tcell_agent 1.1.12 → 2.2.0

data/lib/tcell_agent/rails/auth/authlogic_helper.rb

@@ -0,0 +1,20 @@
+require 'tcell_agent/rails/auth/userinfo'
+
+module TCellAgent
+  TCellAgent::UserInformation.class_eval do
+    class << self
+      alias_method :original_get_user_from_request, :get_user_from_request
+      def get_user_from_request(request)
+        orig_user_id = original_get_user_from_request(request)
+        begin
+          if request.session && request.session.key?('user_credentials_id')
+            return request.session['user_credentials_id'].to_s
+          end
+        rescue StandardError
+          return orig_user_id
+        end
+        orig_user_id
+      end
+    end
+  end
+end

data/lib/tcell_agent/rails/auth/devise.rb

@@ -1,130 +1,125 @@
-if TCellAgent.configuration.should_instrument_devise? && defined?(Devise)
-  module TCellAgent
-    require 'base64'
-    require 'tcell_agent/agent'
-    require 'tcell_agent/sensor_events/login_fraud'
-
-    module DeviseInstrumentation
-      module TCellFailureAppRespond
-        def respond
-          TCellAgent::Instrumentation.safe_block('Devise Failure App Respond') do
-            if TCellAgent.configuration.enabled &&
-               TCellAgent.configuration.should_intercept_requests?
-              tcell_data = request.env[TCellAgent::Instrumentation::TCELL_ID]
-              if tcell_data
-                # in the case of http auth, user_id is set in
-                # Devise::Strategies::Authenticatable.valid_for_http_auth?
-                user_id = tcell_data.user_id
-                user_id ||= _get_tcell_username
-
-                # in the case of http auth, password is set in
-                # Devise::Strategies::Authenticatable.valid_for_http_auth?
-                password = tcell_data.password
-                password ||= _get_tcell_password
-
-                login_fraud_policy = TCellAgent.policy(TCellAgent::PolicyTypes::LOGINFRAUD)
-                if login_fraud_policy && login_fraud_policy.login_failed_enabled
-                  TCellAgent.send_event(
-                    TCellAgent::SensorEvents::LoginFailure.new(
-                      request.env,
-                      tcell_data,
-                      user_id,
-                      password
-                    )
-                  )
-                end
-              end
-
+module TCellAgent
+  require 'base64'
+  require 'tcell_agent/agent'
+
+  module DeviseInstrumentation
+    module TCellFailureAppRespond
+      def respond
+        TCellAgent::Instrumentation.safe_block('Devise Failure App Respond') do
+          if TCellAgent.configuration.should_intercept_requests?
+            tcell_data = request.env[TCellAgent::Instrumentation::TCELL_ID]
+            if tcell_data
+              # in the case of http auth, user_id is set in
+              # Devise::Strategies::Authenticatable.valid_for_http_auth?
+              user_id = tcell_data.user_id
+              user_id ||= _get_tcell_username
+
+              # in the case of http auth, password is set in
+              # Devise::Strategies::Authenticatable.valid_for_http_auth?
+              password = tcell_data.password
+              password ||= _get_tcell_password
+
+              user_valid = nil
+              login_policy = TCellAgent.policy(TCellAgent::PolicyTypes::LOGINFRAUD)
+              login_policy.report_login_failure(
+                user_id,
+                password,
+                request.env,
+                user_valid,
+                tcell_data
+              )
             end
           end
-
-          super if defined?(super)
         end
 
-        def _get_tcell_username
-          tcell_username = nil
-          TCellAgent::Instrumentation.safe_block('Devise Get TCell Username') do
-            keys = scope_class.authentication_keys.dup
-            user_params = request.POST.fetch('user', {})
-            keys.each do |key|
-              next_usename = user_params.fetch(key, nil)
-              if next_usename
-                tcell_username ||= ''
-                tcell_username += next_usename
-              end
+        super if defined?(super)
+      end
+
+      def _get_tcell_username
+        tcell_username = nil
+        TCellAgent::Instrumentation.safe_block('Devise Get TCell Username') do
+          keys = scope_class.authentication_keys.dup
+          user_params = request.POST.fetch('user', {})
+          keys.each do |key|
+            next_usename = user_params.fetch(key, nil)
+            if next_usename
+              tcell_username ||= ''
+              tcell_username += next_usename
             end
           end
-          tcell_username
         end
+        tcell_username
+      end
 
-        def _get_tcell_password
-          tcell_password = nil
-          TCellAgent::Instrumentation.safe_block('Devise Get TCell Password') do
-            user_params = request.POST.fetch('user', {})
-            tcell_password = user_params['password']
-          end
-          tcell_password
+      def _get_tcell_password
+        tcell_password = nil
+        TCellAgent::Instrumentation.safe_block('Devise Get TCell Password') do
+          user_params = request.POST.fetch('user', {})
+          tcell_password = user_params['password']
         end
+        tcell_password
       end
     end
+  end
 
-    # prepend is ruby 2+ feature
-    Devise::FailureApp.send(:prepend, DeviseInstrumentation::TCellFailureAppRespond)
-
-    Devise::Strategies::Authenticatable.class_eval do
-      alias_method :tcell_valid_for_http_auth?, :valid_for_http_auth?
-      def valid_for_http_auth?
-        is_valid = tcell_valid_for_http_auth?
-
-        TCellAgent::Instrumentation.safe_block('Devise set username for http basic auth') do
-          tcell_data = request.env[TCellAgent::Instrumentation::TCELL_ID]
-          if http_auth_hash && tcell_data
-            username = http_auth_hash[http_authentication_key]
-            password = http_auth_hash[:password]
-            tcell_data.user_id = username if username && !tcell_data.user_id
-            tcell_data.password = password if password && !tcell_data.password
-          end
+  # prepend is ruby 2+ feature
+  Devise::FailureApp.send(:prepend, DeviseInstrumentation::TCellFailureAppRespond)
+
+  Devise::Strategies::Authenticatable.class_eval do
+    alias_method :tcell_valid_for_http_auth?, :valid_for_http_auth?
+    def valid_for_http_auth?
+      is_valid = tcell_valid_for_http_auth?
+
+      TCellAgent::Instrumentation.safe_block('Devise set username for http basic auth') do
+        tcell_data = request.env[TCellAgent::Instrumentation::TCELL_ID]
+        if http_auth_hash && tcell_data
+          username = http_auth_hash[http_authentication_key]
+          password = http_auth_hash[:password]
+          tcell_data.user_id = username if username && !tcell_data.user_id
+          tcell_data.password = password if password && !tcell_data.password
         end
-
-        is_valid
       end
 
-      alias_method :tcell_validate, :validate
-      def validate(resource, &block)
-        is_valid = tcell_validate(resource, &block)
-        send_event = is_valid
+      is_valid
+    end
 
-        # gets the first entry in the current backtrace
-        # syntax suggested by rubocop to improve performance
-        if caller(1..1).first.include? 'two_factor_authenticatable'
-          TCellAgent.logger.debug('Not sending login success event for Devise::Strategies::TwoFactorAuthenticatable since 2fa is unsupported')
-          send_event = false
-        end
+    alias_method :tcell_validate, :validate
+    def validate(resource, &block)
+      is_valid = tcell_validate(resource, &block)
+      send_event = is_valid
 
-        TCellAgent::Instrumentation.safe_block('Devise Authenticatable Validate') do
-          if send_event && TCellAgent.configuration.enabled &&
-             TCellAgent.configuration.should_intercept_requests?
-            username = nil
-            (authentication_keys || []).each do |auth_key|
-              attr = authentication_hash[auth_key]
-              if attr
-                username ||= ''
-                username += attr
-              end
-            end
+      # gets the first entry in the current backtrace
+      # syntax suggested by rubocop to improve performance
+      if caller(1..1).first.include? 'two_factor_authenticatable'
+        TCellAgent.logger.debug('Not sending login success event for Devise::Strategies::TwoFactorAuthenticatable since 2fa is unsupported', 'TCellAgent::DeviseInstrumentation')
+        send_event = false
+      end
 
-            login_fraud_policy = TCellAgent.policy(TCellAgent::PolicyTypes::LOGINFRAUD)
-            if login_fraud_policy && login_fraud_policy.login_success_enabled
-              tcell_data = request.env[TCellAgent::Instrumentation::TCELL_ID]
-              if tcell_data
-                TCellAgent.send_event(TCellAgent::SensorEvents::LoginSuccess.new(request.env, tcell_data, username, nil))
-              end
+      TCellAgent::Instrumentation.safe_block('Devise Authenticatable Validate') do
+        if send_event && TCellAgent.configuration.enabled &&
+           TCellAgent.configuration.should_intercept_requests?
+          username = nil
+          (authentication_keys || []).each do |auth_key|
+            attr = authentication_hash[auth_key]
+            if attr
+              username ||= ''
+              username += attr
             end
           end
-        end
 
-        is_valid
+          tcell_data = request.env[TCellAgent::Instrumentation::TCELL_ID]
+          return is_valid unless tcell_data
+
+          login_policy = TCellAgent.policy(TCellAgent::PolicyTypes::LOGINFRAUD)
+          login_policy.report_login_success(
+            username,
+            request.env,
+            tcell_data
+          )
+        end
       end
+
+      is_valid
     end
   end
 end

data/lib/tcell_agent/rails/auth/devise_helper.rb

@@ -0,0 +1,29 @@
+require 'devise'
+require 'devise/rails'
+require 'devise/strategies/database_authenticatable'
+require 'tcell_agent/rails/auth/userinfo'
+
+module TCellAgent
+  TCellAgent::UserInformation.class_eval do
+    class << self
+      alias_method :original_get_user_from_request, :get_user_from_request
+      def get_user_from_request(request)
+        orig_user_id = original_get_user_from_request(request)
+        begin
+          if request.session && request.session.key?('warden.user.user.key')
+            userkey = request.session['warden.user.user.key']
+            user_id = if userkey.length == 2
+                        userkey[0][0]
+                      else
+                        userkey[1][0]
+                      end
+            return user_id.to_s if user_id.is_a? Integer
+          end
+        rescue StandardError
+          return orig_user_id
+        end
+        orig_user_id
+      end
+    end
+  end
+end

data/lib/tcell_agent/rails/auth/doorkeeper.rb

@@ -1,90 +1,76 @@
-if TCellAgent.configuration.should_instrument_doorkeeper?
+require 'tcell_agent/agent'
+require 'tcell_agent/sensor_events/login_fraud'
 
-  if defined?(Doorkeeper)
-    require 'tcell_agent/agent'
-    require 'tcell_agent/sensor_events/login_fraud'
+module TCellAgent
+  module DoorkeeperInstrumentation
+    Doorkeeper::TokensController.class_eval do
+      alias_method :tcell_authorize_response, :authorize_response
+      def authorize_response
+        result = tcell_authorize_response
 
-    module TCellAgent
-      module DoorkeeperInstrumentation
-        Doorkeeper::TokensController.class_eval do
-          alias_method :tcell_authorize_response, :authorize_response
-          def authorize_response
-            result = tcell_authorize_response
+        TCellAgent::Instrumentation.safe_block('Doorkeeper Token Authorize') do
+          return result unless TCellAgent.configuration.should_intercept_requests?
 
-            TCellAgent::Instrumentation.safe_block('Doorkeeper Token Authorize') do
-              if TCellAgent.configuration.enabled &&
-                 TCellAgent.configuration.should_intercept_requests?
-                login_fraud_policy = TCellAgent.policy(TCellAgent::PolicyTypes::LOGINFRAUD)
-                if login_fraud_policy &&
-                   login_fraud_policy.enabled &&
-                   login_fraud_policy.login_failed_enabled
-                  tcell_data = request.env[TCellAgent::Instrumentation::TCELL_ID]
+          login_policy = TCellAgent.policy(TCellAgent::PolicyTypes::LOGINFRAUD)
+          tcell_data = request.env[TCellAgent::Instrumentation::TCELL_ID]
 
-                  if tcell_data
-                    password = nil
-                    if result.is_a?(Doorkeeper::OAuth::TokenResponse)
-                      TCellAgent.send_event(
-                        TCellAgent::SensorEvents::LoginSuccess.new(
-                          request.env,
-                          tcell_data,
-                          result.token.resource_owner_id,
-                          password
-                        )
-                      )
-                    elsif result.is_a?(Doorkeeper::OAuth::ErrorResponse)
-                      TCellAgent.send_event(
-                        TCellAgent::SensorEvents::LoginFailure.new(
-                          request.env,
-                          tcell_data,
-                          request.POST['client_id'],
-                          password
-                        )
-                      )
-                    end
+          return unless tcell_data
+          headers = request.env
 
-                  end
-                end
-              end
-            end
-
-            result
+          if result.is_a?(Doorkeeper::OAuth::TokenResponse)
+            user_id = result.token.resource_owner_id
+            login_policy.report_login_success(
+              user_id,
+              headers,
+              tcell_data
+            )
+          elsif result.is_a?(Doorkeeper::OAuth::ErrorResponse)
+            user_id = request.POST['client_id']
+            password = nil
+            user_valid = nil
+            login_policy.report_login_failure(
+              user_id,
+              password,
+              headers,
+              user_valid,
+              tcell_data
+            )
           end
         end
 
-        module TCellAuthorizationsNew
-          def new
-            super if defined?(super)
+        result
+      end
+    end
 
-            TCellAgent::Instrumentation.safe_block('Doorkeeper Token Authorize') do
-              if TCellAgent.configuration.enabled &&
-                 TCellAgent.configuration.should_intercept_requests?
-                if pre_auth.error
-                  login_fraud_policy = TCellAgent.policy(TCellAgent::PolicyTypes::LOGINFRAUD)
-                  if login_fraud_policy &&
-                     login_fraud_policy.enabled &&
-                     login_fraud_policy.login_failed_enabled
-                    tcell_data = request.env[TCellAgent::Instrumentation::TCELL_ID]
-                    if tcell_data && pre_auth.error
-                      password = nil
-                      TCellAgent.send_event(
-                        TCellAgent::SensorEvents::LoginFailure.new(
-                          request.env,
-                          tcell_data,
-                          current_resource_owner.id,
-                          password
-                        )
-                      )
-                    end
-                  end
-                end
-              end
-            end
-          end
-        end
+    module TCellAuthorizationsNew
+      def new
+        super if defined?(super)
 
-        # prepend is ruby 2+ feature
-        Doorkeeper::AuthorizationsController.send(:prepend, TCellAuthorizationsNew)
+        TCellAgent::Instrumentation.safe_block('Doorkeeper Token Authorize') do
+          return unless TCellAgent.configuration.should_intercept_requests?
+          return unless pre_auth.error
+
+          login_policy = TCellAgent.policy(TCellAgent::PolicyTypes::LOGINFRAUD)
+          tcell_data = request.env[TCellAgent::Instrumentation::TCELL_ID]
+
+          return unless tcell_data
+
+          user_id = current_resource_owner.id
+          password = nil
+          headers = request.env
+          user_valid = nil
+          login_policy.report_login_failure(
+            user_id,
+            password,
+            headers,
+            user_valid,
+            tcell_data
+          )
+        end
       end
     end
+
+    # prepend is ruby 2+ feature
+    Doorkeeper::AuthorizationsController.send(:prepend, TCellAuthorizationsNew)
   end
 end

data/lib/tcell_agent/rails/csrf_exception.rb

@@ -4,8 +4,8 @@ module TCellAgent
   module CsrfExceptionReporter
     def handle_unverified_request
       TCellAgent::Instrumentation.safe_block('AppSensor CSRF Exception processing') do
-        rust_policies = TCellAgent.policy(TCellAgent::PolicyTypes::RUST)
-        if rust_policies && rust_policies.appfirewall_enabled
+        appfirewall_policy = TCellAgent.policy(TCellAgent::PolicyTypes::APPSENSOR)
+        if appfirewall_policy.enabled
           tcell_data = request.env[TCellAgent::Instrumentation::TCELL_ID]
           if tcell_data
             tcell_data.csrf_exception_name = 'ActionController::InvalidAuthenticityToken'
@@ -16,12 +16,4 @@ module TCellAgent
       super if defined?(super)
     end
   end
-
-  class MyRailtie < Rails::Railtie
-    initializer 'tcell.sensors' do |_app|
-      ActiveSupport.on_load :action_controller do
-        ActionController::Base.send(:include, TCellAgent::CsrfExceptionReporter)
-      end
-    end
-  end
 end