tcell_agent 2.1.2 → 2.4.1

data/lib/tcell_agent/rails/auth/devise.rb

@@ -1,127 +1,128 @@
-if TCellAgent.configuration.should_instrument_devise? && defined?(Devise)
-  module TCellAgent
-    require 'base64'
-    require 'tcell_agent/agent'
-
-    module DeviseInstrumentation
-      module TCellFailureAppRespond
-        def respond
-          TCellAgent::Instrumentation.safe_block('Devise Failure App Respond') do
-            if TCellAgent.configuration.should_intercept_requests?
-              tcell_data = request.env[TCellAgent::Instrumentation::TCELL_ID]
-              if tcell_data
-                # in the case of http auth, user_id is set in
-                # Devise::Strategies::Authenticatable.valid_for_http_auth?
-                user_id = tcell_data.user_id
-                user_id ||= _get_tcell_username
-
-                # in the case of http auth, password is set in
-                # Devise::Strategies::Authenticatable.valid_for_http_auth?
-                password = tcell_data.password
-                password ||= _get_tcell_password
-
-                user_valid = nil
-                login_policy = TCellAgent.policy(TCellAgent::PolicyTypes::LOGINFRAUD)
-                login_policy.report_login_failure(
-                  user_id,
-                  password,
-                  request.env,
-                  user_valid,
-                  tcell_data
-                )
-              end
+module TCellAgent
+  require 'base64'
+  require 'tcell_agent/agent'
+
+  module DeviseInstrumentation
+    module TCellFailureAppRespond
+      def respond
+        TCellAgent::Instrumentation.safe_block('Devise Failure App Respond') do
+          if TCellAgent.configuration.should_intercept_requests?
+            tcell_data = request.env[TCellAgent::Instrumentation::TCELL_ID]
+            if tcell_data
+              # in the case of http auth, user_id is set in
+              # Devise::Strategies::Authenticatable.valid_for_http_auth?
+              user_id = tcell_data.user_id
+              user_id ||= _get_tcell_username
+
+              # in the case of http auth, password is set in
+              # Devise::Strategies::Authenticatable.valid_for_http_auth?
+              password = tcell_data.password
+              password ||= _get_tcell_password
+
+              user_valid = warden_message != :not_found_in_database if defined?(warden_message)
+
+              login_policy = TCellAgent.policy(TCellAgent::PolicyTypes::LOGINFRAUD)
+              login_policy.report_login_failure(
+                user_id,
+                password,
+                request.env,
+                user_valid,
+                tcell_data
+              )
             end
           end
-
-          super if defined?(super)
         end
 
-        def _get_tcell_username
-          tcell_username = nil
-          TCellAgent::Instrumentation.safe_block('Devise Get TCell Username') do
-            keys = scope_class.authentication_keys.dup
-            user_params = request.POST.fetch('user', {})
-            keys.each do |key|
-              next_usename = user_params.fetch(key, nil)
-              if next_usename
-                tcell_username ||= ''
-                tcell_username += next_usename
-              end
+        super if defined?(super)
+      end
+
+      def _get_tcell_username
+        tcell_username = nil
+        TCellAgent::Instrumentation.safe_block('Devise Get TCell Username') do
+          keys = scope_class.authentication_keys.dup
+          user_params = request.POST.fetch('user', {})
+          keys.each do |key|
+            next_usename = user_params.fetch(key, nil)
+            if next_usename
+              tcell_username ||= ''
+              tcell_username += next_usename
             end
           end
-          tcell_username
         end
+        tcell_username
+      end
 
-        def _get_tcell_password
-          tcell_password = nil
-          TCellAgent::Instrumentation.safe_block('Devise Get TCell Password') do
-            user_params = request.POST.fetch('user', {})
-            tcell_password = user_params['password']
-          end
-          tcell_password
+      def _get_tcell_password
+        tcell_password = nil
+        TCellAgent::Instrumentation.safe_block('Devise Get TCell Password') do
+          user_params = request.POST.fetch('user', {})
+          tcell_password = user_params['password']
         end
+        tcell_password
       end
     end
+  end
 
-    # prepend is ruby 2+ feature
-    Devise::FailureApp.send(:prepend, DeviseInstrumentation::TCellFailureAppRespond)
+  # prepend is ruby 2+ feature
+  Devise::FailureApp.send(:prepend, DeviseInstrumentation::TCellFailureAppRespond)
+
+  Devise::Strategies::Authenticatable.class_eval do
+    alias_method :tcell_valid_for_http_auth?, :valid_for_http_auth?
+    def valid_for_http_auth?
+      is_valid = tcell_valid_for_http_auth?
+
+      TCellAgent::Instrumentation.safe_block('Devise set username for http basic auth') do
+        tcell_data = request.env[TCellAgent::Instrumentation::TCELL_ID]
+        if http_auth_hash && tcell_data
+          username = http_auth_hash[http_authentication_key]
+          password = http_auth_hash[:password]
+          tcell_data.user_id = username if username && !tcell_data.user_id
+          tcell_data.password = password if password && !tcell_data.password
+        end
+      end
 
-    Devise::Strategies::Authenticatable.class_eval do
-      alias_method :tcell_valid_for_http_auth?, :valid_for_http_auth?
-      def valid_for_http_auth?
-        is_valid = tcell_valid_for_http_auth?
+      is_valid
+    end
 
-        TCellAgent::Instrumentation.safe_block('Devise set username for http basic auth') do
-          tcell_data = request.env[TCellAgent::Instrumentation::TCELL_ID]
-          if http_auth_hash && tcell_data
-            username = http_auth_hash[http_authentication_key]
-            password = http_auth_hash[:password]
-            tcell_data.user_id = username if username && !tcell_data.user_id
-            tcell_data.password = password if password && !tcell_data.password
-          end
-        end
+    alias_method :tcell_validate, :validate
+    def validate(resource, &block)
+      is_valid = tcell_validate(resource, &block)
+      send_event = is_valid
 
-        is_valid
+      # gets the first entry in the current backtrace
+      # syntax suggested by rubocop to improve performance
+      if caller(1..1).first.include? 'two_factor_authenticatable'
+        TCellAgent.logger.debug('Not sending login success event for Devise::Strategies::TwoFactorAuthenticatable since 2fa is unsupported', 'TCellAgent::DeviseInstrumentation')
+        send_event = false
       end
 
-      alias_method :tcell_validate, :validate
-      def validate(resource, &block)
-        is_valid = tcell_validate(resource, &block)
-        send_event = is_valid
-
-        # gets the first entry in the current backtrace
-        # syntax suggested by rubocop to improve performance
-        if caller(1..1).first.include? 'two_factor_authenticatable'
-          TCellAgent.logger.debug('Not sending login success event for Devise::Strategies::TwoFactorAuthenticatable since 2fa is unsupported', 'TCellAgent::DeviseInstrumentation')
-          send_event = false
-        end
+      TCellAgent::Instrumentation.safe_block('Devise Authenticatable Validate') do
+        if send_event && TCellAgent.configuration.should_intercept_requests?
+          username = nil
+          (authentication_keys || []).each do |auth_key|
+            attr = authentication_hash[auth_key] unless authentication_hash.nil?
 
-        TCellAgent::Instrumentation.safe_block('Devise Authenticatable Validate') do
-          if send_event && TCellAgent.configuration.enabled &&
-             TCellAgent.configuration.should_intercept_requests?
-            username = nil
-            (authentication_keys || []).each do |auth_key|
-              attr = authentication_hash[auth_key]
-              if attr
-                username ||= ''
-                username += attr
-              end
+            if attr
+              username ||= ''
+              username += attr
             end
-
-            tcell_data = request.env[TCellAgent::Instrumentation::TCELL_ID]
-            return is_valid unless tcell_data
-
-            login_policy = TCellAgent.policy(TCellAgent::PolicyTypes::LOGINFRAUD)
-            login_policy.report_login_success(
-              username,
-              request.env,
-              tcell_data
-            )
           end
-        end
 
-        is_valid
+          tcell_data = request.env[TCellAgent::Instrumentation::TCELL_ID]
+          return is_valid unless tcell_data
+
+          tcell_data.user_id = username if username && tcell_data.user_id.nil?
+
+          login_policy = TCellAgent.policy(TCellAgent::PolicyTypes::LOGINFRAUD)
+          login_policy.report_login_success(
+            username,
+            request.env,
+            tcell_data
+          )
+        end
       end
+
+      is_valid
     end
   end
 end

data/lib/tcell_agent/rails/auth/devise_helper.rb

@@ -0,0 +1,29 @@
+require 'devise'
+require 'devise/rails'
+require 'devise/strategies/database_authenticatable'
+require 'tcell_agent/rails/auth/userinfo'
+
+module TCellAgent
+  TCellAgent::UserInformation.class_eval do
+    class << self
+      alias_method :original_get_user_from_request, :get_user_from_request
+      def get_user_from_request(request)
+        orig_user_id = original_get_user_from_request(request)
+        begin
+          if request.session && request.session.key?('warden.user.user.key')
+            userkey = request.session['warden.user.user.key']
+            user_id = if userkey.length == 2
+                        userkey[0][0]
+                      else
+                        userkey[1][0]
+                      end
+            return user_id.to_s if user_id.is_a? Integer
+          end
+        rescue StandardError
+          return orig_user_id
+        end
+        orig_user_id
+      end
+    end
+  end
+end

data/lib/tcell_agent/rails/auth/doorkeeper.rb

@@ -1,65 +1,32 @@
-if TCellAgent.configuration.should_instrument_doorkeeper? && defined?(Doorkeeper)
+require 'tcell_agent/agent'
 
-  require 'tcell_agent/agent'
-  require 'tcell_agent/sensor_events/login_fraud'
+module TCellAgent
+  module DoorkeeperInstrumentation
+    Doorkeeper::TokensController.class_eval do
+      alias_method :tcell_authorize_response, :authorize_response
+      def authorize_response
+        result = tcell_authorize_response
 
-  module TCellAgent
-    module DoorkeeperInstrumentation
-      Doorkeeper::TokensController.class_eval do
-        alias_method :tcell_authorize_response, :authorize_response
-        def authorize_response
-          result = tcell_authorize_response
+        TCellAgent::Instrumentation.safe_block('Doorkeeper Token Authorize') do
+          return result unless TCellAgent.configuration.should_intercept_requests?
 
-          TCellAgent::Instrumentation.safe_block('Doorkeeper Token Authorize') do
-            return result unless TCellAgent.configuration.should_intercept_requests?
+          login_policy = TCellAgent.policy(TCellAgent::PolicyTypes::LOGINFRAUD)
+          tcell_data = request.env[TCellAgent::Instrumentation::TCELL_ID]
 
-            login_policy = TCellAgent.policy(TCellAgent::PolicyTypes::LOGINFRAUD)
-            tcell_data = request.env[TCellAgent::Instrumentation::TCELL_ID]
+          return unless tcell_data
 
-            return unless tcell_data
-            headers = request.env
+          headers = request.env
 
-            if result.is_a?(Doorkeeper::OAuth::TokenResponse)
-              user_id = result.token.resource_owner_id
-              login_policy.report_login_success(
-                user_id,
-                headers,
-                tcell_data
-              )
-            elsif result.is_a?(Doorkeeper::OAuth::ErrorResponse)
-              user_id = request.POST['client_id']
-              password = nil
-              user_valid = nil
-              login_policy.report_login_failure(
-                user_id,
-                password,
-                headers,
-                user_valid,
-                tcell_data
-              )
-            end
-          end
-
-          result
-        end
-      end
-
-      module TCellAuthorizationsNew
-        def new
-          super if defined?(super)
-
-          TCellAgent::Instrumentation.safe_block('Doorkeeper Token Authorize') do
-            return unless TCellAgent.configuration.should_intercept_requests?
-            return unless pre_auth.error
-
-            login_policy = TCellAgent.policy(TCellAgent::PolicyTypes::LOGINFRAUD)
-            tcell_data = request.env[TCellAgent::Instrumentation::TCELL_ID]
-
-            return unless tcell_data
-
-            user_id = current_resource_owner.id
+          if result.is_a?(Doorkeeper::OAuth::TokenResponse)
+            user_id = result.token.resource_owner_id
+            login_policy.report_login_success(
+              user_id,
+              headers,
+              tcell_data
+            )
+          elsif result.is_a?(Doorkeeper::OAuth::ErrorResponse)
+            user_id = request.POST['client_id']
             password = nil
-            headers = request.env
             user_valid = nil
             login_policy.report_login_failure(
               user_id,
@@ -70,10 +37,40 @@ if TCellAgent.configuration.should_instrument_doorkeeper? && defined?(Doorkeeper
             )
           end
         end
+
+        result
       end
+    end
+
+    module TCellAuthorizationsNew
+      def new
+        super if defined?(super)
+
+        TCellAgent::Instrumentation.safe_block('Doorkeeper Token Authorize') do
+          return unless TCellAgent.configuration.should_intercept_requests?
+          return unless pre_auth.error
 
-      # prepend is ruby 2+ feature
-      Doorkeeper::AuthorizationsController.send(:prepend, TCellAuthorizationsNew)
+          login_policy = TCellAgent.policy(TCellAgent::PolicyTypes::LOGINFRAUD)
+          tcell_data = request.env[TCellAgent::Instrumentation::TCELL_ID]
+
+          return unless tcell_data
+
+          user_id = current_resource_owner.id
+          password = nil
+          headers = request.env
+          user_valid = nil
+          login_policy.report_login_failure(
+            user_id,
+            password,
+            headers,
+            user_valid,
+            tcell_data
+          )
+        end
+      end
     end
+
+    # prepend is ruby 2+ feature
+    Doorkeeper::AuthorizationsController.send(:prepend, TCellAuthorizationsNew)
   end
 end

data/lib/tcell_agent/rails/better_ip.rb

@@ -4,28 +4,16 @@ require 'tcell_agent/instrumentation'
 module TCellAgent
   module Utils
     module Rails
-      def self.better_ip(request)
-        if TCellAgent.configuration.reverse_proxy
-          TCellAgent::Instrumentation.safe_block('Extracting reverse proxy IP') do
-            reverse_proxy_header = TCellAgent.configuration.reverse_proxy_ip_address_header
-            reverse_proxy_header = if TCellAgent::Utils::Strings.present?(reverse_proxy_header)
-                                     'HTTP_' + reverse_proxy_header.upcase.tr('-', '_')
-                                   else
-                                     'HTTP_X_FORWARDED_FOR'
-                                   end
+      def self.reverse_proxy_header(request)
+        return unless TCellAgent.configuration.reverse_proxy
 
-            x_forwarded_for = request.env[reverse_proxy_header]
-            ip = if TCellAgent::Utils::Strings.present?(x_forwarded_for)
-                   x_forwarded_for.split(',')[0].strip
-                 else
-                   request.ip
-                 end
+        TCellAgent::Instrumentation.safe_block('Extracting reverse proxy header') do
+          reverse_proxy_header = TCellAgent.configuration.reverse_proxy_ip_address_header
 
-            return ip
-          end
-        end
+          return if reverse_proxy_header.nil? || reverse_proxy_header.empty?
 
-        request.ip
+          return request.env["HTTP_#{reverse_proxy_header.upcase.tr('-', '_')}"]
+        end
       end
     end
   end

data/lib/tcell_agent/rails/csrf_exception.rb

@@ -16,12 +16,4 @@ module TCellAgent
       super if defined?(super)
     end
   end
-
-  class MyRailtie < Rails::Railtie
-    initializer 'tcell.sensors' do |_app|
-      ActiveSupport.on_load :action_controller do
-        ActionController::Base.send(:include, TCellAgent::CsrfExceptionReporter)
-      end
-    end
-  end
 end

data/lib/tcell_agent/rails/dlp.rb

@@ -1,8 +1,5 @@
 # See the file "LICENSE" for the full license governing this code.
 
-require 'tcell_agent/authlogic' if defined?(Authlogic)
-require 'tcell_agent/devise' if defined?(Devise)
-
 require 'rails'
 require 'uri'
 require 'tcell_agent/agent'
@@ -21,7 +18,6 @@ require 'tcell_agent/rails/settings_reporter'
 
 require 'tcell_agent/instrumentation'
 
-require 'tcell_agent/userinfo'
 require 'cgi'
 require 'thread'
 
@@ -84,6 +80,7 @@ module TCellAgent
               normalized_column_names[namespaced_column_name] = column_name
 
               next unless column_name && (!namespace || namespace == table_name)
+
               rules = dlp_policy.get_actions_for_table(
                 database_name,
                 '*',
@@ -194,6 +191,7 @@ module TCellAgent
             results[0...TCellAgent.configuration.max_data_ex_db_records_per_request].each do |record|
               column_name_to_rules.each do |column_name, rules|
                 next unless rules
+
                 rules.each do |rule|
                   tcell_context.add_response_db_filter(
                     record[column_name.to_sym],
@@ -305,31 +303,29 @@ module TCellAgent
       def log_enforce(tcell_context, sanitize_string)
         if TCellAgent.configuration.should_instrument? &&
            TCellAgent.configuration.should_intercept_requests?
-          if tcell_context && tcell_context.session_id
-            session_id_actions = get_actions_for_session_id
-            if session_id_actions
-              send_event = false
-              sanitize_string.gsub!(tcell_context.session_id) do |m|
-                if session_id_actions.log_redact
-                  send_event = true
-                  m = '[session_id]'
-                elsif session_id_actions.log_hash
-                  send_event = true
-                  m = '[hash]'
-                elsif session_id_actions.log_event
-                  send_event = true
-                end
-                m
-              end
-              if send_event
-                TCellAgent.send_event(
-                  TCellAgent::SensorEvents::DlpEvent.new(
-                    tcell_context.route_id,
-                    tcell_context.uri,
-                    TCellAgent::SensorEvents::DlpEvent::FOUND_IN_LOG
-                  ).for_framework(TCellAgent::SensorEvents::DlpEvent::FRAMEWORK_VARIABLE_SESSION_ID)
-                )
+          session_id_actions = get_actions_for_session_id
+          if tcell_context && tcell_context.session_id && session_id_actions
+            send_event = false
+            sanitize_string.gsub!(tcell_context.session_id) do |m|
+              if session_id_actions.log_redact
+                send_event = true
+                m = '[session_id]'
+              elsif session_id_actions.log_hash
+                send_event = true
+                m = '[hash]'
+              elsif session_id_actions.log_event
+                send_event = true
               end
+              m
+            end
+            if send_event
+              TCellAgent.send_event(
+                TCellAgent::SensorEvents::DlpEvent.new(
+                  tcell_context.route_id,
+                  tcell_context.uri,
+                  TCellAgent::SensorEvents::DlpEvent::FOUND_IN_LOG
+                ).for_framework(TCellAgent::SensorEvents::DlpEvent::FRAMEWORK_VARIABLE_SESSION_ID)
+              )
             end
           end
         end
@@ -340,32 +336,32 @@ module TCellAgent
       def response_body_enforce(tcell_context, sanitize_string)
         if TCellAgent.configuration.should_instrument? &&
            TCellAgent.configuration.should_intercept_requests?
-          if tcell_context && tcell_context.session_id
-            session_id_actions = get_actions_for_session_id
-            if session_id_actions
-              send_event = false
-              sanitize_string.gsub!(tcell_context.session_id) do |m|
-                if session_id_actions.body_redact
-                  # m = "[session_id]"
-                  send_event = true
-                elsif session_id_actions.body_hash
-                  # m = "[hash]"
-                  send_event = true
-                elsif session_id_actions.body_event
-                  send_event = true
-                end
-                m
+          session_id_actions = get_actions_for_session_id
+          if tcell_context && tcell_context.session_id && session_id_actions
+            send_event = false
+            sanitize_string.gsub!(tcell_context.session_id) do |m|
+              # rubocop:disable Lint/DuplicateBranch
+              if session_id_actions.body_redact
+                # m = "[session_id]"
+                send_event = true
+              elsif session_id_actions.body_hash
+                # m = "[hash]"
+                send_event = true
+              elsif session_id_actions.body_event
+                send_event = true
               end
+              # rubocop:enable Lint/DuplicateBranch
+              m
             end
-            if send_event
-              TCellAgent.send_event(
-                TCellAgent::SensorEvents::DlpEvent.new(
-                  tcell_context.route_id,
-                  tcell_context.uri,
-                  TCellAgent::SensorEvents::DlpEvent::FOUND_IN_BODY
-                ).for_framework(TCellAgent::SensorEvents::DlpEvent::FRAMEWORK_VARIABLE_SESSION_ID)
-              )
-            end
+          end
+          if send_event
+            TCellAgent.send_event(
+              TCellAgent::SensorEvents::DlpEvent.new(
+                tcell_context.route_id,
+                tcell_context.uri,
+                TCellAgent::SensorEvents::DlpEvent::FOUND_IN_BODY
+              ).for_framework(TCellAgent::SensorEvents::DlpEvent::FRAMEWORK_VARIABLE_SESSION_ID)
+            )
           end
         end