add support for csec php agent

newrelic · anmol-ap · Jun 12, 2024 · Jun 19, 2024 · Jun 25, 2024 · Mar 13, 2025
commit a88db4e3249ab4f7839c6a223a031764e8977220
diff --git a/agent/config.m4 b/agent/config.m4
@@ -220,7 +220,7 @@ if test "$PHP_NEWRELIC" = "yes"; then
   php_pdo_mysql.c php_pdo_pgsql.c php_pgsql.c php_psr7.c php_redis.c \
   php_rinit.c php_rshutdown.c php_samplers.c php_stack.c \
   php_stacked_segment.c php_txn.c php_user_instrument.c \
-  php_user_instrument_hashmap.c php_vm.c php_wrapper.c"
+  php_user_instrument_hashmap.c php_vm.c php_wrapper.c csec_metadata.c"
   FRAMEWORKS="fw_cakephp.c fw_codeigniter.c fw_drupal8.c \
   fw_drupal.c fw_drupal_common.c fw_joomla.c fw_kohana.c \
   fw_laminas3.c fw_laravel.c fw_laravel_queue.c fw_lumen.c \

diff --git a/agent/csec_metadata.c b/agent/csec_metadata.c
@@ -0,0 +1,48 @@
+#include "csec_metadata.h"
+#include "util_strings.h"
+#include "php_hash.h"
+#include "php_api_internal.h"
+
+static void nr_csec_php_add_assoc_string_const(zval* arr,
+                                          const char* key,
+                                          const char* value) {
+  char* val = NULL;
+
+  if (NULL == arr || NULL == key || NULL == value) {
+    return;
+  }
+
+  val = nr_strdup(value);
+  nr_php_add_assoc_string(arr, key, val);
+  nr_free(val);
+}
+
+#ifdef TAGS
+void zif_newrelic_get_security_metadata(void); /* ctags landing pad only */
+void newrelic_get_security_metadata(void);     /* ctags landing pad only */
+#endif
+PHP_FUNCTION(newrelic_get_security_metadata) {
+
+  NR_UNUSED_RETURN_VALUE;
+  NR_UNUSED_RETURN_VALUE_PTR;
+  NR_UNUSED_RETURN_VALUE_USED;
+  NR_UNUSED_THIS_PTR;
+  NR_UNUSED_EXECUTE_DATA;
+
+  array_init(return_value);
+
+  nr_csec_php_add_assoc_string_const(return_value, KEY_ENTITY_NAME, nr_app_get_entity_name(NRPRG(app)));
+  nr_csec_php_add_assoc_string_const(return_value, KEY_ENTITY_TYPE, nr_app_get_entity_type(NRPRG(app)));
+  nr_csec_php_add_assoc_string_const(return_value, KEY_ENTITY_GUID, nr_app_get_entity_guid(NRPRG(app)));
+  nr_csec_php_add_assoc_string_const(return_value, KEY_HOSTNAME, nr_app_get_host_name(NRPRG(app)));
+  nr_csec_php_add_assoc_string_const(return_value, KEY_LICENSE, NRPRG(license).value);
+
+  if (NRPRG(app)) {
+    nr_csec_php_add_assoc_string_const(return_value, KEY_AGENT_RUN_ID, NRPRG(app)->agent_run_id);
+    nr_csec_php_add_assoc_string_const(return_value, KEY_ACCOUNT_ID, NRPRG(app)->account_id);
+    nr_csec_php_add_assoc_string_const(return_value, KEY_PLICENSE, NRPRG(app)->plicense);
+    int high_security = NRPRG(app)->info.high_security;
+    add_assoc_long(return_value, KEY_HIGH_SECURITY, (long)high_security);
+  }
+
+}
diff --git a/agent/csec_metadata.h b/agent/csec_metadata.h
@@ -0,0 +1,12 @@
+#include "php_agent.h"
+#include "util_hashmap.h"
+
+#define KEY_ENTITY_NAME "entity.name"
+#define KEY_ENTITY_TYPE "entity.type"
+#define KEY_ENTITY_GUID "entity.guid"
+#define KEY_HOSTNAME "hostname"
+#define KEY_AGENT_RUN_ID "agent.run.id"
+#define KEY_ACCOUNT_ID "account.id"
+#define KEY_LICENSE "license"
+#define KEY_PLICENSE "plicense"
+#define KEY_HIGH_SECURITY "high_security"
diff --git a/agent/php_api_internal.h b/agent/php_api_internal.h
@@ -16,6 +16,8 @@
  */
 extern PHP_FUNCTION(newrelic_get_request_metadata);
 
+extern PHP_FUNCTION(newrelic_get_security_metadata);
+
 #ifdef ENABLE_TESTING_API
 
 /*

diff --git a/agent/php_globals.h b/agent/php_globals.h
@@ -66,6 +66,8 @@ typedef struct _nrphpglobals_t {
   int instrument_internal; /* newrelic.transaction_tracer.internal_functions_enabled
                             */
   int high_security;       /* newrelic.high_security */
+  bool nr_security_agent_enabled; /* newrelic.security.agent.enabled */
+  bool nr_security_enabled;     /* newrelic.security.enabled */
 
   int apache_major;    /* Apache major version */
   int apache_minor;    /* Apache minor version */

diff --git a/agent/php_minit.c b/agent/php_minit.c
@@ -719,6 +719,13 @@ PHP_MINIT_FUNCTION(newrelic) {
   nr_wordpress_minit();
   nr_php_set_opcode_handlers();
 
+  if (!NR_PHP_PROCESS_GLOBALS(nr_security_agent_enabled) || !NR_PHP_PROCESS_GLOBALS(nr_security_enabled) || NR_PHP_PROCESS_GLOBALS(high_security)) {
+    nrl_info(NRL_INIT, "New Relic Security is completely disabled by one of the user provided config `newrelic.security.enabled`, `newrelic.security.agent.enabled` or `newrelic.high_security`. Not loading security capabilities.");
+    nrl_debug(NRL_INIT, "newrelic.security.agent.enabled : %s", NR_PHP_PROCESS_GLOBALS(nr_security_enabled) ? "true" : "false");
+    nrl_debug(NRL_INIT, "newrelic.security.enabled : %s", NR_PHP_PROCESS_GLOBALS(nr_security_agent_enabled) ? "true" : "false");
+    nrl_debug(NRL_INIT, "newrelic.high_security : %s", NR_PHP_PROCESS_GLOBALS(high_security) ? "true" : "false");
+  }
+
   nrl_debug(NRL_INIT, "MINIT processing done");
 #if ZEND_MODULE_API_NO >= ZEND_8_0_X_API_NO /* PHP 7.4+ */
   NR_PHP_PROCESS_GLOBALS(zend_offset) = zend_get_resource_handle(dummy);

diff --git a/agent/php_newrelic.c b/agent/php_newrelic.c
@@ -342,9 +342,11 @@ static zend_function_entry newrelic_functions[] = {
 #ifdef PHP8
     PHP_FE(newrelic_get_linking_metadata, newrelic_arginfo_void)
     PHP_FE(newrelic_get_trace_metadata, newrelic_arginfo_void)
+    PHP_FE(newrelic_get_security_metadata, newrelic_arginfo_void)
 #else
     PHP_FE(newrelic_get_linking_metadata, 0)
     PHP_FE(newrelic_get_trace_metadata, 0)
+    PHP_FE(newrelic_get_security_metadata, 0)
 #endif /* PHP 8 */
     /*
      * Integration test helpers

diff --git a/agent/php_nrini.c b/agent/php_nrini.c
@@ -515,6 +515,58 @@ static PHP_INI_MH(nr_high_security_mh) {
   return SUCCESS;
 }
 
+static PHP_INI_MH(nr_security_enabled_mh) {
+  int val;
+
+  (void)entry;
+  (void)NEW_VALUE_LEN;
+  (void)mh_arg1;
+  (void)mh_arg2;
+  (void)mh_arg3;
+  (void)stage;
+  NR_UNUSED_TSRMLS;
+
+  val = nr_bool_from_str(NEW_VALUE);
+
+  if (-1 == val) {
+    return FAILURE;
+  }
+
+  if (val) {
+    NR_PHP_PROCESS_GLOBALS(nr_security_enabled) = true;
+  } else {
+    NR_PHP_PROCESS_GLOBALS(nr_security_enabled) = false;
+  }
+
+  return SUCCESS;
+}
+
+static PHP_INI_MH(nr_security_agent_enabled_mh) {
+  int val;
+
+  (void)entry;
+  (void)NEW_VALUE_LEN;
+  (void)mh_arg1;
+  (void)mh_arg2;
+  (void)mh_arg3;
+  (void)stage;
+  NR_UNUSED_TSRMLS;
+
+  val = nr_bool_from_str(NEW_VALUE);
+
+  if (-1 == val) {
+    return FAILURE;
+  }
+
+  if (val) {
+    NR_PHP_PROCESS_GLOBALS(nr_security_agent_enabled) = true;
+  } else {
+    NR_PHP_PROCESS_GLOBALS(nr_security_agent_enabled) = false;
+  }
+
+  return SUCCESS;
+}
+
 static PHP_INI_MH(nr_preload_framework_library_detection_mh) {
   int val;
 
@@ -2009,6 +2061,18 @@ PHP_INI_ENTRY_EX("newrelic.high_security",
                  nr_high_security_mh,
                  0)
 
+PHP_INI_ENTRY_EX("newrelic.security.agent.enabled",
+                 "0",
+                 NR_PHP_SYSTEM,
+                 nr_security_agent_enabled_mh,
+                 0)
+
+PHP_INI_ENTRY_EX("newrelic.security.enabled",
+                 "0",
+                 NR_PHP_SYSTEM,
+                 nr_security_enabled_mh,
+                 0)
+
 /*
  * Feature flag handling.
  */

diff --git a/axiom/cmd_appinfo_transmit.c b/axiom/cmd_appinfo_transmit.c
@@ -287,6 +287,7 @@ nr_status_t nr_cmd_appinfo_process_reply(const uint8_t* data,
   int reply_len;
   const char* reply_json;
   const char* entity_guid;
+  const char* account_id; /* Csec : Added for extracting account_id */
 
   if ((NULL == data) || (0 == len)) {
     return NR_FAILURE;
@@ -384,6 +385,20 @@ nr_status_t nr_cmd_appinfo_process_reply(const uint8_t* data,
     app->entity_guid = NULL;
   }
 
+  /*
+   * Csec : Added for extracting account_id
+   */
+  nr_free(app->account_id);
+  account_id = nro_get_hash_string(app->connect_reply, "account_id", NULL);
+  if (NULL != account_id) {
+    app->account_id = nr_strdup(account_id);
+  } else {
+    app->account_id = NULL;
+  }
+  /*
+   * Csec : Added for extracting account_id
+   */
+
   nrl_debug(NRL_ACCT, "APPINFO reply full app='%.*s' agent_run_id=%s",
             NRP_APPNAME(app->info.appname), app->agent_run_id);
 

diff --git a/axiom/nr_app.c b/axiom/nr_app.c
@@ -121,6 +121,7 @@ void nr_app_destroy(nrapp_t** app_ptr) {
   nr_free(app->host_name);
   nr_free(app->entity_guid);
   nr_free(app->entity_name);
+  nr_free(app->account_id);
   nr_rules_destroy(&app->url_rules);
   nr_rules_destroy(&app->txn_rules);
   nr_segment_terms_destroy(&app->segment_terms);

diff --git a/axiom/nr_app.h b/axiom/nr_app.h
@@ -105,6 +105,7 @@ typedef struct _nrapp_t {
   char* host_name;          /* Local host name reported to the daemon */
   char* entity_name;        /* Entity name related to this application */
   char* entity_guid;        /* Entity guid related to this application */
+  char* account_id;         /* Security : Added for getting account id */
   time_t last_daemon_query; /* Used by agent: Last time we queried daemon about
                                this app */
   int failed_daemon_query_count; /* Used by agent: Number of times daemon query
-Original file line number
+Diff line change
@@ Expand Up / @@ -16,6 +16,8 @@ @@
      */
     extern PHP_FUNCTION(newrelic_get_request_metadata);
+    extern PHP_FUNCTION(newrelic_get_security_metadata);
     #ifdef ENABLE_TESTING_API
     /*
@@ Expand Down @@