RubyGems - decidim-cdtb - Versions diffs - 0.1.8 → 0.1.9 - Mend

decidim-cdtb 0.1.8 → 0.1.9

Files changed (10) hide show

checksums.yaml +4 -4
data/.rubocop.yml +1 -1
data/CHANGELOG.md +5 -0
data/Gemfile.lock +2 -2
data/README.md +20 -2
data/config/initializers/rack_attack.rb +28 -0
data/lib/decidim/cdtb/version.rb +1 -1
data/lib/tasks/census.rake +78 -0
data/lib/tasks/logs.rake +16 -0
metadata +5 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7d7f9bf148f8840d5c1a477beeaff15fc28202a1ed2ec1362f7d4ce877a7b7ba
-  data.tar.gz: f24fc484d095684afffeacb808370927bbf4d7653da349cf8c036ecbad1c2f62
+  metadata.gz: 75ef34f5e24554377da1d31d2d17912828f34931343aeea22a03a79baeeeee27
+  data.tar.gz: 843c0aba1905b12edaeccbeffc6d6d5361c0eae9bc460882686edc0bde34a70f
 SHA512:
-  metadata.gz: afdcf2aaf7ec1b44c41035d6953c9fc2c1b5d025f4e4f0632e2dc8f54d61a16da866b3060a6d77c2ad0d6e86aa432815e202123a705a48492fcd93bc487698a1
-  data.tar.gz: 00141eb4d4e782c16ef0f6f17e1a7be55e029f6ec1d29e6c957a4cedd5c4f7dead2f5ba96491b447955f41f5fdf9e69aa83ce6f4d6119735b9d5adc91b6c8afa
+  metadata.gz: 8f3b10d8e6c9bd8abdbb576b1f2faf0fe29cd4e49c511d0fb2a99d21044b38ce7d31bd21d4bc7d880d6e6f88cf7fa72b3938913b0b31706680a81075513a26a6
+  data.tar.gz: b591f9d9902bee32151d4f54e7675666d7870bea37fdab308708c7a8d7c1d175666e44aafa0cbcd871c47845cf2eec147650fe13a5b0836499f2f6af630088d4

data/.rubocop.yml CHANGED Viewed

@@ -32,7 +32,7 @@ Style/StringLiteralsInInterpolation:
   EnforcedStyle: double_quotes
 Layout/LineLength:
-  Max: 120
+  Max: 140
 Layout/SpaceAroundOperators:
   Enabled: false

data/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,10 @@
 ## [Unreleased]
+## [0.1.9] - 2024-05-08 (Dona'm gelat o l'hem liat)
+- Include a versatile rack attack anti bots and crawlers.
+- Add rake task to analyse logs for abusing IPs.
 ## [0.1.8] - 2024-04-24 (Sapastre i bonastre)
 - Fix spam users detector with deleted_at param and hide comments in remover users.

data/Gemfile.lock CHANGED Viewed

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    decidim-cdtb (0.1.8)
+    decidim-cdtb (0.1.9)
       decidim (>= 0.26.2)
       rails (>= 6)
       ruby-progressbar
@@ -775,4 +775,4 @@ DEPENDENCIES
   sqlite3
 BUNDLED WITH
-   2.4.22
+   2.3.6

data/README.md CHANGED Viewed

@@ -65,17 +65,35 @@ To migrate from S3 to local storage, the identified steps will be:
     `bin/rake cache:clear`
 5. Restart the Rails server
-### Detect spam
+### Spam & bots
-To detect spam in Decidim.
+Spam and bots are daily menaces in the current Internet. Decidim is not an exception, and is affected by both security concerns and performance.
+#### Bad bots and crawlers
+Decidim is already bundled with Rack::Attack but it lacks some features like IP banning or throttling by forwarded IP (useful when Decidim is behind a proxy). CDTB by default enables Rack::Attack with these features.
+Four ENV variables exist to configure its behaviour:
+- CDTB_RACK_ATTACK_DISABLED: Set to 1 to disable CDTB's Rack:Attack.
+- RACK_ATTACK_THROTTLE_LIMIT: The max. allowed number of requests during the period. Defaults to 30.
+- RACK_ATTACK_THROTTLE_PERIOD: The period in seconds. Defaults to 60.
+- RACK_ATTACK_BLOCKED_IPS: A comma separated list of blocked IPs or subnets (in the form 1.2.3.0/32).
+Available rake tasks to help analize crawlers:
+- `bin/rake cdtb:logs:num_rq_per_ip` Counts the number of requests for each IP in the logs. Accepts a logfile param, it must be in log/.
 #### Detect spam users
 Detects users susceptible of being spammers. It can run on all organizations or be scoped to a single organization by passing the organization ID as the rake task parameter.
 This rake task export a .csv with a list of all the searched users. A column indicates if each user is suspicious of being a spammer or not.
 The columns in the CSV are: "ID, "Is suspicious?", "Name", "Email", "Nickname", "Personal URL", "About"
 Examples:
 `bin/rake cdtb:spam:users[org_id]` --> find users in organization with an id.
 `bin/rake cdtb:spam:users` --> find all users in all organizations.

data/config/initializers/rack_attack.rb ADDED Viewed

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+unless ENV["CDTB_RACK_ATTACK_DISABLED"].to_i.positive? || %w[development test].include?(Rails.env)
+  require "rack/attack"
+  limit= ENV["RACK_ATTACK_THROTTLE_LIMIT"] || 30
+  period= ENV["RACK_ATTACK_THROTTLE_PERIOD"] || 60
+  Rails.logger.info("Configuring Rack::Attack.throttle with limit: #{limit}, period: #{period}")
+  Rack::Attack.throttle("requests by (forwarded) ip", limit: limit.to_i, period: period.to_i) do |request|
+    # ignore requests to assets
+    next if request.path.start_with?("/rails/active_storage")
+    x_forwarded_for= request.get_header("HTTP_X_FORWARDED_FOR")
+    Rails.logger.info { ">>>>>>>>>>>>>>>>>>>> X-Forwarded-For: #{x_forwarded_for}" }
+    if x_forwarded_for.present?
+      ip= x_forwarded_for.split(":").first
+      ip
+    else
+      request.ip
+    end
+  end
+  if ENV["RACK_ATTACK_BLOCKED_IPS"].present?
+    ENV["RACK_ATTACK_BLOCKED_IPS"].split(",").each do |ip_or_subnet|
+      Rack::Attack.blocklist_ip(ip_or_subnet)
+    end
+  end
+end

data/lib/decidim/cdtb/version.rb CHANGED Viewed

@@ -2,7 +2,7 @@
 module Decidim
   module Cdtb
-    VERSION = "0.1.8"
+    VERSION = "0.1.9"
     DECIDIM_MIN_VERSION = ">= 0.26.2"
   end
 end

data/lib/tasks/census.rake ADDED Viewed

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+require "decidim/cdtb/tasks"
+namespace :cdtb do
+  namespace :verifications do
+    desc <<~EODESC
+      Lists the verifications handlers in the current Decidim application.
+    EODESC
+    task handlers: :environment do |_task, _args|
+      puts "Verification Handlers in this Decidim application:"
+      Decidim.authorization_handlers.each do |manifest|
+        attrs= if manifest.form.present?
+                 manifest.form.constantize.attribute_set.to_a.map(&:name).excluding(:id, :user, :handler_name).join(", ")
+               else
+                 "No form."
+               end
+        puts "- #{manifest.name}: (#{attrs})"
+      end
+    end
+    desc <<~EODESC
+            Returns the unique_id version of the given arguments for the given authorization handler.
+            Params:
+              - handler_name
+              - (optional) organization_id
+              - credential_1,  credential_2, ...: in the form "id_document:00000000T", "birthdate:24/03/1977".
+            For example:
+            `bin/rake cdtb:verifications:to_unique_id[file_authorization_handler,id_document:00000000T,birthdate:01/01/2000]
+      `
+    EODESC
+    task :to_unique_id, [:handler_name] => :environment do |_task, args|
+      puts "Resolving #{args.handler_name} form class"
+      handler= find_handler_by_name(args.handler_name)
+      puts "Found handler with form class: #{handler.class}"
+      fill_handler_args(handler, args)
+      puts "unique_id: #{handler.unique_id}"
+    end
+    def find_handler_by_name(handler_name)
+      handler_class= Decidim::Verifications.find_workflow_manifest(handler_name).form
+      handler_class.constantize.new
+    end
+    def fill_handler_args(handler, args)
+      arguments= args.to_a[1..]
+      current_organization= if !arguments.first.include?(":")
+                              Decidim::Organization.find(arguments.first)
+                            else
+                              Decidim::Organization.first
+                            end
+      handler.with_context(current_organization: current_organization)
+      credentials= arguments.map { |arg| arg.split(":") }
+      puts "Setting credentials: #{credentials}"
+      credentials.each do |attr, val|
+        handler.send("#{attr}=".to_sym, val)
+      end
+    end
+    desc <<~EODESC
+      Checks the given credentials against the specified verification handler. Params [handler_name,credential1,credential2,...]"
+    EODESC
+    task :census_check, [:handler_name] => :environment do |_task, args|
+      handler= find_handler_by_name(args.handler_name)
+      fill_handler_args(handler, args)
+      raise "This handler does not support Cdtb's verification_service" unless handler.respond_to?(:verification_service)
+      service= handler.verification_service
+      puts "Invoking #{service.class.name}..."
+      rs= service.send_request
+      puts "Response Ok?: #{service.rs_ok?}"
+      puts "RS: #{rs.body}"
+    end
+  end
+end

data/lib/tasks/logs.rake ADDED Viewed

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+namespace :cdtb do
+  namespace :logs do
+    desc "Analize logs in Rails format. Counts the number of requests for each IP in the logs. Accepts a logfile param, it must be in log/."
+    task :num_rq_per_ip, [:logfile] do |_task, args|
+      logfile= args.logfile || "development.log"
+      file_path= "log/#{logfile}"
+      first_cmd= "grep Started"
+      piped_cmds= [%(grep " for "), "cut -d ' ' -f13", "sort", "uniq -c", "sort"].join(" | ")
+      puts "Running: `#{first_cmd} #{file_path} | #{piped_cmds}`"
+      puts `#{first_cmd} #{file_path} | #{piped_cmds}`
+    end
+  end
+end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: decidim-cdtb
 version: !ruby/object:Gem::Version
-  version: 0.1.8
+  version: 0.1.9
 platform: ruby
 authors:
 - Oliver Valls
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2024-04-24 00:00:00.000000000 Z
+date: 2024-05-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: decidim
@@ -100,6 +100,7 @@ files:
 - Rakefile
 - app/jobs/application_job.rb
 - app/jobs/cdtb/fix_nickname_job.rb
+- config/initializers/rack_attack.rb
 - decidim-cdtb.gemspec
 - lib/decidim/cdtb.rb
 - lib/decidim/cdtb/engine.rb
@@ -120,6 +121,8 @@ files:
 - lib/generators/cdtb/templates/validate_migrations.yml
 - lib/generators/cdtb/validate_migrations_ci_generator.rb
 - lib/tasks/anonymize.rake
+- lib/tasks/census.rake
+- lib/tasks/logs.rake
 - lib/tasks/multitenants.rake
 - lib/tasks/spam.rake
 - lib/tasks/storage.rake