feat(asm): support for session id waf address (#12760)

- add support for session_id waf address
- add auto instrumentation for session_id in Django. This also support
anonymous sessions.
- This will also be tested by new system tests on all django weblogs


APPSEC-57027
## Checklist
- [x] PR author has checked that all the criteria below are met
- The PR description includes an overview of the change
- The PR description articulates the motivation for the change
- The change includes tests OR the PR description describes a testing
strategy
- The PR description notes risks associated with the change, if any
- Newly-added code is easy to change
- The change follows the [library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
- The change includes or references documentation updates if necessary
- Backport labels are set (if
[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))

## Reviewer Checklist
- [x] Reviewer has checked that all the criteria below are met 
- Title is accurate
- All changes are related to the pull request's stated goal
- Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes
- Testing strategy adequately addresses listed risks
- Newly-added code is easy to change
- Release note makes sense to a user of the library
- If necessary, author has acknowledged and discussed the performance
implications of this PR as reported in the benchmarks PR comment
- Backport labels are set in a manner that is consistent with the
[release branch maintenance
policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)

Author: christophe-papazian

ddtrace/appsec/_constants.py

@@ -194,6 +194,7 @@ class WAF_DATA_NAMES(metaclass=Constant_Class):
     REQUEST_HTTP_IP: Literal["http.client_ip"] = "http.client_ip"
     REQUEST_USER_ID: Literal["usr.id"] = "usr.id"
     REQUEST_USERNAME: Literal["usr.login"] = "usr.login"
+    REQUEST_SESSION_ID: Literal["usr.session_id"] = "usr.session_id"
     RESPONSE_STATUS: Literal["server.response.status"] = "server.response.status"
     RESPONSE_HEADERS_NO_COOKIES: Literal["server.response.headers.no_cookies"] = "server.response.headers.no_cookies"
     RESPONSE_BODY: Literal["server.response.body"] = "server.response.body"
@@ -209,6 +210,7 @@ class WAF_DATA_NAMES(metaclass=Constant_Class):
             REQUEST_HTTP_IP,
             REQUEST_USER_ID,
             REQUEST_USERNAME,
+            REQUEST_SESSION_ID,
             RESPONSE_STATUS,
             RESPONSE_HEADERS_NO_COOKIES,
             RESPONSE_BODY,

ddtrace/appsec/_trace_utils.py

@@ -138,12 +138,15 @@ def track_user_login_success_event(
         span.set_tag_str(APPSEC.USER_LOGIN_USERID, str(user_id))
     set_user(tracer, user_id, name, email, scope, role, session_id, propagate, span, may_block=False)
     if in_asm_context():
+        custom_data = {
+            "REQUEST_USER_ID": str(initial_user_id) if initial_user_id else None,
+            "REQUEST_USERNAME": initial_login,
+            "LOGIN_SUCCESS": real_mode,
+        }
+        if session_id:
+            custom_data["REQUEST_SESSION_ID"] = session_id
         res = call_waf_callback(
-            custom_data={
-                "REQUEST_USER_ID": str(initial_user_id) if initial_user_id else None,
-                "REQUEST_USERNAME": initial_login,
-                "LOGIN_SUCCESS": real_mode,
-            },
+            custom_data=custom_data,
             force_sent=True,
         )
         if res and any(action in [WAF_ACTIONS.BLOCK_ACTION, WAF_ACTIONS.REDIRECT_ACTION] for action in res.actions):
@@ -342,7 +345,7 @@ def _on_django_login(pin, request, user, mode, info_retriever, django_config):
         )
         if user_is_authenticated(user):
             with pin.tracer.trace("django.contrib.auth.login", span_type=SpanTypes.AUTH):
-                session_key = getattr(request, "session_key", None)
+                session_key = getattr(getattr(request, "session", None), "session_key", None)
                 track_user_login_success_event(
                     pin.tracer,
                     user_id=user_id,
@@ -411,10 +414,11 @@ def get_user_info(info_retriever, django_config, kwargs={}):
     return user_id_found or user_id, user_extra
 
 
-def _on_django_process(result_user, mode, kwargs, pin, info_retriever, django_config):
+def _on_django_process(result_user, session_key, mode, kwargs, pin, info_retriever, django_config):
     if (not asm_config._asm_enabled) or mode == LOGIN_EVENTS_MODE.DISABLED:
         return
     user_id, user_extra = get_user_info(info_retriever, django_config, kwargs)
+    res = None
     if result_user and result_user.is_authenticated:
         span = pin.tracer.current_root_span()
         if mode == LOGIN_EVENTS_MODE.ANON and isinstance(user_id, str):
@@ -441,9 +445,13 @@ def _on_django_process(result_user, mode, kwargs, pin, info_retriever, django_co
                 "REQUEST_USERNAME": user_extra.get("login"),
                 "LOGIN_SUCCESS": real_mode,
             }
+            if session_key:
+                custom_data["REQUEST_SESSION_ID"] = session_key
             res = call_waf_callback(custom_data=custom_data, force_sent=True)
-            if res and any(action in [WAF_ACTIONS.BLOCK_ACTION, WAF_ACTIONS.REDIRECT_ACTION] for action in res.actions):
-                raise BlockingException(get_blocked())
+    elif in_asm_context() and session_key:
+        res = call_waf_callback(custom_data={"REQUEST_SESSION_ID": session_key})
+    if res and any(action in [WAF_ACTIONS.BLOCK_ACTION, WAF_ACTIONS.REDIRECT_ACTION] for action in res.actions):
+        raise BlockingException(get_blocked())
 
 
 def _on_django_signup_user(django_config, pin, func, instance, args, kwargs, user, info_retriever):

ddtrace/contrib/internal/django/patch.py

@@ -860,10 +860,15 @@ def traced_process_request(django, pin, func, instance, args, kwargs):
                     request_user = request.user._wrapped
                 else:
                     request_user = request.user
+                if hasattr(request, "session") and hasattr(request.session, "session_key"):
+                    session_key = request.session.session_key
+                else:
+                    session_key = None
                 core.dispatch(
                     "django.process_request",
                     (
                         request_user,
+                        session_key,
                         mode,
                         kwargs,
                         pin,

releasenotes/notes/session_id_for_django-df996bc9819dc84e.yaml

@@ -0,0 +1,4 @@
+---
+features:
+  - |
+    ASM: This introduces support for automatic instrumentation of session monitoring and blocking for Django.