perimeter_x 1.0.6.pre.alpha → 2.0.0

data/lib/perimeterx/configuration.rb

@@ -1,30 +1,42 @@
-module PerimeterX
+require 'perimeterx/utils/px_logger'
+require 'perimeterx/utils/px_constants'
+
+module PxModule
   class Configuration
 
     attr_accessor :configuration
     attr_accessor :PX_DEFAULT
-    attr_accessor :MONITOR_MODE
-    attr_accessor :ACTIVE_MODE
-
-    MONITOR_MODE = 1
-    ACTIVE_MODE = 2
 
     PX_DEFAULT = {
-      "app_id"                   => nil,
-      "auth_token"               => nil,
-      "module_enabled"           => true,
-      "blocking_score"           => 70,
-      "sensitive_headers"        => ["cookie", "cookies"],
-      "api_connect_timeout"      => 1,
-      "api_timeout"              => 1,
-      "sdk_name"                 => "RUBY SLIM SDK v1.0.0",
-      "debug_mode"               => false,
-      "module_mode"              => MONITOR_MODE,
+      :app_id                       => nil,
+      :cookie_key                   => nil,
+      :auth_token                   => nil,
+      :module_enabled               => true,
+      :challenge_enabled            => true,
+      :encryption_enabled           => true,
+      :blocking_score               => 100,
+      :sensitive_headers            => ["http-cookie", "http-cookies"],
+      :api_connect_timeout          => 1,
+      :api_timeout                  => 1,
+      :max_buffer_len               => 10,
+      :send_page_activities         => true,
+      :send_block_activities        => true,
+      :sdk_name                     => PxModule::SDK_NAME,
+      :debug                        => false,
+      :module_mode                  => PxModule::MONITOR_MODE,
+      :local_proxy                  => false,
+      :sensitive_routes             => [],
+      :whitelist_routes             => [],
+      :ip_headers                   => [],
+      :ip_header_function           => nil,
+      :bypass_monitor_header        => nil,
+      :risk_cookie_max_iterations   => 5000
     }
 
     def initialize(params)
-      PX_DEFAULT["perimeterx_server_host"] = "https://sapi-#{params['app_id'].downcase}.perimeterx.net"
-      @configuration = PX_DEFAULT.merge(params);
+      PX_DEFAULT[:backend_url] = "https://sapi-#{params[:app_id].downcase}.perimeterx.net"
+      @configuration = PX_DEFAULT.merge(params)
+      @configuration[:logger] = PxLogger.new(@configuration[:debug])
     end
   end
 end

data/lib/perimeterx/internal/clients/perimeter_x_activity_client.rb

@@ -0,0 +1,110 @@
+require 'perimeterx/internal/clients/perimeter_x_risk_client'
+
+module PxModule
+  class PerimeterxActivitiesClient < PerimeterxRiskClient
+
+
+    def initialize(px_config, http_client)
+      super(px_config, http_client)
+      @logger.debug("PerimeterxActivitiesClients[initialize]")
+    end
+
+    def send_to_perimeterx(activity_type, px_ctx, details = [])
+      @logger.debug("PerimeterxActivitiesClients[send_to_perimeterx]")
+      @logger.debug("PerimeterxActivitiesClients[send_to_perimeterx]: new activity #{activity_type} logged")
+
+      if (@px_config.key?(:additional_activity_handler))
+        @px_config[:additional_activity_handler].call(activity_type, px_ctx, details)
+      end
+
+      details[:module_version] = @px_config[:sdk_name]
+      details[:cookie_origin] = px_ctx.context[:cookie_origin]
+
+      px_data = {
+        :type       => activity_type,
+        :headers    => format_headers(px_ctx),
+        :timestamp  => (Time.now.to_f*1000).floor,
+        :socket_ip  => px_ctx.context[:ip],
+        :px_app_id  => @px_config[:app_id],
+        :url        => px_ctx.context[:full_url],
+        :details    => details,
+      }
+
+      if (px_ctx.context.key?(:vid))
+        @logger.debug("PerimeterxActivitiesClients[send_to_perimeterx]: found vid in ctx")
+        px_data[:vid] = px_ctx.context[:vid]
+      end
+
+      # Prepare request
+      headers = {
+          "Authorization" => "Bearer #{@px_config[:auth_token]}" ,
+          "Content-Type" => "application/json"
+      };
+
+      s = Time.now
+      @http_client.async.post(PxModule::API_V1_S2S, px_data, headers)
+      e = Time.now
+      @logger.debug("PerimeterxActivitiesClients[send_to_perimeterx]: post runtime #{(e-s)*1000}")
+    end
+
+    def send_block_activity(px_ctx)
+      @logger.debug("PerimeterxActivitiesClients[send_block_activity]")
+      if (!@px_config[:send_block_activities])
+        @logger.debug("PerimeterxActivitiesClients[send_block_activity]: sending activites is disabled")
+        return
+      end
+
+      details = {
+        :http_version  => px_ctx.context[:http_version],
+        :http_method   => px_ctx.context[:http_method],
+        :client_uuid => px_ctx.context[:uuid],
+        :block_score => px_ctx.context[:score],
+        :block_reason => px_ctx.context[:blocking_reason],
+        :simulated_block => @px_config[:module_mode] == PxModule::MONITOR_MODE
+      }
+
+      if (px_ctx.context.key?(:risk_rtt))
+        details[:risk_rtt] = px_ctx.context[:risk_rtt]
+      end
+
+      if (px_ctx.context.key?(:px_orig_cookie))
+        details[:px_orig_cookie] = px_ctx.context[:px_orig_cookie]
+      end
+
+      send_to_perimeterx(PxModule::BLOCK_ACTIVITY, px_ctx, details)
+
+    end
+
+    def send_page_requested_activity(px_ctx)
+      @logger.debug("PerimeterxActivitiesClients[send_page_requested_activity]")
+      if (!@px_config[:send_page_activities])
+        return
+      end
+
+      details = {
+        :http_version  => px_ctx.context[:http_version],
+        :http_method   => px_ctx.context[:http_method],
+        :client_uuid   => px_ctx.context[:uuid],
+        :pass_reason  => px_ctx.context[:pass_reason]
+      }
+
+      if (px_ctx.context.key?(:decoded_cookie))
+        details[:px_cookie] = px_ctx.context[:decoded_cookie]
+      end
+
+      if (px_ctx.context.key?(:px_orig_cookie))
+        details[:px_orig_cookie] = px_ctx.context[:px_orig_cookie]
+      end
+
+      if (px_ctx.context.key?(:cookie_hmac))
+        details[:px_cookie_hmac] = px_ctx.context[:cookie_hmac]
+      end
+
+      if (px_ctx.context.key?(:risk_rtt))
+        details[:risk_rtt] = px_ctx.context[:risk_rtt]
+      end
+
+      send_to_perimeterx(PxModule::PAGE_REQUESTED_ACTIVITY, px_ctx, details)
+    end
+  end
+end

data/lib/perimeterx/internal/clients/perimeter_x_risk_client.rb

@@ -0,0 +1,28 @@
+require 'perimeterx/utils/px_logger'
+
+module PxModule
+  class PerimeterxRiskClient
+    attr_accessor :px_config
+    attr_accessor :http_client
+
+    def initialize(px_config, http_client)
+      @px_config = px_config
+      @http_client = http_client;
+      @logger = px_config[:logger]
+    end
+
+    def format_headers(px_ctx)
+      @logger.debug("PerimeterxRiskClient[format_headers]")
+      formated_headers = []
+      px_ctx.context[:headers].each do |k,v|
+        if (!@px_config[:sensitive_headers].include? k.to_s)
+          formated_headers.push({
+            :name => k.to_s,
+            :value => v
+            })
+          end #end if
+        end #end forech
+        return formated_headers
+    end #end method
+  end #end class
+end

data/lib/perimeterx/internal/exceptions/px_cookie_decryption_exception.rb

@@ -0,0 +1,5 @@
+class PxCookieDecryptionException < StandardError
+  def initialize(msg)
+   super(msg)
+ end
+end

data/lib/perimeterx/internal/payload/perimeter_x_cookie_v1.rb

@@ -0,0 +1,42 @@
+module PxModule
+  class PerimeterxCookieV1 < PerimeterxPayload
+
+    attr_accessor :px_config, :px_ctx
+
+    def initialize(px_config, px_ctx)
+      super(px_config)
+      @px_ctx = px_ctx
+      @px_cookie = px_ctx.get_px_cookie
+      @cookie_secret = px_config[:cookie_key]
+      @logger.debug("PerimeterxCookieV1[initialize]")
+    end
+
+    def cookie_score
+      return @decoded_cookie[:s][:b]
+    end
+
+    def cookie_hmac
+      return @decoded_cookie[:h]
+    end
+
+    def valid_format?(cookie)
+      return cookie.key?(:t) && cookie.key?(:s) && cookie[:s].key?(:b) && cookie.key?(:s) && cookie.key?(:v) && cookie.key?(:h)
+    end
+
+    def cookie_block_action
+      return 'c'
+    end
+
+    def secured?
+      base_hmac_str = "#{cookie_time}#{@decoded_cookie[:s][:a]}#{cookie_score}#{cookie_uuid}#{cookie_vid}"
+
+      hmac_str_withip = "#{base_hmac_str}#{@px_ctx.context[:ip]}#{@px_ctx.context[:user_agent]}"
+
+      hmac_str_withoutip = "#{base_hmac_str}#{@px_ctx.context[:user_agent]}"
+
+      return (hmac_valid?(hmac_str_withoutip, cookie_hmac) || hmac_valid?(hmac_str_withip, cookie_hmac))
+    end
+
+  end
+
+end

data/lib/perimeterx/internal/payload/perimeter_x_cookie_v3.rb

@@ -0,0 +1,37 @@
+module PxModule
+  class PerimeterxCookieV3 < PerimeterxPayload
+
+    attr_accessor :px_config, :px_ctx, :cookie_hash
+
+    def initialize(px_config, px_ctx)
+      super(px_config)
+      hash, cookie = px_ctx.get_px_cookie().split(':', 2)
+      @px_cookie = cookie
+      @cookie_hash = hash
+      @px_ctx = px_ctx
+      @cookie_secret = px_config[:cookie_key]
+      @logger.debug("PerimeterxCookieV3[initialize]")
+    end
+
+    def cookie_score
+      return @decoded_cookie[:s]
+    end
+
+    def cookie_hmac
+      return @cookie_hash
+    end
+
+    def valid_format?(cookie)
+      return cookie.key?(:t) && cookie.key?(:s) && cookie.key?(:u) && cookie.key?(:u) && cookie.key?(:a)
+    end
+
+    def cookie_block_action
+      @decoded_cookie[:a]
+    end
+
+    def secured?
+      hmac_string = "#{@px_cookie}#{@px_ctx.context[:user_agent]}"
+      return hmac_valid?(hmac_string, cookie_hmac)
+    end
+  end
+end

data/lib/perimeterx/internal/payload/perimeter_x_payload.rb

@@ -0,0 +1,148 @@
+require 'active_support/security_utils'
+require 'base64'
+require 'openssl'
+require 'perimeterx/internal/exceptions/px_cookie_decryption_exception'
+
+module PxModule
+  class PerimeterxPayload
+    attr_accessor :px_cookie, :px_config, :px_ctx, :cookie_secret, :decoded_cookie
+
+    def initialize(px_config)
+      @px_config = px_config
+      @logger = px_config[:logger]
+    end
+
+    def self.px_cookie_factory(px_ctx, px_config)
+      if px_ctx.context[:cookie_origin] == 'header'
+        if (px_ctx.context[:px_cookie].key?(:v3))
+          return PerimeterxTokenV3.new(px_config,px_ctx)
+        end
+        return PerimeterxTokenV1.new(px_config,px_ctx)
+      elsif (px_ctx.context[:px_cookie].key?(:v3))
+        return PerimeterxCookieV3.new(px_config, px_ctx)
+      end
+      return PerimeterxCookieV1.new(px_config, px_ctx)
+    end
+
+    def cookie_score
+      #abstract, must be implemented
+      raise Exception.new("Unimplemented method")
+    end
+
+    def cookie_hmac
+      #abstract, must be implemented
+      raise Exception.new("Unimplemented method")
+    end
+
+    def valid_format?(cookie)
+      #abstract, must be implemented
+      raise Exception.new("Unimplemented method")
+    end
+
+    def cookie_block_action
+      #abstract, must be implemented
+      raise Exception.new("Unimplemented method")
+    end
+
+    def secured?
+      #abstract, must be implemented
+      raise Exception.new("Unimplemented method")
+    end
+
+    def is_valid?
+      return deserialize && !expired? && secured?
+    end
+
+    def cookie_time
+      return @decoded_cookie[:t]
+    end
+
+    def cookie_uuid
+      return @decoded_cookie[:u]
+    end
+
+    def cookie_vid
+      return @decoded_cookie[:v]
+    end
+
+    def high_score?
+      return cookie_score >= @px_config[:blocking_score]
+    end
+
+    def expired?
+      return cookie_time < (Time.now.to_f*1000).floor
+    end
+
+
+    def deserialize
+      if (!@decoded_cookie.nil?)
+        return true
+      end
+
+      # Decode or decrypt, depends on configuration
+      if (@px_config[:encryption_enabled])
+        cookie = decrypt(@px_cookie)
+      else
+        cookie = decode(@px_cookie)
+      end
+
+      if (cookie.nil?)
+        return false
+      end
+
+      if (!valid_format?(cookie))
+        return false
+      end
+
+      @decoded_cookie = cookie
+
+      return true
+    end
+
+
+    def decrypt(px_cookie)
+      begin
+        if (px_cookie.nil?)
+          return
+        end
+        px_cookie = px_cookie.gsub(' ', '+')
+        salt, iterations, cipher_text = px_cookie.split(':')
+        iterations = iterations.to_i
+        if (iterations > @px_config[:risk_cookie_max_iterations] || iterations < 500)
+          return
+        end
+        salt = Base64.decode64(salt)
+        cipher_text = Base64.decode64(cipher_text)
+        digest = OpenSSL::Digest::SHA256.new
+        value = OpenSSL::PKCS5.pbkdf2_hmac(@px_config[:cookie_key], salt, iterations, 48, digest)
+        key = value[0..31]
+        iv = value[32..-1]
+        cipher = OpenSSL::Cipher::AES256.new(:CBC)
+        cipher.decrypt
+        cipher.key = key
+        cipher.iv = iv
+        plaintext = cipher.update(cipher_text) + cipher.final
+
+        return eval(plaintext)
+      rescue Exception => e
+        @logger.debug("PerimeterxCookie[decrypt]: Cookie decrypt fail #{e.message}")
+        raise PxCookieDecryptionException.new("Cookie decrypt fail => #{e.message}");
+      end
+    end
+
+    def decode(px_cookie)
+      return eval(Base64.decode64(px_cookie))
+    end
+
+
+    def hmac_valid?(hmac_str, cookie_hmac)
+      hmac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA256.new, @cookie_secret, hmac_str)
+      # ref: https://thisdata.com/blog/timing-attacks-against-string-comparison/
+      password_correct = ActiveSupport::SecurityUtils.secure_compare(
+          ::Digest::SHA256.hexdigest(cookie_hmac),
+          ::Digest::SHA256.hexdigest(hmac)
+      )
+
+    end
+  end
+end

data/lib/perimeterx/internal/payload/perimeter_x_token_v1.rb

@@ -0,0 +1,38 @@
+module PxModule
+  class PerimeterxTokenV1 < PerimeterxPayload
+
+    attr_accessor :px_config, :px_ctx
+
+    def initialize(px_config, px_ctx)
+      super(px_config)
+      @px_ctx = px_ctx
+      @px_cookie = px_ctx.get_px_cookie
+      @cookie_secret = px_config[:cookie_key]
+      @logger.debug('PerimeterxTokenV1[initialize]')
+    end
+
+    def cookie_score
+      return @decoded_cookie[:s][:b]
+    end
+
+    def cookie_hmac
+      return @decoded_cookie[:h]
+    end
+
+    def valid_format?(cookie)
+      return cookie.key?(:t) && cookie.key?(:s) && cookie[:s].key?(:b) && cookie.key?(:s) && cookie.key?(:v) && cookie.key?(:h)
+    end
+
+    def cookie_block_action
+      return 'c'
+    end
+
+    def secured?
+      hmac_str = "#{cookie_time}#{@decoded_cookie[:s][:a]}#{cookie_score}#{cookie_uuid}#{cookie_vid}"
+
+      return hmac_valid?(hmac_str, cookie_hmac)
+    end
+
+  end
+
+end