Add api10 redirect test (#5768)

IlyasShabi · web-flow · commit 23d13e68ca76 · 2025-11-26T10:28:08.000+01:00
diff --git a/docs/weblog/README.md b/docs/weblog/README.md
@@ -134,6 +134,31 @@ if the request to `internal_server` is a failure, it must return a json body wit
 - `status` the status code of the `internal_server` response if available or a null value
 - `error` a string describing the error, for debug purposes
 
+### GET /external_request/redirect
+
+This endpoint tests HTTP redirect chains with downstream requests, using the fastapi application in `/utils/build/docker/internal_server/app.py`
+
+Query parameters:
+- `totalRedirects`: number of redirects (default 0)
+
+The endpoint calls `/redirect?totalRedirects={totalRedirects}` and follows all 302 redirects until receiving a 200 response.
+
+How it works:
+- `/redirect` decrements `totalRedirects` and redirects to itself until `totalRedirects=0`
+- When `totalRedirects=0`, redirects to `/mirror/200` which returns 200 OK
+
+Example with `totalRedirects=2`:
+1. `/redirect?totalRedirects=2` → 302
+2. `/redirect?totalRedirects=1` → 302
+3. `/redirect?totalRedirects=0` → 302
+4. `/mirror/200` → 200 OK
+
+Total: 4 downstream requests (totalRedirects + 2).
+
+All query parameters are sent as headers to `internal_server` requests.
+
+Returns 200 status code.
+
 ### GET /spans
 
 The endpoint may accept two query string parameters:
diff --git a/manifests/dotnet.yml b/manifests/dotnet.yml
@@ -205,6 +205,7 @@ tests/:
         Test_API10_all: missing_feature
         Test_API10_downstream_request_tag: missing_feature
         Test_API10_downstream_ssrf_telemetry: missing_feature
+        Test_API10_redirect: missing_feature
         Test_API10_request_body: missing_feature
         Test_API10_request_headers: missing_feature
         Test_API10_request_method: missing_feature
diff --git a/manifests/golang.yml b/manifests/golang.yml
@@ -216,6 +216,7 @@ tests/:
         Test_API10_all: v2.4.0
         Test_API10_downstream_request_tag: v2.5.0-dev
         Test_API10_downstream_ssrf_telemetry: v2.4.0
+        Test_API10_redirect: missing_feature
         Test_API10_request_body: v2.4.0
         Test_API10_request_headers: v2.4.0
         Test_API10_request_method: v2.4.0
diff --git a/manifests/java.yml b/manifests/java.yml
@@ -783,6 +783,7 @@ tests/:
           '*': missing_feature
           vertx3: v1.54.0
         Test_API10_downstream_ssrf_telemetry: missing_feature
+        Test_API10_redirect: missing_feature
         Test_API10_request_body:
           '*': missing_feature
           vertx3: v1.54.0
diff --git a/manifests/nodejs.yml b/manifests/nodejs.yml
@@ -523,6 +523,7 @@ tests/:
         Test_API10_all: missing_feature
         Test_API10_downstream_request_tag: missing_feature
         Test_API10_downstream_ssrf_telemetry: missing_feature
+        Test_API10_redirect: missing_feature
         Test_API10_request_body: missing_feature
         Test_API10_request_headers: missing_feature
         Test_API10_request_method: missing_feature
diff --git a/manifests/php.yml b/manifests/php.yml
@@ -215,6 +215,7 @@ tests/:
         Test_API10_all: missing_feature
         Test_API10_downstream_request_tag: missing_feature
         Test_API10_downstream_ssrf_telemetry: missing_feature
+        Test_API10_redirect: missing_feature
         Test_API10_request_body: missing_feature
         Test_API10_request_headers: missing_feature
         Test_API10_request_method: missing_feature
diff --git a/manifests/python.yml b/manifests/python.yml
@@ -305,6 +305,7 @@ tests/:
           'fastapi': v3.15.0.dev (with requests support)
         Test_API10_downstream_request_tag: v3.18.0
         Test_API10_downstream_ssrf_telemetry: v3.18.0
+        Test_API10_redirect: missing_feature
         Test_API10_request_body:
           '*': v3.14.0.rc
           'fastapi': v3.15.0.dev (with requests support)
diff --git a/manifests/ruby.yml b/manifests/ruby.yml
@@ -225,6 +225,7 @@ tests/:
         Test_API10_all: missing_feature
         Test_API10_downstream_request_tag: missing_feature
         Test_API10_downstream_ssrf_telemetry: missing_feature
+        Test_API10_redirect: missing_feature
         Test_API10_request_body: missing_feature
         Test_API10_request_headers: missing_feature
         Test_API10_request_method: missing_feature
diff --git a/tests/appsec/rasp/test_api10.py b/tests/appsec/rasp/test_api10.py
@@ -31,6 +31,7 @@
 
 class API10:
     TAGS_EXPECTED: list[tuple[str, str]] = []
+    TAGS_EXPECTED_METRIC: list[tuple[str, str]] = []
 
     def validate(self, span: dict):
         if span.get("parent_id") not in (0, None):
@@ -49,7 +50,7 @@ def validate(self, span: dict):
         return True
 
     def validate_metric(self, span: dict):
-        for tag, expected in self.TAGS_EXPECTED:
+        for tag, expected in self.TAGS_EXPECTED_METRIC:
             # check also in meta to be safe
             assert tag in span["metrics"] or tag in span["meta"], f"Missing {tag} from span's meta/metrics"
             values = span["metrics"] if tag in span["metrics"] else span["meta"]
@@ -241,7 +242,7 @@ def test_api10(self):
 class Test_API10_downstream_request_tag(API10):
     """API 10 span tag validation"""
 
-    TAGS_EXPECTED = [
+    TAGS_EXPECTED_METRIC = [
         ("_dd.appsec.downstream_request", "1"),
     ]
 
@@ -348,3 +349,29 @@ def test_api10_res_body(self):
         assert "error" not in body
         assert int(body["status"]) == 200
         interfaces.library.validate_one_span(self.r, validator=self.validate_absence)
+
+
+@rfc("https://docs.google.com/document/d/1gCXU3LvTH9en3Bww0AC2coSJWz1m7HcavZjvMLuDCWg/edit#heading=h.giijrtyn1fdx")
+@features.api10
+@scenarios.appsec_rasp
+@scenarios.appsec_standalone_rasp
+class Test_API10_redirect(API10):
+    """API 10 for multiple redirect responses"""
+
+    TAGS_EXPECTED = [
+        ("_dd.appsec.trace.req_headers", "TAG_API10_REQ_HEADERS"),
+    ]
+
+    TAGS_EXPECTED_METRIC = [
+        ("_dd.appsec.downstream_request", "5"),
+    ]
+
+    PARAMS = {"Witness": "pwq3ojtropiw3hjtowir", "totalRedirects": "3"}
+
+    def setup_api10_redirect(self):
+        self.r = weblog.get("/external_request/redirect", params=self.PARAMS)
+
+    def test_api10_redirect(self):
+        assert self.r.status_code == 200
+        interfaces.library.validate_one_span(self.r, validator=self.validate)
+        interfaces.library.validate_one_span(self.r, validator=self.validate_metric)
diff --git a/utils/build/docker/internal_server/app.py b/utils/build/docker/internal_server/app.py
@@ -31,6 +31,25 @@ async def mirror(status: int, request: fastapi.Request):
     return fastapi.responses.JSONResponse({"status": "OK", "payload": body}, status_code=status, headers=query)
 
 
+@app.get("/redirect", response_class=fastapi.responses.RedirectResponse)
+async def redirect(request: fastapi.Request):
+    """Redirect endpoint for testing API 10 with redirects
+
+    Query parameter:
+    - totalRedirects: number of redirects remaining (default 0)
+    """
+    query = request.query_params
+    total_redirects = int(query.get("totalRedirects", "0"))
+
+    if total_redirects > 0:
+        # Redirect to itself with totalRedirects-1
+        location = f"/redirect?totalRedirects={total_redirects - 1}"
+    else:
+        location = "/mirror/200"
+
+    return fastapi.responses.RedirectResponse(url=location, status_code=302)
+
+
 @app.get("/shutdown")
 async def shutdown():
     os.kill(os.getpid(), signal.SIGTERM)
