contrast-agent 5.2.0 → 6.1.0

data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb

@@ -1,50 +1,148 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/agent/reporting/reporting_utilities/response_extractor'
+
 module Contrast
   module Agent
     module Reporting
       # This module holds utilities required by the reporting service response handler
       module ResponseHandlerUtils
-        ANALYZE_WHEN = '200'
-        SLEEP_WHEN = %w[401 408 500].cs__freeze
+        include Contrast::Agent::Reporting::ResponseExtractor
+
+        ANALYZE_WHEN = %w[200 204].cs__freeze
+        ERROR_CODES = {
+            message_not_sent: '400',
+            access_forbidden: '401',
+            access_forbidden_no_action: '403',
+            application_do_not_exist: '404',
+            unprocessable_entity: '422',
+            too_many_requests: '429'
+        }.cs__freeze
+        APP_NON_EXISTENT_MSG = 'Application does not exist! Either it has not been created or has '\
+                               'been deleted or archived. '\
+                               'Disabling permanently.'
+        SUSPEND_MSG = 'Reporter is temporarily suspended.'
+        UNSUCCESSFULLY_RECEIVED_MSG = 'The Reporter was unable to send message.'
+        FORBIDDEN_MSG = 'Access was forbidden for current Report because the request authentication '\
+                        'information was not provided'
+        FORBIDDEN_NO_ACTION_MSG = 'Report access was forbidden because the supplied credentials failed '\
+                                  'to authenticate the Agent'
+        UNPROCESSABLE_ENTITY_MSG = 'Reporter received Unprocessable Entity response. Disabling permanently.'
+        RETRY_AFTER_MSG = "There are too many requests of this type being sent by this Agent. #{ SUSPEND_MSG }"
 
         private
 
         # check if response code is valid before analyze it
         #
-        # @param response_code [Integer]
+        # @param response [Net::HTTP::Response, nil]
         # @return [Boolean]
-        def analyze_response_code? response_code
-          # 200 Successful recording of the server record on the database. FeatureSet successfully returned
+        def analyze_response? response
+          # Code descriptions:
+          # 200:
+          # Message successfully received and there are new settings
+          # 204:
+          # Message successfully received and it's up to Contrast Server to decide what is done with the data.
+          # 304:
+          # Message successfully received and there are no new settings. Use your current ones.
+          #
+          # ERRORS:
+          # 400:
+          # Message unsuccessfully received. The Contrast Server was unable to process the message properly.
           # 401:
-          # If any authentication errors occur. Agents should enter a suspended mode
-          # (no reporting) and attempt to reconnect in 15 minutes.
-          # 408:
-          # If the FeatureSet from TeamServer cannot be constructed in time.
-          # Agents should enter a suspended mode (no reporting) and attempt to reconnect in 15 minutes.
-          # 500:
-          # If any server error occurs. Agents should enter a suspended mode
-          # (no reporting) and attempt to reconnect in 15 minutes.
-          # 204, 304
-          # Successful update of the server record on the database.
-          # No FeatureSet update since the last time an activity was sent.
-          @_sleep = true if SLEEP_WHEN.include? response_code
-          return true if ANALYZE_WHEN.include? response_code
-
+          # Access was forbidden because the request authentication information was not provided.
+          # headers:
+          # www-Authenticate => Indicate that the API-Key and Authorization header are both required,
+          #                     in the standard format per RFC 2616
+          # 403:
+          # Access was forbidden because the supplied credentials failed to authenticate the Agent.
+          # 404:
+          # The application does not exist - either it has not been created or has been deleted or archived.
+          # If possible, the Agent should no longer analyze this application. For those Agents with multiple
+          # applications in a single process, at a minimum, cease reporting about this application.
+          # 422:
+          # Unprocessable Entity - The application startup is rejected because some piece of data is incorrect.
+          # The session_id could reference a non-existent session or the metadata (not session_metadata) could
+          # fail a constraint check. TeamServer should indicate this is an error message which the Agent should
+          # log. The Agent should no longer analyze this application.
+          # {
+          #   "error": "string"
+          # }
+          # 429:
+          # There are too many requests of this type being sent by this Agent. Back off for the time listed in
+          # the Retry-After header. In this case, it is on the Agent to determine if it is safe to hold onto the
+          # data to attempt to send again or if it needs to be dropped. The Contrast Server can choose what to do
+          # with message from improperly throttled Agents, including dropping them.
+          # header:
+          # Retry-After => how long, in seconds, to wait before attempting to send another request to this endpoint,
+          #                in the standard format per RFC 2616
+          # used for in observed routes message.
+          return false unless response && (response_code = response&.code)
+          return true if ANALYZE_WHEN.include?(response_code)
+
+          handle_error(response) if ERROR_CODES.value?(response_code)
+          # There was error, so analyze the Error and nothing more.
           false
         end
 
+        # Analyze the headers of the response code. They have information about the
+        # retry timeout and some response bodies contains error messages.
+        #
+        # @param response [String] the response code from Net::HTTPResponse, which is obnoxiousy a String, not an
+        # Integer
+        # @param message [String] Message to log.
+        # @param mode [Symbol, nil]
+        def handle_response_errors response, message, mode
+          # Set the current mode status.
+          @_mode.status = mode
+          ready_after, error_message, auth_error = extract_response_info response
+          # log, suspend, disable:
+          if mode == @_mode.running
+            log_debug_msg message,
+                          response: response.__id__,
+                          request: Contrast::Agent::REQUEST_TRACKER.current&.request&.type,
+                          error_message: error_message || 'none',
+                          auth_error: auth_error || 'none'
+          end
+          suspend_reporting message, ready_after, error_message if mode == @_mode.resending
+          return unless mode == @_mode.disabled
+
+          stop_reporting(message, application: Contrast::APP_CONTEXT.app_name, error_message: error_message)
+        rescue StandardError => e
+          logger.debug('Could not handle Response error information', error: e)
+        end
+
+        # Extract what we've received.
+        #
+        # @param response [Net::HTTP::Response, nil]
+        # @return [Array<String, Integer>] all collected error info.
+        def extract_response_info response
+          # Extract what we got from the response:
+          ready_after = response['Ready-After'] if response.to_hash.keys.map(&:downcase).include?('ready-after')
+          if response.to_hash.keys.map(&:downcase).include?('www-authenticate')
+            auth_error = response['www-Authenticate']
+          end
+          error_message = response.message
+          [ready_after.to_i, error_message, auth_error]
+        end
+
+        # Cease reporting about this application
+        #
+        # @param message [String] Message to log
+        # @param info_hash [Hash] information about the context to log.
+        def stop_reporting message, info_hash
+          Contrast::Agent.reporter&.stop!
+          log_debug_msg(message, info_hash)
+          ::Contrast::AGENT.disable!
+        end
+
         # Applies the settings from the TS response
         #
         # @param response [Contrast::Agent::Reporting::Response]
         def update_agent_settings response
-          if response.server_features
-            log_file = response.server_features.log_file
-            log_level = response.server_features.log_level
-            Contrast::Logger::Log.instance.update(log_file, log_level) if log_file && log_level
-            Contrast::SETTINGS.update_from_server_features(response)
-          end
+          return unless response
+
+          Contrast::SETTINGS.update_from_server_features(response) if response.server_features
           Contrast::SETTINGS.update_from_application_settings(response) if response.application_settings
         end
 
@@ -58,19 +156,14 @@ module Contrast
 
           response.application_settings.reactions.each do |reaction|
             # The enums are all uppercase, we need to downcase them before attempting to log.
-            level = if reaction.level.nil?
-                      :error
-                    else
-                      reaction.level.downcase
-                    end
-
+            level = reaction.level.nil? ? :error : reaction.level.downcase
             logger.with_level(level, reaction.message) if reaction.message
 
             case reaction.operation
-            when Contrast::Agent::Reporting::Settings::Reaction::OPERATIONS.second
+            when Contrast::Agent::Reporting::Settings::Reaction::OPERATIONS[1]
               # DISABLED
-              Contrast::Agent::DisableReaction.run reaction, level
-            when Contrast::Agent::Reporting::Settings::Reaction::OPERATIONS.first
+              Contrast::Agent::DisableReaction.run(reaction, level)
+            when Contrast::Agent::Reporting::Settings::Reaction::OPERATIONS[0]
               # NOOP
             else
               logger.warn('ReactionProcessor received a reaction with an unknown operation',
@@ -79,6 +172,24 @@ module Contrast
           end
         end
 
+        # This can't go in the Settings component because protect and assess depend on settings
+        # I don't think it should go into contrast_service because that only handles connection specific data.
+        #
+        # @param response [Contrast::Agent::Reporting::Response]
+        def update_ruleset response
+          logger.info('Updating features from TeamServer')
+          return unless response&.server_features || response&.application_settings
+          return unless ::Contrast::AGENT.enabled?
+
+          logger.trace_with_time('Rebuilding rule modes from TeamServer') do
+            ::Contrast::SETTINGS.build_protect_rules if ::Contrast::PROTECT.enabled?
+            ::Contrast::AGENT.reset_ruleset
+            logger.info('Current rule settings:')
+            ::Contrast::PROTECT.rules.each { |k, v| logger.info('Protect Rule mode set', rule: k, mode: v.mode) }
+            logger.info('Disabled Assess Rules', rules: ::Contrast::ASSESS.disabled_rules)
+          end
+        end
+
         # Converts response from Net to Reporting Response object
         #
         # @param response [Net::HTTP::Response, nil]
@@ -94,12 +205,14 @@ module Contrast
           # check if response contains application settings or Feature settings
           if response_data[:settings]
             # the response contains ApplicationSettings
-            logger.trace('Agent: Received updated application settings')
-            build_application_settings response_data
+            app_settings = build_application_settings(response_data)
+            logger.trace('Agent: Received updated application settings', raw: response_data, processed: app_settings)
+            app_settings
           else
             # the response contains FeatureSettings
-            logger.trace('Agent: Received updated server features')
-            build_feature_settings response_data
+            server_features = build_feature_settings(response_data)
+            logger.trace('Agent: Received updated application settings', raw: response_data, processed: server_features)
+            server_features
           end
         rescue StandardError => e
           logger.error('Unable to convert response', e)
@@ -109,18 +222,19 @@ module Contrast
         # @param response_data [Hash]
         # @return res [Contrast::Agent::Reporting::Response]
         def build_application_settings response_data
-          res = Contrast::Agent::Reporting::Response.new
+          res = Contrast::Agent::Reporting::Response.application_response
           extract_assess response_data, res
           extract_protect response_data, res
           extract_exclusions response_data, res
           extract_reactions response_data, res
+          extract_sensitive_data_policy response_data, res
           res
         end
 
         # @param response_data [Hash]
         # @return res [Contrast::Agent::Reporting::Response]
         def build_feature_settings response_data
-          res = Contrast::Agent::Reporting::Response.new
+          res = Contrast::Agent::Reporting::Response.server_response
           extract_assess_server_features response_data, res
           extract_protect_server_features response_data, res
           extract_protect_lists response_data, res
@@ -129,79 +243,6 @@ module Contrast
           res.server_features.telemetry = response_data[:telemetry]
           res
         end
-
-        # @param response_data [Hash]
-        # @return res [Contrast::Agent::Reporting::Response]
-        def extract_assess response_data, res
-          assessments = response_data[:settings][:assessment]
-          return unless assessments
-
-          res.application_settings.assess.disabled_rules = assessments[:disabledRules]
-          res.application_settings.assess.session_id = assessments[:session_id]
-        end
-
-        # @param response_data [Hash]
-        # @return res [Contrast::Agent::Reporting::Response]
-        def extract_protect response_data, res
-          protect = response_data[:settings][:defend]
-          return unless protect
-
-          res.application_settings.protect.protection_rules = protect[:protectionRules]
-          res.application_settings.protect.virtual_patches = protect[:virtualPatches]
-        end
-
-        # @param response_data [Hash]
-        # @return res [Contrast::Agent::Reporting::Response]
-        def extract_exclusions response_data, res
-          exclusions = response_data[:settings][:exceptions]
-          return unless exclusions
-
-          res.application_settings.exclusions.code_exclusions = exclusions[:codeExceptions]
-          res.application_settings.exclusions.input_exclusions = exclusions[:inputExceptions]
-          res.application_settings.exclusions.url_exclusions = exclusions[:urlExceptions]
-        end
-
-        # @param response_data [Hash]
-        # @return res [Contrast::Agent::Reporting::Response]
-        def extract_reactions response_data, res
-          res.application_settings.reactions = response_data[:settings][:reactions]
-        end
-
-        # @param response_data [Hash]
-        # @return res [Contrast::Agent::Reporting::Response]
-        def extract_assess_server_features response_data, res
-          assess = response_data[:assessment]
-          return unless assess
-
-          res.server_features.assess.enabled = assess[:enabled]
-          res.server_features.assess.disabled_rules = assess[:disabledRules]
-          res.server_features.assess.sampling = assess[:sampling]
-          res.server_features.assess.sanitizers = assess[:sanitizers]
-          res.server_features.assess.validators = assess[:validators]
-        end
-
-        # @param response_data [Hash]
-        # @return res [Contrast::Agent::Reporting::Response]
-        def extract_protect_server_features response_data, res
-          protect = response_data[:defend]
-          return unless protect
-
-          res.server_features.protect.enabled = protect[:enabled]
-          res.server_features.protect.bot_blocker = protect[:bot_blocker]
-          res.server_features.protect.syslog = protect[:syslog]
-        end
-
-        # @param response_data [Hash]
-        # @return res [Contrast::Agent::Reporting::Response]
-        def extract_protect_lists response_data, res
-          protect = response_data[:defend]
-          return unless protect
-
-          res.server_features.protect.ip_allowlist = protect[:ipAllowlist]
-          res.server_features.protect.ip_denylist = protect[:ipDenyList]
-          res.server_features.protect.log_enchancers = protect[:logEnhancers]
-          res.server_features.protect.rule_definition_list = protect[:ruleDefinitionList]
-        end
       end
     end
   end

data/lib/contrast/agent/reporting/settings/application_settings.rb

@@ -5,6 +5,7 @@ require 'contrast/agent/reporting/settings/assess'
 require 'contrast/agent/reporting/settings/protect'
 require 'contrast/agent/reporting/settings/exclusions'
 require 'contrast/agent/reporting/settings/reaction'
+require 'contrast/agent/reporting/settings/sensitive_data_masking'
 
 module Contrast
   module Agent
@@ -43,6 +44,14 @@ module Contrast
             @_reactions
           end
 
+          # This object will hold the masking rules send from TS.
+          #
+          # @return sensitive_data_masking [Contrast::Agent::Reporting::Settings::SensitiveDataMasking] this object
+          # includes mask_http_body flag and Array set of rules with keywords in them.
+          def sensitive_data_masking
+            @_sensitive_data_masking ||= Contrast::Agent::Reporting::Settings::SensitiveDataMasking.new
+          end
+
           # Set the reaction
           #
           # @param reactions [Array<Reaction>] {

data/lib/contrast/agent/reporting/settings/assess_server_feature.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/utils/object_share'
+require 'contrast/agent/reporting/settings/sampling'
 
 module Contrast
   module Agent
@@ -11,19 +12,6 @@ module Contrast
         # Application level settings for the Assess featureset.
         # Used for the FeatureSet TS response
         class AssessServerFeature
-          # Assess rules to disable for this application.
-          #
-          # @return disabled_rules [Array<AssessRuleID>] Array with string rule_ids
-          def disabled_rules
-            @_disabled_rules ||= []
-          end
-
-          # @param disabled_rules [Array<AssessRuleID>] with AssessRuleID strings
-          # @return disabled_rules [Array<AssessRuleID>] Array with string rule_ids
-          def disabled_rules= disabled_rules
-            @_disabled_rules = disabled_rules if disabled_rules.is_a? Array
-          end
-
           # Indicate if the assess feature set is enabled for this server or not.
           #
           # @return enabled [Boolean]
@@ -41,17 +29,9 @@ module Contrast
 
           # Used to control the sampling feature in the agent.
           #
-          # @return sampling [Hash<AssessSampling>] Hash of AssessSampling: {
-          #  baseline          [Integer] The number of baseline requests to take before switching to sampling
-          #                               for the window.
-          #  enabled           [Boolean] If the sampling feature should be used or not.
-          #  frequency         [Integer] The number of requests to skip before observing during the sampling
-          #                               window after the baseline.
-          #  responseFrequency [Integer]
-          #  window            [Integer]
-          # }
+          # @return [Contrast::Agent::Reporting::Settings::Sampling]
           def sampling
-            @_sampling ||= {}
+            @_sampling ||= Contrast::Agent::Reporting::Settings::Sampling.new({})
           end
 
           # set sampling
@@ -65,17 +45,9 @@ module Contrast
           #  responseFrequency [Integer]
           #  window            [Integer]
           # }
-          # @return sampling [Hash<AssessSampling>] Hash of AssessSampling: {
-          #  baseline          [Integer] The number of baseline requests to take before switching to sampling
-          #                               for the window.
-          #  enabled           [Boolean] If the sampling feature should be used or not.
-          #  frequency         [Integer] The number of requests to skip before observing during the sampling
-          #                               window after the baseline.
-          #  responseFrequency [Integer]
-          #  window            [Integer]
-          # }
+          # @return [Contrast::Agent::Reporting::Settings::Sampling]
           def sampling= sampling
-            @_sampling = sampling if sampling.is_a? Hash
+            @_sampling = Contrast::Agent::Reporting::Settings::Sampling.new(sampling) if sampling.is_a? Hash
           end
 
           # The sanitizers defined by the user for use by the agent on this server for this organization.

data/lib/contrast/agent/reporting/settings/protect.rb

@@ -73,7 +73,7 @@ module Contrast
           #
           # @return rules [Hash<RULE_ID => MODE>, nil] Hash with rule_id as key and mode as value
           def protection_rules_to_settings_hash
-            return if protection_rules.empty?
+            return {} if protection_rules.empty?
 
             modes_by_id = {}
             protection_rules.each do |rule|

data/lib/contrast/agent/reporting/settings/protect_server_feature.rb

@@ -23,7 +23,7 @@ module Contrast
           # @param enabled [Boolean]
           # @return enabled [Boolean]
           def enabled= enabled
-            @_enabled = enabled if !!enabled == enabled
+            @_enabled = enabled
           end
 
           # Indicate if the bot protection feature set is enabled for this server or not.
@@ -191,7 +191,7 @@ module Contrast
           #                    value          [String] }
           # }
           def rule_definition_list= list
-            @_rule_definition_list = list.is_a? Array
+            @_rule_definition_list = list if list.is_a? Array
           end
 
           # Controls for the syslogging feature in the agent.

data/lib/contrast/agent/reporting/settings/sampling.rb

@@ -0,0 +1,36 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+
+module Contrast
+  module Agent
+    module Reporting
+      module Settings
+        # Sampling controls for the Assess Features provided by TeamServer
+        class Sampling
+          # @return [Integer] The number of baseline requests to take before switching to sampling for the window.
+          attr_reader :baseline
+          # @return [Boolean] If the sampling feature should be used or not.
+          attr_reader :enabled
+          # @return [Integer] The number of requests to skip before observing during the sampling window after the
+          #   baseline.
+          attr_reader :request_frequency
+          # @return [Integer] The number of responses to skip before observing during the sampling window after the
+          #  baseline.
+          attr_reader :response_frequency
+          # @return [Integer] The length of time for which the sample period is valid, in ms.
+          attr_reader :window_ms
+
+          def initialize hsh
+            @baseline = hsh[:baseline]
+            @enabled = hsh[:enabled]
+            @request_frequency = hsh[:frequency]
+            @response_frequency = hsh[:responseFrequency]
+            @window_ms = hsh[:window]
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/settings/sensitive_data_masking.rb

@@ -0,0 +1,110 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/reporting/settings/sensitive_data_masking_rule'
+
+module Contrast
+  module Agent
+    module Reporting
+      # This module will hold all the settings from the TS responce
+      module Settings
+        # Protect level settings for the sensitive_data_masking_policy.
+        # Configuration of the masking parameters will be delivered dynamically from TeamServer
+        # during an ApplicationSettings response from requests to TS endpoints that return that
+        # structure.
+        # https://contrast.atlassian.net/wiki/spaces/~699189087/pages/807960614/Sensitive+Data+Masking+Design
+        class SensitiveDataMasking
+          # Policy flag to enable the use of masking on request body
+          # Here is set to defaults to true.
+          #
+          # @return true | false
+          def mask_http_body?
+            @_mask_http_body
+          end
+
+          # Set the flag for request body masking
+          #
+          # @param bool [Boolean]
+          # @return true | false
+          def mask_http_body= bool
+            @_mask_http_body = bool.nil? ? true : !!bool
+          end
+
+          # Policy flag to enable the use of masking on attack vector.
+          # Here is set to defaults to false.
+          #
+          # @return true | false
+          def mask_attack_vector?
+            @_mask_attack_vector
+          end
+
+          # Set the flag for using masking on attack vector
+          #
+          # @param bool [Boolean]
+          # @return true | false
+          def mask_attack_vector= bool
+            @_mask_attack_vector = !!bool
+          end
+
+          # Rules to follow when using the masking
+          #
+          # @return rules [Array<Contrast::Agent::Reporting::Settings::SensitiveDataMaskingRule>, []]
+          def rules
+            @_rules ||= Contrast::Agent::Reporting::Settings::RulesArray.new
+          end
+
+          # Assign rules array
+          #
+          # @param rules [Array<Contrast::Agent::Reporting::Settings::SensitiveDataMaskingRule>]
+          # @return rules [Array<Contrast::Agent::Reporting::Settings::SensitiveDataMaskingRule>, []]
+          def rules= rules
+            @_rules = rules if rules_array? rules
+          end
+
+          # Build rules from hash
+          #
+          # @param settings_rules [Hash] Response settings under Settings/sensitive_data_masking_policy/rules
+          # @return rules [Array<Contrast::Agent::Reporting::Settings::SensitiveDataMaskingRule>, nil
+          def build_rules_form_settings settings_rules
+            return unless settings_rules || settings_rules.empty?
+
+            settings_rules.each do |rule|
+              instance = Contrast::Agent::Reporting::Settings::SensitiveDataMaskingRule.new
+              instance.rule_id = rule[:id]
+              instance.keywords = rule[:keywords]
+              rules << instance
+            end
+            rules
+          end
+
+          private
+
+          # Determine if parameter is array of Rules.
+          #
+          # @param array [Array<Contrast::Agent::Reporting::Settings::SensitiveDataMaskingRule>] Array of keywords.
+          # @return true | false
+          def rules_array? array
+            return false unless array.is_a?(Array)
+
+            array.all?(Contrast::Agent::Reporting::Settings::SensitiveDataMaskingRule)
+          end
+        end
+
+        # Simple validation class for Rules Array.
+        class RulesArray < Array
+          # Do not push anything except Rules instances.
+          # :<< method is called on object directly so this
+          # will make sure the data pushed is as expected.
+          #
+          # @param item [Contrast::Agent::Reporting::Settings::SensitiveDataMaskingRule]
+          # @return itself [Array<Contrast::Agent::Reporting::Settings::SensitiveDataMaskingRule>]
+          def << item
+            return itself unless item.instance_of? Contrast::Agent::Reporting::Settings::SensitiveDataMaskingRule
+
+            super
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/settings/sensitive_data_masking_rule.rb

@@ -0,0 +1,58 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+
+module Contrast
+  module Agent
+    module Reporting
+      # This module will hold all the settings from the TS responce
+      module Settings
+        # Protect level settings for the sensitive_data_masking_policy Rule entry.
+        class SensitiveDataMaskingRule
+          # Id for this rule.
+          #
+          # @return rule_id [String] Name of parameter to mask.
+          def rule_id
+            @_rule_id ||= Contrast::Utils::ObjectShare::EMPTY_STRING
+          end
+
+          # Set the rule name.
+          #
+          # @param id [String] Name of parameter to mask.
+          # @return rule_id [String]
+          def rule_id= id
+            @_rule_id = id.to_s
+          end
+
+          # Array of keywords to mask values for the rule_id.
+          #
+          # @return keywords [Array<String>] set of keywords
+          def keywords
+            @_keywords ||= []
+          end
+
+          # Set keywords array.
+          #
+          # @param words_array [Array<String>]
+          # @return keywords [Array<String>] set of keywords
+          def keywords= words_array
+            @_keywords = words_array if string_array? words_array
+          end
+
+          private
+
+          # Determine if a array is array of strings.
+          #
+          # @param array [Array<String] Array of keywords.
+          # @return true | false
+          def string_array? array
+            return false unless array.is_a?(Array) && array.any?
+
+            array.all? String
+          end
+        end
+      end
+    end
+  end
+end