beskar 0.0.2 → 0.1.0

data/lib/generators/beskar/install/templates/initializer.rb.tt

@@ -0,0 +1,177 @@
+# frozen_string_literal: true
+
+Beskar.configure do |config|
+  # ============================================================================
+  # DASHBOARD AUTHENTICATION (REQUIRED)
+  # ============================================================================
+  # Configure how to authenticate access to the Beskar security dashboard.
+  # This is REQUIRED for all environments.
+  #
+  # The authenticate_admin callback receives the request object and is executed
+  # in the controller context, giving you access to all controller methods
+  # (cookies, session, authenticate_or_request_with_http_basic, etc.).
+  # The block should return truthy value to allow access, falsey to deny.
+
+  # Option 1: Using Devise with admin role (recommended for production)
+  # config.authenticate_admin = ->(request) do
+  #   user = request.env['warden']&.authenticate(scope: :user)
+  #   user&.admin?
+  # end
+
+  # Option 2: HTTP Basic Authentication (uses controller method)
+  # config.authenticate_admin = ->(request) do
+  #   authenticate_or_request_with_http_basic("Beskar Admin") do |username, password|
+  #     username == ENV['BESKAR_ADMIN_USERNAME'] &&
+  #     password == ENV['BESKAR_ADMIN_PASSWORD']
+  #   end
+  # end
+
+  # Option 3: Token-based authentication
+  # config.authenticate_admin = ->(request) do
+  #   request.headers['Authorization'] == "Bearer #{ENV['BESKAR_ADMIN_TOKEN']}"
+  # end
+
+  # Option 4: Cookie-based authentication (uses controller cookies)
+  # config.authenticate_admin = ->(request) do
+  #   cookies.signed[:admin_token] == ENV['BESKAR_ADMIN_TOKEN']
+  # end
+
+  # Option 5: Using CanCanCan (uses controller method)
+  # config.authenticate_admin = ->(request) do
+  #   authorize! :manage, :beskar_dashboard
+  # end
+
+  # Option 6: Using Pundit (uses controller method)
+  # config.authenticate_admin = ->(request) do
+  #   authorize :beskar_dashboard, :access?
+  # end
+
+  # Option 7: For development/testing ONLY (NOT for production!)
+  # config.authenticate_admin = ->(request) do
+  #   Rails.env.development? || Rails.env.test?
+  # end
+
+  # ============================================================================
+  # MONITOR-ONLY MODE
+  # ============================================================================
+  # When enabled, Beskar will log all security events but won't actually block
+  # any requests. Useful for testing or initial deployment.
+  config.monitor_only = <%= Rails.env.development? ? 'true' : 'false' %>
+
+  # ============================================================================
+  # IP WHITELIST
+  # ============================================================================
+  # IPs that should never be blocked (your office, monitoring services, etc.)
+  config.ip_whitelist = [
+    # '192.168.1.0/24',  # Local network
+    # '10.0.0.0/8',      # Private network
+    # '127.0.0.1',       # Localhost
+  ]
+
+  # ============================================================================
+  # WAF (WEB APPLICATION FIREWALL) - Score-Based Blocking
+  # ============================================================================
+  # Enable WAF to protect against common attacks and vulnerability scans.
+  # Uses score-based blocking with exponential decay for intelligent threat detection.
+  config.waf[:enabled] = true
+
+  # Optionally customize WAF settings (these are the defaults):
+  # config.waf[:auto_block] = true                 # Automatically block IPs after threshold
+  # config.waf[:score_threshold] = 150             # Cumulative risk score before blocking
+  # config.waf[:violation_window] = 6.hours        # Maximum time window to track violations
+  # config.waf[:block_durations] = [1.hour, 6.hours, 24.hours, 7.days] # Escalating durations
+  # config.waf[:permanent_block_after] = 500       # Permanent block when cumulative score reaches this
+  # config.waf[:create_security_events] = true     # Create SecurityEvent records
+  #
+  # === Exponential Decay Configuration ===
+  # Violations decay over time based on severity (reduces false positives)
+  # config.waf[:decay_enabled] = true
+  # config.waf[:decay_rates] = {                   # Half-life in minutes
+  #   critical: 360,  # 6 hour half-life (config files, path traversal)
+  #   high: 120,      # 2 hour half-life (WordPress, PHP admin scans)
+  #   medium: 45,     # 45 minute half-life (unknown formats)
+  #   low: 15         # 15 minute half-life (RecordNotFound/404s)
+  # }
+  # config.waf[:max_violations_tracked] = 50       # Maximum violations to track per IP
+  #
+  # === RecordNotFound Exclusions ===
+  # Exclude legitimate 404-prone paths from triggering violations
+  # config.waf[:record_not_found_exclusions] = [
+  #   %r{/posts/.*},              # Blog posts with slugs
+  #   %r{/products/[\w-]+},       # Product URLs with slugs
+  #   %r{/public/.*}              # Public content
+  # ]
+  #
+  # === Pre-configured Profiles ===
+  # See WAF_CONFIGURATION_PROFILES.md for complete profile examples:
+  # - STRICT: score_threshold = 100 (high-security)
+  # - BALANCED: score_threshold = 150 (recommended default)
+  # - PERMISSIVE: score_threshold = 200 (high-traffic sites)
+
+  # ============================================================================
+  # SECURITY TRACKING
+  # ============================================================================
+  # Security tracking is enabled by default. To disable or customize:
+  # config.security_tracking[:enabled] = false
+  # config.security_tracking[:track_successful_logins] = true
+  # config.security_tracking[:track_failed_logins] = true
+  # config.security_tracking[:auto_analyze_patterns] = true
+
+  # ============================================================================
+  # RATE LIMITING
+  # ============================================================================
+  # Rate limiting is configured by default. To customize:
+  # config.rate_limiting[:ip_attempts][:limit] = 10
+  # config.rate_limiting[:ip_attempts][:period] = 1.hour
+  # config.rate_limiting[:ip_attempts][:exponential_backoff] = true
+  #
+  # config.rate_limiting[:account_attempts][:limit] = 5
+  # config.rate_limiting[:account_attempts][:period] = 15.minutes
+  # config.rate_limiting[:account_attempts][:exponential_backoff] = true
+  #
+  # config.rate_limiting[:global_attempts][:limit] = 100
+  # config.rate_limiting[:global_attempts][:period] = 1.minute
+  # config.rate_limiting[:global_attempts][:exponential_backoff] = false
+
+  # ============================================================================
+  # RISK-BASED ACCOUNT LOCKING
+  # ============================================================================
+  # Risk-based locking is disabled by default. To enable:
+  # config.risk_based_locking[:enabled] = true
+  # config.risk_based_locking[:immediate_signout] = false  # Sign out users immediately when locked
+  # config.risk_based_locking[:risk_threshold] = 75        # Risk score threshold for locking
+  # config.risk_based_locking[:auto_unlock_time] = 1.hour  # How long to lock the account
+  # config.risk_based_locking[:notify_user] = true         # Notify user on lock
+  # config.risk_based_locking[:log_lock_events] = true     # Log lock events
+
+  # ============================================================================
+  # GEOLOCATION
+  # ============================================================================
+  # Geolocation uses a mock provider by default. To use MaxMind:
+  # 1. Download GeoLite2-City database from maxmind.com
+  # 2. Place it in config/GeoLite2-City.mmdb
+  # 3. Configure:
+  # config.geolocation[:provider] = :maxmind
+  # config.geolocation[:maxmind_city_db_path] = Rails.root.join('config', 'GeoLite2-City.mmdb').to_s
+  # config.geolocation[:cache_ttl] = 4.hours
+
+  # ============================================================================
+  # AUTHENTICATION MODELS
+  # ============================================================================
+  # Authentication models are auto-detected by default. To customize:
+  # config.authentication_models[:auto_detect] = false  # Disable auto-detection
+  # config.authentication_models[:devise] = [:user, :admin]
+  # config.authentication_models[:rails_auth] = [:customer]
+
+  # ============================================================================
+  # EMERGENCY PASSWORD RESET
+  # ============================================================================
+  # Emergency password reset is disabled by default. To enable:
+  # config.emergency_password_reset[:enabled] = true
+  # config.emergency_password_reset[:impossible_travel_threshold] = 3
+  # config.emergency_password_reset[:suspicious_device_threshold] = 5
+  # config.emergency_password_reset[:total_locks_threshold] = 5
+  # config.emergency_password_reset[:send_notification] = true
+  # config.emergency_password_reset[:notify_security_team] = true
+  # config.emergency_password_reset[:require_manual_unlock] = false
+end

data/lib/tasks/beskar_tasks.rake

@@ -37,8 +37,17 @@ namespace :beskar do
     end
 
     puts "📝 Creating initializer..."
-    template_path = File.expand_path("../beskar/templates/beskar_initializer.rb", __dir__)
-    FileUtils.cp(template_path, initializer_path)
+    template_path = File.expand_path("../generators/beskar/install/templates/initializer.rb.tt", __dir__)
+
+    # Read the template and process ERB (Rails will be available in the rake task context)
+    template_content = File.read(template_path)
+    erb = ERB.new(template_content, trim_mode: '-')
+
+    # Evaluate the ERB template in a context where Rails is available
+    processed_content = erb.result(binding)
+
+    # Write the processed initializer
+    File.write(initializer_path, processed_content)
     puts "✓ Created config/initializers/beskar.rb"
     puts
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: beskar
 version: !ruby/object:Gem::Version
-  version: 0.0.2
+  version: 0.1.0
 platform: ruby
 authors:
 - Maciej Litwiniuk
@@ -23,6 +23,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 8.0.0
+- !ruby/object:Gem::Dependency
+  name: csv
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: maxminddb
   requirement: !ruby/object:Gem::Requirement
@@ -66,7 +80,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: ostruct
+  name: factory_bot_rails
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -80,7 +94,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: factory_bot_rails
+  name: mocha
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -94,7 +108,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: mocha
+  name: ostruct
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -117,11 +131,15 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- CHANGELOG.md
 - MIT-LICENSE
 - README.md
 - Rakefile
 - app/assets/stylesheets/beskar/application.css
 - app/controllers/beskar/application_controller.rb
+- app/controllers/beskar/banned_ips_controller.rb
+- app/controllers/beskar/dashboard_controller.rb
+- app/controllers/beskar/security_events_controller.rb
 - app/controllers/concerns/beskar/controllers/security_tracking.rb
 - app/helpers/beskar/application_helper.rb
 - app/jobs/beskar/application_job.rb
@@ -129,6 +147,14 @@ files:
 - app/models/beskar/application_record.rb
 - app/models/beskar/banned_ip.rb
 - app/models/beskar/security_event.rb
+- app/services/beskar/banned_ip_manager.rb
+- app/views/beskar/banned_ips/edit.html.erb
+- app/views/beskar/banned_ips/index.html.erb
+- app/views/beskar/banned_ips/new.html.erb
+- app/views/beskar/banned_ips/show.html.erb
+- app/views/beskar/dashboard/index.html.erb
+- app/views/beskar/security_events/index.html.erb
+- app/views/beskar/security_events/show.html.erb
 - app/views/layouts/beskar/application.html.erb
 - config/locales/en.yml
 - config/routes.rb
@@ -137,6 +163,7 @@ files:
 - lib/beskar.rb
 - lib/beskar/configuration.rb
 - lib/beskar/engine.rb
+- lib/beskar/logger.rb
 - lib/beskar/middleware.rb
 - lib/beskar/middleware/request_analyzer.rb
 - lib/beskar/models/security_trackable.rb
@@ -149,8 +176,9 @@ files:
 - lib/beskar/services/ip_whitelist.rb
 - lib/beskar/services/rate_limiter.rb
 - lib/beskar/services/waf.rb
-- lib/beskar/templates/beskar_initializer.rb
 - lib/beskar/version.rb
+- lib/generators/beskar/install/install_generator.rb
+- lib/generators/beskar/install/templates/initializer.rb.tt
 - lib/tasks/beskar_tasks.rake
 homepage: https://humadroid.io/beskar
 licenses:
@@ -158,6 +186,7 @@ licenses:
 metadata:
   homepage_uri: https://humadroid.io/beskar
   source_code_uri: https://github.com/humadroid-io/beskar
+  changelog_uri: https://github.com/humadroid-io/beskar/blob/master/CHANGELOG.md
 rdoc_options: []
 require_paths:
 - lib
@@ -172,7 +201,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.7.2
+rubygems_version: 3.6.9
 specification_version: 4
 summary: An all-in-one security engine for Rails providing WAF, bot detection, and
   account takeover prevention.

data/lib/beskar/templates/beskar_initializer.rb

@@ -1,107 +0,0 @@
-# frozen_string_literal: true
-
-Beskar.configure do |config|
-  # ============================================================================
-  # Web Application Firewall (WAF) - ENABLED IN MONITOR MODE BY DEFAULT
-  # ============================================================================
-  # Detects and logs vulnerability scanning attempts (WordPress, phpMyAdmin, etc.)
-  # Start in monitor-only mode to observe patterns before enabling blocking.
-  #
-  config.waf = {
-    enabled: true,                        # Master switch for WAF
-    monitor_only: true,                   # LOG ONLY - does not block (recommended to start)
-    auto_block: true,                     # Auto-block IPs after threshold (when monitor_only=false)
-    block_threshold: 3,                   # Number of violations before blocking
-    violation_window: 1.hour,             # Time window for counting violations
-    block_durations: [1.hour, 6.hours, 24.hours, 7.days], # Escalating ban durations
-    permanent_block_after: 5,             # Permanent ban after N violations (nil = never)
-    create_security_events: true          # Log violations to SecurityEvent table
-  }
-  
-  # After monitoring for 24-48 hours, review logs and disable monitor_only:
-  # config.waf[:monitor_only] = false
-  
-  # View WAF activity in logs:
-  # tail -f log/production.log | grep "Beskar::WAF"
-  
-  # Query violations that would be blocked:
-  # Beskar::SecurityEvent.where(event_type: 'waf_violation')
-  #   .where("metadata->>'would_be_blocked' = ?", 'true').count
-
-  # ============================================================================
-  # IP Whitelisting (RECOMMENDED)
-  # ============================================================================
-  # Trusted IPs bypass all blocking (bans, rate limits, WAF) while still
-  # logging activity for audit purposes.
-  #
-  # config.ip_whitelist = [
-  #   "192.168.1.100",      # Single IP address
-  #   "10.0.0.0/24",        # CIDR notation - entire subnet
-  #   "172.16.0.0/16"       # Larger CIDR range
-  #   # Add your office IPs, monitoring services, trusted partners, etc.
-  # ]
-
-  # ============================================================================
-  # Security Event Tracking (OPTIONAL)
-  # ============================================================================
-  # Track authentication events for risk analysis and threat detection.
-  # Disable if you don't need historical security event data.
-  #
-  # config.security_tracking = {
-  #   enabled: true,                    # Master switch for all tracking
-  #   track_successful_logins: true,    # Track successful authentications
-  #   track_failed_logins: true,        # Track failed authentication attempts
-  #   auto_analyze_patterns: true       # Enable automatic pattern analysis
-  # }
-
-  # ============================================================================
-  # Rate Limiting (OPTIONAL)
-  # ============================================================================
-  # Protect against brute force attacks by limiting authentication attempts.
-  #
-  # config.rate_limiting = {
-  #   ip_attempts: {
-  #     limit: 10,                    # Max attempts per IP
-  #     period: 1.hour,               # Time window
-  #     exponential_backoff: true     # Increase delay after each attempt
-  #   },
-  #   account_attempts: {
-  #     limit: 5,                     # Max attempts per account
-  #     period: 15.minutes,
-  #     exponential_backoff: true
-  #   },
-  #   global_attempts: {
-  #     limit: 100,                   # System-wide limit (DDoS protection)
-  #     period: 1.minute,
-  #     exponential_backoff: false
-  #   }
-  # }
-
-  # ============================================================================
-  # Risk-Based Account Locking (OPTIONAL)
-  # ============================================================================
-  # Automatically lock accounts when authentication risk score is too high.
-  # Requires Devise :lockable module.
-  #
-  # config.risk_based_locking = {
-  #   enabled: false,                 # Disabled by default
-  #   risk_threshold: 75,             # Lock if risk score >= this (0-100)
-  #   lock_strategy: :devise_lockable, # Strategy: :devise_lockable, :custom, :none
-  #   auto_unlock_time: 1.hour,       # Time until automatic unlock
-  #   notify_user: true,              # Send notification on lock
-  #   log_lock_events: true           # Create security events for locks
-  # }
-
-  # ============================================================================
-  # IP Geolocation (OPTIONAL)
-  # ============================================================================
-  # Enhance risk assessment with geographic information.
-  # Requires MaxMind GeoLite2-City database (free with registration).
-  # Download from: https://dev.maxmind.com/geoip/geolite2-free-geolocation-data
-  #
-  # config.geolocation = {
-  #   provider: :maxmind,
-  #   maxmind_city_db_path: Rails.root.join('db', 'geoip', 'GeoLite2-City.mmdb').to_s,
-  #   cache_ttl: 4.hours
-  # }
-end