Network USM : add java TLS support (#14620)

Adding support to attach a live java process and send it "agent-usm.jar" runtime agent payload

Supporting JVMTI Hotspot mechanism

Configuration:
DD_SERVICE_MONITORING_CONFIG_ENABLE_JAVA_TLS_SUPPORT = true
service_monitoring_config:
  enable_java_tls_support: true


Co-authored-by: Guy Arbitman <[email protected]>

.github/CODEOWNERS

@@ -295,6 +295,7 @@
 /pkg/network/encoding/*usm*             @DataDog/universal-service-monitoring
 /pkg/network/etw/                       @DataDog/windows-kernel-integrations
 /pkg/network/go/                        @DataDog/universal-service-monitoring
+/pkg/network/java/                      @DataDog/universal-service-monitoring
 /pkg/network/protocols/                 @DataDog/universal-service-monitoring
 /pkg/network/protocols/http/driver_*.go         @DataDog/windows-kernel-integrations
 /pkg/network/protocols/http/etw_*.go            @DataDog/windows-kernel-integrations

omnibus/config/software/system-probe.rb

@@ -15,9 +15,12 @@
   mkdir "#{install_dir}/embedded/share/system-probe/ebpf/runtime"
   mkdir "#{install_dir}/embedded/share/system-probe/ebpf/co-re"
   mkdir "#{install_dir}/embedded/share/system-probe/ebpf/co-re/btf"
+  mkdir "#{install_dir}/embedded/share/system-probe/java"
   mkdir "#{install_dir}/embedded/nikos/embedded/bin"
   mkdir "#{install_dir}/embedded/nikos/embedded/lib"
 
+  copy 'pkg/network/java/agent-usm.jar', "#{install_dir}/embedded/share/system-probe/java/"
+
   if ENV.has_key?('SYSTEM_PROBE_BIN') and not ENV['SYSTEM_PROBE_BIN'].empty?
     copy "#{ENV['SYSTEM_PROBE_BIN']}/system-probe", "#{install_dir}/embedded/bin/system-probe"
     copy "#{ENV['SYSTEM_PROBE_BIN']}/http.o", "#{install_dir}/embedded/share/system-probe/ebpf/"

omnibus/package-scripts/agent-deb/postinst

@@ -94,6 +94,7 @@ fi
 chown root:root ${INSTALL_DIR}/embedded/bin/system-probe
 chown root:root ${INSTALL_DIR}/embedded/bin/security-agent
 chown -R root:root ${INSTALL_DIR}/embedded/share/system-probe/ebpf
+chown -R root:root ${INSTALL_DIR}/embedded/share/system-probe/java
 
 # Enable and restart the agent service here on Debian platforms
 # On RHEL, this is done in the posttrans script

omnibus/package-scripts/agent-rpm/postinst

@@ -38,5 +38,6 @@ fi
 chown root:root ${INSTALL_DIR}/embedded/bin/system-probe
 chown root:root ${INSTALL_DIR}/embedded/bin/security-agent
 chown -R root:root ${INSTALL_DIR}/embedded/share/system-probe/ebpf
+chown -R root:root ${INSTALL_DIR}/embedded/share/system-probe/java
 
 exit 0

pkg/config/system_probe.go

@@ -25,6 +25,9 @@ const (
 	// defaultSystemProbeBPFDir is the default path for eBPF programs
 	defaultSystemProbeBPFDir = "/opt/datadog-agent/embedded/share/system-probe/ebpf"
 
+	// defaultSystemProbeJavaDir is the default path for java agent program
+	defaultSystemProbeJavaDir = "/opt/datadog-agent/embedded/share/system-probe/java"
+
 	// defaultRuntimeCompilerOutputDir is the default path for output from the system-probe runtime compiler
 	defaultRuntimeCompilerOutputDir = "/var/tmp/datadog-agent/system-probe/build"
 
@@ -92,6 +95,7 @@ func InitSystemProbeConfig(cfg Config) {
 	// ebpf general settings
 	cfg.BindEnvAndSetDefault(join(spNS, "bpf_debug"), false)
 	cfg.BindEnvAndSetDefault(join(spNS, "bpf_dir"), defaultSystemProbeBPFDir, "DD_SYSTEM_PROBE_BPF_DIR")
+	cfg.BindEnvAndSetDefault(join(spNS, "java_dir"), defaultSystemProbeJavaDir, "DD_SYSTEM_PROBE_JAVA_DIR")
 	cfg.BindEnvAndSetDefault(join(spNS, "excluded_linux_versions"), []string{})
 	cfg.BindEnvAndSetDefault(join(spNS, "enable_tracepoints"), false)
 	cfg.BindEnvAndSetDefault(join(spNS, "enable_co_re"), true, "DD_ENABLE_CO_RE")
@@ -147,6 +151,8 @@ func InitSystemProbeConfig(cfg Config) {
 
 	cfg.BindEnvAndSetDefault(join(spNS, "enable_go_tls_support"), false)
 
+	cfg.BindEnvAndSetDefault(join(smNS, "enable_java_tls_support"), false)
+
 	cfg.BindEnvAndSetDefault(join(netNS, "enable_gateway_lookup"), true, "DD_SYSTEM_PROBE_NETWORK_ENABLE_GATEWAY_LOOKUP")
 	cfg.BindEnvAndSetDefault(join(netNS, "max_http_stats_buffered"), 100000, "DD_SYSTEM_PROBE_NETWORK_MAX_HTTP_STATS_BUFFERED")
 	httpRules := join(netNS, "http_replace_rules")

pkg/ebpf/config.go

@@ -24,6 +24,9 @@ type Config struct {
 	// BPFDir is the directory to load the eBPF program from
 	BPFDir string
 
+	// JavaDir is the directory to load the java agent program from
+	JavaDir string
+
 	// ExcludedBPFLinuxVersions lists Linux kernel versions that should not use BPF features
 	ExcludedBPFLinuxVersions []string
 
@@ -85,6 +88,7 @@ func NewConfig() *Config {
 	return &Config{
 		BPFDebug:                 cfg.GetBool(key(spNS, "bpf_debug")),
 		BPFDir:                   cfg.GetString(key(spNS, "bpf_dir")),
+		JavaDir:                  cfg.GetString(key(spNS, "java_dir")),
 		ExcludedBPFLinuxVersions: cfg.GetStringSlice(key(spNS, "excluded_linux_versions")),
 		EnableTracepoints:        cfg.GetBool(key(spNS, "enable_tracepoints")),
 		ProcRoot:                 util.GetProcRoot(),

pkg/metadata/inventories/README.md

@@ -94,6 +94,7 @@ The payload is a JSON dict with the following fields
   - `feature_networks_http_enabled` - **bool**: True if HTTP monitoring is enabled for Network Performance Monitoring (see: `network_config.enable_http_monitoring` config option in `system-proble.yaml`).
   - `feature_networks_https_enabled` - **bool**: True if HTTPS monitoring is enabled for Network Performance Monitoring (see: `network_config.enable_https_monitoring` config option in `system-proble.yaml`).
   - `feature_networks_gotls_enabled` - **bool**: True if HTTPS monitoring through GoTLS is enabled for Network Performance Monitoring (see: `system_probe_config.enable_go_tls_support` config option in `system-proble.yaml`).
+  - `feature_usm_java_tls_enabled` - **bool**: True if HTTPS monitoring through java TLS is enabled for Universal Service Monitoring (see: `service_monitoring_config.enable_java_tls_support` config option in `system-proble.yaml`).
   - `feature_logs_enabled` - **bool**: True if the logs collection is enabled (see: `logs_enabled` config option).
   - `feature_cspm_enabled` - **bool**: True if the Cloud Security Posture Management is enabled (see:
     `compliance_config.enabled` config option).

pkg/metadata/inventories/inventories.go

@@ -93,6 +93,7 @@ const (
 	AgentNetworksHTTPEnabled           AgentMetadataName = "feature_networks_http_enabled"
 	AgentNetworksHTTPSEnabled          AgentMetadataName = "feature_networks_https_enabled"
 	AgentNetworksGoTLSEnabled          AgentMetadataName = "feature_networks_gotls_enabled"
+	AgentUSMJavaTLSEnabled             AgentMetadataName = "feature_usm_java_tls_enabled"
 	AgentLogsEnabled                   AgentMetadataName = "feature_logs_enabled"
 	AgentCSPMEnabled                   AgentMetadataName = "feature_cspm_enabled"
 	AgentAPMEnabled                    AgentMetadataName = "feature_apm_enabled"
@@ -414,6 +415,7 @@ func initializeConfig(cfg config.Config) {
 	SetAgentMetadata(AgentNetworksHTTPEnabled, config.Datadog.GetBool("network_config.enable_http_monitoring"))
 	SetAgentMetadata(AgentNetworksHTTPSEnabled, config.Datadog.GetBool("network_config.enable_https_monitoring"))
 	SetAgentMetadata(AgentNetworksGoTLSEnabled, config.Datadog.GetBool("system_probe_config.enable_go_tls_support"))
+	SetAgentMetadata(AgentUSMJavaTLSEnabled, config.Datadog.GetBool("service_monitoring_config.enable_java_tls_support"))
 	SetAgentMetadata(AgentLogsEnabled, config.Datadog.GetBool("logs_enabled"))
 	SetAgentMetadata(AgentCSPMEnabled, config.Datadog.GetBool("compliance_config.enabled"))
 	SetAgentMetadata(AgentAPMEnabled, config.Datadog.GetBool("apm_config.enabled"))

pkg/network/config/config.go

@@ -79,6 +79,10 @@ type Config struct {
 	// traffic done through Go's standard library's TLS implementation
 	EnableGoTLSSupport bool
 
+	// EnableJavaTLSSupport specifies whether the tracer should monitor HTTPS
+	// traffic done through Java's TLS implementation
+	EnableJavaTLSSupport bool
+
 	// MaxTrackedHTTPConnections max number of http(s) flows that will be concurrently tracked.
 	// value is currently Windows only
 	MaxTrackedHTTPConnections int64
@@ -267,6 +271,9 @@ func New() *Config {
 
 		HTTPMapCleanerInterval: time.Duration(cfg.GetInt(join(spNS, "http_map_cleaner_interval_in_s"))) * time.Second,
 		HTTPIdleConnectionTTL:  time.Duration(cfg.GetInt(join(spNS, "http_idle_connection_ttl_in_s"))) * time.Second,
+
+		// Service Monitoring
+		EnableJavaTLSSupport: cfg.GetBool(join(smNS, "enable_java_tls_support")),
 	}
 
 	if !cfg.IsSet(join(spNS, "max_closed_connections_buffered")) {

pkg/network/config/config_test.go

@@ -131,6 +131,42 @@ func TestEnableHTTPMonitoring(t *testing.T) {
 	})
 }
 
+func TestEnableJavaTLSSupport(t *testing.T) {
+	t.Run("via YAML", func(t *testing.T) {
+		newConfig()
+		defer restoreGlobalConfig()
+
+		_, err := sysconfig.New("./testdata/TestDDAgentConfigYamlAndSystemProbeConfig-EnableJavaTLS.yaml")
+		require.NoError(t, err)
+		cfg := New()
+
+		assert.True(t, cfg.EnableJavaTLSSupport)
+	})
+
+	t.Run("via ENV variable", func(t *testing.T) {
+		newConfig()
+		defer restoreGlobalConfig()
+
+		t.Setenv("DD_SERVICE_MONITORING_CONFIG_ENABLE_JAVA_TLS_SUPPORT", "true")
+		_, err := sysconfig.New("")
+		require.NoError(t, err)
+		cfg := New()
+
+		assert.True(t, cfg.EnableJavaTLSSupport)
+	})
+}
+
+func TestDefaultDisabledJavaTLSSupport(t *testing.T) {
+	newConfig()
+	defer restoreGlobalConfig()
+
+	_, err := sysconfig.New("")
+	require.NoError(t, err)
+	cfg := New()
+
+	assert.False(t, cfg.EnableJavaTLSSupport)
+}
+
 func TestDisableGatewayLookup(t *testing.T) {
 	t.Run("via YAML", func(t *testing.T) {
 		newConfig()

pkg/network/config/testdata/TestDDAgentConfigYamlAndSystemProbeConfig-EnableJavaTLS.yaml

@@ -0,0 +1,2 @@
+service_monitoring_config:
+  enable_java_tls_support: true

pkg/network/java/agent-usm.jar

@@ -0,0 +1 @@
+fake agent-usm.jar will be overwritten in next PR