tcell_agent 2.1.2 → 2.2.0

data/lib/tcell_agent/config_initializer.rb

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+module TCellAgent
+  class ConfigInitializer < Configuration
+    # Common config shared across agents
+    attr_accessor :app_id, :api_key, :tcell_api_url,
+                  :tcell_input_url, :log_dir, :fetch_policies_from_tcell,
+                  :preload_policy_filename, :reverse_proxy,
+                  :reverse_proxy_ip_address_header, :host_identifier,
+                  :hmac_key, :password_hmac_key,
+                  :js_agent_url, :js_agent_api_base_url,
+                  :max_csp_header_bytes, :allow_payloads
+
+    attr_reader :logging_options
+
+    # Ruby only config
+    attr_accessor :disable_all, :enabled, :enable_event_manager,
+                  :enable_policy_polling,
+                  :data_exposure
+
+    attr_reader :instrument_for_events,
+                :enable_instrumentation
+
+    # New config
+    attr_accessor :disabled_instrumentation, :instrument
+
+    def initialize
+      # ruby agent defaults
+      @logging_options = {}
+    end
+
+    def logging_options=(hash)
+      @logging_options = hash.each_with_object({}) do |(key, val), memo|
+        memo[key.to_sym] = val
+      end
+    end
+
+    # legacy config mapping
+    def enabled_instrumentations=(hash)
+      @disabled_instrumentation ||= []
+      hash.each do |key, val|
+        @disabled_instrumentation << key.to_s.strip.downcase unless TCellAgent.configuration.to_bool(val)
+      end
+    end
+
+    def agent_log_dir=(path)
+      @log_dir = path
+    end
+
+    def instrument_for_events=(bool)
+      @instrument = bool
+    end
+
+    def enable_instrumentation=(bool)
+      @instrument = bool
+    end
+
+    def enable_intercept_requests=(bool)
+      @disabled_instrumentation << 'intercept_requests' unless TCellAgent.configuration.to_bool(bool)
+    end
+
+    def get_config_file_dir
+      super
+    end
+  end
+end

data/lib/tcell_agent/configuration.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # See the file "LICENSE" for the full license governing this code.
 require 'fileutils'
 require 'json'
@@ -6,315 +8,118 @@ require 'socket'
 require 'securerandom'
 require 'uri'
 
-require 'tcell_agent/config/unknown_options'
-
 module TCellAgent
   class ConfigurationException < StandardError
   end
 
   class << self
     attr_accessor :configuration
+    attr_accessor :initializer_configuration
   end
 
   def self.configure
-    self.configuration ||= Configuration.new
-    yield(configuration)
-  end
-
-  class Configuration # rubocop:disable Metrics/ClassLength
-    attr_accessor :version,
-                  :app_id,
-                  :api_key,
-                  :hmac_key,
-                  :tcell_api_url,
-                  :tcell_input_url,
-                  :logging_options,
-                  :fetch_policies_from_tcell, :instrument_for_events,
-                  :preload_policy_filename,
-                  :host_identifier,
-                  :uuid,
-                  :event_batch_size_limit, :event_time_limit_seconds,
-                  :base_dir,
-                  :cache_filename,
-                  :cache_folder,
-                  :js_agent_api_base_url,
-                  :js_agent_url,
-                  :config_filename,
-                  :agent_log_dir,
-                  :max_data_ex_db_records_per_request,
-                  :agent_home_dir,
-                  :reverse_proxy,
-                  :reverse_proxy_ip_address_header,
-                  :log_file_name,
-                  :log_tag,
-                  :max_csp_header_bytes,
-                  :demomode,
-                  :allow_payloads,
-                  :password_hmac_key,
-                  :stdout_logger
-
-    attr_accessor :disable_all,
-                  :enabled,
-                  :enable_event_manager,       # false = Do not start the even manager
-                  :enable_event_consumer,      # false = Do not consume events, drop them
-                  :enable_policy_polling,      # false = Do not poll for policies
-                  :enable_instrumentation,     # false = Do not add instrumentation
-                  :enable_intercept_requests   # false = Do not insert middleware
+    require 'tcell_agent/config_initializer'
+    self.initializer_configuration ||= ConfigInitializer.new
 
-    attr_accessor :enabled_instrumentations
+    yield(initializer_configuration)
+  rescue NoMethodError => e
+    logger = TCellAgent::ModuleLogger.new(TCellAgent::RubyLogger.new, name)
+    logger.error("Error configuring tcell_agent with initializers: #{e}")
+  end
 
-    attr_accessor :exp_config_settings
+  class Configuration
+    # internal Ruby configurations
+    attr_accessor :disable_all
 
-    attr_accessor :disable_cmdi_exec_instrumentation # true = disable cmdi Kernel::exec instrumentation
+    # Common config returned by libtcellagent
+    attr_accessor :api_key, :app_id, :disabled_instrumentation, :enabled,
+                  :enable_intercept_requests, :fetch_policies_from_tcell, :hmac_key,
+                  :host_identifier, :instrument, :log_dir, :logging_options,
+                  :password_hmac_key, :reverse_proxy, :reverse_proxy_ip_address_header,
+                  :tcell_api_url
 
-    def should_start_event_manager?
-      @enabled && @enable_event_manager
-    end
+    # Ruby config returned by libtcellagent
+    attr_accessor :enable_policy_polling
 
     def should_start_policy_poll?
       @enabled && @enable_policy_polling && @fetch_policies_from_tcell # fetch_policies_from_tcel = legacy
     end
 
-    def should_instrument?
-      @enabled && @enable_instrumentation && @instrument_for_events # instrument_for_events = legacy
-    end
+    def should_instrument?(func = nil)
+      return false unless @enabled && @instrument # never instrument if disabled
+      return true if func.nil?                    # always instrument if enabled and nothing given
 
-    def should_intercept_requests?
-      @enabled && @enable_instrumentation && @enable_intercept_requests
+      !@disabled_instrumentation.include?(func)
     end
 
-    def should_instrument_doorkeeper?
-      if @enabled_instrumentations.key?('doorkeeper') || @enabled_instrumentations.key?(:doorkeeper)
-        !!(@enabled_instrumentations['doorkeeper'] || @enabled_instrumentations[:doorkeeper]) # rubocop:disable Style/DoubleNegation
-      else
-        true
-      end
-    end
-
-    def should_instrument_devise?
-      if @enabled_instrumentations.key?('devise') || @enabled_instrumentations.key?(:devise)
-        !!(@enabled_instrumentations['devise'] || @enabled_instrumentations[:devise]) # rubocop:disable Style/DoubleNegation
-      else
-        true
-      end
-    end
-
-    def should_instrument_authlogic?
-      if @enabled_instrumentations.key?('authlogic') || @enabled_instrumentations.key?(:authlogic)
-        !!(@enabled_instrumentations['authlogic'] || @enabled_instrumentations[:authlogic]) # rubocop:disable Style/DoubleNegation
-      else
-        true
-      end
-    end
-
-    def should_instrument_cmdi_exec?
-      !@disable_cmdi_exec_instrumentation
+    def should_intercept_requests?
+      @enabled && @enable_intercept_requests
     end
 
-    def initialize(filename = 'config/tcell_agent.config', _useapp = nil)
-      # These will be set when the agent starts up, to give rails initializers
-      # a chance to run
-      @cache_filename = nil
-      @agent_log_dir = nil
-      @log_tag = nil
-
-      @version = 0
-      @demomode = false
-
-      @fetch_policies_from_tcell = true
-      @instrument_for_events = true
-
+    def initialize
+      # ruby agent defaults
       @disable_all = false
-      @enabled = true
-      @enable_event_manager = true
-      @enable_policy_polling = true
-      @enable_instrumentation = true
-      @enable_intercept_requests = true
-
-      @enabled_instrumentations = {
-        :doorkeeper => true,
-        :devise => true,
-        :authlogic => true
-      }
-
-      @disable_cmdi_exec_instrumentation = false
-
-      @log_file_name = 'tcell_agent.log'
-
-      @event_batch_size_limit = 50
-      @event_time_limit_seconds = 15
-
-      @max_data_ex_db_records_per_request = 1000
-      @reverse_proxy = true
-      @reverse_proxy_ip_address_header = 'X-Forwarded-For'
-      @allow_payloads = true
-
-      @max_csp_header_bytes = nil
-      @password_hmac_key = nil
       @logging_options = {}
 
-      @agent_home_dir = ENV['TCELL_AGENT_HOME'] || File.join(Dir.getwd, 'tcell')
-      @cache_folder = File.join(@agent_home_dir, 'cache/')
-      @agent_log_dir = File.join(@agent_home_dir, 'logs')
-
-      @config_filename = ENV['TCELL_AGENT_CONFIG'] || File.join(Dir.getwd, filename)
-
-      read_config_from_file(@config_filename)
-      read_config_using_env
-
-      if @demomode
-        @event_batch_size_limit = 1
-        @event_time_limit_seconds = 2
-      end
-
-      @tcell_api_url ||= 'https://us.agent.tcell.insight.rapid7.com/api/v1'
-      @tcell_input_url ||= 'https://us.input.tcell.insight.rapid7.com/api/v1'
-      @js_agent_url ||= 'https://us.jsagent.tcell.insight.rapid7.com/tcellagent.min.js'
-
-      if @host_identifier.nil?
-        begin
-          @host_identifier = (Socket.gethostname || 'localhost')
-        rescue StandardError
-          @host_identifier = 'host_identifier_not_found'
-        end
-      end
-
-      @uuid = SecureRandom.uuid
+      check_for_disabled_instrumentation(get_config_file_name)
     end
 
-    def read_config_using_env
-      @app_id = ENV['TCELL_AGENT_APP_ID'] || @app_id
-      @api_key = ENV['TCELL_AGENT_API_KEY'] || @api_key
-      @hmac_key = ENV['TCELL_HMAC_KEY'] || @hmac_key
-      @password_hmac_key = ENV['TCELL_PASSWORD_HMAC_KEY'] || @password_hmac_key
-      @host_identifier = ENV['TCELL_AGENT_HOST_IDENTIFIER'] || @host_identifier
-      @tcell_api_url = ENV['TCELL_API_URL'] || @tcell_api_url
-      @tcell_input_url = ENV['TCELL_INPUT_URL'] || @tcell_input_url
-      @demomode = ENV['TCELL_DEMOMODE'] || @demomode
-
-      @agent_log_dir = ENV['TCELL_AGENT_LOG_DIR'] || @agent_log_dir
-      @log_file_name = ENV['TCELL_AGENT_LOG_FILENAME'] || @log_file_name
+    def get_config_file_dir
+      return nil unless ENV['TCELL_AGENT_HOME']
+      return nil if ENV['TCELL_AGENT_CONFIG']
 
-      @logging_options['enabled'] = to_bool(ENV['TCELL_AGENT_LOG_ENABLED']) unless to_bool(ENV['TCELL_AGENT_LOG_ENABLED']).nil?
-      @logging_options['level'] = ENV['TCELL_AGENT_LOG_LEVEL'] || @logging_options['level'] unless @logging_options.nil?
-
-      @enabled = to_bool(ENV['TCELL_AGENT_ENABLED']) unless to_bool(ENV['TCELL_AGENT_ENABLED']).nil?
+      File.join(Dir.getwd, '/config')
+    end
 
-      @allow_payloads = to_bool(ENV['TCELL_AGENT_ALLOW_PAYLOADS']) unless to_bool(ENV['TCELL_AGENT_ALLOW_PAYLOADS']).nil?
-      @disable_cmdi_exec_instrumentation = to_bool(ENV['TCELL_CMDI_EXEC_DISABLED']) || @disable_cmdi_exec_instrumentation
+    def get_config_file_name
+      ENV['TCELL_AGENT_CONFIG'] || File.join(Dir.getwd, '/config/tcell_agent.config')
     end
 
-    def read_config_from_file(filename)
+    def check_for_disabled_instrumentation(filename)
       return unless File.file?(filename)
 
       begin
-        config_text = File.open(filename).read
-        config = JSON.parse(config_text)
-
-        messages = TCellAgent::Config::Validate.get_unknown_options(config)
-        messages.each do |message|
-          puts message
-        end
+        config = JSON.parse(File.open(filename).read)
 
         if config['version'] == 1
-          # Required
-          app_data = config['applications'][0] # Default
-          @version = 1
-          @app_id = app_data['app_id']
-          @api_key = app_data['api_key']
-
-          # Optional
-          @preload_policy_filename = app_data.fetch('preload_policy_filename', nil)
-
-          @disable_all = app_data.fetch('disable_all', @disable_all)
-          @enabled = app_data.fetch('enabled', @enabled)
-
-          @enable_event_manager = app_data.fetch('enable_event_manager', @enable_event_manager)
-          @enable_policy_polling = app_data.fetch('enable_policy_polling', @enable_policy_polling)
-          @enable_instrumentation = app_data.fetch('enable_instrumentation', @enable_instrumentation)
-          @enable_intercept_requests = app_data.fetch('enable_intercept_requests', @enable_intercept_requests)
-          @fetch_policies_from_tcell = app_data.fetch('fetch_policies_from_tcell', @fetch_policies_from_tcell)
-          @instrument_for_events = app_data.fetch('instrument_for_events', @instrument_for_events)
-
-          @logging_options = app_data.fetch('logging_options', {})
-          @agent_log_dir = app_data.fetch('log_dir', @agent_log_dir)
-          @log_file_name = @logging_options['filename'] || @log_file_name
-
-          @tcell_api_url = app_data.fetch('tcell_api_url', @tcell_api_url)
-          @tcell_input_url = app_data.fetch('tcell_input_url', @tcell_input_url)
-
-          @max_csp_header_bytes = app_data.fetch('max_csp_header_bytes', @max_csp_header_bytes)
-
-          @allow_payloads = app_data.fetch(
-            'allow_payloads',
-            @allow_payloads
-          )
-
-          data_exposure = app_data.fetch('data_exposure', {})
-          @max_data_ex_db_records_per_request = data_exposure.fetch('max_data_ex_db_records_per_request', @max_data_ex_db_records_per_request)
-
-          @enabled_instrumentations = app_data.fetch('enabled_instrumentations', @enabled_instrumentations)
-
-          @reverse_proxy = app_data.fetch('reverse_proxy', @reverse_proxy)
-          @reverse_proxy_ip_address_header = app_data.fetch('reverse_proxy_ip_address_header', @reverse_proxy_ip_address_header)
-
-          @host_identifier = app_data.fetch('host_identifier', @host_identifier)
-          @hmac_key = app_data.fetch('hmac_key', @hmac_key)
-
-          @password_hmac_key = app_data.fetch('password_hmac_key', @password_hmac_key)
-
-          @uuid = SecureRandom.uuid
-          @uuid = 'secure-random-failed' if @uuid.nil?
-
-          if app_data.key?('js_agent_api_base_url')
-            @js_agent_api_base_url = app_data['js_agent_api_base_url']
-          end
-          if app_data.key?('js_agent_url')
-            @js_agent_url = app_data['js_agent_url']
-          end
-
-          @demomode = app_data.fetch('demomode', @demomode)
-        else
-          puts ' ********* ********* ********* *********'
-          puts '* tCell.io                               *'
-          puts '* Unsupported config file version        *'
-          puts ' ********* ********* ********* *********'
+          app_data = config['applications'][0]
+          @disable_all = to_bool(app_data.fetch('disable_all', @disable_all))
         end
-      rescue StandardError => e
-        puts ' ********* ********* ********* *********'
-        puts '* tCell.io                               *'
-        puts '* Could not load config file             *'
-        puts ' ********* ********* ********* *********'
-        puts e
+      rescue StandardError # rubocop:disable Lint/HandleExceptions
       end
     end
 
     def to_bool(var)
-      return unless var
-      var.to_s.casecmp('true').zero? if %w[true false].include? var.to_s.downcase
-    end
-
-    def enforce_symbol_keys(hashmap)
-      hashmap.each_with_object({}) do |(k, v), memo|
-        memo[k.to_sym] = v
-      end
-    end
-
-    def logging_enabled?
-      @enabled && enforce_symbol_keys(@logging_options || {})[:enabled]
-    end
-
-    def log_filename
-      @agent_log_dir ||= File.join(@agent_home_dir, 'logs')
-      File.join(@agent_log_dir, @log_file_name)
-    end
-
-    def clean_logging_options
-      {
-        :enabled => true,
-        :level => 'INFO',
-        :filename => log_file_name
-      }.merge(enforce_symbol_keys(@logging_options || {}))
+      { 'true' => true, 'false' => false }[var.to_s.downcase]
+    end
+
+    def populate_configuration(native_agent_config_response)
+      # config
+      @enabled = native_agent_config_response['enabled']
+      @disabled_instrumentation = Set.new(native_agent_config_response['disabled_instrumentation'])
+      @fetch_policies_from_tcell = native_agent_config_response['update_policy']
+      @instrument = native_agent_config_response['instrument']
+
+      # app config
+      apps = native_agent_config_response['applications'] ? native_agent_config_response['applications']['first'] : {}
+      @app_id = apps['app_id']
+      @api_key = apps['api_key']
+      @hmac_key = apps['hmac_key']
+      @password_hmac_key = apps['password_hmac_key']
+
+      # proxy config
+      proxy_config = apps['proxy_config'] || {}
+      @reverse_proxy = proxy_config['reverse_proxy']
+      @reverse_proxy_ip_address_header = proxy_config['reverse_proxy_ip_address_header']
+
+      # endpoint config
+      endpoint = native_agent_config_response['endpoint_config'] || {}
+      @tcell_api_url = endpoint['api_url']
+
+      # ruby config
+      ruby_config = native_agent_config_response['ruby_config'] || {}
+      @enable_policy_polling = ruby_config['enable_policy_polling']
+      @enable_intercept_requests = !@disabled_instrumentation.include?('intercept_requests')
     end
   end