From d04d5ac2c13d040bf310172fa19eb8e571411bef Mon Sep 17 00:00:00 2001 From: fallwith Date: Thu, 27 Apr 2023 22:02:18 -0700 Subject: [PATCH 01/44] k2 k2 --- .gitignore | 1 + .../agent/configuration/default_source.rb | 59 +++++++++++++++++++ lib/new_relic/control/instance_methods.rb | 1 + .../control/private_instance_methods.rb | 13 ++++ newrelic.yml | 25 ++++++++ newrelic_rpm.gemspec | 3 + 6 files changed, 102 insertions(+) diff --git a/.gitignore b/.gitignore index e9b456f626..89f3c8dc30 100644 --- a/.gitignore +++ b/.gitignore @@ -41,3 +41,4 @@ Brewfile.lock.json .github/actions/simplecov-report/lib/ test/minitest/minitest_time_report gem_manifest_*.json +nr-security-home diff --git a/lib/new_relic/agent/configuration/default_source.rb b/lib/new_relic/agent/configuration/default_source.rb index 397944f272..de31b140be 100644 --- a/lib/new_relic/agent/configuration/default_source.rb +++ b/lib/new_relic/agent/configuration/default_source.rb 
@@ -2210,6 +2210,65 @@ def self.enforce_fallback(allowed_values: nil, fallback: nil)
 :type => Integer,
 :allowed_from_server => false,
 :description => 'This value represents the total amount of memory available to the host (not the process), in mebibytes (1024 squared or 1,048,576 bytes).'
+ },
+ # security agent
+ :'security.agent.enabled' => {
+ :default => false,
+ :external => true,
+ :public => true,
+ :type => Boolean,
+ :allowed_from_server => false,
+ :description => 'If `true`, the security agent is loaded'
+ },
+ :'security.enabled' => {
+ :default => false,
+ :external => true,
+ :public => true,
+ :type => Boolean,
+ :allowed_from_server => false,
+ :description => 'If `true`, the security agent is activated'
+ },
+ :'security.mode' => {
+ :default => 'IAST',
+ :external => true,
+ :public => true,
+ :type => String,
+ :allowed_from_server => true,
+ :description => 'Defines the mode for the security agent to operate in. Currently only `IAST` is supported',
+ :dynamic_name => true
+ },
+ :'security.validator_service_url' => {
+ :default => 'wss://csec.nr-data.net',
+ :external => true,
+ :public => true,
+ :type => String,
+ :allowed_from_server => true,
+ :description => 'Defines the end point URL for posting security related data',
+ :dynamic_name => true
+ },
+ :'security.detection.rci.enabled' => {
+ :default => true,
+ :external => true,
+ :public => true,
+ :type => Boolean,
+ :allowed_from_server => false,
+ :description => 'If `true`, enables rci detection'
+ },
+ :'security.detection.rxss.enabled' => {
+ :default => true,
+ :external => true,
+ :public => true,
+ :type => Boolean,
+ :allowed_from_server => false,
+ :description => 'If `true`, enables rxss detection'
+ },
+ :'security.detection.deserialization.enabled' => {
+ :default => true,
+ :external => true,
+ :public => true,
+ :type => Boolean,
+ :allowed_from_server => false,
+ :description => 'If `true`, enables deserialization detection'
 }
 }.freeze
 end
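Review bot: `security.validator_service_url` is declared with `:allowed_from_server => true` and a bare `String` type, so the destination of the security agent's data can be changed by server-side configuration, and nothing in this entry rejects a non-TLS scheme or an unexpected host. The enable flags and detection toggles in the same hunk all use `:allowed_from_server => false`; unless remote override is a requirement, the URL (and `security.mode`) should match them with `:allowed_from_server => false,`. If it has to stay overridable, a check that the scheme is `wss` before the value is used would be worth adding; how the security gem consumes this key is not visible in this diff. The hash these entries are added to begins outside the hunk.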
diff --git a/lib/new_relic/control/instance_methods.rb b/lib/new_relic/control/instance_methods.rb
index 44e8f1dd47..ffba1f335d 100644
--- a/lib/new_relic/control/instance_methods.rb
+++ b/lib/new_relic/control/instance_methods.rb
@@ -116,6 +116,7 @@ def handle_invalid_security_settings
 def start_agent
 @started_in_env = self.env
 NewRelic::Agent.agent.start
+ init_security_agent
 end
 def app
diff --git a/lib/new_relic/control/private_instance_methods.rb b/lib/new_relic/control/private_instance_methods.rb
index bcd14c7a81..7f28f88baa 100644
--- a/lib/new_relic/control/private_instance_methods.rb
+++ b/lib/new_relic/control/private_instance_methods.rb
@@ -43,6 +43,19 @@ def init_instrumentation
 DependencyDetection.detect!
 end
 end
+
+ def init_security_agent
+ if Agent.config[:'security.agent.enabled']
+ Agent.logger.info('Invoking K2 security module')
+ require 'newrelic_security'
+ else
+ Agent.logger.info('K2 security module is disabled.')
+ end
+ rescue LoadError
+ Agent.logger.info('K2 security agent not found - skipping')
+ rescue StandardError => exception
+ Agent.logger.error("Exception in K2 Agent module loading: #{exception} #{exception.backtrace}")
+ end
 end
 end
 end
diff --git a/newrelic.yml b/newrelic.yml
index 691109eff5..8e75d4ef9c 100644
--- a/newrelic.yml
+++ b/newrelic.yml
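Review bot: In `init_security_agent`, `rescue LoadError` logs at `info` and discards the exception, so when `security.agent.enabled` is `true` a missing gem and a `LoadError` raised by something `newrelic_security` itself requires both produce the same low-severity 'not found - skipping' line, and the application carries on without the security module. Capture the error and raise the level: `rescue LoadError => e` followed by `Agent.logger.warn("K2 security agent could not be loaded: #{e.message}")`. The same two rescue clauses are carried through the rename in PATCH 02 and into `SecurityInterface#init_agent` in PATCH 05. Separately, `#{exception.backtrace}` interpolates the whole backtrace array into a single log line; joining it with newlines would be easier to read.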
@@ -692,6 +692,31 @@ common: &default_settings # If true, the agent automatically detects that it is running in a Pivotal Cloud Foundry environment. # utilization.detect_pcf: true + # BEGIN security agent + + # If true, the security agent is loaded + # security.agent.enabled: false + + # If true, the security agent is activated + # security.enabled: false + + # The mode for the security agent to operate in. Currently only 'IAST' is supported + # security.mode: IAST + + # Defines the end point URL for posting security related data + # security.validator_service_url: wss://csec.nr-data.net + + # If `true`, enables rci detection + # security.detection.rci.enabled: true + + # If `true`, enables rxss detection + # security.detection.rxss.enabled: true + + # If `true`, enables deserialization detection + # security.detection.deserialization.enabled: true + + # END security agent + # Environment-specific settings are in this section. # RAILS_ENV or RACK_ENV (as appropriate) is used to determine the environment. # If your application has other named environments, configure them here. diff --git a/newrelic_rpm.gemspec b/newrelic_rpm.gemspec index 9cb2889314..32dbacd932 100644 --- a/newrelic_rpm.gemspec +++ b/newrelic_rpm.gemspec @@ -46,6 +46,9 @@ Gem::Specification.new do |s| s.homepage = 'https://github.com/newrelic/rpm' s.require_paths = ['lib'] s.summary = 'New Relic Ruby Agent' + +# s.add_dependency 'newrelic_security', '1.0.0-limited-preview' + s.add_development_dependency 'bundler' s.add_development_dependency 'feedjira', '3.2.1' unless ENV['CI'] || RUBY_VERSION < '2.5' # for Gabby s.add_development_dependency 'httparty' unless ENV['CI'] # for perf tests and Gabby From b930ca7408fcf26f22874b62e3428ec19ca41210 Mon Sep 17 00:00:00 2001 From: fallwith Date: Fri, 28 Apr 2023 09:31:38 -0700 Subject: [PATCH 02/44] New Relic name updates --- lib/new_relic/control/private_instance_methods.rb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/lib/new_relic/control/private_instance_methods.rb b/lib/new_relic/control/private_instance_methods.rb index 7f28f88baa..73771752d5 100644 --- a/lib/new_relic/control/private_instance_methods.rb +++ b/lib/new_relic/control/private_instance_methods.rb @@ -46,15 +46,15 @@ def init_instrumentation def init_security_agent if Agent.config[:'security.agent.enabled'] - Agent.logger.info('Invoking K2 security module') + Agent.logger.info('Invoking New Relic security module') require 'newrelic_security' else - Agent.logger.info('K2 security module is disabled.') + Agent.logger.info('New Relic security module is disabled.') end rescue LoadError - Agent.logger.info('K2 security agent not found - skipping') + Agent.logger.info('New Relic security agent not found - skipping') rescue StandardError => exception - Agent.logger.error("Exception in K2 Agent module loading: #{exception} #{exception.backtrace}") + Agent.logger.error("Exception in New Relic security module loading: #{exception} #{exception.backtrace}") end end end From fcd86040bd1642322e0caccf7811b07f2374f333 Mon Sep 17 00:00:00 2001 From: fallwith Date: Tue, 9 May 2023 08:29:19 -0700 Subject: [PATCH 03/44] add security.applicationinfo.port a manual port value can be passed to the security agent when needed --- lib/new_relic/agent/configuration/default_source.rb | 8 ++++++++ newrelic.yml | 3 +++ 2 files changed, 11 insertions(+) diff --git a/lib/new_relic/agent/configuration/default_source.rb b/lib/new_relic/agent/configuration/default_source.rb index de31b140be..a68b66d144 100644 --- a/lib/new_relic/agent/configuration/default_source.rb +++ b/lib/new_relic/agent/configuration/default_source.rb 
@@ -2269,6 +2269,14 @@ def self.enforce_fallback(allowed_values: nil, fallback: nil) :type => Boolean, :allowed_from_server => false, :description => 'If `true`, enables deserialization detection' + }, + :'security.applicationinfo.port' => { + :default => -1, + :public => true, + :type => Integer, + :external => true, + :allowed_from_server => false, + :description => 'The port the application listens on (guessed by default, may be needed for Passenger)' } }.freeze end diff --git a/newrelic.yml b/newrelic.yml index 8e75d4ef9c..114ddea394 100644 --- a/newrelic.yml +++ b/newrelic.yml @@ -715,6 +715,9 @@ common: &default_settings # If `true`, enables deserialization detection # security.detection.deserialization.enabled: true + # The port the application listens on (guessed by default, may be needed for Passenger) + # security.applicationinfo.port: -1 + # END security agent # Environment-specific settings are in this section. From 9d56dfe4d0e0d9daed2f9e1eb1c499c18a9d2646 Mon Sep 17 00:00:00 2001 From: fallwith Date: Tue, 9 May 2023 10:58:37 -0700 Subject: [PATCH 04/44] description for security.applicationinfo.port update description for security.applicationinfo.port --- lib/new_relic/agent/configuration/default_source.rb | 2 +- newrelic.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/new_relic/agent/configuration/default_source.rb b/lib/new_relic/agent/configuration/default_source.rb index a68b66d144..efaf9a9283 100644 --- a/lib/new_relic/agent/configuration/default_source.rb +++ b/lib/new_relic/agent/configuration/default_source.rb @@ -2276,7 +2276,7 @@ def self.enforce_fallback(allowed_values: nil, fallback: nil) :type => Integer, :external => true, :allowed_from_server => false, - :description => 'The port the application listens on (guessed by default, may be needed for Passenger)' + :description => 'The port the application listens on (Mandatory for Passenger, for other servers detected by default)' } }.freeze end 
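Review bot: The new `security.applicationinfo.port` entry defaults to `-1`, but its `:description` never says what that value means, and the `Integer` type accepts anything, including values outside 1–65535. Presumably `-1` stands for "detect the port automatically"; if so, say it in the description, e.g. by appending `Leave at -1 to have the port detected automatically.`, and mirror the wording in the `newrelic.yml` hunk that follows. Whether the consumer of this setting range-checks it is not visible here. PATCH 04 rewrites the description but still leaves the sentinel unexplained.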
diff --git a/newrelic.yml b/newrelic.yml index 114ddea394..459bab6518 100644 --- a/newrelic.yml +++ b/newrelic.yml @@ -715,7 +715,7 @@ common: &default_settings # If `true`, enables deserialization detection # security.detection.deserialization.enabled: true - # The port the application listens on (guessed by default, may be needed for Passenger) + # The port the application listens on (Mandatory for Passenger, for other servers detected by default) # security.applicationinfo.port: -1 # END security agent From 2e8db5d6e66584530e461d6f79a3ba032aa39d03 Mon Sep 17 00:00:00 2001 From: fallwith Date: Wed, 10 May 2023 20:50:18 -0700 Subject: [PATCH 05/44] NewRelic::Control::SecurityInterface - introduce NewRelic::Control::SecurityInterface singleton class - leverage the singleton class to ensure the security agent is only ever initialized once - leverage the singleton class to defer security agent initialization in lockstep with dependency detection deference - have each singleton class perform its own `require` of the singleton library so that it's not necessary to understand that the library is coming in from the `Control` class that might seem to have nothing to do with the singleton class --- lib/new_relic/agent/agent_logger.rb | 1 + lib/new_relic/agent/database/obfuscator.rb | 1 + .../instrumentation/rack/instrumentation.rb | 3 ++ lib/new_relic/control.rb | 2 +- lib/new_relic/control/instance_methods.rb | 2 +- .../control/private_instance_methods.rb | 11 +----- lib/new_relic/control/security_interface.rb | 36 +++++++++++++++++++ .../suites/sidekiq/sidekiq_server.rb | 1 + 8 files changed, 45 insertions(+), 12 deletions(-) create mode 100644 lib/new_relic/control/security_interface.rb diff --git a/lib/new_relic/agent/agent_logger.rb b/lib/new_relic/agent/agent_logger.rb index e5fe2fa1e9..60a411887b 100644 --- a/lib/new_relic/agent/agent_logger.rb +++ b/lib/new_relic/agent/agent_logger.rb 
@@ -4,6 +4,7 @@ require 'thread' require 'logger' +require 'singleton' require 'new_relic/agent/hostname' require 'new_relic/agent/log_once' require 'new_relic/agent/instrumentation/logger/instrumentation' diff --git a/lib/new_relic/agent/database/obfuscator.rb b/lib/new_relic/agent/database/obfuscator.rb index 0a90dcdb6c..5063fdcfa0 100644 --- a/lib/new_relic/agent/database/obfuscator.rb +++ b/lib/new_relic/agent/database/obfuscator.rb @@ -2,6 +2,7 @@ # See https://github.com/newrelic/newrelic-ruby-agent/blob/main/LICENSE for complete details. # frozen_string_literal: true +require 'singleton' require 'new_relic/agent/database/obfuscation_helpers' module NewRelic diff --git a/lib/new_relic/agent/instrumentation/rack/instrumentation.rb b/lib/new_relic/agent/instrumentation/rack/instrumentation.rb index f72bbb176f..3439275653 100644 --- a/lib/new_relic/agent/instrumentation/rack/instrumentation.rb +++ b/lib/new_relic/agent/instrumentation/rack/instrumentation.rb @@ -11,6 +11,7 @@ class << builder_class attr_accessor :_nr_deferred_detection_ran end builder_class._nr_deferred_detection_ran = false + NewRelic::Control::SecurityInterface.instance.wait = true end def deferred_dependency_check @@ -19,6 +20,8 @@ def deferred_dependency_check NewRelic::Agent.logger.info('Doing deferred dependency-detection before Rack startup') DependencyDetection.detect! self.class._nr_deferred_detection_ran = true + NewRelic::Control::SecurityInterface.instance.wait = false + NewRelic::Control::SecurityInterface.instance.init_agent end def check_for_late_instrumentation(app) diff --git a/lib/new_relic/control.rb b/lib/new_relic/control.rb index fda4a2fac4..66d4c8ab29 100644 --- a/lib/new_relic/control.rb +++ b/lib/new_relic/control.rb @@ -8,7 +8,6 @@ require 'new_relic/language_support' require 'new_relic/helper' -require 'singleton' require 'erb' require 'socket' require 'net/https' 
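Review bot: In the second `rack/instrumentation.rb` hunk, `wait = false` and `init_agent` run only after `DependencyDetection.detect!` returns, while the first hunk sets `wait = true` unconditionally. If `detect!` raises, or `deferred_dependency_check` is never reached, the singleton stays in the waiting state and every later `init_agent` call returns early, leaving an enabled security module unloaded with no log entry. Clearing the flag in an `ensure` (`NewRelic::Control::SecurityInterface.instance.wait = false`) would bound that; whether `detect!` can raise is not visible in this diff. Both enclosing methods extend beyond the hunks shown.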
@@ -18,6 +17,7 @@ require 'new_relic/control/instrumentation' require 'new_relic/control/class_methods' require 'new_relic/control/instance_methods' +require 'new_relic/control/security_interface' require 'new_relic/agent' require 'new_relic/delayed_job_injection' diff --git a/lib/new_relic/control/instance_methods.rb b/lib/new_relic/control/instance_methods.rb index ffba1f335d..eb04398277 100644 --- a/lib/new_relic/control/instance_methods.rb +++ b/lib/new_relic/control/instance_methods.rb @@ -73,6 +73,7 @@ def init_plugin(options = {}) init_config(options) NewRelic::Agent.agent = NewRelic::Agent::Agent.instance init_instrumentation + init_security_agent end def determine_env(options) @@ -116,7 +117,6 @@ def handle_invalid_security_settings def start_agent @started_in_env = self.env NewRelic::Agent.agent.start - init_security_agent end def app diff --git a/lib/new_relic/control/private_instance_methods.rb b/lib/new_relic/control/private_instance_methods.rb index 73771752d5..2cd45cc827 100644 --- a/lib/new_relic/control/private_instance_methods.rb +++ b/lib/new_relic/control/private_instance_methods.rb @@ -45,16 +45,7 @@ def init_instrumentation end def init_security_agent - if Agent.config[:'security.agent.enabled'] - Agent.logger.info('Invoking New Relic security module') - require 'newrelic_security' - else - Agent.logger.info('New Relic security module is disabled.') - end - rescue LoadError - Agent.logger.info('New Relic security agent not found - skipping') - rescue StandardError => exception - Agent.logger.error("Exception in New Relic security module loading: #{exception} #{exception.backtrace}") + SecurityInterface.instance.init_agent end end end diff --git a/lib/new_relic/control/security_interface.rb b/lib/new_relic/control/security_interface.rb new file mode 100644 index 0000000000..dac43257a6 --- /dev/null +++ b/lib/new_relic/control/security_interface.rb 
@@ -0,0 +1,36 @@
+require 'singleton'
+
+module NewRelic
+ class Control
+ class SecurityInterface
+ include Singleton
+
+ attr_accessor :wait
+
+ def agent_started?
+ @agent_started == true
+ end
+
+ def waiting?
+ @wait == true
+ end
+
+ def init_agent
+ return if agent_started? || waiting?
+
+ if Agent.config[:'security.agent.enabled']
+ Agent.logger.info('Invoking New Relic security module')
+ require 'newrelic_security'
+
+ @agent_started = true
+ else
+ Agent.logger.info('New Relic security module is disabled.')
+ end
+ rescue LoadError
+ Agent.logger.info('New Relic security agent not found - skipping')
+ rescue StandardError => exception
+ Agent.logger.error("Exception in New Relic security module loading: #{exception} #{exception.backtrace}")
+ end
+ end
+ end
+end
diff --git a/test/multiverse/suites/sidekiq/sidekiq_server.rb b/test/multiverse/suites/sidekiq/sidekiq_server.rb
index 7f33ac403e..371a37ac87 100644
--- a/test/multiverse/suites/sidekiq/sidekiq_server.rb
+++ b/test/multiverse/suites/sidekiq/sidekiq_server.rb
@@ -4,6 +4,7 @@
 require 'sidekiq'
 require 'sidekiq/cli'
+require 'singleton'
 require_relative '../../../helpers/docker'
 class SidekiqServer
From 27fd636d3186791003355cc6f513494d31c36dd3 Mon Sep 17 00:00:00 2001
From: fallwith
Date: Wed, 10 May 2023 20:56:53 -0700
Subject: [PATCH 06/44] security interface and gem dependency - update NewRelic::Control::Security source file with license header and frozen string literal magic comment - remove commented out dev dependency from gemspec, as Gemfile will be used
---
 lib/new_relic/control/security_interface.rb | 4 ++++
 newrelic_rpm.gemspec | 2 --
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/lib/new_relic/control/security_interface.rb b/lib/new_relic/control/security_interface.rb
index dac43257a6..855c615af5 100644
--- a/lib/new_relic/control/security_interface.rb
+++ b/lib/new_relic/control/security_interface.rb
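Review bot: `init_agent` returns silently on `return if agent_started? || waiting?`, so when `wait` has been set and is never cleared there is no log line explaining why an enabled security module was not loaded. A debug message on the waiting branch, e.g. `Agent.logger.debug('New Relic security module initialization deferred') if waiting?`, would make that state visible to whoever is checking that the module is active. The class also has no comment describing the `wait` / `@agent_started` contract, and `attr_accessor :wait` exposes a public reader although the Rack hook in this patch only uses the writer. A short class-level comment stating who sets `wait`, who clears it, and that `@agent_started` records a successful `require` would cover it.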
@@ -1,3 +1,7 @@ +# This file is distributed under New Relic's license terms. +# See https://github.com/newrelic/newrelic-ruby-agent/blob/main/LICENSE for complete details. +# frozen_string_literal: true + require 'singleton' module NewRelic diff --git a/newrelic_rpm.gemspec b/newrelic_rpm.gemspec index 32dbacd932..1de0447bc0 100644 --- a/newrelic_rpm.gemspec +++ b/newrelic_rpm.gemspec @@ -47,8 +47,6 @@ Gem::Specification.new do |s| s.require_paths = ['lib'] s.summary = 'New Relic Ruby Agent' -# s.add_dependency 'newrelic_security', '1.0.0-limited-preview' - s.add_development_dependency 'bundler' s.add_development_dependency 'feedjira', '3.2.1' unless ENV['CI'] || RUBY_VERSION < '2.5' # for Gabby s.add_development_dependency 'httparty' unless ENV['CI'] # for perf tests and Gabby From c9c7c06c4ff22c1713fe5396482df64606b61575 Mon Sep 17 00:00:00 2001 From: fallwith Date: Wed, 10 May 2023 21:14:33 -0700 Subject: [PATCH 07/44] gemspec: remove blank line remove blank line left over from testing to cut down on diff noise --- newrelic_rpm.gemspec | 1 - 1 file changed, 1 deletion(-) diff --git a/newrelic_rpm.gemspec b/newrelic_rpm.gemspec index 1de0447bc0..9cb2889314 100644 --- a/newrelic_rpm.gemspec +++ b/newrelic_rpm.gemspec @@ -46,7 +46,6 @@ Gem::Specification.new do |s| s.homepage = 'https://github.com/newrelic/rpm' s.require_paths = ['lib'] s.summary = 'New Relic Ruby Agent' - s.add_development_dependency 'bundler' s.add_development_dependency 'feedjira', '3.2.1' unless ENV['CI'] || RUBY_VERSION < '2.5' # for Gabby s.add_development_dependency 'httparty' unless ENV['CI'] # for perf tests and Gabby From 8caad2d2d40a4d6b02b9c198e34fc4e36815499b Mon Sep 17 00:00:00 2001 From: fallwith Date: Wed, 10 May 2023 21:39:17 -0700 Subject: [PATCH 08/44] SecurityInterface: Ruby <= 2.4 compatibility initialize the instance vars --- lib/new_relic/control/security_interface.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/lib/new_relic/control/security_interface.rb b/lib/new_relic/control/security_interface.rb
index 855c615af5..f50b229648 100644
--- a/lib/new_relic/control/security_interface.rb
+++ b/lib/new_relic/control/security_interface.rb
@@ -12,11 +12,11 @@ class SecurityInterface
 attr_accessor :wait
 def agent_started?
- @agent_started == true
+ (@agent_started ||= false) == true
 end
 def waiting?
- @wait == true
+ (@wait ||= false) == true
 end
 def init_agent
From ca1ad1bee84ccb0369616c6e739e0225bf7050b9 Mon Sep 17 00:00:00 2001
From: fallwith
Date: Wed, 31 May 2023 22:38:13 -0700
Subject: [PATCH 09/44] unit tests for SecurityInterface make sure the SecurityInterface singleton behaves as expected
---
 .../control/security_interface_test.rb | 107 ++++++++++++++++++
 1 file changed, 107 insertions(+)
 create mode 100644 test/new_relic/control/security_interface_test.rb
diff --git a/test/new_relic/control/security_interface_test.rb b/test/new_relic/control/security_interface_test.rb
new file mode 100644
index 0000000000..2d06cc1587
--- /dev/null
+++ b/test/new_relic/control/security_interface_test.rb
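Review bot: `agent_started?` and `waiting?` now assign (`||=`) as a side effect of being asked a question, which is an unusual shape for predicate methods and hides the real intent of giving both variables a defined initial value. Setting `@agent_started = false` and `@wait = false` in an `initialize` method says that directly and lets the predicates go back to `@agent_started == true` and `@wait == true`; `Singleton` still builds its one instance through `initialize`. The `setup` added in PATCH 09 removes both instance variables, so it would need to assign `false` instead. The class body continues outside this hunk.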
@@ -0,0 +1,107 @@
+# This file is distributed under New Relic's license terms.
+# See https://github.com/newrelic/newrelic-ruby-agent/blob/main/LICENSE for complete details.
+# frozen_string_literal: true
+
+require_relative '../../test_helper'
+require 'new_relic/control/security_interface'
+
+class NewRelic::Control::SecurityInterfaceTest < Minitest::Test
+ def setup
+ %i[@agent_started @wait].each do |variable|
+ instance = NewRelic::Control::SecurityInterface.instance
+ instance.remove_instance_variable(variable) if instance.instance_variable_defined?(variable)
+ end
+ end
+
+ def test_initialization_short_circuits_when_the_security_agent_is_disabled
+ logger = MiniTest::Mock.new
+ with_config('security.agent.enabled' => false) do
+ NewRelic::Agent.stub :logger, logger do
+ logger.expect :info, nil, [/security module is disabled/]
+
+ NewRelic::Control::SecurityInterface.instance.init_agent
+ end
+
+ refute_predicate NewRelic::Control::SecurityInterface.instance, :agent_started?
+ end
+ logger.verify
+ end
+
+ def test_initialization_short_circuits_if_the_agent_has_already_been_started
+ reached = false
+ with_config('security.agent.enabled' => true) do
+ NewRelic::Agent.stub :config, -> { reached = true } do
+ NewRelic::Control::SecurityInterface.instance.instance_variable_set(:@agent_started, true)
+ NewRelic::Control::SecurityInterface.instance.init_agent
+ end
+ end
+
+ refute reached, 'Expected init_agent to short circuit but it reached code within the method instead!'
+ end
+
+ def test_initialization_short_circuits_if_the_agent_has_been_told_to_wait
+ reached = false
+ with_config('security.agent.enabled' => true) do
+ NewRelic::Agent.stub :config, -> { reached = true } do
+ NewRelic::Control::SecurityInterface.instance.instance_variable_set(:@wait, true)
+ NewRelic::Control::SecurityInterface.instance.init_agent
+ end
+ end
+
+ refute reached, 'Expected init_agent to short circuit but it reached code within the method instead!'
+ end
+
+ def test_initialization_requires_the_security_agent
+ required = false
+ logger = MiniTest::Mock.new
+ with_config('security.agent.enabled' => true) do
+ NewRelic::Agent.stub :logger, logger do
+ logger.expect :info, nil, [/Invoking New Relic security/]
+
+ NewRelic::Control::SecurityInterface.instance.stub :require, proc { |_gem| required = true }, %w[newrelic_security] do
+ NewRelic::Control::SecurityInterface.instance.init_agent
+ end
+ end
+ end
+ logger.verify
+
+ assert required, 'Expected init_agent to perform a require statement'
+ assert_predicate NewRelic::Control::SecurityInterface.instance, :agent_started?
+ end
+
+ def test_initialization_anticipates_a_load_error
+ logger = MiniTest::Mock.new
+ with_config('security.agent.enabled' => true) do
+ NewRelic::Agent.stub :logger, logger do
+ logger.expect :info, nil, [/Invoking New Relic security/]
+ logger.expect :info, nil, [/security agent not found/]
+
+ error_proc = proc { |_gem| raise LoadError.new }
+ NewRelic::Control::SecurityInterface.instance.stub :require, error_proc, %w[newrelic_security] do
+ NewRelic::Control::SecurityInterface.instance.init_agent
+ end
+ end
+ logger.verify
+
+ refute_predicate NewRelic::Control::SecurityInterface.instance, :agent_started?
+ end
+ end
+
+ def test_initialization_handles_errors
+ logger = MiniTest::Mock.new
+ with_config('security.agent.enabled' => true) do
+ NewRelic::Agent.stub :logger, logger do
+ logger.expect :info, nil, [/Invoking New Relic security/]
+ logger.expect :error, nil, [/Exception in New Relic security module loading/]
+
+ error_proc = proc { |_gem| raise StandardError }
+ NewRelic::Control::SecurityInterface.instance.stub :require, error_proc, %w[newrelic_security] do
+ NewRelic::Control::SecurityInterface.instance.init_agent
+ end
+ end
+ end
+ logger.verify
+
+ refute_predicate NewRelic::Control::SecurityInterface.instance, :agent_started?
+ end
+end
From 96fa2148079208b62e489cb7bf83ba53bf05003e Mon Sep 17 00:00:00 2001
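Review bot: None of these tests exercises the hand-off the Rack hook in PATCH 05 depends on: `wait` set to `true`, then set back to `false`, then `init_agent` performing the `require`. `test_initialization_short_circuits_if_the_agent_has_been_told_to_wait` only proves the early return, so a regression that leaves the module permanently deferred would pass this file. A further test that sets `instance.wait = true`, calls `init_agent`, sets `instance.wait = false`, calls it again and asserts `agent_started?` would cover it. As a smaller point, `test_initialization_anticipates_a_load_error` places `logger.verify` and `refute_predicate` inside the `with_config` block while the other tests place them after it.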
From: fallwith Date: Wed, 31 May 2023 23:05:35 -0700 Subject: [PATCH 10/44] security interface tests: skip MiniTest 4 when relying on the 3 argument version of `stub`, make sure it's available --- test/new_relic/control/security_interface_test.rb | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/test/new_relic/control/security_interface_test.rb b/test/new_relic/control/security_interface_test.rb index 2d06cc1587..32df241f89 100644 --- a/test/new_relic/control/security_interface_test.rb +++ b/test/new_relic/control/security_interface_test.rb @@ -52,6 +52,8 @@ def test_initialization_short_circuits_if_the_agent_has_been_told_to_wait end def test_initialization_requires_the_security_agent + skip_unless_minitest5_or_above + required = false logger = MiniTest::Mock.new with_config('security.agent.enabled' => true) do @@ -70,6 +72,8 @@ def test_initialization_requires_the_security_agent end def test_initialization_anticipates_a_load_error + skip_unless_minitest5_or_above + logger = MiniTest::Mock.new with_config('security.agent.enabled' => true) do NewRelic::Agent.stub :logger, logger do @@ -88,6 +92,8 @@ def test_initialization_anticipates_a_load_error end def test_initialization_handles_errors + skip_unless_minitest5_or_above + logger = MiniTest::Mock.new with_config('security.agent.enabled' => true) do NewRelic::Agent.stub :logger, logger do From 561b92a912a0d91662b7ecf87ac5c10646d0ecba Mon Sep 17 00:00:00 2001 From: James Bunch Date: Thu, 1 Jun 2023 19:03:15 -0700 Subject: [PATCH 11/44] Update lib/new_relic/agent/configuration/default_source.rb Co-authored-by: Kayla Reopelle (she/her) <87386821+kaylareopelle@users.noreply.github.com> --- lib/new_relic/agent/configuration/default_source.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/new_relic/agent/configuration/default_source.rb b/lib/new_relic/agent/configuration/default_source.rb index 95cd8285b1..faa3036e63 100644 --- a/lib/new_relic/agent/configuration/default_source.rb 
+++ b/lib/new_relic/agent/configuration/default_source.rb @@ -2228,7 +2228,7 @@ def self.enforce_fallback(allowed_values: nil, fallback: nil) :public => true, :type => Boolean, :allowed_from_server => false, - :description => 'If `true`, the security agent is activated' + :description => 'If `true`, the security agent is started' }, :'security.mode' => { :default => 'IAST', From dca3f037f9b383080f77808cf73e85e9984e61b1 Mon Sep 17 00:00:00 2001 From: James Bunch Date: Thu, 1 Jun 2023 19:04:28 -0700 Subject: [PATCH 12/44] Update lib/new_relic/agent/configuration/default_source.rb Co-authored-by: Kayla Reopelle (she/her) <87386821+kaylareopelle@users.noreply.github.com> --- lib/new_relic/agent/configuration/default_source.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/new_relic/agent/configuration/default_source.rb b/lib/new_relic/agent/configuration/default_source.rb index faa3036e63..cdda868472 100644 --- a/lib/new_relic/agent/configuration/default_source.rb +++ b/lib/new_relic/agent/configuration/default_source.rb @@ -2245,7 +2245,7 @@ def self.enforce_fallback(allowed_values: nil, fallback: nil) :public => true, :type => String, :allowed_from_server => true, - :description => 'Defines the end point URL for posting security related data', + :description => 'Defines the endpoint URL for posting security-related data', :dynamic_name => true }, :'security.detection.rci.enabled' => { From 042017fdcaf5af182a5fa60f922c487c24695761 Mon Sep 17 00:00:00 2001 From: James Bunch Date: Thu, 1 Jun 2023 19:08:43 -0700 Subject: [PATCH 13/44] Update lib/new_relic/agent/configuration/default_source.rb Co-authored-by: Kayla Reopelle (she/her) <87386821+kaylareopelle@users.noreply.github.com> --- lib/new_relic/agent/configuration/default_source.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/new_relic/agent/configuration/default_source.rb b/lib/new_relic/agent/configuration/default_source.rb index cdda868472..3740e5b959 100644 
--- a/lib/new_relic/agent/configuration/default_source.rb +++ b/lib/new_relic/agent/configuration/default_source.rb @@ -2262,7 +2262,7 @@ def self.enforce_fallback(allowed_values: nil, fallback: nil) :public => true, :type => Boolean, :allowed_from_server => false, - :description => 'If `true`, enables rxss detection' + :description => 'If `true`, enables RXSS detection' }, :'security.detection.deserialization.enabled' => { :default => true, From 5ace3bfe87a26b852d083c613c8b744f88f2cc50 Mon Sep 17 00:00:00 2001 From: James Bunch Date: Fri, 2 Jun 2023 10:50:57 -0700 Subject: [PATCH 14/44] Update lib/new_relic/agent/configuration/default_source.rb Co-authored-by: Kayla Reopelle (she/her) <87386821+kaylareopelle@users.noreply.github.com> --- lib/new_relic/agent/configuration/default_source.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/new_relic/agent/configuration/default_source.rb b/lib/new_relic/agent/configuration/default_source.rb index 3740e5b959..e5b3dca6d1 100644 --- a/lib/new_relic/agent/configuration/default_source.rb +++ b/lib/new_relic/agent/configuration/default_source.rb @@ -2278,7 +2278,7 @@ def self.enforce_fallback(allowed_values: nil, fallback: nil) :type => Integer, :external => true, :allowed_from_server => false, - :description => 'The port the application listens on (Mandatory for Passenger, for other servers detected by default)' + :description => 'The port the application is listening on. This setting is mandatory for Passenger servers. Other servers should be detected by default.' } }.freeze end From 0e7bc167762c14b1c25730a376920a22a06bc77c Mon Sep 17 00:00:00 2001 From: fallwith Date: Fri, 2 Jun 2023 14:58:34 -0700 Subject: [PATCH 15/44] more security agent config descriptions add a security agent note, update descriptions further --- .../agent/configuration/default_source.rb | 8 ++--- newrelic.yml | 33 +++++++++++++++---- 2 files changed, 31 insertions(+), 10 deletions(-) 
diff --git a/lib/new_relic/agent/configuration/default_source.rb b/lib/new_relic/agent/configuration/default_source.rb index e5b3dca6d1..182186030d 100644 --- a/lib/new_relic/agent/configuration/default_source.rb +++ b/lib/new_relic/agent/configuration/default_source.rb @@ -2220,7 +2220,7 @@ def self.enforce_fallback(allowed_values: nil, fallback: nil) :public => true, :type => Boolean, :allowed_from_server => false, - :description => 'If `true`, the security agent is loaded' + :description => "If `true`, the security agent is loaded (a Ruby 'require' is performed)" }, :'security.enabled' => { :default => false, @@ -2228,7 +2228,7 @@ def self.enforce_fallback(allowed_values: nil, fallback: nil) :public => true, :type => Boolean, :allowed_from_server => false, - :description => 'If `true`, the security agent is started' + :description => 'If `true`, the security agent is started (the agent runs in its event loop)' }, :'security.mode' => { :default => 'IAST', @@ -2254,7 +2254,7 @@ def self.enforce_fallback(allowed_values: nil, fallback: nil) :public => true, :type => Boolean, :allowed_from_server => false, - :description => 'If `true`, enables rci detection' + :description => 'If `true`, enables RCI detection' }, :'security.detection.rxss.enabled' => { :default => true, @@ -2278,7 +2278,7 @@ def self.enforce_fallback(allowed_values: nil, fallback: nil) :type => Integer, :external => true, :allowed_from_server => false, - :description => 'The port the application is listening on. This setting is mandatory for Passenger servers. Other servers should be detected by default.' + :description => 'The port the application listens on (mandatory for Passenger, for other servers detected by default)' } }.freeze end diff --git a/newrelic.yml b/newrelic.yml index 459bab6518..dcf8a2050f 100644 --- a/newrelic.yml +++ b/newrelic.yml 
@@ -692,12 +692,33 @@ common: &default_settings # If true, the agent automatically detects that it is running in a Pivotal Cloud Foundry environment. # utilization.detect_pcf: true + # # BEGIN security agent - - # If true, the security agent is loaded + # + # NOTE: At this time, the security agent is intended for use only within + # a dedicated security testing environment with data that can tolerate + # modification or deletion. The security agent is available as a + # separate Ruby gem, newrelic_security. It is recommended that this + # separate gem only be introduced to a security testing environment + # by leveraging Bundler grouping like so: + # + # # Gemfile + # gem 'newrelic_rpm' # New Relic APM observability agent + # gem 'newrelic-infinite_tracing' # New Relic Infinite Tracing + # + # group :security do + # gem 'newrelic_security' # New Relic security agent + # end + # + # NOTE: All "security.*" configuration parameters are related only to the + # security agent, and all other configuration parameters that may + # have "security" in the name some where are related to the APM agent. + # + + # If true, the security agent is loaded (a Ruby 'require' is performed) # security.agent.enabled: false - # If true, the security agent is activated + # If true, the security agent is started (the agent runs in its event loop) # security.enabled: false # The mode for the security agent to operate in. Currently only 'IAST' is supported 
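Review bot: The Gemfile example in the added NOTE places `newrelic_security` in a `:security` group, but a group alone does not keep the gem out of other environments, because Bundler installs every group unless one is explicitly excluded. Since the NOTE says the security agent is meant only for a dedicated security testing environment whose data can tolerate modification or deletion, the comment should also show the exclusion step, for example `#   bundle config set --local without security   # everywhere except the security test environment` (or `BUNDLE_WITHOUT=security`). Whether the gem is then required at boot depends on how the application calls `Bundler.require`, so it is worth stating that the group must be opted into only in that one environment.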
@@ -706,16 +727,16 @@ common: &default_settings # Defines the end point URL for posting security related data # security.validator_service_url: wss://csec.nr-data.net - # If `true`, enables rci detection + # If `true`, enables RCI detection # security.detection.rci.enabled: true - # If `true`, enables rxss detection + # If `true`, enables RXSS detection # security.detection.rxss.enabled: true # If `true`, enables deserialization detection # security.detection.deserialization.enabled: true - # The port the application listens on (Mandatory for Passenger, for other servers detected by default) + # The port the application listens on (mandatory for Passenger, for other servers detected by default) # security.applicationinfo.port: -1 # END security agent From 075f2ae59e1c130f7a1cfebe80affe8caddb469c Mon Sep 17 00:00:00 2001 From: fallwith Date: Fri, 2 Jun 2023 15:02:00 -0700 Subject: [PATCH 16/44] still more security agent config reconcile .rb and .yml changes from the PR --- lib/new_relic/agent/configuration/default_source.rb | 2 +- newrelic.yml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/lib/new_relic/agent/configuration/default_source.rb b/lib/new_relic/agent/configuration/default_source.rb index 182186030d..a0fd0207e6 100644 --- a/lib/new_relic/agent/configuration/default_source.rb +++ b/lib/new_relic/agent/configuration/default_source.rb @@ -2278,7 +2278,7 @@ def self.enforce_fallback(allowed_values: nil, fallback: nil) :type => Integer, :external => true, :allowed_from_server => false, - :description => 'The port the application listens on (mandatory for Passenger, for other servers detected by default)' + :description => 'The port the application is listening on. This setting is mandatory for Passenger servers. Other servers should be detected by default.' } }.freeze end diff --git a/newrelic.yml b/newrelic.yml index dcf8a2050f..ad7029473b 100644 --- a/newrelic.yml +++ b/newrelic.yml 
@@ -721,10 +721,10 @@ common: &default_settings # If true, the security agent is started (the agent runs in its event loop) # security.enabled: false - # The mode for the security agent to operate in. Currently only 'IAST' is supported + # Defines the The mode for the security agent to operate in. Currently only 'IAST' is supported # security.mode: IAST - # Defines the end point URL for posting security related data + # Defines the endpoint URL for posting security related data # security.validator_service_url: wss://csec.nr-data.net # If `true`, enables RCI detection @@ -736,7 +736,7 @@ common: &default_settings # If `true`, enables deserialization detection # security.detection.deserialization.enabled: true - # The port the application listens on (mandatory for Passenger, for other servers detected by default) + # The port the application is listening on. This setting is mandatory for Passenger servers. Other servers should be detected by default. # security.applicationinfo.port: -1 # END security agent From 91b4beb907df35d5dedd4ae5fe16776d3daed06f Mon Sep 17 00:00:00 2001 From: fallwith Date: Fri, 2 Jun 2023 17:10:33 -0700 Subject: [PATCH 17/44] the The typo fix --- newrelic.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/newrelic.yml b/newrelic.yml index ad7029473b..e5c9e6e9a4 100644 --- a/newrelic.yml +++ b/newrelic.yml @@ -721,7 +721,7 @@ common: &default_settings # If true, the security agent is started (the agent runs in its event loop) # security.enabled: false - # Defines the The mode for the security agent to operate in. Currently only 'IAST' is supported + # Defines the mode for the security agent to operate in. Currently only 'IAST' is supported # security.mode: IAST # Defines the endpoint URL for posting security related data From 6567ddcc3ecd3dd634e2c93eb8bb130e2d0c7dd2 Mon Sep 17 00:00:00 2001 
From: prateek-ap Date: Mon, 5 Jun 2023 11:46:40 +0530 Subject: [PATCH 18/44] updated security config: application_info --- lib/new_relic/agent/configuration/default_source.rb | 4 ++-- newrelic.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/new_relic/agent/configuration/default_source.rb b/lib/new_relic/agent/configuration/default_source.rb index a0fd0207e6..22834cb940 100644 --- a/lib/new_relic/agent/configuration/default_source.rb +++ b/lib/new_relic/agent/configuration/default_source.rb @@ -2272,8 +2272,8 @@ def self.enforce_fallback(allowed_values: nil, fallback: nil) :allowed_from_server => false, :description => 'If `true`, enables deserialization detection' }, - :'security.applicationinfo.port' => { - :default => -1, + :'security.application_info.port' => { + :default => nil, :public => true, :type => Integer, :external => true, diff --git a/newrelic.yml b/newrelic.yml index e5c9e6e9a4..726ddb3b06 100644 --- a/newrelic.yml +++ b/newrelic.yml @@ -737,7 +737,7 @@ common: &default_settings # security.detection.deserialization.enabled: true # The port the application is listening on. This setting is mandatory for Passenger servers. Other servers should be detected by default. - # security.applicationinfo.port: -1 + # security.application_info.port: nil # END security agent From b0a8c86c6a6dfc66081510b4e692cb066fd39386 Mon Sep 17 00:00:00 2001 From: prateek-ap Date: Tue, 6 Jun 2023 11:32:11 +0530 Subject: [PATCH 19/44] set allow_nil to true for security.application_info.port --- lib/new_relic/agent/configuration/default_source.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/new_relic/agent/configuration/default_source.rb b/lib/new_relic/agent/configuration/default_source.rb index 22834cb940..4758b43ddf 100644 --- a/lib/new_relic/agent/configuration/default_source.rb +++ b/lib/new_relic/agent/configuration/default_source.rb 
@@ -2274,6 +2274,7 @@ def self.enforce_fallback(allowed_values: nil, fallback: nil) }, :'security.application_info.port' => { :default => nil, + :allow_nil => true, :public => true, :type => Integer, :external => true, From 54970dc25377bf6786a965acd3ef8c0f5e9ecf50 Mon Sep 17 00:00:00 2001 From: prateek-ap Date: Thu, 8 Jun 2023 15:39:38 +0530 Subject: [PATCH 20/44] add handling security disable of high security enabled --- lib/new_relic/control/security_interface.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/new_relic/control/security_interface.rb b/lib/new_relic/control/security_interface.rb index f50b229648..045017a1c6 100644 --- a/lib/new_relic/control/security_interface.rb +++ b/lib/new_relic/control/security_interface.rb @@ -22,13 +22,13 @@ def waiting? def init_agent return if agent_started? || waiting? - if Agent.config[:'security.agent.enabled'] + if Agent.config[:'security.agent.enabled'] && Agent.config[:'security.enabled'] && !Agent.config[:high_security] Agent.logger.info('Invoking New Relic security module') require 'newrelic_security' @agent_started = true else - Agent.logger.info('New Relic security module is disabled.') + Agent.logger.info('New Relic Security is completely disabled by one of the user provided config `security.agent.enabled`, `security.enabled`, or `high_security`. Not loading security capabilities.') end rescue LoadError Agent.logger.info('New Relic security agent not found - skipping') From d5dda8ad43ea0ccef507187b86b9ffe630cf037b Mon Sep 17 00:00:00 2001 From: prateek-ap Date: Thu, 8 Jun 2023 17:48:12 +0530 Subject: [PATCH 21/44] update security_interface_test for high_security config changes --- .../control/security_interface_test.rb | 26 ++++++++++++++----- 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/test/new_relic/control/security_interface_test.rb b/test/new_relic/control/security_interface_test.rb index 32df241f89..1c8c2c6cfb 100644 
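Review bot: In `init_agent` (lib/new_relic/control/security_interface.rb) the `require 'newrelic_security'` is now gated on all three settings, which no longer matches the config descriptions written earlier in this series: `security.agent.enabled` is described as performing the Ruby `require` and `security.enabled` as starting the agent, yet with `security.agent.enabled: true` and `security.enabled: false` nothing is loaded at all. Either the descriptions or the condition should change so an operator can tell what each flag does. The new log line also does not say which of the three settings caused the skip; logging the deciding one, for example `Agent.logger.info('Security agent not loaded: high_security is enabled')` on that branch, would make it clear that high security mode took precedence. `init_agent` continues past the end of this hunk.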
--- a/test/new_relic/control/security_interface_test.rb +++ b/test/new_relic/control/security_interface_test.rb @@ -17,7 +17,21 @@ def test_initialization_short_circuits_when_the_security_agent_is_disabled logger = MiniTest::Mock.new with_config('security.agent.enabled' => false) do NewRelic::Agent.stub :logger, logger do - logger.expect :info, nil, [/security module is disabled/] + logger.expect :info, nil, [/Security is completely disabled/] + + NewRelic::Control::SecurityInterface.instance.init_agent + end + + refute_predicate NewRelic::Control::SecurityInterface.instance, :agent_started? + end + logger.verify + end + + def test_initialization_short_circuits_when_the_security_is_disabled + logger = MiniTest::Mock.new + with_config('security.enabled' => false) do + NewRelic::Agent.stub :logger, logger do + logger.expect :info, nil, [/Security is completely disabled/] NewRelic::Control::SecurityInterface.instance.init_agent end @@ -29,7 +43,7 @@ def test_initialization_short_circuits_when_the_security_agent_is_disabled def test_initialization_short_circuits_if_the_agent_has_already_been_started reached = false - with_config('security.agent.enabled' => true) do + with_config('security.agent.enabled' => true, 'security.enabled' => true) do NewRelic::Agent.stub :config, -> { reached = true } do NewRelic::Control::SecurityInterface.instance.instance_variable_set(:@agent_started, true) NewRelic::Control::SecurityInterface.instance.init_agent @@ -41,7 +55,7 @@ def test_initialization_short_circuits_if_the_agent_has_already_been_started def test_initialization_short_circuits_if_the_agent_has_been_told_to_wait reached = false - with_config('security.agent.enabled' => true) do + with_config('security.agent.enabled' => true, 'security.enabled' => true) do NewRelic::Agent.stub :config, -> { reached = true } do NewRelic::Control::SecurityInterface.instance.instance_variable_set(:@wait, true) NewRelic::Control::SecurityInterface.instance.init_agent 
@@ -56,7 +70,7 @@ def test_initialization_requires_the_security_agent required = false logger = MiniTest::Mock.new - with_config('security.agent.enabled' => true) do + with_config('security.agent.enabled' => true, 'security.enabled' => true) do NewRelic::Agent.stub :logger, logger do logger.expect :info, nil, [/Invoking New Relic security/] @@ -75,7 +89,7 @@ def test_initialization_anticipates_a_load_error skip_unless_minitest5_or_above logger = MiniTest::Mock.new - with_config('security.agent.enabled' => true) do + with_config('security.agent.enabled' => true, 'security.enabled' => true) do NewRelic::Agent.stub :logger, logger do logger.expect :info, nil, [/Invoking New Relic security/] logger.expect :info, nil, [/security agent not found/] @@ -95,7 +109,7 @@ def test_initialization_handles_errors skip_unless_minitest5_or_above logger = MiniTest::Mock.new - with_config('security.agent.enabled' => true) do + with_config('security.agent.enabled' => true, 'security.enabled' => true) do NewRelic::Agent.stub :logger, logger do logger.expect :info, nil, [/Invoking New Relic security/] logger.expect :error, nil, [/Exception in New Relic security module loading/] From 120d6152f4f2b6820a7e201f91b14b02521c2dde Mon Sep 17 00:00:00 2001 From: fallwith Date: Thu, 8 Jun 2023 10:18:31 -0700 Subject: [PATCH 22/44] security agent tests: updates to 3 param checks make it abundantly clear which combinations of the 3 options will disable the security agent --- .../control/security_interface_test.rb | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/test/new_relic/control/security_interface_test.rb b/test/new_relic/control/security_interface_test.rb index 1c8c2c6cfb..79d63efade 100644 --- a/test/new_relic/control/security_interface_test.rb +++ b/test/new_relic/control/security_interface_test.rb 
@@ -15,7 +15,7 @@ def setup def test_initialization_short_circuits_when_the_security_agent_is_disabled logger = MiniTest::Mock.new - with_config('security.agent.enabled' => false) do + with_config('security.agent.enabled' => false, 'security.enabled' => true, 'high_security' => false) do NewRelic::Agent.stub :logger, logger do logger.expect :info, nil, [/Security is completely disabled/] @@ -29,7 +29,21 @@ def test_initialization_short_circuits_when_the_security_agent_is_disabled def test_initialization_short_circuits_when_the_security_is_disabled logger = MiniTest::Mock.new - with_config('security.enabled' => false) do + with_config('security.agent.enabled' => true, 'security.enabled' => false, 'high_security' => false) do + NewRelic::Agent.stub :logger, logger do + logger.expect :info, nil, [/Security is completely disabled/] + + NewRelic::Control::SecurityInterface.instance.init_agent + end + + refute_predicate NewRelic::Control::SecurityInterface.instance, :agent_started? + end + logger.verify + end + + def test_initialization_short_circuits_when_high_security_mode_is_enabled + logger = MiniTest::Mock.new + with_config('security.agent.enabled' => true, 'security.enabled' => true, 'high_security' => true) do NewRelic::Agent.stub :logger, logger do logger.expect :info, nil, [/Security is completely disabled/] From 36b3bc47f432d326d1711c47b50d141ebd7ebfdf Mon Sep 17 00:00:00 2001 From: fallwith Date: Thu, 8 Jun 2023 10:50:15 -0700 Subject: [PATCH 23/44] CI: upgrade to setup-ruby v1.151.0 upgrade our GHA workflows to use setup-ruby v1.151.0 so that we can install JRuby 9.4.3.0 --- .github/workflows/ci.yml | 10 +++++----- .github/workflows/ci_cron.yml | 8 ++++---- .github/workflows/ci_jruby.yml | 4 ++-- 3 files changed, 11 insertions(+), 11 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d584281db6..a473673b3c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -10,7 +10,7 @@ jobs: - name: Configure git run: 'git config --global init.defaultBranch main' - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # tag v3.5.0 - - uses: ruby/setup-ruby@7d546f4868fb108ed378764d873683f920672ae2 # tag v1.149.0 + - uses: ruby/setup-ruby@bc1dd263b68cb5626dbb55d5c89777d79372c484 # tag v1.151.0 with: ruby-version: '3.2' - run: bundle @@ -44,7 +44,7 @@ jobs: run: sudo apt-get update; sudo apt-get install -y --no-install-recommends libcurl4-nss-dev libsasl2-dev libxslt1-dev - name: Install Ruby ${{ matrix.ruby-version }} - uses: ruby/setup-ruby@7d546f4868fb108ed378764d873683f920672ae2 # tag v1.149.0 + uses: ruby/setup-ruby@bc1dd263b68cb5626dbb55d5c89777d79372c484 # tag v1.151.0 with: ruby-version: ${{ matrix.ruby-version }} @@ -197,7 +197,7 @@ jobs: run: sudo apt-get update; sudo apt-get install -y --no-install-recommends libcurl4-nss-dev libsasl2-dev libxslt1-dev - name: Install Ruby ${{ matrix.ruby-version }} - uses: ruby/setup-ruby@7d546f4868fb108ed378764d873683f920672ae2 # tag v1.149.0 + uses: ruby/setup-ruby@bc1dd263b68cb5626dbb55d5c89777d79372c484 # tag v1.151.0 with: ruby-version: ${{ matrix.ruby-version }} @@ -289,7 +289,7 @@ jobs: - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # tag v3.5.0 - name: Install Ruby ${{ matrix.ruby-version }} - uses: ruby/setup-ruby@7d546f4868fb108ed378764d873683f920672ae2 # tag v1.149.0 + uses: ruby/setup-ruby@bc1dd263b68cb5626dbb55d5c89777d79372c484 # tag v1.151.0 with: ruby-version: ${{ matrix.ruby-version }} @@ -328,7 +328,7 @@ jobs: - name: Configure git run: 'git config --global init.defaultBranch main' - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # tag v3.5.0 - - uses: ruby/setup-ruby@7d546f4868fb108ed378764d873683f920672ae2 # tag v1.149.0 + - uses: ruby/setup-ruby@bc1dd263b68cb5626dbb55d5c89777d79372c484 # tag v1.151.0 with: ruby-version: '3.1' - run: bundle 
diff --git a/.github/workflows/ci_cron.yml b/.github/workflows/ci_cron.yml index f8e65ff723..09798f22a6 100644 --- a/.github/workflows/ci_cron.yml +++ b/.github/workflows/ci_cron.yml @@ -16,7 +16,7 @@ jobs: - name: Configure git run: 'git config --global init.defaultBranch main' - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # tag v3.5.0 - - uses: ruby/setup-ruby@7d546f4868fb108ed378764d873683f920672ae2 # tag v1.149.0 + - uses: ruby/setup-ruby@bc1dd263b68cb5626dbb55d5c89777d79372c484 # tag v1.151.0 with: ruby-version: '3.2' - run: bundle @@ -50,7 +50,7 @@ jobs: run: sudo apt-get update; sudo apt-get install -y --no-install-recommends libcurl4-nss-dev libsasl2-dev libxslt1-dev - name: Install Ruby ${{ matrix.ruby-version }} - uses: ruby/setup-ruby@7d546f4868fb108ed378764d873683f920672ae2 # tag v1.149.0 + uses: ruby/setup-ruby@bc1dd263b68cb5626dbb55d5c89777d79372c484 # tag v1.151.0 with: ruby-version: ${{ matrix.ruby-version }} @@ -212,7 +212,7 @@ jobs: run: sudo apt-get update; sudo apt-get install -y --no-install-recommends libcurl4-nss-dev libsasl2-dev libxslt1-dev - name: Install Ruby ${{ matrix.ruby-version }} - uses: ruby/setup-ruby@7d546f4868fb108ed378764d873683f920672ae2 # tag v1.149.0 + uses: ruby/setup-ruby@bc1dd263b68cb5626dbb55d5c89777d79372c484 # tag v1.151.0 with: ruby-version: ${{ matrix.ruby-version }} @@ -284,7 +284,7 @@ jobs: - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # tag v3.5.0 - name: Install Ruby ${{ matrix.ruby-version }} - uses: ruby/setup-ruby@7d546f4868fb108ed378764d873683f920672ae2 # tag v1.149.0 + uses: ruby/setup-ruby@bc1dd263b68cb5626dbb55d5c89777d79372c484 # tag v1.151.0 with: ruby-version: ${{ matrix.ruby-version }} diff --git a/.github/workflows/ci_jruby.yml b/.github/workflows/ci_jruby.yml index 69bf460489..69aaca468f 100644 --- a/.github/workflows/ci_jruby.yml +++ b/.github/workflows/ci_jruby.yml 
@@ -24,7 +24,7 @@ jobs: - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # tag v3.5.0 - name: Install Ruby jruby-9.4.2.0 - uses: ruby/setup-ruby@7d546f4868fb108ed378764d873683f920672ae2 # tag v1.149.0 + uses: ruby/setup-ruby@bc1dd263b68cb5626dbb55d5c89777d79372c484 # tag v1.151.0 with: ruby-version: jruby-9.4.2.0 @@ -123,7 +123,7 @@ jobs: uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # tag v3.5.0 - name: Install JRuby - uses: ruby/setup-ruby@7d546f4868fb108ed378764d873683f920672ae2 # tag v1.149.0 + uses: ruby/setup-ruby@bc1dd263b68cb5626dbb55d5c89777d79372c484 # tag v1.151.0 with: ruby-version: jruby-9.4.2.0 From d9d66b1be11803412ada84875d1a831c7ff8954e Mon Sep 17 00:00:00 2001 From: hramadan Date: Tue, 24 Oct 2023 11:16:55 -0700 Subject: [PATCH 24/44] Add supportability enabed/disabled metric --- lib/new_relic/control/security_interface.rb | 14 ++++++++++++++ test/new_relic/control/security_interface_test.rb | 8 ++++++++ 2 files changed, 22 insertions(+) diff --git a/lib/new_relic/control/security_interface.rb b/lib/new_relic/control/security_interface.rb index 045017a1c6..6f412fcdce 100644 --- a/lib/new_relic/control/security_interface.rb +++ b/lib/new_relic/control/security_interface.rb @@ -11,6 +11,8 @@ class SecurityInterface attr_accessor :wait + SUPPORTABILITY_METRIC = 'Supportability/Ruby/SecurityAgent/Enabled/' + def agent_started? (@agent_started ||= false) == true end 
@@ -24,11 +26,13 @@ def init_agent if Agent.config[:'security.agent.enabled'] && Agent.config[:'security.enabled'] && !Agent.config[:high_security] Agent.logger.info('Invoking New Relic security module') + NewRelic::Agent.record_metric_once(SUPPORTABILITY_METRIC + 'enabled') require 'newrelic_security' @agent_started = true else Agent.logger.info('New Relic Security is completely disabled by one of the user provided config `security.agent.enabled`, `security.enabled`, or `high_security`. Not loading security capabilities.') + NewRelic::Agent.record_metric_once(SUPPORTABILITY_METRIC + 'disabled') end rescue LoadError Agent.logger.info('New Relic security agent not found - skipping') @@ -38,3 +42,13 @@ def init_agent end end end + +# __END__ + +# SUPPORTABILITY_METRIC = 'Supportability/Ruby/SecurityAgent/Agent/Enabled/{enabled|disabled}' + +# NewRelic::Agent.record_metric_once(SUPPORTABILITY_METRIC) + +# record_metric(metric_name, value) + + diff --git a/test/new_relic/control/security_interface_test.rb b/test/new_relic/control/security_interface_test.rb index 79d63efade..306b97a9d8 100644 --- a/test/new_relic/control/security_interface_test.rb +++ b/test/new_relic/control/security_interface_test.rb @@ -23,6 +23,7 @@ def test_initialization_short_circuits_when_the_security_agent_is_disabled end refute_predicate NewRelic::Control::SecurityInterface.instance, :agent_started? + assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Enabled/disabled' end logger.verify end @@ -37,6 +38,7 @@ def test_initialization_short_circuits_when_the_security_is_disabled end refute_predicate NewRelic::Control::SecurityInterface.instance, :agent_started? + assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Enabled/disabled' end logger.verify end 
@@ -51,6 +53,7 @@ def test_initialization_short_circuits_when_high_security_mode_is_enabled end refute_predicate NewRelic::Control::SecurityInterface.instance, :agent_started? + assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Enabled/disabled' end logger.verify end @@ -65,6 +68,7 @@ def test_initialization_short_circuits_if_the_agent_has_already_been_started end refute reached, 'Expected init_agent to short circuit but it reached code within the method instead!' + assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Enabled/disabled' end def test_initialization_short_circuits_if_the_agent_has_been_told_to_wait @@ -77,6 +81,7 @@ def test_initialization_short_circuits_if_the_agent_has_been_told_to_wait end refute reached, 'Expected init_agent to short circuit but it reached code within the method instead!' + assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Enabled/disabled' end def test_initialization_requires_the_security_agent @@ -97,6 +102,7 @@ def test_initialization_requires_the_security_agent assert required, 'Expected init_agent to perform a require statement' assert_predicate NewRelic::Control::SecurityInterface.instance, :agent_started? + assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Enabled/enabled' end def test_initialization_anticipates_a_load_error @@ -116,6 +122,7 @@ def test_initialization_anticipates_a_load_error logger.verify refute_predicate NewRelic::Control::SecurityInterface.instance, :agent_started? + assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Enabled/enabled' end end @@ -137,5 +144,6 @@ def test_initialization_handles_errors logger.verify refute_predicate NewRelic::Control::SecurityInterface.instance, :agent_started? + assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Enabled/enabled' end end From 944d421d84ea6be674fae2d48a9d01c29c158ded Mon Sep 17 00:00:00 2001 
From: hramadan Date: Tue, 24 Oct 2023 11:18:19 -0700 Subject: [PATCH 25/44] Remove scratch work --- lib/new_relic/control/security_interface.rb | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/lib/new_relic/control/security_interface.rb b/lib/new_relic/control/security_interface.rb index 6f412fcdce..fca406e385 100644 --- a/lib/new_relic/control/security_interface.rb +++ b/lib/new_relic/control/security_interface.rb @@ -42,13 +42,3 @@ def init_agent end end end - -# __END__ - -# SUPPORTABILITY_METRIC = 'Supportability/Ruby/SecurityAgent/Agent/Enabled/{enabled|disabled}' - -# NewRelic::Agent.record_metric_once(SUPPORTABILITY_METRIC) - -# record_metric(metric_name, value) - - From 5546674de8cff7fd7f9282c02dfe47cc1e3c7c99 Mon Sep 17 00:00:00 2001 From: hramadan Date: Tue, 24 Oct 2023 14:04:15 -0700 Subject: [PATCH 26/44] 2 supportability metrics --- lib/new_relic/control/security_interface.rb | 22 ++++++++++++++++--- .../control/security_interface_test.rb | 16 ++++++++++---- 2 files changed, 31 insertions(+), 7 deletions(-) diff --git a/lib/new_relic/control/security_interface.rb b/lib/new_relic/control/security_interface.rb index fca406e385..630a81ae82 100644 --- a/lib/new_relic/control/security_interface.rb +++ b/lib/new_relic/control/security_interface.rb @@ -11,7 +11,10 @@ class SecurityInterface attr_accessor :wait - SUPPORTABILITY_METRIC = 'Supportability/Ruby/SecurityAgent/Enabled/' + SUPPORTABILITY_PREFIX_SECURITY = 'Supportability/Ruby/SecurityAgent/Enabled/' + SUPPORTABILITY_PREFIX_SECURITY_AGENT = 'Supportability/Ruby/SecurityAgent/Agent/Enabled/' + ENABLED = 'enabled' + DISABLED = 'disabled' def agent_started? (@agent_started ||= false) == true 
@@ -24,21 +27,34 @@ def waiting? def init_agent return if agent_started? || waiting? + record_supportability_metrics + if Agent.config[:'security.agent.enabled'] && Agent.config[:'security.enabled'] && !Agent.config[:high_security] Agent.logger.info('Invoking New Relic security module') - NewRelic::Agent.record_metric_once(SUPPORTABILITY_METRIC + 'enabled') require 'newrelic_security' @agent_started = true else Agent.logger.info('New Relic Security is completely disabled by one of the user provided config `security.agent.enabled`, `security.enabled`, or `high_security`. Not loading security capabilities.') - NewRelic::Agent.record_metric_once(SUPPORTABILITY_METRIC + 'disabled') end rescue LoadError Agent.logger.info('New Relic security agent not found - skipping') rescue StandardError => exception Agent.logger.error("Exception in New Relic security module loading: #{exception} #{exception.backtrace}") end + + def record_supportability_metrics + Agent.config[:'security.enabled'] ? security_metric(ENABLED) : security_metric(DISABLED) + Agent.config[:'security.agent.enabled'] ? security_agent_metric(ENABLED) : security_agent_metric(DISABLED) + end + + def security_metric(setting) + NewRelic::Agent.record_metric_once(SUPPORTABILITY_PREFIX_SECURITY + setting) + end + + def security_agent_metric(setting) + NewRelic::Agent.record_metric_once(SUPPORTABILITY_PREFIX_SECURITY_AGENT + setting) + end end end end diff --git a/test/new_relic/control/security_interface_test.rb b/test/new_relic/control/security_interface_test.rb index 306b97a9d8..9892c69394 100644 --- a/test/new_relic/control/security_interface_test.rb +++ b/test/new_relic/control/security_interface_test.rb 
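Review bot: `record_supportability_metrics` reports the raw values of `security.enabled` and `security.agent.enabled`, so both metrics read `enabled` when `high_security` blocks the load or when the `require` raises `LoadError`; the high-security and load-error tests in this commit assert exactly that. If the metrics are meant to show whether the security agent is actually active, fold the remaining condition in, or at least document the meaning with a comment such as `# Reports configured values only; high_security or a missing gem can still prevent loading`. The three new methods are also public on `SecurityInterface`; a `private` line before `def record_supportability_metrics` would keep them off the class's interface. Because the call sits inside `init_agent`, an error raised while recording would be caught by the existing `rescue StandardError` and logged as a module loading failure.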
@@ -23,7 +23,8 @@ def test_initialization_short_circuits_when_the_security_agent_is_disabled end refute_predicate NewRelic::Control::SecurityInterface.instance, :agent_started? - assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Enabled/disabled' + assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Agent/Enabled/disabled' + assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Enabled/enabled' end logger.verify end @@ -38,6 +39,7 @@ def test_initialization_short_circuits_when_the_security_is_disabled end refute_predicate NewRelic::Control::SecurityInterface.instance, :agent_started? + assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Agent/Enabled/enabled' assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Enabled/disabled' end logger.verify @@ -53,7 +55,8 @@ def test_initialization_short_circuits_when_high_security_mode_is_enabled end refute_predicate NewRelic::Control::SecurityInterface.instance, :agent_started? - assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Enabled/disabled' + assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Agent/Enabled/enabled' + assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Enabled/enabled' end logger.verify end @@ -68,7 +71,8 @@ def test_initialization_short_circuits_if_the_agent_has_already_been_started end refute reached, 'Expected init_agent to short circuit but it reached code within the method instead!' - assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Enabled/disabled' + assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Agent/Enabled/enabled' + assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Enabled/enabled' end def test_initialization_short_circuits_if_the_agent_has_been_told_to_wait 
@@ -81,7 +85,8 @@ def test_initialization_short_circuits_if_the_agent_has_been_told_to_wait end refute reached, 'Expected init_agent to short circuit but it reached code within the method instead!' - assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Enabled/disabled' + assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Agent/Enabled/enabled' + assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Enabled/enabled' end def test_initialization_requires_the_security_agent @@ -102,6 +107,7 @@ def test_initialization_requires_the_security_agent assert required, 'Expected init_agent to perform a require statement' assert_predicate NewRelic::Control::SecurityInterface.instance, :agent_started? + assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Agent/Enabled/enabled' assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Enabled/enabled' end @@ -122,6 +128,7 @@ def test_initialization_anticipates_a_load_error logger.verify refute_predicate NewRelic::Control::SecurityInterface.instance, :agent_started? + assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Agent/Enabled/enabled' assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Enabled/enabled' end end @@ -144,6 +151,7 @@ def test_initialization_handles_errors logger.verify refute_predicate NewRelic::Control::SecurityInterface.instance, :agent_started? + assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Agent/Enabled/enabled' assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Enabled/enabled' end end From 92f3b0f85f9f89c1288089ed9151792020ab380c Mon Sep 17 00:00:00 2001 From: hramadan Date: Tue, 24 Oct 2023 14:27:42 -0700 Subject: [PATCH 27/44] Fix test --- test/new_relic/control/security_interface_test.rb | 4 ---- 1 file changed, 4 deletions(-) diff --git a/test/new_relic/control/security_interface_test.rb b/test/new_relic/control/security_interface_test.rb index 9892c69394..dfa5d6d15a 100644 --- a/test/new_relic/control/security_interface_test.rb 
+++ b/test/new_relic/control/security_interface_test.rb @@ -71,8 +71,6 @@ def test_initialization_short_circuits_if_the_agent_has_already_been_started end refute reached, 'Expected init_agent to short circuit but it reached code within the method instead!' - assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Agent/Enabled/enabled' - assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Enabled/enabled' end def test_initialization_short_circuits_if_the_agent_has_been_told_to_wait @@ -85,8 +83,6 @@ def test_initialization_short_circuits_if_the_agent_has_been_told_to_wait end refute reached, 'Expected init_agent to short circuit but it reached code within the method instead!' - assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Agent/Enabled/enabled' - assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Enabled/enabled' end def test_initialization_requires_the_security_agent From 6d7b4114c694ac415a7e84c820362c9193f70648 Mon Sep 17 00:00:00 2001 From: hramadan Date: Wed, 25 Oct 2023 11:39:04 -0700 Subject: [PATCH 28/44] Reset supportability metrics --- test/new_relic/control/security_interface_test.rb | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/test/new_relic/control/security_interface_test.rb b/test/new_relic/control/security_interface_test.rb index dfa5d6d15a..5e0aaf7162 100644 --- a/test/new_relic/control/security_interface_test.rb +++ b/test/new_relic/control/security_interface_test.rb 
@@ -13,7 +13,15 @@ def setup end end + # For testing purposes, clear out the supportability metrics that have already been recorded. + def reset_supportability_metrics + NewRelic::Agent.shutdown + NewRelic::Agent.instance_variable_get(:@metrics_already_recorded)&.clear + end + def test_initialization_short_circuits_when_the_security_agent_is_disabled + reset_supportability_metrics + logger = MiniTest::Mock.new with_config('security.agent.enabled' => false, 'security.enabled' => true, 'high_security' => false) do NewRelic::Agent.stub :logger, logger do @@ -30,6 +38,8 @@ def test_initialization_short_circuits_when_the_security_agent_is_disabled end def test_initialization_short_circuits_when_the_security_is_disabled + reset_supportability_metrics + logger = MiniTest::Mock.new with_config('security.agent.enabled' => true, 'security.enabled' => false, 'high_security' => false) do NewRelic::Agent.stub :logger, logger do From da5b18cabce2aa041e459e8bb7d4f7322437ef94 Mon Sep 17 00:00:00 2001 From: hramadan Date: Wed, 25 Oct 2023 15:43:58 -0700 Subject: [PATCH 29/44] Add supportability metrics enabled method --- .../control/security_interface_test.rb | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/test/new_relic/control/security_interface_test.rb b/test/new_relic/control/security_interface_test.rb index 5e0aaf7162..f1a77f3001 100644 --- a/test/new_relic/control/security_interface_test.rb +++ b/test/new_relic/control/security_interface_test.rb 
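Review bot: `reset_supportability_metrics` clears state through `NewRelic::Agent.instance_variable_get(:@metrics_already_recorded)&.clear`, so if that variable is renamed or has not been set yet, the `&.` turns the helper into a silent no-op and metrics recorded once by an earlier test leak into this one. These tests pin the gating of the security agent, so I would add a comment such as `# @metrics_already_recorded presumably backs record_metric_once; update this helper if it is renamed`, or expose a test-only reset on the agent instead of reading the variable. The helper is also called from only two tests (this hunk and the one at `-30,6 +38,8`), so the other tests that assert the same metrics stay order-dependent; calling it from `setup` would cover them all.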
@@ -15,10 +15,14 @@ def setup # For testing purposes, clear out the supportability metrics that have already been recorded. def reset_supportability_metrics - NewRelic::Agent.shutdown NewRelic::Agent.instance_variable_get(:@metrics_already_recorded)&.clear end + def assert_supportability_metrics_enabled + assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Agent/Enabled/enabled' + assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Enabled/enabled' + end + def test_initialization_short_circuits_when_the_security_agent_is_disabled reset_supportability_metrics @@ -65,8 +69,7 @@ def test_initialization_short_circuits_when_high_security_mode_is_enabled end refute_predicate NewRelic::Control::SecurityInterface.instance, :agent_started? - assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Agent/Enabled/enabled' - assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Enabled/enabled' + assert_supportability_metrics_enabled end logger.verify end @@ -113,8 +116,7 @@ def test_initialization_requires_the_security_agent assert required, 'Expected init_agent to perform a require statement' assert_predicate NewRelic::Control::SecurityInterface.instance, :agent_started? - assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Agent/Enabled/enabled' - assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Enabled/enabled' + assert_supportability_metrics_enabled end def test_initialization_anticipates_a_load_error @@ -134,8 +136,7 @@ def test_initialization_anticipates_a_load_error logger.verify refute_predicate NewRelic::Control::SecurityInterface.instance, :agent_started? - assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Agent/Enabled/enabled' - assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Enabled/enabled' + assert_supportability_metrics_enabled end end 
@@ -157,7 +158,6 @@ def test_initialization_handles_errors logger.verify refute_predicate NewRelic::Control::SecurityInterface.instance, :agent_started? - assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Agent/Enabled/enabled' - assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Enabled/enabled' + assert_supportability_metrics_enabled end end From 51da1f47df4d4ab02a73c2f1e2838b1ffec820f5 Mon Sep 17 00:00:00 2001 From: hramadan Date: Thu, 26 Oct 2023 15:51:01 -0700 Subject: [PATCH 30/44] regenerate rubocop todo --- .rubocop_todo.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml index b1f2816be7..09ca734555 100644 --- a/.rubocop_todo.yml +++ b/.rubocop_todo.yml @@ -1,12 +1,12 @@ # This configuration was generated by # `rubocop --auto-gen-config` -# on 2023-05-18 21:20:20 UTC using RuboCop version 1.51.0. +# on 2023-10-26 22:49:16 UTC using RuboCop version 1.54.0. # The point is for the user to remove these configuration records # one by one as the offenses are removed from the code base. # Note that changes in the inspected code, or installation of new # versions of RuboCop, may require this file to be generated again. -# Offense count: 30 +# Offense count: 31 # Configuration parameters: EnforcedStyle, AllowedGems, Include. # SupportedStyles: Gemfile, gems.rb, gemspec # Include: **/*.gemspec, **/Gemfile, **/gems.rb @@ -15,11 +15,12 @@ Gemspec/DevelopmentDependencies: - 'infinite_tracing/newrelic-infinite_tracing.gemspec' - 'newrelic_rpm.gemspec' -# Offense count: 416 +# Offense count: 443 # Configuration parameters: AllowedMethods, AllowedPatterns, CountRepeatedAttributes. Metrics/AbcSize: Max: 40 Exclude: + - 'lib/new_relic/agent/configuration/default_source.rb' - infinite_tracing/test/**/* - lib/new_relic/cli/commands/deployments.rb - test/**/* 
@@ -37,7 +38,7 @@ Minitest/DuplicateTestRun: - 'test/multiverse/suites/rails/error_tracing_test.rb' - 'test/multiverse/suites/sinatra/ignoring_test.rb' -# Offense count: 276 +# Offense count: 284 Minitest/MultipleAssertions: Max: 28 @@ -45,7 +46,7 @@ Minitest/MultipleAssertions: Minitest/TestFileName: Enabled: false -# Offense count: 22 +# Offense count: 20 # This cop supports safe autocorrection (--autocorrect). Minitest/TestMethodName: Enabled: false From c3111766d31cc4325bdd1df73c54db4976b86cf8 Mon Sep 17 00:00:00 2001 From: hramadan Date: Thu, 26 Oct 2023 15:55:25 -0700 Subject: [PATCH 31/44] regenerate todo --- .rubocop_todo.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml index 09ca734555..a7d2e1dbcd 100644 --- a/.rubocop_todo.yml +++ b/.rubocop_todo.yml @@ -1,6 +1,6 @@ # This configuration was generated by # `rubocop --auto-gen-config` -# on 2023-10-26 22:49:16 UTC using RuboCop version 1.54.0. +# on 2023-10-26 22:54:31 UTC using RuboCop version 1.54.0. # The point is for the user to remove these configuration records # one by one as the offenses are removed from the code base. # Note that changes in the inspected code, or installation of new @@ -25,6 +25,10 @@ Metrics/AbcSize: - lib/new_relic/cli/commands/deployments.rb - test/**/* +Metrics/CollectionLiteralLength: + Exclude: + - 'lib/new_relic/agent/configuration/default_source.rb' + # Offense count: 7 Minitest/AssertRaisesCompoundBody: Exclude: From ec33d219361697cd07f70e5e9b0266b177d22a9c Mon Sep 17 00:00:00 2001 From: hramadan Date: Thu, 26 Oct 2023 16:03:32 -0700 Subject: [PATCH 32/44] appease rubocop once more --- lib/new_relic/agent/configuration/default_source.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/new_relic/agent/configuration/default_source.rb b/lib/new_relic/agent/configuration/default_source.rb index 5a63a3e4b8..b53ea76743 100644 --- a/lib/new_relic/agent/configuration/default_source.rb 
+++ b/lib/new_relic/agent/configuration/default_source.rb @@ -57,7 +57,7 @@ def self.transform_for(key) default_settings[:transform] if default_settings end - def self.config_search_paths # rubocop:disable Metrics/AbcSize + def self.config_search_paths proc { yaml = 'newrelic.yml' config_yaml = File.join('config', yaml) From 78036b94f5549a3468b01e7617426d88c447d416 Mon Sep 17 00:00:00 2001 From: prateek-ap Date: Mon, 15 Apr 2024 17:23:25 +0530 Subject: [PATCH 33/44] add allowlist[IAST RASP] for security.mode & new security config security.request.body_limit --- lib/new_relic/agent/configuration/default_source.rb | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/lib/new_relic/agent/configuration/default_source.rb b/lib/new_relic/agent/configuration/default_source.rb index aade713e69..8419397147 100644 --- a/lib/new_relic/agent/configuration/default_source.rb +++ b/lib/new_relic/agent/configuration/default_source.rb @@ -2500,6 +2500,7 @@ def self.enforce_fallback(allowed_values: nil, fallback: nil) :public => true, :type => String, :allowed_from_server => true, + :allowlist => %w[IAST RASP], :description => 'Defines the mode for the security agent to operate in. Currently only `IAST` is supported', :dynamic_name => true }, @@ -2544,6 +2545,15 @@ def self.enforce_fallback(allowed_values: nil, fallback: nil) :external => true, :allowed_from_server => false, :description => 'The port the application is listening on. This setting is mandatory for Passenger servers. Other servers should be detected by default.' + }, + :'security.request.body_limit' => { + :default => 300, + :allow_nil => true, + :public => true, + :type => Integer, + :external => true, + :allowed_from_server => false, + :description => 'Defines the request body limit to process in security events(In KB). The default value is 300KB.' } }.freeze # rubocop:enable Metrics/CollectionLiteralLength From 863aeee219d84099239960ab150b2c86a4c1789e Mon Sep 17 00:00:00 2001 
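Review bot: `:allowlist => %w[IAST RASP]` accepts a value that the description directly below it still calls unsupported ("Currently only `IAST` is supported"), and the same entry has `:allowed_from_server => true`, so a mode outside the documented set can arrive from server-side configuration as well as from the local file. Either keep the list at `%w[IAST]` until the second mode is supported, or extend the description to say what selecting `RASP` does. The same pairing comes back in PATCH 42 ("add RASP in allowlist for dev and testing"); a value meant for development and testing should not be accepted by the shipped defaults. The settings hash starts and ends outside the hunk.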
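Review bot: `security.request.body_limit` is declared with `:allow_nil => true` and `:type => Integer` but no lower bound, so `nil`, `0` and negative numbers are all accepted here and the consumer decides whether that means "no limit" or "no body". For a setting that bounds how much of a request body is processed for security events, I would drop `:allow_nil => true` unless `nil` has a defined meaning, and have the description state that meaning and the smallest accepted value. The hunk shows no validation for this key; if the file's existing fallback mechanism can reject non-positive values, it would fit here.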
From: prateek-ap Date: Mon, 13 May 2024 16:45:40 +0530 Subject: [PATCH 34/44] log security config when IAST is disabled --- lib/new_relic/control/security_interface.rb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lib/new_relic/control/security_interface.rb b/lib/new_relic/control/security_interface.rb index 630a81ae82..85cadf0276 100644 --- a/lib/new_relic/control/security_interface.rb +++ b/lib/new_relic/control/security_interface.rb @@ -36,6 +36,9 @@ def init_agent @agent_started = true else Agent.logger.info('New Relic Security is completely disabled by one of the user provided config `security.agent.enabled`, `security.enabled`, or `high_security`. Not loading security capabilities.') + Agent.logger.info("high_security = #{Agent.config[:high_security]}") + Agent.logger.info("security.enabled = #{Agent.config[:'security.enabled']}") + Agent.logger.info("security.agent.enabled = #{Agent.config[:'security.agent.enabled']}") end rescue LoadError Agent.logger.info('New Relic security agent not found - skipping') From 0008a949d058efc4307c5151125ba117b4efb6a2 Mon Sep 17 00:00:00 2001 From: prateek-ap Date: Thu, 11 Jul 2024 11:12:16 +0530 Subject: [PATCH 35/44] Update UTs for SecurityInterface --- test/new_relic/control/security_interface_test.rb | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/test/new_relic/control/security_interface_test.rb b/test/new_relic/control/security_interface_test.rb index f1a77f3001..3997b39e42 100644 --- a/test/new_relic/control/security_interface_test.rb +++ b/test/new_relic/control/security_interface_test.rb 
@@ -30,6 +30,9 @@ def test_initialization_short_circuits_when_the_security_agent_is_disabled with_config('security.agent.enabled' => false, 'security.enabled' => true, 'high_security' => false) do NewRelic::Agent.stub :logger, logger do logger.expect :info, nil, [/Security is completely disabled/] + logger.expect :info, nil, [/high_security = false/] + logger.expect :info, nil, [/security.enabled = true/] + logger.expect :info, nil, [/security.agent.enabled = false/] NewRelic::Control::SecurityInterface.instance.init_agent end @@ -48,6 +51,9 @@ def test_initialization_short_circuits_when_the_security_is_disabled with_config('security.agent.enabled' => true, 'security.enabled' => false, 'high_security' => false) do NewRelic::Agent.stub :logger, logger do logger.expect :info, nil, [/Security is completely disabled/] + logger.expect :info, nil, [/high_security = false/] + logger.expect :info, nil, [/security.enabled = false/] + logger.expect :info, nil, [/security.agent.enabled = true/] NewRelic::Control::SecurityInterface.instance.init_agent end @@ -64,6 +70,9 @@ def test_initialization_short_circuits_when_high_security_mode_is_enabled with_config('security.agent.enabled' => true, 'security.enabled' => true, 'high_security' => true) do NewRelic::Agent.stub :logger, logger do logger.expect :info, nil, [/Security is completely disabled/] + logger.expect :info, nil, [/high_security = true/] + logger.expect :info, nil, [/security.enabled = true/] + logger.expect :info, nil, [/security.agent.enabled = true/] NewRelic::Control::SecurityInterface.instance.init_agent end From 5840f64d3ec3e7eb32f63b9e70f7eab2ef3b4d33 Mon Sep 17 00:00:00 2001 From: prateek-ap Date: Tue, 16 Jul 2024 12:32:15 +0530 Subject: [PATCH 36/44] security.enabled should be checked in Security agent only and not in APM agent --- lib/new_relic/control/security_interface.rb | 6 +-- .../control/security_interface_test.rb | 39 ++++--------------- 2 files changed, 9 insertions(+), 36 deletions(-) 
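Review bot: The new expectations use unescaped patterns such as `/security.enabled = true/`, where each `.` matches any character, so they are looser than the log lines they are meant to pin. Writing them as `/security\.enabled = true/` and `/security\.agent\.enabled = false/` (and likewise in the hunks at `-48,6 +51,9` and `-64,6 +70,9`) keeps the tests tied to the exact setting names whose values decide whether the security agent is loaded.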
diff --git a/lib/new_relic/control/security_interface.rb b/lib/new_relic/control/security_interface.rb index 85cadf0276..05065b30f3 100644 --- a/lib/new_relic/control/security_interface.rb +++ b/lib/new_relic/control/security_interface.rb @@ -29,15 +29,14 @@ def init_agent record_supportability_metrics - if Agent.config[:'security.agent.enabled'] && Agent.config[:'security.enabled'] && !Agent.config[:high_security] + if Agent.config[:'security.agent.enabled'] && !Agent.config[:high_security] Agent.logger.info('Invoking New Relic security module') require 'newrelic_security' @agent_started = true else - Agent.logger.info('New Relic Security is completely disabled by one of the user provided config `security.agent.enabled`, `security.enabled`, or `high_security`. Not loading security capabilities.') + Agent.logger.info('New Relic Security is completely disabled by one of the user provided config `security.agent.enabled`, or `high_security`. Not loading security capabilities.') Agent.logger.info("high_security = #{Agent.config[:high_security]}") - Agent.logger.info("security.enabled = #{Agent.config[:'security.enabled']}") Agent.logger.info("security.agent.enabled = #{Agent.config[:'security.agent.enabled']}") end rescue LoadError @@ -47,7 +46,6 @@ def init_agent end def record_supportability_metrics - Agent.config[:'security.enabled'] ? security_metric(ENABLED) : security_metric(DISABLED) Agent.config[:'security.agent.enabled'] ? security_agent_metric(ENABLED) : security_agent_metric(DISABLED) end diff --git a/test/new_relic/control/security_interface_test.rb b/test/new_relic/control/security_interface_test.rb index 3997b39e42..9f3994c32e 100644 --- a/test/new_relic/control/security_interface_test.rb +++ b/test/new_relic/control/security_interface_test.rb 
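Review bot: With the new condition, `init_agent` reaches `require 'newrelic_security'` and sets `@agent_started = true` whenever `security.agent.enabled` is true and `high_security` is false, whatever `security.enabled` says, so a deployment that sets `security.enabled: false` now relies entirely on the `newrelic_security` gem to honour it. I would record that contract next to the condition, e.g. `# security.enabled is deliberately not checked here; the newrelic_security gem evaluates it after being required`, and confirm that the gem versions this agent can load actually do so. The second hunk (`-47,7 +46,6`) removes the call to `security_metric` from `record_supportability_metrics`, which appears to leave that helper unused in this commit (it is deleted later, in PATCH 41). `init_agent` begins above the hunk.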
@@ -20,18 +20,16 @@ def reset_supportability_metrics def assert_supportability_metrics_enabled assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Agent/Enabled/enabled' - assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Enabled/enabled' end def test_initialization_short_circuits_when_the_security_agent_is_disabled reset_supportability_metrics logger = MiniTest::Mock.new - with_config('security.agent.enabled' => false, 'security.enabled' => true, 'high_security' => false) do + with_config('security.agent.enabled' => false, 'high_security' => false) do NewRelic::Agent.stub :logger, logger do logger.expect :info, nil, [/Security is completely disabled/] logger.expect :info, nil, [/high_security = false/] - logger.expect :info, nil, [/security.enabled = true/] logger.expect :info, nil, [/security.agent.enabled = false/] NewRelic::Control::SecurityInterface.instance.init_agent 
@@ -39,39 +37,16 @@ def test_initialization_short_circuits_when_the_security_agent_is_disabled refute_predicate NewRelic::Control::SecurityInterface.instance, :agent_started? assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Agent/Enabled/disabled' - assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Enabled/enabled' - end - logger.verify - end - - def test_initialization_short_circuits_when_the_security_is_disabled - reset_supportability_metrics - - logger = MiniTest::Mock.new - with_config('security.agent.enabled' => true, 'security.enabled' => false, 'high_security' => false) do - NewRelic::Agent.stub :logger, logger do - logger.expect :info, nil, [/Security is completely disabled/] - logger.expect :info, nil, [/high_security = false/] - logger.expect :info, nil, [/security.enabled = false/] - logger.expect :info, nil, [/security.agent.enabled = true/] - - NewRelic::Control::SecurityInterface.instance.init_agent - end - - refute_predicate NewRelic::Control::SecurityInterface.instance, :agent_started? - assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Agent/Enabled/enabled' - assert_metrics_recorded 'Supportability/Ruby/SecurityAgent/Enabled/disabled' end logger.verify end def test_initialization_short_circuits_when_high_security_mode_is_enabled logger = MiniTest::Mock.new - with_config('security.agent.enabled' => true, 'security.enabled' => true, 'high_security' => true) do + with_config('security.agent.enabled' => true, 'high_security' => true) do NewRelic::Agent.stub :logger, logger do logger.expect :info, nil, [/Security is completely disabled/] logger.expect :info, nil, [/high_security = true/] - logger.expect :info, nil, [/security.enabled = true/] logger.expect :info, nil, [/security.agent.enabled = true/] NewRelic::Control::SecurityInterface.instance.init_agent 
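Review bot: `test_initialization_short_circuits_when_the_security_is_disabled` is deleted without a replacement, so nothing in this file pins what `init_agent` does when `security.agent.enabled` is true and `security.enabled` is false. Since the commit moves that check into the security agent, a test using `with_config('security.agent.enabled' => true, 'security.enabled' => false)` that expects the `Invoking New Relic security` log line would document the new behaviour and catch the gate being reintroduced or dropped by accident.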
@@ -85,7 +60,7 @@ def test_initialization_short_circuits_when_high_security_mode_is_enabled def test_initialization_short_circuits_if_the_agent_has_already_been_started reached = false - with_config('security.agent.enabled' => true, 'security.enabled' => true) do + with_config('security.agent.enabled' => true) do NewRelic::Agent.stub :config, -> { reached = true } do NewRelic::Control::SecurityInterface.instance.instance_variable_set(:@agent_started, true) NewRelic::Control::SecurityInterface.instance.init_agent @@ -97,7 +72,7 @@ def test_initialization_short_circuits_if_the_agent_has_already_been_started def test_initialization_short_circuits_if_the_agent_has_been_told_to_wait reached = false - with_config('security.agent.enabled' => true, 'security.enabled' => true) do + with_config('security.agent.enabled' => true) do NewRelic::Agent.stub :config, -> { reached = true } do NewRelic::Control::SecurityInterface.instance.instance_variable_set(:@wait, true) NewRelic::Control::SecurityInterface.instance.init_agent @@ -112,7 +87,7 @@ def test_initialization_requires_the_security_agent required = false logger = MiniTest::Mock.new - with_config('security.agent.enabled' => true, 'security.enabled' => true) do + with_config('security.agent.enabled' => true) do NewRelic::Agent.stub :logger, logger do logger.expect :info, nil, [/Invoking New Relic security/] @@ -132,7 +107,7 @@ def test_initialization_anticipates_a_load_error skip_unless_minitest5_or_above logger = MiniTest::Mock.new - with_config('security.agent.enabled' => true, 'security.enabled' => true) do + with_config('security.agent.enabled' => true) do NewRelic::Agent.stub :logger, logger do logger.expect :info, nil, [/Invoking New Relic security/] logger.expect :info, nil, [/security agent not found/] 
@@ -153,7 +128,7 @@ def test_initialization_handles_errors skip_unless_minitest5_or_above logger = MiniTest::Mock.new - with_config('security.agent.enabled' => true, 'security.enabled' => true) do + with_config('security.agent.enabled' => true) do NewRelic::Agent.stub :logger, logger do logger.expect :info, nil, [/Invoking New Relic security/] logger.expect :error, nil, [/Exception in New Relic security module loading/] From 37d26c9218e36c09ca29d8e04e1bda5cb9ad5ee2 Mon Sep 17 00:00:00 2001 From: Tanna McClure Date: Wed, 17 Jul 2024 12:29:38 -0500 Subject: [PATCH 37/44] add config reset to prevent leaky tests --- test/new_relic/control/security_interface_test.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/test/new_relic/control/security_interface_test.rb b/test/new_relic/control/security_interface_test.rb index 9f3994c32e..3746d79587 100644 --- a/test/new_relic/control/security_interface_test.rb +++ b/test/new_relic/control/security_interface_test.rb @@ -7,6 +7,7 @@ class NewRelic::Control::SecurityInterfaceTest < Minitest::Test def setup + NewRelic::Agent.config.reset_to_defaults %i[@agent_started @wait].each do |variable| instance = NewRelic::Control::SecurityInterface.instance instance.remove_instance_variable(variable) if instance.instance_variable_defined?(variable) From 9e552c987db29f3b51852ba667cba37d8f423faf Mon Sep 17 00:00:00 2001 From: Tanna McClure Date: Wed, 17 Jul 2024 15:21:43 -0500 Subject: [PATCH 38/44] reset metrics for tests --- test/new_relic/control/security_interface_test.rb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/test/new_relic/control/security_interface_test.rb b/test/new_relic/control/security_interface_test.rb index 3746d79587..8eee07c86e 100644 --- a/test/new_relic/control/security_interface_test.rb +++ b/test/new_relic/control/security_interface_test.rb 
@@ -7,6 +7,7 @@ class NewRelic::Control::SecurityInterfaceTest < Minitest::Test def setup + reset_supportability_metrics NewRelic::Agent.config.reset_to_defaults %i[@agent_started @wait].each do |variable| instance = NewRelic::Control::SecurityInterface.instance @@ -24,8 +25,6 @@ def assert_supportability_metrics_enabled end def test_initialization_short_circuits_when_the_security_agent_is_disabled - reset_supportability_metrics - logger = MiniTest::Mock.new with_config('security.agent.enabled' => false, 'high_security' => false) do NewRelic::Agent.stub :logger, logger do From 863c5f184c10687e651fffb3237c4bd986fa7897 Mon Sep 17 00:00:00 2001 From: Prateek Sen <33506953+prateeksen@users.noreply.github.com> Date: Thu, 18 Jul 2024 10:29:21 +0530 Subject: [PATCH 39/44] Update lib/new_relic/agent/configuration/default_source.rb Co-authored-by: James Bunch --- lib/new_relic/agent/configuration/default_source.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/new_relic/agent/configuration/default_source.rb b/lib/new_relic/agent/configuration/default_source.rb index ab2242c8ed..c94b7b50bb 100644 --- a/lib/new_relic/agent/configuration/default_source.rb +++ b/lib/new_relic/agent/configuration/default_source.rb @@ -2647,7 +2647,7 @@ def self.enforce_fallback(allowed_values: nil, fallback: nil) :type => Integer, :external => true, :allowed_from_server => false, - :description => 'Defines the request body limit to process in security events(In KB). The default value is 300KB.' + :description => 'Defines the request body limit to process in security events (in KB). The default value is 300, for 300KB.' } }.freeze # rubocop:enable Metrics/CollectionLiteralLength From d933a5d066ef8ba3a167a4ad436277a1bf351e27 Mon Sep 17 00:00:00 2001 
From: Prateek Sen <33506953+prateeksen@users.noreply.github.com> Date: Thu, 18 Jul 2024 10:29:37 +0530 Subject: [PATCH 40/44] Update lib/new_relic/control/security_interface.rb Co-authored-by: Kayla Reopelle <87386821+kaylareopelle@users.noreply.github.com> --- lib/new_relic/control/security_interface.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/new_relic/control/security_interface.rb b/lib/new_relic/control/security_interface.rb index 05065b30f3..27a11962ef 100644 --- a/lib/new_relic/control/security_interface.rb +++ b/lib/new_relic/control/security_interface.rb @@ -35,7 +35,7 @@ def init_agent @agent_started = true else - Agent.logger.info('New Relic Security is completely disabled by one of the user provided config `security.agent.enabled`, or `high_security`. Not loading security capabilities.') + Agent.logger.info('New Relic Security is completely disabled by one of the user-provided configurations: `security.agent.enabled` or `high_security`. Not loading security capabilities.') Agent.logger.info("high_security = #{Agent.config[:high_security]}") Agent.logger.info("security.agent.enabled = #{Agent.config[:'security.agent.enabled']}") end From db297b85b582ce3fc273476bed28016634de1d85 Mon Sep 17 00:00:00 2001 From: prateek-ap Date: Thu, 18 Jul 2024 10:38:23 +0530 Subject: [PATCH 41/44] PR review suggestions incorporated --- lib/new_relic/agent/configuration/default_source.rb | 6 +++--- lib/new_relic/control/security_interface.rb | 4 ---- newrelic.yml | 4 ++-- 3 files changed, 5 insertions(+), 9 deletions(-) diff --git a/lib/new_relic/agent/configuration/default_source.rb b/lib/new_relic/agent/configuration/default_source.rb index c94b7b50bb..83f1a96f7a 100644 --- a/lib/new_relic/agent/configuration/default_source.rb +++ b/lib/new_relic/agent/configuration/default_source.rb 
@@ -2594,7 +2594,7 @@ def self.enforce_fallback(allowed_values: nil, fallback: nil) :public => true, :type => String, :allowed_from_server => true, - :allowlist => %w[IAST RASP], + :allowlist => %w[IAST], :description => 'Defines the mode for the security agent to operate in. Currently only `IAST` is supported', :dynamic_name => true }, @@ -2613,7 +2613,7 @@ def self.enforce_fallback(allowed_values: nil, fallback: nil) :public => true, :type => Boolean, :allowed_from_server => false, - :description => 'If `true`, enables RCI detection' + :description => 'If `true`, enables RCI(Remote Code Injection) detection' }, :'security.detection.rxss.enabled' => { :default => true, @@ -2621,7 +2621,7 @@ def self.enforce_fallback(allowed_values: nil, fallback: nil) :public => true, :type => Boolean, :allowed_from_server => false, - :description => 'If `true`, enables RXSS detection' + :description => 'If `true`, enables RXSS(Reflected Cross-site Scripting) detection' }, :'security.detection.deserialization.enabled' => { :default => true, diff --git a/lib/new_relic/control/security_interface.rb b/lib/new_relic/control/security_interface.rb index 27a11962ef..7edbea5c62 100644 --- a/lib/new_relic/control/security_interface.rb +++ b/lib/new_relic/control/security_interface.rb @@ -49,10 +49,6 @@ def record_supportability_metrics Agent.config[:'security.agent.enabled'] ? security_agent_metric(ENABLED) : security_agent_metric(DISABLED) end - def security_metric(setting) - NewRelic::Agent.record_metric_once(SUPPORTABILITY_PREFIX_SECURITY + setting) - end - def security_agent_metric(setting) NewRelic::Agent.record_metric_once(SUPPORTABILITY_PREFIX_SECURITY_AGENT + setting) end diff --git a/newrelic.yml b/newrelic.yml index c0390e10f4..f38f26e660 100644 --- a/newrelic.yml +++ b/newrelic.yml 
@@ -888,10 +888,10 @@ common: &default_settings # Defines the endpoint URL for posting security related data # security.validator_service_url: wss://csec.nr-data.net - # If `true`, enables RCI detection + # If `true`, enables RCI(Remote Code Injection) detection # security.detection.rci.enabled: true - # If `true`, enables RXSS detection + # If `true`, enables RXSS(Reflected Cross-site Scripting) detection # security.detection.rxss.enabled: true # If `true`, enables deserialization detection From bd0d524234ec77023bbefffe935b8e20e1a4f5be Mon Sep 17 00:00:00 2001 From: prateek-ap Date: Mon, 22 Jul 2024 12:37:33 +0530 Subject: [PATCH 42/44] add RASP in allowlist for dev and testing --- lib/new_relic/agent/configuration/default_source.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/new_relic/agent/configuration/default_source.rb b/lib/new_relic/agent/configuration/default_source.rb index 83f1a96f7a..ba72498a5f 100644 --- a/lib/new_relic/agent/configuration/default_source.rb +++ b/lib/new_relic/agent/configuration/default_source.rb @@ -2594,7 +2594,7 @@ def self.enforce_fallback(allowed_values: nil, fallback: nil) :public => true, :type => String, :allowed_from_server => true, - :allowlist => %w[IAST], + :allowlist => %w[IAST RASP], :description => 'Defines the mode for the security agent to operate in. Currently only `IAST` is supported', :dynamic_name => true }, From 5d9c813a1a5ebe168cabd11655af49fc7b8ee10b Mon Sep 17 00:00:00 2001 From: Prateek Sen <33506953+prateeksen@users.noreply.github.com> Date: Mon, 22 Jul 2024 22:59:29 +0530 Subject: [PATCH 43/44] Update lib/new_relic/agent/configuration/default_source.rb Co-authored-by: Kayla Reopelle <87386821+kaylareopelle@users.noreply.github.com> --- lib/new_relic/agent/configuration/default_source.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/lib/new_relic/agent/configuration/default_source.rb b/lib/new_relic/agent/configuration/default_source.rb index ba72498a5f..32b281d04e 100644 --- a/lib/new_relic/agent/configuration/default_source.rb +++ b/lib/new_relic/agent/configuration/default_source.rb @@ -2613,7 +2613,7 @@ def self.enforce_fallback(allowed_values: nil, fallback: nil) :public => true, :type => Boolean, :allowed_from_server => false, - :description => 'If `true`, enables RCI(Remote Code Injection) detection' + :description => 'If `true`, enables RCI (remote code injection) detection' }, :'security.detection.rxss.enabled' => { :default => true, From 7c0b4757d2894212f39157df24a3a5d492aaa355 Mon Sep 17 00:00:00 2001 From: Prateek Sen <33506953+prateeksen@users.noreply.github.com> Date: Mon, 22 Jul 2024 22:59:41 +0530 Subject: [PATCH 44/44] Update lib/new_relic/agent/configuration/default_source.rb Co-authored-by: Kayla Reopelle <87386821+kaylareopelle@users.noreply.github.com> --- lib/new_relic/agent/configuration/default_source.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/new_relic/agent/configuration/default_source.rb b/lib/new_relic/agent/configuration/default_source.rb index 32b281d04e..b104da010c 100644 --- a/lib/new_relic/agent/configuration/default_source.rb +++ b/lib/new_relic/agent/configuration/default_source.rb @@ -2621,7 +2621,7 @@ def self.enforce_fallback(allowed_values: nil, fallback: nil) :public => true, :type => Boolean, :allowed_from_server => false, - :description => 'If `true`, enables RXSS(Reflected Cross-site Scripting) detection' + :description => 'If `true`, enables RXSS (reflected cross-site scripting) detection' }, :'security.detection.deserialization.enabled' => { :default => true,