newrelic · AnupamJuniwal · Sep 21, 2022 · Sep 21, 2022 · Sep 22, 2022 · Sep 27, 2022
@@ -329,6 +329,13 @@ def _process_configuration(section):
     _process_setting(section, "ca_bundle_path", "get", None)
     _process_setting(section, "audit_log_file", "get", None)
     _process_setting(section, "monitor_mode", "getboolean", None)
+    _process_setting(section, "security.agent.enabled", "getboolean", None)
+    _process_setting(section, "security.enabled", "getboolean", None)
+    _process_setting(section, "security.mode", "get", None)
+    _process_setting(section, "security.validator_service_url", "get", None)
+    _process_setting(section, "security.detection.rci.enabled", "getboolean", None)
+    _process_setting(section, "security.detection.rxss.enabled", "getboolean", None)
+    _process_setting(section, "security.detection.deserialization.enabled", "getboolean", None)
     _process_setting(section, "developer_mode", "getboolean", None)
     _process_setting(section, "high_security", "getboolean", None)
     _process_setting(section, "capture_params", "getboolean", None)
@@ -3169,6 +3176,23 @@ def _setup_agent_console():
         newrelic.core.agent.Agent.run_on_startup(_startup_agent_console)
 
 
+def _setup_security_module():
+    """Initiates k2 security module and adds a
+    callback to agent startup to propagate NR config
+    """
+    try:
+        if not _settings.security.agent.enabled:
+            return
+        from newrelic_security.api.agent import Agent as SecurityAgent
+
+        # initialize security agent
+        security_agent = SecurityAgent()
+        # create a callback to reinitialise the security module
+        newrelic.core.agent.Agent.run_on_startup(security_agent.refresh_agent)
+    except Exception as k2error:
+        _logger.error("K2 Startup failed with error %s", k2error)
+
-def _setup_security_module():
-    """Initiates k2 security module and adds a
-    callback to agent startup to propagate NR config
-    """
-    try:
-        if not _settings.security.agent.enabled:
-            return
-        from newrelic_security.api.agent import Agent as SecurityAgent
-
-        # initialize security agent
-        security_agent = SecurityAgent()
-        # create a callback to reinitialise the security module
-        newrelic.core.agent.Agent.run_on_startup(security_agent.refresh_agent)
-    except Exception as k2error:
-        _logger.error("K2 Startup failed with error %s", k2error)
+def _setup_security_module():
+    def _security_agent_registration_callback():
+        """Callback that initializes k2 security module and propagates NR config."""
+        try:
+            from newrelic.api.application import application_instance
+            application = application_instance(activate=False)
+            if not application or not application.settings or not application.settings.security.agent.enabled:
+                return
+            
+            from newrelic_security.api.agent import Agent as SecurityAgent
+            
+            # initialize security agent
+            security_agent = SecurityAgent()
+            security_agent.refresh_agent()
+
+        except Exception as k2error:
+            _logger.error("K2 Startup failed with error %s", k2error)
+
+    # create a callback to only initialize the security module after high security settings have been applied
+    newrelic.core.agent.Agent.run_on_registration(_security_agent_registration_callback)
-def _setup_security_module():
-    """Initiates k2 security module and adds a
-    callback to agent startup to propagate NR config
-    """
-    try:
-        if not _settings.security.agent.enabled:
-            return
-        from newrelic_security.api.agent import Agent as SecurityAgent
-
-        # initialize security agent
-        security_agent = SecurityAgent()
-        # create a callback to reinitialise the security module
-        newrelic.core.agent.Agent.run_on_startup(security_agent.refresh_agent)
-    except Exception as k2error:
-        _logger.error("K2 Startup failed with error %s", k2error)
+def _setup_security_module():
+    def _security_agent_registration_callback():
+        """Callback that initializes k2 security module and propagates NR config."""
+        try:
+            from newrelic.api.application import application_instance
+            application = application_instance(activate=False)
+            if not application or not application.settings or not application.settings.security.agent.enabled:
+                return
+            
+            from newrelic_security.api.agent import Agent as SecurityAgent
+            
+            # initialize security agent
+            security_agent = SecurityAgent()
+            security_agent.refresh_agent()
+
+        except Exception as k2error:
+            _logger.error("K2 Startup failed with error %s", k2error)
+
+    # create a callback to only initialize the security module after high security settings have been applied
+    newrelic.core.agent.Agent.run_on_registration(_security_agent_registration_callback)
+
 def initialize(
     config_file=None,
     environment=None,
@@ -3187,6 +3211,8 @@ def initialize(
 
     _load_configuration(config_file, environment, ignore_errors, log_file, log_level)
 
+    _setup_security_module()
+
     if _settings.monitor_mode or _settings.developer_mode:
         _settings.enabled = True
         _setup_instrumentation()

@@ -279,6 +279,30 @@ class ApplicationLoggingLocalDecoratingSettings(Settings):
     pass
 
 
+class SecuritySettings(Settings):
+    pass
+
+
+class SecurityDetectionSettings(Settings):
+    pass
+
+
+class SecurityAgentSettings(Settings):
+    pass
+
+
+class SecurityDetectionRCISettings(Settings):
+    pass
+
+
+class SecurityDetectionRXSSSettings(Settings):
+    pass
+
+
+class SecurityDetectionDeserializationSettings(Settings):
+    pass
+
+
 class InfiniteTracingSettings(Settings):
     _trace_observer_host = None
 
@@ -395,6 +419,12 @@ class EventHarvestConfigHarvestLimitSettings(Settings):
 _settings.message_tracer = MessageTracerSettings()
 _settings.process_host = ProcessHostSettings()
 _settings.rum = RumSettings()
+_settings.security = SecuritySettings()
+_settings.security.agent = SecurityAgentSettings()
+_settings.security.detection = SecurityDetectionSettings()
+_settings.security.detection.deserialization = SecurityDetectionDeserializationSettings()
+_settings.security.detection.rci = SecurityDetectionRCISettings()
+_settings.security.detection.rxss = SecurityDetectionRXSSSettings()
 _settings.serverless_mode = ServerlessModeSettings()
 _settings.slow_sql = SlowSqlSettings()
 _settings.span_events = SpanEventSettings()
@@ -412,7 +442,6 @@ class EventHarvestConfigHarvestLimitSettings(Settings):
 _settings.transaction_tracer.attributes = TransactionTracerAttributesSettings()
 _settings.utilization = UtilizationSettings()
 
-
 _settings.log_file = os.environ.get("NEW_RELIC_LOG", None)
 _settings.audit_log_file = os.environ.get("NEW_RELIC_AUDIT_LOG", None)
 
@@ -840,6 +869,16 @@ def default_host(license_key):
     "NEW_RELIC_APPLICATION_LOGGING_LOCAL_DECORATING_ENABLED", default=False
 )
 
+_settings.security.agent.enabled = _environ_as_bool("NEW_RELIC_SECURITY_AGENT_ENABLED", False)
+_settings.security.enabled = _environ_as_bool("NEW_RELIC_SECURITY_ENABLED", False)
+_settings.security.mode = os.environ.get("NEW_RELIC_SECURITY_MODE", "IAST")
+_settings.security.validator_service_url = os.environ.get("NEW_RELIC_SECURITY_VALIDATOR_SERVICE_URL", None)
+_settings.security.detection.rci.enabled = _environ_as_bool("NEW_RELIC_SECURITY_DETECTION_RCI_ENABLED", True)
+_settings.security.detection.rxss.enabled = _environ_as_bool("NEW_RELIC_SECURITY_DETECTION_RXSS_ENABLED", True)
+_settings.security.detection.deserialization.enabled = _environ_as_bool(
+    "NEW_RELIC_SECURITY_DETECTION_DESERIALIZATION_ENABLED", True
+)
+
 
 def global_settings():
     """This returns the default global settings. Generally only used

@@ -49,6 +49,32 @@ app_name = Python Application
 # NEW_RELIC_MONITOR_MODE environment variable.
 monitor_mode = true
 
+# Indicates if attack detection security module is to be enabled
+security.enabled = false
+
+# To completely disable security set flag to false If the flag is
+# set to false, the security module is not loaded. This property
+# is read only once at application start.
+security.agent.enabled = false
+
+
+# security module provides two modes IAST or RASP
+# RASP stands for Runtime Application Self Protection
+# while IAST for Interactive Application Security Testing
+# Default mode is IAST
+security.mode = IAST
+
+
+# web-protect agent endpoint connection URLs
+security.validator_service_url = wss://csec.nr-data.net
+
+
+# vulnerabilty detection flags
+security.detection.rci.enabled = true
+security.detection.rxss.enabled = true
+security.detection.deserialization.enabled = true
+
+
 # Sets the name of a file to log agent messages to. Whatever you
 # set this to, you must ensure that the permissions for the
 # containing directory and the file itself are correct, and
@@ -251,5 +277,4 @@ monitor_mode = true
 
 [newrelic:production]
 monitor_mode = true
-
 # ---------------------------------------------------------------------------
@@ -152,6 +152,7 @@ def build_extension(self, ext):
         "newrelic": ["newrelic.ini", "version.txt", "packages/urllib3/LICENSE.txt", "common/cacert.pem"],
     },
     extras_require={"infinite-tracing": ["grpcio", "protobuf"]},
+    install_requires=["newrelic_security @ git+https://github.com/newrelic/csec-python-agent.git@develop"]
 )
 
 if with_setuptools: