contrast-agent 5.3.0 → 6.0.0

data/lib/contrast/agent/reporting/reporting_events/library_usage_observation.rb

@@ -4,12 +4,12 @@
 module Contrast
   module Agent
     module Reporting
-      #
-      # @attr_accessor id - [String]  - Hash of library as identified by the agent
-      # @attr_accessor names Array[String] - List of file paths that have been loaded out of or executed by the library
-      #
+      # The usage, meaning loaded files, of a library seen during this request
       class LibraryUsageObservation
-        attr_accessor :id, :names
+        # @param [String] Sha256Sum of library as identified by the agent
+        attr_accessor :id
+        # @param [Array<String>] List of file paths that have been loaded out of or executed by the library
+        attr_reader :names
 
         class << self
           # Convert a DTM for SpeedRacer to an Event for TeamServer.

data/lib/contrast/agent/reporting/reporting_events/observed_route.rb

@@ -15,16 +15,16 @@ module Contrast
       # externally accessible endpoints within the application, as registered to the application framework. This also
       # includes the literal URL and HTTP Verb used to invoke them, as they must have been called at this point to be
       # recorded.
-      #
-      # @attr_accessor signature [String] the method signature used to uniquely identify the coverage report.
-      # @attr_accessor url [String] the normalized URL used to access the method in the route.
-      # @attr_accessor verb [String] the HTTP Verb used  to access the method in the route.
-      # @attr_accessor agent_session_id_value [Integer] the session of this process, as determined from TeamServer on
-      #   application create.
-      # @attr_accessor sources [Array<Contrast::Agent::Reporting::TraceEventSource>] the sources of user input accessed
-      #   during this request. Used for remediation determinations in TeamServer.
       class ObservedRoute < Contrast::Agent::Reporting::ReportingEvent
-        attr_accessor :sources, :agent_session_id_value, :signature, :verb, :url
+        # @param [String] the method signature used to uniquely identify the coverage report.
+        attr_accessor :signature
+        # @param [String] the normalized URL used to access the method in the route.
+        attr_accessor :url
+        # @param [String] the HTTP Verb used  to access the method in the route.
+        attr_accessor :verb
+        # @param [Array<Contrast::Agent::Reporting::TraceEventSource>] the sources of user input accessed during this
+        #   request. Used for remediation determinations in TeamServer.
+        attr_reader :sources
 
         def initialize
           @event_endpoint = Contrast::Agent::Reporting::Endpoints.observed_route

data/lib/contrast/agent/reporting/reporting_events/preflight_message.rb

@@ -1,6 +1,7 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/components/assess'
 require 'contrast/components/logger'
 require 'contrast/agent/reporting/reporting_events/reporting_event'
 
@@ -29,7 +30,7 @@ module Contrast
           @app_name = ::Contrast::APP_CONTEXT.app_name
           @app_version = ::Contrast::APP_CONTEXT.app_version
           @routes = []
-          @agent_session_id_value = Contrast::APP_CONTEXT.session_id
+          @agent_session_id_value = ::Contrast::ASSESS.session_id
         end
 
         # Convert the instance variables on the class, and other information, into the identifiers required for

data/lib/contrast/agent/reporting/reporting_events/reporting_event.rb

@@ -4,6 +4,7 @@
 require 'contrast/components/logger'
 require 'contrast/utils/assess/trigger_method_utils'
 require 'contrast/agent/reporting/reporting_utilities/endpoints'
+require 'contrast/components/assess'
 
 module Contrast
   module Agent
@@ -19,7 +20,7 @@ module Contrast
         attr_reader :event_method
 
         def initialize
-          @agent_session_id_value = '0' # TODO: RUBY-1514 Contrast::APP_CONTEXT.session_id once we have app start
+          @agent_session_id_value = ::Contrast::ASSESS.session_id
           @event_endpoint ||= nil
           @event_method ||= :POST
         end

data/lib/contrast/agent/reporting/reporting_events/route_coverage.rb

@@ -15,13 +15,15 @@ module Contrast
       # externally accessible endpoints within the application, as registered to the application framework. This also
       # includes the literal URL and HTTP Verb used to invoke them, as they must have been called at this point to be
       # recorded.
-      #
-      # @attr_accessor route [String] the method signature used to uniquely identify the coverage report.
-      # @attr_accessor url [String] the normalized URL used to access the method in the route.
-      # @attr_accessor verb [String] the HTTP Verb used  to access the method in the route.
-      # @attr_accessor count [Integer] the number of times this was hit; no longer needed as it can be derived.
       class RouteCoverage
-        attr_accessor :route, :url, :verb, :count
+        # @param [String] the method signature used to uniquely identify the coverage report.
+        attr_accessor :route
+        # @param [String] the normalized URL used to access the method in the route.
+        attr_accessor :url
+        # @param [String] the HTTP Verb used  to access the method in the route.
+        attr_accessor :verb
+        # @param [Integer] the number of times this was hit; no longer needed as it can be derived.
+        attr_reader :count
 
         def initialize
           @route = Contrast::Utils::ObjectShare::EMPTY_STRING

data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb

@@ -30,7 +30,7 @@ module Contrast
         # @return [Net::HTTP, nil] Return open connection or nil
         def initialize_connection
           # for this client we would use proxy and custom certificate file if available
-          super(SERVICE_NAME, Contrast::API.api_url, true, true)
+          super(SERVICE_NAME, Contrast::API.api_url, use_proxy: true, use_custom_cert: true)
         end
 
         def initialize
@@ -55,13 +55,12 @@ module Contrast
         # @param connection [Net::HTTP] open connection
         # @param send_immediately [Boolean] flag for the logger
         # @return response [Net::HTTP::Response, nil] response from TS if no response
-        def send_event event, connection, send_immediately = false
+        def send_event event, connection, send_immediately: false
           return unless Contrast::Agent::Reporter.enabled?
           return unless connection
 
-          response = send_events(event, connection)
-          log_send_event event if send_immediately
-          response
+          log_send_event(event) if send_immediately
+          send_events(event, connection)
         rescue StandardError => e
           handle_error event, e
         end
@@ -78,6 +77,18 @@ module Contrast
           response_handler.sleep?
         end
 
+        def timeout
+          response_handler.timeout
+        end
+
+        def mode
+          response_handler.mode
+        end
+
+        def reset_mode
+          response_handler.reset_mode
+        end
+
         def wake_up
           response_handler.wake_up
         end

data/lib/contrast/agent/reporting/reporting_utilities/reporter_client_utils.rb

@@ -3,6 +3,7 @@
 
 require 'contrast/components/logger'
 require 'contrast/components/scope'
+require 'contrast/agent/reporting/reporting_events/application_startup'
 require 'contrast/agent/reporting/reporting_utilities/reporter_client'
 require 'contrast/agent/reporting/reporting_utilities/endpoints'
 
@@ -15,6 +16,12 @@ module Contrast
         include Contrast::Components::Scope::InstanceMethods
         include Contrast::Agent::Reporting::Endpoints
 
+        # List the events that need to be sent when agent starts up
+        STARTUP_EVENTS = [
+          Contrast::Agent::Reporting::ApplicationStartup,
+          Contrast::Agent::Reporting::AgentStartup
+        ].cs__freeze
+
         # @param event [Contrast::Agent::Reporting::Preflight] the preflight we handle here
         # @param response [Net::HTTP::Response,nil] The response we handle and read from
         # @param connection [Net::HTTP] open connection
@@ -31,7 +38,7 @@ module Contrast
           return unless corresponding_finding
 
           audit&.audit_event(corresponding_finding, response) if ::Contrast::API.request_audit_enable?
-          send_event(corresponding_finding, connection, true)
+          send_event(corresponding_finding, connection, send_immediately: true)
           nil
         rescue StandardError => e
           logger.error('Unable to handle response', e)
@@ -92,38 +99,28 @@ module Contrast
         # Handles response processing and sets status
         #
         # @param response [Net::HTTP::Response]
-        # @return response [Net::HTTP::Response]
         def process_response response
           response_handler.process(response)
           logger.debug('Successfully sent startup messages to service.')
           status.success!
-          response
         end
 
         # build the request headers and assign endpoint
         #
-        # @param event event [Contrast::Api::Dtm::AgentStartup, Contrast::Agent::Reporting::ReportingEvent]
+        # @param event event [Contrast::Agent::Reporting::ReportingEvent]
         # One of the DTMs valid for the event field of Contrast::Api::Dtm::Message|Contrast::Api::Dtm::Activity
         # @return [Net::HTTP::Post,Net::HTTP::Put]
         def build_request event
           with_contrast_scope do
-            request = if event.cs__is_a?(Contrast::Agent::Reporting::ReportingEvent)
-                        case event.event_method
-                        when :PUT
-                          Net::HTTP::Put.new(event.event_endpoint)
-                        when :POST
-                          Net::HTTP::Post.new(event.event_endpoint)
-                        end
-                      else # TODO: RUBY-1438 -- remove
-                        Net::HTTP::Put.new(Contrast::Agent::Reporting::Endpoints::NG_ENDPOINTS[:agent_startup])
+            request = case event.event_method
+                      when :PUT
+                        Net::HTTP::Put.new(event.event_endpoint)
+                      else # :POST
+                        Net::HTTP::Post.new(event.event_endpoint)
                       end
             build_headers(request)
-            if event.cs__is_a?(Contrast::Agent::Reporting::ReportingEvent)
-              event.attach_headers(request)
-              request.body = event.to_controlled_hash.to_json
-            else
-              request.body = event.to_json
-            end
+            event.attach_headers(request)
+            request.body = event.to_controlled_hash.to_json
             request
           end
         end
@@ -131,15 +128,17 @@ module Contrast
         # Send Agent Startup event
         #
         # @param connection [Net::HTTP] open connection
-        # @return response [Net::HTTP::Response] response from TS
         def send_agent_startup connection
           logger.debug('Preparing to send startup messages')
-          startup = Contrast::APP_CONTEXT.build_agent_startup_message
-          request = build_request(startup)
-          response = connection.request(request)
-          process_response(response)
-        rescue StandardError => e
-          handle_error(startup, e)
+
+          STARTUP_EVENTS.each do |event|
+            startup_event = event.new
+            request = build_request(startup_event)
+            response = connection.request(request)
+            process_response(response)
+          rescue StandardError => e
+            handle_error(startup_event, e)
+          end
         end
 
         # Sent different events to different endpoints
@@ -147,10 +146,12 @@ module Contrast
         # @param event [Contrast::Api::Dtm,Contrast::Agent::Reporting::ReportingEvent] Main reporting event, all events
         # inherit it
         # @param connection [Net::HTTP] open connection
+        # @return [Net::HTTP::Response]
         def send_events event, connection
           request = build_request(event)
           response = connection.request(request)
           process_response(response)
+          response
         rescue StandardError => e
           handle_error(event, e)
         end

data/lib/contrast/agent/reporting/reporting_utilities/reporting_storage.rb

@@ -53,7 +53,7 @@ module Contrast
           end
 
           # @param rule_id [String] the rule_id
-          # @return [Hash, nil] return array with key and value of the pair
+          # @return [Array, nil] return array with key and value of the pair
           def find_by_rule_id rule_id
             return unless rule_id
 

data/lib/contrast/agent/reporting/reporting_utilities/response_extractor.rb

@@ -0,0 +1,97 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Reporting
+      # This module will hold the methods for TS response conversion to settings objects.
+      module ResponseExtractor
+        private
+
+        # @param response_data [Hash]
+        # @param res [Contrast::Agent::Reporting::Response]
+        def extract_assess response_data, res
+          assessments = response_data[:settings][:assessment]
+          return unless assessments
+
+          res.application_settings.assess.disabled_rules = assessments[:disabledRules]
+          res.application_settings.assess.session_id = assessments[:sessionId]
+        end
+
+        # @param response_data [Hash]
+        # @param res [Contrast::Agent::Reporting::Response]
+        def extract_protect response_data, res
+          protect = response_data[:settings][:defend]
+          return unless protect
+
+          res.application_settings.protect.protection_rules = protect[:protectionRules]
+          res.application_settings.protect.virtual_patches = protect[:virtualPatches]
+        end
+
+        # @param response_data [Hash]
+        # @param res [Contrast::Agent::Reporting::Response]
+        def extract_exclusions response_data, res
+          exclusions = response_data[:settings][:exceptions]
+          return unless exclusions
+
+          res.application_settings.exclusions.code_exclusions = exclusions[:codeExceptions]
+          res.application_settings.exclusions.input_exclusions = exclusions[:inputExceptions]
+          res.application_settings.exclusions.url_exclusions = exclusions[:urlExceptions]
+        end
+
+        # @param response_data [Hash]
+        # @param res [Contrast::Agent::Reporting::Response]
+        def extract_reactions response_data, res
+          res.application_settings.reactions = response_data[:settings][:reactions]
+        end
+
+        # @param response_data [Hash]
+        # @param res [Contrast::Agent::Reporting::Response]
+        def extract_assess_server_features response_data, res
+          assess = response_data[:assessment]
+          return unless assess
+
+          res.server_features.assess.enabled = assess[:enabled]
+          res.server_features.assess.sampling = assess[:sampling]
+          res.server_features.assess.sanitizers = assess[:sanitizers]
+          res.server_features.assess.validators = assess[:validators]
+        end
+
+        # @param response_data [Hash]
+        # @param res [Contrast::Agent::Reporting::Response]
+        def extract_protect_server_features response_data, res
+          protect = response_data[:defend]
+          return unless protect
+
+          res.server_features.protect.enabled = protect[:enabled]
+          res.server_features.protect.bot_blocker = protect[:bot_blocker]
+          res.server_features.protect.syslog = protect[:syslog]
+        end
+
+        # @param response_data [Hash]
+        # @param res [Contrast::Agent::Reporting::Response]
+        def extract_protect_lists response_data, res
+          protect = response_data[:defend]
+          return unless protect
+
+          res.server_features.protect.ip_allowlist = protect[:ipAllowlist]
+          res.server_features.protect.ip_denylist = protect[:ipDenyList]
+          res.server_features.protect.log_enchancers = protect[:logEnhancers]
+          res.server_features.protect.rule_definition_list = protect[:ruleDefinitionList]
+        end
+
+        # Here we extract the rules and state for the sensitive data masking policy
+        # Received from TS.
+        #
+        # @param response_data [Hash]
+        # @param res [Contrast::Agent::Reporting::Response]
+        def extract_sensitive_data_policy response_data, res
+          sensitive_data = response_data[:settings][:sensitive_data_masking_policy]
+          res.application_settings.sensitive_data_masking.mask_http_body = sensitive_data[:mask_http_body]
+          res.application_settings.sensitive_data_masking.mask_attack_vector = sensitive_data[:mask_attack_vector]
+          res.application_settings.sensitive_data_masking.build_rules_form_settings sensitive_data[:rules]
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/reporting_utilities/response_handler.rb

@@ -5,6 +5,7 @@ require 'contrast/api/communication/response_processor'
 require 'contrast/api/decorators/application_settings'
 require 'contrast/agent/reporting/reporting_utilities/response'
 require 'contrast/agent/reporting/reporting_utilities/response_handler_utils'
+require 'contrast/agent/reporting/reporting_utilities/response_handler_mode'
 require 'contrast/api/decorators/server_features'
 require 'contrast/components/logger'
 require 'json'
@@ -16,23 +17,26 @@ module Contrast
       class ResponseHandler < Contrast::Api::Communication::ResponseProcessor
         include Contrast::Components::Logger::InstanceMethods
         include Contrast::Agent::Reporting::ResponseHandlerUtils
+        # 15 min
+        TIMEOUT = 900.cs__freeze
+
         # Process the response from TS
         #
         # @param response [Net::HTTP::Response, nil]
         # @return response [Net::HTTP::Response, nil]
         def process response
           logger.debug('Reporter Received a response')
-          return unless analyze_response_code? response&.code
+          return unless analyze_response? response
 
-          # handle the response body and obtain server_features or app_settings
+          # Handle the response body and obtain server_features or app_settings
           report_response = convert_response response
 
           return unless report_response
 
           update_agent_settings report_response
           update_reaction report_response
-          # this one is called from super needs to be placed here after protobuf
-          update_features report_response.server_features, report_response.application_settings
+          # This one is called from super needs to be placed here after protobuf end of life.
+          update_features(report_response.server_features, report_response.application_settings)
           logger.trace('Agent settings updated in response to Service', protect_on: ::Contrast::PROTECT.enabled?,
                                                                         assess_on: ::Contrast::ASSESS.enabled?)
           response
@@ -41,16 +45,74 @@ module Contrast
           nil
         end
 
-        # if sleep is true puts reporting service to sleep
+        # If sleep is true puts reporting service to sleep.
         def sleep?
           @_sleep = wake_up if @_sleep.nil?
           @_sleep
         end
 
-        # wakes the reporting service
+        # For how long the agent should wait until retry
+        # to send message
+        #
+        # @return timeout [Integer] the time for reporter
+        # to be suspended.
+        def timeout
+          @_timeout ||= TIMEOUT
+        end
+
+        def mode
+          @_mode ||= Contrast::Agent::Reporting::ResponseHandlerMode.new
+        end
+
+        # Wakes the reporting service
         def wake_up
           @_sleep = false
         end
+
+        private
+
+        # Handles the errors code received from TS and takes appropriate action.
+        # If we are here the response.code is an error that needs handling [4XX]
+        #
+        # @param response [Net::HTTP::Response]
+        def handle_error response
+          case response&.code
+          when ERROR_CODES[:message_not_sent]
+            handle_response_errors response, UNSUCCESSFULLY_RECEIVED_MSG, mode.running
+          when ERROR_CODES[:access_forbidden]
+            handle_response_errors response, FORBIDDEN_MSG, mode.running
+          when ERROR_CODES[:access_forbidden_no_action]
+            handle_response_errors response, FORBIDDEN_NO_ACTION_MSG, mode.running
+          when ERROR_CODES[:application_do_not_exist]
+            handle_response_errors response, APP_NON_EXISTENT_MSG, mode.disabled
+          when ERROR_CODES[:unprocessable_entity]
+            handle_response_errors response, UNPROCESSABLE_ENTITY_MSG, mode.disabled
+          when ERROR_CODES[:too_many_requests]
+            handle_response_errors response, RETRY_AFTER_MSG, mode.resending
+          else
+            logger.debug('Response Error code could not be processed')
+          end
+        end
+
+        # Suspend the reporter and try again in time. If not set
+        # the timeout is set to 15 min As default:
+        #
+        # @param message [String] Message to log.
+        # @param timeout [Integer,nil] The timeout to wait and retry after.
+        # @param error_message [String, nil] Error message if any received.
+        def suspend_reporting message, timeout, error_message
+          @_timeout = timeout || Contrast::Agent::Reporting::ResponseHandler::TIMEOUT
+          log_debug_msg message, timeout: @_timeout, error_message: error_message || 'none'
+          @_sleep = true
+        end
+
+        # Log what we've received.
+        #
+        # @param message [String] Message to log
+        # @param info_hash [Hash] information about the context to log.
+        def log_debug_msg message, info_hash
+          logger.debug(message, info_hash)
+        end
       end
     end
   end

data/lib/contrast/agent/reporting/reporting_utilities/response_handler_mode.rb

@@ -0,0 +1,63 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Reporting
+      # This class will hold the mode state in which the reporter will send
+      # event ot TS.
+      class ResponseHandlerMode
+        # Reader for the running mode type.
+        #
+        # @return [Symbol] Reporter's client and Response Handler are running
+        # and responses are being processed.
+        attr_reader :running
+        # Reader for the disabled mode type.
+        #
+        # @return [Symbol] Reporter's client and Response Handler are disabled
+        # due to received Error. The Reporting is disabled for this application.
+        attr_reader :disabled
+        # Reader for the resending/retry mode type.
+        #
+        # @return [Symbol] Reporter's client and Response Handler are suspended
+        # for a TS received amount of time and will try to resend the previous
+        # request after that.
+        attr_reader :resending
+        # Reader for all supported modes.
+        #
+        # @return [Array<Symbol>] Reporter's client and Response Handler all
+        # available modes of operation.
+        attr_reader :modes
+
+        def initialize
+          @running = :running
+          @disabled = :disabled
+          @resending = :resending
+          @modes = [@running, @disabled, @resending].cs__freeze
+        end
+
+        # Current mode.
+        #
+        # @return [Symbol] Reporter's client and Response Handler
+        # current mode of operation.
+        def status
+          @_status ||= running
+        end
+
+        # Set current mode.
+        #
+        # @return [Symbol] Reporter's client and Response Handler
+        # current mode of operation.
+        def status= mode
+          @_status = mode if mode.cs__is_a?(Symbol) && modes.include?(mode)
+        end
+
+        # Reset mode
+        #
+        def reset_mode
+          @_status = running
+        end
+      end
+    end
+  end
+end