DataDog
diff --git a/‎dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java
Lines changed: 9 additions & 0 deletions b/‎dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java
Lines changed: 9 additions & 0 deletions
diff --git a/‎dd-java-agent/instrumentation/play-2.3/src/main/java/datadog/trace/instrumentation/play23/PlayHttpServerDecorator.java
Lines changed: 22 additions & 1 deletion b/‎dd-java-agent/instrumentation/play-2.3/src/main/java/datadog/trace/instrumentation/play23/PlayHttpServerDecorator.java
Lines changed: 22 additions & 1 deletion
diff --git a/‎dd-java-agent/instrumentation/play-2.4/src/main/java/datadog/trace/instrumentation/play24/PlayHttpServerDecorator.java
Lines changed: 22 additions & 1 deletion b/‎dd-java-agent/instrumentation/play-2.4/src/main/java/datadog/trace/instrumentation/play24/PlayHttpServerDecorator.java
Lines changed: 22 additions & 1 deletion
diff --git a/‎dd-java-agent/instrumentation/play-2.6/src/main/java/datadog/trace/instrumentation/play26/PlayHttpServerDecorator.java
Lines changed: 23 additions & 1 deletion b/‎dd-java-agent/instrumentation/play-2.6/src/main/java/datadog/trace/instrumentation/play26/PlayHttpServerDecorator.java
Lines changed: 23 additions & 1 deletion
diff --git a/‎dd-smoke-tests/play-2.4/app/controllers/AppSecController.scala
Lines changed: 11 additions & 0 deletions b/‎dd-smoke-tests/play-2.4/app/controllers/AppSecController.scala
Lines changed: 11 additions & 0 deletions
diff --git a/‎dd-smoke-tests/play-2.4/build.gradle
Lines changed: 1 addition & 0 deletions b/‎dd-smoke-tests/play-2.4/build.gradle
Lines changed: 1 addition & 0 deletions
diff --git a/‎dd-smoke-tests/play-2.4/conf/routes
Lines changed: 3 additions & 0 deletions b/‎dd-smoke-tests/play-2.4/conf/routes
Lines changed: 3 additions & 0 deletions
diff --git a/‎dd-smoke-tests/play-2.4/src/test/groovy/datadog/smoketest/AppSecPlayNettySmokeTest.groovy
Lines changed: 92 additions & 0 deletions b/‎dd-smoke-tests/play-2.4/src/test/groovy/datadog/smoketest/AppSecPlayNettySmokeTest.groovy
Lines changed: 92 additions & 0 deletions
diff --git a/‎dd-smoke-tests/play-2.5/app/controllers/AppSecController.scala
Lines changed: 11 additions & 0 deletions b/‎dd-smoke-tests/play-2.5/app/controllers/AppSecController.scala
Lines changed: 11 additions & 0 deletions
diff --git a/‎dd-smoke-tests/play-2.5/build.gradle
Lines changed: 1 addition & 0 deletions b/‎dd-smoke-tests/play-2.5/build.gradle
Lines changed: 1 addition & 0 deletions
diff --git a/‎dd-smoke-tests/play-2.5/conf/routes
Lines changed: 3 additions & 0 deletions b/‎dd-smoke-tests/play-2.5/conf/routes
Lines changed: 3 additions & 0 deletions
@@ -156,6 +156,7 @@ public void init() {
     subscriptionService.registerCallback(EVENTS.shellCmd(), this::onShellCmd);
     subscriptionService.registerCallback(EVENTS.user(), this::onUser);
     subscriptionService.registerCallback(EVENTS.loginEvent(), this::onLoginEvent);
+    subscriptionService.registerCallback(EVENTS.httpRoute(), this::onHttpRoute);
 
     if (additionalIGEvents.contains(EVENTS.requestPathParams())) {
       subscriptionService.registerCallback(EVENTS.requestPathParams(), this::onRequestPathParams);
@@ -222,6 +223,14 @@ private Flow<Void> onUser(final RequestContext ctx_, final String user) {
     }
   }
 
+  private void onHttpRoute(final RequestContext ctx_, final String route) {
+    final AppSecRequestContext ctx = ctx_.getData(RequestContextSlot.APPSEC);
+    if (ctx == null) {
+      return;
+    }
+    ctx.setRoute(route);
+  }
+
   private Flow<Void> onLoginEvent(
       final RequestContext ctx_, final LoginEvent event, final String login) {
     final AppSecRequestContext ctx = ctx_.getData(RequestContextSlot.APPSEC);
 
@@ -1,17 +1,22 @@
 package datadog.trace.instrumentation.play23;
 
+import static datadog.trace.api.gateway.Events.EVENTS;
 import static datadog.trace.bootstrap.instrumentation.decorator.http.HttpResourceDecorator.HTTP_RESOURCE_DECORATOR;
 
 import datadog.trace.api.Config;
+import datadog.trace.api.gateway.RequestContext;
+import datadog.trace.api.gateway.RequestContextSlot;
 import datadog.trace.bootstrap.instrumentation.api.AgentPropagation;
 import datadog.trace.bootstrap.instrumentation.api.AgentSpan;
 import datadog.trace.bootstrap.instrumentation.api.AgentSpanContext;
+import datadog.trace.bootstrap.instrumentation.api.AgentTracer;
 import datadog.trace.bootstrap.instrumentation.api.URIDataAdapter;
 import datadog.trace.bootstrap.instrumentation.api.UTF8BytesString;
 import datadog.trace.bootstrap.instrumentation.decorator.HttpServerDecorator;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.UndeclaredThrowableException;
 import java.util.concurrent.CompletionException;
+import java.util.function.BiConsumer;
 import play.api.Routes;
 import play.api.mvc.Headers;
 import play.api.mvc.Request;
@@ -87,12 +92,28 @@ public AgentSpan onRequest(
       final Option pathOption = request.tags().get(Routes.ROUTE_PATTERN());
       if (!pathOption.isEmpty()) {
         final String path = (String) pathOption.get();
-        HTTP_RESOURCE_DECORATOR.withRoute(span, request.method(), path);
+        handleRoute(span, request.method(), path);
       }
     }
     return span;
   }
 
+  private void handleRoute(final AgentSpan span, final String method, final String route) {
+    HTTP_RESOURCE_DECORATOR.withRoute(span, method, route);
+    // play does not set the http.route in the local root span so we need to store it in the context
+    // for API security
+    final RequestContext ctx = span.getRequestContext();
+    if (ctx != null) {
+      final BiConsumer<RequestContext, String> cb =
+          AgentTracer.get()
+              .getCallbackProvider(RequestContextSlot.APPSEC)
+              .getCallback(EVENTS.httpRoute());
+      if (cb != null) {
+        cb.accept(ctx, route);
+      }
+    }
+  }
+
   @Override
   public AgentSpan onError(final AgentSpan span, Throwable throwable) {
     if (REPORT_HTTP_STATUS) {
 
@@ -1,17 +1,22 @@
 package datadog.trace.instrumentation.play24;
 
+import static datadog.trace.api.gateway.Events.EVENTS;
 import static datadog.trace.bootstrap.instrumentation.decorator.http.HttpResourceDecorator.HTTP_RESOURCE_DECORATOR;
 
 import datadog.trace.api.Config;
+import datadog.trace.api.gateway.RequestContext;
+import datadog.trace.api.gateway.RequestContextSlot;
 import datadog.trace.bootstrap.instrumentation.api.AgentPropagation;
 import datadog.trace.bootstrap.instrumentation.api.AgentSpan;
 import datadog.trace.bootstrap.instrumentation.api.AgentSpanContext;
+import datadog.trace.bootstrap.instrumentation.api.AgentTracer;
 import datadog.trace.bootstrap.instrumentation.api.URIDataAdapter;
 import datadog.trace.bootstrap.instrumentation.api.UTF8BytesString;
 import datadog.trace.bootstrap.instrumentation.decorator.HttpServerDecorator;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.UndeclaredThrowableException;
 import java.util.concurrent.CompletionException;
+import java.util.function.BiConsumer;
 import play.api.mvc.Headers;
 import play.api.mvc.Request;
 import play.api.mvc.Result;
@@ -87,12 +92,28 @@ public AgentSpan onRequest(
       final Option pathOption = request.tags().get("ROUTE_PATTERN");
       if (!pathOption.isEmpty()) {
         final String path = (String) pathOption.get();
-        HTTP_RESOURCE_DECORATOR.withRoute(span, request.method(), path);
+        handleRoute(span, request.method(), path);
       }
     }
     return span;
   }
 
+  private void handleRoute(final AgentSpan span, final String method, final String route) {
+    HTTP_RESOURCE_DECORATOR.withRoute(span, method, route);
+    // play does not set the http.route in the local root span so we need to store it in the context
+    // for API security
+    final RequestContext ctx = span.getRequestContext();
+    if (ctx != null) {
+      final BiConsumer<RequestContext, String> cb =
+          AgentTracer.get()
+              .getCallbackProvider(RequestContextSlot.APPSEC)
+              .getCallback(EVENTS.httpRoute());
+      if (cb != null) {
+        cb.accept(ctx, route);
+      }
+    }
+  }
+
   @Override
   public AgentSpan onError(final AgentSpan span, Throwable throwable) {
     if (REPORT_HTTP_STATUS) {
 
@@ -1,15 +1,20 @@
 package datadog.trace.instrumentation.play26;
 
+import static datadog.trace.api.gateway.Events.EVENTS;
 import static datadog.trace.bootstrap.instrumentation.decorator.http.HttpResourceDecorator.HTTP_RESOURCE_DECORATOR;
 
 import datadog.trace.api.Config;
 import datadog.trace.api.cache.DDCache;
 import datadog.trace.api.cache.DDCaches;
+import datadog.trace.api.gateway.RequestContext;
+import datadog.trace.api.gateway.RequestContextSlot;
 import datadog.trace.bootstrap.instrumentation.api.AgentPropagation;
 import datadog.trace.bootstrap.instrumentation.api.AgentSpan;
 import datadog.trace.bootstrap.instrumentation.api.AgentSpanContext;
 import datadog.trace.bootstrap.instrumentation.api.ResourceNamePriorities;
+import datadog.trace.bootstrap.instrumentation.api.AgentTracer;
 import datadog.trace.bootstrap.instrumentation.api.URIDataAdapter;
+import datadog.trace.bootstrap.instrumentation.api.URIUtils;
 import datadog.trace.bootstrap.instrumentation.api.UTF8BytesString;
 import datadog.trace.bootstrap.instrumentation.decorator.HttpServerDecorator;
 import java.lang.invoke.MethodHandle;
@@ -18,6 +23,7 @@
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.UndeclaredThrowableException;
 import java.util.concurrent.CompletionException;
+import java.util.function.BiConsumer;
 import play.api.mvc.Headers;
 import play.api.mvc.Request;
 import play.api.mvc.Result;
@@ -142,12 +148,28 @@ public AgentSpan onRequest(
         CharSequence path =
             PATH_CACHE.computeIfAbsent(
                 defOption.get().path(), p -> addMissingSlash(p, request.path()));
-        HTTP_RESOURCE_DECORATOR.withRoute(span, request.method(), path, true);
+        handleRoute(span, request.method(), path);
       }
     }
     return span;
   }
 
+  private void handleRoute(final AgentSpan span, final String method, final CharSequence route) {
+    HTTP_RESOURCE_DECORATOR.withRoute(span, method, route, true);
+    // play does not set the http.route in the local root span so we need to store it in the context
+    // for API security
+    final RequestContext ctx = span.getRequestContext();
+    if (ctx != null) {
+      final BiConsumer<RequestContext, String> cb =
+          AgentTracer.get()
+              .getCallbackProvider(RequestContextSlot.APPSEC)
+              .getCallback(EVENTS.httpRoute());
+      if (cb != null) {
+        cb.accept(ctx, URIUtils.decode(route.toString()));
+      }
+    }
+  }
+
   /*
      This is a workaround to add a `/` if it is missing when using split routes.
 
 
@@ -0,0 +1,11 @@
+package controllers
+
+import play.api.mvc.{Action, AnyContent, Controller}
+
+class AppSecController extends Controller {
+
+  def apiSecuritySampling(statusCode: Int, test: String): Action[AnyContent] = Action {
+    Status(statusCode)("EXECUTED")
+  }
+
+}
@@ -63,6 +63,7 @@ dependencies {
   implementation group: 'io.opentracing', name: 'opentracing-util', version: '0.32.0'
 
   testImplementation project(':dd-smoke-tests')
+  testImplementation project(':dd-smoke-tests:appsec')
 }
 
 configurations.testImplementation {
 
@@ -6,3 +6,6 @@
 # An example controller showing a sample home page
 GET     /welcomej                           controllers.JController.doGet(id: Int ?= 0)
 GET     /welcomes                           controllers.SController.doGet(id: Option[Int])
+
+# AppSec endpoints for testing
+GET     /api_security/sampling/:statusCode  controllers.AppSecController.apiSecuritySampling(statusCode: Int, test: String)
@@ -0,0 +1,92 @@
+package datadog.smoketest
+
+import datadog.smoketest.appsec.AbstractAppSecServerSmokeTest
+import datadog.trace.agent.test.utils.OkHttpUtils
+import okhttp3.Request
+import okhttp3.Response
+import spock.lang.Shared
+
+import java.nio.file.Files
+
+import static java.util.concurrent.TimeUnit.SECONDS
+
+class AppSecPlayNettySmokeTest  extends AbstractAppSecServerSmokeTest {
+
+  @Shared
+  File playDirectory = new File("${buildDirectory}/stage/main")
+
+  @Override
+  ProcessBuilder createProcessBuilder() {
+    // If the server is not shut down correctly, this file can be left there and will block
+    // the start of a new test
+    def runningPid = new File(playDirectory.getPath(), "RUNNING_PID")
+    if (runningPid.exists()) {
+      runningPid.delete()
+    }
+    def command = isWindows() ? 'main.bat' : 'main'
+    ProcessBuilder processBuilder = new ProcessBuilder("${playDirectory}/bin/${command}")
+    processBuilder.directory(playDirectory)
+    processBuilder.environment().put("JAVA_OPTS",
+      (defaultAppSecProperties + defaultJavaProperties).collect({ it.replace(' ', '\\ ')}).join(" ")
+      + " -Dconfig.file=${playDirectory}/conf/application.conf"
+      + " -Dhttp.port=${httpPort}"
+      + " -Dhttp.address=127.0.0.1"
+      + " -Dplay.server.provider=play.core.server.NettyServerProvider"
+      + " -Ddd.writer.type=MultiWriter:TraceStructureWriter:${output.getAbsolutePath()},DDAgentWriter")
+    return processBuilder
+  }
+
+  @Override
+  File createTemporaryFile() {
+    return new File("${buildDirectory}/tmp/trace-structure-play-2.4-appsec-netty.out")
+  }
+
+  void 'API Security samples only one request per endpoint'() {
+    given:
+    def url = "http://localhost:${httpPort}/api_security/sampling/200?test=value"
+    def client = OkHttpUtils.clientBuilder().build()
+    def request = new Request.Builder()
+      .url(url)
+      .addHeader('X-My-Header', "value")
+      .get()
+      .build()
+
+    when:
+    List<Response> responses = (1..3).collect {
+      client.newCall(request).execute()
+    }
+
+    then:
+    responses.each {
+      assert it.code() == 200
+    }
+    waitForTraceCount(3)
+    def spans = rootSpans.toList().toSorted { it.span.duration }
+    spans.size() == 3
+    def sampledSpans = spans.findAll { it.meta.keySet().any { it.startsWith('_dd.appsec.s.req.') } }
+    sampledSpans.size() == 1
+    def span = sampledSpans[0]
+    span.meta.containsKey('_dd.appsec.s.req.query')
+    span.meta.containsKey('_dd.appsec.s.req.headers')
+  }
+
+  // Ensure to clean up server and not only the shell script that starts it
+  def cleanupSpec() {
+    def pid = runningServerPid()
+    if (pid) {
+      def commands = isWindows() ? ['taskkill', '/PID', pid, '/T', '/F'] : ['kill', '-9', pid]
+      new ProcessBuilder(commands).start().waitFor(10, SECONDS)
+    }
+  }
+
+  def runningServerPid() {
+    def runningPid = new File(playDirectory.getPath(), 'RUNNING_PID')
+    if (runningPid.exists()) {
+      return Files.lines(runningPid.toPath()).findAny().orElse(null)
+    }
+  }
+
+  static isWindows() {
+    return System.getProperty('os.name').toLowerCase().contains('win')
+  }
+}
@@ -0,0 +1,11 @@
+package controllers
+
+import play.api.mvc.{Action, AnyContent, Controller}
+
+class AppSecController extends Controller {
+
+  def apiSecuritySampling(statusCode: Int, test: String): Action[AnyContent] = Action {
+    Status(statusCode)("EXECUTED")
+  }
+
+}
@@ -65,6 +65,7 @@ dependencies {
   implementation group: 'io.opentracing', name: 'opentracing-util', version: '0.32.0'
 
   testImplementation project(':dd-smoke-tests')
+  testImplementation project(':dd-smoke-tests:appsec')
 }
 
 configurations.testImplementation {
 
@@ -6,3 +6,6 @@
 # An example controller showing a sample home page
 GET     /welcomej                           controllers.JController.doGet(id: Int ?= 0)
 GET     /welcomes                           controllers.SController.doGet(id: Option[Int])
+
+# AppSec endpoints for testing
+GET     /api_security/sampling/:statusCode  controllers.AppSecController.apiSecuritySampling(statusCode: Int, test: String)
Original file line number	Diff line number	Diff line change
`@@ -63,6 +63,7 @@ dependencies {`
`63`	`63`	`implementation group: 'io.opentracing', name: 'opentracing-util', version: '0.32.0'`
`64`	`64`
`65`	`65`	`testImplementation project(':dd-smoke-tests')`
	`66`	`+ testImplementation project(':dd-smoke-tests:appsec')`
`66`	`67`	`}`
`67`	`68`
`68`	`69`	`configurations.testImplementation {`
Original file line number	Diff line number	Diff line change
`@@ -65,6 +65,7 @@ dependencies {`
`65`	`65`	`implementation group: 'io.opentracing', name: 'opentracing-util', version: '0.32.0'`
`66`	`66`
`67`	`67`	`testImplementation project(':dd-smoke-tests')`
	`68`	`+ testImplementation project(':dd-smoke-tests:appsec')`
`68`	`69`	`}`
`69`	`70`
`70`	`71`	`configurations.testImplementation {`