Testing K2 Integration

newrelic/config.py

@@ -329,6 +329,13 @@ def _process_configuration(section):
     _process_setting(section, "ca_bundle_path", "get", None)
     _process_setting(section, "audit_log_file", "get", None)
     _process_setting(section, "monitor_mode", "getboolean", None)
+    _process_setting(section, "security.agent.enabled", "getboolean", None)
+    _process_setting(section, "security.enabled", "getboolean", None)
+    _process_setting(section, "security.mode", "get", None)
+    _process_setting(section, "security.validator_service_url", "get", None)
+    _process_setting(section, "security.detection.rci.enabled", "getboolean", None)
+    _process_setting(section, "security.detection.rxss.enabled", "getboolean", None)
+    _process_setting(section, "security.detection.deserialization.enabled", "getboolean", None)
     _process_setting(section, "developer_mode", "getboolean", None)
     _process_setting(section, "high_security", "getboolean", None)
     _process_setting(section, "capture_params", "getboolean", None)
@@ -3169,6 +3176,23 @@ def _setup_agent_console():
         newrelic.core.agent.Agent.run_on_startup(_startup_agent_console)
 
 
+def _setup_security_module():
+    """Initiates k2 security module and adds a
+    callback to agent startup to propagate NR config
+    """
+    try:
+        if not _settings.security.agent.enabled:
+            return
+        from newrelic_security.api.agent import Agent as SecurityAgent
+
+        # initialize security agent
+        security_agent = SecurityAgent()
+        # create a callback to reinitialise the security module
+        newrelic.core.agent.Agent.run_on_startup(security_agent.refresh_agent)
+    except Exception as k2error:
+        _logger.error("K2 Startup failed with error %s", k2error)
+
+
 def initialize(
     config_file=None,
     environment=None,
@@ -3187,6 +3211,8 @@ def initialize(
 
     _load_configuration(config_file, environment, ignore_errors, log_file, log_level)
 
+    _setup_security_module()
+
     if _settings.monitor_mode or _settings.developer_mode:
         _settings.enabled = True
         _setup_instrumentation()

newrelic/core/config.py

@@ -279,6 +279,30 @@ class ApplicationLoggingLocalDecoratingSettings(Settings):
     pass
 
 
+class SecuritySettings(Settings):
+    pass
+
+
+class SecurityDetectionSettings(Settings):
+    pass
+
+
+class SecurityAgentSettings(Settings):
+    pass
+
+
+class SecurityDetectionRCISettings(Settings):
+    pass
+
+
+class SecurityDetectionRXSSSettings(Settings):
+    pass
+
+
+class SecurityDetectionDeserializationSettings(Settings):
+    pass
+
+
 class InfiniteTracingSettings(Settings):
     _trace_observer_host = None
 
@@ -395,6 +419,12 @@ class EventHarvestConfigHarvestLimitSettings(Settings):
 _settings.message_tracer = MessageTracerSettings()
 _settings.process_host = ProcessHostSettings()
 _settings.rum = RumSettings()
+_settings.security = SecuritySettings()
+_settings.security.agent = SecurityAgentSettings()
+_settings.security.detection = SecurityDetectionSettings()
+_settings.security.detection.deserialization = SecurityDetectionDeserializationSettings()
+_settings.security.detection.rci = SecurityDetectionRCISettings()
+_settings.security.detection.rxss = SecurityDetectionRXSSSettings()
 _settings.serverless_mode = ServerlessModeSettings()
 _settings.slow_sql = SlowSqlSettings()
 _settings.span_events = SpanEventSettings()
@@ -412,7 +442,6 @@ class EventHarvestConfigHarvestLimitSettings(Settings):
 _settings.transaction_tracer.attributes = TransactionTracerAttributesSettings()
 _settings.utilization = UtilizationSettings()
 
-
 _settings.log_file = os.environ.get("NEW_RELIC_LOG", None)
 _settings.audit_log_file = os.environ.get("NEW_RELIC_AUDIT_LOG", None)
 
@@ -840,6 +869,16 @@ def default_host(license_key):
     "NEW_RELIC_APPLICATION_LOGGING_LOCAL_DECORATING_ENABLED", default=False
 )
 
+_settings.security.agent.enabled = _environ_as_bool("NEW_RELIC_SECURITY_AGENT_ENABLED", False)
+_settings.security.enabled = _environ_as_bool("NEW_RELIC_SECURITY_ENABLED", False)
+_settings.security.mode = os.environ.get("NEW_RELIC_SECURITY_MODE", "IAST")
+_settings.security.validator_service_url = os.environ.get("NEW_RELIC_SECURITY_VALIDATOR_SERVICE_URL", None)
+_settings.security.detection.rci.enabled = _environ_as_bool("NEW_RELIC_SECURITY_DETECTION_RCI_ENABLED", True)
+_settings.security.detection.rxss.enabled = _environ_as_bool("NEW_RELIC_SECURITY_DETECTION_RXSS_ENABLED", True)
+_settings.security.detection.deserialization.enabled = _environ_as_bool(
+    "NEW_RELIC_SECURITY_DETECTION_DESERIALIZATION_ENABLED", True
+)
+
 
 def global_settings():
     """This returns the default global settings. Generally only used

newrelic/newrelic.ini

@@ -49,6 +49,32 @@ app_name = Python Application
 # NEW_RELIC_MONITOR_MODE environment variable.
 monitor_mode = true
 
+# Indicates if attack detection security module is to be enabled
+security.enabled = false
+
+# To completely disable security set flag to false If the flag is
+# set to false, the security module is not loaded. This property
+# is read only once at application start.
+security.agent.enabled = false
+
+
+# security module provides two modes IAST or RASP
+# RASP stands for Runtime Application Self Protection
+# while IAST for Interactive Application Security Testing
+# Default mode is IAST
+security.mode = IAST
+
+
+# web-protect agent endpoint connection URLs
+security.validator_service_url = wss://csec.nr-data.net
+
+
+# vulnerabilty detection flags
+security.detection.rci.enabled = true
+security.detection.rxss.enabled = true
+security.detection.deserialization.enabled = true
+
+
 # Sets the name of a file to log agent messages to. Whatever you
 # set this to, you must ensure that the permissions for the
 # containing directory and the file itself are correct, and
@@ -251,5 +277,4 @@ monitor_mode = true
 
 [newrelic:production]
 monitor_mode = true
-
 # ---------------------------------------------------------------------------

setup.py

@@ -151,6 +151,7 @@ def build_extension(self, ext):
     package_data={
         "newrelic": ["newrelic.ini", "version.txt", "packages/urllib3/LICENSE.txt", "common/cacert.pem"],
     },
+    #install_requires=["newrelic-security @ git+https://github.com/newrelic/csec-python-agent.git@develop#egg=newrelic-security"],
     extras_require={"infinite-tracing": ["grpcio", "protobuf"]},
 )
 

tests/framework_bottle/conftest.py

@@ -23,6 +23,10 @@
     'transaction_tracer.stack_trace_threshold': 0.0,
     'debug.log_data_collector_payloads': True,
     'debug.record_transaction_failure': True,
+    "security.agent.enabled": True,
+    "security.enabled": True,
+    "security.mode": "IAST",
+    "security.validator_service_url": "wss://csec-staging.nr-data.net"
 }
 
 collector_agent_registration = collector_agent_registration_fixture(

tests/framework_django/conftest.py

@@ -25,6 +25,10 @@
     'debug.record_transaction_failure': True,
     'debug.log_autorum_middleware': True,
     'feature_flag': set(['django.instrumentation.inclusion-tags.r1']),
+    "security.agent.enabled": True,
+    "security.enabled": True,
+    "security.mode": "IAST",
+    "security.validator_service_url": "wss://csec-staging.nr-data.net"
 }
 
 collector_agent_registration = collector_agent_registration_fixture(

tests/framework_flask/conftest.py

@@ -19,14 +19,17 @@
 
 from testing_support.fixtures import collector_agent_registration_fixture, collector_available_fixture  # noqa: F401; pylint: disable=W0611
 
-
 _default_settings = {
     'transaction_tracer.explain_threshold': 0.0,
     'transaction_tracer.transaction_threshold': 0.0,
     'transaction_tracer.stack_trace_threshold': 0.0,
     'debug.log_data_collector_payloads': True,
     'debug.record_transaction_failure': True,
     'debug.log_autorum_middleware': True,
+    "security.agent.enabled": True,
+    "security.enabled": True,
+    "security.mode": "IAST",
+    "security.validator_service_url": "wss://csec-staging.nr-data.net"
 }
 
 collector_agent_registration = collector_agent_registration_fixture(

tox.ini

@@ -173,8 +173,10 @@ deps =
     {py27,pypy}: pytest==4.6.11
     iniconfig
     coverage
+    git+git@github.com:newrelic/csec-python-agent.git#egg=newrelic-security
     WebTest==2.0.35
 
+
     # Test Suite Dependencies
     adapter_cheroot: cheroot
     adapter_daphne-daphnelatest: daphne