chore(ci_visibility): remove app key requirement for ITR [backport 2.0] (#7122)

Backport 974f580 from #7067 to 2.0.

The Datadog Intelligent Test Runner API endpoints are removing the need
for an application key to be supplied when getting skippable tests and
settings.

There is no associated release note even though this is arguably a
breaking change because it is still in beta.

## Checklist

- [x] Change(s) are motivated and described in the PR description.
- [x] Testing strategy is described if automated tests are not included
in the PR.
- [x] Risk is outlined (performance impact, potential for breakage,
maintainability, etc).
- [x] Change is maintainable (easy to change, telemetry, documentation).
- [x] [Library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
are followed. If no release note is required, add label
`changelog/no-changelog`.
- [x] Documentation is included (in-code, generated user docs, [public
corp docs](https://github.com/DataDog/documentation/)).
- [x] Backport labels are set (if
[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))

## Reviewer Checklist

- [x] Title is accurate.
- [x] No unnecessary changes are introduced.
- [x] Description motivates each change.
- [x] Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes unless absolutely necessary.
- [x] Testing strategy adequately addresses listed risk(s).
- [x] Change is maintainable (easy to change, telemetry, documentation).
- [x] Release note makes sense to a user of the library.
- [x] Reviewer has explicitly acknowledged and discussed the performance
implications of this PR as reported in the benchmarks PR comment.
- [x] Backport labels are set in a manner that is consistent with the
[release branch maintenance
policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)
- [x] If this PR touches code that signs or publishes builds or
packages, or handles credentials of any kind, I've requested a review
from `@DataDog/security-design-and-guidance`.
- [x] This PR doesn't touch any of that.

Co-authored-by: Romain Komorn <[email protected]>

Author: github-actions[bot]

ddtrace/internal/ci_visibility/git_client.py

@@ -24,10 +24,7 @@
 from ..utils.http import Response
 from ..utils.http import get_connection
 from .constants import AGENTLESS_API_KEY_HEADER_NAME
-from .constants import AGENTLESS_APP_KEY_HEADER_NAME
 from .constants import AGENTLESS_DEFAULT_SITE
-from .constants import EVP_NEEDS_APP_KEY_HEADER_NAME
-from .constants import EVP_NEEDS_APP_KEY_HEADER_VALUE
 from .constants import EVP_PROXY_AGENT_BASE_PATH
 from .constants import EVP_SUBDOMAIN_HEADER_API_VALUE
 from .constants import EVP_SUBDOMAIN_HEADER_NAME
@@ -48,12 +45,11 @@ class CIVisibilityGitClient(object):
     def __init__(
         self,
         api_key,
-        app_key,
         requests_mode=REQUESTS_MODE.AGENTLESS_EVENTS,
         base_url="",
     ):
-        # type: (str, str, int, str) -> None
-        self._serializer = CIVisibilityGitClientSerializerV1(api_key, app_key)
+        # type: (str, int, str) -> None
+        self._serializer = CIVisibilityGitClientSerializerV1(api_key)
         self._worker = None  # type: Optional[Process]
         self._response = RESPONSE
         self._requests_mode = requests_mode
@@ -152,12 +148,10 @@ def _do_request(cls, requests_mode, base_url, endpoint, payload, serializer, hea
         url = "{}/repository{}".format(base_url, endpoint)
         _headers = {
             AGENTLESS_API_KEY_HEADER_NAME: serializer.api_key,
-            AGENTLESS_APP_KEY_HEADER_NAME: serializer.app_key,
         }
         if requests_mode == REQUESTS_MODE.EVP_PROXY_EVENTS:
             _headers = {
                 EVP_SUBDOMAIN_HEADER_NAME: EVP_SUBDOMAIN_HEADER_API_VALUE,
-                EVP_NEEDS_APP_KEY_HEADER_NAME: EVP_NEEDS_APP_KEY_HEADER_VALUE,
             }
         if headers is not None:
             _headers.update(headers)
@@ -213,10 +207,9 @@ def _unshallow_repository(cls, cwd=None):
 
 
 class CIVisibilityGitClientSerializerV1(object):
-    def __init__(self, api_key, app_key):
-        # type: (str, str) -> None
+    def __init__(self, api_key):
+        # type: (str) -> None
         self.api_key = api_key
-        self.app_key = app_key
 
     def search_commits_encode(self, repo_url, latest_commits):
         # type: (str, list[str]) -> str

ddtrace/internal/ci_visibility/recorder.py

@@ -26,10 +26,7 @@
 
 from .. import agent
 from .constants import AGENTLESS_API_KEY_HEADER_NAME
-from .constants import AGENTLESS_APP_KEY_HEADER_NAME
 from .constants import AGENTLESS_DEFAULT_SITE
-from .constants import EVP_NEEDS_APP_KEY_HEADER_NAME
-from .constants import EVP_NEEDS_APP_KEY_HEADER_VALUE
 from .constants import EVP_PROXY_AGENT_BASE_PATH
 from .constants import EVP_SUBDOMAIN_HEADER_API_VALUE
 from .constants import EVP_SUBDOMAIN_HEADER_EVENT_VALUE
@@ -103,10 +100,6 @@ def __init__(self, tracer=None, config=None, service=None):
             # Create a new CI tracer
             self.tracer = Tracer(context_provider=CIContextProvider())
 
-        self._app_key = os.getenv(
-            "_CI_DD_APP_KEY",
-            os.getenv("DD_APP_KEY", os.getenv("DD_APPLICATION_KEY", os.getenv("DATADOG_APPLICATION_KEY"))),
-        )
         self._api_key = os.getenv("_CI_DD_API_KEY", os.getenv("DD_API_KEY"))
 
         self._dd_site = os.getenv("DD_SITE", AGENTLESS_DEFAULT_SITE)
@@ -145,16 +138,12 @@ def __init__(self, tracer=None, config=None, service=None):
         self._git_client = None
 
         if ddconfig._ci_visibility_intelligent_testrunner_enabled:
-            if self._app_key is None:
-                log.warning("Environment variable DD_APP_KEY not set, so no git metadata will be uploaded.")
-            elif self._requests_mode == REQUESTS_MODE.TRACES:
+            if self._requests_mode == REQUESTS_MODE.TRACES:
                 log.warning("Cannot start git client if mode is not agentless or evp proxy")
             else:
                 if not self._test_skipping_enabled_by_api:
                     log.warning("Intelligent Test Runner test skipping disabled by API")
-                self._git_client = CIVisibilityGitClient(
-                    api_key=self._api_key or "", app_key=self._app_key, requests_mode=self._requests_mode
-                )
+                self._git_client = CIVisibilityGitClient(api_key=self._api_key or "", requests_mode=self._requests_mode)
         try:
             from ddtrace.internal.codeowners import Codeowners
 
@@ -189,17 +178,15 @@ def _check_enabled_features(self):
             url = get_trace_url() + EVP_PROXY_AGENT_BASE_PATH + SETTING_ENDPOINT
             _headers = {
                 EVP_SUBDOMAIN_HEADER_NAME: EVP_SUBDOMAIN_HEADER_API_VALUE,
-                EVP_NEEDS_APP_KEY_HEADER_NAME: EVP_NEEDS_APP_KEY_HEADER_VALUE,
             }
             log.debug("Making EVP request to agent: url=%s, headers=%s", url, _headers)
         elif self._requests_mode == REQUESTS_MODE.AGENTLESS_EVENTS:
-            if not self._app_key or not self._api_key:
-                log.debug("Cannot make request to setting endpoint if application key is not set")
+            if not self._api_key:
+                log.debug("Cannot make request to setting endpoint if API key is not set")
                 return False, False
             url = "https://api." + self._dd_site + SETTING_ENDPOINT
             _headers = {
                 AGENTLESS_API_KEY_HEADER_NAME: self._api_key,
-                AGENTLESS_APP_KEY_HEADER_NAME: self._app_key,
                 "Content-Type": "application/json",
             }
         else:
@@ -306,14 +293,12 @@ def _fetch_tests_to_skip(self, skipping_mode):
 
         _headers = {
             "dd-api-key": self._api_key,
-            "dd-application-key": self._app_key,
             "Content-Type": "application/json",
         }
         if self._requests_mode == REQUESTS_MODE.EVP_PROXY_EVENTS:
             url = get_trace_url() + EVP_PROXY_AGENT_BASE_PATH + SKIPPABLE_ENDPOINT
             _headers = {
                 EVP_SUBDOMAIN_HEADER_NAME: EVP_SUBDOMAIN_HEADER_API_VALUE,
-                EVP_NEEDS_APP_KEY_HEADER_NAME: EVP_NEEDS_APP_KEY_HEADER_VALUE,
             }
         elif self._requests_mode == REQUESTS_MODE.AGENTLESS_EVENTS:
             url = "https://api." + self._dd_site + SKIPPABLE_ENDPOINT

tests/ci_visibility/test_ci_visibility.py

@@ -315,15 +315,15 @@ def test_git_client_get_latest_commits(git_repo):
 def test_git_client_search_commits():
     remote_url = "[email protected]:test-repo-url.git"
     latest_commits = [TEST_SHA]
-    serializer = CIVisibilityGitClientSerializerV1("foo", "bar")
+    serializer = CIVisibilityGitClientSerializerV1("foo")
     backend_commits = CIVisibilityGitClient._search_commits(
         REQUESTS_MODE.AGENTLESS_EVENTS, "", remote_url, latest_commits, serializer, DUMMY_RESPONSE
     )
     assert latest_commits[0] in backend_commits
 
 
 def test_get_client_do_request_agentless_headers():
-    serializer = CIVisibilityGitClientSerializerV1("foo", "bar")
+    serializer = CIVisibilityGitClientSerializerV1("foo")
     response = mock.MagicMock()
     response.status = 200
 
@@ -334,13 +334,11 @@ def test_get_client_do_request_agentless_headers():
             REQUESTS_MODE.AGENTLESS_EVENTS, "http://base_url", "/endpoint", "payload", serializer, {}
         )
 
-    _request.assert_called_once_with(
-        "POST", "http://base_url/repository/endpoint", "payload", {"dd-api-key": "foo", "dd-application-key": "bar"}
-    )
+    _request.assert_called_once_with("POST", "http://base_url/repository/endpoint", "payload", {"dd-api-key": "foo"})
 
 
 def test_get_client_do_request_evp_proxy_headers():
-    serializer = CIVisibilityGitClientSerializerV1("foo", "bar")
+    serializer = CIVisibilityGitClientSerializerV1("foo")
     response = mock.MagicMock()
     response.status = 200
 
@@ -355,7 +353,7 @@ def test_get_client_do_request_evp_proxy_headers():
         "POST",
         "http://base_url/repository/endpoint",
         "payload",
-        {"X-Datadog-EVP-Subdomain": "api", "X-Datadog-NeedsAppKey": "true"},
+        {"X-Datadog-EVP-Subdomain": "api"},
     )
 
 
@@ -413,7 +411,7 @@ def test_git_client_build_packfiles_temp_dir_value_error(_temp_dir_mock, git_rep
 
 
 def test_git_client_upload_packfiles(git_repo):
-    serializer = CIVisibilityGitClientSerializerV1("foo", "bar")
+    serializer = CIVisibilityGitClientSerializerV1("foo")
     remote_url = "[email protected]:test-repo-url.git"
     with CIVisibilityGitClient._build_packfiles("%s\n" % TEST_SHA, cwd=git_repo) as packfiles_path:
         with mock.patch("ddtrace.internal.ci_visibility.git_client.CIVisibilityGitClient._do_request") as dr:
@@ -431,7 +429,7 @@ def test_git_client_upload_packfiles(git_repo):
 
 
 def test_git_do_request_agentless(git_repo):
-    mock_serializer = CIVisibilityGitClientSerializerV1("fakeapikey", "fakeappkey")
+    mock_serializer = CIVisibilityGitClientSerializerV1("fakeapikey")
     response = mock.MagicMock()
     setattr(response, "status", 200)  # noqa: B010
 
@@ -458,14 +456,13 @@ def test_git_do_request_agentless(git_repo):
                 '{"payload": "payload"}',
                 {
                     "dd-api-key": "fakeapikey",
-                    "dd-application-key": "fakeappkey",
                     "mock_header_name": "mock_header_value",
                 },
             )
 
 
 def test_git_do_request_evp(git_repo):
-    mock_serializer = CIVisibilityGitClientSerializerV1("foo", "bar")
+    mock_serializer = CIVisibilityGitClientSerializerV1("foo")
     response = mock.MagicMock()
     setattr(response, "status", 200)  # noqa: B010
 
@@ -491,7 +488,6 @@ def test_git_do_request_evp(git_repo):
                 "base_url/repositoryendpoint",
                 '{"payload": "payload"}',
                 {
-                    "X-Datadog-NeedsAppKey": "true",
                     "X-Datadog-EVP-Subdomain": "api",
                     "mock_header_name": "mock_header_value",
                 },
@@ -615,7 +611,6 @@ def test_civisibility_check_enabled_features_agentless_do_request_called_correct
                     mock_civisibilty._requests_mode = REQUESTS_MODE.AGENTLESS_EVENTS
                     mock_civisibilty._service = "service"
                     mock_civisibilty._api_key = "myfakeapikey"
-                    mock_civisibilty._app_key = "myfakeappkey"
                     mock_civisibilty._dd_site = "datad0g.com"
                     mock_civisibilty._tags = {
                         ci.git.REPOSITORY_URL: "my_repo_url",
@@ -633,7 +628,6 @@ def test_civisibility_check_enabled_features_agentless_do_request_called_correct
                     assert do_request_call_args[1] == "https://api.datad0g.com/api/v2/libraries/tests/services/setting"
                     assert do_request_call_args[3] == {
                         "dd-api-key": "myfakeapikey",
-                        "dd-application-key": "myfakeappkey",
                         "Content-Type": "application/json",
                     }
                     assert do_request_payload == {
@@ -686,7 +680,6 @@ def test_civisibility_check_enabled_features_evp_do_request_called_correctly():
                     )
                     assert do_request_call_args[3] == {
                         "X-Datadog-EVP-Subdomain": "api",
-                        "X-Datadog-NeedsAppKey": "true",
                     }
                     assert do_request_payload == {
                         "data": {
@@ -704,26 +697,6 @@ def test_civisibility_check_enabled_features_evp_do_request_called_correctly():
                     assert enabled_features == (True, True)
 
 
-@mock.patch("ddtrace.internal.ci_visibility.recorder._do_request")
-def test_civisibility_check_enabled_features_no_app_key_request_not_called(_do_request):
-    with override_env(
-        dict(
-            DD_API_KEY="foo.bar",
-            DD_CIVISIBILITY_AGENTLESS_URL="https://foo.bar",
-            DD_CIVISIBILITY_AGENTLESS_ENABLED="1",
-            DD_CIVISIBILITY_ITR_ENABLED="1",
-        )
-    ):
-        ddtrace.internal.ci_visibility.writer.config = ddtrace.settings.Config()
-        ddtrace.internal.ci_visibility.recorder.ddconfig = ddtrace.settings.Config()
-        CIVisibility.enable()
-
-        _do_request.assert_not_called()
-        assert CIVisibility._instance._code_coverage_enabled_by_api is False
-        assert CIVisibility._instance._test_skipping_enabled_by_api is False
-        CIVisibility.disable()
-
-
 @mock.patch("ddtrace.internal.ci_visibility.recorder._do_request")
 def test_civisibility_check_enabled_features_itr_disabled_request_not_called(_do_request):
     with override_env(
@@ -755,7 +728,6 @@ def test_civisibility_check_enabled_features_itr_enabled_request_called(_do_requ
     with override_env(
         dict(
             DD_API_KEY="foo.bar",
-            DD_APP_KEY="foobar.baz",
             DD_CIVISIBILITY_AGENTLESS_URL="https://foo.bar",
             DD_CIVISIBILITY_AGENTLESS_ENABLED="1",
             DD_CIVISIBILITY_ITR_ENABLED="1",
@@ -791,7 +763,7 @@ def test_civisibility_check_enabled_features_itr_enabled_request_called(_do_requ
                     }
                 }
             ),
-            {"dd-api-key": "foo.bar", "dd-application-key": "foobar.baz", "Content-Type": "application/json"},
+            {"dd-api-key": "foo.bar", "Content-Type": "application/json"},
         )
         assert CIVisibility._instance._code_coverage_enabled_by_api is True
         assert CIVisibility._instance._test_skipping_enabled_by_api is True
@@ -810,7 +782,6 @@ def test_civisibility_check_enabled_features_itr_enabled_errors_not_found(_do_re
     with override_env(
         dict(
             DD_API_KEY="foo.bar",
-            DD_APP_KEY="foobar.baz",
             DD_CIVISIBILITY_AGENTLESS_URL="https://foo.bar",
             DD_CIVISIBILITY_AGENTLESS_ENABLED="1",
             DD_CIVISIBILITY_ITR_ENABLED="1",
@@ -838,7 +809,6 @@ def test_civisibility_check_enabled_features_itr_enabled_404_response(_do_reques
     with override_env(
         dict(
             DD_API_KEY="foo.bar",
-            DD_APP_KEY="foobar.baz",
             DD_CIVISIBILITY_AGENTLESS_URL="https://foo.bar",
             DD_CIVISIBILITY_AGENTLESS_ENABLED="1",
             DD_CIVISIBILITY_ITR_ENABLED="1",
@@ -868,7 +838,6 @@ def test_civisibility_check_enabled_features_itr_enabled_malformed_response(_do_
     with override_env(
         dict(
             DD_API_KEY="foo.bar",
-            DD_APP_KEY="foobar.baz",
             DD_CIVISIBILITY_AGENTLESS_URL="https://foo.bar",
             DD_CIVISIBILITY_AGENTLESS_ENABLED="1",
             DD_CIVISIBILITY_ITR_ENABLED="1",