decidim-cdtb 0.1.8 → 0.2.0

data/README.md

@@ -65,17 +65,35 @@ To migrate from S3 to local storage, the identified steps will be:
     `bin/rake cache:clear`
 5. Restart the Rails server
 
-### Detect spam
+### Spam & bots
 
-To detect spam in Decidim.
+Spam and bots are daily menaces in the current Internet. Decidim is not an exception, and is affected by both security concerns and performance.
+
+#### Bad bots and crawlers
+
+Decidim is already bundled with Rack::Attack but it lacks some features like IP banning or throttling by forwarded IP (useful when Decidim is behind a proxy). CDTB by default enables Rack::Attack with these features.
+
+Four ENV variables exist to configure its behaviour:
+
+- CDTB_RACK_ATTACK_DISABLED: Set to 1 to disable CDTB's Rack:Attack.
+- RACK_ATTACK_THROTTLE_LIMIT: The max. allowed number of requests during the period. Defaults to 30.
+- RACK_ATTACK_THROTTLE_PERIOD: The period in seconds. Defaults to 60.
+- RACK_ATTACK_BLOCKED_IPS: A comma separated list of blocked IPs or subnets (in the form 1.2.3.0/32).
+
+
+Available rake tasks to help analize crawlers:
+
+- `bin/rake cdtb:logs:num_rq_per_ip` Counts the number of requests for each IP in the logs. Accepts a logfile param, it must be in log/.
 
 #### Detect spam users
+
 Detects users susceptible of being spammers. It can run on all organizations or be scoped to a single organization by passing the organization ID as the rake task parameter.
 
 This rake task export a .csv with a list of all the searched users. A column indicates if each user is suspicious of being a spammer or not.
 The columns in the CSV are: "ID, "Is suspicious?", "Name", "Email", "Nickname", "Personal URL", "About"
 
 Examples:
+
 `bin/rake cdtb:spam:users[org_id]` --> find users in organization with an id.
 `bin/rake cdtb:spam:users` --> find all users in all organizations.
 

data/config/initializers/rack_attack.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+unless ENV["CDTB_RACK_ATTACK_DISABLED"].to_i.positive? || %w[development test].include?(Rails.env)
+  require "rack/attack"
+
+  limit= ENV.fetch("RACK_ATTACK_THROTTLE_LIMIT", 30)
+  period= ENV.fetch("RACK_ATTACK_THROTTLE_PERIOD", 60)
+  Rails.logger.info("Configuring Rack::Attack.throttle with limit: #{limit}, period: #{period}")
+  Rack::Attack.throttle("requests by (forwarded) ip", limit: limit.to_i, period: period.to_i) do |request|
+    # ignore requests to assets
+    next if request.path.start_with?("/rails/active_storage")
+
+    x_forwarded_for= request.get_header("HTTP_X_FORWARDED_FOR")
+    Rails.logger.info { ">>>>>>>>>>>>>>>>>>>> X-Forwarded-For: #{x_forwarded_for}" }
+    if x_forwarded_for.present?
+      ip= x_forwarded_for.split(":").first
+      ip
+    else
+      request.ip
+    end
+  end
+
+  if ENV["RACK_ATTACK_BLOCKED_IPS"].present?
+    ENV["RACK_ATTACK_BLOCKED_IPS"].split(",").each do |ip_or_subnet|
+      Rack::Attack.blocklist_ip(ip_or_subnet)
+    end
+  end
+end

data/decidim-cdtb.gemspec

@@ -12,7 +12,7 @@ Gem::Specification.new do |spec|
   spec.description = "A gem to help managing Decidim applications."
   spec.homepage = "https://github.com/CodiTramuntana/decidim-module-cdtb"
   spec.license = "MIT"
-  spec.required_ruby_version = ">= 2.7.5"
+  spec.required_ruby_version = ">= 3.0.7"
 
   spec.metadata["homepage_uri"] = spec.homepage
   spec.metadata["source_code_uri"] = spec.homepage
@@ -35,4 +35,5 @@ Gem::Specification.new do |spec|
 
   spec.add_development_dependency "decidim-dev", Decidim::Cdtb::DECIDIM_MIN_VERSION
   spec.add_development_dependency "faker"
+  spec.metadata["rubygems_mfa_required"] = "true"
 end

data/lib/decidim/cdtb/spam/user_spam_detector.rb

@@ -11,7 +11,7 @@ module Decidim
         # rubocop:disable Style/RedundantRegexpEscape
         URL_REGEX = %r{(https?:\/\/(?:www\.|(?!www))[a-zA-Z0-9][a-zA-Z0-9-]+[a-zA-Z0-9]\.[^\s]{2,}|
         www\.[a-zA-Z0-9][a-zA-Z0-9-]+[a-zA-Z0-9]\.[^\s]{2,}|https?:\/\/(?:www\.|
-        (?!www))[a-zA-Z0-9]+\.[^\s]{2,}|www\.[a-zA-Z0-9]+\.[^\s]{2,})}.freeze
+        (?!www))[a-zA-Z0-9]+\.[^\s]{2,}|www\.[a-zA-Z0-9]+\.[^\s]{2,})}
         # rubocop:enable Style/RedundantRegexpEscape
 
         def initialize(organization = nil)
@@ -40,7 +40,9 @@ module Decidim
         # rubocop:disable Metrics/AbcSize
         def do_execution(context)
           progress_bar = context[:progress_bar]
-          CSV.open("spam_users.csv", "w") do |csv|
+          filename= "spam_users.csv"
+          filepath= Rails.env.test? ? "tmp/#{filename}" : filename
+          CSV.open(filepath, "w") do |csv|
             csv_headers = ["ID", "Is suspicious?", "Name", "Email", "Nickname", "Personal URL", "About",
                            "Organization ID", "Organization Name"]
             csv << csv_headers

data/lib/decidim/cdtb/version.rb

@@ -2,7 +2,7 @@
 
 module Decidim
   module Cdtb
-    VERSION = "0.1.8"
-    DECIDIM_MIN_VERSION = ">= 0.26.2"
+    VERSION = "0.2.0"
+    DECIDIM_MIN_VERSION = ">= 0.27.0"
   end
 end

data/lib/tasks/anonymize.rake

@@ -97,8 +97,8 @@ namespace :cdtb do
           unconfirmed_email: nil,
           avatar: nil,
           extended_data: user_group.extended_data.merge({
-                                                          "phone": "123456789",
-                                                          "document_number":
+                                                          phone: "123456789",
+                                                          document_number:
                                                           "document-#{user_group.id}"
                                                         })
         )

data/lib/tasks/census.rake

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+require "decidim/cdtb/tasks"
+
+namespace :cdtb do
+  namespace :verifications do
+    desc <<~EODESC
+      Lists the verifications handlers in the current Decidim application.
+    EODESC
+    task handlers: :environment do |_task, _args|
+      puts "Verification Handlers in this Decidim application:"
+      Decidim.authorization_handlers.each do |manifest|
+        attrs= if manifest.form.present?
+                 manifest.form.constantize.attribute_set.to_a.map(&:name).excluding(:id, :user, :handler_name).join(", ")
+               else
+                 "No form."
+               end
+        puts "- #{manifest.name}: (#{attrs})"
+      end
+    end
+
+    desc <<~EODESC
+            Returns the unique_id version of the given arguments for the given authorization handler.
+            Params:
+              - handler_name
+              - (optional) organization_id
+              - credential_1,  credential_2, ...: in the form "id_document:00000000T", "birthdate:24/03/1977".
+            For example:
+            `bin/rake cdtb:verifications:to_unique_id[file_authorization_handler,id_document:00000000T,birthdate:01/01/2000]
+      `
+    EODESC
+    task :to_unique_id, [:handler_name] => :environment do |_task, args|
+      puts "Resolving #{args.handler_name} form class"
+      handler= find_handler_by_name(args.handler_name)
+      puts "Found handler with form class: #{handler.class}"
+
+      fill_handler_args(handler, args)
+
+      puts "unique_id: #{handler.unique_id}"
+    end
+
+    def find_handler_by_name(handler_name)
+      handler_class= Decidim::Verifications.find_workflow_manifest(handler_name).form
+      handler_class.constantize.new
+    end
+
+    def fill_handler_args(handler, args)
+      arguments= args.to_a[1..]
+      current_organization= if arguments.first.include?(":")
+                              Decidim::Organization.first
+                            else
+                              Decidim::Organization.find(arguments.first)
+                            end
+      handler.with_context(current_organization: current_organization)
+
+      credentials= arguments.map { |arg| arg.split(":") }
+      puts "Setting credentials: #{credentials}"
+      credentials.each do |attr, val|
+        handler.send("#{attr}=".to_sym, val)
+      end
+    end
+
+    desc <<~EODESC
+      Checks the given credentials against the specified verification handler. Params [handler_name,credential1,credential2,...]"
+    EODESC
+    task :census_check, [:handler_name] => :environment do |_task, args|
+      handler= find_handler_by_name(args.handler_name)
+      fill_handler_args(handler, args)
+      raise "This handler does not support Cdtb's verification_service" unless handler.respond_to?(:verification_service)
+
+      service= handler.verification_service
+      puts "Invoking #{service.class.name}..."
+      rs= service.send_request
+      puts "Response Ok?: #{service.rs_ok?}"
+      puts "RS: #{rs.body}"
+    end
+  end
+end

data/lib/tasks/logs.rake

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+namespace :cdtb do
+  namespace :logs do
+    desc "Analize logs in Rails format. Counts the number of requests for each IP in the logs. Accepts a logfile param, it must be in log/."
+    task :num_rq_per_ip, [:logfile] do |_task, args|
+      logfile= args.logfile || "development.log"
+
+      file_path= "log/#{logfile}"
+      first_cmd= "grep Started"
+      piped_cmds= [%(grep " for "), "cut -d ' ' -f13", "sort", "uniq -c", "sort"].join(" | ")
+      puts "Running: `#{first_cmd} #{file_path} | #{piped_cmds}`"
+      puts `#{first_cmd} #{file_path} | #{piped_cmds}`
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: decidim-cdtb
 version: !ruby/object:Gem::Version
-  version: 0.1.8
+  version: 0.2.0
 platform: ruby
 authors:
 - Oliver Valls
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2024-04-24 00:00:00.000000000 Z
+date: 2024-05-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: decidim
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.26.2
+        version: 0.27.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.26.2
+        version: 0.27.0
 - !ruby/object:Gem::Dependency
   name: rails
   requirement: !ruby/object:Gem::Requirement
@@ -58,14 +58,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.26.2
+        version: 0.27.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.26.2
+        version: 0.27.0
 - !ruby/object:Gem::Dependency
   name: faker
   requirement: !ruby/object:Gem::Requirement
@@ -100,6 +100,7 @@ files:
 - Rakefile
 - app/jobs/application_job.rb
 - app/jobs/cdtb/fix_nickname_job.rb
+- config/initializers/rack_attack.rb
 - decidim-cdtb.gemspec
 - lib/decidim/cdtb.rb
 - lib/decidim/cdtb/engine.rb
@@ -120,6 +121,8 @@ files:
 - lib/generators/cdtb/templates/validate_migrations.yml
 - lib/generators/cdtb/validate_migrations_ci_generator.rb
 - lib/tasks/anonymize.rake
+- lib/tasks/census.rake
+- lib/tasks/logs.rake
 - lib/tasks/multitenants.rake
 - lib/tasks/spam.rake
 - lib/tasks/storage.rake
@@ -133,6 +136,7 @@ metadata:
   homepage_uri: https://github.com/CodiTramuntana/decidim-module-cdtb
   source_code_uri: https://github.com/CodiTramuntana/decidim-module-cdtb
   changelog_uri: https://github.com/CodiTramuntana/decidim-module-cdtb/CHANGELOG.md
+  rubygems_mfa_required: 'true'
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -141,14 +145,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.7.5
+      version: 3.0.7
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.6
+rubygems_version: 3.2.33
 signing_key: 
 specification_version: 4
 summary: CodiTramuntana's Decidim Toolbelt (cdtb).