HTTP response schema collection and data classification

Author: sezen-datadog

dd-java-agent/agent-bootstrap/src/main/java/datadog/trace/bootstrap/instrumentation/decorator/HttpServerDecorator.java

@@ -36,6 +36,7 @@
 import datadog.trace.bootstrap.instrumentation.api.URIUtils;
 import datadog.trace.bootstrap.instrumentation.api.UTF8BytesString;
 import datadog.trace.bootstrap.instrumentation.decorator.http.ClientIpAddressResolver;
+import java.io.OutputStream;
 import java.net.InetAddress;
 import java.util.BitSet;
 import java.util.LinkedHashMap;
@@ -386,6 +387,12 @@ public AgentSpan onResponse(final AgentSpan span, final RESPONSE response) {
       final int status = status(response);
       onResponseStatus(span, status);
 
+      BiFunction<RequestContext, OutputStream, Void> start =
+          tracer().getUniversalCallbackProvider().getCallback(EVENTS.responseBodyStart());
+
+      final OutputStream responseBody = responseBody(response);
+      start.apply(span.getRequestContext(), responseBody);
+
       AgentPropagation.ContextVisitor<RESPONSE> getter = responseGetter();
       if (getter != null) {
         ResponseHeaderTagClassifier tagger =
@@ -396,23 +403,16 @@ public AgentSpan onResponse(final AgentSpan span, final RESPONSE response) {
       }
 
       if (!isAppSecOnResponseSeparate()) {
-        callIGCallbackResponseAndHeaders(span, response, status);
+        callIGCallbackResponseAndHeaders(span, response, status, responseBody);
       }
     }
     return span;
   }
 
-  //  @Override
-  //  public Span onError(final Span span, final Throwable throwable) {
-  //    assert span != null;
-  //    // FIXME
-  //    final Object status = span.getTag("http.status");
-  //    if (status == null || status.equals(200)) {
-  //      // Ensure status set correctly
-  //      span.setTag("http.status", 500);
-  //    }
-  //    return super.onError(span, throwable);
-  //  }
+  // TODO this should be abstract by the end of developments
+  protected OutputStream responseBody(RESPONSE response) {
+    return null;
+  }
 
   private AgentSpanContext.Extracted callIGCallbackStart(AgentSpanContext.Extracted context) {
     AgentTracer.TracerAPI tracer = tracer();
@@ -467,7 +467,8 @@ private Flow<Void> callIGCallbackRequestHeaders(AgentSpan span, REQUEST_CARRIER
           IGKeyClassifier.create(
               requestContext,
               cbp.getCallback(EVENTS.requestHeader()),
-              cbp.getCallback(EVENTS.requestHeaderDone()));
+              cbp.getCallback(EVENTS.requestHeaderDone()),
+              null);
       if (null != igKeyClassifier) {
         getter.forEachKey(carrier, igKeyClassifier);
         return igKeyClassifier.done();
@@ -496,21 +497,27 @@ private Flow<Void> callIGCallbackRequestSessionId(final AgentSpan span, final RE
   }
 
   private Flow<Void> callIGCallbackResponseAndHeaders(
-      AgentSpan span, RESPONSE carrier, int status) {
-    return callIGCallbackResponseAndHeaders(span, carrier, status, responseGetter());
+      AgentSpan span, RESPONSE carrier, int status, OutputStream responseBody) {
+    return callIGCallbackResponseAndHeaders(span, carrier, status, responseGetter(), responseBody);
   }
 
   public <RESP> Flow<Void> callIGCallbackResponseAndHeaders(
       AgentSpan span,
       RESP carrier,
       int status,
-      AgentPropagation.ContextVisitor<RESP> contextVisitor) {
+      AgentPropagation.ContextVisitor<RESP> contextVisitor,
+      OutputStream responseBody) {
     CallbackProvider cbp = tracer().getCallbackProvider(RequestContextSlot.APPSEC);
     RequestContext requestContext = span.getRequestContext();
     if (cbp == null || requestContext == null) {
       return Flow.ResultFlow.empty();
     }
 
+    BiFunction<RequestContext, OutputStream, Flow<Void>> responseBodyDone =
+        cbp.getCallback(EVENTS.responseBodyDone());
+    if (null != responseBodyDone) {
+      responseBodyDone.apply(requestContext, responseBody);
+    }
     BiFunction<RequestContext, Integer, Flow<Void>> addrCallback =
         cbp.getCallback(EVENTS.responseStarted());
     if (null != addrCallback) {
@@ -523,7 +530,8 @@ public <RESP> Flow<Void> callIGCallbackResponseAndHeaders(
         IGKeyClassifier.create(
             requestContext,
             cbp.getCallback(EVENTS.responseHeader()),
-            cbp.getCallback(EVENTS.responseHeaderDone()));
+            cbp.getCallback(EVENTS.responseHeaderDone()),
+            cbp.getCallback(EVENTS.responseBodyDone()));
     if (null != igKeyClassifier) {
       contextVisitor.forEachKey(carrier, igKeyClassifier);
       return igKeyClassifier.done();
@@ -607,7 +615,8 @@ protected static final class IGKeyClassifier implements AgentPropagation.KeyClas
     public static IGKeyClassifier create(
         RequestContext requestContext,
         TriConsumer<RequestContext, String, String> headerCallback,
-        Function<RequestContext, Flow<Void>> doneCallback) {
+        Function<RequestContext, Flow<Void>> doneCallback,
+        BiFunction<RequestContext, OutputStream, Flow<Void>> bodyDoneCallback) {
       if (null == requestContext || null == headerCallback) {
         return null;
       }

dd-java-agent/appsec/src/main/java/com/datadog/appsec/event/data/KnownAddresses.java

@@ -48,7 +48,7 @@ public interface KnownAddresses {
   Address<Object> RESPONSE_BODY_OBJECT = new Address<>("server.response.body");
 
   /** First chars of HTTP response body */
-  Address<String> RESPONSE_BODY_RAW = new Address<>("server.response.body.raw");
+  Address<CharSequence> RESPONSE_BODY_RAW = new Address<>("server.response.body.raw");
 
   /** Reponse headers excluding cookies */
   Address<Map<String, List<String>>> RESPONSE_HEADERS_NO_COOKIES =

dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/AppSecRequestContext.java

@@ -15,6 +15,7 @@
 import datadog.trace.api.internal.TraceSegment;
 import datadog.trace.util.stacktrace.StackTraceEvent;
 import java.io.Closeable;
+import java.io.OutputStream;
 import java.util.*;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ConcurrentLinkedQueue;
@@ -98,14 +99,17 @@ public class AppSecRequestContext implements DataBundle, Closeable {
   private String inferredClientIp;
 
   private volatile StoredBodySupplier storedRequestBodySupplier;
+  private volatile OutputStream storedResponseBodySupplier;
   private String dbType;
 
   private int responseStatus;
 
   private boolean reqDataPublished;
   private boolean rawReqBodyPublished;
   private boolean convertedReqBodyPublished;
+  private boolean convertedResBodyPublished;
   private boolean respDataPublished;
+  private boolean rawResBodyPublished;
   private boolean pathParamsPublished;
   private volatile Map<String, String> derivatives;
 
@@ -451,6 +455,10 @@ void setStoredRequestBodySupplier(StoredBodySupplier storedRequestBodySupplier)
     this.storedRequestBodySupplier = storedRequestBodySupplier;
   }
 
+  void setStoredResponseBodySupplier(OutputStream storedResponseBodySupplier) {
+    this.storedResponseBodySupplier = storedResponseBodySupplier;
+  }
+
   public String getDbType() {
     return dbType;
   }
@@ -495,18 +503,34 @@ public boolean isConvertedReqBodyPublished() {
     return convertedReqBodyPublished;
   }
 
+  public boolean isConvertedResBodyPublished() {
+    return convertedResBodyPublished;
+  }
+
   public void setConvertedReqBodyPublished(boolean convertedReqBodyPublished) {
     this.convertedReqBodyPublished = convertedReqBodyPublished;
   }
 
+  public void setConvertedResBodyPublished(boolean convertedResBodyPublished) {
+    this.convertedResBodyPublished = convertedResBodyPublished;
+  }
+
   public boolean isRespDataPublished() {
     return respDataPublished;
   }
 
+  public boolean isRawResBodyPublished() {
+    return rawResBodyPublished;
+  }
+
   public void setRespDataPublished(boolean respDataPublished) {
     this.respDataPublished = respDataPublished;
   }
 
+  public void setRawResBodyPublished(boolean rawResBodyPublished) {
+    this.rawResBodyPublished = rawResBodyPublished;
+  }
+
   /**
    * Updates the current used usr.id
    *
@@ -580,6 +604,14 @@ public CharSequence getStoredRequestBody() {
     return storedRequestBodySupplier.get();
   }
 
+  /** @return the contents of stream */
+  public CharSequence getStoredResponseBody() {
+    CharSequence storedResponseBody = null;
+    storedResponseBody =
+        this.storedResponseBodySupplier != null ? this.storedResponseBodySupplier.toString() : null;
+    return storedResponseBody;
+  }
+
   public void reportEvents(Collection<AppSecEvent> appSecEvents) {
     for (AppSecEvent event : appSecEvents) {
       StandardizedLogging.attackDetected(log, event);

dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java

@@ -37,6 +37,7 @@
 import datadog.trace.bootstrap.instrumentation.api.URIDataAdapter;
 import datadog.trace.util.stacktrace.StackTraceEvent;
 import datadog.trace.util.stacktrace.StackUtils;
+import java.io.OutputStream;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.nio.charset.Charset;
@@ -94,7 +95,9 @@ public class GatewayBridge {
   // subscriber cache
   private volatile DataSubscriberInfo initialReqDataSubInfo;
   private volatile DataSubscriberInfo rawRequestBodySubInfo;
+  private volatile DataSubscriberInfo rawResponseBodySubInfo;
   private volatile DataSubscriberInfo requestBodySubInfo;
+  private volatile DataSubscriberInfo responseBodySubInfo;
   private volatile DataSubscriberInfo pathParamsSubInfo;
   private volatile DataSubscriberInfo respDataSubInfo;
   private volatile DataSubscriberInfo grpcServerMethodSubInfo;
@@ -141,6 +144,8 @@ public void init() {
     subscriptionService.registerCallback(EVENTS.responseStarted(), this::onResponseStarted);
     subscriptionService.registerCallback(EVENTS.responseHeader(), this::onResponseHeader);
     subscriptionService.registerCallback(EVENTS.responseHeaderDone(), this::onResponseHeaderDone);
+    subscriptionService.registerCallback(EVENTS.responseBodyStart(), this::onResponseBodyStart);
+    subscriptionService.registerCallback(EVENTS.responseBodyDone(), this::onResponseBodyDone);
     subscriptionService.registerCallback(EVENTS.grpcServerMethod(), this::onGrpcServerMethod);
     subscriptionService.registerCallback(
         EVENTS.grpcServerRequestMessage(), this::onGrpcServerRequestMessage);
@@ -163,6 +168,10 @@ public void init() {
       subscriptionService.registerCallback(
           EVENTS.requestBodyProcessed(), this::onRequestBodyProcessed);
     }
+    if (additionalIGEvents.contains(EVENTS.responseBodyProcessed())) {
+      subscriptionService.registerCallback(
+          EVENTS.responseBodyProcessed(), this::onResponseBodyProcessed);
+    }
   }
 
   /**
@@ -172,7 +181,9 @@ public void init() {
   public void reset() {
     initialReqDataSubInfo = null;
     rawRequestBodySubInfo = null;
+    rawResponseBodySubInfo = null;
     requestBodySubInfo = null;
+    responseBodySubInfo = null;
     pathParamsSubInfo = null;
     respDataSubInfo = null;
     grpcServerMethodSubInfo = null;
@@ -584,6 +595,40 @@ private Flow<Void> onRequestBodyProcessed(RequestContext ctx_, Object obj) {
     }
   }
 
+  private Flow<Void> onResponseBodyProcessed(RequestContext ctx_, Object obj) {
+    AppSecRequestContext ctx = ctx_.getData(RequestContextSlot.APPSEC);
+    if (ctx == null) {
+      return NoopFlow.INSTANCE;
+    }
+
+    if (ctx.isConvertedResBodyPublished()) {
+      log.debug(
+          "Response body already published; will ignore new value of type {}", obj.getClass());
+      return NoopFlow.INSTANCE;
+    }
+    ctx.setConvertedResBodyPublished(true);
+
+    while (true) {
+      DataSubscriberInfo subInfo = responseBodySubInfo;
+      if (subInfo == null) {
+        subInfo = producerService.getDataSubscribers(KnownAddresses.RESPONSE_BODY_OBJECT);
+        responseBodySubInfo = subInfo;
+      }
+      if (subInfo == null || subInfo.isEmpty()) {
+        return NoopFlow.INSTANCE;
+      }
+      DataBundle bundle =
+          new SingletonDataBundle<>(
+              KnownAddresses.RESPONSE_BODY_OBJECT, ObjectIntrospection.convert(obj, ctx));
+      try {
+        GatewayContext gwCtx = new GatewayContext(false);
+        return producerService.publishDataEvent(subInfo, ctx, bundle, gwCtx);
+      } catch (ExpiredSubscriberInfoException e) {
+        responseBodySubInfo = null;
+      }
+    }
+  }
+
   private Flow<Void> onRequestBodyDone(RequestContext ctx_, StoredBodySupplier supplier) {
     AppSecRequestContext ctx = ctx_.getData(RequestContextSlot.APPSEC);
     if (ctx == null || ctx.isRawReqBodyPublished()) {
@@ -602,7 +647,7 @@ private Flow<Void> onRequestBodyDone(RequestContext ctx_, StoredBodySupplier sup
       }
 
       CharSequence bodyContent = supplier.get();
-      if (bodyContent == null || bodyContent.length() == 0) {
+      if (bodyContent.length() == 0) {
         return NoopFlow.INSTANCE;
       }
       DataBundle bundle = new SingletonDataBundle<>(KnownAddresses.REQUEST_BODY_RAW, bodyContent);
@@ -615,6 +660,38 @@ private Flow<Void> onRequestBodyDone(RequestContext ctx_, StoredBodySupplier sup
     }
   }
 
+  private Flow<Void> onResponseBodyDone(RequestContext ctx_, OutputStream supplier) {
+    AppSecRequestContext ctx = ctx_.getData(RequestContextSlot.APPSEC);
+    if (ctx == null || ctx.isRawResBodyPublished()) {
+      return NoopFlow.INSTANCE;
+    }
+    ctx.setRawResBodyPublished(true);
+
+    while (true) {
+      DataSubscriberInfo subInfo = responseBodySubInfo;
+      if (subInfo == null) {
+        subInfo = producerService.getDataSubscribers(KnownAddresses.RESPONSE_BODY_OBJECT);
+        responseBodySubInfo = subInfo;
+      }
+      if (subInfo == null || subInfo.isEmpty()) {
+        return NoopFlow.INSTANCE;
+      }
+
+      CharSequence bodyContent = supplier.toString();
+      if (bodyContent.length() == 0) {
+        return NoopFlow.INSTANCE;
+      }
+      DataBundle bundle =
+          new SingletonDataBundle<>(KnownAddresses.RESPONSE_BODY_OBJECT, bodyContent);
+      try {
+        GatewayContext gwCtx = new GatewayContext(false);
+        return producerService.publishDataEvent(subInfo, ctx, bundle, gwCtx);
+      } catch (ExpiredSubscriberInfoException e) {
+        responseBodySubInfo = null;
+      }
+    }
+  }
+
   private Flow<Void> onRequestPathParams(RequestContext ctx_, Map<String, ?> data) {
     AppSecRequestContext ctx = ctx_.getData(RequestContextSlot.APPSEC);
     if (ctx == null || ctx.isPathParamsPublished()) {
@@ -651,6 +728,16 @@ private Void onRequestBodyStart(RequestContext ctx_, StoredBodySupplier supplier
     return null;
   }
 
+  private Void onResponseBodyStart(RequestContext ctx_, OutputStream supplier) {
+    AppSecRequestContext ctx = ctx_.getData(RequestContextSlot.APPSEC);
+    if (ctx == null) {
+      return null;
+    }
+
+    ctx.setStoredResponseBodySupplier(supplier);
+    return null;
+  }
+
   private Flow<AppSecRequestContext> onRequestStarted() {
     if (!AppSecSystem.isActive()) {
       return RequestContextSupplier.EMPTY;
@@ -1014,8 +1101,10 @@ private Flow<Void> maybePublishResponseData(AppSecRequestContext ctx) {
 
     MapDataBundle bundle =
         MapDataBundle.of(
-            KnownAddresses.RESPONSE_STATUS, String.valueOf(ctx.getResponseStatus()),
-            KnownAddresses.RESPONSE_HEADERS_NO_COOKIES, ctx.getResponseHeaders());
+            KnownAddresses.RESPONSE_STATUS,
+            String.valueOf(ctx.getResponseStatus()),
+            KnownAddresses.RESPONSE_HEADERS_NO_COOKIES,
+            ctx.getResponseHeaders());
 
     while (true) {
       DataSubscriberInfo subInfo = respDataSubInfo;
@@ -1110,6 +1199,10 @@ private static class IGAppSecEventDependencies {
           KnownAddresses.REQUEST_BODY_RAW, l(EVENTS.requestBodyStart(), EVENTS.requestBodyDone()));
       DATA_DEPENDENCIES.put(KnownAddresses.REQUEST_PATH_PARAMS, l(EVENTS.requestPathParams()));
       DATA_DEPENDENCIES.put(KnownAddresses.REQUEST_BODY_OBJECT, l(EVENTS.requestBodyProcessed()));
+      DATA_DEPENDENCIES.put(
+          KnownAddresses.RESPONSE_BODY_RAW,
+          l(EVENTS.responseBodyStart(), EVENTS.responseBodyDone()));
+      DATA_DEPENDENCIES.put(KnownAddresses.RESPONSE_BODY_OBJECT, l(EVENTS.responseBodyProcessed()));
     }
 
     private static Collection<datadog.trace.api.gateway.EventType<?>> l(