-
Notifications
You must be signed in to change notification settings - Fork 439
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
appsec: differentiate user login and user set event #2956
appsec: differentiate user login and user set event #2956
Conversation
BenchmarksBenchmark execution time: 2024-10-30 17:19:43 Comparing candidate commit 786aa68 in PR branch Found 0 performance improvements and 0 performance regressions! Performance is the same for 58 metrics, 1 unstable metrics. |
@@ -61,11 +65,10 @@ func SetUser(ctx context.Context, id string, opts ...tracer.UserMonitoringOption | |||
return nil | |||
} | |||
|
|||
op, errPtr := usersec.StartUserLoginOperation(ctx, usersec.UserLoginOperationArgs{}) | |||
op, errPtr := usersec.StartUserLoginOperation(ctx, userEventType, usersec.UserLoginOperationArgs{}) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
appsec.SetUser doing a fake user login event is a bad design idea.
generally speaking, all those fake operations are coming from the time we didn't have EmitData and I believe they should be replaced by that to simplify everything.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's not really a "fake" user login operation, it's just badly named so I renamed it.
We can't use EmitData yet because we are missing context on the listener side of things but it could also be useful if we want to do some autoinstrumentation on auth frameworks later.
) | ||
|
||
const errorLog = ` | ||
appsec: user login monitoring ignored: could not find the http handler instrumentation metadata in the request context: | ||
the request handler is not being monitored by a middleware function or the provided context is not the expected request context | ||
the request handler is not being monitored by a middleware function or the provided context is not the expected request context. | ||
If the user has been blocked using remote rules, blocking will still be enforced but it will not be reported. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't understand it.
Remember this log is mostly there for customer support cases, and not meant to be understood by the users themselves.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes you are right, I removed it
Signed-off-by: Eliott Bouhana <[email protected]>
857c3a3
to
786aa68
Compare
What does this PR do?
Rework user login WAF addresses passing by differentiating a simple authenticated request and a user login request
Motivation
Better ATO detection
Reviewer's Checklist
Unsure? Have a question? Request a review!