contrast-agent 4.11.0 → 4.14.0

data/lib/contrast/components/config.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/utils/env_configuration_item'
+require 'ougai'
 require 'contrast/configuration'
 
 module Contrast
@@ -23,17 +24,33 @@ module Contrast
     # time than to silently fail to deliver functionality.
     module Config
       CONTRAST_ENV_MARKER = 'CONTRAST__'
+      CONTRAST_LOG = 'contrast_agent.log'
+      CONTRAST_NAME = 'Contrast Agent'
 
       class Interface # :nodoc:
         def initialize
           build
         end
 
-        def build log: true
+        # Basic logger for handling configuration validation logging
+        # the file to log is determined by the default one or set
+        # by the config file, if that configuration is found
+        def proto_logger
+          @_proto_logger ||= begin
+            @_proto_logger = ::Ougai::Logger.new(logger_path || CONTRAST_LOG)
+            @_proto_logger.progname = CONTRAST_NAME
+            @_proto_logger.level = ::Ougai::Logging::Severity::WARN
+            @_proto_logger.formatter = Contrast::Logger::Format.new
+            @_proto_logger.formatter.datetime_format = '%Y-%m-%dT%H:%M:%S.%L%z'
+            @_proto_logger
+          end
+        end
+
+        def build
           @_valid = nil
           @config = Contrast::Configuration.new
           env_overrides
-          validate(log: log)
+          validate
         end
         alias_method :rebuild, :build
 
@@ -43,7 +60,7 @@ module Contrast
         end
 
         def valid?
-          @_valid = validate(log: false) if @_valid.nil?
+          @_valid = validate if @_valid.nil?
           @_valid
         end
 
@@ -59,20 +76,28 @@ module Contrast
 
         SESSION_VARIABLES = 'Invalid configuration. '\
                             "Setting both application.session_id and application.session_metadata is not allowed.\n"
-        def validate log: false
+        API_URL = "Invalid configuration. Missing a required connection value 'url' is not set."
+        API_KEY = "Invalid configuration. Missing a required connection value 'api_key' is not set."
+        API_SERVICE_KEY = "Invalid configuration. Missing a required connection value 'service_tag' is not set."
+        API_USERNAME = "Invalid configuration. Missing a required connection value 'user_name' is not set."
+        def validate
           # The config has information about how to construct the logger.
           # If the config is invalid, and you want to know about it, then
           # you have a circular dependency if you try to log it,
-          # hence `log: false`.
+          # so we use basic proto_logger to do this job.
           if !session_id.empty? && !session_metadata.empty?
-            if log
-              cs__class.log_error(SESSION_VARIABLES)
-            else
-              puts SESSION_VARIABLES
-            end
+            proto_logger.error(SESSION_VARIABLES)
             return false
           end
-
+          if bypass
+            msg = []
+            msg << API_URL unless api_url
+            msg << API_KEY unless api_key
+            msg << API_SERVICE_KEY unless api_service_key
+            msg << API_USERNAME unless api_username
+            msg.any? { |m| proto_logger.error(m) }
+            return false unless msg.empty?
+          end
           true
         end
 
@@ -95,7 +120,7 @@ module Contrast
         # @return [String,nil] the value of the session id set in the
         #   configuration, or nil if unset
         def session_id
-          @config.application.session_id
+          root.application.session_id
         end
 
         # Typically, this would be accessed through
@@ -106,7 +131,61 @@ module Contrast
         # @return [String,nil] the value of the session metadata set in the
         #   configuration, or nil if unset
         def session_metadata
-          @config.application.session_metadata
+          root.application.session_metadata
+        end
+
+        # Typically, the following values would be accessed through Contrast::Components::AppContext
+        # and Contrast::Components::API, but we're too early in the initialization of the Agent to use
+        # that mechanism, so we look it up directly for ourselves.
+        #
+        # @return [String, nil]
+        def api_url
+          root.api.url
+        end
+
+        # Typically, the following values would be accessed through Contrast::Components::AppContext
+        # and Contrast::Components::API, but we're too early in the initialization of the Agent to use
+        # that mechanism, so we look it up directly for ourselves.
+        #
+        # @return [String, nil]
+        def api_key
+          root.api.api_key
+        end
+
+        # Typically, the following values would be accessed through Contrast::Components::AppContext
+        # and Contrast::Components::API, but we're too early in the initialization of the Agent to use
+        # that mechanism, so we look it up directly for ourselves.
+        #
+        # @return [String, nil]
+        def api_service_key
+          root.api.service_key
+        end
+
+        # Typically, the following values would be accessed through Contrast::Components::AppContext
+        # and Contrast::Components::API, but we're too early in the initialization of the Agent to use
+        # that mechanism, so we look it up directly for ourselves.
+        #
+        # @return [String, nil]
+        def api_username
+          root.api.user_name
+        end
+
+        # Typically, the following values would be accessed through Contrast::Components::AppContext
+        # and Contrast::Components::API, but we're too early in the initialization of the Agent to use
+        # that mechanism, so we look it up directly for ourselves.
+        #
+        # @return [String, nil]
+        def bypass
+          root.agent.service.bypass
+        end
+
+        # Typically, the following values would be accessed through Contrast::Components::AppContext
+        # and Contrast::Components::Logger, but we're too early in the initialization of the Agent to use
+        # that mechanism, so we look it up directly for ourselves.
+        #
+        # @return [String, nil]
+        def logger_path
+          root.agent.logger.path
         end
       end
     end

data/lib/contrast/components/contrast_service.rb

@@ -15,6 +15,7 @@ module Contrast
         include Contrast::Components::ComponentBase
 
         DEFAULT_SERVICE_LOG = 'contrast_service.log'
+        DEFAULT_SERVICE_LEVEL = :TRACE
         # The Rails ActionDispatch regexp for localhost IP + literal localhost
         # https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/http/request.rb#L32
         LOCALHOST = Regexp.union [/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/, /^::1$/, /^0:0:0:0:0:0:0:1(%.*)?$/, /^localhost$/]
@@ -31,6 +32,12 @@ module Contrast
               (LOCALHOST.match?(host) || !!socket_path)
         end
 
+        def use_agent_communication?
+          return @_use_agent_communication unless @_use_agent_communication.nil?
+
+          @_use_agent_communication = true?(::Contrast::CONFIG.root.agent.service.bypass)
+        end
+
         def host
           @_host ||=
             (::Contrast::CONFIG.root.agent.service.host || Contrast::Config::ServiceConfiguration::DEFAULT_HOST).to_s
@@ -53,6 +60,10 @@ module Contrast
           @_logger_path ||= ::Contrast::CONFIG.root.agent.service.logger.path || DEFAULT_SERVICE_LOG
         end
 
+        def logger_level
+          @_logger_level ||= ::Contrast::CONFIG.root.agent.service.logger.level || DEFAULT_SERVICE_LEVEL
+        end
+
         private
 
         def disabled?

data/lib/contrast/components/sampling.rb

@@ -14,7 +14,7 @@ module Contrast
         DEFAULT_SAMPLING_WINDOW_MS          = 180_000
       end
 
-      module ClassMethods #:nodoc:
+      module ClassMethods # :nodoc:
         include Contrast::Components::ComponentBase
         include Constants
 
@@ -90,7 +90,7 @@ module Contrast
         end
       end
 
-      module InstanceMethods #:nodoc:
+      module InstanceMethods # :nodoc:
         include Contrast::Components::ComponentBase
         include Constants
         include ClassMethods

data/lib/contrast/config/agent_configuration.rb

@@ -8,7 +8,7 @@ module Contrast
     class AgentConfiguration < BaseConfiguration
       KEYS = {
           enable: EMPTY_VALUE,
-          start_bundled_service: Contrast::Config::DefaultValue.new(true),
+          start_bundled_service: true,
           omit_body: EMPTY_VALUE,
           service: Contrast::Config::ServiceConfiguration,
           logger: Contrast::Config::LoggerConfiguration,

data/lib/contrast/config/api_configuration.rb

@@ -0,0 +1,27 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/config/api_proxy_configuration'
+require 'contrast/config/certification_configuration'
+require 'contrast/config/request_audit_configuration'
+
+module Contrast
+  module Config
+    # Api keys configuration
+    class ApiConfiguration < BaseConfiguration
+      URL = 'https://app.contrastsecurity.com/contrast'
+      KEYS = {
+          api_key: EMPTY_VALUE,
+          url: URL,
+          user_name: EMPTY_VALUE,
+          service_key: EMPTY_VALUE,
+          proxy: Contrast::Config::ApiProxyConfiguration,
+          request_audit: Contrast::Config::RequestAuditConfiguration,
+          certificate: Contrast::Config::CertificationConfiguration
+      }.cs__freeze
+      def initialize hsh
+        super(hsh, KEYS)
+      end
+    end
+  end
+end

data/lib/contrast/config/api_proxy_configuration.rb

@@ -0,0 +1,14 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Config
+    # Api Proxy keys configuration
+    class ApiProxyConfiguration < BaseConfiguration
+      KEYS = { enable: false, url: EMPTY_VALUE }.cs__freeze
+      def initialize hsh
+        super(hsh, KEYS)
+      end
+    end
+  end
+end

data/lib/contrast/config/application_configuration.rb

@@ -1,7 +1,6 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/config/default_value'
 require 'contrast/utils/object_share'
 
 module Contrast
@@ -18,8 +17,8 @@ module Contrast
           tags: EMPTY_VALUE,
           code: EMPTY_VALUE,
           metadata: EMPTY_VALUE,
-          session_id: Contrast::Config::DefaultValue.new(Contrast::Utils::ObjectShare::EMPTY_STRING),
-          session_metadata: Contrast::Config::DefaultValue.new(Contrast::Utils::ObjectShare::EMPTY_STRING)
+          session_id: Contrast::Utils::ObjectShare::EMPTY_STRING,
+          session_metadata: Contrast::Utils::ObjectShare::EMPTY_STRING
       }.cs__freeze
 
       def initialize hsh

data/lib/contrast/config/assess_configuration.rb

@@ -9,10 +9,11 @@ module Contrast
       KEYS = {
           tags: EMPTY_VALUE,
           enable: EMPTY_VALUE,
-          enable_scan_response: Contrast::Config::DefaultValue.new('true'),
+          enable_scan_response: true,
+          enable_dynamic_sources: true,
           sampling: Contrast::Config::SamplingConfiguration,
           rules: Contrast::Config::AssessRulesConfiguration,
-          stacktraces: Contrast::Config::DefaultValue.new('ALL')
+          stacktraces: 'ALL'
       }.cs__freeze
 
       def initialize hsh

data/lib/contrast/config/base_configuration.rb

@@ -12,17 +12,18 @@ module Contrast
     class BaseConfiguration
       extend Forwardable
 
-      STRING_BOOLEANS = %w[false true].cs__freeze
+      attr_reader :configuration_map
 
-      attr_reader :map
-
-      alias_method :to_hash, :map
-      def_delegators :@map, :empty?, :key?, :delete, :fetch, :[], :[]=, :each, :each_pair, :each_key, :each_value
+      alias_method :to_hash, :configuration_map
+      def_delegators :@configuration_map, :empty?, :key?, :delete, :fetch,
+                     :[], :[]=, :each, :each_pair, :each_key, :each_value
 
       EMPTY_VALUE = :EMPTY_VALUE
 
       def initialize hsh = {}, keys = {}
-        @map = {}
+        # holds configuration key value pairs
+        # each configuration class can contain nested BaseConfigurations
+        @configuration_map = {}
         traverse_config(hsh, keys)
       end
 
@@ -39,7 +40,7 @@ module Contrast
       end
 
       def nil?
-        @map.empty?
+        @configuration_map.empty?
       end
 
       private
@@ -69,25 +70,13 @@ module Contrast
       end
 
       def assign_config_value str_key, spec_value, user_provided_value
-        @map[str_key] = if spec_value.is_a?(Class) && spec_value <= Contrast::Config::BaseConfiguration
-                          spec_value.new(user_provided_value)
-                        elsif spec_value.is_a?(Contrast::Config::DefaultValue) && user_provided_value == EMPTY_VALUE
-                          spec_value.value
-                        elsif user_provided_value.cs__is_a?(String)
-                          value = user_provided_value.downcase
-                          # converts string values to 'true' => true or 'false' => false
-                          case value
-                          when STRING_BOOLEANS[1]
-                            true
-                          when STRING_BOOLEANS[0]
-                            false
-                          else
-                            # returns non boolean string values
-                            user_provided_value
-                          end
-                        else
-                          user_provided_value
-                        end
+        @configuration_map[str_key] = if spec_value.is_a?(Class) && spec_value <= Contrast::Config::BaseConfiguration
+                                        spec_value.new(user_provided_value)
+                                      elsif user_provided_value == EMPTY_VALUE
+                                        spec_value
+                                      else
+                                        user_provided_value
+                                      end
       end
 
       def value_from_key_config key, config_hash
@@ -99,13 +88,13 @@ module Contrast
 
       def define_getter str_key
         define_singleton_method str_key.to_sym do
-          @map[str_key] == EMPTY_VALUE ? nil : @map[str_key]
+          @configuration_map[str_key] == EMPTY_VALUE ? nil : @configuration_map[str_key]
         end
       end
 
       def define_setter str_key
         define_singleton_method "#{ str_key }=".to_sym do |new_value|
-          @map[str_key] = new_value
+          @configuration_map[str_key] = new_value
         end
       end
     end

data/lib/contrast/config/certification_configuration.rb

@@ -0,0 +1,15 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Config
+    # Certificate Configuration
+    class CertificationConfiguration < BaseConfiguration
+      KEYS = { enable: false, ca_file: EMPTY_VALUE, cert_file: EMPTY_VALUE, key_file: EMPTY_VALUE }.cs__freeze
+
+      def initialize hsh
+        super(hsh, KEYS)
+      end
+    end
+  end
+end

data/lib/contrast/config/env_variables.rb

@@ -0,0 +1,18 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Config
+    # This module is holding all the Env Variables that we could use through the agent lifecycle
+    module EnvVariables
+      ENV_VARIABLES = { telemetry_opt_outs: ENV['CONTRAST_AGENT_TELEMETRY_OPTOUT'].to_s || false }.cs__freeze
+
+      def return_value key
+        return unless ENV_VARIABLES.key?(key.to_sym)
+
+        sym_key = key.downcase.to_sym
+        ENV_VARIABLES[sym_key]
+      end
+    end
+  end
+end

data/lib/contrast/config/heap_dump_configuration.rb

@@ -8,17 +8,17 @@ module Contrast
     class HeapDumpConfiguration < BaseConfiguration
       KEYS = {
           enable:                                                                   # should dumps be taken
-            Contrast::Config::DefaultValue.new(Contrast::Utils::ObjectShare::FALSE),
+            Contrast::Utils::ObjectShare::FALSE,
           path:                                                                     # dir to which dumps should be
-            Contrast::Config::DefaultValue.new('contrast_heap_dumps'), #   saved
+            'contrast_heap_dumps', # saved
           delay_ms:                                                                 # time, in ms, after initialization
-            Contrast::Config::DefaultValue.new(10_000), #   to delay before taking dump
+            10_000, # to delay before taking dump
           window_ms:                                                                # ms between each dump
-            Contrast::Config::DefaultValue.new(10_000), #
+            10_000, #
           count:                                                                    # number of dumps to take
-            Contrast::Config::DefaultValue.new(5), #
+            5, #
           clean:                                                                    # remove temporary objects or not
-            Contrast::Config::DefaultValue.new(Contrast::Utils::ObjectShare::FALSE)  #
+            Contrast::Utils::ObjectShare::FALSE #
       }.cs__freeze
 
       def initialize hsh

data/lib/contrast/config/inventory_configuration.rb

@@ -6,11 +6,7 @@ module Contrast
     # Common Configuration settings. Those in this section pertain to the
     # inventory functionality of the Agent.
     class InventoryConfiguration < BaseConfiguration
-      KEYS = {
-          enable: Contrast::Config::DefaultValue.new(true),
-          analyze_libraries: Contrast::Config::DefaultValue.new(true),
-          tags: EMPTY_VALUE
-      }.cs__freeze
+      KEYS = { enable: true, analyze_libraries: true, tags: EMPTY_VALUE }.cs__freeze
 
       def initialize hsh
         super(hsh, KEYS)

data/lib/contrast/config/protect_rule_configuration.rb

@@ -12,7 +12,7 @@ module Contrast
           enable: EMPTY_VALUE,
           mode: EMPTY_VALUE,
           disable_system_commands: EMPTY_VALUE,
-          detect_custom_code_accessing_system_files: Contrast::Config::DefaultValue.new('true')
+          detect_custom_code_accessing_system_files: true
       }.cs__freeze
 
       def initialize hsh

data/lib/contrast/config/request_audit_configuration.rb

@@ -0,0 +1,18 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Config
+    # This class holds the Common Settings for the
+    # hidden functionality of the TS
+    class RequestAuditConfiguration < BaseConfiguration
+      DEFAULT_PATH = './messages'
+
+      KEYS = { enable: false, requests: false, responses: false, path: DEFAULT_PATH }.cs__freeze
+
+      def initialize hsh
+        super(hsh, KEYS)
+      end
+    end
+  end
+end

data/lib/contrast/config/root_configuration.rb

@@ -6,6 +6,7 @@ module Contrast
     # The base of the Common Configuration settings.
     class RootConfiguration < BaseConfiguration
       KEYS = {
+          api: Contrast::Config::ApiConfiguration,
           enable: BaseConfiguration::EMPTY_VALUE,
           agent: Contrast::Config::AgentConfiguration,
           application: Contrast::Config::ApplicationConfiguration,

data/lib/contrast/config/ruby_configuration.rb

@@ -23,17 +23,17 @@ module Contrast
       DEFAULT_UNINSTRUMENTED_NAMESPACES = %w[FactoryGirl FactoryBot].cs__freeze
 
       KEYS = {
-          disabled_agent_rake_tasks: Contrast::Config::DefaultValue.new(DISABLED_RAKE_TASK_LIST),
+          disabled_agent_rake_tasks: DISABLED_RAKE_TASK_LIST,
           exceptions: Contrast::Config::ExceptionConfiguration,
           # controls whether or not we patch interpolation, either by rewrite or by funchook
-          interpolate: Contrast::Config::DefaultValue.new(Contrast::Utils::ObjectShare::TRUE),
+          interpolate: Contrast::Utils::ObjectShare::TRUE,
           # controls whether or not we patch the rb_yield block to track split propagation
-          propagate_yield: Contrast::Config::DefaultValue.new(Contrast::Utils::ObjectShare::TRUE),
+          propagate_yield: Contrast::Utils::ObjectShare::TRUE,
           # control whether or not we run file scanning rules on require
-          require_scan: Contrast::Config::DefaultValue.new(Contrast::Utils::ObjectShare::TRUE),
+          require_scan: Contrast::Utils::ObjectShare::TRUE,
           # controls whether or not we track frozen Strings by replacing them
-          track_frozen_sources: Contrast::Config::DefaultValue.new(Contrast::Utils::ObjectShare::TRUE),
-          uninstrument_namespace: Contrast::Config::DefaultValue.new(DEFAULT_UNINSTRUMENTED_NAMESPACES)
+          track_frozen_sources: Contrast::Utils::ObjectShare::TRUE,
+          uninstrument_namespace: DEFAULT_UNINSTRUMENTED_NAMESPACES
       }.cs__freeze
 
       def initialize hsh

data/lib/contrast/config/service_configuration.rb

@@ -1,7 +1,6 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/config/default_value'
 require 'contrast/config/logger_configuration'
 
 module Contrast
@@ -19,7 +18,8 @@ module Contrast
           host: EMPTY_VALUE,
           port: EMPTY_VALUE,
           socket: EMPTY_VALUE,
-          logger: Contrast::Config::LoggerConfiguration
+          logger: Contrast::Config::LoggerConfiguration,
+          bypass: false
       }.cs__freeze
 
       def initialize hsh

data/lib/contrast/config.rb

@@ -11,7 +11,6 @@ module Contrast
 end
 
 require 'contrast/config/base_configuration'
-require 'contrast/config/default_value'
 
 require 'contrast/config/logger_configuration'
 
@@ -24,6 +23,7 @@ require 'contrast/config/protect_rules_configuration'
 require 'contrast/config/sampling_configuration'
 
 require 'contrast/config/ruby_configuration'
+require 'contrast/config/api_configuration'
 require 'contrast/config/agent_configuration'
 require 'contrast/config/application_configuration'
 require 'contrast/config/server_configuration'

data/lib/contrast/configuration.rb

@@ -7,6 +7,7 @@ require 'fileutils'
 require 'contrast/config'
 require 'contrast/utils/object_share'
 require 'contrast/components/scope'
+require 'contrast/utils/exclude_key'
 
 module Contrast
   # This is how we read in the local settings for the Agent, both ENV/ CMD line
@@ -86,7 +87,7 @@ module Contrast
     def yaml_to_hash path
       if path && File.readable?(path)
         begin
-          yaml = IO.read(path)
+          yaml = File.read(path)
           yaml = ERB.new(yaml).result if defined?(ERB)
           return YAML.safe_load(yaml)
         rescue Psych::Exception => e
@@ -204,7 +205,6 @@ module Contrast
     # in the thing to convert and setting them in the given hash. For now, this
     # logs every possible key, whether set or not. If we want to change that
     # behavior, we can skip adding keys to the hash if the value is nil, blank,
-    # or Contrast::Config::DefaultValue depending on desired behavior
     #
     # @param hash [Hash] the hash to populate
     # @param convert [Contrast::Config::BaseConfiguration, Object] the level of
@@ -218,6 +218,8 @@ module Contrast
       case convert
       when Contrast::Config::BaseConfiguration
         convert.cs__class::KEYS.each_key do |key|
+          next if Contrast::Utils::ExcludeKey.excludable? key.to_s
+
           hash[key] = convert_to_hash(convert.send(key), {})
         end
         hash

data/lib/contrast/extension/assess/array.rb

@@ -42,13 +42,11 @@ module Contrast
               shift = 0
               separator_length = separator.nil? ? 0 : separator.to_s.length
               parent_events = []
-              ary.each do |obj|
-                if obj # skip nil here
-                  properties.copy_from(obj, ret, shift)
-                  shift += obj.to_s.length
-                  parent_event = Contrast::Agent::Assess::Tracker.properties(obj)&.event
-                  parent_events << parent_event if parent_event
-                end
+              ary.compact.each do |obj|
+                properties.copy_from(obj, ret, shift)
+                shift += obj.to_s.length
+                parent_event = Contrast::Agent::Assess::Tracker.properties(obj)&.event
+                parent_events << parent_event if parent_event
                 shift += separator_length
               end
               return ret unless Contrast::Agent::Assess::Tracker.tracked?(ret)