Response to comments: improve tests
anna-git committed Jan 16, 2025
1 parent 08063d0 commit a064bf5
Showing 28 changed files with 191 additions and 51 deletions.
Expand Up @@ -8,7 +8,6 @@
using System.Collections.Generic;
using Datadog.Trace.AppSec.Waf;
using Datadog.Trace.Headers;
using Datadog.Trace.Vendors.Serilog;
#if !NETFRAMEWORK
using Microsoft.AspNetCore.Http;
#else
Expand Up @@ -10,6 +10,7 @@
using System.Collections;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.CompilerServices;
using Datadog.Trace.AppSec.Waf;
using Datadog.Trace.Headers;
using Datadog.Trace.Util.Http;
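--- a/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.cs
+++ b/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.cs
@@ -149,29 +149,6 @@ internal readonly partial struct SecurityCoordinator
 return result;
 }
 
-internal IContext? GetOrCreateAdditiveContext()
-{
-var additiveContext = _httpTransport.GetAdditiveContext();
-
-if (additiveContext == null)
-{
-additiveContext = _security.CreateAdditiveContext();
-// prevent very cases where waf has been disposed between here and has been passed as argument until the 2nd line of constructor..
-if (additiveContext is not null)
-{
-_httpTransport.SetAdditiveContext(additiveContext);
-}
-}
-
-if (!_httpTransport.IsAdditiveContextDisposed())
-{
-return additiveContext;
-}
-
-Log.Warning("Waf could not run as waf additive context is disposed");
-return null;
-}
-
 private static void RecordTelemetry(IResult? result)
 {
 if (result == null)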
1 change: 0 additions & 1 deletion tracer/src/Datadog.Trace/AppSec/Security.cs
Expand Up @@ -632,7 +632,6 @@ internal bool IsMetaStructSupported()

private void UpdateActiveAddresses()
{
// So far, RASP is the only one that uses this
if (_waf?.IsKnowAddressesSuported() is true)
{
var addresses = _waf.GetKnownAddresses();
Expand Up @@ -10,6 +10,8 @@
using System.Net;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using Datadog.Trace.AppSec.Rcm.Models.AsmData;
using Datadog.Trace.RemoteConfigurationManagement;
using Datadog.Trace.TestHelpers;
using FluentAssertions;
using VerifyTests;
Expand Down Expand Up @@ -91,8 +93,33 @@ protected async Task TestAuthenticatedRequest()
{
await TryStartApp();
var settings = VerifyHelper.GetSpanVerifierSettings();
VerifyScrubber.ScrubSessionFingerprint(settings);
var request = await SubmitRequest("/Account/Index", "Input.UserName=TestUser2&Input.Password=test", contentType: "application/x-www-form-urlencoded");
request.StatusCode.Should().Be(HttpStatusCode.OK);
// this is for testuser2 in the in memory user store and appdb
var userId = "7ccfa5b9-14c2-42b9-8064-834b8293aef4";
var request2 = await _fixture.Agent.SetupRcmAndWait(
Output,
[
(new Payload
{
RulesData =
[
new RuleData
{
Id = "blocked_users",
Type = "data_with_expiration",
Data =
[
new Data { Expiration = 0, Value = userId }, new Data { Expiration = 0, Value = "blocked-user" }
]
}
]
},
RcmProducts.AsmData, nameof(TestAuthenticatedRequest)),
]);
request2.Should().NotBeNull();
request2.CachedTargetFiles.Should().HaveCount(_enableSecurity ? 1 : 0);
await TestAppSecRequestWithVerifyAsync(_fixture.Agent, "/Account/SomeAuthenticatedAction", null, 1, 1, settings, fileNameOverride: GetTestFileName(nameof(TestAuthenticatedRequest)));
// reset memory database (useless for net7 as it runs with EF7 on app.db
await SendRequestsAsync(_fixture.Agent, "/account/reset-memory-db");
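Review bot: The `blocked_users` rules data pushed through `SetupRcmAndWait` is never reverted, so if `_fixture.Agent` is shared by the other tests in this class, `7ccfa5b9-…` and `blocked-user` stay blocked for every request that follows this test (the existing blocked/not-blocked snapshots appear to rely on `blocked-user` being blocked already, but the GUID is new shared state). Consider wrapping the `TestAppSecRequestWithVerifyAsync` call in `try/finally` and pushing a payload whose `RulesData` restores the previous `blocked_users` entries (or an empty list) before the `reset-memory-db` request. The hard-coded GUID is only explained by the inline comment; a named constant such as `private const string TestUser2Id = "7ccfa5b9-14c2-42b9-8064-834b8293aef4"; // must match the user seeded in Data/app.db` would make the coupling to the modified binary fixture explicit. `Expiration = 0` presumably means "never expires"; a short comment saying so would save the next reader a lookup. The body of `TestAuthenticatedRequest` continues past the end of the hunk.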
Binary file modified tracer/test/Datadog.Trace.Security.IntegrationTests/Data/app.db
Expand Up @@ -2,7 +2,10 @@
// Unless explicitly stated otherwise all files in this repository are licensed under the Apache 2 License.
// This product includes software developed at Datadog (https://www.datadoghq.com/). Copyright 2017 Datadog, Inc.
// </copyright>

#nullable enable

#if !NETFRAMEWORK
using System.Text.RegularExpressions;
using Datadog.Trace.TestHelpers;
using VerifyTests;
Expand All @@ -11,14 +14,59 @@ namespace Datadog.Trace.Security.IntegrationTests;

internal class VerifyScrubber
{
private static readonly Regex AppSecFingerPrintSession = new(@"_dd.appsec.fp.session: ssn.[\s\-a-z0-9]*", RegexOptions.IgnoreCase | RegexOptions.Compiled);
private static readonly Regex AppSecFingerPrintSession = new(@"_dd\.appsec\.fp\.session: ssn-[a-zA-Z0-9]+-(?<CookieFields>[a-zA-Z0-9]*)-(?<CookieValues>[a-zA-Z0-9]*)-(?<SessionFp>[a-zA-Z0-9]*),?", RegexOptions.IgnoreCase | RegexOptions.Compiled);
private static readonly Regex AppSecFingerPrintSessionRemove = new(@"(_dd\.appsec\.fp\.session: ssn-)[a-zA-Z0-9-]+(,?)", RegexOptions.IgnoreCase | RegexOptions.Compiled);
private static readonly Regex AuthenticationCollectionMode = new(@"_dd.appsec.user.collection_mode: .*,", RegexOptions.IgnoreCase | RegexOptions.Compiled);

public static void ScrubAuthenticatedTags(VerifySettings settings)
/// <summary>
/// for login events we remove everything as diff versions of net core behave differently, setting or not the session on the login call.
/// it doesnt matter as this is tested and ensured by authenticated requests tests (HttpContext.SetUser instrum)
/// </summary>
/// <param name="settings">settings</param>
internal static void ScrubAuthenticatedTags(VerifySettings settings)
{
// these tags are added by HttpContext.SetUser. After a login event it's not always called by all framework versions
// we dont want to test authenticated tags here anyway, as they're tested by TestAuthenticatedRequest
settings.AddRegexScrubber(AuthenticationCollectionMode, string.Empty);
settings.AddRegexScrubber(AppSecFingerPrintSession, "_dd.appsec.fp.session: <SessionFp>");
settings.AddRegexScrubber(AppSecFingerPrintSessionRemove, "$1<fingerprint>$2");
}

/// <summary>
/// Everytime we are going to have a different session id so we need to at least scrub the part with the session generated by the aspnet core everytime auth takes place
/// No need to scrub user id as we know it beforehands
/// this is _dd.appsec.fp.session: ssn-[userid]-[cookiesfield]-[cookies]-[sessionfp],
/// if we have: _dd.appsec.fp.session: ssn-asd1-asd2-asd3-1234 > _dd.appsec.fp.session: ssn-asd1-<cookiesfield>-<cookies>-<sessionFp>,
/// if we have: _dd.appsec.fp.session: ssn-asd1---1234 > _dd.appsec.fp.session: ssn-asd1---<sessionFp>,
/// if we have: _dd.appsec.fp.session: ssn-asd1--- > _dd.appsec.fp.session: ssn-asd1---,
/// </summary>
/// <param name="settings">settings</param>
internal static void ScrubSessionFingerprint(VerifySettings settings)
{
settings.AddScrubber(
s =>
{
var result = AppSecFingerPrintSession.Match(s.ToString());
if (result is { Groups.Count: > 0 })
{
var indexAdjustment = 0;
foreach (var res in result.Groups)
{
if (res is not Match && res is Group { Success: true } g)
{
var oldValue = g.Value;
if (string.IsNullOrEmpty(oldValue))
{
continue;
}

var replaceValue = string.IsNullOrEmpty(g.Value) ? string.Empty : $"<{g.Name}>";
s.Replace(g.Value, replaceValue, g.Index + indexAdjustment, g.Length);
indexAdjustment += replaceValue.Length - oldValue.Length;
}
}
}
});
}
}

#endif
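Review bot: `ScrubSessionFingerprint` calls `AppSecFingerPrintSession.Match(...)` and so scrubs only the first `_dd.appsec.fp.session` occurrence in the snapshot text; when a verified file contains several spans carrying that tag (a login span plus the authenticated-action span, for instance), every later occurrence keeps its run-specific cookie and session hashes and the snapshot becomes non-deterministic. Iterating `Matches` and carrying `indexAdjustment` across matches fixes this, since the adjustment is an offset into the whole builder, not into one match. While there, the `string.IsNullOrEmpty(g.Value) ? string.Empty : ...` ternary is dead code because the preceding `continue` already skips empty groups; folding the emptiness check into the pattern (`Group { Success: true, Value.Length: > 0 } g`) keeps the same behaviour with one less branch. The file already uses extended property patterns (`{ Groups.Count: > 0 }`), so this stays within its language level.
```csharp
settings.AddScrubber(
    s =>
    {
        // offset between group positions in the original text and in the builder after earlier replacements
        var indexAdjustment = 0;
        foreach (Match result in AppSecFingerPrintSession.Matches(s.ToString()))
        {
            foreach (var res in result.Groups)
            {
                if (res is not Match && res is Group { Success: true, Value.Length: > 0 } g)
                {
                    var replaceValue = $"<{g.Name}>";
                    s.Replace(g.Value, replaceValue, g.Index + indexAdjustment, g.Length);
                    indexAdjustment += replaceValue.Length - g.Length;
                }
            }
        }
    });
```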
Expand Up @@ -32,7 +32,7 @@
_dd.appsec.events.users.login.success.auto.mode: identification,
_dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-2-da57b738,
_dd.appsec.fp.http.network: net-1-1000000000,
_dd.appsec.fp.session: <SessionFp>,
_dd.appsec.fp.session: ssn-<fingerprint>,
_dd.appsec.usr.id: Guid_2,
_dd.appsec.usr.login: TestUser,
_dd.runtime_family: dotnet
@@ -1,4 +1,4 @@
[
[
{
TraceId: Id_1,
SpanId: Id_2,
Expand Down Expand Up @@ -32,7 +32,7 @@
_dd.appsec.events.users.login.success.auto.mode: identification,
_dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-2-da57b738,
_dd.appsec.fp.http.network: net-1-1000000000,
_dd.appsec.fp.session: <SessionFp>,
_dd.appsec.fp.session: ssn-<fingerprint>,
_dd.appsec.usr.id: Guid_2,
_dd.appsec.usr.login: TestUser,
_dd.runtime_family: dotnet
Expand Up @@ -24,9 +24,9 @@
network.client.ip: 127.0.0.1,
runtime-id: Guid_1,
span.kind: server,
usr.id: anon_7bcd1c9fc4f6e4c2460e0ad38d6ad0d9,
usr.id: anon_74ff86ebe90bfdc4f169315d955bacd1,
_dd.appsec.user.collection_mode: anonymization,
_dd.appsec.usr.id: anon_7bcd1c9fc4f6e4c2460e0ad38d6ad0d9,
_dd.appsec.usr.id: anon_74ff86ebe90bfdc4f169315d955bacd1,
_dd.runtime_family: dotnet
},
Metrics: {
Expand Up @@ -12,6 +12,7 @@
appsec.event: true,
appsec.events.users.login.success.some-metadata: some-value,
appsec.events.users.login.success.track: true,
appsec.events.users.login.success.usr.login: anon_eb97d409396a3e5392936dad92b909da,
aspnet_core.endpoint: Samples.Security.AspNetCore5.Controllers.AccountController.Index (Samples.Security.AspNetCore5),
aspnet_core.route: {controller=home}/{action=index}/{id?},
component: aspnet_core,
Expand All @@ -34,12 +35,15 @@
runtime-id: Guid_1,
span.kind: server,
usr.id: blocked-user,
_dd.appsec.events.users.login.success.auto.mode: anonymization,
_dd.appsec.events.users.login.success.sdk: true,
_dd.appsec.fp.http.endpoint: http-post-ae2b84ee-5843629a-,
_dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-2-da57b738,
_dd.appsec.fp.http.network: net-1-1000000000,
_dd.appsec.fp.session: <SessionFp>,
_dd.appsec.fp.session: ssn-<fingerprint>,
_dd.appsec.json: {"triggers":[{"rule":{"id":"blk-001-002","name":"Block User Addresses","tags":{"category":"security_response","type":"block_user"}},"rule_matches":[{"operator":"exact_match","operator_value":"","parameters":[{"address":"usr.id","highlight":["blocked-user"],"key_path":[],"value":"blocked-user"}]}]}]},
_dd.appsec.usr.id: anon_7bcd1c9fc4f6e4c2460e0ad38d6ad0d9,
_dd.appsec.usr.login: anon_eb97d409396a3e5392936dad92b909da,
_dd.origin: appsec,
_dd.runtime_family: dotnet
},
Expand Up @@ -32,6 +32,10 @@
usr.id: not-blocked-user,
_dd.appsec.events.users.login.success.auto.mode: anonymization,
_dd.appsec.events.users.login.success.sdk: true,
_dd.appsec.fp.http.endpoint: http-post-ae2b84ee-5843629a-,
_dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-2-da57b738,
_dd.appsec.fp.http.network: net-1-1000000000,
_dd.appsec.fp.session: ssn-<fingerprint>,
_dd.appsec.usr.id: anon_7bcd1c9fc4f6e4c2460e0ad38d6ad0d9,
_dd.appsec.usr.login: anon_eb97d409396a3e5392936dad92b909da,
_dd.runtime_family: dotnet
@@ -1,4 +1,4 @@
[
[
{
TraceId: Id_1,
SpanId: Id_2,
Expand Down Expand Up @@ -32,7 +32,7 @@
_dd.appsec.events.users.login.success.auto.mode: anonymization,
_dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-2-da57b738,
_dd.appsec.fp.http.network: net-1-1000000000,
_dd.appsec.fp.session: <SessionFp>,
_dd.appsec.fp.session: ssn-<fingerprint>,
_dd.appsec.usr.id: anon_7bcd1c9fc4f6e4c2460e0ad38d6ad0d9,
_dd.appsec.usr.login: anon_eb97d409396a3e5392936dad92b909da,
_dd.runtime_family: dotnet
Expand Up @@ -7,34 +7,49 @@
Service: Samples.Security.AspNetCore5,
Type: web,
Tags: {
actor.ip: 86.242.244.246,
appsec.blocked: true,
appsec.event: true,
aspnet_core.endpoint: Samples.Security.AspNetCore5.Controllers.AccountController.SomeAuthenticatedAction (Samples.Security.AspNetCore5),
aspnet_core.route: {controller=home}/{action=index}/{id?},
component: aspnet_core,
env: integration_tests,
http.client_ip: 127.0.0.1,
http.endpoint: {controller=home}/{action=index}/{id?},
http.method: GET,
http.request.headers.host: localhost:00000,
http.request.headers.user-agent: Mistake Not...,
http.request.headers.x-forwarded-for: 86.242.244.246,
http.response.headers.content-type: application/json,
http.route: {controller=home}/{action=index}/{id?},
http.status_code: 200,
http.status_code: 403,
http.url: http://localhost:00000/Account/SomeAuthenticatedAction,
http.useragent: Mistake Not...,
language: dotnet,
network.client.ip: 127.0.0.1,
runtime-id: Guid_1,
span.kind: server,
usr.id: Guid_2,
_dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63,
_dd.appsec.fp.http.network: net-1-1000000000,
_dd.appsec.fp.session: ssn-74ff86eb-<CookieFields>-<CookieValues>-<SessionFp>,
_dd.appsec.json: {"triggers":[{"rule":{"id":"blk-001-002","name":"Block User Addresses","tags":{"category":"security_response","type":"block_user"}},"rule_matches":[{"operator":"exact_match","operator_value":"","parameters":[{"address":"usr.id","highlight":["Guid_2"],"key_path":[],"value":"Guid_2"}]}]}]},
_dd.appsec.user.collection_mode: identification,
_dd.appsec.usr.id: Guid_2,
_dd.origin: appsec,
_dd.runtime_family: dotnet
},
Metrics: {
process_id: 0,
_dd.appsec.enabled: 1.0,
_dd.appsec.waf.duration: 0.0,
_dd.appsec.waf.duration_ext: 0.0,
_dd.top_level: 1.0,
_dd.tracer_kr: 1.0,
_sampling_priority_v1: 2.0
},
MetaStruct: {
appsec:
}
}
]
Expand Up @@ -12,6 +12,7 @@
appsec.event: true,
appsec.events.users.login.success.some-metadata: some-value,
appsec.events.users.login.success.track: true,
appsec.events.users.login.success.usr.login: TestUser,
aspnet_core.endpoint: Samples.Security.AspNetCore5.Controllers.AccountController.Index (Samples.Security.AspNetCore5),
aspnet_core.route: {controller=home}/{action=index}/{id?},
component: aspnet_core,
Expand All @@ -34,12 +35,15 @@
runtime-id: Guid_1,
span.kind: server,
usr.id: blocked-user,
_dd.appsec.events.users.login.success.auto.mode: identification,
_dd.appsec.events.users.login.success.sdk: true,
_dd.appsec.fp.http.endpoint: http-post-ae2b84ee-5843629a-,
_dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-2-da57b738,
_dd.appsec.fp.http.network: net-1-1000000000,
_dd.appsec.fp.session: <SessionFp>,
_dd.appsec.fp.session: ssn-<fingerprint>,
_dd.appsec.json: {"triggers":[{"rule":{"id":"blk-001-002","name":"Block User Addresses","tags":{"category":"security_response","type":"block_user"}},"rule_matches":[{"operator":"exact_match","operator_value":"","parameters":[{"address":"usr.id","highlight":["blocked-user"],"key_path":[],"value":"blocked-user"}]}]}]},
_dd.appsec.usr.id: Guid_2,
_dd.appsec.usr.login: TestUser,
_dd.origin: appsec,
_dd.runtime_family: dotnet
},
Expand Up @@ -32,6 +32,10 @@
usr.id: not-blocked-user,
_dd.appsec.events.users.login.success.auto.mode: identification,
_dd.appsec.events.users.login.success.sdk: true,
_dd.appsec.fp.http.endpoint: http-post-ae2b84ee-5843629a-,
_dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-2-da57b738,
_dd.appsec.fp.http.network: net-1-1000000000,
_dd.appsec.fp.session: ssn-<fingerprint>,
_dd.appsec.usr.id: Guid_2,
_dd.appsec.usr.login: TestUser,
_dd.runtime_family: dotnet
@@ -1,4 +1,4 @@
[
[
{
TraceId: Id_1,
SpanId: Id_2,
Expand Down Expand Up @@ -32,7 +32,7 @@
_dd.appsec.events.users.login.success.auto.mode: identification,
_dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-2-da57b738,
_dd.appsec.fp.http.network: net-1-1000000000,
_dd.appsec.fp.session: <SessionFp>,
_dd.appsec.fp.session: ssn-<fingerprint>,
_dd.appsec.usr.id: Guid_2,
_dd.appsec.usr.login: TestUser,
_dd.runtime_family: dotnet
