contrast-agent 6.7.0 → 6.8.0

data/lib/contrast/agent_lib/interface_base.rb

@@ -0,0 +1,118 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module AgentLib
+    # Base class to set basic rule sets and input list.
+    class InterfaceBase
+      # This could be changed to regular Hash.
+      # This format is used to supports this kind of log_level assignment:
+      # via Contrast::Api::Settings::LogLevel::WARN => 3
+      # ( note -1 is not supported in the protobuf LogLevel)
+      LOG_LEVEL = { -1 => 'OFF', 0 => 'TRACE', 1 => 'DEBUG', 2 => 'INFO', 3 => 'WARN', 4 => 'ERROR' }.cs__freeze
+      LOG_DIR = File.join(Dir.pwd).cs__freeze
+      # Named after Protect rule_id / Names
+      # Corresponding to Rust's ulong enum
+      RULE_SET = {
+          'unsafe-file-upload' => 1 << 0,
+          'path-traversal' => 1 << 1,
+          'reflected-xss' => 1 << 2,
+          'sql-injection' => 1 << 3,
+          'cmd-injection' => 1 << 4,
+          'nosql-injection' => 1 << 5,
+          'bot-blocker' => 1 << 6,
+          'ssjs-injection' => 1 << 7,
+          'method-tampering' => 1 << 8
+      }.cs__freeze
+      # Named same as Contrast::Agent::Reporting::InputTypes
+      INPUT_SET = {
+          COOKIE_NAME: 1,
+          COOKIE_VALUE: 2,
+          HEADER_NAME: 3,
+          HEADER_VALUE: 4,
+          JSON_NAME: 5,
+          JSON_VALUE: 6,
+          METHOD: 7,
+          PARAMETER_NAME: 8,
+          PARAMETER_VALUE: 9,
+          URI: 10,
+          URL_PARAMETER: 11,
+          MULTIPART_NAME: 12,
+          XML_VALUE: 13
+      }.cs__freeze
+      EVAL_OPTIONS = { NONE: 0, WORTHWATCHING: 1 }.cs__freeze
+
+      # Initializes the Agent lib.
+      #
+      # @param enable_logging [Boolean, nil] flag to enable or disable logging.
+      # @param set_log_level [Integer, nil]
+      # @param set_log_dir [String, nil] dir to write log files.
+      # @return [Boolean] true if success.
+      # @raise [StandardError] Any Errors raised in the init process are most
+      # likely to be a C segfaults and termination, probably redundant but safe.
+      def initialize enable_logging = nil, set_log_level = nil, set_log_dir = nil
+        # Override
+      end
+
+      # Return list of available rules
+      #
+      # @return [Hash]
+      def rule_set
+        RULE_SET
+      end
+
+      # Returns list of available input types.
+      #
+      # @return [Hash]
+      def input_set
+        INPUT_SET
+      end
+
+      # Return list of input evaluation options:
+      # WorthWatching or none
+      #
+      # @return [Hash]
+      def eval_option
+        EVAL_OPTIONS
+      end
+
+      private
+
+      # Updates the logging status:
+      # Enabled && Level
+      #
+      # @param level [Integer] one of:
+      # [-1...4]
+      # @param enabled [Boolean] logging status.
+      def update_logging level, enabled
+        update_log_level(level)
+        @enable_log = !!enabled
+      end
+
+      # Updates the log level for the AgentLib.
+      #
+      # @param level [Integer] one of:
+      # [-1...4]
+      def update_log_level level
+        value = LOG_LEVEL[level]
+        @log_level = value if value
+      end
+
+      # Creates the directory for AgentLib log files.
+      # If no path provided use default.
+      #
+      # @param log_dir [String, nil] path to log.
+      # @rescue [StandardError] any error concerning
+      # the directory creation.
+      def create_log_dir log_dir = nil
+        path = log_dir.nil? ? LOG_DIR : log_dir
+        FileUtils.mkdir_p(path)
+        path
+      rescue StandardError => e
+        logger.debug('Could not create log directory', error: e)
+        FileUtils.mkdir_p(LOG_DIR)
+        LOG_DIR
+      end
+    end
+  end
+end

data/lib/contrast/agent_lib/return_types/eval_result.rb

@@ -0,0 +1,44 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent_lib/interface'
+
+module Contrast
+  module AgentLib
+    # This class will hold resulst received form AgentLib structs.
+    class EvalResult
+      # Name of the Protect rule analyzed.
+      # @return [String]
+      attr_accessor :rule_id
+      # Type of the input.
+      # @return [String]
+      attr_accessor :input_type
+      # Score of the input after AgentLib
+      # Analysis
+      #
+      # @return score [Float]
+      attr_accessor :score
+
+      # Init a new EvalResult, and translate results to usable for
+      # reporting values.
+      #
+      # @param hsh [Hash, nil] return from AgentLib populated struct.
+      def initialize hsh
+        return unless hsh&.cs__is_a?(Hash)
+
+        @rule_id = Contrast::AgentLib::Interface::RULE_SET.key(hsh[:rule_id])
+        @input_type = Contrast::AgentLib::Interface::INPUT_SET.key(hsh[:input_type])
+        @score = hsh[:score]
+      end
+
+      # Used in specs.
+      def to_controlled_hash
+        {
+            rule_id: rule_id,
+            input_type: input_type,
+            score: score
+        }
+      end
+    end
+  end
+end

data/lib/contrast/agent_lib/test.rb

@@ -0,0 +1,29 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: false
+
+require_relative 'api/init'
+
+module Contrast # :nodoc:
+  module Test # :nodoc:
+    extend Contrast::AgentLib::Init
+
+    LOG_DIR = File.join(File.dirname(__FILE__))
+
+    class << self
+      def test_init_with_options enable_log, log_level
+        dl__init_with_options(enable_log, LOG_DIR, log_level)
+      end
+    end
+  end
+end
+
+# for the other cases - I tried with loop and everything, but nothing worked
+# Contrast::Test.test_init_with_options(true, "WARN")
+# Contrast::Test.test_init_with_options(true, "ERROR")
+# Contrast::Test.test_init_with_options(true, "DEBUG")
+# Contrast::Test.test_init_with_options(true, "TRACE")
+response = Contrast::Test.test_init_with_options(true, 'INFO')
+puts response # rubocop:disable Rails/Output
+
+# we cannot check here for the file as it's being created after the execution of the file is done
+raise(StandardError, 'Not Working') if response == false

data/lib/contrast/api/communication/connection_status.rb

@@ -4,7 +4,7 @@
 module Contrast
   module Api
     module Communication
-      # Keeps track of the state of connections to SpeedRacer.
+      # Keeps track of the state of connections to TeamServer.
       class ConnectionStatus
         def initialize
           @last_success = nil
@@ -12,8 +12,8 @@ module Contrast
           @startup_messages_sent = false
         end
 
-        # Whether we have sent startup message to SpeedRacer. True after successfully sending startup messages to
-        # SpeedRacer and reset to false if we lose connection.
+        # Whether we have sent startup message to TeamServer. True after successfully sending startup messages to
+        # TeamServer and reset to false if we lose connection.
         #
         # @return [Boolean]
         def startup_messages_sent?
@@ -27,13 +27,13 @@ module Contrast
           @last_success && (@last_failure.nil? || @last_success > @last_failure)
         end
 
-        # The current state of the SpeedRacer is active with a successful message sent
+        # The current state of the TeamServer is active with a successful message sent
         def success!
           @startup_messages_sent = true
           @last_success = Time.now.to_f
         end
 
-        # The SpeedRacer may be in some sort of error state
+        # The TeamServer may be in some sort of error state
         def failure!
           @startup_messages_sent = false
           @last_failure = Time.now.to_f

data/lib/contrast/components/agent.rb

@@ -6,7 +6,6 @@ require 'contrast/agent/rule_set'
 require 'contrast/components/logger'
 require 'contrast/components/security_logger'
 require 'contrast/components/heap_dump'
-require 'contrast/components/service'
 require 'contrast/components/ruby_component'
 
 module Contrast
@@ -22,26 +21,13 @@ module Contrast
           return unless hsh
 
           @_enable = hsh[:enable]
-          @_start_bundled_service = hsh[:start_bundled_service]
           @_omit_body = hsh[:omit_body]
-          @_service = Contrast::Components::Service::Interface.new(hsh[:service])
           @_logger = Contrast::Components::Logger::Interface.new(hsh[:logger])
           @_security_logger = Contrast::Components::SecurityLogger::Interface.new(hsh[:security_logger])
           @_ruby = Contrast::Components::Ruby::Interface.new(hsh[:ruby])
           @_heap_dump = Contrast::Components::HeapDump::Interface.new(hsh[:heap_dump])
         end
 
-        # @return [Boolean, true]
-        def start_bundled_service?
-          @_start_bundled_service.nil? ? true : @_start_bundled_service
-        end
-
-        def service
-          return @_service unless @_service.nil?
-
-          @_service = Contrast::Components::Service::Interface.new
-        end
-
         def logger
           return @_logger unless @_logger.nil?
 

data/lib/contrast/components/app_context.rb

@@ -2,8 +2,6 @@
 # frozen_string_literal: true
 
 require 'rubygems/version'
-require 'contrast/api/decorators/agent_startup'
-require 'contrast/api/decorators/application_startup'
 require 'contrast/utils/object_share'
 require 'contrast/components/app_context_extend'
 require 'contrast/config/base_configuration'

data/lib/contrast/components/app_context_extend.rb

@@ -12,23 +12,6 @@ module Contrast
       SUPPORTED_FRAMEWORKS = %w[rails sinatra grape rack].cs__freeze
       SUPPORTED_SERVERS = %w[passenger puma thin unicorn].cs__freeze
 
-      def build_app_startup_message
-        @_build_app_startup_message ||= Contrast::Api::Dtm::ApplicationCreate.build
-      end
-
-      def build_agent_startup_message
-        msg = Contrast::Api::Dtm::AgentStartup.build(server_name, server_path, server_type)
-        Contrast::CONFIG.proto_logger.info('Application context',
-                                           server_name: msg.server_name,
-                                           server_path: msg.server_path,
-                                           server_type: msg.server_type,
-                                           application_name: name, # rubocop:disable Security/Module/Name
-                                           application_path: path,
-                                           application_language: Contrast::Utils::ObjectShare::RUBY)
-
-        msg
-      end
-
       def pid
         Process.pid
       end
@@ -37,14 +20,6 @@ module Contrast
         Process.ppid
       end
 
-      def pgid
-        Process.getpgid(pid)
-      end
-
-      def client_id
-        @_client_id ||= [name, pgid].join('-') # rubocop:disable Security/Module/Name
-      end
-
       def app_and_server_information
         {
             application_info: find_gem_information(SUPPORTED_FRAMEWORKS),

data/lib/contrast/components/config.rb

@@ -100,11 +100,6 @@ module Contrast
           @config.protect
         end
 
-        # @return [Contrast::Components::Service::Interface]
-        def service
-          @config.service
-        end
-
         def valid?
           @_valid = validate if @_valid.nil?
           @_valid
@@ -157,13 +152,10 @@ module Contrast
           true
         end
 
-        # If the agent is to use the bypass to communicate with TeamServer directly, than it must have the
-        # configuration values required for that connection.
+        # The agent must have the configuration values required for the connection to TeamServer.
         #
         # @return [boolean]
         def valid_api?
-          return true unless bypass
-
           msg = []
           msg << API_URL unless api_url
           msg << API_KEY unless api_key
@@ -220,15 +212,6 @@ module Contrast
           api.user_name
         end
 
-        # Typically, the following values would be accessed through Contrast::Components::AppContext
-        # and Contrast::Components::API, but we're too early in the initialization of the Agent to use
-        # that mechanism, so we look it up directly for ourselves.
-        #
-        # @return [String, nil]
-        def bypass
-          agent.service.bypass
-        end
-
         # Typically, the following values would be accessed through Contrast::Components::AppContext
         # and Contrast::Components::Logger, but we're too early in the initialization of the Agent to use
         # that mechanism, so we look it up directly for ourselves.

data/lib/contrast/components/protect.rb

@@ -16,6 +16,8 @@ module Contrast
 
         # @return [Boolean, nil]
         attr_accessor :enable
+        # @return [Boolean, nil]
+        attr_accessor :agent_lib
 
         def initialize hsh = {}
           return unless hsh
@@ -23,6 +25,7 @@ module Contrast
           @_exceptions = Contrast::Config::ExceptionConfiguration.new(hsh[:exceptions])
           @_rules = Contrast::Config::ProtectRulesConfiguration.new(hsh[:rules])
           @enable = hsh[:enable]
+          @agent_lib = hsh[:agent_lib]
         end
 
         # @return [Contrast::Config::ExceptionConfiguration]
@@ -71,7 +74,7 @@ module Contrast
           str = rule_id.tr('-', '_')
           ::Contrast::CONFIG.protect.rules[str]&.applicable_mode ||
               ::Contrast::SETTINGS.application_state.modes_by_id[rule_id] ||
-              Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION
+              :NO_ACTION
         end
 
         def rule name

data/lib/contrast/components/ruby_component.rb

@@ -19,7 +19,7 @@ module Contrast
           log:clear middleware notes notes:custom rails:template rails:update routes secret spec spec:features
           spec:requests spec:controllers spec:helpers spec:models spec:views spec:routing spec:rcov stats
           test test:all test:all:db test:recent test:single test:uncommitted time:zones:all tmp:clear
-          tmp:create webpacker:compile contrast:service:start contrast:service:status contrast:service:stop
+          tmp:create webpacker:compile
         ].cs__freeze
 
         DEFAULT_UNINSTRUMENTED_NAMESPACES = %w[FactoryGirl FactoryBot].cs__freeze

data/lib/contrast/components/settings.rb

@@ -1,7 +1,6 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/api/settings.pb'
 require 'contrast/agent/excluder'
 require 'contrast/agent/reporting/settings/sensitive_data_masking'
 require 'contrast/components/config'
@@ -13,8 +12,7 @@ module Contrast
     # directives (likely provided by TeamServer) about product operation.
     # 'Settings' is not a generic term for 'configurable stuff'.
     module Settings
-      APPLICATION_STATE_BASE = Struct.new(:modes_by_id, :exclusion_matchers).
-          new(Hash.new(Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION), [])
+      APPLICATION_STATE_BASE = Struct.new(:modes_by_id).new(Hash.new(:NO_ACTION))
       PROTECT_STATE_BASE = Struct.new(:enabled, :rules).new(false, {})
       ASSESS_STATE_BASE = Struct.new(:enabled, :sampling_settings, :disabled_assess_rules, :session_id).new(false, nil,
                                                                                                             [], nil) do
@@ -26,7 +24,7 @@ module Contrast
       SENSITIVE_DATA_MASKING_BASE = Contrast::Agent::Reporting::Settings::SensitiveDataMasking.new
 
       # This is a class.
-      class Interface # rubocop:disable Metrics/ClassLength
+      class Interface
         extend Contrast::Components::Config
 
         # tainted_columns are database columns that receive unsanitized input.
@@ -55,30 +53,6 @@ module Contrast
         # Current Application State.
         #
         # modes_by_id [Hash<Rule_id => Mode] Returns Hash with rules and their current mode.
-        # exclusion_matchers [Array] Array of all the exclusions.
-        # code_exclusions [Array<CodeExclusion>] Array of CodeExclusion: {
-        #   name         [String] The name of the exclusion as defined by the user in TS.
-        #   modes        [String] If this exclusion applies to assess or protect. [assess, defend]
-        #   assess_rules [Array] Array of assess rules to which this exclusion applies. AssessRuleID [String]
-        #   denylist     [String] The call, if in the stack, should result in the agent not taking action.
-        # input_exclusions [Array<InputExclusions>] Array of InputExclusions: {
-        #   name           [String] The name of the input.
-        #   modes          [String] If this exclusion applies to assess or protect. [assess, defend]
-        #   assess_rules   [Array] Array of assess rules to which this exclusion applies. AssessRuleID [String]
-        #   protect_rules  [Array] Array of ProtectRuleID [String] The protect rules to which this exclusion applies.
-        #   urls           [Array] Array of URLs to which the exclusions apply. URL [String]
-        #   match_strategy [String] If this exclusion applies to all URLs or only those specified. [ALL, ONLY]
-        #   type           [String] The type of the input [COOKIE, PARAMETER, HEADER, BODY, QUERYSTRING]
-        # }
-        # url_exclusions [Array<UrlExclusions>] Array of UrlExclusions: {
-        #   name           [String] The name of the input.
-        #   modes          [String] If this exclusion applies to assess or protect. [assess, defend]
-        #   assess_rules   [Array] Array of assess rules to which this exclusion applies. AssessRuleID [String]
-        #   protect_rules  [Array] Array of ProtectRuleID [String] The protect rules to which this exclusion applies.
-        #   urls           [Array] Array of URLs to which the exclusions apply. URL [String]
-        #   match_strategy [String] If this exclusion applies to all URLs or only those specified. [ALL, ONLY]
-        #   type           [String] The type of the input [COOKIE, PARAMETER, HEADER, BODY, QUERYSTRING]
-        # }
         attr_reader :application_state
         # This the structure that will hold the masking rules send from TS.
         #
@@ -100,37 +74,32 @@ module Contrast
         end
 
         def code_exclusions
-          @application_state.exclusion_matchers.select(&:code?)
+          excluder&.exclusions&.select(&:code?)
         end
 
-        # @param features_response [Contrast::Api::Settings::ServerFeatures, Contrast::Agent::Reporting::Response]
+        # @param features_response [Contrast::Agent::Reporting::Response]
         def update_from_server_features features_response
-          if features_response.cs__is_a?(Contrast::Agent::Reporting::Response)
-            update_from_response(features_response)
-          else
-            @protect_state.enabled = features_response.protect_enabled?
-            @assess_state.enabled = features_response.assess_enabled?
-            @assess_state.sampling_settings = features_response.assess.sampling
-            @last_server_update_ms = Contrast::Utils::Timer.now_ms
-          end
+          return unless (server_features = features_response&.server_features)
+
+          log_file = server_features.log_file
+          log_level = server_features.log_level
+          Contrast::Logger::Log.instance.update(log_file, log_level) if log_file || log_level
+          @protect_state.enabled = server_features.protect.enabled?
+          @assess_state.enabled = server_features.assess.enabled?
+          @assess_state.sampling_settings = server_features.assess.sampling
           @last_server_update_ms = Contrast::Utils::Timer.now_ms
         end
 
-        # @param settings_response [Contrast::Api::Settings::ApplicationSettings, Contrast::Agent::Reporting::Response]
+        # @param settings_response [Contrast::Agent::Reporting::Response]
         def update_from_application_settings settings_response
-          if settings_response&.cs__class == Contrast::Agent::Reporting::Response
-            update_from_response(settings_response)
-          else
-            new_vals = settings_response.application_state_translation
-            @application_state.modes_by_id = new_vals[:modes_by_id]
-            @application_state.exclusion_matchers = new_vals[:exclusion_matchers]
-            @excluder = Contrast::Agent::Excluder.new(@application_state.exclusion_matchers)
-            @assess_state.disabled_assess_rules = new_vals[:disabled_assess_rules]
-            if settings_response.session_id && !settings_response.session_id.blank?
-              @assess_state.session_id = settings_response.session_id
-            end
-            @last_app_update_ms = Contrast::Utils::Timer.now_ms
-          end
+          return unless (app_settings = settings_response&.application_settings)
+
+          @application_state.modes_by_id = app_settings.protect.protection_rules_to_settings_hash
+          update_exclusion_matchers(app_settings.exclusions)
+          update_sensitive_data_policy(app_settings.sensitive_data_masking)
+          @assess_state.disabled_assess_rules = app_settings.assess.disabled_rules
+          new_session_id = app_settings.assess.session_id
+          @assess_state.session_id = new_session_id if new_session_id && !new_session_id.blank?
           @last_app_update_ms = Contrast::Utils::Timer.now_ms
         end
 
@@ -148,6 +117,7 @@ module Contrast
           @protect_state.rules = {}
 
           # Rules. They add themselves on initialize.
+          Contrast::Agent::Protect::Rule::BotBlocker.new
           Contrast::Agent::Protect::Rule::CmdInjection.new
           Contrast::Agent::Protect::Rule::Deserialization.new
           Contrast::Agent::Protect::Rule::HttpMethodTampering.new
@@ -159,6 +129,21 @@ module Contrast
           Contrast::Agent::Protect::Rule::Xxe.new
         end
 
+        # @param exclusions [Contrast::Agent::Reporting::Settings::Exclusions]
+        def update_exclusion_matchers exclusions
+          matchers = []
+          exclusions.url_exclusions.each do |exclusion|
+            matchers << Contrast::Agent::ExclusionMatcher.new(exclusion)
+          end
+          exclusions.input_exclusions.each do |exclusion|
+            matchers << Contrast::Agent::ExclusionMatcher.new(exclusion)
+          end
+          exclusions.code_exclusions.each do |exclusion|
+            matchers << Contrast::Agent::ExclusionMatcher.new(exclusion)
+          end
+          @excluder = Contrast::Agent::Excluder.new(matchers)
+        end
+
         # Update the sensitive data masking policy from settings,
         # received from TS. In case the settings are empty,
         # keep current ones.
@@ -179,43 +164,6 @@ module Contrast
 
         private
 
-        # @param response [Contrast::Agent::Reporting::Response]
-        def update_from_response response
-          if (server_features = response.server_features)
-            update_server_features(server_features)
-          end
-          return unless (app_settings = response.application_settings)
-
-          update_application_settings(app_settings)
-        end
-
-        # @param server_features [Contrast::Agent::Reporting::Settings::FeatureSettings]
-        def update_server_features server_features
-          return unless server_features
-
-          log_file = server_features.log_file
-          log_level = server_features.log_level
-          Contrast::Logger::Log.instance.update(log_file, log_level) if log_file || log_level
-          @protect_state.enabled = server_features.protect.enabled?
-          @assess_state.enabled = server_features.assess.enabled?
-          @assess_state.sampling_settings = server_features.assess.sampling
-          @last_server_update_ms = Contrast::Utils::Timer.now_ms
-        end
-
-        # @param app_settings [Contrast::Agent::Reporting::Settings::ApplicationSettings]
-        def update_application_settings app_settings
-          return unless app_settings
-
-          @application_state.modes_by_id = app_settings.protect.protection_rules_to_settings_hash
-          # TODO: RUBY-1438 this needs to be translated
-          # @application_state.exclusion_matchers = new_vals[:exclusion_matchers]
-          update_sensitive_data_policy(app_settings.sensitive_data_masking)
-          @assess_state.disabled_assess_rules = app_settings.assess.disabled_rules
-          new_session_id = app_settings.assess.session_id
-          @assess_state.session_id = new_session_id if new_session_id && !new_session_id.blank?
-          @last_app_update_ms = Contrast::Utils::Timer.now_ms
-        end
-
         # check if settings are empty and return true if so.
         #
         # @param settings [String, Boolean, Array, Hash]

data/lib/contrast/config/protect_rule_configuration.rb

@@ -33,24 +33,24 @@ module Contrast
       end
 
       # To convert the user input mode from config to a standard format used by TS & SR, we need to convert the given
-      # String to its Contrast::Api::Settings::ProtectionRule::Mode equivalent. If a nonsense value is provided, it'll
+      # String to its recognized symbol equivalent. If a nonsense value is provided, it'll
       # be treated the same as disabling the rule.
       #
-      # @return [Contrast::Api::Settings::ProtectionRule::Mode, nil]
+      # @return [Symbol]
       def applicable_mode
         return unless mode
 
         case mode
         when 'permit'
-          Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
+          :PERMIT
         when 'block_at_perimeter'
-          Contrast::Api::Settings::ProtectionRule::Mode::BLOCK_AT_PERIMETER
+          :BLOCK_AT_PERIMETER
         when 'block'
-          Contrast::Api::Settings::ProtectionRule::Mode::BLOCK
+          :BLOCK
         when 'monitor'
-          Contrast::Api::Settings::ProtectionRule::Mode::MONITOR
+          :MONITOR
         else
-          Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION
+          :NO_ACTION
         end
       end
     end