Class: Contrast::Agent::Assess::Policy::Policy

Inherits:
Patching::Policy::Policy
Defined in:
lib/contrast/agent/assess/policy/policy.rb

Overview

This is just a holder for our policy. Takes the policy JSON and converts it into hashes that we can access nicely

Constant Summary

PROVIDER_CLASSES =
[
  Contrast::Agent::Assess::Rule::Provider::HardcodedKey,
  Contrast::Agent::Assess::Rule::Provider::HardcodedPassword
].cs__freeze

Constants inherited from Patching::Policy::Policy

Patching::Policy::Policy::PROPAGATION_KEY, Patching::Policy::Policy::RULES_KEY, Patching::Policy::Policy::SOURCES_KEY, Patching::Policy::Policy::TRIGGERS_KEY

Instance Attribute Summary

Attributes inherited from Patching::Policy::Policy

#propagators, #providers, #sources, #triggers

Class Method Summary

Instance Method Summary

Methods inherited from Patching::Policy::Policy

#add_node, #find_node, #find_propagator_node, #find_source_node, #find_triggers_by_rule, #module_names, policy_json

Methods included from Components::Logger::InstanceMethods

#cef_logger, #logger

Constructor Details

#initialize ⇒ Policy

Returns a new instance of Policy.

# File 'lib/contrast/agent/assess/policy/policy.rb', line 30

def initialize
  super
  load_providers
end

Class Method Details

.policy_folder ⇒ Object

Indicates the folder in ‘resources` where this policy lives.
# File 'lib/contrast/agent/assess/policy/policy.rb', line 26

def self.policy_folder
  'assess'
end

Instance Method Details

#disabled_globally? ⇒ Boolean

Indicates whether this feature has been disabled by the configuration read at startup, and therefore can never be enabled for the life of the process.

Returns:

  • (Boolean)

# File 'lib/contrast/agent/assess/policy/policy.rb', line 37

def disabled_globally?
  ::Contrast::ASSESS.forcibly_disabled?
end

#from_hash_string(string) ⇒ Object

Our policy for dataflow rules is a ‘dope ass’ JSON file. Rather than hard-coding a list of things to monkey patch, we let the JSON file define the conditions under which sources, propagators, and triggers are applied. This lets us be flexible and extensible: when we want to do level 2 rules, we could have customers unzip our gem, insert entries into the JSON, zip it back up, and go.
# File 'lib/contrast/agent/assess/policy/policy.rb', line 52

def from_hash_string string
  # The default behavior of the agent is to load the policy on startup,
  # as at this point we do not know in which mode we'll be run.
  #
  # If the configuration file explicitly disables a feature, we know
  # that we will not ever be able to enable it, so in that case, we
  # can skip policy loading.
  return if disabled_globally?

  policy_data = Contrast::Utils::Json.parse(string)

  policy_data[SOURCES_KEY].each do |source_hash|
    source = Contrast::Agent::Assess::Policy::SourceNode.new(source_hash)
    add_node(source, :source)
  end

  policy_data[PROPAGATION_KEY].each do |propagator_hash|
    prop = Contrast::Agent::Assess::Policy::PropagationNode.new(propagator_hash)
    add_node(prop, :propagator)
  end

  policy_data[RULES_KEY].each do |rule_hash|
    rule_hash[TRIGGERS_KEY].each do |trigger_hash|
      trigger_node = node_type.new(trigger_hash, rule_hash)
      add_node(trigger_node)
    end
  end
end
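The loading flow above, as an added stand-alone example (not the agent's own code): a constructed policy in the sources/propagators/rules shape is parsed into lookup hashes keyed by class and method, the disabled_globally? short-circuit is honoured, and a malformed entry raises instead of being skipped. The node class, the "Klass#meth" / "Klass.meth" key format, the sample policy entries and the `disabled:` constructor flag are assumptions for illustration; the agent's real node classes and its shipped resources/assess policy file are not reproduced here.

```ruby
require 'json'

# Added example: a minimal stand-in for the policy loader described above.
# Node class, key format and the policy JSON are assumptions for illustration,
# not the agent's real classes or its shipped resources/assess policy file.
module ExamplePolicy
  SOURCES_KEY     = 'sources'
  PROPAGATION_KEY = 'propagators'
  RULES_KEY       = 'rules'
  TRIGGERS_KEY    = 'triggers'

  # One patch point taken from the JSON: which class/method to hook and how.
  Node = Struct.new(:class_name, :method_name, :instance_method, :extra, keyword_init: true) do
    # Lookup key: "Klass#meth" for instance methods, "Klass.meth" for class methods.
    def key
      "#{class_name}#{instance_method ? '#' : '.'}#{method_name}"
    end
  end

  class Policy
    attr_reader :sources, :propagators, :triggers

    def initialize(disabled: false)
      @disabled    = disabled
      @sources     = {} # key => Node
      @propagators = {} # key => Node
      @triggers    = {} # rule_id => [Node, ...]
    end

    # Stands in for disabled_globally?: a feature forcibly disabled in the
    # startup configuration can never be turned on, so skip building tables.
    def disabled_globally?
      @disabled
    end

    def from_hash_string(string)
      return if disabled_globally?

      data = JSON.parse(string)
      data.fetch(SOURCES_KEY, []).each     { |h| add_node(build_node(h), :source) }
      data.fetch(PROPAGATION_KEY, []).each { |h| add_node(build_node(h), :propagator) }
      data.fetch(RULES_KEY, []).each do |rule|
        rule.fetch(TRIGGERS_KEY, []).each do |h|
          add_node(build_node(h, rule_id: rule.fetch('id')), :trigger)
        end
      end
      self
    end

    def find_triggers_by_rule(rule_id)
      @triggers.fetch(rule_id, [])
    end

    private

    # A policy entry missing its class or method name is a broken policy, not an
    # optional one: Hash#fetch raises KeyError instead of hooking the wrong thing.
    def build_node(h, rule_id: nil)
      Node.new(
        class_name:      h.fetch('class_name'),
        method_name:     h.fetch('method_name'),
        instance_method: h.fetch('instance_method', true),
        extra: h.reject { |k, _| %w[class_name method_name instance_method].include?(k) }
                .merge('rule_id' => rule_id).compact
      )
    end

    def add_node(node, type)
      case type
      when :source     then @sources[node.key] = node
      when :propagator then @propagators[node.key] = node
      when :trigger    then (@triggers[node.extra['rule_id']] ||= []) << node
      else raise ArgumentError, "unknown node type #{type.inspect}"
      end
    end
  end

  # Constructed sample policy in the sources/propagators/rules shape above.
  SAMPLE_POLICY = <<~JSON
    {
      "sources": [
        {"class_name": "Rack::Request", "method_name": "params", "instance_method": true, "type": "PARAMETER"}
      ],
      "propagators": [
        {"class_name": "String", "method_name": "+", "instance_method": true, "action": "APPEND"}
      ],
      "rules": [
        {"id": "sql-injection", "triggers": [
          {"class_name": "ActiveRecord::Base", "method_name": "find_by_sql", "instance_method": false}
        ]}
      ]
    }
  JSON
end

if $PROGRAM_NAME == __FILE__
  policy = ExamplePolicy::Policy.new.from_hash_string(ExamplePolicy::SAMPLE_POLICY)
  puts policy.sources.keys.inspect
  puts policy.find_triggers_by_rule('sql-injection').map(&:key).inspect
end
```

The design point worth keeping from this sketch is the failure mode: a policy file that is edited by hand (the "unzip, insert, zip" workflow above) can easily lose a required key, and an agent that silently skips such an entry leaves a source or trigger unhooked with no sign of it. Raising at load time is the safer default.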

#load_providers ⇒ Object

Providers is a term we’re taking from Java until we come up with a name that we (I) don’t hate. Basically, these are more static rules: they don’t do dataflow or response scanning. Instead, they watch for things being loaded (configs, classes, whatever) and determine whether those loaded things are unsafe.

If we want, we could add this as a section to the aforementioned ‘dope ass’ JSON.
# File 'lib/contrast/agent/assess/policy/policy.rb', line 89

def load_providers
  PROVIDER_CLASSES.each do |clazz|
    instance = clazz.new
    providers[instance.rule_id] = instance
  end
end
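An added example of the provider pattern described above (not the agent's code): two illustrative static rules keyed by rule_id, a registry that instantiates them the way load_providers does, and a scan over a constructed config hash. The rule classes, their name patterns, the templated-value skip and the duplicate rule_id check are assumptions for illustration; the agent's real HardcodedKey and HardcodedPassword logic is not reproduced.

```ruby
# Added example: a stand-in for the provider registry described above. The two
# rule classes, their patterns and the sample config are assumptions for
# illustration, not the agent's HardcodedKey / HardcodedPassword implementations.
module ExampleProviders
  # A provider is a static rule: it inspects something that was just loaded
  # (here a parsed config hash) and reports findings. No dataflow tracking.
  class HardcodedSecret
    def rule_id
      raise NotImplementedError
    end

    def name_pattern
      raise NotImplementedError
    end

    # Returns one finding per config entry whose name matches the rule and whose
    # value is a literal. Templated or env-sourced values are not hardcoded.
    def check(source, config)
      config.each_with_object([]) do |(name, value), findings|
        next unless name.to_s.match?(name_pattern)
        next unless value.is_a?(String) && !value.strip.empty?
        next if value.start_with?('${', 'ENV[')

        findings << { rule_id: rule_id, source: source, name: name.to_s }
      end
    end
  end

  class HardcodedKey < HardcodedSecret
    def rule_id
      'hardcoded-key'
    end

    def name_pattern
      /(api|access|private|signing)[_-]?key|token/i
    end
  end

  class HardcodedPassword < HardcodedSecret
    def rule_id
      'hardcoded-password'
    end

    def name_pattern
      /pass(word|wd)?|secret/i
    end
  end

  PROVIDER_CLASSES = [HardcodedKey, HardcodedPassword].freeze

  class Registry
    attr_reader :providers

    def initialize
      @providers = {} # rule_id => provider instance
      load_providers
    end

    # Mirrors load_providers; a duplicate rule_id would silently replace a rule,
    # so treat it as a programming error.
    def load_providers
      PROVIDER_CLASSES.each do |clazz|
        instance = clazz.new
        raise ArgumentError, "duplicate rule_id #{instance.rule_id}" if providers.key?(instance.rule_id)

        providers[instance.rule_id] = instance
      end
    end

    # Run every provider over a freshly loaded config and collect findings.
    def scan(source, config)
      providers.values.flat_map { |provider| provider.check(source, config) }
    end
  end

  # Constructed sample: a config file already parsed into name => value pairs.
  SAMPLE_CONFIG = {
    'DB_PASSWORD'     => 'hunter2',
    'API_KEY'         => 'AKIAEXAMPLE',
    'SMTP_PASSWORD'   => '${SMTP_PASSWORD}',
    'SESSION_TIMEOUT' => '300'
  }.freeze
end

if $PROGRAM_NAME == __FILE__
  ExampleProviders::Registry.new.scan('config/app.yml', ExampleProviders::SAMPLE_CONFIG).each do |f|
    puts "#{f[:rule_id]}: #{f[:name]} in #{f[:source]}"
  end
end
```

Keying the registry by rule_id is what lets a provider's findings be reported under the same rule identifier as the dataflow rules, which is also why a collision between two provider classes should be caught at load time rather than leaving one of them unreachable.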

#node_type ⇒ Object
# File 'lib/contrast/agent/assess/policy/policy.rb', line 41

def node_type
  Contrast::Agent::Assess::Policy::TriggerNode
end