[INS-240] Datadog detector verification fix #4616
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
MuneebUllahKhan222
changed the title
kashifkhan0771
requested changes
Dec 24, 2025
MuneebUllahKhan222
changed the base branch from
main
to
datadog-detector-multi-endpoint
2 tasks
MuneebUllahKhan222
changed the base branch from
datadog-detector-multi-endpoint
to
main
kashifkhan0771
requested changes
Dec 26, 2025
Comment on lines
+115
to
+124
| if len(uniqueFoundUrls) == 0 { | ||
| // In case no endpoints were found in data, use the default cloud endpoint | ||
| s.UseCloudEndpoint(true) | ||
| endpoints = s.Endpoints() | ||
| } else { | ||
| // In case endpoints were found in data, use them | ||
| // also add cloud endpoint at the end so if not validated against found endpoints, try cloud endpoint as well | ||
| endpoints = s.configureEndpoints(uniqueFoundUrls) | ||
| endpoints = append(endpoints, s.CloudEndpoint()) | ||
| } |
Contributor
There was a problem hiding this comment.
UseCloudEndpoint defaults to true when no endpoints are configured. I think it’s clearer to reverse the condition and explicitly disable it only when we find endpoints in the data:
// If we found any endpoints in the data, disable the cloud endpoint
// and validate only against the found endpoints.
if len(uniqueFoundUrls) > 0 {
s.UseCloudEndpoint(false)
}
// Endpoints behavior:
// A) If the user configured endpoints, only those will be returned.
// B) If endpoints were found in the data, only those will be returned.
// C) If neither applies, it will return only cloud endpoint.
endpoints = s.Endpoints(uniqueFoundUrls...)
Contributor
There was a problem hiding this comment.
After this, we can drop the configureEndpoints function and normalize the endpoints:
for i, endpoint := range endpoints {
// Normalize endpoints so they all share the same format.
// - User-configured endpoints may be missing "https://"
// - Discovered endpoints also omit the scheme
if !strings.HasPrefix(endpoint, "https://") {
endpoint = "https://" + endpoint
}
// Ensure all endpoints end with "/api"
// (user-configured and cloud endpoints may omit it)
if !strings.HasSuffix(endpoint, "/api") {
endpoint = endpoint + "/api"
}
endpoints[i] = endpoint
}
// At this point, all endpoints start with "https://" and end with "/api",
// so they’re ready for direct use.
Contributor
There was a problem hiding this comment.
This can be normalized even more I believe but this seems like a reasonable good approach to me.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description:
Datadog token verification previously relied on an App-key–dependent endpoint (/api/v2/users) to validate the Application Key + API Key combination. If this endpoint returned an error (for example, due to insufficient App Key permissions), the detector would mark the token as unverified and skip API key validation entirely.
This behavior caused valid Datadog API keys to be reported as unverified, resulting in false negatives.
To resolve this issue I have done the following changes:
Treat /api/v2/users as the primary verification path for App + API key combinations
Add a fallback verification step using the API-key–only validation endpoint when App key verification fails
Avoid calling the fallback endpoint when App key verification succeeds
Ensure valid API keys are marked verified even when the App key lacks required permissions
Checklist:
make test-community)?make lintthis requires golangci-lint)?