castle-rb 4.2.1 → 7.0.0

data/lib/castle/context/{merger.rb → merge.rb}

@@ -2,11 +2,11 @@
 
 module Castle
   module Context
-    class Merger
+    class Merge
       class << self
         def call(initial_context, request_context)
-          main_context = Castle::Utils::Cloner.call(initial_context)
-          Castle::Utils::Merger.call(main_context, request_context || {})
+          main_context = Castle::Utils::Clone.call(initial_context)
+          Castle::Utils::Merge.call(main_context, request_context || {})
         end
       end
     end

data/lib/castle/context/prepare.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module Castle
+  module Context
+    # prepares the context from the request
+    module Prepare
+      class << self
+        # @param request [Request]
+        # @param options [Hash]
+        # @return [Hash]
+        def call(request, options = {})
+          default_context = Castle::Context::GetDefault.new(request, options[:cookies]).call
+          Castle::Context::Merge.call(default_context, options[:context])
+        end
+      end
+    end
+  end
+end

data/lib/castle/context/{sanitizer.rb → sanitize.rb}

@@ -3,7 +3,7 @@
 module Castle
   module Context
     # removes not proper active flag values
-    class Sanitizer
+    class Sanitize
       class << self
         def call(context)
           sanitized_active_mode(context) || {}

data/lib/castle/core/get_connection.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module Castle
+  module Core
+    # this module returns a new configured Net::HTTP object
+    module GetConnection
+      HTTPS_SCHEME = 'https'
+
+      class << self
+        # @param config [Castle::Configuration, Castle::SingletonConfiguration]
+        # @return [Net::HTTP]
+        def call(config = nil)
+          config ||= Castle.config
+          http = Net::HTTP.new(config.base_url.host, config.base_url.port)
+          http.read_timeout = config.request_timeout / 1000.0
+
+          if config.base_url.scheme == HTTPS_SCHEME
+            http.use_ssl = true
+            http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+          end
+
+          http
+        end
+      end
+    end
+  end
+end

data/lib/castle/{api/response.rb → core/process_response.rb}

@@ -1,9 +1,9 @@
 # frozen_string_literal: true
 
 module Castle
-  module API
+  module Core
     # parses api response
-    module Response
+    module ProcessResponse
       RESPONSE_ERRORS = {
         400 => Castle::BadRequestError,
         401 => Castle::UnauthorizedError,
@@ -14,9 +14,14 @@ module Castle
       }.freeze
 
       class << self
-        def call(response)
+        # @param response [Response]
+        # @param config [Castle::Configuration, Castle::SingletonConfiguration, nil]
+        # @return [Hash]
+        def call(response, config = nil)
           verify!(response)
 
+          Castle::Logger.call('response:', response.body.to_s, config)
+
           return {} if response.body.nil? || response.body.empty?
 
           begin

data/lib/castle/core/process_webhook.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module Castle
+  module Core
+    # Parses a webhook
+    module ProcessWebhook
+      class << self
+        # Checks if webhook is valid
+        # @param webhook [Request]
+        # @param config [Castle::Configuration, Castle::SingletonConfiguration, nil]
+        # @return [String]
+        def call(webhook, config = nil)
+          webhook
+            .body
+            .read
+            .tap do |result|
+              raise Castle::ApiError, 'Invalid webhook from Castle API' if result.blank?
+
+              Castle::Logger.call('webhook:', result.to_s, config)
+            end
+        end
+      end
+    end
+  end
+end

data/lib/castle/core/send_request.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+module Castle
+  module Core
+    # this class is responsible for making requests to api
+    module SendRequest
+      # Default headers that we add to passed ones
+      DEFAULT_HEADERS = { 'Content-Type' => 'application/json' }.freeze
+
+      private_constant :DEFAULT_HEADERS
+
+      class << self
+        # @param command [String]
+        # @param headers [Hash]
+        # @param http [Net::HTTP]
+        # @param config [Castle::Configuration, Castle::SingletonConfiguration, nil]
+        def call(command, headers, http = nil, config = nil)
+          (http || Castle::Core::GetConnection.call).request(
+            build(command, headers.merge(DEFAULT_HEADERS), config)
+          )
+        end
+
+        # @param command [String]
+        # @param headers [Hash]
+        # @param config [Castle::Configuration, Castle::SingletonConfiguration, nil]
+        def build(command, headers, config)
+          url = "#{config.base_url.path}/#{command.path}"
+          request_obj = Net::HTTP.const_get(command.method.to_s.capitalize).new(url, headers)
+
+          unless command.method == :get
+            request_obj.body = ::Castle::Utils::CleanInvalidChars.call(command.data).to_json
+          end
+
+          Castle::Logger.call("#{url}:", request_obj.body, config)
+
+          request_obj.basic_auth('', config.api_secret)
+          request_obj
+        end
+      end
+    end
+  end
+end

data/lib/castle/errors.rb

@@ -2,7 +2,9 @@
 
 module Castle
   # general error
-  class Error < RuntimeError; end
+  class Error < RuntimeError
+  end
+
   # Raised when anything is wrong with the request (any unhappy path)
   # This error indicates that either we would wait too long for a response or something
   # else happened somewhere in the middle and we weren't able to get the results
@@ -14,28 +16,52 @@ module Castle
       @reason = reason
     end
   end
+
   # security error
-  class SecurityError < Castle::Error; end
+  class SecurityError < Castle::Error
+  end
+
   # wrong configuration error
-  class ConfigurationError < Castle::Error; end
+  class ConfigurationError < Castle::Error
+  end
+
   # error returned by api
-  class ApiError < Castle::Error; end
+  class ApiError < Castle::Error
+  end
+
+  # webhook signature verification error
+  class WebhookVerificationError < Castle::Error
+  end
 
   # api error bad request 400
-  class BadRequestError < Castle::ApiError; end
+  class BadRequestError < Castle::ApiError
+  end
+
   # api error forbidden 403
-  class ForbiddenError < Castle::ApiError; end
+  class ForbiddenError < Castle::ApiError
+  end
+
   # api error not found 404
-  class NotFoundError < Castle::ApiError; end
+  class NotFoundError < Castle::ApiError
+  end
+
   # api error user unauthorized 419
-  class UserUnauthorizedError < Castle::ApiError; end
+  class UserUnauthorizedError < Castle::ApiError
+  end
+
   # api error invalid param 422
-  class InvalidParametersError < Castle::ApiError; end
+  class InvalidParametersError < Castle::ApiError
+  end
+
   # api error unauthorized 401
-  class UnauthorizedError < Castle::ApiError; end
+  class UnauthorizedError < Castle::ApiError
+  end
+
   # all internal server errors
-  class InternalServerError < Castle::ApiError; end
+  class InternalServerError < Castle::ApiError
+  end
 
   # impersonation command failed
-  class ImpersonationFailed < Castle::ApiError; end
+  class ImpersonationFailed < Castle::ApiError
+  end
 end

data/lib/castle/failover/prepare_response.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module Castle
+  module Failover
+    # generate failover authentication response
+    class PrepareResponse
+      def initialize(user_id, reason:, strategy:)
+        @strategy = strategy
+        @reason = reason
+        @user_id = user_id
+      end
+
+      def call
+        { action: @strategy.to_s, user_id: @user_id, failover: true, failover_reason: @reason }
+      end
+    end
+  end
+end

data/lib/castle/failover/strategy.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Castle
+  module Failover
+    # handles failover strategy consts
+    module Strategy
+      # allow
+      ALLOW = :allow
+
+      # deny
+      DENY = :deny
+
+      # challenge
+      CHALLENGE = :challenge
+
+      # throw an error
+      THROW = :throw
+    end
+
+    # list of possible strategies
+    STRATEGIES = %i[allow deny challenge throw].freeze
+  end
+end

data/lib/castle/headers/extract.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+module Castle
+  module Headers
+    # used for extraction of cookies and headers from the request
+    class Extract
+      # Headers that we will never scrub, even if they land on the configuration denylist.
+      ALWAYS_ALLOWLISTED = %w[User-Agent].freeze
+
+      # Headers that will always be scrubbed, even if allowlisted.
+      ALWAYS_DENYLISTED = %w[Cookie Authorization].freeze
+
+      private_constant :ALWAYS_ALLOWLISTED, :ALWAYS_DENYLISTED
+
+      # @param headers [Hash]
+      # @param config [Castle::Configuration, Castle::SingletonConfiguration, nil]
+      def initialize(headers, config = nil)
+        @headers = headers
+        @config = config || Castle.config
+        @no_allowlist = @config.allowlisted.empty?
+      end
+
+      # Serialize HTTP headers
+      # @return [Hash]
+      def call
+        @headers.each_with_object({}) do |(name, value), acc|
+          acc[name] = header_value(name, value)
+        end
+      end
+
+      private
+
+      # scrub header value
+      # @param name [String]
+      # @param value [String]
+      # @return [TrueClass | FalseClass | String]
+      def header_value(name, value)
+        return true if ALWAYS_DENYLISTED.include?(name)
+        return value if ALWAYS_ALLOWLISTED.include?(name)
+        return true if @config.denylisted.include?(name)
+        return value if @no_allowlist || @config.allowlisted.include?(name)
+
+        true
+      end
+    end
+  end
+end

data/lib/castle/headers/filter.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module Castle
+  module Headers
+    # used for preparing valuable headers list
+    class Filter
+      # headers filter
+      # HTTP_ - this is how Rack prefixes incoming HTTP headers
+      # CONTENT_LENGTH - for responses without Content-Length or Transfer-Encoding header
+      # REMOTE_ADDR - ip address header returned by web server
+      VALUABLE_HEADERS = /^
+      HTTP(?:_|-).*|
+        CONTENT(?:_|-)LENGTH|
+      REMOTE(?:_|-)ADDR
+      $/xi
+        .freeze
+
+      private_constant :VALUABLE_HEADERS
+
+      # @param request [Rack::Request]
+      def initialize(request)
+        @request_env = request.env
+        @header_format = Castle::Headers::Format
+      end
+
+      # Serialize HTTP headers
+      # @return [Hash]
+      def call
+        @request_env
+          .keys
+          .each_with_object({}) do |header_name, acc|
+            next unless header_name.match(VALUABLE_HEADERS)
+
+            formatted_name = @header_format.call(header_name)
+            acc[formatted_name] = @request_env[header_name]
+          end
+      end
+    end
+  end
+end

data/lib/castle/headers/format.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module Castle
+  module Headers
+    # formats header name
+    class Format
+      class << self
+        # @param header [String]
+        # @return [String]
+        def call(header)
+          format(header.to_s.gsub(/^HTTP(?:_|-)/i, ''))
+        end
+
+        private
+
+        # @param header [String]
+        # @return [String]
+        def format(header)
+          header.split(/_|-/).map(&:capitalize).join('-')
+        end
+      end
+    end
+  end
+end

data/lib/castle/{extractors/ip.rb → ips/extract.rb}

@@ -1,19 +1,27 @@
 # frozen_string_literal: true
 
 module Castle
-  module Extractors
+  # IPs-related module
+  module IPs
     # used for extraction of ip from the request
-    class IP
+    class Extract
       # ordered list of ip headers for ip extraction
       DEFAULT = %w[X-Forwarded-For Remote-Addr].freeze
 
+      # list of header which are used with proxy depth setting
+      DEPTH_RELATED = %w[X-Forwarded-For].freeze
+
       private_constant :DEFAULT
 
       # @param headers [Hash]
-      def initialize(headers)
+      # @param config [Castle::Configuration, Castle::SingletonConfiguration, nil]
+      def initialize(headers, config = nil)
+        config ||= Castle.config
         @headers = headers
-        @ip_headers = Castle.config.ip_headers.empty? ? DEFAULT : Castle.config.ip_headers
-        @proxies = Castle.config.trusted_proxies + Castle::Configuration::TRUSTED_PROXIES
+        @ip_headers = config.ip_headers.empty? ? DEFAULT : config.ip_headers
+        @proxies = config.trusted_proxies + Castle::Configuration::TRUSTED_PROXIES
+        @trust_proxy_chain = config.trust_proxy_chain
+        @trusted_proxy_depth = config.trusted_proxy_depth
       end
 
       # Order of headers:
@@ -26,13 +34,14 @@ module Castle
 
         @ip_headers.each do |ip_header|
           ips = ips_from(ip_header)
-          ip_value = remove_proxies(ips).last
+          ip_value = remove_proxies(ips)
+
           return ip_value if ip_value
 
           all_ips.push(*ips)
         end
 
-        # fallback to first whatever ip
+        # fallback to first listed ip
         all_ips.first
       end
 
@@ -41,7 +50,9 @@ module Castle
       # @param ips [Array<String>]
       # @return [Array<String>]
       def remove_proxies(ips)
-        ips.reject { |ip| proxy?(ip) }
+        return ips.first if @trust_proxy_chain
+
+        ips.reject { |ip| proxy?(ip) }.last
       end
 
       # @param ip [String]
@@ -57,7 +68,18 @@ module Castle
 
         return [] unless value
 
-        value.strip.split(/[,\s]+/)
+        ips = value.strip.split(/[,\s]+/)
+
+        limit_proxy_depth(ips, header)
+      end
+
+      # @param ips [Array<String>]
+      # @param ip_header [String]
+      # @return [Array<String>]
+      def limit_proxy_depth(ips, ip_header)
+        ips.pop(@trusted_proxy_depth) if DEPTH_RELATED.include?(ip_header)
+
+        ips
       end
     end
   end