tcell_agent 0.2.29 → 0.4.0

data/spec/lib/tcell_agent/config/unknown_options_spec.rb

@@ -10,6 +10,7 @@ module TCellAgent
 
             orig_allow_uap = ENV.fetch("TCELL_AGENT_ALLOW_UNENCRYPTED_APPSENSOR_PAYLOADS", nil)
             orig_allow_uafp = ENV.fetch("TCELL_AGENT_ALLOW_UNENCRYPTED_APPFIREWALL_PAYLOADS", nil)
+            orig_allow_ap = ENV.fetch("TCELL_AGENT_ALLOW_PAYLOADS", nil)
             orig_demomode = ENV.fetch("TCELL_DEMOMODE", nil)
             orig_agent_home = ENV.fetch("TCELL_AGENT_HOME", nil)
             orig_agent_log_dir = ENV.fetch("TCELL_AGENT_LOG_DIR", nil)
@@ -24,6 +25,7 @@ module TCellAgent
             ENV["TCELL_HACK"] = "hack the system"
             ENV["TCELL_AGENT_ALLOW_UNENCRYPTED_APPSENSOR_PAYLOADS"] = "valid"
             ENV["TCELL_AGENT_ALLOW_UNENCRYPTED_APPFIREWALL_PAYLOADS"] = "valid"
+            ENV["TCELL_AGENT_ALLOW_PAYLOADS"] = "valid"
             ENV["TCELL_DEMOMODE"] = "valid"
             ENV["TCELL_AGENT_HOME"] = "valid"
             ENV["TCELL_AGENT_LOG_DIR"] = "valid"
@@ -49,6 +51,11 @@ module TCellAgent
             else
               ENV.delete "TCELL_AGENT_ALLOW_UNENCRYPTED_APPFIREWALL_PAYLOADS"
             end
+            if orig_allow_ap
+                ENV["TCELL_AGENT_ALLOW_PAYLOADS"] = orig_allow_ap
+            else
+              ENV.delete "TCELL_AGENT_ALLOW_PAYLOADS"
+            end
             if orig_demomode
               ENV["TCELL_DEMOMODE"] = orig_demomode
             else
@@ -135,6 +142,7 @@ module TCellAgent
                     "event_batch_size_limit" => 50,
                     "allow_unencrypted_appsensor_payloads" => true,
                     "allow_unencrypted_appfirewall_payloads" => true,
+                    "allow_payloads" => true,
                     "data_exposure" => {
                         "data_ex_level" => "boo",
                         "max_data_ex_db_records_per_request" => 10000},

data/spec/lib/tcell_agent/configuration_spec.rb

@@ -178,10 +178,10 @@ module TCellAgent
       end
     end
 
-    describe "#allow_unencrypted_appfirewall_payloads" do
+    describe "#allow_payloads" do
       context "setting it via config" do
         context "using allow_unencrypted_appsensor_payloads" do
-          it "should be true" do
+          it "should be false" do
             allow_unencrypted_appfirewall_payloads_enabled = double(
               "no_data_ex",
               read: {
@@ -189,7 +189,7 @@ module TCellAgent
                 applications: [
                   app_id: "app_id",
                   api_key: "api_key",
-                  allow_unencrypted_appsensor_payloads: true
+                  allow_unencrypted_appsensor_payloads: false
                 ]
               }.to_json
             )
@@ -202,12 +202,102 @@ module TCellAgent
 
             configuration = Configuration.new
 
-            expect(configuration.allow_unencrypted_appfirewall_payloads).to eq(true)
+            expect(configuration.allow_payloads).to eq(false)
           end
         end
 
         context "using allow_unencrypted_appfirewall_payloads" do
-          it "should be true" do
+          it "should be false" do
+            allow_unencrypted_appfirewall_payloads_enabled = double(
+              "no_data_ex",
+              read: {
+                version: 1,
+                applications: [
+                  app_id: "app_id",
+                  api_key: "api_key",
+                  allow_unencrypted_appfirewall_payloads: false
+                ]
+              }.to_json
+            )
+            expect(File).to receive(:file?).with(
+              File.join(Dir.getwd, "config/tcell_agent.config")
+            ).and_return(true)
+            expect(File).to receive(:open).with(
+              File.join(Dir.getwd, "config/tcell_agent.config")
+            ).and_return(allow_unencrypted_appfirewall_payloads_enabled)
+
+            configuration = Configuration.new
+
+            expect(configuration.allow_payloads).to eq(false)
+          end
+        end
+
+        context "using allow_payloads" do
+          it "should be false" do
+            allow_unencrypted_appfirewall_payloads_enabled = double(
+              "no_data_ex",
+              read: {
+                version: 1,
+                applications: [
+                  app_id: "app_id",
+                  api_key: "api_key",
+                  allow_payloads: false
+                ]
+              }.to_json
+            )
+            expect(File).to receive(:file?).with(
+              File.join(Dir.getwd, "config/tcell_agent.config")
+            ).and_return(true)
+            expect(File).to receive(:open).with(
+              File.join(Dir.getwd, "config/tcell_agent.config")
+            ).and_return(allow_unencrypted_appfirewall_payloads_enabled)
+
+            configuration = Configuration.new
+
+            expect(configuration.allow_payloads).to eq(false)
+          end
+        end
+      end
+
+      context "setting it via env var" do
+        context "TCELL_AGENT_ALLOW_UNENCRYPTED_APPSENSOR_PAYLOADS overrides config file" do
+          it "should be false" do
+            old_allow_unencrypted_appsensor_payloads = ENV["TCELL_AGENT_ALLOW_UNENCRYPTED_APPSENSOR_PAYLOADS"]
+
+            ENV["TCELL_AGENT_ALLOW_UNENCRYPTED_APPSENSOR_PAYLOADS"] = "false"
+
+            allow_unencrypted_appfirewall_payloads_enabled = double(
+              "no_data_ex",
+              read: {
+                version: 1,
+                applications: [
+                  app_id: "app_id",
+                  api_key: "api_key",
+                  allow_unencrypted_appsensor_payloads: true
+                ]
+              }.to_json
+            )
+            expect(File).to receive(:file?).with(
+              File.join(Dir.getwd, "config/tcell_agent.config")
+            ).and_return(true)
+            expect(File).to receive(:open).with(
+              File.join(Dir.getwd, "config/tcell_agent.config")
+            ).and_return(allow_unencrypted_appfirewall_payloads_enabled)
+
+            configuration = Configuration.new
+
+            ENV["TCELL_AGENT_ALLOW_UNENCRYPTED_APPSENSOR_PAYLOADS"] = old_allow_unencrypted_appsensor_payloads
+
+            expect(configuration.allow_payloads).to eq(false)
+          end
+        end
+
+        context "TCELL_AGENT_ALLOW_UNENCRYPTED_APPFIREWALL_PAYLOADS overrides config file" do
+          it "should be false" do
+            old_allow_unencrypted_appfirewall_payloads = ENV["TCELL_AGENT_ALLOW_UNENCRYPTED_APPFIREWALL_PAYLOADS"]
+
+            ENV["TCELL_AGENT_ALLOW_UNENCRYPTED_APPFIREWALL_PAYLOADS"] = "false"
+
             allow_unencrypted_appfirewall_payloads_enabled = double(
               "no_data_ex",
               read: {
@@ -228,7 +318,49 @@ module TCellAgent
 
             configuration = Configuration.new
 
-            expect(configuration.allow_unencrypted_appfirewall_payloads).to eq(true)
+            ENV["TCELL_AGENT_ALLOW_UNENCRYPTED_APPFIREWALL_PAYLOADS"] = old_allow_unencrypted_appfirewall_payloads
+
+            expect(configuration.allow_payloads).to eq(false)
+          end
+        end
+
+        context "TCELL_AGENT_ALLOW_PAYLOADS overrides everything else" do
+          it "should be false" do
+            old_allow_unencrypted_appsensor_payloads = ENV["TCELL_AGENT_ALLOW_UNENCRYPTED_APPSENSOR_PAYLOADS"]
+            old_allow_unencrypted_appfirewall_payloads = ENV["TCELL_AGENT_ALLOW_UNENCRYPTED_APPFIREWALL_PAYLOADS"]
+            old_tcell_agent_allow_payloads = ENV["TCELL_AGENT_ALLOW_PAYLOADS"]
+
+            ENV["TCELL_AGENT_ALLOW_UNENCRYPTED_APPSENSOR_PAYLOADS"] = "true"
+            ENV["TCELL_AGENT_ALLOW_UNENCRYPTED_APPFIREWALL_PAYLOADS"] = "true"
+            ENV["TCELL_AGENT_ALLOW_PAYLOADS"] = "false"
+
+            allow_unencrypted_appfirewall_payloads_enabled = double(
+              "no_data_ex",
+              read: {
+                version: 1,
+                applications: [
+                  app_id: "app_id",
+                  api_key: "api_key",
+                  allow_unencrypted_appsensor_payloads: true,
+                  allow_unencrypted_appfirewall_payloads: true,
+                  allow_payloads: true
+                ]
+              }.to_json
+            )
+            expect(File).to receive(:file?).with(
+              File.join(Dir.getwd, "config/tcell_agent.config")
+            ).and_return(true)
+            expect(File).to receive(:open).with(
+              File.join(Dir.getwd, "config/tcell_agent.config")
+            ).and_return(allow_unencrypted_appfirewall_payloads_enabled)
+
+            configuration = Configuration.new
+
+            ENV["TCELL_AGENT_ALLOW_UNENCRYPTED_APPSENSOR_PAYLOADS"] = old_allow_unencrypted_appsensor_payloads
+            ENV["TCELL_AGENT_ALLOW_UNENCRYPTED_APPFIREWALL_PAYLOADS"] = old_allow_unencrypted_appfirewall_payloads
+            ENV["TCELL_AGENT_ALLOW_PAYLOADS"] = old_tcell_agent_allow_payloads
+
+            expect(configuration.allow_payloads).to eq(false)
           end
         end
       end

data/spec/lib/tcell_agent/hooks/login_fraud_spec.rb

@@ -0,0 +1,357 @@
+require 'spec_helper'
+
+module TCellAgent
+
+  module Hooks
+    module V1
+      module Frameworks
+        module Rails
+          module Login
+            def self.register_login_event(status, rails_request, user_id, user_valid=nil)
+            end
+          end
+        end
+      end
+    end
+  end
+
+  module Hooks
+    module V1
+      module Login
+        LOGIN_SUCCESS = "success"
+        LOGIN_FAILURE = "failure"
+        def self.register_login_event(status, session_id, user_agent, referrer, remote_addr, header_keys, user_id, document_uri, user_valid=nil)
+        end
+      end
+    end
+  end
+
+  describe "manually requiring auth hooks" do
+    before(:all) do
+      require 'tcell_agent/hooks/login_fraud'
+    end
+
+    describe "Using generic interface" do
+      context "with a login failure" do
+        context "with login_failed_enabled set to true" do
+          it "should report the login failure" do
+            login_fraud = double("login_fraud", enabled: true, login_failed_enabled: true)
+
+            expect(TCellAgent).to receive(:policy).with(TCellAgent::PolicyTypes::LoginFraud).and_return(
+              login_fraud
+            )
+            expect(TCellAgent).to receive(:send_event).with(
+              {
+                "event_type" => "login",
+                "header_keys" => ["USER_AGENT", "X_FORWARDED_FOR"],
+                "user_agent" => "user_agent",
+                "referrer" => "referrer",
+                "remote_addr" => "1.1.1.1",
+                "user_id" => "user_id",
+                "document_uri" => "http://tcell.tcell.io/login?param_name=",
+                "session" => "48c0ce7961d8d5d4bd57bd77976b3d38",
+                "event_name" => "login-failure"
+              }
+            )
+
+            status = Hooks::V1::Login::LOGIN_FAILURE
+            header_keys = ["HTTP_USER_AGENT", "HTTP_X_FORWARDED_FOR"]
+            document_uri = "http://tcell.tcell.io/login?param_name=param_value"
+
+            Hooks::V1::Login.register_login_event(
+              status, "session_id", "user_agent", "referrer", "1.1.1.1", header_keys, "user_id", document_uri
+            )
+          end
+        end
+
+        context "with login_failed_enabled set to false" do
+          it "should NOT report the login failure" do
+            login_fraud = double("login_fraud", enabled: true, login_failed_enabled: false)
+
+            expect(TCellAgent).to receive(:policy).with(TCellAgent::PolicyTypes::LoginFraud).and_return(
+              login_fraud
+            )
+            expect(TCellAgent).to_not receive(:send_event)
+
+            status = Hooks::V1::Login::LOGIN_FAILURE
+            header_keys = ["HTTP_USER_AGENT", "HTTP_X_FORWARDED_FOR"]
+            document_uri = "http://tcell.tcell.io/login?param_name=param_value"
+
+            Hooks::V1::Login.register_login_event(
+              status, "session_id", "user_agent", "referrer", "1.1.1.1", header_keys, "user_id", document_uri
+            )
+          end
+        end
+      end
+
+      context "with a login success" do
+        context "with login_success_enabled set to true" do
+          it "should report the login success" do
+            login_fraud = double("login_fraud", enabled: true, login_success_enabled: true)
+
+            expect(TCellAgent).to receive(:policy).with(TCellAgent::PolicyTypes::LoginFraud).and_return(
+              login_fraud
+            )
+            expect(TCellAgent).to receive(:send_event).with(
+              {
+                "event_type" => "login",
+                "header_keys" => ["USER_AGENT", "X_FORWARDED_FOR"],
+                "user_agent" => "user_agent",
+                "referrer" => "referrer",
+                "remote_addr" => "1.1.1.1",
+                "user_id" => "user_id",
+                "document_uri" => "http://tcell.tcell.io/login?param_name=",
+                "session" => "48c0ce7961d8d5d4bd57bd77976b3d38",
+                "event_name" => "login-success"
+              }
+            )
+
+            status = Hooks::V1::Login::LOGIN_SUCCESS
+            header_keys = ["HTTP_USER_AGENT", "HTTP_X_FORWARDED_FOR"]
+            document_uri = "http://tcell.tcell.io/login?param_name=param_value"
+
+            Hooks::V1::Login.register_login_event(
+              status, "session_id", "user_agent", "referrer", "1.1.1.1", header_keys, "user_id", document_uri
+            )
+          end
+        end
+
+        context "with login_success_enabled set to false" do
+          it "should NOT report the login success" do
+            login_fraud = double("login_fraud", enabled: true, login_success_enabled: false)
+
+            expect(TCellAgent).to receive(:policy).with(TCellAgent::PolicyTypes::LoginFraud).and_return(
+              login_fraud
+            )
+            expect(TCellAgent).to_not receive(:send_event)
+
+            status = Hooks::V1::Login::LOGIN_SUCCESS
+            header_keys = ["HTTP_USER_AGENT", "HTTP_X_FORWARDED_FOR"]
+            document_uri = "http://tcell.tcell.io/login?param_name=param_value"
+
+            Hooks::V1::Login.register_login_event(
+              status, "session_id", "user_agent", "referrer", "1.1.1.1", header_keys, "user_id", document_uri
+            )
+          end
+        end
+      end
+
+      context "with an unknown status" do
+        it "should log the error" do
+          login_fraud = double("login_fraud", enabled: true)
+          logger = double("logger")
+
+          expect(TCellAgent).to receive(:policy).with(TCellAgent::PolicyTypes::LoginFraud).and_return(
+            login_fraud
+          )
+          expect(TCellAgent).to_not receive(:send_event)
+          expect(TCellAgent).to receive(:logger).and_return(logger)
+          expect(logger).to receive(:error).with("Unkown login status: mumbo-jumbo")
+
+          status = "mumbo-jumbo"
+          header_keys = ["HTTP_USER_AGENT", "HTTP_X_FORWARDED_FOR"]
+          document_uri = "http://tcell.tcell.io/login?param_name=param_value"
+
+          Hooks::V1::Login.register_login_event(
+            status, "session_id", "user_agent", "referrer", "1.1.1.1", header_keys, "user_id", document_uri
+          )
+        end
+      end
+    end
+
+    describe "Using rails interface" do
+      context "with a login failure" do
+        context "with login_failed_enabled set to true" do
+          it "should report the login failure" do
+            login_fraud = double("login_fraud", enabled: true, login_failed_enabled: true)
+            rails_request = double("rails_request")
+            tcell_data = TCellAgent::Instrumentation::TCellData.new
+            tcell_data.user_agent = "user_agent"
+            tcell_data.referrer = "referrer"
+            tcell_data.ip_address = "1.1.1.1"
+            tcell_data.path = "http://tcell.tcell.io/login?param_name=param_value"
+            tcell_data.hmac_session_id = TCellAgent::SensorEvents::Util.hmac("session_id")
+            request_env = {
+              TCellAgent::Instrumentation::TCELL_ID => tcell_data,
+              "HTTP_USER_AGENT" => true,
+              "HTTP_X_FORWARDED_FOR" => true
+            }
+
+
+            expect(TCellAgent).to receive(:policy).with(TCellAgent::PolicyTypes::LoginFraud).and_return(
+              login_fraud
+            )
+            expect(rails_request).to receive(:env).and_return(request_env)
+            expect(rails_request).to receive(:env).and_return(request_env)
+            expect(TCellAgent).to receive(:send_event).with(
+              {
+                "event_type" => "login",
+                "header_keys" => ["USER_AGENT", "X_FORWARDED_FOR"],
+                "user_agent" => "user_agent",
+                "referrer" => "referrer",
+                "remote_addr" => "1.1.1.1",
+                "user_id" => "user_id",
+                "document_uri" => "http://tcell.tcell.io/login?param_name=",
+                "session" => "48c0ce7961d8d5d4bd57bd77976b3d38",
+                "event_name" => "login-failure"
+              }
+            )
+
+            status = Hooks::V1::Login::LOGIN_FAILURE
+
+            Hooks::V1::Frameworks::Rails::Login.register_login_event(
+              status, rails_request, "user_id"
+            )
+          end
+        end
+
+        context "with login_failed_enabled set to false" do
+          it "should NOT report the login failure" do
+            login_fraud = double("login_fraud", enabled: true, login_failed_enabled: false)
+            rails_request = double("rails_request")
+            tcell_data = TCellAgent::Instrumentation::TCellData.new
+            tcell_data.user_agent = "user_agent"
+            tcell_data.referrer = "referrer"
+            tcell_data.ip_address = "1.1.1.1"
+            tcell_data.path = "http://tcell.tcell.io/login?param_name=param_value"
+            tcell_data.hmac_session_id = TCellAgent::SensorEvents::Util.hmac("session_id")
+            request_env = {
+              TCellAgent::Instrumentation::TCELL_ID => tcell_data,
+              "HTTP_USER_AGENT" => true,
+              "HTTP_X_FORWARDED_FOR" => true
+            }
+
+
+            expect(TCellAgent).to receive(:policy).with(TCellAgent::PolicyTypes::LoginFraud).and_return(
+              login_fraud
+            )
+            expect(rails_request).to receive(:env).and_return(request_env)
+            expect(rails_request).to receive(:env).and_return(request_env)
+            expect(TCellAgent).to_not receive(:send_event)
+
+            status = Hooks::V1::Login::LOGIN_FAILURE
+
+            Hooks::V1::Frameworks::Rails::Login.register_login_event(
+              status, rails_request, "user_id"
+            )
+          end
+        end
+      end
+
+      context "with a login success" do
+        context "with login_success_enabled set to true" do
+          it "should report the login success" do
+            login_fraud = double("login_fraud", enabled: true, login_success_enabled: true)
+            rails_request = double("rails_request")
+            tcell_data = TCellAgent::Instrumentation::TCellData.new
+            tcell_data.user_agent = "user_agent"
+            tcell_data.referrer = "referrer"
+            tcell_data.ip_address = "1.1.1.1"
+            tcell_data.path = "http://tcell.tcell.io/login?param_name=param_value"
+            tcell_data.hmac_session_id = TCellAgent::SensorEvents::Util.hmac("session_id")
+            request_env = {
+              TCellAgent::Instrumentation::TCELL_ID => tcell_data,
+              "HTTP_USER_AGENT" => true,
+              "HTTP_X_FORWARDED_FOR" => true
+            }
+
+
+            expect(TCellAgent).to receive(:policy).with(TCellAgent::PolicyTypes::LoginFraud).and_return(
+              login_fraud
+            )
+            expect(rails_request).to receive(:env).and_return(request_env)
+            expect(rails_request).to receive(:env).and_return(request_env)
+            expect(TCellAgent).to receive(:send_event).with(
+              {
+                "event_type" => "login",
+                "header_keys" => ["USER_AGENT", "X_FORWARDED_FOR"],
+                "user_agent" => "user_agent",
+                "referrer" => "referrer",
+                "remote_addr" => "1.1.1.1",
+                "user_id" => "user_id",
+                "document_uri" => "http://tcell.tcell.io/login?param_name=",
+                "session" => "48c0ce7961d8d5d4bd57bd77976b3d38",
+                "event_name" => "login-success"
+              }
+            )
+
+            status = Hooks::V1::Login::LOGIN_SUCCESS
+
+            Hooks::V1::Frameworks::Rails::Login.register_login_event(
+              status, rails_request, "user_id"
+            )
+          end
+        end
+
+        context "with login_success_enabled set to false" do
+          it "should NOT report the login success" do
+            login_fraud = double("login_fraud", enabled: true, login_success_enabled: false)
+            rails_request = double("rails_request")
+            tcell_data = TCellAgent::Instrumentation::TCellData.new
+            tcell_data.user_agent = "user_agent"
+            tcell_data.referrer = "referrer"
+            tcell_data.ip_address = "1.1.1.1"
+            tcell_data.path = "http://tcell.tcell.io/login?param_name=param_value"
+            tcell_data.hmac_session_id = TCellAgent::SensorEvents::Util.hmac("session_id")
+            request_env = {
+              TCellAgent::Instrumentation::TCELL_ID => tcell_data,
+              "HTTP_USER_AGENT" => true,
+              "HTTP_X_FORWARDED_FOR" => true
+            }
+
+
+            expect(TCellAgent).to receive(:policy).with(TCellAgent::PolicyTypes::LoginFraud).and_return(
+              login_fraud
+            )
+            expect(rails_request).to receive(:env).and_return(request_env)
+            expect(rails_request).to receive(:env).and_return(request_env)
+            expect(TCellAgent).to_not receive(:send_event)
+
+            status = Hooks::V1::Login::LOGIN_SUCCESS
+
+            Hooks::V1::Frameworks::Rails::Login.register_login_event(
+              status, rails_request, "user_id"
+            )
+          end
+        end
+      end
+
+      context "with an unknown status" do
+        it "should log the error" do
+          login_fraud = double("login_fraud", enabled: true, login_failed_enabled: true)
+          logger = double("logger")
+          rails_request = double("rails_request")
+          tcell_data = TCellAgent::Instrumentation::TCellData.new
+          tcell_data.user_agent = "user_agent"
+          tcell_data.referrer = "referrer"
+          tcell_data.ip_address = "1.1.1.1"
+          tcell_data.path = "http://tcell.tcell.io/login?param_name=param_value"
+          tcell_data.hmac_session_id = TCellAgent::SensorEvents::Util.hmac("session_id")
+          request_env = {
+            TCellAgent::Instrumentation::TCELL_ID => tcell_data,
+            "HTTP_USER_AGENT" => true,
+            "HTTP_X_FORWARDED_FOR" => true
+          }
+
+
+          expect(TCellAgent).to receive(:policy).with(TCellAgent::PolicyTypes::LoginFraud).and_return(
+            login_fraud
+          )
+          expect(rails_request).to receive(:env).and_return(request_env)
+          expect(rails_request).to receive(:env).and_return(request_env)
+          expect(TCellAgent).to_not receive(:send_event)
+          expect(TCellAgent).to receive(:logger).and_return(logger)
+          expect(logger).to receive(:error).with("Unkown login status: mumbo-jumbo")
+
+          status = "mumbo-jumbo"
+
+          Hooks::V1::Frameworks::Rails::Login.register_login_event(
+            status, rails_request, "user_id"
+          )
+        end
+      end
+    end
+
+  end
+
+end