beskar 0.0.1 → 0.1.0

data/lib/beskar/middleware/request_analyzer.rb

@@ -0,0 +1,305 @@
+module Beskar
+  module Middleware
+    class RequestAnalyzer
+      def initialize(app)
+        @app = app
+      end
+
+      def call(env)
+        request = ActionDispatch::Request.new(env)
+        ip_address = request.ip
+
+        Beskar::Logger.debug("[RequestAnalyzer] Processing request from IP: #{ip_address}, Path: #{request.path}", component: :Middleware)
+
+        # 1. Check if IP is whitelisted (whitelisted IPs skip blocking but still get logged)
+        is_whitelisted = Beskar::Services::IpWhitelist.whitelisted?(ip_address)
+
+        # 2. Check if IP is banned (early exit for blocked IPs, unless whitelisted or in monitor-only mode)
+        if !is_whitelisted && Beskar::BannedIp.banned?(ip_address)
+          if Beskar.configuration.monitor_only?
+            Beskar::Logger.warn("🔍 MONITOR-ONLY: Would block request from banned IP: #{ip_address}, but monitor_only=true. Request proceeding normally.", component: :Middleware)
+          else
+            Beskar::Logger.warn("Blocked request from banned IP: #{ip_address}", component: :Middleware)
+            return blocked_response("Your IP address has been blocked due to suspicious activity.")
+          end
+        end
+
+        # 3. Check rate limiting (unless whitelisted)
+        if !is_whitelisted && rate_limited?(request)
+          # Auto-block after excessive rate limiting violations (even in monitor-only mode - we create the ban record)
+          if should_auto_block_rate_limit?(ip_address)
+            Beskar::BannedIp.ban!(
+              ip_address,
+              reason: "rate_limit_abuse",
+              duration: 1.hour,
+              details: "Excessive rate limit violations"
+            )
+          end
+
+          if Beskar.configuration.monitor_only?
+            Beskar::Logger.warn("🔍 MONITOR-ONLY: Would block rate limit exceeded for IP: #{ip_address}, but monitor_only=true. Request proceeding normally.", component: :Middleware)
+          else
+            Beskar::Logger.warn("Rate limit exceeded for IP: #{ip_address}", component: :Middleware)
+            return rate_limit_response
+          end
+        end
+
+        # 4. Check WAF patterns (vulnerability scans)
+        if Beskar.configuration.waf_enabled?
+          Beskar::Logger.debug("[RequestAnalyzer] WAF enabled, analyzing request", component: :Middleware)
+          waf_analysis = Beskar::Services::Waf.analyze_request(request)
+
+          if waf_analysis
+            Beskar::Logger.debug("[RequestAnalyzer] WAF detected threat: #{waf_analysis[:patterns].map { |p| p[:description] }.join(", ")}", component: :Middleware)
+            # Log the violation (and create security event if configured)
+            # Pass whitelist status to prevent auto-blocking whitelisted IPs
+            current_score = Beskar::Services::Waf.record_violation(ip_address, waf_analysis, whitelisted: is_whitelisted)
+            Beskar::Logger.debug("[RequestAnalyzer] Current score after recording: #{current_score.round(2)}", component: :Middleware)
+
+            # Log even for whitelisted IPs (but don't block)
+            if is_whitelisted
+              Beskar::Logger.info("WAF violation from whitelisted IP #{ip_address} " \
+                "(not blocking): #{waf_analysis[:patterns].map { |p| p[:description] }.join(", ")}", component: :Middleware)
+            else
+              # Check if we should block
+              should_block = Beskar::Services::Waf.should_block?(ip_address)
+              Beskar::Logger.debug("[RequestAnalyzer] Should block IP #{ip_address}?: #{should_block}", component: :Middleware)
+
+              if Beskar.configuration.monitor_only?
+                # Monitor-only mode: Just log, don't block (but ban record was created by WAF.record_violation)
+                if should_block
+                  Beskar::Logger.warn("🔍 MONITOR-ONLY: Would block IP #{ip_address} " \
+                    "with score #{current_score.round(2)}, but monitor_only=true. " \
+                    "Request proceeding normally.", component: :Middleware)
+                end
+              elsif should_block && !Beskar.configuration.monitor_only?
+                # Actually block the request (not in monitor-only mode)
+                Beskar::Logger.warn("🔒 Blocking IP #{ip_address} " \
+                  "with WAF score #{current_score.round(2)}", component: :Middleware)
+                # Block already handled by WAF.record_violation auto-block logic
+                # But we return 403 immediately
+                return blocked_response("Access denied due to suspicious activity.")
+              end
+            end
+          else
+            Beskar::Logger.debug("[RequestAnalyzer] No WAF threat detected for path: #{request.path}", component: :Middleware)
+          end
+        else
+          Beskar::Logger.debug("[RequestAnalyzer] WAF is disabled", component: :Middleware)
+        end
+
+        # 5. Process the request normally (will raise 404 if route not found)
+        Beskar::Logger.debug("[RequestAnalyzer] Passing request to application", component: :Middleware)
+        @app.call(env)
+      rescue ActionController::UnknownFormat => e
+        # Analyze unknown format as potential scanner
+        if Beskar.configuration.waf_enabled?
+          handle_rails_exception(request, e, ip_address, is_whitelisted)
+        end
+        # Re-raise to allow normal error handling
+        raise
+      rescue ActionDispatch::RemoteIp::IpSpoofAttackError => e
+        # Handle IP spoofing attack
+        if Beskar.configuration.waf_enabled?
+          handle_rails_exception(request, e, ip_address, is_whitelisted)
+        end
+        # Re-raise to allow normal error handling
+        raise
+      rescue ActiveRecord::RecordNotFound => e
+        # Analyze record not found as potential enumeration scan
+        if Beskar.configuration.waf_enabled?
+          handle_rails_exception(request, e, ip_address, is_whitelisted)
+        end
+        # Re-raise to allow normal error handling
+        raise
+      rescue ActionDispatch::Http::MimeNegotiation::InvalidType => e
+        # Analyze invalid MIME type as potential scanner
+        if Beskar.configuration.waf_enabled?
+          handle_rails_exception(request, e, ip_address, is_whitelisted)
+        end
+        # Re-raise to allow normal error handling
+        raise
+      rescue ActionController::RoutingError => e
+        # If WAF is enabled, log 404s as potential scanning attempts
+        if Beskar.configuration.waf_enabled?
+          log_404_for_waf(request, e)
+        end
+        # Re-raise to allow normal 404 handling
+        raise
+      end
+
+      private
+
+      def rate_limited?(request)
+        # Check both IP rate limit and authentication abuse
+        ip_check = Beskar::Services::RateLimiter.check_ip_rate_limit(request.ip)
+        auth_abused = authentication_brute_force?(request.ip)
+
+        !ip_check[:allowed] || auth_abused
+      end
+
+      def should_auto_block_rate_limit?(ip_address)
+        # Check how many times this IP has been rate limited in the past hour
+        cache_key = "beskar:rate_limit_violations:#{ip_address}"
+        violations = Rails.cache.read(cache_key) || 0
+        violations += 1
+        Rails.cache.write(cache_key, violations, expires_in: 1.hour)
+
+        # Block after 5 rate limit violations in an hour
+        violations >= 5
+      end
+
+      def authentication_brute_force?(ip_address)
+        # Check authentication failure count from RateLimiter
+        cache_key = "beskar:ip_auth_failures:#{ip_address}"
+
+        # Get current failure count and timestamp
+        failure_data = Rails.cache.read(cache_key)
+        return false unless failure_data.is_a?(Hash)
+
+        # Count recent failures (within the configured period)
+        config = Beskar.configuration.rate_limiting[:ip_attempts] || {}
+        period = config[:period] || 1.hour
+        limit = config[:limit] || 10
+
+        now = Time.current.to_i
+        recent_failures = failure_data.select { |timestamp, _| now - timestamp.to_i < period.to_i }
+
+        # If too many auth failures, it's brute force
+        if recent_failures.length >= limit
+          # Auto-ban for authentication abuse (create ban record even in monitor-only mode)
+          Beskar::BannedIp.ban!(
+            ip_address,
+            reason: "authentication_abuse",
+            duration: 1.hour,
+            details: "#{recent_failures.length} failed authentication attempts in #{period / 60} minutes",
+            metadata: {failure_count: recent_failures.length, detection_time: Time.current}
+          )
+
+          if Beskar.configuration.monitor_only?
+            Beskar::Logger.warn("🔍 MONITOR-ONLY: Would auto-block IP #{ip_address} " \
+              "for authentication brute force (#{recent_failures.length} failures), but monitor_only=true", component: :Middleware)
+          else
+            Beskar::Logger.warn("🔒 Auto-blocked IP #{ip_address} " \
+              "for authentication brute force (#{recent_failures.length} failures)", component: :Middleware)
+          end
+
+          return true
+        end
+
+        false
+      end
+
+      def handle_rails_exception(request, exception, ip_address, is_whitelisted)
+        # Analyze the exception using WAF
+        waf_analysis = Beskar::Services::Waf.analyze_exception(exception, request)
+
+        if waf_analysis
+          Beskar::Logger.debug("[RequestAnalyzer] WAF detected threat from exception: #{exception.class.name}", component: :Middleware)
+
+          # Record the violation (similar to regular WAF violations)
+          current_score = Beskar::Services::Waf.record_violation(ip_address, waf_analysis, whitelisted: is_whitelisted)
+
+          # Log for whitelisted IPs
+          if is_whitelisted
+            Beskar::Logger.info("Exception-based WAF violation from whitelisted IP #{ip_address} " \
+              "(not blocking): #{exception.class.name} - #{waf_analysis[:patterns].first[:description]}", component: :Middleware)
+          else
+            # Check if we should block
+            should_block = Beskar::Services::Waf.should_block?(ip_address)
+
+            if Beskar.configuration.monitor_only?
+              if should_block
+                Beskar::Logger.warn("🔍 MONITOR-ONLY: Would block IP #{ip_address} " \
+                  "with score #{current_score.round(2)} (exception: #{exception.class.name}), " \
+                  "but monitor_only=true. Request proceeding normally.", component: :Middleware)
+              end
+            elsif should_block && !Beskar.configuration.monitor_only?
+              Beskar::Logger.warn("🔒 Blocking IP #{ip_address} " \
+                "with score #{current_score.round(2)} (exception: #{exception.class.name})", component: :Middleware)
+              # Note: We don't return blocked response here as exception is already raised
+              # The ban record is created by WAF.record_violation
+            end
+          end
+        end
+      end
+
+      def log_404_for_waf(request, error)
+        # 404s on suspicious paths might indicate scanning
+        path = request.fullpath || request.path
+
+        # Only log if it matches WAF patterns (already analyzed in analyze_request)
+        waf_analysis = Beskar::Services::Waf.analyze_request(request)
+
+        if waf_analysis
+          Beskar::Logger.info("404 on suspicious path from #{request.ip}: #{path} " \
+            "(WAF patterns: #{waf_analysis[:patterns].map { |p| p[:description] }.join(", ")})", component: :Middleware)
+        end
+      end
+
+      def blocked_response(message = "Forbidden")
+        [
+          403,
+          {
+            "Content-Type" => "text/html",
+            "X-Beskar-Blocked" => "true"
+          },
+          [render_blocked_page(message)]
+        ]
+      end
+
+      def rate_limit_response
+        [
+          429,
+          {
+            "Content-Type" => "text/html",
+            "Retry-After" => "3600",
+            "X-Beskar-Rate-Limited" => "true"
+          },
+          [render_rate_limit_page]
+        ]
+      end
+
+      def render_blocked_page(message)
+        <<~HTML
+          <!DOCTYPE html>
+          <html>
+          <head>
+            <title>Access Denied</title>
+            <style>
+              body { font-family: Arial, sans-serif; text-align: center; padding: 50px; }
+              h1 { color: #d32f2f; }
+              p { color: #666; }
+            </style>
+          </head>
+          <body>
+            <h1>Access Denied</h1>
+            <p>#{message}</p>
+            <p>If you believe this is an error, please contact the site administrator.</p>
+          </body>
+          </html>
+        HTML
+      end
+
+      def render_rate_limit_page
+        <<~HTML
+          <!DOCTYPE html>
+          <html>
+          <head>
+            <title>Too Many Requests</title>
+            <style>
+              body { font-family: Arial, sans-serif; text-align: center; padding: 50px; }
+              h1 { color: #ff9800; }
+              p { color: #666; }
+            </style>
+          </head>
+          <body>
+            <h1>Too Many Requests</h1>
+            <p>You have exceeded the rate limit. Please try again later.</p>
+          </body>
+          </html>
+        HTML
+      end
+    end
+  end
+end

data/lib/beskar/middleware.rb

@@ -0,0 +1,4 @@
+module Beskar
+  module Middleware
+  end
+end

data/lib/beskar/models/security_trackable.rb

@@ -0,0 +1,25 @@
+module Beskar
+  module Models
+    # Main SecurityTrackable module - delegates to Devise-specific implementation
+    # for backward compatibility with existing Devise integrations
+    #
+    # This is now a thin wrapper around the modular implementation:
+    # - SecurityTrackableGeneric: Shared functionality for all auth systems
+    # - SecurityTrackableDevise: Devise/Warden specific (included by default here)
+    # - SecurityTrackableAuthenticable: Rails 8 has_secure_password specific
+    #
+    # Usage:
+    #   For Devise models:
+    #     include Beskar::Models::SecurityTrackable  # (this module)
+    #   For Rails 8 auth models:
+    #     include Beskar::Models::SecurityTrackableAuthenticable
+    module SecurityTrackable
+      extend ActiveSupport::Concern
+
+      included do
+        # Include Devise-specific tracking by default for backward compatibility
+        include Beskar::Models::SecurityTrackableDevise
+      end
+    end
+  end
+end

data/lib/beskar/models/security_trackable_authenticable.rb

@@ -0,0 +1,167 @@
+module Beskar
+  module Models
+    # Rails 8 authentication-specific security tracking functionality
+    # This module provides security tracking for models using has_secure_password
+    # and session-based authentication (Rails 8 built-in authentication)
+    module SecurityTrackableAuthenticable
+      extend ActiveSupport::Concern
+
+      included do
+        # Include the generic functionality first
+        include Beskar::Models::SecurityTrackableGeneric
+
+        # No automatic callbacks like Devise - tracking is done explicitly
+        # in controllers via the Beskar::Controllers::SecurityTracking concern
+      end
+
+      # Make handle_high_risk_lock public (it's private in Generic)
+      public
+      
+      # Rails 8 auth-specific: Handle high risk lock by destroying sessions
+      # Public method called when high-risk event is detected
+      def handle_high_risk_lock(security_event, request)
+        reason = determine_lock_reason(security_event)
+        
+        Beskar::Logger.warn("Rails auth high-risk lock detected: #{reason}")
+        
+        # Destroy all sessions to immediately lock out attacker
+        destroy_all_sessions(except: request.session.id)
+        
+        # Check if this warrants emergency password reset
+        if should_reset_password?(security_event, reason)
+          perform_emergency_password_reset(security_event, reason)
+        end
+      end
+
+      # Destroy all user sessions (for impossible travel / high-risk scenarios)
+      def destroy_all_sessions(except: nil)
+        if respond_to?(:sessions) && sessions.respond_to?(:destroy_all)
+          if except
+            # Keep current session but destroy all others
+            sessions.where.not(id: except).destroy_all
+            Beskar::Logger.info("Destroyed #{sessions.count} sessions except current")
+          else
+            # Destroy ALL sessions including current
+            count = sessions.count
+            sessions.destroy_all
+            Beskar::Logger.info("Destroyed all #{count} sessions")
+          end
+        else
+          Beskar::Logger.warn("Model does not have sessions association, cannot destroy sessions")
+        end
+      rescue => e
+        Beskar::Logger.error("Failed to destroy sessions: #{e.message}")
+      end
+
+      # Determine if emergency password reset is warranted
+      def should_reset_password?(security_event, reason)
+        config = Beskar.configuration.emergency_password_reset
+        return false unless config[:enabled]
+
+        case reason
+        when :impossible_travel
+          # Count impossible travel events in recent history
+          recent_impossible_travel = security_events
+            .where(event_type: ["account_locked", "login_success"])
+            .where("created_at >= ?", 24.hours.ago)
+            .where("metadata->>'geolocation' LIKE ?", '%impossible_travel%')
+            .count
+          
+          recent_impossible_travel >= (config[:impossible_travel_threshold] || 3)
+          
+        when :suspicious_device
+          # Multiple suspicious device logins
+          recent_suspicious = security_events
+            .where(event_type: "account_locked")
+            .where("created_at >= ?", 24.hours.ago)
+            .where("metadata->>'device_info' LIKE ?", '%suspicious%')
+            .count
+          
+          recent_suspicious >= (config[:suspicious_device_threshold] || 5)
+          
+        else
+          # For other reasons, check total lock count
+          recent_locks = security_events
+            .where(event_type: "account_locked")
+            .where("created_at >= ?", 24.hours.ago)
+            .count
+          
+          recent_locks >= (config[:total_locks_threshold] || 5)
+        end
+      end
+
+      # Perform emergency password reset
+      def perform_emergency_password_reset(security_event, reason)
+        config = Beskar.configuration.emergency_password_reset
+        
+        # Generate a cryptographically secure random password
+        new_password = SecureRandom.base58(32)
+        
+        begin
+          # Update password
+          update!(password: new_password, password_confirmation: new_password)
+          
+          # Log the reset event
+          security_events.create!(
+            event_type: "emergency_password_reset",
+            ip_address: security_event.ip_address,
+            user_agent: security_event.user_agent,
+            metadata: {
+              reason: reason.to_s,
+              triggering_event_id: security_event.id,
+              timestamp: Time.current.iso8601,
+              reset_method: "automatic"
+            },
+            risk_score: 100
+          )
+          
+          # Send notification to user
+          if config[:send_notification]
+            send_emergency_reset_notification(reason)
+          end
+          
+          # Notify security team
+          if config[:notify_security_team]
+            notify_security_team_of_reset(reason, security_event)
+          end
+          
+          Beskar::Logger.warn("Emergency password reset performed for user #{id}, reason: #{reason}")
+          
+        rescue => e
+          Beskar::Logger.error("Failed to perform emergency password reset: #{e.message}")
+          
+          # Create failed reset event
+          security_events.create!(
+            event_type: "emergency_password_reset_failed",
+            ip_address: security_event.ip_address,
+            user_agent: security_event.user_agent,
+            metadata: {
+              reason: reason.to_s,
+              error: e.message,
+              timestamp: Time.current.iso8601
+            },
+            risk_score: 100
+          )
+        end
+      end
+
+      # Send notification to user about emergency password reset
+      def send_emergency_reset_notification(reason)
+        # This should be implemented by the application
+        # Example: UserMailer.emergency_password_reset(self, reason).deliver_later
+        Beskar::Logger.info("Would send emergency reset notification to user #{id}")
+      rescue => e
+        Beskar::Logger.error("Failed to send emergency reset notification: #{e.message}")
+      end
+
+      # Notify security team about emergency password reset
+      def notify_security_team_of_reset(reason, security_event)
+        # This should be implemented by the application
+        # Example: SecurityMailer.emergency_reset_alert(self, reason, security_event).deliver_later
+        Beskar::Logger.info("Would notify security team about reset for user #{id}")
+      rescue => e
+        Beskar::Logger.error("Failed to notify security team: #{e.message}")
+      end
+    end
+  end
+end

data/lib/beskar/models/security_trackable_devise.rb

@@ -0,0 +1,82 @@
+module Beskar
+  module Models
+    # Devise-specific security tracking functionality
+    # This module hooks into Devise/Warden callbacks and provides
+    # Devise-specific authentication tracking and account locking
+    module SecurityTrackableDevise
+      extend ActiveSupport::Concern
+
+      included do
+        # Include the generic functionality first
+        include Beskar::Models::SecurityTrackableGeneric
+
+        # Hook into Devise callbacks if Devise is present and available
+        if defined?(Devise) && respond_to?(:after_database_authentication)
+          # Track successful authentications
+          after_database_authentication :track_successful_login
+        end
+      end
+
+      # Track successful login via Devise callback
+      def track_successful_login
+        # Skip tracking if disabled in configuration
+        unless Beskar.configuration.track_successful_logins?
+          Beskar::Logger.debug("Successful login tracking disabled in configuration")
+          return
+        end
+
+        if current_request = request_from_context
+          track_authentication_event(current_request, :success)
+        end
+      rescue => e
+        Beskar::Logger.warn("Failed to track successful login: #{e.message}")
+        nil
+      end
+
+      # PUBLIC method called from Warden callback in engine.rb
+      # Checks if account was just locked due to high risk and signs out if needed
+      def check_high_risk_lock_and_signout(auth)
+        return unless Beskar.configuration.risk_based_locking_enabled?
+
+        # Check if there's a very recent lock event (within last 5 seconds)
+        recent_lock = security_events
+          .where(event_type: ["account_locked", "lock_attempted"])
+          .where("created_at >= ?", 5.seconds.ago)
+          .exists?
+
+        if recent_lock
+          Beskar::Logger.warn("High-risk lock detected, signing out user #{id}")
+          auth.logout
+          throw :warden, message: :account_locked_due_to_high_risk
+        end
+      end
+
+      private
+
+      # Devise-specific: Try to get request from various Warden/Devise contexts
+      def request_from_context
+        # Try to get request from various contexts
+        if defined?(Current) && Current.respond_to?(:request)
+          Current.request
+        elsif Thread.current[:request]
+          Thread.current[:request]
+        elsif defined?(ActionController::Base) && ActionController::Base.respond_to?(:current_request)
+          ActionController::Base.current_request
+        elsif defined?(Warden) && Warden::Manager.respond_to?(:current_request)
+          Warden::Manager.current_request
+        end
+      rescue => e
+        Beskar::Logger.debug("Could not get request from context: #{e.message}")
+        nil
+      end
+
+      # Devise-specific: Handle high risk lock by creating lock event
+      # The actual sign-out is handled by Warden callback in engine.rb
+      def handle_high_risk_lock(security_event, request)
+        Beskar::Logger.debug("Devise account locked - Warden callback will handle sign-out")
+        # The lock event is already created by AccountLocker service
+        # The Warden callback will detect it and perform the actual sign-out
+      end
+    end
+  end
+end