chore(asm): standalone asm propagation (#9482)

## Description:
ASM: adds Standalone ASM distributed propagation changes as described in
"RFC: Standalone ASM billing V2".

For the full picture of this feature, see:
#9211 ,
#9444 and
#9445

See also System Tests related changes:
DataDog/system-tests#2522

## Details:
The main change is that if ASM Standalone is enabled, propagation of
distributed spans would reset (from upstream) unless they are part of a
distributed span where there are AppSec events (signaled through the
propagation tag _dd.p.appsec: 1).

It will also cut propagation downstream if there are no appsec events in
the current or upstream spans.

Notice that AppSec events trigger a force keep, and that takes
precedence over the received propagation in this PR.

Also notice that most tests start by creating a first span without an
appsec event. This is due to the fact that ASM Standalone needs to
maintain a minimum rate of 1 trace per minute regardless of upstream
propagation or appsec events present, so that way we are not affected by
that rate in the test.

## Checklist

- [x] Change(s) are motivated and described in the PR description
- [x] Testing strategy is described if automated tests are not included
in the PR
- [x] Risks are described (performance impact, potential for breakage,
maintainability)
- [x] Change is maintainable (easy to change, telemetry, documentation)
- [x] [Library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
are followed or label `changelog/no-changelog` is set
- [x] Documentation is included (in-code, generated user docs, [public
corp docs](https://github.com/DataDog/documentation/))
- [x] Backport labels are set (if
[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))
- [x] If this PR changes the public interface, I've notified
`@DataDog/apm-tees`.

## Reviewer Checklist

- [x] Title is accurate
- [x] All changes are related to the pull request's stated goal
- [x] Description motivates each change
- [x] Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes
- [x] Testing strategy adequately addresses listed risks
- [x] Change is maintainable (easy to change, telemetry, documentation)
- [x] Release note makes sense to a user of the library
- [x] Author has acknowledged and discussed the performance implications
of this PR as reported in the benchmarks PR comment
- [x] Backport labels are set in a manner that is consistent with the
[release branch maintenance
policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)

Author: gnufede

ddtrace/_trace/tracer.py

@@ -27,6 +27,7 @@
 from ddtrace._trace.processor import TraceTagsProcessor
 from ddtrace._trace.provider import DefaultContextProvider
 from ddtrace._trace.span import Span
+from ddtrace.appsec._constants import APPSEC
 from ddtrace.constants import ENV_KEY
 from ddtrace.constants import HOSTNAME_KEY
 from ddtrace.constants import PID
@@ -796,7 +797,9 @@ def _start_span(
             if span._local_root is None:
                 span._local_root = span
             for k, v in _get_metas_to_propagate(context):
-                if k != SAMPLING_DECISION_TRACE_TAG_KEY:
+                # We do not want to propagate AppSec propagation headers
+                # to children spans, only across distributed spans
+                if k not in (SAMPLING_DECISION_TRACE_TAG_KEY, APPSEC.PROPAGATION_HEADER):
                     span._meta[k] = v
         else:
             # this is the root span of a new trace

ddtrace/appsec/_trace_utils.py

@@ -29,6 +29,7 @@ def _asm_manual_keep(span: Span) -> None:
 
     # set Security propagation tag
     span.set_tag_str(APPSEC.PROPAGATION_HEADER, "1")
+    span.context._meta[APPSEC.PROPAGATION_HEADER] = "1"
 
 
 def _track_user_login_common(

ddtrace/propagation/http.py

@@ -25,6 +25,8 @@
 from ddtrace._trace.span import _get_64_highest_order_bits_as_hex
 from ddtrace._trace.span import _get_64_lowest_order_bits_as_int
 from ddtrace._trace.span import _MetaDictType
+from ddtrace.appsec._constants import APPSEC
+from ddtrace.settings.asm import config as asm_config
 
 from ..constants import AUTO_KEEP
 from ..constants import AUTO_REJECT
@@ -230,6 +232,11 @@ def _inject(span_context, headers):
             log.debug("tried to inject invalid context %r", span_context)
             return
 
+        # When in appsec standalone mode, only distributed traces with the `_dd.p.appsec` tag
+        # are propagated. If the tag is not present, we should not propagate downstream.
+        if asm_config._appsec_standalone_enabled and (APPSEC.PROPAGATION_HEADER not in span_context._meta):
+            return
+
         if span_context.trace_id > _MAX_UINT_64BITS:
             # set lower order 64 bits in `x-datadog-trace-id` header. For backwards compatibility these
             # bits should be converted to a base 10 integer.
@@ -343,6 +350,16 @@ def _extract(headers):
             if meta:
                 meta = validate_sampling_decision(meta)
 
+            if asm_config._appsec_standalone_enabled:
+                # When in appsec standalone mode, only distributed traces with the `_dd.p.appsec` tag
+                # are propagated downstream, however we need 1 trace per minute sent to the backend, so
+                # we unset sampling priority so the rate limiter decides.
+                if not meta or APPSEC.PROPAGATION_HEADER not in meta:
+                    sampling_priority = None
+                # If the trace has appsec propagation tag, the default priority is user keep
+                elif meta and APPSEC.PROPAGATION_HEADER in meta:
+                    sampling_priority = 2  # type: ignore[assignment]
+
             return Context(
                 # DEV: Do not allow `0` for trace id or span id, use None instead
                 trace_id=trace_id or None,

ddtrace/settings/asm.py

@@ -107,6 +107,7 @@ class ASMConfig(Env):
     # for tests purposes
     _asm_config_keys = [
         "_asm_enabled",
+        "_appsec_standalone_enabled",
         "_iast_enabled",
         "_ep_enabled",
         "_use_metastruct_for_triggers",