fix(aap): fixing missing tracking user tags in the new sdk [backport 3.9] (#13703)

Backport ff35f5b from #13701 to 3.9.

The new SDK for tracking user was reporting name, email, scope and role
of tracked user with different tags than the legacy SDK, leading to
missing information in the security UI.

- this PR fixes that by setting properly legacy tags.
- add a regression test

Ticket #2164160

APPSEC-58040

## Checklist
- [x] PR author has checked that all the criteria below are met
- The PR description includes an overview of the change
- The PR description articulates the motivation for the change
- The change includes tests OR the PR description describes a testing
strategy
- The PR description notes risks associated with the change, if any
- Newly-added code is easy to change
- The change follows the [library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
- The change includes or references documentation updates if necessary
- Backport labels are set (if
[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))

## Reviewer Checklist
- [x] Reviewer has checked that all the criteria below are met 
- Title is accurate
- All changes are related to the pull request's stated goal
- Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes
- Testing strategy adequately addresses listed risks
- Newly-added code is easy to change
- Release note makes sense to a user of the library
- If necessary, author has acknowledged and discussed the performance
implications of this PR as reported in the benchmarks PR comment
- Backport labels are set in a manner that is consistent with the
[release branch maintenance
policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)

Co-authored-by: Christophe Papazian <[email protected]>

Author: github-actions[bot]

ddtrace/appsec/track_user_sdk.py

@@ -73,8 +73,21 @@ def track_user(
         span.set_tag_str(_constants.APPSEC.USER_LOGIN_USERID, str(user_id))
     if login:
         span.set_tag_str(_constants.APPSEC.USER_LOGIN_USERNAME, str(login))
-
-    _trace_utils.set_user(None, user_id, session_id=session_id, may_block=False)
+    meta = metadata or {}
+    usr_name = meta.get("name") or meta.get("usr.name")
+    usr_email = meta.get("email") or meta.get("usr.email")
+    usr_scope = meta.get("scope") or meta.get("usr.scope")
+    usr_role = meta.get("role") or meta.get("usr.role")
+    _trace_utils.set_user(
+        None,
+        user_id,
+        name=usr_name if isinstance(usr_name, str) else None,
+        email=usr_email if isinstance(usr_email, str) else None,
+        scope=usr_scope if isinstance(usr_scope, str) else None,
+        role=usr_role if isinstance(usr_role, str) else None,
+        session_id=session_id,
+        may_block=False,
+    )
     if metadata:
         _trace_utils.track_custom_event(None, "auth_sdk", metadata=metadata)
     span.set_tag_str(_constants.APPSEC.AUTO_LOGIN_EVENTS_COLLECTION_MODE, _constants.LOGIN_EVENTS_MODE.SDK)

releasenotes/notes/fix_track_user_missing_data-6267b4a000f6bbed.yaml

@@ -0,0 +1,4 @@
+---
+fixes:
+  - |
+    AAP: This fix resolves an issue where the new ATO SDK track_user was reporting differently email, name, scope and role of the tracked user.

tests/appsec/appsec/test_appsec_trace_utils.py

@@ -11,6 +11,7 @@
 from ddtrace.appsec.trace_utils import track_user_login_failure_event
 from ddtrace.appsec.trace_utils import track_user_login_success_event
 from ddtrace.appsec.trace_utils import track_user_signup_event
+from ddtrace.appsec.track_user_sdk import track_user
 from ddtrace.contrib.internal.trace_utils import set_user
 from ddtrace.ext import user
 import tests.appsec.rules as rules
@@ -93,6 +94,7 @@ def test_track_user_login_event_success_in_span_without_metadata(self):
             assert (
                 user_span.get_tag(user.SESSION_ID) == "test_session_id" and parent_span.get_tag(user.SESSION_ID) is None
             )
+            user_span.finish()
 
     def test_track_user_login_event_success_auto_mode_safe(self):
         with asm_context(tracer=self.tracer, span_name="test_success1", config=config_asm):
@@ -239,6 +241,31 @@ def test_set_user_blocked(self):
             assert span.get_tag("usr.id") == str(self._BLOCKED_USER)
             assert is_blocked(span)
 
+    def test_track_user_blocked(self):
+        with asm_context(tracer=self.tracer, span_name="fake_span", config=config_good_rules) as span:
+            track_user(
+                self.tracer,
+                user_id=self._BLOCKED_USER,
+                session_id="usr.session_id",
+                metadata={
+                    "email": "usr.email",
+                    "name": "usr.name",
+                    "session_id": "usr.session_id",
+                    "role": "usr.role",
+                    "scope": "usr.scope",
+                },
+            )
+            assert span.get_tag(user.ID)
+            assert span.get_tag(user.EMAIL)
+            assert span.get_tag(user.SESSION_ID)
+            assert span.get_tag(user.NAME)
+            assert span.get_tag(user.ROLE)
+            assert span.get_tag(user.SCOPE)
+            assert span.get_tag(user.SESSION_ID)
+            assert span.get_tag(APPSEC.AUTO_LOGIN_EVENTS_COLLECTION_MODE) == LOGIN_EVENTS_MODE.SDK
+            assert span.get_tag("usr.id") == str(self._BLOCKED_USER)
+            assert is_blocked(span)
+
     def test_no_span_doesnt_raise(self):
         from ddtrace.trace import tracer