tcell_agent 1.1.11 → 2.1.2

data/lib/tcell_agent/rails/auth/devise.rb

@@ -2,14 +2,12 @@ if TCellAgent.configuration.should_instrument_devise? && defined?(Devise)
   module TCellAgent
     require 'base64'
     require 'tcell_agent/agent'
-    require 'tcell_agent/sensor_events/login_fraud'
 
     module DeviseInstrumentation
       module TCellFailureAppRespond
         def respond
           TCellAgent::Instrumentation.safe_block('Devise Failure App Respond') do
-            if TCellAgent.configuration.enabled &&
-               TCellAgent.configuration.should_intercept_requests?
+            if TCellAgent.configuration.should_intercept_requests?
               tcell_data = request.env[TCellAgent::Instrumentation::TCELL_ID]
               if tcell_data
                 # in the case of http auth, user_id is set in
@@ -22,19 +20,16 @@ if TCellAgent.configuration.should_instrument_devise? && defined?(Devise)
                 password = tcell_data.password
                 password ||= _get_tcell_password
 
-                login_fraud_policy = TCellAgent.policy(TCellAgent::PolicyTypes::LOGINFRAUD)
-                if login_fraud_policy && login_fraud_policy.login_failed_enabled
-                  TCellAgent.send_event(
-                    TCellAgent::SensorEvents::LoginFailure.new(
-                      request.env,
-                      tcell_data,
-                      user_id,
-                      password
-                    )
-                  )
-                end
+                user_valid = nil
+                login_policy = TCellAgent.policy(TCellAgent::PolicyTypes::LOGINFRAUD)
+                login_policy.report_login_failure(
+                  user_id,
+                  password,
+                  request.env,
+                  user_valid,
+                  tcell_data
+                )
               end
-
             end
           end
 
@@ -97,7 +92,7 @@ if TCellAgent.configuration.should_instrument_devise? && defined?(Devise)
         # gets the first entry in the current backtrace
         # syntax suggested by rubocop to improve performance
         if caller(1..1).first.include? 'two_factor_authenticatable'
-          TCellAgent.logger.debug('Not sending login success event for Devise::Strategies::TwoFactorAuthenticatable since 2fa is unsupported')
+          TCellAgent.logger.debug('Not sending login success event for Devise::Strategies::TwoFactorAuthenticatable since 2fa is unsupported', 'TCellAgent::DeviseInstrumentation')
           send_event = false
         end
 
@@ -113,13 +108,15 @@ if TCellAgent.configuration.should_instrument_devise? && defined?(Devise)
               end
             end
 
-            login_fraud_policy = TCellAgent.policy(TCellAgent::PolicyTypes::LOGINFRAUD)
-            if login_fraud_policy && login_fraud_policy.login_success_enabled
-              tcell_data = request.env[TCellAgent::Instrumentation::TCELL_ID]
-              if tcell_data
-                TCellAgent.send_event(TCellAgent::SensorEvents::LoginSuccess.new(request.env, tcell_data, username, nil))
-              end
-            end
+            tcell_data = request.env[TCellAgent::Instrumentation::TCELL_ID]
+            return is_valid unless tcell_data
+
+            login_policy = TCellAgent.policy(TCellAgent::PolicyTypes::LOGINFRAUD)
+            login_policy.report_login_success(
+              username,
+              request.env,
+              tcell_data
+            )
           end
         end
 

data/lib/tcell_agent/rails/auth/doorkeeper.rb

@@ -1,90 +1,79 @@
-if TCellAgent.configuration.should_instrument_doorkeeper?
+if TCellAgent.configuration.should_instrument_doorkeeper? && defined?(Doorkeeper)
 
-  if defined?(Doorkeeper)
-    require 'tcell_agent/agent'
-    require 'tcell_agent/sensor_events/login_fraud'
+  require 'tcell_agent/agent'
+  require 'tcell_agent/sensor_events/login_fraud'
 
-    module TCellAgent
-      module DoorkeeperInstrumentation
-        Doorkeeper::TokensController.class_eval do
-          alias_method :tcell_authorize_response, :authorize_response
-          def authorize_response
-            result = tcell_authorize_response
+  module TCellAgent
+    module DoorkeeperInstrumentation
+      Doorkeeper::TokensController.class_eval do
+        alias_method :tcell_authorize_response, :authorize_response
+        def authorize_response
+          result = tcell_authorize_response
 
-            TCellAgent::Instrumentation.safe_block('Doorkeeper Token Authorize') do
-              if TCellAgent.configuration.enabled &&
-                 TCellAgent.configuration.should_intercept_requests?
-                login_fraud_policy = TCellAgent.policy(TCellAgent::PolicyTypes::LOGINFRAUD)
-                if login_fraud_policy &&
-                   login_fraud_policy.enabled &&
-                   login_fraud_policy.login_failed_enabled
-                  tcell_data = request.env[TCellAgent::Instrumentation::TCELL_ID]
+          TCellAgent::Instrumentation.safe_block('Doorkeeper Token Authorize') do
+            return result unless TCellAgent.configuration.should_intercept_requests?
 
-                  if tcell_data
-                    password = nil
-                    if result.is_a?(Doorkeeper::OAuth::TokenResponse)
-                      TCellAgent.send_event(
-                        TCellAgent::SensorEvents::LoginSuccess.new(
-                          request.env,
-                          tcell_data,
-                          result.token.resource_owner_id,
-                          password
-                        )
-                      )
-                    elsif result.is_a?(Doorkeeper::OAuth::ErrorResponse)
-                      TCellAgent.send_event(
-                        TCellAgent::SensorEvents::LoginFailure.new(
-                          request.env,
-                          tcell_data,
-                          request.POST['client_id'],
-                          password
-                        )
-                      )
-                    end
+            login_policy = TCellAgent.policy(TCellAgent::PolicyTypes::LOGINFRAUD)
+            tcell_data = request.env[TCellAgent::Instrumentation::TCELL_ID]
 
-                  end
-                end
-              end
-            end
+            return unless tcell_data
+            headers = request.env
 
-            result
+            if result.is_a?(Doorkeeper::OAuth::TokenResponse)
+              user_id = result.token.resource_owner_id
+              login_policy.report_login_success(
+                user_id,
+                headers,
+                tcell_data
+              )
+            elsif result.is_a?(Doorkeeper::OAuth::ErrorResponse)
+              user_id = request.POST['client_id']
+              password = nil
+              user_valid = nil
+              login_policy.report_login_failure(
+                user_id,
+                password,
+                headers,
+                user_valid,
+                tcell_data
+              )
+            end
           end
+
+          result
         end
+      end
 
-        module TCellAuthorizationsNew
-          def new
-            super if defined?(super)
+      module TCellAuthorizationsNew
+        def new
+          super if defined?(super)
 
-            TCellAgent::Instrumentation.safe_block('Doorkeeper Token Authorize') do
-              if TCellAgent.configuration.enabled &&
-                 TCellAgent.configuration.should_intercept_requests?
-                if pre_auth.error
-                  login_fraud_policy = TCellAgent.policy(TCellAgent::PolicyTypes::LOGINFRAUD)
-                  if login_fraud_policy &&
-                     login_fraud_policy.enabled &&
-                     login_fraud_policy.login_failed_enabled
-                    tcell_data = request.env[TCellAgent::Instrumentation::TCELL_ID]
-                    if tcell_data && pre_auth.error
-                      password = nil
-                      TCellAgent.send_event(
-                        TCellAgent::SensorEvents::LoginFailure.new(
-                          request.env,
-                          tcell_data,
-                          current_resource_owner.id,
-                          password
-                        )
-                      )
-                    end
-                  end
-                end
-              end
-            end
+          TCellAgent::Instrumentation.safe_block('Doorkeeper Token Authorize') do
+            return unless TCellAgent.configuration.should_intercept_requests?
+            return unless pre_auth.error
+
+            login_policy = TCellAgent.policy(TCellAgent::PolicyTypes::LOGINFRAUD)
+            tcell_data = request.env[TCellAgent::Instrumentation::TCELL_ID]
+
+            return unless tcell_data
+
+            user_id = current_resource_owner.id
+            password = nil
+            headers = request.env
+            user_valid = nil
+            login_policy.report_login_failure(
+              user_id,
+              password,
+              headers,
+              user_valid,
+              tcell_data
+            )
           end
         end
-
-        # prepend is ruby 2+ feature
-        Doorkeeper::AuthorizationsController.send(:prepend, TCellAuthorizationsNew)
       end
+
+      # prepend is ruby 2+ feature
+      Doorkeeper::AuthorizationsController.send(:prepend, TCellAuthorizationsNew)
     end
   end
 end

data/lib/tcell_agent/rails/csrf_exception.rb

@@ -4,8 +4,8 @@ module TCellAgent
   module CsrfExceptionReporter
     def handle_unverified_request
       TCellAgent::Instrumentation.safe_block('AppSensor CSRF Exception processing') do
-        rust_policies = TCellAgent.policy(TCellAgent::PolicyTypes::RUST)
-        if rust_policies && rust_policies.appfirewall_enabled
+        appfirewall_policy = TCellAgent.policy(TCellAgent::PolicyTypes::APPSENSOR)
+        if appfirewall_policy.enabled
           tcell_data = request.env[TCellAgent::Instrumentation::TCELL_ID]
           if tcell_data
             tcell_data.csrf_exception_name = 'ActionController::InvalidAuthenticityToken'

data/lib/tcell_agent/rails/dlp.rb

@@ -5,7 +5,6 @@ require 'tcell_agent/devise' if defined?(Devise)
 
 require 'rails'
 require 'uri'
-require 'tcell_agent/logger'
 require 'tcell_agent/agent'
 require 'tcell_agent/sensor_events/sensor'
 require 'tcell_agent/sensor_events/server_agent'
@@ -31,11 +30,20 @@ require 'tcell_agent/rails/responses'
 
 module TCellAgent
   module DLP
+    def self.get_dlp_logger
+      unless defined?(@rails_dlp_logger)
+        @rails_dlp_logger = TCellAgent::ModuleLogger.new(
+          TCellAgent.logger, name
+        )
+      end
+
+      @rails_dlp_logger
+    end
+
     def self.instrument_pluck(results, column_names, model)
       return if results.empty?
 
-      if TCellAgent.configuration.enabled &&
-         TCellAgent.configuration.should_instrument? &&
+      if TCellAgent.configuration.should_instrument? &&
          TCellAgent.configuration.should_intercept_requests?
 
         dlp_policy = TCellAgent.policy(TCellAgent::PolicyTypes::DATALOSS)
@@ -88,7 +96,7 @@ module TCellAgent
             end
 
             if results.size > TCellAgent.configuration.max_data_ex_db_records_per_request
-              TCellAgent.logger.warn("Route (#{tcell_context.route_id}) retrieved too many records")
+              get_dlp_logger.warn("Route (#{tcell_context.route_id}) retrieved too many records")
             end
 
             return if column_name_to_rules.empty?
@@ -138,8 +146,7 @@ module TCellAgent
     def self.instrument_find_by_sql(results)
       return if results.empty?
 
-      if TCellAgent.configuration.enabled &&
-         TCellAgent.configuration.should_instrument? &&
+      if TCellAgent.configuration.should_instrument? &&
          TCellAgent.configuration.should_intercept_requests?
 
         dlp_policy = TCellAgent.policy(TCellAgent::PolicyTypes::DATALOSS)
@@ -167,7 +174,7 @@ module TCellAgent
             end
 
             if results.size > TCellAgent.configuration.max_data_ex_db_records_per_request
-              TCellAgent.logger.warn("Route (#{tcell_context.route_id}) retrieved too many records")
+              get_dlp_logger.warn("Route (#{tcell_context.route_id}) retrieved too many records")
             end
 
             column_name_to_rules = column_names.each_with_object({}) do |column_name, memo|
@@ -214,16 +221,22 @@ module TCellAgent
             result = tcell_translate_exception(exception, message)
 
             TCellAgent::Instrumentation.safe_block('Set sql_exception_detected in meta') do
-              rust_policies = TCellAgent.policy(TCellAgent::PolicyTypes::RUST)
-              if rust_policies && rust_policies.appfirewall_enabled
+              appfirewall_policy = TCellAgent.policy(TCellAgent::PolicyTypes::APPSENSOR)
+              if appfirewall_policy.enabled
                 request_env = TCellAgent::Instrumentation::Rails::Middleware::ContextMiddleware::THREADS.fetch(
                   Thread.current.object_id, {}
                 )
                 tcell_data = request_env[TCellAgent::Instrumentation::TCELL_ID]
                 if tcell_data && result.is_a?(ActiveRecord::StatementInvalid)
-                  tcell_data.sql_exceptions.push(
-                    { 'exception_name' => result.class.name, 'exception_payload' => message }
-                  )
+                  if message.is_a? Hash
+                    tcell_data.sql_exceptions.push(
+                      { 'exception_name' => result.class.name, 'exception_payload' => message[:message] }
+                    )
+                  else
+                    tcell_data.sql_exceptions.push(
+                      { 'exception_name' => result.class.name, 'exception_payload' => message }
+                    )
+                  end
                 end
               end
             end
@@ -246,7 +259,7 @@ module TCellAgent
         end
 
         ActiveRecord::Querying.module_eval do
-          if ::Rails::VERSION::MAJOR == 5
+          if ::Rails::VERSION::MAJOR >= 5
             alias_method :tcell_find_by_sql, :find_by_sql
             def find_by_sql(*args)
               results = tcell_find_by_sql(*args)
@@ -290,8 +303,7 @@ module TCellAgent
   module Policies
     class DataLossPolicy
       def log_enforce(tcell_context, sanitize_string)
-        if TCellAgent.configuration.enabled &&
-           TCellAgent.configuration.should_instrument? &&
+        if TCellAgent.configuration.should_instrument? &&
            TCellAgent.configuration.should_intercept_requests?
           if tcell_context && tcell_context.session_id
             session_id_actions = get_actions_for_session_id
@@ -326,8 +338,7 @@ module TCellAgent
       end
 
       def response_body_enforce(tcell_context, sanitize_string)
-        if TCellAgent.configuration.enabled &&
-           TCellAgent.configuration.should_instrument? &&
+        if TCellAgent.configuration.should_instrument? &&
            TCellAgent.configuration.should_intercept_requests?
           if tcell_context && tcell_context.session_id
             session_id_actions = get_actions_for_session_id
@@ -367,6 +378,8 @@ end
 class Logger
   alias_method :tcell_old_add, :add
   def add(severity, message = nil, progname = nil)
+    return tcell_old_add(severity, message, progname) unless severity >= level
+
     if severity >= level
       progname ||= @progname
       if message.nil?
@@ -383,9 +396,12 @@ class Logger
          TCellAgent.configuration.should_intercept_requests?
 
         TCellAgent::Instrumentation.safe_block_no_log('Handling DLP log message filtering') do
-          dlp_policy = TCellAgent.policy(TCellAgent::PolicyTypes::DATALOSS)
+          dataloss_policy = TCellAgent.policy(TCellAgent::PolicyTypes::DATALOSS)
+          return tcell_old_add(severity, message, progname) unless dataloss_policy && dataloss_policy.enabled
+
           request_env = TCellAgent::Instrumentation::Rails::Middleware::ContextMiddleware::THREADS.fetch(Thread.current.object_id, nil)
-          if message && dlp_policy && request_env
+
+          if message && request_env
             tcell_context = request_env[TCellAgent::Instrumentation::TCELL_ID]
             tcell_context.filter_log(message) if tcell_context
           end

data/lib/tcell_agent/rails/dlp_handler.rb

@@ -38,8 +38,7 @@ module TCellAgent
           tcell_context = nil
 
           TCellAgent::Instrumentation.safe_block('DLP Handler get handler and context') do
-            if TCellAgent.configuration.enabled &&
-               TCellAgent.configuration.should_instrument? &&
+            if TCellAgent.configuration.should_instrument? &&
                TCellAgent.configuration.should_intercept_requests?
 
               # do all this work so that dlp doesn't run at all unless it's on and there

data/lib/tcell_agent/rails/js_agent_insert.rb

@@ -44,19 +44,18 @@ module TCellAgent
           script_insert = nil
 
           TCellAgent::Instrumentation.safe_block('JSAgent get handler and script insert') do
-            if (response_headers['Content-Type'] || '').start_with?('text/html')
-              rust_policy = TCellAgent.policy(TCellAgent::PolicyTypes::RUST)
-              if rust_policy
-                script_insert = rust_policy.get_js_agent_script_tag(
-                  request.env[TCellAgent::Instrumentation::TCELL_ID]
-                )
-                if script_insert
-                  js_agent_handler = proc { |si, resp|
-                    handle_js_agent_insert(si, resp)
-                  }
-                end
-              end
-            end
+            return [nil, nil] unless (response_headers['Content-Type'] || '').start_with?('text/html')
+
+            js_agent_policy = TCellAgent.policy(TCellAgent::PolicyTypes::JSAGENTINJECTION)
+            script_insert = js_agent_policy.get_js_agent_script_tag(
+              request.env[TCellAgent::Instrumentation::TCELL_ID]
+            )
+
+            return [nil, nil] unless script_insert
+
+            js_agent_handler = proc { |si, resp|
+              handle_js_agent_insert(si, resp)
+            }
           end
 
           [js_agent_handler, script_insert]

data/lib/tcell_agent/rails/middleware/body_filter_middleware.rb

@@ -2,7 +2,6 @@
 
 require 'rails'
 require 'uri'
-require 'tcell_agent/logger'
 require 'tcell_agent/agent'
 require 'tcell_agent/sensor_events/sensor'
 require 'tcell_agent/sensor_events/server_agent'
@@ -22,34 +21,14 @@ module TCellAgent
           end
 
           def call(env)
-            orig = (Time.now.to_f * 1000).to_i
+            start_time = (Time.now.to_f * 1000).to_i
 
             response = @app.call(env)
 
             if TCellAgent.configuration.should_intercept_requests?
-              response_time = (Time.now.to_f * 1000).to_i - orig
-              TCellAgent::Instrumentation.safe_block('Handling Route Time') do
-                route_id = env[TCellAgent::Instrumentation::TCELL_ID].route_id
-                if route_id
-                  TCellAgent.increment_route(route_id, response_time)
-                else
-                  TCellAgent.increment_route('', response_time)
-                end
-              end
-              TCellAgent::Instrumentation.safe_block('Handling Sessions Info') do
-                login_fraud_policy = TCellAgent.policy(TCellAgent::PolicyTypes::LOGINFRAUD)
-                if login_fraud_policy && login_fraud_policy.session_hijacking_metrics
-                  hmac_session_id = env[TCellAgent::Instrumentation::TCELL_ID].hmac_session_id
-                  user_id = env[TCellAgent::Instrumentation::TCELL_ID].user_id
-                  if user_id && hmac_session_id
-                    TCellAgent.increment_session_info(
-                      hmac_session_id,
-                      user_id,
-                      env[TCellAgent::Instrumentation::TCELL_ID].ip_address,
-                      env[TCellAgent::Instrumentation::TCELL_ID].user_agent
-                    )
-                  end
-                end
+              TCellAgent::Instrumentation.safe_block('Handling reporting metrics') do
+                response_time = (Time.now.to_f * 1000).to_i - start_time
+                TCellAgent.report_metrics(response_time, env[TCellAgent::Instrumentation::TCELL_ID])
               end
             end