From 92007d766024172ca1ea6b6a98f4307aee564106 Mon Sep 17 00:00:00 2001
From: Sergey Fedorov <sergey.fedorov@datadoghq.com>
Date: Thu, 13 Feb 2025 13:23:28 +0100
Subject: [PATCH] Return user tracking mode to old values

---
 .../appsec/contrib/devise/configuration.rb    | 26 ++++++++++++---
 lib/datadog/appsec/contrib/devise/tracking.rb |  2 +-
 .../appsec/contrib/devise/configuration.rb    |  0
 .../appsec/contrib/devise/configuration.rbs   |  2 ++
 .../contrib/devise/configuration_spec.rb      | 32 +++++++++++++++++++
 .../devise_auto_login_signup_events_spec.rb   |  6 ++--
 6 files changed, 60 insertions(+), 8 deletions(-)
 create mode 100644 sig/datadog/appsec/contrib/devise/configuration.rb

diff --git a/lib/datadog/appsec/contrib/devise/configuration.rb b/lib/datadog/appsec/contrib/devise/configuration.rb
index 852409c37bf..b9101eefa08 100644
--- a/lib/datadog/appsec/contrib/devise/configuration.rb
+++ b/lib/datadog/appsec/contrib/devise/configuration.rb
@@ -25,14 +25,32 @@ def auto_user_instrumentation_mode
             end
 
             case Datadog.configuration.appsec.track_user_events.mode
-            when AppSec::Configuration::Settings::SAFE_TRACK_USER_EVENTS_MODE
-              AppSec::Configuration::Settings::ANONYMIZATION_AUTO_USER_INSTRUMENTATION_MODE
-            when AppSec::Configuration::Settings::EXTENDED_TRACK_USER_EVENTS_MODE
-              AppSec::Configuration::Settings::IDENTIFICATION_AUTO_USER_INSTRUMENTATION_MODE
+            when Datadog::AppSec::Configuration::Settings::SAFE_TRACK_USER_EVENTS_MODE
+              Datadog::AppSec::Configuration::Settings::ANONYMIZATION_AUTO_USER_INSTRUMENTATION_MODE
+            when Datadog::AppSec::Configuration::Settings::EXTENDED_TRACK_USER_EVENTS_MODE
+              Datadog::AppSec::Configuration::Settings::IDENTIFICATION_AUTO_USER_INSTRUMENTATION_MODE
             else
               Datadog.configuration.appsec.auto_user_instrumentation.mode
             end
           end
+
+          # NOTE: Remove in next version of tracking
+          def track_user_events_mode
+            unless Datadog.configuration.appsec.auto_user_instrumentation.options[:mode].default_precedence?
+              mode = case Datadog.configuration.appsec.auto_user_instrumentation.mode
+                     when Datadog::AppSec::Configuration::Settings::IDENTIFICATION_AUTO_USER_INSTRUMENTATION_MODE
+                       Datadog::AppSec::Configuration::Settings::EXTENDED_TRACK_USER_EVENTS_MODE
+                     when Datadog::AppSec::Configuration::Settings::ANONYMIZATION_AUTO_USER_INSTRUMENTATION_MODE
+                       Datadog::AppSec::Configuration::Settings::SAFE_TRACK_USER_EVENTS_MODE
+                     else
+                       Datadog.configuration.appsec.track_user_events.mode
+                     end
+
+              return mode
+            end
+
+            Datadog.configuration.appsec.track_user_events.mode
+          end
         end
       end
     end
diff --git a/lib/datadog/appsec/contrib/devise/tracking.rb b/lib/datadog/appsec/contrib/devise/tracking.rb
index 620ab0fd8b3..ffd27b4e8c6 100644
--- a/lib/datadog/appsec/contrib/devise/tracking.rb
+++ b/lib/datadog/appsec/contrib/devise/tracking.rb
@@ -40,7 +40,7 @@ def self.track(event, trace, span, **others)
             return if trace.nil? || span.nil?
 
             span.set_tag("appsec.events.#{event}.track", 'true')
-            span.set_tag("_dd.appsec.events.#{event}.auto.mode", Configuration.auto_user_instrumentation_mode)
+            span.set_tag("_dd.appsec.events.#{event}.auto.mode", Configuration.track_user_events_mode)
 
             others.each do |k, v|
               raise ArgumentError, 'key cannot be :track' if k.to_sym == :track
diff --git a/sig/datadog/appsec/contrib/devise/configuration.rb b/sig/datadog/appsec/contrib/devise/configuration.rb
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/sig/datadog/appsec/contrib/devise/configuration.rbs b/sig/datadog/appsec/contrib/devise/configuration.rbs
index c7f9be9643c..21ffd8a6455 100644
--- a/sig/datadog/appsec/contrib/devise/configuration.rbs
+++ b/sig/datadog/appsec/contrib/devise/configuration.rbs
@@ -6,6 +6,8 @@ module Datadog
           def self?.auto_user_instrumentation_enabled?: () -> bool
 
           def self?.auto_user_instrumentation_mode: () -> ::String
+
+          def self?.track_user_events_mode_mode: () -> ::String
         end
       end
     end
diff --git a/spec/datadog/appsec/contrib/devise/configuration_spec.rb b/spec/datadog/appsec/contrib/devise/configuration_spec.rb
index 02dbc6c2de4..6085446eba2 100644
--- a/spec/datadog/appsec/contrib/devise/configuration_spec.rb
+++ b/spec/datadog/appsec/contrib/devise/configuration_spec.rb
@@ -134,4 +134,36 @@
       it { expect(described_class.auto_user_instrumentation_mode).to eq('anonymization') }
     end
   end
+
+  describe '.track_user_events_mode' do
+    context 'when auto_user_instrumentation is explicitly set to ident and track_user_events is default' do
+      before do
+        settings.appsec.auto_user_instrumentation.mode = 'identification'
+        # NOTE: triggering default value
+        settings.appsec.track_user_events.mode
+      end
+
+      it { expect(described_class.track_user_events_mode).to eq('extended') }
+    end
+
+    context 'when auto_user_instrumentation is explicitly set to anon and track_user_events is default' do
+      before do
+        settings.appsec.auto_user_instrumentation.mode = 'anonymization'
+        # NOTE: triggering default value
+        settings.appsec.track_user_events.mode
+      end
+
+      it { expect(described_class.track_user_events_mode).to eq('safe') }
+    end
+
+    context 'when track_user_events is explicitly set and auto_user_instrumentation is default' do
+      before do
+        settings.appsec.track_user_events.mode = 'safe'
+        # NOTE: triggering default value
+        settings.appsec.auto_user_instrumentation.mode
+      end
+
+      it { expect(described_class.track_user_events_mode).to eq('safe') }
+    end
+  end
 end
diff --git a/spec/datadog/appsec/contrib/integration/devise_auto_login_signup_events_spec.rb b/spec/datadog/appsec/contrib/integration/devise_auto_login_signup_events_spec.rb
index e8ec05694ea..76a6f7fecc5 100644
--- a/spec/datadog/appsec/contrib/integration/devise_auto_login_signup_events_spec.rb
+++ b/spec/datadog/appsec/contrib/integration/devise_auto_login_signup_events_spec.rb
@@ -203,7 +203,7 @@ def index
         expect(http_service_entry_trace.sampling_priority).to eq(Datadog::Tracing::Sampling::Ext::Priority::USER_KEEP)
 
         expect(http_service_entry_span.tags['appsec.events.users.login.success.track']).to eq('true')
-        expect(http_service_entry_span.tags['_dd.appsec.events.users.login.success.auto.mode']).to eq('identification')
+        expect(http_service_entry_span.tags['_dd.appsec.events.users.login.success.auto.mode']).to eq('extended')
         expect(http_service_entry_span.tags['usr.id']).to eq('1')
 
         # NOTE: not implemented yet
@@ -223,7 +223,7 @@ def index
         expect(http_service_entry_trace.sampling_priority).to eq(Datadog::Tracing::Sampling::Ext::Priority::USER_KEEP)
 
         expect(http_service_entry_span.tags['appsec.events.users.login.failure.track']).to eq('true')
-        expect(http_service_entry_span.tags['_dd.appsec.events.users.login.failure.auto.mode']).to eq('identification')
+        expect(http_service_entry_span.tags['_dd.appsec.events.users.login.failure.auto.mode']).to eq('extended')
         expect(http_service_entry_span.tags['appsec.events.users.login.failure.usr.exists']).to eq('false')
 
         # NOTE: not implemented yet
@@ -255,7 +255,7 @@ def index
         expect(http_service_entry_trace.sampling_priority).to eq(Datadog::Tracing::Sampling::Ext::Priority::USER_KEEP)
 
         expect(http_service_entry_span.tags['appsec.events.users.signup.track']).to eq('true')
-        expect(http_service_entry_span.tags['_dd.appsec.events.users.signup.auto.mode']).to eq('identification')
+        expect(http_service_entry_span.tags['_dd.appsec.events.users.signup.auto.mode']).to eq('extended')
 
         # NOTE: not implemented yet
         # expect(http_service_entry_span.tags['appsec.events.users.signup.usr.login']).to eq('john.doe@example.com')