WIP

Author: jandro996

dd-java-agent/instrumentation/resteasy-appsec/build.gradle

@@ -40,6 +40,8 @@ dependencies {
     exclude group: 'org.eclipse.jetty', module: 'jetty-server'
   }
 
+  testFixturesImplementation project(':dd-java-agent:instrumentation:jax-rs-annotations-2')
+
   nettyTestImplementation group: 'io.netty', name: 'netty', version: '3.8.0.Final' // upgrade netty to a version we support
   nettyTestImplementation group: 'org.jboss.resteasy', name: 'resteasy-netty', version :'3.0.0.Final'
   nettyTestImplementation project(':dd-java-agent:instrumentation:netty-3.8')

dd-smoke-tests/resteasy/build.gradle

@@ -16,6 +16,7 @@ dependencies {
   implementation group: 'org.jboss.resteasy', name: 'resteasy-undertow', version:'3.1.0.Final'
   implementation group: 'org.jboss.resteasy', name: 'resteasy-cdi', version:'3.1.0.Final'
   implementation group: 'org.jboss.weld.servlet', name: 'weld-servlet', version: '2.4.8.Final'
+  implementation 'org.jboss.resteasy:resteasy-jackson2-provider:3.1.0.Final'
 
   implementation group: 'javax.el', name: 'javax.el-api', version:'3.0.0'
 
@@ -24,6 +25,7 @@ dependencies {
 
   testImplementation project(':dd-smoke-tests')
   testImplementation(testFixtures(project(":dd-smoke-tests:iast-util")))
+  testImplementation project(':dd-smoke-tests:appsec')
 }
 
 tasks.withType(Test).configureEach {

dd-smoke-tests/resteasy/src/main/java/smoketest/resteasy/App.java

@@ -1,5 +1,7 @@
 package smoketest.resteasy;
 
+import com.fasterxml.jackson.jaxrs.json.JacksonJsonProvider;
+
 import java.util.HashSet;
 import java.util.Set;
 import javax.ws.rs.core.Application;
@@ -10,6 +12,8 @@ public class App extends Application {
 
   public App() {
     singletons.add(new Resource());
+    singletons.add(org.jboss.resteasy.plugins.providers.StringTextStar.class); // Writer for String
+    singletons.add(new JacksonJsonProvider()); // Writer for json
   }
 
   @Override

dd-smoke-tests/resteasy/src/main/java/smoketest/resteasy/Resource.java

@@ -94,4 +94,18 @@ public Response responseLocation(@QueryParam("param") String param) throws URISy
   public Response getCookie() throws SQLException {
     return Response.ok().cookie(new NewCookie("user-id", "7")).build();
   }
+
+  @Path("/api_security/response")
+  @GET
+  @Produces(MediaType.APPLICATION_JSON)
+  public Response bodyJson() {
+    TestEntity testEntity = new TestEntity("testing", "test");
+    return Response.ok().entity(testEntity).build();
+  }
+
+  @GET
+  @Path("/api_security/sampling/{i}")
+  public Response apiSecuritySamplingWithStatus(@PathParam("i") int i) {
+    return Response.status(i).header("content-type", "text/plain").entity("Hello!\n").build();
+  }
 }

dd-smoke-tests/resteasy/src/main/java/smoketest/resteasy/TestEntity.java

@@ -0,0 +1,15 @@
+package smoketest.resteasy;
+
+public class TestEntity {
+  public String param1;
+  public String param2;
+
+  public TestEntity() {
+    super();
+  }
+
+  public TestEntity(String param1, String param2) {
+    this.param1 = param1;
+    this.param2 = param2;
+  }
+}

dd-smoke-tests/resteasy/src/test/groovy/smoketest/ResteasyAppsecSmokeTest.groovy

@@ -0,0 +1,82 @@
+package smoketest
+
+import datadog.smoketest.appsec.AbstractAppSecServerSmokeTest
+import datadog.trace.api.Platform
+import okhttp3.Request
+import okhttp3.Response
+import spock.lang.IgnoreIf
+
+@IgnoreIf({
+  System.getProperty("java.vendor").contains("IBM") && System.getProperty("java.version").contains("1.8.")
+})
+class ResteasyAppsecSmokeTest extends AbstractAppSecServerSmokeTest {
+
+  @Override
+  ProcessBuilder createProcessBuilder() {
+    String jarPath = System.getProperty("datadog.smoketest.resteasy.jar.path")
+
+    List<String> command = new ArrayList<>()
+    command.add(javaPath())
+    command.addAll(defaultJavaProperties)
+
+    if (Platform.isJavaVersionAtLeast(17)) {
+      command.addAll(["--add-opens", "java.base/java.lang=ALL-UNNAMED"])
+    }
+    command.addAll(["-jar", jarPath, Integer.toString(httpPort)])
+    ProcessBuilder processBuilder = new ProcessBuilder(command)
+    processBuilder.directory(new File(buildDirectory))
+  }
+
+  void 'API Security samples only one request per endpoint'() {
+    given:
+    def url = "http://localhost:${httpPort}/hello/api_security/sampling/200?test=value"
+    def request = new Request.Builder()
+      .url(url)
+      .addHeader('X-My-Header', "value")
+      .get()
+      .build()
+
+    when:
+    List<Response> responses = (1..3).collect {
+      client.newCall(request).execute()
+    }
+
+    then:
+    responses.each {
+      assert it.code() == 200
+    }
+    waitForTraceCount(3)
+    def spans = rootSpans.toList().toSorted { it.span.duration }
+    spans.size() == 3
+    def sampledSpans = spans.findAll {
+      it.meta.keySet().any {
+        it.startsWith('_dd.appsec.s.req.')
+      }
+    }
+    sampledSpans.size() == 1
+    def span = sampledSpans[0]
+    span.meta.containsKey('_dd.appsec.s.req.query')
+    span.meta.containsKey('_dd.appsec.s.req.params')
+    span.meta.containsKey('_dd.appsec.s.req.headers')
+  }
+
+
+  void 'test response schema extraction'() {
+    given:
+    def url = "http://localhost:${httpPort}/hello/api_security/response"
+    def request = new Request.Builder()
+      .url(url)
+      .get()
+      .build()
+
+    when:
+    final response = client.newCall(request).execute()
+    waitForTraceCount(1)
+
+    then:
+    response.code() == 200
+    def span = rootSpans.first()
+    span.meta.containsKey('_dd.appsec.s.res.headers')
+    span.meta.containsKey('_dd.appsec.s.res.body')
+  }
+}