RubyGems - sqreen - Versions diffs - 1.19.2 → 1.21.0.beta2 - Mend

sqreen 1.19.2 → 1.21.0.beta2

Files changed (77) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +21 -0
data/lib/sqreen/agent_message.rb +20 -0
data/lib/sqreen/aggregated_metric.rb +25 -0
data/lib/sqreen/attack_detected.html +1 -2
data/lib/sqreen/ca.crt +24 -0
data/lib/sqreen/configuration.rb +10 -4
data/lib/sqreen/deliveries/batch.rb +12 -2
data/lib/sqreen/deliveries/simple.rb +4 -0
data/lib/sqreen/ecosystem.rb +96 -0
data/lib/sqreen/ecosystem/dispatch_table.rb +43 -0
data/lib/sqreen/ecosystem/exception_reporting.rb +26 -0
data/lib/sqreen/ecosystem/http/net_http.rb +50 -0
data/lib/sqreen/ecosystem/http/rack_request.rb +39 -0
data/lib/sqreen/ecosystem/loggable.rb +13 -0
data/lib/sqreen/ecosystem/module_api.rb +30 -0
data/lib/sqreen/ecosystem/module_api/event_listener.rb +18 -0
data/lib/sqreen/ecosystem/module_api/instrumentation.rb +23 -0
data/lib/sqreen/ecosystem/module_api/message_producer.rb +51 -0
data/lib/sqreen/ecosystem/module_api/signal_producer.rb +24 -0
data/lib/sqreen/ecosystem/module_api/tracing.rb +45 -0
data/lib/sqreen/ecosystem/module_api/tracing/client_data.rb +31 -0
data/lib/sqreen/ecosystem/module_api/tracing/server_data.rb +27 -0
data/lib/sqreen/ecosystem/module_api/tracing_id_generation.rb +16 -0
data/lib/sqreen/ecosystem/module_api/transaction_storage.rb +71 -0
data/lib/sqreen/ecosystem/module_registry.rb +44 -0
data/lib/sqreen/ecosystem/redis/redis_connection.rb +43 -0
data/lib/sqreen/ecosystem/tracing/modules/client.rb +31 -0
data/lib/sqreen/ecosystem/tracing/modules/server.rb +30 -0
data/lib/sqreen/ecosystem/tracing/sampler.rb +160 -0
data/lib/sqreen/ecosystem/tracing/sampling_configuration.rb +150 -0
data/lib/sqreen/ecosystem/tracing/signals/tracing_client.rb +53 -0
data/lib/sqreen/ecosystem/tracing/signals/tracing_server.rb +53 -0
data/lib/sqreen/ecosystem/tracing_broker.rb +101 -0
data/lib/sqreen/ecosystem/tracing_id_setup.rb +34 -0
data/lib/sqreen/ecosystem/transaction_storage.rb +64 -0
data/lib/sqreen/ecosystem/util/call_writers_from_init.rb +13 -0
data/lib/sqreen/ecosystem_integration.rb +81 -0
data/lib/sqreen/ecosystem_integration/around_callbacks.rb +89 -0
data/lib/sqreen/ecosystem_integration/instrumentation_service.rb +38 -0
data/lib/sqreen/ecosystem_integration/request_lifecycle_tracking.rb +58 -0
data/lib/sqreen/ecosystem_integration/signal_consumption.rb +35 -0
data/lib/sqreen/endpoint_testing.rb +184 -0
data/lib/sqreen/event.rb +7 -5
data/lib/sqreen/events/attack.rb +23 -18
data/lib/sqreen/events/remote_exception.rb +0 -22
data/lib/sqreen/events/request_record.rb +15 -70
data/lib/sqreen/frameworks/generic.rb +15 -1
data/lib/sqreen/frameworks/request_recorder.rb +13 -2
data/lib/sqreen/graft/call.rb +9 -0
data/lib/sqreen/kit/signals/specialized/aggregated_metric.rb +72 -0
data/lib/sqreen/kit/signals/specialized/attack.rb +57 -0
data/lib/sqreen/kit/signals/specialized/binning_metric.rb +76 -0
data/lib/sqreen/kit/signals/specialized/http_trace.rb +26 -0
data/lib/sqreen/kit/signals/specialized/sdk_track_call.rb +50 -0
data/lib/sqreen/kit/signals/specialized/sqreen_exception.rb +57 -0
data/lib/sqreen/legacy/old_event_submission_strategy.rb +227 -0
data/lib/sqreen/legacy/waf_redactions.rb +49 -0
data/lib/sqreen/log/loggable.rb +1 -1
data/lib/sqreen/metrics/base.rb +3 -0
data/lib/sqreen/metrics_store.rb +22 -12
data/lib/sqreen/performance_notifications/binned_metrics.rb +8 -2
data/lib/sqreen/remote_command.rb +3 -0
data/lib/sqreen/rules.rb +4 -2
data/lib/sqreen/rules/rule_cb.rb +2 -0
data/lib/sqreen/rules/waf_cb.rb +13 -10
data/lib/sqreen/runner.rb +94 -13
data/lib/sqreen/sensitive_data_redactor.rb +19 -31
data/lib/sqreen/session.rb +53 -43
data/lib/sqreen/signals/conversions.rb +288 -0
data/lib/sqreen/signals/http_trace_redaction.rb +111 -0
data/lib/sqreen/signals/signals_submission_strategy.rb +78 -0
data/lib/sqreen/version.rb +1 -1
metadata +83 -10
data/lib/sqreen/backport.rb +0 -9
data/lib/sqreen/backport/clock_gettime.rb +0 -74
data/lib/sqreen/backport/original_name.rb +0 -88

data/lib/sqreen/ecosystem/tracing_broker.rb ADDED

@@ -0,0 +1,101 @@
+require 'sqreen/ecosystem/loggable'
+require 'sqreen/ecosystem/exception_reporting'
+module Sqreen
+  module Ecosystem
+    class TracingBroker
+      include Loggable
+      include ExceptionReporting
+      # Stores a lookup resolution so that lookup (incl. sampling) is done
+      # only once, not in the beginning of the producer code (when it asks
+      # whether it should proceed) and again once it delivers the data
+      ObserverLookup = Struct.new(:modules)
+      # @return [Sqreen::Ecosystem::Tracing::SamplingConfiguration]
+      attr_writer :sampling_configuration
+      # @param [Array<Sqreen::Ecosystem::ModuleApi::Tracing>] tracing_modules
+      def initialize(tracing_modules)
+        @sampling_configuration = nil
+        @type_to_subscribers = {}
+        tracing_modules.each do |mod|
+          consumed_type = mod.consumed_type
+          @type_to_subscribers[consumed_type] ||= []
+          @type_to_subscribers[consumed_type] << mod
+        end
+      end
+      # @param [Object] data
+      # @param [Sqreen::Ecosystem::TracingBroker::ObserverLookup] prev_lookup
+      def publish(data, prev_lookup)
+        prev_lookup.modules.each do |mod|
+          mod_process_data mod, data
+        end
+      end
+      # @param [Module] data_type
+      # @param [Hash] _hints reserved for future use, e.g. virtual scopes
+      # @return [Sqreen::Ecosystem::TracingBroker::ObserverLookup]
+      def interested_consumers(data_type, _hints = {})
+        unless @sampling_configuration
+          logger.debug do
+            "Declaring no one is interested in #{data_type} " \
+            "because tracing hasn't been enabled yet"
+          end
+          return false
+        end
+        # if we have several modules with the same scope, we
+        # should ask whether we should sample only once
+        scope_to_should_sample = Hash.new do |hash, scope|
+          result = @sampling_configuration.should_sample?(scope)
+          if result
+            logger.debug { "Will sample scope #{scope}. Sampling line: #{result}" }
+          else
+            logger.debug { "Will NOT sample scope #{scope}" }
+          end
+          hash[scope] = result
+        end
+        res = subscribers(data_type).select do |mod|
+          scope_to_should_sample[mod.scope]
+        end
+        res.empty? ? false : ObserverLookup.new(res)
+      end
+      private
+      # @param [Sqreen::Ecosystem::ModuleApi::Tracing] mod
+      def mod_process_data(mod, data)
+        mod.receive(data)
+      rescue ::Exception => e # rubocop:disable Lint/RescueException
+        report_exception("Error invoking tracing module #{mod}", e)
+      end
+      # @param [Module] data_type
+      # @return Array<Sqreen::Ecosystem::ModuleApi::Tracing>
+      def subscribers(data_type)
+        subscribers = @type_to_subscribers[data_type]
+        # None of the modules subscribes to data_type directly,
+        # but maybe they subscribe to one of the ancestors
+        # Cache this lookup
+        unless subscribers
+          subscribers = parents(data_type).inject([]) do |accum, type|
+            accum + (@type_to_subscribers[type] || [])
+          end
+          @type_to_subscribers[data_type] = subscribers
+        end
+        subscribers
+      end
+      def parents(type)
+        type.ancestors - Object.ancestors - [type]
+      end
+    end
+  end
+end

data/lib/sqreen/ecosystem/tracing_id_setup.rb ADDED

@@ -0,0 +1,34 @@
+require 'sqreen/ecosystem/module_registry'
+require 'sqreen/ecosystem/transaction_storage'
+require 'sqreen/ecosystem/module_api/signal_producer'
+module Sqreen
+  module Ecosystem
+    class TracingIdSetup
+      # @param [Array<Sqreen::Ecosystem::ModuleApi::SignalProducer>] signal_producer_modules
+      def initialize(signal_producer_modules)
+        @modules = signal_producer_modules
+        @tracing_id_prefix = nil
+      end
+      def setup_modules
+        inject_out_of_tx_tracing_id_gen
+      end
+      attr_writer :tracing_id_prefix
+      private
+      def inject_out_of_tx_tracing_id_gen
+        @modules.each do |mod|
+          mod.tracing_id_producer = method(:generate_tracing_id)
+        end
+      end
+      def generate_tracing_id
+        return nil unless @tracing_id_prefix
+        "#{@tracing_id_prefix}.#{SecureRandom.uuid}"
+      end
+    end
+  end
+end

data/lib/sqreen/ecosystem/transaction_storage.rb ADDED

@@ -0,0 +1,64 @@
+require 'sqreen/ecosystem/loggable'
+module Sqreen
+  module Ecosystem
+    # The transaction storage is a mechanism for the modules to share
+    # request-scoped data with each other or to keep request-scoped objects
+    # themselves, although, for this last use case to be effective,
+    # propagation of request start/end events to the modules will likely be
+    # needed. A more generic notification of data availability to modules
+    # also may be needed in the future.
+    #
+    # This is not be used to share data with the Ecosystem client
+    #
+    # This class is not thread safe because it can call the lazy getter
+    # twice if [] is called concurrently.
+    class TransactionStorage
+      include Loggable
+      class << self
+        # @return [Sqreen::Ecosystem::TransactionStorage]
+        def create_thread_local
+          Thread.current[:tx_storage] = new
+        end
+        # @return [Sqreen::Ecosystem::TransactionStorage]
+        def fetch_thread_local
+          Thread.current[:tx_storage]
+        end
+        def destroy_thread_local
+          Thread.current[:tx_storage] = nil
+        end
+      end
+      def initialize
+        @values = {}
+        @values_lazy = {}
+      end
+      def []=(key, value)
+        @values[key] = value
+      end
+      def set_lazy(key, &block)
+        @values_lazy[key] = block
+      end
+      def [](key)
+        v = @values[key]
+        return v unless v.nil?
+        v = @values_lazy[key]
+        return nil if v.nil?
+        begin
+          @values[key] = v.call
+        rescue StandardError => e
+          logger.warn { "Error resolving key #{e} with lazy value: #{e.message}" }
+          raise
+        end
+      end
+    end
+  end
+end

data/lib/sqreen/ecosystem/util/call_writers_from_init.rb ADDED

@@ -0,0 +1,13 @@
+module Sqreen
+  module Ecosystem
+    module Util
+      module CallWritersFromInit
+        def initialize(values = {})
+          values.each do |attr, val|
+            public_send("#{attr}=", val)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/sqreen/ecosystem_integration.rb ADDED

@@ -0,0 +1,81 @@
+require 'sqreen/log/loggable'
+require 'sqreen/ecosystem'
+require 'sqreen/ecosystem/dispatch_table'
+require 'sqreen/ecosystem_integration/instrumentation_service'
+require 'sqreen/ecosystem_integration/request_lifecycle_tracking'
+require 'sqreen/ecosystem_integration/signal_consumption'
+module Sqreen
+  # This class is the interface through which the agent interacts
+  # with the ecosystem.
+  #
+  # Other classes in the EcosystemIntegration module implement the
+  # functionality that the ecosystem requires in order to deliver
+  # data to the agent and to be informed by the agent of certain
+  # key events (see Sqreen::Ecosystem::DispatchTable).
+  class EcosystemIntegration
+    include Sqreen::Log::Loggable
+    # @param [Sqreen::Framework] framework
+    def initialize(framework, queue)
+      @framework = framework
+      @queue = queue
+      @request_lifecycle = RequestLifecycleTracking.new
+      @online = false
+    end
+    def init
+      raise 'already initialized' if @online
+      setup_dispatch_table
+      Ecosystem.init
+      logger.info 'Ecosystem successfully initialized'
+      @online = true
+    rescue ::Exception => e # rubocop:disable Lint/RescueException
+      logger.warn { "Error initializing Ecosystem: #{e.message}" }
+      logger.debug { e.backtrace.map { |x| "  #{x}" }.join("\n") }
+      Sqreen::RemoteException.record(e)
+    end
+    def disable
+      raise NotImplementedYet
+    end
+    def request_start(rack_request)
+      return unless @online
+      Ecosystem.start_transaction
+      @request_lifecycle.notify_request_start(rack_request)
+    end
+    def request_end
+      return unless @online
+      Ecosystem.end_transaction
+    end
+    def handle_tracing_command(trace_id_prefix, scopes_config)
+      return unless @online
+      Ecosystem.configure_sampling(trace_id_prefix, scopes_config)
+    end
+    private
+    def setup_dispatch_table
+      Ecosystem::DispatchTable.consume_signal =
+        create_signal_consumption.method(:consume_signal)
+      Ecosystem::DispatchTable.add_request_start_listener =
+        @request_lifecycle.method(:add_start_observer)
+      Ecosystem::DispatchTable.fetch_logger = lambda { logger }
+      Ecosystem::DispatchTable.instrument = InstrumentationService.method(:instrument)
+    end
+    def create_signal_consumption
+      SignalConsumption.new(@framework, @request_lifecycle, @queue)
+    end
+  end
+end

data/lib/sqreen/ecosystem_integration/around_callbacks.rb ADDED

@@ -0,0 +1,89 @@
+require 'sqreen/log/loggable'
+require 'sqreen/events/remote_exception'
+require 'sqreen/mono_time'
+module Sqreen
+  class EcosystemIntegration
+    module AroundCallbacks
+      class << self
+        include Log::Loggable::ClassMethods
+        # for instrumentation hooks
+        # instrumentation hooks already handle budgets, so nothing
+        # to do in that respect
+        def wrap_instrumentation_hook(module_name, action, callable)
+          perf_notif_name = "ecosystem_#{module_name}"
+          Proc.new do |*args|
+            begin
+              start = Sqreen.time
+              callable.call(*args)
+            rescue ::Exception => e # rubocop:disable Lint/RescueException
+              # 2) rescue exceptions
+              logger.warn { "Error in #{module_name}:#{action}: #{e.message}" }
+              logger.debug { e.backtrace.map { |x| "  #{x}" }.join("\n") }
+              Sqreen::RemoteException.record(e)
+            ensure
+              # 3) contribute to performance metrics
+              stop = Sqreen.time
+              Sqreen::PerformanceNotifications.notify(perf_notif_name, action, start, stop)
+            end # end proc
+          end # end begin
+        end
+        # XXX: not used yet
+        def wrap_generic_callback(module_name, action, callable)
+          timer_name = "ecosystem:#{module_name}@#{action}"
+          perf_notif_name = "ecosystem_#{module_name}"
+          Proc.new do |*args|
+            begin
+              req_storage = Thread.current[:sqreen_http_request]
+              timer = Graft::Timer.new(timer_name) do |t|
+                # this is an epilogue to measure()
+                req_storage && req_storage[:timed_hooks] << t
+              end
+              req_timer = nil
+              timer.measure do
+                # not in a request, no budget; call cb
+                next callable.call(*args) unless req_storage
+                # 1) budget enforcement
+                # skip callback if budget already expended
+                next if req_storage[:time_budget_expended]
+                budget = req_storage[:time_budget]
+                if budget
+                  req_timer = req_storage[:timer]
+                  remaining = budget - req_timer.elapsed
+                  unless remaining > 0
+                    req_storage[:time_budget_expended] = true
+                    next # skip callback
+                  end
+                end
+                callable.call(*args)
+              end
+            rescue ::Exception => e # rubocop:disable Lint/RescueException
+              # 2) rescue exceptions
+              logger.warn { "Error in #{module_name}:#{action}: #{e.message}" }
+              logger.debug { e.backtrace.map { |x| "  #{x}" }.join("\n") }
+              Sqreen::RemoteException.record(e)
+            ensure
+              # 3) contribute to performance metrics
+              if timer
+                req_timer.include_measurements(timer) if req_timer
+                Sqreen::PerformanceNotifications.notify(
+                  perf_notif_name, action, *timer.start_and_end
+                )
+              end
+            end # end begin
+          end # end proc
+        end
+      end
+    end
+  end
+end

data/lib/sqreen/ecosystem_integration/instrumentation_service.rb ADDED

@@ -0,0 +1,38 @@
+require 'sqreen/graft/hook'
+require 'sqreen/ecosystem_integration/around_callbacks'
+module Sqreen
+  class EcosystemIntegration
+    module InstrumentationService
+      class << self
+        # @param [String] module_name
+        # @param [String] method in form A::B#c or A::B.c
+        # @param [Hash{Symbol=>Proc}] spec
+        def instrument(module_name, method, spec)
+          hook = Sqreen::Graft::Hook[method].add do
+            if spec[:before]
+              cb = AroundCallbacks.wrap_instrumentation_hook(module_name, 'pre', spec[:before])
+              before(nil, flow: true, &cb)
+            end
+            if spec[:after]
+              cb = AroundCallbacks.wrap_instrumentation_hook(module_name, 'post', spec[:after])
+              after(nil, flow: true, &cb)
+            end
+            if spec[:raised]
+              cb = AroundCallbacks.wrap_instrumentation_hook(module_name, 'failing', spec[:raised])
+              raised(nil, flow: true, &cb)
+            end
+            if spec[:ensured]
+              cb = AroundCallbacks.wrap_instrumentation_hook(module_name, 'finally', spec[:ensured])
+              ensured(nil, flow: true, &cb)
+            end
+          end
+          hook.install
+        end
+      end
+    end
+  end
+end

data/lib/sqreen/ecosystem_integration/request_lifecycle_tracking.rb ADDED

@@ -0,0 +1,58 @@
+require 'sqreen/events/remote_exception'
+require 'sqreen/log/loggable'
+module Sqreen
+  class EcosystemIntegration
+    # This class gets notified of request start/end and
+    # 1) distributes such events to listeners (typically ecosystem modules;
+    #    the method add_start_observer is exposed to ecosystem modules through
+    #    +Sqreen::Ecosystem::ModuleApi::EventListener+ and the dispatch table).
+    # 2) keeps track of whether a request is active on this thread. This is
+    #    so that users of this class can have this information without needing
+    #    to subscribe to request start/events and keeping thread local state
+    #    themselves.
+    # XXX: Since the Ecosystem is also notified of request start/end, it could
+    # notify its modules of request start without going through the dispatch
+    # table and call add_start_observer. We need to think if we want to keep
+    # the transaction / request distinction or if they should just be
+    # assumed to be the same, though.
+    class RequestLifecycleTracking
+      include Sqreen::Log::Loggable
+      def initialize
+        @start_observers = []
+        @tl_key = "#{object_id}_req_in_flight"
+      end
+      # API for classes needing to know the request state
+      # @param cb A callback taking a Rack::Request
+      def add_start_observer(cb)
+        @start_observers << cb
+      end
+      def in_request?
+        Thread.current[@tl_key] ? true : false
+      end
+      # API for classes notifying this one of request events
+      def notify_request_start(rack_req)
+        Thread.current[@tl_key] = true
+        return if @start_observers.empty?
+        @start_observers.each do |cb|
+          begin
+            cb.call(rack_req)
+          rescue ::Exception => e # rubocop:disable Lint/RescueException
+            logger.warn { "Error calling #{cb} on request start: #{e.message}" }
+            Sqreen::RemoteException.record(e)
+          end
+        end
+      end
+      def notify_request_end
+        Thread.current[@tl_key] = false
+      end
+    end
+  end
+end