Introduce separate AppSec gateway events for identity namespace

Author: y9v

lib/datadog/appsec/contrib/devise/patches/signin_tracking_patch.rb

@@ -63,7 +63,7 @@ def record_successful_signin(context, resource)
               #       and because of that we will trigger an additional event even
               #       if it was already done via the SDK
               AppSec::Instrumentation.gateway.push(
-                'identity.set_user', {id: id, login: login, framework: 'devise', event_type: 'login_success'}
+                'identity.devise.login_success', {id: id, login: login}
               )
             end
 
@@ -81,7 +81,7 @@ def record_failed_signin(context, resource)
                 context.span[Ext::TAG_LOGIN_FAILURE_USR_EXISTS] ||= 'false'
 
                 AppSec::Instrumentation.gateway.push(
-                  'identity.login_failure', {login: login, framework: 'devise'}
+                  'identity.devise.login_failure', {login: login}
                 )
 
                 return
@@ -100,7 +100,7 @@ def record_failed_signin(context, resource)
               context.span[Ext::TAG_LOGIN_FAILURE_USR_EXISTS] ||= 'true'
 
               AppSec::Instrumentation.gateway.push(
-                'identity.login_failure', {id: id, login: login, framework: 'devise'}
+                'identity.devise.login_failure', {id: id, login: login}
               )
             end
           end

lib/datadog/appsec/contrib/devise/patches/signup_tracking_patch.rb

@@ -59,7 +59,7 @@ def record_successful_signup(context, resource)
               #       and because of that we will trigger an additional event even
               #       if it was already done via the SDK
               AppSec::Instrumentation.gateway.push(
-                'identity.set_user', {id: id, login: login, framework: 'devise', event_type: 'signup'}
+                'identity.devise.signup', {id: id, login: login}
               )
             end
           end

lib/datadog/appsec/contrib/devise/tracking_middleware.rb

@@ -45,8 +45,8 @@ def call(env)
                 user_session_id = context.span[Ext::TAG_SESSION_ID] || session_id
 
                 AppSec::Instrumentation.gateway.push(
-                  'identity.set_user',
-                  {id: user_id, session_id: user_session_id, framework: 'devise', event_type: 'authenticated_request'}
+                  'identity.devise.authenticated_request',
+                  {id: user_id, session_id: user_session_id}
                 )
               end
 

lib/datadog/appsec/monitor/gateway/telemetry_watcher.rb

@@ -13,51 +13,57 @@ class << self
             def watch
               gateway = Instrumentation.gateway
 
-              watch_set_user(gateway)
-              watch_login_failure(gateway)
+              watch_user_lifecycle(gateway)
+              watch_authenticated_request(gateway)
             end
 
-            def watch_set_user(gateway = Instrumentation.gateway)
-              gateway.watch('identity.set_user') do |stack, user_info|
-                event_type = user_info[:event_type]
-                report_missing_user_telemetry(user_info, event_type) if event_type
+            def watch_user_lifecycle(gateway = Instrumentation.gateway)
+              %w[
+                identity.devise.login_success
+                identity.devise.login_failure
+                identity.devise.signup
+              ].each do |event_name|
+                gateway.watch(event_name) do |stack, user_info|
+                  _, framework, event_type = event_name.split('.')
+                  tags = {framework: framework, event_type: event_type}
 
-                stack.call(user_info)
-              end
-            end
+                  if user_info[:login].nil?
+                    AppSec.telemetry.inc(
+                      Ext::TELEMETRY_METRICS_NAMESPACE,
+                      'instrum.user_auth.missing_user_login',
+                      1,
+                      tags: tags,
+                    )
+                  end
 
-            def watch_login_failure(gateway = Instrumentation.gateway)
-              gateway.watch('identity.login_failure') do |stack, user_info|
-                report_missing_user_telemetry(user_info, 'login_failure')
+                  if user_info[:id].nil? && user_info[:login].nil?
+                    AppSec.telemetry.inc(
+                      Ext::TELEMETRY_METRICS_NAMESPACE,
+                      'instrum.user_auth.missing_user_id',
+                      1,
+                      tags: tags,
+                    )
+                  end
 
-                stack.call(user_info)
+                  stack.call(user_info)
+                end
               end
             end
 
-            private
+            def watch_authenticated_request(gateway = Instrumentation.gateway)
+              gateway.watch('identity.devise.authenticated_request') do |stack, user_info|
+                tags = {framework: 'devise', event_type: 'authenticated_request'}
 
-            def report_missing_user_telemetry(user_info, event_type)
-              tags = {framework: user_info[:framework], event_type: event_type}
+                if user_info[:id].nil?
+                  AppSec.telemetry.inc(
+                    Ext::TELEMETRY_METRICS_NAMESPACE,
+                    'instrum.user_auth.missing_user_id',
+                    1,
+                    tags: tags,
+                  )
+                end
 
-              missing_login = user_info[:login].nil?
-              missing_id = user_info[:id].nil?
-
-              if missing_login && event_type != 'authenticated_request'
-                AppSec.telemetry.inc(
-                  Ext::TELEMETRY_METRICS_NAMESPACE,
-                  'instrum.user_auth.missing_user_login',
-                  1,
-                  tags: tags,
-                )
-              end
-
-              if missing_id && (event_type == 'authenticated_request' || missing_login)
-                AppSec.telemetry.inc(
-                  Ext::TELEMETRY_METRICS_NAMESPACE,
-                  'instrum.user_auth.missing_user_id',
-                  1,
-                  tags: tags,
-                )
+                stack.call(user_info)
               end
             end
           end

lib/datadog/appsec/monitor/gateway/watcher.rb

@@ -15,6 +15,15 @@ module Watcher
           EVENT_LOGIN_FAILURE = 'users.login.failure'
           WATCHED_LOGIN_EVENTS = [EVENT_LOGIN_SUCCESS, EVENT_LOGIN_FAILURE].freeze
 
+          IDENTITY_EVENTS = %w[
+            identity.sdk.set_user
+            identity.sdk.login_failure
+            identity.devise.login_success
+            identity.devise.login_failure
+            identity.devise.signup
+            identity.devise.authenticated_request
+          ].freeze
+
           class << self
             def watch
               gateway = Instrumentation.gateway
@@ -24,33 +33,35 @@ def watch
             end
 
             def watch_user_id(gateway = Instrumentation.gateway)
-              gateway.watch('identity.set_user') do |stack, user_info|
-                context = AppSec.active_context
-
-                if user_info[:id].nil? && user_info[:login].nil? && user_info[:session_id].nil?
-                  Datadog.logger.debug { 'AppSec: skipping WAF check because no user information was provided' }
-                  next stack.call(user_info)
-                end
-
-                persistent_data = {}
-                persistent_data['usr.id'] = user_info[:id] if user_info[:id]
-                persistent_data['usr.login'] = user_info[:login] if user_info[:login]
-                persistent_data['usr.session_id'] = user_info[:session_id] if user_info[:session_id]
-
-                result = context.run_waf(persistent_data, {}, Datadog.configuration.appsec.waf_timeout)
-
-                if result.match? || result.attributes.any?
-                  context.events.push(
-                    AppSec::SecurityEvent.new(result, trace: context.trace, span: context.span)
-                  )
+              IDENTITY_EVENTS.each do |event_name|
+                gateway.watch(event_name) do |stack, user_info|
+                  context = AppSec.active_context
+
+                  if user_info[:id].nil? && user_info[:login].nil? && user_info[:session_id].nil?
+                    Datadog.logger.debug { 'AppSec: skipping WAF check because no user information was provided' }
+                    next stack.call(user_info)
+                  end
+
+                  persistent_data = {}
+                  persistent_data['usr.id'] = user_info[:id] if user_info[:id]
+                  persistent_data['usr.login'] = user_info[:login] if user_info[:login]
+                  persistent_data['usr.session_id'] = user_info[:session_id] if user_info[:session_id]
+
+                  result = context.run_waf(persistent_data, {}, Datadog.configuration.appsec.waf_timeout)
+
+                  if result.match? || result.attributes.any?
+                    context.events.push(
+                      AppSec::SecurityEvent.new(result, trace: context.trace, span: context.span)
+                    )
+                  end
+
+                  if result.match?
+                    AppSec::Event.tag(context, result)
+                    AppSec::ActionsHandler.handle(result.actions)
+                  end
+
+                  stack.call(user_info)
                 end
-
-                if result.match?
-                  AppSec::Event.tag(context, result)
-                  AppSec::ActionsHandler.handle(result.actions)
-                end
-
-                stack.call(user_info)
               end
             end
 

lib/datadog/kit/appsec/events/v2.rb

@@ -70,8 +70,7 @@ def track_user_login_success(login, user_or_id = nil, metadata = {})
 
               # NOTE: This is a fallback for the case when we don't have an ID,
               #       but need to trigger WAF.
-              user_info = {login: login, framework: 'sdk', event_type: 'login_success'}
-              ::Datadog::AppSec::Instrumentation.gateway.push('identity.set_user', user_info)
+              ::Datadog::AppSec::Instrumentation.gateway.push('identity.sdk.set_user', {login: login})
             end
 
             # Attach user login failure information to the service entry span
@@ -121,9 +120,7 @@ def track_user_login_failure(login, user_exists = false, metadata = {})
               record_event_telemetry_metric(LOGIN_FAILURE_EVENT)
               ::Datadog::AppSec::Instrumentation.gateway.push('appsec.events.user_lifecycle', LOGIN_FAILURE_EVENT)
 
-              user_info = {login: login, framework: 'sdk', event_type: 'login_failure'}
-              ::Datadog::AppSec::Instrumentation.gateway.push('identity.set_user', user_info)
-              ::Datadog::AppSec::Instrumentation.gateway.push('identity.login_failure', user_info)
+              ::Datadog::AppSec::Instrumentation.gateway.push('identity.sdk.login_failure', {login: login})
             end
 
             private

lib/datadog/kit/identity.rb

@@ -70,8 +70,9 @@ def set_user(
             if Datadog::AppSec.active_context
               active_span.set_tag('_dd.appsec.user.collection_mode', 'sdk')
 
-              user_info = {id: id, login: others[:login], session_id: session_id, framework: 'sdk'}
-              ::Datadog::AppSec::Instrumentation.gateway.push('identity.set_user', user_info)
+              ::Datadog::AppSec::Instrumentation.gateway.push(
+                'identity.sdk.set_user', {id: id, login: others[:login], session_id: session_id}
+              )
             end
           end
         end

spec/datadog/appsec/integration/contrib/devise/signin_single_user_tracking_spec.rb

@@ -119,7 +119,7 @@ def index
     allow(Datadog::AppSec::Instrumentation).to receive(:gateway).and_return(gateway)
     Datadog::AppSec::Monitor::Gateway::TelemetryWatcher.watch
 
-    allow(Datadog::AppSec.telemetry).to receive(:inc).and_call_original
+    allow(Datadog::AppSec.telemetry).to receive(:inc)
 
     # NOTE: Don't reach the agent in any way
     allow_any_instance_of(Datadog::Tracing::Transport::HTTP::Client).to receive(:send_request)

spec/datadog/appsec/monitor/gateway/telemetry_watcher_spec.rb

@@ -12,104 +12,72 @@
     allow(telemetry).to receive(:inc)
   end
 
-  describe '.watch_set_user' do
-    before { described_class.watch_set_user(gateway) }
+  describe '.watch_user_lifecycle' do
+    before { described_class.watch_user_lifecycle(gateway) }
 
-    %w[login_success signup].each do |event_type|
-      context "with #{event_type} event_type" do
+    %w[
+      identity.devise.login_success
+      identity.devise.login_failure
+      identity.devise.signup
+    ].each do |event_name|
+      _, framework, event_type = event_name.split('.')
+
+      context "with #{event_name}" do
         it 'reports missing_user_login when login is nil' do
           expect(telemetry).to receive(:inc).with(
             'appsec', 'instrum.user_auth.missing_user_login', 1,
-            tags: {framework: 'devise', event_type: event_type},
+            tags: {framework: framework, event_type: event_type},
           )
 
-          gateway.push('identity.set_user', {id: '123', framework: 'devise', event_type: event_type})
+          gateway.push(event_name, {id: '123'})
         end
 
         it 'reports both metrics when login and id are nil' do
           expect(telemetry).to receive(:inc).with(
             'appsec', 'instrum.user_auth.missing_user_login', 1,
-            tags: {framework: 'devise', event_type: event_type},
+            tags: {framework: framework, event_type: event_type},
           )
           expect(telemetry).to receive(:inc).with(
             'appsec', 'instrum.user_auth.missing_user_id', 1,
-            tags: {framework: 'devise', event_type: event_type},
+            tags: {framework: framework, event_type: event_type},
           )
 
-          gateway.push('identity.set_user', {framework: 'devise', event_type: event_type})
+          gateway.push(event_name, {})
         end
 
         it 'does not report any telemetry when login is present' do
           expect(telemetry).not_to receive(:inc)
 
-          gateway.push('identity.set_user', {login: 'alice', framework: 'devise', event_type: event_type})
+          gateway.push(event_name, {login: 'alice'})
         end
       end
     end
-
-    context 'with authenticated_request event_type' do
-      it 'reports missing_user_id when id is nil' do
-        expect(telemetry).to receive(:inc).with(
-          'appsec', 'instrum.user_auth.missing_user_id', 1,
-          tags: {framework: 'devise', event_type: 'authenticated_request'},
-        )
-
-        gateway.push('identity.set_user', {framework: 'devise', event_type: 'authenticated_request'})
-      end
-
-      it 'does not report missing_user_login even when login is nil' do
-        expect(telemetry).not_to receive(:inc).with(
-          'appsec', 'instrum.user_auth.missing_user_login', anything, anything,
-        )
-
-        gateway.push('identity.set_user', {framework: 'devise', event_type: 'authenticated_request'})
-      end
-
-      it 'does not report any telemetry when id is present' do
-        expect(telemetry).not_to receive(:inc)
-
-        gateway.push('identity.set_user', {id: '123', framework: 'devise', event_type: 'authenticated_request'})
-      end
-    end
-
-    context 'when event_type is not set' do
-      it 'does not report any telemetry' do
-        expect(telemetry).not_to receive(:inc)
-
-        gateway.push('identity.set_user', {id: '123', framework: 'sdk'})
-      end
-    end
   end
 
-  describe '.watch_login_failure' do
-    before { described_class.watch_login_failure(gateway) }
+  describe '.watch_authenticated_request' do
+    before { described_class.watch_authenticated_request(gateway) }
 
-    it 'reports missing_user_login when login is nil' do
+    it 'reports missing_user_id when id is nil' do
       expect(telemetry).to receive(:inc).with(
-        'appsec', 'instrum.user_auth.missing_user_login', 1,
-        tags: {framework: 'devise', event_type: 'login_failure'},
+        'appsec', 'instrum.user_auth.missing_user_id', 1,
+        tags: {framework: 'devise', event_type: 'authenticated_request'},
       )
 
-      gateway.push('identity.login_failure', {id: '123', framework: 'devise'})
+      gateway.push('identity.devise.authenticated_request', {})
     end
 
-    it 'reports both metrics when login and id are nil' do
-      expect(telemetry).to receive(:inc).with(
-        'appsec', 'instrum.user_auth.missing_user_login', 1,
-        tags: {framework: 'devise', event_type: 'login_failure'},
-      )
-      expect(telemetry).to receive(:inc).with(
-        'appsec', 'instrum.user_auth.missing_user_id', 1,
-        tags: {framework: 'devise', event_type: 'login_failure'},
+    it 'does not report missing_user_login even when login is nil' do
+      expect(telemetry).not_to receive(:inc).with(
+        'appsec', 'instrum.user_auth.missing_user_login', anything, anything,
       )
 
-      gateway.push('identity.login_failure', {framework: 'devise'})
+      gateway.push('identity.devise.authenticated_request', {})
     end
 
-    it 'does not report any telemetry when login is present' do
+    it 'does not report any telemetry when id is present' do
       expect(telemetry).not_to receive(:inc)
 
-      gateway.push('identity.login_failure', {login: 'alice', framework: 'devise'})
+      gateway.push('identity.devise.authenticated_request', {id: '123'})
     end
   end
 end