Appsec: create top span for process executions
1 parent
9d58e35
commit 678ebe0
Showing
14 changed files
with
470 additions
and
3 deletions.
@@ -0,0 +1,11 @@ | ||
ext { | ||
minJavaVersionForTests = JavaVersion.VERSION_1_8 | ||
} | ||
|
||
muzzle { | ||
pass { | ||
coreJdk() | ||
} | ||
} | ||
|
||
apply from: "$rootDir/gradle/java.gradle" |
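--- a/...ang/src/main/java/datadog/trace/instrumentation/java/lang/ProcessImplInstrumentation.java
+++ b/...ang/src/main/java/datadog/trace/instrumentation/java/lang/ProcessImplInstrumentation.java
@@ -0,0 +1,42 @@
+package datadog.trace.instrumentation.java.lang;
+
+import static datadog.trace.agent.tooling.bytebuddy.matcher.NameMatchers.named;
+import static net.bytebuddy.matcher.ElementMatchers.takesArguments;
+
+import com.google.auto.service.AutoService;
+import datadog.trace.agent.tooling.Instrumenter;
+import datadog.trace.api.Platform;
+import java.util.Map;
+
+@AutoService(Instrumenter.class)
+public class ProcessImplInstrumentation extends Instrumenter.Tracing
+implements Instrumenter.ForSingleType, Instrumenter.ForBootstrap {
+
+public ProcessImplInstrumentation() {
+super("java-lang-appsec");
+}
+
+@Override
+public String instrumentedType() {
+return "java.lang.ProcessImpl";
+}
+
+@Override
+public boolean isEnabled() {
+return Platform.isJavaVersionAtLeast(8) && super.isEnabled();
+}
+
+@Override
+public void adviceTransformations(AdviceTransformation transformation) {
+transformation.applyAdvice(
+named("start")
+.and(
+takesArguments(
+String[].class,
+Map.class,
+String.class,
+ProcessBuilder.Redirect[].class,
+boolean.class)),
+packageName + ".ProcessImplStartAdvice");
+}
+}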
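Review bot: The class has no Javadoc saying why the hook sits on the JDK-internal `java.lang.ProcessImpl.start` five-argument overload instead of the public `ProcessBuilder.start`; that placement is what makes the spec's `Runtime.runtime.exec` case produce a span as well, and the matched argument list is an implementation detail that can change between JDK releases. Suggested class comment: `/** Instruments java.lang.ProcessImpl.start(String[], Map, String, Redirect[], boolean), the common path under ProcessBuilder.start and Runtime.exec, so every process launch gets a command_execution span. The signature is JDK-internal; re-check it when the supported Java range changes. */`. The `isEnabled()` guard on `isJavaVersionAtLeast(8)` presumably exists because the matched signature differs on older JDKs; a one-line comment stating that would save the next reader the archaeology.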
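--- a/...va-lang/src/main/java/datadog/trace/instrumentation/java/lang/ProcessImplStartAdvice.java
+++ b/...va-lang/src/main/java/datadog/trace/instrumentation/java/lang/ProcessImplStartAdvice.java
@@ -0,0 +1,47 @@
+package datadog.trace.instrumentation.java.lang;
+
+import datadog.trace.bootstrap.instrumentation.api.AgentSpan;
+import datadog.trace.bootstrap.instrumentation.api.AgentTracer;
+import datadog.trace.bootstrap.instrumentation.api.TagContext;
+import datadog.trace.bootstrap.instrumentation.api.java.lang.ProcessImplInstrumentationHelpers;
+import java.io.IOException;
+import java.util.Map;
+import net.bytebuddy.asm.Advice;
+
+class ProcessImplStartAdvice {
+@Advice.OnMethodEnter(suppress = Throwable.class)
+public static AgentSpan startSpan(@Advice.Argument(0) final String[] command) throws IOException {
+if (!ProcessImplInstrumentationHelpers.ONLINE) {
+return null;
+}
+
+if (command.length == 0) {
+return null;
+}
+
+AgentTracer.TracerAPI tracer = AgentTracer.get();
+
+Map<String, String> tags = ProcessImplInstrumentationHelpers.createTags(command);
+TagContext tagContext = new TagContext("appsec", tags);
+AgentSpan span = tracer.startSpan("command_execution", tagContext);
+span.setSpanType("system");
+span.setResourceName(ProcessImplInstrumentationHelpers.determineResource(command));
+return span;
+}
+
+@Advice.OnMethodExit(suppress = Throwable.class, onThrowable = Throwable.class)
+public static void endSpan(
+@Advice.Return Process p, @Advice.Enter AgentSpan span, @Advice.Thrown Throwable t) {
+if (span == null) {
+return;
+}
+if (t != null) {
+span.setError(true);
+span.setErrorMessage(t.getMessage());
+span.finish();
+return;
+}
+
+ProcessImplInstrumentationHelpers.addProcessCompletionHook(p, span);
+}
+}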
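Review bot: In `endSpan`, `span.setErrorMessage(t.getMessage())` records the raw exception text, which bypasses the argument redaction that `ProcessImplInstrumentationHelpers.createTags` applies to `cmd.exec`, and `getMessage()` may be null. The JDK's start-failure message is expected to name only the program, not its arguments, but that should be confirmed and stated in a comment on this line, and a fallback such as `span.setErrorMessage(t.getMessage() != null ? t.getMessage() : t.getClass().getName());` avoids writing a null tag. Separately, `startSpan` declares `throws IOException` although nothing in its body throws it and the advice already runs under `suppress = Throwable.class`; drop the clause or comment why Byte Buddy needs it here.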
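--- a/...vy/datadog/trace/instrumentation/java/lang/ProcessImplInstrumentationSpecification.groovy
+++ b/...vy/datadog/trace/instrumentation/java/lang/ProcessImplInstrumentationSpecification.groovy
@@ -0,0 +1,165 @@
+package datadog.trace.instrumentation.java.lang
+
+import datadog.trace.agent.test.AgentTestRunner
+import datadog.trace.api.gateway.RequestContextSlot
+import datadog.trace.bootstrap.ActiveSubsystems
+import datadog.trace.core.DDSpan
+import spock.lang.Requires
+
+import java.util.concurrent.TimeUnit
+
+import static datadog.trace.api.Platform.isJavaVersionAtLeast
+
+@Requires({
+isJavaVersionAtLeast(8)
+})
+class ProcessImplInstrumentationSpecification extends AgentTestRunner {
+def ss = TEST_TRACER.getSubscriptionService(RequestContextSlot.APPSEC)
+
+void cleanup() {
+ss.reset()
+}
+
+void 'creates a span in a normal case'() {
+when:
+def builder = new ProcessBuilder('/bin/sh', '-c', 'echo 42')
+Process p = builder.start()
+String output = p.inputStream.text
+TEST_WRITER.waitForTraces(1)
+DDSpan span = TEST_WRITER[0][0]
+
+then:
+output == "42\n"
+span.tags['cmd.exec'] == '["/bin/sh","-c","echo 42"]'
+span.tags['cmd.exit_code'] == 0
+span.spanType == 'system'
+span.resourceName == 'sh'
+span.spanName == 'command_execution'
+}
+
+void 'span only has executable if appsec is disabled'() {
+setup:
+ActiveSubsystems.APPSEC_ACTIVE = false
+
+when:
+def builder = new ProcessBuilder('/bin/sh', '-c', 'echo 42')
+Process p = builder.start()
+Thread.start { p.inputStream.text }
+p.waitFor(5, TimeUnit.SECONDS)
+TEST_WRITER.waitForTraces(1)
+DDSpan span = TEST_WRITER[0][0]
+
+then:
+span.tags['cmd.exec'] == '["/bin/sh"]'
+}
+
+void 'variant with Runtime exec'() {
+when:
+Process p = Runtime.runtime.exec('/bin/sh -c true')
+p.waitFor(5, TimeUnit.SECONDS)
+TEST_WRITER.waitForTraces(1)
+DDSpan span = TEST_WRITER[0][0]
+
+then:
+span.tags['cmd.exec'] == '["/bin/sh","-c","true"]'
+}
+
+void 'the exit code is correctly reported'() {
+when:
+def builder = new ProcessBuilder('/bin/sh', '-c', 'exit 33')
+Process p = builder.start()
+p.waitFor(5, TimeUnit.SECONDS)
+TEST_WRITER.waitForTraces(1)
+DDSpan span = TEST_WRITER[0][0]
+
+then:
+span.tags['cmd.exit_code'] == 33
+}
+
+void 'can handle waiting on another thread'() {
+when:
+// sleep a bit so that it doesn't all happen on the same thread
+def builder = new ProcessBuilder('/bin/sh', '-c', 'sleep 0.5; echo 42')
+Process p = builder.start()
+def out
+Thread.start {
+out = p.inputStream.text
+p.waitFor()
+}.join(5000)
+TEST_WRITER.waitForTraces(1)
+DDSpan span = TEST_WRITER[0][0]
+
+then:
+out == '42\n'
+span.getDurationNano() >= 500_000_000 // 500 ms (we sleep for 0.5 s)
+span.tags['cmd.exit_code'] == 0
+}
+
+void 'command cannot be executed'() {
+when:
+def builder = new ProcessBuilder('/bin/does-not-exist')
+builder.start()
+
+then:
+thrown IOException
+
+when:
+TEST_WRITER.waitForTraces(1)
+DDSpan span = TEST_WRITER[0][0]
+
+then:
+span.tags['cmd.exec'] == '["/bin/does-not-exist"]'
+span.tags['error.msg'] != null
+span.isError() == true
+}
+
+void 'process is destroyed'() {
+when:
+def builder = new ProcessBuilder('/bin/sh', '-c', 'sleep 3600')
+Process p = builder.start()
+Thread.start {
+p.destroy()
+}
+p.waitFor(5, TimeUnit.SECONDS)
+TEST_WRITER.waitForTraces(1)
+DDSpan span = TEST_WRITER[0][0]
+
+then:
+span.tags['cmd.exit_code'] != 0
+}
+
+void 'command is truncated'() {
+when:
+def builder = new ProcessBuilder('/bin/sh', '-c', 'echo ' + ('a' * (4096 - 14 + 1)))
+Process p = builder.start()
+Thread.start { p.inputStream.text }
+p.waitFor(5, TimeUnit.SECONDS)
+TEST_WRITER.waitForTraces(1)
+DDSpan span = TEST_WRITER[0][0]
+
+then:
+span.tags['cmd.truncated'] == 'true'
+span.tags['cmd.exec'] == '["/bin/sh","-c"]'
+}
+
+void redactions() {
+when:
+def builder = new ProcessBuilder(command)
+builder.start()
+
+then:
+thrown IOException
+
+when:
+TEST_WRITER.waitForTraces(1)
+DDSpan span = TEST_WRITER[0][0]
+
+then:
+span.tags['cmd.exec'] == expected
+
+where:
+command | expected
+['cmd', '--pass', 'abc', '--token=def'] | '["cmd","--pass","?","--token=?"]'
+['/does/not/exist/md5', '-s', 'pony'] | '["/does/not/exist/md5","?","?"]'
+}
+}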
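Review bot: The boolean returned by `p.waitFor(5, TimeUnit.SECONDS)` is discarded in 'span only has executable if appsec is disabled', 'variant with Runtime exec', 'the exit code is correctly reported', 'process is destroyed' and 'command is truncated', so a child that never exits is only caught indirectly when `TEST_WRITER.waitForTraces(1)` gives up. Writing each as `assert p.waitFor(5, TimeUnit.SECONDS)` inside the `when:` block makes the real failure visible. The suite also presumes `/bin/sh` exists and `/bin/does-not-exist` does not, which presumably holds on the CI images; a short comment at the top of the class stating that assumption would help whoever runs it elsewhere.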