[ASM] Standalone Billing (part 2: Propagation) (#5743)

e-n-0 · web-flow · commit 935deec6e659 · 2024-07-17T19:08:08.000+02:00
## Summary of changes Part 2 of the implementation of [Standalone ASM billing](https://docs.google.com/document/d/12NBx-nD-IoQEMiCRnJXneq4Be7cbtSc6pJLOFUWTpNE/edit?pli=1#heading=h.hs091bhdmugz). Part 1 was #5565 This PR adds the propagated span tag `_dd.p.appsec: 1` allowing to propagate to downstream services the information that the current distributed trace is containing at least one ASM security event. ## Test coverage This fully pass the system tests for ASM Standalone.
diff --git a/tracer/src/Datadog.Trace/AppSec/Security.cs b/tracer/src/Datadog.Trace/AppSec/Security.cs
@@ -482,6 +482,7 @@ internal void SetTraceSamplingPriority(Span span)
             else if (_rateLimiter?.Allowed(span) ?? false)
             {
                 span.Context.TraceContext?.SetSamplingPriority(SamplingPriorityValues.UserKeep, SamplingMechanism.Asm);
+                span.Context.TraceContext?.Tags.SetTag(Tags.Propagated.AppSec, "1");
             }
         }
 
diff --git a/tracer/src/Datadog.Trace/Iast/IastModule.cs b/tracer/src/Datadog.Trace/Iast/IastModule.cs
@@ -562,6 +562,7 @@ private static IastModuleResponse AddWebVulnerability(string? evidenceValue, Int
         {
             traceContext.IastRequestContext?.AddVulnerability(vulnerability);
             traceContext.SetSamplingPriority(SamplingPriorityValues.UserKeep, SamplingMechanism.Asm);
+            traceContext.Tags.SetTag(Tags.Propagated.AppSec, "1");
 
             return IastModuleResponse.Vulnerable;
         }
@@ -636,6 +637,8 @@ private static IastModuleResponse GetScope(string evidenceValue, IntegrationId i
             if (isRequest)
             {
                 traceContext?.SetSamplingPriority(SamplingPriorityValues.UserKeep, SamplingMechanism.Asm);
+                traceContext?.Tags.SetTag(Tags.Propagated.AppSec, "1");
+
                 traceContext?.IastRequestContext?.AddVulnerability(vulnerability);
                 return IastModuleResponse.Vulnerable;
             }
@@ -691,6 +694,7 @@ private static IastModuleResponse AddVulnerabilityAsSingleSpan(Tracer tracer, In
         scope.Span.Type = SpanTypes.IastVulnerability;
         tracer.TracerManager.Telemetry.IntegrationGeneratedSpan(integrationId);
         scope.Span.Context.TraceContext?.SetSamplingPriority(SamplingPriorityValues.UserKeep, SamplingMechanism.Asm);
+        scope.Span.Context.TraceContext?.Tags.SetTag(Tags.Propagated.AppSec, "1");
         return new IastModuleResponse(scope);
     }
 
diff --git a/tracer/src/Datadog.Trace/Propagators/DatadogContextPropagator.cs b/tracer/src/Datadog.Trace/Propagators/DatadogContextPropagator.cs
@@ -43,7 +43,6 @@ public void Inject<TCarrier, TCarrierSetter>(SpanContext context, TCarrier carri
             }
 
             var propagatedTagsHeader = context.PrepareTagsHeaderForPropagation();
-
             if (!string.IsNullOrEmpty(propagatedTagsHeader))
             {
                 carrierSetter.Set(carrier, HttpHeaderNames.PropagatedTags, propagatedTagsHeader!);
diff --git a/tracer/src/Datadog.Trace/Propagators/SpanContextPropagator.cs b/tracer/src/Datadog.Trace/Propagators/SpanContextPropagator.cs
@@ -115,6 +115,12 @@ internal void Inject<TCarrier, TCarrierSetter>(SpanContext context, TCarrier car
             if (context == null!) { ThrowHelper.ThrowArgumentNullException(nameof(context)); }
             if (carrier == null) { ThrowHelper.ThrowArgumentNullException(nameof(carrier)); }
 
+            // If appsec standalone is enabled and appsec propagation is disabled (no ASM events) -> stop propagation
+            if (context.TraceContext?.Tracer.Settings?.AppsecStandaloneEnabledInternal == true && context.TraceContext.Tags.GetTag(Tags.Propagated.AppSec) != "1")
+            {
+                return;
+            }
+
             // trigger a sampling decision if it hasn't happened yet
             _ = context.GetOrMakeSamplingDecision();
 
diff --git a/tracer/src/Datadog.Trace/Tags.cs b/tracer/src/Datadog.Trace/Tags.cs
@@ -725,6 +725,12 @@ internal static class Propagated
             /// lower-case hexadecimal string with no zero-padding or `0x` prefix.
             /// </summary>
             internal const string TraceIdUpper = "_dd.p.tid";
+
+            /// <summary>
+            /// A boolean allowing the propagation to downstream services the information that the current distributed trace
+            /// is containing at least one ASM security event, no matter its type (threats, business logic events, IAST, etc.).
+            /// </summary>
+            internal const string AppSec = "_dd.p.appsec";
         }
     }
 }
diff --git a/tracer/src/Datadog.Trace/Tracer.cs b/tracer/src/Datadog.Trace/Tracer.cs
@@ -419,13 +419,25 @@ internal SpanContext CreateSpanContext(ISpanContext parent = null, string servic
 
                 if (traceContext == null)
                 {
-                    // If parent is SpanContext but its TraceContext is null, then it was extracted from
-                    // propagation headers. Create a new TraceContext (this will start a new trace) and initialize
+                    var propagatedTags = parentSpanContext.PropagatedTags;
+                    var samplingPriority = parentSpanContext.SamplingPriority;
+
+                    // When in appsec standalone mode, only distributed traces with the `_dd.p.appsec` tag
+                    // are propagated downstream, however we need 1 trace per minute sent to the backend, so
+                    // we unset sampling priority so the rate limiter decides.
+                    if (Settings?.AppsecStandaloneEnabledInternal == true)
+                    {
+                        // If the trace has appsec propagation tag, the default priority is user keep
+                        samplingPriority = propagatedTags?.GetTag(Tags.Propagated.AppSec) == "1" ? SamplingPriorityValues.UserKeep : null;
+                    }
+
+                    // If parent is SpanContext but its TraceContext is null, then it was extracted from propagation headers.
+                    // Create a new TraceContext (this will start a new trace) and initialize
                     // it with the propagated values (sampling priority, origin, tags, W3C trace state, etc).
-                    traceContext = new TraceContext(this, parentSpanContext.PropagatedTags);
+                    traceContext = new TraceContext(this, propagatedTags);
                     TelemetryFactory.Metrics.RecordCountTraceSegmentCreated(MetricTags.TraceContinuation.Continued);
 
-                    var samplingPriority = parentSpanContext.SamplingPriority ?? DistributedTracer.Instance.GetSamplingPriority();
+                    samplingPriority ??= DistributedTracer.Instance.GetSamplingPriority();
                     traceContext.SetSamplingPriority(samplingPriority);
                     traceContext.Origin = parentSpanContext.Origin;
                     traceContext.AdditionalW3CTraceState = parentSpanContext.AdditionalW3CTraceState;

Original file line number	Diff line number	Diff line change
`@@ -482,6 +482,7 @@ internal void SetTraceSamplingPriority(Span span)`
`482`	`482`	`else if (_rateLimiter?.Allowed(span) ?? false)`
`483`	`483`	`{`
`484`	`484`	`span.Context.TraceContext?.SetSamplingPriority(SamplingPriorityValues.UserKeep, SamplingMechanism.Asm);`
	`485`	`+ span.Context.TraceContext?.Tags.SetTag(Tags.Propagated.AppSec, "1");`
`485`	`486`	`}`
`486`	`487`	`}`
`487`	`488`
Original file line number	Diff line number	Diff line change
`@@ -562,6 +562,7 @@ private static IastModuleResponse AddWebVulnerability(string? evidenceValue, Int`
`562`	`562`	`{`
`563`	`563`	`traceContext.IastRequestContext?.AddVulnerability(vulnerability);`
`564`	`564`	`traceContext.SetSamplingPriority(SamplingPriorityValues.UserKeep, SamplingMechanism.Asm);`
	`565`	`+ traceContext.Tags.SetTag(Tags.Propagated.AppSec, "1");`
`565`	`566`
`566`	`567`	`return IastModuleResponse.Vulnerable;`
`567`	`568`	`}`
`@@ -636,6 +637,8 @@ private static IastModuleResponse GetScope(string evidenceValue, IntegrationId i`
`636`	`637`	`if (isRequest)`
`637`	`638`	`{`
`638`	`639`	`traceContext?.SetSamplingPriority(SamplingPriorityValues.UserKeep, SamplingMechanism.Asm);`
	`640`	`+ traceContext?.Tags.SetTag(Tags.Propagated.AppSec, "1");`
	`641`	`+`
`639`	`642`	`traceContext?.IastRequestContext?.AddVulnerability(vulnerability);`
`640`	`643`	`return IastModuleResponse.Vulnerable;`
`641`	`644`	`}`
`@@ -691,6 +694,7 @@ private static IastModuleResponse AddVulnerabilityAsSingleSpan(Tracer tracer, In`
`691`	`694`	`scope.Span.Type = SpanTypes.IastVulnerability;`
`692`	`695`	`tracer.TracerManager.Telemetry.IntegrationGeneratedSpan(integrationId);`
`693`	`696`	`scope.Span.Context.TraceContext?.SetSamplingPriority(SamplingPriorityValues.UserKeep, SamplingMechanism.Asm);`
	`697`	`+ scope.Span.Context.TraceContext?.Tags.SetTag(Tags.Propagated.AppSec, "1");`
`694`	`698`	`return new IastModuleResponse(scope);`
`695`	`699`	`}`
`696`	`700`
Original file line number	Diff line number	Diff line change
`@@ -43,7 +43,6 @@ public void Inject<TCarrier, TCarrierSetter>(SpanContext context, TCarrier carri`
`43`	`43`	`}`
`44`	`44`
`45`	`45`	`var propagatedTagsHeader = context.PrepareTagsHeaderForPropagation();`
`46`		`-`
`47`	`46`	`if (!string.IsNullOrEmpty(propagatedTagsHeader))`
`48`	`47`	`{`
`49`	`48`	`carrierSetter.Set(carrier, HttpHeaderNames.PropagatedTags, propagatedTagsHeader!);`
Original file line number	Diff line number	Diff line change
`@@ -725,6 +725,12 @@ internal static class Propagated`
`725`	`725`	/// lower-case hexadecimal string with no zero-padding or `0x` prefix.
`726`	`726`	`/// </summary>`
`727`	`727`	`internal const string TraceIdUpper = "_dd.p.tid";`
	`728`	`+`
	`729`	`+ /// <summary>`
	`730`	`+ /// A boolean allowing the propagation to downstream services the information that the current distributed trace`
	`731`	`+ /// is containing at least one ASM security event, no matter its type (threats, business logic events, IAST, etc.).`
	`732`	`+ /// </summary>`
	`733`	`+ internal const string AppSec = "_dd.p.appsec";`
`728`	`734`	`}`
`729`	`735`	`}`
`730`	`736`	`}`