contrast-agent 6.1.1 → 6.3.0

data/lib/contrast/agent/reporting/reporting_events/library_discovery.rb

@@ -2,6 +2,8 @@
 # frozen_string_literal: true
 
 require 'contrast/api/dtm.pb'
+require 'contrast/utils/string_utils'
+require 'contrast/components/logger'
 
 module Contrast
   module Agent
@@ -16,41 +18,31 @@ module Contrast
       # @attr_reader file [String] the name of the Gem. Required for reporting.
       # @attr_reader hash [String] the Sha256 of the Gem, matching its hash in RubyGems. Required for reporting.
       # @attr_reader internal_date [Integer] the time, in ms, when the Gem was published. Required for reporting.
-      # @attr_reader manifest [String] the YAML form of the Gem's specification.
+      # @attr_accessor manifest [String] the YAML form of the Gem's specification.
       # @attr_reader tags [String] Inventory tags set by the user via configuration.
       # @attr_reader url [String] The homepage of the Gem.
       # @attr_reader version [String] The version of the Gem.
       class LibraryDiscovery
+        include Contrast::Components::Logger::InstanceMethods
+
+        StringUtils = Contrast::Utils::StringUtils
+
         # required attributes
         attr_reader :external_date, :file, :hash, :internal_date
         # optional attributes
-        attr_reader :class_count, :manifest, :tags, :url, :version
-
-        class << self
-          # Convert a DTM for SpeedRacer to an Event for TeamServer.
-          #
-          # @param library_dtm [Contrast::Api::Dtm::Library]
-          # @return [Contrast::Agent::Reporting::LibraryDiscovery]
-          def convert library_dtm
-            report = new
-            report.attach_data(library_dtm)
-            report
-          end
-        end
+        attr_reader :class_count, :tags, :url, :version
+        attr_accessor :manifest
 
-        # Attach the data from the protobuf models to this reporter so that it can be sent to TeamServer directly
-        #
-        # @param library_dtm [Contrast::Api::Dtm::Library]
-        def attach_data library_dtm
-          @class_count = library_dtm.class_count
-          @external_date = library_dtm.external_ms
-          @file = library_dtm.file_path
-          @hash = library_dtm.hash_code
-          @internal_date = library_dtm.internal_ms
-          @manifest = library_dtm.manifest
+        def initialize digest, spec
+          @file = StringUtils.force_utf8(spec.name) # rubocop:disable Security/Module/Name
+          @hash = StringUtils.force_utf8(digest)
+          @version     = StringUtils.force_utf8(spec.version)
+          @manifest    = StringUtils.force_utf8(StringUtils.force_utf8(spec.to_yaml.to_s))
+          @external_date = (spec.date.to_f * 1000.0).to_i
+          @internal_date = @external_date
+          @url         = StringUtils.force_utf8(spec.homepage)
+          @class_count = Contrast::Utils::Sha256Builder.instance.files(spec.full_gem_path.to_s).length
           @tags = Contrast::INVENTORY.tags
-          @url = library_dtm.url
-          @version = library_dtm.version
         end
 
         # Convert the instance variables on the class, and other information, into the identifiers required for
@@ -59,8 +51,14 @@ module Contrast
         # @return [Hash]
         # @raise [ArgumentError]
         def to_controlled_hash
-          validate
-          msg = {
+          begin
+            validate
+          rescue ArgumentError => e
+            logger.error('LibraryDiscovery validation failed with: ', e)
+            return
+          end
+
+          {
               classCount: class_count,
               externalDate: external_date,
               file: file,
@@ -68,10 +66,9 @@ module Contrast
               internalDate: internal_date,
               manifest: manifest,
               url: url,
-              version: version
-          }
-          msg[:tags] = tags if tags
-          msg
+              version: version,
+              tags: tags
+          }.compact
         end
 
         # Ensure the required fields are present.

data/lib/contrast/agent/reporting/reporting_events/library_usage_observation.rb

@@ -1,45 +1,43 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/components/logger'
+
 module Contrast
   module Agent
     module Reporting
       # The usage, meaning loaded files, of a library seen during this request
       class LibraryUsageObservation
+        include Contrast::Components::Logger::InstanceMethods
+
         # @param [String] Sha256Sum of library as identified by the agent
         attr_accessor :id
         # @param [Array<String>] List of file paths that have been loaded out of or executed by the library
         attr_reader :names
 
-        class << self
-          # Convert a DTM for SpeedRacer to an Event for TeamServer.
-          #
-          # @param usage_dtm [Contrast::Api::Dtm::LibraryUsageUpdate]
-          # @return [Contrast::Agent::Reporting::LibraryUsageObservation]
-          def convert usage_dtm
-            observation = new
-            observation.attach_data(usage_dtm)
-            observation
-          end
-        end
-
-        def initialize
-          @names = []
-        end
-
-        def attach_data usage_dtm
-          @id = usage_dtm.hash_code
-          @names = usage_dtm.class_names.keys
+        # @param id [String] Sha256Sum of library as identified by the agent
+        # @param class_names [Array<String>] List of file paths that have been loaded out of or executed by the library
+        def initialize id, class_names
+          @id = id
+          @names = class_names
         end
 
+        # @raise [ArgumentError]
         def to_controlled_hash
-          validate
+          begin
+            validate
+          rescue ArgumentError => e
+            logger.error('LibraryUsageObservation validation failed with: ', e)
+            return
+          end
+
           {
               id: @id,
               names: @names
           }
         end
 
+        # @raise [ArgumentError]
         def validate
           raise(ArgumentError, "#{ self } did not have a proper id. Unable to continue.") unless id
           raise(ArgumentError, "#{ self } did not have a proper names. Unable to continue.") if names.empty?

data/lib/contrast/agent/reporting/reporting_events/observed_library_usage.rb

@@ -3,28 +3,17 @@
 
 require 'contrast/agent/reporting/reporting_events/application_reporting_event'
 require 'contrast/agent/reporting/reporting_events/library_usage_observation'
+require 'contrast/components/logger'
 
 module Contrast
   module Agent
     module Reporting
       # List of libraries that have been observed to have something loaded or executed.
-      #
-      # @attr_reader observations - Array[Contrast::Agent::Reporting::LibraryUsageObservation]
-      #                            - Hash of LibraryUsageObservations
       class ObservedLibraryUsage < Contrast::Agent::Reporting::ApplicationReportingEvent
-        attr_reader :observations
+        include Contrast::Components::Logger::InstanceMethods
 
-        class << self
-          # Convert a Hash of LibraryUsageUpdate DTMs for SpeedRacer to an Event for TeamServer.
-          #
-          # @param usages_dtm_hash Hash[Contrast::Api::Dtm::LibraryUsageUpdate]
-          # @return [Contrast::Agent::Reporting::ObservedLibraryUsage]
-          def convert usages_dtm_hash
-            report = new
-            report.attach_data(usages_dtm_hash)
-            report
-          end
-        end
+        # @return Array[Contrast::Agent::Reporting::LibraryUsageObservation]
+        attr_reader :observations
 
         def initialize
           @event_endpoint = Contrast::Agent::Reporting::Endpoints.library_usage
@@ -37,16 +26,14 @@ module Contrast
         end
 
         def to_controlled_hash
-          validate
-          { observations: @observations.map(&:to_controlled_hash) }
-        end
-
-        def attach_data usages_dtm_hash
-          usages_dtm_hash.each do |_key, value|
-            next unless value.class_names.any?
-
-            @observations << Contrast::Agent::Reporting::LibraryUsageObservation.convert(value)
+          begin
+            validate
+          rescue ArgumentError => e
+            logger.error('ObservedLibraryUsage validation failed with: ', e)
+            return
           end
+
+          { observations: @observations.map(&:to_controlled_hash) }
         end
 
         def validate

data/lib/contrast/agent/reporting/reporting_events/observed_route.rb

@@ -16,6 +16,8 @@ module Contrast
       # includes the literal URL and HTTP Verb used to invoke them, as they must have been called at this point to be
       # recorded.
       class ObservedRoute < Contrast::Agent::Reporting::ApplicationReportingEvent
+        include Contrast::Components::Logger::InstanceMethods
+
         # @param [String] the method signature used to uniquely identify the coverage report.
         attr_accessor :signature
         # @param [String] the normalized URL used to access the method in the route.
@@ -45,18 +47,23 @@ module Contrast
         # @return [Hash]
         # @raise [ArgumentError]
         def to_controlled_hash
-          validate
-          rc_hash = {
-              session_id: @agent_session_id_value,
+          begin
+            validate
+          rescue ArgumentError => e
+            logger.error('ObservedRoute validation failed with: ', e)
+            return
+          end
+
+          {
+              session_id: ::Contrast::ASSESS.session_id,
               sources: @sources.map(&:to_controlled_hash),
               signature: @signature,
               verb: @verb,
               url: @url
-          }
-          rc_hash.delete(:verb) unless @verb
-          rc_hash
+          }.compact
         end
 
+        # @raise [ArgumentError]
         def validate
           raise(ArgumentError, "#{ self } did not have a proper sources. Unable to continue.") if @sources.nil?
           raise(ArgumentError, "#{ self } did not have a proper signature. Unable to continue.") unless signature

data/lib/contrast/agent/reporting/reporting_events/preflight_message.rb

@@ -30,7 +30,6 @@ module Contrast
           @app_name = ::Contrast::APP_CONTEXT.app_name
           @app_version = ::Contrast::APP_CONTEXT.app_version
           @routes = []
-          @agent_session_id_value = ::Contrast::ASSESS.session_id
         end
 
         # Convert the instance variables on the class, and other information, into the identifiers required for
@@ -39,7 +38,13 @@ module Contrast
         # @return [Hash]
         # @raise [ArgumentError]
         def to_controlled_hash
-          validate
+          begin
+            validate
+          rescue ArgumentError => e
+            logger.error('PreflightMessage validation failed with: ', e)
+            return
+          end
+
           {
               code: CODE,
               app_language: @app_language,
@@ -48,10 +53,11 @@ module Contrast
               data: '',
               key: 0,
               routes: @routes,
-              session_id: @agent_session_id_value
+              session_id: ::Contrast::ASSESS.session_id
           }
         end
 
+        # @raise [ArgumentError]
         def validate
           raise(ArgumentError, "#{ cs__class } did not have a proper data. Unable to continue.") unless data
           unless @app_name
@@ -60,7 +66,7 @@ module Contrast
           unless @app_language
             raise(ArgumentError, "#{ cs__class } did not have a proper application language. Unable to continue.")
           end
-          unless @agent_session_id_value
+          unless ::Contrast::ASSESS.session_id
             raise(ArgumentError, "#{ cs__class } did not have a proper session id. Unable to continue.")
           end
 

data/lib/contrast/agent/reporting/reporting_events/reporting_event.rb

@@ -14,15 +14,15 @@ module Contrast
       #
       # @abstract
       class ReportingEvent
+        include Contrast::Components::Logger::InstanceMethods
+
         # @return [String] the endpoint, with host, to which this event should be sent
         attr_reader :event_endpoint
         # @return event_method [Symbol] the HTTP method to use to send this event
         attr_reader :event_method
 
         def initialize
-          @agent_session_id_value = ::Contrast::ASSESS.session_id
-          @event_endpoint ||= nil
-          @event_method ||= :POST
+          @event_method ||= :POST # rubocop:disable Lint/DisjunctiveAssignmentInConstructor
         end
 
         # Some reports require specific additional headers to be used. To that end, we'll attach them here, letting
@@ -37,7 +37,13 @@ module Contrast
         # @return [Hash]
         # @raise [ArgumentError]
         def to_controlled_hash
-          validate
+          begin
+            validate
+          rescue ArgumentError => e
+            logger.error('ReportingEvent validation failed with: ', e)
+            return
+          end
+
           {}
         end
 

data/lib/contrast/agent/reporting/reporting_events/route_coverage.rb

@@ -32,6 +32,15 @@ module Contrast
           @count = 0
         end
 
+        # Parse the given controller and route from a Rack based application framework in order to create an instance
+        # of this class
+        #
+        # @param final_controller [Grape::API, Sinatra::Base] the controller responsible for the definition of the
+        #   entrypoint of the route actively being executed
+        # @param method [String] the HTTP request method of the route actively being executed
+        # @param route_pattern [Grape::Router::Route, Mustermann::Sinatra] the pattern to which the url maps
+        # @param url [String] the literal url of the route actively being executed
+        # @return [Contrast::Agent::Reporting::RouteCoverage]
         def attach_rack_based_data final_controller, method, route_pattern, url = nil
           if route_pattern.cs__is_a?(Grape::Router::Route)
             safe_pattern = route_pattern.pattern&.path&.to_s

data/lib/contrast/agent/reporting/reporting_events/route_discovery.rb

@@ -3,6 +3,7 @@
 
 require 'contrast/agent/reporting/reporting_events/route_discovery_observation'
 require 'contrast/api/dtm.pb'
+require 'contrast/components/logger'
 
 module Contrast
   module Agent
@@ -17,6 +18,8 @@ module Contrast
       # @attr_reader signature [String] the unique identifier for this route; typically the method signature. Required
       #   for reporting.
       class RouteDiscovery
+        include Contrast::Components::Logger::InstanceMethods
+
         # required attributes
         attr_reader :observations, :signature
 
@@ -47,7 +50,13 @@ module Contrast
         # @return [Hash]
         # @raise [ArgumentError]
         def to_controlled_hash
-          validate
+          begin
+            validate
+          rescue ArgumentError => e
+            logger.error('RouteDiscovery validation failed with: ', e)
+            return
+          end
+
           {
               count: 0, # we have this to make TS happy
               observations: @observations.map(&:to_controlled_hash),

data/lib/contrast/agent/reporting/reporting_events/route_discovery_observation.rb

@@ -3,6 +3,7 @@
 
 require 'contrast/api/dtm.pb'
 require 'contrast/utils/string_utils'
+require 'contrast/components/logger'
 
 module Contrast
   module Agent
@@ -16,6 +17,8 @@ module Contrast
       # @attr_reader verb [String] the HTTP Method requested to his this endpoint. Empty means all, so is allowed.
       #   for reporting.
       class RouteDiscoveryObservation
+        include Contrast::Components::Logger::InstanceMethods
+
         # required attributes
         attr_reader :url
         # optional attributes
@@ -47,10 +50,14 @@ module Contrast
         # @return [Hash]
         # @raise [ArgumentError]
         def to_controlled_hash
-          validate
-          hash = { url: url }
-          hash[:verb] = verb if verb
-          hash
+          begin
+            validate
+          rescue ArgumentError => e
+            logger.error('RouteDiscoveryObservation validation failed with: ', e)
+            return
+          end
+
+          { url: url, verb: verb }.compact
         end
 
         # Ensure the required fields are present.

data/lib/contrast/agent/reporting/reporting_events/server_activity.rb

@@ -12,14 +12,6 @@ module Contrast
       # for its response, which contains any updated server feature settings from TeamServer. The new Server Settings
       # endpoint should let us remove this.
       class ServerActivity < Contrast::Agent::Reporting::ServerReportingEvent
-        class << self
-          # @param _server_activity_dtm [Contrast::Api::Dtm::ServerActivity]
-          # @return [Contrast::Agent::Reporting::ServerActivity]
-          def convert _server_activity_dtm
-            new
-          end
-        end
-
         def initialize
           @event_method = :PUT
           @event_endpoint = "#{ Contrast::API.api_url }/api/ng/activity/server"

data/lib/contrast/agent/reporting/reporting_utilities/audit.rb

@@ -16,7 +16,7 @@ module Contrast
         attr_reader :path_for_requests, :path_for_responses
 
         def initialize
-          generate_paths if enabled? && Contrast::CONTRAST_SERVICE.use_agent_communication?
+          generate_paths if enabled?
         end
 
         # This method will be handling the auditing of the requests and responses we send to SpeedRacer. If the audit
@@ -44,11 +44,7 @@ module Contrast
         # @param file_name[String] file_name to log
         # @param data[String] String representation if the logged data
         def log_data type, file_name, data = nil
-          return unless enabled?
-          return unless Contrast::CONTRAST_SERVICE.use_agent_communication?
-
-          logger.debug('logging to file', file_name: file_name) # TODO: RUBY-99999 DO NOT COMMIT THIS
-          write_to_file(type, file_name, data)
+          write_to_file(type, file_name, data) if enabled?
         end
 
         # This method will be actually writing to the file

data/lib/contrast/agent/reporting/reporting_utilities/dtm_message.rb

@@ -1,7 +1,6 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/agent/reporting/reporting_events/server_activity'
 require 'contrast/agent/reporting/reporting_events/application_activity'
 require 'contrast/api/dtm.pb'
 
@@ -13,31 +12,6 @@ module Contrast
       # TODO: RUBY-1438 -- remove
       module DtmMessage
         class << self
-          # Checks if the message is of Contrast::Api::Dtm::ServerActivity class
-          #
-          # @param dtm [Contrast::Api::Dtm::ServerActivity, Object]
-          # @return [Boolean]
-          def server_activity? dtm
-            dtm.cs__is_a?(Contrast::Api::Dtm::ServerActivity)
-          end
-
-          # Checks if the message is a Hash of Contrast::Api::Dtm::LibraryUsageUpdate class
-          #
-          # @param message [Protobuf::Field::FieldHash<String,::Contrast::Api::Dtm::LibraryUsageUpdate>]
-          # @return [Boolean]
-          def library_usage? message
-            message.cs__is_a?(Protobuf::Field::FieldHash) &&
-                message.values[0].cs__is_a?(Contrast::Api::Dtm::LibraryUsageUpdate)
-          end
-
-          # Checks if the message is of Contrast::Api::Dtm::ApplicationUpdate class
-          #
-          # @param dtm [Contrast::Api::Dtm::ApplicationUpdate,Object]
-          # @return [Boolean]
-          def application_update? dtm
-            dtm.cs__is_a?(Contrast::Api::Dtm::ApplicationUpdate)
-          end
-
           # @param dtm [Contrast::Api::Dtm::Finding,Object]
           # @return [Boolean]
           def finding? dtm
@@ -56,13 +30,7 @@ module Contrast
           # @param dtm [Contrast::Api::Dtm]
           # @return event [Contrast::Agent::Reporting::ReportingEvent, nil]
           def dtm_to_event dtm
-            # For the ServerActivity we need to create and send empty body only. This is done because we need the
-            # response from TS.
-            return Contrast::Agent::Reporting::ServerActivity.new if server_activity?(dtm)
-
             # For the others, we convert them.
-            return Contrast::Agent::Reporting::ObservedLibraryUsage.convert(dtm) if library_usage?(dtm)
-            return Contrast::Agent::Reporting::ApplicationUpdate.convert(dtm) if application_update?(dtm)
             return Contrast::Agent::Reporting::Finding.convert(dtm) if finding?(dtm)
             return Contrast::Agent::Reporting::ApplicationActivity.convert(dtm) if activity?(dtm)
 

data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb

@@ -53,13 +53,10 @@ module Contrast
         # @param event [Contrast::Agent::Reporting::ReportingEvent] The event to send to TeamServer. Really a
         #   child of the ReportingEvent rather than a literal one.
         # @param connection [Net::HTTP] open connection
-        # @param send_immediately [Boolean] flag for the logger
         # @return response [Net::HTTP::Response, nil] response from TS if no response
-        def send_event event, connection, send_immediately: false
-          return unless Contrast::Agent::Reporter.enabled?
+        def send_event event, connection
           return unless connection
 
-          log_send_event(event) if send_immediately
           request = build_request(event)
           response = connection.request(request)
           audit&.audit_event(event, response) if ::Contrast::API.request_audit_enable?

data/lib/contrast/agent/reporting/reporting_utilities/reporter_client_utils.rb

@@ -39,7 +39,7 @@ module Contrast
 
           STARTUP_EVENTS.each do |event|
             startup_event = event.new
-            send_event(startup_event, connection, send_immediately: true)
+            send_event(startup_event, connection)
           rescue StandardError => e
             handle_error(startup_event, e)
           end
@@ -66,15 +66,6 @@ module Contrast
           request
         end
 
-        # log the event sent immediately
-        #
-        # @param event [Contrast::Agent::Reporting::ReportingEvent] The event to send to TeamServer. Really a
-        #   child of the ReportingEvent rather than a literal one.
-        def log_send_event event
-          logger.debug("#{ Contrast::Agent::Reporting::ReporterClient::SERVICE_NAME } immediately sending event.",
-                       event_id: event.__id__, event_type: event.cs__class.cs__name)
-        end
-
         # Handles standard error case, logs and set status for failure
         #
         # @param event [Contrast::Agent::Reporting::ReportingEvent]
@@ -96,7 +87,6 @@ module Contrast
         # @param response [Net::HTTP::Response]
         def process_settings_response response
           response_handler.process(response)
-          logger.debug('Successfully sent startup messages to TeamServer.')
           status.success!
         end
 

data/lib/contrast/agent/reporting/reporting_utilities/response.rb

@@ -3,6 +3,7 @@
 
 require 'contrast/agent/reporting/settings/application_settings'
 require 'contrast/agent/reporting/settings/server_features'
+require 'contrast/agent/reporting/settings/reaction'
 
 module Contrast
   module Agent
@@ -21,19 +22,76 @@ module Contrast
         # @return [Contrast::Agent::Reporting::Settings::FeatureSettings, nil]
         attr_accessor :server_features
 
+        # Success boolean message value
+        #
+        # @return [Boolean]
+        attr_accessor :success
+
+        # Message with reasons for success or fail.
+        #
+        # @return [Array<String>] Messages received from TS.
+        attr_accessor :messages
+
         class << self
-          def application_response
+          # All of the settings from TeamServer that apply at the application level.
+          #
+          # @return response [Contrast::Agent::Reporting::Response]
+          def build_application_response
             res = new
             res.application_settings = Contrast::Agent::Reporting::Settings::ApplicationSettings.new
             res
           end
 
-          def server_response
+          # All of the settings from TeamServer that apply at the server level.
+          #
+          # @return response [Contrast::Agent::Reporting::Response]
+          def build_server_response
             res = new
             res.server_features = Contrast::Agent::Reporting::Settings::ServerFeatures.new
             res
           end
         end
+
+        # Reaction the agent should take based on a state in TS.
+        # This is moved one level up because the responses we
+        # receive for feature and settings from TS have different
+        # place to store these reactions:
+        #
+        # body.reactions vs body.settings.reactions
+        #
+        # @return [Array<Contrast::Agent::Reporting::Settings::Reaction>]
+        def reactions
+          @_reactions ||= []
+        end
+
+        # Set the reaction
+        #
+        # @param reaction_array [Array<Reaction>] {
+        #   level     [String] The level at which the agent should log this reaction.
+        #                      [ERROR, WARN, INFO, DEBUG, TRACE]
+        #   message   [String] A message to log when receiving this reaction.
+        #   operation [String] What to do in response to this reaction.[NOOP, DISABLE] }
+        # @return [Array<Contrast::Agent::Reporting::Settings::Reaction>]
+        def reactions= reaction_array
+          return unless reaction_array.is_a?(Array)
+
+          reaction_array.each do |r|
+            reactions << Contrast::Agent::Reporting::Settings::Reaction.new(r[:level], r[:operation], r[:message])
+          end
+        end
+
+        # This method is used only for testing with golden files.
+        def to_controlled_hash
+          {
+              success: success,
+              messages: messages,
+              features: server_features.nil? ? nil : server_features.to_controlled_hash,
+              settings: application_settings.nil? ? nil : application_settings.to_controlled_hash,
+              logLevel: server_features&.log_level,
+              logFile: server_features&.log_file,
+              reactions: server_features.nil? ? nil : reactions.map(&:to_controlled_hash)
+          }.compact
+        end
       end
     end
   end