RubyGems - ai_root_shield - Versions diffs - 0.2.0 → 0.4.0 - Mend

ai_root_shield 0.2.0 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +52 -3
data/Gemfile.lock +1 -1
data/README.md +109 -3
data/examples/policies/banking_policy.json +79 -0
data/examples/policies/development_policy.json +64 -0
data/examples/policies/enterprise_policy.json +89 -0
data/exe/ai_root_shield +157 -14
data/lib/ai_root_shield/advanced_proxy_detector.rb +406 -0
data/lib/ai_root_shield/certificate_pinning_helper.rb +258 -0
data/lib/ai_root_shield/enterprise_policy_manager.rb +431 -0
data/lib/ai_root_shield/rasp_protection.rb +359 -0
data/lib/ai_root_shield/version.rb +1 -1
data/lib/ai_root_shield.rb +171 -4
metadata +16 -5

data/lib/ai_root_shield/certificate_pinning_helper.rb ADDED Viewed

@@ -0,0 +1,258 @@
+# frozen_string_literal: true
+require "openssl"
+require "net/http"
+require "uri"
+module AiRootShield
+  # Certificate pinning helper for TLS public key pinning integration
+  class CertificatePinningHelper
+    # Supported hash algorithms for pinning
+    SUPPORTED_ALGORITHMS = %w[sha256 sha1].freeze
+    # Common certificate authorities and their pins
+    COMMON_CA_PINS = {
+      "letsencrypt" => [
+        "sha256/YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=", # ISRG Root X1
+        "sha256/sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis="  # ISRG Root X2
+      ],
+      "digicert" => [
+        "sha256/WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=", # DigiCert Global Root G2
+        "sha256/RRM1dGqnDFsCJXBTHky16vi1obOlCgFFn/yOhI/y+ho="  # DigiCert Global Root CA
+      ],
+      "google" => [
+        "sha256/KwccWaCgrnaw6tsrrSO61FgLacNgG2MMLq8GE6+oP5I=", # GTS Root R1
+        "sha256/FEzVOUp4dF3gI0ZVPRJhFbSD608T5Wx5Bp0+jBw/gQo="  # GTS Root R2
+      ]
+    }.freeze
+    def initialize(config = {})
+      @config = {
+        algorithm: "sha256",
+        backup_pins: [],
+        pin_validation_enabled: true,
+        allow_backup_pins: true,
+        strict_mode: false
+      }.merge(config)
+      @pinned_hosts = {}
+      @validation_cache = {}
+    end
+    # Add certificate pin for a host
+    # @param host [String] Hostname to pin
+    # @param pins [Array<String>] Array of certificate pins
+    # @param options [Hash] Additional options
+    def add_pin(host, pins, options = {})
+      normalized_host = normalize_host(host)
+      @pinned_hosts[normalized_host] = {
+        pins: Array(pins),
+        algorithm: options[:algorithm] || @config[:algorithm],
+        backup_pins: options[:backup_pins] || [],
+        strict_mode: options[:strict_mode] || @config[:strict_mode],
+        added_at: Time.now
+      }
+    end
+    # Validate certificate chain against pinned certificates
+    # @param host [String] Hostname being validated
+    # @param cert_chain [Array<OpenSSL::X509::Certificate>] Certificate chain
+    # @return [Hash] Validation result
+    def validate_pin(host, cert_chain)
+      normalized_host = normalize_host(host)
+      pin_config = @pinned_hosts[normalized_host]
+      return { valid: true, reason: "no_pin_configured" } unless pin_config
+      # Check cache first
+      cache_key = generate_cache_key(host, cert_chain)
+      return @validation_cache[cache_key] if @validation_cache[cache_key]
+      result = perform_pin_validation(pin_config, cert_chain)
+      # Cache result for performance
+      @validation_cache[cache_key] = result
+      result
+    end
+    # Extract certificate pin from certificate
+    # @param certificate [OpenSSL::X509::Certificate] Certificate to extract pin from
+    # @param algorithm [String] Hash algorithm to use
+    # @return [String] Certificate pin
+    def extract_pin(certificate, algorithm = "sha256")
+      public_key_der = certificate.public_key.to_der
+      case algorithm.downcase
+      when "sha256"
+        digest = OpenSSL::Digest::SHA256.digest(public_key_der)
+        "sha256/#{[digest].pack('m0')}"
+      when "sha1"
+        digest = OpenSSL::Digest::SHA1.digest(public_key_der)
+        "sha1/#{[digest].pack('m0')}"
+      else
+        raise ArgumentError, "Unsupported algorithm: #{algorithm}"
+      end
+    end
+    # Get certificate chain from URL
+    # @param url [String] URL to get certificate chain from
+    # @return [Array<OpenSSL::X509::Certificate>] Certificate chain
+    def get_certificate_chain(url)
+      uri = URI.parse(url)
+      return [] unless uri.scheme == "https"
+      cert_chain = []
+      begin
+        tcp_socket = TCPSocket.new(uri.host, uri.port || 443)
+        ssl_context = OpenSSL::SSL::SSLContext.new
+        ssl_context.verify_mode = OpenSSL::SSL::VERIFY_NONE
+        ssl_socket = OpenSSL::SSL::SSLSocket.new(tcp_socket, ssl_context)
+        ssl_socket.hostname = uri.host
+        ssl_socket.connect
+        cert_chain = ssl_socket.peer_cert_chain || []
+        ssl_socket.close
+        tcp_socket.close
+      rescue => e
+        # Log error but don't raise to allow graceful handling
+        warn "Certificate chain retrieval failed for #{url}: #{e.message}"
+      end
+      cert_chain
+    end
+    # Generate pins for a URL
+    # @param url [String] URL to generate pins for
+    # @param algorithm [String] Hash algorithm to use
+    # @return [Array<String>] Generated pins
+    def generate_pins_for_url(url, algorithm = "sha256")
+      cert_chain = get_certificate_chain(url)
+      return [] if cert_chain.empty?
+      cert_chain.map { |cert| extract_pin(cert, algorithm) }
+    end
+    # Validate current pinning configuration
+    # @return [Hash] Validation report
+    def validate_configuration
+      report = {
+        total_pins: @pinned_hosts.size,
+        valid_pins: 0,
+        invalid_pins: 0,
+        issues: []
+      }
+      @pinned_hosts.each do |host, config|
+        begin
+          # Test connectivity and pin validation
+          test_url = "https://#{host}"
+          cert_chain = get_certificate_chain(test_url)
+          if cert_chain.empty?
+            report[:issues] << "Cannot retrieve certificate chain for #{host}"
+            report[:invalid_pins] += 1
+          else
+            validation_result = perform_pin_validation(config, cert_chain)
+            if validation_result[:valid]
+              report[:valid_pins] += 1
+            else
+              report[:invalid_pins] += 1
+              report[:issues] << "Pin validation failed for #{host}: #{validation_result[:reason]}"
+            end
+          end
+        rescue => e
+          report[:invalid_pins] += 1
+          report[:issues] << "Error validating #{host}: #{e.message}"
+        end
+      end
+      report
+    end
+    # Get pinning status for all configured hosts
+    # @return [Hash] Pinning status
+    def pinning_status
+      {
+        enabled: @config[:pin_validation_enabled],
+        total_hosts: @pinned_hosts.size,
+        hosts: @pinned_hosts.keys,
+        cache_size: @validation_cache.size,
+        configuration: @config
+      }
+    end
+    # Clear validation cache
+    def clear_cache
+      @validation_cache.clear
+    end
+    # Remove pin for host
+    # @param host [String] Host to remove pin for
+    def remove_pin(host)
+      normalized_host = normalize_host(host)
+      @pinned_hosts.delete(normalized_host)
+      # Clear related cache entries
+      @validation_cache.delete_if { |key, _| key.include?(normalized_host) }
+    end
+    # Load pins from common CA configurations
+    # @param ca_name [String] CA name (letsencrypt, digicert, google)
+    # @param hosts [Array<String>] Hosts to apply CA pins to
+    def load_ca_pins(ca_name, hosts)
+      ca_pins = COMMON_CA_PINS[ca_name.downcase]
+      raise ArgumentError, "Unknown CA: #{ca_name}" unless ca_pins
+      Array(hosts).each do |host|
+        add_pin(host, ca_pins, backup_pins: ca_pins)
+      end
+    end
+    private
+    def normalize_host(host)
+      # Remove protocol and path, keep only hostname
+      host.gsub(/^https?:\/\//, "").split("/").first.downcase
+    end
+    def generate_cache_key(host, cert_chain)
+      cert_fingerprints = cert_chain.map { |cert| cert.to_der }.join
+      "#{normalize_host(host)}_#{Digest::SHA256.hexdigest(cert_fingerprints)}"
+    end
+    def perform_pin_validation(pin_config, cert_chain)
+      return { valid: false, reason: "empty_certificate_chain" } if cert_chain.empty?
+      algorithm = pin_config[:algorithm]
+      expected_pins = pin_config[:pins] + (pin_config[:backup_pins] || [])
+      # Extract pins from certificate chain
+      actual_pins = cert_chain.map { |cert| extract_pin(cert, algorithm) }
+      # Check if any actual pin matches expected pins
+      matching_pins = actual_pins & expected_pins
+      if matching_pins.any?
+        {
+          valid: true,
+          reason: "pin_match_found",
+          matched_pins: matching_pins,
+          algorithm: algorithm
+        }
+      else
+        {
+          valid: false,
+          reason: "no_pin_match",
+          expected_pins: expected_pins,
+          actual_pins: actual_pins,
+          algorithm: algorithm
+        }
+      end
+    end
+  end
+end

data/lib/ai_root_shield/enterprise_policy_manager.rb ADDED Viewed

@@ -0,0 +1,431 @@
+# frozen_string_literal: true
+require "json"
+module AiRootShield
+  # Enterprise policy management for customizable security rules and compliance
+  class EnterprisePolicyManager
+    # Default enterprise policy template
+    DEFAULT_POLICY = {
+      "version" => "1.0",
+      "name" => "Default Enterprise Policy",
+      "description" => "Standard enterprise security policy",
+      "minimum_security_level" => 70,
+      "compliance_rules" => {
+        "device_requirements" => {
+          "allow_rooted_devices" => false,
+          "allow_jailbroken_devices" => false,
+          "allow_emulators" => false,
+          "require_screen_lock" => true,
+          "minimum_os_version" => {
+            "android" => "8.0",
+            "ios" => "12.0"
+          }
+        },
+        "network_security" => {
+          "allow_vpn" => true,
+          "allow_proxy" => false,
+          "allow_tor" => false,
+          "require_certificate_pinning" => true,
+          "allowed_dns_servers" => [],
+          "blocked_dns_servers" => []
+        },
+        "application_integrity" => {
+          "allow_debug_builds" => false,
+          "allow_repackaged_apps" => false,
+          "require_code_signing" => true,
+          "allowed_certificate_issuers" => []
+        },
+        "runtime_protection" => {
+          "enable_rasp" => true,
+          "allow_debugging" => false,
+          "allow_hooking_frameworks" => false,
+          "enable_tamper_detection" => true
+        }
+      },
+      "risk_thresholds" => {
+        "low" => 20,
+        "medium" => 50,
+        "high" => 70,
+        "critical" => 90
+      },
+      "actions" => {
+        "on_policy_violation" => "block",
+        "on_high_risk" => "alert",
+        "on_critical_risk" => "block",
+        "custom_actions" => {}
+      },
+      "reporting" => {
+        "enable_audit_logs" => true,
+        "log_level" => "info",
+        "retention_days" => 90
+      }
+    }.freeze
+    # Policy violation severity levels
+    VIOLATION_LEVELS = %w[info warning critical].freeze
+    def initialize(policy_config = nil)
+      @policy = load_policy(policy_config)
+      @violations = []
+      @compliance_cache = {}
+      @audit_logs = []
+    end
+    # Load policy from file or use provided configuration
+    # @param policy_source [String, Hash, nil] Policy file path, hash, or nil for default
+    # @return [Hash] Loaded policy
+    def load_policy(policy_source = nil)
+      case policy_source
+      when String
+        load_policy_from_file(policy_source)
+      when Hash
+        merge_with_default_policy(policy_source)
+      when nil
+        DEFAULT_POLICY.dup
+      else
+        raise ArgumentError, "Invalid policy source type: #{policy_source.class}"
+      end
+    end
+    # Validate device compliance against enterprise policy
+    # @param scan_result [Hash] Device scan result from AI Root Shield
+    # @return [Hash] Compliance validation result
+    def validate_compliance(scan_result)
+      compliance_result = {
+        compliant: true,
+        violations: [],
+        risk_assessment: {},
+        recommended_actions: [],
+        policy_version: @policy["version"],
+        validation_timestamp: Time.now.to_f
+      }
+      # Check device requirements
+      compliance_result = validate_device_requirements(scan_result, compliance_result)
+      # Check network security
+      compliance_result = validate_network_security(scan_result, compliance_result)
+      # Check application integrity
+      compliance_result = validate_application_integrity(scan_result, compliance_result)
+      # Check runtime protection
+      compliance_result = validate_runtime_protection(scan_result, compliance_result)
+      # Assess overall risk against thresholds
+      compliance_result = assess_risk_thresholds(scan_result, compliance_result)
+      # Determine final compliance status
+      compliance_result[:compliant] = compliance_result[:violations].empty?
+      # Log compliance check
+      log_compliance_check(scan_result, compliance_result)
+      compliance_result
+    end
+    # Check if minimum security level is met
+    # @param risk_score [Integer] Current risk score
+    # @return [Boolean] True if minimum security level is met
+    def meets_minimum_security_level?(risk_score)
+      minimum_level = @policy["minimum_security_level"]
+      (100 - risk_score) >= minimum_level
+    end
+    # Get policy configuration
+    # @return [Hash] Current policy configuration
+    def policy_configuration
+      @policy.dup
+    end
+    # Update policy configuration
+    # @param new_policy [Hash] New policy configuration
+    def update_policy(new_policy)
+      @policy = merge_with_default_policy(new_policy)
+      clear_compliance_cache
+      log_audit_event("policy_updated", "Enterprise policy configuration updated")
+    end
+    # Get compliance violations
+    # @return [Array<Hash>] List of compliance violations
+    def compliance_violations
+      @violations.dup
+    end
+    # Get audit logs
+    # @return [Array<Hash>] Audit log entries
+    def audit_logs
+      @audit_logs.dup
+    end
+    # Clear compliance cache
+    def clear_compliance_cache
+      @compliance_cache.clear
+    end
+    # Export policy to JSON
+    # @return [String] Policy as JSON string
+    def export_policy
+      JSON.pretty_generate(@policy)
+    end
+    # Import policy from JSON
+    # @param json_policy [String] Policy as JSON string
+    def import_policy(json_policy)
+      policy_hash = JSON.parse(json_policy)
+      update_policy(policy_hash)
+    end
+    # Get policy statistics
+    # @return [Hash] Policy usage statistics
+    def policy_statistics
+      {
+        policy_version: @policy["version"],
+        total_violations: @violations.size,
+        violation_types: @violations.group_by { |v| v[:type] }.transform_values(&:size),
+        compliance_checks: @compliance_cache.size,
+        audit_log_entries: @audit_logs.size,
+        last_policy_update: @audit_logs.reverse.find { |log| log[:event] == "policy_updated" }&.dig(:timestamp)
+      }
+    end
+    private
+    def load_policy_from_file(file_path)
+      unless File.exist?(file_path)
+        raise ArgumentError, "Policy file not found: #{file_path}"
+      end
+      policy_content = File.read(file_path)
+      policy_hash = JSON.parse(policy_content)
+      merge_with_default_policy(policy_hash)
+    rescue JSON::ParserError => e
+      raise ArgumentError, "Invalid JSON in policy file: #{e.message}"
+    end
+    def merge_with_default_policy(custom_policy)
+      # Deep merge custom policy with default policy
+      deep_merge(DEFAULT_POLICY.dup, custom_policy)
+    end
+    def deep_merge(hash1, hash2)
+      hash1.merge(hash2) do |key, old_val, new_val|
+        if old_val.is_a?(Hash) && new_val.is_a?(Hash)
+          deep_merge(old_val, new_val)
+        else
+          new_val
+        end
+      end
+    end
+    def validate_device_requirements(scan_result, compliance_result)
+      device_rules = @policy.dig("compliance_rules", "device_requirements") || {}
+      # Check rooted/jailbroken devices
+      if !device_rules["allow_rooted_devices"] && has_root_indicators?(scan_result)
+        add_violation(compliance_result, "device_rooted", "critical", "Rooted device detected")
+      end
+      if !device_rules["allow_jailbroken_devices"] && has_jailbreak_indicators?(scan_result)
+        add_violation(compliance_result, "device_jailbroken", "critical", "Jailbroken device detected")
+      end
+      # Check emulators
+      if !device_rules["allow_emulators"] && has_emulator_indicators?(scan_result)
+        add_violation(compliance_result, "emulator_detected", "warning", "Emulator/simulator detected")
+      end
+      compliance_result
+    end
+    def validate_network_security(scan_result, compliance_result)
+      network_rules = @policy.dig("compliance_rules", "network_security") || {}
+      # Check VPN usage
+      if !network_rules["allow_vpn"] && has_vpn_indicators?(scan_result)
+        add_violation(compliance_result, "vpn_detected", "warning", "VPN usage detected")
+      end
+      # Check proxy usage
+      if !network_rules["allow_proxy"] && has_proxy_indicators?(scan_result)
+        add_violation(compliance_result, "proxy_detected", "warning", "Proxy usage detected")
+      end
+      # Check Tor usage
+      if !network_rules["allow_tor"] && has_tor_indicators?(scan_result)
+        add_violation(compliance_result, "tor_detected", "critical", "Tor usage detected")
+      end
+      compliance_result
+    end
+    def validate_application_integrity(scan_result, compliance_result)
+      app_rules = @policy.dig("compliance_rules", "application_integrity") || {}
+      # Check debug builds
+      if !app_rules["allow_debug_builds"] && has_debug_indicators?(scan_result)
+        add_violation(compliance_result, "debug_build", "warning", "Debug build detected")
+      end
+      # Check repackaged apps
+      if !app_rules["allow_repackaged_apps"] && has_repackaging_indicators?(scan_result)
+        add_violation(compliance_result, "app_repackaged", "critical", "Repackaged application detected")
+      end
+      compliance_result
+    end
+    def validate_runtime_protection(scan_result, compliance_result)
+      runtime_rules = @policy.dig("compliance_rules", "runtime_protection") || {}
+      # Check debugging
+      if !runtime_rules["allow_debugging"] && has_debugging_indicators?(scan_result)
+        add_violation(compliance_result, "debugging_detected", "critical", "Runtime debugging detected")
+      end
+      # Check hooking frameworks
+      if !runtime_rules["allow_hooking_frameworks"] && has_hooking_indicators?(scan_result)
+        add_violation(compliance_result, "hooking_detected", "critical", "Hooking framework detected")
+      end
+      compliance_result
+    end
+    def assess_risk_thresholds(scan_result, compliance_result)
+      risk_score = scan_result[:risk_score] || 0
+      thresholds = @policy["risk_thresholds"] || {}
+      risk_level = case risk_score
+                   when 0..thresholds["low"]
+                     "low"
+                   when thresholds["low"]..thresholds["medium"]
+                     "medium"
+                   when thresholds["medium"]..thresholds["high"]
+                     "high"
+                   else
+                     "critical"
+                   end
+      compliance_result[:risk_assessment] = {
+        score: risk_score,
+        level: risk_level,
+        threshold_exceeded: risk_score > thresholds["high"]
+      }
+      # Add violation if risk threshold exceeded
+      if risk_score > thresholds["critical"]
+        add_violation(compliance_result, "critical_risk", "critical",
+                     "Risk score #{risk_score} exceeds critical threshold #{thresholds['critical']}")
+      elsif risk_score > thresholds["high"]
+        add_violation(compliance_result, "high_risk", "warning",
+                     "Risk score #{risk_score} exceeds high threshold #{thresholds['high']}")
+      end
+      compliance_result
+    end
+    def add_violation(compliance_result, type, severity, message)
+      violation = {
+        type: type,
+        severity: severity,
+        message: message,
+        timestamp: Time.now.to_f
+      }
+      compliance_result[:violations] << violation
+      @violations << violation
+    end
+    def has_root_indicators?(scan_result)
+      factors = scan_result[:factors] || []
+      factors.any? { |factor| factor.to_s.upcase.include?("ROOT") }
+    end
+    def has_jailbreak_indicators?(scan_result)
+      factors = scan_result[:factors] || []
+      factors.any? { |factor| factor.to_s.upcase.include?("JAILBREAK") || factor.to_s.upcase.include?("CYDIA") }
+    end
+    def has_emulator_indicators?(scan_result)
+      factors = scan_result[:factors] || []
+      factors.any? { |factor| factor.to_s.upcase.include?("EMULATOR") || factor.to_s.upcase.include?("SIMULATOR") }
+    end
+    def has_vpn_indicators?(scan_result)
+      factors = scan_result[:factors] || []
+      factors.any? { |factor|
+        factor_str = factor.to_s.upcase
+        factor_str.include?("VPN") || factor_str.include?("NETWORK_VPN_SERVICE_DETECTED")
+      }
+    end
+    def has_proxy_indicators?(scan_result)
+      factors = scan_result[:factors] || []
+      factors.any? { |factor| factor.to_s.upcase.include?("PROXY") }
+    end
+    def has_tor_indicators?(scan_result)
+      factors = scan_result[:factors] || []
+      factors.any? { |factor| factor.to_s.upcase.include?("TOR") }
+    end
+    def has_debug_indicators?(scan_result)
+      factors = scan_result[:factors] || []
+      factors.any? { |factor| factor.to_s.upcase.include?("DEBUG") }
+    end
+    def has_repackaging_indicators?(scan_result)
+      factors = scan_result[:factors] || []
+      factors.any? { |factor| factor.to_s.upcase.include?("REPACKAG") }
+    end
+    def has_debugging_indicators?(scan_result)
+      rasp_status = scan_result[:rasp_status] || {}
+      rasp_status.dig(:events_detected).to_i > 0
+    end
+    def has_hooking_indicators?(scan_result)
+      factors = scan_result[:factors] || []
+      factors.any? { |factor| factor.to_s.upcase.include?("FRIDA") || factor.to_s.upcase.include?("XPOSED") }
+    end
+    def log_compliance_check(scan_result, compliance_result)
+      return unless @policy.dig("reporting", "enable_audit_logs")
+      log_audit_event("compliance_check", "Device compliance validation performed", {
+        device_id: scan_result[:device_id],
+        risk_score: scan_result[:risk_score],
+        compliant: compliance_result[:compliant],
+        violations_count: compliance_result[:violations].size
+      })
+      # Update compliance cache for statistics
+      @compliance_cache[scan_result[:device_id]] = compliance_result
+    end
+    def log_audit_event(event_type, message, details = {})
+      return unless @policy.dig("reporting", "enable_audit_logs")
+      audit_entry = {
+        event: event_type,
+        message: message,
+        details: details,
+        timestamp: Time.now.to_f,
+        policy_version: @policy["version"]
+      }
+      @audit_logs << audit_entry
+      # Clean up old logs based on retention policy
+      cleanup_old_logs
+    end
+    def cleanup_old_logs
+      retention_days = @policy.dig("reporting", "retention_days") || 90
+      cutoff_time = Time.now.to_f - (retention_days * 24 * 60 * 60)
+      @audit_logs.reject! { |log| log[:timestamp] < cutoff_time }
+    end
+  end
+end