DataDog · simon-id · Sep 11, 2024 · Sep 11, 2024 · Sep 11, 2024 · Sep 11, 2024
diff --git a/index.d.ts b/index.d.ts
@@ -655,12 +655,24 @@ declare namespace tracer {
        */
       eventTracking?: {
         /**
-         * Controls the automated user event tracking mode. Possible values are disabled, safe and extended.
-         * On safe mode, any detected Personally Identifiable Information (PII) about the user will be redacted from the event.
-         * On extended mode, no redaction will take place.
-         * @default 'safe'
+         * Controls the automated user tracking mode for user IDs and logins collections. Possible values:
+         * *  'anonymous': will hash user IDs and user logins before collecting them
+         * *  'anon': alias for 'anonymous'
+         * *  'safe': deprecated alias for 'anonymous'
+         * 
+         * *  'identification': will collect user IDs and logins without redaction
+         * *  'ident': alias for 'identification'
+         * *  'extended': deprecated alias for 'identification'
+         * 
+         * *  'disabled': will not collect user IDs and logins
+         * 
+         * Unknown values will be considered as 'disabled'
+         * @default 'ident'
          */
-        mode?: 'safe' | 'extended' | 'disabled'
+        mode?:
+          'anonymous' | 'anon' | 'safe' |
+          'identification' | 'ident' | 'extended' |
+          'disabled'
       },
       /**
        * Configuration for Api Security

@@ -100,6 +100,7 @@ module.exports = {
   oracledb: () => require('../oracledb'),
   openai: () => require('../openai'),
   paperplane: () => require('../paperplane'),
+  passport: () => require('../passport'),
   'passport-http': () => require('../passport-http'),
   'passport-local': () => require('../passport-local'),
   pg: () => require('../pg'),

@@ -24,6 +24,7 @@ addHook({ name: httpNames }, http => {
   shimmer.wrap(http.Server.prototype, 'emit', wrapEmit)
   shimmer.wrap(http.ServerResponse.prototype, 'writeHead', wrapWriteHead)
   shimmer.wrap(http.ServerResponse.prototype, 'write', wrapWrite)
+  http.ServerResponse.prototype._originalEnd = http.ServerResponse.prototype.end
   shimmer.wrap(http.ServerResponse.prototype, 'end', wrapEnd)
   shimmer.wrap(http.ServerResponse.prototype, 'setHeader', wrapSetHeader)
   shimmer.wrap(http.ServerResponse.prototype, 'removeHeader', wrapAppendOrRemoveHeader)

diff --git a/packages/datadog-instrumentations/src/passport-http.js b/packages/datadog-instrumentations/src/passport-http.js
@@ -1,22 +1,10 @@
 'use strict'
 
-const shimmer = require('../../datadog-shimmer')
 const { addHook } = require('./helpers/instrument')
-const { wrapVerify } = require('./passport-utils')
+const { strategyHook } = require('./passport-utils')
 
 addHook({
   name: 'passport-http',
   file: 'lib/passport-http/strategies/basic.js',
   versions: ['>=0.3.0']
-}, BasicStrategy => {
-  return shimmer.wrapFunction(BasicStrategy, BasicStrategy => function () {
-    const type = 'http'
-
-    if (typeof arguments[0] === 'function') {
-      arguments[0] = wrapVerify(arguments[0], false, type)
-    } else {
-      arguments[1] = wrapVerify(arguments[1], (arguments[0] && arguments[0].passReqToCallback), type)
-    }
-    return BasicStrategy.apply(this, arguments)
-  })
-})
+}, strategyHook)
diff --git a/packages/datadog-instrumentations/src/passport-local.js b/packages/datadog-instrumentations/src/passport-local.js
@@ -1,22 +1,10 @@
 'use strict'
 
-const shimmer = require('../../datadog-shimmer')
 const { addHook } = require('./helpers/instrument')
-const { wrapVerify } = require('./passport-utils')
+const { strategyHook } = require('./passport-utils')
 
 addHook({
   name: 'passport-local',
   file: 'lib/strategy.js',
   versions: ['>=1.0.0']
-}, Strategy => {
-  return shimmer.wrapFunction(Strategy, Strategy => function () {
-    const type = 'local'
-
-    if (typeof arguments[0] === 'function') {
-      arguments[0] = wrapVerify(arguments[0], false, type)
-    } else {
-      arguments[1] = wrapVerify(arguments[1], (arguments[0] && arguments[0].passReqToCallback), type)
-    }
-    return Strategy.apply(this, arguments)
-  })
-})
+}, strategyHook)
diff --git a/packages/datadog-instrumentations/src/passport-utils.js b/packages/datadog-instrumentations/src/passport-utils.js
@@ -5,33 +5,57 @@ const { channel } = require('./helpers/instrument')
 
 const passportVerifyChannel = channel('datadog:passport:verify:finish')
 
-function wrapVerifiedAndPublish (username, password, verified, type) {
-  if (!passportVerifyChannel.hasSubscribers) {
-    return verified
-  }
+function wrapVerifiedAndPublish (framework, username, verified) {
+  return shimmer.wrapFunction(verified, function wrapVerify (verified) {
+    return function wrappedVerified (err, user) {
+      // if there is an error, it's neither an auth success nor a failure
+      if (!err) {
+        const abortController = new AbortController()
+
+        passportVerifyChannel.publish({ framework, login: username, user, success: !!user, abortController })
+
+        if (abortController.signal.aborted) return
+      }
 
-  // eslint-disable-next-line n/handle-callback-err
-  return shimmer.wrapFunction(verified, verified => function (err, user, info) {
-    const credentials = { type, username }
-    passportVerifyChannel.publish({ credentials, user })
-    return verified.apply(this, arguments)
+      return verified.apply(this, arguments)
+    }
   })
 }
 
-function wrapVerify (verify, passReq, type) {
-  if (passReq) {
-    return function (req, username, password, verified) {
-      arguments[3] = wrapVerifiedAndPublish(username, password, verified, type)
-      return verify.apply(this, arguments)
+function wrapVerify (verify) {
+  return function wrappedVerify (req, username, password, verified) {
+    if (passportVerifyChannel.hasSubscribers) {
+      const framework = `passport-${this.name}`
+
+      // replace the callback with our own wrapper to get the result
+      if (this._passReqToCallback) {
+        arguments[3] = wrapVerifiedAndPublish(framework, arguments[1], arguments[3])
+      } else {
+        arguments[2] = wrapVerifiedAndPublish(framework, arguments[0], arguments[2])
+      }
     }
-  } else {
-    return function (username, password, verified) {
-      arguments[2] = wrapVerifiedAndPublish(username, password, verified, type)
-      return verify.apply(this, arguments)
+
+    return verify.apply(this, arguments)
+  }
+}
+
+function wrapStrategy (Strategy) {
+  return function wrappedStrategy () {
+    // verify function can be either the first or second argument
+    if (typeof arguments[0] === 'function') {
+      arguments[0] = wrapVerify(arguments[0])
+    } else {
+      arguments[1] = wrapVerify(arguments[1])
     }
+
+    return Strategy.apply(this, arguments)
   }
 }
 
+function strategyHook (Strategy) {
+  return shimmer.wrapFunction(Strategy, wrapStrategy)
+}
+
 module.exports = {
-  wrapVerify
+  strategyHook
 }
@@ -0,0 +1,87 @@
+'use strict'
+
+const shimmer = require('../../datadog-shimmer')
+const { channel, addHook } = require('./helpers/instrument')
+
+/* TODO: test with:
+passport-jwt JWTs
+  can be used both for login events, or as a session, that complicates things it think
+  maybe instrument this lib directly, and ofc only send the events after it was verified
+@nestjs/passport
+pasport-local
+passport-oauth2
+passport-google-oauth20
+passport-custom
+passport-http
+passport-http-bearer
+koa-passport
+*/
+
+const onPassportDeserializeUserChannel = channel('datadog:passport:deserializeUser:finish')
+
+function wrapDone (req, done) {
+  // eslint-disable-next-line n/handle-callback-err
+  return function wrappedDone (err, user) {
+    if (user) {
+      const abortController = new AbortController()
+
+      // express-session middleware sets req.sessionID, it's required to use passport sessions anyway so might as well use it ?
+      // what if session IDs are using rolling sessions or always changing or something idk ?
+      onPassportDeserializeUserChannel.publish({ req, user, sessionId: req.sessionID, abortController })
+
+      if (abortController.signal.aborted) return
+    }
+
+    return done.apply(this, arguments)
+  }
+}
+
+function wrapDeserializeUser (deserializeUser) {
+  return function wrappedDeserializeUser (fn, req, done) {
+    if (typeof req === 'function') {
+      done = req
+      // req = storage.getStore().get('req')
+      arguments[1] = wrapDone(done)
+    } else {
+      arguments[2] = wrapDone(done)
+    }
+
+    return deserializeUser.apply(this, arguments)
+  }
+}
+
+
+const { block } = require('../../dd-trace/src/appsec/blocking')
+const { getRootSpan } = require('../../dd-trace/src/appsec/sdk/utils')
+
+addHook({
+  name: 'passport',
+  file: 'lib/authenticator.js',
+  versions: ['>=0.3.0'] // TODO
+}, Authenticator => {
+  shimmer.wrap(Authenticator.prototype, 'deserializeUser', wrapDeserializeUser)
+
+  shimmer.wrap(Authenticator.prototype, 'authenticate', function wrapAuthenticate (authenticate) {
+    return function wrappedAuthenticate (name) {
+      const middleware = authenticate.apply(this, arguments)
+
+      const strategy = this._strategy(name)
+
+      strategy._verify
+
+      return function wrappedMiddleware (req, res, next) {
+        return middleware(req, res, function wrappedNext (err) {
+          console.log('NEW', req.user)
+          if (req.user?.name === 'bitch') {
+
+            return block(req, res, getRootSpan(global._ddtrace))
+          }
+
+          return next.apply(this, arguments)
+        })
+      }
+    }
+  })
+
+  return Authenticator
+})
diff --git a/packages/dd-trace/src/appsec/addresses.js b/packages/dd-trace/src/appsec/addresses.js
@@ -1,5 +1,6 @@
 'use strict'
 
+// TODO: reorder all this, it's a mess
 module.exports = {
   HTTP_INCOMING_BODY: 'server.request.body',
   HTTP_INCOMING_QUERY: 'server.request.query',
@@ -20,6 +21,8 @@ module.exports = {
   HTTP_CLIENT_IP: 'http.client_ip',
 
   USER_ID: 'usr.id',
+  USER_LOGIN: 'usr.login',
+
   WAF_CONTEXT_PROCESSOR: 'waf.context.processor',
 
   HTTP_OUTGOING_URL: 'server.io.net.url',

@@ -115,7 +115,7 @@ function block (req, res, rootSpan, abortController, actionParameters = defaultB
     res.removeHeader(headerName)
   }
 
-  res.writeHead(statusCode, headers).end(body)
+  res.writeHead(statusCode, headers)._originalEnd(body)
 
   responseBlockedSet.add(res)
 

@@ -13,6 +13,7 @@ module.exports = {
   apolloServerCoreChannel: dc.tracingChannel('datadog:apollo-server-core:request'),
   incomingHttpRequestStart: dc.channel('dd-trace:incomingHttpRequestStart'),
   incomingHttpRequestEnd: dc.channel('dd-trace:incomingHttpRequestEnd'),
+  passportUser: dc.channel('datadog:passport:deserializeUser:finish'),
   passportVerify: dc.channel('datadog:passport:verify:finish'),
   queryParser: dc.channel('datadog:query:read:finish'),
   setCookieChannel: dc.channel('datadog:iast:set-cookie'),

@@ -9,6 +9,7 @@
   multerParser,
   incomingHttpRequestStart,
   incomingHttpRequestEnd,
+  passportUser,
   passportVerify,
   queryParser,
   nextBodyParsed,
@@ -27,7 +28,7 @@
 const { extractIp } = require('../plugins/util/ip_extractor')
 const { HTTP_CLIENT_IP } = require('../../../../ext/tags')
 const { isBlocked, block, setTemplates, getBlockingAction } = require('./blocking')
-const { passportTrackEvent } = require('./passport')
+const UserTracking = require('./user_tracking')
 const { storage } = require('../../../datadog-core')
 const graphql = require('./graphql')
 const rasp = require('./rasp')
@@ -58,11 +59,15 @@
 
     apiSecuritySampler.configure(_config.appsec)
 
+    UserTracking.setCollectionMode(_config.appsec.eventTracking.mode, false)
+
     bodyParser.subscribe(onRequestBodyParsed)
     multerParser.subscribe(onRequestBodyParsed)
     cookieParser.subscribe(onRequestCookieParser)
     incomingHttpRequestStart.subscribe(incomingHttpStartTranslator)
     incomingHttpRequestEnd.subscribe(incomingHttpEndTranslator)
+    passportUser.subscribe(onPassportDeserializeUser)
+    passportVerify.subscribe(onPassportVerify) // possible optimization: only subscribe if collection mode is enabled
     queryParser.subscribe(onRequestQueryParsed)
     nextBodyParsed.subscribe(onRequestBodyParsed)
     nextQueryParsed.subscribe(onRequestQueryParsed)
@@ -71,10 +76,6 @@
     responseWriteHead.subscribe(onResponseWriteHead)
     responseSetHeader.subscribe(onResponseSetHeader)
 
-    if (_config.appsec.eventTracking.enabled) {
-      passportVerify.subscribe(onPassportVerify)
-    }
-
     isEnabled = true
     config = _config
   } catch (err) {
@@ -180,7 +181,19 @@
   Reporter.finishRequest(req, res)
 }
 
-function onPassportVerify ({ credentials, user }) {
+function onPassportDeserializeUser ({ req, user, sessionId, abordController }) {
+  UserTracking.trackUser(user)
+
+  if (sessionId && typeof sessionId === 'string') {
+    const results = waf.run({
+      persistent: {
+        'usr.session_id': sessionId
+      }
+    })
+  }
+}
+
+function onPassportVerify ({ framework, login, user, success, abortController }) {
   const store = storage.getStore()
   const rootSpan = store?.req && web.root(store.req)
 
@@ -189,7 +202,9 @@
     return
   }
 
-  passportTrackEvent(credentials, user, rootSpan, config.appsec.eventTracking.mode)
+  const results = UserTracking.trackLogin(framework, login, user, success, rootSpan)
+
+  handleResults(results, store.req, store.req.res, rootSpan, abortController)
 }
 
 function onRequestQueryParsed ({ req, res, query, abortController }) {