contrast-agent 6.7.0 → 6.9.0

data/lib/contrast/agent/reporting/reporting_events/route_discovery.rb

@@ -2,7 +2,6 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/reporting/reporting_events/route_discovery_observation'
-require 'contrast/api/dtm.pb'
 require 'contrast/components/logger'
 
 module Contrast

data/lib/contrast/agent/reporting/reporting_events/route_discovery_observation.rb

@@ -1,7 +1,6 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/api/dtm.pb'
 require 'contrast/utils/string_utils'
 require 'contrast/components/logger'
 

data/lib/contrast/agent/reporting/reporting_events/server_reporting_event.rb

@@ -21,6 +21,14 @@ module Contrast
         def since_last_update
           (update_time = Contrast::SETTINGS.last_server_update_ms) ? Contrast::Utils::Timer.now_ms - update_time : 0
         end
+
+        # Human readable last time update for header set. Set to 0 if the agent is just starting and have not received
+        # the latest header from TS.
+        #
+        # @return [String]
+        def since_last_update_httpdate
+          Contrast::SETTINGS.server_settings_last_httpdate || Contrast::Utils::Timer.ms_to_httpdate(0)
+        end
       end
     end
   end

data/lib/contrast/agent/reporting/reporting_events/server_settings.rb

@@ -0,0 +1,40 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/reporting/reporting_events/server_reporting_event'
+require 'contrast/agent/reporting/reporting_utilities/endpoints'
+require 'contrast/utils/timer'
+
+module Contrast
+  module Agent
+    module Reporting
+      # This class will initialize a GET request to be send to TS. The server settings endpoint is the way the Agent
+      # receives server sittings - Protect rules settings, patterns, keywords and deny/allow lists, log setting.
+      class ServerSettings < Contrast::Agent::Reporting::ServerReportingEvent
+        def initialize
+          @event_method = :GET
+          @event_endpoint = Contrast::Agent::Reporting::Endpoints.server_settings
+          super
+        end
+
+        def file_name
+          'server-settings'
+        end
+
+        # Attach the last server settings received timestamp to the request as it is required.
+        #
+        # If-Modified-Since: <day-name>, <day> <month> <year> <hour>:<minute>:<second> GMT
+        # @param request [Net::HTTPRequest]
+        def attach_headers request
+          request['If-Modified-Since'] = since_last_update_httpdate
+        end
+
+        # @return [Hash]
+        # @raise [ArgumentError]
+        def to_controlled_hash
+          {}
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/reporting_utilities/audit.rb

@@ -19,8 +19,8 @@ module Contrast
           generate_paths if enabled?
         end
 
-        # This method will be handling the auditing of the requests and responses we send to SpeedRacer. If the audit
-        # feature is enabled, we'll log to file the request and/or response protobuf objects.
+        # This method will be handling the auditing of the requests and responses we send to TeamServer. If the audit
+        # feature is enabled, we'll log to file the request and/or response JSON objects.
         #
         # @param event [Contrast::Agent::Reporting::ReportingEvent] One of the DTMs valid for the
         #   event field of Contrast::Agent::Reporting::ReportingEvent

data/lib/contrast/agent/reporting/reporting_utilities/endpoints.rb

@@ -70,6 +70,12 @@ module Contrast
             end
           end
 
+          def server_settings
+            with_rescue do
+              "#{ server_endpoint }/settings".cs__freeze
+            end
+          end
+
           # @return [String,nil]
           def trace_observed
             with_rescue do

data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb

@@ -10,6 +10,8 @@ require 'contrast/agent/reporting/reporting_utilities/response_handler'
 require 'contrast/agent/reporting/reporting_utilities/reporter_client_utils'
 require 'contrast/agent/reporting/reporting_utilities/endpoints'
 require 'contrast/agent/reporting/reporting_utilities/headers'
+require 'contrast/agent/reporting/reporting_events/server_settings'
+require 'contrast/config/diagnostics'
 
 module Contrast
   module Agent
@@ -21,8 +23,10 @@ module Contrast
 
         include Contrast::Agent::Reporting::Endpoints
         include Contrast::Agent::Reporting::ReporterClientUtils
+        include Contrast::Agent::Reporting::ResponseHandlerUtils
         include Contrast::Components::Logger::InstanceMethods
         SERVICE_NAME = 'Reporter'
+        REPORT_CONFIG_WHEN = %w[200 304].cs__freeze
         def initialize
           @headers = Contrast::Agent::Reporting::Headers.new
           super()
@@ -61,13 +65,47 @@ module Contrast
           request = build_request(event)
           response = connection.request(request)
           audit&.audit_event(event, response) if ::Contrast::API.request_audit_enable
-          process_settings_response(response)
+          process_settings_response(response, event)
+          record_status(response, event)
+          record_configuration(response, event)
           process_preflight_response(event, response, connection)
           response
         rescue StandardError => e
           handle_error(event, e)
         end
 
+        # This is going to populate the config status value in the diagnostics json
+        #
+        # @param response [Contrast::Agent::Reporting::Response, nil]
+        # @param event [Contrast::Agent::Reporting::ReportingEvent]
+        def record_status response, event
+          return unless response
+          return unless event&.cs__class == Contrast::Agent::Reporting::AgentStartup ||
+              event&.cs__class == Contrast::Agent::Reporting::ApplicationStartup
+
+          diagnostics.config.determine_config_status(response)
+          nil
+        end
+
+        # Write effective config to file:
+        # If we are here the create and server messages are sent and the code received is
+        # 200 or 304. In case of 304 there will be no new settings and we can write current ones.
+        # This is done on every settings request.
+        #
+        # @param response [Contrast::Agent::Reporting::Response, nil]
+        # @param event [Contrast::Agent::Reporting::ReportingEvent]
+        def record_configuration response, event
+          return unless response
+          return unless REPORT_CONFIG_WHEN.include?(response_handler.last_response_code)
+          return unless event&.cs__class == Contrast::Agent::Reporting::ServerSettings ||
+              event&.cs__class == Contrast::Agent::Reporting::AgentStartup ||
+              event&.cs__class == Contrast::Agent::Reporting::ApplicationStartup
+
+          logger.info('[Reporter Diagnostics] last response code:', response_code: response_handler.last_response_code)
+          diagnostics.write_to_file
+          status.server_response_success!
+        end
+
         def status
           @_status ||= Contrast::Api::Communication::ConnectionStatus.new
         end
@@ -76,6 +114,10 @@ module Contrast
           @_response_handler ||= Contrast::Agent::Reporting::ResponseHandler.new
         end
 
+        def diagnostics
+          @_diagnostics ||= Contrast::Agent::DiagnosticsConfig::Diagnostics.new(Contrast::LOGGER.path)
+        end
+
         def sleep?
           response_handler.sleep?
         end

data/lib/contrast/agent/reporting/reporting_utilities/reporter_client_utils.rb

@@ -84,10 +84,12 @@ module Contrast
 
         # Handles response processing and sets status
         #
+        # @param event [Contrast::Agent::Reporting::ReportingEvent] The event sent to TeamServer.
         # @param response [Net::HTTP::Response]
-        def process_settings_response response
-          response_handler.process(response)
-          status.success!
+        def process_settings_response response, event
+          res = response_handler.process(response, event)
+          status.success! if res
+          res
         end
 
         # Given a response from preflght, when the finding hash is desired, then send the finding to which it pertains.
@@ -100,7 +102,7 @@ module Contrast
         # @param connection [Net::HTTP] open connection
         def process_preflight_response event, response, connection
           return unless event.cs__is_a?(Contrast::Agent::Reporting::Preflight)
-          return unless response && connection
+          return unless response&.body && connection
 
           findings_to_return = response.body.split(',').delete_if { |el| el.include?('*') }
           findings_to_return.each do |index|
@@ -125,6 +127,8 @@ module Contrast
             request = case event.event_method
                       when :PUT
                         Net::HTTP::Put.new(event.event_endpoint)
+                      when :GET
+                        Net::HTTP::Get.new(event.event_endpoint)
                       else # :POST
                         Net::HTTP::Post.new(event.event_endpoint)
                       end

data/lib/contrast/agent/reporting/reporting_utilities/response.rb

@@ -19,7 +19,7 @@ module Contrast
 
         # All of the feature server_features
         #
-        # @return [Contrast::Agent::Reporting::Settings::FeatureSettings, nil]
+        # @return [Contrast::Agent::Reporting::Settings::ServerFeatures, nil]
         attr_accessor :server_features
 
         # Success boolean message value

data/lib/contrast/agent/reporting/reporting_utilities/response_extractor.rb

@@ -49,13 +49,20 @@ module Contrast
           res.reactions = response_data[:reactions] if response_data[:features]
         end
 
+        # This method is universal and used for both ng endpoing of feature settings and the new
+        # Server settings endpoint. Used in both build_feature_settings and build_server_settings.
+        # Passing the ng_ flag determines the use of the endpoint and response used because some of
+        # the response fields are with different names or do not exist: [enabled vs enable]
+        #
         # @param response_data [Hash]
         # @param res [Contrast::Agent::Reporting::Response]
-        def extract_assess_server_features response_data, res
-          assess = response_data[:features][:assessment]
+        # @param ng_ [Boolean]
+        def extract_assess_settings response_data, res, ng_: true
+          assess = ng_ ? response_data[:features][:assessment] : response_data[:assess]
           return unless assess
 
-          res.server_features.assess.enabled = assess[:enabled]
+          res.server_features.assess.enabled = ng_ ? assess[:enabled] : assess[:enable]
+          res.server_features.assess.report_stacktraces = assess[:report_stacktraces] unless ng_
           res.server_features.assess.sampling = assess[:sampling]
           res.server_features.assess.sanitizers = assess[:sanitizers]
           res.server_features.assess.validators = assess[:validators]
@@ -78,7 +85,7 @@ module Contrast
         def extract_syslog response_data, res
           return unless (syslog = response_data[:features][:defend][:syslog])
 
-          res.server_features.protect.syslog.assign_array(syslog)
+          res.server_features.protect.syslog.assign_array(syslog, ng_: true)
         end
 
         # @param response_data [Hash]
@@ -116,6 +123,53 @@ module Contrast
           res.server_features.log_level = log_level
           res.server_features.log_file = response_data[:logFile] if response_data[:logFile]
         end
+
+        # This method is used with ServerSettings as we expect to have data for
+        # all the loggers - security_logger, logger, syslog.
+        #
+        # @param response_data [Hash]
+        # @param res [Contrast::Agent::Reporting::Response]
+        def extract_loggers response_data, res
+          logger = response_data[:logger]
+          security_logger = response_data[:security_logger]
+
+          if logger
+            res.server_features.log_level = logger[:level]
+            res.server_features.log_file = logger[:path]
+          end
+          return unless security_logger
+
+          log_level = security_logger[:level]
+          log_file = security_logger[:path]
+          res.server_features.security_logger.log_level = log_level
+          res.server_features.security_logger.log_file = log_file
+          res.server_features.security_logger.not_blank!
+          res.server_features.security_logger.syslog.assign_array(response_data[:security_logger][:syslog], ng_: false)
+        end
+
+        # @param response_data [Hash]
+        # @param res [Contrast::Agent::Reporting::Response]
+        def extract_protect_server_settings response_data, res
+          protect = response_data[:protect]
+          return unless protect
+
+          res.server_features.protect.enabled = protect[:enable]
+          res.server_features.protect.observability = protect[:observability]
+          res.server_features.protect.log_enhancers = protect[:log_enhancers]
+          update_protect_rules(protect, res)
+        end
+
+        # @param protect [Hash] response data
+        # @param res [Contrast::Agent::Reporting::Response]
+        def update_protect_rules protect, res
+          return unless (rules = protect[:rules])
+
+          res.server_features.protect.ip_allowlist = rules[:ip_allowlist]
+          res.server_features.protect.ip_denylist = rules[:ip_denylist]
+          res.server_features.protect.bot_blocker.enable = rules[:bot_blocker][:enable]
+          res.server_features.protect.bot_blocker.bots = rules[:bot_blocker][:bots]
+          res.server_features.protect.rules_to_definition_list(rules)
+        end
       end
     end
   end

data/lib/contrast/agent/reporting/reporting_utilities/response_handler.rb

@@ -1,12 +1,9 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/api/communication/response_processor'
-require 'contrast/api/decorators/application_settings'
 require 'contrast/agent/reporting/reporting_utilities/response'
 require 'contrast/agent/reporting/reporting_utilities/response_handler_utils'
 require 'contrast/agent/reporting/reporting_utilities/response_handler_mode'
-require 'contrast/api/decorators/server_features'
 require 'contrast/components/logger'
 require 'json'
 
@@ -23,13 +20,14 @@ module Contrast
         # Process the response from TS
         #
         # @param response [Net::HTTP::Response, nil]
+        # @param event [Contrast::Agent::Reporting::ReportingEvent] The event sent to TeamServer.
         # @return response [Net::HTTP::Response, nil]
-        def process response
+        def process response, event
           logger.debug('Reporter Received a response')
           return unless analyze_response?(response)
 
           # Handle the response body and obtain server_features or app_settings
-          report_response = convert_response(response)
+          report_response = convert_response(response, event)
           return unless report_response
 
           # Update Server Features and Application Settings to provide current agent settings
@@ -90,7 +88,7 @@ module Contrast
           when ERROR_CODES[:too_many_requests]
             handle_response_errors(response, RETRY_AFTER_MSG, mode.resending)
           else
-            logger.error('Response Error code could not be processed')
+            logger.error('Unable to execute agent post_call')
           end
         end
 

data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/reporting/reporting_utilities/response_extractor'
+require 'contrast/agent/disable_reaction'
 
 module Contrast
   module Agent
@@ -31,6 +32,17 @@ module Contrast
         UNPROCESSABLE_ENTITY_MSG = 'Reporter received Unprocessable Entity response. Disabling permanently.'
         RETRY_AFTER_MSG = "There are too many requests of this type being sent by this Agent. #{ SUSPEND_MSG }"
 
+        def last_response_code
+          @_last_response_code ||= ''
+        end
+
+        # String format of the Header:<day-name>, <day> <month> <year> <hour>:<minute>:<second> GMT
+        #
+        # @return [String]
+        def last_server_modified
+          @_last_server_modified
+        end
+
         private
 
         # check if response code is valid before analyze it
@@ -78,6 +90,11 @@ module Contrast
           #                in the standard format per RFC 2616
           # used for in observed routes message.
           return false unless response && (response_code = response&.code)
+
+          # We still need to check the response code even if we are not analyzing it, since the 304 code does not
+          # contain settings to be extracted but we still need to know for the diagnostics. Do not move this bellow
+          # the ANALYZE_WHEN check.
+          @_last_response_code = response_code
           return true if ANALYZE_WHEN.include?(response_code)
 
           handle_error(response) if ERROR_CODES.value?(response_code)
@@ -109,7 +126,7 @@ module Contrast
 
           stop_reporting(message, application: Contrast::APP_CONTEXT.name, error_message: error_message) # rubocop:disable Security/Module/Name
         rescue StandardError => e
-          logger.debug('Could not handle Response error information', error: e)
+          logger.debug('Could not handle Response error information', error: e, backtrace: e.backtrace)
         end
 
         # Extract what we've received.
@@ -126,6 +143,19 @@ module Contrast
           [ready_after.to_i, error_message, auth_error]
         end
 
+        # Extract Last-Modified header from ServerSettings response.
+        # The new GET server settings endpoint have different payload.
+        # Extract the last modify headers with last update form TS.
+        #
+        # @param response [Net::HTTP::Response, nil]
+        # @return last_modified[integer, nil] Time since last server update
+        def extract_response_last_modified response
+          return unless response.cs__is_a?(Net::HTTPResponse)
+
+          header = response['Last-Modified'] if response&.to_hash&.keys&.map(&:downcase)&.include?('last-modified')
+          @_last_server_modified = header if header
+        end
+
         # Cease reporting about this application
         #
         # @param message [String] Message to log
@@ -193,27 +223,32 @@ module Contrast
         # Converts response from Net to Reporting Response object
         #
         # @param response [Net::HTTP::Response, nil]
+        # @param event [Contrast::Agent::Reporting::ReportingEvent] The event sent to TeamServer.
         # @return response [Contrast::Agent::Reporting::Response]
-        def convert_response response
+        def convert_response response, event
           response_body = response&.body
           return unless response_body
 
           response_data = JSON.parse(response_body, symbolize_names: true)
           return unless response_data.cs__is_a?(Hash)
 
-          populate_response(response_data)
+          extract_response_last_modified(response)
+          populate_response(response_data, event)
         rescue StandardError => e
           logger.error('Unable to convert response', e)
           nil
         end
 
-        # Extracts the data from the response and coverts it to
-        # Contrast::Agent::Reporting::Response.
+        # Extracts the data from the response and coverts it to Contrast::Agent::Reporting::Response.
+        # The response is being checked for it's type and settings received so the extractor methods
+        # are invoked accordingly to the response type.
         #
         # @param response_data[Hash]
-        # @return response [Contrast::Agent::Reporting::Response]
-        def populate_response response_data
-          return unless (success, messages = extract_success(response_data))
+        # @param event [Contrast::Agent::Reporting::ReportingEvent] The event sent to TeamServer.
+        # this is used to check the expected response type for this event.
+        # @return response [Contrast::Agent::Reporting::Response, nil]
+        def populate_response response_data, event
+          return unless (success, messages = extract_success(response_data, event))
 
           # check if response contains application settings or Feature settings
           if response_data[:settings]
@@ -225,17 +260,23 @@ module Contrast
             logger.trace('Agent: Received updated application settings', raw: response_data, processed: app_settings)
             app_settings
           else
-            # the response contains FeatureSettings
+            # the response contains FeatureSettings. The ng endpoint data feature
             response = Contrast::Agent::Reporting::Response.build_server_response
             response.success = success
             response.messages = messages
-            server_features = build_feature_settings(response_data, response)
-            logger.trace('Agent: Received updated application settings', raw: response_data, processed: server_features)
+            server_features = if event.cs__is_a?(Contrast::Agent::Reporting::ServerSettings)
+                                # do the new extraction.
+                                build_server_settings(response_data, response)
+                              else
+                                build_feature_settings(response_data, response)
+                              end
+            logger.trace('Agent: Received updated feature settings', raw: response_data, processed: server_features)
             server_features
           end
-          response
         end
 
+        # This method is used with the ng endpoint.
+        #
         # @param response_data [Hash]
         # @return res [Contrast::Agent::Reporting::Response]
         def build_application_settings response_data, response
@@ -247,11 +288,13 @@ module Contrast
           response
         end
 
+        # This method is used with the ng startup endpoint.
+        #
         # @param response_data [Hash]
         # @return res [Contrast::Agent::Reporting::Response]
         def build_feature_settings response_data, response
           extract_reactions(response_data, response)
-          extract_assess_server_features(response_data, response)
+          extract_assess_settings(response_data, response)
           extract_protect_server_features(response_data, response)
           extract_protect_lists(response_data, response)
           extract_log_settings(response_data, response)
@@ -259,15 +302,33 @@ module Contrast
           response
         end
 
+        # This method is used with the server settings endpoint.
+        #
+        # @param response_data [Hash]
+        # @return res [Contrast::Agent::Reporting::Response]
+        def build_server_settings response_data, response
+          extract_loggers(response_data, response)
+          extract_protect_server_settings(response_data, response)
+          extract_assess_settings(response_data, response, ng_: false)
+          response.server_features.telemetry = response_data[:telemetry][:enable]
+          response
+        end
+
         # This method with check the success and messages field of the response.
         # If the success is false, then it will return nil and log the error.
         #
         # @param response_data [Hash]
         # @return [Array, nil] Returns the success status or nil if request
         # was not processed by TS.
-        def extract_success response_data
-          success = response_data[:success]
-          messages = response_data[:messages]
+        def extract_success response_data, event
+          if event.cs__is_a?(Contrast::Agent::Reporting::ServerSettings)
+            # we don't those in the body but we can count on the response code.
+            success = @_last_response_code == '200' ? true : nil
+            messages = @_last_response_code == '200' ? ['success'] : nil
+          else
+            success = response_data[:success]
+            messages = response_data[:messages]
+          end
           return [success, messages] if success
 
           logger.error('Unable to connect to Contrast UI') if messages.nil?

data/lib/contrast/agent/reporting/server_settings_worker.rb

@@ -0,0 +1,44 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/worker_thread'
+require 'contrast/agent/reporting/report'
+
+module Contrast
+  module Agent
+    # The ServerSettingsWorker will send request on interval, to make sure the Agent gets the settings it
+    # need to operate, from TS. This Thead should be started after the AgentStartup is complete.
+    class ServerSettingsWorker < WorkerThread
+      RESEND_INTERVAL_MS = 60_000.cs__freeze
+
+      def start_thread!
+        return if running?
+
+        @_thread = Contrast::Agent::Thread.new do
+          logger.info('Starting Server Settings Worker thread.', sending_interval: server_settings_resend_ms)
+          loop do
+            logger.info('Fetching Settings', sending_interval: server_settings_resend_ms)
+            Contrast::Agent.reporter&.send_event(settings_message)
+            sleep(server_settings_resend_ms / 1000)
+          end
+        end
+      end
+
+      private
+
+      # Polling messages for this thread. Including Server settings:
+      #
+      # @return [Contrast::Agent::Reporting::ReportingEvent]
+      def settings_message
+        @_settings_message ||= Contrast::Agent::Reporting::ServerSettings.new
+      end
+
+      # Get the value from settings or use the default one.
+      #
+      # @return resend_ms [Integer] time to resend the message
+      def server_settings_resend_ms
+        @_server_settings_resend_ms ||= Contrast::AGENT.polling.server_settings_ms&.to_i || RESEND_INTERVAL_MS
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/settings/assess_server_feature.rb

@@ -15,6 +15,7 @@ module Contrast
         # Application level settings for the Assess featureset.
         # Used for the FeatureSet TS response
         class AssessServerFeature
+          REPORT_STACKTRACES = %w[ALL SOME NONE].cs__freeze
           # Indicate if the assess feature set is enabled for this server or not.
           #
           # @return enabled [Boolean]
@@ -27,7 +28,17 @@ module Contrast
           # @param enabled [Boolean]
           # @return enabled [Boolean]
           def enabled= enabled
-            @_enabled = enabled if !!enabled == enabled
+            @_enabled = enabled
+          end
+
+          # @return [String] ALL, SOME, NONE
+          def report_stacktraces
+            @_report_stacktraces
+          end
+
+          # @return [String] ALL, SOME, NONE
+          def report_stacktraces= level
+            @_report_stacktraces = level if REPORT_STACKTRACES.include?(level)
           end
 
           # Used to control the sampling feature in the agent.
@@ -91,9 +102,10 @@ module Contrast
             {
                 enabled: enabled?,
                 sampling: sampling.to_controlled_hash,
+                report_stacktraces: report_stacktraces, # used with ServerSettings only
                 sanitizers: sanitizers.map(&:to_controlled_hash),
                 validators: validators.map(&:to_controlled_hash)
-            }
+            }.compact
           end
         end
       end

data/lib/contrast/agent/reporting/settings/code_exclusion.rb

@@ -12,9 +12,14 @@ module Contrast
           ATTRIBUTES = BASE_ATTRIBUTES.dup << :denylist
           ATTRIBUTES.cs__freeze
 
-          # @return denylist [Array<String>] #rubocop:disable [Naming/InclusiveLanguage]
+          # @return [Array<String>]
           attr_accessor :denylist
 
+          def initialize
+            super
+            @denylist = []
+          end
+
           def to_controlled_hash
             hash = super
             hash[:denylist] = denylist

data/lib/contrast/agent/reporting/settings/exclusion_base.rb

@@ -18,6 +18,24 @@ module Contrast
           # @return protect_rules [Array<String>]
           attr_accessor :protect_rules
 
+          def initialize
+            @modes = []
+            @assess_rules = []
+            @protect_rules = []
+          end
+
+          # @return [Boolean] does this exclusion apply to Assess or not
+          def assess
+            @_assess = modes&.include?('assess') if @_assess.nil?
+            @_assess
+          end
+
+          # @return [Boolean] does this exclusion apply to Protect or not
+          def protect
+            @_protect = modes&.include?('defend') if @_protect.nil?
+            @_protect
+          end
+
           def to_controlled_hash
             {
                 name: name, # rubocop:disable Security/Module/Name