fix: dont raise a ValueError on set_user when no span [backport #5548 to 1.10] (#5566)

## Checklist

- [X] Change(s) are motivated and described in the PR description.
- [X] Testing strategy is described if automated tests are not included
in the PR.
- [X] Risk is outlined (performance impact, potential for breakage,
maintainability, etc).
- [X] Change is maintainable (easy to change, telemetry, documentation).
- [X] [Library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/contributing.html#Release-Note-Guidelines)
are followed.
- [X] Documentation is included (in-code, generated user docs, [public
corp docs](https://github.com/DataDog/documentation/)).
- [X] PR description includes explicit acknowledgement/acceptance of the
performance implications of this PR as reported in the benchmarks PR
comment.

## Reviewer Checklist

- [x] Title is accurate.
- [x] No unnecessary changes are introduced.
- [x] Description motivates each change.
- [x] Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes unless absolutely necessary.
- [x] Testing strategy adequately addresses listed risk(s).
- [x] Change is maintainable (easy to change, telemetry, documentation).
- [x] Release note makes sense to a user of the library.
- [x] Reviewer has explicitly acknowledged and discussed the performance
implications of this PR as reported in the benchmarks PR comment.

---------

Signed-off-by: Juanjo Alvarez <[email protected]>
Co-authored-by: Emmett Butler <[email protected]>

Author: juanjux

ddtrace/appsec/trace_utils.py

@@ -146,6 +146,15 @@ def should_block_user(tracer, userid):  # type: (Tracer, str) -> bool
 
     # Early check to avoid calling the WAF if the request is already blocked
     span = tracer.current_root_span()
+    if not span:
+        log.warning(
+            "No root span in the current execution. should_block_user returning False"
+            "See https://docs.datadoghq.com/security_platform/application_security"
+            "/setup_and_configure/"
+            "?tab=set_user&code-lang=python for more information.",
+        )
+        return False
+
     if _context.get_item(WAF_CONTEXT_NAMES.BLOCKED, span=span):
         return True
 

ddtrace/contrib/trace_utils.py

@@ -612,11 +612,6 @@ def set_user(tracer, user_id, name=None, email=None, scope=None, role=None, sess
     https://docs.datadoghq.com/security_platform/application_security/setup_and_configure/?tab=set_tag&code-lang=python
     """
 
-    if config._appsec_enabled:
-        from ddtrace.appsec.trace_utils import block_request_if_user_blocked
-
-        block_request_if_user_blocked(tracer, user_id)
-
     span = tracer.current_root_span()
     if span:
         # Required unique identifier of the user
@@ -636,6 +631,11 @@ def set_user(tracer, user_id, name=None, email=None, scope=None, role=None, sess
             span.set_tag_str(user.ROLE, role)
         if session_id:
             span.set_tag_str(user.SESSION_ID, session_id)
+
+        if config._appsec_enabled:
+            from ddtrace.appsec.trace_utils import block_request_if_user_blocked
+
+            block_request_if_user_blocked(tracer, user_id)
     else:
         log.warning(
             "No root span in the current execution. Skipping set_user tags. "

releasenotes/notes/fix-block-request-without-span-c5ea72a06bd389b3.yaml

@@ -0,0 +1,4 @@
+---
+fixes:
+  - |
+    ASM: fix calling `set_user` without a created span raising a `ValueError`.