contrast-agent 7.3.1 → 7.4.0

data/lib/contrast/agent/reporting/reporting_events/finding_request.rb

@@ -31,7 +31,7 @@ module Contrast
         attr_reader :uri
         # @return [String] the HTTP version of this request
         attr_reader :version
-        # @return [Integer]
+        # @return [String]
         attr_reader :ip
         # @return [String] Byte representation of the body
         attr_accessor :body_binary
@@ -40,7 +40,7 @@ module Contrast
 
         class << self
           # @param request [Contrast::Agent::Request]
-          # @return [Contrast::Agent::Reporting::FindingRequest]
+          # @return [Contrast::Agent::Reporting::FindingRequest, nil]
           def convert request
             return unless request
 
@@ -108,6 +108,8 @@ module Contrast
             raise(ArgumentError, "#{ self } did not have a proper method. Unable to continue.")
           end
           raise(ArgumentError, "#{ self } did not have a proper uri. Unable to continue.") unless uri && !uri.empty?
+
+          nil
         end
 
         # @param request [Contrast::Agent::Request]

data/lib/contrast/agent/reporting/reporting_events/observed_library_usage.rb

@@ -30,6 +30,8 @@ module Contrast
 
         def validate
           raise(ArgumentError, "#{ self } did not have observations. Unable to continue.") if observations.empty?
+
+          nil
         end
       end
     end

data/lib/contrast/agent/reporting/reporting_events/preflight_message.rb

@@ -38,14 +38,15 @@ module Contrast
         def to_controlled_hash
           validate
           {
+              appLanguage: Contrast::Utils::ObjectShare::RUBY,
+              appName: ::Contrast::APP_CONTEXT.name, # rubocop:disable Security/Module/Name
+              appPath: ::Contrast::APP_CONTEXT.name, # rubocop:disable Security/Module/Name
+              appVersion: ::Contrast::APP_CONTEXT.version,
               code: CODE,
-              app_language: Contrast::Utils::ObjectShare::RUBY,
-              app_name: ::Contrast::APP_CONTEXT.name, # rubocop:disable Security/Module/Name
-              app_version: ::Contrast::APP_CONTEXT.version,
               data: '',
               key: 0,
-              routes: @routes.map(&:to_controlled_hash),
-              session_id: ::Contrast::ASSESS.session_id
+              session_id: ::Contrast::ASSESS.session_id,
+              routes: @routes.map(&:to_controlled_hash)
           }
         end
 
@@ -57,6 +58,9 @@ module Contrast
           unless ::Contrast::ASSESS.session_id
             raise(ArgumentError, "#{ cs__class } did not have a proper session id. Unable to continue.")
           end
+          unless Contrast::APP_CONTEXT.name # rubocop:disable Security/Module/Name
+            raise(ArgumentError, "#{ cs__class } did not have a proper Application Name. Unable to continue.")
+          end
 
           nil
         end

data/lib/contrast/agent/reporting/reporting_events/reportable_hash.rb

@@ -28,12 +28,31 @@ module Contrast
         #
         #  @return [String, nil] - JSON
         def event_json
-          hsh = to_controlled_hash
-          hsh.to_json
-        rescue ArgumentError => e
-          # Log the error and raise it for the client to handle:
-          logger.error(validation_error_message, e)
-          raise(e)
+          return unless valid?
+
+          to_controlled_hash.to_json
+        end
+
+        # Check before building the json if the event is valid.
+        # This will also log the error if the event is invalid.
+        # This will save some object creation in the reporter
+        # in the case of an invalid event, and will stop the
+        # reporting of the event.
+        #
+        # @return [Boolean]
+        # @raise [ArgumentError]
+        def valid?
+          @_valid ||= begin
+            validate
+            # Some deeply nested validations only happens on
+            # the to_controlled_hash method, so we need to
+            # invoke it.
+            to_controlled_hash
+            true
+          rescue ArgumentError => e
+            handle_validation_error(e)
+            false
+          end
         end
 
         private
@@ -41,6 +60,11 @@ module Contrast
         def validation_error_message
           "#{ cs__class } failed validation with: "
         end
+
+        # @param error [ArgumentError]
+        def handle_validation_error error
+          logger.error(validation_error_message, error)
+        end
       end
     end
   end

data/lib/contrast/agent/reporting/reporting_utilities/ng_response_extractor.rb

@@ -126,10 +126,23 @@ module Contrast
         # @param response_data [Hash]
         # @param res [Contrast::Agent::Reporting::Response]
         def ng_extract_log_settings response_data, res
-          return unless (log_level = response_data[:logLevel])
+          # agent_startup event defines the log level under features.
+          log_level = if response_data[:features]
+                        response_data[:features][:logLevel]
+                      else
+                        response_data[:logLevel]
+                      end
+          return unless log_level
 
           res.server_features.log_level = log_level
-          res.server_features.log_file = response_data[:logFile] if response_data[:logFile]
+          log_file = if response_data[:features]
+                       response_data[:features][:logFile]
+                     else
+                       response_data[:logFile]
+                     end
+          return unless log_file
+
+          res.server_features.log_file = log_file
         end
       end
     end

data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb

@@ -72,8 +72,8 @@ module Contrast
         # @return response [Net::HTTP::Response, nil] response from TS if no response
         def send_event event, connection
           return unless connection
+          return unless event.valid?
 
-          response = nil
           logger.debug('[Reporter] Preparing to send reporting event', event_class: event.cs__class)
           request = build_request(event)
           response = connection.request(request)

data/lib/contrast/agent/reporting/reporting_utilities/resend.rb

@@ -12,7 +12,7 @@ module Contrast
         RESCUE_ATTEMPTS = 3
         TIMEOUT = 5
         RETRY_ERRORS = [
-          Net::OpenTimeout, Net::ReadTimeout, ArgumentError, EOFError, OpenSSL::SSL::SSLError, Resolv::ResolvError,
+          Net::OpenTimeout, Net::ReadTimeout, EOFError, OpenSSL::SSL::SSLError, Resolv::ResolvError,
           Errno::ECONNRESET, Errno::ECONNREFUSED, Errno::ETIMEDOUT, Errno::ESHUTDOWN, Errno::EHOSTDOWN, NameError,
           Errno::EHOSTUNREACH, Errno::EISCONN, Errno::ECONNABORTED, Errno::ENETRESET, Errno::ENETUNREACH, SocketError,
           NameError, NoMethodError, Timeout::Error, RuntimeError

data/lib/contrast/agent/reporting/reporting_utilities/response.rb

@@ -87,8 +87,6 @@ module Contrast
               messages: messages,
               features: server_features.nil? ? nil : server_features.to_controlled_hash,
               settings: application_settings.nil? ? nil : application_settings.to_controlled_hash,
-              logLevel: server_features&.log_level,
-              logFile: server_features&.log_file,
               reactions: server_features.nil? ? nil : reactions.map(&:to_controlled_hash)
           }.compact
         end

data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb

@@ -232,11 +232,10 @@ module Contrast
           return unless ::Contrast::AGENT.enabled?
 
           logger.trace_with_time('Rebuilding rule modes from TeamServer') do
-            ::Contrast::SETTINGS.build_protect_rules if ::Contrast::PROTECT.enabled?
-            ::Contrast::AGENT.reset_ruleset
-            logger.info('Current rule settings:')
-            ::Contrast::PROTECT.defend_rules.each { |k, v| logger.info('Protect Rule mode set', rule: k, mode: v.mode) }
-            logger.info('Disabled Assess Rules', rules: ::Contrast::ASSESS.disabled_rules)
+            ::Contrast::PROTECT.state.update if ::Contrast::PROTECT.enabled?
+            if ::Contrast::ASSESS.enabled?
+              logger.info('Disabled Assess Rules', rules: ::Contrast::ASSESS.disabled_rules)
+            end
           end
         end
 

data/lib/contrast/agent/reporting/settings/protect.rb

@@ -14,6 +14,13 @@ module Contrast
         class Protect
           # modes set by NG endpoints; block at perimeter needs to be check against the blockAtEntry boolean value
           NG_PROTECT_RULES_MODE = %w[OFF MONITORING BLOCKING].cs__freeze
+          ACTIVE_PROTECT_RULES_LIST = %w[
+            bot-blocker cmd-injection cmd-injection-command-backdoors cmd-injection-semantic-chained-commands
+            cmd-injection-semantic-dangerous-paths untrusted-deserialization nosql-injection path-traversal
+            path-traversal-semantic-file-security-bypass sql-injection sql-injection-semantic-dangerous-functions
+            unsafe-file-upload reflected-xss xxe
+          ].cs__freeze
+
           # The settings for each protect rule for this application
           #
           # @return protection_rules [Array<protectRule>] protectRule: {
@@ -80,30 +87,66 @@ module Contrast
             modes_by_id = {}
             protection_rules.each do |rule|
               setting_mode = rule[:mode] || rule['mode']
-              api_mode = if NG_PROTECT_RULES_MODE.include?(setting_mode)
-                           case setting_mode
-                           when NG_PROTECT_RULES_MODE[1]
-                             :MONITOR
-                           when NG_PROTECT_RULES_MODE[2]
-                             if rule[:blockAtEntry] || rule['blockAtEntry']
-                               :BLOCK_AT_PERIMETER
-                             else
-                               :BLOCK
-                             end
-                           else
-                             :NO_ACTION
-                           end
-                         else
-                           # modes set by newer settings endpoints are of [OFF MONITOR BLOCK BLOCK_AT_PERIMETER] and
-                           # can just be cast to symbols
-                           setting_mode.to_sym
-                         end
+              # BlockAtEnrtry is only available for the protection_rules Array.
+              # It is used in both ng and non ng payloads. If the array is empty
+              # this method will short circuit at the very first line and return
+              # empty hash. this means that the #rules_settings_to_settings_hash
+              # will be used next to extract the settings.
+              bap = rule[:blockAtEntry] || rule['blockAtEntry']
+              api_mode = assign_mode(setting_mode, block_at_entry: !!bap == bap)
 
               id = rule[:id] || rule['id']
               modes_by_id[id] = api_mode
             end
             modes_by_id
           end
+
+          # Converts settings into Agent Settings understandable hash {RULE_ID => MODE}
+          # Takes Hash<String, Contrast::Agent::Reporting::Settings::ProtectRule> and converts it
+          # to Hash<RULE_ID => MODE>
+          #
+          # @return rules [Hash<RULE_ID => MODE>, nil] Hash with rule_id as key and mode as value
+          def rules_settings_to_settings_hash
+            return {} if rule_settings.empty?
+
+            modes_by_id = {}
+            rule_settings.each do |rule_id, rule_mode|
+              next unless active_defend_rules.include?(rule_id.to_s)
+
+              modes_by_id[rule_id.to_s] = assign_mode(rule_mode.mode)
+            end
+            modes_by_id
+          end
+
+          # Returns list of actively used protection rules to be updated, or default list.
+          # This will be used to query the received settings for the ones used by the Agent.
+          def active_defend_rules
+            return ACTIVE_PROTECT_RULES_LIST unless defined?(Contrast::PROTECT)
+
+            current_rules = Contrast::PROTECT.defend_rules.keys
+            return current_rules unless current_rules.empty?
+
+            ACTIVE_PROTECT_RULES_LIST
+          end
+
+          private
+
+          # Assigns the received settings mode to be used as actual config.
+          # @param setting_mode []
+          def assign_mode setting_mode, block_at_entry: false
+            # modes set by newer settings endpoints are of [OFF MONITOR BLOCK BLOCK_AT_PERIMETER] and
+            # can just be cast to symbols
+            return setting_mode.to_sym unless NG_PROTECT_RULES_MODE.include?(setting_mode)
+
+            case setting_mode
+            when NG_PROTECT_RULES_MODE[1]
+              :MONITOR
+            when NG_PROTECT_RULES_MODE[2]
+              block_at_entry ? :BLOCK_AT_PERIMETER : :BLOCK
+            else
+              :NO_ACTION
+            end
+          end
         end
       end
     end

data/lib/contrast/agent/reporting/settings/sampling.rb

@@ -24,10 +24,11 @@ module Contrast
 
           def initialize hsh
             @baseline = hsh[:baseline]
-            @enabled = hsh[:enabled]
-            @request_frequency = hsh[:frequency]
-            @response_frequency = hsh[:responseFrequency]
-            @window_ms = hsh[:window]
+            # NG endpoints vs non-ng
+            @enabled = hsh[:enabled] || hsh[:enable]
+            @request_frequency = hsh[:frequency] || hsh[:request_frequency]
+            @response_frequency = hsh[:responseFrequency] || hsh[:response_frequency]
+            @window_ms = hsh[:window] || hsh[:window_ms]
           end
 
           def to_controlled_hash

data/lib/contrast/agent/reporting/settings/server_features.rb

@@ -85,6 +85,8 @@ module Contrast
                 security_logger: security_logger.settings_blank? ? nil : security_logger.to_controlled_hash,
                 assessment: @_assess ? assess.to_controlled_hash : {},
                 defend: @_protect ? protect.to_controlled_hash : {},
+                logLevel: log_level,
+                logFile: log_file,
                 telemetry: telemetry
             }.compact
           end

data/lib/contrast/agent/version.rb

@@ -3,6 +3,6 @@
 
 module Contrast
   module Agent
-    VERSION = '7.3.1'
+    VERSION = '7.4.0'
   end
 end

data/lib/contrast/components/agent.rb

@@ -26,6 +26,8 @@ module Contrast
         attr_reader :config_values
         # @return [Boolean]
         attr_accessor :enable
+        # @return [Boolean]
+        attr_accessor :omit_body
 
         CANON_NAME = 'agent'
         CONFIG_VALUES = %w[enabled? omit_body?].cs__freeze
@@ -95,16 +97,12 @@ module Contrast
           @_ruleset ||= Contrast::Agent::RuleSet.new(retrieve_protect_ruleset.values)
         end
 
-        def reset_ruleset
-          @_ruleset = nil
-        end
-
         def patch_yield?
           !false?(ruby.propagate_yield)
         end
 
         def omit_body?
-          @_omit_body
+          true?(@_omit_body)
         end
 
         def disable_agent!

data/lib/contrast/components/api.rb

@@ -129,7 +129,7 @@ module Contrast
         #
         # @param effective_config [Contrast::Config::Diagnostics::EffectiveConfig]
         def to_effective_config effective_config
-          add_effective_config_values(effective_config, CONFIG_VALUES, CANON_NAME, CONTRAST)
+          add_effective_config_values(effective_config, CONFIG_VALUES, CANON_NAME, CANON_NAME)
           effective_proxy(effective_config)
           request_audit&.to_effective_config(effective_config)
           certificate&.to_effective_config(effective_config)
@@ -139,10 +139,10 @@ module Contrast
 
         # @param effective_config [Contrast::Config::Diagnostics::EffectiveConfig]
         def effective_proxy effective_config
-          add_single_effective_value(effective_config, ENABLE, proxy_enable.to_s, PROXY_NAME, "#{ CONTRAST }.proxy")
+          add_single_effective_value(effective_config, ENABLE, proxy_enable.to_s, PROXY_NAME)
           return unless proxy_url && proxy_enable
 
-          add_single_effective_value(effective_config, 'url', proxy_url, PROXY_NAME, "#{ CONTRAST }.proxy")
+          add_single_effective_value(effective_config, 'url', proxy_url, PROXY_NAME)
         end
 
         def certification_truly_enabled? config_path

data/lib/contrast/components/assess_rules.rb

@@ -16,7 +16,6 @@ module Contrast
 
         SPEC_KEY = :disabled_rules.cs__freeze
         CANON_NAME = 'assess.rules'
-        NAME_PREFIX = "#{ CONTRAST }.#{ CANON_NAME }".cs__freeze
 
         # @return [Array, nil] list of disabled assess rules
         attr_accessor :disabled_rules
@@ -36,7 +35,7 @@ module Contrast
         #
         # @param effective_config [Contrast::Config::Diagnostics::EffectiveConfig]
         def to_effective_config effective_config
-          add_single_effective_value(effective_config, SPEC_KEY.to_s, disabled_rules, canon_name, NAME_PREFIX)
+          add_single_effective_value(effective_config, SPEC_KEY.to_s, disabled_rules || [], canon_name)
         end
 
         private

data/lib/contrast/components/base.rb

@@ -12,7 +12,6 @@ module Contrast
     module ComponentBase
       include Contrast::Config::Diagnostics::Tools
 
-      CONTRAST = 'contrast'
       ENABLE = 'enable'
 
       # Used for config diagnostics. Override per rule.
@@ -87,7 +86,7 @@ module Contrast
       #
       # @param effective_config [Contrast::Config::Diagnostics::EffectiveConfig]
       def to_effective_config effective_config
-        add_effective_config_values(effective_config, config_values, canon_name, "#{ CONTRAST }.#{ canon_name }")
+        add_effective_config_values(effective_config, config_values, canon_name)
       end
 
       # attempts to stringify the config value if it is an array with the join char

data/lib/contrast/components/config/sources.rb

@@ -11,6 +11,8 @@ module Contrast
       # This component encapsulates storing the source for each entry in the config,
       # so that we can report on where the value was set from.
       class Sources
+        # [ CORPORATE_RULE, COMMAND_LINE, JAVA_SYSTEM_PROPERTY, ENVIRONMENT_VARIABLE, APP_CONFIGURATION_FILE,
+        # USER_CONFIGURATION_FILE, CONTRAST_UI, DEFAULT_VALUE ]
         ENVIRONMENT_VARIABLE = 'ENVIRONMENT_VARIABLE'
         COMMAND_LINE = 'COMMAND_LINE'
         CONTRAST_UI = 'CONTRAST_UI'
@@ -57,6 +59,27 @@ module Contrast
           deep_select(data.dup, type, [])
         end
 
+        # @param path [String] the canonical name for the config entry (such as api.proxy.enable) or source
+        #   if the source(CONTRAST_UI, ENVIRONMENT_VARIABLE...) flag is set true.
+        # @param source [Boolean] flag to specify we are passing in a source, no need to look for it.
+        # @return [Boolean] true if the entry is from a YAML file
+        def configuration_file_source? path, source: false
+          s = source ? path : Contrast::CONFIG.sources.get(path)
+          return true if s.include?(APP_CONFIGURATION_EXTENSIONS[0]) || s.include?(APP_CONFIGURATION_EXTENSIONS[1])
+
+          false
+        end
+
+        # Check to see whether the source has been overridden by local settings.
+        # @param path [String] the canonical name for the config entry (such as api.proxy.enable)
+        def source_overridden? path
+          source = Contrast::CONFIG.sources.get(path)
+          return true if [ENVIRONMENT_VARIABLE, COMMAND_LINE].include?(source)
+          return true if configuration_file_source?(source, source: true)
+
+          false
+        end
+
         private
 
         # @param path [String] the canonical name for a config entry (such as api.proxy.enable)

data/lib/contrast/components/logger.rb

@@ -33,6 +33,8 @@ module Contrast
         include InstanceMethods
         include Contrast::Components::ComponentBase
 
+        DEFAULT_NAME = 'contrast.log'
+        DEFAULT_LEVEL = 'INFO'
         CANON_NAME = 'agent.logger'
         CONFIG_VALUES = %w[path level progname].cs__freeze
 
@@ -56,6 +58,23 @@ module Contrast
           @level = hsh[:level]
           @progname = hsh[:progname]
         end
+
+        def to_effective_config effective_config
+          path_setting = nil
+          level_setting = nil
+
+          if defined?(Contrast::SETTINGS)
+            path_setting = Contrast::SETTINGS.agent_state.logger_path
+            level_setting = Contrast::SETTINGS.agent_state.logger_level
+          end
+
+          path_setting ||= DEFAULT_NAME
+          level_setting ||= DEFAULT_LEVEL
+
+          add_single_effective_value(effective_config, config_values[0], path || path_setting, CANON_NAME)
+          add_single_effective_value(effective_config, config_values[1], level || level_setting, CANON_NAME)
+          add_single_effective_value(effective_config, config_values[2], progname, CANON_NAME)
+        end
       end
     end
   end

data/lib/contrast/components/protect.rb

@@ -4,13 +4,15 @@
 require 'contrast/components/base'
 require 'contrast/config/exception_configuration'
 require 'contrast/config/protect_rule_configuration'
+require 'contrast/utils/object_share'
+require 'contrast/agent/protect/state'
 
 module Contrast
   module Components
     module Protect
       # A wrapper build around the Common Agent Configuration project to allow for access of the values contained in
       # its parent_configuration_spec.yaml.  Specifically, this allows for querying the state of the Protect product.
-      class Interface
+      class Interface # rubocop:disable Metrics/ClassLength
         include Contrast::Components::ComponentBase
         include Contrast::Config::BaseConfiguration
 
@@ -68,7 +70,7 @@ module Contrast
           return false if forcibly_disabled?
           return true  if forcibly_enabled?
 
-          ::Contrast::SETTINGS.protect_state.enabled == true
+          state.enabled?
         end
 
         # Check to determine if the base64 decoding is required for user inputs.
@@ -85,12 +87,19 @@ module Contrast
           ::Contrast::CONFIG.protect.rules
         end
 
+        # Current Active Protect rules and the state/mode they are in.
+        #
+        # @return [Contrast::Agent::Protect::State]
+        def state
+          @_state ||= Contrast::Agent::Protect::State.new
+        end
+
         # Returns Protect array of all initialized
         # protect rules.
         #
         # @return defend_rules[Hash<Contrast::SETTINGS.protect_state.rules>]
         def defend_rules
-          ::Contrast::SETTINGS.protect_state.rules
+          state.rules
         end
 
         # The Contrast::CONFIG.protect.rules is object so we need to check it's
@@ -102,16 +111,27 @@ module Contrast
         # @return mode [Symbol]
         def rule_mode rule_id
           str = rule_id.tr('-', '_')
-          ::Contrast::CONFIG.protect.rules[str]&.applicable_mode ||
-              ::Contrast::SETTINGS.application_state.modes_by_id[rule_id] ||
-              :NO_ACTION
+          config_mode = Contrast::CONFIG.protect.rules[str]&.applicable_mode
+          settings_mode = ::Contrast::SETTINGS.application_state.modes_by_id[rule_id]
+
+          if config_mode
+            update_config_for_rule(rule_id, config_mode)
+            return config_mode
+          end
+
+          if settings_mode
+            update_config_for_rule(rule_id, settings_mode, ui_source: true)
+            return settings_mode
+          end
+          :NO_ACTION
         end
 
         # Name of the protect rule
         #
-        # @return [String]
+        # @param name [String]
+        # @return [Contrast::Agent::Protect::Rule::Base]
         def rule name
-          ::Contrast::SETTINGS.protect_state.rules[name]
+          state.rules[name]
         end
 
         def report_any_command_execution?
@@ -124,7 +144,8 @@ module Contrast
 
         def report_custom_code_sysfile_access?
           if @_report_custom_code_sysfile_access.nil?
-            name_changed = Contrast::Agent::Protect::Rule::PathTraversal::NAME.tr('-', '_')
+            name_changed = Contrast::Agent::Protect::Rule::PathTraversal::NAME.
+                tr(Contrast::Utils::ObjectShare::DASH, Contrast::Utils::ObjectShare::UNDERSCORE)
             ctrl = rule_config[name_changed]
             @_report_custom_code_sysfile_access = ctrl && true?(ctrl.detect_custom_code_accessing_system_files)
           end
@@ -150,16 +171,15 @@ module Contrast
 
         # @param effective_config [Contrast::Config::Diagnostics::EffectiveConfig]
         def protect_rules_to_effective_config effective_config
-          return unless defend_rules
-
-          defend_rules.each do |key, value|
+          state.rules.each do |key, value|
             next unless key && value
 
             config_prefix = "#{ CANON_NAME }.#{ RULES }.#{ key }"
-            name_prefix = "#{ CONTRAST }.#{ CANON_NAME }.#{ RULES }.#{ key }"
-            add_single_effective_value(effective_config, ENABLE, value.enabled?, config_prefix, name_prefix)
+            add_single_effective_value(effective_config, ENABLE, value.enabled?, config_prefix)
             # Get the mode by checking Current Configs or Settings received:
-            add_single_effective_value(effective_config, MODE, rule_mode(key), config_prefix, name_prefix)
+            mode = rule_mode(key)
+            mode = :OFF if mode == :NO_ACTION
+            add_single_effective_value(effective_config, MODE, mode, config_prefix)
           end
         end
 
@@ -168,6 +188,40 @@ module Contrast
 
           @_forcibly_enabled ||= true?(::Contrast::CONFIG.protect.enable)
         end
+
+        # Used for conversion to contrast metrics hash:
+        def forcibly_enabled
+          forcibly_enabled?
+        end
+
+        def forcibly_disabled
+          forcibly_disabled?
+        end
+
+        def report_custom_code_sysfile_access
+          report_custom_code_sysfile_access?
+        end
+
+        # @param rule_id [String] the canonical name for a config entry (such as api.proxy.enable).
+        # @param mode [Symbol] to set the value of the config entry.
+        # @param ui_source [Boolean] whether to se the source as contrast ui or not.
+        def update_config_for_rule rule_id, mode, ui_source: false
+          str = rule_id.tr('-', '_').to_sym
+          config = Contrast::CONFIG.config.loaded_config
+          return unless config
+
+          config[:protect] ||= {}
+          config[:protect][:rules] ||= {}
+          config[:protect][:rules][str] ||= {}
+          config[:protect][:rules][str][:mode] = mode
+          config[:protect][:rules][str][:enable] = (mode != :NO_ACTION)
+          return unless ui_source
+
+          Contrast::CONFIG.sources.set("#{ CANON_NAME }.#{ RULES }.#{ str }.mode",
+                                       Contrast::Components::Config::Sources::CONTRAST_UI)
+          Contrast::CONFIG.sources.set("#{ CANON_NAME }.#{ RULES }.#{ str }.enable",
+                                       Contrast::Components::Config::Sources::CONTRAST_UI)
+        end
       end
     end
   end