HTTP response schema collection and data classification

Author: sezen-datadog

dd-java-agent/agent-bootstrap/src/main/java/datadog/trace/bootstrap/instrumentation/decorator/HttpServerDecorator.java

@@ -18,6 +18,7 @@
 import datadog.trace.api.gateway.IGSpanInfo;
 import datadog.trace.api.gateway.RequestContext;
 import datadog.trace.api.gateway.RequestContextSlot;
+import datadog.trace.api.http.StoredBodySupplier;
 import datadog.trace.api.naming.SpanNaming;
 import datadog.trace.bootstrap.ActiveSubsystems;
 import datadog.trace.bootstrap.instrumentation.api.AgentPropagation;
@@ -435,7 +436,8 @@ private Flow<Void> callIGCallbackRequestHeaders(AgentSpan span, REQUEST_CARRIER
           IGKeyClassifier.create(
               requestContext,
               cbp.getCallback(EVENTS.requestHeader()),
-              cbp.getCallback(EVENTS.requestHeaderDone()));
+              cbp.getCallback(EVENTS.requestHeaderDone()),
+              null);
       if (null != igKeyClassifier) {
         getter.forEachKey(carrier, igKeyClassifier);
         return igKeyClassifier.done();
@@ -491,7 +493,8 @@ public <RESP> Flow<Void> callIGCallbackResponseAndHeaders(
         IGKeyClassifier.create(
             requestContext,
             cbp.getCallback(EVENTS.responseHeader()),
-            cbp.getCallback(EVENTS.responseHeaderDone()));
+            cbp.getCallback(EVENTS.responseHeaderDone()),
+            cbp.getCallback(EVENTS.responseBodyDone()));
     if (null != igKeyClassifier) {
       contextVisitor.forEachKey(carrier, igKeyClassifier);
       return igKeyClassifier.done();
@@ -575,7 +578,8 @@ protected static final class IGKeyClassifier implements AgentPropagation.KeyClas
     public static IGKeyClassifier create(
         RequestContext requestContext,
         TriConsumer<RequestContext, String, String> headerCallback,
-        Function<RequestContext, Flow<Void>> doneCallback) {
+        Function<RequestContext, Flow<Void>> doneCallback,
+        BiFunction<RequestContext, StoredBodySupplier, Flow<Void>> bodyDoneCallback) {
       if (null == requestContext || null == headerCallback) {
         return null;
       }

dd-java-agent/appsec/src/main/java/com/datadog/appsec/event/data/KnownAddresses.java

@@ -48,7 +48,7 @@ public interface KnownAddresses {
   Address<Object> RESPONSE_BODY_OBJECT = new Address<>("server.response.body");
 
   /** First chars of HTTP response body */
-  Address<String> RESPONSE_BODY_RAW = new Address<>("server.response.body.raw");
+  Address<CharSequence> RESPONSE_BODY_RAW = new Address<>("server.response.body.raw");
 
   /** Reponse headers excluding cookies */
   Address<Map<String, List<String>>> RESPONSE_HEADERS_NO_COOKIES =

dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/AppSecRequestContext.java

@@ -98,6 +98,7 @@ public class AppSecRequestContext implements DataBundle, Closeable {
   private String inferredClientIp;
 
   private volatile StoredBodySupplier storedRequestBodySupplier;
+  private volatile StoredBodySupplier storedResponseBodySupplier;
   private String dbType;
 
   private int responseStatus;
@@ -106,6 +107,7 @@ public class AppSecRequestContext implements DataBundle, Closeable {
   private boolean rawReqBodyPublished;
   private boolean convertedReqBodyPublished;
   private boolean respDataPublished;
+  private boolean rawResBodyPublished;
   private boolean pathParamsPublished;
   private volatile Map<String, String> derivatives;
 
@@ -451,6 +453,10 @@ void setStoredRequestBodySupplier(StoredBodySupplier storedRequestBodySupplier)
     this.storedRequestBodySupplier = storedRequestBodySupplier;
   }
 
+  void setStoredResponseBodySupplier(StoredBodySupplier storedResponseBodySupplier) {
+    this.storedResponseBodySupplier = storedResponseBodySupplier;
+  }
+
   public String getDbType() {
     return dbType;
   }
@@ -503,10 +509,18 @@ public boolean isRespDataPublished() {
     return respDataPublished;
   }
 
+  public boolean isRawResBodyPublished() {
+    return rawResBodyPublished;
+  }
+
   public void setRespDataPublished(boolean respDataPublished) {
     this.respDataPublished = respDataPublished;
   }
 
+  public void setRawResBodyPublished(boolean rawResBodyPublished) {
+    this.rawResBodyPublished = rawResBodyPublished;
+  }
+
   /**
    * Updates the current used usr.id
    *
@@ -580,6 +594,15 @@ public CharSequence getStoredRequestBody() {
     return storedRequestBodySupplier.get();
   }
 
+  /** @return the portion of the body read so far, if any */
+  public CharSequence getStoredResponseBody() {
+    StoredBodySupplier storedResponseBodySupplier = this.storedResponseBodySupplier;
+    if (storedResponseBodySupplier == null) {
+      return null;
+    }
+    return storedResponseBodySupplier.get();
+  }
+
   public void reportEvents(Collection<AppSecEvent> appSecEvents) {
     for (AppSecEvent event : appSecEvents) {
       StandardizedLogging.attackDetected(log, event);

dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java

@@ -94,6 +94,7 @@ public class GatewayBridge {
   // subscriber cache
   private volatile DataSubscriberInfo initialReqDataSubInfo;
   private volatile DataSubscriberInfo rawRequestBodySubInfo;
+  private volatile DataSubscriberInfo rawResponseBodySubInfo;
   private volatile DataSubscriberInfo requestBodySubInfo;
   private volatile DataSubscriberInfo pathParamsSubInfo;
   private volatile DataSubscriberInfo respDataSubInfo;
@@ -141,6 +142,8 @@ public void init() {
     subscriptionService.registerCallback(EVENTS.responseStarted(), this::onResponseStarted);
     subscriptionService.registerCallback(EVENTS.responseHeader(), this::onResponseHeader);
     subscriptionService.registerCallback(EVENTS.responseHeaderDone(), this::onResponseHeaderDone);
+    subscriptionService.registerCallback(EVENTS.responseBodyStart(), this::onResponseBodyStart);
+    subscriptionService.registerCallback(EVENTS.responseBodyDone(), this::onResponseBodyDone);
     subscriptionService.registerCallback(EVENTS.grpcServerMethod(), this::onGrpcServerMethod);
     subscriptionService.registerCallback(
         EVENTS.grpcServerRequestMessage(), this::onGrpcServerRequestMessage);
@@ -602,7 +605,7 @@ private Flow<Void> onRequestBodyDone(RequestContext ctx_, StoredBodySupplier sup
       }
 
       CharSequence bodyContent = supplier.get();
-      if (bodyContent == null || bodyContent.length() == 0) {
+      if (bodyContent.length() == 0) {
         return NoopFlow.INSTANCE;
       }
       DataBundle bundle = new SingletonDataBundle<>(KnownAddresses.REQUEST_BODY_RAW, bodyContent);
@@ -615,6 +618,38 @@ private Flow<Void> onRequestBodyDone(RequestContext ctx_, StoredBodySupplier sup
     }
   }
 
+  private Flow<Void> onResponseBodyDone(RequestContext ctx_, StoredBodySupplier supplier) {
+    AppSecRequestContext ctx = ctx_.getData(RequestContextSlot.APPSEC);
+    if (ctx == null || ctx.isRawResBodyPublished()) {
+      return NoopFlow.INSTANCE;
+    }
+    ctx.setRawResBodyPublished(true);
+
+    while (true) {
+      DataSubscriberInfo subInfo = rawResponseBodySubInfo;
+      if (subInfo == null) {
+        subInfo = producerService.getDataSubscribers(KnownAddresses.RESPONSE_BODY_RAW);
+        rawResponseBodySubInfo = subInfo;
+      }
+      if (subInfo == null || subInfo.isEmpty()) {
+        return NoopFlow.INSTANCE;
+      }
+
+      CharSequence bodyContent = supplier.get();
+      if (bodyContent.length() == 0) {
+        return NoopFlow.INSTANCE;
+      }
+      DataBundle bundle =
+          new SingletonDataBundle<>(KnownAddresses.RESPONSE_BODY_OBJECT, bodyContent);
+      try {
+        GatewayContext gwCtx = new GatewayContext(false);
+        return producerService.publishDataEvent(subInfo, ctx, bundle, gwCtx);
+      } catch (ExpiredSubscriberInfoException e) {
+        rawResponseBodySubInfo = null;
+      }
+    }
+  }
+
   private Flow<Void> onRequestPathParams(RequestContext ctx_, Map<String, ?> data) {
     AppSecRequestContext ctx = ctx_.getData(RequestContextSlot.APPSEC);
     if (ctx == null || ctx.isPathParamsPublished()) {
@@ -651,6 +686,16 @@ private Void onRequestBodyStart(RequestContext ctx_, StoredBodySupplier supplier
     return null;
   }
 
+  private Void onResponseBodyStart(RequestContext ctx_, StoredBodySupplier supplier) {
+    AppSecRequestContext ctx = ctx_.getData(RequestContextSlot.APPSEC);
+    if (ctx == null) {
+      return null;
+    }
+
+    ctx.setStoredResponseBodySupplier(supplier);
+    return null;
+  }
+
   private Flow<AppSecRequestContext> onRequestStarted() {
     if (!AppSecSystem.isActive()) {
       return RequestContextSupplier.EMPTY;
@@ -962,8 +1007,12 @@ private Flow<Void> maybePublishResponseData(AppSecRequestContext ctx) {
 
     MapDataBundle bundle =
         MapDataBundle.of(
-            KnownAddresses.RESPONSE_STATUS, String.valueOf(ctx.getResponseStatus()),
-            KnownAddresses.RESPONSE_HEADERS_NO_COOKIES, ctx.getResponseHeaders());
+            KnownAddresses.RESPONSE_STATUS,
+            String.valueOf(ctx.getResponseStatus()),
+            KnownAddresses.RESPONSE_HEADERS_NO_COOKIES,
+            ctx.getResponseHeaders(),
+            KnownAddresses.RESPONSE_BODY_OBJECT,
+            ctx.getStoredResponseBody());
 
     while (true) {
       DataSubscriberInfo subInfo = respDataSubInfo;
@@ -1058,6 +1107,9 @@ private static class IGAppSecEventDependencies {
           KnownAddresses.REQUEST_BODY_RAW, l(EVENTS.requestBodyStart(), EVENTS.requestBodyDone()));
       DATA_DEPENDENCIES.put(KnownAddresses.REQUEST_PATH_PARAMS, l(EVENTS.requestPathParams()));
       DATA_DEPENDENCIES.put(KnownAddresses.REQUEST_BODY_OBJECT, l(EVENTS.requestBodyProcessed()));
+      DATA_DEPENDENCIES.put(
+          KnownAddresses.RESPONSE_BODY_RAW,
+          l(EVENTS.responseBodyStart(), EVENTS.responseBodyDone()));
     }
 
     private static Collection<datadog.trace.api.gateway.EventType<?>> l(

dd-smoke-tests/appsec/springboot/src/test/groovy/datadog/smoketest/appsec/SpringBootSmokeTest.groovy

@@ -219,6 +219,8 @@ class SpringBootSmokeTest extends AbstractAppSecServerSmokeTest {
 
     List<String> command = new ArrayList<>()
     command.add(javaPath())
+    // TODO delete when ure done testing
+    command.add("-agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=5005")
     command.addAll(defaultJavaProperties)
     command.addAll(defaultAppSecProperties)
     command.addAll((String[]) ["-jar", springBootShadowJar, "--server.port=${httpPort}"])

internal-api/src/main/java/datadog/trace/api/gateway/Events.java

@@ -312,6 +312,29 @@ public EventType<BiFunction<RequestContext, String, Flow<Void>>> shellCmd() {
     return (EventType<BiFunction<RequestContext, String, Flow<Void>>>) SHELL_CMD;
   }
 
+  static final int RESPONSE_BODY_START_ID = 26;
+
+  @SuppressWarnings("rawtypes")
+  private static final EventType RESPONSE_BODY_START =
+      new ET<>("response.body.started", RESPONSE_BODY_START_ID);
+  /** The request body has started being read */
+  @SuppressWarnings("unchecked")
+  public EventType<BiFunction<RequestContext, StoredBodySupplier, Void>> responseBodyStart() {
+    return (EventType<BiFunction<RequestContext, StoredBodySupplier, Void>>) RESPONSE_BODY_START;
+  }
+
+  static final int RESPONSE_BODY_DONE_ID = 27;
+
+  @SuppressWarnings("rawtypes")
+  private static final EventType RESPONSE_BODY_DONE =
+      new ET<>("response.body.done", RESPONSE_BODY_DONE_ID);
+  /** The request body is done being read */
+  @SuppressWarnings("unchecked")
+  public EventType<BiFunction<RequestContext, StoredBodySupplier, Flow<Void>>> responseBodyDone() {
+    return (EventType<BiFunction<RequestContext, StoredBodySupplier, Flow<Void>>>)
+        RESPONSE_BODY_DONE;
+  }
+
   static final int MAX_EVENTS = nextId.get();
 
   private static final class ET<T> extends EventType<T> {

internal-api/src/main/java/datadog/trace/api/gateway/InstrumentationGateway.java

@@ -22,6 +22,8 @@
 import static datadog.trace.api.gateway.Events.REQUEST_PATH_PARAMS_ID;
 import static datadog.trace.api.gateway.Events.REQUEST_SESSION_ID;
 import static datadog.trace.api.gateway.Events.REQUEST_STARTED_ID;
+import static datadog.trace.api.gateway.Events.RESPONSE_BODY_DONE_ID;
+import static datadog.trace.api.gateway.Events.RESPONSE_BODY_START_ID;
 import static datadog.trace.api.gateway.Events.RESPONSE_HEADER_DONE_ID;
 import static datadog.trace.api.gateway.Events.RESPONSE_HEADER_ID;
 import static datadog.trace.api.gateway.Events.RESPONSE_STARTED_ID;
@@ -315,6 +317,7 @@ public boolean equals(Object obj) {
                 return callback.equals(obj);
               }
             };
+      case RESPONSE_BODY_START_ID:
       case REQUEST_BODY_START_ID:
         return (C)
             new BiFunction<RequestContext, StoredBodySupplier, Void>() {
@@ -329,6 +332,7 @@ public Void apply(RequestContext ctx, StoredBodySupplier storedBodySupplier) {
                 }
               }
             };
+      case RESPONSE_BODY_DONE_ID:
       case REQUEST_BODY_DONE_ID:
         return (C)
             new BiFunction<RequestContext, StoredBodySupplier, Flow<Void>>() {