Ensure usr.exists tag is not overridden by UsernameNotFoundException instrumentation (#8376)

Author: manuel-alvarez-alvarez

dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java

@@ -288,6 +288,12 @@ private Flow<Void> onLoginEvent(
       segment.setTagTop("_dd.appsec.events." + eventName + ".auto.mode", mode.fullName(), true);
     }
 
+    if (exists != null) {
+      if (mode == SDK || ctx.getUserLoginSource() != SDK) {
+        segment.setTagTop("appsec.events." + eventName + ".usr.exists", exists, true);
+      }
+    }
+
     final String user = anonymizeUser(mode, originalUser);
     if (user == null) {
       // can happen in custom events
@@ -312,10 +318,6 @@ private Flow<Void> onLoginEvent(
       segment.setTagTop("_dd.appsec.user.collection_mode", mode.fullName());
     }
 
-    if (exists != null) {
-      segment.setTagTop("appsec.events." + eventName + ".usr.exists", exists, true);
-    }
-
     // update user span tags
     segment.setTagTop("appsec.events." + eventName + ".usr.login", user, true);
 

dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/gateway/GatewayBridgeSpecification.groovy

@@ -1320,6 +1320,21 @@ class GatewayBridgeSpecification extends DDSpecification {
     0 * eventDispatcher.publishDataEvent
   }
 
+  void 'test onUserNotFound'() {
+    setup:
+    eventDispatcher.getDataSubscribers(_) >> nonEmptyDsInfo
+
+    when:
+    loginEventCB.apply(ctx, IDENTIFICATION, 'users.login.failure', exists, null, null)
+
+    then:
+    1 * traceSegment.setTagTop('appsec.events.users.login.failure.usr.exists', exists, true)
+    0 * eventDispatcher.publishDataEvent
+
+    where:
+    exists << [true, false]
+  }
+
   void 'test configuration updates should reset cached subscriptions'() {
     when:
     requestSessionCB.apply(ctx, UUID.randomUUID().toString())

dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/user/AppSecEventTrackerSpecification.groovy

@@ -198,7 +198,7 @@ class AppSecEventTrackerSpecification extends DDSpecification {
 
     then:
     if (mode != DISABLED) {
-      1 * traceSegment.setTagTop('appsec.events.users.login.failure.usr.exists', false)
+      1 * loginEvent.apply(_ as RequestContext, mode, 'users.login.failure', false, null, null) >> NoopFlow.INSTANCE
     }
     0 * _
 

internal-api/src/main/java/datadog/trace/api/appsec/AppSecEventTracker.java

@@ -14,7 +14,6 @@
 import datadog.trace.api.gateway.Flow;
 import datadog.trace.api.gateway.RequestContext;
 import datadog.trace.api.gateway.RequestContextSlot;
-import datadog.trace.api.internal.TraceSegment;
 import datadog.trace.bootstrap.ActiveSubsystems;
 import datadog.trace.bootstrap.instrumentation.api.AgentSpan;
 import datadog.trace.bootstrap.instrumentation.api.AgentTracer;
@@ -63,15 +62,9 @@ public void onUserNotFound(final UserIdCollectionMode mode) {
     if (!isEnabled(mode)) {
       return;
     }
-    final AgentTracer.TracerAPI tracer = tracer();
-    if (tracer == null) {
-      return;
-    }
-    final TraceSegment segment = tracer.getTraceSegment();
-    if (segment == null) {
-      return;
-    }
-    segment.setTagTop("appsec.events.users.login.failure.usr.exists", false);
+    dispatch(
+        EVENTS.loginEvent(),
+        (ctx, callback) -> callback.apply(ctx, mode, "users.login.failure", false, null, null));
   }
 
   public void onUserEvent(final UserIdCollectionMode mode, final String userId) {