perimeter_x 1.0.4.pre.alpha → 1.0.4

data/lib/perimeterx/internal/perimeter_x_context.rb

@@ -1,74 +1,82 @@
 require 'perimeterx/utils/px_logger'
 
-class PerimeterXContext
-  L = PxLogger.instance
+module PxModule
+  class PerimeterXContext
 
-  attr_accessor :context
-  attr_accessor :px_config
+    attr_accessor :context
+    attr_accessor :px_config
 
-  def initialize(px_config, req)
-    L.info("PerimeterXContext: initialize")
-    @context = Hash.new
+    def initialize(px_config, req)
+      @logger = px_config[:logger];
+      @logger.debug("PerimeterXContext[initialize] ")
+      @context = Hash.new
 
-    @context[:px_cookies] = Hash.new
-    @context[:headers] = Hash.new
-    cookies = req.cookies
-    if (!cookies.empty?)
-      # Prepare hashed cookies
-      cookies.each do |k,v|
-        case k
-          when"_px3"
-            @context[:px_cookies] = v
-          when "_px"
-            @context[:px_cookies] = v
-          when "_pxCaptcha"
-            @context[:px_captcha] = v
+      @context[:px_cookie] = Hash.new
+      @context[:headers] = Hash.new
+      cookies = req.cookies
+      if (!cookies.empty?)
+        # Prepare hashed cookies
+        cookies.each do |k, v|
+          case k.to_s
+            when "_px3"
+              @context[:px_cookie][:v3] = v
+            when "_px"
+              @context[:px_cookie][:v1] = v
+            when "_pxCaptcha"
+              @context[:px_captcha] = v
+          end
+        end #end case
+      end #end empty cookies
+
+      req.headers.each do |k, v|
+        if (k.start_with? "HTTP_")
+          header = k.to_s.gsub("HTTP_", "")
+          header = header.gsub("_", "-").downcase
+          @context[:headers][header.to_sym] = v
         end
-      end #end case
-    end#end empty cookies
+      end #end headers foreach
+
+      @context[:hostname]= req.server_name
+      @context[:user_agent] = req.user_agent ? req.user_agent : ''
+      @context[:uri] = px_config[:custom_uri] ? px_config[:custom_uri].call(req)  : req.headers['REQUEST_URI']
+      @context[:full_url] = req.original_url
+      @context[:score] = 0
 
-    @context[:start_time] = DateTime.now.strftime('%Q')
-    req.headers.each do |k,v|
-      if(k.start_with? "HTTP_")
-        header = k.to_s.gsub("HTTP_","")
-        header = header.gsub("_","-").downcase
-        @context[:headers][header.to_sym] = v
+      if px_config.key?(:custom_user_ip)
+        @context[:ip] = req.headers[px_config[:custom_user_ip]]
+      elsif px_config.key?(:px_custom_user_ip_method)
+        @context[:ip] = px_config[:px_custom_user_ip_method].call(req)
+      else
+        @context[:ip] = req.ip
       end
-    end#end headers foreach
 
-    @context[:hostname]= req.headers['HTTP_HOST']
-    @context[:user_agent] = req.headers['HTTP_USER_AGENT'] ? req.headers['HTTP_USER_AGENT'] : ''
-    @context[:uri] = px_config[:custom_uri] ? px_config[:custom_uri]  : req.headers['REQUEST_URI']
-    @context[:full_url] = self_url(req)
-    @context[:score] = 0
+      if req.server_protocol
+          httpVer = req.server_protocol.split("/")
+          if httpVer.size > 0
+              @context[:http_version] = httpVer[1];
+          end
+      end
+      @context[:http_method] = req.method
 
-    if px_config.key?('custom_user_ip')
-      @context[:ip] = px_config['custom_user_ip']
-    elsif px_config.key?('px_custom_user_ip_method')
-      puts "px_custom_user_ip_method triggered"
-      @context[:ip] = px_config['px_custom_user_ip_method'].call(req)
-    else
-      @context[:ip] = req.headers['REMOTE_ADDR'];
-    end
+    end #end init
 
-    if req.headers['SERVER_PROTOCOL']
-        httpVer = req.headers['SERVER_PROTOCOL'].split("/")
-        if httpVer.size > 0
-            @context[:http_version] = httpVer[1];
+    def set_block_action_type(action)
+      @context[:block_action] = case action
+        when "c"
+          "captcha"
+        when "b"
+          return "block"
+        when "j"
+          return "challenge"
+        else
+          return "captcha"
         end
     end
-    @context[:http_method] = req.headers['REQUEST_METHOD'];
 
-  end #end init
+    def get_px_cookie
+      cookie = @context[:px_cookie].key?(:v3) ? @context[:px_cookie][:v3] : @context[:px_cookie][:v1]
+      return cookie.tr(' ','+') if !cookie.nil?
+    end
 
-  def self_url(req)
-    s = req.headers.key?('HTTPS') && req.headers['HTTPS'] == "on" ? "s" : "" #check if HTTPS or HTTP
-    l = req.headers['SERVER_PROTOCOL'].downcase #get protocol and downcase it
-    protocol = "#{l[0,l.index('/')]}#{s}#{l[(l.index('/') ),l.size]}" #concat http{s}:/x.y
-    port = (req.headers["SERVER_PORT"] != "80") ? ":#{req.headers["SERVER_PORT"]}" : ""
-    return "#{l}://#{req.headers['HTTP_HOST']}#{@uri}" #concant str
   end
-
-  private :self_url
-
-end #end class
+end

data/lib/perimeterx/internal/perimeter_x_cookie.rb

@@ -0,0 +1,140 @@
+require 'active_support/security_utils'
+require 'base64'
+require 'openssl'
+require 'perimeterx/internal/exceptions/px_cookie_decryption_exception'
+
+module PxModule
+  class PerimeterxCookie
+    attr_accessor :px_cookie, :px_config, :px_ctx, :cookie_secret, :decoded_cookie
+
+    def initialize(px_config)
+      @px_config = px_config
+      @logger = px_config[:logger]
+    end
+
+    def self.px_cookie_factory(px_ctx, px_config)
+      if (px_ctx.context[:px_cookie].key?(:v3))
+        return PerimeterxCookieV3.new(px_config, px_ctx)
+      end
+      return PerimeterxCookieV1.new(px_config, px_ctx)
+    end
+
+    def cookie_score
+      #abstract, must be implemented
+      raise Exception.new("Unimplemented method")
+    end
+
+    def cookie_hmac
+      #abstract, must be implemented
+      raise Exception.new("Unimplemented method")
+    end
+
+    def valid_format?(cookie)
+      #abstract, must be implemented
+      raise Exception.new("Unimplemented method")
+    end
+
+    def cookie_block_action
+      #abstract, must be implemented
+      raise Exception.new("Unimplemented method")
+    end
+
+    def secured?
+      #abstract, must be implemented
+      raise Exception.new("Unimplemented method")
+    end
+
+    def is_valid?
+      return deserialize && !expired? && secured?
+    end
+
+    def cookie_time
+      return @decoded_cookie[:t]
+    end
+
+    def cookie_uuid
+      return @decoded_cookie[:u]
+    end
+
+    def cookie_vid
+      return @decoded_cookie[:v]
+    end
+
+    def high_score?
+      return cookie_score >= @px_config[:blocking_score]
+    end
+
+    def expired?
+      return cookie_time < (Time.now.to_f*1000).floor
+    end
+
+
+    def deserialize
+      if (!@decoded_cookie.nil?)
+        return true
+      end
+
+      # Decode or decrypt, depends on configuration
+      if (@px_config[:encryption_enabled])
+        cookie = decrypt(@px_cookie)
+      else
+        cookie = decode(@px_cookie)
+      end
+
+      if (cookie.nil?)
+        return false
+      end
+
+      if (!valid_format?(cookie))
+        return false
+      end
+
+      @decoded_cookie = cookie
+
+      return true
+    end
+
+
+    def decrypt(px_cookie)
+      begin
+        if (px_cookie.nil?)
+          return
+        end
+        px_cookie = px_cookie.gsub(' ', '+')
+        salt, iterations, cipher_text = px_cookie.split(':')
+        iterations = iterations.to_i
+        salt = Base64.decode64(salt)
+        cipher_text = Base64.decode64(cipher_text)
+        digest = OpenSSL::Digest::SHA256.new
+        value = OpenSSL::PKCS5.pbkdf2_hmac(@px_config[:cookie_key], salt, iterations, 48, digest)
+        key = value[0..31]
+        iv = value[32..-1]
+        cipher = OpenSSL::Cipher::AES256.new(:CBC)
+        cipher.decrypt
+        cipher.key = key
+        cipher.iv = iv
+        plaintext = cipher.update(cipher_text) + cipher.final
+
+        return eval(plaintext)
+      rescue Exception => e
+        @logger.debug("PerimeterxCookie[decrypt]: Cookie decrypt fail #{e.message}")
+        raise PxCookieDecryptionException.new("Cookie decrypt fail => #{e.message}");
+      end
+    end
+
+    def decode(px_cookie)
+      return eval(Base64.decode64(px_cookie))
+    end
+
+
+    def hmac_valid?(hmac_str, cookie_hmac)
+      hmac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA256.new, @cookie_secret, hmac_str)
+      # ref: https://thisdata.com/blog/timing-attacks-against-string-comparison/
+      password_correct = ActiveSupport::SecurityUtils.secure_compare(
+      ::Digest::SHA256.hexdigest(cookie_hmac),
+      ::Digest::SHA256.hexdigest(hmac)
+      )
+
+    end
+  end
+end

data/lib/perimeterx/internal/perimeter_x_cookie_v1.rb

@@ -0,0 +1,42 @@
+module PxModule
+  class PerimeterxCookieV1 < PerimeterxCookie
+
+    attr_accessor :px_config, :px_ctx
+
+    def initialize(px_config, px_ctx)
+      super(px_config)
+      @px_ctx = px_ctx
+      @px_cookie = px_ctx.get_px_cookie
+      @cookie_secret = px_config[:cookie_key]
+      @logger.debug("PerimeterxCookieV1[initialize]")
+    end
+
+    def cookie_score
+      return @decoded_cookie[:s][:b]
+    end
+
+    def cookie_hmac
+      return @decoded_cookie[:h]
+    end
+
+    def valid_format?(cookie)
+      return cookie.key?(:t) && cookie.key?(:s) && cookie[:s].key?(:b) && cookie.key?(:s) && cookie.key?(:v) && cookie.key?(:h)
+    end
+
+    def cookie_block_action
+      return 'c'
+    end
+
+    def secured?
+      base_hmac_str = "#{cookie_time}#{@decoded_cookie[:s][:a]}#{cookie_score}#{cookie_uuid}#{cookie_vid}"
+
+      hmac_str_withip = "#{base_hmac_str}#{@px_ctx.context[:ip]}#{@px_ctx.context[:user_agent]}"
+
+      hmac_str_withoutip = "#{base_hmac_str}#{@px_ctx.context[:user_agent]}"
+
+      return (hmac_valid?(hmac_str_withoutip, cookie_hmac) || hmac_valid?(hmac_str_withip, cookie_hmac))
+    end
+
+  end
+
+end

data/lib/perimeterx/internal/perimeter_x_cookie_v3.rb

@@ -0,0 +1,37 @@
+module PxModule
+  class PerimeterxCookieV3 < PerimeterxCookie
+
+    attr_accessor :px_config, :px_ctx, :cookie_hash
+
+    def initialize(px_config, px_ctx)
+      super(px_config)
+      hash, cookie = px_ctx.get_px_cookie().split(':', 2)
+      @px_cookie = cookie
+      @cookie_hash = hash
+      @px_ctx = px_ctx
+      @cookie_secret = px_config[:cookie_key]
+      @logger.debug("PerimeterxCookieV3[initialize]")
+    end
+
+    def cookie_score
+      return @decoded_cookie[:s]
+    end
+
+    def cookie_hmac
+      return @cookie_hash
+    end
+
+    def valid_format?(cookie)
+      return cookie.key?(:t) && cookie.key?(:s) && cookie.key?(:u) && cookie.key?(:u) && cookie.key?(:a)
+    end
+
+    def cookie_block_action
+      @decoded_cookie[:a]
+    end
+
+    def secured?
+      hmac_string = "#{@px_cookie}#{@px_ctx.context[:user_agent]}"
+      return hmac_valid?(hmac_string, cookie_hmac)
+    end
+  end
+end

data/lib/perimeterx/internal/validators/perimeter_x_captcha_validator.rb

@@ -0,0 +1,65 @@
+require 'perimeterx/internal/clients/perimeter_x_risk_client'
+
+module PxModule
+  class PerimeterxCaptchaValidator < PerimeterxRiskClient
+
+    def initialize(px_config, http_client)
+      super(px_config, http_client)
+    end
+
+    def send_captcha_request(vid, uuid, captcha, px_ctx)
+
+      request_body = {
+        :request => {
+          :ip => px_ctx.context[:ip],
+          :headers => format_headers(px_ctx),
+          :uri => px_ctx.context[:uri]
+        },
+        :pxCaptcha => captcha,
+        :vid => vid,
+        :uuid => uuid,
+        :hostname => px_ctx.context[:hostname]
+      }
+
+      # Prepare request
+      headers = {
+          "Authorization" => "Bearer #{@px_config[:auth_token]}" ,
+          "Content-Type" => "application/json"
+      };
+
+      return @http_client.post(PxModule::API_V1_CAPTCHA, request_body, headers, @px_config[:api_timeout])
+
+    end
+
+    def verify(px_ctx)
+      captcha_validated = false
+      begin
+        if(!px_ctx.context.key?(:px_captcha))
+          return captcha_validated, px_ctx
+        end
+        captcha, vid, uuid = px_ctx.context[:px_captcha].split(':', 3)
+        if captcha.nil? || vid.nil? || uuid.nil?
+          return captcha_validated, px_ctx
+        end
+
+        px_ctx.context[:vid] = vid
+        px_ctx.context[:uuid] = uuid
+        response = send_captcha_request(vid, uuid, captcha, px_ctx)
+
+        if (response.status_code == 200)
+          response_body = eval(response.body)
+          if ( response_body[:status] == 0 )
+            captcha_validated = true
+          end
+        end
+
+        return captcha_validated, px_ctx
+
+      rescue Exception => e
+        @logger.error("PerimeterxCaptchaValidator[verify]: failed, returning false")
+        return captcha_validated, px_ctx
+      end
+    end
+
+  end
+end

data/lib/perimeterx/internal/validators/perimeter_x_cookie_validator.rb

@@ -0,0 +1,70 @@
+require 'perimeterx/utils/px_constants'
+require 'perimeterx/internal/perimeter_x_cookie'
+require 'perimeterx/internal/perimeter_x_cookie_v1'
+require 'perimeterx/internal/perimeter_x_cookie_v3'
+
+module PxModule
+  class PerimeterxCookieValidator
+
+    attr_accessor :px_config
+
+    def initialize(px_config)
+      @px_config = px_config
+      @logger = px_config[:logger]
+    end
+
+
+    def verify(px_ctx)
+      begin
+        # Case no cookie
+        if px_ctx.context[:px_cookie].empty?
+          @logger.warn("PerimeterxCookieValidator:[verify]: cookie not found")
+          px_ctx.context[:s2s_call_reason] = PxModule::NO_COOKIE
+          return false, px_ctx
+        end
+
+        # Deserialize cookie start
+        cookie = PerimeterxCookie.px_cookie_factory(px_ctx, @px_config)
+        if (!cookie.deserialize())
+          @logger.warn("PerimeterxCookieValidator:[verify]: invalid cookie")
+          px_ctx.context[:s2s_call_reason] =  PxModule::COOKIE_DECRYPTION_FAILED
+          return false, px_ctx
+        end
+        px_ctx.context[:decoded_cookie] = cookie.decoded_cookie
+        px_ctx.context[:score] = cookie.cookie_score()
+        px_ctx.context[:uuid] = cookie.decoded_cookie[:u]
+        px_ctx.context[:vid] = cookie.decoded_cookie[:v]
+        px_ctx.context[:block_action] = px_ctx.set_block_action_type(cookie.cookie_block_action())
+        px_ctx.context[:cookie_hmac] = cookie.cookie_hmac()
+
+        if (cookie.expired?)
+          @logger.warn("PerimeterxCookieValidator:[verify]: cookie expired")
+          px_ctx.context[:s2s_call_reason] = PxModule::EXPIRED_COOKIE
+          return false, px_ctx
+        end
+
+        if (cookie.high_score?)
+          @logger.warn("PerimeterxCookieValidator:[verify]: cookie high score")
+          px_ctx.context[:s2s_call_reason] = PxModule::COOKIE_HIGH_SCORE
+          return true, px_ctx
+        end
+
+        if (!cookie.secured?)
+          @logger.warn("PerimeterxCookieValidator:[verify]: cookie invalid hmac")
+          px_ctx.context[:s2s_call_reason] = PxModule::COOKIE_VALIDATION_FAILED
+          return false, px_ctx
+        end
+
+        @logger.debug("PerimeterxCookieValidator:[verify]: cookie validation passed succesfully")
+
+        return true, px_ctx
+      rescue Exception => e
+        @logger.error("PerimeterxCookieValidator:[verify]: exception while verifying cookie => #{e.message}")
+        px_ctx.context[:px_orig_cookie] = cookie.px_cookie
+        px_ctx.context[:s2s_call_reason] = PxModule::COOKIE_DECRYPTION_FAILED
+        return false, px_ctx
+      end
+    end
+
+  end
+end

data/lib/perimeterx/internal/validators/perimeter_x_s2s_validator.rb

@@ -0,0 +1,114 @@
+require 'perimeterx/internal/clients/perimeter_x_risk_client'
+
+module PxModule
+  class PerimeterxS2SValidator < PerimeterxRiskClient
+
+    def initialize(px_config, http_client)
+      super(px_config, http_client)
+      @logger.debug("PerimeterxS2SValidator[initialize]")
+    end
+
+    def send_risk_request(px_ctx)
+      @logger.debug("PerimeterxS2SValidator[send_risk_request]: send_risk_request")
+
+      risk_mode = PxModule::RISK_MODE_ACTIVE
+      if @px_config[:module_mode] == PxModule::MONITOR_MODE
+        risk_mode = PxModule::RISK_MODE_MONITOR
+      end
+
+      request_body = {
+        :request => {
+          :ip      => px_ctx.context[:ip],
+          :headers => format_headers(px_ctx),
+          :uri     => px_ctx.context[:uri],
+          :url     => px_ctx.context[:full_url]
+        },
+        :additional => {
+          :s2s_call_reason => px_ctx.context[:s2s_call_reason],
+          :module_version => @px_config[:sdk_name],
+          :http_method => px_ctx.context[:http_method],
+          :http_version => px_ctx.context[:http_version],
+          :risk_mode => risk_mode
+        }
+      }
+      #Check for hmac
+      @logger.debug("px_ctx cookie_hmac key = #{px_ctx.context.key?(:cookie_hmac)}, value is: #{px_ctx.context[:cookie_hmac]}")
+      if px_ctx.context.key?(:cookie_hmac)
+        request_body[:additional][:px_cookie_hmac] = px_ctx.context[:cookie_hmac]
+      end
+
+
+      #Check for VID
+      if px_ctx.context.key?(:vid)
+        request_body[:vid] = px_ctx.context[:vid]
+      end
+
+      #Check for uuid
+      if px_ctx.context.key?(:uuid)
+        request_body[:uuid] = px_ctx.context[:uuid]
+      end
+
+      #S2S Call reason
+      decode_cookie_reasons = [PxModule::EXPIRED_COOKIE, PxModule::COOKIE_VALIDATION_FAILED]
+      if ( px_ctx.context[:s2s_call_reason] == PxModule::COOKIE_DECRYPTION_FAILED )
+        @logger.debug("PerimeterxS2SValidator[send_risk_request]: attaching px_orig_cookie to request")
+        request_body[:additional][:px_orig_cookie] = px_ctx.context[:px_orig_cookie]
+      elsif decode_cookie_reasons.include? (px_ctx.context[:s2s_call_reason])
+        if (px_ctx.context.key?(:decoded_cookie))
+          request_body[:additional][:px_cookie] = px_ctx.context[:decoded_cookie]
+        end
+      end
+
+      # Prepare request
+      headers = {
+          "Authorization" => "Bearer #{@px_config[:auth_token]}" ,
+          "Content-Type" => "application/json"
+      };
+
+      # Custom risk handler
+      if (risk_mode == PxModule::ACTIVE_MODE && @px_config.key?(:custom_risk_handler))
+        response = @px_config[:custom_risk_handler].call(PxModule::API_V2_RISK, request_body, headers, @px_config[:api_timeout])
+      else
+        response = @http_client.post(PxModule::API_V2_RISK , request_body, headers)
+      end
+      return response
+    end
+
+    def verify(px_ctx)
+      @logger.debug("PerimeterxS2SValidator[verify]")
+      response = send_risk_request(px_ctx)
+      if (!response)
+        return px_ctx
+      end
+      px_ctx.context[:made_s2s_risk_api_call] = true
+
+      # From here response should be valid, if success or error
+      response_body = eval(response.content);
+      # When success
+      if (response.status == 200 && response_body.key?(:score) && response_body.key?(:action))
+        @logger.debug("PerimeterxS2SValidator[verify]: response ok")
+        score = response_body[:score]
+        px_ctx.context[:score] = score
+        px_ctx.context[:uuid] = response_body[:uuid]
+        px_ctx.context[:block_action] = px_ctx.set_block_action_type(response_body[:action])
+        if (response_body[:action] == 'j' && response_body.key?(:action_data) && response_body[:action_data].key?(:body))
+          px_ctx.context[:block_action_data] = response_body[:action_data][:body]
+          px_ctx.context[:blocking_reason] = 'challenge'
+        elsif (score >= @px_config[:blocking_score])
+          px_ctx.context[:blocking_reason] = 's2s_high_score'
+        end #end challange or blocking score
+      end #end success response
+
+      # When error
+      if(response.status != 200)
+        @logger.warn("PerimeterxS2SValidator[verify]: bad response, return code #{response.code}")
+        px_ctx.context[:uuid] = ""
+        px_ctx.context[:s2s_error_msg] = response_body[:message]
+      end
+
+      @logger.debug("PerimeterxS2SValidator[verify]: done")
+      return px_ctx
+    end #end method
+
+  end
+end

data/lib/perimeterx/utils/px_constants.rb

@@ -0,0 +1,44 @@
+require 'perimeterx/version'
+
+module PxModule
+  # Misc
+  MONITOR_MODE = 1
+  ACTIVE_MODE = 2
+  RISK_MODE_ACTIVE = "active_blocking"
+  RISK_MODE_MONITOR = "monitor"
+  SDK_NAME = "RUBY SDK v#{PxModule::VERSION}"
+
+  # Routes
+  API_V1_S2S = "/api/v1/collector/s2s"
+  API_V1_CAPTCHA = "/api/v1/risk/captcha"
+  API_V2_RISK = "/api/v2/risk"
+
+  # Activity Types
+  BLOCK_ACTIVITY = "block"
+  PAGE_REQUESTED_ACTIVITY = "page_requested"
+
+  # PxContext
+  NO_COOKIE = "no_cookie"
+  INVALID_COOKIE = "invalid_cookie"
+  EXPIRED_COOKIE = "cookie_expired"
+  COOKIE_HIGH_SCORE = "cookie_high_score"
+  COOKIE_VALIDATION_FAILED = "cookie_validation_failed"
+  COOKIE_DECRYPTION_FAILED = "cookie_decryption_failed"
+
+  # Templates
+  BLOCK_TEMPLATE = "block.mustache"
+  CAPTCHA_TEMPLATE = "captcha.mustache"
+
+  # Tempalte Props
+  PROP_REF_ID = :refId
+  PROP_APP_ID = :appId
+  PROP_VID = :vid
+  PROP_UUID = :uuid
+  PROP_LOGO_VISIBILITY = :logoVisibility
+  PROP_CUSTOM_LOGO = :customLogo
+  PROP_CSS_REF = :cssRef
+  PROP_JS_REF = :jsRef
+
+  VISIBLE = 'visible'
+  HIDDEN = 'hidden'
+end