contrast-agent 6.0.0 → 6.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 47aa135a205e4a74d64b778ae543f892213ca70e47be654032147a8bfe16dc82
-  data.tar.gz: 60f0de0e2675578bfb735c4f90303748bdc5e2053f2722dac4907bf84364d2f9
+  metadata.gz: c901ed882ebff8176fe2f3794907e29b03cc2903b61260f138d93b2ef02a465c
+  data.tar.gz: 72e4f01ccf5a57bbd5afa0cac58c51cddbe26183691d9495f563dfd9fb37e7e1
 SHA512:
-  metadata.gz: fdd2d1209de7366f810cb1d7355700a54cd7d7749d94736213cf96c47b8e5cedad449ec0dc2ab09753c0ecc3d064498d18d1d001edc5d998c6c615c4cd05b571
-  data.tar.gz: 888016b33c67e7f2f77f320affcd1e945a7cc6e1c01c87d559d231cbed3309bbd4fff74833a5296f21680492955977d042594a39d807d4cb91eecd6adc4b4636
+  metadata.gz: 1d60653e61e95443c45bb43caac325b3c72449ddea435096e2d8e49c0a0851ff9ae6486fc16a17f65f663c2f069c58f6157f4f7ef8745d0b082d4fe7c5c0b8b6
+  data.tar.gz: e1e5dd1a542009d153fa6e77f86d889d8bb852d85d66c84400a583b63536be06a70423c4f05e547280f06368851a43720ac941efedf3aeb17a314ff3c9f61a14

data/.simplecov

@@ -1,7 +1,7 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-SimpleCov.minimum_coverage line: 95
+SimpleCov.minimum_coverage(line: 94)
 SimpleCov.start do
   add_filter '/spec/'
   enable_coverage :branch

data/Rakefile

@@ -13,7 +13,7 @@ CLOBBER << 'shared_libraries/*'
 
 Dir['ext/cs__*'].each do |extension|
   name = extension.split('/')[1]
-  Rake::ExtensionTask.new name do |ext|
+  Rake::ExtensionTask.new(name) do |ext|
     ext.lib_dir = "lib/#{ name }"
   end
 end

data/ext/build_funchook.rb

@@ -52,13 +52,13 @@ unless find_header('funchook.h', ext_path)
 
     TARGET_PATHS.each do |target_path|
       unless File.writable?(target_path)
-        puts "Unable to copy into #{ target_path } - directory not writable"
+        puts("Unable to copy into #{ target_path } - directory not writable")
         next
       end
-      puts "Copying #{ source_file_path } into #{ target_path }"
+      puts("Copying #{ source_file_path } into #{ target_path }")
       FileUtils.cp(source_file_path, target_path)
     rescue StandardError
-      puts "Error while copying #{ source_file } to #{ target_path }"
+      puts("Error while copying #{ source_file } to #{ target_path }")
     end
   end
 end

data/ext/cs__assess_basic_object/cs__assess_basic_object.c

@@ -17,6 +17,10 @@
  *  }
  */
 
+VALUE contrast_check_and_register_instance_patch(
+    const char *module_name, const char *method_name,
+    VALUE(c_fn)(const int, VALUE *, const VALUE));
+
 void contrast_assess_instance_eval_trigger_check(VALUE self, VALUE source,
                                                  VALUE ret) {
     rb_funcall(basic_eval_trigger, instance_trigger_check_method, 3, self,
@@ -61,6 +65,6 @@ void Init_cs__assess_basic_object(void) {
      * but if someone else patched BasicObject#instance_eval,
      * IDK if this is intentional... noting it.  -ajm
      */
-    contrast_register_patch("BasicObject", "instance_eval",
+    contrast_check_and_register_instance_patch("BasicObject", "instance_eval",
                             contrast_assess_basic_object_instance_eval);
 }

data/ext/cs__assess_regexp/cs__assess_regexp.c

@@ -3,8 +3,20 @@
 
 #include "cs__assess_regexp.h"
 #include "../cs__common/cs__common.h"
+#include "../cs__contrast_patch/cs__contrast_patch.h"
 #include <ruby.h>
 
+extern VALUE contrast_force_patch(const int argc, VALUE *argv) {
+  return contrast_check_and_register_instance_patch(
+        "Regexp", "=~", contrast_assess_regexp_equal_squiggle);
+}
+
+/* check if method is prepended and register instance alias or prepend patch */
+VALUE contrast_check_and_register_instance_patch(const char *module_name,
+                                                  const char *method_name,
+                                                  VALUE(c_fn)(const int, VALUE *,
+                                                              const VALUE));
+
 void contrast_alias_method(const VALUE target, const char *to,
                            const char *from);
 
@@ -46,7 +58,8 @@ void Init_cs__assess_regexp(void) {
     rb_global_variable(&rb_sym_string);
     rb_sym_back_ref = ID2SYM(rb_intern("back_ref"));
     rb_global_variable(&rb_sym_back_ref);
+    rb_define_singleton_method(assess, "contrast_force_repatch_regexp", contrast_force_patch, 0);
 
-    rb_sym_assess_regexp_equal_squiggle = contrast_register_patch(
-        "Regexp", "=~", contrast_assess_regexp_equal_squiggle);
+    rb_sym_assess_regexp_equal_squiggle = contrast_check_and_register_instance_patch(
+      "Regexp", "=~", contrast_assess_regexp_equal_squiggle);
 }

data/ext/cs__assess_regexp/cs__assess_regexp.h

@@ -20,4 +20,6 @@ static VALUE contrast_assess_regexp_equal_squiggle(const int argc,
                                                    const VALUE *argv,
                                                    const VALUE regexp);
 
+extern VALUE contrast_force_patch(const int argc, VALUE *argv);
+
 void Init_cs__assess_regexp(void);

data/ext/cs__assess_string/cs__assess_string.c

@@ -17,6 +17,13 @@
  *     return rb_fstring(str);
  * }
  */
+
+/*
+ * This patch won't do the Prepend. We would call to the String instance'
+ * uminus directly and skip other propagation from prepended modules.
+ * We could come back to this one and rethink it's prepend patching.
+ */
+
 static VALUE contrast_assess_string_freeze(const int argc, VALUE *argv,
                                            const VALUE obj) {
     if (!OBJ_FROZEN(obj)) {
@@ -55,6 +62,7 @@ void Init_cs__assess_string(void) {
     VALUE tracker = rb_define_class_under(assess, "Tracker", rb_cObject);
     properties_hash = rb_const_get(tracker, rb_intern("PROPERTIES_HASH"));
 
+    /* We only do alias for this one */
     rb_sym_assess_string_uminus =
         contrast_register_patch("String", "-@", &contrast_assess_string_uminus);
     rb_sym_assess_string_freeze = contrast_register_patch(

data/ext/cs__assess_test/cs__assess_test.h

@@ -0,0 +1,9 @@
+#include <ruby.h>
+
+static VALUE dummy_regexp;
+static VALUE test_regexp;
+
+VALUE rb_equal_squiggle(const int argc, const VALUE *argv)
+void rb_force_prepend(void);
+
+void Init_cs__assess_test(void)

data/ext/cs__assess_test/cs__assess_tests.c

@@ -0,0 +1,22 @@
+#include "../cs__common/cs__common.h";
+#include "ruby.h"
+#include <ruby/re.h>
+
+static VALUE dummy_regexp;
+static VALUE test_regexp;
+
+VALUE rb_equal_squiggle(const int argc, const VALUE *argv) {
+    return rb_call_super(argc, argv);
+}
+
+void rb_force_prepend(void) {
+    rb_prepend_module(rb_cRegexp, dummy_regexp);
+}
+
+void Init_cs__assess_test(void) {
+    test_regexp = rb_define_module("ForcePrepend");
+    rb_define_singleton_method(test_regexp, "cs__force_prepend",
+                               rb_force_prepend, 0);
+    dummy_regexp = rb_define_module("DummyMod");
+    rb_define_method(dummy_regexp, "=~", rb_equal_squiggle, -1);
+}

data/ext/cs__assess_test/extconf.rb

@@ -0,0 +1,5 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+$TO_MAKE = File.basename(__dir__)
+require_relative '../extconf_common'

data/ext/cs__common/cs__common.c

@@ -59,12 +59,14 @@ VALUE contrast_patcher() {
     return patcher;
 }
 
+/* register instance alias patch */
 VALUE contrast_register_patch(const char *module_name, const char *method_name,
                               VALUE(c_fn)(const int, VALUE *, const VALUE)) {
     return _contrast_register_patch(module_name, method_name, c_fn,
                                     IMPL_ALIAS_INSTANCE);
 }
 
+/* register singleton alias patch */
 VALUE contrast_register_singleton_patch(const char *module_name,
                                         const char *method_name,
                                         VALUE(c_fn)(const int, VALUE *,
@@ -73,6 +75,7 @@ VALUE contrast_register_singleton_patch(const char *module_name,
                                     IMPL_ALIAS_SINGLETON);
 }
 
+/* register instance prepend patch */
 VALUE contrast_register_prepend_patch(const char *module_name,
                                       const char *method_name,
                                       VALUE(c_fn)(const int, VALUE *,
@@ -81,6 +84,7 @@ VALUE contrast_register_prepend_patch(const char *module_name,
                                     IMPL_PREPEND_INSTANCE);
 }
 
+/* register singleton prepend patch */
 VALUE contrast_register_singleton_prepend_patch(const char *module_name,
                                                 const char *method_name,
                                                 VALUE(c_fn)(const int, VALUE *,
@@ -89,6 +93,31 @@ VALUE contrast_register_singleton_prepend_patch(const char *module_name,
                                     IMPL_PREPEND_SINGLETON);
 }
 
+/* check if method is prepended and register instance alias or prepend patch */
+/* module name c_char "Module"; */
+/* method name c_char  "method"; */
+/* c_func => pointer */
+VALUE contrast_check_and_register_instance_patch(
+    const char *module_name, const char *method_name,
+    VALUE(c_fn)(const int, VALUE *, const VALUE)) {
+
+    VALUE object, method, is_prepended, patch_type;
+    /* check if method is prepended */
+    object = rb_const_get(rb_cObject, rb_intern(module_name));
+    method = ID2SYM(rb_intern(method_name));
+    is_prepended = contrast_check_prepended(object, method, Qtrue);
+
+    if (is_prepended == Qtrue) {
+        /* prepend patch */
+        return _contrast_register_patch(module_name, method_name, c_fn,
+                                        IMPL_PREPEND_INSTANCE);
+    } else {
+        /* alias patch */
+        return _contrast_register_patch(module_name, method_name, c_fn,
+                                        IMPL_ALIAS_INSTANCE);
+    }
+}
+
 static VALUE
 _contrast_register_patch(const char *module_name, const char *method_name,
                          VALUE(c_fn)(const int, VALUE *, const VALUE),
@@ -133,6 +162,7 @@ _contrast_register_patch(const char *module_name, const char *method_name,
         break;
     case IMPL_PREPEND_INSTANCE:
         impl = ID2SYM(rb_sym_prepend_instance);
+        break;
     case IMPL_PREPEND_SINGLETON:
         impl = ID2SYM(rb_sym_prepend_singleton);
         break;
@@ -151,6 +181,71 @@ int rb_ver_below_three() {
     return ruby_version < 3;
 }
 
+/* used for direct check on object: String.cs__prepended? *args  */
+extern VALUE contrast_check_prepended(VALUE self, VALUE method_name,
+                                      VALUE is_instance) {
+    return _contrast_check_prepended(self, method_name, is_instance);
+}
+
+/* used for passing object to look if not called on itself.
+Contrast::Agent::Assess.cs__object_method_prepended? object, :method_name,
+true/false */
+extern VALUE contrast_lookout_prepended(VALUE self, VALUE object_name,
+                                        VALUE method_name, VALUE is_instance) {
+    /* object_name must be the object, the self value is needed to prevent
+     lookout for self, since is always passed first we skip it */
+    VALUE result =
+        _contrast_check_prepended(object_name, method_name, is_instance);
+    return result;
+}
+
+static VALUE _contrast_check_prepended(VALUE object, VALUE method_name,
+                                       VALUE is_instance) {
+    VALUE entry, ancestors, object_idx, entry_methods;
+    VALUE result = Qfalse;
+    int i;
+    int y;
+
+    /* get self ancestors */
+    ancestors = rb_mod_ancestors(object);
+    /* get the size of the array */
+    int length = RARRAY_LEN(ancestors);
+    /* Locate self in ancestors: */
+    for (i = 0; i < length; ++i) {
+        entry = rb_ary_entry(ancestors, i);
+        if (entry == object) {
+            object_idx = i;
+            break;
+        }
+    }
+
+    /* find all the prepended modules */
+    /* we have the object place in ancestors: */
+    /* [suspect, suspect, object, ...] */
+    for (i = 0; i < object_idx; ++i) {
+        entry = rb_ary_entry(ancestors, i);
+        if (is_instance == Qtrue) {
+            entry_methods = rb_class_instance_methods(1, entry, entry);
+        } else {
+            entry_methods = rb_obj_singleton_methods(1, entry, entry);
+        }
+
+        /* Loop through the instance/singleton methods of the prepended modules
+         */
+        int entry_methods_length = RARRAY_LEN(entry_methods);
+        for (y = 0; y <= entry_methods_length; ++y) {
+            if (rb_ary_entry(entry_methods, y) == method_name) {
+                result = Qtrue;
+                break;
+            }
+        }
+        if (result == Qtrue) {
+            break;
+        }
+    }
+    return result;
+}
+
 void Init_cs__common(void) {
     cs__send_method = rb_intern("send");
     cs__alias_method_sym = ID2SYM(rb_intern("alias_method"));
@@ -191,4 +286,10 @@ void Init_cs__common(void) {
 
     core_extensions = rb_define_module_under(contrast, "Extension");
     core_assess = rb_define_module_under(core_extensions, "Assess");
+    /* defined for direct object check */
+    rb_define_singleton_method(rb_cObject, "cs__prepended?",
+                               contrast_check_prepended, 2);
+    /* defined for object lookout */
+    rb_define_singleton_method(assess, "cs__object_method_prepended?",
+                               contrast_lookout_prepended, 4);
 }

data/ext/cs__common/cs__common.h

@@ -57,15 +57,39 @@ VALUE contrast_register_singleton_patch(const char *module_name,
                                         VALUE(c_fn)(const int, VALUE *,
                                                     const VALUE));
 
-VALUE contrast_register_singleton_prepend_patch(
-    const char *module_name, const char *method_name,
-    VALUE(c_fn)(const int, VALUE *, const VALUE));
+VALUE contrast_register_prepend_patch(const char *module_name,
+                                      const char *method_name,
+                                      VALUE(c_fn)(const int, VALUE *,
+                                                  const VALUE));
 
-static VALUE
-_contrast_register_patch(const char *module_name, const char *method_name,
+
+VALUE contrast_register_singleton_prepend_patch(const char *module_name,
+                                                const char *method_name,
+                                                VALUE(c_fn)(const int, VALUE *,
+                                                             const VALUE));
+
+VALUE contrast_register_prepend_patch(const char *module_name,
+                                                const char *method_name,
+                                                VALUE(c_fn)(const int, VALUE *,
+                                                             const VALUE));
+
+static VALUE _contrast_register_patch(const char *module_name, const char *method_name,
                          VALUE(c_fn)(const int, VALUE *, const VALUE),
                          patch_impl patch_impl);
 
+static VALUE _contrast_check_prepended(VALUE self, VALUE method_name, VALUE is_instance);
+
+extern VALUE contrast_check_prepended(VALUE self, VALUE method_name, VALUE is_instance);
+
+extern VALUE contrast_lookout_prepended(VALUE self, VALUE object_name, VALUE method_name,
+                               VALUE is_instance);
+
+/* check if method is prepended and register instance alias or prepend patch */
+VALUE contrast_check_and_register_instance_patch(const char *module_name,
+                                                const char *method_name,
+                                                VALUE(c_fn)(const int, VALUE *,
+                                                            const VALUE));
+
 VALUE contrast_patcher();
 
 void Init_cs__common(void);

data/ext/cs__contrast_patch/cs__contrast_patch.c

@@ -488,7 +488,7 @@ VALUE contrast_patch_prepend(const VALUE self, const VALUE originalModule,
             rb_funcall(originalModule, rb_intern("included_in"), 0);
         if (RB_TYPE_P(rb_incl_in_mod_ary, T_ARRAY)) {
             int i = 0;
-            int size = rb_funcall(rb_incl_in_mod_ary, rb_intern("length"), 0);
+            int size = RARRAY_LEN(rb_incl_in_mod_ary);
             for (i = 0; i < size; ++i) {
                 module_at = rb_ary_entry(rb_incl_in_mod_ary, i);
                 if (RB_TYPE_P(module_at, T_MODULE)) {

data/ext/cs__tests/cs__tests.c

@@ -0,0 +1,12 @@
+/* Copyright (c) 2022 Contrast Security, Inc.  See
+ * https://www.contrastsecurity.com/enduser-terms-0317a for more details. */
+
+#include "cs__tests.h"
+#include "../cs__common/cs__common.h"
+#include <ruby.h>
+
+/* Define any tests functions here, you could call a patch function and define
+ * it in Ruby */
+
+void Init_cs__tests(void) {
+}

data/ext/cs__tests/cs__tests.h

@@ -0,0 +1,3 @@
+#include <ruby.h>
+
+void Init_cs__tests(void);

data/ext/cs__tests/extconf.rb

@@ -0,0 +1,5 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+$TO_MAKE = File.basename(__dir__)
+require_relative '../extconf_common'

data/ext/extconf_common.rb

@@ -5,7 +5,7 @@ require 'mkmf'
 require_relative '../lib/contrast/agent/version'
 
 def make!
-  create_makefile "#{ $TO_MAKE }/#{ $TO_MAKE }"
+  create_makefile("#{ $TO_MAKE }/#{ $TO_MAKE }")
 end
 
 def ext_path

data/lib/contrast/agent/assess/contrast_object.rb

@@ -8,24 +8,22 @@ require 'contrast/agent/assess/tracker'
 module Contrast
   module Agent
     module Assess
-      # This class is a convenient holder of our version of an Object. It
-      # creates a String version of the Object from the original provided
-      # and keeps reference to the original's Tags, letting us determine if it
-      # was tracked when we try to report to TeamServer.
+      # This class is a convenient holder of our version of an Object. It creates a String version of the Object from
+      # the original provided and keeps reference to the original's Tags, letting us determine if it was tracked when
+      # we try to report to TeamServer.
       #
-      # @attr_reader object [String, nil] the Contrast string representing the
-      #   object.
-      # @attr_reader object_type [String] the name of the object's module.
-      # @attr_reader tags [Hash{String => Contrast::Agent::Assess::Tag}, nil]
-      #   the tags on the object before it was captured.
-      #
-      # TODO: RUBY-1083 determine if this is expensive and/or worth not storing
-      #   these values directly on ContrastEvent and passing them around. Args
-      #   probably make the argument for wrapping them b/c otherwise we'll have
-      #   to keep two arrays in synch or make an array of arrays, at which
-      #   point, we may as well make this.
+      # TODO: RUBY-1083 determine if this is expensive and/or worth not storing these values directly on ContrastEvent
+      #   and passing them around. Args probably make the argument for wrapping them b/c otherwise we'll have to keep
+      #   two arrays in synch or make an array of arrays, at which point, we may as well make this.
       class ContrastObject
-        attr_reader :object, :object_type, :tags
+        # @return [String] the Contrast String representation of the Object.
+        attr_reader :object
+        # @return [Integer] the __id__ of the original Object.
+        attr_reader :tracked_object_id
+        # @return [String] the name of the Class/Module of the Object.
+        attr_reader :object_type
+        # @return [Hash<Contrast::Agent::Assess::Tag>] the tags on the original Object.
+        attr_reader :tags
 
         # Capture the details about the object which we need to render it in
         # TeamServer.
@@ -34,10 +32,12 @@ module Contrast
         def initialize object
           if object
             @object = Contrast::Utils::ClassUtil.to_contrast_string(object)
+            @tracked_object_id = object.__id__
             @object_type = object.cs__class.cs__name
             @tags = Contrast::Agent::Assess::Tracker.properties(object)&.get_tags
           else
             @object = Contrast::Utils::ObjectShare::NIL_STRING
+            @tracked_object_id = nil.__id__
             @object_type = nil.cs__class.cs__name
           end
         end

data/lib/contrast/agent/assess/events/source_event.rb

@@ -9,22 +9,22 @@ module Contrast
   module Agent
     module Assess
       module Events
-        # This class holds the data about an event in the application
-        # We'll use it to build an event that TeamServer can consume if
-        # the object to which this event belongs ends in a trigger.
-        #
-        # @attr_reader request [Contrast::Agent::Request] our wrapper around the Rack::Request at the time this source
-        #  was created
-        # @attr_reader source_name [String] the name of the source if it comes from a map-like entity
-        # @attr_reader source_type [String] the TeamServer understood type of source; i.e. parameter
+        # This class holds the data about an event in the application. We'll use it to build an event that TeamServer
+        # can consume if the object to which this event belongs ends in a trigger.
         class SourceEvent < Contrast::Agent::Assess::ContrastEvent
-          attr_reader :request, :source_name, :source_type
+          # @return [Contrast::Agent::Request] our wrapper around the Rack::Request at the time this source
+          #   was created
+          attr_reader :request
+          # @return [String] the name of the source if it comes from a map-like entity
+          attr_reader :source_name
+          # @return [String] the TeamServer understood type of source; i.e. parameter
+          attr_reader :source_type
 
           # @param event_data [Contrast::Agent::Assess::Events::EventData]
-          # @param source_type [String] the type of this source, from the
-          #       source_node, or a KEY_TYPE if invoked for a map,
-          # @param source_name [String, nil] the name of this source, i.e.
-          #       the key used to accessed if from a map or nil if a type like,
+          # @param source_type [String] the type of this source, from the source_node, or a KEY_TYPE if invoked for a
+          #   Hash
+          # @param source_name [String, nil] the name of this source, i.e. the key used to accessed if from a Hash or
+          #   nil if a type like
           def initialize event_data, source_type = nil, source_name = nil
             super(event_data)
             @source_type = source_type
@@ -54,8 +54,7 @@ module Contrast
             @_forced_source_name ||= Contrast::Utils::StringUtils.force_utf8(source_name)
           end
 
-          # Probably only for source events, but we'll go
-          # with source_type instead. java & .net support source_type
+          # Probably only for source events, but we'll go with source_type instead. java & .net support source_type
           # in propagation events, so we'll future proof this
           def build_event_source_dtm
             # You can have a source w/o a name, but not w/o a type
@@ -67,8 +66,7 @@ module Contrast
             dtm
           end
 
-          # Probably only for source events, but we'll go
-          # with source_type instead. java & .net support source_type
+          # Probably only for source events, but we'll go with source_type instead. java & .net support source_type
           # in propagation events, so we'll future proof this
           def build_event_source
             # You can have a source w/o a name, but not w/o a type
@@ -80,8 +78,8 @@ module Contrast
             trace_event_source
           end
 
-          # We have to do a little work to figure out what our TS appropriate
-          # target is. To break this down, the logic is as follows:
+          # We have to do a little work to figure out what our TS appropriate target is. To break this down, the logic
+          # is as follows:
           # 1) I'll set the event's source and target to TS values.
           # 2) Return the first source/target as the taint target.
           def determine_taint_target event_dtm

data/lib/contrast/agent/assess/finalizers/hash.rb

@@ -22,11 +22,11 @@ module Contrast
             else
               ObjectSpace.define_finalizer(key, finalizing_proc)
             end
-            super key.__id__, obj
+            super(key.__id__, obj)
           end
 
           def [] key
-            super key.__id__
+            super(key.__id__)
           end
 
           # Something is trackable if it is not a collection and either not frozen or it was frozen after we put a

data/lib/contrast/agent/assess/policy/policy.rb

@@ -18,11 +18,20 @@ module Contrast
         # This is just a holder for our policy. Takes the policy JSON and
         # converts it into hashes that we can access nicely
         class Policy < Contrast::Agent::Patching::Policy::Policy
+          PROVIDER_CLASSES = [
+            Contrast::Agent::Assess::Rule::Provider::HardcodedKey,
+            Contrast::Agent::Assess::Rule::Provider::HardcodedPassword
+          ].cs__freeze
           # Indicates the folder in `resources` where this policy lives.
           def self.policy_folder
             'assess'
           end
 
+          def initialize
+            super
+            load_providers
+          end
+
           # Indicates is this feature has been disabled by the configuration,
           # read at startup, and therefore can never be enabled.
           def disabled_globally?
@@ -33,11 +42,6 @@ module Contrast
             Contrast::Agent::Assess::Policy::TriggerNode
           end
 
-          def initialize
-            super
-            load_providers
-          end
-
           # Our policy for dataflow rules is a 'dope ass' JSON file. Rather than
           # hard code in a bunch of things to monkey patch, we let the JSON file
           # define the conditions in which sources, propagators, and triggers are
@@ -88,11 +92,6 @@ module Contrast
               providers[instance.rule_id] = instance
             end
           end
-
-          PROVIDER_CLASSES = [
-            Contrast::Agent::Assess::Rule::Provider::HardcodedKey,
-            Contrast::Agent::Assess::Rule::Provider::HardcodedPassword
-          ].cs__freeze
         end
       end
     end

data/lib/contrast/agent/assess/policy/policy_node.rb

@@ -14,6 +14,14 @@ module Contrast
         # Ruby object, allowing for dynamic patching over hardcoded patching.
         class PolicyNode < Contrast::Agent::Patching::Policy::PolicyNode
           include PolicyNodeUtils
+          JSON_TAGS = 'tags'
+          JSON_DATAFLOW = 'dataflow'
+          # The keys used to read from policy.json to create the individual
+          # policy nodes. These are common across node types
+          JSON_SOURCE = 'source'
+          ALL_TYPE = 'A'
+          JSON_TARGET = 'target'
+          TO_MARKER = '2'
 
           attr_accessor :tags, :type
           attr_reader   :sources, :targets, :source_string, :target_string
@@ -45,7 +53,7 @@ module Contrast
             @sources = convert_policy_markers(source_string)
             @targets = convert_policy_markers(target_string)
             @_use_original_object = ORIGINAL_OBJECT_METHODS.include?(@method_name)
-            @_use_original_on_bang_method = assign_on_bang_check policy_hash
+            @_use_original_on_bang_method = assign_on_bang_check(policy_hash)
           end
 
           def assign_on_bang_check policy_hash
@@ -116,8 +124,6 @@ module Contrast
             end
           end
 
-          ALL_TYPE = 'A'
-          TO_MARKER = '2'
           # Convert our action, built from our source and target, into
           # the TS appropriate action. That's a single source to single
           # target marker (A,O,P,R)
@@ -149,13 +155,6 @@ module Contrast
             @event_action
           end
 
-          # The keys used to read from policy.json to create the individual
-          # policy nodes. These are common across node types
-          JSON_SOURCE = 'source'
-          JSON_TARGET = 'target'
-          JSON_TAGS = 'tags'
-          JSON_DATAFLOW = 'dataflow'
-
           # This method will check if a method is fit to use it's original object and
           # that the method is without bang - it does not change the source, but rather
           # creates a copy of it.