RubyGems - sqreen - Versions diffs - 1.19.1-java → 1.21.0.beta3-java - Mend

sqreen 1.19.1-java → 1.21.0.beta3-java

Files changed (101) hide show

checksums.yaml +5 -5
data/CHANGELOG.md +34 -0
data/lib/sqreen/actions/block_user.rb +1 -1
data/lib/sqreen/actions/redirect_ip.rb +1 -1
data/lib/sqreen/actions/redirect_user.rb +1 -1
data/lib/sqreen/agent_message.rb +20 -0
data/lib/sqreen/aggregated_metric.rb +25 -0
data/lib/sqreen/attack_detected.html +1 -2
data/lib/sqreen/ca.crt +24 -0
data/lib/sqreen/condition_evaluator.rb +9 -2
data/lib/sqreen/conditionable.rb +24 -6
data/lib/sqreen/configuration.rb +11 -5
data/lib/sqreen/deferred_logger.rb +50 -14
data/lib/sqreen/deliveries/batch.rb +12 -2
data/lib/sqreen/deliveries/simple.rb +4 -0
data/lib/sqreen/deprecation.rb +38 -0
data/lib/sqreen/ecosystem.rb +96 -0
data/lib/sqreen/ecosystem/dispatch_table.rb +43 -0
data/lib/sqreen/ecosystem/exception_reporting.rb +26 -0
data/lib/sqreen/ecosystem/http/net_http.rb +50 -0
data/lib/sqreen/ecosystem/http/rack_request.rb +39 -0
data/lib/sqreen/ecosystem/loggable.rb +13 -0
data/lib/sqreen/ecosystem/module_api.rb +30 -0
data/lib/sqreen/ecosystem/module_api/event_listener.rb +18 -0
data/lib/sqreen/ecosystem/module_api/instrumentation.rb +23 -0
data/lib/sqreen/ecosystem/module_api/message_producer.rb +51 -0
data/lib/sqreen/ecosystem/module_api/signal_producer.rb +24 -0
data/lib/sqreen/ecosystem/module_api/tracing.rb +45 -0
data/lib/sqreen/ecosystem/module_api/tracing/client_data.rb +31 -0
data/lib/sqreen/ecosystem/module_api/tracing/server_data.rb +27 -0
data/lib/sqreen/ecosystem/module_api/tracing_id_generation.rb +16 -0
data/lib/sqreen/ecosystem/module_api/transaction_storage.rb +71 -0
data/lib/sqreen/ecosystem/module_registry.rb +44 -0
data/lib/sqreen/ecosystem/redis/redis_connection.rb +43 -0
data/lib/sqreen/ecosystem/tracing/modules/client.rb +31 -0
data/lib/sqreen/ecosystem/tracing/modules/server.rb +30 -0
data/lib/sqreen/ecosystem/tracing/sampler.rb +160 -0
data/lib/sqreen/ecosystem/tracing/sampling_configuration.rb +150 -0
data/lib/sqreen/ecosystem/tracing/signals/tracing_client.rb +53 -0
data/lib/sqreen/ecosystem/tracing/signals/tracing_server.rb +53 -0
data/lib/sqreen/ecosystem/tracing_broker.rb +101 -0
data/lib/sqreen/ecosystem/tracing_id_setup.rb +34 -0
data/lib/sqreen/ecosystem/transaction_storage.rb +64 -0
data/lib/sqreen/ecosystem/util/call_writers_from_init.rb +13 -0
data/lib/sqreen/ecosystem_integration.rb +87 -0
data/lib/sqreen/ecosystem_integration/around_callbacks.rb +99 -0
data/lib/sqreen/ecosystem_integration/instrumentation_service.rb +42 -0
data/lib/sqreen/ecosystem_integration/request_lifecycle_tracking.rb +58 -0
data/lib/sqreen/ecosystem_integration/signal_consumption.rb +35 -0
data/lib/sqreen/endpoint_testing.rb +184 -0
data/lib/sqreen/event.rb +7 -5
data/lib/sqreen/events/attack.rb +23 -18
data/lib/sqreen/events/remote_exception.rb +0 -22
data/lib/sqreen/events/request_record.rb +15 -71
data/lib/sqreen/frameworks/generic.rb +24 -1
data/lib/sqreen/frameworks/rails.rb +0 -7
data/lib/sqreen/frameworks/request_recorder.rb +15 -2
data/lib/sqreen/graft/call.rb +106 -19
data/lib/sqreen/graft/callback.rb +1 -1
data/lib/sqreen/graft/hook.rb +212 -100
data/lib/sqreen/graft/hook_point.rb +18 -11
data/lib/sqreen/kit/signals/specialized/aggregated_metric.rb +72 -0
data/lib/sqreen/kit/signals/specialized/attack.rb +57 -0
data/lib/sqreen/kit/signals/specialized/binning_metric.rb +76 -0
data/lib/sqreen/kit/signals/specialized/http_trace.rb +26 -0
data/lib/sqreen/kit/signals/specialized/sdk_track_call.rb +50 -0
data/lib/sqreen/kit/signals/specialized/sqreen_exception.rb +57 -0
data/lib/sqreen/legacy/instrumentation.rb +22 -10
data/lib/sqreen/legacy/old_event_submission_strategy.rb +228 -0
data/lib/sqreen/legacy/waf_redactions.rb +49 -0
data/lib/sqreen/log.rb +3 -2
data/lib/sqreen/log/loggable.rb +2 -1
data/lib/sqreen/logger.rb +24 -0
data/lib/sqreen/metrics.rb +1 -0
data/lib/sqreen/metrics/base.rb +3 -0
data/lib/sqreen/metrics/req_detailed.rb +41 -0
data/lib/sqreen/metrics_store.rb +33 -12
data/lib/sqreen/null_logger.rb +22 -0
data/lib/sqreen/performance_notifications/binned_metrics.rb +8 -2
data/lib/sqreen/remote_command.rb +4 -0
data/lib/sqreen/rules.rb +12 -6
data/lib/sqreen/rules/blacklist_ips_cb.rb +2 -2
data/lib/sqreen/rules/custom_error_cb.rb +3 -3
data/lib/sqreen/rules/not_found_cb.rb +2 -0
data/lib/sqreen/rules/rule_cb.rb +6 -2
data/lib/sqreen/rules/waf_cb.rb +16 -13
data/lib/sqreen/runner.rb +138 -16
data/lib/sqreen/sensitive_data_redactor.rb +19 -31
data/lib/sqreen/session.rb +53 -43
data/lib/sqreen/signals/conversions.rb +288 -0
data/lib/sqreen/signals/http_trace_redaction.rb +111 -0
data/lib/sqreen/signals/signals_submission_strategy.rb +78 -0
data/lib/sqreen/version.rb +1 -1
data/lib/sqreen/weave/budget.rb +35 -0
data/lib/sqreen/weave/legacy/instrumentation.rb +277 -135
data/lib/sqreen/worker.rb +6 -2
metadata +86 -10
data/lib/sqreen/backport.rb +0 -9
data/lib/sqreen/backport/clock_gettime.rb +0 -74
data/lib/sqreen/backport/original_name.rb +0 -88
data/lib/sqreen/encoding_sanitizer.rb +0 -27

data/lib/sqreen/ecosystem/util/call_writers_from_init.rb ADDED

@@ -0,0 +1,13 @@
+module Sqreen
+  module Ecosystem
+    module Util
+      module CallWritersFromInit
+        def initialize(values = {})
+          values.each do |attr, val|
+            public_send("#{attr}=", val)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/sqreen/ecosystem_integration.rb ADDED

@@ -0,0 +1,87 @@
+require 'sqreen/log/loggable'
+require 'sqreen/metrics_store'
+require 'sqreen/ecosystem'
+require 'sqreen/ecosystem/dispatch_table'
+require 'sqreen/ecosystem_integration/around_callbacks'
+require 'sqreen/ecosystem_integration/instrumentation_service'
+require 'sqreen/ecosystem_integration/request_lifecycle_tracking'
+require 'sqreen/ecosystem_integration/signal_consumption'
+module Sqreen
+  # This class is the interface through which the agent interacts
+  # with the ecosystem.
+  #
+  # Other classes in the EcosystemIntegration module implement the
+  # functionality that the ecosystem requires in order to deliver
+  # data to the agent and to be informed by the agent of certain
+  # key events (see Sqreen::Ecosystem::DispatchTable).
+  class EcosystemIntegration
+    include Sqreen::Log::Loggable
+    # @param [Sqreen::Framework] framework
+    # @param [Proc] create_binning_metric
+    def initialize(framework, queue, create_binning_metric)
+      @framework = framework
+      @queue = queue
+      # XXX: created metrics are insulated from feature upgrades
+      @create_binning_metric = create_binning_metric
+      @request_lifecycle = RequestLifecycleTracking.new
+      @online = false
+    end
+    def init
+      raise 'already initialized' if @online
+      setup_dispatch_table
+      AroundCallbacks.create_metric = @create_binning_metric
+      Ecosystem.init
+      logger.info 'Ecosystem successfully initialized'
+      @online = true
+    rescue ::Exception => e # rubocop:disable Lint/RescueException
+      logger.warn { "Error initializing Ecosystem: #{e.message}" }
+      logger.debug { e.backtrace.map { |x| "  #{x}" }.join("\n") }
+      Sqreen::RemoteException.record(e)
+    end
+    def disable
+      raise NotImplementedYet
+    end
+    def request_start(rack_request)
+      return unless @online
+      Ecosystem.start_transaction
+      @request_lifecycle.notify_request_start(rack_request)
+    end
+    def request_end
+      return unless @online
+      Ecosystem.end_transaction
+    end
+    def handle_tracing_command(trace_id_prefix, scopes_config)
+      return unless @online
+      Ecosystem.configure_sampling(trace_id_prefix, scopes_config)
+    end
+    private
+    def setup_dispatch_table
+      Ecosystem::DispatchTable.consume_signal =
+        create_signal_consumption.method(:consume_signal)
+      Ecosystem::DispatchTable.add_request_start_listener =
+        @request_lifecycle.method(:add_start_observer)
+      Ecosystem::DispatchTable.fetch_logger = lambda { logger }
+      Ecosystem::DispatchTable.instrument = InstrumentationService.method(:instrument)
+    end
+    def create_signal_consumption
+      SignalConsumption.new(@framework, @request_lifecycle, @queue)
+    end
+  end
+end

data/lib/sqreen/ecosystem_integration/around_callbacks.rb ADDED

@@ -0,0 +1,99 @@
+require 'sqreen/metrics_store'
+require 'sqreen/log/loggable'
+require 'sqreen/events/remote_exception'
+require 'sqreen/mono_time'
+require 'sqreen/graft/call'
+module Sqreen
+  class EcosystemIntegration
+    module AroundCallbacks
+      class << self
+        include Log::Loggable::ClassMethods
+        # @return [Proc]
+        attr_accessor :create_metric
+        # for instrumentation hooks
+        # instrumentation hooks already handle budgets/metrics
+        def wrap_instrumentation_hook(module_name, action, callable)
+          # make tag similar to that of rules
+          # TODO: move to structured tags to avoid silly string manips
+          action_for_metric = if %w[pre post failing finally].include?(action)
+                                action
+                              else
+                                'pre'
+                              end
+          metric_name = "sq.ecosystem_#{module_name}.#{action_for_metric}"
+          create_metric.call(metric_name)
+          Proc.new do |*args|
+            begin
+              callable.call(*args)
+            rescue ::Exception => e # rubocop:disable Lint/RescueException
+              # 2) rescue exceptions
+              logger.warn { "Error in #{module_name}:#{action}: #{e.message}" }
+              logger.debug { e.backtrace.map { |x| "  #{x}" }.join("\n") }
+              Sqreen::RemoteException.record(e)
+            end # end begin
+          end # end proc
+        end
+        # XXX: not used yet
+        def wrap_generic_callback(module_name, action, callable)
+          timer_name = "ecosystem:#{module_name}@#{action}"
+          perf_notif_name = "ecosystem_#{module_name}"
+          # XXX: register metric
+          Proc.new do |*args|
+            begin
+              req_storage = Thread.current[:sqreen_http_request]
+              timer = Graft::Timer.new(timer_name) do |t|
+                # this is an epilogue to measure()
+                req_storage && req_storage[:timed_hooks] << t
+              end
+              req_timer = nil
+              timer.measure do
+                # not in a request, no budget; call cb
+                next callable.call(*args) unless req_storage
+                # 1) budget enforcement
+                # skip callback if budget already expended
+                next if req_storage[:time_budget_expended]
+                budget = req_storage[:time_budget]
+                if budget
+                  req_timer = req_storage[:timer]
+                  remaining = budget - req_timer.elapsed
+                  unless remaining > 0
+                    req_storage[:time_budget_expended] = true
+                    next # skip callback
+                  end
+                end
+                callable.call(*args)
+              end
+            rescue ::Exception => e # rubocop:disable Lint/RescueException
+              # 2) rescue exceptions
+              logger.warn { "Error in #{module_name}:#{action}: #{e.message}" }
+              logger.debug { e.backtrace.map { |x| "  #{x}" }.join("\n") }
+              Sqreen::RemoteException.record(e)
+            ensure
+              # 3) contribute to performance metrics
+              if timer
+                req_timer.include_measurements(timer) if req_timer
+                # XXX: PerformanceNotifications is used no more
+                Sqreen::PerformanceNotifications.notify(
+                  perf_notif_name, action, *timer.start_and_end
+                )
+              end
+            end # end begin
+          end # end proc
+        end
+      end
+    end
+  end
+end

data/lib/sqreen/ecosystem_integration/instrumentation_service.rb ADDED

@@ -0,0 +1,42 @@
+require 'sqreen/graft/hook'
+require 'sqreen/ecosystem_integration/around_callbacks'
+module Sqreen
+  class EcosystemIntegration
+    module InstrumentationService
+      class << self
+        # @param [String] module_name
+        # @param [String] method in form A::B#c or A::B.c
+        # @param [Hash{Symbol=>Proc}] spec
+        def instrument(module_name, method, spec)
+          hook = Sqreen::Graft::Hook[method].add do
+            if spec[:before]
+              cb = AroundCallbacks.wrap_instrumentation_hook(module_name, 'pre', spec[:before])
+              tag = "weave,rule=ecosystem_#{module_name}"
+              before(tag, flow: true, &cb)
+            end
+            if spec[:after]
+              cb = AroundCallbacks.wrap_instrumentation_hook(module_name, 'post', spec[:after])
+              tag = "weave,rule=ecosystem_#{module_name}"
+              after(tag, flow: true, &cb)
+            end
+            if spec[:raised]
+              cb = AroundCallbacks.wrap_instrumentation_hook(module_name, 'failing', spec[:raised])
+              tag = "weave,rule=ecosystem_#{module_name}"
+              raised(tag, flow: true, &cb)
+            end
+            if spec[:ensured]
+              cb = AroundCallbacks.wrap_instrumentation_hook(module_name, 'finally', spec[:ensured])
+              tag = "weave,rule=ecosystem_#{module_name}"
+              ensured(tag, flow: true, &cb)
+            end
+          end
+          hook.install
+        end
+      end
+    end
+  end
+end

data/lib/sqreen/ecosystem_integration/request_lifecycle_tracking.rb ADDED

@@ -0,0 +1,58 @@
+require 'sqreen/events/remote_exception'
+require 'sqreen/log/loggable'
+module Sqreen
+  class EcosystemIntegration
+    # This class gets notified of request start/end and
+    # 1) distributes such events to listeners (typically ecosystem modules;
+    #    the method add_start_observer is exposed to ecosystem modules through
+    #    +Sqreen::Ecosystem::ModuleApi::EventListener+ and the dispatch table).
+    # 2) keeps track of whether a request is active on this thread. This is
+    #    so that users of this class can have this information without needing
+    #    to subscribe to request start/events and keeping thread local state
+    #    themselves.
+    # XXX: Since the Ecosystem is also notified of request start/end, it could
+    # notify its modules of request start without going through the dispatch
+    # table and call add_start_observer. We need to think if we want to keep
+    # the transaction / request distinction or if they should just be
+    # assumed to be the same, though.
+    class RequestLifecycleTracking
+      include Sqreen::Log::Loggable
+      def initialize
+        @start_observers = []
+        @tl_key = "#{object_id}_req_in_flight"
+      end
+      # API for classes needing to know the request state
+      # @param cb A callback taking a Rack::Request
+      def add_start_observer(cb)
+        @start_observers << cb
+      end
+      def in_request?
+        Thread.current[@tl_key] ? true : false
+      end
+      # API for classes notifying this one of request events
+      def notify_request_start(rack_req)
+        Thread.current[@tl_key] = true
+        return if @start_observers.empty?
+        @start_observers.each do |cb|
+          begin
+            cb.call(rack_req)
+          rescue ::Exception => e # rubocop:disable Lint/RescueException
+            logger.warn { "Error calling #{cb} on request start: #{e.message}" }
+            Sqreen::RemoteException.record(e)
+          end
+        end
+      end
+      def notify_request_end
+        Thread.current[@tl_key] = false
+      end
+    end
+  end
+end

data/lib/sqreen/ecosystem_integration/signal_consumption.rb ADDED

@@ -0,0 +1,35 @@
+require 'sqreen/log/loggable'
+module Sqreen
+  class EcosystemIntegration
+    class SignalConsumption
+      include Sqreen::Log::Loggable
+      PAYLOAD_CREATOR_SECTIONS = %w[request response params headers].freeze
+      # @param [Sqreen::Frameworks::GenericFramework] framework
+      # @param [Sqreen::EcosystemIntegration::RequestLifecycleTracking]
+      # @param [Sqreen::CappedQueue]
+      def initialize(framework, req_lifecycle, queue)
+        @framework = framework
+        @req_lifecycle = req_lifecycle
+        @queue = queue
+      end
+      def consume_signal(signal)
+        # transitional
+        unless Sqreen.features.fetch('use_signals', DEFAULT_USE_SIGNALS)
+          logger.debug { "Discarding signal #{signal} (signals disabled)" }
+          return
+        end
+        if @req_lifecycle.in_request?
+          # add it to the request record
+          @framework.observe(:signals, signal, PAYLOAD_CREATOR_SECTIONS, true)
+        else
+          @queue.push signal
+        end
+      end
+    end
+  end
+end

data/lib/sqreen/endpoint_testing.rb ADDED

@@ -0,0 +1,184 @@
+require 'net/https'
+require 'sqreen/agent_message'
+require 'sqreen/log/loggable'
+module Sqreen
+  class EndpointTesting
+    Endpoint = Struct.new(:url, :ca_store)
+    class ChosenEndpoints
+      def initialize
+        @messages = []
+      end
+      # @return [Sqreen::EndpointTesting::Endpoint]
+      attr_accessor :control
+      # @return [Sqreen::EndpointTesting::Endpoint]
+      attr_accessor :ingestion
+      # @return [Array<Sqreen::AgentMessage>]
+      attr_reader :messages
+      # @param [Sqreen::AgentMessage] message
+      def add_message(message)
+        @messages << message
+      end
+    end
+    MAIN_CONTROL_HOST = 'back.sqreen.com'.freeze
+    MAIN_INJECTION_HOST = 'ingestion.sqreen.com'.freeze
+    FALLBACK_ENDPOINT_URL = 'https://back.sqreen.io/'.freeze
+    GLOBAL_TIMEOUT = 30
+    CONTROL_ERROR_KIND = 'back_sqreen_com_unavailable'.freeze
+    INGESTION_ERROR_KIND = 'ingestion_sqreen_com_unavailable'.freeze
+    class << self
+      include Log::Loggable
+      # reproduces behaviour before endpoint testing was introduced
+      def no_test_endpoints(config_url, config_ingestion_url)
+        endpoints = ChosenEndpoints.new
+        endpoints.control = Endpoint.new(
+          config_url || "https://#{MAIN_CONTROL_HOST}/", cert_store
+        )
+        endpoints.ingestion = Endpoint.new(
+          config_ingestion_url || "https://#{MAIN_INJECTION_HOST}/", nil
+        )
+        endpoints
+      end
+      def test_endpoints(proxy_url, config_url, config_ingestion_url)
+        proxy_params = create_proxy_params(proxy_url)
+        # execute the tests in separate threads and wait for them
+        thread_control = Thread.new do
+          thread_main(config_url, proxy_params, MAIN_CONTROL_HOST)
+        end
+        thread_injection = Thread.new do
+          thread_main(config_ingestion_url, proxy_params, MAIN_INJECTION_HOST)
+        end
+        wait_for_threads(thread_control, thread_injection)
+        # build and return result
+        fallback = Endpoint.new(FALLBACK_ENDPOINT_URL, cert_store)
+        endpoints = ChosenEndpoints.new
+        endpoints.control = thread_control[:endpoint] || fallback
+        endpoints.ingestion = thread_injection[:endpoint] || fallback
+        if thread_control[:endpoint_error]
+          msg = AgentMessage.new(CONTROL_ERROR_KIND, thread_control[:endpoint_error])
+          endpoints.add_message msg
+        end
+        if thread_injection[:endpoint_error]
+          msg = AgentMessage.new(INGESTION_ERROR_KIND, thread_injection[:endpoint_error])
+          endpoints.add_message msg
+        end
+        endpoints
+      end
+      private
+      def thread_main(configured_url, proxy_params, host)
+        res = if configured_url
+                Endpoint.new(configured_url, nil)
+              else
+                EndpointTesting.send(:test_with_store_variants, proxy_params, host)
+              end
+        Thread.current[:endpoint] = res
+      rescue StandardError => e
+        Thread.current[:endpoint_error] = e.message
+      end
+      def create_proxy_params(proxy_url)
+        return [] unless proxy_url
+        proxy = URI.parse(proxy_url)
+        return [] unless proxy.scheme == 'http'
+        [proxy.host, proxy.port, proxy.user, proxy.password]
+      end
+      def test_with_store_variants(proxy_params, server_name)
+        # first without custom store
+        do_test(proxy_params, server_name, false)
+      rescue StandardError => _e
+        do_test(proxy_params, server_name, true)
+      end
+      # @param [Array] proxy_params
+      # @param [String] server_name
+      # @param [Boolean] custom_store
+      def do_test(proxy_params, server_name, custom_store)
+        http = Net::HTTP.new(server_name, 443, *proxy_params)
+        http.use_ssl = true
+        http.verify_mode = OpenSSL::SSL::VERIFY_NONE if ENV['SQREEN_SSL_NO_VERIFY']
+        http.verify_callback = lambda do |preverify_ok, ctx|
+          unless preverify_ok
+            logger.warn do
+              "Certificate validation failure for certificate issued to " \
+              "#{ctx.chain[0].subject}: #{ctx.error_string}"
+            end
+          end
+          preverify_ok
+        end
+        http.open_timeout = 13
+        http.ssl_timeout = 7
+        http.read_timeout = 7
+        http.close_on_empty_response = true
+        http.cert_store = cert_store if custom_store
+        resp = http.get('/ping')
+        logger.info do
+          "Got response from #{server_name}'s ping endpoint. " \
+          "Status code is #{resp.code} (custom CA store: #{custom_store})"
+        end
+        unless resp.code == '200'
+          raise "Response code for /ping is #{resp.code}, not 200"
+        end
+        Endpoint.new("https://#{server_name}/", http.cert_store)
+      rescue StandardError => e
+        logger.info do
+          "Error in request to #{server_name} " \
+          "(custom store: #{custom_store}): #{e.message}"
+        end
+        raise "Error in request to #{server_name}: #{e.message}"
+      end
+      def wait_for_threads(thread_control, thread_injection)
+        deadline = Time.now + GLOBAL_TIMEOUT
+        [thread_control, thread_injection].each do |thread|
+          rem = deadline - Time.now
+          rem = 0.1 if rem < 0.1
+          next if thread.join(rem)
+          logger.debug { "Timeout for thread #{thread}" }
+          thread.kill
+          thread[:endpoint_error] = "Timeout doing endpoint testing"
+        end
+      end
+      def cert_store
+        @cert_store ||= begin
+          cert_file = File.join(File.dirname(__FILE__), 'ca.crt')
+          cert_store = OpenSSL::X509::Store.new
+          cert_store.add_file cert_file
+          cert_store
+        end
+      end
+    end
+  end
+end