ai_root_shield 0.3.0 → 0.5.0

data/lib/ai_root_shield/enterprise_policy_manager.rb

@@ -0,0 +1,431 @@
+# frozen_string_literal: true
+
+require "json"
+
+module AiRootShield
+  # Enterprise policy management for customizable security rules and compliance
+  class EnterprisePolicyManager
+    # Default enterprise policy template
+    DEFAULT_POLICY = {
+      "version" => "1.0",
+      "name" => "Default Enterprise Policy",
+      "description" => "Standard enterprise security policy",
+      "minimum_security_level" => 70,
+      "compliance_rules" => {
+        "device_requirements" => {
+          "allow_rooted_devices" => false,
+          "allow_jailbroken_devices" => false,
+          "allow_emulators" => false,
+          "require_screen_lock" => true,
+          "minimum_os_version" => {
+            "android" => "8.0",
+            "ios" => "12.0"
+          }
+        },
+        "network_security" => {
+          "allow_vpn" => true,
+          "allow_proxy" => false,
+          "allow_tor" => false,
+          "require_certificate_pinning" => true,
+          "allowed_dns_servers" => [],
+          "blocked_dns_servers" => []
+        },
+        "application_integrity" => {
+          "allow_debug_builds" => false,
+          "allow_repackaged_apps" => false,
+          "require_code_signing" => true,
+          "allowed_certificate_issuers" => []
+        },
+        "runtime_protection" => {
+          "enable_rasp" => true,
+          "allow_debugging" => false,
+          "allow_hooking_frameworks" => false,
+          "enable_tamper_detection" => true
+        }
+      },
+      "risk_thresholds" => {
+        "low" => 20,
+        "medium" => 50,
+        "high" => 70,
+        "critical" => 90
+      },
+      "actions" => {
+        "on_policy_violation" => "block",
+        "on_high_risk" => "alert",
+        "on_critical_risk" => "block",
+        "custom_actions" => {}
+      },
+      "reporting" => {
+        "enable_audit_logs" => true,
+        "log_level" => "info",
+        "retention_days" => 90
+      }
+    }.freeze
+
+    # Policy violation severity levels
+    VIOLATION_LEVELS = %w[info warning critical].freeze
+
+    def initialize(policy_config = nil)
+      @policy = load_policy(policy_config)
+      @violations = []
+      @compliance_cache = {}
+      @audit_logs = []
+    end
+
+    # Load policy from file or use provided configuration
+    # @param policy_source [String, Hash, nil] Policy file path, hash, or nil for default
+    # @return [Hash] Loaded policy
+    def load_policy(policy_source = nil)
+      case policy_source
+      when String
+        load_policy_from_file(policy_source)
+      when Hash
+        merge_with_default_policy(policy_source)
+      when nil
+        DEFAULT_POLICY.dup
+      else
+        raise ArgumentError, "Invalid policy source type: #{policy_source.class}"
+      end
+    end
+
+    # Validate device compliance against enterprise policy
+    # @param scan_result [Hash] Device scan result from AI Root Shield
+    # @return [Hash] Compliance validation result
+    def validate_compliance(scan_result)
+      compliance_result = {
+        compliant: true,
+        violations: [],
+        risk_assessment: {},
+        recommended_actions: [],
+        policy_version: @policy["version"],
+        validation_timestamp: Time.now.to_f
+      }
+
+      # Check device requirements
+      compliance_result = validate_device_requirements(scan_result, compliance_result)
+      
+      # Check network security
+      compliance_result = validate_network_security(scan_result, compliance_result)
+      
+      # Check application integrity
+      compliance_result = validate_application_integrity(scan_result, compliance_result)
+      
+      # Check runtime protection
+      compliance_result = validate_runtime_protection(scan_result, compliance_result)
+      
+      # Assess overall risk against thresholds
+      compliance_result = assess_risk_thresholds(scan_result, compliance_result)
+      
+      # Determine final compliance status
+      compliance_result[:compliant] = compliance_result[:violations].empty?
+      
+      # Log compliance check
+      log_compliance_check(scan_result, compliance_result)
+      
+      compliance_result
+    end
+
+    # Check if minimum security level is met
+    # @param risk_score [Integer] Current risk score
+    # @return [Boolean] True if minimum security level is met
+    def meets_minimum_security_level?(risk_score)
+      minimum_level = @policy["minimum_security_level"]
+      (100 - risk_score) >= minimum_level
+    end
+
+    # Get policy configuration
+    # @return [Hash] Current policy configuration
+    def policy_configuration
+      @policy.dup
+    end
+
+    # Update policy configuration
+    # @param new_policy [Hash] New policy configuration
+    def update_policy(new_policy)
+      @policy = merge_with_default_policy(new_policy)
+      clear_compliance_cache
+      log_audit_event("policy_updated", "Enterprise policy configuration updated")
+    end
+
+    # Get compliance violations
+    # @return [Array<Hash>] List of compliance violations
+    def compliance_violations
+      @violations.dup
+    end
+
+    # Get audit logs
+    # @return [Array<Hash>] Audit log entries
+    def audit_logs
+      @audit_logs.dup
+    end
+
+    # Clear compliance cache
+    def clear_compliance_cache
+      @compliance_cache.clear
+    end
+
+    # Export policy to JSON
+    # @return [String] Policy as JSON string
+    def export_policy
+      JSON.pretty_generate(@policy)
+    end
+
+    # Import policy from JSON
+    # @param json_policy [String] Policy as JSON string
+    def import_policy(json_policy)
+      policy_hash = JSON.parse(json_policy)
+      update_policy(policy_hash)
+    end
+
+    # Get policy statistics
+    # @return [Hash] Policy usage statistics
+    def policy_statistics
+      {
+        policy_version: @policy["version"],
+        total_violations: @violations.size,
+        violation_types: @violations.group_by { |v| v[:type] }.transform_values(&:size),
+        compliance_checks: @compliance_cache.size,
+        audit_log_entries: @audit_logs.size,
+        last_policy_update: @audit_logs.reverse.find { |log| log[:event] == "policy_updated" }&.dig(:timestamp)
+      }
+    end
+
+    private
+
+    def load_policy_from_file(file_path)
+      unless File.exist?(file_path)
+        raise ArgumentError, "Policy file not found: #{file_path}"
+      end
+      
+      policy_content = File.read(file_path)
+      policy_hash = JSON.parse(policy_content)
+      merge_with_default_policy(policy_hash)
+    rescue JSON::ParserError => e
+      raise ArgumentError, "Invalid JSON in policy file: #{e.message}"
+    end
+
+    def merge_with_default_policy(custom_policy)
+      # Deep merge custom policy with default policy
+      deep_merge(DEFAULT_POLICY.dup, custom_policy)
+    end
+
+    def deep_merge(hash1, hash2)
+      hash1.merge(hash2) do |key, old_val, new_val|
+        if old_val.is_a?(Hash) && new_val.is_a?(Hash)
+          deep_merge(old_val, new_val)
+        else
+          new_val
+        end
+      end
+    end
+
+    def validate_device_requirements(scan_result, compliance_result)
+      device_rules = @policy.dig("compliance_rules", "device_requirements") || {}
+      
+      # Check rooted/jailbroken devices
+      if !device_rules["allow_rooted_devices"] && has_root_indicators?(scan_result)
+        add_violation(compliance_result, "device_rooted", "critical", "Rooted device detected")
+      end
+      
+      if !device_rules["allow_jailbroken_devices"] && has_jailbreak_indicators?(scan_result)
+        add_violation(compliance_result, "device_jailbroken", "critical", "Jailbroken device detected")
+      end
+      
+      # Check emulators
+      if !device_rules["allow_emulators"] && has_emulator_indicators?(scan_result)
+        add_violation(compliance_result, "emulator_detected", "warning", "Emulator/simulator detected")
+      end
+      
+      compliance_result
+    end
+
+    def validate_network_security(scan_result, compliance_result)
+      network_rules = @policy.dig("compliance_rules", "network_security") || {}
+      
+      # Check VPN usage
+      if !network_rules["allow_vpn"] && has_vpn_indicators?(scan_result)
+        add_violation(compliance_result, "vpn_detected", "warning", "VPN usage detected")
+      end
+      
+      # Check proxy usage
+      if !network_rules["allow_proxy"] && has_proxy_indicators?(scan_result)
+        add_violation(compliance_result, "proxy_detected", "warning", "Proxy usage detected")
+      end
+      
+      # Check Tor usage
+      if !network_rules["allow_tor"] && has_tor_indicators?(scan_result)
+        add_violation(compliance_result, "tor_detected", "critical", "Tor usage detected")
+      end
+      
+      compliance_result
+    end
+
+    def validate_application_integrity(scan_result, compliance_result)
+      app_rules = @policy.dig("compliance_rules", "application_integrity") || {}
+      
+      # Check debug builds
+      if !app_rules["allow_debug_builds"] && has_debug_indicators?(scan_result)
+        add_violation(compliance_result, "debug_build", "warning", "Debug build detected")
+      end
+      
+      # Check repackaged apps
+      if !app_rules["allow_repackaged_apps"] && has_repackaging_indicators?(scan_result)
+        add_violation(compliance_result, "app_repackaged", "critical", "Repackaged application detected")
+      end
+      
+      compliance_result
+    end
+
+    def validate_runtime_protection(scan_result, compliance_result)
+      runtime_rules = @policy.dig("compliance_rules", "runtime_protection") || {}
+      
+      # Check debugging
+      if !runtime_rules["allow_debugging"] && has_debugging_indicators?(scan_result)
+        add_violation(compliance_result, "debugging_detected", "critical", "Runtime debugging detected")
+      end
+      
+      # Check hooking frameworks
+      if !runtime_rules["allow_hooking_frameworks"] && has_hooking_indicators?(scan_result)
+        add_violation(compliance_result, "hooking_detected", "critical", "Hooking framework detected")
+      end
+      
+      compliance_result
+    end
+
+    def assess_risk_thresholds(scan_result, compliance_result)
+      risk_score = scan_result[:risk_score] || 0
+      thresholds = @policy["risk_thresholds"] || {}
+      
+      risk_level = case risk_score
+                   when 0..thresholds["low"]
+                     "low"
+                   when thresholds["low"]..thresholds["medium"]
+                     "medium"
+                   when thresholds["medium"]..thresholds["high"]
+                     "high"
+                   else
+                     "critical"
+                   end
+      
+      compliance_result[:risk_assessment] = {
+        score: risk_score,
+        level: risk_level,
+        threshold_exceeded: risk_score > thresholds["high"]
+      }
+      
+      # Add violation if risk threshold exceeded
+      if risk_score > thresholds["critical"]
+        add_violation(compliance_result, "critical_risk", "critical", 
+                     "Risk score #{risk_score} exceeds critical threshold #{thresholds['critical']}")
+      elsif risk_score > thresholds["high"]
+        add_violation(compliance_result, "high_risk", "warning", 
+                     "Risk score #{risk_score} exceeds high threshold #{thresholds['high']}")
+      end
+      
+      compliance_result
+    end
+
+    def add_violation(compliance_result, type, severity, message)
+      violation = {
+        type: type,
+        severity: severity,
+        message: message,
+        timestamp: Time.now.to_f
+      }
+      
+      compliance_result[:violations] << violation
+      @violations << violation
+    end
+
+    def has_root_indicators?(scan_result)
+      factors = scan_result[:factors] || []
+      factors.any? { |factor| factor.to_s.upcase.include?("ROOT") }
+    end
+
+    def has_jailbreak_indicators?(scan_result)
+      factors = scan_result[:factors] || []
+      factors.any? { |factor| factor.to_s.upcase.include?("JAILBREAK") || factor.to_s.upcase.include?("CYDIA") }
+    end
+
+    def has_emulator_indicators?(scan_result)
+      factors = scan_result[:factors] || []
+      factors.any? { |factor| factor.to_s.upcase.include?("EMULATOR") || factor.to_s.upcase.include?("SIMULATOR") }
+    end
+
+    def has_vpn_indicators?(scan_result)
+      factors = scan_result[:factors] || []
+      factors.any? { |factor| 
+        factor_str = factor.to_s.upcase
+        factor_str.include?("VPN") || factor_str.include?("NETWORK_VPN_SERVICE_DETECTED")
+      }
+    end
+
+    def has_proxy_indicators?(scan_result)
+      factors = scan_result[:factors] || []
+      factors.any? { |factor| factor.to_s.upcase.include?("PROXY") }
+    end
+
+    def has_tor_indicators?(scan_result)
+      factors = scan_result[:factors] || []
+      factors.any? { |factor| factor.to_s.upcase.include?("TOR") }
+    end
+
+    def has_debug_indicators?(scan_result)
+      factors = scan_result[:factors] || []
+      factors.any? { |factor| factor.to_s.upcase.include?("DEBUG") }
+    end
+
+    def has_repackaging_indicators?(scan_result)
+      factors = scan_result[:factors] || []
+      factors.any? { |factor| factor.to_s.upcase.include?("REPACKAG") }
+    end
+
+    def has_debugging_indicators?(scan_result)
+      rasp_status = scan_result[:rasp_status] || {}
+      rasp_status.dig(:events_detected).to_i > 0
+    end
+
+    def has_hooking_indicators?(scan_result)
+      factors = scan_result[:factors] || []
+      factors.any? { |factor| factor.to_s.upcase.include?("FRIDA") || factor.to_s.upcase.include?("XPOSED") }
+    end
+
+    def log_compliance_check(scan_result, compliance_result)
+      return unless @policy.dig("reporting", "enable_audit_logs")
+      
+      log_audit_event("compliance_check", "Device compliance validation performed", {
+        device_id: scan_result[:device_id],
+        risk_score: scan_result[:risk_score],
+        compliant: compliance_result[:compliant],
+        violations_count: compliance_result[:violations].size
+      })
+      
+      # Update compliance cache for statistics
+      @compliance_cache[scan_result[:device_id]] = compliance_result
+    end
+
+    def log_audit_event(event_type, message, details = {})
+      return unless @policy.dig("reporting", "enable_audit_logs")
+      
+      audit_entry = {
+        event: event_type,
+        message: message,
+        details: details,
+        timestamp: Time.now.to_f,
+        policy_version: @policy["version"]
+      }
+      
+      @audit_logs << audit_entry
+      
+      # Clean up old logs based on retention policy
+      cleanup_old_logs
+    end
+
+    def cleanup_old_logs
+      retention_days = @policy.dig("reporting", "retention_days") || 90
+      cutoff_time = Time.now.to_f - (retention_days * 24 * 60 * 60)
+      
+      @audit_logs.reject! { |log| log[:timestamp] < cutoff_time }
+    end
+  end
+end

data/lib/ai_root_shield/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module AiRootShield
-  VERSION = "0.3.0"
+  VERSION = "0.5.0"
 end