fix(aap): track user default arguments must not generate security event [backport 3.9] (#13743)

Backport 0940d73 from #13742 to 3.9.

Ensure track_user to not generate additional security events when used
with expected metadata (name, email, scope or role).

Also:
- update (and fix) related unit tests

APPSEC-58040

## Checklist
- [x] PR author has checked that all the criteria below are met
- The PR description includes an overview of the change
- The PR description articulates the motivation for the change
- The change includes tests OR the PR description describes a testing
strategy
- The PR description notes risks associated with the change, if any
- Newly-added code is easy to change
- The change follows the [library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
- The change includes or references documentation updates if necessary
- Backport labels are set (if
[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))

## Reviewer Checklist
- [x] Reviewer has checked that all the criteria below are met 
- Title is accurate
- All changes are related to the pull request's stated goal
- Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes
- Testing strategy adequately addresses listed risks
- Newly-added code is easy to change
- Release note makes sense to a user of the library
- If necessary, author has acknowledged and discussed the performance
implications of this PR as reported in the benchmarks PR comment
- Backport labels are set in a manner that is consistent with the
[release branch maintenance
policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)

Co-authored-by: Christophe Papazian <[email protected]>

Author: github-actions[bot]

ddtrace/appsec/track_user_sdk.py

@@ -74,10 +74,10 @@ def track_user(
     if login:
         span.set_tag_str(_constants.APPSEC.USER_LOGIN_USERNAME, str(login))
     meta = metadata or {}
-    usr_name = meta.get("name") or meta.get("usr.name")
-    usr_email = meta.get("email") or meta.get("usr.email")
-    usr_scope = meta.get("scope") or meta.get("usr.scope")
-    usr_role = meta.get("role") or meta.get("usr.role")
+    usr_name = meta.pop("name", None) or meta.pop("usr.name", None)
+    usr_email = meta.pop("email", None) or meta.pop("usr.email", None)
+    usr_scope = meta.pop("scope", None) or meta.pop("usr.scope", None)
+    usr_role = meta.pop("role", None) or meta.pop("usr.role", None)
     _trace_utils.set_user(
         None,
         user_id,
@@ -88,8 +88,8 @@ def track_user(
         session_id=session_id,
         may_block=False,
     )
-    if metadata:
-        _trace_utils.track_custom_event(None, "auth_sdk", metadata=metadata)
+    if meta:
+        _trace_utils.track_custom_event(None, "auth_sdk", metadata=meta)
     span.set_tag_str(_constants.APPSEC.AUTO_LOGIN_EVENTS_COLLECTION_MODE, _constants.LOGIN_EVENTS_MODE.SDK)
     if _asm_request_context.in_asm_context():
         custom_data = {

releasenotes/notes/ato_sdk2_track_user_fix_no_keep-b6b5206a81da6b36.yaml

@@ -0,0 +1,4 @@
+---
+fixes:
+  - |
+    AAP: This fix resolves an issue where track_user was generating additional unexpected security activity for customers.

tests/appsec/appsec/test_appsec_trace_utils.py

@@ -230,16 +230,16 @@ def test_set_user_blocked(self):
                 role="usr.role",
                 scope="usr.scope",
             )
-            assert span.get_tag(user.ID)
-            assert span.get_tag(user.EMAIL)
-            assert span.get_tag(user.SESSION_ID)
-            assert span.get_tag(user.NAME)
-            assert span.get_tag(user.ROLE)
-            assert span.get_tag(user.SCOPE)
-            assert span.get_tag(user.SESSION_ID)
-            assert span.get_tag(APPSEC.AUTO_LOGIN_EVENTS_COLLECTION_MODE) == LOGIN_EVENTS_MODE.SDK
-            assert span.get_tag("usr.id") == str(self._BLOCKED_USER)
-            assert is_blocked(span)
+        assert span.get_tag(user.ID)
+        assert span.get_tag(user.EMAIL)
+        assert span.get_tag(user.SESSION_ID)
+        assert span.get_tag(user.NAME)
+        assert span.get_tag(user.ROLE)
+        assert span.get_tag(user.SCOPE)
+        assert span.get_tag(user.SESSION_ID)
+        assert span.get_tag(APPSEC.AUTO_LOGIN_EVENTS_COLLECTION_MODE) == LOGIN_EVENTS_MODE.SDK
+        assert span.get_tag("usr.id") == str(self._BLOCKED_USER)
+        assert is_blocked(span)
 
     def test_track_user_blocked(self):
         with asm_context(tracer=self.tracer, span_name="fake_span", config=config_good_rules) as span:
@@ -250,21 +250,22 @@ def test_track_user_blocked(self):
                 metadata={
                     "email": "usr.email",
                     "name": "usr.name",
-                    "session_id": "usr.session_id",
                     "role": "usr.role",
                     "scope": "usr.scope",
                 },
             )
-            assert span.get_tag(user.ID)
-            assert span.get_tag(user.EMAIL)
-            assert span.get_tag(user.SESSION_ID)
-            assert span.get_tag(user.NAME)
-            assert span.get_tag(user.ROLE)
-            assert span.get_tag(user.SCOPE)
-            assert span.get_tag(user.SESSION_ID)
-            assert span.get_tag(APPSEC.AUTO_LOGIN_EVENTS_COLLECTION_MODE) == LOGIN_EVENTS_MODE.SDK
-            assert span.get_tag("usr.id") == str(self._BLOCKED_USER)
-            assert is_blocked(span)
+        assert span.get_tag(user.ID)
+        assert span.get_tag(user.EMAIL)
+        assert span.get_tag(user.SESSION_ID)
+        assert span.get_tag(user.NAME)
+        assert span.get_tag(user.ROLE)
+        assert span.get_tag(user.SCOPE)
+        assert span.get_tag(user.SESSION_ID)
+        assert span.get_tag(APPSEC.AUTO_LOGIN_EVENTS_COLLECTION_MODE) == LOGIN_EVENTS_MODE.SDK
+        # assert metadata tags are not set for usual data
+        assert span.get_tag("appsec.events.auth_sdk.track") is None
+        assert span.get_tag("usr.id") == str(self._BLOCKED_USER)
+        assert is_blocked(span)
 
     def test_no_span_doesnt_raise(self):
         from ddtrace.trace import tracer