From 126cc4cc282fc2e450c159ad1aca1bd80b11877c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20=C3=81lvarez=20=C3=81lvarez?=
Date: Wed, 12 Feb 2025 11:55:09 +0100
Subject: [PATCH] Ensure usr.exists tag is not overridden by auto instrumentation
---
 .../datadog/appsec/gateway/GatewayBridge.java | 7 ++--
 .../gateway/GatewayBridgeSpecification.groovy | 35 +++++++++++++++++++
 2 files changed, 39 insertions(+), 3 deletions(-)
diff --git a/dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java b/dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java
index 9f1285649b5..b048b98a464 100644
--- a/dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java
+++ b/dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java
@@ -279,9 +279,6 @@ private Flow onLoginEvent(
 // update span tags
 segment.setTagTop("appsec.events." + eventName + ".track", true, true);
- if (exists != null) {
- segment.setTagTop("appsec.events." + eventName + ".usr.exists", exists, true);
- }
 if (metadata != null && !metadata.isEmpty()) {
 segment.setTagTop("appsec.events." + eventName, metadata, true);
 }
@@ -315,6 +312,10 @@ private Flow onLoginEvent(
 segment.setTagTop("_dd.appsec.user.collection_mode", mode.fullName());
 }
+ if (exists != null) {
+ segment.setTagTop("appsec.events." + eventName + ".usr.exists", exists, true);
+ }
+
 // update user span tags
 segment.setTagTop("appsec.events." + eventName + ".usr.login", user, true);
diff --git a/dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/gateway/GatewayBridgeSpecification.groovy b/dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/gateway/GatewayBridgeSpecification.groovy
index e7a414e7942..0aa8fcdd83c 100644
--- a/dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/gateway/GatewayBridgeSpecification.groovy
+++ b/dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/gateway/GatewayBridgeSpecification.groovy
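Review bot: The relocated `if (exists != null)` block in the second GatewayBridge.java hunk has no comment explaining why it has to sit this far down, so a later clean-up could move it back beside the `.track` write and silently restore the override the subject line describes. A one-line comment above it would do, for example `// set only past the SDK-precedence check above, so automated events cannot replace an SDK-provided usr.exists`. The metadata write `segment.setTagTop("appsec.events." + eventName, metadata, true)` stays in the early position in the first hunk; if automated events can ever carry metadata it would presumably still replace the SDK value, which is worth confirming. The check that separates the two positions is outside both hunks, as are the start and end of onLoginEvent, so this is inferred from the ordering and the accompanying spec.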
@@ -1285,6 +1285,41 @@ class GatewayBridgeSpecification extends DDSpecification {
 0 * eventDispatcher.publishDataEvent
 }
+ void "test onLoginFailure (automated login events should not overwrite SDK)"() {
+ setup:
+ final firstUser = 'user1'
+ final secondUser = 'user2'
+ eventDispatcher.getDataSubscribers(_) >> nonEmptyDsInfo
+
+ when:
+ loginEventCB.apply(ctx, SDK, 'users.login.failure', true, firstUser, null)
+
+ then:
+ 1 * traceSegment.setTagTop('appsec.events.users.login.failure.usr.login', firstUser, true)
+ 1 * traceSegment.setTagTop('_dd.appsec.events.users.login.failure.sdk', true, true)
+ 1 * traceSegment.setTagTop('_dd.appsec.user.collection_mode', 'sdk')
+ 1 * traceSegment.setTagTop('appsec.events.users.login.failure.usr.exists', true, true)
+
+ 0 * traceSegment.setTagTop('_dd.appsec.usr.login', _)
+ 0 * traceSegment.setTagTop('_dd.appsec.events.users.login.failure.auto.mode', _, _)
+
+ 1 * eventDispatcher.publishDataEvent(nonEmptyDsInfo, ctx.data, _ as DataBundle, _ as GatewayContext) >> NoopFlow.INSTANCE
+
+ when:
+ loginEventCB.apply(ctx, IDENTIFICATION, 'users.login.failure', false, secondUser, null)
+
+ then:
+ 0 * traceSegment.setTagTop('appsec.events.users.login.failure.usr.login', _, _)
+ 0 * traceSegment.setTagTop('_dd.appsec.events.users.login.failure.sdk', _, _)
+ 0 * traceSegment.setTagTop('_dd.appsec.user.collection_mode', _)
+ 0 * traceSegment.setTagTop('appsec.events.users.login.failure.usr.exists', _, _)
+
+ 1 * traceSegment.setTagTop('_dd.appsec.usr.login', secondUser)
+ 1 * traceSegment.setTagTop('_dd.appsec.events.users.login.failure.auto.mode', IDENTIFICATION.fullName(), true)
+
+ 0 * eventDispatcher.publishDataEvent
+ }
+
 void 'test configuration updates should reset cached subscriptions'() {
 when:
 requestSessionCB.apply(ctx, UUID.randomUUID().toString())
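Review bot: Both `loginEventCB.apply` calls in the new spec pass `null` as the last argument, so the case where an automated event arrives with metadata after an SDK event is never exercised, and the second `then:` block says nothing about the `appsec.events.users.login.failure` tag. Assuming that last argument is the metadata map and `traceSegment` is an ordinary Spock mock, calls that are not listed pass silently. Consider passing a small map in the second call and adding `0 * traceSegment.setTagTop('appsec.events.users.login.failure', _, _)` (or `1 *` if the overwrite is intended), so the precedence rule is pinned for every tag the login event writes. The `'sdk'` literal in the first block could presumably be `SDK.fullName()`, matching the `IDENTIFICATION.fullName()` used further down.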