o i>@sddlmZddlmZddlmZddlmZddlmZddlm Z ddlm Z ddl m Z dd l m Z dd l mZdd lmZdd lmZdd lmZddlmZddlmZddlmZddlmZddlmZee Z!dedd fddZ"dedd fddZ#dede$de%dd fddZ&d e j'd d d d fdede(dee%d e$d!ee$d"ee$d#ee$deedeefd$d%Z)d d d d d d d d&e j'd f ded'ee$dee%d!ee$d"ee$d#ee$d(ee$d)ee$d*ee$d+e(d e$deedd fd,d-Z*d d e j'd d d fded'ee$d.ee(dee%d e$d!ee$d"ee$d#ee$dd fd/d0Z+d e j'fded'ee$de(d!ee$d e$dd f d1d2Z,ded3e$de%e$efdd fd4d5Z-d?ded6e$d*ee$de(fd7d8Z.d@d9d:Z/dAd6e$dZ0d S)B)Any)Optional)Span)_asm_request_context)call_waf_callback) get_blocked)in_asm_context)APPSEC)LOGIN_EVENTS_MODE) WAF_ACTIONS) _hash_user_idN)set_user)user)core)BlockingException) get_logger)configspanreturncCsVddlm}ddlm}|tj||d|j|tj dd|j j tj <dS)NrSAMPLING_DECISION_TRACE_TAG_KEYSamplingMechanism-%d02) ddtrace.internal.constantsrddtrace.internal.samplingrset_tag constantsMANUAL_KEEP_KEY _set_tag_strr PROPAGATION_HEADERcontext_metarrrr%O/home/ubuntu/.local/lib/python3.10/site-packages/ddtrace/appsec/_trace_utils.py_asm_manual_keeps   r'cCs:ddlm}ddlm}|tj||d|jdS)Nrrrr) rrrrrrrr AI_GUARDr$r%r%r&_aiguard_manual_keep&s   r) entry_spanprefixmetadatac Csd}|durdS||dfg}|rs|\}}}t|tr9||kr8t|D]\}}||d|||dfq$n6t|tr[||krZ|D]\} }||d| ||dfqFnt|trf|rddnd}||t ||sdSdS)N.truefalse) pop isinstancelist enumerateappenddictitemsboolr str) r*r+r, MAX_DEPTHstackdatalevelivkr%r%r&_handle_metadata/s(        rBtracersuccesslogin_events_modeloginnameemailcCsX|durt}|st}r|j}|r|rdnd} dtj| f} |r,|tjdn|tj d|t j t j fvrG|d| dt j} n|} |rNtjntj} || | dtj| f} |durht|| ||r|tjd| d||t j kr|tj||d| ||r|d | ||r|d | |t||Std dS) NrDfailurez%s.%sr0%s.sdkr/z .usr.loginz%s.loginz%s.emailz %s.usernamezNo root span in the current execution. Skipping track_user_success_login tags. See https://docs.datadoghq.com/security_platform/application_security/setup_and_configure/?tab=set_user&code-lang=python for more information.)rget_entry_spanrget_span_service_entry_spanr USER_LOGIN_EVENT_PREFIXr USER_LOGIN_EVENT_SUCCESS_TRACKUSER_LOGIN_EVENT_FAILURE_TRACKr SDKAUTO asm_config_user_event_modeAUTO_LOGIN_EVENTS_SUCCESS_MODEAUTO_LOGIN_EVENTS_FAILURE_MODEUSER_LOGIN_EVENT_PREFIX_PUBLICrBUSER_LOGIN_USERNAMEr'logwarning)rCrDr,rErFrGrHr current_span success_str tag_prefix reported_modemode_tagtag_metadata_prefixr%r%r&_track_user_login_commonDsD     raFuser_idscoperole session_id propagatec  CsZ| tjkr| ntj} | tjkrdS|} |}| tjkr*d}}|dur$dntt|}tdd|| |||| } | s9dS| tjkrGt |trGt|}| t j | |rk| tj kr_| t jt|n | t jdt|td|ppd|||||| | dd tr|rt|nd| | d}|r||d<t|dd }|rtd d |jDrttdSdSdS) ax Add a new login success tracking event. The parameters after metadata (name, email, scope, role, session_id, propagate) will be passed to the `set_user` function that will be called by this one, see: https://docs.datadoghq.com/logs/log_configuration/attributes_naming_convention/#user-related-attributes https://docs.datadoghq.com/security_platform/application_security/setup_and_configure/?tab=set_tag&code-lang=python :param tracer: tracer instance to use :param user_id: a string with the UserId :param metadata: a dictionary with additional metadata information to be stored with the event NTz.success.usr.idF) may_block)REQUEST_USER_IDREQUEST_USERNAME LOGIN_SUCCESSREQUEST_SESSION_ID custom_data force_sentcs |] }|tjtjfvVqdSNr BLOCK_ACTIONREDIRECT_ACTION.0actionr%r%r& z1track_user_login_success_event..)r rRrSrTDISABLEDANONr r:rar3r r !AUTO_LOGIN_EVENTS_COLLECTION_MODErQUSER_LOGIN_USERIDrWr rranyactionsrr)rCrbr,rFrGrHrcrdrerfrEr real_mode initial_logininitial_user_idrnresr%r%r&track_user_login_success_eventsD      rexistsc Cs|tjkr|ntj}|tjkrdS|tjkrt|trt|}t dd|||} | s+dS|durA|r3dnd} | dt j t jf| |rm|tjkrQt|trQt|}|tjkr_| t jt|| dt j t jft|| t j||tjtjfvr|r| dt j ||r| dt j ||r| dt j |trd di} |r|| d <t| d } | rtd d | jDrttdSdSdS)aZ Add a new login failure tracking event. :param tracer: tracer instance to use :param user_id: a string with the UserId if exists=True or the username if not :param exists: a boolean indicating if the user exists in the system :param metadata: a dictionary with additional metadata information to be stored with the event NFr0r1z %s.failure.%sz%s.failure.loginz%s.failure.emailz%s.failure.username LOGIN_FAILURErj)rncsrprqrrrur%r%r&rxryz1track_user_login_failure_event..)r rRrSrTrzr{r3r:r rar r rWrEXISTSrQr}IDr|rrr~rrr) rCrbrr,rErFrGrHrr exists_strrnrr%r%r&track_user_login_failure_eventsD     rcCst}|r|r dnd}|tj||r>|tjkr#t|tr#t |}|t j t||tj t||tj t||r`|tjkrNt|trNt |}|tjt||tjt|t||tjkrt|dtjddS|dtjt|dStddS)Nr0r1rJz %s.auto.modezNo root span in the current execution. Skipping track_user_signup tags. See https://docs.datadoghq.com/security_platform/application_security/setup_and_configure/?tab=set_user&code-lang=python for more information.)rrKr r USER_SIGNUP_EVENTr r{r3r:r rrUSER_SIGNUP_EVENT_USERIDr}USER_SIGNUP_EVENT_USERNAMErXr'rQUSER_SIGNUP_EVENT_MODErYrZ)rCrbrDrFrErr\r%r%r&track_user_signup_events0  r event_namecCs||s tddS|stddSt}|stddS|dtj|fd|r8t|tjd||t|dS)z Add a new custom tracking event. :param tracer: tracer instance to use :param event_name: the name of the custom event :param metadata: a dictionary with additional metadata information to be stored with the event zDEmpty event name given to track_custom_event. Skipping setting tags.NzBEmpty metadata given to track_custom_event. Skipping setting tags.zNo root span in the current execution. Skipping track_custom_event tags. See https://docs.datadoghq.com/security_platform/application_security/setup_and_configure/?tab=set_user&code-lang=python for more information.z %s.%s.trackr0r/) rYrZrrKr r CUSTOM_EVENT_PREFIXrBr')rCrr,rr%r%r&track_custom_events    ruseridcCsbtjs tddStrdSi}|durt||d<|dur%t||d<tj|ddttS)z Return true if the specified User ID should be blocked. :param tracer: tracer instance to use :param userid: the ID of the user as registered by `set_user` zmOne click blocking of user ids is disabled. To use this feature please enable Application Security MonitoringFTNrirlrm) rS _asm_enabledrYrZrr:rrr9)rCrrernr%r%r&should_block_user:s   rcCs tjs tddStdS)at Block the current request and return a 403 Unauthorized response. If the response has already been started to be sent this could not work. The behaviour of this function could be different among frameworks, but it usually involves raising some kind of internal Exception, meaning that if you capture the exception the request blocking could not work. z_block_request() is disabled. To use this feature please enable, Application Security MonitoringN)rSrrYrZr block_requestr%r%r%r&rUs  rsdkmodecCstjr|tjkrtddS|tjkrtj}t }|rO| t j ||rO|tj kr1tt|}| t j ||tjkrF| t jt|| tjt|td||r[tdSdS)aj Check if the specified User ID should be blocked and if positive block the current request using `block_request`. This should only be called with set_user from the sdk API :param userid: the ID of the user as registered by `set_user` :param mode: the mode of the login event ("sdk" by default, "auto" to simulate auto instrumentation) z1should_block_user call requires ASM to be enabledN)rSrr rzrYrZrRrTrrKr r r|r{r r:rQr}rrrr)rrrer*r%r%r&block_request_if_user_blockedcs$       rrq)rN)rN)1typingrrddtrace._trace.spanrddtrace.appsecr#ddtrace.appsec._asm_request_contextrrrddtrace.appsec._constantsr r r ddtrace.appsec._utilsr ddtrace.constantsr)ddtrace.contrib.internal.trace_utils_baser ddtrace.extrddtrace.internalrddtrace.internal._exceptionsrddtrace.internal.loggerrddtrace.internal.settings.asmrrS__name__rYr'r)r:r7rBrQr9rarrrrrrrr%r%r%r&s                    ?     @ 9 "' ! $