contrast-agent 4.12.0 → 4.14.1

data/lib/contrast/api/communication/tcp_socket.rb

@@ -6,15 +6,15 @@ require 'contrast/api/communication/socket'
 module Contrast
   module Api
     module Communication
-      # This class allows us to create a TCP Socket to communicate to the Service
-      # (Speed Racer). Either it or the Unix Socket will be used, as determined
-      # by the configuration options set for Service communication.
+      # This class allows us to create a TCP Socket to communicate to the Service (Speed Racer). Either it or the Unix
+      # Socket will be used, as determined by the configuration options set for Service communication.
       class TcpSocket
         include Contrast::Api::Communication::Socket
 
         attr_reader :host, :port
 
         # Create the socket
+        #
         # @param host [String] socket target hostname or IP address
         # @param port [String,Integer] socket target port
         def initialize host, port
@@ -22,6 +22,7 @@ module Contrast
           @port = port.to_i
         end
 
+        # @return [::TCPSocket]
         def new_socket
           ::TCPSocket.new(host, port)
         end

data/lib/contrast/api/communication/unix_socket.rb

@@ -18,6 +18,7 @@ module Contrast
           @path = path
         end
 
+        # @return [::UNIXSocket]
         def new_socket
           ::UNIXSocket.new(path)
         end

data/lib/contrast/api/decorators/finding.rb

@@ -0,0 +1,45 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/api/dtm.pb'
+require 'contrast/utils/string_utils'
+require 'contrast/components/base'
+
+module Contrast
+  module Api
+    module Decorators
+      # Used to decorate the {Contrast::Api::Dtm::Finding} protobuf
+      # model so it can own the request which its data is for.
+      module Finding
+        def self.included klass
+          klass.extend(ClassMethods)
+        end
+
+        # Used to add class methods to the AgentStartup class on inclusion of the decorator
+        module ClassMethods
+          def build
+            new
+          end
+
+          def to_controlled_hash finding, *_args
+            {
+                hash_code: finding.hash_code,
+                platform: finding.platform,
+                rule_id: finding.rule_id,
+                evidence: finding.evidence,
+                properties: finding.properties,
+                events: finding.events,
+                tags: finding.tags,
+                version: finding.version,
+                routes: finding.routes,
+                session_id: finding.session_id,
+                teamserver_url: ::Contrast::API.api_url
+            }
+          end
+        end
+      end
+    end
+  end
+end
+
+Contrast::Api::Dtm::Finding.include(Contrast::Api::Decorators::Finding)

data/lib/contrast/components/api.rb

@@ -0,0 +1,90 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/components/base'
+require 'contrast/components/config'
+
+module Contrast
+  module Components
+    module Api
+      # A wrapper build around the Common Agent Configuration project to allow
+      # for Api keys to be mapped with their values contained in their
+      # parent_configuration_spec.yaml.
+      class Interface
+        include Contrast::Components::ComponentBase
+
+        def api_url
+          @_api_url ||= ::Contrast::CONFIG.root.api.url
+        end
+
+        def api_key
+          @_api_key ||= ::Contrast::CONFIG.root.api.api_key
+        end
+
+        def service_key
+          @_service_key ||= ::Contrast::CONFIG.root.api.service_key
+        end
+
+        def username
+          @_username ||= ::Contrast::CONFIG.root.api.user_name
+        end
+
+        def proxy_enabled?
+          @_proxy_enabled = true?(::Contrast::CONFIG.root.api.proxy.enable) if @_proxy_enabled.nil?
+          @_proxy_enabled
+        end
+
+        def proxy_url
+          @_proxy_url ||= ::Contrast::CONFIG.root.api.proxy.url
+        end
+
+        def request_audit_enable
+          @_request_audit_enable ||= true?(::Contrast::CONFIG.root.api.request_audit.enable)
+        end
+
+        def request_audit_requests
+          return @_request_audit_requests unless @_request_audit_requests.nil?
+
+          @_request_audit_requests = true?(::Contrast::CONFIG.root.api.request_audit.requests)
+        end
+
+        def request_audit_responses
+          return @_request_audit_responses unless @_request_audit_responses.nil?
+
+          @_request_audit_responses = true?(::Contrast::CONFIG.root.api.request_audit.responses)
+        end
+
+        def request_audit_path
+          @_request_audit_path ||= ::Contrast::CONFIG.root.api.request_audit.path.to_s
+        end
+
+        def certification_enabled?
+          @_certification_enabled ||= certification_truly_enabled?(::Contrast::CONFIG.root.api.certificate)
+        end
+
+        def certification_ca_file
+          @_certification_ca_file ||= ::Contrast::CONFIG.root.api.certificate.ca_file
+        end
+
+        def certification_cert_file
+          @_certification_cert_file ||= ::Contrast::CONFIG.root.api.certificate.cert_file
+        end
+
+        def certification_key_file
+          @_certification_key_file ||= ::Contrast::CONFIG.root.api.certificate.key_file
+        end
+
+        private
+
+        def certification_truly_enabled? config_path
+          return false unless true?(config_path.enable)
+          return true if file_exists?(certification_ca_file) && valid_cert?(certification_ca_file)
+          return true if file_exists?(certification_cert_file) && valid_cert?(certification_cert_file)
+          return true if file_exists?(certification_key_file) && valid_cert?(certification_key_file)
+
+          false
+        end
+      end
+    end
+  end
+end

data/lib/contrast/components/app_context.rb

@@ -5,6 +5,7 @@ require 'rubygems/version'
 require 'contrast/api/decorators/agent_startup'
 require 'contrast/api/decorators/application_startup'
 require 'contrast/utils/object_share'
+require 'contrast/components/app_context_extend'
 
 module Contrast
   module Components
@@ -15,6 +16,7 @@ module Contrast
       # Specifically, this allows for querying the state of the Application,
       # including the Client, Process, and Server information.
       class Interface
+        include Contrast::Components::AppContextExtend
         include Contrast::Components::ComponentBase
         include Contrast::Components::Logger::InstanceMethods
 
@@ -46,6 +48,14 @@ module Contrast
           end
         end
 
+        def session_id
+          @_session_id ||= build_app_startup_message.session_id
+        end
+
+        def app_version
+          @_app_version ||= Contrast::CONFIG.root.application.version
+        end
+
         def path
           @_path ||= begin
             tmp = ::Contrast::CONFIG.root.application.path
@@ -76,47 +86,6 @@ module Contrast
           end
         end
 
-        def build_app_startup_message
-          Contrast::Api::Dtm::ApplicationCreate.build
-        end
-
-        def build_agent_startup_message
-          msg = Contrast::Api::Dtm::AgentStartup.build(server_name, server_path, server_type)
-          logger.info('Application context',
-                      server_name: msg.server_name,
-                      server_path: msg.server_path,
-                      server_type: msg.server_type,
-                      application_name: app_name,
-                      application_path: path,
-                      application_language: Contrast::Utils::ObjectShare::RUBY)
-
-          msg
-        end
-
-        def pid
-          Process.pid
-        end
-
-        def ppid
-          Process.ppid
-        end
-
-        def pgid
-          Process.getpgid(pid)
-        end
-
-        def client_id
-          @_client_id ||= [app_name, pgid].join('-')
-        end
-
-        def instrument_middleware_stack?
-          !Contrast::Utils::JobServersRunning.job_servers_running?
-        end
-
-        def disabled_agent_rake_tasks
-          ::Contrast::CONFIG.root.agent.ruby.disabled_agent_rake_tasks
-        end
-
         # Determines if the Process we're currently in matches that of the
         # Process in which the App Context instance was created.
         # If it doesn't, that indicates the running context is in a new

data/lib/contrast/components/app_context_extend.rb

@@ -0,0 +1,78 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Components
+    # A wrapper build around the Common Agent Configuration project to allow
+    # for access of the values contained in its
+    # parent_configuration_spec.yaml.
+    # Specifically, this allows for querying the state of the Application,
+    # including the Client, Process, and Server information.
+    module AppContextExtend
+      SUPPORTED_FRAMEWORKS = %w[rails sinatra grape rack].cs__freeze
+      SUPPORTED_SERVERS = %w[passenger puma thin unicorn].cs__freeze
+
+      def build_app_startup_message
+        @_build_app_startup_message ||= Contrast::Api::Dtm::ApplicationCreate.build
+      end
+
+      def build_agent_startup_message
+        msg = Contrast::Api::Dtm::AgentStartup.build(server_name, server_path, server_type)
+        logger.info('Application context',
+                    server_name: msg.server_name,
+                    server_path: msg.server_path,
+                    server_type: msg.server_type,
+                    application_name: app_name,
+                    application_path: path,
+                    application_language: Contrast::Utils::ObjectShare::RUBY)
+
+        msg
+      end
+
+      def pid
+        Process.pid
+      end
+
+      def ppid
+        Process.ppid
+      end
+
+      def pgid
+        Process.getpgid(pid)
+      end
+
+      def client_id
+        @_client_id ||= [app_name, pgid].join('-')
+      end
+
+      def app_and_server_information
+        {
+            application_info: find_gem_information(SUPPORTED_FRAMEWORKS),
+            server_info: find_gem_information(SUPPORTED_SERVERS)
+        }
+      end
+
+      def find_gem_information arr
+        arr.each do |framework|
+          next unless Gem.loaded_specs.key?(framework)
+
+          loaded = Gem.loaded_specs[framework]
+          next unless loaded
+
+          name = loaded.instance_variable_get(:@name)
+          version = loaded.instance_variable_get(:@version).to_s
+          return [name, version].join(' ')
+        end
+        nil
+      end
+
+      def instrument_middleware_stack?
+        !Contrast::Utils::JobServersRunning.job_servers_running?
+      end
+
+      def disabled_agent_rake_tasks
+        ::Contrast::CONFIG.root.agent.ruby.disabled_agent_rake_tasks
+      end
+    end
+  end
+end

data/lib/contrast/components/base.rb

@@ -35,6 +35,29 @@ module Contrast
 
         config_param.downcase == Contrast::Utils::ObjectShare::TRUE
       end
+
+      # this method will check if a path could be possibly used
+      # So for example if we pass a path to a file - we'll check
+      # if there is actually that file and if it's with certain extension
+      #
+      # @param config_path [String,nil]
+      # @return [Boolean]
+      def valid_cert? config_path
+        return false if config_path.nil?
+
+        exts = %w[.pem .crt .cer].cs__freeze
+        return false unless exts.include?(File.extname(config_path))
+
+        true
+      end
+
+      # check if file exists at all
+      # @param path [String,nil]
+      def file_exists? path
+        return false unless path
+
+        File.exist? path
+      end
     end
   end
 end

data/lib/contrast/components/config.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/utils/env_configuration_item'
+require 'ougai'
 require 'contrast/configuration'
 
 module Contrast
@@ -23,17 +24,33 @@ module Contrast
     # time than to silently fail to deliver functionality.
     module Config
       CONTRAST_ENV_MARKER = 'CONTRAST__'
+      CONTRAST_LOG = 'contrast_agent.log'
+      CONTRAST_NAME = 'Contrast Agent'
 
       class Interface # :nodoc:
         def initialize
           build
         end
 
-        def build log: true
+        # Basic logger for handling configuration validation logging
+        # the file to log is determined by the default one or set
+        # by the config file, if that configuration is found
+        def proto_logger
+          @_proto_logger ||= begin
+            @_proto_logger = ::Ougai::Logger.new(logger_path || CONTRAST_LOG)
+            @_proto_logger.progname = CONTRAST_NAME
+            @_proto_logger.level = ::Ougai::Logging::Severity::WARN
+            @_proto_logger.formatter = Contrast::Logger::Format.new
+            @_proto_logger.formatter.datetime_format = '%Y-%m-%dT%H:%M:%S.%L%z'
+            @_proto_logger
+          end
+        end
+
+        def build
           @_valid = nil
           @config = Contrast::Configuration.new
           env_overrides
-          validate(log: log)
+          validate
         end
         alias_method :rebuild, :build
 
@@ -43,7 +60,7 @@ module Contrast
         end
 
         def valid?
-          @_valid = validate(log: false) if @_valid.nil?
+          @_valid = validate if @_valid.nil?
           @_valid
         end
 
@@ -59,20 +76,28 @@ module Contrast
 
         SESSION_VARIABLES = 'Invalid configuration. '\
                             "Setting both application.session_id and application.session_metadata is not allowed.\n"
-        def validate log: false
+        API_URL = "Invalid configuration. Missing a required connection value 'url' is not set."
+        API_KEY = "Invalid configuration. Missing a required connection value 'api_key' is not set."
+        API_SERVICE_KEY = "Invalid configuration. Missing a required connection value 'service_tag' is not set."
+        API_USERNAME = "Invalid configuration. Missing a required connection value 'user_name' is not set."
+        def validate
           # The config has information about how to construct the logger.
           # If the config is invalid, and you want to know about it, then
           # you have a circular dependency if you try to log it,
-          # hence `log: false`.
+          # so we use basic proto_logger to do this job.
           if !session_id.empty? && !session_metadata.empty?
-            if log
-              cs__class.log_error(SESSION_VARIABLES)
-            else
-              puts SESSION_VARIABLES
-            end
+            proto_logger.error(SESSION_VARIABLES)
             return false
           end
-
+          if bypass
+            msg = []
+            msg << API_URL unless api_url
+            msg << API_KEY unless api_key
+            msg << API_SERVICE_KEY unless api_service_key
+            msg << API_USERNAME unless api_username
+            msg.any? { |m| proto_logger.error(m) }
+            return false unless msg.empty?
+          end
           true
         end
 
@@ -95,7 +120,7 @@ module Contrast
         # @return [String,nil] the value of the session id set in the
         #   configuration, or nil if unset
         def session_id
-          @config.application.session_id
+          root.application.session_id
         end
 
         # Typically, this would be accessed through
@@ -106,7 +131,61 @@ module Contrast
         # @return [String,nil] the value of the session metadata set in the
         #   configuration, or nil if unset
         def session_metadata
-          @config.application.session_metadata
+          root.application.session_metadata
+        end
+
+        # Typically, the following values would be accessed through Contrast::Components::AppContext
+        # and Contrast::Components::API, but we're too early in the initialization of the Agent to use
+        # that mechanism, so we look it up directly for ourselves.
+        #
+        # @return [String, nil]
+        def api_url
+          root.api.url
+        end
+
+        # Typically, the following values would be accessed through Contrast::Components::AppContext
+        # and Contrast::Components::API, but we're too early in the initialization of the Agent to use
+        # that mechanism, so we look it up directly for ourselves.
+        #
+        # @return [String, nil]
+        def api_key
+          root.api.api_key
+        end
+
+        # Typically, the following values would be accessed through Contrast::Components::AppContext
+        # and Contrast::Components::API, but we're too early in the initialization of the Agent to use
+        # that mechanism, so we look it up directly for ourselves.
+        #
+        # @return [String, nil]
+        def api_service_key
+          root.api.service_key
+        end
+
+        # Typically, the following values would be accessed through Contrast::Components::AppContext
+        # and Contrast::Components::API, but we're too early in the initialization of the Agent to use
+        # that mechanism, so we look it up directly for ourselves.
+        #
+        # @return [String, nil]
+        def api_username
+          root.api.user_name
+        end
+
+        # Typically, the following values would be accessed through Contrast::Components::AppContext
+        # and Contrast::Components::API, but we're too early in the initialization of the Agent to use
+        # that mechanism, so we look it up directly for ourselves.
+        #
+        # @return [String, nil]
+        def bypass
+          root.agent.service.bypass
+        end
+
+        # Typically, the following values would be accessed through Contrast::Components::AppContext
+        # and Contrast::Components::Logger, but we're too early in the initialization of the Agent to use
+        # that mechanism, so we look it up directly for ourselves.
+        #
+        # @return [String, nil]
+        def logger_path
+          root.agent.logger.path
         end
       end
     end

data/lib/contrast/components/contrast_service.rb

@@ -15,6 +15,7 @@ module Contrast
         include Contrast::Components::ComponentBase
 
         DEFAULT_SERVICE_LOG = 'contrast_service.log'
+        DEFAULT_SERVICE_LEVEL = :TRACE
         # The Rails ActionDispatch regexp for localhost IP + literal localhost
         # https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/http/request.rb#L32
         LOCALHOST = Regexp.union [/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/, /^::1$/, /^0:0:0:0:0:0:0:1(%.*)?$/, /^localhost$/]
@@ -31,6 +32,12 @@ module Contrast
               (LOCALHOST.match?(host) || !!socket_path)
         end
 
+        def use_agent_communication?
+          return @_use_agent_communication unless @_use_agent_communication.nil?
+
+          @_use_agent_communication = true?(::Contrast::CONFIG.root.agent.service.bypass)
+        end
+
         def host
           @_host ||=
             (::Contrast::CONFIG.root.agent.service.host || Contrast::Config::ServiceConfiguration::DEFAULT_HOST).to_s
@@ -53,6 +60,10 @@ module Contrast
           @_logger_path ||= ::Contrast::CONFIG.root.agent.service.logger.path || DEFAULT_SERVICE_LOG
         end
 
+        def logger_level
+          @_logger_level ||= ::Contrast::CONFIG.root.agent.service.logger.level || DEFAULT_SERVICE_LEVEL
+        end
+
         private
 
         def disabled?

data/lib/contrast/components/sampling.rb

@@ -14,7 +14,7 @@ module Contrast
         DEFAULT_SAMPLING_WINDOW_MS          = 180_000
       end
 
-      module ClassMethods #:nodoc:
+      module ClassMethods # :nodoc:
         include Contrast::Components::ComponentBase
         include Constants
 
@@ -90,7 +90,7 @@ module Contrast
         end
       end
 
-      module InstanceMethods #:nodoc:
+      module InstanceMethods # :nodoc:
         include Contrast::Components::ComponentBase
         include Constants
         include ClassMethods

data/lib/contrast/config/agent_configuration.rb

@@ -8,7 +8,7 @@ module Contrast
     class AgentConfiguration < BaseConfiguration
       KEYS = {
           enable: EMPTY_VALUE,
-          start_bundled_service: Contrast::Config::DefaultValue.new(true),
+          start_bundled_service: true,
           omit_body: EMPTY_VALUE,
           service: Contrast::Config::ServiceConfiguration,
           logger: Contrast::Config::LoggerConfiguration,

data/lib/contrast/config/api_configuration.rb

@@ -0,0 +1,27 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/config/api_proxy_configuration'
+require 'contrast/config/certification_configuration'
+require 'contrast/config/request_audit_configuration'
+
+module Contrast
+  module Config
+    # Api keys configuration
+    class ApiConfiguration < BaseConfiguration
+      URL = 'https://app.contrastsecurity.com/contrast'
+      KEYS = {
+          api_key: EMPTY_VALUE,
+          url: URL,
+          user_name: EMPTY_VALUE,
+          service_key: EMPTY_VALUE,
+          proxy: Contrast::Config::ApiProxyConfiguration,
+          request_audit: Contrast::Config::RequestAuditConfiguration,
+          certificate: Contrast::Config::CertificationConfiguration
+      }.cs__freeze
+      def initialize hsh
+        super(hsh, KEYS)
+      end
+    end
+  end
+end

data/lib/contrast/config/api_proxy_configuration.rb

@@ -0,0 +1,14 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Config
+    # Api Proxy keys configuration
+    class ApiProxyConfiguration < BaseConfiguration
+      KEYS = { enable: false, url: EMPTY_VALUE }.cs__freeze
+      def initialize hsh
+        super(hsh, KEYS)
+      end
+    end
+  end
+end

data/lib/contrast/config/application_configuration.rb

@@ -1,7 +1,6 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/config/default_value'
 require 'contrast/utils/object_share'
 
 module Contrast
@@ -18,8 +17,8 @@ module Contrast
           tags: EMPTY_VALUE,
           code: EMPTY_VALUE,
           metadata: EMPTY_VALUE,
-          session_id: Contrast::Config::DefaultValue.new(Contrast::Utils::ObjectShare::EMPTY_STRING),
-          session_metadata: Contrast::Config::DefaultValue.new(Contrast::Utils::ObjectShare::EMPTY_STRING)
+          session_id: Contrast::Utils::ObjectShare::EMPTY_STRING,
+          session_metadata: Contrast::Utils::ObjectShare::EMPTY_STRING
       }.cs__freeze
 
       def initialize hsh

data/lib/contrast/config/assess_configuration.rb

@@ -9,11 +9,11 @@ module Contrast
       KEYS = {
           tags: EMPTY_VALUE,
           enable: EMPTY_VALUE,
-          enable_scan_response: Contrast::Config::DefaultValue.new('true'),
-          enable_dynamic_sources: Contrast::Config::DefaultValue.new('true'),
+          enable_scan_response: true,
+          enable_dynamic_sources: true,
           sampling: Contrast::Config::SamplingConfiguration,
           rules: Contrast::Config::AssessRulesConfiguration,
-          stacktraces: Contrast::Config::DefaultValue.new('ALL')
+          stacktraces: 'ALL'
       }.cs__freeze
 
       def initialize hsh