Add tag block_failure

Author: Mariovido

dd-java-agent/appsec/src/main/java/com/datadog/appsec/powerwaf/PowerWAFModule.java

@@ -490,6 +490,7 @@ public void onDataAvailable(
             }
           } else {
             log.info("Ignoring action with type {}", actionInfo.type);
+            WafMetricCollector.get().wafRequestBlockFailure();
           }
         }
         Collection<AppSecEvent> events = buildEvents(resultWithData);
@@ -549,6 +550,7 @@ private Flow.Action.RequestBlockingAction createBlockRequestAction(ActionInfo ac
         return new Flow.Action.RequestBlockingAction(statusCode, blockingContentType);
       } catch (RuntimeException cce) {
         log.warn("Invalid blocking action data", cce);
+        WafMetricCollector.get().wafRequestBlockFailure();
         return null;
       }
     }
@@ -574,6 +576,7 @@ private Flow.Action.RequestBlockingAction createRedirectRequestAction(ActionInfo
         return Flow.Action.RequestBlockingAction.forRedirect(statusCode, location);
       } catch (RuntimeException cce) {
         log.warn("Invalid blocking action data", cce);
+        WafMetricCollector.get().wafRequestBlockFailure();
         return null;
       }
     }

internal-api/src/main/java/datadog/trace/api/telemetry/WafMetricCollector.java

@@ -37,6 +37,8 @@ private WafMetricCollector() {
   private static final AtomicRequestCounter wafErrorRequestCounter = new AtomicRequestCounter();
   private static final AtomicRequestCounter wafRateLimitedRequestCounter =
       new AtomicRequestCounter();
+  private static final AtomicRequestCounter wafBlockFailureRequestCounter =
+      new AtomicRequestCounter();
   private static final AtomicLongArray raspRuleEvalCounter =
       new AtomicLongArray(RuleType.getNumValues());
   private static final AtomicLongArray raspRuleMatchCounter =
@@ -103,6 +105,10 @@ public void wafRequestRateLimited() {
     wafRateLimitedRequestCounter.increment();
   }
 
+  public void wafRequestBlockFailure() {
+    wafBlockFailureRequestCounter.increment();
+  }
+
   public void raspRuleEval(final RuleType ruleType) {
     raspRuleEvalCounter.incrementAndGet(ruleType.ordinal());
   }
@@ -139,6 +145,7 @@ public Collection<WafMetric> drain() {
   @Override
   public void prepareMetrics() {
     final boolean isRateLimited = wafRateLimitedRequestCounter.getAndReset() > 0;
+    final boolean isBlockFailure = wafBlockFailureRequestCounter.getAndReset() > 0;
 
     // Requests
     if (wafRequestCounter.get() > 0) {
@@ -151,6 +158,7 @@ public void prepareMetrics() {
               false,
               false,
               false,
+              isBlockFailure,
               isRateLimited))) {
         return;
       }
@@ -167,6 +175,7 @@ public void prepareMetrics() {
               false,
               false,
               false,
+              isBlockFailure,
               isRateLimited))) {
         return;
       }
@@ -183,6 +192,7 @@ public void prepareMetrics() {
               true,
               false,
               false,
+              isBlockFailure,
               isRateLimited))) {
         return;
       }
@@ -199,6 +209,7 @@ public void prepareMetrics() {
               false,
               false,
               true,
+              isBlockFailure,
               isRateLimited))) {
         return;
       }
@@ -215,6 +226,7 @@ public void prepareMetrics() {
               false,
               true,
               false,
+              isBlockFailure,
               isRateLimited))) {
         return;
       }
@@ -346,6 +358,7 @@ public WafRequestsRawMetric(
         final boolean blocked,
         final boolean wafError,
         final boolean wafTimeout,
+        final boolean blockFailure,
         final boolean rateLimited) {
       super(
           "waf.requests",
@@ -356,6 +369,7 @@ public WafRequestsRawMetric(
           "request_blocked:" + blocked,
           "waf_error:" + wafError,
           "waf_timeout:" + wafTimeout,
+          "block_failure:" + blockFailure,
           "rate_limited:" + rateLimited);
     }
   }

internal-api/src/test/groovy/datadog/trace/api/telemetry/WafMetricCollectorTest.groovy

@@ -29,6 +29,7 @@ class WafMetricCollectorTest extends DDSpecification {
     WafMetricCollector.get().wafRequestTimeout()
     WafMetricCollector.get().wafRequestError()
     WafMetricCollector.get().wafRequestRateLimited()
+    WafMetricCollector.get().wafRequestBlockFailure()
     WafMetricCollector.get().raspRuleEval(RuleType.SQL_INJECTION)
     WafMetricCollector.get().raspRuleEval(RuleType.SQL_INJECTION)
     WafMetricCollector.get().raspRuleMatch(RuleType.SQL_INJECTION)
@@ -73,6 +74,7 @@ class WafMetricCollectorTest extends DDSpecification {
       'request_blocked:false',
       'waf_error:false',
       'waf_timeout:false',
+      'block_failure:true',
       'rate_limited:true'
     ].toSet()
 
@@ -87,6 +89,7 @@ class WafMetricCollectorTest extends DDSpecification {
       'request_blocked:false',
       'waf_error:false',
       'waf_timeout:false',
+      'block_failure:true',
       'rate_limited:true'
     ].toSet()
 
@@ -103,6 +106,7 @@ class WafMetricCollectorTest extends DDSpecification {
       'request_blocked:true',
       'waf_error:false',
       'waf_timeout:false',
+      'block_failure:true',
       'rate_limited:true'
     ].toSet()
 
@@ -118,6 +122,7 @@ class WafMetricCollectorTest extends DDSpecification {
       'request_blocked:false',
       'waf_error:false',
       'waf_timeout:true',
+      'block_failure:true',
       'rate_limited:true'
     ].toSet()
 
@@ -133,6 +138,7 @@ class WafMetricCollectorTest extends DDSpecification {
       'request_blocked:false',
       'waf_error:true',
       'waf_timeout:false',
+      'block_failure:true',
       'rate_limited:true'
     ].toSet()
 

telemetry/src/test/groovy/datadog/telemetry/metric/WafMetricPeriodicActionSpecification.groovy

@@ -51,6 +51,7 @@ class WafMetricPeriodicActionSpecification extends DDSpecification {
     WafMetricCollector.get().wafRequestTimeout()
     WafMetricCollector.get().wafRequestError()
     WafMetricCollector.get().wafRequestRateLimited()
+    WafMetricCollector.get().wafRequestBlockFailure()
     WafMetricCollector.get().prepareMetrics()
     periodicAction.doIteration(telemetryService)
 
@@ -70,6 +71,7 @@ class WafMetricPeriodicActionSpecification extends DDSpecification {
           'request_blocked:false',
           'waf_error:false',
           'waf_timeout:false',
+          'block_failure:true',
           'rate_limited:true'
         ]
     } )
@@ -84,6 +86,7 @@ class WafMetricPeriodicActionSpecification extends DDSpecification {
           'request_blocked:false',
           'waf_error:false',
           'waf_timeout:false',
+          'block_failure:true',
           'rate_limited:true'
         ]
     } )
@@ -98,6 +101,7 @@ class WafMetricPeriodicActionSpecification extends DDSpecification {
           'request_blocked:true',
           'waf_error:false',
           'waf_timeout:false',
+          'block_failure:true',
           'rate_limited:true'
         ]
     } )
@@ -112,6 +116,7 @@ class WafMetricPeriodicActionSpecification extends DDSpecification {
           'request_blocked:false',
           'waf_error:false',
           'waf_timeout:true',
+          'block_failure:true',
           'rate_limited:true'
         ]
     } )
@@ -126,6 +131,7 @@ class WafMetricPeriodicActionSpecification extends DDSpecification {
           'request_blocked:false',
           'waf_error:true',
           'waf_timeout:false',
+          'block_failure:true',
           'rate_limited:true'
         ]
     } )
@@ -139,6 +145,7 @@ class WafMetricPeriodicActionSpecification extends DDSpecification {
     WafMetricCollector.get().wafRequestTimeout()
     WafMetricCollector.get().wafRequestError()
     WafMetricCollector.get().wafRequestRateLimited()
+    WafMetricCollector.get().wafRequestBlockFailure()
     WafMetricCollector.get().prepareMetrics()
     periodicAction.doIteration(telemetryService)
 
@@ -158,6 +165,7 @@ class WafMetricPeriodicActionSpecification extends DDSpecification {
           'request_blocked:false',
           'waf_error:false',
           'waf_timeout:false',
+          'block_failure:true',
           'rate_limited:true'
         ]
     } )
@@ -172,6 +180,7 @@ class WafMetricPeriodicActionSpecification extends DDSpecification {
           'request_blocked:false',
           'waf_error:false',
           'waf_timeout:false',
+          'block_failure:true',
           'rate_limited:true'
         ]
     } )
@@ -186,6 +195,7 @@ class WafMetricPeriodicActionSpecification extends DDSpecification {
           'request_blocked:true',
           'waf_error:false',
           'waf_timeout:false',
+          'block_failure:true',
           'rate_limited:true'
         ]
     } )
@@ -200,6 +210,7 @@ class WafMetricPeriodicActionSpecification extends DDSpecification {
           'request_blocked:false',
           'waf_error:false',
           'waf_timeout:true',
+          'block_failure:true',
           'rate_limited:true'
         ]
     } )
@@ -214,6 +225,7 @@ class WafMetricPeriodicActionSpecification extends DDSpecification {
           'request_blocked:false',
           'waf_error:true',
           'waf_timeout:false',
+          'block_failure:true',
           'rate_limited:true'
         ]
     } )