From 542d9f594ebc4f9971577fdad876c9b64483fc0d Mon Sep 17 00:00:00 2001
From: Sergey Fedorov <sergey.fedorov@datadoghq.com>
Date: Thu, 13 Feb 2025 13:23:28 +0100
Subject: [PATCH] Return user tracking mode to old values

---
 gemfiles/ruby_3.3_rails_app.gemfile.lock      |  2 +-
 .../appsec/contrib/devise/configuration.rb    | 18 +++++++++++
 lib/datadog/appsec/contrib/devise/tracking.rb |  2 +-
 .../appsec/contrib/devise/configuration.rbs   |  2 ++
 .../contrib/devise/configuration_spec.rb      | 32 +++++++++++++++++++
 .../patcher/authenticatable_patch_spec.rb     |  3 ++
 .../registration_controller_patch_spec.rb     |  3 ++
 .../appsec/contrib/devise/tracking_spec.rb    |  3 ++
 .../devise_auto_login_signup_events_spec.rb   |  6 ++--
 9 files changed, 66 insertions(+), 5 deletions(-)

diff --git a/gemfiles/ruby_3.3_rails_app.gemfile.lock b/gemfiles/ruby_3.3_rails_app.gemfile.lock
index e4d110d54e6..acca9a22e4c 100644
--- a/gemfiles/ruby_3.3_rails_app.gemfile.lock
+++ b/gemfiles/ruby_3.3_rails_app.gemfile.lock
@@ -370,4 +370,4 @@ DEPENDENCIES
   webrick (>= 1.7.0)
 
 BUNDLED WITH
-   2.6.3
+   2.5.21
diff --git a/lib/datadog/appsec/contrib/devise/configuration.rb b/lib/datadog/appsec/contrib/devise/configuration.rb
index 852409c37bf..9ee92298073 100644
--- a/lib/datadog/appsec/contrib/devise/configuration.rb
+++ b/lib/datadog/appsec/contrib/devise/configuration.rb
@@ -33,6 +33,24 @@ def auto_user_instrumentation_mode
               Datadog.configuration.appsec.auto_user_instrumentation.mode
             end
           end
+
+          # NOTE: Remove in next version of tracking
+          def track_user_events_mode
+            unless Datadog.configuration.appsec.auto_user_instrumentation.options[:mode].default_precedence?
+              mode = case Datadog.configuration.appsec.auto_user_instrumentation.mode
+                     when AppSec::Configuration::Settings::IDENTIFICATION_AUTO_USER_INSTRUMENTATION_MODE
+                       AppSec::Configuration::Settings::EXTENDED_TRACK_USER_EVENTS_MODE
+                     when AppSec::Configuration::Settings::ANONYMIZATION_AUTO_USER_INSTRUMENTATION_MODE
+                       AppSec::Configuration::Settings::SAFE_TRACK_USER_EVENTS_MODE
+                     else
+                       Datadog.configuration.appsec.track_user_events.mode
+                     end
+
+              return mode
+            end
+
+            Datadog.configuration.appsec.track_user_events.mode
+          end
         end
       end
     end
diff --git a/lib/datadog/appsec/contrib/devise/tracking.rb b/lib/datadog/appsec/contrib/devise/tracking.rb
index 620ab0fd8b3..ffd27b4e8c6 100644
--- a/lib/datadog/appsec/contrib/devise/tracking.rb
+++ b/lib/datadog/appsec/contrib/devise/tracking.rb
@@ -40,7 +40,7 @@ def self.track(event, trace, span, **others)
             return if trace.nil? || span.nil?
 
             span.set_tag("appsec.events.#{event}.track", 'true')
-            span.set_tag("_dd.appsec.events.#{event}.auto.mode", Configuration.auto_user_instrumentation_mode)
+            span.set_tag("_dd.appsec.events.#{event}.auto.mode", Configuration.track_user_events_mode)
 
             others.each do |k, v|
               raise ArgumentError, 'key cannot be :track' if k.to_sym == :track
diff --git a/sig/datadog/appsec/contrib/devise/configuration.rbs b/sig/datadog/appsec/contrib/devise/configuration.rbs
index c7f9be9643c..21ffd8a6455 100644
--- a/sig/datadog/appsec/contrib/devise/configuration.rbs
+++ b/sig/datadog/appsec/contrib/devise/configuration.rbs
@@ -6,6 +6,8 @@ module Datadog
           def self?.auto_user_instrumentation_enabled?: () -> bool
 
           def self?.auto_user_instrumentation_mode: () -> ::String
+
+          def self?.track_user_events_mode_mode: () -> ::String
         end
       end
     end
diff --git a/spec/datadog/appsec/contrib/devise/configuration_spec.rb b/spec/datadog/appsec/contrib/devise/configuration_spec.rb
index 02dbc6c2de4..6085446eba2 100644
--- a/spec/datadog/appsec/contrib/devise/configuration_spec.rb
+++ b/spec/datadog/appsec/contrib/devise/configuration_spec.rb
@@ -134,4 +134,36 @@
       it { expect(described_class.auto_user_instrumentation_mode).to eq('anonymization') }
     end
   end
+
+  describe '.track_user_events_mode' do
+    context 'when auto_user_instrumentation is explicitly set to ident and track_user_events is default' do
+      before do
+        settings.appsec.auto_user_instrumentation.mode = 'identification'
+        # NOTE: triggering default value
+        settings.appsec.track_user_events.mode
+      end
+
+      it { expect(described_class.track_user_events_mode).to eq('extended') }
+    end
+
+    context 'when auto_user_instrumentation is explicitly set to anon and track_user_events is default' do
+      before do
+        settings.appsec.auto_user_instrumentation.mode = 'anonymization'
+        # NOTE: triggering default value
+        settings.appsec.track_user_events.mode
+      end
+
+      it { expect(described_class.track_user_events_mode).to eq('safe') }
+    end
+
+    context 'when track_user_events is explicitly set and auto_user_instrumentation is default' do
+      before do
+        settings.appsec.track_user_events.mode = 'safe'
+        # NOTE: triggering default value
+        settings.appsec.auto_user_instrumentation.mode
+      end
+
+      it { expect(described_class.track_user_events_mode).to eq('safe') }
+    end
+  end
 end
diff --git a/spec/datadog/appsec/contrib/devise/patcher/authenticatable_patch_spec.rb b/spec/datadog/appsec/contrib/devise/patcher/authenticatable_patch_spec.rb
index 572f85b92bc..730c0388774 100644
--- a/spec/datadog/appsec/contrib/devise/patcher/authenticatable_patch_spec.rb
+++ b/spec/datadog/appsec/contrib/devise/patcher/authenticatable_patch_spec.rb
@@ -10,6 +10,9 @@
   before do
     allow(Datadog).to receive(:logger).and_return(instance_double(Datadog::Core::Logger).as_null_object)
     allow(Datadog).to receive(:configuration).and_return(settings)
+
+    # NOTE: trigger default value
+    settings.appsec.auto_user_instrumentation.mode
   end
 
   let(:settings) { Datadog::Core::Configuration::Settings.new }
diff --git a/spec/datadog/appsec/contrib/devise/patcher/registration_controller_patch_spec.rb b/spec/datadog/appsec/contrib/devise/patcher/registration_controller_patch_spec.rb
index ac117bb0409..504d4424491 100644
--- a/spec/datadog/appsec/contrib/devise/patcher/registration_controller_patch_spec.rb
+++ b/spec/datadog/appsec/contrib/devise/patcher/registration_controller_patch_spec.rb
@@ -10,6 +10,9 @@
   before do
     allow(Datadog).to receive(:logger).and_return(instance_double(Datadog::Core::Logger).as_null_object)
     allow(Datadog).to receive(:configuration).and_return(settings)
+
+    # NOTE: trigger default value
+    settings.appsec.auto_user_instrumentation.mode
   end
 
   let(:settings) { Datadog::Core::Configuration::Settings.new }
diff --git a/spec/datadog/appsec/contrib/devise/tracking_spec.rb b/spec/datadog/appsec/contrib/devise/tracking_spec.rb
index 8df801f2466..6c022439e84 100644
--- a/spec/datadog/appsec/contrib/devise/tracking_spec.rb
+++ b/spec/datadog/appsec/contrib/devise/tracking_spec.rb
@@ -3,6 +3,9 @@
 require 'datadog/appsec/contrib/devise/tracking'
 
 RSpec.describe Datadog::AppSec::Contrib::Devise::Tracking do
+  # NOTE: trigger default values
+  before { Datadog.configuration.appsec.auto_user_instrumentation.mode }
+
   let(:trace_op) { Datadog::Tracing::TraceOperation.new }
   let(:auto_mode) { Datadog.configuration.appsec.track_user_events.mode.to_s }
 
diff --git a/spec/datadog/appsec/contrib/integration/devise_auto_login_signup_events_spec.rb b/spec/datadog/appsec/contrib/integration/devise_auto_login_signup_events_spec.rb
index e8ec05694ea..76a6f7fecc5 100644
--- a/spec/datadog/appsec/contrib/integration/devise_auto_login_signup_events_spec.rb
+++ b/spec/datadog/appsec/contrib/integration/devise_auto_login_signup_events_spec.rb
@@ -203,7 +203,7 @@ def index
         expect(http_service_entry_trace.sampling_priority).to eq(Datadog::Tracing::Sampling::Ext::Priority::USER_KEEP)
 
         expect(http_service_entry_span.tags['appsec.events.users.login.success.track']).to eq('true')
-        expect(http_service_entry_span.tags['_dd.appsec.events.users.login.success.auto.mode']).to eq('identification')
+        expect(http_service_entry_span.tags['_dd.appsec.events.users.login.success.auto.mode']).to eq('extended')
         expect(http_service_entry_span.tags['usr.id']).to eq('1')
 
         # NOTE: not implemented yet
@@ -223,7 +223,7 @@ def index
         expect(http_service_entry_trace.sampling_priority).to eq(Datadog::Tracing::Sampling::Ext::Priority::USER_KEEP)
 
         expect(http_service_entry_span.tags['appsec.events.users.login.failure.track']).to eq('true')
-        expect(http_service_entry_span.tags['_dd.appsec.events.users.login.failure.auto.mode']).to eq('identification')
+        expect(http_service_entry_span.tags['_dd.appsec.events.users.login.failure.auto.mode']).to eq('extended')
         expect(http_service_entry_span.tags['appsec.events.users.login.failure.usr.exists']).to eq('false')
 
         # NOTE: not implemented yet
@@ -255,7 +255,7 @@ def index
         expect(http_service_entry_trace.sampling_priority).to eq(Datadog::Tracing::Sampling::Ext::Priority::USER_KEEP)
 
         expect(http_service_entry_span.tags['appsec.events.users.signup.track']).to eq('true')
-        expect(http_service_entry_span.tags['_dd.appsec.events.users.signup.auto.mode']).to eq('identification')
+        expect(http_service_entry_span.tags['_dd.appsec.events.users.signup.auto.mode']).to eq('extended')
 
         # NOTE: not implemented yet
         # expect(http_service_entry_span.tags['appsec.events.users.signup.usr.login']).to eq('john.doe@example.com')