Extract Play json body response schemas

Author: manuel-alvarez-alvarez

dd-java-agent/instrumentation/play-2.4/src/main/java/datadog/trace/instrumentation/play25/appsec/StatusHeaderInstrumentation.java

@@ -0,0 +1,40 @@
+package datadog.trace.instrumentation.play25.appsec;
+
+import static datadog.trace.agent.tooling.bytebuddy.matcher.NameMatchers.named;
+import static net.bytebuddy.matcher.ElementMatchers.takesArgument;
+
+import com.google.auto.service.AutoService;
+import datadog.trace.agent.tooling.Instrumenter;
+import datadog.trace.agent.tooling.InstrumenterModule;
+import datadog.trace.agent.tooling.muzzle.Reference;
+
+@AutoService(InstrumenterModule.class)
+public class StatusHeaderInstrumentation extends InstrumenterModule.AppSec
+    implements Instrumenter.ForSingleType, Instrumenter.HasMethodAdvice {
+
+  public StatusHeaderInstrumentation() {
+    super("play");
+  }
+
+  @Override
+  public String muzzleDirective() {
+    return "play25only";
+  }
+
+  @Override
+  public Reference[] additionalMuzzleReferences() {
+    return MuzzleReferences.PLAY_25_ONLY;
+  }
+
+  @Override
+  public String instrumentedType() {
+    return "play.mvc.StatusHeader";
+  }
+
+  @Override
+  public void methodAdvice(MethodTransformer transformer) {
+    transformer.applyAdvice(
+        named("sendJson").and(takesArgument(0, named("com.fasterxml.jackson.databind.JsonNode"))),
+        packageName + ".StatusHeaderSendJsonAdvice");
+  }
+}

dd-java-agent/instrumentation/play-2.4/src/main/java_play25/datadog/trace/instrumentation/play25/appsec/StatusHeaderSendJsonAdvice.java

@@ -0,0 +1,64 @@
+package datadog.trace.instrumentation.play25.appsec;
+
+import static datadog.trace.api.gateway.Events.EVENTS;
+
+import com.fasterxml.jackson.databind.JsonNode;
+import datadog.appsec.api.blocking.BlockingException;
+import datadog.trace.advice.ActiveRequestContext;
+import datadog.trace.advice.RequiresRequestContext;
+import datadog.trace.api.gateway.BlockResponseFunction;
+import datadog.trace.api.gateway.CallbackProvider;
+import datadog.trace.api.gateway.Flow;
+import datadog.trace.api.gateway.RequestContext;
+import datadog.trace.api.gateway.RequestContextSlot;
+import datadog.trace.bootstrap.CallDepthThreadLocalMap;
+import datadog.trace.bootstrap.instrumentation.api.AgentTracer;
+import java.util.function.BiFunction;
+import net.bytebuddy.asm.Advice;
+import play.mvc.StatusHeader;
+
+@RequiresRequestContext(RequestContextSlot.APPSEC)
+public class StatusHeaderSendJsonAdvice {
+
+  @Advice.OnMethodEnter(suppress = Throwable.class)
+  static void before() {
+    CallDepthThreadLocalMap.incrementCallDepth(StatusHeader.class);
+  }
+
+  @Advice.OnMethodExit(suppress = Throwable.class, onThrowable = Throwable.class)
+  static void after(
+      @Advice.Argument(0) final JsonNode json, @ActiveRequestContext RequestContext reqCtx) {
+    final int depth = CallDepthThreadLocalMap.decrementCallDepth(StatusHeader.class);
+    if (depth > 0) {
+      return;
+    }
+
+    if (json == null) {
+      return;
+    }
+
+    CallbackProvider cbp = AgentTracer.get().getCallbackProvider(RequestContextSlot.APPSEC);
+    BiFunction<RequestContext, Object, Flow<Void>> callback =
+        cbp.getCallback(EVENTS.responseBody());
+    if (callback == null) {
+      return;
+    }
+
+    Flow<Void> flow = callback.apply(reqCtx, json);
+    Flow.Action action = flow.getAction();
+    if (action instanceof Flow.Action.RequestBlockingAction) {
+      BlockResponseFunction blockResponseFunction = reqCtx.getBlockResponseFunction();
+      if (blockResponseFunction == null) {
+        return;
+      }
+      Flow.Action.RequestBlockingAction rba = (Flow.Action.RequestBlockingAction) action;
+      blockResponseFunction.tryCommitBlockingResponse(
+          reqCtx.getTraceSegment(),
+          rba.getStatusCode(),
+          rba.getBlockingContentType(),
+          rba.getExtraHeaders());
+
+      throw new BlockingException("Blocked request (for StatusHeader/sendJson)");
+    }
+  }
+}

dd-java-agent/instrumentation/play-2.4/src/test/groovy/datadog/trace/instrumentation/play25/server/PlayRouters.groovy

@@ -130,7 +130,7 @@ class PlayRouters {
         ->
         JsonNode json = body().asJson()
         controller(BODY_JSON) {
-          Results.status(BODY_JSON.status, new ObjectMapper().writeValueAsString(json))
+          Results.status(BODY_JSON.status, json)
         }
       } as Supplier)
       .build()

dd-java-agent/instrumentation/play-2.4/src/test/groovy/datadog/trace/instrumentation/play25/server/PlayServerTest.groovy

@@ -93,6 +93,11 @@ class PlayServerTest extends HttpServerTest<Server> {
     true
   }
 
+  @Override
+  boolean testResponseBodyJson() {
+    true
+  }
+
   @Override
   String testPathParam() {
     '/path/?/param'

dd-java-agent/instrumentation/play-2.6/src/baseTest/groovy/datadog/trace/instrumentation/play26/server/PlayRouters.groovy

@@ -1,11 +1,11 @@
 package datadog.trace.instrumentation.play26.server
 
+import com.fasterxml.jackson.databind.ObjectMapper
 import datadog.appsec.api.blocking.Blocking
 import datadog.trace.agent.test.base.HttpServerTest
 import groovy.transform.CompileStatic
 import play.BuiltInComponents
 import play.api.libs.json.JsValue
-import play.api.libs.json.Json$
 import play.api.mvc.AnyContent
 import play.libs.concurrent.HttpExecution
 import play.mvc.Http
@@ -150,7 +150,7 @@ class PlayRouters {
         ->
         controller(BODY_JSON) {
           JsValue json = body().asJson().get()
-          Results.status(BODY_JSON.status, Json$.MODULE$.stringify(json))
+          Results.status(BODY_JSON.status, new ObjectMapper().readTree(json.toString()))
         }
       } as Supplier)
       .POST(BODY_XML.path).routeTo({
@@ -286,7 +286,7 @@ class PlayRouters {
         CompletableFuture.supplyAsync({
           ->
           controller(BODY_JSON) {
-            Results.status(BODY_JSON.status, Json$.MODULE$.stringify(json))
+            Results.status(BODY_JSON.status, new ObjectMapper().readTree(json.toString()))
           }
         }, execContext)
       } as Supplier)

dd-java-agent/instrumentation/play-2.6/src/baseTest/groovy/datadog/trace/instrumentation/play26/server/PlayServerTest.groovy

@@ -96,6 +96,11 @@ class PlayServerTest extends HttpServerTest<Server> {
     true
   }
 
+  @Override
+  boolean testResponseBodyJson() {
+    true
+  }
+
   @Override
   String testPathParam() {
     '/path/?/param'

dd-java-agent/instrumentation/play-2.6/src/latestDepTest/groovy/datadog/trace/instrumentation/play26/server/latestdep/PlayRouters.groovy

@@ -1,7 +1,6 @@
 package datadog.trace.instrumentation.play26.server.latestdep
 
 import com.fasterxml.jackson.databind.JsonNode
-import com.fasterxml.jackson.databind.ObjectMapper
 import datadog.appsec.api.blocking.Blocking
 import datadog.trace.agent.test.base.HttpServerTest
 import datadog.trace.instrumentation.play26.server.TestHttpErrorHandler
@@ -121,7 +120,7 @@ class PlayRouters {
       .POST(BODY_JSON.path).routingTo({ Http.Request req ->
         controller(BODY_JSON) {
           JsonNode json = req.body().asJson()
-          Results.status(BODY_JSON.status, new ObjectMapper().writeValueAsString(json))
+          Results.status(BODY_JSON.status, json)
         }
       } as RequestFunctions.Params0<Result>)
       .POST(BODY_XML.path).routingTo({ Http.Request req ->
@@ -254,7 +253,7 @@ class PlayRouters {
         CompletableFuture.supplyAsync({
           ->
           controller(BODY_JSON) {
-            Results.status(BODY_JSON.status, new ObjectMapper().writeValueAsString(json))
+            Results.status(BODY_JSON.status, json)
           }
         }, execContext)
       } as RequestFunctions.Params0<? extends CompletionStage<Result>>)

dd-java-agent/instrumentation/play-2.6/src/main/java/datadog/trace/instrumentation/play26/appsec/StatusHeaderInstrumentation.java

@@ -0,0 +1,102 @@
+package datadog.trace.instrumentation.play26.appsec;
+
+import static datadog.trace.agent.tooling.bytebuddy.matcher.NameMatchers.named;
+import static datadog.trace.api.gateway.Events.EVENTS;
+import static net.bytebuddy.matcher.ElementMatchers.takesArgument;
+
+import com.fasterxml.jackson.databind.JsonNode;
+import com.google.auto.service.AutoService;
+import datadog.appsec.api.blocking.BlockingException;
+import datadog.trace.advice.ActiveRequestContext;
+import datadog.trace.advice.RequiresRequestContext;
+import datadog.trace.agent.tooling.Instrumenter;
+import datadog.trace.agent.tooling.InstrumenterModule;
+import datadog.trace.agent.tooling.muzzle.Reference;
+import datadog.trace.api.gateway.BlockResponseFunction;
+import datadog.trace.api.gateway.CallbackProvider;
+import datadog.trace.api.gateway.Flow;
+import datadog.trace.api.gateway.RequestContext;
+import datadog.trace.api.gateway.RequestContextSlot;
+import datadog.trace.bootstrap.CallDepthThreadLocalMap;
+import datadog.trace.bootstrap.instrumentation.api.AgentTracer;
+import datadog.trace.instrumentation.play26.MuzzleReferences;
+import java.util.function.BiFunction;
+import net.bytebuddy.asm.Advice;
+import play.mvc.StatusHeader;
+
+@AutoService(InstrumenterModule.class)
+public class StatusHeaderInstrumentation extends InstrumenterModule.AppSec
+    implements Instrumenter.ForSingleType, Instrumenter.HasMethodAdvice {
+
+  public StatusHeaderInstrumentation() {
+    super("play");
+  }
+
+  @Override
+  public String muzzleDirective() {
+    return "play26Plus";
+  }
+
+  @Override
+  public Reference[] additionalMuzzleReferences() {
+    return MuzzleReferences.PLAY_26_PLUS; // force failure in <2.6
+  }
+
+  @Override
+  public String instrumentedType() {
+    return "play.mvc.StatusHeader";
+  }
+
+  @Override
+  public void methodAdvice(MethodTransformer transformer) {
+    transformer.applyAdvice(
+        named("sendJson").and(takesArgument(0, named("com.fasterxml.jackson.databind.JsonNode"))),
+        StatusHeaderInstrumentation.class.getName() + "$StatusHeaderSendJsonAdvice");
+  }
+
+  @RequiresRequestContext(RequestContextSlot.APPSEC)
+  public static class StatusHeaderSendJsonAdvice {
+
+    @Advice.OnMethodEnter(suppress = Throwable.class)
+    static void before() {
+      CallDepthThreadLocalMap.incrementCallDepth(StatusHeader.class);
+    }
+
+    @Advice.OnMethodExit(suppress = Throwable.class, onThrowable = Throwable.class)
+    static void after(
+        @Advice.Argument(0) final JsonNode json, @ActiveRequestContext RequestContext reqCtx) {
+      final int depth = CallDepthThreadLocalMap.decrementCallDepth(StatusHeader.class);
+      if (depth > 0) {
+        return;
+      }
+
+      if (json == null) {
+        return;
+      }
+
+      CallbackProvider cbp = AgentTracer.get().getCallbackProvider(RequestContextSlot.APPSEC);
+      BiFunction<RequestContext, Object, Flow<Void>> callback =
+          cbp.getCallback(EVENTS.responseBody());
+      if (callback == null) {
+        return;
+      }
+
+      Flow<Void> flow = callback.apply(reqCtx, json);
+      Flow.Action action = flow.getAction();
+      if (action instanceof Flow.Action.RequestBlockingAction) {
+        BlockResponseFunction blockResponseFunction = reqCtx.getBlockResponseFunction();
+        if (blockResponseFunction == null) {
+          return;
+        }
+        Flow.Action.RequestBlockingAction rba = (Flow.Action.RequestBlockingAction) action;
+        blockResponseFunction.tryCommitBlockingResponse(
+            reqCtx.getTraceSegment(),
+            rba.getStatusCode(),
+            rba.getBlockingContentType(),
+            rba.getExtraHeaders());
+
+        throw new BlockingException("Blocked request (for StatusHeader/sendJson)");
+      }
+    }
+  }
+}

dd-java-agent/testing/src/main/groovy/datadog/trace/agent/test/base/HttpServerTest.groovy

@@ -39,6 +39,7 @@ import datadog.trace.bootstrap.instrumentation.api.URIUtils
 import datadog.trace.core.DDSpan
 import datadog.trace.core.datastreams.StatsGroup
 import datadog.trace.test.util.Flaky
+import groovy.json.JsonSlurper
 import groovy.transform.Canonical
 import groovy.transform.CompileStatic
 import net.bytebuddy.utility.RandomString
@@ -2497,6 +2498,9 @@ abstract class HttpServerTest<SERVER> extends WithHttpServer<SERVER> {
 
     final BiFunction<RequestContext, Object, Flow<Void>> responseBodyObjectCb =
     ({ RequestContext rqCtxt, Object obj ->
+      if (obj.class.package.name.startsWith('com.fasterxml.jackson.databind')) {
+        obj = new JsonSlurper().parseText(obj.toString())
+      }
       if (obj instanceof Map) {
         obj = obj.collectEntries {
           [