Add session tracking to the devise contrib

Author: Strech

lib/datadog/appsec/contrib/devise/ext.rb

@@ -18,6 +18,7 @@ module Ext
           TAG_DD_LOGIN_FAILURE_MODE = '_dd.appsec.events.users.login.failure.auto.mode'
 
           TAG_USR_ID = 'usr.id'
+          TAG_SESSION_ID = 'usr.session_id'
           TAG_SIGNUP_TRACK = 'appsec.events.users.signup.track'
           TAG_SIGNUP_USR_ID = 'appsec.events.users.signup.usr.id'
           TAG_SIGNUP_USR_LOGIN = 'appsec.events.users.signup.usr.login'

lib/datadog/appsec/contrib/devise/tracking_middleware.rb

@@ -10,6 +10,7 @@ module Devise
         # A Rack middleware capable of tracking currently signed user
         class TrackingMiddleware
           WARDEN_KEY = 'warden'
+          SESSION_ID_KEY = 'session_id'
 
           def initialize(app)
             @app = app
@@ -32,16 +33,28 @@ def call(env)
               return @app.call(env)
             end
 
+            # NOTE: Rails session id will be set for unauthenticated users as well,
+            #       so we need to make sure we are tracking only authenticated users.
             id = transform(extract_id(env[WARDEN_KEY]))
+            session_id = env[WARDEN_KEY].raw_session[SESSION_ID_KEY] if id
+
             if id
-              unless context.span.has_tag?(Ext::TAG_USR_ID)
-                context.span[Ext::TAG_USR_ID] = id
+              # NOTE: There is no option to set session id without setting user id via SDK.
+              unless context.span.has_tag?(Ext::TAG_USR_ID) && context.span.has_tag?(Ext::TAG_SESSION_ID)
+                user_id = context.span[Ext::TAG_USR_ID] || id
+                user_session_id = context.span[Ext::TAG_SESSION_ID] || session_id
+
+                # FIXME: The current implementation of event arguments is forsing us
+                #        to bloat User class, and pass nil-value instead of skip
+                #        passing them at first place.
+                #        This is a temporary situation until we refactor events model.
                 AppSec::Instrumentation.gateway.push(
-                  'identity.set_user', AppSec::Instrumentation::Gateway::User.new(id, nil)
+                  'identity.set_user', AppSec::Instrumentation::Gateway::User.new(user_id, nil, user_session_id)
                 )
               end
 
-              context.span[Ext::TAG_DD_USR_ID] = id.to_s
+              context.span[Ext::TAG_USR_ID] ||= id
+              context.span[Ext::TAG_DD_USR_ID] = id
               context.span[Ext::TAG_DD_COLLECTION_MODE] ||= Configuration.auto_user_instrumentation_mode
             end
 

lib/datadog/appsec/monitor/gateway/watcher.rb

@@ -21,24 +21,26 @@ def watch_user_id(gateway = Instrumentation.gateway)
               gateway.watch('identity.set_user', :appsec) do |stack, user|
                 context = AppSec.active_context
 
-                if user.id.nil? && user.login.nil?
+                if user.id.nil? && user.login.nil? && user.session_id.nil?
                   Datadog.logger.debug { 'AppSec: skipping WAF check because no user information was provided' }
                   next stack.call(user)
                 end
 
                 persistent_data = {}
                 persistent_data['usr.id'] = user.id if user.id
                 persistent_data['usr.login'] = user.login if user.login
+                persistent_data['usr.session_id'] = user.session_id if user.session_id
 
                 result = context.run_waf(persistent_data, {}, Datadog.configuration.appsec.waf_timeout)
 
-                if result.match?
-                  AppSec::Event.tag_and_keep!(context, result)
-
+                if result.match? || !result.derivatives.empty?
                   context.events.push(
                     AppSec::SecurityEvent.new(result, trace: context.trace, span: context.span)
                   )
+                end
 
+                if result.match?
+                  AppSec::Event.tag_and_keep!(context, result)
                   AppSec::ActionsHandler.handle(result.actions)
                 end
 

sig/datadog/appsec/contrib/devise/ext.rbs

@@ -11,6 +11,8 @@ module Datadog
 
           TAG_USR_ID: ::String
 
+          TAG_SESSION_ID: ::String
+
           TAG_LOGIN_SUCCESS_TRACK: ::String
 
           TAG_LOGIN_SUCCESS_USR_LOGIN: ::String

sig/datadog/appsec/contrib/devise/tracking_middleware.rbs

@@ -5,6 +5,8 @@ module Datadog
         class TrackingMiddleware
           WARDEN_KEY: ::String
 
+          SESSION_ID_KEY: ::String
+
           @app: untyped
 
           def initialize: (untyped app) -> void