contrast-agent 6.9.0 → 6.11.0

data/lib/contrast/agent/reporting/reporting_events/application_defend_attacker_activity.rb

@@ -11,6 +11,7 @@ module Contrast
       # This is the new AttackerActivity class which will includes the attacker information discovered during this
       # activity period.
       class ApplicationDefendAttackerActivity
+        include Contrast::Components::Logger::InstanceMethods
         # @return [Hash<String,Contrast::Agent::Reporting::ApplicationDefendAttackActivity>] map of rule-id to violated
         #   samples for that rule
         attr_accessor :protection_rules
@@ -32,8 +33,11 @@ module Contrast
         end
 
         def to_controlled_hash
+          processed_rules = process_protection_rules
+          validate(processed_rules)
+
           {
-              protectionRules: process_protection_rules,
+              protectionRules: processed_rules,
               source: {
                   ip: source_ip,
                   xForwardedFor: source_forwarded_for
@@ -41,6 +45,11 @@ module Contrast
           }
         end
 
+        def validate processed_rules
+          raise(ArgumentError, 'Protection Rules are not presented') if processed_rules.empty?
+          raise(ArgumentError, 'Source is not presented') unless source_ip
+        end
+
         # @param attack_result [Contrast::Agent::Reporting::AttackResult]
         def attach_data attack_result
           @protection_rules[attack_result.rule_id] = Contrast::Agent::Reporting::ApplicationDefendAttackActivity.new.

data/lib/contrast/agent/reporting/reporting_events/application_inventory.rb

@@ -22,7 +22,7 @@ module Contrast
           @event_method = :POST
           @event_endpoint = Contrast::Agent::Reporting::Endpoints.application_inventory
           # The API spec limits us to 500 routes, so we'll enforce that here to not hold on to superfulous data.
-          @routes = Contrast::Agent.framework_manager.find_route_discovery_data.take(500)
+          @routes = Contrast::Agent.framework_manager.find_route_discovery_data&.take(500)
           super
         end
 
@@ -33,6 +33,7 @@ module Contrast
         def to_controlled_hash
           {
               session_id: ::Contrast::ASSESS.session_id,
+              # documentation lists routes as deprecated from the agent_ng_endpoints.yml
               routes: routes.map(&:to_controlled_hash)
           }
         end

data/lib/contrast/agent/reporting/reporting_events/application_reporting_event.rb

@@ -17,10 +17,20 @@ module Contrast
         # The timestamp field is a bit of a misnomer. It's really the time, in ms, since the settings for this
         # application have been updated. If I've never updated, then it's been 0ms since then.
         #
+        #
         # @return [Integer]
         def since_last_update
           (update_time = Contrast::SETTINGS.last_app_update_ms) ? Contrast::Utils::Timer.now_ms - update_time : 0
         end
+
+        # Human readable last time update for header set. Set to 0 if the agent is just starting and have not received
+        # the latest header from TS.
+        #
+        #
+        # @return [String]
+        def since_last_update_httpdate
+          Contrast::SETTINGS.app_settings_last_httpdate || Contrast::Utils::Timer.ms_to_httpdate(0)
+        end
       end
     end
   end

data/lib/contrast/agent/reporting/reporting_events/application_settings.rb

@@ -0,0 +1,40 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/reporting/reporting_events/application_reporting_event'
+require 'contrast/agent/reporting/reporting_utilities/endpoints'
+require 'contrast/utils/timer'
+
+module Contrast
+  module Agent
+    module Reporting
+      # This class will initialize a GET request to be send to TS. The application settings endpoint is the way
+      # the Agent receives application sittings
+      class ApplicationSettings < Contrast::Agent::Reporting::ApplicationReportingEvent
+        def initialize
+          @event_method = :GET
+          @event_endpoint = Contrast::Agent::Reporting::Endpoints.application_settings
+          super
+        end
+
+        def file_name
+          'application-settings'
+        end
+
+        # Attach the last server settings received timestamp to the request as it is required.
+        #
+        # If-Modified-Since: <day-name>, <day> <month> <year> <hour>:<minute>:<second> GMT
+        # @param request [Net::HTTPRequest]
+        def attach_headers request
+          request['If-Modified-Since'] = since_last_update_httpdate
+        end
+
+        # @return [Hash]
+        # @raise [ArgumentError]
+        def to_controlled_hash
+          {}
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/reporting_events/discovered_route.rb

@@ -5,6 +5,7 @@ require 'json'
 require 'contrast/components/logger'
 require 'contrast/agent/reporting/reporting_events/reporting_event'
 require 'contrast/utils/object_share'
+require 'contrast/utils/duck_utils'
 
 module Contrast
   module Agent
@@ -16,9 +17,9 @@ module Contrast
       # includes the literal URL and HTTP Verb used to invoke them, as they must have been called at this point to be
       # recorded.
       class DiscoveredRoute < Contrast::Agent::Reporting::ObservedRoute
-        include Contrast::Components::Logger::InstanceMethods
-
         class << self
+          include Contrast::Components::Logger::InstanceMethods
+
           # @param obj [Regexp, Object]
           # @return [String]
           def source_or_string obj
@@ -100,9 +101,7 @@ module Contrast
         def initialize
           super
           @event_type = :discovered_route
-          @signature = Contrast::Utils::ObjectShare::EMPTY_STRING
           @verb = Contrast::Utils::ObjectShare::EMPTY_STRING
-          @url = Contrast::Utils::ObjectShare::EMPTY_STRING
         end
 
         def to_controlled_hash
@@ -116,7 +115,12 @@ module Contrast
         end
 
         def validate
-          raise(ArgumentError, "#{ self } did not have a proper signature. Unable to continue.") unless signature
+          if Contrast::Utils::DuckUtils.empty_duck?(signature)
+            raise(ArgumentError, "#{ self } did not have a proper signature. Unable to continue.")
+          end
+          if Contrast::Utils::DuckUtils.empty_duck?(url)
+            raise(ArgumentError, "#{ self } did not have a proper url. Unable to continue.")
+          end
 
           nil
         end

data/lib/contrast/agent/reporting/reporting_events/observed_route.rb

@@ -6,6 +6,7 @@ require 'json'
 require 'contrast/components/logger'
 require 'contrast/agent/reporting/reporting_events/application_reporting_event'
 require 'contrast/utils/object_share'
+require 'contrast/utils/duck_utils'
 
 module Contrast
   module Agent
@@ -32,9 +33,7 @@ module Contrast
         def initialize
           @event_endpoint = Contrast::Agent::Reporting::Endpoints.observed_route
           @sources = []
-          @signature = Contrast::Utils::ObjectShare::EMPTY_STRING
           @verb = Contrast::Utils::ObjectShare::EMPTY_STRING
-          @url = Contrast::Utils::ObjectShare::EMPTY_STRING
           super()
         end
 
@@ -69,7 +68,7 @@ module Contrast
         # @return [String]
         #
         def hash_id
-          hashable_data = to_controlled_hash.except(:session_id)
+          hashable_data = to_controlled_hash.reject { |key, _value| key == :session_id } # rubocop:disable Style/HashExcept
           hashable_data[:sources] = hashable_data[:sources].sort_by { |s| s[:name] }
 
           Digest::SHA2.new(256).hexdigest(hashable_data.to_s)
@@ -78,8 +77,12 @@ module Contrast
         # @raise [ArgumentError]
         def validate
           raise(ArgumentError, "#{ self } did not have a proper sources. Unable to continue.") if @sources.nil?
-          raise(ArgumentError, "#{ self } did not have a proper signature. Unable to continue.") unless signature
-          raise(ArgumentError, "#{ self } did not have a proper url. Unable to continue.") unless url
+          if Contrast::Utils::DuckUtils.empty_duck?(signature)
+            raise(ArgumentError, "#{ self } did not have a proper signature. Unable to continue.")
+          end
+          if Contrast::Utils::DuckUtils.empty_duck?(url)
+            raise(ArgumentError, "#{ self } did not have a proper url. Unable to continue.")
+          end
 
           nil
         end

data/lib/contrast/agent/reporting/reporting_utilities/endpoints.rb

@@ -89,7 +89,7 @@ module Contrast
           #
           # @return [String]
           def application_endpoint
-            @_application_endpoint ||= "#{ Contrast::API.api_url }/agents#{ ENDPOINT_VERSION }/applications"\
+            @_application_endpoint ||= "#{ Contrast::API.api_url }/agents#{ ENDPOINT_VERSION }/applications" \
                                        "#{ server_path_segment }#{ application_path_segment }"
           end
 
@@ -97,7 +97,7 @@ module Contrast
           #
           # @return [String]
           def route_endpoint
-            @_route_endpoint ||= "#{ Contrast::API.api_url }/agents#{ ENDPOINT_VERSION }/routes"\
+            @_route_endpoint ||= "#{ Contrast::API.api_url }/agents#{ ENDPOINT_VERSION }/routes" \
                                  "#{ server_path_segment }#{ application_path_segment }"
           end
 
@@ -105,7 +105,7 @@ module Contrast
           #
           # @return [String]
           def server_endpoint
-            @_server_endpoint ||= "#{ Contrast::API.api_url }/agents#{ ENDPOINT_VERSION }/servers"\
+            @_server_endpoint ||= "#{ Contrast::API.api_url }/agents#{ ENDPOINT_VERSION }/servers" \
                                   "#{ server_path_segment }"
           end
 
@@ -113,7 +113,7 @@ module Contrast
           #
           # @return [String]
           def trace_endpoint
-            @_trace_endpoint ||= "#{ Contrast::API.api_url }/agents#{ ENDPOINT_VERSION }/traces"\
+            @_trace_endpoint ||= "#{ Contrast::API.api_url }/agents#{ ENDPOINT_VERSION }/traces" \
                                  "#{ server_path_segment }#{ application_path_segment }"
           end
 
@@ -121,8 +121,8 @@ module Contrast
           #
           # @return [String]
           def server_path_segment
-            @_server_path_segment ||= "/#{ Base64.urlsafe_encode64(server_host_name, padding: false) }"\
-                                      "/#{ Base64.urlsafe_encode64(server_path, padding: false) }"\
+            @_server_path_segment ||= "/#{ Base64.urlsafe_encode64(server_host_name, padding: false) }" \
+                                      "/#{ Base64.urlsafe_encode64(server_path, padding: false) }" \
                                       "/#{ Base64.urlsafe_encode64(server_type, padding: false) }"
           end
 
@@ -130,7 +130,7 @@ module Contrast
           #
           # @return [String]
           def application_path_segment
-            @_application_path_segment ||= "/#{ Base64.urlsafe_encode64(APP_LANGUAGE, padding: false) }"\
+            @_application_path_segment ||= "/#{ Base64.urlsafe_encode64(APP_LANGUAGE, padding: false) }" \
                                            "/#{ Base64.urlsafe_encode64(app_name, padding: false) }"
           end
 

data/lib/contrast/agent/reporting/reporting_utilities/ng_response_extractor.rb

@@ -0,0 +1,137 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Reporting
+      # This module will hold the methods for TS response conversion to settings objects. It is used for those
+      # endpoints which have NG in their prefix.
+      module NgResponseExtractor
+        private
+
+        # @param response_data [Hash]
+        # @param res [Contrast::Agent::Reporting::Response]
+        def ng_extract_assess response_data, res
+          assessments = response_data[:settings][:assessment]
+          return unless assessments
+
+          res.application_settings.assess.session_id = assessments[:session_id]
+          disabled = assessments[:disabledRules]
+          return unless disabled
+
+          disabled.each do |rule_id|
+            rule_setting = Contrast::Agent::Reporting::Settings::AssessRule.new.tap { |setting| setting.enable = false }
+            res.application_settings.assess.rule_settings[rule_id] = rule_setting
+          end
+        end
+
+        # @param response_data [Hash]
+        # @param res [Contrast::Agent::Reporting::Response]
+        def ng_extract_protect response_data, res
+          protect = response_data[:settings][:defend]
+          return unless protect
+
+          res.application_settings.protect.protection_rules = protect[:protectionRules]
+          protect[:virtualPatches]&.each do |patch_json|
+            res.application_settings.protect.virtual_patches <<
+                Contrast::Agent::Reporting::Settings::VirtualPatch.new(patch_json)
+          end
+        end
+
+        # @param response_data [Hash]
+        # @param res [Contrast::Agent::Reporting::Response]
+        def ng_extract_exclusions response_data, res
+          exclusions = response_data[:settings][:exceptions]
+          return unless exclusions
+
+          res.application_settings.exclusions.code_exclusions = exclusions[:codeExceptions]
+          res.application_settings.exclusions.input_exclusions = exclusions[:inputExceptions]
+          res.application_settings.exclusions.url_exclusions = exclusions[:urlExceptions]
+        end
+
+        # The responses we receive for feature and settings from TS have different
+        # place to store these reactions: body.reactions vs body.settings.reactions.
+        #
+        # @param response_data [Hash]
+        # @param res [Contrast::Agent::Reporting::Response]
+        def ng_extract_reactions response_data, res
+          res.reactions = response_data[:settings][:reactions] if response_data[:settings]
+          res.reactions = response_data[:reactions] if response_data[:features]
+        end
+
+        # This method is universal and used for both ng endpoint of feature settings and the new
+        # Server settings endpoint. Used in both build_feature_settings and build_server_settings.
+        # Passing the ng_ flag determines the use of the endpoint and response used because some of
+        # the response fields are with different names or do not exist: [enabled vs enable]
+        #
+        # @param response_data [Hash]
+        # @param res [Contrast::Agent::Reporting::Response]
+        def ng_extract_assess_features response_data, res
+          assess = response_data[:features][:assessment]
+          return unless assess
+
+          res.server_features.assess.enabled = assess[:enabled]
+          res.server_features.assess.sampling = assess[:sampling]
+          res.server_features.assess.sanitizers = assess[:sanitizers]
+          res.server_features.assess.validators = assess[:validators]
+        end
+
+        # @param response_data [Hash]
+        # @param res [Contrast::Agent::Reporting::Response]
+        def ng_extract_protect_features response_data, res
+          protect = response_data[:features][:defend]
+          return unless protect
+
+          res.server_features.protect.enabled = protect[:enabled]
+          res.server_features.protect.bot_blocker.enable = protect[:'bot-blocker']
+          res.server_features.protect.bot_blocker.bots = protect[:botBlockers]
+          ng_extract_syslog(response_data, res)
+        end
+
+        # @param response_data [Hash]
+        # @param res [Contrast::Agent::Reporting::Response]
+        def ng_extract_syslog response_data, res
+          return unless (syslog = response_data[:features][:defend][:syslog])
+
+          res.server_features.protect.syslog.assign_array(syslog, ng_: true)
+        end
+
+        # @param response_data [Hash]
+        # @param res [Contrast::Agent::Reporting::Response]
+        def ng_extract_protect_lists response_data, res
+          protect = response_data[:features][:defend]
+          return unless protect
+
+          res.server_features.protect.ip_allowlist = protect[:ipAllowlist]
+          res.server_features.protect.ip_denylist = protect[:ipDenylist]
+          res.server_features.protect.log_enhancers = protect[:logEnhancers]
+          res.server_features.protect.ng_rule_definition_list(protect[:ruleDefinitionList])
+        end
+
+        # Here we extract the rules and state for the sensitive data masking policy
+        # received from TS.
+        #
+        # @param response_data [Hash]
+        # @param res [Contrast::Agent::Reporting::Response]
+        def ng_extract_sensitive_data_policy response_data, res
+          return unless (sensitive_data = response_data[:settings][:sensitive_data_masking_policy])
+
+          res.application_settings.sensitive_data_masking.mask_http_body = sensitive_data[:mask_http_body]
+          res.application_settings.sensitive_data_masking.mask_attack_vector = sensitive_data[:mask_attack_vector]
+          res.application_settings.sensitive_data_masking.build_rules_form_settings(sensitive_data[:rules])
+        end
+
+        # Here we extract the log settings received from TS.
+        #
+        # @param response_data [Hash]
+        # @param res [Contrast::Agent::Reporting::Response]
+        def ng_extract_log_settings response_data, res
+          return unless (log_level = response_data[:logLevel])
+
+          res.server_features.log_level = log_level
+          res.server_features.log_file = response_data[:logFile] if response_data[:logFile]
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb

@@ -11,6 +11,7 @@ require 'contrast/agent/reporting/reporting_utilities/reporter_client_utils'
 require 'contrast/agent/reporting/reporting_utilities/endpoints'
 require 'contrast/agent/reporting/reporting_utilities/headers'
 require 'contrast/agent/reporting/reporting_events/server_settings'
+require 'contrast/agent/reporting/reporting_events/application_settings'
 require 'contrast/config/diagnostics'
 
 module Contrast
@@ -25,8 +26,17 @@ module Contrast
         include Contrast::Agent::Reporting::ReporterClientUtils
         include Contrast::Agent::Reporting::ResponseHandlerUtils
         include Contrast::Components::Logger::InstanceMethods
+
+        # @return [Array<Class>] events that may result in configuration changes
+        RECORDABLE_EVENTS = [
+          Contrast::Agent::Reporting::ServerSettings,
+          Contrast::Agent::Reporting::ApplicationSettings,
+          Contrast::Agent::Reporting::AgentStartup,
+          Contrast::Agent::Reporting::ApplicationStartup
+        ].cs__freeze
         SERVICE_NAME = 'Reporter'
         REPORT_CONFIG_WHEN = %w[200 304].cs__freeze
+
         def initialize
           @headers = Contrast::Agent::Reporting::Headers.new
           super()
@@ -60,7 +70,7 @@ module Contrast
         def send_event event, connection
           return unless connection
 
-          logger.debug('Preparing to send reporting event', event_class: event.cs__class)
+          logger.debug('[Reporter] Preparing to send reporting event', event_class: event.cs__class)
 
           request = build_request(event)
           response = connection.request(request)
@@ -97,9 +107,7 @@ module Contrast
         def record_configuration response, event
           return unless response
           return unless REPORT_CONFIG_WHEN.include?(response_handler.last_response_code)
-          return unless event&.cs__class == Contrast::Agent::Reporting::ServerSettings ||
-              event&.cs__class == Contrast::Agent::Reporting::AgentStartup ||
-              event&.cs__class == Contrast::Agent::Reporting::ApplicationStartup
+          return unless RECORDABLE_EVENTS.include?(event&.cs__class)
 
           logger.info('[Reporter Diagnostics] last response code:', response_code: response_handler.last_response_code)
           diagnostics.write_to_file