Added preSampler for short-circuit Api Security

Author: ValentinZakharov

dd-java-agent/appsec/src/main/java/com/datadog/appsec/api/security/ApiAccessTracker.java

@@ -77,6 +77,13 @@ public boolean updateApiAccessIfExpired(String route, String method, int statusC
     return isNewOrUpdated;
   }
 
+  public boolean isApiAccessExpired(String route, String method, int statusCode) {
+    long currentTime = System.currentTimeMillis();
+    long hash = computeApiHash(route, method, statusCode);
+    return !apiAccessMap.containsKey(hash)
+        || currentTime - apiAccessMap.get(hash) > expirationTimeInMs;
+  }
+
   private void cleanupExpiredEntries(long currentTime) {
     while (!apiAccessQueue.isEmpty()) {
       Long oldestHash = apiAccessQueue.peekFirst();

dd-java-agent/appsec/src/main/java/com/datadog/appsec/api/security/ApiSecurityRequestSampler.java

@@ -14,25 +14,28 @@ public ApiSecurityRequestSampler(final Config config) {
   }
 
   public boolean sampleRequest(AppSecRequestContext ctx) {
-    if (!config.isApiSecurityEnabled() || ctx == null) {
+    if (!isValid(ctx)) {
       return false;
     }
 
-    String route = ctx.getRoute();
-    if (route == null) {
-      return false;
-    }
+    return apiAccessTracker.updateApiAccessIfExpired(
+        ctx.getRoute(), ctx.getMethod(), ctx.getResponseStatus());
+  }
 
-    String method = ctx.getMethod();
-    if (method == null) {
+  public boolean preSampleRequest(AppSecRequestContext ctx) {
+    if (!isValid(ctx)) {
       return false;
     }
 
-    int statusCode = ctx.getResponseStatus();
-    if (statusCode == 0) {
-      return false;
-    }
+    return apiAccessTracker.isApiAccessExpired(
+        ctx.getRoute(), ctx.getMethod(), ctx.getResponseStatus());
+  }
 
-    return apiAccessTracker.updateApiAccessIfExpired(route, method, statusCode);
+  private boolean isValid(AppSecRequestContext ctx) {
+    return config.isApiSecurityEnabled()
+        && ctx != null
+        && ctx.getRoute() != null
+        && ctx.getMethod() != null
+        && ctx.getResponseStatus() != 0;
   }
 }

dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java

@@ -10,7 +10,6 @@
 import static datadog.trace.api.UserIdCollectionMode.DISABLED;
 import static datadog.trace.api.UserIdCollectionMode.SDK;
 import static datadog.trace.api.telemetry.LogCollector.SEND_TELEMETRY;
-import static datadog.trace.bootstrap.instrumentation.api.AgentTracer.activeSpan;
 import static datadog.trace.util.Strings.toHexString;
 
 import com.datadog.appsec.AppSecSystem;
@@ -767,6 +766,7 @@ private NoopFlow onRequestEnded(RequestContext ctx_, IGSpanInfo spanInfo) {
     }
 
     TraceSegment traceSeg = ctx_.getTraceSegment();
+    Map<String, Object> tags = spanInfo.getTags();
 
     // AppSec report metric and events for web span only
     if (traceSeg != null) {
@@ -788,7 +788,7 @@ private NoopFlow onRequestEnded(RequestContext ctx_, IGSpanInfo spanInfo) {
         traceSeg.setTagTop("network.client.ip", ctx.getPeerAddress());
 
         // Reflect client_ip as actor.ip for backward compatibility
-        Object clientIp = spanInfo.getTags().get(Tags.HTTP_CLIENT_IP);
+        Object clientIp = tags.get(Tags.HTTP_CLIENT_IP);
         if (clientIp != null) {
           traceSeg.setTagTop("actor.ip", clientIp);
         }
@@ -829,10 +829,15 @@ private NoopFlow onRequestEnded(RequestContext ctx_, IGSpanInfo spanInfo) {
     }
 
     // Route used in post-processing
-    Object route = spanInfo.getTags().get(Tags.HTTP_ROUTE);
+    Object route = tags.get(Tags.HTTP_ROUTE);
     if (route instanceof String) {
       ctx.setRoute((String) route);
     }
+    if (requestSampler.preSampleRequest(ctx)) {
+      // The request is pre-sampled - we need to post-process it
+      spanInfo.setRequiresPostProcessing(true);
+    }
+
     return NoopFlow.INSTANCE;
   }
 
@@ -1027,7 +1032,6 @@ private Flow<Void> maybePublishRequestData(AppSecRequestContext ctx) {
 
       try {
         GatewayContext gwCtx = new GatewayContext(false);
-        activeSpan().getLocalRootSpan().setRequiresPostProcessing(true);
         return producerService.publishDataEvent(subInfo, ctx, bundle, gwCtx);
       } catch (ExpiredSubscriberInfoException e) {
         this.initialReqDataSubInfo = null;

dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/api/security/ApiSecurityRequestSamplerTest.groovy

@@ -15,7 +15,7 @@ class ApiSecurityRequestSamplerTest extends DDSpecification {
   void 'Api Security Sample Request'() {
     when:
     def span = Mock(AppSecRequestContext) {
-      getSavedRawURI() >> route
+      getRoute() >> route
       getMethod() >> method
       getResponseStatus() >> statusCode
     }

dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/gateway/GatewayBridgeSpecification.groovy

@@ -1,6 +1,7 @@
 package com.datadog.appsec.gateway
 
 import com.datadog.appsec.AppSecSystem
+import com.datadog.appsec.api.security.ApiSecurityRequestSampler
 import com.datadog.appsec.config.TraceSegmentPostProcessor
 import com.datadog.appsec.event.EventDispatcher
 import com.datadog.appsec.event.EventProducerService
@@ -79,7 +80,10 @@ class GatewayBridgeSpecification extends DDSpecification {
   }
 
   TraceSegmentPostProcessor pp = Mock()
-  GatewayBridge bridge = new GatewayBridge(ig, eventDispatcher, null, [pp])
+  ApiSecurityRequestSampler requestSampler = Mock(ApiSecurityRequestSampler) {
+    preSampleRequest(_ as AppSecRequestContext) >> false
+  }
+  GatewayBridge bridge = new GatewayBridge(ig, eventDispatcher, requestSampler, [pp])
 
   Supplier<Flow<AppSecRequestContext>> requestStartedCB
   BiFunction<RequestContext, AgentSpan, Flow<Void>> requestEndedCB
@@ -164,7 +168,6 @@ class GatewayBridgeSpecification extends DDSpecification {
     1 * spanInfo.getTags() >> ['http.client_ip': '1.1.1.1']
     1 * mockAppSecCtx.transferCollectedEvents() >> [event]
     1 * mockAppSecCtx.peerAddress >> '2001::1'
-    1 * mockAppSecCtx.close()
     1 * traceSegment.setTagTop("_dd.appsec.enabled", 1)
     1 * traceSegment.setTagTop("_dd.runtime_family", "jvm")
     1 * traceSegment.setTagTop('appsec.event', true)
@@ -974,7 +977,9 @@ class GatewayBridgeSpecification extends DDSpecification {
       getData(RequestContextSlot.APPSEC) >> mockAppSecCtx
       getTraceSegment() >> traceSegment
     }
-    final spanInfo = Mock(AgentSpan)
+    final spanInfo = Mock(AgentSpan) {
+      getTags() >> ['http.route':'/']
+    }
 
     when:
     requestEndedCB.apply(mockCtx, spanInfo)