tcell_agent 1.1.12 → 2.2.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (169) hide show
  1. checksums.yaml +5 -5
  2. data/bin/tcell_agent +45 -137
  3. data/lib/tcell_agent.rb +12 -14
  4. data/lib/tcell_agent/agent.rb +108 -97
  5. data/lib/tcell_agent/agent/route_manager.rb +0 -16
  6. data/lib/tcell_agent/agent/static_agent.rb +9 -30
  7. data/lib/tcell_agent/config_initializer.rb +66 -0
  8. data/lib/tcell_agent/configuration.rb +69 -345
  9. data/lib/tcell_agent/hooks/login_fraud.rb +30 -33
  10. data/lib/tcell_agent/instrument_servers.rb +23 -0
  11. data/lib/tcell_agent/instrumentation.rb +12 -10
  12. data/lib/tcell_agent/instrumentation/cmdi.rb +29 -25
  13. data/lib/tcell_agent/instrumentation/lfi.rb +84 -0
  14. data/lib/tcell_agent/instrumentation/monkey_patches/file.rb +25 -0
  15. data/lib/tcell_agent/instrumentation/monkey_patches/io.rb +131 -0
  16. data/lib/tcell_agent/instrumentation/monkey_patches/kernel.rb +102 -0
  17. data/lib/tcell_agent/logger.rb +49 -114
  18. data/lib/tcell_agent/patches.rb +6 -7
  19. data/lib/tcell_agent/policies/appfirewall_policy.rb +26 -0
  20. data/lib/tcell_agent/policies/command_injection_policy.rb +28 -0
  21. data/lib/tcell_agent/policies/dataloss_policy.rb +44 -44
  22. data/lib/tcell_agent/policies/headers_policy.rb +25 -0
  23. data/lib/tcell_agent/policies/http_redirect_policy.rb +13 -79
  24. data/lib/tcell_agent/policies/js_agent_policy.rb +27 -0
  25. data/lib/tcell_agent/policies/local_file_access.rb +28 -0
  26. data/lib/tcell_agent/policies/login_policy.rb +43 -0
  27. data/lib/tcell_agent/policies/patches_policy.rb +27 -0
  28. data/lib/tcell_agent/policies/policies_manager.rb +68 -0
  29. data/lib/tcell_agent/policies/policy_polling.rb +58 -0
  30. data/lib/tcell_agent/policies/policy_types.rb +14 -0
  31. data/lib/tcell_agent/policies/system_enablements.rb +27 -0
  32. data/lib/tcell_agent/rails/auth/authlogic.rb +46 -75
  33. data/lib/tcell_agent/rails/auth/authlogic_helper.rb +20 -0
  34. data/lib/tcell_agent/rails/auth/devise.rb +100 -105
  35. data/lib/tcell_agent/rails/auth/devise_helper.rb +29 -0
  36. data/lib/tcell_agent/rails/auth/doorkeeper.rb +62 -76
  37. data/lib/tcell_agent/{userinfo.rb → rails/auth/userinfo.rb} +0 -0
  38. data/lib/tcell_agent/rails/csrf_exception.rb +2 -10
  39. data/lib/tcell_agent/rails/dlp.rb +35 -23
  40. data/lib/tcell_agent/rails/dlp_handler.rb +1 -2
  41. data/lib/tcell_agent/rails/js_agent_insert.rb +12 -13
  42. data/lib/tcell_agent/rails/middleware/body_filter_middleware.rb +4 -25
  43. data/lib/tcell_agent/rails/middleware/context_middleware.rb +2 -12
  44. data/lib/tcell_agent/rails/middleware/global_middleware.rb +1 -2
  45. data/lib/tcell_agent/rails/middleware/headers_middleware.rb +14 -34
  46. data/lib/tcell_agent/{rails.rb → rails/railties/tcell_agent_railties.rb} +11 -16
  47. data/lib/tcell_agent/rails/railties/tcell_agent_unicorn_railties.rb +8 -0
  48. data/lib/tcell_agent/rails/routes.rb +10 -12
  49. data/lib/tcell_agent/rails/routes/grape.rb +4 -14
  50. data/lib/tcell_agent/rails/routes/route_id.rb +3 -1
  51. data/lib/tcell_agent/rails/settings_reporter.rb +23 -36
  52. data/lib/tcell_agent/rails/tcell_body_proxy.rb +5 -4
  53. data/lib/tcell_agent/rust/agent_config.rb +60 -0
  54. data/lib/tcell_agent/rust/{libtcellagent-alpine-1.3.2.so → libtcellagent-5.0.2.dylib} +0 -0
  55. data/lib/tcell_agent/rust/{libtcellagent-1.3.2.so → libtcellagent-5.0.2.so} +0 -0
  56. data/lib/tcell_agent/rust/libtcellagent-alpine-5.0.2.so +0 -0
  57. data/lib/tcell_agent/rust/models.rb +6 -52
  58. data/lib/tcell_agent/rust/native_agent.rb +549 -0
  59. data/lib/tcell_agent/rust/native_agent_response.rb +42 -0
  60. data/lib/tcell_agent/rust/native_library.rb +69 -0
  61. data/lib/tcell_agent/rust/tcellagent-5.0.2.dll +0 -0
  62. data/lib/tcell_agent/sensor_events/agent_setting_event.rb +12 -0
  63. data/lib/tcell_agent/sensor_events/{app_config.rb → app_config_setting_event.rb} +0 -6
  64. data/lib/tcell_agent/sensor_events/dlp.rb +2 -6
  65. data/lib/tcell_agent/sensor_events/sensor.rb +0 -62
  66. data/lib/tcell_agent/sensor_events/server_agent.rb +13 -18
  67. data/lib/tcell_agent/sensor_events/util/sanitizer_utilities.rb +0 -108
  68. data/lib/tcell_agent/sensor_events/util/utils.rb +0 -2
  69. data/lib/tcell_agent/servers/passenger.rb +1 -28
  70. data/lib/tcell_agent/servers/puma.rb +3 -21
  71. data/lib/tcell_agent/servers/rails_server.rb +1 -2
  72. data/lib/tcell_agent/servers/thin.rb +2 -2
  73. data/lib/tcell_agent/servers/unicorn.rb +19 -80
  74. data/lib/tcell_agent/servers/webrick.rb +1 -2
  75. data/lib/tcell_agent/settings_reporter.rb +11 -90
  76. data/lib/tcell_agent/sinatra.rb +14 -16
  77. data/lib/tcell_agent/tcell_context.rb +40 -14
  78. data/lib/tcell_agent/utils/headers.rb +14 -0
  79. data/lib/tcell_agent/version.rb +1 -1
  80. data/spec/lib/tcell_agent/configuration_spec.rb +55 -346
  81. data/spec/lib/tcell_agent/hooks/login_fraud_spec.rb +46 -173
  82. data/spec/lib/tcell_agent/instrumentation/cmdi/io_cmdi_spec.rb +504 -0
  83. data/spec/lib/tcell_agent/instrumentation/cmdi/kernel_cmdi_spec.rb +435 -0
  84. data/spec/lib/tcell_agent/instrumentation/cmdi_spec.rb +201 -0
  85. data/spec/lib/tcell_agent/instrumentation/lfi/file_lfi_spec.rb +326 -0
  86. data/spec/lib/tcell_agent/instrumentation/lfi/io_lfi_spec.rb +562 -0
  87. data/spec/lib/tcell_agent/instrumentation/lfi/kernel_lfi_spec.rb +264 -0
  88. data/spec/lib/tcell_agent/instrumentation/lfi_spec.rb +150 -0
  89. data/spec/lib/tcell_agent/patches_spec.rb +25 -43
  90. data/spec/lib/tcell_agent/policies/appfirewall_policy_spec.rb +183 -0
  91. data/spec/lib/tcell_agent/policies/clickjacking_policy_spec.rb +57 -0
  92. data/spec/lib/tcell_agent/policies/command_injection_policy_spec.rb +84 -773
  93. data/spec/lib/tcell_agent/policies/content_security_policy_spec.rb +161 -0
  94. data/spec/lib/tcell_agent/policies/dataloss_policy_spec.rb +9 -9
  95. data/spec/lib/tcell_agent/policies/http_redirect_policy_spec.rb +243 -198
  96. data/spec/lib/tcell_agent/policies/js_agent_policy_spec.rb +75 -0
  97. data/spec/lib/tcell_agent/policies/login_policy_spec.rb +165 -33
  98. data/spec/lib/tcell_agent/policies/patches_policy_spec.rb +84 -277
  99. data/spec/lib/tcell_agent/policies/policies_manager_spec.rb +104 -0
  100. data/spec/lib/tcell_agent/policies/policy_polling_spec.rb +6 -0
  101. data/spec/lib/tcell_agent/policies/secure_headers_policy_spec.rb +56 -0
  102. data/spec/lib/tcell_agent/rails/csrf_exception_spec.rb +9 -18
  103. data/spec/lib/tcell_agent/rails/js_agent_insert_spec.rb +13 -30
  104. data/spec/lib/tcell_agent/rails/logger_spec.rb +27 -7
  105. data/spec/lib/tcell_agent/rails/middleware/tcell_body_proxy_spec.rb +17 -12
  106. data/spec/lib/tcell_agent/rails/routes/routes_spec.rb +14 -14
  107. data/spec/lib/tcell_agent/rust/agent_config_spec.rb +27 -0
  108. data/spec/lib/tcell_agent/sensor_events/util/sanitizer_utilities_spec.rb +0 -35
  109. data/spec/lib/tcell_agent/settings_reporter_spec.rb +56 -155
  110. data/spec/spec_helper.rb +1 -1
  111. data/spec/support/builders.rb +103 -0
  112. data/spec/support/force_logger_mocking.rb +38 -0
  113. data/spec/support/resources/lfi_sample_file.txt +2 -0
  114. data/spec/support/static_agent_overrides.rb +0 -15
  115. metadata +72 -83
  116. data/lib/tcell_agent/agent/event_processor.rb +0 -326
  117. data/lib/tcell_agent/agent/fork_pipe_manager.rb +0 -113
  118. data/lib/tcell_agent/agent/policy_manager.rb +0 -219
  119. data/lib/tcell_agent/agent/policy_types.rb +0 -30
  120. data/lib/tcell_agent/api.rb +0 -91
  121. data/lib/tcell_agent/appsensor/injections_reporter.rb +0 -24
  122. data/lib/tcell_agent/authlogic.rb +0 -26
  123. data/lib/tcell_agent/config/child_process_events.rb +0 -8
  124. data/lib/tcell_agent/config/unknown_options.rb +0 -123
  125. data/lib/tcell_agent/devise.rb +0 -35
  126. data/lib/tcell_agent/instrumentation/cmdi/backtick.rb +0 -10
  127. data/lib/tcell_agent/instrumentation/cmdi/exec.rb +0 -14
  128. data/lib/tcell_agent/instrumentation/cmdi/popen.rb +0 -28
  129. data/lib/tcell_agent/instrumentation/cmdi/spawn.rb +0 -11
  130. data/lib/tcell_agent/instrumentation/cmdi/system.rb +0 -11
  131. data/lib/tcell_agent/policies/http_tx_policy.rb +0 -60
  132. data/lib/tcell_agent/policies/login_fraud_policy.rb +0 -45
  133. data/lib/tcell_agent/policies/rust_policies.rb +0 -110
  134. data/lib/tcell_agent/rails/on_start.rb +0 -41
  135. data/lib/tcell_agent/rust/libtcellagent-1.3.2.dylib +0 -0
  136. data/lib/tcell_agent/rust/tcellagent-1.3.2.dll +0 -0
  137. data/lib/tcell_agent/rust/whisperer.rb +0 -308
  138. data/lib/tcell_agent/sensor_events/appsensor_event.rb +0 -52
  139. data/lib/tcell_agent/sensor_events/appsensor_meta_event.rb +0 -45
  140. data/lib/tcell_agent/sensor_events/command_injection.rb +0 -75
  141. data/lib/tcell_agent/sensor_events/honeytokens.rb +0 -16
  142. data/lib/tcell_agent/sensor_events/login_fraud.rb +0 -60
  143. data/lib/tcell_agent/sensor_events/metrics.rb +0 -123
  144. data/lib/tcell_agent/sensor_events/patches.rb +0 -21
  145. data/lib/tcell_agent/start_background_thread.rb +0 -55
  146. data/lib/tcell_agent/system_info.rb +0 -11
  147. data/lib/tcell_agent/utils/io.rb +0 -38
  148. data/lib/tcell_agent/utils/passwords.rb +0 -28
  149. data/lib/tcell_agent/utils/queue_with_timeout.rb +0 -142
  150. data/spec/lib/tcell_agent/agent/fork_pipe_manager_spec.rb +0 -100
  151. data/spec/lib/tcell_agent/agent/policy_manager_spec.rb +0 -535
  152. data/spec/lib/tcell_agent/agent/static_agent_spec.rb +0 -133
  153. data/spec/lib/tcell_agent/api/api_spec.rb +0 -39
  154. data/spec/lib/tcell_agent/appsensor/injections_reporter_spec.rb +0 -187
  155. data/spec/lib/tcell_agent/cmdi_spec.rb +0 -736
  156. data/spec/lib/tcell_agent/config/unknown_options_spec.rb +0 -213
  157. data/spec/lib/tcell_agent/instrumentation_spec.rb +0 -225
  158. data/spec/lib/tcell_agent/policies/appsensor_policy_spec.rb +0 -517
  159. data/spec/lib/tcell_agent/policies/http_tx_policy_spec.rb +0 -22
  160. data/spec/lib/tcell_agent/rails/middleware/appsensor_middleware_spec.rb +0 -293
  161. data/spec/lib/tcell_agent/rails/middleware/dlp_middleware_spec.rb +0 -198
  162. data/spec/lib/tcell_agent/rails/middleware/global_middleware_spec.rb +0 -180
  163. data/spec/lib/tcell_agent/rails/middleware/redirect_middleware_spec.rb +0 -116
  164. data/spec/lib/tcell_agent/rust/models_spec.rb +0 -120
  165. data/spec/lib/tcell_agent/rust/whisperer_spec.rb +0 -704
  166. data/spec/lib/tcell_agent/sensor_events/appsensor_meta_event_spec.rb +0 -45
  167. data/spec/lib/tcell_agent/sensor_events/sessions_metric_spec.rb +0 -272
  168. data/spec/lib/tcell_agent/utils/bounded_queue_spec.rb +0 -52
  169. data/spec/lib/tcell_agent/utils/passwords_spec.rb +0 -143
@@ -0,0 +1,161 @@
1
+
2
+ require 'spec_helper'
3
+
4
+ module TCellAgent
5
+ module Policies
6
+ describe HeadersPolicy do
7
+ describe '#initialize' do
8
+ context 'empty enablements' do
9
+ it 'should disable the policy' do
10
+ native_agent = double('native_agent')
11
+ policy = HeadersPolicy.new(native_agent, {})
12
+ expect(policy.enabled).to eq(false)
13
+ end
14
+ end
15
+ end
16
+
17
+ describe '#get_headers' do
18
+ context 'with disabled policy' do
19
+ it 'should not call the native library' do
20
+ native_agent = double('native_agent')
21
+ policy = HeadersPolicy.new(native_agent, {})
22
+
23
+ expect(native_agent).to_not receive(:get_headers)
24
+
25
+ tcell_context = double('tcell_context')
26
+ policy.get_headers(tcell_context)
27
+ end
28
+ end
29
+
30
+ context 'with enabled policy' do
31
+ before(:each) do
32
+ configuration = TCellAgent::Tests::ConfigurationBuilder.new.update_attribute(
33
+ 'max_csp_header_bytes', 105
34
+ ).build
35
+ @native_agent = TCellAgent::Rust::NativeAgent.create_agent(
36
+ configuration
37
+ )
38
+ @tcell_context = TCellAgent::Tests::TCellContextBuilder.new.update_attribute(
39
+ 'session_id', 'session-id'
40
+ ).update_attribute(
41
+ 'route_id', 'route-id'
42
+ ).build
43
+ end
44
+
45
+ after(:each) do
46
+ TCellAgent::Rust::NativeAgent.free_agent(@native_agent.agent_ptr)
47
+ end
48
+
49
+ it 'should return csp header' do
50
+ enablements = @native_agent.update_policies(
51
+ {
52
+ 'csp-headers' => {
53
+ 'version' => 1,
54
+ 'policy_id' => 'xyzd',
55
+ 'headers' => [
56
+ { 'name' => 'Content-Security-Policy',
57
+ 'value' => 'test321' }
58
+ ]
59
+ }
60
+ }
61
+ )['enablements']
62
+ expect(enablements['headers']).to eq(true)
63
+
64
+ @policy = HeadersPolicy.new(@native_agent, enablements)
65
+ expect(@policy.enabled).to eq(true)
66
+
67
+ expect(
68
+ @policy.get_headers(@tcell_context)
69
+ ).to eq(
70
+ [{ 'name' => 'Content-Security-Policy', 'value' => 'test321' }]
71
+ )
72
+ end
73
+
74
+ context 'header with report uri' do
75
+ it 'should return csp header' do
76
+ enablements = @native_agent.update_policies(
77
+ {
78
+ 'csp-headers' => {
79
+ 'version' => 1,
80
+ 'policy_id' => 'xyzd',
81
+ 'headers' => [
82
+ { 'name' => 'Content-Security-Policy',
83
+ 'value' => 'normalvalue',
84
+ 'report_uri' => 'https://www.example.com/xys' }
85
+ ]
86
+ }
87
+ }
88
+ )['enablements']
89
+ expect(enablements['headers']).to eq(true)
90
+
91
+ @policy = HeadersPolicy.new(@native_agent, enablements)
92
+ expect(@policy.enabled).to eq(true)
93
+
94
+ expect(
95
+ @policy.get_headers(@tcell_context)
96
+ ).to eq(
97
+ [{ 'name' => 'Content-Security-Policy',
98
+ 'value' => 'normalvalue; report-uri https://www.example.com/xys?sid=ab7074d0bf86c2884766d88b6ad9de4a&rid=route-id' }]
99
+ )
100
+ end
101
+ end
102
+
103
+ context 'header equal to max csp header bytes' do
104
+ it 'should return csp header' do
105
+ enablements = @native_agent.update_policies(
106
+ {
107
+ 'csp-headers' => {
108
+ 'version' => 1,
109
+ 'policy_id' => 'xyzd',
110
+ 'headers' => [
111
+ { 'name' => 'Content-Security-Policy',
112
+ 'value' => 'normalvalue',
113
+ 'report_uri' => 'https://www.example.com/1234567' }
114
+ ]
115
+ }
116
+ }
117
+ )['enablements']
118
+ expect(enablements['headers']).to eq(true)
119
+
120
+ @policy = HeadersPolicy.new(@native_agent, enablements)
121
+ expect(@policy.enabled).to eq(true)
122
+
123
+ expect(
124
+ @policy.get_headers(@tcell_context)
125
+ ).to eq(
126
+ [{ 'name' => 'Content-Security-Policy',
127
+ 'value' => 'normalvalue; report-uri https://www.example.com/1234567?sid=ab7074d0bf86c2884766d88b6ad9de4a&rid=route-id' }]
128
+ )
129
+ end
130
+ end
131
+
132
+ context 'header exceeding to max csp header bytes' do
133
+ it 'should not return csp header' do
134
+ enablements = @native_agent.update_policies(
135
+ {
136
+ 'csp-headers' => {
137
+ 'version' => 1,
138
+ 'policy_id' => 'xyzd',
139
+ 'headers' => [
140
+ { 'name' => 'Content-Security-Policy',
141
+ 'value' => 'normalvalue',
142
+ 'report_uri' => 'https://www.example.com/12345678' }
143
+ ]
144
+ }
145
+ }
146
+ )['enablements']
147
+ expect(enablements['headers']).to eq(true)
148
+
149
+ @policy = HeadersPolicy.new(@native_agent, enablements)
150
+ expect(@policy.enabled).to eq(true)
151
+
152
+ expect(
153
+ @policy.get_headers(@tcell_context)
154
+ ).to eq([])
155
+ end
156
+ end
157
+ end
158
+ end
159
+ end
160
+ end
161
+ end
@@ -10,7 +10,7 @@ module TCellAgent
10
10
  'session_id_protections' => { 'body' => ['redact'], 'log' => ['event'] }
11
11
  }
12
12
  }
13
- policy_two = DataLossPolicy.from_json(policy_json_two)
13
+ policy_two = DataLossPolicy.new(policy_json_two)
14
14
  context 'check session_id_protections' do
15
15
  it 'gives the right actions' do
16
16
  expect(policy_two.get_actions_for_session_id.body_redact).to eq(true)
@@ -37,7 +37,7 @@ module TCellAgent
37
37
  ]
38
38
  }
39
39
  }
40
- db_one_policy = DataLossPolicy.from_json(policy_json_requests)
40
+ db_one_policy = DataLossPolicy.new(policy_json_requests)
41
41
  expect(db_one_policy.get_actions_for_table('dave', 'sam', 'tommy', 'fred')).to eq(nil)
42
42
  end
43
43
  it 'Partial Policy' do
@@ -56,7 +56,7 @@ module TCellAgent
56
56
  ]
57
57
  }
58
58
  }
59
- db_one_policy = DataLossPolicy.from_json(policy_json_requests)
59
+ db_one_policy = DataLossPolicy.new(policy_json_requests)
60
60
  expect(db_one_policy.get_actions_for_table('dave', 'sam', 'tommy', 'fred').to_a[0].log_redact).to eq(true)
61
61
  expect(db_one_policy.get_actions_for_table('dave', 'sam', 'tommy', 'fred', 'abcd').to_a[0].log_redact).to eq(true)
62
62
  end
@@ -80,7 +80,7 @@ module TCellAgent
80
80
  ]
81
81
  }
82
82
  }
83
- db_two_policy = DataLossPolicy.from_json(policy_json_request_ids)
83
+ db_two_policy = DataLossPolicy.new(policy_json_request_ids)
84
84
  expect(db_two_policy.get_actions_for_table('dave', 'sam', 'tommy', 'fred').to_a.size).to eq(0)
85
85
  expect(db_two_policy.get_actions_for_table('dave', 'sam', 'tommy', 'fred', 'other_route').to_a.size).to eq(0)
86
86
  expect(db_two_policy.get_actions_for_table('dave', 'sam', 'tommy', 'fred', 'abcd').to_a.size).to eq(1)
@@ -107,7 +107,7 @@ module TCellAgent
107
107
  ]
108
108
  }
109
109
  }
110
- policy_three = DataLossPolicy.from_json(policy_json_requests)
110
+ policy_three = DataLossPolicy.new(policy_json_requests)
111
111
  expect(policy_three.get_actions_for_request('form', 'test123').to_a[0].body_event).to eq(true)
112
112
  expect(policy_three.get_actions_for_request('form', 'test123').to_a[0].log_event).to eq(nil)
113
113
  end
@@ -129,7 +129,7 @@ module TCellAgent
129
129
  ]
130
130
  }
131
131
  }
132
- policy_three = DataLossPolicy.from_json(policy_json_requests)
132
+ policy_three = DataLossPolicy.new(policy_json_requests)
133
133
  entry_wildcard_route = policy_three.get_actions_for_request('form', 'TeSt123')
134
134
  entry_given_route = policy_three.get_actions_for_request('form', 'TeSt123', 'routex')
135
135
  expect(entry_wildcard_route).to eq(nil)
@@ -156,7 +156,7 @@ module TCellAgent
156
156
  ]
157
157
  }
158
158
  }
159
- policy_three = DataLossPolicy.from_json(policy_json_requests)
159
+ policy_three = DataLossPolicy.new(policy_json_requests)
160
160
  entry_wildcard_route = policy_three.get_actions_for_request('cookie', 'test123')
161
161
  entry_given_route = policy_three.get_actions_for_request('cookie', 'test123', 'routex')
162
162
  expect(entry_wildcard_route).to eq(nil)
@@ -183,7 +183,7 @@ module TCellAgent
183
183
  ]
184
184
  }
185
185
  }
186
- policy_three = DataLossPolicy.from_json(policy_json_requests)
186
+ policy_three = DataLossPolicy.new(policy_json_requests)
187
187
  entry_wildcard_route = policy_three.get_actions_for_request('cookie', 'test123')
188
188
  entry_given_route = policy_three.get_actions_for_request('cookie', 'test123', 'routex')
189
189
  expect(entry_wildcard_route).to eq(nil)
@@ -208,7 +208,7 @@ module TCellAgent
208
208
  ]
209
209
  }
210
210
  }
211
- policy_three = DataLossPolicy.from_json(policy_json_requests)
211
+ policy_three = DataLossPolicy.new(policy_json_requests)
212
212
  entry_wildcard_route = policy_three.get_actions_for_request('header', 'TeSt123')
213
213
  entry_given_route = policy_three.get_actions_for_request('header', 'TeSt123', 'routex')
214
214
  expect(entry_wildcard_route).to eq(nil)
@@ -3,232 +3,277 @@ require 'spec_helper'
3
3
  module TCellAgent
4
4
  module Policies
5
5
  describe HttpRedirectPolicy do
6
- context 'with defaults' do
7
- it 'returns true' do
8
- http_redirect_plain = HttpRedirectPolicy.new
9
- expect(http_redirect_plain.policy_id).to eq(nil)
10
- expect(http_redirect_plain.enabled).to eq(false)
11
- expect(http_redirect_plain.block).to eq(false)
12
- expect(http_redirect_plain.whitelist).to eq([])
13
- expect(http_redirect_plain.data_scheme_allowed).to eq(false)
6
+ describe '#initialize' do
7
+ context 'empty enablements' do
8
+ it 'should disable the policy' do
9
+ native_agent = double('native_agent')
10
+ policy = HttpRedirectPolicy.new(native_agent, {})
11
+ expect(policy.enabled).to eq(false)
12
+ end
14
13
  end
15
14
  end
16
15
 
17
- describe '#suspicious_redirect?' do
18
- it "see's other domain" do
19
- http_redirect_policy = HttpRedirectPolicy.from_json({
20
- 'policy_id' => 'x1a1',
21
- 'data' => {
22
- 'enabled' => true
23
- }
24
- })
25
- expect(http_redirect_policy.policy_id).to eq('x1a1')
26
- expect(http_redirect_policy.enabled).to eq(true)
27
-
28
- expect(http_redirect_policy.suspicious_redirect?('test.google.com', 'www.test.com')).to eq(true)
29
- end
30
-
31
- context 'with wildcard domain' do
32
- it 'should be false' do
33
- http_redirect_policy = HttpRedirectPolicy.from_json({
34
- 'policy_id' => 'x1a1',
35
- 'data' => {
36
- 'enabled' => true,
37
- 'whitelist' => ['*.google.com']
38
- }
39
- })
16
+ describe '#check_redirect' do
17
+ context 'with disabled policy' do
18
+ it 'should not call the native library' do
19
+ native_agent = double('native_agent')
20
+ policy = HttpRedirectPolicy.new(native_agent, {})
40
21
 
41
- expect(http_redirect_policy.suspicious_redirect?('test.google.com', 'www.test.com')).to eq(false)
22
+ expect(native_agent).to_not receive(:check_http_redirect)
42
23
 
43
- expect(http_redirect_policy.suspicious_redirect?('test.google.net', 'www.test.com')).to eq(true)
24
+ tcell_context = double('tcell_context')
25
+ expect(
26
+ policy.check_redirect(
27
+ 'http://localhost:8011/abc/def',
28
+ 'localhost:8011',
29
+ 200,
30
+ tcell_context
31
+ )
32
+ ).to eq('http://localhost:8011/abc/def')
44
33
  end
45
34
  end
46
- end
47
35
 
48
- describe '#enforce' do
49
- context 'with a disabled policy' do
50
- it 'should not enfore the policy' do
51
- http_redirect_policy = HttpRedirectPolicy.from_json({
52
- 'policy_id' => 'x1a1',
53
- 'data' => {
54
- 'enabled' => false,
55
- 'block' => true,
56
- 'whitelist' => ['*.google.com']
57
- }
58
- })
59
-
60
- expect(http_redirect_policy.enforce(
61
- 'https://test.google.com', 'www.test.com', '/path/a', 'GET', 'routex', '1.1.1.1', 400
62
- )).to eq(nil)
36
+ context 'with native agent' do
37
+ before(:each) do
38
+ configuration = TCellAgent::Tests::ConfigurationBuilder.new.build
39
+ @native_agent = TCellAgent::Rust::NativeAgent.create_agent(
40
+ configuration
41
+ )
63
42
  end
64
- end
65
43
 
66
- context 'with an enabled policy' do
67
- context 'redirecting to non whitelisted domain' do
68
- it 'should block the redirect' do
69
- http_redirect_policy = HttpRedirectPolicy.from_json({
70
- 'policy_id' => 'x1a1',
71
- 'data' => {
72
- 'enabled' => true,
73
- 'block' => true,
74
- 'whitelist' => ['good.com']
75
- }
76
- })
77
-
78
- expect(http_redirect_policy.enforce(
79
- 'https://www.google.com/abc/def', 'localhost', '/path/a', 'GET', 'routey', '1.1.1.1', 400
80
- )).to eq('/')
81
- end
44
+ after(:each) do
45
+ TCellAgent::Rust::NativeAgent.free_agent(@native_agent.agent_ptr)
82
46
  end
83
47
 
84
- context 'with a wildcard whitelist' do
85
- it 'should not enfore allowed domains properly' do
86
- http_redirect_policy = HttpRedirectPolicy.from_json({
87
- 'policy_id' => 'x1a1',
88
- 'data' => {
89
- 'enabled' => true,
90
- 'block' => true,
91
- 'whitelist' => ['*.allowed*.com']
92
- }
93
- })
94
-
95
- expect(http_redirect_policy.enforce(
96
- 'https://allowed.com', 'localhost', '/path/a', 'GET', 'routey', '1.1.1.1', 400
97
- )).to eq(nil)
98
-
99
- expect(http_redirect_policy.enforce(
100
- 'https://www.alloweddomain.com', 'localhost', '/path/a', 'GET', 'routey', '1.1.1.1', 400
101
- )).to eq(nil)
48
+ context 'redirect to the same' do
49
+ it 'should not block the redirect' do
50
+ enablements = @native_agent.update_policies(
51
+ {
52
+ 'http-redirect' => {
53
+ 'version' => 1,
54
+ 'policy_id' => 'nyzd',
55
+ 'data' => {
56
+ 'enabled' => true,
57
+ 'whitelist' => ['whitelisted'],
58
+ 'block' => true
59
+ }
60
+ }
61
+ }
62
+ )['enablements']
63
+ expect(enablements['http_redirect']).to eq(true)
64
+
65
+ @policy = HttpRedirectPolicy.new(@native_agent, enablements)
66
+ expect(@policy.enabled).to eq(true)
67
+
68
+ tcell_context = TCellAgent::Tests::TCellContextBuilder.new.update_attribute(
69
+ 'path', '/etc/123'
70
+ ).update_attribute(
71
+ 'remote_address', '0.1.1.0'
72
+ ).update_attribute(
73
+ 'fullpath', '/etc/123'
74
+ ).build
75
+ check = @policy.check_redirect(
76
+ 'http://localhost:8011/abc/def',
77
+ 'localhost:8011',
78
+ 200,
79
+ tcell_context
80
+ )
81
+
82
+ expect(check).to eq('http://localhost:8011/abc/def')
102
83
  end
103
84
  end
104
- end
105
85
 
106
- context 'with ports' do
107
- it 'should remove ports in redirect event' do
108
- http_redirect_policy = HttpRedirectPolicy.from_json({
109
- 'policy_id' => 'x1a1',
110
- 'data' => {
111
- 'enabled' => true,
112
- 'block' => false
113
- }
114
- })
115
-
116
- expect(TCellAgent).to receive(:send_event).with({
117
- 'event_type' => 'redirect',
118
- 'method' => 'GET',
119
- 'from_domain' => 'www.test.com',
120
- 'status_code' => 400,
121
- 'remote_addr' => '1.1.1.1',
122
- 'to' => 'www.google.com',
123
- 'from' => '/path/a',
124
- 'rid' => 'routex'
125
- })
126
-
127
- result = http_redirect_policy.enforce(
128
- 'https://www.google.com:80', 'http://www.test.com', '/path/a', 'GET', 'routex', 400, '1.1.1.1'
129
- )
130
- expect(result).to eq(nil)
86
+ context 'asterisk in whitelisted domain' do
87
+ it 'should allow the redirect' do
88
+ enablements = @native_agent.update_policies(
89
+ {
90
+ 'http-redirect' => {
91
+ 'version' => 1,
92
+ 'policy_id' => 'nyzd',
93
+ 'data' => {
94
+ 'enabled' => true,
95
+ 'whitelist' => ['*.allowed*.com'],
96
+ 'block' => true
97
+ }
98
+ }
99
+ }
100
+ )['enablements']
101
+ expect(enablements['http_redirect']).to eq(true)
102
+
103
+ @policy = HttpRedirectPolicy.new(@native_agent, enablements)
104
+ expect(@policy.enabled).to eq(true)
105
+
106
+ tcell_context = TCellAgent::Tests::TCellContextBuilder.new.update_attribute(
107
+ 'path', '/etc/123'
108
+ ).update_attribute(
109
+ 'remote_address', '0.1.1.0'
110
+ ).update_attribute(
111
+ 'fullpath', '/etc/123'
112
+ ).build
113
+ check = @policy.check_redirect(
114
+ 'http://allowed.com',
115
+ 'localhost:8011',
116
+ 200,
117
+ tcell_context
118
+ )
119
+
120
+ expect(check).to eq('http://allowed.com')
121
+ end
131
122
  end
132
- end
133
123
 
134
- context 'data_scheme_allowed' do
135
- context 'is not allowed' do
136
- it 'should send an event' do
137
- @http_redirect_policy = HttpRedirectPolicy.from_json({
138
- 'policy_id' => 'x1a1',
139
- 'data' => {
140
- 'enabled' => true,
141
- 'whitelist' => [],
142
- 'block' => false,
143
- 'data_scheme_allowed' => false
144
- }
145
- })
146
-
147
- expect(TCellAgent).to receive(:send_event).with({
148
- 'event_type' => 'redirect',
149
- 'method' => 'GET',
150
- 'from_domain' => 'www.test.com',
151
- 'status_code' => 400,
152
- 'remote_addr' => '1.1.1.1',
153
- 'to' => 'data:text/html base64',
154
- 'from' => '/path/a',
155
- 'rid' => 'routex'
156
- })
157
-
158
- result = @http_redirect_policy.enforce(
159
- 'data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K',
160
- 'http://www.test.com',
161
- '/path/a',
162
- 'GET',
163
- 'routex',
164
- 400,
165
- '1.1.1.1'
124
+ context 'domain with a port' do
125
+ it 'should block the redirect' do
126
+ enablements = @native_agent.update_policies(
127
+ {
128
+ 'http-redirect' => {
129
+ 'version' => 1,
130
+ 'policy_id' => 'nyzd',
131
+ 'data' => {
132
+ 'enabled' => true,
133
+ 'whitelist' => [],
134
+ 'block' => true
135
+ }
136
+ }
137
+ }
138
+ )['enablements']
139
+ expect(enablements['http_redirect']).to eq(true)
140
+
141
+ @policy = HttpRedirectPolicy.new(@native_agent, enablements)
142
+ expect(@policy.enabled).to eq(true)
143
+
144
+ tcell_context = TCellAgent::Tests::TCellContextBuilder.new.update_attribute(
145
+ 'path', '/some/path'
146
+ ).update_attribute(
147
+ 'remote_address', '0.1.1.0'
148
+ ).update_attribute(
149
+ 'fullpath', '/some/path'
150
+ ).build
151
+ check = @policy.check_redirect(
152
+ 'http://user:pass@192.168.99.100:3000',
153
+ 'localhost:8011',
154
+ 200,
155
+ tcell_context
166
156
  )
167
- expect(result).to eq(nil)
157
+
158
+ expect(check).to eq('/')
168
159
  end
160
+ end
161
+
162
+ context 'data scheme redirect' do
163
+ context 'not allowed' do
164
+ it 'should block the redirect' do
165
+ enablements = @native_agent.update_policies(
166
+ {
167
+ 'http-redirect' => {
168
+ 'version' => 1,
169
+ 'policy_id' => 'nyzd',
170
+ 'data' => {
171
+ 'enabled' => true,
172
+ 'whitelist' => ['whitelisted'],
173
+ 'block' => true,
174
+ 'data_scheme_allowed' => false
175
+ }
176
+ }
177
+ }
178
+ )['enablements']
179
+ expect(enablements['http_redirect']).to eq(true)
180
+
181
+ @policy = HttpRedirectPolicy.new(@native_agent, enablements)
182
+ expect(@policy.enabled).to eq(true)
169
183
 
170
- context 'and blocking is enabled' do
171
- it 'should send an event and redirect to root' do
172
- @http_redirect_policy = HttpRedirectPolicy.from_json({
173
- 'policy_id' => 'x1a1',
174
- 'data' => {
175
- 'enabled' => true,
176
- 'whitelist' => [],
177
- 'block' => true,
178
- 'data_scheme_allowed' => false
179
- }
180
- })
181
-
182
- expect(TCellAgent).to receive(:send_event).with({
183
- 'event_type' => 'redirect',
184
- 'method' => 'GET',
185
- 'from_domain' => 'www.test.com',
186
- 'status_code' => 400,
187
- 'remote_addr' => '1.1.1.1',
188
- 'to' => 'data:text/html base64',
189
- 'from' => '/path/a',
190
- 'rid' => 'routex'
191
- })
192
-
193
- result = @http_redirect_policy.enforce(
184
+ tcell_context = TCellAgent::Tests::TCellContextBuilder.new.update_attribute(
185
+ 'path', '/some/path'
186
+ ).update_attribute(
187
+ 'remote_address', '0.1.1.0'
188
+ ).update_attribute(
189
+ 'fullpath', '/some/path'
190
+ ).build
191
+ check = @policy.check_redirect(
194
192
  'data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K',
195
- 'http://www.test.com',
196
- '/path/a',
197
- 'GET',
198
- 'routex',
199
- 400,
200
- '1.1.1.1'
193
+ 'localhost:8011',
194
+ 200,
195
+ tcell_context
201
196
  )
202
- expect(result).to eq('/')
197
+
198
+ expect(check).to eq('/')
199
+ end
200
+ end
201
+
202
+ context 'is allowed' do
203
+ it 'should allow the redirect' do
204
+ enablements = @native_agent.update_policies(
205
+ {
206
+ 'http-redirect' => {
207
+ 'version' => 1,
208
+ 'policy_id' => 'nyzd',
209
+ 'data' => {
210
+ 'enabled' => true,
211
+ 'whitelist' => ['whitelisted'],
212
+ 'block' => true,
213
+ 'data_scheme_allowed' => true
214
+ }
215
+ }
216
+ }
217
+ )['enablements']
218
+ expect(enablements['http_redirect']).to eq(true)
219
+
220
+ @policy = HttpRedirectPolicy.new(@native_agent, enablements)
221
+ expect(@policy.enabled).to eq(true)
222
+
223
+ tcell_context = TCellAgent::Tests::TCellContextBuilder.new.update_attribute(
224
+ 'path', '/some/path'
225
+ ).update_attribute(
226
+ 'remote_address', '0.1.1.0'
227
+ ).update_attribute(
228
+ 'fullpath', '/some/path'
229
+ ).build
230
+ check = @policy.check_redirect(
231
+ 'data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K',
232
+ 'localhost:8011',
233
+ 200,
234
+ tcell_context
235
+ )
236
+
237
+ expect(check).to eq('data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K')
203
238
  end
204
239
  end
205
240
  end
206
241
 
207
- context 'is allowed' do
208
- it 'should not send an event' do
209
- @http_redirect_policy = HttpRedirectPolicy.from_json({
210
- 'policy_id' => 'x1a1',
211
- 'data' => {
212
- 'enabled' => true,
213
- 'whitelist' => [],
214
- 'block' => false,
215
- 'data_scheme_allowed' => true
216
- }
217
- })
218
-
219
- expect(TCellAgent).to_not receive(:send_event)
220
-
221
- result = @http_redirect_policy.enforce(
222
- 'data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K',
223
- 'http://www.test.com',
224
- '/path/a',
225
- 'GET',
226
- 'routex',
227
- 400,
228
- '1.1.1.1'
242
+ context 'relative redirect' do
243
+ it 'should allow the redirect' do
244
+ enablements = @native_agent.update_policies(
245
+ {
246
+ 'http-redirect' => {
247
+ 'version' => 1,
248
+ 'policy_id' => 'nyzd',
249
+ 'data' => {
250
+ 'enabled' => true,
251
+ 'whitelist' => [],
252
+ 'block' => true
253
+ }
254
+ }
255
+ }
256
+ )['enablements']
257
+ expect(enablements['http_redirect']).to eq(true)
258
+
259
+ @policy = HttpRedirectPolicy.new(@native_agent, enablements)
260
+ expect(@policy.enabled).to eq(true)
261
+
262
+ tcell_context = TCellAgent::Tests::TCellContextBuilder.new.update_attribute(
263
+ 'path', '/some/path'
264
+ ).update_attribute(
265
+ 'remote_address', '0.1.1.0'
266
+ ).update_attribute(
267
+ 'fullpath', '/some/path'
268
+ ).build
269
+ check = @policy.check_redirect(
270
+ '/admin/login/?next=/admin/',
271
+ 'localhost:8011',
272
+ 200,
273
+ tcell_context
229
274
  )
230
275
 
231
- expect(result).to eq(nil)
276
+ expect(check).to eq('/admin/login/?next=/admin/')
232
277
  end
233
278
  end
234
279
  end