decidim-cdtb 0.1.7 → 0.1.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7ea237b7898bc194b0f63514d1f699d5cd1cf649ac7dd7433de19d9319541474
-  data.tar.gz: be9a6f3251d35022b933524b3227edac2186a1c338a4025f6d73eb5495633e61
+  metadata.gz: 75ef34f5e24554377da1d31d2d17912828f34931343aeea22a03a79baeeeee27
+  data.tar.gz: 843c0aba1905b12edaeccbeffc6d6d5361c0eae9bc460882686edc0bde34a70f
 SHA512:
-  metadata.gz: 3999c77a44817f3c0b3bc6b97663a47f3dade93f896958cdce06298bd9695d734cdd82859315607ecc3fcd990efd6e567e2e63d6e0141f5c3d256bc44d6b91ef
-  data.tar.gz: 513123ffe284a654f47666d8a0e355b29cb3dd011a30bab73cdef0348776f45cd44dab8c8c9f23f5e962fb5f00a5dc9acb9d68a70ced7b39335cfc225ce56839
+  metadata.gz: 8f3b10d8e6c9bd8abdbb576b1f2faf0fe29cd4e49c511d0fb2a99d21044b38ce7d31bd21d4bc7d880d6e6f88cf7fa72b3938913b0b31706680a81075513a26a6
+  data.tar.gz: b591f9d9902bee32151d4f54e7675666d7870bea37fdab308708c7a8d7c1d175666e44aafa0cbcd871c47845cf2eec147650fe13a5b0836499f2f6af630088d4

data/.rubocop.yml

@@ -32,7 +32,7 @@ Style/StringLiteralsInInterpolation:
   EnforcedStyle: double_quotes
 
 Layout/LineLength:
-  Max: 120
+  Max: 140
 
 Layout/SpaceAroundOperators:
   Enabled: false

data/CHANGELOG.md

@@ -1,5 +1,14 @@
 ## [Unreleased]
 
+## [0.1.9] - 2024-05-08 (Dona'm gelat o l'hem liat)
+
+- Include a versatile rack attack anti bots and crawlers.
+- Add rake task to analyse logs for abusing IPs.
+
+## [0.1.8] - 2024-04-24 (Sapastre i bonastre)
+
+- Fix spam users detector with deleted_at param and hide comments in remover users.
+
 ## [0.1.7] - 2024-04-22 (Emocions de colors)
 
 - Fix remove users task and add the reporter user mailer to arguments

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    decidim-cdtb (0.1.7)
+    decidim-cdtb (0.1.9)
       decidim (>= 0.26.2)
       rails (>= 6)
       ruby-progressbar
@@ -775,4 +775,4 @@ DEPENDENCIES
   sqlite3
 
 BUNDLED WITH
-   2.4.22
+   2.3.6

data/README.md

@@ -65,17 +65,35 @@ To migrate from S3 to local storage, the identified steps will be:
     `bin/rake cache:clear`
 5. Restart the Rails server
 
-### Detect spam
+### Spam & bots
 
-To detect spam in Decidim.
+Spam and bots are daily menaces in the current Internet. Decidim is not an exception, and is affected by both security concerns and performance.
+
+#### Bad bots and crawlers
+
+Decidim is already bundled with Rack::Attack but it lacks some features like IP banning or throttling by forwarded IP (useful when Decidim is behind a proxy). CDTB by default enables Rack::Attack with these features.
+
+Four ENV variables exist to configure its behaviour:
+
+- CDTB_RACK_ATTACK_DISABLED: Set to 1 to disable CDTB's Rack:Attack.
+- RACK_ATTACK_THROTTLE_LIMIT: The max. allowed number of requests during the period. Defaults to 30.
+- RACK_ATTACK_THROTTLE_PERIOD: The period in seconds. Defaults to 60.
+- RACK_ATTACK_BLOCKED_IPS: A comma separated list of blocked IPs or subnets (in the form 1.2.3.0/32).
+
+
+Available rake tasks to help analize crawlers:
+
+- `bin/rake cdtb:logs:num_rq_per_ip` Counts the number of requests for each IP in the logs. Accepts a logfile param, it must be in log/.
 
 #### Detect spam users
+
 Detects users susceptible of being spammers. It can run on all organizations or be scoped to a single organization by passing the organization ID as the rake task parameter.
 
 This rake task export a .csv with a list of all the searched users. A column indicates if each user is suspicious of being a spammer or not.
 The columns in the CSV are: "ID, "Is suspicious?", "Name", "Email", "Nickname", "Personal URL", "About"
 
 Examples:
+
 `bin/rake cdtb:spam:users[org_id]` --> find users in organization with an id.
 `bin/rake cdtb:spam:users` --> find all users in all organizations.
 

data/config/initializers/rack_attack.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+unless ENV["CDTB_RACK_ATTACK_DISABLED"].to_i.positive? || %w[development test].include?(Rails.env)
+  require "rack/attack"
+
+  limit= ENV["RACK_ATTACK_THROTTLE_LIMIT"] || 30
+  period= ENV["RACK_ATTACK_THROTTLE_PERIOD"] || 60
+  Rails.logger.info("Configuring Rack::Attack.throttle with limit: #{limit}, period: #{period}")
+  Rack::Attack.throttle("requests by (forwarded) ip", limit: limit.to_i, period: period.to_i) do |request|
+    # ignore requests to assets
+    next if request.path.start_with?("/rails/active_storage")
+
+    x_forwarded_for= request.get_header("HTTP_X_FORWARDED_FOR")
+    Rails.logger.info { ">>>>>>>>>>>>>>>>>>>> X-Forwarded-For: #{x_forwarded_for}" }
+    if x_forwarded_for.present?
+      ip= x_forwarded_for.split(":").first
+      ip
+    else
+      request.ip
+    end
+  end
+
+  if ENV["RACK_ATTACK_BLOCKED_IPS"].present?
+    ENV["RACK_ATTACK_BLOCKED_IPS"].split(",").each do |ip_or_subnet|
+      Rack::Attack.blocklist_ip(ip_or_subnet)
+    end
+  end
+end

data/lib/decidim/cdtb/spam/user_spam_detector.rb

@@ -21,10 +21,12 @@ module Decidim
         end
 
         def prepare_execution(_ctx)
+          base_query = Decidim::User.where(deleted_at: nil)
+
           @users = if @organization.present?
-                     Decidim::User.where(organization: @organization)
+                     base_query.where(organization: @organization)
                    else
-                     Decidim::User.all
+                     base_query
                    end
 
           @num_users = @users.count

data/lib/decidim/cdtb/users/remover.rb

@@ -5,6 +5,7 @@ module Decidim
     module Users
       # Remove Decidim::User's
       #
+      # rubocop:disable Metrics/ClassLength
       class Remover < ::Decidim::Cdtb::Task
         def initialize(csv_path, reporter_user_email)
           @csv_path = csv_path
@@ -44,6 +45,7 @@ module Decidim
         def manage_comments(comments, user, reporter_user)
           comments.find_each do |comment|
             report_comment(comment, user, reporter_user)
+            hide_comment(comment, user, reporter_user) unless comment.hidden?
           end
         end
 
@@ -111,6 +113,18 @@ module Decidim
           end
         end
 
+        def hide_comment(comment, user, reporter_user)
+          Admin::HideResource.call(comment, reporter_user) do
+            on(:ok) do
+              puts "OK: Comment #{comment.id} of User #{user.id} hided"
+            end
+
+            on(:invalid) do
+              puts "ERROR: Comment #{comment.id} of User #{user.id} not hided"
+            end
+          end
+        end
+
         def context_for_report(user, comment, reporter_user)
           {
             current_organization: user.organization,
@@ -120,6 +134,7 @@ module Decidim
           }
         end
       end
+      # rubocop:enable Metrics/ClassLength
     end
   end
 end

data/lib/decidim/cdtb/version.rb

@@ -2,7 +2,7 @@
 
 module Decidim
   module Cdtb
-    VERSION = "0.1.7"
+    VERSION = "0.1.9"
     DECIDIM_MIN_VERSION = ">= 0.26.2"
   end
 end

data/lib/tasks/census.rake

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+require "decidim/cdtb/tasks"
+
+namespace :cdtb do
+  namespace :verifications do
+    desc <<~EODESC
+      Lists the verifications handlers in the current Decidim application.
+    EODESC
+    task handlers: :environment do |_task, _args|
+      puts "Verification Handlers in this Decidim application:"
+      Decidim.authorization_handlers.each do |manifest|
+        attrs= if manifest.form.present?
+                 manifest.form.constantize.attribute_set.to_a.map(&:name).excluding(:id, :user, :handler_name).join(", ")
+               else
+                 "No form."
+               end
+        puts "- #{manifest.name}: (#{attrs})"
+      end
+    end
+
+    desc <<~EODESC
+            Returns the unique_id version of the given arguments for the given authorization handler.
+            Params:
+              - handler_name
+              - (optional) organization_id
+              - credential_1,  credential_2, ...: in the form "id_document:00000000T", "birthdate:24/03/1977".
+            For example:
+            `bin/rake cdtb:verifications:to_unique_id[file_authorization_handler,id_document:00000000T,birthdate:01/01/2000]
+      `
+    EODESC
+    task :to_unique_id, [:handler_name] => :environment do |_task, args|
+      puts "Resolving #{args.handler_name} form class"
+      handler= find_handler_by_name(args.handler_name)
+      puts "Found handler with form class: #{handler.class}"
+
+      fill_handler_args(handler, args)
+
+      puts "unique_id: #{handler.unique_id}"
+    end
+
+    def find_handler_by_name(handler_name)
+      handler_class= Decidim::Verifications.find_workflow_manifest(handler_name).form
+      handler_class.constantize.new
+    end
+
+    def fill_handler_args(handler, args)
+      arguments= args.to_a[1..]
+      current_organization= if !arguments.first.include?(":")
+                              Decidim::Organization.find(arguments.first)
+                            else
+                              Decidim::Organization.first
+                            end
+      handler.with_context(current_organization: current_organization)
+
+      credentials= arguments.map { |arg| arg.split(":") }
+      puts "Setting credentials: #{credentials}"
+      credentials.each do |attr, val|
+        handler.send("#{attr}=".to_sym, val)
+      end
+    end
+
+    desc <<~EODESC
+      Checks the given credentials against the specified verification handler. Params [handler_name,credential1,credential2,...]"
+    EODESC
+    task :census_check, [:handler_name] => :environment do |_task, args|
+      handler= find_handler_by_name(args.handler_name)
+      fill_handler_args(handler, args)
+      raise "This handler does not support Cdtb's verification_service" unless handler.respond_to?(:verification_service)
+
+      service= handler.verification_service
+      puts "Invoking #{service.class.name}..."
+      rs= service.send_request
+      puts "Response Ok?: #{service.rs_ok?}"
+      puts "RS: #{rs.body}"
+    end
+  end
+end

data/lib/tasks/logs.rake

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+namespace :cdtb do
+  namespace :logs do
+    desc "Analize logs in Rails format. Counts the number of requests for each IP in the logs. Accepts a logfile param, it must be in log/."
+    task :num_rq_per_ip, [:logfile] do |_task, args|
+      logfile= args.logfile || "development.log"
+
+      file_path= "log/#{logfile}"
+      first_cmd= "grep Started"
+      piped_cmds= [%(grep " for "), "cut -d ' ' -f13", "sort", "uniq -c", "sort"].join(" | ")
+      puts "Running: `#{first_cmd} #{file_path} | #{piped_cmds}`"
+      puts `#{first_cmd} #{file_path} | #{piped_cmds}`
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: decidim-cdtb
 version: !ruby/object:Gem::Version
-  version: 0.1.7
+  version: 0.1.9
 platform: ruby
 authors:
 - Oliver Valls
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2024-04-22 00:00:00.000000000 Z
+date: 2024-05-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: decidim
@@ -100,6 +100,7 @@ files:
 - Rakefile
 - app/jobs/application_job.rb
 - app/jobs/cdtb/fix_nickname_job.rb
+- config/initializers/rack_attack.rb
 - decidim-cdtb.gemspec
 - lib/decidim/cdtb.rb
 - lib/decidim/cdtb/engine.rb
@@ -120,6 +121,8 @@ files:
 - lib/generators/cdtb/templates/validate_migrations.yml
 - lib/generators/cdtb/validate_migrations_ci_generator.rb
 - lib/tasks/anonymize.rake
+- lib/tasks/census.rake
+- lib/tasks/logs.rake
 - lib/tasks/multitenants.rake
 - lib/tasks/spam.rake
 - lib/tasks/storage.rake