fix(asm): clear ddwaf contexts on span finish [backport 2.6] (#8728)

Backport 68ec70f from #8724 to 2.6.

## Description

Since the ddwaf ctx is passed to a stored callback and passed to a
dynamic library (libddwaf), it's not cleared when the span finishes,
instead is later collected by the Python GC, which sometimes can cause
some semi-random latency increases when many objects have to be cleared
at the end of a request. This change will make the ddwaf context to
always be cleared on the `on_span_finish` method of the
`AppSecSpanProcessor`.

## Checklist

- [X] Change(s) are motivated and described in the PR description
- [X] Testing strategy is described if automated tests are not included
in the PR
- [X] Risks are described (performance impact, potential for breakage,
maintainability)
- [X] Change is maintainable (easy to change, telemetry, documentation)
- [X] [Library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
are followed or label `changelog/no-changelog` is set
- [X] Documentation is included (in-code, generated user docs, [public
corp docs](https://github.com/DataDog/documentation/))
- [X] Backport labels are set (if
[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))
- [X] If this PR changes the public interface, I've notified
`@DataDog/apm-tees`.
- [X] If change touches code that signs or publishes builds or packages,
or handles credentials of any kind, I've requested a review from
`@DataDog/security-design-and-guidance`.

## Reviewer Checklist

- [x] Title is accurate
- [x] All changes are related to the pull request's stated goal
- [x] Description motivates each change
- [x] Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes
- [x] Testing strategy adequately addresses listed risks
- [x] Change is maintainable (easy to change, telemetry, documentation)
- [x] Release note makes sense to a user of the library
- [x] Author has acknowledged and discussed the performance implications
of this PR as reported in the benchmarks PR comment
- [x] Backport labels are set in a manner that is consistent with the
[release branch maintenance
policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)

Co-authored-by: Juanjo Alvarez Martinez <[email protected]>

Author: github-actions[bot]

ddtrace/appsec/_processor.py

@@ -12,6 +12,7 @@
 from typing import Set
 from typing import Tuple
 from typing import Union
+import weakref
 
 from ddtrace.appsec import _asm_request_context
 from ddtrace.appsec._capabilities import _appsec_rc_file_is_not_static
@@ -126,6 +127,7 @@ class AppSecSpanProcessor(SpanProcessor):
     )
     _addresses_to_keep: Set[str] = dataclasses.field(default_factory=set)
     _rate_limiter: RateLimiter = dataclasses.field(default_factory=_get_rate_limiter)
+    _span_to_waf_ctx: weakref.WeakKeyDictionary = dataclasses.field(default_factory=weakref.WeakKeyDictionary)
 
     @property
     def enabled(self):
@@ -220,7 +222,7 @@ def on_span_start(self, span: Span) -> None:
             _asm_request_context.register(span, new_asm_context)
 
         ctx = self._ddwaf._at_request_start()
-
+        self._span_to_waf_ctx[span] = ctx
         peer_ip = _asm_request_context.get_ip()
         headers = _asm_request_context.get_headers()
         headers_case_sensitive = _asm_request_context.get_headers_case_sensitive()
@@ -407,3 +409,19 @@ def on_span_finish(self, span: Span) -> None:
         finally:
             # release asm context if it was created by the span
             _asm_request_context.unregister(span)
+
+            if span.span_type != SpanTypes.WEB:
+                return
+
+            to_delete = []
+            for iterspan, ctx in self._span_to_waf_ctx.items():
+                # delete all the ddwaf ctxs associated with this span or finished or deleted ones
+                if iterspan == span or iterspan.finished:
+                    # so we don't change the dictionary size on iteration
+                    to_delete.append(iterspan)
+
+            for s in to_delete:
+                try:
+                    del self._span_to_waf_ctx[s]
+                except Exception:  # nosec B110
+                    pass

releasenotes/notes/asm-clear-ddwaf-ctx-on-span-finish-4d8b7c7e818ae5d7.yaml

@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    ASM: always clear the DDWaf context at the end of the span to avoid gc-induced latency spikes at the end of some requests.
+    

tests/appsec/appsec/test_processor.py

@@ -77,6 +77,19 @@ def test_enable_custom_rules():
     assert processor.rules == rules.RULES_GOOD_PATH
 
 
+def test_ddwaf_ctx(tracer_appsec):
+    tracer = tracer_appsec
+
+    with override_env(dict(DD_APPSEC_RULES=rules.RULES_GOOD_PATH)):
+        with _asm_request_context.asm_request_context_manager(), tracer.trace("test", span_type=SpanTypes.WEB) as span:
+            processor = AppSecSpanProcessor()
+            processor.on_span_start(span)
+            ctx = processor._span_to_waf_ctx.get(span)
+            assert ctx
+            processor.on_span_finish(span)
+            assert span not in processor._span_to_waf_ctx
+
+
 @pytest.mark.parametrize("rule,exc", [(rules.RULES_MISSING_PATH, IOError), (rules.RULES_BAD_PATH, ValueError)])
 def test_enable_bad_rules(rule, exc, tracer):
     # with override_env(dict(DD_APPSEC_RULES=rule)):