RubyGems - sqreen - Versions diffs - 1.19.2 → 1.21.0.beta2 - Mend

sqreen 1.19.2 → 1.21.0.beta2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (77) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +21 -0
data/lib/sqreen/agent_message.rb +20 -0
data/lib/sqreen/aggregated_metric.rb +25 -0
data/lib/sqreen/attack_detected.html +1 -2
data/lib/sqreen/ca.crt +24 -0
data/lib/sqreen/configuration.rb +10 -4
data/lib/sqreen/deliveries/batch.rb +12 -2
data/lib/sqreen/deliveries/simple.rb +4 -0
data/lib/sqreen/ecosystem.rb +96 -0
data/lib/sqreen/ecosystem/dispatch_table.rb +43 -0
data/lib/sqreen/ecosystem/exception_reporting.rb +26 -0
data/lib/sqreen/ecosystem/http/net_http.rb +50 -0
data/lib/sqreen/ecosystem/http/rack_request.rb +39 -0
data/lib/sqreen/ecosystem/loggable.rb +13 -0
data/lib/sqreen/ecosystem/module_api.rb +30 -0
data/lib/sqreen/ecosystem/module_api/event_listener.rb +18 -0
data/lib/sqreen/ecosystem/module_api/instrumentation.rb +23 -0
data/lib/sqreen/ecosystem/module_api/message_producer.rb +51 -0
data/lib/sqreen/ecosystem/module_api/signal_producer.rb +24 -0
data/lib/sqreen/ecosystem/module_api/tracing.rb +45 -0
data/lib/sqreen/ecosystem/module_api/tracing/client_data.rb +31 -0
data/lib/sqreen/ecosystem/module_api/tracing/server_data.rb +27 -0
data/lib/sqreen/ecosystem/module_api/tracing_id_generation.rb +16 -0
data/lib/sqreen/ecosystem/module_api/transaction_storage.rb +71 -0
data/lib/sqreen/ecosystem/module_registry.rb +44 -0
data/lib/sqreen/ecosystem/redis/redis_connection.rb +43 -0
data/lib/sqreen/ecosystem/tracing/modules/client.rb +31 -0
data/lib/sqreen/ecosystem/tracing/modules/server.rb +30 -0
data/lib/sqreen/ecosystem/tracing/sampler.rb +160 -0
data/lib/sqreen/ecosystem/tracing/sampling_configuration.rb +150 -0
data/lib/sqreen/ecosystem/tracing/signals/tracing_client.rb +53 -0
data/lib/sqreen/ecosystem/tracing/signals/tracing_server.rb +53 -0
data/lib/sqreen/ecosystem/tracing_broker.rb +101 -0
data/lib/sqreen/ecosystem/tracing_id_setup.rb +34 -0
data/lib/sqreen/ecosystem/transaction_storage.rb +64 -0
data/lib/sqreen/ecosystem/util/call_writers_from_init.rb +13 -0
data/lib/sqreen/ecosystem_integration.rb +81 -0
data/lib/sqreen/ecosystem_integration/around_callbacks.rb +89 -0
data/lib/sqreen/ecosystem_integration/instrumentation_service.rb +38 -0
data/lib/sqreen/ecosystem_integration/request_lifecycle_tracking.rb +58 -0
data/lib/sqreen/ecosystem_integration/signal_consumption.rb +35 -0
data/lib/sqreen/endpoint_testing.rb +184 -0
data/lib/sqreen/event.rb +7 -5
data/lib/sqreen/events/attack.rb +23 -18
data/lib/sqreen/events/remote_exception.rb +0 -22
data/lib/sqreen/events/request_record.rb +15 -70
data/lib/sqreen/frameworks/generic.rb +15 -1
data/lib/sqreen/frameworks/request_recorder.rb +13 -2
data/lib/sqreen/graft/call.rb +9 -0
data/lib/sqreen/kit/signals/specialized/aggregated_metric.rb +72 -0
data/lib/sqreen/kit/signals/specialized/attack.rb +57 -0
data/lib/sqreen/kit/signals/specialized/binning_metric.rb +76 -0
data/lib/sqreen/kit/signals/specialized/http_trace.rb +26 -0
data/lib/sqreen/kit/signals/specialized/sdk_track_call.rb +50 -0
data/lib/sqreen/kit/signals/specialized/sqreen_exception.rb +57 -0
data/lib/sqreen/legacy/old_event_submission_strategy.rb +227 -0
data/lib/sqreen/legacy/waf_redactions.rb +49 -0
data/lib/sqreen/log/loggable.rb +1 -1
data/lib/sqreen/metrics/base.rb +3 -0
data/lib/sqreen/metrics_store.rb +22 -12
data/lib/sqreen/performance_notifications/binned_metrics.rb +8 -2
data/lib/sqreen/remote_command.rb +3 -0
data/lib/sqreen/rules.rb +4 -2
data/lib/sqreen/rules/rule_cb.rb +2 -0
data/lib/sqreen/rules/waf_cb.rb +13 -10
data/lib/sqreen/runner.rb +94 -13
data/lib/sqreen/sensitive_data_redactor.rb +19 -31
data/lib/sqreen/session.rb +53 -43
data/lib/sqreen/signals/conversions.rb +288 -0
data/lib/sqreen/signals/http_trace_redaction.rb +111 -0
data/lib/sqreen/signals/signals_submission_strategy.rb +78 -0
data/lib/sqreen/version.rb +1 -1
metadata +83 -10
data/lib/sqreen/backport.rb +0 -9
data/lib/sqreen/backport/clock_gettime.rb +0 -74
data/lib/sqreen/backport/original_name.rb +0 -88

data/lib/sqreen/ecosystem/tracing_broker.rb ADDED

@@ -0,0 +1,101 @@
+require 'sqreen/ecosystem/loggable'
+require 'sqreen/ecosystem/exception_reporting'
+module Sqreen
+  module Ecosystem
+    class TracingBroker
+      include Loggable
+      include ExceptionReporting
+      # Stores a lookup resolution so that lookup (incl. sampling) is done
+      # only once, not in the beginning of the producer code (when it asks
+      # whether it should proceed) and again once it delivers the data
+      ObserverLookup = Struct.new(:modules)
+      # @return [Sqreen::Ecosystem::Tracing::SamplingConfiguration]
+      attr_writer :sampling_configuration
+      # @param [Array<Sqreen::Ecosystem::ModuleApi::Tracing>] tracing_modules
+      def initialize(tracing_modules)
+        @sampling_configuration = nil
+        @type_to_subscribers = {}
+        tracing_modules.each do |mod|
+          consumed_type = mod.consumed_type
+          @type_to_subscribers[consumed_type] ||= []
+          @type_to_subscribers[consumed_type] << mod
+        end
+      end
+      # @param [Object] data
+      # @param [Sqreen::Ecosystem::TracingBroker::ObserverLookup] prev_lookup
+      def publish(data, prev_lookup)
+        prev_lookup.modules.each do |mod|
+          mod_process_data mod, data
+        end
+      end
+      # @param [Module] data_type
+      # @param [Hash] _hints reserved for future use, e.g. virtual scopes
+      # @return [Sqreen::Ecosystem::TracingBroker::ObserverLookup]
+      def interested_consumers(data_type, _hints = {})
+        unless @sampling_configuration
+          logger.debug do
+            "Declaring no one is interested in #{data_type} " \
+            "because tracing hasn't been enabled yet"
+          end
+          return false
+        end
+        # if we have several modules with the same scope, we
+        # should ask whether we should sample only once
+        scope_to_should_sample = Hash.new do |hash, scope|
+          result = @sampling_configuration.should_sample?(scope)
+          if result
+            logger.debug { "Will sample scope #{scope}. Sampling line: #{result}" }
+          else
+            logger.debug { "Will NOT sample scope #{scope}" }
+          end
+          hash[scope] = result
+        end
+        res = subscribers(data_type).select do |mod|
+          scope_to_should_sample[mod.scope]
+        end
+        res.empty? ? false : ObserverLookup.new(res)
+      end
+      private
+      # @param [Sqreen::Ecosystem::ModuleApi::Tracing] mod
+      def mod_process_data(mod, data)
+        mod.receive(data)
+      rescue ::Exception => e # rubocop:disable Lint/RescueException
+        report_exception("Error invoking tracing module #{mod}", e)
+      end
+      # @param [Module] data_type
+      # @return Array<Sqreen::Ecosystem::ModuleApi::Tracing>
+      def subscribers(data_type)
+        subscribers = @type_to_subscribers[data_type]
+        # None of the modules subscribes to data_type directly,
+        # but maybe they subscribe to one of the ancestors
+        # Cache this lookup
+        unless subscribers
+          subscribers = parents(data_type).inject([]) do |accum, type|
+            accum + (@type_to_subscribers[type] || [])
+          end
+          @type_to_subscribers[data_type] = subscribers
+        end
+        subscribers
+      end
+      def parents(type)
+        type.ancestors - Object.ancestors - [type]
+      end
+    end
+  end
+end

data/lib/sqreen/ecosystem/tracing_id_setup.rb ADDED

@@ -0,0 +1,34 @@
+require 'sqreen/ecosystem/module_registry'
+require 'sqreen/ecosystem/transaction_storage'
+require 'sqreen/ecosystem/module_api/signal_producer'
+module Sqreen
+  module Ecosystem
+    class TracingIdSetup
+      # @param [Array<Sqreen::Ecosystem::ModuleApi::SignalProducer>] signal_producer_modules
+      def initialize(signal_producer_modules)
+        @modules = signal_producer_modules
+        @tracing_id_prefix = nil
+      end
+      def setup_modules
+        inject_out_of_tx_tracing_id_gen
+      end
+      attr_writer :tracing_id_prefix
+      private
+      def inject_out_of_tx_tracing_id_gen
+        @modules.each do |mod|
+          mod.tracing_id_producer = method(:generate_tracing_id)
+        end
+      end
+      def generate_tracing_id
+        return nil unless @tracing_id_prefix
+        "#{@tracing_id_prefix}.#{SecureRandom.uuid}"
+      end
+    end
+  end
+end

data/lib/sqreen/ecosystem/transaction_storage.rb ADDED

@@ -0,0 +1,64 @@
+require 'sqreen/ecosystem/loggable'
+module Sqreen
+  module Ecosystem
+    # The transaction storage is a mechanism for the modules to share
+    # request-scoped data with each other or to keep request-scoped objects
+    # themselves, although, for this last use case to be effective,
+    # propagation of request start/end events to the modules will likely be
+    # needed. A more generic notification of data availability to modules
+    # also may be needed in the future.
+    #
+    # This is not be used to share data with the Ecosystem client
+    #
+    # This class is not thread safe because it can call the lazy getter
+    # twice if [] is called concurrently.
+    class TransactionStorage
+      include Loggable
+      class << self
+        # @return [Sqreen::Ecosystem::TransactionStorage]
+        def create_thread_local
+          Thread.current[:tx_storage] = new
+        end
+        # @return [Sqreen::Ecosystem::TransactionStorage]
+        def fetch_thread_local
+          Thread.current[:tx_storage]
+        end
+        def destroy_thread_local
+          Thread.current[:tx_storage] = nil
+        end
+      end
+      def initialize
+        @values = {}
+        @values_lazy = {}
+      end
+      def []=(key, value)
+        @values[key] = value
+      end
+      def set_lazy(key, &block)
+        @values_lazy[key] = block
+      end
+      def [](key)
+        v = @values[key]
+        return v unless v.nil?
+        v = @values_lazy[key]
+        return nil if v.nil?
+        begin
+          @values[key] = v.call
+        rescue StandardError => e
+          logger.warn { "Error resolving key #{e} with lazy value: #{e.message}" }
+          raise
+        end
+      end
+    end
+  end
+end

data/lib/sqreen/ecosystem/util/call_writers_from_init.rb ADDED

@@ -0,0 +1,13 @@
+module Sqreen
+  module Ecosystem
+    module Util
+      module CallWritersFromInit
+        def initialize(values = {})
+          values.each do |attr, val|
+            public_send("#{attr}=", val)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/sqreen/ecosystem_integration.rb ADDED

@@ -0,0 +1,81 @@
+require 'sqreen/log/loggable'
+require 'sqreen/ecosystem'
+require 'sqreen/ecosystem/dispatch_table'
+require 'sqreen/ecosystem_integration/instrumentation_service'
+require 'sqreen/ecosystem_integration/request_lifecycle_tracking'
+require 'sqreen/ecosystem_integration/signal_consumption'
+module Sqreen
+  # This class is the interface through which the agent interacts
+  # with the ecosystem.
+  #
+  # Other classes in the EcosystemIntegration module implement the
+  # functionality that the ecosystem requires in order to deliver
+  # data to the agent and to be informed by the agent of certain
+  # key events (see Sqreen::Ecosystem::DispatchTable).
+  class EcosystemIntegration
+    include Sqreen::Log::Loggable
+    # @param [Sqreen::Framework] framework
+    def initialize(framework, queue)
+      @framework = framework
+      @queue = queue
+      @request_lifecycle = RequestLifecycleTracking.new
+      @online = false
+    end
+    def init
+      raise 'already initialized' if @online
+      setup_dispatch_table
+      Ecosystem.init
+      logger.info 'Ecosystem successfully initialized'
+      @online = true
+    rescue ::Exception => e # rubocop:disable Lint/RescueException
+      logger.warn { "Error initializing Ecosystem: #{e.message}" }
+      logger.debug { e.backtrace.map { |x| "  #{x}" }.join("\n") }
+      Sqreen::RemoteException.record(e)
+    end
+    def disable
+      raise NotImplementedYet
+    end
+    def request_start(rack_request)
+      return unless @online
+      Ecosystem.start_transaction
+      @request_lifecycle.notify_request_start(rack_request)
+    end
+    def request_end
+      return unless @online
+      Ecosystem.end_transaction
+    end
+    def handle_tracing_command(trace_id_prefix, scopes_config)
+      return unless @online
+      Ecosystem.configure_sampling(trace_id_prefix, scopes_config)
+    end
+    private
+    def setup_dispatch_table
+      Ecosystem::DispatchTable.consume_signal =
+        create_signal_consumption.method(:consume_signal)
+      Ecosystem::DispatchTable.add_request_start_listener =
+        @request_lifecycle.method(:add_start_observer)
+      Ecosystem::DispatchTable.fetch_logger = lambda { logger }
+      Ecosystem::DispatchTable.instrument = InstrumentationService.method(:instrument)
+    end
+    def create_signal_consumption
+      SignalConsumption.new(@framework, @request_lifecycle, @queue)
+    end
+  end
+end

data/lib/sqreen/ecosystem_integration/around_callbacks.rb ADDED

@@ -0,0 +1,89 @@
+require 'sqreen/log/loggable'
+require 'sqreen/events/remote_exception'
+require 'sqreen/mono_time'
+module Sqreen
+  class EcosystemIntegration
+    module AroundCallbacks
+      class << self
+        include Log::Loggable::ClassMethods
+        # for instrumentation hooks
+        # instrumentation hooks already handle budgets, so nothing
+        # to do in that respect
+        def wrap_instrumentation_hook(module_name, action, callable)
+          perf_notif_name = "ecosystem_#{module_name}"
+          Proc.new do |*args|
+            begin
+              start = Sqreen.time
+              callable.call(*args)
+            rescue ::Exception => e # rubocop:disable Lint/RescueException
+              # 2) rescue exceptions
+              logger.warn { "Error in #{module_name}:#{action}: #{e.message}" }
+              logger.debug { e.backtrace.map { |x| "  #{x}" }.join("\n") }
+              Sqreen::RemoteException.record(e)
+            ensure
+              # 3) contribute to performance metrics
+              stop = Sqreen.time
+              Sqreen::PerformanceNotifications.notify(perf_notif_name, action, start, stop)
+            end # end proc
+          end # end begin
+        end
+        # XXX: not used yet
+        def wrap_generic_callback(module_name, action, callable)
+          timer_name = "ecosystem:#{module_name}@#{action}"
+          perf_notif_name = "ecosystem_#{module_name}"
+          Proc.new do |*args|
+            begin
+              req_storage = Thread.current[:sqreen_http_request]
+              timer = Graft::Timer.new(timer_name) do |t|
+                # this is an epilogue to measure()
+                req_storage && req_storage[:timed_hooks] << t
+              end
+              req_timer = nil
+              timer.measure do
+                # not in a request, no budget; call cb
+                next callable.call(*args) unless req_storage
+                # 1) budget enforcement
+                # skip callback if budget already expended
+                next if req_storage[:time_budget_expended]
+                budget = req_storage[:time_budget]
+                if budget
+                  req_timer = req_storage[:timer]
+                  remaining = budget - req_timer.elapsed
+                  unless remaining > 0
+                    req_storage[:time_budget_expended] = true
+                    next # skip callback
+                  end
+                end
+                callable.call(*args)
+              end
+            rescue ::Exception => e # rubocop:disable Lint/RescueException
+              # 2) rescue exceptions
+              logger.warn { "Error in #{module_name}:#{action}: #{e.message}" }
+              logger.debug { e.backtrace.map { |x| "  #{x}" }.join("\n") }
+              Sqreen::RemoteException.record(e)
+            ensure
+              # 3) contribute to performance metrics
+              if timer
+                req_timer.include_measurements(timer) if req_timer
+                Sqreen::PerformanceNotifications.notify(
+                  perf_notif_name, action, *timer.start_and_end
+                )
+              end
+            end # end begin
+          end # end proc
+        end
+      end
+    end
+  end
+end

data/lib/sqreen/ecosystem_integration/instrumentation_service.rb ADDED

@@ -0,0 +1,38 @@
+require 'sqreen/graft/hook'
+require 'sqreen/ecosystem_integration/around_callbacks'
+module Sqreen
+  class EcosystemIntegration
+    module InstrumentationService
+      class << self
+        # @param [String] module_name
+        # @param [String] method in form A::B#c or A::B.c
+        # @param [Hash{Symbol=>Proc}] spec
+        def instrument(module_name, method, spec)
+          hook = Sqreen::Graft::Hook[method].add do
+            if spec[:before]
+              cb = AroundCallbacks.wrap_instrumentation_hook(module_name, 'pre', spec[:before])
+              before(nil, flow: true, &cb)
+            end
+            if spec[:after]
+              cb = AroundCallbacks.wrap_instrumentation_hook(module_name, 'post', spec[:after])
+              after(nil, flow: true, &cb)
+            end
+            if spec[:raised]
+              cb = AroundCallbacks.wrap_instrumentation_hook(module_name, 'failing', spec[:raised])
+              raised(nil, flow: true, &cb)
+            end
+            if spec[:ensured]
+              cb = AroundCallbacks.wrap_instrumentation_hook(module_name, 'finally', spec[:ensured])
+              ensured(nil, flow: true, &cb)
+            end
+          end
+          hook.install
+        end
+      end
+    end
+  end
+end

data/lib/sqreen/ecosystem_integration/request_lifecycle_tracking.rb ADDED

@@ -0,0 +1,58 @@
+require 'sqreen/events/remote_exception'
+require 'sqreen/log/loggable'
+module Sqreen
+  class EcosystemIntegration
+    # This class gets notified of request start/end and
+    # 1) distributes such events to listeners (typically ecosystem modules;
+    #    the method add_start_observer is exposed to ecosystem modules through
+    #    +Sqreen::Ecosystem::ModuleApi::EventListener+ and the dispatch table).
+    # 2) keeps track of whether a request is active on this thread. This is
+    #    so that users of this class can have this information without needing
+    #    to subscribe to request start/events and keeping thread local state
+    #    themselves.
+    # XXX: Since the Ecosystem is also notified of request start/end, it could
+    # notify its modules of request start without going through the dispatch
+    # table and call add_start_observer. We need to think if we want to keep
+    # the transaction / request distinction or if they should just be
+    # assumed to be the same, though.
+    class RequestLifecycleTracking
+      include Sqreen::Log::Loggable
+      def initialize
+        @start_observers = []
+        @tl_key = "#{object_id}_req_in_flight"
+      end
+      # API for classes needing to know the request state
+      # @param cb A callback taking a Rack::Request
+      def add_start_observer(cb)
+        @start_observers << cb
+      end
+      def in_request?
+        Thread.current[@tl_key] ? true : false
+      end
+      # API for classes notifying this one of request events
+      def notify_request_start(rack_req)
+        Thread.current[@tl_key] = true
+        return if @start_observers.empty?
+        @start_observers.each do |cb|
+          begin
+            cb.call(rack_req)
+          rescue ::Exception => e # rubocop:disable Lint/RescueException
+            logger.warn { "Error calling #{cb} on request start: #{e.message}" }
+            Sqreen::RemoteException.record(e)
+          end
+        end
+      end
+      def notify_request_end
+        Thread.current[@tl_key] = false
+      end
+    end
+  end
+end