contrast-agent 6.9.0 → 6.10.0

data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb

@@ -1,6 +1,7 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/agent/reporting/reporting_utilities/ng_response_extractor'
 require 'contrast/agent/reporting/reporting_utilities/response_extractor'
 require 'contrast/agent/disable_reaction'
 
@@ -9,6 +10,7 @@ module Contrast
     module Reporting
       # This module holds utilities required by the reporting service response handler
       module ResponseHandlerUtils
+        include Contrast::Agent::Reporting::NgResponseExtractor
         include Contrast::Agent::Reporting::ResponseExtractor
 
         ANALYZE_WHEN = %w[200 204].cs__freeze
@@ -115,7 +117,7 @@ module Contrast
           ready_after, error_message, auth_error = extract_response_info(response)
           # log, suspend, disable:
           if mode == @_mode.running
-            log_debug_msg(message,
+            log_error_msg(message,
                           response: response.__id__,
                           request: Contrast::Agent::REQUEST_TRACKER.current&.request&.type,
                           error_message: error_message || 'none',
@@ -151,9 +153,9 @@ module Contrast
         # @return last_modified[integer, nil] Time since last server update
         def extract_response_last_modified response
           return unless response.cs__is_a?(Net::HTTPResponse)
+          return unless (header = response['last-modified'])
 
-          header = response['Last-Modified'] if response&.to_hash&.keys&.map(&:downcase)&.include?('last-modified')
-          @_last_server_modified = header if header
+          @_last_server_modified = header
         end
 
         # Cease reporting about this application
@@ -162,7 +164,7 @@ module Contrast
         # @param info_hash [Hash] information about the context to log.
         def stop_reporting message, info_hash
           Contrast::Agent.reporter&.stop!
-          log_debug_msg(message, info_hash)
+          log_error_msg(message, info_hash)
           ::Contrast::AGENT.disable!
         end
 
@@ -220,7 +222,16 @@ module Contrast
           end
         end
 
-        # Converts response from Net to Reporting Response object
+        # Converts response from Net to Reporting Response object. Unfortunately, there are four types of responses
+        # that TeamServer can send back to us. The FeatureSet for Servers, which come from Agent Startup and Server
+        # Settings, and the SettingsState for Applications, which come from Application Startup and Application
+        # Settings.
+        #
+        # The Startup messages come from NG and have the nested structure w/ success, message, and features/settings.
+        # The Settings messages come from v1 and have the flat structure.
+        # Neither have uniform keys, for instance assessment in startup vs assess in settings.
+        #
+        # This method works to extract away these differences.
         #
         # @param response [Net::HTTP::Response, nil]
         # @param event [Contrast::Agent::Reporting::ReportingEvent] The event sent to TeamServer.
@@ -248,70 +259,95 @@ module Contrast
         # this is used to check the expected response type for this event.
         # @return response [Contrast::Agent::Reporting::Response, nil]
         def populate_response response_data, event
-          return unless (success, messages = extract_success(response_data, event))
-
-          # check if response contains application settings or Feature settings
-          if response_data[:settings]
-            # the response contains ApplicationSettings
-            response = Contrast::Agent::Reporting::Response.build_application_response
-            response.success = success
-            response.messages = messages
-            app_settings = build_application_settings(response_data, response)
-            logger.trace('Agent: Received updated application settings', raw: response_data, processed: app_settings)
-            app_settings
+          # Responses fall into one of two types - those for Servers or those for Applications
+          response = case event
+                       # Server feature based events
+                     when Contrast::Agent::Reporting::AgentStartup, Contrast::Agent::Reporting::ServerSettings
+                       Contrast::Agent::Reporting::Response.build_server_response
+                       # Application settings based events
+                     when Contrast::Agent::Reporting::ApplicationStartup,
+                       Contrast::Agent::Reporting::ApplicationSettings
+
+                       Contrast::Agent::Reporting::Response.build_application_response
+                     end
+          return unless response
+
+          return unless (success, messages = extract_success(response_data))
+
+          response.success = success
+          response.messages = messages
+          # Features & Settings have to be parsed from the response based on the event type sent
+          case event
+          when Contrast::Agent::Reporting::AgentStartup
+            extract_agent_startup(response_data, response)
+          when Contrast::Agent::Reporting::ApplicationStartup
+            extract_application_startup(response_data, response)
+          when Contrast::Agent::Reporting::ServerSettings
+            extract_server_settings(response_data, response)
+          when Contrast::Agent::Reporting::ApplicationSettings
+            extract_application_settings(response_data, response)
           else
-            # the response contains FeatureSettings. The ng endpoint data feature
-            response = Contrast::Agent::Reporting::Response.build_server_response
-            response.success = success
-            response.messages = messages
-            server_features = if event.cs__is_a?(Contrast::Agent::Reporting::ServerSettings)
-                                # do the new extraction.
-                                build_server_settings(response_data, response)
-                              else
-                                build_feature_settings(response_data, response)
-                              end
-            logger.trace('Agent: Received updated feature settings', raw: response_data, processed: server_features)
-            server_features
+            return
           end
+          logger.trace('Agent: Received updated features or settings',
+                       event: event.cs__class,
+                       raw: response_data,
+                       processed: response)
+          response
         end
 
         # This method is used with the ng endpoint.
         #
-        # @param response_data [Hash]
-        # @return res [Contrast::Agent::Reporting::Response]
-        def build_application_settings response_data, response
-          extract_assess(response_data, response)
-          extract_protect(response_data, response)
-          extract_exclusions(response_data, response)
-          extract_reactions(response_data, response)
-          extract_sensitive_data_policy(response_data, response)
-          response
+        # @param response_data [Hash] JSON of the response body from a Contrast::Agent::Reporting::ApplicationStartup
+        #   event
+        # @param response [Contrast::Agent::Reporting::Response] the object to populate with the body data
+        def extract_application_startup response_data, response
+          return unless response_data[:settings]
+
+          ng_extract_assess(response_data, response)
+          ng_extract_protect(response_data, response)
+          ng_extract_exclusions(response_data, response)
+          ng_extract_reactions(response_data, response)
+          ng_extract_sensitive_data_policy(response_data, response)
         end
 
         # This method is used with the ng startup endpoint.
         #
-        # @param response_data [Hash]
-        # @return res [Contrast::Agent::Reporting::Response]
-        def build_feature_settings response_data, response
-          extract_reactions(response_data, response)
-          extract_assess_settings(response_data, response)
-          extract_protect_server_features(response_data, response)
-          extract_protect_lists(response_data, response)
-          extract_log_settings(response_data, response)
+        # @param response_data [Hash] JSON of the response body from a Contrast::Agent::Reporting::AgentStartup event
+        # @param response [Contrast::Agent::Reporting::Response] the object to populate with the body data
+        def extract_agent_startup response_data, response
+          ng_extract_log_settings(response_data, response)
           response.server_features.telemetry = response_data[:telemetry]
-          response
+          return unless response_data[:features]
+
+          ng_extract_reactions(response_data, response)
+          ng_extract_assess_features(response_data, response)
+          ng_extract_protect_features(response_data, response)
+          ng_extract_protect_lists(response_data, response)
         end
 
         # This method is used with the server settings endpoint.
         #
-        # @param response_data [Hash]
-        # @return res [Contrast::Agent::Reporting::Response]
-        def build_server_settings response_data, response
+        # @param response_data [Hash] JSON of the response body from a Contrast::Agent::Reporting::ServerSettings event
+        # @param response [Contrast::Agent::Reporting::Response] the object to populate with the body data
+        def extract_server_settings response_data, response
           extract_loggers(response_data, response)
           extract_protect_server_settings(response_data, response)
-          extract_assess_settings(response_data, response, ng_: false)
+          extract_assess_server_settings(response_data, response)
           response.server_features.telemetry = response_data[:telemetry][:enable]
-          response
+        end
+
+        # This method is used with the ng startup endpoint.
+        #
+        # @param response_data [Hash] JSON of the response body from a Contrast::Agent::Reporting::ApplicationSettings
+        #   event
+        # @param response [Contrast::Agent::Reporting::Response] the object to populate with the body data
+        def extract_application_settings response_data, response
+          extract_assess_application_settings(response_data, response)
+          extract_protect_application_settings(response_data, response)
+          extract_exclusions(response_data, response)
+          extract_sensitive_data_policy(response_data, response)
+          extract_reactions(response_data, response)
         end
 
         # This method with check the success and messages field of the response.
@@ -320,20 +356,18 @@ module Contrast
         # @param response_data [Hash]
         # @return [Array, nil] Returns the success status or nil if request
         # was not processed by TS.
-        def extract_success response_data, event
-          if event.cs__is_a?(Contrast::Agent::Reporting::ServerSettings)
-            # we don't those in the body but we can count on the response code.
-            success = @_last_response_code == '200' ? true : nil
-            messages = @_last_response_code == '200' ? ['success'] : nil
-          else
-            success = response_data[:success]
-            messages = response_data[:messages]
-          end
+        def extract_success response_data
+          # If we are here we have receive 200 or 204 response code. We'll try and
+          # extract the success and messages received,but not all of the responses
+          # we receive will have success field or messages. All of the new non-ng
+          # endpoints won't have messages or success. The way we'll be sure that
+          # a response is successful is by checking the response code.
+          #
+          # To extract response we need only 200 response code.
+          success = @_last_response_code == '200'
+          messages = response_data[:messages] || []
           return [success, messages] if success
 
-          logger.error('Unable to connect to Contrast UI') if messages.nil?
-          logger.error('Failure on Contrast UI processing request', reasons: messages.join(', ')) if messages
-
           nil
         end
       end

data/lib/contrast/agent/reporting/reporting_workers/application_server_worker.rb

@@ -0,0 +1,46 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/worker_thread'
+require 'contrast/agent/reporting/report'
+
+module Contrast
+  module Agent
+    module ReportingWorkers
+      # The ApplicationServerWorker will send request on interval, to make sure the Agent gets the settings it
+      # need to operate, from TS. This Thead should be started after the ApplicationStartup is complete.
+      class ApplicationServerWorker < WorkerThread
+        RESEND_INTERVAL_MS = 30_000.cs__freeze
+
+        def start_thread!
+          return if running?
+
+          @_thread = Contrast::Agent::Thread.new do
+            logger.info('[ApplicationSettingsWorker] Starting thread.', sending_interval: application_server_ms)
+            loop do
+              logger.info('[ApplicationSettingsWorker] Fetching Settings', sending_interval: application_server_ms)
+              Contrast::Agent.reporter&.send_event(application_settings_message)
+              sleep(application_server_ms / 1000)
+            end
+          end
+        end
+
+        private
+
+        # This method will generate the reporting event for the application settings
+        #
+        # @return [Contrast::Agent::Reporting::ReportingEvent]
+        def application_settings_message
+          @_application_settings_message ||= Contrast::Agent::Reporting::ApplicationSettings.new
+        end
+
+        # Get the value from settings or use the default one.
+        #
+        # @return resend_ms [Integer] time to resend the message
+        def application_server_ms
+          @_application_server_ms ||= Contrast::AGENT.polling.app_settings_ms&.to_i || RESEND_INTERVAL_MS
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/reporting_workers/reporter_heartbeat.rb

@@ -0,0 +1,51 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/worker_thread'
+require 'contrast/agent/reporting/report'
+require 'contrast/agent/inventory/dependency_usage_analysis'
+require 'contrast/agent/reporting/reporting_events/poll'
+
+module Contrast
+  module Agent
+    module ReportingWorkers
+      # The ReporterHeartbeat will make sure that the process remains marked alive by TeamServer and that we
+      # periodically reach out to get the latest settings for this application. It also sends out those
+      # messages which do not need to be associated directly with a request,
+      # such as Server Activity and Library Observation.
+      class ReporterHeartbeat < WorkerThread
+        # TeamServer will mark an application offline after 5 minutes. Sending this every one should be more than enough
+        # to satisfy our goals.
+        REFRESH_INTERVAL_SEC = 60
+
+        def start_thread!
+          return if running?
+
+          @_thread = Contrast::Agent::Thread.new do
+            logger.info('[Heartbeat] Starting thread.')
+            loop do
+              polling_events.each do |event|
+                Contrast::Agent.reporter&.send_event(event)
+              end
+              clean_properties
+              sleep(REFRESH_INTERVAL_SEC)
+            end
+          end
+        end
+
+        private
+
+        def poll_message
+          @_poll_message ||= Contrast::Agent::Reporting::Poll.new
+        end
+
+        # Those events which should be sent periodically, rather than on event or request.
+        #
+        # @return [Array<Contrast::Agent::Reporting::ReportingEvent>]
+        def polling_events
+          [Contrast::Agent::Inventory::DependencyUsageAnalysis.instance.generate_library_usage, poll_message].compact
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/reporting_workers/reporting_workers.rb

@@ -0,0 +1,14 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    # This module will include all the worker that we have, which are not part of the regular thread reporters
+    module ReportingWorkers
+    end
+  end
+end
+
+require 'contrast/agent/reporting/reporting_workers/reporter_heartbeat'
+require 'contrast/agent/reporting/reporting_workers/server_settings_worker'
+require 'contrast/agent/reporting/reporting_workers/application_server_worker'

data/lib/contrast/agent/reporting/reporting_workers/server_settings_worker.rb

@@ -0,0 +1,46 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/worker_thread'
+require 'contrast/agent/reporting/report'
+
+module Contrast
+  module Agent
+    module ReportingWorkers
+      # The ServerSettingsWorker will send request on interval, to make sure the Agent gets the settings it
+      # need to operate, from TS. This Thead should be started after the AgentStartup is complete.
+      class ServerSettingsWorker < WorkerThread
+        RESEND_INTERVAL_MS = 60_000.cs__freeze
+
+        def start_thread!
+          return if running?
+
+          @_thread = Contrast::Agent::Thread.new do
+            logger.info('[ServerSettingsWorker] Starting thread.', sending_interval: server_settings_resend_ms)
+            loop do
+              logger.info('[ServerSettingsWorker] Fetching Settings', sending_interval: server_settings_resend_ms)
+              Contrast::Agent.reporter&.send_event(settings_message)
+              sleep(server_settings_resend_ms / 1000)
+            end
+          end
+        end
+
+        private
+
+        # Polling messages for this thread. Including Server settings:
+        #
+        # @return [Contrast::Agent::Reporting::ReportingEvent]
+        def settings_message
+          @_settings_message ||= Contrast::Agent::Reporting::ServerSettings.new
+        end
+
+        # Get the value from settings or use the default one.
+        #
+        # @return resend_ms [Integer] time to resend the message
+        def server_settings_resend_ms
+          @_server_settings_resend_ms ||= Contrast::AGENT.polling.server_settings_ms&.to_i || RESEND_INTERVAL_MS
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/settings/assess.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/utils/object_share'
+require 'contrast/agent/reporting/settings/assess_rule'
 
 module Contrast
   module Agent
@@ -14,7 +15,13 @@ module Contrast
           #
           # @return disabled_rules [Array<String>] Array with string rule_ids
           def disabled_rules
-            @_disabled_rules ||= []
+            @_disabled_rules ||= begin
+              disabled = []
+              rule_settings.each_pair do |rule_id, rules_setting|
+                disabled << rule_id unless rules_setting.enable
+              end
+              disabled
+            end
           end
 
           # @param disabled_rules [Array] with AssessRuleID strings
@@ -23,6 +30,12 @@ module Contrast
             @_disabled_rules = disabled_rules if disabled_rules.is_a?(Array)
           end
 
+          # @return [Hash<String,Contrast::Agent::Reporting::Settings::AssessRule>] map of rule, by id, to
+          #   configuration
+          def rule_settings
+            @_rule_settings ||= {}
+          end
+
           # The id of a session on TeamServer under which this session of this application should report
           # Overrides that set by application.session_id (should match if provided).
           #

data/lib/contrast/agent/reporting/settings/assess_rule.rb

@@ -0,0 +1,18 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+
+module Contrast
+  module Agent
+    module Reporting
+      module Settings
+        # Settings for each assess rule
+        class AssessRule
+          # @return [Boolean] is the rule enabled or not
+          attr_accessor :enable
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/settings/helpers.rb

@@ -51,9 +51,11 @@ module Contrast
 
             # rule_id => rule-id
             #
-            # @param id [String]
+            # @param id [String, Symbol]
             def to_rule_id id
-              id.to_s.tr('_', '-')
+              return Contrast::Utils::ObjectShare::EMPTY_STRING unless id.cs__is_a?(String) || id.cs__is_a?(Symbol)
+
+              id.to_s.downcase.tr('_', '-')
             end
           end
         end

data/lib/contrast/agent/reporting/settings/protect.rb

@@ -2,6 +2,8 @@
 # frozen_string_literal: true
 
 require 'contrast/utils/object_share'
+require 'contrast/agent/reporting/settings/protect_rule'
+require 'contrast/agent/reporting/settings/virtual_patch'
 
 module Contrast
   module Agent
@@ -10,8 +12,8 @@ module Contrast
       module Settings
         # Application level settings for the Protect featureset
         class Protect
-          # block at perimeter needs to be check against the blockAtEntry boolean value
-          PROTECT_RULES_MODE = %w[OFF MONITORING BLOCKING].cs__freeze
+          # modes set by NG endpoints; block at perimeter needs to be check against the blockAtEntry boolean value
+          NG_PROTECT_RULES_MODE = %w[OFF MONITORING BLOCKING].cs__freeze
           # The settings for each protect rule for this application
           #
           # @return protection_rules [Array<protectRule>] protectRule: {
@@ -22,6 +24,12 @@ module Contrast
             @_protection_rules ||= []
           end
 
+          # @return [Hash<String,Contrast::Agent::Reporting::Settings::ProtectRule>] map of rule, by id, to
+          #   configuration
+          def rule_settings
+            @_rule_settings ||= {}
+          end
+
           # Set the protection_rules array
           #
           # @param protection_rules [Array<protectRule>] protectRule: {
@@ -38,13 +46,7 @@ module Contrast
 
           # The virtual patches to apply for this application
           #
-          # @return virtual_patches [Array<VirtualPatch>] Array of VirtualPatch: {
-          #   name       [String] The name of the Virtual Patch
-          #   headers    [Array] The headers that must be present in the request to result in the request being blocked
-          #   parameters [Array] The parameters that must be present in the request
-          #                       to result in the request being blocked.
-          #   urls       [Array] The urls that must be present in the request to result in the request being blocked.
-          #   uuids      [String] The UUID of the Virtual Patch }
+          # @return [Array<Contrast::Agent::Reporting::Settings::VirtualPatch>]
           def virtual_patches
             @_virtual_patches ||= []
           end
@@ -78,11 +80,11 @@ module Contrast
             modes_by_id = {}
             protection_rules.each do |rule|
               setting_mode = rule[:mode] || rule['mode']
-              api_mode = if PROTECT_RULES_MODE.include?(setting_mode)
+              api_mode = if NG_PROTECT_RULES_MODE.include?(setting_mode)
                            case setting_mode
-                           when PROTECT_RULES_MODE[1]
+                           when NG_PROTECT_RULES_MODE[1]
                              :MONITOR
-                           when PROTECT_RULES_MODE[2]
+                           when NG_PROTECT_RULES_MODE[2]
                              if rule[:blockAtEntry] || rule['blockAtEntry']
                                :BLOCK_AT_PERIMETER
                              else
@@ -92,8 +94,11 @@ module Contrast
                              :NO_ACTION
                            end
                          else
+                           # modes set by newer settings endpoints are of [OFF MONITOR BLOCK BLOCK_AT_PERIMETER] and
+                           # can just be cast to symbols
                            setting_mode.to_sym
                          end
+
               id = rule[:id] || rule['id']
               modes_by_id[id] = api_mode
             end

data/lib/contrast/agent/reporting/settings/protect_rule.rb

@@ -0,0 +1,18 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+
+module Contrast
+  module Agent
+    module Reporting
+      module Settings
+        # Settings for each protect rule
+        class ProtectRule
+          # @return [Symbol] the configured mode of the rule; OFF, MONITOR, BLOCK
+          attr_accessor :mode
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/settings/protect_server_feature.rb

@@ -161,7 +161,7 @@ module Contrast
           #                    value          [String] }
           # }
           # @return rule_definition_list [Array<Contrast::Agent::Reporting::Settings::RuleDefinition>]
-          def rule_definition_list= list
+          def ng_rule_definition_list list
             Contrast::Agent::Reporting::Settings::Helpers.array_to_iv(
                 Contrast::Agent::Reporting::Settings::RuleDefinition,
                 rule_definition_list,

data/lib/contrast/agent/reporting/settings/sensitive_data_masking.rb

@@ -63,7 +63,7 @@ module Contrast
 
           # Build rules from hash
           #
-          # @param settings_rules [Hash] Response settings under Settings/sensitive_data_masking_policy/rules
+          # @param settings_rules [Array<Hash>] Response settings under Settings/sensitive_data_masking_policy/rules
           # @return rules [Array<Contrast::Agent::Reporting::Settings::SensitiveDataMaskingRule>, nil
           def build_rules_form_settings settings_rules
             return if settings_rules.nil? || settings_rules.empty?

data/lib/contrast/agent/reporting/settings/virtual_patch.rb

@@ -0,0 +1,56 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+require 'contrast/agent/reporting/settings/virtual_patch_condition'
+
+module Contrast
+  module Agent
+    module Reporting
+      module Settings
+        # The settings for each virtual patch in the agent.
+        class VirtualPatch
+          # @return [String]
+          attr_reader :name
+          # @return [String]
+          attr_reader :key
+          # @return [String]
+          attr_reader :uuid
+
+          def initialize hash
+            @name = hash[:name]
+            @key = hash[:key]
+            @uuid = hash[:uuid]
+
+            hash[:headers]&.each do |header_json|
+              headers << Contrast::Agent::Reporting::Settings::VirtualPatchCondition.new(header_json)
+            end
+
+            hash[:parameters]&.each do |header_json|
+              parameters << Contrast::Agent::Reporting::Settings::VirtualPatchCondition.new(header_json)
+            end
+
+            hash[:urls]&.each do |header_json|
+              urls << Contrast::Agent::Reporting::Settings::VirtualPatchCondition.new(header_json)
+            end
+          end
+
+          # @return [Array<Contrast::Agent::Reporting::Settings::VirtualPatchCondition>]
+          def headers
+            @_headers ||= []
+          end
+
+          # @return [Array<Contrast::Agent::Reporting::Settings::VirtualPatchCondition>]
+          def parameters
+            @_parameters ||= []
+          end
+
+          # @return [Array<Contrast::Agent::Reporting::Settings::VirtualPatchCondition>]
+          def urls
+            @_urls ||= []
+          end
+        end
+      end
+    end
+  end
+end