tcell_agent 0.2.21 → 0.2.22

data/spec/lib/tcell_agent/appsensor/injections_reporter_spec.rb

@@ -0,0 +1,222 @@
+require 'spec_helper'
+
+module TCellAgent
+  module AppSensor
+
+    describe InjectionsReporter do
+
+      describe "#check" do
+        before(:each) do
+          @payloads_policy = double("payloads_policy")
+          @injections_matcher = double("injections_matcher")
+          @injections_reporter = InjectionsReporter.new(@injections_matcher, @payloads_policy)
+
+          @appsensor_meta = TCellAgent::SensorEvents::AppSensorMetaEvent.new
+          @appsensor_meta.remote_address = "remote_address"
+          @appsensor_meta.method = "get"
+          @appsensor_meta.location = "location"
+          @appsensor_meta.route_id = "route_id"
+          @appsensor_meta.session_id = "session_id"
+          @appsensor_meta.user_id = "user_id"
+          @appsensor_meta.transaction_id = "transaction_id"
+        end
+
+        context "no matches" do
+          it "should not send any events" do
+            expect(@injections_matcher).to receive(:each_injection)
+            expect(@payloads_policy).to_not receive(:apply)
+            expect(TCellAgent).to_not receive(:send_event)
+
+            @injections_reporter.check(@appsensor_meta)
+          end
+        end
+
+        context "with one GET injection match" do
+          it "should send the appropriate event" do
+            expect(@injections_matcher).to receive(:each_injection) do |md, &block|
+              injection_attempt = TCellAgent::Policies::InjectionAttempt.new(
+                InjectionsReporter::GET_PARAM,
+                "xss",
+                {
+                  "param" => "dirty",
+                  "value" => "<script>",
+                  "pattern" => "pattern_id"
+                }
+              )
+
+              block.call(injection_attempt)
+            end
+            expect(@payloads_policy).to receive(:apply).with(
+              "xss", {}, InjectionsReporter::GET_PARAM, "dirty", "<script>", {"l"=>"query"}, "pattern_id"
+            )
+            expect(TCellAgent).to receive(:send_event).with(
+              {
+                "event_type"=>"as",
+                "dp"=>"xss",
+                "param"=>"dirty",
+                "remote_addr"=>"remote_address",
+                "m"=>"get",
+                "pattern"=>"pattern_id",
+                "meta"=>{"l"=>"query"},
+                "rid"=>"route_id"
+              }
+            )
+
+            @injections_reporter.check(@appsensor_meta)
+          end
+        end
+
+        context "with one POST injection match" do
+          it "should send the appropriate event" do
+            @appsensor_meta.method = "post"
+
+            expect(@injections_matcher).to receive(:each_injection) do |md, &block|
+              injection_attempt = TCellAgent::Policies::InjectionAttempt.new(
+                InjectionsReporter::POST_PARAM,
+                "xss",
+                {
+                  "param" => "dirty",
+                  "value" => "<script>",
+                  "pattern" => "pattern_id"
+                }
+              )
+
+              block.call(injection_attempt)
+            end
+            expect(@payloads_policy).to receive(:apply).with(
+              "xss", {}, InjectionsReporter::POST_PARAM, "dirty", "<script>", {"l"=>"body"}, "pattern_id"
+            )
+            expect(TCellAgent).to receive(:send_event).with(
+              {
+                "event_type"=>"as",
+                "dp"=>"xss",
+                "param"=>"dirty",
+                "remote_addr"=>"remote_address",
+                "m"=>"post",
+                "pattern"=>"pattern_id",
+                "meta"=>{"l"=>"body"},
+                "rid"=>"route_id"
+              }
+            )
+
+            @injections_reporter.check(@appsensor_meta)
+          end
+        end
+
+        context "with one JSON injection match" do
+          it "should send the appropriate event" do
+            @appsensor_meta.method = "post"
+
+            expect(@injections_matcher).to receive(:each_injection) do |md, &block|
+              injection_attempt = TCellAgent::Policies::InjectionAttempt.new(
+                InjectionsReporter::JSON_PARAM,
+                "xss",
+                {
+                  "param" => "dirty",
+                  "value" => "<script>",
+                  "pattern" => "pattern_id"
+                }
+              )
+
+              block.call(injection_attempt)
+            end
+            expect(@payloads_policy).to receive(:apply).with(
+              "xss", {}, InjectionsReporter::JSON_PARAM, "dirty", "<script>", {"l"=>"body"}, "pattern_id"
+            )
+            expect(TCellAgent).to receive(:send_event).with(
+              {
+                "event_type"=>"as",
+                "dp"=>"xss",
+                "param"=>"dirty",
+                "remote_addr"=>"remote_address",
+                "m"=>"post",
+                "pattern"=>"pattern_id",
+                "meta"=>{"l"=>"body"},
+                "rid"=>"route_id"
+              }
+            )
+
+            @injections_reporter.check(@appsensor_meta)
+          end
+        end
+
+        context "with one URI injection match" do
+          it "should send the appropriate event" do
+            @appsensor_meta.method = "get"
+
+            expect(@injections_matcher).to receive(:each_injection) do |md, &block|
+              injection_attempt = TCellAgent::Policies::InjectionAttempt.new(
+                InjectionsReporter::URI_PARAM,
+                "xss",
+                {
+                  "param" => "dirty",
+                  "value" => "<script>",
+                  "pattern" => "pattern_id"
+                }
+              )
+
+              block.call(injection_attempt)
+            end
+            expect(@payloads_policy).to receive(:apply).with(
+              "xss", {}, InjectionsReporter::URI_PARAM, "dirty", "<script>", {"l"=>"uri"}, "pattern_id"
+            )
+            expect(TCellAgent).to receive(:send_event).with(
+              {
+                "event_type"=>"as",
+                "dp"=>"xss",
+                "param"=>"dirty",
+                "remote_addr"=>"remote_address",
+                "m"=>"get",
+                "pattern"=>"pattern_id",
+                "meta"=>{"l"=>"uri"},
+                "rid"=>"route_id"
+              }
+            )
+
+            @injections_reporter.check(@appsensor_meta)
+          end
+        end
+
+        context "with one COOKIE injection match" do
+          it "should send the appropriate event" do
+            @appsensor_meta.method = "get"
+
+            expect(@injections_matcher).to receive(:each_injection) do |md, &block|
+              injection_attempt = TCellAgent::Policies::InjectionAttempt.new(
+                InjectionsReporter::COOKIE_PARAM,
+                "xss",
+                {
+                  "param" => "dirty",
+                  "value" => "<script>",
+                  "pattern" => "pattern_id"
+                }
+              )
+
+              block.call(injection_attempt)
+            end
+            expect(@payloads_policy).to receive(:apply).with(
+              "xss", {}, InjectionsReporter::COOKIE_PARAM, "dirty", "<script>", {"l"=>"cookie"}, "pattern_id"
+            )
+            expect(TCellAgent).to receive(:send_event).with(
+              {
+                "event_type"=>"as",
+                "dp"=>"xss",
+                "param"=>"dirty",
+                "remote_addr"=>"remote_address",
+                "m"=>"get",
+                "pattern"=>"pattern_id",
+                "meta"=>{"l"=>"cookie"},
+                "rid"=>"route_id"
+              }
+            )
+
+            @injections_reporter.check(@appsensor_meta)
+          end
+        end
+
+      end
+
+    end
+
+  end
+end

data/spec/lib/tcell_agent/appsensor/rules/appsensor_rule_manager_spec.rb

@@ -3,10 +3,15 @@ require 'spec_helper'
 module TCellAgent
 
   describe AppSensorRuleManager do
+    after(:each) do
+      # since rule manager is a singleton, load default rules so rest of the specs work properly
+      AppSensorRuleManager.instance.load_default_rules_file
+    end
     describe "#initialize" do
       context "loading default baserules" do
         it "should initialize all the sensors" do
-          rule_manager = AppSensorRuleManager.new(get_test_resource_path("baserules.json"))
+          rule_manager = AppSensorRuleManager.instance
+          rule_manager.load_rules_file(get_test_resource_path("baserules.json"))
 
           expect(rule_manager.rule_info.empty?).to eq(false)
         end
@@ -16,24 +21,13 @@ module TCellAgent
     describe "#load_rules_file" do
       context "with nonexistent file" do
         it "should do nothing" do
-          rule_manager = AppSensorRuleManager.new()
+          rule_manager = AppSensorRuleManager.instance
           rule_manager.load_rules_file("non-existent-file.json")
 
           expect(rule_manager.rule_info.empty?).to eq(true)
         end
       end
     end
-
-    describe "#load_default_rules_file" do
-      it "should attempt to load default rules file" do
-        expect_any_instance_of(AppSensorRuleManager).to receive(:load_rules_file).with(
-          /tcell_agent\/appsensor\/rules\/baserules.json/
-        )
-
-        rule_manager = AppSensorRuleManager.new()
-        rule_manager.load_default_rules_file()
-      end
-    end
   end
 
 end

data/spec/lib/tcell_agent/appsensor/rules/appsensor_rule_set_spec.rb

@@ -27,7 +27,7 @@ module TCellAgent
         it "should add the pattern" do
           rule_set = AppSensorRuleSet.new
           rule_set.add_pattern_from_dict({
-            "id" => 1,
+            "id" => "1",
             "common" => "<(iframe)",
             "ruby" => "<(script)"
           })
@@ -37,7 +37,7 @@ module TCellAgent
 
           arp = rule_set.patterns[0]
           expect(arp.enabled).to eq(true)
-          expect(arp.pattern_id).to eq(1)
+          expect(arp.pattern_id).to eq("1")
           expect(arp.pattern_regex).to_not eq(nil)
           expect("<script".match(arp.pattern_regex).captures).to eq(["script"])
         end
@@ -47,7 +47,7 @@ module TCellAgent
         it "should add the pattern" do
           rule_set = AppSensorRuleSet.new
           rule_set.add_pattern_from_dict({
-            "id" => 1,
+            "id" => "1",
             "common" => "<(script|iframe|embed|frame|frameset|object|img|applet|body|html|style|layer|link|ilayer|meta|bgsound)"
           })
 
@@ -56,7 +56,7 @@ module TCellAgent
 
           arp = rule_set.patterns[0]
           expect(arp.enabled).to eq(true)
-          expect(arp.pattern_id).to eq(1)
+          expect(arp.pattern_id).to eq("1")
           expect(arp.pattern_regex).to_not eq(nil)
           expect("<script".match(arp.pattern_regex).captures).to eq(["script"])
         end
@@ -78,50 +78,50 @@ module TCellAgent
         @rule_set = AppSensorRuleSet.new
         @rule_set.set_safe_pattern_from_string("super_safe")
         @rule_set.add_pattern_from_dict({
-          "id" => 1,
+          "id" => "1",
           "common" => "<(script)"
         })
         @rule_set.add_pattern_from_dict({
-          "id" => 2,
+          "id" => "2",
           "common" => "<(iframe)"
         })
       end
 
       context "param value is nil" do
         it "should return nil" do
-          expect(@rule_set.check_violation(nil, nil, {}, true)).to eq(nil)
+          expect(@rule_set.check_violation(nil, nil, Set.new, true)).to eq(nil)
         end
       end
 
       context "param value is empty" do
         it "should return nil" do
-          expect(@rule_set.check_violation(nil, nil, {}, true)).to eq(nil)
+          expect(@rule_set.check_violation(nil, nil, Set.new, true)).to eq(nil)
         end
       end
 
       context "param value is present" do
         context "param value matches safe pattern" do
           it "should return nil" do
-            expect(@rule_set.check_violation("param_name", "super_safe", {}, true)).to eq(nil)
+            expect(@rule_set.check_violation("param_name", "super_safe", Set.new, true)).to eq(nil)
           end
         end
 
         context "param value does not match anything" do
           it "should return nil" do
-            expect(@rule_set.check_violation("param_name", "weeee", {}, true)).to eq(nil)
+            expect(@rule_set.check_violation("param_name", "weeee", Set.new, true)).to eq(nil)
           end
         end
 
         context "param value matches a pattern" do
           it "should return the match" do
-            match_data = @rule_set.check_violation("param_name", "evil <script>", {}, true)
-            expect(match_data).to eq({"param"=>"param_name", "value"=>"evil <script>", "pattern"=>1})
+            match_data = @rule_set.check_violation("param_name", "evil <script>", Set.new, true)
+            expect(match_data).to eq({"param"=>"param_name", "value"=>"evil <script>", "pattern"=>"1"})
           end
 
           context "uppercasing param value still matches pattern" do
             it "should return the match" do
-              match_data = @rule_set.check_violation("param_name", "evil <SCRIPT>", {}, true)
-              expect(match_data).to eq({"param"=>"param_name", "value"=>"evil <SCRIPT>", "pattern"=>1})
+              match_data = @rule_set.check_violation("param_name", "evil <SCRIPT>", Set.new, true)
+              expect(match_data).to eq({"param"=>"param_name", "value"=>"evil <SCRIPT>", "pattern"=>"1"})
             end
           end
         end
@@ -130,7 +130,7 @@ module TCellAgent
           context "all patterns are disabled" do
             context "param value contains evil pattern" do
               it "should return nil" do
-                match_data = @rule_set.check_violation("param_name", "evil <script>", {}, false)
+                match_data = @rule_set.check_violation("param_name", "evil <script>", Set.new, false)
                 expect(match_data).to eq(nil)
               end
             end
@@ -139,15 +139,15 @@ module TCellAgent
           context "one pattern is disabled" do
             context "evil param_value matches disabled pattern" do
               it "should return nil" do
-                match_data = @rule_set.check_violation("param_name", "evil <script>", {2 => true}, false)
+                match_data = @rule_set.check_violation("param_name", "evil <script>", Set.new(["2"]), false)
                 expect(match_data).to eq(nil)
               end
             end
 
             context "evil param_value matches enabled pattern" do
               it "should return the match" do
-                match_data = @rule_set.check_violation("param_name", "evil <iframe>", {2 => true}, false)
-                expect(match_data).to eq({"param"=>"param_name", "value"=>"evil <iframe>", "pattern"=>2})
+                match_data = @rule_set.check_violation("param_name", "evil <iframe>", Set.new(["2"]), false)
+                expect(match_data).to eq({"param"=>"param_name", "value"=>"evil <iframe>", "pattern"=>"2"})
               end
             end
           end

data/spec/lib/tcell_agent/patches/block_rule_spec.rb

@@ -0,0 +1,381 @@
+require 'spec_helper'
+
+module TCellAgent
+  module Patches
+
+    describe "BlockRule" do
+
+      describe ".from_json" do
+        context "empty action provided" do
+          it "should return nil" do
+            logger = double("logger")
+            expect(TCellAgent).to receive(:logger).and_return(logger)
+            expect(logger).to receive(:error).with("Patches Policy action not supported: ")
+
+            expect(BlockRule.from_json({"action" => nil})).to eq(nil)
+          end
+        end
+
+        context "unknown action provided" do
+          it "should return nil" do
+            logger = double("logger")
+            expect(TCellAgent).to receive(:logger).and_return(logger)
+            expect(logger).to receive(:error).with("Patches Policy action not supported: bogus")
+
+            expect(BlockRule.from_json({"action" => "bogus"})).to eq(nil)
+          end
+        end
+
+        context "with no ips or rids provided" do
+          it "should return nil" do
+            logger = double("logger")
+            expect(TCellAgent).to receive(:logger).and_return(logger)
+            expect(logger).to receive(:error).with("Patches Policy block rule cannot be global. Specify either ips and/or route ids")
+
+            expect(BlockRule.from_json({"action" => "block_403s"})).to eq(nil)
+          end
+
+        end
+
+        context "with all the fields provided" do
+          it "should create a block rule properly" do
+            policy_json = {
+              "ips" => ["1.1.1.1", "1.3.3.3"],
+              "rids" => ["1396482959514716287","1396482959514716237"],
+              "sensor_matches" => {
+                "xss" => {}
+              },
+              "action" => "block_403s"
+            }
+
+            block_rule = BlockRule.from_json(policy_json)
+
+            expect(block_rule.ips).to eq(Set.new(["1.1.1.1", "1.3.3.3"]))
+            expect(block_rule.rids).to eq(Set.new(["1396482959514716287", "1396482959514716237"]))
+            expect(block_rule.action).to eq("block_403s")
+            expect(block_rule.sensors_matcher.injections_matcher.enabled).to eq(true)
+            expect(block_rule.sensors_matcher.injections_matcher.sensors.size).to eq(1)
+            expect(block_rule.sensors_matcher.injections_matcher.sensors[0].active_pattern_ids).to eq(Set.new)
+          end
+        end
+
+      end
+
+      describe "#block?" do
+
+        context "with empty ips" do
+          context "with empty rids" do
+            # from_json prevents this case
+          end
+
+          context "with an rid" do
+            context "that matches the request" do
+              context "with empty sensors" do
+                it "should return true" do
+                  injections_matcher = double("injections_matcher")
+
+                  meta_data = TCellAgent::Patches::MetaData.new
+                  meta_data.remote_address = "1.1.1.1"
+                  meta_data.route_id = "route_id"
+
+                  block_rule = BlockRule.new(
+                    Set.new,
+                    Set.new(["route_id"]),
+                    SensorsMatcher.new(injections_matcher),
+                    "block_403s"
+                  )
+
+                  expect(injections_matcher).to receive(:enabled).and_return(false)
+
+                  expect(block_rule.block?(meta_data)).to eq(true)
+                end
+              end
+
+              context "with sensors" do
+                context "that don't have a match" do
+                  it "should return false" do
+                    injections_matcher = double("injections_matcher")
+
+                    meta_data = TCellAgent::Patches::MetaData.new
+                    meta_data.remote_address = "1.1.1.1"
+                    meta_data.route_id = "route_id"
+
+                    block_rule = BlockRule.new(
+                      Set.new,
+                      Set.new(["route_id"]),
+                      SensorsMatcher.new(injections_matcher),
+                      "block_403s"
+                    )
+
+                    expect(injections_matcher).to receive(:enabled).and_return(true)
+                    expect(injections_matcher).to receive(:each_injection)
+
+                    expect(block_rule.block?(meta_data)).to eq(false)
+                  end
+                end
+
+                context "that have a match" do
+                  it "should return true" do
+                    injections_matcher = double("injections_matcher")
+
+                    meta_data = TCellAgent::Patches::MetaData.new
+                    meta_data.remote_address = "1.1.1.1"
+                    meta_data.route_id = "route_id"
+
+                    block_rule = BlockRule.new(
+                      Set.new,
+                      Set.new(["route_id"]),
+                      SensorsMatcher.new(injections_matcher),
+                      "block_403s"
+                    )
+
+                    expect(injections_matcher).to receive(:enabled).and_return(true)
+                    expect(injections_matcher).to receive(:each_injection) do |md, &block|
+                      block.call(double("injection_attempt"))
+                    end
+
+                    expect(block_rule.block?(meta_data)).to eq(true)
+                  end
+                end
+              end
+            end
+
+            context "that does not match the request" do
+              context "with empty sensors" do
+                it "should return false" do
+                  injections_matcher = double("injections_matcher")
+
+                  meta_data = TCellAgent::Patches::MetaData.new
+                  meta_data.remote_address = "1.1.1.1"
+                  meta_data.route_id = "non_matching_route_id"
+
+                  block_rule = BlockRule.new(
+                    Set.new,
+                    Set.new(["route_id"]),
+                    SensorsMatcher.new(injections_matcher),
+                    "block_403s"
+                  )
+
+                  expect(injections_matcher).to_not receive(:enabled)
+
+                  expect(block_rule.block?(meta_data)).to eq(false)
+                end
+              end
+
+              context "with sensors" do
+                context "that don't have a match" do
+                  it "should return false" do
+                    injections_matcher = double("injections_matcher")
+
+                    meta_data = TCellAgent::Patches::MetaData.new
+                    meta_data.remote_address = "1.1.1.1"
+                    meta_data.route_id = "non_matching_route_id"
+
+                    block_rule = BlockRule.new(
+                      Set.new,
+                      Set.new(["route_id"]),
+                      SensorsMatcher.new(injections_matcher),
+                      "block_403s"
+                    )
+
+                    expect(injections_matcher).to_not receive(:enabled)
+
+                    expect(block_rule.block?(meta_data)).to eq(false)
+                  end
+                end
+
+                context "that have a match" do
+                  it "should return false" do
+                    injections_matcher = double("injections_matcher")
+
+                    meta_data = TCellAgent::Patches::MetaData.new
+                    meta_data.remote_address = "1.1.1.1"
+                    meta_data.route_id = "non_matching_route_id"
+
+                    block_rule = BlockRule.new(
+                      Set.new,
+                      Set.new(["route_id"]),
+                      SensorsMatcher.new(injections_matcher),
+                      "block_403s"
+                    )
+
+                    expect(injections_matcher).to_not receive(:enabled)
+
+                    expect(block_rule.block?(meta_data)).to eq(false)
+                  end
+                end
+              end
+            end
+          end
+        end
+
+        context "with ips" do
+          context "that does not match the request" do
+            it "should return false" do
+              injections_matcher = double("injections_matcher")
+
+              meta_data = TCellAgent::Patches::MetaData.new
+              meta_data.remote_address = "1.1.1.1"
+              meta_data.route_id = "route_id"
+
+              block_rule = BlockRule.new(
+                Set.new(["2.2.2.2"]),
+                Set.new(["route_id"]),
+                SensorsMatcher.new(injections_matcher),
+                "block_403s"
+              )
+
+              expect(injections_matcher).to_not receive(:enabled)
+
+              expect(block_rule.block?(meta_data)).to eq(false)
+            end
+          end
+
+          context "that matches the request" do
+            context "with an rid" do
+              context "that matches the request" do
+                context "with empty sensors" do
+                  it "should return true" do
+                    injections_matcher = double("injections_matcher")
+
+                    meta_data = TCellAgent::Patches::MetaData.new
+                    meta_data.remote_address = "1.1.1.1"
+                    meta_data.route_id = "route_id"
+
+                    block_rule = BlockRule.new(
+                      Set.new(["1.1.1.1"]),
+                      Set.new(["route_id"]),
+                      SensorsMatcher.new(injections_matcher),
+                      "block_403s"
+                    )
+
+                    expect(injections_matcher).to receive(:enabled).and_return(false)
+
+                    expect(block_rule.block?(meta_data)).to eq(true)
+                  end
+                end
+
+                context "with sensors" do
+                  context "that don't have a match" do
+                    it "should return false" do
+                      injections_matcher = double("injections_matcher")
+
+                      meta_data = TCellAgent::Patches::MetaData.new
+                      meta_data.remote_address = "1.1.1.1"
+                      meta_data.route_id = "route_id"
+
+                      block_rule = BlockRule.new(
+                        Set.new(["1.1.1.1"]),
+                        Set.new(["route_id"]),
+                        SensorsMatcher.new(injections_matcher),
+                        "block_403s"
+                      )
+
+                      expect(injections_matcher).to receive(:enabled).and_return(true)
+                      expect(injections_matcher).to receive(:each_injection)
+
+                      expect(block_rule.block?(meta_data)).to eq(false)
+                    end
+                  end
+
+                  context "that have a match" do
+                    it "should return true" do
+                      injections_matcher = double("injections_matcher")
+
+                      meta_data = TCellAgent::Patches::MetaData.new
+                      meta_data.remote_address = "1.1.1.1"
+                      meta_data.route_id = "route_id"
+
+                      block_rule = BlockRule.new(
+                        Set.new(["1.1.1.1"]),
+                        Set.new(["route_id"]),
+                        SensorsMatcher.new(injections_matcher),
+                        "block_403s"
+                      )
+
+                      expect(injections_matcher).to receive(:enabled).and_return(true)
+                      expect(injections_matcher).to receive(:each_injection) do |md, &block|
+                        block.call(double("injection_attempt"))
+                      end
+
+                      expect(block_rule.block?(meta_data)).to eq(true)
+                    end
+                  end
+                end
+              end
+
+              context "that does not match the request" do
+                context "with empty sensors" do
+                  it "should return false" do
+                    injections_matcher = double("injections_matcher")
+
+                    meta_data = TCellAgent::Patches::MetaData.new
+                    meta_data.remote_address = "1.1.1.1"
+                    meta_data.route_id = "non_matching_route_id"
+
+                    block_rule = BlockRule.new(
+                      Set.new(["1.1.1.1"]),
+                      Set.new(["route_id"]),
+                      SensorsMatcher.new(injections_matcher),
+                      "block_403s"
+                    )
+
+                    expect(injections_matcher).to_not receive(:enabled)
+
+                    expect(block_rule.block?(meta_data)).to eq(false)
+                  end
+                end
+
+                context "with sensors" do
+                  context "that don't have a match" do
+                    it "should return false" do
+                      injections_matcher = double("injections_matcher")
+
+                      meta_data = TCellAgent::Patches::MetaData.new
+                      meta_data.remote_address = "1.1.1.1"
+                      meta_data.route_id = "non_matching_route_id"
+
+                      block_rule = BlockRule.new(
+                        Set.new(["1.1.1.1"]),
+                        Set.new(["route_id"]),
+                        SensorsMatcher.new(injections_matcher),
+                        "block_403s"
+                      )
+
+                      expect(injections_matcher).to_not receive(:enabled)
+
+                      expect(block_rule.block?(meta_data)).to eq(false)
+                    end
+                  end
+
+                  context "that have a match" do
+                    it "should return false" do
+                      injections_matcher = double("injections_matcher")
+
+                      meta_data = TCellAgent::Patches::MetaData.new
+                      meta_data.remote_address = "1.1.1.1"
+                      meta_data.route_id = "non_matching_route_id"
+
+                      block_rule = BlockRule.new(
+                        Set.new(["1.1.1.1"]),
+                        Set.new(["route_id"]),
+                        SensorsMatcher.new(injections_matcher),
+                        "block_403s"
+                      )
+
+                      expect(injections_matcher).to_not receive(:enabled)
+
+                      expect(block_rule.block?(meta_data)).to eq(false)
+                    end
+                  end
+                end
+              end
+            end
+          end
+        end
+      end
+
+    end
+
+  end
+end