Class: Contrast::Agent::Reporting::Settings::Protect

Inherits:

Object

• Object
• Contrast::Agent::Reporting::Settings::Protect

Defined in:

lib/contrast/agent/reporting/settings/protect.rb

Overview

Application level settings for the Protect featureset

Constant Summary

NG_PROTECT_RULES_MODE =

modes set by NG endpoints; block at perimeter needs to be check against the blockAtEntry boolean value

%w[OFF MONITORING BLOCKING].cs__freeze

ACTIVE_PROTECT_RULES_LIST =

%w[
  bot-blocker cmd-injection cmd-injection-command-backdoors cmd-injection-semantic-chained-commands
  cmd-injection-semantic-dangerous-paths untrusted-deserialization nosql-injection path-traversal
  path-traversal-semantic-file-security-bypass sql-injection sql-injection-semantic-dangerous-functions
  unsafe-file-upload reflected-xss xxe
].cs__freeze

Instance Method Summary

• #active_defend_rules ⇒ Object

  Returns list of actively used protection rules to be updated, or default list.

• #protection_rules ⇒ Object

  The settings for each protect rule for this application.

• #protection_rules=(protection_rules) ⇒ Object

  Set the protection_rules array.

• #protection_rules_to_settings_hash ⇒ Object

  Converts settings into Agent Settings understandable hash => MODE.

• #rule_settings ⇒ Hash<String,Contrast::Agent::Reporting::Settings::ProtectRule>

  Map of rule, by id, to configuration.

• #rules_settings_to_settings_hash ⇒ Object

  Converts settings into Agent Settings understandable hash => MODE Takes Hash<String, Contrast::Agent::Reporting::Settings::ProtectRule> and converts it to Hash<RULE_ID => MODE>.

• #virtual_patches ⇒ Array<Contrast::Agent::Reporting::Settings::VirtualPatch>

  The virtual patches to apply for this application.

• #virtual_patches=(virtual_patches) ⇒ Object

  Set the virtual patches array.

Instance Method Details

#active_defend_rules ⇒ Object

Returns list of actively used protection rules to be updated, or default list. This will be used to query the received settings for the ones used by the Agent.

# File 'lib/contrast/agent/reporting/settings/protect.rb', line 123

def active_defend_rules
  return ACTIVE_PROTECT_RULES_LIST unless defined?(Contrast::PROTECT)

  current_rules = Contrast::PROTECT.defend_rules.keys
  return current_rules unless current_rules.empty?

  ACTIVE_PROTECT_RULES_LIST
end

#protection_rules ⇒ Object

The settings for each protect rule for this application

# File 'lib/contrast/agent/reporting/settings/protect.rb', line 30

def protection_rules
  @_protection_rules ||= []
end

#protection_rules=(protection_rules) ⇒ Object

Set the protection_rules array

Parameters:

• protection_rules (Array<protectRule>) —

  protectRule: { blockAtEntry [Boolean] If in block mode, to block at perimeter or not. id [String] The id of a rule in Contrast. mode [String] The mode that this rule should run in. [OFF, MONITORING, BLOCKING] }

# File 'lib/contrast/agent/reporting/settings/protect.rb', line 50

def protection_rules= protection_rules
  @_protection_rules = protection_rules if protection_rules.is_a?(Array)
end

#protection_rules_to_settings_hash ⇒ Object

Converts settings into Agent Settings understandable hash => MODE

# File 'lib/contrast/agent/reporting/settings/protect.rb', line 84

def protection_rules_to_settings_hash
  return {} if protection_rules.empty?

  modes_by_id = {}
  protection_rules.each do |rule|
    setting_mode = rule[:mode] || rule['mode']
    # BlockAtEnrtry is only available for the protection_rules Array.
    # It is used in both ng and non ng payloads. If the array is empty
    # this method will short circuit at the very first line and return
    # empty hash. this means that the #rules_settings_to_settings_hash
    # will be used next to extract the settings.
    bap = rule[:blockAtEntry] || rule['blockAtEntry']
    api_mode = assign_mode(setting_mode, block_at_entry: !!bap == bap)

    id = rule[:id] || rule['id']
    modes_by_id[id] = api_mode
  end
  modes_by_id
end

#rule_settings ⇒ Hash<String,Contrast::Agent::Reporting::Settings::ProtectRule>

Returns map of rule, by id, to configuration.

Returns:

• (Hash<String,Contrast::Agent::Reporting::Settings::ProtectRule>) —

  map of rule, by id, to configuration

# File 'lib/contrast/agent/reporting/settings/protect.rb', line 36

def rule_settings
  @_rule_settings ||= {}
end

#rules_settings_to_settings_hash ⇒ Object

Converts settings into Agent Settings understandable hash => MODE Takes Hash<String, Contrast::Agent::Reporting::Settings::ProtectRule> and converts it to Hash<RULE_ID => MODE>

# File 'lib/contrast/agent/reporting/settings/protect.rb', line 109

def rules_settings_to_settings_hash
  return {} if rule_settings.empty?

  modes_by_id = {}
  rule_settings.each do |rule_id, rule_mode|
    next unless active_defend_rules.include?(rule_id.to_s)

    modes_by_id[rule_id.to_s] = assign_mode(rule_mode.mode)
  end
  modes_by_id
end

#virtual_patches ⇒ Array<Contrast::Agent::Reporting::Settings::VirtualPatch>

The virtual patches to apply for this application

Returns:

• (Array<Contrast::Agent::Reporting::Settings::VirtualPatch>)

# File 'lib/contrast/agent/reporting/settings/protect.rb', line 57

def virtual_patches
  @_virtual_patches ||= []
end

#virtual_patches=(virtual_patches) ⇒ Object

Set the virtual patches array

Parameters:

• virtual_patches (Array<VirtualPatch>) —

  Array of VirtualPatch: { name [String] The name of the Virtual Patch headers [Array] The headers that must be present in the request to result in the request being blocked parameters [Array] The parameters that must be present in the request

  to result in the request being blocked.
  

  urls [Array] The urls that must be present in the request to result in the request being blocked. uuids [String] The UUID of the Virtual Patch }

# File 'lib/contrast/agent/reporting/settings/protect.rb', line 77

def virtual_patches= virtual_patches
  @_virtual_patches = virtual_patches if virtual_patches.is_a?(Array)
end