hoss-agent 1.0.1

data/lib/hoss/transport/base.rb

@@ -0,0 +1,191 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# frozen_string_literal: true
+
+require 'hoss/metadata'
+require 'hoss/transport/user_agent'
+require 'hoss/transport/headers'
+require 'hoss/transport/connection'
+require 'hoss/transport/worker'
+require 'hoss/transport/serializers'
+require 'hoss/transport/filters'
+require 'hoss/transport/connection/http'
+
+require 'hoss/util/throttle'
+
+module Hoss
+  module Transport
+    # @api private
+    class Base
+      include Logging
+
+      WATCHER_EXECUTION_INTERVAL = 5
+      WATCHER_TIMEOUT_INTERVAL = 4
+      WORKER_JOIN_TIMEOUT = 5
+
+      def initialize(config)
+        @config = config
+        @queue = SizedQueue.new(config.max_queue_size)
+
+        @serializers = Serializers.new(config)
+        @filters = Filters.new(config)
+
+        @stopped = Concurrent::AtomicBoolean.new
+        @workers = Array.new(config.pool_size)
+
+        @worker_mutex = Mutex.new
+      end
+
+      attr_reader :config, :queue, :filters, :workers, :watcher, :stopped
+
+      def start
+        debug '%s: Starting Transport', pid_str
+        # Set @stopped to false first, in case transport is restarted;
+        # ensure_worker_count requires @stopped to be false
+        # ~estolfo
+        @stopped.make_false unless @stopped.false?
+
+        ensure_worker_count
+        create_watcher
+      end
+
+      def stop
+        debug '%s: Stopping Transport', pid_str
+
+        @stopped.make_true
+
+        stop_watcher
+        stop_workers
+      end
+
+      def submit(resource)
+        if @stopped.true?
+          warn '%s: Transport stopping, no new events accepted', pid_str
+          debug 'Dropping: %s', resource.inspect
+          return false
+        end
+
+        queue.push(resource, true)
+
+        true
+      rescue ThreadError
+        throttled_queue_full_warning
+        nil
+      rescue Exception => e
+        error '%s: Failed adding to the transport queue: %p', pid_str, e.inspect
+        nil
+      end
+
+      def add_filter(key, callback)
+        @filters.add(key, callback)
+      end
+
+      def handle_forking!
+        # We can't just stop and start again because the StopMessage
+        # will then be the first message processed when the transport is
+        # restarted.
+        stop_watcher
+        ensure_worker_count
+        create_watcher
+      end
+
+      private
+
+      def pid_str
+        format('[PID:%s]', Process.pid)
+      end
+
+      def create_watcher
+        @watcher = Concurrent::TimerTask.execute(
+          execution_interval: WATCHER_EXECUTION_INTERVAL,
+          timeout_interval: WATCHER_TIMEOUT_INTERVAL
+        ) { ensure_worker_count }
+      end
+
+      def ensure_worker_count
+        @worker_mutex.synchronize do
+          return if all_workers_alive?
+          return if stopped.true?
+
+          @workers.map! do |thread|
+            next thread if thread&.alive?
+
+            boot_worker
+          end
+        end
+      end
+
+      def all_workers_alive?
+        !!workers.all? { |t| t&.alive? }
+      end
+
+      def boot_worker
+        debug '%s: Booting worker...', pid_str
+
+        Thread.new do
+          Worker.new(
+            config, queue,
+            serializers: @serializers,
+            filters: @filters
+          ).work_forever
+        end
+      end
+
+      def stop_workers
+        debug '%s: Stopping workers', pid_str
+
+        send_stop_messages
+
+        @worker_mutex.synchronize do
+          workers.each do |thread|
+            next if thread.nil?
+            next if thread.join(WORKER_JOIN_TIMEOUT)
+
+            debug(
+              '%s: Worker did not stop in %ds, killing...',
+              pid_str, WORKER_JOIN_TIMEOUT
+            )
+            thread.kill
+          end
+
+          # Maintain the @worker array size for when transport is restarted
+          @workers.fill(nil)
+        end
+      end
+
+      def send_stop_messages
+        config.pool_size.times { queue.push(Worker::StopMessage.new, true) }
+      rescue ThreadError
+        warn 'Cannot push stop messages to worker queue as it is full'
+      end
+
+      def stop_watcher
+        watcher&.shutdown
+      end
+
+      def throttled_queue_full_warning
+        (@queue_full_log ||= Util::Throttle.new(5) do
+          warn(
+            '%s: Queue is full (%i items), skipping…',
+            pid_str, config.max_queue_size
+          )
+        end).call
+      end
+    end
+  end
+end

data/lib/hoss/transport/connection/http.rb

@@ -0,0 +1,139 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# frozen_string_literal: true
+
+require 'hoss/transport/connection/proxy_pipe'
+
+module Hoss
+  module Transport
+    class Connection
+      # @api private
+      class Http
+        include Logging
+
+        def initialize(config, headers: nil)
+          @config = config
+          @headers = headers || Headers.new(config)
+          @client = build_client
+          @closed = Concurrent::AtomicBoolean.new(true)
+        end
+
+        def open(url)
+          @closed.make_false
+          @rd, @wr = ProxyPipe.pipe(compress: @config.http_compression?)
+          @request = open_request_in_thread(url)
+        end
+
+        def self.open(config, url)
+          new(config).tap do |http|
+            http.open(url)
+          end
+        end
+
+        def post(url, body: nil, headers: nil)
+          request(:post, url, body: body, headers: headers)
+        end
+
+        def get(url, headers: nil)
+          request(:get, url, headers: headers)
+        end
+
+        def request(method, url, body: nil, headers: nil)
+          @client.send(
+            method,
+            url,
+            body: body,
+            headers: (headers ? @headers.merge(headers) : @headers).to_h,
+            ssl_context: @config.ssl_context
+          ).flush
+        end
+
+        def write(str)
+          @wr.write(str)
+          @wr.bytes_sent
+        end
+
+        def close(reason)
+          return if closed?
+
+          debug '%s: Closing request with reason %s', thread_str, reason
+          @closed.make_true
+
+          @wr&.close(reason)
+          return if @request.nil? || @request&.join(5)
+
+          error(
+            '%s: APM Server not responding in time, terminating request',
+            thread_str
+          )
+          @request.kill
+        end
+
+        def closed?
+          @closed.true?
+        end
+
+        def inspect
+          format(
+            '%s closed: %s>',
+            super.split.first,
+            closed?
+          )
+        end
+
+        private
+
+        def thread_str
+          format('[THREAD:%s]', Thread.current.object_id)
+        end
+
+        def open_request_in_thread(url)
+          debug '%s: Opening new request', thread_str
+          Thread.new do
+            begin
+              resp = post(url, body: @rd, headers: @headers.chunked.to_h)
+
+              if resp&.status == 202
+                debug 'APM Server responded with status 202'
+              elsif resp
+                error "APM Server responded with an error:\n%p", resp.body.to_s
+              end
+            rescue Exception => e
+              error(
+                "Couldn't establish connection to APM Server:\n%p", e.inspect
+              )
+            end
+          end
+        end
+
+        def build_client
+          client = HTTP.headers(@headers)
+          return client unless @config.proxy_address && @config.proxy_port
+
+          client.via(
+            @config.proxy_address,
+            @config.proxy_port,
+            @config.proxy_username,
+            @config.proxy_password,
+            @config.proxy_headers
+          )
+        end
+      end
+    end
+  end
+end

data/lib/hoss/transport/connection/proxy_pipe.rb

@@ -0,0 +1,94 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# frozen_string_literal: true
+
+module Hoss
+  module Transport
+    class Connection
+      # @api private
+      class ProxyPipe
+        def initialize(enc = nil, compress: true)
+          rd, wr = IO.pipe(enc)
+
+          @read = rd
+          @write = Write.new(wr, compress: compress)
+
+          # Http.rb<4 calls rewind on the request bodies, but IO::Pipe raises
+          # ~mikker
+          return if HTTP::VERSION.to_i >= 4
+          def rd.rewind; end
+        end
+
+        attr_reader :read, :write
+
+        # @api private
+        class Write
+          include Logging
+
+          def initialize(io, compress: true)
+            @io = io
+            @compress = compress
+            @bytes_sent = Concurrent::AtomicFixnum.new(0)
+            @config = Hoss.agent&.config # this is silly, fix Logging
+
+            return unless compress
+            enable_compression!
+            ObjectSpace.define_finalizer(self, self.class.finalize(@io))
+          end
+
+          def self.finalize(io)
+            proc { io.close }
+          end
+
+          attr_reader :io
+
+          def enable_compression!
+            io.binmode
+            @io = Zlib::GzipWriter.new(io)
+          end
+
+          def close(reason = nil)
+            debug("Closing writer with reason #{reason}")
+            io.close
+          end
+
+          def closed?
+            io.closed?
+          end
+
+          def write(str)
+            io.puts(str).tap do
+              @bytes_sent.update do |curr|
+                @compress ? io.tell : curr + str.bytesize
+              end
+            end
+          end
+
+          def bytes_sent
+            @bytes_sent.value
+          end
+        end
+
+        def self.pipe(**args)
+          pipe = new(**args)
+          [pipe.read, pipe.write]
+        end
+      end
+    end
+  end
+end

data/lib/hoss/transport/connection.rb

@@ -0,0 +1,55 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# frozen_string_literal: true
+
+module Hoss
+  module Transport
+    # @api private
+    class Connection
+      include Logging
+
+      def initialize(config)
+        @config = config
+        @metadata = JSON.fast_generate(
+          Serializers::MetadataSerializer.new(config).build(
+            Metadata.new(config)
+          )
+        )
+        @url = @config.ingress_host
+        @mutex = Mutex.new
+      end
+
+      attr_reader :http
+      def write(str)
+        debug "Sending report"
+        uri = URI(@url)
+        req = Net::HTTP::Post.new(
+          uri,
+          'Authorization' => "Bearer #{@config.api_key}", #"Basic " + Base64.encode64("#{@config.api_key}:"),
+          'Content-Type' => 'application/json',
+          'HOSS-SKIP-INSTRUMENTATION' => 'true',
+        )
+        req.body = str
+        res = Net::HTTP.start(uri.hostname, uri.port, :use_ssl => uri.scheme == 'https') do |http|
+          http.request(req)
+        end
+        raise unless res.code == "200"
+      end
+    end
+  end
+end

data/lib/hoss/transport/filters/hash_sanitizer.rb

@@ -0,0 +1,77 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# frozen_string_literal: true
+
+module Hoss
+  module Transport
+    module Filters
+      class HashSanitizer
+        FILTERED = '[FILTERED]'
+
+        KEY_FILTERS = [
+          /passw(or)?d/i,
+          /auth/i,
+          /^pw$/,
+          /secret/i,
+          /token/i,
+          /api[-._]?key/i,
+          /session[-._]?id/i,
+          /(set[-_])?cookie/i
+        ].freeze
+
+        VALUE_FILTERS = [
+          # (probably) credit card number
+          /^\d{4}[- ]?\d{4}[- ]?\d{4}[- ]?\d{4}$/
+        ].freeze
+
+        attr_accessor :key_filters
+
+        def initialize
+          @key_filters = KEY_FILTERS
+        end
+
+        def strip_from!(obj, key_filters = KEY_FILTERS)
+          return unless obj&.is_a?(Hash)
+
+          obj.each do |k, v|
+            if filter_key?(k)
+              next obj[k] = FILTERED
+            end
+
+            case v
+            when Hash
+              strip_from!(v)
+            when String
+              if filter_value?(v)
+                obj[k] = FILTERED
+              end
+            end
+          end
+        end
+
+        def filter_key?(key)
+          @key_filters.any? { |regex| regex.match(key) }
+        end
+
+        def filter_value?(value)
+          VALUE_FILTERS.any? { |regex| regex.match(value) }
+        end
+      end
+    end
+  end
+end

data/lib/hoss/transport/filters/secrets_filter.rb

@@ -0,0 +1,48 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# frozen_string_literal: true
+
+require 'hoss/transport/filters/hash_sanitizer'
+
+module Hoss
+  module Transport
+    module Filters
+      # @api private
+      class SecretsFilter
+        def initialize(config)
+          @config = config
+          @sanitizer = HashSanitizer.new
+          @sanitizer.key_filters += config.custom_key_filters +
+                                     config.sanitize_field_names
+        end
+
+        def call(payload)
+          @sanitizer.strip_from! payload.dig(:transaction, :context, :request, :headers)
+          @sanitizer.strip_from! payload.dig(:transaction, :context, :request, :env)
+          @sanitizer.strip_from! payload.dig(:transaction, :context, :request, :cookies)
+          @sanitizer.strip_from! payload.dig(:transaction, :context, :response, :headers)
+          @sanitizer.strip_from! payload.dig(:error, :context, :request, :headers)
+          @sanitizer.strip_from! payload.dig(:error, :context, :response, :headers)
+          @sanitizer.strip_from! payload.dig(:transaction, :context, :request, :body)
+
+          payload
+        end
+      end
+    end
+  end
+end

data/lib/hoss/transport/filters.rb

@@ -0,0 +1,60 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# frozen_string_literal: true
+
+require 'hoss/transport/filters/secrets_filter'
+
+module Hoss
+  module Transport
+    # @api private
+    module Filters
+      SKIP = :skip
+
+      def self.new(config)
+        Container.new(config)
+      end
+
+      # @api private
+      class Container
+        def initialize(config)
+          @filters = { secrets: SecretsFilter.new(config) }
+        end
+
+        def add(key, filter)
+          @filters = @filters.merge(key => filter)
+        end
+
+        def remove(key)
+          @filters.delete(key)
+        end
+
+        def apply!(payload)
+          @filters.reduce(payload) do |result, (_key, filter)|
+            result = filter.call(result)
+            break SKIP if result.nil?
+            result
+          end
+        end
+
+        def length
+          @filters.length
+        end
+      end
+    end
+  end
+end