DataDog · simon-id · Sep 11, 2024 · Sep 11, 2024 · Sep 11, 2024 · Sep 11, 2024
@@ -210,7 +210,17 @@ jobs:
         version:
           - 18
           - latest
-        range: ['>=10.2.0 <11', '>=11.0.0 <13', '11.1.4', '>=13.0.0 <14', '13.2.0', '>=14.0.0 <=14.2.6', '>=14.2.7 <15', '>=15.0.0']
+        range:
+          [
+            '>=10.2.0 <11',
+            '>=11.0.0 <13',
+            '11.1.4',
+            '>=13.0.0 <14',
+            '13.2.0',
+            '>=14.0.0 <=14.2.6',
+            '>=14.2.7 <15',
+            '>=15.0.0',
+          ]
         include:
           - range: '>=10.2.0 <11'
             range_clean: gte.10.2.0.and.lt.11

@@ -878,6 +878,30 @@ jobs:
           suffix: plugins-${{ github.job }}
       - uses: codecov/codecov-action@v3
 
+  passport:
+    runs-on: ubuntu-latest
+    env:
+      PLUGINS: passport
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/plugins/test
+
+  passport-http:
+    runs-on: ubuntu-latest
+    env:
+      PLUGINS: passport-http
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/plugins/test
+
+  passport-local:
+    runs-on: ubuntu-latest
+    env:
+      PLUGINS: passport-local
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/plugins/test
+
   # TODO: re-enable upstream tests if it ever stops being flaky
   pino:
     runs-on: ubuntu-latest

@@ -102,6 +102,7 @@ module.exports = {
   oracledb: () => require('../oracledb'),
   openai: () => require('../openai'),
   paperplane: () => require('../paperplane'),
+  passport: () => require('../passport'),
   'passport-http': () => require('../passport-http'),
   'passport-local': () => require('../passport-local'),
   pg: () => require('../pg'),

@@ -0,0 +1,45 @@
+'use strict'
+
+const shimmer = require('../../datadog-shimmer')
+const { channel, addHook } = require('./helpers/instrument')
+
+const onPassportDeserializeUserChannel = channel('datadog:passport:deserializeUser:finish')
+
+function wrapDone (done) {
+  return function wrappedDone (err, user) {
+    if (!err && user) {
+      const abortController = new AbortController()
+
+      onPassportDeserializeUserChannel.publish({ user, abortController })
+
+      if (abortController.signal.aborted) return
+    }
+
+    return done.apply(this, arguments)
+  }
+}
+
+function wrapDeserializeUser (deserializeUser) {
+  return function wrappedDeserializeUser (fn, req, done) {
+    if (typeof fn === 'function') return deserializeUser.apply(this, arguments)
+
+    if (typeof req === 'function') {
+      done = req
+      arguments[1] = wrapDone(done)
+    } else {
+      arguments[2] = wrapDone(done)
+    }
+
+    return deserializeUser.apply(this, arguments)
+  }
+}
+
+addHook({
+  name: 'passport',
+  file: 'lib/authenticator.js',
+  versions: ['>=0.2.0']
+}, Authenticator => {
+  shimmer.wrap(Authenticator.prototype, 'deserializeUser', wrapDeserializeUser)
+
+  return Authenticator
+})
@@ -0,0 +1,118 @@
+'use strict'
+
+const agent = require('../../dd-trace/test/plugins/agent')
+const axios = require('axios').create({ validateStatus: null })
+const dc = require('dc-polyfill')
+const { storage } = require('../../datadog-core')
+
+const users = [{
+  id: 1,
+  username: 'test',
+  password: '1234',
+  email: 'testuser@ddog.com'
+}]
+
+withVersions('passport', 'passport', version => {
+  describe('passport instrumentation', () => {
+    const passportDeserializeUserChannel = dc.channel('datadog:passport:deserializeUser:finish')
+    let port, server, subscriberStub
+
+    before(() => {
+      return agent.load(['http', 'express', 'express-session', 'passport', 'passport-local'], { client: false })
+    })
+
+    before((done) => {
+      const express = require('../../../versions/express').get()
+      const expressSession = require('../../../versions/express-session').get()
+      const passport = require(`../../../versions/passport@${version}`).get()
+      const LocalStrategy = require(`../../../versions/passport-local@${version}`).get().Strategy
+
+      const app = express()
+      app.use(expressSession({
+        secret: 'secret',
+        resave: false,
+        rolling: true,
+        saveUninitialized: true
+      }))
+
+      app.use(passport.initialize())
+      app.use(passport.session())
+
+      passport.serializeUser((user, done) => {
+        done(null, user.id)
+      })
+
+      passport.deserializeUser((id, done) => {
+        const user = users.find((user) => user.id === id)
+
+        done(null, user)
+      })
+
+      passport.use('local', new LocalStrategy((username, password, done) => {
+        const user = users.find((user) => user.username === username && user.password === password)
+
+        return done(null, user)
+      }))
+
+      app.get('/', passport.authenticate('local'))
+
+      passportDeserializeUserChannel.subscribe((data) => subscriberStub(data))
+
+      server = app.listen(0, () => {
+        port = server.address().port
+        done()
+      })
+    })
+
+    beforeEach(async () => {
+      subscriberStub = sinon.stub()
+
+      const res = await axios.post(`http://localhost:${port}/`, { username: 'test', password: '1234' })
+
+      console.log(res.headers['set-cookie'])
+    })
+
+    after(() => {
+      server.close()
+      return agent.close({ ritmReset: false })
+    })
+
+    it('should not call subscriber when an error occurs', async () => {
+      const res = await axios.post(`http://localhost:${port}/`, { username: 'error', password: '1234' })
+
+      expect(res.status).to.equal(500)
+      expect(subscriberStub).to.not.be.called
+    })
+
+    it('should call subscriber with proper arguments on success', async () => {
+      const res = await axios.post(`http://localhost:${port}/`, { username: 'test', password: '1234' })
+
+      expect(res.status).to.equal(200)
+      expect(res.data).to.equal('Granted')
+      expect(subscriberStub).to.be.calledOnceWithExactly({
+        framework: 'passport-local',
+        login: 'test',
+        user: { _id: 1, username: 'test', password: '1234', email: 'testuser@ddog.com' },
+        success: true,
+        abortController: new AbortController()
+      })
+    })
+
+    it('should block when subscriber aborts', async () => {
+      subscriberStub = sinon.spy(({ abortController }) => {
+        storage.getStore().req.res.writeHead(403).end('Blocked')
+        abortController.abort()
+      })
+
+
+      const res = await axios.post(`http://localhost:${port}/`, { username: 'test', password: '1234' })
+
+      expect(res.status).to.equal(403)
+      expect(res.data).to.equal('Blocked')
+      expect(subscriberStub).to.be.calledOnceWithExactly({
+        user: { _id: 1, username: 'test', password: '1234', email: 'testuser@ddog.com' },
+        abortController: new AbortController()
+      })
+    })
+  })
+})
@@ -115,7 +115,10 @@ function block (req, res, rootSpan, abortController, actionParameters = defaultB
     res.removeHeader(headerName)
   }
 
-  res.writeHead(statusCode, headers).end(body)
+  res.writeHead(statusCode, headers)
+
+  // this is needed to call the original end method, since express-session replaces it
+  res.constructor.prototype.end.call(res, body)
 
   responseBlockedSet.add(res)
 

@@ -14,6 +14,7 @@ module.exports = {
   incomingHttpRequestStart: dc.channel('dd-trace:incomingHttpRequestStart'),
   incomingHttpRequestEnd: dc.channel('dd-trace:incomingHttpRequestEnd'),
   passportVerify: dc.channel('datadog:passport:verify:finish'),
+  passportUser: dc.channel('datadog:passport:deserializeUser:finish'),
   queryParser: dc.channel('datadog:query:read:finish'),
   setCookieChannel: dc.channel('datadog:iast:set-cookie'),
   nextBodyParsed: dc.channel('apm:next:body-parsed'),

@@ -22,7 +22,8 @@ const EXCLUDED_LOCATIONS = getNodeModulesPaths(
   'sqreen/lib/package-reader/index.js',
   'ws/lib/websocket-server.js',
   'google-gax/build/src/grpc.js',
-  'cookie-signature/index.js'
+  'cookie-signature/index.js',
+  'express-session/index.js'
 )
 
 const EXCLUDED_PATHS_FROM_STACK = [

@@ -10,6 +10,7 @@ const {
   incomingHttpRequestStart,
   incomingHttpRequestEnd,
   passportVerify,
+  passportUser,
   queryParser,
   nextBodyParsed,
   nextQueryParsed,
@@ -67,6 +68,7 @@ function enable (_config) {
     incomingHttpRequestStart.subscribe(incomingHttpStartTranslator)
     incomingHttpRequestEnd.subscribe(incomingHttpEndTranslator)
     passportVerify.subscribe(onPassportVerify) // possible optimization: only subscribe if collection mode is enabled
+    passportUser.subscribe(onPassportDeserializeUser)
     queryParser.subscribe(onRequestQueryParsed)
     nextBodyParsed.subscribe(onRequestBodyParsed)
     nextQueryParsed.subscribe(onRequestQueryParsed)
@@ -197,6 +199,20 @@ function onPassportVerify ({ framework, login, user, success, abortController })
   handleResults(results, store.req, store.req.res, rootSpan, abortController)
 }
 
+function onPassportDeserializeUser ({ user, abortController }) {
+  const store = storage.getStore()
+  const rootSpan = store?.req && web.root(store.req)
+
+  if (!rootSpan) {
+    log.warn('[ASM] No rootSpan found in onPassportDeserializeUser')
+    return
+  }
+
+  const results = UserTracking.trackUser(user, rootSpan)
+
+  handleResults(results, store.req, store.req.res, rootSpan, abortController)
+}
+
 function onRequestQueryParsed ({ req, res, query, abortController }) {
   if (!query || typeof query !== 'object') return
 
@@ -310,6 +326,7 @@ function disable () {
   if (incomingHttpRequestStart.hasSubscribers) incomingHttpRequestStart.unsubscribe(incomingHttpStartTranslator)
   if (incomingHttpRequestEnd.hasSubscribers) incomingHttpRequestEnd.unsubscribe(incomingHttpEndTranslator)
   if (passportVerify.hasSubscribers) passportVerify.unsubscribe(onPassportVerify)
+  if (passportUser.hasSubscribers) passportUser.unsubscribe(onPassportDeserializeUser)
   if (queryParser.hasSubscribers) queryParser.unsubscribe(onRequestQueryParsed)
   if (nextBodyParsed.hasSubscribers) nextBodyParsed.unsubscribe(onRequestBodyParsed)
   if (nextQueryParsed.hasSubscribers) nextQueryParsed.unsubscribe(onRequestQueryParsed)

@@ -2,6 +2,8 @@
 
 const { getRootSpan } = require('./utils')
 const log = require('../../log')
+const waf = require('../waf')
+const addresses = require('../addresses')
 
 function setUserTags (user, rootSpan) {
   for (const k of Object.keys(user)) {
@@ -22,6 +24,19 @@ function setUser (tracer, user) {
   }
 
   setUserTags(user, rootSpan)
+  rootSpan.setTag('_dd.appsec.user.collection_mode', 'sdk')
+
+  const persistent = {}
+
+  if (user.id) {
+    persistent[addresses.USER_ID] = '' + user.id
+  }
+
+  if (user.login) {
+    persistent[addresses.USER_LOGIN] = '' + user.login
+  }
+
+  waf.run({ persistent })
 }
 
 module.exports = {

@@ -23,6 +23,7 @@ function checkUserAndSetUser (tracer, user) {
   if (rootSpan) {
     if (!rootSpan.context()._tags['usr.id']) {
       setUserTags(user, rootSpan)
+      rootSpan.setTag('_dd.appsec.user.collection_mode', 'sdk')
     }
   } else {
     log.warn('[ASM] Root span not available in isUserBlocked')

@@ -186,6 +186,15 @@ function incrementMissingUserLoginMetric (framework, eventType) {
   }).inc()
 }
 
+function incrementMissingUserIdMetric (framework, eventType) {
+  if (!enabled) return
+
+  appsecMetrics.count('instrum.user_auth.missing_user_id', {
+    framework,
+    event_type: eventType
+  }).inc()
+}
+
 function getRequestMetrics (req) {
   if (req) {
     const store = getStore(req)
@@ -203,6 +212,7 @@ module.exports = {
   incrementWafUpdatesMetric,
   incrementWafRequestsMetric,
   incrementMissingUserLoginMetric,
+  incrementMissingUserIdMetric,
 
   getRequestMetrics
 }