tcell_agent 0.2.2

data/lib/tcell_agent/devise.rb

@@ -0,0 +1,83 @@
+# See the file "LICENSE" for the full license governing this code.
+
+require 'devise'
+require 'devise/rails'
+require 'devise/strategies/database_authenticatable'
+require 'tcell_agent/userinfo'
+require 'tcell_agent/logger'
+#Warden::Manager.after_authentication do |user,auth,opts|
+#    p "<M>M>M>M>M>M>M>M>M>M>M>M>M>M>M>M>M>M>M"
+#    p user
+#  # do something with user
+#end
+
+require 'tcell_agent/sensor_events/honeytokens'
+
+module TCellAgent
+  if defined?(Devise)
+    TCellAgent::UserInformation.class_eval do
+      class << self
+        alias_method :original_getUserFromRequest, :getUserFromRequest
+        def getUserFromRequest(request)
+          orig_user_id = original_getUserFromRequest(request)
+          begin
+            if request.session and request.session.has_key?("warden.user.user.key")
+              userkey = request.session["warden.user.user.key"]
+              if (userkey.length == 2)
+                user_id = userkey[0][0]
+              else
+                user_id = userkey[1][0]
+              end
+              if user_id.is_a? Integer
+                return user_id.to_s
+              end
+            end
+          rescue Exception => e
+            return orig_user_id
+          end
+          return orig_user_id
+        end
+      end
+    end
+    Devise::Strategies::DatabaseAuthenticatable.class_eval do
+      alias_method :original_authenticate!, :authenticate!
+      def authenticate!
+        begin
+          tcell_background_worker = TCellAgent.thread_agent
+          # if (tcell_background_worker && tcell_background_worker.honeytokens_policy)
+          #   credstring = ""
+          #   authentication_keys.each do |authentication_key|
+          #     credstring = credstring + authentication_hash[authentication_key] + "::"
+          #   end
+          #   credstring = credstring + password[1..-3] # Chop off first and last 2 characters
+          #   token_id = tcell_background_worker.honeytokens_policy.id_for_credentialstring(credstring)
+          #   if token_id
+          #     begin
+          #       event = TCellAgent::SensorEvents::HoneytokensSensorEvent.new(request, token_id)
+          #       TCellAgent.send_event(event)
+          #     rescue
+          #       #pass
+          #     end
+          #     return
+          #   end
+          # end
+        rescue Exception => e
+          TCellAgent.logger.error("uncaught exception while processing honeytokens: #{e.message}")
+        end
+        original_authenticate!
+      end
+    end
+  end
+end
+module Devise
+  module Models
+    module Recoverable
+      extend ActiveSupport::Concern
+      alias_method :original_send_reset_password_instructions, :send_reset_password_instructions
+      def send_reset_password_instructions
+        x = original_send_reset_password_instructions
+        x
+      end
+    end
+  end
+end

data/lib/tcell_agent/instrumentation.rb

@@ -0,0 +1,44 @@
+# encoding: utf-8
+# See the file "LICENSE" for the full license governing this code.
+require 'rest-client'
+require 'tcell_agent/logger'
+require 'tcell_agent/configuration'
+require 'tcell_agent/version'
+require 'date'
+
+module TCellAgent
+  module Instrumentation
+
+    class TCellData
+      attr_accessor :transaction_id
+      attr_accessor :session_id
+      attr_accessor :hmac_session_id
+      attr_accessor :user_id
+      attr_accessor :route_id
+      attr_accessor :uri
+    end
+
+    def self.instrument_frameworks
+      require 'tcell_agent/authlogic' if defined?(Authlogic)
+      require 'tcell_agent/devise' if defined?(Devise)
+      require 'tcell_agent/rails' if defined?(Rails)
+      require 'tcell_agent/sinatra' if defined?(Sinatra)
+    end
+
+    def self.safe_block(message, &block)
+      begin
+        block.call()
+      rescue Exception => ex
+        TCellAgent.logger.debug "Exception in safe_block #{message}: #{ex.class} happened, message is #{ex.message}"
+        TCellAgent.logger.debug(ex.backtrace)
+      end
+    end
+
+    def self.safe_block_no_log(message, &block)
+      begin
+        block.call()
+      rescue Exception => ex
+      end
+    end
+  end
+end

data/lib/tcell_agent/logger.rb

@@ -0,0 +1,46 @@
+# See the file "LICENSE" for the full license governing this code.
+
+require 'logger'
+require 'tcell_agent/configuration'
+
+module TCellAgent
+  def self.loggingLevelFromString(levelString)
+    if (levelString == "DEBUG")
+      return Logger::DEBUG
+    elsif (levelString == "WARN")
+      return Logger::WARN
+    elsif (levelString == "INFO")
+      return Logger::INFO
+    elsif (levelString == "ERROR")
+      return Logger::ERROR
+    elsif (levelString == "FATAL")
+      return Logger::FATAL
+    end
+    return Logger::ERROR
+  end
+  def self.logger
+    if defined?(@logger)
+        return @logger
+    end
+    logging_options = TCellAgent.configuration.logging_options
+    if logging_options && logging_options["enabled"]
+      level = loggingLevelFromString(logging_options["level"])
+      logging_file = logging_options["filename"] || TCellAgent.configuration.default_log_filename
+      # limit the total log file to about 9 * 5 = 45 mb
+      @logger = Logger.new(logging_file, shift_age=9, shift_size=5242880)
+      @logger.level = level
+      @logger.formatter = proc do |severity, datetime, progname, msg|
+        # ISO 8601 format
+        date_format = datetime.strftime("%Y-%m-%d %H:%M:%S,%L%z")
+         "[#{date_format}] #{severity}: #{msg}\n"
+      end
+      return @logger
+    end
+    logger = Logger.new(TCellAgent.configuration.default_log_filename)
+    logger.level = Logger::ERROR
+    return logger
+  end
+  def self.logger=(logger)
+    @logger = logger
+  end
+end

data/lib/tcell_agent/policies/add_script_tag_policy.rb

@@ -0,0 +1,47 @@
+require 'tcell_agent/configuration'
+
+module TCellAgent
+    module Policies
+        class AddScriptTagPolicy
+            attr_accessor :enabled
+            attr_accessor :policy_id
+            attr_accessor :js_agent_api_key
+            def initialize
+                self.init_options
+            end
+            def init_options
+                @enabled = false
+                @policy_id = nil
+                @js_agent_api_key = nil
+            end
+            def js_agent_app_id
+                return TCellAgent.configuration.app_id
+            end
+            def js_agent_api_base_url
+                return TCellAgent.configuration.js_agent_api_base_url
+            end
+            def js_agent_url
+                return TCellAgent.configuration.js_agent_url
+            end
+            def self.fromJson(policy_json)
+                if (!policy_json)
+                    return nil
+                end
+                policy = AddScriptTagPolicy.new
+                if policy_json.has_key?("policy_id")
+                    policy.policy_id = policy_json["policy_id"]
+                else
+                    raise "Policy ID missing"
+                end
+                if policy_json.has_key?("data")
+                    data_json = policy_json["data"]
+                    policy.js_agent_api_key = data_json.fetch("js_agent_api_key", nil)
+                    if policy.js_agent_api_key != nil
+                        policy.enabled = true
+                    end
+                end
+                return policy
+            end
+        end
+    end
+end

data/lib/tcell_agent/policies/appsensor_policy.rb

@@ -0,0 +1,76 @@
+
+
+module TCellAgent
+    module Policies
+        class AppSensorPolicy
+            MAX_NORMAL_REQUEST_BYTES = 1024*512
+            MAX_NORMAL_RESPONSE_BYTES = 1024*1024*2
+
+            DP_XSS = "xss"
+            DP_SQLI = "sqli"
+            DP_CMDI = "cmdi"
+
+            DP_LOGIN_FAILURE = "lgnFlr"
+            DP_LOGIN_SUCCESS = "lgnSccss"
+
+            DP_UNUSUAL_REQUEST_SIZE = "reqsz"
+            DP_UNUSUAL_RESPONSE_SIZE = "rspsz"
+            DP_RESPONSE_401 = "s401"
+            DP_RESPONSE_403 = "s403"
+            DP_RESPONSE_404 = "s404"
+            DP_RESPONSE_4xx = "s4xx"
+            DP_RESPONSE_500 = "s500"
+            DP_RESPONSE_5xx = "s5xx"
+
+            @@detection_point_options = [
+                "req_res_size",
+                "resp_codes",
+                "xss",
+                "sqli",
+                "cmdi",
+                "fpt",
+                "login_failure"]
+            attr_accessor :enabled
+            attr_accessor :policy_id            
+            attr_accessor :options
+            def initialize
+                self.init_options
+            end
+            def self.detection_point_options
+                return @@detection_point_options
+            end
+            def init_options
+                @enabled = false
+                @policy_id = nil
+                @options = Hash.new
+            end
+            def option_enabled?(option_name)
+                @options.fetch(option_name, false)
+            end
+            def self.fromJson(policy_json)
+                if (!policy_json)
+                    return nil
+                end
+                sensor_policy = AppSensorPolicy.new
+                if policy_json.has_key?("policy_id")
+                    sensor_policy.policy_id = policy_json["policy_id"]
+                else
+                    raise "Policy ID missing"
+                end
+                if policy_json.has_key?("data")
+                    data_json = policy_json["data"]
+                    if data_json.has_key?("options")
+                        options_json = data_json["options"]
+                        AppSensorPolicy::detection_point_options.each { |option_name| 
+                            sensor_policy.options[option_name] = options_json.fetch(option_name,false)
+                            if (sensor_policy.option_enabled?(option_name) == true)
+                                sensor_policy.enabled = true
+                            end
+                        }
+                    end
+                end
+                return sensor_policy
+            end
+        end
+    end
+end

data/lib/tcell_agent/policies/clickjacking_policy.rb

@@ -0,0 +1,113 @@
+# encoding: utf-8
+# See the file "LICENSE" for the full license governing this code.
+
+require 'uri'
+
+module TCellAgent
+    module Policies
+        class ClickjackingPolicy
+            class ContentSecurityPolicyHeader
+                @@approved_headers = [
+                    "csp"
+                ]
+                attr_accessor :type
+                attr_accessor :raw_value
+                attr_accessor :report_uri
+                def initialize(type, value, report_uri=nil)
+                    if !(type && value)
+                        raise "Type and value were not set"
+                    end
+                    if type.downcase == "content-security-policy"
+                        type = "csp"
+                    end
+                    if not @@approved_headers.include?(type.downcase)
+                        raise "Type was not included in approved_headers"
+                    end
+                    if value != value.gsub(/[^\p{L}\w\d\-_\ :\/,;.'\*"%?@#=$]/,'')
+                        raise "Value is not valid"
+                    end
+                    self.type = type
+                    self.raw_value = value
+                    self.report_uri = report_uri
+                end
+                def value(transaction_id=nil, session_id=nil, user_id=nil)
+                    if !self.report_uri
+                        return self.raw_value
+                    end
+                    begin
+                        uri = URI.parse(self.report_uri)
+                        new_query_ar = URI.decode_www_form(uri.query || '')
+                        if transaction_id
+                            new_query_ar << ["tid", transaction_id]
+                        end
+                        if session_id
+                            new_query_ar << ["sid", session_id]
+                        end
+                        if user_id
+                            new_query_ar << ["uid", user_id.to_s]
+                        end
+                        if new_query_ar != []
+                            uri.query = URI.encode_www_form(new_query_ar)
+                        end
+                        report_uri = uri.to_s
+                        return "#{self.raw_value}; report-uri #{report_uri}"
+                    rescue Exception=>e
+                        return self.raw_value
+                    end
+                end
+            end
+
+            attr_accessor :headers
+            attr_accessor :policy_id
+
+            def each(transaction_id=nil, hmac_session_id=nil, user_id=nil, &block)
+                result = []
+                headers.each do | header |
+                  header_value = header.value(transaction_id, hmac_session_id, user_id)
+                  header_names = ClickjackingPolicy.cspHeadersForType(header.type)
+                  header_names.each do | header_name |
+                    result.push( {"name"=>header_name, "value"=>header_value} )
+                  end #doloop
+                end
+                result.each(&block)
+            end
+            def self.fromJson(policy_json)
+                if (!policy_json) 
+                    return nil
+                end
+                csp = ClickjackingPolicy.new
+                if policy_json.has_key?("policy_id")
+                    csp.policy_id = policy_json["policy_id"]
+                else
+                    raise "Policy ID missing"
+                end
+                if policy_json.has_key?("headers")
+                    headers = policy_json["headers"]
+                    csp_headers = []
+                    headers.each do |header|
+                        if header.has_key?("name") && header.has_key?("value")
+                            begin
+                                csp_header = ContentSecurityPolicyHeader.new(header["name"], header["value"], header["report-uri"])
+                                csp_headers.push(csp_header)
+                            rescue Exception => secure_header_exception
+                                #pass
+                            end
+                        end
+                    end
+                    csp.headers = csp_headers
+                end
+                return csp
+            end
+            def self.cspHeadersForType(csp_type)
+                if (!csp_type)
+                    return []
+                end
+                if csp_type == "csp"
+                    return ["Content-Security-Policy"]#,"X-Content-Security-Policy","X-WebKit-CSP"]
+                else
+                    return []
+                end
+            end
+        end
+    end
+end

data/lib/tcell_agent/policies/content_security_policy.rb

@@ -0,0 +1,119 @@
+# encoding: utf-8
+# See the file "LICENSE" for the full license governing this code.
+
+require 'uri'
+require 'tcell_agent/sensor_events/util/sanitizer_utilities'
+
+module TCellAgent
+    module Policies
+        class ContentSecurityPolicy
+            class ContentSecurityPolicyHeader
+                @@approved_headers = [
+                    "csp",
+                    "csp-report"
+                ]
+                attr_accessor :type
+                attr_accessor :raw_value
+                attr_accessor :report_uri
+                def initialize(type, value, report_uri=nil)
+                    if !(type && value)
+                        raise "Type and value were not set"
+                    end
+                    if type.downcase == "content-security-policy"
+                        type = "csp"
+                    elsif type.downcase == "content-security-policy-report-only"
+                        type = "csp-report"
+                    end
+                    if not @@approved_headers.include?(type.downcase)
+                        raise "Type was not included in approved_headers"
+                    end
+                    if value != value.gsub(/[^\p{L}\w\d\-_\ :\/,;.'\*"%?@#=$]/,'')
+                        raise "Value is not valid"
+                    end
+                    self.type = type
+                    self.raw_value = value
+                    self.report_uri = report_uri
+                end
+                def value(transaction_id=nil, session_id=nil, user_id=nil)
+                    if !self.report_uri
+                        return self.raw_value
+                    end
+                    begin
+                        uri = URI.parse(self.report_uri)
+                        new_query_ar = URI.decode_www_form(uri.query || '')
+                        if transaction_id
+                            new_query_ar << ["tid", transaction_id]
+                        end
+                        if session_id
+                            new_query_ar << ["sid", session_id]
+                        end
+                        if user_id
+                            new_query_ar << ["uid", user_id.to_s]
+                        end
+                        if new_query_ar != []
+                            uri.query = URI.encode_www_form(new_query_ar)
+                        end
+                        report_uri = uri.to_s
+                        return "#{self.raw_value}; report-uri #{report_uri}"
+                    rescue Exception=>e
+                        return self.raw_value
+                    end
+                end
+            end
+
+            attr_accessor :headers
+            attr_accessor :policy_id
+
+            def each(transaction_id=nil, hmac_session_id=nil, user_id=nil, &block)
+                result = []
+                headers.each do | header |
+                  header_value = header.value(transaction_id, hmac_session_id, user_id)
+                  header_names = ContentSecurityPolicy.cspHeadersForType(header.type)
+                  header_names.each do | header_name |
+                    result.push( {"name"=>header_name, "value"=>header_value} )
+                  end #doloop
+                end
+                result.each(&block)
+            end
+            def self.fromJson(policy_json)
+                if (!policy_json) 
+                    return nil
+                end
+                csp = ContentSecurityPolicy.new
+                if policy_json.has_key?("policy_id")
+                    csp.policy_id = policy_json["policy_id"]
+                else
+                    raise "Policy ID missing"
+                end
+                if policy_json.has_key?("headers")
+                    headers = policy_json["headers"]
+                    csp_headers = []
+                    headers.each do |header|
+                        if header.has_key?("name") && header.has_key?("value")
+                            begin
+                                csp_header = ContentSecurityPolicyHeader.new(header["name"], header["value"], header["report-uri"])
+                                csp_headers.push(csp_header)
+                            rescue Exception => secure_header_exception
+                                #pass
+                            end
+                        end
+                    end
+                    csp.headers = csp_headers
+                end
+                return csp
+            end
+            def self.cspHeadersForType(csp_type)
+                if (!csp_type)
+                    return []
+                end
+                if csp_type == "csp"
+                    return ["Content-Security-Policy"]#,"X-Content-Security-Policy","X-WebKit-CSP"]
+                elsif csp_type == "csp-report"
+                    return ["Content-Security-Policy-Report-Only"]#,"X-Content-Security-Policy-Report-Only","X-WebKit-CSP-Report-Only"]
+                else
+                    return []
+                end
+            end
+        end
+    end
+end