# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details. # frozen_string_literal: true require 'contrast/agent/patching/policy/policy_node' require 'contrast/api/decorators/trace_taint_range_tags' module Contrast module Agent module Assess module Policy # This class functions to translate our policy.json into an actionable # Ruby object, allowing for dynamic patching over hardcoded patching. class PolicyNode < Contrast::Agent::Patching::Policy::PolicyNode attr_accessor :tags, :type attr_reader :sources, :targets, :source_string, :target_string def initialize policy_hash = {} super(policy_hash) @source_string = policy_hash[JSON_SOURCE] @target_string = policy_hash[JSON_TARGET] @tags = Set.new(policy_hash[JSON_TAGS]) generate_sources generate_targets end def feature 'Assess' end def node_class 'Node' end def node_type :TYPE_METHOD end def target @_target ||= begin if targets&.any? targets[0] elsif sources&.any? sources[0] end end end def target_string= value @target_string = value generate_targets end # Sometimes we need to tie information to an event. We'll add a # properties section to the patch node, which can pass them along to # the pre-dtm event def add_property name, value return unless name && value @properties ||= {} @properties[name] = value end def get_property name return unless @properties @properties[name] end # Given a source in the format A,B,C, populate the sources of this node # 1) Split on ',' # 2) If 'O', add the source, else it's P (we don't have R sources) and # needs to be converted. P type will either be P:name or P# where # # is the index of the parameter. Drop the P and store the int as int # or name as symbol def generate_sources if source_string @sources = [] source_string.split(Contrast::Utils::ObjectShare::COMMA).each do |s| is_object = (s == Contrast::Utils::ObjectShare::OBJECT_KEY) if is_object @sources << s else parameter_source = s[1..-1] @sources << if parameter_source.start_with?(Contrast::Utils::ObjectShare::COLON) parameter_source[1..-1].to_sym else parameter_source.to_i end end end else @sources = Contrast::Utils::ObjectShare::EMPTY_ARRAY end end # Given a target in the format A,B,C, populate the targets of this node # 1) Split on ',' # 2) If 'O' or 'R', add the target, else it's P and needs to be # converted. P type will either be P:name or P# where # is the index # of the paramter. Drop the P and store the int as int or name as # symbol def generate_targets if target_string @targets = [] target_string.split(Contrast::Utils::ObjectShare::COMMA).each do |t| case t when Contrast::Utils::ObjectShare::OBJECT_KEY @targets << t when Contrast::Utils::ObjectShare::RETURN_KEY @targets << t else parameter_target = t[1..-1] @targets << if parameter_target.start_with?(Contrast::Utils::ObjectShare::COLON) parameter_target[1..-1].to_sym else parameter_target.to_i end end end else @targets = Contrast::Utils::ObjectShare::EMPTY_ARRAY end end # Don't let nodes be created that will be missing things we need # later on. Really, if they don't have these things, they couldn't have # done their jobs anyway. def validate super validate_tags end # TeamServer is picky. The tags here match to ENUMs there. If there # isn't a matching ENUM in TS land, the database gets got. We really # don't want to get them, so we're going to prevent the node from being # made. def validate_tags return unless tags tags.each do |tag| next if Contrast::Api::Decorators::TraceTaintRangeTags::VALID_TAGS.include?(tag) || Contrast::Api::Decorators::TraceTaintRangeTags::VALID_SOURCE_TAGS.include?(tag) raise(ArgumentError, "#{ node_class } #{ id } had an invalid tag. #{ tag } is not a known value.") end end ALL_TYPE = 'A' TO_MARKER = '2' # Convert our action, built from our source and target, into # the TS appropriate action. That's a single source to single # target marker (A,O,P,R) # # Creation (source nodes) don't have sources (they are the source) # Trigger (trigger nodes) don't have targets (they are the target) # Everything else (propagation nodes) are Source2Target def build_action @event_action ||= begin case node_class when Contrast::Agent::Assess::Policy::SourceNode::SOURCE :CREATION when Contrast::Agent::Assess::Policy::TriggerNode::TRIGGER :TRIGGER else if source_string.nil? :CREATION elsif target_string.nil? :TRIGGER else # TeamServer can't handle the multi-source or multi-target # values. Give it some help by changing them to 'A' source = source_string.include?(Contrast::Utils::ObjectShare::COMMA) ? ALL_TYPE : source_string target = target_string.include?(Contrast::Utils::ObjectShare::COMMA) ? ALL_TYPE : target_string str = source[0] + TO_MARKER + target[0] str.to_sym end end end @event_action end # The keys used to read from policy.json to create the individual # policy nodes. These are common across node types JSON_SOURCE = 'source' JSON_TARGET = 'target' JSON_TAGS = 'tags' JSON_DATAFLOW = 'dataflow' end end end end end