Merge branch 'master' into kr-igor/dsm-service-name-override

Author: kr-igor

.gitlab-ci.yml

@@ -216,10 +216,8 @@ package-oci:
 onboarding_tests_installer:
   parallel:
     matrix:
-      - ONBOARDING_FILTER_WEBLOG: [test-app-java, test-app-java-container, test-app-java-container-jdk15, test-app-java-alpine]
+      - ONBOARDING_FILTER_WEBLOG: [test-app-java, test-app-java-container, test-app-java-alpine]
         SCENARIO: [ SIMPLE_INSTALLER_AUTO_INJECTION, SIMPLE_AUTO_INJECTION_PROFILING ]
-      - ONBOARDING_FILTER_WEBLOG: [test-app-java-buildpack]
-        SCENARIO: [ SIMPLE_INSTALLER_AUTO_INJECTION ]
 
 onboarding_tests_k8s_injection:
   variables:

dd-java-agent/agent-bootstrap/src/main/java/datadog/trace/bootstrap/instrumentation/decorator/HttpClientDecorator.java

@@ -6,6 +6,10 @@
 
 import datadog.trace.api.Config;
 import datadog.trace.api.DDTags;
+import datadog.trace.api.InstrumenterConfig;
+import datadog.trace.api.ProductActivation;
+import datadog.trace.api.iast.InstrumentationBridge;
+import datadog.trace.api.iast.sink.SsrfModule;
 import datadog.trace.api.naming.SpanNaming;
 import datadog.trace.bootstrap.instrumentation.api.AgentSpan;
 import datadog.trace.bootstrap.instrumentation.api.InternalSpanTypes;
@@ -89,6 +93,8 @@ public AgentSpan onRequest(final AgentSpan span, final REQUEST request) {
         log.debug("Error tagging url", e);
       }
 
+      ssrfIastCheck(request);
+
       if (CLIENT_TAG_HEADERS) {
         for (Map.Entry<String, String> headerTag :
             traceConfig(span).getRequestHeaderTags().entrySet()) {
@@ -168,4 +174,23 @@ public long getResponseContentLength(final RESPONSE response) {
 
     return 0;
   }
+
+  /* This method must be overriden after making the proper propagations to the client before **/
+  protected Object sourceUrl(REQUEST request) {
+    return null;
+  }
+
+  private void ssrfIastCheck(final REQUEST request) {
+    final Object sourceUrl = sourceUrl(request);
+    if (sourceUrl == null) {
+      return;
+    }
+    if (InstrumenterConfig.get().getIastActivation() != ProductActivation.FULLY_ENABLED) {
+      return;
+    }
+    final SsrfModule ssrfModule = InstrumentationBridge.SSRF;
+    if (ssrfModule != null) {
+      ssrfModule.onURLConnection(sourceUrl);
+    }
+  }
 }

dd-java-agent/agent-bootstrap/src/main/java/datadog/trace/bootstrap/instrumentation/java/concurrent/QueueTimerHelper.java

@@ -1,20 +1,45 @@
 package datadog.trace.bootstrap.instrumentation.java.concurrent;
 
+import datadog.trace.api.Platform;
+import datadog.trace.api.config.ProfilingConfig;
 import datadog.trace.api.profiling.QueueTiming;
 import datadog.trace.api.profiling.Timer;
+import datadog.trace.api.profiling.Timing;
+import datadog.trace.api.sampling.PerRecordingRateLimiter;
 import datadog.trace.bootstrap.ContextStore;
+import datadog.trace.bootstrap.config.provider.ConfigProvider;
 import datadog.trace.bootstrap.instrumentation.api.AgentTracer;
 import datadog.trace.bootstrap.instrumentation.jfr.InstrumentationBasedProfiling;
+import java.time.Duration;
+import java.time.temporal.ChronoUnit;
 
 public class QueueTimerHelper {
 
+  private static final class RateLimiterHolder {
+    // indirection to prevent needing to instantiate the class and its transitive dependencies
+    // in graal native image
+    private static final PerRecordingRateLimiter RATE_LIMITER =
+        new PerRecordingRateLimiter(
+            Duration.of(500, ChronoUnit.MILLIS),
+            10_000, // hard limit on queue events
+            Duration.ofSeconds(
+                ConfigProvider.getInstance()
+                    .getInteger(
+                        ProfilingConfig.PROFILING_UPLOAD_PERIOD,
+                        ProfilingConfig.PROFILING_UPLOAD_PERIOD_DEFAULT)));
+  }
+
   public static <T> void startQueuingTimer(
       ContextStore<T, State> taskContextStore, Class<?> schedulerClass, T task) {
     State state = taskContextStore.get(task);
     startQueuingTimer(state, schedulerClass, task);
   }
 
   public static void startQueuingTimer(State state, Class<?> schedulerClass, Object task) {
+    if (Platform.isNativeImage()) {
+      // explicitly not supported for Graal native image
+      return;
+    }
     // avoid calling this before JFR is initialised because it will lead to reading the wrong
     // TSC frequency before JFR has set it up properly
     if (task != null && state != null && InstrumentationBasedProfiling.isJFRReady()) {
@@ -25,4 +50,14 @@ public static void startQueuingTimer(State state, Class<?> schedulerClass, Objec
       state.setTiming(timing);
     }
   }
+
+  public static void stopQueuingTimer(Timing timing) {
+    if (Platform.isNativeImage()) {
+      // explicitly not supported for Graal native image
+      return;
+    }
+    if (timing != null && timing.sample() && RateLimiterHolder.RATE_LIMITER.permit()) {
+      timing.report();
+    }
+  }
 }

dd-java-agent/agent-bootstrap/src/main/java/datadog/trace/bootstrap/instrumentation/java/concurrent/State.java

@@ -85,7 +85,7 @@ public boolean isTimed() {
   public void stopTiming() {
     Timing timing = TIMING.getAndSet(this, null);
     if (timing != null) {
-      timing.close();
+      QueueTimerHelper.stopQueuingTimer(timing);
     }
   }
 }

dd-java-agent/agent-bootstrap/src/main/java11/datadog/trace/bootstrap/instrumentation/jfr/WindowSampler.java

@@ -2,7 +2,6 @@
 
 import datadog.trace.api.sampling.AdaptiveSampler;
 import java.time.Duration;
-import java.time.temporal.ChronoUnit;
 import jdk.jfr.Event;
 import jdk.jfr.EventType;
 
@@ -24,18 +23,4 @@ public void start() {
   public boolean sample() {
     return sampleType.isEnabled() && sampler.sample();
   }
-
-  protected static int samplingWindowsPerRecording(
-      long uploadPeriodSeconds, Duration samplingWindow) {
-    /*
-     * Java8 doesn't have dividedBy#Duration so we have to implement poor man's version.
-     * None of these durations should be big enough to warrant dealing with bigints.
-     * We also do not care about nanoseconds here.
-     */
-    return (int)
-        Math.min(
-            Duration.of(uploadPeriodSeconds, ChronoUnit.SECONDS).toMillis()
-                / samplingWindow.toMillis(),
-            Integer.MAX_VALUE);
-  }
 }

dd-java-agent/agent-bootstrap/src/main/java11/datadog/trace/bootstrap/instrumentation/jfr/backpressure/BackpressureSampler.java

@@ -1,5 +1,7 @@
 package datadog.trace.bootstrap.instrumentation.jfr.backpressure;
 
+import static datadog.trace.api.sampling.PerRecordingRateLimiter.samplingWindowsPerRecording;
+
 import datadog.trace.api.Config;
 import datadog.trace.bootstrap.instrumentation.jfr.WindowSampler;
 import java.time.Duration;

dd-java-agent/agent-bootstrap/src/main/java11/datadog/trace/bootstrap/instrumentation/jfr/directallocation/DirectAllocationSampler.java

@@ -1,5 +1,7 @@
 package datadog.trace.bootstrap.instrumentation.jfr.directallocation;
 
+import static datadog.trace.api.sampling.PerRecordingRateLimiter.samplingWindowsPerRecording;
+
 import datadog.trace.api.Config;
 import datadog.trace.bootstrap.instrumentation.jfr.WindowSampler;
 import java.time.Duration;

dd-java-agent/agent-bootstrap/src/main/java11/datadog/trace/bootstrap/instrumentation/jfr/exceptions/ExceptionSampler.java

@@ -1,5 +1,7 @@
 package datadog.trace.bootstrap.instrumentation.jfr.exceptions;
 
+import static datadog.trace.api.sampling.PerRecordingRateLimiter.samplingWindowsPerRecording;
+
 import datadog.trace.api.Config;
 import datadog.trace.bootstrap.instrumentation.jfr.WindowSampler;
 import java.time.Duration;

dd-java-agent/agent-bootstrap/src/test/groovy/datadog/trace/bootstrap/instrumentation/decorator/HttpClientDecoratorTest.groovy

@@ -1,6 +1,8 @@
 package datadog.trace.bootstrap.instrumentation.decorator
 
 import datadog.trace.api.DDTags
+import datadog.trace.api.iast.InstrumentationBridge
+import datadog.trace.api.iast.sink.SsrfModule
 import datadog.trace.bootstrap.instrumentation.api.AgentSpan
 import datadog.trace.bootstrap.instrumentation.api.AgentTracer
 import datadog.trace.bootstrap.instrumentation.api.ResourceNamePriorities
@@ -29,6 +31,8 @@ class HttpClientDecoratorTest extends ClientDecoratorTest {
     if (req) {
       1 * span.setTag(Tags.HTTP_METHOD, req.method)
       1 * span.setTag(Tags.HTTP_URL, {it.toString() == "$req.url"})
+      1 * span.setTag(DDTags.HTTP_QUERY, null)
+      1 * span.setTag(DDTags.HTTP_FRAGMENT, null)
       1 * span.setTag(Tags.PEER_HOSTNAME, req.url.host)
       1 * span.setTag(Tags.PEER_PORT, req.url.port)
       1 * span.setResourceName({ it as String == req.method.toUpperCase() + " " + req.path }, ResourceNamePriorities.HTTP_PATH_NORMALIZER)
@@ -169,6 +173,32 @@ class HttpClientDecoratorTest extends ClientDecoratorTest {
     null   | null           | false
   }
 
+  def "test ssrfIastCheck is called"() {
+    setup:
+    injectSysConfig('dd.iast.enabled', input)
+    def decorator = newDecorator()
+    final module = Mock(SsrfModule)
+    InstrumentationBridge.registerIastModule(module)
+
+    when:
+    decorator.onRequest(span, req)
+
+    then:
+    if (input == 'true') {
+      1 * module.onURLConnection(_)
+    } else {
+      0 * module.onURLConnection(_)
+    }
+    if (req) {
+      1 * span.traceConfig() >> AgentTracer.traceConfig()
+    }
+
+    where:
+    input  | req
+    'true' | [method: "test-method", url: testUrl, path: '/somepath']
+    'false' | [method: "test-method", url: testUrl, path: '/somepath']
+  }
+
   @Override
   def newDecorator(String serviceName = "test-service") {
     return new HttpClientDecorator<Map, Map>() {
@@ -197,6 +227,11 @@ class HttpClientDecoratorTest extends ClientDecoratorTest {
           return m.url
         }
 
+        @Override
+        protected String sourceUrl(Map m) {
+          return m.url
+        }
+
         @Override
         protected int status(Map m) {
           null == m.status ? 0 : m.status.intValue()

dd-java-agent/agent-ci-visibility/src/main/java/datadog/trace/civisibility/config/ConfigurationApiImpl.java

@@ -160,11 +160,13 @@ public SkippableTests getSkippableTests(TracerEnvironment tracerEnvironment) thr
             telemetryListener,
             false);
 
+    Configurations requestConf = tracerEnvironment.getConfigurations();
+
     Map<String, Map<TestIdentifier, TestMetadata>> testIdentifiersByModule = new HashMap<>();
     for (DataDto<TestIdentifierJson> dataDto : response.data) {
       TestIdentifierJson testIdentifierJson = dataDto.getAttributes();
-      Configurations configurations = testIdentifierJson.getConfigurations();
-      String moduleName = configurations.getTestBundle();
+      Configurations conf = testIdentifierJson.getConfigurations();
+      String moduleName = (conf != null ? conf : requestConf).getTestBundle();
       testIdentifiersByModule
           .computeIfAbsent(moduleName, k -> new HashMap<>())
           .put(testIdentifierJson.toTestIdentifier(), testIdentifierJson.toTestMetadata());