refactor(appsec): extract tryBlock() helper and add unit tests for GlassFishBlockingHelper

Extract the repeated brf/fallback blocking pattern from the GlassFish multipart advice
into GlassFishBlockingHelper.tryBlock(). This eliminates the duplication between the
filenames and content blocking paths, and fixes the ordering issue where blocked=true
was assigned after effectivelyBlocked() — if effectivelyBlocked() threw, blocked would
stay false and the content callback would fire after filenames already blocked.

tryBlock() uses a two-phase try/catch: the outer block handles commit failures (returning
false), while the inner block wraps effectivelyBlocked() so a thrown exception does not
suppress the true return value when the response was already committed.

Add GlassFishBlockingHelperTest covering all branches of commitBlocking() and tryBlock().

Author: jandro996

dd-java-agent/instrumentation/tomcat/tomcat-appsec/tomcat-appsec-7.0/build.gradle

@@ -36,6 +36,8 @@ dependencies {
 
   testImplementation group: 'org.apache.tomcat', name: 'tomcat-catalina', version: '7.0.4'
   testImplementation group: 'org.apache.tomcat', name: 'tomcat-coyote', version: '7.0.4'
+  testImplementation group: 'javax.servlet', name: 'javax.servlet-api', version: '3.1.0'
+  testImplementation libs.bundles.mockito
 }
 
 // testing happens in tomcat-5.5 module

dd-java-agent/instrumentation/tomcat/tomcat-appsec/tomcat-appsec-7.0/src/main/java/datadog/trace/instrumentation/tomcat7/GlassFishBlockingHelper.java

@@ -2,7 +2,9 @@
 
 import datadog.appsec.api.blocking.BlockingContentType;
 import datadog.trace.api.Config;
+import datadog.trace.api.gateway.BlockResponseFunction;
 import datadog.trace.api.gateway.Flow;
+import datadog.trace.api.gateway.RequestContext;
 import datadog.trace.bootstrap.blocking.BlockingActionHelper;
 import java.util.Map;
 import javax.servlet.http.HttpServletRequest;
@@ -13,6 +15,39 @@ public final class GlassFishBlockingHelper {
   public static final int MAX_FILE_CONTENT_COUNT = Config.get().getAppSecMaxFileContentCount();
   public static final int MAX_FILE_CONTENT_BYTES = Config.get().getAppSecMaxFileContentBytes();
 
+  /**
+   * Attempts to commit a blocking response via the registered {@link BlockResponseFunction} or via
+   * the Servlet API fallback, then marks the trace segment as effectively blocked.
+   *
+   * <p>Returns {@code true} if the response was committed (regardless of whether {@link
+   * datadog.trace.api.internal.TraceSegment#effectivelyBlocked()} succeeded). Returns {@code false}
+   * if no response could be committed.
+   */
+  public static boolean tryBlock(
+      RequestContext reqCtx,
+      HttpServletRequest fallbackReq,
+      HttpServletResponse fallbackResp,
+      Flow.Action.RequestBlockingAction rba) {
+    try {
+      BlockResponseFunction brf = reqCtx.getBlockResponseFunction();
+      if (brf != null) {
+        brf.tryCommitBlockingResponse(reqCtx.getTraceSegment(), rba);
+      } else if (!commitBlocking(fallbackReq, fallbackResp, rba)) {
+        return false;
+      }
+    } catch (Exception ignored) {
+      return false;
+    }
+    // Response was committed — mark as blocked on a best-effort basis.
+    // effectivelyBlocked() can throw if the span is already finished; that must not suppress the
+    // true return value since the response has already been sent to the client.
+    try {
+      reqCtx.getTraceSegment().effectivelyBlocked();
+    } catch (Exception ignored) {
+    }
+    return true;
+  }
+
   public static boolean commitBlocking(
       HttpServletRequest request,
       HttpServletResponse response,

dd-java-agent/instrumentation/tomcat/tomcat-appsec/tomcat-appsec-7.0/src/main/java/datadog/trace/instrumentation/tomcat7/GlassFishMultipartInstrumentation.java

@@ -8,7 +8,6 @@
 import com.google.auto.service.AutoService;
 import datadog.trace.agent.tooling.Instrumenter;
 import datadog.trace.agent.tooling.InstrumenterModule;
-import datadog.trace.api.gateway.BlockResponseFunction;
 import datadog.trace.api.gateway.CallbackProvider;
 import datadog.trace.api.gateway.Flow;
 import datadog.trace.api.gateway.RequestContext;
@@ -173,16 +172,9 @@ static void after(
         Flow<Void> flow = filenamesCb.apply(reqCtx, filenames);
         Flow.Action action = flow.getAction();
         if (action instanceof Flow.Action.RequestBlockingAction) {
-          Flow.Action.RequestBlockingAction rba = (Flow.Action.RequestBlockingAction) action;
-          BlockResponseFunction brf = reqCtx.getBlockResponseFunction();
-          if (brf != null) {
-            brf.tryCommitBlockingResponse(reqCtx.getTraceSegment(), rba);
+          if (GlassFishBlockingHelper.tryBlock(
+              reqCtx, fallbackReq, fallbackResp, (Flow.Action.RequestBlockingAction) action)) {
             parts = Collections.emptyList();
-            reqCtx.getTraceSegment().effectivelyBlocked();
-            blocked = true;
-          } else if (GlassFishBlockingHelper.commitBlocking(fallbackReq, fallbackResp, rba)) {
-            parts = Collections.emptyList();
-            reqCtx.getTraceSegment().effectivelyBlocked();
             blocked = true;
           }
         }
@@ -192,15 +184,12 @@ static void after(
         Flow<Void> contentFlow = contentCb.apply(reqCtx, contents);
         Flow.Action contentAction = contentFlow.getAction();
         if (contentAction instanceof Flow.Action.RequestBlockingAction) {
-          Flow.Action.RequestBlockingAction rba = (Flow.Action.RequestBlockingAction) contentAction;
-          BlockResponseFunction brf = reqCtx.getBlockResponseFunction();
-          if (brf != null) {
-            brf.tryCommitBlockingResponse(reqCtx.getTraceSegment(), rba);
-            parts = Collections.emptyList();
-            reqCtx.getTraceSegment().effectivelyBlocked();
-          } else if (GlassFishBlockingHelper.commitBlocking(fallbackReq, fallbackResp, rba)) {
+          if (GlassFishBlockingHelper.tryBlock(
+              reqCtx,
+              fallbackReq,
+              fallbackResp,
+              (Flow.Action.RequestBlockingAction) contentAction)) {
             parts = Collections.emptyList();
-            reqCtx.getTraceSegment().effectivelyBlocked();
           }
         }
       }

dd-java-agent/instrumentation/tomcat/tomcat-appsec/tomcat-appsec-7.0/src/test/java/datadog/trace/instrumentation/tomcat7/GlassFishBlockingHelperTest.java

@@ -0,0 +1,211 @@
+package datadog.trace.instrumentation.tomcat7;
+
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.contains;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.doThrow;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+import datadog.appsec.api.blocking.BlockingContentType;
+import datadog.trace.api.gateway.BlockResponseFunction;
+import datadog.trace.api.gateway.Flow;
+import datadog.trace.api.gateway.RequestContext;
+import datadog.trace.api.internal.TraceSegment;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import javax.servlet.ServletOutputStream;
+import javax.servlet.WriteListener;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.junit.jupiter.api.Test;
+
+class GlassFishBlockingHelperTest {
+
+  // ------- commitBlocking() -------
+
+  @Test
+  void commitBlocking_nullResponse_returnsFalse() {
+    assertFalse(GlassFishBlockingHelper.commitBlocking(null, null, rba(403)));
+  }
+
+  @Test
+  void commitBlocking_committedResponse_returnsFalse() {
+    HttpServletResponse resp = mock(HttpServletResponse.class);
+    when(resp.isCommitted()).thenReturn(true);
+    assertFalse(GlassFishBlockingHelper.commitBlocking(null, resp, rba(403)));
+  }
+
+  @Test
+  void commitBlocking_blockingContentTypeNone_setsStatusWithoutBody() throws IOException {
+    HttpServletResponse resp = mock(HttpServletResponse.class);
+    when(resp.isCommitted()).thenReturn(false);
+
+    assertTrue(
+        GlassFishBlockingHelper.commitBlocking(
+            null, resp, new Flow.Action.RequestBlockingAction(403, BlockingContentType.NONE)));
+
+    verify(resp).setStatus(403);
+    verify(resp).flushBuffer();
+    verify(resp, never()).setHeader(eq("Content-Type"), any());
+    verify(resp, never()).getOutputStream();
+  }
+
+  @Test
+  void commitBlocking_withJsonAccept_writesJsonBody() throws IOException {
+    HttpServletRequest req = mock(HttpServletRequest.class);
+    when(req.getHeader("Accept")).thenReturn("application/json");
+    TestServletOutputStream out = new TestServletOutputStream();
+    HttpServletResponse resp = mock(HttpServletResponse.class);
+    when(resp.isCommitted()).thenReturn(false);
+    when(resp.getOutputStream()).thenReturn(out);
+
+    assertTrue(GlassFishBlockingHelper.commitBlocking(req, resp, rba(403)));
+
+    verify(resp).setStatus(403);
+    verify(resp).setHeader(eq("Content-Type"), contains("json"));
+    verify(resp).setHeader(eq("Content-Length"), any());
+    assertTrue(out.getBytes().length > 0);
+    verify(resp).flushBuffer();
+  }
+
+  @Test
+  void commitBlocking_withHtmlAccept_writesHtmlBody() throws IOException {
+    HttpServletRequest req = mock(HttpServletRequest.class);
+    when(req.getHeader("Accept")).thenReturn("text/html");
+    TestServletOutputStream out = new TestServletOutputStream();
+    HttpServletResponse resp = mock(HttpServletResponse.class);
+    when(resp.isCommitted()).thenReturn(false);
+    when(resp.getOutputStream()).thenReturn(out);
+
+    assertTrue(GlassFishBlockingHelper.commitBlocking(req, resp, rba(403)));
+
+    verify(resp).setHeader(eq("Content-Type"), contains("html"));
+    assertTrue(out.getBytes().length > 0);
+  }
+
+  @Test
+  void commitBlocking_nullRequest_defaultsToJsonBody() throws IOException {
+    TestServletOutputStream out = new TestServletOutputStream();
+    HttpServletResponse resp = mock(HttpServletResponse.class);
+    when(resp.isCommitted()).thenReturn(false);
+    when(resp.getOutputStream()).thenReturn(out);
+
+    assertTrue(GlassFishBlockingHelper.commitBlocking(null, resp, rba(403)));
+
+    verify(resp).setStatus(403);
+    assertTrue(out.getBytes().length > 0);
+  }
+
+  @Test
+  void commitBlocking_ioException_returnsFalse() throws IOException {
+    HttpServletResponse resp = mock(HttpServletResponse.class);
+    when(resp.isCommitted()).thenReturn(false);
+    when(resp.getOutputStream()).thenThrow(new IOException("stream error"));
+
+    assertFalse(GlassFishBlockingHelper.commitBlocking(null, resp, rba(403)));
+  }
+
+  // ------- tryBlock() -------
+
+  @Test
+  void tryBlock_withBrf_commitsViaFunctionAndReturnsTrue() throws Exception {
+    TraceSegment segment = mock(TraceSegment.class);
+    BlockResponseFunction brf = mock(BlockResponseFunction.class);
+    RequestContext reqCtx = mockReqCtx(brf, segment);
+
+    Flow.Action.RequestBlockingAction action = rba(403);
+    assertTrue(GlassFishBlockingHelper.tryBlock(reqCtx, null, null, action));
+
+    verify(brf).tryCommitBlockingResponse(segment, action);
+    verify(segment).effectivelyBlocked();
+  }
+
+  @Test
+  void tryBlock_noBrf_fallbackSucceeds_returnsTrue() throws IOException {
+    TraceSegment segment = mock(TraceSegment.class);
+    RequestContext reqCtx = mockReqCtx(null, segment);
+    TestServletOutputStream out = new TestServletOutputStream();
+    HttpServletResponse resp = mock(HttpServletResponse.class);
+    when(resp.isCommitted()).thenReturn(false);
+    when(resp.getOutputStream()).thenReturn(out);
+
+    assertTrue(GlassFishBlockingHelper.tryBlock(reqCtx, null, resp, rba(403)));
+    verify(segment).effectivelyBlocked();
+  }
+
+  @Test
+  void tryBlock_noBrf_nullFallbackResponse_returnsFalse() {
+    RequestContext reqCtx = mock(RequestContext.class);
+    when(reqCtx.getBlockResponseFunction()).thenReturn(null);
+
+    assertFalse(GlassFishBlockingHelper.tryBlock(reqCtx, null, null, rba(403)));
+    verify(reqCtx, never()).getTraceSegment();
+  }
+
+  @Test
+  void tryBlock_brfThrows_returnsFalse() throws Exception {
+    TraceSegment segment = mock(TraceSegment.class);
+    BlockResponseFunction brf = mock(BlockResponseFunction.class);
+    RequestContext reqCtx = mockReqCtx(brf, segment);
+    doThrow(new RuntimeException("commit failed"))
+        .when(brf)
+        .tryCommitBlockingResponse(any(), any(Flow.Action.RequestBlockingAction.class));
+
+    assertFalse(GlassFishBlockingHelper.tryBlock(reqCtx, null, null, rba(403)));
+    verify(segment, never()).effectivelyBlocked();
+  }
+
+  @Test
+  void tryBlock_effectivelyBlockedThrows_stillReturnsTrue() throws Exception {
+    TraceSegment segment = mock(TraceSegment.class);
+    BlockResponseFunction brf = mock(BlockResponseFunction.class);
+    RequestContext reqCtx = mockReqCtx(brf, segment);
+    doThrow(new RuntimeException("span already finished")).when(segment).effectivelyBlocked();
+
+    assertTrue(GlassFishBlockingHelper.tryBlock(reqCtx, null, null, rba(403)));
+  }
+
+  // ------- Helpers -------
+
+  private static Flow.Action.RequestBlockingAction rba(int statusCode) {
+    return new Flow.Action.RequestBlockingAction(statusCode, BlockingContentType.AUTO);
+  }
+
+  private static RequestContext mockReqCtx(BlockResponseFunction brf, TraceSegment segment) {
+    RequestContext reqCtx = mock(RequestContext.class);
+    when(reqCtx.getBlockResponseFunction()).thenReturn(brf);
+    when(reqCtx.getTraceSegment()).thenReturn(segment);
+    return reqCtx;
+  }
+
+  private static final class TestServletOutputStream extends ServletOutputStream {
+    private final ByteArrayOutputStream buffer = new ByteArrayOutputStream();
+
+    @Override
+    public boolean isReady() {
+      return true;
+    }
+
+    @Override
+    public void setWriteListener(WriteListener listener) {}
+
+    @Override
+    public void write(int b) throws IOException {
+      buffer.write(b);
+    }
+
+    @Override
+    public void write(byte[] b, int off, int len) throws IOException {
+      buffer.write(b, off, len);
+    }
+
+    public byte[] getBytes() {
+      return buffer.toByteArray();
+    }
+  }
+}