wip

DataDog · Oct 15, 2024 · 4d39340 · 4d39340
1 parent e1405d2
commit 4d39340
Show file tree

Hide file tree

Showing 54 changed files with 99 additions and 22 deletions.
diff --git a/appsec/src/extension/configuration.h b/appsec/src/extension/configuration.h
@@ -63,6 +63,7 @@ extern bool runtime_config_first_init;
  CONFIG(INT, DD_APPSEC_MAX_BODY_BUFF_SIZE, "524288") \
  CONFIG(STRING, DD_TRACE_AGENT_URL, "") \
  CONFIG(BOOL, DD_TRACE_ENABLED, "true") \
+ CONFIG(BOOL, DD_EXPERIMENTAL_APPSEC_STANDALONE_ENABLED, "true") \
  CALIAS(CUSTOM(STRING), DD_APPSEC_AUTO_USER_INSTRUMENTATION_MODE, "ident", \
  CALIASES("DD_APPSEC_AUTOMATED_USER_EVENTS_TRACKING"), .parser = dd_parse_user_collection_mode) \
  CONFIG(BOOL, DD_APPSEC_AUTOMATED_USER_EVENTS_TRACKING_ENABLED, "true") \

diff --git a/appsec/src/extension/ddappsec.c b/appsec/src/extension/ddappsec.c
@@ -378,13 +378,19 @@ __thread void *unspecnull TSRMLS_CACHE = NULL;
 
 static void _check_enabled()
 {
- if ((!get_global_DD_APPSEC_TESTING() && !dd_trace_enabled()) ||
+ if ((!get_global_DD_APPSEC_TESTING() && !dd_trace_enabled() &&
+ !get_DD_APPSEC_ENABLED()) ||
  (strcmp(sapi_module.name, "cli") != 0 && sapi_module.phpinfo_as_text) ||
  (strcmp(sapi_module.name, "frankenphp") == 0)) {
  DDAPPSEC_G(enabled) = APPSEC_FULLY_DISABLED;
  DDAPPSEC_G(active) = false;
  DDAPPSEC_G(to_be_configured) = false;
- } else if (!dd_cfg_enable_via_remcfg()) {
+ } else if (get_DD_EXPERIMENTAL_APPSEC_STANDALONE_ENABLED() &&
+ dd_trace_loaded() && !get_DD_TRACE_ENABLED() && get_DD_APPSEC_ENABLED()) {
+ DDAPPSEC_G(enabled) = APPSEC_ENABLED_STANDALONE;
+ DDAPPSEC_G(active) = true;
+ DDAPPSEC_G(to_be_configured) = false;
+ } else if (!dd_cfg_enable_via_remcfg() && dd_trace_enabled()) {
  DDAPPSEC_G(enabled) = get_DD_APPSEC_ENABLED() ? APPSEC_FULLY_ENABLED
  : APPSEC_FULLY_DISABLED;
  DDAPPSEC_G(active) = get_DD_APPSEC_ENABLED() ? true : false;

diff --git a/appsec/src/extension/ddappsec.h b/appsec/src/extension/ddappsec.h
@@ -18,7 +18,8 @@
 typedef enum _enabled_configuration {
  APPSEC_ENABLED_VIA_REMCFG = 0,
  APPSEC_FULLY_ENABLED,
- APPSEC_FULLY_DISABLED
+ APPSEC_FULLY_DISABLED,
+ APPSEC_ENABLED_STANDALONE
 } enabled_configuration;
 
 // define zend_ddappsec_globals type

diff --git a/appsec/src/extension/ddtrace.c b/appsec/src/extension/ddtrace.c
@@ -356,7 +356,6 @@ zend_object *nullable dd_trace_get_active_root_span()
  if (UNEXPECTED(_ddtrace_get_root_span == NULL)) {
  return NULL;
  }
-
  return _ddtrace_get_root_span();
 }
 

diff --git a/appsec/src/extension/tags.c b/appsec/src/extension/tags.c
@@ -43,7 +43,8 @@
 #define DD_TAG_HTTP_RH_CONTENT_LANGUAGE "http.response.headers.content-language"
 #define DD_TAG_HTTP_CLIENT_IP "http.client_ip"
 #define DD_TAG_USER_ID "usr.id"
-#define DD_METRIC_ENABLED "_dd.appsec.enabled"
+#define DD_APPSEC_METRIC_ENABLED "_dd.appsec.enabled"
+#define DD_APM_METRIC_ENABLED "_dd.apm.enabled"
 #define DD_APPSEC_EVENTS_PREFIX "appsec.events."
 #define DD_SIGNUP_EVENT DD_APPSEC_EVENTS_PREFIX "users.signup"
 #define DD_LOGIN_SUCCESS_EVENT DD_APPSEC_EVENTS_PREFIX "users.login.success"
@@ -76,7 +77,8 @@ static zend_string *_dd_tag_rh_content_type; // response
 static zend_string *_dd_tag_rh_content_encoding; // response
 static zend_string *_dd_tag_rh_content_language; // response
 static zend_string *_dd_tag_user_id;
-static zend_string *_dd_metric_enabled;
+static zend_string *_dd_appsec_metric_enabled;
+static zend_string *_dd_apm_metric_enabled;
 static zend_string *_dd_signup_event;
 static zend_string *_dd_login_success_event;
 static zend_string *_dd_login_failure_event;
@@ -158,8 +160,10 @@ void dd_tags_startup()
  zend_string_init_interned(LSTRARG(DD_TAG_HTTP_RH_CONTENT_LANGUAGE), 1);
  _dd_tag_user_id = zend_string_init_interned(LSTRARG(DD_TAG_USER_ID), 1);
 
- _dd_metric_enabled =
- zend_string_init_interned(LSTRARG(DD_METRIC_ENABLED), 1);
+ _dd_appsec_metric_enabled =
+ zend_string_init_interned(LSTRARG(DD_APPSEC_METRIC_ENABLED), 1);
+ _dd_apm_metric_enabled =
+ zend_string_init_interned(LSTRARG(DD_APM_METRIC_ENABLED), 1);
 
  _key_request_uri_zstr =
  zend_string_init_interned(LSTRARG("REQUEST_URI"), 1);
@@ -318,9 +322,21 @@ void dd_tags_add_tags(
  // metric _dd.appsec.enabled
  bool added = _set_appsec_enabled(metrics_zv);
  if (added) {
- mlog(dd_log_debug, "Added metric %s", DD_METRIC_ENABLED);
+ mlog(dd_log_debug, "Added metric %s", DD_APPSEC_METRIC_ENABLED);
  } else {
- mlog(dd_log_info, "Failed adding metric %s", DD_METRIC_ENABLED);
+ mlog(dd_log_info, "Failed adding metric %s",
+ DD_APPSEC_METRIC_ENABLED);
+ }
+ if (DDAPPSEC_G(enabled) == APPSEC_ENABLED_STANDALONE) {
+ zval zv;
+ ZVAL_LONG(&zv, 0);
+ zend_hash_add(Z_ARRVAL_P(metrics_zv), _dd_apm_metric_enabled, &zv);
+ if (added) {
+ mlog(dd_log_debug, "Added metric %s", DD_APM_METRIC_ENABLED);
+ } else {
+ mlog(dd_log_info, "Failed adding metric %s",
+ DD_APM_METRIC_ENABLED);
+ }
  }
  }
  // tag _dd.runtime_family
@@ -1197,8 +1213,8 @@ static bool _set_appsec_enabled(zval *metrics_zv)
 {
  zval zv;
  ZVAL_LONG(&zv, DDAPPSEC_G(active) ? 1 : 0);
- return zend_hash_add(Z_ARRVAL_P(metrics_zv), _dd_metric_enabled, &zv) !=
- NULL;
+ return zend_hash_add(
+  Z_ARRVAL_P(metrics_zv), _dd_appsec_metric_enabled, &zv) != NULL;
 }
 
 static PHP_FUNCTION(datadog_appsec_testing_add_all_ancillary_tags)

diff --git a/appsec/tests/extension/0010.phpt b/appsec/tests/extension/0010.phpt
@@ -2,6 +2,7 @@
 Check for ddappsec presence
 --INI--
 datadog.appsec.enabled=1
+extension=ddtrace.so
 --FILE--
 <?php
 if (extension_loaded('ddappsec')) {

diff --git a/appsec/tests/extension/actions_handling_02.phpt b/appsec/tests/extension/actions_handling_02.phpt
@@ -2,6 +2,7 @@
 When there is a block action, the request is blocked
 --INI--
 datadog.appsec.enabled=1
+extension=ddtrace.so
 --ENV--
 DD_APPSEC_HTTP_BLOCKED_TEMPLATE_HTML=tests/extension/templates/response.html
 --FILE--

diff --git a/appsec/tests/extension/actions_handling_03.phpt b/appsec/tests/extension/actions_handling_03.phpt
@@ -2,6 +2,7 @@
 When there are multiple block action, the first one is the one used
 --INI--
 datadog.appsec.enabled=1
+extension=ddtrace.so
 --ENV--
 DD_APPSEC_HTTP_BLOCKED_TEMPLATE_HTML=tests/extension/templates/response.html
 --FILE--

diff --git a/appsec/tests/extension/actions_handling_04.phpt b/appsec/tests/extension/actions_handling_04.phpt
@@ -2,6 +2,7 @@
 Redirect take precedence over block or ok
 --INI--
 datadog.appsec.enabled=1
+extension=ddtrace.so
 --ENV--
 DD_APPSEC_HTTP_BLOCKED_TEMPLATE_HTML=tests/extension/templates/response.html
 --FILE--

diff --git a/appsec/tests/extension/actions_handling_05.phpt b/appsec/tests/extension/actions_handling_05.phpt
@@ -2,6 +2,7 @@
 Redirect take precedence over block or ok
 --INI--
 datadog.appsec.enabled=1
+extension=ddtrace.so
 --ENV--
 DD_APPSEC_HTTP_BLOCKED_TEMPLATE_HTML=tests/extension/templates/response.html
 --FILE--

diff --git a/appsec/tests/extension/actions_handling_06.phpt b/appsec/tests/extension/actions_handling_06.phpt
@@ -2,6 +2,7 @@
 When multiple redirects, the first one is used
 --INI--
 datadog.appsec.enabled=1
+extension=ddtrace.so
 --ENV--
 DD_APPSEC_HTTP_BLOCKED_TEMPLATE_HTML=tests/extension/templates/response.html
 --FILE--

diff --git a/appsec/tests/extension/phpinfo_enabled_02.phpt b/appsec/tests/extension/phpinfo_enabled_02.phpt
@@ -2,6 +2,7 @@
 Check enablement status when enabled by config
 --INI--
 datadog.appsec.enabled=1
+extension=ddtrace.so
 --FILE--
 <?php
 include __DIR__ . '/inc/phpinfo.php';

diff --git a/appsec/tests/extension/phpinfo_enabled_03.phpt b/appsec/tests/extension/phpinfo_enabled_03.phpt
@@ -2,6 +2,7 @@
 Check enablement status when disabled by config
 --INI--
 datadog.appsec.enabled=0
+extension=ddtrace.so
 --FILE--
 <?php
 include __DIR__ . '/inc/phpinfo.php';

diff --git a/appsec/tests/extension/req_abort_custom_html_template.phpt b/appsec/tests/extension/req_abort_custom_html_template.phpt
@@ -2,6 +2,7 @@
 Abort request as a result of rinit, with a custom template
 --INI--
 datadog.appsec.enabled=1
+extension=ddtrace.so
 --ENV--
 DD_APPSEC_HTTP_BLOCKED_TEMPLATE_HTML=tests/extension/templates/response.html
 --FILE--

diff --git a/appsec/tests/extension/req_abort_custom_json_template.phpt b/appsec/tests/extension/req_abort_custom_json_template.phpt
@@ -2,6 +2,7 @@
 Abort request as a result of rinit, with a custom template
 --INI--
 datadog.appsec.enabled=1
+extension=ddtrace.so
 --ENV--
 DD_APPSEC_HTTP_BLOCKED_TEMPLATE_JSON=tests/extension/templates/response.json
 --FILE--

diff --git a/appsec/tests/extension/req_abort_empty_custom_html_template.phpt b/appsec/tests/extension/req_abort_empty_custom_html_template.phpt
@@ -2,6 +2,7 @@
 Abort request as a result of rinit, with an empty template
 --INI--
 datadog.appsec.enabled=1
+extension=ddtrace.so
 --ENV--
 DD_APPSEC_HTTP_BLOCKED_TEMPLATE_HTML=tests/extension/templates/empty_response
 --FILE--

diff --git a/appsec/tests/extension/req_abort_empty_custom_json_template.phpt b/appsec/tests/extension/req_abort_empty_custom_json_template.phpt
@@ -2,6 +2,7 @@
 Abort request as a result of rinit, with an empty template
 --INI--
 datadog.appsec.enabled=1
+extension=ddtrace.so
 --ENV--
 DD_APPSEC_HTTP_BLOCKED_TEMPLATE_JSON=tests/extension/templates/empty_response
 --FILE--

diff --git a/appsec/tests/extension/req_abort_from_ob_handler.phpt b/appsec/tests/extension/req_abort_from_ob_handler.phpt
@@ -4,6 +4,8 @@ Request abort from inside ob handler
 <?php
 require __DIR__ . "/inc/no_valgrind.php";
 ?>
+--INI--
+extension=ddtrace.so
 --FILE--
 <?php
 function error_handler($errno, $errstr, $errfile, $errline) {

diff --git a/appsec/tests/extension/req_abort_from_rinit_auto.phpt b/appsec/tests/extension/req_abort_from_rinit_auto.phpt
@@ -2,6 +2,7 @@
 Abort request as a result of rinit, using defaults
 --INI--
 datadog.appsec.enabled=1
+extension=ddtrace.so
 --FILE--
 <?php
 use function datadog\appsec\testing\rinit;

diff --git a/appsec/tests/extension/req_abort_from_rinit_html_500.phpt b/appsec/tests/extension/req_abort_from_rinit_html_500.phpt
@@ -2,6 +2,7 @@
 Abort request as a result of rinit, with custom status code and content type
 --INI--
 datadog.appsec.enabled=1
+extension=ddtrace.so
 --FILE--
 <?php
 use function datadog\appsec\testing\rinit;

diff --git a/appsec/tests/extension/req_abort_from_rinit_invalid_content_type.phpt b/appsec/tests/extension/req_abort_from_rinit_invalid_content_type.phpt
@@ -3,6 +3,7 @@ Abort request as a result of rinit, with an invalid content type
 --INI--
 datadog.appsec.enabled=1
 datadog.appsec.log_level=error
+extension=ddtrace.so
 --FILE--
 <?php
 use function datadog\appsec\testing\rinit;

diff --git a/appsec/tests/extension/req_abort_from_rinit_invalid_status_code.phpt b/appsec/tests/extension/req_abort_from_rinit_invalid_status_code.phpt
@@ -3,6 +3,7 @@ Abort request as a result of rinit, with an invalid status code
 --INI--
 datadog.appsec.enabled=1
 datadog.appsec.log_level=error
+extension=ddtrace.so
 --FILE--
 <?php
 use function datadog\appsec\testing\rinit;

diff --git a/appsec/tests/extension/req_abort_from_rinit_json_404.phpt b/appsec/tests/extension/req_abort_from_rinit_json_404.phpt
@@ -2,6 +2,7 @@
 Abort request as a result of rinit, with custom status code and content type
 --INI--
 datadog.appsec.enabled=1
+extension=ddtrace.so
 --FILE--
 <?php
 use function datadog\appsec\testing\rinit;

diff --git a/appsec/tests/extension/req_abort_from_rshutdown_auto.phpt b/appsec/tests/extension/req_abort_from_rshutdown_auto.phpt
@@ -4,6 +4,7 @@ Abort request as a result of rshutdown, using defaults
 datadog.appsec.enabled=1
 datadog.appsec.log_file=/tmp/php_appsec_test.log
 datadog.appsec.log_level=debug
+extension=ddtrace.so
 --FILE--
 <?php
 use function datadog\appsec\testing\{rinit,rshutdown};

diff --git a/appsec/tests/extension/req_abort_from_rshutdown_html_500.phpt b/appsec/tests/extension/req_abort_from_rshutdown_html_500.phpt
@@ -4,6 +4,7 @@ Abort request as a result of rshutdown, with custom status code and content type
 datadog.appsec.enabled=1
 datadog.appsec.log_file=/tmp/php_appsec_test.log
 datadog.appsec.log_level=debug
+extension=ddtrace.so
 --FILE--
 <?php
 use function datadog\appsec\testing\{rinit,rshutdown};

diff --git a/appsec/tests/extension/req_abort_missing_custom_html_template.phpt b/appsec/tests/extension/req_abort_missing_custom_html_template.phpt
@@ -3,6 +3,7 @@ Abort request as a result of rinit, with a non-existent template
 --INI--
 datadog.appsec.enabled=1
 datadog.appsec.log_level=error
+extension=ddtrace.so
 --ENV--
 DD_APPSEC_HTTP_BLOCKED_TEMPLATE_HTML=tests/extension/templates/missing
 --FILE--

diff --git a/appsec/tests/extension/req_abort_missing_custom_json_template.phpt b/appsec/tests/extension/req_abort_missing_custom_json_template.phpt
@@ -3,6 +3,7 @@ Abort request as a result of rinit, with a non-existent template
 --INI--
 datadog.appsec.enabled=1
 datadog.appsec.log_level=error
+extension=ddtrace.so
 --ENV--
 DD_APPSEC_HTTP_BLOCKED_TEMPLATE_JSON=tests/extension/templates/missing
 --FILE--

diff --git a/appsec/tests/extension/req_abort_redirection_01.phpt b/appsec/tests/extension/req_abort_redirection_01.phpt
@@ -2,6 +2,7 @@
 Redirect request as a result of rinit, with custom status_code and location
 --INI--
 datadog.appsec.enabled=1
+extension=ddtrace.so
 --FILE--
 <?php
 use function datadog\appsec\testing\rinit;

diff --git a/appsec/tests/extension/req_abort_redirection_02.phpt b/appsec/tests/extension/req_abort_redirection_02.phpt
@@ -2,6 +2,7 @@
 Redirect request as a result of rinit, with invalid status_code and valid location
 --INI--
 datadog.appsec.enabled=1
+extension=ddtrace.so
 --FILE--
 <?php
 use function datadog\appsec\testing\rinit;

diff --git a/appsec/tests/extension/req_abort_redirection_03.phpt b/appsec/tests/extension/req_abort_redirection_03.phpt
@@ -4,6 +4,7 @@ Redirect request as a result of rinit, with valid status_code and invalid locati
 Since location is empty, it defaults to block request with default behaviour
 --INI--
 datadog.appsec.enabled=1
+extension=ddtrace.so
 --FILE--
 <?php
 use function datadog\appsec\testing\{rinit, rshutdown};

diff --git a/appsec/tests/extension/req_abort_redirection_04.phpt b/appsec/tests/extension/req_abort_redirection_04.phpt
@@ -4,6 +4,7 @@ Redirect request as a result of rinit, with invalid status_code and invalid loca
 Since location is empty, it defaults to block request with default behaviour
 --INI--
 datadog.appsec.enabled=1
+extension=ddtrace.so
 --FILE--
 <?php
 use function datadog\appsec\testing\{rinit, rshutdown};

diff --git a/appsec/tests/extension/req_abort_redirection_05.phpt b/appsec/tests/extension/req_abort_redirection_05.phpt
@@ -4,6 +4,7 @@ Redirect request as a result of rinit, with valid status_code and missing locati
 Since location is missing, it defaults to block request with default behaviour
 --INI--
 datadog.appsec.enabled=1
+extension=ddtrace.so
 --FILE--
 <?php
 use function datadog\appsec\testing\{rinit, rshutdown};

diff --git a/appsec/tests/extension/req_abort_redirection_06.phpt b/appsec/tests/extension/req_abort_redirection_06.phpt
@@ -2,6 +2,7 @@
 Redirect request as a result of rinit, with invalid status_code and valid location
 --INI--
 datadog.appsec.enabled=1
+extension=ddtrace.so
 --FILE--
 <?php
 use function datadog\appsec\testing\{rinit, rshutdown};

diff --git a/appsec/tests/extension/rinit_body_json.phpt b/appsec/tests/extension/rinit_body_json.phpt
@@ -3,6 +3,7 @@ request_init data on JSON data
 --INI--
 datadog.appsec.testing_raw_body=1
 datadog.appsec.enabled=1
+extension=ddtrace.so
 --POST_RAW--
 {"foo":"bar"}
 --ENV--

diff --git a/appsec/tests/extension/rinit_body_multipart.phpt b/appsec/tests/extension/rinit_body_multipart.phpt
@@ -3,6 +3,7 @@ request_init delivers $_POST and $_FILES data of multipart request
 --INI--
 datadog.appsec.testing_raw_body=1
 datadog.appsec.enabled=1
+extension=ddtrace.so
 --POST_RAW--
 Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
 -----------------------------20896060251896012921717172737

diff --git a/appsec/tests/extension/rinit_body_urlencoded.phpt b/appsec/tests/extension/rinit_body_urlencoded.phpt
@@ -3,6 +3,7 @@ request_init data on x-www-form-urlencoded data
 --INI--
 datadog.appsec.testing_raw_body=1
 datadog.appsec.enabled=1
+extension=ddtrace.so
 --POST--
 a[]=1&a[]=2&a[a]=3&a[-1]=4&a[2][]=5
 --FILE--

diff --git a/appsec/tests/extension/rinit_body_xml.phpt b/appsec/tests/extension/rinit_body_xml.phpt
@@ -3,6 +3,7 @@ request_init data on XML data
 --INI--
 datadog.appsec.testing_raw_body=1
 datadog.appsec.enabled=1
+extension=ddtrace.so
 --POST_RAW--
 <foo/>
 --ENV--

diff --git a/appsec/tests/extension/rinit_enabled_status_01.phpt b/appsec/tests/extension/rinit_enabled_status_01.phpt
@@ -3,6 +3,7 @@ When extension is enabled by INI, it is sent to helper
 --INI--
 datadog.appsec.enabled=1
 datadog.appsec.log_file=/tmp/php_appsec_test.log
+extension=ddtrace.so
 --FILE--
 <?php
 use function datadog\appsec\testing\{rinit,rshutdown};

diff --git a/appsec/tests/extension/rinit_enabled_status_02.phpt b/appsec/tests/extension/rinit_enabled_status_02.phpt
@@ -2,6 +2,7 @@
 When extension is enabled by ENV, it is sent to helper
 --INI--
 datadog.appsec.log_file=/tmp/php_appsec_test.log
+extension=ddtrace.so
 --ENV--
 DD_APPSEC_ENABLED=1
 --FILE--

diff --git a/appsec/tests/extension/rinit_enabled_status_03.phpt b/appsec/tests/extension/rinit_enabled_status_03.phpt
@@ -2,6 +2,7 @@
 When extension is not configured, it is sent to the helper
 --INI--
 datadog.appsec.log_file=/tmp/php_appsec_test.log
+extension=ddtrace.so
 --FILE--
 <?php
 use function datadog\appsec\testing\{rinit,rshutdown};