contrast-agent 3.8.4

data/lib/contrast/agent/socket_client.rb

@@ -0,0 +1,125 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'socket'
+cs__scoped_require 'uri'
+
+cs__scoped_require 'contrast/api/speedracer'
+cs__scoped_require 'contrast/api/tcp_socket'
+cs__scoped_require 'contrast/api/unix_socket'
+cs__scoped_require 'contrast/api/connection_status'
+cs__scoped_require 'contrast/components/interface'
+
+module Contrast
+  module Agent
+    # SocketClient acts as a interface between the agent and the service. It instantiates a
+    # service proxy and tracks the state of that proxy.
+    class SocketClient
+      include Contrast::Components::Interface
+
+      access_component :logging, :contrast_service, :app_context
+
+      attr_accessor :speedracer, :status
+
+      def initialize
+        @status = Contrast::Api::ConnectionStatus.new
+        @speedracer = Contrast::Api::Speedracer.new(init_connection)
+        @ensure_running = Mutex.new
+      end
+
+      def init_connection
+        if CONTRAST_SERVICE.use_tcp?
+          Contrast::Api::TcpSocket.new(CONTRAST_SERVICE.host, CONTRAST_SERVICE.port)
+        else
+          Contrast::Api::UnixSocket.new(CONTRAST_SERVICE.socket_path)
+        end
+      end
+
+      def service_unavailable?
+        speedracer.nil?
+      end
+
+      def connection_established?
+        status.connected?
+      end
+
+      # Attempt to send the passed message to SpeedRacer. If we're using bundled
+      # service config option, we must first start up the service. Afterwards, we
+      # must send agent startup messages no matter what the config options are.
+      #
+      # @param msg [Contrast::Api::Dtm::Message] the message to be sent.
+      # @return [Array<Contrast::Api::Settings::AgentSettings>] the response from SpeedRacer or nil
+      #   if it failed to send or the service is unavailable.
+      def send_to_speedracer msg
+        return if service_unavailable?
+
+        @ensure_running.synchronize do
+          if CONTRAST_SERVICE.use_bundled_service?
+            return unless start_or_restart
+          end
+          build_service_context unless status.startup_messages_sent?
+        end
+
+        logger.debug_with_time(msg.cs__class.name) do
+          logger.debug "[m__id__:#{ msg.__id__ }]\tSending message."
+          response = speedracer.send_one msg
+          status.success!
+          logger.debug "[m__id__:#{ msg.__id__ }]\tReceived response:#{ response ? response.__id__ : '[No Response]' } for message."
+          response
+        end
+      rescue StandardError => e
+        status.failure!
+        logger.error(e, "Unable to send message=#{ msg.cs__class }.")
+        nil
+      end
+
+      private
+
+      def restart?
+        status.was_connected? && status.failed?
+      end
+
+      # Now that we know we're running with bundled service option, we can tell SpeedRacer that we're
+      # ready for it to be started up.
+      #
+      # @return [Boolean] true if the service is started, false if the service is still offline after
+      # we've attempted to start it up.
+      def start_or_restart
+        if restart?
+          logger.info(nil, 'Attempting to restart service.')
+          return speedracer.start_service
+        elsif !status.was_connected?
+          logger.info(nil, 'Attempting to start service.')
+          return speedracer.start_service
+        end
+
+        true
+      end
+
+      def build_service_context
+        agent_startup_msg = APP_CONTEXT.build_agent_startup_message
+        app_startup_msg = APP_CONTEXT.build_app_startup_message
+
+        # 1 initial attempt, + 3 potential retries.
+        # The agent-service-api REQUIREMENTS.md spec mandates this #.
+        4.times do
+          next unless (agent_response = speedracer.send_one(agent_startup_msg))
+
+          # Connection was successful
+          app_response = speedracer.send_one(app_startup_msg)
+          [agent_response, app_response].each do |msg|
+            Contrast::Utils::ServiceResponseUtil.process_response msg
+          end
+          status.success!
+          logger.debug(nil, 'Successfully sent startup messages to service.')
+          return
+        end
+
+        logger.error('Could not send agent startup message context')
+      rescue StandardError => e
+        logger.error(e, 'Could not build service context')
+        raise # re-raise the error to be caught by SocketClient#send_to_speedracer
+      end
+    end
+  end
+end

data/lib/contrast/agent/thread.rb

@@ -0,0 +1,26 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'contrast/components/interface'
+
+module Contrast
+  module Agent
+    # Threads used by Contrast.
+    class Thread < ::Thread
+      include Contrast::Components::Interface
+
+      access_component :logging, :scope
+
+      # Make our internal code run in Contrast scope.
+      def initialize *args
+        wrapped_block = proc do |block_args|
+          with_contrast_scope do
+            yield(*block_args)
+          end
+        end
+
+        super(*args, &wrapped_block)
+      end
+    end
+  end
+end

data/lib/contrast/agent/tracepoint_hook.rb

@@ -0,0 +1,51 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'contrast/components/interface'
+
+module Contrast
+  module Agent
+    # This module is used to apply instrumentation to classes as they are required
+    module TracePointHook
+      include Contrast::Components::Interface
+
+      access_component :logging, :scope
+
+      class << self
+        def active?
+          instance_variable_defined?(:@require_hook) && @require_hook.enabled?
+        end
+
+        def enable!
+          @require_hook ||= TracePoint.new(:end) do |tracepoint_event|
+            process(tracepoint_event)
+          end
+
+          @require_hook.enable
+          logger.debug('Enabled :end event tracing')
+        end
+
+        def disable
+          instance_variable_defined?(:@require_hook) && @require_hook.disable
+        end
+
+        private
+
+        def process tracepoint_event
+          with_contrast_scope do
+            logger.debug("Received end event for #{ tracepoint_event.self }")
+
+            loaded_module = tracepoint_event.self
+            path = tracepoint_event.path
+            return if path&.include?('contrast')
+
+            Contrast::Utils::InventoryUtil.inventory_class(path) if path
+            Contrast::Agent::Patching::Policy::Patcher.patch_specific_module(loaded_module)
+            Contrast::Agent::Assess::Policy::RewriterPatch.rewrite_interpolation(loaded_module)
+            Contrast::Agent::Assess::Policy::PolicyScanner.scan(tracepoint_event)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/version.rb

@@ -0,0 +1,8 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    VERSION = '3.8.4'
+  end
+end

data/lib/contrast/api.rb

@@ -0,0 +1,17 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  # Builds out the Contrast::Api namespace and requires the classes in the api
+  # directory, making available those classes required to communicate with the
+  # Contrast Service, including those generated from Protobuf
+  module Api
+    ENCODING_STRING = 'I>'
+  end
+end
+
+cs__scoped_require 'contrast/api/dtm_pb'
+cs__scoped_require 'contrast/api/settings_pb'
+cs__scoped_require 'contrast/api/unix_socket'
+cs__scoped_require 'contrast/api/tcp_socket'
+cs__scoped_require 'contrast/api/speedracer'

data/lib/contrast/api/connection_status.rb

@@ -0,0 +1,49 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Api
+    # Keeps track of the state of connections to the service.
+    class ConnectionStatus
+      def initialize
+        @last_success = nil
+        @last_failure = nil
+        @startup_messages_sent = false
+      end
+
+      # Whether we have sent startup message to the service. True after successfully
+      # sending startup messages to service and reset to false if we lose connection
+      # to the service.
+      def startup_messages_sent?
+        @startup_messages_sent
+      end
+
+      # A message was successfully sent to the service at some point
+      def was_connected?
+        @last_success
+      end
+
+      # The last message sent was successful
+      def connected?
+        @last_success && (@last_failure.nil? || @last_success > @last_failure)
+      end
+
+      # The last message sent was unsuccessful
+      def failed?
+        @last_failure && (@last_success.nil? || @last_failure > @last_success)
+      end
+
+      # The current state of the service is active with a successful message sent
+      def success!
+        @startup_messages_sent = true
+        @last_success = Time.now.to_f
+      end
+
+      # The service may be in some sort of error state
+      def failure!
+        @startup_messages_sent = false
+        @last_failure = Time.now.to_f
+      end
+    end
+  end
+end

data/lib/contrast/api/socket.rb

@@ -0,0 +1,43 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Api
+    # Behavior common to all sockets used
+    # to communicate with the Contrast Service.
+    module Socket
+      SOCKET_MONITOR = Monitor.new
+
+      # Send a message across the socket and read back the response.
+      # @param marshaled [String] some marshaled form of data to be sent across
+      #   the socket. Typically an encoded form of Contrast::Api::Dtm::Message.
+      # @return [String] some marshalled form of data returned by the socket.
+      #   Typically an encoded form of Contrast::Api::Settings::AgentSettings.
+      def send_marshaled marshaled
+        SOCKET_MONITOR.synchronize do
+          socket = new_socket
+
+          # write message length
+          len = marshaled.length
+          socket.write([len].pack(Contrast::Api::ENCODING_STRING))
+
+          # write the entire message
+          socket.write(marshaled)
+          socket.close_write
+
+          # read the response length
+          len = socket.read(4).unpack1(Contrast::Api::ENCODING_STRING)
+
+          # read expected response to end
+          socket.read(len)
+        end
+      end
+
+      # Override this method to return a socket.
+      # Should be interface compatible with TCPSocket, UNIXSocket, etc.
+      def new_socket
+        raise NotImplementedError, 'This is abstract, override it.'
+      end
+    end
+  end
+end

data/lib/contrast/api/speedracer.rb

@@ -0,0 +1,206 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'contrast/utils/object_share'
+cs__scoped_require 'contrast/utils/os'
+cs__scoped_require 'contrast/components/interface'
+
+module Contrast
+  module Api
+    # This class acts as the interface for the communication between the Agent
+    # and the Service (SpeedRacer) as well as functions as a way for the Agent
+    # to manage the bundled Service.
+    class Speedracer
+      include Contrast::Components::Interface
+      access_component :logging, :contrast_service, :app_context
+
+      attr_reader :client_number,
+                  :host,
+                  :port,
+                  :socket,
+                  :connection,
+                  :messages_total
+
+      @instance_count = 0
+      @instance_mutex = Mutex.new
+
+      def self.next_client_number
+        @instance_mutex.synchronize do
+          begin
+            @instance_count += 1
+          # Rollover things
+          rescue StandardError
+            @instance_count = 1
+          end
+        end
+      end
+
+      def self.read_only_instance_count
+        @instance_count.dup
+      end
+
+      def initialize connection
+        @client_number = Contrast::Api::Speedracer.next_client_number
+        @messages_total = 0
+
+        @pid = Process.pid.to_i
+        @ppid = Process.ppid.to_i
+        @connection = connection
+      end
+
+      # Allow for the start of a Service, but block so that we only attempt to
+      # start the service one try at a time in the case multiple threads are
+      # trying to send messages.
+      def start_service
+        zombie_check
+        service_starter_thread.join(5)
+        is_service_started = Contrast::Utils::OS.running?
+        logger.error(nil, 'The bundled service could not be started. The agent will not function properly.') unless is_service_started
+        is_service_started
+      end
+
+      def send_one msg
+        case msg
+        when Contrast::Api::Dtm::ServerActivity
+          send_server_activity(msg)
+        when Contrast::Api::Dtm::AgentStartup
+          send_agent_startup(msg)
+        when Contrast::Api::Dtm::ApplicationCreate
+          send_application_create(msg)
+        when Contrast::Api::Dtm::ApplicationUpdate
+          send_application_update(msg)
+        when Contrast::Api::Dtm::Activity
+          send_application_activity(msg)
+        when Contrast::Api::Dtm::HttpRequest
+          send_prefilter(msg)
+        when Contrast::Api::Dtm::HttpResponse
+          send_postfilter(msg)
+        when Contrast::Api::Dtm::Noop
+          send_noop(msg)
+        when Contrast::Api::Dtm::ObservedRoute
+          send_observed_route(msg)
+        end
+      end
+
+      private
+
+      # check if there's a zombie service that exists, and wait on it if so.
+      # currently, this only happens when trying to initialize speedracer
+      def zombie_check
+        return if windows?
+
+        zombie_pid_list = Contrast::Utils::OS.zombie_pids
+        zombie_pid_list.each do |pid|
+          Process.wait(pid.to_i)
+        end
+      end
+
+      def windows?
+        @_windows = Contrast::Utils::OS.windows? if @_windows.nil?
+        @_windows
+      end
+
+      def determine_startup_options
+        return { out: :out, err: :err } if Contrast::Agent::FeatureState.instance.service_control[:logger_path] == 'STDOUT'
+
+        { out: File::NULL, err: File::NULL }
+      end
+
+      # This is a separate method so we can overwrite it globally in specs
+      def spawn_service
+        options = determine_startup_options
+        spawn 'contrast_service', options
+      end
+
+      def service_starter_thread
+        Contrast::Agent::Thread.new do
+          # Always check to see if it already started
+          unless Contrast::Utils::OS.running?
+            # Spawn the service process
+            spawn_service
+            # Block until service is running
+            sleep(0.1) until Contrast::Utils::OS.running?
+          end
+        end
+      end
+
+      def send_server_activity server_activity
+        msg = base_message
+        msg.server_activity = server_activity
+        send_message(msg)
+      end
+
+      def send_agent_startup agent_startup
+        msg = base_message
+        msg.agent_startup = agent_startup
+        send_message(msg)
+      end
+
+      def send_application_create app_create
+        msg = base_message
+        msg.application_create = app_create
+        send_message(msg)
+      end
+
+      def send_application_update app_update
+        msg = base_message
+        msg.application_update = app_update
+        send_message(msg)
+      end
+
+      def send_application_activity activity
+        msg = base_message
+        msg.activity = activity
+        send_message(msg)
+      end
+
+      def send_prefilter http_request
+        msg = base_message
+        msg.prefilter = http_request
+        send_message(msg)
+      end
+
+      def send_postfilter http_response
+        msg = base_message
+        msg.postfilter = http_response
+        send_message(msg)
+      end
+
+      def send_noop noop = nil
+        msg = base_message
+        msg.noop = noop || Contrast::Api::Dtm::Noop.new
+        send_message(msg)
+      end
+
+      def send_observed_route observed_route
+        msg = base_message
+        msg.observed_route = observed_route
+        send_message(msg)
+      end
+
+      def base_message
+        msg               = Contrast::Api::Dtm::Message.new
+        msg.app_name      = APP_CONTEXT.name
+        msg.app_path      = APP_CONTEXT.path
+        msg.app_language  = Contrast::Utils::ObjectShare::RUBY
+        msg.client_id     = APP_CONTEXT.client_id
+        msg.client_number = client_number
+        msg.client_total  = Contrast::Api::Speedracer.read_only_instance_count
+        msg.message_count = (@messages_total += 1)
+        msg.pid           = APP_CONTEXT.pid
+        msg.ppid          = APP_CONTEXT.ppid
+        msg
+      end
+
+      def send_message message
+        to_service = Contrast::Api::Dtm::Message.encode(message)
+        from_service = send_marshaled(to_service)
+        Contrast::Api::Settings::AgentSettings.decode(from_service)
+      end
+
+      def send_marshaled marshaled
+        connection.send_marshaled(marshaled)
+      end
+    end
+  end
+end