# This is a combination of 2 commits.

anna-git · anna-git · commit f47225afb825 · 2025-03-12T14:03:44.000+01:00
# This is the 1st commit message: first sdk v2 version of login events # This is the commit message #2: # squash! first sdk v2 version of login events
diff --git a/tracer/src/Datadog.Trace.Manual/AppSec/EventTrackingSdkV2.cs b/tracer/src/Datadog.Trace.Manual/AppSec/EventTrackingSdkV2.cs
@@ -0,0 +1,79 @@
+﻿// <copyright file="EventTrackingSdkV2.cs" company="Datadog">
+// Unless explicitly stated otherwise all files in this repository are licensed under the Apache 2 License.
+// This product includes software developed at Datadog (https://www.datadoghq.com/). Copyright 2017 Datadog, Inc.
+// </copyright>
+
+#nullable enable
+using Datadog.Trace.SourceGenerators;
+
+namespace Datadog.Trace.AppSec;
+
+/// <summary>
+/// Allow
+/// </summary>
+public static class EventTrackingSdkV2
+{
+    /// <summary>
+    /// Sets the details of a successful login on the local root span
+    /// </summary>
+    /// <param name="userLogin">The userLogin associated with the login success</param>
+    [Instrumented]
+    public static void TrackUserLoginSuccess(string userLogin)
+    {
+    }
+
+    /// <summary>
+    /// Sets the details of a successful login on the local root span
+    /// </summary>
+    /// <param name="userLogin">The userLogin associated with the login success</param>
+    /// <param name="metadata">The optional metadata associated with the login success</param>
+    [Instrumented]
+    public static void TrackUserLoginSuccess(string userLogin, IDictionary<string, string> metadata)
+    {
+    }
+
+    /// <summary>
+    /// Sets the details of a successful login on the local root span
+    /// </summary>
+    /// <param name="userLogin">The userLogin associated with the login success</param>
+    /// <param name="userId">The optional userId associated with the login success</param>
+    /// <param name="metadata">The optional metadata associated with the login success</param>
+    [Instrumented]
+    public static void TrackUserLoginSuccess(string userLogin, string userId, IDictionary<string, string>? metadata = null)
+    {
+    }
+
+    /// <summary>
+    /// Sets the details of a successful logon on the local root span
+    /// </summary>
+    /// <param name="userLogin">The userId associated with the login success</param>
+    /// <param name="userDetails">The userLogin associated with the login success</param>
+    /// <param name="metadata">Metadata associated with the login success</param>
+    [Instrumented]
+    public static void TrackUserLoginSuccess(string userLogin, UserDetails userDetails, IDictionary<string, string>? metadata = null)
+    {
+    }
+
+    /// <summary>
+    /// Sets the details of a logon failure on the local root span
+    /// </summary>
+    /// <param name="userLogin">The userId associated with the login failure</param>
+    /// <param name="exists">If the userId associated with the login failure exists</param>
+    /// <param name="metadata">Metadata associated with the login failure</param>
+    [Instrumented]
+    public static void TrackUserLoginFailure(string userLogin, bool exists, IDictionary<string, string>? metadata = null)
+    {
+    }
+
+    /// <summary>
+    /// Sets the details of a logon failure on the local root span
+    /// </summary>
+    /// <param name="userLogin">The user login associated with the login failure</param>
+    /// <param name="exists">If the userId associated with the login failure exists</param>
+    /// <param name="userDetails">The details of the user associated with the login failure</param>
+    /// <param name="metadata">Metadata associated with the login failure</param>
+    [Instrumented]
+    public static void TrackUserLoginFailure(string userLogin, bool exists, UserDetails userDetails, IDictionary<string, string>? metadata = null)
+    {
+    }
+}
diff --git a/tracer/src/Datadog.Trace/AppSec/EventTrackingSdkV2.cs b/tracer/src/Datadog.Trace/AppSec/EventTrackingSdkV2.cs
@@ -0,0 +1,264 @@
+// <copyright file="EventTrackingSdkV2.cs" company="Datadog">
+// Unless explicitly stated otherwise all files in this repository are licensed under the Apache 2 License.
+// This product includes software developed at Datadog (https://www.datadoghq.com/). Copyright 2017 Datadog, Inc.
+// </copyright>
+
+#nullable enable
+using System;
+using System.Collections.Generic;
+using System.Runtime.CompilerServices;
+using System.Text;
+using Datadog.Trace.AppSec.Coordinator;
+using Datadog.Trace.SourceGenerators;
+using Datadog.Trace.Tagging;
+using Datadog.Trace.Telemetry;
+using Datadog.Trace.Telemetry.Metrics;
+
+namespace Datadog.Trace.AppSec;
+
+/// <summary>
+/// Allow
+/// </summary>
+public static class EventTrackingSdkV2
+{
+    /// <summary>
+    /// Sets the details of a successful login on the local root span
+    /// </summary>
+    /// <param name="userLogin">The userLogin associated with the login success</param>
+    [PublicApi]
+    public static void TrackUserLoginSuccess(string userLogin)
+    {
+        TelemetryFactory.Metrics.Record(PublicApiUsage.EventTrackingSdk_TrackUserLoginSuccessEvent);
+        TelemetryFactory.Metrics.RecordCountUserEventSdk(MetricTags.UserEventSdk.UserEventLoginSuccessSdkV2);
+        TrackUserLoginSuccess(userLogin, null, null, Tracer.Instance);
+    }
+
+    /// <summary>
+    /// Sets the details of a successful login on the local root span
+    /// </summary>
+    /// <param name="userLogin">The userLogin associated with the login success</param>
+    /// <param name="metadata">The optional metadata associated with the login success</param>
+    [PublicApi]
+    public static void TrackUserLoginSuccess(string userLogin, IDictionary<string, string> metadata)
+    {
+        TelemetryFactory.Metrics.Record(PublicApiUsage.EventTrackingSdk_TrackUserLoginSuccessEvent);
+        TelemetryFactory.Metrics.RecordCountUserEventSdk(MetricTags.UserEventSdk.UserEventLoginSuccessSdkV2);
+        TrackUserLoginSuccess(userLogin, null, metadata, Tracer.Instance);
+    }
+
+    /// <summary>
+    /// Sets the details of a successful login on the local root span
+    /// </summary>
+    /// <param name="userLogin">The userLogin associated with the login success</param>
+    /// <param name="userId">The optional userId associated with the login success</param>
+    /// <param name="metadata">The optional metadata associated with the login success</param>
+    [PublicApi]
+    public static void TrackUserLoginSuccess(string userLogin, string userId, IDictionary<string, string>? metadata = null)
+    {
+        TelemetryFactory.Metrics.Record(PublicApiUsage.EventTrackingSdk_TrackUserLoginSuccessEvent);
+        TelemetryFactory.Metrics.RecordCountUserEventSdk(MetricTags.UserEventSdk.UserEventLoginSuccessSdkV2);
+        TrackUserLoginSuccess(userLogin, new UserDetails(userId), metadata, Tracer.Instance);
+    }
+
+    /// <summary>
+    /// Sets the details of a successful logon on the local root span
+    /// </summary>
+    /// <param name="userLogin">The userId associated with the login success</param>
+    /// <param name="userDetails">The userLogin associated with the login success</param>
+    /// <param name="metadata">Metadata associated with the login success</param>
+    [PublicApi]
+    public static void TrackUserLoginSuccess(string userLogin, UserDetails userDetails, IDictionary<string, string>? metadata = null)
+    {
+        TelemetryFactory.Metrics.Record(PublicApiUsage.EventTrackingSdk_TrackUserLoginSuccessEvent_Metadata);
+        TelemetryFactory.Metrics.RecordCountUserEventSdk(MetricTags.UserEventSdk.UserEventLoginSuccessSdkV2);
+        TrackUserLoginSuccess(userLogin, userDetails, metadata, Tracer.Instance);
+    }
+
+    private static void TrackUserLoginSuccess(string userLogin, UserDetails? userDetails, IDictionary<string, string>? metadata, Tracer tracer)
+    {
+        if (string.IsNullOrEmpty(userLogin))
+        {
+            ThrowHelper.ThrowArgumentNullException(nameof(userLogin));
+        }
+
+        var span = tracer.ActiveScope?.Span;
+
+        if (span is null)
+        {
+            ThrowHelper.ThrowException("Can't create a tracking event with no active span");
+        }
+
+        var setTag = TaggingUtils.GetSpanSetter(span, out var internalSpan);
+        if (internalSpan is null)
+        {
+            ThrowHelper.ThrowException("Can't create a tracking event without a span setter found");
+        }
+
+        setTag(Tags.AppSec.EventsUsers.LoginEvent.SuccessLogin, userLogin);
+        setTag(Tags.AppSec.EventsUsers.LoginEvent.SuccessTrack, Tags.AppSec.EventsUsers.True);
+        setTag(Tags.AppSec.EventsUsers.LoginEvent.SuccessSdkSource, Tags.AppSec.EventsUsers.True);
+
+        PopulateTags(userDetails, metadata, setTag, true);
+
+        RunSecurityChecksAndReport(internalSpan, userLogin: userLogin, userId: userDetails?.Id, loginSuccess: true);
+    }
+
+    /// <summary>
+    /// Sets the details of a logon failure on the local root span
+    /// </summary>
+    /// <param name="userLogin">The userId associated with the login failure</param>
+    /// <param name="exists">If the userId associated with the login failure exists</param>
+    /// <param name="metadata">Metadata associated with the login failure</param>
+    [PublicApi]
+    public static void TrackUserLoginFailure(string userLogin, bool exists, IDictionary<string, string>? metadata = null)
+    {
+        TelemetryFactory.Metrics.Record(PublicApiUsage.EventTrackingSdk_TrackUserLoginFailureEvent_Metadata);
+        TelemetryFactory.Metrics.RecordCountUserEventSdk(MetricTags.UserEventSdk.UserEventFailureSdkV2);
+        TrackUserLoginFailure(userLogin, exists, userDetails: null, metadata, Tracer.Instance);
+    }
+
+    /// <summary>
+    /// Sets the details of a logon failure on the local root span
+    /// </summary>
+    /// <param name="userLogin">The user login associated with the login failure</param>
+    /// <param name="exists">If the userId associated with the login failure exists</param>
+    /// <param name="userDetails">The details of the user associated with the login failure</param>
+    /// <param name="metadata">Metadata associated with the login failure</param>
+    [PublicApi]
+    public static void TrackUserLoginFailure(string userLogin, bool exists, UserDetails userDetails, IDictionary<string, string>? metadata = null)
+    {
+        TelemetryFactory.Metrics.Record(PublicApiUsage.EventTrackingSdk_TrackUserLoginFailureEvent_Metadata);
+        TelemetryFactory.Metrics.RecordCountUserEventSdk(MetricTags.UserEventSdk.UserEventFailureSdkV2);
+        TrackUserLoginFailure(userLogin, exists, userDetails, metadata, Tracer.Instance);
+    }
+
+    private static void TrackUserLoginFailure(string userLogin, bool exists, UserDetails? userDetails, IDictionary<string, string>? metadata, Tracer tracer)
+    {
+        if (string.IsNullOrEmpty(userLogin))
+        {
+            ThrowHelper.ThrowArgumentNullException(nameof(userLogin));
+        }
+
+        var span = tracer.ActiveScope?.Span;
+
+        if (span is null)
+        {
+            ThrowHelper.ThrowException("Can't create a tracking event with no active span");
+        }
+
+        var setTag = TaggingUtils.GetSpanSetter(span, out var internalSpan);
+        if (internalSpan is null)
+        {
+            ThrowHelper.ThrowException("Can't create a tracking event without a span setter found");
+        }
+
+        setTag(Tags.AppSec.EventsUsers.LoginEvent.FailureTrack, Tags.AppSec.EventsUsers.True);
+        setTag(Tags.AppSec.EventsUsers.LoginEvent.FailureSdkSource, Tags.AppSec.EventsUsers.True);
+        setTag(Tags.AppSec.EventsUsers.LoginEvent.FailureUserId, userLogin);
+        setTag(Tags.AppSec.EventsUsers.LoginEvent.FailureUserExists, exists ? Tags.AppSec.EventsUsers.True : Tags.AppSec.EventsUsers.False);
+        setTag(Tags.AppSec.EventsUsers.LoginEvent.FailureUserLogin, userLogin);
+
+        PopulateTags(userDetails, metadata, setTag, false);
+
+        RunSecurityChecksAndReport(internalSpan, userLogin: userLogin, loginSuccess: false);
+    }
+
+    private static void PopulateTags(UserDetails? userDetails, IDictionary<string, string>? metadata, Action<string, string> setTag, bool loginSuccess)
+    {
+        setTag(Tags.AppSec.EventsUsers.CollectionMode, Tags.AppSec.EventsUsers.Sdk);
+
+        var prefix = loginSuccess ? Tags.AppSec.EventsUsers.LoginEvent.Success : Tags.AppSec.EventsUsers.LoginEvent.Failure;
+        var prefixUser = prefix + ".usr";
+        if (metadata is { Count: > 0 })
+        {
+            foreach (var kvp in metadata)
+            {
+                setTag($"{prefix}.{kvp.Key}", kvp.Value);
+            }
+        }
+
+        if (userDetails is { } userDetailsValue)
+        {
+            // usr.id should always be set, even when PropagateId is true
+            setTag(Tags.User.Id, userDetailsValue.Id);
+            setTag(Tags.AppSec.EventsUsers.CollectionMode, Tags.AppSec.EventsUsers.Sdk);
+            setTag(prefixUser + ".id", userDetailsValue.Id);
+
+            if (userDetailsValue.PropagateId)
+            {
+                var base64UserId = Convert.ToBase64String(Encoding.UTF8.GetBytes(userDetailsValue.Id));
+                const string propagatedUserIdTag = TagPropagation.PropagatedTagPrefix + Tags.User.Id;
+                setTag(propagatedUserIdTag, base64UserId);
+                setTag(prefixUser + ".propagate_id", Tags.AppSec.EventsUsers.True);
+            }
+            else
+            {
+                setTag(prefixUser + ".propagate_id", Tags.AppSec.EventsUsers.False);
+            }
+
+            if (userDetailsValue.Name is not null)
+            {
+                setTag(prefixUser + ".name", userDetailsValue.Name);
+                setTag(Tags.User.Name, userDetailsValue.Name);
+            }
+
+            if (userDetailsValue.Scope is not null)
+            {
+                setTag(Tags.User.Scope, userDetailsValue.Scope);
+                setTag(prefixUser + ".scope", userDetailsValue.Scope);
+            }
+
+            if (userDetailsValue.Role is not null)
+            {
+                setTag(Tags.User.Role, userDetailsValue.Role);
+                setTag(prefixUser + ".role", userDetailsValue.Role);
+            }
+
+            if (userDetailsValue.SessionId is not null)
+            {
+                setTag(Tags.User.SessionId, userDetailsValue.SessionId);
+                setTag(prefixUser + ".session_id", userDetailsValue.SessionId);
+            }
+
+            if (userDetailsValue.Email is not null)
+            {
+                setTag(Tags.User.Email, userDetailsValue.Email);
+                setTag(prefixUser + ".email", userDetailsValue.Email);
+            }
+        }
+    }
+
+    /// <summary>
+    /// Biggest part of this method will only work in a web context
+    /// </summary>
+    /// <param name="span">span</param>
+    /// <param name="userLogin">now mandatory user login</param>
+    /// <param name="userId">user id</param>
+    /// <param name="loginSuccess">whether it's a login success</param>
+    private static void RunSecurityChecksAndReport(Span span, string userLogin, string? userId = null, bool loginSuccess = false)
+    {
+        var securityInstance = Security.Instance;
+        if (!securityInstance.IsTrackUserEventsEnabled)
+        {
+            return;
+        }
+
+        securityInstance.SetTraceSamplingPriority(span);
+
+        var securityCoordinator = SecurityCoordinator.TryGetSafe(securityInstance, span);
+        if (securityCoordinator is not null)
+        {
+            RunWafAndCollectHeaders();
+        }
+
+        return;
+
+        [MethodImpl(MethodImplOptions.NoInlining)]
+        void RunWafAndCollectHeaders()
+        {
+            securityCoordinator.Value.Reporter.CollectHeaders();
+            var result = securityCoordinator.Value.RunWafForUser(userLogin: userLogin, userId: userId, fromSdk: true, otherTags: new() { { loginSuccess ? AddressesConstants.UserBusinessLoginSuccess : AddressesConstants.UserBusinessLoginFailure, string.Empty } });
+            securityCoordinator.Value.BlockAndReport(result);
+        }
+    }
+}
diff --git a/tracer/src/Datadog.Trace/ClrProfiler/AutoInstrumentation/ManualInstrumentation/Extensions/SpanExtensionsSetUserIntegration.cs b/tracer/src/Datadog.Trace/ClrProfiler/AutoInstrumentation/ManualInstrumentation/Extensions/SpanExtensionsSetUserIntegration.cs
@@ -43,14 +43,11 @@ internal static CallTargetState OnMethodBegin<TTarget, TSpan>(ref TSpan span, st
             // Not likely, but technically possible for this to happen
             realSpan = autoSpan;
         }
-        else
-        {
-            // This is a worst case, should basically never be necessary
-            // Only required if customers create a custom ISpan
-            // Should we handle it? I chose to just ignore it here because it's a pain
-            // but we could throw, or log?
-        }
 
+        // This is a worst case, should basically never be necessary
+        // Only required if customers create a custom ISpan
+        // Should we handle it? I chose to just ignore it here because it's a pain
+        // but we could throw, or log?
         realSpan?.SetUserInternal(
             new UserDetails(id)
             {
diff --git a/tracer/src/Datadog.Trace/UserDetails.cs b/tracer/src/Datadog.Trace/UserDetails.cs
