diff --git a/.github/workflows/appsec.yml b/.github/workflows/appsec.yml
index 7519e0ef91..8e84e776cf 100644
--- a/.github/workflows/appsec.yml
+++ b/.github/workflows/appsec.yml
@@ -42,6 +42,9 @@ concurrency:
# Automatically cancel previous runs if a new one is triggered to conserve resources.
group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.ref }}
+permissions:
+ contents: read
+
jobs:
# Prepare the cache of Go modules to share it will the other jobs.
# This maximizes cache hits and minimizes the time spent downloading Go modules.
diff --git a/.github/workflows/datadog-static-analysis.yml b/.github/workflows/datadog-static-analysis.yml
index 8094914c28..9a00adaad1 100644
--- a/.github/workflows/datadog-static-analysis.yml
+++ b/.github/workflows/datadog-static-analysis.yml
@@ -2,6 +2,10 @@ on: [push]
name: Datadog Static Analysis
+permissions:
+ contents: read
+ pull-requests: write
+
jobs:
static-analysis:
runs-on: ubuntu-latest
diff --git a/.github/workflows/ecosystems-label-issue copy.yml b/.github/workflows/ecosystems-label-issue.yml
similarity index 90%
rename from .github/workflows/ecosystems-label-issue copy.yml
rename to .github/workflows/ecosystems-label-issue.yml
index f63226c003..29853e45bc 100644
--- a/.github/workflows/ecosystems-label-issue copy.yml
+++ b/.github/workflows/ecosystems-label-issue.yml
@@ -5,6 +5,9 @@ on:
- reopened
- opened
- edited
+permissions:
+ contents: read
+ issues: write
jobs:
label_issues:
if: contains(github.event.issue.title, 'contrib')
diff --git a/.github/workflows/ecosystems-label-pr.yml b/.github/workflows/ecosystems-label-pr.yml
index 36f35b5422..4cadafd3e7 100644
--- a/.github/workflows/ecosystems-label-pr.yml
+++ b/.github/workflows/ecosystems-label-pr.yml
@@ -7,6 +7,9 @@ on:
- opened
- reopened
- edited
+permissions:
+ contents: read
+ pull-requests: write
jobs:
label_issues:
runs-on: ubuntu-latest
diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
index 8e18bed26c..aec9d5d36d 100644
--- a/.github/workflows/govulncheck.yml
+++ b/.github/workflows/govulncheck.yml
@@ -14,6 +14,9 @@ on:
- cron: '00 00 * * *'
workflow_dispatch:
+permissions:
+ contents: read
+
jobs:
govulncheck-tests:
runs-on: ubuntu-latest
diff --git a/.github/workflows/multios-unit-tests.yml b/.github/workflows/multios-unit-tests.yml
index 3ca8900602..1cdd9191b6 100644
--- a/.github/workflows/multios-unit-tests.yml
+++ b/.github/workflows/multios-unit-tests.yml
@@ -29,6 +29,9 @@ on:
env:
DD_APPSEC_WAF_TIMEOUT: 1m # Increase time WAF time budget to reduce CI flakiness
+permissions:
+ contents: read
+
jobs:
test-multi-os:
runs-on: "${{ inputs.runs-on }}"
diff --git a/.github/workflows/parametric-tests.yml b/.github/workflows/parametric-tests.yml
index 7ac69d738b..152bc0ec2d 100644
--- a/.github/workflows/parametric-tests.yml
+++ b/.github/workflows/parametric-tests.yml
@@ -21,6 +21,9 @@ on:
schedule:
- cron: '00 04 * * 2-6'
+permissions:
+ contents: read
+
jobs:
parametric-tests:
if: github.event_name != 'pull_request' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'DataDog/dd-trace-go')
diff --git a/.github/workflows/smoke-tests.yml b/.github/workflows/smoke-tests.yml
index bed0c20b43..19680b973b 100644
--- a/.github/workflows/smoke-tests.yml
+++ b/.github/workflows/smoke-tests.yml
@@ -27,6 +27,9 @@ on:
env:
TEST_RESULTS: /tmp/test-results # path to where test results will be saved
+permissions:
+ contents: read
+
jobs:
go-get-u:
# Run go get -u to upgrade dd-trace-go dependencies to their
@@ -90,7 +93,7 @@ jobs:
ref: ${{ inputs.ref || github.ref }}
- uses: actions/setup-go@v3
with:
- go-version: "1.21"
+ go-version: "1.22"
cache: true
- name: go mod tidy
run: |-
@@ -185,7 +188,7 @@ jobs:
uses: docker/build-push-action@v5
with:
context: .
- file: ./internal/apps/setup-smoke-test/Dockerfile
+ file: ./internal/setup-smoke-test/Dockerfile
push: false
load: true
tags: smoke-test
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index caec4742e2..24ffaae4da 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -4,6 +4,10 @@ on:
schedule:
- cron: '30 1 * * *'
+permissions:
+ contents: read
+ issues: write
+
jobs:
stale:
runs-on: ubuntu-latest
diff --git a/.github/workflows/system-tests.yml b/.github/workflows/system-tests.yml
index 82652d7fc3..c5d95b7ca0 100644
--- a/.github/workflows/system-tests.yml
+++ b/.github/workflows/system-tests.yml
@@ -27,6 +27,9 @@ on:
schedule:
- cron: '00 04 * * 2-6'
+permissions:
+ contents: read
+
jobs:
system-tests:
if: github.event_name != 'pull_request' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'DataDog/dd-trace-go')
@@ -43,6 +46,8 @@ jobs:
- uds-echo
scenario:
- DEFAULT
+ - INTEGRATIONS
+ - CROSSED_TRACING_LIBRARIES
- APPSEC_DISABLED
- APPSEC_BLOCKING
- APPSEC_BLOCKING_FULL_DENYLIST
@@ -103,6 +108,8 @@ jobs:
DD_API_KEY: ${{ secrets.DD_API_KEY }}
SYSTEM_TESTS_E2E_DD_API_KEY: ${{ secrets.SYSTEM_TESTS_E2E_DD_API_KEY }}
SYSTEM_TESTS_E2E_DD_APP_KEY: ${{ secrets.SYSTEM_TESTS_E2E_DD_APP_KEY }}
+ SYSTEM_TESTS_AWS_ACCESS_KEY_ID: ${{ secrets.SYSTEM_TESTS_IDM_AWS_ACCESS_KEY_ID }}
+ SYSTEM_TESTS_AWS_SECRET_ACCESS_KEY: ${{ secrets.SYSTEM_TESTS_IDM_AWS_SECRET_ACCESS_KEY }}
name: Test (${{ matrix.weblog-variant }}, ${{ matrix.scenario }})
steps:
- name: Checkout system tests
diff --git a/.github/workflows/test-apps.cue b/.github/workflows/test-apps.cue
index 72e6953cef..1f45dea13b 100644
--- a/.github/workflows/test-apps.cue
+++ b/.github/workflows/test-apps.cue
@@ -115,6 +115,10 @@ env: {
DD_TAGS: "github_run_id:${{ github.run_id }} github_run_number:${{ github.run_number }} ${{ inputs['arg: tags'] }}",
}
+permissions: {
+ contents: "read",
+}
+
jobs: {
for i, scenario in #scenarios {
for j, env in #envs {
diff --git a/.github/workflows/test-apps.yml b/.github/workflows/test-apps.yml
index 95044a8564..bff3c60c53 100644
--- a/.github/workflows/test-apps.yml
+++ b/.github/workflows/test-apps.yml
@@ -64,6 +64,8 @@ name: Test Apps
env:
DD_ENV: github
DD_TAGS: 'github_run_id:${{ github.run_id }} github_run_number:${{ github.run_number }} ${{ inputs[''arg: tags''] }}'
+permissions:
+ contents: read
jobs:
job-0-0:
name: unit-of-work/v1 (prod)
diff --git a/.github/workflows/unit-integration-tests.yml b/.github/workflows/unit-integration-tests.yml
index ac3c391982..cf0996709e 100644
--- a/.github/workflows/unit-integration-tests.yml
+++ b/.github/workflows/unit-integration-tests.yml
@@ -20,6 +20,9 @@ env:
# without having to download a newer one.
GOTOOLCHAIN: local
+permissions:
+ contents: read
+
jobs:
copyright:
runs-on: ubuntu-latest
@@ -28,10 +31,14 @@ jobs:
uses: actions/checkout@v3
with:
ref: ${{ inputs.ref || github.ref }}
- - name: Setup Go
+ - name: Setup Go
uses: ./.github/actions/setup-go
with:
go-version: ${{ inputs.go-version }}
+ - name: Setup go
+ uses: actions/setup-go@v5
+ with:
+ go-version: stable
- name: Copyright
run: |
go run checkcopyright.go
diff --git a/appsec/appsec.go b/appsec/appsec.go
index 9298fe79d3..6fe2663a65 100644
--- a/appsec/appsec.go
+++ b/appsec/appsec.go
@@ -33,7 +33,7 @@ var appsecDisabledLog sync.Once
// Note that passing the raw bytes of the HTTP request body is not expected and would
// result in inaccurate attack detection.
// This function always returns nil when appsec is disabled.
-func MonitorParsedHTTPBody(ctx context.Context, body interface{}) error {
+func MonitorParsedHTTPBody(ctx context.Context, body any) error {
if !appsec.Enabled() {
appsecDisabledLog.Do(func() { log.Warn("appsec: not enabled. Body blocking checks won't be performed.") })
return nil
@@ -60,7 +60,15 @@ func SetUser(ctx context.Context, id string, opts ...tracer.UserMonitoringOption
appsecDisabledLog.Do(func() { log.Warn("appsec: not enabled. User blocking checks won't be performed.") })
return nil
}
- return sharedsec.MonitorUser(ctx, id)
+
+ op, errPtr := usersec.StartUserLoginOperation(ctx, usersec.UserLoginOperationArgs{})
+ op.Finish(usersec.UserLoginOperationRes{
+ UserID: id,
+ SessionID: getSessionID(opts...),
+ Success: true,
+ })
+
+ return *errPtr
}
// TrackUserLoginSuccessEvent sets a successful user login event, with the given
@@ -76,17 +84,7 @@ func SetUser(ctx context.Context, id string, opts ...tracer.UserMonitoringOption
// Take-Over (ATO) monitoring, ultimately blocking the IP address and/or user id
// associated to them.
func TrackUserLoginSuccessEvent(ctx context.Context, uid string, md map[string]string, opts ...tracer.UserMonitoringOption) error {
- span := getRootSpan(ctx)
- if span == nil {
- return nil
- }
-
- const tagPrefix = "appsec.events.users.login.success."
- span.SetTag(tagPrefix+"track", true)
- for k, v := range md {
- span.SetTag(tagPrefix+k, v)
- }
- span.SetTag(ext.ManualKeep, true)
+ TrackCustomEvent(ctx, "users.login.success", md)
return SetUser(ctx, uid, opts...)
}
@@ -106,14 +104,15 @@ func TrackUserLoginFailureEvent(ctx context.Context, uid string, exists bool, md
return
}
- const tagPrefix = "appsec.events.users.login.failure."
- span.SetTag(tagPrefix+"track", true)
- span.SetTag(tagPrefix+"usr.id", uid)
- span.SetTag(tagPrefix+"usr.exists", exists)
- for k, v := range md {
- span.SetTag(tagPrefix+k, v)
- }
- span.SetTag(ext.ManualKeep, true)
+ // We need to do the first call to SetTag ourselves because the map taken by TrackCustomEvent is map[string]string
+ // and not map [string]any, so the `exists` boolean variable does not fit int
+ span.SetTag("appsec.events.users.login.failure.usr.exists", exists)
+ span.SetTag("appsec.events.users.login.failure.usr.id", uid)
+
+ TrackCustomEvent(ctx, "users.login.failure", md)
+
+ op, _ := usersec.StartUserLoginOperation(ctx, usersec.UserLoginOperationArgs{})
+ op.Finish(usersec.UserLoginOperationRes{UserID: uid, Success: false})
}
// TrackCustomEvent sets a custom event as service entry span tags. This span is
@@ -145,3 +144,13 @@ func getRootSpan(ctx context.Context) *tracer.Span {
}
return span.Root()
}
+
+func getSessionID(opts ...tracer.UserMonitoringOption) string {
+ cfg := &tracer.UserMonitoringConfig{
+ Metadata: make(map[string]string),
+ }
+ for _, opt := range opts {
+ opt(cfg)
+ }
+ return cfg.SessionID
+}
diff --git a/contrib/99designs/gqlgen/appsec_test.go b/contrib/99designs/gqlgen/appsec_test.go
new file mode 100644
index 0000000000..cb6beb1ca8
--- /dev/null
+++ b/contrib/99designs/gqlgen/appsec_test.go
@@ -0,0 +1,332 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2022 Datadog, Inc.
+
+package gqlgen
+
+import (
+ "context"
+ "encoding/json"
+ "fmt"
+ "os"
+ "path"
+ "testing"
+
+ "github.com/99designs/gqlgen/client"
+ "github.com/99designs/gqlgen/graphql"
+ "github.com/99designs/gqlgen/graphql/handler"
+ "github.com/99designs/gqlgen/graphql/handler/transport"
+ "github.com/DataDog/dd-trace-go/v2/ddtrace/mocktracer"
+ "github.com/DataDog/dd-trace-go/v2/internal/appsec"
+ "github.com/stretchr/testify/require"
+ "github.com/vektah/gqlparser/v2"
+ "github.com/vektah/gqlparser/v2/ast"
+ "github.com/vektah/gqlparser/v2/gqlerror"
+)
+
+func TestAppSec(t *testing.T) {
+ restore := enableAppSec(t)
+ defer restore()
+
+ t.Run("monitoring", func(t *testing.T) {
+ const (
+ topLevelAttack = "he protec"
+ nestedAttack = "he attac, but most importantly: he Tupac"
+ )
+ schema := gqlparser.MustLoadSchema(&ast.Source{Input: `type Query {
+ topLevel(id: String!): TopLevel!
+ topLevelMapped(map: MapInput!, key: String!, index: Int!): TopLevel!
+ }
+
+ type TopLevel {
+ nested(id: String!): String!
+ }
+
+ input MapInput {
+ ids: [String!]!
+ bool: Boolean!
+ float: Float!
+ }`})
+ server := handler.New(&graphql.ExecutableSchemaMock{
+ ExecFunc: execFunc,
+ SchemaFunc: func() *ast.Schema { return schema },
+ })
+ server.Use(NewTracer())
+ server.AddTransport(transport.POST{})
+ c := client.New(server)
+ testCases := map[string]struct {
+ query string
+ variables map[string]any
+ }{
+ "basic": {
+ query: `query TestQuery($topLevelId: String!, $nestedId: String!) { topLevel(id: $topLevelId) { nested(id: $nestedId) } }`,
+ variables: map[string]any{
+ "topLevelId": topLevelAttack,
+ "nestedId": nestedAttack,
+ },
+ },
+ "with-default-parameter": {
+ query: fmt.Sprintf(`query TestQuery($topLevelId: String = %#v, $nestedId: String!) { topLevel(id: $topLevelId) { nested(id: $nestedId) } }`, topLevelAttack),
+ variables: map[string]any{
+ // "topLevelId" omitted (default value used)
+ "nestedId": nestedAttack,
+ },
+ },
+ "embedded-variable": {
+ query: `query TestQuery($topLevelId: String!, $nestedId: String!) {
+ topLevel: topLevelMapped(map: { ids: ["foo", $topLevelId, "baz"], bool: true, float: 3.14 }, key: "ids", index: 1) {
+ nested(id: $nestedId)
+ }
+ }`,
+ variables: map[string]any{
+ "topLevelId": topLevelAttack,
+ "nestedId": nestedAttack,
+ },
+ },
+ }
+ for name, tc := range testCases {
+ t.Run(name, func(t *testing.T) {
+ mt := mocktracer.Start()
+ defer mt.Stop()
+
+ var resp map[string]any
+ err := c.Post(
+ tc.query, &resp,
+ client.Var("topLevelId", topLevelAttack), client.Var("nestedId", nestedAttack),
+ client.Operation("TestQuery"),
+ )
+ require.NoError(t, err)
+
+ require.Equal(t, map[string]any{"topLevel": map[string]any{"nested": fmt.Sprintf("%s/%s", topLevelAttack, nestedAttack)}}, resp)
+
+ // Ensure the query produced the expected appsec events
+ spans := mt.FinishedSpans()
+ require.NotEmpty(t, spans)
+
+ // The last finished span (which is GraphQL entry) should have the "_dd.appsec.enabled" tag.
+ span := spans[len(spans)-1]
+ require.Equal(t, 1, span.Tag("_dd.appsec.enabled"))
+
+ type ddAppsecJSON struct {
+ Triggers []struct {
+ Rule struct {
+ ID string `json:"id"`
+ } `json:"rule"`
+ } `json:"triggers"`
+ }
+
+ jsonText, ok := span.Tag("_dd.appsec.json").(string)
+ require.True(t, ok, "expected _dd.appsec.json tag on span")
+
+ var parsed ddAppsecJSON
+ err = json.Unmarshal([]byte(jsonText), &parsed)
+ require.NoError(t, err)
+
+ ids := make([]string, 0, len(parsed.Triggers))
+ for _, trigger := range parsed.Triggers {
+ ids = append(ids, trigger.Rule.ID)
+ }
+
+ require.ElementsMatch(t, ids, []string{"test-rule-001", "test-rule-002"})
+ })
+ }
+ })
+}
+
+type appSecQuery struct{}
+
+func (q *appSecQuery) TopLevel(_ context.Context, args struct{ ID string }) (*appSecTopLevel, error) {
+ return &appSecTopLevel{args.ID}, nil
+}
+func (q *appSecQuery) TopLevelMapped(
+ ctx context.Context,
+ args struct {
+ Map struct {
+ IDs []string
+ Bool bool
+ Float float64
+ }
+ Key string
+ Index int32
+ },
+) (*appSecTopLevel, error) {
+ id := args.Map.IDs[args.Index]
+ return q.TopLevel(ctx, struct{ ID string }{id})
+}
+
+type appSecTopLevel struct {
+ id string
+}
+
+func (a *appSecTopLevel) Nested(_ context.Context, args struct{ ID string }) (string, error) {
+ return fmt.Sprintf("%s/%s", a.id, args.ID), nil
+}
+
+// enableAppSec ensures the environment variable to enable appsec is active, and
+// returns a function to restore the previous environment state.
+func enableAppSec(t *testing.T) func() {
+ const rules = `{
+ "version": "2.2",
+ "metadata": {
+ "rules_version": "0.1337.42"
+ },
+ "rules": [
+ {
+ "id": "test-rule-001",
+ "name": "Phony rule number 1",
+ "tags": {
+ "category": "canary",
+ "type": "meme-protec"
+ },
+ "conditions": [{
+ "operator": "phrase_match",
+ "parameters": {
+ "inputs": [{ "address": "graphql.server.resolver" }],
+ "list": ["he protec"]
+ }
+ }],
+ "transformers": ["lowercase"],
+ "on_match": []
+ },
+ {
+ "id": "test-rule-002",
+ "name": "Phony rule number 2",
+ "tags": {
+ "category": "canary",
+ "type": "meme-attac"
+ },
+ "conditions": [{
+ "operator": "phrase_match",
+ "parameters": {
+ "inputs": [{ "address": "graphql.server.resolver" }],
+ "list": ["he attac"]
+ }
+ }],
+ "transformers": ["lowercase"],
+ "on_match": []
+ },
+ {
+ "id": "test-rule-003",
+ "name": "Phony rule number 3",
+ "tags": {
+ "category": "canary",
+ "type": "meme-tupac"
+ },
+ "conditions": [{
+ "operator": "phrase_match",
+ "parameters": {
+ "inputs": [{ "address": "graphql.server.all_resolvers" }],
+ "list": ["he tupac"]
+ }
+ }],
+ "transformers": ["lowercase"],
+ "on_match": []
+ }
+ ]
+ }`
+ tmpDir, err := os.MkdirTemp("", "dd-trace-go.graphql-go.graphql.appsec_test.rules-*")
+ require.NoError(t, err)
+ rulesFile := path.Join(tmpDir, "rules.json")
+ err = os.WriteFile(rulesFile, []byte(rules), 0644)
+ require.NoError(t, err)
+ t.Setenv("DD_APPSEC_ENABLED", "1")
+ t.Setenv("DD_APPSEC_RULES", rulesFile)
+ appsec.Start()
+ cleanup := func() {
+ appsec.Stop()
+ _ = os.RemoveAll(tmpDir)
+ }
+ if !appsec.Enabled() {
+ cleanup()
+ t.Skip("could not enable appsec: this platform is likely not supported")
+ }
+ return cleanup
+}
+
+func execFunc(ctx context.Context) graphql.ResponseHandler {
+ type topLevel struct {
+ id string
+ }
+ op := graphql.GetOperationContext(ctx)
+ switch op.Operation.Operation {
+ case ast.Query:
+ return func(ctx context.Context) *graphql.Response {
+ fields := graphql.CollectFields(op, op.Operation.SelectionSet, []string{"Query"})
+ var (
+ val = make(map[string]any, len(fields))
+ errors gqlerror.List
+ )
+ for _, field := range fields {
+ ctx = graphql.WithFieldContext(ctx, &graphql.FieldContext{
+ Object: "Query",
+ Field: field,
+ Args: field.ArgumentMap(op.Variables),
+ })
+ fieldVal, err := op.ResolverMiddleware(ctx, func(ctx context.Context) (any, error) {
+ switch field.Name {
+ case "topLevel":
+ arg := field.Arguments.ForName("id")
+ id, err := arg.Value.Value(op.Variables)
+ return &topLevel{id.(string)}, err
+ case "topLevelMapped":
+ obj, err := field.Arguments.ForName("map").Value.Value(op.Variables)
+ if err != nil {
+ return nil, err
+ }
+ key, err := field.Arguments.ForName("key").Value.Value(op.Variables)
+ if err != nil {
+ return nil, err
+ }
+ index, err := field.Arguments.ForName("index").Value.Value(op.Variables)
+ if err != nil {
+ return nil, err
+ }
+ id := ((obj.(map[string]any))[key.(string)].([]any))[index.(int64)]
+ return &topLevel{id.(string)}, nil
+ default:
+ return nil, fmt.Errorf("unknown field: %s", field.Name)
+ }
+ })
+ if err != nil {
+ errors = append(errors, gqlerror.Errorf("%v", err))
+ } else {
+ redux := make(map[string]any, len(field.SelectionSet))
+ for _, nested := range graphql.CollectFields(op, field.SelectionSet, []string{"TopLevel"}) {
+ ctx = graphql.WithFieldContext(ctx, &graphql.FieldContext{
+ Object: "TopLevel",
+ Field: nested,
+ Args: nested.ArgumentMap(op.Variables),
+ })
+ nestedVal, err := op.ResolverMiddleware(ctx, func(ctx context.Context) (any, error) {
+ switch nested.Name {
+ case "nested":
+ arg := nested.Arguments.ForName("id")
+ id, err := arg.Value.Value(op.Variables)
+ return fmt.Sprintf("%s/%s", fieldVal.(*topLevel).id, id.(string)), err
+ default:
+ return nil, fmt.Errorf("unknown field: %s", nested.Name)
+ }
+ })
+ if err != nil {
+ errors = append(errors, gqlerror.Errorf("%v", err))
+ } else {
+ redux[nested.Alias] = nestedVal
+ }
+ }
+ val[field.Alias] = redux
+ }
+ }
+ data, err := json.Marshal(val)
+ if err != nil {
+ errors = append(errors, gqlerror.Errorf("%v", err))
+ }
+ return &graphql.Response{
+ Data: data,
+ Errors: errors,
+ }
+ }
+ default:
+ return graphql.OneShot(graphql.ErrorResponse(ctx, "not implemented"))
+ }
+}
diff --git a/contrib/99designs/gqlgen/tracer.go b/contrib/99designs/gqlgen/tracer.go
index dc23685340..ed91ee5b1c 100644
--- a/contrib/99designs/gqlgen/tracer.go
+++ b/contrib/99designs/gqlgen/tracer.go
@@ -26,7 +26,6 @@ import (
"github.com/DataDog/dd-trace-go/v2/ddtrace/tracer"
"github.com/DataDog/dd-trace-go/v2/instrumentation"
"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/emitter/graphqlsec"
- "github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/emitter/graphqlsec/types"
)
const componentName = instrumentation.Package99DesignsGQLGen
@@ -76,12 +75,12 @@ func (t *gqlTracer) Validate(_ graphql.ExecutableSchema) error {
func (t *gqlTracer) InterceptOperation(ctx context.Context, next graphql.OperationHandler) graphql.ResponseHandler {
opCtx := graphql.GetOperationContext(ctx)
span, ctx := t.createRootSpan(ctx, opCtx)
- ctx, req := graphqlsec.StartRequestOperation(ctx, span, types.RequestOperationArgs{
+ ctx, req := graphqlsec.StartRequestOperation(ctx, graphqlsec.RequestOperationArgs{
RawQuery: opCtx.RawQuery,
OperationName: opCtx.OperationName,
Variables: opCtx.Variables,
})
- ctx, query := graphqlsec.StartExecutionOperation(ctx, span, types.ExecutionOperationArgs{
+ ctx, query := graphqlsec.StartExecutionOperation(ctx, graphqlsec.ExecutionOperationArgs{
Query: opCtx.RawQuery,
OperationName: opCtx.OperationName,
Variables: opCtx.Variables,
@@ -96,14 +95,21 @@ func (t *gqlTracer) InterceptOperation(ctx context.Context, next graphql.Operati
}
defer span.Finish(tracer.WithError(err))
}
- query.Finish(types.ExecutionOperationRes{
- Data: response.Data, // NB - This is raw data, but rather not parse it (possibly expensive).
- Error: response.Errors,
- })
- req.Finish(types.RequestOperationRes{
- Data: response.Data, // NB - This is raw data, but rather not parse it (possibly expensive).
- Error: response.Errors,
- })
+
+ var (
+ executionOperationRes graphqlsec.ExecutionOperationRes
+ requestOperationRes graphqlsec.RequestOperationRes
+ )
+ if response != nil {
+ executionOperationRes.Data = response.Data
+ executionOperationRes.Error = response.Errors
+
+ requestOperationRes.Data = response.Data
+ requestOperationRes.Error = response.Errors
+ }
+
+ query.Finish(executionOperationRes)
+ req.Finish(span, requestOperationRes)
return response
}
}
@@ -139,13 +145,13 @@ func (t *gqlTracer) InterceptField(ctx context.Context, next graphql.Resolver) (
span, ctx := tracer.StartSpanFromContext(ctx, fieldOp, opts...)
defer func() { span.Finish(tracer.WithError(err)) }()
- ctx, op := graphqlsec.StartResolveOperation(ctx, span, types.ResolveOperationArgs{
+ ctx, op := graphqlsec.StartResolveOperation(ctx, graphqlsec.ResolveOperationArgs{
Arguments: fieldCtx.Args,
TypeName: fieldCtx.Object,
FieldName: fieldCtx.Field.Name,
Trivial: isTrivial,
})
- defer func() { op.Finish(types.ResolveOperationRes{Data: res, Error: err}) }()
+ defer func() { op.Finish(graphqlsec.ResolveOperationRes{Data: res, Error: err}) }()
res, err = next(ctx)
return
diff --git a/contrib/99designs/gqlgen/tracer_test.go b/contrib/99designs/gqlgen/tracer_test.go
index e36ff984a6..b9aa149d36 100644
--- a/contrib/99designs/gqlgen/tracer_test.go
+++ b/contrib/99designs/gqlgen/tracer_test.go
@@ -206,3 +206,91 @@ func newTestClient(t *testing.T, h *testserver.TestServer, tracer graphql.Handle
h.Use(tracer)
return client.New(h)
}
+
+func TestInterceptOperation(t *testing.T) {
+ assertions := assert.New(t)
+ graphqlTestSrv := testserver.New()
+ c := newTestClient(t, graphqlTestSrv, NewTracer())
+
+ t.Run("intercept operation with graphQL Query", func(t *testing.T) {
+ mt := mocktracer.Start()
+ defer mt.Stop()
+
+ err := c.Post(`{ name }`, &testServerResponse{})
+ assertions.Nil(err)
+
+ allSpans := mt.FinishedSpans()
+ var root mocktracer.Span
+ var resNames []string
+ var opNames []string
+ for _, span := range allSpans {
+ if span.ParentID() == 0 {
+ root = span
+ }
+ resNames = append(resNames, span.Tag(ext.ResourceName).(string))
+ opNames = append(opNames, span.OperationName())
+ assertions.Equal("99designs/gqlgen", span.Tag(ext.Component))
+ }
+ assertions.ElementsMatch(resNames, []string{readOp, parsingOp, validationOp, "Query.name", `{ name }`})
+ assertions.ElementsMatch(opNames, []string{readOp, parsingOp, validationOp, fieldOp, "graphql.query"})
+ assertions.NotNil(root)
+ assertions.Nil(root.Tag(ext.Error))
+ })
+
+ t.Run("intercept operation with graphQL Mutation", func(t *testing.T) {
+ mt := mocktracer.Start()
+ defer mt.Stop()
+
+ err := c.Post(`mutation Name { name }`, &testServerResponse{})
+ // due to testserver.New() implementation, mutation is not supported
+ assertions.NotNil(err)
+
+ allSpans := mt.FinishedSpans()
+ var root mocktracer.Span
+ var resNames []string
+ var opNames []string
+ for _, span := range allSpans {
+ if span.ParentID() == 0 {
+ root = span
+ }
+ resNames = append(resNames, span.Tag(ext.ResourceName).(string))
+ opNames = append(opNames, span.OperationName())
+ assertions.Equal("99designs/gqlgen", span.Tag(ext.Component))
+ }
+ assertions.ElementsMatch(resNames, []string{readOp, parsingOp, validationOp, `mutation Name { name }`})
+ assertions.ElementsMatch(opNames, []string{readOp, parsingOp, validationOp, "graphql.mutation"})
+ assertions.NotNil(root)
+ assertions.NotNil(root.Tag(ext.Error))
+ })
+
+ t.Run("intercept operation with graphQL Subscription", func(t *testing.T) {
+ mt := mocktracer.Start()
+ defer mt.Stop()
+
+ go func() {
+ graphqlTestSrv.SendCompleteSubscriptionMessage()
+ }()
+
+ // using raw post because post try to access nil response's Data field
+ resp, err := c.RawPost(`subscription Name { name }`)
+ assertions.Nil(err)
+ assertions.Nil(resp)
+
+ allSpans := mt.FinishedSpans()
+ var root mocktracer.Span
+ var resNames []string
+ var opNames []string
+ for _, span := range allSpans {
+ if span.ParentID() == 0 {
+ root = span
+ }
+ resNames = append(resNames, span.Tag(ext.ResourceName).(string))
+ opNames = append(opNames, span.OperationName())
+ assertions.Equal("99designs/gqlgen", span.Tag(ext.Component))
+ }
+ assertions.ElementsMatch(resNames, []string{`subscription Name { name }`, `subscription Name { name }`, "subscription Name { name }"})
+ assertions.ElementsMatch(opNames, []string{readOp, parsingOp, validationOp})
+ assertions.NotNil(root)
+ assertions.Nil(root.Tag(ext.Error))
+ })
+}
diff --git a/contrib/aws/aws-sdk-go-v2/aws/aws.go b/contrib/aws/aws-sdk-go-v2/aws/aws.go
index 5a5c4aa98d..c131418a30 100644
--- a/contrib/aws/aws-sdk-go-v2/aws/aws.go
+++ b/contrib/aws/aws-sdk-go-v2/aws/aws.go
@@ -369,3 +369,16 @@ func coalesceNameOrArnResource(name *string, arnVal *string) string {
return ""
}
+
+func coalesceNameOrArnResource(name *string, arnVal *string) string {
+ if name != nil {
+ return *name
+ }
+
+ if arnVal != nil {
+ parts := strings.Split(*arnVal, "/")
+ return parts[len(parts)-1]
+ }
+
+ return ""
+}
diff --git a/contrib/aws/aws-sdk-go-v2/aws/aws_test.go b/contrib/aws/aws-sdk-go-v2/aws/aws_test.go
index c3f7c14301..294aa71a6c 100644
--- a/contrib/aws/aws-sdk-go-v2/aws/aws_test.go
+++ b/contrib/aws/aws-sdk-go-v2/aws/aws_test.go
@@ -1001,3 +1001,64 @@ func TestStreamName(t *testing.T) {
})
}
}
+
+func TestStreamName(t *testing.T) {
+ dummyName := `my-stream`
+ dummyArn := `arn:aws:kinesis:us-east-1:111111111111:stream/` + dummyName
+
+ tests := []struct {
+ name string
+ input any
+ expected string
+ }{
+ {
+ name: "PutRecords with ARN",
+ input: &kinesis.PutRecordsInput{StreamARN: &dummyArn},
+ expected: dummyName,
+ },
+ {
+ name: "PutRecords with Name",
+ input: &kinesis.PutRecordsInput{StreamName: &dummyName},
+ expected: dummyName,
+ },
+ {
+ name: "PutRecords with both",
+ input: &kinesis.PutRecordsInput{StreamName: &dummyName, StreamARN: &dummyArn},
+ expected: dummyName,
+ },
+ {
+ name: "PutRecord with Name",
+ input: &kinesis.PutRecordInput{StreamName: &dummyName},
+ expected: dummyName,
+ },
+ {
+ name: "CreateStream",
+ input: &kinesis.CreateStreamInput{StreamName: &dummyName},
+ expected: dummyName,
+ },
+ {
+ name: "CreateStream with nothing",
+ input: &kinesis.CreateStreamInput{},
+ expected: "",
+ },
+ {
+ name: "GetRecords",
+ input: &kinesis.GetRecordsInput{StreamARN: &dummyArn},
+ expected: dummyName,
+ },
+ {
+ name: "GetRecords with nothing",
+ input: &kinesis.GetRecordsInput{},
+ expected: "",
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ req := middleware.InitializeInput{
+ Parameters: tt.input,
+ }
+ val := streamName(req)
+ assert.Equal(t, tt.expected, val)
+ })
+ }
+}
diff --git a/contrib/cloud.google.com/go/pubsub.v1/internal/tracing/config.go b/contrib/cloud.google.com/go/pubsub.v1/internal/tracing/config.go
new file mode 100644
index 0000000000..22fd14b944
--- /dev/null
+++ b/contrib/cloud.google.com/go/pubsub.v1/internal/tracing/config.go
@@ -0,0 +1,43 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package tracing
+
+import (
+ "github.com/DataDog/dd-trace-go/v2/internal/namingschema"
+)
+
+type config struct {
+ serviceName string
+ publishSpanName string
+ receiveSpanName string
+ measured bool
+}
+
+func defaultConfig() *config {
+ return &config{
+ serviceName: namingschema.ServiceNameOverrideV0("", ""),
+ publishSpanName: namingschema.OpName(namingschema.GCPPubSubOutbound),
+ receiveSpanName: namingschema.OpName(namingschema.GCPPubSubInbound),
+ measured: false,
+ }
+}
+
+// Option is used to customize spans started by WrapReceiveHandler or Publish.
+type Option func(cfg *config)
+
+// WithServiceName sets the service name tag for traces started by WrapReceiveHandler or Publish.
+func WithServiceName(serviceName string) Option {
+ return func(cfg *config) {
+ cfg.serviceName = serviceName
+ }
+}
+
+// WithMeasured sets the measured tag for traces started by WrapReceiveHandler or Publish.
+func WithMeasured() Option {
+ return func(cfg *config) {
+ cfg.measured = true
+ }
+}
diff --git a/contrib/cloud.google.com/go/pubsub.v1/internal/tracing/tracing.go b/contrib/cloud.google.com/go/pubsub.v1/internal/tracing/tracing.go
new file mode 100644
index 0000000000..0e19e15220
--- /dev/null
+++ b/contrib/cloud.google.com/go/pubsub.v1/internal/tracing/tracing.go
@@ -0,0 +1,120 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package tracing
+
+import (
+ "context"
+ "sync"
+ "time"
+
+ "github.com/DataDog/dd-trace-go/v2/ddtrace"
+ "github.com/DataDog/dd-trace-go/v2/ddtrace/ext"
+ "github.com/DataDog/dd-trace-go/v2/ddtrace/tracer"
+ "github.com/DataDog/dd-trace-go/v2/internal/log"
+ "github.com/DataDog/dd-trace-go/v2/internal/telemetry"
+)
+
+const componentName = "cloud.google.com/go/pubsub.v1"
+
+func init() {
+ telemetry.LoadIntegration(componentName)
+ tracer.MarkIntegrationImported(componentName)
+}
+
+type Message struct {
+ ID string
+ Data []byte
+ OrderingKey string
+ Attributes map[string]string
+ DeliveryAttempt *int
+ PublishTime time.Time
+}
+
+type Topic interface {
+ String() string
+}
+
+type Subscription interface {
+ String() string
+}
+
+func TracePublish(ctx context.Context, topic Topic, msg *Message, opts ...Option) (context.Context, func(serverID string, err error)) {
+ cfg := defaultConfig()
+ for _, opt := range opts {
+ opt(cfg)
+ }
+ spanOpts := []ddtrace.StartSpanOption{
+ tracer.ResourceName(topic.String()),
+ tracer.SpanType(ext.SpanTypeMessageProducer),
+ tracer.Tag("message_size", len(msg.Data)),
+ tracer.Tag("ordering_key", msg.OrderingKey),
+ tracer.Tag(ext.Component, componentName),
+ tracer.Tag(ext.SpanKind, ext.SpanKindProducer),
+ tracer.Tag(ext.MessagingSystem, ext.MessagingSystemGCPPubsub),
+ }
+ if cfg.serviceName != "" {
+ spanOpts = append(spanOpts, tracer.ServiceName(cfg.serviceName))
+ }
+ if cfg.measured {
+ spanOpts = append(spanOpts, tracer.Measured())
+ }
+ span, ctx := tracer.StartSpanFromContext(
+ ctx,
+ cfg.publishSpanName,
+ spanOpts...,
+ )
+ if msg.Attributes == nil {
+ msg.Attributes = make(map[string]string)
+ }
+ if err := tracer.Inject(span.Context(), tracer.TextMapCarrier(msg.Attributes)); err != nil {
+ log.Debug("contrib/cloud.google.com/go/pubsub.v1/trace: failed injecting tracing attributes: %v", err)
+ }
+ span.SetTag("num_attributes", len(msg.Attributes))
+
+ var once sync.Once
+ closeSpan := func(serverID string, err error) {
+ once.Do(func() {
+ span.SetTag("server_id", serverID)
+ span.Finish(tracer.WithError(err))
+ })
+ }
+ return ctx, closeSpan
+}
+
+func TraceReceiveFunc(s Subscription, opts ...Option) func(ctx context.Context, msg *Message) (context.Context, func()) {
+ cfg := defaultConfig()
+ for _, opt := range opts {
+ opt(cfg)
+ }
+ log.Debug("contrib/cloud.google.com/go/pubsub.v1/trace: Wrapping Receive Handler: %#v", cfg)
+ return func(ctx context.Context, msg *Message) (context.Context, func()) {
+ parentSpanCtx, _ := tracer.Extract(tracer.TextMapCarrier(msg.Attributes))
+ opts := []ddtrace.StartSpanOption{
+ tracer.ResourceName(s.String()),
+ tracer.SpanType(ext.SpanTypeMessageConsumer),
+ tracer.Tag("message_size", len(msg.Data)),
+ tracer.Tag("num_attributes", len(msg.Attributes)),
+ tracer.Tag("ordering_key", msg.OrderingKey),
+ tracer.Tag("message_id", msg.ID),
+ tracer.Tag("publish_time", msg.PublishTime.String()),
+ tracer.Tag(ext.Component, componentName),
+ tracer.Tag(ext.SpanKind, ext.SpanKindConsumer),
+ tracer.Tag(ext.MessagingSystem, ext.MessagingSystemGCPPubsub),
+ tracer.ChildOf(parentSpanCtx),
+ }
+ if cfg.serviceName != "" {
+ opts = append(opts, tracer.ServiceName(cfg.serviceName))
+ }
+ if cfg.measured {
+ opts = append(opts, tracer.Measured())
+ }
+ span, ctx := tracer.StartSpanFromContext(ctx, cfg.receiveSpanName, opts...)
+ if msg.DeliveryAttempt != nil {
+ span.SetTag("delivery_attempt", *msg.DeliveryAttempt)
+ }
+ return ctx, func() { span.Finish() }
+ }
+}
diff --git a/contrib/cloud.google.com/go/pubsub.v1/option.go b/contrib/cloud.google.com/go/pubsub.v1/option.go
index 796fc47a2c..32c63e9679 100644
--- a/contrib/cloud.google.com/go/pubsub.v1/option.go
+++ b/contrib/cloud.google.com/go/pubsub.v1/option.go
@@ -7,12 +7,8 @@ package pubsub
import "github.com/DataDog/dd-trace-go/v2/instrumentation"
-type config struct {
- serviceName string
- publishSpanName string
- receiveSpanName string
- measured bool
-}
+// Option is used to customize spans started by WrapReceiveHandler or Publish.
+type Option = tracing.Option
func defaultConfig() *config {
return &config{
diff --git a/contrib/cloud.google.com/go/pubsub.v1/pubsub.go b/contrib/cloud.google.com/go/pubsub.v1/pubsub.go
index a6f0f0507e..eda72364c3 100644
--- a/contrib/cloud.google.com/go/pubsub.v1/pubsub.go
+++ b/contrib/cloud.google.com/go/pubsub.v1/pubsub.go
@@ -32,58 +32,27 @@ func init() {
// It is required to call (*PublishResult).Get(ctx) on the value returned by Publish to complete
// the span.
func Publish(ctx context.Context, t *pubsub.Topic, msg *pubsub.Message, opts ...Option) *PublishResult {
- cfg := defaultConfig()
- for _, opt := range opts {
- opt.apply(cfg)
- }
- spanOpts := []tracer.StartSpanOption{
- tracer.ResourceName(t.String()),
- tracer.SpanType(ext.SpanTypeMessageProducer),
- tracer.Tag("message_size", len(msg.Data)),
- tracer.Tag("ordering_key", msg.OrderingKey),
- tracer.Tag(ext.Component, componentName),
- tracer.Tag(ext.SpanKind, ext.SpanKindProducer),
- tracer.Tag(ext.MessagingSystem, ext.MessagingSystemGCPPubsub),
- }
- if cfg.serviceName != "" {
- spanOpts = append(spanOpts, tracer.ServiceName(cfg.serviceName))
- }
- if cfg.measured {
- spanOpts = append(spanOpts, tracer.Measured())
- }
- span, ctx := tracer.StartSpanFromContext(
- ctx,
- cfg.publishSpanName,
- spanOpts...,
- )
- if msg.Attributes == nil {
- msg.Attributes = make(map[string]string)
- }
- if err := tracer.Inject(span.Context(), tracer.TextMapCarrier(msg.Attributes)); err != nil {
- instr.Logger().Debug("contrib/cloud.google.com/go/pubsub.v1/: failed injecting tracing attributes: %v", err)
- }
- span.SetTag("num_attributes", len(msg.Attributes))
+ traceMsg := newTraceMessage(msg)
+ ctx, closeSpan := tracing.TracePublish(ctx, t, traceMsg, opts...)
+ msg.Attributes = traceMsg.Attributes
+
return &PublishResult{
PublishResult: t.Publish(ctx, msg),
- span: span,
+ closeSpan: closeSpan,
}
}
// PublishResult wraps *pubsub.PublishResult
type PublishResult struct {
*pubsub.PublishResult
- once sync.Once
- span *tracer.Span
+ closeSpan func(serverID string, err error)
}
// Get wraps (pubsub.PublishResult).Get(ctx). When this function returns the publish
// span created in Publish is completed.
func (r *PublishResult) Get(ctx context.Context) (string, error) {
serverID, err := r.PublishResult.Get(ctx)
- r.once.Do(func() {
- r.span.SetTag("server_id", serverID)
- r.span.Finish(tracer.WithError(err))
- })
+ r.closeSpan(serverID, err)
return serverID, err
}
@@ -91,38 +60,24 @@ func (r *PublishResult) Get(ctx context.Context) (string, error) {
// extracts any tracing metadata attached to the received message, and starts a
// receive span.
func WrapReceiveHandler(s *pubsub.Subscription, f func(context.Context, *pubsub.Message), opts ...Option) func(context.Context, *pubsub.Message) {
- cfg := defaultConfig()
- for _, opt := range opts {
- opt.apply(cfg)
- }
- instr.Logger().Debug("contrib/cloud.google.com/go/pubsub.v1: Wrapping Receive Handler: %#v", cfg)
+ traceFn := tracing.TraceReceiveFunc(s, opts...)
return func(ctx context.Context, msg *pubsub.Message) {
- parentSpanCtx, _ := tracer.Extract(tracer.TextMapCarrier(msg.Attributes))
- opts := []tracer.StartSpanOption{
- tracer.ResourceName(s.String()),
- tracer.SpanType(ext.SpanTypeMessageConsumer),
- tracer.Tag("message_size", len(msg.Data)),
- tracer.Tag("num_attributes", len(msg.Attributes)),
- tracer.Tag("ordering_key", msg.OrderingKey),
- tracer.Tag("message_id", msg.ID),
- tracer.Tag("publish_time", msg.PublishTime.String()),
- tracer.Tag(ext.Component, componentName),
- tracer.Tag(ext.SpanKind, ext.SpanKindConsumer),
- tracer.Tag(ext.MessagingSystem, ext.MessagingSystemGCPPubsub),
- tracer.ChildOf(parentSpanCtx),
- }
- if cfg.serviceName != "" {
- opts = append(opts, tracer.ServiceName(cfg.serviceName))
- }
- if cfg.measured {
- opts = append(opts, tracer.Measured())
- }
-
- span, ctx := tracer.StartSpanFromContext(ctx, cfg.receiveSpanName, opts...)
- if msg.DeliveryAttempt != nil {
- span.SetTag("delivery_attempt", *msg.DeliveryAttempt)
- }
- defer span.Finish()
+ ctx, closeSpan := traceFn(ctx, newTraceMessage(msg))
+ defer closeSpan()
f(ctx, msg)
}
}
+
+func newTraceMessage(msg *pubsub.Message) *tracing.Message {
+ if msg == nil {
+ return nil
+ }
+ return &tracing.Message{
+ ID: msg.ID,
+ Data: msg.Data,
+ OrderingKey: msg.OrderingKey,
+ Attributes: msg.Attributes,
+ DeliveryAttempt: msg.DeliveryAttempt,
+ PublishTime: msg.PublishTime,
+ }
+}
diff --git a/contrib/google.golang.org/grpc/appsec.go b/contrib/google.golang.org/grpc/appsec.go
index 0ae8e67c02..6f1ade9724 100644
--- a/contrib/google.golang.org/grpc/appsec.go
+++ b/contrib/google.golang.org/grpc/appsec.go
@@ -7,67 +7,77 @@ package grpc
import (
"context"
+ "sync/atomic"
"github.com/DataDog/appsec-internal-go/netip"
"github.com/DataDog/dd-trace-go/v2/ddtrace/tracer"
- "github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/emitter/grpcsec"
- "github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/emitter/grpcsec/types"
- "github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/emitter/sharedsec"
"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/trace"
- "github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/trace/grpctrace"
- "github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/trace/httptrace"
"google.golang.org/grpc"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/metadata"
"google.golang.org/grpc/peer"
"google.golang.org/grpc/status"
+
+ "github.com/DataDog/dd-trace-go/v2/internal/appsec/emitter/waf/actions"
)
+func applyAction(blockAtomic *atomic.Pointer[actions.BlockGRPC], err *error) bool {
+ if blockAtomic == nil {
+ return false
+ }
+
+ block := blockAtomic.Load()
+ if block == nil {
+ return false
+ }
+
+ code, e := block.GRPCWrapper()
+ *err = status.Error(codes.Code(code), e.Error())
+ return true
+}
+
// UnaryHandler wrapper to use when AppSec is enabled to monitor its execution.
func appsecUnaryHandlerMiddleware(method string, span *tracer.Span, handler grpc.UnaryHandler) grpc.UnaryHandler {
trace.SetAppSecEnabledTags(span)
return func(ctx context.Context, req any) (res any, rpcErr error) {
- var blockedErr error
md, _ := metadata.FromIncomingContext(ctx)
- clientIP := setClientIP(ctx, span, md)
- args := types.HandlerOperationArgs{
- Method: method,
- Metadata: md,
- ClientIP: clientIP,
+ var remoteAddr string
+ if p, ok := peer.FromContext(ctx); ok {
+ remoteAddr = p.Addr.String()
}
- ctx, op := grpcsec.StartHandlerOperation(ctx, args, nil, func(op *types.HandlerOperation) {
- dyngo.OnData(op, func(a *sharedsec.GRPCAction) {
- code, err := a.GRPCWrapper()
- blockedErr = status.Error(codes.Code(code), err.Error())
- })
+
+ ctx, op, blockAtomic := grpcsec.StartHandlerOperation(ctx, grpcsec.HandlerOperationArgs{
+ Method: method,
+ Metadata: md,
+ RemoteAddr: remoteAddr,
})
+
defer func() {
- events := op.Finish(types.HandlerOperationRes{})
- if len(events) > 0 {
- grpctrace.SetSecurityEventsTags(span, events)
+ var statusCode int
+ if statusErr, ok := rpcErr.(interface{ GRPCStatus() *status.Status }); ok && !applyAction(blockAtomic, &rpcErr) {
+ statusCode = int(statusErr.GRPCStatus().Code())
}
- if blockedErr != nil {
- op.SetTag(trace.BlockedRequestTag, true)
- rpcErr = blockedErr
- }
- grpctrace.SetRequestMetadataTags(span, md)
- trace.SetTags(span, op.Tags())
+ op.Finish(span, grpcsec.HandlerOperationRes{StatusCode: statusCode})
+ applyAction(blockAtomic, &rpcErr)
}()
// Check if a blocking condition was detected so far with the start operation event (ip blocking, metadata blocking, etc.)
- if blockedErr != nil {
- return nil, blockedErr
+ if applyAction(blockAtomic, &rpcErr) {
+ return
}
// As of our gRPC abstract operation definition, we must fake a receive operation for unary RPCs (the same model fits both unary and streaming RPCs)
- grpcsec.StartReceiveOperation(types.ReceiveOperationArgs{}, op).Finish(types.ReceiveOperationRes{Message: req})
- // Check if a blocking condition was detected so far with the receive operation events
- if blockedErr != nil {
- return nil, blockedErr
+ if _ = grpcsec.MonitorRequestMessage(ctx, req); applyAction(blockAtomic, &rpcErr) {
+ return
}
+ defer func() {
+ _ = grpcsec.MonitorResponseMessage(ctx, res)
+ applyAction(blockAtomic, &rpcErr)
+ }()
+
// Call the original handler - let the deferred function above handle the blocking condition and return error
return handler(ctx, req)
}
@@ -77,81 +87,72 @@ func appsecUnaryHandlerMiddleware(method string, span *tracer.Span, handler grpc
func appsecStreamHandlerMiddleware(method string, span *tracer.Span, handler grpc.StreamHandler) grpc.StreamHandler {
trace.SetAppSecEnabledTags(span)
return func(srv any, stream grpc.ServerStream) (rpcErr error) {
- // Create a ServerStream wrapper with appsec RPC handler operation and the Go context (to implement the ServerStream interface)
- appsecStream := &appsecServerStream{
- ServerStream: stream,
- // note: the blockedErr field is captured by the RPC handler's OnData closure below
- }
-
ctx := stream.Context()
md, _ := metadata.FromIncomingContext(ctx)
- clientIP := setClientIP(ctx, span, md)
- grpctrace.SetRequestMetadataTags(span, md)
+ var remoteAddr string
+ if p, ok := peer.FromContext(ctx); ok {
+ remoteAddr = p.Addr.String()
+ }
// Create the handler operation and listen to blocking gRPC actions to detect a blocking condition
- args := types.HandlerOperationArgs{
- Method: method,
- Metadata: md,
- ClientIP: clientIP,
- }
- ctx, op := grpcsec.StartHandlerOperation(ctx, args, nil, func(op *types.HandlerOperation) {
- dyngo.OnData(op, func(a *sharedsec.GRPCAction) {
- code, e := a.GRPCWrapper()
- appsecStream.blockedErr = status.Error(codes.Code(code), e.Error())
- })
+ ctx, op, blockAtomic := grpcsec.StartHandlerOperation(ctx, grpcsec.HandlerOperationArgs{
+ Method: method,
+ Metadata: md,
+ RemoteAddr: remoteAddr,
})
- // Finish constructing the appsec stream wrapper and replace the original one
- appsecStream.handlerOperation = op
- appsecStream.ctx = ctx
+ // Create a ServerStream wrapper with appsec RPC handler operation and the Go context (to implement the ServerStream interface)
defer func() {
- events := op.Finish(types.HandlerOperationRes{})
-
- if len(events) > 0 {
- grpctrace.SetSecurityEventsTags(span, events)
+ var statusCode int
+ if res, ok := rpcErr.(interface{ Status() codes.Code }); ok && !applyAction(blockAtomic, &rpcErr) {
+ statusCode = int(res.Status())
}
- if appsecStream.blockedErr != nil {
- op.SetTag(trace.BlockedRequestTag, true)
- // Change the RPC return error with appsec's
- rpcErr = appsecStream.blockedErr
- }
-
- trace.SetTags(span, op.Tags())
+ op.Finish(span, grpcsec.HandlerOperationRes{StatusCode: statusCode})
+ applyAction(blockAtomic, &rpcErr)
}()
// Check if a blocking condition was detected so far with the start operation event (ip blocking, metadata blocking, etc.)
- if appsecStream.blockedErr != nil {
- return appsecStream.blockedErr
+ if applyAction(blockAtomic, &rpcErr) {
+ return
}
// Call the original handler - let the deferred function above handle the blocking condition and return error
- return handler(srv, appsecStream)
+ return handler(srv, &appsecServerStream{
+ ServerStream: stream,
+ handlerOperation: op,
+ ctx: ctx,
+ action: blockAtomic,
+ rpcErr: &rpcErr,
+ })
}
}
type appsecServerStream struct {
grpc.ServerStream
- handlerOperation *types.HandlerOperation
+ handlerOperation *grpcsec.HandlerOperation
ctx context.Context
-
- // blockedErr is used to store the error to return when a blocking sec event is detected.
- blockedErr error
+ action *atomic.Pointer[actions.BlockGRPC]
+ rpcErr *error
}
// RecvMsg implements grpc.ServerStream interface method to monitor its
// execution with AppSec.
-func (ss *appsecServerStream) RecvMsg(m interface{}) (err error) {
- op := grpcsec.StartReceiveOperation(types.ReceiveOperationArgs{}, ss.handlerOperation)
+func (ss *appsecServerStream) RecvMsg(msg any) (err error) {
defer func() {
- op.Finish(types.ReceiveOperationRes{Message: m})
- if ss.blockedErr != nil {
- // Change the function call return error with appsec's
- err = ss.blockedErr
+ if _ = grpcsec.MonitorRequestMessage(ss.ctx, msg); applyAction(ss.action, ss.rpcErr) {
+ err = *ss.rpcErr
}
}()
- return ss.ServerStream.RecvMsg(m)
+ return ss.ServerStream.RecvMsg(msg)
+}
+
+func (ss *appsecServerStream) SendMsg(msg any) error {
+ if _ = grpcsec.MonitorResponseMessage(ss.ctx, msg); applyAction(ss.action, ss.rpcErr) {
+ return *ss.rpcErr
+ }
+ return ss.ServerStream.SendMsg(msg)
}
func (ss *appsecServerStream) Context() context.Context {
diff --git a/contrib/google.golang.org/grpc/appsec_test.go b/contrib/google.golang.org/grpc/appsec_test.go
index 3d26a1a3d9..63c29cbec3 100644
--- a/contrib/google.golang.org/grpc/appsec_test.go
+++ b/contrib/google.golang.org/grpc/appsec_test.go
@@ -9,6 +9,7 @@ import (
"context"
"encoding/json"
"fmt"
+ "io"
"net"
"strings"
"testing"
@@ -18,6 +19,7 @@ import (
"github.com/DataDog/dd-trace-go/v2/ddtrace/mocktracer"
"github.com/DataDog/dd-trace-go/v2/instrumentation/testutils"
+ "github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"google.golang.org/grpc"
"google.golang.org/grpc/codes"
@@ -27,24 +29,27 @@ import (
func TestAppSec(t *testing.T) {
testutils.StartAppSec(t)
+ t.Setenv("DD_APPSEC_WAF_TIMEOUT", "1h") // Functionally unlimited
+ appsec.Start()
+ defer appsec.Stop()
if !instr.AppSecEnabled() {
t.Skip("appsec disabled")
}
setup := func() (fixturepb.FixtureClient, mocktracer.Tracer, func()) {
- rig, err := newAppsecRig(false)
+ rig, err := newAppsecRig(t, false)
require.NoError(t, err)
mt := mocktracer.Start()
return rig.client, mt, func() {
- rig.Close()
+ assert.NoError(t, rig.Close())
mt.Stop()
}
}
t.Run("unary", func(t *testing.T) {
- client, mt, cleanup := setup()
+ client, mt, cleanup := setup(t)
defer cleanup()
// Send a XSS attack in the payload along with the canary value in the RPC metadata
@@ -65,7 +70,7 @@ func TestAppSec(t *testing.T) {
})
t.Run("stream", func(t *testing.T) {
- client, mt, cleanup := setup()
+ client, mt, cleanup := setup(t)
defer cleanup()
// Send a XSS attack in the payload along with the canary value in the RPC metadata
@@ -122,9 +127,9 @@ func TestAppSec(t *testing.T) {
histogram[tr.Rule.ID]++
}
- require.EqualValues(t, 1, histogram["crs-941-180"]) // XSS attack attempt
- require.EqualValues(t, 5, histogram["crs-942-270"]) // SQL-injection attack attempt
- require.EqualValues(t, 1, histogram["ua0-600-55x"]) // canary rule attack attempt
+ assert.EqualValues(t, 1, histogram["crs-941-180"]) // XSS attack attempt
+ assert.EqualValues(t, 5, histogram["crs-942-270"]) // SQL-injection attack attempt
+ assert.EqualValues(t, 1, histogram["ua0-600-55x"]) // canary rule attack attempt
require.Len(t, histogram, 3)
})
@@ -231,13 +236,13 @@ func TestUserBlocking(t *testing.T) {
}
setup := func() (fixturepb.FixtureClient, mocktracer.Tracer, func()) {
- rig, err := newAppsecRig(false)
+ rig, err := newAppsecRig(t, false)
require.NoError(t, err)
mt := mocktracer.Start()
return rig.client, mt, func() {
- rig.Close()
+ assert.NoError(t, rig.Close())
mt.Stop()
}
}
@@ -275,7 +280,7 @@ func TestUserBlocking(t *testing.T) {
} {
t.Run(tc.name, func(t *testing.T) {
// Helper assertion function to run for the unary and stream tests
- assert := func(t *testing.T, do func(client fixturepb.FixtureClient)) {
+ withClient := func(t *testing.T, do func(client fixturepb.FixtureClient)) {
client, mt, cleanup := setup()
defer cleanup()
@@ -296,7 +301,7 @@ func TestUserBlocking(t *testing.T) {
}
t.Run("unary", func(t *testing.T) {
- assert(t, func(client fixturepb.FixtureClient) {
+ withClient(t, func(client fixturepb.FixtureClient) {
ctx := metadata.NewOutgoingContext(context.Background(), tc.md)
reply, err := client.Ping(ctx, &fixturepb.FixtureRequest{Name: tc.message})
require.Nil(t, reply)
@@ -305,19 +310,18 @@ func TestUserBlocking(t *testing.T) {
})
t.Run("stream", func(t *testing.T) {
- assert(t, func(client fixturepb.FixtureClient) {
+ withClient(t, func(client fixturepb.FixtureClient) {
ctx := metadata.NewOutgoingContext(context.Background(), tc.md)
// Open the stream
stream, err := client.StreamPing(ctx)
require.NoError(t, err)
- defer func() {
- require.NoError(t, stream.CloseSend())
- }()
+ defer func() { assert.NoError(t, stream.CloseSend()) }()
// Send a message
- err = stream.Send(&fixturepb.FixtureRequest{Name: tc.message})
- require.NoError(t, err)
+ if err := stream.Send(&fixturepb.FixtureRequest{Name: tc.message}); err != io.EOF {
+ require.NoError(t, err)
+ }
// Receive a message
reply, err := stream.Recv()
@@ -340,20 +344,20 @@ func TestPasslist(t *testing.T) {
t.Skip("appsec disabled")
}
- setup := func() (fixturepb.FixtureClient, mocktracer.Tracer, func()) {
- rig, err := newAppsecRig(false)
+ setup := func(t *testing.T) (fixturepb.FixtureClient, mocktracer.Tracer, func()) {
+ rig, err := newAppsecRig(t, false)
require.NoError(t, err)
mt := mocktracer.Start()
return rig.client, mt, func() {
- rig.Close()
+ assert.NoError(t, rig.Close())
mt.Stop()
}
}
t.Run("unary", func(t *testing.T) {
- client, mt, cleanup := setup()
+ client, mt, cleanup := setup(t)
defer cleanup()
// Send the payload triggering the sec event thanks to the "zouzou" value in the RPC metadata
@@ -375,7 +379,7 @@ func TestPasslist(t *testing.T) {
})
t.Run("stream", func(t *testing.T) {
- client, mt, cleanup := setup()
+ client, mt, cleanup := setup(t)
defer cleanup()
// Open the steam triggering the sec event thanks to the "zouzou" value in the RPC metadata
@@ -385,8 +389,9 @@ func TestPasslist(t *testing.T) {
// Send some messages
for i := 0; i < 5; i++ {
- err = stream.Send(&fixturepb.FixtureRequest{Name: "hello"})
- require.NoError(t, err)
+ if err := stream.Send(&fixturepb.FixtureRequest{Name: "hello"}); err != io.EOF {
+ require.NoError(t, err)
+ }
// Check that the handler was properly called
res, err := stream.Recv()
@@ -410,8 +415,8 @@ func TestPasslist(t *testing.T) {
})
}
-func newAppsecRig(traceClient bool, interceptorOpts ...Option) (*appsecRig, error) {
- interceptorOpts = append([]Option{WithService("grpc")}, interceptorOpts...)
+func newAppsecRig(t *testing.T, traceClient bool, interceptorOpts ...Option) (*appsecRig, error) {
+ interceptorOpts = append([]Option{WithServiceName("grpc")}, interceptorOpts...)
server := grpc.NewServer(
grpc.UnaryInterceptor(UnaryServerInterceptor(interceptorOpts...)),
@@ -427,7 +432,7 @@ func newAppsecRig(traceClient bool, interceptorOpts ...Option) (*appsecRig, erro
}
_, port, _ := net.SplitHostPort(li.Addr().String())
// start our test fixtureServer.
- go server.Serve(li)
+ go func() { assert.NoError(t, server.Serve(li)) }()
opts := []grpc.DialOption{grpc.WithInsecure()}
if traceClient {
@@ -461,9 +466,9 @@ type appsecRig struct {
client fixturepb.FixtureClient
}
-func (r *appsecRig) Close() {
- r.server.Stop()
- r.conn.Close()
+func (r *appsecRig) Close() error {
+ defer r.server.GracefulStop()
+ return r.conn.Close()
}
type appsecFixtureServer struct {
diff --git a/contrib/google.golang.org/grpc/go.mod b/contrib/google.golang.org/grpc/go.mod
index 0afe937a54..604862efde 100644
--- a/contrib/google.golang.org/grpc/go.mod
+++ b/contrib/google.golang.org/grpc/go.mod
@@ -1,22 +1,24 @@
module github.com/DataDog/dd-trace-go/contrib/google.golang.org/grpc/v2
-go 1.21
+go 1.22.0
+
+toolchain go1.23.1
require (
- github.com/DataDog/appsec-internal-go v1.7.0
+ github.com/DataDog/appsec-internal-go v1.8.0
github.com/DataDog/dd-trace-go/instrumentation/testutils/grpc/v2 v2.0.0-20240827110213-c6fc4fe2047a
github.com/DataDog/dd-trace-go/v2 v2.0.0-20240909105439-c452671ebc14
github.com/stretchr/testify v1.9.0
- github.com/tinylib/msgp v1.1.9
+ github.com/tinylib/msgp v1.2.1
google.golang.org/grpc v1.65.0
google.golang.org/protobuf v1.34.2
)
require (
github.com/DataDog/datadog-agent/pkg/obfuscate v0.52.1 // indirect
- github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.52.1 // indirect
+ github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.57.0 // indirect
github.com/DataDog/datadog-go/v5 v5.5.0 // indirect
- github.com/DataDog/go-libddwaf/v3 v3.3.0 // indirect
+ github.com/DataDog/go-libddwaf/v3 v3.4.0 // indirect
github.com/DataDog/go-sqllexer v0.0.11 // indirect
github.com/DataDog/go-tuf v1.1.0-0.5.2 // indirect
github.com/DataDog/sketches-go v1.4.5 // indirect
@@ -32,16 +34,16 @@ require (
github.com/hashicorp/go-sockaddr v1.0.2 // indirect
github.com/mitchellh/mapstructure v1.5.0 // indirect
github.com/outcaste-io/ristretto v0.2.3 // indirect
- github.com/philhofer/fwd v1.1.2 // indirect
+ github.com/philhofer/fwd v1.1.3-0.20240612014219-fbbf4953d986 // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
github.com/ryanuber/go-glob v1.0.0 // indirect
github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect
go.uber.org/atomic v1.11.0 // indirect
- golang.org/x/mod v0.14.0 // indirect
- golang.org/x/net v0.25.0 // indirect
- golang.org/x/sys v0.20.0 // indirect
- golang.org/x/text v0.15.0 // indirect
+ golang.org/x/mod v0.18.0 // indirect
+ golang.org/x/net v0.26.0 // indirect
+ golang.org/x/sys v0.23.0 // indirect
+ golang.org/x/text v0.16.0 // indirect
golang.org/x/time v0.5.0 // indirect
golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20240528184218-531527333157 // indirect
diff --git a/contrib/google.golang.org/grpc/go.sum b/contrib/google.golang.org/grpc/go.sum
index 11c6766d56..7f036f650b 100644
--- a/contrib/google.golang.org/grpc/go.sum
+++ b/contrib/google.golang.org/grpc/go.sum
@@ -1,13 +1,16 @@
github.com/DataDog/appsec-internal-go v1.7.0 h1:iKRNLih83dJeVya3IoUfK+6HLD/hQsIbyBlfvLmAeb0=
github.com/DataDog/appsec-internal-go v1.7.0/go.mod h1:wW0cRfWBo4C044jHGwYiyh5moQV2x0AhnwqMuiX7O/g=
+github.com/DataDog/appsec-internal-go v1.8.0/go.mod h1:wW0cRfWBo4C044jHGwYiyh5moQV2x0AhnwqMuiX7O/g=
github.com/DataDog/datadog-agent/pkg/obfuscate v0.52.1 h1:/oxF4p/4XUGNpNw2TE7vDu/pJV3elEAZ+jES0/MWtiI=
github.com/DataDog/datadog-agent/pkg/obfuscate v0.52.1/go.mod h1:AVPQWekk3h9AOC7+plBlNB68Sy6UIGFoMMVUDeSoNoI=
github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.52.1 h1:mmkGuCHBFuDBpuwNMcqtY1x1I2fCaPH2Br4xPAAjbkM=
github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.52.1/go.mod h1:JhAilx32dkIgoDkFXquCTfaWDsAOfe+vfBaxbiZoPI0=
+github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.57.0/go.mod h1:4Vo3SJ24uzfKHUHLoFa8t8o+LH+7TCQ7sPcZDtOpSP4=
github.com/DataDog/datadog-go/v5 v5.5.0 h1:G5KHeB8pWBNXT4Jtw0zAkhdxEAWSpWH00geHI6LDrKU=
github.com/DataDog/datadog-go/v5 v5.5.0/go.mod h1:K9kcYBlxkcPP8tvvjZZKs/m1edNAUFzBbdpTUKfCsuw=
github.com/DataDog/go-libddwaf/v3 v3.3.0 h1:jS72fuQpFgJZEdEJDmHJCPAgNTEMZoz1EUvimPUOiJ4=
github.com/DataDog/go-libddwaf/v3 v3.3.0/go.mod h1:Bz/0JkpGf689mzbUjKJeheJINqsyyhM8p9PDuHdK2Ec=
+github.com/DataDog/go-libddwaf/v3 v3.4.0/go.mod h1:n98d9nZ1gzenRSk53wz8l6d34ikxS+hs62A31Fqmyi4=
github.com/DataDog/go-sqllexer v0.0.11 h1:OfPBjmayreblOXreszbrOTICNZ3qWrA6Bg4sypvxpbw=
github.com/DataDog/go-sqllexer v0.0.11/go.mod h1:KwkYhpFEVIq+BfobkTC1vfqm4gTi65skV/DpDBXtexc=
github.com/DataDog/go-tuf v1.1.0-0.5.2 h1:4CagiIekonLSfL8GMHRHcHudo1fQnxELS9g4tiAupQ4=
@@ -71,6 +74,8 @@ github.com/outcaste-io/ristretto v0.2.3 h1:AK4zt/fJ76kjlYObOeNwh4T3asEuaCmp26pOv
github.com/outcaste-io/ristretto v0.2.3/go.mod h1:W8HywhmtlopSB1jeMg3JtdIhf+DYkLAr0VN/s4+MHac=
github.com/philhofer/fwd v1.1.2 h1:bnDivRJ1EWPjUIRXV5KfORO897HTbpFAQddBdE8t7Gw=
github.com/philhofer/fwd v1.1.2/go.mod h1:qkPdfjR2SIEbspLqpe1tO4n5yICnr2DY7mqEx2tUTP0=
+github.com/philhofer/fwd v1.1.3-0.20240612014219-fbbf4953d986 h1:jYi87L8j62qkXzaYHAQAhEapgukhenIMZRBKTNRLHJ4=
+github.com/philhofer/fwd v1.1.3-0.20240612014219-fbbf4953d986/go.mod h1:RqIHx9QI14HlwKwm98g9Re5prTQ6LdeRQn+gXJFxsJM=
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -104,6 +109,8 @@ github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsT
github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
github.com/tinylib/msgp v1.1.9 h1:SHf3yoO2sGA0veCJeCBYLHuttAVFHGm2RHgNodW7wQU=
github.com/tinylib/msgp v1.1.9/go.mod h1:BCXGB54lDD8qUEPmiG0cQQUANC4IUQyB2ItS2UDlO/k=
+github.com/tinylib/msgp v1.2.1 h1:6ypy2qcCznxpP4hpORzhtXyTqrBs7cfM9MCCWY8zsmU=
+github.com/tinylib/msgp v1.2.1/go.mod h1:2vIGs3lcUo8izAATNobrCHevYZC/LMsJtw4JPiYPHro=
github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
@@ -117,11 +124,13 @@ golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v
golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac=
golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
+golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -135,11 +144,14 @@ golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBc
golang.org/x/sys v0.0.0-20220627191245-f75cf1eec38b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.23.0 h1:YfKFowiIMvtgl1UERQoTPPToxltDeZfbj4H7dVUCwmM=
+golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk=
golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
diff --git a/contrib/google.golang.org/grpc/grpc_test.go b/contrib/google.golang.org/grpc/grpc_test.go
index 6bbe6b112c..b32187320c 100644
--- a/contrib/google.golang.org/grpc/grpc_test.go
+++ b/contrib/google.golang.org/grpc/grpc_test.go
@@ -61,7 +61,7 @@ func TestUnary(t *testing.T) {
t.Run(name, func(t *testing.T) {
rig, err := newRig(true, WithService("grpc"), WithRequestTags())
require.NoError(t, err, "error setting up rig")
- defer rig.Close()
+ defer func() { assert.NoError(rig.Close()) }()
client := rig.client
mt := mocktracer.Start()
@@ -222,7 +222,7 @@ func TestStreaming(t *testing.T) {
rig, err := newRig(true, WithService("grpc"))
require.NoError(t, err, "error setting up rig")
- defer rig.Close()
+ defer func() { assert.NoError(t, rig.Close()) }()
span, ctx := tracer.StartSpanFromContext(context.Background(), "a",
tracer.ServiceName("b"),
@@ -247,7 +247,7 @@ func TestStreaming(t *testing.T) {
rig, err := newRig(true, WithService("grpc"), WithStreamMessages(false))
require.NoError(t, err, "error setting up rig")
- defer rig.Close()
+ defer func() { assert.NoError(t, rig.Close()) }()
span, ctx := tracer.StartSpanFromContext(context.Background(), "a",
tracer.ServiceName("b"),
@@ -272,7 +272,7 @@ func TestStreaming(t *testing.T) {
rig, err := newRig(true, WithService("grpc"), WithStreamCalls(false))
require.NoError(t, err, "error setting up rig")
- defer rig.Close()
+ defer func() { assert.NoError(t, rig.Close()) }()
span, ctx := tracer.StartSpanFromContext(context.Background(), "a",
tracer.ServiceName("b"),
@@ -314,7 +314,7 @@ func TestSpanTree(t *testing.T) {
rig, err := newRig(true, WithService("grpc"))
require.NoError(t, err, "error setting up rig")
- defer rig.Close()
+ defer func() { assert.NoError(rig.Close()) }()
{
// Unary Ping rpc leading to trace:
@@ -349,7 +349,7 @@ func TestSpanTree(t *testing.T) {
rig, err := newRig(true, WithService("grpc"), WithRequestTags(), WithMetadataTags())
require.NoError(t, err, "error setting up rig")
- defer rig.Close()
+ defer func() { assert.NoError(rig.Close()) }()
client := rig.client
{
@@ -433,7 +433,7 @@ func TestPass(t *testing.T) {
rig, err := newRig(false, WithService("grpc"))
require.NoError(t, err, "error setting up rig")
- defer rig.Close()
+ defer func() { assert.NoError(rig.Close()) }()
client := rig.client
ctx := context.Background()
@@ -467,7 +467,7 @@ func TestPreservesMetadata(t *testing.T) {
if err != nil {
t.Fatalf("error setting up rig: %s", err)
}
- defer rig.Close()
+ defer func() { assert.NoError(t, rig.Close()) }()
ctx := context.Background()
ctx = metadata.AppendToOutgoingContext(ctx, "test-key", "test-value")
@@ -495,7 +495,7 @@ func TestStreamSendsErrorCode(t *testing.T) {
rig, err := newRig(true)
require.NoError(t, err, "error setting up rig")
- defer rig.Close()
+ defer func() { assert.NoError(t, rig.Close()) }()
ctx := context.Background()
@@ -524,7 +524,7 @@ func TestStreamSendsErrorCode(t *testing.T) {
containsErrorCode = true
}
}
- assert.True(t, containsErrorCode, "at least one span should contain error code")
+ assert.True(t, containsErrorCode, "at least one span should contain error code, the spans were:\n%v", spans)
// ensure that last span contains error code also
gotLastSpanCode := spans[len(spans)-1].Tag(tagCode)
@@ -542,9 +542,9 @@ type rig struct {
client fixturepb.FixtureClient
}
-func (r *rig) Close() {
- r.server.Stop()
- r.conn.Close()
+func (r *rig) Close() error {
+ defer r.server.GracefulStop()
+ return r.conn.Close()
}
func newRigWithInterceptors(
@@ -608,7 +608,7 @@ func TestAnalyticsSettings(t *testing.T) {
if err != nil {
t.Fatalf("error setting up rig: %s", err)
}
- defer rig.Close()
+ defer func() { assert.NoError(t, rig.Close()) }()
client := rig.client
resp, err := client.Ping(context.Background(), &fixturepb.FixtureRequest{Name: "pass"})
@@ -1079,7 +1079,7 @@ func TestIssue2050(t *testing.T) {
}
rig, err := newRigWithInterceptors(serverInterceptors, clientInterceptors)
require.NoError(t, err)
- defer rig.Close()
+ defer func() { assert.NoError(t, rig.Close()) }()
// call tracer.Start after integration is initialized, to reproduce the issue
tracer.Start(tracer.WithHTTPClient(httpClient), tracer.WithLogger(testutils.DiscardLogger()))
diff --git a/contrib/graph-gophers/graphql-go/appsec_test.go b/contrib/graph-gophers/graphql-go/appsec_test.go
new file mode 100644
index 0000000000..3c781b9899
--- /dev/null
+++ b/contrib/graph-gophers/graphql-go/appsec_test.go
@@ -0,0 +1,243 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016 Datadog, Inc.
+
+package graphql
+
+import (
+ "context"
+ "encoding/json"
+ "fmt"
+ "os"
+ "path"
+ "testing"
+
+ "github.com/DataDog/dd-trace-go/v2/ddtrace/mocktracer"
+ "github.com/DataDog/dd-trace-go/v2/internal/appsec"
+ "github.com/graph-gophers/graphql-go"
+ "github.com/stretchr/testify/require"
+)
+
+func TestAppSec(t *testing.T) {
+ schema := graphql.MustParseSchema(
+ `type Query {
+ topLevel(id: String!): TopLevel!
+ topLevelMapped(map: MapInput!, key: String!, index: Int!): TopLevel!
+ }
+
+ type TopLevel {
+ nested(id: String!): String!
+ }
+
+ input MapInput {
+ ids: [String!]!
+ bool: Boolean!
+ float: Float!
+ }`,
+ &appSecQuery{},
+ graphql.Tracer(NewTracer()),
+ )
+ restore := enableAppSec(t)
+ defer restore()
+
+ t.Run("monitoring", func(t *testing.T) {
+ const (
+ topLevelAttack = "he protec"
+ nestedAttack = "he attac, but most importantly: he Tupac"
+ )
+ testCases := map[string]struct {
+ query string
+ variables map[string]any
+ }{
+ "basic": {
+ query: `query TestQuery($topLevelId: String!, $nestedId: String!) { topLevel(id: $topLevelId) { nested(id: $nestedId) } }`,
+ variables: map[string]any{
+ "topLevelId": topLevelAttack,
+ "nestedId": nestedAttack,
+ },
+ },
+ "with-default-parameter": {
+ query: fmt.Sprintf(`query TestQuery($topLevelId: String = %#v, $nestedId: String!) { topLevel(id: $topLevelId) { nested(id: $nestedId) } }`, topLevelAttack),
+ variables: map[string]any{
+ // "topLevelId" omitted (default value used)
+ "nestedId": nestedAttack,
+ },
+ },
+ "embedded-variable": {
+ query: `query TestQuery($topLevelId: String!, $nestedId: String!) {
+ topLevel: topLevelMapped(map: { ids: ["foo", $topLevelId, "baz"], bool: true, float: 3.14 }, key: "ids", index: 1) {
+ nested(id: $nestedId)
+ }
+ }`,
+ variables: map[string]any{
+ "topLevelId": topLevelAttack,
+ "nestedId": nestedAttack,
+ },
+ },
+ }
+ for name, tc := range testCases {
+ t.Run(name, func(t *testing.T) {
+ mt := mocktracer.Start()
+ defer mt.Stop()
+ resp := schema.Exec(context.Background(), tc.query, "TestQuery", tc.variables)
+ require.Empty(t, resp.Errors)
+
+ var data map[string]any
+ err := json.Unmarshal(resp.Data, &data)
+ require.NoError(t, err)
+ require.Equal(t, map[string]any{"topLevel": map[string]any{"nested": fmt.Sprintf("%s/%s", topLevelAttack, nestedAttack)}}, data)
+
+ // Ensure the query produced the expected appsec events
+ spans := mt.FinishedSpans()
+ require.NotEmpty(t, spans)
+
+ // The last finished span (which is GraphQL entry) should have the "_dd.appsec.enabled" tag.
+ span := spans[len(spans)-1]
+ require.Equal(t, 1, span.Tag("_dd.appsec.enabled"))
+ type ddAppsecJSON struct {
+ Triggers []struct {
+ Rule struct {
+ ID string `json:"id"`
+ } `json:"rule"`
+ } `json:"triggers"`
+ }
+ jsonText, ok := span.Tag("_dd.appsec.json").(string)
+ require.True(t, ok, "expected _dd.appsec.json tag on span")
+
+ var parsed ddAppsecJSON
+ err = json.Unmarshal([]byte(jsonText), &parsed)
+ require.NoError(t, err)
+
+ ids := make([]string, 0, len(parsed.Triggers))
+ for _, trigger := range parsed.Triggers {
+ ids = append(ids, trigger.Rule.ID)
+ }
+
+ require.ElementsMatch(t, ids, []string{"test-rule-001", "test-rule-002"})
+ })
+ }
+ })
+}
+
+type appSecQuery struct{}
+
+func (q *appSecQuery) TopLevel(_ context.Context, args struct{ ID string }) (*appSecTopLevel, error) {
+ return &appSecTopLevel{args.ID}, nil
+}
+func (q *appSecQuery) TopLevelMapped(
+ ctx context.Context,
+ args struct {
+ Map struct {
+ IDs []string
+ Bool bool
+ Float float64
+ }
+ Key string
+ Index int32
+ },
+) (*appSecTopLevel, error) {
+ id := args.Map.IDs[args.Index]
+ return q.TopLevel(ctx, struct{ ID string }{id})
+}
+
+type appSecTopLevel struct {
+ id string
+}
+
+func (a *appSecTopLevel) Nested(_ context.Context, args struct{ ID string }) (string, error) {
+ return fmt.Sprintf("%s/%s", a.id, args.ID), nil
+}
+
+// enableAppSec ensures the environment variable to enable appsec is active, and
+// returns a function to restore the previous environment state.
+func enableAppSec(t *testing.T) func() {
+ const rules = `{
+ "version": "2.2",
+ "metadata": {
+ "rules_version": "0.1337.42"
+ },
+ "rules": [
+ {
+ "id": "test-rule-001",
+ "name": "Phony rule number 1",
+ "tags": {
+ "category": "canary",
+ "type": "meme-protec"
+ },
+ "conditions": [{
+ "operator": "phrase_match",
+ "parameters": {
+ "inputs": [{ "address": "graphql.server.resolver" }],
+ "list": ["he protec"]
+ }
+ }],
+ "transformers": ["lowercase"],
+ "on_match": []
+ },
+ {
+ "id": "test-rule-002",
+ "name": "Phony rule number 2",
+ "tags": {
+ "category": "canary",
+ "type": "meme-attac"
+ },
+ "conditions": [{
+ "operator": "phrase_match",
+ "parameters": {
+ "inputs": [{ "address": "graphql.server.resolver" }],
+ "list": ["he attac"]
+ }
+ }],
+ "transformers": ["lowercase"],
+ "on_match": []
+ },
+ {
+ "id": "test-rule-003",
+ "name": "Phony rule number 3",
+ "tags": {
+ "category": "canary",
+ "type": "meme-tupac"
+ },
+ "conditions": [{
+ "operator": "phrase_match",
+ "parameters": {
+ "inputs": [{ "address": "graphql.server.all_resolvers" }],
+ "list": ["he tupac"]
+ }
+ }],
+ "transformers": ["lowercase"],
+ "on_match": []
+ }
+ ]
+ }`
+ tmpDir, err := os.MkdirTemp("", "dd-trace-go.graphql-go.graphql.appsec_test.rules-*")
+ require.NoError(t, err)
+ rulesFile := path.Join(tmpDir, "rules.json")
+ err = os.WriteFile(rulesFile, []byte(rules), 0644)
+ require.NoError(t, err)
+ restoreDdAppsecEnabled := setEnv("DD_APPSEC_ENABLED", "1")
+ restoreDdAppsecRules := setEnv("DD_APPSEC_RULES", rulesFile)
+ appsec.Start()
+ restore := func() {
+ appsec.Stop()
+ restoreDdAppsecEnabled()
+ restoreDdAppsecRules()
+ _ = os.RemoveAll(tmpDir)
+ }
+ if !appsec.Enabled() {
+ restore()
+ t.Skip("could not enable appsec: this platform is likely not supported")
+ }
+ return restore
+}
+
+// setEnv sets an the environment variable named `name` to `value` and returns
+// a function that restores the variable to it's original value.
+func setEnv(name string, value string) func() {
+ oldVal := os.Getenv(name)
+ os.Setenv(name, value)
+ return func() {
+ os.Setenv(name, oldVal)
+ }
+}
diff --git a/contrib/graph-gophers/graphql-go/graphql.go b/contrib/graph-gophers/graphql-go/graphql.go
index 117f323c07..15beb6a18d 100644
--- a/contrib/graph-gophers/graphql-go/graphql.go
+++ b/contrib/graph-gophers/graphql-go/graphql.go
@@ -20,7 +20,6 @@ import (
ddtracer "github.com/DataDog/dd-trace-go/v2/ddtrace/tracer"
"github.com/DataDog/dd-trace-go/v2/instrumentation"
"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/emitter/graphqlsec"
- "github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/emitter/graphqlsec/types"
"github.com/graph-gophers/graphql-go/errors"
"github.com/graph-gophers/graphql-go/introspection"
@@ -68,12 +67,12 @@ func (t *Tracer) TraceQuery(ctx context.Context, queryString, operationName stri
}
span, ctx := ddtracer.StartSpanFromContext(ctx, t.cfg.querySpanName, opts...)
- ctx, request := graphqlsec.StartRequestOperation(ctx, span, types.RequestOperationArgs{
+ ctx, request := graphqlsec.StartRequestOperation(ctx, graphqlsec.RequestOperationArgs{
RawQuery: queryString,
OperationName: operationName,
Variables: variables,
})
- ctx, query := graphqlsec.StartExecutionOperation(ctx, span, types.ExecutionOperationArgs{
+ ctx, query := graphqlsec.StartExecutionOperation(ctx, graphqlsec.ExecutionOperationArgs{
Query: queryString,
OperationName: operationName,
Variables: variables,
@@ -90,8 +89,8 @@ func (t *Tracer) TraceQuery(ctx context.Context, queryString, operationName stri
err = fmt.Errorf("%s (and %d more errors)", errs[0], n-1)
}
defer span.Finish(ddtracer.WithError(err))
- defer request.Finish(types.RequestOperationRes{Error: err})
- query.Finish(types.ExecutionOperationRes{Error: err})
+ defer request.Finish(span, graphqlsec.RequestOperationRes{Error: err})
+ query.Finish(graphqlsec.ExecutionOperationRes{Error: err})
}
}
@@ -117,7 +116,7 @@ func (t *Tracer) TraceField(ctx context.Context, _, typeName, fieldName string,
}
span, ctx := ddtracer.StartSpanFromContext(ctx, "graphql.field", opts...)
- ctx, field := graphqlsec.StartResolveOperation(ctx, span, types.ResolveOperationArgs{
+ ctx, field := graphqlsec.StartResolveOperation(ctx, graphqlsec.ResolveOperationArgs{
TypeName: typeName,
FieldName: fieldName,
Arguments: arguments,
@@ -125,7 +124,7 @@ func (t *Tracer) TraceField(ctx context.Context, _, typeName, fieldName string,
})
return ctx, func(err *errors.QueryError) {
- field.Finish(types.ResolveOperationRes{Error: err})
+ field.Finish(graphqlsec.ResolveOperationRes{Error: err})
// must explicitly check for nil, see issue golang/go#22729
if err != nil {
diff --git a/contrib/graphql-go/graphql/appsec_test.go b/contrib/graphql-go/graphql/appsec_test.go
index 7327f91a58..e7c4411973 100644
--- a/contrib/graphql-go/graphql/appsec_test.go
+++ b/contrib/graphql-go/graphql/appsec_test.go
@@ -93,7 +93,6 @@ func TestAppSec(t *testing.T) {
testCases := map[string]struct {
query string
variables map[string]any
- events map[string]string
}{
"basic": {
query: `query TestQuery($topLevelId: String!, $nestedId: String!) { topLevel(id: $topLevelId) { nested(id: $nestedId) } }`,
@@ -101,10 +100,6 @@ func TestAppSec(t *testing.T) {
"topLevelId": topLevelAttack,
"nestedId": nestedAttack,
},
- events: map[string]string{
- "test-rule-001": "graphql.resolve(topLevel)",
- "test-rule-002": "graphql.resolve(nested)",
- },
},
"with-default-parameter": {
query: fmt.Sprintf(`query TestQuery($topLevelId: String = %#v, $nestedId: String!) { topLevel(id: $topLevelId) { nested(id: $nestedId) } }`, topLevelAttack),
@@ -112,10 +107,6 @@ func TestAppSec(t *testing.T) {
// "topLevelId" omitted (default value used)
"nestedId": nestedAttack,
},
- events: map[string]string{
- "test-rule-001": "graphql.resolve(topLevel)",
- "test-rule-002": "graphql.resolve(nested)",
- },
},
"embedded-variable": {
query: `query TestQuery($topLevelId: String!, $nestedId: String!) {
@@ -127,10 +118,6 @@ func TestAppSec(t *testing.T) {
"topLevelId": topLevelAttack,
"nestedId": nestedAttack,
},
- events: map[string]string{
- "test-rule-001": "graphql.resolve(topLevelMapped)",
- "test-rule-002": "graphql.resolve(nested)",
- },
},
}
@@ -152,7 +139,8 @@ func TestAppSec(t *testing.T) {
spans := mt.FinishedSpans()
require.NotEmpty(t, spans)
// The last finished span (which is GraphQL entry) should have the "_dd.appsec.enabled" tag.
- require.Equal(t, float64(1), spans[len(spans)-1].Tag("_dd.appsec.enabled"))
+ span := spans[len(spans)-1]
+ require.Equal(t, 1, span.Tag("_dd.appsec.enabled"))
events := make(map[string]string)
type ddAppsecJSON struct {
Triggers []struct {
@@ -161,34 +149,20 @@ func TestAppSec(t *testing.T) {
} `json:"rule"`
} `json:"triggers"`
}
- // Search for AppSec events in the set of spans
- for _, span := range spans {
- jsonText, ok := span.Tag("_dd.appsec.json").(string)
- if !ok || jsonText == "" {
- continue
- }
- var parsed ddAppsecJSON
- err := json.Unmarshal([]byte(jsonText), &parsed)
- require.NoError(t, err)
- require.Len(t, parsed.Triggers, 1, "expected exactly 1 trigger on %s span", span.OperationName())
- ruleID := parsed.Triggers[0].Rule.ID
- _, duplicate := events[ruleID]
- require.False(t, duplicate, "found duplicated hit for rule %s", ruleID)
- var origin string
- switch name := span.OperationName(); name {
- case spanResolve:
- field := span.Tag(tagGraphqlField).(string)
- origin = fmt.Sprintf("%s(%s)", spanResolve, field)
- case spanExecute:
- origin = spanExecute
- default:
- require.Fail(t, "rule trigger recorded on unecpected span", "rule %s recorded a hit on unexpected span %s", ruleID, name)
- }
- events[ruleID] = origin
+ jsonText, ok := span.Tag("_dd.appsec.json").(string)
+ require.True(t, ok, "expected _dd.appsec.json tag on span")
+
+ var parsed ddAppsecJSON
+ err = json.Unmarshal([]byte(jsonText), &parsed)
+ require.NoError(t, err)
+
+ ids := make([]string, 0, len(parsed.Triggers))
+ for _, trigger := range parsed.Triggers {
+ ids = append(ids, trigger.Rule.ID)
}
- // Ensure they match the expected outcome
- require.Equal(t, tc.events, events)
+
+ require.ElementsMatch(t, ids, []string{"test-rule-001", "test-rule-002"})
})
}
})
diff --git a/contrib/graphql-go/graphql/graphql.go b/contrib/graphql-go/graphql/graphql.go
index 322664bbb4..67977219d0 100644
--- a/contrib/graphql-go/graphql/graphql.go
+++ b/contrib/graphql-go/graphql/graphql.go
@@ -15,7 +15,6 @@ import (
"github.com/DataDog/dd-trace-go/v2/ddtrace/tracer"
"github.com/DataDog/dd-trace-go/v2/instrumentation"
"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/emitter/graphqlsec"
- "github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/emitter/graphqlsec/types"
"github.com/graphql-go/graphql"
"github.com/graphql-go/graphql/gqlerrors"
@@ -61,7 +60,7 @@ type datadogExtension struct{ config }
type contextKey struct{}
type contextData struct {
serverSpan *tracer.Span
- requestOp *types.RequestOperation
+ requestOp *graphqlsec.RequestOperation
variables map[string]any
query string
operationName string
@@ -70,7 +69,7 @@ type contextData struct {
// finish closes the top-level request operation, as well as the server span.
func (c *contextData) finish(data any, err error) {
defer c.serverSpan.Finish(tracer.WithError(err))
- c.requestOp.Finish(types.RequestOperationRes{Data: data, Error: err})
+ c.requestOp.Finish(c.serverSpan, graphqlsec.RequestOperationRes{Data: data, Error: err})
}
var extensionName = reflect.TypeOf((*datadogExtension)(nil)).Elem().Name()
@@ -95,7 +94,7 @@ func (i datadogExtension) Init(ctx context.Context, params *graphql.Params) cont
tracer.Tag(ext.Component, instrumentation.PackageGraphQLGoGraphQL),
tracer.Measured(),
)
- ctx, request := graphqlsec.StartRequestOperation(ctx, span, types.RequestOperationArgs{
+ ctx, request := graphqlsec.StartRequestOperation(ctx, graphqlsec.RequestOperationArgs{
RawQuery: params.RequestString,
Variables: params.VariableValues,
OperationName: params.OperationName,
@@ -190,7 +189,7 @@ func (i datadogExtension) ExecutionDidStart(ctx context.Context) (context.Contex
opts = append(opts, tracer.Tag(ext.EventSampleRate, i.config.analyticsRate))
}
span, ctx := tracer.StartSpanFromContext(ctx, spanExecute, opts...)
- ctx, op := graphqlsec.StartExecutionOperation(ctx, span, types.ExecutionOperationArgs{
+ ctx, op := graphqlsec.StartExecutionOperation(ctx, graphqlsec.ExecutionOperationArgs{
Query: data.query,
OperationName: data.operationName,
Variables: data.variables,
@@ -201,7 +200,7 @@ func (i datadogExtension) ExecutionDidStart(ctx context.Context) (context.Contex
defer data.finish(result.Data, err)
span.Finish(tracer.WithError(err))
}()
- op.Finish(types.ExecutionOperationRes{Data: result.Data, Error: err})
+ op.Finish(graphqlsec.ExecutionOperationRes{Data: result.Data, Error: err})
}
}
@@ -237,14 +236,14 @@ func (i datadogExtension) ResolveFieldDidStart(ctx context.Context, info *graphq
opts = append(opts, tracer.Tag(ext.EventSampleRate, i.config.analyticsRate))
}
span, ctx := tracer.StartSpanFromContext(ctx, spanResolve, opts...)
- ctx, op := graphqlsec.StartResolveOperation(ctx, span, types.ResolveOperationArgs{
+ ctx, op := graphqlsec.StartResolveOperation(ctx, graphqlsec.ResolveOperationArgs{
TypeName: info.ParentType.Name(),
FieldName: info.FieldName,
Arguments: collectArguments(info),
})
return ctx, func(result any, err error) {
defer span.Finish(tracer.WithError(err))
- op.Finish(types.ResolveOperationRes{Error: err, Data: result})
+ op.Finish(graphqlsec.ResolveOperationRes{Error: err, Data: result})
}
}
diff --git a/contrib/internal/telemetrytest/telemetry_test.go b/contrib/internal/telemetrytest/telemetry_test.go
new file mode 100644
index 0000000000..a775fc132e
--- /dev/null
+++ b/contrib/internal/telemetrytest/telemetry_test.go
@@ -0,0 +1,93 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2023 Datadog, Inc.
+package telemetrytest
+
+import (
+ "encoding/json"
+ "os"
+ "os/exec"
+ "strings"
+ "testing"
+
+ "github.com/DataDog/dd-trace-go/contrib/gorilla/mux/v2"
+ "github.com/DataDog/dd-trace-go/v2/internal/telemetry"
+
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+)
+
+// TestIntegrationInfo verifies that an integration leveraging instrumentation telemetry
+// sends the correct data to the telemetry client.
+func TestIntegrationInfo(t *testing.T) {
+ // mux.NewRouter() uses the net/http and gorilla/mux integration
+ mux.NewRouter()
+ integrations := telemetry.Integrations()
+ require.Len(t, integrations, 2)
+ assert.Equal(t, integrations[0].Name, "net/http")
+ assert.True(t, integrations[0].Enabled)
+ assert.Equal(t, integrations[1].Name, "gorilla/mux")
+ assert.True(t, integrations[1].Enabled)
+}
+
+type contribPkg struct {
+ ImportPath string
+ Name string
+ Imports []string
+ Dir string
+}
+
+var TelemetryImport = "github.com/DataDog/dd-trace-go/v2/internal/telemetry"
+
+func readPackage(t *testing.T, path string) contribPkg {
+ cmd := exec.Command("go", "list", "-json", path)
+ cmd.Stderr = os.Stderr
+ output, err := cmd.Output()
+ require.NoError(t, err)
+ p := contribPkg{}
+ err = json.Unmarshal(output, &p)
+ require.NoError(t, err)
+ return p
+}
+
+func (p *contribPkg) hasTelemetryImport(t *testing.T) bool {
+ for _, imp := range p.Imports {
+ if imp == TelemetryImport {
+ return true
+ }
+ }
+ // if we didn't find it imported directly, it might be imported in one of sub-package imports
+ for _, imp := range p.Imports {
+ if strings.HasPrefix(imp, p.ImportPath) {
+ p := readPackage(t, imp)
+ if p.hasTelemetryImport(t) {
+ return true
+ }
+ }
+ }
+ return false
+}
+
+// TestTelemetryEnabled verifies that the expected contrib packages leverage instrumentation telemetry
+func TestTelemetryEnabled(t *testing.T) {
+ body, err := exec.Command("go", "list", "-json", "../../...").Output()
+ require.NoError(t, err)
+
+ var packages []contribPkg
+ stream := json.NewDecoder(strings.NewReader(string(body)))
+ for stream.More() {
+ var out contribPkg
+ err := stream.Decode(&out)
+ require.NoError(t, err)
+ packages = append(packages, out)
+ }
+ for _, pkg := range packages {
+ if strings.Contains(pkg.ImportPath, "/test") || strings.Contains(pkg.ImportPath, "/internal") {
+ continue
+ }
+ if !pkg.hasTelemetryImport(t) {
+ t.Fatalf(`package %q is expected use instrumentation telemetry. For more info see https://github.com/DataDog/dd-trace-go/blob/main/contrib/README.md#instrumentation-telemetry`, pkg.ImportPath)
+ }
+ }
+}
diff --git a/contrib/labstack/echo.v4/appsec_test.go b/contrib/labstack/echo.v4/appsec_test.go
index 20ebaa0014..921dc28965 100644
--- a/contrib/labstack/echo.v4/appsec_test.go
+++ b/contrib/labstack/echo.v4/appsec_test.go
@@ -125,8 +125,8 @@ func TestAppSec(t *testing.T) {
// The span should contain the security event
finished := mt.FinishedSpans()
require.Len(t, finished, 1)
- event := finished[0].Tag("_dd.appsec.json").(string)
- require.NotNil(t, event)
+ event, ok := finished[0].Tag("_dd.appsec.json").(string)
+ require.True(t, ok, "expected string, found %T", finished[0].Tag("_dd.appsec.json"))
require.True(t, strings.Contains(event, "crs-913-120"))
// Wildcards are not named in echo
require.False(t, strings.Contains(event, "myPathParam3"))
@@ -138,7 +138,7 @@ func TestAppSec(t *testing.T) {
mt := mocktracer.Start()
defer mt.Stop()
- req, err := http.NewRequest("POST", srv.URL+"/etc/", nil)
+ req, err := http.NewRequest("POST", srv.URL+"/etc/passwd", nil)
if err != nil {
panic(err)
}
@@ -149,8 +149,8 @@ func TestAppSec(t *testing.T) {
finished := mt.FinishedSpans()
require.Len(t, finished, 1)
- event := finished[0].Tag("_dd.appsec.json").(string)
- require.NotNil(t, event)
+ event, ok := finished[0].Tag("_dd.appsec.json").(string)
+ require.True(t, ok, "expected string, found %T", finished[0].Tag("_dd.appsec.json"))
require.True(t, strings.Contains(event, "server.response.status"))
require.True(t, strings.Contains(event, "nfd-000-001"))
})
diff --git a/contrib/net/http/http_test.go b/contrib/net/http/http_test.go
index bd668fbe9e..6990087d06 100644
--- a/contrib/net/http/http_test.go
+++ b/contrib/net/http/http_test.go
@@ -325,22 +325,9 @@ func TestServeMuxGo122Patterns(t *testing.T) {
// Check the /foo span
fooSpan := spans[1]
- if fooW.Code == http.StatusOK {
- assert.Equal("/foo", fooSpan.Tag(ext.HTTPRoute))
- assert.Equal("GET /foo", fooSpan.Tag(ext.ResourceName))
- } else {
- // Until our go.mod version is go1.22 or greater, the mux will not
- // understand the "GET /foo" pattern, causing the request to be handled
- // by the 404 handler. Let's assert what we can, and mark the test as
- // skipped to highlight the issue.
- assert.Equal(http.StatusNotFound, fooW.Code)
- assert.Equal(nil, fooSpan.Tag(ext.HTTPRoute))
- // Using "GET " as a resource name doesn't seem ideal, but that's how
- // the mux instrumentation deals with 404s right now.
- assert.Equal("GET ", fooSpan.Tag(ext.ResourceName))
- t.Skip("run `go mod edit -go=1.22` to run the full test")
- }
-
+ assert.Equal(http.StatusOK, fooW.Code)
+ assert.Equal("/foo", fooSpan.Tag(ext.HTTPRoute))
+ assert.Equal("GET /foo", fooSpan.Tag(ext.ResourceName))
}
func TestWrapHandlerWithResourceNameNoRace(_ *testing.T) {
@@ -360,6 +347,8 @@ func TestWrapHandlerWithResourceNameNoRace(_ *testing.T) {
r := httptest.NewRequest("GET", "/", nil)
w := httptest.NewRecorder()
defer wg.Done()
+ w := httptest.NewRecorder()
+ r := httptest.NewRequest("GET", "/", nil)
mux.ServeHTTP(w, r)
}()
}
@@ -521,10 +510,14 @@ func handler200(w http.ResponseWriter, _ *http.Request) {
w.Write([]byte("OK\n"))
}
-func handler500(w http.ResponseWriter, _ *http.Request) {
+func handler500(w http.ResponseWriter, r *http.Request) {
http.Error(w, "500!", http.StatusInternalServerError)
}
+func handler400(w http.ResponseWriter, r *http.Request) {
+ http.Error(w, "400!", http.StatusBadRequest)
+}
+
func BenchmarkHttpServeTrace(b *testing.B) {
err := tracer.Start(tracer.WithLogger(testutils.DiscardLogger()), tracer.WithHeaderTags([]string{"3header"}))
assert.NoError(b, err)
diff --git a/contrib/net/http/option.go b/contrib/net/http/option.go
index f139f693c9..dca5d9e2f6 100644
--- a/contrib/net/http/option.go
+++ b/contrib/net/http/option.go
@@ -8,6 +8,7 @@ package http
import (
"math"
"net/http"
+ "os"
"github.com/DataDog/dd-trace-go/v2/ddtrace/ext"
"github.com/DataDog/dd-trace-go/v2/ddtrace/tracer"
@@ -179,6 +180,12 @@ func newRoundTripperConfig() *roundTripperConfig {
analyticsRate: instr.GlobalAnalyticsRate(),
resourceNamer: defaultResourceNamer,
ignoreRequest: func(_ *http.Request) bool { return false },
+ queryString: internal.BoolEnv(envClientQueryStringEnabled, true),
+ isStatusError: isClientError,
+ }
+ v := os.Getenv(envClientErrorStatuses)
+ if fn := httptrace.GetErrorCodesFromInput(v); fn != nil {
+ sharedCfg.isStatusError = fn
}
return &roundTripperConfig{
commonConfig: sharedCfg,
@@ -227,3 +234,7 @@ func WithErrorCheck(fn func(err error) bool) RoundTripperOptionFn {
cfg.errCheck = fn
}
}
+
+func isClientError(statusCode int) bool {
+ return statusCode >= 400 && statusCode < 500
+}
diff --git a/contrib/net/http/roundtripper.go b/contrib/net/http/roundtripper.go
index 16bb6fe336..2ba2be908f 100644
--- a/contrib/net/http/roundtripper.go
+++ b/contrib/net/http/roundtripper.go
@@ -11,6 +11,7 @@ import (
"net/http"
"os"
"strconv"
+ "strings"
"github.com/DataDog/dd-trace-go/v2/appsec/events"
"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/emitter/httpsec"
@@ -37,7 +38,7 @@ func (rt *roundTripper) RoundTrip(req *http.Request) (res *http.Response, err er
tracer.SpanType(ext.SpanTypeHTTP),
tracer.ResourceName(resourceName),
tracer.Tag(ext.HTTPMethod, req.Method),
- tracer.Tag(ext.HTTPURL, url.String()),
+ tracer.Tag(ext.HTTPURL, urlFromRequest(req, rt.cfg.queryString)),
tracer.Tag(ext.Component, componentName),
tracer.Tag(ext.SpanKind, ext.SpanKindClient),
tracer.Tag(ext.NetworkDestinationName, url.Hostname()),
@@ -85,7 +86,6 @@ func (rt *roundTripper) RoundTrip(req *http.Request) (res *http.Response, err er
}
res, err = rt.base.RoundTrip(r2)
-
if err != nil {
span.SetTag("http.errors", err.Error())
if rt.cfg.errCheck == nil || rt.cfg.errCheck(err) {
@@ -93,8 +93,7 @@ func (rt *roundTripper) RoundTrip(req *http.Request) (res *http.Response, err er
}
} else {
span.SetTag(ext.HTTPCode, strconv.Itoa(res.StatusCode))
- // treat 5XX as errors
- if res.StatusCode/100 == 5 {
+ if rt.cfg.isStatusError(res.StatusCode) {
span.SetTag("http.errors", res.Status)
span.SetTag(ext.Error, fmt.Errorf("%d: %s", res.StatusCode, http.StatusText(res.StatusCode)))
}
@@ -134,3 +133,32 @@ func WrapClient(c *http.Client, opts ...RoundTripperOption) *http.Client {
c.Transport = WrapRoundTripper(c.Transport, opts...)
return c
}
+
+// urlFromRequest returns the URL from the HTTP request. The URL query string is included in the return object iff queryString is true
+// See https://docs.datadoghq.com/tracing/configure_data_security#redacting-the-query-in-the-url for more information.
+func urlFromRequest(r *http.Request, queryString bool) string {
+ // Quoting net/http comments about net.Request.URL on server requests:
+ // "For most requests, fields other than Path and RawQuery will be
+ // empty. (See RFC 7230, Section 5.3)"
+ // This is why we don't rely on url.URL.String(), url.URL.Host, url.URL.Scheme, etc...
+ var url string
+ path := r.URL.EscapedPath()
+ scheme := r.URL.Scheme
+ if r.TLS != nil {
+ scheme = "https"
+ }
+ if r.Host != "" {
+ url = strings.Join([]string{scheme, "://", r.Host, path}, "")
+ } else {
+ url = path
+ }
+ // Collect the query string if we are allowed to report it and obfuscate it if possible/allowed
+ if queryString && r.URL.RawQuery != "" {
+ query := r.URL.RawQuery
+ url = strings.Join([]string{url, query}, "?")
+ }
+ if frag := r.URL.EscapedFragment(); frag != "" {
+ url = strings.Join([]string{url, frag}, "#")
+ }
+ return url
+}
diff --git a/contrib/net/http/roundtripper_test.go b/contrib/net/http/roundtripper_test.go
index 6eb3ff82e2..5a88b83b37 100644
--- a/contrib/net/http/roundtripper_test.go
+++ b/contrib/net/http/roundtripper_test.go
@@ -11,6 +11,8 @@ import (
"net/http"
"net/http/httptest"
"net/url"
+ "os"
+ "regexp"
"strconv"
"strings"
"testing"
@@ -96,58 +98,67 @@ func TestRoundTripper(t *testing.T) {
assert.Equal(t, float64(wantPort), s1.Tag(ext.NetworkDestinationPort))
}
-func TestRoundTripperServerError(t *testing.T) {
- mt := mocktracer.Start()
- defer mt.Stop()
-
- s := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- spanctx, err := tracer.Extract(tracer.HTTPHeadersCarrier(r.Header))
- assert.NoError(t, err)
-
- span := tracer.StartSpan("test",
- tracer.ChildOf(spanctx))
- defer span.Finish()
-
- w.WriteHeader(http.StatusInternalServerError)
- w.Write([]byte("Error"))
- }))
- defer s.Close()
-
- rt := WrapRoundTripper(http.DefaultTransport,
- WithBefore(func(req *http.Request, span *tracer.Span) {
- span.SetTag("CalledBefore", true)
- }),
- WithAfter(func(res *http.Response, span *tracer.Span) {
- span.SetTag("CalledAfter", true)
- }))
-
+func makeRequests(rt http.RoundTripper, url string, t *testing.T) {
client := &http.Client{
Transport: rt,
}
+ resp, err := client.Get(url + "/400")
+ assert.Nil(t, err)
+ defer resp.Body.Close()
- resp, err := client.Get(s.URL + "/hello/world")
+ resp, err = client.Get(url + "/500")
assert.Nil(t, err)
defer resp.Body.Close()
- spans := mt.FinishedSpans()
- assert.Len(t, spans, 2)
- assert.Equal(t, spans[0].TraceID(), spans[1].TraceID())
+ resp, err = client.Get(url + "/200")
+ assert.Nil(t, err)
+ defer resp.Body.Close()
+}
- s0 := spans[0]
- assert.Equal(t, "test", s0.OperationName())
- assert.Equal(t, "test", s0.Tag(ext.ResourceName))
+func TestRoundTripperErrors(t *testing.T) {
+ mux := http.NewServeMux()
+ mux.HandleFunc("/200", handler200)
+ mux.HandleFunc("/400", handler400)
+ mux.HandleFunc("/500", handler500)
+ s := httptest.NewServer(mux)
+ defer s.Close()
- s1 := spans[1]
- assert.Equal(t, "http.request", s1.OperationName())
- assert.Equal(t, "http.request", s1.Tag(ext.ResourceName))
- assert.Equal(t, "500", s1.Tag(ext.HTTPCode))
- assert.Equal(t, "GET", s1.Tag(ext.HTTPMethod))
- assert.Equal(t, s.URL+"/hello/world", s1.Tag(ext.HTTPURL))
- assert.Equal(t, "500: Internal Server Error", s1.Tag(ext.ErrorMsg))
- assert.Equal(t, "true", s1.Tag("CalledBefore"))
- assert.Equal(t, "true", s1.Tag("CalledAfter"))
- assert.Equal(t, ext.SpanKindClient, s1.Tag(ext.SpanKind))
- assert.Equal(t, "net/http", s1.Tag(ext.Component))
+ t.Run("default", func(t *testing.T) {
+ mt := mocktracer.Start()
+ defer mt.Stop()
+ rt := WrapRoundTripper(http.DefaultTransport)
+ makeRequests(rt, s.URL, t)
+ spans := mt.FinishedSpans()
+ assert.Len(t, spans, 3)
+ s := spans[0] // 400 is error
+ assert.Equal(t, "400: Bad Request", s.Tag(ext.Error).(error).Error())
+ assert.Equal(t, "400", s.Tag(ext.HTTPCode))
+ s = spans[1] // 500 is not error
+ assert.Empty(t, s.Tag(ext.Error))
+ assert.Equal(t, "500", s.Tag(ext.HTTPCode))
+ s = spans[2] // 200 is not error
+ assert.Empty(t, s.Tag(ext.Error))
+ assert.Equal(t, "200", s.Tag(ext.HTTPCode))
+ })
+ t.Run("custom", func(t *testing.T) {
+ os.Setenv("DD_TRACE_HTTP_CLIENT_ERROR_STATUSES", "500-510")
+ defer os.Unsetenv("DD_TRACE_HTTP_CLIENT_ERROR_STATUSES")
+ mt := mocktracer.Start()
+ defer mt.Stop()
+ rt := WrapRoundTripper(http.DefaultTransport)
+ makeRequests(rt, s.URL, t)
+ spans := mt.FinishedSpans()
+ assert.Len(t, spans, 3)
+ s := spans[0] // 400 is not error
+ assert.Empty(t, s.Tag(ext.Error))
+ assert.Equal(t, "400", s.Tag(ext.HTTPCode))
+ s = spans[1] // 500 is error
+ assert.Equal(t, "500: Internal Server Error", s.Tag(ext.Error).(error).Error())
+ assert.Equal(t, "500", s.Tag(ext.HTTPCode))
+ s = spans[2] // 200 is not error
+ assert.Empty(t, s.Tag(ext.Error))
+ assert.Equal(t, "200", s.Tag(ext.HTTPCode))
+ })
}
func TestRoundTripperNetworkError(t *testing.T) {
@@ -537,6 +548,70 @@ func TestSpanOptions(t *testing.T) {
assert.Equal(t, tagValue, spans[0].Tag(tagKey))
}
+func TestClientQueryString(t *testing.T) {
+ s := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ w.Write([]byte("Hello World"))
+ }))
+ defer s.Close()
+ t.Run("default", func(t *testing.T) {
+ mt := mocktracer.Start()
+ defer mt.Stop()
+
+ rt := WrapRoundTripper(http.DefaultTransport)
+ client := &http.Client{
+ Transport: rt,
+ }
+ resp, err := client.Get(s.URL + "/hello/world?querystring=xyz")
+ assert.Nil(t, err)
+ defer resp.Body.Close()
+ spans := mt.FinishedSpans()
+ assert.Len(t, spans, 1)
+
+ assert.Regexp(t, regexp.MustCompile(`^http://.*?/hello/world\?querystring=xyz$`), spans[0].Tag(ext.HTTPURL))
+ })
+ t.Run("false", func(t *testing.T) {
+ mt := mocktracer.Start()
+ defer mt.Stop()
+
+ os.Setenv("DD_TRACE_HTTP_CLIENT_TAG_QUERY_STRING", "false")
+ defer os.Unsetenv("DD_TRACE_HTTP_CLIENT_TAG_QUERY_STRING")
+
+ rt := WrapRoundTripper(http.DefaultTransport)
+ client := &http.Client{
+ Transport: rt,
+ }
+ resp, err := client.Get(s.URL + "/hello/world?querystring=xyz")
+ assert.Nil(t, err)
+ defer resp.Body.Close()
+ spans := mt.FinishedSpans()
+ assert.Len(t, spans, 1)
+
+ assert.Regexp(t, regexp.MustCompile(`^http://.*?/hello/world$`), spans[0].Tag(ext.HTTPURL))
+ })
+ // DD_TRACE_HTTP_URL_QUERY_STRING_DISABLED applies only to server spans, not client
+ t.Run("Not impacted by DD_TRACE_HTTP_URL_QUERY_STRING_DISABLED", func(t *testing.T) {
+ mt := mocktracer.Start()
+ defer mt.Stop()
+
+ os.Setenv("DD_TRACE_HTTP_CLIENT_TAG_QUERY_STRING", "true")
+ os.Setenv("DD_TRACE_HTTP_URL_QUERY_STRING_DISABLED", "true")
+ defer os.Unsetenv("DD_TRACE_HTTP_CLIENT_TAG_QUERY_STRING")
+ defer os.Unsetenv("DD_TRACE_HTTP_URL_QUERY_STRING_DISABLED")
+
+ rt := WrapRoundTripper(http.DefaultTransport)
+ client := &http.Client{
+ Transport: rt,
+ }
+ resp, err := client.Get(s.URL + "/hello/world?querystring=xyz")
+ assert.Nil(t, err)
+ defer resp.Body.Close()
+ spans := mt.FinishedSpans()
+ assert.Len(t, spans, 1)
+
+ assert.Contains(t, spans[0].Tag(ext.HTTPURL), "/hello/world?querystring=xyz")
+ })
+}
+
func TestRoundTripperPropagation(t *testing.T) {
mt := mocktracer.Start()
defer mt.Stop()
@@ -629,7 +704,7 @@ func TestAppsec(t *testing.T) {
require.Contains(t, serviceSpan.Tags(), "_dd.appsec.json")
appsecJSON := serviceSpan.Tag("_dd.appsec.json")
- require.Contains(t, appsecJSON, "server.io.net.url")
+ require.Contains(t, appsecJSON, addresses.ServerIoNetURLAddr)
require.Contains(t, serviceSpan.Tags(), "_dd.stack")
require.NotContains(t, serviceSpan.Tags(), "error.message")
diff --git a/ddtrace/mocktracer/main_test.go b/ddtrace/mocktracer/main_test.go
new file mode 100644
index 0000000000..d584962bf7
--- /dev/null
+++ b/ddtrace/mocktracer/main_test.go
@@ -0,0 +1,15 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package mocktracer
+
+import (
+ "go.uber.org/goleak"
+ "testing"
+)
+
+func TestMain(m *testing.M) {
+ goleak.VerifyTestMain(m)
+}
diff --git a/ddtrace/mocktracer/mockspan_test.go b/ddtrace/mocktracer/mockspan_test.go
new file mode 100644
index 0000000000..4c0d91e8ab
--- /dev/null
+++ b/ddtrace/mocktracer/mockspan_test.go
@@ -0,0 +1,272 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016 Datadog, Inc.
+
+package mocktracer
+
+import (
+ "errors"
+ "testing"
+ "time"
+
+ "github.com/DataDog/dd-trace-go/v2/ddtrace"
+ "github.com/DataDog/dd-trace-go/v2/ddtrace/ext"
+ "github.com/DataDog/dd-trace-go/v2/ddtrace/tracer"
+
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+)
+
+// basicSpan returns a span with no configuration, having the set operation name.
+func basicSpan(operationName string) *mockspan {
+ return newSpan(&mocktracer{}, operationName, &ddtrace.StartSpanConfig{})
+}
+
+func TestNewSpan(t *testing.T) {
+ t.Run("basic", func(t *testing.T) {
+ s := basicSpan("http.request")
+
+ assert := assert.New(t)
+ assert.Equal("http.request", s.name)
+ assert.False(s.startTime.IsZero())
+ assert.Zero(s.parentID)
+ assert.NotNil(s.context)
+ assert.NotZero(s.context.spanID)
+ assert.Equal(s.context.spanID, s.context.traceID)
+ })
+
+ t.Run("options", func(t *testing.T) {
+ tr := new(mocktracer)
+ startTime := time.Now()
+ tags := map[string]interface{}{"k": "v", "k1": "v1"}
+ opts := &ddtrace.StartSpanConfig{
+ StartTime: startTime,
+ Tags: tags,
+ }
+ s := newSpan(tr, "http.request", opts)
+
+ assert := assert.New(t)
+ assert.Equal(tr, s.tracer)
+ assert.Equal("http.request", s.name)
+ assert.Equal(startTime, s.startTime)
+ assert.Equal(tags, s.tags)
+ })
+
+ t.Run("parent", func(t *testing.T) {
+ baggage := map[string]string{"A": "B", "C": "D"}
+ parentctx := &spanContext{spanID: 1, traceID: 2, baggage: baggage}
+ opts := &ddtrace.StartSpanConfig{Parent: parentctx}
+ s := newSpan(&mocktracer{}, "http.request", opts)
+
+ assert := assert.New(t)
+ assert.NotNil(s.context)
+ assert.Equal(uint64(1), s.parentID)
+ assert.Equal(uint64(2), s.context.traceID)
+ assert.Equal(baggage, s.context.baggage)
+ })
+}
+
+func TestSpanSetTag(t *testing.T) {
+ s := basicSpan("http.request")
+ s.SetTag("a", "b")
+ s.SetTag("c", "d")
+
+ assert := assert.New(t)
+ assert.Len(s.Tags(), 3)
+ assert.Equal("http.request", s.Tag(ext.ResourceName))
+ assert.Equal("b", s.Tag("a"))
+ assert.Equal("d", s.Tag("c"))
+}
+
+func TestSpanSetTagPriority(t *testing.T) {
+ assert := assert.New(t)
+ s := basicSpan("http.request")
+ assert.False(s.context.hasSamplingPriority())
+ s.SetTag(ext.SamplingPriority, -1)
+ assert.True(s.context.hasSamplingPriority())
+ assert.Equal(-1, s.context.samplingPriority())
+}
+
+func TestSpanTagImmutability(t *testing.T) {
+ s := basicSpan("http.request")
+ s.SetTag("a", "b")
+ tags := s.Tags()
+ tags["a"] = 123
+ tags["b"] = 456
+
+ assert := assert.New(t)
+ assert.Equal("b", s.tags["a"])
+ assert.Zero(s.tags["b"])
+}
+
+func TestSpanStartTime(t *testing.T) {
+ startTime := time.Now()
+ s := newSpan(&mocktracer{}, "http.request", &ddtrace.StartSpanConfig{StartTime: startTime})
+
+ assert := assert.New(t)
+ assert.Equal(startTime, s.startTime)
+ assert.Equal(startTime, s.StartTime())
+}
+
+func TestSpanFinishTime(t *testing.T) {
+ s := basicSpan("http.request")
+ finishTime := time.Now()
+ s.Finish(tracer.FinishTime(finishTime))
+
+ assert := assert.New(t)
+ assert.Equal(finishTime, s.finishTime)
+ assert.Equal(finishTime, s.FinishTime())
+}
+
+func TestSpanOperationName(t *testing.T) {
+ t.Run("default", func(t *testing.T) {
+ s := basicSpan("http.request")
+ assert.Equal(t, "http.request", s.name)
+ assert.Equal(t, "http.request", s.OperationName())
+ })
+
+ t.Run("default", func(t *testing.T) {
+ s := basicSpan("http.request")
+ s.SetOperationName("db.query")
+ assert.Equal(t, "db.query", s.name)
+ assert.Equal(t, "db.query", s.OperationName())
+ })
+}
+
+func TestSpanBaggageFunctions(t *testing.T) {
+ t.Run("SetBaggageItem", func(t *testing.T) {
+ s := basicSpan("http.request")
+ s.SetBaggageItem("a", "b")
+ assert.Equal(t, "b", s.context.baggage["a"])
+ })
+
+ t.Run("BaggageItem", func(t *testing.T) {
+ s := basicSpan("http.request")
+ s.SetBaggageItem("a", "b")
+ assert.Equal(t, "b", s.BaggageItem("a"))
+ })
+}
+
+func TestSpanContext(t *testing.T) {
+ t.Run("Context", func(t *testing.T) {
+ s := basicSpan("http.request")
+ assert.Equal(t, s.context, s.Context())
+ })
+
+ t.Run("IDs", func(t *testing.T) {
+ parent := basicSpan("http.request")
+ child := newSpan(&mocktracer{}, "db.query", &ddtrace.StartSpanConfig{
+ Parent: parent.Context(),
+ })
+
+ assert := assert.New(t)
+ assert.Equal(parent.SpanID(), child.ParentID())
+ assert.Equal(parent.TraceID(), child.TraceID())
+ assert.NotZero(child.SpanID())
+ })
+}
+
+func TestSpanFinish(t *testing.T) {
+ s := basicSpan("http.request")
+ want := errors.New("some error")
+ s.Finish(tracer.WithError(want))
+
+ assert := assert.New(t)
+ assert.False(s.FinishTime().IsZero())
+ assert.True(s.FinishTime().Before(time.Now().Add(1 * time.Nanosecond)))
+ assert.Equal(want, s.Tag(ext.Error))
+}
+
+func TestSpanFinishTwice(t *testing.T) {
+ s := basicSpan("http.request")
+ wantError := errors.New("some error")
+ s.Finish(tracer.WithError(wantError))
+
+ assert := assert.New(t)
+ wantTime := s.finishTime
+ time.Sleep(2 * time.Millisecond)
+ s.Finish(tracer.WithError(errors.New("new error")))
+ assert.Equal(wantTime, s.finishTime)
+ assert.Equal(wantError, s.Tag(ext.Error))
+ assert.Equal(len(s.tracer.finishedSpans), 1)
+}
+
+func TestSpanString(t *testing.T) {
+ s := basicSpan("http.request")
+ s.Finish(tracer.WithError(errors.New("some error")))
+
+ assert := assert.New(t)
+ assert.NotEmpty(s.String())
+}
+
+func TestSpanWithID(t *testing.T) {
+ tr := newMockTracer()
+ defer tr.Stop()
+ spanID := uint64(123456789)
+ span := tr.StartSpan("", tracer.WithSpanID(spanID))
+
+ assert := assert.New(t)
+ assert.Equal(spanID, span.Context().SpanID())
+}
+
+func TestSetUser(t *testing.T) {
+ const (
+ id = "john.doe#12345"
+ name = "John Doe"
+ email = "john.doe@hostname.com"
+ scope = "read:message, write:files"
+ role = "admin"
+ sessionID = "session#12345"
+ )
+ expected := []struct{ key, value string }{
+ {key: "usr.id", value: id},
+ {key: "usr.name", value: name},
+ {key: "usr.email", value: email},
+ {key: "usr.scope", value: scope},
+ {key: "usr.role", value: role},
+ {key: "usr.session_id", value: sessionID},
+ }
+
+ t.Run("root", func(t *testing.T) {
+ s := basicSpan("root operation")
+ tracer.SetUser(s,
+ id,
+ tracer.WithUserEmail(email),
+ tracer.WithUserName(name),
+ tracer.WithUserScope(scope),
+ tracer.WithUserRole(role),
+ tracer.WithUserSessionID(sessionID))
+ s.Finish()
+ for _, pair := range expected {
+ assert.Equal(t, pair.value, s.Tag(pair.key))
+ }
+ })
+
+ t.Run("nested", func(t *testing.T) {
+ tr := newMockTracer()
+ defer tr.Stop()
+
+ s0 := tr.StartSpan("root operation")
+ s1 := tr.StartSpan("nested operation", tracer.ChildOf(s0.Context()))
+ s2 := tr.StartSpan("nested nested operation", tracer.ChildOf(s1.Context()))
+ tracer.SetUser(s2,
+ id,
+ tracer.WithUserEmail(email),
+ tracer.WithUserName(name),
+ tracer.WithUserScope(scope),
+ tracer.WithUserRole(role),
+ tracer.WithUserSessionID(sessionID))
+ s2.Finish()
+ s1.Finish()
+ s0.Finish()
+ finished := tr.FinishedSpans()
+ require.Len(t, finished, 3)
+ for _, pair := range expected {
+ assert.Equal(t, pair.value, finished[2].Tag(pair.key))
+ assert.Nil(t, finished[1].Tag(pair.key))
+ assert.Nil(t, finished[0].Tag(pair.key))
+ }
+ })
+
+}
diff --git a/ddtrace/mocktracer/mocktracer.go b/ddtrace/mocktracer/mocktracer.go
index 3dcd3a2bfb..b12c96dce6 100644
--- a/ddtrace/mocktracer/mocktracer.go
+++ b/ddtrace/mocktracer/mocktracer.go
@@ -97,6 +97,13 @@ func (t *mocktracer) FinishSpan(s *tracer.Span) {
t.addFinishedSpan(s)
}
+// Stop deactivates the mock tracer and sets the active tracer to a no-op.
+func (t *mocktracer) Stop() {
+ internal.SetGlobalTracer(&internal.NoopTracer{})
+ internal.Testing = false
+ t.dsmProcessor.Stop()
+}
+
// Stop deactivates the mock tracer and sets the active tracer to a no-op.
func (t *mocktracer) Stop() {
tracer.StopTestTracer()
diff --git a/ddtrace/mocktracer/mocktracer_test.go b/ddtrace/mocktracer/mocktracer_test.go
index 45281186e9..23a16d3311 100644
--- a/ddtrace/mocktracer/mocktracer_test.go
+++ b/ddtrace/mocktracer/mocktracer_test.go
@@ -21,6 +21,8 @@ func TestStart(t *testing.T) {
if tt, ok := tracer.GetGlobalTracer().(Tracer); !ok || tt != trc {
t.Fail()
}
+ // If the tracer isn't stopped it leaks goroutines, and breaks other tests.
+ trc.Stop()
}
func TestTracerStop(t *testing.T) {
@@ -39,6 +41,7 @@ func TestTracerStartSpan(t *testing.T) {
t.Run("with-service", func(t *testing.T) {
mt := newMockTracer()
+ defer mt.Stop()
parent := MockSpan(newSpan("http.request", &tracer.StartSpanConfig{Tags: parentTags}))
s := MockSpan(mt.StartSpan(
"db.query",
@@ -61,6 +64,7 @@ func TestTracerStartSpan(t *testing.T) {
t.Run("inherit", func(t *testing.T) {
mt := newMockTracer()
+ defer mt.Stop()
parent := MockSpan(newSpan("http.request", &tracer.StartSpanConfig{Tags: parentTags}))
s := MockSpan(mt.StartSpan("db.query", tracer.ChildOf(parent.Context())))
@@ -126,6 +130,7 @@ func TestTracerOpenSpans(t *testing.T) {
func TestTracerSetUser(t *testing.T) {
mt := Start()
+ defer mt.Stop() // TODO (hannahkm): confirm this is correct
span := mt.StartSpan("http.request")
tracer.SetUser(span, "test-user",
tracer.WithUserEmail("email"),
@@ -172,6 +177,8 @@ func TestTracerReset(t *testing.T) {
func TestTracerInject(t *testing.T) {
t.Run("errors", func(t *testing.T) {
mt := newMockTracer()
+ defer mt.Stop()
+
assert := assert.New(t)
err := mt.Inject(&tracer.SpanContext{}, 2)
diff --git a/ddtrace/tracer/civisibility_payload.go b/ddtrace/tracer/civisibility_payload.go
index 73b5095a46..ce1ed04b0d 100644
--- a/ddtrace/tracer/civisibility_payload.go
+++ b/ddtrace/tracer/civisibility_payload.go
@@ -64,6 +64,27 @@ func newCiVisibilityPayload() *ciVisibilityPayload {
// An error if reading from the buffer or encoding the payload fails.
func (p *ciVisibilityPayload) getBuffer(config *config) (*bytes.Buffer, error) {
log.Debug("ciVisibilityPayload: .getBuffer (count: %v)", p.itemCount())
+
+ // Create a buffer to read the current payload
+ payloadBuf := new(bytes.Buffer)
+ if _, err := payloadBuf.ReadFrom(p.payload); err != nil {
+ return nil, err
+ }
+
+ // Create the visibility payload
+ visibilityPayload := p.writeEnvelope(config.env, payloadBuf.Bytes())
+
+ // Create a new buffer to encode the visibility payload in MessagePack format
+ encodedBuf := new(bytes.Buffer)
+ if err := msgp.Encode(encodedBuf, visibilityPayload); err != nil {
+ return nil, err
+ }
+
+ return encodedBuf, nil
+}
+
+func (p *ciVisibilityPayload) writeEnvelope(env string, events []byte) *ciTestCyclePayload {
+
/*
The Payload format in the CI Visibility protocol is like this:
{
@@ -84,36 +105,35 @@ func (p *ciVisibilityPayload) getBuffer(config *config) (*bytes.Buffer, error) {
The event format can be found in the `civisibility_tslv.go` file in the ciVisibilityEvent documentation
*/
- // Create a buffer to read the current payload
- payloadBuf := new(bytes.Buffer)
- if _, err := payloadBuf.ReadFrom(p.payload); err != nil {
- return nil, err
- }
-
// Create the metadata map
allMetadata := map[string]string{
"language": "go",
"runtime-id": globalconfig.RuntimeID(),
"library_version": version.Tag,
}
- if config.env != "" {
- allMetadata["env"] = config.env
+ if env != "" {
+ allMetadata["env"] = env
}
// Create the visibility payload
- visibilityPayload := ciTestCyclePayload{
+ visibilityPayload := &ciTestCyclePayload{
Version: 1,
Metadata: map[string]map[string]string{
"*": allMetadata,
},
- Events: payloadBuf.Bytes(),
+ Events: events,
}
- // Create a new buffer to encode the visibility payload in MessagePack format
- encodedBuf := new(bytes.Buffer)
- if err := msgp.Encode(encodedBuf, &visibilityPayload); err != nil {
- return nil, err
+ // Check for the test session name and append the tag at the metadata level
+ if testSessionName, ok := utils.GetCITags()[constants.TestSessionName]; ok {
+ testSessionMap := map[string]string{
+ constants.TestSessionName: testSessionName,
+ }
+ visibilityPayload.Metadata["test_session_end"] = testSessionMap
+ visibilityPayload.Metadata["test_module_end"] = testSessionMap
+ visibilityPayload.Metadata["test_suite_end"] = testSessionMap
+ visibilityPayload.Metadata["test"] = testSessionMap
}
- return encodedBuf, nil
+ return visibilityPayload
}
diff --git a/ddtrace/tracer/civisibility_payload_test.go b/ddtrace/tracer/civisibility_payload_test.go
index 04594b8135..869d835676 100644
--- a/ddtrace/tracer/civisibility_payload_test.go
+++ b/ddtrace/tracer/civisibility_payload_test.go
@@ -7,12 +7,17 @@ package tracer
import (
"bytes"
+ "encoding/json"
"io"
"strconv"
"strings"
"sync/atomic"
"testing"
+ "github.com/DataDog/dd-trace-go/v2/internal/civisibility/constants"
+ "github.com/DataDog/dd-trace-go/v2/internal/civisibility/utils"
+ "github.com/DataDog/dd-trace-go/v2/internal/globalconfig"
+ "github.com/DataDog/dd-trace-go/v2/internal/version"
"github.com/stretchr/testify/assert"
"github.com/tinylib/msgp/msgp"
)
@@ -80,6 +85,50 @@ func TestCiVisibilityPayloadDecode(t *testing.T) {
}
}
+func TestCiVisibilityPayloadEnvelope(t *testing.T) {
+ assert := assert.New(t)
+ p := newCiVisibilityPayload()
+ payload := p.writeEnvelope("none", []byte{})
+
+ // Encode the payload to message pack
+ encodedBuf := new(bytes.Buffer)
+ err := msgp.Encode(encodedBuf, payload)
+ assert.NoError(err)
+
+ // Convert the message pack to json
+ jsonBuf := new(bytes.Buffer)
+ _, err = msgp.CopyToJSON(jsonBuf, encodedBuf)
+ assert.NoError(err)
+
+ // Decode the json payload
+ var testCyclePayload ciTestCyclePayload
+ err = json.Unmarshal(jsonBuf.Bytes(), &testCyclePayload)
+ assert.NoError(err)
+
+ // Now let's assert the decoded envelope metadata
+ assert.Contains(testCyclePayload.Metadata, "*")
+ assert.Subset(testCyclePayload.Metadata["*"], map[string]string{
+ "language": "go",
+ "runtime-id": globalconfig.RuntimeID(),
+ "library_version": version.Tag,
+ })
+
+ testSessionName := utils.GetCITags()[constants.TestSessionName]
+ testSessionMap := map[string]string{constants.TestSessionName: testSessionName}
+
+ assert.Contains(testCyclePayload.Metadata, "test_session_end")
+ assert.Subset(testCyclePayload.Metadata["test_session_end"], testSessionMap)
+
+ assert.Contains(testCyclePayload.Metadata, "test_module_end")
+ assert.Subset(testCyclePayload.Metadata["test_module_end"], testSessionMap)
+
+ assert.Contains(testCyclePayload.Metadata, "test_suite_end")
+ assert.Subset(testCyclePayload.Metadata["test_suite_end"], testSessionMap)
+
+ assert.Contains(testCyclePayload.Metadata, "test")
+ assert.Subset(testCyclePayload.Metadata["test"], testSessionMap)
+}
+
func BenchmarkCiVisibilityPayloadThroughput(b *testing.B) {
b.Run("10K", benchmarkCiVisibilityPayloadThroughput(1))
b.Run("100K", benchmarkCiVisibilityPayloadThroughput(10))
diff --git a/ddtrace/tracer/civisibility_transport.go b/ddtrace/tracer/civisibility_transport.go
index d238329ca6..5dd1a25a0d 100644
--- a/ddtrace/tracer/civisibility_transport.go
+++ b/ddtrace/tracer/civisibility_transport.go
@@ -106,6 +106,8 @@ func newCiVisibilityTransport(config *config) *ciVisibilityTransport {
}
log.Debug("ciVisibilityTransport: creating transport instance [agentless: %v, testcycleurl: %v]", agentlessEnabled, testCycleURL)
+ log.Debug("ciVisibilityTransport: creating transport instance [agentless: %v, testcycleurl: %v]", agentlessEnabled, testCycleURL)
+
return &ciVisibilityTransport{
config: config,
testCycleURLPath: testCycleURL,
@@ -159,6 +161,7 @@ func (t *ciVisibilityTransport) send(p *payload) (body io.ReadCloser, err error)
}
log.Debug("ciVisibilityTransport: sending transport request: %v bytes", buffer.Len())
+ log.Debug("ciVisibilityTransport: sending transport request: %v bytes", buffer.Len())
response, err := t.config.httpClient.Do(req)
if err != nil {
return nil, err
diff --git a/ddtrace/tracer/civisibility_tslv.go b/ddtrace/tracer/civisibility_tslv.go
index 888154e5e3..075aace398 100644
--- a/ddtrace/tracer/civisibility_tslv.go
+++ b/ddtrace/tracer/civisibility_tslv.go
@@ -271,6 +271,7 @@ func getCiVisibilityEvent(span *Span) *ciVisibilityEvent {
// A pointer to the created ciVisibilityEvent.
func createTestEventFromSpan(span *Span) *ciVisibilityEvent {
tSpan := createTslvSpan(span)
+ tSpan.ParentID = 0
tSpan.SessionID = getAndRemoveMetaToUInt64(span, constants.TestSessionIDTag)
tSpan.ModuleID = getAndRemoveMetaToUInt64(span, constants.TestModuleIDTag)
tSpan.SuiteID = getAndRemoveMetaToUInt64(span, constants.TestSuiteIDTag)
@@ -296,6 +297,7 @@ func createTestEventFromSpan(span *Span) *ciVisibilityEvent {
// A pointer to the created ciVisibilityEvent.
func createTestSuiteEventFromSpan(span *Span) *ciVisibilityEvent {
tSpan := createTslvSpan(span)
+ tSpan.ParentID = 0
tSpan.SessionID = getAndRemoveMetaToUInt64(span, constants.TestSessionIDTag)
tSpan.ModuleID = getAndRemoveMetaToUInt64(span, constants.TestModuleIDTag)
tSpan.SuiteID = getAndRemoveMetaToUInt64(span, constants.TestSuiteIDTag)
@@ -318,6 +320,7 @@ func createTestSuiteEventFromSpan(span *Span) *ciVisibilityEvent {
// A pointer to the created ciVisibilityEvent.
func createTestModuleEventFromSpan(span *Span) *ciVisibilityEvent {
tSpan := createTslvSpan(span)
+ tSpan.ParentID = 0
tSpan.SessionID = getAndRemoveMetaToUInt64(span, constants.TestSessionIDTag)
tSpan.ModuleID = getAndRemoveMetaToUInt64(span, constants.TestModuleIDTag)
return &ciVisibilityEvent{
@@ -339,6 +342,7 @@ func createTestModuleEventFromSpan(span *Span) *ciVisibilityEvent {
// A pointer to the created ciVisibilityEvent.
func createTestSessionEventFromSpan(span *Span) *ciVisibilityEvent {
tSpan := createTslvSpan(span)
+ tSpan.ParentID = 0
tSpan.SessionID = getAndRemoveMetaToUInt64(span, constants.TestSessionIDTag)
return &ciVisibilityEvent{
span: span,
diff --git a/ddtrace/tracer/civisibility_writer.go b/ddtrace/tracer/civisibility_writer.go
index 0a547ac551..c79ffe7cc0 100644
--- a/ddtrace/tracer/civisibility_writer.go
+++ b/ddtrace/tracer/civisibility_writer.go
@@ -63,7 +63,7 @@ func (w *ciVisibilityTraceWriter) add(trace []*Span) {
for _, s := range trace {
cvEvent := getCiVisibilityEvent(s)
if err := w.payload.push(cvEvent); err != nil {
- log.Error("Error encoding msgpack: %v", err)
+ log.Error("ciVisibilityTraceWriter: Error encoding msgpack: %v", err)
}
if w.payload.size() > agentlessPayloadSizeLimit {
w.flush()
@@ -105,16 +105,16 @@ func (w *ciVisibilityTraceWriter) flush() {
var err error
for attempt := 0; attempt <= w.config.sendRetries; attempt++ {
size, count = p.size(), p.itemCount()
- log.Debug("Sending payload: size: %d events: %d\n", size, count)
+ log.Debug("ciVisibilityTraceWriter: sending payload: size: %d events: %d\n", size, count)
_, err = w.config.transport.send(p.payload)
if err == nil {
- log.Debug("sent events after %d attempts", attempt+1)
+ log.Debug("ciVisibilityTraceWriter: sent events after %d attempts", attempt+1)
return
}
- log.Error("failure sending events (attempt %d), will retry: %v", attempt+1, err)
+ log.Error("ciVisibilityTraceWriter: failure sending events (attempt %d), will retry: %v", attempt+1, err)
p.reset()
time.Sleep(time.Millisecond)
}
- log.Error("lost %d events: %v", count, err)
+ log.Error("ciVisibilityTraceWriter: lost %d events: %v", count, err)
}(oldp)
}
diff --git a/ddtrace/tracer/option.go b/ddtrace/tracer/option.go
index 1557ac6344..f7a6059ec3 100644
--- a/ddtrace/tracer/option.go
+++ b/ddtrace/tracer/option.go
@@ -273,6 +273,9 @@ type config struct {
// ciVisibilityEnabled controls if the tracer is loaded with CI Visibility mode. default false
ciVisibilityEnabled bool
+
+ // logDirectory is directory for tracer logs specified by user-setting DD_TRACE_LOG_DIRECTORY. default empty/unused
+ logDirectory string
}
// orchestrionConfig contains Orchestrion configuration.
@@ -377,6 +380,7 @@ func newConfig(opts ...StartOption) (*config, error) {
c.logStartup = internal.BoolEnv("DD_TRACE_STARTUP_LOGS", true)
c.runtimeMetrics = internal.BoolVal(getDDorOtelConfig("metrics"), false)
c.debug = internal.BoolVal(getDDorOtelConfig("debugMode"), false)
+ c.logDirectory = os.Getenv("DD_TRACE_LOG_DIRECTORY")
c.enabled = newDynamicConfig("tracing_enabled", internal.BoolVal(getDDorOtelConfig("enabled"), true), func(b bool) bool { return true }, equal[bool])
if _, ok := os.LookupEnv("DD_TRACE_ENABLED"); ok {
c.enabled.cfgOrigin = telemetry.OriginEnvVar
@@ -506,7 +510,6 @@ func newConfig(opts ...StartOption) (*config, error) {
if c.debug {
log.SetLevel(log.LevelDebug)
}
-
// if using stdout or traces are disabled, agent is disabled
agentDisabled := c.logToStdout || !c.enabled.current
c.agent = loadAgentFeatures(agentDisabled, c.agentURL, c.httpClient)
diff --git a/ddtrace/tracer/rand.go b/ddtrace/tracer/rand.go
index 056f2aeb1c..192a6725f9 100644
--- a/ddtrace/tracer/rand.go
+++ b/ddtrace/tracer/rand.go
@@ -3,68 +3,17 @@
// This product includes software developed at Datadog (https://www.datadoghq.com/).
// Copyright 2016 Datadog, Inc.
-//go:build !go1.22
-
-// TODO(knusbaum): This file should be deleted once go1.21 falls out of support
package tracer
import (
- cryptorand "crypto/rand"
"math"
- "math/big"
- "math/rand"
- "sync"
- "time"
-
- "github.com/DataDog/dd-trace-go/v2/internal/log"
+ "math/rand/v2"
)
-// random holds a thread-safe source of random numbers.
-var random *rand.Rand
-
-func init() {
- var seed int64
- n, err := cryptorand.Int(cryptorand.Reader, big.NewInt(math.MaxInt64))
- if err == nil {
- seed = n.Int64()
- } else {
- log.Warn("cannot generate random seed: %v; using current time", err)
- seed = time.Now().UnixNano()
- }
- random = rand.New(&safeSource{
- source: rand.NewSource(seed),
- })
-}
-
-// safeSource holds a thread-safe implementation of rand.Source64.
-type safeSource struct {
- source rand.Source
- sync.Mutex
-}
-
-func (rs *safeSource) Int63() int64 {
- rs.Lock()
- n := rs.source.Int63()
- rs.Unlock()
-
- return n
-}
-
-func (rs *safeSource) Uint64() uint64 { return uint64(rs.Int63()) }
-
-func (rs *safeSource) Seed(seed int64) {
- rs.Lock()
- rs.source.Seed(seed)
- rs.Unlock()
+func randUint64() uint64 {
+ return rand.Uint64()
}
-// generateSpanID returns a random uint64 that has been XORd with the startTime.
-// This is done to get around the 32-bit random seed limitation that may create collisions if there is a large number
-// of go services all generating spans.
func generateSpanID(startTime int64) uint64 {
- return random.Uint64() ^ uint64(startTime)
-}
-
-func randUint64() uint64 {
- return random.Uint64()
+ return rand.Uint64() & math.MaxInt64
}
diff --git a/ddtrace/tracer/rand_go1_22.go b/ddtrace/tracer/rand_go1_22.go
deleted file mode 100644
index 9e7948e47e..0000000000
--- a/ddtrace/tracer/rand_go1_22.go
+++ /dev/null
@@ -1,21 +0,0 @@
-// Unless explicitly stated otherwise all files in this repository are licensed
-// under the Apache License Version 2.0.
-// This product includes software developed at Datadog (https://www.datadoghq.com/).
-// Copyright 2016 Datadog, Inc.
-
-//go:build go1.22
-
-package tracer
-
-import (
- "math"
- "math/rand/v2"
-)
-
-func randUint64() uint64 {
- return rand.Uint64()
-}
-
-func generateSpanID(startTime int64) uint64 {
- return rand.Uint64() & math.MaxInt64
-}
diff --git a/ddtrace/tracer/rules_sampler.go b/ddtrace/tracer/rules_sampler.go
index 07f5d02b74..b600a3da57 100644
--- a/ddtrace/tracer/rules_sampler.go
+++ b/ddtrace/tracer/rules_sampler.go
@@ -19,6 +19,7 @@ import (
"github.com/DataDog/dd-trace-go/v2/ddtrace/ext"
"github.com/DataDog/dd-trace-go/v2/internal/log"
"github.com/DataDog/dd-trace-go/v2/internal/samplernames"
+ "github.com/DataDog/dd-trace-go/v2/internal/telemetry"
"golang.org/x/time/rate"
)
@@ -516,6 +517,7 @@ const defaultRateLimit = 100.0
// The limit is DD_TRACE_RATE_LIMIT if set, `defaultRateLimit` otherwise.
func newRateLimiter() *rateLimiter {
limit := defaultRateLimit
+ origin := telemetry.OriginDefault
v := os.Getenv("DD_TRACE_RATE_LIMIT")
if v != "" {
l, err := strconv.ParseFloat(v, 64)
@@ -525,9 +527,11 @@ func newRateLimiter() *rateLimiter {
log.Warn("DD_TRACE_RATE_LIMIT negative, using default value %f", limit)
} else {
// override the default limit
+ origin = telemetry.OriginEnvVar
limit = l
}
}
+ reportTelemetryOnAppStarted(telemetry.Configuration{Name: "trace_rate_limit", Value: limit, Origin: origin})
return &rateLimiter{
limiter: rate.NewLimiter(rate.Limit(limit), int(math.Ceil(limit))),
prevTime: time.Now(),
diff --git a/ddtrace/tracer/spancontext_test.go b/ddtrace/tracer/spancontext_test.go
index 5a0175fbeb..c5dedf977e 100644
--- a/ddtrace/tracer/spancontext_test.go
+++ b/ddtrace/tracer/spancontext_test.go
@@ -156,6 +156,25 @@ func TestSpanTracePushOne(t *testing.T) {
assert.Equal(0, len(trace.spans), "no more spans in the trace")
}
+// Tests to confirm that when the payload queue is full, chunks are dropped
+// and the associated trace is counted as dropped.
+func TestTraceFinishChunk(t *testing.T) {
+ assert := assert.New(t)
+ tracer := newUnstartedTracer()
+ defer tracer.statsd.Close()
+
+ root := newSpan("name", "service", "resource", 0, 0, 0)
+ trace := root.context.trace
+
+ for i := 0; i < payloadQueueSize+1; i++ {
+ trace.mu.Lock()
+ c := chunk{spans: make([]*span, 1)}
+ trace.finishChunk(tracer, &c)
+ trace.mu.Unlock()
+ }
+ assert.Equal(uint32(1), tracer.totalTracesDropped)
+}
+
func TestPartialFlush(t *testing.T) {
t.Setenv("DD_TRACE_PARTIAL_FLUSH_ENABLED", "true")
t.Setenv("DD_TRACE_PARTIAL_FLUSH_MIN_SPANS", "2")
diff --git a/ddtrace/tracer/stats_payload_msgp.go b/ddtrace/tracer/stats_payload_msgp.go
index 462e1d680a..70a3a0b4c4 100644
--- a/ddtrace/tracer/stats_payload_msgp.go
+++ b/ddtrace/tracer/stats_payload_msgp.go
@@ -1,3 +1,7 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016 Datadog, Inc.
package tracer
// Code generated by github.com/tinylib/msgp DO NOT EDIT.
diff --git a/ddtrace/tracer/telemetry.go b/ddtrace/tracer/telemetry.go
index 17d43abe3e..65a2bb1a30 100644
--- a/ddtrace/tracer/telemetry.go
+++ b/ddtrace/tracer/telemetry.go
@@ -12,6 +12,12 @@ import (
"github.com/DataDog/dd-trace-go/v2/internal/telemetry"
)
+var additionalConfigs []telemetry.Configuration
+
+func reportTelemetryOnAppStarted(c telemetry.Configuration) {
+ additionalConfigs = append(additionalConfigs, c)
+}
+
// startTelemetry starts the global instrumentation telemetry client with tracer data
// unless instrumentation telemetry is disabled via the DD_INSTRUMENTATION_TELEMETRY_ENABLED
// env var.
@@ -44,7 +50,8 @@ func startTelemetry(c *config) {
{Name: "service", Value: c.serviceName},
{Name: "universal_version", Value: c.universalVersion},
{Name: "env", Value: c.env},
- {Name: "agent_url", Value: c.agentURL.String()},
+ {Name: "version", Value: c.version},
+ {Name: "trace_agent_url", Value: c.agentURL.String()},
{Name: "agent_hostname", Value: c.hostname},
{Name: "runtime_metrics_enabled", Value: c.runtimeMetrics},
{Name: "dogstatsd_addr", Value: c.dogstatsdAddr},
@@ -55,6 +62,7 @@ func startTelemetry(c *config) {
{Name: "trace_peer_service_defaults_enabled", Value: c.peerServiceDefaultsEnabled},
{Name: "orchestrion_enabled", Value: c.orchestrionCfg.Enabled},
{Name: "trace_enabled", Value: c.enabled.current, Origin: c.enabled.cfgOrigin},
+ {Name: "trace_log_directory", Value: c.logDirectory},
c.traceSampleRate.toTelemetry(),
c.headerAsTags.toTelemetry(),
c.globalTags.toTelemetry(),
@@ -102,5 +110,6 @@ func startTelemetry(c *config) {
telemetryConfigs = append(telemetryConfigs, telemetry.Configuration{Name: "orchestrion_" + k, Value: v})
}
}
+ telemetryConfigs = append(telemetryConfigs, additionalConfigs...)
telemetry.GlobalClient.ProductChange(telemetry.NamespaceTracers, true, telemetryConfigs)
}
diff --git a/ddtrace/tracer/tracer.go b/ddtrace/tracer/tracer.go
index 0bc02e4246..ef5416bade 100644
--- a/ddtrace/tracer/tracer.go
+++ b/ddtrace/tracer/tracer.go
@@ -15,6 +15,7 @@ import (
rt "runtime/trace"
"strconv"
"sync"
+ "sync/atomic"
"time"
"github.com/DataDog/dd-trace-go/v2/ddtrace/ext"
@@ -143,6 +144,11 @@ type tracer struct {
// abandonedSpansDebugger specifies where and how potentially abandoned spans are stored
// when abandoned spans debugging is enabled.
abandonedSpansDebugger *abandonedSpansDebugger
+
+ // logFile contains a pointer to the file for writing tracer logs along with helper functionality for closing the file
+ // logFile is closed when tracer stops
+ // by default, tracer logs to stderr and this setting is unused
+ logFile *log.ManagedFile
}
const (
@@ -305,6 +311,14 @@ func newUnstartedTracer(opts ...StartOption) (*tracer, error) {
if c.dataStreamsMonitoringEnabled {
dataStreamsProcessor = datastreams.NewProcessor(statsd, c.env, c.serviceName, c.version, c.agentURL, c.httpClient)
}
+ var logFile *log.ManagedFile
+ if v := c.logDirectory; v != "" {
+ logFile, err = log.OpenFileAtPath(v)
+ if err != nil {
+ log.Warn("%v", err)
+ c.logDirectory = ""
+ }
+ }
t := &tracer{
config: c,
traceWriter: writer,
@@ -314,6 +328,7 @@ func newUnstartedTracer(opts ...StartOption) (*tracer, error) {
rulesSampling: rulesSampler,
prioritySampling: sampler,
pid: os.Getpid(),
+ logDroppedTraces: time.NewTicker(1 * time.Second),
stats: newConcentrator(c, defaultStatsBucketSize),
obfuscator: obfuscate.NewObfuscator(obfuscate.Config{
SQL: obfuscate.SQLConfig{
@@ -326,6 +341,7 @@ func newUnstartedTracer(opts ...StartOption) (*tracer, error) {
}),
statsd: statsd,
dataStreams: dataStreamsProcessor,
+ logFile: logFile,
}
return t, nil
}
@@ -496,7 +512,15 @@ func (t *tracer) pushChunk(trace *Chunk) {
select {
case t.out <- trace:
default:
- log.Error("payload queue full, dropping %d traces", len(trace.spans))
+ log.Debug("payload queue full, trace dropped %d spans", len(trace.spans))
+ atomic.AddUint32(&t.totalTracesDropped, 1)
+ }
+ select {
+ case <-t.logDroppedTraces.C:
+ if t := atomic.SwapUint32(&t.totalTracesDropped, 0); t > 0 {
+ log.Error("%d traces dropped through payload queue", t)
+ }
+ default:
}
}
@@ -720,6 +744,10 @@ func (t *tracer) Stop() {
}
appsec.Stop()
remoteconfig.Stop()
+ // Close log file last to account for any logs from the above calls
+ if t.logFile != nil {
+ t.logFile.Close()
+ }
}
// Inject uses the configured or default TextMap Propagator.
diff --git a/ddtrace/tracer/tracer_test.go b/ddtrace/tracer/tracer_test.go
index 476f0b8c40..ac626ea36a 100644
--- a/ddtrace/tracer/tracer_test.go
+++ b/ddtrace/tracer/tracer_test.go
@@ -239,6 +239,27 @@ func TestTracerStart(t *testing.T) {
})
}
+func TestTracerLogFile(t *testing.T) {
+ t.Run("valid", func(t *testing.T) {
+ dir, err := os.MkdirTemp("", "example")
+ if err != nil {
+ t.Fatalf("Failure to make temp dir: %v", err)
+ }
+ t.Setenv("DD_TRACE_LOG_DIRECTORY", dir)
+ tracer := newTracer()
+ assert.Equal(t, dir, tracer.config.logDirectory)
+ assert.NotNil(t, tracer.logFile)
+ assert.Equal(t, dir+"/"+log.LoggerFile, tracer.logFile.Name())
+ })
+ t.Run("invalid", func(t *testing.T) {
+ t.Setenv("DD_TRACE_LOG_DIRECTORY", "some/nonexistent/path")
+ tracer := newTracer()
+ defer Stop()
+ assert.Empty(t, tracer.config.logDirectory)
+ assert.Nil(t, tracer.logFile)
+ })
+}
+
func TestTracerStartSpan(t *testing.T) {
t.Run("generic", func(t *testing.T) {
tracer, err := newTracer()
diff --git a/go.mod b/go.mod
index 77627f483f..666bfdcca0 100644
--- a/go.mod
+++ b/go.mod
@@ -1,13 +1,13 @@
module github.com/DataDog/dd-trace-go/v2
-go 1.21
+go 1.22.0
require (
- github.com/DataDog/appsec-internal-go v1.7.0
+ github.com/DataDog/appsec-internal-go v1.8.0
github.com/DataDog/datadog-agent/pkg/obfuscate v0.48.0
- github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.48.1
+ github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.57.0
github.com/DataDog/datadog-go/v5 v5.3.0
- github.com/DataDog/go-libddwaf/v3 v3.3.0
+ github.com/DataDog/go-libddwaf/v3 v3.4.0
github.com/DataDog/gostackparse v0.7.0
github.com/DataDog/sketches-go v1.4.5
github.com/eapache/queue/v2 v2.0.0-20230407133247-75960ed334e4
@@ -18,14 +18,15 @@ require (
github.com/richardartoul/molecule v1.0.1-0.20240531184615-7ca0df43c0b3
github.com/spaolacci/murmur3 v1.1.0
github.com/stretchr/testify v1.9.0
- github.com/tinylib/msgp v1.1.8
+ github.com/tinylib/msgp v1.2.1
github.com/valyala/fasthttp v1.51.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.44.0
go.opentelemetry.io/otel v1.20.0
go.opentelemetry.io/otel/trace v1.20.0
go.uber.org/atomic v1.11.0
- golang.org/x/mod v0.14.0
- golang.org/x/sys v0.20.0
+ go.uber.org/goleak v1.3.0
+ golang.org/x/mod v0.18.0
+ golang.org/x/sys v0.23.0
golang.org/x/time v0.3.0
golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028
google.golang.org/grpc v1.57.1
@@ -33,7 +34,7 @@ require (
)
require (
- github.com/DataDog/go-tuf v1.0.2-0.5.2 // indirect
+ github.com/DataDog/go-tuf v1.1.0-0.5.2 // indirect
github.com/Microsoft/go-winio v0.6.1 // indirect
github.com/andybalholm/brotli v1.0.6 // indirect
github.com/cespare/xxhash/v2 v2.2.0 // indirect
@@ -44,12 +45,13 @@ require (
github.com/go-logr/logr v1.3.0 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/golang/protobuf v1.5.3 // indirect
+ github.com/gorilla/mux v1.8.0 // indirect
github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
github.com/hashicorp/go-sockaddr v1.0.2 // indirect
github.com/klauspost/compress v1.17.1 // indirect
github.com/kr/pretty v0.3.0 // indirect
github.com/outcaste-io/ristretto v0.2.3 // indirect
- github.com/philhofer/fwd v1.1.2 // indirect
+ github.com/philhofer/fwd v1.1.3-0.20240612014219-fbbf4953d986 // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
github.com/rogpeppe/go-internal v1.9.0 // indirect
@@ -58,9 +60,10 @@ require (
github.com/stretchr/objx v0.5.2 // indirect
github.com/valyala/bytebufferpool v1.0.0 // indirect
go.opentelemetry.io/otel/metric v1.20.0 // indirect
- golang.org/x/net v0.23.0 // indirect
- golang.org/x/text v0.14.0 // indirect
- golang.org/x/tools v0.16.1 // indirect
+ golang.org/x/net v0.26.0 // indirect
+ golang.org/x/sync v0.7.0 // indirect
+ golang.org/x/text v0.16.0 // indirect
+ golang.org/x/tools v0.22.0 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
)
diff --git a/go.sum b/go.sum
index d68e731518..7e827e58a2 100644
--- a/go.sum
+++ b/go.sum
@@ -1,15 +1,15 @@
-github.com/DataDog/appsec-internal-go v1.7.0 h1:iKRNLih83dJeVya3IoUfK+6HLD/hQsIbyBlfvLmAeb0=
-github.com/DataDog/appsec-internal-go v1.7.0/go.mod h1:wW0cRfWBo4C044jHGwYiyh5moQV2x0AhnwqMuiX7O/g=
+github.com/DataDog/appsec-internal-go v1.8.0 h1:1Tfn3LEogntRqZtf88twSApOCAAO3V+NILYhuQIo4J4=
+github.com/DataDog/appsec-internal-go v1.8.0/go.mod h1:wW0cRfWBo4C044jHGwYiyh5moQV2x0AhnwqMuiX7O/g=
github.com/DataDog/datadog-agent/pkg/obfuscate v0.48.0 h1:bUMSNsw1iofWiju9yc1f+kBd33E3hMJtq9GuU602Iy8=
github.com/DataDog/datadog-agent/pkg/obfuscate v0.48.0/go.mod h1:HzySONXnAgSmIQfL6gOv9hWprKJkx8CicuXuUbmgWfo=
-github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.48.1 h1:5nE6N3JSs2IG3xzMthNFhXfOaXlrsdgqmJ73lndFf8c=
-github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.48.1/go.mod h1:Vc+snp0Bey4MrrJyiV2tVxxJb6BmLomPvN1RgAvjGaQ=
+github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.57.0 h1:LplNAmMgZvGU7kKA0+4c1xWOjz828xweW5TCi8Mw9Q0=
+github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.57.0/go.mod h1:4Vo3SJ24uzfKHUHLoFa8t8o+LH+7TCQ7sPcZDtOpSP4=
github.com/DataDog/datadog-go/v5 v5.3.0 h1:2q2qjFOb3RwAZNU+ez27ZVDwErJv5/VpbBPprz7Z+s8=
github.com/DataDog/datadog-go/v5 v5.3.0/go.mod h1:XRDJk1pTc00gm+ZDiBKsjh7oOOtJfYfglVCmFb8C2+Q=
-github.com/DataDog/go-libddwaf/v3 v3.3.0 h1:jS72fuQpFgJZEdEJDmHJCPAgNTEMZoz1EUvimPUOiJ4=
-github.com/DataDog/go-libddwaf/v3 v3.3.0/go.mod h1:Bz/0JkpGf689mzbUjKJeheJINqsyyhM8p9PDuHdK2Ec=
-github.com/DataDog/go-tuf v1.0.2-0.5.2 h1:EeZr937eKAWPxJ26IykAdWA4A0jQXJgkhUjqEI/w7+I=
-github.com/DataDog/go-tuf v1.0.2-0.5.2/go.mod h1:zBcq6f654iVqmkk8n2Cx81E1JnNTMOAx1UEO/wZR+P0=
+github.com/DataDog/go-libddwaf/v3 v3.4.0 h1:NJ2W2vhYaOm1OWr1LJCbdgp7ezG/XLJcQKBmjFwhSuM=
+github.com/DataDog/go-libddwaf/v3 v3.4.0/go.mod h1:n98d9nZ1gzenRSk53wz8l6d34ikxS+hs62A31Fqmyi4=
+github.com/DataDog/go-tuf v1.1.0-0.5.2 h1:4CagiIekonLSfL8GMHRHcHudo1fQnxELS9g4tiAupQ4=
+github.com/DataDog/go-tuf v1.1.0-0.5.2/go.mod h1:zBcq6f654iVqmkk8n2Cx81E1JnNTMOAx1UEO/wZR+P0=
github.com/DataDog/gostackparse v0.7.0 h1:i7dLkXHvYzHV308hnkvVGDL3BR4FWl7IsXNPz/IGQh4=
github.com/DataDog/gostackparse v0.7.0/go.mod h1:lTfqcJKqS9KnXQGnyQMCugq3u1FP6UZMfWR0aitKFMM=
github.com/DataDog/sketches-go v1.4.5 h1:ki7VfeNz7IcNafq7yI/j5U/YCkO3LJiMDtXz9OMQbyE=
@@ -60,6 +60,8 @@ github.com/google/pprof v0.0.0-20230817174616-7a8ec2ada47b h1:h9U78+dx9a4BKdQkBB
github.com/google/pprof v0.0.0-20230817174616-7a8ec2ada47b/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
github.com/google/uuid v1.5.0 h1:1p67kYwdtXjb0gL0BPiP1Av9wiZPo5A8z2cWkTZ+eyU=
github.com/google/uuid v1.5.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
+github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7 h1:UpiO20jno/eV1eVZcxqWnUohyKRe1g8FPV/xH1s/2qs=
@@ -69,6 +71,8 @@ github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9
github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4=
github.com/hashicorp/go-sockaddr v1.0.2 h1:ztczhD1jLxIRjVejw8gFomI1BQZOe2WoVOu0SyteCQc=
github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A=
+github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs=
+github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8=
github.com/klauspost/compress v1.17.1 h1:NE3C767s2ak2bweCZo3+rdP4U/HoyVXLv/X9f2gPS5g=
github.com/klauspost/compress v1.17.1/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
@@ -80,21 +84,27 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo=
github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=
+github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
github.com/outcaste-io/ristretto v0.2.3 h1:AK4zt/fJ76kjlYObOeNwh4T3asEuaCmp26pOvUOL9w0=
github.com/outcaste-io/ristretto v0.2.3/go.mod h1:W8HywhmtlopSB1jeMg3JtdIhf+DYkLAr0VN/s4+MHac=
-github.com/philhofer/fwd v1.1.2 h1:bnDivRJ1EWPjUIRXV5KfORO897HTbpFAQddBdE8t7Gw=
-github.com/philhofer/fwd v1.1.2/go.mod h1:qkPdfjR2SIEbspLqpe1tO4n5yICnr2DY7mqEx2tUTP0=
+github.com/philhofer/fwd v1.1.3-0.20240612014219-fbbf4953d986 h1:jYi87L8j62qkXzaYHAQAhEapgukhenIMZRBKTNRLHJ4=
+github.com/philhofer/fwd v1.1.3-0.20240612014219-fbbf4953d986/go.mod h1:RqIHx9QI14HlwKwm98g9Re5prTQ6LdeRQn+gXJFxsJM=
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
+github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
+github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
github.com/richardartoul/molecule v1.0.1-0.20240531184615-7ca0df43c0b3 h1:4+LEVOB87y175cLJC/mbsgKmoDOjrBldtXvioEy96WY=
github.com/richardartoul/molecule v1.0.1-0.20240531184615-7ca0df43c0b3/go.mod h1:vl5+MqJ1nBINuSsUI2mGgH79UweUT/B5Fy8857PqyyI=
github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
@@ -122,14 +132,13 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/tinylib/msgp v1.1.8 h1:FCXC1xanKO4I8plpHGH2P7koL/RzZs12l/+r7vakfm0=
-github.com/tinylib/msgp v1.1.8/go.mod h1:qkpG+2ldGg4xRFmx+jfTvZPxfGFhi64BcnL9vkCm/Tw=
+github.com/tinylib/msgp v1.2.1 h1:6ypy2qcCznxpP4hpORzhtXyTqrBs7cfM9MCCWY8zsmU=
+github.com/tinylib/msgp v1.2.1/go.mod h1:2vIGs3lcUo8izAATNobrCHevYZC/LMsJtw4JPiYPHro=
github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
github.com/valyala/fasthttp v1.51.0 h1:8b30A5JlZ6C7AS81RsWjYMQmrZG6feChmgAolCl1SqA=
github.com/valyala/fasthttp v1.51.0/go.mod h1:oI2XroL+lI7vdXyYoQk03bXBThfFl2cVdIA3Xl7cH8g=
github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
-github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.44.0 h1:KfYpVmrjI7JuToy5k8XV3nkapjWx48k4E4JOtVstzQI=
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.44.0/go.mod h1:SeQhzAEccGVZVEy7aH87Nh0km+utSpo1pTv6eMMop48=
go.opentelemetry.io/otel v1.20.0 h1:vsb/ggIY+hUjD/zCAQHpzTmndPqv/ml2ArbsbfBYTAc=
@@ -145,28 +154,20 @@ go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
-golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
+golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
+golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
-golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0=
+golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
-golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.3.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
-golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
-golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
+golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
+golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE=
-golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -175,31 +176,21 @@ golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7w
golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220627191245-f75cf1eec38b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
-golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.23.0 h1:YfKFowiIMvtgl1UERQoTPPToxltDeZfbj4H7dVUCwmM=
+golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
-golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
+golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.4.0/go.mod h1:UE5sM2OK9E/d67R0ANs2xJizIymRP5gJU295PvKXxjQ=
-golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA=
-golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
+golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA=
+golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -224,3 +215,23 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
+lukechampine.com/uint128 v1.3.0 h1:cDdUVfRwDUDovz610ABgFD17nXD4/uDgVHl2sC3+sbo=
+lukechampine.com/uint128 v1.3.0/go.mod h1:c4eWIwlEGaxC/+H1VguhU4PHXNWDCDMUlWdIWl2j1gk=
+modernc.org/cc/v3 v3.41.0 h1:QoR1Sn3YWlmA1T4vLaKZfawdVtSiGx8H+cEojbC7v1Q=
+modernc.org/cc/v3 v3.41.0/go.mod h1:Ni4zjJYJ04CDOhG7dn640WGfwBzfE0ecX8TyMB0Fv0Y=
+modernc.org/ccgo/v3 v3.16.15 h1:KbDR3ZAVU+wiLyMESPtbtE/Add4elztFyfsWoNTgxS0=
+modernc.org/ccgo/v3 v3.16.15/go.mod h1:yT7B+/E2m43tmMOT51GMoM98/MtHIcQQSleGnddkUNI=
+modernc.org/libc v1.37.6 h1:orZH3c5wmhIQFTXF+Nt+eeauyd+ZIt2BX6ARe+kD+aw=
+modernc.org/libc v1.37.6/go.mod h1:YAXkAZ8ktnkCKaN9sw/UDeUVkGYJ/YquGO4FTi5nmHE=
+modernc.org/mathutil v1.6.0 h1:fRe9+AmYlaej+64JsEEhoWuAYBkOtQiMEU7n/XgfYi4=
+modernc.org/mathutil v1.6.0/go.mod h1:Ui5Q9q1TR2gFm0AQRqQUaBWFLAhQpCwNcuhBOSedWPo=
+modernc.org/memory v1.7.2 h1:Klh90S215mmH8c9gO98QxQFsY+W451E8AnzjoE2ee1E=
+modernc.org/memory v1.7.2/go.mod h1:NO4NVCQy0N7ln+T9ngWqOQfi7ley4vpwvARR+Hjw95E=
+modernc.org/opt v0.1.3 h1:3XOZf2yznlhC+ibLltsDGzABUGVx8J6pnFMS3E4dcq4=
+modernc.org/opt v0.1.3/go.mod h1:WdSiB5evDcignE70guQKxYUl14mgWtbClRi5wmkkTX0=
+modernc.org/sqlite v1.28.0 h1:Zx+LyDDmXczNnEQdvPuEfcFVA2ZPyaD7UCZDjef3BHQ=
+modernc.org/sqlite v1.28.0/go.mod h1:Qxpazz0zH8Z1xCFyi5GSL3FzbtZ3fvbjmywNogldEW0=
+modernc.org/strutil v1.2.0 h1:agBi9dp1I+eOnxXeiZawM8F4LawKv4NzGWSaLfyeNZA=
+modernc.org/strutil v1.2.0/go.mod h1:/mdcBmfOibveCTBxUl5B5l6W+TTH1FXPLHZE6bTosX0=
+modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=
+modernc.org/token v1.1.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=
diff --git a/go.work b/go.work
index 606d240ecc..64bf501111 100644
--- a/go.work
+++ b/go.work
@@ -1,6 +1,6 @@
-go 1.22.5 // Go version must match the highest supported version, not the minimum supported version, with format X.Y.
+go 1.23.0 // Go version must match the highest supported version, not the minimum supported version, with format X.Y.
-toolchain go1.22.6
+toolchain go1.23.1
use (
.
diff --git a/go.work.sum b/go.work.sum
index 0c14d2ebba..9964dc9113 100644
--- a/go.work.sum
+++ b/go.work.sum
@@ -1613,6 +1613,7 @@ github.com/tchap/go-patricia/v2 v2.3.1/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwD
github.com/tink-crypto/tink-go-gcpkms/v2 v2.1.0/go.mod h1:QXPc/i5yUEWWZ4lbe2WOam1kDdrXjGHRjl0Lzo7IQDU=
github.com/tink-crypto/tink-go-hcvault/v2 v2.1.0/go.mod h1:OJLS+EYJo/BTViJj7EBG5deKLeQfYwVNW8HMS1qHAAo=
github.com/tink-crypto/tink-go/v2 v2.1.0/go.mod h1:y1TnYFt1i2eZVfx4OGc+C+EMp4CoKWAw2VSEuoicHHI=
+github.com/tinylib/msgp v1.1.8/go.mod h1:qkpG+2ldGg4xRFmx+jfTvZPxfGFhi64BcnL9vkCm/Tw=
github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802 h1:uruHq4dN7GR16kFc5fp3d1RIYzJW5onx8Ybykw2YQFA=
github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk=
github.com/tonistiigi/go-actions-cache v0.0.0-20240227172821-a0b64f338598/go.mod h1:anhKd3mnC1shAbQj1Q4IJ+w6xqezxnyDYlx/yKa7IXM=
@@ -1795,7 +1796,6 @@ golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
-golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE=
golang.org/x/oauth2 v0.9.0/go.mod h1:qYgFZaFiu6Wg24azG8bdV52QJXJGbZzIIsRCdVKzbLw=
golang.org/x/oauth2 v0.10.0/go.mod h1:kTpgurOux7LqtuxjuyZa4Gj2gdezIt/jQtGnNFfypQI=
@@ -1848,6 +1848,7 @@ golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
golang.org/x/time v0.0.0-20220210224613-90d013bbcef8/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/tools v0.1.10/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E=
golang.org/x/tools v0.2.0/go.mod h1:y4OqIKeOV/fWJetJ8bXPU1sEVniLMIyDAZWeHdV+NTA=
+golang.org/x/tools v0.4.0/go.mod h1:UE5sM2OK9E/d67R0ANs2xJizIymRP5gJU295PvKXxjQ=
golang.org/x/tools v0.10.0/go.mod h1:UJwyiVBsOA2uwvK/e5OY3GTpDUJriEd+/YlqAwLPmyM=
golang.org/x/tools v0.11.0/go.mod h1:anzJrxPjNtfgiYQYirP2CPGzGLxrH2u2QBhn6Bf3qY8=
golang.org/x/tools v0.12.0/go.mod h1:Sc0INKfu04TlqNoRA1hgpFZbhYXHPr4V5DzpSBTPqQM=
diff --git a/instrumentation/appsec/dyngo/operation_test.go b/instrumentation/appsec/dyngo/operation_test.go
index 1db1c05800..13d344fd97 100644
--- a/instrumentation/appsec/dyngo/operation_test.go
+++ b/instrumentation/appsec/dyngo/operation_test.go
@@ -119,7 +119,7 @@ func TestUsage(t *testing.T) {
// HTTP body read listener appending the read results to a buffer
rawBodyListener := func(called *int, buf *[]byte) dyngo.EventListener[operation, HTTPHandlerArgs] {
return func(op operation, _ HTTPHandlerArgs) {
- dyngo.OnFinish(op, func(op operation, res BodyReadRes) {
+ dyngo.OnFinish(op, func(_ operation, res BodyReadRes) {
*called++
*buf = append(*buf, res.Buf...)
})
@@ -128,7 +128,7 @@ func TestUsage(t *testing.T) {
// Dummy waf looking for the string `attack` in HTTPHandlerArgs
wafListener := func(called *int, blocked *bool) dyngo.EventListener[operation, HTTPHandlerArgs] {
- return func(op operation, args HTTPHandlerArgs) {
+ return func(_ operation, args HTTPHandlerArgs) {
*called++
if strings.Contains(args.URL.RawQuery, "attack") {
@@ -148,14 +148,14 @@ func TestUsage(t *testing.T) {
jsonBodyValueListener := func(called *int, value *interface{}) dyngo.EventListener[operation, HTTPHandlerArgs] {
return func(op operation, _ HTTPHandlerArgs) {
- dyngo.On(op, func(op operation, v JSONParserArgs) {
+ dyngo.On(op, func(op operation, _ JSONParserArgs) {
didBodyRead := false
dyngo.On(op, func(_ operation, _ BodyReadArgs) {
didBodyRead = true
})
- dyngo.OnFinish(op, func(op operation, res JSONParserRes) {
+ dyngo.OnFinish(op, func(_ operation, res JSONParserRes) {
*called++
if !didBodyRead || res.Err != nil {
return
@@ -429,22 +429,22 @@ func TestSwapRootOperation(t *testing.T) {
dyngo.OnFinish(root, func(operation, MyOperationRes) { onFinishCalled++ })
dyngo.SwapRootOperation(root)
- runOperation(nil, MyOperationArgs{}, MyOperationRes{}, func(op dyngo.Operation) {})
+ runOperation(nil, MyOperationArgs{}, MyOperationRes{}, func(_ dyngo.Operation) {})
require.Equal(t, 1, onStartCalled)
require.Equal(t, 1, onFinishCalled)
dyngo.SwapRootOperation(dyngo.NewRootOperation())
- runOperation(nil, MyOperationArgs{}, MyOperationRes{}, func(op dyngo.Operation) {})
+ runOperation(nil, MyOperationArgs{}, MyOperationRes{}, func(_ dyngo.Operation) {})
require.Equal(t, 1, onStartCalled)
require.Equal(t, 1, onFinishCalled)
dyngo.SwapRootOperation(nil)
- runOperation(nil, MyOperationArgs{}, MyOperationRes{}, func(op dyngo.Operation) {})
+ runOperation(nil, MyOperationArgs{}, MyOperationRes{}, func(_ dyngo.Operation) {})
require.Equal(t, 1, onStartCalled)
require.Equal(t, 1, onFinishCalled)
dyngo.SwapRootOperation(root)
- runOperation(nil, MyOperationArgs{}, MyOperationRes{}, func(op dyngo.Operation) {})
+ runOperation(nil, MyOperationArgs{}, MyOperationRes{}, func(_ dyngo.Operation) {})
require.Equal(t, 2, onStartCalled)
require.Equal(t, 2, onFinishCalled)
}
diff --git a/instrumentation/appsec/emitter/graphqlsec/execution.go b/instrumentation/appsec/emitter/graphqlsec/execution.go
index 2e982df0bf..06b6981b97 100644
--- a/instrumentation/appsec/emitter/graphqlsec/execution.go
+++ b/instrumentation/appsec/emitter/graphqlsec/execution.go
@@ -11,28 +11,51 @@ import (
"github.com/DataDog/dd-trace-go/v2/internal/log"
"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
- "github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/emitter/graphqlsec/types"
- "github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/trace"
)
+type (
+ ExecutionOperation struct {
+ dyngo.Operation
+ }
+
+ // ExecutionOperationArgs describes arguments passed to a GraphQL query operation.
+ ExecutionOperationArgs struct {
+ // Variables is the user-provided variables object for the query.
+ Variables map[string]any
+ // Query is the query that is being executed.
+ Query string
+ // OperationName is the user-provided operation name for the query.
+ OperationName string
+ }
+
+ ExecutionOperationRes struct {
+ // Data is the data returned from processing the GraphQL operation.
+ Data any
+ // Error is the error returned by processing the GraphQL Operation, if any.
+ Error error
+ }
+)
+
+// Finish the GraphQL query operation, along with the given results, and emit a finish event up in
+// the operation stack.
+func (q *ExecutionOperation) Finish(res ExecutionOperationRes) {
+ dyngo.FinishOperation(q, res)
+}
+
+func (ExecutionOperationArgs) IsArgOf(*ExecutionOperation) {}
+func (ExecutionOperationRes) IsResultOf(*ExecutionOperation) {}
+
// StartExecutionOperation starts a new GraphQL query operation, along with the given arguments, and
// emits a start event up in the operation stack. The operation is tracked on the returned context,
// and can be extracted later on using FromContext.
-func StartExecutionOperation(ctx context.Context, span trace.TagSetter, args types.ExecutionOperationArgs) (context.Context, *types.ExecutionOperation) {
- if span == nil {
- // The span may be nil (e.g: in case of GraphQL subscriptions with certian contribs). Child
- // operations might have spans however... and these should be used then.
- span = trace.NoopTagSetter{}
- }
-
+func StartExecutionOperation(ctx context.Context, args ExecutionOperationArgs) (context.Context, *ExecutionOperation) {
parent, ok := dyngo.FromContext(ctx)
if !ok {
log.Debug("appsec: StartExecutionOperation: no parent operation found in context")
}
- op := &types.ExecutionOperation{
+ op := &ExecutionOperation{
Operation: dyngo.NewOperation(parent),
- TagSetter: span,
}
return dyngo.StartAndRegisterOperation(ctx, op, args), op
diff --git a/instrumentation/appsec/emitter/graphqlsec/request.go b/instrumentation/appsec/emitter/graphqlsec/request.go
index 16dd99131f..ce4796a1bc 100644
--- a/instrumentation/appsec/emitter/graphqlsec/request.go
+++ b/instrumentation/appsec/emitter/graphqlsec/request.go
@@ -17,19 +17,52 @@ import (
"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/trace"
)
+type (
+ RequestOperation struct {
+ dyngo.Operation
+ // used in case we don't have a parent operation
+ *waf.ContextOperation
+ }
+
+ // RequestOperationArgs describes arguments passed to a GraphQL request.
+ RequestOperationArgs struct {
+ RawQuery string // The raw, not-yet-parsed GraphQL query
+ OperationName string // The user-provided operation name for the query
+ Variables map[string]any // The user-provided variables object for this request
+ }
+
+ RequestOperationRes struct {
+ // Data is the data returned from processing the GraphQL operation.
+ Data any
+ // Error is the error returned by processing the GraphQL Operation, if any.
+ Error error
+ }
+)
+
+// Finish the GraphQL query operation, along with the given results, and emit a finish event up in
+// the operation stack.
+func (op *RequestOperation) Finish(span trace.TagSetter, res RequestOperationRes) {
+ dyngo.FinishOperation(op, res)
+ if op.ContextOperation != nil {
+ op.ContextOperation.Finish(span)
+ }
+}
+
+func (RequestOperationArgs) IsArgOf(*RequestOperation) {}
+func (RequestOperationRes) IsResultOf(*RequestOperation) {}
+
// StartRequestOperation starts a new GraphQL request operation, along with the given arguments, and
// emits a start event up in the operation stack. The operation is usually linked to tge global root
// operation. The operation is tracked on the returned context, and can be extracted later on using
// FromContext.
-func StartRequestOperation(ctx context.Context, span trace.TagSetter, args types.RequestOperationArgs) (context.Context, *types.RequestOperation) {
- if span == nil {
- // The span may be nil (e.g: in case of GraphQL subscriptions with certian contribs)
- span = trace.NoopTagSetter{}
- }
-
- op := &types.RequestOperation{
- Operation: dyngo.NewOperation(nil),
- TagSetter: span,
+func StartRequestOperation(ctx context.Context, args RequestOperationArgs) (context.Context, *RequestOperation) {
+ parent, ok := dyngo.FromContext(ctx)
+ op := &RequestOperation{}
+ if !ok { // Usually we can find the HTTP Handler Operation as the parent but it's technically optional
+ op.ContextOperation, ctx = waf.StartContextOperation(ctx)
+ op.Operation = dyngo.NewOperation(op.ContextOperation)
+ } else {
+ op.Operation = dyngo.NewOperation(parent)
}
return dyngo.StartAndRegisterOperation(ctx, op, args), op
diff --git a/instrumentation/appsec/emitter/graphqlsec/resolve.go b/instrumentation/appsec/emitter/graphqlsec/resolve.go
index 313d4112ea..fd1b1b6376 100644
--- a/instrumentation/appsec/emitter/graphqlsec/resolve.go
+++ b/instrumentation/appsec/emitter/graphqlsec/resolve.go
@@ -11,22 +11,53 @@ import (
"github.com/DataDog/dd-trace-go/v2/internal/log"
"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
- "github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/emitter/graphqlsec/types"
- "github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/trace"
)
+type (
+ ResolveOperation struct {
+ dyngo.Operation
+ }
+
+ // ResolveOperationArgs describes arguments passed to a GraphQL field operation.
+ ResolveOperationArgs struct {
+ // TypeName is the name of the field's type
+ TypeName string
+ // FieldName is the name of the field
+ FieldName string
+ // Arguments is the arguments provided to the field resolver
+ Arguments map[string]any
+ // Trivial determines whether the resolution is trivial or not. Leave as false if undetermined.
+ Trivial bool
+ }
+
+ ResolveOperationRes struct {
+ // Data is the data returned from processing the GraphQL operation.
+ Data any
+ // Error is the error returned by processing the GraphQL Operation, if any.
+ Error error
+ }
+)
+
+// Finish the GraphQL Field operation, along with the given results, and emit a finish event up in
+// the operation stack.
+func (q *ResolveOperation) Finish(res ResolveOperationRes) {
+ dyngo.FinishOperation(q, res)
+}
+
+func (ResolveOperationArgs) IsArgOf(*ResolveOperation) {}
+func (ResolveOperationRes) IsResultOf(*ResolveOperation) {}
+
// StartResolveOperation starts a new GraphQL Resolve operation, along with the given arguments, and
// emits a start event up in the operation stack. The operation is tracked on the returned context,
// and can be extracted later on using FromContext.
-func StartResolveOperation(ctx context.Context, span trace.TagSetter, args types.ResolveOperationArgs) (context.Context, *types.ResolveOperation) {
+func StartResolveOperation(ctx context.Context, args ResolveOperationArgs) (context.Context, *ResolveOperation) {
parent, ok := dyngo.FromContext(ctx)
if !ok {
log.Debug("appsec: StartResolveOperation: no parent operation found in context")
}
- op := &types.ResolveOperation{
+ op := &ResolveOperation{
Operation: dyngo.NewOperation(parent),
- TagSetter: span,
}
return dyngo.StartAndRegisterOperation(ctx, op, args), op
}
diff --git a/instrumentation/appsec/emitter/grpcsec/grpc.go b/instrumentation/appsec/emitter/grpcsec/grpc.go
index 08a885858f..610706d22b 100644
--- a/instrumentation/appsec/emitter/grpcsec/grpc.go
+++ b/instrumentation/appsec/emitter/grpcsec/grpc.go
@@ -7,37 +7,108 @@
// defining an abstract run-time representation of gRPC handlers.
// gRPC integrations must use this package to enable AppSec features for gRPC,
// which listens to this package's operation events.
+//
+// Abstract gRPC server handler operation definitions. It is based on two
+// operations allowing to describe every type of RPC: the HandlerOperation type
+// which represents the RPC handler, and the ReceiveOperation type which
+// represents the messages the RPC handler receives during its lifetime.
+// This means that the ReceiveOperation(s) will happen within the
+// HandlerOperation.
+// Every type of RPC, unary, client streaming, server streaming, and
+// bidirectional streaming RPCs, can be all represented with a HandlerOperation
+// having one or several ReceiveOperation.
+// The send operation is not required for now and therefore not defined, which
+// means that server and bidirectional streaming RPCs currently have the same
+// run-time representation as unary and client streaming RPCs.
package grpcsec
import (
"context"
+ "sync/atomic"
"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/emitter/grpcsec/types"
"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/trace"
)
+type (
+ // HandlerOperation represents a gRPC server handler operation.
+ // It must be created with StartHandlerOperation() and finished with its
+ // Finish() method.
+ // Security events observed during the operation lifetime should be added
+ // to the operation using its AddSecurityEvent() method.
+ HandlerOperation struct {
+ dyngo.Operation
+ *waf.ContextOperation
+ }
+
+ // HandlerOperationArgs is the grpc handler arguments.
+ HandlerOperationArgs struct {
+ // Method is the gRPC method name.
+ // Corresponds to the address `grpc.server.method`.
+ Method string
+
+ // RPC metadata received by the gRPC handler.
+ // Corresponds to the address `grpc.server.request.metadata`.
+ Metadata map[string][]string
+
+ // RemoteAddr is the IP address of the client that initiated the gRPC request.
+ // May be used as the address `http.client_ip`.
+ RemoteAddr string
+ }
+
+ // HandlerOperationRes is the grpc handler results. Empty as of today.
+ HandlerOperationRes struct {
+ // Raw gRPC status code.
+ // Corresponds to the address `grpc.server.response.status`.
+ StatusCode int
+ }
+)
+
+func (HandlerOperationArgs) IsArgOf(*HandlerOperation) {}
+func (HandlerOperationRes) IsResultOf(*HandlerOperation) {}
+
// StartHandlerOperation starts an gRPC server handler operation, along with the
// given arguments and parent operation, and emits a start event up in the
// operation stack. When parent is nil, the operation is linked to the global
// root operation.
-func StartHandlerOperation(ctx context.Context, args types.HandlerOperationArgs, parent dyngo.Operation, setup ...func(*types.HandlerOperation)) (context.Context, *types.HandlerOperation) {
- op := &types.HandlerOperation{
- Operation: dyngo.NewOperation(parent),
- TagsHolder: trace.NewTagsHolder(),
- }
- for _, cb := range setup {
- cb(op)
+func StartHandlerOperation(ctx context.Context, args HandlerOperationArgs) (context.Context, *HandlerOperation, *atomic.Pointer[actions.BlockGRPC]) {
+ wafOp, ctx := waf.StartContextOperation(ctx)
+ op := &HandlerOperation{
+ Operation: dyngo.NewOperation(wafOp),
+ ContextOperation: wafOp,
}
- return dyngo.StartAndRegisterOperation(ctx, op, args), op
+
+ var block atomic.Pointer[actions.BlockGRPC]
+ dyngo.OnData(op, func(err *actions.BlockGRPC) {
+ block.Store(err)
+ })
+
+ return dyngo.StartAndRegisterOperation(ctx, op, args), op, &block
+}
+
+// MonitorRequestMessage monitors the gRPC request message body as the WAF address `grpc.server.request.message`.
+func MonitorRequestMessage(ctx context.Context, msg any) error {
+ return waf.RunSimple(ctx,
+ addresses.NewAddressesBuilder().
+ WithGRPCRequestMessage(msg).
+ Build(),
+ "appsec: failed to monitor gRPC request message body")
+}
+
+// MonitorResponseMessage monitors the gRPC response message body as the WAF address `grpc.server.response.message`.
+func MonitorResponseMessage(ctx context.Context, msg any) error {
+ return waf.RunSimple(ctx,
+ addresses.NewAddressesBuilder().
+ WithGRPCResponseMessage(msg).
+ Build(),
+ "appsec: failed to monitor gRPC response message body")
+
}
-// StartReceiveOperation starts a receive operation of a gRPC handler, along
-// with the given arguments and parent operation, and emits a start event up in
-// the operation stack. When parent is nil, the operation is linked to the
-// global root operation.
-func StartReceiveOperation(args types.ReceiveOperationArgs, parent dyngo.Operation) types.ReceiveOperation {
- op := types.ReceiveOperation{Operation: dyngo.NewOperation(parent)}
- dyngo.StartOperation(op, args)
- return op
+// Finish the gRPC handler operation, along with the given results, and emit a
+// finish event up in the operation stack.
+func (op *HandlerOperation) Finish(span trace.TagSetter, res HandlerOperationRes) {
+ dyngo.FinishOperation(op, res)
+ op.ContextOperation.Finish(span)
}
diff --git a/instrumentation/appsec/emitter/httpsec/http.go b/instrumentation/appsec/emitter/httpsec/http.go
index 9b76995ee1..5472a803c9 100644
--- a/instrumentation/appsec/emitter/httpsec/http.go
+++ b/instrumentation/appsec/emitter/httpsec/http.go
@@ -12,11 +12,11 @@ package httpsec
import (
"context"
-
// Blank import needed to use embed for the default blocked response payloads
_ "embed"
"net/http"
- "strings"
+ "sync"
+ "sync/atomic"
"github.com/DataDog/dd-trace-go/v2/appsec/events"
"github.com/DataDog/dd-trace-go/v2/ddtrace/tracer"
@@ -31,30 +31,87 @@ import (
"github.com/DataDog/appsec-internal-go/netip"
)
+// HandlerOperation type representing an HTTP operation. It must be created with
+// StartOperation() and finished with its Finish().
+type (
+ HandlerOperation struct {
+ dyngo.Operation
+ *waf.ContextOperation
+ mu sync.RWMutex
+ }
+
+ // HandlerOperationArgs is the HTTP handler operation arguments.
+ HandlerOperationArgs struct {
+ Method string
+ RequestURI string
+ Host string
+ RemoteAddr string
+ Headers map[string][]string
+ Cookies map[string][]string
+ QueryParams map[string][]string
+ PathParams map[string]string
+ }
+
+ // HandlerOperationRes is the HTTP handler operation results.
+ HandlerOperationRes struct {
+ Headers map[string][]string
+ StatusCode int
+ }
+)
+
+func (HandlerOperationArgs) IsArgOf(*HandlerOperation) {}
+func (HandlerOperationRes) IsResultOf(*HandlerOperation) {}
+
+func StartOperation(ctx context.Context, args HandlerOperationArgs) (*HandlerOperation, *atomic.Pointer[actions.BlockHTTP], context.Context) {
+ wafOp, ctx := waf.StartContextOperation(ctx)
+ op := &HandlerOperation{
+ Operation: dyngo.NewOperation(wafOp),
+ ContextOperation: wafOp,
+ }
+
+ // We need to use an atomic pointer to store the action because the action may be created asynchronously in the future
+ var action atomic.Pointer[actions.BlockHTTP]
+ dyngo.OnData(op, func(a *actions.BlockHTTP) {
+ action.Store(a)
+ })
+
+ return op, &action, dyngo.StartAndRegisterOperation(ctx, op, args)
+}
+
+// Finish the HTTP handler operation and its children operations and write everything to the service entry span.
+func (op *HandlerOperation) Finish(res HandlerOperationRes, span ddtrace.Span) {
+ dyngo.FinishOperation(op, res)
+ op.ContextOperation.Finish(span)
+}
+
+const monitorBodyErrorLog = `
+"appsec: parsed http body monitoring ignored: could not find the http handler instrumentation metadata in the request context:
+ the request handler is not being monitored by a middleware function or the provided context is not the expected request context
+`
+
// MonitorParsedBody starts and finishes the SDK body operation.
// This function should not be called when AppSec is disabled in order to
// get preciser error logs.
func MonitorParsedBody(ctx context.Context, body any) error {
- parent, _ := dyngo.FromContext(ctx)
- if parent == nil {
- log.Error("appsec: parsed http body monitoring ignored: could not find the http handler instrumentation metadata in the request context: the request handler is not being monitored by a middleware function or the provided context is not the expected request context")
- return nil
- }
-
- return ExecuteSDKBodyOperation(parent, types.SDKBodyOperationArgs{Body: body})
+ return waf.RunSimple(ctx,
+ addresses.NewAddressesBuilder().
+ WithRequestBody(body).
+ Build(),
+ monitorBodyErrorLog,
+ )
}
-// ExecuteSDKBodyOperation starts and finishes the SDK Body operation by emitting a dyngo start and finish events
-// An error is returned if the body associated to that operation must be blocked
-func ExecuteSDKBodyOperation(parent dyngo.Operation, args types.SDKBodyOperationArgs) error {
- var err error
- op := &types.SDKBodyOperation{Operation: dyngo.NewOperation(parent)}
- dyngo.OnData(op, func(e *events.BlockingSecurityEvent) {
- err = e
- })
- dyngo.StartOperation(op, args)
- dyngo.FinishOperation(op, types.SDKBodyOperationRes{})
- return err
+// Return the map of parsed cookies if any and following the specification of
+// the rule address `server.request.cookies`.
+func makeCookies(parsed []*http.Cookie) map[string][]string {
+ if len(parsed) == 0 {
+ return nil
+ }
+ cookies := make(map[string][]string, len(parsed))
+ for _, c := range parsed {
+ cookies[c.Name] = append(cookies[c.Name], c.Value)
+ }
+ return cookies
}
// WrapHandler wraps the given HTTP handler with the abstract HTTP operation defined by HandlerOperationArgs and
@@ -71,132 +128,47 @@ func WrapHandler(handler http.Handler, span *tracer.Span, pathParams map[string]
opts.ResponseHeaderCopier = defaultWrapHandlerConfig.ResponseHeaderCopier
}
- trace.SetAppSecEnabledTags(span)
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- ipTags, clientIP := httptrace.ClientIPTags(r.Header, true, r.RemoteAddr)
- log.Debug("appsec: http client ip detection returned `%s` given the http headers `%v`", clientIP, r.Header)
- trace.SetTags(span, ipTags)
-
- var bypassHandler http.Handler
- var blocking bool
- var stackTrace *stacktrace.Event
- args := MakeHandlerOperationArgs(r, clientIP, pathParams)
- ctx, op := StartOperation(r.Context(), args, func(op *types.Operation) {
- dyngo.OnData(op, func(a *sharedsec.HTTPAction) {
- blocking = true
- bypassHandler = a.Handler
- })
- dyngo.OnData(op, func(a *sharedsec.StackTraceAction) {
- stackTrace = &a.Event
- })
+ op, blockAtomic, ctx := StartOperation(r.Context(), HandlerOperationArgs{
+ Method: r.Method,
+ RequestURI: r.RequestURI,
+ Host: r.Host,
+ RemoteAddr: r.RemoteAddr,
+ Headers: r.Header,
+ Cookies: makeCookies(r.Cookies()),
+ QueryParams: r.URL.Query(),
+ PathParams: pathParams,
})
r = r.WithContext(ctx)
defer func() {
- events := op.Finish(MakeHandlerOperationRes(w, opts.ResponseHeaderCopier))
+ var statusCode int
+ if res, ok := w.(interface{ Status() int }); ok {
+ statusCode = res.Status()
+ }
+ op.Finish(HandlerOperationRes{
+ Headers: opts.ResponseHeaderCopier(w),
+ StatusCode: statusCode,
+ }, span)
// Execute the onBlock functions to make sure blocking works properly
// in case we are instrumenting the Gin framework
- if blocking {
- op.SetTag(trace.BlockedRequestTag, true)
+ if blockPtr := blockAtomic.Load(); blockPtr != nil {
for _, f := range opts.OnBlock {
f()
}
- }
- // Add stacktraces to the span, if any
- if stackTrace != nil {
- stacktrace.AddToSpan(span, span.Root(), stackTrace)
- }
-
- if bypassHandler != nil {
- bypassHandler.ServeHTTP(w, r)
- }
-
- // Add the request headers span tags out of args.Headers instead of r.Header as it was normalized and some
- // extra headers have been added such as the Host header which is removed from the original Go request headers
- // map
- setRequestHeadersTags(span, args.Headers)
- setResponseHeadersTags(span, opts.ResponseHeaderCopier(w))
- trace.SetTags(span, op.Tags())
- if len(events) > 0 {
- httptrace.SetSecurityEventsTags(span, events)
+ if blockPtr.Handler != nil {
+ blockPtr.Handler.ServeHTTP(w, r)
+ }
}
}()
- if bypassHandler != nil {
- handler = bypassHandler
- bypassHandler = nil
+ if blockPtr := blockAtomic.Load(); blockPtr != nil && blockPtr.Handler != nil {
+ handler = blockPtr.Handler
+ blockPtr.Handler = nil
}
+
handler.ServeHTTP(w, r)
})
}
-
-// MakeHandlerOperationArgs creates the HandlerOperationArgs value.
-func MakeHandlerOperationArgs(r *http.Request, clientIP netip.Addr, pathParams map[string]string) types.HandlerOperationArgs {
- cookies := makeCookies(r) // TODO(Julio-Guerra): avoid actively parsing the cookies thanks to dynamic instrumentation
- headers := headersRemoveCookies(r.Header)
- headers["host"] = []string{r.Host}
- return types.HandlerOperationArgs{
- Method: r.Method,
- RequestURI: r.RequestURI,
- Headers: headers,
- Cookies: cookies,
- Query: r.URL.Query(), // TODO(Julio-Guerra): avoid actively parsing the query values thanks to dynamic instrumentation
- PathParams: pathParams,
- ClientIP: clientIP,
- }
-}
-
-// MakeHandlerOperationRes creates the HandlerOperationRes value.
-func MakeHandlerOperationRes(w http.ResponseWriter, responseHeadersCopier func(http.ResponseWriter) http.Header) types.HandlerOperationRes {
- var status int
- if mw, ok := w.(interface{ Status() int }); ok {
- status = mw.Status()
- }
- return types.HandlerOperationRes{Status: status, Headers: headersRemoveCookies(responseHeadersCopier(w))}
-}
-
-// Remove cookies from the request headers and return the map of headers
-// Used from `server.request.headers.no_cookies` and server.response.headers.no_cookies` addresses for the WAF
-func headersRemoveCookies(headers http.Header) map[string][]string {
- headersNoCookies := make(http.Header, len(headers))
- for k, v := range headers {
- k := strings.ToLower(k)
- if k == "cookie" {
- continue
- }
- headersNoCookies[k] = v
- }
- return headersNoCookies
-}
-
-// Return the map of parsed cookies if any and following the specification of
-// the rule address `server.request.cookies`.
-func makeCookies(r *http.Request) map[string][]string {
- parsed := r.Cookies()
- if len(parsed) == 0 {
- return nil
- }
- cookies := make(map[string][]string, len(parsed))
- for _, c := range parsed {
- cookies[c.Name] = append(cookies[c.Name], c.Value)
- }
- return cookies
-}
-
-// StartOperation starts an HTTP handler operation, along with the given
-// context and arguments and emits a start event up in the operation stack.
-// The operation is linked to the global root operation since an HTTP operation
-// is always expected to be first in the operation stack.
-func StartOperation(ctx context.Context, args types.HandlerOperationArgs, setup ...func(*types.Operation)) (context.Context, *types.Operation) {
- op := &types.Operation{
- Operation: dyngo.NewOperation(nil),
- TagsHolder: trace.NewTagsHolder(),
- }
- for _, cb := range setup {
- cb(op)
- }
-
- return dyngo.StartAndRegisterOperation(ctx, op, args), op
-}
diff --git a/instrumentation/appsec/emitter/httpsec/roundtripper.go b/instrumentation/appsec/emitter/httpsec/roundtripper.go
index 2e4edcd738..6b27d99047 100644
--- a/instrumentation/appsec/emitter/httpsec/roundtripper.go
+++ b/instrumentation/appsec/emitter/httpsec/roundtripper.go
@@ -11,14 +11,31 @@ import (
"github.com/DataDog/dd-trace-go/v2/appsec/events"
"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
- "github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/emitter/httpsec/types"
"github.com/DataDog/dd-trace-go/v2/internal/log"
)
var badInputContextOnce sync.Once
+type (
+ RoundTripOperation struct {
+ dyngo.Operation
+ }
+
+ // RoundTripOperationArgs is the round trip operation arguments.
+ RoundTripOperationArgs struct {
+ // URL corresponds to the address `server.io.net.url`.
+ URL string
+ }
+
+ // RoundTripOperationRes is the round trip operation results.
+ RoundTripOperationRes struct{}
+)
+
+func (RoundTripOperationArgs) IsArgOf(*RoundTripOperation) {}
+func (RoundTripOperationRes) IsResultOf(*RoundTripOperation) {}
+
func ProtectRoundTrip(ctx context.Context, url string) error {
- opArgs := types.RoundTripOperationArgs{
+ opArgs := RoundTripOperationArgs{
URL: url,
}
@@ -32,7 +49,7 @@ func ProtectRoundTrip(ctx context.Context, url string) error {
return nil
}
- op := &types.RoundTripOperation{
+ op := &RoundTripOperation{
Operation: dyngo.NewOperation(parent),
}
@@ -43,7 +60,7 @@ func ProtectRoundTrip(ctx context.Context, url string) error {
})
dyngo.StartOperation(op, opArgs)
- dyngo.FinishOperation(op, types.RoundTripOperationRes{})
+ dyngo.FinishOperation(op, RoundTripOperationRes{})
if err != nil {
log.Debug("appsec: outgoing http request blocked by the WAF on URL: %s", url)
diff --git a/instrumentation/appsec/emitter/sharedsec/actions.go b/instrumentation/appsec/emitter/sharedsec/actions.go
index 1da48e7b0a..cd8d4991ab 100644
--- a/instrumentation/appsec/emitter/sharedsec/actions.go
+++ b/instrumentation/appsec/emitter/sharedsec/actions.go
@@ -1,12 +1,12 @@
// Unless explicitly stated otherwise all files in this repository are licensed
// under the Apache License Version 2.0.
// This product includes software developed at Datadog (https://www.datadoghq.com/).
-// Copyright 2022 Datadog, Inc.
+// Copyright 2024 Datadog, Inc.
-package sharedsec
+package actions
import (
- _ "embed" // Blank import
+ _ "embed" // embed is used to embed the blocked-template.json and blocked-template.html files
"net/http"
"os"
"strings"
@@ -14,7 +14,6 @@ import (
"github.com/DataDog/dd-trace-go/v2/appsec/events"
"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
"github.com/DataDog/dd-trace-go/v2/internal/log"
- "github.com/DataDog/dd-trace-go/v2/internal/stacktrace"
"github.com/mitchellh/mapstructure"
)
@@ -42,38 +41,12 @@ func init() {
*template = t
}
}
-
}
+
+ registerActionHandler("block_request", NewBlockAction)
}
type (
- // Action is a generic interface that represents any WAF action
- Action interface {
- Blocking() bool
- EmitData(op dyngo.Operation)
- }
-
- // HTTPAction are actions that interact with an HTTP request flow (block, redirect...)
- HTTPAction struct {
- http.Handler
- }
- // GRPCAction are actions that interact with a GRPC request flow
- GRPCAction struct {
- GRPCWrapper
- }
- // StackTraceAction are actions that generate a stacktrace
- StackTraceAction struct {
- Event stacktrace.Event
- }
-
- // GRPCWrapper is an opaque prototype abstraction for a gRPC handler (to avoid importing grpc)
- // that returns a status code and an error
- // TODO: rely on strongly typed actions (with the actual grpc types) by introducing WAF constructors
- // living in the contrib packages, along with their dependencies - something like `appsec.RegisterWAFConstructor(newGRPCWAF)`
- // Such constructors would receive the full appsec config and rules, so that they would be able to build
- // specific blocking actions.
- GRPCWrapper func() (uint32, error)
-
// blockActionParams are the dynamic parameters to be provided to a "block_request"
// action type upon invocation
blockActionParams struct {
@@ -83,40 +56,58 @@ type (
StatusCode int `mapstructure:"status_code"`
Type string `mapstructure:"type,omitempty"`
}
- // redirectActionParams are the dynamic parameters to be provided to a "redirect_request"
- // action type upon invocation
- redirectActionParams struct {
- Location string `mapstructure:"location,omitempty"`
- StatusCode int `mapstructure:"status_code"`
+ // GRPCWrapper is an opaque prototype abstraction for a gRPC handler (to avoid importing grpc)
+ // that returns a status code and an error
+ GRPCWrapper func() (uint32, error)
+
+ // BlockGRPC are actions that interact with a GRPC request flow
+ BlockGRPC struct {
+ GRPCWrapper
+ }
+
+ // BlockHTTP are actions that interact with an HTTP request flow
+ BlockHTTP struct {
+ http.Handler
}
)
-func (a *HTTPAction) Blocking() bool { return true }
-func (a *HTTPAction) EmitData(op dyngo.Operation) { dyngo.EmitData(op, a) }
+func (a *BlockGRPC) EmitData(op dyngo.Operation) {
+ dyngo.EmitData(op, a)
+ dyngo.EmitData(op, &events.BlockingSecurityEvent{})
+}
-func (a *GRPCAction) Blocking() bool { return true }
-func (a *GRPCAction) EmitData(op dyngo.Operation) { dyngo.EmitData(op, a) }
+func (a *BlockHTTP) EmitData(op dyngo.Operation) {
+ dyngo.EmitData(op, a)
+ dyngo.EmitData(op, &events.BlockingSecurityEvent{})
+}
-func (a *StackTraceAction) Blocking() bool { return false }
-func (a *StackTraceAction) EmitData(op dyngo.Operation) { dyngo.EmitData(op, a) }
+func newGRPCBlockRequestAction(status int) *BlockGRPC {
+ return &BlockGRPC{GRPCWrapper: newGRPCBlockHandler(status)}
+}
-// NewStackTraceAction creates an action for the "stacktrace" action type
-func NewStackTraceAction(params map[string]any) Action {
- id, ok := params["stack_id"]
- if !ok {
- log.Debug("appsec: could not read stack_id parameter for generate_stack action")
- return nil
+func newGRPCBlockHandler(status int) GRPCWrapper {
+ return func() (uint32, error) {
+ return uint32(status), &events.BlockingSecurityEvent{}
}
+}
- strID, ok := id.(string)
- if !ok {
- log.Debug("appsec: could not cast stacktrace ID to string")
- return nil
+func blockParamsFromMap(params map[string]any) (blockActionParams, error) {
+ grpcCode := 10
+ p := blockActionParams{
+ Type: "auto",
+ StatusCode: 403,
+ GRPCStatusCode: &grpcCode,
}
- event := stacktrace.NewEvent(stacktrace.ExploitEvent, stacktrace.WithID(strID))
+ if err := mapstructure.WeakDecode(params, &p); err != nil {
+ return p, err
+ }
- return &StackTraceAction{Event: *event}
+ if p.GRPCStatusCode == nil {
+ p.GRPCStatusCode = &grpcCode
+ }
+
+ return p, nil
}
// NewBlockAction creates an action for the "block_request" action type
@@ -132,36 +123,8 @@ func NewBlockAction(params map[string]any) []Action {
}
}
-// NewRedirectAction creates an action for the "redirect_request" action type
-func NewRedirectAction(params map[string]any) *HTTPAction {
- p, err := redirectParamsFromMap(params)
- if err != nil {
- log.Debug("appsec: couldn't decode redirect action parameters")
- return nil
- }
- return newRedirectRequestAction(p.StatusCode, p.Location)
-}
-
-func newHTTPBlockRequestAction(status int, template string) *HTTPAction {
- return &HTTPAction{Handler: newBlockHandler(status, template)}
-}
-
-func newGRPCBlockRequestAction(status int) *GRPCAction {
- return &GRPCAction{GRPCWrapper: newGRPCBlockHandler(status)}
-
-}
-
-func newRedirectRequestAction(status int, loc string) *HTTPAction {
- // Default to 303 if status is out of redirection codes bounds
- if status < 300 || status >= 400 {
- status = 303
- }
-
- // If location is not set we fall back on a default block action
- if loc == "" {
- return &HTTPAction{Handler: newBlockHandler(403, string(blockedTemplateJSON))}
- }
- return &HTTPAction{Handler: http.RedirectHandler(loc, status)}
+func newHTTPBlockRequestAction(status int, template string) *BlockHTTP {
+ return &BlockHTTP{Handler: newBlockHandler(status, template)}
}
// newBlockHandler creates, initializes and returns a new BlockRequestAction
@@ -189,40 +152,9 @@ func newBlockHandler(status int, template string) http.Handler {
}
func newBlockRequestHandler(status int, ct string, payload []byte) http.Handler {
- return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ return http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
w.Header().Set("Content-Type", ct)
w.WriteHeader(status)
w.Write(payload)
})
}
-
-func newGRPCBlockHandler(status int) GRPCWrapper {
- return func() (uint32, error) {
- return uint32(status), &events.BlockingSecurityEvent{}
- }
-}
-
-func blockParamsFromMap(params map[string]any) (blockActionParams, error) {
- grpcCode := 10
- p := blockActionParams{
- Type: "auto",
- StatusCode: 403,
- GRPCStatusCode: &grpcCode,
- }
-
- if err := mapstructure.WeakDecode(params, &p); err != nil {
- return p, err
- }
-
- if p.GRPCStatusCode == nil {
- p.GRPCStatusCode = &grpcCode
- }
- return p, nil
-
-}
-
-func redirectParamsFromMap(params map[string]any) (redirectActionParams, error) {
- var p redirectActionParams
- err := mapstructure.WeakDecode(params, &p)
- return p, err
-}
diff --git a/instrumentation/appsec/emitter/sharedsec/actions_test.go b/instrumentation/appsec/emitter/sharedsec/actions_test.go
index 7f40a4f26f..1e77c8e2d1 100644
--- a/instrumentation/appsec/emitter/sharedsec/actions_test.go
+++ b/instrumentation/appsec/emitter/sharedsec/actions_test.go
@@ -1,9 +1,9 @@
// Unless explicitly stated otherwise all files in this repository are licensed
// under the Apache License Version 2.0.
// This product includes software developed at Datadog (https://www.datadoghq.com/).
-// Copyright 2016 Datadog, Inc.
+// Copyright 2024 Datadog, Inc.
-package sharedsec
+package actions
import (
"io"
@@ -161,11 +161,11 @@ func TestNewRedirectRequestAction(t *testing.T) {
mux.HandleFunc("/redirect-no-location", newRedirectRequestAction(303, "").ServeHTTP)
mux.HandleFunc("/redirect1", newRedirectRequestAction(http.StatusFound, "/redirect2").ServeHTTP)
mux.HandleFunc("/redirect2", newRedirectRequestAction(http.StatusFound, "/redirected").ServeHTTP)
- mux.HandleFunc("/redirected", func(w http.ResponseWriter, r *http.Request) {
+ mux.HandleFunc("/redirected", func(w http.ResponseWriter, _ *http.Request) {
w.WriteHeader(http.StatusOK) // Shouldn't matter since we write 302 before arriving here
w.Write([]byte("Redirected"))
})
- srv.Client().CheckRedirect = func(req *http.Request, via []*http.Request) error {
+ srv.Client().CheckRedirect = func(_ *http.Request, via []*http.Request) error {
require.GreaterOrEqual(t, len(via), 1)
require.Equal(t, "/redirect1", via[0].URL.Path)
if len(via) == 2 {
@@ -206,7 +206,7 @@ func TestNewRedirectRequestAction(t *testing.T) {
// - empty location: revert to default blocking action instead
// - status code outside of [300, 399]: default to 303
t.Run("no-location", func(t *testing.T) {
- srv.Client().CheckRedirect = func(req *http.Request, via []*http.Request) error {
+ srv.Client().CheckRedirect = func(_ *http.Request, _ []*http.Request) error {
return nil
}
req, err := http.NewRequest("POST", srv.URL+"/redirect-no-location", nil)
diff --git a/instrumentation/appsec/emitter/sharedsec/blocked-template.json b/instrumentation/appsec/emitter/sharedsec/blocked-template.json
index 885d766c18..12ae29696f 100644
--- a/instrumentation/appsec/emitter/sharedsec/blocked-template.json
+++ b/instrumentation/appsec/emitter/sharedsec/blocked-template.json
@@ -1 +1 @@
-{"errors":[{"title":"You've been blocked","detail":"Sorry, you cannot access this page. Please contact the customer service team. Security provided by Datadog."}]}
+{"errors":[{"title":"You've been blocked","detail":"Sorry, you cannot access this page. Please contact the customer service team. Security provided by Datadog."}]}
\ No newline at end of file
diff --git a/instrumentation/appsec/emitter/sqlsec/sql.go b/instrumentation/appsec/emitter/sqlsec/sql.go
index 29b163c4b0..3b1db53068 100644
--- a/instrumentation/appsec/emitter/sqlsec/sql.go
+++ b/instrumentation/appsec/emitter/sqlsec/sql.go
@@ -11,14 +11,30 @@ import (
"github.com/DataDog/dd-trace-go/v2/appsec/events"
"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
- "github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/emitter/sqlsec/types"
"github.com/DataDog/dd-trace-go/v2/internal/log"
)
var badInputContextOnce sync.Once
+type (
+ SQLOperation struct {
+ dyngo.Operation
+ }
+
+ SQLOperationArgs struct {
+ // Query corresponds to the addres `server.db.statement`
+ Query string
+ // Driver corresponds to the addres `server.db.system`
+ Driver string
+ }
+ SQLOperationRes struct{}
+)
+
+func (SQLOperationArgs) IsArgOf(*SQLOperation) {}
+func (SQLOperationRes) IsResultOf(*SQLOperation) {}
+
func ProtectSQLOperation(ctx context.Context, query, driver string) error {
- opArgs := types.SQLOperationArgs{
+ opArgs := SQLOperationArgs{
Query: query,
Driver: driver,
}
@@ -33,7 +49,7 @@ func ProtectSQLOperation(ctx context.Context, query, driver string) error {
return nil
}
- op := &types.SQLOperation{
+ op := &SQLOperation{
Operation: dyngo.NewOperation(parent),
}
@@ -44,7 +60,7 @@ func ProtectSQLOperation(ctx context.Context, query, driver string) error {
})
dyngo.StartOperation(op, opArgs)
- dyngo.FinishOperation(op, types.SQLOperationRes{})
+ dyngo.FinishOperation(op, SQLOperationRes{})
if err != nil {
log.Debug("appsec: outgoing SQL operation blocked by the WAF")
diff --git a/instrumentation/appsec/trace/grpctrace/grpc_test.go b/instrumentation/appsec/trace/grpctrace/grpc_test.go
index 19ffef36bf..673727abb0 100644
--- a/instrumentation/appsec/trace/grpctrace/grpc_test.go
+++ b/instrumentation/appsec/trace/grpctrace/grpc_test.go
@@ -1,9 +1,9 @@
// Unless explicitly stated otherwise all files in this repository are licensed
// under the Apache License Version 2.0.
// This product includes software developed at Datadog (https://www.datadoghq.com/).
-// Copyright 2016 Datadog, Inc.
+// Copyright 2024 Datadog, Inc.
-package grpctrace
+package grpcsec
import (
"fmt"
@@ -14,6 +14,23 @@ import (
"github.com/stretchr/testify/require"
)
+type MockSpan struct {
+ Tags map[string]any
+}
+
+func (m *MockSpan) SetTag(key string, value interface{}) {
+ if m.Tags == nil {
+ m.Tags = make(map[string]any)
+ }
+ if key == ext.ManualKeep {
+ if value == samplernames.AppSec {
+ m.Tags[ext.ManualKeep] = true
+ }
+ } else {
+ m.Tags[key] = value
+ }
+}
+
func TestTags(t *testing.T) {
for _, eventCase := range []struct {
name string
@@ -74,8 +91,8 @@ func TestTags(t *testing.T) {
} {
metadataCase := metadataCase
t.Run(fmt.Sprintf("%s-%s", eventCase.name, metadataCase.name), func(t *testing.T) {
- var span testlib.MockSpan
- err := setSecurityEventsTags(&span, eventCase.events)
+ var span MockSpan
+ err := waf.SetEventSpanTags(&span, eventCase.events)
if eventCase.expectedError {
require.Error(t, err)
return
@@ -84,7 +101,7 @@ func TestTags(t *testing.T) {
SetRequestMetadataTags(&span, metadataCase.md)
if eventCase.events != nil {
- testlib.RequireContainsMapSubset(t, span.Tags, map[string]interface{}{
+ require.Subset(t, span.Tags, map[string]interface{}{
"_dd.appsec.json": eventCase.expectedTag,
"manual.keep": true,
"appsec.event": true,
@@ -93,10 +110,8 @@ func TestTags(t *testing.T) {
}
if l := len(metadataCase.expectedTags); l > 0 {
- testlib.RequireContainsMapSubset(t, span.Tags, metadataCase.expectedTags)
+ require.Subset(t, span.Tags, metadataCase.expectedTags)
}
-
- require.False(t, span.Finished)
})
}
}
diff --git a/instrumentation/appsec/trace/httptrace/http.go b/instrumentation/appsec/trace/httptrace/http.go
index 0044c2dcaf..cb0e7d8a5d 100644
--- a/instrumentation/appsec/trace/httptrace/http.go
+++ b/instrumentation/appsec/trace/httptrace/http.go
@@ -1,11 +1,12 @@
// Unless explicitly stated otherwise all files in this repository are licensed
// under the Apache License Version 2.0.
// This product includes software developed at Datadog (https://www.datadoghq.com/).
-// Copyright 2016 Datadog, Inc.
+// Copyright 2024 Datadog, Inc.
-package httptrace
+package httpsec
import (
+ "net/http"
"net/netip"
"os"
"strings"
@@ -13,7 +14,6 @@ import (
"github.com/DataDog/appsec-internal-go/httpsec"
"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/trace"
- "github.com/DataDog/dd-trace-go/v2/internal/log"
)
const (
@@ -23,7 +23,7 @@ const (
var (
// defaultIPHeaders is the default list of IP-related headers leveraged to
- // retrieve the public client IP address in ClientIP.
+ // retrieve the public client IP address in RemoteAddr.
defaultIPHeaders = []string{
"x-forwarded-for",
"x-real-ip",
@@ -34,7 +34,7 @@ var (
"x-cluster-client-ip",
"fastly-client-ip",
"cf-connecting-ip",
- "cf-connecting-ip6",
+ "cf-connecting-ipv6",
}
// defaultCollectedHeaders is the default list of HTTP headers collected as
@@ -67,7 +67,7 @@ var (
collectedHeadersLookupMap map[string]struct{}
// monitoredClientIPHeadersCfg is the list of IP-related headers leveraged to
- // retrieve the public client IP address in ClientIP. This is defined at init
+ // retrieve the public client IP address in RemoteAddr. This is defined at init
// time in function of the value of the envClientIPHeader environment variable.
monitoredClientIPHeadersCfg []string
)
@@ -75,7 +75,7 @@ var (
// ClientIPTags returns the resulting Datadog span tags `http.client_ip`
// containing the client IP and `network.client.ip` containing the remote IP.
// The tags are present only if a valid ip address has been returned by
-// ClientIP().
+// RemoteAddr().
func ClientIPTags(headers map[string][]string, hasCanonicalHeaders bool, remoteAddr string) (tags map[string]string, clientIP netip.Addr) {
remoteIP, clientIP := httpsec.ClientIP(headers, hasCanonicalHeaders, remoteAddr, monitoredClientIPHeadersCfg)
tags = httpsec.ClientIPTags(remoteIP, clientIP)
@@ -101,6 +101,20 @@ func NormalizeHTTPHeaders(headers map[string][]string) (normalized map[string]st
return normalized
}
+// Remove cookies from the request headers and return the map of headers
+// Used from `server.request.headers.no_cookies` and server.response.headers.no_cookies` addresses for the WAF
+func headersRemoveCookies(headers http.Header) map[string][]string {
+ headersNoCookies := make(http.Header, len(headers))
+ for k, v := range headers {
+ k := strings.ToLower(k)
+ if k == "cookie" {
+ continue
+ }
+ headersNoCookies[k] = v
+ }
+ return headersNoCookies
+}
+
func normalizeHTTPHeaderName(name string) string {
return strings.ToLower(name)
}
@@ -109,13 +123,6 @@ func normalizeHTTPHeaderValue(values []string) string {
return strings.Join(values, ",")
}
-// SetSecurityEventsTags sets the AppSec-specific span tags when a security event occurred into the service entry span.
-func SetSecurityEventsTags(span trace.TagSetter, events []any) {
- if err := trace.SetEventSpanTags(span, events); err != nil {
- log.Error("appsec: unexpected error while creating the appsec events tags: %v", err)
- }
-}
-
func init() {
makeCollectedHTTPHeadersLookupMap()
readMonitoredClientIPHeadersConfig()
@@ -130,7 +137,7 @@ func makeCollectedHTTPHeadersLookupMap() {
func readMonitoredClientIPHeadersConfig() {
if header := os.Getenv(envClientIPHeader); header != "" {
- // Make this header the only one to consider in ClientIP
+ // Make this header the only one to consider in RemoteAddr
monitoredClientIPHeadersCfg = []string{header}
// Add this header to the list of collected headers
@@ -141,3 +148,20 @@ func readMonitoredClientIPHeadersConfig() {
monitoredClientIPHeadersCfg = defaultIPHeaders
}
}
+
+// setRequestHeadersTags sets the AppSec-specific request headers span tags.
+func setRequestHeadersTags(span trace.TagSetter, headers map[string][]string) {
+ setHeadersTags(span, "http.request.headers.", headers)
+}
+
+// setResponseHeadersTags sets the AppSec-specific response headers span tags.
+func setResponseHeadersTags(span trace.TagSetter, headers map[string][]string) {
+ setHeadersTags(span, "http.response.headers.", headers)
+}
+
+// setHeadersTags sets the AppSec-specific headers span tags.
+func setHeadersTags(span trace.TagSetter, tagPrefix string, headers map[string][]string) {
+ for h, v := range NormalizeHTTPHeaders(headers) {
+ span.SetTag(tagPrefix+h, v)
+ }
+}
diff --git a/instrumentation/httptrace/config.go b/instrumentation/httptrace/config.go
index c5aad3a486..94ed09e4d6 100644
--- a/instrumentation/httptrace/config.go
+++ b/instrumentation/httptrace/config.go
@@ -8,6 +8,8 @@ package httptrace
import (
"os"
"regexp"
+ "strconv"
+ "strings"
"github.com/DataDog/dd-trace-go/v2/internal"
"github.com/DataDog/dd-trace-go/v2/internal/log"
@@ -22,6 +24,8 @@ const (
envQueryStringRegexp = "DD_TRACE_OBFUSCATION_QUERY_STRING_REGEXP"
// envTraceClientIPEnabled is the name of the env var used to specify whether or not to collect client ip in span tags
envTraceClientIPEnabled = "DD_TRACE_CLIENT_IP_ENABLED"
+ // envServerErrorStatuses is the name of the env var used to specify error status codes on http server spans
+ envServerErrorStatuses = "DD_TRACE_HTTP_SERVER_ERROR_STATUSES"
)
// defaultQueryStringRegexp is the regexp used for query string obfuscation if `envQueryStringRegexp` is empty.
@@ -31,6 +35,7 @@ type config struct {
queryStringRegexp *regexp.Regexp // specifies the regexp to use for query string obfuscation.
queryString bool // reports whether the query string should be included in the URL span tag.
traceClientIP bool
+ isStatusError func(statusCode int) bool
}
func newConfig() config {
@@ -38,6 +43,11 @@ func newConfig() config {
queryString: !internal.BoolEnv(envQueryStringDisabled, false),
queryStringRegexp: defaultQueryStringRegexp,
traceClientIP: internal.BoolEnv(envTraceClientIPEnabled, false),
+ isStatusError: isServerError,
+ }
+ v := os.Getenv(envServerErrorStatuses)
+ if fn := GetErrorCodesFromInput(v); fn != nil {
+ c.isStatusError = fn
}
if s, ok := os.LookupEnv(envQueryStringRegexp); !ok {
return c
@@ -51,3 +61,62 @@ func newConfig() config {
}
return c
}
+
+func isServerError(statusCode int) bool {
+ return statusCode >= 500 && statusCode < 600
+}
+
+// GetErrorCodesFromInput parses a comma-separated string s to determine which codes are to be considered errors
+// Its purpose is to support the DD_TRACE_HTTP_SERVER_ERROR_STATUSES env var
+// If error condition cannot be determined from s, `nil` is returned
+// e.g, input of "100,200,300-400" returns a function that returns true on 100, 200, and all values between 300-400, inclusive
+// any input that cannot be translated to integer values returns nil
+func GetErrorCodesFromInput(s string) func(statusCode int) bool {
+ if s == "" {
+ return nil
+ }
+ var codes []int
+ var ranges [][]int
+ vals := strings.Split(s, ",")
+ for _, val := range vals {
+ // "-" indicates a range of values
+ if strings.Contains(val, "-") {
+ bounds := strings.Split(val, "-")
+ if len(bounds) != 2 {
+ log.Debug("Trouble parsing %v due to entry %v, using default error status determination logic", s, val)
+ return nil
+ }
+ before, err := strconv.Atoi(bounds[0])
+ if err != nil {
+ log.Debug("Trouble parsing %v due to entry %v, using default error status determination logic", s, val)
+ return nil
+ }
+ after, err := strconv.Atoi(bounds[1])
+ if err != nil {
+ log.Debug("Trouble parsing %v due to entry %v, using default error status determination logic", s, val)
+ return nil
+ }
+ ranges = append(ranges, []int{before, after})
+ } else {
+ intVal, err := strconv.Atoi(val)
+ if err != nil {
+ log.Debug("Trouble parsing %v due to entry %v, using default error status determination logic", s, val)
+ return nil
+ }
+ codes = append(codes, intVal)
+ }
+ }
+ return func(statusCode int) bool {
+ for _, c := range codes {
+ if c == statusCode {
+ return true
+ }
+ }
+ for _, bounds := range ranges {
+ if statusCode >= bounds[0] && statusCode <= bounds[1] {
+ return true
+ }
+ }
+ return false
+ }
+}
diff --git a/instrumentation/httptrace/httptrace.go b/instrumentation/httptrace/httptrace.go
index 9478463642..5068a42e31 100644
--- a/instrumentation/httptrace/httptrace.go
+++ b/instrumentation/httptrace/httptrace.go
@@ -38,7 +38,7 @@ func StartRequestSpan(r *http.Request, opts ...tracer.StartSpanOption) (*tracer.
var ipTags map[string]string
if cfg.traceClientIP {
- ipTags, _ = httptrace.ClientIPTags(r.Header, true, r.RemoteAddr)
+ ipTags, _ = httpsec.ClientIPTags(r.Header, true, r.RemoteAddr)
}
nopts := make([]tracer.StartSpanOption, 0, len(opts)+1)
nopts = append(nopts,
@@ -69,15 +69,21 @@ func StartRequestSpan(r *http.Request, opts ...tracer.StartSpanOption) (*tracer.
// code. Any further span finish option can be added with opts.
func FinishRequestSpan(s *tracer.Span, status int, opts ...tracer.FinishOption) {
var statusStr string
+ // if status is 0, treat it like 200 unless 0 was called out in DD_TRACE_HTTP_SERVER_ERROR_STATUSES
if status == 0 {
- statusStr = "200"
+ if cfg.isStatusError(status) {
+ statusStr = "0"
+ s.SetTag(ext.Error, fmt.Errorf("%s: %s", statusStr, http.StatusText(status)))
+ } else {
+ statusStr = "200"
+ }
} else {
statusStr = strconv.Itoa(status)
+ if cfg.isStatusError(status) {
+ s.SetTag(ext.Error, fmt.Errorf("%s: %s", statusStr, http.StatusText(status)))
+ }
}
s.SetTag(ext.HTTPCode, statusStr)
- if status >= 500 && status < 600 {
- opts = append(opts, tracer.WithError(fmt.Errorf("%s: %s", statusStr, http.StatusText(status))))
- }
s.Finish(opts...)
}
diff --git a/instrumentation/httptrace/httptrace_test.go b/instrumentation/httptrace/httptrace_test.go
index 9329e4dec8..15c01a1e16 100644
--- a/instrumentation/httptrace/httptrace_test.go
+++ b/instrumentation/httptrace/httptrace_test.go
@@ -6,9 +6,11 @@
package httptrace
import (
+ "fmt"
"net/http"
"net/http/httptest"
"net/url"
+ "os"
"strconv"
"testing"
@@ -24,6 +26,117 @@ import (
"github.com/stretchr/testify/require"
)
+func TestGetErrorCodesFromInput(t *testing.T) {
+ codesOnly := "400,401,402"
+ rangesOnly := "400-405,408-410"
+ mixed := "400,403-405,407-410,412"
+ invalid1 := "1,100-200-300-"
+ invalid2 := "abc:@3$5^,"
+ empty := ""
+ t.Run("codesOnly", func(t *testing.T) {
+ fn := GetErrorCodesFromInput(codesOnly)
+ for i := 400; i <= 402; i++ {
+ assert.True(t, fn(i))
+ }
+ assert.False(t, fn(500))
+ assert.False(t, fn(0))
+ })
+ t.Run("rangesOnly", func(t *testing.T) {
+ fn := GetErrorCodesFromInput(rangesOnly)
+ for i := 400; i <= 405; i++ {
+ assert.True(t, fn(i))
+ }
+ for i := 408; i <= 410; i++ {
+ assert.True(t, fn(i))
+ }
+ assert.False(t, fn(406))
+ assert.False(t, fn(411))
+ assert.False(t, fn(500))
+ })
+ t.Run("mixed", func(t *testing.T) {
+ fn := GetErrorCodesFromInput(mixed)
+ assert.True(t, fn(400))
+ assert.False(t, fn(401))
+ for i := 403; i <= 405; i++ {
+ assert.True(t, fn(i))
+ }
+ assert.False(t, fn(406))
+ for i := 407; i <= 410; i++ {
+ assert.True(t, fn(i))
+ }
+ assert.False(t, fn(411))
+ assert.False(t, fn(500))
+ })
+ // invalid entries below should result in nils
+ t.Run("invalid1", func(t *testing.T) {
+ fn := GetErrorCodesFromInput(invalid1)
+ assert.Nil(t, fn)
+ })
+ t.Run("invalid2", func(t *testing.T) {
+ fn := GetErrorCodesFromInput(invalid2)
+ assert.Nil(t, fn)
+ })
+ t.Run("empty", func(t *testing.T) {
+ fn := GetErrorCodesFromInput(empty)
+ assert.Nil(t, fn)
+ })
+}
+
+func TestConfiguredErrorStatuses(t *testing.T) {
+ defer os.Unsetenv("DD_TRACE_HTTP_SERVER_ERROR_STATUSES")
+ t.Run("configured", func(t *testing.T) {
+ mt := mocktracer.Start()
+ defer mt.Stop()
+
+ os.Setenv("DD_TRACE_HTTP_SERVER_ERROR_STATUSES", "199-399,400,501")
+
+ // reset config based on new DD_TRACE_HTTP_SERVER_ERROR_STATUSES value
+ oldConfig := cfg
+ defer func() { cfg = oldConfig }()
+ cfg = newConfig()
+
+ statuses := []int{0, 200, 400, 500}
+ r := httptest.NewRequest(http.MethodGet, "/test", nil)
+ for i, status := range statuses {
+ sp, _ := StartRequestSpan(r)
+ FinishRequestSpan(sp, status)
+ spans := mt.FinishedSpans()
+ require.Len(t, spans, i+1)
+
+ switch status {
+ case 0:
+ assert.Equal(t, "200", spans[i].Tag(ext.HTTPCode))
+ assert.Nil(t, spans[i].Tag(ext.Error))
+ case 200, 400:
+ assert.Equal(t, strconv.Itoa(status), spans[i].Tag(ext.HTTPCode))
+ assert.Equal(t, fmt.Errorf("%s: %s", strconv.Itoa(status), http.StatusText(status)), spans[i].Tag(ext.Error).(error))
+ case 500:
+ assert.Equal(t, strconv.Itoa(status), spans[i].Tag(ext.HTTPCode))
+ assert.Nil(t, spans[i].Tag(ext.Error))
+ }
+ }
+ })
+ t.Run("zero", func(t *testing.T) {
+ mt := mocktracer.Start()
+ defer mt.Stop()
+
+ os.Setenv("DD_TRACE_HTTP_SERVER_ERROR_STATUSES", "0")
+
+ // reset config based on new DD_TRACE_HTTP_SERVER_ERROR_STATUSES value
+ oldConfig := cfg
+ defer func() { cfg = oldConfig }()
+ cfg = newConfig()
+
+ r := httptest.NewRequest(http.MethodGet, "/test", nil)
+ sp, _ := StartRequestSpan(r)
+ FinishRequestSpan(sp, 0)
+ spans := mt.FinishedSpans()
+ require.Len(t, spans, 1)
+ assert.Equal(t, "0", spans[0].Tag(ext.HTTPCode))
+ assert.Equal(t, fmt.Errorf("0: %s", http.StatusText(0)), spans[0].Tag(ext.Error).(error))
+ })
+}
+
func TestHeaderTagsFromRequest(t *testing.T) {
mt := mocktracer.Start()
defer mt.Stop()
diff --git a/internal/apps/Dockerfile b/internal/apps/Dockerfile
index 2f32c31648..35993e4c94 100644
--- a/internal/apps/Dockerfile
+++ b/internal/apps/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.21
+FROM golang:1.23
COPY . /dd-trace-go
WORKDIR /dd-trace-go/internal/apps
# -t will download all dependencies, including test dependencies
diff --git a/internal/apps/apps.go b/internal/apps/apps.go
index f6683803fc..d769cb2906 100644
--- a/internal/apps/apps.go
+++ b/internal/apps/apps.go
@@ -25,9 +25,11 @@ type Config struct {
// default we configure non-stop execution tracing for the test apps unless
// a DD_PROFILING_EXECUTION_TRACE_PERIOD env is set or this option is true.
DisableExecutionTracing bool
+
+ httpAddr net.Addr
}
-func (c Config) RunHTTP(handler func() http.Handler) {
+func (c *Config) RunHTTP(handler func() http.Handler) {
// Parse common test app flags
var (
httpF = flag.String("http", "localhost:8080", "HTTP addr to listen on.")
@@ -69,6 +71,7 @@ func (c Config) RunHTTP(handler func() http.Handler) {
log.Fatalf("failed to listen: %s", err)
}
defer l.Close()
+ c.httpAddr = l.Addr()
log.Printf("Listening on: http://%s", *httpF)
// handler is a func, because if we create a traced handler before starting
// the tracer, the service name will default to http.router.
@@ -79,3 +82,7 @@ func (c Config) RunHTTP(handler func() http.Handler) {
<-ctx.Done()
log.Printf("Received interrupt, shutting down")
}
+
+func (c Config) HTTPAddr() net.Addr {
+ return c.httpAddr
+}
diff --git a/internal/apps/gc-overhead/main.go b/internal/apps/gc-overhead/main.go
new file mode 100644
index 0000000000..5d69677e80
--- /dev/null
+++ b/internal/apps/gc-overhead/main.go
@@ -0,0 +1,177 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2023 Datadog, Inc.
+
+// gc-overhead implements a http service that demonstrates high GC overhead. The
+// primary use case is to take screenshots of CPU and Memory profiles for blog
+// posts. The code is intentionally inefficient, but should produce plausible
+// FlameGraphs. Loop and data sizes are chosen so that the hotspots in the CPU
+// profile, the Allocated Memory Profile, and the Heap Live Objects profile are
+// different.
+package main
+
+import (
+ "bytes"
+ "encoding/json"
+ "fmt"
+ "maps"
+ "math"
+ "math/rand/v2"
+ "net/http"
+ "runtime/debug"
+ "slices"
+ "sync"
+ "time"
+
+ httptrace "github.com/DataDog/dd-trace-go/v2/contrib/net/http"
+ "github.com/DataDog/dd-trace-go/v2/internal/apps"
+)
+
+func main() {
+ // Initialize fake data
+ initFakeData()
+
+ // Experimentally determined value to keep GC overhead around 30%.
+ debug.SetGCPercent(35)
+
+ // Start app
+ app := apps.Config{}
+ app.RunHTTP(func() http.Handler {
+ mux := httptrace.NewServeMux()
+ mux.HandleFunc("/vehicles/update_location", VehiclesUpdateLocationHandler)
+ mux.HandleFunc("/vehicles/list", VehiclesListHandler)
+ return mux
+ })
+}
+
+func VehiclesUpdateLocationHandler(w http.ResponseWriter, r *http.Request) {
+ load := int(sineLoad() * 2e5)
+ for i := 0; i < load; i++ {
+ u := &VehicleLocationUpdate{}
+ data := fakeData.vehicleLocationUpdates[i%len(fakeData.vehicleLocationUpdates)]
+ if err := parseVehicleLocationUpdate(data, u); err != nil {
+ http.Error(w, err.Error(), http.StatusInternalServerError)
+ return
+ }
+ store.Update(u)
+ }
+ w.Write([]byte("ok"))
+}
+
+func parseVehicleLocationUpdate(data []byte, u *VehicleLocationUpdate) error {
+ return json.Unmarshal(data, u)
+}
+
+func VehiclesListHandler(w http.ResponseWriter, r *http.Request) {
+ w.Write(renderVehiclesList().Bytes())
+}
+
+func renderVehiclesList() *bytes.Buffer {
+ buf := &bytes.Buffer{}
+ list := store.List()
+ load := sineLoad() * float64(len(list))
+ list = list[0:int(load)]
+ for _, v := range list {
+ fmt.Fprintf(buf, "%s: %v\n", v.ID, v.History)
+ }
+ return buf
+}
+
+var fakeData struct {
+ vehicleLocationUpdates [1000][]byte
+}
+
+var store = MemoryStore{}
+
+func initFakeData() {
+ for i := 0; i < len(fakeData.vehicleLocationUpdates); i++ {
+ update := VehicleLocationUpdate{
+ ID: fmt.Sprintf("vehicle-%d", i),
+ Position: Position{
+ Longitude: rand.Float64()*180 - 90,
+ Latitude: rand.Float64()*360 - 180,
+ },
+ }
+ fakeData.vehicleLocationUpdates[i], _ = json.Marshal(update)
+ }
+}
+
+type MemoryStore struct {
+ mu sync.RWMutex
+ vehicles map[string]*Vehicle
+}
+
+func (m *MemoryStore) Update(u *VehicleLocationUpdate) {
+ m.mu.Lock()
+ defer m.mu.Unlock()
+
+ if m.vehicles == nil {
+ m.vehicles = make(map[string]*Vehicle)
+ }
+
+ vehicle, ok := m.vehicles[u.ID]
+ if !ok {
+ vehicle = NewVehicle(u.ID)
+ m.vehicles[u.ID] = vehicle
+ }
+ vehicle.History = append(vehicle.History, &u.Position)
+ const historyLimit = 2000
+ if len(vehicle.History) > historyLimit {
+ // Keep only the last positions
+ copy(vehicle.History, vehicle.History[len(vehicle.History)-historyLimit:])
+ vehicle.History = vehicle.History[:historyLimit]
+ }
+}
+
+func NewVehicle(id string) *Vehicle {
+ return &Vehicle{ID: id, Data: make([]byte, 1024*1024)}
+}
+
+func (m *MemoryStore) List() (vehicles []*Vehicle) {
+ m.mu.RLock()
+ defer m.mu.RUnlock()
+
+ for _, key := range slices.Sorted(maps.Keys(m.vehicles)) {
+ vehicles = append(vehicles, m.vehicles[key].Copy())
+ }
+ return vehicles
+}
+
+type Position struct {
+ Longitude float64
+ Latitude float64
+}
+
+type VehicleLocationUpdate struct {
+ ID string
+ Position Position
+}
+
+type Vehicle struct {
+ ID string
+ History []*Position
+ Data []byte
+}
+
+func (v *Vehicle) Copy() *Vehicle {
+ history := make([]*Position, len(v.History))
+ copy(history, v.History)
+ return &Vehicle{
+ ID: v.ID,
+ History: history,
+ }
+}
+
+// sineLoad returns a value between 0 and 1 that varies sinusoidally over time.
+func sineLoad() float64 {
+ period := 5 * time.Minute
+ // Get the current time in seconds since Unix epoch
+ currentTime := time.Now().UnixNano()
+ // Compute the phase of the sine wave, current time modulo period
+ phase := float64(currentTime) / float64(period) * 2 * math.Pi
+ // Generate the sine wave value (-1 to 1)
+ sineValue := math.Sin(phase)
+ // Normalize the sine wave value to be between 0 and 1
+ return (sineValue + 1) * 0.5
+}
diff --git a/internal/apps/go.mod b/internal/apps/go.mod
index 283e38ecd6..f7bfcf6435 100644
--- a/internal/apps/go.mod
+++ b/internal/apps/go.mod
@@ -1,6 +1,6 @@
module github.com/DataDog/dd-trace-go/internal/apps
-go 1.21
+go 1.23.0
require (
github.com/DataDog/dd-trace-go/contrib/net/http/v2 v2.0.0-20240909105439-c452671ebc14
@@ -11,8 +11,8 @@ require (
require github.com/DataDog/go-sqllexer v0.0.11 // indirect
require (
- github.com/DataDog/appsec-internal-go v1.7.0 // indirect
- github.com/DataDog/go-libddwaf/v3 v3.3.0 // indirect
+ github.com/DataDog/appsec-internal-go v1.8.0 // indirect
+ github.com/DataDog/go-libddwaf/v3 v3.4.0 // indirect
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
github.com/eapache/queue/v2 v2.0.0-20230407133247-75960ed334e4 // indirect
github.com/ebitengine/purego v0.6.0-alpha.5 // indirect
@@ -24,15 +24,15 @@ require (
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
github.com/ryanuber/go-glob v1.0.0 // indirect
go.uber.org/atomic v1.11.0 // indirect
- golang.org/x/mod v0.14.0 // indirect
- golang.org/x/tools v0.16.1 // indirect
+ golang.org/x/mod v0.18.0 // indirect
+ golang.org/x/tools v0.22.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
)
require (
- github.com/DataDog/datadog-agent/pkg/obfuscate v0.52.1 // indirect
- github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.52.1 // indirect
- github.com/DataDog/datadog-go/v5 v5.5.0 // indirect
+ github.com/DataDog/datadog-agent/pkg/obfuscate v0.48.0 // indirect
+ github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.57.0 // indirect
+ github.com/DataDog/datadog-go/v5 v5.3.0 // indirect
github.com/DataDog/go-tuf v1.1.0-0.5.2 // indirect
github.com/DataDog/gostackparse v0.7.0 // indirect
github.com/DataDog/sketches-go v1.4.5 // indirect
@@ -41,16 +41,16 @@ require (
github.com/dustin/go-humanize v1.0.1 // indirect
github.com/google/go-cmp v0.6.0 // indirect
github.com/google/pprof v0.0.0-20230817174616-7a8ec2ada47b // indirect
- github.com/google/uuid v1.6.0 // indirect
- github.com/philhofer/fwd v1.1.2 // indirect
+ github.com/google/uuid v1.5.0 // indirect
+ github.com/philhofer/fwd v1.1.3-0.20240612014219-fbbf4953d986 // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/richardartoul/molecule v1.0.1-0.20240531184615-7ca0df43c0b3 // indirect
github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect
github.com/spaolacci/murmur3 v1.1.0 // indirect
github.com/stretchr/testify v1.9.0
- github.com/tinylib/msgp v1.1.9 // indirect
- golang.org/x/sys v0.20.0 // indirect
- golang.org/x/time v0.5.0 // indirect
+ github.com/tinylib/msgp v1.2.1 // indirect
+ golang.org/x/sys v0.23.0 // indirect
+ golang.org/x/time v0.3.0 // indirect
golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
google.golang.org/protobuf v1.33.0 // indirect
)
diff --git a/internal/apps/go.sum b/internal/apps/go.sum
index 21b6b95485..9329033539 100644
--- a/internal/apps/go.sum
+++ b/internal/apps/go.sum
@@ -1,15 +1,13 @@
-github.com/DataDog/appsec-internal-go v1.7.0 h1:iKRNLih83dJeVya3IoUfK+6HLD/hQsIbyBlfvLmAeb0=
-github.com/DataDog/appsec-internal-go v1.7.0/go.mod h1:wW0cRfWBo4C044jHGwYiyh5moQV2x0AhnwqMuiX7O/g=
-github.com/DataDog/datadog-agent/pkg/obfuscate v0.52.1 h1:/oxF4p/4XUGNpNw2TE7vDu/pJV3elEAZ+jES0/MWtiI=
-github.com/DataDog/datadog-agent/pkg/obfuscate v0.52.1/go.mod h1:AVPQWekk3h9AOC7+plBlNB68Sy6UIGFoMMVUDeSoNoI=
-github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.52.1 h1:mmkGuCHBFuDBpuwNMcqtY1x1I2fCaPH2Br4xPAAjbkM=
-github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.52.1/go.mod h1:JhAilx32dkIgoDkFXquCTfaWDsAOfe+vfBaxbiZoPI0=
-github.com/DataDog/datadog-go/v5 v5.5.0 h1:G5KHeB8pWBNXT4Jtw0zAkhdxEAWSpWH00geHI6LDrKU=
-github.com/DataDog/datadog-go/v5 v5.5.0/go.mod h1:K9kcYBlxkcPP8tvvjZZKs/m1edNAUFzBbdpTUKfCsuw=
-github.com/DataDog/go-libddwaf/v3 v3.3.0 h1:jS72fuQpFgJZEdEJDmHJCPAgNTEMZoz1EUvimPUOiJ4=
-github.com/DataDog/go-libddwaf/v3 v3.3.0/go.mod h1:Bz/0JkpGf689mzbUjKJeheJINqsyyhM8p9PDuHdK2Ec=
-github.com/DataDog/go-sqllexer v0.0.11 h1:OfPBjmayreblOXreszbrOTICNZ3qWrA6Bg4sypvxpbw=
-github.com/DataDog/go-sqllexer v0.0.11/go.mod h1:KwkYhpFEVIq+BfobkTC1vfqm4gTi65skV/DpDBXtexc=
+github.com/DataDog/appsec-internal-go v1.8.0 h1:1Tfn3LEogntRqZtf88twSApOCAAO3V+NILYhuQIo4J4=
+github.com/DataDog/appsec-internal-go v1.8.0/go.mod h1:wW0cRfWBo4C044jHGwYiyh5moQV2x0AhnwqMuiX7O/g=
+github.com/DataDog/datadog-agent/pkg/obfuscate v0.48.0 h1:bUMSNsw1iofWiju9yc1f+kBd33E3hMJtq9GuU602Iy8=
+github.com/DataDog/datadog-agent/pkg/obfuscate v0.48.0/go.mod h1:HzySONXnAgSmIQfL6gOv9hWprKJkx8CicuXuUbmgWfo=
+github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.57.0 h1:LplNAmMgZvGU7kKA0+4c1xWOjz828xweW5TCi8Mw9Q0=
+github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.57.0/go.mod h1:4Vo3SJ24uzfKHUHLoFa8t8o+LH+7TCQ7sPcZDtOpSP4=
+github.com/DataDog/datadog-go/v5 v5.3.0 h1:2q2qjFOb3RwAZNU+ez27ZVDwErJv5/VpbBPprz7Z+s8=
+github.com/DataDog/datadog-go/v5 v5.3.0/go.mod h1:XRDJk1pTc00gm+ZDiBKsjh7oOOtJfYfglVCmFb8C2+Q=
+github.com/DataDog/go-libddwaf/v3 v3.4.0 h1:NJ2W2vhYaOm1OWr1LJCbdgp7ezG/XLJcQKBmjFwhSuM=
+github.com/DataDog/go-libddwaf/v3 v3.4.0/go.mod h1:n98d9nZ1gzenRSk53wz8l6d34ikxS+hs62A31Fqmyi4=
github.com/DataDog/go-tuf v1.1.0-0.5.2 h1:4CagiIekonLSfL8GMHRHcHudo1fQnxELS9g4tiAupQ4=
github.com/DataDog/go-tuf v1.1.0-0.5.2/go.mod h1:zBcq6f654iVqmkk8n2Cx81E1JnNTMOAx1UEO/wZR+P0=
github.com/DataDog/gostackparse v0.7.0 h1:i7dLkXHvYzHV308hnkvVGDL3BR4FWl7IsXNPz/IGQh4=
@@ -72,8 +70,9 @@ github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyua
github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
github.com/outcaste-io/ristretto v0.2.3 h1:AK4zt/fJ76kjlYObOeNwh4T3asEuaCmp26pOvUOL9w0=
github.com/outcaste-io/ristretto v0.2.3/go.mod h1:W8HywhmtlopSB1jeMg3JtdIhf+DYkLAr0VN/s4+MHac=
-github.com/philhofer/fwd v1.1.2 h1:bnDivRJ1EWPjUIRXV5KfORO897HTbpFAQddBdE8t7Gw=
-github.com/philhofer/fwd v1.1.2/go.mod h1:qkPdfjR2SIEbspLqpe1tO4n5yICnr2DY7mqEx2tUTP0=
+github.com/philhofer/fwd v1.1.3-0.20240612014219-fbbf4953d986 h1:jYi87L8j62qkXzaYHAQAhEapgukhenIMZRBKTNRLHJ4=
+github.com/philhofer/fwd v1.1.3-0.20240612014219-fbbf4953d986/go.mod h1:RqIHx9QI14HlwKwm98g9Re5prTQ6LdeRQn+gXJFxsJM=
+github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -106,8 +105,8 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/tinylib/msgp v1.1.9 h1:SHf3yoO2sGA0veCJeCBYLHuttAVFHGm2RHgNodW7wQU=
-github.com/tinylib/msgp v1.1.9/go.mod h1:BCXGB54lDD8qUEPmiG0cQQUANC4IUQyB2ItS2UDlO/k=
+github.com/tinylib/msgp v1.2.1 h1:6ypy2qcCznxpP4hpORzhtXyTqrBs7cfM9MCCWY8zsmU=
+github.com/tinylib/msgp v1.2.1/go.mod h1:2vIGs3lcUo8izAATNobrCHevYZC/LMsJtw4JPiYPHro=
github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
@@ -116,16 +115,14 @@ go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
-golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
+golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
-golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0=
+golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
-golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
-golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
@@ -139,18 +136,18 @@ golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7w
golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220627191245-f75cf1eec38b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
-golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.23.0 h1:YfKFowiIMvtgl1UERQoTPPToxltDeZfbj4H7dVUCwmM=
+golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
-golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
+golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA=
-golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
+golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA=
+golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
diff --git a/internal/apps/scenario_test.go b/internal/apps/scenario_test.go
index 438b39a845..b7dbd03a0d 100644
--- a/internal/apps/scenario_test.go
+++ b/internal/apps/scenario_test.go
@@ -66,6 +66,42 @@ func TestScenario(t *testing.T) {
})
}
})
+
+ t.Run("gc-overhead", func(t *testing.T) {
+ scenarios := []struct {
+ version string
+ endpoints []string
+ }{
+ {"v1", []string{"/vehicles/update_location", "/vehicles/list"}},
+ }
+ for _, s := range scenarios {
+ t.Run(s.version, func(t *testing.T) {
+ lc := newLaunchConfig(t)
+ lc.Version = s.version
+ process := lc.Launch(t)
+ defer process.Stop(t)
+ wc.HitEndpoints(t, process, s.endpoints...)
+ })
+ }
+ })
+
+ t.Run("worker-pool-bottleneck", func(t *testing.T) {
+ scenarios := []struct {
+ version string
+ endpoints []string
+ }{
+ {"v1", []string{"/queue/push"}},
+ }
+ for _, s := range scenarios {
+ t.Run(s.version, func(t *testing.T) {
+ lc := newLaunchConfig(t)
+ lc.Version = s.version
+ process := lc.Launch(t)
+ defer process.Stop(t)
+ wc.HitEndpoints(t, process, s.endpoints...)
+ })
+ }
+ })
}
func newWorkloadConfig(t *testing.T) (wc workloadConfig) {
@@ -152,6 +188,13 @@ func appName(t *testing.T) string {
}
func serviceName(t *testing.T) string {
+ // Allow overriding the service name via env var
+ ddService := os.Getenv("DD_SERVICE")
+ if ddService != "" {
+ return ddService
+ }
+
+ // Otherwise derive the service name from the test name
return "dd-trace-go/" + strings.Join(strings.Split(t.Name(), "/")[1:], "/")
}
diff --git a/internal/apps/worker-pool-bottleneck/main.go b/internal/apps/worker-pool-bottleneck/main.go
new file mode 100644
index 0000000000..f217fd485d
--- /dev/null
+++ b/internal/apps/worker-pool-bottleneck/main.go
@@ -0,0 +1,143 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+// worker-pool-bottleneck implements a http service that demonstrates a worker
+// pool bottleneck. In particular the service simulates an application that
+// has a queue processing pipeline that consists of:
+//
+// 1. ConsumeMessageWorker: Pulls messages from a queue.
+// 2. DecodeMessageWorker: Decodes messages.
+// 3. LLMMessageWorker: Makes a long-latency call.
+// 4. PublishMessageWorker: Publishes messages.
+//
+// The LLMMessageWorker is the bottleneck in the pipeline because it doesn't
+// have enough workers to keep up with the other workers. This causes the
+// ConsumeMessageWorker and DecodeMessageWorker to block on send operations.
+//
+// The primary use case is to take screenshots of the timeline feature.
+package main
+
+import (
+ "encoding/json"
+ "io"
+ "log"
+ "math/rand/v2"
+ "net"
+ "net/http"
+ "time"
+
+ "github.com/DataDog/dd-trace-go/internal/apps"
+ httptrace "github.com/DataDog/dd-trace-go/v2/contrib/net/http"
+)
+
+func main() {
+ // Init queue
+ queue, err := NewQueue()
+ if err != nil {
+ log.Fatalf("failed to create queue: %v", err)
+ }
+
+ // Start app
+ app := apps.Config{}
+ app.RunHTTP(func() http.Handler {
+ // Setup workers
+ consumeDecode := make(chan []byte)
+ decodeLLM := make(chan any)
+ llmPublish := make(chan any)
+ go ConsumeMessageWorker(queue, consumeDecode)
+ for range 4 {
+ go DecodeMessageWorker(consumeDecode, decodeLLM)
+ go LLMMessageWorker(decodeLLM, llmPublish, app.HTTPAddr())
+ go PublishMessageWorker(llmPublish)
+ }
+
+ // Setup HTTP handlers
+ mux := httptrace.NewServeMux()
+ mux.HandleFunc("/queue/push", QueuePushHandler(queue))
+ mux.HandleFunc("/llm", LLMHandler())
+ return mux
+ })
+}
+
+func QueuePushHandler(queue *Queue) http.HandlerFunc {
+ data, _ := fakePayload(16 * 1024)
+ return func(w http.ResponseWriter, r *http.Request) {
+ for i := 0; i < 100; i++ {
+ if err := queue.Push(data); err != nil {
+ log.Fatalf("failed to push message: %v", err)
+ }
+ }
+ }
+}
+
+func LLMHandler() http.HandlerFunc {
+ return func(w http.ResponseWriter, r *http.Request) {
+ // Flush out the headers and a short message
+ w.WriteHeader(http.StatusOK)
+ rc := http.NewResponseController(w)
+ w.Write([]byte("hello\n"))
+ rc.Flush()
+ // Wait to simulate a long time to respond
+ time.Sleep(time.Duration(rand.Float64() * 100 * float64(time.Millisecond)))
+ // Flush out another short message and finish the response
+ w.Write([]byte("world\n"))
+ rc.Flush()
+ }
+}
+
+func fakePayload(elements int) ([]byte, error) {
+ var payload []int
+ for i := 0; i < elements; i++ {
+ payload = append(payload, i)
+ }
+ return json.Marshal(payload)
+}
+
+func ConsumeMessageWorker(queue *Queue, decode chan<- []byte) {
+ for {
+ msg, err := queue.Pull()
+ if err != nil {
+ log.Fatalf("failed to pull message: %v", err)
+ }
+ decode <- msg
+ }
+}
+
+func DecodeMessageWorker(decode <-chan []byte, llm chan<- any) {
+ for {
+ msg := <-decode
+ var data interface{}
+ if err := json.Unmarshal(msg, &data); err != nil {
+ log.Fatalf("failed to decode message: %v: %q", err, string(msg))
+ }
+ llm <- data
+ }
+}
+
+func LLMMessageWorker(llm <-chan any, db chan<- any, addr net.Addr) {
+ for {
+ msg := <-llm
+ llmCall(addr)
+ db <- msg
+ }
+}
+
+func PublishMessageWorker(db <-chan any) {
+ for {
+ <-db
+ }
+}
+
+func llmCall(addr net.Addr) error {
+ res, err := http.Get("http://" + addr.String() + "/llm")
+ if err != nil {
+ return err
+ }
+ defer res.Body.Close()
+ // Ensure that llmCall will spend most of its time in a networking state
+ // so it looks purple in the timeline.
+ _, err = io.ReadAll(res.Body)
+ return err
+}
diff --git a/internal/apps/worker-pool-bottleneck/queue.go b/internal/apps/worker-pool-bottleneck/queue.go
new file mode 100644
index 0000000000..c6a2436c2c
--- /dev/null
+++ b/internal/apps/worker-pool-bottleneck/queue.go
@@ -0,0 +1,98 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package main
+
+import (
+ "encoding/binary"
+ "fmt"
+ "io"
+ "log"
+ "net"
+ "sync"
+)
+
+// Queue pretends to be a networked message queue. In particular it arranges
+// for calls Pull() to be blocked in a stack trace doing a net.Conn.Read().
+type Queue struct {
+ listener net.Listener
+ conn net.Conn
+ pushMutex sync.Mutex
+ pullMutex sync.Mutex
+}
+
+func NewQueue() (q *Queue, err error) {
+ q = &Queue{}
+ q.listener, err = net.Listen("tcp", "localhost:0")
+ if err != nil {
+ return nil, fmt.Errorf("failed to start TCP server: %v", err)
+ }
+
+ go q.echoServer()
+
+ q.conn, err = net.Dial("tcp", q.listener.Addr().String())
+ if err != nil {
+ return nil, fmt.Errorf("failed to dial TCP server: %v", err)
+ }
+
+ return q, nil
+}
+
+func (q *Queue) echoServer() {
+ conn, err := q.listener.Accept()
+ if err != nil {
+ log.Fatalf("failed to accept connection: %v\n", err)
+ return
+ }
+ defer conn.Close()
+
+ if _, err := io.Copy(conn, conn); err != nil {
+ log.Fatalf("failed to copy data: %v\n", err)
+ return
+ }
+}
+
+func (q *Queue) Push(data []byte) error {
+ q.pushMutex.Lock()
+ defer q.pushMutex.Unlock()
+
+ // Send the length of the message first
+ err := binary.Write(q.conn, binary.BigEndian, uint64(len(data)))
+ if err != nil {
+ return fmt.Errorf("failed to send message length: %v", err)
+ }
+
+ // Send the actual message
+ _, err = q.conn.Write(data)
+ if err != nil {
+ return fmt.Errorf("failed to send message: %v", err)
+ }
+ return nil
+}
+
+func (q *Queue) Pull() ([]byte, error) {
+ q.pullMutex.Lock()
+ defer q.pullMutex.Unlock()
+
+ // Read the length of the message first
+ var length uint64
+ err := binary.Read(q.conn, binary.BigEndian, &length)
+ if err != nil {
+ return nil, fmt.Errorf("failed to read message length: %v", err)
+ }
+
+ // Read the actual message
+ data := make([]byte, length)
+ _, err = io.ReadFull(q.conn, data)
+ if err != nil {
+ return nil, fmt.Errorf("failed to read message: %v", err)
+ }
+ return data, nil
+}
+
+func (q *Queue) Close() {
+ q.listener.Close()
+ q.conn.Close()
+}
diff --git a/internal/appsec/README.md b/internal/appsec/README.md
new file mode 100644
index 0000000000..dc65d03551
--- /dev/null
+++ b/internal/appsec/README.md
@@ -0,0 +1,147 @@
+# Appsec Go Design
+
+This document describes the design of the `internal/appsec` package and everything under it. This package is responsible
+for securing the application by monitoring the operations that are executed by the application and applying actions in
+case a security threats is detected.
+
+Most of the work is to forward information to the module `github.com/DataDog/go-libddwaf` which contains the WAF
+(Web Application Firewall) engine. The WAF does most of the decision making about events and actions. Our goal is to
+connect the different parts of the application and the WAF engine while keeping up to date the various sources of
+configuration that the WAF engine uses.
+
+### Instrumentation Gateway: Dyngo
+
+Having the customer (or orchestrion) instrument their code is the hardest part of the job. That's why we want to provide
+the simplest API possible for them to use. This means loosing the flexibility or enabling and disabling multiple
+products and features at runtime. Flexibility that we still want to provide to the customer, that's why behind every
+API entrypoint present in `dd-trace-go/contrib` that support appsec is a call to the `internal/appsec/dyngo` package.
+
+```mermaid
+flowchart LR
+
+UserCode[User Code] --> Instrumentation --> IG{Instrumentation Gateway} -----> Listener
+```
+
+Dyngo is a context-scoped event listener system that provide a way to listen dynamically to events that are happening in
+the customer code and to react to configuration changes and hot-swap event listeners at runtime.
+
+```mermaid
+flowchart LR
+
+UserCode[User Code] --> appsec/emitter --> IG{dyngo} -----> appsec/listener
+```
+
+### Operation definition requirements
+
+* Each operation must have a `Start*` and a `Finish` method covering calls to dyngo.
+* The content of the arguments and results should not require any external package, at most the standard library.
+
+Example operation:
+
+```go
+package main
+
+import (
+ "context"
+
+ "github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
+ "github.com/DataDog/dd-trace-go/v2/internal/log"
+)
+
+type (
+ ExampleOperation struct {
+ dyngo.Operation
+ }
+
+ ExampleOperationArgs struct {
+ Type string
+ }
+
+ ExampleOperationResult struct {
+ Code int
+ }
+)
+
+func (ExampleOperationArgs) IsArgOf(*ExampleOperation) {}
+func (ExampleOperationResult) IsResultOf(*ExampleOperation) {}
+
+func StartExampleOperation(ctx context.Context, args ExampleOperationArgs) *ExampleOperation {
+ parent, ok := dyngo.FromContext(ctx)
+ if !ok {
+ log.Error("No parent operation found")
+ return nil
+ }
+ op := &ExampleOperation{
+ Operation: dyngo.NewOperation(parent),
+ }
+ return dyngo.StartOperation(op, args)
+}
+
+func (op *ExampleOperation) Finish(result ExampleOperationResult) {
+ dyngo.FinishOperation(op, result)
+}
+```
+
+> [!CAUTION]
+> Importing external packages in the operation definition will probably cause circular dependencies. This is because
+> the operation definition can be used in the package is will instrument, and the package that will instrument it will
+> probably import the operation definition.
+
+### Operation Stack
+
+Current state of the possible operation stacks
+
+```mermaid
+flowchart TD
+
+ subgraph Top Level Operation
+ SES[trace.ServiceEntrySpanOperation]
+
+ Context[waf.ContextOperation]
+
+ HTTPH[httpsec.HandlerOperation]
+ GRPCH[grpcsec.HandlerOperation]
+ GQL[graphqlsec.RequestOperation]
+ end
+
+ subgraph HTTP
+ RequestBody([httpsec.MonitorRequestBody])
+ Roundtripper[httpsec.RoundTripOperation]
+ end
+
+ subgraph GRPC
+ RequestMessage([grpcsec.MonitorRequestMessage])
+ ResponseMessage([grpcsec.MonitorResponseMessage])
+ end
+
+ subgraph GraphQL
+ Exec[graphqlsec.ExecutionOperation]
+ Resolve[graphqlsec.ResolveOperation]
+ end
+
+ Code{User Code}
+
+ SES --> Context
+ Context --> HTTPH --> Code
+ Context --> GRPCH --> Code
+ Context --> GQL
+
+ GQL --> Exec --> Resolve --> Code
+
+ Code --> RequestBody
+
+ Code --> RequestMessage
+ Code --> ResponseMessage
+
+ Code --> Span[trace.SpanOperation]
+
+ Span --> Roundtripper
+ Span --> OS[ossec.OpenOperation]
+ Span --> SQL[sqlsec.SQLOperation]
+ Span --> User[usersec.UserOperation]
+```
+
+> [!IMPORTANT]
+> Please note that this is how the operation SHOULD be stacked. If the user code does not have a Top Level Operation
+> then nothing will be monitored. In this case an error log should be produced to explain thouroughly the issue to
+> the user.
diff --git a/internal/appsec/_testlib/require.go b/internal/appsec/_testlib/require.go
deleted file mode 100644
index 77cde3e06c..0000000000
--- a/internal/appsec/_testlib/require.go
+++ /dev/null
@@ -1,20 +0,0 @@
-// Unless explicitly stated otherwise all files in this repository are licensed
-// under the Apache License Version 2.0.
-// This product includes software developed at Datadog (https://www.datadoghq.com/).
-// Copyright 2016 Datadog, Inc.
-
-package testlib
-
-import (
- "testing"
-
- "github.com/stretchr/testify/require"
-)
-
-// RequireContainsMapSubset requires that the given map m contains the given subset map keys and values.
-func RequireContainsMapSubset(t *testing.T, m map[string]interface{}, subset map[string]interface{}) {
- for k, v := range subset {
- require.Contains(t, m, k)
- require.Equal(t, v, m[k])
- }
-}
diff --git a/internal/appsec/appsec.go b/internal/appsec/appsec.go
index 34a9018a92..93e8d1e33d 100644
--- a/internal/appsec/appsec.go
+++ b/internal/appsec/appsec.go
@@ -9,8 +9,8 @@ import (
"fmt"
"sync"
- "github.com/DataDog/appsec-internal-go/limiter"
appsecLog "github.com/DataDog/appsec-internal-go/log"
+ "github.com/DataDog/dd-trace-go/v2/internal/appsec/listener"
waf "github.com/DataDog/go-libddwaf/v3"
"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
@@ -134,10 +134,10 @@ func setActiveAppSec(a *appsec) {
}
type appsec struct {
- cfg *config.Config
- limiter *limiter.TokenTicker
- wafHandle *waf.Handle
- started bool
+ cfg *config.Config
+ features []listener.Feature
+ featuresMu sync.Mutex
+ started bool
}
func newAppSec(cfg *config.Config) *appsec {
@@ -160,11 +160,8 @@ func (a *appsec) start(telemetry *appsecTelemetry) error {
log.Error("appsec: non-critical error while loading libddwaf: %v", err)
}
- a.limiter = limiter.NewTokenTicker(a.cfg.TraceRateLimit, a.cfg.TraceRateLimit)
- a.limiter.Start()
-
- // Register the WAF operation event listener
- if err := a.swapWAF(a.cfg.RulesManager.Latest); err != nil {
+ // Register dyngo listeners
+ if err := a.SwapRootOperation(); err != nil {
return err
}
@@ -193,15 +190,23 @@ func (a *appsec) stop() {
// Disable RC blocking first so that the following is guaranteed not to be concurrent anymore.
a.disableRCBlocking()
+ a.featuresMu.Lock()
+ defer a.featuresMu.Unlock()
+
// Disable the currently applied instrumentation
dyngo.SwapRootOperation(nil)
- if a.wafHandle != nil {
- a.wafHandle.Close()
- a.wafHandle = nil
- }
+
+ // Reset rules edits received from the remote configuration
+ // We skip the error because we can't do anything about and it was already logged in config.NewRulesManager
+ a.cfg.RulesManager, _ = config.NewRulesManager(nil)
+
// TODO: block until no more requests are using dyngo operations
- a.limiter.Stop()
+ for _, feature := range a.features {
+ feature.Stop()
+ }
+
+ a.features = nil
}
func init() {
diff --git a/internal/appsec/config/config.go b/internal/appsec/config/config.go
index 331f7c2591..08a6b635da 100644
--- a/internal/appsec/config/config.go
+++ b/internal/appsec/config/config.go
@@ -68,6 +68,30 @@ type Config struct {
// RC is the remote configuration client used to receive product configuration updates. Nil if RC is disabled (default)
RC *remoteconfig.ClientConfig
RASP bool
+ // SupportedAddresses are the addresses that the AppSec listener will bind to.
+ SupportedAddresses AddressSet
+}
+
+// AddressSet is a set of WAF addresses.
+type AddressSet map[string]struct{}
+
+func NewAddressSet(addrs []string) AddressSet {
+ set := make(AddressSet, len(addrs))
+ for _, addr := range addrs {
+ set[addr] = struct{}{}
+ }
+ return set
+}
+
+// AnyOf returns true if any of the addresses in the set are in the given list.
+func (set AddressSet) AnyOf(anyOf ...string) bool {
+ for _, addr := range anyOf {
+ if _, ok := set[addr]; ok {
+ return true
+ }
+ }
+
+ return false
}
// WithRCConfig sets the AppSec remote config client configuration to the specified cfg
@@ -105,7 +129,7 @@ func NewConfig() (*Config, error) {
return nil, err
}
- r, err := NewRulesManeger(rules)
+ r, err := NewRulesManager(rules)
if err != nil {
return nil, err
}
diff --git a/internal/appsec/config/rules_manager.go b/internal/appsec/config/rules_manager.go
index 75018011f0..9fdd872834 100644
--- a/internal/appsec/config/rules_manager.go
+++ b/internal/appsec/config/rules_manager.go
@@ -8,6 +8,7 @@ package config
import (
"encoding/json"
"fmt"
+ "slices"
"github.com/DataDog/dd-trace-go/v2/internal/log"
@@ -28,24 +29,21 @@ type (
}
// RulesFragment can represent a full ruleset or a fragment of it.
RulesFragment struct {
- Version string `json:"version,omitempty"`
- Metadata any `json:"metadata,omitempty"`
- Rules []any `json:"rules,omitempty"`
- Overrides []any `json:"rules_override,omitempty"`
- Exclusions []any `json:"exclusions,omitempty"`
- RulesData []RuleDataEntry `json:"rules_data,omitempty"`
- Actions []any `json:"actions,omitempty"`
- CustomRules []any `json:"custom_rules,omitempty"`
- Processors []any `json:"processors,omitempty"`
- Scanners []any `json:"scanners,omitempty"`
+ Version string `json:"version,omitempty"`
+ Metadata any `json:"metadata,omitempty"`
+ Rules []any `json:"rules,omitempty"`
+ Overrides []any `json:"rules_override,omitempty"`
+ Exclusions []any `json:"exclusions,omitempty"`
+ ExclusionData []DataEntry `json:"exclusion_data,omitempty"`
+ RulesData []DataEntry `json:"rules_data,omitempty"`
+ Actions []any `json:"actions,omitempty"`
+ CustomRules []any `json:"custom_rules,omitempty"`
+ Processors []any `json:"processors,omitempty"`
+ Scanners []any `json:"scanners,omitempty"`
}
- // RuleDataEntry represents an entry in the "rules_data" top level field of a rules file
- RuleDataEntry rc.ASMDataRuleData
- // RulesData is a slice of RulesDataEntry
- RulesData struct {
- RulesData []RuleDataEntry `json:"rules_data"`
- }
+ // DataEntry represents an entry in the "rules_data" top level field of a rules file
+ DataEntry rc.ASMDataRuleData
)
// DefaultRulesFragment returns a RulesFragment created using the default static recommended rules
@@ -60,27 +58,20 @@ func DefaultRulesFragment() RulesFragment {
func (f *RulesFragment) clone() (clone RulesFragment) {
clone.Version = f.Version
clone.Metadata = f.Metadata
- clone.Overrides = cloneSlice(f.Overrides)
- clone.Exclusions = cloneSlice(f.Exclusions)
- clone.RulesData = cloneSlice(f.RulesData)
- clone.CustomRules = cloneSlice(f.CustomRules)
- clone.Processors = cloneSlice(f.Processors)
- clone.Scanners = cloneSlice(f.Scanners)
- // TODO (Francois Mazeau): copy more fields once we handle them
+ clone.Overrides = slices.Clone(f.Overrides)
+ clone.Exclusions = slices.Clone(f.Exclusions)
+ clone.ExclusionData = slices.Clone(f.ExclusionData)
+ clone.RulesData = slices.Clone(f.RulesData)
+ clone.CustomRules = slices.Clone(f.CustomRules)
+ clone.Processors = slices.Clone(f.Processors)
+ clone.Scanners = slices.Clone(f.Scanners)
return
}
-func cloneSlice[T any](slice []T) []T {
- // TODO: use slices.Clone once go1.21 is the min supported go runtime.
- clone := make([]T, len(slice), cap(slice))
- copy(clone, slice)
- return clone
-}
-
-// NewRulesManeger initializes and returns a new RulesManager using the provided rules.
+// NewRulesManager initializes and returns a new RulesManager using the provided rules.
// If no rules are provided (nil), the default rules are used instead.
// If the provided rules are invalid, an error is returned
-func NewRulesManeger(rules []byte) (*RulesManager, error) {
+func NewRulesManager(rules []byte) (*RulesManager, error) {
var f RulesFragment
if rules == nil {
f = DefaultRulesFragment()
@@ -135,6 +126,7 @@ func (r *RulesManager) Compile() {
for _, v := range r.Edits {
r.Latest.Overrides = append(r.Latest.Overrides, v.Overrides...)
r.Latest.Exclusions = append(r.Latest.Exclusions, v.Exclusions...)
+ r.Latest.ExclusionData = append(r.Latest.ExclusionData, v.ExclusionData...)
r.Latest.Actions = append(r.Latest.Actions, v.Actions...)
r.Latest.RulesData = append(r.Latest.RulesData, v.RulesData...)
r.Latest.CustomRules = append(r.Latest.CustomRules, v.CustomRules...)
diff --git a/internal/appsec/emitter/trace/service_entry_span.go b/internal/appsec/emitter/trace/service_entry_span.go
new file mode 100644
index 0000000000..a1f25db400
--- /dev/null
+++ b/internal/appsec/emitter/trace/service_entry_span.go
@@ -0,0 +1,158 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package trace
+
+import (
+ "context"
+ "encoding/json"
+ "sync"
+
+ "github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
+ "github.com/DataDog/dd-trace-go/v2/internal/log"
+)
+
+type (
+ // ServiceEntrySpanOperation is a dyngo.Operation that holds a the first span of a service. Usually a http or grpc span.
+ ServiceEntrySpanOperation struct {
+ dyngo.Operation
+ tags map[string]any
+ jsonTags map[string]any
+ mu sync.Mutex
+ }
+
+ // ServiceEntrySpanArgs is the arguments for a ServiceEntrySpanOperation
+ ServiceEntrySpanArgs struct{}
+
+ // ServiceEntrySpanTag is a key value pair event that is used to tag a service entry span
+ ServiceEntrySpanTag struct {
+ Key string
+ Value any
+ }
+
+ // JSONServiceEntrySpanTag is a key value pair event that is used to tag a service entry span
+ // It will be serialized as JSON when added to the span
+ JSONServiceEntrySpanTag struct {
+ Key string
+ Value any
+ }
+
+ // ServiceEntrySpanTagsBulk is a bulk event that is used to send tags to a service entry span
+ ServiceEntrySpanTagsBulk struct {
+ Tags []JSONServiceEntrySpanTag
+ SerializableTags []JSONServiceEntrySpanTag
+ }
+)
+
+func (ServiceEntrySpanArgs) IsArgOf(*ServiceEntrySpanOperation) {}
+
+// SetTag adds the key/value pair to the tags to add to the service entry span
+func (op *ServiceEntrySpanOperation) SetTag(key string, value any) {
+ op.mu.Lock()
+ defer op.mu.Unlock()
+ op.tags[key] = value
+}
+
+// SetSerializableTag adds the key/value pair to the tags to add to the service entry span.
+// The value MAY be serialized as JSON if necessary but simple types will not be serialized.
+func (op *ServiceEntrySpanOperation) SetSerializableTag(key string, value any) {
+ op.mu.Lock()
+ defer op.mu.Unlock()
+ op.setSerializableTag(key, value)
+}
+
+// SetSerializableTags adds the key/value pairs to the tags to add to the service entry span.
+// Values MAY be serialized as JSON if necessary but simple types will not be serialized.
+func (op *ServiceEntrySpanOperation) SetSerializableTags(tags map[string]any) {
+ op.mu.Lock()
+ defer op.mu.Unlock()
+ for key, value := range tags {
+ op.setSerializableTag(key, value)
+ }
+}
+
+func (op *ServiceEntrySpanOperation) setSerializableTag(key string, value any) {
+ switch value.(type) {
+ case string, int8, int16, int32, int64, uint8, uint16, uint32, uint64, float32, float64, bool:
+ op.tags[key] = value
+ default:
+ op.jsonTags[key] = value
+ }
+}
+
+// SetTags fills the span tags using the key/value pairs found in `tags`
+func (op *ServiceEntrySpanOperation) SetTags(tags map[string]any) {
+ op.mu.Lock()
+ defer op.mu.Unlock()
+ for k, v := range tags {
+ op.tags[k] = v
+ }
+}
+
+// SetStringTags fills the span tags using the key/value pairs found in `tags`
+func (op *ServiceEntrySpanOperation) SetStringTags(tags map[string]string) {
+ op.mu.Lock()
+ defer op.mu.Unlock()
+ for k, v := range tags {
+ op.tags[k] = v
+ }
+}
+
+// OnServiceEntrySpanTagEvent is a callback that is called when a dyngo.OnData is triggered with a ServiceEntrySpanTag event
+func (op *ServiceEntrySpanOperation) OnServiceEntrySpanTagEvent(tag ServiceEntrySpanTag) {
+ op.SetTag(tag.Key, tag.Value)
+}
+
+// OnJSONServiceEntrySpanTagEvent is a callback that is called when a dyngo.OnData is triggered with a JSONServiceEntrySpanTag event
+func (op *ServiceEntrySpanOperation) OnJSONServiceEntrySpanTagEvent(tag JSONServiceEntrySpanTag) {
+ op.SetSerializableTag(tag.Key, tag.Value)
+}
+
+// OnServiceEntrySpanTagsBulkEvent is a callback that is called when a dyngo.OnData is triggered with a ServiceEntrySpanTagsBulk event
+func (op *ServiceEntrySpanOperation) OnServiceEntrySpanTagsBulkEvent(bulk ServiceEntrySpanTagsBulk) {
+ for _, v := range bulk.Tags {
+ op.SetTag(v.Key, v.Value)
+ }
+
+ for _, v := range bulk.SerializableTags {
+ op.SetSerializableTag(v.Key, v.Value)
+ }
+}
+
+// OnSpanTagEvent is a listener for SpanTag events.
+func (op *ServiceEntrySpanOperation) OnSpanTagEvent(tag SpanTag) {
+ op.SetTag(tag.Key, tag.Value)
+}
+
+func StartServiceEntrySpanOperation(ctx context.Context) (*ServiceEntrySpanOperation, context.Context) {
+ parent, _ := dyngo.FromContext(ctx)
+ op := &ServiceEntrySpanOperation{
+ Operation: dyngo.NewOperation(parent),
+ tags: make(map[string]any),
+ jsonTags: make(map[string]any),
+ }
+ return op, dyngo.StartAndRegisterOperation(ctx, op, ServiceEntrySpanArgs{})
+}
+
+func (op *ServiceEntrySpanOperation) Finish(span TagSetter) {
+ if _, ok := span.(*NoopTagSetter); ok { // If the span is a NoopTagSetter or is nil, we don't need to set any tags
+ return
+ }
+
+ op.mu.Lock()
+ defer op.mu.Unlock()
+
+ for k, v := range op.tags {
+ span.SetTag(k, v)
+ }
+
+ for k, v := range op.jsonTags {
+ strValue, err := json.Marshal(v)
+ if err != nil {
+ log.Debug("appsec: failed to marshal tag %s: %v", k, err)
+ }
+ span.SetTag(k, string(strValue))
+ }
+}
diff --git a/internal/appsec/emitter/trace/span.go b/internal/appsec/emitter/trace/span.go
new file mode 100644
index 0000000000..01e70b770a
--- /dev/null
+++ b/internal/appsec/emitter/trace/span.go
@@ -0,0 +1,67 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package trace
+
+import (
+ "context"
+ "sync"
+
+ "github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
+)
+
+type (
+ // SpanOperation is a dyngo.Operation that holds a ddtrace.Span.
+ // It used as a middleware for appsec code and the tracer code
+ // hopefully some day this operation will create spans instead of simply using them
+ SpanOperation struct {
+ dyngo.Operation
+ tags map[string]any
+ mu sync.Mutex
+ }
+
+ // SpanArgs is the arguments for a SpanOperation
+ SpanArgs struct{}
+
+ // SpanTag is a key value pair event that is used to tag the current span
+ SpanTag struct {
+ Key string
+ Value any
+ }
+)
+
+func (SpanArgs) IsArgOf(*SpanOperation) {}
+
+// SetTag adds the key/value pair to the tags to add to the span
+func (op *SpanOperation) SetTag(key string, value any) {
+ op.mu.Lock()
+ defer op.mu.Unlock()
+ op.tags[key] = value
+}
+
+// OnSpanTagEvent is a listener for SpanTag events.
+func (op *SpanOperation) OnSpanTagEvent(tag SpanTag) {
+ op.SetTag(tag.Key, tag.Value)
+}
+
+func StartSpanOperation(ctx context.Context) (*SpanOperation, context.Context) {
+ op := &SpanOperation{
+ tags: make(map[string]any),
+ }
+ return op, dyngo.StartAndRegisterOperation(ctx, op, SpanArgs{})
+}
+
+func (op *SpanOperation) Finish(span TagSetter) {
+ if _, ok := span.(*NoopTagSetter); ok { // If the span is a NoopTagSetter or is nil, we don't need to set any tags
+ return
+ }
+
+ op.mu.Lock()
+ defer op.mu.Unlock()
+
+ for k, v := range op.tags {
+ span.SetTag(k, v)
+ }
+}
diff --git a/internal/appsec/emitter/trace/tag_setter.go b/internal/appsec/emitter/trace/tag_setter.go
new file mode 100644
index 0000000000..a7f5bc1944
--- /dev/null
+++ b/internal/appsec/emitter/trace/tag_setter.go
@@ -0,0 +1,29 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package trace
+
+// TagSetter is the interface needed to set a span tag.
+type TagSetter interface {
+ SetTag(string, any)
+}
+
+// NoopTagSetter is a TagSetter that does nothing. Useful when no tracer
+// Span is available, but a TagSetter is assumed.
+type NoopTagSetter struct{}
+
+func (NoopTagSetter) SetTag(string, any) {
+ // Do nothing
+}
+
+type TestTagSetter map[string]any
+
+func (t TestTagSetter) SetTag(key string, value any) {
+ t[key] = value
+}
+
+func (t TestTagSetter) Tags() map[string]any {
+ return t
+}
diff --git a/internal/appsec/emitter/usersec/user.go b/internal/appsec/emitter/usersec/user.go
new file mode 100644
index 0000000000..2d87043c28
--- /dev/null
+++ b/internal/appsec/emitter/usersec/user.go
@@ -0,0 +1,51 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package usersec
+
+import (
+ "context"
+
+ "github.com/DataDog/dd-trace-go/v2/appsec/events"
+ "github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
+)
+
+const errorLog = `
+appsec: user login monitoring ignored: could not find the http handler instrumentation metadata in the request context:
+ the request handler is not being monitored by a middleware function or the provided context is not the expected request context
+`
+
+type (
+ // UserLoginOperation type representing a call to appsec.SetUser(). It gets both created and destroyed in a single
+ // call to ExecuteUserIDOperation
+ UserLoginOperation struct {
+ dyngo.Operation
+ }
+ // UserLoginOperationArgs is the user ID operation arguments.
+ UserLoginOperationArgs struct{}
+
+ // UserLoginOperationRes is the user ID operation results.
+ UserLoginOperationRes struct {
+ UserID string
+ SessionID string
+ Success bool
+ }
+)
+
+func StartUserLoginOperation(ctx context.Context, args UserLoginOperationArgs) (*UserLoginOperation, *error) {
+ parent, _ := dyngo.FromContext(ctx)
+ op := &UserLoginOperation{Operation: dyngo.NewOperation(parent)}
+ var err error
+ dyngo.OnData(op, func(e *events.BlockingSecurityEvent) { err = e })
+ dyngo.StartOperation(op, args)
+ return op, &err
+}
+
+func (op *UserLoginOperation) Finish(args UserLoginOperationRes) {
+ dyngo.FinishOperation(op, args)
+}
+
+func (UserLoginOperationArgs) IsArgOf(*UserLoginOperation) {}
+func (UserLoginOperationRes) IsResultOf(*UserLoginOperation) {}
diff --git a/internal/appsec/emitter/waf/actions/actions.go b/internal/appsec/emitter/waf/actions/actions.go
new file mode 100644
index 0000000000..34a3abdcc3
--- /dev/null
+++ b/internal/appsec/emitter/waf/actions/actions.go
@@ -0,0 +1,56 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package actions
+
+import (
+ "github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
+ "github.com/DataDog/dd-trace-go/v2/internal/log"
+)
+
+type (
+ // Action is a generic interface that represents any WAF action
+ Action interface {
+ EmitData(op dyngo.Operation)
+ }
+)
+
+type actionHandler func(map[string]any) []Action
+
+// actionHandlers is a map of action types to their respective handler functions
+// It is populated by the init functions of the actions packages
+var actionHandlers = map[string]actionHandler{}
+
+func registerActionHandler(aType string, handler actionHandler) {
+ if _, ok := actionHandlers[aType]; ok {
+ log.Warn("appsec: action type `%s` already registered", aType)
+ return
+ }
+ actionHandlers[aType] = handler
+}
+
+// SendActionEvents sends the relevant actions to the operation's data listener.
+// It returns true if at least one of those actions require interrupting the request handler
+// When SDKError is not nil, this error is sent to the op with EmitData so that the invoked SDK can return it
+func SendActionEvents(op dyngo.Operation, actions map[string]any) {
+ for aType, params := range actions {
+ log.Debug("appsec: processing %s action with params %v", aType, params)
+ params, ok := params.(map[string]any)
+ if !ok {
+ log.Debug("appsec: could not cast action params to map[string]any from %T", params)
+ continue
+ }
+
+ actionHandler, ok := actionHandlers[aType]
+ if !ok {
+ log.Debug("appsec: unknown action type `%s`", aType)
+ continue
+ }
+
+ for _, a := range actionHandler(params) {
+ a.EmitData(op)
+ }
+ }
+}
diff --git a/internal/appsec/emitter/waf/actions/actions_test.go b/internal/appsec/emitter/waf/actions/actions_test.go
new file mode 100644
index 0000000000..1e77c8e2d1
--- /dev/null
+++ b/internal/appsec/emitter/waf/actions/actions_test.go
@@ -0,0 +1,315 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package actions
+
+import (
+ "io"
+ "net/http"
+ "net/http/httptest"
+ "testing"
+
+ "github.com/stretchr/testify/require"
+)
+
+func TestNewHTTPBlockRequestAction(t *testing.T) {
+ mux := http.NewServeMux()
+ srv := httptest.NewServer(mux)
+ mux.HandleFunc("/json", newHTTPBlockRequestAction(403, "json").ServeHTTP)
+ mux.HandleFunc("/html", newHTTPBlockRequestAction(403, "html").ServeHTTP)
+ mux.HandleFunc("/auto", newHTTPBlockRequestAction(403, "auto").ServeHTTP)
+ defer srv.Close()
+
+ t.Run("json", func(t *testing.T) {
+ for _, tc := range []struct {
+ name string
+ accept string
+ }{
+ {
+ name: "no-accept",
+ },
+ {
+ name: "irrelevant-accept",
+ accept: "text/html",
+ },
+ {
+ name: "accept",
+ accept: "application/json",
+ },
+ } {
+ t.Run(tc.name, func(t *testing.T) {
+ req, err := http.NewRequest("POST", srv.URL+"/json", nil)
+ req.Header.Set("Accept", tc.accept)
+ require.NoError(t, err)
+ res, err := srv.Client().Do(req)
+ require.NoError(t, err)
+ defer res.Body.Close()
+ body, err := io.ReadAll(res.Body)
+ require.Equal(t, 403, res.StatusCode)
+ require.Equal(t, blockedTemplateJSON, body)
+ })
+ }
+ })
+
+ t.Run("html", func(t *testing.T) {
+ for _, tc := range []struct {
+ name string
+ accept string
+ }{
+ {
+ name: "no-accept",
+ },
+ {
+ name: "irrelevant-accept",
+ accept: "application/json",
+ },
+ {
+ name: "accept",
+ accept: "text/html",
+ },
+ } {
+ t.Run(tc.name, func(t *testing.T) {
+ req, err := http.NewRequest("POST", srv.URL+"/html", nil)
+ require.NoError(t, err)
+ res, err := srv.Client().Do(req)
+ require.NoError(t, err)
+ defer res.Body.Close()
+ body, err := io.ReadAll(res.Body)
+ require.Equal(t, 403, res.StatusCode)
+ require.Equal(t, blockedTemplateHTML, body)
+ })
+ }
+ })
+
+ t.Run("auto", func(t *testing.T) {
+ for _, tc := range []struct {
+ name string
+ accept string
+ expected []byte
+ }{
+ {
+ name: "no-accept",
+ expected: blockedTemplateJSON,
+ },
+ {
+ name: "json-accept-1",
+ accept: "application/json",
+ expected: blockedTemplateJSON,
+ },
+ {
+ name: "json-accept-2",
+ accept: "application/json,text/html",
+ expected: blockedTemplateJSON,
+ },
+ {
+ name: "json-accept-3",
+ accept: "irrelevant/content,application/json,text/html",
+ expected: blockedTemplateJSON,
+ },
+ {
+ name: "json-accept-4",
+ accept: "irrelevant/content,application/json,text/html,application/json",
+ expected: blockedTemplateJSON,
+ },
+ {
+ name: "html-accept-1",
+ accept: "text/html",
+ expected: blockedTemplateHTML,
+ },
+ {
+ name: "html-accept-2",
+ accept: "text/html,application/json",
+ expected: blockedTemplateHTML,
+ },
+ {
+ name: "html-accept-3",
+ accept: "irrelevant/content,text/html,application/json",
+ expected: blockedTemplateHTML,
+ },
+ {
+ name: "html-accept-4",
+ accept: "irrelevant/content,text/html,application/json,text/html",
+ expected: blockedTemplateHTML,
+ },
+ {
+ name: "irrelevant-accept",
+ accept: "irrelevant/irrelevant,application/html",
+ expected: blockedTemplateJSON,
+ },
+ } {
+ t.Run(tc.name, func(t *testing.T) {
+ req, err := http.NewRequest("POST", srv.URL+"/auto", nil)
+ req.Header.Set("Accept", tc.accept)
+ require.NoError(t, err)
+ res, err := srv.Client().Do(req)
+ require.NoError(t, err)
+ defer res.Body.Close()
+ body, err := io.ReadAll(res.Body)
+ require.Equal(t, 403, res.StatusCode)
+ require.Equal(t, tc.expected, body)
+ })
+ }
+ })
+}
+
+func TestNewRedirectRequestAction(t *testing.T) {
+ mux := http.NewServeMux()
+ srv := httptest.NewServer(mux)
+ mux.HandleFunc("/redirect-default-status", newRedirectRequestAction(100, "/redirected").ServeHTTP)
+ mux.HandleFunc("/redirect-no-location", newRedirectRequestAction(303, "").ServeHTTP)
+ mux.HandleFunc("/redirect1", newRedirectRequestAction(http.StatusFound, "/redirect2").ServeHTTP)
+ mux.HandleFunc("/redirect2", newRedirectRequestAction(http.StatusFound, "/redirected").ServeHTTP)
+ mux.HandleFunc("/redirected", func(w http.ResponseWriter, _ *http.Request) {
+ w.WriteHeader(http.StatusOK) // Shouldn't matter since we write 302 before arriving here
+ w.Write([]byte("Redirected"))
+ })
+ srv.Client().CheckRedirect = func(_ *http.Request, via []*http.Request) error {
+ require.GreaterOrEqual(t, len(via), 1)
+ require.Equal(t, "/redirect1", via[0].URL.Path)
+ if len(via) == 2 {
+ require.Equal(t, "/redirect2", via[1].URL.Path)
+ require.NotNil(t, via[1].Response)
+ require.Equal(t, http.StatusFound, via[1].Response.StatusCode)
+ }
+ return nil
+ }
+ defer srv.Close()
+
+ for _, tc := range []struct {
+ name string
+ url string
+ }{
+ {
+ name: "no-redirect",
+ url: "/redirected",
+ },
+ {
+ name: "redirect",
+ url: "/redirect1",
+ },
+ } {
+ t.Run(tc.name, func(t *testing.T) {
+ req, err := http.NewRequest("POST", srv.URL+tc.url, nil)
+ require.NoError(t, err)
+ res, err := srv.Client().Do(req)
+ require.NoError(t, err)
+ defer res.Body.Close()
+ body, err := io.ReadAll(res.Body)
+ require.Equal(t, http.StatusOK, res.StatusCode)
+ require.Equal(t, "Redirected", string(body))
+ })
+ }
+
+ // These tests check that redirect actions can handle bad parameter values
+ // - empty location: revert to default blocking action instead
+ // - status code outside of [300, 399]: default to 303
+ t.Run("no-location", func(t *testing.T) {
+ srv.Client().CheckRedirect = func(_ *http.Request, _ []*http.Request) error {
+ return nil
+ }
+ req, err := http.NewRequest("POST", srv.URL+"/redirect-no-location", nil)
+ require.NoError(t, err)
+ res, err := srv.Client().Do(req)
+ require.NoError(t, err)
+ defer res.Body.Close()
+ body, err := io.ReadAll(res.Body)
+ require.Equal(t, http.StatusForbidden, res.StatusCode)
+ require.Equal(t, blockedTemplateJSON, body)
+ })
+
+ t.Run("bad-status-code", func(t *testing.T) {
+ srv.Client().CheckRedirect = func(req *http.Request, via []*http.Request) error {
+ require.Equal(t, len(via), 1)
+ require.Equal(t, "/redirect-default-status", via[0].URL.Path)
+ require.Equal(t, 303, req.Response.StatusCode)
+ return nil
+ }
+ req, err := http.NewRequest("POST", srv.URL+"/redirect-default-status", nil)
+ require.NoError(t, err)
+ res, err := srv.Client().Do(req)
+ require.NoError(t, err)
+ defer res.Body.Close()
+ body, err := io.ReadAll(res.Body)
+ require.Equal(t, "Redirected", string(body))
+ })
+}
+
+func TestNewBlockParams(t *testing.T) {
+ for name, tc := range map[string]struct {
+ params map[string]any
+ expected blockActionParams
+ }{
+ "block-1": {
+ params: map[string]any{
+ "status_code": "403",
+ "type": "auto",
+ },
+ expected: blockActionParams{
+ Type: "auto",
+ StatusCode: 403,
+ },
+ },
+ "block-2": {
+ params: map[string]any{
+ "status_code": "405",
+ "type": "html",
+ },
+ expected: blockActionParams{
+ Type: "html",
+ StatusCode: 405,
+ },
+ },
+ } {
+ t.Run(name, func(t *testing.T) {
+ actionParams, err := blockParamsFromMap(tc.params)
+ require.NoError(t, err)
+ require.Equal(t, tc.expected.Type, actionParams.Type)
+ require.Equal(t, tc.expected.StatusCode, actionParams.StatusCode)
+ })
+ }
+}
+
+func TestNewRedirectParams(t *testing.T) {
+ for name, tc := range map[string]struct {
+ params map[string]any
+ expected redirectActionParams
+ }{
+ "redirect-1": {
+ params: map[string]any{
+ "status_code": "308",
+ "location": "/redirected",
+ },
+ expected: redirectActionParams{
+ Location: "/redirected",
+ StatusCode: 308,
+ },
+ },
+ "redirect-2": {
+ params: map[string]any{
+ "status_code": "303",
+ "location": "/tmp",
+ },
+ expected: redirectActionParams{
+ Location: "/tmp",
+ StatusCode: 303,
+ },
+ },
+ "no-location": {
+ params: map[string]any{
+ "status_code": "303",
+ },
+ expected: redirectActionParams{
+ Location: "",
+ StatusCode: 303,
+ },
+ },
+ } {
+ t.Run(name, func(t *testing.T) {
+ actionParams, err := redirectParamsFromMap(tc.params)
+ require.NoError(t, err)
+ require.Equal(t, tc.expected, actionParams)
+ })
+ }
+}
diff --git a/internal/appsec/emitter/waf/actions/block.go b/internal/appsec/emitter/waf/actions/block.go
new file mode 100644
index 0000000000..cd8d4991ab
--- /dev/null
+++ b/internal/appsec/emitter/waf/actions/block.go
@@ -0,0 +1,160 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package actions
+
+import (
+ _ "embed" // embed is used to embed the blocked-template.json and blocked-template.html files
+ "net/http"
+ "os"
+ "strings"
+
+ "github.com/DataDog/dd-trace-go/v2/appsec/events"
+ "github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
+ "github.com/DataDog/dd-trace-go/v2/internal/log"
+ "github.com/mitchellh/mapstructure"
+)
+
+// blockedTemplateJSON is the default JSON template used to write responses for blocked requests
+//
+//go:embed blocked-template.json
+var blockedTemplateJSON []byte
+
+// blockedTemplateHTML is the default HTML template used to write responses for blocked requests
+//
+//go:embed blocked-template.html
+var blockedTemplateHTML []byte
+
+const (
+ envBlockedTemplateHTML = "DD_APPSEC_HTTP_BLOCKED_TEMPLATE_HTML"
+ envBlockedTemplateJSON = "DD_APPSEC_HTTP_BLOCKED_TEMPLATE_JSON"
+)
+
+func init() {
+ for env, template := range map[string]*[]byte{envBlockedTemplateJSON: &blockedTemplateJSON, envBlockedTemplateHTML: &blockedTemplateHTML} {
+ if path, ok := os.LookupEnv(env); ok {
+ if t, err := os.ReadFile(path); err != nil {
+ log.Error("Could not read template at %s: %v", path, err)
+ } else {
+ *template = t
+ }
+ }
+ }
+
+ registerActionHandler("block_request", NewBlockAction)
+}
+
+type (
+ // blockActionParams are the dynamic parameters to be provided to a "block_request"
+ // action type upon invocation
+ blockActionParams struct {
+ // GRPCStatusCode is the gRPC status code to be returned. Since 0 is the OK status, the value is nullable to
+ // be able to distinguish between unset and defaulting to Abort (10), or set to OK (0).
+ GRPCStatusCode *int `mapstructure:"grpc_status_code,omitempty"`
+ StatusCode int `mapstructure:"status_code"`
+ Type string `mapstructure:"type,omitempty"`
+ }
+ // GRPCWrapper is an opaque prototype abstraction for a gRPC handler (to avoid importing grpc)
+ // that returns a status code and an error
+ GRPCWrapper func() (uint32, error)
+
+ // BlockGRPC are actions that interact with a GRPC request flow
+ BlockGRPC struct {
+ GRPCWrapper
+ }
+
+ // BlockHTTP are actions that interact with an HTTP request flow
+ BlockHTTP struct {
+ http.Handler
+ }
+)
+
+func (a *BlockGRPC) EmitData(op dyngo.Operation) {
+ dyngo.EmitData(op, a)
+ dyngo.EmitData(op, &events.BlockingSecurityEvent{})
+}
+
+func (a *BlockHTTP) EmitData(op dyngo.Operation) {
+ dyngo.EmitData(op, a)
+ dyngo.EmitData(op, &events.BlockingSecurityEvent{})
+}
+
+func newGRPCBlockRequestAction(status int) *BlockGRPC {
+ return &BlockGRPC{GRPCWrapper: newGRPCBlockHandler(status)}
+}
+
+func newGRPCBlockHandler(status int) GRPCWrapper {
+ return func() (uint32, error) {
+ return uint32(status), &events.BlockingSecurityEvent{}
+ }
+}
+
+func blockParamsFromMap(params map[string]any) (blockActionParams, error) {
+ grpcCode := 10
+ p := blockActionParams{
+ Type: "auto",
+ StatusCode: 403,
+ GRPCStatusCode: &grpcCode,
+ }
+
+ if err := mapstructure.WeakDecode(params, &p); err != nil {
+ return p, err
+ }
+
+ if p.GRPCStatusCode == nil {
+ p.GRPCStatusCode = &grpcCode
+ }
+
+ return p, nil
+}
+
+// NewBlockAction creates an action for the "block_request" action type
+func NewBlockAction(params map[string]any) []Action {
+ p, err := blockParamsFromMap(params)
+ if err != nil {
+ log.Debug("appsec: couldn't decode redirect action parameters")
+ return nil
+ }
+ return []Action{
+ newHTTPBlockRequestAction(p.StatusCode, p.Type),
+ newGRPCBlockRequestAction(*p.GRPCStatusCode),
+ }
+}
+
+func newHTTPBlockRequestAction(status int, template string) *BlockHTTP {
+ return &BlockHTTP{Handler: newBlockHandler(status, template)}
+}
+
+// newBlockHandler creates, initializes and returns a new BlockRequestAction
+func newBlockHandler(status int, template string) http.Handler {
+ htmlHandler := newBlockRequestHandler(status, "text/html", blockedTemplateHTML)
+ jsonHandler := newBlockRequestHandler(status, "application/json", blockedTemplateJSON)
+ switch template {
+ case "json":
+ return jsonHandler
+ case "html":
+ return htmlHandler
+ default:
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ h := jsonHandler
+ hdr := r.Header.Get("Accept")
+ htmlIdx := strings.Index(hdr, "text/html")
+ jsonIdx := strings.Index(hdr, "application/json")
+ // Switch to html handler if text/html comes before application/json in the Accept header
+ if htmlIdx != -1 && (jsonIdx == -1 || htmlIdx < jsonIdx) {
+ h = htmlHandler
+ }
+ h.ServeHTTP(w, r)
+ })
+ }
+}
+
+func newBlockRequestHandler(status int, ct string, payload []byte) http.Handler {
+ return http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+ w.Header().Set("Content-Type", ct)
+ w.WriteHeader(status)
+ w.Write(payload)
+ })
+}
diff --git a/internal/appsec/emitter/waf/actions/blocked-template.html b/internal/appsec/emitter/waf/actions/blocked-template.html
new file mode 100644
index 0000000000..b43edd96dd
--- /dev/null
+++ b/internal/appsec/emitter/waf/actions/blocked-template.html
@@ -0,0 +1 @@
+
You've been blockedSorry, you cannot access this page. Please contact the customer service team.
\ No newline at end of file
diff --git a/internal/appsec/emitter/waf/actions/blocked-template.json b/internal/appsec/emitter/waf/actions/blocked-template.json
new file mode 100644
index 0000000000..12ae29696f
--- /dev/null
+++ b/internal/appsec/emitter/waf/actions/blocked-template.json
@@ -0,0 +1 @@
+{"errors":[{"title":"You've been blocked","detail":"Sorry, you cannot access this page. Please contact the customer service team. Security provided by Datadog."}]}
\ No newline at end of file
diff --git a/internal/appsec/emitter/waf/actions/http_redirect.go b/internal/appsec/emitter/waf/actions/http_redirect.go
new file mode 100644
index 0000000000..e9fb1c4965
--- /dev/null
+++ b/internal/appsec/emitter/waf/actions/http_redirect.go
@@ -0,0 +1,54 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package actions
+
+import (
+ "net/http"
+
+ "github.com/mitchellh/mapstructure"
+
+ "github.com/DataDog/dd-trace-go/v2/internal/log"
+)
+
+// redirectActionParams are the dynamic parameters to be provided to a "redirect_request"
+// action type upon invocation
+type redirectActionParams struct {
+ Location string `mapstructure:"location,omitempty"`
+ StatusCode int `mapstructure:"status_code"`
+}
+
+func init() {
+ registerActionHandler("redirect_request", NewRedirectAction)
+}
+
+func redirectParamsFromMap(params map[string]any) (redirectActionParams, error) {
+ var p redirectActionParams
+ err := mapstructure.WeakDecode(params, &p)
+ return p, err
+}
+
+func newRedirectRequestAction(status int, loc string) *BlockHTTP {
+ // Default to 303 if status is out of redirection codes bounds
+ if status < http.StatusMultipleChoices || status >= http.StatusBadRequest {
+ status = http.StatusSeeOther
+ }
+
+ // If location is not set we fall back on a default block action
+ if loc == "" {
+ return &BlockHTTP{Handler: newBlockHandler(http.StatusForbidden, string(blockedTemplateJSON))}
+ }
+ return &BlockHTTP{Handler: http.RedirectHandler(loc, status)}
+}
+
+// NewRedirectAction creates an action for the "redirect_request" action type
+func NewRedirectAction(params map[string]any) []Action {
+ p, err := redirectParamsFromMap(params)
+ if err != nil {
+ log.Debug("appsec: couldn't decode redirect action parameters")
+ return nil
+ }
+ return []Action{newRedirectRequestAction(p.StatusCode, p.Location)}
+}
diff --git a/internal/appsec/emitter/waf/actions/stacktrace.go b/internal/appsec/emitter/waf/actions/stacktrace.go
new file mode 100644
index 0000000000..9ddd07cf3e
--- /dev/null
+++ b/internal/appsec/emitter/waf/actions/stacktrace.go
@@ -0,0 +1,44 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package actions
+
+import (
+ "github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
+ "github.com/DataDog/dd-trace-go/v2/internal/log"
+ "github.com/DataDog/dd-trace-go/v2/internal/stacktrace"
+)
+
+func init() {
+ registerActionHandler("generate_stack", NewStackTraceAction)
+}
+
+// StackTraceAction are actions that generate a stacktrace
+type StackTraceAction struct {
+ Event *stacktrace.Event
+}
+
+func (a *StackTraceAction) EmitData(op dyngo.Operation) { dyngo.EmitData(op, a) }
+
+// NewStackTraceAction creates an action for the "stacktrace" action type
+func NewStackTraceAction(params map[string]any) []Action {
+ id, ok := params["stack_id"]
+ if !ok {
+ log.Debug("appsec: could not read stack_id parameter for generate_stack action")
+ return nil
+ }
+
+ strID, ok := id.(string)
+ if !ok {
+ log.Debug("appsec: could not cast stacktrace ID to string")
+ return nil
+ }
+
+ return []Action{
+ &StackTraceAction{
+ stacktrace.NewEvent(stacktrace.ExploitEvent, stacktrace.WithID(strID)),
+ },
+ }
+}
diff --git a/internal/appsec/emitter/waf/addresses/addresses.go b/internal/appsec/emitter/waf/addresses/addresses.go
new file mode 100644
index 0000000000..03163df23a
--- /dev/null
+++ b/internal/appsec/emitter/waf/addresses/addresses.go
@@ -0,0 +1,40 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package addresses
+
+const (
+ ServerRequestMethodAddr = "server.request.method"
+ ServerRequestRawURIAddr = "server.request.uri.raw"
+ ServerRequestHeadersNoCookiesAddr = "server.request.headers.no_cookies"
+ ServerRequestCookiesAddr = "server.request.cookies"
+ ServerRequestQueryAddr = "server.request.query"
+ ServerRequestPathParamsAddr = "server.request.path_params"
+ ServerRequestBodyAddr = "server.request.body"
+ ServerResponseStatusAddr = "server.response.status"
+ ServerResponseHeadersNoCookiesAddr = "server.response.headers.no_cookies"
+
+ ClientIPAddr = "http.client_ip"
+
+ UserIDAddr = "usr.id"
+ UserSessionIDAddr = "usr.session_id"
+ UserLoginSuccessAddr = "server.business_logic.users.login.success"
+ UserLoginFailureAddr = "server.business_logic.users.login.failure"
+
+ ServerIoNetURLAddr = "server.io.net.url"
+ ServerIOFSFileAddr = "server.io.fs.file"
+ ServerDBStatementAddr = "server.db.statement"
+ ServerDBTypeAddr = "server.db.system"
+
+ GRPCServerMethodAddr = "grpc.server.method"
+ GRPCServerRequestMetadataAddr = "grpc.server.request.metadata"
+ GRPCServerRequestMessageAddr = "grpc.server.request.message"
+ GRPCServerResponseMessageAddr = "grpc.server.response.message"
+ GRPCServerResponseMetadataHeadersAddr = "grpc.server.response.metadata.headers"
+ GRPCServerResponseMetadataTrailersAddr = "grpc.server.response.metadata.trailers"
+ GRPCServerResponseStatusCodeAddr = "grpc.server.response.status"
+
+ GraphQLServerResolverAddr = "graphql.server.resolver"
+)
diff --git a/internal/appsec/emitter/waf/addresses/builder.go b/internal/appsec/emitter/waf/addresses/builder.go
new file mode 100644
index 0000000000..946a62bcf9
--- /dev/null
+++ b/internal/appsec/emitter/waf/addresses/builder.go
@@ -0,0 +1,243 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package addresses
+
+import (
+ "net/netip"
+ "strconv"
+
+ waf "github.com/DataDog/go-libddwaf/v3"
+)
+
+const contextProcessKey = "waf.context.processor"
+
+type RunAddressDataBuilder struct {
+ waf.RunAddressData
+}
+
+func NewAddressesBuilder() *RunAddressDataBuilder {
+ return &RunAddressDataBuilder{
+ RunAddressData: waf.RunAddressData{
+ Persistent: make(map[string]any, 1),
+ Ephemeral: make(map[string]any, 1),
+ },
+ }
+}
+
+func (b *RunAddressDataBuilder) WithMethod(method string) *RunAddressDataBuilder {
+ b.Persistent[ServerRequestMethodAddr] = method
+ return b
+}
+
+func (b *RunAddressDataBuilder) WithRawURI(uri string) *RunAddressDataBuilder {
+ b.Persistent[ServerRequestRawURIAddr] = uri
+ return b
+}
+
+func (b *RunAddressDataBuilder) WithHeadersNoCookies(headers map[string][]string) *RunAddressDataBuilder {
+ if len(headers) == 0 {
+ headers = nil
+ }
+ b.Persistent[ServerRequestHeadersNoCookiesAddr] = headers
+ return b
+}
+
+func (b *RunAddressDataBuilder) WithCookies(cookies map[string][]string) *RunAddressDataBuilder {
+ if len(cookies) == 0 {
+ cookies = nil
+ }
+ b.Persistent[ServerRequestCookiesAddr] = cookies
+ return b
+}
+
+func (b *RunAddressDataBuilder) WithQuery(query map[string][]string) *RunAddressDataBuilder {
+ if len(query) == 0 {
+ query = nil
+ }
+ b.Persistent[ServerRequestQueryAddr] = query
+ return b
+}
+
+func (b *RunAddressDataBuilder) WithPathParams(params map[string]string) *RunAddressDataBuilder {
+ if len(params) == 0 {
+ return b
+ }
+ b.Persistent[ServerRequestPathParamsAddr] = params
+ return b
+}
+
+func (b *RunAddressDataBuilder) WithRequestBody(body any) *RunAddressDataBuilder {
+ if body == nil {
+ return b
+ }
+ b.Persistent[ServerRequestBodyAddr] = body
+ return b
+}
+
+func (b *RunAddressDataBuilder) WithResponseStatus(status int) *RunAddressDataBuilder {
+ if status == 0 {
+ return b
+ }
+ b.Persistent[ServerResponseStatusAddr] = strconv.Itoa(status)
+ return b
+}
+
+func (b *RunAddressDataBuilder) WithResponseHeadersNoCookies(headers map[string][]string) *RunAddressDataBuilder {
+ if len(headers) == 0 {
+ return b
+ }
+ b.Persistent[ServerResponseHeadersNoCookiesAddr] = headers
+ return b
+}
+
+func (b *RunAddressDataBuilder) WithClientIP(ip netip.Addr) *RunAddressDataBuilder {
+ if !ip.IsValid() {
+ return b
+ }
+ b.Persistent[ClientIPAddr] = ip.String()
+ return b
+}
+
+func (b *RunAddressDataBuilder) WithUserID(id string) *RunAddressDataBuilder {
+ if id == "" {
+ return b
+ }
+ b.Persistent[UserIDAddr] = id
+ return b
+}
+
+func (b *RunAddressDataBuilder) WithUserSessionID(id string) *RunAddressDataBuilder {
+ if id == "" {
+ return b
+ }
+ b.Persistent[UserSessionIDAddr] = id
+ return b
+
+}
+
+func (b *RunAddressDataBuilder) WithUserLoginSuccess() *RunAddressDataBuilder {
+ b.Persistent[UserLoginSuccessAddr] = nil
+ return b
+}
+
+func (b *RunAddressDataBuilder) WithUserLoginFailure() *RunAddressDataBuilder {
+ b.Persistent[UserLoginFailureAddr] = nil
+ return b
+}
+
+func (b *RunAddressDataBuilder) WithFilePath(file string) *RunAddressDataBuilder {
+ if file == "" {
+ return b
+ }
+ b.Ephemeral[ServerIOFSFileAddr] = file
+ b.Scope = waf.RASPScope
+ return b
+}
+
+func (b *RunAddressDataBuilder) WithURL(url string) *RunAddressDataBuilder {
+ if url == "" {
+ return b
+ }
+ b.Ephemeral[ServerIoNetURLAddr] = url
+ b.Scope = waf.RASPScope
+ return b
+}
+
+func (b *RunAddressDataBuilder) WithDBStatement(statement string) *RunAddressDataBuilder {
+ if statement == "" {
+ return b
+ }
+ b.Ephemeral[ServerDBStatementAddr] = statement
+ b.Scope = waf.RASPScope
+ return b
+}
+
+func (b *RunAddressDataBuilder) WithDBType(driver string) *RunAddressDataBuilder {
+ if driver == "" {
+ return b
+ }
+ b.Ephemeral[ServerDBTypeAddr] = driver
+ b.Scope = waf.RASPScope
+ return b
+}
+
+func (b *RunAddressDataBuilder) WithGRPCMethod(method string) *RunAddressDataBuilder {
+ if method == "" {
+ return b
+ }
+ b.Persistent[GRPCServerMethodAddr] = method
+ return b
+}
+
+func (b *RunAddressDataBuilder) WithGRPCRequestMessage(message any) *RunAddressDataBuilder {
+ if message == nil {
+ return b
+ }
+ b.Ephemeral[GRPCServerRequestMessageAddr] = message
+ return b
+}
+
+func (b *RunAddressDataBuilder) WithGRPCRequestMetadata(metadata map[string][]string) *RunAddressDataBuilder {
+ if len(metadata) == 0 {
+ return b
+ }
+ b.Persistent[GRPCServerRequestMetadataAddr] = metadata
+ return b
+}
+
+func (b *RunAddressDataBuilder) WithGRPCResponseMessage(message any) *RunAddressDataBuilder {
+ if message == nil {
+ return b
+ }
+ b.Ephemeral[GRPCServerResponseMessageAddr] = message
+ return b
+}
+
+func (b *RunAddressDataBuilder) WithGRPCResponseMetadataHeaders(headers map[string][]string) *RunAddressDataBuilder {
+ if len(headers) == 0 {
+ return b
+ }
+ b.Persistent[GRPCServerResponseMetadataHeadersAddr] = headers
+ return b
+}
+
+func (b *RunAddressDataBuilder) WithGRPCResponseMetadataTrailers(trailers map[string][]string) *RunAddressDataBuilder {
+ if len(trailers) == 0 {
+ return b
+ }
+ b.Persistent[GRPCServerResponseMetadataTrailersAddr] = trailers
+ return b
+}
+
+func (b *RunAddressDataBuilder) WithGRPCResponseStatusCode(status int) *RunAddressDataBuilder {
+ if status == 0 {
+ return b
+ }
+ b.Persistent[GRPCServerResponseStatusCodeAddr] = strconv.Itoa(status)
+ return b
+}
+
+func (b *RunAddressDataBuilder) WithGraphQLResolver(fieldName string, args map[string]any) *RunAddressDataBuilder {
+ if _, ok := b.Ephemeral[GraphQLServerResolverAddr]; !ok {
+ b.Ephemeral[GraphQLServerResolverAddr] = map[string]any{}
+ }
+
+ b.Ephemeral[GraphQLServerResolverAddr].(map[string]any)[fieldName] = args
+ return b
+}
+
+func (b *RunAddressDataBuilder) ExtractSchema() *RunAddressDataBuilder {
+ if _, ok := b.Persistent[contextProcessKey]; !ok {
+ b.Persistent[contextProcessKey] = map[string]bool{}
+ }
+
+ b.Persistent[contextProcessKey].(map[string]bool)["extract-schema"] = true
+ return b
+}
+
+func (b *RunAddressDataBuilder) Build() waf.RunAddressData {
+ return b.RunAddressData
+}
diff --git a/internal/appsec/emitter/waf/context.go b/internal/appsec/emitter/waf/context.go
new file mode 100644
index 0000000000..c2fe17be2d
--- /dev/null
+++ b/internal/appsec/emitter/waf/context.go
@@ -0,0 +1,160 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package waf
+
+import (
+ "context"
+ "maps"
+ "slices"
+ "sync"
+ "sync/atomic"
+
+ "github.com/DataDog/appsec-internal-go/limiter"
+ waf "github.com/DataDog/go-libddwaf/v3"
+
+ "github.com/DataDog/dd-trace-go/v2/internal/appsec/config"
+ "github.com/DataDog/dd-trace-go/v2/internal/log"
+ "github.com/DataDog/dd-trace-go/v2/internal/stacktrace"
+
+ "github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
+ "github.com/DataDog/dd-trace-go/v2/internal/appsec/emitter/trace"
+)
+
+type (
+ ContextOperation struct {
+ dyngo.Operation
+ *trace.ServiceEntrySpanOperation
+
+ // context is an atomic pointer to the current WAF context.
+ // Makes sure the calls to context.Run are safe.
+ context atomic.Pointer[waf.Context]
+ // limiter comes from the WAF feature and is used to limit the number of events as a whole.
+ limiter limiter.Limiter
+ // events is where we store WAF events received from the WAF over the course of the request.
+ events []any
+ // stacks is where we store stack traces received from the WAF over the course of the request.
+ stacks []*stacktrace.Event
+ // derivatives is where we store any span tags generated by the WAF over the course of the request.
+ derivatives map[string]any
+ // supportedAddresses is the set of addresses supported by the WAF.
+ supportedAddresses config.AddressSet
+ // mu protects the events, stacks, and derivatives, supportedAddresses slices.
+ mu sync.Mutex
+ // logOnce is used to log a warning once when a request has too many WAF events via the built-in limiter or the max value.
+ logOnce sync.Once
+ }
+
+ ContextArgs struct{}
+
+ ContextRes struct{}
+
+ // RunEvent is the type of event that should be emitted to child operations to run the WAF
+ RunEvent struct {
+ waf.RunAddressData
+ dyngo.Operation
+ }
+)
+
+func (ContextArgs) IsArgOf(*ContextOperation) {}
+func (ContextRes) IsResultOf(*ContextOperation) {}
+
+func StartContextOperation(ctx context.Context) (*ContextOperation, context.Context) {
+ entrySpanOp, ctx := trace.StartServiceEntrySpanOperation(ctx)
+ op := &ContextOperation{
+ Operation: dyngo.NewOperation(entrySpanOp),
+ ServiceEntrySpanOperation: entrySpanOp,
+ }
+ return op, dyngo.StartAndRegisterOperation(ctx, op, ContextArgs{})
+}
+
+func (op *ContextOperation) Finish(span trace.TagSetter) {
+ dyngo.FinishOperation(op, ContextRes{})
+ op.ServiceEntrySpanOperation.Finish(span)
+}
+
+func (op *ContextOperation) SwapContext(ctx *waf.Context) *waf.Context {
+ return op.context.Swap(ctx)
+}
+
+func (op *ContextOperation) SetLimiter(limiter limiter.Limiter) {
+ op.limiter = limiter
+}
+
+func (op *ContextOperation) AddEvents(events ...any) {
+ if len(events) == 0 {
+ return
+ }
+
+ if !op.limiter.Allow() {
+ log.Warn("appsec: too many WAF events, stopping further reporting")
+ return
+ }
+
+ op.mu.Lock()
+ defer op.mu.Unlock()
+
+ const maxWAFEventsPerRequest = 10
+ if len(op.events) >= maxWAFEventsPerRequest {
+ op.logOnce.Do(func() {
+ log.Warn("appsec: ignoring new WAF event due to the maximum number of security events per request was reached")
+ })
+ return
+ }
+
+ op.events = append(op.events, events...)
+}
+
+func (op *ContextOperation) AddStackTraces(stacks ...*stacktrace.Event) {
+ if len(stacks) == 0 {
+ return
+ }
+
+ op.mu.Lock()
+ defer op.mu.Unlock()
+ op.stacks = append(op.stacks, stacks...)
+}
+
+func (op *ContextOperation) AbsorbDerivatives(derivatives map[string]any) {
+ if len(derivatives) == 0 {
+ return
+ }
+
+ op.mu.Lock()
+ defer op.mu.Unlock()
+ if op.derivatives == nil {
+ op.derivatives = make(map[string]any)
+ }
+
+ for k, v := range derivatives {
+ op.derivatives[k] = v
+ }
+}
+
+func (op *ContextOperation) Derivatives() map[string]any {
+ op.mu.Lock()
+ defer op.mu.Unlock()
+ return maps.Clone(op.derivatives)
+}
+
+func (op *ContextOperation) Events() []any {
+ op.mu.Lock()
+ defer op.mu.Unlock()
+ return slices.Clone(op.events)
+}
+
+func (op *ContextOperation) StackTraces() []*stacktrace.Event {
+ op.mu.Lock()
+ defer op.mu.Unlock()
+ return slices.Clone(op.stacks)
+}
+
+func (op *ContextOperation) OnEvent(event RunEvent) {
+ op.Run(event.Operation, event.RunAddressData)
+}
+
+func (op *ContextOperation) SetSupportedAddresses(addrs config.AddressSet) {
+ op.supportedAddresses = addrs
+}
diff --git a/internal/appsec/emitter/waf/run.go b/internal/appsec/emitter/waf/run.go
new file mode 100644
index 0000000000..cfa1c227ec
--- /dev/null
+++ b/internal/appsec/emitter/waf/run.go
@@ -0,0 +1,78 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package waf
+
+import (
+ "context"
+ "errors"
+ "maps"
+
+ waf "github.com/DataDog/go-libddwaf/v3"
+ wafErrors "github.com/DataDog/go-libddwaf/v3/errors"
+
+ "github.com/DataDog/dd-trace-go/v2/internal/appsec/emitter/waf/actions"
+
+ "github.com/DataDog/dd-trace-go/v2/appsec/events"
+ "github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
+ "github.com/DataDog/dd-trace-go/v2/internal/log"
+)
+
+// Run runs the WAF with the given address data and sends the results to the event receiver
+// the event receiver can be the same os the method receiver but not always
+// the event receiver is the one that will receive the actions events generated by the WAF
+func (op *ContextOperation) Run(eventReceiver dyngo.Operation, addrs waf.RunAddressData) {
+ ctx := op.context.Load()
+ if ctx == nil { // Context was closed concurrently
+ return
+ }
+
+ // Remove unsupported addresses in case the listener was registered but some addresses are still unsupported
+ // Technically the WAF does this step for us but doing this check before calling the WAF makes us skip encoding huge
+ // values that may be discarded by the WAF afterward.
+ // e.g. gRPC response body address that is not in the default ruleset but will still be sent to the WAF and may be huge
+ for _, addrType := range []map[string]any{addrs.Persistent, addrs.Ephemeral} {
+ maps.DeleteFunc(addrType, func(key string, _ any) bool {
+ _, ok := op.supportedAddresses[key]
+ return !ok
+ })
+ }
+
+ result, err := ctx.Run(addrs)
+ if errors.Is(err, wafErrors.ErrTimeout) {
+ log.Debug("appsec: WAF timeout value reached: %v", err)
+ } else if err != nil {
+ log.Error("appsec: unexpected WAF error: %v", err)
+ }
+
+ op.AddEvents(result.Events...)
+ op.AbsorbDerivatives(result.Derivatives)
+
+ actions.SendActionEvents(eventReceiver, result.Actions)
+
+ if result.HasEvents() {
+ log.Debug("appsec: WAF detected a suspicious event")
+ }
+}
+
+// RunSimple runs the WAF with the given address data and returns an error that should be forwarded to the caller
+func RunSimple(ctx context.Context, addrs waf.RunAddressData, errorLog string) error {
+ parent, _ := dyngo.FromContext(ctx)
+ if parent == nil {
+ log.Error(errorLog)
+ return nil
+ }
+
+ var err error
+ op := dyngo.NewOperation(parent)
+ dyngo.OnData(op, func(e *events.BlockingSecurityEvent) {
+ err = e
+ })
+ dyngo.EmitData(op, RunEvent{
+ Operation: op,
+ RunAddressData: addrs,
+ })
+ return err
+}
diff --git a/internal/appsec/features.go b/internal/appsec/features.go
new file mode 100644
index 0000000000..4f91dc269e
--- /dev/null
+++ b/internal/appsec/features.go
@@ -0,0 +1,81 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package appsec
+
+import (
+ "errors"
+
+ "github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
+ "github.com/DataDog/dd-trace-go/v2/internal/appsec/listener"
+ "github.com/DataDog/dd-trace-go/v2/internal/appsec/listener/graphqlsec"
+ "github.com/DataDog/dd-trace-go/v2/internal/appsec/listener/grpcsec"
+ "github.com/DataDog/dd-trace-go/v2/internal/appsec/listener/httpsec"
+ "github.com/DataDog/dd-trace-go/v2/internal/appsec/listener/ossec"
+ "github.com/DataDog/dd-trace-go/v2/internal/appsec/listener/sqlsec"
+ "github.com/DataDog/dd-trace-go/v2/internal/appsec/listener/trace"
+ "github.com/DataDog/dd-trace-go/v2/internal/appsec/listener/usersec"
+ "github.com/DataDog/dd-trace-go/v2/internal/appsec/listener/waf"
+ "github.com/DataDog/dd-trace-go/v2/internal/log"
+)
+
+var features = []listener.NewFeature{
+ trace.NewAppsecSpanTransport,
+ waf.NewWAFFeature,
+ httpsec.NewHTTPSecFeature,
+ grpcsec.NewGRPCSecFeature,
+ graphqlsec.NewGraphQLSecFeature,
+ usersec.NewUserSecFeature,
+ sqlsec.NewSQLSecFeature,
+ ossec.NewOSSecFeature,
+ httpsec.NewSSRFProtectionFeature,
+}
+
+func (a *appsec) SwapRootOperation() error {
+ newRoot := dyngo.NewRootOperation()
+ newFeatures := make([]listener.Feature, 0, len(features))
+ var featureErrors []error
+ for _, newFeature := range features {
+ feature, err := newFeature(a.cfg, newRoot)
+ if err != nil {
+ featureErrors = append(featureErrors, err)
+ continue
+ }
+
+ // If error is nil and feature is nil, it means the feature did not activate itself
+ if feature == nil {
+ continue
+ }
+
+ newFeatures = append(newFeatures, feature)
+ }
+
+ err := errors.Join(featureErrors...)
+ if err != nil {
+ for _, feature := range newFeatures {
+ feature.Stop()
+ }
+ return err
+ }
+
+ a.featuresMu.Lock()
+ defer a.featuresMu.Unlock()
+
+ oldFeatures := a.features
+ a.features = newFeatures
+
+ log.Debug("appsec: stopping the following features: %v", oldFeatures)
+ log.Debug("appsec: starting the following features: %v", newFeatures)
+
+ dyngo.SwapRootOperation(newRoot)
+
+ log.Debug("appsec: swapped root operation")
+
+ for _, oldFeature := range oldFeatures {
+ oldFeature.Stop()
+ }
+
+ return nil
+}
diff --git a/internal/appsec/listener/feature.go b/internal/appsec/listener/feature.go
new file mode 100644
index 0000000000..d22067cd8d
--- /dev/null
+++ b/internal/appsec/listener/feature.go
@@ -0,0 +1,24 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package listener
+
+import (
+ "github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
+ "github.com/DataDog/dd-trace-go/v2/internal/appsec/config"
+)
+
+// Feature is an interface that represents a feature that can be started and stopped.
+type Feature interface {
+ // String should return a user-friendly name for the feature.
+ String() string
+ // Stop stops the feature.
+ Stop()
+}
+
+// NewFeature is a function that creates a new feature.
+// The error returned will be fatal for the application if not nil.
+// If both the feature and the error are nil, the feature will be considered inactive.
+type NewFeature func(*config.Config, dyngo.Operation) (Feature, error)
diff --git a/internal/appsec/listener/graphqlsec/graphql.go b/internal/appsec/listener/graphqlsec/graphql.go
index 9cd4f2e245..083734c5b2 100644
--- a/internal/appsec/listener/graphqlsec/graphql.go
+++ b/internal/appsec/listener/graphqlsec/graphql.go
@@ -1,7 +1,7 @@
// Unless explicitly stated otherwise all files in this repository are licensed
// under the Apache License Version 2.0.
// This product includes software developed at Datadog (https://www.datadoghq.com/).
-// Copyright 2016 Datadog, Inc.
+// Copyright 2024 Datadog, Inc.
package graphqlsec
@@ -23,108 +23,30 @@ import (
"github.com/DataDog/dd-trace-go/v2/internal/samplernames"
)
-// GraphQL rule addresses currently supported by the WAF
-const (
- graphQLServerResolverAddr = "graphql.server.resolver"
-)
+type Feature struct{}
-// List of GraphQL rule addresses currently supported by the WAF
-var supportedAddresses = listener.AddressSet{
- graphQLServerResolverAddr: {},
- httpsec.ServerIoNetURLAddr: {},
+func (*Feature) String() string {
+ return "GraphQL Security"
}
-// Install registers the GraphQL WAF Event Listener on the given root operation.
-func Install(wafHandle *waf.Handle, cfg *config.Config, lim limiter.Limiter, root dyngo.Operation) {
- if listener := newWafEventListener(wafHandle, cfg, lim); listener != nil {
- log.Debug("appsec: registering the GraphQL WAF Event Listener")
- dyngo.On(root, listener.onEvent)
- }
-}
+func (*Feature) Stop() {}
-type wafEventListener struct {
- wafHandle *waf.Handle
- config *config.Config
- addresses listener.AddressSet
- limiter limiter.Limiter
- wafDiags waf.Diagnostics
- once sync.Once
+func (f *Feature) OnResolveField(op *graphqlsec.ResolveOperation, args graphqlsec.ResolveOperationArgs) {
+ dyngo.EmitData(op, waf.RunEvent{
+ Operation: op,
+ RunAddressData: addresses.NewAddressesBuilder().
+ WithGraphQLResolver(args.FieldName, args.Arguments).
+ Build(),
+ })
}
-func newWafEventListener(wafHandle *waf.Handle, cfg *config.Config, limiter limiter.Limiter) *wafEventListener {
- if wafHandle == nil {
- log.Debug("appsec: no WAF Handle available, the GraphQL WAF Event Listener will not be registered")
- return nil
- }
-
- addresses := listener.FilterAddressSet(supportedAddresses, wafHandle)
- if len(addresses) == 0 {
- log.Debug("appsec: no supported GraphQL address is used by currently loaded WAF rules, the GraphQL WAF Event Listener will not be registered")
- return nil
+func NewGraphQLSecFeature(config *config.Config, rootOp dyngo.Operation) (listener.Feature, error) {
+ if !config.SupportedAddresses.AnyOf(addresses.GraphQLServerResolverAddr) {
+ return nil, nil
}
- return &wafEventListener{
- wafHandle: wafHandle,
- config: cfg,
- addresses: addresses,
- limiter: limiter,
- wafDiags: wafHandle.Diagnostics(),
- }
-}
-
-// NewWAFEventListener returns the WAF event listener to register in order
-// to enable it.
-func (l *wafEventListener) onEvent(request *types.RequestOperation, _ types.RequestOperationArgs) {
- wafCtx, err := l.wafHandle.NewContextWithBudget(l.config.WAFTimeout)
- if err != nil {
- log.Debug("appsec: could not create budgeted WAF context: %v", err)
- }
- // Early return in the following cases:
- // - wafCtx is nil, meaning it was concurrently released
- // - err is not nil, meaning context creation failed
- if wafCtx == nil || err != nil {
- return
- }
+ feature := &Feature{}
+ dyngo.On(rootOp, feature.OnResolveField)
- if _, ok := l.addresses[httpsec.ServerIoNetURLAddr]; ok {
- httpsec.RegisterRoundTripperListener(request, &request.SecurityEventsHolder, wafCtx, l.limiter)
- }
-
- // Add span tags notifying this trace is AppSec-enabled
- trace.SetAppSecEnabledTags(request)
- l.once.Do(func() {
- shared.AddRulesMonitoringTags(request, &l.wafDiags)
- request.SetTag(ext.ManualKeep, samplernames.AppSec)
- })
-
- dyngo.On(request, func(query *types.ExecutionOperation, args types.ExecutionOperationArgs) {
- dyngo.On(query, func(field *types.ResolveOperation, args types.ResolveOperationArgs) {
- if _, found := l.addresses[graphQLServerResolverAddr]; found {
- wafResult := shared.RunWAF(
- wafCtx,
- waf.RunAddressData{
- Ephemeral: map[string]any{
- graphQLServerResolverAddr: map[string]any{args.FieldName: args.Arguments},
- },
- },
- )
- shared.AddSecurityEvents(&field.SecurityEventsHolder, l.limiter, wafResult.Events)
- }
-
- dyngo.OnFinish(field, func(field *types.ResolveOperation, res types.ResolveOperationRes) {
- trace.SetEventSpanTags(field, field.Events())
- })
- })
-
- dyngo.OnFinish(query, func(query *types.ExecutionOperation, res types.ExecutionOperationRes) {
- trace.SetEventSpanTags(query, query.Events())
- })
- })
-
- dyngo.OnFinish(request, func(request *types.RequestOperation, res types.RequestOperationRes) {
- defer wafCtx.Close()
-
- shared.AddWAFMonitoringTags(request, l.wafDiags.Version, wafCtx.Stats().Metrics())
- trace.SetEventSpanTags(request, request.Events())
- })
+ return feature, nil
}
diff --git a/internal/appsec/listener/grpcsec/grpc.go b/internal/appsec/listener/grpcsec/grpc.go
index cc1831cf09..0a9ed1e6c0 100644
--- a/internal/appsec/listener/grpcsec/grpc.go
+++ b/internal/appsec/listener/grpcsec/grpc.go
@@ -1,7 +1,7 @@
// Unless explicitly stated otherwise all files in this repository are licensed
// under the Apache License Version 2.0.
// This product includes software developed at Datadog (https://www.datadoghq.com/).
-// Copyright 2016 Datadog, Inc.
+// Copyright 2024 Datadog, Inc.
package grpcsec
@@ -27,183 +27,60 @@ import (
"github.com/DataDog/dd-trace-go/v2/internal/samplernames"
)
-// gRPC rule addresses currently supported by the WAF
-const (
- GRPCServerMethodAddr = "grpc.server.method"
- GRPCServerRequestMessageAddr = "grpc.server.request.message"
- GRPCServerRequestMetadataAddr = "grpc.server.request.metadata"
-)
+type Feature struct{}
-// List of gRPC rule addresses currently supported by the WAF
-var supportedAddresses = listener.AddressSet{
- GRPCServerMethodAddr: {},
- GRPCServerRequestMessageAddr: {},
- GRPCServerRequestMetadataAddr: {},
- httpsec.HTTPClientIPAddr: {},
- httpsec.UserIDAddr: {},
- httpsec.ServerIoNetURLAddr: {},
- ossec.ServerIOFSFileAddr: {},
- sqlsec.ServerDBStatementAddr: {},
- sqlsec.ServerDBTypeAddr: {},
+func (*Feature) String() string {
+ return "gRPC Security"
}
-// Install registers the gRPC WAF Event Listener on the given root operation.
-func Install(wafHandle *waf.Handle, cfg *config.Config, lim limiter.Limiter, root dyngo.Operation) {
- if listener := newWafEventListener(wafHandle, cfg, lim); listener != nil {
- log.Debug("appsec: registering the gRPC WAF Event Listener")
- dyngo.On(root, listener.onEvent)
+func (*Feature) Stop() {}
+
+func NewGRPCSecFeature(config *config.Config, rootOp dyngo.Operation) (listener.Feature, error) {
+ if !config.SupportedAddresses.AnyOf(
+ addresses.ClientIPAddr,
+ addresses.GRPCServerMethodAddr,
+ addresses.GRPCServerRequestMessageAddr,
+ addresses.GRPCServerRequestMetadataAddr,
+ addresses.GRPCServerResponseMessageAddr,
+ addresses.GRPCServerResponseMetadataHeadersAddr,
+ addresses.GRPCServerResponseMetadataTrailersAddr,
+ addresses.GRPCServerResponseStatusCodeAddr) {
+ return nil, nil
}
-}
-type wafEventListener struct {
- wafHandle *waf.Handle
- config *config.Config
- addresses listener.AddressSet
- limiter limiter.Limiter
- wafDiags waf.Diagnostics
- once sync.Once
+ feature := &Feature{}
+ dyngo.On(rootOp, feature.OnStart)
+ dyngo.OnFinish(rootOp, feature.OnFinish)
+ return feature, nil
}
-func newWafEventListener(wafHandle *waf.Handle, cfg *config.Config, limiter limiter.Limiter) *wafEventListener {
- if wafHandle == nil {
- log.Debug("appsec: no WAF Handle available, the gRPC WAF Event Listener will not be registered")
- return nil
- }
+func (f *Feature) OnStart(op *grpcsec.HandlerOperation, args grpcsec.HandlerOperationArgs) {
+ ipTags, clientIP := httpsec.ClientIPTags(args.Metadata, false, args.RemoteAddr)
+ log.Debug("appsec: http client ip detection returned `%s`", clientIP)
- addresses := listener.FilterAddressSet(supportedAddresses, wafHandle)
- if len(addresses) == 0 {
- log.Debug("appsec: no supported gRPC address is used by currently loaded WAF rules, the gRPC WAF Event Listener will not be registered")
- return nil
- }
+ op.SetStringTags(ipTags)
- return &wafEventListener{
- wafHandle: wafHandle,
- config: cfg,
- addresses: addresses,
- limiter: limiter,
- wafDiags: wafHandle.Diagnostics(),
- }
-}
+ SetRequestMetadataTags(op, args.Metadata)
-// NewWAFEventListener returns the WAF event listener to register in order to enable it, listening to gRPC handler
-// events.
-func (l *wafEventListener) onEvent(op *types.HandlerOperation, handlerArgs types.HandlerOperationArgs) {
- // Limit the maximum number of security events, as a streaming RPC could
- // receive unlimited number of messages where we could find security events
- var (
- nbEvents atomic.Uint32
- logOnce sync.Once // per request
+ op.Run(op,
+ addresses.NewAddressesBuilder().
+ WithGRPCMethod(args.Method).
+ WithGRPCRequestMetadata(args.Metadata).
+ WithClientIP(clientIP).
+ Build(),
)
- addEvents := func(events []any) {
- const maxWAFEventsPerRequest = 10
- if nbEvents.Load() >= maxWAFEventsPerRequest {
- logOnce.Do(func() {
- log.Debug("appsec: ignoring new WAF event due to the maximum number of security events per grpc call reached")
- })
- return
- }
- nbEvents.Add(uint32(len(events)))
- shared.AddSecurityEvents(&op.SecurityEventsHolder, l.limiter, events)
- }
-
- wafCtx, err := l.wafHandle.NewContextWithBudget(l.config.WAFTimeout)
- if err != nil {
- log.Debug("appsec: could not create budgeted WAF context: %v", err)
- }
- // Early return in the following cases:
- // - wafCtx is nil, meaning it was concurrently released
- // - err is not nil, meaning context creation failed
- if wafCtx == nil || err != nil {
- return
- }
-
- if httpsec.SSRFAddressesPresent(l.addresses) {
- httpsec.RegisterRoundTripperListener(op, &op.SecurityEventsHolder, wafCtx, l.limiter)
- }
-
- if ossec.OSAddressesPresent(l.addresses) {
- ossec.RegisterOpenListener(op, &op.SecurityEventsHolder, wafCtx, l.limiter)
- }
-
- if sqlsec.SQLAddressesPresent(l.addresses) {
- sqlsec.RegisterSQLListener(op, &op.SecurityEventsHolder, wafCtx, l.limiter)
- }
-
- // Listen to the UserID address if the WAF rules are using it
- if l.isSecAddressListened(httpsec.UserIDAddr) {
- // UserIDOperation happens when appsec.SetUser() is called. We run the WAF and apply actions to
- // see if the associated user should be blocked. Since we don't control the execution flow in this case
- // (SetUser is SDK), we delegate the responsibility of interrupting the handler to the user.
- dyngo.On(op, shared.MakeWAFRunListener(&op.SecurityEventsHolder, wafCtx, l.limiter, func(args sharedsec.UserIDOperationArgs) waf.RunAddressData {
- return waf.RunAddressData{Persistent: map[string]any{httpsec.UserIDAddr: args.UserID}}
- }))
- }
-
- values := make(map[string]any, 2) // 2 because the method and client ip addresses are commonly present in the rules
- if l.isSecAddressListened(GRPCServerMethodAddr) {
- // Note that this address is passed asap for the passlist, which are created per grpc method
- values[GRPCServerMethodAddr] = handlerArgs.Method
- }
- if l.isSecAddressListened(httpsec.HTTPClientIPAddr) && handlerArgs.ClientIP.IsValid() {
- values[httpsec.HTTPClientIPAddr] = handlerArgs.ClientIP.String()
- }
-
- wafResult := shared.RunWAF(wafCtx, waf.RunAddressData{Persistent: values})
- if wafResult.HasEvents() {
- addEvents(wafResult.Events)
- log.Debug("appsec: WAF detected an attack before executing the request")
- }
- if wafResult.HasActions() {
- interrupt := shared.ProcessActions(op, wafResult.Actions)
- if interrupt {
- wafCtx.Close()
- return
- }
- }
+}
- // When the gRPC handler receives a message
- dyngo.OnFinish(op, func(_ types.ReceiveOperation, res types.ReceiveOperationRes) {
- // Run the WAF on the rule addresses available and listened to by the sec rules
- var values waf.RunAddressData
- // Add the gRPC message to the values if the WAF rules are using it.
- // Note that it is an ephemeral address as they can happen more than once per RPC.
- if l.isSecAddressListened(GRPCServerRequestMessageAddr) {
- values.Ephemeral = map[string]any{GRPCServerRequestMessageAddr: res.Message}
- }
-
- // Add the metadata to the values if the WAF rules are using it.
- if l.isSecAddressListened(GRPCServerRequestMetadataAddr) {
- if md := handlerArgs.Metadata; len(md) > 0 {
- values.Persistent = map[string]any{GRPCServerRequestMetadataAddr: md}
- }
- }
-
- // Run the WAF, ignoring the returned actions - if any - since blocking after the request handler's
- // response is not supported at the moment.
- wafResult := shared.RunWAF(wafCtx, values)
- if wafResult.HasEvents() {
- log.Debug("appsec: attack detected by the grpc waf")
- addEvents(wafResult.Events)
- }
- if wafResult.HasActions() {
- shared.ProcessActions(op, wafResult.Actions)
- }
- })
-
- // When the gRPC handler finishes
- dyngo.OnFinish(op, func(op *types.HandlerOperation, _ types.HandlerOperationRes) {
- defer wafCtx.Close()
-
- shared.AddWAFMonitoringTags(op, l.wafDiags.Version, wafCtx.Stats().Metrics())
- // Log the following metrics once per instantiation of a WAF handle
- l.once.Do(func() {
- shared.AddRulesMonitoringTags(op, &l.wafDiags)
- op.SetTag(ext.ManualKeep, samplernames.AppSec)
- })
- })
+func (f *Feature) OnFinish(op *grpcsec.HandlerOperation, res grpcsec.HandlerOperationRes) {
+ op.Run(op,
+ addresses.NewAddressesBuilder().
+ WithGRPCResponseStatusCode(res.StatusCode).
+ Build(),
+ )
}
-func (l *wafEventListener) isSecAddressListened(addr string) bool {
- _, listened := l.addresses[addr]
- return listened
+func SetRequestMetadataTags(span trace.TagSetter, metadata map[string][]string) {
+ for h, v := range httpsec.NormalizeHTTPHeaders(metadata) {
+ span.SetTag("grpc.metadata."+h, v)
+ }
}
diff --git a/internal/appsec/listener/grpcsec/grpc_test.go b/internal/appsec/listener/grpcsec/grpc_test.go
new file mode 100644
index 0000000000..673727abb0
--- /dev/null
+++ b/internal/appsec/listener/grpcsec/grpc_test.go
@@ -0,0 +1,118 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package grpcsec
+
+import (
+ "fmt"
+ "testing"
+
+ testlib "github.com/DataDog/dd-trace-go/v2/internal/appsec/_testlib"
+
+ "github.com/stretchr/testify/require"
+)
+
+type MockSpan struct {
+ Tags map[string]any
+}
+
+func (m *MockSpan) SetTag(key string, value interface{}) {
+ if m.Tags == nil {
+ m.Tags = make(map[string]any)
+ }
+ if key == ext.ManualKeep {
+ if value == samplernames.AppSec {
+ m.Tags[ext.ManualKeep] = true
+ }
+ } else {
+ m.Tags[key] = value
+ }
+}
+
+func TestTags(t *testing.T) {
+ for _, eventCase := range []struct {
+ name string
+ events []any
+ expectedTag string
+ expectedError bool
+ }{
+ {
+ name: "no-event",
+ events: nil,
+ },
+ {
+ name: "one-event",
+ events: []any{"one"},
+ expectedTag: `{"triggers":["one"]}`,
+ },
+ {
+ name: "two-events",
+ events: []any{"one", "two"},
+ expectedTag: `{"triggers":["one","two"]}`,
+ },
+ } {
+ eventCase := eventCase
+ for _, metadataCase := range []struct {
+ name string
+ md map[string][]string
+ expectedTags map[string]interface{}
+ }{
+ {
+ name: "zero-metadata",
+ },
+ {
+ name: "xff-metadata",
+ md: map[string][]string{
+ "x-forwarded-for": {"1.2.3.4", "4.5.6.7"},
+ ":authority": {"something"},
+ },
+ expectedTags: map[string]interface{}{
+ "grpc.metadata.x-forwarded-for": "1.2.3.4,4.5.6.7",
+ },
+ },
+ {
+ name: "xff-metadata",
+ md: map[string][]string{
+ "x-forwarded-for": {"1.2.3.4"},
+ ":authority": {"something"},
+ },
+ expectedTags: map[string]interface{}{
+ "grpc.metadata.x-forwarded-for": "1.2.3.4",
+ },
+ },
+ {
+ name: "no-monitored-metadata",
+ md: map[string][]string{
+ ":authority": {"something"},
+ },
+ },
+ } {
+ metadataCase := metadataCase
+ t.Run(fmt.Sprintf("%s-%s", eventCase.name, metadataCase.name), func(t *testing.T) {
+ var span MockSpan
+ err := waf.SetEventSpanTags(&span, eventCase.events)
+ if eventCase.expectedError {
+ require.Error(t, err)
+ return
+ }
+ require.NoError(t, err)
+ SetRequestMetadataTags(&span, metadataCase.md)
+
+ if eventCase.events != nil {
+ require.Subset(t, span.Tags, map[string]interface{}{
+ "_dd.appsec.json": eventCase.expectedTag,
+ "manual.keep": true,
+ "appsec.event": true,
+ "_dd.origin": "appsec",
+ })
+ }
+
+ if l := len(metadataCase.expectedTags); l > 0 {
+ require.Subset(t, span.Tags, metadataCase.expectedTags)
+ }
+ })
+ }
+ }
+}
diff --git a/internal/appsec/listener/httpsec/http.go b/internal/appsec/listener/httpsec/http.go
index ff5a3dd39d..9a382977ba 100644
--- a/internal/appsec/listener/httpsec/http.go
+++ b/internal/appsec/listener/httpsec/http.go
@@ -1,233 +1,94 @@
// Unless explicitly stated otherwise all files in this repository are licensed
// under the Apache License Version 2.0.
// This product includes software developed at Datadog (https://www.datadoghq.com/).
-// Copyright 2016 Datadog, Inc.
+// Copyright 2024 Datadog, Inc.
package httpsec
import (
- "fmt"
"math/rand"
- "sync"
- "github.com/DataDog/appsec-internal-go/limiter"
- waf "github.com/DataDog/go-libddwaf/v3"
+ internal "github.com/DataDog/appsec-internal-go/appsec"
- "github.com/DataDog/dd-trace-go/v2/ddtrace/ext"
"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
- "github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/emitter/httpsec/types"
- "github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/emitter/sharedsec"
"github.com/DataDog/dd-trace-go/v2/internal/appsec/config"
+ "github.com/DataDog/dd-trace-go/v2/internal/appsec/emitter/waf/addresses"
"github.com/DataDog/dd-trace-go/v2/internal/appsec/listener"
- "github.com/DataDog/dd-trace-go/v2/internal/appsec/listener/ossec"
- shared "github.com/DataDog/dd-trace-go/v2/internal/appsec/listener/sharedsec"
- "github.com/DataDog/dd-trace-go/v2/internal/appsec/listener/sqlsec"
"github.com/DataDog/dd-trace-go/v2/internal/log"
- "github.com/DataDog/dd-trace-go/v2/internal/samplernames"
)
-// HTTP rule addresses currently supported by the WAF
-const (
- ServerRequestMethodAddr = "server.request.method"
- ServerRequestRawURIAddr = "server.request.uri.raw"
- ServerRequestHeadersNoCookiesAddr = "server.request.headers.no_cookies"
- ServerRequestCookiesAddr = "server.request.cookies"
- ServerRequestQueryAddr = "server.request.query"
- ServerRequestPathParamsAddr = "server.request.path_params"
- ServerRequestBodyAddr = "server.request.body"
- ServerResponseStatusAddr = "server.response.status"
- ServerResponseHeadersNoCookiesAddr = "server.response.headers.no_cookies"
- HTTPClientIPAddr = "http.client_ip"
- UserIDAddr = "usr.id"
- ServerIoNetURLAddr = "server.io.net.url"
-)
-
-// List of HTTP rule addresses currently supported by the WAF
-var supportedAddresses = listener.AddressSet{
- ServerRequestMethodAddr: {},
- ServerRequestRawURIAddr: {},
- ServerRequestHeadersNoCookiesAddr: {},
- ServerRequestCookiesAddr: {},
- ServerRequestQueryAddr: {},
- ServerRequestPathParamsAddr: {},
- ServerRequestBodyAddr: {},
- ServerResponseStatusAddr: {},
- ServerResponseHeadersNoCookiesAddr: {},
- HTTPClientIPAddr: {},
- UserIDAddr: {},
- ServerIoNetURLAddr: {},
- ossec.ServerIOFSFileAddr: {},
- sqlsec.ServerDBStatementAddr: {},
- sqlsec.ServerDBTypeAddr: {},
-}
-
-// Install registers the HTTP WAF Event Listener on the given root operation.
-func Install(wafHandle *waf.Handle, cfg *config.Config, lim limiter.Limiter, root dyngo.Operation) {
- if listener := newWafEventListener(wafHandle, cfg, lim); listener != nil {
- log.Debug("appsec: registering the HTTP WAF Event Listener")
- dyngo.On(root, listener.onEvent)
- }
+type Feature struct {
+ APISec internal.APISecConfig
}
-type wafEventListener struct {
- wafHandle *waf.Handle
- config *config.Config
- addresses listener.AddressSet
- limiter limiter.Limiter
- wafDiags waf.Diagnostics
- once sync.Once
+func (*Feature) String() string {
+ return "HTTP Security"
}
-// newWAFEventListener returns the WAF event listener to register in order to enable it.
-func newWafEventListener(wafHandle *waf.Handle, cfg *config.Config, limiter limiter.Limiter) *wafEventListener {
- if wafHandle == nil {
- log.Debug("appsec: no WAF Handle available, the HTTP WAF Event Listener will not be registered")
- return nil
+func (*Feature) Stop() {}
+
+func NewHTTPSecFeature(config *config.Config, rootOp dyngo.Operation) (listener.Feature, error) {
+ if !config.SupportedAddresses.AnyOf(addresses.ServerRequestMethodAddr,
+ addresses.ServerRequestRawURIAddr,
+ addresses.ServerRequestHeadersNoCookiesAddr,
+ addresses.ServerRequestCookiesAddr,
+ addresses.ServerRequestQueryAddr,
+ addresses.ServerRequestPathParamsAddr,
+ addresses.ServerRequestBodyAddr,
+ addresses.ServerResponseStatusAddr,
+ addresses.ServerResponseHeadersNoCookiesAddr) {
+ return nil, nil
}
- addresses := listener.FilterAddressSet(supportedAddresses, wafHandle)
- if len(addresses) == 0 {
- log.Debug("appsec: no supported HTTP address is used by currently loaded WAF rules, the HTTP WAF Event Listener will not be registered")
- return nil
+ feature := &Feature{
+ APISec: config.APISec,
}
- return &wafEventListener{
- wafHandle: wafHandle,
- config: cfg,
- addresses: addresses,
- limiter: limiter,
- wafDiags: wafHandle.Diagnostics(),
- }
+ dyngo.On(rootOp, feature.OnRequest)
+ dyngo.OnFinish(rootOp, feature.OnResponse)
+ return feature, nil
}
-func (l *wafEventListener) onEvent(op *types.Operation, args types.HandlerOperationArgs) {
- wafCtx, err := l.wafHandle.NewContextWithBudget(l.config.WAFTimeout)
- if err != nil {
- log.Debug("appsec: could not create budgeted WAF context: %v", err)
- }
- // Early return in the following cases:
- // - wafCtx is nil, meaning it was concurrently released
- // - err is not nil, meaning context creation failed
- if wafCtx == nil || err != nil {
- // The WAF event listener got concurrently released
- return
- }
-
- if SSRFAddressesPresent(l.addresses) {
- dyngo.On(op, shared.MakeWAFRunListener(&op.SecurityEventsHolder, wafCtx, l.limiter, func(args types.RoundTripOperationArgs) waf.RunAddressData {
- return waf.RunAddressData{Ephemeral: map[string]any{ServerIoNetURLAddr: args.URL}}
- }))
- }
-
- if ossec.OSAddressesPresent(l.addresses) {
- ossec.RegisterOpenListener(op, &op.SecurityEventsHolder, wafCtx, l.limiter)
- }
-
- if sqlsec.SQLAddressesPresent(l.addresses) {
- sqlsec.RegisterSQLListener(op, &op.SecurityEventsHolder, wafCtx, l.limiter)
- }
-
- if _, ok := l.addresses[UserIDAddr]; ok {
- // OnUserIDOperationStart happens when appsec.SetUser() is called. We run the WAF and apply actions to
- // see if the associated user should be blocked. Since we don't control the execution flow in this case
- // (SetUser is SDK), we delegate the responsibility of interrupting the handler to the user.
- dyngo.On(op, shared.MakeWAFRunListener(&op.SecurityEventsHolder, wafCtx, l.limiter, func(args sharedsec.UserIDOperationArgs) waf.RunAddressData {
- return waf.RunAddressData{Persistent: map[string]any{UserIDAddr: args.UserID}}
- }))
- }
+func (feature *Feature) OnRequest(op *httpsec.HandlerOperation, args httpsec.HandlerOperationArgs) {
+ tags, ip := ClientIPTags(args.Headers, true, args.RemoteAddr)
+ log.Debug("appsec: http client ip detection returned `%s` given the http headers `%v`", ip, args.Headers)
+
+ op.SetStringTags(tags)
+ headers := headersRemoveCookies(args.Headers)
+ headers["host"] = []string{args.Host}
+
+ setRequestHeadersTags(op, headers)
+
+ op.Run(op,
+ addresses.NewAddressesBuilder().
+ WithMethod(args.Method).
+ WithRawURI(args.RequestURI).
+ WithHeadersNoCookies(headers).
+ WithCookies(args.Cookies).
+ WithQuery(args.QueryParams).
+ WithPathParams(args.PathParams).
+ WithClientIP(ip).
+ Build(),
+ )
+}
- values := make(map[string]any, 8)
- for addr := range l.addresses {
- switch addr {
- case HTTPClientIPAddr:
- if args.ClientIP.IsValid() {
- values[HTTPClientIPAddr] = args.ClientIP.String()
- }
- case ServerRequestMethodAddr:
- values[ServerRequestMethodAddr] = args.Method
- case ServerRequestRawURIAddr:
- values[ServerRequestRawURIAddr] = args.RequestURI
- case ServerRequestHeadersNoCookiesAddr:
- if headers := args.Headers; headers != nil {
- values[ServerRequestHeadersNoCookiesAddr] = headers
- }
- case ServerRequestCookiesAddr:
- if cookies := args.Cookies; cookies != nil {
- values[ServerRequestCookiesAddr] = cookies
- }
- case ServerRequestQueryAddr:
- if query := args.Query; query != nil {
- values[ServerRequestQueryAddr] = query
- }
- case ServerRequestPathParamsAddr:
- if pathParams := args.PathParams; pathParams != nil {
- values[ServerRequestPathParamsAddr] = pathParams
- }
- }
- }
+func (feature *Feature) OnResponse(op *httpsec.HandlerOperation, resp httpsec.HandlerOperationRes) {
+ headers := headersRemoveCookies(resp.Headers)
+ setResponseHeadersTags(op, headers)
- wafResult := shared.RunWAF(wafCtx, waf.RunAddressData{Persistent: values})
- if wafResult.HasActions() || wafResult.HasEvents() {
- interrupt := shared.ProcessActions(op, wafResult.Actions)
- shared.AddSecurityEvents(&op.SecurityEventsHolder, l.limiter, wafResult.Events)
- log.Debug("appsec: WAF detected an attack before executing the request")
- if interrupt {
- wafCtx.Close()
- return
- }
- }
+ builder := addresses.NewAddressesBuilder().
+ WithResponseHeadersNoCookies(headers).
+ WithResponseStatus(resp.StatusCode)
- if _, ok := l.addresses[ServerRequestBodyAddr]; ok {
- dyngo.On(op, shared.MakeWAFRunListener(&op.SecurityEventsHolder, wafCtx, l.limiter, func(args types.SDKBodyOperationArgs) waf.RunAddressData {
- return waf.RunAddressData{Persistent: map[string]any{ServerRequestBodyAddr: args.Body}}
- }))
+ if feature.canExtractSchemas() {
+ builder = builder.ExtractSchema()
}
- dyngo.OnFinish(op, func(op *types.Operation, res types.HandlerOperationRes) {
- defer wafCtx.Close()
-
- values = make(map[string]any, 3)
- if l.canExtractSchemas() {
- // This address will be passed as persistent. The WAF will keep it in store and trigger schema extraction
- // for each run.
- values["waf.context.processor"] = map[string]any{"extract-schema": true}
- }
-
- if _, ok := l.addresses[ServerResponseStatusAddr]; ok {
- // serverResponseStatusAddr is a string address, so we must format the status code...
- values[ServerResponseStatusAddr] = fmt.Sprintf("%d", res.Status)
- }
-
- if _, ok := l.addresses[ServerResponseHeadersNoCookiesAddr]; ok && res.Headers != nil {
- values[ServerResponseHeadersNoCookiesAddr] = res.Headers
- }
-
- // Run the WAF, ignoring the returned actions - if any - since blocking after the request handler's
- // response is not supported at the moment.
- wafResult := shared.RunWAF(wafCtx, waf.RunAddressData{Persistent: values})
-
- // Add WAF metrics.
- shared.AddWAFMonitoringTags(op, l.wafDiags.Version, wafCtx.Stats().Metrics())
-
- // Add the following metrics once per instantiation of a WAF handle
- l.once.Do(func() {
- shared.AddRulesMonitoringTags(op, &l.wafDiags)
- op.SetTag(ext.ManualKeep, samplernames.AppSec)
- })
-
- // Log the attacks if any
- if wafResult.HasEvents() {
- log.Debug("appsec: attack detected by the waf")
- shared.AddSecurityEvents(&op.SecurityEventsHolder, l.limiter, wafResult.Events)
- }
- for tag, value := range wafResult.Derivatives {
- op.AddSerializableTag(tag, value)
- }
- })
+ op.Run(op, builder.Build())
}
// canExtractSchemas checks that API Security is enabled and that sampling rate
// allows extracting schemas
-func (l *wafEventListener) canExtractSchemas() bool {
- return l.config.APISec.Enabled && l.config.APISec.SampleRate >= rand.Float64()
+func (feature *Feature) canExtractSchemas() bool {
+ return feature.APISec.Enabled && feature.APISec.SampleRate >= rand.Float64()
}
diff --git a/internal/appsec/listener/httpsec/request.go b/internal/appsec/listener/httpsec/request.go
new file mode 100644
index 0000000000..cb0e7d8a5d
--- /dev/null
+++ b/internal/appsec/listener/httpsec/request.go
@@ -0,0 +1,167 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package httpsec
+
+import (
+ "net/http"
+ "net/netip"
+ "os"
+ "strings"
+
+ "github.com/DataDog/appsec-internal-go/httpsec"
+
+ "github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/trace"
+)
+
+const (
+ // envClientIPHeader is the name of the env var used to specify the IP header to be used for client IP collection.
+ envClientIPHeader = "DD_TRACE_CLIENT_IP_HEADER"
+)
+
+var (
+ // defaultIPHeaders is the default list of IP-related headers leveraged to
+ // retrieve the public client IP address in RemoteAddr.
+ defaultIPHeaders = []string{
+ "x-forwarded-for",
+ "x-real-ip",
+ "true-client-ip",
+ "x-client-ip",
+ "x-forwarded",
+ "forwarded-for",
+ "x-cluster-client-ip",
+ "fastly-client-ip",
+ "cf-connecting-ip",
+ "cf-connecting-ipv6",
+ }
+
+ // defaultCollectedHeaders is the default list of HTTP headers collected as
+ // request span tags when appsec is enabled.
+ defaultCollectedHeaders = append([]string{
+ "host",
+ "content-length",
+ "content-type",
+ "content-encoding",
+ "content-language",
+ "forwarded",
+ "via",
+ "user-agent",
+ "accept",
+ "accept-encoding",
+ "accept-language",
+ "x-amzn-trace-id",
+ "cloudfront-viewer-ja3-fingerprint",
+ "cf-ray",
+ "x-cloud-trace-context",
+ "x-appgw-trace-id",
+ "akamai-user-risk",
+ "x-sigsci-requestid",
+ "x-sigsci-tags",
+ }, defaultIPHeaders...)
+
+ // collectedHeadersLookupMap is a helper lookup map of HTTP headers to
+ // collect as request span tags when appsec is enabled. It is computed at
+ // init-time based on defaultCollectedHeaders and leveraged by NormalizeHTTPHeaders.
+ collectedHeadersLookupMap map[string]struct{}
+
+ // monitoredClientIPHeadersCfg is the list of IP-related headers leveraged to
+ // retrieve the public client IP address in RemoteAddr. This is defined at init
+ // time in function of the value of the envClientIPHeader environment variable.
+ monitoredClientIPHeadersCfg []string
+)
+
+// ClientIPTags returns the resulting Datadog span tags `http.client_ip`
+// containing the client IP and `network.client.ip` containing the remote IP.
+// The tags are present only if a valid ip address has been returned by
+// RemoteAddr().
+func ClientIPTags(headers map[string][]string, hasCanonicalHeaders bool, remoteAddr string) (tags map[string]string, clientIP netip.Addr) {
+ remoteIP, clientIP := httpsec.ClientIP(headers, hasCanonicalHeaders, remoteAddr, monitoredClientIPHeadersCfg)
+ tags = httpsec.ClientIPTags(remoteIP, clientIP)
+ return tags, clientIP
+}
+
+// NormalizeHTTPHeaders returns the HTTP headers following Datadog's
+// normalization format.
+func NormalizeHTTPHeaders(headers map[string][]string) (normalized map[string]string) {
+ if len(headers) == 0 {
+ return nil
+ }
+ normalized = make(map[string]string, len(collectedHeadersLookupMap))
+ for k, v := range headers {
+ k = normalizeHTTPHeaderName(k)
+ if _, found := collectedHeadersLookupMap[k]; found {
+ normalized[k] = normalizeHTTPHeaderValue(v)
+ }
+ }
+ if len(normalized) == 0 {
+ return nil
+ }
+ return normalized
+}
+
+// Remove cookies from the request headers and return the map of headers
+// Used from `server.request.headers.no_cookies` and server.response.headers.no_cookies` addresses for the WAF
+func headersRemoveCookies(headers http.Header) map[string][]string {
+ headersNoCookies := make(http.Header, len(headers))
+ for k, v := range headers {
+ k := strings.ToLower(k)
+ if k == "cookie" {
+ continue
+ }
+ headersNoCookies[k] = v
+ }
+ return headersNoCookies
+}
+
+func normalizeHTTPHeaderName(name string) string {
+ return strings.ToLower(name)
+}
+
+func normalizeHTTPHeaderValue(values []string) string {
+ return strings.Join(values, ",")
+}
+
+func init() {
+ makeCollectedHTTPHeadersLookupMap()
+ readMonitoredClientIPHeadersConfig()
+}
+
+func makeCollectedHTTPHeadersLookupMap() {
+ collectedHeadersLookupMap = make(map[string]struct{}, len(defaultCollectedHeaders))
+ for _, h := range defaultCollectedHeaders {
+ collectedHeadersLookupMap[h] = struct{}{}
+ }
+}
+
+func readMonitoredClientIPHeadersConfig() {
+ if header := os.Getenv(envClientIPHeader); header != "" {
+ // Make this header the only one to consider in RemoteAddr
+ monitoredClientIPHeadersCfg = []string{header}
+
+ // Add this header to the list of collected headers
+ header = normalizeHTTPHeaderName(header)
+ collectedHeadersLookupMap[header] = struct{}{}
+ } else {
+ // No specific IP header was configured, use the default list
+ monitoredClientIPHeadersCfg = defaultIPHeaders
+ }
+}
+
+// setRequestHeadersTags sets the AppSec-specific request headers span tags.
+func setRequestHeadersTags(span trace.TagSetter, headers map[string][]string) {
+ setHeadersTags(span, "http.request.headers.", headers)
+}
+
+// setResponseHeadersTags sets the AppSec-specific response headers span tags.
+func setResponseHeadersTags(span trace.TagSetter, headers map[string][]string) {
+ setHeadersTags(span, "http.response.headers.", headers)
+}
+
+// setHeadersTags sets the AppSec-specific headers span tags.
+func setHeadersTags(span trace.TagSetter, tagPrefix string, headers map[string][]string) {
+ for h, v := range NormalizeHTTPHeaders(headers) {
+ span.SetTag(tagPrefix+h, v)
+ }
+}
diff --git a/internal/appsec/listener/httpsec/request_test.go b/internal/appsec/listener/httpsec/request_test.go
new file mode 100644
index 0000000000..402c05e4ff
--- /dev/null
+++ b/internal/appsec/listener/httpsec/request_test.go
@@ -0,0 +1,241 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package httpsec
+
+import (
+ "fmt"
+ "net"
+ "net/netip"
+ "testing"
+
+ "github.com/stretchr/testify/require"
+ "google.golang.org/grpc/metadata"
+
+ "github.com/DataDog/dd-trace-go/v2/ddtrace/ext"
+ "github.com/DataDog/dd-trace-go/v2/internal/appsec/listener/waf"
+ "github.com/DataDog/dd-trace-go/v2/internal/samplernames"
+)
+
+func TestClientIP(t *testing.T) {
+ for _, tc := range []struct {
+ name string
+ addr net.Addr
+ md metadata.MD
+ expectedClientIP string
+ }{
+ {
+ name: "tcp-ipv4-address",
+ addr: &net.TCPAddr{IP: net.ParseIP("1.2.3.4"), Port: 6789},
+ expectedClientIP: "1.2.3.4",
+ },
+ {
+ name: "tcp-ipv4-address",
+ addr: &net.TCPAddr{IP: net.ParseIP("1.2.3.4"), Port: 6789},
+ md: map[string][]string{"x-client-ip": {"127.0.0.1, 2.3.4.5"}},
+ expectedClientIP: "2.3.4.5",
+ },
+ {
+ name: "tcp-ipv6-address",
+ addr: &net.TCPAddr{IP: net.ParseIP("::1"), Port: 6789},
+ expectedClientIP: "::1",
+ },
+ {
+ name: "udp-ipv4-address",
+ addr: &net.UDPAddr{IP: net.ParseIP("1.2.3.4"), Port: 6789},
+ expectedClientIP: "1.2.3.4",
+ },
+ {
+ name: "udp-ipv6-address",
+ addr: &net.UDPAddr{IP: net.ParseIP("::1"), Port: 6789},
+ expectedClientIP: "::1",
+ },
+ {
+ name: "unix-socket-address",
+ addr: &net.UnixAddr{Name: "/var/my.sock"},
+ },
+ } {
+ tc := tc
+ t.Run(tc.name, func(t *testing.T) {
+ _, clientIP := ClientIPTags(tc.md, false, tc.addr.String())
+ expectedClientIP, _ := netip.ParseAddr(tc.expectedClientIP)
+ require.Equal(t, expectedClientIP.String(), clientIP.String())
+ })
+ }
+}
+
+func TestNormalizeHTTPHeaders(t *testing.T) {
+ for _, tc := range []struct {
+ headers map[string][]string
+ expected map[string]string
+ }{
+ {
+ headers: nil,
+ expected: nil,
+ },
+ {
+ headers: map[string][]string{
+ "cookie": {"not-collected"},
+ },
+ expected: nil,
+ },
+ {
+ headers: map[string][]string{
+ "cookie": {"not-collected"},
+ "x-forwarded-for": {"1.2.3.4,5.6.7.8"},
+ },
+ expected: map[string]string{
+ "x-forwarded-for": "1.2.3.4,5.6.7.8",
+ },
+ },
+ {
+ headers: map[string][]string{
+ "cookie": {"not-collected"},
+ "x-forwarded-for": {"1.2.3.4,5.6.7.8", "9.10.11.12,13.14.15.16"},
+ },
+ expected: map[string]string{
+ "x-forwarded-for": "1.2.3.4,5.6.7.8,9.10.11.12,13.14.15.16",
+ },
+ },
+ } {
+ headers := NormalizeHTTPHeaders(tc.headers)
+ require.Equal(t, tc.expected, headers)
+ }
+}
+
+type MockSpan struct {
+ Tags map[string]any
+}
+
+func (m *MockSpan) SetTag(key string, value interface{}) {
+ if m.Tags == nil {
+ m.Tags = make(map[string]any)
+ }
+ if key == ext.ManualKeep {
+ if value == samplernames.AppSec {
+ m.Tags[ext.ManualKeep] = true
+ }
+ } else {
+ m.Tags[key] = value
+ }
+}
+
+func TestTags(t *testing.T) {
+ for _, eventCase := range []struct {
+ name string
+ events []any
+ expectedTag string
+ expectedError bool
+ }{
+ {
+ name: "no-event",
+ events: nil,
+ },
+ {
+ name: "one-event",
+ events: []any{"one"},
+ expectedTag: `{"triggers":["one"]}`,
+ },
+ {
+ name: "two-events",
+ events: []any{"one", "two"},
+ expectedTag: `{"triggers":["one","two"]}`,
+ },
+ } {
+ eventCase := eventCase
+ for _, reqHeadersCase := range []struct {
+ name string
+ headers map[string][]string
+ expectedTags map[string]interface{}
+ }{
+ {
+ name: "zero-headers",
+ },
+ {
+ name: "xff-header",
+ headers: map[string][]string{
+ "X-Forwarded-For": {"1.2.3.4", "4.5.6.7"},
+ "my-header": {"something"},
+ },
+ expectedTags: map[string]interface{}{
+ "http.request.headers.x-forwarded-for": "1.2.3.4,4.5.6.7",
+ },
+ },
+ {
+ name: "xff-header",
+ headers: map[string][]string{
+ "X-Forwarded-For": {"1.2.3.4"},
+ "my-header": {"something"},
+ },
+ expectedTags: map[string]interface{}{
+ "http.request.headers.x-forwarded-for": "1.2.3.4",
+ },
+ },
+ {
+ name: "no-monitored-headers",
+ headers: map[string][]string{
+ "my-header": {"something"},
+ },
+ },
+ } {
+ reqHeadersCase := reqHeadersCase
+ for _, respHeadersCase := range []struct {
+ name string
+ headers map[string][]string
+ expectedTags map[string]interface{}
+ }{
+ {
+ name: "zero-headers",
+ },
+ {
+ name: "ct-header",
+ headers: map[string][]string{
+ "Content-Type": {"application/json"},
+ "my-header": {"something"},
+ },
+ expectedTags: map[string]interface{}{
+ "http.response.headers.content-type": "application/json",
+ },
+ },
+ {
+ name: "no-monitored-headers",
+ headers: map[string][]string{
+ "my-header": {"something"},
+ },
+ },
+ } {
+ respHeadersCase := respHeadersCase
+ t.Run(fmt.Sprintf("%s-%s-%s", eventCase.name, reqHeadersCase.name, respHeadersCase.name), func(t *testing.T) {
+ var span MockSpan
+ err := waf.SetEventSpanTags(&span, eventCase.events)
+ if eventCase.expectedError {
+ require.Error(t, err)
+ return
+ }
+ require.NoError(t, err)
+ setRequestHeadersTags(&span, reqHeadersCase.headers)
+ setResponseHeadersTags(&span, respHeadersCase.headers)
+
+ if eventCase.events != nil {
+ require.Subset(t, span.Tags, map[string]interface{}{
+ "_dd.appsec.json": eventCase.expectedTag,
+ "manual.keep": true,
+ "appsec.event": true,
+ "_dd.origin": "appsec",
+ })
+ }
+
+ if l := len(reqHeadersCase.expectedTags); l > 0 {
+ require.Subset(t, span.Tags, reqHeadersCase.expectedTags)
+ }
+
+ if l := len(respHeadersCase.expectedTags); l > 0 {
+ require.Subset(t, span.Tags, respHeadersCase.expectedTags)
+ }
+ })
+ }
+ }
+ }
+}
diff --git a/internal/appsec/listener/httpsec/roundtripper.go b/internal/appsec/listener/httpsec/roundtripper.go
index 8e51a4f2f7..2d2dcc8358 100644
--- a/internal/appsec/listener/httpsec/roundtripper.go
+++ b/internal/appsec/listener/httpsec/roundtripper.go
@@ -16,14 +16,27 @@ import (
"github.com/DataDog/go-libddwaf/v3"
)
-// RegisterRoundTripperListener registers a listener on outgoing HTTP client requests to run the WAF.
-func RegisterRoundTripperListener(op dyngo.Operation, events *trace.SecurityEventsHolder, wafCtx *waf.Context, limiter limiter.Limiter) {
- dyngo.On(op, sharedsec.MakeWAFRunListener(events, wafCtx, limiter, func(args types.RoundTripOperationArgs) waf.RunAddressData {
- return waf.RunAddressData{Ephemeral: map[string]any{ServerIoNetURLAddr: args.URL}}
- }))
+type SSRFProtectionFeature struct{}
+
+func (*SSRFProtectionFeature) String() string {
+ return "SSRF Protection"
+}
+
+func (*SSRFProtectionFeature) Stop() {}
+
+func NewSSRFProtectionFeature(config *config.Config, rootOp dyngo.Operation) (listener.Feature, error) {
+ if !config.RASP || !config.SupportedAddresses.AnyOf(addresses.ServerIoNetURLAddr) {
+ return nil, nil
+ }
+
+ feature := &SSRFProtectionFeature{}
+ dyngo.On(rootOp, feature.OnStart)
+ return feature, nil
}
-func SSRFAddressesPresent(addresses listener.AddressSet) bool {
- _, urlAddr := addresses[ServerIoNetURLAddr]
- return urlAddr
+func (*SSRFProtectionFeature) OnStart(op *httpsec.RoundTripOperation, args httpsec.RoundTripOperationArgs) {
+ dyngo.EmitData(op, waf.RunEvent{
+ Operation: op,
+ RunAddressData: addresses.NewAddressesBuilder().WithURL(args.URL).Build(),
+ })
}
diff --git a/internal/appsec/listener/ossec/lfi.go b/internal/appsec/listener/ossec/lfi.go
index 80398f1c86..a8f5ee2257 100644
--- a/internal/appsec/listener/ossec/lfi.go
+++ b/internal/appsec/listener/ossec/lfi.go
@@ -19,28 +19,37 @@ import (
"github.com/DataDog/dd-trace-go/v2/internal/appsec/listener/sharedsec"
)
-const (
- ServerIOFSFileAddr = "server.io.fs.file"
-)
+type Feature struct{}
-func RegisterOpenListener(op dyngo.Operation, eventsHolder *trace.SecurityEventsHolder, wafCtx *waf.Context, limiter limiter.Limiter) {
- runWAF := sharedsec.MakeWAFRunListener(eventsHolder, wafCtx, limiter, func(args ossec.OpenOperationArgs) waf.RunAddressData {
- return waf.RunAddressData{Ephemeral: map[string]any{ServerIOFSFileAddr: args.Path}}
- })
+func (*Feature) String() string {
+ return "LFI Protection"
+}
+
+func (*Feature) Stop() {}
+
+func NewOSSecFeature(cfg *config.Config, rootOp dyngo.Operation) (listener.Feature, error) {
+ if !cfg.RASP || !cfg.SupportedAddresses.AnyOf(addresses.ServerIOFSFileAddr) {
+ return nil, nil
+ }
- dyngo.On(op, func(op *ossec.OpenOperation, args ossec.OpenOperationArgs) {
- dyngo.OnData(op, func(e *events.BlockingSecurityEvent) {
- dyngo.OnFinish(op, func(_ *ossec.OpenOperation, res ossec.OpenOperationRes[*os.File]) {
- if res.Err != nil {
- *res.Err = e
- }
- })
+ feature := &Feature{}
+ dyngo.On(rootOp, feature.OnStart)
+ return feature, nil
+}
+
+func (*Feature) OnStart(op *ossec.OpenOperation, args ossec.OpenOperationArgs) {
+ dyngo.OnData(op, func(err *events.BlockingSecurityEvent) {
+ dyngo.OnFinish(op, func(_ *ossec.OpenOperation, res ossec.OpenOperationRes[*os.File]) {
+ if res.Err != nil {
+ *res.Err = err
+ }
})
- runWAF(op, args)
})
-}
-func OSAddressesPresent(addresses listener.AddressSet) bool {
- _, fileAddr := addresses[ServerIOFSFileAddr]
- return fileAddr
+ dyngo.EmitData(op, waf.RunEvent{
+ Operation: op,
+ RunAddressData: addresses.NewAddressesBuilder().
+ WithFilePath(args.Path).
+ Build(),
+ })
}
diff --git a/internal/appsec/listener/sqlsec/sql.go b/internal/appsec/listener/sqlsec/sql.go
index 7ec6e45711..b5aaa7cdce 100644
--- a/internal/appsec/listener/sqlsec/sql.go
+++ b/internal/appsec/listener/sqlsec/sql.go
@@ -16,21 +16,30 @@ import (
waf "github.com/DataDog/go-libddwaf/v3"
)
-const (
- ServerDBStatementAddr = "server.db.statement"
- ServerDBTypeAddr = "server.db.system"
-)
+type Feature struct{}
-func RegisterSQLListener(op dyngo.Operation, events *trace.SecurityEventsHolder, wafCtx *waf.Context, limiter limiter.Limiter) {
- dyngo.On(op, sharedsec.MakeWAFRunListener(events, wafCtx, limiter, func(args types.SQLOperationArgs) waf.RunAddressData {
- return waf.RunAddressData{Ephemeral: map[string]any{ServerDBStatementAddr: args.Query, ServerDBTypeAddr: args.Driver}}
- }))
+func (*Feature) String() string {
+ return "SQLi Protection"
}
-func SQLAddressesPresent(addresses listener.AddressSet) bool {
- _, queryAddr := addresses[ServerDBStatementAddr]
- _, driverAddr := addresses[ServerDBTypeAddr]
+func (*Feature) Stop() {}
+
+func NewSQLSecFeature(cfg *config.Config, rootOp dyngo.Operation) (listener.Feature, error) {
+ if !cfg.RASP || !cfg.SupportedAddresses.AnyOf(addresses.ServerDBTypeAddr, addresses.ServerDBStatementAddr) {
+ return nil, nil
+ }
- return queryAddr || driverAddr
+ feature := &Feature{}
+ dyngo.On(rootOp, feature.OnStart)
+ return feature, nil
+}
+func (*Feature) OnStart(op *sqlsec.SQLOperation, args sqlsec.SQLOperationArgs) {
+ dyngo.EmitData(op, waf.RunEvent{
+ Operation: op,
+ RunAddressData: addresses.NewAddressesBuilder().
+ WithDBStatement(args.Query).
+ WithDBType(args.Driver).
+ Build(),
+ })
}
diff --git a/internal/appsec/listener/trace/trace.go b/internal/appsec/listener/trace/trace.go
new file mode 100644
index 0000000000..83d580f7b4
--- /dev/null
+++ b/internal/appsec/listener/trace/trace.go
@@ -0,0 +1,53 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package trace
+
+import (
+ "github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
+ "github.com/DataDog/dd-trace-go/v2/internal/appsec/config"
+ "github.com/DataDog/dd-trace-go/v2/internal/appsec/emitter/trace"
+ "github.com/DataDog/dd-trace-go/v2/internal/appsec/listener"
+)
+
+// AppSec-specific span tags that are expected to
+// be in the web service entry span (span of type `web`) when AppSec is enabled.
+var staticAppsecTags = map[string]any{
+ "_dd.appsec.enabled": 1,
+ "_dd.runtime_family": "go",
+}
+
+type AppsecSpanTransport struct{}
+
+func (*AppsecSpanTransport) String() string {
+ return "Appsec Span Transport"
+}
+
+func (*AppsecSpanTransport) Stop() {}
+
+func NewAppsecSpanTransport(_ *config.Config, rootOp dyngo.Operation) (listener.Feature, error) {
+ ast := &AppsecSpanTransport{}
+
+ dyngo.On(rootOp, ast.OnServiceEntryStart)
+ dyngo.On(rootOp, ast.OnSpanStart)
+
+ return ast, nil
+}
+
+// OnServiceEntryStart is the start listener of the trace.ServiceEntrySpanOperation start event.
+// It listens for tags and serializable tags and sets them on the span when finishing the operation.
+func (*AppsecSpanTransport) OnServiceEntryStart(op *trace.ServiceEntrySpanOperation, _ trace.ServiceEntrySpanArgs) {
+ op.SetTags(staticAppsecTags)
+ dyngo.OnData(op, op.OnSpanTagEvent)
+ dyngo.OnData(op, op.OnServiceEntrySpanTagEvent)
+ dyngo.OnData(op, op.OnJSONServiceEntrySpanTagEvent)
+ dyngo.OnData(op, op.OnServiceEntrySpanTagsBulkEvent)
+}
+
+// OnSpanStart is the start listener of the trace.SpanOperation start event.
+// It listens for tags and sets them on the current span when finishing the operation.
+func (*AppsecSpanTransport) OnSpanStart(op *trace.SpanOperation, _ trace.SpanArgs) {
+ dyngo.OnData(op, op.OnSpanTagEvent)
+}
diff --git a/internal/appsec/listener/usersec/usec.go b/internal/appsec/listener/usersec/usec.go
new file mode 100644
index 0000000000..19fc6c91ae
--- /dev/null
+++ b/internal/appsec/listener/usersec/usec.go
@@ -0,0 +1,54 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package usersec
+
+import (
+ "github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
+ "github.com/DataDog/dd-trace-go/v2/internal/appsec/config"
+ "github.com/DataDog/dd-trace-go/v2/internal/appsec/emitter/usersec"
+ "github.com/DataDog/dd-trace-go/v2/internal/appsec/emitter/waf"
+ "github.com/DataDog/dd-trace-go/v2/internal/appsec/emitter/waf/addresses"
+ "github.com/DataDog/dd-trace-go/v2/internal/appsec/listener"
+)
+
+type Feature struct{}
+
+func (*Feature) String() string {
+ return "User Security"
+}
+
+func (*Feature) Stop() {}
+
+func NewUserSecFeature(cfg *config.Config, rootOp dyngo.Operation) (listener.Feature, error) {
+ if !cfg.SupportedAddresses.AnyOf(
+ addresses.UserIDAddr,
+ addresses.UserSessionIDAddr,
+ addresses.UserLoginSuccessAddr,
+ addresses.UserLoginFailureAddr) {
+ return nil, nil
+ }
+
+ feature := &Feature{}
+ dyngo.OnFinish(rootOp, feature.OnFinish)
+ return feature, nil
+}
+
+func (*Feature) OnFinish(op *usersec.UserLoginOperation, res usersec.UserLoginOperationRes) {
+ builder := addresses.NewAddressesBuilder().
+ WithUserID(res.UserID).
+ WithUserSessionID(res.SessionID)
+
+ if res.Success {
+ builder = builder.WithUserLoginSuccess()
+ } else {
+ builder = builder.WithUserLoginFailure()
+ }
+
+ dyngo.EmitData(op, waf.RunEvent{
+ Operation: op,
+ RunAddressData: builder.Build(),
+ })
+}
diff --git a/internal/appsec/listener/waf/tags.go b/internal/appsec/listener/waf/tags.go
new file mode 100644
index 0000000000..1600d418b3
--- /dev/null
+++ b/internal/appsec/listener/waf/tags.go
@@ -0,0 +1,101 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package waf
+
+import (
+ "encoding/json"
+ "fmt"
+
+ waf "github.com/DataDog/go-libddwaf/v3"
+
+ "github.com/DataDog/dd-trace-go/v2/internal/log"
+
+ "github.com/DataDog/dd-trace-go/v2/ddtrace/ext"
+ "github.com/DataDog/dd-trace-go/v2/internal/appsec/emitter/trace"
+ "github.com/DataDog/dd-trace-go/v2/internal/samplernames"
+)
+
+const (
+ wafSpanTagPrefix = "_dd.appsec."
+ eventRulesVersionTag = wafSpanTagPrefix + "event_rules.version"
+ eventRulesErrorsTag = wafSpanTagPrefix + "event_rules.errors"
+ eventRulesLoadedTag = wafSpanTagPrefix + "event_rules.loaded"
+ eventRulesFailedTag = wafSpanTagPrefix + "event_rules.error_count"
+ wafVersionTag = wafSpanTagPrefix + "waf.version"
+
+ // BlockedRequestTag used to convey whether a request is blocked
+ BlockedRequestTag = "appsec.blocked"
+)
+
+// AddRulesMonitoringTags adds the tags related to security rules monitoring
+func AddRulesMonitoringTags(th trace.TagSetter, wafDiags waf.Diagnostics) {
+ rInfo := wafDiags.Rules
+ if rInfo == nil {
+ return
+ }
+
+ var rulesetErrors []byte
+ var err error
+ rulesetErrors, err = json.Marshal(wafDiags.Rules.Errors)
+ if err != nil {
+ log.Error("appsec: could not marshal the waf ruleset info errors to json")
+ }
+ th.SetTag(eventRulesErrorsTag, string(rulesetErrors))
+ th.SetTag(eventRulesLoadedTag, len(rInfo.Loaded))
+ th.SetTag(eventRulesFailedTag, len(rInfo.Failed))
+ th.SetTag(wafVersionTag, waf.Version())
+ th.SetTag(ext.ManualKeep, samplernames.AppSec)
+}
+
+// AddWAFMonitoringTags adds the tags related to the monitoring of the Feature
+func AddWAFMonitoringTags(th trace.TagSetter, rulesVersion string, stats map[string]any) {
+ // Rules version is set for every request to help the backend associate Feature duration metrics with rule version
+ th.SetTag(eventRulesVersionTag, rulesVersion)
+
+ // Report the stats sent by the Feature
+ for k, v := range stats {
+ th.SetTag(wafSpanTagPrefix+k, v)
+ }
+}
+
+// SetEventSpanTags sets the security event span tags into the service entry span.
+func SetEventSpanTags(span trace.TagSetter, events []any) error {
+ if len(events) == 0 {
+ return nil
+ }
+
+ // Set the appsec event span tag
+ val, err := makeEventTagValue(events)
+ if err != nil {
+ return err
+ }
+ span.SetTag("_dd.appsec.json", string(val))
+ // Keep this span due to the security event
+ //
+ // This is a workaround to tell the tracer that the trace was kept by AppSec.
+ // Passing any other value than `appsec.SamplerAppSec` has no effect.
+ // Customers should use `span.SetTag(ext.ManualKeep, true)` pattern
+ // to keep the trace, manually.
+ span.SetTag(ext.ManualKeep, samplernames.AppSec)
+ span.SetTag("_dd.origin", "appsec")
+ // Set the appsec.event tag needed by the appsec backend
+ span.SetTag("appsec.event", true)
+ return nil
+}
+
+// Create the value of the security event tag.
+func makeEventTagValue(events []any) (json.RawMessage, error) {
+ type eventTagValue struct {
+ Triggers []any `json:"triggers"`
+ }
+
+ tag, err := json.Marshal(eventTagValue{events})
+ if err != nil {
+ return nil, fmt.Errorf("unexpected error while serializing the appsec event span tag: %v", err)
+ }
+
+ return tag, nil
+}
diff --git a/internal/appsec/listener/sharedsec/shared_test.go b/internal/appsec/listener/waf/tags_test.go
similarity index 77%
rename from internal/appsec/listener/sharedsec/shared_test.go
rename to internal/appsec/listener/waf/tags_test.go
index 8d0cae627b..5402ed4a2d 100644
--- a/internal/appsec/listener/sharedsec/shared_test.go
+++ b/internal/appsec/listener/waf/tags_test.go
@@ -1,9 +1,9 @@
// Unless explicitly stated otherwise all files in this repository are licensed
// under the Apache License Version 2.0.
// This product includes software developed at Datadog (https://www.datadoghq.com/).
-// Copyright 2016 Datadog, Inc.
+// Copyright 2024 Datadog, Inc.
-package sharedsec
+package waf
import (
"testing"
@@ -22,7 +22,7 @@ const (
// Test that internal functions used to set span tags use the correct types
func TestTagsTypes(t *testing.T) {
- th := trace.NewTagsHolder()
+ th := make(trace.TestTagSetter)
wafDiags := waf.Diagnostics{
Version: "1.3.0",
Rules: &waf.DiagnosticEntry{
@@ -32,14 +32,16 @@ func TestTagsTypes(t *testing.T) {
},
}
- AddRulesMonitoringTags(&th, &wafDiags)
+ AddRulesMonitoringTags(&th, wafDiags)
stats := map[string]any{
- wafDurationTag: 10,
- wafDurationExtTag: 20,
- wafTimeoutTag: 0,
- "_dd.appsec.waf.truncations.depth": []int{1, 2, 3},
- "_dd.appsec.waf.run": 12000,
+ "waf.duration": 10,
+ "rasp.duration": 10,
+ "waf.duration_ext": 20,
+ "rasp.duration_ext": 20,
+ "waf.timeouts": 0,
+ "waf.truncations.depth": []int{1, 2, 3},
+ "waf.run": 12000,
}
AddWAFMonitoringTags(&th, "1.2.3", stats)
diff --git a/internal/appsec/listener/waf/waf.go b/internal/appsec/listener/waf/waf.go
new file mode 100644
index 0000000000..7055ec1836
--- /dev/null
+++ b/internal/appsec/listener/waf/waf.go
@@ -0,0 +1,128 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package waf
+
+import (
+ "fmt"
+ "sync"
+ "time"
+
+ "github.com/DataDog/appsec-internal-go/limiter"
+ wafv3 "github.com/DataDog/go-libddwaf/v3"
+
+ "github.com/DataDog/dd-trace-go/v2/internal/appsec/listener"
+
+ "github.com/DataDog/dd-trace-go/v2/appsec/events"
+ "github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
+ "github.com/DataDog/dd-trace-go/v2/internal/appsec/config"
+ "github.com/DataDog/dd-trace-go/v2/internal/appsec/emitter/waf"
+ "github.com/DataDog/dd-trace-go/v2/internal/appsec/emitter/waf/actions"
+ "github.com/DataDog/dd-trace-go/v2/internal/log"
+ "github.com/DataDog/dd-trace-go/v2/internal/stacktrace"
+)
+
+type Feature struct {
+ timeout time.Duration
+ limiter *limiter.TokenTicker
+ handle *wafv3.Handle
+ supportedAddrs config.AddressSet
+ reportRulesTags sync.Once
+}
+
+func NewWAFFeature(cfg *config.Config, rootOp dyngo.Operation) (listener.Feature, error) {
+ if ok, err := wafv3.Load(); err != nil {
+ // 1. If there is an error and the loading is not ok: log as an unexpected error case and quit appsec
+ // Note that we assume here that the test for the unsupported target has been done before calling
+ // this method, so it is now considered an error for this method
+ if !ok {
+ return nil, fmt.Errorf("error while loading libddwaf: %w", err)
+ }
+ // 2. If there is an error and the loading is ok: log as an informative error where appsec can be used
+ log.Error("appsec: non-critical error while loading libddwaf: %v", err)
+ }
+
+ newHandle, err := wafv3.NewHandle(cfg.RulesManager.Latest, cfg.Obfuscator.KeyRegex, cfg.Obfuscator.ValueRegex)
+ if err != nil {
+ return nil, err
+ }
+
+ cfg.SupportedAddresses = config.NewAddressSet(newHandle.Addresses())
+
+ tokenTicker := limiter.NewTokenTicker(cfg.TraceRateLimit, cfg.TraceRateLimit)
+ tokenTicker.Start()
+
+ feature := &Feature{
+ handle: newHandle,
+ timeout: cfg.WAFTimeout,
+ limiter: tokenTicker,
+ supportedAddrs: cfg.SupportedAddresses,
+ }
+
+ dyngo.On(rootOp, feature.onStart)
+ dyngo.OnFinish(rootOp, feature.onFinish)
+
+ return feature, nil
+}
+
+func (waf *Feature) onStart(op *waf.ContextOperation, _ waf.ContextArgs) {
+ waf.reportRulesTags.Do(func() {
+ AddRulesMonitoringTags(op, waf.handle.Diagnostics())
+ })
+
+ ctx, err := waf.handle.NewContextWithBudget(waf.timeout)
+ if err != nil {
+ log.Debug("appsec: failed to create Feature context: %v", err)
+ }
+
+ op.SwapContext(ctx)
+ op.SetLimiter(waf.limiter)
+ op.SetSupportedAddresses(waf.supportedAddrs)
+
+ // Run the WAF with the given address data
+ dyngo.OnData(op, op.OnEvent)
+
+ waf.SetupActionHandlers(op)
+}
+
+func (waf *Feature) SetupActionHandlers(op *waf.ContextOperation) {
+ // Set the blocking tag on the operation when a blocking event is received
+ dyngo.OnData(op, func(_ *events.BlockingSecurityEvent) {
+ op.SetTag(BlockedRequestTag, true)
+ })
+
+ // Register the stacktrace if one is requested by a WAF action
+ dyngo.OnData(op, func(err *actions.StackTraceAction) {
+ op.AddStackTraces(err.Event)
+ })
+}
+
+func (waf *Feature) onFinish(op *waf.ContextOperation, _ waf.ContextRes) {
+ ctx := op.SwapContext(nil)
+ if ctx == nil {
+ return
+ }
+
+ ctx.Close()
+
+ AddWAFMonitoringTags(op, waf.handle.Diagnostics().Version, ctx.Stats().Metrics())
+ if err := SetEventSpanTags(op, op.Events()); err != nil {
+ log.Debug("appsec: failed to set event span tags: %v", err)
+ }
+
+ op.SetSerializableTags(op.Derivatives())
+ if stacks := op.StackTraces(); len(stacks) > 0 {
+ op.SetTag(stacktrace.SpanKey, stacktrace.GetSpanValue(stacks...))
+ }
+}
+
+func (*Feature) String() string {
+ return "Web Application Firewall"
+}
+
+func (waf *Feature) Stop() {
+ waf.limiter.Stop()
+ waf.handle.Close()
+}
diff --git a/internal/appsec/remoteconfig.go b/internal/appsec/remoteconfig.go
index 10b1252b6a..6902d6793d 100644
--- a/internal/appsec/remoteconfig.go
+++ b/internal/appsec/remoteconfig.go
@@ -9,6 +9,7 @@ import (
"encoding/json"
"errors"
"fmt"
+ "maps"
"os"
"github.com/DataDog/dd-trace-go/v2/internal/appsec/config"
@@ -41,20 +42,13 @@ func statusesFromUpdate(u remoteconfig.ProductUpdate, ack bool, err error) map[s
return statuses
}
-func mergeMaps[K comparable, V any](m1 map[K]V, m2 map[K]V) map[K]V {
- for key, value := range m2 {
- m1[key] = value
- }
- return m1
-}
-
// combineRCRulesUpdates updates the state of the given RulesManager with the combination of all the provided rules updates
func combineRCRulesUpdates(r *config.RulesManager, updates map[string]remoteconfig.ProductUpdate) (statuses map[string]rc.ApplyStatus, err error) {
// Spare some re-allocations (but there may still be some because 1 update may contain N configs)
statuses = make(map[string]rc.ApplyStatus, len(updates))
// Set the default statuses for all updates to unacknowledged
for _, u := range updates {
- statuses = mergeMaps(statuses, statusesFromUpdate(u, false, nil))
+ maps.Copy(statuses, statusesFromUpdate(u, false, nil))
}
updateLoop:
@@ -66,9 +60,9 @@ updateLoop:
switch p {
case rc.ProductASMData:
// Merge all rules data entries together and store them as a RulesManager edit entry
- rulesData, status := mergeRulesData(u)
- statuses = mergeMaps(statuses, status)
- r.AddEdit("asmdata", config.RulesFragment{RulesData: rulesData})
+ fragment, status := mergeASMDataUpdates(u)
+ maps.Copy(statuses, status)
+ r.AddEdit("asmdata", fragment)
case rc.ProductASMDD:
var (
removalFound = false
@@ -83,7 +77,7 @@ updateLoop:
}
// Already seen a removal or an update, return an error
if err != nil {
- statuses = mergeMaps(statuses, statusesFromUpdate(u, true, err))
+ maps.Copy(statuses, statusesFromUpdate(u, true, err))
break updateLoop
}
@@ -103,7 +97,7 @@ updateLoop:
if removalFound {
log.Debug("appsec: Remote config: ASM_DD config removed. Switching back to default rules")
r.ChangeBase(config.DefaultRulesFragment(), "")
- statuses = mergeMaps(statuses, statusesFromUpdate(u, true, nil))
+ maps.Copy(statuses, statusesFromUpdate(u, true, nil))
}
continue
}
@@ -145,7 +139,7 @@ updateLoop:
// Set all statuses to ack if no error occured
if err == nil {
for _, u := range updates {
- statuses = mergeMaps(statuses, statusesFromUpdate(u, true, nil))
+ maps.Copy(statuses, statusesFromUpdate(u, true, nil))
}
}
@@ -182,17 +176,18 @@ func (a *appsec) onRCRulesUpdate(updates map[string]remoteconfig.ProductUpdate)
r.Compile()
log.Debug("appsec: Remote config: final compiled rules: %s", r.String())
+ // Replace the RulesManager with the new one holding the new state
+ a.cfg.RulesManager = &r
+
// If an error occurs while updating the WAF handle, don't swap the RulesManager and propagate the error
// to all config statuses since we can't know which config is the faulty one
- if err = a.swapWAF(r.Latest); err != nil {
+ if err = a.SwapRootOperation(); err != nil {
log.Error("appsec: Remote config: could not apply the new security rules: %v", err)
for k := range statuses {
statuses[k] = genApplyStatus(true, err)
}
return statuses
}
- // Replace the RulesManager with the new one holding the new state
- a.cfg.RulesManager = &r
return statuses
}
@@ -240,12 +235,41 @@ func (a *appsec) handleASMFeatures(u remoteconfig.ProductUpdate) map[string]rc.A
return statuses
}
-func mergeRulesData(u remoteconfig.ProductUpdate) ([]config.RuleDataEntry, map[string]rc.ApplyStatus) {
+func mergeASMDataUpdates(u remoteconfig.ProductUpdate) (config.RulesFragment, map[string]rc.ApplyStatus) {
// Following the RFC, merging should only happen when two rules data with the same ID and same Type are received
- // allRulesData[ID][Type] will return the rules data of said id and type, if it exists
- allRulesData := make(map[string]map[string]config.RuleDataEntry)
+ type mapKey struct {
+ id string
+ typ string
+ }
+ mergedRulesData := make(map[mapKey]config.DataEntry)
+ mergedExclusionData := make(map[mapKey]config.DataEntry)
statuses := statusesFromUpdate(u, true, nil)
+ mergeUpdateEntry := func(mergeMap map[mapKey]config.DataEntry, data []config.DataEntry) {
+ for _, ruleData := range data {
+ key := mapKey{id: ruleData.ID, typ: ruleData.Type}
+ if data, ok := mergeMap[key]; ok {
+ // Merge rules data entries with the same ID and Type
+ mergeMap[key] = config.DataEntry{
+ ID: data.ID,
+ Type: data.Type,
+ Data: mergeRulesDataEntries(data.Data, ruleData.Data),
+ }
+ continue
+ }
+
+ mergeMap[key] = ruleData
+ }
+ }
+
+ mapValues := func(m map[mapKey]config.DataEntry) []config.DataEntry {
+ values := make([]config.DataEntry, 0, len(m))
+ for _, v := range m {
+ values = append(values, v)
+ }
+ return values
+ }
+
for path, raw := range u {
log.Debug("appsec: Remote config: processing %s", path)
@@ -257,36 +281,30 @@ func mergeRulesData(u remoteconfig.ProductUpdate) ([]config.RuleDataEntry, map[s
continue
}
- var rulesData config.RulesData
- if err := json.Unmarshal(raw, &rulesData); err != nil {
+ var asmdataUpdate struct {
+ RulesData []config.DataEntry `json:"rules_data,omitempty"`
+ ExclusionData []config.DataEntry `json:"exclusion_data,omitempty"`
+ }
+ if err := json.Unmarshal(raw, &asmdataUpdate); err != nil {
log.Debug("appsec: Remote config: error while unmarshalling payload for %s: %v. Configuration won't be applied.", path, err)
statuses[path] = genApplyStatus(false, err)
continue
}
- // Check each entry against allRulesData to see if merging is necessary
- for _, ruleData := range rulesData.RulesData {
- if allRulesData[ruleData.ID] == nil {
- allRulesData[ruleData.ID] = make(map[string]config.RuleDataEntry)
- }
- if data, ok := allRulesData[ruleData.ID][ruleData.Type]; ok {
- // Merge rules data entries with the same ID and Type
- data.Data = mergeRulesDataEntries(data.Data, ruleData.Data)
- allRulesData[ruleData.ID][ruleData.Type] = data
- } else {
- allRulesData[ruleData.ID][ruleData.Type] = ruleData
- }
- }
+ mergeUpdateEntry(mergedExclusionData, asmdataUpdate.ExclusionData)
+ mergeUpdateEntry(mergedRulesData, asmdataUpdate.RulesData)
}
- // Aggregate all the rules data before passing it over to the WAF
- var rulesData []config.RuleDataEntry
- for _, m := range allRulesData {
- for _, data := range m {
- rulesData = append(rulesData, data)
- }
+ var fragment config.RulesFragment
+ if len(mergedRulesData) > 0 {
+ fragment.RulesData = mapValues(mergedRulesData)
+ }
+
+ if len(mergedExclusionData) > 0 {
+ fragment.ExclusionData = mapValues(mergedExclusionData)
}
- return rulesData, statuses
+
+ return fragment, statuses
}
// mergeRulesDataEntries merges two slices of rules data entries together, removing duplicates and
@@ -372,6 +390,11 @@ var blockingCapabilities = [...]remoteconfig.Capability{
remoteconfig.ASMCustomRules,
remoteconfig.ASMCustomBlockingResponse,
remoteconfig.ASMTrustedIPs,
+ remoteconfig.ASMExclusionData,
+ remoteconfig.ASMEndpointFingerprinting,
+ remoteconfig.ASMSessionFingerprinting,
+ remoteconfig.ASMNetworkFingerprinting,
+ remoteconfig.ASMHeaderFingerprinting,
}
func (a *appsec) enableRCBlocking() {
@@ -409,7 +432,14 @@ func (a *appsec) enableRASP() {
if err := remoteconfig.RegisterCapability(remoteconfig.ASMRASPSSRF); err != nil {
log.Debug("appsec: Remote config: couldn't register RASP SSRF: %v", err)
}
- // TODO: register other RASP capabilities when supported
+ if err := remoteconfig.RegisterCapability(remoteconfig.ASMRASPSQLI); err != nil {
+ log.Debug("appsec: Remote config: couldn't register RASP SQLI: %v", err)
+ }
+ if orchestrion.Enabled() {
+ if err := remoteconfig.RegisterCapability(remoteconfig.ASMRASPLFI); err != nil {
+ log.Debug("appsec: Remote config: couldn't register RASP LFI: %v", err)
+ }
+ }
}
func (a *appsec) disableRCBlocking() {
diff --git a/internal/appsec/remoteconfig_test.go b/internal/appsec/remoteconfig_test.go
index 02805504ae..8b7ce7ba71 100644
--- a/internal/appsec/remoteconfig_test.go
+++ b/internal/appsec/remoteconfig_test.go
@@ -10,7 +10,7 @@ import (
"errors"
"os"
"reflect"
- "sort"
+ "slices"
"strings"
"testing"
@@ -119,63 +119,63 @@ func TestMergeRulesData(t *testing.T) {
for _, tc := range []struct {
name string
update remoteconfig.ProductUpdate
- expected []config.RuleDataEntry
+ expected config.RulesFragment
statuses map[string]rc.ApplyStatus
}{
{
name: "empty-rule-data",
update: map[string][]byte{},
- statuses: map[string]rc.ApplyStatus{"some/path": {State: rc.ApplyStateAcknowledged}},
+ statuses: map[string]rc.ApplyStatus{},
},
{
name: "bad-json",
update: map[string][]byte{
"some/path": []byte(`[}]`),
},
- statuses: map[string]rc.ApplyStatus{"some/path": {State: rc.ApplyStateError}},
+ statuses: map[string]rc.ApplyStatus{"some/path": {State: rc.ApplyStateError, Error: "invalid character '}' looking for beginning of value"}},
},
{
- name: "single-value",
+ name: "single-rules-value",
update: map[string][]byte{
"some/path": []byte(`{"rules_data":[{"id":"test","type":"data_with_expiration","data":[{"expiration":3494138481,"value":"user1"}]}]}`),
},
- expected: []config.RuleDataEntry{{ID: "test", Type: "data_with_expiration", Data: []rc.ASMDataRuleDataEntry{
+ expected: config.RulesFragment{RulesData: []config.DataEntry{{ID: "test", Type: "data_with_expiration", Data: []rc.ASMDataRuleDataEntry{
{Expiration: 3494138481, Value: "user1"},
- }}},
+ }}}},
statuses: map[string]rc.ApplyStatus{"some/path": {State: rc.ApplyStateAcknowledged}},
},
{
- name: "multiple-values",
+ name: "multiple-rules-values",
update: map[string][]byte{
"some/path": []byte(`{"rules_data":[{"id":"test","type":"data_with_expiration","data":[{"expiration":3494138481,"value":"user1"},{"expiration":3494138441,"value":"user2"}]}]}`),
},
- expected: []config.RuleDataEntry{{ID: "test", Type: "data_with_expiration", Data: []rc.ASMDataRuleDataEntry{
+ expected: config.RulesFragment{RulesData: []config.DataEntry{{ID: "test", Type: "data_with_expiration", Data: []rc.ASMDataRuleDataEntry{
{Expiration: 3494138481, Value: "user1"},
{Expiration: 3494138441, Value: "user2"},
- }}},
+ }}}},
statuses: map[string]rc.ApplyStatus{"some/path": {State: rc.ApplyStateAcknowledged}},
},
{
- name: "multiple-entries",
+ name: "multiple-rules-entries",
update: map[string][]byte{
"some/path": []byte(`{"rules_data":[{"id":"test1","type":"data_with_expiration","data":[{"expiration":3494138444,"value":"user3"}]},{"id":"test2","type":"data_with_expiration","data":[{"expiration":3495138481,"value":"user4"}]}]}`),
},
- expected: []config.RuleDataEntry{
+ expected: config.RulesFragment{RulesData: []config.DataEntry{
{ID: "test1", Type: "data_with_expiration", Data: []rc.ASMDataRuleDataEntry{
{Expiration: 3494138444, Value: "user3"},
}}, {ID: "test2", Type: "data_with_expiration", Data: []rc.ASMDataRuleDataEntry{
{Expiration: 3495138481, Value: "user4"},
}},
- },
+ }},
statuses: map[string]rc.ApplyStatus{"some/path": {State: rc.ApplyStateAcknowledged}},
},
{
- name: "merging-entries",
+ name: "merging-rules-entries",
update: map[string][]byte{
"some/path/1": []byte(`{"rules_data":[{"id":"test1","type":"data_with_expiration","data":[{"expiration":3494138444,"value":"user3"}]},{"id":"test2","type":"data_with_expiration","data":[{"expiration":3495138481,"value":"user4"}]}]}`),
"some/path/2": []byte(`{"rules_data":[{"id":"test1","type":"data_with_expiration","data":[{"expiration":3494138445,"value":"user3"}]},{"id":"test2","type":"data_with_expiration","data":[{"expiration":0,"value":"user5"}]}]}`),
},
- expected: []config.RuleDataEntry{
+ expected: config.RulesFragment{RulesData: []config.DataEntry{
{ID: "test1", Type: "data_with_expiration", Data: []rc.ASMDataRuleDataEntry{
{Expiration: 3494138445, Value: "user3"},
}},
@@ -183,7 +183,62 @@ func TestMergeRulesData(t *testing.T) {
{Expiration: 3495138481, Value: "user4"},
{Expiration: 0, Value: "user5"},
}},
+ }},
+ statuses: map[string]rc.ApplyStatus{
+ "some/path/1": {State: rc.ApplyStateAcknowledged},
+ "some/path/2": {State: rc.ApplyStateAcknowledged},
+ },
+ },
+ {
+ name: "single-exclusions-value",
+ update: map[string][]byte{
+ "some/path": []byte(`{"exclusion_data":[{"id":"test","type":"data_with_expiration","data":[{"expiration":3494138481,"value":"user1"}]}]}`),
+ },
+ expected: config.RulesFragment{ExclusionData: []config.DataEntry{{ID: "test", Type: "data_with_expiration", Data: []rc.ASMDataRuleDataEntry{
+ {Expiration: 3494138481, Value: "user1"},
+ }}}},
+ statuses: map[string]rc.ApplyStatus{"some/path": {State: rc.ApplyStateAcknowledged}},
+ },
+ {
+ name: "multiple-exclusions-values",
+ update: map[string][]byte{
+ "some/path": []byte(`{"exclusion_data":[{"id":"test","type":"data_with_expiration","data":[{"expiration":3494138481,"value":"user1"},{"expiration":3494138441,"value":"user2"}]}]}`),
},
+ expected: config.RulesFragment{ExclusionData: []config.DataEntry{{ID: "test", Type: "data_with_expiration", Data: []rc.ASMDataRuleDataEntry{
+ {Expiration: 3494138481, Value: "user1"},
+ {Expiration: 3494138441, Value: "user2"},
+ }}}},
+ statuses: map[string]rc.ApplyStatus{"some/path": {State: rc.ApplyStateAcknowledged}},
+ },
+ {
+ name: "multiple-exclusions-entries",
+ update: map[string][]byte{
+ "some/path": []byte(`{"exclusion_data":[{"id":"test1","type":"data_with_expiration","data":[{"expiration":3494138444,"value":"user3"}]},{"id":"test2","type":"data_with_expiration","data":[{"expiration":3495138481,"value":"user4"}]}]}`),
+ },
+ expected: config.RulesFragment{ExclusionData: []config.DataEntry{
+ {ID: "test1", Type: "data_with_expiration", Data: []rc.ASMDataRuleDataEntry{
+ {Expiration: 3494138444, Value: "user3"},
+ }}, {ID: "test2", Type: "data_with_expiration", Data: []rc.ASMDataRuleDataEntry{
+ {Expiration: 3495138481, Value: "user4"},
+ }},
+ }},
+ statuses: map[string]rc.ApplyStatus{"some/path": {State: rc.ApplyStateAcknowledged}},
+ },
+ {
+ name: "merging-exclusions-entries",
+ update: map[string][]byte{
+ "some/path/1": []byte(`{"exclusion_data":[{"id":"test1","type":"data_with_expiration","data":[{"expiration":3494138444,"value":"user3"}]},{"id":"test2","type":"data_with_expiration","data":[{"expiration":3495138481,"value":"user4"}]}]}`),
+ "some/path/2": []byte(`{"exclusion_data":[{"id":"test1","type":"data_with_expiration","data":[{"expiration":3494138445,"value":"user3"}]},{"id":"test2","type":"data_with_expiration","data":[{"expiration":0,"value":"user5"}]}]}`),
+ },
+ expected: config.RulesFragment{ExclusionData: []config.DataEntry{
+ {ID: "test1", Type: "data_with_expiration", Data: []rc.ASMDataRuleDataEntry{
+ {Expiration: 3494138445, Value: "user3"},
+ }},
+ {ID: "test2", Type: "data_with_expiration", Data: []rc.ASMDataRuleDataEntry{
+ {Expiration: 3495138481, Value: "user4"},
+ {Expiration: 0, Value: "user5"},
+ }},
+ }},
statuses: map[string]rc.ApplyStatus{
"some/path/1": {State: rc.ApplyStateAcknowledged},
"some/path/2": {State: rc.ApplyStateAcknowledged},
@@ -191,30 +246,27 @@ func TestMergeRulesData(t *testing.T) {
},
} {
t.Run(tc.name, func(t *testing.T) {
- merged, statuses := mergeRulesData(tc.update)
- // Sort the compared elements since ordering is not guaranteed and the slice hold types that embed
- // more slices
- require.Len(t, merged, len(tc.expected))
- sort.Slice(merged, func(i, j int) bool {
- return strings.Compare(merged[i].ID, merged[j].ID) < 0
- })
- sort.Slice(tc.expected, func(i, j int) bool {
- return strings.Compare(merged[i].ID, merged[j].ID) < 0
- })
-
- for i := range tc.expected {
- require.Equal(t, tc.expected[i].ID, merged[i].ID)
- require.Equal(t, tc.expected[i].Type, merged[i].Type)
- require.ElementsMatch(t, tc.expected[i].Data, merged[i].Data)
- }
- for k := range statuses {
- require.Equal(t, tc.statuses[k].State, statuses[k].State)
- if statuses[k].State == rc.ApplyStateError {
- require.NotEmpty(t, statuses[k].Error)
- } else {
- require.Empty(t, statuses[k].Error)
+ fragment, statuses := mergeASMDataUpdates(tc.update)
+
+ // Sort the data entries to make the comparison easier
+ sort := func(actual []config.DataEntry) {
+ slices.SortStableFunc(actual, func(a, b config.DataEntry) int {
+ return strings.Compare(a.ID, b.ID)
+ })
+ for _, data := range actual {
+ slices.SortStableFunc(data.Data, func(a, b rc.ASMDataRuleDataEntry) int {
+ return strings.Compare(a.Value, b.Value)
+ })
}
}
+
+ sort(fragment.RulesData)
+ sort(fragment.ExclusionData)
+ sort(tc.expected.RulesData)
+ sort(tc.expected.ExclusionData)
+
+ require.Equal(t, tc.expected, fragment)
+ require.Equal(t, tc.statuses, statuses)
})
}
}
@@ -437,7 +489,7 @@ func craftRCUpdates(fragments map[string]config.RulesFragment) map[string]remote
update[rc.ProductASM] = make(remoteconfig.ProductUpdate)
}
update[rc.ProductASM][path] = data
- } else if len(frag.RulesData) > 0 {
+ } else if len(frag.RulesData) > 0 || len(frag.ExclusionData) > 0 {
if _, ok := update[rc.ProductASMData]; !ok {
update[rc.ProductASMData] = make(remoteconfig.ProductUpdate)
}
@@ -457,7 +509,7 @@ type testRulesOverrideEntry struct {
func TestOnRCUpdate(t *testing.T) {
- BaseRuleset, err := config.NewRulesManeger(nil)
+ BaseRuleset, err := config.NewRulesManager(nil)
require.NoError(t, err)
BaseRuleset.Compile()
@@ -671,7 +723,7 @@ func TestOnRCUpdate(t *testing.T) {
}
func TestOnRCUpdateStatuses(t *testing.T) {
- invalidRuleset, err := config.NewRulesManeger([]byte(`{"version": "2.2", "metadata": {"rules_version": "1.4.2"}, "rules": [{"id": "id","name":"name","tags":{},"conditions":[],"transformers":[],"on_match":[]}]}`))
+ invalidRuleset, err := config.NewRulesManager([]byte(`{"version": "2.2", "metadata": {"rules_version": "1.4.2"}, "rules": [{"id": "id","name":"name","tags":{},"conditions":[],"transformers":[],"on_match":[]}]}`))
require.NoError(t, err)
invalidRules := invalidRuleset.Base
overrides := config.RulesFragment{
@@ -787,10 +839,12 @@ func TestWafRCUpdate(t *testing.T) {
require.NoError(t, err)
defer wafCtx.Close()
values := map[string]interface{}{
- httpsec.ServerRequestPathParamsAddr: "/rfiinc.txt",
+ addresses.ServerRequestPathParamsAddr: "/rfiinc.txt",
}
+
// Make sure the rule matches as expected
- result := sharedsec.RunWAF(wafCtx, waf.RunAddressData{Persistent: values})
+ result, err := wafCtx.Run(waf.RunAddressData{Persistent: values})
+ require.NoError(t, err)
require.Contains(t, jsonString(t, result.Events), "crs-913-120")
require.Empty(t, result.Actions)
// Simulate an RC update that disables the rule
@@ -807,7 +861,8 @@ func TestWafRCUpdate(t *testing.T) {
require.NoError(t, err)
defer newWafCtx.Close()
// Make sure the rule returns a blocking action when matching
- result = sharedsec.RunWAF(newWafCtx, waf.RunAddressData{Persistent: values})
+ result, err = newWafCtx.Run(waf.RunAddressData{Persistent: values})
+ require.NoError(t, err)
require.Contains(t, jsonString(t, result.Events), "crs-913-120")
require.Contains(t, result.Actions, "block_request")
})
diff --git a/internal/appsec/testdata/fp.json b/internal/appsec/testdata/fp.json
new file mode 100644
index 0000000000..52af47f36c
--- /dev/null
+++ b/internal/appsec/testdata/fp.json
@@ -0,0 +1,207 @@
+{
+ "version": "2.2",
+ "metadata": {
+ "rules_version": "1.4.2"
+ },
+ "rules": [
+ {
+ "id": "crs-933-130-block",
+ "name": "PHP Injection Attack: Global Variables Found",
+ "tags": {
+ "type": "php_code_injection",
+ "crs_id": "933130",
+ "category": "attack_attempt",
+ "confidence": "1"
+ },
+ "conditions": [
+ {
+ "parameters": {
+ "inputs": [
+ {
+ "address": "server.request.query"
+ }
+ ],
+ "list": [
+ "$globals"
+ ]
+ },
+ "operator": "phrase_match"
+ }
+ ],
+ "transformers": [
+ "lowercase"
+ ]
+ }
+ ],
+ "processors": [
+ {
+ "id": "http-endpoint-fingerprint",
+ "generator": "http_endpoint_fingerprint",
+ "conditions": [
+ {
+ "operator": "exists",
+ "parameters": {
+ "inputs": [
+ {
+ "address": "waf.context.event"
+ },
+ {
+ "address": "server.business_logic.users.login.failure"
+ },
+ {
+ "address": "server.business_logic.users.login.success"
+ }
+ ]
+ }
+ }
+ ],
+ "parameters": {
+ "mappings": [
+ {
+ "method": [
+ {
+ "address": "server.request.method"
+ }
+ ],
+ "uri_raw": [
+ {
+ "address": "server.request.uri.raw"
+ }
+ ],
+ "body": [
+ {
+ "address": "server.request.body"
+ }
+ ],
+ "query": [
+ {
+ "address": "server.request.query"
+ }
+ ],
+ "output": "_dd.appsec.fp.http.endpoint"
+ }
+ ]
+ },
+ "evaluate": false,
+ "output": true
+ },
+ {
+ "id": "http-header-fingerprint",
+ "generator": "http_header_fingerprint",
+ "conditions": [
+ {
+ "operator": "exists",
+ "parameters": {
+ "inputs": [
+ {
+ "address": "waf.context.event"
+ },
+ {
+ "address": "server.business_logic.users.login.failure"
+ },
+ {
+ "address": "server.business_logic.users.login.success"
+ }
+ ]
+ }
+ }
+ ],
+ "parameters": {
+ "mappings": [
+ {
+ "headers": [
+ {
+ "address": "server.request.headers.no_cookies"
+ }
+ ],
+ "output": "_dd.appsec.fp.http.header"
+ }
+ ]
+ },
+ "evaluate": false,
+ "output": true
+ },
+ {
+ "id": "http-network-fingerprint",
+ "generator": "http_network_fingerprint",
+ "conditions": [
+ {
+ "operator": "exists",
+ "parameters": {
+ "inputs": [
+ {
+ "address": "waf.context.event"
+ },
+ {
+ "address": "server.business_logic.users.login.failure"
+ },
+ {
+ "address": "server.business_logic.users.login.success"
+ }
+ ]
+ }
+ }
+ ],
+ "parameters": {
+ "mappings": [
+ {
+ "headers": [
+ {
+ "address": "server.request.headers.no_cookies"
+ }
+ ],
+ "output": "_dd.appsec.fp.http.network"
+ }
+ ]
+ },
+ "evaluate": false,
+ "output": true
+ },
+ {
+ "id": "session-fingerprint",
+ "generator": "session_fingerprint",
+ "conditions": [
+ {
+ "operator": "exists",
+ "parameters": {
+ "inputs": [
+ {
+ "address": "waf.context.event"
+ },
+ {
+ "address": "server.business_logic.users.login.failure"
+ },
+ {
+ "address": "server.business_logic.users.login.success"
+ }
+ ]
+ }
+ }
+ ],
+ "parameters": {
+ "mappings": [
+ {
+ "cookies": [
+ {
+ "address": "server.request.cookies"
+ }
+ ],
+ "session_id": [
+ {
+ "address": "usr.session_id"
+ }
+ ],
+ "user_id": [
+ {
+ "address": "usr.id"
+ }
+ ],
+ "output": "_dd.appsec.fp.session"
+ }
+ ]
+ },
+ "evaluate": false,
+ "output": true
+ }
+ ]
+}
diff --git a/internal/appsec/testdata/sab.json b/internal/appsec/testdata/sab.json
new file mode 100644
index 0000000000..8c1ce8e0df
--- /dev/null
+++ b/internal/appsec/testdata/sab.json
@@ -0,0 +1,136 @@
+{
+ "version": "2.2",
+ "metadata": {
+ "rules_version": "1.4.2"
+ },
+ "rules": [
+ {
+ "id": "crs-933-130-block",
+ "name": "PHP Injection Attack: Global Variables Found",
+ "tags": {
+ "type": "php_code_injection",
+ "crs_id": "933130",
+ "category": "attack_attempt",
+ "confidence": "1"
+ },
+ "conditions": [
+ {
+ "parameters": {
+ "inputs": [
+ {
+ "address": "server.request.query"
+ },
+ {
+ "address": "server.request.body"
+ },
+ {
+ "address": "server.request.path_params"
+ },
+ {
+ "address": "grpc.server.request.message"
+ }
+ ],
+ "list": [
+ "$globals",
+ "$_cookie",
+ "$_env",
+ "$_files",
+ "$_get",
+ "$_post",
+ "$_request",
+ "$_server",
+ "$_session",
+ "$argc",
+ "$argv",
+ "$http_\\u200bresponse_\\u200bheader",
+ "$php_\\u200berrormsg",
+ "$http_cookie_vars",
+ "$http_env_vars",
+ "$http_get_vars",
+ "$http_post_files",
+ "$http_post_vars",
+ "$http_raw_post_data",
+ "$http_request_vars",
+ "$http_server_vars"
+ ]
+ },
+ "operator": "phrase_match"
+ }
+ ],
+ "transformers": [
+ "lowercase"
+ ]
+ }
+ ],
+ "actions": [
+ {
+ "id": "block_402",
+ "type": "block_request",
+ "parameters": {
+ "status_code": 402,
+ "type": "auto"
+ }
+ },
+ {
+ "id": "block_401",
+ "type": "block_request",
+ "parameters": {
+ "status_code": 401,
+ "type": "auto"
+ }
+ }
+ ],
+ "exclusions": [
+ {
+ "conditions": [
+ {
+ "operator": "ip_match",
+ "parameters": {
+ "data": "suspicious_ips",
+ "inputs": [
+ {
+ "address": "http.client_ip"
+ }
+ ]
+ }
+ }
+ ],
+ "id": "suspicious_ip_blocking",
+ "on_match": "block_402"
+ },
+ {
+ "conditions": [
+ {
+ "operator": "exact_match",
+ "parameters": {
+ "data": "suspicious_users",
+ "inputs": [
+ {
+ "address": "usr.id"
+ }
+ ]
+ }
+ }
+ ],
+ "transformers": [],
+ "id": "suspicious_user_blocking",
+ "on_match": "block_401"
+ }
+ ],
+ "exclusion_data": [
+ {
+ "id": "suspicious_ips",
+ "type": "ip_with_expiration",
+ "data": [
+ { "value": "1.2.3.4" }
+ ]
+ },
+ {
+ "id": "suspicious_users",
+ "type": "data_with_expiration",
+ "data": [
+ { "value": "blocked-user-1" }
+ ]
+ }
+ ]
+}
diff --git a/internal/appsec/waf_test.go b/internal/appsec/waf_test.go
index 4b3e7517cc..1a449f5436 100644
--- a/internal/appsec/waf_test.go
+++ b/internal/appsec/waf_test.go
@@ -45,7 +45,7 @@ func TestCustomRules(t *testing.T) {
// Start and trace an HTTP server
mux := httptrace.NewServeMux()
- mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+ mux.HandleFunc("/", func(w http.ResponseWriter, _ *http.Request) {
w.Write([]byte("Hello World!\n"))
})
@@ -102,10 +102,10 @@ func TestUserRules(t *testing.T) {
// Start and trace an HTTP server
mux := httptrace.NewServeMux()
- mux.HandleFunc("/hello", func(w http.ResponseWriter, r *http.Request) {
+ mux.HandleFunc("/hello", func(w http.ResponseWriter, _ *http.Request) {
w.Write([]byte("Hello World!\n"))
})
- mux.HandleFunc("/response-header", func(w http.ResponseWriter, r *http.Request) {
+ mux.HandleFunc("/response-header", func(w http.ResponseWriter, _ *http.Request) {
w.Header().Set("match-response-header", "match-response-header")
w.WriteHeader(204)
})
@@ -168,7 +168,7 @@ func TestWAF(t *testing.T) {
// Start and trace an HTTP server
mux := httptrace.NewServeMux()
- mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+ mux.HandleFunc("/", func(w http.ResponseWriter, _ *http.Request) {
w.Write([]byte("Hello World!\n"))
})
mux.HandleFunc("/body", func(w http.ResponseWriter, r *http.Request) {
@@ -324,7 +324,7 @@ func TestBlocking(t *testing.T) {
// Start and trace an HTTP server
mux := httptrace.NewServeMux()
- mux.HandleFunc("/ip", func(w http.ResponseWriter, r *http.Request) {
+ mux.HandleFunc("/ip", func(w http.ResponseWriter, _ *http.Request) {
w.Write([]byte("Hello World!\n"))
})
mux.HandleFunc("/user", func(w http.ResponseWriter, r *http.Request) {
@@ -598,6 +598,124 @@ func TestRASPLFI(t *testing.T) {
}
}
+func TestSuspiciousAttackerBlocking(t *testing.T) {
+ t.Setenv("DD_APPSEC_RULES", "testdata/sab.json")
+ appsec.Start()
+ defer appsec.Stop()
+ if !appsec.Enabled() {
+ t.Skip("AppSec needs to be enabled for this test")
+ }
+
+ const bodyBlockingRule = "crs-933-130-block"
+
+ // Start and trace an HTTP server
+ mux := httptrace.NewServeMux()
+ mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+ if err := pAppsec.SetUser(r.Context(), r.Header.Get("test-usr")); err != nil {
+ return
+ }
+ buf := new(strings.Builder)
+ io.Copy(buf, r.Body)
+ if err := pAppsec.MonitorParsedHTTPBody(r.Context(), buf.String()); err != nil {
+ return
+ }
+ w.Write([]byte("Hello World!\n"))
+ })
+ srv := httptest.NewServer(mux)
+ defer srv.Close()
+
+ for _, tc := range []struct {
+ name string
+ headers map[string]string
+ status int
+ ruleMatch string
+ attack string
+ }{
+ {
+ name: "ip/not-suspicious/no-attack",
+ status: 200,
+ },
+ {
+ name: "ip/suspicious/no-attack",
+ headers: map[string]string{"x-forwarded-for": "1.2.3.4"},
+ status: 200,
+ },
+ {
+ name: "ip/not-suspicious/attack",
+ status: 200,
+ attack: "$globals",
+ ruleMatch: bodyBlockingRule,
+ },
+ {
+ name: "ip/suspicious/attack",
+ headers: map[string]string{"x-forwarded-for": "1.2.3.4"},
+ status: 402,
+ attack: "$globals",
+ ruleMatch: bodyBlockingRule,
+ },
+ {
+ name: "user/not-suspicious/no-attack",
+ status: 200,
+ },
+ {
+ name: "user/suspicious/no-attack",
+ headers: map[string]string{"test-usr": "blocked-user-1"},
+ status: 200,
+ },
+ {
+ name: "user/not-suspicious/attack",
+ status: 200,
+ attack: "$globals",
+ ruleMatch: bodyBlockingRule,
+ },
+ {
+ name: "user/suspicious/attack",
+ headers: map[string]string{"test-usr": "blocked-user-1"},
+ status: 401,
+ attack: "$globals",
+ ruleMatch: bodyBlockingRule,
+ },
+ {
+ name: "ip+user/suspicious/no-attack",
+ headers: map[string]string{"x-forwarded-for": "1.2.3.4", "test-usr": "blocked-user-1"},
+ status: 200,
+ },
+ {
+ name: "ip+user/suspicious/attack",
+ headers: map[string]string{"x-forwarded-for": "1.2.3.4", "test-usr": "blocked-user-1"},
+ status: 402,
+ attack: "$globals",
+ ruleMatch: bodyBlockingRule,
+ },
+ } {
+ t.Run(tc.name, func(t *testing.T) {
+ mt := mocktracer.Start()
+ defer mt.Stop()
+ req, err := http.NewRequest("POST", srv.URL, strings.NewReader(tc.attack))
+ require.NoError(t, err)
+ for k, v := range tc.headers {
+ req.Header.Set(k, v)
+ }
+ res, err := srv.Client().Do(req)
+ require.NoError(t, err)
+ defer res.Body.Close()
+ if tc.ruleMatch != "" {
+ spans := mt.FinishedSpans()
+ require.Len(t, spans, 1)
+ require.Contains(t, spans[0].Tag("_dd.appsec.json"), tc.ruleMatch)
+ }
+ require.Equal(t, tc.status, res.StatusCode)
+ b, err := io.ReadAll(res.Body)
+ require.NoError(t, err)
+ if tc.status == 200 {
+ require.Equal(t, "Hello World!\n", string(b))
+ } else {
+ require.NotEqual(t, "Hello World!\n", string(b))
+ }
+ })
+ }
+}
+
// BenchmarkSampleWAFContext benchmarks the creation of a WAF context and running the WAF on a request/response pair
// This is a basic sample of what could happen in a real-world scenario.
func BenchmarkSampleWAFContext(b *testing.B) {
@@ -623,10 +741,10 @@ func BenchmarkSampleWAFContext(b *testing.B) {
_, err = ctx.Run(
waf.RunAddressData{
Persistent: map[string]any{
- httpsec.HTTPClientIPAddr: "1.1.1.1",
- httpsec.ServerRequestMethodAddr: "GET",
- httpsec.ServerRequestRawURIAddr: "/",
- httpsec.ServerRequestHeadersNoCookiesAddr: map[string][]string{
+ addresses.ClientIPAddr: "1.1.1.1",
+ addresses.ServerRequestMethodAddr: "GET",
+ addresses.ServerRequestRawURIAddr: "/",
+ addresses.ServerRequestHeadersNoCookiesAddr: map[string][]string{
"host": {"example.com"},
"content-length": {"0"},
"Accept": {"application/json"},
@@ -634,13 +752,13 @@ func BenchmarkSampleWAFContext(b *testing.B) {
"Accept-Encoding": {"gzip"},
"Connection": {"close"},
},
- httpsec.ServerRequestCookiesAddr: map[string][]string{
+ addresses.ServerRequestCookiesAddr: map[string][]string{
"cookie": {"session=1234"},
},
- httpsec.ServerRequestQueryAddr: map[string][]string{
+ addresses.ServerRequestQueryAddr: map[string][]string{
"query": {"value"},
},
- httpsec.ServerRequestPathParamsAddr: map[string]string{
+ addresses.ServerRequestPathParamsAddr: map[string]string{
"param": "value",
},
},
@@ -654,12 +772,12 @@ func BenchmarkSampleWAFContext(b *testing.B) {
_, err = ctx.Run(
waf.RunAddressData{
Persistent: map[string]any{
- httpsec.ServerResponseHeadersNoCookiesAddr: map[string][]string{
+ addresses.ServerResponseHeadersNoCookiesAddr: map[string][]string{
"content-type": {"application/json"},
"content-length": {"0"},
"Connection": {"close"},
},
- httpsec.ServerResponseStatusAddr: 200,
+ addresses.ServerResponseStatusAddr: 200,
},
})
@@ -671,6 +789,54 @@ func BenchmarkSampleWAFContext(b *testing.B) {
}
}
+func TestAttackerFingerprinting(t *testing.T) {
+ t.Setenv("DD_APPSEC_RULES", "testdata/fp.json")
+ appsec.Start()
+ defer appsec.Stop()
+ if !appsec.Enabled() {
+ t.Skip("AppSec needs to be enabled for this test")
+ }
+
+ // Start and trace an HTTP server
+ mux := httptrace.NewServeMux()
+ mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+ pAppsec.TrackUserLoginSuccessEvent(
+ r.Context(),
+ "toto",
+ map[string]string{},
+ tracer.WithUserSessionID("sessionID"))
+
+ pAppsec.MonitorParsedHTTPBody(r.Context(), map[string]string{"key": "value"})
+
+ w.Write([]byte("Hello World!\n"))
+ })
+ srv := httptest.NewServer(mux)
+ defer srv.Close()
+
+ mt := mocktracer.Start()
+ defer mt.Stop()
+ req, err := http.NewRequest("POST", srv.URL+"/test?x=1", nil)
+ require.NoError(t, err)
+ req.AddCookie(&http.Cookie{Name: "cookie", Value: "value"})
+ resp, err := srv.Client().Do(req)
+ require.NoError(t, err)
+ defer resp.Body.Close()
+
+ require.Len(t, mt.FinishedSpans(), 1)
+
+ tags := mt.FinishedSpans()[0].Tags()
+
+ require.Contains(t, tags, "_dd.appsec.fp.http.header")
+ require.Contains(t, tags, "_dd.appsec.fp.http.endpoint")
+ require.Contains(t, tags, "_dd.appsec.fp.http.network")
+ require.Contains(t, tags, "_dd.appsec.fp.session")
+
+ require.Regexp(t, `^hdr-`, tags["_dd.appsec.fp.http.header"])
+ require.Regexp(t, `^http-`, tags["_dd.appsec.fp.http.endpoint"])
+ require.Regexp(t, `^ssn-`, tags["_dd.appsec.fp.session"])
+ require.Regexp(t, `^net-`, tags["_dd.appsec.fp.http.network"])
+}
+
func init() {
// This permits running the tests locally without defining the env var manually
// We do this because the default go-libddwaf timeout value is too small and makes the tests timeout for no reason
diff --git a/internal/appsec/waf_unit_test.go b/internal/appsec/waf_unit_test.go
index c4c96fa63a..ae7e2b3917 100644
--- a/internal/appsec/waf_unit_test.go
+++ b/internal/appsec/waf_unit_test.go
@@ -10,11 +10,11 @@ import (
"testing"
internal "github.com/DataDog/appsec-internal-go/appsec"
- "github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/trace"
- "github.com/DataDog/dd-trace-go/v2/internal/appsec/listener/httpsec"
waf "github.com/DataDog/go-libddwaf/v3"
"github.com/stretchr/testify/require"
+
+ "github.com/DataDog/dd-trace-go/v2/internal/appsec/emitter/waf/addresses"
)
func TestAPISecuritySchemaCollection(t *testing.T) {
@@ -113,7 +113,7 @@ func TestAPISecuritySchemaCollection(t *testing.T) {
{
name: "headers",
addresses: map[string]any{
- httpsec.ServerRequestHeadersNoCookiesAddr: map[string][]string{
+ addresses.ServerRequestHeadersNoCookiesAddr: map[string][]string{
"my-header": {"is-beautiful"},
},
},
@@ -124,7 +124,7 @@ func TestAPISecuritySchemaCollection(t *testing.T) {
{
name: "path-params",
addresses: map[string]any{
- httpsec.ServerRequestPathParamsAddr: map[string]string{
+ addresses.ServerRequestPathParamsAddr: map[string]string{
"my-path-param": "is-beautiful",
},
},
@@ -135,7 +135,7 @@ func TestAPISecuritySchemaCollection(t *testing.T) {
{
name: "query",
addresses: map[string]any{
- httpsec.ServerRequestQueryAddr: map[string][]string{"my-query": {"is-beautiful"}, "my-query-2": {"so-pretty"}},
+ addresses.ServerRequestQueryAddr: map[string][]string{"my-query": {"is-beautiful"}, "my-query-2": {"so-pretty"}},
},
tags: map[string]string{
"_dd.appsec.s.req.query": `[{"my-query":[[[8]],{"len":1}],"my-query-2":[[[8]],{"len":1}]}]`,
@@ -144,13 +144,13 @@ func TestAPISecuritySchemaCollection(t *testing.T) {
{
name: "combined",
addresses: map[string]any{
- httpsec.ServerRequestHeadersNoCookiesAddr: map[string][]string{
+ addresses.ServerRequestHeadersNoCookiesAddr: map[string][]string{
"my-header": {"is-beautiful"},
},
- httpsec.ServerRequestPathParamsAddr: map[string]string{
+ addresses.ServerRequestPathParamsAddr: map[string]string{
"my-path-param": "is-beautiful",
},
- httpsec.ServerRequestQueryAddr: map[string][]string{"my-query": {"is-beautiful"}, "my-query-2": {"so-pretty"}},
+ addresses.ServerRequestQueryAddr: map[string][]string{"my-query": {"is-beautiful"}, "my-query-2": {"so-pretty"}},
},
tags: map[string]string{
"_dd.appsec.s.req.headers": `[{"my-header":[[[8]],{"len":1}]}]`,
@@ -176,13 +176,10 @@ func TestAPISecuritySchemaCollection(t *testing.T) {
wafRes, err := wafCtx.Run(runData)
require.NoError(t, err)
require.True(t, wafRes.HasDerivatives())
- tagsHolder := trace.NewTagsHolder()
for k, v := range wafRes.Derivatives {
- tagsHolder.AddSerializableTag(k, v)
- }
-
- for tag, val := range tagsHolder.Tags() {
- require.Equal(t, tc.tags[tag], val)
+ res, err := json.Marshal(v)
+ require.NoError(t, err)
+ require.Equal(t, tc.tags[k], string(res))
}
})
}
diff --git a/internal/civisibility/constants/env.go b/internal/civisibility/constants/env.go
index ebc00fcb69..66e6de7636 100644
--- a/internal/civisibility/constants/env.go
+++ b/internal/civisibility/constants/env.go
@@ -24,4 +24,17 @@ const (
// This environment variable should be set to your Datadog API key, allowing the agentless mode to authenticate and
// send data directly to the Datadog platform.
APIKeyEnvironmentVariable = "DD_API_KEY"
+
+ // CIVisibilityTestSessionNameEnvironmentVariable indicate the test session name to be used on CI Visibility payloads
+ CIVisibilityTestSessionNameEnvironmentVariable = "DD_TEST_SESSION_NAME"
+
+ // CIVisibilityFlakyRetryEnabledEnvironmentVariable kill-switch that allows to explicitly disable retries even if the remote setting is enabled.
+ // This environment variable should be set to "0" or "false" to disable the flaky retry feature.
+ CIVisibilityFlakyRetryEnabledEnvironmentVariable = "DD_CIVISIBILITY_FLAKY_RETRY_ENABLED"
+
+ // CIVisibilityFlakyRetryCountEnvironmentVariable indicates the maximum number of retry attempts for a single test case.
+ CIVisibilityFlakyRetryCountEnvironmentVariable = "DD_CIVISIBILITY_FLAKY_RETRY_COUNT"
+
+ // CIVisibilityTotalFlakyRetryCountEnvironmentVariable indicates the maximum number of retry attempts for the entire session.
+ CIVisibilityTotalFlakyRetryCountEnvironmentVariable = "DD_CIVISIBILITY_TOTAL_FLAKY_RETRY_COUNT"
)
diff --git a/internal/civisibility/constants/git.go b/internal/civisibility/constants/git.go
index 6265be391a..a373132950 100644
--- a/internal/civisibility/constants/git.go
+++ b/internal/civisibility/constants/git.go
@@ -49,4 +49,13 @@ const (
// GitTag indicates the current git tag.
// This constant is used to tag traces with the tag name associated with the current commit.
GitTag = "git.tag"
+
+ // GitHeadCommit indicates the GIT head commit hash.
+ GitHeadCommit = "git.commit.head_sha"
+
+ // GitPrBaseCommit indicates the GIT PR base commit hash.
+ GitPrBaseCommit = "git.pull_request.base_branch_sha"
+
+ // GitPrBaseBranch indicates the GIT PR base branch name.
+ GitPrBaseBranch = "git.pull_request.base_branch"
)
diff --git a/internal/civisibility/constants/tags.go b/internal/civisibility/constants/tags.go
index 4563cb8839..0a6d690835 100644
--- a/internal/civisibility/constants/tags.go
+++ b/internal/civisibility/constants/tags.go
@@ -10,6 +10,10 @@ const (
// This tag helps in identifying the source of the trace data.
Origin = "_dd.origin"
+ // LogicalCPUCores is a tag used to indicate the number of logical cpu cores
+ // This tag is used by the backend to perform calculations
+ LogicalCPUCores = "_dd.host.vcpu_count"
+
// CIAppTestOrigin defines the CIApp test origin value.
// This constant is used to tag traces that originate from CIApp test executions.
CIAppTestOrigin = "ciapp-test"
diff --git a/internal/civisibility/constants/test_tags.go b/internal/civisibility/constants/test_tags.go
index 3a621a20be..7248d82450 100644
--- a/internal/civisibility/constants/test_tags.go
+++ b/internal/civisibility/constants/test_tags.go
@@ -46,6 +46,10 @@ const (
// This constant is used to tag traces with the line number in the source file where the test starts.
TestSourceStartLine = "test.source.start"
+ // TestSourceEndLine indicates the line of the source file where the test ends.
+ // This constant is used to tag traces with the line number in the source file where the test ends.
+ TestSourceEndLine = "test.source.end"
+
// TestCodeOwners indicates the test code owners.
// This constant is used to tag traces with the code owners responsible for the test.
TestCodeOwners = "test.codeowners"
@@ -61,6 +65,21 @@ const (
// TestCommandWorkingDirectory indicates the test command working directory relative to the source root.
// This constant is used to tag traces with the working directory path relative to the source root.
TestCommandWorkingDirectory = "test.working_directory"
+
+ // TestSessionName indicates the test session name
+ // This constant is used to tag traces with the test session name
+ TestSessionName = "test_session.name"
+
+ // TestIsNew indicates a new test
+ // This constant is used to tag test events that are detected as new by early flake detection
+ TestIsNew = "test.is_new"
+
+ // TestIsRetry indicates a retry execution
+ // This constant is used to tag test events that are part of a retry execution
+ TestIsRetry = "test.is_retry"
+
+ // TestEarlyFlakeDetectionRetryAborted indicates a retry abort reason by the early flake detection feature
+ TestEarlyFlakeDetectionRetryAborted = "test.early_flake.abort_reason"
)
// Define valid test status types.
diff --git a/internal/civisibility/integrations/civisibility.go b/internal/civisibility/integrations/civisibility.go
index f2b4663666..5469261f41 100644
--- a/internal/civisibility/integrations/civisibility.go
+++ b/internal/civisibility/integrations/civisibility.go
@@ -55,6 +55,14 @@ func InitializeCIVisibilityMock() mocktracer.Tracer {
func internalCiVisibilityInitialization(tracerInitializer func([]tracer.StartOption)) {
ciVisibilityInitializationOnce.Do(func() {
+ // check the debug flag to enable debug logs. The tracer initialization happens
+ // after the CI Visibility initialization so we need to handle this flag ourselves
+ if internal.BoolEnv("DD_TRACE_DEBUG", false) {
+ log.SetLevel(log.LevelDebug)
+ }
+
+ log.Debug("civisibility: initializing")
+
// Since calling this method indicates we are in CI Visibility mode, set the environment variable.
_ = os.Setenv(constants.CIVisibilityEnabledEnvironmentVariable, "1")
@@ -66,22 +74,29 @@ func internalCiVisibilityInitialization(tracerInitializer func([]tracer.StartOpt
// Preload all CI, Git, and CodeOwners tags.
ciTags := utils.GetCITags()
+ _ = utils.GetCIMetrics()
// Check if DD_SERVICE has been set; otherwise default to the repo name (from the spec).
var opts []tracer.StartOption
- if v := os.Getenv("DD_SERVICE"); v == "" {
+ serviceName := os.Getenv("DD_SERVICE")
+ if serviceName == "" {
if repoURL, ok := ciTags[constants.GitRepositoryURL]; ok {
// regex to sanitize the repository url to be used as a service name
- repoRegex := regexp.MustCompile(`(?m)/([a-zA-Z0-9\\\-_.]*)$`)
+ repoRegex := regexp.MustCompile(`(?m)/([a-zA-Z0-9\-_.]*)$`)
matches := repoRegex.FindStringSubmatch(repoURL)
if len(matches) > 1 {
repoURL = strings.TrimSuffix(matches[1], ".git")
}
- opts = append(opts, tracer.WithService(repoURL))
+ serviceName = repoURL
+ opts = append(opts, tracer.WithService(serviceName))
}
}
+ // Initializing additional features asynchronously
+ go func() { ensureAdditionalFeaturesInitialization(serviceName) }()
+
// Initialize the tracer
+ log.Debug("civisibility: initializing tracer")
tracerInitializer(opts)
// Handle SIGINT and SIGTERM signals to ensure we close all open spans and flush the tracer before exiting
@@ -104,13 +119,16 @@ func PushCiVisibilityCloseAction(action ciVisibilityCloseAction) {
// ExitCiVisibility executes all registered close actions and stops the tracer.
func ExitCiVisibility() {
+ log.Debug("civisibility: exiting")
closeActionsMutex.Lock()
defer closeActionsMutex.Unlock()
defer func() {
closeActions = []ciVisibilityCloseAction{}
+ log.Debug("civisibility: flushing and stopping tracer")
tracer.Flush()
tracer.Stop()
+ log.Debug("civisibility: done.")
}()
for _, v := range closeActions {
v()
diff --git a/internal/civisibility/integrations/civisibility_features.go b/internal/civisibility/integrations/civisibility_features.go
new file mode 100644
index 0000000000..420982337c
--- /dev/null
+++ b/internal/civisibility/integrations/civisibility_features.go
@@ -0,0 +1,118 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package integrations
+
+import (
+ "sync"
+
+ "github.com/DataDog/dd-trace-go/v2/internal"
+ "github.com/DataDog/dd-trace-go/v2/internal/civisibility/constants"
+ "github.com/DataDog/dd-trace-go/v2/internal/civisibility/utils/net"
+ "github.com/DataDog/dd-trace-go/v2/internal/log"
+)
+
+const (
+ DefaultFlakyRetryCount = 5
+ DefaultFlakyTotalRetryCount = 1_000
+)
+
+type (
+ // FlakyRetriesSetting struct to hold all the settings related to flaky tests retries
+ FlakyRetriesSetting struct {
+ RetryCount int64
+ TotalRetryCount int64
+ RemainingTotalRetryCount int64
+ }
+)
+
+var (
+ // additionalFeaturesInitializationOnce ensures we do the additional features initialization just once
+ additionalFeaturesInitializationOnce sync.Once
+
+ // ciVisibilityRapidClient contains the http rapid client to do CI Visibility queries and upload to the rapid backend
+ ciVisibilityClient net.Client
+
+ // ciVisibilitySettings contains the CI Visibility settings for this session
+ ciVisibilitySettings net.SettingsResponseData
+
+ // ciVisibilityEarlyFlakyDetectionSettings contains the CI Visibility Early Flake Detection data for this session
+ ciVisibilityEarlyFlakyDetectionSettings net.EfdResponseData
+
+ // ciVisibilityFlakyRetriesSettings contains the CI Visibility Flaky Retries settings for this session
+ ciVisibilityFlakyRetriesSettings FlakyRetriesSetting
+)
+
+// ensureAdditionalFeaturesInitialization initialize all the additional features
+func ensureAdditionalFeaturesInitialization(serviceName string) {
+ additionalFeaturesInitializationOnce.Do(func() {
+ log.Debug("civisibility: initializing additional features")
+
+ // Create the CI Visibility client
+ ciVisibilityClient = net.NewClientWithServiceName(serviceName)
+ if ciVisibilityClient == nil {
+ log.Error("civisibility: error getting the ci visibility http client")
+ return
+ }
+
+ // Get the CI Visibility settings payload for this test session
+ ciSettings, err := ciVisibilityClient.GetSettings()
+ if err != nil {
+ log.Error("civisibility: error getting CI visibility settings: %v", err)
+ } else if ciSettings != nil {
+ ciVisibilitySettings = *ciSettings
+ }
+
+ // if early flake detection is enabled then we run the early flake detection request
+ if ciVisibilitySettings.EarlyFlakeDetection.Enabled {
+ ciEfdData, err := ciVisibilityClient.GetEarlyFlakeDetectionData()
+ if err != nil {
+ log.Error("civisibility: error getting CI visibility early flake detection data: %v", err)
+ } else if ciEfdData != nil {
+ ciVisibilityEarlyFlakyDetectionSettings = *ciEfdData
+ log.Debug("civisibility: early flake detection data loaded.")
+ }
+ }
+
+ // if flaky test retries is enabled then let's load the flaky retries settings
+ if ciVisibilitySettings.FlakyTestRetriesEnabled {
+ flakyRetryEnabledByEnv := internal.BoolEnv(constants.CIVisibilityFlakyRetryEnabledEnvironmentVariable, true)
+ if flakyRetryEnabledByEnv {
+ totalRetriesCount := (int64)(internal.IntEnv(constants.CIVisibilityTotalFlakyRetryCountEnvironmentVariable, DefaultFlakyTotalRetryCount))
+ retryCount := (int64)(internal.IntEnv(constants.CIVisibilityFlakyRetryCountEnvironmentVariable, DefaultFlakyRetryCount))
+ ciVisibilityFlakyRetriesSettings = FlakyRetriesSetting{
+ RetryCount: retryCount,
+ TotalRetryCount: totalRetriesCount,
+ RemainingTotalRetryCount: totalRetriesCount,
+ }
+ log.Debug("civisibility: automatic test retries enabled [retryCount: %v, totalRetryCount: %v]", retryCount, totalRetriesCount)
+ } else {
+ log.Warn("civisibility: flaky test retries was disabled by the environment variable")
+ ciVisibilitySettings.FlakyTestRetriesEnabled = false
+ }
+ }
+ })
+}
+
+// GetSettings gets the settings from the backend settings endpoint
+func GetSettings() *net.SettingsResponseData {
+ // call to ensure the additional features initialization is completed (service name can be null here)
+ ensureAdditionalFeaturesInitialization("")
+ return &ciVisibilitySettings
+}
+
+// GetEarlyFlakeDetectionSettings gets the early flake detection known tests data
+func GetEarlyFlakeDetectionSettings() *net.EfdResponseData {
+ // call to ensure the additional features initialization is completed (service name can be null here)
+ ensureAdditionalFeaturesInitialization("")
+ return &ciVisibilityEarlyFlakyDetectionSettings
+}
+
+// GetFlakyRetriesSettings gets the flaky retries settings
+func GetFlakyRetriesSettings() *FlakyRetriesSetting {
+ // call to ensure the additional features initialization is completed (service name can be null here)
+ ensureAdditionalFeaturesInitialization("")
+ return &ciVisibilityFlakyRetriesSettings
+}
diff --git a/internal/civisibility/integrations/gotesting/instrumentation.go b/internal/civisibility/integrations/gotesting/instrumentation.go
index 4a4e7c9775..177b65cdb1 100644
--- a/internal/civisibility/integrations/gotesting/instrumentation.go
+++ b/internal/civisibility/integrations/gotesting/instrumentation.go
@@ -7,279 +7,452 @@ package gotesting
import (
"fmt"
- "os"
"reflect"
"runtime"
- "strings"
+ "slices"
+ "sync"
"sync/atomic"
"testing"
"time"
+ "unsafe"
"github.com/DataDog/dd-trace-go/v2/ddtrace/ext"
"github.com/DataDog/dd-trace-go/v2/internal/civisibility/integrations"
"github.com/DataDog/dd-trace-go/v2/internal/civisibility/utils"
)
-// The following functions are being used by the gotesting package for manual instrumentation and the orchestrion
-// automatic instrumentation
+type (
+ // instrumentationMetadata contains the internal instrumentation metadata
+ instrumentationMetadata struct {
+ IsInternal bool
+ }
-// instrumentTestingM helper function to instrument internalTests and internalBenchmarks in a `*testing.M` instance.
-func instrumentTestingM(m *testing.M) func(exitCode int) {
- // Initialize CI Visibility
- integrations.EnsureCiVisibilityInitialization()
+ // testExecutionMetadata contains metadata regarding an unique *testing.T or *testing.B execution
+ testExecutionMetadata struct {
+ test integrations.DdTest // internal CI Visibility test event
+ error atomic.Int32 // flag to check if the test event has error data already
+ skipped atomic.Int32 // flag to check if the test event has skipped data already
+ panicData any // panic data recovered from an internal test execution when using an additional feature wrapper
+ panicStacktrace string // stacktrace from the panic recovered from an internal test
+ isARetry bool // flag to tag if a current test execution is a retry
+ isANewTest bool // flag to tag if a current test execution is part of a new test (EFD not known test)
+ hasAdditionalFeatureWrapper bool // flag to check if the current execution is part of an additional feature wrapper
+ }
- // Create a new test session for CI visibility.
- session = integrations.CreateTestSession()
+ // runTestWithRetryOptions contains the options for calling runTestWithRetry function
+ runTestWithRetryOptions struct {
+ targetFunc func(t *testing.T) // target function to retry
+ t *testing.T // test to be executed
+ initialRetryCount int64 // initial retry count
+ adjustRetryCount func(duration time.Duration) int64 // adjust retry count function depending on the duration of the first execution
+ shouldRetry func(ptrToLocalT *testing.T, executionIndex int, remainingRetries int64) bool // function to decide whether we want to perform a retry
+ perExecution func(ptrToLocalT *testing.T, executionIndex int, duration time.Duration) // function to run after each test execution
+ onRetryEnd func(t *testing.T, executionIndex int, lastPtrToLocalT *testing.T) // function executed when all execution have finished
+ execMetaAdjust func(execMeta *testExecutionMetadata, executionIndex int) // function to modify the execution metadata for each execution
+ }
+)
- ddm := (*M)(m)
+var (
+ // ciVisibilityEnabledValue holds a value to check if ci visibility is enabled or not (1 = enabled / 0 = disabled)
+ ciVisibilityEnabledValue int32 = -1
- // Instrument the internal tests for CI visibility.
- ddm.instrumentInternalTests(getInternalTestArray(m))
+ // instrumentationMap holds a map of *runtime.Func for tracking instrumented functions
+ instrumentationMap = map[*runtime.Func]*instrumentationMetadata{}
- // Instrument the internal benchmarks for CI visibility.
- for _, v := range os.Args {
- // check if benchmarking is enabled to instrument
- if strings.Contains(v, "-bench") || strings.Contains(v, "test.bench") {
- ddm.instrumentInternalBenchmarks(getInternalBenchmarkArray(m))
- break
+ // instrumentationMapMutex is a read-write mutex for synchronizing access to instrumentationMap.
+ instrumentationMapMutex sync.RWMutex
+
+ // ciVisibilityTests holds a map of *testing.T or *testing.B to execution metadata for tracking tests.
+ ciVisibilityTestMetadata = map[unsafe.Pointer]*testExecutionMetadata{}
+
+ // ciVisibilityTestMetadataMutex is a read-write mutex for synchronizing access to ciVisibilityTestMetadata.
+ ciVisibilityTestMetadataMutex sync.RWMutex
+)
+
+// isCiVisibilityEnabled gets if CI Visibility has been enabled or disabled by the "DD_CIVISIBILITY_ENABLED" environment variable
+func isCiVisibilityEnabled() bool {
+ // let's check if the value has already been loaded from the env-vars
+ enabledValue := atomic.LoadInt32(&ciVisibilityEnabledValue)
+ if enabledValue == -1 {
+ // Get the DD_CIVISIBILITY_ENABLED env var, if not present we default to false (for now). This is because if we are here, it means
+ // that the process was instrumented for ci visibility or by using orchestrion.
+ // So effectively this env-var will act as a kill switch for cases where the code is instrumented, but
+ // we don't want the civisibility instrumentation to be enabled.
+ // *** For preview releases we will default to false, meaning that the use of ci visibility must be opt-in ***
+ if internal.BoolEnv(constants.CIVisibilityEnabledEnvironmentVariable, false) {
+ atomic.StoreInt32(&ciVisibilityEnabledValue, 1)
+ return true
+ } else {
+ atomic.StoreInt32(&ciVisibilityEnabledValue, 0)
+ return false
}
}
- return func(exitCode int) {
- // Close the session and return the exit code.
- session.Close(exitCode)
+ return enabledValue == 1
+}
- // Finalize CI Visibility
- integrations.ExitCiVisibility()
+// getInstrumentationMetadata gets the stored instrumentation metadata for a given *runtime.Func.
+func getInstrumentationMetadata(fn *runtime.Func) *instrumentationMetadata {
+ instrumentationMapMutex.RLock()
+ defer instrumentationMapMutex.RUnlock()
+ if v, ok := instrumentationMap[fn]; ok {
+ return v
}
+ return nil
}
-// instrumentTestingTFunc helper function to instrument a testing function func(*testing.T)
-func instrumentTestingTFunc(f func(*testing.T)) func(*testing.T) {
- // Reflect the function to obtain its pointer.
- fReflect := reflect.Indirect(reflect.ValueOf(f))
- moduleName, suiteName := utils.GetModuleAndSuiteName(fReflect.Pointer())
- originalFunc := runtime.FuncForPC(fReflect.Pointer())
-
- // Increment the test count in the module.
- atomic.AddInt32(modulesCounters[moduleName], 1)
-
- // Increment the test count in the suite.
- atomic.AddInt32(suitesCounters[suiteName], 1)
-
- return func(t *testing.T) {
- // Create or retrieve the module, suite, and test for CI visibility.
- module := session.GetOrCreateModuleWithFramework(moduleName, testFramework, runtime.Version())
- suite := module.GetOrCreateSuite(suiteName)
- test := suite.CreateTest(t.Name())
- test.SetTestFunc(originalFunc)
- setCiVisibilityTest(t, test)
- defer func() {
- if r := recover(); r != nil {
- // Handle panic and set error information.
- test.SetErrorInfo("panic", fmt.Sprint(r), utils.GetStacktrace(1))
- test.Close(integrations.ResultStatusFail)
- checkModuleAndSuite(module, suite)
- integrations.ExitCiVisibility()
- panic(r)
- } else {
- // Normal finalization: determine the test result based on its state.
- if t.Failed() {
- test.SetTag(ext.Error, true)
- suite.SetTag(ext.Error, true)
- module.SetTag(ext.Error, true)
- test.Close(integrations.ResultStatusFail)
- } else if t.Skipped() {
- test.Close(integrations.ResultStatusSkip)
- } else {
- test.Close(integrations.ResultStatusPass)
- }
- checkModuleAndSuite(module, suite)
- }
- }()
+// setInstrumentationMetadata stores an instrumentation metadata for a given *runtime.Func.
+func setInstrumentationMetadata(fn *runtime.Func, metadata *instrumentationMetadata) {
+ instrumentationMapMutex.RLock()
+ defer instrumentationMapMutex.RUnlock()
+ instrumentationMap[fn] = metadata
+}
- // Execute the original test function.
- f(t)
- }
+// createTestMetadata creates the CI visibility test metadata associated with a given *testing.T, *testing.B, *testing.common
+func createTestMetadata(tb testing.TB) *testExecutionMetadata {
+ ciVisibilityTestMetadataMutex.RLock()
+ defer ciVisibilityTestMetadataMutex.RUnlock()
+ execMetadata := &testExecutionMetadata{}
+ ciVisibilityTestMetadata[reflect.ValueOf(tb).UnsafePointer()] = execMetadata
+ return execMetadata
}
-// instrumentTestingTSetErrorInfo helper function to set an error in the `testing.T` CI Visibility span
-func instrumentTestingTSetErrorInfo(t *testing.T, errType string, errMessage string, skip int) {
- ciTest := getCiVisibilityTest(t)
- if ciTest != nil {
- ciTest.SetErrorInfo(errType, errMessage, utils.GetStacktrace(2+skip))
+// getTestMetadata retrieves the CI visibility test metadata associated with a given *testing.T, *testing.B, *testing.common
+func getTestMetadata(tb testing.TB) *testExecutionMetadata {
+ return getTestMetadataFromPointer(reflect.ValueOf(tb).UnsafePointer())
+}
+
+// getTestMetadataFromPointer retrieves the CI visibility test metadata associated with a given *testing.T, *testing.B, *testing.common using a pointer
+func getTestMetadataFromPointer(ptr unsafe.Pointer) *testExecutionMetadata {
+ ciVisibilityTestMetadataMutex.RLock()
+ defer ciVisibilityTestMetadataMutex.RUnlock()
+ if v, ok := ciVisibilityTestMetadata[ptr]; ok {
+ return v
}
+ return nil
}
-// instrumentTestingTCloseAndSkip helper function to close and skip with a reason a `testing.T` CI Visibility span
-func instrumentTestingTCloseAndSkip(t *testing.T, skipReason string) {
- ciTest := getCiVisibilityTest(t)
- if ciTest != nil {
- ciTest.CloseWithFinishTimeAndSkipReason(integrations.ResultStatusSkip, time.Now(), skipReason)
+// deleteTestMetadata delete the CI visibility test metadata associated with a given *testing.T, *testing.B, *testing.common
+func deleteTestMetadata(tb testing.TB) {
+ ciVisibilityTestMetadataMutex.RLock()
+ defer ciVisibilityTestMetadataMutex.RUnlock()
+ delete(ciVisibilityTestMetadata, reflect.ValueOf(tb).UnsafePointer())
+}
+
+// checkIfCIVisibilityExitIsRequiredByPanic checks the additional features settings to decide if we allow individual tests to panic or not
+func checkIfCIVisibilityExitIsRequiredByPanic() bool {
+ // Apply additional features
+ settings := integrations.GetSettings()
+
+ // If we don't plan to do retries then we allow to panic
+ return !settings.FlakyTestRetriesEnabled && !settings.EarlyFlakeDetection.Enabled
+}
+
+// applyAdditionalFeaturesToTestFunc applies all the additional features as wrapper of a func(*testing.T)
+func applyAdditionalFeaturesToTestFunc(f func(*testing.T), testInfo *commonInfo) func(*testing.T) {
+ // Apply additional features
+ settings := integrations.GetSettings()
+
+ // Check if we have something to do, if not we bail out
+ if !settings.FlakyTestRetriesEnabled && !settings.EarlyFlakeDetection.Enabled {
+ return f
+ }
+
+ // Target function
+ targetFunc := f
+
+ // Flaky test retries
+ if settings.FlakyTestRetriesEnabled {
+ targetFunc = applyFlakyTestRetriesAdditionalFeature(targetFunc)
+ }
+
+ // Early flake detection
+ if settings.EarlyFlakeDetection.Enabled {
+ targetFunc = applyEarlyFlakeDetectionAdditionalFeature(testInfo, targetFunc, settings)
}
+
+ // Register the instrumented func as an internal instrumented func (to avoid double instrumentation)
+ setInstrumentationMetadata(runtime.FuncForPC(reflect.ValueOf(targetFunc).Pointer()), &instrumentationMetadata{IsInternal: true})
+ return targetFunc
}
-// instrumentTestingTSkipNow helper function to close and skip a `testing.T` CI Visibility span
-func instrumentTestingTSkipNow(t *testing.T) {
- ciTest := getCiVisibilityTest(t)
- if ciTest != nil {
- ciTest.Close(integrations.ResultStatusSkip)
+// applyFlakyTestRetriesAdditionalFeature applies the flaky test retries feature as a wrapper of a func(*testing.T)
+func applyFlakyTestRetriesAdditionalFeature(targetFunc func(*testing.T)) func(*testing.T) {
+ flakyRetrySettings := integrations.GetFlakyRetriesSettings()
+
+ // If the retry count per test is > 1 and if we still have remaining total retry count
+ if flakyRetrySettings.RetryCount > 1 && flakyRetrySettings.RemainingTotalRetryCount > 0 {
+ return func(t *testing.T) {
+ runTestWithRetry(&runTestWithRetryOptions{
+ targetFunc: targetFunc,
+ t: t,
+ initialRetryCount: flakyRetrySettings.RetryCount,
+ adjustRetryCount: nil, // No adjustRetryCount
+ shouldRetry: func(ptrToLocalT *testing.T, executionIndex int, remainingRetries int64) bool {
+ remainingTotalRetries := atomic.AddInt64(&flakyRetrySettings.RemainingTotalRetryCount, -1)
+ // Decide whether to retry
+ return ptrToLocalT.Failed() && remainingRetries >= 0 && remainingTotalRetries >= 0
+ },
+ perExecution: nil, // No perExecution needed
+ onRetryEnd: func(t *testing.T, executionIndex int, lastPtrToLocalT *testing.T) {
+ // Update original `t` with results from last execution
+ tCommonPrivates := getTestPrivateFields(t)
+ tCommonPrivates.SetFailed(lastPtrToLocalT.Failed())
+ tCommonPrivates.SetSkipped(lastPtrToLocalT.Skipped())
+
+ // Update parent status if failed
+ if lastPtrToLocalT.Failed() {
+ tParentCommonPrivates := getTestParentPrivateFields(t)
+ tParentCommonPrivates.SetFailed(true)
+ }
+
+ // Print summary after retries
+ if executionIndex > 0 {
+ status := "passed"
+ if t.Failed() {
+ status = "failed"
+ } else if t.Skipped() {
+ status = "skipped"
+ }
+
+ fmt.Printf(" [ %v after %v retries by Datadog's auto test retries ]\n", status, executionIndex)
+ }
+
+ // Check if total retry count was exceeded
+ if flakyRetrySettings.RemainingTotalRetryCount < 1 {
+ fmt.Println(" the maximum number of total retries was exceeded.")
+ }
+ },
+ execMetaAdjust: nil, // No execMetaAdjust needed
+ })
+ }
}
+ return targetFunc
}
-// instrumentTestingBFunc helper function to instrument a benchmark function func(*testing.B)
-func instrumentTestingBFunc(pb *testing.B, name string, f func(*testing.B)) (string, func(*testing.B)) {
- // Avoid instrumenting twice
- if hasCiVisibilityBenchmarkFunc(&f) {
- return name, f
+// applyEarlyFlakeDetectionAdditionalFeature applies the early flake detection feature as a wrapper of a func(*testing.T)
+func applyEarlyFlakeDetectionAdditionalFeature(testInfo *commonInfo, targetFunc func(*testing.T), settings *net.SettingsResponseData) func(*testing.T) {
+ earlyFlakeDetectionData := integrations.GetEarlyFlakeDetectionSettings()
+ if earlyFlakeDetectionData != nil &&
+ len(earlyFlakeDetectionData.Tests) > 0 {
+
+ // Define is a known test flag
+ isAKnownTest := false
+
+ // Check if the test is a known test or a new one
+ if knownSuites, ok := earlyFlakeDetectionData.Tests[testInfo.moduleName]; ok {
+ if knownTests, ok := knownSuites[testInfo.suiteName]; ok {
+ if slices.Contains(knownTests, testInfo.testName) {
+ isAKnownTest = true
+ }
+ }
+ }
+
+ // If it's a new test, then we apply the EFD wrapper
+ if !isAKnownTest {
+ return func(t *testing.T) {
+ var testPassCount, testSkipCount, testFailCount int
+
+ runTestWithRetry(&runTestWithRetryOptions{
+ targetFunc: targetFunc,
+ t: t,
+ initialRetryCount: 0,
+ adjustRetryCount: func(duration time.Duration) int64 {
+ slowTestRetriesSettings := settings.EarlyFlakeDetection.SlowTestRetries
+ durationSecs := duration.Seconds()
+ if durationSecs < 5 {
+ return int64(slowTestRetriesSettings.FiveS)
+ } else if durationSecs < 10 {
+ return int64(slowTestRetriesSettings.TenS)
+ } else if durationSecs < 30 {
+ return int64(slowTestRetriesSettings.ThirtyS)
+ } else if duration.Minutes() < 5 {
+ return int64(slowTestRetriesSettings.FiveM)
+ }
+ return 0
+ },
+ shouldRetry: func(ptrToLocalT *testing.T, executionIndex int, remainingRetries int64) bool {
+ return remainingRetries >= 0
+ },
+ perExecution: func(ptrToLocalT *testing.T, executionIndex int, duration time.Duration) {
+ // Collect test results
+ if ptrToLocalT.Failed() {
+ testFailCount++
+ } else if ptrToLocalT.Skipped() {
+ testSkipCount++
+ } else {
+ testPassCount++
+ }
+ },
+ onRetryEnd: func(t *testing.T, executionIndex int, lastPtrToLocalT *testing.T) {
+ // Update test status based on collected counts
+ tCommonPrivates := getTestPrivateFields(t)
+ tParentCommonPrivates := getTestParentPrivateFields(t)
+ status := "passed"
+ if testPassCount == 0 {
+ if testSkipCount > 0 {
+ status = "skipped"
+ tCommonPrivates.SetSkipped(true)
+ }
+ if testFailCount > 0 {
+ status = "failed"
+ tCommonPrivates.SetFailed(true)
+ tParentCommonPrivates.SetFailed(true)
+ }
+ }
+
+ // Print summary after retries
+ if executionIndex > 0 {
+ fmt.Printf(" [ %v after %v retries by Datadog's early flake detection ]\n", status, executionIndex)
+ }
+ },
+ execMetaAdjust: func(execMeta *testExecutionMetadata, executionIndex int) {
+ // Set the flag new test to true
+ execMeta.isANewTest = true
+ },
+ })
+ }
+ }
}
+ return targetFunc
+}
- // Reflect the function to obtain its pointer.
- fReflect := reflect.Indirect(reflect.ValueOf(f))
- moduleName, suiteName := utils.GetModuleAndSuiteName(fReflect.Pointer())
- originalFunc := runtime.FuncForPC(fReflect.Pointer())
+// runTestWithRetry encapsulates the common retry logic for test functions.
+func runTestWithRetry(options *runTestWithRetryOptions) {
+ executionIndex := -1
+ var panicExecution *testExecutionMetadata
+ var lastPtrToLocalT *testing.T
- // Increment the test count in the module.
- atomic.AddInt32(modulesCounters[moduleName], 1)
+ // Module and suite for this test
+ var module integrations.DdTestModule
+ var suite integrations.DdTestSuite
- // Increment the test count in the suite.
- atomic.AddInt32(suitesCounters[suiteName], 1)
+ // Check if we have execution metadata to propagate
+ originalExecMeta := getTestMetadata(options.t)
- return subBenchmarkAutoName, func(b *testing.B) {
- // The sub-benchmark implementation relies on creating a dummy sub benchmark (called [DD:TestVisibility]) with
- // a Run over the original sub benchmark function to get the child results without interfering measurements
- // By doing this the name of the sub-benchmark are changed
- // from:
- // benchmark/child
- // to:
- // benchmark/[DD:TestVisibility]/child
- // We use regex and decrement the depth level of the benchmark to restore the original name
+ retryCount := options.initialRetryCount
- // Decrement level.
- bpf := getBenchmarkPrivateFields(b)
- bpf.AddLevel(-1)
+ for {
+ // Clear the matcher subnames map before each execution to avoid subname tests being called "parent/subname#NN" due to retries
+ getTestContextMatcherPrivateFields(options.t).ClearSubNames()
- startTime := time.Now()
- module := session.GetOrCreateModuleWithFrameworkAndStartTime(moduleName, testFramework, runtime.Version(), startTime)
- suite := module.GetOrCreateSuiteWithStartTime(suiteName, startTime)
- test := suite.CreateTestWithStartTime(fmt.Sprintf("%s/%s", pb.Name(), name), startTime)
- test.SetTestFunc(originalFunc)
+ // Increment execution index
+ executionIndex++
+
+ // Create a new local copy of `t` to isolate execution results
+ ptrToLocalT := &testing.T{}
+ copyTestWithoutParent(options.t, ptrToLocalT)
- // Restore the original name without the sub-benchmark auto name.
- *bpf.name = subBenchmarkAutoNameRegex.ReplaceAllString(*bpf.name, "")
+ // Create a dummy parent so we can run the test using this local copy
+ // without affecting the test parent
+ localTPrivateFields := getTestPrivateFields(ptrToLocalT)
+ *localTPrivateFields.parent = unsafe.Pointer(&testing.T{})
- // Run original benchmark.
- var iPfOfB *benchmarkPrivateFields
- var recoverFunc *func(r any)
- instrumentedFunc := func(b *testing.B) {
- // Stop the timer to do the initialization and replacements.
- b.StopTimer()
+ // Create an execution metadata instance
+ execMeta := createTestMetadata(ptrToLocalT)
+ execMeta.hasAdditionalFeatureWrapper = true
+ // Propagate set tags from a parent wrapper
+ if originalExecMeta != nil {
+ if originalExecMeta.isANewTest {
+ execMeta.isANewTest = true
+ }
+ if originalExecMeta.isARetry {
+ execMeta.isARetry = true
+ }
+ }
+
+ // If we are in a retry execution, set the `isARetry` flag
+ if executionIndex > 0 {
+ execMeta.isARetry = true
+ }
+
+ // Adjust execution metadata
+ if options.execMetaAdjust != nil {
+ options.execMetaAdjust(execMeta, executionIndex)
+ }
+
+ // Run original func similar to how it gets run internally in tRunner
+ startTime := time.Now()
+ chn := make(chan struct{}, 1)
+ go func() {
defer func() {
- if r := recover(); r != nil {
- if recoverFunc != nil {
- fn := *recoverFunc
- fn(r)
- }
- panic(r)
- }
+ chn <- struct{}{}
}()
+ options.targetFunc(ptrToLocalT)
+ }()
+ <-chn
+ duration := time.Since(startTime)
- // First time we get the private fields of the inner testing.B.
- iPfOfB = getBenchmarkPrivateFields(b)
- // Replace this function with the original one (executed only once - the first iteration[b.run1]).
- *iPfOfB.benchFunc = f
- // Set b to the CI visibility test.
- setCiVisibilityBenchmark(b, test)
+ // Call cleanup functions after this execution
+ if err := testingTRunCleanup(ptrToLocalT, 1); err != nil {
+ fmt.Printf("cleanup error: %v\n", err)
+ }
- // Enable the timer again.
- b.ResetTimer()
- b.StartTimer()
+ // Copy the current test to the wrapper if necessary
+ if originalExecMeta != nil {
+ originalExecMeta.test = execMeta.test
+ }
- // Execute original func
- f(b)
+ // Extract module and suite if present
+ currentSuite := execMeta.test.Suite()
+ if suite == nil && currentSuite != nil {
+ suite = currentSuite
+ }
+ if module == nil && currentSuite != nil && currentSuite.Module() != nil {
+ module = currentSuite.Module()
}
- setCiVisibilityBenchmarkFunc(&instrumentedFunc)
- defer deleteCiVisibilityBenchmarkFunc(&instrumentedFunc)
- b.Run(name, instrumentedFunc)
-
- endTime := time.Now()
- results := iPfOfB.result
-
- // Set benchmark data for CI visibility.
- test.SetBenchmarkData("duration", map[string]any{
- "run": results.N,
- "mean": results.NsPerOp(),
- })
- test.SetBenchmarkData("memory_total_operations", map[string]any{
- "run": results.N,
- "mean": results.AllocsPerOp(),
- "statistics.max": results.MemAllocs,
- })
- test.SetBenchmarkData("mean_heap_allocations", map[string]any{
- "run": results.N,
- "mean": results.AllocedBytesPerOp(),
- })
- test.SetBenchmarkData("total_heap_allocations", map[string]any{
- "run": results.N,
- "mean": iPfOfB.result.MemBytes,
- })
- if len(results.Extra) > 0 {
- mapConverted := map[string]any{}
- for k, v := range results.Extra {
- mapConverted[k] = v
+ // Remove execution metadata
+ deleteTestMetadata(ptrToLocalT)
+
+ // Handle panic data
+ if execMeta.panicData != nil {
+ ptrToLocalT.Fail()
+ if panicExecution == nil {
+ panicExecution = execMeta
}
- test.SetBenchmarkData("extra", mapConverted)
}
- // Define a function to handle panic during benchmark finalization.
- panicFunc := func(r any) {
- test.SetErrorInfo("panic", fmt.Sprint(r), utils.GetStacktrace(1))
- suite.SetTag(ext.Error, true)
- module.SetTag(ext.Error, true)
- test.Close(integrations.ResultStatusFail)
- checkModuleAndSuite(module, suite)
- integrations.ExitCiVisibility()
+ // Adjust retry count after first execution if necessary
+ if options.adjustRetryCount != nil && executionIndex == 0 {
+ retryCount = options.adjustRetryCount(duration)
}
- recoverFunc = &panicFunc
-
- // Normal finalization: determine the benchmark result based on its state.
- if iPfOfB.B.Failed() {
- test.SetTag(ext.Error, true)
- suite.SetTag(ext.Error, true)
- module.SetTag(ext.Error, true)
- test.CloseWithFinishTime(integrations.ResultStatusFail, endTime)
- } else if iPfOfB.B.Skipped() {
- test.CloseWithFinishTime(integrations.ResultStatusSkip, endTime)
- } else {
- test.CloseWithFinishTime(integrations.ResultStatusPass, endTime)
+
+ // Decrement retry count
+ retryCount--
+
+ // Call perExecution function
+ if options.perExecution != nil {
+ options.perExecution(ptrToLocalT, executionIndex, duration)
}
- checkModuleAndSuite(module, suite)
+ // Update lastPtrToLocalT
+ lastPtrToLocalT = ptrToLocalT
+
+ // Decide whether to continue
+ if !options.shouldRetry(ptrToLocalT, executionIndex, retryCount) {
+ break
+ }
}
-}
-// instrumentTestingBSetErrorInfo helper function to set an error in the `testing.B` CI Visibility span
-func instrumentTestingBSetErrorInfo(b *testing.B, errType string, errMessage string, skip int) {
- ciTest := getCiVisibilityBenchmark(b)
- if ciTest != nil {
- ciTest.SetErrorInfo(errType, errMessage, utils.GetStacktrace(2+skip))
+ // Call onRetryEnd
+ if options.onRetryEnd != nil {
+ options.onRetryEnd(options.t, executionIndex, lastPtrToLocalT)
}
-}
-// instrumentTestingBCloseAndSkip helper function to close and skip with a reason a `testing.B` CI Visibility span
-func instrumentTestingBCloseAndSkip(b *testing.B, skipReason string) {
- ciTest := getCiVisibilityBenchmark(b)
- if ciTest != nil {
- ciTest.CloseWithFinishTimeAndSkipReason(integrations.ResultStatusSkip, time.Now(), skipReason)
+ // After all test executions, check if we need to close the suite and the module
+ if originalExecMeta == nil {
+ checkModuleAndSuite(module, suite)
}
-}
-// instrumentTestingBSkipNow helper function to close and skip a `testing.B` CI Visibility span
-func instrumentTestingBSkipNow(b *testing.B) {
- ciTest := getCiVisibilityBenchmark(b)
- if ciTest != nil {
- ciTest.Close(integrations.ResultStatusSkip)
+ // Re-panic if test failed and panic data exists
+ if options.t.Failed() && panicExecution != nil {
+ // Ensure we flush all CI visibility data and close the session event
+ integrations.ExitCiVisibility()
+ panic(fmt.Sprintf("test failed and panicked after %d retries.\n%v\n%v", executionIndex, panicExecution.panicData, panicExecution.panicStacktrace))
}
}
+
+//go:linkname testingTRunCleanup testing.(*common).runCleanup
+func testingTRunCleanup(c *testing.T, ph int) (panicVal any)
diff --git a/internal/civisibility/integrations/gotesting/instrumentation_orchestrion.go b/internal/civisibility/integrations/gotesting/instrumentation_orchestrion.go
new file mode 100644
index 0000000000..2b3345549b
--- /dev/null
+++ b/internal/civisibility/integrations/gotesting/instrumentation_orchestrion.go
@@ -0,0 +1,389 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package gotesting
+
+import (
+ "fmt"
+ "os"
+ "reflect"
+ "runtime"
+ "strings"
+ "sync/atomic"
+ "testing"
+ "time"
+
+ "github.com/DataDog/dd-trace-go/v2/ddtrace/ext"
+ "github.com/DataDog/dd-trace-go/v2/internal/civisibility/constants"
+ "github.com/DataDog/dd-trace-go/v2/internal/civisibility/integrations"
+ "github.com/DataDog/dd-trace-go/v2/internal/civisibility/utils"
+)
+
+// ******************************************************************************************************************
+// WARNING: DO NOT CHANGE THE SIGNATURE OF THESE FUNCTIONS!
+//
+// The following functions are being used by both the manual api and most importantly the Orchestrion automatic
+// instrumentation integration.
+// ******************************************************************************************************************
+
+// instrumentTestingM helper function to instrument internalTests and internalBenchmarks in a `*testing.M` instance.
+func instrumentTestingM(m *testing.M) func(exitCode int) {
+ // Check if CI Visibility was disabled using the kill switch before trying to initialize it
+ atomic.StoreInt32(&ciVisibilityEnabledValue, -1)
+ if !isCiVisibilityEnabled() {
+ return func(exitCode int) {}
+ }
+
+ // Initialize CI Visibility
+ integrations.EnsureCiVisibilityInitialization()
+
+ // Create a new test session for CI visibility.
+ session = integrations.CreateTestSession()
+
+ ddm := (*M)(m)
+
+ // Instrument the internal tests for CI visibility.
+ ddm.instrumentInternalTests(getInternalTestArray(m))
+
+ // Instrument the internal benchmarks for CI visibility.
+ for _, v := range os.Args {
+ // check if benchmarking is enabled to instrument
+ if strings.Contains(v, "-bench") || strings.Contains(v, "test.bench") {
+ ddm.instrumentInternalBenchmarks(getInternalBenchmarkArray(m))
+ break
+ }
+ }
+
+ return func(exitCode int) {
+ // Check for code coverage if enabled.
+ if testing.CoverMode() != "" {
+ coveragePercentage := testing.Coverage() * 100
+ session.SetTag(constants.CodeCoveragePercentageOfTotalLines, coveragePercentage)
+ }
+
+ // Close the session and return the exit code.
+ session.Close(exitCode)
+
+ // Finalize CI Visibility
+ integrations.ExitCiVisibility()
+ }
+}
+
+// instrumentTestingTFunc helper function to instrument a testing function func(*testing.T)
+func instrumentTestingTFunc(f func(*testing.T)) func(*testing.T) {
+ // Check if CI Visibility was disabled using the kill switch before instrumenting
+ if !isCiVisibilityEnabled() {
+ return f
+ }
+
+ // Reflect the function to obtain its pointer.
+ fReflect := reflect.Indirect(reflect.ValueOf(f))
+ moduleName, suiteName := utils.GetModuleAndSuiteName(fReflect.Pointer())
+ originalFunc := runtime.FuncForPC(fReflect.Pointer())
+
+ // Avoid instrumenting twice
+ metadata := getInstrumentationMetadata(originalFunc)
+ if metadata != nil && metadata.IsInternal {
+ // If is an internal test, we don't instrument because f is already the instrumented func by executeInternalTest
+ return f
+ }
+
+ instrumentedFn := func(t *testing.T) {
+ // Initialize module counters if not already present.
+ if _, ok := modulesCounters[moduleName]; !ok {
+ var v int32
+ modulesCounters[moduleName] = &v
+ }
+ // Increment the test count in the module.
+ atomic.AddInt32(modulesCounters[moduleName], 1)
+
+ // Initialize suite counters if not already present.
+ if _, ok := suitesCounters[suiteName]; !ok {
+ var v int32
+ suitesCounters[suiteName] = &v
+ }
+ // Increment the test count in the suite.
+ atomic.AddInt32(suitesCounters[suiteName], 1)
+
+ // Create or retrieve the module, suite, and test for CI visibility.
+ module := session.GetOrCreateModuleWithFramework(moduleName, testFramework, runtime.Version())
+ suite := module.GetOrCreateSuite(suiteName)
+ test := suite.CreateTest(t.Name())
+ test.SetTestFunc(originalFunc)
+
+ // Get the metadata regarding the execution (in case is already created from the additional features)
+ execMeta := getTestMetadata(t)
+ if execMeta == nil {
+ // in case there's no additional features then we create the metadata for this execution and defer the disposal
+ execMeta = createTestMetadata(t)
+ defer deleteTestMetadata(t)
+ }
+
+ // Because this is a subtest let's propagate some execution metadata from the parent test
+ testPrivateFields := getTestPrivateFields(t)
+ if testPrivateFields.parent != nil {
+ parentExecMeta := getTestMetadataFromPointer(*testPrivateFields.parent)
+ if parentExecMeta != nil {
+ if parentExecMeta.isANewTest {
+ execMeta.isANewTest = true
+ }
+ if parentExecMeta.isARetry {
+ execMeta.isARetry = true
+ }
+ }
+ }
+
+ // Set the CI visibility test.
+ execMeta.test = test
+
+ // If the execution is for a new test we tag the test event from early flake detection
+ if execMeta.isANewTest {
+ // Set the is new test tag
+ test.SetTag(constants.TestIsNew, "true")
+ }
+
+ // If the execution is a retry we tag the test event
+ if execMeta.isARetry {
+ // Set the retry tag
+ test.SetTag(constants.TestIsRetry, "true")
+ }
+
+ defer func() {
+ if r := recover(); r != nil {
+ // Handle panic and set error information.
+ test.SetErrorInfo("panic", fmt.Sprint(r), utils.GetStacktrace(1))
+ test.Close(integrations.ResultStatusFail)
+ checkModuleAndSuite(module, suite)
+ // this is not an internal test. Retries are not applied to subtest (because the parent internal test is going to be retried)
+ // so for this case we avoid closing CI Visibility, but we don't stop the panic from happening.
+ // it will be handled by `t.Run`
+ if checkIfCIVisibilityExitIsRequiredByPanic() {
+ integrations.ExitCiVisibility()
+ }
+ panic(r)
+ } else {
+ // Normal finalization: determine the test result based on its state.
+ if t.Failed() {
+ test.SetTag(ext.Error, true)
+ suite.SetTag(ext.Error, true)
+ module.SetTag(ext.Error, true)
+ test.Close(integrations.ResultStatusFail)
+ } else if t.Skipped() {
+ test.Close(integrations.ResultStatusSkip)
+ } else {
+ test.Close(integrations.ResultStatusPass)
+ }
+ checkModuleAndSuite(module, suite)
+ }
+ }()
+
+ // Execute the original test function.
+ f(t)
+ }
+
+ setInstrumentationMetadata(runtime.FuncForPC(reflect.Indirect(reflect.ValueOf(instrumentedFn)).Pointer()), &instrumentationMetadata{IsInternal: true})
+ return instrumentedFn
+}
+
+// instrumentSetErrorInfo helper function to set an error in the `*testing.T, *testing.B, *testing.common` CI Visibility span
+func instrumentSetErrorInfo(tb testing.TB, errType string, errMessage string, skip int) {
+ // Check if CI Visibility was disabled using the kill switch before
+ if !isCiVisibilityEnabled() {
+ return
+ }
+
+ // Get the CI Visibility span and check if we can set the error type, message and stack
+ ciTestItem := getTestMetadata(tb)
+ if ciTestItem != nil && ciTestItem.test != nil && ciTestItem.error.CompareAndSwap(0, 1) {
+ ciTestItem.test.SetErrorInfo(errType, errMessage, utils.GetStacktrace(2+skip))
+ }
+}
+
+// instrumentCloseAndSkip helper function to close and skip with a reason a `*testing.T, *testing.B, *testing.common` CI Visibility span
+func instrumentCloseAndSkip(tb testing.TB, skipReason string) {
+ // Check if CI Visibility was disabled using the kill switch before
+ if !isCiVisibilityEnabled() {
+ return
+ }
+
+ // Get the CI Visibility span and check if we can mark it as skipped and close it
+ ciTestItem := getTestMetadata(tb)
+ if ciTestItem != nil && ciTestItem.test != nil && ciTestItem.skipped.CompareAndSwap(0, 1) {
+ ciTestItem.test.CloseWithFinishTimeAndSkipReason(integrations.ResultStatusSkip, time.Now(), skipReason)
+ }
+}
+
+// instrumentSkipNow helper function to close and skip a `*testing.T, *testing.B, *testing.common` CI Visibility span
+func instrumentSkipNow(tb testing.TB) {
+ // Check if CI Visibility was disabled using the kill switch before
+ if !isCiVisibilityEnabled() {
+ return
+ }
+
+ // Get the CI Visibility span and check if we can mark it as skipped and close it
+ ciTestItem := getTestMetadata(tb)
+ if ciTestItem != nil && ciTestItem.test != nil && ciTestItem.skipped.CompareAndSwap(0, 1) {
+ ciTestItem.test.Close(integrations.ResultStatusSkip)
+ }
+}
+
+// instrumentTestingBFunc helper function to instrument a benchmark function func(*testing.B)
+func instrumentTestingBFunc(pb *testing.B, name string, f func(*testing.B)) (string, func(*testing.B)) {
+ // Check if CI Visibility was disabled using the kill switch before instrumenting
+ if !isCiVisibilityEnabled() {
+ return name, f
+ }
+
+ // Reflect the function to obtain its pointer.
+ fReflect := reflect.Indirect(reflect.ValueOf(f))
+ moduleName, suiteName := utils.GetModuleAndSuiteName(fReflect.Pointer())
+ originalFunc := runtime.FuncForPC(fReflect.Pointer())
+
+ // Avoid instrumenting twice
+ if hasCiVisibilityBenchmarkFunc(originalFunc) {
+ return name, f
+ }
+
+ instrumentedFunc := func(b *testing.B) {
+ // The sub-benchmark implementation relies on creating a dummy sub benchmark (called [DD:TestVisibility]) with
+ // a Run over the original sub benchmark function to get the child results without interfering measurements
+ // By doing this the name of the sub-benchmark are changed
+ // from:
+ // benchmark/child
+ // to:
+ // benchmark/[DD:TestVisibility]/child
+ // We use regex and decrement the depth level of the benchmark to restore the original name
+
+ // Initialize module counters if not already present.
+ if _, ok := modulesCounters[moduleName]; !ok {
+ var v int32
+ modulesCounters[moduleName] = &v
+ }
+ // Increment the test count in the module.
+ atomic.AddInt32(modulesCounters[moduleName], 1)
+
+ // Initialize suite counters if not already present.
+ if _, ok := suitesCounters[suiteName]; !ok {
+ var v int32
+ suitesCounters[suiteName] = &v
+ }
+ // Increment the test count in the suite.
+ atomic.AddInt32(suitesCounters[suiteName], 1)
+
+ // Decrement level.
+ bpf := getBenchmarkPrivateFields(b)
+ bpf.AddLevel(-1)
+
+ startTime := time.Now()
+ module := session.GetOrCreateModuleWithFrameworkAndStartTime(moduleName, testFramework, runtime.Version(), startTime)
+ suite := module.GetOrCreateSuiteWithStartTime(suiteName, startTime)
+ test := suite.CreateTestWithStartTime(fmt.Sprintf("%s/%s", pb.Name(), name), startTime)
+ test.SetTestFunc(originalFunc)
+
+ // Restore the original name without the sub-benchmark auto name.
+ *bpf.name = subBenchmarkAutoNameRegex.ReplaceAllString(*bpf.name, "")
+
+ // Run original benchmark.
+ var iPfOfB *benchmarkPrivateFields
+ var recoverFunc *func(r any)
+ instrumentedFunc := func(b *testing.B) {
+ // Stop the timer to do the initialization and replacements.
+ b.StopTimer()
+
+ defer func() {
+ if r := recover(); r != nil {
+ if recoverFunc != nil {
+ fn := *recoverFunc
+ fn(r)
+ }
+ panic(r)
+ }
+ }()
+
+ // First time we get the private fields of the inner testing.B.
+ iPfOfB = getBenchmarkPrivateFields(b)
+ // Replace this function with the original one (executed only once - the first iteration[b.run1]).
+ *iPfOfB.benchFunc = f
+
+ // Get the metadata regarding the execution (in case is already created from the additional features)
+ execMeta := getTestMetadata(b)
+ if execMeta == nil {
+ // in case there's no additional features then we create the metadata for this execution and defer the disposal
+ execMeta = createTestMetadata(b)
+ defer deleteTestMetadata(b)
+ }
+
+ // Set the CI visibility test.
+ execMeta.test = test
+
+ // Enable the timer again.
+ b.ResetTimer()
+ b.StartTimer()
+
+ // Execute original func
+ f(b)
+ }
+
+ setCiVisibilityBenchmarkFunc(runtime.FuncForPC(reflect.Indirect(reflect.ValueOf(instrumentedFunc)).Pointer()))
+ b.Run(name, instrumentedFunc)
+
+ endTime := time.Now()
+ results := iPfOfB.result
+
+ // Set benchmark data for CI visibility.
+ test.SetBenchmarkData("duration", map[string]any{
+ "run": results.N,
+ "mean": results.NsPerOp(),
+ })
+ test.SetBenchmarkData("memory_total_operations", map[string]any{
+ "run": results.N,
+ "mean": results.AllocsPerOp(),
+ "statistics.max": results.MemAllocs,
+ })
+ test.SetBenchmarkData("mean_heap_allocations", map[string]any{
+ "run": results.N,
+ "mean": results.AllocedBytesPerOp(),
+ })
+ test.SetBenchmarkData("total_heap_allocations", map[string]any{
+ "run": results.N,
+ "mean": iPfOfB.result.MemBytes,
+ })
+ if len(results.Extra) > 0 {
+ mapConverted := map[string]any{}
+ for k, v := range results.Extra {
+ mapConverted[k] = v
+ }
+ test.SetBenchmarkData("extra", mapConverted)
+ }
+
+ // Define a function to handle panic during benchmark finalization.
+ panicFunc := func(r any) {
+ test.SetErrorInfo("panic", fmt.Sprint(r), utils.GetStacktrace(1))
+ suite.SetTag(ext.Error, true)
+ module.SetTag(ext.Error, true)
+ test.Close(integrations.ResultStatusFail)
+ checkModuleAndSuite(module, suite)
+ integrations.ExitCiVisibility()
+ }
+ recoverFunc = &panicFunc
+
+ // Normal finalization: determine the benchmark result based on its state.
+ if iPfOfB.B.Failed() {
+ test.SetTag(ext.Error, true)
+ suite.SetTag(ext.Error, true)
+ module.SetTag(ext.Error, true)
+ test.CloseWithFinishTime(integrations.ResultStatusFail, endTime)
+ } else if iPfOfB.B.Skipped() {
+ test.CloseWithFinishTime(integrations.ResultStatusSkip, endTime)
+ } else {
+ test.CloseWithFinishTime(integrations.ResultStatusPass, endTime)
+ }
+
+ checkModuleAndSuite(module, suite)
+ }
+ setCiVisibilityBenchmarkFunc(originalFunc)
+ setCiVisibilityBenchmarkFunc(runtime.FuncForPC(reflect.Indirect(reflect.ValueOf(instrumentedFunc)).Pointer()))
+ return subBenchmarkAutoName, instrumentedFunc
+}
diff --git a/internal/civisibility/integrations/gotesting/reflections.go b/internal/civisibility/integrations/gotesting/reflections.go
index 6aaac3ed4c..745aab1468 100644
--- a/internal/civisibility/integrations/gotesting/reflections.go
+++ b/internal/civisibility/integrations/gotesting/reflections.go
@@ -7,17 +7,25 @@ package gotesting
import (
"errors"
+ "io"
"reflect"
"sync"
+ "sync/atomic"
"testing"
+ "time"
"unsafe"
)
// getFieldPointerFrom gets an unsafe.Pointer (gc-safe type of pointer) to a struct field
// useful to get or set values to private field
func getFieldPointerFrom(value any, fieldName string) (unsafe.Pointer, error) {
- indirectValue := reflect.Indirect(reflect.ValueOf(value))
- member := indirectValue.FieldByName(fieldName)
+ return getFieldPointerFromValue(reflect.Indirect(reflect.ValueOf(value)), fieldName)
+}
+
+// getFieldPointerFromValue gets an unsafe.Pointer (gc-safe type of pointer) to a struct field
+// useful to get or set values to private field
+func getFieldPointerFromValue(value reflect.Value, fieldName string) (unsafe.Pointer, error) {
+ member := value.FieldByName(fieldName)
if member.IsValid() {
return unsafe.Pointer(member.UnsafeAddr()), nil
}
@@ -25,7 +33,61 @@ func getFieldPointerFrom(value any, fieldName string) (unsafe.Pointer, error) {
return unsafe.Pointer(nil), errors.New("member is invalid")
}
+// copyFieldUsingPointers copies a private field value from one struct to another of the same type
+func copyFieldUsingPointers[V any](source any, target any, fieldName string) error {
+ sourcePtr, err := getFieldPointerFrom(source, fieldName)
+ if err != nil {
+ return err
+ }
+ targetPtr, err := getFieldPointerFrom(target, fieldName)
+ if err != nil {
+ return err
+ }
+
+ *(*V)(targetPtr) = *(*V)(sourcePtr)
+ return nil
+}
+
+// ****************
+// COMMON
+// ****************
+
+// commonPrivateFields is collection of required private fields from testing.common
+type commonPrivateFields struct {
+ mu *sync.RWMutex
+ level *int
+ name *string // Name of test or benchmark.
+ failed *bool // Test or benchmark has failed.
+ skipped *bool // Test or benchmark has been skipped.
+ parent *unsafe.Pointer // Parent common
+}
+
+// AddLevel increase or decrease the testing.common.level field value, used by
+// testing.B to create the name of the benchmark test
+func (c *commonPrivateFields) AddLevel(delta int) int {
+ c.mu.Lock()
+ defer c.mu.Unlock()
+ *c.level = *c.level + delta
+ return *c.level
+}
+
+// SetFailed set the boolean value in testing.common.failed field value
+func (c *commonPrivateFields) SetFailed(value bool) {
+ c.mu.Lock()
+ defer c.mu.Unlock()
+ *c.failed = value
+}
+
+// SetSkipped set the boolean value in testing.common.skipped field value
+func (c *commonPrivateFields) SetSkipped(value bool) {
+ c.mu.Lock()
+ defer c.mu.Unlock()
+ *c.skipped = value
+}
+
+// ****************
// TESTING
+// ****************
// getInternalTestArray gets the pointer to the testing.InternalTest array inside a
// testing.M instance containing all the "root" tests
@@ -36,7 +98,147 @@ func getInternalTestArray(m *testing.M) *[]testing.InternalTest {
return nil
}
+// getTestPrivateFields is a method to retrieve all required privates field from
+// testing.T, returning a commonPrivateFields instance
+func getTestPrivateFields(t *testing.T) *commonPrivateFields {
+ testFields := &commonPrivateFields{}
+
+ // testing.common
+ if ptr, err := getFieldPointerFrom(t, "mu"); err == nil {
+ testFields.mu = (*sync.RWMutex)(ptr)
+ }
+ if ptr, err := getFieldPointerFrom(t, "level"); err == nil {
+ testFields.level = (*int)(ptr)
+ }
+ if ptr, err := getFieldPointerFrom(t, "name"); err == nil {
+ testFields.name = (*string)(ptr)
+ }
+ if ptr, err := getFieldPointerFrom(t, "failed"); err == nil {
+ testFields.failed = (*bool)(ptr)
+ }
+ if ptr, err := getFieldPointerFrom(t, "skipped"); err == nil {
+ testFields.skipped = (*bool)(ptr)
+ }
+ if ptr, err := getFieldPointerFrom(t, "parent"); err == nil {
+ testFields.parent = (*unsafe.Pointer)(ptr)
+ }
+
+ return testFields
+}
+
+// getTestParentPrivateFields is a method to retrieve all required parent privates field from
+// testing.T.parent, returning a commonPrivateFields instance
+func getTestParentPrivateFields(t *testing.T) *commonPrivateFields {
+ indirectValue := reflect.Indirect(reflect.ValueOf(t))
+ member := indirectValue.FieldByName("parent")
+ if member.IsValid() {
+ value := member.Elem()
+ testFields := &commonPrivateFields{}
+
+ // testing.common
+ if ptr, err := getFieldPointerFromValue(value, "mu"); err == nil {
+ testFields.mu = (*sync.RWMutex)(ptr)
+ }
+ if ptr, err := getFieldPointerFromValue(value, "level"); err == nil {
+ testFields.level = (*int)(ptr)
+ }
+ if ptr, err := getFieldPointerFromValue(value, "name"); err == nil {
+ testFields.name = (*string)(ptr)
+ }
+ if ptr, err := getFieldPointerFromValue(value, "failed"); err == nil {
+ testFields.failed = (*bool)(ptr)
+ }
+ if ptr, err := getFieldPointerFromValue(value, "skipped"); err == nil {
+ testFields.skipped = (*bool)(ptr)
+ }
+
+ return testFields
+ }
+ return nil
+}
+
+// contextMatcher is collection of required private fields from testing.context.match
+type contextMatcher struct {
+ mu *sync.RWMutex
+ subNames *map[string]int32
+}
+
+// ClearSubNames clears the subname map used for creating unique names for subtests
+func (c *contextMatcher) ClearSubNames() {
+ c.mu.Lock()
+ defer c.mu.Unlock()
+ *c.subNames = map[string]int32{}
+}
+
+// getTestContextMatcherPrivateFields is a method to retrieve all required privates field from
+// testing.T.context.match, returning a contextMatcher instance
+func getTestContextMatcherPrivateFields(t *testing.T) *contextMatcher {
+ indirectValue := reflect.Indirect(reflect.ValueOf(t))
+ contextMember := indirectValue.FieldByName("context")
+ if !contextMember.IsValid() {
+ return nil
+ }
+ contextMember = contextMember.Elem()
+ matchMember := contextMember.FieldByName("match")
+ if !matchMember.IsValid() {
+ return nil
+ }
+ matchMember = matchMember.Elem()
+
+ fields := &contextMatcher{}
+ if ptr, err := getFieldPointerFromValue(matchMember, "mu"); err == nil {
+ fields.mu = (*sync.RWMutex)(ptr)
+ }
+ if ptr, err := getFieldPointerFromValue(matchMember, "subNames"); err == nil {
+ fields.subNames = (*map[string]int32)(ptr)
+ }
+
+ return fields
+}
+
+// copyTestWithoutParent tries to copy all private fields except the t.parent from a *testing.T to another
+func copyTestWithoutParent(source *testing.T, target *testing.T) {
+ // Copy important field values
+ _ = copyFieldUsingPointers[[]byte](source, target, "output") // Output generated by test or benchmark.
+ _ = copyFieldUsingPointers[io.Writer](source, target, "w") // For flushToParent.
+ _ = copyFieldUsingPointers[bool](source, target, "ran") // Test or benchmark (or one of its subtests) was executed.
+ _ = copyFieldUsingPointers[bool](source, target, "failed") // Test or benchmark has failed.
+ _ = copyFieldUsingPointers[bool](source, target, "skipped") // Test or benchmark has been skipped.
+ _ = copyFieldUsingPointers[bool](source, target, "done") // Test is finished and all subtests have completed.
+ _ = copyFieldUsingPointers[map[uintptr]struct{}](source, target, "helperPCs") // functions to be skipped when writing file/line info
+ _ = copyFieldUsingPointers[map[string]struct{}](source, target, "helperNames") // helperPCs converted to function names
+ _ = copyFieldUsingPointers[[]func()](source, target, "cleanups") // optional functions to be called at the end of the test
+ _ = copyFieldUsingPointers[string](source, target, "cleanupName") // Name of the cleanup function.
+ _ = copyFieldUsingPointers[[]uintptr](source, target, "cleanupPc") // The stack trace at the point where Cleanup was called.
+ _ = copyFieldUsingPointers[bool](source, target, "finished") // Test function has completed.
+ _ = copyFieldUsingPointers[bool](source, target, "inFuzzFn") // Whether the fuzz target, if this is one, is running.
+
+ _ = copyFieldUsingPointers[unsafe.Pointer](source, target, "chatty") // A copy of chattyPrinter, if the chatty flag is set.
+ _ = copyFieldUsingPointers[bool](source, target, "bench") // Whether the current test is a benchmark.
+ _ = copyFieldUsingPointers[atomic.Bool](source, target, "hasSub") // whether there are sub-benchmarks.
+ _ = copyFieldUsingPointers[atomic.Bool](source, target, "cleanupStarted") // Registered cleanup callbacks have started to execute
+ _ = copyFieldUsingPointers[string](source, target, "runner") // Function name of tRunner running the test.
+ _ = copyFieldUsingPointers[bool](source, target, "isParallel") // Whether the test is parallel.
+
+ _ = copyFieldUsingPointers[int](source, target, "level") // Nesting depth of test or benchmark.
+ _ = copyFieldUsingPointers[[]uintptr](source, target, "creator") // If level > 0, the stack trace at the point where the parent called t.Run.
+ _ = copyFieldUsingPointers[string](source, target, "name") // Name of test or benchmark.
+ _ = copyFieldUsingPointers[unsafe.Pointer](source, target, "start") // Time test or benchmark started
+ _ = copyFieldUsingPointers[time.Duration](source, target, "duration")
+ _ = copyFieldUsingPointers[[]*testing.T](source, target, "sub") // Queue of subtests to be run in parallel.
+ _ = copyFieldUsingPointers[atomic.Int64](source, target, "lastRaceErrors") // Max value of race.Errors seen during the test or its subtests.
+ _ = copyFieldUsingPointers[atomic.Bool](source, target, "raceErrorLogged")
+ _ = copyFieldUsingPointers[string](source, target, "tempDir")
+ _ = copyFieldUsingPointers[error](source, target, "tempDirErr")
+ _ = copyFieldUsingPointers[int32](source, target, "tempDirSeq")
+
+ _ = copyFieldUsingPointers[bool](source, target, "isEnvSet")
+ _ = copyFieldUsingPointers[unsafe.Pointer](source, target, "context") // For running tests and subtests.
+}
+
+// ****************
// BENCHMARKS
+// ****************
// get the pointer to the internal benchmark array
// getInternalBenchmarkArray gets the pointer to the testing.InternalBenchmark array inside
@@ -48,22 +250,6 @@ func getInternalBenchmarkArray(m *testing.M) *[]testing.InternalBenchmark {
return nil
}
-// commonPrivateFields is collection of required private fields from testing.common
-type commonPrivateFields struct {
- mu *sync.RWMutex
- level *int
- name *string // Name of test or benchmark.
-}
-
-// AddLevel increase or decrease the testing.common.level field value, used by
-// testing.B to create the name of the benchmark test
-func (c *commonPrivateFields) AddLevel(delta int) int {
- c.mu.Lock()
- defer c.mu.Unlock()
- *c.level = *c.level + delta
- return *c.level
-}
-
// benchmarkPrivateFields is a collection of required private fields from testing.B
// also contains a pointer to the original testing.B for easy access
type benchmarkPrivateFields struct {
@@ -80,7 +266,7 @@ func getBenchmarkPrivateFields(b *testing.B) *benchmarkPrivateFields {
B: b,
}
- // common
+ // testing.common
if ptr, err := getFieldPointerFrom(b, "mu"); err == nil {
benchFields.mu = (*sync.RWMutex)(ptr)
}
@@ -90,8 +276,17 @@ func getBenchmarkPrivateFields(b *testing.B) *benchmarkPrivateFields {
if ptr, err := getFieldPointerFrom(b, "name"); err == nil {
benchFields.name = (*string)(ptr)
}
+ if ptr, err := getFieldPointerFrom(b, "failed"); err == nil {
+ benchFields.failed = (*bool)(ptr)
+ }
+ if ptr, err := getFieldPointerFrom(b, "skipped"); err == nil {
+ benchFields.skipped = (*bool)(ptr)
+ }
+ if ptr, err := getFieldPointerFrom(b, "parent"); err == nil {
+ benchFields.parent = (*unsafe.Pointer)(ptr)
+ }
- // benchmark
+ // testing.B
if ptr, err := getFieldPointerFrom(b, "benchFunc"); err == nil {
benchFields.benchFunc = (*func(b *testing.B))(ptr)
}
diff --git a/internal/civisibility/integrations/gotesting/testcontroller_test.go b/internal/civisibility/integrations/gotesting/testcontroller_test.go
new file mode 100644
index 0000000000..3a679715e2
--- /dev/null
+++ b/internal/civisibility/integrations/gotesting/testcontroller_test.go
@@ -0,0 +1,492 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package gotesting
+
+import (
+ "encoding/json"
+ "fmt"
+ "net/http"
+ "net/http/httptest"
+ "os"
+ "os/exec"
+ "testing"
+
+ "github.com/DataDog/dd-trace-go/v2/ddtrace/ext"
+ "github.com/DataDog/dd-trace-go/v2/ddtrace/mocktracer"
+ "github.com/DataDog/dd-trace-go/v2/internal"
+ "github.com/DataDog/dd-trace-go/v2/internal/civisibility/constants"
+ "github.com/DataDog/dd-trace-go/v2/internal/civisibility/integrations"
+ "github.com/DataDog/dd-trace-go/v2/internal/civisibility/utils/net"
+ "github.com/DataDog/dd-trace-go/v2/internal/log"
+)
+
+var currentM *testing.M
+var mTracer mocktracer.Tracer
+
+// TestMain is the entry point for testing and runs before any test.
+func TestMain(m *testing.M) {
+ log.SetLevel(log.LevelDebug)
+
+ // We need to spawn separated test process for each scenario
+ scenarios := []string{"TestFlakyTestRetries", "TestEarlyFlakeDetection", "TestFlakyTestRetriesAndEarlyFlakeDetection"}
+
+ if internal.BoolEnv(scenarios[0], false) {
+ fmt.Printf("Scenario %s started.\n", scenarios[0])
+ runFlakyTestRetriesTests(m)
+ } else if internal.BoolEnv(scenarios[1], false) {
+ fmt.Printf("Scenario %s started.\n", scenarios[1])
+ runEarlyFlakyTestDetectionTests(m)
+ } else if internal.BoolEnv(scenarios[2], false) {
+ fmt.Printf("Scenario %s started.\n", scenarios[2])
+ runFlakyTestRetriesWithEarlyFlakyTestDetectionTests(m)
+ } else {
+ fmt.Println("Starting tests...")
+ for _, v := range scenarios {
+ cmd := exec.Command(os.Args[0], os.Args[1:]...)
+ cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
+ cmd.Env = append(cmd.Env, os.Environ()...)
+ cmd.Env = append(cmd.Env, fmt.Sprintf("%s=true", v))
+ fmt.Printf("Running scenario: %s:\n", v)
+ err := cmd.Run()
+ fmt.Printf("Done.\n\n")
+ if err != nil {
+ if exiterr, ok := err.(*exec.ExitError); ok {
+ fmt.Printf("Scenario %s failed with exit code: %d\n", v, exiterr.ExitCode())
+ os.Exit(exiterr.ExitCode())
+ } else {
+ fmt.Printf("cmd.Run: %v\n", err)
+ os.Exit(1)
+ }
+ break
+ }
+ }
+ }
+
+ os.Exit(0)
+}
+
+func runFlakyTestRetriesTests(m *testing.M) {
+ // mock the settings api to enable automatic test retries
+ server := setUpHttpServer(true, false, nil)
+ defer server.Close()
+
+ // set a custom retry count
+ os.Setenv(constants.CIVisibilityFlakyRetryCountEnvironmentVariable, "10")
+
+ // initialize the mock tracer for doing assertions on the finished spans
+ currentM = m
+ mTracer = integrations.InitializeCIVisibilityMock()
+
+ // execute the tests, we are expecting some tests to fail and check the assertion later
+ exitCode := RunM(m)
+ if exitCode != 1 {
+ panic("expected the exit code to be 1. We have a failing test on purpose.")
+ }
+
+ // get all finished spans
+ finishedSpans := mTracer.FinishedSpans()
+
+ // 1 session span
+ // 1 module span
+ // 2 suite span (testing_test.go and reflections_test.go)
+ // 5 tests from reflections_test.go
+ // 1 TestMyTest01
+ // 1 TestMyTest02 + 2 subtests
+ // 1 Test_Foo + 3 subtests
+ // 1 TestWithExternalCalls + 2 subtests
+ // 1 TestSkip
+ // 1 TestRetryWithPanic + 3 retry tests from testing_test.go
+ // 1 TestRetryWithFail + 3 retry tests from testing_test.go
+ // 1 TestRetryAlwaysFail + 10 retry tests from testing_test.go
+ // 1 TestNormalPassingAfterRetryAlwaysFail
+ // 1 TestEarlyFlakeDetection
+ // 2 normal spans from testing_test.go
+
+ // check spans by resource name
+ checkSpansByResourceName(finishedSpans, "github.com/DataDog/dd-trace-go/v2/internal/civisibility/integrations/gotesting", 1)
+ checkSpansByResourceName(finishedSpans, "reflections_test.go", 1)
+ checkSpansByResourceName(finishedSpans, "testing_test.go", 1)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.TestMyTest01", 1)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.TestMyTest02", 1)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.TestMyTest02/sub01", 1)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.TestMyTest02/sub01/sub03", 1)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.Test_Foo", 1)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.Test_Foo/yellow_should_return_color", 1)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.Test_Foo/banana_should_return_fruit", 1)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.Test_Foo/duck_should_return_animal", 1)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.TestWithExternalCalls", 1)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.TestWithExternalCalls/default", 1)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.TestWithExternalCalls/custom-name", 1)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.TestSkip", 1)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.TestRetryWithPanic", 4)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.TestRetryWithFail", 4)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.TestRetryAlwaysFail", 11)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.TestNormalPassingAfterRetryAlwaysFail", 1)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.TestEarlyFlakeDetection", 1)
+
+ // check spans by tag
+ checkSpansByTagName(finishedSpans, constants.TestIsRetry, 16)
+
+ // check spans by type
+ checkSpansByType(finishedSpans,
+ 44,
+ 1,
+ 1,
+ 2,
+ 38,
+ 2)
+
+ os.Exit(0)
+}
+
+func runEarlyFlakyTestDetectionTests(m *testing.M) {
+ // mock the settings api to enable automatic test retries
+ server := setUpHttpServer(false, true, &net.EfdResponseData{
+ Tests: net.EfdResponseDataModules{
+ "github.com/DataDog/dd-trace-go/v2/internal/civisibility/integrations/gotesting": net.EfdResponseDataSuites{
+ "reflections_test.go": []string{
+ "TestGetFieldPointerFrom",
+ "TestGetInternalTestArray",
+ "TestGetInternalBenchmarkArray",
+ "TestCommonPrivateFields_AddLevel",
+ "TestGetBenchmarkPrivateFields",
+ },
+ },
+ },
+ })
+ defer server.Close()
+
+ // initialize the mock tracer for doing assertions on the finished spans
+ currentM = m
+ mTracer = integrations.InitializeCIVisibilityMock()
+
+ // execute the tests, we are expecting some tests to fail and check the assertion later
+ exitCode := RunM(m)
+ if exitCode != 1 {
+ panic("expected the exit code to be 1. We have a failing test on purpose.")
+ }
+
+ // get all finished spans
+ finishedSpans := mTracer.FinishedSpans()
+
+ // 1 session span
+ // 1 module span
+ // 2 suite span (testing_test.go and reflections_test.go)
+ // 5 tests from reflections_test.go
+ // 11 TestMyTest01
+ // 11 TestMyTest02 + 22 subtests
+ // 11 Test_Foo + 33 subtests
+ // 11 TestWithExternalCalls + 22 subtests
+ // 11 TestSkip
+ // 11 TestRetryWithPanic
+ // 11 TestRetryWithFail
+ // 11 TestRetryAlwaysFail
+ // 11 TestNormalPassingAfterRetryAlwaysFail
+ // 11 TestEarlyFlakeDetection
+ // 22 normal spans from testing_test.go
+
+ // check spans by resource name
+ checkSpansByResourceName(finishedSpans, "github.com/DataDog/dd-trace-go/v2/internal/civisibility/integrations/gotesting", 1)
+ checkSpansByResourceName(finishedSpans, "reflections_test.go", 1)
+ checkSpansByResourceName(finishedSpans, "testing_test.go", 1)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.TestMyTest01", 11)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.TestMyTest02", 11)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.TestMyTest02/sub01", 11)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.TestMyTest02/sub01/sub03", 11)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.Test_Foo", 11)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.Test_Foo/yellow_should_return_color", 11)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.Test_Foo/banana_should_return_fruit", 11)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.Test_Foo/duck_should_return_animal", 11)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.TestWithExternalCalls", 11)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.TestWithExternalCalls/default", 11)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.TestWithExternalCalls/custom-name", 11)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.TestSkip", 11)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.TestRetryWithPanic", 11)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.TestRetryWithFail", 11)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.TestRetryAlwaysFail", 11)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.TestNormalPassingAfterRetryAlwaysFail", 11)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.TestEarlyFlakeDetection", 11)
+
+ // check spans by tag
+ checkSpansByTagName(finishedSpans, constants.TestIsNew, 187)
+ checkSpansByTagName(finishedSpans, constants.TestIsRetry, 170)
+
+ // check spans by type
+ checkSpansByType(finishedSpans,
+ 218,
+ 1,
+ 1,
+ 2,
+ 192,
+ 22)
+
+ os.Exit(0)
+}
+
+func runFlakyTestRetriesWithEarlyFlakyTestDetectionTests(m *testing.M) {
+ // mock the settings api to enable automatic test retries
+ server := setUpHttpServer(true, true, &net.EfdResponseData{
+ Tests: net.EfdResponseDataModules{
+ "github.com/DataDog/dd-trace-go/v2/internal/civisibility/integrations/gotesting": net.EfdResponseDataSuites{
+ "reflections_test.go": []string{
+ "TestGetFieldPointerFrom",
+ "TestGetInternalTestArray",
+ "TestGetInternalBenchmarkArray",
+ "TestCommonPrivateFields_AddLevel",
+ "TestGetBenchmarkPrivateFields",
+ },
+ "testing_test.go": []string{
+ "TestMyTest01",
+ "TestMyTest02",
+ "Test_Foo",
+ "TestWithExternalCalls",
+ "TestSkip",
+ "TestRetryWithPanic",
+ "TestRetryWithFail",
+ "TestRetryAlwaysFail",
+ "TestNormalPassingAfterRetryAlwaysFail",
+ },
+ },
+ },
+ })
+ defer server.Close()
+
+ // set a custom retry count
+ os.Setenv(constants.CIVisibilityFlakyRetryCountEnvironmentVariable, "10")
+
+ // initialize the mock tracer for doing assertions on the finished spans
+ currentM = m
+ mTracer = integrations.InitializeCIVisibilityMock()
+
+ // execute the tests, we are expecting some tests to fail and check the assertion later
+ exitCode := RunM(m)
+ if exitCode != 1 {
+ panic("expected the exit code to be 1. We have a failing test on purpose.")
+ }
+
+ // get all finished spans
+ finishedSpans := mTracer.FinishedSpans()
+
+ // 1 session span
+ // 1 module span
+ // 2 suite span (testing_test.go and reflections_test.go)
+ // 5 tests from reflections_test.go
+ // 1 TestMyTest01
+ // 1 TestMyTest02 + 2 subtests
+ // 1 Test_Foo + 3 subtests
+ // 1 TestWithExternalCalls + 2 subtests
+ // 1 TestSkip
+ // 1 TestRetryWithPanic + 3 retry tests from testing_test.go
+ // 1 TestRetryWithFail + 3 retry tests from testing_test.go
+ // 1 TestRetryAlwaysFail + 10 retry tests from testing_test.go
+ // 1 TestNormalPassingAfterRetryAlwaysFail
+ // 11 TestEarlyFlakeDetection + 10 retries
+ // 2 normal spans from testing_test.go
+
+ // check spans by resource name
+ checkSpansByResourceName(finishedSpans, "github.com/DataDog/dd-trace-go/v2/internal/civisibility/integrations/gotesting", 1)
+ checkSpansByResourceName(finishedSpans, "reflections_test.go", 1)
+ checkSpansByResourceName(finishedSpans, "testing_test.go", 1)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.TestMyTest01", 1)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.TestMyTest02", 1)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.TestMyTest02/sub01", 1)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.TestMyTest02/sub01/sub03", 1)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.Test_Foo", 1)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.Test_Foo/yellow_should_return_color", 1)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.Test_Foo/banana_should_return_fruit", 1)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.Test_Foo/duck_should_return_animal", 1)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.TestWithExternalCalls", 1)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.TestWithExternalCalls/default", 1)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.TestWithExternalCalls/custom-name", 1)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.TestSkip", 1)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.TestRetryWithPanic", 4)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.TestRetryWithFail", 4)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.TestRetryAlwaysFail", 11)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.TestNormalPassingAfterRetryAlwaysFail", 1)
+ checkSpansByResourceName(finishedSpans, "testing_test.go.TestEarlyFlakeDetection", 21)
+
+ // check spans by tag
+ checkSpansByTagName(finishedSpans, constants.TestIsNew, 21)
+ checkSpansByTagName(finishedSpans, constants.TestIsRetry, 36)
+
+ // check spans by type
+ checkSpansByType(finishedSpans,
+ 64,
+ 1,
+ 1,
+ 2,
+ 58,
+ 2)
+
+ os.Exit(0)
+}
+
+func checkSpansByType(finishedSpans []mocktracer.Span,
+ totalFinishedSpansCount int, sessionSpansCount int, moduleSpansCount int,
+ suiteSpansCount int, testSpansCount int, normalSpansCount int) {
+ calculatedFinishedSpans := len(finishedSpans)
+ fmt.Printf("Number of spans received: %d\n", calculatedFinishedSpans)
+ if calculatedFinishedSpans < totalFinishedSpansCount {
+ panic(fmt.Sprintf("expected at least %d finished spans, got %d", totalFinishedSpansCount, calculatedFinishedSpans))
+ }
+
+ sessionSpans := getSpansWithType(finishedSpans, constants.SpanTypeTestSession)
+ calculatedSessionSpans := len(sessionSpans)
+ fmt.Printf("Number of sessions received: %d\n", calculatedSessionSpans)
+ showResourcesNameFromSpans(sessionSpans)
+ if calculatedSessionSpans != sessionSpansCount {
+ panic(fmt.Sprintf("expected exactly %d session span, got %d", sessionSpansCount, calculatedSessionSpans))
+ }
+
+ moduleSpans := getSpansWithType(finishedSpans, constants.SpanTypeTestModule)
+ calculatedModuleSpans := len(moduleSpans)
+ fmt.Printf("Number of modules received: %d\n", calculatedModuleSpans)
+ showResourcesNameFromSpans(moduleSpans)
+ if calculatedModuleSpans != moduleSpansCount {
+ panic(fmt.Sprintf("expected exactly %d module span, got %d", moduleSpansCount, calculatedModuleSpans))
+ }
+
+ suiteSpans := getSpansWithType(finishedSpans, constants.SpanTypeTestSuite)
+ calculatedSuiteSpans := len(suiteSpans)
+ fmt.Printf("Number of suites received: %d\n", calculatedSuiteSpans)
+ showResourcesNameFromSpans(suiteSpans)
+ if calculatedSuiteSpans != suiteSpansCount {
+ panic(fmt.Sprintf("expected exactly %d suite spans, got %d", suiteSpansCount, calculatedSuiteSpans))
+ }
+
+ testSpans := getSpansWithType(finishedSpans, constants.SpanTypeTest)
+ calculatedTestSpans := len(testSpans)
+ fmt.Printf("Number of tests received: %d\n", calculatedTestSpans)
+ showResourcesNameFromSpans(testSpans)
+ if calculatedTestSpans != testSpansCount {
+ panic(fmt.Sprintf("expected exactly %d test spans, got %d", testSpansCount, calculatedTestSpans))
+ }
+
+ normalSpans := getSpansWithType(finishedSpans, ext.SpanTypeHTTP)
+ calculatedNormalSpans := len(normalSpans)
+ fmt.Printf("Number of http spans received: %d\n", calculatedNormalSpans)
+ showResourcesNameFromSpans(normalSpans)
+ if calculatedNormalSpans != normalSpansCount {
+ panic(fmt.Sprintf("expected exactly %d normal spans, got %d", normalSpansCount, calculatedNormalSpans))
+ }
+}
+
+func checkSpansByResourceName(finishedSpans []mocktracer.Span, resourceName string, count int) []mocktracer.Span {
+ spans := getSpansWithResourceName(finishedSpans, resourceName)
+ numOfSpans := len(spans)
+ if numOfSpans != count {
+ panic(fmt.Sprintf("expected exactly %d spans with resource name: %s, got %d", count, resourceName, numOfSpans))
+ }
+
+ return spans
+}
+
+func checkSpansByTagName(finishedSpans []mocktracer.Span, tagName string, count int) []mocktracer.Span {
+ spans := getSpansWithTagName(finishedSpans, tagName)
+ numOfSpans := len(spans)
+ if numOfSpans != count {
+ panic(fmt.Sprintf("expected exactly %d spans with tag name: %s, got %d", count, tagName, numOfSpans))
+ }
+
+ return spans
+}
+
+func setUpHttpServer(flakyRetriesEnabled bool, earlyFlakyDetectionEnabled bool, earlyFlakyDetectionData *net.EfdResponseData) *httptest.Server {
+ // mock the settings api to enable automatic test retries
+ server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ fmt.Printf("MockApi received request: %s\n", r.URL.Path)
+
+ // Settings request
+ if r.URL.Path == "/api/v2/libraries/tests/services/setting" {
+ w.Header().Set("Content-Type", "application/json")
+ response := struct {
+ Data struct {
+ ID string `json:"id"`
+ Type string `json:"type"`
+ Attributes net.SettingsResponseData `json:"attributes"`
+ } `json:"data,omitempty"`
+ }{}
+
+ // let's enable flaky test retries
+ response.Data.Attributes = net.SettingsResponseData{
+ FlakyTestRetriesEnabled: flakyRetriesEnabled,
+ }
+ response.Data.Attributes.EarlyFlakeDetection.Enabled = earlyFlakyDetectionEnabled
+ response.Data.Attributes.EarlyFlakeDetection.SlowTestRetries.FiveS = 10
+ response.Data.Attributes.EarlyFlakeDetection.SlowTestRetries.TenS = 5
+ response.Data.Attributes.EarlyFlakeDetection.SlowTestRetries.ThirtyS = 3
+ response.Data.Attributes.EarlyFlakeDetection.SlowTestRetries.FiveM = 2
+
+ fmt.Printf("MockApi sending response: %v\n", response)
+ json.NewEncoder(w).Encode(&response)
+ } else if earlyFlakyDetectionEnabled && r.URL.Path == "/api/v2/ci/libraries/tests" {
+ w.Header().Set("Content-Type", "application/json")
+ response := struct {
+ Data struct {
+ ID string `json:"id"`
+ Type string `json:"type"`
+ Attributes net.EfdResponseData `json:"attributes"`
+ } `json:"data,omitempty"`
+ }{}
+
+ if earlyFlakyDetectionData != nil {
+ response.Data.Attributes = *earlyFlakyDetectionData
+ }
+
+ fmt.Printf("MockApi sending response: %v\n", response)
+ json.NewEncoder(w).Encode(&response)
+ } else {
+ http.NotFound(w, r)
+ }
+ }))
+
+ // set the custom agentless url and the flaky retry count env-var
+ fmt.Printf("Using mockapi at: %s\n", server.URL)
+ os.Setenv(constants.CIVisibilityAgentlessEnabledEnvironmentVariable, "1")
+ os.Setenv(constants.CIVisibilityAgentlessURLEnvironmentVariable, server.URL)
+ os.Setenv(constants.APIKeyEnvironmentVariable, "12345")
+
+ return server
+}
+
+func getSpansWithType(spans []mocktracer.Span, spanType string) []mocktracer.Span {
+ var result []mocktracer.Span
+ for _, span := range spans {
+ if span.Tag(ext.SpanType) == spanType {
+ result = append(result, span)
+ }
+ }
+
+ return result
+}
+
+func getSpansWithResourceName(spans []mocktracer.Span, resourceName string) []mocktracer.Span {
+ var result []mocktracer.Span
+ for _, span := range spans {
+ if span.Tag(ext.ResourceName) == resourceName {
+ result = append(result, span)
+ }
+ }
+
+ return result
+}
+
+func getSpansWithTagName(spans []mocktracer.Span, tag string) []mocktracer.Span {
+ var result []mocktracer.Span
+ for _, span := range spans {
+ if span.Tag(tag) != nil {
+ result = append(result, span)
+ }
+ }
+
+ return result
+}
+
+func showResourcesNameFromSpans(spans []mocktracer.Span) {
+ for i, span := range spans {
+ fmt.Printf(" [%d] = %v\n", i, span.Tag(ext.ResourceName))
+ }
+}
diff --git a/internal/civisibility/integrations/gotesting/testing.go b/internal/civisibility/integrations/gotesting/testing.go
index 8b83c4d29b..76e85dbccc 100644
--- a/internal/civisibility/integrations/gotesting/testing.go
+++ b/internal/civisibility/integrations/gotesting/testing.go
@@ -128,23 +128,60 @@ func (ddm *M) instrumentInternalTests(internalTests *[]testing.InternalTest) {
// executeInternalTest wraps the original test function to include CI visibility instrumentation.
func (ddm *M) executeInternalTest(testInfo *testingTInfo) func(*testing.T) {
originalFunc := runtime.FuncForPC(reflect.Indirect(reflect.ValueOf(testInfo.originalFunc)).Pointer())
- return func(t *testing.T) {
+ instrumentedFunc := func(t *testing.T) {
+ // Get the metadata regarding the execution (in case is already created from the additional features)
+ execMeta := getTestMetadata(t)
+ if execMeta == nil {
+ // in case there's no additional features then we create the metadata for this execution and defer the disposal
+ execMeta = createTestMetadata(t)
+ defer deleteTestMetadata(t)
+ }
+
// Create or retrieve the module, suite, and test for CI visibility.
module := session.GetOrCreateModuleWithFramework(testInfo.moduleName, testFramework, runtime.Version())
suite := module.GetOrCreateSuite(testInfo.suiteName)
test := suite.CreateTest(testInfo.testName)
test.SetTestFunc(originalFunc)
- setCiVisibilityTest(t, test)
+
+ // Set the CI Visibility test to the execution metadata
+ execMeta.test = test
+
+ // If the execution is for a new test we tag the test event from early flake detection
+ if execMeta.isANewTest {
+ // Set the is new test tag
+ test.SetTag(constants.TestIsNew, "true")
+ }
+
+ // If the execution is a retry we tag the test event
+ if execMeta.isARetry {
+ // Set the retry tag
+ test.SetTag(constants.TestIsRetry, "true")
+ }
+
+ startTime := time.Now()
defer func() {
+ duration := time.Since(startTime)
+ // check if is a new EFD test and the duration >= 5 min
+ if execMeta.isANewTest && duration.Minutes() >= 5 {
+ // Set the EFD retry abort reason
+ test.SetTag(constants.TestEarlyFlakeDetectionRetryAborted, "slow")
+ }
+
if r := recover(); r != nil {
// Handle panic and set error information.
- test.SetErrorInfo("panic", fmt.Sprint(r), utils.GetStacktrace(1))
+ execMeta.panicData = r
+ execMeta.panicStacktrace = utils.GetStacktrace(1)
+ test.SetErrorInfo("panic", fmt.Sprint(r), execMeta.panicStacktrace)
suite.SetTag(ext.Error, true)
module.SetTag(ext.Error, true)
test.Close(integrations.ResultStatusFail)
- checkModuleAndSuite(module, suite)
- integrations.ExitCiVisibility()
- panic(r)
+ if !execMeta.hasAdditionalFeatureWrapper {
+ // we are going to let the additional feature wrapper to handle
+ // the panic, and module and suite closing (we don't want to close the suite earlier in case of a retry)
+ checkModuleAndSuite(module, suite)
+ integrations.ExitCiVisibility()
+ panic(r)
+ }
} else {
// Normal finalization: determine the test result based on its state.
if t.Failed() {
@@ -158,13 +195,23 @@ func (ddm *M) executeInternalTest(testInfo *testingTInfo) func(*testing.T) {
test.Close(integrations.ResultStatusPass)
}
- checkModuleAndSuite(module, suite)
+ if !execMeta.hasAdditionalFeatureWrapper {
+ // we are going to let the additional feature wrapper to handle
+ // the module and suite closing (we don't want to close the suite earlier in case of a retry)
+ checkModuleAndSuite(module, suite)
+ }
}
}()
// Execute the original test function.
testInfo.originalFunc(t)
}
+
+ // Register the instrumented func as an internal instrumented func (to avoid double instrumentation)
+ setInstrumentationMetadata(runtime.FuncForPC(reflect.Indirect(reflect.ValueOf(instrumentedFunc)).Pointer()), &instrumentationMetadata{IsInternal: true})
+
+ // Get the additional feature wrapper
+ return applyAdditionalFeaturesToTestFunc(instrumentedFunc, &testInfo.commonInfo)
}
// instrumentInternalBenchmarks instruments the internal benchmarks for CI visibility.
@@ -216,13 +263,13 @@ func (ddm *M) instrumentInternalBenchmarks(internalBenchmarks *[]testing.Interna
// executeInternalBenchmark wraps the original benchmark function to include CI visibility instrumentation.
func (ddm *M) executeInternalBenchmark(benchmarkInfo *testingBInfo) func(*testing.B) {
- return func(b *testing.B) {
+ originalFunc := runtime.FuncForPC(reflect.Indirect(reflect.ValueOf(benchmarkInfo.originalFunc)).Pointer())
+ instrumentedInternalFunc := func(b *testing.B) {
// decrement level
getBenchmarkPrivateFields(b).AddLevel(-1)
startTime := time.Now()
- originalFunc := runtime.FuncForPC(reflect.Indirect(reflect.ValueOf(benchmarkInfo.originalFunc)).Pointer())
module := session.GetOrCreateModuleWithFrameworkAndStartTime(benchmarkInfo.moduleName, testFramework, runtime.Version(), startTime)
suite := module.GetOrCreateSuiteWithStartTime(benchmarkInfo.suiteName, startTime)
test := suite.CreateTestWithStartTime(benchmarkInfo.testName, startTime)
@@ -231,7 +278,7 @@ func (ddm *M) executeInternalBenchmark(benchmarkInfo *testingBInfo) func(*testin
// Run the original benchmark function.
var iPfOfB *benchmarkPrivateFields
var recoverFunc *func(r any)
- b.Run(b.Name(), func(b *testing.B) {
+ instrumentedFunc := func(b *testing.B) {
// Stop the timer to perform initialization and replacements.
b.StopTimer()
@@ -252,14 +299,26 @@ func (ddm *M) executeInternalBenchmark(benchmarkInfo *testingBInfo) func(*testin
iPfOfB = getBenchmarkPrivateFields(b)
// Replace the benchmark function with the original one (this must be executed only once - the first iteration[b.run1]).
*iPfOfB.benchFunc = benchmarkInfo.originalFunc
- // Set the CI visibility benchmark.
- setCiVisibilityBenchmark(b, test)
+
+ // Get the metadata regarding the execution (in case is already created from the additional features)
+ execMeta := getTestMetadata(b)
+ if execMeta == nil {
+ // in case there's no additional features then we create the metadata for this execution and defer the disposal
+ execMeta = createTestMetadata(b)
+ defer deleteTestMetadata(b)
+ }
+
+ // Sets the CI Visibility test
+ execMeta.test = test
// Restart the timer and execute the original benchmark function.
b.ResetTimer()
b.StartTimer()
benchmarkInfo.originalFunc(b)
- })
+ }
+
+ setCiVisibilityBenchmarkFunc(runtime.FuncForPC(reflect.Indirect(reflect.ValueOf(instrumentedFunc)).Pointer()))
+ b.Run(b.Name(), instrumentedFunc)
endTime := time.Now()
results := iPfOfB.result
@@ -315,6 +374,9 @@ func (ddm *M) executeInternalBenchmark(benchmarkInfo *testingBInfo) func(*testin
checkModuleAndSuite(module, suite)
}
+ setCiVisibilityBenchmarkFunc(originalFunc)
+ setCiVisibilityBenchmarkFunc(runtime.FuncForPC(reflect.Indirect(reflect.ValueOf(instrumentedInternalFunc)).Pointer()))
+ return instrumentedInternalFunc
}
// RunM runs the tests and benchmarks using CI visibility.
diff --git a/internal/civisibility/integrations/gotesting/testingB.go b/internal/civisibility/integrations/gotesting/testingB.go
index a4336405b9..22c2044ec1 100644
--- a/internal/civisibility/integrations/gotesting/testingB.go
+++ b/internal/civisibility/integrations/gotesting/testingB.go
@@ -9,6 +9,7 @@ import (
"context"
"fmt"
"regexp"
+ "runtime"
"sync"
"testing"
"time"
@@ -17,20 +18,14 @@ import (
)
var (
- // ciVisibilityBenchmarks holds a map of *testing.B to civisibility.DdTest for tracking benchmarks.
- ciVisibilityBenchmarks = map[*testing.B]integrations.DdTest{}
-
- // ciVisibilityBenchmarksMutex is a read-write mutex for synchronizing access to ciVisibilityBenchmarks.
- ciVisibilityBenchmarksMutex sync.RWMutex
-
// subBenchmarkAutoName is a placeholder name for CI Visibility sub-benchmarks.
subBenchmarkAutoName = "[DD:TestVisibility]"
// subBenchmarkAutoNameRegex is a regex pattern to match the sub-benchmark auto name.
subBenchmarkAutoNameRegex = regexp.MustCompile(`(?si)\/\[DD:TestVisibility\].*`)
- // civisibilityBenchmarksFuncs holds a map of *func(*testing.B) for tracking instrumented functions
- civisibilityBenchmarksFuncs = map[*func(*testing.B)]struct{}{}
+ // civisibilityBenchmarksFuncs holds a map of *runtime.Func for tracking instrumented functions
+ civisibilityBenchmarksFuncs = map[*runtime.Func]struct{}{}
// civisibilityBenchmarksFuncsMutex is a read-write mutex for synchronizing access to civisibilityBenchmarksFuncs.
civisibilityBenchmarksFuncsMutex sync.RWMutex
@@ -59,9 +54,9 @@ func (ddb *B) Run(name string, f func(*testing.B)) bool {
// integration tests.
func (ddb *B) Context() context.Context {
b := (*testing.B)(ddb)
- ciTest := getCiVisibilityBenchmark(b)
- if ciTest != nil {
- return ciTest.Context()
+ ciTestItem := getTestMetadata(b)
+ if ciTestItem != nil && ciTestItem.test != nil {
+ return ciTestItem.test.Context()
}
return context.Background()
@@ -113,7 +108,7 @@ func (ddb *B) Skipf(format string, args ...any) {
// during the test. Calling SkipNow does not stop those other goroutines.
func (ddb *B) SkipNow() {
b := (*testing.B)(ddb)
- instrumentTestingBSkipNow(b)
+ instrumentSkipNow(b)
b.SkipNow()
}
@@ -179,37 +174,18 @@ func (ddb *B) SetParallelism(p int) { (*testing.B)(ddb).SetParallelism(p) }
func (ddb *B) getBWithError(errType string, errMessage string) *testing.B {
b := (*testing.B)(ddb)
- instrumentTestingBSetErrorInfo(b, errType, errMessage, 1)
+ instrumentSetErrorInfo(b, errType, errMessage, 1)
return b
}
func (ddb *B) getBWithSkip(skipReason string) *testing.B {
b := (*testing.B)(ddb)
- instrumentTestingBCloseAndSkip(b, skipReason)
+ instrumentCloseAndSkip(b, skipReason)
return b
}
-// getCiVisibilityBenchmark retrieves the CI visibility benchmark associated with a given *testing.B.
-func getCiVisibilityBenchmark(b *testing.B) integrations.DdTest {
- ciVisibilityBenchmarksMutex.RLock()
- defer ciVisibilityBenchmarksMutex.RUnlock()
-
- if v, ok := ciVisibilityBenchmarks[b]; ok {
- return v
- }
-
- return nil
-}
-
-// setCiVisibilityBenchmark associates a CI visibility benchmark with a given *testing.B.
-func setCiVisibilityBenchmark(b *testing.B, ciTest integrations.DdTest) {
- ciVisibilityBenchmarksMutex.Lock()
- defer ciVisibilityBenchmarksMutex.Unlock()
- ciVisibilityBenchmarks[b] = ciTest
-}
-
-// hasCiVisibilityBenchmarkFunc gets if a func(*testing.B) is being instrumented.
-func hasCiVisibilityBenchmarkFunc(fn *func(*testing.B)) bool {
+// hasCiVisibilityBenchmarkFunc gets if a *runtime.Func is being instrumented.
+func hasCiVisibilityBenchmarkFunc(fn *runtime.Func) bool {
civisibilityBenchmarksFuncsMutex.RLock()
defer civisibilityBenchmarksFuncsMutex.RUnlock()
@@ -220,16 +196,9 @@ func hasCiVisibilityBenchmarkFunc(fn *func(*testing.B)) bool {
return false
}
-// setCiVisibilityBenchmarkFunc tracks a func(*testing.B) as instrumented benchmark.
-func setCiVisibilityBenchmarkFunc(fn *func(*testing.B)) {
+// setCiVisibilityBenchmarkFunc tracks a *runtime.Func as instrumented benchmark.
+func setCiVisibilityBenchmarkFunc(fn *runtime.Func) {
civisibilityBenchmarksFuncsMutex.RLock()
defer civisibilityBenchmarksFuncsMutex.RUnlock()
civisibilityBenchmarksFuncs[fn] = struct{}{}
}
-
-// deleteCiVisibilityBenchmarkFunc untracks a func(*testing.B) as instrumented benchmark.
-func deleteCiVisibilityBenchmarkFunc(fn *func(*testing.B)) {
- civisibilityBenchmarksFuncsMutex.RLock()
- defer civisibilityBenchmarksFuncsMutex.RUnlock()
- delete(civisibilityBenchmarksFuncs, fn)
-}
diff --git a/internal/civisibility/integrations/gotesting/testingT.go b/internal/civisibility/integrations/gotesting/testingT.go
index ff3506adcc..0bb9f44bee 100644
--- a/internal/civisibility/integrations/gotesting/testingT.go
+++ b/internal/civisibility/integrations/gotesting/testingT.go
@@ -8,21 +8,12 @@ package gotesting
import (
"context"
"fmt"
- "sync"
"testing"
"time"
"github.com/DataDog/dd-trace-go/v2/internal/civisibility/integrations"
)
-var (
- // ciVisibilityTests holds a map of *testing.T to civisibility.DdTest for tracking tests.
- ciVisibilityTests = map[*testing.T]integrations.DdTest{}
-
- // ciVisibilityTestsMutex is a read-write mutex for synchronizing access to ciVisibilityTests.
- ciVisibilityTestsMutex sync.RWMutex
-)
-
// T is a type alias for testing.T to provide additional methods for CI visibility.
type T testing.T
@@ -49,9 +40,9 @@ func (ddt *T) Run(name string, f func(*testing.T)) bool {
// integration tests.
func (ddt *T) Context() context.Context {
t := (*testing.T)(ddt)
- ciTest := getCiVisibilityTest(t)
- if ciTest != nil {
- return ciTest.Context()
+ ciTestItem := getTestMetadata(t)
+ if ciTestItem != nil && ciTestItem.test != nil {
+ return ciTestItem.test.Context()
}
return context.Background()
@@ -103,7 +94,7 @@ func (ddt *T) Skipf(format string, args ...any) {
// during the test. Calling SkipNow does not stop those other goroutines.
func (ddt *T) SkipNow() {
t := (*testing.T)(ddt)
- instrumentTestingTSkipNow(t)
+ instrumentSkipNow(t)
t.SkipNow()
}
@@ -128,31 +119,12 @@ func (ddt *T) Setenv(key, value string) { (*testing.T)(ddt).Setenv(key, value) }
func (ddt *T) getTWithError(errType string, errMessage string) *testing.T {
t := (*testing.T)(ddt)
- instrumentTestingTSetErrorInfo(t, errType, errMessage, 1)
+ instrumentSetErrorInfo(t, errType, errMessage, 1)
return t
}
func (ddt *T) getTWithSkip(skipReason string) *testing.T {
t := (*testing.T)(ddt)
- instrumentTestingTCloseAndSkip(t, skipReason)
+ instrumentCloseAndSkip(t, skipReason)
return t
}
-
-// getCiVisibilityTest retrieves the CI visibility test associated with a given *testing.T.
-func getCiVisibilityTest(t *testing.T) integrations.DdTest {
- ciVisibilityTestsMutex.RLock()
- defer ciVisibilityTestsMutex.RUnlock()
-
- if v, ok := ciVisibilityTests[t]; ok {
- return v
- }
-
- return nil
-}
-
-// setCiVisibilityTest associates a CI visibility test with a given *testing.T.
-func setCiVisibilityTest(t *testing.T, ciTest integrations.DdTest) {
- ciVisibilityTestsMutex.Lock()
- defer ciVisibilityTestsMutex.Unlock()
- ciVisibilityTests[t] = ciTest
-}
diff --git a/internal/civisibility/integrations/gotesting/testing_test.go b/internal/civisibility/integrations/gotesting/testing_test.go
index b102c8b6a2..b478ef1a07 100644
--- a/internal/civisibility/integrations/gotesting/testing_test.go
+++ b/internal/civisibility/integrations/gotesting/testing_test.go
@@ -10,6 +10,8 @@ import (
"net/http"
"net/http/httptest"
"os"
+ "runtime"
+ "slices"
"strconv"
"testing"
@@ -109,19 +111,28 @@ func Test_Foo(gt *testing.T) {
assertTest(gt)
t := (*T)(gt)
var tests = []struct {
+ index byte
name string
input string
want string
}{
- {"yellow should return color", "yellow", "color"},
- {"banana should return fruit", "banana", "fruit"},
- {"duck should return animal", "duck", "animal"},
+ {1, "yellow should return color", "yellow", "color"},
+ {2, "banana should return fruit", "banana", "fruit"},
+ {3, "duck should return animal", "duck", "animal"},
}
+ buf := []byte{}
for _, test := range tests {
+ test := test
t.Run(test.name, func(t *testing.T) {
t.Log(test.name)
+ buf = append(buf, test.index)
})
}
+
+ expected := []byte{1, 2, 3}
+ if !slices.Equal(buf, expected) {
+ t.Error("error in subtests closure")
+ }
}
// Code inspired by contrib/net/http/roundtripper.go
@@ -265,6 +276,59 @@ func TestSkip(gt *testing.T) {
t.Skip("Nothing to do here, skipping!")
}
+// Tests for test retries feature
+
+var testRetryWithPanicRunNumber = 0
+
+func TestRetryWithPanic(t *testing.T) {
+ t.Cleanup(func() {
+ if testRetryWithPanicRunNumber == 1 {
+ fmt.Println("CleanUp from the initial execution")
+ } else {
+ fmt.Println("CleanUp from the retry")
+ }
+ })
+ testRetryWithPanicRunNumber++
+ if testRetryWithPanicRunNumber < 4 {
+ panic("Test Panic")
+ }
+}
+
+var testRetryWithFailRunNumber = 0
+
+func TestRetryWithFail(t *testing.T) {
+ t.Cleanup(func() {
+ if testRetryWithFailRunNumber == 1 {
+ fmt.Println("CleanUp from the initial execution")
+ } else {
+ fmt.Println("CleanUp from the retry")
+ }
+ })
+ testRetryWithFailRunNumber++
+ if testRetryWithFailRunNumber < 4 {
+ t.Fatal("Failed due the wrong execution number")
+ }
+}
+
+func TestRetryAlwaysFail(t *testing.T) {
+ t.Parallel()
+ t.Fatal("Always fail to test the auto retries feature")
+}
+
+func TestNormalPassingAfterRetryAlwaysFail(t *testing.T) {}
+
+var run int
+
+func TestEarlyFlakeDetection(t *testing.T) {
+ run++
+ fmt.Printf(" Run: %d", run)
+ if run%2 == 0 {
+ fmt.Println(" Failed")
+ t.FailNow()
+ }
+ fmt.Println(" Passed")
+}
+
// BenchmarkFirst demonstrates benchmark instrumentation with sub-benchmarks.
func BenchmarkFirst(gb *testing.B) {
@@ -371,8 +435,9 @@ func assertCommon(assert *assert.Assertions, span *mocktracer.Span) {
spanTags := span.Tags()
assert.Subset(spanTags, map[string]interface{}{
- constants.Origin: constants.CIAppTestOrigin,
- constants.TestType: constants.TestTypeTest,
+ constants.Origin: constants.CIAppTestOrigin,
+ constants.TestType: constants.TestTypeTest,
+ constants.LogicalCPUCores: float64(runtime.NumCPU()),
})
assert.Contains(spanTags, ext.ResourceName)
diff --git a/internal/civisibility/integrations/manual_api.go b/internal/civisibility/integrations/manual_api.go
index 8f4fe6a678..c7194c6888 100644
--- a/internal/civisibility/integrations/manual_api.go
+++ b/internal/civisibility/integrations/manual_api.go
@@ -211,6 +211,15 @@ func fillCommonTags(opts []tracer.StartSpanOption) []tracer.StartSpanOption {
// Apply CI tags
for k, v := range utils.GetCITags() {
+ // Ignore the test session name (sent at the payload metadata level, see `civisibility_payload.go`)
+ if k == constants.TestSessionName {
+ continue
+ }
+ opts = append(opts, tracer.Tag(k, v))
+ }
+
+ // Apply CI metrics
+ for k, v := range utils.GetCIMetrics() {
opts = append(opts, tracer.Tag(k, v))
}
diff --git a/internal/civisibility/integrations/manual_api_ddtest.go b/internal/civisibility/integrations/manual_api_ddtest.go
index c787e4a49d..da1d88908b 100644
--- a/internal/civisibility/integrations/manual_api_ddtest.go
+++ b/internal/civisibility/integrations/manual_api_ddtest.go
@@ -8,6 +8,9 @@ package integrations
import (
"context"
"fmt"
+ "go/ast"
+ "go/parser"
+ "go/token"
"runtime"
"strings"
"time"
@@ -134,11 +137,58 @@ func (t *tslvTest) SetTestFunc(fn *runtime.Func) {
return
}
- file, line := fn.FileLine(fn.Entry())
- file = utils.GetRelativePathFromCITagsSourceRoot(file)
+ // let's get the file path and the start line of the function
+ absolutePath, startLine := fn.FileLine(fn.Entry())
+ file := utils.GetRelativePathFromCITagsSourceRoot(absolutePath)
t.SetTag(constants.TestSourceFile, file)
- t.SetTag(constants.TestSourceStartLine, line)
+ t.SetTag(constants.TestSourceStartLine, startLine)
+
+ // now, let's try to get the end line of the function using ast
+ // parse the entire file where the function is defined to create an abstract syntax tree (AST)
+ // if we can't parse the file (source code is not available) we silently bail out
+ fset := token.NewFileSet()
+ fileNode, err := parser.ParseFile(fset, absolutePath, nil, parser.AllErrors)
+ if err == nil {
+ // get the function name without the package name
+ fullName := fn.Name()
+ firstDot := strings.LastIndex(fullName, ".") + 1
+ name := fullName[firstDot:]
+
+ // variable to store the ending line of the function
+ var endLine int
+ // traverse the AST to find the function declaration for the target function
+ ast.Inspect(fileNode, func(n ast.Node) bool {
+ // check if the current node is a function declaration
+ if funcDecl, ok := n.(*ast.FuncDecl); ok {
+ // if the function name matches the target function name
+ if funcDecl.Name.Name == name {
+ // get the line number of the end of the function body
+ endLine = fset.Position(funcDecl.Body.End()).Line
+ // stop further inspection since we have found the target function
+ return false
+ }
+ }
+ // check if the current node is a function literal (FuncLit)
+ if funcLit, ok := n.(*ast.FuncLit); ok {
+ // get the line number of the start of the function literal
+ funcStartLine := fset.Position(funcLit.Body.Pos()).Line
+ // if the start line matches the known start line, record the end line
+ if funcStartLine == startLine {
+ endLine = fset.Position(funcLit.Body.End()).Line
+ return false // stop further inspection since we have found the function
+ }
+ }
+ // continue inspecting other nodes
+ return true
+ })
+
+ // if we found an endLine we check is greater than the calculated startLine
+ if endLine >= startLine {
+ t.SetTag(constants.TestSourceEndLine, endLine)
+ }
+ }
+ // get the codeowner of the function
codeOwners := utils.GetCodeOwners()
if codeOwners != nil {
match, found := codeOwners.Match("/" + file)
diff --git a/internal/civisibility/integrations/manual_api_ddtestsession.go b/internal/civisibility/integrations/manual_api_ddtestsession.go
index 2c34a5795e..02a4af2f54 100644
--- a/internal/civisibility/integrations/manual_api_ddtestsession.go
+++ b/internal/civisibility/integrations/manual_api_ddtestsession.go
@@ -9,8 +9,6 @@ import (
"context"
"fmt"
"os"
- "path/filepath"
- "regexp"
"strings"
"time"
@@ -37,23 +35,11 @@ type tslvTestSession struct {
// CreateTestSession initializes a new test session. It automatically determines the command and working directory.
func CreateTestSession() DdTestSession {
- var cmd string
- if len(os.Args) == 1 {
- cmd = filepath.Base(os.Args[0])
- } else {
- cmd = fmt.Sprintf("%s %s ", filepath.Base(os.Args[0]), strings.Join(os.Args[1:], " "))
- }
-
- // Filter out some parameters to make the command more stable.
- cmd = regexp.MustCompile(`(?si)-test.gocoverdir=(.*)\s`).ReplaceAllString(cmd, "")
- cmd = regexp.MustCompile(`(?si)-test.v=(.*)\s`).ReplaceAllString(cmd, "")
- cmd = regexp.MustCompile(`(?si)-test.testlogfile=(.*)\s`).ReplaceAllString(cmd, "")
- cmd = strings.TrimSpace(cmd)
wd, err := os.Getwd()
if err == nil {
wd = utils.GetRelativePathFromCITagsSourceRoot(wd)
}
- return CreateTestSessionWith(cmd, wd, "", time.Now())
+ return CreateTestSessionWith(utils.GetCITags()[constants.TestCommand], wd, "", time.Now())
}
// CreateTestSessionWith initializes a new test session with specified command, working directory, framework, and start time.
diff --git a/internal/civisibility/integrations/manual_api_mocktracer_test.go b/internal/civisibility/integrations/manual_api_mocktracer_test.go
index eed940e715..29bd8d2590 100644
--- a/internal/civisibility/integrations/manual_api_mocktracer_test.go
+++ b/internal/civisibility/integrations/manual_api_mocktracer_test.go
@@ -245,8 +245,41 @@ func Test(t *testing.T) {
test.Close(ResultStatusSkip)
}
-func testAssertions(assert *assert.Assertions, now time.Time, testSpan *mocktracer.Span) {
- assert.Equal(now.Unix(), testSpan.StartTime().Unix())
+func TestWithInnerFunc(t *testing.T) {
+ mockTracer.Reset()
+ assert := assert.New(t)
+
+ now := time.Now()
+ session, module, suite, test := createDDTest(now)
+ defer func() {
+ session.Close(0)
+ module.Close()
+ suite.Close()
+ }()
+ test.SetError(errors.New("we keep the last error"))
+ test.SetErrorInfo("my-type", "my-message", "my-stack")
+ func() {
+ pc, _, _, _ := runtime.Caller(0)
+ test.SetTestFunc(runtime.FuncForPC(pc))
+ }()
+
+ assert.NotNil(test.Context())
+ assert.Equal("my-test", test.Name())
+ assert.Equal(now, test.StartTime())
+ assert.Equal(suite, test.Suite())
+
+ test.Close(ResultStatusPass)
+
+ finishedSpans := mockTracer.FinishedSpans()
+ assert.Equal(1, len(finishedSpans))
+ testAssertions(assert, now, finishedSpans[0])
+
+ //no-op call
+ test.Close(ResultStatusSkip)
+}
+
+func testAssertions(assert *assert.Assertions, now time.Time, testSpan mocktracer.Span) {
+ assert.Equal(now, testSpan.StartTime())
assert.Equal("my-module-framework.test", testSpan.OperationName())
tags := map[string]interface{}{
@@ -268,6 +301,12 @@ func testAssertions(assert *assert.Assertions, now time.Time, testSpan *mocktrac
assert.Contains(spanTags, constants.TestModuleIDTag)
assert.Contains(spanTags, constants.TestSuiteIDTag)
assert.Contains(spanTags, constants.TestSourceFile)
+
+ // make sure we have both start and end line
assert.Contains(spanTags, constants.TestSourceStartLine)
+ assert.Contains(spanTags, constants.TestSourceEndLine)
+ // make sure the startLine < endLine
+ assert.Less(spanTags[constants.TestSourceStartLine].(int), spanTags[constants.TestSourceEndLine].(int))
+
commonAssertions(assert, testSpan)
}
diff --git a/internal/civisibility/utils/ci_providers.go b/internal/civisibility/utils/ci_providers.go
index d7e285fd8a..a8fd4364ff 100644
--- a/internal/civisibility/utils/ci_providers.go
+++ b/internal/civisibility/utils/ci_providers.go
@@ -77,6 +77,14 @@ func getProviderTags() map[string]string {
}
}
+ if log.DebugEnabled() {
+ if providerName, ok := tags[constants.CIProviderName]; ok {
+ log.Debug("civisibility: detected ci provider: %v", providerName)
+ } else {
+ log.Debug("civisibility: no ci provider was detected.")
+ }
+ }
+
return tags
}
@@ -399,6 +407,38 @@ func extractGithubActions() map[string]string {
tags[constants.CIEnvVars] = string(jsonString)
}
+ // Extract PR information from the github event json file
+ eventFilePath := os.Getenv("GITHUB_EVENT_PATH")
+ if stats, ok := os.Stat(eventFilePath); ok == nil && !stats.IsDir() {
+ if eventFile, err := os.Open(eventFilePath); err == nil {
+ defer eventFile.Close()
+
+ var eventJson struct {
+ PullRequest struct {
+ Base struct {
+ Sha string `json:"sha"`
+ Ref string `json:"ref"`
+ } `json:"base"`
+ Head struct {
+ Sha string `json:"sha"`
+ } `json:"head"`
+ } `json:"pull_request"`
+ }
+
+ eventDecoder := json.NewDecoder(eventFile)
+ if eventDecoder.Decode(&eventJson) == nil {
+ tags[constants.GitHeadCommit] = eventJson.PullRequest.Head.Sha
+ tags[constants.GitPrBaseCommit] = eventJson.PullRequest.Base.Sha
+ tags[constants.GitPrBaseBranch] = eventJson.PullRequest.Base.Ref
+ }
+ }
+ }
+
+ // Fallback if GitPrBaseBranch is not set
+ if tmpVal, ok := tags[constants.GitPrBaseBranch]; !ok || tmpVal == "" {
+ tags[constants.GitPrBaseBranch] = os.Getenv("GITHUB_BASE_REF")
+ }
+
return tags
}
diff --git a/internal/civisibility/utils/ci_providers_test.go b/internal/civisibility/utils/ci_providers_test.go
index b85acc1efc..c4029a2f8f 100644
--- a/internal/civisibility/utils/ci_providers_test.go
+++ b/internal/civisibility/utils/ci_providers_test.go
@@ -13,6 +13,8 @@ import (
"path/filepath"
"strings"
"testing"
+
+ "github.com/DataDog/dd-trace-go/v2/internal/civisibility/constants"
)
func setEnvs(t *testing.T, env map[string]string) {
@@ -114,3 +116,43 @@ func TestTags(t *testing.T) {
})
}
}
+
+func TestGitHubEventFile(t *testing.T) {
+ originalEventPath := os.Getenv("GITHUB_EVENT_PATH")
+ originalBaseRef := os.Getenv("GITHUB_BASE_REF")
+ defer func() {
+ os.Setenv("GITHUB_EVENT_PATH", originalEventPath)
+ os.Setenv("GITHUB_BASE_REF", originalBaseRef)
+ }()
+
+ os.Unsetenv("GITHUB_EVENT_PATH")
+ os.Unsetenv("GITHUB_BASE_REF")
+
+ checkValue := func(tags map[string]string, key, expectedValue string) {
+ if tags[key] != expectedValue {
+ t.Fatalf("Key: %s, the actual value (%s) is different to the expected value (%s)", key, tags[key], expectedValue)
+ }
+ }
+
+ t.Run("with event file", func(t *testing.T) {
+ eventFile := "testdata/fixtures/github-event.json"
+ t.Setenv("GITHUB_EVENT_PATH", eventFile)
+ t.Setenv("GITHUB_BASE_REF", "my-base-ref") // this should be ignored in favor of the event file value
+
+ tags := extractGithubActions()
+ expectedHeadCommit := "df289512a51123083a8e6931dd6f57bb3883d4c4"
+ expectedBaseCommit := "52e0974c74d41160a03d59ddc73bb9f5adab054b"
+ expectedBaseRef := "main"
+
+ checkValue(tags, constants.GitHeadCommit, expectedHeadCommit)
+ checkValue(tags, constants.GitPrBaseCommit, expectedBaseCommit)
+ checkValue(tags, constants.GitPrBaseBranch, expectedBaseRef)
+ })
+
+ t.Run("no event file", func(t *testing.T) {
+ t.Setenv("GITHUB_BASE_REF", "my-base-ref") // this should be ignored in favor of the event file value
+
+ tags := extractGithubActions()
+ checkValue(tags, constants.GitPrBaseBranch, "my-base-ref")
+ })
+}
diff --git a/internal/civisibility/utils/codeowners.go b/internal/civisibility/utils/codeowners.go
index 4e446a6194..3d63da319a 100644
--- a/internal/civisibility/utils/codeowners.go
+++ b/internal/civisibility/utils/codeowners.go
@@ -76,6 +76,9 @@ func GetCodeOwners() *CodeOwners {
if _, err := os.Stat(path); err == nil {
codeowners, err = NewCodeOwners(path)
if err == nil {
+ if logger.DebugEnabled() {
+ logger.Debug("civisibility: codeowner file '%v' was loaded successfully.", path)
+ }
return codeowners
}
logger.Debug("Error parsing codeowners: %s", err)
diff --git a/internal/civisibility/utils/environmentTags.go b/internal/civisibility/utils/environmentTags.go
index e35698a61d..e0193f5d22 100644
--- a/internal/civisibility/utils/environmentTags.go
+++ b/internal/civisibility/utils/environmentTags.go
@@ -6,11 +6,16 @@
package utils
import (
+ "fmt"
+ "os"
"path/filepath"
+ "regexp"
"runtime"
+ "strings"
"sync"
"github.com/DataDog/dd-trace-go/v2/internal/civisibility/constants"
+ "github.com/DataDog/dd-trace-go/v2/internal/log"
"github.com/DataDog/dd-trace-go/v2/internal/osinfo"
)
@@ -18,6 +23,10 @@ var (
// ciTags holds the CI/CD environment variable information.
ciTags map[string]string
ciTagsMutex sync.Mutex
+
+ // ciMetrics holds the CI/CD environment numeric variable information
+ ciMetrics map[string]float64
+ ciMetricsMutex sync.Mutex
)
// GetCITags retrieves and caches the CI/CD tags from environment variables.
@@ -38,6 +47,24 @@ func GetCITags() map[string]string {
return ciTags
}
+// GetCIMetrics retrieves and caches the CI/CD metrics from environment variables.
+// It initializes the ciMetrics map if it is not already initialized.
+// This function is thread-safe due to the use of a mutex.
+//
+// Returns:
+//
+// A map[string]float64 containing the CI/CD metrics.
+func GetCIMetrics() map[string]float64 {
+ ciMetricsMutex.Lock()
+ defer ciMetricsMutex.Unlock()
+
+ if ciMetrics == nil {
+ ciMetrics = createCIMetricsMap()
+ }
+
+ return ciMetrics
+}
+
// GetRelativePathFromCITagsSourceRoot calculates the relative path from the CI workspace root to the specified path.
// If the CI workspace root is not available in the tags, it returns the original path.
//
@@ -68,12 +95,44 @@ func GetRelativePathFromCITagsSourceRoot(path string) string {
// A map[string]string containing the extracted CI/CD tags.
func createCITagsMap() map[string]string {
localTags := getProviderTags()
+
+ // Populate runtime values
localTags[constants.OSPlatform] = runtime.GOOS
localTags[constants.OSVersion] = osinfo.OSVersion()
localTags[constants.OSArchitecture] = runtime.GOARCH
localTags[constants.RuntimeName] = runtime.Compiler
localTags[constants.RuntimeVersion] = runtime.Version()
+ log.Debug("civisibility: os platform: %v", runtime.GOOS)
+ log.Debug("civisibility: os architecture: %v", runtime.GOARCH)
+ log.Debug("civisibility: runtime version: %v", runtime.Version())
+ // Get command line test command
+ var cmd string
+ if len(os.Args) == 1 {
+ cmd = filepath.Base(os.Args[0])
+ } else {
+ cmd = fmt.Sprintf("%s %s ", filepath.Base(os.Args[0]), strings.Join(os.Args[1:], " "))
+ }
+
+ // Filter out some parameters to make the command more stable.
+ cmd = regexp.MustCompile(`(?si)-test.gocoverdir=(.*)\s`).ReplaceAllString(cmd, "")
+ cmd = regexp.MustCompile(`(?si)-test.v=(.*)\s`).ReplaceAllString(cmd, "")
+ cmd = regexp.MustCompile(`(?si)-test.testlogfile=(.*)\s`).ReplaceAllString(cmd, "")
+ cmd = strings.TrimSpace(cmd)
+ localTags[constants.TestCommand] = cmd
+ log.Debug("civisibility: test command: %v", cmd)
+
+ // Populate the test session name
+ if testSessionName, ok := os.LookupEnv(constants.CIVisibilityTestSessionNameEnvironmentVariable); ok {
+ localTags[constants.TestSessionName] = testSessionName
+ } else if jobName, ok := localTags[constants.CIJobName]; ok {
+ localTags[constants.TestSessionName] = fmt.Sprintf("%s-%s", jobName, cmd)
+ } else {
+ localTags[constants.TestSessionName] = cmd
+ }
+ log.Debug("civisibility: test session name: %v", localTags[constants.TestSessionName])
+
+ // Populate missing git data
gitData, _ := getLocalGitData()
// Populate Git metadata from the local Git repository if not already present in localTags
@@ -115,5 +174,20 @@ func createCITagsMap() map[string]string {
}
}
+ log.Debug("civisibility: workspace directory: %v", localTags[constants.CIWorkspacePath])
+ log.Debug("civisibility: common tags created with %v items", len(localTags))
return localTags
}
+
+// createCIMetricsMap creates a map of CI/CD tags by extracting information from environment variables and runtime information.
+//
+// Returns:
+//
+// A map[string]float64 containing the metrics extracted
+func createCIMetricsMap() map[string]float64 {
+ localMetrics := make(map[string]float64)
+ localMetrics[constants.LogicalCPUCores] = float64(runtime.NumCPU())
+
+ log.Debug("civisibility: common metrics created with %v items", len(localMetrics))
+ return localMetrics
+}
diff --git a/internal/civisibility/utils/environmentTags_test.go b/internal/civisibility/utils/environmentTags_test.go
index 9c3606dbd2..76edf4f026 100644
--- a/internal/civisibility/utils/environmentTags_test.go
+++ b/internal/civisibility/utils/environmentTags_test.go
@@ -25,6 +25,18 @@ func TestGetCITagsCache(t *testing.T) {
assert.Equal(t, "newvalue", tags["key"])
}
+func TestGetCIMetricsCache(t *testing.T) {
+ ciMetrics = map[string]float64{"key": float64(1)}
+
+ // First call to initialize ciMetrics
+ tags := GetCIMetrics()
+ assert.Equal(t, float64(1), tags["key"])
+
+ tags["key"] = float64(42)
+ tags = GetCIMetrics()
+ assert.Equal(t, float64(42), tags["key"])
+}
+
func TestGetRelativePathFromCITagsSourceRoot(t *testing.T) {
ciTags = map[string]string{constants.CIWorkspacePath: "/ci/workspace"}
absPath := "/ci/workspace/subdir/file.txt"
diff --git a/internal/civisibility/utils/home.go b/internal/civisibility/utils/home.go
index 8625010feb..9fa29fd7cc 100644
--- a/internal/civisibility/utils/home.go
+++ b/internal/civisibility/utils/home.go
@@ -13,6 +13,8 @@ import (
"runtime"
"strconv"
"strings"
+
+ "github.com/DataDog/dd-trace-go/v2/internal/log"
)
// This code is based on: https://github.com/mitchellh/go-homedir/blob/v1.1.0/homedir.go (MIT License)
@@ -55,7 +57,11 @@ func ExpandPath(path string) string {
// Returns:
//
// The home directory of the current user.
-func getHomeDir() string {
+func getHomeDir() (homeDir string) {
+ defer func() {
+ log.Debug("civisibility: home directory: %v", homeDir)
+ }()
+
if runtime.GOOS == "windows" {
if home := os.Getenv("HOME"); home != "" {
// First prefer the HOME environment variable
diff --git a/internal/civisibility/utils/names.go b/internal/civisibility/utils/names.go
index 1edcb2b972..94eacdb189 100644
--- a/internal/civisibility/utils/names.go
+++ b/internal/civisibility/utils/names.go
@@ -10,9 +10,15 @@ import (
"fmt"
"path/filepath"
"runtime"
+ "slices"
"strings"
)
+var (
+ // ignoredFunctionsFromStackTrace array with functions we want to ignore on the final stacktrace (because doesn't add anything useful)
+ ignoredFunctionsFromStackTrace = []string{"runtime.gopanic", "runtime.panicmem", "runtime.sigpanic"}
+)
+
// GetModuleAndSuiteName extracts the module name and suite name from a given program counter (pc).
// This function utilizes runtime.FuncForPC to retrieve the full function name associated with the
// program counter, then splits the string to separate the package name from the function name.
@@ -72,6 +78,11 @@ func GetStacktrace(skip int) string {
buffer := new(bytes.Buffer)
for {
if frame, ok := frames.Next(); ok {
+ // let's check if we need to ignore this frame
+ if slices.Contains(ignoredFunctionsFromStackTrace, frame.Function) {
+ continue
+ }
+ // writing frame to the buffer
_, _ = fmt.Fprintf(buffer, "%s\n\t%s:%d\n", frame.Function, frame.File, frame.Line)
} else {
break
diff --git a/internal/civisibility/utils/net/client.go b/internal/civisibility/utils/net/client.go
new file mode 100644
index 0000000000..c7e0e642e8
--- /dev/null
+++ b/internal/civisibility/utils/net/client.go
@@ -0,0 +1,235 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package net
+
+import (
+ "context"
+ "fmt"
+ "math"
+ "math/rand/v2"
+ "net"
+ "net/http"
+ "net/url"
+ "os"
+ "regexp"
+ "strings"
+ "time"
+
+ "github.com/DataDog/dd-trace-go/v2/internal"
+ "github.com/DataDog/dd-trace-go/v2/internal/civisibility/constants"
+ "github.com/DataDog/dd-trace-go/v2/internal/civisibility/utils"
+ "github.com/DataDog/dd-trace-go/v2/internal/log"
+)
+
+const (
+ DefaultMaxRetries int = 5
+ DefaultBackoff time.Duration = 150 * time.Millisecond
+)
+
+type (
+ Client interface {
+ GetSettings() (*SettingsResponseData, error)
+ GetEarlyFlakeDetectionData() (*EfdResponseData, error)
+ GetCommits(localCommits []string) ([]string, error)
+ SendPackFiles(packFiles []string) (bytes int64, err error)
+ }
+
+ client struct {
+ id string
+ agentless bool
+ baseURL string
+ environment string
+ serviceName string
+ workingDirectory string
+ repositoryURL string
+ commitSha string
+ branchName string
+ testConfigurations testConfigurations
+ headers map[string]string
+ handler *RequestHandler
+ }
+
+ testConfigurations struct {
+ OsPlatform string `json:"os.platform,omitempty"`
+ OsVersion string `json:"os.version,omitempty"`
+ OsArchitecture string `json:"os.architecture,omitempty"`
+ RuntimeName string `json:"runtime.name,omitempty"`
+ RuntimeArchitecture string `json:"runtime.architecture,omitempty"`
+ RuntimeVersion string `json:"runtime.version,omitempty"`
+ Custom map[string]string `json:"custom,omitempty"`
+ }
+)
+
+var _ Client = &client{}
+
+func NewClientWithServiceName(serviceName string) Client {
+ ciTags := utils.GetCITags()
+
+ // get the environment
+ environment := os.Getenv("DD_ENV")
+ if environment == "" {
+ environment = "none"
+ }
+
+ // get the service name
+ if serviceName == "" {
+ serviceName = os.Getenv("DD_SERVICE")
+ if serviceName == "" {
+ if repoURL, ok := ciTags[constants.GitRepositoryURL]; ok {
+ // regex to sanitize the repository url to be used as a service name
+ repoRegex := regexp.MustCompile(`(?m)/([a-zA-Z0-9\-_.]*)$`)
+ matches := repoRegex.FindStringSubmatch(repoURL)
+ if len(matches) > 1 {
+ repoURL = strings.TrimSuffix(matches[1], ".git")
+ }
+ serviceName = repoURL
+ }
+ }
+ }
+
+ // get all custom configuration (test.configuration.*)
+ var customConfiguration map[string]string
+ if v := os.Getenv("DD_TAGS"); v != "" {
+ prefix := "test.configuration."
+ for k, v := range internal.ParseTagString(v) {
+ if strings.HasPrefix(k, prefix) {
+ if customConfiguration == nil {
+ customConfiguration = map[string]string{}
+ }
+
+ customConfiguration[strings.TrimPrefix(k, prefix)] = v
+ }
+ }
+ }
+
+ // create default http headers and get base url
+ defaultHeaders := map[string]string{}
+ var baseURL string
+ var requestHandler *RequestHandler
+
+ agentlessEnabled := internal.BoolEnv(constants.CIVisibilityAgentlessEnabledEnvironmentVariable, false)
+ if agentlessEnabled {
+ // Agentless mode is enabled.
+ APIKeyValue := os.Getenv(constants.APIKeyEnvironmentVariable)
+ if APIKeyValue == "" {
+ log.Error("An API key is required for agentless mode. Use the DD_API_KEY env variable to set it")
+ return nil
+ }
+
+ defaultHeaders["dd-api-key"] = APIKeyValue
+
+ // Check for a custom agentless URL.
+ agentlessURL := os.Getenv(constants.CIVisibilityAgentlessURLEnvironmentVariable)
+
+ if agentlessURL == "" {
+ // Use the standard agentless URL format.
+ site := "datadoghq.com"
+ if v := os.Getenv("DD_SITE"); v != "" {
+ site = v
+ }
+
+ baseURL = fmt.Sprintf("https://api.%s", site)
+ } else {
+ // Use the custom agentless URL.
+ baseURL = agentlessURL
+ }
+
+ requestHandler = NewRequestHandler()
+ } else {
+ // Use agent mode with the EVP proxy.
+ defaultHeaders["X-Datadog-EVP-Subdomain"] = "api"
+
+ agentURL := internal.AgentURLFromEnv()
+ if agentURL.Scheme == "unix" {
+ // If we're connecting over UDS we can just rely on the agent to provide the hostname
+ log.Debug("connecting to agent over unix, do not set hostname on any traces")
+ dialer := &net.Dialer{
+ Timeout: 30 * time.Second,
+ KeepAlive: 30 * time.Second,
+ DualStack: true,
+ }
+ requestHandler = NewRequestHandlerWithClient(&http.Client{
+ Transport: &http.Transport{
+ Proxy: http.ProxyFromEnvironment,
+ DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
+ return dialer.DialContext(ctx, "unix", (&net.UnixAddr{
+ Name: agentURL.Path,
+ Net: "unix",
+ }).String())
+ },
+ MaxIdleConns: 100,
+ IdleConnTimeout: 90 * time.Second,
+ TLSHandshakeTimeout: 10 * time.Second,
+ ExpectContinueTimeout: 1 * time.Second,
+ },
+ Timeout: 10 * time.Second,
+ })
+ agentURL = &url.URL{
+ Scheme: "http",
+ Host: fmt.Sprintf("UDS_%s", strings.NewReplacer(":", "_", "/", "_", `\`, "_").Replace(agentURL.Path)),
+ }
+ } else {
+ requestHandler = NewRequestHandler()
+ }
+
+ baseURL = agentURL.String()
+ }
+
+ // create random id (the backend associate all transactions with the client request)
+ id := fmt.Sprint(rand.Uint64() & math.MaxInt64)
+ defaultHeaders["trace_id"] = id
+ defaultHeaders["parent_id"] = id
+
+ log.Debug("ciVisibilityHttpClient: new client created [id: %v, agentless: %v, url: %v, env: %v, serviceName: %v]",
+ id, agentlessEnabled, baseURL, environment, serviceName)
+ return &client{
+ id: id,
+ agentless: agentlessEnabled,
+ baseURL: baseURL,
+ environment: environment,
+ serviceName: serviceName,
+ workingDirectory: ciTags[constants.CIWorkspacePath],
+ repositoryURL: ciTags[constants.GitRepositoryURL],
+ commitSha: ciTags[constants.GitCommitSHA],
+ branchName: ciTags[constants.GitBranch],
+ testConfigurations: testConfigurations{
+ OsPlatform: ciTags[constants.OSPlatform],
+ OsVersion: ciTags[constants.OSVersion],
+ OsArchitecture: ciTags[constants.OSArchitecture],
+ RuntimeName: ciTags[constants.RuntimeName],
+ RuntimeVersion: ciTags[constants.RuntimeVersion],
+ Custom: customConfiguration,
+ },
+ headers: defaultHeaders,
+ handler: requestHandler,
+ }
+}
+
+func NewClient() Client {
+ return NewClientWithServiceName("")
+}
+
+func (c *client) getURLPath(urlPath string) string {
+ if c.agentless {
+ return fmt.Sprintf("%s/%s", c.baseURL, urlPath)
+ }
+
+ return fmt.Sprintf("%s/%s/%s", c.baseURL, "evp_proxy/v2", urlPath)
+}
+
+func (c *client) getPostRequestConfig(url string, body interface{}) *RequestConfig {
+ return &RequestConfig{
+ Method: "POST",
+ URL: c.getURLPath(url),
+ Headers: c.headers,
+ Body: body,
+ Format: FormatJSON,
+ Compressed: false,
+ Files: nil,
+ MaxRetries: DefaultMaxRetries,
+ Backoff: DefaultBackoff,
+ }
+}
diff --git a/internal/civisibility/utils/net/client_test.go b/internal/civisibility/utils/net/client_test.go
new file mode 100644
index 0000000000..732e17d03a
--- /dev/null
+++ b/internal/civisibility/utils/net/client_test.go
@@ -0,0 +1,231 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package net
+
+import (
+ "os"
+ "reflect"
+ "strings"
+ "testing"
+)
+
+func saveEnv() []string {
+ return os.Environ()
+}
+
+func restoreEnv(env []string) {
+ os.Clearenv()
+ for _, e := range env {
+ kv := strings.SplitN(e, "=", 2)
+ os.Setenv(kv[0], kv[1])
+ }
+}
+
+func TestNewClient_DefaultValues(t *testing.T) {
+ origEnv := saveEnv()
+ path := os.Getenv("PATH")
+ defer restoreEnv(origEnv)
+
+ os.Clearenv()
+ os.Setenv("PATH", path)
+ // Do not set any environment variables to simulate default behavior
+
+ cInterface := NewClient()
+ if cInterface == nil {
+ t.Fatal("Expected non-nil client")
+ }
+
+ c, ok := cInterface.(*client)
+ if !ok {
+ t.Fatal("Expected client to be of type *client")
+ }
+
+ if c.environment != "none" {
+ t.Errorf("Expected environment 'none', got '%s'", c.environment)
+ }
+
+ if c.agentless {
+ t.Errorf("Expected agentless to be false")
+ }
+
+ // Since serviceName depends on CI tags, which we cannot mock without access to internal functions,
+ // we check if serviceName is set or not empty.
+ if c.serviceName == "" {
+ t.Errorf("Expected serviceName to be set, got empty string")
+ }
+}
+
+func TestNewClient_AgentlessEnabled(t *testing.T) {
+ origEnv := saveEnv()
+ path := os.Getenv("PATH")
+ defer restoreEnv(origEnv)
+
+ os.Clearenv()
+ os.Setenv("PATH", path)
+ os.Setenv("DD_CIVISIBILITY_AGENTLESS_ENABLED", "true")
+ os.Setenv("DD_API_KEY", "test_api_key")
+ os.Setenv("DD_SITE", "site.com")
+
+ cInterface := NewClient()
+ if cInterface == nil {
+ t.Fatal("Expected non-nil client")
+ }
+
+ c, ok := cInterface.(*client)
+ if !ok {
+ t.Fatal("Expected client to be of type *client")
+ }
+
+ if !c.agentless {
+ t.Errorf("Expected agentless to be true")
+ }
+
+ expectedBaseURL := "https://api.site.com"
+ if c.baseURL != expectedBaseURL {
+ t.Errorf("Expected baseUrl '%s', got '%s'", expectedBaseURL, c.baseURL)
+ }
+
+ if c.headers["dd-api-key"] != "test_api_key" {
+ t.Errorf("Expected dd-api-key 'test_api_key', got '%s'", c.headers["dd-api-key"])
+ }
+}
+
+func TestNewClient_AgentlessEnabledWithNoApiKey(t *testing.T) {
+ origEnv := saveEnv()
+ path := os.Getenv("PATH")
+ defer restoreEnv(origEnv)
+
+ os.Clearenv()
+ os.Setenv("PATH", path)
+ os.Setenv("DD_CIVISIBILITY_AGENTLESS_ENABLED", "true")
+
+ cInterface := NewClient()
+ if cInterface != nil {
+ t.Fatal("Expected nil client")
+ }
+}
+
+func TestNewClient_CustomAgentlessURL(t *testing.T) {
+ origEnv := saveEnv()
+ path := os.Getenv("PATH")
+ defer restoreEnv(origEnv)
+
+ setCiVisibilityEnv(path, "https://custom.agentless.url")
+
+ cInterface := NewClient()
+ if cInterface == nil {
+ t.Fatal("Expected non-nil client")
+ }
+
+ c, ok := cInterface.(*client)
+ if !ok {
+ t.Fatal("Expected client to be of type *client")
+ }
+
+ if c.baseURL != "https://custom.agentless.url" {
+ t.Errorf("Expected baseUrl 'https://custom.agentless.url', got '%s'", c.baseURL)
+ }
+}
+
+func TestClient_getUrlPath_Agentless(t *testing.T) {
+ c := &client{
+ agentless: true,
+ baseURL: "https://api.customhost.com",
+ }
+
+ urlPath := c.getURLPath("some/path")
+ expected := "https://api.customhost.com/some/path"
+ if urlPath != expected {
+ t.Errorf("Expected urlPath '%s', got '%s'", expected, urlPath)
+ }
+}
+
+func TestClient_getUrlPath_Agent(t *testing.T) {
+ c := &client{
+ agentless: false,
+ baseURL: "http://agent.url",
+ }
+
+ urlPath := c.getURLPath("some/path")
+ expected := "http://agent.url/evp_proxy/v2/some/path"
+ if urlPath != expected {
+ t.Errorf("Expected urlPath '%s', got '%s'", expected, urlPath)
+ }
+}
+
+func TestClient_getPostRequestConfig(t *testing.T) {
+ c := &client{
+ agentless: false,
+ baseURL: "http://agent.url",
+ headers: map[string]string{
+ "trace_id": "12345",
+ "parent_id": "12345",
+ },
+ }
+
+ body := map[string]string{"key": "value"}
+ config := c.getPostRequestConfig("some/path", body)
+
+ if config.Method != "POST" {
+ t.Errorf("Expected Method 'POST', got '%s'", config.Method)
+ }
+
+ expectedURL := "http://agent.url/evp_proxy/v2/some/path"
+ if config.URL != expectedURL {
+ t.Errorf("Expected URL '%s', got '%s'", expectedURL, config.URL)
+ }
+
+ if !reflect.DeepEqual(config.Headers, c.headers) {
+ t.Errorf("Headers do not match")
+ }
+
+ if config.Format != FormatJSON {
+ t.Errorf("Expected Format 'FormatJSON', got '%v'", config.Format)
+ }
+
+ if config.Compressed {
+ t.Errorf("Expected Compressed to be false")
+ }
+
+ if config.MaxRetries != DefaultMaxRetries {
+ t.Errorf("Expected MaxRetries '%d', got '%d'", DefaultMaxRetries, config.MaxRetries)
+ }
+
+ if config.Backoff != DefaultBackoff {
+ t.Errorf("Expected Backoff '%v', got '%v'", DefaultBackoff, config.Backoff)
+ }
+}
+
+func TestNewClient_TestConfigurations(t *testing.T) {
+ origEnv := saveEnv()
+ path := os.Getenv("PATH")
+ defer restoreEnv(origEnv)
+
+ setCiVisibilityEnv(path, "https://custom.agentless.url")
+ os.Setenv("DD_TAGS", "test.configuration.MyTag:MyValue")
+
+ cInterface := NewClient()
+ if cInterface == nil {
+ t.Fatal("Expected non-nil client")
+ }
+
+ c, ok := cInterface.(*client)
+ if !ok {
+ t.Fatal("Expected client to be of type *client")
+ }
+
+ if c.testConfigurations.Custom["MyTag"] != "MyValue" {
+ t.Errorf("Expected 'MyValue', got '%s'", c.testConfigurations.Custom["MyTag"])
+ }
+}
+
+func setCiVisibilityEnv(path string, url string) {
+ os.Clearenv()
+ os.Setenv("PATH", path)
+ os.Setenv("DD_CIVISIBILITY_AGENTLESS_ENABLED", "true")
+ os.Setenv("DD_API_KEY", "test_api_key")
+ os.Setenv("DD_CIVISIBILITY_AGENTLESS_URL", url)
+}
diff --git a/internal/civisibility/utils/net/efd_api.go b/internal/civisibility/utils/net/efd_api.go
new file mode 100644
index 0000000000..5e2ad94547
--- /dev/null
+++ b/internal/civisibility/utils/net/efd_api.go
@@ -0,0 +1,77 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package net
+
+import (
+ "fmt"
+)
+
+const (
+ efdRequestType string = "ci_app_libraries_tests_request"
+ efdURLPath string = "api/v2/ci/libraries/tests"
+)
+
+type (
+ efdRequest struct {
+ Data efdRequestHeader `json:"data"`
+ }
+
+ efdRequestHeader struct {
+ ID string `json:"id"`
+ Type string `json:"type"`
+ Attributes EfdRequestData `json:"attributes"`
+ }
+
+ EfdRequestData struct {
+ Service string `json:"service"`
+ Env string `json:"env"`
+ RepositoryURL string `json:"repository_url"`
+ Configurations testConfigurations `json:"configurations"`
+ }
+
+ efdResponse struct {
+ Data struct {
+ ID string `json:"id"`
+ Type string `json:"type"`
+ Attributes EfdResponseData `json:"attributes"`
+ } `json:"data"`
+ }
+
+ EfdResponseData struct {
+ Tests EfdResponseDataModules `json:"tests"`
+ }
+
+ EfdResponseDataModules map[string]EfdResponseDataSuites
+ EfdResponseDataSuites map[string][]string
+)
+
+func (c *client) GetEarlyFlakeDetectionData() (*EfdResponseData, error) {
+ body := efdRequest{
+ Data: efdRequestHeader{
+ ID: c.id,
+ Type: efdRequestType,
+ Attributes: EfdRequestData{
+ Service: c.serviceName,
+ Env: c.environment,
+ RepositoryURL: c.repositoryURL,
+ Configurations: c.testConfigurations,
+ },
+ },
+ }
+
+ response, err := c.handler.SendRequest(*c.getPostRequestConfig(efdURLPath, body))
+ if err != nil {
+ return nil, fmt.Errorf("sending early flake detection request: %s", err.Error())
+ }
+
+ var responseObject efdResponse
+ err = response.Unmarshal(&responseObject)
+ if err != nil {
+ return nil, fmt.Errorf("unmarshalling early flake detection data response: %s", err.Error())
+ }
+
+ return &responseObject.Data.Attributes, nil
+}
diff --git a/internal/civisibility/utils/net/efd_api_test.go b/internal/civisibility/utils/net/efd_api_test.go
new file mode 100644
index 0000000000..93008d25ce
--- /dev/null
+++ b/internal/civisibility/utils/net/efd_api_test.go
@@ -0,0 +1,106 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package net
+
+import (
+ "encoding/json"
+ "io"
+ "net/http"
+ "net/http/httptest"
+ "os"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+)
+
+func TestEfdApiRequest(t *testing.T) {
+ var c *client
+ expectedResponse := efdResponse{}
+ expectedResponse.Data.Type = settingsRequestType
+ expectedResponse.Data.Attributes.Tests = EfdResponseDataModules{
+ "MyModule1": EfdResponseDataSuites{
+ "MySuite1": []string{"Test1", "Test2"},
+ },
+ "MyModule2": EfdResponseDataSuites{
+ "MySuite2": []string{"Test3", "Test4"},
+ },
+ }
+
+ server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ body, err := io.ReadAll(r.Body)
+ if err != nil {
+ http.Error(w, "failed to read body", http.StatusBadRequest)
+ return
+ }
+
+ if r.Header.Get(HeaderContentType) == ContentTypeJSON {
+ var request efdRequest
+ json.Unmarshal(body, &request)
+ assert.Equal(t, c.id, request.Data.ID)
+ assert.Equal(t, efdRequestType, request.Data.Type)
+ assert.Equal(t, efdURLPath, r.URL.Path[1:])
+ assert.Equal(t, c.environment, request.Data.Attributes.Env)
+ assert.Equal(t, c.repositoryURL, request.Data.Attributes.RepositoryURL)
+ assert.Equal(t, c.serviceName, request.Data.Attributes.Service)
+ assert.Equal(t, c.testConfigurations, request.Data.Attributes.Configurations)
+
+ w.Header().Set(HeaderContentType, ContentTypeJSON)
+ expectedResponse.Data.ID = request.Data.ID
+ json.NewEncoder(w).Encode(expectedResponse)
+ }
+ }))
+ defer server.Close()
+
+ origEnv := saveEnv()
+ path := os.Getenv("PATH")
+ defer restoreEnv(origEnv)
+
+ setCiVisibilityEnv(path, server.URL)
+
+ cInterface := NewClient()
+ c = cInterface.(*client)
+ efdData, err := cInterface.GetEarlyFlakeDetectionData()
+ assert.Nil(t, err)
+ assert.Equal(t, expectedResponse.Data.Attributes, *efdData)
+}
+
+func TestEfdApiRequestFailToUnmarshal(t *testing.T) {
+ server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ http.Error(w, "failed to read body", http.StatusBadRequest)
+ }))
+ defer server.Close()
+
+ origEnv := saveEnv()
+ path := os.Getenv("PATH")
+ defer restoreEnv(origEnv)
+
+ setCiVisibilityEnv(path, server.URL)
+
+ cInterface := NewClient()
+ efdData, err := cInterface.GetEarlyFlakeDetectionData()
+ assert.Nil(t, efdData)
+ assert.NotNil(t, err)
+ assert.Contains(t, err.Error(), "cannot unmarshal response")
+}
+
+func TestEfdApiRequestFailToGet(t *testing.T) {
+ server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ http.Error(w, "internal processing error", http.StatusInternalServerError)
+ }))
+ defer server.Close()
+
+ origEnv := saveEnv()
+ path := os.Getenv("PATH")
+ defer restoreEnv(origEnv)
+
+ setCiVisibilityEnv(path, server.URL)
+
+ cInterface := NewClient()
+ efdData, err := cInterface.GetEarlyFlakeDetectionData()
+ assert.Nil(t, efdData)
+ assert.NotNil(t, err)
+ assert.Contains(t, err.Error(), "sending early flake detection request")
+}
diff --git a/internal/civisibility/utils/net/http.go b/internal/civisibility/utils/net/http.go
new file mode 100644
index 0000000000..fdccf1ec47
--- /dev/null
+++ b/internal/civisibility/utils/net/http.go
@@ -0,0 +1,398 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package net
+
+import (
+ "bytes"
+ "compress/gzip"
+ "encoding/json"
+ "errors"
+ "fmt"
+ "io"
+ "mime"
+ "mime/multipart"
+ "net/http"
+ "net/textproto"
+ "strconv"
+ "time"
+
+ "github.com/DataDog/dd-trace-go/v2/internal/log"
+)
+
+// Constants for common strings
+const (
+ ContentTypeJSON = "application/json"
+ ContentTypeJSONAlternative = "application/vnd.api+json"
+ ContentTypeOctetStream = "application/octet-stream"
+ ContentEncodingGzip = "gzip"
+ HeaderContentType = "Content-Type"
+ HeaderContentEncoding = "Content-Encoding"
+ HeaderAcceptEncoding = "Accept-Encoding"
+ HeaderRateLimitReset = "x-ratelimit-reset"
+ HTTPStatusTooManyRequests = 429
+ FormatJSON = "json"
+)
+
+// FormFile represents a file to be uploaded in a multipart form request.
+type FormFile struct {
+ FieldName string // The name of the form field
+ FileName string // The name of the file
+ Content interface{} // The content of the file (can be []byte, map, struct, etc.)
+ ContentType string // The MIME type of the file (e.g., "application/json", "application/octet-stream")
+}
+
+// RequestConfig holds configuration for a request.
+type RequestConfig struct {
+ Method string // HTTP method: GET or POST
+ URL string // Request URL
+ Headers map[string]string // Additional HTTP headers
+ Body interface{} // Request body for JSON, MessagePack, or raw bytes
+ Format string // Format: "json" or "msgpack"
+ Compressed bool // Whether to use gzip compression
+ Files []FormFile // Files to be uploaded in a multipart form data request
+ MaxRetries int // Maximum number of retries
+ Backoff time.Duration // Initial backoff duration for retries
+}
+
+// Response represents the HTTP response with deserialization capabilities and status code.
+type Response struct {
+ Body []byte // Response body in raw format
+ Format string // Format of the response (json or msgpack)
+ StatusCode int // HTTP status code
+ CanUnmarshal bool // Whether the response body can be unmarshalled
+}
+
+// Unmarshal deserializes the response body into the provided target based on the response format.
+func (r *Response) Unmarshal(target interface{}) error {
+ if !r.CanUnmarshal {
+ return fmt.Errorf("cannot unmarshal response with status code %d", r.StatusCode)
+ }
+
+ switch r.Format {
+ case FormatJSON:
+ return json.Unmarshal(r.Body, target)
+ default:
+ return fmt.Errorf("unsupported format '%s' for unmarshalling", r.Format)
+ }
+}
+
+// RequestHandler handles HTTP requests with retries and different formats.
+type RequestHandler struct {
+ Client *http.Client
+}
+
+// NewRequestHandler creates a new RequestHandler with a default HTTP client.
+func NewRequestHandler() *RequestHandler {
+ return &RequestHandler{
+ Client: &http.Client{
+ Timeout: 45 * time.Second, // Customize timeout as needed
+ },
+ }
+}
+
+// NewRequestHandlerWithClient creates a new RequestHandler with a custom http.Client
+func NewRequestHandlerWithClient(client *http.Client) *RequestHandler {
+ return &RequestHandler{
+ Client: client,
+ }
+}
+
+// SendRequest sends an HTTP request based on the provided configuration.
+func (rh *RequestHandler) SendRequest(config RequestConfig) (*Response, error) {
+ if config.MaxRetries <= 0 {
+ config.MaxRetries = DefaultMaxRetries // Default retries
+ }
+ if config.Backoff <= 0 {
+ config.Backoff = DefaultBackoff // Default backoff
+ }
+ if config.Method == "" {
+ return nil, errors.New("HTTP method is required")
+ }
+ if config.URL == "" {
+ return nil, errors.New("URL is required")
+ }
+
+ for attempt := 0; attempt <= config.MaxRetries; attempt++ {
+ log.Debug("ciVisibilityHttpClient: new request [method: %v, url: %v, attempt: %v, maxRetries: %v]",
+ config.Method, config.URL, attempt, config.MaxRetries)
+ stopRetries, rs, err := rh.internalSendRequest(&config, attempt)
+ if stopRetries {
+ return rs, err
+ }
+ }
+
+ return nil, errors.New("max retries exceeded")
+}
+
+func (rh *RequestHandler) internalSendRequest(config *RequestConfig, attempt int) (stopRetries bool, response *Response, requestError error) {
+ var req *http.Request
+
+ // Check if it's a multipart form data request
+ if len(config.Files) > 0 {
+ // Create multipart form data body
+ body, contentType, err := createMultipartFormData(config.Files, config.Compressed)
+ if err != nil {
+ return true, nil, err
+ }
+
+ if log.DebugEnabled() {
+ var files []string
+ for _, f := range config.Files {
+ files = append(files, f.FileName)
+ }
+ log.Debug("ciVisibilityHttpClient: sending files %v", files)
+ }
+ req, err = http.NewRequest(config.Method, config.URL, bytes.NewBuffer(body))
+ if err != nil {
+ return true, nil, err
+ }
+ req.Header.Set(HeaderContentType, contentType)
+ if config.Compressed {
+ req.Header.Set(HeaderContentEncoding, ContentEncodingGzip)
+ }
+ } else if config.Body != nil {
+ // Handle JSON body
+ serializedBody, err := serializeData(config.Body, config.Format)
+ if err != nil {
+ return true, nil, err
+ }
+
+ if log.DebugEnabled() {
+ log.Debug("ciVisibilityHttpClient: serialized body [compressed: %v] %v", config.Compressed, string(serializedBody))
+ }
+
+ // Compress body if needed
+ if config.Compressed {
+ serializedBody, err = compressData(serializedBody)
+ if err != nil {
+ return true, nil, err
+ }
+ }
+
+ req, err = http.NewRequest(config.Method, config.URL, bytes.NewBuffer(serializedBody))
+ if err != nil {
+ return true, nil, err
+ }
+ if config.Format == FormatJSON {
+ req.Header.Set(HeaderContentType, ContentTypeJSON)
+ }
+ if config.Compressed {
+ req.Header.Set(HeaderContentEncoding, ContentEncodingGzip)
+ }
+ } else {
+ // Handle requests without a body (e.g., GET requests)
+ var err error
+ req, err = http.NewRequest(config.Method, config.URL, nil)
+ if err != nil {
+ return true, nil, err
+ }
+ }
+
+ // Set that is possible to handle gzip responses
+ req.Header.Set(HeaderAcceptEncoding, ContentEncodingGzip)
+
+ // Add custom headers if provided
+ for key, value := range config.Headers {
+ req.Header.Set(key, value)
+ }
+
+ resp, err := rh.Client.Do(req)
+ if err != nil {
+ log.Debug("ciVisibilityHttpClient: error [%v].", err)
+ // Retry if there's an error
+ exponentialBackoff(attempt, config.Backoff)
+ return false, nil, nil
+ }
+ // Close response body
+ defer resp.Body.Close()
+
+ // Capture the status code
+ statusCode := resp.StatusCode
+ log.Debug("ciVisibilityHttpClient: response status code [%v]", resp.StatusCode)
+
+ // Check for rate-limiting (HTTP 429)
+ if resp.StatusCode == HTTPStatusTooManyRequests {
+ rateLimitReset := resp.Header.Get(HeaderRateLimitReset)
+ if rateLimitReset != "" {
+ if resetTime, err := strconv.ParseInt(rateLimitReset, 10, 64); err == nil {
+ var waitDuration time.Duration
+ if resetTime > time.Now().Unix() {
+ // Assume it's a Unix timestamp
+ waitDuration = time.Until(time.Unix(resetTime, 0))
+ } else {
+ // Assume it's a duration in seconds
+ waitDuration = time.Duration(resetTime) * time.Second
+ }
+ if waitDuration > 0 {
+ time.Sleep(waitDuration)
+ }
+ return false, nil, nil
+ }
+ }
+
+ // Fallback to exponential backoff if header is missing or invalid
+ exponentialBackoff(attempt, config.Backoff)
+ return false, nil, nil
+ }
+
+ // Check status code for retries
+ if statusCode >= 406 {
+ // Retry if the status code is >= 406
+ exponentialBackoff(attempt, config.Backoff)
+ return false, nil, nil
+ }
+
+ responseBody, err := io.ReadAll(resp.Body)
+ if err != nil {
+ return true, nil, err
+ }
+
+ // Decompress response if it is gzip compressed
+ if resp.Header.Get(HeaderContentEncoding) == ContentEncodingGzip {
+ responseBody, err = decompressData(responseBody)
+ if err != nil {
+ return true, nil, err
+ }
+ }
+
+ // Determine response format from headers
+ responseFormat := "unknown"
+ mediaType, _, err := mime.ParseMediaType(resp.Header.Get(HeaderContentType))
+ if err == nil {
+ if mediaType == ContentTypeJSON || mediaType == ContentTypeJSONAlternative {
+ responseFormat = FormatJSON
+ if log.DebugEnabled() {
+ log.Debug("ciVisibilityHttpClient: serialized response [%v]", string(responseBody))
+ }
+ }
+ }
+
+ // Determine if we can unmarshal based on status code (2xx)
+ canUnmarshal := statusCode >= 200 && statusCode < 300
+
+ // Return the successful response with status code and unmarshal capability
+ return true, &Response{Body: responseBody, Format: responseFormat, StatusCode: statusCode, CanUnmarshal: canUnmarshal}, nil
+}
+
+// Helper functions for data serialization, compression, and handling multipart form data
+
+// serializeData serializes the data based on the format.
+func serializeData(data interface{}, format string) ([]byte, error) {
+ switch v := data.(type) {
+ case []byte:
+ // If it's already a byte array, use it directly
+ return v, nil
+ default:
+ // Otherwise, serialize it according to the specified format
+ if format == FormatJSON {
+ return json.Marshal(data)
+ }
+ }
+ return nil, fmt.Errorf("unsupported format '%s' for data type '%T'", format, data)
+}
+
+// compressData compresses the data using gzip.
+func compressData(data []byte) ([]byte, error) {
+ if data == nil {
+ return nil, errors.New("attempt to compress a nil data array")
+ }
+
+ var buf bytes.Buffer
+ writer := gzip.NewWriter(&buf)
+ _, err := writer.Write(data)
+ if err != nil {
+ return nil, err
+ }
+ writer.Close()
+ return buf.Bytes(), nil
+}
+
+// decompressData decompresses gzip data.
+func decompressData(data []byte) ([]byte, error) {
+ reader, err := gzip.NewReader(bytes.NewReader(data))
+ if err != nil {
+ return nil, fmt.Errorf("failed to create gzip reader: %v", err)
+ }
+ defer reader.Close()
+ decompressedData, err := io.ReadAll(reader)
+ if err != nil {
+ return nil, fmt.Errorf("failed to decompress data: %v", err)
+ }
+ return decompressedData, nil
+}
+
+// exponentialBackoff performs an exponential backoff with retries.
+func exponentialBackoff(retryCount int, initialDelay time.Duration) {
+ maxDelay := 30 * time.Second
+ delay := initialDelay * (1 << uint(retryCount)) // Exponential backoff
+ if delay > maxDelay {
+ delay = maxDelay
+ }
+ time.Sleep(delay)
+}
+
+// prepareContent prepares the content for a FormFile by serializing it if needed.
+func prepareContent(content interface{}, contentType string) ([]byte, error) {
+ if contentType == ContentTypeJSON {
+ return serializeData(content, FormatJSON)
+ } else if contentType == ContentTypeOctetStream {
+ // For binary data, ensure it's already in byte format
+ if data, ok := content.([]byte); ok {
+ return data, nil
+ }
+ return nil, errors.New("content must be []byte for octet-stream content type")
+ }
+ return nil, errors.New("unsupported content type for serialization")
+}
+
+// createMultipartFormData creates a multipart form data request body with the given files.
+// It also compresses the data using gzip if compression is enabled.
+func createMultipartFormData(files []FormFile, compressed bool) ([]byte, string, error) {
+ var buf bytes.Buffer
+ writer := multipart.NewWriter(&buf)
+
+ for _, file := range files {
+ partHeaders := textproto.MIMEHeader{}
+ if file.FileName == "" {
+ partHeaders.Set("Content-Disposition", fmt.Sprintf(`form-data; name="%s"`, file.FieldName))
+ } else {
+ partHeaders.Set("Content-Disposition", fmt.Sprintf(`form-data; name="%s"; filename="%s"`, file.FieldName, file.FileName))
+ }
+ partHeaders.Set("Content-Type", file.ContentType)
+
+ part, err := writer.CreatePart(partHeaders)
+ if err != nil {
+ return nil, "", err
+ }
+
+ // Prepare the file content (serialize if necessary based on content type)
+ fileContent, err := prepareContent(file.Content, file.ContentType)
+ if err != nil {
+ return nil, "", err
+ }
+
+ if _, err := part.Write(fileContent); err != nil {
+ return nil, "", err
+ }
+ }
+
+ // Close the writer to set the terminating boundary
+ err := writer.Close()
+ if err != nil {
+ return nil, "", err
+ }
+
+ // Compress the multipart form data if compression is enabled
+ if compressed {
+ compressedData, err := compressData(buf.Bytes())
+ if err != nil {
+ return nil, "", err
+ }
+ return compressedData, writer.FormDataContentType(), nil
+ }
+
+ return buf.Bytes(), writer.FormDataContentType(), nil
+}
diff --git a/internal/civisibility/utils/net/http_test.go b/internal/civisibility/utils/net/http_test.go
new file mode 100644
index 0000000000..45a6c167bc
--- /dev/null
+++ b/internal/civisibility/utils/net/http_test.go
@@ -0,0 +1,896 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package net
+
+import (
+ "bytes"
+ "compress/gzip"
+ "encoding/json"
+ "io"
+ "net/http"
+ "net/http/httptest"
+ "testing"
+ "time"
+
+ "github.com/stretchr/testify/assert"
+)
+
+const DefaultMultipartMemorySize = 10 << 20 // 10MB
+
+// Mock server handlers for different test scenarios
+
+// Mock server for basic JSON and MessagePack requests with gzip handling
+func mockJSONMsgPackHandler(w http.ResponseWriter, r *http.Request) {
+ var body []byte
+ var err error
+
+ // Check if the request is gzip compressed and decompress it
+ if r.Header.Get(HeaderContentEncoding) == ContentEncodingGzip {
+ gzipReader, err := gzip.NewReader(r.Body)
+ if err != nil {
+ http.Error(w, "failed to decompress gzip", http.StatusBadRequest)
+ return
+ }
+ defer gzipReader.Close()
+ body, err = io.ReadAll(gzipReader)
+ } else {
+ body, err = io.ReadAll(r.Body)
+ }
+
+ if err != nil {
+ http.Error(w, "failed to read body", http.StatusBadRequest)
+ return
+ }
+
+ // Process JSON based on Content-Type
+ if r.Header.Get(HeaderContentType) == ContentTypeJSON {
+ var data map[string]interface{}
+ json.Unmarshal(body, &data)
+ w.Header().Set(HeaderContentType, ContentTypeJSON)
+ json.NewEncoder(w).Encode(map[string]interface{}{"received": data})
+ }
+}
+
+// Mock server for multipart form data with gzip handling
+func mockMultipartHandler(w http.ResponseWriter, r *http.Request) {
+ var err error
+
+ // Check if the request is gzip compressed and decompress it
+ if r.Header.Get(HeaderContentEncoding) == ContentEncodingGzip {
+ gzipReader, err := gzip.NewReader(r.Body)
+ if err != nil {
+ http.Error(w, "failed to decompress gzip", http.StatusBadRequest)
+ return
+ }
+ defer gzipReader.Close()
+
+ // Replace the request body with the decompressed body for further processing
+ r.Body = io.NopCloser(gzipReader)
+ }
+
+ // Parse multipart form data
+ err = r.ParseMultipartForm(DefaultMultipartMemorySize)
+ if err != nil {
+ http.Error(w, "cannot parse multipart form", http.StatusBadRequest)
+ return
+ }
+
+ response := make(map[string]string)
+ for key := range r.MultipartForm.File {
+ file, _, _ := r.FormFile(key)
+ content, _ := io.ReadAll(file)
+ response[key] = string(content)
+ }
+
+ w.Header().Set(HeaderContentType, ContentTypeJSON)
+ json.NewEncoder(w).Encode(response)
+}
+
+// Mock server for rate limiting with predictable reset timing
+func mockRateLimitHandler(w http.ResponseWriter, _ *http.Request) {
+ // Set the rate limit reset time to 2 seconds
+ w.Header().Set(HeaderRateLimitReset, "2")
+ http.Error(w, "Too Many Requests", HTTPStatusTooManyRequests)
+}
+
+// Test Suite
+
+func TestSendJSONRequest(t *testing.T) {
+ server := httptest.NewServer(http.HandlerFunc(mockJSONMsgPackHandler))
+ defer server.Close()
+
+ handler := NewRequestHandler()
+ config := RequestConfig{
+ Method: "POST",
+ URL: server.URL,
+ Body: map[string]interface{}{"key": "value"},
+ Format: "json",
+ Compressed: false,
+ }
+
+ response, err := handler.SendRequest(config)
+ assert.NoError(t, err)
+ assert.Equal(t, http.StatusOK, response.StatusCode)
+ assert.Equal(t, "json", response.Format)
+
+ var result map[string]interface{}
+ err = response.Unmarshal(&result)
+ assert.NoError(t, err)
+ assert.Equal(t, "value", result["received"].(map[string]interface{})["key"])
+}
+
+func TestSendMultipartFormDataRequest(t *testing.T) {
+ server := httptest.NewServer(http.HandlerFunc(mockMultipartHandler))
+ defer server.Close()
+
+ handler := NewRequestHandler()
+ config := RequestConfig{
+ Method: "POST",
+ URL: server.URL,
+ Files: []FormFile{
+ {
+ FieldName: "file1",
+ FileName: "test.json",
+ Content: map[string]interface{}{"key": "value"},
+ ContentType: ContentTypeJSON,
+ },
+ {
+ FieldName: "file2",
+ FileName: "test.bin",
+ Content: []byte{0x01, 0x02, 0x03},
+ ContentType: ContentTypeOctetStream,
+ },
+ },
+ }
+
+ response, err := handler.SendRequest(config)
+ assert.NoError(t, err)
+ assert.Equal(t, http.StatusOK, response.StatusCode)
+ assert.Equal(t, "json", response.Format)
+
+ var result map[string]interface{}
+ err = response.Unmarshal(&result)
+ assert.NoError(t, err)
+ assert.Equal(t, `{"key":"value"}`, result["file1"])
+ assert.Equal(t, "\x01\x02\x03", result["file2"])
+}
+
+func TestSendJSONRequestWithGzipCompression(t *testing.T) {
+ server := httptest.NewServer(http.HandlerFunc(mockJSONMsgPackHandler))
+ defer server.Close()
+
+ handler := NewRequestHandler()
+ config := RequestConfig{
+ Method: "POST",
+ URL: server.URL,
+ Body: map[string]interface{}{"key": "value"},
+ Format: "json",
+ Compressed: true,
+ }
+
+ response, err := handler.SendRequest(config)
+ assert.NoError(t, err)
+ assert.Equal(t, http.StatusOK, response.StatusCode)
+ assert.Equal(t, "json", response.Format)
+
+ var result map[string]interface{}
+ err = response.Unmarshal(&result)
+ assert.NoError(t, err)
+ assert.NotNil(t, result["received"], "Expected 'received' key to be present in the response")
+ assert.Equal(t, "value", result["received"].(map[string]interface{})["key"])
+}
+
+func TestSendMultipartFormDataRequestWithGzipCompression(t *testing.T) {
+ server := httptest.NewServer(http.HandlerFunc(mockMultipartHandler))
+ defer server.Close()
+
+ handler := NewRequestHandler()
+ config := RequestConfig{
+ Method: "POST",
+ URL: server.URL,
+ Files: []FormFile{
+ {
+ FieldName: "file1",
+ FileName: "test.json",
+ Content: map[string]interface{}{"key": "value"},
+ ContentType: ContentTypeJSON,
+ },
+ {
+ FieldName: "file2",
+ FileName: "test.bin",
+ Content: []byte{0x01, 0x02, 0x03},
+ ContentType: ContentTypeOctetStream,
+ },
+ },
+ Compressed: true,
+ }
+
+ response, err := handler.SendRequest(config)
+ assert.NoError(t, err)
+ assert.Equal(t, http.StatusOK, response.StatusCode)
+ assert.Equal(t, "json", response.Format)
+
+ var result map[string]interface{}
+ err = response.Unmarshal(&result)
+ assert.NoError(t, err)
+ assert.Equal(t, `{"key":"value"}`, result["file1"])
+ assert.Equal(t, "\x01\x02\x03", result["file2"])
+}
+
+func TestRateLimitHandlingWithRetries(t *testing.T) {
+ server := httptest.NewServer(http.HandlerFunc(mockRateLimitHandler))
+ defer server.Close()
+
+ handler := NewRequestHandler()
+ config := RequestConfig{
+ Method: "GET", // No body needed for GET
+ URL: server.URL,
+ Compressed: true, // Enable gzip compression for GET
+ MaxRetries: 2,
+ Backoff: 1 * time.Second, // Exponential backoff fallback
+ }
+
+ start := time.Now()
+ response, err := handler.SendRequest(config)
+ elapsed := time.Since(start)
+
+ // Since the rate limit is set to reset after 2 seconds, and we retry twice,
+ // the minimum elapsed time should be at least 4 seconds (2s for each retry).
+ assert.Error(t, err)
+ assert.Nil(t, response)
+ assert.True(t, elapsed >= 4*time.Second, "Expected at least 4 seconds due to rate limit retry delay")
+}
+
+func TestGzipDecompressionError(t *testing.T) {
+ // Simulate corrupted gzip data
+ corruptedData := []byte{0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x03, 0x00}
+
+ _, err := decompressData(corruptedData)
+ assert.Error(t, err)
+}
+
+func TestExponentialBackoffDelays(t *testing.T) {
+ start := time.Now()
+
+ // Simulate exponential backoff with 3 retries and 1-second initial delay
+ for i := 0; i < 3; i++ {
+ exponentialBackoff(i, 1*time.Second)
+ }
+
+ elapsed := time.Since(start)
+ assert.True(t, elapsed >= 7*time.Second, "Expected at least 7 seconds due to exponential backoff")
+}
+
+func TestCreateMultipartFormDataWithUnsupportedContentType(t *testing.T) {
+ files := []FormFile{
+ {
+ FieldName: "file1",
+ FileName: "test.unknown",
+ Content: map[string]interface{}{"key": "value"},
+ ContentType: "unsupported/content-type", // Unsupported content type
+ },
+ }
+
+ _, _, err := createMultipartFormData(files, false)
+ assert.Error(t, err)
+}
+
+func TestRateLimitHandlingWithoutResetHeader(t *testing.T) {
+ // Mock server without 'x-ratelimit-reset' header
+ mockRateLimitHandlerWithoutHeader := func(w http.ResponseWriter, r *http.Request) {
+ http.Error(w, "Too Many Requests", HTTPStatusTooManyRequests)
+ }
+
+ server := httptest.NewServer(http.HandlerFunc(mockRateLimitHandlerWithoutHeader))
+ defer server.Close()
+
+ handler := NewRequestHandler()
+ config := RequestConfig{
+ Method: "GET", // No body needed for GET
+ URL: server.URL,
+ Compressed: false,
+ MaxRetries: 2,
+ Backoff: 1 * time.Second,
+ }
+
+ start := time.Now()
+ response, err := handler.SendRequest(config)
+ elapsed := time.Since(start)
+
+ // With exponential backoff fallback, the minimum elapsed time should be at least 3 seconds (1s + 2s)
+ assert.Error(t, err)
+ assert.Nil(t, response)
+ assert.True(t, elapsed >= 3*time.Second, "Expected at least 3 seconds due to exponential backoff delay")
+}
+
+func TestSendRequestWithInvalidURL(t *testing.T) {
+ handler := NewRequestHandler()
+ config := RequestConfig{
+ Method: "GET",
+ URL: "http://[::1]:namedport", // Invalid URL
+ Compressed: false,
+ }
+
+ response, err := handler.SendRequest(config)
+ assert.Error(t, err)
+ assert.Nil(t, response)
+}
+
+func TestSendEmptyBodyWithGzipCompression(t *testing.T) {
+ server := httptest.NewServer(http.HandlerFunc(mockJSONMsgPackHandler))
+ defer server.Close()
+
+ handler := NewRequestHandler()
+ config := RequestConfig{
+ Method: "POST",
+ URL: server.URL,
+ Body: nil, // Empty body
+ Format: "json",
+ Compressed: true,
+ }
+
+ response, err := handler.SendRequest(config)
+ assert.NoError(t, err)
+ assert.Equal(t, http.StatusOK, response.StatusCode)
+}
+
+func TestCompressDataWithInvalidInput(t *testing.T) {
+ // Attempt to compress an invalid data type (e.g., an empty interface{})
+ _, err := compressData(nil)
+ assert.Error(t, err)
+}
+
+func TestSendPUTRequestWithJSONBody(t *testing.T) {
+ server := httptest.NewServer(http.HandlerFunc(mockJSONMsgPackHandler))
+ defer server.Close()
+
+ handler := NewRequestHandler()
+ config := RequestConfig{
+ Method: "PUT",
+ URL: server.URL,
+ Body: map[string]interface{}{"key": "value"},
+ Format: "json",
+ Compressed: false,
+ }
+
+ response, err := handler.SendRequest(config)
+ assert.NoError(t, err)
+ assert.Equal(t, http.StatusOK, response.StatusCode)
+}
+
+func TestSendDELETERequest(t *testing.T) {
+ server := httptest.NewServer(http.HandlerFunc(mockJSONMsgPackHandler))
+ defer server.Close()
+
+ handler := NewRequestHandler()
+ config := RequestConfig{
+ Method: "DELETE",
+ URL: server.URL,
+ Compressed: false,
+ }
+
+ response, err := handler.SendRequest(config)
+ assert.NoError(t, err)
+ assert.Equal(t, http.StatusOK, response.StatusCode)
+}
+
+func TestSendHEADRequest(t *testing.T) {
+ server := httptest.NewServer(http.HandlerFunc(mockJSONMsgPackHandler))
+ defer server.Close()
+
+ handler := NewRequestHandler()
+ config := RequestConfig{
+ Method: "HEAD",
+ URL: server.URL,
+ Compressed: false,
+ }
+
+ response, err := handler.SendRequest(config)
+ assert.NoError(t, err)
+ assert.Equal(t, http.StatusOK, response.StatusCode)
+}
+
+func TestSendRequestWithCustomHeaders(t *testing.T) {
+ server := httptest.NewServer(http.HandlerFunc(mockJSONMsgPackHandler))
+ defer server.Close()
+
+ handler := NewRequestHandler()
+ customHeaderKey := "X-Custom-Header"
+ customHeaderValue := "CustomValue"
+
+ config := RequestConfig{
+ Method: "POST",
+ URL: server.URL,
+ Headers: map[string]string{
+ customHeaderKey: customHeaderValue,
+ },
+ Body: map[string]interface{}{"key": "value"},
+ Format: "json",
+ Compressed: false,
+ }
+
+ response, err := handler.SendRequest(config)
+ assert.NoError(t, err)
+ assert.Equal(t, http.StatusOK, response.StatusCode)
+
+ // Verify that the custom header was correctly set
+ assert.Equal(t, customHeaderValue, config.Headers[customHeaderKey])
+}
+
+func TestSendRequestWithTimeout(t *testing.T) {
+ // Mock server that delays response
+ mockSlowHandler := func(w http.ResponseWriter, r *http.Request) {
+ time.Sleep(5 * time.Second) // Delay longer than the client timeout
+ w.WriteHeader(http.StatusOK)
+ }
+
+ server := httptest.NewServer(http.HandlerFunc(mockSlowHandler))
+ defer server.Close()
+
+ handler := NewRequestHandler()
+ handler.Client.Timeout = 2 * time.Second // Set client timeout to 2 seconds
+
+ config := RequestConfig{
+ Method: "GET",
+ URL: server.URL,
+ }
+
+ response, err := handler.SendRequest(config)
+ assert.Error(t, err)
+ assert.Nil(t, response)
+}
+
+func TestSendRequestWithMaxRetriesExceeded(t *testing.T) {
+ // Mock server that always returns a 500 error
+ mockAlwaysFailHandler := func(w http.ResponseWriter, r *http.Request) {
+ http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+ }
+
+ server := httptest.NewServer(http.HandlerFunc(mockAlwaysFailHandler))
+ defer server.Close()
+
+ handler := NewRequestHandler()
+ config := RequestConfig{
+ Method: "GET",
+ URL: server.URL,
+ Compressed: false,
+ MaxRetries: 2, // Only retry twice
+ Backoff: 500 * time.Millisecond,
+ }
+
+ start := time.Now()
+ response, err := handler.SendRequest(config)
+ elapsed := time.Since(start)
+
+ // Ensure retries were attempted
+ assert.Error(t, err)
+ assert.Nil(t, response)
+ assert.True(t, elapsed >= 1*time.Second, "Expected at least 1 second due to retry delay")
+}
+
+func TestGzipResponseDecompressionHandling(t *testing.T) {
+ // Mock server that returns a gzip-compressed response
+ mockGzipResponseHandler := func(w http.ResponseWriter, r *http.Request) {
+ originalResponse := `{"message": "Hello, Gzip!"}`
+ var buf bytes.Buffer
+ gzipWriter := gzip.NewWriter(&buf)
+ _, err := gzipWriter.Write([]byte(originalResponse))
+ if err != nil {
+ http.Error(w, "Failed to compress response", http.StatusInternalServerError)
+ return
+ }
+ gzipWriter.Close()
+
+ // Set headers and write compressed data
+ w.Header().Set(HeaderContentEncoding, ContentEncodingGzip)
+ w.Header().Set(HeaderContentType, ContentTypeJSON)
+ w.Write(buf.Bytes())
+ }
+
+ server := httptest.NewServer(http.HandlerFunc(mockGzipResponseHandler))
+ defer server.Close()
+
+ handler := NewRequestHandler()
+ config := RequestConfig{
+ Method: "GET",
+ URL: server.URL,
+ Compressed: false, // Compression not needed for request, only testing response decompression
+ }
+
+ response, err := handler.SendRequest(config)
+ assert.NoError(t, err)
+ assert.Equal(t, http.StatusOK, response.StatusCode)
+ assert.Equal(t, "json", response.Format)
+
+ // Check that the response body was correctly decompressed
+ var result map[string]string
+ err = response.Unmarshal(&result)
+ assert.NoError(t, err)
+ assert.Equal(t, "Hello, Gzip!", result["message"])
+}
+
+func TestSendRequestWithUnsupportedFormat(t *testing.T) {
+ handler := NewRequestHandler()
+ config := RequestConfig{
+ Method: "POST",
+ URL: "http://example.com",
+ Body: map[string]interface{}{"key": "value"},
+ Format: "unsupported_format", // Unsupported format
+ Compressed: false,
+ }
+
+ response, err := handler.SendRequest(config)
+ assert.Error(t, err) // Unsupported format error
+ assert.Nil(t, response)
+}
+
+func TestSendRequestWithInvalidMethod(t *testing.T) {
+ handler := NewRequestHandler()
+ config := RequestConfig{
+ Method: "",
+ URL: "http://example.com",
+ }
+
+ _, err := handler.SendRequest(config)
+ assert.Error(t, err)
+ assert.EqualError(t, err, "HTTP method is required")
+}
+
+func TestSendRequestWithEmptyURL(t *testing.T) {
+ handler := NewRequestHandler()
+ config := RequestConfig{
+ Method: "GET",
+ URL: "",
+ }
+
+ _, err := handler.SendRequest(config)
+ assert.Error(t, err)
+ assert.EqualError(t, err, "URL is required")
+}
+
+func TestSendRequestWithNetworkError(t *testing.T) {
+ handler := NewRequestHandler()
+ config := RequestConfig{
+ Method: "GET",
+ URL: "http://invalid-url",
+ Backoff: 10 * time.Millisecond,
+ }
+
+ _, err := handler.SendRequest(config)
+ assert.Error(t, err)
+ assert.Contains(t, err.Error(), "max retries exceeded")
+}
+
+func TestSerializeNilDataToJSON(t *testing.T) {
+ data, err := serializeData(nil, FormatJSON)
+ assert.NoError(t, err)
+ assert.Equal(t, []byte("null"), data)
+}
+
+func TestCompressEmptyData(t *testing.T) {
+ data, err := compressData([]byte{})
+ assert.NoError(t, err)
+ assert.NotEmpty(t, data)
+}
+
+func TestDecompressValidGzipData(t *testing.T) {
+ var buf bytes.Buffer
+ writer := gzip.NewWriter(&buf)
+ writer.Write([]byte("test data"))
+ writer.Close()
+
+ data, err := decompressData(buf.Bytes())
+ assert.NoError(t, err)
+ assert.Equal(t, []byte("test data"), data)
+}
+
+func TestExponentialBackoffWithNegativeRetryCount(t *testing.T) {
+ start := time.Now()
+ exponentialBackoff(-1, 100*time.Millisecond)
+ duration := time.Since(start)
+ assert.LessOrEqual(t, duration, 100*time.Millisecond)
+}
+
+func TestResponseUnmarshalWithUnsupportedFormat(t *testing.T) {
+ resp := &Response{
+ Body: []byte("data"),
+ Format: "unknown",
+ StatusCode: http.StatusOK,
+ CanUnmarshal: true,
+ }
+
+ var data interface{}
+ err := resp.Unmarshal(&data)
+ assert.Error(t, err)
+ assert.Contains(t, err.Error(), "unsupported format 'unknown'")
+}
+
+func TestSendRequestWithUnsupportedResponseFormat(t *testing.T) {
+ ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ w.Header().Set(HeaderContentType, "application/xml")
+ w.WriteHeader(http.StatusOK)
+ w.Write([]byte("test"))
+ }))
+ defer ts.Close()
+
+ handler := NewRequestHandler()
+ config := RequestConfig{
+ Method: "GET",
+ URL: ts.URL,
+ }
+
+ resp, err := handler.SendRequest(config)
+ assert.NoError(t, err)
+ assert.Equal(t, "unknown", resp.Format)
+ assert.Equal(t, http.StatusOK, resp.StatusCode)
+ assert.True(t, resp.CanUnmarshal)
+
+ var data interface{}
+ err = resp.Unmarshal(&data)
+ assert.Error(t, err)
+ assert.Contains(t, err.Error(), "unsupported format 'unknown'")
+}
+
+func TestPrepareContentWithNonByteContentForOctetStream(t *testing.T) {
+ _, err := prepareContent(12345, ContentTypeOctetStream)
+ assert.Error(t, err)
+ assert.EqualError(t, err, "content must be []byte for octet-stream content type")
+}
+
+func TestCreateMultipartFormDataWithCompression(t *testing.T) {
+ files := []FormFile{
+ {
+ FieldName: "file1",
+ FileName: "test.txt",
+ Content: []byte("test content"),
+ ContentType: ContentTypeOctetStream,
+ },
+ }
+
+ data, contentType, err := createMultipartFormData(files, true)
+ assert.NoError(t, err)
+ assert.Contains(t, contentType, "multipart/form-data; boundary=")
+ assert.NotEmpty(t, data)
+
+ // Decompress the data to verify the content
+ decompressedData, err := decompressData(data)
+ assert.NoError(t, err)
+ assert.Contains(t, string(decompressedData), "test content")
+}
+
+func TestSendRequestWithBodySerializationError(t *testing.T) {
+ handler := NewRequestHandler()
+ config := RequestConfig{
+ Method: "POST",
+ URL: "http://example.com",
+ Body: make(chan int), // Channels cannot be serialized
+ Format: FormatJSON,
+ }
+
+ _, err := handler.SendRequest(config)
+ assert.Error(t, err)
+ assert.Contains(t, err.Error(), "unsupported type: chan int")
+}
+
+func TestSendRequestWithCompressedResponse(t *testing.T) {
+ // Server that returns a compressed response
+ ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ w.Header().Set(HeaderContentType, ContentTypeJSON)
+ w.Header().Set(HeaderContentEncoding, ContentEncodingGzip)
+ var buf bytes.Buffer
+ writer := gzip.NewWriter(&buf)
+ writer.Write([]byte(`{"message": "compressed response"}`))
+ writer.Close()
+ w.WriteHeader(http.StatusOK)
+ w.Write(buf.Bytes())
+ }))
+ defer ts.Close()
+
+ handler := NewRequestHandler()
+ config := RequestConfig{
+ Method: "GET",
+ URL: ts.URL,
+ Compressed: true,
+ }
+
+ resp, err := handler.SendRequest(config)
+ assert.NoError(t, err)
+ assert.Equal(t, http.StatusOK, resp.StatusCode)
+ assert.Equal(t, FormatJSON, resp.Format)
+ assert.True(t, resp.CanUnmarshal)
+
+ var data map[string]string
+ err = resp.Unmarshal(&data)
+ assert.NoError(t, err)
+ assert.Equal(t, "compressed response", data["message"])
+}
+
+func TestSendRequestWithRetryAfterHeader(t *testing.T) {
+ attempts := 0
+ ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ if attempts == 0 {
+ w.Header().Set(HeaderRateLimitReset, "1") // Wait 1 second
+ w.WriteHeader(HTTPStatusTooManyRequests)
+ attempts++
+ return
+ }
+ w.Header().Set(HeaderContentType, ContentTypeJSON)
+ w.WriteHeader(http.StatusOK)
+ w.Write([]byte(`{"success": true}`))
+ }))
+ defer ts.Close()
+
+ handler := NewRequestHandler()
+ config := RequestConfig{
+ Method: "GET",
+ URL: ts.URL,
+ MaxRetries: 2,
+ Backoff: 100 * time.Millisecond,
+ }
+
+ start := time.Now()
+ resp, err := handler.SendRequest(config)
+ duration := time.Since(start)
+
+ assert.NoError(t, err)
+ assert.Equal(t, http.StatusOK, resp.StatusCode)
+ assert.True(t, resp.CanUnmarshal)
+ assert.GreaterOrEqual(t, duration, time.Second) // Ensures wait time was respected
+
+ var data map[string]bool
+ err = resp.Unmarshal(&data)
+ assert.NoError(t, err)
+ assert.True(t, data["success"])
+}
+
+func TestSendRequestWithInvalidRetryAfterHeader(t *testing.T) {
+ attempts := 0
+ ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ if attempts == 0 {
+ w.Header().Set(HeaderRateLimitReset, "invalid") // Invalid value
+ w.WriteHeader(HTTPStatusTooManyRequests)
+ attempts++
+ return
+ }
+ w.Header().Set(HeaderContentType, ContentTypeJSON)
+ w.WriteHeader(http.StatusOK)
+ w.Write([]byte(`{"success": true}`))
+ }))
+ defer ts.Close()
+
+ handler := NewRequestHandler()
+ config := RequestConfig{
+ Method: "GET",
+ URL: ts.URL,
+ MaxRetries: 2,
+ Backoff: 100 * time.Millisecond,
+ }
+
+ start := time.Now()
+ resp, err := handler.SendRequest(config)
+ duration := time.Since(start)
+
+ assert.NoError(t, err)
+ assert.Equal(t, http.StatusOK, resp.StatusCode)
+ assert.True(t, resp.CanUnmarshal)
+ assert.GreaterOrEqual(t, duration, 100*time.Millisecond) // Backoff was used
+
+ var data map[string]bool
+ err = resp.Unmarshal(&data)
+ assert.NoError(t, err)
+ assert.True(t, data["success"])
+}
+
+func TestExponentialBackoffWithMaxDelay(t *testing.T) {
+ start := time.Now()
+ exponentialBackoff(10, 1*time.Second) // Should be limited to maxDelay (30s)
+ duration := time.Since(start)
+ assert.LessOrEqual(t, duration, 31*time.Second)
+}
+
+func TestSendRequestWithContextTimeout(t *testing.T) {
+ handler := &RequestHandler{
+ Client: &http.Client{
+ Timeout: 50 * time.Millisecond,
+ },
+ }
+
+ // Server that sleeps longer than client timeout
+ ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ time.Sleep(100 * time.Millisecond)
+ w.WriteHeader(http.StatusOK)
+ }))
+ defer ts.Close()
+
+ config := RequestConfig{
+ Method: "GET",
+ URL: ts.URL,
+ }
+
+ _, err := handler.SendRequest(config)
+ assert.Error(t, err)
+ assert.Contains(t, err.Error(), "max retries exceeded")
+}
+
+func TestSendRequestWithRateLimitButNoResetHeader(t *testing.T) {
+ attempts := 0
+ ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ if attempts < 2 {
+ w.WriteHeader(HTTPStatusTooManyRequests)
+ attempts++
+ return
+ }
+ w.WriteHeader(http.StatusOK)
+ w.Write([]byte("OK"))
+ }))
+ defer ts.Close()
+
+ handler := NewRequestHandler()
+ config := RequestConfig{
+ Method: "GET",
+ URL: ts.URL,
+ MaxRetries: 3,
+ Backoff: 100 * time.Millisecond,
+ }
+
+ start := time.Now()
+ resp, err := handler.SendRequest(config)
+ duration := time.Since(start)
+
+ assert.NoError(t, err)
+ assert.Equal(t, http.StatusOK, resp.StatusCode)
+ assert.GreaterOrEqual(t, duration, 300*time.Millisecond)
+ assert.Equal(t, []byte("OK"), resp.Body)
+}
+
+func TestSendRequestWhenServerClosesConnection(t *testing.T) {
+ ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ h1 := w.(http.Hijacker)
+ conn, _, _ := h1.Hijack()
+ conn.Close()
+ }))
+ ts.EnableHTTP2 = false // Disable HTTP/2 to allow hijacking
+ ts.Start()
+ defer ts.Close()
+
+ handler := NewRequestHandler()
+ config := RequestConfig{
+ Method: "GET",
+ URL: ts.URL,
+ MaxRetries: 1,
+ Backoff: 100 * time.Millisecond,
+ }
+
+ _, err := handler.SendRequest(config)
+ assert.Error(t, err)
+ assert.Contains(t, err.Error(), "max retries exceeded")
+}
+
+func TestSendRequestWithInvalidPortAndMaxRetriesExceeded(t *testing.T) {
+ handler := NewRequestHandler()
+ config := RequestConfig{
+ Method: "GET",
+ URL: "http://localhost:0", // Invalid port to force error
+ MaxRetries: 2,
+ Backoff: 10 * time.Millisecond,
+ }
+
+ _, err := handler.SendRequest(config)
+ assert.Error(t, err)
+ assert.Contains(t, err.Error(), "max retries exceeded")
+}
+
+func TestPrepareContentWithNilContent(t *testing.T) {
+ data, err := prepareContent(nil, ContentTypeJSON)
+ assert.NoError(t, err)
+ assert.Equal(t, []byte("null"), data)
+}
+
+func TestSerializeDataWithInvalidDataType(t *testing.T) {
+ _, err := serializeData(make(chan int), FormatJSON)
+ assert.Error(t, err)
+ assert.Contains(t, err.Error(), "unsupported type: chan int")
+}
diff --git a/internal/civisibility/utils/net/searchcommits_api.go b/internal/civisibility/utils/net/searchcommits_api.go
new file mode 100644
index 0000000000..2aa787b77b
--- /dev/null
+++ b/internal/civisibility/utils/net/searchcommits_api.go
@@ -0,0 +1,62 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package net
+
+import (
+ "fmt"
+)
+
+const (
+ searchCommitsType string = "commit"
+ searchCommitsURLPath string = "api/v2/git/repository/search_commits"
+)
+
+type (
+ searchCommits struct {
+ Data []searchCommitsData `json:"data"`
+ Meta searchCommitsMeta `json:"meta"`
+ }
+ searchCommitsData struct {
+ ID string `json:"id"`
+ Type string `json:"type"`
+ }
+ searchCommitsMeta struct {
+ RepositoryURL string `json:"repository_url"`
+ }
+)
+
+func (c *client) GetCommits(localCommits []string) ([]string, error) {
+ body := searchCommits{
+ Data: []searchCommitsData{},
+ Meta: searchCommitsMeta{
+ RepositoryURL: c.repositoryURL,
+ },
+ }
+
+ for _, localCommit := range localCommits {
+ body.Data = append(body.Data, searchCommitsData{
+ ID: localCommit,
+ Type: searchCommitsType,
+ })
+ }
+
+ response, err := c.handler.SendRequest(*c.getPostRequestConfig(searchCommitsURLPath, body))
+ if err != nil {
+ return nil, fmt.Errorf("sending search commits request: %s", err.Error())
+ }
+
+ var responseObject searchCommits
+ err = response.Unmarshal(&responseObject)
+ if err != nil {
+ return nil, fmt.Errorf("unmarshalling search commits response: %s", err.Error())
+ }
+
+ var commits []string
+ for _, commit := range responseObject.Data {
+ commits = append(commits, commit.ID)
+ }
+ return commits, nil
+}
diff --git a/internal/civisibility/utils/net/searchcommits_api_test.go b/internal/civisibility/utils/net/searchcommits_api_test.go
new file mode 100644
index 0000000000..ec0e612fcd
--- /dev/null
+++ b/internal/civisibility/utils/net/searchcommits_api_test.go
@@ -0,0 +1,105 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package net
+
+import (
+ "encoding/json"
+ "io"
+ "net/http"
+ "net/http/httptest"
+ "os"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+)
+
+func TestSearchCommitsApiRequest(t *testing.T) {
+ var c *client
+ expectedResponse := searchCommits{
+ Data: []searchCommitsData{
+ {
+ ID: "commit3",
+ Type: searchCommitsType,
+ },
+ {
+ ID: "commit4",
+ Type: searchCommitsType,
+ },
+ },
+ }
+
+ server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ body, err := io.ReadAll(r.Body)
+ if err != nil {
+ http.Error(w, "failed to read body", http.StatusBadRequest)
+ return
+ }
+
+ if r.Header.Get(HeaderContentType) == ContentTypeJSON {
+ var request searchCommits
+ json.Unmarshal(body, &request)
+ assert.Equal(t, c.repositoryURL, request.Meta.RepositoryURL)
+ assert.Equal(t, "commit1", request.Data[0].ID)
+ assert.Equal(t, searchCommitsType, request.Data[0].Type)
+ assert.Equal(t, "commit2", request.Data[1].ID)
+ assert.Equal(t, searchCommitsType, request.Data[1].Type)
+
+ w.Header().Set(HeaderContentType, ContentTypeJSON)
+ json.NewEncoder(w).Encode(expectedResponse)
+ }
+ }))
+ defer server.Close()
+
+ origEnv := saveEnv()
+ path := os.Getenv("PATH")
+ defer restoreEnv(origEnv)
+
+ setCiVisibilityEnv(path, server.URL)
+
+ cInterface := NewClient()
+ c = cInterface.(*client)
+ remoteCommits, err := cInterface.GetCommits([]string{"commit1", "commit2"})
+ assert.Nil(t, err)
+ assert.Equal(t, []string{"commit3", "commit4"}, remoteCommits)
+}
+
+func TestSearchCommitsApiRequestFailToUnmarshal(t *testing.T) {
+ server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ http.Error(w, "failed to read body", http.StatusBadRequest)
+ }))
+ defer server.Close()
+
+ origEnv := saveEnv()
+ path := os.Getenv("PATH")
+ defer restoreEnv(origEnv)
+
+ setCiVisibilityEnv(path, server.URL)
+
+ cInterface := NewClient()
+ remoteCommits, err := cInterface.GetCommits([]string{"commit1", "commit2"})
+ assert.Nil(t, remoteCommits)
+ assert.NotNil(t, err)
+ assert.Contains(t, err.Error(), "cannot unmarshal response")
+}
+
+func TestSearchCommitsApiRequestFailToGet(t *testing.T) {
+ server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ http.Error(w, "internal processing error", http.StatusInternalServerError)
+ }))
+ defer server.Close()
+
+ origEnv := saveEnv()
+ path := os.Getenv("PATH")
+ defer restoreEnv(origEnv)
+
+ setCiVisibilityEnv(path, server.URL)
+
+ cInterface := NewClient()
+ remoteCommits, err := cInterface.GetCommits([]string{"commit1", "commit2"})
+ assert.Nil(t, remoteCommits)
+ assert.NotNil(t, err)
+ assert.Contains(t, err.Error(), "sending search commits request")
+}
diff --git a/internal/civisibility/utils/net/sendpackfiles_api.go b/internal/civisibility/utils/net/sendpackfiles_api.go
new file mode 100644
index 0000000000..71970e34bc
--- /dev/null
+++ b/internal/civisibility/utils/net/sendpackfiles_api.go
@@ -0,0 +1,88 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package net
+
+import (
+ "fmt"
+ "net/http"
+ "os"
+)
+
+const (
+ sendPackFilesURLPath string = "api/v2/git/repository/packfile"
+)
+
+type (
+ pushedShaBody struct {
+ Data pushedShaData `json:"data"`
+ Meta pushedShaMeta `json:"meta"`
+ }
+ pushedShaData struct {
+ ID string `json:"id"`
+ Type string `json:"type"`
+ }
+ pushedShaMeta struct {
+ RepositoryURL string `json:"repository_url"`
+ }
+)
+
+func (c *client) SendPackFiles(packFiles []string) (bytes int64, err error) {
+ if len(packFiles) == 0 {
+ return 0, nil
+ }
+
+ pushedShaFormFile := FormFile{
+ FieldName: "pushedSha",
+ Content: pushedShaBody{
+ Data: pushedShaData{
+ ID: c.commitSha,
+ Type: searchCommitsType,
+ },
+ Meta: pushedShaMeta{
+ RepositoryURL: c.repositoryURL,
+ },
+ },
+ ContentType: ContentTypeJSON,
+ }
+
+ for _, file := range packFiles {
+ fileContent, fileErr := os.ReadFile(file)
+ if fileErr != nil {
+ err = fmt.Errorf("failed to read pack file: %s", fileErr.Error())
+ return
+ }
+
+ request := RequestConfig{
+ Method: "POST",
+ URL: c.getURLPath(sendPackFilesURLPath),
+ Headers: c.headers,
+ Files: []FormFile{
+ pushedShaFormFile,
+ {
+ FieldName: "packfile",
+ Content: fileContent,
+ ContentType: ContentTypeOctetStream,
+ },
+ },
+ MaxRetries: DefaultMaxRetries,
+ Backoff: DefaultBackoff,
+ }
+
+ response, responseErr := c.handler.SendRequest(request)
+ if responseErr != nil {
+ err = fmt.Errorf("failed to send packfile request: %s", responseErr.Error())
+ return
+ }
+
+ if response.StatusCode != http.StatusOK && response.StatusCode != http.StatusNoContent {
+ err = fmt.Errorf("unexpected response code %d: %s", response.StatusCode, string(response.Body))
+ }
+
+ bytes += int64(len(fileContent))
+ }
+
+ return
+}
diff --git a/internal/civisibility/utils/net/sendpackfiles_api_test.go b/internal/civisibility/utils/net/sendpackfiles_api_test.go
new file mode 100644
index 0000000000..bfc5288cca
--- /dev/null
+++ b/internal/civisibility/utils/net/sendpackfiles_api_test.go
@@ -0,0 +1,152 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package net
+
+import (
+ "bytes"
+ "encoding/json"
+ "io"
+ "net/http"
+ "net/http/httptest"
+ "os"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+)
+
+func TestSendPackFilesApiRequest(t *testing.T) {
+ var c *client
+
+ server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ reader, err := r.MultipartReader()
+ if err != nil {
+ http.Error(w, "failed to read body", http.StatusBadRequest)
+ return
+ }
+
+ containsPushedSha := false
+ containsPackFile := false
+ for {
+ part, errPart := reader.NextPart()
+ if errPart == io.EOF {
+ break
+ }
+ partName := part.FormName()
+ buf := new(bytes.Buffer)
+ buf.ReadFrom(part)
+ if partName == "pushedSha" {
+ assert.Equal(t, ContentTypeJSON, part.Header.Get(HeaderContentType))
+ var request pushedShaBody
+ json.Unmarshal(buf.Bytes(), &request)
+ assert.Equal(t, c.repositoryURL, request.Meta.RepositoryURL)
+ assert.Equal(t, c.commitSha, request.Data.ID)
+ assert.Equal(t, searchCommitsType, request.Data.Type)
+ containsPushedSha = true
+ } else if partName == "packfile" {
+ assert.Equal(t, ContentTypeOctetStream, part.Header.Get(HeaderContentType))
+ assert.NotZero(t, buf.Bytes())
+ containsPackFile = true
+ }
+ }
+
+ assert.True(t, containsPushedSha)
+ assert.True(t, containsPackFile)
+ }))
+ defer server.Close()
+
+ origEnv := saveEnv()
+ path := os.Getenv("PATH")
+ defer restoreEnv(origEnv)
+
+ setCiVisibilityEnv(path, server.URL)
+
+ cInterface := NewClient()
+ c = cInterface.(*client)
+ _, err := cInterface.SendPackFiles([]string{
+ "sendpackfiles_api_test.go",
+ })
+ assert.Nil(t, err)
+}
+
+func TestSendPackFilesApiRequestFailToUnmarshal(t *testing.T) {
+ server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ http.Error(w, "failed to read body", http.StatusBadRequest)
+ }))
+ defer server.Close()
+
+ origEnv := saveEnv()
+ path := os.Getenv("PATH")
+ defer restoreEnv(origEnv)
+
+ setCiVisibilityEnv(path, server.URL)
+
+ cInterface := NewClient()
+ _, err := cInterface.SendPackFiles([]string{
+ "sendpackfiles_api_test.go",
+ })
+ assert.NotNil(t, err)
+ assert.Contains(t, err.Error(), "unexpected response code")
+}
+
+func TestSendPackFilesApiRequestFailToGet(t *testing.T) {
+ server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ http.Error(w, "internal processing error", http.StatusInternalServerError)
+ }))
+ defer server.Close()
+
+ origEnv := saveEnv()
+ path := os.Getenv("PATH")
+ defer restoreEnv(origEnv)
+
+ setCiVisibilityEnv(path, server.URL)
+
+ cInterface := NewClient()
+ bytes, err := cInterface.SendPackFiles([]string{
+ "sendpackfiles_api_test.go",
+ })
+ assert.Zero(t, bytes)
+ assert.NotNil(t, err)
+ assert.Contains(t, err.Error(), "failed to send packfile request")
+}
+
+func TestSendPackFilesApiRequestFileError(t *testing.T) {
+ server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ http.Error(w, "internal processing error", http.StatusInternalServerError)
+ }))
+ defer server.Close()
+
+ origEnv := saveEnv()
+ path := os.Getenv("PATH")
+ defer restoreEnv(origEnv)
+
+ setCiVisibilityEnv(path, server.URL)
+
+ cInterface := NewClient()
+ bytes, err := cInterface.SendPackFiles([]string{
+ "unknown.file",
+ })
+ assert.Zero(t, bytes)
+ assert.NotNil(t, err)
+ assert.Contains(t, err.Error(), "failed to read pack file")
+}
+
+func TestSendPackFilesApiRequestNoFile(t *testing.T) {
+ server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ http.Error(w, "internal processing error", http.StatusInternalServerError)
+ }))
+ defer server.Close()
+
+ origEnv := saveEnv()
+ path := os.Getenv("PATH")
+ defer restoreEnv(origEnv)
+
+ setCiVisibilityEnv(path, server.URL)
+
+ cInterface := NewClient()
+ bytes, err := cInterface.SendPackFiles(nil)
+ assert.Zero(t, bytes)
+ assert.Nil(t, err)
+}
diff --git a/internal/civisibility/utils/net/settings_api.go b/internal/civisibility/utils/net/settings_api.go
new file mode 100644
index 0000000000..effc7b6fc7
--- /dev/null
+++ b/internal/civisibility/utils/net/settings_api.go
@@ -0,0 +1,92 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package net
+
+import (
+ "fmt"
+)
+
+const (
+ settingsRequestType string = "ci_app_test_service_libraries_settings"
+ settingsURLPath string = "api/v2/libraries/tests/services/setting"
+)
+
+type (
+ settingsRequest struct {
+ Data settingsRequestHeader `json:"data"`
+ }
+
+ settingsRequestHeader struct {
+ ID string `json:"id"`
+ Type string `json:"type"`
+ Attributes SettingsRequestData `json:"attributes"`
+ }
+
+ SettingsRequestData struct {
+ Service string `json:"service,omitempty"`
+ Env string `json:"env,omitempty"`
+ RepositoryURL string `json:"repository_url,omitempty"`
+ Branch string `json:"branch,omitempty"`
+ Sha string `json:"sha,omitempty"`
+ Configurations testConfigurations `json:"configurations,omitempty"`
+ }
+
+ settingsResponse struct {
+ Data struct {
+ ID string `json:"id"`
+ Type string `json:"type"`
+ Attributes SettingsResponseData `json:"attributes"`
+ } `json:"data,omitempty"`
+ }
+
+ SettingsResponseData struct {
+ CodeCoverage bool `json:"code_coverage"`
+ EarlyFlakeDetection struct {
+ Enabled bool `json:"enabled"`
+ SlowTestRetries struct {
+ TenS int `json:"10s"`
+ ThirtyS int `json:"30s"`
+ FiveM int `json:"5m"`
+ FiveS int `json:"5s"`
+ } `json:"slow_test_retries"`
+ FaultySessionThreshold int `json:"faulty_session_threshold"`
+ } `json:"early_flake_detection"`
+ FlakyTestRetriesEnabled bool `json:"flaky_test_retries_enabled"`
+ ItrEnabled bool `json:"itr_enabled"`
+ RequireGit bool `json:"require_git"`
+ TestsSkipping bool `json:"tests_skipping"`
+ }
+)
+
+func (c *client) GetSettings() (*SettingsResponseData, error) {
+ body := settingsRequest{
+ Data: settingsRequestHeader{
+ ID: c.id,
+ Type: settingsRequestType,
+ Attributes: SettingsRequestData{
+ Service: c.serviceName,
+ Env: c.environment,
+ RepositoryURL: c.repositoryURL,
+ Branch: c.branchName,
+ Sha: c.commitSha,
+ Configurations: c.testConfigurations,
+ },
+ },
+ }
+
+ response, err := c.handler.SendRequest(*c.getPostRequestConfig(settingsURLPath, body))
+ if err != nil {
+ return nil, fmt.Errorf("sending get settings request: %s", err.Error())
+ }
+
+ var responseObject settingsResponse
+ err = response.Unmarshal(&responseObject)
+ if err != nil {
+ return nil, fmt.Errorf("unmarshalling settings response: %s", err.Error())
+ }
+
+ return &responseObject.Data.Attributes, nil
+}
diff --git a/internal/civisibility/utils/net/settings_api_test.go b/internal/civisibility/utils/net/settings_api_test.go
new file mode 100644
index 0000000000..92ce8993d9
--- /dev/null
+++ b/internal/civisibility/utils/net/settings_api_test.go
@@ -0,0 +1,111 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package net
+
+import (
+ "encoding/json"
+ "io"
+ "net/http"
+ "net/http/httptest"
+ "os"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+)
+
+func TestSettingsApiRequest(t *testing.T) {
+ var c *client
+ expectedResponse := settingsResponse{}
+ expectedResponse.Data.Type = settingsRequestType
+ expectedResponse.Data.Attributes.FlakyTestRetriesEnabled = true
+ expectedResponse.Data.Attributes.CodeCoverage = true
+ expectedResponse.Data.Attributes.TestsSkipping = true
+ expectedResponse.Data.Attributes.ItrEnabled = true
+ expectedResponse.Data.Attributes.RequireGit = true
+ expectedResponse.Data.Attributes.EarlyFlakeDetection.FaultySessionThreshold = 30
+ expectedResponse.Data.Attributes.EarlyFlakeDetection.Enabled = true
+ expectedResponse.Data.Attributes.EarlyFlakeDetection.SlowTestRetries.FiveS = 25
+ expectedResponse.Data.Attributes.EarlyFlakeDetection.SlowTestRetries.TenS = 20
+ expectedResponse.Data.Attributes.EarlyFlakeDetection.SlowTestRetries.ThirtyS = 10
+ expectedResponse.Data.Attributes.EarlyFlakeDetection.SlowTestRetries.FiveM = 5
+
+ server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ body, err := io.ReadAll(r.Body)
+ if err != nil {
+ http.Error(w, "failed to read body", http.StatusBadRequest)
+ return
+ }
+
+ if r.Header.Get(HeaderContentType) == ContentTypeJSON {
+ var request settingsRequest
+ json.Unmarshal(body, &request)
+ assert.Equal(t, c.id, request.Data.ID)
+ assert.Equal(t, settingsRequestType, request.Data.Type)
+ assert.Equal(t, settingsURLPath, r.URL.Path[1:])
+ assert.Equal(t, c.commitSha, request.Data.Attributes.Sha)
+ assert.Equal(t, c.branchName, request.Data.Attributes.Branch)
+ assert.Equal(t, c.environment, request.Data.Attributes.Env)
+ assert.Equal(t, c.repositoryURL, request.Data.Attributes.RepositoryURL)
+ assert.Equal(t, c.serviceName, request.Data.Attributes.Service)
+ assert.Equal(t, c.testConfigurations, request.Data.Attributes.Configurations)
+
+ w.Header().Set(HeaderContentType, ContentTypeJSON)
+ expectedResponse.Data.ID = request.Data.ID
+ json.NewEncoder(w).Encode(expectedResponse)
+ }
+ }))
+ defer server.Close()
+
+ origEnv := saveEnv()
+ path := os.Getenv("PATH")
+ defer restoreEnv(origEnv)
+
+ setCiVisibilityEnv(path, server.URL)
+
+ cInterface := NewClient()
+ c = cInterface.(*client)
+ settings, err := cInterface.GetSettings()
+ assert.Nil(t, err)
+ assert.Equal(t, expectedResponse.Data.Attributes, *settings)
+}
+
+func TestSettingsApiRequestFailToUnmarshal(t *testing.T) {
+ server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ http.Error(w, "failed to read body", http.StatusBadRequest)
+ }))
+ defer server.Close()
+
+ origEnv := saveEnv()
+ path := os.Getenv("PATH")
+ defer restoreEnv(origEnv)
+
+ setCiVisibilityEnv(path, server.URL)
+
+ cInterface := NewClient()
+ settings, err := cInterface.GetSettings()
+ assert.Nil(t, settings)
+ assert.NotNil(t, err)
+ assert.Contains(t, err.Error(), "cannot unmarshal response")
+}
+
+func TestSettingsApiRequestFailToGet(t *testing.T) {
+ server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ http.Error(w, "internal processing error", http.StatusInternalServerError)
+ }))
+ defer server.Close()
+
+ origEnv := saveEnv()
+ path := os.Getenv("PATH")
+ defer restoreEnv(origEnv)
+
+ setCiVisibilityEnv(path, server.URL)
+
+ cInterface := NewClient()
+ settings, err := cInterface.GetSettings()
+ assert.Nil(t, settings)
+ assert.NotNil(t, err)
+ assert.Contains(t, err.Error(), "sending get settings request")
+}
diff --git a/internal/civisibility/utils/testdata/fixtures/github-event.json b/internal/civisibility/utils/testdata/fixtures/github-event.json
new file mode 100644
index 0000000000..b9fe79f2aa
--- /dev/null
+++ b/internal/civisibility/utils/testdata/fixtures/github-event.json
@@ -0,0 +1,490 @@
+{
+ "action": "synchronize",
+ "after": "df289512a51123083a8e6931dd6f57bb3883d4c4",
+ "before": "f659d2fdd7bedffb40d9ab223dbde6afa5eadc32",
+ "number": 1,
+ "pull_request": {
+ "_links": {
+ "comments": {
+ "href": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/issues/1/comments"
+ },
+ "commits": {
+ "href": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/pulls/1/commits"
+ },
+ "html": {
+ "href": "https://github.com/nikita-tkachenko-datadog/ci-test-project/pull/1"
+ },
+ "issue": {
+ "href": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/issues/1"
+ },
+ "review_comment": {
+ "href": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/pulls/comments{/number}"
+ },
+ "review_comments": {
+ "href": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/pulls/1/comments"
+ },
+ "self": {
+ "href": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/pulls/1"
+ },
+ "statuses": {
+ "href": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/statuses/df289512a51123083a8e6931dd6f57bb3883d4c4"
+ }
+ },
+ "active_lock_reason": null,
+ "additions": 2,
+ "assignee": null,
+ "assignees": [],
+ "author_association": "OWNER",
+ "auto_merge": null,
+ "base": {
+ "label": "nikita-tkachenko-datadog:main",
+ "ref": "main",
+ "repo": {
+ "allow_auto_merge": false,
+ "allow_forking": true,
+ "allow_merge_commit": true,
+ "allow_rebase_merge": true,
+ "allow_squash_merge": true,
+ "allow_update_branch": false,
+ "archive_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/{archive_format}{/ref}",
+ "archived": false,
+ "assignees_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/assignees{/user}",
+ "blobs_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/git/blobs{/sha}",
+ "branches_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/branches{/branch}",
+ "clone_url": "https://github.com/nikita-tkachenko-datadog/ci-test-project.git",
+ "collaborators_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/collaborators{/collaborator}",
+ "comments_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/comments{/number}",
+ "commits_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/commits{/sha}",
+ "compare_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/compare/{base}...{head}",
+ "contents_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/contents/{+path}",
+ "contributors_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/contributors",
+ "created_at": "2023-01-09T10:24:06Z",
+ "default_branch": "main",
+ "delete_branch_on_merge": false,
+ "deployments_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/deployments",
+ "description": null,
+ "disabled": false,
+ "downloads_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/downloads",
+ "events_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/events",
+ "fork": false,
+ "forks": 0,
+ "forks_count": 0,
+ "forks_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/forks",
+ "full_name": "nikita-tkachenko-datadog/ci-test-project",
+ "git_commits_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/git/commits{/sha}",
+ "git_refs_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/git/refs{/sha}",
+ "git_tags_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/git/tags{/sha}",
+ "git_url": "git://github.com/nikita-tkachenko-datadog/ci-test-project.git",
+ "has_discussions": false,
+ "has_downloads": true,
+ "has_issues": true,
+ "has_pages": false,
+ "has_projects": true,
+ "has_wiki": false,
+ "homepage": null,
+ "hooks_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/hooks",
+ "html_url": "https://github.com/nikita-tkachenko-datadog/ci-test-project",
+ "id": 586827266,
+ "is_template": false,
+ "issue_comment_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/issues/comments{/number}",
+ "issue_events_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/issues/events{/number}",
+ "issues_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/issues{/number}",
+ "keys_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/keys{/key_id}",
+ "labels_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/labels{/name}",
+ "language": "Shell",
+ "languages_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/languages",
+ "license": null,
+ "merge_commit_message": "PR_TITLE",
+ "merge_commit_title": "MERGE_MESSAGE",
+ "merges_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/merges",
+ "milestones_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/milestones{/number}",
+ "mirror_url": null,
+ "name": "ci-test-project",
+ "node_id": "R_kgDOIvpGAg",
+ "notifications_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/notifications{?since,all,participating}",
+ "open_issues": 1,
+ "open_issues_count": 1,
+ "owner": {
+ "avatar_url": "https://avatars.githubusercontent.com/u/121111529?v=4",
+ "events_url": "https://api.github.com/users/nikita-tkachenko-datadog/events{/privacy}",
+ "followers_url": "https://api.github.com/users/nikita-tkachenko-datadog/followers",
+ "following_url": "https://api.github.com/users/nikita-tkachenko-datadog/following{/other_user}",
+ "gists_url": "https://api.github.com/users/nikita-tkachenko-datadog/gists{/gist_id}",
+ "gravatar_id": "",
+ "html_url": "https://github.com/nikita-tkachenko-datadog",
+ "id": 121111529,
+ "login": "nikita-tkachenko-datadog",
+ "node_id": "U_kgDOBzgD6Q",
+ "organizations_url": "https://api.github.com/users/nikita-tkachenko-datadog/orgs",
+ "received_events_url": "https://api.github.com/users/nikita-tkachenko-datadog/received_events",
+ "repos_url": "https://api.github.com/users/nikita-tkachenko-datadog/repos",
+ "site_admin": false,
+ "starred_url": "https://api.github.com/users/nikita-tkachenko-datadog/starred{/owner}{/repo}",
+ "subscriptions_url": "https://api.github.com/users/nikita-tkachenko-datadog/subscriptions",
+ "type": "User",
+ "url": "https://api.github.com/users/nikita-tkachenko-datadog"
+ },
+ "private": true,
+ "pulls_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/pulls{/number}",
+ "pushed_at": "2024-09-11T15:12:25Z",
+ "releases_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/releases{/id}",
+ "size": 90,
+ "squash_merge_commit_message": "COMMIT_MESSAGES",
+ "squash_merge_commit_title": "COMMIT_OR_PR_TITLE",
+ "ssh_url": "git@github.com:nikita-tkachenko-datadog/ci-test-project.git",
+ "stargazers_count": 0,
+ "stargazers_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/stargazers",
+ "statuses_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/statuses/{sha}",
+ "subscribers_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/subscribers",
+ "subscription_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/subscription",
+ "svn_url": "https://github.com/nikita-tkachenko-datadog/ci-test-project",
+ "tags_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/tags",
+ "teams_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/teams",
+ "topics": [],
+ "trees_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/git/trees{/sha}",
+ "updated_at": "2024-09-11T13:41:11Z",
+ "url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project",
+ "use_squash_pr_title_as_default": false,
+ "visibility": "private",
+ "watchers": 0,
+ "watchers_count": 0,
+ "web_commit_signoff_required": false
+ },
+ "sha": "52e0974c74d41160a03d59ddc73bb9f5adab054b",
+ "user": {
+ "avatar_url": "https://avatars.githubusercontent.com/u/121111529?v=4",
+ "events_url": "https://api.github.com/users/nikita-tkachenko-datadog/events{/privacy}",
+ "followers_url": "https://api.github.com/users/nikita-tkachenko-datadog/followers",
+ "following_url": "https://api.github.com/users/nikita-tkachenko-datadog/following{/other_user}",
+ "gists_url": "https://api.github.com/users/nikita-tkachenko-datadog/gists{/gist_id}",
+ "gravatar_id": "",
+ "html_url": "https://github.com/nikita-tkachenko-datadog",
+ "id": 121111529,
+ "login": "nikita-tkachenko-datadog",
+ "node_id": "U_kgDOBzgD6Q",
+ "organizations_url": "https://api.github.com/users/nikita-tkachenko-datadog/orgs",
+ "received_events_url": "https://api.github.com/users/nikita-tkachenko-datadog/received_events",
+ "repos_url": "https://api.github.com/users/nikita-tkachenko-datadog/repos",
+ "site_admin": false,
+ "starred_url": "https://api.github.com/users/nikita-tkachenko-datadog/starred{/owner}{/repo}",
+ "subscriptions_url": "https://api.github.com/users/nikita-tkachenko-datadog/subscriptions",
+ "type": "User",
+ "url": "https://api.github.com/users/nikita-tkachenko-datadog"
+ }
+ },
+ "body": "# What Does This Do\r\n\r\n# Motivation\r\n\r\n# Additional Notes\r\n",
+ "changed_files": 3,
+ "closed_at": null,
+ "comments": 0,
+ "comments_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/issues/1/comments",
+ "commits": 2,
+ "commits_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/pulls/1/commits",
+ "created_at": "2024-09-11T15:08:02Z",
+ "deletions": 0,
+ "diff_url": "https://github.com/nikita-tkachenko-datadog/ci-test-project/pull/1.diff",
+ "draft": false,
+ "head": {
+ "label": "nikita-tkachenko-datadog:test-branch",
+ "ref": "test-branch",
+ "repo": {
+ "allow_auto_merge": false,
+ "allow_forking": true,
+ "allow_merge_commit": true,
+ "allow_rebase_merge": true,
+ "allow_squash_merge": true,
+ "allow_update_branch": false,
+ "archive_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/{archive_format}{/ref}",
+ "archived": false,
+ "assignees_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/assignees{/user}",
+ "blobs_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/git/blobs{/sha}",
+ "branches_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/branches{/branch}",
+ "clone_url": "https://github.com/nikita-tkachenko-datadog/ci-test-project.git",
+ "collaborators_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/collaborators{/collaborator}",
+ "comments_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/comments{/number}",
+ "commits_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/commits{/sha}",
+ "compare_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/compare/{base}...{head}",
+ "contents_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/contents/{+path}",
+ "contributors_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/contributors",
+ "created_at": "2023-01-09T10:24:06Z",
+ "default_branch": "main",
+ "delete_branch_on_merge": false,
+ "deployments_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/deployments",
+ "description": null,
+ "disabled": false,
+ "downloads_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/downloads",
+ "events_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/events",
+ "fork": false,
+ "forks": 0,
+ "forks_count": 0,
+ "forks_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/forks",
+ "full_name": "nikita-tkachenko-datadog/ci-test-project",
+ "git_commits_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/git/commits{/sha}",
+ "git_refs_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/git/refs{/sha}",
+ "git_tags_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/git/tags{/sha}",
+ "git_url": "git://github.com/nikita-tkachenko-datadog/ci-test-project.git",
+ "has_discussions": false,
+ "has_downloads": true,
+ "has_issues": true,
+ "has_pages": false,
+ "has_projects": true,
+ "has_wiki": false,
+ "homepage": null,
+ "hooks_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/hooks",
+ "html_url": "https://github.com/nikita-tkachenko-datadog/ci-test-project",
+ "id": 586827266,
+ "is_template": false,
+ "issue_comment_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/issues/comments{/number}",
+ "issue_events_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/issues/events{/number}",
+ "issues_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/issues{/number}",
+ "keys_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/keys{/key_id}",
+ "labels_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/labels{/name}",
+ "language": "Shell",
+ "languages_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/languages",
+ "license": null,
+ "merge_commit_message": "PR_TITLE",
+ "merge_commit_title": "MERGE_MESSAGE",
+ "merges_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/merges",
+ "milestones_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/milestones{/number}",
+ "mirror_url": null,
+ "name": "ci-test-project",
+ "node_id": "R_kgDOIvpGAg",
+ "notifications_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/notifications{?since,all,participating}",
+ "open_issues": 1,
+ "open_issues_count": 1,
+ "owner": {
+ "avatar_url": "https://avatars.githubusercontent.com/u/121111529?v=4",
+ "events_url": "https://api.github.com/users/nikita-tkachenko-datadog/events{/privacy}",
+ "followers_url": "https://api.github.com/users/nikita-tkachenko-datadog/followers",
+ "following_url": "https://api.github.com/users/nikita-tkachenko-datadog/following{/other_user}",
+ "gists_url": "https://api.github.com/users/nikita-tkachenko-datadog/gists{/gist_id}",
+ "gravatar_id": "",
+ "html_url": "https://github.com/nikita-tkachenko-datadog",
+ "id": 121111529,
+ "login": "nikita-tkachenko-datadog",
+ "node_id": "U_kgDOBzgD6Q",
+ "organizations_url": "https://api.github.com/users/nikita-tkachenko-datadog/orgs",
+ "received_events_url": "https://api.github.com/users/nikita-tkachenko-datadog/received_events",
+ "repos_url": "https://api.github.com/users/nikita-tkachenko-datadog/repos",
+ "site_admin": false,
+ "starred_url": "https://api.github.com/users/nikita-tkachenko-datadog/starred{/owner}{/repo}",
+ "subscriptions_url": "https://api.github.com/users/nikita-tkachenko-datadog/subscriptions",
+ "type": "User",
+ "url": "https://api.github.com/users/nikita-tkachenko-datadog"
+ },
+ "private": true,
+ "pulls_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/pulls{/number}",
+ "pushed_at": "2024-09-11T15:12:25Z",
+ "releases_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/releases{/id}",
+ "size": 90,
+ "squash_merge_commit_message": "COMMIT_MESSAGES",
+ "squash_merge_commit_title": "COMMIT_OR_PR_TITLE",
+ "ssh_url": "git@github.com:nikita-tkachenko-datadog/ci-test-project.git",
+ "stargazers_count": 0,
+ "stargazers_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/stargazers",
+ "statuses_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/statuses/{sha}",
+ "subscribers_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/subscribers",
+ "subscription_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/subscription",
+ "svn_url": "https://github.com/nikita-tkachenko-datadog/ci-test-project",
+ "tags_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/tags",
+ "teams_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/teams",
+ "topics": [],
+ "trees_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/git/trees{/sha}",
+ "updated_at": "2024-09-11T13:41:11Z",
+ "url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project",
+ "use_squash_pr_title_as_default": false,
+ "visibility": "private",
+ "watchers": 0,
+ "watchers_count": 0,
+ "web_commit_signoff_required": false
+ },
+ "sha": "df289512a51123083a8e6931dd6f57bb3883d4c4",
+ "user": {
+ "avatar_url": "https://avatars.githubusercontent.com/u/121111529?v=4",
+ "events_url": "https://api.github.com/users/nikita-tkachenko-datadog/events{/privacy}",
+ "followers_url": "https://api.github.com/users/nikita-tkachenko-datadog/followers",
+ "following_url": "https://api.github.com/users/nikita-tkachenko-datadog/following{/other_user}",
+ "gists_url": "https://api.github.com/users/nikita-tkachenko-datadog/gists{/gist_id}",
+ "gravatar_id": "",
+ "html_url": "https://github.com/nikita-tkachenko-datadog",
+ "id": 121111529,
+ "login": "nikita-tkachenko-datadog",
+ "node_id": "U_kgDOBzgD6Q",
+ "organizations_url": "https://api.github.com/users/nikita-tkachenko-datadog/orgs",
+ "received_events_url": "https://api.github.com/users/nikita-tkachenko-datadog/received_events",
+ "repos_url": "https://api.github.com/users/nikita-tkachenko-datadog/repos",
+ "site_admin": false,
+ "starred_url": "https://api.github.com/users/nikita-tkachenko-datadog/starred{/owner}{/repo}",
+ "subscriptions_url": "https://api.github.com/users/nikita-tkachenko-datadog/subscriptions",
+ "type": "User",
+ "url": "https://api.github.com/users/nikita-tkachenko-datadog"
+ }
+ },
+ "html_url": "https://github.com/nikita-tkachenko-datadog/ci-test-project/pull/1",
+ "id": 2066570986,
+ "issue_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/issues/1",
+ "labels": [],
+ "locked": false,
+ "maintainer_can_modify": false,
+ "merge_commit_sha": "d9a3212d0d5d1483426dbbdf0beea32ee50abcde",
+ "mergeable": null,
+ "mergeable_state": "unknown",
+ "merged": false,
+ "merged_at": null,
+ "merged_by": null,
+ "milestone": null,
+ "node_id": "PR_kwDOIvpGAs57LV7q",
+ "number": 1,
+ "patch_url": "https://github.com/nikita-tkachenko-datadog/ci-test-project/pull/1.patch",
+ "rebaseable": null,
+ "requested_reviewers": [],
+ "requested_teams": [],
+ "review_comment_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/pulls/comments{/number}",
+ "review_comments": 0,
+ "review_comments_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/pulls/1/comments",
+ "state": "open",
+ "statuses_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/statuses/df289512a51123083a8e6931dd6f57bb3883d4c4",
+ "title": "Test commit",
+ "updated_at": "2024-09-11T15:12:26Z",
+ "url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/pulls/1",
+ "user": {
+ "avatar_url": "https://avatars.githubusercontent.com/u/121111529?v=4",
+ "events_url": "https://api.github.com/users/nikita-tkachenko-datadog/events{/privacy}",
+ "followers_url": "https://api.github.com/users/nikita-tkachenko-datadog/followers",
+ "following_url": "https://api.github.com/users/nikita-tkachenko-datadog/following{/other_user}",
+ "gists_url": "https://api.github.com/users/nikita-tkachenko-datadog/gists{/gist_id}",
+ "gravatar_id": "",
+ "html_url": "https://github.com/nikita-tkachenko-datadog",
+ "id": 121111529,
+ "login": "nikita-tkachenko-datadog",
+ "node_id": "U_kgDOBzgD6Q",
+ "organizations_url": "https://api.github.com/users/nikita-tkachenko-datadog/orgs",
+ "received_events_url": "https://api.github.com/users/nikita-tkachenko-datadog/received_events",
+ "repos_url": "https://api.github.com/users/nikita-tkachenko-datadog/repos",
+ "site_admin": false,
+ "starred_url": "https://api.github.com/users/nikita-tkachenko-datadog/starred{/owner}{/repo}",
+ "subscriptions_url": "https://api.github.com/users/nikita-tkachenko-datadog/subscriptions",
+ "type": "User",
+ "url": "https://api.github.com/users/nikita-tkachenko-datadog"
+ }
+ },
+ "repository": {
+ "allow_forking": true,
+ "archive_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/{archive_format}{/ref}",
+ "archived": false,
+ "assignees_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/assignees{/user}",
+ "blobs_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/git/blobs{/sha}",
+ "branches_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/branches{/branch}",
+ "clone_url": "https://github.com/nikita-tkachenko-datadog/ci-test-project.git",
+ "collaborators_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/collaborators{/collaborator}",
+ "comments_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/comments{/number}",
+ "commits_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/commits{/sha}",
+ "compare_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/compare/{base}...{head}",
+ "contents_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/contents/{+path}",
+ "contributors_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/contributors",
+ "created_at": "2023-01-09T10:24:06Z",
+ "default_branch": "main",
+ "deployments_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/deployments",
+ "description": null,
+ "disabled": false,
+ "downloads_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/downloads",
+ "events_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/events",
+ "fork": false,
+ "forks": 0,
+ "forks_count": 0,
+ "forks_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/forks",
+ "full_name": "nikita-tkachenko-datadog/ci-test-project",
+ "git_commits_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/git/commits{/sha}",
+ "git_refs_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/git/refs{/sha}",
+ "git_tags_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/git/tags{/sha}",
+ "git_url": "git://github.com/nikita-tkachenko-datadog/ci-test-project.git",
+ "has_discussions": false,
+ "has_downloads": true,
+ "has_issues": true,
+ "has_pages": false,
+ "has_projects": true,
+ "has_wiki": false,
+ "homepage": null,
+ "hooks_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/hooks",
+ "html_url": "https://github.com/nikita-tkachenko-datadog/ci-test-project",
+ "id": 586827266,
+ "is_template": false,
+ "issue_comment_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/issues/comments{/number}",
+ "issue_events_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/issues/events{/number}",
+ "issues_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/issues{/number}",
+ "keys_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/keys{/key_id}",
+ "labels_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/labels{/name}",
+ "language": "Shell",
+ "languages_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/languages",
+ "license": null,
+ "merges_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/merges",
+ "milestones_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/milestones{/number}",
+ "mirror_url": null,
+ "name": "ci-test-project",
+ "node_id": "R_kgDOIvpGAg",
+ "notifications_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/notifications{?since,all,participating}",
+ "open_issues": 1,
+ "open_issues_count": 1,
+ "owner": {
+ "avatar_url": "https://avatars.githubusercontent.com/u/121111529?v=4",
+ "events_url": "https://api.github.com/users/nikita-tkachenko-datadog/events{/privacy}",
+ "followers_url": "https://api.github.com/users/nikita-tkachenko-datadog/followers",
+ "following_url": "https://api.github.com/users/nikita-tkachenko-datadog/following{/other_user}",
+ "gists_url": "https://api.github.com/users/nikita-tkachenko-datadog/gists{/gist_id}",
+ "gravatar_id": "",
+ "html_url": "https://github.com/nikita-tkachenko-datadog",
+ "id": 121111529,
+ "login": "nikita-tkachenko-datadog",
+ "node_id": "U_kgDOBzgD6Q",
+ "organizations_url": "https://api.github.com/users/nikita-tkachenko-datadog/orgs",
+ "received_events_url": "https://api.github.com/users/nikita-tkachenko-datadog/received_events",
+ "repos_url": "https://api.github.com/users/nikita-tkachenko-datadog/repos",
+ "site_admin": false,
+ "starred_url": "https://api.github.com/users/nikita-tkachenko-datadog/starred{/owner}{/repo}",
+ "subscriptions_url": "https://api.github.com/users/nikita-tkachenko-datadog/subscriptions",
+ "type": "User",
+ "url": "https://api.github.com/users/nikita-tkachenko-datadog"
+ },
+ "private": true,
+ "pulls_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/pulls{/number}",
+ "pushed_at": "2024-09-11T15:12:25Z",
+ "releases_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/releases{/id}",
+ "size": 90,
+ "ssh_url": "git@github.com:nikita-tkachenko-datadog/ci-test-project.git",
+ "stargazers_count": 0,
+ "stargazers_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/stargazers",
+ "statuses_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/statuses/{sha}",
+ "subscribers_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/subscribers",
+ "subscription_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/subscription",
+ "svn_url": "https://github.com/nikita-tkachenko-datadog/ci-test-project",
+ "tags_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/tags",
+ "teams_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/teams",
+ "topics": [],
+ "trees_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/git/trees{/sha}",
+ "updated_at": "2024-09-11T13:41:11Z",
+ "url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project",
+ "visibility": "private",
+ "watchers": 0,
+ "watchers_count": 0,
+ "web_commit_signoff_required": false
+ },
+ "sender": {
+ "avatar_url": "https://avatars.githubusercontent.com/u/121111529?v=4",
+ "events_url": "https://api.github.com/users/nikita-tkachenko-datadog/events{/privacy}",
+ "followers_url": "https://api.github.com/users/nikita-tkachenko-datadog/followers",
+ "following_url": "https://api.github.com/users/nikita-tkachenko-datadog/following{/other_user}",
+ "gists_url": "https://api.github.com/users/nikita-tkachenko-datadog/gists{/gist_id}",
+ "gravatar_id": "",
+ "html_url": "https://github.com/nikita-tkachenko-datadog",
+ "id": 121111529,
+ "login": "nikita-tkachenko-datadog",
+ "node_id": "U_kgDOBzgD6Q",
+ "organizations_url": "https://api.github.com/users/nikita-tkachenko-datadog/orgs",
+ "received_events_url": "https://api.github.com/users/nikita-tkachenko-datadog/received_events",
+ "repos_url": "https://api.github.com/users/nikita-tkachenko-datadog/repos",
+ "site_admin": false,
+ "starred_url": "https://api.github.com/users/nikita-tkachenko-datadog/starred{/owner}{/repo}",
+ "subscriptions_url": "https://api.github.com/users/nikita-tkachenko-datadog/subscriptions",
+ "type": "User",
+ "url": "https://api.github.com/users/nikita-tkachenko-datadog"
+ }
+}
diff --git a/internal/datastreams/processor.go b/internal/datastreams/processor.go
index 1585deb221..0f0bc38faa 100644
--- a/internal/datastreams/processor.go
+++ b/internal/datastreams/processor.go
@@ -340,7 +340,11 @@ func (p *Processor) Start() {
}
p.stop = make(chan struct{})
p.flushRequest = make(chan chan<- struct{})
- go p.reportStats()
+ p.wg.Add(1)
+ go func() {
+ defer p.wg.Done()
+ p.reportStats()
+ }()
p.wg.Add(1)
go func() {
defer p.wg.Done()
@@ -372,7 +376,14 @@ func (p *Processor) Stop() {
}
func (p *Processor) reportStats() {
- for range time.NewTicker(time.Second * 10).C {
+ tick := time.NewTicker(time.Second * 10)
+ defer tick.Stop()
+ for {
+ select {
+ case <-p.stop:
+ return
+ case <-tick.C:
+ }
p.statsd.Count("datadog.datastreams.processor.payloads_in", atomic.SwapInt64(&p.stats.payloadsIn, 0), nil, 1)
p.statsd.Count("datadog.datastreams.processor.flushed_payloads", atomic.SwapInt64(&p.stats.flushedPayloads, 0), nil, 1)
p.statsd.Count("datadog.datastreams.processor.flushed_buckets", atomic.SwapInt64(&p.stats.flushedBuckets, 0), nil, 1)
diff --git a/internal/exectracetest/go.mod b/internal/exectracetest/go.mod
index 59bef79243..21f78dc032 100644
--- a/internal/exectracetest/go.mod
+++ b/internal/exectracetest/go.mod
@@ -1,6 +1,6 @@
module github.com/DataDog/dd-trace-go/internal/exectracetest/v2
-go 1.21
+go 1.22.0
require (
github.com/DataDog/dd-trace-go/contrib/database/sql/v2 v2.0.0-20240909105439-c452671ebc14
@@ -11,28 +11,35 @@ require (
)
require (
- github.com/DataDog/appsec-internal-go v1.7.0 // indirect
- github.com/DataDog/datadog-agent/pkg/obfuscate v0.52.1 // indirect
- github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.52.1 // indirect
- github.com/DataDog/datadog-go/v5 v5.5.0 // indirect
- github.com/DataDog/go-libddwaf/v3 v3.3.0 // indirect
- github.com/DataDog/go-sqllexer v0.0.11 // indirect
+ github.com/DataDog/appsec-internal-go v1.8.0 // indirect
+ github.com/DataDog/datadog-agent/pkg/obfuscate v0.48.0 // indirect
+ github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.57.0 // indirect
+ github.com/DataDog/datadog-go/v5 v5.3.0 // indirect
+ github.com/DataDog/go-libddwaf/v3 v3.4.0 // indirect
github.com/DataDog/go-tuf v1.1.0-0.5.2 // indirect
github.com/DataDog/sketches-go v1.4.5 // indirect
github.com/Microsoft/go-winio v0.6.2 // indirect
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/dustin/go-humanize v1.0.1 // indirect
- github.com/ebitengine/purego v0.7.1 // indirect
- github.com/google/uuid v1.6.0 // indirect
+ github.com/eapache/queue/v2 v2.0.0-20230407133247-75960ed334e4 // indirect
+ github.com/ebitengine/purego v0.6.0-alpha.5 // indirect
+ github.com/google/uuid v1.5.0 // indirect
+ github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7 // indirect
+ github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
+ github.com/hashicorp/go-sockaddr v1.0.2 // indirect
+ github.com/mitchellh/mapstructure v1.5.0 // indirect
github.com/outcaste-io/ristretto v0.2.3 // indirect
- github.com/philhofer/fwd v1.1.2 // indirect
+ github.com/philhofer/fwd v1.1.3-0.20240612014219-fbbf4953d986 // indirect
github.com/pkg/errors v0.9.1 // indirect
- github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect
- github.com/tinylib/msgp v1.1.9 // indirect
+ github.com/ryanuber/go-glob v1.0.0 // indirect
+ github.com/secure-systems-lab/go-securesystemslib v0.7.0 // indirect
+ github.com/tinylib/msgp v1.2.1 // indirect
go.uber.org/atomic v1.11.0 // indirect
- golang.org/x/mod v0.17.0 // indirect
- golang.org/x/sys v0.20.0 // indirect
- golang.org/x/time v0.5.0 // indirect
+ golang.org/x/mod v0.18.0 // indirect
+ golang.org/x/sync v0.7.0 // indirect
+ golang.org/x/sys v0.23.0 // indirect
+ golang.org/x/time v0.3.0 // indirect
+ golang.org/x/tools v0.22.0 // indirect
golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
google.golang.org/protobuf v1.34.1 // indirect
)
diff --git a/internal/exectracetest/go.sum b/internal/exectracetest/go.sum
index 5afa9af863..c090132bc8 100644
--- a/internal/exectracetest/go.sum
+++ b/internal/exectracetest/go.sum
@@ -1,15 +1,13 @@
-github.com/DataDog/appsec-internal-go v1.7.0 h1:iKRNLih83dJeVya3IoUfK+6HLD/hQsIbyBlfvLmAeb0=
-github.com/DataDog/appsec-internal-go v1.7.0/go.mod h1:wW0cRfWBo4C044jHGwYiyh5moQV2x0AhnwqMuiX7O/g=
-github.com/DataDog/datadog-agent/pkg/obfuscate v0.52.1 h1:/oxF4p/4XUGNpNw2TE7vDu/pJV3elEAZ+jES0/MWtiI=
-github.com/DataDog/datadog-agent/pkg/obfuscate v0.52.1/go.mod h1:AVPQWekk3h9AOC7+plBlNB68Sy6UIGFoMMVUDeSoNoI=
-github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.52.1 h1:mmkGuCHBFuDBpuwNMcqtY1x1I2fCaPH2Br4xPAAjbkM=
-github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.52.1/go.mod h1:JhAilx32dkIgoDkFXquCTfaWDsAOfe+vfBaxbiZoPI0=
-github.com/DataDog/datadog-go/v5 v5.5.0 h1:G5KHeB8pWBNXT4Jtw0zAkhdxEAWSpWH00geHI6LDrKU=
-github.com/DataDog/datadog-go/v5 v5.5.0/go.mod h1:K9kcYBlxkcPP8tvvjZZKs/m1edNAUFzBbdpTUKfCsuw=
-github.com/DataDog/go-libddwaf/v3 v3.3.0 h1:jS72fuQpFgJZEdEJDmHJCPAgNTEMZoz1EUvimPUOiJ4=
-github.com/DataDog/go-libddwaf/v3 v3.3.0/go.mod h1:Bz/0JkpGf689mzbUjKJeheJINqsyyhM8p9PDuHdK2Ec=
-github.com/DataDog/go-sqllexer v0.0.11 h1:OfPBjmayreblOXreszbrOTICNZ3qWrA6Bg4sypvxpbw=
-github.com/DataDog/go-sqllexer v0.0.11/go.mod h1:KwkYhpFEVIq+BfobkTC1vfqm4gTi65skV/DpDBXtexc=
+github.com/DataDog/appsec-internal-go v1.8.0 h1:1Tfn3LEogntRqZtf88twSApOCAAO3V+NILYhuQIo4J4=
+github.com/DataDog/appsec-internal-go v1.8.0/go.mod h1:wW0cRfWBo4C044jHGwYiyh5moQV2x0AhnwqMuiX7O/g=
+github.com/DataDog/datadog-agent/pkg/obfuscate v0.48.0 h1:bUMSNsw1iofWiju9yc1f+kBd33E3hMJtq9GuU602Iy8=
+github.com/DataDog/datadog-agent/pkg/obfuscate v0.48.0/go.mod h1:HzySONXnAgSmIQfL6gOv9hWprKJkx8CicuXuUbmgWfo=
+github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.57.0 h1:LplNAmMgZvGU7kKA0+4c1xWOjz828xweW5TCi8Mw9Q0=
+github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.57.0/go.mod h1:4Vo3SJ24uzfKHUHLoFa8t8o+LH+7TCQ7sPcZDtOpSP4=
+github.com/DataDog/datadog-go/v5 v5.3.0 h1:2q2qjFOb3RwAZNU+ez27ZVDwErJv5/VpbBPprz7Z+s8=
+github.com/DataDog/datadog-go/v5 v5.3.0/go.mod h1:XRDJk1pTc00gm+ZDiBKsjh7oOOtJfYfglVCmFb8C2+Q=
+github.com/DataDog/go-libddwaf/v3 v3.4.0 h1:NJ2W2vhYaOm1OWr1LJCbdgp7ezG/XLJcQKBmjFwhSuM=
+github.com/DataDog/go-libddwaf/v3 v3.4.0/go.mod h1:n98d9nZ1gzenRSk53wz8l6d34ikxS+hs62A31Fqmyi4=
github.com/DataDog/go-tuf v1.1.0-0.5.2 h1:4CagiIekonLSfL8GMHRHcHudo1fQnxELS9g4tiAupQ4=
github.com/DataDog/go-tuf v1.1.0-0.5.2/go.mod h1:zBcq6f654iVqmkk8n2Cx81E1JnNTMOAx1UEO/wZR+P0=
github.com/DataDog/gostackparse v0.7.0 h1:i7dLkXHvYzHV308hnkvVGDL3BR4FWl7IsXNPz/IGQh4=
@@ -17,8 +15,10 @@ github.com/DataDog/gostackparse v0.7.0/go.mod h1:lTfqcJKqS9KnXQGnyQMCugq3u1FP6UZ
github.com/DataDog/sketches-go v1.4.5 h1:ki7VfeNz7IcNafq7yI/j5U/YCkO3LJiMDtXz9OMQbyE=
github.com/DataDog/sketches-go v1.4.5/go.mod h1:7Y8GN8Jf66DLyDhc94zuWA3uHEt/7ttt8jHOBWWrSOg=
github.com/Microsoft/go-winio v0.5.0/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84=
-github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
-github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
+github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
+github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
+github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
+github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
@@ -35,8 +35,9 @@ github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkp
github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
github.com/eapache/queue/v2 v2.0.0-20230407133247-75960ed334e4 h1:8EXxF+tCLqaVk8AOC29zl2mnhQjwyLxxOTuhUazWRsg=
github.com/eapache/queue/v2 v2.0.0-20230407133247-75960ed334e4/go.mod h1:I5sHm0Y0T1u5YjlyqC5GVArM7aNZRUYtTjmJ8mPJFds=
-github.com/ebitengine/purego v0.7.1 h1:6/55d26lG3o9VCZX8lping+bZcmShseiqlh2bnUDiPA=
-github.com/ebitengine/purego v0.7.1/go.mod h1:ah1In8AOtksoNK6yk5z1HTJeUkC1Ez4Wk2idgGslMwQ=
+github.com/ebitengine/purego v0.6.0-alpha.5 h1:EYID3JOAdmQ4SNZYJHu9V6IqOeRQDBYxqKAg9PyoHFY=
+github.com/ebitengine/purego v0.6.0-alpha.5/go.mod h1:ah1In8AOtksoNK6yk5z1HTJeUkC1Ez4Wk2idgGslMwQ=
+github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
github.com/go-sql-driver/mysql v1.6.0 h1:BCTh4TKNUYmOmMUcQ3IipzF5prigylS7XXjEkfCHuOE=
github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 h1:au07oEsX2xN0ktxqI+Sida1w446QrXBRJ0nee3SNZlA=
@@ -48,10 +49,13 @@ github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
github.com/google/pprof v0.0.0-20230817174616-7a8ec2ada47b h1:h9U78+dx9a4BKdQkBBos92HalKpaGKHrp+3Uo6yTodo=
github.com/google/pprof v0.0.0-20230817174616-7a8ec2ada47b/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
-github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
-github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.5.0 h1:1p67kYwdtXjb0gL0BPiP1Av9wiZPo5A8z2cWkTZ+eyU=
+github.com/google/uuid v1.5.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7 h1:UpiO20jno/eV1eVZcxqWnUohyKRe1g8FPV/xH1s/2qs=
github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8=
+github.com/hashicorp/go-secure-stdlib/strutil v0.1.1/go.mod h1:gKOamz3EwoIoJq7mlMIRBpVTAUn8qPCrEclOKKWhD3U=
github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9CdjCtrXrXGuOpxEA7Ts=
github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4=
github.com/hashicorp/go-sockaddr v1.0.2 h1:ztczhD1jLxIRjVejw8gFomI1BQZOe2WoVOu0SyteCQc=
@@ -64,27 +68,32 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
github.com/lib/pq v1.10.2 h1:AqzbZs4ZoCBp+GtejcpCpcxM3zlSMx29dXbUSeVtJb8=
github.com/lib/pq v1.10.2/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
+github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
+github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
github.com/mattn/go-sqlite3 v1.14.18 h1:JL0eqdCOq6DJVNPSvArO/bIV9/P7fbGrV00LZHc+5aI=
github.com/mattn/go-sqlite3 v1.14.18/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg=
+github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
+github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo=
+github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
github.com/outcaste-io/ristretto v0.2.3 h1:AK4zt/fJ76kjlYObOeNwh4T3asEuaCmp26pOvUOL9w0=
github.com/outcaste-io/ristretto v0.2.3/go.mod h1:W8HywhmtlopSB1jeMg3JtdIhf+DYkLAr0VN/s4+MHac=
-github.com/philhofer/fwd v1.1.2 h1:bnDivRJ1EWPjUIRXV5KfORO897HTbpFAQddBdE8t7Gw=
-github.com/philhofer/fwd v1.1.2/go.mod h1:qkPdfjR2SIEbspLqpe1tO4n5yICnr2DY7mqEx2tUTP0=
+github.com/philhofer/fwd v1.1.3-0.20240612014219-fbbf4953d986 h1:jYi87L8j62qkXzaYHAQAhEapgukhenIMZRBKTNRLHJ4=
+github.com/philhofer/fwd v1.1.3-0.20240612014219-fbbf4953d986/go.mod h1:RqIHx9QI14HlwKwm98g9Re5prTQ6LdeRQn+gXJFxsJM=
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
github.com/richardartoul/molecule v1.0.1-0.20240531184615-7ca0df43c0b3 h1:4+LEVOB87y175cLJC/mbsgKmoDOjrBldtXvioEy96WY=
github.com/richardartoul/molecule v1.0.1-0.20240531184615-7ca0df43c0b3/go.mod h1:vl5+MqJ1nBINuSsUI2mGgH79UweUT/B5Fy8857PqyyI=
-github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
-github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
+github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk=
github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
github.com/secure-systems-lab/go-securesystemslib v0.8.0 h1:mr5An6X45Kb2nddcFlbmfHkLguCE9laoZCUzEEpIZXA=
@@ -105,8 +114,8 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/tinylib/msgp v1.1.9 h1:SHf3yoO2sGA0veCJeCBYLHuttAVFHGm2RHgNodW7wQU=
-github.com/tinylib/msgp v1.1.9/go.mod h1:BCXGB54lDD8qUEPmiG0cQQUANC4IUQyB2ItS2UDlO/k=
+github.com/tinylib/msgp v1.2.1 h1:6ypy2qcCznxpP4hpORzhtXyTqrBs7cfM9MCCWY8zsmU=
+github.com/tinylib/msgp v1.2.1/go.mod h1:2vIGs3lcUo8izAATNobrCHevYZC/LMsJtw4JPiYPHro=
github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
@@ -115,22 +124,21 @@ go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI=
-golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
+golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
+golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 h1:vr/HnozRka3pE4EsMEg1lgkXJkTFJCVUX+S/ZT6wYzM=
golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc=
golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
-golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0=
+golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
-golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac=
-golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -139,25 +147,27 @@ golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7w
golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220627191245-f75cf1eec38b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
-golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.23.0 h1:YfKFowiIMvtgl1UERQoTPPToxltDeZfbj4H7dVUCwmM=
+golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
-golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
+golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.21.0 h1:qc0xYgIbsSDt9EyWz05J5wfa7LOVW0YTLOXrqdLAWIw=
-golang.org/x/tools v0.21.0/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
+golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA=
+golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 h1:+cNy6SZtPcJQH3LJVLOSmiC7MMxXNOb3PU/VUEz+EhU=
golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90=
-google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg=
-google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+google.golang.org/grpc v1.57.1 h1:upNTNqv0ES+2ZOOqACwVtS3Il8M12/+Hz41RCPzAjQg=
+google.golang.org/grpc v1.57.1/go.mod h1:Sd+9RMTACXwmub0zcNY2c4arhtrbBYD1AUHI/dt16Mo=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
diff --git a/internal/log/log.go b/internal/log/log.go
index 49083164f8..3471d3d28b 100644
--- a/internal/log/log.go
+++ b/internal/log/log.go
@@ -58,6 +58,40 @@ type Logger interface {
Log(msg string)
}
+// File name for writing tracer logs, if DD_TRACE_LOG_DIRECTORY has been configured
+const LoggerFile = "ddtrace.log"
+
+// ManagedFile functions like a *os.File but is safe for concurrent use
+type ManagedFile struct {
+ mu sync.RWMutex
+ file *os.File
+ closed bool
+}
+
+// Close closes the ManagedFile's *os.File in a concurrent-safe manner, ensuring the file is closed only once
+func (m *ManagedFile) Close() error {
+ m.mu.Lock()
+ defer m.mu.Unlock()
+ if m.file == nil || m.closed {
+ return nil
+ }
+ err := m.file.Close()
+ if err != nil {
+ return err
+ }
+ m.closed = true
+ return nil
+}
+
+func (m *ManagedFile) Name() string {
+ m.mu.RLock()
+ defer m.mu.RUnlock()
+ if m.file == nil {
+ return ""
+ }
+ return m.file.Name()
+}
+
var (
mu sync.RWMutex // guards below fields
levelThreshold = LevelWarn
@@ -77,6 +111,25 @@ func UseLogger(l Logger) (undo func()) {
}
}
+// OpenFileAtPath creates a new file at the specified dirPath and configures the logger to write to this file. The dirPath must already exist on the underlying os.
+// It returns the file that was created, or nil and an error if the file creation was unsuccessful.
+// The caller of OpenFileAtPath is responsible for calling Close() on the ManagedFile
+func OpenFileAtPath(dirPath string) (*ManagedFile, error) {
+ path, err := os.Stat(dirPath)
+ if err != nil || !path.IsDir() {
+ return nil, fmt.Errorf("file path %v invalid or does not exist on the underlying os; using default logger to stderr", dirPath)
+ }
+ filepath := dirPath + "/" + LoggerFile
+ f, err := os.OpenFile(filepath, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0666)
+ if err != nil {
+ return nil, fmt.Errorf("using default logger to stderr due to error creating or opening log file: %v", err)
+ }
+ UseLogger(&defaultLogger{l: log.New(f, "", log.LstdFlags)})
+ return &ManagedFile{
+ file: f,
+ }, nil
+}
+
// SetLevel sets the given lvl as log threshold for logging.
func SetLevel(lvl Level) {
mu.Lock()
diff --git a/internal/log/log_test.go b/internal/log/log_test.go
index 61690a0c25..ed2c88f8f1 100644
--- a/internal/log/log_test.go
+++ b/internal/log/log_test.go
@@ -6,7 +6,9 @@
package log
import (
+ "bytes"
"fmt"
+ "os"
"strings"
"sync"
"testing"
@@ -44,6 +46,76 @@ func (tp *testLogger) Reset() {
tp.mu.Unlock()
}
+func TestLogDirectory(t *testing.T) {
+ t.Run("invalid", func(t *testing.T) {
+ f, err := OpenFileAtPath("/some/nonexistent/path")
+ assert.Nil(t, f)
+ assert.Error(t, err)
+ })
+ t.Run("valid", func(t *testing.T) {
+ // ensure File is created successfully
+ dir, err := os.MkdirTemp("", "example")
+ if err != nil {
+ t.Fatalf("Failure creating directory %v", err)
+ }
+ f, err := OpenFileAtPath(dir)
+ assert.Nil(t, err)
+ fp := dir + "/" + LoggerFile
+ assert.NotNil(t, f.file)
+ assert.Equal(t, fp, f.file.Name())
+ assert.False(t, f.closed)
+
+ // ensure this setting plays nicely with other log features
+ oldLvl := level
+ SetLevel(LevelDebug)
+ defer func() {
+ SetLevel(oldLvl)
+ }()
+ Info("info!")
+ Warn("warn!")
+ Debug("debug!")
+ // shorten errrate to test Error() behavior in a reasonable amount of time
+ oldRate := errrate
+ errrate = time.Microsecond
+ defer func() {
+ errrate = oldRate
+ }()
+ Error("error!")
+ time.Sleep(1 * time.Second)
+
+ b, err := os.ReadFile(fp)
+ if err != nil {
+ t.Fatalf("Failure reading file: %v", err)
+ }
+ // convert file content to []string{}, split by \n, to easily check its contents
+ lines := bytes.Split(b, []byte{'\n'})
+ var logs []string
+ for _, line := range lines {
+ logs = append(logs, string(line))
+ }
+
+ assert.True(t, containsMessage("INFO", "info!", logs))
+ assert.True(t, containsMessage("WARN", "warn!", logs))
+ assert.True(t, containsMessage("DEBUG", "debug!", logs))
+ assert.True(t, containsMessage("ERROR", "error!", logs))
+
+ f.Close()
+ assert.True(t, f.closed)
+
+ //ensure f.Close() is concurrent-safe and free of deadlocks
+ var wg sync.WaitGroup
+ for i := 0; i < 100; i++ {
+ wg.Add(1)
+ go func() {
+ defer wg.Done()
+ f.Close()
+ }()
+ }
+ wg.Wait()
+ assert.True(t, f.closed)
+ })
+}
+
func TestLog(t *testing.T) {
defer func(old Logger) { UseLogger(old) }(logger)
tp := &testLogger{}
@@ -197,3 +269,12 @@ func hasMsg(lvl, m string, lines []string) bool {
func msg(lvl, msg string) string {
return fmt.Sprintf("%s %s: %s", prefixMsg, lvl, msg)
}
+
+func containsMessage(lvl, m string, lines []string) bool {
+ for _, line := range lines {
+ if strings.Contains(line, msg(lvl, m)) {
+ return true
+ }
+ }
+ return false
+}
diff --git a/internal/remoteconfig/remoteconfig.go b/internal/remoteconfig/remoteconfig.go
index dd3c06f5eb..5a2a5076d0 100644
--- a/internal/remoteconfig/remoteconfig.go
+++ b/internal/remoteconfig/remoteconfig.go
@@ -70,16 +70,48 @@ const (
APMTracingHTTPHeaderTags
// APMTracingCustomTags enables APM client to set custom tags on all spans
APMTracingCustomTags
- // ASMRASPSSRF enables ASM support for runtime protection against SSRF attacks
- ASMRASPSSRF = 23
-)
-
-// Additional capability bit index values that are non-consecutive from above.
-const (
+ // ASMProcessorOverrides adds support for processor overrides through the ASM RC Product
+ ASMProcessorOverrides
+ // ASMCustomDataScanners adds support for custom data scanners through the ASM RC Product
+ ASMCustomDataScanners
+ // ASMExclusionData adds support configurable exclusion filter data from the ASM_DATA Product
+ ASMExclusionData
// APMTracingEnabled enables APM tracing
- APMTracingEnabled Capability = 19
+ APMTracingEnabled
+ // APMTracingDataStreamsEnabled enables Data Streams Monitoring
+ APMTracingDataStreamsEnabled
+ // ASMRASPSQLI enables ASM support for runtime protection against SQL Injection attacks
+ ASMRASPSQLI
+ // ASMRASPLFI enables ASM support for runtime protection against Local File Inclusion attacks
+ ASMRASPLFI
+ // ASMRASPSSRF enables ASM support for runtime protection against SSRF attacks
+ ASMRASPSSRF
+ // ASMRASPSHI enables ASM support for runtime protection against XSS attacks
+ ASMRASPSHI
+ // ASMRASPXXE enables ASM support for runtime protection against XXE attacks
+ ASMRASPXXE
+ // ASMRASPRCE enables ASM support for runtime protection against Remote Code Execution
+ ASMRASPRCE
+ // ASMRASPNOSQLI enables ASM support for runtime protection against NoSQL Injection attacks
+ ASMRASPNOSQLI
+ // ASMRASPXSS enables ASM support for runtime protection against Cross Site Scripting attacks
+ ASMRASPXSS
// APMTracingSampleRules represents the sampling rate using matching rules from APM client libraries
- APMTracingSampleRules = 29
+ APMTracingSampleRules
+ // CSMActivation represents the capability to activate CSM through remote configuration
+ CSMActivation
+ // ASMAutoUserInstrumMode represents the capability to enable the automatic user instrumentation mode
+ ASMAutoUserInstrumMode
+ // ASMEndpointFingerprinting represents the capability to enable endpoint fingerprinting
+ ASMEndpointFingerprinting
+ // ASMSessionFingerprinting represents the capability to enable session fingerprinting
+ ASMSessionFingerprinting
+ // ASMNetworkFingerprinting represents the capability to enable network fingerprinting
+ ASMNetworkFingerprinting
+ // ASMHeaderFingerprinting represents the capability to enable header fingerprinting
+ ASMHeaderFingerprinting
+ // ASMTruncationRules is the support for truncation payload rules
+ ASMTruncationRules
)
// ErrClientNotStarted is returned when the remote config client is not started.
diff --git a/internal/apps/setup-smoke-test/Dockerfile b/internal/setup-smoke-test/Dockerfile
similarity index 88%
rename from internal/apps/setup-smoke-test/Dockerfile
rename to internal/setup-smoke-test/Dockerfile
index 059adafb84..764c793188 100644
--- a/internal/apps/setup-smoke-test/Dockerfile
+++ b/internal/setup-smoke-test/Dockerfile
@@ -17,7 +17,7 @@
# select one by default, but also allows to provide a --build-arg option
# too instead of relying on the --target option. This way, the CI matrix
# can systematically use --build-arg for all of the parameters.
-ARG go="1.21" # golang docker image parameter in `golang:{go}-{buildenv}`
+ARG go="1.22" # golang docker image parameter in `golang:{go}-{buildenv}`
ARG build_env="bookworm" # golang docker image parameter in `golang:{go}-{buildenv}`
ARG build_with_cgo="0" # 0 or 1
ARG build_with_vendoring="" # y or empty
@@ -30,7 +30,7 @@ FROM golang:$go-$build_env AS build-env
WORKDIR /src
COPY . .
-WORKDIR /src/internal/apps/setup-smoke-test
+WORKDIR /src/internal/setup-smoke-test
ARG build_with_cgo
RUN go env -w CGO_ENABLED=$build_with_cgo
@@ -72,7 +72,7 @@ RUN ldd smoke-test || true
# this image to preperly highlight the fact that the compiled program is running
# out of the box in it without any further installation.
FROM debian:11 AS debian11
-COPY --from=build-env /src/internal/apps/setup-smoke-test/smoke-test /usr/local/bin
+COPY --from=build-env /src/internal/setup-smoke-test/smoke-test /usr/local/bin
CMD /usr/local/bin/smoke-test
# debian12 deployment environment
@@ -80,7 +80,7 @@ CMD /usr/local/bin/smoke-test
# this image to preperly highlight the fact that the compiled program is running
# out of the box in it without any further installation.
FROM debian:12 AS debian12
-COPY --from=build-env /src/internal/apps/setup-smoke-test/smoke-test /usr/local/bin
+COPY --from=build-env /src/internal/setup-smoke-test/smoke-test /usr/local/bin
CMD /usr/local/bin/smoke-test
# alpine deployment environment
@@ -92,7 +92,7 @@ ARG build_with_cgo
RUN set -ex; if [ "$build_with_cgo" = "1" ]; then \
apk update && apk add libc6-compat; \
fi
-COPY --from=build-env /src/internal/apps/setup-smoke-test/smoke-test /usr/local/bin
+COPY --from=build-env /src/internal/setup-smoke-test/smoke-test /usr/local/bin
CMD /usr/local/bin/smoke-test
# amazonlinux:2 deployment environment
@@ -100,7 +100,7 @@ CMD /usr/local/bin/smoke-test
# this image to preperly highlight the fact that the compiled program is running
# out of the box in it without any further installation.
FROM amazonlinux:2 AS al2
-COPY --from=build-env /src/internal/apps/setup-smoke-test/smoke-test /usr/local/bin
+COPY --from=build-env /src/internal/setup-smoke-test/smoke-test /usr/local/bin
CMD /usr/local/bin/smoke-test
# amazonlinux:2023 deployment environment
@@ -108,7 +108,7 @@ CMD /usr/local/bin/smoke-test
# this image to preperly highlight the fact that the compiled program is running
# out of the box in it without any further installation.
FROM amazonlinux:2023 AS al2023
-COPY --from=build-env /src/internal/apps/setup-smoke-test/smoke-test /usr/local/bin
+COPY --from=build-env /src/internal/setup-smoke-test/smoke-test /usr/local/bin
CMD /usr/local/bin/smoke-test
# busybox deployment environment
@@ -117,7 +117,7 @@ CMD /usr/local/bin/smoke-test
# out of the box in it without any further installation.
FROM busybox AS busybox
RUN mkdir -p /usr/local/bin
-COPY --from=build-env /src/internal/apps/setup-smoke-test/smoke-test /usr/local/bin
+COPY --from=build-env /src/internal/setup-smoke-test/smoke-test /usr/local/bin
CMD /usr/local/bin/smoke-test
# scratch deployment environment - meant to be used with CGO_ENABLED=0
@@ -125,7 +125,7 @@ CMD /usr/local/bin/smoke-test
# this image to preperly highlight the fact that the compiled program is running
# out of the box in it without any further installation.
FROM scratch AS scratch
-COPY --from=build-env /src/internal/apps/setup-smoke-test/smoke-test /
+COPY --from=build-env /src/internal/setup-smoke-test/smoke-test /
ENTRYPOINT [ "/smoke-test" ]
# Final deployment environment - helper target to end up a single one
diff --git a/internal/setup-smoke-test/go.mod b/internal/setup-smoke-test/go.mod
new file mode 100644
index 0000000000..81da442cc8
--- /dev/null
+++ b/internal/setup-smoke-test/go.mod
@@ -0,0 +1,40 @@
+module github.com/DataDog/dd-trace-go/internal/setup-smoke-test
+
+go 1.22.0
+
+require (
+ github.com/DataDog/appsec-internal-go v1.7.0 // indirect
+ github.com/DataDog/datadog-agent/pkg/obfuscate v0.48.0 // indirect
+ github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.48.1 // indirect
+ github.com/DataDog/datadog-go/v5 v5.3.0 // indirect
+ github.com/DataDog/go-libddwaf/v3 v3.3.0 // indirect
+ github.com/DataDog/go-tuf v1.0.2-0.5.2 // indirect
+ github.com/DataDog/gostackparse v0.7.0 // indirect
+ github.com/DataDog/sketches-go v1.4.5 // indirect
+ github.com/Microsoft/go-winio v0.6.1 // indirect
+ github.com/cespare/xxhash/v2 v2.2.0 // indirect
+ github.com/dustin/go-humanize v1.0.1 // indirect
+ github.com/eapache/queue/v2 v2.0.0-20230407133247-75960ed334e4 // indirect
+ github.com/ebitengine/purego v0.6.0-alpha.5 // indirect
+ github.com/google/pprof v0.0.0-20230817174616-7a8ec2ada47b // indirect
+ github.com/google/uuid v1.5.0 // indirect
+ github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7 // indirect
+ github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
+ github.com/hashicorp/go-sockaddr v1.0.2 // indirect
+ github.com/mitchellh/mapstructure v1.5.0 // indirect
+ github.com/outcaste-io/ristretto v0.2.3 // indirect
+ github.com/philhofer/fwd v1.1.2 // indirect
+ github.com/pkg/errors v0.9.1 // indirect
+ github.com/richardartoul/molecule v1.0.1-0.20240531184615-7ca0df43c0b3 // indirect
+ github.com/ryanuber/go-glob v1.0.0 // indirect
+ github.com/secure-systems-lab/go-securesystemslib v0.7.0 // indirect
+ github.com/spaolacci/murmur3 v1.1.0 // indirect
+ github.com/tinylib/msgp v1.1.8 // indirect
+ go.uber.org/atomic v1.11.0 // indirect
+ golang.org/x/mod v0.14.0 // indirect
+ golang.org/x/sys v0.20.0 // indirect
+ golang.org/x/time v0.3.0 // indirect
+ golang.org/x/tools v0.16.1 // indirect
+ golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
+ google.golang.org/protobuf v1.33.0 // indirect
+)
diff --git a/internal/setup-smoke-test/go.sum b/internal/setup-smoke-test/go.sum
new file mode 100644
index 0000000000..b19c19b177
--- /dev/null
+++ b/internal/setup-smoke-test/go.sum
@@ -0,0 +1,203 @@
+github.com/DataDog/appsec-internal-go v1.7.0 h1:iKRNLih83dJeVya3IoUfK+6HLD/hQsIbyBlfvLmAeb0=
+github.com/DataDog/appsec-internal-go v1.7.0/go.mod h1:wW0cRfWBo4C044jHGwYiyh5moQV2x0AhnwqMuiX7O/g=
+github.com/DataDog/datadog-agent/pkg/obfuscate v0.48.0 h1:bUMSNsw1iofWiju9yc1f+kBd33E3hMJtq9GuU602Iy8=
+github.com/DataDog/datadog-agent/pkg/obfuscate v0.48.0/go.mod h1:HzySONXnAgSmIQfL6gOv9hWprKJkx8CicuXuUbmgWfo=
+github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.48.1 h1:5nE6N3JSs2IG3xzMthNFhXfOaXlrsdgqmJ73lndFf8c=
+github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.48.1/go.mod h1:Vc+snp0Bey4MrrJyiV2tVxxJb6BmLomPvN1RgAvjGaQ=
+github.com/DataDog/datadog-go/v5 v5.3.0 h1:2q2qjFOb3RwAZNU+ez27ZVDwErJv5/VpbBPprz7Z+s8=
+github.com/DataDog/datadog-go/v5 v5.3.0/go.mod h1:XRDJk1pTc00gm+ZDiBKsjh7oOOtJfYfglVCmFb8C2+Q=
+github.com/DataDog/go-libddwaf/v3 v3.3.0 h1:jS72fuQpFgJZEdEJDmHJCPAgNTEMZoz1EUvimPUOiJ4=
+github.com/DataDog/go-libddwaf/v3 v3.3.0/go.mod h1:Bz/0JkpGf689mzbUjKJeheJINqsyyhM8p9PDuHdK2Ec=
+github.com/DataDog/go-tuf v1.0.2-0.5.2 h1:EeZr937eKAWPxJ26IykAdWA4A0jQXJgkhUjqEI/w7+I=
+github.com/DataDog/go-tuf v1.0.2-0.5.2/go.mod h1:zBcq6f654iVqmkk8n2Cx81E1JnNTMOAx1UEO/wZR+P0=
+github.com/DataDog/gostackparse v0.7.0 h1:i7dLkXHvYzHV308hnkvVGDL3BR4FWl7IsXNPz/IGQh4=
+github.com/DataDog/gostackparse v0.7.0/go.mod h1:lTfqcJKqS9KnXQGnyQMCugq3u1FP6UZMfWR0aitKFMM=
+github.com/DataDog/sketches-go v1.4.5 h1:ki7VfeNz7IcNafq7yI/j5U/YCkO3LJiMDtXz9OMQbyE=
+github.com/DataDog/sketches-go v1.4.5/go.mod h1:7Y8GN8Jf66DLyDhc94zuWA3uHEt/7ttt8jHOBWWrSOg=
+github.com/Microsoft/go-winio v0.5.0/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84=
+github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
+github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
+github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
+github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
+github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
+github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2 h1:tdlZCpZ/P9DhczCTSixgIKmwPv6+wP5DGjqLYw5SUiA=
+github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw=
+github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
+github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
+github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
+github.com/eapache/queue/v2 v2.0.0-20230407133247-75960ed334e4 h1:8EXxF+tCLqaVk8AOC29zl2mnhQjwyLxxOTuhUazWRsg=
+github.com/eapache/queue/v2 v2.0.0-20230407133247-75960ed334e4/go.mod h1:I5sHm0Y0T1u5YjlyqC5GVArM7aNZRUYtTjmJ8mPJFds=
+github.com/ebitengine/purego v0.6.0-alpha.5 h1:EYID3JOAdmQ4SNZYJHu9V6IqOeRQDBYxqKAg9PyoHFY=
+github.com/ebitengine/purego v0.6.0-alpha.5/go.mod h1:ah1In8AOtksoNK6yk5z1HTJeUkC1Ez4Wk2idgGslMwQ=
+github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
+github.com/glebarez/go-sqlite v1.22.0 h1:uAcMJhaA6r3LHMTFgP0SifzgXg46yJkgxqyuyec+ruQ=
+github.com/glebarez/go-sqlite v1.22.0/go.mod h1:PlBIdHe0+aUEFn+r2/uthrWq4FxbzugL0L8Li6yQJbc=
+github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
+github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
+github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
+github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/pprof v0.0.0-20230817174616-7a8ec2ada47b h1:h9U78+dx9a4BKdQkBBos92HalKpaGKHrp+3Uo6yTodo=
+github.com/google/pprof v0.0.0-20230817174616-7a8ec2ada47b/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
+github.com/google/uuid v1.5.0 h1:1p67kYwdtXjb0gL0BPiP1Av9wiZPo5A8z2cWkTZ+eyU=
+github.com/google/uuid v1.5.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
+github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7 h1:UpiO20jno/eV1eVZcxqWnUohyKRe1g8FPV/xH1s/2qs=
+github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8=
+github.com/hashicorp/go-secure-stdlib/strutil v0.1.1/go.mod h1:gKOamz3EwoIoJq7mlMIRBpVTAUn8qPCrEclOKKWhD3U=
+github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9CdjCtrXrXGuOpxEA7Ts=
+github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4=
+github.com/hashicorp/go-sockaddr v1.0.2 h1:ztczhD1jLxIRjVejw8gFomI1BQZOe2WoVOu0SyteCQc=
+github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A=
+github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI=
+github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
+github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
+github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo=
+github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
+github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=
+github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
+github.com/outcaste-io/ristretto v0.2.3 h1:AK4zt/fJ76kjlYObOeNwh4T3asEuaCmp26pOvUOL9w0=
+github.com/outcaste-io/ristretto v0.2.3/go.mod h1:W8HywhmtlopSB1jeMg3JtdIhf+DYkLAr0VN/s4+MHac=
+github.com/philhofer/fwd v1.1.2 h1:bnDivRJ1EWPjUIRXV5KfORO897HTbpFAQddBdE8t7Gw=
+github.com/philhofer/fwd v1.1.2/go.mod h1:qkPdfjR2SIEbspLqpe1tO4n5yICnr2DY7mqEx2tUTP0=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
+github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
+github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
+github.com/richardartoul/molecule v1.0.1-0.20240531184615-7ca0df43c0b3 h1:4+LEVOB87y175cLJC/mbsgKmoDOjrBldtXvioEy96WY=
+github.com/richardartoul/molecule v1.0.1-0.20240531184615-7ca0df43c0b3/go.mod h1:vl5+MqJ1nBINuSsUI2mGgH79UweUT/B5Fy8857PqyyI=
+github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
+github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk=
+github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
+github.com/secure-systems-lab/go-securesystemslib v0.7.0 h1:OwvJ5jQf9LnIAS83waAjPbcMsODrTQUpJ02eNLUoxBg=
+github.com/secure-systems-lab/go-securesystemslib v0.7.0/go.mod h1:/2gYnlnHVQ6xeGtfIqFy7Do03K4cdCY0A/GlJLDKLHI=
+github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/spaolacci/murmur3 v1.1.0 h1:7c1g84S4BPRrfL5Xrdp6fOJ206sU9y293DDHaoy0bLI=
+github.com/spaolacci/murmur3 v1.1.0/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/tinylib/msgp v1.1.8 h1:FCXC1xanKO4I8plpHGH2P7koL/RzZs12l/+r7vakfm0=
+github.com/tinylib/msgp v1.1.8/go.mod h1:qkpG+2ldGg4xRFmx+jfTvZPxfGFhi64BcnL9vkCm/Tw=
+github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
+go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
+go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
+go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
+go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
+golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
+golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
+golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.3.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE=
+golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220627191245-f75cf1eec38b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
+golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
+golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.4.0/go.mod h1:UE5sM2OK9E/d67R0ANs2xJizIymRP5gJU295PvKXxjQ=
+golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA=
+golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 h1:+cNy6SZtPcJQH3LJVLOSmiC7MMxXNOb3PU/VUEz+EhU=
+golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90=
+google.golang.org/grpc v1.57.1 h1:upNTNqv0ES+2ZOOqACwVtS3Il8M12/+Hz41RCPzAjQg=
+google.golang.org/grpc v1.57.1/go.mod h1:Sd+9RMTACXwmub0zcNY2c4arhtrbBYD1AUHI/dt16Mo=
+google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+gopkg.in/DataDog/dd-trace-go.v1 v1.67.1 h1:frgcpZ18wmpj+/TwyDJM8057M65aOdgaxLiZ8pb1PFU=
+gopkg.in/DataDog/dd-trace-go.v1 v1.67.1/go.mod h1:6DdiJPKOeJfZyd/IUGCAd5elY8qPGkztK6wbYYsMjag=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
+modernc.org/libc v1.37.6 h1:orZH3c5wmhIQFTXF+Nt+eeauyd+ZIt2BX6ARe+kD+aw=
+modernc.org/libc v1.37.6/go.mod h1:YAXkAZ8ktnkCKaN9sw/UDeUVkGYJ/YquGO4FTi5nmHE=
+modernc.org/mathutil v1.6.0 h1:fRe9+AmYlaej+64JsEEhoWuAYBkOtQiMEU7n/XgfYi4=
+modernc.org/mathutil v1.6.0/go.mod h1:Ui5Q9q1TR2gFm0AQRqQUaBWFLAhQpCwNcuhBOSedWPo=
+modernc.org/memory v1.7.2 h1:Klh90S215mmH8c9gO98QxQFsY+W451E8AnzjoE2ee1E=
+modernc.org/memory v1.7.2/go.mod h1:NO4NVCQy0N7ln+T9ngWqOQfi7ley4vpwvARR+Hjw95E=
+modernc.org/sqlite v1.28.0 h1:Zx+LyDDmXczNnEQdvPuEfcFVA2ZPyaD7UCZDjef3BHQ=
+modernc.org/sqlite v1.28.0/go.mod h1:Qxpazz0zH8Z1xCFyi5GSL3FzbtZ3fvbjmywNogldEW0=
diff --git a/internal/apps/setup-smoke-test/main.go b/internal/setup-smoke-test/main.go
similarity index 100%
rename from internal/apps/setup-smoke-test/main.go
rename to internal/setup-smoke-test/main.go
diff --git a/internal/stacktrace/event.go b/internal/stacktrace/event.go
index f2800b3886..421f152ecb 100644
--- a/internal/stacktrace/event.go
+++ b/internal/stacktrace/event.go
@@ -27,6 +27,8 @@ const (
ExploitEvent EventCategory = "exploit"
)
+const SpanKey = "_dd.stack"
+
// Event is the toplevel structure to contain a stacktrace and the additional information needed to correlate it with other data
type Event struct {
// Category is a well-known type of the event, not optional
@@ -82,25 +84,32 @@ func WithID(id string) Options {
}
}
-// AddToSpan adds the event to the given span's root span as a tag if stacktrace collection is enabled
-func AddToSpan(span, root trace.TagSetter, events ...*Event) {
+// GetSpanValue returns the value to be set as a tag on a span for the given stacktrace events
+func GetSpanValue(events ...*Event) any {
if !Enabled() {
- return
+ return nil
}
- // TODO(eliott.bouhana): switch to a map[EventCategory][]*Event type when the tinylib/msgp@1.1.10 is out
- groupByCategory := make(map[string]any, 3)
-
+ groupByCategory := make(map[string][]*Event, 3)
for _, event := range events {
if _, ok := groupByCategory[string(event.Category)]; !ok {
groupByCategory[string(event.Category)] = []*Event{event}
continue
}
+ groupByCategory[string(event.Category)] = append(groupByCategory[string(event.Category)], event)
+ }
- groupByCategory[string(event.Category)] = append(groupByCategory[string(event.Category)].([]*Event), event)
+ return internal.MetaStructValue{Value: groupByCategory}
+}
+
+// AddToSpan adds the event to the given span's root span as a tag if stacktrace collection is enabled
+func AddToSpan(span ddtrace.Span, events ...*Event) {
+ value := GetSpanValue(events...)
+ type rooter interface {
+ Root() ddtrace.Span
}
- if root != nil {
- span = root
+ if lrs, ok := span.(rooter); ok {
+ span = lrs.Root()
}
- span.SetTag("_dd.stack", internal.MetaStructValue{Value: groupByCategory})
+ span.SetTag(SpanKey, value)
}
diff --git a/internal/stacktrace/event_test.go b/internal/stacktrace/event_test.go
index 7eaef6d445..71bb9be7d9 100644
--- a/internal/stacktrace/event_test.go
+++ b/internal/stacktrace/event_test.go
@@ -26,40 +26,29 @@ func TestNewEvent(t *testing.T) {
}
func TestEventToSpan(t *testing.T) {
- mt := mocktracer.Start()
- defer mt.Stop()
+ event1 := NewEvent(ExceptionEvent, WithMessage("message1"))
+ event2 := NewEvent(ExploitEvent, WithMessage("message2"))
+ spanValue := GetSpanValue(event1, event2)
- span := ddtracer.StartSpan("op")
- event := NewEvent(ExceptionEvent, WithMessage("message"))
- AddToSpan(span, span.Root(), event)
- span.Finish()
+ eventsMap := spanValue.(internal.MetaStructValue).Value.(map[string][]*Event)
+ require.Len(t, eventsMap, 2)
- spans := mt.FinishedSpans()
- require.Len(t, spans, 1)
- require.Equal(t, "op", spans[0].OperationName())
+ eventsCat := eventsMap[string(ExceptionEvent)]
+ require.Len(t, eventsCat, 1)
- eventsMap := spans[0].Tag("_dd.stack").(map[string]any)
- require.Len(t, eventsMap, 1)
+ require.Equal(t, *event1, *eventsCat[0])
- eventsCat := eventsMap[string(ExceptionEvent)].([]*Event)
+ eventsCat = eventsMap[string(ExploitEvent)]
require.Len(t, eventsCat, 1)
- require.Equal(t, *event, *eventsCat[0])
+ require.Equal(t, *event2, *eventsCat[0])
}
func TestMsgPackSerialization(t *testing.T) {
- mt := mocktracer.Start()
- defer mt.Stop()
-
- span := ddtracer.StartSpan("op")
event := NewEvent(ExceptionEvent, WithMessage("message"), WithType("type"), WithID("id"))
- AddToSpan(span, span.Root(), event)
- span.Finish()
-
- spans := mt.FinishedSpans()
- require.Len(t, spans, 1)
+ spanValue := GetSpanValue(event)
- eventsMap := spans[0].Tag("_dd.stack").(map[string]any)
+ eventsMap := spanValue.(internal.MetaStructValue).Value
_, err := msgp.AppendIntf(nil, eventsMap)
require.NoError(t, err)
diff --git a/internal/stacktrace/stacktrace.go b/internal/stacktrace/stacktrace.go
index dd983876d1..72b5a97abc 100644
--- a/internal/stacktrace/stacktrace.go
+++ b/internal/stacktrace/stacktrace.go
@@ -33,6 +33,7 @@ var (
"github.com/DataDog/datadog-agent",
"github.com/DataDog/appsec-internal-go",
"github.com/datadog/orchestrion",
+ "github.com/DataDog/orchestrion",
}
)
diff --git a/internal/telemetry/telemetry_test.go b/internal/telemetry/telemetry_test.go
index cad9cd43ea..87d40ff02a 100644
--- a/internal/telemetry/telemetry_test.go
+++ b/internal/telemetry/telemetry_test.go
@@ -112,6 +112,7 @@ func TestProductChange(t *testing.T) {
GlobalClient.ProductChange(NamespaceProfilers, true, []Configuration{{Name: "key", Value: "value"}})
},
},
+ /* This case is flaky (see #2688)
{
name: "profiler start, tracer start",
wantedMessages: []RequestType{RequestTypeAppStarted, RequestTypeDependenciesLoaded, RequestTypeAppClientConfigurationChange},
@@ -120,6 +121,7 @@ func TestProductChange(t *testing.T) {
GlobalClient.ProductChange(NamespaceTracers, true, []Configuration{{Name: "key", Value: "value"}})
},
},
+ */
}
for _, test := range tests {
diff --git a/profiler/metrics.go b/profiler/metrics.go
index 2c60bff410..ec68c38592 100644
--- a/profiler/metrics.go
+++ b/profiler/metrics.go
@@ -61,12 +61,18 @@ func (m *metrics) reset(now time.Time) {
func (m *metrics) report(now time.Time, buf *bytes.Buffer) error {
period := now.Sub(m.collectedAt)
-
- if period < time.Second {
- // Profiler could be mis-configured to report more frequently than every second
- // or a system clock issue causes time to run backwards.
- // We can't emit valid metrics in either case.
- return collectionTooFrequent{min: time.Second, observed: period}
+ if period <= 0 {
+ // It is technically possible, though very unlikely, for period
+ // to be 0 if the monotonic clock did not advance at all or if
+ // we somehow collected two metrics profiles closer together
+ // than the clock can measure. If the period is negative, this
+ // might be a Go runtime bug, since time.Time.Sub is supposed to
+ // work with monotonic time. Either way, bail out since
+ // something is probably going wrong
+ return fmt.Errorf(
+ "unexpected duration %v between metrics collections, first at %v, second at %v",
+ period, m.collectedAt, now,
+ )
}
previousStats := m.snapshot
@@ -74,34 +80,31 @@ func (m *metrics) report(now time.Time, buf *bytes.Buffer) error {
points := m.compute(&previousStats, &m.snapshot, period, now)
data, err := json.Marshal(removeInvalid(points))
-
if err != nil {
- // NB the minimum period check and removeInvalid ensures we don't hit this case
- return err
- }
-
- if _, err := buf.Write(data); err != nil {
+ // NB removeInvalid ensures we don't hit this case by dropping inf/NaN
return err
}
- return nil
+ _, err = buf.Write(data)
+ return err
}
func computeMetrics(prev *metricsSnapshot, curr *metricsSnapshot, period time.Duration, now time.Time) []point {
+ periodSeconds := float64(period) / float64(time.Second)
return []point{
- {metric: "go_alloc_bytes_per_sec", value: rate(curr.TotalAlloc, prev.TotalAlloc, period/time.Second)},
- {metric: "go_allocs_per_sec", value: rate(curr.Mallocs, prev.Mallocs, period/time.Second)},
- {metric: "go_frees_per_sec", value: rate(curr.Frees, prev.Frees, period/time.Second)},
- {metric: "go_heap_growth_bytes_per_sec", value: rate(curr.HeapAlloc, prev.HeapAlloc, period/time.Second)},
- {metric: "go_gcs_per_sec", value: rate(uint64(curr.NumGC), uint64(prev.NumGC), period/time.Second)},
- {metric: "go_gc_pause_time", value: rate(curr.PauseTotalNs, prev.PauseTotalNs, period)}, // % of time spent paused
+ {metric: "go_alloc_bytes_per_sec", value: rate(curr.TotalAlloc, prev.TotalAlloc, periodSeconds)},
+ {metric: "go_allocs_per_sec", value: rate(curr.Mallocs, prev.Mallocs, periodSeconds)},
+ {metric: "go_frees_per_sec", value: rate(curr.Frees, prev.Frees, periodSeconds)},
+ {metric: "go_heap_growth_bytes_per_sec", value: rate(curr.HeapAlloc, prev.HeapAlloc, periodSeconds)},
+ {metric: "go_gcs_per_sec", value: rate(uint64(curr.NumGC), uint64(prev.NumGC), periodSeconds)},
+ {metric: "go_gc_pause_time", value: rate(curr.PauseTotalNs, prev.PauseTotalNs, float64(period))}, // % of time spent paused
{metric: "go_max_gc_pause_time", value: float64(maxPauseNs(&curr.MemStats, now.Add(-period)))},
{metric: "go_num_goroutine", value: float64(curr.NumGoroutine)},
}
}
-func rate(curr, prev uint64, period time.Duration) float64 {
- return float64(int64(curr)-int64(prev)) / float64(period)
+func rate(curr, prev uint64, period float64) float64 {
+ return float64(int64(curr)-int64(prev)) / period
}
// maxPauseNs returns maximum pause time within the recent period, assumes stats populated at period end
diff --git a/profiler/metrics_test.go b/profiler/metrics_test.go
index 2c7e4cbe92..37d1d29d6c 100644
--- a/profiler/metrics_test.go
+++ b/profiler/metrics_test.go
@@ -143,22 +143,3 @@ func TestMetricsReport(t *testing.T) {
assert.NoError(t, err)
assert.Equal(t, "[[\"metric_name\",1.1]]", buf.String())
}
-
-func TestMetricsCollectFrequency(t *testing.T) {
- now := now()
- var err error
- var buf bytes.Buffer
- m := newTestMetrics(now)
-
- err = m.report(now.Add(-time.Second), &buf)
- assert.Error(t, err, "collection call times must be monotonically increasing")
- assert.Empty(t, buf)
-
- err = m.report(now.Add(time.Second-1), &buf)
- assert.Error(t, err, "must be at least one second between collection calls")
- assert.Empty(t, buf)
-
- err = m.report(now.Add(time.Second), &buf)
- assert.NoError(t, err, "one second between calls should work")
- assert.NotEmpty(t, buf)
-}
diff --git a/profiler/profile.go b/profiler/profile.go
index 336b96b14b..269c094d6e 100644
--- a/profiler/profile.go
+++ b/profiler/profile.go
@@ -177,8 +177,11 @@ var profileTypes = map[ProfileType]profileType{
Filename: "metrics.json",
Collect: func(p *profiler) ([]byte, error) {
var buf bytes.Buffer
- p.interruptibleSleep(p.cfg.period)
+ interrupted := p.interruptibleSleep(p.cfg.period)
err := p.met.report(now(), &buf)
+ if err != nil && interrupted {
+ err = errProfilerStopped
+ }
return buf.Bytes(), err
},
},
diff --git a/profiler/profiler.go b/profiler/profiler.go
index fba7a5e61b..505d53fdcd 100644
--- a/profiler/profiler.go
+++ b/profiler/profiler.go
@@ -36,6 +36,10 @@ var (
activeProfiler *profiler
containerID = internal.ContainerID() // replaced in tests
entityID = internal.EntityID() // replaced in tests
+
+ // errProfilerStopped is a sentinel for suppressng errors if we are
+ // about to stop the profiler
+ errProfilerStopped = errors.New("profiler stopped")
)
// Start starts the profiler. If the profiler is already running, it will be
@@ -342,9 +346,12 @@ func (p *profiler) collect(ticker <-chan time.Time) {
}
profs, err := p.runProfile(t)
if err != nil {
- log.Error("Error getting %s profile: %v; skipping.", t, err)
- tags := append(p.cfg.tags.Slice(), t.Tag())
- p.cfg.statsd.Count("datadog.profiling.go.collect_error", 1, tags, 1)
+ if err != errProfilerStopped {
+ log.Error("Error getting %s profile: %v; skipping.", t, err)
+ tags := append(p.cfg.tags.Slice(), t.Tag())
+ p.cfg.statsd.Count("datadog.profiling.go.collect_error", 1, tags, 1)
+ }
+ return
}
mu.Lock()
defer mu.Unlock()
@@ -479,10 +486,13 @@ func (p *profiler) outputDir(bat batch) error {
// interruptibleSleep sleeps for the given duration or until interrupted by the
// p.exit channel being closed.
-func (p *profiler) interruptibleSleep(d time.Duration) {
+// Returns whether the sleep was interrupted
+func (p *profiler) interruptibleSleep(d time.Duration) bool {
select {
case <-p.exit:
+ return true
case <-time.After(d):
+ return false
}
}
diff --git a/profiler/profiler_test.go b/profiler/profiler_test.go
index 23b6b88eca..d3c9720eda 100644
--- a/profiler/profiler_test.go
+++ b/profiler/profiler_test.go
@@ -392,6 +392,7 @@ func TestAllUploaded(t *testing.T) {
"delta-mutex.pprof",
"goroutines.pprof",
"goroutineswait.pprof",
+ "metrics.json",
}
if executionTraceEnabledDefault {
expected = append(expected, "go.trace")
@@ -763,3 +764,58 @@ func TestUDSDefault(t *testing.T) {
<-profiles
}
+
+func TestOrchestrionProfileInfo(t *testing.T) {
+ testCases := []struct {
+ env string
+ want string
+ }{
+ {want: "manual"},
+ {env: "1", want: "manual"},
+ {env: "true", want: "manual"},
+ {env: "auto", want: "auto"},
+ }
+ for _, tc := range testCases {
+ t.Run(fmt.Sprintf("env=\"%s\"", tc.env), func(t *testing.T) {
+ t.Setenv("DD_PROFILING_ENABLED", tc.env)
+ p := doOneShortProfileUpload(t)
+ info := p.event.Info.Profiler
+ t.Logf("%+v", info)
+ if got := info.Activation; got != tc.want {
+ t.Errorf("wanted profiler activation \"%s\", got %s", tc.want, got)
+ }
+ want := "none"
+ if orchestrion.Enabled() {
+ want = "orchestrion"
+ }
+ if got := info.SSI.Mechanism; got != want {
+ t.Errorf("wanted profiler injected = %v, got %v", want, got)
+ }
+ })
+ }
+}
+
+func TestShortMetricsProfile(t *testing.T) {
+ profiles := startTestProfiler(t, 1, WithPeriod(10*time.Millisecond), WithProfileTypes(MetricsProfile))
+ for range 3 {
+ p := <-profiles
+ if _, ok := p.attachments["metrics.json"]; !ok {
+ t.Errorf("didn't get metrics profile, got %v", p.event.Attachments)
+ }
+ }
+}
+
+func TestMetricsProfileStopEarlyNoLog(t *testing.T) {
+ rl := new(log.RecordLogger)
+ defer log.UseLogger(rl)()
+ startTestProfiler(t, 1, WithPeriod(2*time.Second), WithProfileTypes(MetricsProfile))
+ // Stop the profiler immediately
+ Stop()
+ log.Flush()
+ for _, msg := range rl.Logs() {
+ // We should not see any error about stopping the metrics profile short
+ if strings.Contains(msg, "ERROR:") {
+ t.Errorf("unexpected error log: %s", msg)
+ }
+ }
+}
diff --git a/tools/v2check/go.mod b/tools/v2check/go.mod
index 78a17b1417..f6917f63e0 100644
--- a/tools/v2check/go.mod
+++ b/tools/v2check/go.mod
@@ -1,36 +1,43 @@
module github.com/DataDog/dd-trace-go/v2/tools/v2check
-go 1.21
+go 1.22.0
+
+toolchain go1.23.1
require (
github.com/DataDog/dd-trace-go/v2 v2.0.0-20240909105439-c452671ebc14
- golang.org/x/tools v0.20.0
- gopkg.in/DataDog/dd-trace-go.v1 v1.67.0
+ golang.org/x/tools v0.22.0
)
require (
- github.com/DataDog/appsec-internal-go v1.7.0 // indirect
+ github.com/DataDog/appsec-internal-go v1.8.0 // indirect
github.com/DataDog/datadog-agent/pkg/obfuscate v0.52.1 // indirect
- github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.52.1 // indirect
+ github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.57.0 // indirect
github.com/DataDog/datadog-go/v5 v5.5.0 // indirect
- github.com/DataDog/go-libddwaf/v3 v3.3.0 // indirect
+ github.com/DataDog/go-libddwaf/v3 v3.4.0 // indirect
github.com/DataDog/go-sqllexer v0.0.11 // indirect
github.com/DataDog/go-tuf v1.1.0-0.5.2 // indirect
github.com/DataDog/sketches-go v1.4.5 // indirect
github.com/Microsoft/go-winio v0.6.1 // indirect
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/dustin/go-humanize v1.0.1 // indirect
+ github.com/eapache/queue/v2 v2.0.0-20230407133247-75960ed334e4 // indirect
github.com/ebitengine/purego v0.7.1 // indirect
github.com/google/uuid v1.6.0 // indirect
+ github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7 // indirect
+ github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
+ github.com/hashicorp/go-sockaddr v1.0.2 // indirect
+ github.com/mitchellh/mapstructure v1.5.0 // indirect
github.com/outcaste-io/ristretto v0.2.3 // indirect
- github.com/philhofer/fwd v1.1.2 // indirect
+ github.com/philhofer/fwd v1.1.3-0.20240612014219-fbbf4953d986 // indirect
github.com/pkg/errors v0.9.1 // indirect
+ github.com/ryanuber/go-glob v1.0.0 // indirect
github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect
- github.com/tinylib/msgp v1.1.9 // indirect
+ github.com/tinylib/msgp v1.2.1 // indirect
go.uber.org/atomic v1.11.0 // indirect
- golang.org/x/mod v0.17.0 // indirect
+ golang.org/x/mod v0.18.0 // indirect
golang.org/x/sync v0.7.0 // indirect
- golang.org/x/sys v0.20.0 // indirect
+ golang.org/x/sys v0.23.0 // indirect
golang.org/x/time v0.5.0 // indirect
golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
google.golang.org/protobuf v1.33.0 // indirect
diff --git a/tools/v2check/go.sum b/tools/v2check/go.sum
index e1d629a336..9194914cd4 100644
--- a/tools/v2check/go.sum
+++ b/tools/v2check/go.sum
@@ -1,13 +1,13 @@
-github.com/DataDog/appsec-internal-go v1.7.0 h1:iKRNLih83dJeVya3IoUfK+6HLD/hQsIbyBlfvLmAeb0=
-github.com/DataDog/appsec-internal-go v1.7.0/go.mod h1:wW0cRfWBo4C044jHGwYiyh5moQV2x0AhnwqMuiX7O/g=
+github.com/DataDog/appsec-internal-go v1.8.0 h1:1Tfn3LEogntRqZtf88twSApOCAAO3V+NILYhuQIo4J4=
+github.com/DataDog/appsec-internal-go v1.8.0/go.mod h1:wW0cRfWBo4C044jHGwYiyh5moQV2x0AhnwqMuiX7O/g=
github.com/DataDog/datadog-agent/pkg/obfuscate v0.52.1 h1:/oxF4p/4XUGNpNw2TE7vDu/pJV3elEAZ+jES0/MWtiI=
github.com/DataDog/datadog-agent/pkg/obfuscate v0.52.1/go.mod h1:AVPQWekk3h9AOC7+plBlNB68Sy6UIGFoMMVUDeSoNoI=
-github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.52.1 h1:mmkGuCHBFuDBpuwNMcqtY1x1I2fCaPH2Br4xPAAjbkM=
-github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.52.1/go.mod h1:JhAilx32dkIgoDkFXquCTfaWDsAOfe+vfBaxbiZoPI0=
+github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.57.0 h1:LplNAmMgZvGU7kKA0+4c1xWOjz828xweW5TCi8Mw9Q0=
+github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.57.0/go.mod h1:4Vo3SJ24uzfKHUHLoFa8t8o+LH+7TCQ7sPcZDtOpSP4=
github.com/DataDog/datadog-go/v5 v5.5.0 h1:G5KHeB8pWBNXT4Jtw0zAkhdxEAWSpWH00geHI6LDrKU=
github.com/DataDog/datadog-go/v5 v5.5.0/go.mod h1:K9kcYBlxkcPP8tvvjZZKs/m1edNAUFzBbdpTUKfCsuw=
-github.com/DataDog/go-libddwaf/v3 v3.3.0 h1:jS72fuQpFgJZEdEJDmHJCPAgNTEMZoz1EUvimPUOiJ4=
-github.com/DataDog/go-libddwaf/v3 v3.3.0/go.mod h1:Bz/0JkpGf689mzbUjKJeheJINqsyyhM8p9PDuHdK2Ec=
+github.com/DataDog/go-libddwaf/v3 v3.4.0 h1:NJ2W2vhYaOm1OWr1LJCbdgp7ezG/XLJcQKBmjFwhSuM=
+github.com/DataDog/go-libddwaf/v3 v3.4.0/go.mod h1:n98d9nZ1gzenRSk53wz8l6d34ikxS+hs62A31Fqmyi4=
github.com/DataDog/go-sqllexer v0.0.11 h1:OfPBjmayreblOXreszbrOTICNZ3qWrA6Bg4sypvxpbw=
github.com/DataDog/go-sqllexer v0.0.11/go.mod h1:KwkYhpFEVIq+BfobkTC1vfqm4gTi65skV/DpDBXtexc=
github.com/DataDog/go-tuf v1.1.0-0.5.2 h1:4CagiIekonLSfL8GMHRHcHudo1fQnxELS9g4tiAupQ4=
@@ -19,6 +19,8 @@ github.com/DataDog/sketches-go v1.4.5/go.mod h1:7Y8GN8Jf66DLyDhc94zuWA3uHEt/7ttt
github.com/Microsoft/go-winio v0.5.0/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84=
github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
+github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
+github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
@@ -31,11 +33,11 @@ github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2/go.mod h1:SqUrOPUn
github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
-github.com/eapache/queue v1.1.0 h1:YOEu7KNc61ntiQlcEeUIoDTJ2o8mQznoNvUhiigpIqc=
github.com/eapache/queue/v2 v2.0.0-20230407133247-75960ed334e4 h1:8EXxF+tCLqaVk8AOC29zl2mnhQjwyLxxOTuhUazWRsg=
github.com/eapache/queue/v2 v2.0.0-20230407133247-75960ed334e4/go.mod h1:I5sHm0Y0T1u5YjlyqC5GVArM7aNZRUYtTjmJ8mPJFds=
github.com/ebitengine/purego v0.7.1 h1:6/55d26lG3o9VCZX8lping+bZcmShseiqlh2bnUDiPA=
github.com/ebitengine/purego v0.7.1/go.mod h1:ah1In8AOtksoNK6yk5z1HTJeUkC1Ez4Wk2idgGslMwQ=
+github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
@@ -45,8 +47,11 @@ github.com/google/pprof v0.0.0-20230817174616-7a8ec2ada47b h1:h9U78+dx9a4BKdQkBB
github.com/google/pprof v0.0.0-20230817174616-7a8ec2ada47b/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7 h1:UpiO20jno/eV1eVZcxqWnUohyKRe1g8FPV/xH1s/2qs=
github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8=
+github.com/hashicorp/go-secure-stdlib/strutil v0.1.1/go.mod h1:gKOamz3EwoIoJq7mlMIRBpVTAUn8qPCrEclOKKWhD3U=
github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9CdjCtrXrXGuOpxEA7Ts=
github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4=
github.com/hashicorp/go-sockaddr v1.0.2 h1:ztczhD1jLxIRjVejw8gFomI1BQZOe2WoVOu0SyteCQc=
@@ -55,23 +60,28 @@ github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
+github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
+github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
+github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo=
+github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
-github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=
-github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
github.com/outcaste-io/ristretto v0.2.3 h1:AK4zt/fJ76kjlYObOeNwh4T3asEuaCmp26pOvUOL9w0=
github.com/outcaste-io/ristretto v0.2.3/go.mod h1:W8HywhmtlopSB1jeMg3JtdIhf+DYkLAr0VN/s4+MHac=
-github.com/philhofer/fwd v1.1.2 h1:bnDivRJ1EWPjUIRXV5KfORO897HTbpFAQddBdE8t7Gw=
-github.com/philhofer/fwd v1.1.2/go.mod h1:qkPdfjR2SIEbspLqpe1tO4n5yICnr2DY7mqEx2tUTP0=
+github.com/philhofer/fwd v1.1.3-0.20240612014219-fbbf4953d986 h1:jYi87L8j62qkXzaYHAQAhEapgukhenIMZRBKTNRLHJ4=
+github.com/philhofer/fwd v1.1.3-0.20240612014219-fbbf4953d986/go.mod h1:RqIHx9QI14HlwKwm98g9Re5prTQ6LdeRQn+gXJFxsJM=
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
github.com/richardartoul/molecule v1.0.1-0.20240531184615-7ca0df43c0b3 h1:4+LEVOB87y175cLJC/mbsgKmoDOjrBldtXvioEy96WY=
github.com/richardartoul/molecule v1.0.1-0.20240531184615-7ca0df43c0b3/go.mod h1:vl5+MqJ1nBINuSsUI2mGgH79UweUT/B5Fy8857PqyyI=
github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
+github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk=
github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
github.com/secure-systems-lab/go-securesystemslib v0.8.0 h1:mr5An6X45Kb2nddcFlbmfHkLguCE9laoZCUzEEpIZXA=
@@ -92,8 +102,8 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/tinylib/msgp v1.1.9 h1:SHf3yoO2sGA0veCJeCBYLHuttAVFHGm2RHgNodW7wQU=
-github.com/tinylib/msgp v1.1.9/go.mod h1:BCXGB54lDD8qUEPmiG0cQQUANC4IUQyB2ItS2UDlO/k=
+github.com/tinylib/msgp v1.2.1 h1:6ypy2qcCznxpP4hpORzhtXyTqrBs7cfM9MCCWY8zsmU=
+github.com/tinylib/msgp v1.2.1/go.mod h1:2vIGs3lcUo8izAATNobrCHevYZC/LMsJtw4JPiYPHro=
github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
@@ -102,20 +112,21 @@ go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
-golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
+golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
+golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
-golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0=
+golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
-golang.org/x/net v0.24.0 h1:1PcaxkF854Fu3+lvBIx5SYn9wRlBzzcnHZSiaFFAb0w=
-golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8=
+golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
+golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -124,8 +135,8 @@ golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7w
golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220627191245-f75cf1eec38b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
-golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.23.0 h1:YfKFowiIMvtgl1UERQoTPPToxltDeZfbj4H7dVUCwmM=
+golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -134,17 +145,17 @@ golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.20.0 h1:hz/CVckiOxybQvFw6h7b/q80NTr9IUQb4s1IIzW7KNY=
-golang.org/x/tools v0.20.0/go.mod h1:WvitBU7JJf6A4jOdg4S1tviW9bhUxkgeCui/0JHctQg=
+golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA=
+golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 h1:+cNy6SZtPcJQH3LJVLOSmiC7MMxXNOb3PU/VUEz+EhU=
golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90=
+google.golang.org/grpc v1.57.1 h1:upNTNqv0ES+2ZOOqACwVtS3Il8M12/+Hz41RCPzAjQg=
+google.golang.org/grpc v1.57.1/go.mod h1:Sd+9RMTACXwmub0zcNY2c4arhtrbBYD1AUHI/dt16Mo=
google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
-gopkg.in/DataDog/dd-trace-go.v1 v1.67.0 h1:3Cb46zyKIlEWac21tvDF2O4KyMlOHQxrQkyiaUpdwM0=
-gopkg.in/DataDog/dd-trace-go.v1 v1.67.0/go.mod h1:6DdiJPKOeJfZyd/IUGCAd5elY8qPGkztK6wbYYsMjag=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
diff --git a/tools/v2check/v2check/known_change.go b/tools/v2check/v2check/known_change.go
index c9e6d3f55e..0b9dd793f2 100644
--- a/tools/v2check/v2check/known_change.go
+++ b/tools/v2check/v2check/known_change.go
@@ -13,9 +13,9 @@ import (
"go/types"
"strings"
+ "github.com/DataDog/dd-trace-go/v2/ddtrace"
"github.com/DataDog/dd-trace-go/v2/ddtrace/tracer"
"golang.org/x/tools/go/analysis"
- "gopkg.in/DataDog/dd-trace-go.v1/ddtrace"
)
// KnownChange models code expressions that must be changed to migrate to v2.
@@ -115,7 +115,7 @@ func (c V1ImportURL) Fixes() []analysis.SuggestedFix {
if path == "" {
return nil
}
- path = strings.Replace(path, "gopkg.in/DataDog/dd-trace-go.v1", "github.com/DataDog/dd-trace-go/v2", 1)
+ path = strings.Replace(path, "github.com/DataDog/dd-trace-go/v2", "github.com/DataDog/dd-trace-go/v2", 1)
return []analysis.SuggestedFix{
{
Message: "update import URL to v2",
@@ -133,7 +133,7 @@ func (c V1ImportURL) Fixes() []analysis.SuggestedFix {
func (V1ImportURL) Probes() []Probe {
return []Probe{
IsImport,
- HasPackagePrefix("gopkg.in/DataDog/dd-trace-go.v1/"),
+ HasPackagePrefix("github.com/DataDog/dd-trace-go/v2/"),
}
}
@@ -173,7 +173,7 @@ func (DDTraceTypes) Probes() []Probe {
Is[*ast.ValueSpec],
Is[*ast.Field],
),
- ImportedFrom("gopkg.in/DataDog/dd-trace-go.v1"),
+ ImportedFrom("github.com/DataDog/dd-trace-go/v2"),
Not(DeclaresType[ddtrace.SpanContext]()),
}
}
diff --git a/tools/v2check/v2check/v2check_test.go b/tools/v2check/v2check/v2check_test.go
index 31df482fbf..5445fa1e74 100644
--- a/tools/v2check/v2check/v2check_test.go
+++ b/tools/v2check/v2check/v2check_test.go
@@ -41,7 +41,7 @@ func (c V1Usage) Fixes() []analysis.SuggestedFix {
func (c V1Usage) Probes() []v2check.Probe {
return []v2check.Probe{
v2check.IsFuncCall,
- v2check.HasPackagePrefix("gopkg.in/DataDog/dd-trace-go.v1/"),
+ v2check.HasPackagePrefix("github.com/DataDog/dd-trace-go/v2/"),
}
}