Merge branch 'release.script/changelog-update-2.9.0' into erikayasuda…

…/2.9.0-releasentoe
DataDog · Jun 10, 2024 · 795aae2 · 795aae2
2 parents d15dcf6 + 989f049
commit 795aae2
Show file tree

Hide file tree

Showing 5 changed files with 353 additions and 1 deletion.
diff --git a/ddtrace/_trace/tracer.py b/ddtrace/_trace/tracer.py
@@ -27,6 +27,7 @@
 from ddtrace._trace.processor import TraceTagsProcessor
 from ddtrace._trace.provider import DefaultContextProvider
 from ddtrace._trace.span import Span
+from ddtrace.appsec._constants import APPSEC
 from ddtrace.constants import ENV_KEY
 from ddtrace.constants import HOSTNAME_KEY
 from ddtrace.constants import PID
@@ -796,7 +797,9 @@ def _start_span(
             if span._local_root is None:
                 span._local_root = span
             for k, v in _get_metas_to_propagate(context):
-                if k != SAMPLING_DECISION_TRACE_TAG_KEY:
+                # We do not want to propagate AppSec propagation headers
+                # to children spans, only across distributed spans
+                if k not in (SAMPLING_DECISION_TRACE_TAG_KEY, APPSEC.PROPAGATION_HEADER):
                     span._meta[k] = v
         else:
             # this is the root span of a new trace

diff --git a/ddtrace/appsec/_trace_utils.py b/ddtrace/appsec/_trace_utils.py
@@ -29,6 +29,7 @@ def _asm_manual_keep(span: Span) -> None:
 
     # set Security propagation tag
     span.set_tag_str(APPSEC.PROPAGATION_HEADER, "1")
+    span.context._meta[APPSEC.PROPAGATION_HEADER] = "1"
 
 
 def _track_user_login_common(

diff --git a/ddtrace/propagation/http.py b/ddtrace/propagation/http.py
@@ -25,6 +25,8 @@
 from ddtrace._trace.span import _get_64_highest_order_bits_as_hex
 from ddtrace._trace.span import _get_64_lowest_order_bits_as_int
 from ddtrace._trace.span import _MetaDictType
+from ddtrace.appsec._constants import APPSEC
+from ddtrace.settings.asm import config as asm_config
 
 from ..constants import AUTO_KEEP
 from ..constants import AUTO_REJECT
@@ -230,6 +232,11 @@ def _inject(span_context, headers):
             log.debug("tried to inject invalid context %r", span_context)
             return
 
+        # When in appsec standalone mode, only distributed traces with the `_dd.p.appsec` tag
+        # are propagated. If the tag is not present, we should not propagate downstream.
+        if asm_config._appsec_standalone_enabled and (APPSEC.PROPAGATION_HEADER not in span_context._meta):
+            return
+
         if span_context.trace_id > _MAX_UINT_64BITS:
             # set lower order 64 bits in `x-datadog-trace-id` header. For backwards compatibility these
             # bits should be converted to a base 10 integer.
@@ -343,6 +350,16 @@ def _extract(headers):
             if meta:
                 meta = validate_sampling_decision(meta)
 
+            if asm_config._appsec_standalone_enabled:
+                # When in appsec standalone mode, only distributed traces with the `_dd.p.appsec` tag
+                # are propagated downstream, however we need 1 trace per minute sent to the backend, so
+                # we unset sampling priority so the rate limiter decides.
+                if not meta or APPSEC.PROPAGATION_HEADER not in meta:
+                    sampling_priority = None
+                # If the trace has appsec propagation tag, the default priority is user keep
+                elif meta and APPSEC.PROPAGATION_HEADER in meta:
+                    sampling_priority = 2  # type: ignore[assignment]
+
             return Context(
                 # DEV: Do not allow `0` for trace id or span id, use None instead
                 trace_id=trace_id or None,

diff --git a/ddtrace/settings/asm.py b/ddtrace/settings/asm.py
@@ -107,6 +107,7 @@ class ASMConfig(Env):
     # for tests purposes
     _asm_config_keys = [
         "_asm_enabled",
+        "_appsec_standalone_enabled",
         "_iast_enabled",
         "_ep_enabled",
         "_use_metastruct_for_triggers",