tcell_agent 1.1.12 → 2.0.0

Files changed (163)
  1. checksums.yaml +5 -5
  2. data/bin/tcell_agent +26 -14
  3. data/lib/tcell_agent.rb +16 -10
  4. data/lib/tcell_agent/agent.rb +78 -97
  5. data/lib/tcell_agent/agent/route_manager.rb +0 -16
  6. data/lib/tcell_agent/agent/static_agent.rb +9 -30
  7. data/lib/tcell_agent/authlogic.rb +3 -6
  8. data/lib/tcell_agent/config/unknown_options.rb +4 -8
  9. data/lib/tcell_agent/configuration.rb +38 -119
  10. data/lib/tcell_agent/devise.rb +25 -27
  11. data/lib/tcell_agent/hooks/login_fraud.rb +30 -33
  12. data/lib/tcell_agent/instrument_servers.rb +25 -0
  13. data/lib/tcell_agent/instrumentation.rb +12 -10
  14. data/lib/tcell_agent/instrumentation/cmdi.rb +19 -15
  15. data/lib/tcell_agent/instrumentation/lfi.rb +73 -0
  16. data/lib/tcell_agent/instrumentation/monkey_patches/file.rb +25 -0
  17. data/lib/tcell_agent/instrumentation/monkey_patches/io.rb +123 -0
  18. data/lib/tcell_agent/instrumentation/monkey_patches/kernel.rb +159 -0
  19. data/lib/tcell_agent/logger.rb +50 -114
  20. data/lib/tcell_agent/patches.rb +6 -7
  21. data/lib/tcell_agent/policies/appfirewall_policy.rb +26 -0
  22. data/lib/tcell_agent/policies/command_injection_policy.rb +28 -0
  23. data/lib/tcell_agent/policies/dataloss_policy.rb +44 -44
  24. data/lib/tcell_agent/policies/headers_policy.rb +25 -0
  25. data/lib/tcell_agent/policies/http_redirect_policy.rb +13 -79
  26. data/lib/tcell_agent/policies/js_agent_policy.rb +27 -0
  27. data/lib/tcell_agent/policies/local_file_access.rb +28 -0
  28. data/lib/tcell_agent/policies/login_policy.rb +43 -0
  29. data/lib/tcell_agent/policies/patches_policy.rb +27 -0
  30. data/lib/tcell_agent/policies/policies_manager.rb +68 -0
  31. data/lib/tcell_agent/policies/policy_polling.rb +58 -0
  32. data/lib/tcell_agent/policies/policy_types.rb +14 -0
  33. data/lib/tcell_agent/policies/system_enablements.rb +27 -0
  34. data/lib/tcell_agent/rails/auth/authlogic.rb +43 -68
  35. data/lib/tcell_agent/rails/auth/devise.rb +20 -23
  36. data/lib/tcell_agent/rails/auth/doorkeeper.rb +63 -74
  37. data/lib/tcell_agent/rails/csrf_exception.rb +2 -2
  38. data/lib/tcell_agent/rails/dlp.rb +25 -15
  39. data/lib/tcell_agent/rails/dlp_handler.rb +1 -2
  40. data/lib/tcell_agent/rails/js_agent_insert.rb +12 -13
  41. data/lib/tcell_agent/rails/middleware/body_filter_middleware.rb +4 -25
  42. data/lib/tcell_agent/rails/middleware/context_middleware.rb +2 -12
  43. data/lib/tcell_agent/rails/middleware/global_middleware.rb +0 -1
  44. data/lib/tcell_agent/rails/middleware/headers_middleware.rb +14 -34
  45. data/lib/tcell_agent/rails/on_start.rb +32 -31
  46. data/lib/tcell_agent/rails/routes.rb +7 -6
  47. data/lib/tcell_agent/rails/routes/grape.rb +1 -3
  48. data/lib/tcell_agent/rails/routes/route_id.rb +3 -1
  49. data/lib/tcell_agent/rails/settings_reporter.rb +23 -36
  50. data/lib/tcell_agent/rails/start_agent_after_initializers.rb +12 -0
  51. data/lib/tcell_agent/rails/tcell_body_proxy.rb +6 -4
  52. data/lib/tcell_agent/rust/agent_config.rb +49 -0
  53. data/lib/tcell_agent/rust/{libtcellagent-alpine-1.3.2.so → libtcellagent-4.14.0.dylib} +0 -0
  54. data/lib/tcell_agent/rust/libtcellagent-4.14.0.so +0 -0
  55. data/lib/tcell_agent/rust/{libtcellagent-1.3.2.so → libtcellagent-alpine-4.14.0.so} +0 -0
  56. data/lib/tcell_agent/rust/models.rb +0 -55
  57. data/lib/tcell_agent/rust/native_agent.rb +531 -0
  58. data/lib/tcell_agent/rust/native_agent_response.rb +42 -0
  59. data/lib/tcell_agent/rust/native_library.rb +68 -0
  60. data/lib/tcell_agent/rust/tcellagent-4.14.0.dll +0 -0
  61. data/lib/tcell_agent/sensor_events/agent_setting_event.rb +12 -0
  62. data/lib/tcell_agent/sensor_events/{app_config.rb → app_config_setting_event.rb} +0 -6
  63. data/lib/tcell_agent/sensor_events/dlp.rb +2 -6
  64. data/lib/tcell_agent/sensor_events/sensor.rb +0 -62
  65. data/lib/tcell_agent/sensor_events/server_agent.rb +13 -18
  66. data/lib/tcell_agent/sensor_events/util/sanitizer_utilities.rb +0 -108
  67. data/lib/tcell_agent/sensor_events/util/utils.rb +0 -2
  68. data/lib/tcell_agent/servers/passenger.rb +1 -28
  69. data/lib/tcell_agent/servers/puma.rb +3 -21
  70. data/lib/tcell_agent/servers/rails_server.rb +1 -1
  71. data/lib/tcell_agent/servers/thin.rb +2 -2
  72. data/lib/tcell_agent/servers/unicorn.rb +19 -80
  73. data/lib/tcell_agent/servers/webrick.rb +1 -1
  74. data/lib/tcell_agent/settings_reporter.rb +24 -24
  75. data/lib/tcell_agent/sinatra.rb +14 -16
  76. data/lib/tcell_agent/tcell_context.rb +40 -14
  77. data/lib/tcell_agent/utils/headers.rb +14 -0
  78. data/lib/tcell_agent/version.rb +1 -1
  79. data/spec/lib/tcell_agent/cmdi_spec.rb +0 -585
  80. data/spec/lib/tcell_agent/config/unknown_options_spec.rb +0 -18
  81. data/spec/lib/tcell_agent/configuration_spec.rb +4 -140
  82. data/spec/lib/tcell_agent/hooks/login_fraud_spec.rb +46 -173
  83. data/spec/lib/tcell_agent/instrumentation/cmdi/io_cmdi_spec.rb +504 -0
  84. data/spec/lib/tcell_agent/instrumentation/cmdi/kernel_cmdi_spec.rb +435 -0
  85. data/spec/lib/tcell_agent/instrumentation/lfi/file_lfi_spec.rb +326 -0
  86. data/spec/lib/tcell_agent/instrumentation/lfi/io_lfi_spec.rb +556 -0
  87. data/spec/lib/tcell_agent/instrumentation/lfi/kernel_lfi_spec.rb +249 -0
  88. data/spec/lib/tcell_agent/instrumentation/lfi_spec.rb +105 -0
  89. data/spec/lib/tcell_agent/patches_spec.rb +25 -43
  90. data/spec/lib/tcell_agent/policies/appfirewall_policy_spec.rb +183 -0
  91. data/spec/lib/tcell_agent/policies/clickjacking_policy_spec.rb +57 -0
  92. data/spec/lib/tcell_agent/policies/command_injection_policy_spec.rb +84 -773
  93. data/spec/lib/tcell_agent/policies/content_security_policy_spec.rb +161 -0
  94. data/spec/lib/tcell_agent/policies/dataloss_policy_spec.rb +9 -9
  95. data/spec/lib/tcell_agent/policies/http_redirect_policy_spec.rb +243 -198
  96. data/spec/lib/tcell_agent/policies/js_agent_policy_spec.rb +75 -0
  97. data/spec/lib/tcell_agent/policies/login_policy_spec.rb +165 -33
  98. data/spec/lib/tcell_agent/policies/patches_policy_spec.rb +84 -277
  99. data/spec/lib/tcell_agent/policies/policies_manager_spec.rb +104 -0
  100. data/spec/lib/tcell_agent/policies/policy_polling_spec.rb +6 -0
  101. data/spec/lib/tcell_agent/policies/secure_headers_policy_spec.rb +56 -0
  102. data/spec/lib/tcell_agent/rails/csrf_exception_spec.rb +9 -18
  103. data/spec/lib/tcell_agent/rails/js_agent_insert_spec.rb +13 -30
  104. data/spec/lib/tcell_agent/rails/logger_spec.rb +27 -7
  105. data/spec/lib/tcell_agent/rails/middleware/tcell_body_proxy_spec.rb +17 -12
  106. data/spec/lib/tcell_agent/rails/routes/routes_spec.rb +14 -14
  107. data/spec/lib/tcell_agent/sensor_events/util/sanitizer_utilities_spec.rb +0 -35
  108. data/spec/lib/tcell_agent/settings_reporter_spec.rb +127 -153
  109. data/spec/spec_helper.rb +1 -1
  110. data/spec/support/builders.rb +104 -0
  111. data/spec/support/force_logger_mocking.rb +38 -0
  112. data/spec/support/resources/lfi_sample_file.txt +2 -0
  113. data/spec/support/static_agent_overrides.rb +0 -15
  114. metadata +63 -74
  115. data/lib/tcell_agent/agent/event_processor.rb +0 -326
  116. data/lib/tcell_agent/agent/fork_pipe_manager.rb +0 -113
  117. data/lib/tcell_agent/agent/policy_manager.rb +0 -219
  118. data/lib/tcell_agent/agent/policy_types.rb +0 -30
  119. data/lib/tcell_agent/api.rb +0 -91
  120. data/lib/tcell_agent/appsensor/injections_reporter.rb +0 -24
  121. data/lib/tcell_agent/config/child_process_events.rb +0 -8
  122. data/lib/tcell_agent/instrumentation/cmdi/backtick.rb +0 -10
  123. data/lib/tcell_agent/instrumentation/cmdi/exec.rb +0 -14
  124. data/lib/tcell_agent/instrumentation/cmdi/popen.rb +0 -28
  125. data/lib/tcell_agent/instrumentation/cmdi/spawn.rb +0 -11
  126. data/lib/tcell_agent/instrumentation/cmdi/system.rb +0 -11
  127. data/lib/tcell_agent/policies/http_tx_policy.rb +0 -60
  128. data/lib/tcell_agent/policies/login_fraud_policy.rb +0 -45
  129. data/lib/tcell_agent/policies/rust_policies.rb +0 -110
  130. data/lib/tcell_agent/rails.rb +0 -40
  131. data/lib/tcell_agent/rust/libtcellagent-1.3.2.dylib +0 -0
  132. data/lib/tcell_agent/rust/tcellagent-1.3.2.dll +0 -0
  133. data/lib/tcell_agent/rust/whisperer.rb +0 -308
  134. data/lib/tcell_agent/sensor_events/appsensor_event.rb +0 -52
  135. data/lib/tcell_agent/sensor_events/appsensor_meta_event.rb +0 -45
  136. data/lib/tcell_agent/sensor_events/command_injection.rb +0 -75
  137. data/lib/tcell_agent/sensor_events/honeytokens.rb +0 -16
  138. data/lib/tcell_agent/sensor_events/login_fraud.rb +0 -60
  139. data/lib/tcell_agent/sensor_events/metrics.rb +0 -123
  140. data/lib/tcell_agent/sensor_events/patches.rb +0 -21
  141. data/lib/tcell_agent/start_background_thread.rb +0 -55
  142. data/lib/tcell_agent/system_info.rb +0 -11
  143. data/lib/tcell_agent/utils/io.rb +0 -38
  144. data/lib/tcell_agent/utils/passwords.rb +0 -28
  145. data/lib/tcell_agent/utils/queue_with_timeout.rb +0 -142
  146. data/spec/lib/tcell_agent/agent/fork_pipe_manager_spec.rb +0 -100
  147. data/spec/lib/tcell_agent/agent/policy_manager_spec.rb +0 -535
  148. data/spec/lib/tcell_agent/agent/static_agent_spec.rb +0 -133
  149. data/spec/lib/tcell_agent/api/api_spec.rb +0 -39
  150. data/spec/lib/tcell_agent/appsensor/injections_reporter_spec.rb +0 -187
  151. data/spec/lib/tcell_agent/instrumentation_spec.rb +0 -225
  152. data/spec/lib/tcell_agent/policies/appsensor_policy_spec.rb +0 -517
  153. data/spec/lib/tcell_agent/policies/http_tx_policy_spec.rb +0 -22
  154. data/spec/lib/tcell_agent/rails/middleware/appsensor_middleware_spec.rb +0 -293
  155. data/spec/lib/tcell_agent/rails/middleware/dlp_middleware_spec.rb +0 -198
  156. data/spec/lib/tcell_agent/rails/middleware/global_middleware_spec.rb +0 -180
  157. data/spec/lib/tcell_agent/rails/middleware/redirect_middleware_spec.rb +0 -116
  158. data/spec/lib/tcell_agent/rust/models_spec.rb +0 -120
  159. data/spec/lib/tcell_agent/rust/whisperer_spec.rb +0 -704
  160. data/spec/lib/tcell_agent/sensor_events/appsensor_meta_event_spec.rb +0 -45
  161. data/spec/lib/tcell_agent/sensor_events/sessions_metric_spec.rb +0 -272
  162. data/spec/lib/tcell_agent/utils/bounded_queue_spec.rb +0 -52
  163. data/spec/lib/tcell_agent/utils/passwords_spec.rb +0 -143
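--- a/data/spec/lib/tcell_agent/policies/appfirewall_policy_spec.rb
+++ b/data/spec/lib/tcell_agent/policies/appfirewall_policy_spec.rb
@@ -0,0 +1,183 @@
+require 'spec_helper'
+
+module TCellAgent
+module Policies
+describe AppfirewallPolicy do
+everything_enabled_policy_json = {
+'appsensor' => {
+'policy_id' => '01a1',
+'version' => 2,
+'data' => {
+'options' => {
+'uri_options' => {
+'collect_full_uri' => true
+},
+'payloads' => {
+'send_payloads' => true,
+'send_blacklist' => {
+'ssn' => ['*'],
+'password' => ['*']
+},
+'send_whitelist' => {},
+'log_payloads' => true,
+'log_blacklist' => {},
+'log_whitelist' => {
+'username' => ['*']
+}
+}
+},
+'sensors' => {
+'req_size' => {
+'limit' => 1024,
+'exclude_routes' => ['2300']
+},
+'resp_size' => {
+'limit' => 2048,
+'exclude_routes' => ['2323']
+},
+'resp_codes' => {
+'series_400_enabled' => true,
+'series_500_enabled' => true
+},
+'xss' => {
+'libinjection' => true,
+'patterns' => %w[1 2 8],
+'exclusions' => {
+'bob' => ['*']
+}
+},
+'sqli' => {
+'libinjection' => true,
+'exclude_headers' => true,
+'patterns' => ['1']
+},
+'fpt' => {
+'patterns' => %w[1 2],
+'exclude_forms' => true,
+'exclude_cookies' => true,
+'exclusions' => {
+'somethingcommon' => ['form']
+}
+},
+'cmdi' => {
+'patterns' => %w[1 2]
+},
+'nullbyte' => {
+'patterns' => %w[1 2]
+},
+'retr' => {
+'patterns' => %w[1 2]
+},
+'ua' => {
+'empty_enabled' => true
+},
+'errors' => {
+'csrf_exception_enabled' => true,
+'sql_exception_enabled' => true
+},
+'database' => {
+'large_result' => {
+'limit' => 10
+}
+}
+}
+}
+},
+'regex' => {
+'data' => {
+'patterns' => [
+{
+'id' => 'tc-xss-1',
+'pattern' => '(?:<(script))',
+'sensor' => 'xss',
+'title' => 'Basic Injection'
+},
+{
+'safe_pattern' => '^[a-zA-Z0-9_\\s\\r\\n\\t]*$',
+'pattern' => '(?:[\\s()]case\\s*\\()|(?:\\)\\s*like\\s*\\()|(?:having\\s*[^\\s]+\\s*[^\\w\\s])|(?:if\\s?\\([\\d\\w]\\s*[=<>~])',
+'sensor' => 'sqli',
+'id' => 'tc-sqli-1',
+'title' => 'Conditional Attempts'
+}
+],
+'version' => 1_518_546_622_571
+},
+'policy_id' => 'f3a313b0-10eb-11e8-8080-808080808080',
+'version' => 1
+}
+}
+
+describe '#initialize' do
+context 'empty enablements' do
+it 'should disable the policy' do
+native_agent = double('native_agent')
+policy = AppfirewallPolicy.new(native_agent, {})
+expect(policy.enabled).to eq(false)
+end
+end
+end
+
+describe '#check_appfirewall_injections' do
+context 'with disabled policy' do
+it 'should not call the native library' do
+native_agent = double('native_agent')
+policy = AppfirewallPolicy.new(native_agent, {})
+
+expect(native_agent).to_not receive(:apply_appfirewall)
+
+appsensor_meta = double('appsensor_meta')
+policy.check_appfirewall_injections(appsensor_meta)
+end
+end
+
+context 'with enabled policy' do
+before(:each) do
+configuration = TCellAgent::Tests::ConfigurationBuilder.new.build
+@native_agent = TCellAgent::Rust::NativeAgent.create_agent(
+configuration
+)
+enablements = @native_agent.update_policies(
+everything_enabled_policy_json
+)['enablements']
+expect(enablements['appfirewall']).to eq(true)
+
+@policy = AppfirewallPolicy.new(@native_agent, enablements)
+expect(@policy.enabled).to eq(true)
+end
+
+after(:each) do
+TCellAgent::Rust::NativeAgent.free_agent(@native_agent.agent_ptr)
+end
+
+it 'should be able to call native library' do
+meta_data = TCellAgent::Tests::MetaDataBuilder.new.build
+resp = @policy.check_appfirewall_injections(meta_data)
+expect(resp).to eq({})
+end
+
+context 'exception raised in native_agent' do
+it 'should log the exception' do
+expected_error = StandardError.new('UNEXPECTED')
+logger = double('logger')
+expect(TCellAgent::Instrumentation).to receive(:get_safe_block_logger).and_return(logger)
+expect(logger).to receive(:error).with(
+'Error AppFirewall inspection (StandardError): UNEXPECTED'
+)
+expect(logger).to receive(:exception).with(
+expected_error
+)
+
+meta_data = TCellAgent::Tests::MetaDataBuilder.new.build
+expect(@native_agent).to receive(:apply_appfirewall).with(
+meta_data
+).and_raise(expected_error)
+
+resp = @policy.check_appfirewall_injections(meta_data)
+expect(resp).to eq(nil)
+end
+end
+end
+end
+end
+end
+end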
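Review bot: The `after(:each)` hook in the 'with enabled policy' context dereferences `@native_agent.agent_ptr` unconditionally, so if `create_agent` or one of the `expect` calls in `before(:each)` fails, `@native_agent` is nil and the hook raises NoMethodError, masking the real failure; guard it with `TCellAgent::Rust::NativeAgent.free_agent(@native_agent.agent_ptr) if @native_agent`. The same unguarded hook appears in the HeadersPolicy spec in the next hunk on this page. The only enabled-path example, 'should be able to call native library', asserts an empty `{}` response for default metadata, so nothing in this file shows that the xss/sqli patterns loaded from `everything_enabled_policy_json` ever produce a finding; if `MetaDataBuilder` allows setting a request parameter, a second example supplying a value that matches the file's own `tc-xss-1` pattern and asserting a non-empty response would pin the detection path rather than only the clean path. The assertions inside `before(:each)` (`expect(enablements['appfirewall']).to eq(true)`) are setup checks that would read better as a dedicated example or as `raise` guards, since a failing `expect` in a hook is reported against every example in the context.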
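--- a/data/spec/lib/tcell_agent/policies/clickjacking_policy_spec.rb
+++ b/data/spec/lib/tcell_agent/policies/clickjacking_policy_spec.rb
@@ -0,0 +1,57 @@
+
+require 'spec_helper'
+
+module TCellAgent
+module Policies
+describe HeadersPolicy do
+describe '#get_headers' do
+context 'with enabled policy' do
+before(:each) do
+configuration = TCellAgent::Tests::ConfigurationBuilder.new.build
+@native_agent = TCellAgent::Rust::NativeAgent.create_agent(
+configuration
+)
+@tcell_context = TCellAgent::Tests::TCellContextBuilder.new.update_attribute(
+'session_id', 'session-id'
+).update_attribute(
+'route_id', 'route-id'
+).build
+end
+
+after(:each) do
+TCellAgent::Rust::NativeAgent.free_agent(@native_agent.agent_ptr)
+end
+
+it 'should return csp header' do
+enablements = @native_agent.update_policies(
+{
+'clickjacking' => {
+'version' => 1,
+'policy_id' => 'xyzd',
+'headers' => [
+{
+'name' => 'Content-Security-Policy',
+'value' => "frame-ancestors 'none'",
+'report_uri' => 'https://input.tcell-preview.io/csp/430d'
+}
+]
+}
+}
+)['enablements']
+expect(enablements['headers']).to eq(true)
+
+@policy = HeadersPolicy.new(@native_agent, enablements)
+expect(@policy.enabled).to eq(true)
+
+expect(
+@policy.get_headers(@tcell_context)
+).to eq(
+[{ 'name' => 'Content-Security-Policy',
+'value' => "frame-ancestors 'none'; report-uri https://input.tcell-preview.io/csp/430d?sid=ab7074d0bf86c2884766d88b6ad9de4a&rid=route-id" }]
+)
+end
+end
+end
+end
+end
+end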
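Review bot: The expected header value at the end of the example embeds the literal `sid=ab7074d0bf86c2884766d88b6ad9de4a` with no explanation, while the context was built with `'session_id', 'session-id'`, so a reader cannot tell whether the test pins the property that the raw session id is transformed before it is placed in the browser-visible report-uri, or merely the native library's current output. Presumably that value is the native library's digest of the `session_id` attribute (confirm against the library); a comment above the expectation, `# sid is the hashed session_id, never the raw value, because the report-uri is emitted to the browser`, plus `expect(@policy.get_headers(@tcell_context).first['value']).not_to include('session-id')` would state the security property explicitly and keep it checked even if the digest format changes. The visible `rid=route-id` is passed through unchanged, presumably because route ids are not secrets, and that contrast is worth noting in the same comment. Assigning `@policy` inside the `it` block rather than to a local is also a small style point, since the instance variable is never shared with another example.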
@@ -2,872 +2,183 @@ require 'spec_helper'
2
2
 
3
3
  module TCellAgent
4
4
  module Policies
5
- describe RustPolicies do
6
- before(:each) do
7
- configuration = double(
8
- 'configuration',
9
- {
10
- 'app_id' => 'app_id',
11
- 'api_key' => 'api_key',
12
- 'allow_payloads' => true,
13
- 'js_agent_api_base_url' => 'http://api.tcell.com/',
14
- 'js_agent_url' => 'https://jsagent.tcell.io/tcellagent.min.js',
15
- 'max_csp_header_bytes' => nil
16
- }
17
- )
18
- expect(TCellAgent).to receive(:configuration).and_return(configuration).at_least(:once)
19
- allow(TCellAgent).to receive(:safe_to_send_cmdi_events?).and_return(true)
20
- @rust_policies = RustPolicies.new
21
- end
22
-
23
- describe '#update_policies' do
24
- context 'with a nil policy' do
25
- it 'should return nil' do
26
- expect(TCellAgent).to_not receive(:logger)
27
-
28
- @rust_policies.update_policies(nil)
29
-
30
- expect(@rust_policies.cmdi_enabled).to eq(false)
31
- end
32
- end
33
-
34
- context 'with an empty policy' do
35
- it 'should raise a policy missing error' do
36
- expect(TCellAgent).to_not receive(:logger)
37
- @rust_policies.update_policies({})
38
-
39
- expect(@rust_policies.cmdi_enabled).to eq(false)
40
- end
41
- end
42
-
43
- context 'with an empty version' do
44
- it 'should have empty version' do
45
- logger = double('logger')
46
-
47
- expect(TCellAgent).to receive(:logger).and_return(logger)
48
- expect(logger).to receive(:error).with(
49
- 'Error updating policies: Failed to decode cmdi policy: missing field `version`'
50
- )
51
- @rust_policies.update_policies(
52
- {
53
- 'cmdi' => { 'policy_id' => 'policy_id' }
54
- }
55
- )
56
-
57
- expect(@rust_policies.cmdi_enabled).to eq(false)
58
- end
59
- end
60
-
61
- context 'with no data' do
62
- it 'should have disabled ip blocking' do
63
- expect(TCellAgent).to_not receive(:logger)
64
-
65
- @rust_policies.update_policies(
66
- {
67
- 'cmdi' => {
68
- 'policy_id' => 'policy_id',
69
- 'version' => 1
70
- }
71
- }
72
- )
73
- expect(@rust_policies.cmdi_enabled).to eq(false)
5
+ describe CommandInjectionPolicy do
6
+ describe '#initialize' do
7
+ context 'empty enablements' do
8
+ it 'should disable the policy' do
9
+ native_agent = double('native_agent')
10
+ policy = CommandInjectionPolicy.new(native_agent, {})
11
+ expect(policy.enabled).to eq(false)
74
12
  end
75
13
  end
14
+ end
76
15
 
77
- context 'with empty data' do
78
- it 'should have default values' do
79
- expect(TCellAgent).to_not receive(:logger)
80
- @rust_policies.update_policies(
81
- {
82
- 'cmdi' => {
83
- 'policy_id' => 'policy_id',
84
- 'version' => 1,
85
- 'data' => {}
86
- }
87
- }
88
- )
89
- expect(@rust_policies.cmdi_enabled).to eq(false)
90
- end
91
- end
16
+ describe '#block_command?' do
17
+ context 'with disabled policy' do
18
+ it 'should not call the native library' do
19
+ native_agent = double('native_agent')
20
+ policy = CommandInjectionPolicy.new(native_agent, {})
92
21
 
93
- context 'with empty command rules' do
94
- it 'should have default values' do
95
- expect(TCellAgent).to_not receive(:logger)
96
- @rust_policies.update_policies(
97
- {
98
- 'cmdi' => {
99
- 'policy_id' => 'policy_id',
100
- 'version' => 1,
101
- 'data' => {
102
- 'command_rules' => []
103
- }
104
- }
105
- }
106
- )
107
- expect(@rust_policies.cmdi_enabled).to eq(false)
108
- end
109
- end
22
+ expect(native_agent).to_not receive(:apply_cmdi)
110
23
 
111
- context 'with empty compount statement rules' do
112
- it 'should have default values' do
113
- expect(TCellAgent).to_not receive(:logger)
114
- @rust_policies.update_policies(
115
- {
116
- 'cmdi' => {
117
- 'policy_id' => 'policy_id',
118
- 'version' => 1,
119
- 'data' => {
120
- 'compound_statement_rules' => []
121
- }
122
- }
123
- }
124
- )
125
- expect(@rust_policies.cmdi_enabled).to eq(false)
24
+ tcell_context = double('tcell_context')
25
+ expect(
26
+ policy.block_command?('cat /etc/passwd && grep root', tcell_context)
27
+ ).to eq(false)
126
28
  end
127
29
  end
128
30
 
129
- context 'with populated command rules' do
130
- it 'should have default values' do
131
- expect(TCellAgent).to_not receive(:logger)
132
- @rust_policies.update_policies(
133
- {
134
- 'cmdi' => {
135
- 'policy_id' => 'policy_id',
136
- 'version' => 1,
137
- 'data' => {
138
- 'command_rules' => [
139
- { 'rule_id' => '1', 'action' => 'block' },
140
- { 'rule_id' => '2', 'command' => 'nc', 'action' => 'ignore' }
141
- ]
142
- }
143
- }
144
- }
31
+ context 'with policies' do
32
+ before(:each) do
33
+ configuration = TCellAgent::Tests::ConfigurationBuilder.new.build
34
+ @native_agent = TCellAgent::Rust::NativeAgent.create_agent(
35
+ configuration
145
36
  )
146
-
147
- expect(@rust_policies.cmdi_enabled).to eq(true)
37
+ @tcell_context = TCellAgent::Tests::TCellContextBuilder.new.build
148
38
  end
149
- end
150
39
 
151
- context 'with populated compound statement rules' do
152
- it 'should have default values' do
153
- expect(TCellAgent).to_not receive(:logger)
154
- @rust_policies.update_policies(
155
- {
156
- 'cmdi' => {
157
- 'policy_id' => 'policy_id',
158
- 'version' => 1,
159
- 'data' => {
160
- 'compound_statement_rules' => [
161
- { 'rule_id' => '3', 'action' => 'block' }
162
- ]
163
- }
164
- }
165
- }
166
- )
167
-
168
- expect(@rust_policies.cmdi_enabled).to eq(true)
40
+ after(:each) do
41
+ TCellAgent::Rust::NativeAgent.free_agent(@native_agent.agent_ptr)
169
42
  end
170
- end
171
43
 
172
- context 'with populated collect_full_commandline' do
173
- context 'as nil' do
174
- it 'should have collect_full_commandline disabled' do
175
- expect(TCellAgent).to_not receive(:logger)
176
- @rust_policies.update_policies(
44
+ context 'empty command rules policy' do
45
+ it 'should disable policy' do
46
+ enablements = @native_agent.update_policies(
177
47
  {
178
48
  'cmdi' => {
179
49
  'policy_id' => 'policy_id',
180
50
  'version' => 1,
181
- 'data' => {
182
- 'collect_full_commandline' => nil,
183
- 'compound_statement_rules' => [
184
- { 'rule_id' => '3', 'action' => 'block' }
185
- ]
186
- }
51
+ 'data' => { 'command_rules' => [] }
187
52
  }
188
53
  }
189
- )
54
+ )['enablements']
55
+ expect(enablements['cmdi']).to eq(false)
190
56
 
191
- expect(@rust_policies.cmdi_enabled).to eq(true)
57
+ @policy = CommandInjectionPolicy.new(@native_agent, enablements)
58
+ expect(@policy.enabled).to eq(false)
192
59
  end
193
60
  end
194
61
 
195
- context 'as false' do
196
- it 'should have collect_full_commandline disabled' do
197
- @rust_policies.update_policies(
62
+ context 'ignore all command rules' do
63
+ it 'should disable policy' do
64
+ enablements = @native_agent.update_policies(
198
65
  {
199
66
  'cmdi' => {
200
67
  'policy_id' => 'policy_id',
201
68
  'version' => 1,
202
69
  'data' => {
203
- 'collect_full_commandline' => false,
204
- 'compound_statement_rules' => [
205
- { 'rule_id' => '3', 'action' => 'block' }
206
- ]
207
- }
208
- }
209
- }
210
- )
211
-
212
- expect(@rust_policies.cmdi_enabled).to eq(true)
213
- end
214
- end
215
-
216
- context 'as true' do
217
- it 'should have collect_full_commandline enabled' do
218
- @rust_policies.update_policies(
219
- {
220
- 'cmdi' => {
221
- 'policy_id' => 'policy_id',
222
- 'version' => 1,
223
- 'data' => {
224
- 'collect_full_commandline' => true,
225
- 'compound_statement_rules' => [
226
- { 'rule_id' => '3', 'action' => 'block' }
227
- ]
70
+ 'command_rules' => [{ 'rule_id' => '1', 'action' => 'ignore' }]
228
71
  }
229
72
  }
230
73
  }
231
- )
74
+ )['enablements']
75
+ expect(enablements['cmdi']).to eq(false)
232
76
 
233
- expect(@rust_policies.cmdi_enabled).to eq(true)
77
+ @policy = CommandInjectionPolicy.new(@native_agent, enablements)
78
+ expect(@policy.enabled).to eq(false)
234
79
  end
235
80
  end
236
- end
237
- end
238
81
 
239
- describe '#block_command?' do
240
- context 'with command rules' do
241
- context 'that are blank' do
242
- it 'should not block' do
243
- @rust_policies.update_policies(
82
+ context 'report all command rules' do
83
+ it 'should enable the policy but not block command' do
84
+ enablements = @native_agent.update_policies(
244
85
  {
245
86
  'cmdi' => {
246
87
  'policy_id' => 'policy_id',
247
88
  'version' => 1,
248
89
  'data' => {
249
90
  'collect_full_commandline' => true,
250
- 'command_rules' => []
91
+ 'command_rules' => [{ 'rule_id' => '1', 'action' => 'report' }]
251
92
  }
252
93
  }
253
94
  }
254
- )
255
-
256
- expect(TCellAgent).to_not receive(:send_event)
95
+ )['enablements']
96
+ expect(enablements['cmdi']).to eq(true)
257
97
 
98
+ @policy = CommandInjectionPolicy.new(@native_agent, enablements)
99
+ expect(@policy.enabled).to eq(true)
258
100
  expect(
259
- @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
101
+ @policy.block_command?('cat /etc/passwd && grep root', @tcell_context)
260
102
  ).to eq(false)
261
103
  end
262
104
  end
263
105
 
264
- context 'that ignore all' do
265
- it 'should not block' do
266
- @rust_policies.update_policies(
106
+ context 'block all command rules' do
107
+ it 'should block the command' do
108
+ enablements = @native_agent.update_policies(
267
109
  {
268
110
  'cmdi' => {
269
111
  'policy_id' => 'policy_id',
270
112
  'version' => 1,
271
113
  'data' => {
272
114
  'collect_full_commandline' => true,
273
- 'command_rules' => [{ 'rule_id' => '1', 'action' => 'ignore' }]
115
+ 'command_rules' => [{ 'rule_id' => '1', 'action' => 'block' }]
274
116
  }
275
117
  }
276
118
  }
277
- )
278
-
279
- expect(TCellAgent).to_not receive(:send_event)
119
+ )['enablements']
120
+ expect(enablements['cmdi']).to eq(true)
280
121
 
122
+ @policy = CommandInjectionPolicy.new(@native_agent, enablements)
123
+ expect(@policy.enabled).to eq(true)
281
124
  expect(
282
- @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
283
- ).to eq(false)
284
- end
285
-
286
- context 'and ignore cat' do
287
- it 'should not send an event' do
288
- @rust_policies.update_policies(
289
- {
290
- 'cmdi' => {
291
- 'policy_id' => 'policy_id',
292
- 'version' => 1,
293
- 'data' => {
294
- 'collect_full_commandline' => true,
295
- 'command_rules' => [
296
- { 'rule_id' => '1', 'action' => 'ignore' },
297
- { 'rule_id' => '2', 'action' => 'ignore', 'command' => 'cat' }
298
- ]
299
- }
300
- }
301
- }
302
- )
303
-
304
- expect(TCellAgent).to_not receive(:send_event)
305
-
306
- expect(
307
- @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
308
- ).to eq(false)
309
- end
310
- end
311
-
312
- context 'and report cat' do
313
- it 'should send an event' do
314
- @rust_policies.update_policies(
315
- {
316
- 'cmdi' => {
317
- 'policy_id' => 'policy_id',
318
- 'version' => 1,
319
- 'data' => {
320
- 'collect_full_commandline' => true,
321
- 'command_rules' => [
322
- { 'rule_id' => '1', 'action' => 'ignore' },
323
- { 'rule_id' => '2', 'action' => 'report', 'command' => 'cat' }
324
- ]
325
- }
326
- }
327
- }
328
- )
329
-
330
- expect(TCellAgent).to receive(:send_event).with(
331
- {
332
- 'event_type' => 'cmdi',
333
- 'commands' => [
334
- { 'command' => 'cat', 'arg_count' => 1 },
335
- { 'command' => 'grep', 'arg_count' => 1 }
336
- ],
337
- 'blocked' => false,
338
- 'matches' => [{ 'rule_id' => '2', 'command' => 'cat' }],
339
- 'full_commandline' => 'cat /etc/passwd | grep root'
340
- }
341
- )
342
-
343
- expect(
344
- @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
345
- ).to eq(false)
346
- end
347
- end
348
-
349
- context 'and block cat' do
350
- it 'should send an event and block' do
351
- @rust_policies.update_policies(
352
- {
353
- 'cmdi' => {
354
- 'policy_id' => 'policy_id',
355
- 'version' => 1,
356
- 'data' => {
357
- 'collect_full_commandline' => true,
358
- 'command_rules' => [
359
- { 'rule_id' => '1', 'action' => 'ignore' },
360
- { 'rule_id' => '2', 'action' => 'block', 'command' => 'cat' }
361
- ]
362
- }
363
- }
364
- }
365
- )
366
-
367
- expect(TCellAgent).to receive(:send_event).with(
368
- {
369
- 'event_type' => 'cmdi',
370
- 'commands' => [
371
- { 'command' => 'cat', 'arg_count' => 1 },
372
- { 'command' => 'grep', 'arg_count' => 1 }
373
- ],
374
- 'blocked' => true,
375
- 'matches' => [{ 'rule_id' => '2', 'command' => 'cat' }],
376
- 'full_commandline' => 'cat /etc/passwd | grep root'
377
- }
378
- )
379
-
380
- expect(
381
- @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
382
- ).to eq(true)
383
- end
125
+ @policy.block_command?('cat /etc/passwd && grep root', @tcell_context)
126
+ ).to eq(true)
384
127
  end
385
128
  end
386
129
 
387
- context 'that report all' do
388
- it 'should send an event' do
389
- @rust_policies.update_policies(
130
+ context 'report compound commands' do
131
+ it 'should enable the policy but no block the command' do
132
+ enablements = @native_agent.update_policies(
390
133
  {
391
134
  'cmdi' => {
392
135
  'policy_id' => 'policy_id',
393
136
  'version' => 1,
394
137
  'data' => {
395
- 'command_rules' => [{ 'rule_id' => '1', 'action' => 'report' }]
138
+ 'compound_statement_rules' => [{ 'rule_id' => '1', 'action' => 'report' }]
396
139
  }
397
140
  }
398
141
  }
399
- )
142
+ )['enablements']
143
+ expect(enablements['cmdi']).to eq(true)
400
144
 
401
- expect(TCellAgent).to receive(:send_event).with(
402
- {
403
- 'event_type' => 'cmdi',
404
- 'commands' => [
405
- { 'command' => 'cat', 'arg_count' => 1 },
406
- { 'command' => 'grep', 'arg_count' => 1 }
407
- ],
408
- 'blocked' => false,
409
- 'matches' => [
410
- { 'rule_id' => '1', 'command' => 'cat' },
411
- { 'rule_id' => '1', 'command' => 'grep' }
412
- ]
413
- }
414
- )
145
+ @policy = CommandInjectionPolicy.new(@native_agent, enablements)
146
+ expect(@policy.enabled).to eq(true)
415
147
 
416
148
  expect(
417
- @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
149
+ @policy.block_command?('cat /etc/passwd', @tcell_context)
418
150
  ).to eq(false)
419
- end
420
-
421
- context 'and ignore cat' do
422
- it 'should send an event for grep not cat' do
423
- @rust_policies.update_policies(
424
- {
425
- 'cmdi' => {
426
- 'policy_id' => 'policy_id',
427
- 'version' => 1,
428
- 'data' => {
429
- 'command_rules' => [
430
- { 'rule_id' => '1', 'action' => 'report' },
431
- { 'rule_id' => '2', 'action' => 'ignore', 'command' => 'cat' }
432
- ]
433
- }
434
- }
435
- }
436
- )
437
-
438
- expect(TCellAgent).to receive(:send_event).with(
439
- {
440
- 'event_type' => 'cmdi',
441
- 'commands' => [
442
- { 'command' => 'cat', 'arg_count' => 1 },
443
- { 'command' => 'grep', 'arg_count' => 1 }
444
- ],
445
- 'blocked' => false,
446
- 'matches' => [{ 'rule_id' => '1', 'command' => 'grep' }]
447
- }
448
- )
449
-
450
- expect(
451
- @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
452
- ).to eq(false)
453
- end
454
- end
455
-
456
- context 'and report cat' do
457
- it 'should send an event for grep and cat' do
458
- @rust_policies.update_policies(
459
- {
460
- 'cmdi' => {
461
- 'policy_id' => 'policy_id',
462
- 'version' => 1,
463
- 'data' => {
464
- 'command_rules' => [
465
- { 'rule_id' => '1', 'action' => 'report' },
466
- { 'rule_id' => '2', 'action' => 'report', 'command' => 'cat' }
467
- ]
468
- }
469
- }
470
- }
471
- )
472
-
473
- expect(TCellAgent).to receive(:send_event).with(
474
- {
475
- 'event_type' => 'cmdi',
476
- 'commands' => [
477
- { 'command' => 'cat', 'arg_count' => 1 },
478
- { 'command' => 'grep', 'arg_count' => 1 }
479
- ],
480
- 'blocked' => false,
481
- 'matches' => [
482
- { 'rule_id' => '2', 'command' => 'cat' },
483
- { 'rule_id' => '1', 'command' => 'grep' }
484
- ]
485
- }
486
- )
487
-
488
- expect(
489
- @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
490
- ).to eq(false)
491
- end
492
- end
493
-
494
- context 'and block cat' do
495
- it 'should send an event for grep and cat and block' do
496
- @rust_policies.update_policies(
497
- {
498
- 'cmdi' => {
499
- 'policy_id' => 'policy_id',
500
- 'version' => 1,
501
- 'data' => {
502
- 'command_rules' => [
503
- { 'rule_id' => '1', 'action' => 'report' },
504
- { 'rule_id' => '2', 'action' => 'block', 'command' => 'cat' }
505
- ]
506
- }
507
- }
508
- }
509
- )
510
-
511
- expect(TCellAgent).to receive(:send_event).with(
512
- {
513
- 'event_type' => 'cmdi',
514
- 'commands' => [
515
- { 'command' => 'cat', 'arg_count' => 1 },
516
- { 'command' => 'grep', 'arg_count' => 1 }
517
- ],
518
- 'blocked' => true,
519
- 'matches' => [
520
- { 'rule_id' => '2', 'command' => 'cat' },
521
- { 'rule_id' => '1', 'command' => 'grep' }
522
- ]
523
- }
524
- )
525
-
526
- expect(
527
- @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
528
- ).to eq(true)
529
- end
530
- end
531
- end
532
-
533
- context 'that block all' do
534
- it 'should send an event and block' do
535
- @rust_policies.update_policies(
536
- {
537
- 'cmdi' => {
538
- 'policy_id' => 'policy_id',
539
- 'version' => 1,
540
- 'data' => {
541
- 'command_rules' => [{ 'rule_id' => '1', 'action' => 'block' }]
542
- }
543
- }
544
- }
545
- )
546
-
547
- expect(TCellAgent).to receive(:send_event).with(
548
- {
549
- 'event_type' => 'cmdi',
550
- 'commands' => [
551
- { 'command' => 'cat', 'arg_count' => 1 },
552
- { 'command' => 'grep', 'arg_count' => 1 }
553
- ],
554
- 'blocked' => true,
555
- 'matches' => [
556
- { 'rule_id' => '1', 'command' => 'cat' },
557
- { 'rule_id' => '1', 'command' => 'grep' }
558
- ]
559
- }
560
- )
561
151
 
562
152
  expect(
563
- @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
564
- ).to eq(true)
565
- end
566
-
567
- context 'and ignore cat' do
568
- it 'should send an event for grep not cat and block' do
569
- @rust_policies.update_policies(
570
- {
571
- 'cmdi' => {
572
- 'policy_id' => 'policy_id',
573
- 'version' => 1,
574
- 'data' => {
575
- 'command_rules' => [
576
- { 'rule_id' => '1', 'action' => 'block' },
577
- { 'rule_id' => '2', 'action' => 'ignore', 'command' => 'cat' }
578
- ]
579
- }
580
- }
581
- }
582
- )
583
-
584
- expect(TCellAgent).to receive(:send_event).with(
585
- {
586
- 'event_type' => 'cmdi',
587
- 'commands' => [
588
- { 'command' => 'cat', 'arg_count' => 1 },
589
- { 'command' => 'grep', 'arg_count' => 1 }
590
- ],
591
- 'blocked' => true,
592
- 'matches' => [{ 'rule_id' => '1', 'command' => 'grep' }]
593
- }
594
- )
595
-
596
- expect(
597
- @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
598
- ).to eq(true)
599
- end
600
- end
601
-
602
- context 'and report cat' do
603
- it 'should send an event for grep and cat and block' do
604
- @rust_policies.update_policies(
605
- {
606
- 'cmdi' => {
607
- 'policy_id' => 'policy_id',
608
- 'version' => 1,
609
- 'data' => {
610
- 'command_rules' => [
611
- { 'rule_id' => '1', 'action' => 'block' },
612
- { 'rule_id' => '2', 'action' => 'report', 'command' => 'cat' }
613
- ]
614
- }
615
- }
616
- }
617
- )
618
-
619
- expect(TCellAgent).to receive(:send_event).with(
620
- {
621
- 'event_type' => 'cmdi',
622
- 'commands' => [
623
- { 'command' => 'cat', 'arg_count' => 1 },
624
- { 'command' => 'grep', 'arg_count' => 1 }
625
- ],
626
- 'blocked' => true,
627
- 'matches' => [
628
- { 'rule_id' => '2', 'command' => 'cat' },
629
- { 'rule_id' => '1', 'command' => 'grep' }
630
- ]
631
- }
632
- )
633
-
634
- expect(
635
- @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
636
- ).to eq(true)
637
- end
638
- end
639
-
640
- context 'and block cat' do
641
- it 'should send an event for grep and cat and block' do
642
- @rust_policies.update_policies(
643
- {
644
- 'cmdi' => {
645
- 'policy_id' => 'policy_id',
646
- 'version' => 1,
647
- 'data' => {
648
- 'command_rules' => [
649
- { 'rule_id' => '1', 'action' => 'block' },
650
- { 'rule_id' => '2', 'action' => 'block', 'command' => 'cat' }
651
- ]
652
- }
653
- }
654
- }
655
- )
656
-
657
- expect(TCellAgent).to receive(:send_event).with(
658
- {
659
- 'event_type' => 'cmdi',
660
- 'commands' => [
661
- { 'command' => 'cat', 'arg_count' => 1 },
662
- { 'command' => 'grep', 'arg_count' => 1 }
663
- ],
664
- 'blocked' => true,
665
- 'matches' => [
666
- { 'rule_id' => '2', 'command' => 'cat' },
667
- { 'rule_id' => '1', 'command' => 'grep' }
668
- ]
669
- }
670
- )
671
-
672
- expect(
673
- @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
674
- ).to eq(true)
675
- end
676
- end
677
- end
678
- end
679
-
680
- context 'with compound statement rules' do
681
- before(:each) do
682
- @tcell_context = TCellAgent::Instrumentation::TCellData.new
683
- @tcell_context.request_method = 'GET'
684
- @tcell_context.ip_address = '1.1.1.1'
685
- @tcell_context.route_id = '12345'
686
- @tcell_context.hmac_session_id = 'sldfjk2343'
687
- @tcell_context.user_id = 'user_id'
688
- end
689
-
690
- context 'set to ignore' do
691
- before(:each) do
692
- @rust_policies.update_policies(
693
- {
694
- 'cmdi' => {
695
- 'policy_id' => 'policy_id',
696
- 'version' => 1,
697
- 'data' => {
698
- 'compound_statement_rules' => [
699
- { 'rule_id' => '1', 'action' => 'ignore' }
700
- ]
701
- }
702
- }
703
- }
704
- )
705
- end
706
-
707
- context 'one parsed command' do
708
- it 'should not send events or block' do
709
- expect(TCellAgent).to_not receive(:send_event)
710
-
711
- expect(
712
- @rust_policies.block_command?('cat /etc/passwd', @tcell_context)
713
- ).to eq(false)
714
- end
715
- end
716
-
717
- context 'two parsed commands' do
718
- it 'should not send events or block' do
719
- expect(TCellAgent).to_not receive(:send_event)
720
-
721
- expect(
722
- @rust_policies.block_command?('cat /etc/passwd | grep root', @tcell_context)
723
- ).to eq(false)
724
- end
725
- end
726
- end
727
-
728
- context 'set to report' do
729
- before(:each) do
730
- @rust_policies.update_policies(
731
- {
732
- 'cmdi' => {
733
- 'policy_id' => 'policy_id',
734
- 'version' => 1,
735
- 'data' => {
736
- 'compound_statement_rules' => [
737
- { 'rule_id' => '1', 'action' => 'report' }
738
- ]
739
- }
740
- }
741
- }
742
- )
743
- end
744
-
745
- context 'one parsed command' do
746
- it 'should not send events or block' do
747
- expect(TCellAgent).to_not receive(:send_event)
748
-
749
- expect(
750
- @rust_policies.block_command?('cat /etc/passwd', @tcell_context)
751
- ).to eq(false)
752
- end
753
- end
754
-
755
- context 'two parsed commands' do
756
- it 'should send an event but not block' do
757
- expect(TCellAgent).to receive(:send_event).with(
758
- {
759
- 'event_type' => 'cmdi',
760
- 'commands' => [
761
- { 'command' => 'cat', 'arg_count' => 1 },
762
- { 'command' => 'grep', 'arg_count' => 1 }
763
- ],
764
- 'blocked' => false,
765
- 'matches' => [{ 'rule_id' => '1' }],
766
- 'm' => 'GET',
767
- 'remote_addr' => '1.1.1.1',
768
- 'rid' => '12345',
769
- 'sid' => 'sldfjk2343',
770
- 'uid' => 'user_id'
771
- }
772
- )
773
-
774
- expect(
775
- @rust_policies.block_command?('cat /etc/passwd | grep root', @tcell_context)
776
- ).to eq(false)
777
- end
153
+ @policy.block_command?('cat /etc/passwd && grep root', @tcell_context)
154
+ ).to eq(false)
778
155
  end
779
156
  end
780
157
 
781
- context 'set to block' do
782
- before(:each) do
783
- @rust_policies.update_policies(
158
+ context 'block compound commands' do
159
+ it 'should enable the policy and block compound commands' do
160
+ enablements = @native_agent.update_policies(
784
161
  {
785
162
  'cmdi' => {
786
163
  'policy_id' => 'policy_id',
787
164
  'version' => 1,
788
165
  'data' => {
789
- 'compound_statement_rules' => [
790
- { 'rule_id' => '1', 'action' => 'block' }
791
- ]
166
+ 'compound_statement_rules' => [{ 'rule_id' => '1', 'action' => 'block' }]
792
167
  }
793
168
  }
794
169
  }
795
- )
796
- end
797
-
798
- context 'one parsed command' do
799
- it 'should not send events or block' do
800
- expect(TCellAgent).to_not receive(:send_event)
801
-
802
- expect(
803
- @rust_policies.block_command?('cat /etc/passwd', @tcell_context)
804
- ).to eq(false)
805
- end
806
- end
807
-
808
- context 'two parsed commands' do
809
- it 'should send an event and block' do
810
- expect(TCellAgent).to receive(:send_event).with(
811
- {
812
- 'event_type' => 'cmdi',
813
- 'commands' => [
814
- { 'command' => 'cat', 'arg_count' => 1 },
815
- { 'command' => 'grep', 'arg_count' => 1 }
816
- ],
817
- 'blocked' => true,
818
- 'matches' => [{ 'rule_id' => '1' }],
819
- 'm' => 'GET',
820
- 'remote_addr' => '1.1.1.1',
821
- 'rid' => '12345',
822
- 'sid' => 'sldfjk2343',
823
- 'uid' => 'user_id'
824
- }
825
- )
826
-
827
- expect(
828
- @rust_policies.block_command?('cat /etc/passwd | grep root', @tcell_context)
829
- ).to eq(true)
830
- end
831
- end
832
- end
170
+ )['enablements']
171
+ expect(enablements['cmdi']).to eq(true)
833
172
 
834
- context 'that conflict' do
835
- it 'only take the first one and ignore the rest' do
836
- ## multiple compound statements present only first one is taken
837
- @rust_policies.update_policies(
838
- {
839
- 'cmdi' => {
840
- 'policy_id' => 'policy_id',
841
- 'version' => 1,
842
- 'data' => {
843
- 'compound_statement_rules' => [
844
- { 'rule_id' => '1', 'action' => 'block' },
845
- { 'rule_id' => '2', 'action' => 'ignore' }
846
- ]
847
- }
848
- }
849
- }
850
- )
173
+ @policy = CommandInjectionPolicy.new(@native_agent, enablements)
174
+ expect(@policy.enabled).to eq(true)
851
175
 
852
- expect(TCellAgent).to receive(:send_event).with(
853
- {
854
- 'event_type' => 'cmdi',
855
- 'commands' => [
856
- { 'command' => 'cat', 'arg_count' => 1 },
857
- { 'command' => 'grep', 'arg_count' => 1 }
858
- ],
859
- 'blocked' => true,
860
- 'matches' => [{ 'rule_id' => '1' }],
861
- 'm' => 'GET',
862
- 'remote_addr' => '1.1.1.1',
863
- 'rid' => '12345',
864
- 'sid' => 'sldfjk2343',
865
- 'uid' => 'user_id'
866
- }
867
- )
176
+ expect(
177
+ @policy.block_command?('cat /etc/passwd', @tcell_context)
178
+ ).to eq(false)
868
179
 
869
180
  expect(
870
- @rust_policies.block_command?('cat /etc/passwd | grep root', @tcell_context)
181
+ @policy.block_command?('cat /etc/passwd && grep root', @tcell_context)
871
182
  ).to eq(true)
872
183
  end
873
184
  end