tcell_agent 1.1.12 → 2.0.0

data/lib/tcell_agent/policies/http_redirect_policy.rb

@@ -1,95 +1,29 @@
-# See the file "LICENSE" for the full license governing this code.
-require 'uri'
-
 require 'tcell_agent/policies/policy'
-require 'tcell_agent/logger'
 
 module TCellAgent
   module Policies
     class HttpRedirectPolicy < Policy
-      attr_accessor :policy_id, :enabled, :whitelist, :block, :data_scheme_allowed
-
-      def initialize
-        @policy_id = nil
-        @enabled = false
-        @whitelist = []
-        @block = false
-        @data_scheme_allowed = false
+      def self.api_identifier
+        'http-redirect'
       end
 
-      def suspicious_redirect?(host, current_host)
-        if !host || host == '' || host == current_host
-          # local redirect
-          return false
-        end
-
-        whitelist.each do |whitelist_regex|
-          if (host =~ whitelist_regex) || ("www.#{host}" =~ whitelist_regex)
-            return false
-          end
-        end
-
-        true
-      end
-
-      def enforce(target_uri, request_uri, current_path, method, route_id, status_code, remote_addr, hmac_session_id = nil)
-        return nil unless @enabled
-
-        current_host = URI.parse(request_uri).host
-        if target_uri.downcase.start_with?('data:')
-          return nil if @data_scheme_allowed
+      attr_accessor :enabled
 
-          target_host = target_uri.split(',')[0]
-
-        else
-          target_host = URI.parse(target_uri).host
-          return nil unless suspicious_redirect?(target_host, current_host)
-        end
-
-        begin
-          event = TCellAgent::SensorEvents::TCellRedirectSensorEvent.new(
-            target_host,
-            current_host,
-            current_path,
-            method,
-            route_id,
-            status_code,
-            remote_addr,
-            hmac_session_id,
-            nil
-          )
-
-          TCellAgent.send_event(event)
-        rescue StandardError => ie
-          TCellAgent.logger.error("uncaught exception while creating redirect event: #{ie.message}")
-        end
-
-        return '/' if @block
-
-        nil
+      def initialize(native_agent, enablements)
+        @native_agent = native_agent
+        @enabled = enablements['http_redirect'] || false
       end
 
-      def self.from_json(policy_json)
-        return nil unless policy_json
-
-        http_redirect_policy = HttpRedirectPolicy.new
-        http_redirect_policy.policy_id = policy_json['policy_id']
-        raise 'Policy ID missing' unless http_redirect_policy.policy_id
-
-        policy_data_json = policy_json['data']
-        return http_redirect_policy unless policy_data_json
+      def check_redirect(redirect_url, from_domain, status_code, tcell_context)
+        return redirect_url unless @enabled
 
-        http_redirect_policy.enabled = policy_data_json.fetch('enabled', false)
-        http_redirect_policy.block = policy_data_json.fetch('block', false)
-        http_redirect_policy.data_scheme_allowed = policy_data_json.fetch('data_scheme_allowed', false)
+        redirect_response = @native_agent.check_http_redirect(
+          redirect_url, from_domain, status_code, tcell_context
+        )
 
-        http_redirect_policy.whitelist = []
-        policy_data_json.fetch('whitelist', []).each do |regex_pattern|
-          escaped = Regexp.escape(regex_pattern).gsub('\*', '.*?')
-          http_redirect_policy.whitelist.push(Regexp.new("^#{escaped}$", Regexp::IGNORECASE))
-        end
+        return '/' if redirect_response['block']
 
-        http_redirect_policy
+        redirect_url
       end
     end
   end

data/lib/tcell_agent/policies/js_agent_policy.rb

@@ -0,0 +1,27 @@
+require 'tcell_agent/policies/policy'
+
+module TCellAgent
+  module Policies
+    class JsAgentPolicy < Policy
+      def self.api_identifier
+        'jsagentinjection'
+      end
+
+      attr_accessor :enabled
+
+      def initialize(native_agent, enablements)
+        @native_agent = native_agent
+        @enabled = enablements['jsagentinjection'] || false
+      end
+
+      def get_js_agent_script_tag(tcell_context)
+        return nil unless @enabled
+
+        response = @native_agent.get_js_agent_script_tag(
+          tcell_context
+        )
+        response['script_tag']
+      end
+    end
+  end
+end

data/lib/tcell_agent/policies/local_file_access.rb

@@ -0,0 +1,28 @@
+require 'tcell_agent/policies/policy'
+
+module TCellAgent
+  module Policies
+    class LocalFileInclusion < Policy
+      def self.api_identifier
+        'lfi'
+      end
+
+      attr_accessor :enabled
+
+      def initialize(native_agent, enablements)
+        @native_agent = native_agent
+        @enabled = enablements['local_file_access'] || false
+      end
+
+      def block_file_access?(path, mode, tcell_context)
+        return false unless @native_agent
+
+        response = @native_agent.file_access_apply(
+          path, mode, tcell_context
+        )
+
+        !response['blocked'].nil? && response['blocked']
+      end
+    end
+  end
+end

data/lib/tcell_agent/policies/login_policy.rb

@@ -0,0 +1,43 @@
+require 'tcell_agent/policies/policy'
+
+module TCellAgent
+  module Policies
+    class LoginPolicy < Policy
+      def self.api_identifier
+        'login'
+      end
+
+      attr_reader :login_success_enabled, :login_failed_enabled
+
+      def initialize(native_agent, enablements)
+        @native_agent = native_agent
+        @login_success_enabled = enablements['login_success_enabled'] || false
+        @login_failed_enabled = enablements['login_failed_enabled'] || false
+      end
+
+      def report_login_success(user_id, headers, tcell_context)
+        return {} unless @login_success_enabled
+
+        success = true
+        password = nil
+        user_valid = true
+        @native_agent.login_fraud_apply(
+          success, user_id, password, headers, user_valid, tcell_context
+        )
+      end
+
+      def report_login_failure(user_id,
+                               password,
+                               headers,
+                               user_valid,
+                               tcell_context)
+        return {} unless @login_failed_enabled
+
+        success = false
+        @native_agent.login_fraud_apply(
+          success, user_id, password, headers, user_valid, tcell_context
+        )
+      end
+    end
+  end
+end

data/lib/tcell_agent/policies/patches_policy.rb

@@ -0,0 +1,27 @@
+require 'tcell_agent/policies/policy'
+
+module TCellAgent
+  module Policies
+    class PatchesPolicy < Policy
+      def self.api_identifier
+        'patches'
+      end
+
+      attr_accessor :enabled
+
+      def initialize(native_agent, enablements)
+        @native_agent = native_agent
+        @enabled = enablements['patches'] || false
+      end
+
+      def block_request?(appsensor_meta)
+        return false unless @enabled
+
+        response = @native_agent.apply_patches(
+          appsensor_meta
+        )
+        !response['apply_response'].nil? && response['apply_response']['status'] == 'Blocked'
+      end
+    end
+  end
+end

data/lib/tcell_agent/policies/policies_manager.rb

@@ -0,0 +1,68 @@
+# See the file "LICENSE" for the full license governing this code.
+
+require 'tcell_agent/policies/policy_types'
+
+require 'tcell_agent/policies/appfirewall_policy'
+require 'tcell_agent/policies/command_injection_policy'
+require 'tcell_agent/policies/dataloss_policy'
+require 'tcell_agent/policies/headers_policy'
+require 'tcell_agent/policies/http_redirect_policy'
+require 'tcell_agent/policies/js_agent_policy'
+require 'tcell_agent/policies/login_policy'
+require 'tcell_agent/policies/patches_policy'
+require 'tcell_agent/policies/local_file_access'
+require 'tcell_agent/policies/system_enablements'
+
+RUST_POLICY_CLASSES = [
+  TCellAgent::Policies::AppfirewallPolicy,
+  TCellAgent::Policies::CommandInjectionPolicy,
+  TCellAgent::Policies::HeadersPolicy,
+  TCellAgent::Policies::HttpRedirectPolicy,
+  TCellAgent::Policies::JsAgentPolicy,
+  TCellAgent::Policies::LoginPolicy,
+  TCellAgent::Policies::PatchesPolicy,
+  TCellAgent::Policies::LocalFileInclusion,
+  TCellAgent::Policies::SystemEnablements
+].freeze
+
+module TCellAgent
+  class PoliciesManager
+    attr_accessor :policies
+
+    def initialize(native_agent)
+      @native_agent = native_agent
+      @policies = {}
+
+      enablements = {}
+      RUST_POLICY_CLASSES.each do |policy_class|
+        @policies[policy_class.api_identifier] = policy_class.new(
+          @native_agent, enablements
+        )
+      end
+
+      set_dataloss_policy({ 'dlp' => {} })
+    end
+
+    def set_dataloss_policy(policies_json)
+      TCellAgent::Instrumentation.safe_block('Setting DLP policy') do
+        dlp_api_identifier = TCellAgent::Policies::DataLossPolicy.api_identifier
+        return unless policies_json.key?(dlp_api_identifier)
+        @policies[dlp_api_identifier] = TCellAgent::Policies::DataLossPolicy.new(
+          policies_json[dlp_api_identifier]
+        )
+      end
+    end
+
+    def process_policy_json(enablements, policies_json)
+      return if enablements.nil? || enablements == {}
+
+      RUST_POLICY_CLASSES.each do |policy_class|
+        @policies[policy_class.api_identifier] = policy_class.new(
+          @native_agent, enablements
+        )
+      end
+
+      set_dataloss_policy(policies_json)
+    end
+  end
+end

data/lib/tcell_agent/policies/policy_polling.rb

@@ -0,0 +1,58 @@
+module TCellAgent
+  class PolicyPolling
+    include TCellAgent::ModuleLoggerAccess
+
+    def initialize(policies_manager, native_agent)
+      @policies_manager = policies_manager
+      @policy_polling_worker_mutex = Mutex.new
+      @policy_polling_thread = nil
+
+      start_policy_polling(native_agent)
+    end
+
+    def start_policy_polling(native_agent)
+      configuration = TCellAgent.configuration
+      return unless configuration.should_start_policy_poll?
+      return unless configuration.tcell_api_url &&
+                    configuration.app_id &&
+                    configuration.api_key
+      return if policy_polling_running?
+
+      @policy_polling_worker_mutex.synchronize do
+        return if policy_polling_running?
+        start_policy_polling_loop(native_agent)
+      end
+    end
+
+    def policy_polling_running?
+      @policy_polling_thread && @policy_polling_thread.alive?
+    end
+
+    def stop_policy_polling
+      module_logger.debug('Stopping policy polling thread')
+      @policy_polling_thread.exit if policy_polling_running?
+    end
+
+    def start_policy_polling_loop(native_agent)
+      module_logger.debug('Starting policy polling thread')
+      @policy_polling_thread = Thread.new do
+        loop do
+          begin
+            result = native_agent.poll_new_policies
+            policies_and_enablements = result['new_policies_and_enablements'] || {}
+            @policies_manager.process_policy_json(
+              policies_and_enablements['enablements'],
+              policies_and_enablements['policies']
+            )
+          rescue StandardError => standard_error
+            module_logger.error("Error in polling policies: #{standard_error.message}")
+            module_logger.exception(standard_error)
+          end
+
+          # TODO(ralba): this might need to be changed to see how it affects performance
+          sleep 0.1
+        end
+      end
+    end
+  end
+end

data/lib/tcell_agent/policies/policy_types.rb

@@ -0,0 +1,14 @@
+module TCellAgent
+  class PolicyTypes
+    HTTPREDIRECT = 'http-redirect'.freeze
+    LOGINFRAUD = 'login'.freeze
+    DATALOSS = 'dlp'.freeze
+    APPSENSOR = 'appsensor'.freeze
+    PATCHES = 'patches'.freeze
+    COMMANDINJECTION = 'cmdi'.freeze
+    JSAGENTINJECTION = 'jsagentinjection'.freeze
+    HEADERS = 'headers'.freeze
+    LFI = 'lfi'.freeze
+    SYSTEM_ENABLEMENTS = 'systemEnablement'.freeze
+  end
+end

data/lib/tcell_agent/policies/system_enablements.rb

@@ -0,0 +1,27 @@
+require 'tcell_agent/policies/policy'
+
+module TCellAgent
+  module Policies
+    class SystemEnablements < Policy
+      def self.api_identifier
+        'systemEnablement'
+      end
+
+      attr_accessor :send_routes_enabled,
+                    :send_lfi_path_discovery
+
+      def initialize(native_agent, enablements)
+        @native_agent = native_agent
+        @send_routes_enabled = true
+        update_enablements(enablements)
+      end
+
+      def update_enablements(enablements)
+        enablements ||= {}
+
+        @send_routes_enabled = enablements['system_send_routes'] || true
+        @send_lfi_path_discovery = enablements['send_lfi_path_discovery'] || true
+      end
+    end
+  end
+end

data/lib/tcell_agent/rails/auth/authlogic.rb

@@ -1,79 +1,54 @@
-if TCellAgent.configuration.should_instrument_authlogic?
+if TCellAgent.configuration.should_instrument_authlogic? && defined?(Authlogic)
 
-  require 'tcell_agent/logger'
   require 'tcell_agent/configuration'
   require 'tcell_agent/instrumentation'
 
   module TCellAgent
-    if defined?(Authlogic)
-
-      TCellAgent.logger.debug('Instrumenting Authlogic')
-
-      require 'tcell_agent/agent'
-      require 'tcell_agent/sensor_events/login_fraud'
-
-      Authlogic::Session::Base.class_eval do
-        alias_method :tcell_save, :save
-        def save(&block)
-          if TCellAgent.configuration.enabled &&
-             TCellAgent.configuration.should_intercept_requests?
-
-            user_logged_in_before = !user.nil?
-            success = tcell_save(&block)
-            user_logged_in_after = !user.nil?
-
-            TCellAgent::Instrumentation.safe_block('Authlogic login info') do
-              login_fraud_policy = TCellAgent.policy(TCellAgent::PolicyTypes::LOGINFRAUD)
-              if login_fraud_policy && login_fraud_policy.enabled
-                user_id = nil
-                TCellAgent::Instrumentation.safe_block('getting userid for login form') do
-                  user_id = send(self.class.login_field.to_sym)
-                end
-
-                password = nil
-
-                if user_logged_in_before && user_logged_in_after
-                  # password changed or logged in as another user
-
-                elsif !user_logged_in_before && !user_logged_in_after
-                  if login_fraud_policy.login_failed_enabled
-                    request = Authlogic::Session::Base.controller.request
-                    tcell_data = request.env[TCellAgent::Instrumentation::TCELL_ID]
-                    if tcell_data
-                      event = TCellAgent::SensorEvents::LoginFailure.new(
-                        request.env,
-                        tcell_data,
-                        user_id,
-                        password
-                      )
-                      TCellAgent.send_event(event)
-                    end
-                  end
-
-                elsif !user_logged_in_before && user_logged_in_after
-                  if login_fraud_policy.login_success_enabled
-                    request = Authlogic::Session::Base.controller.request
-                    tcell_data = request.env[TCellAgent::Instrumentation::TCELL_ID]
-                    if tcell_data
-                      event = TCellAgent::SensorEvents::LoginSuccess.new(
-                        request.env,
-                        tcell_data,
-                        user_id,
-                        password
-                      )
-                      TCellAgent.send_event(event)
-                    end
-                  end
-                end
-              end
-            end
-
-            success
+    require 'tcell_agent/agent'
+
+    Authlogic::Session::Base.class_eval do
+      alias_method :tcell_save, :save
+      def save(&block)
+        return tcell_save(&block) unless TCellAgent.configuration.should_intercept_requests?
+
+        user_logged_in_before = !user.nil?
+        success = tcell_save(&block)
+        user_logged_in_after = !user.nil?
+
+        TCellAgent::Instrumentation.safe_block('Authlogic login info') do
+          user_id = nil
+          password = nil
+          user_valid = nil
+          TCellAgent::Instrumentation.safe_block('getting userid for login form') do
+            user_id = send(self.class.login_field.to_sym)
+          end
 
-          else
-            tcell_save(&block)
+          request = Authlogic::Session::Base.controller.request
+          tcell_data = request.env[TCellAgent::Instrumentation::TCELL_ID]
+
+          return success unless tcell_data
+
+          login_policy = TCellAgent.policy(TCellAgent::PolicyTypes::LOGINFRAUD)
+          if user_logged_in_before && user_logged_in_after
+            # password changed or logged in as another user
+          elsif !user_logged_in_before && !user_logged_in_after
+            login_policy.report_login_failure(
+              user_id,
+              password,
+              request.env,
+              user_valid,
+              tcell_data
+            )
+          elsif !user_logged_in_before && user_logged_in_after
+            login_policy.report_login_success(
+              user_id,
+              request.env,
+              tcell_data
+            )
           end
         end
+
+        success
       end
     end
   end