
fix(iast): set iast instrumented metrics at runtime, not at request time #8816

Merged
merged 6 commits into from
Apr 2, 2024

Conversation


@avara1986 avara1986 commented Apr 1, 2024

The instrumented metrics are independent of whether IAST is active in a request or not; they only depend on whether instrumentation is applied (which should only depend on DD_IAST_ENABLED=true). There are two sets of metrics: those with "instrumented" and those with "executed":

  • Instrumented metrics: A point has been patched where cookies (for example) can be tainted. It doesn't matter whether it is executed or not, the sampling rate, or whether there are cookies or not.
  • Executed metrics: The callback for handling cookies is actually executed.

Checklist

  • Change(s) are motivated and described in the PR description
  • Testing strategy is described if automated tests are not included in the PR
  • Risks are described (performance impact, potential for breakage, maintainability)
  • Change is maintainable (easy to change, telemetry, documentation)
  • Library release note guidelines are followed or label changelog/no-changelog is set
  • Documentation is included (in-code, generated user docs, public corp docs)
  • Backport labels are set (if applicable)
  • If this PR changes the public interface, I've notified @DataDog/apm-tees.
  • If change touches code that signs or publishes builds or packages, or handles credentials of any kind, I've requested a review from @DataDog/security-design-and-guidance.

Reviewer Checklist

  • Title is accurate
  • All changes are related to the pull request's stated goal
  • Description motivates each change
  • Avoids breaking API changes
  • Testing strategy adequately addresses listed risks
  • Change is maintainable (easy to change, telemetry, documentation)
  • Release note makes sense to a user of the library
  • Author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment
  • Backport labels are set in a manner that is consistent with the release branch maintenance policy
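The distinction the description draws is easy to get wrong in code: the "instrumented" counter must be emitted once, at patch time, gated only by the global enable flag, while the "executed" counter must be emitted per callback invocation regardless of per-request sampling. The following is an added illustration of that split, not dd-trace-py code; `patch_source`, `framework`, `TaintedDict`, the `iast_request_enabled` request key and the telemetry counter are all constructed for the example.

```python
"""Added example (not dd-trace-py code): keeping IAST "instrumented" telemetry
independent of request-time state, and "executed" telemetry independent of
request-level sampling."""
import functools
import types
from collections import Counter

INSTRUMENTED = "instrumented"  # recorded once, when the patch point is installed
EXECUTED = "executed"          # recorded every time the patched callback runs

# Hypothetical telemetry sink: counts keyed by (metric kind, source name).
telemetry = Counter()

# Constructed stand-in for a web framework module exposing a cookie accessor.
framework = types.SimpleNamespace(
    get_cookies=lambda request: dict(request.get("cookies", {})),
)
_ORIGINAL_GET_COOKIES = framework.get_cookies


class TaintedDict(dict):
    """Marker type for values read from a taint source (constructed here)."""


def patch_source(module, attr, source_name, iast_enabled):
    """Install the taint-source wrapper on module.attr.

    INSTRUMENTED is recorded here, at patch time, and depends only on
    iast_enabled (the role DD_IAST_ENABLED plays in the PR description).
    It never depends on whether any request is processed or sampled.
    """
    if not iast_enabled:
        return False
    original = getattr(module, attr)
    if getattr(original, "_iast_patched", False):
        return False  # idempotent: re-patching must not double-count

    @functools.wraps(original)
    def wrapper(request, *args, **kwargs):
        # EXECUTED fires on every call, sampled request or not: the callback
        # really ran, which is what this metric is meant to measure.
        telemetry[(EXECUTED, source_name)] += 1
        result = original(request, *args, **kwargs)
        if request.get("iast_request_enabled"):
            return TaintedDict(result)  # only sampled requests taint data
        return result

    wrapper._iast_patched = True
    setattr(module, attr, wrapper)
    telemetry[(INSTRUMENTED, source_name)] += 1
    return True


def simulate(iast_enabled, requests):
    """Patch once at startup, process constructed requests, return the counts."""
    telemetry.clear()
    framework.get_cookies = _ORIGINAL_GET_COOKIES  # behave like a fresh process
    patch_source(framework, "get_cookies", "cookie", iast_enabled)
    # A second startup call (e.g. patch_all invoked twice) must be a no-op.
    patch_source(framework, "get_cookies", "cookie", iast_enabled)
    tainted_requests = 0
    for request in requests:
        cookies = framework.get_cookies(request)
        if isinstance(cookies, TaintedDict):
            tainted_requests += 1
    return {
        "instrumented": telemetry[(INSTRUMENTED, "cookie")],
        "executed": telemetry[(EXECUTED, "cookie")],
        "tainted_requests": tainted_requests,
    }


# Constructed requests: only the first one is sampled for IAST analysis.
REQUESTS = [
    {"cookies": {"session": "abc"}, "iast_request_enabled": True},
    {"cookies": {}, "iast_request_enabled": False},
    {"cookies": {"session": "xyz"}, "iast_request_enabled": False},
]

if __name__ == "__main__":
    print(simulate(True, REQUESTS))
    print(simulate(False, REQUESTS))
```

With instrumentation enabled, three requests yield one "instrumented" count and three "executed" counts even though only one request was sampled and tainted; with it disabled, nothing is patched and neither metric is emitted. Tying the instrumented counter to the request path instead would either undercount (emitted only on sampled requests) or overcount (emitted once per request).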

@avara1986 avara1986 added changelog/no-changelog A changelog entry is not required for this PR. ASM Application Security Monitoring labels Apr 1, 2024
@avara1986 avara1986 changed the title fix: Set IAST Instrumented metrics at runtime, nor at request time fix: set iast Instrumented metrics at runtime, nor at request time Apr 1, 2024

datadog-dd-trace-py-rkomorn bot commented Apr 1, 2024

Datadog Report

Branch report: avara1986/APPSEC-52379-iast_instrumented_metrics
Commit report: dd06ba3
Test service: dd-trace-py

✅ 0 Failed, 55972 Passed, 55517 Skipped, 1h 2m 10.82s Total duration (52m 30.92s time saved)


pr-commenter bot commented Apr 1, 2024

Benchmarks

Benchmark execution time: 2024-04-02 07:27:46

Comparing candidate commit dd06ba3 in PR branch avara1986/APPSEC-52379-iast_instrumented_metrics with baseline commit b374a5a in branch main.

Found 3 performance improvements and 3 performance regressions! Performance is the same for 195 metrics, 9 unstable metrics.

scenario:flasksimple-appsec-telemetry

  • 🟥 execution_time [+223.734µs; +278.509µs] or [+3.564%; +4.436%]

scenario:httppropagationextract-b3_headers

  • 🟥 max_rss_usage [+701.819KB; +773.151KB] or [+3.322%; +3.659%]

scenario:httppropagationextract-invalid_priority_header

  • 🟥 max_rss_usage [+476.527KB; +844.024KB] or [+2.246%; +3.978%]

scenario:httppropagationextract-none_propagation_style

  • 🟩 max_rss_usage [-781.388KB; -695.220KB] or [-3.575%; -3.181%]

scenario:sethttpmeta-obfuscation-disabled

  • 🟩 max_rss_usage [-760.390KB; -598.663KB] or [-3.436%; -2.706%]

scenario:sethttpmeta-obfuscation-worst-case-explicit-query

  • 🟩 max_rss_usage [-777.000KB; -528.805KB] or [-3.473%; -2.364%]

@avara1986 avara1986 force-pushed the avara1986/APPSEC-52379-iast_instrumented_metrics branch from 2449828 to d0528d0 Compare April 1, 2024 15:26
@gnufede gnufede changed the title fix: set iast Instrumented metrics at runtime, nor at request time fix(iast): set iast instrumented metrics at runtime, not at request time Apr 1, 2024
@gnufede gnufede marked this pull request as ready for review April 1, 2024 18:46
@gnufede gnufede requested a review from a team as a code owner April 1, 2024 18:46
@gnufede gnufede enabled auto-merge (squash) April 2, 2024 07:44
@gnufede gnufede merged commit 36d42bf into main Apr 2, 2024
115 of 119 checks passed
@gnufede gnufede deleted the avara1986/APPSEC-52379-iast_instrumented_metrics branch April 2, 2024 07:45