Add support for session tracking in jetty

Author: manuel-alvarez-alvarez

dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/AppSecRequestContext.java

@@ -125,6 +125,8 @@ public class AppSecRequestContext implements DataBundle, Closeable {
 
   // keep a reference to the last published usr.id
   private volatile String userId;
+  // keep a reference to the last published usr.session_id
+  private volatile String sessionId;
 
   private static final AtomicIntegerFieldUpdater<AppSecRequestContext> TIMEOUTS_UPDATER =
       AtomicIntegerFieldUpdater.newUpdater(AppSecRequestContext.class, "timeouts");
@@ -433,6 +435,14 @@ public void setUserId(String userId) {
     this.userId = userId;
   }
 
+  public void setSessionId(String sessionId) {
+    this.sessionId = sessionId;
+  }
+
+  public String getSessionId() {
+    return sessionId;
+  }
+
   @Override
   public void close() {
     final AgentSpan span = AgentTracer.activeSpan();

dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java

@@ -154,7 +154,7 @@ private TriFunction<RequestContext, UserIdCollectionMode, String, Flow<Void>> on
       final Address<String> address) {
     return (ctx_, mode, userId) -> {
       final AppSecRequestContext ctx = ctx_.getData(RequestContextSlot.APPSEC);
-      if (ctx == null) {
+      if (userId == null || ctx == null) {
         return NoopFlow.INSTANCE;
       }
       final TraceSegment segment = ctx_.getTraceSegment();
@@ -203,9 +203,14 @@ private TriFunction<RequestContext, UserIdCollectionMode, String, Flow<Void>> on
 
   private Flow<Void> onRequestSession(final RequestContext ctx_, final String sessionId) {
     final AppSecRequestContext ctx = ctx_.getData(RequestContextSlot.APPSEC);
-    if (ctx == null) {
+    if (sessionId == null || ctx == null) {
+      return NoopFlow.INSTANCE;
+    }
+    if (sessionId.equals(ctx.getSessionId())) {
       return NoopFlow.INSTANCE;
     }
+    // unlikely that multiple threads will update the value at the same time
+    ctx.setSessionId(sessionId);
     final TraceSegment segment = ctx_.getTraceSegment();
     segment.setTagTop("usr.session_id", sessionId);
     while (true) {

dd-java-agent/instrumentation/jetty-11/src/main/java/datadog/trace/instrumentation/jetty11/RequestInstrumentation.java

@@ -27,5 +27,8 @@ public void methodAdvice(MethodTransformer transformer) {
             .and(takesArgument(0, named("org.eclipse.jetty.server.handler.ContextHandler$Context")))
             .and(takesArgument(1, String.class)),
         packageName + ".SetContextPathAdvice");
+    transformer.applyAdvice(
+        named("setRequestedSessionId").and(takesArgument(0, String.class)),
+        packageName + ".SetRequestedSessionIdAdvice");
   }
 }

dd-java-agent/instrumentation/jetty-11/src/main/java11/datadog/trace/instrumentation/jetty11/SetRequestedSessionIdAdvice.java

@@ -0,0 +1,22 @@
+package datadog.trace.instrumentation.jetty11;
+
+import datadog.trace.advice.ActiveRequestContext;
+import datadog.trace.advice.RequiresRequestContext;
+import datadog.trace.api.gateway.RequestContext;
+import datadog.trace.api.gateway.RequestContextSlot;
+import datadog.trace.instrumentation.jetty.JettyBlockingHelper;
+import net.bytebuddy.asm.Advice;
+
+/**
+ * Because we are processing the initial request before the requestedSessionId is set, we must
+ * update it when it is actually set.
+ */
+@RequiresRequestContext(RequestContextSlot.APPSEC)
+public class SetRequestedSessionIdAdvice {
+  @Advice.OnMethodEnter(suppress = Throwable.class)
+  public static void setRequestedSessionId(
+      @ActiveRequestContext RequestContext reqCtx,
+      @Advice.Argument(0) final String requestedSessionId) {
+    JettyBlockingHelper.maybeBlockOnSession(reqCtx, requestedSessionId);
+  }
+}

dd-java-agent/instrumentation/jetty-11/src/test/groovy/Jetty11Test.groovy

@@ -84,6 +84,11 @@ abstract class Jetty11Test extends HttpServerTest<Server> {
   boolean hasExtraErrorInformation() {
     true
   }
+
+  @Override
+  boolean testSessionId() {
+    true
+  }
 }
 
 class Jetty11V0ForkedTest extends Jetty11Test implements TestingGenericHttpNamingConventions.ServerV0 {

dd-java-agent/instrumentation/jetty-11/src/testFixtures/groovy/JettyServer.groovy

@@ -11,6 +11,7 @@ import org.eclipse.jetty.server.Handler
 import org.eclipse.jetty.server.Server
 import org.eclipse.jetty.server.handler.AbstractHandler
 import org.eclipse.jetty.server.handler.ErrorHandler
+import org.eclipse.jetty.server.session.SessionHandler
 import org.eclipse.jetty.servlet.FilterMapping
 import org.eclipse.jetty.servlet.ServletContextHandler
 
@@ -19,7 +20,8 @@ class JettyServer implements HttpServer {
   final server = new Server(0) // select random open port
 
   JettyServer(Handler handler) {
-    server.handler = handler
+    sessionHandler.handler = handler
+    server.handler = sessionHandler
     server.addBean(errorHandler)
   }
 
@@ -47,6 +49,7 @@ class JettyServer implements HttpServer {
 
   static AbstractHandler servletHandler(Class<? extends Servlet> servlet) {
     ServletContextHandler handler = new ServletContextHandler(null, "/context-path")
+    handler.sessionHandler = sessionHandler
     handler.errorHandler = errorHandler
     handler.servletHandler.addFilterWithMapping(EnableMultipartFilter, '/*', FilterMapping.ALL)
     handler.servletHandler.addServletWithMapping(servlet, '/*')
@@ -72,4 +75,6 @@ class JettyServer implements HttpServer {
       }
     }
   }
+
+  static sessionHandler = new SessionHandler()
 }

dd-java-agent/instrumentation/jetty-12/build.gradle

@@ -39,6 +39,9 @@ dependencies {
   main_java17CompileOnly ("org.eclipse.jetty:jetty-server:12.0.0") {
     exclude group: 'org.slf4j', module: 'slf4j-api'
   }
+  main_java17CompileOnly ("org.eclipse.jetty:jetty-session:12.0.0") {
+    exclude group: 'org.slf4j', module: 'slf4j-api'
+  }
   main_java17Implementation project(':dd-java-agent:instrumentation:jetty-common')
   implementation project(':dd-java-agent:instrumentation:jetty-common')
 
@@ -62,6 +65,9 @@ dependencies {
   latestDepTestImplementation ("org.eclipse.jetty:jetty-server:12.+") {
     exclude group: 'org.slf4j', module: 'slf4j-api'
   }
+  latestDepTestImplementation ("org.eclipse.jetty:jetty-session:12.+") {
+    exclude group: 'org.slf4j', module: 'slf4j-api'
+  }
 
   ee8TestImplementation group: 'org.eclipse.jetty.ee8', name: 'jetty-ee8-servlet', version: '12.0.0' , {
     exclude group: 'org.slf4j', module: 'slf4j-api'

dd-java-agent/instrumentation/jetty-12/src/main/java/datadog/trace/instrumentation/jetty12/AbstractSessionManagerInstrumentation.java

@@ -0,0 +1,34 @@
+package datadog.trace.instrumentation.jetty12;
+
+import static datadog.trace.agent.tooling.bytebuddy.matcher.NameMatchers.named;
+import static net.bytebuddy.matcher.ElementMatchers.isProtected;
+import static net.bytebuddy.matcher.ElementMatchers.takesArgument;
+import static net.bytebuddy.matcher.ElementMatchers.takesArguments;
+
+import com.google.auto.service.AutoService;
+import datadog.trace.agent.tooling.Instrumenter;
+import datadog.trace.agent.tooling.InstrumenterModule;
+
+@AutoService(InstrumenterModule.class)
+public final class AbstractSessionManagerInstrumentation extends InstrumenterModule.Tracing
+    implements Instrumenter.ForSingleType {
+
+  public AbstractSessionManagerInstrumentation() {
+    super("jetty");
+  }
+
+  @Override
+  public String instrumentedType() {
+    return "org.eclipse.jetty.session.AbstractSessionManager";
+  }
+
+  @Override
+  public void methodAdvice(MethodTransformer transformer) {
+    transformer.applyAdvice(
+        named("resolveRequestedSessionId")
+            .and(isProtected())
+            .and(takesArguments(1))
+            .and(takesArgument(0, named("org.eclipse.jetty.server.Request"))),
+        packageName + ".ResolveRequestedSessionIdAdvice");
+  }
+}

dd-java-agent/instrumentation/jetty-12/src/main/java17/datadog/trace/instrumentation/jetty12/ResolveRequestedSessionIdAdvice.java

@@ -0,0 +1,46 @@
+package datadog.trace.instrumentation.jetty12;
+
+import static datadog.trace.api.gateway.Events.EVENTS;
+import static org.eclipse.jetty.session.AbstractSessionManager.RequestedSession;
+
+import datadog.appsec.api.blocking.BlockingException;
+import datadog.trace.advice.ActiveRequestContext;
+import datadog.trace.advice.RequiresRequestContext;
+import datadog.trace.api.gateway.CallbackProvider;
+import datadog.trace.api.gateway.Flow;
+import datadog.trace.api.gateway.RequestContext;
+import datadog.trace.api.gateway.RequestContextSlot;
+import datadog.trace.bootstrap.instrumentation.api.AgentTracer;
+import java.util.function.BiFunction;
+import net.bytebuddy.asm.Advice;
+
+/**
+ * Because we are processing the initial request before the requestedSession is set, we must update
+ * it when it is actually set.
+ */
+@RequiresRequestContext(RequestContextSlot.APPSEC)
+public class ResolveRequestedSessionIdAdvice {
+  @Advice.OnMethodExit(suppress = Throwable.class)
+  public static void resolveRequestedSessionId(
+      @ActiveRequestContext RequestContext reqCtx,
+      @Advice.Return final RequestedSession requestedSession) {
+    final String requestedSessionId =
+        requestedSession == null ? null : requestedSession.sessionId();
+    if (requestedSessionId != null && reqCtx != null) {
+      final CallbackProvider cbp = AgentTracer.get().getCallbackProvider(RequestContextSlot.APPSEC);
+      if (cbp == null) {
+        return;
+      }
+      final BiFunction<RequestContext, String, Flow<Void>> addrCallback =
+          cbp.getCallback(EVENTS.requestSession());
+      if (addrCallback == null) {
+        return;
+      }
+      final Flow<Void> flow = addrCallback.apply(reqCtx, requestedSessionId);
+      Flow.Action action = flow.getAction();
+      if (action instanceof Flow.Action.RequestBlockingAction) {
+        throw new BlockingException("Blocked request (for sessionId)");
+      }
+    }
+  }
+}

dd-java-agent/instrumentation/jetty-12/src/test/ee8/groovy/Jetty12Test.groovy

@@ -48,6 +48,11 @@ abstract class Jetty12Test extends HttpServerTest<Server> implements TestingGene
   boolean hasExtraErrorInformation() {
     true
   }
+
+  @Override
+  boolean testSessionId() {
+    true
+  }
 }
 
 class Jetty12SyncTest extends Jetty12Test {