wip

Author: smola

dd-java-agent/appsec/src/main/java/com/datadog/appsec/AppSecSystem.java

@@ -23,15 +23,14 @@
 import datadog.trace.api.telemetry.ProductChange;
 import datadog.trace.api.telemetry.ProductChangeCollector;
 import datadog.trace.bootstrap.ActiveSubsystems;
+import datadog.trace.bootstrap.instrumentation.api.SpanPostProcessor;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.stream.Collectors;
-
-import datadog.trace.bootstrap.instrumentation.api.SpanPostProcessor;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -73,7 +72,8 @@ private static void doStart(SubscriptionService gw, SharedCommunicationObjects s
     ApiSecurityRequestSampler requestSampler;
     if (Config.get().isApiSecurityEnabled()) {
       requestSampler = new ApiSecurityRequestSampler();
-      SpanPostProcessor.Holder.INSTANCE = new AppSecSpanPostProcessor(requestSampler, REPLACEABLE_EVENT_PRODUCER);
+      SpanPostProcessor.Holder.INSTANCE =
+          new AppSecSpanPostProcessor(requestSampler, REPLACEABLE_EVENT_PRODUCER);
     } else {
       requestSampler = new ApiSecurityRequestSampler.NoOp();
     }

dd-java-agent/appsec/src/main/java/com/datadog/appsec/api/security/ApiSecurityRequestSampler.java

@@ -4,43 +4,52 @@
 import datadog.trace.api.time.SystemTimeSource;
 import datadog.trace.api.time.TimeSource;
 import datadog.trace.util.NonBlockingSemaphore;
-
-import javax.annotation.Nonnull;
 import java.util.Deque;
-import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ConcurrentLinkedDeque;
+import javax.annotation.Nonnull;
 
 public class ApiSecurityRequestSampler {
 
   /**
-   * A maximum number of request contexts we'll keep open past the end of request at any given time. This will avoid
-   * excessive memory usage in case of a high number of concurrent requests, and should also prevent memory leaks in
-   * case of a bug.
+   * A maximum number of request contexts we'll keep open past the end of request at any given time.
+   * This will avoid excessive memory usage in case of a high number of concurrent requests, and
+   * should also prevent memory leaks.
    */
   private static final int MAX_POST_PROCESSING_TASKS = 4;
+
   private static final int INTERVAL_SECONDS = 30;
   private static final int MAX_SIZE = 4096;
-  private final Map<Long, Long> apiAccessMap; // Map<hash, timestamp>
-  private final Deque<Long> apiAccessQueue; // hashes ordered by access time
+  /** Mapping from endpoint hash to last access timestamp in millis. */
+  private final ConcurrentHashMap<Long, Long> accessMap;
+  /** Deque of endpoint hashes ordered by access time. Oldest is always first. */
+  private final Deque<Long> accessDeque;
+
   private final long expirationTimeInMs;
   private final int capacity;
   private final TimeSource timeSource;
 
-  final NonBlockingSemaphore counter = NonBlockingSemaphore.withPermitCount(MAX_POST_PROCESSING_TASKS);
+  final NonBlockingSemaphore counter =
+      NonBlockingSemaphore.withPermitCount(MAX_POST_PROCESSING_TASKS);
 
   public ApiSecurityRequestSampler() {
     this(MAX_SIZE, INTERVAL_SECONDS * 1000, SystemTimeSource.INSTANCE);
   }
 
-  public ApiSecurityRequestSampler(int capacity, long expirationTimeInMs, @Nonnull TimeSource timeSource) {
+  public ApiSecurityRequestSampler(
+      int capacity, long expirationTimeInMs, @Nonnull TimeSource timeSource) {
     this.capacity = capacity;
     this.expirationTimeInMs = expirationTimeInMs;
-    this.apiAccessMap = new ConcurrentHashMap<>(MAX_SIZE);
-    this.apiAccessQueue = new ConcurrentLinkedDeque<>();
+    this.accessMap = new ConcurrentHashMap<>();
+    this.accessDeque = new ConcurrentLinkedDeque<>();
     this.timeSource = timeSource;
   }
 
+  /**
+   * Prepare a request context for later sampling decision. This method should be called at request
+   * end, and is thread-safe. If a request can potentially be sampled, this method will call {@link
+   * AppSecRequestContext#setKeepOpenForApiSecurityPostProcessing(boolean)}.
+   */
   public void preSampleRequest(final @Nonnull AppSecRequestContext ctx) {
     final String route = ctx.getRoute();
     if (route == null) {
@@ -64,69 +73,77 @@ public void preSampleRequest(final @Nonnull AppSecRequestContext ctx) {
     }
   }
 
+  /** Get the final sampling decision. This method is NOT thread-safe. */
   public boolean sampleRequest(AppSecRequestContext ctx) {
     if (ctx == null) {
       return false;
     }
     final Long hash = ctx.getApiSecurityEndpointHash();
     if (hash == null) {
+      // This should never happen, it should have been short-circuited before.
       return false;
     }
     return updateApiAccessIfExpired(hash);
   }
 
-  /**
-   * Updates the API access log with the given route, method, and status code. If the record already
-   * exists and is outdated, it is updated by moving to the end of the list. If the record does not
-   * exist, a new record is added. If the capacity limit is reached, the oldest record is removed.
-   * This method should not be called concurrently by multiple threads, due absence of additional
-   * synchronization for updating data structures is not required.
-   */
-  public boolean updateApiAccessIfExpired(final long hash) {
+  private boolean updateApiAccessIfExpired(final long hash) {
     final long currentTime = timeSource.getCurrentTimeMillis();
 
-    // New or updated record
-    boolean isNewOrUpdated = false;
-    if (!apiAccessMap.containsKey(hash)
-        || currentTime - apiAccessMap.get(hash) >= expirationTimeInMs) {
+    Long lastAccess = accessMap.get(hash);
+    if (lastAccess != null && currentTime - lastAccess < expirationTimeInMs) {
+      return false;
+    }
 
+    if (accessMap.put(hash, currentTime) == null) {
+      accessDeque.addLast(hash);
+      // If we added a new entry, we perform purging.
       cleanupExpiredEntries(currentTime);
-
-      apiAccessMap.put(hash, currentTime); // Update timestamp
-      // move hash to the end of the queue
-      apiAccessQueue.remove(hash);
-      apiAccessQueue.addLast(hash);
-      isNewOrUpdated = true;
-
-      // Remove the oldest hash if capacity is reached
-      while (apiAccessMap.size() > this.capacity) {
-        Long oldestHash = apiAccessQueue.pollFirst();
-        if (oldestHash != null) {
-          apiAccessMap.remove(oldestHash);
-        }
-      }
+    } else {
+      // This is now the most recently accessed entry.
+      accessDeque.remove(hash);
+      accessDeque.addLast(hash);
     }
 
-    return isNewOrUpdated;
+    return true;
   }
 
-  public boolean isApiAccessExpired(final long hash) {
-    long currentTime = timeSource.getCurrentTimeMillis();
-    return !apiAccessMap.containsKey(hash)
-        || currentTime - apiAccessMap.get(hash) >= expirationTimeInMs;
+  private boolean isApiAccessExpired(final long hash) {
+    final long currentTime = timeSource.getCurrentTimeMillis();
+    final Long lastAccess = accessMap.get(hash);
+    return lastAccess == null || currentTime - lastAccess >= expirationTimeInMs;
   }
 
   private void cleanupExpiredEntries(final long currentTime) {
-    while (!apiAccessQueue.isEmpty()) {
-      Long oldestHash = apiAccessQueue.peekFirst();
-      if (oldestHash == null) break;
-
-      Long lastAccessTime = apiAccessMap.get(oldestHash);
-      if (lastAccessTime == null || currentTime - lastAccessTime >= expirationTimeInMs) {
-        apiAccessQueue.pollFirst(); // remove from head
-        apiAccessMap.remove(oldestHash);
-      } else {
-        break; // is up-to-date
+    // Purge all expired entries.
+    while (!accessDeque.isEmpty()) {
+      final Long oldestHash = accessDeque.peekFirst();
+      if (oldestHash == null) {
+        // Should never happen
+        continue;
+      }
+
+      final Long lastAccessTime = accessMap.get(oldestHash);
+      if (lastAccessTime == null) {
+        // Should never  happen
+        continue;
+      }
+
+      if (currentTime - lastAccessTime < expirationTimeInMs) {
+        // The oldest hash is up-to-date, so stop here.
+        break;
+      }
+
+      accessDeque.pollFirst();
+      accessMap.remove(oldestHash);
+    }
+
+    // If we went over capacity, remove the oldest entries until we are within the limit.
+    // This should never be more than 1.
+    final int toRemove = accessMap.size() - this.capacity;
+    for (int i = 0; i < toRemove; i++) {
+      Long oldestHash = accessDeque.pollFirst();
+      if (oldestHash != null) {
+        accessMap.remove(oldestHash);
       }
     }
   }
@@ -145,13 +162,11 @@ public NoOp() {
     }
 
     @Override
-    public void preSampleRequest(@Nonnull AppSecRequestContext ctx) {
-    }
+    public void preSampleRequest(@Nonnull AppSecRequestContext ctx) {}
 
     @Override
     public boolean sampleRequest(AppSecRequestContext ctx) {
       return false;
     }
   }
-
 }

dd-java-agent/appsec/src/main/java/com/datadog/appsec/api/security/AppSecSpanPostProcessor.java

@@ -11,19 +11,19 @@
 import datadog.trace.api.gateway.RequestContextSlot;
 import datadog.trace.bootstrap.instrumentation.api.AgentSpan;
 import datadog.trace.bootstrap.instrumentation.api.SpanPostProcessor;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
 import java.util.Collections;
 import java.util.function.BooleanSupplier;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 public class AppSecSpanPostProcessor implements SpanPostProcessor {
 
   private static final Logger log = LoggerFactory.getLogger(AppSecSpanPostProcessor.class);
   private final ApiSecurityRequestSampler sampler;
   private final EventProducerService producerService;
 
-  public AppSecSpanPostProcessor(ApiSecurityRequestSampler sampler, EventProducerService producerService) {
+  public AppSecSpanPostProcessor(
+      ApiSecurityRequestSampler sampler, EventProducerService producerService) {
     this.sampler = sampler;
     this.producerService = producerService;
   }
@@ -63,21 +63,20 @@ public void process(AgentSpan span, BooleanSupplier timeoutCheck) {
   }
 
   private void maybeExtractSchemas(AppSecRequestContext ctx) {
-      final EventProducerService.DataSubscriberInfo sub = producerService.getDataSubscribers(KnownAddresses.WAF_CONTEXT_PROCESSOR);
-      if (sub == null|| sub.isEmpty()) {
-        return;
-      }
+    final EventProducerService.DataSubscriberInfo sub =
+        producerService.getDataSubscribers(KnownAddresses.WAF_CONTEXT_PROCESSOR);
+    if (sub == null || sub.isEmpty()) {
+      return;
+    }
 
-      final DataBundle bundle =
-          new SingletonDataBundle<>(
-              KnownAddresses.WAF_CONTEXT_PROCESSOR,
-              Collections.singletonMap("extract-schema", true));
-      try {
-        GatewayContext gwCtx = new GatewayContext(false);
-        producerService.publishDataEvent(sub, ctx, bundle, gwCtx);
-      } catch (ExpiredSubscriberInfoException e) {
-        log.debug("Subscriber info expired", e);
-      }
+    final DataBundle bundle =
+        new SingletonDataBundle<>(
+            KnownAddresses.WAF_CONTEXT_PROCESSOR, Collections.singletonMap("extract-schema", true));
+    try {
+      GatewayContext gwCtx = new GatewayContext(false);
+      producerService.publishDataEvent(sub, ctx, bundle, gwCtx);
+    } catch (ExpiredSubscriberInfoException e) {
+      log.debug("Subscriber info expired", e);
+    }
   }
-
 }

dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/AppSecRequestContext.java

@@ -600,12 +600,14 @@ public String getSessionId() {
   }
 
   /**
-   * Close the context and release all resources. This method is idempotent and can be called multiple times.
-   * For each root span, this method is always called from CoreTracer#onRootSpaPublished.
+   * Close the context and release all resources. This method is idempotent and can be called
+   * multiple times. For each root span, this method is always called from
+   * CoreTracer#onRootSpaPublished.
    */
   @Override
   public void close() {
-    // For API Security, we sometimes keep contexts open for late processing. In that case, this flag needs to be
+    // For API Security, we sometimes keep contexts open for late processing. In that case, this
+    // flag needs to be
     // later reset by the API Security post-processor and close must be called again.
     if (!keepOpenForApiSecurityPostProcessing) {
       closeAdditive();

dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java

@@ -41,7 +41,6 @@
 import datadog.trace.api.telemetry.WafMetricCollector;
 import datadog.trace.bootstrap.instrumentation.api.Tags;
 import datadog.trace.bootstrap.instrumentation.api.URIDataAdapter;
-import datadog.trace.util.NonBlockingSemaphore;
 import datadog.trace.util.stacktrace.StackTraceEvent;
 import datadog.trace.util.stacktrace.StackUtils;
 import java.net.URI;

dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/api/security/ApiSecurityRequestSamplerTest.groovy

@@ -4,8 +4,6 @@ import com.datadog.appsec.gateway.AppSecRequestContext
 import datadog.trace.api.time.ControllableTimeSource
 import datadog.trace.test.util.DDSpecification
 
-import java.time.Duration
-
 class ApiSecurityRequestSamplerTest extends DDSpecification {
 
   void 'happy path with single request'() {
@@ -163,6 +161,20 @@ class ApiSecurityRequestSamplerTest extends DDSpecification {
     !sampleDecision
   }
 
+  void 'sampleRequest with null hash'() {
+    // This case should never happen, as a request without a hash should have been short-circuited at multiple places
+    // before reaching this point. But checking just in case.
+    given:
+    def sampler = new ApiSecurityRequestSampler()
+    def ctx = createContext('route1', 'GET', 200)
+
+    when:
+    def sampleDecision = sampler.sampleRequest(ctx)
+
+    then:
+    !sampleDecision
+  }
+
   void 'sampleRequest honors expiration'() {
     given:
     def ctx = createContext('route1', 'GET', 200)
@@ -201,12 +213,51 @@ class ApiSecurityRequestSamplerTest extends DDSpecification {
     0 * _
   }
 
-  private AppSecRequestContext createContext(final String route, final String method, int statusCode) {
+  void 'internal accessMap never goes beyond capacity'() {
+    given:
+    final timeSource = new ControllableTimeSource()
+    timeSource.set(0)
+    final long expirationTimeInMs = 10_000
+    final int maxCapacity = 10
+    ApiSecurityRequestSampler sampler = new ApiSecurityRequestSampler(10, expirationTimeInMs, timeSource)
+
+    expect:
+    for (int i = 0; i < maxCapacity * 10; i++) {
+      timeSource.advance(1_000_000)
+      final ctx = createContext('route1', 'GET', 200 + 1)
+      ctx.setApiSecurityEndpointHash(i as long)
+      ctx.setKeepOpenForApiSecurityPostProcessing(true)
+      assert sampler.sampleRequest(ctx)
+      assert sampler.accessMap.size() <= maxCapacity
+    }
+  }
+
+  void 'expired entries are purged from internal accessMap'() {
+    given:
+    final timeSource = new ControllableTimeSource()
+    timeSource.set(0)
+    final long expirationTimeInMs = 10_000
+    final int maxCapacity = 10
+    ApiSecurityRequestSampler sampler = new ApiSecurityRequestSampler(10, expirationTimeInMs, timeSource)
+
+    expect:
+    for (int i = 0; i < maxCapacity * 10; i++) {
+      final ctx = createContext('route1', 'GET', 200 + 1)
+      ctx.setApiSecurityEndpointHash(i as long)
+      ctx.setKeepOpenForApiSecurityPostProcessing(true)
+      assert sampler.sampleRequest(ctx)
+      assert sampler.accessMap.size() <= 2
+      if (i % 2) {
+        timeSource.advance(expirationTimeInMs * 1_000_000)
+      }
+    }
+  }
+
+  private static AppSecRequestContext createContext(final String route, final String method, int statusCode) {
     final AppSecRequestContext ctx = new AppSecRequestContext()
     ctx.setRoute(route)
     ctx.setMethod(method)
     ctx.setResponseStatus(statusCode)
     ctx
   }
-
 }