java-sec
diff --git a/‎dd-java-agent/agent-bootstrap/src/main/java/datadog/trace/bootstrap/instrumentation/decorator/HttpServerDecorator.java‎
Lines changed: 40 additions & 20 deletions b/‎dd-java-agent/agent-bootstrap/src/main/java/datadog/trace/bootstrap/instrumentation/decorator/HttpServerDecorator.java‎
Lines changed: 40 additions & 20 deletions
diff --git a/‎dd-java-agent/agent-bootstrap/src/main/java/datadog/trace/bootstrap/instrumentation/decorator/http/ClientIpAddressResolver.java‎
Lines changed: 1 addition & 1 deletion b/‎dd-java-agent/agent-bootstrap/src/main/java/datadog/trace/bootstrap/instrumentation/decorator/http/ClientIpAddressResolver.java‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎dd-java-agent/agent-bootstrap/src/test/groovy/datadog/trace/bootstrap/instrumentation/decorator/HttpServerDecoratorTest.groovy‎
Lines changed: 51 additions & 51 deletions b/‎dd-java-agent/agent-bootstrap/src/test/groovy/datadog/trace/bootstrap/instrumentation/decorator/HttpServerDecoratorTest.groovy‎
Lines changed: 51 additions & 51 deletions
diff --git a/‎dd-java-agent/appsec/src/main/java/com/datadog/appsec/event/data/KnownAddresses.java‎
Lines changed: 6 additions & 1 deletion b/‎dd-java-agent/appsec/src/main/java/com/datadog/appsec/event/data/KnownAddresses.java‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/AppSecRequestContext.java‎
Lines changed: 9 additions & 0 deletions b/‎dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/AppSecRequestContext.java‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java‎
Lines changed: 11 additions & 1 deletion b/‎dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java‎
Lines changed: 11 additions & 1 deletion
@@ -36,6 +36,7 @@ public abstract class HttpServerDecorator<REQUEST, CONNECTION, RESPONSE, REQUEST
     extends ServerDecorator {
 
   private static final Logger log = LoggerFactory.getLogger(HttpServerDecorator.class);
+  private static final int UNSET_PORT = 0;
 
   public static final String DD_SPAN_ATTRIBUTE = "datadog.span";
   public static final String DD_DISPATCH_SPAN_ATTRIBUTE = "datadog.span.dispatch";
@@ -176,36 +177,40 @@ public AgentSpan onRequest(
     }
 
     String ip = null;
+    int port = UNSET_PORT;
     if (connection != null) {
       ip = peerHostIP(connection);
-      final int port = peerPort(connection);
-      if (ip != null) {
-        if (ip.indexOf(':') > 0) {
-          span.setTag(Tags.PEER_HOST_IPV6, ip);
-        } else {
-          span.setTag(Tags.PEER_HOST_IPV4, ip);
-        }
-      }
-      setPeerPort(span, port);
-      Flow<Void> flow = callIGCallbackSocketAddress(span, ip, port);
-      if (flow.getAction().isBlocking()) {
-        span.markForBlocking();
-      }
+      port = peerPort(connection);
     }
 
+    String inferredAddressStr = null;
     if (config.isTraceClientIpResolverEnabled()) {
-      InetAddress inferredAddress = ClientIpAddressResolver.doResolve(context);
+      InetAddress inferredAddress = ClientIpAddressResolver.resolve(context);
       // As a fallback, if no IP was resolved, the peer IP address should be checked
       // to see if it is public and used as the resolved IP if it is.
       // If no public IP address, then a private IP address should reported as a fall back.
       if (inferredAddress == null && ip != null) {
         inferredAddress = ClientIpAddressResolver.parseIpAddress(ip);
       }
       if (inferredAddress != null) {
-        span.setTag(Tags.HTTP_CLIENT_IP, inferredAddress.getHostAddress());
+        inferredAddressStr = inferredAddress.getHostAddress();
+        span.setTag(Tags.HTTP_CLIENT_IP, inferredAddressStr);
       }
     }
 
+    if (ip != null) {
+      if (ip.indexOf(':') > 0) {
+        span.setTag(Tags.PEER_HOST_IPV6, ip);
+      } else {
+        span.setTag(Tags.PEER_HOST_IPV4, ip);
+      }
+    }
+    setPeerPort(span, port);
+    Flow<Void> flow = callIGCallbackAddressAndPort(span, ip, port, inferredAddressStr);
+    if (flow.getAction().isBlocking()) {
+      span.markForBlocking();
+    }
+
     return span;
   }
 
@@ -362,17 +367,32 @@ private void onRequestEndForInstrumentationGateway(@Nonnull final AgentSpan span
     }
   }
 
-  private Flow<Void> callIGCallbackSocketAddress(
-      @Nonnull final AgentSpan span, @Nonnull final String ip, final int port) {
+  private Flow<Void> callIGCallbackAddressAndPort(
+      @Nonnull final AgentSpan span,
+      final String ip,
+      final int port,
+      final String inferredClientIp) {
     CallbackProvider cbp = tracer().getCallbackProvider(RequestContextSlot.APPSEC);
-    if (cbp == null || (ip == null && port == UNSET_PORT)) {
+    if (cbp == null || (ip == null && inferredClientIp == null && port == UNSET_PORT)) {
       return Flow.ResultFlow.empty();
     }
     RequestContext ctx = span.getRequestContext();
-    if (ctx != null) {
+    if (ctx == null) {
+      return Flow.ResultFlow.empty();
+    }
+
+    if (inferredClientIp != null) {
+      BiFunction<RequestContext, String, Flow<Void>> inferredAddrCallback =
+          cbp.getCallback(EVENTS.requestInferredClientAddress());
+      if (inferredAddrCallback != null) {
+        inferredAddrCallback.apply(ctx, inferredClientIp);
+      }
+    }
+
+    if (ip != null || port != UNSET_PORT) {
       TriFunction<RequestContext, String, Integer, Flow<Void>> addrCallback =
           cbp.getCallback(EVENTS.requestClientSocketAddress());
-      if (null != addrCallback) {
+      if (addrCallback != null) {
         return addrCallback.apply(ctx, ip != null ? ip : "0.0.0.0", port);
       }
     }
 
@@ -37,7 +37,7 @@ public static InetAddress resolve(AgentSpan.Context.Extracted context) {
     }
   }
 
-  public static InetAddress doResolve(AgentSpan.Context.Extracted context) {
+  private static InetAddress doResolve(AgentSpan.Context.Extracted context) {
     if (context == null) {
       return null;
     }
 
@@ -33,17 +33,17 @@ class HttpServerDecoratorTest extends ServerDecoratorTest {
     def decorator = newDecorator()
 
     when:
-    decorator.onRequest(span, null, req, null)
+    decorator.onRequest(this.span, null, req, null)
 
     then:
     if (req) {
-      1 * span.setTag(Tags.HTTP_METHOD, "test-method")
-      1 * span.setTag(DDTags.HTTP_QUERY, _)
-      1 * span.setTag(DDTags.HTTP_FRAGMENT, _)
-      1 * span.setTag(Tags.HTTP_URL, url)
-      1 * span.setTag(Tags.HTTP_HOSTNAME, req.url.host)
-      1 * span.getRequestContext()
-      1 * span.setResourceName({ it as String == req.method.toUpperCase() + " " + req.path }, ResourceNamePriorities.HTTP_PATH_NORMALIZER)
+      1 * this.span.setTag(Tags.HTTP_METHOD, "test-method")
+      1 * this.span.setTag(DDTags.HTTP_QUERY, _)
+      1 * this.span.setTag(DDTags.HTTP_FRAGMENT, _)
+      1 * this.span.setTag(Tags.HTTP_URL, url)
+      1 * this.span.setTag(Tags.HTTP_HOSTNAME, req.url.host)
+      1 * this.span.getRequestContext()
+      1 * this.span.setResourceName({ it as String == req.method.toUpperCase() + " " + req.path }, ResourceNamePriorities.HTTP_PATH_NORMALIZER)
     }
     0 * _
 
@@ -63,26 +63,26 @@ class HttpServerDecoratorTest extends ServerDecoratorTest {
     def decorator = newDecorator()
 
     when:
-    decorator.onRequest(span, null, req, null)
+    decorator.onRequest(this.span, null, req, null)
 
     then:
     if (expectedUrl) {
-      1 * span.setTag(Tags.HTTP_URL, expectedUrl)
-      1 * span.getRequestContext()
+      1 * this.span.setTag(Tags.HTTP_URL, expectedUrl)
+      1 * this.span.getRequestContext()
     }
     if (expectedUrl && tagQueryString) {
-      1 * span.setTag(DDTags.HTTP_QUERY, expectedQuery)
-      1 * span.setTag(DDTags.HTTP_FRAGMENT, expectedFragment)
+      1 * this.span.setTag(DDTags.HTTP_QUERY, expectedQuery)
+      1 * this.span.setTag(DDTags.HTTP_FRAGMENT, expectedFragment)
     }
     if (url != null) {
-      1 * span.setResourceName({ it as String == expectedPath }, ResourceNamePriorities.HTTP_PATH_NORMALIZER)
+      1 * this.span.setResourceName({ it as String == expectedPath }, ResourceNamePriorities.HTTP_PATH_NORMALIZER)
       if (req.url.host != null) {
-        1 * span.setTag(Tags.HTTP_HOSTNAME, req.url.host)
+        1 * this.span.setTag(Tags.HTTP_HOSTNAME, req.url.host)
       }
     } else {
-      1 * span.setResourceName({ it as String == expectedPath })
+      1 * this.span.setResourceName({ it as String == expectedPath })
     }
-    1 * span.setTag(Tags.HTTP_METHOD, null)
+    1 * this.span.setTag(Tags.HTTP_METHOD, null)
     0 * _
 
     where:
@@ -112,16 +112,16 @@ class HttpServerDecoratorTest extends ServerDecoratorTest {
     def decorator = newDecorator()
 
     when:
-    decorator.onRequest(span, null, req, null)
+    decorator.onRequest(this.span, null, req, null)
 
     then:
-    1 * span.setTag(Tags.HTTP_URL, expectedUrl)
-    1 * span.setTag(Tags.HTTP_HOSTNAME, req.url.host)
-    1 * span.setTag(DDTags.HTTP_QUERY, expectedQuery)
-    1 * span.setTag(DDTags.HTTP_FRAGMENT, null)
-    1 * span.getRequestContext()
-    1 * span.setResourceName({ it as String == expectedResource }, ResourceNamePriorities.HTTP_PATH_NORMALIZER)
-    1 * span.setTag(Tags.HTTP_METHOD, null)
+    1 * this.span.setTag(Tags.HTTP_URL, expectedUrl)
+    1 * this.span.setTag(Tags.HTTP_HOSTNAME, req.url.host)
+    1 * this.span.setTag(DDTags.HTTP_QUERY, expectedQuery)
+    1 * this.span.setTag(DDTags.HTTP_FRAGMENT, null)
+    1 * this.span.getRequestContext()
+    1 * this.span.setResourceName({ it as String == expectedResource }, ResourceNamePriorities.HTTP_PATH_NORMALIZER)
+    1 * this.span.setTag(Tags.HTTP_METHOD, null)
     0 * _
 
     where:
@@ -140,7 +140,7 @@ class HttpServerDecoratorTest extends ServerDecoratorTest {
     def decorator = newDecorator()
 
     when:
-    decorator.onRequest(span, conn, null, ctx)
+    decorator.onRequest(this.span, conn, null, ctx)
 
     then:
     _ * ctx.getForwarded() >> null
@@ -159,20 +159,20 @@ class HttpServerDecoratorTest extends ServerDecoratorTest {
     _ * ctx.getTrueClientIp() >> null
     _ * ctx.getVia() >> null
     if (conn) {
-      1 * span.setTag(Tags.PEER_PORT, 555)
+      1 * this.span.setTag(Tags.PEER_PORT, 555)
       if (ipv4) {
-        1 * span.setTag(Tags.PEER_HOST_IPV4, "10.0.0.1")
-        1 * span.setTag(Tags.HTTP_CLIENT_IP, "10.0.0.1")
+        1 * this.span.setTag(Tags.PEER_HOST_IPV4, "10.0.0.1")
+        1 * this.span.setTag(Tags.HTTP_CLIENT_IP, "10.0.0.1")
       } else if (ipv4 != null) {
-        1 * span.setTag(Tags.PEER_HOST_IPV6, "3ffe:1900:4545:3:200:f8ff:fe21:67cf")
-        1 * span.setTag(Tags.HTTP_CLIENT_IP, "3ffe:1900:4545:3:200:f8ff:fe21:67cf")
+        1 * this.span.setTag(Tags.PEER_HOST_IPV6, "3ffe:1900:4545:3:200:f8ff:fe21:67cf")
+        1 * this.span.setTag(Tags.HTTP_CLIENT_IP, "3ffe:1900:4545:3:200:f8ff:fe21:67cf")
       }
     }
-    _ * span.getRequestContext() >> null
+    _ * this.span.getRequestContext() >> null
     0 * _
 
     when:
-    decorator.onRequest(span, conn, null, ctx)
+    decorator.onRequest(this.span, conn, null, ctx)
 
     then:
     _ * ctx.getForwarded() >> "by=<identifier>;for=<identifier>;host=<host>;proto=<http|https>"
@@ -190,27 +190,27 @@ class HttpServerDecoratorTest extends ServerDecoratorTest {
     _ * ctx.getCustomIpHeader() >> null
     _ * ctx.getTrueClientIp() >> null
     _ * ctx.getVia() >> null
-    1 * span.setTag(Tags.HTTP_FORWARDED, "by=<identifier>;for=<identifier>;host=<host>;proto=<http|https>")
-    1 * span.setTag(Tags.HTTP_FORWARDED_PROTO, "https")
-    1 * span.setTag(Tags.HTTP_FORWARDED_HOST, "somehost")
+    1 * this.span.setTag(Tags.HTTP_FORWARDED, "by=<identifier>;for=<identifier>;host=<host>;proto=<http|https>")
+    1 * this.span.setTag(Tags.HTTP_FORWARDED_PROTO, "https")
+    1 * this.span.setTag(Tags.HTTP_FORWARDED_HOST, "somehost")
     if (ipv4) {
-      1 * span.setTag(Tags.HTTP_FORWARDED_IP, "10.1.1.1, 192.168.1.1")
-      1 * span.setTag(Tags.PEER_HOST_IPV4, "10.0.0.1")
+      1 * this.span.setTag(Tags.HTTP_FORWARDED_IP, "10.1.1.1, 192.168.1.1")
+      1 * this.span.setTag(Tags.PEER_HOST_IPV4, "10.0.0.1")
     } else if (conn?.ip) {
-      1 * span.setTag(Tags.HTTP_FORWARDED_IP, "0::1")
-      1 * span.setTag(Tags.PEER_HOST_IPV6, "3ffe:1900:4545:3:200:f8ff:fe21:67cf")
+      1 * this.span.setTag(Tags.HTTP_FORWARDED_IP, "0::1")
+      1 * this.span.setTag(Tags.PEER_HOST_IPV6, "3ffe:1900:4545:3:200:f8ff:fe21:67cf")
     } else {
-      1 * span.setTag(Tags.HTTP_FORWARDED_IP, "0::1")
+      1 * this.span.setTag(Tags.HTTP_FORWARDED_IP, "0::1")
     }
-    1 * span.setTag(Tags.HTTP_FORWARDED_PORT, "123")
+    1 * this.span.setTag(Tags.HTTP_FORWARDED_PORT, "123")
     if (conn) {
-      1 * span.setTag(Tags.PEER_PORT, 555)
+      1 * this.span.setTag(Tags.PEER_PORT, 555)
       if (conn.ip) {
-        1 * span.setTag(Tags.HTTP_CLIENT_IP, conn.ip)
+        1 * this.span.setTag(Tags.HTTP_CLIENT_IP, conn.ip)
       }
     }
-    1 * span.setTag(Tags.HTTP_USER_AGENT, "some-user-agent")
-    _ * span.getRequestContext() >> null
+    1 * this.span.setTag(Tags.HTTP_USER_AGENT, "some-user-agent")
+    _ * this.span.getRequestContext() >> null
     0 * _
 
     where:
@@ -226,20 +226,20 @@ class HttpServerDecoratorTest extends ServerDecoratorTest {
     def decorator = newDecorator()
 
     when:
-    decorator.onResponse(span, resp)
+    decorator.onResponse(this.span, resp)
 
     then:
     if (status) {
-      1 * span.setHttpStatusCode(status)
+      1 * this.span.setHttpStatusCode(status)
     }
     if (error) {
-      1 * span.setError(true)
+      1 * this.span.setError(true)
     }
     if (status == 404) {
-      1 * span.setResourceName({ it as String == "404" }, ResourceNamePriorities.HTTP_404)
+      1 * this.span.setResourceName({ it as String == "404" }, ResourceNamePriorities.HTTP_404)
     }
     if (resp) {
-      1 * span.getRequestContext()
+      1 * this.span.getRequestContext()
     }
     0 * _
 
 
@@ -17,12 +17,15 @@ public interface KnownAddresses {
   /** The unparsed request uri, incl. the query string. */
   Address<String> REQUEST_URI_RAW = new Address<>("server.request.uri.raw");
 
-  /** The deduced IP address of the client. */
+  /** The socket IP address of the client. */
   Address<String> REQUEST_CLIENT_IP = new Address<>("server.request.client_ip");
 
   /** The peer port */
   Address<Integer> REQUEST_CLIENT_PORT = new Address<>("_server.request.client_port");
 
+  /** The inferred IP address of the client */
+  Address<String> REQUEST_INFERRED_CLIENT_IP = new Address<>("http.client_ip");
+
   /** The verb of the HTTP request. */
   Address<String> REQUEST_METHOD = new Address<>("server.request.method");
 
@@ -104,6 +107,8 @@ static Address<?> forName(String name) {
         return REQUEST_CLIENT_IP;
       case "_server.request.client_port":
         return REQUEST_CLIENT_PORT;
+      case "http.client_ip":
+        return REQUEST_INFERRED_CLIENT_IP;
       case "server.request.method":
         return REQUEST_METHOD;
       case "server.request.path_params":
 
@@ -60,6 +60,7 @@ public class AppSecRequestContext implements DataBundle, Closeable {
   private boolean finishedResponseHeaders;
   private String peerAddress;
   private int peerPort;
+  private String inferredClientIp;
 
   private volatile StoredBodySupplier storedRequestBodySupplier;
 
@@ -272,6 +273,14 @@ public void setPeerPort(int peerPort) {
     this.peerPort = peerPort;
   }
 
+  void setInferredClientIp(String ipAddress) {
+    this.inferredClientIp = ipAddress;
+  }
+
+  String getInferredClientIp() {
+    return inferredClientIp;
+  }
+
   void setStoredRequestBodySupplier(StoredBodySupplier storedRequestBodySupplier) {
     this.storedRequestBodySupplier = storedRequestBodySupplier;
   }
 
@@ -286,6 +286,14 @@ public void init() {
           return maybePublishRequestData(ctx);
         });
 
+    subscriptionService.registerCallback(
+        EVENTS.requestInferredClientAddress(),
+        (ctx_, ip) -> {
+          AppSecRequestContext ctx = ctx_.getData(RequestContextSlot.APPSEC);
+          ctx.setInferredClientIp(ip);
+          return NoopFlow.INSTANCE; // expected to be called before requestClientSocketAddress
+        });
+
     subscriptionService.registerCallback(
         EVENTS.responseStarted(),
         (ctx_, status) -> {
@@ -465,7 +473,8 @@ private Flow<Void> maybePublishRequestData(AppSecRequestContext ctx) {
               KnownAddresses.REQUEST_URI_RAW,
               KnownAddresses.REQUEST_QUERY,
               KnownAddresses.REQUEST_CLIENT_IP,
-              KnownAddresses.REQUEST_CLIENT_PORT);
+              KnownAddresses.REQUEST_CLIENT_PORT,
+              KnownAddresses.REQUEST_INFERRED_CLIENT_IP);
     }
     MapDataBundle bundle =
         new MapDataBundle.Builder(CAPACITY_6_10)
@@ -477,6 +486,7 @@ private Flow<Void> maybePublishRequestData(AppSecRequestContext ctx) {
             .add(KnownAddresses.REQUEST_QUERY, queryParams)
             .add(KnownAddresses.REQUEST_CLIENT_IP, ctx.getPeerAddress())
             .add(KnownAddresses.REQUEST_CLIENT_PORT, ctx.getPeerPort())
+            .add(KnownAddresses.REQUEST_INFERRED_CLIENT_IP, ctx.getInferredClientIp())
             .build();
 
     return producerService.publishDataEvent(initialReqDataSubInfo, ctx, bundle, false);
Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,7 @@ public static InetAddress resolve(AgentSpan.Context.Extracted context) {`
`37`	`37`	`}`
`38`	`38`	`}`
`39`	`39`
`40`		`- public static InetAddress doResolve(AgentSpan.Context.Extracted context) {`
	`40`	`+ private static InetAddress doResolve(AgentSpan.Context.Extracted context) {`
`41`	`41`	`if (context == null) {`
`42`	`42`	`return null;`
`43`	`43`	`}`