contrast-agent 6.9.0 → 6.10.0

data/lib/contrast/agent/reporting/reporting_utilities/ng_response_extractor.rb

@@ -0,0 +1,137 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Reporting
+      # This module will hold the methods for TS response conversion to settings objects. It is used for those
+      # endpoints which have NG in their prefix.
+      module NgResponseExtractor
+        private
+
+        # @param response_data [Hash]
+        # @param res [Contrast::Agent::Reporting::Response]
+        def ng_extract_assess response_data, res
+          assessments = response_data[:settings][:assessment]
+          return unless assessments
+
+          res.application_settings.assess.session_id = assessments[:session_id]
+          disabled = assessments[:disabledRules]
+          return unless disabled
+
+          disabled.each do |rule_id|
+            rule_setting = Contrast::Agent::Reporting::Settings::AssessRule.new.tap { |setting| setting.enable = false }
+            res.application_settings.assess.rule_settings[rule_id] = rule_setting
+          end
+        end
+
+        # @param response_data [Hash]
+        # @param res [Contrast::Agent::Reporting::Response]
+        def ng_extract_protect response_data, res
+          protect = response_data[:settings][:defend]
+          return unless protect
+
+          res.application_settings.protect.protection_rules = protect[:protectionRules]
+          protect[:virtualPatches]&.each do |patch_json|
+            res.application_settings.protect.virtual_patches <<
+                Contrast::Agent::Reporting::Settings::VirtualPatch.new(patch_json)
+          end
+        end
+
+        # @param response_data [Hash]
+        # @param res [Contrast::Agent::Reporting::Response]
+        def ng_extract_exclusions response_data, res
+          exclusions = response_data[:settings][:exceptions]
+          return unless exclusions
+
+          res.application_settings.exclusions.code_exclusions = exclusions[:codeExceptions]
+          res.application_settings.exclusions.input_exclusions = exclusions[:inputExceptions]
+          res.application_settings.exclusions.url_exclusions = exclusions[:urlExceptions]
+        end
+
+        # The responses we receive for feature and settings from TS have different
+        # place to store these reactions: body.reactions vs body.settings.reactions.
+        #
+        # @param response_data [Hash]
+        # @param res [Contrast::Agent::Reporting::Response]
+        def ng_extract_reactions response_data, res
+          res.reactions = response_data[:settings][:reactions] if response_data[:settings]
+          res.reactions = response_data[:reactions] if response_data[:features]
+        end
+
+        # This method is universal and used for both ng endpoint of feature settings and the new
+        # Server settings endpoint. Used in both build_feature_settings and build_server_settings.
+        # Passing the ng_ flag determines the use of the endpoint and response used because some of
+        # the response fields are with different names or do not exist: [enabled vs enable]
+        #
+        # @param response_data [Hash]
+        # @param res [Contrast::Agent::Reporting::Response]
+        def ng_extract_assess_features response_data, res
+          assess = response_data[:features][:assessment]
+          return unless assess
+
+          res.server_features.assess.enabled = assess[:enabled]
+          res.server_features.assess.sampling = assess[:sampling]
+          res.server_features.assess.sanitizers = assess[:sanitizers]
+          res.server_features.assess.validators = assess[:validators]
+        end
+
+        # @param response_data [Hash]
+        # @param res [Contrast::Agent::Reporting::Response]
+        def ng_extract_protect_features response_data, res
+          protect = response_data[:features][:defend]
+          return unless protect
+
+          res.server_features.protect.enabled = protect[:enabled]
+          res.server_features.protect.bot_blocker.enable = protect[:'bot-blocker']
+          res.server_features.protect.bot_blocker.bots = protect[:botBlockers]
+          ng_extract_syslog(response_data, res)
+        end
+
+        # @param response_data [Hash]
+        # @param res [Contrast::Agent::Reporting::Response]
+        def ng_extract_syslog response_data, res
+          return unless (syslog = response_data[:features][:defend][:syslog])
+
+          res.server_features.protect.syslog.assign_array(syslog, ng_: true)
+        end
+
+        # @param response_data [Hash]
+        # @param res [Contrast::Agent::Reporting::Response]
+        def ng_extract_protect_lists response_data, res
+          protect = response_data[:features][:defend]
+          return unless protect
+
+          res.server_features.protect.ip_allowlist = protect[:ipAllowlist]
+          res.server_features.protect.ip_denylist = protect[:ipDenylist]
+          res.server_features.protect.log_enhancers = protect[:logEnhancers]
+          res.server_features.protect.ng_rule_definition_list(protect[:ruleDefinitionList])
+        end
+
+        # Here we extract the rules and state for the sensitive data masking policy
+        # received from TS.
+        #
+        # @param response_data [Hash]
+        # @param res [Contrast::Agent::Reporting::Response]
+        def ng_extract_sensitive_data_policy response_data, res
+          return unless (sensitive_data = response_data[:settings][:sensitive_data_masking_policy])
+
+          res.application_settings.sensitive_data_masking.mask_http_body = sensitive_data[:mask_http_body]
+          res.application_settings.sensitive_data_masking.mask_attack_vector = sensitive_data[:mask_attack_vector]
+          res.application_settings.sensitive_data_masking.build_rules_form_settings(sensitive_data[:rules])
+        end
+
+        # Here we extract the log settings received from TS.
+        #
+        # @param response_data [Hash]
+        # @param res [Contrast::Agent::Reporting::Response]
+        def ng_extract_log_settings response_data, res
+          return unless (log_level = response_data[:logLevel])
+
+          res.server_features.log_level = log_level
+          res.server_features.log_file = response_data[:logFile] if response_data[:logFile]
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb

@@ -11,6 +11,7 @@ require 'contrast/agent/reporting/reporting_utilities/reporter_client_utils'
 require 'contrast/agent/reporting/reporting_utilities/endpoints'
 require 'contrast/agent/reporting/reporting_utilities/headers'
 require 'contrast/agent/reporting/reporting_events/server_settings'
+require 'contrast/agent/reporting/reporting_events/application_settings'
 require 'contrast/config/diagnostics'
 
 module Contrast
@@ -25,8 +26,17 @@ module Contrast
         include Contrast::Agent::Reporting::ReporterClientUtils
         include Contrast::Agent::Reporting::ResponseHandlerUtils
         include Contrast::Components::Logger::InstanceMethods
+
+        # @return [Array<Class>] events that may result in configuration changes
+        RECORDABLE_EVENTS = [
+          Contrast::Agent::Reporting::ServerSettings,
+          Contrast::Agent::Reporting::ApplicationSettings,
+          Contrast::Agent::Reporting::AgentStartup,
+          Contrast::Agent::Reporting::ApplicationStartup
+        ].cs__freeze
         SERVICE_NAME = 'Reporter'
         REPORT_CONFIG_WHEN = %w[200 304].cs__freeze
+
         def initialize
           @headers = Contrast::Agent::Reporting::Headers.new
           super()
@@ -60,7 +70,7 @@ module Contrast
         def send_event event, connection
           return unless connection
 
-          logger.debug('Preparing to send reporting event', event_class: event.cs__class)
+          logger.debug('[Reporter] Preparing to send reporting event', event_class: event.cs__class)
 
           request = build_request(event)
           response = connection.request(request)
@@ -97,9 +107,7 @@ module Contrast
         def record_configuration response, event
           return unless response
           return unless REPORT_CONFIG_WHEN.include?(response_handler.last_response_code)
-          return unless event&.cs__class == Contrast::Agent::Reporting::ServerSettings ||
-              event&.cs__class == Contrast::Agent::Reporting::AgentStartup ||
-              event&.cs__class == Contrast::Agent::Reporting::ApplicationStartup
+          return unless RECORDABLE_EVENTS.include?(event&.cs__class)
 
           logger.info('[Reporter Diagnostics] last response code:', response_code: response_handler.last_response_code)
           diagnostics.write_to_file

data/lib/contrast/agent/reporting/reporting_utilities/response_extractor.rb

@@ -1,6 +1,9 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/agent/reporting/settings/assess_rule'
+require 'contrast/agent/reporting/settings/protect_rule'
+
 module Contrast
   module Agent
     module Reporting
@@ -8,46 +11,9 @@ module Contrast
       module ResponseExtractor
         private
 
-        # @param response_data [Hash]
-        # @param res [Contrast::Agent::Reporting::Response]
-        def extract_assess response_data, res
-          assessments = response_data[:settings][:assessment]
-          return unless assessments
-
-          res.application_settings.assess.disabled_rules = assessments[:disabledRules]
-          res.application_settings.assess.session_id = assessments[:session_id]
-        end
-
-        # @param response_data [Hash]
-        # @param res [Contrast::Agent::Reporting::Response]
-        def extract_protect response_data, res
-          protect = response_data[:settings][:defend]
-          return unless protect
-
-          res.application_settings.protect.protection_rules = protect[:protectionRules]
-          res.application_settings.protect.virtual_patches = protect[:virtualPatches]
-        end
-
-        # @param response_data [Hash]
-        # @param res [Contrast::Agent::Reporting::Response]
-        def extract_exclusions response_data, res
-          exclusions = response_data[:settings][:exceptions]
-          return unless exclusions
-
-          res.application_settings.exclusions.code_exclusions = exclusions[:codeExceptions]
-          res.application_settings.exclusions.input_exclusions = exclusions[:inputExceptions]
-          res.application_settings.exclusions.url_exclusions = exclusions[:urlExceptions]
-        end
-
-        # The responses we receive for feature and settings from TS have different
-        # place to store these reactions: body.reactions vs body.settings.reactions.
-        #
-        # @param response_data [Hash]
-        # @param res [Contrast::Agent::Reporting::Response]
-        def extract_reactions response_data, res
-          res.reactions = response_data[:settings][:reactions] if response_data[:settings]
-          res.reactions = response_data[:reactions] if response_data[:features]
-        end
+        ##########################################
+        #         Server Settings Parsing        #
+        ##########################################
 
         # This method is universal and used for both ng endpoing of feature settings and the new
         # Server settings endpoint. Used in both build_feature_settings and build_server_settings.
@@ -56,13 +22,12 @@ module Contrast
         #
         # @param response_data [Hash]
         # @param res [Contrast::Agent::Reporting::Response]
-        # @param ng_ [Boolean]
-        def extract_assess_settings response_data, res, ng_: true
-          assess = ng_ ? response_data[:features][:assessment] : response_data[:assess]
+        def extract_assess_server_settings response_data, res
+          assess = response_data[:assess]
           return unless assess
 
-          res.server_features.assess.enabled = ng_ ? assess[:enabled] : assess[:enable]
-          res.server_features.assess.report_stacktraces = assess[:report_stacktraces] unless ng_
+          res.server_features.assess.enabled = assess[:enable]
+          res.server_features.assess.report_stacktraces = assess[:report_stacktraces]
           res.server_features.assess.sampling = assess[:sampling]
           res.server_features.assess.sanitizers = assess[:sanitizers]
           res.server_features.assess.validators = assess[:validators]
@@ -70,58 +35,14 @@ module Contrast
 
         # @param response_data [Hash]
         # @param res [Contrast::Agent::Reporting::Response]
-        def extract_protect_server_features response_data, res
-          protect = response_data[:features][:defend]
-          return unless protect
-
-          res.server_features.protect.enabled = protect[:enabled]
-          res.server_features.protect.bot_blocker.enable = protect[:'bot-blocker']
-          res.server_features.protect.bot_blocker.bots = protect[:botBlockers]
-          extract_syslog(response_data, res)
-        end
-
-        # @param response_data [Hash]
-        # @param res [Contrast::Agent::Reporting::Response]
-        def extract_syslog response_data, res
-          return unless (syslog = response_data[:features][:defend][:syslog])
-
-          res.server_features.protect.syslog.assign_array(syslog, ng_: true)
-        end
-
-        # @param response_data [Hash]
-        # @param res [Contrast::Agent::Reporting::Response]
-        def extract_protect_lists response_data, res
-          protect = response_data[:features][:defend]
+        def extract_protect_server_settings response_data, res
+          protect = response_data[:protect]
           return unless protect
 
-          res.server_features.protect.ip_allowlist = protect[:ipAllowlist]
-          res.server_features.protect.ip_denylist = protect[:ipDenylist]
-          res.server_features.protect.log_enhancers = protect[:logEnhancers]
-          res.server_features.protect.rule_definition_list = protect[:ruleDefinitionList]
-        end
-
-        # Here we extract the rules and state for the sensitive data masking policy
-        # received from TS.
-        #
-        # @param response_data [Hash]
-        # @param res [Contrast::Agent::Reporting::Response]
-        def extract_sensitive_data_policy response_data, res
-          return unless (sensitive_data = response_data[:settings][:sensitive_data_masking_policy])
-
-          res.application_settings.sensitive_data_masking.mask_http_body = sensitive_data[:mask_http_body]
-          res.application_settings.sensitive_data_masking.mask_attack_vector = sensitive_data[:mask_attack_vector]
-          res.application_settings.sensitive_data_masking.build_rules_form_settings(sensitive_data[:rules])
-        end
-
-        # Here we extract the log settings received from TS.
-        #
-        # @param response_data [Hash]
-        # @param res [Contrast::Agent::Reporting::Response]
-        def extract_log_settings response_data, res
-          return unless (log_level = response_data[:logLevel])
-
-          res.server_features.log_level = log_level
-          res.server_features.log_file = response_data[:logFile] if response_data[:logFile]
+          res.server_features.protect.enabled = protect[:enable]
+          res.server_features.protect.observability = protect[:observability]
+          res.server_features.protect.log_enhancers = protect[:log_enhancers]
+          update_protect_rules(protect, res)
         end
 
         # This method is used with ServerSettings as we expect to have data for
@@ -147,18 +68,6 @@ module Contrast
           res.server_features.security_logger.syslog.assign_array(response_data[:security_logger][:syslog], ng_: false)
         end
 
-        # @param response_data [Hash]
-        # @param res [Contrast::Agent::Reporting::Response]
-        def extract_protect_server_settings response_data, res
-          protect = response_data[:protect]
-          return unless protect
-
-          res.server_features.protect.enabled = protect[:enable]
-          res.server_features.protect.observability = protect[:observability]
-          res.server_features.protect.log_enhancers = protect[:log_enhancers]
-          update_protect_rules(protect, res)
-        end
-
         # @param protect [Hash] response data
         # @param res [Contrast::Agent::Reporting::Response]
         def update_protect_rules protect, res
@@ -170,6 +79,90 @@ module Contrast
           res.server_features.protect.bot_blocker.bots = rules[:bot_blocker][:bots]
           res.server_features.protect.rules_to_definition_list(rules)
         end
+
+        ##########################################
+        #      Application Settings Parsing      #
+        ##########################################
+
+        # @param response_data [Hash]
+        # @param res [Contrast::Agent::Reporting::Response]
+        def extract_assess_application_settings response_data, res
+          assess = response_data[:assess]
+          return unless assess
+
+          assess.each_pair do |rule_id, value|
+            rule_setting =
+              Contrast::Agent::Reporting::Settings::AssessRule.new.tap { |setting| setting.enable = value[:enable] }
+            res.application_settings.assess.rule_settings[rule_id.to_s] = rule_setting
+          end
+
+          # This endpoint can never give us session_id, so we dont need to set it here
+          # res.application_settings.assess.session_id
+        end
+
+        # @param response_data [Hash]
+        # @param res [Contrast::Agent::Reporting::Response]
+        def extract_protect_application_settings response_data, res
+          protect = response_data[:protect]
+          return unless protect
+
+          rules = protect[:rules]
+          rules&.each_pair do |rule_id, value|
+            rule_setting =
+              Contrast::Agent::Reporting::Settings::ProtectRule.new.tap { |setting| setting.mode = value[:mode] }
+            res.application_settings.protect.rule_settings[rule_id.to_s] = rule_setting
+          end
+          protect[:'virtual-patches']&.each do |patch_json|
+            res.application_settings.protect.virtual_patches <<
+                Contrast::Agent::Reporting::Settings::VirtualPatch.new(patch_json)
+          end
+        end
+
+        # @param response_data [Hash]
+        # @param res [Contrast::Agent::Reporting::Response]
+        def extract_exclusions response_data, res
+          exclusions = response_data[:exclusions]
+          return unless exclusions
+
+          res.application_settings.exclusions.code_exclusions = exclusions[:code]
+          res.application_settings.exclusions.url_exclusions = exclusions[:url]
+          extract_input_exclusions(response_data[:exclusions], res)
+        end
+
+        # Input exclusions between NG and non-NG are different, so need to be cast separately.
+        #
+        # @param exclusions [Hash]
+        # @param res [Contrast::Agent::Reporting::Response]
+        def extract_input_exclusions exclusions, res
+          res.application_settings.exclusions.input_exclusions = []
+          exclusions[:input].each do |exclusion_details|
+            input_exclusion = Contrast::Agent::Reporting::Settings::InputExclusion.new
+            input_exclusion.name = exclusion_details[:name]
+            input_exclusion.modes = exclusion_details[:modes]
+            input_exclusion.assess_rules = exclusion_details[:assess_rules]
+            input_exclusion.protect_rules = exclusion_details[:protect_rules]
+            input_exclusion.input_name = exclusion_details[:name]
+            input_exclusion.input_type = exclusion_details[:type]
+            input_exclusion.urls = exclusion_details[:urls]
+            res.application_settings.exclusions.input_exclusions << exclusion
+          end
+        end
+
+        # @param response_data [Hash]
+        # @param res [Contrast::Agent::Reporting::Response]
+        def extract_sensitive_data_policy response_data, res
+          return unless (sensitive_data = response_data[:sensitive_data_masking_policy])
+
+          res.application_settings.sensitive_data_masking.mask_http_body = sensitive_data[:mask_http_body]
+          res.application_settings.sensitive_data_masking.mask_attack_vector = sensitive_data[:mask_attack_vector]
+          res.application_settings.sensitive_data_masking.build_rules_form_settings(sensitive_data[:rules])
+        end
+
+        # @param response_data [Hash]
+        # @param res [Contrast::Agent::Reporting::Response]
+        def extract_reactions response_data, res
+          res.reactions = response_data[:reactions]
+        end
       end
     end
   end

data/lib/contrast/agent/reporting/reporting_utilities/response_handler.rb

@@ -14,6 +14,7 @@ module Contrast
       class ResponseHandler
         include Contrast::Components::Logger::InstanceMethods
         include Contrast::Agent::Reporting::ResponseHandlerUtils
+
         # 15 min
         TIMEOUT = 900.cs__freeze
 
@@ -23,7 +24,7 @@ module Contrast
         # @param event [Contrast::Agent::Reporting::ReportingEvent] The event sent to TeamServer.
         # @return response [Net::HTTP::Response, nil]
         def process response, event
-          logger.debug('Reporter Received a response')
+          logger.debug('[Reporter] Received a response')
           return unless analyze_response?(response)
 
           # Handle the response body and obtain server_features or app_settings
@@ -100,7 +101,7 @@ module Contrast
         # @param error_message [String, nil] Error message if any received.
         def suspend_reporting message, timeout, error_message
           @_timeout = timeout || Contrast::Agent::Reporting::ResponseHandler::TIMEOUT
-          log_debug_msg(message, timeout: @_timeout, error_message: error_message || 'none')
+          log_error_msg(message, timeout: @_timeout, error_message: error_message || 'none')
           @_sleep = true
         end
 
@@ -108,8 +109,8 @@ module Contrast
         #
         # @param message [String] Message to log
         # @param info_hash [Hash] information about the context to log.
-        def log_debug_msg message, info_hash
-          logger.debug(message, info_hash)
+        def log_error_msg message, info_hash
+          logger.error(message, info_hash)
         end
       end
     end