RubyGems - sqreen - Versions diffs - 1.19.4 → 1.20.4.beta1 - Mend

sqreen 1.19.4 → 1.20.4.beta1

Files changed (61) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +22 -1
data/lib/sqreen/actions/block_user.rb +1 -1
data/lib/sqreen/actions/redirect_ip.rb +1 -1
data/lib/sqreen/actions/redirect_user.rb +1 -1
data/lib/sqreen/agent_message.rb +20 -0
data/lib/sqreen/aggregated_metric.rb +25 -0
data/lib/sqreen/attack_detected.html +1 -2
data/lib/sqreen/ca.crt +24 -0
data/lib/sqreen/configuration.rb +11 -5
data/lib/sqreen/deferred_logger.rb +50 -14
data/lib/sqreen/deliveries/batch.rb +4 -1
data/lib/sqreen/deliveries/simple.rb +4 -0
data/lib/sqreen/deprecation.rb +38 -0
data/lib/sqreen/endpoint_testing.rb +184 -0
data/lib/sqreen/event.rb +7 -5
data/lib/sqreen/events/attack.rb +23 -18
data/lib/sqreen/events/remote_exception.rb +0 -22
data/lib/sqreen/events/request_record.rb +15 -70
data/lib/sqreen/frameworks/generic.rb +9 -0
data/lib/sqreen/frameworks/rails.rb +0 -7
data/lib/sqreen/frameworks/request_recorder.rb +13 -2
data/lib/sqreen/graft/call.rb +76 -18
data/lib/sqreen/graft/callback.rb +1 -1
data/lib/sqreen/graft/hook.rb +187 -85
data/lib/sqreen/graft/hook_point.rb +1 -1
data/lib/sqreen/kit/signals/specialized/aggregated_metric.rb +72 -0
data/lib/sqreen/kit/signals/specialized/attack.rb +57 -0
data/lib/sqreen/kit/signals/specialized/binning_metric.rb +76 -0
data/lib/sqreen/kit/signals/specialized/http_trace.rb +26 -0
data/lib/sqreen/kit/signals/specialized/sdk_track_call.rb +50 -0
data/lib/sqreen/kit/signals/specialized/sqreen_exception.rb +57 -0
data/lib/sqreen/legacy/instrumentation.rb +22 -10
data/lib/sqreen/legacy/old_event_submission_strategy.rb +221 -0
data/lib/sqreen/legacy/waf_redactions.rb +49 -0
data/lib/sqreen/log.rb +3 -2
data/lib/sqreen/log/loggable.rb +2 -1
data/lib/sqreen/logger.rb +24 -0
data/lib/sqreen/metrics/base.rb +3 -0
data/lib/sqreen/metrics_store.rb +33 -12
data/lib/sqreen/null_logger.rb +22 -0
data/lib/sqreen/performance_notifications/binned_metrics.rb +8 -2
data/lib/sqreen/remote_command.rb +1 -0
data/lib/sqreen/rules.rb +5 -3
data/lib/sqreen/rules/blacklist_ips_cb.rb +2 -2
data/lib/sqreen/rules/rule_cb.rb +4 -0
data/lib/sqreen/rules/waf_cb.rb +11 -8
data/lib/sqreen/runner.rb +103 -10
data/lib/sqreen/sensitive_data_redactor.rb +19 -31
data/lib/sqreen/session.rb +51 -43
data/lib/sqreen/signals/conversions.rb +283 -0
data/lib/sqreen/signals/http_trace_redaction.rb +111 -0
data/lib/sqreen/signals/signals_submission_strategy.rb +78 -0
data/lib/sqreen/version.rb +1 -1
data/lib/sqreen/weave/budget.rb +46 -0
data/lib/sqreen/weave/legacy/instrumentation.rb +156 -94
data/lib/sqreen/worker.rb +6 -2
metadata +51 -8
data/lib/sqreen/backport.rb +0 -9
data/lib/sqreen/backport/clock_gettime.rb +0 -74
data/lib/sqreen/backport/original_name.rb +0 -88

data/lib/sqreen/legacy/waf_redactions.rb ADDED

@@ -0,0 +1,49 @@
+# typed: ignore
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+module Sqreen
+  module Legacy
+    module WafRedactions
+      class << self
+        def redact_attacks!(attacks, values)
+          return attacks if values.empty?
+          values = values.map { |v| v.downcase if v.is_a?(String) }
+          attacks.each do |e|
+            next(e) unless e[:infos]
+            next(e) unless e[:infos][:waf_data]
+            parsed = JSON.parse(e[:infos][:waf_data])
+            redacted = parsed.each do |w|
+              next unless (filters = w['filter'])
+              filters.each do |f|
+                next unless (v = f['resolved_value'])
+                next unless values.include?(v.downcase)
+                f['match_status'] = SensitiveDataRedactor::MASK
+                f['resolved_value'] = SensitiveDataRedactor::MASK
+              end
+            end
+            e[:infos][:waf_data] = JSON.dump(redacted)
+          end
+        end
+        # see https://github.com/sqreen/TechDoc/blob/master/content/specs/spec000022-waf-data-sanitization.md#changes-to-the-agents
+        def redact_exceptions!(exceptions, values)
+          return exceptions if values.empty?
+          exceptions.each do |e|
+            next(e) unless e[:infos]
+            next(e) unless e[:infos][:waf]
+            e[:infos][:waf].delete(:args)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/sqreen/log.rb CHANGED

@@ -14,16 +14,17 @@ require 'sqreen/deferred_logger'
 module Sqreen
   def self.log_init
+    deferred_logger = @logger
     @logger = Sqreen::Logger.new(
       Sqreen.config_get(:log_level).to_s.upcase,
       Sqreen.config_get(:log_location)
     )
-    Sqreen::DeferredLogger.instance.flush_to(@logger.instance_eval { @logger })
+    deferred_logger.flush_to(@logger.instance_eval { @logger })
   rescue => e
     warn "Sqreen logger exception: #{e}"
   end
   def self::log
-    @logger || Sqreen::DeferredLogger.instance
+    @logger ||= Sqreen::DeferredLogger.new
   end
 end

data/lib/sqreen/log/loggable.rb CHANGED

@@ -4,6 +4,7 @@
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 require 'logger'
+require 'sqreen/log'
 module Sqreen; end
 module Sqreen::Log; end
@@ -23,6 +24,6 @@ module Sqreen::Log::Loggable
   end
   def logger
-    @logger || self.class.logger
+    @logger || singleton_class.logger
   end
 end

data/lib/sqreen/logger.rb CHANGED

@@ -28,6 +28,26 @@ module Sqreen
       create_error_logger
     end
+    def debug?
+      @logger.debug?
+    end
+    def info?
+      @logger.info?
+    end
+    def warn?
+      @logger.warn?
+    end
+    def error?
+      @logger.error?
+    end
+    def fatal?
+      @logger.fatal?
+    end
     def debug(msg = nil, &block)
       @logger.debug(msg, &block)
     end
@@ -45,6 +65,10 @@ module Sqreen
       @logger.error(msg, &block)
     end
+    def unknown(msg = nil, &block)
+      @logger.unknown(msg, &block)
+    end
     def add(severity, msg = nil, &block)
       send(SEVERITY_TO_METHOD[severity], msg, &block)
     end

data/lib/sqreen/metrics/base.rb CHANGED

@@ -12,6 +12,9 @@ module Sqreen
     FINISH_KEY = 'finish'.freeze
     # Base interface for a metric
     class Base
+      attr_accessor :name, :period # for signals serialization
+      attr_accessor :rule # optional
       def initialize(_opts={})
         @sample = nil
       end

data/lib/sqreen/metrics_store.rb CHANGED

@@ -3,6 +3,7 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
+require 'sqreen/aggregated_metric'
 require 'sqreen/metrics'
 require 'sqreen/mono_time'
 require 'sqreen/metrics_store/unknown_metric'
@@ -26,12 +27,16 @@ module Sqreen
     def initialize
       @store = []
       @metrics = {} # name => (metric, period, start)
+      @mutex = Mutex.new
     end
     # Definition contains a name,period and aggregate at least
     # @param definition [Hash] a metric definition
+    # @param rule [RuleCB] the rule associated with this metric, if any
     # @param mklass [Object] Override metric object (used in testing)
-    def create_metric(definition, mklass = nil)
+    def create_metric(definition, rule = nil, mklass = nil)
+      @mutex.lock
       name = definition[NAME_KEY]
       kind = definition[KIND_KEY]
       klass = valid_metric(kind, name)
@@ -43,30 +48,41 @@ module Sqreen
         definition[PERIOD_KEY],
         nil # Start
       ]
+      metric.name = name
+      metric.rule = rule
+      metric.period = definition[PERIOD_KEY]
       metric
+    ensure
+      @mutex.unlock
     end
     def metric?(name)
       @metrics.key?(name)
     end
-    # @params at [Time] when is the store emptied
+    # @param at [Time] when is the store emptied
     def update(name, at, key, value)
+      @mutex.lock
       metric, period, start = @metrics[name]
       raise UnregisteredMetric, "Unknown metric #{name}" unless metric
       next_sample(name, at) if start.nil? || (start + period) < at
       metric.update(key, value)
+    ensure
+      @mutex.unlock
     end
     # Drains every metrics and returns the store content
-    # @params at [Time] when is the store emptied
+    # @param at [Time] when is the store emptied
     def publish(flush = true, at = Sqreen.time)
+      @mutex.lock
       @metrics.each do |name, (_, period, start)|
         next_sample(name, at) if flush || !start.nil? && (start + period) < at
       end
       out = @store
       @store = []
       out
+    ensure
+      @mutex.unlock
     end
     protected
@@ -75,15 +91,20 @@ module Sqreen
       metric = @metrics[name][0]
       r = metric.next_sample(at)
       @metrics[name][2] = at # new start
-      if r
-        r[NAME_KEY] = name
-        obs = r[Metric::OBSERVATION_KEY]
-        start_of_mono = Time.now.utc - Sqreen.time
-        r[Metric::START_KEY] = start_of_mono + r[Metric::START_KEY]
-        r[Metric::FINISH_KEY] = start_of_mono + r[Metric::FINISH_KEY]
-        @store << r if obs && (!obs.respond_to?(:empty?) || !obs.empty?)
-      end
-      r
+      return unless r
+      r[NAME_KEY] = name
+      obs = r[Metric::OBSERVATION_KEY]
+      return unless obs && (!obs.respond_to?(:empty?) || !obs.empty?)
+      start_of_mono = Time.now.utc - Sqreen.time
+      agg = AggregatedMetric.new
+      agg.metric = metric
+      agg.rule = agg.metric.rule
+      agg.start = start_of_mono + r[Metric::START_KEY]
+      agg.finish = start_of_mono + r[Metric::FINISH_KEY]
+      agg.data = obs
+      @store << agg
     end
     def valid_metric(kind, name)

data/lib/sqreen/null_logger.rb CHANGED

@@ -9,6 +9,26 @@ module Sqreen
   class NullLogger
     include Singleton
+    def debug?
+      false
+    end
+    def info?
+      false
+    end
+    def warn?
+      false
+    end
+    def error?
+      false
+    end
+    def fatal?
+      false
+    end
     def debug(_msg = nil); end
     def info(_msg = nil); end
@@ -19,6 +39,8 @@ module Sqreen
     def fatal(_msg = nil); end
+    def unknown(_msg = nil); end
     def add(_severity, _msg = nil); end
     def formatter=(_); end

data/lib/sqreen/performance_notifications/binned_metrics.rb CHANGED

@@ -122,10 +122,16 @@ module Sqreen
       attr_reader :metrics_store
       attr_reader :period
-      def ensure_metric(metric_name)
+      def ensure_metric(metric_name, rule = nil)
         return if metrics_store.metric?(metric_name)
         metrics_store.create_metric(
-          'name' => metric_name, 'period' => period, 'kind' => 'Binning', 'options' => @perf_metric_opts
+          {
+            'name' => metric_name,
+            'period' => period,
+            'kind' => 'Binning',
+            'options' => @perf_metric_opts,
+          },
+          rule
         )
       end

data/lib/sqreen/remote_command.rb CHANGED

@@ -18,6 +18,7 @@ module Sqreen
       :features_get => :features,
       :features_change => :change_features,
       :force_logout => :shutdown,
+      :force_restart => :restart,
       :paths_whitelist => :change_whitelisted_paths,
       :ips_whitelist => :change_whitelisted_ips,
       :get_bundle => :upload_bundle,

data/lib/sqreen/rules.rb CHANGED

@@ -114,7 +114,7 @@ module Sqreen
           Sqreen.log.warn('No JavaScript engine is available. ' \
               'JavaScript callbacks will be ignored')
         end
-        Sqreen.log.info("Ignoring JS callback #{rule_name}")
+        Sqreen.log.debug("Ignoring JS callback #{rule_name}")
         return nil
       end
@@ -135,13 +135,15 @@ module Sqreen
         return nil
       end
+      rule_cb = cb_class.new(instr_class, instr_method, hash_rule)
       if metrics_store
         (hash_rule[Attrs::METRICS] || []).each do |metric|
-          metrics_store.create_metric(metric)
+          metrics_store.create_metric(metric, rule_cb)
         end
       end
-      cb_class.new(instr_class, instr_method, hash_rule)
+      rule_cb
     rescue => e
       rule_name = nil
       rulespack_id = nil

data/lib/sqreen/rules/blacklist_ips_cb.rb CHANGED

@@ -33,7 +33,7 @@ module Sqreen
       private
       def insert_values(ranges)
-        Sqreen.log.info 'no ips given for IP blacklisting' if ranges.empty?
+        Sqreen.log.debug 'no ips given for IP blacklisting' if ranges.empty?
         ranges.map { |r| Prefix.from_str(r, r) }.each do |prefix|
           trie_for(prefix).insert prefix
@@ -50,7 +50,7 @@ module Sqreen
         begin
           ipa = IPAddr.new(rip)
         rescue StandardError
-          Sqreen.log.info "invalid IP address given by framework: #{rip}"
+          Sqreen.log.debug "invalid IP address given by framework: #{rip}"
           return nil
         end

data/lib/sqreen/rules/rule_cb.rb CHANGED

@@ -3,6 +3,7 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
+require 'sqreen/deprecation'
 require 'sqreen/framework_cb'
 require 'sqreen/context'
 require 'sqreen/conditionable'
@@ -61,7 +62,9 @@ module Sqreen
           :infos => infos,
           :rulespack_id => rulespack_id,
           :rule_name => rule_name,
+          :attack_type => @rule['attack_type'], # for signal
           :test => test,
+          :block => @rule['block'], # for signal
           :time => at,
         }
         if payload_tpl.include?('context')
@@ -107,6 +110,7 @@ module Sqreen
         )
         true
       end
+      Sqreen::Deprecation.deprecate(instance_method(:overtime!))
     end
   end
 end

data/lib/sqreen/rules/waf_cb.rb CHANGED

@@ -132,20 +132,23 @@ module Sqreen
       end
       def record_exception(exception, infos = {}, at = Time.now.utc)
-        infos.merge!(exception_to_infos(exception)) if exception.is_a?(Sqreen::WAFError)
+        infos.merge!(waf_infos(exception)) if exception.is_a?(Sqreen::WAFError)
         super(exception, infos, at)
       end
       private
-      def exception_to_infos(e)
+      # see https://github.com/sqreen/TechDoc/blob/master/content/specs/spec000016-waf-integration.md#error-management
+      def waf_infos(e)
         {
-          waf_rule: e.rule_name,
-          error_code: ERROR_CODES[e.error],
-        }.tap do |r|
-          r[:error_data] = e.data if e.data
-          r[:args] = e.args if e.args
-        end
+          waf:  {
+            waf_rule: e.rule_name,
+            error_code: ERROR_CODES[e.error],
+          }.tap do |r|
+            r[:error_data] = e.data if e.data
+            r[:args] = e.args if e.arg
+          end,
+        }
       end
       ERROR_CODES = {

data/lib/sqreen/runner.rb CHANGED

@@ -11,6 +11,7 @@ require 'sqreen/events/attack'
 require 'sqreen/log'
+require 'sqreen/agent_message'
 require 'sqreen/rules'
 require 'sqreen/session'
 require 'sqreen/remote_command'
@@ -18,11 +19,13 @@ require 'sqreen/capped_queue'
 require 'sqreen/metrics_store'
 require 'sqreen/deliveries/simple'
 require 'sqreen/deliveries/batch'
+require 'sqreen/endpoint_testing'
 require 'sqreen/performance_notifications/metrics'
 require 'sqreen/performance_notifications/binned_metrics'
 require 'sqreen/legacy/instrumentation'
 require 'sqreen/call_countable'
 require 'sqreen/weave/legacy/instrumentation'
+require 'sqreen/kit/configuration'
 module Sqreen
   @features = {}
@@ -37,6 +40,8 @@ module Sqreen
   PERF_METRICS_PERIOD = 60 # 1 min
   DEFAULT_PERF_LEVEL = 0 # disabled
+  DEFAULT_USE_SIGNALS = false
   class << self
     attr_reader :features
     def update_features(features)
@@ -87,7 +92,9 @@ module Sqreen
     attr_accessor :heartbeat_delay
     attr_accessor :metrics_engine
+    # @return [Sqreen::Deliveries::Simple]
     attr_reader :deliverer
+    # @return [Sqreen::Session]
     attr_reader :session
     attr_reader :instrumenter
     attr_accessor :running
@@ -108,15 +115,24 @@ module Sqreen
       @next_metrics = []
       @running = true
+      @proxy_url = @configuration.get(:proxy_url)
+      chosen_endpoints = determine_endpoints
       @token = @configuration.get(:token)
       @app_name = @configuration.get(:app_name)
-      @url = @configuration.get(:url)
+      @url = chosen_endpoints.control.url
+      @cert_store = chosen_endpoints.control.ca_store
       Sqreen.update_whitelisted_paths([])
       Sqreen.update_whitelisted_ips({})
       Sqreen.update_performance_budget(nil)
-      raise(Sqreen::Exception, 'no url found') unless @url
       raise(Sqreen::TokenNotFoundException, 'no token found') unless @token
+      Sqreen::Kit::Configuration.logger = Sqreen.log
+      Sqreen::Kit::Configuration.ingestion_url = chosen_endpoints.ingestion.url
+      Sqreen::Kit::Configuration.certificate_store = chosen_endpoints.ingestion.ca_store
+      Sqreen::Kit::Configuration.proxy_url = @proxy_url
       register_exit_cb if set_at_exit
       self.metrics_engine = MetricsStore.new
@@ -133,6 +149,7 @@ module Sqreen
       Sqreen.log.debug "Using token #{@token}"
       response = create_session(session_class)
+      post_endpoint_testing_msgs(chosen_endpoints)
       wanted_features = response.fetch('features', {})
       conf_initial_features = configuration.get(:initial_features)
       unless conf_initial_features.nil?
@@ -142,10 +159,10 @@ module Sqreen
           Sqreen.log.debug do
             "Override initial features with #{conf_features.inspect}"
           end
-          wanted_features = conf_features
+          wanted_features = wanted_features.merge(conf_features)
         rescue
           Sqreen.log.warn do
-            "NOT using invalid inital features #{conf_initial_features}"
+            "NOT using invalid initial features #{conf_initial_features}"
           end
         end
       end
@@ -161,7 +178,7 @@ module Sqreen
     end
     def create_session(session_class)
-      @session = session_class.new(@url, @token, @app_name)
+      @session = session_class.new(@url, @cert_store, @token, @app_name, @proxy_url)
       session.login(@framework)
     end
@@ -170,8 +187,18 @@ module Sqreen
       @deliverer = new_deliverer
     end
-    def batch_events(batch_size, max_staleness = nil)
+    def batch_events(batch_size, max_staleness = nil, use_signals = false)
       size = batch_size.to_i
+      if size <= 1 && use_signals
+        Sqreen.log.warn do
+          "Using signals with no delivery batching is unsupported. " \
+          "Using instead batching with batch size = 30, max_staleness = 60"
+        end
+        size = 30
+        max_staleness = 60
+      end
       self.deliverer = if size < 1
                          Deliveries::Simple.new(session)
                        else
@@ -301,19 +328,37 @@ module Sqreen
     def do_heartbeat
       @last_heartbeat_request = Time.now
       @next_metrics.concat(metrics_engine.publish(false)) if metrics_engine
-      res = session.heartbeat(next_command_results, next_metrics)
+      metrics_in_hb = use_signals? ? nil : next_metrics
+      res = session.heartbeat(next_command_results, metrics_in_hb)
       next_command_results.clear
+      deliver_metrics_as_event if use_signals?
       next_metrics.clear
       process_commands(res['commands'])
     end
+    def deliver_metrics_as_event
+      # this is disastrous withe simple delivery strategy,
+      # as each aggregated metric would trigger an http request
+      # Sending of metrics is therefore not supported with simple delivery strategy
+      # TODO: Confirm that only batch is used in production
+      next_metrics.each { |x| deliverer.post_event(x) }
+    end
     def features(_context_infos = {})
       Sqreen.features
     end
+    def use_signals?
+      features.fetch('use_signals', DEFAULT_USE_SIGNALS)
+    end
     def features=(features)
       Sqreen.update_features(features)
       session.request_compression = features['request_compression'] if session
+      session.use_signals = use_signals?
       self.performance_metrics_period = features['performance_metrics_period']
       unless @configuration.get(:weave)
@@ -331,7 +376,7 @@ module Sqreen
       hd = features['heartbeat_delay'].to_i
       self.heartbeat_delay = hd if hd > 0
       return if features['batch_size'].nil?
-      batch_events(features['batch_size'], features['max_staleness'])
+      batch_events(features['batch_size'], features['max_staleness'], use_signals?)
     end
     def change_whitelisted_paths(paths, _context_infos = {})
@@ -342,8 +387,25 @@ module Sqreen
     def change_performance_budget(budget, _context_infos = {})
       return false unless budget.nil? || budget.to_f > 0
-      prev = Sqreen.performance_budget
-      Sqreen.update_performance_budget(budget)
+      if @configuration.get(:weave)
+        prev = Sqreen::Weave::Budget.current
+        prev = prev.to_h if prev
+        budget_s = budget.to_f / 1000 if budget
+        feature = features['performance_budget']
+        if feature
+          budget_s = feature['threshold'] if feature.key?('threshold')
+          ratio = feature['ratio'] if feature.key?('ratio')
+        end
+        Sqreen::Weave::Budget.update(threshold: budget_s, ratio: ratio)
+      else
+        prev = Sqreen.performance_budget
+        Sqreen.update_performance_budget(budget)
+      end
       { :was => prev }
     end
@@ -433,6 +495,15 @@ module Sqreen
       logout
     end
+    def restart(_context_infos = {})
+      shutdown
+      heartbeat_delay = @heartbeat_delay
+      Thread.new do
+        sleep(2 * heartbeat_delay)
+        Sqreen::Worker.start(Sqreen.framework)
+      end
+    end
     def logout(retrying = true)
       return unless session
       Sqreen.log.debug("Logging out")
@@ -470,6 +541,28 @@ module Sqreen
     private
+    def post_endpoint_testing_msgs(chosen_endpoints)
+      chosen_endpoints.messages.each do |msg|
+        session.post_agent_message(@framework, msg)
+      end
+    rescue => e
+      Sqreen.log.warn "Error submitting agent message: #{e}"
+      RemoteException.record(e)
+    end
+    def determine_endpoints
+      # there's no sniffing going on; just a misnamed config setting
+      if @configuration.get(:no_sniff_domains)
+        # reproduces behaviour before endpoint testing was introduced
+        EndpointTesting.no_test_endpoints(@configuration.get(:url),
+                                          @configuration.get(:ingestion_url))
+      else
+        EndpointTesting.test_endpoints(@proxy_url,
+                                       @configuration.get(:url),
+                                       @configuration.get(:ingestion_url))
+      end
+    end
     def load_actions(hashes)
       unsupported = Set.new