Add Security Agent comments to newrelic.yml (#2773)

* Add Security Agent comments to newrelic.yml

---------

Co-authored-by: James Bunch <fallwith@gmail.com>
Co-authored-by: Kayla Reopelle <87386821+kaylareopelle@users.noreply.github.com>

lib/tasks/helpers/newrelicyml.rb

@@ -45,6 +45,34 @@ module NewRelicYML
 
   HEADER
 
+  SECURITY_BEGIN = <<-SECURITY
+  # BEGIN security agent
+  #
+  #   NOTE: At this time, the security agent is intended for use only within
+  #         a dedicated security testing environment with data that can tolerate
+  #         modification or deletion. The security agent is available as a
+  #         separate Ruby gem, newrelic_security. It is recommended that this
+  #         separate gem only be introduced to a security testing environment
+  #         by leveraging Bundler grouping like so:
+  #
+  #         # Gemfile
+  #         gem 'newrelic_rpm'               # New Relic APM observability agent
+  #         gem 'newrelic-infinite_tracing'  # New Relic Infinite Tracing
+  #
+  #         group :security do
+  #           gem 'newrelic_security', require: false # New Relic security agent
+  #         end
+  #
+  #   NOTE: All "security.*" configuration parameters are related only to the
+  #         security agent, and all other configuration parameters that may
+  #         have "security" in the name somewhere are related to the APM agent.
+  
+  SECURITY
+
+  SECURITY_END = <<-SECURITY
+  # END security agent
+  SECURITY
+
   FOOTER = <<~FOOTER
     # Environment-specific settings are in this section.
     # RAILS_ENV or RACK_ENV (as appropriate) is used to determine the environment.
@@ -67,16 +95,35 @@ module NewRelicYML
   FOOTER
 
   def self.get_configs(defaults)
-    defaults.sort.each_with_object({}) do |(key, value), final_configs|
+    agent_configs = {}
+    security_configs = {}
+
+    defaults.sort.each do |key, value|
       next if CRITICAL.include?(key) || SKIP.include?(key)
 
       next unless public_config?(value) && !deprecated?(value)
 
-      sanitized_description = sanitize_description(value[:description])
-      description = format_description(sanitized_description)
-      default = default_value(key, value)
-      final_configs[key] = {description: description, default: default}
+      # TODO: OLD RUBIES < 2.6
+      # Remove `to_s`. `start_with?` doesn't accept symbols in Ruby <2.6
+      if key.to_s.start_with?('security.')
+        description, default = build_config(key, value)
+        security_configs[key] = {description: description, default: default}
+        next
+      end
+
+      description, default = build_config(key, value)
+      agent_configs[key] = {description: description, default: default}
     end
+
+    [agent_configs, security_configs]
+  end
+
+  def self.build_config(key, value)
+    sanitized_description = sanitize_description(value[:description])
+    description = format_description(sanitized_description)
+    default = default_value(key, value)
+
+    [description, default]
   end
 
   def self.public_config?(value)
@@ -126,15 +173,30 @@ def self.default_value(key, config_hash)
     end
   end
 
-  def self.build_string(defaults)
-    configs = get_configs(defaults)
-    yml_string = ''
+  def self.agent_configs_yml(agent_configs)
+    agent_yml = ''
+    agent_configs.each do |key, value|
+      agent_yml += "#{value[:description]}\n  # #{key}: #{value[:default]}\n\n"
+    end
+
+    agent_yml
+  end
 
-    configs.each do |key, value|
-      yml_string += "#{value[:description]}\n  # #{key}: #{value[:default]}\n\n"
+  def self.security_configs_yml(security_configs)
+    security_yml = ''
+    security_configs.each do |key, value|
+      security_yml += "#{value[:description]}\n  # #{key}: #{value[:default]}\n\n"
     end
 
-    yml_string
+    security_yml
+  end
+
+  def self.build_string(defaults)
+    agent_configs, security_configs = get_configs(defaults)
+    agent_string = agent_configs_yml(agent_configs)
+    security_string = security_configs_yml(security_configs)
+
+    agent_string + SECURITY_BEGIN + security_string + SECURITY_END + "\n"
   end
 
   # :nocov:

newrelic.yml

@@ -645,60 +645,6 @@ common: &default_settings
   # ignoring specific transactions.
   # rules.ignore_url_regexes: []
 
-  # BEGIN security agent
-  #
-  #   NOTE: At this time, the security agent is intended for use only within
-  #         a dedicated security testing environment with data that can tolerate
-  #         modification or deletion. The security agent is available as a
-  #         separate Ruby gem, newrelic_security. It is recommended that this
-  #         separate gem only be introduced to a security testing environment
-  #         by leveraging Bundler grouping like so:
-  #
-  #         # Gemfile
-  #         gem 'newrelic_rpm'               # New Relic APM observability agent
-  #         gem 'newrelic-infinite_tracing'  # New Relic Infinite Tracing
-  #
-  #         group :security do
-  #           gem 'newrelic_security', require: false # New Relic security agent
-  #         end
-  #
-  #   NOTE: All "security.*" configuration parameters are related only to the
-  #         security agent, and all other configuration parameters that may
-  #         have "security" in the name some where are related to the APM agent.
-  #
-
-  # If true, the security agent is loaded (a Ruby 'require' is performed)
-  # security.agent.enabled: false
-
-  # The port the application is listening on. This setting is mandatory for
-  # Passenger servers. Other servers should be detected by default.
-  # security.application_info.port: nil
-
-  # If true, enables deserialization detection
-  # security.detection.deserialization.enabled: true
-
-  # If true, enables RCI (remote code injection) detection
-  # security.detection.rci.enabled: true
-
-  # If true, enables RXSS (reflected cross-site scripting) detection
-  # security.detection.rxss.enabled: true
-
-  # If true, the security agent is started (the agent runs in its event loop)
-  # security.enabled: false
-
-  # Defines the mode for the security agent to operate in. Currently only IAST is
-  # supported
-  # security.mode: IAST
-
-  # Defines the request body limit to process in security events (in KB). The
-  # default value is 300, for 300KB.
-  # security.request.body_limit: 300
-
-  # Defines the endpoint URL for posting security-related data
-  # security.validator_service_url: wss://csec.nr-data.net
-
-  # END security agent
-
   # Applies Language Agent Security Policy settings.
   # security_policies_token: ""
 
@@ -916,6 +862,59 @@ common: &default_settings
   # Foundry environment.
   # utilization.detect_pcf: true
 
+  # BEGIN security agent
+  #
+  #   NOTE: At this time, the security agent is intended for use only within
+  #         a dedicated security testing environment with data that can tolerate
+  #         modification or deletion. The security agent is available as a
+  #         separate Ruby gem, newrelic_security. It is recommended that this
+  #         separate gem only be introduced to a security testing environment
+  #         by leveraging Bundler grouping like so:
+  #
+  #         # Gemfile
+  #         gem 'newrelic_rpm'               # New Relic APM observability agent
+  #         gem 'newrelic-infinite_tracing'  # New Relic Infinite Tracing
+  #
+  #         group :security do
+  #           gem 'newrelic_security', require: false # New Relic security agent
+  #         end
+  #
+  #   NOTE: All "security.*" configuration parameters are related only to the
+  #         security agent, and all other configuration parameters that may
+  #         have "security" in the name somewhere are related to the APM agent.
+
+  # If true, the security agent is loaded (a Ruby 'require' is performed)
+  # security.agent.enabled: false
+
+  # The port the application is listening on. This setting is mandatory for
+  # Passenger servers. Other servers should be detected by default.
+  # security.application_info.port: nil
+
+  # If true, enables deserialization detection
+  # security.detection.deserialization.enabled: true
+
+  # If true, enables RCI (remote code injection) detection
+  # security.detection.rci.enabled: true
+
+  # If true, enables RXSS (reflected cross-site scripting) detection
+  # security.detection.rxss.enabled: true
+
+  # If true, the security agent is started (the agent runs in its event loop)
+  # security.enabled: false
+
+  # Defines the mode for the security agent to operate in. Currently only IAST is
+  # supported
+  # security.mode: IAST
+
+  # Defines the request body limit to process in security events (in KB). The
+  # default value is 300, for 300KB.
+  # security.request.body_limit: 300
+
+  # Defines the endpoint URL for posting security-related data
+  # security.validator_service_url: wss://csec.nr-data.net
+
+  # END security agent
+
 # Environment-specific settings are in this section.
 # RAILS_ENV or RACK_ENV (as appropriate) is used to determine the environment.
 # If your application has other named environments, configure them here.

test/new_relic/newrelicyml_test.rb

@@ -103,30 +103,41 @@ def test_build_string
       :default => 'newrelic.yml',
       :public => true,
       :description => 'Config path'
+    },
+    :'security.firethorn' => {
+      :default => false,
+      :public => true,
+      :description => 'Thorny shrub.'
     }
   }
 
   def final_config_hash
-    config_hash = {
-      :begonia => {
-        :description => '  # If true, green with white polka dots.',
-        :default => 'nil'
-      },
-      :config_path => {
-        :description => '  # Config path',
-        :default => 'newrelic.yml'
+    config_hash = [
+      {
+        :begonia => {
+          :description => '  # If true, green with white polka dots.',
+          :default => 'nil'
+        },
+        :config_path => {
+          :description => '  # Config path',
+          :default => 'newrelic.yml'
+        },
+        :lily => {
+          :description => '  # White flowers.',
+          :default => 2
+        },
+        :monstera => {
+          :description => '  # Leafy and pretty.',
+          :default => '""'
+        }
       },
-      :lily => {
-        :description => '  # White flowers.',
-        :default => 2
-      },
-      :monstera => {
-        :description => '  # Leafy and pretty.',
-        :default => '""'
+      {
+        :'security.firethorn' => {
+          :description => '  # Thorny shrub.',
+          :default => false
+        }
       }
-    }
-
-    config_hash
+    ]
   end
 
   def final_string
@@ -143,6 +154,32 @@ def final_string
   # Leafy and pretty.
   # monstera: ""
 
+  # BEGIN security agent
+  #
+  #   NOTE: At this time, the security agent is intended for use only within
+  #         a dedicated security testing environment with data that can tolerate
+  #         modification or deletion. The security agent is available as a
+  #         separate Ruby gem, newrelic_security. It is recommended that this
+  #         separate gem only be introduced to a security testing environment
+  #         by leveraging Bundler grouping like so:
+  #
+  #         # Gemfile
+  #         gem 'newrelic_rpm'               # New Relic APM observability agent
+  #         gem 'newrelic-infinite_tracing'  # New Relic Infinite Tracing
+  #
+  #         group :security do
+  #           gem 'newrelic_security', require: false # New Relic security agent
+  #         end
+  #
+  #   NOTE: All "security.*" configuration parameters are related only to the
+  #         security agent, and all other configuration parameters that may
+  #         have "security" in the name somewhere are related to the APM agent.
+  
+  # Thorny shrub.
+  # security.firethorn: false
+
+  # END security agent
+
     YML
   end
 end