beskar 0.0.2 → 0.1.0

data/lib/beskar/services/waf.rb

@@ -3,11 +3,37 @@ module Beskar
     class Waf
       # Common vulnerability scan patterns
       VULNERABILITY_PATTERNS = {
+        rails_exceptions: {
+          patterns: [
+            %r{/(?:users?|posts?|articles?|comments?|api/v\d+/\w+)/\d+\.(?:exe|bat|cmd|com|scr|vbs|jar|app|deb|rpm)$}i,  # Rails resources with executable extensions
+            %r{/(?:users?|posts?|articles?|comments?|api/v\d+/\w+)\.(?:asp|aspx|jsp|do|action|cgi|pl|py|rb)$}i,  # Rails routes with server-side script extensions
+            %r{\?format=(?:exe|bat|cmd|com|scr|vbs|jar|asp|aspx|jsp|php)$}i,  # Suspicious format in query params
+          ],
+          severity: :medium,
+          description: "Potential Rails exception triggering attempt"
+        },
+        ip_spoofing: {
+          patterns: [
+            %r{X-Forwarded-For.*X-Forwarded-For}i,  # Multiple X-Forwarded-For headers in path (suspicious)
+            %r{Client-IP.*X-Forwarded-For}i,  # Conflicting IP headers in path
+          ],
+          severity: :high,
+          description: "Potential IP spoofing attempt"
+        },
+        record_scanning: {
+          patterns: [
+            %r{/(?:user|admin|account|profile|order|payment|invoice|document|file|download)/\d{6,}}i,  # Large IDs that likely don't exist
+            %r{/(?:user|admin|account|profile)/(?:test|admin|root|administrator|superuser)}i,  # Common test usernames
+            %r{/api/v\d+/(?:users?|accounts?|orders?|payments?)/(?:999999|123456|0|null|undefined)}i,  # Obviously fake API IDs
+          ],
+          severity: :low,
+          description: "Potential record enumeration/scanning"
+        },
         wordpress: {
           patterns: [
             %r{/wp-admin}i,
             %r{/wp-login\.php}i,
-            %r{/wp-content}i,
+            %r{/wp-content/.*\.php}i,  # PHP files in wp-content are suspicious
             %r{/wp-includes}i,
             %r{/xmlrpc\.php}i,
             %r{/wp-config\.php}i,
@@ -17,6 +43,14 @@ module Beskar
           severity: :high,
           description: "WordPress vulnerability scan"
         },
+        wordpress_static: {
+          patterns: [
+            %r{/wp-content/.*\.(?:css|js|jpe?g|png|gif|svg|webp|ico|woff2?|ttf|eot|map)$}i,  # Static files in wp-content
+            %r{/wp-content/(?:uploads|themes|plugins)/[^.]*$}i,  # Directory listing attempts
+          ],
+          severity: :low,
+          description: "WordPress static file probe"
+        },
         php_admin: {
           patterns: [
             %r{/phpmyadmin}i,
@@ -92,6 +126,13 @@ module Beskar
         }
       }.freeze
 
+      # Configuration for RecordNotFound exclusion patterns
+      # These patterns will not trigger WAF violations
+      RECORD_NOT_FOUND_EXCLUSIONS = [
+        # Add default exclusions here if needed
+        # %r{/posts/.*},  # Example: exclude all posts paths
+      ].freeze
+
       class << self
         # Analyze a request for vulnerability scanning patterns
         def analyze_request(request)
@@ -128,17 +169,109 @@ module Beskar
           end
         end
 
+        # Analyze Rails exceptions as potential security threats
+        def analyze_exception(exception, request)
+          case exception
+          when ActionController::UnknownFormat
+            {
+              threat_detected: true,
+              patterns: [{
+                category: :unknown_format,
+                pattern: "ActionController::UnknownFormat",
+                severity: :medium,
+                description: "Unknown format requested - potential scanner",
+                matched_path: request.fullpath
+              }],
+              highest_severity: :medium,
+              ip_address: request.ip,
+              user_agent: request.user_agent,
+              timestamp: Time.current,
+              exception_class: exception.class.name,
+              exception_message: exception.message
+            }
+          when ActionDispatch::RemoteIp::IpSpoofAttackError
+            {
+              threat_detected: true,
+              patterns: [{
+                category: :ip_spoof,
+                pattern: "ActionDispatch::RemoteIp::IpSpoofAttackError",
+                severity: :critical,
+                description: "IP spoofing attack detected",
+                matched_path: request.fullpath
+              }],
+              highest_severity: :critical,
+              ip_address: request.ip,
+              user_agent: request.user_agent,
+              timestamp: Time.current,
+              exception_class: exception.class.name,
+              exception_message: exception.message
+            }
+          when ActiveRecord::RecordNotFound
+            # Check if this path should be excluded from WAF
+            if should_exclude_record_not_found?(request.fullpath)
+              return nil
+            end
+
+            {
+              threat_detected: true,
+              patterns: [{
+                category: :record_not_found,
+                pattern: "ActiveRecord::RecordNotFound",
+                severity: :low,
+                description: "Record not found - potential enumeration scan",
+                matched_path: request.fullpath
+              }],
+              highest_severity: :low,
+              ip_address: request.ip,
+              user_agent: request.user_agent,
+              timestamp: Time.current,
+              exception_class: exception.class.name,
+              exception_message: exception.message
+            }
+          when ActionDispatch::Http::MimeNegotiation::InvalidType
+            {
+              threat_detected: true,
+              patterns: [{
+                category: :invalid_mime_type,
+                pattern: "ActionDispatch::Http::MimeNegotiation::InvalidType",
+                severity: :medium,
+                description: "Invalid MIME type requested - potential scanner",
+                matched_path: request.fullpath
+              }],
+              highest_severity: :medium,
+              ip_address: request.ip,
+              user_agent: request.user_agent,
+              timestamp: Time.current,
+              exception_class: exception.class.name,
+              exception_message: exception.message
+            }
+          else
+            nil
+          end
+        end
+
+        # Check if a RecordNotFound exception should be excluded from WAF
+        def should_exclude_record_not_found?(path)
+          return false if path.blank?
+
+          # Check configured exclusions
+          exclusions = waf_config[:record_not_found_exclusions] || []
+          all_exclusions = RECORD_NOT_FOUND_EXCLUSIONS + exclusions
+
+          all_exclusions.any? { |pattern| path.match?(pattern) }
+        end
+
         # Check if request should be blocked based on violation history
         def should_block?(ip_address)
           config = waf_config
           return false unless config[:enabled]
           return false unless config[:auto_block]
 
-          # Check violation count in cache
-          violation_count = get_violation_count(ip_address)
-          threshold = config[:block_threshold] || 3
+          # Get current risk score (with decay applied)
+          current_score = get_current_score(ip_address)
+          threshold = config[:score_threshold] || 150
 
-          violation_count >= threshold
+          current_score >= threshold
         end
 
         # Record a WAF violation
@@ -146,42 +279,83 @@ module Beskar
           config = waf_config
           return unless config[:enabled]
 
-          # Increment violation count
+          Beskar::Logger.debug("[WAF] Recording violation for IP: #{ip_address}, whitelisted: #{whitelisted}", component: :WAF)
+
+          # Get current violations and add new one
           cache_key = "beskar:waf_violations:#{ip_address}"
-          current_count = Rails.cache.read(cache_key) || 0
-          new_count = current_count + 1
-          
-          # Store with TTL from config (default 1 hour)
-          ttl = config[:violation_window] || 1.hour
-          Rails.cache.write(cache_key, new_count, expires_in: ttl)
+          violations = Rails.cache.read(cache_key) || []
+
+          # Calculate risk score for this violation
+          risk_score = severity_to_risk_score(analysis_result[:highest_severity])
+
+          # Create new violation record
+          new_violation = {
+            timestamp: Time.current.to_i,
+            score: risk_score,
+            severity: analysis_result[:highest_severity],
+            category: analysis_result[:patterns].first[:category],
+            description: analysis_result[:patterns].first[:description],
+            path: analysis_result[:patterns].first[:matched_path]
+          }
+
+          violations << new_violation
+
+          # Prune old violations (outside violation window and max tracked)
+          violations = prune_violations(violations, config)
+
+          # Calculate current score with decay
+          current_score = calculate_current_score(violations, config)
+
+          Beskar::Logger.debug("[WAF] Violation recorded for #{ip_address}: score=#{risk_score}, current_total=#{current_score.round(2)}, violations_count=#{violations.size}", component: :WAF)
+
+          # Store violations with TTL from config
+          ttl = config[:violation_window] || 6.hours
+          Rails.cache.write(cache_key, violations, expires_in: ttl)
 
           # Log the violation
-          log_violation(ip_address, analysis_result, new_count)
+          log_violation(ip_address, analysis_result, current_score, violations.size)
 
           # Create security event if configured
           if config[:create_security_events]
-            create_security_event(ip_address, analysis_result)
+            create_security_event(ip_address, analysis_result, current_score)
           end
 
-          # Check if we should auto-block (skip if whitelisted, in monitor-only mode)
-          threshold = config[:block_threshold] || 3
-          
-          if !whitelisted && config[:auto_block] && new_count >= threshold
-            if config[:monitor_only]
-              # Monitor-only mode: Log what WOULD happen but don't block
-              log_monitor_only_action(ip_address, analysis_result, new_count, threshold)
-            else
-              auto_block_ip(ip_address, analysis_result, new_count)
+          # Check if we should auto-block (skip if whitelisted)
+          threshold = config[:score_threshold] || 150
+
+          Beskar::Logger.debug("[WAF] Auto-block check: whitelisted=#{whitelisted}, auto_block=#{config[:auto_block]}, score=#{current_score.round(2)}, threshold=#{threshold}", component: :WAF)
+
+          if !whitelisted && config[:auto_block] && current_score >= threshold
+            Beskar::Logger.info("[WAF] Score threshold reached for #{ip_address}, creating ban record", component: :WAF)
+            # Always create the ban record (even in monitor-only mode)
+            auto_block_ip(ip_address, analysis_result, current_score)
+
+            # But also log monitor-only message if in monitor mode
+            if Beskar.configuration.monitor_only?
+              log_monitor_only_action(ip_address, analysis_result, current_score, threshold)
             end
+          else
+            Beskar::Logger.debug("[WAF] Not auto-blocking: conditions not met", component: :WAF)
           end
 
-          new_count
+          current_score
         end
 
-        # Get current violation count for an IP
-        def get_violation_count(ip_address)
+        # Get current risk score for an IP (with decay applied)
+        def get_current_score(ip_address)
+          violations = get_violations(ip_address)
+          calculate_current_score(violations, waf_config)
+        end
+
+        # Get violations for an IP
+        def get_violations(ip_address)
           cache_key = "beskar:waf_violations:#{ip_address}"
-          Rails.cache.read(cache_key) || 0
+          Rails.cache.read(cache_key) || []
+        end
+
+        # Get violation count for an IP (number of violations tracked)
+        def get_violation_count(ip_address)
+          get_violations(ip_address).size
         end
 
         # Reset violations for an IP
@@ -192,6 +366,48 @@ module Beskar
 
         private
 
+        # Calculate current cumulative score with decay applied
+        def calculate_current_score(violations, config)
+          return 0.0 if violations.empty?
+          return violations.sum { |v| v[:score] } unless config[:decay_enabled]
+
+          now = Time.current.to_i
+          decay_rates = config[:decay_rates] || {}
+
+          violations.sum do |v|
+            age_seconds = now - v[:timestamp]
+            age_minutes = age_seconds / 60.0
+
+            # Get half-life for this severity (in minutes)
+            half_life = decay_rates[v[:severity]] || 60
+
+            # Exponential decay: score * (1/2)^(age/half_life)
+            # Equivalent to: score * e^(-ln(2) * age / half_life)
+            decay_factor = Math.exp(-Math.log(2) * age_minutes / half_life)
+
+            v[:score] * decay_factor
+          end
+        end
+
+        # Prune violations that are outside the window or exceed max tracked
+        def prune_violations(violations, config)
+          now = Time.current.to_i
+          window_seconds = (config[:violation_window] || 6.hours).to_i
+          max_tracked = config[:max_violations_tracked] || 50
+
+          # Remove violations outside the time window
+          recent = violations.select do |v|
+            (now - v[:timestamp]) <= window_seconds
+          end
+
+          # Keep only the most recent violations if we exceed max_tracked
+          if recent.size > max_tracked
+            recent.sort_by { |v| -v[:timestamp] }.first(max_tracked)
+          else
+            recent
+          end
+        end
+
         # Get WAF configuration
         def waf_config
           Beskar.configuration.waf || {}
@@ -207,7 +423,7 @@ module Beskar
         end
 
         # Log WAF violation
-        def log_violation(ip_address, analysis_result, violation_count)
+        def log_violation(ip_address, analysis_result, current_score, violation_count)
           severity_emoji = {
             critical: "🚨",
             high: "⚠️",
@@ -217,40 +433,36 @@ module Beskar
 
           emoji = severity_emoji[analysis_result[:highest_severity]] || "🔍"
           config = waf_config
-          monitor_mode_notice = config[:monitor_only] ? " [MONITOR-ONLY MODE]" : ""
-          
-          Rails.logger.warn(
-            "[Beskar::WAF] #{emoji} Vulnerability scan detected#{monitor_mode_notice} " \
-            "(#{violation_count} violations) - " \
+          monitor_mode_notice = Beskar.configuration.monitor_only? ? " [MONITOR-ONLY MODE]" : ""
+
+          Beskar::Logger.warn("#{emoji} Vulnerability scan detected#{monitor_mode_notice} " \
+            "(score: #{current_score.round(2)}, violations: #{violation_count}) - " \
             "IP: #{ip_address}, " \
             "Severity: #{analysis_result[:highest_severity]}, " \
             "Patterns: #{analysis_result[:patterns].map { |p| p[:description] }.join(', ')}, " \
-            "Path: #{analysis_result[:patterns].first[:matched_path]}"
-          )
+            "Path: #{analysis_result[:patterns].first[:matched_path]}", component: :WAF)
         end
 
         # Log what would happen in monitor-only mode (but don't actually block)
-        def log_monitor_only_action(ip_address, analysis_result, violation_count, threshold)
+        def log_monitor_only_action(ip_address, analysis_result, current_score, threshold)
           config = waf_config
-          duration = calculate_block_duration(violation_count, config)
-          
-          Rails.logger.warn(
-            "[Beskar::WAF] 🔍 MONITOR-ONLY: IP #{ip_address} WOULD BE BLOCKED " \
-            "(threshold reached: #{violation_count}/#{threshold} violations) - " \
+          duration = calculate_block_duration(current_score, config)
+
+          Beskar::Logger.warn("🔍 MONITOR-ONLY: IP #{ip_address} WOULD BE BLOCKED " \
+            "(score threshold reached: #{current_score.round(2)}/#{threshold}) - " \
             "Duration would be: #{duration ? "#{duration / 3600.0} hours" : 'PERMANENT'}, " \
             "Severity: #{analysis_result[:highest_severity]}, " \
             "Patterns: #{analysis_result[:patterns].map { |p| p[:description] }.join(', ')}. " \
-            "To enable blocking, set config.waf[:monitor_only] = false"
-          )
+            "To enable blocking, set config.monitor_only = false", component: :WAF)
         end
 
         # Create security event for WAF violation
-        def create_security_event(ip_address, analysis_result)
+        def create_security_event(ip_address, analysis_result, current_score)
           config = waf_config
           violation_count = get_violation_count(ip_address)
-          threshold = config[:block_threshold] || 3
-          would_be_blocked = violation_count >= threshold
-          
+          threshold = config[:score_threshold] || 150
+          would_be_blocked = current_score >= threshold
+
           Beskar::SecurityEvent.create!(
             event_type: 'waf_violation',
             ip_address: ip_address,
@@ -260,50 +472,67 @@ module Beskar
               waf_analysis: analysis_result,
               patterns_matched: analysis_result[:patterns].map { |p| p[:description] },
               severity: analysis_result[:highest_severity],
-              monitor_only_mode: config[:monitor_only],
+              monitor_only_mode: Beskar.configuration.monitor_only?,
               would_be_blocked: would_be_blocked,
               violation_count: violation_count,
-              block_threshold: threshold
+              current_score: current_score.round(2),
+              score_threshold: threshold
             }
           )
         rescue => e
-          Rails.logger.error "[Beskar::WAF] Failed to create security event: #{e.message}"
+          Beskar::Logger.error("Failed to create security event: #{e.message}", component: :WAF)
         end
 
         # Auto-block an IP after threshold violations
-        def auto_block_ip(ip_address, analysis_result, violation_count)
+        def auto_block_ip(ip_address, analysis_result, current_score)
           config = waf_config
-          duration = calculate_block_duration(violation_count, config)
-          
-          Beskar::BannedIp.ban!(
-            ip_address,
-            reason: 'waf_violation',
-            duration: duration,
-            permanent: duration.nil?,
-            details: "WAF violations: #{violation_count} - #{analysis_result[:patterns].map { |p| p[:description] }.join(', ')}",
-            metadata: {
-              violation_count: violation_count,
-              patterns: analysis_result[:patterns],
-              highest_severity: analysis_result[:highest_severity],
-              blocked_at: Time.current
-            }
-          )
+          duration = calculate_block_duration(current_score, config)
+          violation_count = get_violation_count(ip_address)
 
-          Rails.logger.warn(
-            "[Beskar::WAF] 🔒 Auto-blocked IP #{ip_address} " \
-            "after #{violation_count} violations " \
-            "(duration: #{duration ? "#{duration / 3600} hours" : 'permanent'})"
-          )
+          Beskar::Logger.debug("[WAF] Attempting to ban IP #{ip_address} with duration: #{duration.inspect}", component: :WAF)
+
+          begin
+            banned_ip = Beskar::BannedIp.ban!(
+              ip_address,
+              reason: 'waf_violation',
+              duration: duration,
+              permanent: duration.nil?,
+              details: "WAF score: #{current_score.round(2)} (#{violation_count} violations) - #{analysis_result[:patterns].map { |p| p[:description] }.join(', ')}",
+              metadata: {
+                violation_count: violation_count,
+                risk_score: current_score.round(2),
+                patterns: analysis_result[:patterns],
+                highest_severity: analysis_result[:highest_severity],
+                blocked_at: Time.current
+              }
+            )
+
+            Beskar::Logger.warn("🔒 Auto-blocked IP #{ip_address} " \
+              "with score #{current_score.round(2)} (#{violation_count} violations) " \
+              "(duration: #{duration ? "#{duration / 3600} hours" : 'permanent'}), " \
+              "Ban ID: #{banned_ip.id}", component: :WAF)
+          rescue => e
+            Beskar::Logger.error("[WAF] Failed to create ban for #{ip_address}: #{e.class} - #{e.message}", component: :WAF)
+            raise
+          end
         end
 
-        # Calculate block duration based on violation count
-        def calculate_block_duration(violation_count, config)
-          return nil if config[:permanent_block_after] && violation_count >= config[:permanent_block_after]
+        # Calculate block duration based on cumulative score
+        def calculate_block_duration(current_score, config)
+          permanent_threshold = config[:permanent_block_after]
+          return nil if permanent_threshold && current_score >= permanent_threshold
 
-          # Default escalating durations: 1h, 6h, 24h, 7d, permanent
+          # Default escalating durations: 1h, 6h, 24h, 7d
           base_durations = config[:block_durations] || [1.hour, 6.hours, 24.hours, 7.days]
-          index = [violation_count - (config[:block_threshold] || 3), base_durations.length - 1].min
-          base_durations[index]
+          score_threshold = config[:score_threshold] || 150
+
+          # Calculate how many times over the threshold we are
+          # 150-300 = 1x = 1 hour
+          # 300-450 = 2x = 6 hours
+          # 450-600 = 3x = 24 hours
+          # 600+ = 4x = 7 days
+          multiplier = ((current_score / score_threshold).floor - 1).clamp(0, base_durations.length - 1)
+          base_durations[multiplier]
         end
 
         # Convert severity level to risk score
@@ -312,7 +541,7 @@ module Beskar
           when :critical then 95
           when :high then 80
           when :medium then 60
-          when :low then 40
+          when :low then 30
           else 50
           end
         end

data/lib/beskar/version.rb

@@ -1,3 +1,3 @@
 module Beskar
-  VERSION = "0.0.2"
+  VERSION = "0.1.0"
 end

data/lib/beskar.rb

@@ -1,5 +1,6 @@
 require "beskar/version"
 require "beskar/configuration"
+require "beskar/logger"
 require "beskar/middleware"
 require "beskar/middleware/request_analyzer"
 require "beskar/models/security_trackable_generic"

data/lib/generators/beskar/install/install_generator.rb

@@ -0,0 +1,158 @@
+# frozen_string_literal: true
+
+require 'rails/generators'
+require 'rails/generators/migration'
+
+module Beskar
+  module Generators
+    class InstallGenerator < Rails::Generators::Base
+      include Rails::Generators::Migration
+
+      source_root File.expand_path('templates', __dir__)
+
+      desc "Creates a Beskar initializer and runs migrations"
+
+      def self.next_migration_number(path)
+        if @prev_migration_nr
+          @prev_migration_nr += 1
+        else
+          @prev_migration_nr = Time.now.utc.strftime("%Y%m%d%H%M%S").to_i
+        end
+        @prev_migration_nr.to_s
+      end
+
+      def copy_initializer
+        template "initializer.rb.tt", "config/initializers/beskar.rb"
+      end
+
+      def mount_engine
+        route_text = "mount Beskar::Engine => '/beskar'"
+
+        # Check if the route already exists
+        if File.read("config/routes.rb").include?(route_text)
+          say "Route already mounted, skipping...", :yellow
+        else
+          route route_text
+          say "Mounted Beskar engine at /beskar", :green
+        end
+      end
+
+      def copy_migrations
+        # Copy migrations from the engine to the host app
+        migration_source = File.expand_path("../../../../../db/migrate", __dir__)
+
+        if Dir.exist?(migration_source)
+          Dir.glob("#{migration_source}/*.rb").each do |migration|
+            migration_name = File.basename(migration).sub(/^\d+_/, '')
+
+            # Check if migration already exists
+            if migration_already_exists?(migration_name)
+              say "Migration #{migration_name} already exists, skipping...", :yellow
+            else
+              migration_template migration, "db/migrate/#{migration_name}"
+            end
+          end
+        end
+
+        say "Migrations copied. Run 'rails db:migrate' to create the tables.", :green
+      end
+
+      # CSS Zero is no longer required - styles are embedded in the dashboard
+      # def install_css_zero
+      #   # Removed - dashboard now uses embedded styles
+      # end
+
+      def show_readme
+        readme_content = <<~README
+
+          ===============================================================================
+          🛡️  Beskar Installation Complete!
+          ===============================================================================
+
+          Next steps:
+
+          1. Run migrations to create the security tables:
+             $ rails db:migrate
+
+          2. Configure authentication for the dashboard in config/initializers/beskar.rb
+
+             For Devise users:
+             config.authenticate_admin = proc do
+               authenticate_admin!
+             end
+
+             For custom authentication:
+             config.authenticate_admin = proc do
+               redirect_to main_app.root_path unless current_user&.admin?
+             end
+
+          3. Add Beskar concerns to your User model (or authentication model):
+
+             class User < ApplicationRecord
+               include Beskar::Models::SecurityTrackable
+
+               # For Devise users, also add:
+               include Beskar::Models::SecurityTrackableDevise
+             end
+
+          4. Access the security dashboard at:
+             http://localhost:3000/beskar
+
+          5. Optional: Configure additional settings in config/initializers/beskar.rb
+             - IP whitelist
+             - WAF rules
+             - Rate limiting
+             - Geolocation
+             - Risk-based locking
+
+          ===============================================================================
+          📚 Documentation
+          ===============================================================================
+
+          Dashboard Guide: https://github.com/humadroid-io/beskar/blob/main/DASHBOARD.md
+          Configuration: https://github.com/humadroid-io/beskar/blob/main/README.md
+
+          ===============================================================================
+          ⚠️  Important for Production
+          ===============================================================================
+
+          1. ALWAYS configure authentication for the dashboard
+          2. Set monitor_only = false when ready to block threats
+          3. Configure your IP whitelist to prevent locking yourself out
+          4. Set up database indexes for large-scale deployments:
+
+             $ rails generate beskar:indexes
+             $ rails db:migrate
+
+          ===============================================================================
+          💡 Quick Tips
+          ===============================================================================
+
+          - Start with monitor_only = true to observe without blocking
+          - Use the dashboard to review security events before enabling blocking
+          - Configure email notifications for high-risk events
+          - Export security data regularly for analysis
+          - Consider implementing custom risk scoring for your use case
+
+          ===============================================================================
+
+        README
+
+        say readme_content, :green
+      end
+
+      private
+
+      def migration_already_exists?(migration_name)
+        Dir.glob("db/migrate/*_#{migration_name}").any?
+      end
+
+      def migration_template(source, destination)
+        migration_number = self.class.next_migration_number(nil)
+        file_name = "#{migration_number}_#{destination}"
+
+        copy_file source, file_name
+      end
+    end
+  end
+end