iteration 2

jandro996 · jandro996 · commit bc5f9b30922a · 2025-11-24T12:52:46.000+01:00
diff --git a/dd-java-agent/appsec/src/main/java/com/datadog/appsec/api/security/ApiSecuritySamplerImpl.java b/dd-java-agent/appsec/src/main/java/com/datadog/appsec/api/security/ApiSecuritySamplerImpl.java
@@ -54,81 +54,49 @@ public ApiSecuritySamplerImpl(
   public boolean preSampleRequest(final @Nonnull AppSecRequestContext ctx) {
     final String route = ctx.getRoute();
     if (route == null) {
-      log.info("[APPSEC-57815] preSampleRequest returning false - route is null");
       return false;
     }
     final String method = ctx.getMethod();
     if (method == null) {
-      log.info("[APPSEC-57815] preSampleRequest returning false - method is null, route={}", route);
       return false;
     }
     final int statusCode = ctx.getResponseStatus();
     if (statusCode <= 0) {
-      log.info(
-          "[APPSEC-57815] preSampleRequest returning false - invalid statusCode={}, route={}, method={}",
-          statusCode,
-          route,
-          method);
       return false;
     }
     long hash = computeApiHash(route, method, statusCode);
     ctx.setApiSecurityEndpointHash(hash);
 
-    boolean isExpired = isApiAccessExpired(hash);
-    log.info(
-        "[APPSEC-57815] preSampleRequest checking expiration - route={}, method={}, statusCode={}, hash={}, isExpired={}, expirationTimeMs={}",
-        route,
-        method,
-        statusCode,
-        hash,
-        isExpired,
-        expirationTimeInMs);
-
-    if (!isExpired) {
+    if (!isApiAccessExpired(hash)) {
       return false;
     }
 
-    int availablePermits = counter.availablePermits();
-    boolean acquired = counter.tryAcquire();
-    log.info(
-        "[APPSEC-57815] preSampleRequest semaphore check - availablePermits={}, acquired={}, route={}",
-        availablePermits,
-        acquired,
-        route);
-
-    if (acquired) {
+    if (counter.tryAcquire()) {
       log.debug("API security sampling is required for this request (presampled)");
       ctx.setKeepOpenForApiSecurityPostProcessing(true);
-      // Update the map immediately to prevent race condition where multiple concurrent
-      // requests see the same expired state before any of them updates the map
+      // Update immediately to prevent concurrent requests from seeing the same expired state
       updateApiAccessIfExpired(hash);
-      log.info(
-          "[APPSEC-57815] preSampleRequest updated accessMap immediately - route={}, hash={}",
-          route,
-          hash);
       return true;
     }
     return false;
   }
 
-  /** Get the final sampling decision. This method is NOT thread-safe. */
+  /**
+   * Confirms the final sampling decision.
+   *
+   * <p>This method is called after the span completes. The actual sampling decision and map update
+   * already happened in {@link #preSampleRequest(AppSecRequestContext)} to prevent race conditions.
+   * This method only serves as a final confirmation gate before schema extraction.
+   */
   @Override
   public boolean sampleRequest(AppSecRequestContext ctx) {
     if (ctx == null) {
       return false;
     }
     final Long hash = ctx.getApiSecurityEndpointHash();
     if (hash == null) {
-      // This should never happen, it should have been short-circuited before.
       return false;
     }
-    // Note: With the race condition fix, the map was already updated by preSampleRequest()
-    // when the semaphore was acquired. We just need to confirm the sampling decision.
-    // No need to check expiration again since that would fail (we just updated it).
-    log.info(
-        "[APPSEC-57815] sampleRequest called - hash={}, route={}, returning true (map already updated in preSampleRequest)",
-        hash,
-        ctx.getRoute());
     return true;
   }
 
diff --git a/dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java b/dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java
@@ -836,23 +836,9 @@ private NoopFlow onRequestEnded(RequestContext ctx_, IGSpanInfo spanInfo) {
     TraceSegment traceSeg = ctx_.getTraceSegment();
     Map<String, Object> tags = spanInfo.getTags();
 
-    // Log upstream propagated tags
-    Object upstreamPropagatedTs = tags.get(Tags.PROPAGATED_TRACE_SOURCE);
-    log.info(
-        "[APPSEC-57815] Request ended - spanId={}, upstream _dd.p.ts={}",
-        spanInfo.getSpanId(),
-        upstreamPropagatedTs);
-
     boolean sampledForApiSec = maybeSampleForApiSecurity(ctx, spanInfo, tags);
     boolean apmTracingEnabled = Config.get().isApmTracingEnabled();
 
-    log.info(
-        "[APPSEC-57815] sampledForApiSec={}, apmTracingEnabled={}, traceSeg={}, isNoOp={}",
-        sampledForApiSec,
-        apmTracingEnabled,
-        traceSeg,
-        traceSeg == TraceSegment.NoOp.INSTANCE);
-
     if (!sampledForApiSec) {
       ctx.closeWafContext();
     }
@@ -959,25 +945,13 @@ private boolean maybeSampleForApiSecurity(
 
     // API Security sampling requires http.route tag.
     final Object route = tags.get(Tags.HTTP_ROUTE);
-    final String existingRoute = ctx.getRoute();
-
-    log.info(
-        "[APPSEC-57815] maybeSampleForApiSecurity called - spanId={}, route from tags={}, existingRoute={}, ctx.hashCode={}",
-        spanInfo.getSpanId(),
-        route,
-        existingRoute,
-        System.identityHashCode(ctx));
 
     if (route != null) {
       ctx.setRoute(route.toString());
     }
 
     ApiSecuritySampler requestSampler = requestSamplerSupplier.get();
-    boolean sampled = requestSampler.preSampleRequest(ctx);
-
-    log.info(
-        "[APPSEC-57815] API Security sampling decision - route={}, sampled={}", route, sampled);
-    return sampled;
+    return requestSampler.preSampleRequest(ctx);
   }
 
   private Flow<Void> onRequestHeadersDone(RequestContext ctx_) {
