castle-rb 4.2.1 → 4.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 597a4ac18e086d61da2f12af123772abb29ed477693384a82d1da08118fe416b
-  data.tar.gz: 3478f6a1432422fddc390f94be0be3f8a3b56dedf4c24522bac07df9a9651218
+  metadata.gz: 0dd544ffa6fc2660fc67c058011df5b9d83a8078b48506ab611809166960f501
+  data.tar.gz: 1720630a7f1925ba1142208114198cf176a8a3fec5c04be480aa4d2384e03de2
 SHA512:
-  metadata.gz: 7487f023f013238558bd36f26fed0ae800b7d720b365870264dc15210a1020f14a97d9c99d019a9774d9884a23485df63482179fba78049f26f47907f2af329e
-  data.tar.gz: adedcf7725c0d586dae9e230294b424116163b065653c54de473a5685a8a9213762204a8678b7582fdff7a0fb809bf830fd726efe2239aa6bfbd3e917916ab0b
+  metadata.gz: 71320c8ff0a5dd2a137723efc76c5530449bdf4635eed38f4c5fcad8bcb9253c5b2557b9113071cd606528eb58d3d66921fa1a728e6ea123d65ab2173e71ad59
+  data.tar.gz: d2f57e05bd976a294385808757b148248f01b2319cd99e88277bc18e104d4a2fabbcd2d1aa55057d7fc5a12e4ab7e3ec66086502c74ba6d8e5f6b8e51acfba01

data/README.md

@@ -87,17 +87,33 @@ Castle.configure do |config|
   config.blacklisted = ['HTTP-X-header']
 
   # Castle needs the original IP of the client, not the IP of your proxy or load balancer.
-  # we try to fetch proper ip based on X-Forwarded-For or Remote-Addr headers in that order
-  # but sometimes proper ip may be stored in different header or order could be different.
-  # SDK can extract ip automatically for you, but you must configure which ip_headers you would like to use
+  # The SDK will only trust the proxy chain as defined in the configuration.
+  # We try to fetch the client IP based on X-Forwarded-For or Remote-Addr headers in that order,
+  # but sometimes the client IP may be stored in a different header or order.
+  # The SDK can be configured to look for the client IP address in headers that you specify.
+  # If the specified header or X-Forwarded-For default contains a proxy chain with public IP addresses,
+  # then one of the following must be set
+  # 1. The trusted_proxies value must match the known proxy IP's
+  # 2. The trusted_proxy_depth value must be set to the number of known trusted proxies in the chain (see below)
   configuration.ip_headers = []
 
   # Additionally to make X-Forwarded-For and other headers work better discovering client ip address,
   # and not the address of a reverse proxy server, you can define trusted proxies
   # which will help to fetch proper ip from those headers
+
+  # In order to extract the client IP of the X-Forwarded-For header
+  # and not the address of a reverse proxy server, you must define all trusted public proxies
+  # you can achieve this by listing all the proxies ip defined by string or regular expressions
+  # in trusted_proxies setting
   configuration.trusted_proxies = []
-  # *Note: proxies list can be provided as an array of regular expressions
-  # *Note: default always marked as trusty list is here: Castle::Configuration::TRUSTED_PROXIES
+  # or by providing number of trusted proxies used in the chain
+  configuration.trusted_proxy_depth = 0
+
+  # If there is no possibility to define options above and there is no other header which can have client ip
+  # then you may set trust_proxy_chain = true to trust all of the proxy IP's in X-Forwarded-For
+  configuration.trust_proxy_chain = false
+
+  # *Note: default list of proxies which is always marked as trusted: Castle::Configuration::TRUSTED_PROXIES
 end
 ```
 

data/lib/castle/configuration.rb

@@ -44,8 +44,9 @@ module Castle
       X-Castle-Client-Id
     ].freeze
 
-    attr_accessor :host, :port, :request_timeout, :url_prefix
-    attr_reader :api_secret, :whitelisted, :blacklisted, :failover_strategy, :ip_headers, :trusted_proxies
+    attr_accessor :host, :port, :request_timeout, :url_prefix, :trust_proxy_chain
+    attr_reader :api_secret, :whitelisted, :blacklisted, :failover_strategy, :ip_headers,
+                :trusted_proxies, :trusted_proxy_depth
 
     def initialize
       @formatter = Castle::HeadersFormatter
@@ -63,6 +64,8 @@ module Castle
       self.api_secret = ENV.fetch('CASTLE_API_SECRET', '')
       self.ip_headers = [].freeze
       self.trusted_proxies = [].freeze
+      self.trust_proxy_chain = false
+      self.trusted_proxy_depth = nil
     end
 
     def api_secret=(value)
@@ -86,13 +89,18 @@ module Castle
     end
 
     # sets trusted proxies
-    # @param value [Array<String|Regexp>]
+    # @param value [Array<String,Regexp>]
     def trusted_proxies=(value)
       raise Castle::ConfigurationError, 'trusted proxies must be an Array' unless value.is_a?(Array)
 
       @trusted_proxies = value
     end
 
+    # @param value [String,Number,NilClass]
+    def trusted_proxy_depth=(value)
+      @trusted_proxy_depth = value.to_i
+    end
+
     def valid?
       !api_secret.to_s.empty? && !host.to_s.empty? && !port.to_s.empty?
     end

data/lib/castle/extractors/ip.rb

@@ -6,6 +6,8 @@ module Castle
     class IP
       # ordered list of ip headers for ip extraction
       DEFAULT = %w[X-Forwarded-For Remote-Addr].freeze
+      # list of header which are used with proxy depth setting
+      DEPTH_RELATED = %w[X-Forwarded-For].freeze
 
       private_constant :DEFAULT
 
@@ -14,6 +16,8 @@ module Castle
         @headers = headers
         @ip_headers = Castle.config.ip_headers.empty? ? DEFAULT : Castle.config.ip_headers
         @proxies = Castle.config.trusted_proxies + Castle::Configuration::TRUSTED_PROXIES
+        @trust_proxy_chain = Castle.config.trust_proxy_chain
+        @trusted_proxy_depth = Castle.config.trusted_proxy_depth
       end
 
       # Order of headers:
@@ -26,13 +30,14 @@ module Castle
 
         @ip_headers.each do |ip_header|
           ips = ips_from(ip_header)
-          ip_value = remove_proxies(ips).last
+          ip_value = remove_proxies(ips)
+
           return ip_value if ip_value
 
           all_ips.push(*ips)
         end
 
-        # fallback to first whatever ip
+        # fallback to first listed ip
         all_ips.first
       end
 
@@ -41,7 +46,9 @@ module Castle
       # @param ips [Array<String>]
       # @return [Array<String>]
       def remove_proxies(ips)
-        ips.reject { |ip| proxy?(ip) }
+        return ips.first if @trust_proxy_chain
+
+        ips.reject { |ip| proxy?(ip) }.last
       end
 
       # @param ip [String]
@@ -57,7 +64,18 @@ module Castle
 
         return [] unless value
 
-        value.strip.split(/[,\s]+/)
+        ips = value.strip.split(/[,\s]+/)
+
+        limit_proxy_depth(ips, header)
+      end
+
+      # @param ips [Array<String>]
+      # @param ip_header [String]
+      # @return [Array<String>]
+      def limit_proxy_depth(ips, ip_header)
+        ips.pop(@trusted_proxy_depth) if DEPTH_RELATED.include?(ip_header)
+
+        ips
       end
     end
   end

data/lib/castle/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Castle
-  VERSION = '4.2.1'
+  VERSION = '4.3.0'
 end

data/spec/lib/castle/api/session_spec.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+describe Castle::API::Session do
+  describe '#get' do
+    it { expect(described_class.get).to eql(described_class.get) }
+    it { expect(described_class.get).to eql(described_class.instance.http) }
+  end
+
+  describe '#initialize' do
+    subject(:session) { described_class.get }
+
+    after do
+      described_class.instance.reset
+    end
+
+    context 'when ssl false' do
+      before do
+        Castle.config.host = 'localhost'
+        Castle.config.port = 3002
+        described_class.instance.reset
+      end
+
+      after do
+        Castle.config.host = Castle::Configuration::HOST
+        Castle.config.port = Castle::Configuration::PORT
+      end
+
+      it { expect(session).to be_instance_of(Net::HTTP) }
+      it { expect(session.address).to eq('localhost') }
+      it { expect(session.port).to eq(3002) }
+      it { expect(session.use_ssl?).to be false }
+      it { expect(session.verify_mode).to be_nil }
+    end
+
+    context 'when ssl true' do
+      before do
+        described_class.instance.reset
+      end
+
+      it { expect(session).to be_instance_of(Net::HTTP) }
+      it { expect(session.address).to eq(Castle.config.host) }
+      it { expect(session.port).to eq(Castle.config.port) }
+      it { expect(session.use_ssl?).to be true }
+      it { expect(session.verify_mode).to eq(OpenSSL::SSL::VERIFY_PEER) }
+    end
+  end
+end

data/spec/lib/castle/extractors/ip_spec.rb

@@ -44,7 +44,7 @@ describe Castle::Extractors::IP do
 
     context 'with all the trusted proxies' do
       let(:http_x_header) do
-        '127.0.0.1,10.0.0.1,172.31.0.1,192.168.0.1,::1,fd00::,localhost,unix,unix:/tmp/sock'
+        '127.0.0.1,10.0.0.1,172.31.0.1,192.168.0.1'
       end
 
       let(:headers) { { 'Remote-Addr' => '127.0.0.1', 'X-Forwarded-For' => http_x_header } }
@@ -54,6 +54,34 @@ describe Castle::Extractors::IP do
       end
     end
 
+    context 'with trust_proxy_chain option' do
+      let(:http_x_header) do
+        '6.6.6.6, 2.2.2.3, 6.6.6.5'
+      end
+
+      let(:headers) { { 'Remote-Addr' => '6.6.6.4', 'X-Forwarded-For' => http_x_header } }
+
+      before { Castle.config.trust_proxy_chain = true }
+
+      it 'selects first available header' do
+        expect(extractor.call).to eql('6.6.6.6')
+      end
+    end
+
+    context 'with trusted_proxy_depth option' do
+      let(:http_x_header) do
+        '6.6.6.6, 2.2.2.3, 6.6.6.5'
+      end
+
+      let(:headers) { { 'Remote-Addr' => '6.6.6.4', 'X-Forwarded-For' => http_x_header } }
+
+      before { Castle.config.trusted_proxy_depth = 1 }
+
+      it 'selects first available header' do
+        expect(extractor.call).to eql('2.2.2.3')
+      end
+    end
+
     context 'when list of not trusted ips provided in X_FORWARDED_FOR' do
       let(:headers) do
         {

data/spec/lib/castle/headers_filter_spec.rb

@@ -4,18 +4,19 @@ describe Castle::HeadersFilter do
   subject(:headers) { described_class.new(request).call }
 
   let(:env) do
-    Rack::MockRequest.env_for(
+    result = Rack::MockRequest.env_for(
       '/',
       'Action-Dispatch.request.content-Type' => 'application/json',
       'HTTP_AUTHORIZATION' => 'Basic 123456',
       'HTTP_COOKIE' => '__cid=abcd;other=efgh',
-      'http-ok' => 'OK',
       'HTTP_ACCEPT' => 'application/json',
       'HTTP_X_FORWARDED_FOR' => '1.2.3.4',
       'HTTP_USER_AGENT' => 'Mozilla 1234',
       'TEST' => '1',
       'REMOTE_ADDR' => '1.2.3.4'
     )
+    result[:HTTP_OK] = 'OK'
+    result
   end
   let(:filtered) do
     {

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: castle-rb
 version: !ruby/object:Gem::Version
-  version: 4.2.1
+  version: 4.3.0
 platform: ruby
 authors:
 - Johan Brissmyr
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-04-07 00:00:00.000000000 Z
+date: 2020-05-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: appraisal
@@ -75,6 +75,7 @@ files:
 - spec/integration/rails/support/home_controller.rb
 - spec/lib/castle/api/request_spec.rb
 - spec/lib/castle/api/response_spec.rb
+- spec/lib/castle/api/session_spec.rb
 - spec/lib/castle/api_spec.rb
 - spec/lib/castle/client_spec.rb
 - spec/lib/castle/command_spec.rb
@@ -123,7 +124,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.6
+rubygems_version: 3.1.3
 signing_key: 
 specification_version: 4
 summary: Castle
@@ -148,6 +149,7 @@ test_files:
 - spec/lib/castle/utils/merger_spec.rb
 - spec/lib/castle/command_spec.rb
 - spec/lib/castle/headers_formatter_spec.rb
+- spec/lib/castle/api/session_spec.rb
 - spec/lib/castle/api/request_spec.rb
 - spec/lib/castle/api/response_spec.rb
 - spec/lib/castle/commands/review_spec.rb