castle-rb 4.1.0 → 6.0.0

data/lib/castle/{api/response.rb → core/process_response.rb}

@@ -1,9 +1,9 @@
 # frozen_string_literal: true
 
 module Castle
-  module API
+  module Core
     # parses api response
-    module Response
+    module ProcessResponse
       RESPONSE_ERRORS = {
         400 => Castle::BadRequestError,
         401 => Castle::UnauthorizedError,
@@ -17,6 +17,8 @@ module Castle
         def call(response)
           verify!(response)
 
+          Castle::Logger.call('response:', response.body.to_s)
+
           return {} if response.body.nil? || response.body.empty?
 
           begin

data/lib/castle/core/process_webhook.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Castle
+  module Core
+    # Parses a webhook
+    module ProcessWebhook
+      class << self
+        # Checks if webhook is valid
+        # @param webhook [Request]
+        def call(webhook)
+          webhook.body.read.tap do |result|
+            raise Castle::ApiError, 'Invalid webhook from Castle API' if result.blank?
+
+            Castle::Logger.call('webhook:', result.to_s)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/castle/core/send_request.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module Castle
+  module Core
+    # this class is responsible for making requests to api
+    module SendRequest
+      # Default headers that we add to passed ones
+      DEFAULT_HEADERS = {
+        'Content-Type' => 'application/json'
+      }.freeze
+
+      private_constant :DEFAULT_HEADERS
+
+      class << self
+        # @param command [String]
+        # @param headers [Hash]
+        # @param http [Net::HTTP]
+        # @param config [Castle::Configuration, Castle::SingletonConfiguration]
+        def call(command, headers, http = nil, config = Castle.config)
+          (http || Castle::Core::GetConnection.call).request(
+            build(
+              command,
+              headers.merge(DEFAULT_HEADERS),
+              config
+            )
+          )
+        end
+
+        # @param command [String]
+        # @param headers [Hash]
+        # @param config [Castle::Configuration, Castle::SingletonConfiguration]
+        def build(command, headers, config = Castle.config)
+          url = "#{config.base_url.path}/#{command.path}"
+          request_obj = Net::HTTP.const_get(command.method.to_s.capitalize).new(url, headers)
+
+          unless command.method == :get
+            request_obj.body = ::Castle::Utils::CleanInvalidChars.call(
+              command.data
+            ).to_json
+          end
+
+          Castle::Logger.call("#{url}:", request_obj.body)
+
+          request_obj.basic_auth('', config.api_secret)
+          request_obj
+        end
+      end
+    end
+  end
+end

data/lib/castle/errors.rb

@@ -20,6 +20,8 @@ module Castle
   class ConfigurationError < Castle::Error; end
   # error returned by api
   class ApiError < Castle::Error; end
+  # webhook signature verification error
+  class WebhookVerificationError < Castle::Error; end
 
   # api error bad request 400
   class BadRequestError < Castle::ApiError; end

data/lib/castle/events.rb

@@ -3,7 +3,7 @@
 module Castle
   # list of events based on https://docs.castle.io/api_reference/#list-of-recognized-events
   module Events
-    # Record when a user succesfully logs in.
+    # Record when a user successfully logs in.
     LOGIN_SUCCEEDED = '$login.succeeded'
     # Record when a user failed to log in.
     LOGIN_FAILED = '$login.failed'

data/lib/castle/failover/prepare_response.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Castle
+  module Failover
+    # generate failover authentication response
+    class PrepareResponse
+      def initialize(user_id, reason:, strategy: Castle.config.failover_strategy)
+        @strategy = strategy
+        @reason = reason
+        @user_id = user_id
+      end
+
+      def call
+        {
+          action: @strategy.to_s,
+          user_id: @user_id,
+          failover: true,
+          failover_reason: @reason
+        }
+      end
+    end
+  end
+end

data/lib/castle/failover/strategy.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Castle
+  module Failover
+    # handles failover strategy consts
+    module Strategy
+      # allow
+      ALLOW = :allow
+      # deny
+      DENY = :deny
+      # challenge
+      CHALLENGE = :challenge
+      # throw an error
+      THROW = :throw
+    end
+
+    # list of possible strategies
+    STRATEGIES = %i[allow deny challenge throw].freeze
+  end
+end

data/lib/castle/headers/extract.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+module Castle
+  module Headers
+    # used for extraction of cookies and headers from the request
+    class Extract
+      # Headers that we will never scrub, even if they land on the configuration denylist.
+      ALWAYS_ALLOWLISTED = %w[User-Agent].freeze
+
+      # Headers that will always be scrubbed, even if allowlisted.
+      ALWAYS_DENYLISTED = %w[Cookie Authorization].freeze
+
+      private_constant :ALWAYS_ALLOWLISTED, :ALWAYS_DENYLISTED
+
+      # @param headers [Hash]
+      # @param config [Castle::Configuration, Castle::SingletonConfiguration]
+      def initialize(headers, config = Castle.config)
+        @headers = headers
+        @config = config
+        @no_allowlist = config.allowlisted.empty?
+      end
+
+      # Serialize HTTP headers
+      # @return [Hash]
+      def call
+        @headers.each_with_object({}) do |(name, value), acc|
+          acc[name] = header_value(name, value)
+        end
+      end
+
+      private
+
+      # scrub header value
+      # @param name [String]
+      # @param value [String]
+      # @return [TrueClass | FalseClass | String]
+      def header_value(name, value)
+        return true if ALWAYS_DENYLISTED.include?(name)
+        return value if ALWAYS_ALLOWLISTED.include?(name)
+        return true if @config.denylisted.include?(name)
+        return value if @no_allowlist || @config.allowlisted.include?(name)
+
+        true
+      end
+    end
+  end
+end

data/lib/castle/headers/filter.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+module Castle
+  module Headers
+    # used for preparing valuable headers list
+    class Filter
+      # headers filter
+      # HTTP_ - this is how Rack prefixes incoming HTTP headers
+      # CONTENT_LENGTH - for responses without Content-Length or Transfer-Encoding header
+      # REMOTE_ADDR - ip address header returned by web server
+      VALUABLE_HEADERS = /^
+      HTTP(?:_|-).*|
+        CONTENT(?:_|-)LENGTH|
+      REMOTE(?:_|-)ADDR
+      $/xi.freeze
+
+      private_constant :VALUABLE_HEADERS
+
+      # @param request [Rack::Request]
+      def initialize(request)
+        @request_env = request.env
+        @header_format = Castle::Headers::Format
+      end
+
+      # Serialize HTTP headers
+      # @return [Hash]
+      def call
+        @request_env.keys.each_with_object({}) do |header_name, acc|
+          next unless header_name.match(VALUABLE_HEADERS)
+
+          formatted_name = @header_format.call(header_name)
+          acc[formatted_name] = @request_env[header_name]
+        end
+      end
+    end
+  end
+end

data/lib/castle/headers/format.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module Castle
+  module Headers
+    # formats header name
+    class Format
+      class << self
+        # @param header [String]
+        # @return [String]
+        def call(header)
+          format(header.to_s.gsub(/^HTTP(?:_|-)/i, ''))
+        end
+
+        private
+
+        # @param header [String]
+        # @return [String]
+        def format(header)
+          header.split(/_|-/).map(&:capitalize).join('-')
+        end
+      end
+    end
+  end
+end

data/lib/castle/ip/extract.rb

@@ -0,0 +1,83 @@
+# frozen_string_literal: true
+
+module Castle
+  module IP
+    # used for extraction of ip from the request
+    class Extract
+      # ordered list of ip headers for ip extraction
+      DEFAULT = %w[X-Forwarded-For Remote-Addr].freeze
+      # list of header which are used with proxy depth setting
+      DEPTH_RELATED = %w[X-Forwarded-For].freeze
+
+      private_constant :DEFAULT
+
+      # @param headers [Hash]
+      # @param config [Castle::Configuration, Castle::SingletonConfiguration]
+      def initialize(headers, config = Castle.config)
+        @headers = headers
+        @ip_headers = config.ip_headers.empty? ? DEFAULT : config.ip_headers
+        @proxies = config.trusted_proxies + Castle::Configuration::TRUSTED_PROXIES
+        @trust_proxy_chain = config.trust_proxy_chain
+        @trusted_proxy_depth = config.trusted_proxy_depth
+      end
+
+      # Order of headers:
+      #   .... list of headers defined by ip_headers
+      #   X-Forwarded-For
+      #   Remote-Addr
+      # @return [String]
+      def call
+        all_ips = []
+
+        @ip_headers.each do |ip_header|
+          ips = ips_from(ip_header)
+          ip_value = remove_proxies(ips)
+
+          return ip_value if ip_value
+
+          all_ips.push(*ips)
+        end
+
+        # fallback to first listed ip
+        all_ips.first
+      end
+
+      private
+
+      # @param ips [Array<String>]
+      # @return [Array<String>]
+      def remove_proxies(ips)
+        return ips.first if @trust_proxy_chain
+
+        ips.reject { |ip| proxy?(ip) }.last
+      end
+
+      # @param ip [String]
+      # @return [Boolean]
+      def proxy?(ip)
+        @proxies.any? { |proxy| proxy.match(ip) }
+      end
+
+      # @param header [String]
+      # @return [Array<String>]
+      def ips_from(header)
+        value = @headers[header]
+
+        return [] unless value
+
+        ips = value.strip.split(/[,\s]+/)
+
+        limit_proxy_depth(ips, header)
+      end
+
+      # @param ips [Array<String>]
+      # @param ip_header [String]
+      # @return [Array<String>]
+      def limit_proxy_depth(ips, ip_header)
+        ips.pop(@trusted_proxy_depth) if DEPTH_RELATED.include?(ip_header)
+
+        ips
+      end
+    end
+  end
+end

data/lib/castle/logger.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Castle
+  # module for logger handling
+  module Logger
+    class << self
+      # @param message [String]
+      # @param data [String]
+      # @param config [Castle::Configuration, Castle::SingletonConfiguration]
+      def call(message, data = nil, config = Castle.config)
+        logger = config.logger
+
+        return unless logger
+
+        logger.info("[CASTLE] #{message} #{data}".strip)
+      end
+    end
+  end
+end

data/lib/castle/payload/prepare.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module Castle
+  module Payload
+    # this prepare payload based on the request
+    module Prepare
+      class << self
+        # @param payload_options [Hash]
+        # @param request [Request]
+        # @param options [Hash] required for context preparation
+        # @return [Hash]
+        def call(payload_options, request, options = {})
+          context = Castle::Context::Prepare.call(request, payload_options.merge(options))
+
+          payload = Castle::Utils::DeepSymbolizeKeys.call(
+            payload_options || {}
+          ).merge(context: context)
+          payload[:timestamp] ||= Castle::Utils::GetTimestamp.call
+
+          warn '[DEPRECATION] use user_traits instead of traits key' if payload.key?(:traits)
+
+          payload
+        end
+      end
+    end
+  end
+end

data/lib/castle/secure_mode.rb

@@ -4,8 +4,12 @@ require 'openssl'
 
 module Castle
   module SecureMode
-    def self.signature(user_id)
-      OpenSSL::HMAC.hexdigest('sha256', Castle.config.api_secret, user_id.to_s)
+    class << self
+      # @param user_id [String]
+      # @param config [Castle::Configuration, Castle::SingletonConfiguration]
+      def signature(user_id, config = Castle.config)
+        OpenSSL::HMAC.hexdigest('sha256', config.api_secret, user_id.to_s)
+      end
     end
   end
 end

data/lib/castle/session.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module Castle
+  # this module uses the Connection object
+  # and provides start method for persistent connection usage
+  # when there is a need of sending multiple requests at once
+  module Session
+    HTTPS_SCHEME = 'https'
+
+    class << self
+      def call(&block)
+        return unless block_given?
+
+        Castle::Core::GetConnection.call.start(&block)
+      end
+    end
+  end
+end

data/lib/castle/singleton_configuration.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+require 'singleton'
+
+module Castle
+  class SingletonConfiguration < Configuration
+    include Singleton
+  end
+end