beskar 0.0.2 → 0.1.0

data/app/controllers/concerns/beskar/controllers/security_tracking.rb

@@ -29,9 +29,9 @@ module Beskar
         return unless Beskar.configuration.track_successful_logins?
 
         user.track_authentication_event(request, :success)
-        Rails.logger.info "[Beskar] Tracked successful authentication for user #{user.id}"
+        Beskar::Logger.info("Tracked successful authentication for user #{user.id}")
       rescue => e
-        Rails.logger.error "[Beskar] Failed to track authentication success: #{e.message}"
+        Beskar::Logger.error("Failed to track authentication success: #{e.message}")
       end
 
       # Track failed authentication attempt
@@ -40,9 +40,9 @@ module Beskar
         return unless Beskar.configuration.track_failed_logins?
 
         model_class.track_failed_authentication(request, scope)
-        Rails.logger.info "[Beskar] Tracked failed authentication for scope #{scope}"
+        Beskar::Logger.info("Tracked failed authentication for scope #{scope}")
       rescue => e
-        Rails.logger.error "[Beskar] Failed to track authentication failure: #{e.message}"
+        Beskar::Logger.error("Failed to track authentication failure: #{e.message}")
       end
 
       # Track logout event
@@ -61,9 +61,9 @@ module Beskar
           },
           risk_score: 0
         )
-        Rails.logger.info "[Beskar] Tracked logout for user #{user.id}"
+        Beskar::Logger.info("Tracked logout for user #{user.id}")
       rescue => e
-        Rails.logger.error "[Beskar] Failed to track logout: #{e.message}"
+        Beskar::Logger.error("Failed to track logout: #{e.message}")
       end
     end
   end

data/app/models/beskar/banned_ip.rb

@@ -12,6 +12,10 @@ module Beskar
       self.metadata ||= {}
     end
 
+    # Cache management callbacks
+    after_save :update_cache
+    after_destroy :clear_cache
+
     scope :active, -> { where("expires_at IS NULL OR expires_at > ?", Time.current) }
     scope :permanent, -> { where(permanent: true) }
     scope :temporary, -> { where(permanent: false) }
@@ -67,35 +71,52 @@ module Beskar
     class << self
       # Ban an IP address
       def ban!(ip_address, reason:, duration: nil, permanent: false, details: nil, metadata: {})
-        banned_ip = find_or_initialize_by(ip_address: ip_address)
-        
-        if banned_ip.persisted?
-          # Existing ban - extend it
-          banned_ip.extend_ban!(duration)
-          banned_ip.details = details if details
-          # Deep stringify keys to avoid duplicate key issues
-          if metadata.any?
-            banned_ip.metadata = banned_ip.metadata.deep_stringify_keys.merge(metadata.deep_stringify_keys)
+        # Retry logic to handle race conditions when multiple requests try to ban the same IP
+        retries = 0
+        max_retries = 2
+
+        begin
+          banned_ip = find_or_initialize_by(ip_address: ip_address)
+
+          if banned_ip.persisted?
+            # Existing ban - extend it
+            banned_ip.extend_ban!(duration)
+            banned_ip.details = details if details
+            # Deep stringify keys to avoid duplicate key issues
+            if metadata.any?
+              banned_ip.metadata = banned_ip.metadata.deep_stringify_keys.merge(metadata.deep_stringify_keys)
+            end
+            banned_ip.save!
+          else
+            # New ban
+            banned_ip.assign_attributes(
+              reason: reason,
+              banned_at: Time.current,
+              expires_at: permanent ? nil : (Time.current + (duration || 1.hour)),
+              permanent: permanent,
+              details: details,
+              metadata: metadata
+            )
+            banned_ip.save!
           end
-          banned_ip.save!
-        else
-          # New ban
-          banned_ip.assign_attributes(
-            reason: reason,
-            banned_at: Time.current,
-            expires_at: permanent ? nil : (Time.current + (duration || 1.hour)),
-            permanent: permanent,
-            details: details,
-            metadata: metadata
-          )
-          banned_ip.save!
-        end
 
-        # Update cache
-        cache_key = "beskar:banned_ip:#{ip_address}"
-        Rails.cache.write(cache_key, true, expires_in: permanent ? nil : (duration || 1.hour))
-
-        banned_ip
+          # Update cache
+          cache_key = "beskar:banned_ip:#{ip_address}"
+          Rails.cache.write(cache_key, true, expires_in: permanent ? nil : (duration || 1.hour))
+
+          banned_ip
+        rescue ActiveRecord::RecordInvalid => e
+          # Race condition: another request created the record between find and save
+          if e.message.include?("Ip address has already been taken") && retries < max_retries
+            retries += 1
+            # Small random delay to reduce contention (1-10ms)
+            sleep(rand(1..10) / 1000.0)
+            retry
+          else
+            # Re-raise if it's a different validation error or we've exceeded retries
+            raise
+          end
+        end
       end
 
       # Check if an IP is banned (cache-first approach)
@@ -148,5 +169,25 @@ module Beskar
         expired.destroy_all
       end
     end
+
+    private
+
+    def update_cache
+      return unless active?
+
+      cache_key = "beskar:banned_ip:#{ip_address}"
+      ttl = calculate_cache_ttl
+      Rails.cache.write(cache_key, true, expires_in: ttl)
+    end
+
+    def clear_cache
+      Rails.cache.delete("beskar:banned_ip:#{ip_address}")
+    end
+
+    def calculate_cache_ttl
+      return nil if permanent? || expires_at.nil?
+
+      (expires_at - Time.current).to_i
+    end
   end
 end

data/app/models/beskar/security_event.rb

@@ -46,5 +46,19 @@ module Beskar
     def geolocation
       metadata&.dig("geolocation") || {}
     end
+
+    def details
+      # Extract details from metadata if available
+      # Check multiple possible fields where details might be stored
+      return nil unless metadata.present?
+
+      metadata["details"] ||
+        metadata["description"] ||
+        metadata["message"] ||
+        metadata["reason"] ||
+        metadata["error"] ||
+        metadata["info"] ||
+        nil
+    end
   end
 end

data/app/services/beskar/banned_ip_manager.rb

@@ -0,0 +1,78 @@
+module Beskar
+  class BannedIpManager
+    attr_reader :banned_ip, :errors
+
+    def initialize(params)
+      @params = params
+      @errors = []
+      @banned_ip = nil
+    end
+
+    def create
+      @banned_ip = BannedIp.new(base_attributes)
+      configure_ban_duration
+
+      @banned_ip.save
+    end
+
+    def success?
+      @banned_ip&.persisted?
+    end
+
+    private
+
+    def base_attributes
+      {
+        ip_address: @params[:ip_address],
+        reason: @params[:reason],
+        details: @params[:details],
+        violation_count: @params[:violation_count] || 1,
+        metadata: @params[:metadata] || {},
+        banned_at: Time.current
+      }
+    end
+
+    def configure_ban_duration
+      return set_permanent_ban if permanent_ban?
+
+      set_temporary_ban
+    end
+
+    def permanent_ban?
+      @params[:ban_type] == 'permanent'
+    end
+
+    def set_permanent_ban
+      @banned_ip.permanent = true
+      @banned_ip.expires_at = nil
+    end
+
+    def set_temporary_ban
+      @banned_ip.permanent = false
+      @banned_ip.expires_at = calculate_expiry_time
+    end
+
+    def calculate_expiry_time
+      return custom_expiry_time if custom_expiry_time.present?
+      return preset_duration_expiry if preset_duration.present?
+
+      default_expiry_time
+    end
+
+    def custom_expiry_time
+      @params[:expires_at]
+    end
+
+    def preset_duration
+      @params[:duration]
+    end
+
+    def preset_duration_expiry
+      Time.current + preset_duration.to_i.seconds
+    end
+
+    def default_expiry_time
+      24.hours.from_now
+    end
+  end
+end

data/app/views/beskar/banned_ips/edit.html.erb

@@ -0,0 +1,259 @@
+<% content_for :page_title, "Edit Ban: #{@banned_ip.ip_address}" %>
+
+<% content_for :header_actions do %>
+  <%= link_to "← Cancel", banned_ip_path(@banned_ip), class: "btn btn-secondary" %>
+<% end %>
+
+<div class="card">
+  <div class="card-header">
+    <h3 class="card-title">Edit IP Ban</h3>
+    <div class="card-subtitle">Modify ban settings for <%= @banned_ip.ip_address %></div>
+  </div>
+  <div class="card-body">
+    <%= form_with model: @banned_ip, url: banned_ip_path(@banned_ip), method: :patch, local: true do |f| %>
+      <% if @banned_ip.errors.any? %>
+        <div class="alert alert-danger">
+          <h4 style="font-size: 14px; font-weight: 600; margin-bottom: 0.5rem;">
+            <%= pluralize(@banned_ip.errors.count, "error") %> prohibited this ban from being saved:
+          </h4>
+          <ul style="margin: 0; padding-left: 1.5rem;">
+            <% @banned_ip.errors.full_messages.each do |message| %>
+              <li style="font-size: 13px;"><%= message %></li>
+            <% end %>
+          </ul>
+        </div>
+      <% end %>
+
+      <div style="display: grid; grid-template-columns: 1fr; gap: 1.5rem; max-width: 600px;">
+        <!-- IP Address (Read-only) -->
+        <div class="form-group">
+          <%= f.label :ip_address, "IP Address" %>
+          <%= f.text_field :ip_address,
+              disabled: true,
+              style: "font-family: monospace; background: #F4F5F7; cursor: not-allowed;" %>
+          <div style="font-size: 12px; color: #697386; margin-top: 0.25rem;">
+            IP addresses cannot be changed. To ban a different IP, create a new ban.
+          </div>
+        </div>
+
+        <!-- Current Status -->
+        <div class="form-group">
+          <label>Current Status</label>
+          <div style="display: flex; align-items: center; gap: 1rem;">
+            <% if @banned_ip.permanent? %>
+              <span class="badge badge-critical">Permanent Ban</span>
+            <% elsif @banned_ip.active? %>
+              <span class="badge badge-danger">Active</span>
+              <span style="font-size: 13px; color: #697386;">
+                Expires in <%= distance_of_time_in_words(Time.current, @banned_ip.expires_at) %>
+              </span>
+            <% else %>
+              <span class="badge badge-neutral">Expired</span>
+              <span style="font-size: 13px; color: #697386;">
+                Expired <%= time_ago_in_words(@banned_ip.expires_at) %> ago
+              </span>
+            <% end %>
+          </div>
+        </div>
+
+        <!-- Reason -->
+        <div class="form-group">
+          <%= f.label :reason, "Ban Reason *" %>
+          <%= f.select :reason,
+              options_for_select([
+                ['Rate Limit Abuse', 'rate_limit_abuse'],
+                ['Authentication Abuse', 'authentication_abuse'],
+                ['WAF Violation', 'waf_violation'],
+                ['Brute Force Attack', 'brute_force_attack'],
+                ['Suspicious Activity', 'suspicious_activity'],
+                ['Manual Ban', 'manual_ban'],
+                ['Other', 'other']
+              ], @banned_ip.reason),
+              { prompt: 'Select a reason...' },
+              { required: true } %>
+          <div style="font-size: 12px; color: #697386; margin-top: 0.25rem;">
+            Update the reason for this ban if needed.
+          </div>
+        </div>
+
+        <!-- Ban Duration -->
+        <div class="form-group">
+          <label>Ban Duration</label>
+          <div style="display: flex; flex-direction: column; gap: 0.5rem;">
+            <label style="display: flex; align-items: center; gap: 0.5rem; cursor: pointer;">
+              <%= f.radio_button :permanent, false,
+                  onchange: "toggleDurationFields()",
+                  checked: !@banned_ip.permanent? %>
+              <span style="font-weight: normal;">Temporary Ban</span>
+            </label>
+            <label style="display: flex; align-items: center; gap: 0.5rem; cursor: pointer;">
+              <%= f.radio_button :permanent, true,
+                  onchange: "toggleDurationFields()",
+                  checked: @banned_ip.permanent? %>
+              <span style="font-weight: normal; color: #D32F2F;">Permanent Ban</span>
+            </label>
+          </div>
+          <% if @banned_ip.permanent? %>
+            <div class="alert alert-warning" style="margin-top: 0.5rem;">
+              <strong>Warning:</strong> This is currently a permanent ban. Changing it to temporary will set an expiration date.
+            </div>
+          <% end %>
+        </div>
+
+        <!-- Temporary Ban Options -->
+        <div id="temporary-options" style="<%= @banned_ip.permanent? ? 'display: none;' : '' %>">
+          <div class="form-group">
+            <%= f.label :expires_at, "Expiry Date/Time" %>
+            <%= f.datetime_field :expires_at,
+                value: @banned_ip.expires_at&.strftime('%Y-%m-%dT%H:%M'),
+                min: DateTime.now.strftime('%Y-%m-%dT%H:%M') %>
+            <div style="font-size: 12px; color: #697386; margin-top: 0.25rem;">
+              Set when this ban should expire. Leave empty for default duration.
+            </div>
+          </div>
+
+          <!-- Quick Extension Options -->
+          <div class="form-group">
+            <label>Quick Extension</label>
+            <div style="display: grid; grid-template-columns: repeat(3, 1fr); gap: 0.5rem;">
+              <button type="button" onclick="extendBan(1)" class="btn btn-sm btn-secondary">+1 Hour</button>
+              <button type="button" onclick="extendBan(24)" class="btn btn-sm btn-secondary">+1 Day</button>
+              <button type="button" onclick="extendBan(168)" class="btn btn-sm btn-secondary">+7 Days</button>
+              <button type="button" onclick="extendBan(720)" class="btn btn-sm btn-secondary">+30 Days</button>
+              <button type="button" onclick="extendBan(2160)" class="btn btn-sm btn-secondary">+90 Days</button>
+              <button type="button" onclick="makePermanent()" class="btn btn-sm btn-danger">Make Permanent</button>
+            </div>
+          </div>
+        </div>
+
+        <!-- Details -->
+        <div class="form-group">
+          <%= f.label :details, "Additional Details" %>
+          <%= f.text_area :details,
+              rows: 3,
+              placeholder: "Provide any additional context or details about this ban..." %>
+          <div style="font-size: 12px; color: #697386; margin-top: 0.25rem;">
+            Update any relevant information about why this IP is banned.
+          </div>
+        </div>
+
+        <!-- Violation Count -->
+        <div class="form-group">
+          <%= f.label :violation_count, "Violation Count" %>
+          <%= f.number_field :violation_count, min: 0 %>
+          <div style="font-size: 12px; color: #697386; margin-top: 0.25rem;">
+            Current violation count: <%= @banned_ip.violation_count %>. Higher counts may result in longer bans for repeat offenders.
+          </div>
+        </div>
+
+        <hr style="border: none; border-top: 1px solid #E3E8EE; margin: 1.5rem 0;">
+
+        <!-- Ban History -->
+        <div class="form-group">
+          <label>Ban History</label>
+          <div style="background: #FAFBFC; border: 1px solid #E3E8EE; border-radius: 6px; padding: 1rem;">
+            <div style="display: grid; grid-template-columns: repeat(auto-fit, minmax(150px, 1fr)); gap: 1rem;">
+              <div>
+                <div style="font-size: 11px; font-weight: 600; text-transform: uppercase; letter-spacing: 0.025em; color: #697386;">
+                  Originally Banned
+                </div>
+                <div style="font-size: 13px; color: #1A1F36; margin-top: 0.25rem;">
+                  <%= @banned_ip.banned_at.strftime("%Y-%m-%d %H:%M:%S") %>
+                </div>
+              </div>
+              <div>
+                <div style="font-size: 11px; font-weight: 600; text-transform: uppercase; letter-spacing: 0.025em; color: #697386;">
+                  Time Banned
+                </div>
+                <div style="font-size: 13px; color: #1A1F36; margin-top: 0.25rem;">
+                  <%= time_ago_in_words(@banned_ip.banned_at) %>
+                </div>
+              </div>
+              <% if @banned_ip.updated_at != @banned_ip.created_at %>
+                <div>
+                  <div style="font-size: 11px; font-weight: 600; text-transform: uppercase; letter-spacing: 0.025em; color: #697386;">
+                    Last Modified
+                  </div>
+                  <div style="font-size: 13px; color: #1A1F36; margin-top: 0.25rem;">
+                    <%= @banned_ip.updated_at.strftime("%Y-%m-%d %H:%M:%S") %>
+                  </div>
+                </div>
+              <% end %>
+            </div>
+          </div>
+        </div>
+
+        <!-- Submit Buttons -->
+        <div style="display: flex; gap: 0.5rem;">
+          <%= f.submit "Update Ban", class: "btn btn-primary" %>
+          <%= link_to "Cancel", banned_ip_path(@banned_ip), class: "btn btn-secondary" %>
+          <%= link_to "Delete Ban", banned_ip_path(@banned_ip),
+              data: {
+                "turbo-method": "delete",
+                "turbo-confirm": "Are you sure you want to unban #{@banned_ip.ip_address}?"
+              },
+              class: "btn btn-danger" %>
+        </div>
+      </div>
+    <% end %>
+  </div>
+</div>
+
+<script>
+  function toggleDurationFields() {
+    const isPermanent = document.querySelector('input[name="banned_ip[permanent]"]:checked').value === 'true';
+    const temporaryOptions = document.getElementById('temporary-options');
+
+    if (isPermanent) {
+      temporaryOptions.style.display = 'none';
+      document.getElementById('banned_ip_expires_at').value = '';
+    } else {
+      temporaryOptions.style.display = 'block';
+      // If switching from permanent to temporary, set a default expiry
+      if (!document.getElementById('banned_ip_expires_at').value) {
+        const defaultExpiry = new Date(Date.now() + 24 * 60 * 60 * 1000); // 24 hours from now
+        document.getElementById('banned_ip_expires_at').value = defaultExpiry.toISOString().slice(0, 16);
+      }
+    }
+  }
+
+  function extendBan(hours) {
+    const expiresField = document.getElementById('banned_ip_expires_at');
+    let currentExpiry;
+
+    if (expiresField.value) {
+      currentExpiry = new Date(expiresField.value);
+    } else {
+      // Use current ban expiry or current time
+      <% if @banned_ip.expires_at %>
+        currentExpiry = new Date('<%= @banned_ip.expires_at.iso8601 %>');
+      <% else %>
+        currentExpiry = new Date();
+      <% end %>
+    }
+
+    // Add the specified hours
+    currentExpiry.setHours(currentExpiry.getHours() + hours);
+
+    // Update the field
+    expiresField.value = currentExpiry.toISOString().slice(0, 16);
+
+    // Show a visual feedback
+    const originalBg = expiresField.style.background;
+    expiresField.style.background = '#E8F5E9';
+    setTimeout(() => {
+      expiresField.style.background = originalBg;
+    }, 500);
+  }
+
+  function makePermanent() {
+    document.querySelector('input[name="banned_ip[permanent]"][value="true"]').checked = true;
+    toggleDurationFields();
+  }
+
+  // Initialize on page load
+  document.addEventListener('DOMContentLoaded', function() {
+    // Set initial state
+    toggleDurationFields();
+  });
+</script>