feat(aap): add new track_user_id (#14910)

## Description

To align with other tracers and to allow our customers to track a user
without the login, the ATO SDK is enriched with a new `track_user_id`
that only requires the user id .

## Testing

Tests updated for the new function/.

## Additional Notes

Public documentation should be updated soon after the merge of this PR.


APPSEC-59673

Author: christophe-papazian

ddtrace/appsec/track_user_sdk.py

@@ -127,6 +127,57 @@ def track_user(
                 raise BlockingException(_get_blocked())
 
 
+def track_user_id(
+    user_id: t.Any,
+    session_id: t.Optional[str] = None,
+    metadata: t.Optional[t.Dict[str, t.Any]] = None,
+    _auto: bool = False,
+):
+    """
+    Track an authenticated user with only user id.
+
+    This function should be called when a user is authenticated in the application."
+    """
+    span = _asm_request_context.get_entry_span()
+    if span is None:
+        return
+    if user_id:
+        span.set_tag_str(_constants.APPSEC.USER_LOGIN_USERID, str(user_id))
+    meta = metadata or {}
+    usr_name = meta.pop("name", None) or meta.pop("usr.name", None)
+    usr_email = meta.pop("email", None) or meta.pop("usr.email", None)
+    usr_scope = meta.pop("scope", None) or meta.pop("usr.scope", None)
+    usr_role = meta.pop("role", None) or meta.pop("usr.role", None)
+    _trace_utils.set_user(
+        None,
+        user_id,
+        name=usr_name if isinstance(usr_name, str) else None,
+        email=usr_email if isinstance(usr_email, str) else None,
+        scope=usr_scope if isinstance(usr_scope, str) else None,
+        role=usr_role if isinstance(usr_role, str) else None,
+        session_id=session_id,
+        span=span,
+        may_block=_auto,
+        mode=_constants.LOGIN_EVENTS_MODE.AUTO if _auto else _constants.LOGIN_EVENTS_MODE.SDK,
+    )
+    if meta:
+        _trace_utils.track_custom_event(None, "auth_sdk", metadata=meta)
+    if not _auto:
+        span.set_tag_str(_constants.APPSEC.AUTO_LOGIN_EVENTS_COLLECTION_MODE, _constants.LOGIN_EVENTS_MODE.SDK)
+        if _asm_request_context.in_asm_context():
+            custom_data = {
+                "REQUEST_USER_ID": str(user_id) if user_id else None,
+                "LOGIN_SUCCESS": "sdk",
+            }
+            if session_id:
+                custom_data["REQUEST_SESSION_ID"] = session_id
+            res = _asm_request_context.call_waf_callback(custom_data=custom_data, force_sent=True)
+            if res and any(
+                action in [_WAF_ACTIONS.BLOCK_ACTION, _WAF_ACTIONS.REDIRECT_ACTION] for action in res.actions
+            ):
+                raise BlockingException(_get_blocked())
+
+
 def track_custom_event(event_name: str, metadata: t.Dict[str, t.Any]):
     """
     Track a custom user event.

releasenotes/notes/track_user_id-2004e931ddf254a9.yaml

@@ -0,0 +1,4 @@
+---
+features:
+  - |
+    AAP: This introduces ``track_user_id`` in the ATO SDK, which is equivalent to ``track_user`` but does not require the login, only the user id.

tests/appsec/appsec/test_appsec_trace_utils.py

@@ -14,6 +14,7 @@
 from ddtrace.appsec.trace_utils import track_user_login_success_event
 from ddtrace.appsec.trace_utils import track_user_signup_event
 from ddtrace.appsec.track_user_sdk import track_user
+from ddtrace.appsec.track_user_sdk import track_user_id
 from ddtrace.contrib.internal.trace_utils import set_user
 from ddtrace.ext import user
 import ddtrace.internal.telemetry
@@ -275,7 +276,7 @@ def test_set_user_blocked(self):
     def test_track_user_blocked(self):
         with asm_context(tracer=self.tracer, span_name="fake_span", config=config_good_rules) as span:
             track_user(
-                self.tracer,
+                "login",
                 user_id=self._BLOCKED_USER,
                 session_id="usr.session_id",
                 metadata={
@@ -298,6 +299,31 @@ def test_track_user_blocked(self):
         assert span.get_tag("usr.id") == str(self._BLOCKED_USER)
         assert is_blocked(span)
 
+    def test_track_user_id_blocked(self):
+        with asm_context(tracer=self.tracer, span_name="fake_span", config=config_good_rules) as span:
+            track_user_id(
+                self._BLOCKED_USER,
+                session_id="usr.session_id",
+                metadata={
+                    "email": "usr.email",
+                    "name": "usr.name",
+                    "role": "usr.role",
+                    "scope": "usr.scope",
+                },
+            )
+        assert span.get_tag(user.ID)
+        assert span.get_tag(user.EMAIL)
+        assert span.get_tag(user.SESSION_ID)
+        assert span.get_tag(user.NAME)
+        assert span.get_tag(user.ROLE)
+        assert span.get_tag(user.SCOPE)
+        assert span.get_tag(user.SESSION_ID)
+        assert span.get_tag(APPSEC.AUTO_LOGIN_EVENTS_COLLECTION_MODE) == LOGIN_EVENTS_MODE.SDK
+        # assert metadata tags are not set for usual data
+        assert span.get_tag("appsec.events.auth_sdk.track") is None
+        assert span.get_tag("usr.id") == str(self._BLOCKED_USER)
+        assert is_blocked(span)
+
     def test_no_span_doesnt_raise(self):
         from ddtrace.trace import tracer