RubyGems - contrast-agent - Versions diffs - 6.1.0 → 6.2.0 - Mend

contrast-agent 6.1.0 → 6.2.0

Files changed (214) hide show

data/lib/contrast/agent/reporting/reporting_events/discovered_route.rb CHANGED Viewed

@@ -17,15 +17,84 @@ module Contrast
       # recorded.
       class DiscoveredRoute < Contrast::Agent::Reporting::ObservedRoute
         class << self
-          # @param dtm [Contrast::Api::Dtm::RouteCoverage]
+          # @param obj [Regexp, Object]
+          # @return [String]
+          def source_or_string obj
+            if obj.cs__is_a?(Regexp)
+              obj.source
+            elsif obj.cs__respond_to?(:safe_string)
+              obj.safe_string
+            else
+              obj.to_s
+            end
+          end
+          # Convert ActionDispatch::Journey::Route to Contrast::Agent::Reporting::DiscoveredRoute
+          #
+          # @param journey_obj [ActionDispatch::Journey::Route] a rails route
+          # @param url [String, nil] use url from string instead of journey object.
+          # @return [Contrast::Agent::Reporting::DiscoveredRoute]
+          def from_action_dispatch_journey journey_obj, url = nil
+            msg = new
+            msg.signature = "#{ journey_obj.defaults[:controller] }##{ journey_obj.defaults[:action] }"
+            verb = source_or_string(journey_obj.verb)
+            msg.verb = Contrast::Utils::StringUtils.force_utf8(verb)
+            url ||= source_or_string(journey_obj.path.spec)
+            msg.url = Contrast::Utils::StringUtils.force_utf8(url)
+            msg
+          end
+          # Convert Grape route data to discovered route.
+          #
+          # @param controller [::Grape::API] the route's final controller.
+          # @param method [String] GET, PUT, POST, etc...
+          # @param url [String, nil] use url from string instead matched pattern.
+          # @param pattern [String, Grape::Router::Route] the pattern that was matched in routing.
           # @return [Contrast::Agent::Reporting::DiscoveredRoute]
-          def convert dtm
-            discovered_route = new
-            discovered_route.attach_data dtm
-            discovered_route
+          def from_grape_controller controller, method, pattern, url = nil
+            if pattern.cs__is_a?(Grape::Router::Route)
+              safe_pattern = pattern.pattern&.path&.to_s
+              safe_url = source_or_string(url || safe_pattern)
+            else
+              safe_pattern = source_or_string(pattern)
+              safe_url = source_or_string(url || pattern)
+            end
+            msg = new
+            msg.signature = "#{ controller }##{ method } #{ safe_pattern }"
+            msg.verb = Contrast::Utils::StringUtils.force_utf8(method)
+            msg.url = Contrast::Utils::StringUtils.force_utf8(safe_url)
+            msg
+          end
+          # Convert Sinatra route data to discovered route.
+          #
+          # @param controller [::Sinatra::Base] the route's final controller.
+          # @param method [String] GET, PUT, POST, etc...
+          # @param pattern [::Mustermann::Sinatra]  the pattern that was matched in routing.
+          # @param url [String, nil] use url from string instead matched pattern.
+          # @return [Contrast::Agent::Reporting::DiscoveredRoute]
+          def from_sinatra_route controller, method, pattern, url = nil
+            safe_pattern = source_or_string(pattern)
+            safe_url = source_or_string(url || pattern)
+            msg = new
+            msg.signature = "#{ controller }##{ method } #{ safe_pattern }"
+            msg.verb = Contrast::Utils::StringUtils.force_utf8(method)
+            msg.url = Contrast::Utils::StringUtils.force_utf8(safe_url)
+            msg
           end
         end
+        # @return [String] the controller, method, and pattern of this route
+        attr_accessor :signature
+        # @return [String] the url (or url pattern) used to access this route
+        attr_accessor :url
+        # @return [String, nil] the HTTP verb used to access this route or nil for any verb
+        attr_accessor :verb
         def initialize
           super
           @event_type = :discovered_route
@@ -34,18 +103,9 @@ module Contrast
           @url = Contrast::Utils::ObjectShare::EMPTY_STRING
         end
-        # @param dtm[Contrast::Api::Dtm::RouteCoverage]
-        def attach_data dtm
-          @signature = dtm.route
-          @verb = dtm.verb
-          @url = dtm.url
-        end
         def to_controlled_hash
           validate
-          dr_hash = { session_id: @agent_session_id_value, signature: @signature, verb: @verb, url: @url }
-          dr_hash.delete(:verb) unless @verb
-          dr_hash
+          { session_id: ::Contrast::ASSESS.session_id, signature: @signature, verb: @verb, url: @url }.compact
         end
         def validate

data/lib/contrast/agent/reporting/reporting_events/finding.rb CHANGED Viewed

@@ -135,7 +135,7 @@ module Contrast
               created: created,
               hash: hash_code.to_s,
               ruleId: rule_id,
-              session_id: @agent_session_id_value.to_s,
+              session_id: ::Contrast::ASSESS.session_id,
               version: 4
           }
           hsh[:events] = events.map(&:to_controlled_hash) if event_based?
@@ -152,7 +152,7 @@ module Contrast
         # @raise [ArgumentError]
         def validate
           raise(ArgumentError, "#{ self } did not have a proper rule. Unable to continue.") unless @rule_id
-          unless @agent_session_id_value
+          unless ::Contrast::ASSESS.session_id
             raise(ArgumentError, "#{ self } did not have a proper session id. Unable to continue.")
           end
           if event_based? && events.empty?

data/lib/contrast/agent/reporting/reporting_events/library_usage_observation.rb CHANGED Viewed

@@ -11,25 +11,11 @@ module Contrast
         # @param [Array<String>] List of file paths that have been loaded out of or executed by the library
         attr_reader :names
-        class << self
-          # Convert a DTM for SpeedRacer to an Event for TeamServer.
-          #
-          # @param usage_dtm [Contrast::Api::Dtm::LibraryUsageUpdate]
-          # @return [Contrast::Agent::Reporting::LibraryUsageObservation]
-          def convert usage_dtm
-            observation = new
-            observation.attach_data(usage_dtm)
-            observation
-          end
-        end
-        def initialize
-          @names = []
-        end
-        def attach_data usage_dtm
-          @id = usage_dtm.hash_code
-          @names = usage_dtm.class_names.keys
+        # @param id [String] Sha256Sum of library as identified by the agent
+        # @param class_names [Array<String>] List of file paths that have been loaded out of or executed by the library
+        def initialize id, class_names
+          @id = id
+          @names = class_names
         end
         def to_controlled_hash

data/lib/contrast/agent/reporting/reporting_events/observed_library_usage.rb CHANGED Viewed

@@ -9,23 +9,11 @@ module Contrast
     module Reporting
       # List of libraries that have been observed to have something loaded or executed.
       #
-      # @attr_reader observations - Array[Contrast::Agent::Reporting::LibraryUsageObservation]
-      #                            - Hash of LibraryUsageObservations
       class ObservedLibraryUsage < Contrast::Agent::Reporting::ApplicationReportingEvent
+        # @attr_reader observations - Array[Contrast::Agent::Reporting::LibraryUsageObservation]
+        #                            - Hash of LibraryUsageObservations
         attr_reader :observations
-        class << self
-          # Convert a Hash of LibraryUsageUpdate DTMs for SpeedRacer to an Event for TeamServer.
-          #
-          # @param usages_dtm_hash Hash[Contrast::Api::Dtm::LibraryUsageUpdate]
-          # @return [Contrast::Agent::Reporting::ObservedLibraryUsage]
-          def convert usages_dtm_hash
-            report = new
-            report.attach_data(usages_dtm_hash)
-            report
-          end
-        end
         def initialize
           @event_endpoint = Contrast::Agent::Reporting::Endpoints.library_usage
           @observations = []
@@ -41,17 +29,13 @@ module Contrast
           { observations: @observations.map(&:to_controlled_hash) }
         end
-        def attach_data usages_dtm_hash
-          usages_dtm_hash.each do |_key, value|
-            next unless value.class_names.any?
-            @observations << Contrast::Agent::Reporting::LibraryUsageObservation.convert(value)
-          end
-        end
         def validate
           raise(ArgumentError, "#{ self } did not have observations. Unable to continue.") if observations.empty?
         end
+        def clear
+          @observations = []
+        end
       end
     end
   end

data/lib/contrast/agent/reporting/reporting_events/observed_route.rb CHANGED Viewed

@@ -47,7 +47,7 @@ module Contrast
         def to_controlled_hash
           validate
           rc_hash = {
-              session_id: @agent_session_id_value,
+              session_id: ::Contrast::ASSESS.session_id,
               sources: @sources.map(&:to_controlled_hash),
               signature: @signature,
               verb: @verb,

data/lib/contrast/agent/reporting/reporting_events/preflight_message.rb CHANGED Viewed

@@ -30,7 +30,6 @@ module Contrast
           @app_name = ::Contrast::APP_CONTEXT.app_name
           @app_version = ::Contrast::APP_CONTEXT.app_version
           @routes = []
-          @agent_session_id_value = ::Contrast::ASSESS.session_id
         end
         # Convert the instance variables on the class, and other information, into the identifiers required for
@@ -48,7 +47,7 @@ module Contrast
               data: '',
               key: 0,
               routes: @routes,
-              session_id: @agent_session_id_value
+              session_id: ::Contrast::ASSESS.session_id
           }
         end
@@ -60,7 +59,7 @@ module Contrast
           unless @app_language
             raise(ArgumentError, "#{ cs__class } did not have a proper application language. Unable to continue.")
           end
-          unless @agent_session_id_value
+          unless ::Contrast::ASSESS.session_id
             raise(ArgumentError, "#{ cs__class } did not have a proper session id. Unable to continue.")
           end

data/lib/contrast/agent/reporting/reporting_events/reporting_event.rb CHANGED Viewed

@@ -20,9 +20,7 @@ module Contrast
         attr_reader :event_method
         def initialize
-          @agent_session_id_value = ::Contrast::ASSESS.session_id
-          @event_endpoint ||= nil
-          @event_method ||= :POST
+          @event_method ||= :POST # rubocop:disable Lint/DisjunctiveAssignmentInConstructor
         end
         # Some reports require specific additional headers to be used. To that end, we'll attach them here, letting

data/lib/contrast/agent/reporting/reporting_events/route_coverage.rb CHANGED Viewed

@@ -32,6 +32,15 @@ module Contrast
           @count = 0
         end
+        # Parse the given controller and route from a Rack based application framework in order to create an instance
+        # of this class
+        #
+        # @param final_controller [Grape::API, Sinatra::Base] the controller responsible for the definition of the
+        #   entrypoint of the route actively being executed
+        # @param method [String] the HTTP request method of the route actively being executed
+        # @param route_pattern [Grape::Router::Route, Mustermann::Sinatra] the pattern to which the url maps
+        # @param url [String] the literal url of the route actively being executed
+        # @return [Contrast::Agent::Reporting::RouteCoverage]
         def attach_rack_based_data final_controller, method, route_pattern, url = nil
           if route_pattern.cs__is_a?(Grape::Router::Route)
             safe_pattern = route_pattern.pattern&.path&.to_s

data/lib/contrast/agent/reporting/reporting_utilities/audit.rb CHANGED Viewed

@@ -16,7 +16,7 @@ module Contrast
         attr_reader :path_for_requests, :path_for_responses
         def initialize
-          generate_paths if enabled? && Contrast::CONTRAST_SERVICE.use_agent_communication?
+          generate_paths if enabled?
         end
         # This method will be handling the auditing of the requests and responses we send to SpeedRacer. If the audit
@@ -45,7 +45,6 @@ module Contrast
         # @param data[String] String representation if the logged data
         def log_data type, file_name, data = nil
           return unless enabled?
-          return unless Contrast::CONTRAST_SERVICE.use_agent_communication?
           logger.debug('logging to file', file_name: file_name) # TODO: RUBY-99999 DO NOT COMMIT THIS
           write_to_file(type, file_name, data)

data/lib/contrast/agent/reporting/reporting_utilities/dtm_message.rb CHANGED Viewed

@@ -21,15 +21,6 @@ module Contrast
             dtm.cs__is_a?(Contrast::Api::Dtm::ServerActivity)
           end
-          # Checks if the message is a Hash of Contrast::Api::Dtm::LibraryUsageUpdate class
-          #
-          # @param message [Protobuf::Field::FieldHash<String,::Contrast::Api::Dtm::LibraryUsageUpdate>]
-          # @return [Boolean]
-          def library_usage? message
-            message.cs__is_a?(Protobuf::Field::FieldHash) &&
-                message.values[0].cs__is_a?(Contrast::Api::Dtm::LibraryUsageUpdate)
-          end
           # Checks if the message is of Contrast::Api::Dtm::ApplicationUpdate class
           #
           # @param dtm [Contrast::Api::Dtm::ApplicationUpdate,Object]
@@ -61,7 +52,6 @@ module Contrast
             return Contrast::Agent::Reporting::ServerActivity.new if server_activity?(dtm)
             # For the others, we convert them.
-            return Contrast::Agent::Reporting::ObservedLibraryUsage.convert(dtm) if library_usage?(dtm)
             return Contrast::Agent::Reporting::ApplicationUpdate.convert(dtm) if application_update?(dtm)
             return Contrast::Agent::Reporting::Finding.convert(dtm) if finding?(dtm)
             return Contrast::Agent::Reporting::ApplicationActivity.convert(dtm) if activity?(dtm)

data/lib/contrast/agent/reporting/reporting_utilities/headers.rb CHANGED Viewed

@@ -13,11 +13,10 @@ module Contrast
         attr_reader :app_name, :api_key, :agent_version, :app_language, :app_path, :app_version, :authorization,
                     :server_name, :server_path, :server_type, :content_type, :encoding
+        include Contrast::Utils::ObjectShare
         ENCODING = 'base64'
         CONTENT_TYPE = 'application/json'
-        include Contrast::Utils::ObjectShare
         def initialize
           @app_name = Base64.strict_encode64(Contrast::APP_CONTEXT.app_name)
           @api_key = Contrast::API.api_key

data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb CHANGED Viewed

@@ -21,8 +21,13 @@ module Contrast
         include Contrast::Agent::Reporting::Endpoints
         include Contrast::Agent::Reporting::ReporterClientUtils
-        SERVICE_NAME = 'Reporter'
         include Contrast::Components::Logger::InstanceMethods
+        SERVICE_NAME = 'Reporter'
+        def initialize
+          @headers = Contrast::Agent::Reporting::Headers.new
+          super()
+        end
         # This method initializes the Net::HTTP client we'll need. it will validate
         # the connection and make the first request. If connection is valid and response
         # is available then the open connection is returned.
@@ -33,11 +38,6 @@ module Contrast
           super(SERVICE_NAME, Contrast::API.api_url, use_proxy: true, use_custom_cert: true)
         end
-        def initialize
-          @headers = Contrast::Agent::Reporting::Headers.new
-          super()
-        end
         # Start the client for first time and sent startup event
         #
         # @param connection [Net::HTTP] open connection
@@ -56,7 +56,6 @@ module Contrast
         # @param send_immediately [Boolean] flag for the logger
         # @return response [Net::HTTP::Response, nil] response from TS if no response
         def send_event event, connection, send_immediately: false
-          return unless Contrast::Agent::Reporter.enabled?
           return unless connection
           log_send_event(event) if send_immediately

data/lib/contrast/agent/reporting/reporting_utilities/response.rb CHANGED Viewed

@@ -3,6 +3,7 @@
 require 'contrast/agent/reporting/settings/application_settings'
 require 'contrast/agent/reporting/settings/server_features'
+require 'contrast/agent/reporting/settings/reaction'
 module Contrast
   module Agent
@@ -18,22 +19,79 @@ module Contrast
         # All of the feature server_features
         #
-        # @return server_features [Contrast::Agent::Reporting::Settings::FeatureSettings, nil]
+        # @return [Contrast::Agent::Reporting::Settings::FeatureSettings, nil]
         attr_accessor :server_features
+        # Success boolean message value
+        #
+        # @return [Boolean]
+        attr_accessor :success
+        # Message with reasons for success or fail.
+        #
+        # @return [Array<String>] Messages received from TS.
+        attr_accessor :messages
         class << self
-          def application_response
+          # All of the settings from TeamServer that apply at the application level.
+          #
+          # @return response [Contrast::Agent::Reporting::Response]
+          def build_application_response
             res = new
             res.application_settings = Contrast::Agent::Reporting::Settings::ApplicationSettings.new
             res
           end
-          def server_response
+          # All of the settings from TeamServer that apply at the server level.
+          #
+          # @return response [Contrast::Agent::Reporting::Response]
+          def build_server_response
             res = new
             res.server_features = Contrast::Agent::Reporting::Settings::ServerFeatures.new
             res
           end
         end
+        # Reaction the agent should take based on a state in TS.
+        # This is moved one level up because the responses we
+        # receive for feature and settings from TS have different
+        # place to store these reactions:
+        #
+        # body.reactions vs body.settings.reactions
+        #
+        # @return [Array<Contrast::Agent::Reporting::Settings::Reaction>]
+        def reactions
+          @_reactions ||= []
+        end
+        # Set the reaction
+        #
+        # @param reaction_array [Array<Reaction>] {
+        #   level     [String] The level at which the agent should log this reaction.
+        #                      [ERROR, WARN, INFO, DEBUG, TRACE]
+        #   message   [String] A message to log when receiving this reaction.
+        #   operation [String] What to do in response to this reaction.[NOOP, DISABLE] }
+        # @return [Array<Contrast::Agent::Reporting::Settings::Reaction>]
+        def reactions= reaction_array
+          return unless reaction_array.is_a?(Array)
+          reaction_array.each do |r|
+            reactions << Contrast::Agent::Reporting::Settings::Reaction.new(r[:level], r[:operation], r[:message])
+          end
+        end
+        # This method is used only for testing with golden files.
+        def to_controlled_hash
+          {
+              success: success,
+              messages: messages,
+              features: server_features.nil? ? nil : server_features.to_controlled_hash,
+              settings: application_settings.nil? ? nil : application_settings.to_controlled_hash,
+              logLevel: server_features&.log_level,
+              logFile: server_features&.log_file,
+              reactions: server_features.nil? ? nil : reactions.map(&:to_controlled_hash)
+          }.compact
+        end
       end
     end
   end

data/lib/contrast/agent/reporting/reporting_utilities/response_extractor.rb CHANGED Viewed

@@ -24,7 +24,6 @@ module Contrast
           protect = response_data[:settings][:defend]
           return unless protect
-          # TODO: RUBY-1636 should this be `:rules` or `:protectionRules`
           res.application_settings.protect.protection_rules = protect[:protectionRules]
           res.application_settings.protect.virtual_patches = protect[:virtualPatches]
         end
@@ -40,10 +39,14 @@ module Contrast
           res.application_settings.exclusions.url_exclusions = exclusions[:urlExceptions]
         end
+        # The responses we receive for feature and settings from TS have different
+        # place to store these reactions: body.reactions vs body.settings.reactions.
+        #
         # @param response_data [Hash]
         # @param res [Contrast::Agent::Reporting::Response]
         def extract_reactions response_data, res
-          res.application_settings.reactions = response_data[:settings][:reactions]
+          res.reactions = response_data[:settings][:reactions] if response_data[:settings]
+          res.reactions = response_data[:reactions] if response_data[:features]
         end
         # @param response_data [Hash]
@@ -65,10 +68,17 @@ module Contrast
           return unless protect
           res.server_features.protect.enabled = protect[:enabled]
-          res.server_features.protect.bot_blocker = protect[:'bot-blocker']
-          # TODO: RUBY-1636 should this be `:rules` or `:protectionRules`
-          # process the botBlockers field
-          res.server_features.protect.syslog = protect[:syslog]
+          res.server_features.protect.bot_blocker.enable = protect[:'bot-blocker']
+          res.server_features.protect.bot_blocker.bots = protect[:botBlockers]
+          extract_syslog(response_data, res)
+        end
+        # @param response_data [Hash]
+        # @param res [Contrast::Agent::Reporting::Response]
+        def extract_syslog response_data, res
+          return unless (syslog = response_data[:features][:defend][:syslog])
+          res.server_features.protect.syslog.assign_array(syslog)
         end
         # @param response_data [Hash]
@@ -78,21 +88,33 @@ module Contrast
           return unless protect
           res.server_features.protect.ip_allowlist = protect[:ipAllowlist]
-          res.server_features.protect.ip_denylist = protect[:ipDenyList]
-          res.server_features.protect.log_enchancers = protect[:logEnhancers]
+          res.server_features.protect.ip_denylist = protect[:ipDenylist]
+          res.server_features.protect.log_enhancers = protect[:logEnhancers]
           res.server_features.protect.rule_definition_list = protect[:ruleDefinitionList]
         end
         # Here we extract the rules and state for the sensitive data masking policy
-        # Received from TS.
+        # received from TS.
         #
         # @param response_data [Hash]
         # @param res [Contrast::Agent::Reporting::Response]
         def extract_sensitive_data_policy response_data, res
-          sensitive_data = response_data[:settings][:sensitive_data_masking_policy]
+          return unless (sensitive_data = response_data[:settings][:sensitive_data_masking_policy])
           res.application_settings.sensitive_data_masking.mask_http_body = sensitive_data[:mask_http_body]
           res.application_settings.sensitive_data_masking.mask_attack_vector = sensitive_data[:mask_attack_vector]
-          res.application_settings.sensitive_data_masking.build_rules_form_settings sensitive_data[:rules]
+          res.application_settings.sensitive_data_masking.build_rules_form_settings(sensitive_data[:rules])
+        end
+        # Here we extract the log settings received from TS.
+        #
+        # @param response_data [Hash]
+        # @param res [Contrast::Agent::Reporting::Response]
+        def extract_log_settings response_data, res
+          return unless (log_level = response_data[:logLevel])
+          res.server_features.log_level = log_level
+          res.server_features.log_file = response_data[:logFile] if response_data[:logFile]
         end
       end
     end

data/lib/contrast/agent/reporting/reporting_utilities/response_handler.rb CHANGED Viewed

@@ -78,19 +78,19 @@ module Contrast
         def handle_error response
           case response&.code
           when ERROR_CODES[:message_not_sent]
-            handle_response_errors response, UNSUCCESSFULLY_RECEIVED_MSG, mode.running
+            handle_response_errors(response, UNSUCCESSFULLY_RECEIVED_MSG, mode.running)
           when ERROR_CODES[:access_forbidden]
-            handle_response_errors response, FORBIDDEN_MSG, mode.running
+            handle_response_errors(response, FORBIDDEN_MSG, mode.running)
           when ERROR_CODES[:access_forbidden_no_action]
-            handle_response_errors response, FORBIDDEN_NO_ACTION_MSG, mode.running
+            handle_response_errors(response, FORBIDDEN_NO_ACTION_MSG, mode.running)
           when ERROR_CODES[:application_do_not_exist]
-            handle_response_errors response, APP_NON_EXISTENT_MSG, mode.disabled
+            handle_response_errors(response, APP_NON_EXISTENT_MSG, mode.disabled)
           when ERROR_CODES[:unprocessable_entity]
-            handle_response_errors response, UNPROCESSABLE_ENTITY_MSG, mode.disabled
+            handle_response_errors(response, UNPROCESSABLE_ENTITY_MSG, mode.disabled)
           when ERROR_CODES[:too_many_requests]
-            handle_response_errors response, RETRY_AFTER_MSG, mode.resending
+            handle_response_errors(response, RETRY_AFTER_MSG, mode.resending)
           else
-            logger.debug('Response Error code could not be processed')
+            logger.error('Response Error code could not be processed')
           end
         end
@@ -102,7 +102,7 @@ module Contrast
         # @param error_message [String, nil] Error message if any received.
         def suspend_reporting message, timeout, error_message
           @_timeout = timeout || Contrast::Agent::Reporting::ResponseHandler::TIMEOUT
-          log_debug_msg message, timeout: @_timeout, error_message: error_message || 'none'
+          log_debug_msg(message, timeout: @_timeout, error_message: error_message || 'none')
           @_sleep = true
         end