contrast-agent 4.11.0 → 4.14.0

data/lib/contrast/agent/reporting/reporter.rb

@@ -0,0 +1,142 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/worker_thread'
+require 'contrast/agent/reporting/report'
+require 'contrast/components/logger'
+require 'contrast/utils/object_share'
+require 'contrast/agent/version'
+require 'base64'
+
+module Contrast
+  module Agent
+    # This module will hold everything essential to reporting to TeamServer
+    class Reporter < WorkerThread
+      include Contrast::Components::Logger::InstanceMethods
+      include Contrast::Utils::ObjectShare
+
+      class << self
+        include Contrast::Components::Logger::InstanceMethods
+
+        # check if we can report to TS
+        #
+        # @return[Boolean] true if bypass is enabled, or false if bypass disabled
+        def enabled?
+          @_enabled = Contrast::CONTRAST_SERVICE.use_agent_communication? if @_enabled.nil?
+          @_enabled
+        end
+      end
+
+      def headers
+        @_headers ||= {
+            app_name: Base64.encode64(Contrast::APP_CONTEXT.app_name).chomp!,
+            api_key: Contrast::API.api_key,
+            agent_version: [RUBY, Contrast::Agent::VERSION].join(SPACE),
+            app_language: RUBY,
+            app_path: Base64.encode64(Contrast::APP_CONTEXT.path).chomp!,
+            app_version: Contrast::APP_CONTEXT.app_version,
+            authorization: Base64.encode64("#{ Contrast::API.username }:#{ Contrast::API.service_key }").chomp!,
+            server_name: Base64.encode64(Contrast::APP_CONTEXT.server_name).chomp!,
+            server_path: Base64.encode64(Contrast::APP_CONTEXT.server_path).chomp!,
+            server_type: Base64.encode64(Contrast::APP_CONTEXT.server_type).chomp!,
+            content_type: 'application/json',
+            encoding: 'base64'
+        }.cs__freeze
+      end
+
+      def client
+        @_client ||= Contrast::Utils::ReporterClient.new headers
+      end
+
+      def connection
+        @_connection ||= client.initialize_connection
+      end
+
+      def audit
+        @_audit ||= Contrast::Agent::Reporting::Audit.new
+      end
+
+      def attempt_to_start?
+        unless cs__class.enabled?
+          logger.warn('Reporter service is disabled!')
+          return false
+        end
+
+        logger.debug('Attempting to start Reporter thread') unless running?
+        true
+      end
+
+      def start_thread!
+        return if running?
+
+        @_thread = Contrast::Agent::Thread.new do
+          logger.debug('Starting background Reporter thread.')
+          event = queue.pop
+
+          begin
+            logger.debug('This is the current processed event', event)
+            client.send_event event, connection
+          rescue StandardError => e
+            logger.error('Could not send message to service from Reporter queue.', e)
+          end
+        end
+      end
+
+      def send_event event
+        if ::Contrast::AGENT.disabled?
+          logger.warn('Attempted to queue event with Agent disabled', caller: caller, event: event)
+          return
+        end
+
+        return unless cs__class.enabled?
+
+        logger.debug('Enqueued event for sending', event_type: event.cs__class)
+
+        result = queue << event if event
+        return result unless ::Contrast::API.request_audit_enable
+
+        audit&.audit_event(event)
+        result
+      end
+
+      # Use this to bypass the messaging queue and leave response processing to the caller
+      def send_event_immediately event
+        if ::Contrast::AGENT.disabled?
+          logger.warn('Reporter attempted to send event immediately with Agent disabled', caller: caller, event: event)
+          return
+        end
+        response_data = client.send_event event, connection, true
+        if response_data.status == 200
+          # handle_response
+          client.send(:handle_response, event, response_data, connection)
+        end
+
+        return unless ::Contrast::API.request_audit_enable
+
+        audit&.audit_event(event, response_data)
+        response_data
+      rescue StandardError => e
+        logger.error('Could not send message to service from Reporter queue.', e)
+      end
+
+      def delete_queue!
+        @_queue&.clear
+        @_queue&.close
+        @_queue = nil
+      end
+
+      def stop!
+        return unless running?
+
+        super
+        delete_queue!
+      end
+
+      private
+
+      def queue
+        @_queue ||= Queue.new
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/reporting_events/finding.rb

@@ -0,0 +1,90 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'json'
+require 'contrast/components/logger'
+require 'contrast/agent/reporting/reporting_events/reporting_event'
+
+module Contrast
+  module Agent
+    module Reporting
+      # This is the new Findings class which will include all the needed information
+      # for the new reporting system
+      class Finding < Contrast::Agent::Reporting::ReportingEvent
+        attr_accessor :events, :properties, :request, :hash_code
+        attr_reader :rule_id
+
+        def initialize rule_id
+          super
+          @event_type = :report_vulnerability
+          @events = []
+          @platform = Contrast::Utils::ObjectShare::RUBY
+          @rule_id = Contrast::Utils::StringUtils.truncate(rule_id)
+          @properties = {}
+        end
+
+        def attach_data trigger_node, source, object, ret, request, *args
+          @events << Contrast::Agent::Assess::Events::EventFactory.build(trigger_node, source, object, ret, args)
+          @request = request
+          from_properties source, @events
+          attach_routes request
+        end
+
+        def to_controlled_hash **_args
+          validate
+          {
+              platform: @platform,
+              ruleId: @rule_id,
+              request: request,
+              properties: properties,
+              events: events,
+              routes: routes
+          }
+        end
+
+        def validate
+          raise(ArgumentError, "#{ self } did not have a proper platform. Unable to continue.") unless @platform
+          raise(ArgumentError, "#{ self } did not have a proper rule. Unable to continue.") unless @rule_id
+          raise(ArgumentError, "#{ self } did not have proper events. Unable to continue.") if events.empty?
+          raise(ArgumentError, "#{ self } did not have proper properties. Unable to continue.") if properties.empty?
+          raise(ArgumentError, "#{ self } did not have a proper request. Unable to continue.") unless request
+
+          nil
+        end
+
+        private
+
+        def from_properties source, events
+          return unless source
+          return unless Contrast::Agent::Assess::Tracker.trackable?(source)
+
+          properties = Contrast::Agent::Assess::Tracker.properties(source)
+
+          build_events events, properties.event if properties.event
+          @properties = properties if properties
+        end
+
+        def build_events events, event
+          return unless event
+
+          event.parent_events&.each do |parent_event|
+            build_events(events, parent_event)
+          end
+
+          events << event
+        end
+
+        def attach_routes request
+          context = Contrast::Agent::REQUEST_TRACKER.current
+          if context
+            @routes << context.route if context.route
+          elsif request&.route
+            @routes << request.route
+          elsif request&.path
+            @routes << request.path
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/reporting_events/preflight.rb

@@ -0,0 +1,25 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/reporting/reporting_events/reporting_event'
+
+module Contrast
+  module Agent
+    module Reporting
+      # This class here will hold the needed preflights we will send for certain trace/traces
+      class Preflight < Contrast::Agent::Reporting::ReportingEvent
+        attr_accessor :messages
+
+        def initialize
+          super
+          @event_type = :preflight
+          @messages = []
+        end
+
+        def to_controlled_hash **_args
+          { messages: @messages }
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/reporting_events/preflight_message.rb

@@ -0,0 +1,56 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/components/logger'
+require 'contrast/agent/reporting/reporting_events/reporting_event'
+
+module Contrast
+  module Agent
+    module Reporting
+      # This is the new PreflightMessage class which will include all the needed information
+      # for the new reporting system to report a single message, part of the main Preflight
+      class PreflightMessage < Contrast::Agent::Reporting::ReportingEvent
+        attr_accessor :data, :routes, :hash_code
+
+        def initialize
+          super
+          @event_type = :preflight_message
+          @app_language = Contrast::Utils::ObjectShare::RUBY
+          @app_name = ::Contrast::APP_CONTEXT.app_name
+          @app_version = ::Contrast::APP_CONTEXT.app_version
+        end
+
+        def to_controlled_hash **_args
+          validate
+          super.merge!({
+                           app_language: @app_language,
+                           app_name: @app_name,
+                           app_version: @app_version,
+                           data: '',
+                           key: 0,
+                           routes: @routes,
+                           session_id: @agent_session_id_value
+                       })
+        end
+
+        def validate
+          raise(ArgumentError, "#{ cs__class } did not have a proper data. Unable to continue.") unless data
+          unless @app_name
+            raise(ArgumentError, "#{ cs__class } did not have a proper application name. Unable to continue.")
+          end
+          unless @app_language
+            raise(ArgumentError, "#{ cs__class } did not have a proper application language. Unable to continue.")
+          end
+          unless @app_version
+            raise(ArgumentError, "#{ cs__class } did not have a proper application version. Unable to continue.")
+          end
+          unless @agent_session_id_value
+            raise(ArgumentError, "#{ cs__class } did not have a proper session id. Unable to continue.")
+          end
+
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/reporting_events/reporting_event.rb

@@ -0,0 +1,37 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/components/logger'
+require 'contrast/utils/assess/trigger_method_utils'
+
+module Contrast
+  module Agent
+    module Reporting
+      # This is the new ReportingEvent class which will include all the needed and mutual information
+      # for the new reporting system
+      # @abstract
+      class ReportingEvent
+        attr_reader :routes
+        attr_accessor :event_type
+
+        CODE = :TRACE
+
+        def initialize(*) # rubocop:disable Style/MethodDefParentheses
+          @event_type = Contrast::Utils::ObjectShare::EMPTY_STRING
+          @agent_session_id_value = 0
+          @routes = []
+        end
+
+        def to_controlled_hash **_args
+          { code: CODE, routes: routes }
+        end
+
+        def validate
+          raise(ArgumentError, "#{ self } did not have a proper routes. Unable to continue.") if routes.empty?
+
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/reporting_utilities/audit.rb

@@ -0,0 +1,127 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/components/logger'
+require 'fileutils'
+require 'json'
+
+module Contrast
+  module Agent
+    module Reporting
+      # This class will facilitate the Audit functionality and it will be
+      # controlled from the configuration classes
+      class Audit
+        include Contrast::Components::Logger::InstanceMethods
+
+        attr_reader :path_for_requests, :path_for_responses
+
+        def initialize
+          generate_paths if enabled? && Contrast::CONTRAST_SERVICE.use_agent_communication?
+        end
+
+        # This method will be handling the auditing of the requests and responses we send to SpeedRacer. If the audit
+        # feature is enabled, we'll log to file the request and/or response protobuf objects.
+        #
+        # @param event [Contrast::Api::Dtm] One of the DTMs valid for the event field of
+        #   Contrast::Api::Dtm::Message|Contrast::Api::Dtm::Activity
+        # @param response_data [Contrast::Api::Settings::AgentSettings,nil]
+        def audit_event event, response_data = nil
+          return unless ::Contrast::API.request_audit_requests || ::Contrast::API.request_audit_responses
+
+          type = event.cs__respond_to?(:file_name) ? event.file_name : event.cs__class.cs__name.to_s.downcase
+          if ::Contrast::API.request_audit_requests
+            data = event.to_s
+            log_data :request, type, data if data
+          end
+          return unless ::Contrast::API.request_audit_responses
+
+          data = response_data.to_s || event.http_response.try(:body) || 'There is no available response'
+          log_data :response, type, data
+        end
+
+        private
+
+        # This method will proceed with passing the data with to the writing method
+        # @param type [Symbol] This is the type of the file /:request, :response/
+        # @param data_type[String] DTM type String representation
+        # @param data[String] String representation if the logged data
+        def log_data type, data_type, data = nil
+          return unless enabled?
+          return unless Contrast::CONTRAST_SERVICE.use_agent_communication?
+
+          write_to_file type, data_type, data
+        end
+
+        # This method will be actually writing to the file
+        # @param type [Symbol] This is the type of the file /:request, :response/
+        # @param data_type [String] Data type /Activity/Finding../
+        # @param data [any] The data to be written to the file
+        def write_to_file type, data_type, data = nil
+          time = Time.now.to_i
+          destination = type == :request ? path_for_requests : path_for_responses
+          # If the feature is disabled or we have yet to create the directory structure, then we could have a nil
+          # destination. In that case, take no action
+          return unless destination
+
+          filename = "#{ time }-#{ data_type.gsub('::', '_') }-teamserver.json"
+          filepath = File.join(destination, filename)
+          # Here is use append mode, because of a slightly possibility of overwriting an existing file
+          File.open(filepath, 'a') do |f|
+            f.write({ data_type: Contrast::Utils::StringUtils.force_utf8(data) }.to_json)
+          end
+        end
+
+        # Here we will generate the directories for the requests and responses
+        def generate_paths
+          message_directories = File.expand_path(path_to_audits)
+          FileUtils.mkdir_p(message_directories) unless Dir.exist?(message_directories)
+
+          requests_destination = File.expand_path(File.join(message_directories, '/requests'))
+          responses_destination = File.expand_path(File.join(message_directories, '/responses'))
+
+          Dir.mkdir(requests_destination) if enabled_for_requests? && !Dir.exist?(requests_destination)
+          Dir.mkdir(responses_destination) if enabled_for_responses? && !Dir.exist?(responses_destination)
+
+          @path_for_requests ||= requests_destination if enabled_for_requests?
+          @path_for_responses ||= responses_destination if enabled_for_responses?
+        rescue StandardError => e
+          logger.warn('Generating the paths failed with: ', e: e)
+        end
+
+        # Retrieves the configuration value if the request audit is enabled
+        # @return [Boolean]
+        def enabled?
+          ::Contrast::API.request_audit_enable
+        end
+
+        # The boolean values for the requests and the responses should be taken under
+        # consideration only if it's in combination with enabled
+        # So in order for us to actually audit the requests, we need:
+        # - enabled? -> ture and enabled_for_requests? -> true
+        # The same is for the responses
+        #
+        #
+        # Retrieve the configuration value if the audit for requests is enabled
+        # @return [Boolean]
+        def enabled_for_requests?
+          ::Contrast::API.request_audit_requests
+        end
+
+        # Retrieve the configuration value if the audit for responses is enabled
+        # @return [Boolean]
+        def enabled_for_responses?
+          ::Contrast::API.request_audit_requests
+        end
+
+        # Retrieve the configuration value for the path of the audits
+        # The value will be read from the configuration yml
+        # but if it isn't defined any - here will be returned the default path from
+        # Contrast::Config::RequestAuditConfiguration::DEFAULT_PATH
+        # @return [String]
+        def path_to_audits
+          ::Contrast::API.request_audit_path
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb

@@ -0,0 +1,168 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'json'
+require 'net/http'
+require 'contrast/components/logger'
+require 'contrast/utils/net_http_base'
+require 'contrast/agent/reporting/reporting_events/finding'
+require 'contrast/agent/reporting/reporting_events/preflight_message'
+require 'contrast/agent/reporting/reporting_events/reporting_event'
+
+module Contrast
+  module Utils
+    # This module creates a Net::HTTP client and initiates a connection to the provided result
+    class ReporterClient < NetHttpBase
+      include ObjectShare
+      SERVICE_NAME = 'Reporter'
+      ENDPOINTS = {
+          application_activity: '/api/ng/activity/application',
+          application_create: '/api/ng/applications/create',
+          agent_startup: '/api/ng/servers/',
+          preflight: '/api/ng/preflight/',
+          report_vulnerability: '/api/ng/traces',
+          server_activity: '/api/ng/servers/',
+          server_update: '/api/ng/update/application'
+      }.cs__freeze
+      # EVENT_TYPES = {
+      #     agent_startup: Contrast::Api::Dtm::AgentStartup,
+      #     report_vulnerability: Contrast::Agent::Reporting::Finding,
+      #     preflight: Contrast::Agent::Reporting::Preflight
+      # }.cs__freeze
+      include Contrast::Components::Logger::InstanceMethods
+      # This method initializes the Net::HTTP client we'll need. it will validate
+      # the connection and make the first request. If connection is valid and response
+      # is available then the open connection is returned.
+      #
+      # @return [Net::HTTP, nil] Return open connection or nil
+      def initialize_connection
+        # for this client we would use proxy and custom certificate file if available
+        super(SERVICE_NAME, Contrast::API.api_url, true, true)
+      end
+
+      # @param headers [Hash] all the headers needed for communication with TS
+      def initialize headers
+        @headers = headers
+        super()
+      end
+
+      # Send Agent Startup event
+      #
+      # @param event [Contrast::Api::Dtm] One of the DTMs valid for the event field of
+      #   Contrast::Api::Dtm::Message|Contrast::Api::Dtm::Activity
+      # @param connection [Net::HTTP] open connection
+      # @return response [Net::HTTP::Response] response from TS
+      def send_agent_startup event, connection
+        logger.debug('Preparing to send startup messages')
+        request = build_request ENDPOINTS[:agent_startup], event
+        response = connection.request(request)
+        logger.debug('Successfully sent startup messages to service.') if response
+        response
+      end
+
+      # Check event type and send it to appropriate TS endpoint
+      #
+      # @param event [Contrast::Api::Dtm,Contrast::Agent::Reporting::ReportingEvent] One of the DTMs valid for the event
+      # field of Contrast::Api::Dtm::Message|Contrast::Api::Dtm::Activity
+      # @param connection [Net::HTTP] open connection
+      # @param send_immediately [Boolean] flag for the logger
+      # @return response [Net::HTTP::Response, nil] response from TS if no response
+      def send_event event, connection, send_immediately = false
+        event_type = symbolized_event_type event.event_type
+        @response = send_events event, event_type, connection
+        log_send_event event if send_immediately
+        @response
+      end
+
+      private
+
+      # This method will build headers of the request required for TS communication
+      #
+      # @param request [Net::HTTP::Post]
+      def build_headers request
+        @app_version = @headers[:app_version]
+        request['API-Key'] = @headers[:api_key]
+        request['Application-Language'] = @headers[:app_language]
+        request['Application-Name'] = @headers[:app_name]
+        request['Application-Path'] = @headers[:app_path]
+        request['Application-Version'] = @app_version if @app_version
+        request['Authorization'] = @headers[:authorization]
+        request['Content-Type'] = @headers[:content_type]
+        request['Server-Name'] = @headers[:server_name]
+        request['Server-Path'] = @headers[:server_path]
+        request['Server-Type'] = @headers[:server_type]
+        request['X-Contrast-Agent'] = @headers[:agent_version]
+        request['X-Contrast-Header-Encoding'] = @headers[:encoding]
+        request
+      end
+
+      # build the request headers and assign endpoint
+      #
+      # @param endpoint [String] endpoint to report to
+      # @param event [Contrast::Api::Dtm,Contrast::Agent::Reporting::ReportingEvent]
+      # One of the DTMs valid for the event field of Contrast::Api::Dtm::Message|Contrast::Api::Dtm::Activity
+      # @return [Net::HTTP::Post]
+      def build_request endpoint, event
+        @request = build_headers Net::HTTP::Post.new(endpoint)
+        @request.body = if event.cs__is_a?(Contrast::Agent::Reporting::ReportingEvent)
+                          event.to_controlled_hash.to_json
+                        else
+                          event.to_json
+                        end
+        @request
+      end
+
+      # log the event sent immediately
+      #
+      # @param event [Contrast::Api::Dtm,Contrast::Agent::Reporting::ReportingEvent] One of the DTMs valid for the
+      # event field of Contrast::Api::Dtm::Message|Contrast::Api::Dtm::Activity
+      def log_send_event event
+        logger.debug('Immediately sending event.', event_id: event.__id__, event_type: event.cs__class.cs__name)
+      end
+
+      # Sent different events to different endpoints
+      #
+      # @param event [Contrast::Api::Dtm,Contrast::Agent::Reporting::ReportingEvent] Main reporting event, all events
+      # inherit it
+      # @param event_type [Symbol] We'll use this symbol to match the urls
+      # @param connection [Net::HTTP] open connection
+      def send_events event, event_type, connection
+        logger.debug("Preparing to send #{ event_type.to_s.capitalize } messages")
+        request = build_request ENDPOINTS[event_type], event
+        response = connection.request(request)
+        logger.debug("Successfully sent #{ event_type.to_s.capitalize } messages to service.") if response
+        response
+      end
+
+      # Eventually here we'll handle more response types and etc
+
+      # @param event [Contrast::Agent::Reporting::Preflight] the preflight we handle here
+      # @param response [Net::HTTP::Response,nil] The response we handle and read from
+      # @param connection [Net::HTTP] open connection
+      def handle_response event, response, connection
+        return unless event || response || connection
+
+        preflight_message = event.messages[0]
+        event_type = symbolized_event_type preflight_message.event_type
+        return unless event_type == :preflight_message
+
+        # for handling multiple findings
+        # we'll only extract the indexes without *
+        # findings_to_return = response.body.split(',').delete_if { |el| el.include?('*') }
+        # after that we'll do some magic and return them the same way we do for corresponding_finding
+        corresponding_finding = Contrast::Agent::Reporting::ReportingStorage.delete(preflight_message.hash_code)
+        return unless corresponding_finding
+
+        send_event corresponding_finding, connection, true
+        nil
+      end
+
+      def symbolized_event_type event_type
+        return unless event_type
+        return event_type unless event_type.cs__is_a?(String)
+
+        event_type.downcase.to_sym
+      end
+    end
+  end
+end