Skip to content

[APPSEC-62616] Add inferred proxy spans#5681

Merged
Strech merged 26 commits into
masterfrom
appsec-62616-inferred-proxy-span
May 12, 2026
Merged

[APPSEC-62616] Add inferred proxy spans#5681
Strech merged 26 commits into
masterfrom
appsec-62616-inferred-proxy-span

Conversation

@Strech

@Strech Strech commented May 5, 2026

Copy link
Copy Markdown
Member

What does this PR do?

It's adding inferred spans for apps behind the AWS Gateway.

Motivation:

This is missing part for the tracer that comes to from Endpoint Discovery & Correlation from Inferred Spans RFC.

Change log entry

Yes. Add inferred proxy spans for AWS Gateway.

Additional Notes:

  1. I've enforced ST, to be on the safe side
  2. We don't have a way now to propagate arbitrary tags and I have to put some AppSec tags into propagation, but it's just names, maybe we should come up with communication between products via standard interface (like active support notification, it's on my list)

How to test the change?

CI + ST

@dd-octo-sts dd-octo-sts Bot added integrations Involves tracing integrations tracing labels May 5, 2026
@datadog-prod-us1-5

datadog-prod-us1-5 Bot commented May 5, 2026

Copy link
Copy Markdown

Tests

🎉 All green!

❄️ No new flaky tests detected
🧪 All tests passed

🎯 Code Coverage (details)
Patch Coverage: 100.00%
Overall Coverage: 97.15% (+0.02%)

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 0fb0d0d | Docs | Datadog PR Page | Give us feedback!

@pr-commenter

pr-commenter Bot commented May 5, 2026

Copy link
Copy Markdown

Benchmarks

Benchmark execution time: 2026-05-12 16:04:25

Comparing candidate commit 0fb0d0d in PR branch appsec-62616-inferred-proxy-span with baseline commit 421d0e9 in branch master.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 45 metrics, 1 unstable metrics.

Explanation

This is an A/B test comparing a candidate commit's performance against that of a baseline commit. Performance changes are noted in the tables below as:

  • 🟩 = significantly better candidate vs. baseline
  • 🟥 = significantly worse candidate vs. baseline

We compute a confidence interval (CI) over the relative difference of means between metrics from the candidate and baseline commits, considering the baseline as the reference.

If the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD), the change is considered significant.

Feel free to reach out to #apm-benchmarking-platform on Slack if you have any questions.

More details about the CI and significant changes

You can imagine this CI as a range of values that is likely to contain the true difference of means between the candidate and baseline commits.

CIs of the difference of means are often centered around 0%, because often changes are not that big:

---------------------------------(------|---^--------)-------------------------------->
                              -0.6%    0%  0.3%     +1.2%
                                 |          |        |
         lower bound of the CI --'          |        |
sample mean (center of the CI) -------------'        |
         upper bound of the CI ----------------------'

As described above, a change is considered significant if the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD).

For instance, for an execution time metric, this confidence interval indicates a significantly worse performance:

----------------------------------------|---------|---(---------^---------)---------->
                                       0%        1%  1.3%      2.2%      3.1%
                                                  |   |         |         |
       significant impact threshold --------------'   |         |         |
                      lower bound of CI --------------'         |         |
       sample mean (center of the CI) --------------------------'         |
                      upper bound of CI ----------------------------------'

@Strech
Strech force-pushed the appsec-62616-inferred-proxy-span branch 2 times, most recently from cbf4f0e to 98704bb Compare May 8, 2026 18:34
@Strech
Strech marked this pull request as ready for review May 8, 2026 18:41
@Strech
Strech requested review from a team as code owners May 8, 2026 18:41
@Strech
Strech requested review from mabdinur and y9v May 8, 2026 18:41

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 98704bb977

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread lib/datadog/tracing/contrib/rack/trace_proxy_middleware.rb Outdated
Comment thread lib/datadog/tracing/contrib/rack/trace_proxy_middleware.rb Outdated
Comment thread lib/datadog/tracing/contrib/rack/trace_proxy_middleware.rb Outdated
@dd-octo-sts dd-octo-sts Bot added the core Involves Datadog core libraries label May 11, 2026
Comment thread lib/datadog/tracing/contrib/rack/trace_proxy_middleware.rb Outdated
Strech and others added 14 commits May 11, 2026 15:57
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Add tests for: unknown proxy type, absent request timing, partial
optional headers, user_agent propagation, quoted region (API Gateway v1),
and missing HTTP method fallback. Fix double invocation in apigateway
context and strengthen priority test assertions.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
- Replace AppSec::Ext constant with string literals to avoid module
  coupling between tracing and appsec layers
- Strip single quotes from region header (API Gateway v1 format)
- Guard resource construction when HTTP method header is absent
- Only pass start_time to trace when present (avoid nil in options)
- Restore original comments in request_queuing code path
- Mark new proxy constants as @!visibility private

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
All other tracers (Go, .NET, PHP, Python, Java) propagate exceptions
to the inferred proxy parent span. Add rescue Exception matching the
pattern in Rack::TraceMiddleware so the proxy span carries error tags.

Force inferred proxy system-tests in CI via forced-tests-list.cfg.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Respects user-configured http_error_statuses by copying the rack
span's status directly rather than re-evaluating the status code.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Skip inferred span entirely when x-dd-proxy-request-time-ms is
missing or non-numeric instead of defaulting to current time.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Only set trace resource to proxy resource when no framework (Rails,
Sinatra) has already claimed it, using resource_override? guard
matching Rack::TraceMiddleware behavior.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
@Strech
Strech force-pushed the appsec-62616-inferred-proxy-span branch from adce2c3 to e11ef3b Compare May 11, 2026 13:59
@Strech

Strech commented May 11, 2026

Copy link
Copy Markdown
Member Author

System tests require update to the latest SHA. Will wait for tomorrow

I did an update via workflow

@zarirhamza zarirhamza left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From a functionality POV, the PR creates the desired experience for APIGW. Serverless approves!

Comment thread lib/datadog/tracing/contrib/rack/trace_proxy_middleware.rb Outdated
@Strech
Strech merged commit 95a7a3d into master May 12, 2026
584 checks passed
@Strech
Strech deleted the appsec-62616-inferred-proxy-span branch May 12, 2026 16:30
@dd-octo-sts dd-octo-sts Bot added this to the 2.33.0 milestone May 12, 2026
@Strech Strech mentioned this pull request May 13, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

core Involves Datadog core libraries integrations Involves tracing integrations tracing

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants