diff --git a/tracer/src/Datadog.Trace/AppSec/Coordinator/HttpTransportBase.cs b/tracer/src/Datadog.Trace/AppSec/Coordinator/HttpTransportBase.cs
index db62f36d9df1..143f455d9aa9 100644
--- a/tracer/src/Datadog.Trace/AppSec/Coordinator/HttpTransportBase.cs
+++ b/tracer/src/Datadog.Trace/AppSec/Coordinator/HttpTransportBase.cs
@@ -8,7 +8,6 @@ using System.Collections.Generic;
 using Datadog.Trace.AppSec.Waf;
 using Datadog.Trace.Headers;
-using Datadog.Trace.Vendors.Serilog;
 #if !NETFRAMEWORK
 using Microsoft.AspNetCore.Http;
 #else
diff --git a/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Core.cs b/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Core.cs
index ccaa9fc3fb57..e39f497f8664 100644
--- a/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Core.cs
+++ b/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Core.cs
@@ -10,6 +10,7 @@ using System.Collections;
 using System.Collections.Generic;
 using System.Linq;
+using System.Runtime.CompilerServices;
 using Datadog.Trace.AppSec.Waf;
 using Datadog.Trace.Headers;
 using Datadog.Trace.Util.Http;
diff --git a/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.cs b/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.cs
index 911c25743e92..8341a1fbcfef 100644
--- a/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.cs
+++ b/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.cs
@@ -149,29 +149,6 @@ internal readonly partial struct SecurityCoordinator
 return result;
 }
- internal IContext? GetOrCreateAdditiveContext()
- {
- var additiveContext = _httpTransport.GetAdditiveContext();
-
- if (additiveContext == null)
- {
- additiveContext = _security.CreateAdditiveContext();
- // prevent very cases where waf has been disposed between here and has been passed as argument until the 2nd line of constructor..
- if (additiveContext is not null)
- {
- _httpTransport.SetAdditiveContext(additiveContext);
- }
- }
-
- if (!_httpTransport.IsAdditiveContextDisposed())
- {
- return additiveContext;
- }
-
- Log.Warning("Waf could not run as waf additive context is disposed");
- return null;
- }
-
 private static void RecordTelemetry(IResult? result)
 {
 if (result == null)
diff --git a/tracer/src/Datadog.Trace/AppSec/Security.cs b/tracer/src/Datadog.Trace/AppSec/Security.cs
index 0b2fe842ea37..c99984e9c34a 100644
--- a/tracer/src/Datadog.Trace/AppSec/Security.cs
+++ b/tracer/src/Datadog.Trace/AppSec/Security.cs
@@ -632,7 +632,6 @@ internal bool IsMetaStructSupported()
 private void UpdateActiveAddresses()
 {
- // So far, RASP is the only one that uses this
 if (_waf?.IsKnowAddressesSuported() is true)
 {
 var addresses = _waf.GetKnownAddresses();
diff --git a/tracer/test/Datadog.Trace.Security.IntegrationTests/AspNetCore5AutoUserEvents.cs b/tracer/test/Datadog.Trace.Security.IntegrationTests/AspNetCore5AutoUserEvents.cs
index 2b707f4b7870..86b35774116a 100644
--- a/tracer/test/Datadog.Trace.Security.IntegrationTests/AspNetCore5AutoUserEvents.cs
+++ b/tracer/test/Datadog.Trace.Security.IntegrationTests/AspNetCore5AutoUserEvents.cs
@@ -10,6 +10,8 @@ using System.Net;
 using System.Text.RegularExpressions;
 using System.Threading.Tasks;
+using Datadog.Trace.AppSec.Rcm.Models.AsmData;
+using Datadog.Trace.RemoteConfigurationManagement;
 using Datadog.Trace.TestHelpers;
 using FluentAssertions;
 using VerifyTests;
@@ -91,8 +93,33 @@ protected async Task TestAuthenticatedRequest()
 {
 await TryStartApp();
 var settings = VerifyHelper.GetSpanVerifierSettings();
+ VerifyScrubber.ScrubSessionFingerprint(settings);
 var request = await SubmitRequest("/Account/Index", "Input.UserName=TestUser2&Input.Password=test", contentType: "application/x-www-form-urlencoded");
 request.StatusCode.Should().Be(HttpStatusCode.OK);
+ // this is for testuser2 in the in memory user store and appdb
+ var userId = "7ccfa5b9-14c2-42b9-8064-834b8293aef4";
+ var request2 = await _fixture.Agent.SetupRcmAndWait(
+ Output,
+ [
+ (new Payload
+ {
+ RulesData =
+ [
+ new RuleData
+ {
+ Id = "blocked_users",
+ Type = "data_with_expiration",
+ Data =
+ [
+ new Data { Expiration = 0, Value = userId }, new Data { Expiration = 0, Value = "blocked-user" }
+ ]
+ }
+ ]
+ },
+ RcmProducts.AsmData, nameof(TestAuthenticatedRequest)),
+ ]);
+ request2.Should().NotBeNull();
+ request2.CachedTargetFiles.Should().HaveCount(_enableSecurity ? 1 : 0);
 await TestAppSecRequestWithVerifyAsync(_fixture.Agent, "/Account/SomeAuthenticatedAction", null, 1, 1, settings, fileNameOverride: GetTestFileName(nameof(TestAuthenticatedRequest)));
 // reset memory database (useless for net7 as it runs with EF7 on app.db
 await SendRequestsAsync(_fixture.Agent, "/account/reset-memory-db");
diff --git a/tracer/test/Datadog.Trace.Security.IntegrationTests/Data/app.db b/tracer/test/Datadog.Trace.Security.IntegrationTests/Data/app.db
index 1f232f5fa8b9..f25c8f6e0853 100644
Binary files a/tracer/test/Datadog.Trace.Security.IntegrationTests/Data/app.db and b/tracer/test/Datadog.Trace.Security.IntegrationTests/Data/app.db differ
diff --git a/tracer/test/Datadog.Trace.Security.IntegrationTests/VerifyScrubber.cs b/tracer/test/Datadog.Trace.Security.IntegrationTests/VerifyScrubber.cs
index a53986a5b8f7..359be1fef13e 100644
--- a/tracer/test/Datadog.Trace.Security.IntegrationTests/VerifyScrubber.cs
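Review bot: The blocked_users data pushed through `SetupRcmAndWait` is never withdrawn, so if `_fixture.Agent` is shared by the other tests of this class (the `reset-memory-db` call on the last context line suggests the fixture is reused) TestUser2 stays blocked for whatever runs afterwards; either push an empty AsmData payload at the end of the test or state the ordering dependency in a comment. The literal on `var userId = "7ccfa5b9-…"` duplicates the `Id` in `UserStoreMemory.ResetUsers` and whatever row was added to the binary `app.db` in this same change, so the three can drift silently — a comment such as `// must match UserStoreMemory.ResetUsers and Data/app.db; the snapshot expects this id to be blocked (403)` would at least name the coupling. `Expiration = 0` is presumably "never expires"; verify that against the RuleData contract rather than relying on it. The method's signature sits just above the hunk and its body continues past it.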
+++ b/tracer/test/Datadog.Trace.Security.IntegrationTests/VerifyScrubber.cs
@@ -2,6 +2,7 @@
 // Unless explicitly stated otherwise all files in this repository are licensed under the Apache 2 License.
 // This product includes software developed at Datadog (https://www.datadoghq.com/). Copyright 2017 Datadog, Inc.
 //
+ #nullable enable
 using System.Text.RegularExpressions;
 using Datadog.Trace.TestHelpers;
@@ -11,14 +12,23 @@ namespace Datadog.Trace.Security.IntegrationTests;
 internal class VerifyScrubber
 {
- private static readonly Regex AppSecFingerPrintSession = new(@"_dd.appsec.fp.session: ssn.[\s\-a-z0-9]*", RegexOptions.IgnoreCase | RegexOptions.Compiled);
+ private static readonly Regex AppSecFingerPrintSession = new(@"(_dd\.appsec\.fp\.session: ssn-(?:[a-zA-Z0-9]+-){1})([a-zA-Z0-9]+-[a-zA-Z0-9]+-[a-zA-Z0-9]+)(,)?", RegexOptions.IgnoreCase | RegexOptions.Compiled);
+ private static readonly Regex AppSecPartialFingerPrintSession = new(@"(_dd\.appsec\.fp\.session: ssn-(?:[a-zA-Z0-9]*-){3})(?:[a-zA-Z0-9]+)(,)?", RegexOptions.IgnoreCase | RegexOptions.Compiled);
 private static readonly Regex AuthenticationCollectionMode = new(@"_dd.appsec.user.collection_mode: .*,", RegexOptions.IgnoreCase | RegexOptions.Compiled);
- public static void ScrubAuthenticatedTags(VerifySettings settings)
+ internal static void ScrubAuthenticatedTags(VerifySettings settings)
 {
 // these tags are added by HttpContext.SetUser. After a login event it's not always called by all framework versions
 // we dont want to test authenticated tags here anyway, as they're tested by TestAuthenticatedRequest
 settings.AddRegexScrubber(AuthenticationCollectionMode, string.Empty);
- settings.AddRegexScrubber(AppSecFingerPrintSession, "_dd.appsec.fp.session: ");
+ PartialScrubSessionFingerprint(settings);
 }
+
+ ///
+ /// Everytime we are going to have a different session id so we need to at least scrub the part with the session
+ ///
+ /// settings
+ internal static void ScrubSessionFingerprint(VerifySettings settings) => settings.AddRegexScrubber(AppSecFingerPrintSession, "$1-$3");
+
+ internal static void PartialScrubSessionFingerprint(VerifySettings settings) => settings.AddRegexScrubber(AppSecPartialFingerPrintSession, "$1");
 }
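Review bot: `PartialScrubSessionFingerprint` replaces the match with `"$1"` and so discards the trailing comma that `AppSecPartialFingerPrintSession` captures as group 2, which means that whenever the fourth `ssn-` field is non-empty the scrub also eats the separator after the tag. The extendedmode snapshots in this same change show exactly that (`_dd.appsec.fp.session: ssn-7bcd1c9f---` followed by `_dd.appsec.json` / `_dd.appsec.usr.id` with no comma) while the defaultmode versions of the same lines keep their comma, so the verified files are now inconsistent for a reason unrelated to the feature. Change the replacement to `"$1$2"`, mirroring how `ScrubSessionFingerprint` keeps the comma through `$3`, and re-verify the affected snapshots. With `RegexOptions.IgnoreCase` the `a-zA-Z` ranges are redundant, but that is cosmetic.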
diff --git a/tracer/test/snapshots/Security.AspNetCore5AsmFeatureUserIdSecurityEnabled._.verified.txt b/tracer/test/snapshots/Security.AspNetCore5AsmFeatureUserIdSecurityEnabled._.verified.txt index 8a8164bb4fb0..09ad7a5a13e8 100644 --- a/tracer/test/snapshots/Security.AspNetCore5AsmFeatureUserIdSecurityEnabled._.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore5AsmFeatureUserIdSecurityEnabled._.verified.txt @@ -32,7 +32,7 @@ _dd.appsec.events.users.login.success.auto.mode: identification, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-2-da57b738, _dd.appsec.fp.http.network: net-1-1000000000, - _dd.appsec.fp.session: , + _dd.appsec.fp.session: ssn-7bcd1c9f--, _dd.appsec.usr.id: Guid_2, _dd.appsec.usr.login: TestUser, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetCore5AsmFeatureUserIdSecurityRemoteActivated._.verified.txt b/tracer/test/snapshots/Security.AspNetCore5AsmFeatureUserIdSecurityRemoteActivated._.verified.txt index b8c9bd42bbc3..12c05a74eead 100644 --- a/tracer/test/snapshots/Security.AspNetCore5AsmFeatureUserIdSecurityRemoteActivated._.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore5AsmFeatureUserIdSecurityRemoteActivated._.verified.txt @@ -32,7 +32,7 @@ _dd.appsec.events.users.login.success.auto.mode: identification, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-2-da57b738, _dd.appsec.fp.http.network: net-1-1000000000, - _dd.appsec.fp.session: , + _dd.appsec.fp.session: ssn-7bcd1c9f--, _dd.appsec.usr.id: Guid_2, _dd.appsec.usr.login: TestUser, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.anonmode-TestAuthenticatedRequest.verified.txt b/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.anonmode-TestAuthenticatedRequest.verified.txt index 913f30499085..5225faecee4e 100644 --- a/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.anonmode-TestAuthenticatedRequest.verified.txt 
+++ b/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.anonmode-TestAuthenticatedRequest.verified.txt @@ -24,9 +24,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, - usr.id: anon_7bcd1c9fc4f6e4c2460e0ad38d6ad0d9, + usr.id: anon_74ff86ebe90bfdc4f169315d955bacd1, _dd.appsec.user.collection_mode: anonymization, - _dd.appsec.usr.id: anon_7bcd1c9fc4f6e4c2460e0ad38d6ad0d9, + _dd.appsec.usr.id: anon_74ff86ebe90bfdc4f169315d955bacd1, _dd.runtime_family: dotnet }, Metrics: { diff --git a/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.anonmode-TestLoginWithSdk.blocked-user.verified.txt b/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.anonmode-TestLoginWithSdk.blocked-user.verified.txt index 58504e328e0a..753896507d9b 100644 --- a/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.anonmode-TestLoginWithSdk.blocked-user.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.anonmode-TestLoginWithSdk.blocked-user.verified.txt @@ -12,6 +12,7 @@ appsec.event: true, appsec.events.users.login.success.some-metadata: some-value, appsec.events.users.login.success.track: true, + appsec.events.users.login.success.usr.login: anon_eb97d409396a3e5392936dad92b909da, aspnet_core.endpoint: Samples.Security.AspNetCore5.Controllers.AccountController.Index (Samples.Security.AspNetCore5), aspnet_core.route: {controller=home}/{action=index}/{id?}, component: aspnet_core, 
@@ -34,12 +35,15 @@ runtime-id: Guid_1, span.kind: server, usr.id: blocked-user, + _dd.appsec.events.users.login.success.auto.mode: anonymization, _dd.appsec.events.users.login.success.sdk: true, _dd.appsec.fp.http.endpoint: http-post-ae2b84ee-5843629a-, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-2-da57b738, _dd.appsec.fp.http.network: net-1-1000000000, - _dd.appsec.fp.session: , + _dd.appsec.fp.session: ssn-ef8eb89f---, _dd.appsec.json: {"triggers":[{"rule":{"id":"blk-001-002","name":"Block User Addresses","tags":{"category":"security_response","type":"block_user"}},"rule_matches":[{"operator":"exact_match","operator_value":"","parameters":[{"address":"usr.id","highlight":["blocked-user"],"key_path":[],"value":"blocked-user"}]}]}]}, + _dd.appsec.usr.id: anon_7bcd1c9fc4f6e4c2460e0ad38d6ad0d9, + _dd.appsec.usr.login: anon_eb97d409396a3e5392936dad92b909da, _dd.origin: appsec, _dd.runtime_family: dotnet }, diff --git a/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.anonmode-TestLoginWithSdk.not-blocked-user.verified.txt b/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.anonmode-TestLoginWithSdk.not-blocked-user.verified.txt index 5705760adc61..a317105b265e 100644 --- a/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.anonmode-TestLoginWithSdk.not-blocked-user.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.anonmode-TestLoginWithSdk.not-blocked-user.verified.txt 
@@ -32,6 +32,10 @@ usr.id: not-blocked-user, _dd.appsec.events.users.login.success.auto.mode: anonymization, _dd.appsec.events.users.login.success.sdk: true, + _dd.appsec.fp.http.endpoint: http-post-ae2b84ee-5843629a-, + _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-2-da57b738, + _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn-ef8eb89f---, _dd.appsec.usr.id: anon_7bcd1c9fc4f6e4c2460e0ad38d6ad0d9, _dd.appsec.usr.login: anon_eb97d409396a3e5392936dad92b909da, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.anonmode-login.auto.success.verified.txt b/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.anonmode-login.auto.success.verified.txt index 8d6e88f022e6..364ab87814d1 100644 --- a/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.anonmode-login.auto.success.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.anonmode-login.auto.success.verified.txt @@ -32,7 +32,7 @@ _dd.appsec.events.users.login.success.auto.mode: anonymization, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-2-da57b738, _dd.appsec.fp.http.network: net-1-1000000000, - _dd.appsec.fp.session: , + _dd.appsec.fp.session: ssn-ef8eb89f---, _dd.appsec.usr.id: anon_7bcd1c9fc4f6e4c2460e0ad38d6ad0d9, _dd.appsec.usr.login: anon_eb97d409396a3e5392936dad92b909da, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.defaultmode-TestAuthenticatedRequest.verified.txt b/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.defaultmode-TestAuthenticatedRequest.verified.txt index 19fafdccfc21..4819226bb04a 100644 --- a/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.defaultmode-TestAuthenticatedRequest.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.defaultmode-TestAuthenticatedRequest.verified.txt 
@@ -7,17 +7,22 @@ Service: Samples.Security.AspNetCore5, Type: web, Tags: { + actor.ip: 86.242.244.246, + appsec.blocked: true, + appsec.event: true, aspnet_core.endpoint: Samples.Security.AspNetCore5.Controllers.AccountController.SomeAuthenticatedAction (Samples.Security.AspNetCore5), aspnet_core.route: {controller=home}/{action=index}/{id?}, component: aspnet_core, env: integration_tests, http.client_ip: 127.0.0.1, + http.endpoint: {controller=home}/{action=index}/{id?}, http.method: GET, http.request.headers.host: localhost:00000, http.request.headers.user-agent: Mistake Not..., http.request.headers.x-forwarded-for: 86.242.244.246, + http.response.headers.content-type: application/json, http.route: {controller=home}/{action=index}/{id?}, - http.status_code: 200, + http.status_code: 403, http.url: http://localhost:00000/Account/SomeAuthenticatedAction, http.useragent: Mistake Not..., language: dotnet, @@ -25,16 +30,26 @@ runtime-id: Guid_1, span.kind: server, usr.id: Guid_2, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn-74ff86eb--, + _dd.appsec.json: {"triggers":[{"rule":{"id":"blk-001-002","name":"Block User Addresses","tags":{"category":"security_response","type":"block_user"}},"rule_matches":[{"operator":"exact_match","operator_value":"","parameters":[{"address":"usr.id","highlight":["Guid_2"],"key_path":[],"value":"Guid_2"}]}]}]}, _dd.appsec.user.collection_mode: identification, _dd.appsec.usr.id: Guid_2, + _dd.origin: appsec, _dd.runtime_family: dotnet }, Metrics: { process_id: 0, _dd.appsec.enabled: 1.0, + _dd.appsec.waf.duration: 0.0, + _dd.appsec.waf.duration_ext: 0.0, _dd.top_level: 1.0, _dd.tracer_kr: 1.0, _sampling_priority_v1: 2.0 + }, + MetaStruct: { + appsec: } } ] \ No newline at end of file 
diff --git a/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.defaultmode-TestLoginWithSdk.blocked-user.verified.txt b/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.defaultmode-TestLoginWithSdk.blocked-user.verified.txt index 58504e328e0a..140ecc1498e5 100644 --- a/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.defaultmode-TestLoginWithSdk.blocked-user.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.defaultmode-TestLoginWithSdk.blocked-user.verified.txt @@ -12,6 +12,7 @@ appsec.event: true, appsec.events.users.login.success.some-metadata: some-value, appsec.events.users.login.success.track: true, + appsec.events.users.login.success.usr.login: TestUser, aspnet_core.endpoint: Samples.Security.AspNetCore5.Controllers.AccountController.Index (Samples.Security.AspNetCore5), aspnet_core.route: {controller=home}/{action=index}/{id?}, component: aspnet_core, @@ -34,12 +35,15 @@ runtime-id: Guid_1, span.kind: server, usr.id: blocked-user, + _dd.appsec.events.users.login.success.auto.mode: identification, _dd.appsec.events.users.login.success.sdk: true, _dd.appsec.fp.http.endpoint: http-post-ae2b84ee-5843629a-, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-2-da57b738, _dd.appsec.fp.http.network: net-1-1000000000, - _dd.appsec.fp.session: , + _dd.appsec.fp.session: ssn-7bcd1c9f---, _dd.appsec.json: {"triggers":[{"rule":{"id":"blk-001-002","name":"Block User Addresses","tags":{"category":"security_response","type":"block_user"}},"rule_matches":[{"operator":"exact_match","operator_value":"","parameters":[{"address":"usr.id","highlight":["blocked-user"],"key_path":[],"value":"blocked-user"}]}]}]}, + _dd.appsec.usr.id: Guid_2, + _dd.appsec.usr.login: TestUser, _dd.origin: appsec, _dd.runtime_family: dotnet }, 
diff --git a/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.defaultmode-TestLoginWithSdk.not-blocked-user.verified.txt b/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.defaultmode-TestLoginWithSdk.not-blocked-user.verified.txt index 03d7d69b6ee2..d13f8afa29bf 100644 --- a/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.defaultmode-TestLoginWithSdk.not-blocked-user.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.defaultmode-TestLoginWithSdk.not-blocked-user.verified.txt @@ -32,6 +32,10 @@ usr.id: not-blocked-user, _dd.appsec.events.users.login.success.auto.mode: identification, _dd.appsec.events.users.login.success.sdk: true, + _dd.appsec.fp.http.endpoint: http-post-ae2b84ee-5843629a-, + _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-2-da57b738, + _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn-7bcd1c9f---, _dd.appsec.usr.id: Guid_2, _dd.appsec.usr.login: TestUser, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.defaultmode-login.auto.success.verified.txt b/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.defaultmode-login.auto.success.verified.txt index fda04aba14be..7c9b0480447c 100644 --- a/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.defaultmode-login.auto.success.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.defaultmode-login.auto.success.verified.txt @@ -32,7 +32,7 @@ _dd.appsec.events.users.login.success.auto.mode: identification, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-2-da57b738, _dd.appsec.fp.http.network: net-1-1000000000, - _dd.appsec.fp.session: , + _dd.appsec.fp.session: ssn-7bcd1c9f---, _dd.appsec.usr.id: Guid_2, _dd.appsec.usr.login: TestUser, _dd.runtime_family: dotnet 
diff --git a/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.extendedmode-TestAuthenticatedRequest.verified.txt b/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.extendedmode-TestAuthenticatedRequest.verified.txt index 19fafdccfc21..4819226bb04a 100644 --- a/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.extendedmode-TestAuthenticatedRequest.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.extendedmode-TestAuthenticatedRequest.verified.txt @@ -7,17 +7,22 @@ Service: Samples.Security.AspNetCore5, Type: web, Tags: { + actor.ip: 86.242.244.246, + appsec.blocked: true, + appsec.event: true, aspnet_core.endpoint: Samples.Security.AspNetCore5.Controllers.AccountController.SomeAuthenticatedAction (Samples.Security.AspNetCore5), aspnet_core.route: {controller=home}/{action=index}/{id?}, component: aspnet_core, env: integration_tests, http.client_ip: 127.0.0.1, + http.endpoint: {controller=home}/{action=index}/{id?}, http.method: GET, http.request.headers.host: localhost:00000, http.request.headers.user-agent: Mistake Not..., http.request.headers.x-forwarded-for: 86.242.244.246, + http.response.headers.content-type: application/json, http.route: {controller=home}/{action=index}/{id?}, - http.status_code: 200, + http.status_code: 403, http.url: http://localhost:00000/Account/SomeAuthenticatedAction, http.useragent: Mistake Not..., language: dotnet, 
@@ -25,16 +30,26 @@ runtime-id: Guid_1, span.kind: server, usr.id: Guid_2, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn-74ff86eb--, + _dd.appsec.json: {"triggers":[{"rule":{"id":"blk-001-002","name":"Block User Addresses","tags":{"category":"security_response","type":"block_user"}},"rule_matches":[{"operator":"exact_match","operator_value":"","parameters":[{"address":"usr.id","highlight":["Guid_2"],"key_path":[],"value":"Guid_2"}]}]}]}, _dd.appsec.user.collection_mode: identification, _dd.appsec.usr.id: Guid_2, + _dd.origin: appsec, _dd.runtime_family: dotnet }, Metrics: { process_id: 0, _dd.appsec.enabled: 1.0, + _dd.appsec.waf.duration: 0.0, + _dd.appsec.waf.duration_ext: 0.0, _dd.top_level: 1.0, _dd.tracer_kr: 1.0, _sampling_priority_v1: 2.0 + }, + MetaStruct: { + appsec: } } ] \ No newline at end of file diff --git a/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.extendedmode-TestLoginWithSdk.blocked-user.verified.txt b/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.extendedmode-TestLoginWithSdk.blocked-user.verified.txt index 58504e328e0a..0ac958f427eb 100644 --- a/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.extendedmode-TestLoginWithSdk.blocked-user.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.extendedmode-TestLoginWithSdk.blocked-user.verified.txt @@ -12,6 +12,7 @@ appsec.event: true, appsec.events.users.login.success.some-metadata: some-value, appsec.events.users.login.success.track: true, + appsec.events.users.login.success.usr.login: TestUser, aspnet_core.endpoint: Samples.Security.AspNetCore5.Controllers.AccountController.Index (Samples.Security.AspNetCore5), aspnet_core.route: {controller=home}/{action=index}/{id?}, component: aspnet_core, 
@@ -34,12 +35,15 @@ runtime-id: Guid_1, span.kind: server, usr.id: blocked-user, + _dd.appsec.events.users.login.success.auto.mode: identification, _dd.appsec.events.users.login.success.sdk: true, _dd.appsec.fp.http.endpoint: http-post-ae2b84ee-5843629a-, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-2-da57b738, _dd.appsec.fp.http.network: net-1-1000000000, - _dd.appsec.fp.session: , + _dd.appsec.fp.session: ssn-7bcd1c9f--- _dd.appsec.json: {"triggers":[{"rule":{"id":"blk-001-002","name":"Block User Addresses","tags":{"category":"security_response","type":"block_user"}},"rule_matches":[{"operator":"exact_match","operator_value":"","parameters":[{"address":"usr.id","highlight":["blocked-user"],"key_path":[],"value":"blocked-user"}]}]}]}, + _dd.appsec.usr.id: Guid_2, + _dd.appsec.usr.login: TestUser, _dd.origin: appsec, _dd.runtime_family: dotnet }, diff --git a/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.extendedmode-TestLoginWithSdk.not-blocked-user.verified.txt b/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.extendedmode-TestLoginWithSdk.not-blocked-user.verified.txt index 03d7d69b6ee2..970987b23d60 100644 --- a/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.extendedmode-TestLoginWithSdk.not-blocked-user.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.extendedmode-TestLoginWithSdk.not-blocked-user.verified.txt @@ -32,6 +32,10 @@ usr.id: not-blocked-user, _dd.appsec.events.users.login.success.auto.mode: identification, _dd.appsec.events.users.login.success.sdk: true, + _dd.appsec.fp.http.endpoint: http-post-ae2b84ee-5843629a-, + _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-2-da57b738, + _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn-7bcd1c9f--- _dd.appsec.usr.id: Guid_2, _dd.appsec.usr.login: TestUser, _dd.runtime_family: dotnet 
diff --git a/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.extendedmode-login.auto.success.verified.txt b/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.extendedmode-login.auto.success.verified.txt index fda04aba14be..7c9b0480447c 100644 --- a/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.extendedmode-login.auto.success.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.extendedmode-login.auto.success.verified.txt @@ -32,7 +32,7 @@ _dd.appsec.events.users.login.success.auto.mode: identification, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-2-da57b738, _dd.appsec.fp.http.network: net-1-1000000000, - _dd.appsec.fp.session: , + _dd.appsec.fp.session: ssn-7bcd1c9f---, _dd.appsec.usr.id: Guid_2, _dd.appsec.usr.login: TestUser, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.identmode-TestAuthenticatedRequest.verified.txt b/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.identmode-TestAuthenticatedRequest.verified.txt index 19fafdccfc21..4819226bb04a 100644 --- a/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.identmode-TestAuthenticatedRequest.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.identmode-TestAuthenticatedRequest.verified.txt 
@@ -7,17 +7,22 @@ Service: Samples.Security.AspNetCore5, Type: web, Tags: { + actor.ip: 86.242.244.246, + appsec.blocked: true, + appsec.event: true, aspnet_core.endpoint: Samples.Security.AspNetCore5.Controllers.AccountController.SomeAuthenticatedAction (Samples.Security.AspNetCore5), aspnet_core.route: {controller=home}/{action=index}/{id?}, component: aspnet_core, env: integration_tests, http.client_ip: 127.0.0.1, + http.endpoint: {controller=home}/{action=index}/{id?}, http.method: GET, http.request.headers.host: localhost:00000, http.request.headers.user-agent: Mistake Not..., http.request.headers.x-forwarded-for: 86.242.244.246, + http.response.headers.content-type: application/json, http.route: {controller=home}/{action=index}/{id?}, - http.status_code: 200, + http.status_code: 403, http.url: http://localhost:00000/Account/SomeAuthenticatedAction, http.useragent: Mistake Not..., language: dotnet, @@ -25,16 +30,26 @@ runtime-id: Guid_1, span.kind: server, usr.id: Guid_2, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn-74ff86eb--, + _dd.appsec.json: {"triggers":[{"rule":{"id":"blk-001-002","name":"Block User Addresses","tags":{"category":"security_response","type":"block_user"}},"rule_matches":[{"operator":"exact_match","operator_value":"","parameters":[{"address":"usr.id","highlight":["Guid_2"],"key_path":[],"value":"Guid_2"}]}]}]}, _dd.appsec.user.collection_mode: identification, _dd.appsec.usr.id: Guid_2, + _dd.origin: appsec, _dd.runtime_family: dotnet }, Metrics: { process_id: 0, _dd.appsec.enabled: 1.0, + _dd.appsec.waf.duration: 0.0, + _dd.appsec.waf.duration_ext: 0.0, _dd.top_level: 1.0, _dd.tracer_kr: 1.0, _sampling_priority_v1: 2.0 + }, + MetaStruct: { + appsec: } } ] \ No newline at end of file 
diff --git a/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.identmode-TestLoginWithSdk.blocked-user.verified.txt b/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.identmode-TestLoginWithSdk.blocked-user.verified.txt index 58504e328e0a..140ecc1498e5 100644 --- a/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.identmode-TestLoginWithSdk.blocked-user.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.identmode-TestLoginWithSdk.blocked-user.verified.txt @@ -12,6 +12,7 @@ appsec.event: true, appsec.events.users.login.success.some-metadata: some-value, appsec.events.users.login.success.track: true, + appsec.events.users.login.success.usr.login: TestUser, aspnet_core.endpoint: Samples.Security.AspNetCore5.Controllers.AccountController.Index (Samples.Security.AspNetCore5), aspnet_core.route: {controller=home}/{action=index}/{id?}, component: aspnet_core, @@ -34,12 +35,15 @@ runtime-id: Guid_1, span.kind: server, usr.id: blocked-user, + _dd.appsec.events.users.login.success.auto.mode: identification, _dd.appsec.events.users.login.success.sdk: true, _dd.appsec.fp.http.endpoint: http-post-ae2b84ee-5843629a-, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-2-da57b738, _dd.appsec.fp.http.network: net-1-1000000000, - _dd.appsec.fp.session: , + _dd.appsec.fp.session: ssn-7bcd1c9f---, _dd.appsec.json: {"triggers":[{"rule":{"id":"blk-001-002","name":"Block User Addresses","tags":{"category":"security_response","type":"block_user"}},"rule_matches":[{"operator":"exact_match","operator_value":"","parameters":[{"address":"usr.id","highlight":["blocked-user"],"key_path":[],"value":"blocked-user"}]}]}]}, + _dd.appsec.usr.id: Guid_2, + _dd.appsec.usr.login: TestUser, _dd.origin: appsec, _dd.runtime_family: dotnet }, 
diff --git a/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.identmode-TestLoginWithSdk.not-blocked-user.verified.txt b/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.identmode-TestLoginWithSdk.not-blocked-user.verified.txt index 03d7d69b6ee2..d13f8afa29bf 100644 --- a/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.identmode-TestLoginWithSdk.not-blocked-user.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.identmode-TestLoginWithSdk.not-blocked-user.verified.txt @@ -32,6 +32,10 @@ usr.id: not-blocked-user, _dd.appsec.events.users.login.success.auto.mode: identification, _dd.appsec.events.users.login.success.sdk: true, + _dd.appsec.fp.http.endpoint: http-post-ae2b84ee-5843629a-, + _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-2-da57b738, + _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn-7bcd1c9f---, _dd.appsec.usr.id: Guid_2, _dd.appsec.usr.login: TestUser, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.identmode-login.auto.success.verified.txt b/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.identmode-login.auto.success.verified.txt index fda04aba14be..7c9b0480447c 100644 --- a/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.identmode-login.auto.success.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore5AutoUserEvents.SecurityOn.identmode-login.auto.success.verified.txt @@ -32,7 +32,7 @@ _dd.appsec.events.users.login.success.auto.mode: identification, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-2-da57b738, _dd.appsec.fp.http.network: net-1-1000000000, - _dd.appsec.fp.session: , + _dd.appsec.fp.session: ssn-7bcd1c9f---, _dd.appsec.usr.id: Guid_2, _dd.appsec.usr.login: TestUser, _dd.runtime_family: dotnet 
diff --git a/tracer/test/test-applications/security/Samples.Security.AspNetCore5/Controllers/AccountController.cs b/tracer/test/test-applications/security/Samples.Security.AspNetCore5/Controllers/AccountController.cs
index 4d7efbd84a4d..7d9b75fd8c7c 100644
--- a/tracer/test/test-applications/security/Samples.Security.AspNetCore5/Controllers/AccountController.cs
+++ b/tracer/test/test-applications/security/Samples.Security.AspNetCore5/Controllers/AccountController.cs
@@ -70,14 +70,15 @@ public async Task Index(LoginModel model, string userIdSdk = null
 if (ModelState.IsValid)
 {
+ // This doesn't count login failures towards account lockout
+ // To enable password failures to trigger account lockout, set lockoutOnFailure: true
+ var result = await _signInManager.PasswordSignInAsync(model.Input.UserName, model.Input.Password, model.Input.RememberMe, lockoutOnFailure: false);
+
 if (userIdSdk is not null)
 {
 SampleHelpers.TrackUserLoginSuccessEvent(userIdSdk, new Dictionary { { "some-metadata", "some-value" } });
 }
- // This doesn't count login failures towards account lockout
- // To enable password failures to trigger account lockout, set lockoutOnFailure: true
- var result = await _signInManager.PasswordSignInAsync(model.Input.UserName, model.Input.Password, model.Input.RememberMe, lockoutOnFailure: false);
 if (result.Succeeded)
 {
 return LocalRedirect(returnUrl);
diff --git a/tracer/test/test-applications/security/Samples.Security.AspNetCore5/Data/app.db b/tracer/test/test-applications/security/Samples.Security.AspNetCore5/Data/app.db
index fabb0e55f510..f25c8f6e0853 100644
Binary files a/tracer/test/test-applications/security/Samples.Security.AspNetCore5/Data/app.db and b/tracer/test/test-applications/security/Samples.Security.AspNetCore5/Data/app.db differ
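Review bot: `SampleHelpers.TrackUserLoginSuccessEvent(userIdSdk, …)` still runs regardless of `result.Succeeded`, so after this reorder a request with a wrong password and a `userIdSdk` parameter emits a login-success event for that user even though `PasswordSignInAsync` has already failed; if the sample needs that to exercise the SDK path on failures, say so in a comment, otherwise guard it with `if (userIdSdk is not null && result.Succeeded)`. The reason for moving the sign-in above the SDK call is not recorded either; a one-liner above the call such as `// sign in first so the automatic login event is recorded before the SDK event on the same span` would capture it, hedged as that is what the updated snapshots (`usr.id: blocked-user` next to `_dd.appsec.usr.id: Guid_2`) appear to show. The `Index` action starts and ends outside the hunk.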
diff --git a/tracer/test/test-applications/security/Samples.Security.AspNetCore5/IdentityStores/UserStoreMemory.cs b/tracer/test/test-applications/security/Samples.Security.AspNetCore5/IdentityStores/UserStoreMemory.cs
index 6ce2f2dce13f..f138bf4e5f26 100644
--- a/tracer/test/test-applications/security/Samples.Security.AspNetCore5/IdentityStores/UserStoreMemory.cs
+++ b/tracer/test/test-applications/security/Samples.Security.AspNetCore5/IdentityStores/UserStoreMemory.cs
@@ -38,6 +38,17 @@ public static void ResetUsers()
 SecurityStamp = "PPJ7EANBPPIM25HTJRHDSZVPOBQJMP7Q",
 UserName = "TestUser",
 ConcurrencyStamp = "eeb5d586-783a-4a75-93e3-df74ef4d9f73"
+ },
+ new("test2@test.com")
+ {
+ Email = "test2@test.com",
+ PasswordHash = "AQAAAAIAAYagAAAAEOpkI+Vw7e7YUro1OpY0UCr8FxtBeSV0bTdzcgf4HmwCfFgS12Yipf1E0bcs9uuUiA==",
+ Id = "7ccfa5b9-14c2-42b9-8064-834b8293aef4",
+ NormalizedEmail = "TEST2@TEST.COM",
+ NormalizedUserName = "TESTUSER2",
+ SecurityStamp = "2AFTZIXH6MBODNXN5XENLPL7QZ7TVRN3",
+ UserName = "TestUser2",
+ ConcurrencyStamp = "e520fe87-a80e-4d42-8976-51e30f066bb7"
 }
 };
 }
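Review bot: The new TestUser2 entry's `Id` is referenced verbatim by the integration test's blocked_users payload and has to match the row added to the binary `Data/app.db` in this same change, but nothing in the store records that coupling; add above `new("test2@test.com")` a comment like `// Id and password ("test", see AspNetCore5AutoUserEvents.TestAuthenticatedRequest) must stay in sync with Data/app.db; the test blocks this id via RCM`. The password is not recoverable from `PasswordHash`, so that comment is the only place a maintainer can learn it — the integration test submits `Input.Password=test` for this user. `ResetUsers` starts before the hunk.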