tcell_agent 1.1.12 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (163) hide show
  1. checksums.yaml +5 -5
  2. data/bin/tcell_agent +26 -14
  3. data/lib/tcell_agent.rb +16 -10
  4. data/lib/tcell_agent/agent.rb +78 -97
  5. data/lib/tcell_agent/agent/route_manager.rb +0 -16
  6. data/lib/tcell_agent/agent/static_agent.rb +9 -30
  7. data/lib/tcell_agent/authlogic.rb +3 -6
  8. data/lib/tcell_agent/config/unknown_options.rb +4 -8
  9. data/lib/tcell_agent/configuration.rb +38 -119
  10. data/lib/tcell_agent/devise.rb +25 -27
  11. data/lib/tcell_agent/hooks/login_fraud.rb +30 -33
  12. data/lib/tcell_agent/instrument_servers.rb +25 -0
  13. data/lib/tcell_agent/instrumentation.rb +12 -10
  14. data/lib/tcell_agent/instrumentation/cmdi.rb +19 -15
  15. data/lib/tcell_agent/instrumentation/lfi.rb +73 -0
  16. data/lib/tcell_agent/instrumentation/monkey_patches/file.rb +25 -0
  17. data/lib/tcell_agent/instrumentation/monkey_patches/io.rb +123 -0
  18. data/lib/tcell_agent/instrumentation/monkey_patches/kernel.rb +159 -0
  19. data/lib/tcell_agent/logger.rb +50 -114
  20. data/lib/tcell_agent/patches.rb +6 -7
  21. data/lib/tcell_agent/policies/appfirewall_policy.rb +26 -0
  22. data/lib/tcell_agent/policies/command_injection_policy.rb +28 -0
  23. data/lib/tcell_agent/policies/dataloss_policy.rb +44 -44
  24. data/lib/tcell_agent/policies/headers_policy.rb +25 -0
  25. data/lib/tcell_agent/policies/http_redirect_policy.rb +13 -79
  26. data/lib/tcell_agent/policies/js_agent_policy.rb +27 -0
  27. data/lib/tcell_agent/policies/local_file_access.rb +28 -0
  28. data/lib/tcell_agent/policies/login_policy.rb +43 -0
  29. data/lib/tcell_agent/policies/patches_policy.rb +27 -0
  30. data/lib/tcell_agent/policies/policies_manager.rb +68 -0
  31. data/lib/tcell_agent/policies/policy_polling.rb +58 -0
  32. data/lib/tcell_agent/policies/policy_types.rb +14 -0
  33. data/lib/tcell_agent/policies/system_enablements.rb +27 -0
  34. data/lib/tcell_agent/rails/auth/authlogic.rb +43 -68
  35. data/lib/tcell_agent/rails/auth/devise.rb +20 -23
  36. data/lib/tcell_agent/rails/auth/doorkeeper.rb +63 -74
  37. data/lib/tcell_agent/rails/csrf_exception.rb +2 -2
  38. data/lib/tcell_agent/rails/dlp.rb +25 -15
  39. data/lib/tcell_agent/rails/dlp_handler.rb +1 -2
  40. data/lib/tcell_agent/rails/js_agent_insert.rb +12 -13
  41. data/lib/tcell_agent/rails/middleware/body_filter_middleware.rb +4 -25
  42. data/lib/tcell_agent/rails/middleware/context_middleware.rb +2 -12
  43. data/lib/tcell_agent/rails/middleware/global_middleware.rb +0 -1
  44. data/lib/tcell_agent/rails/middleware/headers_middleware.rb +14 -34
  45. data/lib/tcell_agent/rails/on_start.rb +32 -31
  46. data/lib/tcell_agent/rails/routes.rb +7 -6
  47. data/lib/tcell_agent/rails/routes/grape.rb +1 -3
  48. data/lib/tcell_agent/rails/routes/route_id.rb +3 -1
  49. data/lib/tcell_agent/rails/settings_reporter.rb +23 -36
  50. data/lib/tcell_agent/rails/start_agent_after_initializers.rb +12 -0
  51. data/lib/tcell_agent/rails/tcell_body_proxy.rb +6 -4
  52. data/lib/tcell_agent/rust/agent_config.rb +49 -0
  53. data/lib/tcell_agent/rust/{libtcellagent-alpine-1.3.2.so → libtcellagent-4.14.0.dylib} +0 -0
  54. data/lib/tcell_agent/rust/libtcellagent-4.14.0.so +0 -0
  55. data/lib/tcell_agent/rust/{libtcellagent-1.3.2.so → libtcellagent-alpine-4.14.0.so} +0 -0
  56. data/lib/tcell_agent/rust/models.rb +0 -55
  57. data/lib/tcell_agent/rust/native_agent.rb +531 -0
  58. data/lib/tcell_agent/rust/native_agent_response.rb +42 -0
  59. data/lib/tcell_agent/rust/native_library.rb +68 -0
  60. data/lib/tcell_agent/rust/tcellagent-4.14.0.dll +0 -0
  61. data/lib/tcell_agent/sensor_events/agent_setting_event.rb +12 -0
  62. data/lib/tcell_agent/sensor_events/{app_config.rb → app_config_setting_event.rb} +0 -6
  63. data/lib/tcell_agent/sensor_events/dlp.rb +2 -6
  64. data/lib/tcell_agent/sensor_events/sensor.rb +0 -62
  65. data/lib/tcell_agent/sensor_events/server_agent.rb +13 -18
  66. data/lib/tcell_agent/sensor_events/util/sanitizer_utilities.rb +0 -108
  67. data/lib/tcell_agent/sensor_events/util/utils.rb +0 -2
  68. data/lib/tcell_agent/servers/passenger.rb +1 -28
  69. data/lib/tcell_agent/servers/puma.rb +3 -21
  70. data/lib/tcell_agent/servers/rails_server.rb +1 -1
  71. data/lib/tcell_agent/servers/thin.rb +2 -2
  72. data/lib/tcell_agent/servers/unicorn.rb +19 -80
  73. data/lib/tcell_agent/servers/webrick.rb +1 -1
  74. data/lib/tcell_agent/settings_reporter.rb +24 -24
  75. data/lib/tcell_agent/sinatra.rb +14 -16
  76. data/lib/tcell_agent/tcell_context.rb +40 -14
  77. data/lib/tcell_agent/utils/headers.rb +14 -0
  78. data/lib/tcell_agent/version.rb +1 -1
  79. data/spec/lib/tcell_agent/cmdi_spec.rb +0 -585
  80. data/spec/lib/tcell_agent/config/unknown_options_spec.rb +0 -18
  81. data/spec/lib/tcell_agent/configuration_spec.rb +4 -140
  82. data/spec/lib/tcell_agent/hooks/login_fraud_spec.rb +46 -173
  83. data/spec/lib/tcell_agent/instrumentation/cmdi/io_cmdi_spec.rb +504 -0
  84. data/spec/lib/tcell_agent/instrumentation/cmdi/kernel_cmdi_spec.rb +435 -0
  85. data/spec/lib/tcell_agent/instrumentation/lfi/file_lfi_spec.rb +326 -0
  86. data/spec/lib/tcell_agent/instrumentation/lfi/io_lfi_spec.rb +556 -0
  87. data/spec/lib/tcell_agent/instrumentation/lfi/kernel_lfi_spec.rb +249 -0
  88. data/spec/lib/tcell_agent/instrumentation/lfi_spec.rb +105 -0
  89. data/spec/lib/tcell_agent/patches_spec.rb +25 -43
  90. data/spec/lib/tcell_agent/policies/appfirewall_policy_spec.rb +183 -0
  91. data/spec/lib/tcell_agent/policies/clickjacking_policy_spec.rb +57 -0
  92. data/spec/lib/tcell_agent/policies/command_injection_policy_spec.rb +84 -773
  93. data/spec/lib/tcell_agent/policies/content_security_policy_spec.rb +161 -0
  94. data/spec/lib/tcell_agent/policies/dataloss_policy_spec.rb +9 -9
  95. data/spec/lib/tcell_agent/policies/http_redirect_policy_spec.rb +243 -198
  96. data/spec/lib/tcell_agent/policies/js_agent_policy_spec.rb +75 -0
  97. data/spec/lib/tcell_agent/policies/login_policy_spec.rb +165 -33
  98. data/spec/lib/tcell_agent/policies/patches_policy_spec.rb +84 -277
  99. data/spec/lib/tcell_agent/policies/policies_manager_spec.rb +104 -0
  100. data/spec/lib/tcell_agent/policies/policy_polling_spec.rb +6 -0
  101. data/spec/lib/tcell_agent/policies/secure_headers_policy_spec.rb +56 -0
  102. data/spec/lib/tcell_agent/rails/csrf_exception_spec.rb +9 -18
  103. data/spec/lib/tcell_agent/rails/js_agent_insert_spec.rb +13 -30
  104. data/spec/lib/tcell_agent/rails/logger_spec.rb +27 -7
  105. data/spec/lib/tcell_agent/rails/middleware/tcell_body_proxy_spec.rb +17 -12
  106. data/spec/lib/tcell_agent/rails/routes/routes_spec.rb +14 -14
  107. data/spec/lib/tcell_agent/sensor_events/util/sanitizer_utilities_spec.rb +0 -35
  108. data/spec/lib/tcell_agent/settings_reporter_spec.rb +127 -153
  109. data/spec/spec_helper.rb +1 -1
  110. data/spec/support/builders.rb +104 -0
  111. data/spec/support/force_logger_mocking.rb +38 -0
  112. data/spec/support/resources/lfi_sample_file.txt +2 -0
  113. data/spec/support/static_agent_overrides.rb +0 -15
  114. metadata +63 -74
  115. data/lib/tcell_agent/agent/event_processor.rb +0 -326
  116. data/lib/tcell_agent/agent/fork_pipe_manager.rb +0 -113
  117. data/lib/tcell_agent/agent/policy_manager.rb +0 -219
  118. data/lib/tcell_agent/agent/policy_types.rb +0 -30
  119. data/lib/tcell_agent/api.rb +0 -91
  120. data/lib/tcell_agent/appsensor/injections_reporter.rb +0 -24
  121. data/lib/tcell_agent/config/child_process_events.rb +0 -8
  122. data/lib/tcell_agent/instrumentation/cmdi/backtick.rb +0 -10
  123. data/lib/tcell_agent/instrumentation/cmdi/exec.rb +0 -14
  124. data/lib/tcell_agent/instrumentation/cmdi/popen.rb +0 -28
  125. data/lib/tcell_agent/instrumentation/cmdi/spawn.rb +0 -11
  126. data/lib/tcell_agent/instrumentation/cmdi/system.rb +0 -11
  127. data/lib/tcell_agent/policies/http_tx_policy.rb +0 -60
  128. data/lib/tcell_agent/policies/login_fraud_policy.rb +0 -45
  129. data/lib/tcell_agent/policies/rust_policies.rb +0 -110
  130. data/lib/tcell_agent/rails.rb +0 -40
  131. data/lib/tcell_agent/rust/libtcellagent-1.3.2.dylib +0 -0
  132. data/lib/tcell_agent/rust/tcellagent-1.3.2.dll +0 -0
  133. data/lib/tcell_agent/rust/whisperer.rb +0 -308
  134. data/lib/tcell_agent/sensor_events/appsensor_event.rb +0 -52
  135. data/lib/tcell_agent/sensor_events/appsensor_meta_event.rb +0 -45
  136. data/lib/tcell_agent/sensor_events/command_injection.rb +0 -75
  137. data/lib/tcell_agent/sensor_events/honeytokens.rb +0 -16
  138. data/lib/tcell_agent/sensor_events/login_fraud.rb +0 -60
  139. data/lib/tcell_agent/sensor_events/metrics.rb +0 -123
  140. data/lib/tcell_agent/sensor_events/patches.rb +0 -21
  141. data/lib/tcell_agent/start_background_thread.rb +0 -55
  142. data/lib/tcell_agent/system_info.rb +0 -11
  143. data/lib/tcell_agent/utils/io.rb +0 -38
  144. data/lib/tcell_agent/utils/passwords.rb +0 -28
  145. data/lib/tcell_agent/utils/queue_with_timeout.rb +0 -142
  146. data/spec/lib/tcell_agent/agent/fork_pipe_manager_spec.rb +0 -100
  147. data/spec/lib/tcell_agent/agent/policy_manager_spec.rb +0 -535
  148. data/spec/lib/tcell_agent/agent/static_agent_spec.rb +0 -133
  149. data/spec/lib/tcell_agent/api/api_spec.rb +0 -39
  150. data/spec/lib/tcell_agent/appsensor/injections_reporter_spec.rb +0 -187
  151. data/spec/lib/tcell_agent/instrumentation_spec.rb +0 -225
  152. data/spec/lib/tcell_agent/policies/appsensor_policy_spec.rb +0 -517
  153. data/spec/lib/tcell_agent/policies/http_tx_policy_spec.rb +0 -22
  154. data/spec/lib/tcell_agent/rails/middleware/appsensor_middleware_spec.rb +0 -293
  155. data/spec/lib/tcell_agent/rails/middleware/dlp_middleware_spec.rb +0 -198
  156. data/spec/lib/tcell_agent/rails/middleware/global_middleware_spec.rb +0 -180
  157. data/spec/lib/tcell_agent/rails/middleware/redirect_middleware_spec.rb +0 -116
  158. data/spec/lib/tcell_agent/rust/models_spec.rb +0 -120
  159. data/spec/lib/tcell_agent/rust/whisperer_spec.rb +0 -704
  160. data/spec/lib/tcell_agent/sensor_events/appsensor_meta_event_spec.rb +0 -45
  161. data/spec/lib/tcell_agent/sensor_events/sessions_metric_spec.rb +0 -272
  162. data/spec/lib/tcell_agent/utils/bounded_queue_spec.rb +0 -52
  163. data/spec/lib/tcell_agent/utils/passwords_spec.rb +0 -143
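--- a/data/spec/lib/tcell_agent/policies/appfirewall_policy_spec.rb
+++ b/data/spec/lib/tcell_agent/policies/appfirewall_policy_spec.rb
@@ -0,0 +1,183 @@
+require 'spec_helper'
+
+module TCellAgent
+module Policies
+describe AppfirewallPolicy do
+everything_enabled_policy_json = {
+'appsensor' => {
+'policy_id' => '01a1',
+'version' => 2,
+'data' => {
+'options' => {
+'uri_options' => {
+'collect_full_uri' => true
+},
+'payloads' => {
+'send_payloads' => true,
+'send_blacklist' => {
+'ssn' => ['*'],
+'password' => ['*']
+},
+'send_whitelist' => {},
+'log_payloads' => true,
+'log_blacklist' => {},
+'log_whitelist' => {
+'username' => ['*']
+}
+}
+},
+'sensors' => {
+'req_size' => {
+'limit' => 1024,
+'exclude_routes' => ['2300']
+},
+'resp_size' => {
+'limit' => 2048,
+'exclude_routes' => ['2323']
+},
+'resp_codes' => {
+'series_400_enabled' => true,
+'series_500_enabled' => true
+},
+'xss' => {
+'libinjection' => true,
+'patterns' => %w[1 2 8],
+'exclusions' => {
+'bob' => ['*']
+}
+},
+'sqli' => {
+'libinjection' => true,
+'exclude_headers' => true,
+'patterns' => ['1']
+},
+'fpt' => {
+'patterns' => %w[1 2],
+'exclude_forms' => true,
+'exclude_cookies' => true,
+'exclusions' => {
+'somethingcommon' => ['form']
+}
+},
+'cmdi' => {
+'patterns' => %w[1 2]
+},
+'nullbyte' => {
+'patterns' => %w[1 2]
+},
+'retr' => {
+'patterns' => %w[1 2]
+},
+'ua' => {
+'empty_enabled' => true
+},
+'errors' => {
+'csrf_exception_enabled' => true,
+'sql_exception_enabled' => true
+},
+'database' => {
+'large_result' => {
+'limit' => 10
+}
+}
+}
+}
+},
+'regex' => {
+'data' => {
+'patterns' => [
+{
+'id' => 'tc-xss-1',
+'pattern' => '(?:<(script))',
+'sensor' => 'xss',
+'title' => 'Basic Injection'
+},
+{
+'safe_pattern' => '^[a-zA-Z0-9_\\s\\r\\n\\t]*$',
+'pattern' => '(?:[\\s()]case\\s*\\()|(?:\\)\\s*like\\s*\\()|(?:having\\s*[^\\s]+\\s*[^\\w\\s])|(?:if\\s?\\([\\d\\w]\\s*[=<>~])',
+'sensor' => 'sqli',
+'id' => 'tc-sqli-1',
+'title' => 'Conditional Attempts'
+}
+],
+'version' => 1_518_546_622_571
+},
+'policy_id' => 'f3a313b0-10eb-11e8-8080-808080808080',
+'version' => 1
+}
+}
+
+describe '#initialize' do
+context 'empty enablements' do
+it 'should disable the policy' do
+native_agent = double('native_agent')
+policy = AppfirewallPolicy.new(native_agent, {})
+expect(policy.enabled).to eq(false)
+end
+end
+end
+
+describe '#check_appfirewall_injections' do
+context 'with disabled policy' do
+it 'should not call the native library' do
+native_agent = double('native_agent')
+policy = AppfirewallPolicy.new(native_agent, {})
+
+expect(native_agent).to_not receive(:apply_appfirewall)
+
+appsensor_meta = double('appsensor_meta')
+policy.check_appfirewall_injections(appsensor_meta)
+end
+end
+
+context 'with enabled policy' do
+before(:each) do
+configuration = TCellAgent::Tests::ConfigurationBuilder.new.build
+@native_agent = TCellAgent::Rust::NativeAgent.create_agent(
+configuration
+)
+enablements = @native_agent.update_policies(
+everything_enabled_policy_json
+)['enablements']
+expect(enablements['appfirewall']).to eq(true)
+
+@policy = AppfirewallPolicy.new(@native_agent, enablements)
+expect(@policy.enabled).to eq(true)
+end
+
+after(:each) do
+TCellAgent::Rust::NativeAgent.free_agent(@native_agent.agent_ptr)
+end
+
+it 'should be able to call native library' do
+meta_data = TCellAgent::Tests::MetaDataBuilder.new.build
+resp = @policy.check_appfirewall_injections(meta_data)
+expect(resp).to eq({})
+end
+
+context 'exception raised in native_agent' do
+it 'should log the exception' do
+expected_error = StandardError.new('UNEXPECTED')
+logger = double('logger')
+expect(TCellAgent::Instrumentation).to receive(:get_safe_block_logger).and_return(logger)
+expect(logger).to receive(:error).with(
+'Error AppFirewall inspection (StandardError): UNEXPECTED'
+)
+expect(logger).to receive(:exception).with(
+expected_error
+)
+
+meta_data = TCellAgent::Tests::MetaDataBuilder.new.build
+expect(@native_agent).to receive(:apply_appfirewall).with(
+meta_data
+).and_raise(expected_error)
+
+resp = @policy.check_appfirewall_injections(meta_data)
+expect(resp).to eq(nil)
+end
+end
+end
+end
+end
+end
+end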
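Review bot: The `after(:each)` hook at line 149 of the new file calls `@native_agent.agent_ptr` unconditionally, so if `create_agent` or `update_policies` raises inside `before(:each)`, `@native_agent` is nil and the teardown raises NoMethodError, masking the original failure; guard it with `TCellAgent::Rust::NativeAgent.free_agent(@native_agent.agent_ptr) if @native_agent`. The same unguarded teardown appears in the clickjacking_policy_spec.rb and command_injection_policy_spec.rb sections of this diff. The `expect(...)` calls inside `before(:each)` (lines 142 and 145) would be better as their own example or as plain `raise` guards, since an expectation failing in a hook is reported as a hook error rather than a failing example. In the disabled-policy example (line 129) the return value of `check_appfirewall_injections` is discarded; asserting it would pin the disabled-path contract, though that value is not visible here (only the error path, which returns nil, is).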
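--- a/data/spec/lib/tcell_agent/policies/clickjacking_policy_spec.rb
+++ b/data/spec/lib/tcell_agent/policies/clickjacking_policy_spec.rb
@@ -0,0 +1,57 @@
+
+require 'spec_helper'
+
+module TCellAgent
+module Policies
+describe HeadersPolicy do
+describe '#get_headers' do
+context 'with enabled policy' do
+before(:each) do
+configuration = TCellAgent::Tests::ConfigurationBuilder.new.build
+@native_agent = TCellAgent::Rust::NativeAgent.create_agent(
+configuration
+)
+@tcell_context = TCellAgent::Tests::TCellContextBuilder.new.update_attribute(
+'session_id', 'session-id'
+).update_attribute(
+'route_id', 'route-id'
+).build
+end
+
+after(:each) do
+TCellAgent::Rust::NativeAgent.free_agent(@native_agent.agent_ptr)
+end
+
+it 'should return csp header' do
+enablements = @native_agent.update_policies(
+{
+'clickjacking' => {
+'version' => 1,
+'policy_id' => 'xyzd',
+'headers' => [
+{
+'name' => 'Content-Security-Policy',
+'value' => "frame-ancestors 'none'",
+'report_uri' => 'https://input.tcell-preview.io/csp/430d'
+}
+]
+}
+}
+)['enablements']
+expect(enablements['headers']).to eq(true)
+
+@policy = HeadersPolicy.new(@native_agent, enablements)
+expect(@policy.enabled).to eq(true)
+
+expect(
+@policy.get_headers(@tcell_context)
+).to eq(
+[{ 'name' => 'Content-Security-Policy',
+'value' => "frame-ancestors 'none'; report-uri https://input.tcell-preview.io/csp/430d?sid=ab7074d0bf86c2884766d88b6ad9de4a&rid=route-id" }]
+)
+end
+end
+end
+end
+end
+end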
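Review bot: The expected header on line 50 hard-codes `sid=ab7074d0bf86c2884766d88b6ad9de4a`, an opaque value that the native library presumably derives from the `'session-id'` attribute set on line 15; nothing in the spec says where it comes from, so a future mismatch would be hard to diagnose. A comment above the expectation such as `# sid is the native agent's opaque derivation of the session_id attribute ('session-id'); rid echoes route_id` would help, and checking the `frame-ancestors` directive and the `report-uri` query separately would make a failure message point at the part that changed. Unlike the AppfirewallPolicy and CommandInjectionPolicy specs in this release, there is no `#initialize` example for empty enablements here; `expect(HeadersPolicy.new(double('native_agent'), {}).enabled).to eq(false)` would cover the disabled path (what `get_headers` returns when disabled is not visible in this diff).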
@@ -2,872 +2,183 @@ require 'spec_helper'
2
2
 
3
3
  module TCellAgent
4
4
  module Policies
5
- describe RustPolicies do
6
- before(:each) do
7
- configuration = double(
8
- 'configuration',
9
- {
10
- 'app_id' => 'app_id',
11
- 'api_key' => 'api_key',
12
- 'allow_payloads' => true,
13
- 'js_agent_api_base_url' => 'http://api.tcell.com/',
14
- 'js_agent_url' => 'https://jsagent.tcell.io/tcellagent.min.js',
15
- 'max_csp_header_bytes' => nil
16
- }
17
- )
18
- expect(TCellAgent).to receive(:configuration).and_return(configuration).at_least(:once)
19
- allow(TCellAgent).to receive(:safe_to_send_cmdi_events?).and_return(true)
20
- @rust_policies = RustPolicies.new
21
- end
22
-
23
- describe '#update_policies' do
24
- context 'with a nil policy' do
25
- it 'should return nil' do
26
- expect(TCellAgent).to_not receive(:logger)
27
-
28
- @rust_policies.update_policies(nil)
29
-
30
- expect(@rust_policies.cmdi_enabled).to eq(false)
31
- end
32
- end
33
-
34
- context 'with an empty policy' do
35
- it 'should raise a policy missing error' do
36
- expect(TCellAgent).to_not receive(:logger)
37
- @rust_policies.update_policies({})
38
-
39
- expect(@rust_policies.cmdi_enabled).to eq(false)
40
- end
41
- end
42
-
43
- context 'with an empty version' do
44
- it 'should have empty version' do
45
- logger = double('logger')
46
-
47
- expect(TCellAgent).to receive(:logger).and_return(logger)
48
- expect(logger).to receive(:error).with(
49
- 'Error updating policies: Failed to decode cmdi policy: missing field `version`'
50
- )
51
- @rust_policies.update_policies(
52
- {
53
- 'cmdi' => { 'policy_id' => 'policy_id' }
54
- }
55
- )
56
-
57
- expect(@rust_policies.cmdi_enabled).to eq(false)
58
- end
59
- end
60
-
61
- context 'with no data' do
62
- it 'should have disabled ip blocking' do
63
- expect(TCellAgent).to_not receive(:logger)
64
-
65
- @rust_policies.update_policies(
66
- {
67
- 'cmdi' => {
68
- 'policy_id' => 'policy_id',
69
- 'version' => 1
70
- }
71
- }
72
- )
73
- expect(@rust_policies.cmdi_enabled).to eq(false)
5
+ describe CommandInjectionPolicy do
6
+ describe '#initialize' do
7
+ context 'empty enablements' do
8
+ it 'should disable the policy' do
9
+ native_agent = double('native_agent')
10
+ policy = CommandInjectionPolicy.new(native_agent, {})
11
+ expect(policy.enabled).to eq(false)
74
12
  end
75
13
  end
14
+ end
76
15
 
77
- context 'with empty data' do
78
- it 'should have default values' do
79
- expect(TCellAgent).to_not receive(:logger)
80
- @rust_policies.update_policies(
81
- {
82
- 'cmdi' => {
83
- 'policy_id' => 'policy_id',
84
- 'version' => 1,
85
- 'data' => {}
86
- }
87
- }
88
- )
89
- expect(@rust_policies.cmdi_enabled).to eq(false)
90
- end
91
- end
16
+ describe '#block_command?' do
17
+ context 'with disabled policy' do
18
+ it 'should not call the native library' do
19
+ native_agent = double('native_agent')
20
+ policy = CommandInjectionPolicy.new(native_agent, {})
92
21
 
93
- context 'with empty command rules' do
94
- it 'should have default values' do
95
- expect(TCellAgent).to_not receive(:logger)
96
- @rust_policies.update_policies(
97
- {
98
- 'cmdi' => {
99
- 'policy_id' => 'policy_id',
100
- 'version' => 1,
101
- 'data' => {
102
- 'command_rules' => []
103
- }
104
- }
105
- }
106
- )
107
- expect(@rust_policies.cmdi_enabled).to eq(false)
108
- end
109
- end
22
+ expect(native_agent).to_not receive(:apply_cmdi)
110
23
 
111
- context 'with empty compount statement rules' do
112
- it 'should have default values' do
113
- expect(TCellAgent).to_not receive(:logger)
114
- @rust_policies.update_policies(
115
- {
116
- 'cmdi' => {
117
- 'policy_id' => 'policy_id',
118
- 'version' => 1,
119
- 'data' => {
120
- 'compound_statement_rules' => []
121
- }
122
- }
123
- }
124
- )
125
- expect(@rust_policies.cmdi_enabled).to eq(false)
24
+ tcell_context = double('tcell_context')
25
+ expect(
26
+ policy.block_command?('cat /etc/passwd && grep root', tcell_context)
27
+ ).to eq(false)
126
28
  end
127
29
  end
128
30
 
129
- context 'with populated command rules' do
130
- it 'should have default values' do
131
- expect(TCellAgent).to_not receive(:logger)
132
- @rust_policies.update_policies(
133
- {
134
- 'cmdi' => {
135
- 'policy_id' => 'policy_id',
136
- 'version' => 1,
137
- 'data' => {
138
- 'command_rules' => [
139
- { 'rule_id' => '1', 'action' => 'block' },
140
- { 'rule_id' => '2', 'command' => 'nc', 'action' => 'ignore' }
141
- ]
142
- }
143
- }
144
- }
31
+ context 'with policies' do
32
+ before(:each) do
33
+ configuration = TCellAgent::Tests::ConfigurationBuilder.new.build
34
+ @native_agent = TCellAgent::Rust::NativeAgent.create_agent(
35
+ configuration
145
36
  )
146
-
147
- expect(@rust_policies.cmdi_enabled).to eq(true)
37
+ @tcell_context = TCellAgent::Tests::TCellContextBuilder.new.build
148
38
  end
149
- end
150
39
 
151
- context 'with populated compound statement rules' do
152
- it 'should have default values' do
153
- expect(TCellAgent).to_not receive(:logger)
154
- @rust_policies.update_policies(
155
- {
156
- 'cmdi' => {
157
- 'policy_id' => 'policy_id',
158
- 'version' => 1,
159
- 'data' => {
160
- 'compound_statement_rules' => [
161
- { 'rule_id' => '3', 'action' => 'block' }
162
- ]
163
- }
164
- }
165
- }
166
- )
167
-
168
- expect(@rust_policies.cmdi_enabled).to eq(true)
40
+ after(:each) do
41
+ TCellAgent::Rust::NativeAgent.free_agent(@native_agent.agent_ptr)
169
42
  end
170
- end
171
43
 
172
- context 'with populated collect_full_commandline' do
173
- context 'as nil' do
174
- it 'should have collect_full_commandline disabled' do
175
- expect(TCellAgent).to_not receive(:logger)
176
- @rust_policies.update_policies(
44
+ context 'empty command rules policy' do
45
+ it 'should disable policy' do
46
+ enablements = @native_agent.update_policies(
177
47
  {
178
48
  'cmdi' => {
179
49
  'policy_id' => 'policy_id',
180
50
  'version' => 1,
181
- 'data' => {
182
- 'collect_full_commandline' => nil,
183
- 'compound_statement_rules' => [
184
- { 'rule_id' => '3', 'action' => 'block' }
185
- ]
186
- }
51
+ 'data' => { 'command_rules' => [] }
187
52
  }
188
53
  }
189
- )
54
+ )['enablements']
55
+ expect(enablements['cmdi']).to eq(false)
190
56
 
191
- expect(@rust_policies.cmdi_enabled).to eq(true)
57
+ @policy = CommandInjectionPolicy.new(@native_agent, enablements)
58
+ expect(@policy.enabled).to eq(false)
192
59
  end
193
60
  end
194
61
 
195
- context 'as false' do
196
- it 'should have collect_full_commandline disabled' do
197
- @rust_policies.update_policies(
62
+ context 'ignore all command rules' do
63
+ it 'should disable policy' do
64
+ enablements = @native_agent.update_policies(
198
65
  {
199
66
  'cmdi' => {
200
67
  'policy_id' => 'policy_id',
201
68
  'version' => 1,
202
69
  'data' => {
203
- 'collect_full_commandline' => false,
204
- 'compound_statement_rules' => [
205
- { 'rule_id' => '3', 'action' => 'block' }
206
- ]
207
- }
208
- }
209
- }
210
- )
211
-
212
- expect(@rust_policies.cmdi_enabled).to eq(true)
213
- end
214
- end
215
-
216
- context 'as true' do
217
- it 'should have collect_full_commandline enabled' do
218
- @rust_policies.update_policies(
219
- {
220
- 'cmdi' => {
221
- 'policy_id' => 'policy_id',
222
- 'version' => 1,
223
- 'data' => {
224
- 'collect_full_commandline' => true,
225
- 'compound_statement_rules' => [
226
- { 'rule_id' => '3', 'action' => 'block' }
227
- ]
70
+ 'command_rules' => [{ 'rule_id' => '1', 'action' => 'ignore' }]
228
71
  }
229
72
  }
230
73
  }
231
- )
74
+ )['enablements']
75
+ expect(enablements['cmdi']).to eq(false)
232
76
 
233
- expect(@rust_policies.cmdi_enabled).to eq(true)
77
+ @policy = CommandInjectionPolicy.new(@native_agent, enablements)
78
+ expect(@policy.enabled).to eq(false)
234
79
  end
235
80
  end
236
- end
237
- end
238
81
 
239
- describe '#block_command?' do
240
- context 'with command rules' do
241
- context 'that are blank' do
242
- it 'should not block' do
243
- @rust_policies.update_policies(
82
+ context 'report all command rules' do
83
+ it 'should enable the policy but not block command' do
84
+ enablements = @native_agent.update_policies(
244
85
  {
245
86
  'cmdi' => {
246
87
  'policy_id' => 'policy_id',
247
88
  'version' => 1,
248
89
  'data' => {
249
90
  'collect_full_commandline' => true,
250
- 'command_rules' => []
91
+ 'command_rules' => [{ 'rule_id' => '1', 'action' => 'report' }]
251
92
  }
252
93
  }
253
94
  }
254
- )
255
-
256
- expect(TCellAgent).to_not receive(:send_event)
95
+ )['enablements']
96
+ expect(enablements['cmdi']).to eq(true)
257
97
 
98
+ @policy = CommandInjectionPolicy.new(@native_agent, enablements)
99
+ expect(@policy.enabled).to eq(true)
258
100
  expect(
259
- @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
101
+ @policy.block_command?('cat /etc/passwd && grep root', @tcell_context)
260
102
  ).to eq(false)
261
103
  end
262
104
  end
263
105
 
264
- context 'that ignore all' do
265
- it 'should not block' do
266
- @rust_policies.update_policies(
106
+ context 'block all command rules' do
107
+ it 'should block the command' do
108
+ enablements = @native_agent.update_policies(
267
109
  {
268
110
  'cmdi' => {
269
111
  'policy_id' => 'policy_id',
270
112
  'version' => 1,
271
113
  'data' => {
272
114
  'collect_full_commandline' => true,
273
- 'command_rules' => [{ 'rule_id' => '1', 'action' => 'ignore' }]
115
+ 'command_rules' => [{ 'rule_id' => '1', 'action' => 'block' }]
274
116
  }
275
117
  }
276
118
  }
277
- )
278
-
279
- expect(TCellAgent).to_not receive(:send_event)
119
+ )['enablements']
120
+ expect(enablements['cmdi']).to eq(true)
280
121
 
122
+ @policy = CommandInjectionPolicy.new(@native_agent, enablements)
123
+ expect(@policy.enabled).to eq(true)
281
124
  expect(
282
- @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
283
- ).to eq(false)
284
- end
285
-
286
- context 'and ignore cat' do
287
- it 'should not send an event' do
288
- @rust_policies.update_policies(
289
- {
290
- 'cmdi' => {
291
- 'policy_id' => 'policy_id',
292
- 'version' => 1,
293
- 'data' => {
294
- 'collect_full_commandline' => true,
295
- 'command_rules' => [
296
- { 'rule_id' => '1', 'action' => 'ignore' },
297
- { 'rule_id' => '2', 'action' => 'ignore', 'command' => 'cat' }
298
- ]
299
- }
300
- }
301
- }
302
- )
303
-
304
- expect(TCellAgent).to_not receive(:send_event)
305
-
306
- expect(
307
- @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
308
- ).to eq(false)
309
- end
310
- end
311
-
312
- context 'and report cat' do
313
- it 'should send an event' do
314
- @rust_policies.update_policies(
315
- {
316
- 'cmdi' => {
317
- 'policy_id' => 'policy_id',
318
- 'version' => 1,
319
- 'data' => {
320
- 'collect_full_commandline' => true,
321
- 'command_rules' => [
322
- { 'rule_id' => '1', 'action' => 'ignore' },
323
- { 'rule_id' => '2', 'action' => 'report', 'command' => 'cat' }
324
- ]
325
- }
326
- }
327
- }
328
- )
329
-
330
- expect(TCellAgent).to receive(:send_event).with(
331
- {
332
- 'event_type' => 'cmdi',
333
- 'commands' => [
334
- { 'command' => 'cat', 'arg_count' => 1 },
335
- { 'command' => 'grep', 'arg_count' => 1 }
336
- ],
337
- 'blocked' => false,
338
- 'matches' => [{ 'rule_id' => '2', 'command' => 'cat' }],
339
- 'full_commandline' => 'cat /etc/passwd | grep root'
340
- }
341
- )
342
-
343
- expect(
344
- @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
345
- ).to eq(false)
346
- end
347
- end
348
-
349
- context 'and block cat' do
350
- it 'should send an event and block' do
351
- @rust_policies.update_policies(
352
- {
353
- 'cmdi' => {
354
- 'policy_id' => 'policy_id',
355
- 'version' => 1,
356
- 'data' => {
357
- 'collect_full_commandline' => true,
358
- 'command_rules' => [
359
- { 'rule_id' => '1', 'action' => 'ignore' },
360
- { 'rule_id' => '2', 'action' => 'block', 'command' => 'cat' }
361
- ]
362
- }
363
- }
364
- }
365
- )
366
-
367
- expect(TCellAgent).to receive(:send_event).with(
368
- {
369
- 'event_type' => 'cmdi',
370
- 'commands' => [
371
- { 'command' => 'cat', 'arg_count' => 1 },
372
- { 'command' => 'grep', 'arg_count' => 1 }
373
- ],
374
- 'blocked' => true,
375
- 'matches' => [{ 'rule_id' => '2', 'command' => 'cat' }],
376
- 'full_commandline' => 'cat /etc/passwd | grep root'
377
- }
378
- )
379
-
380
- expect(
381
- @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
382
- ).to eq(true)
383
- end
125
+ @policy.block_command?('cat /etc/passwd && grep root', @tcell_context)
126
+ ).to eq(true)
384
127
  end
385
128
  end
386
129
 
387
- context 'that report all' do
388
- it 'should send an event' do
389
- @rust_policies.update_policies(
130
+ context 'report compound commands' do
131
+ it 'should enable the policy but no block the command' do
132
+ enablements = @native_agent.update_policies(
390
133
  {
391
134
  'cmdi' => {
392
135
  'policy_id' => 'policy_id',
393
136
  'version' => 1,
394
137
  'data' => {
395
- 'command_rules' => [{ 'rule_id' => '1', 'action' => 'report' }]
138
+ 'compound_statement_rules' => [{ 'rule_id' => '1', 'action' => 'report' }]
396
139
  }
397
140
  }
398
141
  }
399
- )
142
+ )['enablements']
143
+ expect(enablements['cmdi']).to eq(true)
400
144
 
401
- expect(TCellAgent).to receive(:send_event).with(
402
- {
403
- 'event_type' => 'cmdi',
404
- 'commands' => [
405
- { 'command' => 'cat', 'arg_count' => 1 },
406
- { 'command' => 'grep', 'arg_count' => 1 }
407
- ],
408
- 'blocked' => false,
409
- 'matches' => [
410
- { 'rule_id' => '1', 'command' => 'cat' },
411
- { 'rule_id' => '1', 'command' => 'grep' }
412
- ]
413
- }
414
- )
145
+ @policy = CommandInjectionPolicy.new(@native_agent, enablements)
146
+ expect(@policy.enabled).to eq(true)
415
147
 
416
148
  expect(
417
- @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
149
+ @policy.block_command?('cat /etc/passwd', @tcell_context)
418
150
  ).to eq(false)
419
- end
420
-
421
- context 'and ignore cat' do
422
- it 'should send an event for grep not cat' do
423
- @rust_policies.update_policies(
424
- {
425
- 'cmdi' => {
426
- 'policy_id' => 'policy_id',
427
- 'version' => 1,
428
- 'data' => {
429
- 'command_rules' => [
430
- { 'rule_id' => '1', 'action' => 'report' },
431
- { 'rule_id' => '2', 'action' => 'ignore', 'command' => 'cat' }
432
- ]
433
- }
434
- }
435
- }
436
- )
437
-
438
- expect(TCellAgent).to receive(:send_event).with(
439
- {
440
- 'event_type' => 'cmdi',
441
- 'commands' => [
442
- { 'command' => 'cat', 'arg_count' => 1 },
443
- { 'command' => 'grep', 'arg_count' => 1 }
444
- ],
445
- 'blocked' => false,
446
- 'matches' => [{ 'rule_id' => '1', 'command' => 'grep' }]
447
- }
448
- )
449
-
450
- expect(
451
- @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
452
- ).to eq(false)
453
- end
454
- end
455
-
456
- context 'and report cat' do
457
- it 'should send an event for grep and cat' do
458
- @rust_policies.update_policies(
459
- {
460
- 'cmdi' => {
461
- 'policy_id' => 'policy_id',
462
- 'version' => 1,
463
- 'data' => {
464
- 'command_rules' => [
465
- { 'rule_id' => '1', 'action' => 'report' },
466
- { 'rule_id' => '2', 'action' => 'report', 'command' => 'cat' }
467
- ]
468
- }
469
- }
470
- }
471
- )
472
-
473
- expect(TCellAgent).to receive(:send_event).with(
474
- {
475
- 'event_type' => 'cmdi',
476
- 'commands' => [
477
- { 'command' => 'cat', 'arg_count' => 1 },
478
- { 'command' => 'grep', 'arg_count' => 1 }
479
- ],
480
- 'blocked' => false,
481
- 'matches' => [
482
- { 'rule_id' => '2', 'command' => 'cat' },
483
- { 'rule_id' => '1', 'command' => 'grep' }
484
- ]
485
- }
486
- )
487
-
488
- expect(
489
- @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
490
- ).to eq(false)
491
- end
492
- end
493
-
494
- context 'and block cat' do
495
- it 'should send an event for grep and cat and block' do
496
- @rust_policies.update_policies(
497
- {
498
- 'cmdi' => {
499
- 'policy_id' => 'policy_id',
500
- 'version' => 1,
501
- 'data' => {
502
- 'command_rules' => [
503
- { 'rule_id' => '1', 'action' => 'report' },
504
- { 'rule_id' => '2', 'action' => 'block', 'command' => 'cat' }
505
- ]
506
- }
507
- }
508
- }
509
- )
510
-
511
- expect(TCellAgent).to receive(:send_event).with(
512
- {
513
- 'event_type' => 'cmdi',
514
- 'commands' => [
515
- { 'command' => 'cat', 'arg_count' => 1 },
516
- { 'command' => 'grep', 'arg_count' => 1 }
517
- ],
518
- 'blocked' => true,
519
- 'matches' => [
520
- { 'rule_id' => '2', 'command' => 'cat' },
521
- { 'rule_id' => '1', 'command' => 'grep' }
522
- ]
523
- }
524
- )
525
-
526
- expect(
527
- @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
528
- ).to eq(true)
529
- end
530
- end
531
- end
532
-
533
- context 'that block all' do
534
- it 'should send an event and block' do
535
- @rust_policies.update_policies(
536
- {
537
- 'cmdi' => {
538
- 'policy_id' => 'policy_id',
539
- 'version' => 1,
540
- 'data' => {
541
- 'command_rules' => [{ 'rule_id' => '1', 'action' => 'block' }]
542
- }
543
- }
544
- }
545
- )
546
-
547
- expect(TCellAgent).to receive(:send_event).with(
548
- {
549
- 'event_type' => 'cmdi',
550
- 'commands' => [
551
- { 'command' => 'cat', 'arg_count' => 1 },
552
- { 'command' => 'grep', 'arg_count' => 1 }
553
- ],
554
- 'blocked' => true,
555
- 'matches' => [
556
- { 'rule_id' => '1', 'command' => 'cat' },
557
- { 'rule_id' => '1', 'command' => 'grep' }
558
- ]
559
- }
560
- )
561
151
 
562
152
  expect(
563
- @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
564
- ).to eq(true)
565
- end
566
-
567
- context 'and ignore cat' do
568
- it 'should send an event for grep not cat and block' do
569
- @rust_policies.update_policies(
570
- {
571
- 'cmdi' => {
572
- 'policy_id' => 'policy_id',
573
- 'version' => 1,
574
- 'data' => {
575
- 'command_rules' => [
576
- { 'rule_id' => '1', 'action' => 'block' },
577
- { 'rule_id' => '2', 'action' => 'ignore', 'command' => 'cat' }
578
- ]
579
- }
580
- }
581
- }
582
- )
583
-
584
- expect(TCellAgent).to receive(:send_event).with(
585
- {
586
- 'event_type' => 'cmdi',
587
- 'commands' => [
588
- { 'command' => 'cat', 'arg_count' => 1 },
589
- { 'command' => 'grep', 'arg_count' => 1 }
590
- ],
591
- 'blocked' => true,
592
- 'matches' => [{ 'rule_id' => '1', 'command' => 'grep' }]
593
- }
594
- )
595
-
596
- expect(
597
- @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
598
- ).to eq(true)
599
- end
600
- end
601
-
602
- context 'and report cat' do
603
- it 'should send an event for grep and cat and block' do
604
- @rust_policies.update_policies(
605
- {
606
- 'cmdi' => {
607
- 'policy_id' => 'policy_id',
608
- 'version' => 1,
609
- 'data' => {
610
- 'command_rules' => [
611
- { 'rule_id' => '1', 'action' => 'block' },
612
- { 'rule_id' => '2', 'action' => 'report', 'command' => 'cat' }
613
- ]
614
- }
615
- }
616
- }
617
- )
618
-
619
- expect(TCellAgent).to receive(:send_event).with(
620
- {
621
- 'event_type' => 'cmdi',
622
- 'commands' => [
623
- { 'command' => 'cat', 'arg_count' => 1 },
624
- { 'command' => 'grep', 'arg_count' => 1 }
625
- ],
626
- 'blocked' => true,
627
- 'matches' => [
628
- { 'rule_id' => '2', 'command' => 'cat' },
629
- { 'rule_id' => '1', 'command' => 'grep' }
630
- ]
631
- }
632
- )
633
-
634
- expect(
635
- @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
636
- ).to eq(true)
637
- end
638
- end
639
-
640
- context 'and block cat' do
641
- it 'should send an event for grep and cat and block' do
642
- @rust_policies.update_policies(
643
- {
644
- 'cmdi' => {
645
- 'policy_id' => 'policy_id',
646
- 'version' => 1,
647
- 'data' => {
648
- 'command_rules' => [
649
- { 'rule_id' => '1', 'action' => 'block' },
650
- { 'rule_id' => '2', 'action' => 'block', 'command' => 'cat' }
651
- ]
652
- }
653
- }
654
- }
655
- )
656
-
657
- expect(TCellAgent).to receive(:send_event).with(
658
- {
659
- 'event_type' => 'cmdi',
660
- 'commands' => [
661
- { 'command' => 'cat', 'arg_count' => 1 },
662
- { 'command' => 'grep', 'arg_count' => 1 }
663
- ],
664
- 'blocked' => true,
665
- 'matches' => [
666
- { 'rule_id' => '2', 'command' => 'cat' },
667
- { 'rule_id' => '1', 'command' => 'grep' }
668
- ]
669
- }
670
- )
671
-
672
- expect(
673
- @rust_policies.block_command?('cat /etc/passwd | grep root', nil)
674
- ).to eq(true)
675
- end
676
- end
677
- end
678
- end
679
-
680
- context 'with compound statement rules' do
681
- before(:each) do
682
- @tcell_context = TCellAgent::Instrumentation::TCellData.new
683
- @tcell_context.request_method = 'GET'
684
- @tcell_context.ip_address = '1.1.1.1'
685
- @tcell_context.route_id = '12345'
686
- @tcell_context.hmac_session_id = 'sldfjk2343'
687
- @tcell_context.user_id = 'user_id'
688
- end
689
-
690
- context 'set to ignore' do
691
- before(:each) do
692
- @rust_policies.update_policies(
693
- {
694
- 'cmdi' => {
695
- 'policy_id' => 'policy_id',
696
- 'version' => 1,
697
- 'data' => {
698
- 'compound_statement_rules' => [
699
- { 'rule_id' => '1', 'action' => 'ignore' }
700
- ]
701
- }
702
- }
703
- }
704
- )
705
- end
706
-
707
- context 'one parsed command' do
708
- it 'should not send events or block' do
709
- expect(TCellAgent).to_not receive(:send_event)
710
-
711
- expect(
712
- @rust_policies.block_command?('cat /etc/passwd', @tcell_context)
713
- ).to eq(false)
714
- end
715
- end
716
-
717
- context 'two parsed commands' do
718
- it 'should not send events or block' do
719
- expect(TCellAgent).to_not receive(:send_event)
720
-
721
- expect(
722
- @rust_policies.block_command?('cat /etc/passwd | grep root', @tcell_context)
723
- ).to eq(false)
724
- end
725
- end
726
- end
727
-
728
- context 'set to report' do
729
- before(:each) do
730
- @rust_policies.update_policies(
731
- {
732
- 'cmdi' => {
733
- 'policy_id' => 'policy_id',
734
- 'version' => 1,
735
- 'data' => {
736
- 'compound_statement_rules' => [
737
- { 'rule_id' => '1', 'action' => 'report' }
738
- ]
739
- }
740
- }
741
- }
742
- )
743
- end
744
-
745
- context 'one parsed command' do
746
- it 'should not send events or block' do
747
- expect(TCellAgent).to_not receive(:send_event)
748
-
749
- expect(
750
- @rust_policies.block_command?('cat /etc/passwd', @tcell_context)
751
- ).to eq(false)
752
- end
753
- end
754
-
755
- context 'two parsed commands' do
756
- it 'should send an event but not block' do
757
- expect(TCellAgent).to receive(:send_event).with(
758
- {
759
- 'event_type' => 'cmdi',
760
- 'commands' => [
761
- { 'command' => 'cat', 'arg_count' => 1 },
762
- { 'command' => 'grep', 'arg_count' => 1 }
763
- ],
764
- 'blocked' => false,
765
- 'matches' => [{ 'rule_id' => '1' }],
766
- 'm' => 'GET',
767
- 'remote_addr' => '1.1.1.1',
768
- 'rid' => '12345',
769
- 'sid' => 'sldfjk2343',
770
- 'uid' => 'user_id'
771
- }
772
- )
773
-
774
- expect(
775
- @rust_policies.block_command?('cat /etc/passwd | grep root', @tcell_context)
776
- ).to eq(false)
777
- end
153
+ @policy.block_command?('cat /etc/passwd && grep root', @tcell_context)
154
+ ).to eq(false)
778
155
  end
779
156
  end
780
157
 
781
- context 'set to block' do
782
- before(:each) do
783
- @rust_policies.update_policies(
158
+ context 'block compound commands' do
159
+ it 'should enable the policy and block compound commands' do
160
+ enablements = @native_agent.update_policies(
784
161
  {
785
162
  'cmdi' => {
786
163
  'policy_id' => 'policy_id',
787
164
  'version' => 1,
788
165
  'data' => {
789
- 'compound_statement_rules' => [
790
- { 'rule_id' => '1', 'action' => 'block' }
791
- ]
166
+ 'compound_statement_rules' => [{ 'rule_id' => '1', 'action' => 'block' }]
792
167
  }
793
168
  }
794
169
  }
795
- )
796
- end
797
-
798
- context 'one parsed command' do
799
- it 'should not send events or block' do
800
- expect(TCellAgent).to_not receive(:send_event)
801
-
802
- expect(
803
- @rust_policies.block_command?('cat /etc/passwd', @tcell_context)
804
- ).to eq(false)
805
- end
806
- end
807
-
808
- context 'two parsed commands' do
809
- it 'should send an event and block' do
810
- expect(TCellAgent).to receive(:send_event).with(
811
- {
812
- 'event_type' => 'cmdi',
813
- 'commands' => [
814
- { 'command' => 'cat', 'arg_count' => 1 },
815
- { 'command' => 'grep', 'arg_count' => 1 }
816
- ],
817
- 'blocked' => true,
818
- 'matches' => [{ 'rule_id' => '1' }],
819
- 'm' => 'GET',
820
- 'remote_addr' => '1.1.1.1',
821
- 'rid' => '12345',
822
- 'sid' => 'sldfjk2343',
823
- 'uid' => 'user_id'
824
- }
825
- )
826
-
827
- expect(
828
- @rust_policies.block_command?('cat /etc/passwd | grep root', @tcell_context)
829
- ).to eq(true)
830
- end
831
- end
832
- end
170
+ )['enablements']
171
+ expect(enablements['cmdi']).to eq(true)
833
172
 
834
- context 'that conflict' do
835
- it 'only take the first one and ignore the rest' do
836
- ## multiple compound statements present only first one is taken
837
- @rust_policies.update_policies(
838
- {
839
- 'cmdi' => {
840
- 'policy_id' => 'policy_id',
841
- 'version' => 1,
842
- 'data' => {
843
- 'compound_statement_rules' => [
844
- { 'rule_id' => '1', 'action' => 'block' },
845
- { 'rule_id' => '2', 'action' => 'ignore' }
846
- ]
847
- }
848
- }
849
- }
850
- )
173
+ @policy = CommandInjectionPolicy.new(@native_agent, enablements)
174
+ expect(@policy.enabled).to eq(true)
851
175
 
852
- expect(TCellAgent).to receive(:send_event).with(
853
- {
854
- 'event_type' => 'cmdi',
855
- 'commands' => [
856
- { 'command' => 'cat', 'arg_count' => 1 },
857
- { 'command' => 'grep', 'arg_count' => 1 }
858
- ],
859
- 'blocked' => true,
860
- 'matches' => [{ 'rule_id' => '1' }],
861
- 'm' => 'GET',
862
- 'remote_addr' => '1.1.1.1',
863
- 'rid' => '12345',
864
- 'sid' => 'sldfjk2343',
865
- 'uid' => 'user_id'
866
- }
867
- )
176
+ expect(
177
+ @policy.block_command?('cat /etc/passwd', @tcell_context)
178
+ ).to eq(false)
868
179
 
869
180
  expect(
870
- @rust_policies.block_command?('cat /etc/passwd | grep root', @tcell_context)
181
+ @policy.block_command?('cat /etc/passwd && grep root', @tcell_context)
871
182
  ).to eq(true)
872
183
  end
873
184
  end