Class: TCellAgent::Policies::DataLossPolicy

Inherits:
Policy
  • Object
show all
Defined in:
lib/tcell_agent/policies/dataloss_policy.rb,
lib/tcell_agent/rails/dlp.rb

Overview

rubocop:disable Metrics/ClassLength

Defined Under Namespace

Classes: FilterActions, RequestProtectionManager

Instance Attribute Summary collapse

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(policies_json) ⇒ DataLossPolicy

Returns a new instance of DataLossPolicy.



45
46
47
48
 
# File 'lib/tcell_agent/policies/dataloss_policy.rb', line 45

def initialize(policies_json)
  init_options
  from_json(policies_json) unless policies_json.nil? || policies_json.empty?
end

Instance Attribute Details

#database_actionsObject

Returns the value of attribute database_actions.



38
39
40
 
# File 'lib/tcell_agent/policies/dataloss_policy.rb', line 38

def database_actions
  @database_actions
end

#database_discovery_enabledObject

Returns the value of attribute database_discovery_enabled.



40
41
42
 
# File 'lib/tcell_agent/policies/dataloss_policy.rb', line 40

def database_discovery_enabled
  @database_discovery_enabled
end

#database_filter_actionsObject

Returns the value of attribute database_filter_actions.



32
33
34
 
# File 'lib/tcell_agent/policies/dataloss_policy.rb', line 32

def database_filter_actions
  @database_filter_actions
end

#enabledObject

Returns the value of attribute enabled.



29
30
31
 
# File 'lib/tcell_agent/policies/dataloss_policy.rb', line 29

def enabled
  @enabled
end

#field_alertsObject

Returns the value of attribute field_alerts.



43
44
45
 
# File 'lib/tcell_agent/policies/dataloss_policy.rb', line 43

def field_alerts
  @field_alerts
end

#field_redact_bodyObject

Returns the value of attribute field_redact_body.



42
43
44
 
# File 'lib/tcell_agent/policies/dataloss_policy.rb', line 42

def field_redact_body
  @field_redact_body
end

#policy_idObject

Returns the value of attribute policy_id.



34
35
36
 
# File 'lib/tcell_agent/policies/dataloss_policy.rb', line 34

def policy_id
  @policy_id
end

#request_filter_actionsObject

Returns the value of attribute request_filter_actions.



31
32
33
 
# File 'lib/tcell_agent/policies/dataloss_policy.rb', line 31

def request_filter_actions
  @request_filter_actions
end

#session_id_actionsObject

Returns the value of attribute session_id_actions.



37
38
39
 
# File 'lib/tcell_agent/policies/dataloss_policy.rb', line 37

def session_id_actions
  @session_id_actions
end

#session_id_filter_actionsObject

Returns the value of attribute session_id_filter_actions.



30
31
32
 
# File 'lib/tcell_agent/policies/dataloss_policy.rb', line 30

def session_id_filter_actions
  @session_id_filter_actions
end

#table_field_actionsObject

Returns the value of attribute table_field_actions.



36
37
38
 
# File 'lib/tcell_agent/policies/dataloss_policy.rb', line 36

def table_field_actions
  @table_field_actions
end

Class Method Details

.actions_from_json(options) ⇒ Object 



170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
 
# File 'lib/tcell_agent/policies/dataloss_policy.rb', line 170

def self.actions_from_json(options)
  actions = nil
  if options.key?('log')
    if options['log'].include? 'redact'
      actions ||= FilterActions.new
      actions.log_redact = true
    end
    if options['log'].include? 'event'
      actions ||= FilterActions.new
      actions.log_event = true
    end
    if options['log'].include? 'hash'
      actions ||= FilterActions.new
      actions.log_hash = true
    end
  end
  if options.key?('body')
    if options['body'].include? 'redact'
      actions ||= FilterActions.new
      actions.body_redact = true
    end
    if options['body'].include? 'event'
      actions ||= FilterActions.new
      actions.body_event = true
    end
    if options['body'].include? 'hash'
      actions ||= FilterActions.new
      actions.body_hash = true
    end
  end
  actions
end

.api_identifierObject 



7
8
9
 
# File 'lib/tcell_agent/policies/dataloss_policy.rb', line 7

def self.api_identifier
  'dlp'
end

Instance Method Details

#actions_for_cookie?Boolean

Returns:

  • (Boolean) 


95
96
97
 
# File 'lib/tcell_agent/policies/dataloss_policy.rb', line 95

def actions_for_cookie?
  !@request_filter_actions[RequestProtectionManager::COOKIE].empty?
end

#actions_for_form_parameter?Boolean

Returns:

  • (Boolean) 


87
88
89
 
# File 'lib/tcell_agent/policies/dataloss_policy.rb', line 87

def actions_for_form_parameter?
  !@request_filter_actions[RequestProtectionManager::FORM].empty?
end

#actions_for_headers?Boolean

Returns:

  • (Boolean) 


91
92
93
 
# File 'lib/tcell_agent/policies/dataloss_policy.rb', line 91

def actions_for_headers?
  !@request_filter_actions[RequestProtectionManager::HEADER].empty?
end

#from_json(policy_json) ⇒ Object 



203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
 
# File 'lib/tcell_agent/policies/dataloss_policy.rb', line 203

def from_json(policy_json)
  return unless policy_json

  @policy_id = policy_json['policy_id']
  raise 'Policy ID missing' unless @policy_id

  data_json = (policy_json['data'] || {})

  if data_json.key?('data_discovery')
    data_discovery_json = data_json['data_discovery']
    @database_discovery_enabled = data_discovery_json.fetch('database_enabled', false)
    @enabled = @database_discovery_enabled
  end

  if data_json.key?('session_id_protections')
    session_id_protection = data_json['session_id_protections']
    rule_id = session_id_protection.fetch('id', nil)
    filter_actions = DataLossPolicy.actions_from_json(session_id_protection)
    unless filter_actions.nil?
      @enabled = true
      filter_actions.action_id = rule_id
      @session_id_filter_actions = filter_actions
    end
  end

  if data_json.key?('request_protections')
    data_json['request_protections'].each do |protection|
      context = protection.fetch('variable_context', nil)
      variables = protection.fetch('variables', nil)
      scope = protection.fetch('scope', 'global')
      rule_id = protection.fetch('id', nil)
      options = protection.fetch('actions', nil)
      route_ids = []

      if scope == 'global'
        route_ids = ['*']
      elsif scope == 'route'
        route_ids = protection.fetch('route_ids', [])
      else
        next
      end

      next unless context && @request_filter_actions.key?(context) && variables && options

      filter_actions = DataLossPolicy.actions_from_json(options)
      next if filter_actions.nil?

      @enabled = true
      filter_actions.action_id = rule_id
      variables.each do |variable|
        route_ids.each  do |route_id|
          if context == RequestProtectionManager::COOKIE
            # Case sensitive variable name
            @request_filter_actions[context][route_id][variable].add(filter_actions)
          else
            @request_filter_actions[context][route_id][variable.downcase].add(filter_actions)
          end
        end
      end
    end
  end

  return unless data_json.key?('db_protections')

  protections = data_json['db_protections']
  return unless protections

  protections.each do |protection_json|
    scope = protection_json.fetch('scope', nil)
    databases = protection_json.fetch('databases', ['*'])
    schemas = protection_json.fetch('schemas', ['*'])
    tables = protection_json.fetch('tables', ['*'])
    fields = protection_json.fetch('fields', nil)
    rule_id = protection_json.fetch('id', nil)
    actions = protection_json.fetch('actions', {})
    filter_actions = DataLossPolicy.actions_from_json(actions)
    route_ids = ['*']

    if !scope.nil? && scope != 'global' && scope == 'route'
      route_ids = protection_json.fetch('route_ids', [])
    end

    next if fields.nil? || filter_actions.nil?

    @enabled = true
    filter_actions.action_id = rule_id
    databases.each do |database|
      schemas.each do |schema|
        tables.each do |table|
          fields.each do |field|
            route_ids.each do |route_id|
              @database_actions[database][schema][table][field][route_id].add(filter_actions)
            end
          end
        end
      end
    end
  end
end

#get_actions_for(table, field) ⇒ Object 



163
164
165
166
167
168
 
# File 'lib/tcell_agent/policies/dataloss_policy.rb', line 163

def get_actions_for(table, field)
  actions = Set.new
  key = "#{table}.#{field}"
  actions.merge(@table_field_actions.fetch(key, [].to_set))
  actions
end

#get_actions_for_cookie(cookie_name, route_id = nil) ⇒ Object 



99
100
101
 
# File 'lib/tcell_agent/policies/dataloss_policy.rb', line 99

def get_actions_for_cookie(cookie_name, route_id = nil)
  get_actions_for_request(RequestProtectionManager::COOKIE, cookie_name, route_id)
end

#get_actions_for_form_parameter(parameter_name, route_id = nil) ⇒ Object 



107
108
109
 
# File 'lib/tcell_agent/policies/dataloss_policy.rb', line 107

def get_actions_for_form_parameter(parameter_name, route_id = nil)
  get_actions_for_request(RequestProtectionManager::FORM, parameter_name.downcase, route_id)
end

#get_actions_for_header(header_name, route_id = nil) ⇒ Object 



103
104
105
 
# File 'lib/tcell_agent/policies/dataloss_policy.rb', line 103

def get_actions_for_header(header_name, route_id = nil)
  get_actions_for_request(RequestProtectionManager::HEADER, header_name.downcase, route_id)
end

#get_actions_for_request(context, variable, route_id = nil) ⇒ Object 



111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
 
# File 'lib/tcell_agent/policies/dataloss_policy.rb', line 111

def get_actions_for_request(context, variable, route_id = nil)
  return nil if context.nil? || variable.nil?

  route_id = '*' if route_id.nil?
  if context != RequestProtectionManager::COOKIE
    variable = variable.downcase
  end
  actions = Set.new
  if @request_filter_actions.key?(context)
    if @request_filter_actions[context].key?(route_id) && @request_filter_actions[context][route_id].key?(variable)
      actions.merge(@request_filter_actions[context][route_id][variable])
    end
    if route_id != '*' && @request_filter_actions[context].key?('*') && @request_filter_actions[context]['*'].key?(variable)
      actions.merge(@request_filter_actions[context]['*'][variable])
    end
  end
  return nil if actions.size <= 0

  actions
end

#get_actions_for_session_id(_route_id = nil) ⇒ Object 



83
84
85
 
# File 'lib/tcell_agent/policies/dataloss_policy.rb', line 83

def get_actions_for_session_id(_route_id = nil)
  @session_id_filter_actions
end

#get_actions_for_table(database, schema, table, field, route_id = '*') ⇒ Object 



132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
 
# File 'lib/tcell_agent/policies/dataloss_policy.rb', line 132

def get_actions_for_table(database, schema, table, field, route_id = '*')
  route_id = '*' if route_id.nil?
  actions = Set.new
  [database, '*'].each do |d|
    next if @database_actions.key?(d) == false

    [schema, '*'].each do |s|
      next if @database_actions[d].key?(s) == false

      [table, '*'].each do |t|
        next if @database_actions[d][s].key?(t) == false

        [field, '*'].each do |f|
          next if @database_actions[d][s][t].key?(f) == false

          route_id_rules = @database_actions[d][s][t][f]
          if route_id_rules.key?(route_id)
            actions.merge(@database_actions[d][s][t][f][route_id])
          end
          if route_id != '*' && route_id_rules.key?('*')
            actions.merge(@database_actions[d][s][t][f]['*'])
          end
        end
      end
    end
  end
  return nil if actions.empty?

  actions
end

#init_optionsObject 



50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
 
# File 'lib/tcell_agent/policies/dataloss_policy.rb', line 50

def init_options
  @enabled = false
  @policy_id = nil

  @table_field_actions = {}
  @session_id_actions = []

  @database_discovery_enabled = false

  @field_redact_body = Set.new # ["work_infos.SSN"].to_set #
  @field_alerts = Set.new

  @session_id_filter_actions = nil
  @request_filter_actions = {
    RequestProtectionManager::FORM => Hash.new { |h, k| h[k] = Hash.new { |i_h, i_k| i_h[i_k] = Set.new } },
    RequestProtectionManager::COOKIE => Hash.new { |h, k| h[k] = Hash.new { |i_h, i_k| i_h[i_k] = Set.new } },
    RequestProtectionManager::HEADER => Hash.new { |h, k| h[k] = Hash.new { |i_h, i_k| i_h[i_k] = Set.new } }
  }
  @database_actions = Hash.new do |h, k|
    h[k] = Hash.new do |d_h, d_k|
      d_h[d_k] = Hash.new do |s_h, s_k|
        s_h[s_k] = Hash.new do |t_h, t_k|
          t_h[t_k] = Hash.new do |f_h, f_k|
            f_h[f_k] = Set.new
          end
        end
      end
    end
  end

  @log_actions = nil
end

#log_enforce(tcell_context, sanitize_string) ⇒ Object 



303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
 
# File 'lib/tcell_agent/rails/dlp.rb', line 303

def log_enforce(tcell_context, sanitize_string)
  if TCellAgent.configuration.should_instrument? &&
     TCellAgent.configuration.should_intercept_requests?
    session_id_actions = get_actions_for_session_id
    if tcell_context && tcell_context.session_id && session_id_actions
      send_event = false
      sanitize_string.gsub!(tcell_context.session_id) do |m|
        if session_id_actions.log_redact
          send_event = true
          m = '[session_id]'
        elsif session_id_actions.log_hash
          send_event = true
          m = '[hash]'
        elsif session_id_actions.log_event
          send_event = true
        end
        m
      end
      if send_event
        TCellAgent.send_event(
          TCellAgent::SensorEvents::DlpEvent.new(
            tcell_context.route_id,
            tcell_context.uri,
            TCellAgent::SensorEvents::DlpEvent::FOUND_IN_LOG
          ).for_framework(TCellAgent::SensorEvents::DlpEvent::FRAMEWORK_VARIABLE_SESSION_ID)
        )
      end
    end
  end

  sanitize_string
end

#response_body_enforce(tcell_context, sanitize_string) ⇒ Object 



336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
 
# File 'lib/tcell_agent/rails/dlp.rb', line 336

def response_body_enforce(tcell_context, sanitize_string)
  if TCellAgent.configuration.should_instrument? &&
     TCellAgent.configuration.should_intercept_requests?
    session_id_actions = get_actions_for_session_id
    if tcell_context && tcell_context.session_id && session_id_actions
      send_event = false
      sanitize_string.gsub!(tcell_context.session_id) do |m|
        # rubocop:disable Lint/DuplicateBranch
        if session_id_actions.body_redact
          # m = "[session_id]"
          send_event = true
        elsif session_id_actions.body_hash
          # m = "[hash]"
          send_event = true
        elsif session_id_actions.body_event
          send_event = true
        end
        # rubocop:enable Lint/DuplicateBranch
        m
      end
    end
    if send_event
      TCellAgent.send_event(
        TCellAgent::SensorEvents::DlpEvent.new(
          tcell_context.route_id,
          tcell_context.uri,
          TCellAgent::SensorEvents::DlpEvent::FOUND_IN_BODY
        ).for_framework(TCellAgent::SensorEvents::DlpEvent::FRAMEWORK_VARIABLE_SESSION_ID)
      )
    end
  end

  sanitize_string
end