appsec/resteasy: capture arbitrary body objects too

cataphract · cataphract · commit 7fa2f9b4ecff · 2022-02-21T18:04:52.000Z
diff --git a/dd-java-agent/instrumentation/resteasy-appsec/resteasy-appsec.gradle b/dd-java-agent/instrumentation/resteasy-appsec/resteasy-appsec.gradle
@@ -22,6 +22,7 @@ dependencies {
   compileOnly group: 'org.jboss.resteasy', name: 'resteasy-jaxrs', version: '3.0.0.Final'
 
   testFixturesApi group: 'org.jboss.resteasy', name: 'resteasy-jaxrs', version: '3.0.0.Final'
+  testFixturesApi group: 'org.jboss.resteasy', name: 'resteasy-jackson-provider', version: '3.0.0.Final'
   testFixturesImplementation project(':dd-java-agent:testing'), {
     exclude group: 'org.eclipse.jetty', module: 'jetty-server'
   }
diff --git a/dd-java-agent/instrumentation/resteasy-appsec/src/main/java/datadog/trace/instrumentation/resteasy/MessageBodyReaderInvocationInstrumentation.java b/dd-java-agent/instrumentation/resteasy-appsec/src/main/java/datadog/trace/instrumentation/resteasy/MessageBodyReaderInvocationInstrumentation.java
@@ -0,0 +1,64 @@
+package datadog.trace.instrumentation.resteasy;
+
+import static datadog.trace.agent.tooling.bytebuddy.matcher.NameMatchers.nameEndsWith;
+import static datadog.trace.agent.tooling.bytebuddy.matcher.NameMatchers.named;
+import static datadog.trace.api.gateway.Events.EVENTS;
+import static datadog.trace.bootstrap.instrumentation.api.AgentTracer.activeSpan;
+import static net.bytebuddy.matcher.ElementMatchers.takesArgument;
+import static net.bytebuddy.matcher.ElementMatchers.takesArguments;
+
+import com.google.auto.service.AutoService;
+import datadog.trace.agent.tooling.Instrumenter;
+import datadog.trace.api.function.BiFunction;
+import datadog.trace.api.gateway.CallbackProvider;
+import datadog.trace.api.gateway.Flow;
+import datadog.trace.api.gateway.RequestContext;
+import datadog.trace.bootstrap.instrumentation.api.AgentSpan;
+import datadog.trace.bootstrap.instrumentation.api.AgentTracer;
+import net.bytebuddy.asm.Advice;
+
+@AutoService(Instrumenter.class)
+public class MessageBodyReaderInvocationInstrumentation extends Instrumenter.AppSec
+    implements Instrumenter.ForKnownTypes {
+
+  public MessageBodyReaderInvocationInstrumentation() {
+    super("resteasy");
+  }
+
+  @Override
+  public String[] knownMatchingTypes() {
+    return new String[] {"org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext"};
+  }
+
+  @Override
+  public void adviceTransformations(AdviceTransformation transformation) {
+    transformation.applyAdvice(
+        named("readFrom")
+            .and(takesArguments(1))
+            .and(takesArgument(0, nameEndsWith(".MessageBodyReader"))),
+        MessageBodyReaderInvocationInstrumentation.class.getName()
+            + "$AbstractReaderInterceptorAdvice");
+  }
+
+  public static class AbstractReaderInterceptorAdvice {
+    @Advice.OnMethodExit(suppress = Throwable.class)
+    static void after(@Advice.Return final Object ret) {
+      if (ret == null) {
+        return;
+      }
+      AgentSpan agentSpan = activeSpan();
+      if (agentSpan == null) {
+        return;
+      }
+
+      CallbackProvider cbp = AgentTracer.get().instrumentationGateway();
+      BiFunction<RequestContext<Object>, Object, Flow<Void>> callback =
+          cbp.getCallback(EVENTS.requestBodyProcessed());
+      RequestContext<Object> requestContext = agentSpan.getRequestContext();
+      if (requestContext == null || callback == null) {
+        return;
+      }
+      callback.apply(requestContext, ret);
+    }
+  }
+}
diff --git a/dd-java-agent/instrumentation/resteasy-appsec/src/testFixtures/groovy/datadog/trace/instrumentation/resteasy/AbstractResteasyAppsecTest.groovy b/dd-java-agent/instrumentation/resteasy-appsec/src/testFixtures/groovy/datadog/trace/instrumentation/resteasy/AbstractResteasyAppsecTest.groovy
@@ -13,19 +13,22 @@ import okhttp3.HttpUrl
 import okhttp3.OkHttpClient
 import okhttp3.Request
 import okhttp3.RequestBody
+import org.codehaus.jackson.map.ObjectMapper
 import spock.lang.Shared
 
 import javax.ws.rs.Consumes
 import javax.ws.rs.FormParam
 import javax.ws.rs.POST
 import javax.ws.rs.Path
+import javax.ws.rs.Produces
 import javax.ws.rs.core.Application
 import javax.ws.rs.core.MediaType
 import javax.ws.rs.core.Response
+import javax.ws.rs.ext.ContextResolver
 import java.util.concurrent.TimeUnit
 
+import static datadog.trace.agent.test.base.HttpServerTest.ServerEndpoint.BODY_JSON
 import static datadog.trace.agent.test.base.HttpServerTest.ServerEndpoint.BODY_URLENCODED
-import static datadog.trace.bootstrap.instrumentation.api.AgentTracer.activeSpan
 
 abstract class AbstractResteasyAppsecTest extends AgentTestRunner {
 
@@ -88,17 +91,64 @@ abstract class AbstractResteasyAppsecTest extends AgentTestRunner {
     }
   }
 
-  @Path("/body-urlencoded")
-  static class BodyUrlEncodedResource {
+  def 'test instrumentation gateway json request body'() {
+    setup:
+    def request = request(
+      BODY_JSON, 'POST',
+      RequestBody.create(okhttp3.MediaType.get('application/json'), '{"a":"x"}\n'))
+      .build()
+    def response = client.newCall(request).execute()
+
+    expect:
+    response.body().charStream().text == '{"a":"x"}'
+
+    when:
+    TEST_WRITER.waitForTraces(1)
+
+    then:
+    TEST_WRITER.get(0).any {
+      it.getTag('request.body.converted') == '[a:[x]]'
+    }
+  }
+
+  @Path("/")
+  static class BodyResource {
     @POST
+    @Path("body-urlencoded")
     @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
     Response bodyUrlencoded(@FormParam("a") List<String> a) {
       Response.status(BODY_URLENCODED.status).entity([a: a] as String).build()
     }
+
+    @POST
+    @Path("body-json")
+    @Consumes(MediaType.APPLICATION_JSON)
+    @Produces(MediaType.APPLICATION_JSON)
+    Response bodyJson(ClassForBodyToBeConvertedTo obj) {
+      Response.status(BODY_JSON.status).entity(obj).build()
+    }
+  }
+
+  static class ClassForBodyToBeConvertedTo {
+    String a
+
+    @Override
+    String toString() {
+      "[a:[$a]]"
+    }
+  }
+
+  /* avoid the jackson provider looking for jaxb annotations */
+  static class ObjectMapperContextResolver implements ContextResolver<ObjectMapper> {
+    @Override
+    ObjectMapper getContext(Class<?> type) {
+      new ObjectMapper()
+    }
   }
 
   static class TestJaxRsApplication extends Application {
-    private static final RESOURCE = new AbstractResteasyAppsecTest.BodyUrlEncodedResource()
-    final Set<Object> singletons = [RESOURCE] as Set
+    private static final RESOURCE = new BodyResource()
+    private static final OBJECT_MAPPER_CONTEXT_RESOLVER = new ObjectMapperContextResolver()
+    final Set<Object> singletons = [RESOURCE, OBJECT_MAPPER_CONTEXT_RESOLVER] as Set
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,7 @@ dependencies {`
`22`	`22`	`compileOnly group: 'org.jboss.resteasy', name: 'resteasy-jaxrs', version: '3.0.0.Final'`
`23`	`23`
`24`	`24`	`testFixturesApi group: 'org.jboss.resteasy', name: 'resteasy-jaxrs', version: '3.0.0.Final'`
	`25`	`+ testFixturesApi group: 'org.jboss.resteasy', name: 'resteasy-jackson-provider', version: '3.0.0.Final'`
`25`	`26`	`testFixturesImplementation project(':dd-java-agent:testing'), {`
`26`	`27`	`exclude group: 'org.eclipse.jetty', module: 'jetty-server'`
`27`	`28`	`}`