Move network.client.ip out of AppSec into HttpServerDecorator

network.client.ip now shares the same activation logic as http.client_ip
(DD_APPSEC_ENABLED or DD_TRACE_CLIENT_IP_ENABLED) and is no longer
exclusive to AppSec events. Move it from GatewayBridge (where it was
set only when security events fired) into HttpServerDecorator alongside
http.client_ip, using the raw peer/socket IP.

actor.ip remains in AppSec as a deprecated backward-compatibility tag.

Author: smola

dd-java-agent/agent-bootstrap/src/main/java/datadog/trace/bootstrap/instrumentation/decorator/HttpServerDecorator.java

@@ -370,6 +370,9 @@ public AgentSpan onRequest(
       } else {
         span.setTag(Tags.PEER_HOST_IPV4, peerIp);
       }
+      if (clientIpResolverEnabled) {
+        span.setTag(Tags.NETWORK_CLIENT_IP, peerIp);
+      }
     }
     setPeerPort(span, peerPort);
     Flow<Void> flow = callIGCallbackAddressAndPort(span, peerIp, peerPort, inferredAddressStr);

dd-java-agent/agent-bootstrap/src/test/groovy/datadog/trace/bootstrap/instrumentation/decorator/HttpServerDecoratorTest.groovy

@@ -218,6 +218,7 @@ class HttpServerDecoratorTest extends ServerDecoratorTest {
     1 * this.span.setTag(Tags.HTTP_FORWARDED_HOST, "somehost")
     if (conn?.peerIp) {
       1 * this.span.setTag(ipv4 ? Tags.PEER_HOST_IPV4 : Tags.PEER_HOST_IPV6, conn.peerIp)
+      1 * this.span.setTag(Tags.NETWORK_CLIENT_IP, conn.peerIp)
     }
     if (conn?.ip) {
       1 * this.span.setTag(Tags.HTTP_CLIENT_IP, conn.ip)
@@ -253,6 +254,7 @@ class HttpServerDecoratorTest extends ServerDecoratorTest {
 
     then:
     1 * this.span.setTag(Tags.HTTP_CLIENT_IP, result)
+    1 * this.span.setTag(Tags.NETWORK_CLIENT_IP, peerIpAddr)
 
     where:
     headerIpAddr | peerIpAddr  | result
@@ -277,6 +279,7 @@ class HttpServerDecoratorTest extends ServerDecoratorTest {
     0 * extracted.getForwarded()
     0 * span.setTag(Tags.HTTP_FORWARDED, _)
     0 * this.span.setTag(Tags.HTTP_CLIENT_IP, _)
+    0 * this.span.setTag(Tags.NETWORK_CLIENT_IP, _)
   }
 
   void 'disabling appsec disables header collection and ip address resolution'() {
@@ -294,6 +297,7 @@ class HttpServerDecoratorTest extends ServerDecoratorTest {
     0 * extracted.getForwarded()
     0 * span.setTag(Tags.HTTP_FORWARDED, _)
     0 * this.span.setTag(Tags.HTTP_CLIENT_IP, _)
+    0 * this.span.setTag(Tags.NETWORK_CLIENT_IP, _)
   }
 
   void 'disabling appsec but enabling client_ip_without_appsec enables header collection and ip address resolution'() {
@@ -313,6 +317,7 @@ class HttpServerDecoratorTest extends ServerDecoratorTest {
     2 * extracted.getXForwardedFor() >> '2.3.4.5'
     1 * this.span.setTag(Tags.HTTP_CLIENT_IP, '2.3.4.5')
     1 * this.span.setTag(Tags.HTTP_FORWARDED_IP, '2.3.4.5')
+    1 * this.span.setTag(Tags.NETWORK_CLIENT_IP, '4.4.4.4')
 
     // Forwarded doesn't participate in client ip resolution anymore
     1 * extracted.getForwarded() >> 'for=9.9.9.9'
@@ -333,6 +338,7 @@ class HttpServerDecoratorTest extends ServerDecoratorTest {
     then:
     1 * extracted.getCustomIpHeader() >> '5.5.5.5'
     1 * this.span.setTag(Tags.HTTP_CLIENT_IP, '5.5.5.5')
+    1 * this.span.setTag(Tags.NETWORK_CLIENT_IP, '4.4.4.4')
   }
 
   def "test onResponse"() {

dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java

@@ -986,9 +986,6 @@ private NoopFlow onRequestEnded(RequestContext ctx_, IGSpanInfo spanInfo) {
 
         span.setTag("appsec.event", true);
 
-        String peerAddress = ctx.getPeerAddress();
-        span.setTag("network.client.ip", peerAddress);
-
         // Reflect client_ip as actor.ip for backward compatibility
         Object clientIp = tags.get(Tags.HTTP_CLIENT_IP);
         if (clientIp != null) {

dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/gateway/GatewayBridgeSpecification.groovy

@@ -189,12 +189,10 @@ class GatewayBridgeSpecification extends DDSpecification {
     then:
     1 * spanInfo.getTags() >> TagMap.fromMap(['http.client_ip': '1.1.1.1'])
     1 * mockAppSecCtx.transferCollectedEvents() >> [event]
-    1 * mockAppSecCtx.peerAddress >> '2001::1'
     1 * mockAppSecCtx.close()
     1 * spanInfo.setMetric("_dd.appsec.enabled", 1)
     1 * spanInfo.setTag("_dd.runtime_family", "jvm")
     1 * spanInfo.setTag('appsec.event', true)
-    1 * spanInfo.setTag('network.client.ip', '2001::1')
     1 * spanInfo.setTag('actor.ip', '1.1.1.1')
     1 * traceSegment.setDataTop('appsec', new AppSecEventWrapper([event]))
     1 * mockAppSecCtx.isWafBlocked()

dd-java-agent/instrumentation-testing/src/main/groovy/datadog/trace/agent/test/base/HttpServerTest.groovy

@@ -296,6 +296,11 @@ abstract class HttpServerTest<SERVER> extends WithHttpServer<SERVER> {
     true
   }
 
+  /** Some frameworks (incorrectly) expose the forwarded header as the request peer address. */
+  boolean forwardedIpAsPeerInformation() {
+    false
+  }
+
   boolean hasExtraErrorInformation() {
     false
   }
@@ -2466,6 +2471,7 @@ abstract class HttpServerTest<SERVER> extends WithHttpServer<SERVER> {
     boolean hasPeerInformation = hasPeerInformation()
     boolean hasPeerPort = hasPeerPort()
     boolean hasForwardedIP = hasForwardedIP()
+    boolean useForwardedIpAsPeerInformation = forwardedIpAsPeerInformation()
     def expectedExtraServerTags = expectedExtraServerTags(endpoint)
     def expectedStatus = expectedStatus(endpoint)
     def expectedQueryTag = expectedQueryTag(endpoint)
@@ -2490,29 +2496,43 @@ abstract class HttpServerTest<SERVER> extends WithHttpServer<SERVER> {
           if (hasPeerPort) {
             "$Tags.PEER_PORT" Integer
           }
+          def peerHostTag = Tags.PEER_HOST_IPV4
+          def expectedPeerIp = "127.0.0.1"
           if (span.getTag(Tags.PEER_HOST_IPV6) != null) {
-            "$Tags.PEER_HOST_IPV6" {
-              it == "0:0:0:0:0:0:0:1" || (endpoint == FORWARDED && it == endpoint.body)
-            }
-            "$Tags.HTTP_CLIENT_IP" {
-              it == "0:0:0:0:0:0:0:1" || (endpoint == FORWARDED && it == endpoint.body)
-            }
-          } else {
-            "$Tags.PEER_HOST_IPV4" {
-              it == "127.0.0.1" || (endpoint == FORWARDED && it == endpoint.body)
-            }
-            "$Tags.HTTP_CLIENT_IP" {
-              it == "127.0.0.1" || (endpoint == FORWARDED && it == endpoint.body)
-            }
+            peerHostTag = Tags.PEER_HOST_IPV6
+            expectedPeerIp = "0:0:0:0:0:0:0:1"
+          }
+          // Special-case for the FORWARDED endpoint, which is exercised by the
+          // "test forwarded request" feature in this class. That test sends a
+          // GET /forwarded request with an `X-Forwarded-For: 1.2.3.4` header.
+          // Some frameworks (e.g. Dropwizard, Play 2.3/2.5 via
+          // `request.remoteAddress()`) substitute the forwarded IP into their
+          // remote-address API, so the peer/network IP tags become 1.2.3.4
+          // instead of the actual TCP peer (loopback). Frameworks with that
+          // behaviour opt in via `forwardedIpAsPeerInformation()`.
+          // FIXME(santiago.mola): This is actually a bug, and ideally instrumentation
+          // for Dropwizard or Play should be fixed to retrieve the correct peer IP
+          // for network.client.ip tags.
+          if (endpoint == FORWARDED && useForwardedIpAsPeerInformation) {
+            expectedPeerIp = endpoint.body
           }
+          tag(peerHostTag, expectedPeerIp)
+          "$Tags.HTTP_CLIENT_IP" clientIp ?: expectedPeerIp
+          "$Tags.NETWORK_CLIENT_IP" expectedPeerIp
         } else {
+          // http.client_ip is inferred from forwarded headers; network.client.ip requires peerIp.
+          "$Tags.NETWORK_CLIENT_IP" null
           "$Tags.HTTP_CLIENT_IP" clientIp
         }
         "$Tags.HTTP_HOSTNAME" address.host
         "$Tags.HTTP_URL" "$expectedUrl"
         "$Tags.HTTP_METHOD" method
         "$Tags.HTTP_STATUS" expectedStatus
         "$Tags.HTTP_USER_AGENT" String
+        // The FORWARDED endpoint is hit by the "test forwarded request" feature
+        // with an `X-Forwarded-For: 1.2.3.4` header; FORWARDED.body is that
+        // same "1.2.3.4" string, which is what we expect to surface as the
+        // forwarded-IP tag when the framework extracts it.
         if (endpoint == FORWARDED && hasForwardedIP) {
           "$Tags.HTTP_FORWARDED_IP" endpoint.body
         }

dd-java-agent/instrumentation/akka/akka-http/akka-http-10.0/src/lagomTest/groovy/LagomTest.groovy

@@ -74,6 +74,7 @@ class LagomTest extends InstrumentationSpecification {
             "$Tags.PEER_HOST_IPV4" '127.0.0.1'
             "$Tags.PEER_PORT" Integer
             "$Tags.HTTP_CLIENT_IP" '127.0.0.1'
+            "$Tags.NETWORK_CLIENT_IP" '127.0.0.1'
             defaultTags()
           }
         }
@@ -121,6 +122,7 @@ class LagomTest extends InstrumentationSpecification {
             "$Tags.PEER_HOST_IPV4" '127.0.0.1'
             "$Tags.PEER_PORT" Integer
             "$Tags.HTTP_CLIENT_IP" '127.0.0.1'
+            "$Tags.NETWORK_CLIENT_IP" '127.0.0.1'
             defaultTags()
           }
         }

dd-java-agent/instrumentation/cxf-2.1/src/latestDepTest/groovy/CxfContextPropagationTest.groovy

@@ -75,6 +75,7 @@ class CxfContextPropagationTest extends InstrumentationSpecification {
             "$InstrumentationTags.SERVLET_PATH" "/test"
             "$Tags.HTTP_USER_AGENT" String
             "$Tags.HTTP_CLIENT_IP" "127.0.0.1"
+            "$Tags.NETWORK_CLIENT_IP" "127.0.0.1"
             withCustomIntegrationName("jetty-server")
             defaultTags()
           }

dd-java-agent/instrumentation/cxf-2.1/src/test/groovy/CxfContextPropagationTest.groovy

@@ -73,6 +73,7 @@ class CxfContextPropagationTest extends InstrumentationSpecification {
             "servlet.path" { it == null || it == "/test" }
             "$Tags.HTTP_USER_AGENT" String
             "$Tags.HTTP_CLIENT_IP" "127.0.0.1"
+            "$Tags.NETWORK_CLIENT_IP" "127.0.0.1"
             withCustomIntegrationName("jetty-server")
             defaultTags()
           }

dd-java-agent/instrumentation/dropwizard/dropwizard-0.8/src/test/groovy/DropwizardTest.groovy

@@ -122,6 +122,11 @@ class DropwizardTest extends HttpServerTest<DropwizardTestSupport> {
     return true
   }
 
+  @Override
+  boolean forwardedIpAsPeerInformation() {
+    true
+  }
+
   @Override
   boolean changesAll404s() {
     true

dd-java-agent/instrumentation/jsp-2.3/src/test/groovy/JSPInstrumentationBasicTests.groovy

@@ -37,6 +37,7 @@ class JSPInstrumentationBasicTests extends JSPTestBase {
             "$Tags.HTTP_STATUS" 200
             "$Tags.HTTP_USER_AGENT" String
             "$Tags.HTTP_CLIENT_IP" "127.0.0.1"
+            "$Tags.NETWORK_CLIENT_IP" "127.0.0.1"
             "servlet.context" "/$jspWebappContext"
             "servlet.path" "/$jspFileName"
             defaultTags()
@@ -114,6 +115,7 @@ class JSPInstrumentationBasicTests extends JSPTestBase {
             "$Tags.HTTP_STATUS" 200
             "$Tags.HTTP_USER_AGENT" String
             "$Tags.HTTP_CLIENT_IP" "127.0.0.1"
+            "$Tags.NETWORK_CLIENT_IP" "127.0.0.1"
             "servlet.context" "/$jspWebappContext"
             "servlet.path" "/getQuery.jsp"
             defaultTags()
@@ -187,6 +189,7 @@ class JSPInstrumentationBasicTests extends JSPTestBase {
             "$Tags.HTTP_STATUS" 200
             "$Tags.HTTP_USER_AGENT" String
             "$Tags.HTTP_CLIENT_IP" "127.0.0.1"
+            "$Tags.NETWORK_CLIENT_IP" "127.0.0.1"
             "servlet.context" "/$jspWebappContext"
             "servlet.path" "/post.jsp"
             defaultTags()
@@ -256,6 +259,7 @@ class JSPInstrumentationBasicTests extends JSPTestBase {
             "$Tags.HTTP_STATUS" 500
             "$Tags.HTTP_USER_AGENT" String
             "$Tags.HTTP_CLIENT_IP" "127.0.0.1"
+            "$Tags.NETWORK_CLIENT_IP" "127.0.0.1"
             "servlet.context" "/$jspWebappContext"
             "servlet.path" "/$jspFileName"
             "error.type" { String tagExceptionType ->
@@ -345,6 +349,7 @@ class JSPInstrumentationBasicTests extends JSPTestBase {
             "$Tags.HTTP_STATUS" 200
             "$Tags.HTTP_USER_AGENT" String
             "$Tags.HTTP_CLIENT_IP" "127.0.0.1"
+            "$Tags.NETWORK_CLIENT_IP" "127.0.0.1"
             "servlet.context" "/$jspWebappContext"
             "servlet.path" "/includes/includeHtml.jsp"
             defaultTags()
@@ -414,6 +419,7 @@ class JSPInstrumentationBasicTests extends JSPTestBase {
             "$Tags.HTTP_STATUS" 200
             "$Tags.HTTP_USER_AGENT" String
             "$Tags.HTTP_CLIENT_IP" "127.0.0.1"
+            "$Tags.NETWORK_CLIENT_IP" "127.0.0.1"
             "servlet.context" "/$jspWebappContext"
             "servlet.path" "/includes/includeMulti.jsp"
             defaultTags()
@@ -537,6 +543,7 @@ class JSPInstrumentationBasicTests extends JSPTestBase {
             "$Tags.HTTP_STATUS" 500
             "$Tags.HTTP_USER_AGENT" String
             "$Tags.HTTP_CLIENT_IP" "127.0.0.1"
+            "$Tags.NETWORK_CLIENT_IP" "127.0.0.1"
             "servlet.context" "/$jspWebappContext"
             "servlet.path" "/$jspFileName"
             errorTags(JasperException, String)
@@ -602,6 +609,7 @@ class JSPInstrumentationBasicTests extends JSPTestBase {
             "$Tags.HTTP_STATUS" 200
             "$Tags.HTTP_USER_AGENT" String
             "$Tags.HTTP_CLIENT_IP" "127.0.0.1"
+            "$Tags.NETWORK_CLIENT_IP" "127.0.0.1"
             "servlet.context" "/$jspWebappContext"
             "servlet.path" "/$staticFile"
             defaultTags()