beskar 0.0.1 → 0.1.0

data/app/controllers/concerns/beskar/controllers/security_tracking.rb

@@ -0,0 +1,70 @@
+module Beskar
+  module Controllers
+    # Controller concern for tracking Rails 8 authentication events
+    # 
+    # Usage in SessionsController:
+    #   class SessionsController < ApplicationController
+    #     include Beskar::Controllers::SecurityTracking
+    #     
+    #     def create
+    #       if user = User.authenticate_by(params.permit(:email_address, :password))
+    #         track_authentication_success(user)
+    #         start_new_session_for user
+    #         redirect_to after_authentication_url
+    #       else
+    #         track_authentication_failure(User, :user)
+    #         redirect_to new_session_path, alert: "Try another email address or password."
+    #       end
+    #     end
+    #   end
+    module SecurityTracking
+      extend ActiveSupport::Concern
+
+      private
+
+      # Track successful authentication for a user
+      # This should be called after verifying credentials but before creating session
+      def track_authentication_success(user)
+        return unless user
+        return unless Beskar.configuration.track_successful_logins?
+
+        user.track_authentication_event(request, :success)
+        Beskar::Logger.info("Tracked successful authentication for user #{user.id}")
+      rescue => e
+        Beskar::Logger.error("Failed to track authentication success: #{e.message}")
+      end
+
+      # Track failed authentication attempt
+      # This should be called when authentication fails
+      def track_authentication_failure(model_class, scope = :user)
+        return unless Beskar.configuration.track_failed_logins?
+
+        model_class.track_failed_authentication(request, scope)
+        Beskar::Logger.info("Tracked failed authentication for scope #{scope}")
+      rescue => e
+        Beskar::Logger.error("Failed to track authentication failure: #{e.message}")
+      end
+
+      # Track logout event
+      def track_logout(user)
+        return unless user
+        return unless Beskar.configuration.security_tracking_enabled?
+
+        user.security_events.create!(
+          event_type: "logout",
+          ip_address: request.ip,
+          user_agent: request.user_agent,
+          metadata: {
+            timestamp: Time.current.iso8601,
+            session_id: request.session.id,
+            request_path: request.path
+          },
+          risk_score: 0
+        )
+        Beskar::Logger.info("Tracked logout for user #{user.id}")
+      rescue => e
+        Beskar::Logger.error("Failed to track logout: #{e.message}")
+      end
+    end
+  end
+end

data/app/models/beskar/banned_ip.rb

@@ -0,0 +1,193 @@
+module Beskar
+  class BannedIp < ApplicationRecord
+    # Serialize metadata as JSON
+    serialize :metadata, coder: JSON
+
+    validates :ip_address, presence: true, uniqueness: true
+    validates :reason, presence: true
+    validates :banned_at, presence: true
+
+    # Ensure metadata is always a hash
+    after_initialize do
+      self.metadata ||= {}
+    end
+
+    # Cache management callbacks
+    after_save :update_cache
+    after_destroy :clear_cache
+
+    scope :active, -> { where("expires_at IS NULL OR expires_at > ?", Time.current) }
+    scope :permanent, -> { where(permanent: true) }
+    scope :temporary, -> { where(permanent: false) }
+    scope :expired, -> { where("expires_at IS NOT NULL AND expires_at <= ?", Time.current) }
+    scope :by_reason, ->(reason) { where(reason: reason) }
+
+    # Check if a ban is currently active
+    def active?
+      permanent? || (expires_at.present? && expires_at > Time.current)
+    end
+
+    # Check if ban has expired
+    def expired?
+      !permanent? && expires_at.present? && expires_at <= Time.current
+    end
+
+    # Extend ban duration (for repeat offenders)
+    def extend_ban!(additional_time = nil)
+      self.violation_count += 1
+      
+      if permanent?
+        # Already permanent, just increment violation count
+        save!
+      elsif additional_time
+        self.expires_at = [expires_at || Time.current, Time.current].max + additional_time
+        save!
+      else
+        # Calculate exponential backoff based on violation count
+        # 1 hour, 6 hours, 24 hours, 7 days, permanent
+        duration = case violation_count
+        when 1 then 1.hour
+        when 2 then 6.hours
+        when 3 then 24.hours
+        when 4 then 7.days
+        else
+          self.permanent = true
+          nil
+        end
+
+        if duration
+          self.expires_at = Time.current + duration
+        end
+        save!
+      end
+    end
+
+    # Unban an IP address
+    def unban!
+      destroy
+    end
+
+    # Class methods for ban management
+    class << self
+      # Ban an IP address
+      def ban!(ip_address, reason:, duration: nil, permanent: false, details: nil, metadata: {})
+        # Retry logic to handle race conditions when multiple requests try to ban the same IP
+        retries = 0
+        max_retries = 2
+
+        begin
+          banned_ip = find_or_initialize_by(ip_address: ip_address)
+
+          if banned_ip.persisted?
+            # Existing ban - extend it
+            banned_ip.extend_ban!(duration)
+            banned_ip.details = details if details
+            # Deep stringify keys to avoid duplicate key issues
+            if metadata.any?
+              banned_ip.metadata = banned_ip.metadata.deep_stringify_keys.merge(metadata.deep_stringify_keys)
+            end
+            banned_ip.save!
+          else
+            # New ban
+            banned_ip.assign_attributes(
+              reason: reason,
+              banned_at: Time.current,
+              expires_at: permanent ? nil : (Time.current + (duration || 1.hour)),
+              permanent: permanent,
+              details: details,
+              metadata: metadata
+            )
+            banned_ip.save!
+          end
+
+          # Update cache
+          cache_key = "beskar:banned_ip:#{ip_address}"
+          Rails.cache.write(cache_key, true, expires_in: permanent ? nil : (duration || 1.hour))
+
+          banned_ip
+        rescue ActiveRecord::RecordInvalid => e
+          # Race condition: another request created the record between find and save
+          if e.message.include?("Ip address has already been taken") && retries < max_retries
+            retries += 1
+            # Small random delay to reduce contention (1-10ms)
+            sleep(rand(1..10) / 1000.0)
+            retry
+          else
+            # Re-raise if it's a different validation error or we've exceeded retries
+            raise
+          end
+        end
+      end
+
+      # Check if an IP is banned (cache-first approach)
+      def banned?(ip_address)
+        # Check cache first for performance
+        cache_key = "beskar:banned_ip:#{ip_address}"
+        cached_result = Rails.cache.read(cache_key)
+        return true if cached_result == true
+        return false if cached_result == false
+
+        # Check database
+        banned_record = active.find_by(ip_address: ip_address)
+        is_banned = banned_record&.active? || false
+
+        # Update cache
+        if is_banned && banned_record
+          ttl = banned_record.permanent? ? 30.days : (banned_record.expires_at - Time.current).to_i
+          Rails.cache.write(cache_key, true, expires_in: ttl)
+        else
+          Rails.cache.write(cache_key, false, expires_in: 5.minutes)
+        end
+
+        is_banned
+      end
+
+      # Unban an IP address
+      def unban!(ip_address)
+        banned_ip = find_by(ip_address: ip_address)
+        if banned_ip
+          banned_ip.destroy
+          # Clear cache
+          Rails.cache.delete("beskar:banned_ip:#{ip_address}")
+          true
+        else
+          false
+        end
+      end
+
+      # Load all active bans into cache (called on app startup)
+      def preload_cache!
+        active.find_each do |banned_ip|
+          cache_key = "beskar:banned_ip:#{banned_ip.ip_address}"
+          ttl = banned_ip.permanent? ? 30.days : [(banned_ip.expires_at - Time.current).to_i, 60].max
+          Rails.cache.write(cache_key, true, expires_in: ttl)
+        end
+      end
+
+      # Clean up expired bans
+      def cleanup_expired!
+        expired.destroy_all
+      end
+    end
+
+    private
+
+    def update_cache
+      return unless active?
+
+      cache_key = "beskar:banned_ip:#{ip_address}"
+      ttl = calculate_cache_ttl
+      Rails.cache.write(cache_key, true, expires_in: ttl)
+    end
+
+    def clear_cache
+      Rails.cache.delete("beskar:banned_ip:#{ip_address}")
+    end
+
+    def calculate_cache_ttl
+      return nil if permanent? || expires_at.nil?
+
+      (expires_at - Time.current).to_i
+    end
+  end
+end

data/app/models/beskar/security_event.rb

@@ -0,0 +1,64 @@
+module Beskar
+  class SecurityEvent < ApplicationRecord
+    belongs_to :user, polymorphic: true, optional: true
+
+    validates :event_type, presence: true
+    validates :ip_address, presence: true
+    validates :risk_score, numericality: {in: 0..100}
+
+    scope :login_failures, -> { where(event_type: "login_failure") }
+    scope :login_successes, -> { where(event_type: "login_success") }
+    scope :recent, ->(time = 1.hour.ago) { where("created_at >= ?", time) }
+    scope :by_ip, ->(ip) { where(ip_address: ip) }
+    scope :high_risk, -> { where("risk_score >= ?", 70) }
+    scope :critical_risk, -> { where("risk_score >= ?", 90) }
+
+    def critical_threat?
+      risk_score >= 90
+    end
+
+    def high_risk?
+      risk_score >= 70
+    end
+
+    def login_failure?
+      event_type == "login_failure"
+    end
+
+    def login_success?
+      event_type == "login_success"
+    end
+
+    def attempted_email
+      read_attribute(:attempted_email) || metadata&.dig("attempted_email")
+    end
+
+    def attempted_email=(value)
+      write_attribute(:attempted_email, value)
+      # Also store in metadata for backwards compatibility
+      self.metadata = (metadata || {}).merge("attempted_email" => value) if value.present?
+    end
+
+    def device_info
+      metadata&.dig("device_info") || {}
+    end
+
+    def geolocation
+      metadata&.dig("geolocation") || {}
+    end
+
+    def details
+      # Extract details from metadata if available
+      # Check multiple possible fields where details might be stored
+      return nil unless metadata.present?
+
+      metadata["details"] ||
+        metadata["description"] ||
+        metadata["message"] ||
+        metadata["reason"] ||
+        metadata["error"] ||
+        metadata["info"] ||
+        nil
+    end
+  end
+end

data/app/services/beskar/banned_ip_manager.rb

@@ -0,0 +1,78 @@
+module Beskar
+  class BannedIpManager
+    attr_reader :banned_ip, :errors
+
+    def initialize(params)
+      @params = params
+      @errors = []
+      @banned_ip = nil
+    end
+
+    def create
+      @banned_ip = BannedIp.new(base_attributes)
+      configure_ban_duration
+
+      @banned_ip.save
+    end
+
+    def success?
+      @banned_ip&.persisted?
+    end
+
+    private
+
+    def base_attributes
+      {
+        ip_address: @params[:ip_address],
+        reason: @params[:reason],
+        details: @params[:details],
+        violation_count: @params[:violation_count] || 1,
+        metadata: @params[:metadata] || {},
+        banned_at: Time.current
+      }
+    end
+
+    def configure_ban_duration
+      return set_permanent_ban if permanent_ban?
+
+      set_temporary_ban
+    end
+
+    def permanent_ban?
+      @params[:ban_type] == 'permanent'
+    end
+
+    def set_permanent_ban
+      @banned_ip.permanent = true
+      @banned_ip.expires_at = nil
+    end
+
+    def set_temporary_ban
+      @banned_ip.permanent = false
+      @banned_ip.expires_at = calculate_expiry_time
+    end
+
+    def calculate_expiry_time
+      return custom_expiry_time if custom_expiry_time.present?
+      return preset_duration_expiry if preset_duration.present?
+
+      default_expiry_time
+    end
+
+    def custom_expiry_time
+      @params[:expires_at]
+    end
+
+    def preset_duration
+      @params[:duration]
+    end
+
+    def preset_duration_expiry
+      Time.current + preset_duration.to_i.seconds
+    end
+
+    def default_expiry_time
+      24.hours.from_now
+    end
+  end
+end

data/app/views/beskar/banned_ips/edit.html.erb

@@ -0,0 +1,259 @@
+<% content_for :page_title, "Edit Ban: #{@banned_ip.ip_address}" %>
+
+<% content_for :header_actions do %>
+  <%= link_to "← Cancel", banned_ip_path(@banned_ip), class: "btn btn-secondary" %>
+<% end %>
+
+<div class="card">
+  <div class="card-header">
+    <h3 class="card-title">Edit IP Ban</h3>
+    <div class="card-subtitle">Modify ban settings for <%= @banned_ip.ip_address %></div>
+  </div>
+  <div class="card-body">
+    <%= form_with model: @banned_ip, url: banned_ip_path(@banned_ip), method: :patch, local: true do |f| %>
+      <% if @banned_ip.errors.any? %>
+        <div class="alert alert-danger">
+          <h4 style="font-size: 14px; font-weight: 600; margin-bottom: 0.5rem;">
+            <%= pluralize(@banned_ip.errors.count, "error") %> prohibited this ban from being saved:
+          </h4>
+          <ul style="margin: 0; padding-left: 1.5rem;">
+            <% @banned_ip.errors.full_messages.each do |message| %>
+              <li style="font-size: 13px;"><%= message %></li>
+            <% end %>
+          </ul>
+        </div>
+      <% end %>
+
+      <div style="display: grid; grid-template-columns: 1fr; gap: 1.5rem; max-width: 600px;">
+        <!-- IP Address (Read-only) -->
+        <div class="form-group">
+          <%= f.label :ip_address, "IP Address" %>
+          <%= f.text_field :ip_address,
+              disabled: true,
+              style: "font-family: monospace; background: #F4F5F7; cursor: not-allowed;" %>
+          <div style="font-size: 12px; color: #697386; margin-top: 0.25rem;">
+            IP addresses cannot be changed. To ban a different IP, create a new ban.
+          </div>
+        </div>
+
+        <!-- Current Status -->
+        <div class="form-group">
+          <label>Current Status</label>
+          <div style="display: flex; align-items: center; gap: 1rem;">
+            <% if @banned_ip.permanent? %>
+              <span class="badge badge-critical">Permanent Ban</span>
+            <% elsif @banned_ip.active? %>
+              <span class="badge badge-danger">Active</span>
+              <span style="font-size: 13px; color: #697386;">
+                Expires in <%= distance_of_time_in_words(Time.current, @banned_ip.expires_at) %>
+              </span>
+            <% else %>
+              <span class="badge badge-neutral">Expired</span>
+              <span style="font-size: 13px; color: #697386;">
+                Expired <%= time_ago_in_words(@banned_ip.expires_at) %> ago
+              </span>
+            <% end %>
+          </div>
+        </div>
+
+        <!-- Reason -->
+        <div class="form-group">
+          <%= f.label :reason, "Ban Reason *" %>
+          <%= f.select :reason,
+              options_for_select([
+                ['Rate Limit Abuse', 'rate_limit_abuse'],
+                ['Authentication Abuse', 'authentication_abuse'],
+                ['WAF Violation', 'waf_violation'],
+                ['Brute Force Attack', 'brute_force_attack'],
+                ['Suspicious Activity', 'suspicious_activity'],
+                ['Manual Ban', 'manual_ban'],
+                ['Other', 'other']
+              ], @banned_ip.reason),
+              { prompt: 'Select a reason...' },
+              { required: true } %>
+          <div style="font-size: 12px; color: #697386; margin-top: 0.25rem;">
+            Update the reason for this ban if needed.
+          </div>
+        </div>
+
+        <!-- Ban Duration -->
+        <div class="form-group">
+          <label>Ban Duration</label>
+          <div style="display: flex; flex-direction: column; gap: 0.5rem;">
+            <label style="display: flex; align-items: center; gap: 0.5rem; cursor: pointer;">
+              <%= f.radio_button :permanent, false,
+                  onchange: "toggleDurationFields()",
+                  checked: !@banned_ip.permanent? %>
+              <span style="font-weight: normal;">Temporary Ban</span>
+            </label>
+            <label style="display: flex; align-items: center; gap: 0.5rem; cursor: pointer;">
+              <%= f.radio_button :permanent, true,
+                  onchange: "toggleDurationFields()",
+                  checked: @banned_ip.permanent? %>
+              <span style="font-weight: normal; color: #D32F2F;">Permanent Ban</span>
+            </label>
+          </div>
+          <% if @banned_ip.permanent? %>
+            <div class="alert alert-warning" style="margin-top: 0.5rem;">
+              <strong>Warning:</strong> This is currently a permanent ban. Changing it to temporary will set an expiration date.
+            </div>
+          <% end %>
+        </div>
+
+        <!-- Temporary Ban Options -->
+        <div id="temporary-options" style="<%= @banned_ip.permanent? ? 'display: none;' : '' %>">
+          <div class="form-group">
+            <%= f.label :expires_at, "Expiry Date/Time" %>
+            <%= f.datetime_field :expires_at,
+                value: @banned_ip.expires_at&.strftime('%Y-%m-%dT%H:%M'),
+                min: DateTime.now.strftime('%Y-%m-%dT%H:%M') %>
+            <div style="font-size: 12px; color: #697386; margin-top: 0.25rem;">
+              Set when this ban should expire. Leave empty for default duration.
+            </div>
+          </div>
+
+          <!-- Quick Extension Options -->
+          <div class="form-group">
+            <label>Quick Extension</label>
+            <div style="display: grid; grid-template-columns: repeat(3, 1fr); gap: 0.5rem;">
+              <button type="button" onclick="extendBan(1)" class="btn btn-sm btn-secondary">+1 Hour</button>
+              <button type="button" onclick="extendBan(24)" class="btn btn-sm btn-secondary">+1 Day</button>
+              <button type="button" onclick="extendBan(168)" class="btn btn-sm btn-secondary">+7 Days</button>
+              <button type="button" onclick="extendBan(720)" class="btn btn-sm btn-secondary">+30 Days</button>
+              <button type="button" onclick="extendBan(2160)" class="btn btn-sm btn-secondary">+90 Days</button>
+              <button type="button" onclick="makePermanent()" class="btn btn-sm btn-danger">Make Permanent</button>
+            </div>
+          </div>
+        </div>
+
+        <!-- Details -->
+        <div class="form-group">
+          <%= f.label :details, "Additional Details" %>
+          <%= f.text_area :details,
+              rows: 3,
+              placeholder: "Provide any additional context or details about this ban..." %>
+          <div style="font-size: 12px; color: #697386; margin-top: 0.25rem;">
+            Update any relevant information about why this IP is banned.
+          </div>
+        </div>
+
+        <!-- Violation Count -->
+        <div class="form-group">
+          <%= f.label :violation_count, "Violation Count" %>
+          <%= f.number_field :violation_count, min: 0 %>
+          <div style="font-size: 12px; color: #697386; margin-top: 0.25rem;">
+            Current violation count: <%= @banned_ip.violation_count %>. Higher counts may result in longer bans for repeat offenders.
+          </div>
+        </div>
+
+        <hr style="border: none; border-top: 1px solid #E3E8EE; margin: 1.5rem 0;">
+
+        <!-- Ban History -->
+        <div class="form-group">
+          <label>Ban History</label>
+          <div style="background: #FAFBFC; border: 1px solid #E3E8EE; border-radius: 6px; padding: 1rem;">
+            <div style="display: grid; grid-template-columns: repeat(auto-fit, minmax(150px, 1fr)); gap: 1rem;">
+              <div>
+                <div style="font-size: 11px; font-weight: 600; text-transform: uppercase; letter-spacing: 0.025em; color: #697386;">
+                  Originally Banned
+                </div>
+                <div style="font-size: 13px; color: #1A1F36; margin-top: 0.25rem;">
+                  <%= @banned_ip.banned_at.strftime("%Y-%m-%d %H:%M:%S") %>
+                </div>
+              </div>
+              <div>
+                <div style="font-size: 11px; font-weight: 600; text-transform: uppercase; letter-spacing: 0.025em; color: #697386;">
+                  Time Banned
+                </div>
+                <div style="font-size: 13px; color: #1A1F36; margin-top: 0.25rem;">
+                  <%= time_ago_in_words(@banned_ip.banned_at) %>
+                </div>
+              </div>
+              <% if @banned_ip.updated_at != @banned_ip.created_at %>
+                <div>
+                  <div style="font-size: 11px; font-weight: 600; text-transform: uppercase; letter-spacing: 0.025em; color: #697386;">
+                    Last Modified
+                  </div>
+                  <div style="font-size: 13px; color: #1A1F36; margin-top: 0.25rem;">
+                    <%= @banned_ip.updated_at.strftime("%Y-%m-%d %H:%M:%S") %>
+                  </div>
+                </div>
+              <% end %>
+            </div>
+          </div>
+        </div>
+
+        <!-- Submit Buttons -->
+        <div style="display: flex; gap: 0.5rem;">
+          <%= f.submit "Update Ban", class: "btn btn-primary" %>
+          <%= link_to "Cancel", banned_ip_path(@banned_ip), class: "btn btn-secondary" %>
+          <%= link_to "Delete Ban", banned_ip_path(@banned_ip),
+              data: {
+                "turbo-method": "delete",
+                "turbo-confirm": "Are you sure you want to unban #{@banned_ip.ip_address}?"
+              },
+              class: "btn btn-danger" %>
+        </div>
+      </div>
+    <% end %>
+  </div>
+</div>
+
+<script>
+  function toggleDurationFields() {
+    const isPermanent = document.querySelector('input[name="banned_ip[permanent]"]:checked').value === 'true';
+    const temporaryOptions = document.getElementById('temporary-options');
+
+    if (isPermanent) {
+      temporaryOptions.style.display = 'none';
+      document.getElementById('banned_ip_expires_at').value = '';
+    } else {
+      temporaryOptions.style.display = 'block';
+      // If switching from permanent to temporary, set a default expiry
+      if (!document.getElementById('banned_ip_expires_at').value) {
+        const defaultExpiry = new Date(Date.now() + 24 * 60 * 60 * 1000); // 24 hours from now
+        document.getElementById('banned_ip_expires_at').value = defaultExpiry.toISOString().slice(0, 16);
+      }
+    }
+  }
+
+  function extendBan(hours) {
+    const expiresField = document.getElementById('banned_ip_expires_at');
+    let currentExpiry;
+
+    if (expiresField.value) {
+      currentExpiry = new Date(expiresField.value);
+    } else {
+      // Use current ban expiry or current time
+      <% if @banned_ip.expires_at %>
+        currentExpiry = new Date('<%= @banned_ip.expires_at.iso8601 %>');
+      <% else %>
+        currentExpiry = new Date();
+      <% end %>
+    }
+
+    // Add the specified hours
+    currentExpiry.setHours(currentExpiry.getHours() + hours);
+
+    // Update the field
+    expiresField.value = currentExpiry.toISOString().slice(0, 16);
+
+    // Show a visual feedback
+    const originalBg = expiresField.style.background;
+    expiresField.style.background = '#E8F5E9';
+    setTimeout(() => {
+      expiresField.style.background = originalBg;
+    }, 500);
+  }
+
+  function makePermanent() {
+    document.querySelector('input[name="banned_ip[permanent]"][value="true"]').checked = true;
+    toggleDurationFields();
+  }
+
+  // Initialize on page load
+  document.addEventListener('DOMContentLoaded', function() {
+    // Set initial state
+    toggleDurationFields();
+  });
+</script>