Merge branch 'master' into alexeyk/debug-ci-timeout

Author: AlexeyKuznetsov-DD

build.gradle.kts

@@ -12,7 +12,7 @@ plugins {
   id("io.github.gradle-nexus.publish-plugin") version "2.0.0"
 
   id("com.gradleup.shadow") version "8.3.6" apply false
-  id("me.champeau.jmh") version "0.7.0" apply false
+  id("me.champeau.jmh") version "0.7.3" apply false
   id("org.gradle.playframework") version "0.13" apply false
   id("info.solidsoft.pitest") version "1.9.11" apply false
 }

dd-java-agent/agent-bootstrap/build.gradle

@@ -63,7 +63,7 @@ idea {
 }
 
 jmh {
-  jmhVersion = '1.32'
+  jmhVersion = libs.versions.jmh.get()
   duplicateClassesStrategy = DuplicatesStrategy.EXCLUDE
 }
 

dd-java-agent/agent-debugger/src/main/java/com/datadog/debugger/sink/DebuggerSink.java

@@ -23,6 +23,11 @@ public class DebuggerSink {
   private static final long LOW_RATE_INITIAL_FLUSH_INTERVAL = 1000;
   static final long LOW_RATE_STEP_SIZE = 200;
   private static final String PREFIX = "debugger.sink.";
+  private static final String DROPPED_REQ_METRIC = PREFIX + "dropped.requests";
+  private static final String UPLOAD_REMAINING_CAP_METRIC =
+      PREFIX + "upload.queue.remaining.capacity";
+  private static final String CURRENT_FLUSH_INTERVAL_METRIC = PREFIX + "current.flush.interval";
+  private static final String SKIP_METRIC = PREFIX + "skip";
 
   private final ProbeStatusSink probeStatusSink;
   private final SnapshotSink snapshotSink;
@@ -109,7 +114,7 @@ public SymbolSink getSymbolSink() {
   public void addSnapshot(Snapshot snapshot) {
     boolean added = snapshotSink.addLowRate(snapshot);
     if (!added) {
-      debuggerMetrics.count(PREFIX + "dropped.requests", 1);
+      debuggerMetrics.count(DROPPED_REQ_METRIC, 1);
     } else {
       probeStatusSink.addEmitting(snapshot.getProbe().getProbeId());
     }
@@ -120,7 +125,7 @@ public void addHighRateSnapshot(Snapshot snapshot) {
     if (!added) {
       long dropped = highRateDropped.incrementAndGet();
       if (dropped % 100 == 0) {
-        debuggerMetrics.count(PREFIX + "dropped.requests", 100);
+        debuggerMetrics.count(DROPPED_REQ_METRIC, 100);
       }
     } else {
       probeStatusSink.addEmitting(snapshot.getProbe().getProbeId());
@@ -151,9 +156,8 @@ void lowRateFlush(DebuggerSink ignored) {
   }
 
   private void reconsiderLowRateFlushInterval(DebuggerSink debuggerSink) {
-    debuggerMetrics.histogram(
-        PREFIX + "upload.queue.remaining.capacity", snapshotSink.remainingCapacity());
-    debuggerMetrics.histogram(PREFIX + "current.flush.interval", currentLowRateFlushInterval);
+    debuggerMetrics.histogram(UPLOAD_REMAINING_CAP_METRIC, snapshotSink.remainingCapacity());
+    debuggerMetrics.histogram(CURRENT_FLUSH_INTERVAL_METRIC, currentLowRateFlushInterval);
     doReconsiderLowRateFlushInterval();
   }
 
@@ -225,7 +229,7 @@ private void reportError(ProbeId probeId, DiagnosticMessage msg) {
 
   /** Notifies the snapshot was skipped for one of the SkipCause reason */
   public void skipSnapshot(String probeId, SkipCause cause) {
-    debuggerMetrics.incrementCounter(PREFIX + "skip", cause.tag(), "probe_id:" + probeId);
+    debuggerMetrics.incrementCounter(SKIP_METRIC, cause.tag(), "probe_id:" + probeId);
   }
 
   long getCurrentLowRateFlushInterval() {

dd-java-agent/agent-iast/build.gradle

@@ -112,7 +112,7 @@ spotless {
 }
 
 jmh {
-  jmhVersion = '1.28'
+  jmhVersion = libs.versions.jmh.get()
   duplicateClassesStrategy = DuplicatesStrategy.EXCLUDE
 }
 

dd-java-agent/agent-tooling/build.gradle

@@ -63,7 +63,7 @@ dependencies {
 }
 
 jmh {
-  jmhVersion = '1.32'
+  jmhVersion = libs.versions.jmh.get()
   includeTests = true
 }
 compileJmhJava.dependsOn compileTestJava

dd-java-agent/appsec/build.gradle

@@ -51,7 +51,7 @@ processResources {
 }
 
 jmh {
-  jmhVersion = '1.32'
+  jmhVersion = libs.versions.jmh.get()
   duplicateClassesStrategy = DuplicatesStrategy.EXCLUDE
   jvmArgs = ['-Ddd.appsec.enabled=true -Xms64m -Xmx64m']
   failOnError = false

dd-java-agent/appsec/src/main/java/com/datadog/appsec/config/AppSecConfigServiceImpl.java

@@ -60,11 +60,11 @@
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashMap;
-import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.atomic.AtomicBoolean;
 import okio.Okio;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -99,7 +99,11 @@ public class AppSecConfigServiceImpl implements AppSecConfigService {
 
   private boolean hasUserWafConfig;
   private boolean defaultConfigActivated;
-  private final Set<String> usedDDWafConfigKeys = new HashSet<>();
+  private final AtomicBoolean subscribedToRulesAndData = new AtomicBoolean();
+  private final Set<String> usedDDWafConfigKeys =
+      Collections.newSetFromMap(new ConcurrentHashMap<>());
+  private final Set<String> ignoredConfigKeys =
+      Collections.newSetFromMap(new ConcurrentHashMap<>());
   private final String DEFAULT_WAF_CONFIG_RULE = "DEFAULT_WAF_CONFIG";
   private String currentRuleVersion;
   private List<AppSecModule> modulesToUpdateVersionIn;
@@ -122,13 +126,15 @@ private void subscribeConfigurationPoller() {
     subscribeAsmFeatures();
 
     if (!hasUserWafConfig) {
-      subscribeRulesAndData();
+      updateRulesAndDataSubscription();
     } else {
       log.debug("Will not subscribe to ASM, ASM_DD and ASM_DATA (AppSec custom rules in use)");
     }
 
     this.configurationPoller.addConfigurationEndListener(applyRemoteConfigListener);
+  }
 
+  private long getRulesAndDataCapabilities() {
     long capabilities =
         CAPABILITY_ASM_DD_RULES
             | CAPABILITY_ASM_IP_BLOCKING
@@ -154,13 +160,36 @@ private void subscribeConfigurationPoller() {
         capabilities |= CAPABILITY_ASM_RASP_LFI;
       }
     }
-    this.configurationPoller.addCapabilities(capabilities);
+    return capabilities;
+  }
+
+  private void updateRulesAndDataSubscription() {
+    if (hasUserWafConfig) {
+      return; // do nothing if the customer has custom rules
+    }
+    if (AppSecSystem.isActive()) {
+      subscribeRulesAndData();
+    } else {
+      unsubscribeRulesAndData();
+    }
   }
 
   private void subscribeRulesAndData() {
-    this.configurationPoller.addListener(Product.ASM_DD, new AppSecConfigChangesDDListener());
-    this.configurationPoller.addListener(Product.ASM_DATA, new AppSecConfigChangesListener());
-    this.configurationPoller.addListener(Product.ASM, new AppSecConfigChangesListener());
+    if (subscribedToRulesAndData.compareAndSet(false, true)) {
+      this.configurationPoller.addListener(Product.ASM_DD, new AppSecConfigChangesDDListener());
+      this.configurationPoller.addListener(Product.ASM_DATA, new AppSecConfigChangesListener());
+      this.configurationPoller.addListener(Product.ASM, new AppSecConfigChangesListener());
+      this.configurationPoller.addCapabilities(getRulesAndDataCapabilities());
+    }
+  }
+
+  private void unsubscribeRulesAndData() {
+    if (subscribedToRulesAndData.compareAndSet(true, false)) {
+      this.configurationPoller.removeListeners(Product.ASM_DD);
+      this.configurationPoller.removeListeners(Product.ASM_DATA);
+      this.configurationPoller.removeListeners(Product.ASM);
+      this.configurationPoller.removeCapabilities(getRulesAndDataCapabilities());
+    }
   }
 
   public void modulesToUpdateVersionIn(List<AppSecModule> modules) {
@@ -175,19 +204,21 @@ private class AppSecConfigChangesListener implements ProductListener {
     @Override
     public void accept(ConfigKey configKey, byte[] content, PollingRateHinter pollingRateHinter)
         throws IOException {
-      maybeInitializeDefaultConfig();
-
       if (content == null) {
-        try {
-          wafBuilder.removeConfig(configKey.toString());
-        } catch (UnclassifiedWafException e) {
-          throw new RuntimeException(e);
-        }
+        remove(configKey, pollingRateHinter);
+        return;
+      }
+      final String key = configKey.toString();
+      Map<String, Object> contentMap =
+          ADAPTER.fromJson(Okio.buffer(Okio.source(new ByteArrayInputStream(content))));
+      if (contentMap == null || contentMap.isEmpty()) {
+        ignoredConfigKeys.add(key);
       } else {
-        Map<String, Object> contentMap =
-            ADAPTER.fromJson(Okio.buffer(Okio.source(new ByteArrayInputStream(content))));
+        ignoredConfigKeys.remove(key);
         try {
-          handleWafUpdateResultReport(configKey.toString(), contentMap);
+          beforeApply(key, contentMap);
+          maybeInitializeDefaultConfig();
+          handleWafUpdateResultReport(key, contentMap);
         } catch (AppSecModule.AppSecModuleActivationException e) {
           throw new RuntimeException(e);
         }
@@ -197,19 +228,32 @@ public void accept(ConfigKey configKey, byte[] content, PollingRateHinter pollin
     @Override
     public void remove(ConfigKey configKey, PollingRateHinter pollingRateHinter)
         throws IOException {
-      accept(configKey, null, pollingRateHinter);
+      final String key = configKey.toString();
+      if (ignoredConfigKeys.remove(key)) {
+        return;
+      }
+      try {
+        maybeInitializeDefaultConfig();
+        wafBuilder.removeConfig(key);
+        afterRemove(key);
+      } catch (UnclassifiedWafException e) {
+        throw new RuntimeException(e);
+      }
     }
 
     @Override
     public void commit(PollingRateHinter pollingRateHinter) {
       // no action needed
     }
+
+    protected void beforeApply(final String key, final Map<String, Object> contentMap) {}
+
+    protected void afterRemove(final String key) {}
   }
 
   private class AppSecConfigChangesDDListener extends AppSecConfigChangesListener {
     @Override
-    public void accept(ConfigKey configKey, byte[] content, PollingRateHinter pollingRateHinter)
-        throws IOException {
+    protected void beforeApply(final String key, final Map<String, Object> config) {
       if (defaultConfigActivated) { // if we get any config, remove the default one
         log.debug("Removing default config");
         try {
@@ -219,15 +263,12 @@ public void accept(ConfigKey configKey, byte[] content, PollingRateHinter pollin
         }
         defaultConfigActivated = false;
       }
-      usedDDWafConfigKeys.add(configKey.toString());
-      super.accept(configKey, content, pollingRateHinter);
+      usedDDWafConfigKeys.add(key);
     }
 
     @Override
-    public void remove(ConfigKey configKey, PollingRateHinter pollingRateHinter)
-        throws IOException {
-      super.remove(configKey, pollingRateHinter);
-      usedDDWafConfigKeys.remove(configKey.toString());
+    protected void afterRemove(final String key) {
+      usedDDWafConfigKeys.remove(key);
     }
   }
 
@@ -282,7 +323,6 @@ private void subscribeAsmFeatures() {
         Product.ASM_FEATURES,
         AppSecFeaturesDeserializer.INSTANCE,
         (configKey, newConfig, hinter) -> {
-          maybeInitializeDefaultConfig();
           if (newConfig == null) {
             mergedAsmFeatures.removeConfig(configKey);
           } else {
@@ -339,8 +379,6 @@ public void init() {
     } else {
       hasUserWafConfig = true;
     }
-    this.mergedAsmFeatures.clear();
-    this.usedDDWafConfigKeys.clear();
 
     if (wafConfig.isEmpty()) {
       throw new IllegalStateException("Expected default waf config to be available");
@@ -353,9 +391,12 @@ public void init() {
   }
 
   public void maybeSubscribeConfigPolling() {
+    final ProductActivation appSecActivation = tracerConfig.getAppSecActivation();
+    if (appSecActivation == ProductActivation.FULLY_DISABLED) {
+      return; // shouldn't happen but just in case.
+    }
     if (this.configurationPoller != null) {
-      if (hasUserWafConfig
-          && tracerConfig.getAppSecActivation() == ProductActivation.FULLY_ENABLED) {
+      if (hasUserWafConfig && appSecActivation == ProductActivation.FULLY_ENABLED) {
         log.info(
             "AppSec will not use remote config because "
                 + "there is a custom user configuration and AppSec is explicitly enabled");
@@ -494,6 +535,7 @@ public void close() {
     this.configurationPoller.removeListeners(Product.ASM);
     this.configurationPoller.removeListeners(Product.ASM_FEATURES);
     this.configurationPoller.removeConfigurationEndListener(applyRemoteConfigListener);
+    this.subscribedToRulesAndData.set(false);
     this.configurationPoller.stop();
     if (this.wafBuilder != null) {
       this.wafBuilder.close();
@@ -526,6 +568,7 @@ private void setAppSecActivation(final AppSecFeatures.Asm asm) {
     if (AppSecSystem.isActive() != newState) {
       log.info("AppSec {} (runtime)", newState ? "enabled" : "disabled");
       AppSecSystem.setActive(newState);
+      updateRulesAndDataSubscription();
     }
   }
 

dd-java-agent/appsec/src/main/java/com/datadog/appsec/ddwaf/WafInitialization.java

@@ -15,7 +15,7 @@ private static boolean initWAF() {
     try {
       boolean simpleLoad = System.getProperty("POWERWAF_SIMPLE_LOAD") != null;
       Waf.initialize(simpleLoad);
-    } catch (Exception e) {
+    } catch (Throwable e) {
       Logger logger = LoggerFactory.getLogger(WafInitialization.class);
       logger.warn("Error initializing WAF library", e);
       StandardizedLogging.libddwafCannotBeLoaded(logger, getLibc());