# Copyright (c) 2015 Sqreen. All Rights Reserved. # Please refer to our terms for more information: https://www.sqreen.io/terms.html require 'sqreen/log' require 'sqreen/serializer' require 'sqreen/runtime_infos' require 'sqreen/events/remote_exception' require 'sqreen/events/attack' require 'sqreen/events/request_record' require 'sqreen/exception' require 'sqreen/safe_json' require 'net/https' require 'uri' require 'openssl' require 'zlib' # $ curl -H"x-api-key: ${KEY}" http://127.0.0.1:5000/sqreen/v0/app-login # { # "session_id": "c9171007c27d4da8906312ff343ed41307f65b2f6fdf4a05a445bb7016186657", # "status": true # } # # $ curl -H"x-session-key: ${SESS}" http://127.0.0.1:5000/sqreen/v0/get-rulespack # # FIXME: we should be proxy capable # FIXME: we should be multithread aware (when callbacks perform server requests?) # module Sqreen class Session RETRY_CONNECT_SECONDS = 10 RETRY_REQUEST_SECONDS = 10 MAX_DELAY = 60 * 30 RETRY_LONG = 128 MUTEX = Mutex.new METRICS_KEY = 'metrics'.freeze @@path_prefix = '/sqreen/v0/' attr_accessor :request_compression def initialize(server_url, token, app_name = nil) @token = token @app_name = app_name @session_id = nil @server_url = server_url @request_compression = false @connected = nil @con = nil uri = parse_uri(server_url) use_ssl = (uri.scheme == 'https') @req_nb = 0 @http = Net::HTTP.new(uri.host, uri.port) @http.use_ssl = use_ssl if use_ssl cert_file = File.join(File.dirname(__FILE__), 'ca.crt') cert_store = OpenSSL::X509::Store.new cert_store.add_file cert_file @http.cert_store = cert_store end end def parse_uri(uri) # This regexp is the Ruby constant URI::PATTERN::HOSTNAME augmented # with the _ character that is frequent in Docker linked containers. re = '(?:(?:[a-zA-Z\\d](?:[-_a-zA-Z\\d]*[a-zA-Z\\d])?)\\.)*(?:[a-zA-Z](?:[-_a-zA-Z\\d]*[a-zA-Z\\d])?)\\.?' parser = URI::Parser.new :HOSTNAME => re parser.parse(uri) end def prefix_path(path) return '/sqreen/v1/' + path if path == 'app-login' || path == 'app-beat' @@path_prefix + path end def connected? @con && @con.started? end def disconnect @http.finish if connected? end NET_ERRORS = [Timeout::Error, Errno::EINVAL, Errno::ECONNRESET, Errno::ECONNREFUSED, EOFError, Net::HTTPBadResponse, Net::HTTPHeaderSyntaxError, SocketError, Net::ProtocolError].freeze def connect return if connected? Sqreen.log.warn "connection to #{@server_url}..." @session_id = nil @conn_retry = 0 begin @con = @http.start rescue *NET_ERRORS Sqreen.log.debug "Cannot connect, retry in #{RETRY_CONNECT_SECONDS} seconds" sleep RETRY_CONNECT_SECONDS @conn_retry += 1 retry else Sqreen.log.warn 'connection success.' end end def resilient_post(path, data, headers = {}) post(path, data, headers, RETRY_LONG) end def resilient_get(path, headers = {}) get(path, headers, RETRY_LONG) end def post(path, data, headers = {}, max_retry = 2) do_http_request(:POST, path, data, headers, max_retry) end def get(path, headers = {}, max_retry = 2) do_http_request(:GET, path, nil, headers, max_retry) end def resiliently(retry_request_seconds, max_retry, current_retry = 0) return yield rescue => e Sqreen.log.debug { e.inspect } current_retry += 1 raise e if current_retry >= max_retry || e.is_a?(Sqreen::NotImplementedYet) sleep_delay = [MAX_DELAY, retry_request_seconds * current_retry].min Sqreen.log.debug format('Sleeping %ds', sleep_delay) sleep(sleep_delay) retry end def thread_id th = Thread.current return '' unless th re = th.to_s.scan(/:(0x.*)>/) return '' unless re && !re.empty? res = re[0] return '' unless res && !res.empty? res[0] end def do_http_request(method, path, data, headers = {}, max_retry = 2) connect unless connected? now = Time.now.utc headers['X-Session-Key'] = @session_id if @session_id headers['X-Sqreen-Time'] = now.to_f.to_s headers['User-Agent'] = "sqreen-ruby/#{Sqreen::VERSION}" headers['X-Sqreen-Beta'] = format('pid=%d;tid=%s;nb=%d;t=%f', Process.pid, thread_id, @req_nb, Time.now.utc.to_f) headers['Content-Type'] = 'application/json' if request_compression && !method.casecmp(:GET).zero? headers['Content-Encoding'] = 'gzip' end @req_nb += 1 path = prefix_path(path) Sqreen.log.debug format('%s %s (%s)', method, path, @token) res = {} resiliently(RETRY_REQUEST_SECONDS, max_retry) do json = nil MUTEX.synchronize do json = case method.upcase when :GET @con.get(path, headers) when :POST json_data = nil unless data.nil? serialized = Serializer.serialize(data) json_data = compress(SafeJSON.dump(serialized)) end @con.post(path, json_data, headers) else Sqreen.log.debug format('unknown method %s', method) raise Sqreen::NotImplementedYet end end if json && json.body res = JSON.parse(json.body) unless res['status'] Sqreen.log.debug(format('Cannot %s %s.', method, path)) end else Sqreen.log.debug 'warning: empty return value' end end Sqreen.log.debug format('%s %s (DONE in %f ms)', method, path, (Time.now.utc - now) * 1000) res end def compress(data) return data unless request_compression out = StringIO.new w = Zlib::GzipWriter.new(out) w.write(data) w.close out.string end def login(framework) headers = { 'x-api-key' => @token, 'x-app-name' => @app_name || framework.application_name, }.reject { |k, v| v == nil } Sqreen.log.warn "Using app name: #{headers['x-app-name']}" res = resilient_post('app-login', RuntimeInfos.all(framework), headers) if !res || !res['status'] public_error = format('Cannot login. Token may be invalid: %s', @token) Sqreen.log.error public_error raise(Sqreen::TokenInvalidException, format('invalid response: %s', res.inspect)) end Sqreen.log.info 'Login success.' @session_id = res['session_id'] Sqreen.log.debug "received session_id #{@session_id}" Sqreen.logged_in = true res end def rules resilient_get('rulespack') end def heartbeat(cmd_res = {}, metrics = []) payload = {} payload['metrics'] = metrics unless metrics.nil? || metrics.empty? payload['command_results'] = cmd_res unless cmd_res.nil? || cmd_res.empty? post('app-beat', payload.empty? ? nil : payload, {}, 5) end def post_metrics(metrics) return if metrics.nil? || metrics.empty? payload = { METRICS_KEY => metrics } resilient_post(METRICS_KEY, payload) end def post_attack(attack) resilient_post('attack', attack.to_hash) end def post_bundle(bundle_sig, dependencies) resilient_post('bundle', 'bundle_signature' => bundle_sig, 'dependencies' => dependencies) end def get_actionspack resilient_get('actionspack') end def post_request_record(request_record) resilient_post('request_record', request_record.to_hash) end # Post an exception to Sqreen for analysis # @param exception [RemoteException] Exception and context to be sent over def post_sqreen_exception(exception) post('sqreen_exception', exception.to_hash, {}, 5) rescue *NET_ERRORS => e Sqreen.log.warn(format('Could not post exception (network down? %s) %s', e.inspect, exception.to_hash.inspect)) nil end BATCH_KEY = 'batch'.freeze EVENT_TYPE_KEY = 'event_type'.freeze def post_batch(events) batch = events.map do |event| h = event.to_hash h[EVENT_TYPE_KEY] = event_kind(event) h end Sqreen.log.debug do tally = Hash[events.group_by(&:class).map{ |k,v| [k, v.count] }] "Doing batch with the following tally of event types: #{tally}" end resilient_post(BATCH_KEY, BATCH_KEY => batch) end # Perform agent logout # @param retrying [Boolean] whether to try again on error def logout(retrying = true) # Do not try to connect if we are not connected unless connected? Sqreen.log.debug('Not connected: not trying to logout') return end # Perform not very resilient logout not to slow down client app shutdown get('app-logout', {}, retrying ? 2 : 1) Sqreen.logged_in = false disconnect end protected def event_kind(event) case event when Sqreen::RemoteException then 'sqreen_exception' when Sqreen::Attack then 'attack' when Sqreen::RequestRecord then 'request_record' end end end end