5 changes: 5 additions & 0 deletions manifests/java.yml
Expand Up @@ -4225,6 +4225,11 @@ manifest:
tests/test_standard_tags.py::Test_StandardTagsMethod::test_method_trace:
- weblog_declaration:
spring-boot-payara: missing_feature (This weblog variant is currently not accepting TRACE)
tests/test_standard_tags.py::Test_StandardTagsNetworkClientIp:
- weblog_declaration:
"*": v0.93.0
spring-boot-3-native: irrelevant (GraalVM. Tracing support only)
tests/test_standard_tags.py::Test_StandardTagsNetworkClientIp::test_network_client_ip: missing_feature (APPSEC-62219)
tests/test_standard_tags.py::Test_StandardTagsReferrerHostname: missing_feature
tests/test_standard_tags.py::Test_StandardTagsRoute:
- weblog_declaration:
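Review bot: The class-level floor `"*": v0.93.0` on Test_StandardTagsNetworkClientIp, combined with the method-level `missing_feature (APPSEC-62219)` on test_network_client_ip, leaves only test_network_client_ip_with_attack active from v0.93.0, and nothing on these lines says why that version was chosen. Add a trailing comment stating that v0.93.0 is the floor for the attack case, and confirm it is not lower than the floor this file uses for Test_StandardTagsClientIp, because the new test also asserts that http.client_ip equals the x-client-ip value.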
1 change: 1 addition & 0 deletions manifests/nodejs.yml
Expand Up @@ -2342,6 +2342,7 @@ manifest:
nextjs: missing_feature # nextjs makes some internal requests, so we have more than 1 rootspans
tests/test_standard_tags.py::Test_StandardTagsClientIp::test_client_ip_with_appsec_event_and_vendor_headers: *ref_4_19_0
tests/test_standard_tags.py::Test_StandardTagsMethod: v2.11.0
tests/test_standard_tags.py::Test_StandardTagsNetworkClientIp::test_network_client_ip: missing_feature (APPSEC-62220)
tests/test_standard_tags.py::Test_StandardTagsReferrerHostname: missing_feature
tests/test_standard_tags.py::Test_StandardTagsRoute:
- weblog_declaration:
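Review bot: Only ::test_network_client_ip gets a rule in this hunk, so test_network_client_ip_with_attack is left unspecified and is therefore enabled for every nodejs tracer version. The neighbouring entries carry floors (`Test_StandardTagsMethod: v2.11.0`, `*ref_4_19_0` for the vendor-header client IP case); add a class-level floor for Test_StandardTagsNetworkClientIp, as the java manifest does with `"*": v0.93.0`, and keep the method-level missing_feature beneath it.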
1 change: 1 addition & 0 deletions manifests/php.yml
Expand Up @@ -1057,6 +1057,7 @@ manifest:
tests/test_span_events.py: incomplete_test_app (Weblog `/add_event` not implemented)
tests/test_standard_tags.py::Test_StandardTagsMethod: v0.75.0
tests/test_standard_tags.py::Test_StandardTagsMethod::test_method_trace: irrelevant (Trace method does not reach php-land)
tests/test_standard_tags.py::Test_StandardTagsNetworkClientIp::test_network_client_ip: missing_feature (APPSEC-62222)
tests/test_standard_tags.py::Test_StandardTagsReferrerHostname: v1.9.0
tests/test_standard_tags.py::Test_StandardTagsRoute: missing_feature
tests/test_standard_tags.py::Test_StandardTagsStatusCode: v0.75.0
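Review bot: test_network_client_ip_with_attack is not covered by the added line, which names only ::test_network_client_ip. Every other Test_StandardTags entry in this hunk is either a version floor (v0.75.0, v1.9.0) or an explicit status, so give the attack case its own floor or status instead of leaving it implicit.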
1 change: 1 addition & 0 deletions manifests/python.yml
Expand Up @@ -2195,6 +2195,7 @@ manifest:
uwsgi-poc: v4.3.1 # Modified by easy win activation script
tests/test_standard_tags.py::Test_StandardTagsClientIp: v2.7.0
tests/test_standard_tags.py::Test_StandardTagsMethod: v1.2.1
tests/test_standard_tags.py::Test_StandardTagsNetworkClientIp: bug (APPSEC-62204)
tests/test_standard_tags.py::Test_StandardTagsReferrerHostname: v3.4.0
tests/test_standard_tags.py::Test_StandardTagsRoute:
- weblog_declaration:
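Review bot: `bug (APPSEC-62204)` is applied to the whole Test_StandardTagsNetworkClientIp class, so it also switches off test_network_client_ip_with_attack, whereas the other manifests in this change mark only ::test_network_client_ip and use missing_feature. If the bug affects only one of the two methods, scope the rule to that method; otherwise add a trailing comment saying what fails, since the ticket id alone does not tell a reader whether network.client.ip is absent or wrong.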
1 change: 1 addition & 0 deletions manifests/ruby.yml
Expand Up @@ -1961,6 +1961,7 @@ manifest:
tests/test_standard_tags.py::Test_StandardTagsClientIp: v1.10.1
tests/test_standard_tags.py::Test_StandardTagsClientIp::test_client_ip_with_appsec_event_and_vendor_headers: missing_feature (missing fastly-client-ip, cf-connecting-ip, cf-connecting-ipv6)
tests/test_standard_tags.py::Test_StandardTagsMethod: v1.8.0
tests/test_standard_tags.py::Test_StandardTagsNetworkClientIp::test_network_client_ip: missing_feature (APPSEC-62224)
tests/test_standard_tags.py::Test_StandardTagsReferrerHostname: missing_feature
tests/test_standard_tags.py::Test_StandardTagsRoute:
- weblog_declaration:
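Review bot: The added rule covers only ::test_network_client_ip, while `Test_StandardTagsClientIp: v1.10.1` at the top of this hunk shows that client IP tagging has a version floor in ruby. Both new tests assert `http_client_ip == self.PUBLIC_IP`, so test_network_client_ip_with_attack is expected to fail below that version; declare a class-level v1.10.1 floor for Test_StandardTagsNetworkClientIp and keep the method-level missing_feature.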
46 changes: 46 additions & 0 deletions tests/test_standard_tags.py
Expand Up @@ -206,6 +206,52 @@ def test_route(self):
interfaces.library.add_span_tag_validation(request=self.r, tags=tags)


@features.security_events_metadata
@scenarios.go_proxies_default
@scenarios.default
class Test_StandardTagsNetworkClientIp:
Comment on lines +210 to +212
P1 Badge Gate network client IP tests by supported tracer versions

Adding this class enables it by default in DEFAULT and GO_PROXIES_DEFAULT for any library/version that lacks an explicit manifest rule, because unspecified tests are treated as enabled (see docs/edit/manifest.md). That creates a regression for older tracer versions that still do not emit http.client_ip/network.client.ip (the existing Test_StandardTagsClientIp is version-gated per language, e.g. in manifests/nodejs.yml and manifests/java.yml), so test_network_client_ip_with_attack can start failing in release-version runs. Please add class/method manifest gating for this new class with the same support floor as client-ip tagging.

Useful? React with 👍 / 👎.

"""Tests to verify that libraries annotate spans with correct network.client.ip tags.
This can run on any scenario with either DD_APPSEC_ENABLED=true or DD_TRACE_CLIENT_IP_ENABLED=true.
"""

PUBLIC_IP = "43.43.43.43"

def _setup(self, endpoint: str = "/", extra_headers: dict[str, str] | None = None):
headers = {"x-client-ip": self.PUBLIC_IP}
if extra_headers:
headers.update(extra_headers)
self.r = weblog.get(endpoint, headers=headers)

def _test(self):
span = interfaces.library.get_root_span(self.r)
assert span
meta = span.get("meta", {})
assert meta
assert "network.client.ip" in meta
network_client_ip = meta["network.client.ip"]
assert network_client_ip
assert network_client_ip != self.PUBLIC_IP
# http.client_ip resolves proxy headers, while network.client.ip does not, so both should be different here.
http_client_ip = meta.get("http.client_ip")
assert http_client_ip
Comment thread
smola marked this conversation as resolved.
assert network_client_ip != http_client_ip
assert http_client_ip == self.PUBLIC_IP

def setup_network_client_ip(self):
self._setup()

def test_network_client_ip(self):
"""Test network.client.ip is reported and different from http.client_ip."""
self._test()

def setup_network_client_ip_with_attack(self):
self._setup(endpoint="/waf", extra_headers={"user-agent": "Arachni/v1"})

def test_network_client_ip_with_attack(self):
"""Test network.client.ip is reported on ASM attacks. This is a special case to map the legacy behavior where this header would only be added on attacks, and not the general case."""
self._test()


@rfc("https://datadoghq.atlassian.net/wiki/spaces/APS/pages/2118779066/Client+IP+addresses+resolution")
@features.security_events_metadata
@scenarios.go_proxies_default
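Review bot: In `_test`, network.client.ip is only checked for being non-empty and different from PUBLIC_IP and http.client_ip, so any non-empty string (a hostname, "unknown", an address with a port attached) would pass. Parse the value with `ipaddress.ip_address(network_client_ip)` so the test proves the tag holds a valid peer address that the x-client-ip header did not influence. The docstring of test_network_client_ip_with_attack also calls network.client.ip a "header"; it is a span tag, and the bare `assert` statements would be easier to triage with a message naming the tag that failed.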