wip

Author: smola

dd-java-agent/appsec/src/main/java/com/datadog/appsec/config/AppSecConfigServiceImpl.java

@@ -2,7 +2,6 @@
 
 import static com.datadog.appsec.util.StandardizedLogging.RulesInvalidReason.INVALID_JSON_FILE;
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_ACTIVATION;
-import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_API_SECURITY_SAMPLE_RATE;
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_AUTO_USER_INSTRUM_MODE;
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_CUSTOM_BLOCKING_RESPONSE;
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_CUSTOM_RULES;
@@ -196,7 +195,6 @@ private void subscribeAsmFeatures() {
       log.debug("Will not subscribe report CAPABILITY_ASM_ACTIVATION (AppSec explicitly enabled)");
     }
     this.configurationPoller.addCapabilities(CAPABILITY_ASM_AUTO_USER_INSTRUM_MODE);
-    this.configurationPoller.addCapabilities(CAPABILITY_ASM_API_SECURITY_SAMPLE_RATE);
   }
 
   private void distributeSubConfigurations(
@@ -358,7 +356,6 @@ public void close() {
             | CAPABILITY_ASM_CUSTOM_RULES
             | CAPABILITY_ASM_CUSTOM_BLOCKING_RESPONSE
             | CAPABILITY_ASM_TRUSTED_IPS
-            | CAPABILITY_ASM_API_SECURITY_SAMPLE_RATE
             | CAPABILITY_ASM_RASP_SQLI
             | CAPABILITY_ASM_RASP_SSRF
             | CAPABILITY_ASM_RASP_LFI

dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/api/security/AppSecSpanPostProcessorTest.groovy

@@ -2,8 +2,10 @@ package com.datadog.appsec.api.security
 
 import com.datadog.appsec.event.EventProducerService
 import com.datadog.appsec.event.ExpiredSubscriberInfoException
+import com.datadog.appsec.event.data.KnownAddresses
 import com.datadog.appsec.gateway.AppSecRequestContext
 import datadog.trace.api.gateway.RequestContext
+import datadog.trace.api.internal.TraceSegment
 import datadog.trace.bootstrap.instrumentation.api.AgentSpan
 import datadog.trace.test.util.DDSpecification
 
@@ -16,6 +18,7 @@ class AppSecSpanPostProcessorTest extends DDSpecification {
     def subInfo = Mock(EventProducerService.DataSubscriberInfo)
     def span = Mock(AgentSpan)
     def reqCtx = Mock(RequestContext)
+    def traceSegment = Mock(TraceSegment)
     def ctx = Mock(AppSecRequestContext)
     def processor = new AppSecSpanPostProcessor(sampler, producer)
 
@@ -28,9 +31,11 @@ class AppSecSpanPostProcessorTest extends DDSpecification {
     1 * reqCtx.getData(_) >> ctx
     1 * ctx.isKeepOpenForApiSecurityPostProcessing() >> true
     1 * sampler.sampleRequest(_) >> true
-    1 * producer.getDataSubscribers(_) >> subInfo
+    1 * reqCtx.getTraceSegment() >> traceSegment
+    1 * producer.getDataSubscribers(KnownAddresses.WAF_CONTEXT_PROCESSOR) >> subInfo
     1 * subInfo.isEmpty() >> false
     1 * producer.publishDataEvent(_, ctx, _, _)
+    1 * ctx.commitDerivatives(traceSegment)
     1 * ctx.setKeepOpenForApiSecurityPostProcessing(false)
     1 * ctx.close()
     1 * sampler.releaseOne()
@@ -67,6 +72,7 @@ class AppSecSpanPostProcessorTest extends DDSpecification {
     def producer = Mock(EventProducerService)
     def span = Mock(AgentSpan)
     def reqCtx = Mock(RequestContext)
+    def traceSegment = Mock(TraceSegment)
     def ctx = Mock(AppSecRequestContext)
     def processor = new AppSecSpanPostProcessor(sampler, producer)
 
@@ -79,6 +85,7 @@ class AppSecSpanPostProcessorTest extends DDSpecification {
     1 * reqCtx.getData(_) >> ctx
     1 * ctx.isKeepOpenForApiSecurityPostProcessing() >> true
     1 * sampler.sampleRequest(_) >> true
+    1 * reqCtx.getTraceSegment() >> traceSegment
     1 * producer.getDataSubscribers(_) >> null
     1 * ctx.setKeepOpenForApiSecurityPostProcessing(false)
     1 * ctx.close() >> { throw new RuntimeException() }
@@ -184,6 +191,7 @@ class AppSecSpanPostProcessorTest extends DDSpecification {
     def subInfo = Mock(EventProducerService.DataSubscriberInfo)
     def span = Mock(AgentSpan)
     def reqCtx = Mock(RequestContext)
+    def traceSegment = Mock(TraceSegment)
     def ctx = Mock(AppSecRequestContext)
     def processor = new AppSecSpanPostProcessor(sampler, producer)
 
@@ -196,6 +204,7 @@ class AppSecSpanPostProcessorTest extends DDSpecification {
     1 * reqCtx.getData(_) >> ctx
     1 * ctx.isKeepOpenForApiSecurityPostProcessing() >> true
     1 * sampler.sampleRequest(_) >> true
+    1 * reqCtx.getTraceSegment() >> traceSegment
     1 * producer.getDataSubscribers(_) >> subInfo
     1 * subInfo.isEmpty() >> true
     1 * ctx.setKeepOpenForApiSecurityPostProcessing(false)
@@ -211,6 +220,7 @@ class AppSecSpanPostProcessorTest extends DDSpecification {
     def subInfo = Mock(EventProducerService.DataSubscriberInfo)
     def span = Mock(AgentSpan)
     def reqCtx = Mock(RequestContext)
+    def traceSegment = Mock(TraceSegment)
     def ctx = Mock(AppSecRequestContext)
     def processor = new AppSecSpanPostProcessor(sampler, producer)
 
@@ -223,6 +233,7 @@ class AppSecSpanPostProcessorTest extends DDSpecification {
     1 * reqCtx.getData(_) >> ctx
     1 * ctx.isKeepOpenForApiSecurityPostProcessing() >> true
     1 * sampler.sampleRequest(_) >> true
+    1 * reqCtx.getTraceSegment() >> traceSegment
     1 * producer.getDataSubscribers(_) >> subInfo
     1 * subInfo.isEmpty() >> false
     1 * producer.publishDataEvent(_, ctx, _, _) >> { throw new ExpiredSubscriberInfoException() }

dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/gateway/GatewayBridgeSpecification.groovy

@@ -81,9 +81,7 @@ class GatewayBridgeSpecification extends DDSpecification {
   }
 
   TraceSegmentPostProcessor pp = Mock()
-  ApiSecurityRequestSampler requestSampler = Mock(ApiSecurityRequestSampler) {
-    preSampleRequest(_ as AppSecRequestContext) >> false
-  }
+  ApiSecurityRequestSampler requestSampler = Mock(ApiSecurityRequestSampler)
   GatewayBridge bridge = new GatewayBridge(ig, eventDispatcher, requestSampler, [pp])
 
   Supplier<Flow<AppSecRequestContext>> requestStartedCB
@@ -451,7 +449,6 @@ class GatewayBridgeSpecification extends DDSpecification {
     1 * ig.registerCallback(EVENTS.shellCmd(), _) >> { shellCmdCB = it[1]; null }
     1 * ig.registerCallback(EVENTS.user(), _) >> { userCB = it[1]; null }
     1 * ig.registerCallback(EVENTS.loginEvent(), _) >> { loginEventCB = it[1]; null }
-    1 * ig.registerCallback(EVENTS.postProcessing(), _) >> { postProcessingCB = it[1]; null }
     0 * ig.registerCallback(_, _)
 
     bridge.init()

dd-trace-api/src/main/java/datadog/trace/api/ConfigDefaults.java

@@ -107,7 +107,6 @@ public final class ConfigDefaults {
   static final boolean DEFAULT_APPSEC_WAF_METRICS = true;
   static final int DEFAULT_APPSEC_WAF_TIMEOUT = 100000; // 0.1 s
   static final boolean DEFAULT_API_SECURITY_ENABLED = false;
-  static final float DEFAULT_API_SECURITY_REQUEST_SAMPLE_RATE = 0.1f; // 10 %
   static final float DEFAULT_API_SECURITY_SAMPLE_DELAY = 30.0f;
   static final boolean DEFAULT_APPSEC_RASP_ENABLED = true;
   static final boolean DEFAULT_APPSEC_STACK_TRACE_ENABLED = true;

dd-trace-api/src/main/java/datadog/trace/api/config/AppSecConfig.java

@@ -26,7 +26,6 @@ public final class AppSecConfig {
   public static final String API_SECURITY_ENABLED = "api-security.enabled";
   public static final String API_SECURITY_ENABLED_EXPERIMENTAL =
       "experimental.api-security.enabled";
-  public static final String API_SECURITY_REQUEST_SAMPLE_RATE = "api-security.request.sample.rate";
   public static final String API_SECURITY_SAMPLE_DELAY = "api-security.sample.delay";
 
   public static final String APPSEC_SCA_ENABLED = "appsec.sca.enabled";

internal-api/src/main/java/datadog/trace/api/Config.java

@@ -288,7 +288,6 @@ public static String getHostName() {
   private final int appSecMaxStackTraces;
   private final int appSecMaxStackTraceDepth;
   private final boolean apiSecurityEnabled;
-  private final float apiSecurityRequestSampleRate;
   private final float apiSecuritySampleDelay;
 
   private final IastDetectionMode iastDetectionMode;
@@ -1315,9 +1314,6 @@ PROFILING_DATADOG_PROFILER_ENABLED, isDatadogProfilerSafeInCurrentEnvironment())
     apiSecurityEnabled =
         configProvider.getBoolean(
             API_SECURITY_ENABLED, DEFAULT_API_SECURITY_ENABLED, API_SECURITY_ENABLED_EXPERIMENTAL);
-    apiSecurityRequestSampleRate =
-        configProvider.getFloat(
-            API_SECURITY_REQUEST_SAMPLE_RATE, DEFAULT_API_SECURITY_REQUEST_SAMPLE_RATE);
     apiSecuritySampleDelay =
         configProvider.getFloat(API_SECURITY_SAMPLE_DELAY, DEFAULT_API_SECURITY_SAMPLE_DELAY);
 
@@ -2650,10 +2646,6 @@ public boolean isApiSecurityEnabled() {
     return apiSecurityEnabled;
   }
 
-  public float getApiSecurityRequestSampleRate() {
-    return apiSecurityRequestSampleRate;
-  }
-
   public float getApiSecuritySampleDelay() {
     return apiSecuritySampleDelay;
   }

internal-api/src/main/java/datadog/trace/bootstrap/instrumentation/api/SpanPostProcessor.java

@@ -27,7 +27,7 @@ class Holder {
 
     // XXX: At the moment, a single post-processor can be registered, and only AppSec defines one.
     // If other products add their own, we'll need to refactor this to support multiple processors.
-    @Nonnull public static volatile SpanPostProcessor INSTANCE = NOOP;
+    public static volatile SpanPostProcessor INSTANCE = NOOP;
   }
 
   class NoOpSpanPostProcessor implements SpanPostProcessor {