contrast-agent 6.13.0 → 6.14.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bf537fe7f51e1701577cb567c81862d9ed3b9eaadf89d45da26ddc65e9135afb
-  data.tar.gz: b344f21256b15416fb395ed6f91880d4579b39d9bdb331df9492965ddf385129
+  metadata.gz: 577b0810f45b302615af1f151ebb6b772d76c0bccd460057022f5fbadf065d73
+  data.tar.gz: f3e882dd5e3d7e63e4cf09f37733acd02ad3b70b2d195b8a9377175cfe1b4330
 SHA512:
-  metadata.gz: cab435e1cfaf07a8f5c101805d3ca0046062071e10d61e3fcef4012e989e145bca2d586113176c89a96019eb32c2a6487de7149a01b4139d95c3b31d648a3ec5
-  data.tar.gz: 5270af8f8b5c398d974857194adff85b826c75cd603006eac060d8762985220f13d095cd4b01ae94976b22a261c6250daa4ee05176b2bc635f7455bbd5eeeaf0
+  metadata.gz: 168ea3d43d19acbe29a80b9b244a91c29b0f7c091137b7a0575edd39f763ec013e1402bc1337c167e8147738428813b7d1010e92a8e102aa3b72570685d73605
+  data.tar.gz: ddbf43ffe314bfd53c19687dc7bfc549a1b5374a43ede461a73487519ef263672f6dc7fe449140159c5e26587a55052b132242c20b1673d2dbed3d882340f157

data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb

@@ -7,7 +7,7 @@ module Contrast
       module Policy
         module TriggerValidation
           # Validator used to assert a REDOS finding is actually vulnerable
-          # before serializing that finding as a DTM to report to the TeamServer.
+          # before serializing that finding as a Event to report to the TeamServer.
           module REDOSValidator
             RULE_NAME = 'redos'
             # If Regexp is set to Float::Infinite this is the maximum number it will receive

data/lib/contrast/agent/version.rb

@@ -3,6 +3,6 @@
 
 module Contrast
   module Agent
-    VERSION = '6.13.0'
+    VERSION = '6.14.0'
   end
 end

data/lib/contrast/config/validate.rb

@@ -0,0 +1,140 @@
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'yaml'
+require 'contrast/configuration'
+require 'contrast/agent/reporting/reporter'
+require 'base64'
+
+module Contrast
+  module Config
+    # Helper module with methods to validate the existing yaml file.
+    module Validate
+      # rubocop:disable Rails/Output
+      SKIP_LOG = %w[service_key api_key].cs__freeze
+      REQUIRED = %i[url api_key service_key user_name].cs__freeze
+      PASS = " \u{2705}  "
+      FAIL = " \u{274C}  "
+      REQUIRED_HEADERS = %i[server_type server_name server_path app_language app_name].cs__freeze
+
+      def validate_file
+        puts("\u{1F9EA} Validating Agent Configuration...\n")
+        Contrast::Config.validate_config
+        puts('done...')
+        puts("Validating Contrast Reporter Headers...\n")
+        reporter = Contrast::Config.validate_headers
+        puts('done...')
+        puts("Testing Reporter Client Connection...\n")
+        Contrast::Config.test_connection(reporter) if reporter
+        puts('Validation complete')
+      end
+
+      def validate_config
+        config = Contrast::Configuration.new
+        abort("Unable to Build Config #{ FAIL }") unless config
+        missing = []
+
+        api_hash = config.api.to_contrast_hash
+
+        api_hash.each_key do |key|
+          value = mask_keys(api_hash, key)
+          if value.is_a?(Contrast::Config::ApiProxyConfiguration)
+            Contrast::Config.validate_proxy(value)
+          elsif value.is_a?(Contrast::Config::CertificationConfiguration)
+            Contrast::Config.validate_cert(value)
+            next
+          elsif value.is_a?(Contrast::Config::RequestAuditConfiguration)
+            Contrast::Config.validate_audit(value)
+            next
+          elsif value.nil? && REQUIRED.include?(key.to_sym)
+            missing << key
+          end
+        end
+        return if missing.empty?
+
+        abort("Validation failed: Missing required API configuration values: #{ missing.join(', ') } #{ FAIL }")
+      end
+
+      def validate_proxy config
+        puts("  Proxy Enabled: #{ config.enable }")
+        return unless config.enable
+
+        mark = config.url.nil? ? FAIL : PASS
+        puts("  Proxy URL: #{ config.url } #{ mark }")
+        abort('Proxy Enabled but no Proxy URL given') unless config.url
+      end
+
+      def validate_cert config
+        puts("  Certification Enabled: #{ config.enable }")
+        return unless config.enable
+
+        mark = config.ca_file.nil? ? FAIL : PASS
+        puts("  CA File: #{ config.ca_file } #{ mark }")
+        abort('CA file path not provided') unless config.ca_file
+        mark = config.cert_file.nil? ? FAIL : PASS
+        puts("  Cert File: #{ config.cert_file } #{ mark }")
+        abort('Cert file path not provided') unless config.cert_file
+        mark = config.key_file.nil? ? FAIL : PASS
+        puts("  Key File: #{ config.key_file } #{ mark }")
+        abort('Key file path not provided') unless config.key_file
+      end
+
+      def validate_audit config
+        puts("  Request Audit Enabled: #{ config.enable }")
+        return unless config.enable
+
+        config.cs__class::CONFIG_VALUES.each do |value_name|
+          puts("  #{ value_name }::#{ config.send(value_name.to_sym) }")
+        end
+      end
+
+      def init_reporter
+        Contrast::Agent::Reporter.new
+      end
+
+      def validate_headers
+        missing = []
+        reporter = init_reporter
+        reporter_headers = reporter.client.headers.to_contrast_hash
+        REQUIRED_HEADERS.each do |key|
+          value = decode_header(reporter_headers, key)
+          missing << key if value.nil?
+        end
+        unless missing.empty?
+          abort("Validation failed: Missing required header values: #{ missing.join(', ') } #{ FAIL }")
+        end
+        reporter
+      end
+
+      def test_connection reporter
+        puts("  Connection failed #{ FAIL }") unless reporter
+        connection = reporter.connection
+        abort("Failed to Initialize Connection please check error logs for details #{ FAIL } ") unless connection
+        abort('Failed to Start Client please check error logs for details') unless reporter.client.startup!(connection)
+        last_response = reporter.client.response_handler.last_response_code
+        if last_response.include?('40')
+          puts("  Last response code: #{ last_response  } #{ FAIL }")
+          abort("Failed to Initialize Connection please check error logs for details #{ FAIL } ")
+        elsif connection
+          puts("  Last response code: #{ last_response  } #{ PASS }")
+          puts("  Connection successful #{ PASS }") if connection
+        end
+      end
+
+      def mask_keys hash, key
+        value = hash[key]
+        redacted_value = Contrast::Configuration::REDACTED if SKIP_LOG.include?(key.to_s)
+        puts("  #{ key }::#{ redacted_value || value }") unless value.is_a?(Contrast::Config::BaseConfiguration)
+        value
+      end
+
+      def decode_header hash, key
+        value = hash[key]
+        decoded_header = Base64.strict_decode64(value)
+        puts("  #{ key }::#{ key == :app_language ? value : decoded_header }")
+        value
+      end
+      # rubocop:enable Rails/Output
+    end
+  end
+end

data/lib/contrast/config/yaml_file.rb

@@ -0,0 +1,129 @@
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'fileutils'
+require 'yaml'
+
+module Contrast
+  module Config
+    # Helper module with methods to find active configuration file used by the agent or create it.\
+    # This file is used before the agent start so methods added here must not be dependent on Agent
+    # instrumentation.
+    module YamlFile
+      CONFIG_FILE_NAME = 'contrast_security'
+      EXT = { yml: 'yml', yaml: 'yaml' }.freeze # rubocop:disable Security/Object/Freeze
+
+      POSSIBLE_TARGET_PATHS = %w[
+        ./
+        ./config/
+        /etc/contrast/ruby/
+        /etc/contrast/
+        /etc/
+      ].freeze # rubocop:disable Security/Object/Freeze
+
+      HEADER = "# +-------------------------------------------------------------------------+\n" \
+               "#    This Contrast Security configuration is Auto-generated by rake task.\n" \
+               "#    To List all available rake task use 'rake -T'. \n" \
+               "#\n" \
+               "#    Please enter valid api information, for the Ruby Agent to be able to\n" \
+               "#    connect to Contrast UI. You can validate your config file by running: \n" \
+               "#    'bundle exec rake contrast:config:validate' \n" \
+               "#\n" \
+               "#    To find your organization keys please follow this documentation:\n" \
+               "#    https://docs.contrastsecurity.com/en/find-the-agent-keys.html\n" \
+               "# +-------------------------------------------------------------------------+\n"
+
+      FOOTER = "\n# For more information visit the full Ruby agent configuration guide:\n" \
+               '# https://docs.contrastsecurity.com/en/ruby-configuration.html'
+
+      COMMENT = "#agent:\n" \
+                "#  logger:\n" \
+                "#    level: WARN\n" \
+                "#    path: contrast_agent.log\n" \
+                "#server:\n" \
+                "#  name: Server name\n" \
+                "#application:\n" \
+                "#  name: Application name\n" \
+                "#  code: Application name\n" \
+                "#  group: Application group\n" \
+                "#  session_metadata: Application metadata used for creation of Session ID\n" \
+                "#  version: Application version\n"
+
+      DEFAULT_CONFIG = {
+          'api' => {
+              'url' => 'https://app.contrastsecurity.com',
+              'api_key' => 'contrast_user',
+              'service_key' => 'demo',
+              'user_name' => 'demo'
+          }
+      }.freeze # rubocop:disable Security/Object/Freeze
+
+      class << self
+        # Checks all accessible by the agent path for active configuration created.
+        #
+        # @return [Boolean]
+        def created?
+          return true if File.exist?(Contrast::Config::YamlFile.target_path)
+          return true unless find!.empty?
+
+          false
+        end
+
+        # Finds active configuration used.
+        #
+        # @return [String] path of the config file.
+        def find!
+          found = ''
+          paths = POSSIBLE_TARGET_PATHS.dup
+          paths << ENV['CONTRAST_CONFIG_PATH'] if ENV['CONTRAST_CONFIG_PATH']
+          paths.each do |path|
+            EXT.each_value do |extension|
+              effective_config = "#{ path }#{ file_name }.#{ extension }"
+              found = effective_config if File.exist?(effective_config)
+            end
+          end
+          found
+        end
+
+        # Create new config file to the default destination.
+        #
+        def create
+          # rubocop:disable Rails/Output
+          puts("\u{1F48E} Generating: Contrast Configuration file.")
+          if Contrast::Config::YamlFile.created?
+            puts("\u{2705}  Configuration file already exists: #{ Contrast::Config::YamlFile.find! }")
+          else
+            File.open(Contrast::Config::YamlFile.target_path, 'w') do |file|
+              file.write(HEADER)
+              file.write(YAML.dump(DEFAULT_CONFIG).gsub('---', ' '))
+              file.write(COMMENT)
+              file.write(FOOTER)
+              file.close
+            end
+
+            puts("\u{2728}  Created! path #{ Contrast::Config::YamlFile.target_path }\n")
+            puts("\nOpen the file and enter your Contrast Security api keys or set them via environment variables.\n")
+            puts('Visit our documentation for more details: ' \
+                 'https://docs.contrastsecurity.com/en/ruby-configuration.html')
+          end
+        rescue StandardError => e
+          puts("\u{2757} WARNING configuration could not be created due to error: '#{ e }'. " \
+               "Try created in manually by running 'bundle exec rake contrast:config:create'.")
+          # rubocop:enable Rails/Output
+        end
+
+        def target_path
+          File.join(execution_directory, "#{ file_name }.#{ EXT[:yml] }")
+        end
+
+        def execution_directory
+          Dir.pwd
+        end
+
+        def file_name
+          ENV['CONTRAST_YAML_FILE_TEST_CREATE_CONFIG_FILE_NAME_VALUE'] || CONFIG_FILE_NAME
+        end
+      end
+    end
+  end
+end

data/lib/contrast/tasks/config.rb

@@ -1,47 +1,22 @@
 # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'yaml'
-require 'contrast/configuration'
-require 'contrast/agent/reporting/reporter'
+require 'contrast/config/yaml_file'
+require 'contrast/config/validate'
 
 module Contrast
   # A Rake task to generate a contrast_security.yaml file with some basic settings
   module Config
     extend Rake::DSL
-    DEFAULT_CONFIG = {
-        'api' => {
-            'url' => 'Enter your Contrast URL ex: https://app.contrastsecurity.com/Contrast',
-            'api_key' => 'Enter your Contrast api key',
-            'service_key' => 'Enter your Contrast service key',
-            'user_name' => 'Enter your Contrast user name'
-        },
-        'agent' => {
-            'logger' => {
-                'level' => 'ERROR',
-                'path' => 'contrast_agent.log'
-            }
-        }
-    }.cs__freeze
-
-    SKIP_LOG = %w[service_key api_key].cs__freeze
-    REQUIRED = %i[url api_key service_key user_name].cs__freeze
+    # The file create methods are required in the gemspec. Some of the Agent functions are not
+    # available there. To be safe the validate mechanics are extracted in different module.
+    extend Contrast::Config::Validate
 
     namespace :contrast do
       namespace :config do
         desc 'Create a contrast_security.yaml in the applications root directory'
         task :create do
-          execution_directory = Dir.pwd
-          target_path = File.join(execution_directory, 'contrast_security.yaml')
-          if File.exist?(target_path)
-            puts 'WARNING: contrast_security.yaml already exists'
-          else
-            File.write(target_path, YAML.dump(DEFAULT_CONFIG))
-
-            puts "Created contrast_security.yaml at #{ target_path }"
-            puts 'Open the file and enter your Contrast Security api keys or set them via environment variables'
-            puts 'Visit our documentation site for more details: https://docs.contrastsecurity.com/installation-rubyconfig.html'
-          end
+          Contrast::Config::YamlFile.create
         end
       end
     end
@@ -50,94 +25,8 @@ module Contrast
       namespace :config do
         desc 'Validate the provided Contrast configuration and confirm connectivity'
         task validate: :environment do
-          puts 'Validating Agent Configuration...'
-          Contrast::Config.validate_config
-          puts '...done!'
-          puts 'Validating Contrast Reporter Headers...'
-          reporter = Contrast::Config.validate_headers
-          puts '...done!'
-          puts 'Testing Reporter Client Connection...'
-          Contrast::Config.test_connection(reporter) if reporter
-          puts '...done!'
-        end
-      end
-
-      def self.validate_config
-        config = Contrast::Configuration.new
-        abort('Unable to Build Config') unless config
-        missing = []
-
-        api_hash = config.api.to_contrast_hash
-
-        api_hash.each_key do |key|
-          value = mask_keys(api_hash, key)
-          if value.is_a?(Contrast::Config::ApiProxyConfiguration)
-            Contrast::Config.validate_proxy(value)
-          elsif value.is_a?(Contrast::Config::CertificationConfiguration)
-            Contrast::Config.validate_cert(value)
-            next
-          elsif value.is_a?(Contrast::Config::RequestAuditConfiguration)
-            Contrast::Config.validate_audit(value)
-            next
-          elsif value.nil? && REQUIRED.includes?(key.to_sym)
-            missing << key
-          end
-        end
-        abort("Missing required API configuration values: #{ missing.join(', ') }") unless missing.empty?
-      end
-
-      def self.validate_proxy config
-        puts("Proxy Enabled: #{ config.enable }")
-        return unless config.enable
-
-        puts("Proxy URL: #{ config.url }")
-        abort('Proxy Enabled but no Proxy URL given') unless config.url
-      end
-
-      def self.validate_cert config
-        puts("Certification Enabled: #{ config.enable }")
-        return unless config.enable
-
-        puts("CA File: #{ config.ca_file }")
-        abort('CA file path not provided') unless config.ca_file
-        puts("Cert File: #{ config.cert_file }")
-        abort('Cert file path not provided') unless config.cert_file
-        puts("Key File: #{ config.key_file }")
-        abort('Key file path not provided') unless config.key_file
-      end
-
-      def self.validate_audit config
-        puts("Request Audit Enabled: #{ config.enable }")
-        return unless config.enable
-
-        config.each do |k, v|
-          puts("#{ k }::#{ v }")
-        end
-      end
-
-      def self.validate_headers
-        missing = []
-        reporter = Contrast::Agent::Reporter.new
-        reporter_headers = reporter.client.headers.to_contrast_hash
-        reporter_headers.each_key do |key|
-          value = mask_keys(reporter_headers, key)
-          missing << key if value.nil?
+          validate_file
         end
-        abort("Missing required header values: #{ missing.join(', ') }") unless missing.empty?
-        reporter
-      end
-
-      def self.test_connection reporter
-        connection = reporter.connection
-        abort('Failed to Initialize Connection please check error logs for details') unless connection
-        abort('Failed to Start Client please check error logs for details') unless reporter.client.startup!(connection)
-      end
-
-      def self.mask_keys hash, key
-        value = hash[key]
-        redacted_value = Contrast::Configuration::REDACTED if SKIP_LOG.include?(key.to_s)
-        puts("#{ key }::#{ redacted_value || value }") unless value.is_a?(Contrast::Config::BaseConfiguration)
-        value
       end
     end
   end

data/lib/contrast/utils/middleware_utils.rb

@@ -1,6 +1,8 @@
 # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/config/yaml_file'
+
 module Contrast
   module Utils
     # helper methods for Contrast::Agent::Middleware
@@ -16,6 +18,8 @@ module Contrast
         "April #{ LANGUAGE_DEPRECATION_YEAR }. Please contact Customer Support prior if you require continued support."
 
       def setup_agent
+        # Generate new config file if one is not already created:
+        Contrast::Config::YamlFile.create unless Contrast::Config::YamlFile.created?
         ::Contrast::SETTINGS.reset_state
 
         inform_deprecations

data/ruby-agent.gemspec

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require_relative './lib/contrast/agent/version'
+require_relative './lib/contrast/config/yaml_file'
 
 lib = File.expand_path('lib', __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
@@ -185,7 +186,7 @@ Gem::Specification.new do |spec|
   spec.extensions = Dir['ext/cs__common/extconf.rb', 'ext/**/extconf.rb']
   spec.require_paths = ['lib']
 
-  unless File.exist?(File.join(Dir.pwd, 'contrast_security.yaml'))
+  unless Contrast::Config::YamlFile.created?
     spec.post_install_message = 'To generate the required contrast_security.yaml file you can run: '\
                                 'bundle exec rake contrast:config:create'
   end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: contrast-agent
 version: !ruby/object:Gem::Version
-  version: 6.13.0
+  version: 6.14.0
 platform: ruby
 authors:
 - galen.palmer@contrastsecurity.com
@@ -13,7 +13,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2023-01-20 00:00:00.000000000 Z
+date: 2023-01-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -1234,6 +1234,8 @@ files:
 - lib/contrast/config/protect_rules_configuration.rb
 - lib/contrast/config/request_audit_configuration.rb
 - lib/contrast/config/server_configuration.rb
+- lib/contrast/config/validate.rb
+- lib/contrast/config/yaml_file.rb
 - lib/contrast/configuration.rb
 - lib/contrast/extension/assess.rb
 - lib/contrast/extension/assess/array.rb
@@ -1337,8 +1339,7 @@ metadata:
   support_uri: https://support.contrastsecurity.com
   trouble_shooting_uri: https://support.contrastsecurity.com/hc/en-us/search?utf8=%E2%9C%93&query=Ruby
   wiki_uri: https://docs.contrastsecurity.com/
-post_install_message: 'To generate the required contrast_security.yaml file you can
-  run: bundle exec rake contrast:config:create'
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib