tcell_agent 0.4.0 → 1.0.0

Files changed (199) hide show
  1. checksums.yaml +4 -4
  2. data/Rakefile +9 -22
  3. data/bin/tcell_agent +127 -132
  4. data/lib/tcell_agent/agent/event_processor.rb +23 -22
  5. data/lib/tcell_agent/agent/fork_pipe_manager.rb +7 -7
  6. data/lib/tcell_agent/agent/policy_manager.rb +20 -15
  7. data/lib/tcell_agent/agent/policy_types.rb +5 -11
  8. data/lib/tcell_agent/agent/static_agent.rb +5 -1
  9. data/lib/tcell_agent/agent.rb +6 -4
  10. data/lib/tcell_agent/api.rb +7 -9
  11. data/lib/tcell_agent/appsensor/meta_data.rb +11 -4
  12. data/lib/tcell_agent/authlogic.rb +3 -3
  13. data/lib/tcell_agent/cmdi.rb +6 -4
  14. data/lib/tcell_agent/config/unknown_options.rb +3 -1
  15. data/lib/tcell_agent/configuration.rb +47 -49
  16. data/lib/tcell_agent/devise.rb +2 -2
  17. data/lib/tcell_agent/hooks/login_fraud.rb +58 -29
  18. data/lib/tcell_agent/instrumentation.rb +11 -10
  19. data/lib/tcell_agent/logger.rb +2 -2
  20. data/lib/tcell_agent/patches/meta_data.rb +9 -13
  21. data/lib/tcell_agent/patches.rb +7 -10
  22. data/lib/tcell_agent/policies/clickjacking_policy.rb +4 -5
  23. data/lib/tcell_agent/policies/content_security_policy.rb +6 -12
  24. data/lib/tcell_agent/policies/dataloss_policy.rb +2 -2
  25. data/lib/tcell_agent/policies/http_redirect_policy.rb +2 -2
  26. data/lib/tcell_agent/policies/policy.rb +0 -2
  27. data/lib/tcell_agent/policies/rust_policies.rb +90 -0
  28. data/lib/tcell_agent/policies/secure_headers_policy.rb +2 -2
  29. data/lib/tcell_agent/rails/auth/authlogic.rb +42 -24
  30. data/lib/tcell_agent/rails/auth/devise.rb +44 -23
  31. data/lib/tcell_agent/rails/auth/doorkeeper.rb +33 -15
  32. data/lib/tcell_agent/rails/better_ip.rb +1 -1
  33. data/lib/tcell_agent/rails/csrf_exception.rb +2 -2
  34. data/lib/tcell_agent/rails/dlp/process_request.rb +1 -1
  35. data/lib/tcell_agent/rails/dlp.rb +6 -6
  36. data/lib/tcell_agent/rails/dlp_handler.rb +1 -1
  37. data/lib/tcell_agent/rails/js_agent_insert.rb +1 -1
  38. data/lib/tcell_agent/rails/middleware/body_filter_middleware.rb +1 -1
  39. data/lib/tcell_agent/rails/middleware/context_middleware.rb +3 -2
  40. data/lib/tcell_agent/rails/middleware/headers_middleware.rb +10 -9
  41. data/lib/tcell_agent/rails/routes/grape.rb +6 -6
  42. data/lib/tcell_agent/rails/routes.rb +8 -11
  43. data/lib/tcell_agent/rust/libtcellagent-0.11.1.dylib +0 -0
  44. data/lib/tcell_agent/rust/{libtcellagent-0.6.1.so → libtcellagent-0.11.1.so} +0 -0
  45. data/lib/tcell_agent/rust/models.rb +16 -0
  46. data/lib/tcell_agent/rust/tcellagent-0.11.1.dll +0 -0
  47. data/lib/tcell_agent/rust/whisperer.rb +119 -48
  48. data/lib/tcell_agent/sensor_events/appsensor_meta_event.rb +17 -20
  49. data/lib/tcell_agent/sensor_events/command_injection.rb +50 -5
  50. data/lib/tcell_agent/sensor_events/login_fraud.rb +34 -18
  51. data/lib/tcell_agent/sensor_events/patches.rb +21 -0
  52. data/lib/tcell_agent/sensor_events/server_agent.rb +3 -3
  53. data/lib/tcell_agent/sensor_events/util/utils.rb +4 -3
  54. data/lib/tcell_agent/servers/puma.rb +2 -2
  55. data/lib/tcell_agent/servers/unicorn.rb +1 -1
  56. data/lib/tcell_agent/utils/passwords.rb +28 -0
  57. data/lib/tcell_agent/version.rb +1 -1
  58. data/lib/tcell_agent.rb +1 -5
  59. data/spec/apps/rails-3.2/config/tcell_agent.config +15 -0
  60. data/spec/apps/rails-3.2/log/development.log +0 -0
  61. data/spec/apps/rails-3.2/log/test.log +12 -0
  62. data/spec/apps/rails-4.1/log/test.log +0 -0
  63. data/spec/lib/tcell_agent/agent/fork_pipe_manager_spec.rb +46 -45
  64. data/spec/lib/tcell_agent/agent/policy_manager_spec.rb +276 -164
  65. data/spec/lib/tcell_agent/agent/static_agent_spec.rb +44 -47
  66. data/spec/lib/tcell_agent/api/api_spec.rb +16 -16
  67. data/spec/lib/tcell_agent/appsensor/injections_reporter_spec.rb +131 -116
  68. data/spec/lib/tcell_agent/appsensor/meta_data_spec.rb +55 -51
  69. data/spec/lib/tcell_agent/cmdi_spec.rb +413 -436
  70. data/spec/lib/tcell_agent/config/unknown_options_spec.rb +145 -128
  71. data/spec/lib/tcell_agent/configuration_spec.rb +165 -169
  72. data/spec/lib/tcell_agent/hooks/login_fraud_spec.rb +144 -153
  73. data/spec/lib/tcell_agent/instrumentation_spec.rb +84 -85
  74. data/spec/lib/tcell_agent/patches_spec.rb +70 -111
  75. data/spec/lib/tcell_agent/policies/appsensor_policy_spec.rb +313 -244
  76. data/spec/lib/tcell_agent/policies/clickjacking_policy_spec.rb +28 -28
  77. data/spec/lib/tcell_agent/policies/command_injection_policy_spec.rb +643 -513
  78. data/spec/lib/tcell_agent/policies/content_security_policy_spec.rb +55 -102
  79. data/spec/lib/tcell_agent/policies/dataloss_policy_spec.rb +111 -134
  80. data/spec/lib/tcell_agent/policies/http_redirect_policy_spec.rb +141 -146
  81. data/spec/lib/tcell_agent/policies/http_tx_policy_spec.rb +8 -8
  82. data/spec/lib/tcell_agent/policies/login_policy_spec.rb +15 -17
  83. data/spec/lib/tcell_agent/policies/patches_policy_spec.rb +231 -559
  84. data/spec/lib/tcell_agent/policies/secure_headers_policy_spec.rb +27 -27
  85. data/spec/lib/tcell_agent/rails/better_ip_spec.rb +30 -34
  86. data/spec/lib/tcell_agent/rails/logger_spec.rb +50 -49
  87. data/spec/lib/tcell_agent/rails/middleware/appsensor_middleware_spec.rb +182 -199
  88. data/spec/lib/tcell_agent/rails/middleware/dlp_middleware_spec.rb +110 -84
  89. data/spec/lib/tcell_agent/rails/middleware/global_middleware_spec.rb +107 -85
  90. data/spec/lib/tcell_agent/rails/middleware/redirect_middleware_spec.rb +68 -40
  91. data/spec/lib/tcell_agent/rails/middleware/tcell_body_proxy_spec.rb +81 -67
  92. data/spec/lib/tcell_agent/rails/responses_spec.rb +33 -37
  93. data/spec/lib/tcell_agent/rails/routes/grape_spec.rb +116 -121
  94. data/spec/lib/tcell_agent/rails/routes/route_id_spec.rb +25 -28
  95. data/spec/lib/tcell_agent/rails/routes/routes_spec.rb +87 -85
  96. data/spec/lib/tcell_agent/rails_spec.rb +1 -6
  97. data/spec/lib/tcell_agent/rust/models_spec.rb +112 -0
  98. data/spec/lib/tcell_agent/rust/whisperer_spec.rb +502 -179
  99. data/spec/lib/tcell_agent/sensor_events/appsensor_meta_event_spec.rb +44 -33
  100. data/spec/lib/tcell_agent/sensor_events/dlp_spec.rb +4 -4
  101. data/spec/lib/tcell_agent/sensor_events/sessions_metric_spec.rb +183 -169
  102. data/spec/lib/tcell_agent/sensor_events/util/sanitizer_utilities_spec.rb +25 -25
  103. data/spec/lib/tcell_agent/utils/bounded_queue_spec.rb +17 -20
  104. data/spec/lib/tcell_agent/utils/params_spec.rb +28 -28
  105. data/spec/lib/tcell_agent/utils/passwords_spec.rb +143 -0
  106. data/spec/lib/tcell_agent/utils/strings_spec.rb +35 -35
  107. data/spec/lib/tcell_agent_spec.rb +8 -8
  108. data/spec/spec_helper.rb +4 -4
  109. data/spec/support/middleware_helper.rb +10 -10
  110. data/spec/support/static_agent_overrides.rb +16 -12
  111. data/tcell_agent.gemspec +17 -33
  112. metadata +43 -198
  113. data/LICENSE_libinjection +0 -32
  114. data/Readme.txt +0 -7
  115. data/ext/libinjection/extconf.rb +0 -3
  116. data/ext/libinjection/libinjection.h +0 -65
  117. data/ext/libinjection/libinjection_html5.c +0 -847
  118. data/ext/libinjection/libinjection_html5.h +0 -54
  119. data/ext/libinjection/libinjection_sqli.c +0 -2317
  120. data/ext/libinjection/libinjection_sqli.h +0 -295
  121. data/ext/libinjection/libinjection_sqli_data.h +0 -9004
  122. data/ext/libinjection/libinjection_wrap.c +0 -3525
  123. data/ext/libinjection/libinjection_xss.c +0 -531
  124. data/ext/libinjection/libinjection_xss.h +0 -21
  125. data/lib/tcell_agent/appsensor/injections_matcher.rb +0 -155
  126. data/lib/tcell_agent/appsensor/rules/appsensor_rule_manager.rb +0 -49
  127. data/lib/tcell_agent/appsensor/rules/appsensor_rule_set.rb +0 -67
  128. data/lib/tcell_agent/appsensor/rules/baserules.json +0 -467
  129. data/lib/tcell_agent/patches/block_rule.rb +0 -93
  130. data/lib/tcell_agent/patches/sensors_matcher.rb +0 -31
  131. data/lib/tcell_agent/policies/appsensor/cmdi_sensor.rb +0 -23
  132. data/lib/tcell_agent/policies/appsensor/fpt_sensor.rb +0 -23
  133. data/lib/tcell_agent/policies/appsensor/injection_sensor.rb +0 -117
  134. data/lib/tcell_agent/policies/appsensor/nullbyte_sensor.rb +0 -26
  135. data/lib/tcell_agent/policies/appsensor/retr_sensor.rb +0 -22
  136. data/lib/tcell_agent/policies/appsensor/sqli_sensor.rb +0 -34
  137. data/lib/tcell_agent/policies/appsensor/xss_sensor.rb +0 -34
  138. data/lib/tcell_agent/policies/appsensor_policy.rb +0 -49
  139. data/lib/tcell_agent/policies/command_injection_policy.rb +0 -196
  140. data/lib/tcell_agent/policies/honeytokens_policy.rb +0 -69
  141. data/lib/tcell_agent/policies/patches_policy.rb +0 -84
  142. data/lib/tcell_agent/rust/libtcellagent-0.6.1.dylib +0 -0
  143. data/lib/tcell_agent/rust/tcellagent-0.6.1.dll +0 -0
  144. data/spec/apps/rails-3.2/Gemfile +0 -25
  145. data/spec/apps/rails-3.2/Gemfile.lock +0 -126
  146. data/spec/apps/rails-3.2/Rakefile +0 -7
  147. data/spec/apps/rails-3.2/app/assets/images/rails.png +0 -0
  148. data/spec/apps/rails-3.2/app/assets/javascripts/application.js +0 -15
  149. data/spec/apps/rails-3.2/app/assets/stylesheets/application.css +0 -13
  150. data/spec/apps/rails-3.2/app/controllers/application_controller.rb +0 -3
  151. data/spec/apps/rails-3.2/app/controllers/t_cell_app_controller.rb +0 -5
  152. data/spec/apps/rails-3.2/app/helpers/application_helper.rb +0 -2
  153. data/spec/apps/rails-3.2/app/views/layouts/application.html.erb +0 -14
  154. data/spec/apps/rails-3.2/app/views/t_cell_app/index.html.erb +0 -1
  155. data/spec/apps/rails-3.2/config/application.rb +0 -63
  156. data/spec/apps/rails-3.2/config/boot.rb +0 -6
  157. data/spec/apps/rails-3.2/config/environment.rb +0 -5
  158. data/spec/apps/rails-3.2/config/environments/test.rb +0 -37
  159. data/spec/apps/rails-3.2/config/routes.rb +0 -11
  160. data/spec/apps/rails-3.2/config.ru +0 -4
  161. data/spec/apps/rails-4.1/Gemfile +0 -7
  162. data/spec/apps/rails-4.1/Gemfile.lock +0 -114
  163. data/spec/apps/rails-4.1/Rakefile +0 -6
  164. data/spec/apps/rails-4.1/app/assets/javascripts/application.js +0 -16
  165. data/spec/apps/rails-4.1/app/assets/stylesheets/application.css +0 -15
  166. data/spec/apps/rails-4.1/app/controllers/application_controller.rb +0 -5
  167. data/spec/apps/rails-4.1/app/controllers/t_cell_app_controller.rb +0 -5
  168. data/spec/apps/rails-4.1/app/helpers/application_helper.rb +0 -2
  169. data/spec/apps/rails-4.1/app/views/layouts/application.html.erb +0 -14
  170. data/spec/apps/rails-4.1/app/views/t_cell_app/index.html.erb +0 -1
  171. data/spec/apps/rails-4.1/config/application.rb +0 -24
  172. data/spec/apps/rails-4.1/config/boot.rb +0 -4
  173. data/spec/apps/rails-4.1/config/environment.rb +0 -5
  174. data/spec/apps/rails-4.1/config/environments/test.rb +0 -41
  175. data/spec/apps/rails-4.1/config/initializers/assets.rb +0 -8
  176. data/spec/apps/rails-4.1/config/initializers/backtrace_silencers.rb +0 -7
  177. data/spec/apps/rails-4.1/config/initializers/cookies_serializer.rb +0 -3
  178. data/spec/apps/rails-4.1/config/initializers/filter_parameter_logging.rb +0 -4
  179. data/spec/apps/rails-4.1/config/initializers/inflections.rb +0 -16
  180. data/spec/apps/rails-4.1/config/initializers/mime_types.rb +0 -4
  181. data/spec/apps/rails-4.1/config/initializers/session_store.rb +0 -3
  182. data/spec/apps/rails-4.1/config/initializers/wrap_parameters.rb +0 -14
  183. data/spec/apps/rails-4.1/config/locales/en.yml +0 -23
  184. data/spec/apps/rails-4.1/config/routes.rb +0 -12
  185. data/spec/apps/rails-4.1/config/secrets.yml +0 -22
  186. data/spec/apps/rails-4.1/config.ru +0 -4
  187. data/spec/controllers/application_controller.rb +0 -12
  188. data/spec/lib/tcell_agent/appsensor/injections_matcher_spec.rb +0 -522
  189. data/spec/lib/tcell_agent/appsensor/rules/appsensor_rule_manager_spec.rb +0 -23
  190. data/spec/lib/tcell_agent/appsensor/rules/appsensor_rule_set_spec.rb +0 -159
  191. data/spec/lib/tcell_agent/patches/block_rule_spec.rb +0 -458
  192. data/spec/lib/tcell_agent/patches/sensors_matcher_spec.rb +0 -35
  193. data/spec/lib/tcell_agent/policies/appsensor/cmdi_sensor_spec.rb +0 -139
  194. data/spec/lib/tcell_agent/policies/appsensor/fpt_sensor_spec.rb +0 -139
  195. data/spec/lib/tcell_agent/policies/appsensor/nullbyte_sensor_spec.rb +0 -167
  196. data/spec/lib/tcell_agent/policies/appsensor/retr_sensor_spec.rb +0 -139
  197. data/spec/lib/tcell_agent/policies/appsensor/sqli_sensor_spec.rb +0 -246
  198. data/spec/lib/tcell_agent/policies/appsensor/xss_sensor_spec.rb +0 -882
  199. data/spec/lib/tcell_agent/policies/honeytokens_policy_spec.rb +0 -22
@@ -2,735 +2,865 @@ require 'spec_helper'
2
2
 
3
3
  module TCellAgent
4
4
  module Policies
5
+ describe RustPolicies do
6
+ before(:each) do
7
+ allow(TCellAgent).to receive(:is_it_safe_to_send_cmdi_events?).and_return(true)
8
+ @rust_policies = RustPolicies.new
9
+ end
10
+
11
+ describe '#update_policies' do
12
+ context 'with a nil policy' do
13
+ it 'should return nil' do
14
+ expect(TCellAgent).to_not receive(:logger)
15
+
16
+ @rust_policies.update_policies(nil)
5
17
 
6
- describe CommandInjectionPolicy do
7
- describe "#from_json" do
8
- context "with a nil policy" do
9
- it "should return nil" do
10
- expect(CommandInjectionPolicy.from_json(nil)).to be_nil
18
+ expect(@rust_policies.cmdi_enabled).to eq(false)
11
19
  end
12
20
  end
13
21
 
14
- context "with an empty policy" do
15
- it "should raise a policy missing error" do
16
- expect {
17
- CommandInjectionPolicy.from_json({})
18
- }.to raise_error(RuntimeError)
22
+ context 'with an empty policy' do
23
+ it 'should raise a policy missing error' do
24
+ expect(TCellAgent).to_not receive(:logger)
25
+ @rust_policies.update_policies({})
26
+
27
+ expect(@rust_policies.cmdi_enabled).to eq(false)
19
28
  end
20
29
  end
21
30
 
22
- context "with an empty version" do
23
- it "should have empty version" do
24
- cmdi = CommandInjectionPolicy.from_json({ "policy_id" => "policy_id" })
25
- expect(cmdi.policy_id).to eq("policy_id")
26
- expect(cmdi.version).to be_nil
27
- expect(cmdi.enabled).to eq(false)
28
- expect(cmdi.overall_action).to be_nil
29
- expect(cmdi.compound_statement_rule).to be_nil
30
- expect(cmdi.command_rules).to eq({})
31
- expect(cmdi.collect_full_commandline).to eq(false)
31
+ context 'with an empty version' do
32
+ it 'should have empty version' do
33
+ logger = double('logger')
34
+
35
+ expect(TCellAgent).to receive(:logger).and_return(logger)
36
+ expect(logger).to receive(:error).with(
37
+ 'Error updating policies: Failed to decode cmdi policy: missing field `version`'
38
+ )
39
+ @rust_policies.update_policies(
40
+ {
41
+ 'cmdi' => { 'policy_id' => 'policy_id' }
42
+ }
43
+ )
44
+
45
+ expect(@rust_policies.cmdi_enabled).to eq(false)
32
46
  end
33
47
  end
34
48
 
35
- context "with no data" do
36
- it "should have disabled ip blocking" do
37
- cmdi = CommandInjectionPolicy.from_json({
38
- "policy_id" => "policy_id",
39
- "version" => 1
40
- })
41
- expect(cmdi.policy_id).to eq("policy_id")
42
- expect(cmdi.version).to eq(1)
43
- expect(cmdi.enabled).to eq(false)
44
- expect(cmdi.overall_action).to be_nil
45
- expect(cmdi.compound_statement_rule).to be_nil
46
- expect(cmdi.command_rules).to eq({})
47
- expect(cmdi.collect_full_commandline).to eq(false)
49
+ context 'with no data' do
50
+ it 'should have disabled ip blocking' do
51
+ expect(TCellAgent).to_not receive(:logger)
52
+
53
+ @rust_policies.update_policies(
54
+ {
55
+ 'cmdi' => {
56
+ 'policy_id' => 'policy_id',
57
+ 'version' => 1
58
+ }
59
+ }
60
+ )
61
+ expect(@rust_policies.cmdi_enabled).to eq(false)
48
62
  end
49
63
  end
50
64
 
51
- context "with empty data" do
52
- it "should have default values" do
53
- cmdi = CommandInjectionPolicy.from_json({
54
- "policy_id" => "policy_id",
55
- "version" => 1,
56
- "data" => {}
57
- })
58
- expect(cmdi.policy_id).to eq("policy_id")
59
- expect(cmdi.version).to eq(1)
60
- expect(cmdi.enabled).to eq(false)
61
- expect(cmdi.overall_action).to be_nil
62
- expect(cmdi.compound_statement_rule).to be_nil
63
- expect(cmdi.command_rules).to eq({})
64
- expect(cmdi.collect_full_commandline).to eq(false)
65
+ context 'with empty data' do
66
+ it 'should have default values' do
67
+ expect(TCellAgent).to_not receive(:logger)
68
+ @rust_policies.update_policies(
69
+ {
70
+ 'cmdi' => {
71
+ 'policy_id' => 'policy_id',
72
+ 'version' => 1,
73
+ 'data' => {}
74
+ }
75
+ }
76
+ )
77
+ expect(@rust_policies.cmdi_enabled).to eq(false)
65
78
  end
66
79
  end
67
80
 
68
- context "with empty command rules" do
69
- it "should have default values" do
70
- cmdi = CommandInjectionPolicy.from_json({
71
- "policy_id" => "policy_id",
72
- "version" => 1,
73
- "data" => {
74
- "command_rules" => []
81
+ context 'with empty command rules' do
82
+ it 'should have default values' do
83
+ expect(TCellAgent).to_not receive(:logger)
84
+ @rust_policies.update_policies(
85
+ {
86
+ 'cmdi' => {
87
+ 'policy_id' => 'policy_id',
88
+ 'version' => 1,
89
+ 'data' => {
90
+ 'command_rules' => []
91
+ }
92
+ }
75
93
  }
76
- })
77
- expect(cmdi.policy_id).to eq("policy_id")
78
- expect(cmdi.version).to eq(1)
79
- expect(cmdi.enabled).to eq(false)
80
- expect(cmdi.overall_action).to be_nil
81
- expect(cmdi.compound_statement_rule).to be_nil
82
- expect(cmdi.command_rules).to eq({})
83
- expect(cmdi.collect_full_commandline).to eq(false)
94
+ )
95
+ expect(@rust_policies.cmdi_enabled).to eq(false)
84
96
  end
85
97
  end
86
98
 
87
- context "with empty compount statement rules" do
88
- it "should have default values" do
89
- cmdi = CommandInjectionPolicy.from_json({
90
- "policy_id" => "policy_id",
91
- "version" => 1,
92
- "data" => {
93
- "compound_statement_rules" => []
99
+ context 'with empty compount statement rules' do
100
+ it 'should have default values' do
101
+ expect(TCellAgent).to_not receive(:logger)
102
+ @rust_policies.update_policies(
103
+ {
104
+ 'cmdi' => {
105
+ 'policy_id' => 'policy_id',
106
+ 'version' => 1,
107
+ 'data' => {
108
+ 'compound_statement_rules' => []
109
+ }
110
+ }
94
111
  }
95
- })
96
- expect(cmdi.policy_id).to eq("policy_id")
97
- expect(cmdi.version).to eq(1)
98
- expect(cmdi.enabled).to eq(false)
99
- expect(cmdi.overall_action).to be_nil
100
- expect(cmdi.compound_statement_rule).to be_nil
101
- expect(cmdi.command_rules).to eq({})
102
- expect(cmdi.collect_full_commandline).to eq(false)
112
+ )
113
+ expect(@rust_policies.cmdi_enabled).to eq(false)
103
114
  end
104
115
  end
105
116
 
106
- context "with populated command rules" do
107
- it "should have default values" do
108
- cmdi = CommandInjectionPolicy.from_json({
109
- "policy_id" => "policy_id",
110
- "version" => 1,
111
- "data" => {
112
- "command_rules" => [
113
- {"rule_id" => "1", "action" => "block"},
114
- {"rule_id" => "2", "command" => "nc", "action" => "ignore"}
115
- ]
117
+ context 'with populated command rules' do
118
+ it 'should have default values' do
119
+ expect(TCellAgent).to_not receive(:logger)
120
+ @rust_policies.update_policies(
121
+ {
122
+ 'cmdi' => {
123
+ 'policy_id' => 'policy_id',
124
+ 'version' => 1,
125
+ 'data' => {
126
+ 'command_rules' => [
127
+ { 'rule_id' => '1', 'action' => 'block' },
128
+ { 'rule_id' => '2', 'command' => 'nc', 'action' => 'ignore' }
129
+ ]
130
+ }
131
+ }
116
132
  }
117
- })
118
-
119
- expect(cmdi.policy_id).to eq("policy_id")
120
- expect(cmdi.version).to eq(1)
121
- expect(cmdi.enabled).to eq(true)
122
- expect(cmdi.overall_action).to_not be_nil
123
- expect(cmdi.overall_action.rule_id).to eq("1")
124
- expect(cmdi.overall_action.action).to eq(CommandRule::BLOCK)
125
- expect(cmdi.overall_action.command).to be_nil
126
- expect(cmdi.command_rules.size).to eq(1)
127
- expect(cmdi.command_rules["nc"]).to_not be_nil
128
- expect(cmdi.command_rules["nc"].rule_id).to eq("2")
129
- expect(cmdi.command_rules["nc"].action).to eq(CommandRule::IGNORE)
130
- expect(cmdi.command_rules["nc"].command).to eq("nc")
131
- expect(cmdi.compound_statement_rule).to be_nil
132
- expect(cmdi.collect_full_commandline).to eq(false)
133
+ )
134
+
135
+ expect(@rust_policies.cmdi_enabled).to eq(true)
133
136
  end
134
137
  end
135
138
 
136
- context "with populated compound statement rules" do
137
- it "should have default values" do
138
- cmdi = CommandInjectionPolicy.from_json({
139
- "policy_id" => "policy_id",
140
- "version" => 1,
141
- "data" => {
142
- "compound_statement_rules" => [
143
- {"rule_id" => "3", "action" => "block"}
144
- ]
139
+ context 'with populated compound statement rules' do
140
+ it 'should have default values' do
141
+ expect(TCellAgent).to_not receive(:logger)
142
+ @rust_policies.update_policies(
143
+ {
144
+ 'cmdi' => {
145
+ 'policy_id' => 'policy_id',
146
+ 'version' => 1,
147
+ 'data' => {
148
+ 'compound_statement_rules' => [
149
+ { 'rule_id' => '3', 'action' => 'block' }
150
+ ]
151
+ }
152
+ }
145
153
  }
146
- })
147
-
148
- expect(cmdi.policy_id).to eq("policy_id")
149
- expect(cmdi.version).to eq(1)
150
- expect(cmdi.enabled).to eq(true)
151
- expect(cmdi.overall_action).to be_nil
152
- expect(cmdi.command_rules).to eq({})
153
- expect(cmdi.compound_statement_rule).to_not be_nil
154
- expect(cmdi.compound_statement_rule.rule_id).to eq("3")
155
- expect(cmdi.compound_statement_rule.action).to eq(CommandRule::BLOCK)
156
- expect(cmdi.compound_statement_rule.command).to be_nil
157
- expect(cmdi.collect_full_commandline).to eq(false)
154
+ )
155
+
156
+ expect(@rust_policies.cmdi_enabled).to eq(true)
158
157
  end
159
158
  end
160
159
 
161
- context "with populated collect_full_commandline" do
162
- context "as nil" do
163
- it "should have collect_full_commandline disabled" do
164
- cmdi = CommandInjectionPolicy.from_json({
165
- "policy_id" => "policy_id",
166
- "version" => 1,
167
- "data" => {
168
- "collect_full_commandline" => nil,
169
- "compound_statement_rules" => [
170
- {"rule_id" => "3", "action" => "block"}
171
- ]
160
+ context 'with populated collect_full_commandline' do
161
+ context 'as nil' do
162
+ it 'should have collect_full_commandline disabled' do
163
+ expect(TCellAgent).to_not receive(:logger)
164
+ @rust_policies.update_policies(
165
+ {
166
+ 'cmdi' => {
167
+ 'policy_id' => 'policy_id',
168
+ 'version' => 1,
169
+ 'data' => {
170
+ 'collect_full_commandline' => nil,
171
+ 'compound_statement_rules' => [
172
+ { 'rule_id' => '3', 'action' => 'block' }
173
+ ]
174
+ }
175
+ }
172
176
  }
173
- })
174
-
175
- expect(cmdi.policy_id).to eq("policy_id")
176
- expect(cmdi.version).to eq(1)
177
- expect(cmdi.enabled).to eq(true)
178
- expect(cmdi.overall_action).to be_nil
179
- expect(cmdi.command_rules).to eq({})
180
- expect(cmdi.compound_statement_rule).to_not be_nil
181
- expect(cmdi.compound_statement_rule.rule_id).to eq("3")
182
- expect(cmdi.compound_statement_rule.action).to eq(CommandRule::BLOCK)
183
- expect(cmdi.compound_statement_rule.command).to be_nil
184
- expect(cmdi.collect_full_commandline).to eq(false)
177
+ )
178
+
179
+ expect(@rust_policies.cmdi_enabled).to eq(true)
185
180
  end
186
181
  end
187
182
 
188
- context "as false" do
189
- it "should have collect_full_commandline disabled" do
190
- cmdi = CommandInjectionPolicy.from_json({
191
- "policy_id" => "policy_id",
192
- "version" => 1,
193
- "data" => {
194
- "collect_full_commandline" => false,
195
- "compound_statement_rules" => [
196
- {"rule_id" => "3", "action" => "block"}
197
- ]
183
+ context 'as false' do
184
+ it 'should have collect_full_commandline disabled' do
185
+ @rust_policies.update_policies(
186
+ {
187
+ 'cmdi' => {
188
+ 'policy_id' => 'policy_id',
189
+ 'version' => 1,
190
+ 'data' => {
191
+ 'collect_full_commandline' => false,
192
+ 'compound_statement_rules' => [
193
+ { 'rule_id' => '3', 'action' => 'block' }
194
+ ]
195
+ }
196
+ }
198
197
  }
199
- })
200
-
201
- expect(cmdi.policy_id).to eq("policy_id")
202
- expect(cmdi.version).to eq(1)
203
- expect(cmdi.enabled).to eq(true)
204
- expect(cmdi.overall_action).to be_nil
205
- expect(cmdi.command_rules).to eq({})
206
- expect(cmdi.compound_statement_rule).to_not be_nil
207
- expect(cmdi.compound_statement_rule.rule_id).to eq("3")
208
- expect(cmdi.compound_statement_rule.action).to eq(CommandRule::BLOCK)
209
- expect(cmdi.compound_statement_rule.command).to be_nil
210
- expect(cmdi.collect_full_commandline).to eq(false)
198
+ )
199
+
200
+ expect(@rust_policies.cmdi_enabled).to eq(true)
211
201
  end
212
202
  end
213
203
 
214
- context "as true" do
215
- it "should have collect_full_commandline enabled" do
216
- cmdi = CommandInjectionPolicy.from_json({
217
- "policy_id" => "policy_id",
218
- "version" => 1,
219
- "data" => {
220
- "collect_full_commandline" => true,
221
- "compound_statement_rules" => [
222
- {"rule_id" => "3", "action" => "block"}
223
- ]
204
+ context 'as true' do
205
+ it 'should have collect_full_commandline enabled' do
206
+ @rust_policies.update_policies(
207
+ {
208
+ 'cmdi' => {
209
+ 'policy_id' => 'policy_id',
210
+ 'version' => 1,
211
+ 'data' => {
212
+ 'collect_full_commandline' => true,
213
+ 'compound_statement_rules' => [
214
+ { 'rule_id' => '3', 'action' => 'block' }
215
+ ]
216
+ }
217
+ }
224
218
  }
225
- })
226
-
227
- expect(cmdi.policy_id).to eq("policy_id")
228
- expect(cmdi.version).to eq(1)
229
- expect(cmdi.enabled).to eq(true)
230
- expect(cmdi.overall_action).to be_nil
231
- expect(cmdi.command_rules).to eq({})
232
- expect(cmdi.compound_statement_rule).to_not be_nil
233
- expect(cmdi.compound_statement_rule.rule_id).to eq("3")
234
- expect(cmdi.compound_statement_rule.action).to eq(CommandRule::BLOCK)
235
- expect(cmdi.compound_statement_rule.command).to be_nil
236
- expect(cmdi.collect_full_commandline).to eq(true)
219
+ )
220
+
221
+ expect(@rust_policies.cmdi_enabled).to eq(true)
237
222
  end
238
223
  end
239
224
  end
240
-
241
225
  end
242
226
 
243
- describe "#block?" do
244
- context "with command rules" do
245
- context "that are blank" do
246
- it "should not block" do
247
- cmdi = CommandInjectionPolicy.from_json({
248
- "policy_id" => "policy_id",
249
- "version" => 1,
250
- "data" => {
251
- "collect_full_commandline" => true,
252
- "command_rules" => []
227
+ describe '#block_command?' do
228
+ context 'with command rules' do
229
+ context 'that are blank' do
230
+ it 'should not block' do
231
+ @rust_policies.update_policies(
232
+ {
233
+ 'cmdi' => {
234
+ 'policy_id' => 'policy_id',
235
+ 'version' => 1,
236
+ 'data' => {
237
+ 'collect_full_commandline' => true,
238
+ 'command_rules' => []
239
+ }
240
+ }
253
241
  }
254
- })
242
+ )
255
243
 
256
244
  expect(TCellAgent).to_not receive(:send_event)
257
245
 
258
246
  expect(
259
- cmdi.block?("cat /etc/passwd | grep root", nil)
247
+ @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
260
248
  ).to eq(false)
261
249
  end
262
250
  end
263
251
 
264
- context "that ignore all" do
265
- it "should not block" do
266
- cmdi = CommandInjectionPolicy.from_json({
267
- "policy_id" => "policy_id",
268
- "version" => 1,
269
- "data" => {
270
- "collect_full_commandline" => true,
271
- "command_rules" => [{"rule_id" => "1", "action" => "ignore"}]
252
+ context 'that ignore all' do
253
+ it 'should not block' do
254
+ @rust_policies.update_policies(
255
+ {
256
+ 'cmdi' => {
257
+ 'policy_id' => 'policy_id',
258
+ 'version' => 1,
259
+ 'data' => {
260
+ 'collect_full_commandline' => true,
261
+ 'command_rules' => [{ 'rule_id' => '1', 'action' => 'ignore' }]
262
+ }
263
+ }
272
264
  }
273
- })
265
+ )
274
266
 
275
267
  expect(TCellAgent).to_not receive(:send_event)
276
268
 
277
269
  expect(
278
- cmdi.block?("cat /etc/passwd | grep root", nil)
270
+ @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
279
271
  ).to eq(false)
280
272
  end
281
273
 
282
- context "and ignore cat" do
283
- it "should not send an event" do
284
- cmdi = CommandInjectionPolicy.from_json({
285
- "policy_id" => "policy_id",
286
- "version" => 1,
287
- "data" => {
288
- "collect_full_commandline" => true,
289
- "command_rules" => [
290
- {"rule_id" => "1", "action" => "ignore"},
291
- {"rule_id" => "2", "action" => "ignore", "command" => "cat"}
292
- ]
274
+ context 'and ignore cat' do
275
+ it 'should not send an event' do
276
+ @rust_policies.update_policies(
277
+ {
278
+ 'cmdi' => {
279
+ 'policy_id' => 'policy_id',
280
+ 'version' => 1,
281
+ 'data' => {
282
+ 'collect_full_commandline' => true,
283
+ 'command_rules' => [
284
+ { 'rule_id' => '1', 'action' => 'ignore' },
285
+ { 'rule_id' => '2', 'action' => 'ignore', 'command' => 'cat' }
286
+ ]
287
+ }
288
+ }
293
289
  }
294
- })
290
+ )
295
291
 
296
292
  expect(TCellAgent).to_not receive(:send_event)
297
293
 
298
294
  expect(
299
- cmdi.block?("cat /etc/passwd | grep root", nil)
295
+ @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
300
296
  ).to eq(false)
301
297
  end
302
298
  end
303
299
 
304
- context "and report cat" do
305
- it "should send an event" do
306
- cmdi = CommandInjectionPolicy.from_json({
307
- "policy_id" => "policy_id",
308
- "version" => 1,
309
- "data" => {
310
- "collect_full_commandline" => true,
311
- "command_rules" => [
312
- {"rule_id" => "1", "action" => "ignore"},
313
- {"rule_id" => "2", "action" => "report", "command" => "cat"}
314
- ]
300
+ context 'and report cat' do
301
+ it 'should send an event' do
302
+ @rust_policies.update_policies(
303
+ {
304
+ 'cmdi' => {
305
+ 'policy_id' => 'policy_id',
306
+ 'version' => 1,
307
+ 'data' => {
308
+ 'collect_full_commandline' => true,
309
+ 'command_rules' => [
310
+ { 'rule_id' => '1', 'action' => 'ignore' },
311
+ { 'rule_id' => '2', 'action' => 'report', 'command' => 'cat' }
312
+ ]
313
+ }
314
+ }
315
315
  }
316
- })
317
-
318
- expect(TCellAgent).to receive(:send_event).with({
319
- "event_type" => "cmdi",
320
- "commands" => [{"command" => "cat", "arg_count" => 1}, {"command" => "grep", "arg_count" => 1}],
321
- "blocked" => false,
322
- "matches" => [{"rule_id" => "2", "command" => "cat"}],
323
- "full_commandline" => "cat /etc/passwd | grep root"
324
- })
316
+ )
317
+
318
+ expect(TCellAgent).to receive(:send_event).with(
319
+ {
320
+ 'event_type' => 'cmdi',
321
+ 'commands' => [
322
+ { 'command' => 'cat', 'arg_count' => 1 },
323
+ { 'command' => 'grep', 'arg_count' => 1 }
324
+ ],
325
+ 'blocked' => false,
326
+ 'matches' => [{ 'rule_id' => '2', 'command' => 'cat' }],
327
+ 'full_commandline' => 'cat /etc/passwd | grep root'
328
+ }
329
+ )
325
330
 
326
331
  expect(
327
- cmdi.block?("cat /etc/passwd | grep root", nil)
332
+ @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
328
333
  ).to eq(false)
329
334
  end
330
335
  end
331
336
 
332
- context "and block cat" do
333
- it "should send an event and block" do
334
- cmdi = CommandInjectionPolicy.from_json({
335
- "policy_id" => "policy_id",
336
- "version" => 1,
337
- "data" => {
338
- "collect_full_commandline" => true,
339
- "command_rules" => [
340
- {"rule_id" => "1", "action" => "ignore"},
341
- {"rule_id" => "2", "action" => "block", "command" => "cat"}
342
- ]
337
+ context 'and block cat' do
338
+ it 'should send an event and block' do
339
+ @rust_policies.update_policies(
340
+ {
341
+ 'cmdi' => {
342
+ 'policy_id' => 'policy_id',
343
+ 'version' => 1,
344
+ 'data' => {
345
+ 'collect_full_commandline' => true,
346
+ 'command_rules' => [
347
+ { 'rule_id' => '1', 'action' => 'ignore' },
348
+ { 'rule_id' => '2', 'action' => 'block', 'command' => 'cat' }
349
+ ]
350
+ }
351
+ }
343
352
  }
344
- })
345
-
346
- expect(TCellAgent).to receive(:send_event).with({
347
- "event_type" => "cmdi",
348
- "commands" => [{"command" => "cat", "arg_count" => 1}, {"command" => "grep", "arg_count" => 1}],
349
- "blocked" => true,
350
- "matches" => [{"rule_id" => "2", "command" => "cat"}],
351
- "full_commandline"=>"cat /etc/passwd | grep root"
352
- })
353
+ )
354
+
355
+ expect(TCellAgent).to receive(:send_event).with(
356
+ {
357
+ 'event_type' => 'cmdi',
358
+ 'commands' => [
359
+ { 'command' => 'cat', 'arg_count' => 1 },
360
+ { 'command' => 'grep', 'arg_count' => 1 }
361
+ ],
362
+ 'blocked' => true,
363
+ 'matches' => [{ 'rule_id' => '2', 'command' => 'cat' }],
364
+ 'full_commandline' => 'cat /etc/passwd | grep root'
365
+ }
366
+ )
353
367
 
354
368
  expect(
355
- cmdi.block?("cat /etc/passwd | grep root", nil)
369
+ @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
356
370
  ).to eq(true)
357
371
  end
358
372
  end
359
373
  end
360
374
 
361
- context "that report all" do
362
- it "should send an event" do
363
- cmdi = CommandInjectionPolicy.from_json({
364
- "policy_id" => "policy_id",
365
- "version" => 1,
366
- "data" => {
367
- "command_rules" => [{"rule_id" => "1", "action" => "report"}]
375
+ context 'that report all' do
376
+ it 'should send an event' do
377
+ @rust_policies.update_policies(
378
+ {
379
+ 'cmdi' => {
380
+ 'policy_id' => 'policy_id',
381
+ 'version' => 1,
382
+ 'data' => {
383
+ 'command_rules' => [{ 'rule_id' => '1', 'action' => 'report' }]
384
+ }
385
+ }
368
386
  }
369
- })
370
-
371
- expect(TCellAgent).to receive(:send_event).with({
372
- "event_type" => "cmdi",
373
- "commands" => [{"command" => "cat", "arg_count" => 1}, {"command" => "grep", "arg_count" => 1}],
374
- "blocked" => false,
375
- "matches" => [{"rule_id" => "1", "command" => "cat"}, {"rule_id" => "1", "command" => "grep"}]
376
- })
387
+ )
388
+
389
+ expect(TCellAgent).to receive(:send_event).with(
390
+ {
391
+ 'event_type' => 'cmdi',
392
+ 'commands' => [
393
+ { 'command' => 'cat', 'arg_count' => 1 },
394
+ { 'command' => 'grep', 'arg_count' => 1 }
395
+ ],
396
+ 'blocked' => false,
397
+ 'matches' => [
398
+ { 'rule_id' => '1', 'command' => 'cat' },
399
+ { 'rule_id' => '1', 'command' => 'grep' }
400
+ ]
401
+ }
402
+ )
377
403
 
378
404
  expect(
379
- cmdi.block?("cat /etc/passwd | grep root", nil)
405
+ @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
380
406
  ).to eq(false)
381
407
  end
382
408
 
383
- context "and ignore cat" do
384
- it "should send an event for grep not cat" do
385
- cmdi = CommandInjectionPolicy.from_json({
386
- "policy_id" => "policy_id",
387
- "version" => 1,
388
- "data" => {
389
- "command_rules" => [
390
- {"rule_id" => "1", "action" => "report"},
391
- {"rule_id" => "2", "action" => "ignore", "command" => "cat"}
392
- ]
409
+ context 'and ignore cat' do
410
+ it 'should send an event for grep not cat' do
411
+ @rust_policies.update_policies(
412
+ {
413
+ 'cmdi' => {
414
+ 'policy_id' => 'policy_id',
415
+ 'version' => 1,
416
+ 'data' => {
417
+ 'command_rules' => [
418
+ { 'rule_id' => '1', 'action' => 'report' },
419
+ { 'rule_id' => '2', 'action' => 'ignore', 'command' => 'cat' }
420
+ ]
421
+ }
422
+ }
393
423
  }
394
- })
395
-
396
- expect(TCellAgent).to receive(:send_event).with({
397
- "event_type" => "cmdi",
398
- "commands" => [{"command" => "cat", "arg_count" => 1}, {"command" => "grep", "arg_count" => 1}],
399
- "blocked" => false,
400
- "matches" => [{"rule_id" => "1", "command" => "grep"}]
401
- })
424
+ )
425
+
426
+ expect(TCellAgent).to receive(:send_event).with(
427
+ {
428
+ 'event_type' => 'cmdi',
429
+ 'commands' => [
430
+ { 'command' => 'cat', 'arg_count' => 1 },
431
+ { 'command' => 'grep', 'arg_count' => 1 }
432
+ ],
433
+ 'blocked' => false,
434
+ 'matches' => [{ 'rule_id' => '1', 'command' => 'grep' }]
435
+ }
436
+ )
402
437
 
403
438
  expect(
404
- cmdi.block?("cat /etc/passwd | grep root", nil)
439
+ @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
405
440
  ).to eq(false)
406
441
  end
407
442
  end
408
443
 
409
- context "and report cat" do
410
- it "should send an event for grep and cat" do
411
- cmdi = CommandInjectionPolicy.from_json({
412
- "policy_id" => "policy_id",
413
- "version" => 1,
414
- "data" => {
415
- "command_rules" => [
416
- {"rule_id" => "1", "action" => "report"},
417
- {"rule_id" => "2", "action" => "report", "command" => "cat"}
444
+ context 'and report cat' do
445
+ it 'should send an event for grep and cat' do
446
+ @rust_policies.update_policies(
447
+ {
448
+ 'cmdi' => {
449
+ 'policy_id' => 'policy_id',
450
+ 'version' => 1,
451
+ 'data' => {
452
+ 'command_rules' => [
453
+ { 'rule_id' => '1', 'action' => 'report' },
454
+ { 'rule_id' => '2', 'action' => 'report', 'command' => 'cat' }
455
+ ]
456
+ }
457
+ }
458
+ }
459
+ )
460
+
461
+ expect(TCellAgent).to receive(:send_event).with(
462
+ {
463
+ 'event_type' => 'cmdi',
464
+ 'commands' => [
465
+ { 'command' => 'cat', 'arg_count' => 1 },
466
+ { 'command' => 'grep', 'arg_count' => 1 }
467
+ ],
468
+ 'blocked' => false,
469
+ 'matches' => [
470
+ { 'rule_id' => '2', 'command' => 'cat' },
471
+ { 'rule_id' => '1', 'command' => 'grep' }
418
472
  ]
419
473
  }
420
- })
421
-
422
- expect(TCellAgent).to receive(:send_event).with({
423
- "event_type" => "cmdi",
424
- "commands" => [{"command" => "cat", "arg_count" => 1}, {"command" => "grep", "arg_count" => 1}],
425
- "blocked" => false,
426
- "matches" => [{"rule_id" => "2", "command" => "cat"}, {"rule_id" => "1", "command" => "grep"}]
427
- })
474
+ )
428
475
 
429
476
  expect(
430
- cmdi.block?("cat /etc/passwd | grep root", nil)
477
+ @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
431
478
  ).to eq(false)
432
479
  end
433
480
  end
434
481
 
435
- context "and block cat" do
436
- it "should send an event for grep and cat and block" do
437
- cmdi = CommandInjectionPolicy.from_json({
438
- "policy_id" => "policy_id",
439
- "version" => 1,
440
- "data" => {
441
- "command_rules" => [
442
- {"rule_id" => "1", "action" => "report"},
443
- {"rule_id" => "2", "action" => "block", "command" => "cat"}
482
+ context 'and block cat' do
483
+ it 'should send an event for grep and cat and block' do
484
+ @rust_policies.update_policies(
485
+ {
486
+ 'cmdi' => {
487
+ 'policy_id' => 'policy_id',
488
+ 'version' => 1,
489
+ 'data' => {
490
+ 'command_rules' => [
491
+ { 'rule_id' => '1', 'action' => 'report' },
492
+ { 'rule_id' => '2', 'action' => 'block', 'command' => 'cat' }
493
+ ]
494
+ }
495
+ }
496
+ }
497
+ )
498
+
499
+ expect(TCellAgent).to receive(:send_event).with(
500
+ {
501
+ 'event_type' => 'cmdi',
502
+ 'commands' => [
503
+ { 'command' => 'cat', 'arg_count' => 1 },
504
+ { 'command' => 'grep', 'arg_count' => 1 }
505
+ ],
506
+ 'blocked' => true,
507
+ 'matches' => [
508
+ { 'rule_id' => '2', 'command' => 'cat' },
509
+ { 'rule_id' => '1', 'command' => 'grep' }
444
510
  ]
445
511
  }
446
- })
447
-
448
- expect(TCellAgent).to receive(:send_event).with({
449
- "event_type" => "cmdi",
450
- "commands" => [{"command" => "cat", "arg_count" => 1}, {"command" => "grep", "arg_count" => 1}],
451
- "blocked" => true,
452
- "matches" => [{"rule_id" => "2", "command" => "cat"}, {"rule_id" => "1", "command" => "grep"}]
453
- })
512
+ )
454
513
 
455
514
  expect(
456
- cmdi.block?("cat /etc/passwd | grep root", nil)
515
+ @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
457
516
  ).to eq(true)
458
517
  end
459
518
  end
460
519
  end
461
520
 
462
- context "that block all" do
463
- it "should send an event and block" do
464
- cmdi = CommandInjectionPolicy.from_json({
465
- "policy_id" => "policy_id",
466
- "version" => 1,
467
- "data" => {
468
- "command_rules" => [{"rule_id" => "1", "action" => "block"}]
521
+ context 'that block all' do
522
+ it 'should send an event and block' do
523
+ @rust_policies.update_policies(
524
+ {
525
+ 'cmdi' => {
526
+ 'policy_id' => 'policy_id',
527
+ 'version' => 1,
528
+ 'data' => {
529
+ 'command_rules' => [{ 'rule_id' => '1', 'action' => 'block' }]
530
+ }
531
+ }
469
532
  }
470
- })
471
-
472
- expect(TCellAgent).to receive(:send_event).with({
473
- "event_type" => "cmdi",
474
- "commands" => [{"command" => "cat", "arg_count" => 1}, {"command" => "grep", "arg_count" => 1}],
475
- "blocked" => true,
476
- "matches" => [{"rule_id" => "1", "command" => "cat"}, {"rule_id" => "1", "command" => "grep"}]
477
- })
533
+ )
534
+
535
+ expect(TCellAgent).to receive(:send_event).with(
536
+ {
537
+ 'event_type' => 'cmdi',
538
+ 'commands' => [
539
+ { 'command' => 'cat', 'arg_count' => 1 },
540
+ { 'command' => 'grep', 'arg_count' => 1 }
541
+ ],
542
+ 'blocked' => true,
543
+ 'matches' => [
544
+ { 'rule_id' => '1', 'command' => 'cat' },
545
+ { 'rule_id' => '1', 'command' => 'grep' }
546
+ ]
547
+ }
548
+ )
478
549
 
479
550
  expect(
480
- cmdi.block?("cat /etc/passwd | grep root", nil)
551
+ @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
481
552
  ).to eq(true)
482
553
  end
483
554
 
484
- context "and ignore cat" do
485
- it "should send an event for grep not cat and block" do
486
- cmdi = CommandInjectionPolicy.from_json({
487
- "policy_id" => "policy_id",
488
- "version" => 1,
489
- "data" => {
490
- "command_rules" => [
491
- {"rule_id" => "1", "action" => "block"},
492
- {"rule_id" => "2", "action" => "ignore", "command" => "cat"}
493
- ]
555
+ context 'and ignore cat' do
556
+ it 'should send an event for grep not cat and block' do
557
+ @rust_policies.update_policies(
558
+ {
559
+ 'cmdi' => {
560
+ 'policy_id' => 'policy_id',
561
+ 'version' => 1,
562
+ 'data' => {
563
+ 'command_rules' => [
564
+ { 'rule_id' => '1', 'action' => 'block' },
565
+ { 'rule_id' => '2', 'action' => 'ignore', 'command' => 'cat' }
566
+ ]
567
+ }
568
+ }
494
569
  }
495
- })
496
-
497
- expect(TCellAgent).to receive(:send_event).with({
498
- "event_type" => "cmdi",
499
- "commands" => [{"command" => "cat", "arg_count" => 1}, {"command" => "grep", "arg_count" => 1}],
500
- "blocked" => true,
501
- "matches" => [{"rule_id" => "1", "command" => "grep"}]
502
- })
570
+ )
571
+
572
+ expect(TCellAgent).to receive(:send_event).with(
573
+ {
574
+ 'event_type' => 'cmdi',
575
+ 'commands' => [
576
+ { 'command' => 'cat', 'arg_count' => 1 },
577
+ { 'command' => 'grep', 'arg_count' => 1 }
578
+ ],
579
+ 'blocked' => true,
580
+ 'matches' => [{ 'rule_id' => '1', 'command' => 'grep' }]
581
+ }
582
+ )
503
583
 
504
584
  expect(
505
- cmdi.block?("cat /etc/passwd | grep root", nil)
585
+ @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
506
586
  ).to eq(true)
507
587
  end
508
588
  end
509
589
 
510
- context "and report cat" do
511
- it "should send an event for grep and cat and block" do
512
- cmdi = CommandInjectionPolicy.from_json({
513
- "policy_id" => "policy_id",
514
- "version" => 1,
515
- "data" => {
516
- "command_rules" => [
517
- {"rule_id" => "1", "action" => "block"},
518
- {"rule_id" => "2", "action" => "report", "command" => "cat"}
590
+ context 'and report cat' do
591
+ it 'should send an event for grep and cat and block' do
592
+ @rust_policies.update_policies(
593
+ {
594
+ 'cmdi' => {
595
+ 'policy_id' => 'policy_id',
596
+ 'version' => 1,
597
+ 'data' => {
598
+ 'command_rules' => [
599
+ { 'rule_id' => '1', 'action' => 'block' },
600
+ { 'rule_id' => '2', 'action' => 'report', 'command' => 'cat' }
601
+ ]
602
+ }
603
+ }
604
+ }
605
+ )
606
+
607
+ expect(TCellAgent).to receive(:send_event).with(
608
+ {
609
+ 'event_type' => 'cmdi',
610
+ 'commands' => [
611
+ { 'command' => 'cat', 'arg_count' => 1 },
612
+ { 'command' => 'grep', 'arg_count' => 1 }
613
+ ],
614
+ 'blocked' => true,
615
+ 'matches' => [
616
+ { 'rule_id' => '2', 'command' => 'cat' },
617
+ { 'rule_id' => '1', 'command' => 'grep' }
519
618
  ]
520
619
  }
521
- })
522
-
523
- expect(TCellAgent).to receive(:send_event).with({
524
- "event_type" => "cmdi",
525
- "commands" => [{"command" => "cat", "arg_count" => 1}, {"command" => "grep", "arg_count" => 1}],
526
- "blocked" => true,
527
- "matches" => [{"rule_id" => "2", "command" => "cat"}, {"rule_id" => "1", "command" => "grep"}]
528
- })
620
+ )
529
621
 
530
622
  expect(
531
- cmdi.block?("cat /etc/passwd | grep root", nil)
623
+ @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
532
624
  ).to eq(true)
533
625
  end
534
626
  end
535
627
 
536
- context "and block cat" do
537
- it "should send an event for grep and cat and block" do
538
- cmdi = CommandInjectionPolicy.from_json({
539
- "policy_id" => "policy_id",
540
- "version" => 1,
541
- "data" => {
542
- "command_rules" => [
543
- {"rule_id" => "1", "action" => "block"},
544
- {"rule_id" => "2", "action" => "block", "command" => "cat"}
628
+ context 'and block cat' do
629
+ it 'should send an event for grep and cat and block' do
630
+ @rust_policies.update_policies(
631
+ {
632
+ 'cmdi' => {
633
+ 'policy_id' => 'policy_id',
634
+ 'version' => 1,
635
+ 'data' => {
636
+ 'command_rules' => [
637
+ { 'rule_id' => '1', 'action' => 'block' },
638
+ { 'rule_id' => '2', 'action' => 'block', 'command' => 'cat' }
639
+ ]
640
+ }
641
+ }
642
+ }
643
+ )
644
+
645
+ expect(TCellAgent).to receive(:send_event).with(
646
+ {
647
+ 'event_type' => 'cmdi',
648
+ 'commands' => [
649
+ { 'command' => 'cat', 'arg_count' => 1 },
650
+ { 'command' => 'grep', 'arg_count' => 1 }
651
+ ],
652
+ 'blocked' => true,
653
+ 'matches' => [
654
+ { 'rule_id' => '2', 'command' => 'cat' },
655
+ { 'rule_id' => '1', 'command' => 'grep' }
545
656
  ]
546
657
  }
547
- })
548
-
549
- expect(TCellAgent).to receive(:send_event).with({
550
- "event_type" => "cmdi",
551
- "commands" => [{"command" => "cat", "arg_count" => 1}, {"command" => "grep", "arg_count" => 1}],
552
- "blocked" => true,
553
- "matches" => [{"rule_id" => "2", "command" => "cat"}, {"rule_id" => "1", "command" => "grep"}]
554
- })
658
+ )
555
659
 
556
660
  expect(
557
- cmdi.block?("cat /etc/passwd | grep root", nil)
661
+ @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
558
662
  ).to eq(true)
559
663
  end
560
664
  end
561
665
  end
562
666
  end
563
667
 
564
- context "with compound statement rules" do
668
+ context 'with compound statement rules' do
565
669
  before(:each) do
566
670
  @tcell_context = TCellAgent::Instrumentation::TCellData.new
567
- @tcell_context.request_method = "GET"
568
- @tcell_context.ip_address = "1.1.1.1"
569
- @tcell_context.route_id = "12345"
570
- @tcell_context.hmac_session_id = "sldfjk2343"
571
- @tcell_context.user_id = "user_id"
671
+ @tcell_context.request_method = 'GET'
672
+ @tcell_context.ip_address = '1.1.1.1'
673
+ @tcell_context.route_id = '12345'
674
+ @tcell_context.hmac_session_id = 'sldfjk2343'
675
+ @tcell_context.user_id = 'user_id'
572
676
  end
573
677
 
574
- context "set to ignore" do
678
+ context 'set to ignore' do
575
679
  before(:each) do
576
- @cmdi = CommandInjectionPolicy.from_json({
577
- "policy_id" => "policy_id",
578
- "version" => 1,
579
- "data" => {
580
- "compound_statement_rules" => [
581
- {"rule_id" => "1", "action" => "ignore"}
582
- ]
680
+ @rust_policies.update_policies(
681
+ {
682
+ 'cmdi' => {
683
+ 'policy_id' => 'policy_id',
684
+ 'version' => 1,
685
+ 'data' => {
686
+ 'compound_statement_rules' => [
687
+ { 'rule_id' => '1', 'action' => 'ignore' }
688
+ ]
689
+ }
690
+ }
583
691
  }
584
- })
692
+ )
585
693
  end
586
694
 
587
- context "one parsed command" do
588
- it "should not send events or block" do
695
+ context 'one parsed command' do
696
+ it 'should not send events or block' do
589
697
  expect(TCellAgent).to_not receive(:send_event)
590
698
 
591
699
  expect(
592
- @cmdi.block?("cat /etc/passwd", @tcell_context)
700
+ @rust_policies.block_command?('cat /etc/passwd', @tcell_context)
593
701
  ).to eq(false)
594
702
  end
595
703
  end
596
704
 
597
- context "two parsed commands" do
598
- it "should not send events or block" do
705
+ context 'two parsed commands' do
706
+ it 'should not send events or block' do
599
707
  expect(TCellAgent).to_not receive(:send_event)
600
708
 
601
709
  expect(
602
- @cmdi.block?("cat /etc/passwd | grep root", @tcell_context)
710
+ @rust_policies.block_command?('cat /etc/passwd | grep root', @tcell_context)
603
711
  ).to eq(false)
604
712
  end
605
713
  end
606
714
  end
607
715
 
608
- context "set to report" do
716
+ context 'set to report' do
609
717
  before(:each) do
610
- @cmdi = CommandInjectionPolicy.from_json({
611
- "policy_id" => "policy_id",
612
- "version" => 1,
613
- "data" => {
614
- "compound_statement_rules" => [
615
- {"rule_id" => "1", "action" => "report"}
616
- ]
718
+ @rust_policies.update_policies(
719
+ {
720
+ 'cmdi' => {
721
+ 'policy_id' => 'policy_id',
722
+ 'version' => 1,
723
+ 'data' => {
724
+ 'compound_statement_rules' => [
725
+ { 'rule_id' => '1', 'action' => 'report' }
726
+ ]
727
+ }
728
+ }
617
729
  }
618
- })
730
+ )
619
731
  end
620
732
 
621
- context "one parsed command" do
622
- it "should not send events or block" do
733
+ context 'one parsed command' do
734
+ it 'should not send events or block' do
623
735
  expect(TCellAgent).to_not receive(:send_event)
624
736
 
625
737
  expect(
626
- @cmdi.block?("cat /etc/passwd", @tcell_context)
738
+ @rust_policies.block_command?('cat /etc/passwd', @tcell_context)
627
739
  ).to eq(false)
628
740
  end
629
741
  end
630
742
 
631
- context "two parsed commands" do
632
- it "should send an event but not block" do
633
- expect(TCellAgent).to receive(:send_event).with({
634
- "event_type" => "cmdi",
635
- "commands" => [
636
- {"command" => "cat", "arg_count" => 1},
637
- {"command" => "grep", "arg_count" => 1}
638
- ],
639
- "blocked" => false,
640
- "matches" => [{"rule_id" => "1"}],
641
- "method" => "GET",
642
- "remote_address" => "1.1.1.1",
643
- "route_id" => "12345",
644
- "session_id" => "sldfjk2343",
645
- "user_id" => "user_id"
646
- })
743
+ context 'two parsed commands' do
744
+ it 'should send an event but not block' do
745
+ expect(TCellAgent).to receive(:send_event).with(
746
+ {
747
+ 'event_type' => 'cmdi',
748
+ 'commands' => [
749
+ { 'command' => 'cat', 'arg_count' => 1 },
750
+ { 'command' => 'grep', 'arg_count' => 1 }
751
+ ],
752
+ 'blocked' => false,
753
+ 'matches' => [{ 'rule_id' => '1' }],
754
+ 'm' => 'GET',
755
+ 'remote_addr' => '1.1.1.1',
756
+ 'rid' => '12345',
757
+ 'sid' => 'sldfjk2343',
758
+ 'uid' => 'user_id'
759
+ }
760
+ )
647
761
 
648
762
  expect(
649
- @cmdi.block?("cat /etc/passwd | grep root", @tcell_context)
763
+ @rust_policies.block_command?('cat /etc/passwd | grep root', @tcell_context)
650
764
  ).to eq(false)
651
765
  end
652
766
  end
653
767
  end
654
768
 
655
- context "set to block" do
769
+ context 'set to block' do
656
770
  before(:each) do
657
- @cmdi = CommandInjectionPolicy.from_json({
658
- "policy_id" => "policy_id",
659
- "version" => 1,
660
- "data" => {
661
- "compound_statement_rules" => [
662
- {"rule_id" => "1", "action" => "block"}
663
- ]
771
+ @rust_policies.update_policies(
772
+ {
773
+ 'cmdi' => {
774
+ 'policy_id' => 'policy_id',
775
+ 'version' => 1,
776
+ 'data' => {
777
+ 'compound_statement_rules' => [
778
+ { 'rule_id' => '1', 'action' => 'block' }
779
+ ]
780
+ }
781
+ }
664
782
  }
665
- })
783
+ )
666
784
  end
667
785
 
668
- context "one parsed command" do
669
- it "should not send events or block" do
786
+ context 'one parsed command' do
787
+ it 'should not send events or block' do
670
788
  expect(TCellAgent).to_not receive(:send_event)
671
789
 
672
790
  expect(
673
- @cmdi.block?("cat /etc/passwd", @tcell_context)
791
+ @rust_policies.block_command?('cat /etc/passwd', @tcell_context)
674
792
  ).to eq(false)
675
793
  end
676
794
  end
677
795
 
678
- context "two parsed commands" do
679
- it "should send an event and block" do
680
- expect(TCellAgent).to receive(:send_event).with({
681
- "event_type" => "cmdi",
682
- "commands" => [{"command" => "cat", "arg_count" => 1}, {"command" => "grep", "arg_count" => 1}],
683
- "blocked" => true,
684
- "matches" => [{"rule_id" => "1"}],
685
- "method" => "GET",
686
- "remote_address" => "1.1.1.1",
687
- "route_id" => "12345",
688
- "session_id" => "sldfjk2343",
689
- "user_id" => "user_id"
690
- })
796
+ context 'two parsed commands' do
797
+ it 'should send an event and block' do
798
+ expect(TCellAgent).to receive(:send_event).with(
799
+ {
800
+ 'event_type' => 'cmdi',
801
+ 'commands' => [
802
+ { 'command' => 'cat', 'arg_count' => 1 },
803
+ { 'command' => 'grep', 'arg_count' => 1 }
804
+ ],
805
+ 'blocked' => true,
806
+ 'matches' => [{ 'rule_id' => '1' }],
807
+ 'm' => 'GET',
808
+ 'remote_addr' => '1.1.1.1',
809
+ 'rid' => '12345',
810
+ 'sid' => 'sldfjk2343',
811
+ 'uid' => 'user_id'
812
+ }
813
+ )
691
814
 
692
815
  expect(
693
- @cmdi.block?("cat /etc/passwd | grep root", @tcell_context)
816
+ @rust_policies.block_command?('cat /etc/passwd | grep root', @tcell_context)
694
817
  ).to eq(true)
695
818
  end
696
819
  end
697
820
  end
698
821
 
699
- context "that conflict" do
700
- it "only take the first one and ignore the rest" do
822
+ context 'that conflict' do
823
+ it 'only take the first one and ignore the rest' do
701
824
  ## multiple compound statements present only first one is taken
702
- cmdi = CommandInjectionPolicy.from_json({
703
- "policy_id" => "policy_id",
704
- "version" => 1,
705
- "data" => {
706
- "compound_statement_rules" => [
707
- {"rule_id" => "1", "action" => "block"},
708
- {"rule_id" => "2", "action" => "ignore"}
709
- ]
825
+ @rust_policies.update_policies(
826
+ {
827
+ 'cmdi' => {
828
+ 'policy_id' => 'policy_id',
829
+ 'version' => 1,
830
+ 'data' => {
831
+ 'compound_statement_rules' => [
832
+ { 'rule_id' => '1', 'action' => 'block' },
833
+ { 'rule_id' => '2', 'action' => 'ignore' }
834
+ ]
835
+ }
836
+ }
837
+ }
838
+ )
839
+
840
+ expect(TCellAgent).to receive(:send_event).with(
841
+ {
842
+ 'event_type' => 'cmdi',
843
+ 'commands' => [
844
+ { 'command' => 'cat', 'arg_count' => 1 },
845
+ { 'command' => 'grep', 'arg_count' => 1 }
846
+ ],
847
+ 'blocked' => true,
848
+ 'matches' => [{ 'rule_id' => '1' }],
849
+ 'm' => 'GET',
850
+ 'remote_addr' => '1.1.1.1',
851
+ 'rid' => '12345',
852
+ 'sid' => 'sldfjk2343',
853
+ 'uid' => 'user_id'
710
854
  }
711
- })
712
-
713
- expect(TCellAgent).to receive(:send_event).with({
714
- "event_type" => "cmdi",
715
- "commands" => [{"command" => "cat", "arg_count" => 1}, {"command" => "grep", "arg_count" => 1}],
716
- "blocked" => true,
717
- "matches" => [{"rule_id" => "1"}],
718
- "method" => "GET",
719
- "remote_address" => "1.1.1.1",
720
- "route_id" => "12345",
721
- "session_id" => "sldfjk2343",
722
- "user_id" => "user_id"
723
- })
855
+ )
724
856
 
725
857
  expect(
726
- cmdi.block?("cat /etc/passwd | grep root", @tcell_context)
858
+ @rust_policies.block_command?('cat /etc/passwd | grep root', @tcell_context)
727
859
  ).to eq(true)
728
860
  end
729
-
730
861
  end
731
862
  end
732
863
  end
733
-
734
864
  end
735
865
  end
736
866
  end