Merge branch '2.x' into christophe-papazian/APPSEC-11098-rcm-collect-…

…and-report-multiple-service-names

.github/workflows/system-tests.yml

@@ -27,6 +27,7 @@ jobs:
   system-tests:
     runs-on: ubuntu-latest
     needs: needs-run
+    if: needs.needs-run.outputs.outcome == 'success' || github.event_name == 'schedule'
     strategy:
       matrix:
         include:
@@ -46,146 +47,117 @@ jobs:
       CMAKE_BUILD_PARALLEL_LEVEL: 12
     steps:
       - name: Setup python 3.9
-        if: needs.needs-run.outputs.outcome == 'success'
         uses: actions/setup-python@v4
         with:
           python-version: '3.9'
 
       - name: Checkout system tests
-        if: needs.needs-run.outputs.outcome == 'success'
         uses: actions/checkout@v3
         with:
           repository: 'DataDog/system-tests'
 
       - name: Checkout dd-trace-py
-        if: needs.needs-run.outputs.outcome == 'success'
         uses: actions/checkout@v3
         with:
           path: 'binaries/dd-trace-py'
           fetch-depth: 0
 
       - name: Build
-        if: needs.needs-run.outputs.outcome == 'success'
         run: ./build.sh
 
       - name: Run
-        if: needs.needs-run.outputs.outcome == 'success'
         run: ./run.sh
 
       - name: Run REMOTE_CONFIG_MOCKED_BACKEND_ASM_FEATURES
-        if: needs.needs-run.outputs.outcome == 'success'
         run: ./run.sh REMOTE_CONFIG_MOCKED_BACKEND_ASM_FEATURES
 
       - name: Run REMOTE_CONFIG_MOCKED_BACKEND_LIVE_DEBUGGING
-        if: needs.needs-run.outputs.outcome == 'success'
         run: ./run.sh REMOTE_CONFIG_MOCKED_BACKEND_LIVE_DEBUGGING
 
       - name: Run REMOTE_CONFIG_MOCKED_BACKEND_ASM_DD
-        if: needs.needs-run.outputs.outcome == 'success'
         run: ./run.sh REMOTE_CONFIG_MOCKED_BACKEND_ASM_DD
 
       - name: Run APPSEC_MISSING_RULES
-        if: needs.needs-run.outputs.outcome == 'success'
         run: ./run.sh APPSEC_MISSING_RULES
 
       - name: Run APPSEC_CUSTOM_RULES
-        if: needs.needs-run.outputs.outcome == 'success'
         run: ./run.sh APPSEC_CUSTOM_RULES
 
       - name: Run APPSEC_CORRUPTED_RULES
-        if: needs.needs-run.outputs.outcome == 'success'
         run: ./run.sh APPSEC_CORRUPTED_RULES
 
       - name: Run APPSEC_RULES_MONITORING_WITH_ERRORS
-        if: needs.needs-run.outputs.outcome == 'success'
         run: ./run.sh APPSEC_RULES_MONITORING_WITH_ERRORS
 
       - name: Run APPSEC_BLOCKING
-        if: needs.needs-run.outputs.outcome == 'success'
         run: ./run.sh APPSEC_BLOCKING
 
       - name: Run APPSEC_DISABLED
-        if: needs.needs-run.outputs.outcome == 'success'
         run: ./run.sh APPSEC_DISABLED
 
       - name: Run APPSEC_LOW_WAF_TIMEOUT
-        if: needs.needs-run.outputs.outcome == 'success'
         run: ./run.sh APPSEC_LOW_WAF_TIMEOUT
 
       - name: Run APPSEC_CUSTOM_OBFUSCATION
-        if: needs.needs-run.outputs.outcome == 'success'
         run: ./run.sh APPSEC_CUSTOM_OBFUSCATION
 
       - name: Run APPSEC_RATE_LIMITER
-        if: needs.needs-run.outputs.outcome == 'success'
         run: ./run.sh APPSEC_RATE_LIMITER
 
       - name: Run APPSEC_BLOCKING_FULL_DENYLIST
-        if: needs.needs-run.outputs.outcome == 'success'
         run: ./run.sh APPSEC_BLOCKING_FULL_DENYLIST
 
       - name: Run APPSEC_REQUEST_BLOCKING
-        if: needs.needs-run.outputs.outcome == 'success'
         run: ./run.sh APPSEC_REQUEST_BLOCKING
 
       - name: Run APPSEC_RUNTIME_ACTIVATION
-        if: needs.needs-run.outputs.outcome == 'success'
         run: ./run.sh APPSEC_RUNTIME_ACTIVATION
 
       - name: Run APPSEC_WAF_TELEMETRY
-        if: needs.needs-run.outputs.outcome == 'success'
         run: ./run.sh APPSEC_WAF_TELEMETRY
 
       - name: Run SAMPLING
-        if: needs.needs-run.outputs.outcome == 'success'
         run: ./run.sh SAMPLING
 
       # even on failures, we want to have artifact to be able to investigate
       # The compress step speed up a lot the upload artifact process
       - name: Compress artifact
-        if: needs.needs-run.outputs.outcome == 'success'
         run: tar -czvf artifact.tar.gz $(ls | grep logs)
 
       - name: Upload artifact
         uses: actions/upload-artifact@v3
-        if: needs.needs-run.outputs.outcome == 'success'
         with:
           name: logs_${{ matrix.weblog-variant }}
           path: artifact.tar.gz
 
   parametric:
     runs-on: ubuntu-latest
     needs: needs-run
+    if: needs.needs-run.outputs.outcome == 'success' || github.event_name == 'schedule'
     env:
       TEST_LIBRARY: python
       PYTHON_DDTRACE_PACKAGE: git+https://github.com/Datadog/dd-trace-py.git@${{ github.sha }}
     steps:
       - name: Checkout system tests
-        if: needs.needs-run.outputs.outcome == 'success'
         uses: actions/checkout@v3
         with:
           repository: 'DataDog/system-tests'
 
       - uses: actions/setup-python@v4
-        if: needs.needs-run.outputs.outcome == 'success'
         with:
           python-version: '3.9'
 
       - name: Build
-        if: needs.needs-run.outputs.outcome == 'success'
         run: ./build.sh -i runner
 
       - name: Run
-        if: needs.needs-run.outputs.outcome == 'success'
         run: ./run.sh PARAMETRIC
 
       - name: Compress artifact
-        if: needs.needs-run.outputs.outcome == 'success'
         run: tar -czvf artifact.tar.gz $(ls | grep logs)
 
       - name: Upload artifact
         uses: actions/upload-artifact@v3
-        if: needs.needs-run.outputs.outcome == 'success'
         with:
           name: logs_parametric
           path: artifact.tar.gz

ddtrace/appsec/_iast/_taint_tracking/CMakeLists.txt

@@ -22,11 +22,16 @@ else()
 endif(BUILD_MACOS)
 unset(BUILD_MACOS CACHE)
 
-FetchContent_Declare(
-        absl
-        URL "https://github.com/abseil/abseil-cpp/archive/refs/tags/20211102.0.zip"
-)
-FetchContent_MakeAvailable(absl)
+if(CMAKE_BUILD_TYPE STREQUAL "Release")
+    message("Release mode: using abseil")
+        FetchContent_Declare(
+                absl
+                URL "https://github.com/abseil/abseil-cpp/archive/refs/tags/20211102.0.zip"
+        )
+        FetchContent_MakeAvailable(absl)
+else()
+    message("Debug mode: not using abseil")
+endif()
 
 include_directories(".")
 
@@ -60,5 +65,6 @@ set_target_properties(
         LIBRARY_OUTPUT_DIRECTORY "${CMAKE_CURRENT_LIST_DIR}"
 )
 
-target_link_libraries(${APP_NAME} PRIVATE absl::node_hash_map)
-
+if(CMAKE_BUILD_TYPE STREQUAL "Release")
+    target_link_libraries(${APP_NAME} PRIVATE absl::node_hash_map)
+endif()

ddtrace/appsec/_iast/_taint_tracking/TaintTracking/TaintRange.h

@@ -5,7 +5,6 @@
 
 #include <pybind11/stl.h>
 
-#include "absl/container/node_hash_map.h"
 #include "structmember.h"
 
 #include "Constants.h"
@@ -20,8 +19,19 @@ class TaintedObject;
 
 // Alias
 using TaintedObjectPtr = TaintedObject*;
+
+#ifdef NDEBUG // Decide wether to use abseil
+
+#include "absl/container/node_hash_map.h"
 using TaintRangeMapType = absl::node_hash_map<uintptr_t, TaintedObjectPtr>;
 
+#else
+
+#include <unordered_map>
+using TaintRangeMapType = std::map<uintptr_t, TaintedObjectPtr>;
+
+#endif // NDEBUG
+
 inline static uintptr_t
 get_unique_id(const PyObject* str)
 {

ddtrace/appsec/_utils.py

@@ -127,3 +127,82 @@ def _appsec_rc_features_is_enabled():
     if config._remote_config_enabled:
         return APPSEC_ENV not in os.environ
     return False
+
+
+class _UserInfoRetriever(object):
+    def __init__(self, user):
+        self.user = user
+
+        self.possible_user_id_fields = ["pk", "id", "uid", "userid", "user_id", "PK", "ID", "UID", "USERID"]
+        self.possible_login_fields = ["username", "user", "login", "USERNAME", "USER", "LOGIN"]
+        self.possible_email_fields = ["email", "mail", "address", "EMAIL", "MAIL", "ADDRESS"]
+        self.possible_name_fields = ["name", "fullname", "full_name", "NAME", "FULLNAME", "FULL_NAME"]
+
+    def find_in_user_model(self, possible_fields):
+        for field in possible_fields:
+            value = getattr(self.user, field, None)
+            if value:
+                return value
+
+        return None  # explicit to make clear it has a meaning
+
+    def get_userid(self):
+        user_login = getattr(self.user, config._user_model_login_field, None)
+        if user_login:
+            return user_login
+
+        return self.find_in_user_model(self.possible_user_id_fields)
+
+    def get_username(self):
+        username = getattr(self.user, config._user_model_name_field, None)
+        if username:
+            return username
+
+        if hasattr(self.user, "get_username"):
+            try:
+                return self.user.get_username()
+            except Exception:
+                log.debug("User model get_username member produced an exception: ", exc_info=True)
+
+        return self.find_in_user_model(self.possible_login_fields)
+
+    def get_user_email(self):
+        email = getattr(self.user, config._user_model_email_field, None)
+        if email:
+            return email
+
+        return self.find_in_user_model(self.possible_email_fields)
+
+    # JJJ cambiar
+    def get_name(self):
+        name = getattr(self.user, config._user_model_name_field, None)
+        if name:
+            return name
+
+        return self.find_in_user_model(self.possible_name_fields)
+
+    def get_user_info(self):
+        """
+        In safe mode, try to get the user id from the user object.
+        In extended mode, try to also get the username (which will be the returned user_id),
+        email and name.
+        """
+        user_extra_info = {}
+
+        if config._automatic_login_events_mode == "extended":
+            user_id = self.get_username()
+            if not user_id:
+                user_id = self.find_in_user_model(self.possible_user_id_fields)
+
+            user_extra_info = {
+                "login": user_id,
+                "email": self.get_user_email(),
+                "name": self.get_name(),
+            }
+        else:  # safe mode, default
+            user_id = self.get_userid()
+
+        if not user_id:
+            return None, {}
+
+        return user_id, user_extra_info