Configuration to Disable APM Tracing (#8219)

What Does This Do
Change Env var DD_EXPERIMENTAL_APPSEC_ENABLED = true for DD_APM_TRACING_ENABLED = false
AsmStandaloneSampler should be use when APM tracing is disabled, so it's renamed to ApmTracingDisabledSampler
Change _dd.p.appsec = 1 when there is an ASM event for a a two-character-long hex string _dd.p.ts

Author: jandro996

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/Reporter.java

@@ -8,6 +8,7 @@
 import com.datadog.iast.model.VulnerabilityBatch;
 import com.datadog.iast.taint.TaintedObjects;
 import datadog.trace.api.Config;
+import datadog.trace.api.ProductTraceSource;
 import datadog.trace.api.gateway.RequestContext;
 import datadog.trace.api.gateway.RequestContextSlot;
 import datadog.trace.api.internal.TraceSegment;
@@ -125,7 +126,7 @@ private VulnerabilityBatch getOrCreateVulnerabilityBatch(final AgentSpan span) {
       // TODO: We need to check if we can have an API with more fine-grained semantics on why traces
       // are kept.
       segment.setTagTop(Tags.ASM_KEEP, true);
-      segment.setTagTop(Tags.PROPAGATED_APPSEC, true);
+      segment.setTagTop(Tags.PROPAGATED_TRACE_SOURCE, ProductTraceSource.ASM);
       return batch;
     }
 

dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/ReporterTest.groovy

@@ -6,6 +6,7 @@ import com.datadog.iast.model.Vulnerability
 import com.datadog.iast.model.VulnerabilityBatch
 import com.datadog.iast.model.VulnerabilityType
 import datadog.trace.api.Config
+import datadog.trace.api.ProductTraceSource
 import datadog.trace.api.gateway.RequestContext
 import datadog.trace.api.gateway.RequestContextSlot
 import datadog.trace.api.internal.TraceSegment
@@ -85,7 +86,7 @@ class ReporterTest extends DDSpecification {
       ]
     }''', batch.toString(), true)
     1 * traceSegment.setTagTop('asm.keep', true)
-    1 * traceSegment.setTagTop('_dd.p.appsec', true)
+    1 * traceSegment.setTagTop('_dd.p.ts', ProductTraceSource.ASM)
     1 * reqCtx.getOrCreateMetaStructTop('_dd.stack', _)  >> { stackTraceBatch }
     assertStackTrace(stackTraceBatch, v)
     0 * _
@@ -135,7 +136,7 @@ class ReporterTest extends DDSpecification {
       ]
     }''', batch.toString(), true)
     1 * traceSegment.setTagTop('asm.keep', true)
-    1 * traceSegment.setTagTop('_dd.p.appsec', true)
+    1 * traceSegment.setTagTop('_dd.p.ts', ProductTraceSource.ASM)
     0 * _
   }
 
@@ -206,7 +207,7 @@ class ReporterTest extends DDSpecification {
       ]
     }''', batch.toString(), true)
     1 * traceSegment.setTagTop('asm.keep', true)
-    1 * traceSegment.setTagTop('_dd.p.appsec', true)
+    1 * traceSegment.setTagTop('_dd.p.ts', ProductTraceSource.ASM)
     assertStackTrace(stackTraceBatch, [v1, v2] as Vulnerability[])
     0 * _
   }
@@ -331,7 +332,7 @@ class ReporterTest extends DDSpecification {
     1 * traceSegment.getDataTop('iast') >> null
     1 * traceSegment.setDataTop('iast', _ as VulnerabilityBatch)
     1 * traceSegment.setTagTop('asm.keep', true)
-    1 * traceSegment.setTagTop('_dd.p.appsec', true)
+    1 * traceSegment.setTagTop('_dd.p.ts', ProductTraceSource.ASM)
     1 * traceSegment.setTagTop('_dd.iast.enabled', 1)
     1 * reqCtx.getOrCreateMetaStructTop('_dd.stack', _) >> new ConcurrentHashMap<>()
     0 * _

dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java

@@ -27,6 +27,7 @@
 import com.datadog.appsec.report.AppSecEvent;
 import com.datadog.appsec.report.AppSecEventWrapper;
 import datadog.trace.api.Config;
+import datadog.trace.api.ProductTraceSource;
 import datadog.trace.api.UserIdCollectionMode;
 import datadog.trace.api.gateway.Events;
 import datadog.trace.api.gateway.Flow;
@@ -214,7 +215,7 @@ private Flow<Void> onUser(
 
     // span with ASM data
     segment.setTagTop(Tags.ASM_KEEP, true);
-    segment.setTagTop(Tags.PROPAGATED_APPSEC, true);
+    segment.setTagTop(Tags.PROPAGATED_TRACE_SOURCE, ProductTraceSource.ASM);
 
     // skip event if we have an SDK one
     if (mode != SDK) {
@@ -275,7 +276,7 @@ private Flow<Void> onLoginEvent(
 
     // span with ASM data
     segment.setTagTop(Tags.ASM_KEEP, true);
-    segment.setTagTop(Tags.PROPAGATED_APPSEC, true);
+    segment.setTagTop(Tags.PROPAGATED_TRACE_SOURCE, ProductTraceSource.ASM);
 
     // update span tags
     segment.setTagTop("appsec.events." + eventName + ".track", true, true);
@@ -789,7 +790,7 @@ private NoopFlow onRequestEnded(RequestContext ctx_, IGSpanInfo spanInfo) {
       if (!collectedEvents.isEmpty()) {
         // Set asm keep in case that root span was not available when events are detected
         traceSeg.setTagTop(Tags.ASM_KEEP, true);
-        traceSeg.setTagTop(Tags.PROPAGATED_APPSEC, true);
+        traceSeg.setTagTop(Tags.PROPAGATED_TRACE_SOURCE, ProductTraceSource.ASM);
         traceSeg.setTagTop("appsec.event", true);
         traceSeg.setTagTop("network.client.ip", ctx.getPeerAddress());
 

dd-java-agent/appsec/src/main/java/com/datadog/appsec/powerwaf/PowerWAFModule.java

@@ -26,6 +26,7 @@
 import datadog.communication.monitor.Monitoring;
 import datadog.trace.api.Config;
 import datadog.trace.api.ProductActivation;
+import datadog.trace.api.ProductTraceSource;
 import datadog.trace.api.gateway.Flow;
 import datadog.trace.api.telemetry.LogCollector;
 import datadog.trace.api.telemetry.WafMetricCollector;
@@ -498,7 +499,9 @@ public void onDataAvailable(
             // If APM is disabled, inform downstream services that the current
             // distributed trace contains at least one ASM event and must inherit
             // the given force-keep priority
-            activeSpan.getLocalRootSpan().setTag(Tags.PROPAGATED_APPSEC, true);
+            activeSpan
+                .getLocalRootSpan()
+                .setTag(Tags.PROPAGATED_TRACE_SOURCE, ProductTraceSource.ASM);
           } else {
             // If active span is not available the ASK_KEEP tag will be set in the GatewayBridge
             // when the request ends

dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/gateway/GatewayBridgeSpecification.groovy

@@ -8,6 +8,7 @@ import com.datadog.appsec.event.data.DataBundle
 import com.datadog.appsec.event.data.KnownAddresses
 import com.datadog.appsec.report.AppSecEvent
 import com.datadog.appsec.report.AppSecEventWrapper
+import datadog.trace.api.ProductTraceSource
 import datadog.trace.api.UserIdCollectionMode
 import datadog.trace.api.appsec.LoginEventCallback
 import datadog.trace.api.function.TriConsumer
@@ -1112,7 +1113,7 @@ class GatewayBridgeSpecification extends DDSpecification {
       1 * traceSegment.setTagTop('appsec.events.users.signup.track', true, true)
       1 * traceSegment.setTagTop('appsec.events.users.signup', ['key1': 'value1', 'key2': 'value2'], true)
       1 * traceSegment.setTagTop('asm.keep', true)
-      1 * traceSegment.setTagTop('_dd.p.appsec', true)
+      1 * traceSegment.setTagTop('_dd.p.ts', ProductTraceSource.ASM)
       1 * eventDispatcher.publishDataEvent(nonEmptyDsInfo, ctx.data, _ as DataBundle, _ as GatewayContext) >> { a, b, DataBundle db, GatewayContext gw ->
         if (mode == SDK) {
           assert db.get(KnownAddresses.USER_ID) == expectedUser
@@ -1151,7 +1152,7 @@ class GatewayBridgeSpecification extends DDSpecification {
       1 * traceSegment.setTagTop('appsec.events.users.login.success.track', true, true)
       1 * traceSegment.setTagTop('appsec.events.users.login.success', ['key1': 'value1', 'key2': 'value2'], true)
       1 * traceSegment.setTagTop('asm.keep', true)
-      1 * traceSegment.setTagTop('_dd.p.appsec', true)
+      1 * traceSegment.setTagTop('_dd.p.ts', ProductTraceSource.ASM)
       1 * eventDispatcher.publishDataEvent(nonEmptyDsInfo, ctx.data, _ as DataBundle, _ as GatewayContext) >> { a, b, DataBundle db, GatewayContext gw ->
         if (mode == SDK) {
           assert db.get(KnownAddresses.USER_ID) == expectedUser
@@ -1192,7 +1193,7 @@ class GatewayBridgeSpecification extends DDSpecification {
       1 * traceSegment.setTagTop('appsec.events.users.login.failure.usr.exists', false, true)
       1 * traceSegment.setTagTop('appsec.events.users.login.failure', ['key1': 'value1', 'key2': 'value2'], true)
       1 * traceSegment.setTagTop('asm.keep', true)
-      1 * traceSegment.setTagTop('_dd.p.appsec', true)
+      1 * traceSegment.setTagTop('_dd.p.ts', ProductTraceSource.ASM)
       1 * eventDispatcher.publishDataEvent(nonEmptyDsInfo, ctx.data, _ as DataBundle, _ as GatewayContext) >> { a, b, DataBundle db, GatewayContext gw ->
         if (mode == SDK) {
           assert db.get(KnownAddresses.USER_ID) == expectedUser
@@ -1221,7 +1222,7 @@ class GatewayBridgeSpecification extends DDSpecification {
     1 * traceSegment.setTagTop('appsec.events.my.event.track', true, true)
     1 * traceSegment.setTagTop('appsec.events.my.event', ['key1': 'value1', 'key2': 'value2'], true)
     1 * traceSegment.setTagTop('asm.keep', true)
-    1 * traceSegment.setTagTop('_dd.p.appsec', true)
+    1 * traceSegment.setTagTop('_dd.p.ts', ProductTraceSource.ASM)
     0 * eventDispatcher.publishDataEvent
   }
 

…ests/asm-standalone-billing/build.gradle …-tests/apm-tracing-disabled/build.gradledd-smoke-tests/asm-standalone-billing/build.gradle renamed to dd-smoke-tests/apm-tracing-disabled/build.gradle dd-smoke-tests/asm-standalone-billing/build.gradle renamed to dd-smoke-tests/apm-tracing-disabled/build.gradle

@@ -1,4 +1,4 @@
-package datadog.smoketest.asmstandalonebilling;
+package datadog.smoketest.apmtracingdisabled;
 
 import java.util.EnumSet;
 import javax.servlet.ServletContext;

…s/asm-standalone-billing/gradle.lockfile …sts/apm-tracing-disabled/gradle.lockfiledd-smoke-tests/asm-standalone-billing/gradle.lockfile renamed to dd-smoke-tests/apm-tracing-disabled/gradle.lockfile dd-smoke-tests/asm-standalone-billing/gradle.lockfile renamed to dd-smoke-tests/apm-tracing-disabled/gradle.lockfile

@@ -1,4 +1,4 @@
-package datadog.smoketest.asmstandalonebilling;
+package datadog.smoketest.apmtracingdisabled;
 
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import io.opentracing.Span;

…test/asmstandalonebilling/AppConfig.java …ketest/apmtracingdisabled/AppConfig.javadd-smoke-tests/asm-standalone-billing/src/main/java/datadog/smoketest/asmstandalonebilling/AppConfig.java renamed to dd-smoke-tests/apm-tracing-disabled/src/main/java/datadog/smoketest/apmtracingdisabled/AppConfig.java dd-smoke-tests/asm-standalone-billing/src/main/java/datadog/smoketest/asmstandalonebilling/AppConfig.java renamed to dd-smoke-tests/apm-tracing-disabled/src/main/java/datadog/smoketest/apmtracingdisabled/AppConfig.java

@@ -1,4 +1,4 @@
-package datadog.smoketest.asmstandalonebilling;
+package datadog.smoketest.apmtracingdisabled;
 
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;