.github/workflows/appsec.yml

@@ -21,7 +21,7 @@ jobs:
     strategy:
       matrix:
         runs-on: [ macos-12, macos-11, macos-10.15, ubuntu-22.04, ubuntu-20.04, ubuntu-18.04, windows-latest ]
-        go-version: [ 1.19, 1.18, 1.17 ]
+        go-version: [ "1.20", "1.19", "1.18" ]
         cgo_enabled: # test it compiles with and without cgo
           - 0
           - 1
@@ -68,7 +68,7 @@ jobs:
       image: golang:${{ matrix.go-version }}-${{ matrix.distribution }}
     strategy:
       matrix:
-        go-version: [ 1.19, 1.18, 1.17 ]
+        go-version: [ "1.20", "1.19", "1.18" ]
         distribution: [ bullseye, buster, alpine ]
         build_tags: # test it compiles with and without the appsec build tag
           - ""

.github/workflows/codeql-analysis.yml

@@ -25,11 +25,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@v2
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -40,7 +40,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      uses: github/codeql-action/autobuild@v2
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@v2

.github/workflows/main-branch-tests.yml

@@ -16,7 +16,7 @@ jobs:
   unit-integration-tests:
     strategy:
       matrix:
-        go-version: ["1.17", "1.18", "1.19"]
+        go-version: ["1.18", "1.19", "1.20"]
       fail-fast: false
     uses: ./.github/workflows/unit-integration-tests.yml
     with:
@@ -26,7 +26,7 @@ jobs:
     strategy:
       matrix:
         runs-on: [ macos-latest, windows-latest, ubuntu-latest ]
-        go-version: [ "1.17", "1.18", "1.19"]
+        go-version: ["1.18", "1.19", "1.20"]
       fail-fast: false
     uses: ./.github/workflows/multios-unit-tests.yml
     with:

.github/workflows/pull-request.yml

@@ -14,5 +14,5 @@ jobs:
     name: PR Unit and Integration Tests
     uses: ./.github/workflows/unit-integration-tests.yml
     with:
-      go-version: "1.17"
+      go-version: "1.18"
     secrets: inherit

.gitlab/scripts/analyze-results.sh

@@ -6,7 +6,7 @@ mkdir "${REPORTS_DIR}" || :
 
 # Change threshold for detection of regression
 # @see https://github.com/DataDog/relenv-benchmark-analyzer#what-is-a-significant-difference
-UNCONFIDENCE_THRESHOLD=2.0
+export UNCONFIDENCE_THRESHOLD=2.0
 
 CANDIDATE_COMMIT_SHA=$CI_COMMIT_SHA
 CANDIDATE_BRANCH=$CI_COMMIT_REF_NAME

.gitlab/scripts/run-benchmarks.sh

@@ -1,12 +1,18 @@
 #!/usr/bin/env bash
 
+set -x
+
 ARTIFACTS_DIR="/artifacts/${CI_JOB_ID}"
 mkdir -p "${ARTIFACTS_DIR}"
 
-git clone --branch ${CI_COMMIT_REF_NAME} https://github.com/DataDog/dd-trace-go
+git clone --branch "${CI_COMMIT_REF_NAME}" https://github.com/DataDog/dd-trace-go
 
 cd dd-trace-go/ddtrace/tracer/
 go test -run=XXX -bench "BenchmarkConcurrentTracing|BenchmarkStartSpan" -benchmem -count 10 -benchtime 2s ./... | tee ${ARTIFACTS_DIR}/pr_bench.txt
 
-git checkout main
+CANDIDATE_BRANCH="$CI_COMMIT_REF_NAME"
+BASELINE_BRANCH=$(github-find-merge-into-branch --for-repo="$CI_PROJECT_NAME" --for-pr="$CANDIDATE_BRANCH" || :)
+BASELINE_COMMIT_SHA=$(git merge-base "origin/$BASELINE_BRANCH" "origin/$CANDIDATE_BRANCH")
+
+git checkout "$BASELINE_COMMIT_SHA"
 go test -run=XXX -bench "BenchmarkConcurrentTracing|BenchmarkStartSpan" -benchmem -count 10 -benchtime 2s ./... | tee ${ARTIFACTS_DIR}/main_bench.txt

README.md

@@ -51,16 +51,16 @@ Datadog APM for Go is built upon dependencies defined in specific versions of th
 |--------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | <span id="support-ga">General Availability (GA)</span> | Full implementation of all features. Full support for new features, bug & security fixes.                                                                                    |
 | <span id="support-maintenance">Maintenance</span>      | Full implementation of existing features. May receive new features. Support for bug & security fixes only.                                                                   |
-| <span id="support-legacy">Legacy</span>                | Legacy implementation. May have limited function, but no maintenance provided. [Contact our customer support team for special requests.](https://www.datadoghq.com/support/) |
+| <span id="support-legacy">Legacy</span>                | Legacy implementation. May have limited function, but no maintenance provided. Not guaranteed to compile the latest version of dd-trace-go. [Contact our customer support team for special requests.](https://www.datadoghq.com/support/) |
 
 ### Supported Versions
 <!-- NOTE: When updating the below section ensure you update the minimum supported version listed in the public docs here: https://docs.datadoghq.com/tracing/setup_overview/setup/go/?tab=containers#compatibility-requirements -->
 | **Go Version** | **Support level**                   |
 |----------------|-------------------------------------|
+| 1.20           | [GA](#support-ga)                   |
 | 1.19           | [GA](#support-ga)                   |
-| 1.18           | [GA](#support-ga)                   |
-| 1.17           | [Maintenance](#support-maintenance) |
-| 1.16           | [Legacy](#support-legacy)           |
+| 1.18           | [Maintenance](#support-maintenance) |
+| 1.17           | [Legacy](#support-legacy)           |
 
 * Datadog's Trace Agent >= 5.21.1
 

appsec/appsec.go

@@ -18,6 +18,7 @@ import (
 	"gopkg.in/DataDog/dd-trace-go.v1/ddtrace/tracer"
 	"gopkg.in/DataDog/dd-trace-go.v1/internal/appsec"
 	"gopkg.in/DataDog/dd-trace-go.v1/internal/appsec/dyngo/instrumentation/httpsec"
+	"gopkg.in/DataDog/dd-trace-go.v1/internal/appsec/dyngo/instrumentation/sharedsec"
 	"gopkg.in/DataDog/dd-trace-go.v1/internal/log"
 )
 
@@ -34,20 +35,44 @@ func MonitorParsedHTTPBody(ctx context.Context, body interface{}) {
 	// bonus: use sync.Once to log a debug message once if AppSec is disabled
 }
 
+// SetUser wraps tracer.SetUser() and extends it with user blocking.
+// On top of associating the authenticated user information to the service entry span,
+// it checks whether the given user ID is blocked or not by returning an error when it is.
+// A user ID is blocked when it is present in your denylist of users to block at https://app.datadoghq.com/security/appsec/denylist
+// When an error is returned, the caller must immediately abort its execution and the
+// request handler's. The blocking response will be automatically sent by the
+// APM tracer middleware on use according to your blocking configuration.
+// This function always returns nil when appsec is disabled and doesn't block users.
+func SetUser(ctx context.Context, id string, opts ...tracer.UserMonitoringOption) error {
+	s, ok := tracer.SpanFromContext(ctx)
+	if !ok {
+		log.Debug("appsec: could not retrieve span from context. User ID tag won't be set")
+		return nil
+	}
+	tracer.SetUser(s, id, opts...)
+	if !appsec.Enabled() {
+		log.Debug("appsec: not enabled. User blocking checks won't be performed.")
+		return nil
+	}
+	return sharedsec.MonitorUser(ctx, id)
+}
+
 // TrackUserLoginSuccessEvent sets a successful user login event, with the given
 // user id and optional metadata, as service entry span tags. It also calls
-// tracer.SetUser() to set the currently identified user, along with the given
-// tracer.UserMonitoringOption options.
+// SetUser() to set the currently authenticated user, along with the given
+// tracer.UserMonitoringOption options. As documented in SetUser(), an
+// error is returned when the given user ID is blocked by your denylist. Cf.
+// SetUser()'s documentation for more details.
 // The service entry span is obtained through the given Go context which should
 // contain the currently running span. This function does nothing when no span
 // is found in the given Go context and logs an error message instead.
 // Such events trigger the backend-side events monitoring, such as the Account
 // Take-Over (ATO) monitoring, ultimately blocking the IP address and/or user id
 // associated to them.
-func TrackUserLoginSuccessEvent(ctx context.Context, uid string, md map[string]string, opts ...tracer.UserMonitoringOption) {
+func TrackUserLoginSuccessEvent(ctx context.Context, uid string, md map[string]string, opts ...tracer.UserMonitoringOption) error {
 	span := getRootSpan(ctx)
 	if span == nil {
-		return
+		return nil
 	}
 
 	const tagPrefix = "appsec.events.users.login.success."
@@ -56,7 +81,7 @@ func TrackUserLoginSuccessEvent(ctx context.Context, uid string, md map[string]s
 		span.SetTag(tagPrefix+k, v)
 	}
 	span.SetTag(ext.SamplingPriority, ext.PriorityUserKeep)
-	tracer.SetUser(span, uid, opts...)
+	return SetUser(ctx, uid, opts...)
 }
 
 // TrackUserLoginFailureEvent sets a failed user login event, with the given

appsec/appsec_test.go

@@ -14,6 +14,7 @@ import (
 	"gopkg.in/DataDog/dd-trace-go.v1/appsec"
 	"gopkg.in/DataDog/dd-trace-go.v1/ddtrace/mocktracer"
 	"gopkg.in/DataDog/dd-trace-go.v1/ddtrace/tracer"
+	privateAppsec "gopkg.in/DataDog/dd-trace-go.v1/internal/appsec"
 )
 
 func TestTrackUserLoginSuccessEvent(t *testing.T) {
@@ -135,6 +136,37 @@ func TestCustomEvent(t *testing.T) {
 	})
 }
 
+func TestSetUser(t *testing.T) {
+	t.Run("early-return/appsec-disabled", func(t *testing.T) {
+		mt := mocktracer.Start()
+		defer mt.Stop()
+		span, ctx := tracer.StartSpanFromContext(context.Background(), "example")
+		defer span.Finish()
+		err := appsec.SetUser(ctx, "usr.id")
+		require.NoError(t, err)
+	})
+
+	privateAppsec.Start()
+	defer privateAppsec.Stop()
+	if !privateAppsec.Enabled() {
+		t.Skip("AppSec needs to be enabled for this test")
+	}
+
+	t.Run("early-return/nil-ctx", func(t *testing.T) {
+		err := appsec.SetUser(nil, "usr.id")
+		require.NoError(t, err)
+	})
+
+	t.Run("no-early-return", func(t *testing.T) {
+		mt := mocktracer.Start()
+		defer mt.Stop()
+		span, ctx := tracer.StartSpanFromContext(context.Background(), "example")
+		defer span.Finish()
+		err := appsec.SetUser(ctx, "usr.id")
+		require.Nil(t, err)
+	})
+}
+
 func ExampleTrackUserLoginSuccessEvent() {
 	// Create an example span and set a user login success appsec event example to it.
 	span, ctx := tracer.StartSpanFromContext(context.Background(), "example")

appsec/example_test.go

@@ -60,3 +60,22 @@ func ExampleMonitorParsedHTTPBody_customContext() {
 
 	r.Start(":8080")
 }
+
+func userIDFromRequest(r *http.Request) string {
+	return r.Header.Get("user-id")
+}
+
+// Monitor and block requests depending on user ID
+func ExampleSetUser() {
+	mux := httptrace.NewServeMux()
+	mux.HandleFunc("/user", func(w http.ResponseWriter, r *http.Request) {
+		// We use SetUser() here to associate the user ID to the request's span. The return value
+		// can then be checked to decide whether to block the request or not.
+		// If it should be blocked, early exit from the handler.
+		if err := appsec.SetUser(r.Context(), userIDFromRequest(r)); err != nil {
+			return
+		}
+
+		w.Write([]byte("User monitored using AppSec SetUser SDK\n"))
+	})
+}

checkmilestone.go

@@ -16,6 +16,7 @@ import (
 	"net/http"
 	"os"
 	"strconv"
+	"strings"
 )
 
 func main() {
@@ -40,6 +41,16 @@ func main() {
 	resp.Body.Close()
 	if data.Milestone == nil {
 		exit(errors.New("Milestone not set."))
+	} else if m, ok := data.Milestone.(map[string]interface{}); ok {
+		title, ok := m["title"].(string)
+		if !ok {
+			exit(errors.New("Could not find milestone \"title\" in milestone map."))
+		}
+		if strings.ToLower(title) == "triage" {
+			exit(errors.New("PR's in the Triage milestone cannot be merged."))
+		}
+	} else {
+		exit(errors.New("Could not resolve milestone. checkmilestone.go likely needs to be updated."))
 	}
 	fmt.Println("Milestone check passed.")
 }

contrib/Shopify/sarama/sarama.go

@@ -50,10 +50,11 @@ func WrapPartitionConsumer(pc sarama.PartitionConsumer, opts ...Option) sarama.P
 				tracer.ServiceName(cfg.consumerServiceName),
 				tracer.ResourceName("Consume Topic " + msg.Topic),
 				tracer.SpanType(ext.SpanTypeMessageConsumer),
-				tracer.Tag("partition", msg.Partition),
+				tracer.Tag(ext.MessagingKafkaPartition, msg.Partition),
 				tracer.Tag("offset", msg.Offset),
 				tracer.Tag(ext.Component, "Shopify/sarama"),
 				tracer.Tag(ext.SpanKind, ext.SpanKindConsumer),
+				tracer.Tag(ext.MessagingSystem, "kafka"),
 				tracer.Measured(),
 			}
 			if !math.IsNaN(cfg.analyticsRate) {
@@ -262,6 +263,7 @@ func startProducerSpan(cfg *config, version sarama.KafkaVersion, msg *sarama.Pro
 		tracer.SpanType(ext.SpanTypeMessageProducer),
 		tracer.Tag(ext.Component, "Shopify/sarama"),
 		tracer.Tag(ext.SpanKind, ext.SpanKindProducer),
+		tracer.Tag(ext.MessagingSystem, "kafka"),
 	}
 	if !math.IsNaN(cfg.analyticsRate) {
 		opts = append(opts, tracer.Tag(ext.EventSampleRate, cfg.analyticsRate))
@@ -279,7 +281,7 @@ func startProducerSpan(cfg *config, version sarama.KafkaVersion, msg *sarama.Pro
 }
 
 func finishProducerSpan(span ddtrace.Span, partition int32, offset int64, err error) {
-	span.SetTag("partition", partition)
+	span.SetTag(ext.MessagingKafkaPartition, partition)
 	span.SetTag("offset", offset)
 	span.Finish(tracer.WithError(err))
 }

contrib/Shopify/sarama/sarama_test.go

@@ -71,14 +71,15 @@ func TestConsumer(t *testing.T) {
 		assert.Equal(t, spanctx.TraceID(), s.TraceID(),
 			"span context should be injected into the consumer message headers")
 
-		assert.Equal(t, int32(0), s.Tag("partition"))
+		assert.Equal(t, int32(0), s.Tag(ext.MessagingKafkaPartition))
 		assert.Equal(t, int64(0), s.Tag("offset"))
 		assert.Equal(t, "kafka", s.Tag(ext.ServiceName))
 		assert.Equal(t, "Consume Topic test-topic", s.Tag(ext.ResourceName))
 		assert.Equal(t, "queue", s.Tag(ext.SpanType))
 		assert.Equal(t, "kafka.consume", s.OperationName())
 		assert.Equal(t, "Shopify/sarama", s.Tag(ext.Component))
 		assert.Equal(t, ext.SpanKindConsumer, s.Tag(ext.SpanKind))
+		assert.Equal(t, "kafka", s.Tag(ext.MessagingSystem))
 	}
 	{
 		s := spans[1]
@@ -87,14 +88,15 @@ func TestConsumer(t *testing.T) {
 		assert.Equal(t, spanctx.TraceID(), s.TraceID(),
 			"span context should be injected into the consumer message headers")
 
-		assert.Equal(t, int32(0), s.Tag("partition"))
+		assert.Equal(t, int32(0), s.Tag(ext.MessagingKafkaPartition))
 		assert.Equal(t, int64(1), s.Tag("offset"))
 		assert.Equal(t, "kafka", s.Tag(ext.ServiceName))
 		assert.Equal(t, "Consume Topic test-topic", s.Tag(ext.ResourceName))
 		assert.Equal(t, "queue", s.Tag(ext.SpanType))
 		assert.Equal(t, "kafka.consume", s.OperationName())
 		assert.Equal(t, "Shopify/sarama", s.Tag(ext.Component))
 		assert.Equal(t, ext.SpanKindConsumer, s.Tag(ext.SpanKind))
+		assert.Equal(t, "kafka", s.Tag(ext.MessagingSystem))
 	}
 }
 
@@ -142,10 +144,11 @@ func TestSyncProducer(t *testing.T) {
 		assert.Equal(t, "queue", s.Tag(ext.SpanType))
 		assert.Equal(t, "Produce Topic my_topic", s.Tag(ext.ResourceName))
 		assert.Equal(t, "kafka.produce", s.OperationName())
-		assert.Equal(t, int32(0), s.Tag("partition"))
+		assert.Equal(t, int32(0), s.Tag(ext.MessagingKafkaPartition))
 		assert.Equal(t, int64(0), s.Tag("offset"))
 		assert.Equal(t, "Shopify/sarama", s.Tag(ext.Component))
 		assert.Equal(t, ext.SpanKindProducer, s.Tag(ext.SpanKind))
+		assert.Equal(t, "kafka", s.Tag(ext.MessagingSystem))
 	}
 }
 
@@ -196,9 +199,10 @@ func TestSyncProducerSendMessages(t *testing.T) {
 		assert.Equal(t, "queue", s.Tag(ext.SpanType))
 		assert.Equal(t, "Produce Topic my_topic", s.Tag(ext.ResourceName))
 		assert.Equal(t, "kafka.produce", s.OperationName())
-		assert.Equal(t, int32(0), s.Tag("partition"))
+		assert.Equal(t, int32(0), s.Tag(ext.MessagingKafkaPartition))
 		assert.Equal(t, "Shopify/sarama", s.Tag(ext.Component))
 		assert.Equal(t, ext.SpanKindProducer, s.Tag(ext.SpanKind))
+		assert.Equal(t, "kafka", s.Tag(ext.MessagingSystem))
 	}
 }
 
@@ -237,10 +241,11 @@ func TestAsyncProducer(t *testing.T) {
 			assert.Equal(t, "queue", s.Tag(ext.SpanType))
 			assert.Equal(t, "Produce Topic my_topic", s.Tag(ext.ResourceName))
 			assert.Equal(t, "kafka.produce", s.OperationName())
-			assert.Equal(t, int32(0), s.Tag("partition"))
+			assert.Equal(t, int32(0), s.Tag(ext.MessagingKafkaPartition))
 			assert.Equal(t, int64(0), s.Tag("offset"))
 			assert.Equal(t, "Shopify/sarama", s.Tag(ext.Component))
 			assert.Equal(t, ext.SpanKindProducer, s.Tag(ext.SpanKind))
+			assert.Equal(t, "kafka", s.Tag(ext.MessagingSystem))
 		}
 	})
 
@@ -277,10 +282,11 @@ func TestAsyncProducer(t *testing.T) {
 			assert.Equal(t, "queue", s.Tag(ext.SpanType))
 			assert.Equal(t, "Produce Topic my_topic", s.Tag(ext.ResourceName))
 			assert.Equal(t, "kafka.produce", s.OperationName())
-			assert.Equal(t, int32(0), s.Tag("partition"))
+			assert.Equal(t, int32(0), s.Tag(ext.MessagingKafkaPartition))
 			assert.Equal(t, int64(0), s.Tag("offset"))
 			assert.Equal(t, "Shopify/sarama", s.Tag(ext.Component))
 			assert.Equal(t, ext.SpanKindProducer, s.Tag(ext.SpanKind))
+			assert.Equal(t, "kafka", s.Tag(ext.MessagingSystem))
 		}
 	})
 }