change logs

jandro996 · jandro996 · commit fe7549460172 · 2025-11-24T11:33:42.000+01:00
diff --git a/dd-java-agent/appsec/src/main/java/com/datadog/appsec/api/security/ApiSecuritySamplerImpl.java b/dd-java-agent/appsec/src/main/java/com/datadog/appsec/api/security/ApiSecuritySamplerImpl.java
@@ -54,22 +54,49 @@ public ApiSecuritySamplerImpl(
   public boolean preSampleRequest(final @Nonnull AppSecRequestContext ctx) {
     final String route = ctx.getRoute();
     if (route == null) {
+      log.info("[APPSEC-57815] preSampleRequest returning false - route is null");
       return false;
     }
     final String method = ctx.getMethod();
     if (method == null) {
+      log.info("[APPSEC-57815] preSampleRequest returning false - method is null, route={}", route);
       return false;
     }
     final int statusCode = ctx.getResponseStatus();
     if (statusCode <= 0) {
+      log.info(
+          "[APPSEC-57815] preSampleRequest returning false - invalid statusCode={}, route={}, method={}",
+          statusCode,
+          route,
+          method);
       return false;
     }
     long hash = computeApiHash(route, method, statusCode);
     ctx.setApiSecurityEndpointHash(hash);
-    if (!isApiAccessExpired(hash)) {
+
+    boolean isExpired = isApiAccessExpired(hash);
+    log.info(
+        "[APPSEC-57815] preSampleRequest checking expiration - route={}, method={}, statusCode={}, hash={}, isExpired={}, expirationTimeMs={}",
+        route,
+        method,
+        statusCode,
+        hash,
+        isExpired,
+        expirationTimeInMs);
+
+    if (!isExpired) {
       return false;
     }
-    if (counter.tryAcquire()) {
+
+    int availablePermits = counter.availablePermits();
+    boolean acquired = counter.tryAcquire();
+    log.info(
+        "[APPSEC-57815] preSampleRequest semaphore check - availablePermits={}, acquired={}, route={}",
+        availablePermits,
+        acquired,
+        route);
+
+    if (acquired) {
       log.debug("API security sampling is required for this request (presampled)");
       ctx.setKeepOpenForApiSecurityPostProcessing(true);
       return true;
diff --git a/dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java b/dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java
@@ -861,28 +861,17 @@ private NoopFlow onRequestEnded(RequestContext ctx_, IGSpanInfo spanInfo) {
     if (traceSeg != null) {
       // Set API Security sampling tags if needed
       if (sampledForApiSec && !apmTracingEnabled) {
-        log.info(
-            "[APPSEC-57815] Setting ASM_KEEP=true (API Security sampled, APM tracing disabled)");
         traceSeg.setTagTop(Tags.ASM_KEEP, true);
         // Must set _dd.p.ts locally so TraceCollector respects force-keep in standalone mode
         // (TraceCollector.java lines 67-74 ignore force-keep without _dd.p.ts when APM disabled)
         traceSeg.setTagTop(Tags.PROPAGATED_TRACE_SOURCE, ProductTraceSource.ASM);
-        // Verify the tag was set
-        Object asmKeepAfterSet = traceSeg.getTagTop(Tags.ASM_KEEP);
-        Object propagatedTsAfterSet = traceSeg.getTagTop(Tags.PROPAGATED_TRACE_SOURCE);
-        log.info(
-            "[APPSEC-57815] After setTagTop - ASM_KEEP: {}, _dd.p.ts: {}",
-            asmKeepAfterSet,
-            propagatedTsAfterSet);
       }
 
       traceSeg.setTagTop("_dd.appsec.enabled", 1);
       traceSeg.setTagTop("_dd.runtime_family", "jvm");
 
       Collection<AppSecEvent> collectedEvents = ctx.transferCollectedEvents();
 
-      log.info("[APPSEC-57815] Collected {} AppSec events", collectedEvents.size());
-
       for (TraceSegmentPostProcessor pp : this.traceSegmentPostProcessors) {
         pp.processTraceSegment(traceSeg, ctx, collectedEvents);
       }
@@ -895,11 +884,8 @@ private NoopFlow onRequestEnded(RequestContext ctx_, IGSpanInfo spanInfo) {
       // If detected any events - mark span at appsec.event
       if (!collectedEvents.isEmpty()) {
         boolean manuallyKept = ctx.isManuallyKept();
-        log.info("[APPSEC-57815] AppSec events detected - manuallyKept={}", manuallyKept);
         if (manuallyKept) {
           // Set asm keep in case that root span was not available when events are detected
-          log.info(
-              "[APPSEC-57815] Setting ASM_KEEP=true and _dd.p.ts=ASM (AppSec events + manually kept)");
           traceSeg.setTagTop(Tags.ASM_KEEP, true);
           traceSeg.setTagTop(Tags.PROPAGATED_TRACE_SOURCE, ProductTraceSource.ASM);
         }
@@ -963,29 +949,32 @@ private NoopFlow onRequestEnded(RequestContext ctx_, IGSpanInfo spanInfo) {
               );
     }
 
-    // Log final state of propagation tags from TraceSegment (not from spanInfo.getTags() which is
-    // immutable)
-    Object finalPropagatedTs = traceSeg.getTagTop(Tags.PROPAGATED_TRACE_SOURCE);
-    Object finalAsmKeep = traceSeg.getTagTop(Tags.ASM_KEEP);
-    log.info(
-        "[APPSEC-57815] Request ended - final state from TraceSegment: _dd.p.ts={}, _dd.appsec.keep={}",
-        finalPropagatedTs,
-        finalAsmKeep);
-
     ctx.close();
     return NoopFlow.INSTANCE;
   }
 
   private boolean maybeSampleForApiSecurity(
       AppSecRequestContext ctx, IGSpanInfo spanInfo, Map<String, Object> tags) {
     log.debug("Checking API Security for end of request handler on span: {}", spanInfo.getSpanId());
+
     // API Security sampling requires http.route tag.
     final Object route = tags.get(Tags.HTTP_ROUTE);
+    final String existingRoute = ctx.getRoute();
+
+    log.info(
+        "[APPSEC-57815] maybeSampleForApiSecurity called - spanId={}, route from tags={}, existingRoute={}, ctx.hashCode={}",
+        spanInfo.getSpanId(),
+        route,
+        existingRoute,
+        System.identityHashCode(ctx));
+
     if (route != null) {
       ctx.setRoute(route.toString());
     }
+
     ApiSecuritySampler requestSampler = requestSamplerSupplier.get();
     boolean sampled = requestSampler.preSampleRequest(ctx);
+
     log.info(
         "[APPSEC-57815] API Security sampling decision - route={}, sampled={}", route, sampled);
     return sampled;
