chore(asm): improve api security import condition (#8609) [backport 2…

….6] (#8641) Following #8226, this PR ensure that we never import api security manager module if the WAF is unavailable or asm is disabled or api security is disabled. - Add one finite state (bool) to the asm config `_api_security_active` to keep track of API Security Manager - Update and check that state in `_default_span_processors_factory`. ## Checklist - [x] Change(s) are motivated and described in the PR description - [x] Testing strategy is described if automated tests are not included in the PR - [x] Risks are described (performance impact, potential for breakage, maintainability) - [x] Change is maintainable (easy to change, telemetry, documentation) - [x] [Library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html) are followed or label `changelog/no-changelog` is set - [x] Documentation is included (in-code, generated user docs, [public corp docs](https://github.com/DataDog/documentation/)) - [x] Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)) - [x] If this PR changes the public interface, I've notified `@DataDog/apm-tees`. - [x] If change touches code that signs or publishes builds or packages, or handles credentials of any kind, I've requested a review from `@DataDog/security-design-and-guidance`. ## Reviewer Checklist - [x] Title is accurate - [x] All changes are related to the pull request's stated goal - [x] Description motivates each change - [x] Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes - [x] Testing strategy adequately addresses listed risks - [x] Change is maintainable (easy to change, telemetry, documentation) - [x] Release note makes sense to a user of the library - [x] Author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment - [x] Backport labels are set in a manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting) (cherry picked from commit 9d5ff05)
DataDog · Mar 8, 2024 · c97db33 · c97db33
1 parent a3685bc
commit c97db33
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 2 deletions.
diff --git a/ddtrace/appsec/_api_security/api_manager.py b/ddtrace/appsec/_api_security/api_manager.py
@@ -52,6 +52,7 @@ def enable(cls):
             log.debug("%s already enabled", cls.__name__)
             return
 
+        asm_config._api_security_active = True
         log.debug("Enabling %s", cls.__name__)
         metrics.enable()
         cls._instance = cls()
@@ -65,6 +66,7 @@ def disable(cls):
             log.debug("%s not enabled", cls.__name__)
             return
 
+        asm_config._api_security_active = False
         log.debug("Disabling %s", cls.__name__)
         cls._instance.stop()
         cls._instance = None

diff --git a/ddtrace/appsec/_utils.py b/ddtrace/appsec/_utils.py
@@ -71,7 +71,12 @@ def _appsec_rc_features_is_enabled() -> bool:
 
 
 def _appsec_apisec_features_is_active() -> bool:
-    return asm_config._asm_enabled and asm_config._api_security_enabled and asm_config._api_security_sample_rate > 0.0
+    return (
+        asm_config._asm_libddwaf_available
+        and asm_config._asm_enabled
+        and asm_config._api_security_enabled
+        and asm_config._api_security_sample_rate > 0.0
+    )
 
 
 def _safe_userid(user_id):

diff --git a/ddtrace/settings/asm.py b/ddtrace/settings/asm.py
@@ -46,6 +46,10 @@ class ASMConfig(Env):
     _api_security_enabled = Env.var(bool, API_SECURITY.ENV_VAR_ENABLED, default=True)
     _api_security_sample_rate = Env.var(float, API_SECURITY.SAMPLE_RATE, validator=_validate_sample_rate, default=0.1)
     _api_security_parse_response_body = Env.var(bool, API_SECURITY.PARSE_RESPONSE_BODY, default=True)
+
+    # internal state of the API security Manager service.
+    # updated in API Manager enable/disable
+    _api_security_active = False
     _asm_libddwaf = build_libddwaf_filename()
     _asm_libddwaf_available = os.path.exists(_asm_libddwaf)
 
@@ -99,3 +103,4 @@ class ASMConfig(Env):
 if not config._asm_libddwaf_available:
     config._asm_enabled = False
     config._iast_enabled = False
+    config._api_security_enabled = False
diff --git a/ddtrace/tracer.py b/ddtrace/tracer.py
@@ -139,7 +139,10 @@ def _default_span_processors_factory(
             if appsec_processor:
                 span_processors.append(appsec_processor)
         else:
-            if asm_config._api_security_enabled:
+            # api_security_active will keep track of the service status of APIManager
+            # we don't want to import the module if it was not started before due to
+            # one click activation of ASM via Remote Config
+            if asm_config._api_security_active:
                 from ddtrace.appsec._api_security.api_manager import APIManager
 
                 APIManager.disable()