Merge branch 'main' into APPSEC-53118-iast_integration_tests

.github/CODEOWNERS

@@ -43,6 +43,7 @@ ddtrace/internal/codeowners.py      @DataDog/apm-core-python @datadog/ci-app-lib
 ddtrace/internal/coverage           @DataDog/apm-core-python @datadog/ci-app-libraries @Datadog/debugger-python
 tests/internal/test_codeowners.py   @datadog/ci-app-libraries
 tests/ci_visibility                 @DataDog/ci-app-libraries
+tests/coverage                      @DataDog/apm-core-python @DataDog/ci-app-libraries @Datadog/debugger-python
 tests/tracer/test_ci.py             @DataDog/ci-app-libraries
 ddtrace/ext/git.py                  @DataDog/ci-app-libraries @DataDog/apm-core-python
 
@@ -88,11 +89,13 @@ ddtrace/llmobs/                                     @DataDog/ml-observability
 ddtrace/contrib/openai                              @DataDog/ml-observability
 ddtrace/contrib/langchain                           @DataDog/ml-observability
 ddtrace/contrib/botocore/services/bedrock.py        @DataDog/ml-observability
+ddtrace/contrib/anthropic                           @DataDog/ml-observability
 tests/llmobs                                        @DataDog/ml-observability
 tests/contrib/openai                                @DataDog/ml-observability
 tests/contrib/langchain                             @DataDog/ml-observability
 tests/contrib/botocore/test_bedrock.py              @DataDog/ml-observability
 tests/contrib/botocore/bedrock_cassettes            @DataDog/ml-observability
+tests/contrib/anthropic                             @DataDog/ml-observability
 
 # Remote Config
 ddtrace/internal/remoteconfig       @DataDog/remote-config @DataDog/apm-core-python

.github/workflows/lib-injection.yml

@@ -51,7 +51,7 @@ jobs:
             repository: 'DataDog/system-tests'
 
       - name: Install runner
-        uses: ./.github/actions/install_runner 
+        uses: ./.github/actions/install_runner
 
       - name: Run K8s Lib Injection Tests
         run: ./run.sh K8S_LIB_INJECTION_BASIC
@@ -79,7 +79,7 @@ jobs:
           'dd-lib-python-init-test-django-uvicorn',
           'dd-lib-python-init-test-django-no-perms',
           'dd-lib-python-init-test-django-pre-installed',
-          'dd-lib-python-init-test-django-unsupported-python',
+          'dd-lib-python-init-test-django-unsupported-package-force',
         ]
       fail-fast: false
     steps:
@@ -115,13 +115,64 @@ jobs:
         run: |
           curl http://localhost:18080
           sleep 1  # wait for traces to be sent
+      - name: Check mocked telemetry
+        run: |
+           cd lib-injection
+           docker exec lib-injection-app_local-1 sh -c "cd .. && [ ! -f src/validate_telemetry.py ] || cat src/mock-telemetry.out | python src/validate_telemetry.py"
       - name: Print traces
         run: curl http://localhost:8126/test/traces
       - name: Check test agent received a trace
         run: |
           N=$(curl http://localhost:8126/test/traces | jq -r -e 'length')
           [[ $N == "1" ]]
-      - name: Output app logs (LOOK HERE IF THE JOB FAILS)
-        if: success() || failure()
+
+  test_unit_no_instrumentation:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        variant: [
+          'dd-lib-python-init-test-django-unsupported-python',
+          'dd-lib-python-init-test-django-unsupported-package',
+        ]
+      fail-fast: false
+    steps:
+      - uses: actions/checkout@v4
+      - name: Build and run the app
         run: |
+          SRC="$(pwd)"
+          cd lib-injection
+          export DDTRACE_PYTHON_VERSION="v2.6.3"
+          export APP_CONTEXT="${SRC}/tests/lib-injection/${{matrix.variant}}"
+          export TEMP_DIR="${SRC}/tmp/ddtrace"
+          mkdir -p "${TEMP_DIR}"
+          # Give the temp dir permissions, by default the docker user doesn't have permissions
+          # to write to the filesystem.
+          chmod 777 $TEMP_DIR
+          # Start the lib_inject to get the files copied. This avoids a race condition with the startup of the
+          # application.
+          docker compose up --build lib_inject
+          docker compose up --build -d
+          # Wait for the app to start
+          sleep 60
           docker compose logs
+      - name: Check Permissions on ddtrace pkgs
+        run: |
+           cd lib-injection
+           # Ensure /datadog-lib/ddtrace_pkgs is a valid directory that is not empty
+           docker compose run lib_inject find /datadog-init/ddtrace_pkgs -maxdepth 0 -empty | wc -l && if [ $? -ne 0 ]; then exit 1; fi
+           # Ensure files are not world writeable
+           docker compose run lib_inject find /datadog-init/ddtrace_pkgs ! -perm /o+w | wc -l && if [ $? -ne 0 ]; then exit 1; fi
+           # Ensure all users have read and execute permissions to files stored in /datadog-lib/ddtrace_pkgs
+           docker compose run lib_inject find /datadog-init/ddtrace_pkgs ! -perm u=rwx,o=rx | wc -l && if [ $? -ne 0 ]; then exit 1; fi
+      - name: Test the app
+        run: |
+          curl http://localhost:18080
+          sleep 1  # wait for traces to be sent
+      - name: Check mocked telemetry
+        run: |
+           cd lib-injection
+           docker exec lib-injection-app_local-1 sh -c "cd .. && [ ! -f src/validate_telemetry.py ] || cat src/mock-telemetry.out | python src/validate_telemetry.py"
+      - name: Check test agent received no trace
+        run: |
+          N=$(curl http://localhost:8126/test/traces | jq -r -e 'length')
+          [[ $N == "0" ]]

.gitlab/build-oci.sh

@@ -41,6 +41,8 @@ fi
 echo -n $PYTHON_PACKAGE_VERSION > auto_inject-python.version
 cp ../lib-injection/sitecustomize.py $BUILD_DIR/
 cp auto_inject-python.version $BUILD_DIR/version
+cp ../min_compatible_versions.csv $BUILD_DIR/
+cp ../lib-injection/telemetry-forwarder.sh $BUILD_DIR/
 chmod -R o-w $BUILD_DIR
 chmod -R g-w $BUILD_DIR