update 4x branch 20240513

.ci/Makefile

@@ -1,10 +1,7 @@
 SHELL = /bin/bash -eo pipefail
 MAKEFLAGS += --no-print-directory
 AWS_FOLDER = ../build/aws
-DIST_DIR = /build/dist/nodejs
 LAMBDA_LAYER_ZIP_FILE = ../build/dist/elastic-apm-node-lambda-layer.zip
-DOCKER_IMAGE_NAME = observability/apm-agent-nodejs
-DOCKER_REGISTRY = docker.elastic.co
 SUFFIX_ARN_FILE = arn-file.md
 AGENT_VERSION = $(subst v,,$(GITHUB_REF_NAME))
 MAJOR_VERSION = $(shell cut -d '.' -f 1 <<< $(AGENT_VERSION))
@@ -35,14 +32,6 @@ clean:
 env:
 	@env | sort
 
-# Create Docker image
-build-docker: validate-version
-	docker build -t $(DOCKER_REGISTRY)/$(DOCKER_IMAGE_NAME):$(AGENT_VERSION) \
-  --build-arg AGENT_DIR=$(DIST_DIR) ..
-
-push-docker: build-docker
-	../dev-utils/push-docker.sh $(DOCKER_REGISTRY) $(DOCKER_IMAGE_NAME) $(AGENT_VERSION)
-
 # List all the AWS regions
 get-all-aws-regions:
 	@mkdir -p $(AWS_FOLDER)
@@ -99,11 +88,6 @@ create-arn-file: validate-release-notes-url
 github-release: validate-ref-name
 	../dev-utils/github-release.sh "$(GITHUB_REF_NAME)" "$(AWS_FOLDER)/$(SUFFIX_ARN_FILE)"
 
-validate-version:
-ifndef AGENT_VERSION
-	$(error AGENT_VERSION is undefined)
-endif
-
 validate-ref-name:
 ifndef GITHUB_REF_NAME
 	$(error GITHUB_REF_NAME is undefined)

.ci/tav.json

@@ -1,5 +1,5 @@
 {
-  "versions": [ "21", "20", "18", "16", "14" ],
+  "versions": [ "22", "20", "18", "16", "14" ],
   "// modules": [
     "List of instrumented modules with the minimum Node major version supported.",
     "minMajorVersion for each module should be kept in sync with .tav.yml"

.github/workflows/edge.yml

@@ -32,7 +32,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        node: [ "22" ]
+        node: [ "23" ]
     steps:
       - uses: actions/checkout@v4
       - run: .ci/scripts/test.sh -b "nightly" "${{ matrix.node }}"
@@ -50,7 +50,8 @@ jobs:
       fail-fast: false
       matrix:
         node:
-          - "21"
+          - "23"
+          - "22"
           - "20"
           - "18"
     steps:

.github/workflows/release.yml

@@ -4,14 +4,20 @@ on:
   push:
     tags:
       - v*.*.*
+    branches:
+      - main
 
 permissions:
+  attestations: write
   contents: write
+  id-token: write
   pull-requests: read
 
 jobs:
   release:
     runs-on: ubuntu-latest
+    env:
+      DOCKER_IMAGE_NAME: docker.elastic.co/observability/apm-agent-nodejs
     steps:
       - uses: actions/checkout@v4
         with:
@@ -33,7 +39,41 @@ jobs:
 
       - run: make -C .ci dist
 
-      - run: make -C .ci push-docker
+      - name: Attest Lambda layer zip
+        uses: github-early-access/generate-build-provenance@main
+        with:
+          subject-path: "${{ github.workspace }}/build/aws/elastic-apm-node-lambda-layer-*.zip"
+
+      - name: Extract metadata (tags, labels)
+        id: docker-meta
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81  # v5.5.1
+        with:
+          images: ${{ env.DOCKER_IMAGE_NAME }}
+          flavor: |
+            latest=auto
+          tags: |
+            # "1.2.3" and "latest" Docker tags on push of git tag "v1.2.3"
+            type=semver,pattern={{version}}
+            # "edge" Docker tag on git push to default branch
+            type=edge
+
+      - name: Build and Push Docker Image
+        id: docker-push
+        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0  # v5.3.0
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.docker-meta.outputs.tags }}
+          labels: ${{ steps.docker-meta.outputs.labels }}
+          build-args: |
+            AGENT_DIR=/build/dist/nodejs
+
+      - name: Attest Docker image
+        uses: github-early-access/generate-build-provenance@main
+        with:
+          subject-name: "${{ env.DOCKER_IMAGE_NAME }}"
+          subject-digest: ${{ steps.docker-push.outputs.digest }}
+          push-to-registry: true
 
       - name: Read AWS vault secrets
         uses: hashicorp/vault-action@v3.0.0
@@ -46,12 +86,15 @@ jobs:
             secret/observability-team/ci/service-account/apm-aws-lambda access_key_id | AWS_ACCESS_KEY_ID ;
             secret/observability-team/ci/service-account/apm-aws-lambda secret_access_key | AWS_SECRET_ACCESS_KEY
 
-      - name: Publish AWS lambda
+      - name: Publish AWS lambda (only for tag release)
+        if: startsWith(github.ref, 'refs/tags')
         run: make -C .ci publish-in-all-aws-regions create-arn-file
         env:
           GH_TOKEN: ${{ github.token }}
 
-      - run: make -C .ci github-release
+      - name: create github release (only for tag release)
+        run: make -C .ci github-release
+        if: startsWith(github.ref, 'refs/tags')
         env:
           GH_TOKEN: ${{ github.token }}
 
@@ -66,12 +109,13 @@ jobs:
             secret/jenkins-ci/npmjs/elasticmachine token | NPMJS_TOKEN ;
             totp/code/npmjs-elasticmachine code | TOTP_CODE
 
-      - name: npm publish
+      - name: npm publish (only for tag release)
+        if: startsWith(github.ref, 'refs/tags')
         run: |-
           echo "//registry.npmjs.org/:_authToken=${{ env.NPMJS_TOKEN }}" > .npmrc
-          npm publish --otp=${{ env.TOTP_CODE }}
+          npm publish --otp=${{ env.TOTP_CODE }} --provenance
 
-      - if: always()
+      - if: ${{ always() && startsWith(github.ref, 'refs/tags') }}
         uses: elastic/apm-pipeline-library/.github/actions/notify-build-status@current
         with:
           vaultUrl: ${{ secrets.VAULT_ADDR }}

.github/workflows/test.yml

@@ -133,7 +133,7 @@ jobs:
           - "2181:2181"
         volumes:
           - nodezookeeperdata:/var/lib/zookeeper/data
-        
+
       kafka:
         image: bitnami/kafka:3.3.2
         ports:
@@ -154,8 +154,8 @@ jobs:
       fail-fast: false
       matrix:
         node:
-          - '21'
-          - '21.0'
+          - '22'
+          - '22.0'
           - '20'
           - '20.0'
           - '18'

CHANGELOG.asciidoc

@@ -33,6 +33,38 @@ Notes:
 
 See the <<upgrade-to-v4>> guide.
 
+[[release-notes-4.5.4]]
+==== 4.5.4 - 2024/05/13
+
+[float]
+===== Bug fixes
+
+- Change how the "cookie" HTTP request header is represented in APM transaction
+  data to avoid a rare, but possible, intake bug where the transaction could be
+  rejected due to a mapping conflict.
+
+  Before this change a `Cookie: foo=bar; sessionid=42` HTTP request header
+  would be represented in the transaction document in Elasticsearch with these
+  document fields (the example assumes <<sanitize-field-names>> matches
+  "sessionid", as it does by default):
+
+  ```
+  http.request.headers.cookie: "[REDACTED]"
+  ...
+  http.request.cookies.foo: "bar"
+  http.request.cookies.sessionid: "[REDACTED]"
+  ```
+
+  After this change it is represented as:
+
+  ```
+  http.request.headers.cookie: "foo=bar; sessionid=REDACTED"
+  ```
+
+  In other words, `http.request.cookies` are no longer separated out.
+  ({issues}4006[#4006])
+
+
 [[release-notes-4.5.3]]
 ==== 4.5.3 - 2024/04/23
 

lib/filters/sanitize-field-names.js

@@ -48,16 +48,17 @@ function redactKeysFromPostedFormVariables(body, requestHeaders, regexes) {
  *
  * @param {Object} obj The source object be copied with redacted fields
  * @param {Array<RegExp>} regexes RegExps to check if the entry value needd to be redacted
+ * @param {String} redactedStr The string to use for redacted values. Defaults to '[REDACTED]'.
  * @returns {Object} Copy of the source object with REDACTED entries or the original if falsy or regexes is not an array
  */
-function redactKeysFromObject(obj, regexes) {
+function redactKeysFromObject(obj, regexes, redactedStr = REDACTED) {
   if (!obj || !Array.isArray(regexes)) {
     return obj;
   }
   const result = {};
   for (const key of Object.keys(obj)) {
     const shouldRedact = regexes.some((regex) => regex.test(key));
-    result[key] = shouldRedact ? REDACTED : obj[key];
+    result[key] = shouldRedact ? redactedStr : obj[key];
   }
   return result;
 }

lib/parsers.js

@@ -20,6 +20,15 @@ const {
   redactKeysFromPostedFormVariables,
 } = require('./filters/sanitize-field-names');
 
+// When redacting individual cookie field values, this string is used instead
+// of `[REDACTED]`. The APM spec says:
+//    > The replacement string SHOULD be `[REDACTED]`.
+// We diverge from spec here because, for better or worse, the `cookie` module
+// does `encodeURIComponent/decodeURIComponent` encoding on cookie fields. If we
+// used the brackets, then the reconstructed cookie would look like
+// `foo=bar; session-id=%5BREDACTED%5D`, which isn't helpful.
+const COOKIE_VAL_REDACTED = 'REDACTED';
+
 /**
  * Extract appropriate `{transaction,error}.context.request` from an HTTP
  * request object. This handles header and body capture and redaction
@@ -61,14 +70,21 @@ function getContextFromRequest(req, conf, type) {
       conf.sanitizeFieldNamesRegExp,
     );
 
-    if (context.headers.cookie) {
-      context.cookies = cookie.parse(req.headers.cookie);
-      context.cookies = redactKeysFromObject(
-        context.cookies,
+    if (context.headers.cookie && context.headers.cookie !== REDACTED) {
+      let cookies = cookie.parse(req.headers.cookie);
+      cookies = redactKeysFromObject(
+        cookies,
         conf.sanitizeFieldNamesRegExp,
+        COOKIE_VAL_REDACTED,
       );
-      // Redact the cookie to avoid data duplication
-      context.headers.cookie = REDACTED;
+      try {
+        context.headers.cookie = Object.keys(cookies)
+          .map((k) => cookie.serialize(k, cookies[k]))
+          .join('; ');
+      } catch (_err) {
+        // Fallback to full redaction if there is an issue re-serializing.
+        context.headers.cookie = REDACTED;
+      }
     }
   }