wip

smola · smola · commit 75d66b945947 · 2025-02-24T16:37:12.000+01:00
diff --git a/dd-java-agent/appsec/src/main/java/com/datadog/appsec/api/security/ApiSecurityRequestSampler.java b/dd-java-agent/appsec/src/main/java/com/datadog/appsec/api/security/ApiSecurityRequestSampler.java
@@ -3,6 +3,7 @@
 import com.datadog.appsec.gateway.AppSecRequestContext;
 import datadog.trace.util.NonBlockingSemaphore;
 
+import javax.annotation.Nonnull;
 import java.util.Deque;
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
@@ -32,38 +33,42 @@ public ApiSecurityRequestSampler() {
   public ApiSecurityRequestSampler(int capacity, long expirationTimeInMs) {
     this.capacity = capacity;
     this.expirationTimeInMs = expirationTimeInMs;
-    this.apiAccessMap = new ConcurrentHashMap<>();
+    this.apiAccessMap = new ConcurrentHashMap<>(MAX_SIZE);
     this.apiAccessQueue = new ConcurrentLinkedDeque<>();
   }
 
-  public void preSampleRequest(final AppSecRequestContext ctx) {
-    if (!isValid(ctx)) {
+  public void preSampleRequest(final @Nonnull AppSecRequestContext ctx) {
+    final String route = ctx.getRoute();
+    if (route == null) {
       return;
     }
-
-    if (!isApiAccessExpired(ctx.getRoute(), ctx.getMethod(), ctx.getResponseStatus())) {
+    final String method = ctx.getMethod();
+    if (method == null) {
+      return;
+    }
+    final int statusCode = ctx.getResponseStatus();
+    if (statusCode == 0) {
+      return;
+    }
+    long hash = computeApiHash(route, method, statusCode);
+    ctx.setApiSecurityEndpointHash(hash);
+    if (!isApiAccessExpired(hash)) {
       return;
     }
-
     if (counter.acquire()) {
       ctx.setKeepOpenForApiSecurityPostProcessing(true);
     }
   }
 
   public boolean sampleRequest(AppSecRequestContext ctx) {
-    if (!isValid(ctx)) {
+    if (ctx == null) {
       return false;
     }
-
-    return updateApiAccessIfExpired(
-        ctx.getRoute(), ctx.getMethod(), ctx.getResponseStatus());
-  }
-
-  private boolean isValid(AppSecRequestContext ctx) {
-    return ctx != null
-        && ctx.getRoute() != null
-        && ctx.getMethod() != null
-        && ctx.getResponseStatus() != 0;
+    final Long hash = ctx.getApiSecurityEndpointHash();
+    if (hash == null) {
+      return false;
+    }
+    return updateApiAccessIfExpired(hash);
   }
 
   /**
@@ -72,15 +77,9 @@ private boolean isValid(AppSecRequestContext ctx) {
    * exist, a new record is added. If the capacity limit is reached, the oldest record is removed.
    * This method should not be called concurrently by multiple threads, due absence of additional
    * synchronization for updating data structures is not required.
-   *
-   * @param route The route of the API endpoint request
-   * @param method The method of the API request
-   * @param statusCode The HTTP response status code of the API request
-   * @return return true if the record was updated or added, false otherwise
    */
-  public boolean updateApiAccessIfExpired(String route, String method, int statusCode) {
-    long currentTime = System.currentTimeMillis();
-    long hash = computeApiHash(route, method, statusCode);
+  public boolean updateApiAccessIfExpired(final long hash) {
+    final long currentTime = System.currentTimeMillis();
 
     // New or updated record
     boolean isNewOrUpdated = false;
@@ -107,14 +106,13 @@ public boolean updateApiAccessIfExpired(String route, String method, int statusC
     return isNewOrUpdated;
   }
 
-  public boolean isApiAccessExpired(String route, String method, int statusCode) {
+  public boolean isApiAccessExpired(final long hash) {
     long currentTime = System.currentTimeMillis();
-    long hash = computeApiHash(route, method, statusCode);
     return !apiAccessMap.containsKey(hash)
         || currentTime - apiAccessMap.get(hash) > expirationTimeInMs;
   }
 
-  private void cleanupExpiredEntries(long currentTime) {
+  private void cleanupExpiredEntries(final long currentTime) {
     while (!apiAccessQueue.isEmpty()) {
       Long oldestHash = apiAccessQueue.peekFirst();
       if (oldestHash == null) break;
@@ -129,7 +127,7 @@ private void cleanupExpiredEntries(long currentTime) {
     }
   }
 
-  private long computeApiHash(String route, String method, int statusCode) {
+  private long computeApiHash(final String route, final String method, final int statusCode) {
     long result = 17;
     result = 31 * result + route.hashCode();
     result = 31 * result + method.hashCode();
@@ -143,7 +141,7 @@ public NoOp() {
     }
 
     @Override
-    public void preSampleRequest(AppSecRequestContext ctx) {
+    public void preSampleRequest(@Nonnull AppSecRequestContext ctx) {
     }
 
     @Override
diff --git a/dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/AppSecRequestContext.java b/dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/AppSecRequestContext.java
@@ -143,6 +143,7 @@ public class AppSecRequestContext implements DataBundle, Closeable {
   private volatile String sessionId;
 
   private volatile boolean keepOpenForApiSecurityPostProcessing;
+  private volatile Long apiSecurityEndpointHash;
 
   private static final AtomicIntegerFieldUpdater<AppSecRequestContext> WAF_TIMEOUTS_UPDATER =
       AtomicIntegerFieldUpdater.newUpdater(AppSecRequestContext.class, "wafTimeouts");
@@ -388,10 +389,6 @@ public String getRoute() {
   }
 
   public void setRoute(String route) {
-    if (this.route != null && this.route.compareToIgnoreCase(route) != 0) {
-      throw new IllegalStateException(
-          "Forbidden attempt to set different route for given request context");
-    }
     this.route = route;
   }
 
@@ -403,6 +400,14 @@ public boolean isKeepOpenForApiSecurityPostProcessing() {
     return this.keepOpenForApiSecurityPostProcessing;
   }
 
+  public void setApiSecurityEndpointHash(long hash) {
+    this.apiSecurityEndpointHash = hash;
+  }
+
+  public Long getApiSecurityEndpointHash() {
+    return this.apiSecurityEndpointHash;
+  }
+
   void addRequestHeader(String name, String value) {
     if (finishedRequestHeaders) {
       throw new IllegalStateException("Request headers were said to be finished before");
diff --git a/dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/api/security/ApiSecurityRequestSamplerTest.groovy b/dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/api/security/ApiSecurityRequestSamplerTest.groovy
@@ -7,55 +7,54 @@ class ApiSecurityRequestSamplerTest extends DDSpecification {
 
   void 'happy path with single request'() {
     given:
-    def ctx = Mock(AppSecRequestContext)
+    def ctx = Spy(createContext('route1', 'GET', 200))
     def sampler = new ApiSecurityRequestSampler()
 
     when:
     sampler.preSampleRequest(ctx)
 
     then:
-    _ * ctx.getRoute() >> 'route1'
-    _ * ctx.getMethod() >> 'GET'
-    _ * ctx.getResponseStatus() >> 200
+    1 * ctx.getRoute()
+    1 * ctx.getMethod()
+    1 * ctx.getResponseStatus()
     1 * ctx.setKeepOpenForApiSecurityPostProcessing(true)
+    1 * ctx.setApiSecurityEndpointHash(_)
     0 * _
 
     when:
     def sampleDecision = sampler.sampleRequest(ctx)
 
     then:
     sampleDecision
-    _ * ctx.getRoute() >> 'route1'
-    _ * ctx.getMethod() >> 'GET'
-    _ * ctx.getResponseStatus() >> 200
     _ * ctx.isKeepOpenForApiSecurityPostProcessing() >> true
+    1 * ctx.getApiSecurityEndpointHash()
     0 * _
   }
 
   void 'second request is not sampled for the same endpoint'() {
+    Long hash
     given:
-    AppSecRequestContext ctx1 = Mock(AppSecRequestContext)
-    AppSecRequestContext ctx2 = Mock(AppSecRequestContext)
+    AppSecRequestContext ctx1 = Spy(createContext('route1', 'GET', 200))
+    AppSecRequestContext ctx2 = Spy(createContext('route1', 'GET', 200))
     def sampler = new ApiSecurityRequestSampler()
 
     when:
     sampler.preSampleRequest(ctx1)
     def sampleDecision = sampler.sampleRequest(ctx1)
+    sampler.counter.release()
 
     then:
     sampleDecision
-    _ * ctx1.getRoute() >> 'route1'
-    _ * ctx1.getMethod() >> 'GET'
-    _ * ctx1.getResponseStatus() >> 200
     _ * _
 
     when:
     sampler.preSampleRequest(ctx2)
 
     then:
-    _ * ctx2.getRoute() >> 'route1'
-    _ * ctx2.getMethod() >> 'GET'
-    _ * ctx2.getResponseStatus() >> 200
+    1 * ctx2.getRoute()
+    1 * ctx2.getMethod()
+    1 * ctx2.getResponseStatus()
+    1 * ctx2.setApiSecurityEndpointHash(_)
     0 * ctx2.setKeepOpenForApiSecurityPostProcessing(_)
     0 * _
 
@@ -64,10 +63,98 @@ class ApiSecurityRequestSamplerTest extends DDSpecification {
 
     then:
     !sampleDecision
-    _ * ctx2.getRoute() >> 'route1'
-    _ * ctx2.getMethod() >> 'GET'
-    _ * ctx2.getResponseStatus() >> 200
+    1 * ctx2.getApiSecurityEndpointHash()
     0 * _
   }
 
+  void 'preSampleRequest with maximum concurrent contexts'() {
+    given:
+    final ctx1 = Spy(createContext('route2', 'GET', 200))
+    final ctx2 = Spy(createContext('route3', 'GET', 200))
+    final sampler = new ApiSecurityRequestSampler()
+    assert sampler.MAX_POST_PROCESSING_TASKS > 0
+
+    when: 'exhaust the maximum number of concurrent contexts'
+    for (int i = 0; i < sampler.MAX_POST_PROCESSING_TASKS; i++) {
+      sampler.preSampleRequest(createContext('route1', 'GET', 200 + i))
+    }
+
+    and: 'try to sample one more'
+    sampler.preSampleRequest(ctx1)
+
+    then:
+    1 * ctx1.getRoute()
+    1 * ctx1.getMethod()
+    1 * ctx1.getResponseStatus()
+    1 * ctx1.setApiSecurityEndpointHash(_)
+    0 * _
+
+    when: 'release one context'
+    sampler.counter.release()
+
+    and: 'next can be sampled'
+    sampler.preSampleRequest(ctx2)
+
+    then:
+    1 * ctx2.getRoute()
+    1 * ctx2.getMethod()
+    1 * ctx2.getResponseStatus()
+    1 * ctx2.setApiSecurityEndpointHash(_)
+    1 * ctx2.setKeepOpenForApiSecurityPostProcessing(true)
+    0 * _
+  }
+
+  void 'preSampleRequest with null route'() {
+    given:
+    def ctx = Spy(createContext(null, 'GET', 200))
+    def sampler = new ApiSecurityRequestSampler()
+
+    when:
+    def sampleDecision = sampler.preSampleRequest(ctx)
+
+    then:
+    !sampleDecision
+    1 * ctx.getRoute()
+    0 * _
+  }
+
+  void 'preSampleRequest with null method'() {
+    given:
+    def ctx = Spy(createContext('route1', null, 200))
+    def sampler = new ApiSecurityRequestSampler()
+
+    when:
+    def sampleDecision = sampler.preSampleRequest(ctx)
+
+    then:
+    !sampleDecision
+    1 * ctx.getRoute()
+    1 * ctx.getMethod()
+    0 * _
+  }
+
+  void 'preSampleRequest with 0 status code'() {
+    given:
+    def ctx = Spy(createContext('route1', 'GET', 0))
+    def sampler = new ApiSecurityRequestSampler()
+
+    when:
+    def sampleDecision = sampler.preSampleRequest(ctx)
+
+    then:
+    !sampleDecision
+    1 * ctx.getRoute()
+    1 * ctx.getMethod()
+    1 * ctx.getResponseStatus()
+    0 * _
+  }
+
+  private AppSecRequestContext createContext(final String route, final String method, int statusCode) {
+    final AppSecRequestContext ctx = new AppSecRequestContext()
+    ctx.setRoute(route)
+    ctx.setMethod(method)
+    ctx.setResponseStatus(statusCode)
+    ctx
+  }
+
 }
