appsec: add Start() and Stop() to API #2507

Draft
wants to merge 2 commits into
base: main

Contributor

@eliottness eliottness commented Jan 16, 2024

What does this PR do?

This PR adds Start and Stop, along with options for them, to the appsec public API for programmatic access to enabling ASM Threats.

Motivation

We would like to have a way to enable and configure ASM directly in consul internally in Datadog. A Version 1 of this works already but requires redeploying everything, which can be slow and cannot be done by us. A way to dynamically activate ASM, but more granularly than Remote Activation, is required to make this happen.

Reviewer's Checklist

  • Changed code has unit tests for its functionality at or near 100% coverage.
  • System-Tests covering this feature have been added and enabled with the va.b.c-dev version tag.
  • There is a benchmark for any new code, or changes to existing code.
  • If this interacts with the agent in a new way, a system test has been added.
  • Add an appropriate team label so this PR gets put in the right place for the release notes.
  • Non-trivial go.mod changes, e.g. adding new modules, are reviewed by @DataDog/dd-trace-go-guild.

For Datadog employees:

  • If this PR touches code that handles credentials of any kind, such as Datadog API keys, I've requested a review from @DataDog/security-design-and-guidance.
  • This PR doesn't touch any of that.

Unsure? Have a question? Request a review!

@eliottness eliottness changed the title appsec: add appsec.Start() and appsec.Stop() to appsec API appsec: add Start() and Stop() to API Jan 16, 2024
@eliottness eliottness self-assigned this Jan 16, 2024
@eliottness eliottness force-pushed the eliott.bouhana/public-appsec-start branch from 6ad9c86 to 1dd09f2 Compare January 25, 2024 16:17
@github-actions github-actions bot added the apm:ecosystem contrib/* related feature requests or bugs label Jan 25, 2024
Signed-off-by: Eliott Bouhana <eliott.bouhana@datadoghq.com>
Signed-off-by: Eliott Bouhana <eliott.bouhana@datadoghq.com>
@eliottness eliottness force-pushed the eliott.bouhana/public-appsec-start branch from 06cc2fd to 33d8249 Compare January 25, 2024 16:33

pr-commenter bot commented Jan 25, 2024

Benchmarks

Benchmark execution time: 2024-01-25 16:50:37

Comparing candidate commit 33d8249 in PR branch eliott.bouhana/public-appsec-start with baseline commit c03c56b in branch main.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 39 metrics, 2 unstable metrics.

Contributor

I think we should align with the new "Go style" used in v2 for options - I think we decided to go with a simple public config struct

Comment on lines +64 to +69
// WithCodeActivation enable or disable Appsec. Can also be set using `DD_APPSEC_ENABLED`.
func WithCodeActivation(enable bool) StartOption {
return func(c *internalConfig.Config) {
c.CodeActivation = &enable
}
}
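Review bot: The doc comment on WithCodeActivation says the setting can also be set using `DD_APPSEC_ENABLED`, but it does not say which source wins when the option and the environment variable disagree. State the precedence in the comment, since a caller reading only this line will assume the code option is final. The sentence should also begin "WithCodeActivation enables or disables ..." so it reads as a Go doc sentence.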
Contributor

I propose to hide this detail and hard-code c.CodeAction = true in public_appsec.Start() when called.

Suggested change
// WithCodeActivation enable or disable Appsec. Can also be set using `DD_APPSEC_ENABLED`.
func WithCodeActivation(enable bool) StartOption {
return func(c *internalConfig.Config) {
c.CodeActivation = &enable
}
}

A user should just write appsec.Start(cfg) to be able to start ASM with this option explicitly set.

Comment on lines +57 to +62
// WithRCActive enable or disable Remote Configuration for Appsec Datadog feature.
func WithRCActive(enable bool) StartOption {
return func(c *internalConfig.Config) {
c.RCEnabled = enable
}
}
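Review bot: The comment on WithRCActive does not say what the default is when the option is omitted, and `c.RCEnabled = enable` stores a plain bool, so the config cannot tell "explicitly disabled" from "not set" the way the `*bool` assigned in WithCodeActivation can. Document the default in the comment, or use the same pointer form if that distinction matters.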
Contributor

I don't see any usefulness for this. ASM without RC doesn't make sense, as RC brings all the protection features, and protection features are our main ASM value.

Comment on lines +168 to +171
if !tracer.IsUpAndRunning() {
tracerNotStarted.Do(func() { log.Error("appsec: tracer not started. appsec won't start. Please use tracer.Start() first") })
return
}
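Review bot: When `tracer.IsUpAndRunning()` is false, this branch logs and then hits a bare `return`, so a caller has no way to detect that AppSec stayed off. Consider returning an error, or exposing a status the caller can check after the call. Because the log call is wrapped in `tracerNotStarted.Do(...)`, only the first failed attempt appears to be logged, and later failed calls would be silent.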
Contributor

WDYT of doing it the other way around: asking public_appsec.Start users to do it before tracer.Start so that we can just accept the first config being started with. Today's implementation restarts when private_appsec.Start is called multiple times.

appsec.Start(cfg1)
tracer.Start(cfg2)

or even simpler for this first iteration:

tracer.Start(tracer.WithAppSecConfig(cfg))

// and enforces to have AppSec disabled.
enabled, set, err := config.IsEnabled()
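Review bot: The comment line "// and enforces to have AppSec disabled." does not say which condition forces the disabled state. Since `config.IsEnabled()` returns three values (`enabled, set, err`), spell out in the comment what each combination leads to, including the `err != nil` case.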
Contributor

I haven't read the full logic, but here is what's important: DD_APPSEC_ENABLED=false must always disable AppSec, no matter what else is trying to enable it. So code activation + DD_APPSEC_ENABLED=false => appsec disabled.
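
The precedence rule stated in the comment above, written out as an added Go example; it is not code from this PR or from dd-trace-go. `resolveActivation` and `Decision` are hypothetical names. Two behaviours are assumptions the thread does not settle: a set variable is authoritative in both directions, and an unparsable value leaves AppSec disabled and returns an error.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
)

// Decision is the resolved AppSec state plus the source that decided it.
// Hypothetical type, not part of dd-trace-go.
type Decision struct {
	Enabled bool
	Source  string
}

// resolveActivation applies the rule "DD_APPSEC_ENABLED=false always
// disables AppSec, even when code asks to enable it".
// envVal/envSet mirror os.LookupEnv; codeActivation is nil when the
// program did not request activation in code.
func resolveActivation(envVal string, envSet bool, codeActivation *bool) (Decision, error) {
	if envSet {
		enabled, err := strconv.ParseBool(envVal)
		if err != nil {
			// Assumption: an unparsable value never enables AppSec.
			return Decision{Enabled: false, Source: "env:invalid"},
				fmt.Errorf("DD_APPSEC_ENABLED=%q: %w", envVal, err)
		}
		// Assumption: a set variable overrides the code option both ways.
		return Decision{Enabled: enabled, Source: "env"}, nil
	}
	if codeActivation != nil {
		return Decision{Enabled: *codeActivation, Source: "code"}, nil
	}
	return Decision{Enabled: false, Source: "default"}, nil
}

func main() {
	on := true // the program asks for activation in code
	val, set := os.LookupEnv("DD_APPSEC_ENABLED")
	d, err := resolveActivation(val, set, &on)
	fmt.Printf("enabled=%v source=%s err=%v\n", d.Enabled, d.Source, err)
}
```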


This PR is stale because it has been open 20 days with no activity. Remove stale label or comment or this will be closed in 10 days.

@github-actions github-actions bot added the stale Stuck for more than 1 month label Feb 15, 2024
Labels
apm:ecosystem contrib/* related feature requests or bugs stale Stuck for more than 1 month
2 participants