTop("usr.session_id", sessionId);
     while (true) {
       DataSubscriberInfo subInfo = sessionIdSubInfo;
       if (subInfo == null) {

dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/gateway/GatewayBridgeSpecification.groovy

@@ -1044,7 +1044,6 @@ class GatewayBridgeSpecification extends DDSpecification {
     requestSessionCB.apply(ctx, sessionId)
 
     then:
-    1 * traceSegment.setTagTop('usr.session_id', sessionId)
     1 * eventDispatcher.publishDataEvent(nonEmptyDsInfo, ctx.data, _ as DataBundle, _ as GatewayContext) >>
     { a, b, db, gw -> bundle = db; gatewayContext = gw; NoopFlow.INSTANCE }
     bundle.get(KnownAddresses.SESSION_ID) == sessionId
@@ -1111,7 +1110,9 @@ class GatewayBridgeSpecification extends DDSpecification {
       1 * traceSegment.setTagTop('asm.keep', true)
       1 * traceSegment.setTagTop('_dd.p.appsec', true)
       1 * eventDispatcher.publishDataEvent(nonEmptyDsInfo, ctx.data, _ as DataBundle, _ as GatewayContext) >> { a, b, DataBundle db, GatewayContext gw ->
-        assert db.get(KnownAddresses.USER_ID) == expectedUser
+        if (mode == SDK) {
+          assert db.get(KnownAddresses.USER_ID) == expectedUser
+        }
         assert db.get(KnownAddresses.USER_LOGIN) == expectedUser
         assert !gw.isTransient
         return NoopFlow.INSTANCE
@@ -1148,7 +1149,9 @@ class GatewayBridgeSpecification extends DDSpecification {
       1 * traceSegment.setTagTop('asm.keep', true)
       1 * traceSegment.setTagTop('_dd.p.appsec', true)
       1 * eventDispatcher.publishDataEvent(nonEmptyDsInfo, ctx.data, _ as DataBundle, _ as GatewayContext) >> { a, b, DataBundle db, GatewayContext gw ->
-        assert db.get(KnownAddresses.USER_ID) == expectedUser
+        if (mode == SDK) {
+          assert db.get(KnownAddresses.USER_ID) == expectedUser
+        }
         assert db.get(KnownAddresses.USER_LOGIN) == expectedUser
         assert db.get(KnownAddresses.LOGIN_SUCCESS) != null
         assert !gw.isTransient
@@ -1187,7 +1190,9 @@ class GatewayBridgeSpecification extends DDSpecification {
       1 * traceSegment.setTagTop('asm.keep', true)
       1 * traceSegment.setTagTop('_dd.p.appsec', true)
       1 * eventDispatcher.publishDataEvent(nonEmptyDsInfo, ctx.data, _ as DataBundle, _ as GatewayContext) >> { a, b, DataBundle db, GatewayContext gw ->
-        assert db.get(KnownAddresses.USER_ID) == expectedUser
+        if (mode == SDK) {
+          assert db.get(KnownAddresses.USER_ID) == expectedUser
+        }
         assert db.get(KnownAddresses.USER_LOGIN) == expectedUser
         assert db.get(KnownAddresses.LOGIN_FAILURE) != null
         assert !gw.isTransient
@@ -1254,6 +1259,7 @@ class GatewayBridgeSpecification extends DDSpecification {
     1 * traceSegment.setTagTop('appsec.events.users.login.success.usr.login', firstUser, true)
     1 * traceSegment.setTagTop('usr.id', firstUser, false)
     1 * traceSegment.setTagTop('_dd.appsec.events.users.login.success.sdk', true, true)
+    1 * traceSegment.setTagTop('_dd.appsec.user.collection_mode', 'sdk')
 
     0 * traceSegment.setTagTop('_dd.appsec.usr.login', _)
     0 * traceSegment.setTagTop('_dd.appsec.events.users.login.success.auto.mode', _, _)
@@ -1267,6 +1273,7 @@ class GatewayBridgeSpecification extends DDSpecification {
     0 * traceSegment.setTagTop('appsec.events.users.login.success.usr.login', _, _)
     0 * traceSegment.setTagTop('usr.id', _, _)
     0 * traceSegment.setTagTop('_dd.appsec.events.users.login.success.sdk', _, _)
+    0 * traceSegment.setTagTop('_dd.appsec.user.collection_mode', _)
 
     1 * traceSegment.setTagTop('_dd.appsec.usr.login', secondUser)
     1 * traceSegment.setTagTop('_dd.appsec.events.users.login.success.auto.mode', IDENTIFICATION.fullName(), true)

dd-java-agent/instrumentation/spring-security-5/src/test/groovy/datadog/trace/instrumentation/springsecurity5/SpringBootBasedTest.groovy

@@ -152,9 +152,7 @@ class SpringBootBasedTest extends AppSecHttpServerTest<ConfigurableApplicationCo
     response.body().string() == REGISTER.body
     !span.getTags().isEmpty()
     span.getTag('appsec.events.users.signup.usr.login') == 'admin'
-    span.getTag('appsec.events.users.signup.usr.id') == 'admin'
     span.getTag('_dd.appsec.usr.login') == 'admin'
-    span.getTag('_dd.appsec.usr.id') == 'admin'
     span.getTag('_dd.appsec.events.users.signup.auto.mode') == 'identification'
     span.getTag('appsec.events.users.signup.track') == true
     span.getTag('appsec.events.users.signup')['enabled'] == 'true'
@@ -181,9 +179,7 @@ class SpringBootBasedTest extends AppSecHttpServerTest<ConfigurableApplicationCo
     response.body().string() == LOGIN.body
     !span.getTags().isEmpty()
     span.getTag('appsec.events.users.login.failure.usr.login') == 'not_existing_user'
-    span.getTag('appsec.events.users.login.failure.usr.id') == 'not_existing_user'
     span.getTag('_dd.appsec.usr.login') == 'not_existing_user'
-    span.getTag('_dd.appsec.usr.id') == 'not_existing_user'
     span.getTag('_dd.appsec.events.users.login.failure.auto.mode') == 'identification'
     span.getTag('appsec.events.users.login.failure.track') == true
     span.getTag('appsec.events.users.login.failure.usr.exists') == false
@@ -208,9 +204,7 @@ class SpringBootBasedTest extends AppSecHttpServerTest<ConfigurableApplicationCo
     response.body().string() == LOGIN.body
     !span.getTags().isEmpty()
     span.getTag('appsec.events.users.login.failure.usr.login') == 'admin'
-    span.getTag('appsec.events.users.login.failure.usr.id') == 'admin'
     span.getTag('_dd.appsec.usr.login') == 'admin'
-    span.getTag('_dd.appsec.usr.id') == 'admin'
     span.getTag('_dd.appsec.events.users.login.failure.auto.mode') == 'identification'
     span.getTag('appsec.events.users.login.failure.track') == true
     // TODO: Ideally should be `false` but we have no reliable method to detect it it is just absent. See APPSEC-12765.
@@ -237,9 +231,7 @@ class SpringBootBasedTest extends AppSecHttpServerTest<ConfigurableApplicationCo
     response.body().string() == LOGIN.body
     !span.getTags().isEmpty()
     span.getTag('appsec.events.users.login.success.usr.login') == 'admin'
-    span.getTag('appsec.events.users.login.success.usr.id') == 'admin'
     span.getTag('_dd.appsec.usr.login') == 'admin'
-    span.getTag('_dd.appsec.usr.id') == 'admin'
     span.getTag('_dd.appsec.events.users.login.success.auto.mode') == 'identification'
     span.getTag('appsec.events.users.login.success.track') == true
     span.getTag('appsec.events.users.login.success')['credentialsNonExpired'] == 'true'

dd-java-agent/instrumentation/spring-security-6/src/test/groovy/datadog/trace/instrumentation/springsecurity6/SpringBootBasedTest.groovy

@@ -128,9 +128,7 @@ class SpringBootBasedTest extends AppSecHttpServerTest<ConfigurableApplicationCo
     response.body().string() == REGISTER.body
     !span.getTags().isEmpty()
     span.getTag('appsec.events.users.signup.usr.login') == 'admin'
-    span.getTag('appsec.events.users.signup.usr.id') == 'admin'
     span.getTag('_dd.appsec.usr.login') == 'admin'
-    span.getTag('_dd.appsec.usr.id') == 'admin'
     span.getTag('_dd.appsec.events.users.signup.auto.mode') == 'identification'
     span.getTag('appsec.events.users.signup.track') == true
     span.getTag('appsec.events.users.signup')['enabled'] == 'true'
@@ -157,9 +155,7 @@ class SpringBootBasedTest extends AppSecHttpServerTest<ConfigurableApplicationCo
     response.body().string() == LOGIN.body
     !span.getTags().isEmpty()
     span.getTag('appsec.events.users.login.failure.usr.login') == 'not_existing_user'
-    span.getTag('appsec.events.users.login.failure.usr.id') == 'not_existing_user'
     span.getTag('_dd.appsec.usr.login') == 'not_existing_user'
-    span.getTag('_dd.appsec.usr.id') == 'not_existing_user'
     span.getTag('_dd.appsec.events.users.login.failure.auto.mode') == 'identification'
     span.getTag('appsec.events.users.login.failure.track') == true
     span.getTag('appsec.events.users.login.failure.usr.exists') == false
@@ -184,9 +180,7 @@ class SpringBootBasedTest extends AppSecHttpServerTest<ConfigurableApplicationCo
     response.body().string() == LOGIN.body
     !span.getTags().isEmpty()
     span.getTag('appsec.events.users.login.failure.usr.login') == 'admin'
-    span.getTag('appsec.events.users.login.failure.usr.id') == 'admin'
     span.getTag('_dd.appsec.usr.login') == 'admin'
-    span.getTag('_dd.appsec.usr.id') == 'admin'
     span.getTag('_dd.appsec.events.users.login.failure.auto.mode') == 'identification'
     span.getTag('appsec.events.users.login.failure.track') == true
     // TODO: Ideally should be `false` but we have no reliable method to detect it it is just absent. See APPSEC-12765.
@@ -213,9 +207,7 @@ class SpringBootBasedTest extends AppSecHttpServerTest<ConfigurableApplicationCo
     response.body().string() == LOGIN.body
     !span.getTags().isEmpty()
     span.getTag('appsec.events.users.login.success.usr.login') == 'admin'
-    span.getTag('appsec.events.users.login.success.usr.id') == 'admin'
     span.getTag('_dd.appsec.usr.login') == 'admin'
-    span.getTag('_dd.appsec.usr.id') == 'admin'
     span.getTag('_dd.appsec.events.users.login.success.auto.mode') == 'identification'
     span.getTag('appsec.events.users.login.success.track') == true
     span.getTag('appsec.events.users.login.success')['credentialsNonExpired'] == 'true'