beskar 0.0.1 → 0.0.2

data/lib/beskar/services/ip_whitelist.rb

@@ -0,0 +1,113 @@
+require 'ipaddr'
+
+module Beskar
+  module Services
+    class IpWhitelist
+      class << self
+        # Check if an IP address is whitelisted
+        def whitelisted?(ip_address)
+          return false if ip_address.blank?
+          return false unless whitelist_entries.any?
+
+          ip = parse_ip(ip_address)
+          return false unless ip
+
+          whitelist_entries.any? do |entry|
+            match_entry?(ip, entry)
+          end
+        rescue IPAddr::InvalidAddressError, ArgumentError => e
+          Rails.logger.warn "[Beskar::IpWhitelist] Invalid IP address: #{ip_address} - #{e.message}"
+          false
+        end
+
+        # Get whitelist entries from configuration
+        def whitelist_entries
+          @whitelist_entries ||= begin
+            entries = Beskar.configuration.ip_whitelist || []
+            # Ensure it's an array
+            entries = [entries] unless entries.is_a?(Array)
+            entries.compact
+          end
+        end
+
+        # Clear cached whitelist (useful when config changes)
+        def clear_cache!
+          @whitelist_entries = nil
+          @parsed_entries = nil
+        end
+
+        # Validate whitelist configuration
+        def validate_configuration!
+          errors = []
+          
+          whitelist_entries.each_with_index do |entry, index|
+            begin
+              parse_entry(entry)
+            rescue IPAddr::InvalidAddressError, ArgumentError => e
+              errors << "Entry #{index} (#{entry}): #{e.message}"
+            end
+          end
+
+          if errors.any?
+            raise ConfigurationError, "Invalid IP whitelist configuration:\n#{errors.join("\n")}"
+          end
+
+          true
+        end
+
+        private
+
+        # Parse IP address string to IPAddr object
+        def parse_ip(ip_string)
+          IPAddr.new(ip_string.to_s.strip)
+        rescue IPAddr::InvalidAddressError
+          nil
+        end
+
+        # Parse whitelist entry (can be single IP or CIDR notation)
+        def parse_entry(entry)
+          return nil if entry.blank?
+          
+          entry_str = entry.to_s.strip
+          
+          # Check if it's CIDR notation
+          if entry_str.include?('/')
+            IPAddr.new(entry_str)
+          else
+            # Single IP address
+            IPAddr.new(entry_str)
+          end
+        end
+
+        # Check if IP matches whitelist entry
+        def match_entry?(ip, entry)
+          parsed_entry = parsed_entries[entry]
+          return false unless parsed_entry
+
+          # IPAddr#include? handles both single IPs and CIDR ranges
+          parsed_entry.include?(ip)
+        rescue IPAddr::InvalidAddressError, ArgumentError
+          false
+        end
+
+        # Cache parsed entries for performance
+        def parsed_entries
+          @parsed_entries ||= begin
+            entries = {}
+            whitelist_entries.each do |entry|
+              begin
+                entries[entry] = parse_entry(entry)
+              rescue IPAddr::InvalidAddressError, ArgumentError => e
+                Rails.logger.warn "[Beskar::IpWhitelist] Skipping invalid entry: #{entry} - #{e.message}"
+              end
+            end
+            entries
+          end
+        end
+      end
+
+      # Error class for configuration issues
+      class ConfigurationError < StandardError; end
+    end
+  end
+end

data/lib/beskar/services/rate_limiter.rb

@@ -0,0 +1,257 @@
+module Beskar
+  module Services
+    class RateLimiter
+      DEFAULT_CONFIG = {
+        ip_attempts: {
+          limit: 10,
+          period: 1.hour,
+          exponential_backoff: true
+        },
+        account_attempts: {
+          limit: 5,
+          period: 15.minutes,
+          exponential_backoff: true
+        },
+        global_attempts: {
+          limit: 100,
+          period: 1.minute
+        }
+      }.freeze
+
+      class << self
+        def check_authentication_attempt(request, result, user = nil)
+          ip_address = request.ip
+
+          # Check IP-based rate limiting
+          ip_result = check_ip_rate_limit(ip_address)
+
+          # Check account-based rate limiting if we have a user
+          account_result = user ? check_account_rate_limit(user) : {allowed: true}
+
+          # Check global rate limiting to prevent system overload
+          global_result = check_global_rate_limit
+
+          # Record the attempt
+          record_attempt(ip_address, result, user)
+
+          # Return most restrictive result
+          most_restrictive_result([ip_result, account_result, global_result])
+        end
+
+        def check_ip_rate_limit(ip_address)
+          config = Beskar.configuration.rate_limiting&.dig(:ip_attempts) || DEFAULT_CONFIG[:ip_attempts]
+          cache_key = "beskar:ip_attempts:#{ip_address}"
+          check_rate_limit(cache_key, config)
+        end
+
+        def check_account_rate_limit(user)
+          config = Beskar.configuration.rate_limiting&.dig(:account_attempts) || DEFAULT_CONFIG[:account_attempts]
+          cache_key = "beskar:account_attempts:#{user.class.name}:#{user.id}"
+          check_rate_limit(cache_key, config)
+        end
+
+        def check_global_rate_limit
+          config = Beskar.configuration.rate_limiting&.dig(:global_attempts) || DEFAULT_CONFIG[:global_attempts]
+          cache_key = "beskar:global_attempts"
+          check_rate_limit(cache_key, config)
+        end
+
+        def is_rate_limited?(request, user = nil)
+          result = check_authentication_attempt(request, :check, user)
+          !result[:allowed]
+        end
+
+        def time_until_allowed(request, user = nil)
+          result = check_authentication_attempt(request, :check, user)
+          result[:retry_after] || 0
+        end
+
+        def reset_rate_limit(ip_address: nil, user: nil)
+          if ip_address
+            Rails.cache.delete("beskar:ip_attempts:#{ip_address}")
+            Rails.cache.delete("beskar:ip_backoff:#{ip_address}")
+          end
+
+          if user
+            cache_key = "beskar:account_attempts:#{user.class.name}:#{user.id}"
+            Rails.cache.delete(cache_key)
+            Rails.cache.delete("beskar:account_backoff:#{user.class.name}:#{user.id}")
+          end
+        end
+
+        private
+
+        def check_rate_limit(cache_key, config)
+          now = Time.current.to_i
+          period = config[:period].to_i
+          limit = config[:limit]
+          window_start = now - period
+
+          # Get current window data
+          window_data = Rails.cache.read(cache_key) || {}
+
+          # Clean old entries
+          cleaned_data = window_data.select { |timestamp, _| timestamp.to_i > window_start }
+
+          # Update cache with cleaned data if it changed
+          if cleaned_data != window_data
+            if cleaned_data.empty?
+              Rails.cache.delete(cache_key)
+            else
+              Rails.cache.write(cache_key, cleaned_data, expires_in: period + 60)
+            end
+          end
+
+          current_count = cleaned_data.values.sum
+
+          # Check if we're over the limit
+          if current_count >= limit
+            # Calculate retry after time with exponential backoff if configured
+            retry_after = calculate_retry_after(cache_key, config, current_count, limit)
+
+            reset_time = if cleaned_data.empty?
+              Time.at(now + period)
+            else
+              Time.at(cleaned_data.keys.map(&:to_i).min + period)
+            end
+
+            {
+              allowed: false,
+              count: current_count,
+              limit: limit,
+              reset_time: reset_time,
+              retry_after: retry_after,
+              reason: "rate_limit_exceeded"
+            }
+          else
+            {
+              allowed: true,
+              count: current_count,
+              limit: limit,
+              remaining: limit - current_count
+            }
+          end
+        end
+
+        def record_attempt(ip_address, result, user)
+          return if result == :check # Don't record check operations
+
+          now = Time.current.to_i
+
+          # Record IP attempt
+          ip_cache_key = "beskar:ip_attempts:#{ip_address}"
+          record_attempt_in_cache(ip_cache_key, now)
+
+          # Record account attempt if user exists
+          if user
+            account_cache_key = "beskar:account_attempts:#{user.class.name}:#{user.id}"
+            record_attempt_in_cache(account_cache_key, now)
+          end
+
+          # Record global attempt
+          global_cache_key = "beskar:global_attempts"
+          record_attempt_in_cache(global_cache_key, now, 1.minute)
+        end
+
+        def record_attempt_in_cache(cache_key, timestamp, expiry = 1.hour)
+          window_data = Rails.cache.read(cache_key) || {}
+          window_data[timestamp] = (window_data[timestamp] || 0) + 1
+          Rails.cache.write(cache_key, window_data, expires_in: expiry + 60)
+        end
+
+        def calculate_retry_after(cache_key, config, current_count, limit)
+          return 0 unless config[:exponential_backoff]
+
+          backoff_key = cache_key.gsub("_attempts:", "_backoff:")
+          failure_count = Rails.cache.read(backoff_key) || 0
+
+          # Increment failure count
+          Rails.cache.write(backoff_key, failure_count + 1, expires_in: 1.hour)
+
+          # Exponential backoff: 1min, 5min, 15min, 1hour, 4hours, 24hours
+          base_delays = [60, 300, 900, 3600, 14400, 86400] # in seconds
+          delay_index = [failure_count, base_delays.length - 1].min
+
+          base_delays[delay_index]
+        end
+
+        def most_restrictive_result(results)
+          # Find the most restrictive (not allowed) result
+          restricted = results.find { |r| !r[:allowed] }
+          return restricted if restricted
+
+          # If all are allowed, return the one with the lowest remaining count
+          results.min_by { |r| r[:remaining] || Float::INFINITY }
+        end
+      end
+
+      # Instance methods for more complex scenarios
+      def initialize(ip_address, user = nil)
+        @ip_address = ip_address
+        @user = user
+      end
+
+      def allowed?
+        self.class.check_ip_rate_limit(@ip_address)[:allowed] &&
+          (@user.nil? || self.class.check_account_rate_limit(@user)[:allowed])
+      end
+
+      def attempts_remaining
+        ip_result = self.class.check_ip_rate_limit(@ip_address)
+        account_result = @user ? self.class.check_account_rate_limit(@user) : {remaining: Float::INFINITY}
+
+        [ip_result[:remaining] || 0, account_result[:remaining] || 0].min
+      end
+
+      def time_until_reset
+        ip_result = self.class.check_ip_rate_limit(@ip_address)
+        account_result = @user ? self.class.check_account_rate_limit(@user) : {retry_after: 0}
+
+        [ip_result[:retry_after] || 0, account_result[:retry_after] || 0].max
+      end
+
+      def reset!
+        self.class.reset_rate_limit(ip_address: @ip_address, user: @user)
+      end
+
+      # Sliding window analysis for pattern detection
+      def suspicious_pattern?
+        return false unless @user
+
+        # Check for rapid-fire attempts
+        recent_events = @user.security_events
+          .login_failures
+          .recent(5.minutes.ago)
+          .order(:created_at)
+
+        return true if recent_events.count >= 3
+
+        # Check for distributed attack (same user, different IPs)
+        if recent_events.count >= 2
+          unique_ips = recent_events.pluck(:ip_address).uniq
+          return true if unique_ips.length >= 2
+        end
+
+        false
+      end
+
+      def attack_pattern_type
+        return :none unless suspicious_pattern?
+
+        recent_events = @user.security_events.login_failures.recent(5.minutes.ago)
+        unique_ips = recent_events.pluck(:ip_address).uniq
+        unique_emails = recent_events.map(&:attempted_email).compact.uniq
+
+        if unique_ips.length >= 2 && unique_emails.length == 1
+          :distributed_single_account
+        elsif unique_ips.length == 1 && unique_emails.length >= 3
+          :single_ip_multiple_accounts
+        elsif unique_ips.length == 1 && unique_emails.length == 1
+          :brute_force_single_account
+        else
+          :mixed_attack_pattern
+        end
+      end
+    end
+  end
+end

data/lib/beskar/services/waf.rb

@@ -0,0 +1,322 @@
+module Beskar
+  module Services
+    class Waf
+      # Common vulnerability scan patterns
+      VULNERABILITY_PATTERNS = {
+        wordpress: {
+          patterns: [
+            %r{/wp-admin}i,
+            %r{/wp-login\.php}i,
+            %r{/wp-content}i,
+            %r{/wp-includes}i,
+            %r{/xmlrpc\.php}i,
+            %r{/wp-config\.php}i,
+            %r{/wp-config\.bak}i,
+            %r{/wordpress}i
+          ],
+          severity: :high,
+          description: "WordPress vulnerability scan"
+        },
+        php_admin: {
+          patterns: [
+            %r{/phpmyadmin}i,
+            %r{/pma}i,
+            %r{/admin\.php}i,
+            %r{/administrator}i,
+            %r{/admin/config\.php}i,
+            %r{/phpinfo\.php}i
+          ],
+          severity: :high,
+          description: "PHP admin panel scan"
+        },
+        config_files: {
+          patterns: [
+            %r{/\.env},
+            %r{/\.git},
+            %r{/config\.php}i,
+            %r{/configuration\.php}i,
+            %r{/settings\.php}i,
+            %r{/database\.yml},
+            %r{/credentials\.yml}i
+          ],
+          severity: :critical,
+          description: "Configuration file access attempt"
+        },
+        path_traversal: {
+          patterns: [
+            %r{/etc/passwd},
+            %r{/etc/shadow},
+            %r{/etc/hosts},
+            %r{\.\./},
+            %r{\.\.\\},
+            %r{%2e%2e/}i,
+            %r{%252e%252e/}i
+          ],
+          severity: :critical,
+          description: "Path traversal attempt"
+        },
+        framework_debug: {
+          patterns: [
+            %r{/rails/info/routes},
+            %r{/__debug__},
+            %r{/debug},
+            %r{/telescope},
+            %r{/_profiler},
+            %r{/\.well-known}
+          ],
+          severity: :medium,
+          description: "Framework debug endpoint scan"
+        },
+        cms_scan: {
+          patterns: [
+            %r{/joomla}i,
+            %r{/drupal}i,
+            %r{/magento}i,
+            %r{/prestashop}i,
+            %r{/typo3}i
+          ],
+          severity: :medium,
+          description: "CMS detection scan"
+        },
+        common_exploits: {
+          patterns: [
+            %r{/shell\.php}i,
+            %r{/cmd\.php}i,
+            %r{/backdoor}i,
+            %r{/c99\.php}i,
+            %r{/r57\.php}i,
+            %r{/webshell}i
+          ],
+          severity: :critical,
+          description: "Common exploit file access"
+        }
+      }.freeze
+
+      class << self
+        # Analyze a request for vulnerability scanning patterns
+        def analyze_request(request)
+          path = request.fullpath || request.path
+          return nil if path.blank?
+
+          detected_patterns = []
+
+          VULNERABILITY_PATTERNS.each do |category, config|
+            config[:patterns].each do |pattern|
+              if path.match?(pattern)
+                detected_patterns << {
+                  category: category,
+                  pattern: pattern.source,
+                  severity: config[:severity],
+                  description: config[:description],
+                  matched_path: path
+                }
+              end
+            end
+          end
+
+          if detected_patterns.any?
+            {
+              threat_detected: true,
+              patterns: detected_patterns,
+              highest_severity: calculate_highest_severity(detected_patterns),
+              ip_address: request.ip,
+              user_agent: request.user_agent,
+              timestamp: Time.current
+            }
+          else
+            nil
+          end
+        end
+
+        # Check if request should be blocked based on violation history
+        def should_block?(ip_address)
+          config = waf_config
+          return false unless config[:enabled]
+          return false unless config[:auto_block]
+
+          # Check violation count in cache
+          violation_count = get_violation_count(ip_address)
+          threshold = config[:block_threshold] || 3
+
+          violation_count >= threshold
+        end
+
+        # Record a WAF violation
+        def record_violation(ip_address, analysis_result, whitelisted: false)
+          config = waf_config
+          return unless config[:enabled]
+
+          # Increment violation count
+          cache_key = "beskar:waf_violations:#{ip_address}"
+          current_count = Rails.cache.read(cache_key) || 0
+          new_count = current_count + 1
+          
+          # Store with TTL from config (default 1 hour)
+          ttl = config[:violation_window] || 1.hour
+          Rails.cache.write(cache_key, new_count, expires_in: ttl)
+
+          # Log the violation
+          log_violation(ip_address, analysis_result, new_count)
+
+          # Create security event if configured
+          if config[:create_security_events]
+            create_security_event(ip_address, analysis_result)
+          end
+
+          # Check if we should auto-block (skip if whitelisted, in monitor-only mode)
+          threshold = config[:block_threshold] || 3
+          
+          if !whitelisted && config[:auto_block] && new_count >= threshold
+            if config[:monitor_only]
+              # Monitor-only mode: Log what WOULD happen but don't block
+              log_monitor_only_action(ip_address, analysis_result, new_count, threshold)
+            else
+              auto_block_ip(ip_address, analysis_result, new_count)
+            end
+          end
+
+          new_count
+        end
+
+        # Get current violation count for an IP
+        def get_violation_count(ip_address)
+          cache_key = "beskar:waf_violations:#{ip_address}"
+          Rails.cache.read(cache_key) || 0
+        end
+
+        # Reset violations for an IP
+        def reset_violations(ip_address)
+          cache_key = "beskar:waf_violations:#{ip_address}"
+          Rails.cache.delete(cache_key)
+        end
+
+        private
+
+        # Get WAF configuration
+        def waf_config
+          Beskar.configuration.waf || {}
+        end
+
+        # Calculate highest severity from detected patterns
+        def calculate_highest_severity(patterns)
+          severities = patterns.map { |p| p[:severity] }
+          return :critical if severities.include?(:critical)
+          return :high if severities.include?(:high)
+          return :medium if severities.include?(:medium)
+          :low
+        end
+
+        # Log WAF violation
+        def log_violation(ip_address, analysis_result, violation_count)
+          severity_emoji = {
+            critical: "🚨",
+            high: "⚠️",
+            medium: "⚡",
+            low: "ℹ️"
+          }
+
+          emoji = severity_emoji[analysis_result[:highest_severity]] || "🔍"
+          config = waf_config
+          monitor_mode_notice = config[:monitor_only] ? " [MONITOR-ONLY MODE]" : ""
+          
+          Rails.logger.warn(
+            "[Beskar::WAF] #{emoji} Vulnerability scan detected#{monitor_mode_notice} " \
+            "(#{violation_count} violations) - " \
+            "IP: #{ip_address}, " \
+            "Severity: #{analysis_result[:highest_severity]}, " \
+            "Patterns: #{analysis_result[:patterns].map { |p| p[:description] }.join(', ')}, " \
+            "Path: #{analysis_result[:patterns].first[:matched_path]}"
+          )
+        end
+
+        # Log what would happen in monitor-only mode (but don't actually block)
+        def log_monitor_only_action(ip_address, analysis_result, violation_count, threshold)
+          config = waf_config
+          duration = calculate_block_duration(violation_count, config)
+          
+          Rails.logger.warn(
+            "[Beskar::WAF] 🔍 MONITOR-ONLY: IP #{ip_address} WOULD BE BLOCKED " \
+            "(threshold reached: #{violation_count}/#{threshold} violations) - " \
+            "Duration would be: #{duration ? "#{duration / 3600.0} hours" : 'PERMANENT'}, " \
+            "Severity: #{analysis_result[:highest_severity]}, " \
+            "Patterns: #{analysis_result[:patterns].map { |p| p[:description] }.join(', ')}. " \
+            "To enable blocking, set config.waf[:monitor_only] = false"
+          )
+        end
+
+        # Create security event for WAF violation
+        def create_security_event(ip_address, analysis_result)
+          config = waf_config
+          violation_count = get_violation_count(ip_address)
+          threshold = config[:block_threshold] || 3
+          would_be_blocked = violation_count >= threshold
+          
+          Beskar::SecurityEvent.create!(
+            event_type: 'waf_violation',
+            ip_address: ip_address,
+            user_agent: analysis_result[:user_agent],
+            risk_score: severity_to_risk_score(analysis_result[:highest_severity]),
+            metadata: {
+              waf_analysis: analysis_result,
+              patterns_matched: analysis_result[:patterns].map { |p| p[:description] },
+              severity: analysis_result[:highest_severity],
+              monitor_only_mode: config[:monitor_only],
+              would_be_blocked: would_be_blocked,
+              violation_count: violation_count,
+              block_threshold: threshold
+            }
+          )
+        rescue => e
+          Rails.logger.error "[Beskar::WAF] Failed to create security event: #{e.message}"
+        end
+
+        # Auto-block an IP after threshold violations
+        def auto_block_ip(ip_address, analysis_result, violation_count)
+          config = waf_config
+          duration = calculate_block_duration(violation_count, config)
+          
+          Beskar::BannedIp.ban!(
+            ip_address,
+            reason: 'waf_violation',
+            duration: duration,
+            permanent: duration.nil?,
+            details: "WAF violations: #{violation_count} - #{analysis_result[:patterns].map { |p| p[:description] }.join(', ')}",
+            metadata: {
+              violation_count: violation_count,
+              patterns: analysis_result[:patterns],
+              highest_severity: analysis_result[:highest_severity],
+              blocked_at: Time.current
+            }
+          )
+
+          Rails.logger.warn(
+            "[Beskar::WAF] 🔒 Auto-blocked IP #{ip_address} " \
+            "after #{violation_count} violations " \
+            "(duration: #{duration ? "#{duration / 3600} hours" : 'permanent'})"
+          )
+        end
+
+        # Calculate block duration based on violation count
+        def calculate_block_duration(violation_count, config)
+          return nil if config[:permanent_block_after] && violation_count >= config[:permanent_block_after]
+
+          # Default escalating durations: 1h, 6h, 24h, 7d, permanent
+          base_durations = config[:block_durations] || [1.hour, 6.hours, 24.hours, 7.days]
+          index = [violation_count - (config[:block_threshold] || 3), base_durations.length - 1].min
+          base_durations[index]
+        end
+
+        # Convert severity level to risk score
+        def severity_to_risk_score(severity)
+          case severity
+          when :critical then 95
+          when :high then 80
+          when :medium then 60
+          when :low then 40
+          else 50
+          end
+        end
+      end
+    end
+  end
+end