firewool 0.1.0

data/.gitignore

@@ -0,0 +1,4 @@
+*.gem
+.bundle
+Gemfile.lock
+pkg/*

data/Gemfile

@@ -0,0 +1,4 @@
+source "http://rubygems.org"
+
+# Specify your gem's dependencies in firewool.gemspec
+gemspec

data/README.rdoc

@@ -0,0 +1,95 @@
+== Firewool
+Firewool is an IP firewall for rails.  You set what IPs to block and what IPs to allow.  Specifics below.
+
+== Why would I need this?
+- A layer 7 firewall is too expensive.
+- Anonymous authentication doesn't equate to all access authorization.
+- Belt and suspenders style double security check.
+
+== Install
+gem install firewool
+
+- Tested on rails 3.0.4.
+- Untested on rails 2.x.  Probably won't work because no engines.
+
+== Configuration
+Add firewool and dependency to Gemfile:
+ gem 'firewool'
+ gem 'ipaddress'
+  
+Create a configuration file in config/firewool.yml
+
+ # config/firewool.yml
+ # changing any valves requires app server restart (apache/webrick/etc)
+	
+ development:
+   ip_restriction: true
+	 allow: [ 192.168.0.0/16 ]
+
+ test:
+   ip_restriction: false
+
+ production:
+   ip_restriction: true
+   allow: [ 1.1.0.0/16, 1.2.0.0/16, 1.3.0.0/16 ]
+   deny:  [ 10.50.0.0/16 ]
+
+
+Add these lines to your controller you want to protect:
+
+ class DummyController < ApplicationController
+   include Firewool
+   acts_as_firewalled
+   before_filter :ip_filter
+
+
+Optionally, you can just filter certain actions like any filter:
+ before_filter :ip_filter, :only => [:admin, :secret]
+
+== About
+Firewool has an implicit deny by default.  This means that Firewool does the following evalation:
+ Deny first
+ Allow all in allow list
+ Deny all in deny list
+
+This allows you to have security by default, a whitelist and then exceptions to that whitelist.  However, sometimes you want a default allow and only exceptions to that rule.  In that case, use an allow with 0.0.0.0 like this:
+ allow: [ 0.0.0.0 ]
+ deny:  [ whatever ]
+
+So then firewool will do allow -> deny.
+
+IPs can be spoofed so in the case of strong security, you'll want to use this with one or more factor authentication.
+
+== Quick Network Primer
+So how do I write the rules when I'm not a network guy?  No problem, let's go through some examples.
+
+First, the IP is four numbers separated by periods.  Each number is called an ocet.  The slash number (like /16 up above) is how many octets match.  So to match every usable IP from 10.0.0.1 to 10.0.0.254, we can just say:
+ 10.0.0.0/24 (matches 10.0.0.*)
+   10.0.0.1      (match)
+   10.0.0.204    (match)
+   10.0.1.1      (no match)
+   7.8.9.10      (no match)
+
+If we just want to match one IP we can use the /32 or just specify the IP by itself.
+ 192.168.0.1/32  (matches only 192.168.0.1)
+   192.168.0.1     (matches only 192.168.0.1, same meaning as /32)
+   5.0.0.0/8       (matches 5.*.*.*)
+   5.6.0.0/16      (matches 5.6.*.*)
+   5.6.0.0/24      (matches 5.6.0.*)
+   5.6.7.0/24      (matches 5.6.7.*)
+    
+These are the simplest examples of this notation (called CIDR if you want to read more) but it's enough to build a few use cases.  Let's say we want to allow anyone from our company network but block anyone coming from Evil Hackers' Inc.  Our company's external network is 5.6.7.* (ie: what users see when they go to whatismyip.com from inside their network) and let's say that Evil Hackers' proxy is 58.14.0.0.  This would be our firewool.yml config:
+ production:
+   ip_restriction: true
+   allow: [ 5.6.7.0/24 ]
+   deny:  [ 58.14.0.0/16 ]
+    
+Now we'd want to be careful that 5.6.7.* was really where our users are coming from.  If people that we want to keep out are coming from 5.6.7.200 then we'd want to tighten up our rule a little bit and not allow all of the 5.6.7.0 network in.  Maybe we research what our IP block really is, or add only the IPs we know about as /32 IPs.
+
+As a special case, 0.0.0.0 means *.*.*.*, or all IPs.
+
+== Pretty up
+If 403.html doesn't exist in your public directory, then a blocked user will simply see "Public Access Denied." which isn't that great.  Create a 403.html file in public, you can use this {403.html template as an example}[https://github.com/squarism/firewool/blob/master/test/dummy/public/403.html].
+
+== Thanks to
+Bluemonk for his awesome ipaddress gem.

data/Rakefile

@@ -0,0 +1,13 @@
+require 'bundler'
+Bundler::GemHelper.install_tasks
+
+# gem tests for TDD
+require 'rake/testtask'
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib' << 'test'
+  t.pattern = 'test/*_test.rb'
+  t.verbose = true
+end
+
+
+task :default => :test

data/firewool.gemspec

@@ -0,0 +1,24 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "firewool/version"
+
+Gem::Specification.new do |s|
+  s.name        = "firewool"
+  s.version     = Firewool::VERSION
+  s.platform    = Gem::Platform::RUBY
+  s.authors     = ["Chris Dillon"]
+  s.email       = ["squarism@gmail.com"]
+  s.homepage    = "http://github.com/squarism/firewool"
+  s.summary     = %q{Firewalling gem for rails.  Baa.}
+  s.description = %q{Provides ip filtering based on a black/white list.}
+
+  s.rubyforge_project = "firewool"
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+  
+  s.add_dependency('ipaddress', '>= 0.7.0')
+  s.add_development_dependency('shoulda')
+end

data/lib/firewool.rb

@@ -0,0 +1,23 @@
+require 'active_support/core_ext'
+require 'ipaddress'
+
+# rails engine setup
+require File.join(File.dirname(__FILE__), "firewool/railtie.rb")
+
+module Firewool
+  
+  def self.included(base)
+    base.extend(Firewool::Hook)
+  end
+  
+  class Config
+    attr_reader :yaml_config
+    
+    def initialize
+      @yaml_config = YAML.load_file("#{Rails.root.to_s}/config/firewool.yml")
+    end
+  end
+
+  autoload :Hook, File.join(File.dirname(__FILE__), "firewool/hook")
+  autoload :InstanceMethods, File.join(File.dirname(__FILE__), "firewool/instance_methods")
+end

data/lib/firewool/hook.rb

@@ -0,0 +1,12 @@
+module Firewool
+  module Hook
+    def acts_as_firewalled
+      @firewool_config = Firewool::Config.new
+      include Firewool::InstanceMethods
+    end
+
+    def firewool_config
+      @firewool_config.yaml_config || self.superclass.instance_variable_get('@firewool_config').yaml_config
+    end
+  end
+end

data/lib/firewool/instance_methods.rb

@@ -0,0 +1,68 @@
+module Firewool
+  module InstanceMethods
+    # TODO: opinionated.  provide instructions on how to forget about this filter
+    # and redirect to their own thing.  but this should redirect to the 403.html in public
+    def ip_filter
+      # if no allowed ranges match, then deny
+      if !ip_allow?(request.remote_ip)
+        if File.exists? "#{::Rails.root.to_s}/public/403.html"
+          render :file => "#{::Rails.root.to_s}/public/403.html", :layout => false, :status => 403
+        else
+          render :text => "Public Access Denied.", :status => 403
+        end
+      end
+    end
+
+    def ip_allow?(ip)
+      firewool_config = self.class.firewool_config[Rails.env]
+    
+      if firewool_config['ip_restriction']
+        # get our policy from the conf file
+        allowed_ranges = firewool_config['allow']
+        denied_ranges = firewool_config['deny']
+
+        # default allow check
+        if allowed_ranges.include?("0.0.0.0")
+          # default_allow done with access_decision true first
+          # allow -> deny
+          access_decision = true
+        else
+          # without default_allow is access_decision is false by default
+          # deny -> allow -> deny
+          access_decision = false
+        end
+
+        client_ip = IPAddress::parse ip
+
+        # apply allow rules
+        if !allowed_ranges.nil?
+          if in_range?(allowed_ranges, client_ip)
+            access_decision = true
+          end
+        end
+
+        # apply deny rules      
+        if !denied_ranges.nil?
+          if in_range?(denied_ranges, client_ip)
+            access_decision = false
+          end
+        end
+
+        # return our shizz
+        access_decision
+      end
+    end
+
+    #-----------------------------------------------------------------------------------------------
+    private
+    def in_range?(range, ip)
+      range.each do |r|
+        range_ip = IPAddress::parse r
+        if range_ip.include? ip
+          return true
+        end
+      end
+      return false
+    end
+  end
+end

data/lib/firewool/railtie.rb

@@ -0,0 +1,19 @@
+require 'rails'
+require 'firewool'
+
+begin
+module Firewool
+
+  class Railtie < Rails::Railtie
+    # nothing here right now
+    config.to_prepare do
+      # p "hook added"
+      #ApplicationController.send(:extend, Firewool::Hook)
+    end
+  end
+
+end
+rescue
+p $!, $!.message
+raise $!
+end

data/lib/firewool/version.rb

@@ -0,0 +1,3 @@
+module Firewool
+  VERSION = "0.1.0"
+end

data/test/dummy/.gitignore

@@ -0,0 +1,4 @@
+.bundle
+db/*.sqlite3
+log/*.log
+tmp/

data/test/dummy/Gemfile

@@ -0,0 +1,31 @@
+source 'http://rubygems.org'
+
+gem 'rails', '~>3.0.4'
+
+# Bundle edge Rails instead:
+# gem 'rails', :git => 'git://github.com/rails/rails.git'
+
+# gem 'sqlite3'
+
+# Use unicorn as the web server
+# gem 'unicorn'
+
+# Deploy with Capistrano
+# gem 'capistrano'
+
+# To use debugger (ruby-debug for Ruby 1.8.7+, ruby-debug19 for Ruby 1.9.2+)
+# gem 'ruby-debug'
+# gem 'ruby-debug19'
+
+# Bundle the extra gems:
+# gem 'bj'
+# gem 'nokogiri'
+# gem 'sqlite3-ruby', :require => 'sqlite3'
+# gem 'aws-s3', :require => 'aws/s3'
+
+# Bundle gems for the local environment. Make sure to
+# put test-only gems in this group so their generators
+# and rake tasks are available in development mode:
+# group :development, :test do
+#   gem 'webrat'
+# end

data/test/dummy/README

@@ -0,0 +1,3 @@
+== Dummy App
+
+This is a dummy rails app for testing firewool.  Rake test hits this for TDD gem development.  Sort of TDD anyway.  :P

data/test/dummy/Rakefile

@@ -0,0 +1,7 @@
+# Add your own tasks in files placed in lib/tasks ending in .rake,
+# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
+
+require File.expand_path('../config/application', __FILE__)
+require 'rake'
+
+Dummy::Application.load_tasks

data/test/dummy/app/controllers/application_controller.rb

@@ -0,0 +1,3 @@
+class ApplicationController < ActionController::Base
+  protect_from_forgery
+end

data/test/dummy/app/controllers/dummy_controller.rb

@@ -0,0 +1,5 @@
+class DummyController < ApplicationController
+  include Firewool
+  acts_as_firewalled
+  before_filter :ip_filter
+end

data/test/dummy/app/helpers/application_helper.rb

@@ -0,0 +1,2 @@
+module ApplicationHelper
+end

data/test/dummy/app/helpers/dummy_helper.rb

@@ -0,0 +1,2 @@
+module DummyHelper
+end

data/test/dummy/app/views/layouts/application.html.erb

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Dummy</title>
+  <%= stylesheet_link_tag :all %>
+  <%= javascript_include_tag :defaults %>
+  <%= csrf_meta_tag %>
+</head>
+<body>
+
+<%= yield %>
+
+</body>
+</html>

data/test/dummy/config.ru

@@ -0,0 +1,4 @@
+# This file is used by Rack-based servers to start the application.
+
+require ::File.expand_path('../config/environment',  __FILE__)
+run Dummy::Application

data/test/dummy/config/application.rb

@@ -0,0 +1,47 @@
+require File.expand_path('../boot', __FILE__)
+
+# get rid of activerecord, we don't need it to test
+#require 'rails/all'
+require "action_controller/railtie"
+require "action_mailer/railtie"
+require "active_resource/railtie"
+require "rails/test_unit/railtie"
+
+# If you have a Gemfile, require the gems listed there, including any gems
+# you've limited to :test, :development, or :production.
+Bundler.require(:default, Rails.env) if defined?(Bundler)
+
+module Dummy
+  class Application < Rails::Application
+    # Settings in config/environments/* take precedence over those specified here.
+    # Application configuration should go into files in config/initializers
+    # -- all .rb files in that directory are automatically loaded.
+
+    # Custom directories with classes and modules you want to be autoloadable.
+    # config.autoload_paths += %W(#{config.root}/extras)
+
+    # Only load the plugins named here, in the order given (default is alphabetical).
+    # :all can be used as a placeholder for all plugins not explicitly named.
+    # config.plugins = [ :exception_notification, :ssl_requirement, :all ]
+
+    # Activate observers that should always be running.
+    # config.active_record.observers = :cacher, :garbage_collector, :forum_observer
+
+    # Set Time.zone default to the specified zone and make Active Record auto-convert to this zone.
+    # Run "rake -D time" for a list of tasks for finding time zone names. Default is UTC.
+    # config.time_zone = 'Central Time (US & Canada)'
+
+    # The default locale is :en and all translations from config/locales/*.rb,yml are auto loaded.
+    # config.i18n.load_path += Dir[Rails.root.join('my', 'locales', '*.{rb,yml}').to_s]
+    # config.i18n.default_locale = :de
+
+    # JavaScript files you want as :defaults (application.js is always included).
+    # config.action_view.javascript_expansions[:defaults] = %w(jquery rails)
+
+    # Configure the default encoding used in templates for Ruby 1.9.
+    config.encoding = "utf-8"
+
+    # Configure sensitive parameters which will be filtered from the log file.
+    config.filter_parameters += [:password]
+  end
+end

data/test/dummy/config/boot.rb

@@ -0,0 +1,6 @@
+require 'rubygems'
+
+# Set up gems listed in the Gemfile.
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)
+
+require 'bundler/setup' if File.exists?(ENV['BUNDLE_GEMFILE'])

data/test/dummy/config/database.yml

@@ -0,0 +1,22 @@
+# SQLite version 3.x
+#   gem install sqlite3
+development:
+  adapter: sqlite3
+  database: db/development.sqlite3
+  pool: 5
+  timeout: 5000
+
+# Warning: The database defined as "test" will be erased and
+# re-generated from your development database when you run "rake".
+# Do not set this db to the same as development or production.
+test:
+  adapter: sqlite3
+  database: db/test.sqlite3
+  pool: 5
+  timeout: 5000
+
+production:
+  adapter: sqlite3
+  database: db/production.sqlite3
+  pool: 5
+  timeout: 5000