fix(asm/refactor): avoid store context data if appsec is disabled (#4163)

## Description
Avoid store context data if appsec is disabled

```
+-----------------------------------------------------+----------+-------------------------+
| Benchmark                                           | 1.x      | branch                  |
+=====================================================+==========+=========================+
| sethttpmeta-all-enabled                             | 33.2 us  | 23.1 us: 1.44x faster   |
+-----------------------------------------------------+----------+-------------------------+
| sethttpmeta-no-useragentvariant                     | 28.5 us  | 21.5 us: 1.32x faster   |
+-----------------------------------------------------+----------+-------------------------+
| sethttpmeta-all-disabled                            | 10.7 us  | 8.15 us: 1.31x faster   |
+-----------------------------------------------------+----------+-------------------------+
| sethttpmeta-useragentvariant_exists_1               | 26.9 us  | 22.6 us: 1.19x faster   |
+-----------------------------------------------------+----------+-------------------------+
| sethttpmeta-useragentvariant_exists_2               | 26.4 us  | 25.3 us: 1.04x faster   |
+-----------------------------------------------------+----------+-------------------------+
| sethttpmeta-useragentvariant_exists_3               | 25.9 us  | 25.1 us: 1.03x faster   |
+-----------------------------------------------------+----------+-------------------------+
| sethttpmeta-no-collectipvariant                     | 25.2 us  | 23.3 us: 1.08x faster   |
+-----------------------------------------------------+----------+-------------------------+
| sethttpmeta-collectipvariant_exists                 | 35.6 us  | 32.5 us: 1.10x faster   |
+-----------------------------------------------------+----------+-------------------------+
| sethttpmeta-obfuscation-worst-case-implicit-query   | 25.1 us  | 23.5 us: 1.07x faster   |
+-----------------------------------------------------+----------+-------------------------+
| sethttpmeta-obfuscation-worst-case-explicit-query   | 25.3 us  | 23.3 us: 1.09x faster   |
+-----------------------------------------------------+----------+-------------------------+
| sethttpmeta-obfuscation-regular-case-implicit-query | 26.4 us  | 23.1 us: 1.14x faster   |
+-----------------------------------------------------+----------+-------------------------+
| sethttpmeta-obfuscation-regular-case-explicit-query | 26.1 us  | 23.4 us: 1.11x faster   |
+-----------------------------------------------------+----------+-------------------------+
| sethttpmeta-obfuscation-no-query                    | 25.8 us  | 24.2 us: 1.07x faster   |
+-----------------------------------------------------+----------+-------------------------+
| sethttpmeta-obfuscation-send-querystring-disabled   | 26.1 us  | 23.3 us: 1.12x faster   |
+-----------------------------------------------------+----------+-------------------------+
| sethttpmeta-obfuscation-disabled                    | 25.6 us  | 23.3 us: 1.10x faster   |
+-----------------------------------------------------+----------+-------------------------+
| Geometric mean                                      | (ref)    | 1.12x faster            |
+-----------------------------------------------------+----------+-------------------------+
```

## Reviewer Checklist
- [ ] Title is accurate.
- [ ] Description motivates each change.
- [ ] No unnecessary changes were introduced in this PR.
- [ ] PR cannot be broken up into smaller PRs.
- [ ] Avoid breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes unless absolutely necessary.
- [ ] Tests provided or description of manual testing performed is included in the code or PR.
- [ ] Release note has been added for fixes and features, or else `changelog/no-changelog` label added.
- [ ] All relevant GitHub issues are correctly linked.
- [ ] Backports are identified and tagged with Mergifyio.
- [ ] Add to milestone.

Author: avara1986

ddtrace/contrib/trace_utils.py

@@ -461,7 +461,7 @@ def set_http_meta(
     if retries_remain is not None:
         span._set_str_tag(http.RETRIES_REMAIN, str(retries_remain))
 
-    if config._appsec:
+    if config._appsec_enabled:
         status_code = str(status_code) if status_code is not None else None
 
         _context.set_items(

tests/appsec/test_processor.py

@@ -1,6 +1,5 @@
 import json
 import os.path
-import sys
 
 import pytest
 from six import ensure_binary
@@ -27,9 +26,10 @@
 RULES_MISSING_PATH = os.path.join(ROOT_DIR, "nonexistent")
 
 
-class Config(object):
-    def __init__(self):
-        self.is_header_tracing_configured = False
+@pytest.fixture
+def tracer_appsec(tracer):
+    with override_global_config(dict(_appsec_enabled=True)):
+        yield _enable_appsec(tracer)
 
 
 def _enable_appsec(tracer):
@@ -39,6 +39,11 @@ def _enable_appsec(tracer):
     return tracer
 
 
+class Config(object):
+    def __init__(self):
+        self.is_header_tracing_configured = False
+
+
 def test_transform_headers():
     transformed = _transform_headers(
         {
@@ -56,8 +61,8 @@ def test_transform_headers():
     assert set(transformed["foo"]) == {"bar1", "bar2", "bar3"}
 
 
-def test_enable(tracer):
-    _enable_appsec(tracer)
+def test_enable(tracer_appsec):
+    tracer = tracer_appsec
 
     with tracer.trace("test", span_type=SpanTypes.WEB) as span:
         set_http_meta(span, {}, raw_uri="http://example.com/.git", status_code="404")
@@ -85,35 +90,35 @@ def test_enable_bad_rules(rule, exc, tracer):
             _enable_appsec(tracer)
 
 
-def test_retain_traces(tracer):
-    _enable_appsec(tracer)
+def test_retain_traces(tracer_appsec):
+    tracer = tracer_appsec
 
     with tracer.trace("test", span_type=SpanTypes.WEB) as span:
         set_http_meta(span, {}, raw_uri="http://example.com/.git", status_code="404")
 
     assert span.context.sampling_priority == USER_KEEP
 
 
-def test_valid_json(tracer):
-    _enable_appsec(tracer)
+def test_valid_json(tracer_appsec):
+    tracer = tracer_appsec
 
     with tracer.trace("test", span_type=SpanTypes.WEB) as span:
         set_http_meta(span, {}, raw_uri="http://example.com/.git", status_code="404")
 
     assert "triggers" in json.loads(span.get_tag(APPSEC_JSON))
 
 
-def test_header_attack(tracer):
-    _enable_appsec(tracer)
+def test_header_attack(tracer_appsec):
+    tracer = tracer_appsec
 
     with tracer.trace("test", span_type=SpanTypes.WEB) as span:
         set_http_meta(span, Config(), request_headers={"User-Agent": "Arachni/v1", "user-agent": "aa"})
 
     assert "triggers" in json.loads(span.get_tag(APPSEC_JSON))
 
 
-def test_headers_collection(tracer):
-    _enable_appsec(tracer)
+def test_headers_collection(tracer_appsec):
+    tracer = tracer_appsec
 
     with tracer.trace("test", span_type=SpanTypes.WEB) as span:
 
@@ -148,17 +153,20 @@ def test_headers_collection(tracer):
     ],
 )
 def test_appsec_cookies_no_collection_snapshot(tracer):
-    _enable_appsec(tracer)
-    with tracer.trace("test", span_type=SpanTypes.WEB) as span:
-        set_http_meta(
-            span,
-            {},
-            raw_uri="http://example.com/.git",
-            status_code="404",
-            request_cookies={"cookie1": "im the cookie1"},
-        )
+    # We use tracer instead of tracer_appsec because snapshot is looking for tracer fixture and not understands
+    # other fixtures
+    with override_global_config(dict(_appsec_enabled=True)):
+        _enable_appsec(tracer)
+        with tracer.trace("test", span_type=SpanTypes.WEB) as span:
+            set_http_meta(
+                span,
+                {},
+                raw_uri="http://example.com/.git",
+                status_code="404",
+                request_cookies={"cookie1": "im the cookie1"},
+            )
 
-    assert "triggers" in json.loads(span.get_tag(APPSEC_JSON))
+        assert "triggers" in json.loads(span.get_tag(APPSEC_JSON))
 
 
 @snapshot(
@@ -191,16 +199,15 @@ def test_appsec_body_no_collection_snapshot(tracer):
     ],
 )
 def test_appsec_span_tags_snapshot(tracer):
-    _enable_appsec(tracer)
-
-    with tracer.trace("test", span_type=SpanTypes.WEB) as span:
-        span.set_tag("http.url", "http://example.com/.git")
-        set_http_meta(span, {}, raw_uri="http://example.com/.git", status_code="404")
+    with override_global_config(dict(_appsec_enabled=True)):
+        _enable_appsec(tracer)
+        with tracer.trace("test", span_type=SpanTypes.WEB) as span:
+            span.set_tag("http.url", "http://example.com/.git")
+            set_http_meta(span, {}, raw_uri="http://example.com/.git", status_code="404")
 
-    assert "triggers" in json.loads(span.get_tag(APPSEC_JSON))
+        assert "triggers" in json.loads(span.get_tag(APPSEC_JSON))
 
 
-@pytest.mark.skipif(sys.version_info > (3, 5, 0), reason="Python 2.7 and Python 3.5 test")
 @snapshot(
     include_tracer=True,
     ignores=[
@@ -210,19 +217,20 @@ def test_appsec_span_tags_snapshot(tracer):
     ],
 )
 def test_appsec_span_tags_snapshot_with_errors(tracer):
-    with override_env(dict(DD_APPSEC_RULES=os.path.join(ROOT_DIR, "rules-with-2-errors.json"))):
-        _enable_appsec(tracer)
-        with tracer.trace("test", span_type=SpanTypes.WEB) as span:
-            span.set_tag("http.url", "http://example.com/.git")
-            set_http_meta(span, {}, raw_uri="http://example.com/.git", status_code="404")
+    with override_global_config(dict(_appsec_enabled=True)):
+        with override_env(dict(DD_APPSEC_RULES=os.path.join(ROOT_DIR, "rules-with-2-errors.json"))):
+            _enable_appsec(tracer)
+            with tracer.trace("test", span_type=SpanTypes.WEB) as span:
+                span.set_tag("http.url", "http://example.com/.git")
+                set_http_meta(span, {}, raw_uri="http://example.com/.git", status_code="404")
 
-    assert span.get_tag(APPSEC_JSON) is None
+        assert span.get_tag(APPSEC_JSON) is None
 
 
 def test_appsec_span_rate_limit(tracer):
-    with override_env(dict(DD_APPSEC_TRACE_RATE_LIMIT="1")):
-        _enable_appsec(tracer)
 
+    with override_global_config(dict(_appsec_enabled=True)), override_env(dict(DD_APPSEC_TRACE_RATE_LIMIT="1")):
+        _enable_appsec(tracer)
         # we have 2 spans going through with a rate limit of 1: this is because the first span will update the rate
         # limiter last update timestamp. In other words, we need a first call to reset the rate limiter's clock
         # DEV: aligning rate limiter clock with this span (this
@@ -299,8 +307,8 @@ def test_obfuscation_parameter_key_and_value_invalid_regex():
     assert processor.enabled
 
 
-def test_obfuscation_parameter_value_unconfigured_not_matching(tracer):
-    _enable_appsec(tracer)
+def test_obfuscation_parameter_value_unconfigured_not_matching(tracer_appsec):
+    tracer = tracer_appsec
 
     with tracer.trace("test", span_type=SpanTypes.WEB) as span:
         set_http_meta(span, Config(), raw_uri="http://example.com/.git?hello=goodbye", status_code="404")
@@ -312,8 +320,8 @@ def test_obfuscation_parameter_value_unconfigured_not_matching(tracer):
     assert "<Redacted>" not in span.get_tag("_dd.appsec.json")
 
 
-def test_obfuscation_parameter_value_unconfigured_matching(tracer):
-    _enable_appsec(tracer)
+def test_obfuscation_parameter_value_unconfigured_matching(tracer_appsec):
+    tracer = tracer_appsec
 
     with tracer.trace("test", span_type=SpanTypes.WEB) as span:
         set_http_meta(span, Config(), raw_uri="http://example.com/.git?password=goodbye", status_code="404")
@@ -326,7 +334,9 @@ def test_obfuscation_parameter_value_unconfigured_matching(tracer):
 
 
 def test_obfuscation_parameter_value_configured_not_matching(tracer):
-    with override_env(dict(DD_APPSEC_OBFUSCATION_PARAMETER_VALUE_REGEXP="token")):
+    with override_global_config(dict(_appsec_enabled=True)), override_env(
+        dict(DD_APPSEC_OBFUSCATION_PARAMETER_VALUE_REGEXP="token")
+    ):
 
         _enable_appsec(tracer)
 
@@ -341,7 +351,9 @@ def test_obfuscation_parameter_value_configured_not_matching(tracer):
 
 
 def test_obfuscation_parameter_value_configured_matching(tracer):
-    with override_env(dict(DD_APPSEC_OBFUSCATION_PARAMETER_VALUE_REGEXP="token")):
+    with override_global_config(dict(_appsec_enabled=True)), override_env(
+        dict(DD_APPSEC_OBFUSCATION_PARAMETER_VALUE_REGEXP="token")
+    ):
 
         _enable_appsec(tracer)
 

tests/contrib/django/test_django_appsec.py

@@ -61,7 +61,7 @@ def test_django_request_cookies(client, test_spans, tracer):
 
 
 def test_django_request_cookies_attack(client, test_spans, tracer):
-    with override_global_config(dict(_appsec_enabled=False)):
+    with override_global_config(dict(_appsec_enabled=True)):
         with override_env(dict(DD_APPSEC_RULES=RULES_GOOD_PATH)):
             client.cookies.load({"attack": "1' or '1' = '1'"})
             root_span, _ = _aux_appsec_get_root_span(client, test_spans, tracer)

tests/contrib/pylons/test_pylons.py

@@ -189,31 +189,32 @@ def test_exc_client_failure(self):
         assert span.get_tag(ERROR_STACK) is None
 
     def test_success_200(self, query_string=""):
-        if query_string:
-            fqs = "?" + query_string
-        else:
-            fqs = ""
-        res = self.app.get(url_for(controller="root", action="index") + fqs)
-        assert res.status == 200
-
-        spans = self.pop_spans()
-        assert spans, spans
-        assert len(spans) == 1
-        span = spans[0]
+        with override_global_config(dict(_appsec_enabled=True)):
+            if query_string:
+                fqs = "?" + query_string
+            else:
+                fqs = ""
+            res = self.app.get(url_for(controller="root", action="index") + fqs)
+            assert res.status == 200
 
-        assert_is_measured(span)
-        assert span.service == "web"
-        assert span.resource == "root.index"
-        assert_span_http_status_code(span, 200)
-        if config.pylons.trace_query_string:
-            assert span.get_tag(http.QUERY_STRING) == query_string
-            if config._appsec:
-                assert _context.get_item("http.request.uri", span=span) == "http://localhost:80/?" + query_string
-        else:
-            assert http.QUERY_STRING not in span.get_tags()
-            if config._appsec:
-                assert _context.get_item("http.request.uri", span=span) == "http://localhost:80/"
-        assert span.error == 0
+            spans = self.pop_spans()
+            assert spans, spans
+            assert len(spans) == 1
+            span = spans[0]
+
+            assert_is_measured(span)
+            assert span.service == "web"
+            assert span.resource == "root.index"
+            assert_span_http_status_code(span, 200)
+            if config.pylons.trace_query_string:
+                assert span.get_tag(http.QUERY_STRING) == query_string
+                if config._appsec:
+                    assert _context.get_item("http.request.uri", span=span) == "http://localhost:80/?" + query_string
+            else:
+                assert http.QUERY_STRING not in span.get_tags()
+                if config._appsec:
+                    assert _context.get_item("http.request.uri", span=span) == "http://localhost:80/"
+            assert span.error == 0
 
     def test_query_string(self):
         return self.test_success_200("foo=bar")
@@ -504,7 +505,7 @@ def test_response_headers(self):
         assert spans[0].get_tag("http.response.headers.custom-header") == "value"
 
     def test_pylons_cookie_sql_injection(self):
-        with override_env(dict(DD_APPSEC_RULES=RULES_GOOD_PATH)):
+        with override_global_config(dict(_appsec_enabled=True)), override_env(dict(DD_APPSEC_RULES=RULES_GOOD_PATH)):
             self.tracer._appsec_enabled = True
             # Hack: need to pass an argument to configure so that the processors are recreated
             self.tracer.configure(api_version="v0.4")
@@ -521,18 +522,19 @@ def test_pylons_cookie_sql_injection(self):
             assert span["attack"] == "w00tw00t.at.isc.sans.dfind"
 
     def test_pylons_cookie(self):
-        self.tracer._appsec_enabled = True
-        # Hack: need to pass an argument to configure so that the processors are recreated
-        self.tracer.configure(api_version="v0.4")
-        self.app.cookies = {"testingcookie_key": "testingcookie_value"}
-        self.app.get(url_for(controller="root", action="index"))
+        with override_global_config(dict(_appsec_enabled=True)):
+            self.tracer._appsec_enabled = True
+            # Hack: need to pass an argument to configure so that the processors are recreated
+            self.tracer.configure(api_version="v0.4")
+            self.app.cookies = {"testingcookie_key": "testingcookie_value"}
+            self.app.get(url_for(controller="root", action="index"))
 
-        spans = self.pop_spans()
-        root_span = spans[0]
+            spans = self.pop_spans()
+            root_span = spans[0]
 
-        assert root_span.get_tag("_dd.appsec.json") is None
-        span = _context.get_item("http.request.cookies", span=root_span)
-        assert span["testingcookie_key"] == "testingcookie_value"
+            assert root_span.get_tag("_dd.appsec.json") is None
+            span = _context.get_item("http.request.cookies", span=root_span)
+            assert span["testingcookie_key"] == "testingcookie_value"
 
     def test_pylons_body_urlencoded(self):
         with self.override_global_config(dict(_appsec_enabled=True)):
@@ -752,20 +754,21 @@ def test_request_method_post_200(self):
         assert spans[0].get_tag("http.method") == "POST"
 
     def test_pylon_path_params(self):
-        self.tracer._appsec_enabled = False
-        self.tracer.configure(api_version="v0.4")
-        self.app.get("/path-params/2022/july/")
+        with override_global_config(dict(_appsec_enabled=True)):
+            self.tracer._appsec_enabled = False
+            self.tracer.configure(api_version="v0.4")
+            self.app.get("/path-params/2022/july/")
 
-        spans = self.pop_spans()
-        root_span = spans[0]
-        assert root_span.get_tag("_dd.appsec.json") is None
-        path_params = _context.get_item("http.request.path_params", span=root_span)
+            spans = self.pop_spans()
+            root_span = spans[0]
+            assert root_span.get_tag("_dd.appsec.json") is None
+            path_params = _context.get_item("http.request.path_params", span=root_span)
 
-        assert path_params["month"] == "july"
-        assert path_params["year"] == "2022"
+            assert path_params["month"] == "july"
+            assert path_params["year"] == "2022"
 
     def test_pylon_path_params_attack(self):
-        with override_env(dict(DD_APPSEC_RULES=RULES_GOOD_PATH)):
+        with override_global_config(dict(_appsec_enabled=True)), override_env(dict(DD_APPSEC_RULES=RULES_GOOD_PATH)):
             self.tracer._appsec_enabled = True
 
             self.tracer.configure(api_version="v0.4")