fortifier 0.1.4

data/app/models/fortifier/batch_updater.rb

@@ -0,0 +1,148 @@
+module Fortifier
+
+  class BatchUpdater
+    
+    attr_reader :users_to_update, :application_uuid, :account_uuid, :user_status
+
+    def initialize(users_to_upd)
+      @account_uuid = users_to_upd['account_uuid']
+      @application_uuid = users_to_upd['application_uuid']
+      @users_to_update = users_to_upd['users']
+      @user_status = Hash.new { | h, k | h[k] = { status: :new, messages: [] }}
+    end
+
+    def perform_updates
+      identify_deltas # Determine what we need to do
+      users_with_unidentified_status = []
+      
+      user_status.each_pair do | login, status_info |
+        case status_info[:status]
+        when :new
+          add_new_user(login, users_to_update[login], status_info)
+        when :delete
+          unlink_user(login, status_info)
+        when :update
+          update_user(login, users_to_update[login], status_info)
+        when :error
+          # Not doing anything with users that have an error
+        else
+          # Need to log and email users in this state
+        end
+      end
+    end
+
+    private
+
+    def set_error_info(status_info, errors)
+      status_info[:status] = :error
+      status_info[:messages] += errors
+    end
+
+    def add_new_user(login, user_info, status_info)
+      auth_user = AuthUser.where(login: login).includes(:secrets).references(:secrets).first
+      auth_user ||= AuthUser.new
+      auth_user.login = login
+      auth_user.email = user_info['email']
+      auth_user.name  = user_info['name']
+      auth_user.app_uuids = [ application_uuid ]
+      auth_user.account_uuids = [ account_uuid ]
+      auth_user.secrets << Secret.new(secret: user_info['token'],
+                                      secret_confirmation: user_info['token'],
+                                      enc_type: Secret::SSO_TOKEN)
+      if auth_user.valid?
+        auth_user.save
+        status_info[:uuid] = auth_user.uuid
+      else
+        set_error_info(status_info, auth_user.errors.full_messages)
+      end
+    end
+
+    def unlink_user(login, status_info)
+      auth_user = AuthUser.where(login: login).includes(:secrets).references(:secrets).first
+      if auth_user.present?
+        # In the case of batch SSO, the way we 'unlink' a user is to remove
+        # their secret (token). Removal of their secret disallows the possibility
+        # of begin authenticated. Leaving the auth user is necessary to allow
+        # app-user ressurection.
+        auth_user.secrets.destroy_all
+        status_info[:uuid] = auth_user.uuid
+      else
+        set_error_info(status_info, [ "Unable to find user to unlink: #{login}" ])
+      end
+    end
+
+    def update_user(login, user_info, status_info)
+      auth_user = AuthUser.where(login: login).includes(:secrets).references(:secrets).first
+      if auth_user.present?
+        auth_user.email = user_info['email']
+        auth_user.name  = user_info['name']
+        status_info[:uuid] = auth_user.uuid
+        secret = auth_user.secrets.first
+        if secret.present?
+          secret.update_attributes(secret: user_info['token'], secret_confirmation: user_info['token'])
+        else
+          auth_user.secrets << Secret.new(secret: user_info['token'],
+                                          secret_confirmation: user_info['token'],
+                                          enc_type: Secret::SSO_TOKEN)
+        end
+        if auth_user.valid?
+          auth_user.save
+        else
+          set_error_info(status_info, auth_user.errors.full_messages)
+        end
+      else
+        set_error_info(status_info, [ "Unable to find user to update: #{login}" ])
+      end
+    end
+
+    def identify_deltas
+      account_auth_user_logins = AuthUser.joins(:secrets).where("FIND_IN_SET(?, account_uuids_csv) > 0", account_uuid).pluck(:login).uniq
+
+      identify_existing_users
+      identify_users_to_be_deleted account_auth_user_logins
+      identify_users_to_be_added account_auth_user_logins
+
+      user_status
+    end
+
+    def identify_existing_users
+      # Find the auth users that currently exist
+      existing_auth_users = AuthUser.where("login in (?)", logins)
+      existing_auth_users.reduce(user_status) do | u_status, auth_user |
+        u_status[auth_user.login][:status] = :update
+        unless auth_user.account_uuids.include?(account_uuid)
+          u_status[auth_user.login][:status] = :error
+          u_status[auth_user.login][:messages] << "Login already used" 
+        end
+        u_status
+      end
+    end
+
+    def identify_users_to_be_deleted(account_auth_user_logins)
+      auth_users_to_delete = (account_auth_user_logins - logins)
+      auth_users_to_delete.reduce(user_status) do | u_status, login_to_delete |
+        u_status[login_to_delete][:status] = :delete
+        u_status
+      end
+      account_auth_user_logins
+    end
+
+    def identify_users_to_be_added(account_auth_user_logins)
+      # Find the auth users that need to be added
+      auth_users_to_add = (logins - account_auth_user_logins)
+      auth_users_to_add.reduce(user_status) do | u_status, login_to_add |
+        unless u_status.has_key?(login_to_add)
+          u_status[login_to_add][:status] = :new
+        end
+        u_status
+      end
+
+    end
+  
+    def logins
+      users_to_update.keys
+    end
+
+  end
+
+end

data/app/models/fortifier/max_mind.rb

@@ -0,0 +1,64 @@
+module Fortifier
+  class MaxMind 
+
+    def self.valid_ip?(auth_log)
+      return true unless Rails.env=="production"
+
+      ip_address = auth_log[:remote_addr]
+
+      return true if local_ip?(ip_address)
+      return true if previously_validated_ip?(ip_address)
+      return true if auth_log.auth_user.try(:matching_whitelist_ip?,ip_address)
+      return false if previously_rejected_ip?(ip_address)
+
+      fields = [:country_code, :error]
+      options = { :license => "KqA72c39qtQs", :ip => ip_address }
+
+      uri = URI::HTTP.build(:scheme => 'http',
+                            :host   => 'geoip.maxmind.com',
+                            :path   => '/a',
+                            :query  => URI.encode_www_form(:l => options[:license],
+                                                           :i => ip_address))
+      begin
+        response = Net::HTTP.get_response(uri)
+
+        raise Exception.new("MaxMind Request failed with status #{response.code}") unless response.is_a?(Net::HTTPSuccess)
+
+        info = Hash[fields.zip(response.body.encode('utf-8', 'iso-8859-1').parse_csv)]
+        country = info[:country_code]
+
+        raise Exception.new("MaxMind Request failed - IP not found: #{ip_address}") if info[:error]=="IP_NOT_FOUND"
+
+        if country=="CA" || country=="US" || country=="UM" || country=="PR" || country==nil
+          MaxMindReferenceIp.create(ip_address: ip_address, country: country, allowed: true)
+          return true
+        else
+          NotifierMailer.foreign_access(auth_log.auth_user, auth_log).deliver
+          MaxMindReferenceIp.create(ip_address: ip_address, country: country, allowed: false)
+          return false
+        end
+      rescue Exception=>e
+        NotifierMailer.task_exception(e).deliver
+        return true
+      end
+    end
+
+    private
+
+    def self.local_ip?(ip)
+      ip_regex = /(^127\.)|(^192\.168\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^::1)|(^0:0:0:0:0:0:0:1)$/
+      return true if ip_regex.match(ip)
+    end
+
+    def self.previously_validated_ip?(ip)
+      match = MaxMindReferenceIp.where(ip_address: ip).where("updated_at > ? and allowed = ?", Date.today - 6.months, true).first
+      return match.present?
+    end
+
+    def self.previously_rejected_ip?(ip)
+      match = MaxMindReferenceIp.where(ip_address: ip).where("updated_at > ? and allowed = ?", Date.today - 6.months, false).first
+      return match.present?
+    end
+
+  end
+end

data/app/models/fortifier/max_mind_reference_ip.rb

@@ -0,0 +1,5 @@
+module Fortifier
+  class MaxMindReferenceIp < ActiveRecord::Base
+
+  end
+end

data/app/models/fortifier/rufus/rufus_password_expiration.rb

@@ -0,0 +1,23 @@
+#  .---------------- minute (0 - 59) 
+#  |   .------------- hour (0 - 23)
+#  |   |   .---------- day of month (1 - 31)
+#  |   |   |   .------- month (1 - 12) OR jan,feb,mar,apr ... 
+#  |   |   |   |  .----- day of week (0 - 6) (Sunday=0 or 7)  OR sun,mon,tue,wed,thu,fri,sat 
+#  |   |   |   |  |
+#  *   *   *   *  *  command to be executed
+
+module Fortifier
+  class RufusNotificationDigest
+
+    def self.schedule(scheduler)
+
+      # DAILY - every day at half past midnight
+      scheduler.cron '30 0 * * * America/Denver', :blocking => true do    
+        ActiveRecord::Base.establish_connection
+        ScheduledJob.log("Daily Password Expiration") do
+          Password.evaluate_for_expiration
+        end
+      end
+    end
+  end
+end

data/app/models/fortifier/secret.rb

@@ -0,0 +1,189 @@
+module Fortifier
+  class Secret < ActiveRecord::Base
+
+  	EXPIRATION_PERIOD = 90 # days
+  	RESTRICTION_PERIOD = 1 # year
+  	GRACE_PERIOD = EXPIRATION_PERIOD - 8 # days
+  	SHA = "SHA"
+  	BCRYPT = "BCRYPT"
+    SSO_TOKEN = "SSO_TOKEN" # i.e. no encryption
+    RESET_TOKEN = 'RESET_TOKEN'
+	
+  	attr_accessor :secret, :secret_confirmation
+    attr_accessor :skip_validation
+    attr_accessor :reset_token
+	
+  	belongs_to :auth_user
+	
+    scope :active, -> { where(expired: 0) }
+  	scope :past_expiration, -> do
+  	  active.joins(:user, :account)
+  	        .where("accounts.id in (select accounts.id from accounts left outer join configurations c on c.account_id = accounts.id
+                    where c.add_on_id=#{AddOn::PW_ENHANCEMENTS_ADD_ON_ID} and c.kee='enabled' and c.value='true')")
+  	        .where("secrets.created_at < ?", Time.now - EXPIRATION_PERIOD.days)
+  	end
+  	scope :week_to_expiration, -> do
+  	  active.select("users.*, secrets.*")
+  	        .joins(:user, :account)
+  	        .where("accounts.id in (select accounts.id from accounts left outer join configurations c on c.account_id = accounts.id
+                    where c.add_on_id=#{AddOn::PW_ENHANCEMENTS_ADD_ON_ID} and c.kee='enabled' and c.value='true')")
+  	        .where("DATEDIFF(secrets.created_at, '#{Time.now - EXPIRATION_PERIOD.days}') = 7")
+  	end
+
+    # NOTE: These custom validations are used so that symbols/codes
+    # can be returned to applications, rather than explicit text.
+    # Fortifier provides the symbols and the apps are responsible 
+    # for handling error messaging.
+    validate    :secret_is_present,
+                :unless => :skip_validation
+    validate    :secret_confirmation_is_present,
+                :unless => :skip_validation
+    validate    :secret_matches_confirmation,
+                :unless => :skip_validation
+    validate    :secret_matches_regex,
+                :unless => :skip_validation
+    # TODO: (DK) turn back on when ready:
+    # validate  :secret_not_used_recently,
+    #           :unless=>:sso_auth_user?
+	
+  	before_save :encrypt_secret, :unless => :skip_validation
+    before_save :set_sso_token, :if => :sso_auth_user?
+    # TODO: (DK) remove when no longer needed: before_save :set_auth_user_id
+    before_save :expire_previous_secret
+
+    def secret_is_present
+      return if secret.present?
+      errors[:base] << :blank_password
+    end
+
+    def secret_confirmation_is_present
+      return if secret_confirmation.present?
+      errors[:base] << :blank_password_confirmation
+    end
+
+  	def secret_matches_confirmation
+      return if secret == secret_confirmation
+      errors[:base] << :passwords_do_not_match
+    end
+
+    def secret_matches_regex
+      # 10 to 40 characters, one letter, one number
+      errors[:base] << :bad_password if secret and secret.match(Fortifier::Authentication::SECRET_REGEX).nil?
+    end
+
+    # TODO: (DK)
+    # def secret_not_used_recently
+    #   # enhanced secret validation
+    #   errors[:base] << :password_previously_used if matches_previous_secret?(secret)
+    # end
+
+    def sso_auth_user?; self.enc_type==SSO_TOKEN; end
+
+    def password_reset?; self.enc_type==RESET_TOKEN || self.reset_token; end
+
+    def skip_validation?
+      self.skip_validation || self.sso_auth_user? || self.password_reset?
+    end
+
+  	def expire!; update_column(:expired, 1); end
+
+  	def expired?; expired == 1; end
+
+    def enable!; expired == 0; end
+
+  	def expiration_date; (created_at.to_time + EXPIRATION_PERIOD.days); end
+
+  	def within_a_week_of_expiration?
+     t = (expiration_date.to_date - Date.today).to_i
+     t <= 7 && t > 0
+    end
+
+    def self.reset_token_unique?(token)
+      return false if token.blank?
+      Fortifier::Secret.where("enc_type='#{RESET_TOKEN}' 
+                                AND secret_value='#{token}' 
+                                AND (expired IS NULL OR expired=false)").blank?
+    end
+
+    def expire_previous_secret
+      return if (self.reset_token || auth_user.current_secret.blank?)
+      old_secrets = Secret.where("auth_user_id='#{auth_user.id}' AND (expired IS NULL OR expired=false)")
+      old_secrets.each{|s| s.expire!}
+    end
+	
+  	# This is called by the rufus job to determine whether users should be locked for not changing secrets
+  	def self.evaluate_for_expiration
+  	  Secret.past_expiration.each do |secret|
+  	    secret.user.disable!
+  	    secret.expire!
+  	  end
+  	  Secret.week_to_expiration.each do |secret|
+  	    NotifierMailer.secret_expiration(secret, secret.user.email).deliver
+  	  end
+  	end
+	
+  	def matches?(secret_string)
+  	  if enc_type == SHA
+        # deprecated pw hashing
+  	    secret_value == Digest::SHA1.hexdigest("--#{salt}--#{secret_string}--")
+      elsif enc_type == Secret::SSO_TOKEN
+            secret_value == secret_string
+  	  else
+  	    BCrypt::Password.new(secret_value) == secret_string
+  	  end
+  	end
+	
+  	def update_encryption_method(secret_string)
+  	  # TODO: dave, test if this works: return if enc_type == (BCRYPT || SSO_TOKEN)
+  	  return if self.enc_type == Secret::BCRYPT || self.enc_type == Secret::SSO_TOKEN or secret_string.blank?
+      new_secret = Secret.new
+      new_secret.auth_user = self.auth_user
+  	  new_secret.secret_value = secret_string
+  	  new_secret.salt = nil
+  	  new_secret.enc_type = BCRYPT
+  	  new_secret.save!(validate: false)
+  	end
+  
+    def self.make_token
+      token=rand(36**30).to_s(36) while Secret.reset_token_unique?(token)==false
+      token
+    end
+  
+    def self.make_sso_token
+      token=rand(36**30).to_s(36) while Secret.reset_token_unique?(token)==false
+      token
+    end
+
+    private
+	
+  	# before_save filter
+  	def encrypt_secret
+      # TODO: (DK) make sure this works for old encryption changes and new records, etc
+      secret = new_record? ? self.secret : self.secret_value
+      if self.reset_token
+        self.secret_value = secret
+        self.enc_type = RESET_TOKEN
+      elsif self.enc_type==SSO_TOKEN
+        self.secret_value = secret
+        self.enc_type = SSO_TOKEN
+      else
+    	  self.secret_value = BCrypt::Password.create(secret)
+        self.enc_type = "BCRYPT"
+      end
+  	end
+
+    def set_sso_token; self.secret_value = secret; end
+	
+  	def matches_previous_secret?(secret_string)
+      return false unless new_record?
+  	  return if !auth_user || auth_user.new_record? # || !Account.enhanced_secret_protection_enabled?(user.account_id) TODO: still necessary?
+  	  past_secrets = auth_user.secrets.where("id IS NOT NULL and created_at > '#{Time.now.utc - RESTRICTION_PERIOD.year}'")
+  	  past_secrets.detect { |past_secret| past_secret.matches?(secret_string) }
+  	end
+
+    # TODO: (DK) remove when no longer needed
+    # def set_auth_user_id
+    #   self.auth_user_id ||= auth_user.id
+    # end
+  end
+end

data/app/views/fortifier/notifier_mailer/account_ip_blocked.html.erb

@@ -0,0 +1,30 @@
+<!-- TODO: (DK) make appropriate changes here to specify generic address and no specific app (including logo) -->
+
+<html style="font-family:helvetica,arial,sans-serif; color:#888">
+  <head>
+    <title>Security Alert</title>
+  </head>
+  <body>
+    <div style="border-bottom:3px solid #AFAFAF;padding:0 20px 10px 20px;position:relative;height:52px;min-width:340px">
+      <h1 style="font-size:23px;color:#7F8084;line-height:52px;margin:0;padding:0;">abaqis Security Alert</h1>
+      <img style="position:absolute;right:20px;top:0" src="http://www.providigm.com/wp-content/uploads/2011/08/abaqis_logo_transparent2.png"/>
+    </div>
+    <div style="padding:0 20px;font-size:14px;position:relative;color:#404040;overflow:hidden;min-width:340px">
+      <div style="width:340px;padding:10px 20px 10px 0;float:left;">
+        <h2 style="font-size:16px;margin:2% 0 1% 0;">IP Block</h2>
+        <p style="line-height:18px">At <%=Time.now.in_time_zone(DISPLAY_TIME_ZONE).strftime("%m/%-d/%Y %H:%M:%S")%> MST we detected numerous failed attempts to access your account. The sudden increase in failed logins indicates the possibility that an unauthorized party is trying to gain access to your account.</p>
+        <p style="line-height:18px">To protect you from potentially fraudulent activity, we've placed a 10 minute block on the IP address(es) from where the login attempts originated: </p>
+        <p style="line-height:18px"><%= @remote_addr %></p>
+        <p style="line-height:18px">Access will be restored at <strong><%=(Time.now+600).in_time_zone(DISPLAY_TIME_ZONE).strftime("%m/%-d/%Y %H:%M:%S")%> MST</strong>.</p>
+        <p style="line-height:18px"> –– The Providigm team</p>
+      </div>
+      <p style="width:179px;float:left;font-size:12px;line-height:20px;border-left:1px solid #ddd;padding-left:20px;">
+        <strong>Need further assistance?</strong><br/>
+        Client Support<br/>
+        <strong>866-922-8655</strong><br/>
+        <a href="mailto:abaqis_support@providigm.com" style="color:#369">abaqis_support@providigm.com</a><br/>
+      </p>
+    </div>
+  </body>
+</html>
+

data/app/views/fortifier/notifier_mailer/account_ip_blocked_providigm.html.erb

@@ -0,0 +1,20 @@
+<!-- TODO: (DK) make appropriate changes here to specify generic address and no specific app (including logo) -->
+
+<html style="font-family:helvetica,arial,sans-serif; color:#888">
+  <head>
+    <title>Security Alert</title>
+  </head>
+  <body>
+    <div style="border-bottom:3px solid #AFAFAF;padding:0 20px 10px 20px;position:relative;height:52px;min-width:340px">
+      <h1 style="font-size:23px;color:#7F8084;line-height:52px;margin:0;padding:0;">abaqis Security Alert</h1>
+      <img style="position:absolute;right:20px;top:0" src="http://www.providigm.com/wp-content/uploads/2011/08/abaqis_logo_transparent2.png"/>
+    </div>
+    <div style="padding:0 20px;font-size:14px;position:relative;color:#404040;overflow:hidden;min-width:340px">
+      <div style="width:340px;padding:10px 20px 10px 0;float:left;">
+        <h2 style="font-size:16px;margin:2% 0 1% 0;">IP Block - <%= @account[:organization] || @account[:name] %></h2>
+        <p style="line-height:18px">At <%=Time.now.in_time_zone(DISPLAY_TIME_ZONE).strftime("%m/%-d/%Y %H:%M:%S")%> MST we blocked access to the following IP(s) for 10 minutes:</p>
+        <p style="line-height:18px"><%= @remote_addr %></p>
+      </div>
+    </div>
+  </body>
+</html>

data/app/views/fortifier/notifier_mailer/exception_notification.html.erb

@@ -0,0 +1,88 @@
+<%
+user = User.find_by_id(@request.session[:user_id]) 
+prov_user = User.where(id: @request.session[:sudoer]).first if @request.session[:sudo]
+facility = Facility.find_by_id(@request.session[:facility_id])
+def filter_params(params)
+  (params && params["password"]) ? params.merge!({"password"=>"*******"}) : params
+  (params && params["password_confirmation"]) ? params.merge!({"password_confirmation"=>"*******"}) : params
+  (params && params["current"]) ? params.merge!({"current"=>"*******"}) : params
+  (params && params["user"] && params["user"]["password"]) ? params["user"].merge!({"password"=>"*******"}) : params
+  (params && params["user"] && params["user"]["password_confirmation"]) ? params["user"].merge!({"password_confirmation"=>"*******"}) : params
+end
+%>
+<img src="http://<%= @request.env["HTTP_HOST"] %>/images/kablooie.gif"/>
+
+<h1>Transcendent Kablooie!!!</h1>
+<p><strong>Something just blew up at:</strong> http://<%= @request.env["HTTP_HOST"] %></p>
+
+<table border="0" cellpadding="5" cellspacing="0">
+  <tr>
+    <td>Facility:</td>
+    <td><%= "(#{facility.id}) #{facility.name}" if facility %></td>
+  </tr>
+  <tr>
+    <td>Account (:</td>
+    <td><%= "(#{user.account.id}) #{user.account.organization}" if user%></td>
+  </tr>
+  <tr>
+    <td>User:</td>
+    <td><%= "(#{user.id}) #{user.login}" if user%><%= " - via (#{prov_user.id}) #{prov_user.login}" if prov_user %></td>
+  </tr>
+  <tr>
+    <td>Exception Message:</td>
+    <td><%= @exception.message if @exception%></td>
+  </tr>
+  <tr>
+    <td>Controller:</td>
+    <td><%= @request.params["controller"].to_s if controller%></td>
+  </tr>
+  <tr>
+    <td>Action:</td>
+    <td><%= @request.params["action"].to_s.capitalize if controller %></td>
+  </tr>
+  <tr>
+    <td>Params:</td>
+    <td><%= filter_params(@request.params) if @request %></td>
+  </tr>
+<% if @request && @request.headers -%>
+  <tr>
+    <td>Accept:</td>
+    <td><%= @request.headers["Accept"] %></td>
+  </tr>
+  <tr>
+    <td>Request Method:</td>
+    <td><%= @request.headers["REQUEST_METHOD"] %></td>
+  </tr>
+  <tr>
+    <td>Content Type:</td>
+    <td><%= @request.headers["CONTENT_TYPE"] %></td>
+  </tr>
+  <tr>
+    <td>Request URI:</td>
+    <td><%= @request.headers["REQUEST_URI"] %></td>
+  </tr>
+  <tr>
+    <td>User Agent:</td>
+    <td><%= @request.headers["HTTP_USER_AGENT"] %></td>
+  </tr>
+  <tr>
+    <td>Remote IP:</td>
+    <td><%= @request.headers["REMOTE_ADDR"] %></td>
+  </tr>
+  <tr>
+    <td>Http X Request:</td>
+    <td><%= @request.headers["X_REQUESTED_WITH"] %></td>
+  </tr>
+  <tr>
+    <td>Request Time (UTC):</td>
+    <td><%= Time.now.utc.to_s %></td>
+  </tr>
+  <tr>
+    <td>Request Time (Mountain):</td>
+    <td><%= Time.now.in_time_zone(DISPLAY_TIME_ZONE) %></td>
+  </tr>
+<% end -%>
+</table>
+
+<p><strong>Exception Backtrace:</strong></p>
+<%= @exception.backtrace.join("<br />\n").html_safe if @exception %> <%# DS Verified XSS potential; nothing bad in back trace %>

data/app/views/fortifier/notifier_mailer/foreign_access.html.erb

@@ -0,0 +1,22 @@
+<html style="font-family:helvetica,arial,sans-serif; color:#888">
+  <head>
+    <title>abaqis Security Alert</title>
+  </head>
+  <body>
+    <div style="border-bottom:3px solid #AFAFAF;padding:0 20px 10px 20px;position:relative;height:52px;min-width:340px">
+      <h1 style="font-size:23px;color:#7F8084;line-height:52px;margin:0;padding:0;">abaqis Security Alert</h1>
+      <img style="position:absolute;right:20px;top:0" src="http://www.providigm.com/wp-content/uploads/2011/08/abaqis_logo_transparent2.png"/>
+    </div>
+    <div style="padding:0 20px;font-size:14px;position:relative;color:#404040;overflow:hidden;min-width:340px">
+      <div style="width:340px;padding:10px 20px 10px 0;float:left;">
+        <h2 style="font-size:16px;margin:2% 0 1% 0;">abaqis&reg; foreign IP access attempt - <%#TODO: (DK) fix reference to account = @user.account.organization || @user.account.name %></h2>
+        <p>Foreign IP access attempt at: <%#TODO: (DK) fix reference to Abaqis = Abaqis.get_host_uri %></p>
+        <p style="line-height:18px">At <%#TODO: (DK) fix reference to constant =Time.now.in_time_zone(DISPLAY_TIME_ZONE).strftime("%m/%-d/%Y %H:%M:%S")%> MST there was an attempt to access abaqis from a foreign IP address.</p>
+        <p style="line-height:18px">User: <%= @user.try(:login) %></p>
+        <p style="line-height:18px">Organization: <%#TODO: (DK) fix reference to account = @user.account.organization || @user.account.name %></p>
+        <p style="line-height:18px">IP: <%= @visitor_log.try(:remote_addr) %></p>
+        <p style="line-height:18px">Country Code: <%= @visitor_log.try(:country) %></p>
+      </div>
+    </div>
+  </body>
+</html>

data/app/views/fortifier/notifier_mailer/password_expiration.html.erb

@@ -0,0 +1,28 @@
+<% url  = defined?(HOST_URI) ? HOST_URI : "http://abaqis.com" %>
+<% path = url + new_password_path + "?pu=t" %>
+<html style="font-family:helvetica,arial,sans-serif; color:#888">
+  <head>
+    <title>Password Expiration Notice</title>
+  </head>
+  <body>
+    <div style="border-bottom:3px solid #AFAFAF;padding:0 20px 10px 20px;position:relative;height:52px;min-width:340px">
+        <img style="position:absolute;right:20px;top:0" src="http://www.providigm.com/wp-content/uploads/2011/08/abaqis_logo_transparent2.png"/>
+    </div>
+    <div style="padding:0 20px;font-size:14px;position:relative;color:#404040;overflow:hidden;min-width:340px">
+      <div style="width:340px;padding:10px 20px 10px 0;float:left;">
+        <h2 style="font-size:16px;margin:2% 0 1% 0;">Password Expiration Notice</h2>
+        <p style="line-height:18px">Your abaqis password will expire on <%= @pw_expiration_date.strftime("%B %d, %Y") %>.</p>
+        <p style="line-height:18px">You can change your password by clicking on the link below or by copying and pasting it into your browser's address bar.</p>
+        <p style="line-height:18px">Password reset:<br/>
+          <a href='<%= path %>'><%= path %></a></p>
+        <p style ="line-height:18px">–– The abaqis team</p>
+      </div>
+      <p style="width:179px;float:left;font-size:12px;line-height:20px;border-left:1px solid #ddd;padding-left:20px;">
+        <strong>Need further assistance?</strong><br/>
+        Client Support<br/>
+        <strong>866-922-8655</strong><br/>
+        <a href="mailto:abaqis_support@providigm.com" style="color:#369">abaqis_support@providigm.com</a><br/>
+      </p>
+    </div>
+  </body>
+</html>

data/app/views/fortifier/notifier_mailer/password_reset_token.html.erb

@@ -0,0 +1,28 @@
+<% url = defined?(HOST_URI) ? HOST_URI : "http://abaqis.com" %>
+<html style="font-family:helvetica,arial,sans-serif; color:#888">
+  <head>
+    <title>abaqis Support Request</title>
+  </head>
+  <body>
+    <div style="border-bottom:3px solid #AFAFAF;padding:0 20px 10px 20px;position:relative;height:52px;min-width:340px">
+        <h1 style="font-size:23px;color:#7F8084;line-height:52px;margin:0;padding:0;">Support Request</h1>
+        <img style="position:absolute;right:20px;top:0" src="http://www.providigm.com/wp-content/uploads/2011/08/abaqis_logo_transparent2.png"/>
+    </div>
+    <div style="padding:0 20px;font-size:14px;position:relative;color:#404040;overflow:hidden;min-width:340px">
+      <div style="width:340px;padding:10px 20px 10px 0;float:left;">
+        <h2 style="font-size:16px;margin:2% 0 1% 0;">abaqis Password Reset</h2>
+        <p style="line-height:18px">A request to change your password was made at <%= format_time_12hr(Time.now) %> MST on <%= format_date_long(Date.today) %>, from IP address <%= @request.try(:remote_ip) %>.</p>
+        <p style="line-height:18px">If you want to keep your current password, please disregard this message.</p>
+        <p style="line-height:18px">To change your password, please click the link below or copy and paste it into your browser's address bar:</p>
+        <p style="line-height:18px"><a href="<%= url + "/setpw?token=#{@user.token}" %>" style="color:#369"><%= url + "/setpw?token=#{@user.token}" %></a></p>
+        <p style ="line-height:18px">The abaqis team</p>
+      </div>
+      <p style="width:179px;float:left;font-size:12px;line-height:20px;border-left:1px solid #ddd;padding-left:20px;">
+        <strong>Need further assistance?</strong><br/>
+        Client Support<br/>
+        <strong>866-922-8655</strong><br/>
+        <a href="mailto:abaqis_support@providigm.com" style="color:#369">abaqis_support@providigm.com</a><br/>
+      </p>
+    </div>
+  </body>
+</html>