contrast-agent 6.1.0 → 6.2.0

data/lib/contrast/agent/reporting/settings/helpers.rb

@@ -0,0 +1,56 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Reporting
+      module Settings
+        # Helper methods used across the settings.
+        module Helpers
+          class << self
+            # Fills instance variable [Array] with new settings as new instance type
+            # for each entry.
+            #
+            # @param instance_type [Class] a class to create new instance from to
+            # @param instance_variable [Array] instance variable accessor method
+            # return an array to fill.
+            # @param array [Array] array to be used to fill the iv.
+            # fill the iv with the new type containing data from the provided array
+            # param.
+            # @return instance_variable [Class]
+            def array_to_iv instance_type, instance_variable, array
+              return unless array.is_a?(Array)
+
+              array.each_with_index do |entry, index|
+                new_instance = instance_type.new
+                instance_type::ATTRIBUTES.each do |attr|
+                  new_instance.send("#{ attr }=".to_sym, entry[no_more_underscore(attr)])
+                end
+                instance_variable[index] = new_instance
+              end
+
+              instance_variable
+            end
+
+            # :attr_name => :attrName
+            # return original if no '_'
+            #
+            # @param attr_name [Symbol]
+            # @return normalized_name [Symbol]
+            def no_more_underscore attr_name
+              name = attr_name.to_s
+              idx = name.index('_')
+              return attr_name if idx.nil? || (idx.zero? && idx >= name.length)
+
+              result = name
+              result.slice!(idx)
+              result.insert(idx, name[idx]&.upcase)
+              result.slice!(idx + 1)
+              result.index('_') ? no_more_underscore(result).to_sym : result.to_sym
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/settings/input_exclusion.rb

@@ -0,0 +1,37 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/reporting/settings/exclusion_base'
+require 'contrast/utils/object_share'
+
+module Contrast
+  module Agent
+    module Reporting
+      module Settings
+        # InputExclusions class
+        class InputExclusion < ExclusionBase
+          ATTRIBUTES = BASE_ATTRIBUTES.dup << :type
+          ATTRIBUTES.cs__freeze
+          VALID_INPUT_TYPES = %w[COOKIE PARAMETER HEADER BODY QUERYSTRING].cs__freeze
+
+          # @return type [String] The type of the input
+          def type
+            @_type ||= Contrast::Utils::ObjectShare::EMPTY_STRING
+          end
+
+          # @param new_type [String] Set new input type.
+          # @return type [String] The type of the input.
+          def type= new_type
+            @_type = new_type if VALID_INPUT_TYPES.include?(new_type)
+          end
+
+          def to_controlled_hash
+            hash = super
+            hash[:type] = type
+            hash
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/settings/ip_filter.rb

@@ -0,0 +1,35 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Reporting
+      module Settings
+        # The IP addresses for which to disable protection.
+        class IpFilter
+          ATTRIBUTES = %i[expires ip name uuid].cs__freeze
+
+          # The value in milliseconds since epoch for expiration. Value of '0' means no expiration.
+          #
+          # @return expires [Integer] The time after which the filter is no longer valid.
+          attr_accessor :expires
+          # @return  ip [String] The IP or range of IPs to which this message pertains.
+          attr_accessor :ip
+          # @return  name [String] The user defined name of the filter.
+          attr_accessor :name
+          # @return  uuid [String] The identifier of the filter as defined by TeamServer.
+          attr_accessor :uuid
+
+          def to_controlled_hash
+            {
+                expires: expires,
+                ip: ip,
+                name: name, # rubocop:disable Security/Module/Name
+                uuid: uuid
+            }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/settings/keyword.rb

@@ -0,0 +1,74 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/reporting/settings/helpers'
+
+module Contrast
+  module Agent
+    module Reporting
+      module Settings
+        # The words to search for in input that indicate an attack
+        class Keyword
+          ATTRIBUTES = %i[id value case_sensitive score prohibited_features mandatory_features].cs__freeze
+
+          # @return id [String]
+          attr_accessor :id
+          # @return value [string]
+          attr_accessor :value
+          # @return case_sensitive [Boolean]
+          attr_accessor :case_sensitive
+          # @return score [Integer] The impact of matching this entry;
+          # higher meaning more likely to be an attack
+          attr_accessor :score
+
+          # Disable this pattern or keyword if agent implements one of
+          # the specified features
+          #
+          # @return [Array<String>]
+          def prohibited_features
+            @_prohibited_features ||= []
+          end
+
+          # Disable this pattern or keyword if agent implements one of
+          # the specified features
+          #
+          # @return [Array<String>]
+          def mandatory_features
+            @_mandatory_features ||= []
+          end
+
+          # Set the features.
+          #
+          # @param features [Array]
+          # @return [Array<String>]
+          def prohibited_features= features
+            @_prohibited_features = features if features.is_a?(Array)
+          end
+
+          # Set the features.
+          #
+          # @param features [Array]
+          # @return [Array<String>]
+          def mandatory_features= features
+            @_mandatory_features = features if features.is_a?(Array)
+          end
+
+          def to_controlled_hash
+            {
+                id: id,
+                value: value,
+                caseSensitive: case_sensitive,
+                score: score,
+                prohibitedFeatures: prohibited_features,
+                mandatoryFeatures: mandatory_features
+            }
+          end
+        end
+
+        #  A word or pattern whose presence in an input represents an attack
+        class Pattern < Keyword
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/settings/log_enhancer.rb

@@ -0,0 +1,65 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+
+module Contrast
+  module Agent
+    module Reporting
+      module Settings
+        # All of the apis to add new logging calls to the application at runtime
+        class LogEnhancer
+          ATTRIBUTES = %i[id api format level name type].cs__freeze
+          LOG_LEVELS = %w[TRACE DEBUG INFO WARN ERROR].cs__freeze
+          TYPES = %w[AUDIT ERROR SECURITY].cs__freeze
+
+          # @return api [String]  The method signature to instrument, as understood by the agent.
+          attr_accessor :api
+          # @return format [String] The format of the message to log.
+          attr_accessor :format
+          # @return id [Integer] The identifier of the enhancer as defined by TeamServer.
+          attr_accessor :id
+          # @return name [String] The user defined name of the enhancer.
+          attr_accessor :name
+
+          # @return level [String] The level at which to log this message. Trace as 0 and Error as 4.
+          # [ TRACE, DEBUG, INFO, WARN, ERROR ]
+          def level
+            @_level ||= Contrast::Utils::ObjectShare::EMPTY_STRING
+          end
+
+          # @param new_level [String] new level to set.
+          # @return level [String] The level at which to log this message. Trace as 0 and Error as 4.
+          # [ TRACE, DEBUG, INFO, WARN, ERROR ]
+          def level= new_level
+            @_level = new_level if LOG_LEVELS.include?(new_level)
+          end
+
+          # @return type [String] The type of log message to generate. Audit as 0, Security as 2.
+          # [ AUDIT, ERROR, SECURITY ]
+          def type
+            @_type ||= Contrast::Utils::ObjectShare::EMPTY_STRING
+          end
+
+          # @param new_type [String] new type to set.
+          # @return type [String] The type of log message to generate. Audit as 0, Security as 2.
+          # [ AUDIT, ERROR, SECURITY ]
+          def type= new_type
+            @_type = new_type if TYPES.include?(new_type)
+          end
+
+          def to_controlled_hash
+            {
+                id: id,
+                api: api,
+                format: format,
+                name: name, # rubocop:disable Security/Module/Name
+                level: level,
+                type: type
+            }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/settings/protect.rb

@@ -2,6 +2,8 @@
 # frozen_string_literal: true
 
 require 'contrast/utils/object_share'
+require 'contrast/api/dtm.pb'
+require 'contrast/api/settings.pb'
 
 module Contrast
   module Agent
@@ -11,7 +13,7 @@ module Contrast
         # Application level settings for the Protect featureset
         class Protect
           # block at perimeter needs to be check against the blockAtEntry boolean value
-          PROTECT_RULES_MODE = %w[OFF BLOCKING MONITORING].cs__freeze
+          PROTECT_RULES_MODE = %w[OFF MONITORING BLOCKING].cs__freeze
           # The settings for each protect rule for this application
           #
           # @return protection_rules [Array<protectRule>] protectRule: {
@@ -33,7 +35,7 @@ module Contrast
           #   id           [String] The id of a rule in Contrast.
           #   mode         [String] The mode that this rule should run in. [OFF, MONITORING, BLOCKING] }
           def protection_rules= protection_rules
-            @_protection_rules = protection_rules if protection_rules.is_a? Array
+            @_protection_rules = protection_rules if protection_rules.is_a?(Array)
           end
 
           # The virtual patches to apply for this application
@@ -66,7 +68,7 @@ module Contrast
           #   urls       [Array] The urls that must be present in the request to result in the request being blocked.
           #   uuids      [String] The UUID of the Virtual Patch }
           def virtual_patches= virtual_patches
-            @_virtual_patches = virtual_patches if virtual_patches.is_a? Array
+            @_virtual_patches = virtual_patches if virtual_patches.is_a?(Array)
           end
 
           # Converts settings into Agent Settings understandable hash {RULE_ID => MODE}
@@ -77,8 +79,23 @@ module Contrast
 
             modes_by_id = {}
             protection_rules.each do |rule|
-              PROTECT_RULES_MODE.include? rule[:mode]
-              modes_by_id[rule[:id]] = rule[:mode]
+              setting_mode = rule[:mode]
+              next unless PROTECT_RULES_MODE.include?(setting_mode)
+
+              api_mode = case setting_mode
+                         when PROTECT_RULES_MODE[1]
+                           ::Contrast::Api::Settings::ProtectionRule::Mode::MONITOR
+                         when PROTECT_RULES_MODE[2]
+                           if rule[:blockAtEntry]
+                             ::Contrast::Api::Settings::ProtectionRule::Mode::BLOCK_AT_PERIMETER
+                           else
+                             ::Contrast::Api::Settings::ProtectionRule::Mode::BLOCK
+                           end
+                         else
+                           ::Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION
+                         end
+
+              modes_by_id[rule[:id]] = api_mode
             end
             modes_by_id
           end

data/lib/contrast/agent/reporting/settings/protect_server_feature.rb

@@ -2,6 +2,12 @@
 # frozen_string_literal: true
 
 require 'contrast/utils/object_share'
+require 'contrast/agent/reporting/settings/bot_blocker'
+require 'contrast/agent/reporting/settings/ip_filter'
+require 'contrast/agent/reporting/settings/log_enhancer'
+require 'contrast/agent/reporting/settings/rule_definition'
+require 'contrast/agent/reporting/settings/syslog'
+require 'contrast/agent/reporting/settings/helpers'
 
 module Contrast
   module Agent
@@ -28,22 +34,14 @@ module Contrast
 
           # Indicate if the bot protection feature set is enabled for this server or not.
           #
-          # @return bot_blocker [Boolean]
+          # @return bot_blocker [Contrast::Agent::Reporting::Settings::BotBlocker]
           def bot_blocker
-            @_bot_blocker
-          end
-
-          # set bot_blocker
-          #
-          # @param bot_blocker [Boolean]
-          # @return bot_blocker [Boolean]
-          def bot_blocker= bot_blocker
-            @_bot_blocker = bot_blocker if !!bot_blocker == bot_blocker
+            @_bot_blocker ||= Contrast::Agent::Reporting::Settings::BotBlocker.new
           end
 
           # The IP addresses for which to disable protection.
           #
-          # @return ip_allowlist [Array<IpFilter>]
+          # @return ip_allowlist [Array<Contrast::Agent::Reporting::Settings::IpFilter>, []]
           #   expires [Integer] The time after which the filter is no longer valid.
           #   ip      [String] The IP or range of IPs to which this message pertains.
           #   name    [String] The user defined name of the filter.
@@ -60,18 +58,16 @@ module Contrast
           #   name    [String] The user defined name of the filter.
           #   uuid    [String] The identifier of the filter as defined by TeamServer.
           # }
-          # @return ip_allowlist [Array<IpFilter>]
-          #   expires [Integer] The time after which the filter is no longer valid.
-          #   ip      [String] The IP or range of IPs to which this message pertains.
-          #   name    [String] The user defined name of the filter.
-          #   uuid    [String] The identifier of the filter as defined by TeamServer.
+          # @return ip_allowlist [Array<Contrast::Agent::Reporting::Settings::IpFilter>]
           def ip_allowlist= allowlist
-            @_ip_allowlist = allowlist if allowlist.is_a? Array
+            Contrast::Agent::Reporting::Settings::Helpers.array_to_iv(Contrast::Agent::Reporting::Settings::IpFilter,
+                                                                      ip_allowlist,
+                                                                      allowlist)
           end
 
           # The IP addresses for which to disable protection.
           #
-          # @return ip_denylist [Array<IpFilter>]
+          # @return ip_denylist [Array<IpFilter>, []]
           #                     expires [Integer] The time after which the filter is no longer valid.
           #                     ip      [String] The IP or range of IPs to which this message pertains.
           #                     name    [String] The user defined name of the filter.
@@ -88,72 +84,42 @@ module Contrast
           #   name    [String] The user defined name of the filter.
           #   uuid    [String] The identifier of the filter as defined by TeamServer.
           # }
-          # @return ip_denylist [Array<IpFilter>]
-          #                     expires [Integer] The time after which the filter is no longer valid.
-          #                     ip      [String] The IP or range of IPs to which this message pertains.
-          #                     name    [String] The user defined name of the filter.
-          #                     uuid    [String] The identifier of the filter as defined by TeamServer.
+          # @return ip_denylist [Array<Contrast::Agent::Reporting::Settings::IpFilter>]
           def ip_denylist= denylist
-            @_ip_denylist = denylist if denylist.is_a? Array
+            Contrast::Agent::Reporting::Settings::Helpers.array_to_iv(Contrast::Agent::Reporting::Settings::IpFilter,
+                                                                      ip_denylist,
+                                                                      denylist)
           end
 
           # All of the apis to add new logging calls to the application at runtime.
           #
-          # @return log_enchancers [Array<LogEnchancers>]
-          #    api     [String]  The method signature to instrument, as understood by the agent.
-          #    format  [String]  The format of the message to log.
-          #    id      [Integer] The identifier of the enhancer as defined by TeamServer.
-          #    level   [String] The level at which to log this message. Trace as 0 and Error as 4.
-          #                     [ TRACE, DEBUG, INFO, WARN, ERROR ]
-          #    name    [String] The user defined name of the enhancer.
-          #    type    [String] The type of log message to tenerate. Audit as 0, Security as 2.
-          #                     [ AUDIT, ERROR, SECURITY ]
-          def log_enchancers
-            @_log_enchancers ||= []
+          # @return log_enhancers [Array<Contrast::Agent::Reporting::Settings::LogEnhancer>, []]
+          def log_enhancers
+            @_log_enhancers ||= []
           end
 
           # All of the apis to add new logging calls to the application at runtime.
           #
-          # @param log_enchancers [Array<LogEnchancers>] of LogEnchancers: {
+          # @param log_enhancers_array [Array<LogEnhancers>] of LogEnhancers: {
           #    api     [String]  The method signature to instrument, as understood by the agent.
           #    format  [String]  The format of the message to log.
           #    id      [Integer] The identifier of the enhancer as defined by TeamServer.
           #    level   [String] The level at which to log this message. Trace as 0 and Error as 4.
           #                     [ TRACE, DEBUG, INFO, WARN, ERROR ]
           #    name    [String] The user defined name of the enhancer.
-          #    type    [String] The type of log message to tenerate. Audit as 0, Security as 2.
+          #    type    [String] The type of log message to generate. Audit as 0, Security as 2.
           #                     [ AUDIT, ERROR, SECURITY ]
           # }
-          # @return log_enchancers [Array<LogEnchancers>]
-          #    api     [String]  The method signature to instrument, as understood by the agent.
-          #    format  [String]  The format of the message to log.
-          #    id      [Integer] The identifier of the enhancer as defined by TeamServer.
-          #    level   [String] The level at which to log this message. Trace as 0 and Error as 4.
-          #                     [ TRACE, DEBUG, INFO, WARN, ERROR ]
-          #    name    [String] The user defined name of the enhancer.
-          #    type    [String] The type of log message to tenerate. Audit as 0, Security as 2.
-          #                     [ AUDIT, ERROR, SECURITY ]
-          def log_enchancers= log_enchancers
-            @_log_enchancers = log_enchancers if log_enchancers.is_a? Array
+          # @return log_enhancers [Array<Contrast::Agent::Reporting::Settings::LogEnhancer>]
+          def log_enhancers= log_enhancers_array
+            Contrast::Agent::Reporting::Settings::Helpers.array_to_iv(Contrast::Agent::Reporting::Settings::LogEnhancer,
+                                                                      log_enhancers,
+                                                                      log_enhancers_array)
           end
 
           # The keywords and patterns required for the input analysis of each rule with that capability.
           #
-          # @return rule_defenition_list [Array<RuleDefinition>]
-          #   keywords [Array] The words to search for in input that indicate an attack.{
-          #                     caseSensitive [Boolean]
-          #                     id            [String]
-          #                     score         [Integer] The impact of matching this entry; higher meaning more
-          #                                             likely to be an attack
-          #                     value         [String] }
-          #   name   [String] 	AssessRuleID
-          #   patterns [Array] A word or pattern whose presence in an input represents an attack {
-          #                     caseSensitive [Boolean]
-          #                     id            [String]
-          #                    score          [Integer] The impact of matching this entry; higher meaning more
-          #                                            likely to be an attack
-          #                    value          [String] }
-          # }
+          # @return rule_definition_list [Array<Contrast::Agent::Reporting::Settings::RuleDefinition>]
           def rule_definition_list
             @_rule_definition_list ||= []
           end
@@ -175,66 +141,47 @@ module Contrast
           #                                            likely to be an attack
           #                    value          [String] }
           # }
-          # @return rule_defenition_list [Array<RuleDefinition>]  Array of RuleDefinition: {
-          #   keywords [Array] The words to search for in input that indicate an attack.{
-          #                     caseSensitive [Boolean]
-          #                     id            [String]
-          #                     score         [Integer] The impact of matching this entry; higher meaning more
-          #                                             likely to be an attack
-          #                     value         [String] }
-          #   name   [String] 	AssessRuleID
-          #   patterns [Array] A word or pattern whose presence in an input represents an attack {
-          #                     caseSensitive [Boolean]
-          #                     id            [String]
-          #                    score          [Integer] The impact of matching this entry; higher meaning more
-          #                                            likely to be an attack
-          #                    value          [String] }
-          # }
+          # @return rule_definition_list [Array<Contrast::Agent::Reporting::Settings::RuleDefinition>]
           def rule_definition_list= list
-            @_rule_definition_list = list if list.is_a? Array
+            Contrast::Agent::Reporting::Settings::Helpers.array_to_iv(
+                Contrast::Agent::Reporting::Settings::RuleDefinition,
+                rule_definition_list,
+                list)
           end
 
           # Controls for the syslogging feature in the agent.
           #
-          # @return syslog [Hash<logsSettings>]
-          #   syslogConnectionType    [String]
-          #   syslogEnabled           [Integer]
-          #   syslogFacilityCode      [Integer]
-          #   syslogIpAddress         [String]
-          #   syslogPortNumber        [Integer]
-          #   syslogProtocol          [String]
-          #   syslogSeverityExploited [String]
-          #   syslogSeverityProbed    [String]
-          #   syslogSeveritySuspicous [String]
+          # @return syslog [Contrast::Agent::Reporting::Settings::Syslog]
           def syslog
-            @_syslog ||= {}
+            @_syslog ||= Contrast::Agent::Reporting::Settings::Syslog.new
           end
 
-          # Controls for the syslogging feature in the agent.
-          #
-          # @param log [Hash<logsSettings>] {
-          #   syslogConnectionType    [String]
-          #   syslogEnabled           [Integer]
-          #   syslogFacilityCode      [Integer]
-          #   syslogIpAddress         [String]
-          #   syslogPortNumber        [Integer]
-          #   syslogProtocol          [String]
-          #   syslogSeverityExploited [String]
-          #   syslogSeverityProbed    [String]
-          #   syslogSeveritySuspicous [String]
-          # }
-          # @return syslog [Hash<logsSettings>]
-          #   syslogConnectionType    [String]
-          #   syslogEnabled           [Integer]
-          #   syslogFacilityCode      [Integer]
-          #   syslogIpAddress         [String]
-          #   syslogPortNumber        [Integer]
-          #   syslogProtocol          [String]
-          #   syslogSeverityExploited [String]
-          #   syslogSeverityProbed    [String]
-          #   syslogSeveritySuspicous [String]
-          def syslog= log
-            @_syslog = log if log.is_a? Hash
+          # The protect response should be structured like this:
+          # protect{ enable, observability, rules, log_enhancers }
+          # instead we receive all the data under the protect:
+          # the rules array is merged under protect and the ruleDefinition
+          # list is separate:
+          # "defend" : {
+          #       "botBlockers" : [],
+          #       "enabled" : true,
+          #       "logEnhancers" : [],
+          #       "ipDenylist" : [],
+          #       "ipAllowlist" : [],
+          #       "syslog" : {},
+          #       "ruleDefinitionList" : [{...}],
+          #       "bot-blocker" : false
+          #     },
+          def to_controlled_hash
+            {
+                botBlockers: bot_blocker.bots.map(&:to_controlled_hash),
+                enabled: enabled?,
+                logEnhancers: log_enhancers.map(&:to_controlled_hash),
+                ipDenylist: ip_denylist.map(&:to_controlled_hash),
+                ipAllowlist: ip_allowlist.map(&:to_controlled_hash),
+                syslog: syslog.to_controlled_hash,
+                ruleDefinitionList: rule_definition_list.map(&:to_controlled_hash),
+                'bot-blocker': bot_blocker.to_controlled_hash
+            }
           end
         end
       end

data/lib/contrast/agent/reporting/settings/reaction.rb

@@ -1,6 +1,8 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/agent/reporting/settings/log_enhancer'
+
 module Contrast
   module Agent
     module Reporting
@@ -10,7 +12,6 @@ module Contrast
           attr_accessor :level, :operation, :message
 
           # used to check the parameters and also before reactions settings update
-          LEVELS = %w[ERROR WARN INFO DEBUG TRACE].cs__freeze
           OPERATIONS = %w[NOOP DISABLE].cs__freeze
 
           # Reaction the agent should take based on a state in TS.
@@ -19,9 +20,17 @@ module Contrast
           # @param message [String] A message to log when receiving this reaction.
           # @param operation [String] What to do in response to this reaction.[NOOP, DISABLE]
           def initialize level, operation, message
-            @level = level if LEVELS.include? level
-            @operation = operation if OPERATIONS.include? operation
-            @message = message if message.is_a? String
+            @level = level if Contrast::Agent::Reporting::Settings::LogEnhancer::LOG_LEVELS.include?(level)
+            @operation = operation if OPERATIONS.include?(operation)
+            @message = message if message.is_a?(String)
+          end
+
+          def to_controlled_hash
+            {
+                message: message,
+                level: level,
+                operation: operation
+            }
           end
         end
       end