castle-rb 2.3.2 → 3.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: f939445efe5b4a33c2907c272077c731037e3098
-  data.tar.gz: 928e47fa3ad0459534b1453c4bad4b09a5fdbb16
+SHA256:
+  metadata.gz: 42c05b0f98dc4b62b7dd63aa69c0f78b3470c4e3a9432a454b1d7ca7918dbc17
+  data.tar.gz: a8761230e18ee47bb2337878774f637bea68ddd1d96bdc55827ec475d29a0026
 SHA512:
-  metadata.gz: 2100298d0f3a413d392c520136ab25f18077ae57bf3bd173121feacd5c351f1b7d2e018e62777dd80a084e39839490656e8e896a3da66cdab6f4a7dc19a85ec5
-  data.tar.gz: '0696b449a74bffcda95879e55e9a07d791a3afa88d68998c2a6131c695c4674039197e5a0c245ec0e6fb535aaa6d58a491bc2c78821e5aa012169705711528ce'
+  metadata.gz: '08a34db09b0d770ae486c520d71d5643c07aa436643679303f679bafbb7bf783222282db54dcfcbf36217a47401a19f73aaca49a3534e2919f5378f26fead199'
+  data.tar.gz: f502877e392ec738ff2425bb98ba4c8b9bdaa73a2ca9025dad7b2c51f7e20e4c50544f5275df10a9f83639fc8410feae33787bdd8b312b5d98017e40541f5fa9

data/README.md

@@ -1,8 +1,9 @@
 # Ruby SDK for Castle
 
-[![Build Status](https://travis-ci.org/castle/castle-ruby.png)](https://travis-ci.org/castle/castle-ruby)
-[![Gem Version](https://badge.fury.io/rb/castle-rb.png)](http://badge.fury.io/rb/castle-rb)
-[![Dependency Status](https://gemnasium.com/castle/castle-ruby.png)](https://gemnasium.com/castle/castle-ruby)
+[![Build Status](https://travis-ci.org/castle/castle-ruby.svg?branch=master)](https://travis-ci.org/castle/castle-ruby)
+[![Coverage Status](https://coveralls.io/repos/github/castle/castle-ruby/badge.svg?branch=coveralls)](https://coveralls.io/github/castle/castle-ruby?branch=coveralls)
+[![Gem Version](https://badge.fury.io/rb/castle-rb.svg)](https://badge.fury.io/rb/castle-rb)
+[![Dependency Status](https://gemnasium.com/badges/github.com/castle/castle-ruby.svg)](https://gemnasium.com/github.com/castle/castle-ruby)
 
 **[Castle](https://castle.io) adds real-time monitoring of your authentication stack, instantly notifying you and your users on potential account hijacks.**
 
@@ -20,7 +21,35 @@ Load and configure the library with your Castle API secret in an initializer or
 Castle.api_secret = 'YOUR_API_SECRET'
 ```
 
-A Castle client instance will be made available as `castle` in your Rails, Sinatra or Padrino controllers. The client will automatically configure the [request context](https://api.castle.io/docs#request-context) for each request.
+A Castle client instance will be made available as `castle` in your
+
+* Rails controllers when you add `require 'castle/support/rails'`
+
+* Padrino controllers when you add `require 'castle/support/padrino'`
+
+* Sinatra app when you add `require 'castle/support/sinatra'` (and additionally explicitly add `register Sinatra::Castle` to your `Sinatra::Base` class if you have a modular application)
+
+```
+require 'castle/support/sinatra'
+
+class ApplicationController < Sinatra::Base
+  register Sinatra::Castle
+end
+```
+
+* Hanami when you add `require 'castle/support/hanami'` and include `Castle::Hanami` to your Hanami application
+
+```
+require 'castle/support/hanami'
+
+module Web
+  class Application < Hanami::Application
+    include Castle::Hanami
+  end
+end
+```
+
+The client will automatically configure the [request context](https://api.castle.io/docs#request-context) for each request.
 
 ## Documentation
 
@@ -34,7 +63,8 @@ A Castle client instance will be made available as `castle` in your Rails, Sinat
 begin
   castle.track(
     name: '$login.succeeded',
-    user_id: user.id)
+    user_id: user.id
+  )
 rescue Castle::Error => e
   puts e.message
 end
@@ -47,10 +77,26 @@ Castle.configure do |config|
   # Same as setting it through Castle.api_secret
   config.api_secret = 'secret'
 
-  # Castle::RequestError is raised when timing out (default: 30.0)
-  config.request_timeout = 2.0
+  # For authenticate method you can set failover strategies: allow(default), deny, challenge, throw
+  config.failover_strategy = :deny
 
-  # For tracking in non-web environments: https://castle.io/docs/sources (default: 'web')
-  config.source_header = 'backend'
+  # Castle::RequestError is raised when timing out in seconds (default: 500 milliseconds)
+  config.request_timeout = 2000
+
+  # Whitelisted and Blacklisted headers are case insensitive and allow to use _ and - as a separator, http prefixes are removed
+  # Whitelisted headers
+  config.whitelisted = ['X_HEADER']
+  # or append to default
+  config.whitelisted += ['http-x-header']
+
+  # Blacklisted headers take advantage over whitelisted elements
+  config.blacklisted = ['HTTP-X-header']
+  # or append to default
+  config.blacklisted += ['X_HEADER']
 end
 ```
+
+
+## Signature
+
+`Castle::SecureMode.signature(user_id)` will create a signed user_id.

data/lib/castle.rb

@@ -2,21 +2,33 @@
 
 require 'openssl'
 require 'net/http'
+require 'json'
 
 require 'castle/version'
-
+require 'castle/errors'
+require 'castle/command'
+require 'castle/utils'
+require 'castle/utils/merger'
+require 'castle/utils/cloner'
+require 'castle/context_merger'
+require 'castle/default_context'
+require 'castle/commands/with_context'
+require 'castle/commands/identify'
+require 'castle/commands/authenticate'
+require 'castle/commands/track'
+require 'castle/commands/review'
 require 'castle/configuration'
+require 'castle/failover_auth_response'
 require 'castle/client'
-require 'castle/errors'
-require 'castle/system'
+require 'castle/header_formatter'
+require 'castle/secure_mode'
 require 'castle/extractors/client_id'
 require 'castle/extractors/headers'
 require 'castle/extractors/ip'
-require 'castle/headers'
 require 'castle/response'
 require 'castle/request'
+require 'castle/review'
 require 'castle/api'
-require 'castle/cookie_store'
 
 # main sdk module
 module Castle
@@ -38,5 +50,3 @@ module Castle
     end
   end
 end
-
-require 'castle/support'

data/lib/castle/api.rb

@@ -3,32 +3,27 @@
 module Castle
   # this class is responsible for making requests to api
   class API
-    def initialize(cookie_id, ip, headers)
+    def initialize(headers = {})
       @config = Castle.config
-      @config_api_endpoint = @config.api_endpoint
       @http = prepare_http
-      @headers = Castle::Headers.new.prepare(cookie_id, ip, headers)
+      @headers = headers.merge('Content-Type' => 'application/json')
     end
 
-    def request_query(endpoint)
-      request = Castle::Request.new(@headers).build_query(endpoint)
-      perform_request(request)
-    end
-
-    def request(endpoint, args, method = :post)
-      request = Castle::Request.new(@headers).build(endpoint, args, method)
+    def request(command)
+      request = Castle::Request.new(@headers).build(
+        command.path,
+        command.data,
+        command.method
+      )
       perform_request(request)
     end
 
     private
 
     def prepare_http
-      http = Net::HTTP.new(
-        @config_api_endpoint.host,
-        @config_api_endpoint.port
-      )
-      http.read_timeout = @config.request_timeout
-      prepare_http_for_ssl(http) if @config_api_endpoint.scheme == 'https'
+      http = Net::HTTP.new(@config.host, @config.port)
+      http.read_timeout = @config.request_timeout / 1000.0
+      prepare_http_for_ssl(http) if @config.port == 443
       http
     end
 
@@ -37,12 +32,15 @@ module Castle
       http.verify_mode = OpenSSL::SSL::VERIFY_PEER
     end
 
-    def perform_request(req)
-      Castle::Response.new(@http.request(req)).parse
-    rescue Timeout::Error, Errno::EINVAL, Errno::ECONNRESET, EOFError,
-           Net::HTTPBadResponse, Net::HTTPHeaderSyntaxError,
-           Net::ProtocolError
-      raise Castle::RequestError, 'Castle API connection error'
+    def perform_request(request)
+      raise Castle::ConfigurationError, 'configuration is not valid' unless @config.valid?
+      begin
+        Castle::Response.new(@http.request(request)).parse
+      rescue Timeout::Error, Errno::EINVAL, Errno::ECONNRESET, EOFError,
+             Net::HTTPBadResponse, Net::HTTPHeaderSyntaxError,
+             Net::ProtocolError
+        raise Castle::RequestError, 'Castle API connection error'
+      end
     end
   end
 end

data/lib/castle/client.rb

@@ -4,40 +4,71 @@ module Castle
   class Client
     attr_accessor :api
 
-    def initialize(request, response)
-      @do_not_track = false
-      cookie_id = Extractors::ClientId.new(request).call(response, '__cid')
-      ip = Extractors::IP.new(request).call
-      headers = Extractors::Headers.new(request).call
-      @api = API.new(cookie_id, ip, headers)
+    def initialize(request, options = {})
+      @do_not_track = default_tracking(options)
+      @context = setup_context(request, options[:cookies], options[:context])
+      @api = API.new
     end
 
-    def fetch_review(id)
-      @api.request_query("reviews/#{id}")
-    end
+    def authenticate(options = {})
+      options = Castle::Utils.deep_symbolize_keys(options || {})
 
-    def identify(args)
-      @api.request('identify', args) unless do_not_track?
+      if tracked?
+        command = Castle::Commands::Authenticate.new(@context).build(options)
+        begin
+          @api.request(command).merge('failover' => false, 'failover_reason' => nil)
+        rescue Castle::RequestError, Castle::InternalServerError => error
+          failover_response_or_raise(FailoverAuthResponse.new(options[:user_id], reason: error.to_s), error)
+        end
+      else
+        FailoverAuthResponse.new(options[:user_id], strategy: :allow, reason: 'Castle set to do not track.').generate
+      end
     end
 
-    def authenticate(args)
-      @api.request('authenticate', args)
+    def identify(options = {})
+      options = Castle::Utils.deep_symbolize_keys(options || {})
+
+      return unless tracked?
+
+      command = Castle::Commands::Identify.new(@context).build(options)
+      @api.request(command)
     end
 
-    def track(args)
-      @api.request('track', args) unless do_not_track?
+    def track(options = {})
+      options = Castle::Utils.deep_symbolize_keys(options || {})
+
+      return unless tracked?
+
+      command = Castle::Commands::Track.new(@context).build(options)
+      @api.request(command)
     end
 
-    def do_not_track!
+    def disable_tracking
       @do_not_track = true
     end
 
-    def track!
+    def enable_tracking
       @do_not_track = false
     end
 
-    def do_not_track?
-      @do_not_track
+    def tracked?
+      !@do_not_track
+    end
+
+    private
+
+    def setup_context(request, cookies, additional_context)
+      default_context = Castle::DefaultContext.new(request, cookies).call
+      Castle::ContextMerger.new(default_context).call(additional_context || {})
+    end
+
+    def failover_response_or_raise(failover_response, error)
+      return failover_response.generate unless Castle.config.failover_strategy == :throw
+      raise error
+    end
+
+    def default_tracking(options)
+      options.key?(:do_not_track) ? options[:do_not_track] : false
     end
   end
 end

data/lib/castle/command.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Castle
+  Command = Struct.new(:path, :data, :method)
+end

data/lib/castle/commands/authenticate.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module Castle
+  module Commands
+    class Authenticate
+      include WithContext
+
+      def build(options = {})
+        validate!(options)
+        build_context!(options)
+
+        Castle::Command.new('authenticate', options, :post)
+      end
+
+      private
+
+      def validate!(options)
+        %i[event user_id].each do |key|
+          next unless options[key].to_s.empty?
+          raise Castle::InvalidParametersError, "#{key} is missing or empty"
+        end
+      end
+    end
+  end
+end

data/lib/castle/commands/identify.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module Castle
+  module Commands
+    class Identify
+      include WithContext
+
+      def build(options = {})
+        validate!(options)
+        build_context!(options)
+
+        Castle::Command.new('identify', options, :post)
+      end
+
+      private
+
+      def validate!(options)
+        %i[user_id].each do |key|
+          next unless options[key].to_s.empty?
+          raise Castle::InvalidParametersError, "#{key} is missing or empty"
+        end
+
+        if options[:properties]
+          raise Castle::InvalidParametersError,
+                'properties are not supported in identify calls'
+        end
+      end
+    end
+  end
+end

data/lib/castle/commands/review.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module Castle
+  module Commands
+    class Review
+      def build(review_id)
+        raise Castle::InvalidParametersError if review_id.nil? || review_id.to_s.empty?
+
+        Castle::Command.new("reviews/#{review_id}", nil, :get)
+      end
+    end
+  end
+end

data/lib/castle/commands/track.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module Castle
+  module Commands
+    class Track
+      include WithContext
+
+      def build(options = {})
+        validate!(options)
+        build_context!(options)
+
+        Castle::Command.new('track', options, :post)
+      end
+
+      private
+
+      def validate!(options)
+        %i[event].each do |key|
+          next unless options[key].to_s.empty?
+          raise Castle::InvalidParametersError, "#{key} is missing or empty"
+        end
+      end
+    end
+  end
+end

data/lib/castle/commands/with_context.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module Castle
+  module Commands
+    module WithContext
+      def initialize(context)
+        @context_merger = ContextMerger.new(context)
+      end
+
+      private
+
+      def build_context!(options)
+        sanitize_active_mode!(options)
+        options[:context] = merge_context(options[:context])
+      end
+
+      def sanitize_active_mode!(options)
+        return unless options[:context] && options[:context].key?(:active)
+        return if [true, false].include?(options[:context][:active])
+        options[:context].delete(:active)
+      end
+
+      def merge_context(request_context)
+        @context_merger.call(request_context || {})
+      end
+    end
+  end
+end

data/lib/castle/configuration.rb

@@ -3,37 +3,69 @@
 module Castle
   # manages configuration variables
   class Configuration
-    SUPPORTED = %i[source_header request_timeout api_secret api_endpoint].freeze
-    REQUEST_TIMEOUT = 30.0
-    API_ENDPOINT = 'https://api.castle.io/v1'
+    REQUEST_TIMEOUT = 500 # in milliseconds
+    FAILOVER_STRATEGIES = %i[allow deny challenge throw].freeze
+    WHITELISTED = [
+      'User-Agent',
+      'Accept-Language',
+      'Accept-Encoding',
+      'Accept-Charset',
+      'Accept',
+      'Accept-Datetime',
+      'X-Forwarded-For',
+      'Forwarded',
+      'X-Forwarded',
+      'X-Real-IP',
+      'REMOTE_ADDR'
+    ].freeze
 
-    attr_accessor :request_timeout, :source_header
-    attr_reader :api_secret, :api_endpoint
+    BLACKLISTED = ['HTTP_COOKIE'].freeze
+
+    attr_accessor :host, :port, :request_timeout, :url_prefix
+    attr_reader :api_secret, :host, :port, :whitelisted, :blacklisted, :failover_strategy
 
     def initialize
+      @formatter = Castle::HeaderFormatter.new
       @request_timeout = REQUEST_TIMEOUT
-      self.api_endpoint = API_ENDPOINT
+      self.failover_strategy = :allow
+      self.host = 'api.castle.io'
+      self.port = 443
+      self.url_prefix = 'v1'
+      self.whitelisted = WHITELISTED
+      self.blacklisted = BLACKLISTED
       self.api_secret = ''
     end
 
-    def api_endpoint=(value)
-      @api_endpoint = URI(
-        ENV.fetch('CASTLE_API_ENDPOINT', value)
-      )
-    end
-
     def api_secret=(value)
       @api_secret = ENV.fetch('CASTLE_API_SECRET', value).to_s
     end
 
+    def whitelisted=(value)
+      @whitelisted = (value ? value.map { |header| @formatter.call(header) } : []).freeze
+    end
+
+    def blacklisted=(value)
+      @blacklisted = (value ? value.map { |header| @formatter.call(header) } : []).freeze
+    end
+
+    def valid?
+      !api_secret.to_s.empty? && !host.to_s.empty? && !port.to_s.empty?
+    end
+
+    def failover_strategy=(value)
+      @failover_strategy = FAILOVER_STRATEGIES.detect { |strategy| strategy == value.to_sym }
+      raise Castle::ConfigurationError, 'unrecognized failover strategy' if @failover_strategy.nil?
+      @failover_strategy
+    end
+
     private
 
     def respond_to_missing?(method_name, _include_private)
       /^(\w+)=$/ =~ method_name
     end
 
-    def method_missing(_m, *_args)
-      raise Castle::ConfigurationError, 'there is no such a config'
+    def method_missing(m, *_args)
+      raise Castle::ConfigurationError, "there is no such a config #{m}"
     end
   end
 end