Security Agent integration updates #1233

Open
wants to merge 36 commits into
base: test-k2-integration
33b51fc
Testing install requires.
umaannamalai Jun 1, 2023
0c2cbbc
Merge conflicts.
umaannamalai Jun 1, 2023
7041783
Fixed k2 reference to Security Agent
AnupamJuniwal Jun 12, 2023
5cba84e
Merge remote-tracking branch 'refs/remotes/newrelic-public-fork/devel…
AnupamJuniwal Nov 14, 2023
a7e4870
Merge branch 'main' into develop-k2-integration
AnupamJuniwal Nov 14, 2023
34fc7f4
branch update for develop branch to use k2-python-agent's dev branch
AnupamJuniwal Dec 13, 2023
140bb54
Merge branch 'main' into develop-k2-integration
AnupamJuniwal Dec 13, 2023
2da32e5
Merge branch 'develop-k2-integration' into develop
AnupamJuniwal Dec 13, 2023
941a38b
Fix for high security flag handling
AnupamJuniwal Dec 13, 2023
675e009
added log in case security is disabled due to config
AnupamJuniwal Jan 2, 2024
3909f52
branch update for newrelic_security module
AnupamJuniwal Feb 1, 2024
b969fc9
branch update
AnupamJuniwal Feb 23, 2024
6afb0ce
Updates as per new api changes
AnupamJuniwal Feb 28, 2024
6417d80
Merge pull request #1 from k2io/task/NR-181061/high_security_config_a…
AnupamJuniwal Feb 29, 2024
d1ef2f8
Rolledback SA branch to develop in setup.py
AnupamJuniwal Feb 29, 2024
9dd7cf8
introduced a new config: security.request.body_limit
AnupamJuniwal Mar 13, 2024
ec18d6f
Updated csec agent branch for testing
AnupamJuniwal Apr 22, 2024
8cc81eb
Merge pull request #3 from k2io/task/NR-181060/request_body_truncate
AnupamJuniwal Apr 22, 2024
d21f366
branch change rollback
AnupamJuniwal Apr 22, 2024
f941800
Temporary changes to update csec branch to task/python_27_support
AnupamJuniwal Apr 23, 2024
5377dde
Merge branch 'task/python_27_support' into develop
AnupamJuniwal Jun 27, 2024
7fb5280
Updated security agent branch after merge
AnupamJuniwal Jun 27, 2024
9b5754b
Merge branch 'main' into develop
AnupamJuniwal Jul 19, 2024
466b31e
Merge branch 'main' into test-k2-integration
AnupamJuniwal Jul 19, 2024
d97a15c
Updates for csec agent moved to newrelic org
AnupamJuniwal Sep 17, 2024
5e9eed9
Merge branch 'apm-main' into apm-test-k2-integration
AnupamJuniwal Sep 25, 2024
824a13b
Merge branch 'apm-test-k2-integration' into develop
AnupamJuniwal Sep 25, 2024
a936b71
Merge branch 'main' into test-k2-integration
AnupamJuniwal Oct 10, 2024
2179d76
Merge branch 'test-k2-integration' into k2-develop
AnupamJuniwal Oct 10, 2024
1d36fda
Merge branch 'develop' into test-k2-integration
AnupamJuniwal Oct 10, 2024
f2ec2a9
removed Security agent install_requires from setup
AnupamJuniwal Oct 10, 2024
e242902
Minor fix for newrelic_security tox install
AnupamJuniwal Oct 10, 2024
1dc1728
Minor fix
AnupamJuniwal Oct 10, 2024
2f78743
Minor fix
AnupamJuniwal Oct 10, 2024
f8176ca
Removed newrelic_security installation from tox.ini
AnupamJuniwal Oct 10, 2024
ca62f46
Merge branch 'apm-main' into test-k2-integration
AnupamJuniwal Oct 22, 2024
28 changes: 28 additions & 0 deletions newrelic/config.py
@@ -327,6 +327,14 @@ def _process_configuration(section):
_process_setting(section, "ca_bundle_path", "get", None)
_process_setting(section, "audit_log_file", "get", None)
_process_setting(section, "monitor_mode", "getboolean", None)
_process_setting(section, "security.agent.enabled", "getboolean", None)
_process_setting(section, "security.enabled", "getboolean", None)
_process_setting(section, "security.mode", "get", None)
_process_setting(section, "security.validator_service_url", "get", None)
_process_setting(section, "security.detection.rci.enabled", "getboolean", None)
_process_setting(section, "security.detection.rxss.enabled", "getboolean", None)
_process_setting(section, "security.detection.deserialization.enabled", "getboolean", None)
_process_setting(section, "security.request.body_limit", "get", None)
_process_setting(section, "developer_mode", "getboolean", None)
_process_setting(section, "high_security", "getboolean", None)
_process_setting(section, "capture_params", "getboolean", None)
@@ -4687,6 +4695,24 @@ def _setup_agent_console():
newrelic.core.agent.Agent.run_on_startup(_startup_agent_console)


def _setup_security_module():
"""Initiates security module and adds a
callback to agent startup to propagate NR config
"""
try:
if not _settings.security.agent.enabled or _settings.high_security:
_logger.warning("New Relic Security is disabled by one of the user provided config `security.agent.enabled` or `high_security`.")
return
from newrelic_security.api.agent import get_agent

# initialize security agent
security_agent = get_agent()
# create a callback to reinitialise the security module
newrelic.core.agent.Agent.run_on_startup(security_agent.refresh_agent)
except Exception as csec_error:
_logger.error("Security Agent Startup failed with error %s", csec_error)


def initialize(
config_file=None,
environment=None,
@@ -4705,6 +4731,8 @@ def initialize(

_load_configuration(config_file, environment, ignore_errors, log_file, log_level)

_setup_security_module()

if _settings.monitor_mode or _settings.developer_mode:
_settings.enabled = True
_setup_instrumentation()
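Review bot: In `_setup_security_module`, the `except Exception` handler logs only the `%s` text of the error, so a security agent that was explicitly enabled but failed to start leaves the application running without it and with no traceback to diagnose why; `_logger.exception` would keep the stack. The same handler also covers a missing `newrelic_security` package (the commit list suggests it is no longer in `install_requires`), which deserves its own `ImportError` branch with a message that names the package. The disabled branch also logs at warning level for the default `security.agent.enabled = false`, so every default installation emits it on `initialize()`; a warning seems warranted only when `high_security` overrides an explicit opt-in. One possible shape is below.

```python
def _setup_security_module():
    # … unchanged: docstring …
    if not _settings.security.agent.enabled:
        # Default configuration: nothing was requested, so stay quiet.
        _logger.debug("New Relic Security is disabled: `security.agent.enabled` is false.")
        return
    if _settings.high_security:
        # The operator opted in, but high security mode takes precedence.
        _logger.warning("New Relic Security was requested but is disabled because `high_security` is enabled.")
        return
    try:
        from newrelic_security.api.agent import get_agent
        # … unchanged: get_agent() and run_on_startup(security_agent.refresh_agent) …
    except ImportError:
        _logger.error("`security.agent.enabled` is true but the newrelic_security package is not installed.")
    except Exception:
        # exception() records the traceback that the %s formatting dropped.
        _logger.exception("Security Agent Startup failed")
```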
45 changes: 44 additions & 1 deletion newrelic/core/config.py
@@ -335,6 +335,32 @@ class ApplicationLoggingLocalDecoratingSettings(Settings):
pass


class SecuritySettings(Settings):
pass


class SecurityDetectionSettings(Settings):
pass


class SecurityAgentSettings(Settings):
pass


class SecurityDetectionRCISettings(Settings):
pass


class SecurityDetectionRXSSSettings(Settings):
pass


class SecurityDetectionDeserializationSettings(Settings):
pass

class SecurityRequestSettings(Settings):
pass

class InfiniteTracingSettings(Settings):
_trace_observer_host = None

@@ -463,6 +489,13 @@ class EventHarvestConfigHarvestLimitSettings(Settings):
_settings.message_tracer = MessageTracerSettings()
_settings.process_host = ProcessHostSettings()
_settings.rum = RumSettings()
_settings.security = SecuritySettings()
_settings.security.agent = SecurityAgentSettings()
_settings.security.detection = SecurityDetectionSettings()
_settings.security.detection.deserialization = SecurityDetectionDeserializationSettings()
_settings.security.detection.rci = SecurityDetectionRCISettings()
_settings.security.detection.rxss = SecurityDetectionRXSSSettings()
_settings.security.request = SecurityRequestSettings()
_settings.serverless_mode = ServerlessModeSettings()
_settings.slow_sql = SlowSqlSettings()
_settings.span_events = SpanEventSettings()
@@ -480,7 +513,6 @@ class EventHarvestConfigHarvestLimitSettings(Settings):
_settings.transaction_tracer.attributes = TransactionTracerAttributesSettings()
_settings.utilization = UtilizationSettings()


_settings.log_file = os.environ.get("NEW_RELIC_LOG", None)
_settings.audit_log_file = os.environ.get("NEW_RELIC_AUDIT_LOG", None)

@@ -965,6 +997,17 @@ def default_otlp_host(host):
_settings.package_reporting.enabled = _environ_as_bool("NEW_RELIC_PACKAGE_REPORTING_ENABLED", default=True)
_settings.ml_insights_events.enabled = _environ_as_bool("NEW_RELIC_ML_INSIGHTS_EVENTS_ENABLED", default=False)

_settings.security.agent.enabled = _environ_as_bool("NEW_RELIC_SECURITY_AGENT_ENABLED", False)
_settings.security.enabled = _environ_as_bool("NEW_RELIC_SECURITY_ENABLED", False)
_settings.security.mode = os.environ.get("NEW_RELIC_SECURITY_MODE", "IAST")
_settings.security.validator_service_url = os.environ.get("NEW_RELIC_SECURITY_VALIDATOR_SERVICE_URL", None)
_settings.security.detection.rci.enabled = _environ_as_bool("NEW_RELIC_SECURITY_DETECTION_RCI_ENABLED", True)
_settings.security.detection.rxss.enabled = _environ_as_bool("NEW_RELIC_SECURITY_DETECTION_RXSS_ENABLED", True)
_settings.security.detection.deserialization.enabled = _environ_as_bool(
"NEW_RELIC_SECURITY_DETECTION_DESERIALIZATION_ENABLED", True
)
_settings.security.request.body_limit = os.environ.get("NEW_RELIC_SECURITY_REQUEST_BODY_LIMIT", None)


def global_settings():
"""This returns the default global settings. Generally only used
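Review bot: `security.request.body_limit` is stored as the raw string from `NEW_RELIC_SECURITY_REQUEST_BODY_LIMIT` with a default of `None`, and newrelic/config.py reads the ini value with `"get"`, so a non-numeric, zero or negative limit is accepted without any check, and the code default differs from the `300` shipped in newrelic.ini. Going by the newrelic.ini comment, this value limits how much of each request body the security module reads, so it should be parsed to an integer and range-checked here, for example `_settings.security.request.body_limit = _environ_as_int("NEW_RELIC_SECURITY_REQUEST_BODY_LIMIT", 300)` together with `"getint"` in `_process_configuration`. `security.validator_service_url` and `security.mode` are likewise taken verbatim; whether the security agent itself enforces a `wss://` scheme and an IAST/RASP value is not visible on this page and is worth confirming.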
31 changes: 30 additions & 1 deletion newrelic/newrelic.ini
@@ -49,6 +49,36 @@ app_name = Python Application
# NEW_RELIC_MONITOR_MODE environment variable.
monitor_mode = true

# Indicates if attack detection security module is to be enabled
security.enabled = false

# To completely disable security set flag to false If the flag is
# set to false, the security module is not loaded. This property
# is read only once at application start.
security.agent.enabled = false


# security module provides two modes IAST or RASP
# RASP stands for Runtime Application Self Protection
# while IAST for Interactive Application Security Testing
# Default mode is IAST
security.mode = IAST


# web-protect agent endpoint connection URLs
security.validator_service_url = wss://csec.nr-data.net


# vulnerabilty detection flags
security.detection.rci.enabled = true
security.detection.rxss.enabled = true
security.detection.deserialization.enabled = true


# security request body read limiting in kb
security.request.body_limit = 300


# Sets the name of a file to log agent messages to. Whatever you
# set this to, you must ensure that the permissions for the
# containing directory and the file itself are correct, and
@@ -251,5 +281,4 @@ monitor_mode = true

[newrelic:production]
monitor_mode = true

# ---------------------------------------------------------------------------
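Review bot: The new security block is placed with the common settings, ahead of the per-environment sections, with `security.mode = IAST`, so the same mode applies to `[newrelic:production]` once `security.agent.enabled` is switched on. IAST is, as the comment itself spells out, a testing mode, and nothing here says where it is appropriate. A comment such as `# IAST is intended for test/staging environments; review before enabling it in production.` above `security.mode` would help, as would stating that `high_security = true` disables the security module, which is what `_setup_security_module` in newrelic/config.py does. The comment `# vulnerabilty detection flags` has a typo (`vulnerability`), and `set flag to false If the flag` is missing a full stop.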
4 changes: 4 additions & 0 deletions tests/framework_bottle/conftest.py
@@ -25,6 +25,10 @@
"transaction_tracer.stack_trace_threshold": 0.0,
"debug.log_data_collector_payloads": True,
"debug.record_transaction_failure": True,
"security.agent.enabled": True,
"security.enabled": True,
"security.mode": "IAST",
"security.validator_service_url": "wss://csec-staging.nr-data.net"
}

collector_agent_registration = collector_agent_registration_fixture(
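Review bot: The four added settings turn the security agent on and point it at an external endpoint, `wss://csec-staging.nr-data.net`, so if `newrelic_security` is installed these framework tests would presumably depend on, and send data to, a live staging service. If it is not installed (the commit list shows its tox install was removed), the settings have no visible effect, and nothing in the diff asserts on them. Consider leaving `security.agent.enabled` off in the shared defaults and enabling it only in tests that exercise the integration against a local stub. The last entry also lacks the trailing comma the other entries use: `"security.validator_service_url": "wss://csec-staging.nr-data.net",`. The same four lines are added in tests/framework_django/conftest.py and tests/framework_flask/conftest.py; the dict itself starts outside the hunk.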
4 changes: 4 additions & 0 deletions tests/framework_django/conftest.py
@@ -27,6 +27,10 @@
"debug.record_transaction_failure": True,
"debug.log_autorum_middleware": True,
"feature_flag": set(["django.instrumentation.inclusion-tags.r1"]),
"security.agent.enabled": True,
"security.enabled": True,
"security.mode": "IAST",
"security.validator_service_url": "wss://csec-staging.nr-data.net"
}

collector_agent_registration = collector_agent_registration_fixture(
4 changes: 4 additions & 0 deletions tests/framework_flask/conftest.py
@@ -41,6 +41,10 @@
"debug.log_data_collector_payloads": True,
"debug.record_transaction_failure": True,
"debug.log_autorum_middleware": True,
"security.agent.enabled": True,
"security.enabled": True,
"security.mode": "IAST",
"security.validator_service_url": "wss://csec-staging.nr-data.net"
}

collector_agent_registration = collector_agent_registration_fixture(
1 change: 1 addition & 0 deletions tox.ini
@@ -188,6 +188,7 @@ deps =
WebTest==3.0.0
py313: legacy-cgi==2.6.1 # cgi was removed from the stdlib in 3.13, and is required for WebTest


# Test Suite Dependencies
adapter_asgiref-asgireflatest: asgiref
adapter_asgiref-asgiref0303: asgiref<3.4