DataDog
diff --git a/‎dd-java-agent/appsec/src/main/java/com/datadog/appsec/AppSecSystem.java‎
Lines changed: 2 additions & 3 deletions b/‎dd-java-agent/appsec/src/main/java/com/datadog/appsec/AppSecSystem.java‎
Lines changed: 2 additions & 3 deletions
diff --git a/‎…pi/security/AppSecSpanPostProcessor.java‎ ‎…c/api/security/ApiSecurityProcessor.java‎dd-java-agent/appsec/src/main/java/com/datadog/appsec/api/security/AppSecSpanPostProcessor.java renamed to dd-java-agent/appsec/src/main/java/com/datadog/appsec/api/security/ApiSecurityProcessor.java
Lines changed: 6 additions & 16 deletions b/‎…pi/security/AppSecSpanPostProcessor.java‎ ‎…c/api/security/ApiSecurityProcessor.java‎dd-java-agent/appsec/src/main/java/com/datadog/appsec/api/security/AppSecSpanPostProcessor.java renamed to dd-java-agent/appsec/src/main/java/com/datadog/appsec/api/security/ApiSecurityProcessor.java
Lines changed: 6 additions & 16 deletions
diff --git a/‎dd-java-agent/appsec/src/main/java/com/datadog/appsec/api/security/ApiSecuritySampler.java‎
Lines changed: 194 additions & 20 deletions b/‎dd-java-agent/appsec/src/main/java/com/datadog/appsec/api/security/ApiSecuritySampler.java‎
Lines changed: 194 additions & 20 deletions
@@ -1,8 +1,7 @@
 package com.datadog.appsec;
 
+import com.datadog.appsec.api.security.ApiSecurityProcessor;
 import com.datadog.appsec.api.security.ApiSecuritySampler;
-import com.datadog.appsec.api.security.ApiSecuritySamplerImpl;
-import com.datadog.appsec.api.security.AppSecSpanPostProcessor;
 import com.datadog.appsec.blocking.BlockingServiceImpl;
 import com.datadog.appsec.config.AppSecConfigService;
 import com.datadog.appsec.config.AppSecConfigServiceImpl;
@@ -76,7 +75,7 @@ private static void doStart(SubscriptionService gw, SharedCommunicationObjects s
       // This should be low overhead since the post-processor exits early if there's no AppSec
       // context.
       SpanPostProcessor.Holder.INSTANCE =
-          new AppSecSpanPostProcessor(requestSampler, REPLACEABLE_EVENT_PRODUCER);
+          new ApiSecurityProcessor(requestSampler, REPLACEABLE_EVENT_PRODUCER);
     } else {
       requestSampler = new ApiSecuritySampler.NoOp();
     }
 
@@ -11,26 +11,24 @@
 import datadog.trace.api.gateway.RequestContextSlot;
 import datadog.trace.api.internal.TraceSegment;
 import datadog.trace.bootstrap.instrumentation.api.AgentSpan;
-import datadog.trace.bootstrap.instrumentation.api.SpanPostProcessor;
+
 import java.util.Collections;
-import java.util.function.BooleanSupplier;
 import javax.annotation.Nonnull;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-public class AppSecSpanPostProcessor implements SpanPostProcessor {
+public class ApiSecurityProcessor {
 
-  private static final Logger log = LoggerFactory.getLogger(AppSecSpanPostProcessor.class);
+  private static final Logger log = LoggerFactory.getLogger(ApiSecurityProcessor.class);
   private final ApiSecuritySampler sampler;
   private final EventProducerService producerService;
 
-  public AppSecSpanPostProcessor(ApiSecuritySampler sampler, EventProducerService producerService) {
+  public ApiSecurityProcessor(ApiSecuritySampler sampler, EventProducerService producerService) {
     this.sampler = sampler;
     this.producerService = producerService;
   }
 
-  @Override
-  public void process(@Nonnull AgentSpan span, @Nonnull BooleanSupplier timeoutCheck) {
+  public void process(@Nonnull AgentSpan span) {
     final RequestContext ctx_ = span.getRequestContext();
     if (ctx_ == null) {
       return;
@@ -40,16 +38,8 @@ public void process(@Nonnull AgentSpan span, @Nonnull BooleanSupplier timeoutChe
       return;
     }
 
-    if (!ctx.isKeepOpenForApiSecurityPostProcessing()) {
-      return;
-    }
-
     try {
-      if (timeoutCheck.getAsBoolean()) {
-        log.debug("Timeout detected, skipping API security post-processing");
-        return;
-      }
-      if (!sampler.sampleRequest(ctx)) {
+      if (!sampler.sample(ctx)) {
         log.debug("Request not sampled, skipping API security post-processing");
         return;
       }
 
@@ -1,35 +1,209 @@
 package com.datadog.appsec.api.security;
 
 import com.datadog.appsec.gateway.AppSecRequestContext;
-import javax.annotation.Nonnull;
+import datadog.trace.util.AgentTaskScheduler;
 
-public interface ApiSecuritySampler {
-  /**
-   * Prepare a request context for later sampling decision. This method should be called at request
-   * end, and is thread-safe. If a request can potentially be sampled, this method will return true.
-   * If this method returns true, the caller MUST call {@link #releaseOne()} once the context is not
-   * needed anymore.
-   */
-  boolean preSampleRequest(final @Nonnull AppSecRequestContext ctx);
+import java.util.Random;
+import java.util.concurrent.Executor;
+import java.util.concurrent.atomic.AtomicBoolean;
+import java.util.concurrent.atomic.AtomicInteger;
+import java.util.concurrent.atomic.AtomicLong;
+import java.util.concurrent.atomic.AtomicReference;
 
-  /** Get the final sampling decision. This method is NOT required to be thread-safe. */
-  boolean sampleRequest(AppSecRequestContext ctx);
+/**
+ * Internal map for API Security sampling.
+ * See "[RFC-1021] API Security Sampling Algorithm for thread-based concurrency".
+ */
+final public class ApiSecuritySampler {
 
-  /** Release one permit for the sampler. This must be called after processing a span. */
-  void releaseOne();
+  private static final int DEFAULT_MAX_ITEM_COUNT = 4096;
+  private static final int DEFAULT_INTERVAL_SECONDS = 30;
 
-  final class NoOp implements ApiSecuritySampler {
-    @Override
-    public boolean preSampleRequest(@Nonnull AppSecRequestContext ctx) {
+  private final MonotonicClock clock;
+  private final Executor executor;
+  private final int intervalSeconds;
+  private final AtomicReference<Table> table;
+  private final AtomicBoolean rebuild = new AtomicBoolean(false);
+  private final long zero;
+  private final long maxItemCount;
+
+  public ApiSecuritySampler() {
+    this(DEFAULT_MAX_ITEM_COUNT, DEFAULT_INTERVAL_SECONDS, new Random().nextLong(), new DefaultMonotonicClock(), AgentTaskScheduler.INSTANCE);
+  }
+
+  public ApiSecuritySampler(final int maxItemCount, final int intervalSeconds, final long zero, final MonotonicClock clock, Executor executor) {
+    table = new AtomicReference<>(new Table(maxItemCount));
+    this.maxItemCount = maxItemCount;
+    this.intervalSeconds = intervalSeconds;
+    this.zero = zero;
+    this.clock = clock != null ? clock : new DefaultMonotonicClock();
+    this.executor = executor != null ? executor : AgentTaskScheduler.INSTANCE;
+  }
+
+  public boolean sample(AppSecRequestContext ctx) {
+    final String route = ctx.getRoute();
+    if (route == null) {
       return false;
     }
-
-    @Override
-    public boolean sampleRequest(AppSecRequestContext ctx) {
+    final String method = ctx.getMethod();
+    if (method == null) {
       return false;
     }
+    final int statusCode = ctx.getResponseStatus();
+    if (statusCode <= 0) {
+      return false;
+    }
+    final long hash = computeApiHash(route, method, statusCode);
+    return sample(hash);
+  }
 
+  public boolean sample(long key) {
+    if (key == 0L) {
+      key = zero;
+    }
+    final int now = clock.now();
+    final Table table = this.table.get();
+    Table.FindSlotResult findSlotResult;
+    while (true) {
+      findSlotResult = table.findSlot(key);
+      if (!findSlotResult.exists) {
+        final int newCount = table.count.incrementAndGet();
+        if (newCount > maxItemCount && rebuild.compareAndSet(false, true)) {
+          runRebuild();
+        }
+        if (newCount > maxItemCount * 2) {
+          table.count.decrementAndGet();
+          return false;
+        }
+        if (!findSlotResult.entry.key.compareAndSet(0, key)) {
+          if (findSlotResult.entry.key.get() == key) {
+            // Another thread just added this entry
+            return false;
+          }
+          // This entry was just claimed for another key, try another slot.
+          table.count.decrementAndGet();
+          continue;
+        }
+        final long newEntryData = buildDataEntry(now, now);
+        if (findSlotResult.entry.data.compareAndSet(0, newEntryData)) {
+          return true;
+        } else {
+          return false;
+        }
+      }
+      break;
+    }
+    long curData = findSlotResult.entry.data.get();
+    final int stime = getStime(curData);
+    final int deadline = now - intervalSeconds;
+    if (stime <= deadline) {
+      final long newData = buildDataEntry(now, now);
+      while (!findSlotResult.entry.data.compareAndSet(curData, newData)) {
+        curData = findSlotResult.entry.data.get();
+        if (getStime(curData) == getAtime(curData)) {
+          // Another thread just issued a keep decision
+          return false;
+        }
+        if (getStime(curData) > now) {
+          // Another thread is in our fugure, but did not issue a keep decision.
+          return true;
+        }
+      }
+      return true;
+    }
+    final long newData = buildDataEntry(getStime(curData), now);
+    while (getAtime(curData) < now) {
+      if (!findSlotResult.entry.data.compareAndSet(curData, newData)) {
+        curData = findSlotResult.entry.data.get();
+      }
+    }
+    return false;
+  }
+
+  private void runRebuild() {
+    // TODO
+  }
+
+  private static class Table {
+    private final Entry[] table;
+    private final AtomicInteger count = new AtomicInteger(0);
+    private final int maxItemCount;
+
+    public Table(int maxItemCount) {
+      this.maxItemCount = maxItemCount;
+      final int size = 2 * maxItemCount + 1;
+      table = new Entry[size];
+      for (int i = 0; i < size; i++) {
+        table[i] = new Entry();
+      }
+    }
+
+    public FindSlotResult findSlot(final long key) {
+      final int startIndex = (int) (key % (2L * maxItemCount));
+      int index = startIndex;
+      do {
+        final Entry slot = table[index];
+        final long slotKey = slot.key.get();
+        if (slotKey == key) {
+          return new FindSlotResult(slot, true);
+        } else if (slotKey == 0L) {
+          return new FindSlotResult(slot, false);
+        }
+        index++;
+        if (index >= table.length) {
+          index = 0;
+        }
+      } while (index != startIndex);
+      return new FindSlotResult(table[(int)(maxItemCount * 2)], false);
+    }
+
+    static class FindSlotResult {
+      public final Entry entry;
+      public final boolean exists;
+
+      public FindSlotResult(final Entry entry, final boolean exists) {
+        this.entry = entry;
+        this.exists = exists;
+      }
+    }
+
+    static class Entry {
+      private final AtomicLong key = new AtomicLong(0L);
+      private final AtomicLong data = new AtomicLong(0L);
+    }
+  }
+
+  interface MonotonicClock {
+    int now();
+  }
+
+  static class DefaultMonotonicClock implements MonotonicClock {
     @Override
-    public void releaseOne() {}
+    public int now() {
+      return (int) (System.nanoTime() / 1_000_000);
+    }
+  }
+
+  long buildDataEntry(final int stime, final int atime) {
+    long result = stime;
+    result <<= 32;
+    result |= atime & 0xFFFFFFFFL;
+    return result;
+  }
+
+  int getStime(final long data) {
+    return (int) (data >> 32);
+  }
+
+  int getAtime(final long data) {
+    return (int) (data & 0xFFFFFFFFL);
+  }
+
+  private long computeApiHash(final String route, final String method, final int statusCode) {
+    long result = 17;
+    result = 31 * result + route.hashCode();
+    result = 31 * result + method.hashCode();
+    result = 31 * result + statusCode;
+    return result;
   }
 }