Lazy API Security initialization

smola · smola · commit 9ad217d79f75 · 2025-06-19T12:15:11.000+02:00
diff --git a/dd-java-agent/appsec/src/main/java/com/datadog/appsec/AppSecSystem.java b/dd-java-agent/appsec/src/main/java/com/datadog/appsec/AppSecSystem.java
@@ -43,6 +43,8 @@ public class AppSecSystem {
   private static ReplaceableEventProducerService REPLACEABLE_EVENT_PRODUCER; // testing
   private static Runnable STOP_SUBSCRIPTION_SERVICE;
   private static Runnable RESET_SUBSCRIPTION_SERVICE;
+  private static final AtomicBoolean API_SECURITY_INITIALIZED = new AtomicBoolean(false);
+  private static volatile ApiSecuritySampler API_SECURITY_SAMPLER = new ApiSecuritySampler.NoOp();
 
   public static void start(SubscriptionService gw, SharedCommunicationObjects sco) {
     try {
@@ -69,18 +71,6 @@ private static void doStart(SubscriptionService gw, SharedCommunicationObjects s
     EventDispatcher eventDispatcher = new EventDispatcher();
     REPLACEABLE_EVENT_PRODUCER.replaceEventProducerService(eventDispatcher);
 
-    ApiSecuritySampler requestSampler;
-    if (Config.get().isApiSecurityEnabled()) {
-      requestSampler = new ApiSecuritySamplerImpl();
-      // When DD_API_SECURITY_ENABLED=true, ths post-processor is set even when AppSec is inactive.
-      // This should be low overhead since the post-processor exits early if there's no AppSec
-      // context.
-      SpanPostProcessor.Holder.INSTANCE =
-          new AppSecSpanPostProcessor(requestSampler, REPLACEABLE_EVENT_PRODUCER);
-    } else {
-      requestSampler = new ApiSecuritySampler.NoOp();
-    }
-
     ConfigurationPoller configurationPoller = sco.configurationPoller(config);
     // may throw and abort startup
     APP_SEC_CONFIG_SERVICE =
@@ -94,7 +84,7 @@ private static void doStart(SubscriptionService gw, SharedCommunicationObjects s
         new GatewayBridge(
             gw,
             REPLACEABLE_EVENT_PRODUCER,
-            requestSampler,
+            () -> API_SECURITY_SAMPLER,
             APP_SEC_CONFIG_SERVICE.getTraceSegmentPostProcessors());
 
     loadModules(eventDispatcher, sco.monitoring);
@@ -129,6 +119,9 @@ public static void setActive(boolean status) {
     log.debug("AppSec is now {}", status ? "active" : "inactive");
     ProductChangeCollector.get()
         .update(new ProductChange().productType(ProductChange.ProductType.APPSEC).enabled(status));
+    if (status) {
+      maybeInitializeApiSecurity();
+    }
   }
 
   public static void stop() {
@@ -196,6 +189,27 @@ private static void reloadSubscriptions(
     }
   }
 
+  private static void maybeInitializeApiSecurity() {
+    if (!Config.get().isApiSecurityEnabled()) {
+      return;
+    }
+    if (!ActiveSubsystems.APPSEC_ACTIVE) {
+      return;
+    }
+    // We initialize API Security the first time AppSec becomes active.
+    // We never de-initialize it, as that could lead to a leak of open WAF contexts in-flight.
+    if (API_SECURITY_INITIALIZED.compareAndSet(false, true)) {
+      ApiSecuritySampler requestSampler = new ApiSecuritySamplerImpl();
+      SpanPostProcessor.Holder.INSTANCE =
+          new AppSecSpanPostProcessor(requestSampler, REPLACEABLE_EVENT_PRODUCER);
+      if (SpanPostProcessor.Holder.INSTANCE == SpanPostProcessor.Holder.NOOP) {
+        SpanPostProcessor.Holder.INSTANCE =
+            new AppSecSpanPostProcessor(requestSampler, REPLACEABLE_EVENT_PRODUCER);
+        API_SECURITY_SAMPLER = requestSampler;
+      }
+    }
+  }
+
   public static boolean isStarted() {
     return STARTED.get();
   }
diff --git a/dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java b/dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java
@@ -52,8 +52,10 @@
 import java.util.Map;
 import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
+import java.util.function.Supplier;
 import java.util.regex.Pattern;
 import java.util.stream.Collectors;
+import javax.annotation.Nonnull;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -89,7 +91,7 @@ public class GatewayBridge {
 
   private final SubscriptionService subscriptionService;
   private final EventProducerService producerService;
-  private final ApiSecuritySampler requestSampler;
+  private final Supplier<ApiSecuritySampler> requestSamplerSupplier;
   private final List<TraceSegmentPostProcessor> traceSegmentPostProcessors;
 
   // subscriber cache
@@ -115,11 +117,11 @@ public class GatewayBridge {
   public GatewayBridge(
       SubscriptionService subscriptionService,
       EventProducerService producerService,
-      ApiSecuritySampler requestSampler,
+      @Nonnull Supplier<ApiSecuritySampler> requestSamplerSupplier,
       List<TraceSegmentPostProcessor> traceSegmentPostProcessors) {
     this.subscriptionService = subscriptionService;
     this.producerService = producerService;
-    this.requestSampler = requestSampler;
+    this.requestSamplerSupplier = requestSamplerSupplier;
     this.traceSegmentPostProcessors = traceSegmentPostProcessors;
   }
 
@@ -778,6 +780,7 @@ private boolean maybeSampleForApiSecurity(
     if (route != null) {
       ctx.setRoute(route.toString());
     }
+    ApiSecuritySampler requestSampler = requestSamplerSupplier.get();
     return requestSampler.preSampleRequest(ctx);
   }
 
diff --git a/dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/gateway/GatewayBridgeSpecification.groovy b/dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/gateway/GatewayBridgeSpecification.groovy
@@ -86,7 +86,7 @@ class GatewayBridgeSpecification extends DDSpecification {
 
   TraceSegmentPostProcessor pp = Mock()
   ApiSecuritySamplerImpl requestSampler = Mock(ApiSecuritySamplerImpl)
-  GatewayBridge bridge = new GatewayBridge(ig, eventDispatcher, requestSampler, [pp])
+  GatewayBridge bridge = new GatewayBridge(ig, eventDispatcher, () -> requestSampler, [pp])
 
   Supplier<Flow<AppSecRequestContext>> requestStartedCB
   BiFunction<RequestContext, AgentSpan, Flow<Void>> requestEndedCB
@@ -258,8 +258,9 @@ class GatewayBridgeSpecification extends DDSpecification {
     ctx.data.rawURI = '/'
     ctx.data.peerAddress = '0.0.0.0'
     eventDispatcher.getDataSubscribers(_) >> nonEmptyDsInfo
-    eventDispatcher.publishDataEvent(nonEmptyDsInfo, ctx.data, _ as DataBundle, _ as GatewayContext) >>
-    { bundle = it[2]; NoopFlow.INSTANCE }
+    eventDispatcher.publishDataEvent(nonEmptyDsInfo, ctx.data, _ as DataBundle, _ as GatewayContext) >> {
+      bundle = it[2]; NoopFlow.INSTANCE
+    }
 
     and:
     reqHeadersDoneCB.apply(ctx)
@@ -277,8 +278,9 @@ class GatewayBridgeSpecification extends DDSpecification {
 
     when:
     eventDispatcher.getDataSubscribers(_) >> nonEmptyDsInfo
-    eventDispatcher.publishDataEvent(nonEmptyDsInfo, ctx.data, _ as DataBundle, _ as GatewayContext) >>
-    { bundle = it[2]; gatewayContext = it[3]; NoopFlow.INSTANCE }
+    eventDispatcher.publishDataEvent(nonEmptyDsInfo, ctx.data, _ as DataBundle, _ as GatewayContext) >> {
+      bundle = it[2]; gatewayContext = it[3]; NoopFlow.INSTANCE
+    }
 
     and:
     reqHeadersDoneCB.apply(ctx)
@@ -298,8 +300,9 @@ class GatewayBridgeSpecification extends DDSpecification {
 
     when:
     eventDispatcher.getDataSubscribers(_) >> nonEmptyDsInfo
-    eventDispatcher.publishDataEvent(nonEmptyDsInfo, ctx.data, _ as DataBundle, _ as GatewayContext) >>
-    { bundle = it[2]; gatewayContext = it[3]; NoopFlow.INSTANCE }
+    eventDispatcher.publishDataEvent(nonEmptyDsInfo, ctx.data, _ as DataBundle, _ as GatewayContext) >> {
+      bundle = it[2]; gatewayContext = it[3]; NoopFlow.INSTANCE
+    }
 
     and:
     reqHeadersDoneCB.apply(ctx)
@@ -319,8 +322,9 @@ class GatewayBridgeSpecification extends DDSpecification {
 
     when:
     eventDispatcher.getDataSubscribers(_) >> nonEmptyDsInfo
-    eventDispatcher.publishDataEvent(nonEmptyDsInfo, ctx.data, _ as DataBundle, _ as GatewayContext) >>
-    { bundle = it[2]; gatewayContext = it[3]; NoopFlow.INSTANCE }
+    eventDispatcher.publishDataEvent(nonEmptyDsInfo, ctx.data, _ as DataBundle, _ as GatewayContext) >> {
+      bundle = it[2]; gatewayContext = it[3]; NoopFlow.INSTANCE
+    }
 
     and:
     reqHeadersDoneCB.apply(ctx)
@@ -339,9 +343,12 @@ class GatewayBridgeSpecification extends DDSpecification {
     def adapter = TestURIDataAdapter.create(uri, supportsRaw)
 
     when:
-    eventDispatcher.getDataSubscribers({ KnownAddresses.REQUEST_URI_RAW in it }) >> nonEmptyDsInfo
-    eventDispatcher.publishDataEvent(nonEmptyDsInfo, ctx.data, _ as DataBundle, _ as GatewayContext) >>
-    { bundle = it[2]; gatewayContext = it[3]; NoopFlow.INSTANCE }
+    eventDispatcher.getDataSubscribers({
+      KnownAddresses.REQUEST_URI_RAW in it
+    }) >> nonEmptyDsInfo
+    eventDispatcher.publishDataEvent(nonEmptyDsInfo, ctx.data, _ as DataBundle, _ as GatewayContext) >> {
+      bundle = it[2]; gatewayContext = it[3]; NoopFlow.INSTANCE
+    }
 
     and:
     requestMethodURICB.apply(ctx, 'GET', adapter)
@@ -373,9 +380,12 @@ class GatewayBridgeSpecification extends DDSpecification {
     def adapter = TestURIDataAdapter.create(uri)
 
     when:
-    eventDispatcher.getDataSubscribers({ KnownAddresses.REQUEST_URI_RAW in it }) >> nonEmptyDsInfo
-    eventDispatcher.publishDataEvent(nonEmptyDsInfo, ctx.data, _ as DataBundle, _ as GatewayContext) >>
-    { bundle = it[2]; gatewayContext = it[3]; NoopFlow.INSTANCE }
+    eventDispatcher.getDataSubscribers({
+      KnownAddresses.REQUEST_URI_RAW in it
+    }) >> nonEmptyDsInfo
+    eventDispatcher.publishDataEvent(nonEmptyDsInfo, ctx.data, _ as DataBundle, _ as GatewayContext) >> {
+      bundle = it[2]; gatewayContext = it[3]; NoopFlow.INSTANCE
+    }
 
     and:
     requestMethodURICB.apply(ctx, 'GET', adapter)
@@ -406,9 +416,12 @@ class GatewayBridgeSpecification extends DDSpecification {
     GatewayContext gatewayContext
 
     when:
-    eventDispatcher.getDataSubscribers({ KnownAddresses.REQUEST_PATH_PARAMS in it }) >> nonEmptyDsInfo
-    eventDispatcher.publishDataEvent(nonEmptyDsInfo, ctx.data, _ as DataBundle, _ as GatewayContext) >>
-    { bundle = it[2]; gatewayContext = it[3]; NoopFlow.INSTANCE }
+    eventDispatcher.getDataSubscribers({
+      KnownAddresses.REQUEST_PATH_PARAMS in it
+    }) >> nonEmptyDsInfo
+    eventDispatcher.publishDataEvent(nonEmptyDsInfo, ctx.data, _ as DataBundle, _ as GatewayContext) >> {
+      bundle = it[2]; gatewayContext = it[3]; NoopFlow.INSTANCE
+    }
 
     and:
     pathParamsCB.apply(ctx, [a: 'b'])
@@ -663,9 +676,9 @@ class GatewayBridgeSpecification extends DDSpecification {
 
     when:
     Flow<?> flow = requestBodyProcessedCB.apply(ctx, new Object() {
-        @SuppressWarnings('UnusedPrivateField')
-        private String foo = 'bar'
-      })
+      @SuppressWarnings('UnusedPrivateField')
+      private String foo = 'bar'
+    })
 
     then:
     1 * eventDispatcher.publishDataEvent(nonEmptyDsInfo, ctx.data, _ as DataBundle, _ as GatewayContext) >>
@@ -762,9 +775,9 @@ class GatewayBridgeSpecification extends DDSpecification {
 
     when:
     Flow<?> flow = grpcServerRequestMessageCB.apply(ctx, new Object() {
-        @SuppressWarnings('UnusedPrivateField')
-        private String foo = 'bar'
-      })
+      @SuppressWarnings('UnusedPrivateField')
+      private String foo = 'bar'
+    })
 
     then:
     1 * eventDispatcher.publishDataEvent(nonEmptyDsInfo, ctx.data, _ as DataBundle, _ as GatewayContext) >>
@@ -919,28 +932,28 @@ class GatewayBridgeSpecification extends DDSpecification {
 
   void 'no appsec events if was not created request context in request_start event'() {
     RequestContext emptyCtx = new RequestContext() {
-        final Object data = null
-        BlockResponseFunction blockResponseFunction
-
-        @Override
-        Object getData(RequestContextSlot slot) {
-          data
-        }
-
-        @Override
-        final TraceSegment getTraceSegment() {
-          GatewayBridgeSpecification.this.traceSegment
-        }
-
-        @Override
-        def <T> T getOrCreateMetaStructTop(String key, Function<String, T> defaultValue) {
-          return null
-        }
-
-        @Override
-        void close() throws IOException {}
+      final Object data = null
+      BlockResponseFunction blockResponseFunction
+
+      @Override
+      Object getData(RequestContextSlot slot) {
+        data
       }
 
+      @Override
+      final TraceSegment getTraceSegment() {
+        GatewayBridgeSpecification.this.traceSegment
+      }
+
+      @Override
+      def <T> T getOrCreateMetaStructTop(String key, Function<String, T> defaultValue) {
+        return null
+      }
+
+      @Override
+      void close() throws IOException {}
+    }
+
     StoredBodySupplier supplier = Stub()
     IGSpanInfo spanInfo = Stub(AgentSpan)
     Object obj = 'obj'
