Adds container tags support for DBM (#3708)

* Adds container tags support for DBM

* fix tests

* bwoebi review

* bump libdatadog

* cargo lock

* deactivate process tags for 8.3 as well

Author: dubloom

appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/docker/AppSecContainer.groovy

@@ -90,6 +90,7 @@ class AppSecContainer<SELF extends AppSecContainer<SELF>> extends GenericContain
         withEnv 'DD_TRACE_DEBUG', '1'
         withEnv 'DD_AUTOLOAD_NO_COMPILE', 'true' // must be exactly 'true'
         withEnv 'DD_TRACE_GIT_METADATA_ENABLED', '0'
+        withEnv 'DD_EXPERIMENTAL_PROPAGATE_PROCESS_TAGS_ENABLED', '0'
         withEnv 'DD_INSTRUMENTATION_TELEMETRY_ENABLED', '1'
         // very verbose:
         withEnv '_DD_DEBUG_SIDECAR_LOG_METHOD', 'file:///tmp/logs/sidecar.log'

components-rs/ddtrace.h

@@ -47,6 +47,8 @@ ddog_Configurator *ddog_library_configurator_new_dummy(bool debug_logs, ddog_Cha
 
 int posix_spawn_file_actions_addchdir_np(void *file_actions, const char *path);
 
+uint64_t dd_fnv1a_64(const uint8_t *data, uintptr_t len);
+
 const char *ddog_normalize_process_tag_value(ddog_CharSlice tag_value);
 
 void ddog_free_normalized_tag_value(const char *ptr);

components-rs/lib.rs

@@ -156,6 +156,24 @@ pub unsafe extern "C" fn posix_spawn_file_actions_addchdir_np(
 }
 
 const MAX_TAG_VALUE_LENGTH: usize = 100;
+const DD_FNV_PRIME: u64 = 1_099_511_628_211;
+const DD_FNV_OFFSET_BASIS: u64 = 14_695_981_039_346_656_037;
+
+#[no_mangle]
+pub unsafe extern "C" fn dd_fnv1a_64(data: *const u8, len: usize) -> u64 {
+    if data.is_null() || len == 0 {
+        return DD_FNV_OFFSET_BASIS;
+    }
+
+    let bytes = std::slice::from_raw_parts(data, len);
+    let mut hash = DD_FNV_OFFSET_BASIS;
+    for byte in bytes {
+        hash ^= u64::from(*byte);
+        hash = hash.wrapping_mul(DD_FNV_PRIME);
+    }
+
+    hash
+}
 
 #[no_mangle]
 pub extern "C" fn ddog_normalize_process_tag_value(

components-rs/sidecar.h

@@ -401,6 +401,12 @@ struct ddog_AgentInfoReader *ddog_get_agent_info_reader(const struct ddog_Endpoi
  */
 ddog_CharSlice ddog_get_agent_info_env(struct ddog_AgentInfoReader *reader, bool *changed);
 
+/**
+ * Gets the container tags hash from agent info (or empty if not existing)
+ */
+ddog_CharSlice ddog_get_agent_info_container_tags_hash(struct ddog_AgentInfoReader *reader,
+                                                       bool *changed);
+
 void ddog_send_traces_to_sidecar(ddog_TracesBytes *traces,
                                  struct ddog_SenderParameters *parameters);
 

ext/agent_info.c

@@ -2,6 +2,7 @@
 #include "ddtrace.h"
 #include "sidecar.h"
 #include "configuration.h"
+#include "process_tags.h"
 
 ZEND_EXTERN_MODULE_GLOBALS(ddtrace);
 
@@ -20,3 +21,18 @@ void ddtrace_agent_info_rinit() {
         DDTRACE_G(agent_info_reader) = ddog_get_agent_info_reader(ddtrace_endpoint);
     }
 }
+
+void ddtrace_get_container_tags_hash(void) {
+    if (DDTRACE_G(agent_info_reader)) {
+        bool changed;
+        ddog_CharSlice hash = ddog_get_agent_info_container_tags_hash(
+            DDTRACE_G(agent_info_reader),
+            &changed
+        );
+        if (hash.len > 0) {
+            zend_string *hash_str = zend_string_init(hash.ptr, hash.len, 1);
+            ddtrace_process_tags_set_container_tags_hash(hash_str);
+            zend_string_release(hash_str);
+        }
+    }
+}

ext/agent_info.h

@@ -1,7 +1,11 @@
 #ifndef DD_AGENT_INFO_H
 #define DD_AGENT_INFO_H
 
+#include <stddef.h>
+#include "Zend/zend_types.h"
+
 void ddtrace_check_agent_info_env(void);
 void ddtrace_agent_info_rinit(void);
+void ddtrace_get_container_tags_hash(void);
 
 #endif // DD_AGENT_INFO_H

ext/configuration.h

@@ -231,6 +231,7 @@ enum ddtrace_sidecar_connection_mode {
     CONFIG(STRING, DD_TRACE_AGENT_TEST_SESSION_TOKEN, "", .ini_change = ddtrace_alter_test_session_token)      \
     CONFIG(BOOL, DD_TRACE_PROPAGATE_USER_ID_DEFAULT, "false")                                                  \
     CONFIG(CUSTOM(INT), DD_DBM_PROPAGATION_MODE, "disabled", .parser = dd_parse_dbm_mode)                      \
+    CONFIG(BOOL, DD_DBM_INJECT_SQL_BASEHASH, "false")                                                          \
     CONFIG(CUSTOM(INT), DD_TRACE_SIDECAR_CONNECTION_MODE, "auto", .parser = dd_parse_sidecar_connection_mode) \
     CONFIG(SET, DD_TRACE_WORDPRESS_ADDITIONAL_ACTIONS, "")                                                     \
     CONFIG(BOOL, DD_TRACE_WORDPRESS_CALLBACKS, "true")                                                         \

ext/ddtrace.c

@@ -1720,6 +1720,8 @@ static void dd_initialize_request(void) {
 
     ddtrace_agent_info_rinit();
 
+    ddtrace_get_container_tags_hash();
+
     // Reset compile time after request init hook has compiled
     ddtrace_compile_time_reset();
 
@@ -2583,6 +2585,17 @@ PHP_FUNCTION(DDTrace_System_container_id) {
     }
 }
 
+PHP_FUNCTION(DDTrace_System_process_tags_base_hash) {
+    UNUSED(execute_data);
+
+    zend_string *base_hash = ddtrace_process_tags_get_base_hash();
+    if (base_hash) {
+        RETVAL_STRINGL(ZSTR_VAL(base_hash), ZSTR_LEN(base_hash));
+    } else {
+        RETURN_NULL();
+    }
+}
+
 PHP_FUNCTION(DDTrace_Testing_trigger_error) {
     ddtrace_string message;
     ddtrace_zpplong_t error_type;
@@ -3028,6 +3041,20 @@ PHP_FUNCTION(dd_trace_internal_fn) {
             ddtrace_generate_runtime_id();
             ddtrace_force_new_instance_id();
             RETURN_TRUE;
+        } else if (FUNCTION_NAME_MATCHES("reload_process_tags")) {
+            if (ddtrace_process_tags_enabled()) {
+                ddtrace_process_tags_reload();
+                ddtrace_sidecar_update_process_tags();
+            }
+            RETVAL_TRUE;
+        } else if (params_count == 1 && FUNCTION_NAME_MATCHES("set_container_tags_hash")) {
+            zval *container_tags_hash = ZVAL_VARARG_PARAM(params, 0);
+            if (Z_TYPE_P(container_tags_hash) == IS_STRING) {
+                ddtrace_process_tags_set_container_tags_hash(Z_STR_P(container_tags_hash));
+                RETVAL_TRUE;
+            } else {
+                RETVAL_FALSE;
+            }
         } else if (FUNCTION_NAME_MATCHES("synchronous_flush")) {
             uint32_t timeout = 100;
             if (params_count == 1) {

ext/ddtrace.stub.php

@@ -849,6 +849,16 @@ function add_endpoint(string $path, string $operation_name, string $resource_nam
      * @return string|null The container id, or 'null' if no id was found
      */
     function container_id(): string|null {}
+
+    /**
+     * Get the process tags base hash
+     *
+     * Returns the FNV-1a 64-bit hash of serialized process tags combined with container tags hash.
+     * This hash is used for Database Monitoring to correlate queries with application processes.
+     *
+     * @return string|null The base hash as a binary string (8 bytes), or 'null' if process tags are disabled or not computed
+     */
+    function process_tags_base_hash(): string|null {}
 }
 
 namespace DDTrace\Config {

ext/ddtrace_arginfo.h

@@ -177,6 +177,8 @@ ZEND_END_ARG_INFO()
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_DDTrace_System_container_id, 0, 0, IS_STRING, 1)
 ZEND_END_ARG_INFO()
 
+#define arginfo_DDTrace_System_process_tags_base_hash arginfo_DDTrace_System_container_id
+
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_DDTrace_Config_integration_analytics_enabled, 0, 1, _IS_BOOL, 0)
 	ZEND_ARG_TYPE_INFO(0, integrationName, IS_STRING, 0)
 ZEND_END_ARG_INFO()
@@ -390,6 +392,7 @@ ZEND_FUNCTION(DDTrace_resource_weak_get);
 ZEND_FUNCTION(DDTrace_are_endpoints_collected);
 ZEND_FUNCTION(DDTrace_add_endpoint);
 ZEND_FUNCTION(DDTrace_System_container_id);
+ZEND_FUNCTION(DDTrace_System_process_tags_base_hash);
 ZEND_FUNCTION(DDTrace_Config_integration_analytics_enabled);
 ZEND_FUNCTION(DDTrace_Config_integration_analytics_sample_rate);
 ZEND_FUNCTION(DDTrace_UserRequest_has_listeners);
@@ -483,6 +486,7 @@ static const zend_function_entry ext_functions[] = {
 	ZEND_RAW_FENTRY(ZEND_NS_NAME("DDTrace", "are_endpoints_collected"), zif_DDTrace_are_endpoints_collected, arginfo_DDTrace_are_endpoints_collected, 0, NULL, NULL)
 	ZEND_RAW_FENTRY(ZEND_NS_NAME("DDTrace", "add_endpoint"), zif_DDTrace_add_endpoint, arginfo_DDTrace_add_endpoint, 0, NULL, NULL)
 	ZEND_RAW_FENTRY(ZEND_NS_NAME("DDTrace\\System", "container_id"), zif_DDTrace_System_container_id, arginfo_DDTrace_System_container_id, 0, NULL, NULL)
+	ZEND_RAW_FENTRY(ZEND_NS_NAME("DDTrace\\System", "process_tags_base_hash"), zif_DDTrace_System_process_tags_base_hash, arginfo_DDTrace_System_process_tags_base_hash, 0, NULL, NULL)
 	ZEND_RAW_FENTRY(ZEND_NS_NAME("DDTrace\\Config", "integration_analytics_enabled"), zif_DDTrace_Config_integration_analytics_enabled, arginfo_DDTrace_Config_integration_analytics_enabled, 0, NULL, NULL)
 	ZEND_RAW_FENTRY(ZEND_NS_NAME("DDTrace\\Config", "integration_analytics_sample_rate"), zif_DDTrace_Config_integration_analytics_sample_rate, arginfo_DDTrace_Config_integration_analytics_sample_rate, 0, NULL, NULL)
 	ZEND_RAW_FENTRY(ZEND_NS_NAME("DDTrace\\UserRequest", "has_listeners"), zif_DDTrace_UserRequest_has_listeners, arginfo_DDTrace_UserRequest_has_listeners, 0, NULL, NULL)