tcell_agent 0.4.0 → 1.0.0

data/spec/lib/tcell_agent/policies/appsensor_policy_spec.rb

@@ -2,389 +2,458 @@ require 'spec_helper'
 
 module TCellAgent
   module Policies
-
-    describe AppSensorPolicy do
-
+    describe RustPolicies do
       everything_enabled_policy_json = {
-        "policy_id" => "01a1",
-        "version" => 2,
-        "data" => {
-          "options" => {
-            "uri_options" => {
-              "collect_full_uri" => true
-            },
-            "payloads" => {
-              "send_payloads" => true,
-              "send_blacklist" => {
-                  "ssn" => ["*"],
-                  "password" => ["*"]
+        'appsensor' => {
+          'policy_id' => '01a1',
+          'version' => 2,
+          'data' => {
+            'options' => {
+              'uri_options' => {
+                'collect_full_uri' => true
               },
-              "send_whitelist" => {},
-              "log_payloads" => true,
-              "log_blacklist" => {},
-              "log_whitelist" => {
-                  "username" => ["*"]
+              'payloads' => {
+                'send_payloads' => true,
+                'send_blacklist' => {
+                  'ssn' => ['*'],
+                  'password' => ['*']
+                },
+                'send_whitelist' => {},
+                'log_payloads' => true,
+                'log_blacklist' => {},
+                'log_whitelist' => {
+                  'username' => ['*']
+                }
               }
-            }
-          },
-          "sensors" => {
-            "req_size" => {
-                "limit" => 1024,
-                "exclude_routes" => ["2300"]
             },
-            "resp_size" => {
-                "limit" => 2048,
-                "exclude_routes" => ["2323"]
-            },
-            "resp_codes" => {
-                "series_400_enabled" => true,
-                "series_500_enabled" => true
-            },
-            "xss" => {
-                "libinjection" => true,
-                "patterns" => ["1","2","8"],
-                "exclusions" => {
-                    "bob" => ["*"]
+            'sensors' => {
+              'req_size' => {
+                'limit' => 1024,
+                'exclude_routes' => ['2300']
+              },
+              'resp_size' => {
+                'limit' => 2048,
+                'exclude_routes' => ['2323']
+              },
+              'resp_codes' => {
+                'series_400_enabled' => true,
+                'series_500_enabled' => true
+              },
+              'xss' => {
+                'libinjection' => true,
+                'patterns' => %w[1 2 8],
+                'exclusions' => {
+                  'bob' => ['*']
                 }
-            },
-            "sqli" => {
-                "libinjection" => true,
-                "exclude_headers" => true,
-                "patterns" => ["1"]
-            },
-            "fpt" => {
-                "patterns" => ["1","2"],
-                "exclude_forms" => true,
-                "exclude_cookies" => true,
-                "exclusions" => {
-                    "somethingcommon" => ["form"]
+              },
+              'sqli' => {
+                'libinjection' => true,
+                'exclude_headers' => true,
+                'patterns' => ['1']
+              },
+              'fpt' => {
+                'patterns' => %w[1 2],
+                'exclude_forms' => true,
+                'exclude_cookies' => true,
+                'exclusions' => {
+                  'somethingcommon' => ['form']
+                }
+              },
+              'cmdi' => {
+                'patterns' => %w[1 2]
+              },
+              'nullbyte' => {
+                'patterns' => %w[1 2]
+              },
+              'retr' => {
+                'patterns' => %w[1 2]
+              },
+              'ua' => {
+                'empty_enabled' => true
+              },
+              'errors' => {
+                'csrf_exception_enabled' => true,
+                'sql_exception_enabled' => true
+              },
+              'database' => {
+                'large_result' => {
+                  'limit' => 10
                 }
-            },
-            "cmdi" => {
-                 "patterns" => ["1","2"]
-            },
-            "nullbyte" => {
-                 "patterns" => ["1","2"]
-            },
-            "retr" => {
-                 "patterns" => ["1","2"]
-            },
-            "ua" => {
-              "empty_enabled" => true,
-            },
-            "errors" => {
-              "csrf_exception_enabled" => true,
-              "sql_exception_enabled" => true
-            },
-            "database" => {
-              "large_result" => {
-                "limit" => 10
               }
             }
           }
+        },
+        'regex' => {
+          'data' => {
+            'patterns' => [
+              {
+                'id' => 'tc-xss-1',
+                'pattern' => '(?:<(script))',
+                'sensor' => 'xss',
+                'title' => 'Basic Injection'
+              },
+              {
+                'safe_pattern' => '^[a-zA-Z0-9_\\s\\r\\n\\t]*$',
+                'pattern' => '(?:[\\s()]case\\s*\\()|(?:\\)\\s*like\\s*\\()|(?:having\\s*[^\\s]+\\s*[^\\w\\s])|(?:if\\s?\\([\\d\\w]\\s*[=<>~])',
+                'sensor' => 'sqli',
+                'id' => 'tc-sqli-1',
+                'title' => 'Conditional Attempts'
+              }
+            ],
+            'version' => 1_518_546_622_571
+          },
+          'policy_id' => 'f3a313b0-10eb-11e8-8080-808080808080',
+          'version' => 1
         }
       }
 
-      describe "#from_json" do
-        context "with v2 policy" do
-          context "that is missing a policy id" do
-            it "should have appfirewall disabled" do
-              policy = AppSensorPolicy.from_json({
-                "version" => 2,
-                "data" => { }
-              })
-
-              expect(policy.appfirewall_enabled).to eq(false)
-              expect(policy.appfirewall_ptr).to be_nil
+      describe '#update_policies' do
+        before(:each) do
+          @rust_policies = RustPolicies.new
+        end
+
+        context 'with v2 policy' do
+          context 'that is missing a policy id' do
+            it 'should have appfirewall disabled' do
+              logger = double('logger')
+
+              expect(TCellAgent).to receive(:logger).and_return(logger)
+              expect(logger).to receive(:error).with(
+                'Error updating policies: Failed to decode appsensor policy: missing field `policy_id`'
+              )
+
+              @rust_policies.update_policies({
+                                               'appsensor' => {
+                                                 'version' => 2,
+                                                 'data' => {}
+                                               }
+                                             })
+
+              expect(@rust_policies.appfirewall_enabled).to eq(false)
             end
           end
 
-          context "that is missing a version id" do
-            it "should have appfirewall disabled" do
-              policy = AppSensorPolicy.from_json({
-                "policy_id" => "01a1",
-                "data" => { }
-              })
+          context 'that is missing a version id' do
+            it 'should have appfirewall disabled' do
+              logger = double('logger')
 
-              expect(policy.appfirewall_enabled).to eq(false)
-              expect(policy.appfirewall_ptr).to be_nil
+              expect(TCellAgent).to receive(:logger).and_return(logger)
+              expect(logger).to receive(:error).with(
+                'Error updating policies: Failed to decode appsensor policy: missing field `version`'
+              )
+
+              @rust_policies.update_policies({
+                                               'appsensor' => {
+                                                 'policy_id' => '01a1',
+                                                 'data' => {}
+                                               }
+                                             })
+
+              expect(@rust_policies.appfirewall_enabled).to eq(false)
             end
           end
 
-          context "that has no sensors" do
-            it "should have all sensors disabled" do
+          context 'that has no sensors' do
+            it 'should have all sensors disabled' do
+              expect(TCellAgent).to_not receive(:logger)
+
               policy_json_empty = {
-                "policy_id" => "01a1",
-                "version" => 2,
-                "data" => {
+                'appsensor' => {
+                  'policy_id' => '01a1',
+                  'version' => 2,
+                  'data' => {
+                  }
                 }
               }
 
-              empty_policy = AppSensorPolicy.from_json(policy_json_empty)
+              @rust_policies.update_policies(policy_json_empty)
 
-              expect(empty_policy.appfirewall_enabled).to eq(false)
-              expect(empty_policy.appfirewall_ptr).to_not be_nil
+              expect(@rust_policies.appfirewall_enabled).to eq(false)
             end
           end
 
-          context "that has empty sensors" do
-            it "should have all sensors disabled" do
+          context 'that has empty sensors' do
+            it 'should have all sensors disabled' do
+              expect(TCellAgent).to_not receive(:logger)
+
               policy_json_empty = {
-                "policy_id" => "01a1",
-                "version" => 2,
-                "data" => {
-                  "sensors" => {}
+                'appsensor' => {
+                  'policy_id' => '01a1',
+                  'version' => 2,
+                  'data' => {
+                    'sensors' => {}
+                  }
                 }
               }
 
-              empty_policy = AppSensorPolicy.from_json(policy_json_empty)
+              @rust_policies.update_policies(policy_json_empty)
 
-              expect(empty_policy.appfirewall_enabled).to eq(true)
-              expect(empty_policy.appfirewall_ptr).to_not be_nil
+              expect(@rust_policies.appfirewall_enabled).to eq(true)
             end
           end
 
-          context "that only has xss enabled" do
-            it "should be enabled" do
+          context 'that only has xss enabled' do
+            it 'should be enabled' do
+              expect(TCellAgent).to_not receive(:logger)
+
               policy_json = {
-                "policy_id" => "01a1",
-                "version" => 2,
-                "data" => {
-                  "sensors" => {
-                    "xss" => {
-                      "libinjection" => true,
-                      "patterns" => ["1","2","8"],
-                      "exclusions" => {
-                          "bob" => ["*"]
+                'appsensor' => {
+                  'policy_id' => '01a1',
+                  'version' => 2,
+                  'data' => {
+                    'sensors' => {
+                      'xss' => {
+                        'libinjection' => true,
+                        'patterns' => %w[1 2 8],
+                        'exclusions' => {
+                          'bob' => ['*']
+                        }
                       }
                     }
                   }
                 }
               }
 
-              policy = AppSensorPolicy.from_json(policy_json)
+              @rust_policies.update_policies(policy_json)
 
-              expect(policy.appfirewall_enabled).to eq(true)
-              expect(policy.appfirewall_ptr).to_not be_nil
+              expect(@rust_policies.appfirewall_enabled).to eq(true)
             end
           end
 
-          context "that has everything enabled" do
-            it "should be enabled" do
-              policy = AppSensorPolicy.from_json(everything_enabled_policy_json)
+          context 'that has everything enabled' do
+            it 'should be enabled' do
+              expect(TCellAgent).to_not receive(:logger)
+
+              @rust_policies.update_policies(everything_enabled_policy_json)
 
-              expect(policy.appfirewall_enabled).to eq(true)
-              expect(policy.appfirewall_ptr).to_not be_nil
+              expect(@rust_policies.appfirewall_enabled).to eq(true)
             end
           end
         end
       end
 
-      describe "#process_meta_event" do
-        context "with everything enabled policy" do
+      describe '#check_appfirewall_injections' do
+        context 'with everything enabled policy' do
           before(:each) do
-            @policy = AppSensorPolicy.from_json(everything_enabled_policy_json)
+            @rust_policies = RustPolicies.new
+            @rust_policies.update_policies(everything_enabled_policy_json)
             @appsensor_meta = TCellAgent::SensorEvents::AppSensorMetaEvent.new(
-              "get",
-              "remote_address",
-              "route_id",
-              "session_id",
-              "user_id",
-              "transaction_id")
-            @appsensor_meta.user_agent = "Mozilla"
+              'GET',
+              '192.168.1.1',
+              '12345',
+              'session_id',
+              'user_id',
+              'transaction_id',
+              'http://test.com/?some_param=present'
+            )
+            @appsensor_meta.user_agent = 'Mozilla'
             @appsensor_meta.response_code = 200
           end
 
-          context "csrf exception" do
-            context "nil csrf exception" do
-              it "should not send an event" do
+          context 'csrf exception' do
+            context 'nil csrf exception' do
+              it 'should not send an event' do
                 expect(TCellAgent).to_not receive(:send_event)
 
                 @appsensor_meta.csrf_exception_name = nil
-                @policy.process_meta_event(
+                @rust_policies.check_appfirewall_injections(
                   @appsensor_meta
                 )
               end
             end
 
-            context "empty csrf exception" do
-              it "should not send an event" do
+            context 'empty csrf exception' do
+              it 'should not send an event' do
                 expect(TCellAgent).to_not receive(:send_event)
 
-                @appsensor_meta.csrf_exception_name = ""
-                @policy.process_meta_event(
+                @appsensor_meta.csrf_exception_name = ''
+                @rust_policies.check_appfirewall_injections(
                   @appsensor_meta
                 )
               end
             end
 
-            context "one csrf exception" do
-              it "should send a csrf exception event" do
+            context 'one csrf exception' do
+              it 'should send a csrf exception event' do
                 expect(TCellAgent).to receive(:send_event).with({
-                  "event_type" => "as",
-                  "dp" => "excsrf",
-                  "param" => "ActionController::InvalidAuthenticityToken",
-                  "m" => "get",
-                  "rid" => "route_id",
-                  "uid" => "user_id",
-                  "sid" => "session_id",
-                  "remote_addr" => "remote_address"
-                })
-
-                @appsensor_meta.csrf_exception_name = "ActionController::InvalidAuthenticityToken"
-                @policy.process_meta_event(
+                                                                  'event_type' => 'as',
+                                                                  'dp' => 'excsrf',
+                                                                  'param' => 'ActionController::InvalidAuthenticityToken',
+                                                                  'm' => 'GET',
+                                                                  'rid' => '12345',
+                                                                  'full_uri' => 'http://test.com/?some_param=present',
+                                                                  'uri' => 'http://test.com/?some_param=',
+                                                                  'uid' => 'user_id',
+                                                                  'sid' => 'session_id',
+                                                                  'remote_addr' => '192.168.1.1'
+                                                                })
+
+                @appsensor_meta.csrf_exception_name = 'ActionController::InvalidAuthenticityToken'
+                @rust_policies.check_appfirewall_injections(
                   @appsensor_meta
                 )
               end
             end
           end
 
-          context "sql exception" do
-            context "empty sql exceptions" do
-              it "should not send an event" do
+          context 'sql exception' do
+            context 'empty sql exceptions' do
+              it 'should not send an event' do
                 expect(TCellAgent).to_not receive(:send_event)
 
                 @appsensor_meta.sql_exceptions = []
-                @policy.process_meta_event(
+                @rust_policies.check_appfirewall_injections(
                   @appsensor_meta
                 )
               end
             end
 
-            context "one sql exception" do
-              it "should send one event" do
+            context 'one sql exception' do
+              it 'should send one event' do
                 expect(TCellAgent).to receive(:send_event).with({
-                  "event_type" => "as",
-                  "dp" => "exsql",
-                  "param" => "ActiveRecord::StatementInvalid",
-                  "m" => "get",
-                  "rid" => "route_id",
-                  "uid" => "user_id",
-                  "sid" => "session_id",
-                  "remote_addr" => "remote_address",
-                  "payload" => "exception message goes here"
-                })
+                                                                  'event_type' => 'as',
+                                                                  'dp' => 'exsql',
+                                                                  'param' => 'ActiveRecord::StatementInvalid',
+                                                                  'm' => 'GET',
+                                                                  'rid' => '12345',
+                                                                  'full_uri' => 'http://test.com/?some_param=present',
+                                                                  'uri' => 'http://test.com/?some_param=',
+                                                                  'uid' => 'user_id',
+                                                                  'sid' => 'session_id',
+                                                                  'remote_addr' => '192.168.1.1',
+                                                                  'payload' => 'exception message goes here'
+                                                                })
 
                 @appsensor_meta.sql_exceptions = [{
-                  "exception_name" => "ActiveRecord::StatementInvalid",
-                  "exception_payload" => "exception message goes here"
+                  'exception_name' => 'ActiveRecord::StatementInvalid',
+                  'exception_payload' => 'exception message goes here'
                 }]
-                @policy.process_meta_event(
+                @rust_policies.check_appfirewall_injections(
                   @appsensor_meta
                 )
               end
             end
 
-            context "multiple sql exception" do
-              it "should send multiple event" do
+            context 'multiple sql exception' do
+              it 'should send multiple event' do
                 expect(TCellAgent).to receive(:send_event).with({
-                  "event_type" => "as",
-                  "dp" => "exsql",
-                  "param" => "ActiveRecord::StatementInvalid",
-                  "m" => "get",
-                  "rid" => "route_id",
-                  "uid" => "user_id",
-                  "sid" => "session_id",
-                  "remote_addr" => "remote_address",
-                  "payload" => "exception message goes here"
-                })
+                                                                  'event_type' => 'as',
+                                                                  'dp' => 'exsql',
+                                                                  'param' => 'ActiveRecord::StatementInvalid',
+                                                                  'm' => 'GET',
+                                                                  'rid' => '12345',
+                                                                  'full_uri' => 'http://test.com/?some_param=present',
+                                                                  'uri' => 'http://test.com/?some_param=',
+                                                                  'uid' => 'user_id',
+                                                                  'sid' => 'session_id',
+                                                                  'remote_addr' => '192.168.1.1',
+                                                                  'payload' => 'exception message goes here'
+                                                                })
                 expect(TCellAgent).to receive(:send_event).with({
-                  "event_type" => "as",
-                  "dp" => "exsql",
-                  "param" => "ActiveRecord::StatementInvalid",
-                  "m" => "get",
-                  "rid" => "route_id",
-                  "uid" => "user_id",
-                  "sid" => "session_id",
-                  "remote_addr" => "remote_address",
-                  "payload" => "second exception message goes here"
-                })
+                                                                  'event_type' => 'as',
+                                                                  'dp' => 'exsql',
+                                                                  'param' => 'ActiveRecord::StatementInvalid',
+                                                                  'm' => 'GET',
+                                                                  'rid' => '12345',
+                                                                  'full_uri' => 'http://test.com/?some_param=present',
+                                                                  'uri' => 'http://test.com/?some_param=',
+                                                                  'uid' => 'user_id',
+                                                                  'sid' => 'session_id',
+                                                                  'remote_addr' => '192.168.1.1',
+                                                                  'payload' => 'second exception message goes here'
+                                                                })
 
                 @appsensor_meta.sql_exceptions = [
                   {
-                    "exception_name" => "ActiveRecord::StatementInvalid",
-                    "exception_payload" => "exception message goes here"
+                    'exception_name' => 'ActiveRecord::StatementInvalid',
+                    'exception_payload' => 'exception message goes here'
                   },
                   {
-                    "exception_name" => "ActiveRecord::StatementInvalid",
-                    "exception_payload" => "second exception message goes here"
+                    'exception_name' => 'ActiveRecord::StatementInvalid',
+                    'exception_payload' => 'second exception message goes here'
                   }
                 ]
-                @policy.process_meta_event(
+                @rust_policies.check_appfirewall_injections(
                   @appsensor_meta
                 )
               end
             end
           end
 
-          context "db max result" do
-            context "nil db max result" do
-              it "should not send an event" do
+          context 'db max result' do
+            context 'nil db max result' do
+              it 'should not send an event' do
                 expect(TCellAgent).to_not receive(:send_event)
 
                 @appsensor_meta.database_result_sizes = nil
-                @policy.process_meta_event(
+                @rust_policies.check_appfirewall_injections(
                   @appsensor_meta
                 )
               end
             end
 
-            context "empty db max result" do
-              it "should not send an event" do
+            context 'empty db max result' do
+              it 'should not send an event' do
                 expect(TCellAgent).to_not receive(:send_event)
 
                 @appsensor_meta.database_result_sizes = []
-                @policy.process_meta_event(
+                @rust_policies.check_appfirewall_injections(
                   @appsensor_meta
                 )
               end
             end
 
-            context "one db max result" do
-              it "should send one event" do
+            context 'one db max result' do
+              it 'should send one event' do
                 expect(TCellAgent).to receive(:send_event).with({
-                  "event_type" => "as",
-                  "dp" => "dbmaxrows",
-                  "m" => "get",
-                  "meta" => {"rows"=>1001},
-                  "rid" => "route_id",
-                  "uid" => "user_id",
-                  "sid" => "session_id",
-                  "remote_addr" => "remote_address"
-                })
+                                                                  'event_type' => 'as',
+                                                                  'dp' => 'dbmaxrows',
+                                                                  'm' => 'GET',
+                                                                  'meta' => { 'rows' => 1001 },
+                                                                  'rid' => '12345',
+                                                                  'full_uri' => 'http://test.com/?some_param=present',
+                                                                  'uri' => 'http://test.com/?some_param=',
+                                                                  'uid' => 'user_id',
+                                                                  'sid' => 'session_id',
+                                                                  'remote_addr' => '192.168.1.1'
+                                                                })
 
                 @appsensor_meta.database_result_sizes = [1001]
-                @policy.process_meta_event(
+                @rust_policies.check_appfirewall_injections(
                   @appsensor_meta
                 )
               end
             end
 
-            context "multiple db max results" do
-              it "should send multiple event" do
+            context 'multiple db max results' do
+              it 'should send multiple event' do
                 expect(TCellAgent).to receive(:send_event).with({
-                  "event_type" => "as",
-                  "dp" => "dbmaxrows",
-                  "m" => "get",
-                  "meta" => {"rows"=>1001},
-                  "rid" => "route_id",
-                  "uid" => "user_id",
-                  "sid" => "session_id",
-                  "remote_addr" => "remote_address"
-                })
+                                                                  'event_type' => 'as',
+                                                                  'dp' => 'dbmaxrows',
+                                                                  'm' => 'GET',
+                                                                  'meta' => { 'rows' => 1001 },
+                                                                  'rid' => '12345',
+                                                                  'full_uri' => 'http://test.com/?some_param=present',
+                                                                  'uri' => 'http://test.com/?some_param=',
+                                                                  'uid' => 'user_id',
+                                                                  'sid' => 'session_id',
+                                                                  'remote_addr' => '192.168.1.1'
+                                                                })
                 expect(TCellAgent).to receive(:send_event).with({
-                  "event_type" => "as",
-                  "dp" => "dbmaxrows",
-                  "m" => "get",
-                  "meta" => {"rows"=>1002},
-                  "rid" => "route_id",
-                  "uid" => "user_id",
-                  "sid" => "session_id",
-                  "remote_addr" => "remote_address"
-                })
+                                                                  'event_type' => 'as',
+                                                                  'dp' => 'dbmaxrows',
+                                                                  'm' => 'GET',
+                                                                  'meta' => { 'rows' => 1002 },
+                                                                  'rid' => '12345',
+                                                                  'full_uri' => 'http://test.com/?some_param=present',
+                                                                  'uri' => 'http://test.com/?some_param=',
+                                                                  'uid' => 'user_id',
+                                                                  'sid' => 'session_id',
+                                                                  'remote_addr' => '192.168.1.1'
+                                                                })
 
                 @appsensor_meta.database_result_sizes = [1001, 1002]
-                @policy.process_meta_event(
+                @rust_policies.check_appfirewall_injections(
                   @appsensor_meta
                 )
               end