tcell_agent 1.1.12 → 2.0.0

data/lib/tcell_agent/sensor_events/appsensor_event.rb

@@ -1,52 +0,0 @@
-require 'tcell_agent/sensor_events/sensor'
-
-module TCellAgent
-  module SensorEvents
-    class TCellAppSensorEvent < TCellSensorEvent
-      def initialize(location,
-                     detection_point,
-                     method,
-                     remote_address,
-                     param,
-                     route_id,
-                     meta,
-                     hmac_session_id,
-                     user_id,
-                     payload,
-                     pattern,
-                     full_uri)
-        super('as')
-        self['dp'] = detection_point
-
-        self['param'] = param.to_s if param
-        self['m'] = method.to_s if method
-        self['pattern'] = pattern if pattern
-        self['meta'] = meta if meta
-        self['rid'] = route_id.to_s if route_id
-        self['full_uri'] = full_uri if full_uri
-        self['uri'] = location if location
-        self['uid'] = user_id.to_s if user_id
-        self['sid'] = hmac_session_id if hmac_session_id
-        self['remote_addr'] = remote_address.to_s if remote_address
-        self['payload'] = payload if payload
-      end
-
-      def self.build_from_native_lib_event(event)
-        TCellAppSensorEvent.new(
-          event['uri'],
-          event['detection_point'],
-          event['method'],
-          event['remote_address'],
-          event['parameter'],
-          event['route_id'],
-          event['meta'],
-          event['session_id'],
-          event['user_id'],
-          event['payload'],
-          event['pattern'],
-          event['full_uri']
-        )
-      end
-    end
-  end
-end

data/lib/tcell_agent/sensor_events/appsensor_meta_event.rb

@@ -1,45 +0,0 @@
-require 'tcell_agent/agent'
-require 'tcell_agent/agent/policy_types'
-require 'tcell_agent/tcell_context'
-require 'tcell_agent/sensor_events/sensor'
-
-module TCellAgent
-  module SensorEvents
-    class AppSensorMetaEvent < TCellAgent::SensorEvents::TCellSensorEvent
-      class << self
-        def build(request, response_content_length, response_code, response_headers)
-          meta_data = TCellAgent::MetaData.from_request(request)
-
-          tcell_context = request.env[TCellAgent::Instrumentation::TCELL_ID]
-          meta_data.csrf_exception_name = tcell_context.csrf_exception_name
-          meta_data.user_agent = tcell_context.user_agent
-          meta_data.path_parameters = tcell_context.path_parameters
-          meta_data.sql_exceptions = tcell_context.sql_exceptions
-          meta_data.database_result_sizes = tcell_context.database_result_sizes
-
-          meta_data.response_content_bytes_len = response_content_length
-
-          meta_data.response_code = response_code
-          meta_data.response_headers = response_headers
-
-          AppSensorMetaEvent.new(meta_data)
-        end
-      end
-
-      attr_accessor :meta_data
-
-      def initialize(meta_data)
-        @send = false
-
-        @meta_data = meta_data
-      end
-
-      def post_process
-        rust_policies = TCellAgent.policy(TCellAgent::PolicyTypes::RUST)
-        return unless rust_policies
-
-        rust_policies.check_appfirewall_injections(@meta_data)
-      end
-    end
-  end
-end

data/lib/tcell_agent/sensor_events/command_injection.rb

@@ -1,75 +0,0 @@
-require 'tcell_agent/sensor_events/sensor'
-
-module TCellAgent
-  module SensorEvents
-    class CommandInjectionMatchEvent < Hash
-      def initialize(rule_id, command)
-        self['rule_id'] = rule_id
-        self['command'] = command if command
-      end
-    end
-
-    class CommandInjectionEvent < TCellSensorEvent
-      def self.build_from_native_lib_response_and_tcell_context(apply_response,
-                                                                tcell_context)
-        matches = apply_response.fetch('matches', [])
-
-        return nil if !matches || matches.empty?
-
-        method, remote_address, route_id, session_id, user_id, uri = nil
-        if tcell_context
-          method = tcell_context.request_method
-          remote_address = tcell_context.ip_address
-          route_id = tcell_context.route_id
-          session_id = tcell_context.hmac_session_id
-          user_id = tcell_context.user_id
-          uri = tcell_context.uri
-        end
-
-        matches_without_emtpy_values = matches.map do |match|
-          CommandInjectionMatchEvent.new(
-            match['rule_id'], match['command']
-          )
-        end
-
-        CommandInjectionEvent.new(
-          apply_response['commands'],
-          apply_response.fetch('blocked', false),
-          matches_without_emtpy_values,
-          method,
-          remote_address,
-          route_id,
-          session_id,
-          user_id,
-          uri,
-          apply_response['full_commandline']
-        )
-      end
-
-      def initialize(commands,
-                     blocked,
-                     matches,
-                     method = nil,
-                     remote_address = nil,
-                     route_id = nil,
-                     session_id = nil,
-                     user_id = nil,
-                     uri = nil,
-                     full_commandline = nil)
-        super('cmdi')
-
-        self['commands'] = commands
-        self['blocked'] = blocked
-        self['matches'] = matches
-        self['m'] = method if method
-
-        self['remote_addr'] = remote_address if remote_address
-        self['rid'] = route_id if route_id
-        self['sid'] = session_id if session_id
-        self['uid'] = user_id if user_id
-        self['full_commandline'] = full_commandline if full_commandline
-        self['uri'] = TCellAgent::SensorEvents::Util.strip_uri_values(uri) if uri
-      end
-    end
-  end
-end

data/lib/tcell_agent/sensor_events/honeytokens.rb

@@ -1,16 +0,0 @@
-# See the file "LICENSE" for the full license governing this code.
-
-require 'tcell_agent/sensor_events/util/sanitizer_utilities'
-require 'tcell_agent/sensor_events/sensor'
-
-module TCellAgent
-  module SensorEvents
-    class HoneytokensSensorEvent < TCellSensorEvent
-      def initialize(request, token_id)
-        super('honeytoken')
-        self['id'] = token_id
-        self['ip'] = request.remote_ip
-      end
-    end
-  end
-end

data/lib/tcell_agent/sensor_events/login_fraud.rb

@@ -1,60 +0,0 @@
-# See the file "LICENSE" for the full license governing this code.
-
-require 'tcell_agent/sensor_events/util/sanitizer_utilities'
-require 'tcell_agent/sensor_events/sensor'
-
-module TCellAgent
-  module SensorEvents
-    class LoginEvent < TCellSensorEvent
-      def initialize(header_keys,
-                     tcell_data,
-                     user_id,
-                     password,
-                     user_valid)
-        super('login')
-
-        self['header_keys'] = header_keys
-
-        self['user_agent'] = tcell_data.user_agent.to_s if tcell_data.user_agent
-        self['referrer'] = TCellAgent::SensorEvents::Util.strip_uri_values(tcell_data.referrer) if tcell_data.referrer
-        self['remote_addr'] = tcell_data.ip_address.to_s if tcell_data.ip_address
-        self['user_id'] = user_id.to_s if user_id
-        self['document_uri'] = TCellAgent::SensorEvents::Util.strip_uri_values(tcell_data.path) if tcell_data.path
-        self['session'] = tcell_data.hmac_session_id if tcell_data.hmac_session_id
-
-        digest = TCellAgent::Utils::Passwords.fingerprint_password(password,
-                                                                   user_id)
-        self['password_id'] = digest if digest
-        self['user_valid'] = user_valid if user_valid
-      end
-    end
-
-    class LoginFailure < LoginEvent
-      def initialize(request_env_or_header_keys,
-                     tcell_data,
-                     user_id,
-                     password,
-                     user_valid = nil)
-        header_keys = Util.clean_header_keys(request_env_or_header_keys)
-
-        super(header_keys, tcell_data, user_id, password, user_valid)
-
-        self['event_name'] = 'login-failure'
-      end
-    end
-
-    class LoginSuccess < LoginEvent
-      def initialize(request_env_or_header_keys,
-                     tcell_data,
-                     user_id,
-                     password,
-                     user_valid = nil)
-        header_keys = Util.clean_header_keys(request_env_or_header_keys)
-
-        super(header_keys, tcell_data, user_id, password, user_valid)
-
-        self['event_name'] = 'login-success'
-      end
-    end
-  end
-end

data/lib/tcell_agent/sensor_events/metrics.rb

@@ -1,123 +0,0 @@
-# See the file "LICENSE" for the full license governing this code.
-
-module TCellAgent
-  module SensorEvents
-    class Counter
-      attr_reader :counter
-      def initialize
-        @counter = 0
-      end
-
-      def add_object
-        @counter += 1
-      end
-
-      def reset
-        @counter = 0
-      end
-    end
-
-    class RequestRouteTimer < TCellSensorEvent
-      attr_accessor :route_id
-      attr_accessor :response_time
-      def initialize(route_id, response_time)
-        super('RequestRouteTimer')
-        self.route_id = route_id
-        self.response_time = response_time
-        @send = false
-      end
-    end
-
-    class MetricsEvent < TCellSensorEvent
-      def initialize
-        super('metrics')
-      end
-
-      def set_route_count_table(route_count_table)
-        self['rct'] = route_count_table
-      end
-    end
-
-    class SessionsMetric < TCellSensorEvent
-      class UserSessionTrackMetric < Hash
-        def initialize(object_counter, user_id)
-          @object_counter = object_counter
-          @user_agents = {}
-          self['uid'] = user_id
-          self['track'] = []
-        end
-
-        def add_user_agent_ip(truncated_agent, ip_address)
-          if @user_agents.key?(truncated_agent)
-            tracked_agents = @user_agents[truncated_agent]
-            ips = tracked_agents[1]
-            unless ips.include?(ip_address)
-              @object_counter.add_object
-              ips.push(ip_address)
-            end
-          else
-            @object_counter.add_object
-            @user_agents[truncated_agent] = [truncated_agent, [ip_address]]
-            self['track'].push(@user_agents[truncated_agent])
-          end
-        end
-      end
-
-      class UserSessionMetric < Array
-        def initialize(object_counter)
-          @user_ids = {}
-          @object_counter = object_counter
-        end
-
-        def add_user_id_user_agent_ip(user_id, truncated_agent, ip_address)
-          if @user_ids.key?(user_id)
-            user_id_info = @user_ids[user_id]
-            user_id_info.add_user_agent_ip(truncated_agent, ip_address)
-          else
-            @object_counter.add_object
-
-            @user_ids[user_id] = user_id_info = UserSessionTrackMetric.new(@object_counter, user_id)
-            user_id_info.add_user_agent_ip(truncated_agent, ip_address)
-
-            push(user_id_info)
-          end
-        end
-      end
-
-      def initialize
-        super('metrics')
-        @send = false
-        @flush = false
-
-        self['sessions'] = {}
-        @has_sessions = false
-        @object_counter = Counter.new
-      end
-
-      def sessions?
-        @has_sessions
-      end
-
-      def add_session_info(hmac_session_id, user_id, ip_address, user_agent)
-        if @object_counter.counter >= 250
-          TCellAgent.logger.warn('Sessions Metric is full. Information dropped')
-
-        else
-          self['sessions'][hmac_session_id] =
-            self['sessions'].fetch(hmac_session_id, UserSessionMetric.new(@object_counter))
-
-          @has_sessions = true
-
-          truncated_agent = truncated_user_agent(user_agent)
-          self['sessions'][hmac_session_id].add_user_id_user_agent_ip(user_id, truncated_agent, ip_address)
-
-          @flush = true if @object_counter.counter >= 200
-        end
-      end
-
-      def truncated_user_agent(user_agent)
-        user_agent[0...256]
-      end
-    end
-  end
-end

data/lib/tcell_agent/sensor_events/patches.rb

@@ -1,21 +0,0 @@
-require 'tcell_agent/sensor_events/sensor'
-
-module TCellAgent
-  module SensorEvents
-    class PatchesEvent < TCellSensorEvent
-      def initialize(rust_response, appsensor_meta)
-        super('patches')
-
-        self['patches_pid'] = rust_response['patches_policy_id']
-        self['rule_id'] = rust_response['rule_id']
-        self['action'] = 'blocked'
-        self['sz'] = appsensor_meta.request_content_bytes_len if appsensor_meta.request_content_bytes_len
-        self['m'] = appsensor_meta.method if appsensor_meta.method
-        self['remote_addr'] = appsensor_meta.remote_address if appsensor_meta.remote_address
-        self['uri'] = TCellAgent::SensorEvents::Util.strip_uri_values(appsensor_meta.location) if appsensor_meta.location
-        self['regex_pid'] = rust_response['regex_pid'] if rust_response['regex_pid']
-        self['payload'] = rust_response['payload'] if rust_response['payload']
-      end
-    end
-  end
-end

data/lib/tcell_agent/start_background_thread.rb

@@ -1,55 +0,0 @@
-# See the file "LICENSE" for the full license governing this code.
-require 'tcell_agent/configuration'
-
-unless TCellAgent.configuration.disable_all
-  require 'tcell_agent/logger'
-  require 'tcell_agent/agent'
-  require 'thread'
-
-  module TCellAgent
-    # require 'tcell_agent/sinatra' if defined?(Sinatra)
-    require 'tcell_agent/rails' if defined?(Rails)
-    require 'tcell_agent/instrumentation/cmdi'
-
-    def self.run_instrumentation(server_name, send_startup_events = true)
-      require 'tcell_agent/hooks/login_fraud'
-      require 'tcell_agent/rails/on_start' if defined?(Rails)
-      require 'tcell_agent/settings_reporter'
-
-      TCellAgent::Instrumentation.safe_block('Starting thread agent') do
-        TCellAgent.logger.debug("Instrumenting: #{server_name}")
-        TCellAgent.thread_agent.start
-      end
-
-      report_settings(send_startup_events)
-    end
-  end
-
-  tcell_server = ENV['TCELL_AGENT_SERVER']
-
-  if TCellAgent.configuration.should_instrument?
-    unless tcell_server && tcell_server == 'mock'
-
-      if (tcell_server && tcell_server == 'webrick') || defined?(Rails::Server)
-        require('tcell_agent/servers/rails_server')
-
-      elsif (tcell_server && tcell_server == 'thin') || defined?(Thin)
-        require('tcell_agent/servers/thin')
-
-      elsif (tcell_server && tcell_server == 'puma') || defined?(Puma)
-        require('tcell_agent/servers/puma')
-
-      elsif (tcell_server && tcell_server == 'unicorn') || defined?(Unicorn)
-        require('tcell_agent/servers/unicorn')
-
-      elsif (tcell_server && tcell_server == 'passenger') || defined?(PhusionPassenger)
-        require('tcell_agent/servers/passenger')
-
-      end
-    end
-
-  elsif (tcell_server && tcell_server == 'unicorn') || defined?(Unicorn)
-    # unicorn is always instrumented to support rolling restarts
-    require('tcell_agent/servers/unicorn')
-  end
-end