tcell_agent 2.1.1 → 2.4.0

data/lib/tcell_agent/routes/table.rb

@@ -2,6 +2,7 @@ module TCellAgent
   module Routes
     class FieldEndpoint
       attr_accessor :discovered
+
       def initialize
         super()
         @discovered = false
@@ -11,6 +12,7 @@ module TCellAgent
     class RouteEndpoint
       attr_accessor :database
       attr_accessor :database_queries_discovered
+
       def initialize
         @database_queries_discovered = {}
         @database = Hash.new do |d_h, d_k| # Database
@@ -27,6 +29,7 @@ module TCellAgent
 
     class RouteTable
       attr_accessor :routes
+
       def initialize
         @routes = Hash.new { |h, k| h[k] = RouteEndpoint.new }
       end

data/lib/tcell_agent/rust/agent_config.rb

@@ -1,48 +1,68 @@
+# frozen_string_literal: true
+
 require 'tcell_agent/version'
+require 'tcell_agent/rust/models'
 
 module TCellAgent
   module Rust
     class AgentConfig < Hash
       def initialize(configuration)
-        send_mode = 'Normal'
-        send_mode = 'Demo' if configuration.demomode
+        self['agent_type'] = 'Ruby'
+        self['agent_version'] = TCellAgent::VERSION
+        self['default_cache_dir'] = File.join(Dir.getwd, 'tcell/cache')
+        self['default_config_file_dir'] = File.join(Dir.getwd, 'config')
+        self['default_log_dir'] = File.join(Dir.getwd, 'tcell/logs')
+        self['default_preload_policy_file_dir'] = Dir.getwd
 
-        logging_options = configuration.clean_logging_options
-        unless configuration.js_agent_api_base_url
-          parsed_uri = URI.parse(configuration.tcell_api_url)
-          api_url = [parsed_uri.scheme, '://', parsed_uri.host]
-          api_url.push(":#{parsed_uri.port}") unless [80, 443].include?(parsed_uri.port)
-          configuration.js_agent_api_base_url = "#{api_url.join('')}/api/v1"
+        if defined?(ConfigInitializer)
+          overrides = Models.clean_nils(AgentConfigOverrides.new(configuration))
+          self['overrides'] = overrides
+        else
+          self['overrides'] = { 'applications' => [{ :enable_json_body_inspection => true }],
+                                'config_file_path' => configuration.get_config_file_path }
         end
 
-        self['disable_event_sending'] = !configuration.should_start_event_manager?
-        self['send_mode'] = send_mode
-        self['agent_type'] = 'Ruby'
-        self['agent_version'] = TCellAgent::VERSION
-        self['diagnostics_enabled'] = false
-        self['application'] = {
+        set_agent_details
+      end
+
+      def set_agent_details
+        self['agent_details'] = { 'language' => 'Ruby',
+                                  'language_version' => RUBY_VERSION,
+                                  'app_framework' => 'Rails',
+                                  'app_framework_version' => ::Rails.version }
+      end
+    end
+
+    class AgentConfigOverrides < Hash
+      def initialize(configuration)
+        applications = {
+          :allow_payloads => configuration.allow_payloads,
+          :api_key => configuration.api_key,
           :app_id => configuration.app_id,
-          :api_key =>  configuration.api_key,
-          :tcell_api_url => configuration.tcell_api_url,
-          :tcell_input_url => configuration.tcell_input_url,
+          :enable_json_body_inspection => true,
           :hmac_key => configuration.hmac_key,
+          :max_header_size => configuration.max_csp_header_bytes,
           :password_hmac_key => configuration.password_hmac_key,
-          :allow_payloads => configuration.allow_payloads,
-          :js_agent_api_base_url => configuration.js_agent_api_base_url,
-          :js_agent_url => configuration.js_agent_url,
-          :cache_dir => configuration.cache_folder,
-          :log_dir => configuration.agent_log_dir,
-          :logging_options => logging_options,
-          :host_identifier => configuration.host_identifier,
-          :reverse_proxy_ip_address_header => configuration.reverse_proxy_ip_address_header,
-          :fetch_policies_from_tcell => configuration.should_start_policy_poll?,
-          :preload_policy_filename => configuration.preload_policy_filename
-        }
-        self['appfirewall'] = {
-          :enable_body_json_inspection => true,
-          :allow_log_payloads => true
+          :reverse_proxy => configuration.reverse_proxy,
+          :reverse_proxy_ip_address_header => configuration.reverse_proxy_ip_address_header
         }
-        self['max_header_size'] = configuration.max_csp_header_bytes || (1024 * 1024)
+
+        self['api_url'] = configuration.tcell_api_url
+        self['applications'] = [Models.clean_nils(applications)]
+        self['config_file_path'] = configuration.get_config_file_path
+        self['disabled_instrumentation'] = configuration.disabled_instrumentation
+        self['enabled'] = configuration.enabled
+        self['host_identifier'] = configuration.host_identifier
+        self['input_url'] = configuration.tcell_input_url
+        self['instrument'] = configuration.instrument
+        self['js_agent_api_url'] = configuration.js_agent_api_base_url
+        self['js_agent_url'] = configuration.js_agent_url
+        self['log_destination'] = configuration.logging_options[:destination]
+        self['log_dir'] = configuration.log_dir
+        self['log_enabled'] = configuration.logging_options[:enabled]
+        self['log_filename'] = configuration.logging_options[:log_filename]
+        self['log_level'] = configuration.logging_options[:level]
+        self['update_policy'] = configuration.fetch_policies_from_tcell
       end
     end
   end

data/lib/tcell_agent/rust/models.rb

@@ -13,6 +13,15 @@ module TCellAgent
 
         flattened_params
       end
+
+      def self.clean_nils(hash)
+        if hash.respond_to?(:compact!)
+          hash.compact!
+        else
+          hash.delete_if { |_, v| v.nil? }
+        end
+        hash
+      end
     end
   end
 end

data/lib/tcell_agent/rust/native_agent.rb

@@ -9,53 +9,18 @@ require 'tcell_agent/utils/headers'
 module TCellAgent
   module Rust
     class NativeAgent # rubocop:disable Metrics/ClassLength
-      def self.test_event_sender(events)
-        config = TCellAgent.configuration
-        event_sender = {
-          :uuid =>            config.uuid,
-          :hostname =>        config.host_identifier,
-          :agent_type =>      'Ruby',
-          :agent_version =>   TCellAgent::VERSION,
-          :app_id =>          config.app_id,
-          :api_key =>         config.api_key,
-          :tcell_input_url => config.tcell_input_url,
-          :events =>          events
-        }
-        event_sender_pointer = FFI::MemoryPointer.from_string(
-          JSON.dump(event_sender)
-        )
-
-        buf = FFI::MemoryPointer.new(:uint8, 1024 * 8)
-        # config_pointer.size - 1: strips null terminator
-        result_size = TCellAgent::Rust::NativeLibrary.test_event_sender(
-          event_sender_pointer, event_sender_pointer.size - 1, buf, buf.size
-        )
-
-        response = NativeAgentResponse.new('test_event_sender', buf, result_size)
-
-        response.errors
-      end
+      def self.test_agent(config)
+        agent_config = TCellAgent::Rust::AgentConfig.new(config)
 
-      def self.test_policies
-        config = TCellAgent.configuration
-        policies_info = {
-          :app_id =>        config.app_id,
-          :api_key =>       config.api_key,
-          :tcell_api_url => config.tcell_api_url
-        }
-        policies_info_pointer = FFI::MemoryPointer.from_string(
-          JSON.dump(policies_info)
+        config_pointer = FFI::MemoryPointer.from_string(
+          JSON.dump(agent_config)
         )
 
         buf = FFI::MemoryPointer.new(:uint8, 1024 * 8)
         # config_pointer.size - 1: strips null terminator
-        result_size = TCellAgent::Rust::NativeLibrary.test_policies(
-          policies_info_pointer, policies_info_pointer.size - 1, buf, buf.size
+        TCellAgent::Rust::NativeLibrary.test_agent(
+          config_pointer, config_pointer.size - 1, buf, buf.size
         )
-
-        response = NativeAgentResponse.new('test_event_sender', buf, result_size)
-
-        response.errors
       end
 
       def self.free_agent(agent_ptr)
@@ -88,6 +53,9 @@ module TCellAgent
           return nil
         end
 
+        return unless response['config'] && response['agent_enabled']
+
+        TCellAgent.configuration.populate_configuration(response['config'])
         NativeAgent.new(response['agent_ptr'])
       end
 
@@ -116,6 +84,7 @@ module TCellAgent
           :headers => header_params,
           :cookies => cookie_params,
           :path_params => path_params,
+          :reverse_proxy_header_value => appsensor_meta.reverse_proxy_header_value,
           :remote_address => appsensor_meta.remote_address,
           :full_uri => appsensor_meta.location,
           :session_id => appsensor_meta.session_id,
@@ -126,7 +95,6 @@ module TCellAgent
           :content_type => appsensor_meta.content_type,
           :request_body => appsensor_meta.raw_request_body
         }
-
         request_response_json[:sql_exceptions] = appsensor_meta.sql_exceptions if appsensor_meta.sql_exceptions
         request_response_json[:database_result_sizes] = appsensor_meta.database_result_sizes if appsensor_meta.database_result_sizes
 
@@ -167,13 +135,15 @@ module TCellAgent
           :method => appsensor_meta.method,
           :path => appsensor_meta.path,
           :remote_address => appsensor_meta.remote_address,
+          :reverse_proxy_header_value => appsensor_meta.reverse_proxy_header_value,
           :request_bytes_length => appsensor_meta.request_content_bytes_len,
           :query_params => query_params,
-          :post_params =>  post_params,
+          :post_params => post_params,
           :headers => header_params,
           :cookies => cookie_params,
           :content_type => appsensor_meta.content_type,
-          :full_uri => appsensor_meta.location
+          :full_uri => appsensor_meta.location,
+          :request_body => appsensor_meta.raw_request_body
         }
 
         patches_request_pointer = FFI::MemoryPointer.from_string(
@@ -196,6 +166,37 @@ module TCellAgent
         response.response
       end
 
+      def apply_suspicious_quick_check(appsensor_meta)
+        return {} unless appsensor_meta
+
+        sus_quick_check_request_json = {
+          :reverse_proxy_header_value => appsensor_meta.reverse_proxy_header_value,
+          :method => appsensor_meta.method,
+          :path => appsensor_meta.path,
+          :full_uri => appsensor_meta.location,
+          :request_bytes_length => appsensor_meta.request_content_bytes_len
+        }
+
+        if appsensor_meta.reverse_proxy_header_value.nil?
+          sus_quick_check_request_json.merge(
+            {
+              :client_ip_override => appsensor_meta.remote_address
+            }
+          )
+        end
+
+        sus_quick_check_request_ptr = FFI::MemoryPointer.from_string(
+          JSON.dump(sus_quick_check_request_json)
+        )
+
+        # sus_quick_check_request_ptr.size - 1: strips null terminator
+        TCellAgent::Rust::NativeLibrary.suspicious_quick_check_apply(
+          FFI::Pointer.new(@agent_ptr),
+          sus_quick_check_request_ptr,
+          sus_quick_check_request_ptr.size - 1
+        )
+      end
+
       def apply_cmdi(command, tcell_context)
         return unless TCellAgent::Utils::Strings.present?(command)
 
@@ -203,12 +204,14 @@ module TCellAgent
           :command => command,
           :method => tcell_context.request_method,
           :path => tcell_context.path,
+          :reverse_proxy_header_value => tcell_context.reverse_proxy_header_value,
           :remote_address => tcell_context.remote_address,
           :route_id => tcell_context.route_id,
           :session_id => tcell_context.session_id,
           :user_id => tcell_context.user_id,
           :full_uri => tcell_context.uri
         }
+
         command_pointer = FFI::MemoryPointer.from_string(
           JSON.dump(command_info)
         )
@@ -229,10 +232,11 @@ module TCellAgent
         response.response
       end
 
-      def get_headers(tcell_context)
+      def get_headers(content_type, tcell_context)
         return unless tcell_context
 
         headers_request = {
+          :content_type => content_type,
           :method => tcell_context.request_method,
           :path => tcell_context.path,
           :route_id => tcell_context.route_id.to_s,
@@ -270,8 +274,9 @@ module TCellAgent
           :status_code => status_code,
           :method => tcell_context.request_method,
           :path => tcell_context.path,
+          :reverse_proxy_header_value => tcell_context.reverse_proxy_header_value,
           :remote_addr => tcell_context.remote_address,
-          :full_uri => tcell_context.fullpath,
+          :full_uri => tcell_context.uri,
           :route_id => tcell_context.route_id,
           :session_id => tcell_context.session_id,
           :user_id => tcell_context.user_id
@@ -335,11 +340,12 @@ module TCellAgent
           :event_name => event_name,
           :user_id => user_id,
           :user_agent => tcell_context.user_agent,
+          :reverse_proxy_header_value => tcell_context.reverse_proxy_header_value,
           :remote_address => tcell_context.remote_address,
           :header_keys => header_keys,
-          :passsword => password,
+          :password => password,
           :session_id => tcell_context.session_id,
-          :full_uri => tcell_context.fullpath,
+          :full_uri => tcell_context.uri,
           :referrer => tcell_context.referrer,
           :user_valid => user_valid
         }
@@ -377,7 +383,8 @@ module TCellAgent
         if tcell_context
           file_access_info = file_access_info.merge(
             {
-              :full_uri => tcell_context.fullpath,
+              :full_uri => tcell_context.uri,
+              :reverse_proxy_header_value => tcell_context.reverse_proxy_header_value,
               :remote_address => tcell_context.remote_address,
               :route_id => tcell_context.route_id,
               :session_id => tcell_context.session_id,
@@ -453,6 +460,7 @@ module TCellAgent
           :session_id => tcell_context && tcell_context.session_id,
           :user_id => tcell_context && tcell_context.user_id,
           :user_agent => tcell_context && tcell_context.user_agent,
+          :reverse_proxy_header_value => tcell_context.reverse_proxy_header_value,
           :remote_address => tcell_context && tcell_context.remote_address
         }
         message_pointer = FFI::MemoryPointer.from_string(
@@ -504,7 +512,7 @@ module TCellAgent
         end
       end
 
-      # Note: for tests
+      # NOTE: for tests
       def update_policies(policies)
         return {} unless TCellAgent::Utils::Strings.present?(policies)
 

data/lib/tcell_agent/rust/native_library.rb

@@ -6,22 +6,20 @@ module TCellAgent
       require 'ffi'
       extend FFI::Library
 
-      VERSION = '4.18.0'.freeze
-      prefix = 'lib'
       extension = '.so'
       variant = ''
       if /cygwin|mswin|mingw|bccwin|wince|emx/ =~ RUBY_PLATFORM
+        variant = '-x64'
         extension = '.dll'
-        prefix = ''
       elsif /darwin/ =~ RUBY_PLATFORM
         extension = '.dylib'
       elsif /musl/ =~ RUBY_PLATFORM
-        variant = 'alpine-'
+        variant = '-alpine'
       end
 
       begin
         ffi_lib File.join(File.dirname(__FILE__),
-                          "#{prefix}tcellagent-#{variant}#{VERSION}#{extension}")
+                          "libtcellagent#{variant}#{extension}")
 
         # All the rust library calls have the following response api:
         #
@@ -36,6 +34,7 @@ module TCellAgent
         attach_function :poll_new_policies, %i[pointer pointer size_t], :int
         attach_function :appfirewall_apply, %i[pointer pointer size_t pointer size_t], :int
         attach_function :patches_apply, %i[pointer pointer size_t pointer size_t], :int
+        attach_function :suspicious_quick_check_apply, %i[pointer pointer size_t], :int
         attach_function :cmdi_apply, %i[pointer pointer size_t pointer size_t], :int
         attach_function :get_headers, %i[pointer pointer size_t pointer size_t], :int
         attach_function :get_js_agent_script_tag, %i[pointer pointer size_t pointer size_t], :int
@@ -48,16 +47,15 @@ module TCellAgent
         attach_function :log_message, %i[pointer pointer size_t pointer size_t], :int
 
         attach_function :update_policies, %i[pointer pointer size_t pointer size_t], :int
-        attach_function :test_event_sender, %i[pointer size_t pointer size_t], :int
-        attach_function :test_policies, %i[pointer size_t pointer size_t], :int
+        attach_function :test_agent, %i[pointer size_t pointer size_t], :int
 
         def self.common_lib_available?
           true
         end
-      rescue LoadError => load_error
+      rescue LoadError => e
         logger = TCellAgent::ModuleLogger.new(TCellAgent::RubyLogger.new, name)
-        logger.error("Failed loading agent library. #{load_error.message}")
-        logger.exception(load_error)
+        logger.error("Failed loading agent library. #{e.message}")
+        logger.exception(e)
 
         def self.common_lib_available? # rubocop:disable Lint/DuplicateMethods
           false

data/lib/tcell_agent/sensor_events/server_agent.rb

@@ -7,59 +7,6 @@ require 'etc'
 
 module TCellAgent
   module SensorEvents
-    class ServerAgentDetailsSensorEvent < TCellSensorEvent
-      include TCellAgent::ModuleLoggerAccess
-
-      def initialize
-        super('server_agent_details')
-        @flush = true
-        @ensure = true
-
-        self['user'] = 'unknown'
-        self['group'] = 'unknown'
-
-        begin
-          login = Etc.getlogin
-          if login
-            self['user'] = login
-            begin
-              info = Etc.getpwnam(login)
-              self['group'] = info.gid.to_s
-            rescue StandardError => te
-              module_logger.debug("Could not get group id: #{te.message}")
-              module_logger.exception(te)
-            end
-          end
-        rescue StandardError => to
-          module_logger.debug("Could not get user & group: #{to.message}")
-          module_logger.exception(te)
-        end
-
-        module_logger.debug("User #{self['user']}")
-        module_logger.debug("Group #{self['group']}")
-      end
-    end
-
-    class ServerAgentDetailsLanguageEvent < TCellSensorEvent
-      def initialize(language, language_version)
-        super('server_agent_details')
-        @flush = true
-        @ensure = true
-        self['language'] = language
-        self['language_version'] = language_version
-      end
-    end
-
-    class ServerAgentAppFrameworkEvent < TCellSensorEvent
-      def initialize(framework_name, framework_version)
-        super('server_agent_details')
-        @flush = true
-        @ensure = true
-        self['app_framework'] = framework_name
-        self['app_framework_version'] = framework_version
-      end
-    end
-
     class ServerAgentPackagesSensorEvent < TCellSensorEvent
       include TCellAgent::ModuleLoggerAccess
 
@@ -75,59 +22,15 @@ module TCellAgent
               packages.push(package)
               module_logger.debug("Adding packages #{x.name}")
             end
-          rescue StandardError => te
-            module_logger.error("Exception adding package: #{te.message}")
-            module_logger.exception(te)
+          rescue StandardError => e
+            module_logger.error("Exception adding package: #{e.message}")
+            module_logger.exception(e)
           end
         end
         self['packages'] = packages
       end
     end
 
-    class AppFramework < TCellSensorEvent
-      def initialize(name, version)
-        super('appserver_framework')
-        @flush = false
-        @ensure = true
-        self['n'] = name
-        self['v'] = version
-      end
-    end
-
-    class AppAuthFramework < TCellSensorEvent
-      def initialize(name, version)
-        super('appserver_auth_framework')
-        @flush = false
-        @ensure = true
-        self['n'] = name
-        self['v'] = version
-      end
-    end
-
-    class AppFrameworkSetting < TCellSensorEvent
-      def initialize(framework_name, setting, value)
-        super('appserver_framework_setting')
-        @flush = false
-        @ensure = true
-        self['framework'] = framework_name
-        self['s'] = setting
-        self['v'] = value
-      end
-    end
-
-    class AppCookie < TCellSensorEvent
-      def initialize(name, value, secure, http_only, session)
-        super('appserver_framework_setting')
-        @flush = false
-        @ensure = true
-        self['n'] = name
-        self['v'] = value
-        self['http_only'] = http_only
-        self['secure'] = secure
-        self['session'] = session
-      end
-    end
-
     class AppRoutesSensorEvent < TCellSensorEvent
       def initialize(uri, method, route_id, params = nil, destination = nil)
         super('appserver_routes')