Handle business logic events

* Update system-tests target

Author: Strech

.github/workflows/system-tests.yml

@@ -22,7 +22,7 @@ permissions: {}
 env:
   REGISTRY: ghcr.io
   REPO: ghcr.io/datadog/dd-trace-rb
-  SYSTEM_TESTS_REF: appsec-57504-enable-session-tracking-and-fingerprinting # This must always be set to `main` on dd-trace-rb's master branch
+  SYSTEM_TESTS_REF: appsec-57237-ruby-enable-session-fingerprinting # This must always be set to `main` on dd-trace-rb's master branch
 
 jobs:
   changes:

lib/datadog/appsec/monitor/gateway/watcher.rb

@@ -10,11 +10,17 @@ module Monitor
       module Gateway
         # Watcher for Apssec internal events
         module Watcher
+          ARBITRARY_VALUE = 'invalid'
+          EVENT_LOGIN_SUCCESS = 'users.login.success'
+          EVENT_LOGIN_FAILURE = 'users.login.failure'
+          WATCHED_LOGIN_EVENTS = [EVENT_LOGIN_SUCCESS, EVENT_LOGIN_FAILURE].freeze
+
           class << self
             def watch
               gateway = Instrumentation.gateway
 
               watch_user_id(gateway)
+              watch_user_login(gateway)
             end
 
             def watch_user_id(gateway = Instrumentation.gateway)
@@ -47,6 +53,30 @@ def watch_user_id(gateway = Instrumentation.gateway)
                 stack.call(user)
               end
             end
+
+            def watch_user_login(gateway = Instrumentation.gateway)
+              gateway.watch('appsec.events.user_lifecycle', :appsec) do |stack, kind|
+                context = AppSec.active_context
+
+                next stack.call(kind) unless WATCHED_LOGIN_EVENTS.include?(kind)
+
+                persistent_data = { "server.business_logic.#{kind}" => ARBITRARY_VALUE }
+                result = context.run_waf(persistent_data, {}, Datadog.configuration.appsec.waf_timeout)
+
+                if result.match? || !result.derivatives.empty?
+                  context.events.push(
+                    AppSec::SecurityEvent.new(result, trace: context.trace, span: context.span)
+                  )
+                end
+
+                if result.match?
+                  AppSec::Event.tag_and_keep!(context, result)
+                  AppSec::ActionsHandler.handle(result.actions)
+                end
+
+                stack.call(kind)
+              end
+            end
           end
         end
       end

sig/datadog/appsec/monitor/gateway/watcher.rbs

@@ -3,9 +3,19 @@ module Datadog
     module Monitor
       module Gateway
         module Watcher
+          ARBITRARY_VALUE: ::String
+
+          EVENT_LOGIN_SUCCESS: ::String
+
+          EVENT_LOGIN_FAILURE: ::String
+
+          WATCHED_LOGIN_EVENTS: ::Array[::String]
+
           def self.watch: () -> untyped
 
-          def self.watch_user_id: (?Datadog::AppSec::Instrumentation::Gateway gateway) -> untyped
+          def self.watch_user_id: (?Instrumentation::Gateway gateway) -> void
+
+          def self.watch_user_login: (?Instrumentation::Gateway gateway) -> void
         end
       end
     end

spec/datadog/appsec/contrib/integration/rack/session_fingerprint_collection_for_business_events_spec.rb

@@ -0,0 +1,98 @@
+# frozen_string_literal: true
+
+require 'datadog/tracing/contrib/support/spec_helper'
+require 'datadog/appsec/spec_helper'
+require 'rack/test'
+
+require 'datadog/tracing'
+require 'datadog/appsec'
+require 'datadog/kit/appsec/events'
+
+RSpec.describe 'Session fingerprint collection for business events' do
+  include Rack::Test::Methods
+
+  before do
+    Datadog.configure do |c|
+      c.tracing.enabled = true
+
+      c.appsec.enabled = true
+      c.appsec.instrument :rack
+
+      c.appsec.waf_timeout = 10_000_000 # in us
+      c.appsec.ip_passlist = []
+      c.appsec.ip_denylist = []
+      c.appsec.user_id_denylist = []
+      c.appsec.ruleset = :recommended
+      c.appsec.api_security.enabled = false
+      c.appsec.api_security.sample_rate = 0.0
+
+      c.remote.enabled = false
+    end
+
+    allow(Datadog::AppSec::Instrumentation).to receive(:gateway).and_return(gateway)
+
+    # NOTE: Don't reach the agent in any way
+    allow_any_instance_of(Datadog::Tracing::Transport::HTTP::Client).to receive(:send_request)
+    allow_any_instance_of(Datadog::Tracing::Transport::Traces::Transport).to receive(:native_events_supported?)
+      .and_return(true)
+
+    Datadog::AppSec::Monitor::Gateway::Watcher.watch
+  end
+
+  after do
+    Datadog.configuration.reset!
+    Datadog.registry[:rack].reset_configuration!
+  end
+
+  let(:gateway) { Datadog::AppSec::Instrumentation::Gateway.new }
+
+  let(:http_service_entry_span) do
+    Datadog::Tracing::Transport::TraceFormatter.format!(trace)
+    spans.find { |s| s.name == 'rack.request' }
+  end
+
+  let(:app) do
+    stack = Rack::Builder.new do
+      use Datadog::Tracing::Contrib::Rack::TraceMiddleware
+      use Datadog::AppSec::Contrib::Rack::RequestMiddleware
+
+      map '/with-track-login-success' do
+        run(
+          lambda do |_env|
+            Datadog::Kit::AppSec::Events.track_login_success(
+              Datadog::Tracing.active_trace, Datadog::Tracing.active_span, user: { id: '42' }
+            )
+
+            [200, { 'Content-Type' => 'text/html' }, ['OK']]
+          end
+        )
+      end
+
+      map '/without-track-login-success' do
+        run ->(_env) { [200, { 'Content-Type' => 'text/html' }, ['OK']] }
+      end
+    end
+
+    stack.to_app
+  end
+
+  subject(:response) { last_response }
+
+  context 'when business event was pushed' do
+    before { get('/with-track-login-success') }
+
+    it 'collects session fingerprint' do
+      expect(response).to be_ok
+      expect(http_service_entry_span.tags).to include('_dd.appsec.fp.session' => String)
+    end
+  end
+
+  context 'when business event was not pushed' do
+    before { get('/without-track-login-success') }
+
+    it 'does not collect session fingerprint' do
+      expect(response).to be_ok
+      expect(http_service_entry_span.tags).not_to have_key('_dd.appsec.fp.session')
+    end
+  end
+end