Fix APM Disablement V1 (ASM Standalone)

[vpellan]

What does this PR do?

This PR fixes multiple bugs on APM Disablement V1 (aka ASM Standalone) when it was activated:

• When HTTP frameworks (Net::HTTP, RestClient, Excon, Faraday...) were instrumented, the sampling_priority was set to MANUAL_REJECT if tags contained _dd.p.appsec (which was used to check for upstream propagated appsec events), then not sampled later due to a change in the sampler in this PR This was fixed by making this check during the building step of a trace from a digest (which also means that it now works even if an HTTP framework is not instrumented)
• Distributed tracing was skipped only for Net::HTTP (in case of upstream or local security event). It now skips it on every HTTP frameworks supported, but also Sidekiq and GRPC.
• The APM Tracing disabled tag (_dd.apm.enabled=0) was not added when appsec was disabled. It is now fixed and the code related to it was moved to Tracing
• Added tests that actually tests APM disablement heartbeat traces (ASM Standalone too) and cleaned related tests

Motivation:

When I tried to activate SCA Standalone system-tests, I discovered that disabling AppSec and disabling APM Tracing would result in heartbeat traces not sending dd.apm.enabled=0 tag. During my investigation, I discovered more bugs (listed above).
This is also a step towards APM Disablement V2. For now, the variables are still called after appsec standalone, but this will change to APM disablement in the future and lose all reference to asm standalone, as it is in fact an APM feature.

Change log entry

None.

Additional Notes:

This PR should be followed soon by APM Disablement V2, which will replace the env var by DD_APM_TRACING_ENABLED, and every config/variable referencing asm standalone to apm disablement.

I understand that there might be some concerns about AppSec stuff being in APM territory but this is mostly a matter of naming that will be fixed when APM Disablement V2 will be released. In the V2, I will replace any instance of Datadog.configuration.appsec.standalone.enabled by Datadog.configuration.tracing.apm.disabled, Datadog::AppSec::Ext::TAG_DISTRIBUTED_APPSEC_EVENT by something like Datadog::Tracing::Ext::TAG_DISTRIBUTED_TRACE_SOURCE (_dd.p.ts, which will be a bitmask). The only exception might be in the propagate_sampling_priority? method, in tracer.rb, where we check if AppSec is activated.

How to test the change?

CI and system-tests

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 99.71751% with 1 line in your changes missing coverage. Please review.

Project coverage is 97.69%. Comparing base (2f427f8) to head (def4da4).
Report is 65 commits behind head on master.

Files with missing lines	Patch %	Lines
lib/datadog/tracing/distributed/circuit_breaker.rb	91.66%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #4479      +/-   ##
==========================================
- Coverage   97.70%   97.69%   -0.01%     
==========================================
  Files        1375     1382       +7     
  Lines       83812    83987     +175     
  Branches     4251     4249       -2     
==========================================
+ Hits        81887    82054     +167     
- Misses       1925     1933       +8     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[datadog-datadog-prod-us1]

Datadog Report

Branch report: vpellan/fix-sca-standalone
Commit report: def4da4
Test service: dd-trace-rb

✅ 0 Failed, 20565 Passed, 1370 Skipped, 3m 18.38s Total Time

[pr-commenter]

Benchmarks

Benchmark execution time: 2025-03-12 14:46:19

Comparing candidate commit def4da4 in PR branch vpellan/fix-sca-standalone with baseline commit 2f427f8 in branch master.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 31 metrics, 2 unstable metrics.

[TonyCTHsu]

FYI: Currently, there is a karafka integration under review which contains distributed tracing mechanism

[TonyCTHsu]

I feel like I am seeing this piece of logic repeatedly several times, perhaps it make sense to encapsulate this from an AppSec module and be reused at multiple places?

The method can be stateless or depends on configuration and the contract is basically returning a boolean.

[vpellan]

Thanks, I will investigate that, although I don't think it should be in an AppSec module, as in the V2, this will not contain any reference to AppSec (appsec.standalone will be replaced by tracing.apm and APPSEC_EVENT will be replaced by TRACE_SOURCE)

[vpellan]

Fixed in 91f2f68

[vpellan]

FYI: Currently, there is a karafka integration under review which contains distributed tracing mechanism

What is the process for this kind of situation ? If I merge to master first, should I myself add a commit on the Karafka integration to add APM Disablement capabilities ? (Of course if the other way around happens I could just rebase and add it here)

[TonyCTHsu]

What is the process for this kind of situation ?

I would suggest not to wait on it. However, it would be much welcomed to encapsulate the logic so that the pattern can be adopted easily.

[p-datadog]

If the method takes configuration as arguments, why is this line reading global config?

The method would be much more understandable if the types of parameters were listed.

[p-datadog]

"there APM" is a typo or broken grammar?

[p-datadog]

This method is hard to understand not knowing the type of upstream_tags.