[ASM] API Security Endpoints collection (kestrel)

tracer/build/supported_calltargets.g.json

@@ -1023,6 +1023,84 @@
     "IsAdoNetIntegration": false,
     "InstrumentationCategory": 2
   },
+  {
+    "IntegrationName": "AspNetCore",
+    "AssemblyName": "Microsoft.AspNetCore.Http.Abstractions",
+    "TargetTypeName": "Microsoft.AspNetCore.Builder.MapExtensions",
+    "TargetMethodName": "Map",
+    "TargetReturnType": "Microsoft.AspNetCore.Builder.IApplicationBuilder",
+    "TargetParameterTypes": [
+      "Microsoft.AspNetCore.Builder.IApplicationBuilder",
+      "Microsoft.AspNetCore.Http.PathString",
+      "System.Action`1[Microsoft.AspNetCore.Builder.IApplicationBuilder]"
+    ],
+    "MinimumVersion": {
+      "Item1": 2,
+      "Item2": 2,
+      "Item3": 0
+    },
+    "MaximumVersion": {
+      "Item1": 3,
+      "Item2": 65535,
+      "Item3": 65535
+    },
+    "InstrumentationTypeName": "Datadog.Trace.ClrProfiler.AutoInstrumentation.AspNetCore.EndpointsCollection.MapExtensionsMapIntegrationV2V3",
+    "IntegrationKind": 0,
+    "IsAdoNetIntegration": false,
+    "InstrumentationCategory": 1
+  },
+  {
+    "IntegrationName": "AspNetCore",
+    "AssemblyName": "Microsoft.AspNetCore.Http.Abstractions",
+    "TargetTypeName": "Microsoft.AspNetCore.Builder.MapExtensions",
+    "TargetMethodName": "Map",
+    "TargetReturnType": "Microsoft.AspNetCore.Builder.IApplicationBuilder",
+    "TargetParameterTypes": [
+      "Microsoft.AspNetCore.Builder.IApplicationBuilder",
+      "Microsoft.AspNetCore.Http.PathString",
+      "System.Boolean",
+      "System.Action`1[Microsoft.AspNetCore.Builder.IApplicationBuilder]"
+    ],
+    "MinimumVersion": {
+      "Item1": 5,
+      "Item2": 0,
+      "Item3": 0
+    },
+    "MaximumVersion": {
+      "Item1": 9,
+      "Item2": 65535,
+      "Item3": 65535
+    },
+    "InstrumentationTypeName": "Datadog.Trace.ClrProfiler.AutoInstrumentation.AspNetCore.EndpointsCollection.MapExtensionsMapIntegrationV5Plus",
+    "IntegrationKind": 0,
+    "IsAdoNetIntegration": false,
+    "InstrumentationCategory": 1
+  },
+  {
+    "IntegrationName": "AspNetCore",
+    "AssemblyName": "Microsoft.AspNetCore.Http.Abstractions",
+    "TargetTypeName": "Microsoft.AspNetCore.Builder.RunExtensions",
+    "TargetMethodName": "Run",
+    "TargetReturnType": "System.Void",
+    "TargetParameterTypes": [
+      "Microsoft.AspNetCore.Builder.IApplicationBuilder",
+      "Microsoft.AspNetCore.Http.RequestDelegate"
+    ],
+    "MinimumVersion": {
+      "Item1": 2,
+      "Item2": 2,
+      "Item3": 0
+    },
+    "MaximumVersion": {
+      "Item1": 9,
+      "Item2": 65535,
+      "Item3": 65535
+    },
+    "InstrumentationTypeName": "Datadog.Trace.ClrProfiler.AutoInstrumentation.AspNetCore.EndpointsCollection.RunExtensionsRunIntegration",
+    "IntegrationKind": 0,
+    "IsAdoNetIntegration": false,
+    "InstrumentationCategory": 1
+  },
   {
     "IntegrationName": "AspNetCore",
     "AssemblyName": "Microsoft.AspNetCore.Identity",
@@ -1245,6 +1323,56 @@
     "IsAdoNetIntegration": false,
     "InstrumentationCategory": 6
   },
+  {
+    "IntegrationName": "AspNetCore",
+    "AssemblyName": "Microsoft.AspNetCore.Server.Kestrel.Core",
+    "TargetTypeName": "Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServer",
+    "TargetMethodName": "StartAsync",
+    "TargetReturnType": "System.Threading.Tasks.Task",
+    "TargetParameterTypes": [
+      "Microsoft.AspNetCore.Hosting.Server.IHttpApplication`1[!!0]",
+      "System.Threading.CancellationToken"
+    ],
+    "MinimumVersion": {
+      "Item1": 2,
+      "Item2": 2,
+      "Item3": 0
+    },
+    "MaximumVersion": {
+      "Item1": 3,
+      "Item2": 65535,
+      "Item3": 65535
+    },
+    "InstrumentationTypeName": "Datadog.Trace.ClrProfiler.AutoInstrumentation.AspNetCore.EndpointsCollection.KestrelServerImplStartAsyncIntegration",
+    "IntegrationKind": 0,
+    "IsAdoNetIntegration": false,
+    "InstrumentationCategory": 1
+  },
+  {
+    "IntegrationName": "AspNetCore",
+    "AssemblyName": "Microsoft.AspNetCore.Server.Kestrel.Core",
+    "TargetTypeName": "Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServerImpl",
+    "TargetMethodName": "StartAsync",
+    "TargetReturnType": "System.Threading.Tasks.Task",
+    "TargetParameterTypes": [
+      "Microsoft.AspNetCore.Hosting.Server.IHttpApplication`1[!!0]",
+      "System.Threading.CancellationToken"
+    ],
+    "MinimumVersion": {
+      "Item1": 5,
+      "Item2": 0,
+      "Item3": 0
+    },
+    "MaximumVersion": {
+      "Item1": 9,
+      "Item2": 65535,
+      "Item3": 65535
+    },
+    "InstrumentationTypeName": "Datadog.Trace.ClrProfiler.AutoInstrumentation.AspNetCore.EndpointsCollection.KestrelServerImplStartAsyncIntegration",
+    "IntegrationKind": 0,
+    "IsAdoNetIntegration": false,
+    "InstrumentationCategory": 1
+  },
   {
     "IntegrationName": "AspNetCore",
     "AssemblyName": "Microsoft.AspNetCore.Session",

tracer/src/Datadog.Trace/AppSec/ApiSecurity.cs → tracer/src/Datadog.Trace/AppSec/ApiSec/ApiSecurity.cs

@@ -8,17 +8,18 @@
 using System.Collections.Generic;
 using System.Collections.Specialized;
 using System.Runtime.CompilerServices;
-using Datadog.Trace.ExtensionMethods;
 using Datadog.Trace.Logging;
-using Datadog.Trace.Sampling;
 
 namespace Datadog.Trace.AppSec;
 
 internal class ApiSecurity
 {
-    private static readonly IDatadogLogger Log = DatadogLogging.GetLoggerFor<ApiSecurity>();
+    internal static readonly IDatadogLogger Log = DatadogLogging.GetLoggerFor<ApiSecurity>();
+
     private readonly int _maxRoutesSize;
     private readonly bool _enabled;
+    private readonly bool _endpointsCollectionEnabled;
+    private readonly int _endpointsCollectionMessageLimit;
     private readonly TimeSpan _minTimeBetweenReprocessTimeSpan;
     private readonly OrderedDictionary _processedRoutes = new();
     private readonly Dictionary<string, bool> _apiSecurityAddress = new() { { "extract-schema", true } };
@@ -29,6 +30,8 @@ public ApiSecurity(SecuritySettings securitySettings, int maxRouteSize = 4096)
         _enabled = securitySettings.ApiSecurityEnabled;
         _minTimeBetweenReprocessTimeSpan = TimeSpan.FromSeconds(securitySettings.ApiSecuritySampleDelay);
         _maxRoutesSize = maxRouteSize;
+        _endpointsCollectionEnabled = securitySettings.ApiSecurityEndpointCollectionEnabled;
+        _endpointsCollectionMessageLimit = securitySettings.ApiSecurityEndpointCollectionMessageLimit;
     }
 
     public bool ShouldAnalyzeSchema(bool lastWafCall, Span localRootSpan, IDictionary<string, object> args, string? statusCode, IDictionary<string, object>? routeValues)
@@ -110,6 +113,15 @@ public bool ShouldAnalyzeSchema(bool lastWafCall, Span localRootSpan, IDictionar
         }
     }
 
+    /// <summary>
+    /// Checks if the Endpoints collection is enabled.
+    /// Note that this feature can be run on its own without Appsec nor API Security being enabled.
+    /// </summary>
+    /// <returns> bool value </returns>
+    public bool CanCollectEndpoints() => _endpointsCollectionEnabled;
+
+    public int GetEndpointsCollectionMessageLimit() => _endpointsCollectionMessageLimit;
+
     [MethodImpl(MethodImplOptions.AggressiveInlining)]
     internal static int CombineHashes(string httpRouteTag, string httpMethod, string statusCode) => HashCode.Combine(httpRouteTag.GetHashCode(), httpMethod.GetHashCode(), statusCode.GetHashCode());
 }

tracer/src/Datadog.Trace/AppSec/ApiSec/DuckType/IEndpointMetadataCollectionHttpMethodMetadata.cs

@@ -0,0 +1,20 @@
+// <copyright file="IEndpointMetadataCollectionHttpMethodMetadata.cs" company="Datadog">
+// Unless explicitly stated otherwise all files in this repository are licensed under the Apache 2 License.
+// This product includes software developed at Datadog (https://www.datadoghq.com/). Copyright 2017 Datadog, Inc.
+// </copyright>
+
+#if !NETFRAMEWORK
+
+#nullable enable
+
+using Datadog.Trace.DuckTyping;
+
+namespace Datadog.Trace.AppSec.ApiSec.DuckType;
+
+internal interface IEndpointMetadataCollectionHttpMethodMetadata
+{
+    [Duck(Name = "GetMetadata", GenericParameterTypeNames = ["Microsoft.AspNetCore.Routing.HttpMethodMetadata, Microsoft.AspNetCore.Routing"])]
+    public IHttpMethodMetadata? GetHttpMethodMetadata();
+}
+
+#endif

tracer/src/Datadog.Trace/AppSec/ApiSec/DuckType/IEndpointMetadataCollectionRouteValuesAddressMetadata.cs

@@ -0,0 +1,20 @@
+// <copyright file="IEndpointMetadataCollectionRouteValuesAddressMetadata.cs" company="Datadog">
+// Unless explicitly stated otherwise all files in this repository are licensed under the Apache 2 License.
+// This product includes software developed at Datadog (https://www.datadoghq.com/). Copyright 2017 Datadog, Inc.
+// </copyright>
+
+#if !NETFRAMEWORK
+
+#nullable enable
+
+using Datadog.Trace.DuckTyping;
+
+namespace Datadog.Trace.AppSec.ApiSec.DuckType;
+
+internal interface IEndpointMetadataCollectionRouteValuesAddressMetadata
+{
+    [Duck(Name = "GetMetadata", GenericParameterTypeNames = ["Microsoft.AspNetCore.Routing.RouteValuesAddressMetadata, Microsoft.AspNetCore.Routing"])]
+    public IRouteValuesAddressMetadata? GetRouteValuesAddressMetadata();
+}
+
+#endif

tracer/src/Datadog.Trace/AppSec/ApiSec/DuckType/IHttpMethodMetadata.cs

@@ -0,0 +1,17 @@
+// <copyright file="IHttpMethodMetadata.cs" company="Datadog">
+// Unless explicitly stated otherwise all files in this repository are licensed under the Apache 2 License.
+// This product includes software developed at Datadog (https://www.datadoghq.com/). Copyright 2017 Datadog, Inc.
+// </copyright>
+
+#if !NETFRAMEWORK
+
+#nullable enable
+
+namespace Datadog.Trace.AppSec.ApiSec.DuckType;
+
+internal interface IHttpMethodMetadata
+{
+    public System.Collections.Generic.IReadOnlyList<string> HttpMethods { get; }
+}
+
+#endif

tracer/src/Datadog.Trace/AppSec/ApiSec/DuckType/IRouteValuesAddressMetadata.cs

@@ -0,0 +1,17 @@
+// <copyright file="IRouteValuesAddressMetadata.cs" company="Datadog">
+// Unless explicitly stated otherwise all files in this repository are licensed under the Apache 2 License.
+// This product includes software developed at Datadog (https://www.datadoghq.com/). Copyright 2017 Datadog, Inc.
+// </copyright>
+
+#if !NETFRAMEWORK
+
+#nullable enable
+
+namespace Datadog.Trace.AppSec.ApiSec.DuckType;
+
+internal interface IRouteValuesAddressMetadata
+{
+    public System.Collections.Generic.IReadOnlyDictionary<string, object?> RequiredValues { get; }
+}
+
+#endif

tracer/src/Datadog.Trace/AppSec/ApiSec/DuckType/RoutePatternRequiredValues.cs

@@ -0,0 +1,27 @@
+// <copyright file="RoutePatternRequiredValues.cs" company="Datadog">
+// Unless explicitly stated otherwise all files in this repository are licensed under the Apache 2 License.
+// This product includes software developed at Datadog (https://www.datadoghq.com/). Copyright 2017 Datadog, Inc.
+// </copyright>
+
+#nullable enable
+
+#if !NETFRAMEWORK
+
+using Datadog.Trace.DuckTyping;
+
+namespace Datadog.Trace.AppSec.ApiSec.DuckType
+{
+    /// <summary>
+    /// RoutePattern for duck typing
+    /// </summary>
+    [DuckCopy]
+    public struct RoutePatternRequiredValues
+    {
+        /// <summary>
+        /// Gets the RoutePattern.RequiredValues
+        /// </summary>
+        public System.Collections.Generic.IReadOnlyDictionary<string, object?> RequiredValues;
+    }
+}
+
+#endif