tcell_agent 1.1.12 → 2.2.0

data/lib/tcell_agent/appsensor/injections_reporter.rb

@@ -1,24 +0,0 @@
-require 'tcell_agent/sensor_events/appsensor_event'
-
-module TCellAgent
-  module AppSensor
-    module InjectionsReporter
-      def self.report_and_log(events)
-        (events || []).each do |event|
-          TCellAgent.send_event(
-            TCellAgent::SensorEvents::TCellAppSensorEvent.build_from_native_lib_event(event)
-          )
-
-          next unless event.key?('full_payload')
-          event_to_log = {}.merge(event)
-          event_to_log['payload'] = event_to_log.delete('full_payload')
-
-          cleaned_event = TCellAgent::SensorEvents::TCellAppSensorEvent.build_from_native_lib_event(
-            event_to_log
-          )
-          TCellAgent.logger.info(JSON.dump(cleaned_event))
-        end
-      end
-    end
-  end
-end

data/lib/tcell_agent/authlogic.rb

@@ -1,26 +0,0 @@
-# See the file "LICENSE" for the full license governing this code.
-
-require 'tcell_agent/userinfo'
-require 'tcell_agent/logger'
-require 'tcell_agent/sensor_events/honeytokens'
-
-module TCellAgent
-  if defined?(Authlogic)
-    TCellAgent::UserInformation.class_eval do
-      class << self
-        alias_method :original_get_user_from_request, :get_user_from_request
-        def get_user_from_request(request)
-          orig_user_id = original_get_user_from_request(request)
-          begin
-            if request.session && request.session.key?('user_credentials_id')
-              return request.session['user_credentials_id'].to_s
-            end
-          rescue StandardError
-            return orig_user_id
-          end
-          orig_user_id
-        end
-      end
-    end
-  end
-end

data/lib/tcell_agent/config/child_process_events.rb

@@ -1,8 +0,0 @@
-# Forces event manager to start in child processes
-# Conditionally loaded based on config
-class << TCellAgent::Agent
-  alias_method :tcell_parent_process?, :parent_process?
-  def parent_process?
-    true
-  end
-end

data/lib/tcell_agent/config/unknown_options.rb

@@ -1,123 +0,0 @@
-require 'set'
-
-module TCellAgent
-  module Config
-    module Validate
-      def self.get_unknown_options(config_json)
-        messages = []
-
-        known_tcell_env_vars = Set.new(
-          [
-            'TCELL_AGENT_SERVER', # this is only meant for specs
-            'TCELL_AGENT_APP_ID',
-            'TCELL_AGENT_API_KEY',
-            'TCELL_HMAC_KEY',
-            'TCELL_PASSWORD_HMAC_KEY',
-            'TCELL_AGENT_HOST_IDENTIFIER',
-            'TCELL_API_URL',
-            'TCELL_INPUT_URL',
-            'TCELL_DEMOMODE',
-            'TCELL_AGENT_HOME',
-            'TCELL_AGENT_LOG_DIR',
-            'TCELL_AGENT_CONFIG',
-            'TCELL_AGENT_ALLOW_UNENCRYPTED_APPSENSOR_PAYLOADS',
-            'TCELL_AGENT_ALLOW_UNENCRYPTED_APPFIREWALL_PAYLOADS',
-            'TCELL_AGENT_ALLOW_PAYLOADS',
-            'TCELL_AGENT_HOME_OWNER',
-            'TCELL_AGENT_ENABLED'
-          ]
-        )
-
-        ENV.keys.each do |environment_key|
-          if environment_key =~ /^TCELL_/ && !known_tcell_env_vars.include?(environment_key)
-            messages << "Unrecognized environment parameter (TCELL_*) found: #{environment_key}"
-          end
-        end
-
-        begin
-          key_differences = []
-
-          if config_json
-            first_level_keys = %w[version applications]
-
-            key_differences = config_json.keys - first_level_keys
-
-            applications = config_json.fetch('applications', nil)
-            if applications
-
-              if applications.size > 1
-                messages << 'Multiple applications detected in config file'
-
-              elsif applications.size == 1
-                application = applications[0]
-
-                second_level_keys = %w[
-                  name
-                  app_id
-                  api_key
-                  fetch_policies_from_tcell
-                  preload_policy_filename
-                  log_dir
-                  tcell_api_url
-                  tcell_input_url
-                  host_identifier
-                  hipaaSafeMode
-                  hmac_key
-                  password_hmac_key
-                  js_agent_api_base_url
-                  js_agent_url
-                  max_csp_header_bytes
-                  event_batch_size_limit
-                  allow_unencrypted_appsensor_payloads
-                  allow_unencrypted_appfirewall_payloads
-                  allow_payloads
-                  reverse_proxy
-                  reverse_proxy_ip_address_header
-                  demomode
-                  logging_options
-                  data_exposure
-                  disable_all
-                  enabled
-                  enable_event_manager
-                  enable_event_consumer
-                  enable_policy_polling
-                  enable_instrumentation
-                  enable_intercept_requests
-                  instrument_for_events
-                  agent_home_owner
-                  enabled_instrumentations
-                ]
-
-                key_differences += (application.keys - second_level_keys)
-
-                if application.fetch('logging_options', nil)
-                  logging_options = application['logging_options']
-                  key_differences += (logging_options.keys - %w[enabled level filename])
-                end
-
-                if application.fetch('data_exposure', nil)
-                  data_exposure = application['data_exposure']
-                  key_differences += (data_exposure.keys - ['max_data_ex_db_records_per_request'])
-                end
-
-                if application.fetch('enabled_instrumentations', nil)
-                  enabled_instrumentations = application['enabled_instrumentations']
-                  key_differences += (enabled_instrumentations.keys - %w[doorkeeper devise authlogic])
-                end
-              end
-            end
-
-            key_differences.each do |key|
-              messages << "Unrecognized config setting key: #{key}"
-            end
-
-          end
-        rescue StandardError => exception
-          messages << "Something went wrong verifying config file: #{exception}"
-        end
-
-        messages
-      end
-    end
-  end
-end

data/lib/tcell_agent/devise.rb

@@ -1,35 +0,0 @@
-# See the file "LICENSE" for the full license governing this code.
-
-require 'devise'
-require 'devise/rails'
-require 'devise/strategies/database_authenticatable'
-require 'tcell_agent/userinfo'
-require 'tcell_agent/logger'
-require 'tcell_agent/sensor_events/honeytokens'
-
-module TCellAgent
-  if defined?(Devise)
-    TCellAgent::UserInformation.class_eval do
-      class << self
-        alias_method :original_get_user_from_request, :get_user_from_request
-        def get_user_from_request(request)
-          orig_user_id = original_get_user_from_request(request)
-          begin
-            if request.session && request.session.key?('warden.user.user.key')
-              userkey = request.session['warden.user.user.key']
-              user_id = if userkey.length == 2
-                          userkey[0][0]
-                        else
-                          userkey[1][0]
-                        end
-              return user_id.to_s if user_id.is_a? Integer
-            end
-          rescue StandardError
-            return orig_user_id
-          end
-          orig_user_id
-        end
-      end
-    end
-  end
-end

data/lib/tcell_agent/instrumentation/cmdi/backtick.rb

@@ -1,10 +0,0 @@
-module Kernel
-  alias_method :tcell_original_backtick, :`
-  def `(cmd)
-    if TCellAgent::Cmdi.block_command?(cmd)
-      raise Errno::ENOENT, "tCell.io Agent: Command not allowed by policy: #{cmd}"
-    end
-
-    tcell_original_backtick(cmd)
-  end
-end

data/lib/tcell_agent/instrumentation/cmdi/exec.rb

@@ -1,14 +0,0 @@
-module Kernel
-  alias_method :tcell_original_exec, :exec
-
-  private
-
-  def exec(*args)
-    cmd = TCellAgent::Cmdi.parse_command(*args)
-    if TCellAgent::Cmdi.block_command?(cmd)
-      raise Errno::ENOENT, "tCell.io Agent: Command not allowed by policy: #{cmd}"
-    end
-
-    tcell_original_exec(*args)
-  end
-end

data/lib/tcell_agent/instrumentation/cmdi/popen.rb

@@ -1,28 +0,0 @@
-class IO
-  class << self
-    alias_method :tcell_original_popen, :popen
-    def popen(*args, &block)
-      unless args.empty?
-        cmd = ''
-
-        TCellAgent::Instrumentation.safe_block('CMDI Parsing popen *args') do
-          args_copy = Array.new(args)
-          args_copy.shift if args_copy.first.is_a?(Hash)
-          args_copy.pop if args_copy.last.is_a?(Hash)
-
-          cmd = if args_copy.first.is_a?(String)
-                  args_copy.shift
-                else
-                  TCellAgent::Cmdi.parse_command(*args_copy.shift)
-                end
-        end
-
-        if TCellAgent::Cmdi.block_command?(cmd)
-          raise Errno::ENOENT, "tCell.io Agent: Command not allowed by policy: #{cmd}"
-        end
-      end
-
-      tcell_original_popen(*args, &block)
-    end
-  end
-end

data/lib/tcell_agent/instrumentation/cmdi/spawn.rb

@@ -1,11 +0,0 @@
-module Kernel
-  alias_method :tcell_original_spawn, :spawn
-  def spawn(*args)
-    cmd = TCellAgent::Cmdi.parse_command(*args)
-    if TCellAgent::Cmdi.block_command?(cmd)
-      raise Errno::ENOENT, "tCell.io Agent: Command not allowed by policy: #{cmd}"
-    end
-
-    tcell_original_spawn(*args)
-  end
-end

data/lib/tcell_agent/instrumentation/cmdi/system.rb

@@ -1,11 +0,0 @@
-module Kernel
-  alias_method :tcell_original_system, :system
-  def system(*args)
-    cmd = TCellAgent::Cmdi.parse_command(*args)
-    if TCellAgent::Cmdi.block_command?(cmd)
-      raise Errno::ENOENT, "tCell.io Agent: Command not allowed by policy: #{cmd}"
-    end
-
-    tcell_original_system(*args)
-  end
-end

data/lib/tcell_agent/policies/http_tx_policy.rb

@@ -1,60 +0,0 @@
-# {}"http-tx": {
-#        "policy_id":"afh023",
-#        "types": {
-#               "firehose": { enabled: true },
-# {}"auth_framework_only": {enabled: true},
-# {}"{}structure": {enabled: true },
-# {}"fingerprint": {enabled: true }
-# }
-# },
-
-require 'tcell_agent/policies/policy'
-
-module TCellAgent
-  module Policies
-    class HttpTxPolicy < Policy
-      attr_accessor :policy_id, :firehose, :auth_framework, :profile, :fingerprint
-
-      def initialize
-        @firehose = { 'enabled' => false, 'lite' => false }
-        @auth_framework = { 'enabled' => false, 'lite' => false }
-        @profile = { 'enabled' => false }
-        @fingerprint = { 'enabled' => false, 'hmacUserAgent' => false, 'hmacUserId' => false, 'sampling' => nil }
-      end
-
-      def self.from_json(policy_json)
-        return nil unless policy_json
-        http_tx_policy = HttpTxPolicy.new
-
-        http_tx_policy.policy_id = policy_json['policy_id']
-        raise 'Policy ID missing' unless http_tx_policy.policy_id
-
-        types = policy_json['types']
-        return http_tx_policy unless types
-
-        if types.key?('firehose')
-          http_tx_policy.firehose['enabled'] = types['firehose'].fetch('enabled', false)
-          http_tx_policy.firehose['lite'] = types['firehose'].fetch('lite', false)
-        end
-
-        if types.key?('auth_framework')
-          http_tx_policy.auth_framework['enabled'] = types['auth_framework'].fetch('enabled', false)
-          http_tx_policy.auth_framework['lite'] = types['auth_framework'].fetch('lite', false)
-        end
-
-        if types.key?('profile')
-          http_tx_policy.profile['enabled'] = types['profile'].fetch('enabled', false)
-        end
-
-        if types.key?('fingerprint')
-          http_tx_policy.fingerprint['enabled'] = types['fingerprint'].fetch('enabled', false)
-          http_tx_policy.fingerprint['hmacUserAgent'] = types['fingerprint'].fetch('hmacUserAgent', false)
-          http_tx_policy.fingerprint['hmacUserId'] = types['fingerprint'].fetch('hmacUserId', false)
-          http_tx_policy.fingerprint['sampling'] = types['fingerprint'].fetch('sampling', 0)
-        end
-
-        http_tx_policy
-      end
-    end
-  end
-end

data/lib/tcell_agent/policies/login_fraud_policy.rb

@@ -1,45 +0,0 @@
-require 'tcell_agent/policies/policy'
-
-module TCellAgent
-  module Policies
-    class LoginFraudPolicy < Policy
-      attr_accessor :policy_id
-
-      attr_accessor :login_success_enabled
-      attr_accessor :login_failed_enabled
-      attr_accessor :session_hijacking_metrics
-
-      def initialize
-        init_options
-      end
-
-      def init_options
-        @policy_id = nil
-        @login_success_enabled = false
-        @login_failed_enabled = false
-        @session_hijacking_metrics = false
-      end
-
-      def enabled
-        @login_success_enabled || @login_failed_enabled
-      end
-
-      def self.from_json(policy_json)
-        return nil unless policy_json
-        sensor_policy = LoginFraudPolicy.new
-
-        sensor_policy.policy_id = policy_json['policy_id']
-        raise 'Policy ID missing' unless sensor_policy.policy_id
-
-        options_json = (policy_json['data'] || {})['options']
-        return sensor_policy unless options_json
-
-        sensor_policy.login_failed_enabled = options_json.fetch('login_failed_enabled', false)
-        sensor_policy.login_success_enabled = options_json.fetch('login_success_enabled', false)
-        sensor_policy.session_hijacking_metrics = options_json.fetch('session_hijacking_enabled', false)
-
-        sensor_policy
-      end
-    end
-  end
-end

data/lib/tcell_agent/policies/rust_policies.rb

@@ -1,110 +0,0 @@
-require 'tcell_agent/appsensor/injections_reporter'
-require 'tcell_agent/instrumentation'
-require 'tcell_agent/policies/policy'
-require 'tcell_agent/rust/models'
-require 'tcell_agent/rust/whisperer'
-require 'tcell_agent/sensor_events/command_injection'
-require 'tcell_agent/sensor_events/patches'
-
-module TCellAgent
-  module Policies
-    class RustPolicies < Policy
-      attr_reader :appfirewall_enabled, :patches_enabled, :cmdi_enabled
-
-      def initialize
-        @appfirewall_enabled = false
-        @patches_enabled = false
-        @cmdi_enabled = false
-        @headers_enabled = false
-        @jsagent_enabled = false
-        @agent_ptr = nil
-
-        whisper = TCellAgent::Rust::Whisperer.create_agent
-        if whisper['error']
-          TCellAgent.logger.error("Error initializing policies: #{whisper['error']}")
-        else
-          @agent_ptr = whisper['agent_ptr']
-        end
-      end
-
-      def update_policies(policies_json)
-        return if @agent_ptr.nil? || policies_json.nil? || policies_json.empty?
-
-        whisper = TCellAgent::Rust::Whisperer.update_policies(@agent_ptr, policies_json)
-        if whisper['errors']
-          whisper['errors'].each do |error|
-            TCellAgent.logger.error("Error updating policies: #{error}")
-          end
-        else
-          enablements = whisper['enablements']
-          @appfirewall_enabled = enablements['appfirewall']
-          @patches_enabled = enablements['patches']
-          @cmdi_enabled = enablements['cmdi']
-          @headers_enabled = enablements['headers']
-          @jsagent_enabled = enablements['jsagentinjection']
-        end
-      end
-
-      def block_request?(appsensor_meta)
-        return false unless @agent_ptr && @patches_enabled
-
-        whisper = TCellAgent::Rust::Whisperer.apply_patches(@agent_ptr, appsensor_meta)
-        if whisper['error']
-          TCellAgent.logger.error("Error processing patches: #{whisper['error']}")
-        else
-          response = whisper['apply_response']
-          if response && response['status'] == 'Blocked'
-            patches_event = TCellAgent::SensorEvents::PatchesEvent.new(response, appsensor_meta)
-            TCellAgent.send_event(patches_event)
-            return true
-          end
-        end
-
-        false
-      end
-
-      def check_appfirewall_injections(appsensor_meta)
-        return unless @agent_ptr && @appfirewall_enabled
-
-        TCellAgent::Instrumentation.safe_block('AppSensor inspection') do
-          whisper = TCellAgent::Rust::Whisperer.apply_appfirewall(@agent_ptr, appsensor_meta)
-          TCellAgent::AppSensor::InjectionsReporter.report_and_log(whisper['apply_response'])
-        end
-      end
-
-      def block_command?(command, tcell_context)
-        return false unless @agent_ptr &&
-                            @cmdi_enabled &&
-                            TCellAgent.safe_to_send_cmdi_events?
-        whisper = TCellAgent::Rust::Whisperer.apply_cmdi(
-          @agent_ptr, command, tcell_context
-        )
-        apply_response = whisper.fetch('apply_response', {})
-        cmdi_event =
-          TCellAgent::SensorEvents::CommandInjectionEvent.build_from_native_lib_response_and_tcell_context(apply_response,
-                                                                                                           tcell_context)
-        TCellAgent.send_event(cmdi_event) if cmdi_event
-
-        apply_response.fetch('blocked', false)
-      end
-
-      def get_headers(tcell_context)
-        return [] unless @agent_ptr &&
-                         @headers_enabled
-        whisper = TCellAgent::Rust::Whisperer.get_headers(
-          @agent_ptr, tcell_context
-        )
-        whisper['headers'] || []
-      end
-
-      def get_js_agent_script_tag(tcell_context)
-        return nil unless @agent_ptr &&
-                          @jsagent_enabled
-        whisper = TCellAgent::Rust::Whisperer.get_js_agent_script_tag(
-          @agent_ptr, tcell_context
-        )
-        whisper['script_tag']
-      end
-    end
-  end
-end