Merge branch 'main' into aws-streamname-fix

DataDog · Sep 10, 2024 · 43e342a · 43e342a
2 parents dcd3e6a + 0ffa615
commit 43e342a
Show file tree

Hide file tree

Showing 4 changed files with 87 additions and 4 deletions.
diff --git a/internal/appsec/remoteconfig.go b/internal/appsec/remoteconfig.go
@@ -13,6 +13,7 @@ import (
 
 	"gopkg.in/DataDog/dd-trace-go.v1/internal/appsec/config"
 	"gopkg.in/DataDog/dd-trace-go.v1/internal/log"
+	"gopkg.in/DataDog/dd-trace-go.v1/internal/orchestrion"
 	"gopkg.in/DataDog/dd-trace-go.v1/internal/remoteconfig"
 
 	internal "github.com/DataDog/appsec-internal-go/appsec"
@@ -409,7 +410,14 @@ func (a *appsec) enableRASP() {
 	if err := remoteconfig.RegisterCapability(remoteconfig.ASMRASPSSRF); err != nil {
 		log.Debug("appsec: Remote config: couldn't register RASP SSRF: %v", err)
 	}
-	// TODO: register other RASP capabilities when supported
+	if err := remoteconfig.RegisterCapability(remoteconfig.ASMRASPSQLI); err != nil {
+		log.Debug("appsec: Remote config: couldn't register RASP SQLI: %v", err)
+	}
+	if orchestrion.Enabled() {
+		if err := remoteconfig.RegisterCapability(remoteconfig.ASMRASPLFI); err != nil {
+			log.Debug("appsec: Remote config: couldn't register RASP LFI: %v", err)
+		}
+	}
 }
 
 func (a *appsec) disableRCBlocking() {

diff --git a/internal/remoteconfig/remoteconfig.go b/internal/remoteconfig/remoteconfig.go
@@ -70,14 +70,26 @@ const (
 	APMTracingHTTPHeaderTags
 	// APMTracingCustomTags enables APM client to set custom tags on all spans
 	APMTracingCustomTags
+	// ASMProcessorOverrides adds support for processor overrides through the ASM RC Product
+	ASMProcessorOverrides
+	// ASMCustomDataScanners adds support for custom data scanners through the ASM RC Product
+	ASMCustomDataScanners
+	// ASMExclusionData adds support configurable exclusion filter data from the ASM_DATA Product
+	ASMExclusionData
+	// APMTracingEnabled enables APM tracing
+	APMTracingEnabled
+	// APMTracingDataStreamsEnabled enables Data Streams Monitoring
+	APMTracingDataStreamsEnabled
+	// ASMRASPSQLI enables ASM support for runtime protection against SQL Injection attacks
+	ASMRASPSQLI
+	// ASMRASPLFI enables ASM support for runtime protection against Local File Inclusion attacks
+	ASMRASPLFI
 	// ASMRASPSSRF enables ASM support for runtime protection against SSRF attacks
-	ASMRASPSSRF = 23
+	ASMRASPSSRF
 )
 
 // Additional capability bit index values that are non-consecutive from above.
 const (
-	// APMTracingEnabled enables APM tracing
-	APMTracingEnabled Capability = 19
 	// APMTracingSampleRules represents the sampling rate using matching rules from APM client libraries
 	APMTracingSampleRules = 29
 )

diff --git a/profiler/profiler_test.go b/profiler/profiler_test.go
@@ -30,6 +30,7 @@ import (
 	"gopkg.in/DataDog/dd-trace-go.v1/internal/globalconfig"
 	"gopkg.in/DataDog/dd-trace-go.v1/internal/httpmem"
 	"gopkg.in/DataDog/dd-trace-go.v1/internal/log"
+	"gopkg.in/DataDog/dd-trace-go.v1/internal/orchestrion"
 	"gopkg.in/DataDog/dd-trace-go.v1/internal/traceprof"
 	"gopkg.in/DataDog/dd-trace-go.v1/internal/version"
 
@@ -748,3 +749,33 @@ func TestUDSDefault(t *testing.T) {
 
 	<-profiles
 }
+
+func TestOrchestrionProfileInfo(t *testing.T) {
+	testCases := []struct {
+		env  string
+		want string
+	}{
+		{want: "manual"},
+		{env: "1", want: "manual"},
+		{env: "true", want: "manual"},
+		{env: "auto", want: "auto"},
+	}
+	for _, tc := range testCases {
+		t.Run(fmt.Sprintf("env=\"%s\"", tc.env), func(t *testing.T) {
+			t.Setenv("DD_PROFILING_ENABLED", tc.env)
+			p := doOneShortProfileUpload(t)
+			info := p.event.Info.Profiler
+			t.Logf("%+v", info)
+			if got := info.Activation; got != tc.want {
+				t.Errorf("wanted profiler activation \"%s\", got %s", tc.want, got)
+			}
+			want := "none"
+			if orchestrion.Enabled() {
+				want = "orchestrion"
+			}
+			if got := info.SSI.Mechanism; got != want {
+				t.Errorf("wanted profiler injected = %v, got %v", want, got)
+			}
+		})
+	}
+}
diff --git a/profiler/upload.go b/profiler/upload.go
@@ -16,10 +16,12 @@ import (
 	"mime/multipart"
 	"net/http"
 	"net/textproto"
+	"os"
 	"strings"
 	"time"
 
 	"gopkg.in/DataDog/dd-trace-go.v1/internal/log"
+	"gopkg.in/DataDog/dd-trace-go.v1/internal/orchestrion"
 )
 
 // maxRetries specifies the maximum number of retries to have when an error occurs.
@@ -144,6 +146,20 @@ type uploadEvent struct {
 	Version          string            `json:"version"`
 	EndpointCounts   map[string]uint64 `json:"endpoint_counts,omitempty"`
 	CustomAttributes []string          `json:"custom_attributes,omitempty"`
+	Info             struct {
+		Profiler profilerInfo `json:"profiler"`
+	} `json:"info"`
+}
+
+// profilerInfo holds profiler-specific information which should be attached to
+// the event for backend consumption
+type profilerInfo struct {
+	SSI struct {
+		Mechanism string `json:"mechanism,omitempty"`
+	} `json:"ssi"`
+	// Activation distinguishes how the profiler was enabled, either "auto"
+	// (env var set via admission controller) or "manual"
+	Activation string `json:"activation"`
 }
 
 // encode encodes the profile as a multipart mime request.
@@ -167,6 +183,22 @@ func encode(bat batch, tags []string) (contentType string, body io.Reader, err e
 		CustomAttributes: bat.customAttributes,
 	}
 
+	// DD_PROFILING_ENABLED is only used to enable profiling when added with
+	// Orchestrion. The "auto" value comes from the Datadog Kubernetes
+	// admission controller. Otherwise, the client library doesn't care
+	// about the value and assumes it was something "truthy", or this code
+	// wouldn't run. We just track it to be consistent with other languages
+	if os.Getenv("DD_PROFILING_ENABLED") == "auto" {
+		event.Info.Profiler.Activation = "auto"
+	} else {
+		event.Info.Profiler.Activation = "manual"
+	}
+	if orchestrion.Enabled() {
+		event.Info.Profiler.SSI.Mechanism = "orchestrion"
+	} else {
+		event.Info.Profiler.SSI.Mechanism = "none"
+	}
+
 	for _, p := range bat.profiles {
 		event.Attachments = append(event.Attachments, p.name)
 		f, err := mw.CreateFormFile(p.name, p.name)