fix patch logic

ddtrace/_monkey.py

@@ -5,6 +5,7 @@
 
 from wrapt.importer import when_imported
 
+from ddtrace.appsec import load_common_appsec_modules
 from ddtrace.internal.telemetry.constants import TELEMETRY_NAMESPACE
 from ddtrace.settings.asm import config as asm_config
 
@@ -246,10 +247,7 @@ def patch_all(**patch_modules):
         patch_iast()
         enable_iast_propagation()
 
-    if asm_config._load_modules:
-        from ddtrace.appsec import load_common_appsec_modules
-
-        load_common_appsec_modules()
+    load_common_appsec_modules()
 
 
 def patch(raise_errors=True, **patch_modules):

ddtrace/appsec/__init__.py

@@ -1,5 +1,6 @@
+# this module must not load any other appsec module
+
 from ddtrace.internal import core
-from ddtrace.settings.asm import config as asm_config
 
 
 _APPSEC_TO_BE_LOADED = True
@@ -28,7 +29,9 @@ def load_iast():
 
 def load_common_appsec_modules():
     """Lazily load the common module patches."""
-    if (asm_config._ep_enabled and asm_config._asm_enabled) or asm_config._iast_enabled:
+    from ddtrace.settings.asm import config as asm_config
+
+    if asm_config._load_modules:
         from ddtrace.appsec._common_module_patches import patch_common_modules
 
         patch_common_modules()

ddtrace/appsec/_common_module_patches.py

@@ -44,6 +44,10 @@ def is_iast_request_enabled() -> bool:
 
 def patch_common_modules():
     global _is_patched
+    # ensure that the subprocess patch is applied even after one click activation
+    subprocess_patch.patch()
+    subprocess_patch.add_str_callback(_RASP_SYSTEM, wrapped_system_5542593D237084A7)
+    subprocess_patch.add_lst_callback(_RASP_POPEN, popen_FD233052260D8B4D)
     if _is_patched:
         return
     # for testing purposes, we need to update is_iast_request_enabled
@@ -60,10 +64,6 @@ def is_iast_request_enabled() -> bool:
     try_wrap_function_wrapper("urllib.request", "OpenerDirector.open", wrapped_open_ED4CF71136E15EBF)
     try_wrap_function_wrapper("_io", "BytesIO.read", wrapped_read_F3E51D71B4EC16EF)
     try_wrap_function_wrapper("_io", "StringIO.read", wrapped_read_F3E51D71B4EC16EF)
-    # ensure that the subprocess patch is applied even after one click activation
-    subprocess_patch.patch()
-    subprocess_patch.add_str_callback(_RASP_SYSTEM, wrapped_system_5542593D237084A7)
-    subprocess_patch.add_lst_callback(_RASP_POPEN, popen_FD233052260D8B4D)
     core.on("asm.block.dbapi.execute", execute_4C9BAC8E228EB347)
     if asm_config._iast_enabled:
         from ddtrace.appsec._iast._metrics import _set_metric_iast_instrumented_sink

ddtrace/settings/asm.py

@@ -224,25 +224,25 @@ class ASMConfig(Env):
 
     def __init__(self):
         super().__init__()
-        # Is one click available?
-        self._eval_asm_can_be_enabled()
         if not self._asm_libddwaf_available:
             self._asm_enabled = False
             self._asm_can_be_enabled = False
             self._iast_enabled = False
             self._api_security_enabled = False
         if not self._iast_supported:
             self._iast_enabled = False
-        self._load_modules: bool = bool(
-            self._iast_supported or (self._ep_enabled and (self._asm_enabled or self._asm_can_be_enabled))
-        )
+        # Is one click available?
+        self._eval_asm_can_be_enabled()
 
     def reset(self):
         """For testing purposes, reset the configuration to its default values given current environment variables."""
         self.__init__()
 
     def _eval_asm_can_be_enabled(self):
         self._asm_can_be_enabled = APPSEC_ENV not in os.environ and tracer_config._remote_config_enabled
+        self._load_modules: bool = bool(
+            self._iast_supported or (self._ep_enabled and (self._asm_enabled or self._asm_can_be_enabled))
+        )
 
     @property
     def _api_security_feature_active(self) -> bool: