RubyGems - sqreen - Versions diffs - 1.19.0 → 1.20.1 - Mend

sqreen 1.19.0 → 1.20.1

Files changed (42) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +22 -0
data/lib/sqreen/agent_message.rb +20 -0
data/lib/sqreen/aggregated_metric.rb +25 -0
data/lib/sqreen/ca.crt +24 -0
data/lib/sqreen/configuration.rb +10 -4
data/lib/sqreen/deliveries/batch.rb +4 -1
data/lib/sqreen/deliveries/simple.rb +4 -0
data/lib/sqreen/endpoint_testing.rb +184 -0
data/lib/sqreen/event.rb +7 -5
data/lib/sqreen/events/attack.rb +23 -18
data/lib/sqreen/events/remote_exception.rb +0 -22
data/lib/sqreen/events/request_record.rb +15 -70
data/lib/sqreen/frameworks/request_recorder.rb +13 -2
data/lib/sqreen/kit/signals/specialized/aggregated_metric.rb +72 -0
data/lib/sqreen/kit/signals/specialized/attack.rb +57 -0
data/lib/sqreen/kit/signals/specialized/binning_metric.rb +76 -0
data/lib/sqreen/kit/signals/specialized/http_trace.rb +26 -0
data/lib/sqreen/kit/signals/specialized/sdk_track_call.rb +50 -0
data/lib/sqreen/kit/signals/specialized/sqreen_exception.rb +57 -0
data/lib/sqreen/legacy/old_event_submission_strategy.rb +221 -0
data/lib/sqreen/legacy/waf_redactions.rb +49 -0
data/lib/sqreen/log/loggable.rb +1 -1
data/lib/sqreen/metrics/base.rb +3 -0
data/lib/sqreen/metrics_store.rb +22 -12
data/lib/sqreen/performance_notifications/binned_metrics.rb +8 -2
data/lib/sqreen/rules.rb +4 -2
data/lib/sqreen/rules/not_found_cb.rb +2 -0
data/lib/sqreen/rules/rule_cb.rb +2 -0
data/lib/sqreen/rules/waf_cb.rb +13 -10
data/lib/sqreen/runner.rb +75 -8
data/lib/sqreen/sensitive_data_redactor.rb +19 -31
data/lib/sqreen/session.rb +51 -43
data/lib/sqreen/signals/conversions.rb +283 -0
data/lib/sqreen/signals/http_trace_redaction.rb +111 -0
data/lib/sqreen/signals/signals_submission_strategy.rb +78 -0
data/lib/sqreen/version.rb +1 -1
data/lib/sqreen/weave/legacy/instrumentation.rb +7 -7
metadata +50 -6
data/lib/sqreen/backport.rb +0 -9
data/lib/sqreen/backport/clock_gettime.rb +0 -74
data/lib/sqreen/backport/original_name.rb +0 -88

data/lib/sqreen/rules/not_found_cb.rb CHANGED

@@ -24,6 +24,8 @@ module Sqreen
         exception   = env['action_dispatch.exception']
         record_from_env(ua, script_name, path_info, verb, override, host, exception)
+        nil
       end
       def record_from_env(ua, script_name, path_info, verb, override, host, exception)

data/lib/sqreen/rules/rule_cb.rb CHANGED

@@ -61,7 +61,9 @@ module Sqreen
           :infos => infos,
           :rulespack_id => rulespack_id,
           :rule_name => rule_name,
+          :attack_type => @rule['attack_type'], # for signal
           :test => test,
+          :block => @rule['block'], # for signal
           :time => at,
         }
         if payload_tpl.include?('context')

data/lib/sqreen/rules/waf_cb.rb CHANGED

@@ -98,10 +98,10 @@ module Sqreen
         case action
         when :monitor
-          record_event({ 'waf_data' => data })
+          record_event({ waf_data: data })
           advise_action(nil)
         when :block
-          record_event({ 'waf_data' => data })
+          record_event({ waf_data: data })
           advise_action(:raise)
         when :good
           advise_action(nil)
@@ -132,20 +132,23 @@ module Sqreen
       end
       def record_exception(exception, infos = {}, at = Time.now.utc)
-        infos.merge!(exception_to_infos(exception)) if exception.is_a?(Sqreen::WAFError)
+        infos.merge!(waf_infos(exception)) if exception.is_a?(Sqreen::WAFError)
         super(exception, infos, at)
       end
       private
-      def exception_to_infos(e)
+      # see https://github.com/sqreen/TechDoc/blob/master/content/specs/spec000016-waf-integration.md#error-management
+      def waf_infos(e)
         {
-          waf_rule: e.rule_name,
-          error_code: ERROR_CODES[e.error],
-        }.tap do |r|
-          r[:error_data] = e.data if e.data
-          r[:args] = e.args if e.args
-        end
+          waf:  {
+            waf_rule: e.rule_name,
+            error_code: ERROR_CODES[e.error],
+          }.tap do |r|
+            r[:error_data] = e.data if e.data
+            r[:args] = e.args if e.arg
+          end,
+        }
       end
       ERROR_CODES = {

data/lib/sqreen/runner.rb CHANGED

@@ -11,6 +11,7 @@ require 'sqreen/events/attack'
 require 'sqreen/log'
+require 'sqreen/agent_message'
 require 'sqreen/rules'
 require 'sqreen/session'
 require 'sqreen/remote_command'
@@ -18,11 +19,13 @@ require 'sqreen/capped_queue'
 require 'sqreen/metrics_store'
 require 'sqreen/deliveries/simple'
 require 'sqreen/deliveries/batch'
+require 'sqreen/endpoint_testing'
 require 'sqreen/performance_notifications/metrics'
 require 'sqreen/performance_notifications/binned_metrics'
 require 'sqreen/legacy/instrumentation'
 require 'sqreen/call_countable'
 require 'sqreen/weave/legacy/instrumentation'
+require 'sqreen/kit/configuration'
 module Sqreen
   @features = {}
@@ -37,6 +40,8 @@ module Sqreen
   PERF_METRICS_PERIOD = 60 # 1 min
   DEFAULT_PERF_LEVEL = 0 # disabled
+  DEFAULT_USE_SIGNALS = false
   class << self
     attr_reader :features
     def update_features(features)
@@ -87,7 +92,9 @@ module Sqreen
     attr_accessor :heartbeat_delay
     attr_accessor :metrics_engine
+    # @return [Sqreen::Deliveries::Simple]
     attr_reader :deliverer
+    # @return [Sqreen::Session]
     attr_reader :session
     attr_reader :instrumenter
     attr_accessor :running
@@ -108,15 +115,24 @@ module Sqreen
       @next_metrics = []
       @running = true
+      @proxy_url = @configuration.get(:proxy_url)
+      chosen_endpoints = determine_endpoints
       @token = @configuration.get(:token)
       @app_name = @configuration.get(:app_name)
-      @url = @configuration.get(:url)
+      @url = chosen_endpoints.control.url
+      @cert_store = chosen_endpoints.control.ca_store
       Sqreen.update_whitelisted_paths([])
       Sqreen.update_whitelisted_ips({})
       Sqreen.update_performance_budget(nil)
-      raise(Sqreen::Exception, 'no url found') unless @url
       raise(Sqreen::TokenNotFoundException, 'no token found') unless @token
+      Sqreen::Kit::Configuration.logger = Sqreen.log
+      Sqreen::Kit::Configuration.ingestion_url = chosen_endpoints.ingestion.url
+      Sqreen::Kit::Configuration.certificate_store = chosen_endpoints.ingestion.ca_store
+      Sqreen::Kit::Configuration.proxy_url = @proxy_url
       register_exit_cb if set_at_exit
       self.metrics_engine = MetricsStore.new
@@ -133,6 +149,7 @@ module Sqreen
       Sqreen.log.debug "Using token #{@token}"
       response = create_session(session_class)
+      post_endpoint_testing_msgs(chosen_endpoints)
       wanted_features = response.fetch('features', {})
       conf_initial_features = configuration.get(:initial_features)
       unless conf_initial_features.nil?
@@ -142,10 +159,10 @@ module Sqreen
           Sqreen.log.debug do
             "Override initial features with #{conf_features.inspect}"
           end
-          wanted_features = conf_features
+          wanted_features = wanted_features.merge(conf_features)
         rescue
           Sqreen.log.warn do
-            "NOT using invalid inital features #{conf_initial_features}"
+            "NOT using invalid initial features #{conf_initial_features}"
           end
         end
       end
@@ -161,7 +178,7 @@ module Sqreen
     end
     def create_session(session_class)
-      @session = session_class.new(@url, @token, @app_name)
+      @session = session_class.new(@url, @cert_store, @token, @app_name, @proxy_url)
       session.login(@framework)
     end
@@ -170,8 +187,18 @@ module Sqreen
       @deliverer = new_deliverer
     end
-    def batch_events(batch_size, max_staleness = nil)
+    def batch_events(batch_size, max_staleness = nil, use_signals = false)
       size = batch_size.to_i
+      if size <= 1 && use_signals
+        Sqreen.log.warn do
+          "Using signals with no delivery batching is unsupported. " \
+          "Using instead batching with batch size = 30, max_staleness = 60"
+        end
+        size = 30
+        max_staleness = 60
+      end
       self.deliverer = if size < 1
                          Deliveries::Simple.new(session)
                        else
@@ -301,19 +328,37 @@ module Sqreen
     def do_heartbeat
       @last_heartbeat_request = Time.now
       @next_metrics.concat(metrics_engine.publish(false)) if metrics_engine
-      res = session.heartbeat(next_command_results, next_metrics)
+      metrics_in_hb = use_signals? ? nil : next_metrics
+      res = session.heartbeat(next_command_results, metrics_in_hb)
       next_command_results.clear
+      deliver_metrics_as_event if use_signals?
       next_metrics.clear
       process_commands(res['commands'])
     end
+    def deliver_metrics_as_event
+      # this is disastrous withe simple delivery strategy,
+      # as each aggregated metric would trigger an http request
+      # Sending of metrics is therefore not supported with simple delivery strategy
+      # TODO: Confirm that only batch is used in production
+      next_metrics.each { |x| deliverer.post_event(x) }
+    end
     def features(_context_infos = {})
       Sqreen.features
     end
+    def use_signals?
+      features.fetch('use_signals', DEFAULT_USE_SIGNALS)
+    end
     def features=(features)
       Sqreen.update_features(features)
       session.request_compression = features['request_compression'] if session
+      session.use_signals = use_signals?
       self.performance_metrics_period = features['performance_metrics_period']
       unless @configuration.get(:weave)
@@ -331,7 +376,7 @@ module Sqreen
       hd = features['heartbeat_delay'].to_i
       self.heartbeat_delay = hd if hd > 0
       return if features['batch_size'].nil?
-      batch_events(features['batch_size'], features['max_staleness'])
+      batch_events(features['batch_size'], features['max_staleness'], use_signals?)
     end
     def change_whitelisted_paths(paths, _context_infos = {})
@@ -470,6 +515,28 @@ module Sqreen
     private
+    def post_endpoint_testing_msgs(chosen_endpoints)
+      chosen_endpoints.messages.each do |msg|
+        session.post_agent_message(@framework, msg)
+      end
+    rescue => e
+      Sqreen.log.warn "Error submitting agent message: #{e}"
+      RemoteException.record(e)
+    end
+    def determine_endpoints
+      # there's no sniffing going on; just a misnamed config setting
+      if @configuration.get(:no_sniff_domains)
+        # reproduces behaviour before endpoint testing was introduced
+        EndpointTesting.no_test_endpoints(@configuration.get(:url),
+                                          @configuration.get(:ingestion_url))
+      else
+        EndpointTesting.test_endpoints(@proxy_url,
+                                       @configuration.get(:url),
+                                       @configuration.get(:ingestion_url))
+      end
+    end
     def load_actions(hashes)
       unsupported = Set.new

data/lib/sqreen/sensitive_data_redactor.rb CHANGED

@@ -61,7 +61,7 @@ module Sqreen
         obj.each do |k, v|
           ck = k.is_a?(String) ? k.downcase : k
           if @keys.include?(ck)
-            redacted << v
+            redacted += SensitiveDataRedactor.all_strings(v)
             v = MASK
           else
             v, r = redact(v)
@@ -74,39 +74,27 @@ module Sqreen
       [result, redacted]
     end
-    def redact_attacks!(attacks, values)
-      return attacks if values.empty?
-      values = values.map { |v| v.downcase if v.is_a?(String) }
-      attacks.each do |e|
-        next(e) unless e[:infos]
-        next(e) unless e[:infos][:waf_data]
-        parsed = JSON.parse(e[:infos][:waf_data])
-        redacted = parsed.each do |w|
-          next unless (filters = w['filter'])
-          filters.each do |f|
-            next unless (v = f['resolved_value'])
-            next unless values.include?(v.downcase)
+    class << self
+      def all_strings(v)
+        accum = []
+        all_strings_impl(v, accum)
+        accum
+      end
-            f['match_status'] = MASK
-            f['resolved_value'] = MASK
+      private
+      def all_strings_impl(obj, accum)
+        case obj
+        when String
+          accum << obj
+        when Array
+          obj.each { |el| all_strings_impl(el, accum) }
+        when Hash
+          obj.each do |k, v|
+            all_strings_impl(k, accum)
+            all_strings_impl(v, accum)
           end
         end
-        e[:infos][:waf_data] = JSON.dump(redacted)
-      end
-    end
-    def redact_exceptions!(exceptions, values)
-      return exceptions if values.empty?
-      exceptions.each do |e|
-        next(e) unless e[:infos]
-        next(e) unless e[:infos][:waf]
-        e[:infos][:waf].delete(:args)
       end
     end
   end

data/lib/sqreen/session.rb CHANGED

@@ -11,6 +11,10 @@ require 'sqreen/events/attack'
 require 'sqreen/events/request_record'
 require 'sqreen/exception'
 require 'sqreen/safe_json'
+require 'sqreen/kit'
+require 'sqreen/kit/configuration'
+require 'sqreen/signals/signals_submission_strategy'
+require 'sqreen/legacy/old_event_submission_strategy'
 require 'net/https'
 require 'uri'
@@ -41,13 +45,12 @@ module Sqreen
     RETRY_MANY = 301
     MUTEX = Mutex.new
-    METRICS_KEY = 'metrics'.freeze
     @@path_prefix = '/sqreen/v0/'
     attr_accessor :request_compression
-    def initialize(server_url, token, app_name = nil)
+    def initialize(server_url, cert_store, token, app_name = nil, proxy_url = nil)
       @token = token
       @app_name = app_name
       @session_id = nil
@@ -59,15 +62,29 @@ module Sqreen
       uri = parse_uri(server_url)
       use_ssl = (uri.scheme == 'https')
+      proxy_params = []
+      if proxy_url
+        proxy_uri = parse_uri(proxy_url)
+        proxy_params = [proxy_uri.host, proxy_uri.port, proxy_uri.user, proxy_uri.password]
+      end
       @req_nb = 0
-      @http = Net::HTTP.new(uri.host, uri.port)
+      @http = Net::HTTP.new(uri.host, uri.port, *proxy_params)
       @http.use_ssl = use_ssl
-      if use_ssl
-        cert_file = File.join(File.dirname(__FILE__), 'ca.crt')
-        cert_store = OpenSSL::X509::Store.new
-        cert_store.add_file cert_file
-        @http.cert_store = cert_store
+      @http.verify_mode = OpenSSL::SSL::VERIFY_NONE if ENV['SQREEN_SSL_NO_VERIFY'] # for testing
+      @http.cert_store = cert_store if use_ssl
+      self.use_signals = false
+    end
+    def use_signals=(do_use)
+      return if do_use == @use_signals
+      @use_signals = do_use
+      if do_use
+        @evt_sub_strategy = Sqreen::Signals::SignalsSubmissionStrategy.new
+      else
+        @evt_sub_strategy = Sqreen::Legacy::OldEventSubmissionStrategy.new(method(:post))
       end
     end
@@ -218,10 +235,7 @@ module Sqreen
     end
     def login(framework)
-      headers = {
-        'x-api-key'  => @token,
-        'x-app-name' => @app_name || framework.application_name,
-      }.reject { |k, v| v ==  nil }
+      headers = prelogin_auth_headers(framework)
       Sqreen.log.warn "Using app name: #{headers['x-app-name']}"
@@ -235,6 +249,8 @@ module Sqreen
       end
       Sqreen.log.info 'Login success.'
       @session_id = res['session_id']
+      Kit::Configuration.session_key = @session_id
+      Kit.reset
       Sqreen.log.debug { "received session_id #{@session_id}" }
       Sqreen.logged_in = true
       res
@@ -246,20 +262,24 @@ module Sqreen
     def heartbeat(cmd_res = {}, metrics = [])
       payload = {}
-      payload['metrics'] = metrics unless metrics.nil? || metrics.empty?
+      unless metrics.nil? || metrics.empty?
+        # never reached with signals
+        payload['metrics'] = metrics.map do |m|
+          Sqreen::Legacy::EventToHash.convert_agg_metric(m)
+        end
+      end
       payload['command_results'] = cmd_res unless cmd_res.nil? || cmd_res.empty?
       post('app-beat', payload.empty? ? nil : payload, {}, RETRY_MANY)
     end
     def post_metrics(metrics)
-      return if metrics.nil? || metrics.empty?
-      payload = { METRICS_KEY => metrics }
-      post(METRICS_KEY, payload, {}, RETRY_MANY)
+      @evt_sub_strategy.post_metrics(metrics)
     end
+    # XXX never called
     def post_attack(attack)
-      post('attack', attack.to_hash, {}, RETRY_MANY)
+      @evt_sub_strategy.post_attack(attack)
     end
     def post_bundle(bundle_sig, dependencies)
@@ -271,33 +291,22 @@ module Sqreen
     end
     def post_request_record(request_record)
-      post('request_record', request_record.to_hash, {}, RETRY_MANY)
+      @evt_sub_strategy.post_request_record(request_record)
     end
     # Post an exception to Sqreen for analysis
     # @param exception [RemoteException] Exception and context to be sent over
     def post_sqreen_exception(exception)
-      post('sqreen_exception', exception.to_hash, {}, 5)
-    rescue StandardError => e
-      Sqreen.log.warn(format('Could not post exception (network down? %s) %s',
-                             e.inspect,
-                             exception.to_hash.inspect))
-      nil
+      @evt_sub_strategy.post_sqreen_exception(exception)
     end
-    BATCH_KEY = 'batch'.freeze
-    EVENT_TYPE_KEY = 'event_type'.freeze
     def post_batch(events)
-      batch = events.map do |event|
-        h = event.to_hash
-        h[EVENT_TYPE_KEY] = event_kind(event)
-        h
-      end
-      Sqreen.log.debug do
-        tally = Hash[events.group_by(&:class).map{ |k,v| [k, v.count] }]
-        "Doing batch with the following tally of event types: #{tally}"
-      end
-      post(BATCH_KEY, { BATCH_KEY => batch }, {}, RETRY_MANY)
+      @evt_sub_strategy.post_batch(events)
+    end
+    def post_agent_message(framework, agent_message)
+      headers = prelogin_auth_headers(framework)
+      post('app_agent_message', agent_message.to_h, headers, 0)
     end
     # Perform agent logout
@@ -314,14 +323,13 @@ module Sqreen
       disconnect
     end
-    protected
+    private
-    def event_kind(event)
-      case event
-      when Sqreen::RemoteException then 'sqreen_exception'
-      when Sqreen::Attack then 'attack'
-      when Sqreen::RequestRecord then 'request_record'
-      end
+    def prelogin_auth_headers(framework)
+      {
+        'x-api-key' => @token,
+        'x-app-name' => @app_name || framework.application_name,
+      }.reject { |_k, v| v == nil }
     end
   end
 end