[Draft; don't merge] v1 as frontend of v2

.github/workflows/appsec.yml

@@ -70,7 +70,7 @@ jobs:
         id: cfg
         run: |
           echo "key=go-pkg-mod-${{ hashFiles('**/go.sum') }}" >> $GITHUB_OUTPUT
-          echo "path=go_pkg_mod_cache" >> $GITHUB_OUTPUT
+          echo "path=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT
 
       - uses: actions/setup-go@v5
         with:
@@ -87,8 +87,6 @@ jobs:
 
       - name: Download Go modules
         if: steps.cache.outputs.cache-hit != 'true'
-        env:
-          GOMODCACHE: ${{ github.workspace }}/${{ steps.cfg.outputs.path }}
         run: go mod download -x
 
   macos:
@@ -122,8 +120,6 @@ jobs:
       # reruns under different settings.
       - name: go test
         shell: bash
-        env:
-          GOMODCACHE: ${{ github.workspace }}/${{ needs.go-mod-caching.outputs.path }}
         run: |
           set -euxo pipefail
           cgocheck="GOEXPERIMENT=cgocheck2"
@@ -164,15 +160,11 @@ jobs:
           go-version: stable
           cache: false # we manage the caching ourselves
 
-      - run: go env -w GOMODCACHE=${{ github.workspace }}\${{ needs.go-mod-caching.outputs.path }}
-        if: runner.os == 'Windows'
-      - run: go env -w GOMODCACHE=${{ github.workspace }}/${{ needs.go-mod-caching.outputs.path }}
-        if: runner.os != 'Windows'
-
       - name: go test
         shell: bash
         run: |
           set -euxo pipefail
+          go mod tidy
           for appsec_enabled_env in "" "DD_APPSEC_ENABLED=true" "DD_APPSEC_ENABLED=false"; do
             for go_tags in "" "-tags datadog.no_waf"; do
               if ! env $appsec_enabled_env go test -v $go_tags $TESTS; then
@@ -223,8 +215,6 @@ jobs:
           sudo apt install -y docker-ce docker-ce-cli containerd.io
 
       - name: Create container
-        env:
-          GOMODCACHE: ${{ github.workspace }}/${{ needs.go-mod-caching.outputs.path }}
         run: |-
           sudo docker run                                                       \
             --rm                                                                \
@@ -241,7 +231,8 @@ jobs:
         run: sudo docker exec -i test.runner apk add gcc musl-dev libc6-compat
       - name: Output go env
         run: sudo docker exec -i test.runner go env
-
+      - name: Ensure go.mod is up to date
+        run: sudo docker exec -i test.runner go mod tidy
       - name: NOCGO, undefined appsec state
         run: sudo docker exec -i test.runner env CGO_ENABLED=0 go test -v $TESTS
       - name: NOCGO, appsec disabled

.vscode/settings.json

@@ -0,0 +1,8 @@
+{
+    "go.toolsEnvVars": {
+        "GOTOOLCHAIN": "go1.22.6",
+        "CGO_CXXFLAGS_ALLOW": "-lpthread|-ltcmalloc",
+        "CGO_CFLAGS_ALLOW": "-ltcmalloc",
+        "CGO_CPPFLAGS": "-I/opt/homebrew/Cellar/[email protected]/6.20.3/include -I/opt/homebrew/Cellar/[email protected]/6.2.30/include -I/opt/homebrew/opt/gperftools/include -DCMAKE_EXE_LINKER_FLAG"
+    }
+}

appsec/appsec.go

@@ -13,18 +13,11 @@ package appsec
 
 import (
 	"context"
-	"sync"
 
-	"gopkg.in/DataDog/dd-trace-go.v1/ddtrace/ext"
+	v2 "github.com/DataDog/dd-trace-go/v2/appsec"
 	"gopkg.in/DataDog/dd-trace-go.v1/ddtrace/tracer"
-	"gopkg.in/DataDog/dd-trace-go.v1/internal/appsec"
-	"gopkg.in/DataDog/dd-trace-go.v1/internal/appsec/emitter/httpsec"
-	"gopkg.in/DataDog/dd-trace-go.v1/internal/appsec/emitter/usersec"
-	"gopkg.in/DataDog/dd-trace-go.v1/internal/log"
 )
 
-var appsecDisabledLog sync.Once
-
 // MonitorParsedHTTPBody runs the security monitoring rules on the given *parsed*
 // HTTP request body and returns if the HTTP request is suspicious and configured to be blocked.
 // The given context must be the HTTP request context as returned
@@ -34,11 +27,7 @@ var appsecDisabledLog sync.Once
 // result in inaccurate attack detection.
 // This function always returns nil when appsec is disabled.
 func MonitorParsedHTTPBody(ctx context.Context, body any) error {
-	if !appsec.Enabled() {
-		appsecDisabledLog.Do(func() { log.Warn("appsec: not enabled. Body blocking checks won't be performed.") })
-		return nil
-	}
-	return httpsec.MonitorParsedBody(ctx, body)
+	return v2.MonitorParsedHTTPBody(ctx, body)
 }
 
 // SetUser wraps tracer.SetUser() and extends it with user blocking.
@@ -50,25 +39,7 @@ func MonitorParsedHTTPBody(ctx context.Context, body any) error {
 // APM tracer middleware on use according to your blocking configuration.
 // This function always returns nil when appsec is disabled and doesn't block users.
 func SetUser(ctx context.Context, id string, opts ...tracer.UserMonitoringOption) error {
-	s, ok := tracer.SpanFromContext(ctx)
-	if !ok {
-		log.Debug("appsec: could not retrieve span from context. User ID tag won't be set")
-		return nil
-	}
-	tracer.SetUser(s, id, opts...)
-	if !appsec.Enabled() {
-		appsecDisabledLog.Do(func() { log.Warn("appsec: not enabled. User blocking checks won't be performed.") })
-		return nil
-	}
-
-	op, errPtr := usersec.StartUserLoginOperation(ctx, usersec.UserLoginOperationArgs{})
-	op.Finish(usersec.UserLoginOperationRes{
-		UserID:    id,
-		SessionID: getSessionID(opts...),
-		Success:   true,
-	})
-
-	return *errPtr
+	return v2.SetUser(ctx, id, opts...)
 }
 
 // TrackUserLoginSuccessEvent sets a successful user login event, with the given
@@ -84,8 +55,7 @@ func SetUser(ctx context.Context, id string, opts ...tracer.UserMonitoringOption
 // Take-Over (ATO) monitoring, ultimately blocking the IP address and/or user id
 // associated to them.
 func TrackUserLoginSuccessEvent(ctx context.Context, uid string, md map[string]string, opts ...tracer.UserMonitoringOption) error {
-	TrackCustomEvent(ctx, "users.login.success", md)
-	return SetUser(ctx, uid, opts...)
+	return v2.TrackUserLoginSuccessEvent(ctx, uid, md, opts...)
 }
 
 // TrackUserLoginFailureEvent sets a failed user login event, with the given
@@ -99,20 +69,7 @@ func TrackUserLoginSuccessEvent(ctx context.Context, uid string, md map[string]s
 // Take-Over (ATO) monitoring, ultimately blocking the IP address and/or user id
 // associated to them.
 func TrackUserLoginFailureEvent(ctx context.Context, uid string, exists bool, md map[string]string) {
-	span := getRootSpan(ctx)
-	if span == nil {
-		return
-	}
-
-	// We need to do the first call to SetTag ourselves because the map taken by TrackCustomEvent is map[string]string
-	// and not map [string]any, so the `exists` boolean variable does not fit int
-	span.SetTag("appsec.events.users.login.failure.usr.exists", exists)
-	span.SetTag("appsec.events.users.login.failure.usr.id", uid)
-
-	TrackCustomEvent(ctx, "users.login.failure", md)
-
-	op, _ := usersec.StartUserLoginOperation(ctx, usersec.UserLoginOperationArgs{})
-	op.Finish(usersec.UserLoginOperationRes{UserID: uid, Success: false})
+	v2.TrackUserLoginFailureEvent(ctx, uid, exists, md)
 }
 
 // TrackCustomEvent sets a custom event as service entry span tags. This span is
@@ -122,35 +79,7 @@ func TrackUserLoginFailureEvent(ctx context.Context, uid string, exists bool, md
 // Such events trigger the backend-side events monitoring ultimately blocking
 // the IP address and/or user id associated to them.
 func TrackCustomEvent(ctx context.Context, name string, md map[string]string) {
-	span := getRootSpan(ctx)
-	if span == nil {
-		return
-	}
-
-	tagPrefix := "appsec.events." + name + "."
-	span.SetTag(tagPrefix+"track", true)
-	span.SetTag(ext.SamplingPriority, ext.PriorityUserKeep)
-	for k, v := range md {
-		span.SetTag(tagPrefix+k, v)
-	}
-}
-
-// Return the root span from the span stored in the given Go context if it
-// implements the Root method. It returns nil otherwise.
-func getRootSpan(ctx context.Context) tracer.Span {
-	span, _ := tracer.SpanFromContext(ctx)
-	if span == nil {
-		log.Error("appsec: could not find a span in the given Go context")
-		return nil
-	}
-	type rooter interface {
-		Root() tracer.Span
-	}
-	if lrs, ok := span.(rooter); ok {
-		return lrs.Root()
-	}
-	log.Error("appsec: could not access the root span")
-	return nil
+	v2.TrackCustomEvent(ctx, name, md)
 }
 
 func getSessionID(opts ...tracer.UserMonitoringOption) string {

appsec/appsec_test.go

@@ -7,12 +7,12 @@ package appsec_test
 
 import (
 	"context"
+	"strconv"
 	"testing"
 
 	"gopkg.in/DataDog/dd-trace-go.v1/appsec"
 	"gopkg.in/DataDog/dd-trace-go.v1/ddtrace/mocktracer"
 	"gopkg.in/DataDog/dd-trace-go.v1/ddtrace/tracer"
-	privateAppsec "gopkg.in/DataDog/dd-trace-go.v1/internal/appsec"
 
 	"github.com/stretchr/testify/require"
 )
@@ -30,7 +30,7 @@ func TestTrackUserLoginSuccessEvent(t *testing.T) {
 		require.Len(t, mt.FinishedSpans(), 1)
 		finished := mt.FinishedSpans()[0]
 		expectedEventPrefix := "appsec.events.users.login.success."
-		require.Equal(t, true, finished.Tag(expectedEventPrefix+"track"))
+		require.Equal(t, "true", finished.Tag(expectedEventPrefix+"track"))
 		require.Equal(t, "user id", finished.Tag("usr.id"))
 		require.Equal(t, "us-east-1", finished.Tag(expectedEventPrefix+"region"))
 		require.Equal(t, "username", finished.Tag("usr.name"))
@@ -48,7 +48,7 @@ func TestTrackUserLoginSuccessEvent(t *testing.T) {
 		require.Len(t, mt.FinishedSpans(), 1)
 		finished := mt.FinishedSpans()[0]
 		expectedEventPrefix := "appsec.events.users.login.success."
-		require.Equal(t, true, finished.Tag(expectedEventPrefix+"track"))
+		require.Equal(t, "true", finished.Tag(expectedEventPrefix+"track"))
 		require.Equal(t, "user id", finished.Tag("usr.id"))
 	})
 
@@ -80,9 +80,9 @@ func TestTrackUserLoginFailureEvent(t *testing.T) {
 				require.Len(t, mt.FinishedSpans(), 1)
 				finished := mt.FinishedSpans()[0]
 				expectedEventPrefix := "appsec.events.users.login.failure."
-				require.Equal(t, true, finished.Tag(expectedEventPrefix+"track"))
+				require.Equal(t, "true", finished.Tag(expectedEventPrefix+"track"))
 				require.Equal(t, "user id", finished.Tag(expectedEventPrefix+"usr.id"))
-				require.Equal(t, userExists, finished.Tag(expectedEventPrefix+"usr.exists"))
+				require.Equal(t, strconv.FormatBool(userExists), finished.Tag(expectedEventPrefix+"usr.exists"))
 				require.Equal(t, "us-east-1", finished.Tag(expectedEventPrefix+"region"))
 			}
 		}
@@ -117,7 +117,7 @@ func TestCustomEvent(t *testing.T) {
 		require.Len(t, mt.FinishedSpans(), 1)
 		finished := mt.FinishedSpans()[0]
 		expectedEventPrefix := "appsec.events.my-custom-event."
-		require.Equal(t, true, finished.Tag(expectedEventPrefix+"track"))
+		require.Equal(t, "true", finished.Tag(expectedEventPrefix+"track"))
 		for k, v := range md {
 			require.Equal(t, v, finished.Tag(expectedEventPrefix+k))
 		}
@@ -136,37 +136,6 @@ func TestCustomEvent(t *testing.T) {
 	})
 }
 
-func TestSetUser(t *testing.T) {
-	t.Run("early-return/appsec-disabled", func(t *testing.T) {
-		mt := mocktracer.Start()
-		defer mt.Stop()
-		span, ctx := tracer.StartSpanFromContext(context.Background(), "example")
-		defer span.Finish()
-		err := appsec.SetUser(ctx, "usr.id")
-		require.NoError(t, err)
-	})
-
-	privateAppsec.Start()
-	defer privateAppsec.Stop()
-	if !privateAppsec.Enabled() {
-		t.Skip("AppSec needs to be enabled for this test")
-	}
-
-	t.Run("early-return/nil-ctx", func(t *testing.T) {
-		err := appsec.SetUser(nil, "usr.id")
-		require.NoError(t, err)
-	})
-
-	t.Run("no-early-return", func(t *testing.T) {
-		mt := mocktracer.Start()
-		defer mt.Stop()
-		span, ctx := tracer.StartSpanFromContext(context.Background(), "example")
-		defer span.Finish()
-		err := appsec.SetUser(ctx, "usr.id")
-		require.Nil(t, err)
-	})
-}
-
 func ExampleTrackUserLoginSuccessEvent() {
 	// Create an example span and set a user login success appsec event example to it.
 	span, ctx := tracer.StartSpanFromContext(context.Background(), "example")