Add appsec.auto_user_instrumentation.mode config

Strech · Strech · commit 1b6e5a219f11 · 2025-02-06T12:01:54.000+01:00
diff --git a/lib/datadog/appsec/configuration/settings.rb b/lib/datadog/appsec/configuration/settings.rb
@@ -12,14 +12,18 @@ module Settings
         DEFAULT_OBFUSCATOR_KEY_REGEX = '(?i)pass|pw(?:or)?d|secret|(?:api|private|public|access)[_-]?key|token|consumer[_-]?(?:id|key|secret)|sign(?:ed|ature)|bearer|authorization|jsessionid|phpsessid|asp\.net[_-]sessionid|sid|jwt'
         DEFAULT_OBFUSCATOR_VALUE_REGEX = '(?i)(?:p(?:ass)?w(?:or)?d|pass(?:[_-]?phrase)?|secret(?:[_-]?key)?|(?:(?:api|private|public|access)[_-]?)key(?:[_-]?id)?|(?:(?:auth|access|id|refresh)[_-]?)?token|consumer[_-]?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?|jsessionid|phpsessid|asp\.net(?:[_-]|-)sessionid|sid|jwt)(?:\s*=[^;]|"\s*:\s*"[^"]+")|bearer\s+[a-z0-9\._\-]+|token:[a-z0-9]{13}|gh[opsu]_[0-9a-zA-Z]{36}|ey[I-L][\w=-]+\.ey[I-L][\w=-]+(?:\.[\w.+\/=-]+)?|[\-]{5}BEGIN[a-z\s]+PRIVATE\sKEY[\-]{5}[^\-]+[\-]{5}END[a-z\s]+PRIVATE\sKEY|ssh-rsa\s*[a-z0-9\/\.+]{100,}'
         # rubocop:enable Layout/LineLength
-        APPSEC_VALID_TRACK_USER_EVENTS_MODE = [
-          'safe',
-          'extended'
-        ].freeze
-        APPSEC_VALID_TRACK_USER_EVENTS_ENABLED_VALUES = [
-          '1',
-          'true'
-        ].concat(APPSEC_VALID_TRACK_USER_EVENTS_MODE).freeze
+
+        DEFAULT_AUTO_USER_INSTRUMENTATION_MODE = 'identification'
+        AUTO_USER_INSTRUMENTATION_MODES = ['disabled', 'identification', 'anonymization'].freeze
+        AUTO_USER_INSTRUMENTATION_MODES_ALIASES = {
+          'ident' => 'identification', 'anon' => 'anonymization',
+        }.freeze
+
+        # NOTE: These two constants are deprecated
+        APPSEC_VALID_TRACK_USER_EVENTS_MODE = ['safe', 'extended'].freeze
+        APPSEC_VALID_TRACK_USER_EVENTS_ENABLED_VALUES = ['1', 'true'].concat(
+          APPSEC_VALID_TRACK_USER_EVENTS_MODE
+        ).freeze
 
         def self.extended(base)
           base = base.singleton_class unless base.is_a?(Class)
@@ -149,6 +153,27 @@ def self.add_settings!(base)
                 end
               end
 
+              settings :auto_user_instrumentation do
+                option :mode do |o|
+                  o.type :string
+                  o.env 'DD_APPSEC_AUTO_USER_INSTRUMENTATION_MODE'
+                  o.default DEFAULT_AUTO_USER_INSTRUMENTATION_MODE
+                  o.setter do |value|
+                    mode = AUTO_USER_INSTRUMENTATION_MODES_ALIASES.fetch(value, value)
+                    next mode if AUTO_USER_INSTRUMENTATION_MODES.include?(mode)
+
+                    Datadog.logger.warn(
+                      'The appsec.auto_user_instrumentation.mode value provided is not supported. ' \
+                      "Supported values are: #{AUTO_USER_INSTRUMENTATION_MODES.join(' | ')}. " \
+                      "Using default value: #{DEFAULT_AUTO_USER_INSTRUMENTATION_MODE}."
+                    )
+
+                    DEFAULT_AUTO_USER_INSTRUMENTATION_MODE
+                  end
+                end
+              end
+
+              # DEV-3.0: Remove `track_user_events.enabled` and `track_user_events.mode` options
               settings :track_user_events do
                 option :enabled do |o|
                   o.default true
@@ -161,6 +186,13 @@ def self.add_settings!(base)
                       APPSEC_VALID_TRACK_USER_EVENTS_ENABLED_VALUES.include?(env_value.strip.downcase)
                     end
                   end
+                  o.after_set do
+                    Core.log_deprecation(key: :appsec_track_user_events_enabled) do
+                      'The appsec.track_user_events.enabled setting has been deprecated for removal. ' \
+                      'Please remove it from your Datadog.configure block and use ' \
+                      'appsec.auto_user_instrumentation.mode instead.'
+                    end
+                  end
                 end
 
                 option :mode do |o|
@@ -181,6 +213,13 @@ def self.add_settings!(base)
                       'safe'
                     end
                   end
+                  o.after_set do
+                    Core.log_deprecation(key: :appsec_track_user_events_mode) do
+                      'The appsec.track_user_events.mode setting has been deprecated for removal. ' \
+                      'Please remove it from your Datadog.configure block and use ' \
+                      'appsec.auto_user_instrumentation.mode instead.'
+                    end
+                  end
                 end
               end
 
diff --git a/sig/datadog/appsec/configuration/settings.rbs b/sig/datadog/appsec/configuration/settings.rbs
@@ -1,17 +1,25 @@
 module Datadog
   module AppSec
     module Configuration
-      # Settings
       module Settings
         extend Datadog::Core::Configuration::Base::ClassMethods
         include Datadog::Core::Configuration::Base::InstanceMethods
         extend Datadog::Core::Configuration::Options::ClassMethods
         include Datadog::Core::Configuration::Options::InstanceMethods
 
         DEFAULT_OBFUSCATOR_KEY_REGEX: ::String
+
         DEFAULT_OBFUSCATOR_VALUE_REGEX: ::String
-        APPSEC_VALID_TRACK_USER_EVENTS_MODE: ::Array[String]
-        APPSEC_VALID_TRACK_USER_EVENTS_ENABLED_VALUES: ::Array[String]
+
+        DEFAULT_AUTO_USER_INSTRUMENTATION_MODE: ::String
+
+        AUTO_USER_INSTRUMENTATION_MODES: ::Array[::String]
+
+        AUTO_USER_INSTRUMENTATION_MODES_ALIASES: ::Hash[::String, ::String]
+
+        APPSEC_VALID_TRACK_USER_EVENTS_MODE: ::Array[::String]
+
+        APPSEC_VALID_TRACK_USER_EVENTS_ENABLED_VALUES: ::Array[::String]
 
         def self.extended: (untyped base) -> untyped
 
diff --git a/spec/datadog/appsec/configuration/settings_spec.rb b/spec/datadog/appsec/configuration/settings_spec.rb
@@ -469,6 +469,8 @@ def patcher
     end
 
     describe 'track_user_events' do
+      before { allow(Datadog).to receive(:logger).and_return(spy(Datadog::Core::Logger)) }
+
       describe '#enabled' do
         subject(:enabled) { settings.appsec.track_user_events.enabled }
 
@@ -479,6 +481,17 @@ def patcher
             end
           end
 
+          context 'when deprication message should be emitted' do
+            let(:track_user_events_enabled) { 'true' }
+
+            it 'writes the deprication message' do
+              expect(Datadog::Core).to receive(:log_deprecation) do |_, &block|
+                expect(block.call).to match(/setting has been deprecated for removal/)
+              end
+              expect(enabled).to eq(true)
+            end
+          end
+
           context 'is not defined' do
             let(:track_user_events_enabled) { nil }
 
@@ -562,6 +575,18 @@ def patcher
           settings.appsec.track_user_events.mode = track_user_events_mode
         end
 
+        context 'when deprication message should be emitted' do
+          let(:track_user_events_mode) { 'extended' }
+
+          it 'writes the deprication message' do
+            expect(Datadog::Core).to receive(:log_deprecation) do |_, &block|
+              expect(block.call).to match(/setting has been deprecated for removal/)
+            end
+
+            set_appsec_track_user_events_mode
+          end
+        end
+
         context 'when given a supported value' do
           let(:track_user_events_mode) { 'extended' }
 
@@ -582,6 +607,74 @@ def patcher
       end
     end
 
+    describe 'auto_user_instrumentation.mode' do
+      before { allow(Datadog).to receive(:logger).and_return(logger) }
+
+      let(:logger) { instance_double(Datadog::Core::Logger) }
+
+      context 'when valid value is set' do
+        before { settings.appsec.auto_user_instrumentation.mode = 'disabled' }
+
+        it { expect(settings.appsec.auto_user_instrumentation.mode).to eq('disabled') }
+      end
+
+      context 'when valid short value is set' do
+        before { settings.appsec.auto_user_instrumentation.mode = 'anon' }
+
+        it 'expands the alias value to the long version' do
+          expect(settings.appsec.auto_user_instrumentation.mode).to eq('anonymization')
+        end
+      end
+
+      context 'when invalid value is set' do
+        it 'sets the value to the default and writes a warning message' do
+          expect(logger).to receive(:warn).with(/value provided is not supported/)
+          settings.appsec.auto_user_instrumentation.mode = 'unknown'
+
+          expect(settings.appsec.auto_user_instrumentation.mode).to eq('identification')
+        end
+      end
+
+      context 'when valid DD_APPSEC_AUTO_USER_INSTRUMENTATION_MODE is set' do
+        around do |example|
+          ClimateControl.modify('DD_APPSEC_AUTO_USER_INSTRUMENTATION_MODE' => 'disabled') do
+            example.run
+          end
+        end
+
+        it { expect(settings.appsec.auto_user_instrumentation.mode).to eq('disabled') }
+      end
+
+      context 'when valid DD_APPSEC_AUTO_USER_INSTRUMENTATION_MODE short value is set' do
+        around do |example|
+          ClimateControl.modify('DD_APPSEC_AUTO_USER_INSTRUMENTATION_MODE' => 'anon') do
+            example.run
+          end
+        end
+
+        it 'expands the alias value to the long version' do
+          expect(settings.appsec.auto_user_instrumentation.mode).to eq('anonymization')
+        end
+      end
+
+      context 'when invalid DD_APPSEC_AUTO_USER_INSTRUMENTATION_MODE is set' do
+        around do |example|
+          ClimateControl.modify('DD_APPSEC_AUTO_USER_INSTRUMENTATION_MODE' => 'unknown') do
+            example.run
+          end
+        end
+
+        it 'sets the value to the default and writes a warning message' do
+          expect(logger).to receive(:warn).with(/value provided is not supported/)
+          expect(settings.appsec.auto_user_instrumentation.mode).to eq('identification')
+        end
+      end
+
+      context 'when no value or env variable is set' do
+        it { expect(settings.appsec.auto_user_instrumentation.mode).to eq('identification') }
+      end
+    end
+
     describe 'block' do
       describe 'templates' do
         [
