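├── Berksfile ├── spec ├── spec_helper.rb └── unit │ └── recipes │ ├── default_spec.rb │ └── tomcat_spec.rb ├── templates └── contrast_startup.sh.erb ├── attributes ├── tomcat.rb └── default.rb ├── test └── smoke │ └── default │ ├── default_test.rb │ └── tomcat_test.rb ├── recipes ├── tomcat.rb └── default.rb ├── README.md ├── metadata.rb ├── LICENSE └── chefignore /Berksfile: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | source 'https://supermarket.chef.io' 3 | 4 | metadata 5 | -------------------------------------------------------------------------------- /spec/spec_helper.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | require 'chefspec' 3 | require 'chefspec/berkshelf' 4 | -------------------------------------------------------------------------------- /templates/contrast_startup.sh.erb: --------------------------------------------------------------------------------
#!/bin/sh
# Wrapper rendered by the contrast_agent::tomcat recipe.
#
# Appends the Contrast -javaagent option to JAVA_OPTS and then hands over to
# the configured Tomcat startup script. The script is installed with mode
# 0755, so it needs an interpreter line to be runnable on its own, and it
# uses the POSIX "." builtin because "source" is not available in every
# /bin/sh.
#
# The jar named after -javaagent is loaded into the Tomcat JVM, so neither
# that jar nor this wrapper should be writable by accounts you do not trust.
export JAVA_OPTS="$JAVA_OPTS -javaagent:<%= @contrast %>"

# Sourced rather than executed, as in the original template, so the startup
# script runs in this shell and sees the exported JAVA_OPTS. The path is
# quoted so a directory name containing spaces is passed as one word.
. "<%= @tomcat_path %>/<%= @tomcat_startup %>"
-------------------------------------------------------------------------------- /attributes/tomcat.rb: -------------------------------------------------------------------------------- 1 | default[:contrast_agent][:tomcat_owner] = "tomcat" 2 | default[:contrast_agent][:tomcat_group] = "tomcat" 3 | default[:contrast_agent][:tomcat_path] = "/opt/tomcat/bin" 4 | default[:contrast_agent][:tomcat_startup] = "startup.sh" 5 | -------------------------------------------------------------------------------- /test/smoke/default/default_test.rb: -------------------------------------------------------------------------------- 1 | # # encoding: utf-8 2 | 3 | # Inspec test for recipe contrast_agent::default 4 | 5 | # The Inspec reference, with examples and extensive documentation, can be 6 | # found at http://inspec.io/docs/reference/resources/ 7 | 8 | 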
unless os.windows? 9 | # This is an example test, replace with your own test. 10 | describe user('root'), :skip do 11 | it { should exist } 12 | end 13 | end 14 | 15 | # This is an example test, replace it with your own test. 16 | describe port(80), :skip do 17 | it { should_not be_listening } 18 | end 19 | -------------------------------------------------------------------------------- /test/smoke/default/tomcat_test.rb: -------------------------------------------------------------------------------- 1 | # # encoding: utf-8 2 | 3 | # Inspec test for recipe contrast_agent::tomcat 4 | 5 | # The Inspec reference, with examples and extensive documentation, can be 6 | # found at http://inspec.io/docs/reference/resources/ 7 | 8 | unless os.windows? 9 | # This is an example test, replace with your own test. 10 | describe user('root'), :skip do 11 | it { should exist } 12 | end 13 | end 14 | 15 | # This is an example test, replace it with your own test. 16 | describe port(80), :skip do 17 | it { should_not be_listening } 18 | end 19 | -------------------------------------------------------------------------------- /recipes/tomcat.rb: --------------------------------------------------------------------------------
#
# Cookbook:: contrast_agent
# Recipe:: tomcat
#
# David Dooley
#
# Installs the agent through the default recipe, then renders a wrapper
# script next to Tomcat's own startup script. The wrapper template
# (contrast_startup.sh.erb) adds the -javaagent option to JAVA_OPTS and
# sources the configured startup script.

include_recipe 'contrast_agent::default'

settings = node[:contrast_agent]

# Values handed to the template: the jar the JVM should load as an agent and
# the location of the Tomcat startup script the wrapper sources.
wrapper_variables = {
  contrast: "#{settings[:install_path]}/contrast.jar",
  tomcat_path: settings[:tomcat_path],
  tomcat_startup: settings[:tomcat_startup]
}

# The wrapper is owned by the Tomcat account and is world-readable and
# world-executable (0755).
# NOTE(review): the owning account can rewrite a script that decides which
# agent jar the JVM loads; confirm that tomcat ownership, rather than root,
# is what your deployment intends.
template "#{settings[:tomcat_path]}/contrast_startup.sh" do
  source 'contrast_startup.sh.erb'
  owner settings[:tomcat_owner]
  group settings[:tomcat_group]
  mode '0755'
  variables(wrapper_variables)
end
-------------------------------------------------------------------------------- /attributes/default.rb: 
--------------------------------------------------------------------------------
# Default attributes for the contrast_agent cookbook.
#
# Every value below is a placeholder to be overridden per environment.
# api_key and service_key are TeamServer credentials: recipes/default.rb
# sends them in the request headers when it downloads the agent. Attribute
# files are normally committed to version control, so keep real keys out of
# this file and supply them from a secret store instead (for example an
# encrypted data bag or chef-vault).

# Local account and group that own the install directory and the agent jar.
default['contrast_agent']['owner'] = 'contrast'
default['contrast_agent']['owner_group'] = 'contrast'
default['contrast_agent']['install_path'] = '/opt/contrast'

# TeamServer the agent is downloaded from, and the organisation to use.
# Keep this on https: the credentials below travel in the request headers.
default['contrast_agent']['teamserver_url'] = 'https://app.contrastsecurity.com'
default['contrast_agent']['teamserver_org_uuid'] = 'ORG_UUID_AS_PER_UI'

# Credential: sent as the API-Key header.
default['contrast_agent']['api_key'] = 'API_KEY_AS_PER_UI'

# Credentials: username and service_key are combined into the Authorization
# header.
default['contrast_agent']['username'] = 'HANDLE@awesome.com'
default['contrast_agent']['service_key'] = 'YOUR_SERVICE_KEY_AS_PER_UI'

# Agent to download: java, dotnet, ruby, node, dot_net_profiler.
default['contrast_agent']['agent_type'] = 'java'

-------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # contrast_agent 2 | 3 | A Chef cookbook to install the contrast security agent. 4 | 5 | Basically, it will automatically install the contrast agent in a specific directory under the ownership and permissions of a specified user (e.g. a "contrast" user"). This is the default recipe, but more recipes could be added. 6 | 7 | It also has a basic recipe for Tomcat to automatically inject our Java agent (creates a wrapper script that sets JAVA_OPTS for the agent and calls startup.sh or equivalent); 8 | 9 | attributes/default.rb need to be configured with your particular user/Team Server details. 10 | attributes/tomcat.rb need to be configured with your particular Tomcat details. 11 | 12 | A simple way to test attributes are all correct is to use chef-client in local mode on a MAC/Unix workstation; 13 | sudo chef-client -z -o contrast_agent 14 | 15 | Check that contrast.jar is installed in /opt/contrast/. 
16 | 17 | -------------------------------------------------------------------------------- /metadata.rb: -------------------------------------------------------------------------------- 1 | name 'contrast_agent' 2 | maintainer 'David Dooley' 3 | maintainer_email 'david.dooley@contrastsecurity.com' 4 | license 'MIT' 5 | description 'Installs the Contrast Security agent' 6 | long_description 'Installs the Contrast Security agent. Contains a Tomcat recipe that creates a script that sets JAVA_OPTS and wraps around the tomcat startup script' 7 | version '0.2.1' 8 | chef_version '>= 12.1' if respond_to?(:chef_version) 9 | 10 | # The `issues_url` points to the location where issues for this cookbook are 11 | # tracked. A `View Issues` link will be displayed on this cookbook's page when 12 | # uploaded to a Supermarket. 13 | # 14 | issues_url 'https://github.com/ddooley77/contrast_agent/issues' 15 | 16 | # The `source_url` points to the development repository for this cookbook. A 17 | # `View Source` link will be displayed on this cookbook's page when uploaded to 18 | # a Supermarket. 
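19 | # 20 | source_url 'https://github.com/ddooley77/contrast_agent' 21 | -------------------------------------------------------------------------------- /recipes/default.rb: --------------------------------------------------------------------------------
#
# Cookbook:: contrast_agent
# Recipe:: default
#
# David Dooley
#
# Creates a dedicated system account and an install directory, then downloads
# the Contrast agent from the configured TeamServer into that directory as
# contrast.jar.

# Base64 is used below to build the Authorization header value.
require 'base64'

agent = node[:contrast_agent]

group agent[:owner_group]

# System account with no login shell; it only exists to own the agent files.
user agent[:owner] do
  group agent[:owner_group]
  system true
  shell '/bin/false'
end

directory agent[:install_path] do
  owner agent[:owner]
  group agent[:owner_group]
  mode '0755'
  action :create
end

# Authorization value: base64 of "username:service_key", sent without a
# scheme prefix exactly as before. strict_encode64 emits no line breaks, so
# the newline stripping the previous encode64 call needed is gone.
# The credentials come from node attributes; prefer feeding those attributes
# from a secret store over committing real keys to the attributes file.
auth_token = Base64.strict_encode64("#{agent[:username]}:#{agent[:service_key]}")

remote_file "#{agent[:install_path]}/contrast.jar" do
  source "#{agent[:teamserver_url]}/Contrast/api/ng/#{agent[:teamserver_org_uuid]}/agents/default/#{agent[:agent_type]}"
  owner agent[:owner]
  group agent[:owner_group]
  mode '0644'
  headers(
    'Authorization' => auth_token,
    'API-Key' => agent[:api_key].to_s
  )
  # The headers carry TeamServer credentials; mark the resource sensitive so
  # Chef keeps its details out of log and error output.
  sensitive true
  # NOTE(review): no checksum is set, so the integrity of the downloaded jar
  # rests on the TLS connection to teamserver_url. Keep that URL on https.
  action :create
end
-------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2018 Contrast Security OSS 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, 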
subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | 23 | -------------------------------------------------------------------------------- /spec/unit/recipes/default_spec.rb: -------------------------------------------------------------------------------- 1 | # 2 | # Cookbook:: contrast_agent 3 | # Spec:: default 4 | # 5 | # Copyright:: 2018, The Authors, All Rights Reserved. 
6 | 7 | require 'spec_helper' 8 | 9 | describe 'contrast_agent::default' do 10 | context 'When all attributes are default, on Ubuntu 16.04' do 11 | let(:chef_run) do 12 | # for a complete list of available platforms and versions see: 13 | # https://github.com/customink/fauxhai/blob/master/PLATFORMS.md 14 | runner = ChefSpec::ServerRunner.new(platform: 'ubuntu', version: '16.04') 15 | runner.converge(described_recipe) 16 | end 17 | 18 | it 'converges successfully' do 19 | expect { chef_run }.to_not raise_error 20 | end 21 | end 22 | 23 | context 'When all attributes are default, on CentOS 7.4.1708' do 24 | let(:chef_run) do 25 | # for a complete list of available platforms and versions see: 26 | # https://github.com/customink/fauxhai/blob/master/PLATFORMS.md 27 | runner = ChefSpec::ServerRunner.new(platform: 'centos', version: '7.4.1708') 28 | runner.converge(described_recipe) 29 | end 30 | 31 | it 'converges successfully' do 32 | expect { chef_run }.to_not raise_error 33 | end 34 | end 35 | end 36 | -------------------------------------------------------------------------------- /spec/unit/recipes/tomcat_spec.rb: -------------------------------------------------------------------------------- 1 | # 2 | # Cookbook:: contrast_agent 3 | # Spec:: default 4 | # 5 | # Copyright:: 2018, The Authors, All Rights Reserved. 
6 | 7 | require 'spec_helper' 8 | 9 | describe 'contrast_agent::tomcat' do 10 | context 'When all attributes are default, on Ubuntu 16.04' do 11 | let(:chef_run) do 12 | # for a complete list of available platforms and versions see: 13 | # https://github.com/customink/fauxhai/blob/master/PLATFORMS.md 14 | runner = ChefSpec::ServerRunner.new(platform: 'ubuntu', version: '16.04') 15 | runner.converge(described_recipe) 16 | end 17 | 18 | it 'converges successfully' do 19 | expect { chef_run }.to_not raise_error 20 | end 21 | end 22 | 23 | context 'When all attributes are default, on CentOS 7.4.1708' do 24 | let(:chef_run) do 25 | # for a complete list of available platforms and versions see: 26 | # https://github.com/customink/fauxhai/blob/master/PLATFORMS.md 27 | runner = ChefSpec::ServerRunner.new(platform: 'centos', version: '7.4.1708') 28 | runner.converge(described_recipe) 29 | end 30 | 31 | it 'converges successfully' do 32 | expect { chef_run }.to_not raise_error 33 | end 34 | end 35 | end 36 | -------------------------------------------------------------------------------- /chefignore: -------------------------------------------------------------------------------- 1 | # Put files/directories that should be ignored in this file when uploading 2 | # to a chef-server or supermarket. 3 | # Lines that start with '# ' are comments. 4 | 5 | # OS generated files # 6 | ###################### 7 | .DS_Store 8 | Icon? 
9 | nohup.out 10 | ehthumbs.db 11 | Thumbs.db 12 | 13 | # SASS # 14 | ######## 15 | .sass-cache 16 | 17 | # EDITORS # 18 | ########### 19 | \#* 20 | .#* 21 | *~ 22 | *.sw[a-z] 23 | *.bak 24 | REVISION 25 | TAGS* 26 | tmtags 27 | *_flymake.* 28 | *_flymake 29 | *.tmproj 30 | .project 31 | .settings 32 | mkmf.log 33 | 34 | ## COMPILED ## 35 | ############## 36 | a.out 37 | *.o 38 | *.pyc 39 | *.so 40 | *.com 41 | *.class 42 | *.dll 43 | *.exe 44 | */rdoc/ 45 | 46 | # Testing # 47 | ########### 48 | .watchr 49 | .rspec 50 | spec/* 51 | spec/fixtures/* 52 | test/* 53 | features/* 54 | examples/* 55 | Guardfile 56 | Procfile 57 | .kitchen* 58 | .rubocop.yml 59 | spec/* 60 | Rakefile 61 | .travis.yml 62 | .foodcritic 63 | .codeclimate.yml 64 | 65 | # SCM # 66 | ####### 67 | .git 68 | */.git 69 | .gitignore 70 | .gitmodules 71 | .gitconfig 72 | .gitattributes 73 | .svn 74 | */.bzr/* 75 | */.hg/* 76 | */.svn/* 77 | 78 | # Berkshelf # 79 | ############# 80 | Berksfile 81 | Berksfile.lock 82 | cookbooks/* 83 | tmp 84 | 85 | # Policyfile # 86 | ############## 87 | Policyfile.rb 88 | Policyfile.lock.json 89 | 90 | # Cookbooks # 91 | ############# 92 | CONTRIBUTING* 93 | CHANGELOG* 94 | TESTING* 95 | MAINTAINERS.toml 96 | 97 | # Strainer # 98 | ############ 99 | Colanderfile 100 | Strainerfile 101 | .colander 102 | .strainer 103 | 104 | # Vagrant # 105 | ########### 106 | .vagrant 107 | Vagrantfile 108 | --------------------------------------------------------------------------------