newrelic_security 0.1.0

data/lib/newrelic_security/instrumentation-security/sinatra/prepend.rb

@@ -0,0 +1,21 @@
+module NewRelic::Security
+  module Instrumentation
+    module Sinatra
+      module Base
+        module Prepend
+          include NewRelic::Security::Instrumentation::Sinatra::Base
+
+          def call(env)
+            retval = nil
+            event = call_on_enter(env) { retval = super }
+            call_on_exit(event, retval) { return retval }
+          end
+
+          def route_eval
+            route_eval_on_enter { super }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/newrelic_security/instrumentation-security/sqlite3/chain.rb

@@ -0,0 +1,79 @@
+module NewRelic::Security
+  module Instrumentation
+    module SQLite3
+      module Database
+        module Chain
+
+          def self.instrument!
+            ::SQLite3::Database.class_eval do
+              include NewRelic::Security::Instrumentation::SQLite3::Database
+
+              alias_method :execute_without_security, :execute
+
+              def execute(sql, bind_vars = [], *args, &block)
+                retval = nil
+                event = execute_on_enter(sql, bind_vars, *args) { retval = execute_without_security(sql, bind_vars, *args, &block) }
+                execute_on_exit(event) { return retval }
+              end
+
+              alias_method :execute_batch_without_security, :execute_batch
+    
+              def execute_batch(sql, bind_vars = [], *args)
+                retval = nil
+                event = execute_batch_on_enter(sql, bind_vars, *args) { retval = execute_batch_without_security(sql, bind_vars, *args) }
+                execute_batch_on_exit(event) { return retval }
+              end
+
+              if ::SQLite3::VERSION >= '1.4'
+                alias_method :execute_batch2_without_security, :execute_batch2
+    
+                def execute_batch2(sql, &block)
+                  retval = nil
+                  event = execute_batch2_on_enter(sql) { retval = execute_batch2_without_security(sql, &block) }
+                  execute_batch2_on_exit(event) { return retval }
+                end
+              end
+              
+            end
+          end
+        end
+      end
+
+      module Statement
+        module Chain
+
+          def self.instrument!
+            ::SQLite3::Statement.class_eval do
+              include NewRelic::Security::Instrumentation::SQLite3::Statement
+
+              alias_method :initialize_without_security, :initialize
+    
+              def initialize(db, sql)
+                retval = nil
+                event = initialize_on_enter(db, sql) { retval = initialize_without_security(db, sql) }
+                initialize_on_exit(event, retval, sql) { return retval }
+              end
+
+              alias_method :bind_params_without_security, :bind_params
+
+              def bind_params(*bind_vars)
+                retval = nil
+                event = bind_params_on_enter(*bind_vars) { retval = bind_params_without_security(*bind_vars) }
+                bind_params_on_exit(event) { return retval }
+              end
+
+              alias_method :execute_without_security, :execute
+
+              def execute(*bind_vars)
+                retval = nil
+                event = execute_on_enter(*bind_vars) { retval = execute_without_security(*bind_vars) }
+                execute_on_exit(event) { return retval }
+              end
+              
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/newrelic_security/instrumentation-security/sqlite3/instrumentation.rb

@@ -0,0 +1,164 @@
+require_relative 'prepend'
+require_relative 'chain'
+
+module NewRelic::Security
+  module Instrumentation
+    module SQLite3::Database
+      # TODO: When bind_param(index, value) is called and then execute is called directly in such case bind_params found are nil because bind_param method is in ext c file.
+      def execute_on_enter(sql, bind_vars, *args)
+        event = nil
+        NewRelic::Security::Agent.logger.debug "OnEnter : #{self.class}.#{__method__}"
+        hash = {}
+        hash[:sql] = sql
+        hash[:parameters] = bind_vars.is_a?(String) ? [bind_vars] : bind_vars.map(&:to_s)
+        hash[:parameters] = hash[:parameters] + args.map(&:to_s) unless args.empty?
+        event = NewRelic::Security::Agent::Control::Collector.collect(SQL_DB_COMMAND, [hash], SQLITE) unless NewRelic::Security::Instrumentation::InstrumentationUtils.sql_filter_events?(hash[:sql])
+      rescue => exception
+        NewRelic::Security::Agent.logger.error "Exception in hook in #{self.class}.#{__method__}, #{exception.inspect}, #{exception.backtrace}"
+      ensure
+        yield
+        return event
+      end
+
+      def execute_on_exit(event)
+        NewRelic::Security::Agent.logger.debug "OnExit :  #{self.class}.#{__method__}"
+        NewRelic::Security::Agent::Utils.create_exit_event(event)
+      rescue => exception
+        NewRelic::Security::Agent.logger.error "Exception in hook in #{self.class}.#{__method__}, #{exception.inspect}, #{exception.backtrace}"
+      ensure
+        yield
+      end
+
+      def execute_batch_on_enter(sql, bind_vars, *args)
+        event = nil
+        NewRelic::Security::Agent.logger.debug "OnEnter : #{self.class}.#{__method__}"
+        hash = {}
+        hash[:sql] = sql
+        hash[:parameters] = bind_vars.is_a?(String) ? [bind_vars] : bind_vars.map(&:to_s)
+        hash[:parameters] = hash[:parameters] + args unless args.empty?
+        event = NewRelic::Security::Agent::Control::Collector.collect(SQL_DB_COMMAND, [hash], SQLITE) unless NewRelic::Security::Instrumentation::InstrumentationUtils.sql_filter_events?(hash[:sql])
+      rescue => exception
+        NewRelic::Security::Agent.logger.error "Exception in hook in #{self.class}.#{__method__}, #{exception.inspect}, #{exception.backtrace}"
+      ensure
+        yield
+        return event
+      end
+
+      def execute_batch_on_exit(event)
+        NewRelic::Security::Agent.logger.debug "OnExit :  #{self.class}.#{__method__}"
+        NewRelic::Security::Agent::Utils.create_exit_event(event)
+      rescue => exception
+        NewRelic::Security::Agent.logger.error "Exception in hook in #{self.class}.#{__method__}, #{exception.inspect}, #{exception.backtrace}"
+      ensure
+        yield
+      end
+
+      def execute_batch2_on_enter(sql)
+        event = nil
+        NewRelic::Security::Agent.logger.debug "OnEnter : #{self.class}.#{__method__}"
+        hash = {}
+        hash[:sql] = sql
+        hash[:parameters] = []
+        event = NewRelic::Security::Agent::Control::Collector.collect(SQL_DB_COMMAND, [hash], SQLITE) unless NewRelic::Security::Instrumentation::InstrumentationUtils.sql_filter_events?(hash[:sql])
+      rescue => exception
+        NewRelic::Security::Agent.logger.error "Exception in hook in #{self.class}.#{__method__}, #{exception.inspect}, #{exception.backtrace}"
+      ensure
+        yield
+        return event
+      end
+
+      def execute_batch2_on_exit(event)
+        NewRelic::Security::Agent.logger.debug "OnExit :  #{self.class}.#{__method__}"
+        NewRelic::Security::Agent::Utils.create_exit_event(event)
+      rescue => exception
+        NewRelic::Security::Agent.logger.error "Exception in hook in #{self.class}.#{__method__}, #{exception.inspect}, #{exception.backtrace}"
+      ensure
+        yield
+      end
+
+    end
+
+    module SQLite3::Statement
+
+      def initialize_on_enter(db, sql)
+        event = nil
+        NewRelic::Security::Agent.logger.debug "OnEnter : #{self.class}.#{__method__}"
+      rescue => exception
+        NewRelic::Security::Agent.logger.error "Exception in hook in #{self.class}.#{__method__}, #{exception.inspect}, #{exception.backtrace}"
+      ensure
+        yield
+        return event
+      end
+
+      def initialize_on_exit(event, retval, sql)
+        NewRelic::Security::Agent.logger.debug "OnExit :  #{self.class}.#{__method__}"
+        NewRelic::Security::Agent::Control::HTTPContext.get_context.cache[retval.object_id] = { :sql => sql } if NewRelic::Security::Agent::Control::HTTPContext.get_context
+      rescue => exception
+        NewRelic::Security::Agent.logger.error "Exception in hook in #{self.class}.#{__method__}, #{exception.inspect}, #{exception.backtrace}"
+      ensure
+        yield
+      end
+
+      def bind_params_on_enter(*bind_vars)
+        event = nil
+        NewRelic::Security::Agent.logger.debug "OnEnter : #{self.class}.#{__method__}"
+        NewRelic::Security::Agent::Control::HTTPContext.get_context.cache[self.object_id][:parameters] = bind_vars.map(&:to_s) if NewRelic::Security::Agent::Control::HTTPContext.get_context && NewRelic::Security::Agent::Control::HTTPContext.get_context.cache.key?(self.object_id)
+      rescue => exception
+        NewRelic::Security::Agent.logger.error "Exception in hook in #{self.class}.#{__method__}, #{exception.inspect}, #{exception.backtrace}"
+      ensure
+        yield
+        return event
+      end
+
+      def bind_params_on_exit(event)
+        NewRelic::Security::Agent.logger.debug "OnExit :  #{self.class}.#{__method__}"
+      rescue => exception
+        NewRelic::Security::Agent.logger.error "Exception in hook in #{self.class}.#{__method__}, #{exception.inspect}, #{exception.backtrace}"
+      ensure
+        yield
+      end
+
+      def execute_on_enter(*bind_vars)
+        event = nil
+        NewRelic::Security::Agent.logger.debug "OnEnter : #{self.class}.#{__method__}"
+        ic_args = []
+        key = self.object_id
+        if NewRelic::Security::Agent::Control::HTTPContext.get_context && NewRelic::Security::Agent::Control::HTTPContext.get_context.cache.key?(self.object_id)
+          if bind_vars.length == 0
+            ic_args.push(NewRelic::Security::Agent::Control::HTTPContext.get_context.cache[key])
+          else
+            hash = {}
+            hash[:sql] = NewRelic::Security::Agent::Control::HTTPContext.get_context.cache[key][:sql]
+            hash[:parameters] = bind_vars.map(&:to_s)
+            ic_args.push(hash)
+          end
+        end
+        if ic_args[0].has_key?(:sql)
+          event = NewRelic::Security::Agent::Control::Collector.collect(SQL_DB_COMMAND, ic_args, SQLITE) unless NewRelic::Security::Instrumentation::InstrumentationUtils.sql_filter_events?(ic_args[0][:sql])
+        else
+          event = NewRelic::Security::Agent::Control::Collector.collect(SQL_DB_COMMAND, ic_args, SQLITE)
+        end
+        NewRelic::Security::Agent::Control::HTTPContext.get_context.cache.delete(key) if NewRelic::Security::Agent::Control::HTTPContext.get_context
+      rescue => exception
+        NewRelic::Security::Agent.logger.error "Exception in hook in #{self.class}.#{__method__}, #{exception.inspect}, #{exception.backtrace}"
+      ensure
+        yield
+        return event
+      end
+
+      def execute_on_exit(event)
+        NewRelic::Security::Agent.logger.debug "OnExit :  #{self.class}.#{__method__}"
+        NewRelic::Security::Agent::Utils.create_exit_event(event)
+      rescue => exception
+        NewRelic::Security::Agent.logger.error "Exception in hook in #{self.class}.#{__method__}, #{exception.inspect}, #{exception.backtrace}"
+      ensure
+        yield
+      end
+
+    end
+
+  end
+end
+
+NewRelic::Security::Instrumentation::InstrumentationLoader.install_instrumentation(:sqlite3, ::SQLite3::Database, ::NewRelic::Security::Instrumentation::SQLite3::Database)
+NewRelic::Security::Instrumentation::InstrumentationLoader.install_instrumentation(:sqlite3, ::SQLite3::Statement, ::NewRelic::Security::Instrumentation::SQLite3::Statement)

data/lib/newrelic_security/instrumentation-security/sqlite3/prepend.rb

@@ -0,0 +1,56 @@
+module NewRelic::Security
+  module Instrumentation
+    module SQLite3
+      module Database
+        module Prepend
+          include NewRelic::Security::Instrumentation::SQLite3::Database
+
+          def execute(sql, bind_vars = [], *args, &block)
+            retval = nil
+            event = execute_on_enter(sql, bind_vars, *args) { retval = super }
+            execute_on_exit(event) { return retval }
+          end
+
+          def execute_batch(sql, bind_vars = [], *args)
+            retval = nil
+            event = execute_batch_on_enter(sql, bind_vars, *args) { retval = super }
+            execute_batch_on_exit(event) { return retval }
+          end
+
+          if ::SQLite3::VERSION >= '1.4'
+            def execute_batch2(sql, &block)
+              retval = nil
+              event = execute_batch2_on_enter(sql) { retval = super }
+              execute_batch2_on_exit(event) { return retval }
+            end
+          end
+        end
+      end
+
+      module Statement
+        module Prepend
+          include NewRelic::Security::Instrumentation::SQLite3::Statement
+
+          def initialize(db, sql)
+            retval = nil
+            event = initialize_on_enter(db, sql) { retval = super }
+            initialize_on_exit(event, retval, sql) { return retval }
+          end
+
+          def bind_params(*bind_vars)
+            retval = nil
+            event = bind_params_on_enter(*bind_vars) { retval = super }
+            bind_params_on_exit(event) { return retval }
+          end
+
+          def execute(*bind_vars)
+            retval = nil
+            event = execute_on_enter(*bind_vars) { retval = super }
+            execute_on_exit(event) { return retval }
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/newrelic_security/newrelic-security-api/api.rb

@@ -0,0 +1,72 @@
+module NewRelic::Security
+  #
+  # This module contains most of the public API methods for the Ruby Security Agent.
+  #
+  # @api public
+  # 
+  module API
+
+    #
+    # Check whether security is enabled
+    #
+    # @return [Boolean] true if security is enabled else false
+    #
+    # @api public
+    # 
+    def is_security_active?
+      NewRelic::Security::Agent.config[:'agent.enabled'] && NewRelic::Security::Agent.config[:enabled]
+    end
+
+    #
+    # Manually initializes the security agent
+    #
+    # @param [Hash] Unused options Hash
+    #
+    # @return [nil] 
+    # 
+    # @api public
+    #
+    def manual_start(options = {})
+      raise "Options must be a hash" unless Hash === options
+      NewRelic::Security::Agent.config.enable_security
+      NewRelic::Security::Agent.agent.init
+    end
+
+    #
+    # Deactivates security and stops sending events to security engine
+    #
+    # @return [nil]
+    #
+    # @api public
+    # 
+    def deactivate_security
+      NewRelic::Security::Agent.config.disable_security
+    end
+
+    #
+    # Send and event to security engine
+    #
+    # @param [NewRelic::Security::Agent::Control::Event] event IAST event to be sent to validator
+    #
+    # @return [nil] 
+    # 
+    # @api public
+    #
+    def send_event(event)
+      NewRelic::Security::Agent.agent.event_processor.send_event(event)
+    end
+    
+    #
+    # Send and exit event to security engine
+    #
+    # @param [NewRelic::Security::Agent::Control::ExitEvent] exit_event IAST exit event for api call to be sent to validator
+    #
+    # @return [nil] 
+    # 
+    # @api public
+    #
+    def send_exit_event(exit_event)
+      NewRelic::Security::Agent.agent.event_processor.send_exit_event(exit_event)
+    end
+  end
+end

data/lib/newrelic_security/version.rb

@@ -0,0 +1,5 @@
+module NewRelic
+  module Security
+    VERSION = "0.1.0"
+  end
+end

data/lib/newrelic_security/websocket-client-simple/client.rb

@@ -0,0 +1,128 @@
+require_relative 'websocket-ruby/lib/websocket.rb'
+require 'socket'
+require 'openssl'
+require 'uri'
+require 'newrelic_security/websocket-client-simple/event_emitter'
+
+module NewRelic::Security
+  module WebSocket
+    module Client
+      module Simple
+  
+        def self.connect(url, options={})
+          client = NewRelic::Security::WebSocket::Client::Simple::Client.new
+          yield client if block_given?
+          client.connect url, options
+          return client
+        end
+  
+        class Client
+          include NewRelic::Security::EventEmitter
+          attr_reader :url, :handshake
+
+          def initialize
+            @socket = nil
+          end
+  
+          def connect(url, options={})
+            return if @socket
+            @url = url
+            uri = URI.parse url
+            @socket = TCPSocket.new(uri.host,
+                                    uri.port || (uri.scheme == 'wss' ? 443 : 80))
+            if ['https', 'wss'].include? uri.scheme
+              ctx = OpenSSL::SSL::SSLContext.new
+              ctx.ssl_version = options[:ssl_version] if options[:ssl_version]
+              ctx.verify_mode = options[:verify_mode] if options[:verify_mode]
+              cert_store = options[:cert_store] || OpenSSL::X509::Store.new
+              cert_store.set_default_paths
+              ctx.cert_store = cert_store
+              @socket = ::OpenSSL::SSL::SSLSocket.new(@socket, ctx)
+              @socket.sync_close = true
+              @socket.hostname = uri.host
+              @socket.connect
+            end
+            @handshake = NewRelic::Security::WebSocket::Handshake::Client.new :url => url, :headers => options[:headers]
+            @handshaked = false
+            @pipe_broken = false
+            frame = NewRelic::Security::WebSocket::Frame::Incoming::Client.new
+            @closed = false
+            once :__close do |err|
+              close
+              emit :close, err
+            end
+  
+            @thread = Thread.new do
+              while !@closed do
+                begin
+                  unless recv_data = @socket.getc
+                    sleep 1
+                    next
+                  end
+                  unless @handshaked
+                    @handshake << recv_data
+                    if @handshake.finished?
+                      @handshaked = true
+                      emit :open
+                    end
+                  else
+                    frame << recv_data
+                    while msg = frame.next
+                      emit :message, msg
+                    end
+                  end
+                rescue IOError => e
+                  close false
+                rescue => e
+                  emit :error, e
+                end
+              end
+            end
+  
+            @socket.write @handshake.to_s
+          end
+  
+          def send(data, opt={:type => :text})
+            return if !@handshaked or @closed
+            type = opt[:type]
+            frame = NewRelic::Security::WebSocket::Frame::Outgoing::Client.new(:data => data, :type => type, :version => @handshake.version)
+            begin
+              @socket.write frame.to_s
+            rescue IOError => e
+              @pipe_broken = true
+              emit :__close, e
+            rescue Errno::EPIPE => e
+              @pipe_broken = true
+              emit :__close, e
+            rescue OpenSSL::SSL::SSLError => e
+              @pipe_broken = true
+              emit :__close, e
+            end
+          end
+  
+          def close(reconnect = true)
+            return if @closed
+            if !@pipe_broken
+              send nil, :type => :close
+            end
+            @closed = true
+            @socket.close if @socket
+            @socket = nil
+            emit :__close, reconnect
+            Thread.kill @thread if @thread
+          end
+  
+          def open?
+            @handshake&.finished? and !@closed
+          end
+  
+          def closed?
+            @closed
+          end
+  
+        end
+  
+      end
+    end
+  end
+end

data/lib/newrelic_security/websocket-client-simple/event_emitter.rb

@@ -0,0 +1,72 @@
+module NewRelic::Security  
+  module EventEmitter
+    def self.included(klass)
+      # klass.extend ClassMethods
+      klass.__send__ :include, InstanceMethods
+    end
+
+    def self.apply(object)
+      object.extend InstanceMethods
+    end
+
+    module ClassMethods
+    end
+
+    module InstanceMethods
+      def __events
+        @__events ||= []
+      end
+
+      def add_listener(type, params={}, &block)
+        raise ArgumentError, 'listener block not given' unless block_given?
+        id = __events.empty? ? 0 : __events.last[:id]+1
+        __events << {
+          :type => type.to_sym,
+          :listener => block,
+          :params => params,
+          :id => id
+        }
+        id
+      end
+
+      alias :on :add_listener
+
+      def remove_listener(id_or_type)
+        if id_or_type.is_a? Integer
+          __events.delete_if do |e|
+            e[:id] == id_or_type
+          end
+        elsif [String, Symbol].include? id_or_type.class
+          __events.delete_if do |e|
+            e[:type] == id_or_type.to_sym
+          end
+        end
+      end
+
+      def emit(type, *data)
+        type = type.to_sym
+        __events.each do |e|
+          case e[:type]
+          when type
+            listener = e[:listener]
+            e[:type] = nil if e[:params][:once]
+            instance_exec(*data, &listener)
+          when :*
+            listener = e[:listener]
+            e[:type] = nil if e[:params][:once]
+            instance_exec(type, *data, &listener)
+          end
+        end
+        __events.each do |e|
+          remove_listener e[:id] unless e[:type]
+        end
+      end
+
+      def once(type, &block)
+        add_listener type, {:once => true}, &block
+      end
+
+    end
+
+  end
+end