tcell_agent 0.2.24 → 0.2.25

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 13c88a7582aa8c65921222ed524e8000e8d8872a
-  data.tar.gz: 2bf2b713872f81e2950994f56f8d431698410224
+  metadata.gz: 92307eb548621a9832e41c4966bf2aac64933d43
+  data.tar.gz: b0fb089fcbf1967b74ae58538e37425bdb74f466
 SHA512:
-  metadata.gz: 40078c7ef5481e0364eff69549a8a3d3fc4197ad7ebb903958443e1f7eaaf8c7310d77cb1ba9d752a2b34a4a2bec748755311e8c58ff10b5570c9c8b02c58e07
-  data.tar.gz: 4469f30d67cce86ae944efd69dabd92f681cbe9d7cbe1878a1f5155d3f464d1962871c5229570c764c5ef416eb9601f0db11dce3809ac73ba96add1e3e21b57f
+  metadata.gz: 7b411099b2c2525530594416c52ef0801eb9e6fa33d7c07dde867b22e381a9edffe00f497512cab7fe2751543264aaa57f7a1629071fedbb65f57f0aafe5bd46
+  data.tar.gz: 18a19efaf4d730e0165521c6c7da3f189adb13ae0975de945e1954bd392157c9441d5c33823f3fcdef3f50cc2f10d177172366bda909e70c5234ba297a24d157

data/README.md

@@ -41,3 +41,4 @@ Or run the helper command
 Or if running from the repo:
 
     $ bundle exec <path to repo>/rubyagent-tcell/bin/tcell_agent 
+

data/lib/tcell_agent/configuration.rb

@@ -57,6 +57,8 @@ module TCellAgent
       :enable_instrumentation,     # false = Do not add instrumentation
       :enable_intercept_requests   # false = Do not insert middleware
 
+    attr_accessor :enabled_instrumentations
+
     attr_accessor :exp_config_settings
 
     def should_start_event_manager?
@@ -79,6 +81,30 @@ module TCellAgent
       @enabled && @enable_instrumentation && @enable_intercept_requests
     end
 
+    def should_instrument_doorkeeper?
+      if @enabled_instrumentations.has_key?('doorkeeper') || @enabled_instrumentations.has_key?(:doorkeeper)
+        !!(@enabled_instrumentations['doorkeeper'] || @enabled_instrumentations[:doorkeeper])
+      else
+        true
+      end
+    end
+
+    def should_instrument_devise?
+      if @enabled_instrumentations.has_key?('devise') || @enabled_instrumentations.has_key?(:devise)
+        !!(@enabled_instrumentations['devise'] || @enabled_instrumentations[:devise])
+      else
+        true
+      end
+    end
+
+    def should_instrument_authlogic?
+      if @enabled_instrumentations.has_key?('authlogic') || @enabled_instrumentations.has_key?(:authlogic)
+        !!(@enabled_instrumentations['authlogic'] || @enabled_instrumentations[:authlogic])
+      else
+        true
+      end
+    end
+
     def initialize(filename="config/tcell_agent.config", useapp=nil)
       # These will be set when the agent starts up, to give rails initializers
       # a chance to run
@@ -104,6 +130,11 @@ module TCellAgent
       @enable_instrumentation = true
       @enable_intercept_requests = true
 
+      @enabled_instrumentations = {
+        doorkeeper: true,
+        devise: true,
+        authlogic: true
+      }
 
       @agent_home_dir = File.join(Dir.getwd, "tcell")
       @config_filename = File.join(Dir.getwd, filename)
@@ -240,6 +271,8 @@ module TCellAgent
             data_exposure = app_data.fetch('data_exposure', {})
             @max_data_ex_db_records_per_request = data_exposure.fetch('max_data_ex_db_records_per_request', @max_data_ex_db_records_per_request)
 
+            @enabled_instrumentations = app_data.fetch('enabled_instrumentations', {})
+
             @reverse_proxy = app_data.fetch('reverse_proxy', @reverse_proxy)
             @reverse_proxy_ip_address_header = app_data.fetch('reverse_proxy_ip_address_header', @reverse_proxy_ip_address_header)
 
@@ -293,6 +326,7 @@ module TCellAgent
       @agent_log_dir ||= File.join(@agent_home_dir, "logs")
       File.join(@agent_log_dir, "tcell_agent_payloads.log")
     end
+
   end # class
 
   TCellAgent.configuration ||= TCellAgent::Configuration.new

data/lib/tcell_agent/devise.rb

@@ -5,12 +5,6 @@ require 'devise/rails'
 require 'devise/strategies/database_authenticatable'
 require 'tcell_agent/userinfo'
 require 'tcell_agent/logger'
-#Warden::Manager.after_authentication do |user,auth,opts|
-#    p "<M>M>M>M>M>M>M>M>M>M>M>M>M>M>M>M>M>M>M"
-#    p user
-#  # do something with user
-#end
-
 require 'tcell_agent/sensor_events/honeytokens'
 
 module TCellAgent
@@ -39,45 +33,5 @@ module TCellAgent
         end
       end
     end
-    # Devise::Strategies::DatabaseAuthenticatable.class_eval do
-    #   alias_method :original_authenticate!, :authenticate!
-    #   def authenticate!
-    #     begin
-    #       tcell_background_worker = TCellAgent.thread_agent
-    #       # if (tcell_background_worker && tcell_background_worker.honeytokens_policy)
-    #       #   credstring = ""
-    #       #   authentication_keys.each do |authentication_key|
-    #       #     credstring = credstring + authentication_hash[authentication_key] + "::"
-    #       #   end
-    #       #   credstring = credstring + password[1..-3] # Chop off first and last 2 characters
-    #       #   token_id = tcell_background_worker.honeytokens_policy.id_for_credentialstring(credstring)
-    #       #   if token_id
-    #       #     begin
-    #       #       event = TCellAgent::SensorEvents::HoneytokensSensorEvent.new(request, token_id)
-    #       #       TCellAgent.send_event(event)
-    #       #     rescue
-    #       #       #pass
-    #       #     end
-    #       #     return
-    #       #   end
-    #       # end
-    #     rescue Exception => e
-    #       TCellAgent.logger.error("uncaught exception while processing honeytokens: #{e.message}")
-    #     end
-    #     original_authenticate!
-    #   end
-    # end
   end
 end
-# module Devise
-#   module Models
-#     module Recoverable
-#       extend ActiveSupport::Concern
-#       alias_method :original_send_reset_password_instructions, :send_reset_password_instructions
-#       def send_reset_password_instructions
-#         x = original_send_reset_password_instructions
-#         x
-#       end
-#     end
-#   end
-# end

data/lib/tcell_agent/instrumentation.rb

@@ -62,7 +62,7 @@ module TCellAgent
     class TCellData
       attr_accessor :transaction_id, :session_id, :hmac_session_id, :user_id, :route_id,
         :uri, :context_filters_by_term, :database_filters, :ip_address, :user_agent, :request_method,
-        :path_parameters, :ip_blocking_triggered, :grape_mount_endpoint
+        :path_parameters, :ip_blocking_triggered, :grape_mount_endpoint, :referrer, :path
 
       def self.filterx(sanitize_string, event_flag, replace_flag, term)
         send_event = false

data/lib/tcell_agent/rails/auth/authlogic.rb

@@ -1,57 +1,63 @@
 # See the file "LICENSE" for the full license governing this code.
 
-require 'tcell_agent/logger'
-require 'tcell_agent/configuration'
-require 'tcell_agent/instrumentation'
+if TCellAgent.configuration.should_instrument_authlogic?
 
-module TCellAgent
-  if defined?(Authlogic)
-    TCellAgent.logger.debug("Instrumenting Authlogic")
-    require 'tcell_agent/agent'
-    require 'tcell_agent/sensor_events/login_fraud'
-    Authlogic::Session::Base.class_eval do
-      alias_method :original_save, :save
-      def save(&block)
-        if (TCellAgent.configuration.enabled && TCellAgent.configuration.should_intercept_requests?)
-          user_logged_in_before = (user != nil)
-          success = original_save
-          user_logged_in_after = (user != nil)
-          TCellAgent::Instrumentation.safe_block("Authlogic login info") {
+  require 'tcell_agent/logger'
+  require 'tcell_agent/configuration'
+  require 'tcell_agent/instrumentation'
 
-            login_fraud_policy = TCellAgent.policy(TCellAgent::PolicyTypes::LoginFraud)
-            if (login_fraud_policy && login_fraud_policy.enabled)
-              user_id = nil
-              TCellAgent::Instrumentation.safe_block("getting userid for login form") {
-                user_id = self.send(self.class.login_field.to_sym)
-              }
-              if (user_logged_in_before && user_logged_in_after)
-                #password changed or logged in as another user
-              elsif (!user_logged_in_before && !user_logged_in_after)
-                if (login_fraud_policy.login_failed_enabled)
-                  request = Authlogic::Session::Base.controller.request
-                  response = Authlogic::Session::Base.controller.response
-                  hmac_session_id = request.env[TCellAgent::Instrumentation::TCELL_ID].hmac_session_id
-                  event = TCellAgent::SensorEvents::LoginFailure.new(request, response, user_id, hmac_session_id)
-                  TCellAgent.send_event(event)
-                end
-              elsif (!user_logged_in_before && user_logged_in_after)
-                if (login_fraud_policy.login_success_enabled)
-                  request = Authlogic::Session::Base.controller.request
-                  response = Authlogic::Session::Base.controller.response
-                  hmac_session_id = request.env[TCellAgent::Instrumentation::TCELL_ID].hmac_session_id
-                  event = TCellAgent::SensorEvents::LoginSuccess.new(request, response, user_id, hmac_session_id)
-                  TCellAgent.send_event(event)
+  module TCellAgent
+    if defined?(Authlogic)
+      TCellAgent.logger.debug("Instrumenting Authlogic")
+      require 'tcell_agent/agent'
+      require 'tcell_agent/sensor_events/login_fraud'
+      Authlogic::Session::Base.class_eval do
+        alias_method :original_save, :save
+        def save(&block)
+          if (TCellAgent.configuration.enabled && TCellAgent.configuration.should_intercept_requests?)
+            user_logged_in_before = (user != nil)
+            success = original_save
+            user_logged_in_after = (user != nil)
+            TCellAgent::Instrumentation.safe_block("Authlogic login info") {
+
+              login_fraud_policy = TCellAgent.policy(TCellAgent::PolicyTypes::LoginFraud)
+              if (login_fraud_policy && login_fraud_policy.enabled)
+                user_id = nil
+                TCellAgent::Instrumentation.safe_block("getting userid for login form") {
+                  user_id = self.send(self.class.login_field.to_sym)
+                }
+                if (user_logged_in_before && user_logged_in_after)
+                  #password changed or logged in as another user
+                elsif (!user_logged_in_before && !user_logged_in_after)
+                  if (login_fraud_policy.login_failed_enabled)
+                    request = Authlogic::Session::Base.controller.request
+                    tcell_data = request.env[TCellAgent::Instrumentation::TCELL_ID]
+                    if tcell_data
+                      event = TCellAgent::SensorEvents::LoginFailure.new(request.env, tcell_data, user_id)
+                      TCellAgent.send_event(event)
+                    end
+                  end
+                elsif (!user_logged_in_before && user_logged_in_after)
+                  if (login_fraud_policy.login_success_enabled)
+                    request = Authlogic::Session::Base.controller.request
+                    tcell_data = request.env[TCellAgent::Instrumentation::TCELL_ID]
+                    if tcell_data
+                      event = TCellAgent::SensorEvents::LoginSuccess.new(request.env, tcell_data, user_id)
+                      TCellAgent.send_event(event)
+                    end
+                  end
                 end
               end
-            end
-          }
+            }
 
-          success
+            success
 
-        else
-          original_save
-        end # if instrument
+          else
+            original_save
+          end # if instrument
+        end
       end
-    end
-  end # if Authlogic
+    end # if Authlogic
+  end
+
 end

data/lib/tcell_agent/rails/auth/devise.rb

@@ -1,80 +1,112 @@
-module TCellAgent
-  if defined?(Devise)
+if TCellAgent.configuration.should_instrument_devise? && defined?(Devise)
+  module TCellAgent
 
+    require 'base64'
     require 'tcell_agent/agent'
     require 'tcell_agent/sensor_events/login_fraud'
     require 'tcell_agent/policies/appsensor_policy'
 
-    Devise::SessionsController.class_eval do
+    module DeviseInstrumentation
+      def self.report_login_event(clazz, request_env, user_id)
+        if (TCellAgent.configuration.enabled && TCellAgent.configuration.should_intercept_requests?)
 
-      if (::Rails::VERSION::MAJOR == 5)
-        after_action :log_failed_login, :only => :new
-      elsif (::Rails::VERSION::MAJOR < 5)
-        after_filter :log_failed_login, :only => :new
-      end
-      alias_method :original_new, :new
-      def new
-        original_new
+          login_fraud_policy = TCellAgent.policy(TCellAgent::PolicyTypes::LoginFraud)
+          if (login_fraud_policy && login_fraud_policy.enabled && login_fraud_policy.login_failed_enabled)
+            tcell_data = request_env[TCellAgent::Instrumentation::TCELL_ID]
+            if tcell_data
+              TCellAgent.send_event(clazz.new(request_env, tcell_data, user_id))
+            end
+          end
+        end
       end
 
-      alias_method :original_create, :create
-      def create(&block)
-        results = original_create(&block)
+      module TCellFailureAppRespond
+        def respond
+          TCellAgent::Instrumentation.safe_block("Devise Failure App Respond") do
+            if (TCellAgent.configuration.enabled && TCellAgent.configuration.should_intercept_requests?)
+              tcell_data = request.env[TCellAgent::Instrumentation::TCELL_ID]
+              if tcell_data
+                # in the case of http auth, the user_id is set in
+                # Devise::Strategies::Authenticatable.valid_for_http_auth?
+                user_id = tcell_data.user_id
+                user_id = _get_tcell_username unless user_id
+                TCellAgent::DeviseInstrumentation.report_login_event(
+                  TCellAgent::SensorEvents::LoginFailure,
+                  request.env,
+                  user_id
+                )
+              end
 
-        if (TCellAgent.configuration.enabled && TCellAgent.configuration.should_intercept_requests?)
-          TCellAgent::Instrumentation.safe_block("Devise login successful") {
-            tcell_username = _get_tcell_username
-            login_fraud_policy = TCellAgent.policy(TCellAgent::PolicyTypes::LoginFraud)
-            if (login_fraud_policy && login_fraud_policy.enabled && login_fraud_policy.login_success_enabled)
-              hmac_session_id = request.env[TCellAgent::Instrumentation::TCELL_ID].hmac_session_id
-              request.env[TCellAgent::Instrumentation::TCELL_ID].user_id = TCellAgent::UserInformation.getUserFromRequest(request)
-              user_id = tcell_username || request.env[TCellAgent::Instrumentation::TCELL_ID].user_id
-              event = TCellAgent::SensorEvents::LoginSuccess.new(request, response, user_id, hmac_session_id)
-              TCellAgent.send_event(event)
             end
-          }
+          end
+
+          super if defined?(super)
         end
 
-        results
+        def _get_tcell_username
+          _tcell_username = nil
+          TCellAgent::Instrumentation.safe_block("Devise Get TCell Username") {
+            keys = scope_class.authentication_keys.dup
+            user_params = request.POST.fetch("user",{})
+            keys.each do |key|
+              next_usename = user_params.fetch(key, nil)
+              if next_usename
+                _tcell_username ||= ""
+                _tcell_username += next_usename
+              end
+            end
+          }
+          _tcell_username
+        end
       end
+    end
 
-      def _get_tcell_username
-        _tcell_username = nil
-        TCellAgent::Instrumentation.safe_block("devise login - get username") {
-          keys = resource_class.authentication_keys.dup
-          user_params = request.POST.fetch("user",{})
-          keys.each do |key|
-            next_usename = user_params.fetch(key, nil)
-            if next_usename
-              _tcell_username ||= ""
-              _tcell_username += next_usename
-            end
+    # prepend is ruby 2+ feature
+    Devise::FailureApp.send(:prepend, DeviseInstrumentation::TCellFailureAppRespond)
+
+    Devise::Strategies::Authenticatable.class_eval do
+      alias_method :tcell_valid_for_http_auth?, :valid_for_http_auth?
+      def valid_for_http_auth?
+        is_valid = tcell_valid_for_http_auth?
+
+        TCellAgent::Instrumentation.safe_block("Devise set username for http basic auth") do
+          tcell_data = request.env[TCellAgent::Instrumentation::TCELL_ID]
+          if http_auth_hash && tcell_data
+            username = http_auth_hash[http_authentication_key]
+            tcell_data.user_id = username if username && !tcell_data.user_id
           end
-        }
-        _tcell_username
+        end
+
+        is_valid
       end
 
-      private
-      def log_failed_login
-        if (TCellAgent.configuration.enabled && TCellAgent.configuration.should_intercept_requests?)
-          TCellAgent::Instrumentation.safe_block("Devise login failed") {
-            tcell_username = _get_tcell_username
-            login_fraud_policy = TCellAgent.policy(TCellAgent::PolicyTypes::LoginFraud)
-            if (login_fraud_policy && login_fraud_policy.enabled && login_fraud_policy.login_failed_enabled)
-              if failed_login?
-                hmac_session_id = request.env[TCellAgent::Instrumentation::TCELL_ID].hmac_session_id
-                event = TCellAgent::SensorEvents::LoginFailure.new(request, response, tcell_username, hmac_session_id)
-                TCellAgent.send_event(event)
+      alias_method :tcell_validate, :validate
+      def validate(resource, &block)
+        is_valid = tcell_validate(resource, &block)
+
+        TCellAgent::Instrumentation.safe_block("Devise Authenticatable Validate") do
+          if (is_valid && TCellAgent.configuration.enabled && TCellAgent.configuration.should_intercept_requests?)
+            username = nil
+            (authentication_keys || []).each do |auth_key|
+              attr = authentication_hash[auth_key]
+              if attr
+                username ||= ""
+                username += attr
               end
             end
-          }
+
+            TCellAgent::DeviseInstrumentation.report_login_event(
+              TCellAgent::SensorEvents::LoginSuccess,
+              request.env,
+              username
+            )
+          end
         end
-      end
 
-      def failed_login?
-        (options = env["warden.options"]) && options[:action] == "unauthenticated"
+        is_valid
       end
+
     end
 
-  end #if defined devise
+  end
 end

data/lib/tcell_agent/rails/auth/doorkeeper.rb

@@ -0,0 +1,72 @@
+if TCellAgent.configuration.should_instrument_doorkeeper?
+
+  if defined?(Doorkeeper)
+    require 'tcell_agent/agent'
+    require 'tcell_agent/sensor_events/login_fraud'
+    require 'tcell_agent/policies/appsensor_policy'
+    require 'tcell_agent/sensor_events/login_fraud'
+
+    module TCellAgent
+      module DoorkeeperInstrumentation
+
+        Doorkeeper::TokensController.class_eval do
+          alias_method :tcell_authorize_response, :authorize_response
+          def authorize_response
+            result = tcell_authorize_response
+
+            TCellAgent::Instrumentation.safe_block("Doorkeeper Token Authorize") do
+              if (TCellAgent.configuration.enabled && TCellAgent.configuration.should_intercept_requests?)
+                login_fraud_policy = TCellAgent.policy(TCellAgent::PolicyTypes::LoginFraud)
+                if (login_fraud_policy && login_fraud_policy.enabled && login_fraud_policy.login_failed_enabled)
+                  tcell_data = request.env[TCellAgent::Instrumentation::TCELL_ID]
+                  if tcell_data
+                    if result.is_a?(Doorkeeper::OAuth::TokenResponse)
+                      TCellAgent.send_event(
+                        TCellAgent::SensorEvents::LoginSuccess.new(request.env, tcell_data, result.token.resource_owner_id)
+                      )
+                    elsif result.is_a?(Doorkeeper::OAuth::ErrorResponse)
+                      TCellAgent.send_event(
+                        TCellAgent::SensorEvents::LoginFailure.new(request.env, tcell_data, request.POST['client_id'])
+                      )
+                    end
+
+                  end
+                end
+              end
+            end
+
+            result
+          end
+        end
+
+        module TCellAuthorizationsNew
+          def new
+            super if defined?(super)
+
+            TCellAgent::Instrumentation.safe_block("Doorkeeper Token Authorize") do
+              if (TCellAgent.configuration.enabled && TCellAgent.configuration.should_intercept_requests?)
+                if pre_auth.error
+                  login_fraud_policy = TCellAgent.policy(TCellAgent::PolicyTypes::LoginFraud)
+                  if (login_fraud_policy && login_fraud_policy.enabled && login_fraud_policy.login_failed_enabled)
+                    tcell_data = request.env[TCellAgent::Instrumentation::TCELL_ID]
+                    if tcell_data && pre_auth.error
+                      TCellAgent.send_event(
+                        TCellAgent::SensorEvents::LoginFailure.new(request.env, tcell_data, current_resource_owner.id)
+                      )
+                    end
+                  end
+                end
+              end
+            end
+          end
+        end
+
+        # prepend is ruby 2+ feature
+        Doorkeeper::AuthorizationsController.send(:prepend, TCellAuthorizationsNew)
+      end
+
+    end
+
+  end
+
+end

data/lib/tcell_agent/rails/auth/hooks.rb

@@ -0,0 +1,79 @@
+require 'tcell_agent/agent'
+require 'tcell_agent/sensor_events/login_fraud'
+require 'tcell_agent/policies/appsensor_policy'
+require 'tcell_agent/sensor_events/login_fraud'
+
+if defined?(TCellAgent::Hooks::V1::Frameworks::Rails::Login)
+  TCellAgent::Hooks::V1::Frameworks::Rails::Login.module_eval do
+    class << self
+      alias_method :tcell_register_login_event, :register_login_event
+      def register_login_event(status, rails_request, user_id, user_valid=nil)
+        TCellAgent::Instrumentation.safe_block("Rails Auth Hooks") do
+          if (TCellAgent.configuration.enabled && TCellAgent.configuration.should_intercept_requests?)
+            login_fraud_policy = TCellAgent.policy(TCellAgent::PolicyTypes::LoginFraud)
+            if (login_fraud_policy && login_fraud_policy.enabled && login_fraud_policy.login_failed_enabled)
+              tcell_data = rails_request.env[TCellAgent::Instrumentation::TCELL_ID]
+              if tcell_data
+                if status == TCellAgent::Hooks::V1::Login::LOGIN_FAILURE
+                  TCellAgent.send_event(
+                    TCellAgent::SensorEvents::LoginFailure.new(rails_request.env, tcell_data, user_id)
+                  )
+                elsif status == TCellAgent::Hooks::V1::Login::LOGIN_SUCCESS
+                  TCellAgent.send_event(
+                    TCellAgent::SensorEvents::LoginSuccess.new(rails_request.env, tcell_data, user_id)
+                  )
+                else
+                  TCellAgent.logger.error("Unkown login status: #{status}")
+                end
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end
+
+if defined?(TCellAgent::Hooks::V1::Login)
+  TCellAgent::Hooks::V1::Login.module_eval do
+    class << self
+      alias_method :tcell_register_login_event, :register_login_event
+      def register_login_event(
+          status,
+          session_id,
+          user_agent,
+          referrer,
+          remote_address,
+          header_keys,
+          user_id,
+          document_uri,
+          user_valid=nil)
+        TCellAgent::Instrumentation.safe_block("Login Auth Hooks") do
+          if (TCellAgent.configuration.enabled && TCellAgent.configuration.should_intercept_requests?)
+            login_fraud_policy = TCellAgent.policy(TCellAgent::PolicyTypes::LoginFraud)
+            if (login_fraud_policy && login_fraud_policy.enabled && login_fraud_policy.login_failed_enabled)
+              tcell_data = TCellAgent::Instrumentation::TCellData.new
+              tcell_data.user_agent = user_agent
+              tcell_data.referrer = referrer
+              tcell_data.ip_address = remote_address
+              tcell_data.path = document_uri
+              tcell_data.hmac_session_id = TCellAgent::SensorEvents::Util.hmac(session_id)
+
+              if status == TCellAgent::Hooks::V1::Login::LOGIN_FAILURE
+                TCellAgent.send_event(
+                  TCellAgent::SensorEvents::LoginFailure.new(header_keys, tcell_data, user_id)
+                )
+              elsif status == TCellAgent::Hooks::V1::Login::LOGIN_SUCCESS
+                TCellAgent.send_event(
+                  TCellAgent::SensorEvents::LoginSuccess.new(header_keys, tcell_data, user_id)
+                )
+              else
+                TCellAgent.logger.error("Unkown login status: #{status}")
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/tcell_agent/rails/middleware/global_middleware.rb

@@ -47,6 +47,8 @@ module TCellAgent
               TCellAgent::Instrumentation.safe_block("Setting and ip address user agent") {
                 env[TCellAgent::Instrumentation::TCELL_ID].ip_address = TCellAgent::Utils::Rails.better_ip(request)
                 env[TCellAgent::Instrumentation::TCELL_ID].user_agent = request.user_agent
+                env[TCellAgent::Instrumentation::TCELL_ID].path = request.path
+                env[TCellAgent::Instrumentation::TCELL_ID].referrer = request.referrer
               }
             end
 

data/lib/tcell_agent/rails/on_start.rb

@@ -26,6 +26,8 @@ else
           require 'tcell_agent/rails/auth/devise' if defined?(Devise)
           require 'tcell_agent/authlogic' if defined?(Authlogic)
           require 'tcell_agent/rails/auth/authlogic'  if defined?(Authlogic)
+          require 'tcell_agent/rails/auth/doorkeeper'
+          require 'tcell_agent/rails/auth/hooks'
         end
 
         # TODO: will this get run ever?

data/lib/tcell_agent/rails.rb

@@ -31,6 +31,8 @@ module TCellAgent
         require 'tcell_agent/rails/auth/devise' if defined?(Devise)
         require 'tcell_agent/authlogic' if defined?(Authlogic)
         require 'tcell_agent/rails/auth/authlogic'  if defined?(Authlogic)
+        require 'tcell_agent/rails/auth/doorkeeper'
+        require 'tcell_agent/rails/auth/hooks'
       end
       app.config.middleware.insert_before(0, TCellAgent::Instrumentation::Rails::Middleware::ContextMiddleware)
       app.config.middleware.insert_after(0, TCellAgent::Instrumentation::Rails::Middleware::HeadersMiddleware)

data/lib/tcell_agent/sensor_events/appsensor_event.rb

@@ -19,9 +19,9 @@ module TCellAgent
                      pattern=nil)
         super("as")
         self["dp"] = detection_point
-        self["param"] = param if param
-        self["remote_addr"] = remote_addr if remote_addr
-        self["m"] = method if method
+        self["param"] = param.to_s if param
+        self["remote_addr"] = remote_addr.to_s if remote_addr
+        self["m"] = method.to_s if method
         @raw_location = location
         @user_id = user_id
         @hmac_session_id = hmac_session_id

data/lib/tcell_agent/sensor_events/login_fraud.rb

@@ -3,41 +3,52 @@
 require 'tcell_agent/sensor_events/util/sanitizer_utilities'
 require 'tcell_agent/sensor_events/sensor'
 require 'tcell_agent/sensor_events/util/sanitizer_utilities'
+
 module TCellAgent
-    module SensorEvents
-
-        class LoginFailure < TCellSensorEvent
-            def initialize(request, response, user_id, hmac_session_id)
-                super("login")
-                headers = request.env.select {|k,v| k.start_with? 'HTTP_'}
-                  .collect {|k,v| k.sub(/^HTTP_/, '') }
-                self["event_name"] = "login-failure"
-                self["user_agent"] = request.env['HTTP_USER_AGENT']
-                self["referrer"] = request.referer
-                self["remote_addr"] = request.remote_ip
-                self["header_keys"] = headers
-                self["user_id"] = user_id
-                self["document_uri"] = TCellAgent::SensorEvents::Util.strip_uri_values(request.path)
-                self["session"] = hmac_session_id
-            end
-        end
+  module SensorEvents
+
+    class LoginEvent < TCellSensorEvent
+      def initialize(header_keys, tcell_data, user_id, user_valid)
+        super("login")
 
-        class LoginSuccess < TCellSensorEvent
-            attr_accessor :event_name
-            def initialize(request, response, user_id, hmac_session_id)
-                super("login")
-                headers = request.env.select {|k,v| k.start_with? 'HTTP_'}
-                  .collect {|k,v| k.sub(/^HTTP_/, '') }
-                self["event_name"] = "login-success"
-                self["user_agent"] = request.env['HTTP_USER_AGENT']
-                self["referrer"] = request.referer
-                self["remote_addr"] = request.remote_ip
-                self["header_keys"] = headers
-                self["user_id"] = user_id
-                self["document_uri"] = TCellAgent::SensorEvents::Util.strip_uri_values(request.path)
-                self["session"] = hmac_session_id
-            end
+        self["header_keys"] = header_keys
+
+        self["user_agent"] = tcell_data.user_agent.to_s if tcell_data.user_agent
+        self["referrer"] = tcell_data.referrer.to_s if tcell_data.referrer
+        self["remote_addr"] = tcell_data.ip_address.to_s if tcell_data.ip_address
+        self["user_id"] = user_id.to_s if user_id
+        self["document_uri"] = TCellAgent::SensorEvents::Util.strip_uri_values(tcell_data.path) if tcell_data.path
+        self["session"] = tcell_data.hmac_session_id if tcell_data.hmac_session_id
+      end
+
+      protected
+        def clean_header_keys(request_env_or_header_keys)
+          if request_env_or_header_keys.is_a?(Hash)
+            request_env_or_header_keys.select {|k,v| k.start_with? 'HTTP_'}.collect {|k,v| k.sub(/^HTTP_/, '') }
+          else
+            request_env_or_header_keys.map { |k| k.sub(/^HTTP_/, '') }
+          end
         end
+    end
+
+    class LoginFailure < LoginEvent
+      def initialize(request_env_or_header_keys, tcell_data, user_id, user_valid=nil)
+        header_keys = clean_header_keys(request_env_or_header_keys)
+
+        super(header_keys, tcell_data, user_id, user_valid)
+
+        self["event_name"] = "login-failure"
+      end
+    end
+
+    class LoginSuccess < LoginEvent
+      def initialize(request_env_or_header_keys, tcell_data, user_id, user_valid=nil)
+        header_keys = clean_header_keys(request_env_or_header_keys)
+
+        super(header_keys, tcell_data, user_id, user_valid)
 
+        self["event_name"] = "login-success"
+      end
     end
-end
+  end
+end

data/lib/tcell_agent/servers/unicorn.rb

@@ -10,19 +10,19 @@ Unicorn::HttpServer.class_eval do
   # this only runs when preload_app=true because when preload_app=false
   # the gems aren't loaded early enough for tcell to override
   # the class definitions
-  alias_method :original_join, :join
-  def join
+  alias_method :tcell_bind_new_listeners!, :bind_new_listeners!
+  def bind_new_listeners!
     TCellAgent.run_instrumentation("Unicorn")
 
-    original_join
+    tcell_bind_new_listeners!
   end
 
   # This gets called when unicorn receives the HUP signal to reload its config.
   # Tcell also needs to ensure its config is reloaded and services are started
   # or stopped accordingly
-  alias_method :original_load_config!, :load_config!
+  alias_method :tcell_load_config!, :load_config!
   def load_config!
-    original_load_config!
+    tcell_load_config!
 
     TCellAgent::Instrumentation.safe_block("Reloading Tcell Config") do
       new_config = TCellAgent::Configuration.new
@@ -94,9 +94,9 @@ Unicorn::HttpServer.class_eval do
   # this only runs when preload_app=true because when preload_app=false
   # the gems aren't loaded early enough for tcell to override
   # the class definitions
-  alias original_init_worker_process init_worker_process
+  alias tcell_init_worker_process init_worker_process
   def init_worker_process(work)
-    start_process = original_init_worker_process(work)
+    start_process = tcell_init_worker_process(work)
 
     if TCellAgent.configuration.enabled && TCellAgent.configuration.should_instrument?
       begin

data/lib/tcell_agent/version.rb

@@ -1,5 +1,5 @@
 # See the file "LICENSE" for the full license governing this code.
 
 module TCellAgent
-  VERSION = "0.2.24"
+  VERSION = "0.2.25"
 end

data/spec/lib/tcell_agent/rails/auth/hooks_spec.rb

@@ -0,0 +1,246 @@
+require 'spec_helper'
+
+module TCellAgent
+
+  module Hooks
+    module V1
+      module Frameworks
+        module Rails
+          module Login
+            def self.register_login_event(status, rails_request, user_id, user_valid=nil)
+            end
+          end
+        end
+      end
+    end
+  end
+
+  module Hooks
+    module V1
+      module Login
+        LOGIN_SUCCESS = "success"
+        LOGIN_FAILURE = "failure"
+        def self.register_login_event(status, session_id, user_agent, referrer, remote_addr, header_keys, user_id, document_uri, user_valid=nil)
+        end
+      end
+    end
+  end
+
+  describe "manually requiring auth hooks" do
+    before(:all) do
+      require 'tcell_agent/rails/auth/hooks'
+    end
+
+    describe "Using generic interface" do
+      context "with a login failure" do
+        it "should report the login failure" do
+          login_fraud = double("login_fraud", enabled: true, login_failed_enabled: true)
+
+          expect(TCellAgent).to receive(:policy).with(TCellAgent::PolicyTypes::LoginFraud).and_return(
+            login_fraud
+          )
+          expect(TCellAgent).to receive(:send_event).with(
+            {
+              "event_type" => "login",
+              "header_keys" => ["USER_AGENT", "X_FORWARDED_FOR"],
+              "user_agent" => "user_agent",
+              "referrer" => "referrer",
+              "remote_addr" => "1.1.1.1",
+              "user_id" => "user_id",
+              "document_uri" => "http://tcell.tcell.io/login?param_name=",
+              "session" => "48c0ce7961d8d5d4bd57bd77976b3d38",
+              "event_name" => "login-failure"
+            }
+          )
+
+          status = Hooks::V1::Login::LOGIN_FAILURE
+          header_keys = ["HTTP_USER_AGENT", "HTTP_X_FORWARDED_FOR"]
+          document_uri = "http://tcell.tcell.io/login?param_name=param_value"
+
+          Hooks::V1::Login.register_login_event(
+            status, "session_id", "user_agent", "referrer", "1.1.1.1", header_keys, "user_id", document_uri
+          )
+        end
+      end
+
+      context "with a login success" do
+        it "should report the login success" do
+          login_fraud = double("login_fraud", enabled: true, login_failed_enabled: true)
+
+          expect(TCellAgent).to receive(:policy).with(TCellAgent::PolicyTypes::LoginFraud).and_return(
+            login_fraud
+          )
+          expect(TCellAgent).to receive(:send_event).with(
+            {
+              "event_type" => "login",
+              "header_keys" => ["USER_AGENT", "X_FORWARDED_FOR"],
+              "user_agent" => "user_agent",
+              "referrer" => "referrer",
+              "remote_addr" => "1.1.1.1",
+              "user_id" => "user_id",
+              "document_uri" => "http://tcell.tcell.io/login?param_name=",
+              "session" => "48c0ce7961d8d5d4bd57bd77976b3d38",
+              "event_name" => "login-success"
+            }
+          )
+
+          status = Hooks::V1::Login::LOGIN_SUCCESS
+          header_keys = ["HTTP_USER_AGENT", "HTTP_X_FORWARDED_FOR"]
+          document_uri = "http://tcell.tcell.io/login?param_name=param_value"
+
+          Hooks::V1::Login.register_login_event(
+            status, "session_id", "user_agent", "referrer", "1.1.1.1", header_keys, "user_id", document_uri
+          )
+        end
+      end
+
+      context "with an unknown status" do
+        it "should log the error" do
+          login_fraud = double("login_fraud", enabled: true, login_failed_enabled: true)
+          logger = double("logger")
+
+          expect(TCellAgent).to receive(:policy).with(TCellAgent::PolicyTypes::LoginFraud).and_return(
+            login_fraud
+          )
+          expect(TCellAgent).to_not receive(:send_event)
+          expect(TCellAgent).to receive(:logger).and_return(logger)
+          expect(logger).to receive(:error).with("Unkown login status: mumbo-jumbo")
+
+          status = "mumbo-jumbo"
+          header_keys = ["HTTP_USER_AGENT", "HTTP_X_FORWARDED_FOR"]
+          document_uri = "http://tcell.tcell.io/login?param_name=param_value"
+
+          Hooks::V1::Login.register_login_event(
+            status, "session_id", "user_agent", "referrer", "1.1.1.1", header_keys, "user_id", document_uri
+          )
+        end
+      end
+    end
+
+    describe "Using rails interface" do
+      context "with a login failure" do
+        it "should report the login failure" do
+          login_fraud = double("login_fraud", enabled: true, login_failed_enabled: true)
+          rails_request = double("rails_request")
+          tcell_data = TCellAgent::Instrumentation::TCellData.new
+          tcell_data.user_agent = "user_agent"
+          tcell_data.referrer = "referrer"
+          tcell_data.ip_address = "1.1.1.1"
+          tcell_data.path = "http://tcell.tcell.io/login?param_name=param_value"
+          tcell_data.hmac_session_id = TCellAgent::SensorEvents::Util.hmac("session_id")
+          request_env = {
+            TCellAgent::Instrumentation::TCELL_ID => tcell_data,
+            "HTTP_USER_AGENT" => true,
+            "HTTP_X_FORWARDED_FOR" => true
+          }
+
+
+          expect(TCellAgent).to receive(:policy).with(TCellAgent::PolicyTypes::LoginFraud).and_return(
+            login_fraud
+          )
+          expect(rails_request).to receive(:env).and_return(request_env)
+          expect(rails_request).to receive(:env).and_return(request_env)
+          expect(TCellAgent).to receive(:send_event).with(
+            {
+              "event_type" => "login",
+              "header_keys" => ["USER_AGENT", "X_FORWARDED_FOR"],
+              "user_agent" => "user_agent",
+              "referrer" => "referrer",
+              "remote_addr" => "1.1.1.1",
+              "user_id" => "user_id",
+              "document_uri" => "http://tcell.tcell.io/login?param_name=",
+              "session" => "48c0ce7961d8d5d4bd57bd77976b3d38",
+              "event_name" => "login-failure"
+            }
+          )
+
+          status = Hooks::V1::Login::LOGIN_FAILURE
+
+          Hooks::V1::Frameworks::Rails::Login.register_login_event(
+            status, rails_request, "user_id"
+          )
+        end
+      end
+
+      context "with a login success" do
+        it "should report the login success" do
+          login_fraud = double("login_fraud", enabled: true, login_failed_enabled: true)
+          rails_request = double("rails_request")
+          tcell_data = TCellAgent::Instrumentation::TCellData.new
+          tcell_data.user_agent = "user_agent"
+          tcell_data.referrer = "referrer"
+          tcell_data.ip_address = "1.1.1.1"
+          tcell_data.path = "http://tcell.tcell.io/login?param_name=param_value"
+          tcell_data.hmac_session_id = TCellAgent::SensorEvents::Util.hmac("session_id")
+          request_env = {
+            TCellAgent::Instrumentation::TCELL_ID => tcell_data,
+            "HTTP_USER_AGENT" => true,
+            "HTTP_X_FORWARDED_FOR" => true
+          }
+
+
+          expect(TCellAgent).to receive(:policy).with(TCellAgent::PolicyTypes::LoginFraud).and_return(
+            login_fraud
+          )
+          expect(rails_request).to receive(:env).and_return(request_env)
+          expect(rails_request).to receive(:env).and_return(request_env)
+          expect(TCellAgent).to receive(:send_event).with(
+            {
+              "event_type" => "login",
+              "header_keys" => ["USER_AGENT", "X_FORWARDED_FOR"],
+              "user_agent" => "user_agent",
+              "referrer" => "referrer",
+              "remote_addr" => "1.1.1.1",
+              "user_id" => "user_id",
+              "document_uri" => "http://tcell.tcell.io/login?param_name=",
+              "session" => "48c0ce7961d8d5d4bd57bd77976b3d38",
+              "event_name" => "login-success"
+            }
+          )
+
+          status = Hooks::V1::Login::LOGIN_SUCCESS
+
+          Hooks::V1::Frameworks::Rails::Login.register_login_event(
+            status, rails_request, "user_id"
+          )
+        end
+      end
+
+      context "with an unknown status" do
+        it "should log the error" do
+          login_fraud = double("login_fraud", enabled: true, login_failed_enabled: true)
+          logger = double("logger")
+          rails_request = double("rails_request")
+          tcell_data = TCellAgent::Instrumentation::TCellData.new
+          tcell_data.user_agent = "user_agent"
+          tcell_data.referrer = "referrer"
+          tcell_data.ip_address = "1.1.1.1"
+          tcell_data.path = "http://tcell.tcell.io/login?param_name=param_value"
+          tcell_data.hmac_session_id = TCellAgent::SensorEvents::Util.hmac("session_id")
+          request_env = {
+            TCellAgent::Instrumentation::TCELL_ID => tcell_data,
+            "HTTP_USER_AGENT" => true,
+            "HTTP_X_FORWARDED_FOR" => true
+          }
+
+
+          expect(TCellAgent).to receive(:policy).with(TCellAgent::PolicyTypes::LoginFraud).and_return(
+            login_fraud
+          )
+          expect(rails_request).to receive(:env).and_return(request_env)
+          expect(TCellAgent).to_not receive(:send_event)
+          expect(TCellAgent).to receive(:logger).and_return(logger)
+          expect(logger).to receive(:error).with("Unkown login status: mumbo-jumbo")
+
+          status = "mumbo-jumbo"
+
+          Hooks::V1::Frameworks::Rails::Login.register_login_event(
+            status, rails_request, "user_id"
+          )
+        end
+      end
+    end
+
+  end
+
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: tcell_agent
 version: !ruby/object:Gem::Version
-  version: 0.2.24
+  version: 0.2.25
 platform: ruby
 authors:
 - Garrett
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-11-10 00:00:00.000000000 Z
+date: 2016-12-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rest-client
@@ -185,6 +185,8 @@ files:
 - lib/tcell_agent/policies/secure_headers_policy.rb
 - lib/tcell_agent/rails/auth/authlogic.rb
 - lib/tcell_agent/rails/auth/devise.rb
+- lib/tcell_agent/rails/auth/doorkeeper.rb
+- lib/tcell_agent/rails/auth/hooks.rb
 - lib/tcell_agent/rails/better_ip.rb
 - lib/tcell_agent/rails/csrf_exception.rb
 - lib/tcell_agent/rails/dlp/process_request.rb
@@ -311,6 +313,7 @@ files:
 - spec/lib/tcell_agent/policies/login_policy_spec.rb
 - spec/lib/tcell_agent/policies/patches_policy_spec.rb
 - spec/lib/tcell_agent/policies/secure_headers_policy_spec.rb
+- spec/lib/tcell_agent/rails/auth/hooks_spec.rb
 - spec/lib/tcell_agent/rails/better_ip_spec.rb
 - spec/lib/tcell_agent/rails/logger_spec.rb
 - spec/lib/tcell_agent/rails/middleware/appsensor_middleware_spec.rb
@@ -460,6 +463,7 @@ test_files:
 - spec/lib/tcell_agent/policies/login_policy_spec.rb
 - spec/lib/tcell_agent/policies/patches_policy_spec.rb
 - spec/lib/tcell_agent/policies/secure_headers_policy_spec.rb
+- spec/lib/tcell_agent/rails/auth/hooks_spec.rb
 - spec/lib/tcell_agent/rails/better_ip_spec.rb
 - spec/lib/tcell_agent/rails/logger_spec.rb
 - spec/lib/tcell_agent/rails/middleware/appsensor_middleware_spec.rb