fix(asm): improve django login events logic [backport 2.6] (#8704)

github-actions[bot] · gnufede · web-flow · commit fa3c8a134485 · 2024-03-21T18:46:04.000Z
Backport 0d681e0 from #8698 to 2.6. ASM: This fix resolves an issue where a failed login attempt could be sent for a valid user if the name of the user was `AnonymousUser`. ## Checklist - [x] Change(s) are motivated and described in the PR description - [x] Testing strategy is described if automated tests are not included in the PR - [x] Risks are described (performance impact, potential for breakage, maintainability) - [x] Change is maintainable (easy to change, telemetry, documentation) - [x] [Library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html) are followed or label `changelog/no-changelog` is set - [x] Documentation is included (in-code, generated user docs, [public corp docs](https://github.com/DataDog/documentation/)) - [x] Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)) - [x] If this PR changes the public interface, I've notified `@DataDog/apm-tees`. - [x] If change touches code that signs or publishes builds or packages, or handles credentials of any kind, I've requested a review from `@DataDog/security-design-and-guidance`. ## Reviewer Checklist - [x] Title is accurate - [x] All changes are related to the pull request's stated goal - [x] Description motivates each change - [x] Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes - [x] Testing strategy adequately addresses listed risks - [x] Change is maintainable (easy to change, telemetry, documentation) - [x] Release note makes sense to a user of the library - [x] Author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment - [x] Backport labels are set in a manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting) Co-authored-by: Federico Mon <federico.mon@datadoghq.com>
diff --git a/ddtrace/appsec/_trace_utils.py b/ddtrace/appsec/_trace_utils.py
@@ -296,25 +296,21 @@ def _on_django_login(
         return
 
     if user:
-        if str(user) != "AnonymousUser":
+        from ddtrace.contrib.django.compat import user_is_authenticated
+
+        if user_is_authenticated(user):
             user_id, user_extra = info_retriever.get_user_info()
 
             with pin.tracer.trace("django.contrib.auth.login", span_type=SpanTypes.AUTH):
-                from ddtrace.contrib.django.compat import user_is_authenticated
-
-                if user_is_authenticated(user):
-                    session_key = getattr(request, "session_key", None)
-                    track_user_login_success_event(
-                        pin.tracer,
-                        user_id=user_id,
-                        session_id=session_key,
-                        propagate=True,
-                        login_events_mode=mode,
-                        **user_extra,
-                    )
-                else:
-                    # Login failed but the user exists
-                    track_user_login_failure_event(pin.tracer, user_id=user_id, exists=True, login_events_mode=mode)
+                session_key = getattr(request, "session_key", None)
+                track_user_login_success_event(
+                    pin.tracer,
+                    user_id=user_id,
+                    session_id=session_key,
+                    propagate=True,
+                    login_events_mode=mode,
+                    **user_extra,
+                )
         else:
             # Login failed and the user is unknown
             user_id = info_retriever.get_userid()
diff --git a/releasenotes/notes/appsec-django-login-anonymous-user-fix-3c1faae6df4106e9.yaml b/releasenotes/notes/appsec-django-login-anonymous-user-fix-3c1faae6df4106e9.yaml
@@ -0,0 +1,4 @@
+---
+fixes:
+  - |
+    ASM: This fix resolves an issue where a valid user may trigger a failed login event.
diff --git a/tests/contrib/django/test_django_appsec.py b/tests/contrib/django/test_django_appsec.py
@@ -198,6 +198,21 @@ def test_django_login_sucess_safe_is_default_if_wrong(client, test_spans, tracer
         assert login_span.get_tag(user.ID) == "1"
 
 
+@pytest.mark.django_db
+def test_django_login_sucess_anonymous_username(client, test_spans, tracer):
+    from django.contrib.auth import get_user
+    from django.contrib.auth.models import User
+
+    with override_global_config(dict(_asm_enabled=True, _automatic_login_events_mode="foobar")):
+        test_user = User.objects.create(username="AnonymousUser")
+        test_user.set_password("secret")
+        test_user.save()
+        client.login(username="AnonymousUser", password="secret")
+        assert get_user(client).is_authenticated
+        login_span = test_spans.find_span(name="django.contrib.auth.login")
+        assert login_span.get_tag(user.ID) == "1"
+
+
 @pytest.mark.django_db
 def test_django_login_sucess_safe_is_default_if_missing(client, test_spans, tracer):
     from django.contrib.auth import get_user

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +fixes:
 +  - |
 +    ASM: This fix resolves an issue where a valid user may trigger a failed login event.