wip

Author: smola

dd-java-agent/appsec/src/main/java/com/datadog/appsec/AppSecSystem.java

@@ -1,6 +1,7 @@
 package com.datadog.appsec;
 
 import com.datadog.appsec.api.security.ApiSecurityRequestSampler;
+import com.datadog.appsec.api.security.AppSecSpanPostProcessor;
 import com.datadog.appsec.blocking.BlockingServiceImpl;
 import com.datadog.appsec.config.AppSecConfigService;
 import com.datadog.appsec.config.AppSecConfigServiceImpl;
@@ -29,6 +30,8 @@
 import java.util.Set;
 import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.stream.Collectors;
+
+import datadog.trace.bootstrap.instrumentation.api.SpanPostProcessor;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -68,6 +71,9 @@ private static void doStart(SubscriptionService gw, SharedCommunicationObjects s
     REPLACEABLE_EVENT_PRODUCER.replaceEventProducerService(eventDispatcher);
 
     ApiSecurityRequestSampler requestSampler = new ApiSecurityRequestSampler(config);
+    if (Config.get().isApiSecurityEnabled()) {
+      SpanPostProcessor.Holder.INSTANCE = new AppSecSpanPostProcessor();
+    }
 
     ConfigurationPoller configurationPoller = sco.configurationPoller(config);
     // may throw and abort startup

dd-java-agent/appsec/src/main/java/com/datadog/appsec/api/security/ApiAccessTracker.java

@@ -1,10 +1,5 @@
 package com.datadog.appsec.api.security;
 
-import java.util.Deque;
-import java.util.Map;
-import java.util.concurrent.ConcurrentHashMap;
-import java.util.concurrent.ConcurrentLinkedDeque;
-
 /**
  * The ApiAccessTracker class provides a mechanism to track API access events, managing them within
  * a specified capacity limit. Each event is associated with a unique combination of route, method,
@@ -19,92 +14,5 @@
  * within the specified capacity limit, with older, less relevant events being discarded.
  */
 public class ApiAccessTracker {
-  private static final int INTERVAL_SECONDS = 30;
-  private static final int MAX_SIZE = 4096;
-  private final Map<Long, Long> apiAccessMap; // Map<hash, timestamp>
-  private final Deque<Long> apiAccessQueue; // hashes ordered by access time
-  private final long expirationTimeInMs;
-  private final int capacity;
-
-  public ApiAccessTracker() {
-    this(MAX_SIZE, INTERVAL_SECONDS * 1000);
-  }
-
-  public ApiAccessTracker(int capacity, long expirationTimeInMs) {
-    this.capacity = capacity;
-    this.expirationTimeInMs = expirationTimeInMs;
-    this.apiAccessMap = new ConcurrentHashMap<>();
-    this.apiAccessQueue = new ConcurrentLinkedDeque<>();
-  }
-
-  /**
-   * Updates the API access log with the given route, method, and status code. If the record already
-   * exists and is outdated, it is updated by moving to the end of the list. If the record does not
-   * exist, a new record is added. If the capacity limit is reached, the oldest record is removed.
-   * This method should not be called concurrently by multiple threads, due absence of additional
-   * synchronization for updating data structures is not required.
-   *
-   * @param route The route of the API endpoint request
-   * @param method The method of the API request
-   * @param statusCode The HTTP response status code of the API request
-   * @return return true if the record was updated or added, false otherwise
-   */
-  public boolean updateApiAccessIfExpired(String route, String method, int statusCode) {
-    long currentTime = System.currentTimeMillis();
-    long hash = computeApiHash(route, method, statusCode);
-
-    // New or updated record
-    boolean isNewOrUpdated = false;
-    if (!apiAccessMap.containsKey(hash)
-        || currentTime - apiAccessMap.get(hash) > expirationTimeInMs) {
-
-      cleanupExpiredEntries(currentTime);
-
-      apiAccessMap.put(hash, currentTime); // Update timestamp
-      // move hash to the end of the queue
-      apiAccessQueue.remove(hash);
-      apiAccessQueue.addLast(hash);
-      isNewOrUpdated = true;
-
-      // Remove the oldest hash if capacity is reached
-      while (apiAccessMap.size() > this.capacity) {
-        Long oldestHash = apiAccessQueue.pollFirst();
-        if (oldestHash != null) {
-          apiAccessMap.remove(oldestHash);
-        }
-      }
-    }
-
-    return isNewOrUpdated;
-  }
-
-  public boolean isApiAccessExpired(String route, String method, int statusCode) {
-    long currentTime = System.currentTimeMillis();
-    long hash = computeApiHash(route, method, statusCode);
-    return !apiAccessMap.containsKey(hash)
-        || currentTime - apiAccessMap.get(hash) > expirationTimeInMs;
-  }
-
-  private void cleanupExpiredEntries(long currentTime) {
-    while (!apiAccessQueue.isEmpty()) {
-      Long oldestHash = apiAccessQueue.peekFirst();
-      if (oldestHash == null) break;
-
-      Long lastAccessTime = apiAccessMap.get(oldestHash);
-      if (lastAccessTime == null || currentTime - lastAccessTime > expirationTimeInMs) {
-        apiAccessQueue.pollFirst(); // remove from head
-        apiAccessMap.remove(oldestHash);
-      } else {
-        break; // is up-to-date
-      }
-    }
-  }
 
-  private long computeApiHash(String route, String method, int statusCode) {
-    long result = 17;
-    result = 31 * result + route.hashCode();
-    result = 31 * result + method.hashCode();
-    result = 31 * result + statusCode;
-    return result;
-  }
 }

dd-java-agent/appsec/src/main/java/com/datadog/appsec/api/security/ApiSecurityRequestSampler.java

@@ -1,41 +1,141 @@
 package com.datadog.appsec.api.security;
 
 import com.datadog.appsec.gateway.AppSecRequestContext;
-import datadog.trace.api.Config;
+import datadog.trace.bootstrap.instrumentation.api.Tags;
+import datadog.trace.util.NonBlockingSemaphore;
+
+import java.util.Deque;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.ConcurrentLinkedDeque;
 
 public class ApiSecurityRequestSampler {
 
-  private final ApiAccessTracker apiAccessTracker;
-  private final Config config;
+  private static final int MAX_POST_PROCESSING_TASKS = 8;
+  private static final int INTERVAL_SECONDS = 30;
+  private static final int MAX_SIZE = 4096;
+  private final Map<Long, Long> apiAccessMap; // Map<hash, timestamp>
+  private final Deque<Long> apiAccessQueue; // hashes ordered by access time
+  private final long expirationTimeInMs;
+  private final int capacity;
+
+  private final NonBlockingSemaphore counter = NonBlockingSemaphore.withPermitCount(MAX_POST_PROCESSING_TASKS);
 
-  public ApiSecurityRequestSampler(final Config config) {
-    this.apiAccessTracker = new ApiAccessTracker();
-    this.config = config;
+  public ApiSecurityRequestSampler() {
+    this(MAX_SIZE, INTERVAL_SECONDS * 1000);
   }
 
-  public boolean sampleRequest(AppSecRequestContext ctx) {
+  public ApiSecurityRequestSampler(int capacity, long expirationTimeInMs) {
+    this.capacity = capacity;
+    this.expirationTimeInMs = expirationTimeInMs;
+    this.apiAccessMap = new ConcurrentHashMap<>();
+    this.apiAccessQueue = new ConcurrentLinkedDeque<>();
+  }
+
+  public void preSampleRequest(final AppSecRequestContext ctx, final Map<String, Object> tags) {
+    final Object route = tags.get(Tags.HTTP_ROUTE);
+    if (route instanceof String) {
+      ctx.setRoute((String) route);
+    }
+
     if (!isValid(ctx)) {
-      return false;
+      return;
     }
 
-    return apiAccessTracker.updateApiAccessIfExpired(
-        ctx.getRoute(), ctx.getMethod(), ctx.getResponseStatus());
+    if (!isApiAccessExpired(ctx.getRoute(), ctx.getMethod(), ctx.getResponseStatus())) {
+      return;
+    }
+
+    if (counter.acquire()) {
+      ctx.setKeepOpenForApiSecurityPostProcessing(true);
+    }
   }
 
-  public boolean preSampleRequest(AppSecRequestContext ctx) {
+  public boolean sampleRequest(AppSecRequestContext ctx) {
     if (!isValid(ctx)) {
       return false;
     }
 
-    return apiAccessTracker.isApiAccessExpired(
+    return updateApiAccessIfExpired(
         ctx.getRoute(), ctx.getMethod(), ctx.getResponseStatus());
   }
 
   private boolean isValid(AppSecRequestContext ctx) {
-    return config.isApiSecurityEnabled()
-        && ctx != null
+    return ctx != null
         && ctx.getRoute() != null
         && ctx.getMethod() != null
         && ctx.getResponseStatus() != 0;
   }
+
+  /**
+   * Updates the API access log with the given route, method, and status code. If the record already
+   * exists and is outdated, it is updated by moving to the end of the list. If the record does not
+   * exist, a new record is added. If the capacity limit is reached, the oldest record is removed.
+   * This method should not be called concurrently by multiple threads, due absence of additional
+   * synchronization for updating data structures is not required.
+   *
+   * @param route The route of the API endpoint request
+   * @param method The method of the API request
+   * @param statusCode The HTTP response status code of the API request
+   * @return return true if the record was updated or added, false otherwise
+   */
+  public boolean updateApiAccessIfExpired(String route, String method, int statusCode) {
+    long currentTime = System.currentTimeMillis();
+    long hash = computeApiHash(route, method, statusCode);
+
+    // New or updated record
+    boolean isNewOrUpdated = false;
+    if (!apiAccessMap.containsKey(hash)
+        || currentTime - apiAccessMap.get(hash) > expirationTimeInMs) {
+
+      cleanupExpiredEntries(currentTime);
+
+      apiAccessMap.put(hash, currentTime); // Update timestamp
+      // move hash to the end of the queue
+      apiAccessQueue.remove(hash);
+      apiAccessQueue.addLast(hash);
+      isNewOrUpdated = true;
+
+      // Remove the oldest hash if capacity is reached
+      while (apiAccessMap.size() > this.capacity) {
+        Long oldestHash = apiAccessQueue.pollFirst();
+        if (oldestHash != null) {
+          apiAccessMap.remove(oldestHash);
+        }
+      }
+    }
+
+    return isNewOrUpdated;
+  }
+
+  public boolean isApiAccessExpired(String route, String method, int statusCode) {
+    long currentTime = System.currentTimeMillis();
+    long hash = computeApiHash(route, method, statusCode);
+    return !apiAccessMap.containsKey(hash)
+        || currentTime - apiAccessMap.get(hash) > expirationTimeInMs;
+  }
+
+  private void cleanupExpiredEntries(long currentTime) {
+    while (!apiAccessQueue.isEmpty()) {
+      Long oldestHash = apiAccessQueue.peekFirst();
+      if (oldestHash == null) break;
+
+      Long lastAccessTime = apiAccessMap.get(oldestHash);
+      if (lastAccessTime == null || currentTime - lastAccessTime > expirationTimeInMs) {
+        apiAccessQueue.pollFirst(); // remove from head
+        apiAccessMap.remove(oldestHash);
+      } else {
+        break; // is up-to-date
+      }
+    }
+  }
+
+  private long computeApiHash(String route, String method, int statusCode) {
+    long result = 17;
+    result = 31 * result + route.hashCode();
+    result = 31 * result + method.hashCode();
+    result = 31 * result + statusCode;
+    return result;
+  }
+
 }

dd-java-agent/appsec/src/main/java/com/datadog/appsec/api/security/AppSecSpanPostProcessor.java

@@ -0,0 +1,75 @@
+package com.datadog.appsec.api.security;
+
+import com.datadog.appsec.event.EventProducerService;
+import com.datadog.appsec.event.ExpiredSubscriberInfoException;
+import com.datadog.appsec.event.data.DataBundle;
+import com.datadog.appsec.event.data.KnownAddresses;
+import com.datadog.appsec.event.data.SingletonDataBundle;
+import com.datadog.appsec.gateway.AppSecRequestContext;
+import com.datadog.appsec.gateway.GatewayContext;
+import datadog.trace.api.Config;
+import datadog.trace.api.gateway.RequestContext;
+import datadog.trace.api.gateway.RequestContextSlot;
+import datadog.trace.bootstrap.instrumentation.api.AgentSpan;
+import datadog.trace.bootstrap.instrumentation.api.SpanPostProcessor;
+
+import java.util.Collections;
+import java.util.function.BooleanSupplier;
+
+public class AppSecSpanPostProcessor implements SpanPostProcessor {
+
+  @Override
+  public void process(AgentSpan span, BooleanSupplier timeoutCheck) {
+    if (timeoutCheck.getAsBoolean()) {
+      return;
+    }
+    final RequestContext ctx = span.getRequestContext();
+    if (ctx == null) {
+      return;
+    }
+    final AppSecRequestContext appsecCtx = ctx.getData(RequestContextSlot.APPSEC);
+    if (appsecCtx == null) {
+      return;
+    }
+
+    maybeExtractSchemas(appsecCtx);
+    ctx.close();
+    // Decrease the counter to allow the next request to be post-processed
+    postProcessingCounter.release();
+  }
+
+  private void maybeExtractSchemas(AppSecRequestContext ctx) {
+    boolean extractSchema = false;
+    if (Config.get().isApiSecurityEnabled() && requestSampler != null) {
+      extractSchema = requestSampler.sampleRequest(ctx);
+    }
+
+    if (!extractSchema) {
+      return;
+    }
+
+    while (true) {
+      EventProducerService.DataSubscriberInfo subInfo = requestEndSubInfo;
+      if (subInfo == null) {
+        subInfo = producerService.getDataSubscribers(KnownAddresses.WAF_CONTEXT_PROCESSOR);
+        requestEndSubInfo = subInfo;
+      }
+      if (subInfo == null || subInfo.isEmpty()) {
+        return;
+      }
+
+      DataBundle bundle =
+          new SingletonDataBundle<>(
+              KnownAddresses.WAF_CONTEXT_PROCESSOR,
+              Collections.singletonMap("extract-schema", true));
+      try {
+        GatewayContext gwCtx = new GatewayContext(false);
+        producerService.publishDataEvent(subInfo, ctx, bundle, gwCtx);
+        return;
+      } catch (ExpiredSubscriberInfoException e) {
+        requestEndSubInfo = null;
+      }
+    }
+  }
+
+}