Merge branch 'main' into romain.marcadier/graphql/APPSEC-11164
RomainMuller committed Oct 31, 2023
2 parents ffb2ddf + 7f31c76 commit 2f0d043
Showing 20 changed files with 53 additions and 7,759 deletions.
3 changes: 3 additions & 0 deletions .gitignore
Expand Up @@ -16,3 +16,6 @@ dd-trace-go.iml
vendor

/contrib/google.golang.org/grpc.v12/vendor/
/contrib_coverage.txt
/core_coverage.txt
/gotestsum-report.xml
2 changes: 1 addition & 1 deletion ddtrace/tracer/span.go
Expand Up @@ -592,7 +592,7 @@ func obfuscatedResource(o *obfuscate.Obfuscator, typ, resource string) string {
// shouldKeep reports whether the trace should be kept.
// a single span being kept implies the whole trace being kept.
func shouldKeep(s *span) bool {
if p, ok := s.context.samplingPriority(); ok && p > 0 {
if p, ok := s.context.SamplingPriority(); ok && p > 0 {
// positive sampling priorities stay
return true
}
2 changes: 1 addition & 1 deletion ddtrace/tracer/spancontext.go
Expand Up @@ -188,7 +188,7 @@ func (c *spanContext) setSamplingPriority(p int, sampler samplernames.SamplerNam
c.trace.setSamplingPriority(p, sampler)
}

func (c *spanContext) samplingPriority() (p int, ok bool) {
func (c *spanContext) SamplingPriority() (p int, ok bool) {
if c.trace == nil {
return 0, false
}
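Review bot: The renamed method `SamplingPriority` is now exported but has no doc comment, so nothing records why a method on the unexported `spanContext` type must be visible outside the package, or what `ok` means. A comment above the signature would cover it, for example `// SamplingPriority returns the sampling priority of the trace attached to this context; ok is false when the context has no trace.` The `c.trace == nil` guard visible here supports the second half of that sentence; the rest of the body lies outside the hunk, so the wording for the non-nil case should be checked against it. If the export exists to satisfy an interface asserted in another package (presumably the reason, though not shown on this page), naming that interface in the comment would keep the method from being un-exported again by accident.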
2 changes: 1 addition & 1 deletion ddtrace/tracer/sqlcomment.go
Expand Up @@ -87,7 +87,7 @@ func (c *SQLCommentCarrier) Inject(spanCtx ddtrace.SpanContext) error {
traceID uint64
)
if ctx, ok := spanCtx.(*spanContext); ok {
if sp, ok := ctx.samplingPriority(); ok && sp > 0 {
if sp, ok := ctx.SamplingPriority(); ok && sp > 0 {
sampled = 1
}
traceID = ctx.TraceID()
6 changes: 3 additions & 3 deletions ddtrace/tracer/sqlcomment_test.go
Expand Up @@ -135,7 +135,7 @@ func TestSQLCommentCarrier(t *testing.T) {
assert.Equal(t, carrier.SpanID, xctx.spanID)
assert.Equal(t, traceID, xctx.traceID.Lower())

p, ok := xctx.samplingPriority()
p, ok := xctx.SamplingPriority()
assert.True(t, ok)
assert.Equal(t, tc.samplingPriority, p)
}
Expand Down Expand Up @@ -168,7 +168,7 @@ func TestExtractOpenTelemetryTraceInformation(t *testing.T) {
assert.Equal(t, lower, xctx.traceID.Lower())
assert.Equal(t, upper, xctx.traceID.Upper())

p, ok := xctx.samplingPriority()
p, ok := xctx.SamplingPriority()
assert.True(t, ok)
assert.Equal(t, priority, p)
}
Expand Down Expand Up @@ -246,7 +246,7 @@ func FuzzSpanContextFromTraceComment(f *testing.F) {
wanted: %d`, xctx.traceID.Upper(), traceIDUpper)
}

p, ok := xctx.samplingPriority()
p, ok := xctx.SamplingPriority()
if !ok {
t.Fatalf("Error retrieving sampling priority")
}
10 changes: 5 additions & 5 deletions ddtrace/tracer/textmap.go
Expand Up @@ -310,7 +310,7 @@ func (p *propagator) injectTextMap(spanCtx ddtrace.SpanContext, writer TextMapWr
}
writer.Set(p.cfg.TraceHeader, strconv.FormatUint(ctx.traceID.Lower(), 10))
writer.Set(p.cfg.ParentHeader, strconv.FormatUint(ctx.spanID, 10))
if sp, ok := ctx.samplingPriority(); ok {
if sp, ok := ctx.SamplingPriority(); ok {
writer.Set(p.cfg.PriorityHeader, strconv.Itoa(sp))
}
if ctx.origin != "" {
Expand Down Expand Up @@ -502,7 +502,7 @@ func (*propagatorB3) injectTextMap(spanCtx ddtrace.SpanContext, writer TextMapWr
writer.Set(b3TraceIDHeader, w3Cctx.TraceID128())
}
writer.Set(b3SpanIDHeader, fmt.Sprintf("%016x", ctx.spanID))
if p, ok := ctx.samplingPriority(); ok {
if p, ok := ctx.SamplingPriority(); ok {
if p >= ext.PriorityAutoKeep {
writer.Set(b3SampledHeader, "1")
} else {
Expand Down Expand Up @@ -585,7 +585,7 @@ func (*propagatorB3SingleHeader) injectTextMap(spanCtx ddtrace.SpanContext, writ
traceID = w3Cctx.TraceID128()
}
sb.WriteString(fmt.Sprintf("%s-%016x", traceID, ctx.spanID))
if p, ok := ctx.samplingPriority(); ok {
if p, ok := ctx.SamplingPriority(); ok {
if p >= ext.PriorityAutoKeep {
sb.WriteString("-1")
} else {
Expand Down Expand Up @@ -681,7 +681,7 @@ func (*propagatorW3c) injectTextMap(spanCtx ddtrace.SpanContext, writer TextMapW
return ErrInvalidSpanContext
}
flags := ""
p, ok := ctx.samplingPriority()
p, ok := ctx.SamplingPriority()
if ok && p >= ext.PriorityAutoKeep {
flags = "01"
} else {
Expand Down Expand Up @@ -982,7 +982,7 @@ func parseTracestate(ctx *spanContext, header string) {
// The sampling priority and decision maker values are set based on
// the specification in the internal W3C context propagation RFC.
// See the document for more details.
parentP, _ := ctx.samplingPriority()
parentP, _ := ctx.SamplingPriority()
if (parentP == 1 && stateP > 0) || (parentP == 0 && stateP <= 0) {
// As extracted from tracestate
ctx.setSamplingPriority(stateP, samplernames.Unknown)
10 changes: 5 additions & 5 deletions ddtrace/tracer/textmap_test.go
Expand Up @@ -837,7 +837,7 @@ func TestEnvVars(t *testing.T) {
// assert.Equal(test.traceID128Full, id128FromSpan(assert, ctx)) // add when 128-bit trace id support is enabled
assert.Equal(tc.out[0], sctx.traceID.Lower())
assert.Equal(tc.out[1], sctx.spanID)
p, ok := sctx.samplingPriority()
p, ok := sctx.SamplingPriority()
assert.True(ok)
assert.Equal(int(tc.out[2]), p)
})
Expand Down Expand Up @@ -1108,7 +1108,7 @@ func TestEnvVars(t *testing.T) {
assert.Equal(tc.tid, sctx.traceID)
assert.Equal(tc.out[0], sctx.spanID)
assert.Equal(tc.origin, sctx.origin)
p, ok := sctx.samplingPriority()
p, ok := sctx.SamplingPriority()
assert.True(ok)
assert.Equal(int(tc.out[1]), p)

Expand Down Expand Up @@ -1217,7 +1217,7 @@ func TestEnvVars(t *testing.T) {

assert.Equal(tc.tid, sctx.traceID)
assert.Equal(tc.sid, sctx.spanID)
p, ok := sctx.samplingPriority()
p, ok := sctx.SamplingPriority()
assert.True(ok)
assert.Equal(tc.priority, p)

Expand Down Expand Up @@ -1703,7 +1703,7 @@ func TestEnvVars(t *testing.T) {

assert.Equal(tc.tid, sctx.traceID)
assert.Equal(tc.out[0], sctx.spanID)
p, ok := sctx.samplingPriority()
p, ok := sctx.SamplingPriority()
assert.True(ok)
assert.Equal(int(tc.out[1]), p)
})
Expand Down Expand Up @@ -2032,7 +2032,7 @@ func FuzzParseTraceparent(f *testing.F) {
if parseTraceparent(ctx, header) != nil {
t.Skipf("Error parsing parent")
}
parsedSamplingPriority, ok := ctx.samplingPriority()
parsedSamplingPriority, ok := ctx.SamplingPriority()
if !ok {
t.Skipf("Error retrieving sampling priority")
}
8 changes: 4 additions & 4 deletions ddtrace/tracer/tracer.go
Expand Up @@ -398,7 +398,7 @@ type chunk struct {
// sampleChunk applies single-span sampling to the provided trace.
func (t *tracer) sampleChunk(c *chunk) {
if len(c.spans) > 0 {
if p, ok := c.spans[0].context.samplingPriority(); ok && p > 0 {
if p, ok := c.spans[0].context.SamplingPriority(); ok && p > 0 {
// The trace is kept, no need to run single span sampling rules.
return
}
Expand Down Expand Up @@ -501,7 +501,7 @@ func (t *tracer) StartSpan(operationName string, options ...ddtrace.StartSpanOpt
// this is a child span
span.TraceID = context.traceID.Lower()
span.ParentID = context.spanID
if p, ok := context.samplingPriority(); ok {
if p, ok := context.SamplingPriority(); ok {
span.setMetric(keySamplingPriority, float64(p))
}
if context.span != nil {
Expand Down Expand Up @@ -552,7 +552,7 @@ func (t *tracer) StartSpan(operationName string, options ...ddtrace.StartSpanOpt
if t.config.env != "" {
span.setMeta(ext.Environment, t.config.env)
}
if _, ok := span.context.samplingPriority(); !ok {
if _, ok := span.context.SamplingPriority(); !ok {
// if not already sampled or a brand new trace, sample it
t.sample(span)
}
Expand Down Expand Up @@ -660,7 +660,7 @@ const sampleRateMetricKey = "_sample_rate"

// Sample samples a span with the internal sampler.
func (t *tracer) sample(span *span) {
if _, ok := span.context.samplingPriority(); ok {
if _, ok := span.context.SamplingPriority(); ok {
// sampling decision was already made
return
}
6 changes: 3 additions & 3 deletions ddtrace/tracer/tracer_test.go
Expand Up @@ -414,7 +414,7 @@ func TestSamplingDecision(t *testing.T) {
span := tracer.StartSpan("name_1").(*span)
child := tracer.StartSpan("name_2", ChildOf(span.context))
child.SetTag(ext.EventSampleRate, 1)
p, ok := span.context.samplingPriority()
p, ok := span.context.SamplingPriority()
require.True(t, ok)
assert.Equal(t, ext.PriorityAutoReject, p)
child.Finish()
Expand Down Expand Up @@ -1143,7 +1143,7 @@ func TestTracerPrioritySampler(t *testing.T) {
assert.Equal(1., s.Metrics[keySamplingPriorityRate])
assert.Equal(1., s.Metrics[keySamplingPriority])
assert.Equal("-1", s.context.trace.propagatingTags[keyDecisionMaker])
p, ok := s.context.samplingPriority()
p, ok := s.context.SamplingPriority()
assert.True(ok)
assert.EqualValues(p, s.Metrics[keySamplingPriority])
s.Finish()
Expand Down Expand Up @@ -1185,7 +1185,7 @@ func TestTracerPrioritySampler(t *testing.T) {
}
assert.True(ok)
assert.Contains([]float64{0, 1}, prio)
p, ok := s.context.samplingPriority()
p, ok := s.context.SamplingPriority()
assert.True(ok)
assert.EqualValues(p, prio)

2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -5,7 +5,7 @@ go 1.19
require (
cloud.google.com/go/pubsub v1.33.0
github.com/99designs/gqlgen v0.17.36
github.com/DataDog/appsec-internal-go v1.0.0
github.com/DataDog/appsec-internal-go v1.0.1
github.com/DataDog/datadog-agent/pkg/obfuscate v0.48.0
github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.48.1
github.com/DataDog/datadog-go/v5 v5.3.0
4 changes: 2 additions & 2 deletions go.sum
Expand Up @@ -624,8 +624,8 @@ github.com/AzureAD/microsoft-authentication-library-for-go v0.5.1/go.mod h1:Vt9s
github.com/AzureAD/microsoft-authentication-library-for-go v0.8.1/go.mod h1:4qFor3D/HDsvBME35Xy9rwW9DecL+M2sNw1ybjPtwA0=
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
github.com/DataDog/appsec-internal-go v1.0.0 h1:2u5IkF4DBj3KVeQn5Vg2vjPUtt513zxEYglcqnd500U=
github.com/DataDog/appsec-internal-go v1.0.0/go.mod h1:+Y+4klVWKPOnZx6XESG7QHydOaUGEXyH2j/vSg9JiNM=
github.com/DataDog/appsec-internal-go v1.0.1 h1:j60HUtXEQ2uRIm8SsNnLp1Ummx/EU8iV9IFvEYmSdUM=
github.com/DataDog/appsec-internal-go v1.0.1/go.mod h1:+Y+4klVWKPOnZx6XESG7QHydOaUGEXyH2j/vSg9JiNM=
github.com/DataDog/datadog-agent/pkg/obfuscate v0.48.0 h1:bUMSNsw1iofWiju9yc1f+kBd33E3hMJtq9GuU602Iy8=
github.com/DataDog/datadog-agent/pkg/obfuscate v0.48.0/go.mod h1:HzySONXnAgSmIQfL6gOv9hWprKJkx8CicuXuUbmgWfo=
github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.48.1 h1:5nE6N3JSs2IG3xzMthNFhXfOaXlrsdgqmJ73lndFf8c=
4 changes: 2 additions & 2 deletions internal/apps/unit-of-work/go.mod
Expand Up @@ -8,7 +8,7 @@ require (
)

require (
github.com/DataDog/appsec-internal-go v1.0.0 // indirect
github.com/DataDog/appsec-internal-go v1.0.1 // indirect
github.com/DataDog/go-libddwaf v1.5.0 // indirect
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
github.com/ebitengine/purego v0.5.0-alpha.1 // indirect
Expand All @@ -24,7 +24,7 @@ require (

require (
github.com/DataDog/datadog-agent/pkg/obfuscate v0.48.0 // indirect
github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.48.0-devel.0.20230725154044-2549ba9058df // indirect
github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.48.1 // indirect
github.com/DataDog/datadog-go/v5 v5.3.0 // indirect
github.com/DataDog/go-tuf v1.0.2-0.5.2 // indirect
github.com/DataDog/gostackparse v0.7.0 // indirect
2 changes: 2 additions & 0 deletions internal/apps/unit-of-work/go.sum
@@ -1,10 +1,12 @@
github.com/DataDog/appsec-internal-go v1.0.0 h1:2u5IkF4DBj3KVeQn5Vg2vjPUtt513zxEYglcqnd500U=
github.com/DataDog/appsec-internal-go v1.0.0/go.mod h1:+Y+4klVWKPOnZx6XESG7QHydOaUGEXyH2j/vSg9JiNM=
github.com/DataDog/appsec-internal-go v1.0.1/go.mod h1:+Y+4klVWKPOnZx6XESG7QHydOaUGEXyH2j/vSg9JiNM=
github.com/DataDog/datadog-agent/pkg/obfuscate v0.46.0 h1:rUNnUcHC4AlxoImuXmZeOfi6H80BDBHzeagWXWCVhnA=
github.com/DataDog/datadog-agent/pkg/obfuscate v0.46.0/go.mod h1:e933RWa4kAWuHi5jpzEuOiULlv21HcCFEVIYegmaB5c=
github.com/DataDog/datadog-agent/pkg/obfuscate v0.48.0/go.mod h1:HzySONXnAgSmIQfL6gOv9hWprKJkx8CicuXuUbmgWfo=
github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.48.0-devel.0.20230725154044-2549ba9058df h1:PbzrhHhs2+RRdKKti7JBSM8ATIeiji2T2cVt/d8GT8k=
github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.48.0-devel.0.20230725154044-2549ba9058df/go.mod h1:5Q39ZOIOwZMnFyRadp+5gH1bFdjmb+Pgxe+j5XOwaTg=
github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.48.1/go.mod h1:Vc+snp0Bey4MrrJyiV2tVxxJb6BmLomPvN1RgAvjGaQ=
github.com/DataDog/datadog-go/v5 v5.1.1/go.mod h1:KhiYb2Badlv9/rofz+OznKoEF5XKTonWyhx5K83AP8E=
github.com/DataDog/datadog-go/v5 v5.3.0 h1:2q2qjFOb3RwAZNU+ez27ZVDwErJv5/VpbBPprz7Z+s8=
github.com/DataDog/datadog-go/v5 v5.3.0/go.mod h1:XRDJk1pTc00gm+ZDiBKsjh7oOOtJfYfglVCmFb8C2+Q=
11 changes: 6 additions & 5 deletions internal/appsec/config.go
Expand Up @@ -16,6 +16,8 @@ import (

"gopkg.in/DataDog/dd-trace-go.v1/internal/log"
"gopkg.in/DataDog/dd-trace-go.v1/internal/remoteconfig"

rules "github.com/DataDog/appsec-internal-go/appsec"
)

const (
Expand Down Expand Up @@ -74,9 +76,9 @@ func isEnabled() (enabled bool, set bool, err error) {
return false, set, nil
} else if enabled, err = strconv.ParseBool(enabledStr); err != nil {
return false, set, fmt.Errorf("could not parse %s value `%s` as a boolean value", enabledEnvVar, enabledStr)
} else {
return enabled, set, nil
}

return enabled, set, nil
}

func newConfig() (*Config, error) {
Expand Down Expand Up @@ -162,12 +164,11 @@ func readObfuscatorConfigRegexp(name, defaultValue string) string {
return val
}

func readRulesConfig() (rules []byte, err error) {
rules = []byte(staticRecommendedRules)
func readRulesConfig() ([]byte, error) {
filepath := os.Getenv(rulesEnvVar)
if filepath == "" {
log.Debug("appsec: using the default built-in recommended security rules")
return rules, nil
return []byte(rules.StaticRecommendedRules), nil
}
buf, err := os.ReadFile(filepath)
if err != nil {
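Review bot: `readRulesConfig` has no doc comment after losing its named results, yet it is where an environment variable can replace the whole built-in security ruleset with the contents of a file. A comment above the signature would make that trust boundary explicit, for example `// readRulesConfig returns the contents of the rules file named by the rulesEnvVar environment variable when it is set, and the recommended rules embedded in appsec-internal-go otherwise.` In the visible lines only the default branch emits a debug log, so a matching log of the custom path would help an operator confirm which ruleset is active. The local `filepath` also shadows the name of the standard `path/filepath` package, and `rulesPath` would avoid that. The function continues past the end of the hunk, so how a read failure or an invalid file is handled is not visible here.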
5 changes: 3 additions & 2 deletions internal/appsec/config_test.go
Expand Up @@ -13,6 +13,7 @@ import (
"testing"
"time"

rules "github.com/DataDog/appsec-internal-go/appsec"
"github.com/stretchr/testify/require"
)

Expand Down Expand Up @@ -126,9 +127,9 @@ func TestConfig(t *testing.T) {
os.Remove(file.Name())
}()
expCfg := *expectedDefaultConfig
expCfg.rulesManager, err = newRulesManager([]byte(staticRecommendedRules))
expCfg.rulesManager, err = newRulesManager([]byte(rules.StaticRecommendedRules))
require.NoError(t, err)
_, err = file.WriteString(staticRecommendedRules)
_, err = file.WriteString(rules.StaticRecommendedRules)
require.NoError(t, err)
os.Setenv(rulesEnvVar, file.Name())
cfg, err := newConfig()
7 changes: 4 additions & 3 deletions internal/appsec/rule_test.go
Expand Up @@ -12,6 +12,7 @@ import (
"encoding/json"
"testing"

rules "github.com/DataDog/appsec-internal-go/appsec"
waf "github.com/DataDog/go-libddwaf"
"github.com/stretchr/testify/require"
)
Expand All @@ -22,9 +23,9 @@ func TestStaticRule(t *testing.T) {
return
}

var rules rulesFragment
require.NoError(t, json.Unmarshal([]byte(staticRecommendedRules), &rules))
waf, err := waf.NewHandle(rules, "", "")
var parsedRules rulesFragment
require.NoError(t, json.Unmarshal([]byte(rules.StaticRecommendedRules), &parsedRules))
waf, err := waf.NewHandle(parsedRules, "", "")
require.NoError(t, err)
require.NotNil(t, waf)
waf.Close()
17 changes: 0 additions & 17 deletions internal/appsec/rules.go

This file was deleted.
