
chore(wsgi): remove some appsec code from wsgi contrib #6326

Merged: 80 commits merged into 1.x from emmett.butler/wsgi-no-appsec, Jul 17, 2023

Conversation

@emmettbutler emmettbutler commented Jul 11, 2023

This change adjusts the flask_block callback-setting logic to use the Core API rather than the AppSec-specific set_value call it had used previously.

In the case of request blocking, the separation of concerns ideally breaks down as follows. The AppSec Product code in the ddtrace/appsec directory knows how to make a block/don't block decision based on communication with libddwaf. The Wsgi code in ddtrace/contrib knows how to take that blocking decision into account when processing requests.

Checklist

  • Change(s) are motivated and described in the PR description.
  • Testing strategy is described if automated tests are not included in the PR.
  • Risk is outlined (performance impact, potential for breakage, maintainability, etc).
  • Change is maintainable (easy to change, telemetry, documentation).
  • Library release note guidelines are followed. If no release note is required, add label changelog/no-changelog.
  • Documentation is included (in-code, generated user docs, public corp docs).
  • Backport labels are set (if applicable)

Reviewer Checklist

  • Title is accurate.
  • No unnecessary changes are introduced.
  • Description motivates each change.
  • Avoids breaking API changes unless absolutely necessary.
  • Testing strategy adequately addresses listed risk(s).
  • Change is maintainable (easy to change, telemetry, documentation).
  • Release note makes sense to a user of the library.
  • Reviewer has explicitly acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment.
  • Backport labels are set in a manner that is consistent with the release branch maintenance policy
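To make the separation of concerns in the description concrete, here is an added, hypothetical sketch (not ddtrace's code and not its Core API): an AppSec-style function writes only an allow/block decision into a per-request context, and a WSGI layer reads that decision and answers 403 without knowing how it was reached. The context store, the key name, the `X-Demo-Block` header rule and all function names are constructed for this example.

```python
"""Hypothetical split between a blocking decision and its WSGI handling."""
from contextvars import ContextVar
from typing import Callable, Dict

# Assumed stand-in for a per-request core context; not ddtrace's own store.
_request_ctx: ContextVar[Dict[str, object]] = ContextVar("request_ctx")
BLOCK_KEY = "http.request.blocked"  # constructed key name


def appsec_evaluate(environ: dict) -> None:
    """Stand-in for the AppSec product's decision (the real one asks libddwaf).
    It stores only a boolean; nothing here knows about WSGI responses."""
    # Constructed demo rule: a marker header decides the outcome.
    _request_ctx.get()[BLOCK_KEY] = environ.get("HTTP_X_DEMO_BLOCK") == "1"


def should_block() -> bool:
    """Read side: the WSGI layer consults the decision, never the WAF."""
    return bool(_request_ctx.get().get(BLOCK_KEY, False))


def blocking_middleware(app: Callable, decide: Callable[[dict], None] = appsec_evaluate) -> Callable:
    """WSGI middleware that enforces whatever decision was recorded."""
    def wrapped(environ, start_response):
        token = _request_ctx.set({})  # fresh context per request
        try:
            decide(environ)
            if should_block():
                start_response("403 Forbidden", [("Content-Type", "text/plain")])
                return [b"blocked"]
            return app(environ, start_response)
        finally:
            _request_ctx.reset(token)  # no decision leaks into the next request
    return wrapped


def hello_app(environ, start_response):
    """Trivial downstream WSGI app used for the demonstration."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def call(app: Callable, environ: dict) -> tuple:
    """Minimal WSGI driver: returns (status line, response body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body
```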

…on a context that still exists by the time the test assertion runs
explicitly set expected config because config can leak between tests
…atibility with tests that rely on the root span continuing to exist
@emmettbutler emmettbutler requested review from tabgok and removed request for a team July 11, 2023 15:41
@emmettbutler emmettbutler marked this pull request as draft July 11, 2023 16:06
Base automatically changed from emmett.butler/core-api to 1.x July 12, 2023 15:43
@emmettbutler emmettbutler marked this pull request as ready for review July 12, 2023 18:20
@emmettbutler emmettbutler added the ASM Application Security Monitoring label Jul 12, 2023
juanjux previously approved these changes Jul 13, 2023
@emmettbutler emmettbutler enabled auto-merge (squash) July 13, 2023 15:18
pr-commenter bot commented Jul 13, 2023

Benchmarks

Comparing candidate commit 2947218 in PR branch emmett.butler/wsgi-no-appsec with baseline commit a0803f9 in branch 1.x.

Found 1 performance improvements and 0 performance regressions! Performance is the same for 93 cases.

scenario:flasksimple-appsec-get

  • 🟩 execution_time [-0.317ms; -0.295ms] or [-5.035%; -4.689%]

@emmettbutler emmettbutler merged commit 9a3693f into 1.x Jul 17, 2023
20 of 23 checks passed
@emmettbutler emmettbutler deleted the emmett.butler/wsgi-no-appsec branch July 17, 2023 22:35
@github-actions github-actions bot added this to the v1.18.0 milestone Jul 17, 2023
romainkomorndatadog pushed a commit that referenced this pull request Aug 8, 2023
Co-authored-by: Federico Mon <federico.mon@datadoghq.com>
Labels: ASM Application Security Monitoring; changelog/no-changelog (A changelog entry is not required for this PR.)