csp_report 0.3.0 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: ed867030fb43d8172decce4b81cebc84457f71ac
-  data.tar.gz: 984d3c43474832016053f1eb3897ce2b8aff975a
+  metadata.gz: 4c3df7be47bd57116be91c9f07e8abdd00e1d34a
+  data.tar.gz: 66ff93264d5f432ecd4b878a2fbd9ce0a29024bf
 SHA512:
-  metadata.gz: b7420708abd3a6e5766508f96c00cc5b8263396fd3ddfaa7336b529413e755589a11200c07dd8f8d690769a7bf0a9601dc40bea6d66a38928092a6aa8ef3161e
-  data.tar.gz: 27a94ad89c75a763a98af01e8fc4b3872594270713bb85cc0018a5dd3fe748035b6bcad35fd4e5d09d58475585925ceb73280c410012099345f2b4bd778a39e2
+  metadata.gz: 0ed72f415782aa6d14d49b9d3a64a416ae1eea4e4d9f15dd3dcafb0aca4a47d035ed1787e922a253e7e28c0e82acad7be78b4d9dca664ec2ca519f2bc699d361
+  data.tar.gz: 9805a4912c9111cebbc1a91e530ef4bd68b2edc05d08fb090eb1d651a5a8e6474f4ff297fd776a5fc75f753c7f1bd7e53f165a6cb02311598d0d864cd53a6228

data/CHANGELOG

@@ -1,3 +1,8 @@
+* From 0.4.0
+	- Follow the upgrade instruction to add the JS hook
+	- Adds charting capabilities for data visualization
+	- Adds styling from bootstrap and a common navigation pattern
+
 * From 0.3.0
 	- Developer additions (test coverage, Guard+Spork, ...)
 	- Mount point for the engine is now configurable as a parameter of the

data/README.md

@@ -18,11 +18,17 @@ page. However, elements have a class so you can add some CSS style before I
 
 I promise something cleaner when I'll get to v1.
 
+[Installation](#install) | [Upgrade](#upgrade-notes) | 
+[Configuration](#trying-it-out) | [Description](#what-is-csp)
+
 **Careful**: If migrating from 0.1.x, please follow 
 [these instructions](#upgrade-from-01x)
 
 **Careful**: If migrating from 0.2.x or below, you can follow 
-[these instructions](#upgrade-from-02x). This is not mandatory.
+[these instructions](#upgrade-from-02x-or-below). This is not mandatory.
+
+**Careful**: If migrating from 0.3.x or below, you can follow 
+[these instructions](#upgrade-from-03x-or-below). This is mandatory.
 
 What is CSP
 ===========
@@ -48,8 +54,29 @@ Features
 
 * Provides a *csp_report* resource that stores the reported violations.
 * Displays the violation for analysis
+* Keeps up-to-date with the CSP W3C RFC
 * Future: provide visualization aids on the report data
 
+Why using this gem
+==================
+
+CSP is yet another layer of protection, basically relying on the browser to do
+some level of control. This is a way to prevent some man in the middle attack 
+where someone intercepts the server response and try to change it. While not
+foolproof, it's a good additional security layer.
+
+This gem comes in handy for 2 reasons:
+* First, when activating CSP directives on your existing site, it is likely 
+that you'll have a hard
+time figuring out all the sources you are using. By recording all the breaches,
+ this gem allows you to setup a policy, run a crawler for example, and then 
+look at what is reported as breaches. It will help you getting rid of your 
+inline js and so on.
+* Second, in normal production mode, it'll help you monitor the situation and 
+see if your server has been victim of some injection (if some input is not 
+sanitize properly) or if your users are being attacked in some way (in which 
+case you might gather stats and maybe warn them in one way or another).
+
 Install
 =======
 
@@ -117,6 +144,26 @@ in one of your HTML rendered file and launch it in a browser. If the setup is
 correct and you browser supports CSP, the script will not play (no pop-up) and 
 you'll have one more record in the /csp/csp_reports list.
 
+Tuning the engine
+=================
+
+#### Overriding the engine's CSS
+
+The engine comes packages with some CSS so that the page do not look ugly.
+Since it is meant to be available for site admins or developers, the look&feel
+is a secondary concern. Still you might want to customize it for consistency
+with your site.
+This is easy to do. Indeed, all the classes used are namespaced with *csp-report*.
+To customize the CSS, just create the following file:
+*app/assets/stylesheets/csp_report/csp_report.css*
+
+Careful though, this is going to remove all the styles definition, so you'll
+have to redefine every single one of them.
+
+#### Changing the CSP rule per controller/action
+
+TODO - gbataille - Fill in this section
+
 Utilities
 =========
 
@@ -127,26 +174,6 @@ typically used in the response header construction.
 I could not get it to work as I wanted, in a view you can use *csp_report.routes.url_helpers*
 and it will give you access to all the engine URL helpers.
 
-Why using this gem
-==================
-
-CSP is yet another layer of protection, basically relying on the browser to do
-some level of control. This is a way to prevent some man in the middle attack 
-where someone intercepts the server response and try to change it. While not
-foolproof, it's a good additional security layer.
-
-This gem comes in handy for 2 reasons:
-* First, when activating CSP directives on your existing site, it is likely 
-that you'll have a hard
-time figuring out all the sources you are using. By recording all the breaches,
- this gem allows you to setup a policy, run a crawler for example, and then 
-look at what is reported as breaches. It will help you getting rid of your 
-inline js and so on.
-* Second, in normal production mode, it'll help you monitor the situation and 
-see if your server has been victim of some injection (if some input is not 
-sanitize properly) or if your users are being attacked in some way (in which 
-case you might gather stats and maybe warn them in one way or another).
-
 To come
 =======
 
@@ -154,8 +181,11 @@ To come
 * Support of CSP 1.1 draft spec
 * Eased data mining
 
+Upgrade notes
+=============
+
 Upgrade from 0.1.x
-==================
+------------------
 
 CAREFUL, 0.2.0 comes with DB changes. I won't do that in a minor after we are at
 v1, but for the moment, I thought it would not trouble too many people.
@@ -167,8 +197,8 @@ rake db:migrate
 ```
 before continuing
 
-Upgrade from 0.2.x
-==================
+Upgrade from 0.2.x or below
+---------------------------
 
 Version 0.3.0 comes with a configurable mount point and a couple of helpers that
 are accessible through the generators.
@@ -185,6 +215,16 @@ rails generate csp_report:mount [NAMESPACE]
 rails generate csp_report:initializer_install
 ```
 
+Upgrade from 0.3.x or below
+---------------------------
+
+Version 0.4.0 and above introduce a new javascript integration point to add the
+highchart library used to produce some visualization of the reporting data.
+The install generator would provide the additional hook. Rather than re-running
+the entire install (not tested), you can either
+* run the `csp_report:highcharts_include` generator
+* or add the `//= require csp_report` in your application.js file.
+
 License
 =======
 

data/app/assets/javascripts/csp_report.js

@@ -0,0 +1,2 @@
+//= require highcharts/highcharts
+//= require highcharts/highcharts-more

data/app/assets/javascripts/csp_report/application.js

@@ -10,4 +10,5 @@
 // Read Sprockets README (https://github.com/sstephenson/sprockets#sprockets-directives) for details
 // about supported directives.
 //
+//= require twitter/bootstrap
 //= require_tree .

data/app/assets/javascripts/csp_report/report.js.coffee

@@ -0,0 +1,4 @@
+$(document).ready(() ->
+  data = $.parseJSON( $("#chart")[0].attributes["data-chart"].value )
+  window.chart = new Highcharts.Chart(data)
+)

data/app/assets/stylesheets/csp_report/bootstrap_and_overrides.css

@@ -0,0 +1,7 @@
+/*
+  =require twitter-bootstrap-static/bootstrap
+
+  Use Font Awesome icons (default)
+  To use Glyphicons sprites instead of Font Awesome, replace with "require twitter-bootstrap-static/sprites"
+  =require twitter-bootstrap-static/fontawesome
+  */

data/app/assets/stylesheets/csp_report/csp_report.css.sass

@@ -1,15 +1,19 @@
-.csp-report.report-table
-  border-style: solid
-  border-color: #0000AA
-  border-width: 5px
-  border-collapse: collapse
-
-.csp-report.report-cell
-  padding: 5px
-  border-style: solid
-  border-width: 2px
-
-.csp-report.report-header
-  padding: 5px
-  border-style: solid
-  border-width: 3px
+//= require csp_report/bootstrap_and_overrides
+
+.csp-report.row
+  // You can override the bootstrap scoffolding here
+
+.csp-report.offset3
+  // You can override the bootstrap scoffolding here
+
+.csp-report.span6
+  // You can override the bootstrap scoffolding here
+
+// .csp-report.report-table
+// 
+// .csp-report.report-cell
+// 
+// .csp-report.report-header
+// 
+.csp-report.padding-navbar
+  padding-top: 45px

data/app/controllers/csp_report/csp_reports_controller.rb

@@ -31,4 +31,139 @@ class CspReport::CspReportsController < ApplicationController
     CspReport::CspReport.delete_all
     redirect_to csp_reports_path
   end
+
+  def report_by_ip
+    @report_by_ip = CspReport::CspReport.select(
+      "incoming_ip, count(*) as count").group("incoming_ip")
+
+    data = []
+    for report in @report_by_ip
+      data.push [report.incoming_ip, report.count]
+    end
+
+    @chart = {
+      chart: {
+        :defaultSeriesType=>"pie" ,
+        :margin=> [50, 200, 60, 170]
+      },
+      series: [{
+        :type=> 'pie',
+        :name=> 'Violations by client IP',
+        :data=> data
+      }],
+      title: {text:  "By IP"},
+      legend: {
+        :layout=> 'vertical',
+        :style=> {
+          :left=> 'auto',
+          :bottom=> 'auto',
+          :right=> '50px',
+          :top=> '100px'
+        }
+      },
+      plotOptions: {
+        :pie=>{
+          :allowPointSelect=>true,
+          :cursor=>"pointer" ,
+          :dataLabels=>{
+            :enabled=>true,
+            :color=>"black",
+            :style=>{
+              :font=>"13px Trebuchet MS, Verdana, sans-serif"
+            }
+          }
+        }
+      }
+    }
+  end
+
+  def report_by_rule
+    @report_by_rule = CspReport::CspReport.select(
+      "violated_directive, count(*) as count").group("violated_directive")
+
+    data = []
+    for report in @report_by_rule
+      data.push [report.violated_directive, report.count]
+    end
+
+    @chart = {
+      chart: {
+        :defaultSeriesType=>"pie" ,
+        :margin=> [50, 200, 60, 170]
+      },
+      series: [{
+        :type=> 'pie',
+        :name=> 'Violations by violated policy',
+        :data=> data
+      }],
+      title: {text:  "By rule"},
+      legend: {
+        :layout=> 'vertical',
+        :style=> {
+          :left=> 'auto',
+          :bottom=> 'auto',
+          :right=> '50px',
+          :top=> '100px'
+        }
+      },
+      plotOptions: {
+        :pie=>{
+          :allowPointSelect=>true,
+          :cursor=>"pointer" ,
+          :dataLabels=>{
+            :enabled=>true,
+            :color=>"black",
+            :style=>{
+              :font=>"13px Trebuchet MS, Verdana, sans-serif"
+            }
+          }
+        }
+      }
+    }
+  end
+
+  def report_by_source
+    @report_by_source = CspReport::CspReport.select(
+      "document_uri, count(*) as count").group("document_uri")
+
+    data = []
+    for report in @report_by_source
+      data.push [report.document_uri, report.count]
+    end
+
+    @chart = {
+      chart: {
+        :defaultSeriesType=>"pie" ,
+        :margin=> [50, 200, 60, 170]
+      },
+      series: [{
+        :type=> 'pie',
+        :name=> 'Violations by source document URI',
+        :data=> data
+      }],
+      title: {text:  "By source"},
+      legend: {
+        :layout=> 'vertical',
+        :style=> {
+          :left=> 'auto',
+          :bottom=> 'auto',
+          :right=> '50px',
+          :top=> '100px'
+        }
+      },
+      plotOptions: {
+        :pie=>{
+          :allowPointSelect=>true,
+          :cursor=>"pointer" ,
+          :dataLabels=>{
+            :enabled=>true,
+            :color=>"black",
+            :style=>{
+              :font=>"13px Trebuchet MS, Verdana, sans-serif"
+            }
+          }
+        }
+      }
+    }
+  end
 end

data/app/helpers/csp_report/headers_helpers.rb

@@ -0,0 +1,32 @@
+module CspReport
+  module HeadersHelper
+    def add_navigation_header
+  <<-CONTENT
+  <div class='csp-report row'>
+    <div class='csp-report navbar navbar-fixed-top'>
+      <div class='csp-report navbar-inner'>
+        <div class='csp-report container'>
+          <a class='brand' href="#">CSP Reports</a>
+          <ul class='nav'>
+            <li class='active'>
+              <a href=#{csp_reports_path}>Violations</a>
+            </li>
+            <li class='divider-vertical'/>
+            <li>
+              <a href=#{csp_reports_report_by_ip_path}>By IP</a>
+            </li>
+            <li>
+              <a href=#{csp_reports_report_by_rule_path}>By Violated Directive</a>
+            </li>
+            <li>
+              <a href=#{csp_reports_report_by_source_path}>By Source Document URI</a>
+            </li>
+          </ul>
+        </div>
+      </div>
+    </div>
+  </div>
+  CONTENT
+    end
+  end
+end

data/app/views/csp_report/csp_reports/index.html.haml

@@ -1,38 +1,63 @@
 =stylesheet_link_tag "csp_report/csp_report.css"
 
-%table.csp-report.report-table
-  %tr.csp-report.report-row
-    %th.csp-report.report-header
-      ID
-    %th.csp-report.report-header
-      Document URI
-    %th.csp-report.report-header
-      Referrer
-    %th.csp-report.report-header
-      Server Policy
-    %th.csp-report.report-header
-      Violated Directive
-    %th.csp-report.report-header
-      Blocked URI
-    %th.csp-report.report-header
-      Incoming IP
-    %th.csp-report.report-header
-      Reported At
-    %th.csp-report.report-header
-      Actions
-  - @reports.each do |report|
-    %tr.csp-report.report-row
-      %td.csp-report.report-cell=report.id
-      %td.csp-report.report-cell=report.document_uri
-      %td.csp-report.report-cell=report.referrer
-      %td.csp-report.report-cell=report.original_policy
-      %td.csp-report.report-cell=report.violated_directive
-      %td.csp-report.report-cell=report.blocked_uri
-      %td.csp-report.report-cell=report.incoming_ip
-      %td.csp-report.report-cell=report.created_at
-      %td.csp-report.report-cell
-        =link_to('Delete violation', csp_report_path(report.id), method: 'delete')
+-# TODO: gbataille - Factorize this in a layout
+.csp-report.row
+  .csp-report.navbar.navbar-fixed-top
+    .csp-report.navbar-inner
+      .csp-report.container
+        %a.brand{href: "#"}
+          CSP Reports
+        %ul.nav
+          %li.active
+            =link_to "Violations", csp_reports_path
+          %li.divider-vertical
+          %li
+            =link_to "By IP", csp_reports_report_by_ip_path
+          %li
+            =link_to "By Violated Directive", csp_reports_report_by_rule_path
+          %li
+            =link_to "By Source Document URI", csp_reports_report_by_source_path
 
-%p
-  =link_to "Delete All", csp_reports_destroy_all_path, 
-    data: {confirm: "Are you sure you want to delete all the violation reports?"}
+.csp-report.row.padding-navbar
+  .csp-report.offset2.span8
+    %table.csp-report.report-table.table.table-striped.table-condensed
+      %thead
+        %tr.csp-report.report-row
+          %th.csp-report.report-header
+            ID
+          %th.csp-report.report-header
+            Document URI
+          %th.csp-report.report-header
+            Referrer
+          %th.csp-report.report-header
+            Server Policy
+          %th.csp-report.report-header
+            Violated Directive
+          %th.csp-report.report-header
+            Blocked URI
+          %th.csp-report.report-header
+            Incoming IP
+          %th.csp-report.report-header
+            Reported At
+          %th.csp-report.report-header
+            Actions
+      %tbody
+      - @reports.each do |report|
+        %tr.csp-report.report-row
+          %td.csp-report.report-cell=report.id
+          %td.csp-report.report-cell=report.document_uri
+          %td.csp-report.report-cell=report.referrer
+          %td.csp-report.report-cell=report.original_policy
+          %td.csp-report.report-cell=report.violated_directive
+          %td.csp-report.report-cell=report.blocked_uri
+          %td.csp-report.report-cell=report.incoming_ip
+          %td.csp-report.report-cell=report.created_at
+          %td.csp-report.report-cell
+            =link_to('Delete violation', csp_report_path(report.id), method: 'delete')
+
+.csp-report.row
+  .csp-report.offset2.span8
+
+    %p.csp-report.btn.btn-danger
+      =link_to "Delete All", csp_reports_destroy_all_path, 
+        data: {confirm: "Are you sure you want to delete all the violation reports?"}