beskar 0.0.2 → 0.1.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +143 -0
- data/README.md +298 -110
- data/app/controllers/beskar/application_controller.rb +170 -0
- data/app/controllers/beskar/banned_ips_controller.rb +280 -0
- data/app/controllers/beskar/dashboard_controller.rb +70 -0
- data/app/controllers/beskar/security_events_controller.rb +182 -0
- data/app/controllers/concerns/beskar/controllers/security_tracking.rb +6 -6
- data/app/models/beskar/banned_ip.rb +68 -27
- data/app/models/beskar/security_event.rb +14 -0
- data/app/services/beskar/banned_ip_manager.rb +78 -0
- data/app/views/beskar/banned_ips/edit.html.erb +259 -0
- data/app/views/beskar/banned_ips/index.html.erb +361 -0
- data/app/views/beskar/banned_ips/new.html.erb +310 -0
- data/app/views/beskar/banned_ips/show.html.erb +310 -0
- data/app/views/beskar/dashboard/index.html.erb +280 -0
- data/app/views/beskar/security_events/index.html.erb +309 -0
- data/app/views/beskar/security_events/show.html.erb +307 -0
- data/app/views/layouts/beskar/application.html.erb +647 -5
- data/config/routes.rb +41 -0
- data/lib/beskar/configuration.rb +24 -10
- data/lib/beskar/engine.rb +4 -4
- data/lib/beskar/logger.rb +293 -0
- data/lib/beskar/middleware/request_analyzer.rb +128 -53
- data/lib/beskar/models/security_trackable_authenticable.rb +11 -11
- data/lib/beskar/models/security_trackable_devise.rb +5 -5
- data/lib/beskar/models/security_trackable_generic.rb +12 -12
- data/lib/beskar/services/account_locker.rb +12 -12
- data/lib/beskar/services/geolocation_service.rb +8 -8
- data/lib/beskar/services/ip_whitelist.rb +2 -2
- data/lib/beskar/services/waf.rb +307 -78
- data/lib/beskar/version.rb +1 -1
- data/lib/beskar.rb +1 -0
- data/lib/generators/beskar/install/install_generator.rb +158 -0
- data/lib/generators/beskar/install/templates/initializer.rb.tt +177 -0
- data/lib/tasks/beskar_tasks.rake +11 -2
- metadata +35 -6
- data/lib/beskar/templates/beskar_initializer.rb +0 -107
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 025703c477080d31ed167a7012be2cd390d3d73b2447b61624bffd3243f1aa6b
|
|
4
|
+
data.tar.gz: a056e8c20364351e9f96734836991be7949a92b279dfba05a6b327dad0b3d823
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 1a70b96954525ebdf9867fcc1656b5313e111a0fd6c4e2e31f111d3d8c9320a156f5d29ed582ee06c5d418f26c7c04601147d749c7825747b601ae1975855211
|
|
7
|
+
data.tar.gz: 6523638cd97d91b78779f5fd8cf6276e5d07c39f3ba87ec342abae007ffed99dd505adf346917ed3601be0085d81ff247c874feed92effe27b34e94d523ab7c5
|
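Review bot: the removed lines in this hunk render `metadata.gz:` and `data.tar.gz:` with no digest after the key, so the 0.0.2 SHA256 and SHA512 values cannot be compared with the new ones here; anyone using this diff as a provenance record should verify the four new digests (`025703c4…`, `a056e8c2…`, `1a70b969…`, `6523638c…`) against the checksums of the `.gem` archive downloaded from the registry rather than against this page.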
data/CHANGELOG.md
ADDED
|
@@ -0,0 +1,143 @@
|
|
|
1
|
+
# Changelog
|
|
2
|
+
|
|
3
|
+
All notable changes to Beskar will be documented in this file.
|
|
4
|
+
|
|
5
|
+
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
|
|
6
|
+
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
|
7
|
+
|
|
8
|
+
## [Unreleased]
|
|
9
|
+
|
|
10
|
+
### ⚠️ BREAKING CHANGES
|
|
11
|
+
|
|
12
|
+
- **Monitor-only mode refactored to top-level configuration**
|
|
13
|
+
- `config.waf[:monitor_only]` has been **removed**
|
|
14
|
+
- Use `config.monitor_only = true/false` at the configuration root level instead
|
|
15
|
+
- The method `Beskar.configuration.waf_monitor_only?` has been **removed**
|
|
16
|
+
- Use `Beskar.configuration.monitor_only?` instead
|
|
17
|
+
- See [BREAKING_CHANGES.md](BREAKING_CHANGES.md) for detailed migration guide
|
|
18
|
+
|
|
19
|
+
- **Dashboard authentication now required in all environments**
|
|
20
|
+
- Previous behavior: Dashboard allowed access in development/test without authentication
|
|
21
|
+
- New behavior: `config.authenticate_admin` must be explicitly configured for all environments
|
|
22
|
+
- **Why this change**: Prevents production security surprises by requiring explicit authentication setup
|
|
23
|
+
- **Migration**: Add `config.authenticate_admin` proc to your initializer (see examples in template)
|
|
24
|
+
- Developers who want to bypass auth in development must explicitly configure it
|
|
25
|
+
|
|
26
|
+
### Added
|
|
27
|
+
|
|
28
|
+
- Ban records (`Beskar::BannedIp`) are now created even in monitor-only mode
|
|
29
|
+
- Provides full visibility into what would be blocked
|
|
30
|
+
- Allows querying `Beskar::BannedIp.active` to see potential blocks
|
|
31
|
+
- Makes verification and testing much more reliable
|
|
32
|
+
- Global monitor-only mode affecting all blocking features (WAF, rate limiting, IP bans)
|
|
33
|
+
- **Centralized logging system** (`Beskar::Logger`)
|
|
34
|
+
- Consistent log formatting with automatic `[Beskar]` or `[Beskar::Component]` prefixes
|
|
35
|
+
- Component name aliasing for cleaner output (e.g., `Beskar::Services::Waf` → `WAF`)
|
|
36
|
+
- Configurable log levels and output backends
|
|
37
|
+
- Include module support for automatic component detection in classes
|
|
38
|
+
- Single point of configuration for all logging
|
|
39
|
+
- **Security Dashboard** - Mountable web interface for monitoring and managing security
|
|
40
|
+
- Real-time security event monitoring with advanced filtering and pagination
|
|
41
|
+
- IP ban management with bulk actions, extend, and unban capabilities
|
|
42
|
+
- Statistics overview with risk distribution and threat analysis
|
|
43
|
+
- Export functionality for security events and banned IPs (CSV/JSON)
|
|
44
|
+
- Stripe-inspired minimalist design with embedded styles (no CSS dependencies)
|
|
45
|
+
- Custom pagination and filtering (no Kaminari/Pagy dependency)
|
|
46
|
+
- Configurable authentication via `config.authenticate_admin` proc
|
|
47
|
+
- Rails 7+ compatible with built-in CSRF protection
|
|
48
|
+
- Install generator for easy setup (`rails generate beskar:install`)
|
|
49
|
+
- Full documentation in [DASHBOARD.md](DASHBOARD.md)
|
|
50
|
+
- **WAF Rails Exception Detection** - Enhanced security through Rails exception analysis
|
|
51
|
+
- Detects `ActionController::UnknownFormat` exceptions (e.g., `/users/1.exe`) as potential scanning attempts
|
|
52
|
+
- Detects `ActionDispatch::RemoteIp::IpSpoofAttackError` as critical IP spoofing attacks
|
|
53
|
+
- Detects `ActiveRecord::RecordNotFound` as potential record enumeration scans
|
|
54
|
+
- Configurable exclusion patterns for `RecordNotFound` to prevent false positives
|
|
55
|
+
- New configuration: `config.waf[:record_not_found_exclusions]` accepts regex patterns
|
|
56
|
+
- Different severity levels: Critical (IP spoofing), Medium (UnknownFormat), Low (RecordNotFound)
|
|
57
|
+
- Exception-based violations count toward auto-blocking thresholds
|
|
58
|
+
- Works seamlessly alongside existing WAF vulnerability patterns
|
|
59
|
+
- **Enhanced Dashboard Authentication System**
|
|
60
|
+
- Helpful error messages with configuration examples when authentication not configured
|
|
61
|
+
- Clear, actionable guidance shows 4 authentication strategy examples (Devise, token-based, HTTP Basic, development bypass)
|
|
62
|
+
- Error response includes properly formatted code examples in initializer format
|
|
63
|
+
- Authentication configuration prominently documented at top of initializer template
|
|
64
|
+
- Support for any authentication strategy via flexible proc-based configuration
|
|
65
|
+
|
|
66
|
+
### Changed
|
|
67
|
+
|
|
68
|
+
- **Refactored ApplicationController authentication for better maintainability**
|
|
69
|
+
- Simplified authentication flow from deeply nested conditionals to flat, single-responsibility methods
|
|
70
|
+
- Reduced method complexity: main `authenticate_admin!` is now 4 lines (was 20+ lines with 3-4 nesting levels)
|
|
71
|
+
- Extracted authentication logic into focused methods:
|
|
72
|
+
- `authenticate_admin!`: Routes to appropriate strategy (configuration check + delegation)
|
|
73
|
+
- `handle_custom_authentication`: Executes configured authentication with error handling
|
|
74
|
+
- `handle_missing_authentication_configuration`: Shows helpful error with examples
|
|
75
|
+
- All authentication paths now explicitly return `true` (allow) or `false` (deny)
|
|
76
|
+
- Consistent error handling for both HTML and JSON responses
|
|
77
|
+
- Improved exception handling with detailed error logging
|
|
78
|
+
- Added comprehensive test suite: 42 tests with 122 assertions covering all authentication scenarios
|
|
79
|
+
|
|
80
|
+
- Monitor-only mode is now a system-wide concept rather than WAF-specific
|
|
81
|
+
- Ban records are created but not enforced when `monitor_only = true`
|
|
82
|
+
- Security events include `monitor_only_mode` metadata flag
|
|
83
|
+
- All blocking decisions (WAF, rate limiting, authentication abuse) respect global monitor-only setting
|
|
84
|
+
- Improved logging with clear "MONITOR-ONLY" indicators
|
|
85
|
+
- Better separation of ban creation from ban enforcement
|
|
86
|
+
- All internal logging now uses `Beskar::Logger` instead of direct `Rails.logger` calls
|
|
87
|
+
- Log messages no longer require manual prefix formatting
|
|
88
|
+
|
|
89
|
+
### Fixed
|
|
90
|
+
|
|
91
|
+
- Monitor-only mode now provides actual data for verification (ban records exist)
|
|
92
|
+
- Consistent behavior across all security features
|
|
93
|
+
- Clearer semantics for what monitor-only mode means
|
|
94
|
+
|
|
95
|
+
### Security
|
|
96
|
+
|
|
97
|
+
- **Dashboard authentication hardening**: Removed environment-based authentication defaults
|
|
98
|
+
- Eliminates risk of accidentally deploying without authentication configured
|
|
99
|
+
- Forces explicit security decisions during initial setup
|
|
100
|
+
- All environments (development, test, production) now require authentication configuration
|
|
101
|
+
- Provides clear, immediate feedback when authentication is missing
|
|
102
|
+
- Reduces attack surface by failing secure (deny by default)
|
|
103
|
+
|
|
104
|
+
### Documentation
|
|
105
|
+
|
|
106
|
+
- Updated README with new configuration structure
|
|
107
|
+
- Enhanced MONITOR_ONLY_MODE.md with examples of querying ban records
|
|
108
|
+
- Added migration guide in BREAKING_CHANGES.md
|
|
109
|
+
- Created PROJECT_DOCUMENTATION.md for development reference
|
|
110
|
+
- Updated PROJECT_DOCUMENTATION.md with comprehensive dashboard authentication section
|
|
111
|
+
- Documented authentication flow and architecture
|
|
112
|
+
- Added configuration examples and design principles
|
|
113
|
+
- Included test coverage details
|
|
114
|
+
- Updated initializer template (`lib/beskar/templates/beskar_initializer.rb`) with prominent authentication documentation
|
|
115
|
+
- Dashboard Authentication section moved to top (REQUIRED)
|
|
116
|
+
- Four complete authentication strategy examples
|
|
117
|
+
- Clear warnings about development-only bypass patterns
|
|
118
|
+
|
|
119
|
+
|
|
120
|
+
### Versioning Policy
|
|
121
|
+
|
|
122
|
+
- **Major version (X.0.0)**: Breaking changes that require code changes
|
|
123
|
+
- **Minor version (0.X.0)**: New features, backward compatible
|
|
124
|
+
- **Patch version (0.0.X)**: Bug fixes and minor improvements
|
|
125
|
+
|
|
126
|
+
### Upgrade Guide
|
|
127
|
+
|
|
128
|
+
When upgrading between versions with breaking changes:
|
|
129
|
+
|
|
130
|
+
1. Read the [BREAKING_CHANGES.md](BREAKING_CHANGES.md) file
|
|
131
|
+
2. Update your configuration according to the migration guide
|
|
132
|
+
3. Run any new migrations: `rails db:migrate`
|
|
133
|
+
4. Test in development/staging before deploying to production
|
|
134
|
+
5. Start with `monitor_only = true` to verify behavior
|
|
135
|
+
|
|
136
|
+
### Support
|
|
137
|
+
|
|
138
|
+
- GitHub Issues: https://github.com/humadroid-io/beskar/issues
|
|
139
|
+
- Documentation: https://humadroid.io/beskar
|
|
140
|
+
|
|
141
|
+
---
|
|
142
|
+
|
|
143
|
+
[Unreleased]: https://github.com/humadroid-io/beskar/compare/v0.0.2...HEAD
|
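Review bot: the Documentation section (changelog line 114) says the initializer template was updated at `lib/beskar/templates/beskar_initializer.rb`, but the file list for this release shows that path removed (`+0 -107`) and a new `lib/generators/beskar/install/templates/initializer.rb.tt` added, so the entry should name the new `.tt` template. Two smaller points: the release is 0.0.2 → 0.1.0 yet every change sits under `## [Unreleased]` with the compare link `v0.0.2...HEAD`; add a `## [0.1.0]` heading and a `v0.0.2...v0.1.0` compare link so the shipped changelog identifies the version it describes. And the Versioning Policy section states that breaking changes require a major version, while this minor bump carries the `config.waf[:monitor_only]` removal and the mandatory `config.authenticate_admin` change under BREAKING CHANGES; either note the 0.x exception or reconcile the policy with the bump. The links to BREAKING_CHANGES.md, DASHBOARD.md, MONITOR_ONLY_MODE.md and PROJECT_DOCUMENTATION.md also point at files that do not appear in the list of shipped files, so readers of the packaged CHANGELOG.md cannot follow them.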