tcell_agent 0.4.0 → 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (199)
  1. checksums.yaml +4 -4
  2. data/Rakefile +9 -22
  3. data/bin/tcell_agent +127 -132
  4. data/lib/tcell_agent/agent/event_processor.rb +23 -22
  5. data/lib/tcell_agent/agent/fork_pipe_manager.rb +7 -7
  6. data/lib/tcell_agent/agent/policy_manager.rb +20 -15
  7. data/lib/tcell_agent/agent/policy_types.rb +5 -11
  8. data/lib/tcell_agent/agent/static_agent.rb +5 -1
  9. data/lib/tcell_agent/agent.rb +6 -4
  10. data/lib/tcell_agent/api.rb +7 -9
  11. data/lib/tcell_agent/appsensor/meta_data.rb +11 -4
  12. data/lib/tcell_agent/authlogic.rb +3 -3
  13. data/lib/tcell_agent/cmdi.rb +6 -4
  14. data/lib/tcell_agent/config/unknown_options.rb +3 -1
  15. data/lib/tcell_agent/configuration.rb +47 -49
  16. data/lib/tcell_agent/devise.rb +2 -2
  17. data/lib/tcell_agent/hooks/login_fraud.rb +58 -29
  18. data/lib/tcell_agent/instrumentation.rb +11 -10
  19. data/lib/tcell_agent/logger.rb +2 -2
  20. data/lib/tcell_agent/patches/meta_data.rb +9 -13
  21. data/lib/tcell_agent/patches.rb +7 -10
  22. data/lib/tcell_agent/policies/clickjacking_policy.rb +4 -5
  23. data/lib/tcell_agent/policies/content_security_policy.rb +6 -12
  24. data/lib/tcell_agent/policies/dataloss_policy.rb +2 -2
  25. data/lib/tcell_agent/policies/http_redirect_policy.rb +2 -2
  26. data/lib/tcell_agent/policies/policy.rb +0 -2
  27. data/lib/tcell_agent/policies/rust_policies.rb +90 -0
  28. data/lib/tcell_agent/policies/secure_headers_policy.rb +2 -2
  29. data/lib/tcell_agent/rails/auth/authlogic.rb +42 -24
  30. data/lib/tcell_agent/rails/auth/devise.rb +44 -23
  31. data/lib/tcell_agent/rails/auth/doorkeeper.rb +33 -15
  32. data/lib/tcell_agent/rails/better_ip.rb +1 -1
  33. data/lib/tcell_agent/rails/csrf_exception.rb +2 -2
  34. data/lib/tcell_agent/rails/dlp/process_request.rb +1 -1
  35. data/lib/tcell_agent/rails/dlp.rb +6 -6
  36. data/lib/tcell_agent/rails/dlp_handler.rb +1 -1
  37. data/lib/tcell_agent/rails/js_agent_insert.rb +1 -1
  38. data/lib/tcell_agent/rails/middleware/body_filter_middleware.rb +1 -1
  39. data/lib/tcell_agent/rails/middleware/context_middleware.rb +3 -2
  40. data/lib/tcell_agent/rails/middleware/headers_middleware.rb +10 -9
  41. data/lib/tcell_agent/rails/routes/grape.rb +6 -6
  42. data/lib/tcell_agent/rails/routes.rb +8 -11
  43. data/lib/tcell_agent/rust/libtcellagent-0.11.1.dylib +0 -0
  44. data/lib/tcell_agent/rust/{libtcellagent-0.6.1.so → libtcellagent-0.11.1.so} +0 -0
  45. data/lib/tcell_agent/rust/models.rb +16 -0
  46. data/lib/tcell_agent/rust/tcellagent-0.11.1.dll +0 -0
  47. data/lib/tcell_agent/rust/whisperer.rb +119 -48
  48. data/lib/tcell_agent/sensor_events/appsensor_meta_event.rb +17 -20
  49. data/lib/tcell_agent/sensor_events/command_injection.rb +50 -5
  50. data/lib/tcell_agent/sensor_events/login_fraud.rb +34 -18
  51. data/lib/tcell_agent/sensor_events/patches.rb +21 -0
  52. data/lib/tcell_agent/sensor_events/server_agent.rb +3 -3
  53. data/lib/tcell_agent/sensor_events/util/utils.rb +4 -3
  54. data/lib/tcell_agent/servers/puma.rb +2 -2
  55. data/lib/tcell_agent/servers/unicorn.rb +1 -1
  56. data/lib/tcell_agent/utils/passwords.rb +28 -0
  57. data/lib/tcell_agent/version.rb +1 -1
  58. data/lib/tcell_agent.rb +1 -5
  59. data/spec/apps/rails-3.2/config/tcell_agent.config +15 -0
  60. data/spec/apps/rails-3.2/log/development.log +0 -0
  61. data/spec/apps/rails-3.2/log/test.log +12 -0
  62. data/spec/apps/rails-4.1/log/test.log +0 -0
  63. data/spec/lib/tcell_agent/agent/fork_pipe_manager_spec.rb +46 -45
  64. data/spec/lib/tcell_agent/agent/policy_manager_spec.rb +276 -164
  65. data/spec/lib/tcell_agent/agent/static_agent_spec.rb +44 -47
  66. data/spec/lib/tcell_agent/api/api_spec.rb +16 -16
  67. data/spec/lib/tcell_agent/appsensor/injections_reporter_spec.rb +131 -116
  68. data/spec/lib/tcell_agent/appsensor/meta_data_spec.rb +55 -51
  69. data/spec/lib/tcell_agent/cmdi_spec.rb +413 -436
  70. data/spec/lib/tcell_agent/config/unknown_options_spec.rb +145 -128
  71. data/spec/lib/tcell_agent/configuration_spec.rb +165 -169
  72. data/spec/lib/tcell_agent/hooks/login_fraud_spec.rb +144 -153
  73. data/spec/lib/tcell_agent/instrumentation_spec.rb +84 -85
  74. data/spec/lib/tcell_agent/patches_spec.rb +70 -111
  75. data/spec/lib/tcell_agent/policies/appsensor_policy_spec.rb +313 -244
  76. data/spec/lib/tcell_agent/policies/clickjacking_policy_spec.rb +28 -28
  77. data/spec/lib/tcell_agent/policies/command_injection_policy_spec.rb +643 -513
  78. data/spec/lib/tcell_agent/policies/content_security_policy_spec.rb +55 -102
  79. data/spec/lib/tcell_agent/policies/dataloss_policy_spec.rb +111 -134
  80. data/spec/lib/tcell_agent/policies/http_redirect_policy_spec.rb +141 -146
  81. data/spec/lib/tcell_agent/policies/http_tx_policy_spec.rb +8 -8
  82. data/spec/lib/tcell_agent/policies/login_policy_spec.rb +15 -17
  83. data/spec/lib/tcell_agent/policies/patches_policy_spec.rb +231 -559
  84. data/spec/lib/tcell_agent/policies/secure_headers_policy_spec.rb +27 -27
  85. data/spec/lib/tcell_agent/rails/better_ip_spec.rb +30 -34
  86. data/spec/lib/tcell_agent/rails/logger_spec.rb +50 -49
  87. data/spec/lib/tcell_agent/rails/middleware/appsensor_middleware_spec.rb +182 -199
  88. data/spec/lib/tcell_agent/rails/middleware/dlp_middleware_spec.rb +110 -84
  89. data/spec/lib/tcell_agent/rails/middleware/global_middleware_spec.rb +107 -85
  90. data/spec/lib/tcell_agent/rails/middleware/redirect_middleware_spec.rb +68 -40
  91. data/spec/lib/tcell_agent/rails/middleware/tcell_body_proxy_spec.rb +81 -67
  92. data/spec/lib/tcell_agent/rails/responses_spec.rb +33 -37
  93. data/spec/lib/tcell_agent/rails/routes/grape_spec.rb +116 -121
  94. data/spec/lib/tcell_agent/rails/routes/route_id_spec.rb +25 -28
  95. data/spec/lib/tcell_agent/rails/routes/routes_spec.rb +87 -85
  96. data/spec/lib/tcell_agent/rails_spec.rb +1 -6
  97. data/spec/lib/tcell_agent/rust/models_spec.rb +112 -0
  98. data/spec/lib/tcell_agent/rust/whisperer_spec.rb +502 -179
  99. data/spec/lib/tcell_agent/sensor_events/appsensor_meta_event_spec.rb +44 -33
  100. data/spec/lib/tcell_agent/sensor_events/dlp_spec.rb +4 -4
  101. data/spec/lib/tcell_agent/sensor_events/sessions_metric_spec.rb +183 -169
  102. data/spec/lib/tcell_agent/sensor_events/util/sanitizer_utilities_spec.rb +25 -25
  103. data/spec/lib/tcell_agent/utils/bounded_queue_spec.rb +17 -20
  104. data/spec/lib/tcell_agent/utils/params_spec.rb +28 -28
  105. data/spec/lib/tcell_agent/utils/passwords_spec.rb +143 -0
  106. data/spec/lib/tcell_agent/utils/strings_spec.rb +35 -35
  107. data/spec/lib/tcell_agent_spec.rb +8 -8
  108. data/spec/spec_helper.rb +4 -4
  109. data/spec/support/middleware_helper.rb +10 -10
  110. data/spec/support/static_agent_overrides.rb +16 -12
  111. data/tcell_agent.gemspec +17 -33
  112. metadata +43 -198
  113. data/LICENSE_libinjection +0 -32
  114. data/Readme.txt +0 -7
  115. data/ext/libinjection/extconf.rb +0 -3
  116. data/ext/libinjection/libinjection.h +0 -65
  117. data/ext/libinjection/libinjection_html5.c +0 -847
  118. data/ext/libinjection/libinjection_html5.h +0 -54
  119. data/ext/libinjection/libinjection_sqli.c +0 -2317
  120. data/ext/libinjection/libinjection_sqli.h +0 -295
  121. data/ext/libinjection/libinjection_sqli_data.h +0 -9004
  122. data/ext/libinjection/libinjection_wrap.c +0 -3525
  123. data/ext/libinjection/libinjection_xss.c +0 -531
  124. data/ext/libinjection/libinjection_xss.h +0 -21
  125. data/lib/tcell_agent/appsensor/injections_matcher.rb +0 -155
  126. data/lib/tcell_agent/appsensor/rules/appsensor_rule_manager.rb +0 -49
  127. data/lib/tcell_agent/appsensor/rules/appsensor_rule_set.rb +0 -67
  128. data/lib/tcell_agent/appsensor/rules/baserules.json +0 -467
  129. data/lib/tcell_agent/patches/block_rule.rb +0 -93
  130. data/lib/tcell_agent/patches/sensors_matcher.rb +0 -31
  131. data/lib/tcell_agent/policies/appsensor/cmdi_sensor.rb +0 -23
  132. data/lib/tcell_agent/policies/appsensor/fpt_sensor.rb +0 -23
  133. data/lib/tcell_agent/policies/appsensor/injection_sensor.rb +0 -117
  134. data/lib/tcell_agent/policies/appsensor/nullbyte_sensor.rb +0 -26
  135. data/lib/tcell_agent/policies/appsensor/retr_sensor.rb +0 -22
  136. data/lib/tcell_agent/policies/appsensor/sqli_sensor.rb +0 -34
  137. data/lib/tcell_agent/policies/appsensor/xss_sensor.rb +0 -34
  138. data/lib/tcell_agent/policies/appsensor_policy.rb +0 -49
  139. data/lib/tcell_agent/policies/command_injection_policy.rb +0 -196
  140. data/lib/tcell_agent/policies/honeytokens_policy.rb +0 -69
  141. data/lib/tcell_agent/policies/patches_policy.rb +0 -84
  142. data/lib/tcell_agent/rust/libtcellagent-0.6.1.dylib +0 -0
  143. data/lib/tcell_agent/rust/tcellagent-0.6.1.dll +0 -0
  144. data/spec/apps/rails-3.2/Gemfile +0 -25
  145. data/spec/apps/rails-3.2/Gemfile.lock +0 -126
  146. data/spec/apps/rails-3.2/Rakefile +0 -7
  147. data/spec/apps/rails-3.2/app/assets/images/rails.png +0 -0
  148. data/spec/apps/rails-3.2/app/assets/javascripts/application.js +0 -15
  149. data/spec/apps/rails-3.2/app/assets/stylesheets/application.css +0 -13
  150. data/spec/apps/rails-3.2/app/controllers/application_controller.rb +0 -3
  151. data/spec/apps/rails-3.2/app/controllers/t_cell_app_controller.rb +0 -5
  152. data/spec/apps/rails-3.2/app/helpers/application_helper.rb +0 -2
  153. data/spec/apps/rails-3.2/app/views/layouts/application.html.erb +0 -14
  154. data/spec/apps/rails-3.2/app/views/t_cell_app/index.html.erb +0 -1
  155. data/spec/apps/rails-3.2/config/application.rb +0 -63
  156. data/spec/apps/rails-3.2/config/boot.rb +0 -6
  157. data/spec/apps/rails-3.2/config/environment.rb +0 -5
  158. data/spec/apps/rails-3.2/config/environments/test.rb +0 -37
  159. data/spec/apps/rails-3.2/config/routes.rb +0 -11
  160. data/spec/apps/rails-3.2/config.ru +0 -4
  161. data/spec/apps/rails-4.1/Gemfile +0 -7
  162. data/spec/apps/rails-4.1/Gemfile.lock +0 -114
  163. data/spec/apps/rails-4.1/Rakefile +0 -6
  164. data/spec/apps/rails-4.1/app/assets/javascripts/application.js +0 -16
  165. data/spec/apps/rails-4.1/app/assets/stylesheets/application.css +0 -15
  166. data/spec/apps/rails-4.1/app/controllers/application_controller.rb +0 -5
  167. data/spec/apps/rails-4.1/app/controllers/t_cell_app_controller.rb +0 -5
  168. data/spec/apps/rails-4.1/app/helpers/application_helper.rb +0 -2
  169. data/spec/apps/rails-4.1/app/views/layouts/application.html.erb +0 -14
  170. data/spec/apps/rails-4.1/app/views/t_cell_app/index.html.erb +0 -1
  171. data/spec/apps/rails-4.1/config/application.rb +0 -24
  172. data/spec/apps/rails-4.1/config/boot.rb +0 -4
  173. data/spec/apps/rails-4.1/config/environment.rb +0 -5
  174. data/spec/apps/rails-4.1/config/environments/test.rb +0 -41
  175. data/spec/apps/rails-4.1/config/initializers/assets.rb +0 -8
  176. data/spec/apps/rails-4.1/config/initializers/backtrace_silencers.rb +0 -7
  177. data/spec/apps/rails-4.1/config/initializers/cookies_serializer.rb +0 -3
  178. data/spec/apps/rails-4.1/config/initializers/filter_parameter_logging.rb +0 -4
  179. data/spec/apps/rails-4.1/config/initializers/inflections.rb +0 -16
  180. data/spec/apps/rails-4.1/config/initializers/mime_types.rb +0 -4
  181. data/spec/apps/rails-4.1/config/initializers/session_store.rb +0 -3
  182. data/spec/apps/rails-4.1/config/initializers/wrap_parameters.rb +0 -14
  183. data/spec/apps/rails-4.1/config/locales/en.yml +0 -23
  184. data/spec/apps/rails-4.1/config/routes.rb +0 -12
  185. data/spec/apps/rails-4.1/config/secrets.yml +0 -22
  186. data/spec/apps/rails-4.1/config.ru +0 -4
  187. data/spec/controllers/application_controller.rb +0 -12
  188. data/spec/lib/tcell_agent/appsensor/injections_matcher_spec.rb +0 -522
  189. data/spec/lib/tcell_agent/appsensor/rules/appsensor_rule_manager_spec.rb +0 -23
  190. data/spec/lib/tcell_agent/appsensor/rules/appsensor_rule_set_spec.rb +0 -159
  191. data/spec/lib/tcell_agent/patches/block_rule_spec.rb +0 -458
  192. data/spec/lib/tcell_agent/patches/sensors_matcher_spec.rb +0 -35
  193. data/spec/lib/tcell_agent/policies/appsensor/cmdi_sensor_spec.rb +0 -139
  194. data/spec/lib/tcell_agent/policies/appsensor/fpt_sensor_spec.rb +0 -139
  195. data/spec/lib/tcell_agent/policies/appsensor/nullbyte_sensor_spec.rb +0 -167
  196. data/spec/lib/tcell_agent/policies/appsensor/retr_sensor_spec.rb +0 -139
  197. data/spec/lib/tcell_agent/policies/appsensor/sqli_sensor_spec.rb +0 -246
  198. data/spec/lib/tcell_agent/policies/appsensor/xss_sensor_spec.rb +0 -882
  199. data/spec/lib/tcell_agent/policies/honeytokens_policy_spec.rb +0 -22
@@ -2,735 +2,865 @@ require 'spec_helper'
2
2
 
3
3
  module TCellAgent
4
4
  module Policies
5
+ describe RustPolicies do
6
+ before(:each) do
7
+ allow(TCellAgent).to receive(:is_it_safe_to_send_cmdi_events?).and_return(true)
8
+ @rust_policies = RustPolicies.new
9
+ end
10
+
11
+ describe '#update_policies' do
12
+ context 'with a nil policy' do
13
+ it 'should return nil' do
14
+ expect(TCellAgent).to_not receive(:logger)
15
+
16
+ @rust_policies.update_policies(nil)
5
17
 
6
- describe CommandInjectionPolicy do
7
- describe "#from_json" do
8
- context "with a nil policy" do
9
- it "should return nil" do
10
- expect(CommandInjectionPolicy.from_json(nil)).to be_nil
18
+ expect(@rust_policies.cmdi_enabled).to eq(false)
11
19
  end
12
20
  end
13
21
 
14
- context "with an empty policy" do
15
- it "should raise a policy missing error" do
16
- expect {
17
- CommandInjectionPolicy.from_json({})
18
- }.to raise_error(RuntimeError)
22
+ context 'with an empty policy' do
23
+ it 'should raise a policy missing error' do
24
+ expect(TCellAgent).to_not receive(:logger)
25
+ @rust_policies.update_policies({})
26
+
27
+ expect(@rust_policies.cmdi_enabled).to eq(false)
19
28
  end
20
29
  end
21
30
 
22
- context "with an empty version" do
23
- it "should have empty version" do
24
- cmdi = CommandInjectionPolicy.from_json({ "policy_id" => "policy_id" })
25
- expect(cmdi.policy_id).to eq("policy_id")
26
- expect(cmdi.version).to be_nil
27
- expect(cmdi.enabled).to eq(false)
28
- expect(cmdi.overall_action).to be_nil
29
- expect(cmdi.compound_statement_rule).to be_nil
30
- expect(cmdi.command_rules).to eq({})
31
- expect(cmdi.collect_full_commandline).to eq(false)
31
+ context 'with an empty version' do
32
+ it 'should have empty version' do
33
+ logger = double('logger')
34
+
35
+ expect(TCellAgent).to receive(:logger).and_return(logger)
36
+ expect(logger).to receive(:error).with(
37
+ 'Error updating policies: Failed to decode cmdi policy: missing field `version`'
38
+ )
39
+ @rust_policies.update_policies(
40
+ {
41
+ 'cmdi' => { 'policy_id' => 'policy_id' }
42
+ }
43
+ )
44
+
45
+ expect(@rust_policies.cmdi_enabled).to eq(false)
32
46
  end
33
47
  end
34
48
 
35
- context "with no data" do
36
- it "should have disabled ip blocking" do
37
- cmdi = CommandInjectionPolicy.from_json({
38
- "policy_id" => "policy_id",
39
- "version" => 1
40
- })
41
- expect(cmdi.policy_id).to eq("policy_id")
42
- expect(cmdi.version).to eq(1)
43
- expect(cmdi.enabled).to eq(false)
44
- expect(cmdi.overall_action).to be_nil
45
- expect(cmdi.compound_statement_rule).to be_nil
46
- expect(cmdi.command_rules).to eq({})
47
- expect(cmdi.collect_full_commandline).to eq(false)
49
+ context 'with no data' do
50
+ it 'should have disabled ip blocking' do
51
+ expect(TCellAgent).to_not receive(:logger)
52
+
53
+ @rust_policies.update_policies(
54
+ {
55
+ 'cmdi' => {
56
+ 'policy_id' => 'policy_id',
57
+ 'version' => 1
58
+ }
59
+ }
60
+ )
61
+ expect(@rust_policies.cmdi_enabled).to eq(false)
48
62
  end
49
63
  end
50
64
 
51
- context "with empty data" do
52
- it "should have default values" do
53
- cmdi = CommandInjectionPolicy.from_json({
54
- "policy_id" => "policy_id",
55
- "version" => 1,
56
- "data" => {}
57
- })
58
- expect(cmdi.policy_id).to eq("policy_id")
59
- expect(cmdi.version).to eq(1)
60
- expect(cmdi.enabled).to eq(false)
61
- expect(cmdi.overall_action).to be_nil
62
- expect(cmdi.compound_statement_rule).to be_nil
63
- expect(cmdi.command_rules).to eq({})
64
- expect(cmdi.collect_full_commandline).to eq(false)
65
+ context 'with empty data' do
66
+ it 'should have default values' do
67
+ expect(TCellAgent).to_not receive(:logger)
68
+ @rust_policies.update_policies(
69
+ {
70
+ 'cmdi' => {
71
+ 'policy_id' => 'policy_id',
72
+ 'version' => 1,
73
+ 'data' => {}
74
+ }
75
+ }
76
+ )
77
+ expect(@rust_policies.cmdi_enabled).to eq(false)
65
78
  end
66
79
  end
67
80
 
68
- context "with empty command rules" do
69
- it "should have default values" do
70
- cmdi = CommandInjectionPolicy.from_json({
71
- "policy_id" => "policy_id",
72
- "version" => 1,
73
- "data" => {
74
- "command_rules" => []
81
+ context 'with empty command rules' do
82
+ it 'should have default values' do
83
+ expect(TCellAgent).to_not receive(:logger)
84
+ @rust_policies.update_policies(
85
+ {
86
+ 'cmdi' => {
87
+ 'policy_id' => 'policy_id',
88
+ 'version' => 1,
89
+ 'data' => {
90
+ 'command_rules' => []
91
+ }
92
+ }
75
93
  }
76
- })
77
- expect(cmdi.policy_id).to eq("policy_id")
78
- expect(cmdi.version).to eq(1)
79
- expect(cmdi.enabled).to eq(false)
80
- expect(cmdi.overall_action).to be_nil
81
- expect(cmdi.compound_statement_rule).to be_nil
82
- expect(cmdi.command_rules).to eq({})
83
- expect(cmdi.collect_full_commandline).to eq(false)
94
+ )
95
+ expect(@rust_policies.cmdi_enabled).to eq(false)
84
96
  end
85
97
  end
86
98
 
87
- context "with empty compount statement rules" do
88
- it "should have default values" do
89
- cmdi = CommandInjectionPolicy.from_json({
90
- "policy_id" => "policy_id",
91
- "version" => 1,
92
- "data" => {
93
- "compound_statement_rules" => []
99
+ context 'with empty compount statement rules' do
100
+ it 'should have default values' do
101
+ expect(TCellAgent).to_not receive(:logger)
102
+ @rust_policies.update_policies(
103
+ {
104
+ 'cmdi' => {
105
+ 'policy_id' => 'policy_id',
106
+ 'version' => 1,
107
+ 'data' => {
108
+ 'compound_statement_rules' => []
109
+ }
110
+ }
94
111
  }
95
- })
96
- expect(cmdi.policy_id).to eq("policy_id")
97
- expect(cmdi.version).to eq(1)
98
- expect(cmdi.enabled).to eq(false)
99
- expect(cmdi.overall_action).to be_nil
100
- expect(cmdi.compound_statement_rule).to be_nil
101
- expect(cmdi.command_rules).to eq({})
102
- expect(cmdi.collect_full_commandline).to eq(false)
112
+ )
113
+ expect(@rust_policies.cmdi_enabled).to eq(false)
103
114
  end
104
115
  end
105
116
 
106
- context "with populated command rules" do
107
- it "should have default values" do
108
- cmdi = CommandInjectionPolicy.from_json({
109
- "policy_id" => "policy_id",
110
- "version" => 1,
111
- "data" => {
112
- "command_rules" => [
113
- {"rule_id" => "1", "action" => "block"},
114
- {"rule_id" => "2", "command" => "nc", "action" => "ignore"}
115
- ]
117
+ context 'with populated command rules' do
118
+ it 'should have default values' do
119
+ expect(TCellAgent).to_not receive(:logger)
120
+ @rust_policies.update_policies(
121
+ {
122
+ 'cmdi' => {
123
+ 'policy_id' => 'policy_id',
124
+ 'version' => 1,
125
+ 'data' => {
126
+ 'command_rules' => [
127
+ { 'rule_id' => '1', 'action' => 'block' },
128
+ { 'rule_id' => '2', 'command' => 'nc', 'action' => 'ignore' }
129
+ ]
130
+ }
131
+ }
116
132
  }
117
- })
118
-
119
- expect(cmdi.policy_id).to eq("policy_id")
120
- expect(cmdi.version).to eq(1)
121
- expect(cmdi.enabled).to eq(true)
122
- expect(cmdi.overall_action).to_not be_nil
123
- expect(cmdi.overall_action.rule_id).to eq("1")
124
- expect(cmdi.overall_action.action).to eq(CommandRule::BLOCK)
125
- expect(cmdi.overall_action.command).to be_nil
126
- expect(cmdi.command_rules.size).to eq(1)
127
- expect(cmdi.command_rules["nc"]).to_not be_nil
128
- expect(cmdi.command_rules["nc"].rule_id).to eq("2")
129
- expect(cmdi.command_rules["nc"].action).to eq(CommandRule::IGNORE)
130
- expect(cmdi.command_rules["nc"].command).to eq("nc")
131
- expect(cmdi.compound_statement_rule).to be_nil
132
- expect(cmdi.collect_full_commandline).to eq(false)
133
+ )
134
+
135
+ expect(@rust_policies.cmdi_enabled).to eq(true)
133
136
  end
134
137
  end
135
138
 
136
- context "with populated compound statement rules" do
137
- it "should have default values" do
138
- cmdi = CommandInjectionPolicy.from_json({
139
- "policy_id" => "policy_id",
140
- "version" => 1,
141
- "data" => {
142
- "compound_statement_rules" => [
143
- {"rule_id" => "3", "action" => "block"}
144
- ]
139
+ context 'with populated compound statement rules' do
140
+ it 'should have default values' do
141
+ expect(TCellAgent).to_not receive(:logger)
142
+ @rust_policies.update_policies(
143
+ {
144
+ 'cmdi' => {
145
+ 'policy_id' => 'policy_id',
146
+ 'version' => 1,
147
+ 'data' => {
148
+ 'compound_statement_rules' => [
149
+ { 'rule_id' => '3', 'action' => 'block' }
150
+ ]
151
+ }
152
+ }
145
153
  }
146
- })
147
-
148
- expect(cmdi.policy_id).to eq("policy_id")
149
- expect(cmdi.version).to eq(1)
150
- expect(cmdi.enabled).to eq(true)
151
- expect(cmdi.overall_action).to be_nil
152
- expect(cmdi.command_rules).to eq({})
153
- expect(cmdi.compound_statement_rule).to_not be_nil
154
- expect(cmdi.compound_statement_rule.rule_id).to eq("3")
155
- expect(cmdi.compound_statement_rule.action).to eq(CommandRule::BLOCK)
156
- expect(cmdi.compound_statement_rule.command).to be_nil
157
- expect(cmdi.collect_full_commandline).to eq(false)
154
+ )
155
+
156
+ expect(@rust_policies.cmdi_enabled).to eq(true)
158
157
  end
159
158
  end
160
159
 
161
- context "with populated collect_full_commandline" do
162
- context "as nil" do
163
- it "should have collect_full_commandline disabled" do
164
- cmdi = CommandInjectionPolicy.from_json({
165
- "policy_id" => "policy_id",
166
- "version" => 1,
167
- "data" => {
168
- "collect_full_commandline" => nil,
169
- "compound_statement_rules" => [
170
- {"rule_id" => "3", "action" => "block"}
171
- ]
160
+ context 'with populated collect_full_commandline' do
161
+ context 'as nil' do
162
+ it 'should have collect_full_commandline disabled' do
163
+ expect(TCellAgent).to_not receive(:logger)
164
+ @rust_policies.update_policies(
165
+ {
166
+ 'cmdi' => {
167
+ 'policy_id' => 'policy_id',
168
+ 'version' => 1,
169
+ 'data' => {
170
+ 'collect_full_commandline' => nil,
171
+ 'compound_statement_rules' => [
172
+ { 'rule_id' => '3', 'action' => 'block' }
173
+ ]
174
+ }
175
+ }
172
176
  }
173
- })
174
-
175
- expect(cmdi.policy_id).to eq("policy_id")
176
- expect(cmdi.version).to eq(1)
177
- expect(cmdi.enabled).to eq(true)
178
- expect(cmdi.overall_action).to be_nil
179
- expect(cmdi.command_rules).to eq({})
180
- expect(cmdi.compound_statement_rule).to_not be_nil
181
- expect(cmdi.compound_statement_rule.rule_id).to eq("3")
182
- expect(cmdi.compound_statement_rule.action).to eq(CommandRule::BLOCK)
183
- expect(cmdi.compound_statement_rule.command).to be_nil
184
- expect(cmdi.collect_full_commandline).to eq(false)
177
+ )
178
+
179
+ expect(@rust_policies.cmdi_enabled).to eq(true)
185
180
  end
186
181
  end
187
182
 
188
- context "as false" do
189
- it "should have collect_full_commandline disabled" do
190
- cmdi = CommandInjectionPolicy.from_json({
191
- "policy_id" => "policy_id",
192
- "version" => 1,
193
- "data" => {
194
- "collect_full_commandline" => false,
195
- "compound_statement_rules" => [
196
- {"rule_id" => "3", "action" => "block"}
197
- ]
183
+ context 'as false' do
184
+ it 'should have collect_full_commandline disabled' do
185
+ @rust_policies.update_policies(
186
+ {
187
+ 'cmdi' => {
188
+ 'policy_id' => 'policy_id',
189
+ 'version' => 1,
190
+ 'data' => {
191
+ 'collect_full_commandline' => false,
192
+ 'compound_statement_rules' => [
193
+ { 'rule_id' => '3', 'action' => 'block' }
194
+ ]
195
+ }
196
+ }
198
197
  }
199
- })
200
-
201
- expect(cmdi.policy_id).to eq("policy_id")
202
- expect(cmdi.version).to eq(1)
203
- expect(cmdi.enabled).to eq(true)
204
- expect(cmdi.overall_action).to be_nil
205
- expect(cmdi.command_rules).to eq({})
206
- expect(cmdi.compound_statement_rule).to_not be_nil
207
- expect(cmdi.compound_statement_rule.rule_id).to eq("3")
208
- expect(cmdi.compound_statement_rule.action).to eq(CommandRule::BLOCK)
209
- expect(cmdi.compound_statement_rule.command).to be_nil
210
- expect(cmdi.collect_full_commandline).to eq(false)
198
+ )
199
+
200
+ expect(@rust_policies.cmdi_enabled).to eq(true)
211
201
  end
212
202
  end
213
203
 
214
- context "as true" do
215
- it "should have collect_full_commandline enabled" do
216
- cmdi = CommandInjectionPolicy.from_json({
217
- "policy_id" => "policy_id",
218
- "version" => 1,
219
- "data" => {
220
- "collect_full_commandline" => true,
221
- "compound_statement_rules" => [
222
- {"rule_id" => "3", "action" => "block"}
223
- ]
204
+ context 'as true' do
205
+ it 'should have collect_full_commandline enabled' do
206
+ @rust_policies.update_policies(
207
+ {
208
+ 'cmdi' => {
209
+ 'policy_id' => 'policy_id',
210
+ 'version' => 1,
211
+ 'data' => {
212
+ 'collect_full_commandline' => true,
213
+ 'compound_statement_rules' => [
214
+ { 'rule_id' => '3', 'action' => 'block' }
215
+ ]
216
+ }
217
+ }
224
218
  }
225
- })
226
-
227
- expect(cmdi.policy_id).to eq("policy_id")
228
- expect(cmdi.version).to eq(1)
229
- expect(cmdi.enabled).to eq(true)
230
- expect(cmdi.overall_action).to be_nil
231
- expect(cmdi.command_rules).to eq({})
232
- expect(cmdi.compound_statement_rule).to_not be_nil
233
- expect(cmdi.compound_statement_rule.rule_id).to eq("3")
234
- expect(cmdi.compound_statement_rule.action).to eq(CommandRule::BLOCK)
235
- expect(cmdi.compound_statement_rule.command).to be_nil
236
- expect(cmdi.collect_full_commandline).to eq(true)
219
+ )
220
+
221
+ expect(@rust_policies.cmdi_enabled).to eq(true)
237
222
  end
238
223
  end
239
224
  end
240
-
241
225
  end
242
226
 
243
- describe "#block?" do
244
- context "with command rules" do
245
- context "that are blank" do
246
- it "should not block" do
247
- cmdi = CommandInjectionPolicy.from_json({
248
- "policy_id" => "policy_id",
249
- "version" => 1,
250
- "data" => {
251
- "collect_full_commandline" => true,
252
- "command_rules" => []
227
+ describe '#block_command?' do
228
+ context 'with command rules' do
229
+ context 'that are blank' do
230
+ it 'should not block' do
231
+ @rust_policies.update_policies(
232
+ {
233
+ 'cmdi' => {
234
+ 'policy_id' => 'policy_id',
235
+ 'version' => 1,
236
+ 'data' => {
237
+ 'collect_full_commandline' => true,
238
+ 'command_rules' => []
239
+ }
240
+ }
253
241
  }
254
- })
242
+ )
255
243
 
256
244
  expect(TCellAgent).to_not receive(:send_event)
257
245
 
258
246
  expect(
259
- cmdi.block?("cat /etc/passwd | grep root", nil)
247
+ @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
260
248
  ).to eq(false)
261
249
  end
262
250
  end
263
251
 
264
- context "that ignore all" do
265
- it "should not block" do
266
- cmdi = CommandInjectionPolicy.from_json({
267
- "policy_id" => "policy_id",
268
- "version" => 1,
269
- "data" => {
270
- "collect_full_commandline" => true,
271
- "command_rules" => [{"rule_id" => "1", "action" => "ignore"}]
252
+ context 'that ignore all' do
253
+ it 'should not block' do
254
+ @rust_policies.update_policies(
255
+ {
256
+ 'cmdi' => {
257
+ 'policy_id' => 'policy_id',
258
+ 'version' => 1,
259
+ 'data' => {
260
+ 'collect_full_commandline' => true,
261
+ 'command_rules' => [{ 'rule_id' => '1', 'action' => 'ignore' }]
262
+ }
263
+ }
272
264
  }
273
- })
265
+ )
274
266
 
275
267
  expect(TCellAgent).to_not receive(:send_event)
276
268
 
277
269
  expect(
278
- cmdi.block?("cat /etc/passwd | grep root", nil)
270
+ @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
279
271
  ).to eq(false)
280
272
  end
281
273
 
282
- context "and ignore cat" do
283
- it "should not send an event" do
284
- cmdi = CommandInjectionPolicy.from_json({
285
- "policy_id" => "policy_id",
286
- "version" => 1,
287
- "data" => {
288
- "collect_full_commandline" => true,
289
- "command_rules" => [
290
- {"rule_id" => "1", "action" => "ignore"},
291
- {"rule_id" => "2", "action" => "ignore", "command" => "cat"}
292
- ]
274
+ context 'and ignore cat' do
275
+ it 'should not send an event' do
276
+ @rust_policies.update_policies(
277
+ {
278
+ 'cmdi' => {
279
+ 'policy_id' => 'policy_id',
280
+ 'version' => 1,
281
+ 'data' => {
282
+ 'collect_full_commandline' => true,
283
+ 'command_rules' => [
284
+ { 'rule_id' => '1', 'action' => 'ignore' },
285
+ { 'rule_id' => '2', 'action' => 'ignore', 'command' => 'cat' }
286
+ ]
287
+ }
288
+ }
293
289
  }
294
- })
290
+ )
295
291
 
296
292
  expect(TCellAgent).to_not receive(:send_event)
297
293
 
298
294
  expect(
299
- cmdi.block?("cat /etc/passwd | grep root", nil)
295
+ @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
300
296
  ).to eq(false)
301
297
  end
302
298
  end
303
299
 
304
- context "and report cat" do
305
- it "should send an event" do
306
- cmdi = CommandInjectionPolicy.from_json({
307
- "policy_id" => "policy_id",
308
- "version" => 1,
309
- "data" => {
310
- "collect_full_commandline" => true,
311
- "command_rules" => [
312
- {"rule_id" => "1", "action" => "ignore"},
313
- {"rule_id" => "2", "action" => "report", "command" => "cat"}
314
- ]
300
+ context 'and report cat' do
301
+ it 'should send an event' do
302
+ @rust_policies.update_policies(
303
+ {
304
+ 'cmdi' => {
305
+ 'policy_id' => 'policy_id',
306
+ 'version' => 1,
307
+ 'data' => {
308
+ 'collect_full_commandline' => true,
309
+ 'command_rules' => [
310
+ { 'rule_id' => '1', 'action' => 'ignore' },
311
+ { 'rule_id' => '2', 'action' => 'report', 'command' => 'cat' }
312
+ ]
313
+ }
314
+ }
315
315
  }
316
- })
317
-
318
- expect(TCellAgent).to receive(:send_event).with({
319
- "event_type" => "cmdi",
320
- "commands" => [{"command" => "cat", "arg_count" => 1}, {"command" => "grep", "arg_count" => 1}],
321
- "blocked" => false,
322
- "matches" => [{"rule_id" => "2", "command" => "cat"}],
323
- "full_commandline" => "cat /etc/passwd | grep root"
324
- })
316
+ )
317
+
318
+ expect(TCellAgent).to receive(:send_event).with(
319
+ {
320
+ 'event_type' => 'cmdi',
321
+ 'commands' => [
322
+ { 'command' => 'cat', 'arg_count' => 1 },
323
+ { 'command' => 'grep', 'arg_count' => 1 }
324
+ ],
325
+ 'blocked' => false,
326
+ 'matches' => [{ 'rule_id' => '2', 'command' => 'cat' }],
327
+ 'full_commandline' => 'cat /etc/passwd | grep root'
328
+ }
329
+ )
325
330
 
326
331
  expect(
327
- cmdi.block?("cat /etc/passwd | grep root", nil)
332
+ @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
328
333
  ).to eq(false)
329
334
  end
330
335
  end
331
336
 
332
- context "and block cat" do
333
- it "should send an event and block" do
334
- cmdi = CommandInjectionPolicy.from_json({
335
- "policy_id" => "policy_id",
336
- "version" => 1,
337
- "data" => {
338
- "collect_full_commandline" => true,
339
- "command_rules" => [
340
- {"rule_id" => "1", "action" => "ignore"},
341
- {"rule_id" => "2", "action" => "block", "command" => "cat"}
342
- ]
337
+ context 'and block cat' do
338
+ it 'should send an event and block' do
339
+ @rust_policies.update_policies(
340
+ {
341
+ 'cmdi' => {
342
+ 'policy_id' => 'policy_id',
343
+ 'version' => 1,
344
+ 'data' => {
345
+ 'collect_full_commandline' => true,
346
+ 'command_rules' => [
347
+ { 'rule_id' => '1', 'action' => 'ignore' },
348
+ { 'rule_id' => '2', 'action' => 'block', 'command' => 'cat' }
349
+ ]
350
+ }
351
+ }
343
352
  }
344
- })
345
-
346
- expect(TCellAgent).to receive(:send_event).with({
347
- "event_type" => "cmdi",
348
- "commands" => [{"command" => "cat", "arg_count" => 1}, {"command" => "grep", "arg_count" => 1}],
349
- "blocked" => true,
350
- "matches" => [{"rule_id" => "2", "command" => "cat"}],
351
- "full_commandline"=>"cat /etc/passwd | grep root"
352
- })
353
+ )
354
+
355
+ expect(TCellAgent).to receive(:send_event).with(
356
+ {
357
+ 'event_type' => 'cmdi',
358
+ 'commands' => [
359
+ { 'command' => 'cat', 'arg_count' => 1 },
360
+ { 'command' => 'grep', 'arg_count' => 1 }
361
+ ],
362
+ 'blocked' => true,
363
+ 'matches' => [{ 'rule_id' => '2', 'command' => 'cat' }],
364
+ 'full_commandline' => 'cat /etc/passwd | grep root'
365
+ }
366
+ )
353
367
 
354
368
  expect(
355
- cmdi.block?("cat /etc/passwd | grep root", nil)
369
+ @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
356
370
  ).to eq(true)
357
371
  end
358
372
  end
359
373
  end
360
374
 
361
- context "that report all" do
362
- it "should send an event" do
363
- cmdi = CommandInjectionPolicy.from_json({
364
- "policy_id" => "policy_id",
365
- "version" => 1,
366
- "data" => {
367
- "command_rules" => [{"rule_id" => "1", "action" => "report"}]
375
+ context 'that report all' do
376
+ it 'should send an event' do
377
+ @rust_policies.update_policies(
378
+ {
379
+ 'cmdi' => {
380
+ 'policy_id' => 'policy_id',
381
+ 'version' => 1,
382
+ 'data' => {
383
+ 'command_rules' => [{ 'rule_id' => '1', 'action' => 'report' }]
384
+ }
385
+ }
368
386
  }
369
- })
370
-
371
- expect(TCellAgent).to receive(:send_event).with({
372
- "event_type" => "cmdi",
373
- "commands" => [{"command" => "cat", "arg_count" => 1}, {"command" => "grep", "arg_count" => 1}],
374
- "blocked" => false,
375
- "matches" => [{"rule_id" => "1", "command" => "cat"}, {"rule_id" => "1", "command" => "grep"}]
376
- })
387
+ )
388
+
389
+ expect(TCellAgent).to receive(:send_event).with(
390
+ {
391
+ 'event_type' => 'cmdi',
392
+ 'commands' => [
393
+ { 'command' => 'cat', 'arg_count' => 1 },
394
+ { 'command' => 'grep', 'arg_count' => 1 }
395
+ ],
396
+ 'blocked' => false,
397
+ 'matches' => [
398
+ { 'rule_id' => '1', 'command' => 'cat' },
399
+ { 'rule_id' => '1', 'command' => 'grep' }
400
+ ]
401
+ }
402
+ )
377
403
 
378
404
  expect(
379
- cmdi.block?("cat /etc/passwd | grep root", nil)
405
+ @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
380
406
  ).to eq(false)
381
407
  end
382
408
 
383
- context "and ignore cat" do
384
- it "should send an event for grep not cat" do
385
- cmdi = CommandInjectionPolicy.from_json({
386
- "policy_id" => "policy_id",
387
- "version" => 1,
388
- "data" => {
389
- "command_rules" => [
390
- {"rule_id" => "1", "action" => "report"},
391
- {"rule_id" => "2", "action" => "ignore", "command" => "cat"}
392
- ]
409
+ context 'and ignore cat' do
410
+ it 'should send an event for grep not cat' do
411
+ @rust_policies.update_policies(
412
+ {
413
+ 'cmdi' => {
414
+ 'policy_id' => 'policy_id',
415
+ 'version' => 1,
416
+ 'data' => {
417
+ 'command_rules' => [
418
+ { 'rule_id' => '1', 'action' => 'report' },
419
+ { 'rule_id' => '2', 'action' => 'ignore', 'command' => 'cat' }
420
+ ]
421
+ }
422
+ }
393
423
  }
394
- })
395
-
396
- expect(TCellAgent).to receive(:send_event).with({
397
- "event_type" => "cmdi",
398
- "commands" => [{"command" => "cat", "arg_count" => 1}, {"command" => "grep", "arg_count" => 1}],
399
- "blocked" => false,
400
- "matches" => [{"rule_id" => "1", "command" => "grep"}]
401
- })
424
+ )
425
+
426
+ expect(TCellAgent).to receive(:send_event).with(
427
+ {
428
+ 'event_type' => 'cmdi',
429
+ 'commands' => [
430
+ { 'command' => 'cat', 'arg_count' => 1 },
431
+ { 'command' => 'grep', 'arg_count' => 1 }
432
+ ],
433
+ 'blocked' => false,
434
+ 'matches' => [{ 'rule_id' => '1', 'command' => 'grep' }]
435
+ }
436
+ )
402
437
 
403
438
  expect(
404
- cmdi.block?("cat /etc/passwd | grep root", nil)
439
+ @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
405
440
  ).to eq(false)
406
441
  end
407
442
  end
408
443
 
409
- context "and report cat" do
410
- it "should send an event for grep and cat" do
411
- cmdi = CommandInjectionPolicy.from_json({
412
- "policy_id" => "policy_id",
413
- "version" => 1,
414
- "data" => {
415
- "command_rules" => [
416
- {"rule_id" => "1", "action" => "report"},
417
- {"rule_id" => "2", "action" => "report", "command" => "cat"}
444
+ context 'and report cat' do
445
+ it 'should send an event for grep and cat' do
446
+ @rust_policies.update_policies(
447
+ {
448
+ 'cmdi' => {
449
+ 'policy_id' => 'policy_id',
450
+ 'version' => 1,
451
+ 'data' => {
452
+ 'command_rules' => [
453
+ { 'rule_id' => '1', 'action' => 'report' },
454
+ { 'rule_id' => '2', 'action' => 'report', 'command' => 'cat' }
455
+ ]
456
+ }
457
+ }
458
+ }
459
+ )
460
+
461
+ expect(TCellAgent).to receive(:send_event).with(
462
+ {
463
+ 'event_type' => 'cmdi',
464
+ 'commands' => [
465
+ { 'command' => 'cat', 'arg_count' => 1 },
466
+ { 'command' => 'grep', 'arg_count' => 1 }
467
+ ],
468
+ 'blocked' => false,
469
+ 'matches' => [
470
+ { 'rule_id' => '2', 'command' => 'cat' },
471
+ { 'rule_id' => '1', 'command' => 'grep' }
418
472
  ]
419
473
  }
420
- })
421
-
422
- expect(TCellAgent).to receive(:send_event).with({
423
- "event_type" => "cmdi",
424
- "commands" => [{"command" => "cat", "arg_count" => 1}, {"command" => "grep", "arg_count" => 1}],
425
- "blocked" => false,
426
- "matches" => [{"rule_id" => "2", "command" => "cat"}, {"rule_id" => "1", "command" => "grep"}]
427
- })
474
+ )
428
475
 
429
476
  expect(
430
- cmdi.block?("cat /etc/passwd | grep root", nil)
477
+ @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
431
478
  ).to eq(false)
432
479
  end
433
480
  end
434
481
 
435
- context "and block cat" do
436
- it "should send an event for grep and cat and block" do
437
- cmdi = CommandInjectionPolicy.from_json({
438
- "policy_id" => "policy_id",
439
- "version" => 1,
440
- "data" => {
441
- "command_rules" => [
442
- {"rule_id" => "1", "action" => "report"},
443
- {"rule_id" => "2", "action" => "block", "command" => "cat"}
482
+ context 'and block cat' do
483
+ it 'should send an event for grep and cat and block' do
484
+ @rust_policies.update_policies(
485
+ {
486
+ 'cmdi' => {
487
+ 'policy_id' => 'policy_id',
488
+ 'version' => 1,
489
+ 'data' => {
490
+ 'command_rules' => [
491
+ { 'rule_id' => '1', 'action' => 'report' },
492
+ { 'rule_id' => '2', 'action' => 'block', 'command' => 'cat' }
493
+ ]
494
+ }
495
+ }
496
+ }
497
+ )
498
+
499
+ expect(TCellAgent).to receive(:send_event).with(
500
+ {
501
+ 'event_type' => 'cmdi',
502
+ 'commands' => [
503
+ { 'command' => 'cat', 'arg_count' => 1 },
504
+ { 'command' => 'grep', 'arg_count' => 1 }
505
+ ],
506
+ 'blocked' => true,
507
+ 'matches' => [
508
+ { 'rule_id' => '2', 'command' => 'cat' },
509
+ { 'rule_id' => '1', 'command' => 'grep' }
444
510
  ]
445
511
  }
446
- })
447
-
448
- expect(TCellAgent).to receive(:send_event).with({
449
- "event_type" => "cmdi",
450
- "commands" => [{"command" => "cat", "arg_count" => 1}, {"command" => "grep", "arg_count" => 1}],
451
- "blocked" => true,
452
- "matches" => [{"rule_id" => "2", "command" => "cat"}, {"rule_id" => "1", "command" => "grep"}]
453
- })
512
+ )
454
513
 
455
514
  expect(
456
- cmdi.block?("cat /etc/passwd | grep root", nil)
515
+ @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
457
516
  ).to eq(true)
458
517
  end
459
518
  end
460
519
  end
461
520
 
462
- context "that block all" do
463
- it "should send an event and block" do
464
- cmdi = CommandInjectionPolicy.from_json({
465
- "policy_id" => "policy_id",
466
- "version" => 1,
467
- "data" => {
468
- "command_rules" => [{"rule_id" => "1", "action" => "block"}]
521
+ context 'that block all' do
522
+ it 'should send an event and block' do
523
+ @rust_policies.update_policies(
524
+ {
525
+ 'cmdi' => {
526
+ 'policy_id' => 'policy_id',
527
+ 'version' => 1,
528
+ 'data' => {
529
+ 'command_rules' => [{ 'rule_id' => '1', 'action' => 'block' }]
530
+ }
531
+ }
469
532
  }
470
- })
471
-
472
- expect(TCellAgent).to receive(:send_event).with({
473
- "event_type" => "cmdi",
474
- "commands" => [{"command" => "cat", "arg_count" => 1}, {"command" => "grep", "arg_count" => 1}],
475
- "blocked" => true,
476
- "matches" => [{"rule_id" => "1", "command" => "cat"}, {"rule_id" => "1", "command" => "grep"}]
477
- })
533
+ )
534
+
535
+ expect(TCellAgent).to receive(:send_event).with(
536
+ {
537
+ 'event_type' => 'cmdi',
538
+ 'commands' => [
539
+ { 'command' => 'cat', 'arg_count' => 1 },
540
+ { 'command' => 'grep', 'arg_count' => 1 }
541
+ ],
542
+ 'blocked' => true,
543
+ 'matches' => [
544
+ { 'rule_id' => '1', 'command' => 'cat' },
545
+ { 'rule_id' => '1', 'command' => 'grep' }
546
+ ]
547
+ }
548
+ )
478
549
 
479
550
  expect(
480
- cmdi.block?("cat /etc/passwd | grep root", nil)
551
+ @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
481
552
  ).to eq(true)
482
553
  end
483
554
 
484
- context "and ignore cat" do
485
- it "should send an event for grep not cat and block" do
486
- cmdi = CommandInjectionPolicy.from_json({
487
- "policy_id" => "policy_id",
488
- "version" => 1,
489
- "data" => {
490
- "command_rules" => [
491
- {"rule_id" => "1", "action" => "block"},
492
- {"rule_id" => "2", "action" => "ignore", "command" => "cat"}
493
- ]
555
+ context 'and ignore cat' do
556
+ it 'should send an event for grep not cat and block' do
557
+ @rust_policies.update_policies(
558
+ {
559
+ 'cmdi' => {
560
+ 'policy_id' => 'policy_id',
561
+ 'version' => 1,
562
+ 'data' => {
563
+ 'command_rules' => [
564
+ { 'rule_id' => '1', 'action' => 'block' },
565
+ { 'rule_id' => '2', 'action' => 'ignore', 'command' => 'cat' }
566
+ ]
567
+ }
568
+ }
494
569
  }
495
- })
496
-
497
- expect(TCellAgent).to receive(:send_event).with({
498
- "event_type" => "cmdi",
499
- "commands" => [{"command" => "cat", "arg_count" => 1}, {"command" => "grep", "arg_count" => 1}],
500
- "blocked" => true,
501
- "matches" => [{"rule_id" => "1", "command" => "grep"}]
502
- })
570
+ )
571
+
572
+ expect(TCellAgent).to receive(:send_event).with(
573
+ {
574
+ 'event_type' => 'cmdi',
575
+ 'commands' => [
576
+ { 'command' => 'cat', 'arg_count' => 1 },
577
+ { 'command' => 'grep', 'arg_count' => 1 }
578
+ ],
579
+ 'blocked' => true,
580
+ 'matches' => [{ 'rule_id' => '1', 'command' => 'grep' }]
581
+ }
582
+ )
503
583
 
504
584
  expect(
505
- cmdi.block?("cat /etc/passwd | grep root", nil)
585
+ @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
506
586
  ).to eq(true)
507
587
  end
508
588
  end
509
589
 
510
- context "and report cat" do
511
- it "should send an event for grep and cat and block" do
512
- cmdi = CommandInjectionPolicy.from_json({
513
- "policy_id" => "policy_id",
514
- "version" => 1,
515
- "data" => {
516
- "command_rules" => [
517
- {"rule_id" => "1", "action" => "block"},
518
- {"rule_id" => "2", "action" => "report", "command" => "cat"}
590
+ context 'and report cat' do
591
+ it 'should send an event for grep and cat and block' do
592
+ @rust_policies.update_policies(
593
+ {
594
+ 'cmdi' => {
595
+ 'policy_id' => 'policy_id',
596
+ 'version' => 1,
597
+ 'data' => {
598
+ 'command_rules' => [
599
+ { 'rule_id' => '1', 'action' => 'block' },
600
+ { 'rule_id' => '2', 'action' => 'report', 'command' => 'cat' }
601
+ ]
602
+ }
603
+ }
604
+ }
605
+ )
606
+
607
+ expect(TCellAgent).to receive(:send_event).with(
608
+ {
609
+ 'event_type' => 'cmdi',
610
+ 'commands' => [
611
+ { 'command' => 'cat', 'arg_count' => 1 },
612
+ { 'command' => 'grep', 'arg_count' => 1 }
613
+ ],
614
+ 'blocked' => true,
615
+ 'matches' => [
616
+ { 'rule_id' => '2', 'command' => 'cat' },
617
+ { 'rule_id' => '1', 'command' => 'grep' }
519
618
  ]
520
619
  }
521
- })
522
-
523
- expect(TCellAgent).to receive(:send_event).with({
524
- "event_type" => "cmdi",
525
- "commands" => [{"command" => "cat", "arg_count" => 1}, {"command" => "grep", "arg_count" => 1}],
526
- "blocked" => true,
527
- "matches" => [{"rule_id" => "2", "command" => "cat"}, {"rule_id" => "1", "command" => "grep"}]
528
- })
620
+ )
529
621
 
530
622
  expect(
531
- cmdi.block?("cat /etc/passwd | grep root", nil)
623
+ @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
532
624
  ).to eq(true)
533
625
  end
534
626
  end
535
627
 
536
- context "and block cat" do
537
- it "should send an event for grep and cat and block" do
538
- cmdi = CommandInjectionPolicy.from_json({
539
- "policy_id" => "policy_id",
540
- "version" => 1,
541
- "data" => {
542
- "command_rules" => [
543
- {"rule_id" => "1", "action" => "block"},
544
- {"rule_id" => "2", "action" => "block", "command" => "cat"}
628
+ context 'and block cat' do
629
+ it 'should send an event for grep and cat and block' do
630
+ @rust_policies.update_policies(
631
+ {
632
+ 'cmdi' => {
633
+ 'policy_id' => 'policy_id',
634
+ 'version' => 1,
635
+ 'data' => {
636
+ 'command_rules' => [
637
+ { 'rule_id' => '1', 'action' => 'block' },
638
+ { 'rule_id' => '2', 'action' => 'block', 'command' => 'cat' }
639
+ ]
640
+ }
641
+ }
642
+ }
643
+ )
644
+
645
+ expect(TCellAgent).to receive(:send_event).with(
646
+ {
647
+ 'event_type' => 'cmdi',
648
+ 'commands' => [
649
+ { 'command' => 'cat', 'arg_count' => 1 },
650
+ { 'command' => 'grep', 'arg_count' => 1 }
651
+ ],
652
+ 'blocked' => true,
653
+ 'matches' => [
654
+ { 'rule_id' => '2', 'command' => 'cat' },
655
+ { 'rule_id' => '1', 'command' => 'grep' }
545
656
  ]
546
657
  }
547
- })
548
-
549
- expect(TCellAgent).to receive(:send_event).with({
550
- "event_type" => "cmdi",
551
- "commands" => [{"command" => "cat", "arg_count" => 1}, {"command" => "grep", "arg_count" => 1}],
552
- "blocked" => true,
553
- "matches" => [{"rule_id" => "2", "command" => "cat"}, {"rule_id" => "1", "command" => "grep"}]
554
- })
658
+ )
555
659
 
556
660
  expect(
557
- cmdi.block?("cat /etc/passwd | grep root", nil)
661
+ @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
558
662
  ).to eq(true)
559
663
  end
560
664
  end
561
665
  end
562
666
  end
563
667
 
564
- context "with compound statement rules" do
668
+ context 'with compound statement rules' do
565
669
  before(:each) do
566
670
  @tcell_context = TCellAgent::Instrumentation::TCellData.new
567
- @tcell_context.request_method = "GET"
568
- @tcell_context.ip_address = "1.1.1.1"
569
- @tcell_context.route_id = "12345"
570
- @tcell_context.hmac_session_id = "sldfjk2343"
571
- @tcell_context.user_id = "user_id"
671
+ @tcell_context.request_method = 'GET'
672
+ @tcell_context.ip_address = '1.1.1.1'
673
+ @tcell_context.route_id = '12345'
674
+ @tcell_context.hmac_session_id = 'sldfjk2343'
675
+ @tcell_context.user_id = 'user_id'
572
676
  end
573
677
 
574
- context "set to ignore" do
678
+ context 'set to ignore' do
575
679
  before(:each) do
576
- @cmdi = CommandInjectionPolicy.from_json({
577
- "policy_id" => "policy_id",
578
- "version" => 1,
579
- "data" => {
580
- "compound_statement_rules" => [
581
- {"rule_id" => "1", "action" => "ignore"}
582
- ]
680
+ @rust_policies.update_policies(
681
+ {
682
+ 'cmdi' => {
683
+ 'policy_id' => 'policy_id',
684
+ 'version' => 1,
685
+ 'data' => {
686
+ 'compound_statement_rules' => [
687
+ { 'rule_id' => '1', 'action' => 'ignore' }
688
+ ]
689
+ }
690
+ }
583
691
  }
584
- })
692
+ )
585
693
  end
586
694
 
587
- context "one parsed command" do
588
- it "should not send events or block" do
695
+ context 'one parsed command' do
696
+ it 'should not send events or block' do
589
697
  expect(TCellAgent).to_not receive(:send_event)
590
698
 
591
699
  expect(
592
- @cmdi.block?("cat /etc/passwd", @tcell_context)
700
+ @rust_policies.block_command?('cat /etc/passwd', @tcell_context)
593
701
  ).to eq(false)
594
702
  end
595
703
  end
596
704
 
597
- context "two parsed commands" do
598
- it "should not send events or block" do
705
+ context 'two parsed commands' do
706
+ it 'should not send events or block' do
599
707
  expect(TCellAgent).to_not receive(:send_event)
600
708
 
601
709
  expect(
602
- @cmdi.block?("cat /etc/passwd | grep root", @tcell_context)
710
+ @rust_policies.block_command?('cat /etc/passwd | grep root', @tcell_context)
603
711
  ).to eq(false)
604
712
  end
605
713
  end
606
714
  end
607
715
 
608
- context "set to report" do
716
+ context 'set to report' do
609
717
  before(:each) do
610
- @cmdi = CommandInjectionPolicy.from_json({
611
- "policy_id" => "policy_id",
612
- "version" => 1,
613
- "data" => {
614
- "compound_statement_rules" => [
615
- {"rule_id" => "1", "action" => "report"}
616
- ]
718
+ @rust_policies.update_policies(
719
+ {
720
+ 'cmdi' => {
721
+ 'policy_id' => 'policy_id',
722
+ 'version' => 1,
723
+ 'data' => {
724
+ 'compound_statement_rules' => [
725
+ { 'rule_id' => '1', 'action' => 'report' }
726
+ ]
727
+ }
728
+ }
617
729
  }
618
- })
730
+ )
619
731
  end
620
732
 
621
- context "one parsed command" do
622
- it "should not send events or block" do
733
+ context 'one parsed command' do
734
+ it 'should not send events or block' do
623
735
  expect(TCellAgent).to_not receive(:send_event)
624
736
 
625
737
  expect(
626
- @cmdi.block?("cat /etc/passwd", @tcell_context)
738
+ @rust_policies.block_command?('cat /etc/passwd', @tcell_context)
627
739
  ).to eq(false)
628
740
  end
629
741
  end
630
742
 
631
- context "two parsed commands" do
632
- it "should send an event but not block" do
633
- expect(TCellAgent).to receive(:send_event).with({
634
- "event_type" => "cmdi",
635
- "commands" => [
636
- {"command" => "cat", "arg_count" => 1},
637
- {"command" => "grep", "arg_count" => 1}
638
- ],
639
- "blocked" => false,
640
- "matches" => [{"rule_id" => "1"}],
641
- "method" => "GET",
642
- "remote_address" => "1.1.1.1",
643
- "route_id" => "12345",
644
- "session_id" => "sldfjk2343",
645
- "user_id" => "user_id"
646
- })
743
+ context 'two parsed commands' do
744
+ it 'should send an event but not block' do
745
+ expect(TCellAgent).to receive(:send_event).with(
746
+ {
747
+ 'event_type' => 'cmdi',
748
+ 'commands' => [
749
+ { 'command' => 'cat', 'arg_count' => 1 },
750
+ { 'command' => 'grep', 'arg_count' => 1 }
751
+ ],
752
+ 'blocked' => false,
753
+ 'matches' => [{ 'rule_id' => '1' }],
754
+ 'm' => 'GET',
755
+ 'remote_addr' => '1.1.1.1',
756
+ 'rid' => '12345',
757
+ 'sid' => 'sldfjk2343',
758
+ 'uid' => 'user_id'
759
+ }
760
+ )
647
761
 
648
762
  expect(
649
- @cmdi.block?("cat /etc/passwd | grep root", @tcell_context)
763
+ @rust_policies.block_command?('cat /etc/passwd | grep root', @tcell_context)
650
764
  ).to eq(false)
651
765
  end
652
766
  end
653
767
  end
654
768
 
655
- context "set to block" do
769
+ context 'set to block' do
656
770
  before(:each) do
657
- @cmdi = CommandInjectionPolicy.from_json({
658
- "policy_id" => "policy_id",
659
- "version" => 1,
660
- "data" => {
661
- "compound_statement_rules" => [
662
- {"rule_id" => "1", "action" => "block"}
663
- ]
771
+ @rust_policies.update_policies(
772
+ {
773
+ 'cmdi' => {
774
+ 'policy_id' => 'policy_id',
775
+ 'version' => 1,
776
+ 'data' => {
777
+ 'compound_statement_rules' => [
778
+ { 'rule_id' => '1', 'action' => 'block' }
779
+ ]
780
+ }
781
+ }
664
782
  }
665
- })
783
+ )
666
784
  end
667
785
 
668
- context "one parsed command" do
669
- it "should not send events or block" do
786
+ context 'one parsed command' do
787
+ it 'should not send events or block' do
670
788
  expect(TCellAgent).to_not receive(:send_event)
671
789
 
672
790
  expect(
673
- @cmdi.block?("cat /etc/passwd", @tcell_context)
791
+ @rust_policies.block_command?('cat /etc/passwd', @tcell_context)
674
792
  ).to eq(false)
675
793
  end
676
794
  end
677
795
 
678
- context "two parsed commands" do
679
- it "should send an event and block" do
680
- expect(TCellAgent).to receive(:send_event).with({
681
- "event_type" => "cmdi",
682
- "commands" => [{"command" => "cat", "arg_count" => 1}, {"command" => "grep", "arg_count" => 1}],
683
- "blocked" => true,
684
- "matches" => [{"rule_id" => "1"}],
685
- "method" => "GET",
686
- "remote_address" => "1.1.1.1",
687
- "route_id" => "12345",
688
- "session_id" => "sldfjk2343",
689
- "user_id" => "user_id"
690
- })
796
+ context 'two parsed commands' do
797
+ it 'should send an event and block' do
798
+ expect(TCellAgent).to receive(:send_event).with(
799
+ {
800
+ 'event_type' => 'cmdi',
801
+ 'commands' => [
802
+ { 'command' => 'cat', 'arg_count' => 1 },
803
+ { 'command' => 'grep', 'arg_count' => 1 }
804
+ ],
805
+ 'blocked' => true,
806
+ 'matches' => [{ 'rule_id' => '1' }],
807
+ 'm' => 'GET',
808
+ 'remote_addr' => '1.1.1.1',
809
+ 'rid' => '12345',
810
+ 'sid' => 'sldfjk2343',
811
+ 'uid' => 'user_id'
812
+ }
813
+ )
691
814
 
692
815
  expect(
693
- @cmdi.block?("cat /etc/passwd | grep root", @tcell_context)
816
+ @rust_policies.block_command?('cat /etc/passwd | grep root', @tcell_context)
694
817
  ).to eq(true)
695
818
  end
696
819
  end
697
820
  end
698
821
 
699
- context "that conflict" do
700
- it "only take the first one and ignore the rest" do
822
+ context 'that conflict' do
823
+ it 'only take the first one and ignore the rest' do
701
824
  ## multiple compound statements present only first one is taken
702
- cmdi = CommandInjectionPolicy.from_json({
703
- "policy_id" => "policy_id",
704
- "version" => 1,
705
- "data" => {
706
- "compound_statement_rules" => [
707
- {"rule_id" => "1", "action" => "block"},
708
- {"rule_id" => "2", "action" => "ignore"}
709
- ]
825
+ @rust_policies.update_policies(
826
+ {
827
+ 'cmdi' => {
828
+ 'policy_id' => 'policy_id',
829
+ 'version' => 1,
830
+ 'data' => {
831
+ 'compound_statement_rules' => [
832
+ { 'rule_id' => '1', 'action' => 'block' },
833
+ { 'rule_id' => '2', 'action' => 'ignore' }
834
+ ]
835
+ }
836
+ }
837
+ }
838
+ )
839
+
840
+ expect(TCellAgent).to receive(:send_event).with(
841
+ {
842
+ 'event_type' => 'cmdi',
843
+ 'commands' => [
844
+ { 'command' => 'cat', 'arg_count' => 1 },
845
+ { 'command' => 'grep', 'arg_count' => 1 }
846
+ ],
847
+ 'blocked' => true,
848
+ 'matches' => [{ 'rule_id' => '1' }],
849
+ 'm' => 'GET',
850
+ 'remote_addr' => '1.1.1.1',
851
+ 'rid' => '12345',
852
+ 'sid' => 'sldfjk2343',
853
+ 'uid' => 'user_id'
710
854
  }
711
- })
712
-
713
- expect(TCellAgent).to receive(:send_event).with({
714
- "event_type" => "cmdi",
715
- "commands" => [{"command" => "cat", "arg_count" => 1}, {"command" => "grep", "arg_count" => 1}],
716
- "blocked" => true,
717
- "matches" => [{"rule_id" => "1"}],
718
- "method" => "GET",
719
- "remote_address" => "1.1.1.1",
720
- "route_id" => "12345",
721
- "session_id" => "sldfjk2343",
722
- "user_id" => "user_id"
723
- })
855
+ )
724
856
 
725
857
  expect(
726
- cmdi.block?("cat /etc/passwd | grep root", @tcell_context)
858
+ @rust_policies.block_command?('cat /etc/passwd | grep root', @tcell_context)
727
859
  ).to eq(true)
728
860
  end
729
-
730
861
  end
731
862
  end
732
863
  end
733
-
734
864
  end
735
865
  end
736
866
  end