beskar 0.0.1 → 0.0.2

data/app/controllers/concerns/beskar/controllers/security_tracking.rb

@@ -0,0 +1,70 @@
+module Beskar
+  module Controllers
+    # Controller concern for tracking Rails 8 authentication events
+    # 
+    # Usage in SessionsController:
+    #   class SessionsController < ApplicationController
+    #     include Beskar::Controllers::SecurityTracking
+    #     
+    #     def create
+    #       if user = User.authenticate_by(params.permit(:email_address, :password))
+    #         track_authentication_success(user)
+    #         start_new_session_for user
+    #         redirect_to after_authentication_url
+    #       else
+    #         track_authentication_failure(User, :user)
+    #         redirect_to new_session_path, alert: "Try another email address or password."
+    #       end
+    #     end
+    #   end
+    module SecurityTracking
+      extend ActiveSupport::Concern
+
+      private
+
+      # Track successful authentication for a user
+      # This should be called after verifying credentials but before creating session
+      def track_authentication_success(user)
+        return unless user
+        return unless Beskar.configuration.track_successful_logins?
+
+        user.track_authentication_event(request, :success)
+        Rails.logger.info "[Beskar] Tracked successful authentication for user #{user.id}"
+      rescue => e
+        Rails.logger.error "[Beskar] Failed to track authentication success: #{e.message}"
+      end
+
+      # Track failed authentication attempt
+      # This should be called when authentication fails
+      def track_authentication_failure(model_class, scope = :user)
+        return unless Beskar.configuration.track_failed_logins?
+
+        model_class.track_failed_authentication(request, scope)
+        Rails.logger.info "[Beskar] Tracked failed authentication for scope #{scope}"
+      rescue => e
+        Rails.logger.error "[Beskar] Failed to track authentication failure: #{e.message}"
+      end
+
+      # Track logout event
+      def track_logout(user)
+        return unless user
+        return unless Beskar.configuration.security_tracking_enabled?
+
+        user.security_events.create!(
+          event_type: "logout",
+          ip_address: request.ip,
+          user_agent: request.user_agent,
+          metadata: {
+            timestamp: Time.current.iso8601,
+            session_id: request.session.id,
+            request_path: request.path
+          },
+          risk_score: 0
+        )
+        Rails.logger.info "[Beskar] Tracked logout for user #{user.id}"
+      rescue => e
+        Rails.logger.error "[Beskar] Failed to track logout: #{e.message}"
+      end
+    end
+  end
+end

data/app/models/beskar/banned_ip.rb

@@ -0,0 +1,152 @@
+module Beskar
+  class BannedIp < ApplicationRecord
+    # Serialize metadata as JSON
+    serialize :metadata, coder: JSON
+
+    validates :ip_address, presence: true, uniqueness: true
+    validates :reason, presence: true
+    validates :banned_at, presence: true
+
+    # Ensure metadata is always a hash
+    after_initialize do
+      self.metadata ||= {}
+    end
+
+    scope :active, -> { where("expires_at IS NULL OR expires_at > ?", Time.current) }
+    scope :permanent, -> { where(permanent: true) }
+    scope :temporary, -> { where(permanent: false) }
+    scope :expired, -> { where("expires_at IS NOT NULL AND expires_at <= ?", Time.current) }
+    scope :by_reason, ->(reason) { where(reason: reason) }
+
+    # Check if a ban is currently active
+    def active?
+      permanent? || (expires_at.present? && expires_at > Time.current)
+    end
+
+    # Check if ban has expired
+    def expired?
+      !permanent? && expires_at.present? && expires_at <= Time.current
+    end
+
+    # Extend ban duration (for repeat offenders)
+    def extend_ban!(additional_time = nil)
+      self.violation_count += 1
+      
+      if permanent?
+        # Already permanent, just increment violation count
+        save!
+      elsif additional_time
+        self.expires_at = [expires_at || Time.current, Time.current].max + additional_time
+        save!
+      else
+        # Calculate exponential backoff based on violation count
+        # 1 hour, 6 hours, 24 hours, 7 days, permanent
+        duration = case violation_count
+        when 1 then 1.hour
+        when 2 then 6.hours
+        when 3 then 24.hours
+        when 4 then 7.days
+        else
+          self.permanent = true
+          nil
+        end
+
+        if duration
+          self.expires_at = Time.current + duration
+        end
+        save!
+      end
+    end
+
+    # Unban an IP address
+    def unban!
+      destroy
+    end
+
+    # Class methods for ban management
+    class << self
+      # Ban an IP address
+      def ban!(ip_address, reason:, duration: nil, permanent: false, details: nil, metadata: {})
+        banned_ip = find_or_initialize_by(ip_address: ip_address)
+        
+        if banned_ip.persisted?
+          # Existing ban - extend it
+          banned_ip.extend_ban!(duration)
+          banned_ip.details = details if details
+          # Deep stringify keys to avoid duplicate key issues
+          if metadata.any?
+            banned_ip.metadata = banned_ip.metadata.deep_stringify_keys.merge(metadata.deep_stringify_keys)
+          end
+          banned_ip.save!
+        else
+          # New ban
+          banned_ip.assign_attributes(
+            reason: reason,
+            banned_at: Time.current,
+            expires_at: permanent ? nil : (Time.current + (duration || 1.hour)),
+            permanent: permanent,
+            details: details,
+            metadata: metadata
+          )
+          banned_ip.save!
+        end
+
+        # Update cache
+        cache_key = "beskar:banned_ip:#{ip_address}"
+        Rails.cache.write(cache_key, true, expires_in: permanent ? nil : (duration || 1.hour))
+
+        banned_ip
+      end
+
+      # Check if an IP is banned (cache-first approach)
+      def banned?(ip_address)
+        # Check cache first for performance
+        cache_key = "beskar:banned_ip:#{ip_address}"
+        cached_result = Rails.cache.read(cache_key)
+        return true if cached_result == true
+        return false if cached_result == false
+
+        # Check database
+        banned_record = active.find_by(ip_address: ip_address)
+        is_banned = banned_record&.active? || false
+
+        # Update cache
+        if is_banned && banned_record
+          ttl = banned_record.permanent? ? 30.days : (banned_record.expires_at - Time.current).to_i
+          Rails.cache.write(cache_key, true, expires_in: ttl)
+        else
+          Rails.cache.write(cache_key, false, expires_in: 5.minutes)
+        end
+
+        is_banned
+      end
+
+      # Unban an IP address
+      def unban!(ip_address)
+        banned_ip = find_by(ip_address: ip_address)
+        if banned_ip
+          banned_ip.destroy
+          # Clear cache
+          Rails.cache.delete("beskar:banned_ip:#{ip_address}")
+          true
+        else
+          false
+        end
+      end
+
+      # Load all active bans into cache (called on app startup)
+      def preload_cache!
+        active.find_each do |banned_ip|
+          cache_key = "beskar:banned_ip:#{banned_ip.ip_address}"
+          ttl = banned_ip.permanent? ? 30.days : [(banned_ip.expires_at - Time.current).to_i, 60].max
+          Rails.cache.write(cache_key, true, expires_in: ttl)
+        end
+      end
+
+      # Clean up expired bans
+      def cleanup_expired!
+        expired.destroy_all
+      end
+    end
+  end
+end

data/app/models/beskar/security_event.rb

@@ -0,0 +1,50 @@
+module Beskar
+  class SecurityEvent < ApplicationRecord
+    belongs_to :user, polymorphic: true, optional: true
+
+    validates :event_type, presence: true
+    validates :ip_address, presence: true
+    validates :risk_score, numericality: {in: 0..100}
+
+    scope :login_failures, -> { where(event_type: "login_failure") }
+    scope :login_successes, -> { where(event_type: "login_success") }
+    scope :recent, ->(time = 1.hour.ago) { where("created_at >= ?", time) }
+    scope :by_ip, ->(ip) { where(ip_address: ip) }
+    scope :high_risk, -> { where("risk_score >= ?", 70) }
+    scope :critical_risk, -> { where("risk_score >= ?", 90) }
+
+    def critical_threat?
+      risk_score >= 90
+    end
+
+    def high_risk?
+      risk_score >= 70
+    end
+
+    def login_failure?
+      event_type == "login_failure"
+    end
+
+    def login_success?
+      event_type == "login_success"
+    end
+
+    def attempted_email
+      read_attribute(:attempted_email) || metadata&.dig("attempted_email")
+    end
+
+    def attempted_email=(value)
+      write_attribute(:attempted_email, value)
+      # Also store in metadata for backwards compatibility
+      self.metadata = (metadata || {}).merge("attempted_email" => value) if value.present?
+    end
+
+    def device_info
+      metadata&.dig("device_info") || {}
+    end
+
+    def geolocation
+      metadata&.dig("geolocation") || {}
+    end
+  end
+end

data/config/locales/en.yml

@@ -0,0 +1,10 @@
+en:
+  devise:
+    failure:
+      account_locked_due_to_high_risk: "Your account has been locked due to suspicious activity. Please contact support or wait for automatic unlock."
+  
+  beskar:
+    account_locking:
+      high_risk_detected: "High risk activity detected on your account"
+      locked_for_security: "Account locked for security reasons"
+      contact_support: "Please contact support to unlock your account"

data/db/migrate/20251016000001_create_beskar_security_events.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+class CreateBeskarSecurityEvents < ActiveRecord::Migration[8.0]
+  def change
+    create_table :beskar_security_events do |t|
+      t.references :user, polymorphic: true, null: true, index: true
+      t.string :event_type, null: false
+      t.string :ip_address
+      t.string :attempted_email
+      t.text :user_agent
+      t.json :metadata, default: {}
+      t.integer :risk_score
+
+      t.timestamps
+    end
+
+    add_index :beskar_security_events, :ip_address
+    add_index :beskar_security_events, :event_type
+    add_index :beskar_security_events, :attempted_email
+    add_index :beskar_security_events, :created_at
+    add_index :beskar_security_events, :risk_score
+    add_index :beskar_security_events, [:ip_address, :event_type, :created_at], 
+              name: 'index_security_events_on_ip_event_time'
+  end
+end

data/db/migrate/20251016000002_create_beskar_banned_ips.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+class CreateBeskarBannedIps < ActiveRecord::Migration[8.0]
+  def change
+    create_table :beskar_banned_ips do |t|
+      t.string :ip_address, null: false
+      t.string :reason, null: false
+      t.text :details
+      t.datetime :banned_at, null: false
+      t.datetime :expires_at
+      t.boolean :permanent, default: false, null: false
+      t.integer :violation_count, default: 1, null: false
+      t.text :metadata # Using text to store JSON (compatible with SQLite and PostgreSQL)
+
+      t.timestamps
+    end
+
+    add_index :beskar_banned_ips, :ip_address, unique: true
+    add_index :beskar_banned_ips, :banned_at
+    add_index :beskar_banned_ips, :expires_at
+    add_index :beskar_banned_ips, [:ip_address, :expires_at]
+  end
+end

data/lib/beskar/configuration.rb

@@ -0,0 +1,200 @@
+module Beskar
+  class Configuration
+    attr_accessor :rate_limiting, :security_tracking, :risk_based_locking, :geolocation, :ip_whitelist, :waf, :authentication_models, :emergency_password_reset
+
+    def initialize
+      @ip_whitelist = [] # Array of IP addresses or CIDR ranges
+
+      # Authentication models configuration
+      # Auto-detect by default, or can be explicitly configured
+      @authentication_models = {
+        devise: [], # Will be auto-detected: [:devise_user, :admin, etc.]
+        rails_auth: [], # Will be auto-detected: [:user, etc.]
+        auto_detect: true # Set to false to use only explicitly configured models
+      }
+
+      @waf = {
+        enabled: false,                  # Master switch for WAF
+        auto_block: true,                # Automatically block IPs after threshold
+        block_threshold: 3,              # Number of violations before blocking
+        violation_window: 1.hour,        # Time window to count violations
+        block_durations: [ 1.hour, 6.hours, 24.hours, 7.days ], # Escalating block durations
+        permanent_block_after: 5,        # Permanent block after N violations (nil = never)
+        create_security_events: true,    # Create SecurityEvent records
+        monitor_only: false              # If true, log but don't block (even if auto_block is true)
+      }
+      @security_tracking = {
+        enabled: true,
+        track_successful_logins: true,
+        track_failed_logins: true,
+        auto_analyze_patterns: true
+      }
+      @rate_limiting = {
+        ip_attempts: {
+          limit: 10,
+          period: 1.hour,
+          exponential_backoff: true
+        },
+        account_attempts: {
+          limit: 5,
+          period: 15.minutes,
+          exponential_backoff: true
+        },
+        global_attempts: {
+          limit: 100,
+          period: 1.minute,
+          exponential_backoff: false
+        }
+      }
+      @risk_based_locking = {
+        enabled: false,                    # Master switch for risk-based locking
+        risk_threshold: 75,                # Lock account if risk score >= this value
+        lock_strategy: :devise_lockable,   # Strategy: :devise_lockable, :custom, :none
+        auto_unlock_time: 1.hour,          # Time until automatic unlock (if supported by strategy)
+        notify_user: true,                 # Send notification on lock
+        log_lock_events: true,             # Create security event for locks
+        immediate_signout: false           # Sign out user immediately via Warden callback (requires :lockable)
+      }
+      @geolocation = {
+        provider: :mock,                   # Provider: :maxmind, :mock
+        maxmind_city_db_path: nil,         # Path to MaxMind GeoLite2-City.mmdb or GeoIP2-City.mmdb
+        cache_ttl: 4.hours                 # How long to cache geolocation results
+      }
+      @emergency_password_reset = {
+        enabled: false,                    # Master switch for emergency password reset
+        impossible_travel_threshold: 3,    # Reset after N impossible travel events in 24h
+        suspicious_device_threshold: 5,    # Reset after N suspicious device events in 24h
+        total_locks_threshold: 5,          # Reset after N total locks in 24h (any reason)
+        send_notification: true,           # Send email to user about reset
+        notify_security_team: true,        # Alert security team about automatic resets
+        require_manual_unlock: false       # Require manual admin unlock after reset
+      }
+    end
+
+    def security_tracking_enabled?
+      @security_tracking[:enabled]
+    end
+
+    def track_successful_logins?
+      security_tracking_enabled? && @security_tracking[:track_successful_logins]
+    end
+
+    def track_failed_logins?
+      security_tracking_enabled? && @security_tracking[:track_failed_logins]
+    end
+
+    def auto_analyze_patterns?
+      security_tracking_enabled? && @security_tracking[:auto_analyze_patterns]
+    end
+
+    # Risk-based locking configuration helpers
+    def risk_based_locking_enabled?
+      @risk_based_locking[:enabled]
+    end
+
+    def risk_threshold
+      @risk_based_locking[:risk_threshold] || 75
+    end
+
+    def lock_strategy
+      @risk_based_locking[:lock_strategy] || :devise_lockable
+    end
+
+    def auto_unlock_time
+      @risk_based_locking[:auto_unlock_time] || 1.hour
+    end
+
+    def notify_user_on_lock?
+      @risk_based_locking[:notify_user] != false
+    end
+
+    def log_lock_events?
+      @risk_based_locking[:log_lock_events] != false
+    end
+
+    def immediate_signout?
+      @risk_based_locking[:immediate_signout] == true
+    end
+
+    # Geolocation configuration helpers
+    def geolocation_provider
+      @geolocation[:provider] || :mock
+    end
+
+    def maxmind_city_db_path
+      @geolocation[:maxmind_city_db_path]
+    end
+
+    def geolocation_cache_ttl
+      @geolocation[:cache_ttl] || 4.hours
+    end
+
+    # WAF configuration helpers
+    def waf_enabled?
+      @waf && @waf[:enabled]
+    end
+
+    def waf_auto_block?
+      waf_enabled? && @waf[:auto_block] && !@waf[:monitor_only]
+    end
+
+    def waf_monitor_only?
+      @waf[:monitor_only] == true
+    end
+
+    # IP Whitelist configuration helpers
+    def ip_whitelist_enabled?
+      @ip_whitelist.is_a?(Array) && @ip_whitelist.any?
+    end
+
+    # Authentication models helpers
+    def devise_scopes
+      return @authentication_models[:devise] unless @authentication_models[:auto_detect]
+
+      # Auto-detect Devise models
+      detected = []
+      if defined?(Devise)
+        Devise.mappings.keys.each do |scope|
+          detected << scope
+        end
+      end
+
+      # Merge with explicitly configured models
+      (detected + Array(@authentication_models[:devise])).uniq
+    end
+
+    def rails_auth_scopes
+      return @authentication_models[:rails_auth] unless @authentication_models[:auto_detect]
+
+      # Auto-detect Rails authentication models (has_secure_password)
+      detected = []
+      if defined?(ActiveRecord::Base)
+        # Try to find models with has_secure_password
+        # This is a heuristic - models that have password_digest column
+        ActiveRecord::Base.descendants.each do |model|
+          next unless model.table_exists?
+          if model.column_names.include?("password_digest")
+            scope = model.name.underscore.to_sym
+            detected << scope unless devise_scopes.include?(scope)
+          end
+        rescue => e
+          # Ignore errors during detection
+          Rails.logger.debug "[Beskar] Error detecting Rails auth model #{model.name}: #{e.message}"
+        end
+      end
+
+      # Merge with explicitly configured models
+      (detected + Array(@authentication_models[:rails_auth])).uniq
+    end
+
+    def all_auth_scopes
+      (devise_scopes + rails_auth_scopes).uniq
+    end
+
+    def model_class_for_scope(scope)
+      scope.to_s.camelize.constantize
+    rescue NameError
+      nil
+    end
+  end
+end

data/lib/beskar/engine.rb

@@ -1,5 +1,110 @@
 module Beskar
   class Engine < ::Rails::Engine
     isolate_namespace Beskar
+
+    initializer "beskar.middleware" do |app|
+      app.config.middleware.use ::Beskar::Middleware::RequestAnalyzer
+    end
+
+    # Preload banned IPs into cache on startup
+    config.after_initialize do
+      if defined?(Beskar::BannedIp)
+        Rails.application.executor.wrap do
+          Beskar::BannedIp.preload_cache!
+          Rails.logger.info "[Beskar] Preloaded banned IPs into cache"
+        rescue => e
+          Rails.logger.warn "[Beskar] Failed to preload banned IPs: #{e.message}"
+        end
+      end
+    end
+
+    initializer "beskar.warden_callbacks", after: :load_config_initializers do |app|
+      if defined?(Warden)
+        # Track successful authentication and check for high-risk locks
+        Warden::Manager.after_set_user except: :fetch do |user, auth, opts|
+          # Only proceed if Beskar security tracking is available and enabled
+          if user.respond_to?(:track_authentication_event) && auth.request
+            # Track the authentication event (creates security event)
+            security_event = user.track_authentication_event(auth.request, :success)
+
+            # Check if account was locked due to high risk (only if immediate_signout is enabled)
+            # This happens AFTER successful authentication but BEFORE the request completes
+            # Requires :lockable module to be enabled on the user model
+            if Beskar.configuration.immediate_signout? &&
+               Beskar.configuration.risk_based_locking_enabled? &&
+               security_event &&
+               user_was_just_locked?(user, security_event) &&
+               user.respond_to?(:access_locked?) && user.access_locked?
+              Rails.logger.warn "[Beskar] Signing out user #{user.id} due to high-risk lock"
+              auth.logout
+              throw :warden, scope: opts[:scope], message: :account_locked_due_to_high_risk
+            end
+          end
+        end
+
+        # Alternative approach using after_authentication is available but not enabled by default
+        # Uncomment this to use the alternative approach (more targeted, only on authentication)
+        # Warden::Manager.after_authentication do |user, auth, opts|
+        #   if user.respond_to?(:check_high_risk_lock_and_signout)
+        #     user.check_high_risk_lock_and_signout(auth)
+        #   end
+        # end
+
+        Warden::Manager.before_failure do |env, opts|
+          if env
+            request = ActionDispatch::Request.new(env)
+            scope = opts[:scope]
+            
+            # Try to get model class from configuration
+            model_class = Beskar.configuration&.model_class_for_scope(scope)
+            
+            if model_class && model_class.respond_to?(:track_failed_authentication)
+              model_class.track_failed_authentication(request, scope)
+            else
+              Rails.logger.debug "[Beskar] No trackable model found for scope: #{scope}"
+            end
+          end
+        end
+      end
+    end
+
+    # Helper method to check if user was just locked
+    def self.user_was_just_locked?(user, security_event)
+      return false unless Beskar.configuration.risk_based_locking_enabled?
+      return false unless security_event
+      return false unless user&.respond_to?(:security_events)
+
+      # Check if an account_locked or lock_attempted event was just created
+      recent_lock = user.security_events
+        .where(event_type: [ "account_locked", "lock_attempted" ])
+        .where("created_at >= ?", 10.seconds.ago)
+        .order(created_at: :desc)
+        .first
+
+      recent_lock.present?
+    end
+
+    # Add engine migrations to host app's migration paths
+    initializer "beskar.append_migrations" do |app|
+      # Don't add migrations if we're inside the engine itself (testing)
+      if !root.to_s.include?(app.root.to_s) && !app.root.to_s.include?(root.to_s)
+        engine_migrations = root.join("db", "migrate").to_s
+
+        # Add to Rails paths
+        app.config.paths["db/migrate"] << engine_migrations
+      end
+    end
+
+    # Ensure ActiveRecord sees the engine migrations after initialization
+    # config.after_initialize do |app|
+    #   unless root.to_s.include?(app.root.to_s)
+    #     engine_migrations = root.join("db", "migrate").to_s
+
+    #     # Update ActiveRecord::Tasks paths
+    #     current_paths = Array(ActiveRecord::Tasks::DatabaseTasks.migrations_paths)
+    #     current_paths << engine_migrations
+    #     ActiveRecord::Tasks::DatabaseTasks.migrations_paths = current_paths.uniq
+    #   end
+    # end
   end
 end