Added AppSec post-processing

Author: ValentinZakharov

dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java

@@ -10,6 +10,7 @@
 import static datadog.trace.api.UserIdCollectionMode.DISABLED;
 import static datadog.trace.api.UserIdCollectionMode.SDK;
 import static datadog.trace.api.telemetry.LogCollector.SEND_TELEMETRY;
+import static datadog.trace.bootstrap.instrumentation.api.AgentTracer.activeSpan;
 import static datadog.trace.util.Strings.toHexString;
 
 import com.datadog.appsec.AppSecSystem;
@@ -163,6 +164,7 @@ public void init() {
     subscriptionService.registerCallback(EVENTS.shellCmd(), this::onShellCmd);
     subscriptionService.registerCallback(EVENTS.user(), this::onUser);
     subscriptionService.registerCallback(EVENTS.loginEvent(), this::onLoginEvent);
+    subscriptionService.registerCallback(EVENTS.postProcessing(), this::onPostProcessing);
 
     if (additionalIGEvents.contains(EVENTS.requestPathParams())) {
       subscriptionService.registerCallback(EVENTS.requestPathParams(), this::onRequestPathParams);
@@ -890,6 +892,10 @@ private void onRequestHeader(RequestContext ctx_, String name, String value) {
     }
   }
 
+  private void onPostProcessing(RequestContext ctx_) {
+    // Do AppSec post-processing
+  }
+
   public void stop() {
     subscriptionService.reset();
   }
@@ -1015,6 +1021,7 @@ private Flow<Void> maybePublishRequestData(AppSecRequestContext ctx) {
 
       try {
         GatewayContext gwCtx = new GatewayContext(false);
+        activeSpan().getLocalRootSpan().setRequiresPostProcessing(true);
         return producerService.publishDataEvent(subInfo, ctx, bundle, gwCtx);
       } catch (ExpiredSubscriberInfoException e) {
         this.initialReqDataSubInfo = null;

dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/gateway/GatewayBridgeSpecification.groovy

@@ -27,6 +27,7 @@ import datadog.trace.test.util.DDSpecification
 
 import java.util.function.BiConsumer
 import java.util.function.BiFunction
+import java.util.function.Consumer
 import java.util.function.Function
 import java.util.function.Supplier
 
@@ -105,6 +106,7 @@ class GatewayBridgeSpecification extends DDSpecification {
   BiFunction<RequestContext, String[], Flow<Void>> execCmdCB
   BiFunction<RequestContext, String, Flow<Void>> shellCmdCB
   TriFunction<RequestContext, UserIdCollectionMode, String, Flow<Void>> userCB
+  Consumer<RequestContext> postProcessingCB
   LoginEventCallback loginEventCB
 
   void setup() {
@@ -446,6 +448,7 @@ class GatewayBridgeSpecification extends DDSpecification {
     1 * ig.registerCallback(EVENTS.shellCmd(), _) >> { shellCmdCB = it[1]; null }
     1 * ig.registerCallback(EVENTS.user(), _) >> { userCB = it[1]; null }
     1 * ig.registerCallback(EVENTS.loginEvent(), _) >> { loginEventCB = it[1]; null }
+    1 * ig.registerCallback(EVENTS.postProcessing(), _) >> { postProcessingCB = it[1]; null }
     0 * ig.registerCallback(_, _)
 
     bridge.init()

dd-trace-core/src/main/java/datadog/trace/common/writer/DDAgentWriter.java

@@ -14,6 +14,8 @@
 import datadog.trace.common.writer.ddagent.DDAgentMapperDiscovery;
 import datadog.trace.common.writer.ddagent.Prioritization;
 import datadog.trace.core.monitor.HealthMetrics;
+import datadog.trace.core.postprocessor.AppSecSpanPostProcessor;
+import datadog.trace.core.postprocessor.SpanPostProcessor;
 import java.util.concurrent.TimeUnit;
 import okhttp3.HttpUrl;
 import okhttp3.OkHttpClient;
@@ -153,6 +155,7 @@ public DDAgentWriter build() {
       final DDAgentMapperDiscovery mapperDiscovery = new DDAgentMapperDiscovery(featureDiscovery);
       final PayloadDispatcher dispatcher =
           new PayloadDispatcherImpl(mapperDiscovery, agentApi, healthMetrics, monitoring);
+      final SpanPostProcessor spanPostProcessor = new AppSecSpanPostProcessor();
       final TraceProcessingWorker traceProcessingWorker =
           new TraceProcessingWorker(
               traceBufferSize,
@@ -163,7 +166,7 @@ public DDAgentWriter build() {
               flushIntervalMilliseconds,
               TimeUnit.MILLISECONDS,
               singleSpanSampler,
-              null);
+              spanPostProcessor);
 
       return new DDAgentWriter(
           traceProcessingWorker,

dd-trace-core/src/main/java/datadog/trace/common/writer/DDIntakeWriter.java

@@ -9,6 +9,8 @@
 import datadog.trace.common.writer.ddagent.Prioritization;
 import datadog.trace.common.writer.ddintake.DDIntakeMapperDiscovery;
 import datadog.trace.core.monitor.HealthMetrics;
+import datadog.trace.core.postprocessor.AppSecSpanPostProcessor;
+import datadog.trace.core.postprocessor.SpanPostProcessor;
 import java.util.EnumMap;
 import java.util.Map;
 import java.util.concurrent.TimeUnit;
@@ -113,6 +115,8 @@ public DDIntakeWriter build() {
         dispatcher = new CompositePayloadDispatcher(dispatchers);
       }
 
+      SpanPostProcessor spanPostProcessor = new AppSecSpanPostProcessor();
+
       final TraceProcessingWorker traceProcessingWorker =
           new TraceProcessingWorker(
               traceBufferSize,
@@ -123,7 +127,7 @@ public DDIntakeWriter build() {
               flushIntervalMilliseconds,
               TimeUnit.MILLISECONDS,
               singleSpanSampler,
-              null);
+              spanPostProcessor);
 
       return new DDIntakeWriter(
           traceProcessingWorker,

dd-trace-core/src/main/java/datadog/trace/core/postprocessor/AppSecSpanPostProcessor.java

@@ -0,0 +1,40 @@
+package datadog.trace.core.postprocessor;
+
+import static datadog.trace.api.gateway.Events.EVENTS;
+
+import datadog.trace.api.gateway.CallbackProvider;
+import datadog.trace.api.gateway.RequestContext;
+import datadog.trace.api.gateway.RequestContextSlot;
+import datadog.trace.bootstrap.instrumentation.api.AgentTracer;
+import datadog.trace.core.DDSpan;
+import java.util.function.BooleanSupplier;
+import java.util.function.Consumer;
+
+public class AppSecSpanPostProcessor implements SpanPostProcessor {
+
+  // For testing purpose
+  protected AgentTracer.TracerAPI tracer() {
+    return AgentTracer.get();
+  }
+
+  @Override
+  public boolean process(DDSpan span, BooleanSupplier timeoutCheck) {
+    CallbackProvider cbp = tracer().getCallbackProvider(RequestContextSlot.APPSEC);
+    if (cbp == null) {
+      return false;
+    }
+
+    RequestContext ctx = span.getRequestContext();
+    if (ctx == null) {
+      return false;
+    }
+
+    Consumer<RequestContext> postProcessingCallback = cbp.getCallback(EVENTS.postProcessing());
+    if (postProcessingCallback == null) {
+      return false;
+    }
+
+    postProcessingCallback.accept(ctx);
+    return true;
+  }
+}

dd-trace-core/src/test/groovy/datadog/trace/core/postprocessor/AppSecSpanPostProcessorTest.groovy

@@ -0,0 +1,119 @@
+package datadog.trace.core.postprocessor
+
+import datadog.trace.api.gateway.CallbackProvider
+import datadog.trace.api.gateway.RequestContext
+import datadog.trace.api.gateway.RequestContextSlot
+import datadog.trace.bootstrap.instrumentation.api.AgentTracer
+import datadog.trace.core.DDSpan
+import datadog.trace.core.DDSpanContext
+import datadog.trace.core.PendingTrace
+import datadog.trace.test.util.DDSpecification
+
+import java.util.function.Consumer
+import java.util.function.BooleanSupplier
+import static datadog.trace.api.gateway.Events.EVENTS
+
+class AppSecSpanPostProcessorTest extends DDSpecification {
+  def "process returns false if span context is null"() {
+    given:
+    def processor = new AppSecSpanPostProcessor()
+    def span = Mock(DDSpan)
+    def timeoutCheck = Mock(BooleanSupplier)
+    (span.context()) >> null
+
+    expect:
+    !processor.process(span, timeoutCheck)
+  }
+
+  def "process returns false if callback provider is null"() {
+    given:
+    AgentTracer.TracerAPI tracer = Mock(AgentTracer.TracerAPI)
+    tracer.getCallbackProvider(RequestContextSlot.APPSEC) >> null
+    def processor = new AppSecSpanPostProcessor() {
+        @Override
+        protected AgentTracer.TracerAPI tracer() {
+          return tracer
+        }
+      }
+    def span = Mock(DDSpan) {
+      context() >> Mock(DDSpanContext)
+    }
+    def timeoutCheck = Mock(BooleanSupplier)
+
+    expect:
+    !processor.process(span, timeoutCheck)
+  }
+
+  def "process returns false if request context is null"() {
+    given:
+    AgentTracer.TracerAPI tracer = Mock(AgentTracer.TracerAPI)
+    def cbp = Mock(CallbackProvider)
+    tracer.getCallbackProvider(RequestContextSlot.APPSEC) >> cbp
+    def processor = new AppSecSpanPostProcessor() {
+        @Override
+        protected AgentTracer.TracerAPI tracer() {
+          return tracer
+        }
+      }
+    def span = Mock(DDSpan) {
+      context() >> Mock(DDSpanContext)
+      getRequestContext() >> null
+    }
+    def timeoutCheck = Mock(BooleanSupplier)
+
+    expect:
+    !processor.process(span, timeoutCheck)
+  }
+
+  def "process returns false if post-processing callback is null"() {
+    given:
+    AgentTracer.TracerAPI tracer = Mock(AgentTracer.TracerAPI)
+    def cbp = Mock(CallbackProvider)
+    tracer.getCallbackProvider(RequestContextSlot.APPSEC) >> cbp
+    cbp.getCallback(EVENTS.postProcessing()) >> null
+    def processor = new AppSecSpanPostProcessor() {
+        @Override
+        protected AgentTracer.TracerAPI tracer() {
+          return tracer
+        }
+      }
+    def span = Mock(DDSpan) {
+      context() >> Mock(DDSpanContext)
+      getRequestContext() >> Mock(RequestContext)
+    }
+    def timeoutCheck = Mock(BooleanSupplier)
+
+    expect:
+    !processor.process(span, timeoutCheck)
+  }
+
+  def "process returns true when all components are properly configured"() {
+    given:
+    def callback = Mock(Consumer)
+    AgentTracer.TracerAPI tracer = Mock(AgentTracer.TracerAPI)
+    def cbp = Mock(CallbackProvider)
+    tracer.getCallbackProvider(RequestContextSlot.APPSEC) >> cbp
+    cbp.getCallback(EVENTS.postProcessing()) >> callback
+    def processor = new AppSecSpanPostProcessor() {
+        @Override
+        protected AgentTracer.TracerAPI tracer() {
+          return tracer
+        }
+      }
+    def span = DDSpan.create("test", 0, Mock(DDSpanContext) {
+      isRequiresPostProcessing() >> true
+      getTraceCollector() >> Mock(PendingTrace) {
+        getCurrentTimeNano() >> 0
+      }
+      getRequestContext() >> Mock(RequestContext)
+    }, [])
+    def timeoutCheck = Mock(BooleanSupplier)
+
+    when:
+    boolean result = processor.process(span, timeoutCheck)
+
+    then:
+    result
+    1 * callback.accept(_)
+  }
+}

internal-api/src/main/java/datadog/trace/api/gateway/Events.java

@@ -10,6 +10,7 @@
 import java.util.concurrent.atomic.AtomicInteger;
 import java.util.function.BiConsumer;
 import java.util.function.BiFunction;
+import java.util.function.Consumer;
 import java.util.function.Function;
 import java.util.function.Supplier;
 
@@ -314,6 +315,18 @@ public EventType<BiFunction<RequestContext, String, Flow<Void>>> shellCmd() {
     return (EventType<BiFunction<RequestContext, String, Flow<Void>>>) SHELL_CMD;
   }
 
+  static final int POST_PROCESSING_ID = 26;
+
+  @SuppressWarnings("rawtypes")
+  private static final EventType POST_PROCESSING =
+      new ET<>("trace.post.processing", POST_PROCESSING_ID);
+
+  /** The span post-processing */
+  @SuppressWarnings("unchecked")
+  public EventType<Consumer<RequestContext>> postProcessing() {
+    return (EventType<Consumer<RequestContext>>) POST_PROCESSING;
+  }
+
   static final int MAX_EVENTS = nextId.get();
 
   private static final class ET<T> extends EventType<T> {

internal-api/src/main/java/datadog/trace/api/gateway/InstrumentationGateway.java

@@ -10,6 +10,7 @@
 import static datadog.trace.api.gateway.Events.LOGIN_EVENT_ID;
 import static datadog.trace.api.gateway.Events.MAX_EVENTS;
 import static datadog.trace.api.gateway.Events.NETWORK_CONNECTION_ID;
+import static datadog.trace.api.gateway.Events.POST_PROCESSING_ID;
 import static datadog.trace.api.gateway.Events.REQUEST_BODY_CONVERTED_ID;
 import static datadog.trace.api.gateway.Events.REQUEST_BODY_DONE_ID;
 import static datadog.trace.api.gateway.Events.REQUEST_BODY_START_ID;
@@ -38,6 +39,7 @@
 import java.util.concurrent.atomic.AtomicReferenceArray;
 import java.util.function.BiConsumer;
 import java.util.function.BiFunction;
+import java.util.function.Consumer;
 import java.util.function.Function;
 import java.util.function.Supplier;
 import org.slf4j.Logger;
@@ -468,6 +470,18 @@ public Flow<Void> apply(RequestContext ctx, String[] arg) {
                 }
               }
             };
+      case POST_PROCESSING_ID:
+        return (C)
+            new Consumer<RequestContext>() {
+              @Override
+              public void accept(RequestContext ctx) {
+                try {
+                  ((Consumer<RequestContext>) callback).accept(ctx);
+                } catch (Throwable t) {
+                  log.warn("Callback for {} threw.", eventType, t);
+                }
+              }
+            };
       default:
         log.warn("Unwrapped callback for {}", eventType);
         return callback;