immunio 1.1.7 → 1.1.10

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b00b1a9669f4e9f0ec6b571a88b2d1df883cbf94
-  data.tar.gz: 6fdf549ca4de7c8bf912a1fdcaf7bc00521c4e4b
+  metadata.gz: 8c73cecf0da251ae6c4e8fc65c1215a84cca2a9a
+  data.tar.gz: cc1742b1789f90dce3c6a2ad8a698c7e4e4730da
 SHA512:
-  metadata.gz: d947098d70f20d0a073789d8742570bb64373fce01429f2207133ac603d612d25534dd362dad87ebfacb57ed0bde6c34038355e336238b28b42a0678bed42f7d
-  data.tar.gz: f4a9b98cce16ba098561bb64bafcadf5fe50f1f9becbbc87549c5df9234f1f55062715274a59c44eadcb37088dc60a19bfe61ce44d59214f5056e9d733579b62
+  metadata.gz: 6ba46ef732b848a7bddce203578b91b801ad5c8571b5b49443c300b9f74bcbba3519ecffac8e0bd25476e2de40d7d8b8f16ae4a4bc45cf4aa93f3d26270c7291
+  data.tar.gz: d127335b24855d7b3cdd4725bca45b946e13d5712bc203fa972d0c79b16e719986b3d1c114bcb12df6ece8524c0af032c79f7fffd4ec46208dd03bb90d738c43

data/README.md

@@ -39,6 +39,25 @@ gem immunio', group: :production
 
 You can also modify the secret and key for different environments to report to different apps, or you can disable the agent by setting `agent_enabled: false` in the configuration or `IMMUNIO_AGENT_ENABLED=0` in the environment.
 
+
+### Unicorn configuration
+
+In order for the agent to function correctly in a pre-forked environment, use the `Immunio.reset!` method.
+For example, in your `config/unicorn.rb`:
+
+```
+after_fork do |server, worker|
+  Signal.trap 'TERM' do
+    puts 'Unicorn worker intercepting TERM and doing nothing. Wait for master to send QUIT'
+  end
+
+  defined?(ActiveRecord::Base) and ActiveRecord::Base.establish_connection
+
+  Immunio.reset!
+end
+```
+
+
 ## Handling blocked requests
 
 By default, Immunio will return a plain text *403 Forbidden* response whenever it blocks a request for security reasons.
@@ -55,6 +74,7 @@ Immunio.blocked_app = -> env do
 end
 ```
 
+
 ## Authentication API
 
 If you're using [Devise](https://github.com/plataformatec/devise) or [Authlogic](https://github.com/binarylogic/authlogic), Immunio will automatically hook into your authentication system to protect you against attacks.

data/lib/immunio.rb

@@ -26,6 +26,10 @@ module Immunio
     # Load and activate Rails engine
     require_relative "immunio/rails"
   end
+
+  def self.reset!
+    agent.reset if agent
+  end
 end
 
 Immunio.activate!

data/lib/immunio/agent.rb

@@ -153,6 +153,7 @@ module Immunio
       end
 
       @processor = Processor.new(@channel, @vmfactory, config)
+      @process_id = Process.pid
     end
 
     def load_config

data/lib/immunio/channel.rb

@@ -17,6 +17,7 @@ module Immunio
     attr_reader :rejected_message_count
 
     def initialize(config)
+      Immunio.logger.debug { "Creating channel" }
       @config = config
 
       @agent_uuid = nil
@@ -42,6 +43,13 @@ module Immunio
       @started = false
       @ready = false
 
+      # In the case of a forking web server like Unicorn,
+      # we need to remember the process id because it may
+      # happen that the master process starts its polling
+      # thread first, for example when a request is sent
+      # before forking the workers.
+      @process_id = Process.pid
+
       @callbacks = []
 
       # Anything looking to add to the messages sent to the server:
@@ -67,8 +75,18 @@ module Immunio
     def start
       return if @started
 
+      Immunio.logger.debug { "Starting channel" }
+
+      Immunio.logger.trace { "Thread count is: #{Thread.list.size}" }
+      Immunio.logger.trace { "Threads: #{Thread.list.map(&:object_id)}" }
+      Immunio.logger.trace { "@thread in thread list?: #{Thread.list.include? @thread}" }
+      Immunio.logger.trace { "@process_id is: #{@process_id}" }
+      Immunio.logger.trace { "@thread is: #{@thread.inspect}" }
+
       @started = true
       @thread = Thread.new { run }
+
+      Immunio.logger.trace { "Thread count is now: #{Thread.list.size}" }
     end
 
     # Stop and wait for the last messages to be sent.
@@ -86,22 +104,45 @@ module Immunio
       end
     end
 
+    def needs_reset?
+      @process_id != Process.pid
+    end
+
+    def reset
+      Immunio.logger.debug { "Resetting channel" }
+
+      stop
+
+      @process_id = Process.pid
+      @message_queue.clear
+    end
+
     def send_message(message)
       send_encoded_message message.to_msgpack
     end
 
     def send_encoded_message(message)
+      Immunio.logger.debug do
+        "Queueing message: (queue size: #{@message_queue.size}, max: #{@config.max_send_queue_size})"
+      end
+
       if @message_queue.size > @config.max_send_queue_size
         Immunio.logger.warn { "Dropping message for agent manager due to queue overflow (#{@message_queue.size} > #{@config.max_send_queue_size})" }
-        Immunio.logger.debug { "Dropped message: (#{message})" }
         # No room for this message on the queue. Discard.
         @dropped_message_count += 1
+        Immunio.logger.debug { "Dropped message: (#{message}, dropped count: #{@dropped_message_count})" }
         return
       end
 
-      Immunio.logger.debug {"Sending message to backend: #{MessagePack.unpack(message)}"}
+      Immunio.logger.debug do
+        "Queueing message: message.size: #{message.size}, #{MessagePack.unpack(message)}"
+      end
 
       @message_queue << message
+
+      Immunio.logger.debug do
+        "Queueing message: (queue size now: #{@message_queue.size}, max: #{@config.max_send_queue_size})"
+      end
     end
 
     def on_message(&block)
@@ -140,6 +181,7 @@ module Immunio
       # Core method running in a thread
       def run
         Immunio.logger.debug { "Starting channel on thread #{Thread.current.object_id}" }
+
         # Create an empty cert_store to prevent Faraday from using the system default OpenSSL store.
         cert_store = OpenSSL::X509::Store.new
         # Setup the connection for making requests to the server.
@@ -263,8 +305,10 @@ module Immunio
       end
 
       def add_to_send_buffer(message)
+        Immunio.logger.debug { "Adding message to send buffer (bytesize: #{message.bytesize})" }
         @send_buffer_bytes += message.bytesize
         @send_buffer << message
+        Immunio.logger.debug { "Adding message to send buffer (send buffer size: #{@send_buffer.size})" }
       end
 
       # Fill send_buffer with messages to send
@@ -276,8 +320,10 @@ module Immunio
             add_to_send_buffer @next_message
           else
             Immunio.logger.warn { "Dropped message over max byte send size, next message size #{@next_message.bytesize}" }
-            Immunio.logger.debug { "Dropped next message used: #{used_bytes} over max byte: #{@next_message}" }
             @dropped_message_count += 1
+            Immunio.logger.debug do
+              "Dropped next message (used: #{used_bytes} over max byte: #{@next_message}, dropped count: #{@dropped_message_count})"
+            end
           end
           @next_message = nil
         end
@@ -285,6 +331,9 @@ module Immunio
         # Empty the queue as much as possible.
         while !@message_queue.empty?
           @next_message = @message_queue.pop
+
+          Immunio.logger.debug { "Emptying message queue: (queue size: #{@message_queue.size})" }
+
           if !send_buffer_has_room used_bytes
             break
           end
@@ -303,6 +352,9 @@ module Immunio
           while @send_buffer.size < @config.min_report_size
             # If there are no messages in the queue, this will block until one arrives.
             @next_message = @message_queue.pop
+
+            Immunio.logger.debug { "Waiting for messages: (queue size: #{@message_queue.size})" }
+
             if !send_buffer_has_room used_bytes
               break
             end
@@ -329,6 +381,8 @@ module Immunio
 
       # Poll the server sending queued messages at the same time.
       def poll
+        Immunio.logger.trace { "Polling" }
+
         # Prep data
         body = {
           send_seq: @send_seq,
@@ -382,28 +436,35 @@ module Immunio
 
           req.body = gzip(encoded_body)
 
+          Immunio.logger.debug do
+            "Sending request to agent manager (size: #{req.body.size})"
+          end
           Immunio.logger.trace {"Sending request to agent manager (data: #{MessagePack.unpack(encoded_body)}, request: #{req})"}
         end
 
         if response.status >= 400 and response.status < 500 then
           # 4XX response codes should NOT be retried. Discard the report.
           @rejected_message_count += @send_buffer.size
+          Immunio.logger.debug { "Rejected message count is: #{@rejected_message_count}" }
           Immunio.logger.trace { "Rejecting #{@send_buffer.size} messages" }
           @send_buffer = []
           @send_buffer_bytes = 0
 
+          Immunio.logger.debug {"Received response from agent manager (status: #{response.status})"}
           Immunio.logger.trace {"Received response from agent manager (status: #{response.status}, raw body: #{raw_log response.body})"}
           raise Error, "Bad response from Immunio server: #{response.status} #{response.body}"
         end
 
         if response.status >= 500 then
           # 5XX response codes are treated like errors.
+          Immunio.logger.debug {"Received response from agent manager (status: #{response.status})"}
           Immunio.logger.trace {"Received response from agent manager (status: #{response.status}, raw body: #{raw_log response.body})"}
           raise Error, "Bad response from Immunio server: #{response.status} #{response.body}"
         end
 
         body = MessagePack.unpack(response.body)
 
+        Immunio.logger.debug {"Received response from agent manager (status: #{response.status})"}
         Immunio.logger.trace {"Received response from agent manager (status: #{response.status}, body: #{body}, raw body: #{raw_log response.body})"}
 
         # Update local data from response
@@ -426,7 +487,6 @@ module Immunio
         if received_messages
           received_messages.each { |message| notify message }
         end
-
       end
   end
 end

data/lib/immunio/logger.rb

@@ -34,7 +34,7 @@ module Immunio
 
   def self.setup_logger_formatter
     logger.formatter = proc do |severity, datetime, _progname, msg|
-      "[#{datetime}] #{severity}: #{msg}\n"
+      "[#{datetime}] [#{Process.pid} (#{Thread.current.object_id})]: #{severity}: #{msg}\n"
     end
   end
 

data/lib/immunio/processor.rb

@@ -50,6 +50,11 @@ module Immunio
     end
 
     def new_request(request)
+      Immunio.logger.debug { "New request: (started: #{@channel.started?})" }
+
+      # Reset channel if it was created by parent process
+      @channel.reset if @channel.needs_reset?
+
       # Start channel on first request
       @channel.start unless @channel.started?
 

data/lib/immunio/version.rb

@@ -1,5 +1,5 @@
 module Immunio
   AGENT_TYPE = "agent-ruby"
-  VERSION = "1.1.7"
+  VERSION = "1.1.10"
   VM_VERSION = "2.2.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: immunio
 version: !ruby/object:Gem::Version
-  version: 1.1.7
+  version: 1.1.10
 platform: ruby
 authors:
 - Immunio
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-01-16 00:00:00.000000000 Z
+date: 2017-02-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails