Prevent spans from having login success and failure events at the same time

Author: manuel-alvarez-alvarez

dd-java-agent/instrumentation/spring-security-5/src/main/java/datadog/trace/instrumentation/springsecurity5/AbstractAuthenticationProcessingFilterInstrumentation.java

@@ -0,0 +1,70 @@
+package datadog.trace.instrumentation.springsecurity5;
+
+import static datadog.trace.agent.tooling.bytebuddy.matcher.NameMatchers.named;
+import static net.bytebuddy.matcher.ElementMatchers.isMethod;
+import static net.bytebuddy.matcher.ElementMatchers.takesArgument;
+
+import com.google.auto.service.AutoService;
+import datadog.trace.agent.tooling.Instrumenter;
+import datadog.trace.agent.tooling.InstrumenterModule;
+import datadog.trace.bootstrap.ActiveSubsystems;
+import net.bytebuddy.asm.Advice;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+
+@AutoService(InstrumenterModule.class)
+public class AbstractAuthenticationProcessingFilterInstrumentation extends InstrumenterModule.AppSec
+    implements Instrumenter.ForSingleType {
+
+  public AbstractAuthenticationProcessingFilterInstrumentation() {
+    super("spring-security");
+  }
+
+  @Override
+  public String instrumentedType() {
+    return "org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter";
+  }
+
+  @Override
+  public String[] helperClassNames() {
+    return new String[] {
+      "datadog.trace.instrumentation.springsecurity5.SpringSecurityUserEventDecorator"
+    };
+  }
+
+  @Override
+  public void methodAdvice(MethodTransformer transformer) {
+    transformer.applyAdvice(
+        isMethod()
+            .and(named("successfulAuthentication"))
+            .and(takesArgument(3, named("org.springframework.security.core.Authentication"))),
+        getClass().getName() + "$SuccessfulAuthenticationAdvice");
+    transformer.applyAdvice(
+        isMethod()
+            .and(named("unsuccessfulAuthentication"))
+            .and(
+                takesArgument(
+                    2, named("org.springframework.security.core.AuthenticationException"))),
+        getClass().getName() + "$UnsuccessfulAuthenticationAdvice");
+  }
+
+  public static class SuccessfulAuthenticationAdvice {
+
+    @Advice.OnMethodExit(suppress = Throwable.class)
+    public static void onExit(@Advice.Argument(3) Authentication authentication) {
+      if (ActiveSubsystems.APPSEC_ACTIVE) {
+        SpringSecurityUserEventDecorator.DECORATE.onLoginSuccess(authentication);
+      }
+    }
+  }
+
+  public static class UnsuccessfulAuthenticationAdvice {
+
+    @Advice.OnMethodExit(suppress = Throwable.class)
+    public static void onExit(@Advice.Argument(2) AuthenticationException exception) {
+      if (ActiveSubsystems.APPSEC_ACTIVE) {
+        SpringSecurityUserEventDecorator.DECORATE.onLoginFailure(exception);
+      }
+    }
+  }
+}

…thenticationProviderInstrumentation.java …uthenticationManagerInstrumentation.javadd-java-agent/instrumentation/spring-security-5/src/main/java/datadog/trace/instrumentation/springsecurity5/AuthenticationProviderInstrumentation.java renamed to dd-java-agent/instrumentation/spring-security-5/src/main/java/datadog/trace/instrumentation/springsecurity5/AuthenticationManagerInstrumentation.java dd-java-agent/instrumentation/spring-security-5/src/main/java/datadog/trace/instrumentation/springsecurity5/AuthenticationProviderInstrumentation.java renamed to dd-java-agent/instrumentation/spring-security-5/src/main/java/datadog/trace/instrumentation/springsecurity5/AuthenticationManagerInstrumentation.java

@@ -11,23 +11,24 @@
 import datadog.trace.agent.tooling.Instrumenter;
 import datadog.trace.agent.tooling.InstrumenterModule;
 import datadog.trace.bootstrap.ActiveSubsystems;
+import datadog.trace.bootstrap.CallDepthThreadLocalMap;
 import net.bytebuddy.asm.Advice;
 import net.bytebuddy.description.type.TypeDescription;
 import net.bytebuddy.matcher.ElementMatcher;
+import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.core.AuthenticationException;
 
 @AutoService(InstrumenterModule.class)
-public class AuthenticationProviderInstrumentation extends InstrumenterModule.AppSec
+public class AuthenticationManagerInstrumentation extends InstrumenterModule.AppSec
     implements Instrumenter.ForTypeHierarchy {
 
-  public AuthenticationProviderInstrumentation() {
+  public AuthenticationManagerInstrumentation() {
     super("spring-security");
   }
 
   @Override
   public String hierarchyMarkerType() {
-    return "org.springframework.security.authentication.AuthenticationProvider";
+    return "org.springframework.security.authentication.AuthenticationManager";
   }
 
   @Override
@@ -50,19 +51,26 @@ public void methodAdvice(MethodTransformer transformer) {
             .and(takesArgument(0, named("org.springframework.security.core.Authentication")))
             .and(returns(named("org.springframework.security.core.Authentication")))
             .and(isPublic()),
-        getClass().getName() + "$AuthenticationProviderAdvice");
+        getClass().getName() + "$AuthenticationManagerAdvice");
   }
 
-  public static class AuthenticationProviderAdvice {
+  public static class AuthenticationManagerAdvice {
 
-    @Advice.OnMethodExit(onThrowable = AuthenticationException.class, suppress = Throwable.class)
-    public static void onExit(
-        @Advice.Argument(value = 0, readOnly = false) Authentication authentication,
-        @Advice.Return final Authentication result,
-        @Advice.Thrown final AuthenticationException throwable) {
-      if (ActiveSubsystems.APPSEC_ACTIVE) {
-        SpringSecurityUserEventDecorator.DECORATE.onLogin(authentication, throwable, result);
+    @Advice.OnMethodEnter(suppress = Throwable.class)
+    public static int onEnter(@Advice.Argument(0) Authentication authentication) {
+      int depth = CallDepthThreadLocalMap.incrementCallDepth(AuthenticationManager.class);
+      if (depth == 0 && ActiveSubsystems.APPSEC_ACTIVE) {
+        SpringSecurityUserEventDecorator.DECORATE.onAuthentication(authentication);
       }
+      return depth;
+    }
+
+    @Advice.OnMethodExit(onThrowable = Throwable.class, suppress = Throwable.class)
+    public static void onExit(@Advice.Enter final int depth) {
+      if (depth > 0) {
+        return;
+      }
+      CallDepthThreadLocalMap.reset(AuthenticationManager.class);
     }
   }
 }

dd-java-agent/instrumentation/spring-security-5/src/main/java/datadog/trace/instrumentation/springsecurity5/SpringSecurityUserEventDecorator.java

@@ -15,6 +15,7 @@
 import org.slf4j.LoggerFactory;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 
@@ -30,6 +31,12 @@ public class SpringSecurityUserEventDecorator {
   private static final Set<Class<?>> SKIPPED_AUTHS =
       Collections.newSetFromMap(new ConcurrentHashMap<>());
 
+  private static final ThreadLocal<Authentication> AUTHENTICATION = new ThreadLocal<>();
+
+  public void onAuthentication(final Authentication authentication) {
+    AUTHENTICATION.set(authentication);
+  }
+
   public void onUserNotFound() {
     final AppSecEventTracker tracker = AppSecEventTracker.getEventTracker();
     if (tracker == null) {
@@ -65,11 +72,40 @@ public void onSignup(UserDetails user, Throwable throwable) {
     tracker.onSignupEvent(mode, userId, metadata);
   }
 
-  public void onLogin(Authentication authentication, Throwable throwable, Authentication result) {
-    if (authentication == null) {
+  public void onLoginSuccess(Authentication authentication) {
+    AUTHENTICATION.remove();
+
+    final AppSecEventTracker tracker = AppSecEventTracker.getEventTracker();
+    if (tracker == null) {
       return;
     }
 
+    if (shouldSkipAuthentication(authentication)) {
+      return;
+    }
+
+    UserIdCollectionMode mode = UserIdCollectionMode.get();
+    String userId = authentication.getName();
+    Map<String, String> metadata = null;
+    Object principal = authentication.getPrincipal();
+    if (principal instanceof User) {
+      User user = (User) principal;
+      metadata = new HashMap<>();
+      metadata.put("enabled", String.valueOf(user.isEnabled()));
+      metadata.put(
+          "authorities",
+          user.getAuthorities().stream().map(Object::toString).collect(Collectors.joining(",")));
+      metadata.put("accountNonExpired", String.valueOf(user.isAccountNonExpired()));
+      metadata.put("accountNonLocked", String.valueOf(user.isAccountNonLocked()));
+      metadata.put("credentialsNonExpired", String.valueOf(user.isCredentialsNonExpired()));
+    }
+    tracker.onLoginSuccessEvent(mode, userId, metadata);
+  }
+
+  public void onLoginFailure(AuthenticationException exception) {
+    Authentication authentication = AUTHENTICATION.get();
+    AUTHENTICATION.remove();
+
     final AppSecEventTracker tracker = AppSecEventTracker.getEventTracker();
     if (tracker == null) {
       return;
@@ -80,35 +116,9 @@ public void onLogin(Authentication authentication, Throwable throwable, Authenti
     }
 
     UserIdCollectionMode mode = UserIdCollectionMode.get();
-    String userId = result != null ? result.getName() : authentication.getName();
-    if (throwable == null && result != null && result.isAuthenticated()) {
-      Map<String, String> metadata = null;
-      Object principal = result.getPrincipal();
-      if (principal instanceof User) {
-        User user = (User) principal;
-        metadata = new HashMap<>();
-        metadata.put("enabled", String.valueOf(user.isEnabled()));
-        metadata.put(
-            "authorities",
-            user.getAuthorities().stream().map(Object::toString).collect(Collectors.joining(",")));
-        metadata.put("accountNonExpired", String.valueOf(user.isAccountNonExpired()));
-        metadata.put("accountNonLocked", String.valueOf(user.isAccountNonLocked()));
-        metadata.put("credentialsNonExpired", String.valueOf(user.isCredentialsNonExpired()));
-      }
-      tracker.onLoginSuccessEvent(mode, userId, metadata);
-    } else if (throwable != null) {
-      // On bad password, throwable would be
-      // org.springframework.security.authentication.BadCredentialsException,
-      // on user not found, throwable can be BadCredentials or
-      // org.springframework.security.core.userdetails.UsernameNotFoundException depending on the
-      // internal setting
-      // hideUserNotFoundExceptions (or a custom AuthenticationProvider implementation overriding
-      // this).
-      // This would be the ideal place to check whether the user exists or not, but we cannot do
-      // so reliably yet.
-      // See UsernameNotFoundExceptionInstrumentation for more details.
-      tracker.onLoginFailureEvent(mode, userId, null, null);
-    }
+    String userId = authentication.getName();
+
+    tracker.onLoginFailureEvent(mode, userId, null, null);
   }
 
   public void onUser(final Authentication authentication) {
@@ -131,6 +141,9 @@ public void onUser(final Authentication authentication) {
   }
 
   private static boolean shouldSkipAuthentication(final Authentication authentication) {
+    if (authentication == null) {
+      return true;
+    }
     if (authentication instanceof UsernamePasswordAuthenticationToken) {
       return false;
     }

dd-java-agent/instrumentation/spring-security-5/src/test/groovy/datadog/trace/instrumentation/springsecurity5/SecurityConfig.groovy

@@ -2,9 +2,13 @@ package datadog.trace.instrumentation.springsecurity5
 
 import custom.CustomAuthenticationFilter
 import custom.CustomAuthenticationProvider
+import custom.FailingAuthenticationProvider
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
 import org.springframework.security.authentication.AuthenticationManager
+import org.springframework.security.authentication.AuthenticationProvider
+import org.springframework.security.authentication.ProviderManager
+import org.springframework.security.config.annotation.ObjectPostProcessor
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer
@@ -49,6 +53,7 @@ class SecurityConfig {
     @Override
     void configure(HttpSecurity http) throws Exception {
       AuthenticationManager authenticationManager = http.getSharedObject(AuthenticationManager)
+      http.authenticationProvider(new FailingAuthenticationProvider())
       http.authenticationProvider(new CustomAuthenticationProvider())
       http.addFilterBefore(new CustomAuthenticationFilter(authenticationManager), UsernamePasswordAuthenticationFilter)
     }

dd-java-agent/instrumentation/spring-security-5/src/test/groovy/datadog/trace/instrumentation/springsecurity5/SpringBootBasedTest.groovy

@@ -235,6 +235,8 @@ class SpringBootBasedTest extends AppSecHttpServerTest<ConfigurableApplicationCo
     span.getTag("appsec.events.users.login.success")['enabled'] == 'true'
     span.getTag("appsec.events.users.login.success")['authorities'] == 'ROLE_USER'
     span.getTag("appsec.events.users.login.success")['accountNonLocked'] == 'true'
+
+    span.getTag("appsec.events.users.login.failure.track") == null
   }
 
   void 'test failed signup'() {

dd-java-agent/instrumentation/spring-security-5/src/test/java/custom/FailingAuthenticationProvider.java

@@ -0,0 +1,19 @@
+package custom;
+
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.authentication.AuthenticationServiceException;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+
+public class FailingAuthenticationProvider implements AuthenticationProvider {
+
+  @Override
+  public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+    throw new AuthenticationServiceException("I'm dumb");
+  }
+
+  @Override
+  public boolean supports(Class<?> authentication) {
+    return true;
+  }
+}

dd-java-agent/instrumentation/spring-security-6/src/test/groovy/datadog/trace/instrumentation/springsecurity6/SecurityConfig.groovy

@@ -2,6 +2,7 @@ package datadog.trace.instrumentation.springsecurity6
 
 import custom.CustomAuthenticationFilter
 import custom.CustomAuthenticationProvider
+import custom.FailingAuthenticationProvider
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
 import org.springframework.security.authentication.AuthenticationManager
@@ -47,6 +48,7 @@ class SecurityConfig {
     @Override
     void configure(HttpSecurity http) throws Exception {
       AuthenticationManager authenticationManager = http.getSharedObject(AuthenticationManager)
+      http.authenticationProvider(new FailingAuthenticationProvider())
       http.authenticationProvider(new CustomAuthenticationProvider())
       http.addFilterBefore(new CustomAuthenticationFilter(authenticationManager), UsernamePasswordAuthenticationFilter)
     }

dd-java-agent/instrumentation/spring-security-6/src/test/groovy/datadog/trace/instrumentation/springsecurity6/SpringBootBasedTest.groovy

@@ -211,6 +211,8 @@ class SpringBootBasedTest extends AppSecHttpServerTest<ConfigurableApplicationCo
     span.getTag("appsec.events.users.login.success")['enabled'] == 'true'
     span.getTag("appsec.events.users.login.success")['authorities'] == 'ROLE_USER'
     span.getTag("appsec.events.users.login.success")['accountNonLocked'] == 'true'
+
+    span.getTag("appsec.events.users.login.failure.track") == null
   }
 
   void 'test failed signup'() {

dd-java-agent/instrumentation/spring-security-6/src/test/java/custom/FailingAuthenticationProvider.java

@@ -0,0 +1,19 @@
+package custom;
+
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.authentication.AuthenticationServiceException;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+
+public class FailingAuthenticationProvider implements AuthenticationProvider {
+
+  @Override
+  public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+    throw new AuthenticationServiceException("I'm dumb");
+  }
+
+  @Override
+  public boolean supports(Class<?> authentication) {
+    return true;
+  }
+}