fix(asm): insert user information in span [backport 1.18] (#6918)

Backport 85fa4bb from #6616 to 1.18.

Fixes #6551

Make it posible to choose user information span, by default it was
root_span but sometimes this root_span is not the one where user
information should be set. See issue for more details.

## Checklist
- [X] Change(s) are motivated and described in the PR description.
- [X] Testing strategy is described if automated tests are not included
in the PR.
- [X] Risk is outlined (performance impact, potential for breakage,
maintainability, etc).
- [X] Change is maintainable (easy to change, telemetry, documentation).
- [X] [Library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
are followed. If no release note is required, add label
`changelog/no-changelog`.
- [X] Documentation is included (in-code, generated user docs, [public
corp docs](https://github.com/DataDog/documentation/)).
- [X] Backport labels are set (if
[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))

## Reviewer Checklist

- [x] Title is accurate.
- [x] No unnecessary changes are introduced.
- [x] Description motivates each change.
- [x] Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes unless absolutely necessary.
- [x] Testing strategy adequately addresses listed risk(s).
- [x] Change is maintainable (easy to change, telemetry, documentation).
- [x] Release note makes sense to a user of the library.
- [x] Reviewer has explicitly acknowledged and discussed the performance
implications of this PR as reported in the benchmarks PR comment.
- [x] Backport labels are set in a manner that is consistent with the
[release branch maintenance
policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)

Co-authored-by: Pedro Vicente <[email protected]>

Author: github-actions[bot]

ddtrace/appsec/trace_utils.py

@@ -24,11 +24,19 @@
 
 
 def _track_user_login_common(
-    tracer, success, metadata=None, login_events_mode=LOGIN_EVENTS_MODE.SDK, login=None, name=None, email=None
+    tracer,  # type: Tracer
+    success,  # type: bool
+    metadata=None,  # type: Optional[dict]
+    login_events_mode=LOGIN_EVENTS_MODE.SDK,  # type: str
+    login=None,  # type: Optional[str]
+    name=None,  # type: Optional[str]
+    email=None,  # type: Optional[str]
+    span=None,  # type: Optional[Span]
 ):
-    # type: (Tracer, bool, Optional[dict], str, Optional[str], Optional[str], Optional[str]) -> Optional[Span]
+    # type: (...) -> Optional[Span]
 
-    span = tracer.current_root_span()
+    if span is None:
+        span = tracer.current_root_span()
     if span:
         success_str = "success" if success else "failure"
         tag_prefix = "%s.%s" % (APPSEC.USER_LOGIN_EVENT_PREFIX, success_str)
@@ -65,19 +73,20 @@ def _track_user_login_common(
 
 
 def track_user_login_success_event(
-    tracer,
-    user_id,
-    metadata=None,
-    login=None,
-    name=None,
-    email=None,
-    scope=None,
-    role=None,
-    session_id=None,
-    propagate=False,
-    login_events_mode=LOGIN_EVENTS_MODE.SDK,
+    tracer,  # type: Tracer
+    user_id,  # type: str
+    metadata=None,  # type: Optional[dict]
+    login=None,  # type: Optional[str]
+    name=None,  # type: Optional[str]
+    email=None,  # type: Optional[str]
+    scope=None,  # type: Optional[str]
+    role=None,  # type: Optional[str]
+    session_id=None,  # type: Optional[str]
+    propagate=False,  # type: bool
+    login_events_mode=LOGIN_EVENTS_MODE.SDK,  # type: str
+    span=None,  # type: Optional[Span]
 ):
-    # type: (Tracer, str, Optional[dict], Optional[str], Optional[str], Optional[str], Optional[str], Optional[str], Optional[str], bool, str) -> None # noqa: E501
+    # type: (...) -> None # noqa: E501
     """
     Add a new login success tracking event. The parameters after metadata (name, email,
     scope, role, session_id, propagate) will be passed to the `set_user` function that will be called
@@ -90,12 +99,12 @@ def track_user_login_success_event(
     :param metadata: a dictionary with additional metadata information to be stored with the event
     """
 
-    span = _track_user_login_common(tracer, True, metadata, login_events_mode, login, name, email)
+    span = _track_user_login_common(tracer, True, metadata, login_events_mode, login, name, email, span)
     if not span:
         return
 
     # usr.id will be set by set_user
-    set_user(tracer, user_id, name, email, scope, role, session_id, propagate)
+    set_user(tracer, user_id, name, email, scope, role, session_id, propagate, span)
 
 
 def track_user_login_failure_event(tracer, user_id, exists, metadata=None, login_events_mode=LOGIN_EVENTS_MODE.SDK):

ddtrace/contrib/trace_utils.py

@@ -622,14 +622,24 @@ def set_flattened_tags(
             span.set_tag(tag, processor(v) if processor is not None else v)
 
 
-def set_user(tracer, user_id, name=None, email=None, scope=None, role=None, session_id=None, propagate=False):
-    # type: (Tracer, str, Optional[str], Optional[str], Optional[str], Optional[str], Optional[str], bool) -> None
+def set_user(
+    tracer,  # type: Tracer
+    user_id,  # type: str
+    name=None,  # type: Optional[str]
+    email=None,  # type: Optional[str]
+    scope=None,  # type: Optional[str]
+    role=None,  # type: Optional[str]
+    session_id=None,  # type: Optional[str]
+    propagate=False,  # type bool
+    span=None,  # type: Optional[Span]
+):
+    # type: (...) -> None
     """Set user tags.
     https://docs.datadoghq.com/logs/log_configuration/attributes_naming_convention/#user-related-attributes
     https://docs.datadoghq.com/security_platform/application_security/setup_and_configure/?tab=set_tag&code-lang=python
     """
-
-    span = tracer.current_root_span()
+    if span is None:
+        span = tracer.current_root_span()
     if span:
         # Required unique identifier of the user
         str_user_id = str(user_id)

releasenotes/notes/set-user-information-in-span-06ef7cf21b2f56d4.yaml

@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    ASM: This fix resolves issue where user information was only set in root span.
+    Now span for user information can be selected.

tests/appsec/test_appsec_trace_utils.py

@@ -60,6 +60,39 @@ def test_track_user_login_event_success_without_metadata(self):
             assert root_span.get_tag(user.ROLE) == "boss"
             assert root_span.get_tag(user.SESSION_ID) == "test_session_id"
 
+    def test_track_user_login_event_success_in_span_without_metadata(self):
+        with self.trace("test_success1") as parent_span:
+            user_span = self.trace("user_span")
+            user_span.parent_id = parent_span.span_id
+            track_user_login_success_event(
+                self.tracer,
+                "1234",
+                metadata=None,
+                name="John",
+                email="[email protected]",
+                scope="test_scope",
+                role="boss",
+                session_id="test_session_id",
+                span=user_span,
+            )
+
+            success_prefix = "%s.success" % APPSEC.USER_LOGIN_EVENT_PREFIX
+            failure_prefix = "%s.failure" % APPSEC.USER_LOGIN_EVENT_PREFIX
+
+            assert user_span.get_tag("%s.track" % success_prefix) == "true"
+            assert user_span.get_tag("%s.sdk" % success_prefix) == "true"
+            assert not user_span.get_tag("%s.auto.mode" % success_prefix)
+            assert not user_span.get_tag("%s.track" % failure_prefix)
+            # set_user tags
+            assert user_span.get_tag(user.ID) == "1234" and parent_span.get_tag(user.ID) is None
+            assert user_span.get_tag(user.NAME) == "John" and parent_span.get_tag(user.NAME) is None
+            assert user_span.get_tag(user.EMAIL) == "[email protected]" and parent_span.get_tag(user.EMAIL) is None
+            assert user_span.get_tag(user.SCOPE) == "test_scope" and parent_span.get_tag(user.SCOPE) is None
+            assert user_span.get_tag(user.ROLE) == "boss" and parent_span.get_tag(user.ROLE) is None
+            assert (
+                user_span.get_tag(user.SESSION_ID) == "test_session_id" and parent_span.get_tag(user.SESSION_ID) is None
+            )
+
     def test_track_user_login_event_success_auto_mode_safe(self):
         with self.trace("test_success1"):
             track_user_login_success_event(

tests/tracer/test_tracer.py

@@ -532,6 +532,28 @@ def test_tracer_set_user(self):
         assert span.get_tag(user.SCOPE)
         assert span.context.dd_user_id is None
 
+    def test_tracer_set_user_in_span(self):
+        parent_span = self.trace("root_span")
+        user_span = self.trace("user_span")
+        user_span.parent_id = parent_span.span_id
+        set_user(
+            self.tracer,
+            user_id="usr.id",
+            email="usr.email",
+            name="usr.name",
+            session_id="usr.session_id",
+            role="usr.role",
+            scope="usr.scope",
+            span=user_span,
+        )
+        assert user_span.get_tag(user.ID) and parent_span.get_tag(user.ID) is None
+        assert user_span.get_tag(user.EMAIL) and parent_span.get_tag(user.EMAIL) is None
+        assert user_span.get_tag(user.SESSION_ID) and parent_span.get_tag(user.SESSION_ID) is None
+        assert user_span.get_tag(user.NAME) and parent_span.get_tag(user.NAME) is None
+        assert user_span.get_tag(user.ROLE) and parent_span.get_tag(user.ROLE) is None
+        assert user_span.get_tag(user.SCOPE) and parent_span.get_tag(user.SCOPE) is None
+        assert user_span.context.dd_user_id is None
+
     def test_tracer_set_user_mandatory(self):
         span = self.trace("fake_span")
         set_user(