
appsec: differentiate user login and user set event #2956

Merged: 1 commit merged into main from eliott.bouhana/differentiate-user-login-user-set, Oct 30, 2024

Conversation

eliottness (Contributor)

@eliottness eliottness commented Oct 30, 2024

What does this PR do?

Rework user login WAF addresses passing by differentiating a simple authenticated request and a user login request.

Motivation

Better ATO detection

Reviewer's Checklist

  • Changed code has unit tests for its functionality at or near 100% coverage.
  • System-Tests covering this feature have been added and enabled with the va.b.c-dev version tag.
  • There is a benchmark for any new code, or changes to existing code.
  • If this interacts with the agent in a new way, a system test has been added.
  • Add an appropriate team label so this PR gets put in the right place for the release notes.
  • Non-trivial go.mod changes, e.g. adding new modules, are reviewed by @DataDog/dd-trace-go-guild.

Unsure? Have a question? Request a review!

@eliottness eliottness marked this pull request as ready for review October 30, 2024 09:56
@eliottness eliottness requested a review from a team as a code owner October 30, 2024 09:56
@pr-commenter

pr-commenter bot commented Oct 30, 2024

Benchmarks

Benchmark execution time: 2024-10-30 17:19:43

Comparing candidate commit 786aa68 in PR branch eliott.bouhana/differentiate-user-login-user-set with baseline commit 6b5e01a in branch main.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 58 metrics, 1 unstable metrics.

@@ -61,11 +65,10 @@ func SetUser(ctx context.Context, id string, opts ...tracer.UserMonitoringOption
return nil
}

op, errPtr := usersec.StartUserLoginOperation(ctx, usersec.UserLoginOperationArgs{})
op, errPtr := usersec.StartUserLoginOperation(ctx, userEventType, usersec.UserLoginOperationArgs{})
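Review bot: `userEventType` is passed as the new second argument to `usersec.StartUserLoginOperation`, but nothing in this hunk shows where `SetUser` assigns it; since this is the set-user path and not a login, it must be the value that marks a plain authenticated request, otherwise every `SetUser` call is still fed to the WAF as a login attempt and the differentiation this PR is about is lost. Also, a function that now starts both kinds of event is misnamed as `StartUserLoginOperation`; a name that does not say `Login` would avoid the "fake login" reading raised below.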
Contributor


appsec.SetUser doing a fake user login event is a bad design idea.

Generally speaking, all those fake operations come from the time we didn't have EmitData, and I believe they should be replaced by it to simplify everything.

Contributor Author


It's not really a "fake" user login operation, it's just badly named so I renamed it.

We can't use EmitData yet because we are missing context on the listener side of things, but it could also be useful if we want to do some autoinstrumentation on auth frameworks later.

)

const errorLog = `
appsec: user login monitoring ignored: could not find the http handler instrumentation metadata in the request context:
the request handler is not being monitored by a middleware function or the provided context is not the expected request context
the request handler is not being monitored by a middleware function or the provided context is not the expected request context.
If the user has been blocked using remote rules, blocking will still be enforced but it will not be reported.
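Review bot: the added sentence "If the user has been blocked using remote rules, blocking will still be enforced but it will not be reported." is ambiguous in a log that is emitted precisely because the handler is not monitored: a support engineer reading it cannot tell which component still enforces the block in that situation, or what "not reported" means for the login event. Either state exactly which path enforces and which reporting is skipped, or drop the sentence and keep the message to the missing-metadata condition it already describes.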
Contributor


I don't understand it.
Remember this log is mostly there for customer support cases, and not meant to be understood by the users themselves.

Contributor Author


Yes, you are right, I removed it.

@eliottness eliottness force-pushed the eliott.bouhana/differentiate-user-login-user-set branch from 857c3a3 to 786aa68 on October 30, 2024 16:35
@eliottness eliottness merged commit 0bd0a8c into main Oct 30, 2024
171 checks passed
@eliottness eliottness deleted the eliott.bouhana/differentiate-user-login-user-set branch October 30, 2024 17:50