chore(asm): improve api security import condition (#8609) [backport 2.7] (#8638)

Following #8226, this PR
ensure that we never import api security manager module if the WAF is
unavailable or asm is disabled or api security is disabled.

- Add one finite state (bool) to the asm config `_api_security_active`
to keep track of API Security Manager
- Update and check that state in `_default_span_processors_factory`.


## Checklist


- [x] Change(s) are motivated and described in the PR description
- [x] Testing strategy is described if automated tests are not included
in the PR
- [x] Risks are described (performance impact, potential for breakage,
maintainability)
- [x] Change is maintainable (easy to change, telemetry, documentation)
- [x] [Library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
are followed or label `changelog/no-changelog` is set
- [x] Documentation is included (in-code, generated user docs, [public
corp docs](https://github.com/DataDog/documentation/))
- [x] Backport labels are set (if
[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))
- [x] If this PR changes the public interface, I've notified
`@DataDog/apm-tees`.
- [x] If change touches code that signs or publishes builds or packages,
or handles credentials of any kind, I've requested a review from
`@DataDog/security-design-and-guidance`.


## Reviewer Checklist


- [x] Title is accurate
- [x] All changes are related to the pull request's stated goal
- [x] Description motivates each change
- [x] Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes
- [x] Testing strategy adequately addresses listed risks
- [x] Change is maintainable (easy to change, telemetry, documentation)
- [x] Release note makes sense to a user of the library
- [x] Author has acknowledged and discussed the performance implications
of this PR as reported in the benchmarks PR comment
- [x] Backport labels are set in a manner that is consistent with the
[release branch maintenance

policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)

Author: christophe-papazian

ddtrace/_trace/tracer.py

@@ -136,7 +136,10 @@ def _default_span_processors_factory(
             if appsec_processor:
                 span_processors.append(appsec_processor)
         else:
-            if asm_config._api_security_enabled:
+            # api_security_active will keep track of the service status of APIManager
+            # we don't want to import the module if it was not started before due to
+            # one click activation of ASM via Remote Config
+            if asm_config._api_security_active:
                 from ddtrace.appsec._api_security.api_manager import APIManager
 
                 APIManager.disable()

ddtrace/appsec/_api_security/api_manager.py

@@ -53,6 +53,7 @@ def enable(cls):
             log.debug("%s already enabled", cls.__name__)
             return
 
+        asm_config._api_security_active = True
         log.debug("Enabling %s", cls.__name__)
         metrics.enable()
         cls._instance = cls()
@@ -66,6 +67,7 @@ def disable(cls):
             log.debug("%s not enabled", cls.__name__)
             return
 
+        asm_config._api_security_active = False
         log.debug("Disabling %s", cls.__name__)
         cls._instance.stop()
         cls._instance = None

ddtrace/appsec/_utils.py

@@ -71,7 +71,12 @@ def _appsec_rc_features_is_enabled() -> bool:
 
 
 def _appsec_apisec_features_is_active() -> bool:
-    return asm_config._asm_enabled and asm_config._api_security_enabled and asm_config._api_security_sample_rate > 0.0
+    return (
+        asm_config._asm_libddwaf_available
+        and asm_config._asm_enabled
+        and asm_config._api_security_enabled
+        and asm_config._api_security_sample_rate > 0.0
+    )
 
 
 def _safe_userid(user_id):

ddtrace/settings/asm.py

@@ -49,6 +49,10 @@ class ASMConfig(Env):
     _api_security_enabled = Env.var(bool, API_SECURITY.ENV_VAR_ENABLED, default=True)
     _api_security_sample_rate = Env.var(float, API_SECURITY.SAMPLE_RATE, validator=_validate_sample_rate, default=0.1)
     _api_security_parse_response_body = Env.var(bool, API_SECURITY.PARSE_RESPONSE_BODY, default=True)
+
+    # internal state of the API security Manager service.
+    # updated in API Manager enable/disable
+    _api_security_active = False
     _asm_libddwaf = build_libddwaf_filename()
     _asm_libddwaf_available = os.path.exists(_asm_libddwaf)
 
@@ -110,3 +114,4 @@ class ASMConfig(Env):
     config._asm_enabled = False
     config._asm_can_be_enabled = False
     config._iast_enabled = False
+    config._api_security_enabled = False