ai_root_shield 0.3.0 → 0.5.0

data/lib/ai_root_shield/advanced_proxy_detector.rb

@@ -0,0 +1,406 @@
+# frozen_string_literal: true
+
+require "resolv"
+require "net/http"
+require "ipaddr"
+
+module AiRootShield
+  # Advanced proxy detection for VPN, Tor, custom DNS, and MITM appliances
+  class AdvancedProxyDetector
+    # Known Tor exit node IP ranges and identifiers
+    TOR_INDICATORS = {
+      dns_names: [
+        "tor-exit", "torservers", "artikel5ev", "privacyfoundation",
+        "torproject", "exitnode", "tor-relay"
+      ],
+      asn_patterns: [
+        /tor/i, /privacy/i, /anonymous/i, /vpn/i
+      ]
+    }.freeze
+
+    # Common VPN provider indicators
+    VPN_INDICATORS = {
+      dns_patterns: [
+        /vpn/i, /proxy/i, /tunnel/i, /shield/i, /secure/i,
+        /private/i, /anonymous/i, /hide/i, /mask/i
+      ],
+      asn_patterns: [
+        /vpn/i, /virtual private/i, /proxy/i, /datacenter/i,
+        /hosting/i, /cloud/i, /server/i
+      ],
+      known_providers: [
+        "nordvpn", "expressvpn", "surfshark", "cyberghost", "pia",
+        "mullvad", "protonvpn", "windscribe", "tunnelbear", "hotspotshield"
+      ]
+    }.freeze
+
+    # MITM appliance indicators
+    MITM_INDICATORS = {
+      certificate_issuers: [
+        /blue coat/i, /websense/i, /forcepoint/i, /zscaler/i,
+        /checkpoint/i, /palo alto/i, /fortinet/i, /sophos/i,
+        /mcafee/i, /symantec/i, /broadcom/i
+      ],
+      proxy_headers: [
+        "x-bluecoat-via", "x-forwarded-for", "x-real-ip",
+        "x-proxy-id", "x-cache", "via", "x-forwarded-proto"
+      ]
+    }.freeze
+
+    # Custom DNS server indicators
+    CUSTOM_DNS_INDICATORS = {
+      public_dns: [
+        "8.8.8.8", "8.8.4.4",           # Google
+        "1.1.1.1", "1.0.0.1",           # Cloudflare
+        "208.67.222.222", "208.67.220.220", # OpenDNS
+        "9.9.9.9", "149.112.112.112"    # Quad9
+      ],
+      privacy_dns: [
+        "94.140.14.14", "94.140.15.15", # AdGuard
+        "76.76.19.19", "76.223.100.101", # Alternate DNS
+        "185.228.168.9", "185.228.169.9" # CleanBrowsing
+      ]
+    }.freeze
+
+    def initialize(config = {})
+      @config = {
+        enable_tor_detection: true,
+        enable_vpn_detection: true,
+        enable_mitm_detection: true,
+        enable_dns_detection: true,
+        timeout: 5,
+        max_retries: 2,
+        use_external_apis: false
+      }.merge(config)
+      
+      @detection_cache = {}
+      @last_detection_time = {}
+    end
+
+    # Perform comprehensive proxy detection
+    # @param target_ip [String] IP address to analyze
+    # @param additional_data [Hash] Additional network data
+    # @return [Hash] Detection results
+    def detect_proxy(target_ip, additional_data = {})
+      return cached_result(target_ip) if cached_and_fresh?(target_ip)
+      
+      results = {
+        ip_address: target_ip,
+        timestamp: Time.now.to_f,
+        proxy_detected: false,
+        proxy_types: [],
+        confidence_score: 0.0,
+        indicators: [],
+        details: {}
+      }
+      
+      # Perform different detection methods
+      results = detect_tor_exit_node(target_ip, results) if @config[:enable_tor_detection]
+      results = detect_vpn_service(target_ip, results) if @config[:enable_vpn_detection]
+      results = detect_mitm_appliance(target_ip, additional_data, results) if @config[:enable_mitm_detection]
+      results = detect_custom_dns(additional_data, results) if @config[:enable_dns_detection]
+      
+      # Calculate overall confidence
+      results[:confidence_score] = calculate_confidence_score(results)
+      results[:proxy_detected] = results[:confidence_score] > 0.5
+      
+      # Cache results
+      cache_result(target_ip, results)
+      
+      results
+    end
+
+    # Detect Tor exit nodes
+    # @param ip [String] IP address to check
+    # @param results [Hash] Current results hash
+    # @return [Hash] Updated results
+    def detect_tor_exit_node(ip, results)
+      tor_indicators = []
+      
+      # Check reverse DNS for Tor indicators
+      begin
+        hostname = Resolv.getname(ip)
+        TOR_INDICATORS[:dns_names].each do |indicator|
+          if hostname.downcase.include?(indicator)
+            tor_indicators << "tor_dns_pattern: #{indicator}"
+          end
+        end
+      rescue Resolv::ResolvError
+        # No reverse DNS available
+      end
+      
+      # Check if IP is in known Tor exit node lists (if external APIs enabled)
+      if @config[:use_external_apis]
+        tor_indicators.concat(check_tor_exit_lists(ip))
+      end
+      
+      # Check for Tor-specific network characteristics
+      tor_indicators.concat(analyze_tor_network_characteristics(ip))
+      
+      unless tor_indicators.empty?
+        results[:proxy_types] << "tor_exit_node"
+        results[:indicators].concat(tor_indicators)
+        results[:details][:tor] = {
+          detected: true,
+          indicators: tor_indicators,
+          risk_level: "high"
+        }
+      end
+      
+      results
+    end
+
+    # Detect VPN services
+    # @param ip [String] IP address to check
+    # @param results [Hash] Current results hash
+    # @return [Hash] Updated results
+    def detect_vpn_service(ip, results)
+      vpn_indicators = []
+      
+      # Check reverse DNS for VPN patterns
+      begin
+        hostname = Resolv.getname(ip)
+        VPN_INDICATORS[:dns_patterns].each do |pattern|
+          if hostname.match?(pattern)
+            vpn_indicators << "vpn_dns_pattern: #{pattern}"
+          end
+        end
+        
+        # Check for known VPN providers
+        VPN_INDICATORS[:known_providers].each do |provider|
+          if hostname.downcase.include?(provider)
+            vpn_indicators << "known_vpn_provider: #{provider}"
+          end
+        end
+      rescue Resolv::ResolvError
+        # No reverse DNS available
+      end
+      
+      # Check ASN information for VPN characteristics
+      vpn_indicators.concat(analyze_asn_for_vpn(ip))
+      
+      # Check for datacenter/hosting characteristics
+      vpn_indicators.concat(analyze_hosting_characteristics(ip))
+      
+      unless vpn_indicators.empty?
+        results[:proxy_types] << "vpn_service"
+        results[:indicators].concat(vpn_indicators)
+        results[:details][:vpn] = {
+          detected: true,
+          indicators: vpn_indicators,
+          risk_level: "medium"
+        }
+      end
+      
+      results
+    end
+
+    # Detect MITM appliances
+    # @param ip [String] IP address to check
+    # @param additional_data [Hash] Additional network data
+    # @param results [Hash] Current results hash
+    # @return [Hash] Updated results
+    def detect_mitm_appliance(ip, additional_data, results)
+      mitm_indicators = []
+      
+      # Check for MITM certificate issuers
+      if additional_data[:certificates]
+        additional_data[:certificates].each do |cert_info|
+          issuer = cert_info[:issuer] || ""
+          MITM_INDICATORS[:certificate_issuers].each do |pattern|
+            if issuer.match?(pattern)
+              mitm_indicators << "mitm_certificate_issuer: #{pattern}"
+            end
+          end
+        end
+      end
+      
+      # Check for proxy headers
+      if additional_data[:http_headers]
+        MITM_INDICATORS[:proxy_headers].each do |header|
+          if additional_data[:http_headers].key?(header.downcase)
+            mitm_indicators << "proxy_header_detected: #{header}"
+          end
+        end
+      end
+      
+      # Check for transparent proxy characteristics
+      mitm_indicators.concat(detect_transparent_proxy(ip, additional_data))
+      
+      unless mitm_indicators.empty?
+        results[:proxy_types] << "mitm_appliance"
+        results[:indicators].concat(mitm_indicators)
+        results[:details][:mitm] = {
+          detected: true,
+          indicators: mitm_indicators,
+          risk_level: "high"
+        }
+      end
+      
+      results
+    end
+
+    # Detect custom DNS configuration
+    # @param additional_data [Hash] Additional network data
+    # @param results [Hash] Current results hash
+    # @return [Hash] Updated results
+    def detect_custom_dns(additional_data, results)
+      dns_indicators = []
+      
+      # Check configured DNS servers
+      if additional_data[:dns_servers]
+        dns_servers = Array(additional_data[:dns_servers])
+        
+        dns_servers.each do |dns_server|
+          # Check for public DNS services
+          if CUSTOM_DNS_INDICATORS[:public_dns].include?(dns_server)
+            dns_indicators << "public_dns_detected: #{dns_server}"
+          elsif CUSTOM_DNS_INDICATORS[:privacy_dns].include?(dns_server)
+            dns_indicators << "privacy_dns_detected: #{dns_server}"
+          elsif !is_isp_dns?(dns_server)
+            dns_indicators << "custom_dns_detected: #{dns_server}"
+          end
+        end
+      end
+      
+      # Check for DNS over HTTPS/TLS usage
+      if additional_data[:doh_enabled] || additional_data[:dot_enabled]
+        dns_indicators << "encrypted_dns_detected"
+      end
+      
+      unless dns_indicators.empty?
+        results[:proxy_types] << "custom_dns"
+        results[:indicators].concat(dns_indicators)
+        results[:details][:dns] = {
+          detected: true,
+          indicators: dns_indicators,
+          risk_level: "low"
+        }
+      end
+      
+      results
+    end
+
+    # Get detection statistics
+    # @return [Hash] Detection statistics
+    def detection_statistics
+      {
+        total_detections: @detection_cache.size,
+        cache_hits: @detection_cache.values.count { |v| v[:cached] },
+        detection_types: @detection_cache.values.flat_map { |v| v[:proxy_types] }.tally,
+        average_confidence: calculate_average_confidence,
+        last_detection: @last_detection_time.values.max
+      }
+    end
+
+    # Clear detection cache
+    def clear_cache
+      @detection_cache.clear
+      @last_detection_time.clear
+    end
+
+    private
+
+    def cached_and_fresh?(ip, ttl = 300)
+      return false unless @detection_cache[ip]
+      return false unless @last_detection_time[ip]
+      
+      Time.now.to_f - @last_detection_time[ip] < ttl
+    end
+
+    def cached_result(ip)
+      result = @detection_cache[ip].dup
+      result[:cached] = true
+      result
+    end
+
+    def cache_result(ip, results)
+      @detection_cache[ip] = results
+      @last_detection_time[ip] = Time.now.to_f
+    end
+
+    def calculate_confidence_score(results)
+      base_score = 0.0
+      
+      # Weight different proxy types
+      type_weights = {
+        "tor_exit_node" => 0.9,
+        "mitm_appliance" => 0.8,
+        "vpn_service" => 0.6,
+        "custom_dns" => 0.3
+      }
+      
+      results[:proxy_types].each do |type|
+        base_score += type_weights[type] || 0.5
+      end
+      
+      # Factor in number of indicators
+      indicator_bonus = [results[:indicators].size * 0.1, 0.3].min
+      
+      # Cap at 1.0
+      [base_score + indicator_bonus, 1.0].min
+    end
+
+    def check_tor_exit_lists(ip)
+      # Placeholder for external Tor exit node list checking
+      # In production, this would query Tor directory authorities
+      []
+    end
+
+    def analyze_tor_network_characteristics(ip)
+      indicators = []
+      
+      # Check for common Tor exit node ports
+      common_tor_ports = [80, 443, 993, 995]
+      # This would require actual port scanning in production
+      
+      indicators
+    end
+
+    def analyze_asn_for_vpn(ip)
+      indicators = []
+      
+      # This would require ASN lookup in production
+      # For now, return empty array
+      
+      indicators
+    end
+
+    def analyze_hosting_characteristics(ip)
+      indicators = []
+      
+      # Check if IP is in known datacenter ranges
+      # This would require GeoIP database in production
+      
+      indicators
+    end
+
+    def detect_transparent_proxy(ip, additional_data)
+      indicators = []
+      
+      # Check for transparent proxy indicators
+      if additional_data[:tcp_timestamp_anomaly]
+        indicators << "tcp_timestamp_anomaly"
+      end
+      
+      if additional_data[:ttl_anomaly]
+        indicators << "ttl_hop_anomaly"
+      end
+      
+      indicators
+    end
+
+    def is_isp_dns?(dns_server)
+      # Check if DNS server belongs to common ISP ranges
+      # This would require ISP database lookup in production
+      false
+    end
+
+    def calculate_average_confidence
+      return 0.0 if @detection_cache.empty?
+      
+      total_confidence = @detection_cache.values.sum { |v| v[:confidence_score] }
+      total_confidence / @detection_cache.size
+    end
+  end
+end

data/lib/ai_root_shield/certificate_pinning_helper.rb

@@ -0,0 +1,258 @@
+# frozen_string_literal: true
+
+require "openssl"
+require "net/http"
+require "uri"
+
+module AiRootShield
+  # Certificate pinning helper for TLS public key pinning integration
+  class CertificatePinningHelper
+    # Supported hash algorithms for pinning
+    SUPPORTED_ALGORITHMS = %w[sha256 sha1].freeze
+    
+    # Common certificate authorities and their pins
+    COMMON_CA_PINS = {
+      "letsencrypt" => [
+        "sha256/YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=", # ISRG Root X1
+        "sha256/sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis="  # ISRG Root X2
+      ],
+      "digicert" => [
+        "sha256/WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=", # DigiCert Global Root G2
+        "sha256/RRM1dGqnDFsCJXBTHky16vi1obOlCgFFn/yOhI/y+ho="  # DigiCert Global Root CA
+      ],
+      "google" => [
+        "sha256/KwccWaCgrnaw6tsrrSO61FgLacNgG2MMLq8GE6+oP5I=", # GTS Root R1
+        "sha256/FEzVOUp4dF3gI0ZVPRJhFbSD608T5Wx5Bp0+jBw/gQo="  # GTS Root R2
+      ]
+    }.freeze
+
+    def initialize(config = {})
+      @config = {
+        algorithm: "sha256",
+        backup_pins: [],
+        pin_validation_enabled: true,
+        allow_backup_pins: true,
+        strict_mode: false
+      }.merge(config)
+      
+      @pinned_hosts = {}
+      @validation_cache = {}
+    end
+
+    # Add certificate pin for a host
+    # @param host [String] Hostname to pin
+    # @param pins [Array<String>] Array of certificate pins
+    # @param options [Hash] Additional options
+    def add_pin(host, pins, options = {})
+      normalized_host = normalize_host(host)
+      
+      @pinned_hosts[normalized_host] = {
+        pins: Array(pins),
+        algorithm: options[:algorithm] || @config[:algorithm],
+        backup_pins: options[:backup_pins] || [],
+        strict_mode: options[:strict_mode] || @config[:strict_mode],
+        added_at: Time.now
+      }
+    end
+
+    # Validate certificate chain against pinned certificates
+    # @param host [String] Hostname being validated
+    # @param cert_chain [Array<OpenSSL::X509::Certificate>] Certificate chain
+    # @return [Hash] Validation result
+    def validate_pin(host, cert_chain)
+      normalized_host = normalize_host(host)
+      pin_config = @pinned_hosts[normalized_host]
+      
+      return { valid: true, reason: "no_pin_configured" } unless pin_config
+      
+      # Check cache first
+      cache_key = generate_cache_key(host, cert_chain)
+      return @validation_cache[cache_key] if @validation_cache[cache_key]
+      
+      result = perform_pin_validation(pin_config, cert_chain)
+      
+      # Cache result for performance
+      @validation_cache[cache_key] = result
+      
+      result
+    end
+
+    # Extract certificate pin from certificate
+    # @param certificate [OpenSSL::X509::Certificate] Certificate to extract pin from
+    # @param algorithm [String] Hash algorithm to use
+    # @return [String] Certificate pin
+    def extract_pin(certificate, algorithm = "sha256")
+      public_key_der = certificate.public_key.to_der
+      
+      case algorithm.downcase
+      when "sha256"
+        digest = OpenSSL::Digest::SHA256.digest(public_key_der)
+        "sha256/#{[digest].pack('m0')}"
+      when "sha1"
+        digest = OpenSSL::Digest::SHA1.digest(public_key_der)
+        "sha1/#{[digest].pack('m0')}"
+      else
+        raise ArgumentError, "Unsupported algorithm: #{algorithm}"
+      end
+    end
+
+    # Get certificate chain from URL
+    # @param url [String] URL to get certificate chain from
+    # @return [Array<OpenSSL::X509::Certificate>] Certificate chain
+    def get_certificate_chain(url)
+      uri = URI.parse(url)
+      return [] unless uri.scheme == "https"
+      
+      cert_chain = []
+      
+      begin
+        tcp_socket = TCPSocket.new(uri.host, uri.port || 443)
+        ssl_context = OpenSSL::SSL::SSLContext.new
+        ssl_context.verify_mode = OpenSSL::SSL::VERIFY_NONE
+        
+        ssl_socket = OpenSSL::SSL::SSLSocket.new(tcp_socket, ssl_context)
+        ssl_socket.hostname = uri.host
+        ssl_socket.connect
+        
+        cert_chain = ssl_socket.peer_cert_chain || []
+        
+        ssl_socket.close
+        tcp_socket.close
+      rescue => e
+        # Log error but don't raise to allow graceful handling
+        warn "Certificate chain retrieval failed for #{url}: #{e.message}"
+      end
+      
+      cert_chain
+    end
+
+    # Generate pins for a URL
+    # @param url [String] URL to generate pins for
+    # @param algorithm [String] Hash algorithm to use
+    # @return [Array<String>] Generated pins
+    def generate_pins_for_url(url, algorithm = "sha256")
+      cert_chain = get_certificate_chain(url)
+      return [] if cert_chain.empty?
+      
+      cert_chain.map { |cert| extract_pin(cert, algorithm) }
+    end
+
+    # Validate current pinning configuration
+    # @return [Hash] Validation report
+    def validate_configuration
+      report = {
+        total_pins: @pinned_hosts.size,
+        valid_pins: 0,
+        invalid_pins: 0,
+        issues: []
+      }
+      
+      @pinned_hosts.each do |host, config|
+        begin
+          # Test connectivity and pin validation
+          test_url = "https://#{host}"
+          cert_chain = get_certificate_chain(test_url)
+          
+          if cert_chain.empty?
+            report[:issues] << "Cannot retrieve certificate chain for #{host}"
+            report[:invalid_pins] += 1
+          else
+            validation_result = perform_pin_validation(config, cert_chain)
+            if validation_result[:valid]
+              report[:valid_pins] += 1
+            else
+              report[:invalid_pins] += 1
+              report[:issues] << "Pin validation failed for #{host}: #{validation_result[:reason]}"
+            end
+          end
+        rescue => e
+          report[:invalid_pins] += 1
+          report[:issues] << "Error validating #{host}: #{e.message}"
+        end
+      end
+      
+      report
+    end
+
+    # Get pinning status for all configured hosts
+    # @return [Hash] Pinning status
+    def pinning_status
+      {
+        enabled: @config[:pin_validation_enabled],
+        total_hosts: @pinned_hosts.size,
+        hosts: @pinned_hosts.keys,
+        cache_size: @validation_cache.size,
+        configuration: @config
+      }
+    end
+
+    # Clear validation cache
+    def clear_cache
+      @validation_cache.clear
+    end
+
+    # Remove pin for host
+    # @param host [String] Host to remove pin for
+    def remove_pin(host)
+      normalized_host = normalize_host(host)
+      @pinned_hosts.delete(normalized_host)
+      
+      # Clear related cache entries
+      @validation_cache.delete_if { |key, _| key.include?(normalized_host) }
+    end
+
+    # Load pins from common CA configurations
+    # @param ca_name [String] CA name (letsencrypt, digicert, google)
+    # @param hosts [Array<String>] Hosts to apply CA pins to
+    def load_ca_pins(ca_name, hosts)
+      ca_pins = COMMON_CA_PINS[ca_name.downcase]
+      raise ArgumentError, "Unknown CA: #{ca_name}" unless ca_pins
+      
+      Array(hosts).each do |host|
+        add_pin(host, ca_pins, backup_pins: ca_pins)
+      end
+    end
+
+    private
+
+    def normalize_host(host)
+      # Remove protocol and path, keep only hostname
+      host.gsub(/^https?:\/\//, "").split("/").first.downcase
+    end
+
+    def generate_cache_key(host, cert_chain)
+      cert_fingerprints = cert_chain.map { |cert| cert.to_der }.join
+      "#{normalize_host(host)}_#{Digest::SHA256.hexdigest(cert_fingerprints)}"
+    end
+
+    def perform_pin_validation(pin_config, cert_chain)
+      return { valid: false, reason: "empty_certificate_chain" } if cert_chain.empty?
+      
+      algorithm = pin_config[:algorithm]
+      expected_pins = pin_config[:pins] + (pin_config[:backup_pins] || [])
+      
+      # Extract pins from certificate chain
+      actual_pins = cert_chain.map { |cert| extract_pin(cert, algorithm) }
+      
+      # Check if any actual pin matches expected pins
+      matching_pins = actual_pins & expected_pins
+      
+      if matching_pins.any?
+        {
+          valid: true,
+          reason: "pin_match_found",
+          matched_pins: matching_pins,
+          algorithm: algorithm
+        }
+      else
+        {
+          valid: false,
+          reason: "no_pin_match",
+          expected_pins: expected_pins,
+          actual_pins: actual_pins,
+          algorithm: algorithm
+        }
+      end
+    end
+  end
+end