contrast-agent 4.13.1 → 4.14.0

data/lib/contrast/agent.rb

@@ -29,6 +29,9 @@ require 'contrast/utils/os'
 require 'contrast/utils/hash_digest'
 require 'contrast/utils/invalid_configuration_util'
 
+# Collect findings
+require 'contrast/utils/findings'
+
 # scoping
 require 'contrast/agent/scope'
 
@@ -48,25 +51,37 @@ module Contrast
   module Agent
     # build a map for tracking the context of the current request
     REQUEST_TRACKER = Contrast::Utils::ThreadTracker.new
+    FINDINGS = Contrast::Utils::Findings.new
 
+    # @return [Contrast::Framework::Manager]
     def self.framework_manager
       @_framework_manager ||= Contrast::Framework::Manager.new
     end
 
+    # @return [nil, Contrast::Utils::HeapDumpUtil]
     def self.heapdump_util
       thread_watcher.heapdump_util
     end
 
+    # @return [nil, Contrast::Api::Communication::MessagingQueue]
     def self.messaging_queue
       thread_watcher.messaging_queue
     end
 
+    # @return [nil, Contrast::Agent::Telemetry]
     def self.telemetry_queue
       return unless thread_watcher.telemetry_queue
 
       thread_watcher.telemetry_queue
     end
 
+    # @return [nil, Contrast::Agent::Reporter]
+    def self.reporter_queue
+      return unless  thread_watcher.reporter_queue
+
+      thread_watcher.reporter_queue
+    end
+
     def self.thread_watcher
       @_thread_watcher ||= Contrast::Agent::ThreadWatcher.new
     end

data/lib/contrast/api/communication/connection_status.rb

@@ -4,7 +4,7 @@
 module Contrast
   module Api
     module Communication
-      # Keeps track of the state of connections to the service.
+      # Keeps track of the state of connections to SpeedRacer.
       class ConnectionStatus
         def initialize
           @last_success = nil
@@ -12,25 +12,28 @@ module Contrast
           @startup_messages_sent = false
         end
 
-        # Whether we have sent startup message to the service. True after successfully
-        # sending startup messages to service and reset to false if we lose connection
-        # to the service.
+        # Whether we have sent startup message to SpeedRacer. True after successfully sending startup messages to
+        # SpeedRacer and reset to false if we lose connection.
+        #
+        # @return [Boolean]
         def startup_messages_sent?
           @startup_messages_sent
         end
 
-        # The last message sent was successful
+        # The last message sent was successful or not
+        #
+        # @return [Boolean]
         def connected?
           @last_success && (@last_failure.nil? || @last_success > @last_failure)
         end
 
-        # The current state of the service is active with a successful message sent
+        # The current state of the SpeedRacer is active with a successful message sent
         def success!
           @startup_messages_sent = true
           @last_success = Time.now.to_f
         end
 
-        # The service may be in some sort of error state
+        # The SpeedRacer may be in some sort of error state
         def failure!
           @startup_messages_sent = false
           @last_failure = Time.now.to_f

data/lib/contrast/api/communication/messaging_queue.rb

@@ -3,6 +3,7 @@
 
 require 'contrast/components/logger'
 require 'contrast/agent/worker_thread'
+require 'contrast/agent/reporting/reporting_utilities/audit'
 
 module Contrast
   module Api
@@ -15,23 +16,46 @@ module Contrast
 
         def initialize
           @speedracer = Contrast::Api::Communication::Speedracer.new
+          @audit = Contrast::Agent::Reporting::Audit.new if ::Contrast::API.request_audit_enable
           super
         end
 
-        # Use this to bypass the messaging queue and leave response processing to the caller
+        # Use this to bypass the messaging queue and leave response processing to the caller. We use this method for
+        # those operations which are blocking, meaning they must complete for the Agent to continue operations. These
+        # types of events include initial settings/ setup on startup and analysis required to complete before handing
+        # execution from our pre-filter operations to the application code (i.e. Protect's input analysis).
+        #
+        # @param event [Contrast::Api::Dtm] One of the DTMs valid for the event field of
+        #   Contrast::Api::Dtm::Message|Contrast::Api::Dtm::Activity
+        # @return [Contrast::Api::Settings::AgentSettings,nil]
         def send_event_immediately event
           if ::Contrast::AGENT.disabled?
             logger.warn('Attempted to send event immediately with Agent disabled', caller: caller, event: event)
             return
           end
-          speedracer.return_response(event)
+          response_data = speedracer.return_response(event)
+          return response_data unless ::Contrast::API.request_audit_enable
+
+          @audit&.audit_event(event, response_data)
+          response_data
         end
 
+        # A simple Queue used to hold messages that are ready to be sent to SpeedRacer but for which we do not need an
+        # immediate response
+        #
+        # @return [Queue]
         def queue
           @_queue ||= Queue.new
         end
 
-        # Use this to add a message to the queue and process the response internally
+        # Use this to add a message to the queue and process the response internally. We use this method for those
+        # operations which are non-blocking, meaning they don't need to complete for the Agent to continue operations.
+        # These types of events include any post-request messaging that occurs after execution is returned from the
+        # application to our post-filter operations as well as those that don't alter the application's execution (i.e.
+        # Assess' vulnerability reporting).
+        #
+        # @param event [Contrast::Api::Dtm] One of the DTMs valid for the event field of
+        #   Contrast::Api::Dtm::Message|Contrast::Api::Dtm::Activity
         def send_event_eventually event
           if ::Contrast::AGENT.disabled?
             logger.warn('Attempted to queue event with Agent disabled', caller: caller, event: event)
@@ -39,8 +63,14 @@ module Contrast
           end
           logger.debug('Enqueued event for sending', event_type: event.cs__class)
           queue << event if event
+          return unless ::Contrast::API.request_audit_enable
+
+          @audit&.audit_event(event)
         end
 
+        # Create the reporting thread, which will pull from the queue in order to send messages to SpeedRacer. If
+        # SpeedRacer is not running and should be, meaning the Agent is configured to control it, then we will also
+        # try to start that process.
         def start_thread!
           speedracer.ensure_startup!
           return if running?
@@ -60,12 +90,16 @@ module Contrast
           logger.debug('Started background sending thread.')
         end
 
+        # When the Agent shuts down, we terminate the message sending operations. This method clears, closes, and
+        # destroys the queue.
         def delete_queue!
           @_queue&.clear
           @_queue&.close
           @_queue = nil
         end
 
+        # When the Agent shuts down, we terminate the thread responsible for reporting. This method destroys that
+        # thread and any data we would have sent with it.
         def stop!
           return unless running?
 

data/lib/contrast/api/communication/response_processor.rb

@@ -7,10 +7,13 @@ require 'contrast/components/logger'
 module Contrast
   module Api
     module Communication
-      # Handles processing deferred messages
+      # Handles processing deferred messages sent to SpeedRacer.
       class ResponseProcessor
         include Contrast::Components::Logger::InstanceMethods
 
+        # Use the given response to update the Agent's server features and application settings, allowing it to reflect
+        # the latest options configured by the user in TeamServer
+        #
         # @param response [Contrast::Api::Settings::AgentSettings]
         def process response
           logger.debug('Received a response', sent_ms: response&.sent_ms)
@@ -18,8 +21,8 @@ module Contrast
           server_features = process_server_response(response)
           app_settings = process_application_response(response)
 
-          # ReactionProcessor is a design pattern from TeamServer.
-          # Right now, there's one potential reaction, which is disabling the agent
+          # ReactionProcessor is a design pattern from TeamServer. Right now, there's one potential reaction, which is
+          # disabling the agent
           Contrast::Agent::ReactionProcessor.process(response&.application_settings)
 
           Contrast::Logger::Log.instance.update(server_features&.log_file, server_features&.log_level)
@@ -30,10 +33,10 @@ module Contrast
 
         private
 
-        # Given some protobuf messages, update server features.
-        # This is the bridge between Contrast Service <-> Settings.
+        # Given some protobuf messages, update server features. This is the bridge between SpeedRacer <-> Settings.
         #
         # @param response [Contrast::Api::Settings::AgentSettings]
+        # @return [Contrast::Api::Settings::ServerFeatures]
         def process_server_response response
           server_features = response&.server_features
           return unless server_features
@@ -45,10 +48,11 @@ module Contrast
           server_features
         end
 
-        # Given some protobuf messages, update application settings.
-        # This is the bridge between Contrast Service <-> Settings.
+        # Given some protobuf messages, update application settings. This is the bridge between SpeedRacer <->
+        # Settings.
         #
         # @param response [Contrast::Api::Settings::AgentSettings]
+        # @return [Contrast::Api::Settings::ApplicationSettings]
         def process_application_response response
           app_settings = response&.application_settings
           return unless app_settings
@@ -61,7 +65,10 @@ module Contrast
         end
 
         # This can't go in the Settings component because protect and assess depend on settings
-        # I don't think it should go into contrast_service because that only handles connection specific data
+        # I don't think it should go into contrast_service because that only handles connection specific data.
+        #
+        # @param server_features [Contrast::Api::Settings::AgentSettings]
+        # @param app_settings [Contrast::Api::Settings::ApplicationSettings]
         def update_features server_features, app_settings
           return unless !!(server_features || app_settings)
           return unless ::Contrast::AGENT.enabled?

data/lib/contrast/api/communication/service_lifecycle.rb

@@ -13,6 +13,10 @@ module Contrast
 
         private
 
+        # Attempt to start up a local process with SpeedRacer. This will ensure the process isn't just a zombie and is
+        # a real functioning process.
+        #
+        # @return [Boolean] Did the SpeedRacer process start?
         def attempt_local_service_startup
           zombie_check
           service_starter_thread.join(5)
@@ -25,8 +29,8 @@ module Contrast
           is_service_started
         end
 
-        # check if there's a zombie service that exists, and wait on it if so. currently, this only happens when trying
-        # to initialize speedracer
+        # Check if there's a zombie service that exists, and wait on it if so. Currently, this only happens when trying
+        # to initialize SpeedRacer. If there is a zombie, we'll wait until the zombie completes.
         def zombie_check
           zombie_pid_list = Contrast::Utils::OS.zombie_pids
           zombie_pid_list.each do |pid|
@@ -36,6 +40,10 @@ module Contrast
           end
         end
 
+        # Determine the options used to set up the SpeedRacer process. Specifically, this handles if we need to adjust
+        # where the process needs to log.
+        #
+        # @return [Hash] options used to spawn the SpeedRacer process
         def determine_startup_options
           return { out: :out, err: :out } if ::Contrast::CONTRAST_SERVICE.logger_path == 'STDOUT'
           return { out: :err, err: :err } if ::Contrast::CONTRAST_SERVICE.logger_path == 'STDERR'
@@ -43,13 +51,15 @@ module Contrast
           { out: File::NULL, err: File::NULL }
         end
 
-        # This is a separate method so we can overwrite it globally in specs
+        # Create a new process for the SpeedRacer. This is a separate method so we can overwrite it globally in specs.
         def spawn_service
           options = determine_startup_options
           logger.debug('Spawning service')
           spawn 'contrast_service', options
         end
 
+        # Create a thread to start the SpeedRacer, making calls to spawn until one starts successfully. As soon as the
+        # SpeedRacer process starts, this thread terminates.
         def service_starter_thread
           Contrast::Agent::Thread.new do
             # Always check to see if it already started

data/lib/contrast/api/communication/socket.rb

@@ -4,16 +4,15 @@
 module Contrast
   module Api
     module Communication
-      # Behavior common to all sockets used
-      # to communicate with the Contrast Service.
+      # Behavior common to all sockets used to communicate with the Contrast Service.
       module Socket
         SOCKET_MONITOR = Monitor.new
 
         # Send a message across the socket and read back the response.
-        # @param marshaled [String] some marshaled form of data to be sent across
-        #   the socket. Typically an encoded form of Contrast::Api::Dtm::Message.
-        # @return [String] some marshalled form of data returned by the socket.
-        #   Typically an encoded form of Contrast::Api::Settings::AgentSettings.
+        # @param marshaled [String] some marshaled form of data to be sent across the socket. Typically an encoded form
+        #   of Contrast::Api::Dtm::Message.
+        # @return [String] some marshalled form of data returned by the socket. Typically an encoded form of
+        #   Contrast::Api::Settings::AgentSettings.
         def send_marshaled marshaled
           SOCKET_MONITOR.synchronize do
             socket = new_socket
@@ -34,8 +33,7 @@ module Contrast
           end
         end
 
-        # Override this method to return a socket.
-        # Should be interface compatible with TCPSocket, UNIXSocket, etc.
+        # Override this method to return a socket. Should be interface compatible with TCPSocket, UNIXSocket, etc.
         def new_socket
           raise NoMethodError, 'This is abstract, override it.'
         end

data/lib/contrast/api/communication/socket_client.rb

@@ -11,8 +11,8 @@ require 'contrast/components/logger'
 module Contrast
   module Api
     module Communication
-      # SocketClient acts as a interface between the agent and the service. It instantiates a
-      # service proxy and tracks the state of that proxy.
+      # SocketClient acts as a interface between the agent and the service. It instantiates a service proxy and tracks
+      # the state of that proxy.
       class SocketClient
         include Contrast::Components::Logger::InstanceMethods
 
@@ -20,12 +20,13 @@ module Contrast
           @socket = init_connection
         end
 
-        # Wrap the given DTM in a Contrast::Api::Dtm::Message and send it to the
-        # Service for processing
+        # Wrap the given DTM in a Contrast::Api::Dtm::Message and send it to the SpeedRacer for processing. The
+        # Message is the top level object required to communicate to SpeedRacer as it encompasses the information
+        # needed to find this process' context.
         #
         # @param event [Contrast::Api::Dtm] One of the DTMs valid for the event field of
         #   Contrast::Api::Dtm::Message
-        # @return [Contrast::Api::Settings::AgentSettings]
+        # @return [Contrast::Api::Settings::AgentSettings, nil]
         def send_one event
           msg = Contrast::Api::Dtm::Message.build(event)
           send_message(msg)
@@ -33,6 +34,12 @@ module Contrast
 
         private
 
+        # Initialize the connection to the SpeedRacer process based on the configuration provided by the user. This can
+        # be either TCP or UDP. Note that unlike the Go and the Node Agents, we cannot use the GRPC communication
+        # option as we cannot use Google's protobuf gems; they do not compile reliably and result in segmentation
+        # faults in customer environments.
+        #
+        # @return [Contrast::Api::Communication::TcpSocket, Contrast::Api::Communication::UnixSocket]
         def init_connection
           log_connection
           if ::Contrast::CONTRAST_SERVICE.use_tcp?
@@ -43,6 +50,7 @@ module Contrast
           end
         end
 
+        # Log information about the connection being used to communicate between the Agent and SpeedRacer.
         def log_connection
           # The socket is set,
           if ::Contrast::CONFIG.root.agent.service.socket
@@ -72,19 +80,24 @@ module Contrast
         def log_connection_error_msg
           if ::Contrast::CONFIG.root.agent.service.host
             'Missing a required connection value to the Contrast Service. ' \
-            '`agent.service.port` is not set. ' \
-            'Falling back to default TCP socket port.'
+              '`agent.service.port` is not set. ' \
+              'Falling back to default TCP socket port.'
           elsif ::Contrast::CONFIG.root.agent.service.port
             'Missing a required connection value to the Contrast Service. ' \
-            '`agent.service.host` is not set. ' \
-            'Falling back to default TCP socket host.'
+              '`agent.service.host` is not set. ' \
+              'Falling back to default TCP socket host.'
           else
             'Missing a required connection value to the Contrast Service. ' \
-            'Neither `agent.service.socket` nor the pair of `agent.service.host` and `agent.service.port` are set. '\
-            'Falling back to default TCP socket.'
+              'Neither `agent.service.socket` nor the pair of `agent.service.host` and `agent.service.port` are set. '\
+              'Falling back to default TCP socket.'
           end
         end
 
+        # Send the given message to SpeedRacer and return the response from it.
+        #
+        # @param msg [Contrast::Api::Dtm::Message] the packaged message to send to SpeedRacer
+        # @return [Contrast::Api::Settings::AgentSettings, nil]
+        # @raise [StandardError] if unable to send a message to SpeedRacer
         def send_message msg
           return unless msg
 
@@ -98,9 +111,13 @@ module Contrast
         rescue StandardError => e
           logger.error('Sending failed for message.', e, msg_id: msg.__id__, p_id: msg.pid,
                                                          msg_count: msg.message_count, response_id: response&.__id__)
-          raise e # reraise to let Speedracer manage the connection
+          raise e # reraise to let SpeedRacer manage the connection
         end
 
+        # Send the marshaled Contrast::Api::Dtm::Message across the socket used to talk to SpeedRacer
+        #
+        # @param marshaled [String]
+        # @return [String] the marshaled from of Contrast::Api::Settings::AgentSettings
         def send_marshaled marshaled
           @socket.send_marshaled(marshaled)
         end

data/lib/contrast/api/communication/speedracer.rb

@@ -6,7 +6,10 @@ require 'contrast/components/logger'
 module Contrast
   module Api
     module Communication
-      # Wraps all connection data to speedracer
+      # Wraps all connection data to SpeedRacer. SpeedRacer, also known as the Contrast Service, is a standalone
+      # executable that sits between the Agent and TeamServer. It handles converting our Protobuf messages into a
+      # format consumable by TeamServer. The Agent requires a SpeedRacer process to be running somewhere to which it
+      # can connect, as specified by the user configuration, in order to function.
       class Speedracer
         include Contrast::Api::Communication::ServiceLifecycle
         include Contrast::Components::Logger::InstanceMethods
@@ -20,6 +23,14 @@ module Contrast
           @ensure_running = Mutex.new
         end
 
+        # If there is not a SpeedRacer at the location specified by the configuration of this Agent and the Agent is
+        # set such that it should manage one, start up a new child process to run the SpeedRacer executable. If a
+        # connection has not already been made to that process, after starting it, this method will also send the
+        # messages necessary to create a context for this Agent process in the SpeedRacer as well as trigger
+        # SpeedRacer's sending of startup messages which will return features and settings from TeamServer.
+        #
+        # This operation is synchronous and blocking, so it will only happen one at a time per process and will halt
+        # Thread execution here until completion.
         def ensure_startup!
           return if status.connected?
 
@@ -40,12 +51,24 @@ module Contrast
           end
         end
 
+        # Send the given Event to SpeedRacer, returning the response from it. This response will either be new settings
+        # if anything's changed in TeamServer meaning the Agent needs to replace its current settings or there is
+        # Protect analysis information or nil if the current Agent settings do not need updating.
+        #
+        # @param event [Contrast::Api::Dtm] One of the DTMs valid for the event field of
+        # Contrast::Api::Dtm::Message|Contrast::Api::Dtm::Activity
+        # @return [Contrast::Api::Settings::AgentSettings,nil]
         def return_response event
           send_to_speedracer(event) do |response|
             return response
           end
         end
 
+        # Send the given Event to SpeedRacer and pass the result to our Contrast::Api::Communication::ResponseProcessor
+        # as there is no immediate action required from sending this Event.
+        #
+        # @param event [Contrast::Api::Dtm] One of the DTMs valid for the event field of
+        # Contrast::Api::Dtm::Message|Contrast::Api::Dtm::Activity
         def process_internally event
           send_to_speedracer(event) do |response|
             response_processor.process(response)
@@ -54,6 +77,12 @@ module Contrast
 
         private
 
+        # Ensure there is a running SpeedRacer and then send the given Event to it. It is necessary to ensure the
+        # SpeedRacer is running as, if the process has crashed or restarted, we must rebuild our context there.
+        #
+        # @param event [Contrast::Api::Dtm] One of the DTMs valid for the event field of
+        # Contrast::Api::Dtm::Message|Contrast::Api::Dtm::Activity
+        # @return [Contrast::Api::Settings::AgentSettings, nil]
         def send_to_speedracer event
           ensure_startup!
 
@@ -68,6 +97,9 @@ module Contrast
           nil
         end
 
+        # Send those messages which are required to build a context for this Agent process on SpeedRacer as well as
+        # report server and application startup to TeamServer. With these messages, the SpeedRacer will be able to
+        # retrieve settings from TeamServer and provide those for the Agent to complete its initialization.
         def send_initialization_messages
           agent_startup_msg = ::Contrast::APP_CONTEXT.build_agent_startup_message
 
@@ -97,6 +129,10 @@ module Contrast
           nil
         end
 
+        # Log the startup message we're sending to SpeedRacer
+        #
+        # @param event [Contrast::Api::Dtm] One of the DTMs valid for the event field of
+        # Contrast::Api::Dtm::Message|Contrast::Api::Dtm::Activity
         def log_send_event event
           logger.debug('Immediately sending event.', event_id: event.__id__, event_type: event.cs__class.cs__name)
         end

data/lib/contrast/api/communication/tcp_socket.rb

@@ -6,15 +6,15 @@ require 'contrast/api/communication/socket'
 module Contrast
   module Api
     module Communication
-      # This class allows us to create a TCP Socket to communicate to the Service
-      # (Speed Racer). Either it or the Unix Socket will be used, as determined
-      # by the configuration options set for Service communication.
+      # This class allows us to create a TCP Socket to communicate to the Service (Speed Racer). Either it or the Unix
+      # Socket will be used, as determined by the configuration options set for Service communication.
       class TcpSocket
         include Contrast::Api::Communication::Socket
 
         attr_reader :host, :port
 
         # Create the socket
+        #
         # @param host [String] socket target hostname or IP address
         # @param port [String,Integer] socket target port
         def initialize host, port
@@ -22,6 +22,7 @@ module Contrast
           @port = port.to_i
         end
 
+        # @return [::TCPSocket]
         def new_socket
           ::TCPSocket.new(host, port)
         end

data/lib/contrast/api/communication/unix_socket.rb

@@ -18,6 +18,7 @@ module Contrast
           @path = path
         end
 
+        # @return [::UNIXSocket]
         def new_socket
           ::UNIXSocket.new(path)
         end

data/lib/contrast/api/decorators/finding.rb

@@ -0,0 +1,45 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/api/dtm.pb'
+require 'contrast/utils/string_utils'
+require 'contrast/components/base'
+
+module Contrast
+  module Api
+    module Decorators
+      # Used to decorate the {Contrast::Api::Dtm::Finding} protobuf
+      # model so it can own the request which its data is for.
+      module Finding
+        def self.included klass
+          klass.extend(ClassMethods)
+        end
+
+        # Used to add class methods to the AgentStartup class on inclusion of the decorator
+        module ClassMethods
+          def build
+            new
+          end
+
+          def to_controlled_hash finding, *_args
+            {
+                hash_code: finding.hash_code,
+                platform: finding.platform,
+                rule_id: finding.rule_id,
+                evidence: finding.evidence,
+                properties: finding.properties,
+                events: finding.events,
+                tags: finding.tags,
+                version: finding.version,
+                routes: finding.routes,
+                session_id: finding.session_id,
+                teamserver_url: ::Contrast::API.api_url
+            }
+          end
+        end
+      end
+    end
+  end
+end
+
+Contrast::Api::Dtm::Finding.include(Contrast::Api::Decorators::Finding)

data/lib/contrast/components/api.rb

@@ -28,6 +28,62 @@ module Contrast
         def username
           @_username ||= ::Contrast::CONFIG.root.api.user_name
         end
+
+        def proxy_enabled?
+          @_proxy_enabled = true?(::Contrast::CONFIG.root.api.proxy.enable) if @_proxy_enabled.nil?
+          @_proxy_enabled
+        end
+
+        def proxy_url
+          @_proxy_url ||= ::Contrast::CONFIG.root.api.proxy.url
+        end
+
+        def request_audit_enable
+          @_request_audit_enable ||= true?(::Contrast::CONFIG.root.api.request_audit.enable)
+        end
+
+        def request_audit_requests
+          return @_request_audit_requests unless @_request_audit_requests.nil?
+
+          @_request_audit_requests = true?(::Contrast::CONFIG.root.api.request_audit.requests)
+        end
+
+        def request_audit_responses
+          return @_request_audit_responses unless @_request_audit_responses.nil?
+
+          @_request_audit_responses = true?(::Contrast::CONFIG.root.api.request_audit.responses)
+        end
+
+        def request_audit_path
+          @_request_audit_path ||= ::Contrast::CONFIG.root.api.request_audit.path.to_s
+        end
+
+        def certification_enabled?
+          @_certification_enabled ||= certification_truly_enabled?(::Contrast::CONFIG.root.api.certificate)
+        end
+
+        def certification_ca_file
+          @_certification_ca_file ||= ::Contrast::CONFIG.root.api.certificate.ca_file
+        end
+
+        def certification_cert_file
+          @_certification_cert_file ||= ::Contrast::CONFIG.root.api.certificate.cert_file
+        end
+
+        def certification_key_file
+          @_certification_key_file ||= ::Contrast::CONFIG.root.api.certificate.key_file
+        end
+
+        private
+
+        def certification_truly_enabled? config_path
+          return false unless true?(config_path.enable)
+          return true if file_exists?(certification_ca_file) && valid_cert?(certification_ca_file)
+          return true if file_exists?(certification_cert_file) && valid_cert?(certification_cert_file)
+          return true if file_exists?(certification_key_file) && valid_cert?(certification_key_file)
+
+          false
+        end
       end
     end
   end