contrast-agent 4.13.1 → 4.14.0

data/lib/contrast/agent/reporting/reporting_events/preflight_message.rb

@@ -0,0 +1,56 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/components/logger'
+require 'contrast/agent/reporting/reporting_events/reporting_event'
+
+module Contrast
+  module Agent
+    module Reporting
+      # This is the new PreflightMessage class which will include all the needed information
+      # for the new reporting system to report a single message, part of the main Preflight
+      class PreflightMessage < Contrast::Agent::Reporting::ReportingEvent
+        attr_accessor :data, :routes, :hash_code
+
+        def initialize
+          super
+          @event_type = :preflight_message
+          @app_language = Contrast::Utils::ObjectShare::RUBY
+          @app_name = ::Contrast::APP_CONTEXT.app_name
+          @app_version = ::Contrast::APP_CONTEXT.app_version
+        end
+
+        def to_controlled_hash **_args
+          validate
+          super.merge!({
+                           app_language: @app_language,
+                           app_name: @app_name,
+                           app_version: @app_version,
+                           data: '',
+                           key: 0,
+                           routes: @routes,
+                           session_id: @agent_session_id_value
+                       })
+        end
+
+        def validate
+          raise(ArgumentError, "#{ cs__class } did not have a proper data. Unable to continue.") unless data
+          unless @app_name
+            raise(ArgumentError, "#{ cs__class } did not have a proper application name. Unable to continue.")
+          end
+          unless @app_language
+            raise(ArgumentError, "#{ cs__class } did not have a proper application language. Unable to continue.")
+          end
+          unless @app_version
+            raise(ArgumentError, "#{ cs__class } did not have a proper application version. Unable to continue.")
+          end
+          unless @agent_session_id_value
+            raise(ArgumentError, "#{ cs__class } did not have a proper session id. Unable to continue.")
+          end
+
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/reporting_events/reporting_event.rb

@@ -0,0 +1,37 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/components/logger'
+require 'contrast/utils/assess/trigger_method_utils'
+
+module Contrast
+  module Agent
+    module Reporting
+      # This is the new ReportingEvent class which will include all the needed and mutual information
+      # for the new reporting system
+      # @abstract
+      class ReportingEvent
+        attr_reader :routes
+        attr_accessor :event_type
+
+        CODE = :TRACE
+
+        def initialize(*) # rubocop:disable Style/MethodDefParentheses
+          @event_type = Contrast::Utils::ObjectShare::EMPTY_STRING
+          @agent_session_id_value = 0
+          @routes = []
+        end
+
+        def to_controlled_hash **_args
+          { code: CODE, routes: routes }
+        end
+
+        def validate
+          raise(ArgumentError, "#{ self } did not have a proper routes. Unable to continue.") if routes.empty?
+
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/reporting_utilities/audit.rb

@@ -0,0 +1,127 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/components/logger'
+require 'fileutils'
+require 'json'
+
+module Contrast
+  module Agent
+    module Reporting
+      # This class will facilitate the Audit functionality and it will be
+      # controlled from the configuration classes
+      class Audit
+        include Contrast::Components::Logger::InstanceMethods
+
+        attr_reader :path_for_requests, :path_for_responses
+
+        def initialize
+          generate_paths if enabled? && Contrast::CONTRAST_SERVICE.use_agent_communication?
+        end
+
+        # This method will be handling the auditing of the requests and responses we send to SpeedRacer. If the audit
+        # feature is enabled, we'll log to file the request and/or response protobuf objects.
+        #
+        # @param event [Contrast::Api::Dtm] One of the DTMs valid for the event field of
+        #   Contrast::Api::Dtm::Message|Contrast::Api::Dtm::Activity
+        # @param response_data [Contrast::Api::Settings::AgentSettings,nil]
+        def audit_event event, response_data = nil
+          return unless ::Contrast::API.request_audit_requests || ::Contrast::API.request_audit_responses
+
+          type = event.cs__respond_to?(:file_name) ? event.file_name : event.cs__class.cs__name.to_s.downcase
+          if ::Contrast::API.request_audit_requests
+            data = event.to_s
+            log_data :request, type, data if data
+          end
+          return unless ::Contrast::API.request_audit_responses
+
+          data = response_data.to_s || event.http_response.try(:body) || 'There is no available response'
+          log_data :response, type, data
+        end
+
+        private
+
+        # This method will proceed with passing the data with to the writing method
+        # @param type [Symbol] This is the type of the file /:request, :response/
+        # @param data_type[String] DTM type String representation
+        # @param data[String] String representation if the logged data
+        def log_data type, data_type, data = nil
+          return unless enabled?
+          return unless Contrast::CONTRAST_SERVICE.use_agent_communication?
+
+          write_to_file type, data_type, data
+        end
+
+        # This method will be actually writing to the file
+        # @param type [Symbol] This is the type of the file /:request, :response/
+        # @param data_type [String] Data type /Activity/Finding../
+        # @param data [any] The data to be written to the file
+        def write_to_file type, data_type, data = nil
+          time = Time.now.to_i
+          destination = type == :request ? path_for_requests : path_for_responses
+          # If the feature is disabled or we have yet to create the directory structure, then we could have a nil
+          # destination. In that case, take no action
+          return unless destination
+
+          filename = "#{ time }-#{ data_type.gsub('::', '_') }-teamserver.json"
+          filepath = File.join(destination, filename)
+          # Here is use append mode, because of a slightly possibility of overwriting an existing file
+          File.open(filepath, 'a') do |f|
+            f.write({ data_type: Contrast::Utils::StringUtils.force_utf8(data) }.to_json)
+          end
+        end
+
+        # Here we will generate the directories for the requests and responses
+        def generate_paths
+          message_directories = File.expand_path(path_to_audits)
+          FileUtils.mkdir_p(message_directories) unless Dir.exist?(message_directories)
+
+          requests_destination = File.expand_path(File.join(message_directories, '/requests'))
+          responses_destination = File.expand_path(File.join(message_directories, '/responses'))
+
+          Dir.mkdir(requests_destination) if enabled_for_requests? && !Dir.exist?(requests_destination)
+          Dir.mkdir(responses_destination) if enabled_for_responses? && !Dir.exist?(responses_destination)
+
+          @path_for_requests ||= requests_destination if enabled_for_requests?
+          @path_for_responses ||= responses_destination if enabled_for_responses?
+        rescue StandardError => e
+          logger.warn('Generating the paths failed with: ', e: e)
+        end
+
+        # Retrieves the configuration value if the request audit is enabled
+        # @return [Boolean]
+        def enabled?
+          ::Contrast::API.request_audit_enable
+        end
+
+        # The boolean values for the requests and the responses should be taken under
+        # consideration only if it's in combination with enabled
+        # So in order for us to actually audit the requests, we need:
+        # - enabled? -> ture and enabled_for_requests? -> true
+        # The same is for the responses
+        #
+        #
+        # Retrieve the configuration value if the audit for requests is enabled
+        # @return [Boolean]
+        def enabled_for_requests?
+          ::Contrast::API.request_audit_requests
+        end
+
+        # Retrieve the configuration value if the audit for responses is enabled
+        # @return [Boolean]
+        def enabled_for_responses?
+          ::Contrast::API.request_audit_requests
+        end
+
+        # Retrieve the configuration value for the path of the audits
+        # The value will be read from the configuration yml
+        # but if it isn't defined any - here will be returned the default path from
+        # Contrast::Config::RequestAuditConfiguration::DEFAULT_PATH
+        # @return [String]
+        def path_to_audits
+          ::Contrast::API.request_audit_path
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb

@@ -0,0 +1,168 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'json'
+require 'net/http'
+require 'contrast/components/logger'
+require 'contrast/utils/net_http_base'
+require 'contrast/agent/reporting/reporting_events/finding'
+require 'contrast/agent/reporting/reporting_events/preflight_message'
+require 'contrast/agent/reporting/reporting_events/reporting_event'
+
+module Contrast
+  module Utils
+    # This module creates a Net::HTTP client and initiates a connection to the provided result
+    class ReporterClient < NetHttpBase
+      include ObjectShare
+      SERVICE_NAME = 'Reporter'
+      ENDPOINTS = {
+          application_activity: '/api/ng/activity/application',
+          application_create: '/api/ng/applications/create',
+          agent_startup: '/api/ng/servers/',
+          preflight: '/api/ng/preflight/',
+          report_vulnerability: '/api/ng/traces',
+          server_activity: '/api/ng/servers/',
+          server_update: '/api/ng/update/application'
+      }.cs__freeze
+      # EVENT_TYPES = {
+      #     agent_startup: Contrast::Api::Dtm::AgentStartup,
+      #     report_vulnerability: Contrast::Agent::Reporting::Finding,
+      #     preflight: Contrast::Agent::Reporting::Preflight
+      # }.cs__freeze
+      include Contrast::Components::Logger::InstanceMethods
+      # This method initializes the Net::HTTP client we'll need. it will validate
+      # the connection and make the first request. If connection is valid and response
+      # is available then the open connection is returned.
+      #
+      # @return [Net::HTTP, nil] Return open connection or nil
+      def initialize_connection
+        # for this client we would use proxy and custom certificate file if available
+        super(SERVICE_NAME, Contrast::API.api_url, true, true)
+      end
+
+      # @param headers [Hash] all the headers needed for communication with TS
+      def initialize headers
+        @headers = headers
+        super()
+      end
+
+      # Send Agent Startup event
+      #
+      # @param event [Contrast::Api::Dtm] One of the DTMs valid for the event field of
+      #   Contrast::Api::Dtm::Message|Contrast::Api::Dtm::Activity
+      # @param connection [Net::HTTP] open connection
+      # @return response [Net::HTTP::Response] response from TS
+      def send_agent_startup event, connection
+        logger.debug('Preparing to send startup messages')
+        request = build_request ENDPOINTS[:agent_startup], event
+        response = connection.request(request)
+        logger.debug('Successfully sent startup messages to service.') if response
+        response
+      end
+
+      # Check event type and send it to appropriate TS endpoint
+      #
+      # @param event [Contrast::Api::Dtm,Contrast::Agent::Reporting::ReportingEvent] One of the DTMs valid for the event
+      # field of Contrast::Api::Dtm::Message|Contrast::Api::Dtm::Activity
+      # @param connection [Net::HTTP] open connection
+      # @param send_immediately [Boolean] flag for the logger
+      # @return response [Net::HTTP::Response, nil] response from TS if no response
+      def send_event event, connection, send_immediately = false
+        event_type = symbolized_event_type event.event_type
+        @response = send_events event, event_type, connection
+        log_send_event event if send_immediately
+        @response
+      end
+
+      private
+
+      # This method will build headers of the request required for TS communication
+      #
+      # @param request [Net::HTTP::Post]
+      def build_headers request
+        @app_version = @headers[:app_version]
+        request['API-Key'] = @headers[:api_key]
+        request['Application-Language'] = @headers[:app_language]
+        request['Application-Name'] = @headers[:app_name]
+        request['Application-Path'] = @headers[:app_path]
+        request['Application-Version'] = @app_version if @app_version
+        request['Authorization'] = @headers[:authorization]
+        request['Content-Type'] = @headers[:content_type]
+        request['Server-Name'] = @headers[:server_name]
+        request['Server-Path'] = @headers[:server_path]
+        request['Server-Type'] = @headers[:server_type]
+        request['X-Contrast-Agent'] = @headers[:agent_version]
+        request['X-Contrast-Header-Encoding'] = @headers[:encoding]
+        request
+      end
+
+      # build the request headers and assign endpoint
+      #
+      # @param endpoint [String] endpoint to report to
+      # @param event [Contrast::Api::Dtm,Contrast::Agent::Reporting::ReportingEvent]
+      # One of the DTMs valid for the event field of Contrast::Api::Dtm::Message|Contrast::Api::Dtm::Activity
+      # @return [Net::HTTP::Post]
+      def build_request endpoint, event
+        @request = build_headers Net::HTTP::Post.new(endpoint)
+        @request.body = if event.cs__is_a?(Contrast::Agent::Reporting::ReportingEvent)
+                          event.to_controlled_hash.to_json
+                        else
+                          event.to_json
+                        end
+        @request
+      end
+
+      # log the event sent immediately
+      #
+      # @param event [Contrast::Api::Dtm,Contrast::Agent::Reporting::ReportingEvent] One of the DTMs valid for the
+      # event field of Contrast::Api::Dtm::Message|Contrast::Api::Dtm::Activity
+      def log_send_event event
+        logger.debug('Immediately sending event.', event_id: event.__id__, event_type: event.cs__class.cs__name)
+      end
+
+      # Sent different events to different endpoints
+      #
+      # @param event [Contrast::Api::Dtm,Contrast::Agent::Reporting::ReportingEvent] Main reporting event, all events
+      # inherit it
+      # @param event_type [Symbol] We'll use this symbol to match the urls
+      # @param connection [Net::HTTP] open connection
+      def send_events event, event_type, connection
+        logger.debug("Preparing to send #{ event_type.to_s.capitalize } messages")
+        request = build_request ENDPOINTS[event_type], event
+        response = connection.request(request)
+        logger.debug("Successfully sent #{ event_type.to_s.capitalize } messages to service.") if response
+        response
+      end
+
+      # Eventually here we'll handle more response types and etc
+
+      # @param event [Contrast::Agent::Reporting::Preflight] the preflight we handle here
+      # @param response [Net::HTTP::Response,nil] The response we handle and read from
+      # @param connection [Net::HTTP] open connection
+      def handle_response event, response, connection
+        return unless event || response || connection
+
+        preflight_message = event.messages[0]
+        event_type = symbolized_event_type preflight_message.event_type
+        return unless event_type == :preflight_message
+
+        # for handling multiple findings
+        # we'll only extract the indexes without *
+        # findings_to_return = response.body.split(',').delete_if { |el| el.include?('*') }
+        # after that we'll do some magic and return them the same way we do for corresponding_finding
+        corresponding_finding = Contrast::Agent::Reporting::ReportingStorage.delete(preflight_message.hash_code)
+        return unless corresponding_finding
+
+        send_event corresponding_finding, connection, true
+        nil
+      end
+
+      def symbolized_event_type event_type
+        return unless event_type
+        return event_type unless event_type.cs__is_a?(String)
+
+        event_type.downcase.to_sym
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/reporting_utilities/reporting_storage.rb

@@ -0,0 +1,66 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/components/logger'
+
+module Contrast
+  module Agent
+    module Reporting
+      # This module will be used to store everything that would be sent
+      # and depends on the response we receive
+      module ReportingStorage
+        class << self
+          include Contrast::Components::Logger::InstanceMethods
+
+          # So the collection will be used to store those events
+          def collection
+            @_collection ||= {}
+          end
+
+          # @param key[String] the key for the pair
+          # @param value[Object] the value we need to store
+          # @return [Object] the value we saved
+          def []= key, value
+            return unless key
+            return unless value
+
+            logger.debug('Saving new value', key: key)
+
+            key = key.to_s.downcase.strip
+            collection[key] = value
+
+            value # rubocop:disable Lint/Void
+          end
+
+          # @param key[String] the key for the pair
+          def [] key
+            return unless key
+
+            collection[key]
+          end
+          alias_method :get, :[]
+          alias_method :set, :[]=
+
+          def delete key
+            return unless key
+
+            logger.debug('Starting deleting value for', key: key)
+
+            deleted_value = collection.delete(key)
+            logger.debug('Key wasn\'t found') unless deleted_value
+
+            deleted_value
+          end
+
+          # @param rule_id [String] the rule_id
+          # @return [Hash, nil] return array with key and value of the pair
+          def find_by_rule_id rule_id
+            return unless rule_id
+
+            collection.find { |_, v| v.rule_id == rule_id }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/request.rb

@@ -9,6 +9,7 @@ require 'contrast/utils/string_utils'
 require 'contrast/utils/hash_digest'
 require 'contrast/components/logger'
 require 'contrast/components/scope'
+require 'contrast/utils/request_utils'
 
 module Contrast
   module Agent
@@ -17,6 +18,7 @@ module Contrast
     # data in a format that the Agent expects, caching those transformations in
     # order to avoid repeatedly creating Strings & thrashing GC.
     class Request
+      include Contrast::Utils::RequestUtils
       include Contrast::Components::Logger::InstanceMethods
       include Contrast::Components::Scope::InstanceMethods
 
@@ -152,87 +154,6 @@ module Contrast
 
         accepts.start_with?(*MEDIA_TYPE_MARKERS)
       end
-
-      private
-
-      # Return a flattened hash of params with realized paths for keys, in
-      # addition to a separate, valueless, entry for each nest key.
-      # See RUBY-621 for more details.
-      # { key : { nested_key : ['x','y','z' ] } }
-      # becomes
-      # {
-      #   key[nested_key][0] : 'x'
-      #   key[nested_key][1] : 'y'
-      #   key[nested_key][2] : 'z'
-      #   key :                ''
-      #   nested_key :         ''
-      # }
-      def normalize_params val, prefix: nil
-        # In non-recursive invocations, val should always be a Hash
-        # (rather than breaking this out into two methods)
-        case val
-        when Tempfile
-          # Skip if it's the auto-generated value from rails when it handles
-          # file uploads. The file name will still be sent to SR for analysis.
-          {}
-        when Hash
-          res = val.each_with_object({}) do |(k, v), hash|
-            k = Contrast::Utils::StringUtils.force_utf8(k)
-            nested_prefix = prefix.nil? ? k : "#{ prefix }[#{ k }]"
-            hash[k] = Contrast::Utils::ObjectShare::EMPTY_STRING
-            hash.merge! normalize_params(v, prefix: nested_prefix)
-          end
-          res[prefix] = Contrast::Utils::ObjectShare::EMPTY_STRING if prefix
-          res
-        when Enumerable
-          idx = 0
-          res = {}
-          while idx < val.length
-            res.merge! normalize_params(val[idx], prefix: "#{ prefix }[#{ idx }]")
-            idx += 1
-          end
-          res[prefix] = Contrast::Utils::ObjectShare::EMPTY_STRING if prefix
-          res
-        else
-          { prefix => Contrast::Utils::StringUtils.force_utf8(val) }
-        end
-      end
-
-      def read_body body
-        return body if body.is_a?(String)
-
-        begin
-          can_rewind = Contrast::Utils::DuckUtils.quacks_to?(body, :rewind)
-          # if we are after a middleware that failed to rewind
-          body.rewind if can_rewind
-          body.read
-        rescue StandardError => e
-          logger.error('Error in attempt to read body', message: e.message)
-          logger.trace('With Stack', e)
-          body.to_s
-        ensure
-          # be a good citizen and rewind
-          body.rewind if can_rewind
-        end
-      end
-
-      def traverse_parsed_multipart multipart_data, current_names
-        return current_names unless multipart_data
-
-        multipart_data.each_value do |data_value|
-          next unless data_value.is_a?(Hash)
-
-          tempfile = data_value[:tempfile]
-          if tempfile.nil?
-            traverse_parsed_multipart(data_value, current_names)
-          else
-            name = data_value[:name].to_s
-            file_name = data_value[:filename].to_s
-            current_names[name] = file_name
-          end
-        end
-        current_names
-      end
     end
   end
 end