Merge pull request #1879 from newrelic/saxon/log-security-env-values

When IAST is disabled log security related env and system properties

Author: jasonjkeller

newrelic-agent/src/main/java/com/newrelic/agent/Agent.java

@@ -10,7 +10,6 @@
 import com.google.common.collect.ImmutableMap;
 import com.newrelic.agent.bridge.AgentBridge;
 import com.newrelic.agent.config.AgentConfig;
-import com.newrelic.agent.config.AgentConfigImpl;
 import com.newrelic.agent.config.AgentJarHelper;
 import com.newrelic.agent.config.ConfigService;
 import com.newrelic.agent.config.ConfigServiceFactory;
@@ -29,8 +28,6 @@
 import com.newrelic.agent.util.UnwindableInstrumentation;
 import com.newrelic.agent.util.UnwindableInstrumentationImpl;
 import com.newrelic.agent.util.asm.ClassStructure;
-import com.newrelic.api.agent.Config;
-import com.newrelic.api.agent.NewRelic;
 import com.newrelic.api.agent.security.NewRelicSecurity;
 import com.newrelic.bootstrap.BootstrapAgent;
 import com.newrelic.bootstrap.BootstrapLoader;
@@ -275,17 +272,10 @@ public void disconnected(IRPMService rpmService) {
             }
         } else {
             LOG.info("New Relic Security is completely disabled by one of the user provided config `security.enabled`, `security.agent.enabled` or `high_security`. Not loading security capabilities.");
-            Config config = NewRelic.getAgent().getConfig();
-            logConfig(config, Level.FINE, AgentConfigImpl.HIGH_SECURITY);
-            logConfig(config, Level.FINE, SecurityAgentConfig.SECURITY_ENABLED);
-            logConfig(config, Level.FINE, SecurityAgentConfig.SECURITY_AGENT_ENABLED);
+            SecurityAgentConfig.logSettings(Level.FINE);
         }
     }
 
-    private static void logConfig(Config config, Level logLevel, String key) {
-        LOG.log(logLevel, "{0} = {1}", key, config.getValue(key));
-    }
-
     private static Instrumentation maybeWrapInstrumentation(Instrumentation inst) {
         if (System.getProperty(BootstrapAgent.NR_AGENT_ARGS_SYSTEM_PROPERTY) != null) {
             return UnwindableInstrumentationImpl.wrapInstrumentation(inst);

newrelic-agent/src/main/java/com/newrelic/agent/config/SecurityAgentConfig.java

@@ -9,10 +9,14 @@
 
 import com.google.common.collect.Sets;
 import com.newrelic.api.agent.Config;
+import com.newrelic.api.agent.Logger;
 import com.newrelic.api.agent.NewRelic;
 
+import java.util.Arrays;
 import java.util.Collections;
+import java.util.Map;
 import java.util.Set;
+import java.util.logging.Level;
 
 /* Default config should look like:
  *
@@ -150,4 +154,32 @@ public static boolean isSecurityLowPriorityInstrumentationEnabled() {
         return config.getValue(SECURITY_LOW_PRIORITY_INSTRUMENTATION_ENABLED, SECURITY_LOW_PRIORITY_INSTRUMENTATION_ENABLED_DEFAULT);
     }
 
+    /**
+     * Log security settings to help debug when the IAST agent is not enabled.
+     */
+    public static void logSettings(Level logLevel) {
+        logSettings(NewRelic.getAgent().getConfig(), NewRelic.getAgent().getLogger(), logLevel,
+                System.getenv(), System.getProperties());
+    }
+
+    static void logSettings(final Config config, final Logger logger, Level logLevel,
+                            Map<String, String> environment,
+                            Map<Object, Object> systemProperties) {
+
+        if (logger.isLoggable(logLevel)) {
+            Arrays.asList(AgentConfigImpl.HIGH_SECURITY, SECURITY_ENABLED, SECURITY_AGENT_ENABLED).forEach(key ->
+                    logger.log(logLevel, "{0} = {1}", key, config.getValue(key)));
+
+            environment.forEach((key, value) -> {
+                if (key.contains("NEW_RELIC") && key.contains("SECURITY")) {
+                    logger.log(logLevel, "Environment {0} = {1}", key, value);
+                }
+            });
+            systemProperties.forEach((key, value) -> {
+                if (key.toString().contains("newrelic.config.") && key.toString().contains("security")) {
+                    logger.log(logLevel, "System property {0} = {1}", key, value);
+                }
+            });
+        }
+    }
 }

newrelic-agent/src/test/java/com/newrelic/agent/config/SecurityAgentConfigTest.java

@@ -1,12 +1,18 @@
 package com.newrelic.agent.config;
 
+import com.google.common.collect.ImmutableMap;
 import com.newrelic.api.agent.Agent;
+import com.newrelic.api.agent.Config;
+import com.newrelic.api.agent.Logger;
 import com.newrelic.api.agent.NewRelic;
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
 import org.junit.Test;
 import org.mockito.MockedStatic;
 
+import java.util.Map;
+import java.util.logging.Level;
+
 import static com.newrelic.agent.config.SecurityAgentConfig.SECURITY_AGENT_ENABLED;
 import static com.newrelic.agent.config.SecurityAgentConfig.SECURITY_AGENT_ENABLED_DEFAULT;
 import static com.newrelic.agent.config.SecurityAgentConfig.SECURITY_DETECTION_DESERIALIZATION_ENABLED;
@@ -28,6 +34,8 @@
 import static org.junit.Assert.assertTrue;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.mockStatic;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 
 public class SecurityAgentConfigTest {
@@ -163,4 +171,23 @@ public void isSecurityLowPriorityInstrumentationEnabled_returnsCorrectEnabledFla
         assertFalse(SecurityAgentConfig.isSecurityLowPriorityInstrumentationEnabled());
     }
 
+    @Test
+    public void testLogSettings() {
+        Config config = mock(Config.class);
+        Logger logger = mock(Logger.class);
+        when(logger.isLoggable(Level.FINE)).thenReturn(true);
+        final String test = "test";
+        final String environmentValueToSkip = "SECURITY_THING";
+        Map<String, String> env = ImmutableMap.of("NEW_RELIC_SECURITY_AGENT_ENABLED", "true",
+                environmentValueToSkip, test);
+        final String systemPropertyToSkip = "security.test";
+        Map<Object, Object> systemProperties = ImmutableMap.of("newrelic.config.security.enabled", "true",
+                systemPropertyToSkip, test);
+        SecurityAgentConfig.logSettings(config, logger, Level.FINE, env, systemProperties);
+
+        verify(logger, times(1)).log(Level.FINE, "Environment {0} = {1}", "NEW_RELIC_SECURITY_AGENT_ENABLED", "true");
+        verify(logger, times(0)).log(Level.FINE, "Environment {0} = {1}", environmentValueToSkip, test);
+        verify(logger, times(1)).log(Level.FINE, "System property {0} = {1}", "newrelic.config.security.enabled", "true");
+        verify(logger, times(0)).log(Level.FINE, "System property {0} = {1}", systemPropertyToSkip, test);
+    }
 }