Merge branch 'master' into mtoff/stable_cfg_2

Author: mtoffl01

.circleci/config.continue.yml.j2

@@ -36,7 +36,7 @@ instrumentation_modules: &instrumentation_modules "dd-java-agent/instrumentation
 debugger_modules: &debugger_modules "dd-java-agent/agent-debugger|dd-java-agent/agent-bootstrap|dd-java-agent/agent-builder|internal-api|communication|dd-trace-core"
 profiling_modules: &profiling_modules "dd-java-agent/agent-profiling"
 
-default_system_tests_commit: &default_system_tests_commit 69a5e874384dd256e2e3f42fc1c95807a67efbe6
+default_system_tests_commit: &default_system_tests_commit 1ef00a34ad1f83ae999887e510ef1ea1c27b151b
 
 parameters:
   nightly:
@@ -414,7 +414,7 @@ jobs:
           name: Check Project
           command: >-
             MAVEN_OPTS="-Xms64M -Xmx256M"
-            GRADLE_OPTS="-Dorg.gradle.jvmargs='-Xmx2G -Xms2G -XX:ErrorFile=/tmp/hs_err_pid%p.log -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/tmp'"
+            GRADLE_OPTS="-Dorg.gradle.jvmargs='-Xmx3G -Xms2G -XX:ErrorFile=/tmp/hs_err_pid%p.log -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/tmp'"
             ./gradlew
             << parameters.gradleTarget >>
             -PskipTests

dd-java-agent/agent-debugger/src/main/java/com/datadog/debugger/agent/ThirdPartyLibraries.java

@@ -7,10 +7,12 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
+import java.util.Arrays;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
 import java.util.stream.Collectors;
+import java.util.stream.Stream;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -22,6 +24,20 @@ public class ThirdPartyLibraries {
   private static final JsonAdapter<InternalConfig> ADAPTER =
       new Moshi.Builder().build().adapter(InternalConfig.class);
   private static final String FILE_NAME = "/third_party_libraries.json";
+  private static final Set<String> DEFAULT_SHADING_IDENTIFIERS =
+      new HashSet<>(
+          Arrays.asList(
+              "shaded",
+              "thirdparty",
+              "dependencies",
+              "relocated",
+              "bundled",
+              "embedded",
+              "vendor",
+              "repackaged",
+              "shadow",
+              "shim",
+              "wrapper"));
 
   private ThirdPartyLibraries() {}
 
@@ -46,6 +62,13 @@ public Set<String> getThirdPartyExcludes(Config config) {
         .collect(Collectors.toSet());
   }
 
+  public Set<String> getShadingIdentifiers(Config config) {
+    Stream<String> configStream =
+        config.getThirdPartyShadingIdentifiers().stream().filter(s -> !s.isEmpty());
+    return Stream.concat(configStream, DEFAULT_SHADING_IDENTIFIERS.stream())
+        .collect(Collectors.toSet());
+  }
+
   // Add a*, b*, c*, ..., z* to the exclude trie in ClassNameFiltering. Simply adding * does not
   // work.
   private static Set<String> getExcludeAll() {

dd-java-agent/agent-debugger/src/main/java/com/datadog/debugger/symbol/SymbolExtractionTransformer.java

@@ -1,6 +1,7 @@
 package com.datadog.debugger.symbol;
 
 import datadog.trace.bootstrap.debugger.DebuggerContext.ClassNameFilter;
+import datadog.trace.util.Strings;
 import java.lang.instrument.ClassFileTransformer;
 import java.security.ProtectionDomain;
 import org.slf4j.Logger;
@@ -34,7 +35,7 @@ public byte[] transform(
         // Don't parse our own classes to avoid duplicate class definition
         return null;
       }
-      if (classNameFiltering.isExcluded(className)) {
+      if (classNameFiltering.isExcluded(Strings.getClassName(className))) {
         return null;
       }
       symbolAggregator.parseClass(className, classfileBuffer, protectionDomain);

dd-java-agent/agent-debugger/src/main/java/com/datadog/debugger/util/ClassNameFiltering.java

@@ -14,36 +14,60 @@ public class ClassNameFiltering implements ClassNameFilter {
 
   private final ClassNameTrie includeTrie;
   private final ClassNameTrie excludeTrie;
+  private final ClassNameTrie shadingTrie;
 
   public ClassNameFiltering(Config config) {
     this(
         ThirdPartyLibraries.INSTANCE.getThirdPartyLibraries(config),
-        ThirdPartyLibraries.INSTANCE.getThirdPartyExcludes(config));
+        ThirdPartyLibraries.INSTANCE.getThirdPartyExcludes(config),
+        ThirdPartyLibraries.INSTANCE.getShadingIdentifiers(config));
   }
 
   public ClassNameFiltering(Set<String> excludes) {
-    this(excludes, Collections.emptySet());
+    this(excludes, Collections.emptySet(), Collections.emptySet());
   }
 
-  public ClassNameFiltering(Set<String> excludes, Set<String> includes) {
+  public ClassNameFiltering(
+      Set<String> excludes, Set<String> includes, Set<String> shadingIdentifiers) {
     ClassNameTrie.Builder excludeBuilder = new ClassNameTrie.Builder();
     excludes.forEach(s -> excludeBuilder.put(s + "*", 1));
     this.excludeTrie = excludeBuilder.buildTrie();
     ClassNameTrie.Builder includeBuilder = new ClassNameTrie.Builder();
     includes.forEach(s -> includeBuilder.put(s + "*", 1));
     this.includeTrie = includeBuilder.buildTrie();
+    ClassNameTrie.Builder shadingBuilder = new ClassNameTrie.Builder();
+    shadingIdentifiers.forEach(s -> shadingBuilder.put(s + "*", 1));
+    this.shadingTrie = shadingBuilder.buildTrie();
   }
 
+  // className is the fully qualified class name with '.' (Java type) notation
   public boolean isExcluded(String className) {
-    return (includeTrie.apply(className) < 0 && excludeTrie.apply(className) > 0)
+    int shadedIdx = shadedIndexOf(className);
+    shadedIdx = Math.max(shadedIdx, 0);
+    return (includeTrie.apply(className, shadedIdx) < 0
+            && excludeTrie.apply(className, shadedIdx) > 0)
         || isLambdaProxyClass(className);
   }
 
   static boolean isLambdaProxyClass(String className) {
     return LAMBDA_PROXY_CLASS_PATTERN.matcher(className).matches();
   }
 
+  int shadedIndexOf(String className) {
+    int idx = 0;
+    int previousIdx = 0;
+    while ((idx = className.indexOf('.', previousIdx)) > 0) {
+      if (shadingTrie.apply(className, previousIdx) > 0) {
+        return idx + 1;
+      }
+      idx++;
+      previousIdx = idx;
+    }
+    return -1;
+  }
+
   public static ClassNameFiltering allowAll() {
-    return new ClassNameFiltering(Collections.emptySet(), Collections.emptySet());
+    return new ClassNameFiltering(
+        Collections.emptySet(), Collections.emptySet(), Collections.emptySet());
   }
 }

dd-java-agent/agent-debugger/src/test/java/com/datadog/debugger/agent/ThirdPartyLibrariesTest.java

@@ -1,5 +1,6 @@
 package com.datadog.debugger.agent;
 
+import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertTrue;
@@ -20,6 +21,7 @@ class ThirdPartyLibrariesTest {
   void setUp() {
     when(mockConfig.getThirdPartyIncludes()).thenReturn(Collections.emptySet());
     when(mockConfig.getThirdPartyExcludes()).thenReturn(Collections.emptySet());
+    when(mockConfig.getThirdPartyShadingIdentifiers()).thenReturn(Collections.emptySet());
   }
 
   @Test
@@ -29,7 +31,6 @@ void testGetExcludesContainsDefaultExclude() {
 
   @Test
   void testGetExcludesWithExplicitExclude() {
-
     when(mockConfig.getThirdPartyIncludes())
         .thenReturn(Collections.singleton("com.datadog.debugger"));
     assertTrue(
@@ -72,4 +73,22 @@ void testGetExcludeAll() {
     Set<String> excludeAll = ThirdPartyLibraries.INSTANCE.getThirdPartyLibraries(null);
     for (char c : ThirdPartyLibraries.ALPHABET) assertTrue(excludeAll.contains(String.valueOf(c)));
   }
+
+  @Test
+  void testEmptyStrings() {
+    int expectedIncludeDefaultSize =
+        ThirdPartyLibraries.INSTANCE.getThirdPartyLibraries(mockConfig).size();
+    int expectedShadingDefaultSize =
+        ThirdPartyLibraries.INSTANCE.getShadingIdentifiers(mockConfig).size();
+    when(mockConfig.getThirdPartyIncludes()).thenReturn(Collections.singleton(""));
+    when(mockConfig.getThirdPartyExcludes()).thenReturn(Collections.singleton(""));
+    when(mockConfig.getThirdPartyShadingIdentifiers()).thenReturn(Collections.singleton(""));
+    assertEquals(
+        expectedIncludeDefaultSize,
+        ThirdPartyLibraries.INSTANCE.getThirdPartyLibraries(mockConfig).size());
+    assertTrue(ThirdPartyLibraries.INSTANCE.getThirdPartyExcludes(mockConfig).isEmpty());
+    assertEquals(
+        expectedShadingDefaultSize,
+        ThirdPartyLibraries.INSTANCE.getShadingIdentifiers(mockConfig).size());
+  }
 }

dd-java-agent/agent-debugger/src/test/java/com/datadog/debugger/symbol/SymDBEnablementTest.java

@@ -169,7 +169,8 @@ public void noDuplicateSymbolExtraction() {
     ClassNameFiltering classNameFiltering =
         new ClassNameFiltering(
             Collections.singleton("org.springframework."),
-            Collections.singleton("com.datadog.debugger."));
+            Collections.singleton("com.datadog.debugger."),
+            Collections.emptySet());
     SymbolAggregator symbolAggregator = new SymbolAggregator(classNameFiltering, mockSymbolSink, 1);
     SymDBEnablement symDBEnablement =
         new SymDBEnablement(instr, config, symbolAggregator, classNameFiltering);

dd-java-agent/agent-debugger/src/test/java/com/datadog/debugger/symbol/SymbolExtractionTransformerTest.java

@@ -982,7 +982,8 @@ private SymbolExtractionTransformer createTransformer(
     return createTransformer(
         symbolSink,
         symbolFlushThreshold,
-        new ClassNameFiltering(TRANSFORMER_EXCLUDES, Collections.singleton(SYMBOL_PACKAGE)));
+        new ClassNameFiltering(
+            TRANSFORMER_EXCLUDES, Collections.singleton(SYMBOL_PACKAGE), Collections.emptySet()));
   }
 
   private SymbolExtractionTransformer createTransformer(

dd-java-agent/agent-debugger/src/test/java/com/datadog/debugger/util/ClassNameFilteringTest.java

@@ -6,8 +6,8 @@
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
-import com.datadog.debugger.agent.ThirdPartyLibraries;
 import datadog.trace.api.Config;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.Set;
@@ -52,15 +52,18 @@ public void testIncludeOverridesExclude() {
     ClassNameFiltering classNameFiltering =
         new ClassNameFiltering(
             Collections.singleton("com.datadog.debugger"),
-            Collections.singleton("com.datadog.debugger"));
+            Collections.singleton("com.datadog.debugger"),
+            Collections.emptySet());
     assertFalse(classNameFiltering.isExcluded("com.datadog.debugger.FooBar"));
   }
 
   @Test
   public void testIncludePrefixOverridesExclude() {
     ClassNameFiltering classNameFiltering =
         new ClassNameFiltering(
-            Collections.singleton("com.datadog.debugger"), Collections.singleton("com.datadog"));
+            Collections.singleton("com.datadog.debugger"),
+            Collections.singleton("com.datadog"),
+            Collections.emptySet());
     assertFalse(classNameFiltering.isExcluded("com.datadog.debugger.FooBar"));
   }
 
@@ -69,7 +72,8 @@ public void testIncludeSomeExcludeSome() {
     ClassNameFiltering classNameFiltering =
         new ClassNameFiltering(
             Stream.of("com.datadog.debugger", "org.junit").collect(Collectors.toSet()),
-            Collections.singleton("com.datadog.debugger"));
+            Collections.singleton("com.datadog.debugger"),
+            Collections.emptySet());
     assertFalse(classNameFiltering.isExcluded("com.datadog.debugger.FooBar"));
     assertTrue(classNameFiltering.isExcluded("org.junit.FooBar"));
   }
@@ -88,11 +92,25 @@ public void testExcludeDefaults(String input) {
     Config config = mock(Config.class);
     when(config.getThirdPartyExcludes()).thenReturn(Collections.emptySet());
     when(config.getThirdPartyIncludes()).thenReturn(Collections.emptySet());
-    ClassNameFiltering classNameFiltering =
-        new ClassNameFiltering(ThirdPartyLibraries.INSTANCE.getThirdPartyLibraries(config));
+    when(config.getThirdPartyShadingIdentifiers()).thenReturn(Collections.emptySet());
+    ClassNameFiltering classNameFiltering = new ClassNameFiltering(config);
     assertTrue(classNameFiltering.isExcluded(input));
   }
 
+  @Test
+  public void testShaded() {
+    Config config = mock(Config.class);
+    when(config.getThirdPartyExcludes()).thenReturn(Collections.emptySet());
+    when(config.getThirdPartyIncludes())
+        .thenReturn(new HashSet<>(Arrays.asList("com.google", "org.junit")));
+    when(config.getThirdPartyShadingIdentifiers()).thenReturn(Collections.emptySet());
+    ClassNameFiltering classNameFiltering = new ClassNameFiltering(config);
+    assertTrue(classNameFiltering.isExcluded("com.google.FooBar"));
+    assertTrue(classNameFiltering.isExcluded("shaded.com.google.FooBar"));
+    assertFalse(classNameFiltering.isExcluded("com.example.shaded.com.example.FooBar"));
+    assertTrue(classNameFiltering.isExcluded("com.example.shaded.com.google.FooBar"));
+  }
+
   @Test
   void lambdaProxyClasses() {
     // jdk8:  at

dd-java-agent/appsec/build.gradle

@@ -82,6 +82,7 @@ ext {
     'com.datadog.appsec.config.AppSecFeatures.ApiSecurity',
     'com.datadog.appsec.config.AppSecFeatures.AutoUserInstrum',
     'com.datadog.appsec.event.ReplaceableEventProducerService',
+    'com.datadog.appsec.api.security.ApiSecuritySampler.NoOp',
   ]
   excludedClassesBranchCoverage = [
     'com.datadog.appsec.gateway.GatewayBridge',

dd-java-agent/appsec/src/main/java/com/datadog/appsec/AppSecSystem.java

@@ -1,6 +1,8 @@
 package com.datadog.appsec;
 
-import com.datadog.appsec.api.security.ApiSecurityRequestSampler;
+import com.datadog.appsec.api.security.ApiSecuritySampler;
+import com.datadog.appsec.api.security.ApiSecuritySamplerImpl;
+import com.datadog.appsec.api.security.AppSecSpanPostProcessor;
 import com.datadog.appsec.blocking.BlockingServiceImpl;
 import com.datadog.appsec.config.AppSecConfigService;
 import com.datadog.appsec.config.AppSecConfigServiceImpl;
@@ -21,6 +23,7 @@
 import datadog.trace.api.telemetry.ProductChange;
 import datadog.trace.api.telemetry.ProductChangeCollector;
 import datadog.trace.bootstrap.ActiveSubsystems;
+import datadog.trace.bootstrap.instrumentation.api.SpanPostProcessor;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
@@ -66,7 +69,17 @@ private static void doStart(SubscriptionService gw, SharedCommunicationObjects s
     EventDispatcher eventDispatcher = new EventDispatcher();
     REPLACEABLE_EVENT_PRODUCER.replaceEventProducerService(eventDispatcher);
 
-    ApiSecurityRequestSampler requestSampler = new ApiSecurityRequestSampler(config);
+    ApiSecuritySampler requestSampler;
+    if (Config.get().isApiSecurityEnabled()) {
+      requestSampler = new ApiSecuritySamplerImpl();
+      // When DD_API_SECURITY_ENABLED=true, ths post-processor is set even when AppSec is inactive.
+      // This should be low overhead since the post-processor exits early if there's no AppSec
+      // context.
+      SpanPostProcessor.Holder.INSTANCE =
+          new AppSecSpanPostProcessor(requestSampler, REPLACEABLE_EVENT_PRODUCER);
+    } else {
+      requestSampler = new ApiSecuritySampler.NoOp();
+    }
 
     ConfigurationPoller configurationPoller = sco.configurationPoller(config);
     // may throw and abort startup