perimeter_x 1.0.6.pre.alpha → 2.0.0

data/lib/perimeterx/internal/payload/perimeter_x_token_v3.rb

@@ -0,0 +1,36 @@
+module PxModule
+  class PerimeterxTokenV3 < PerimeterxPayload
+
+    attr_accessor :px_config, :px_ctx, :cookie_hash
+
+    def initialize(px_config, px_ctx)
+      super(px_config)
+      hash, cookie = px_ctx.get_px_cookie().split(':', 2)
+      @px_cookie = cookie
+      @cookie_hash = hash
+      @px_ctx = px_ctx
+      @cookie_secret = px_config[:cookie_key]
+      @logger.debug('PerimeterxTokenV3[initialize]')
+    end
+
+    def cookie_score
+      return @decoded_cookie[:s]
+    end
+
+    def cookie_hmac
+      return @cookie_hash
+    end
+
+    def valid_format?(cookie)
+      return cookie.key?(:t) && cookie.key?(:s) && cookie.key?(:u) && cookie.key?(:u) && cookie.key?(:a)
+    end
+
+    def cookie_block_action
+      @decoded_cookie[:a]
+    end
+
+    def secured?
+      return hmac_valid?(@px_cookie, cookie_hmac)
+    end
+  end
+end

data/lib/perimeterx/internal/perimeter_x_context.rb

@@ -1,62 +1,121 @@
 require 'perimeterx/utils/px_logger'
+require 'perimeterx/utils/px_constants'
 
-class PerimeterXContext
-  L = PxLogger.instance
-
-  attr_accessor :context
-  attr_accessor :px_config
-
-  def initialize(px_config, req)
-    L.info("PerimeterXContext: initialize")
-    @context = Hash.new
-
-    @context[:px_cookies] = Hash.new
-    @context[:headers] = Hash.new
-    cookies = req.cookies
-    if (!cookies.empty?)
-      # Prepare hashed cookies
-      cookies.each do |k, v|
-        case k
-          when "_px3"
-            @context[:px_cookies] = v
-          when "_px"
-            @context[:px_cookies] = v
-          when "_pxCaptcha"
-            @context[:px_captcha] = v
+module PxModule
+  class PerimeterXContext
+
+    attr_accessor :context
+    attr_accessor :px_config
+
+    def initialize(px_config, req)
+      @logger = px_config[:logger]
+      @logger.debug('PerimeterXContext[initialize]')
+      @context = Hash.new
+
+      @context[:px_cookie] = Hash.new
+      @context[:headers] = Hash.new
+      @context[:cookie_origin] = 'cookie'
+      @context[:made_s2s_risk_api_call] = false
+      cookies = req.cookies
+
+      # Get IP from header/custom function
+      if px_config[:ip_headers].length() > 0
+        px_config[:ip_headers].each do |ip_header|
+          if req.headers[ip_header]
+            @context[:ip]  = force_utf8(req.headers[ip_header])
+          end
         end
-      end #end case
-    end #end empty cookies
-
-    req.headers.each do |k, v|
-      if (k.start_with? "HTTP_")
-        header = k.to_s.gsub("HTTP_", "")
-        header = header.gsub("_", "-").downcase
-        @context[:headers][header.to_sym] = v
+      elsif px_config[:ip_header_function] != nil
+        @context[:ip] = px_config[:ip_header_function].call(req)
       end
-    end #end headers foreach
-
-    @context[:hostname]= req.headers['HTTP_HOST']
-    @context[:user_agent] = req.headers['HTTP_USER_AGENT'] ? req.headers['HTTP_USER_AGENT'] : ''
-    @context[:full_url] = req.original_url
-    @context[:score] = 0
-
-    if px_config.key?('custom_user_ip')
-      @context[:ip] = px_config['custom_user_ip']
-    elsif px_config.key?('px_custom_user_ip_method')
-      puts "px_custom_user_ip_method triggered"
-      @context[:ip] = px_config['px_custom_user_ip_method'].call(req)
-    else
-      @context[:ip] = req.headers['REMOTE_ADDR'];
-    end
 
-    if req.headers['SERVER_PROTOCOL']
-      httpVer = req.headers['SERVER_PROTOCOL'].split("/")
-      if httpVer.size > 0
-        @context[:http_version] = httpVer[1];
+      if @context[:ip] == nil
+        @context[:ip] = req.ip
       end
+
+      # Get token from header
+      if req.headers[PxModule::TOKEN_HEADER]
+        @context[:cookie_origin] = 'header'
+        token = force_utf8(req.headers[PxModule::TOKEN_HEADER])
+        if token.include? ':'
+          exploded_token = token.split(':', 2)
+          cookie_sym = "v#{exploded_token[0]}".to_sym
+          @context[:px_cookie][cookie_sym] = exploded_token[1]
+        else  # TOKEN_HEADER exists yet there's no ':' delimiter - may indicate an error (storing original value)
+          @context[:px_cookie] = force_utf8(req.headers[PxModule::TOKEN_HEADER])
+        end
+      elsif !cookies.empty? # Get cookie from jar
+        # Prepare hashed cookies
+        cookies.each do |k, v|
+          case k.to_s
+            when '_px3'
+              @context[:px_cookie][:v3] = force_utf8(v)
+            when '_px'
+              @context[:px_cookie][:v1] = force_utf8(v)
+            when '_pxvid'
+              if v.is_a?(String) && v.match(PxModule::VID_REGEX)
+                @context[:vid_source] = "vid_cookie"
+                @context[:vid] = force_utf8(v)
+              end
+          end
+        end #end case
+      end #end empty cookies
+
+      req.headers.each do |k, v|
+        if (k.start_with? 'HTTP_')
+          header = k.to_s.gsub('HTTP_', '')
+          header = header.gsub('_', '-').downcase
+          @context[:headers][header.to_sym] = force_utf8(v)
+        end
+      end #end headers foreach
+
+      @context[:hostname]= req.server_name
+      @context[:user_agent] = req.user_agent ? req.user_agent : ''
+      @context[:uri] = px_config[:custom_uri] ? px_config[:custom_uri].call(req)  : req.fullpath 
+      @context[:full_url] = req.original_url
+      @context[:format] = req.format.symbol
+      @context[:score] = 0
+
+      if req.server_protocol
+          httpVer = req.server_protocol.split('/')
+          if httpVer.size > 0
+              @context[:http_version] = httpVer[1]
+          end
+      end
+      @context[:http_method] = req.method
+	  @context[:sensitive_route] = check_sensitive_route(px_config[:sensitive_routes], @context[:uri]) 
+    end #end init
+
+	def check_sensitive_route(sensitive_routes, uri)
+		sensitive_routes.each do |sensitive_route|
+			return true if uri.start_with? sensitive_route
+		end
+    false
+	end
+
+  def force_utf8(str)
+    return str.encode('UTF-8', 'binary', invalid: :replace, undef: :replace, replace: '')
+  end
+
+    def set_block_action_type(action)
+      @context[:block_action] = case action
+        when 'c'
+          'captcha'
+        when 'b'
+          return 'block'
+        when 'j'
+          return 'challenge'
+        when 'r'
+          return 'rate_limit'
+        else
+          return captcha
+        end
     end
-    @context[:http_method] = req.headers['REQUEST_METHOD'];
 
-  end #end init
+    def get_px_cookie
+      cookie = @context[:px_cookie].key?(:v3) ? @context[:px_cookie][:v3] : @context[:px_cookie][:v1]
+      return cookie.tr(' ','+') if !cookie.nil?
+    end
 
-end #end class
+  end
+end

data/lib/perimeterx/internal/validators/perimeter_x_cookie_validator.rb

@@ -0,0 +1,103 @@
+require 'perimeterx/utils/px_constants'
+require 'perimeterx/internal/payload/perimeter_x_payload'
+require 'perimeterx/internal/payload/perimeter_x_token_v1'
+require 'perimeterx/internal/payload/perimeter_x_token_v3'
+require 'perimeterx/internal/payload/perimeter_x_cookie_v1'
+require 'perimeterx/internal/payload/perimeter_x_cookie_v3'
+
+module PxModule
+  class PerimeterxCookieValidator
+
+    attr_accessor :px_config
+
+    def initialize(px_config)
+      @px_config = px_config
+      @logger = px_config[:logger]
+    end
+
+
+    def verify(px_ctx)
+      begin
+        # Mobile Error cases
+        if px_ctx.context[:cookie_origin] == 'header'
+          if px_ctx.context[:px_cookie].to_s.empty?
+            @logger.warn("PerimeterxCookieValidator:[verify]: Empty token value - decryption failed")
+            px_ctx.context[:s2s_call_reason] = PxModule::COOKIE_DECRYPTION_FAILED
+            return false, px_ctx
+          elsif px_ctx.context[:px_cookie] == "1"
+            @logger.warn("PerimeterxCookieValidator:[verify]: no cookie")
+            px_ctx.context[:s2s_call_reason] = PxModule::NO_COOKIE
+            return false, px_ctx
+          elsif px_ctx.context[:px_cookie] == "2"   # Mobile SDK connection error
+            @logger.warn("PerimeterxCookieValidator:[verify]: mobile sdk connection error")
+            px_ctx.context[:s2s_call_reason] = PxModule::MOBILE_SDK_CONNECTION_ERROR
+            return false, px_ctx
+          elsif px_ctx.context[:px_cookie] == "3"   # Mobile SDK pinning error
+            @logger.warn("PerimeterxCookieValidator:[verify]: mobile sdk pinning error")
+            px_ctx.context[:s2s_call_reason] = PxModule::MOBILE_SDK_PINNING_ERROR
+            return false, px_ctx
+          end
+        elsif px_ctx.context[:px_cookie].empty?
+          @logger.warn("PerimeterxCookieValidator:[verify]: no cookie")
+          px_ctx.context[:s2s_call_reason] = PxModule::NO_COOKIE
+          return false, px_ctx
+        end
+
+        # Deserialize cookie start
+        cookie = PerimeterxPayload.px_cookie_factory(px_ctx, @px_config)
+        if !cookie.deserialize()
+          @logger.warn("PerimeterxCookieValidator:[verify]: invalid cookie")
+          px_ctx.context[:px_orig_cookie] = px_ctx.get_px_cookie
+          px_ctx.context[:s2s_call_reason] =  PxModule::COOKIE_DECRYPTION_FAILED
+          return false, px_ctx
+        end
+        px_ctx.context[:decoded_cookie] = cookie.decoded_cookie
+        px_ctx.context[:score] = cookie.cookie_score()
+        px_ctx.context[:uuid] = cookie.decoded_cookie[:u]
+        px_ctx.context[:block_action] = px_ctx.set_block_action_type(cookie.cookie_block_action())
+        px_ctx.context[:cookie_hmac] = cookie.cookie_hmac()
+
+        vid = cookie.decoded_cookie[:v]
+        if vid.is_a?(String) && vid.match(PxModule::VID_REGEX)
+          px_ctx.context[:vid_source] = "risk_cookie"
+          px_ctx.context[:vid] = vid
+        end
+
+        if cookie.expired?
+          @logger.warn("PerimeterxCookieValidator:[verify]: cookie expired")
+          px_ctx.context[:s2s_call_reason] = PxModule::EXPIRED_COOKIE
+          return false, px_ctx
+        end
+
+        if cookie.high_score?
+          @logger.warn("PerimeterxCookieValidator:[verify]: cookie high score")
+          px_ctx.context[:blocking_reason] = 'cookie_high_score'
+          return true, px_ctx
+        end
+
+        if !cookie.secured?
+          @logger.warn("PerimeterxCookieValidator:[verify]: cookie invalid hmac")
+          px_ctx.context[:s2s_call_reason] = PxModule:: COOKIE_VALIDATION_FAILED
+          return false, px_ctx
+        end
+
+        if px_ctx.context[:sensitive_route]
+          @logger.info("PerimeterxCookieValidator:[verify]: cookie was verified but route is sensitive")
+          px_ctx.context[:s2s_call_reason] = PxModule::SENSITIVE_ROUTE
+          return false, px_ctx
+        end
+
+        @logger.debug("PerimeterxCookieValidator:[verify]: cookie validation passed succesfully")
+
+        px_ctx.context[:pass_reason] = 'cookie'
+        return true, px_ctx
+      rescue Exception => e
+        @logger.error("PerimeterxCookieValidator:[verify]: exception while verifying cookie => #{e.message}")
+        px_ctx.context[:px_orig_cookie] = px_ctx.context[:px_cookie]
+        px_ctx.context[:s2s_call_reason] = PxModule::COOKIE_DECRYPTION_FAILED
+        return false, px_ctx
+      end
+    end
+
+  end
+end

data/lib/perimeterx/internal/validators/perimeter_x_s2s_validator.rb

@@ -0,0 +1,128 @@
+require 'perimeterx/internal/clients/perimeter_x_risk_client'
+
+module PxModule
+  class PerimeterxS2SValidator < PerimeterxRiskClient
+
+    def initialize(px_config, http_client)
+      super(px_config, http_client)
+      @logger.debug('PerimeterxS2SValidator[initialize]')
+    end
+
+    def send_risk_request(px_ctx)
+      @logger.debug('PerimeterxS2SValidator[send_risk_request]: send_risk_request')
+
+      risk_mode = PxModule::RISK_MODE_ACTIVE
+      if @px_config[:module_mode] == PxModule::MONITOR_MODE
+        risk_mode = PxModule::RISK_MODE_MONITOR
+      end
+
+      request_body = {
+        :request => {
+          :ip      => px_ctx.context[:ip],
+          :headers => format_headers(px_ctx),
+          :uri     => px_ctx.context[:uri],
+          :url     => px_ctx.context[:full_url]
+        },
+        :additional => {
+          :s2s_call_reason => px_ctx.context[:s2s_call_reason],
+          :module_version => @px_config[:sdk_name],
+          :cookie_origin => px_ctx.context[:cookie_origin],
+          :http_method => px_ctx.context[:http_method],
+          :http_version => px_ctx.context[:http_version],
+          :risk_mode => risk_mode
+        }
+      }
+      #Check for hmac
+      @logger.debug("px_ctx cookie_hmac key = #{px_ctx.context.key?(:cookie_hmac)}, value is: #{px_ctx.context[:cookie_hmac]}")
+      if px_ctx.context.key?(:cookie_hmac)
+        request_body[:additional][:px_cookie_hmac] = px_ctx.context[:cookie_hmac]
+      end
+
+
+      #Check for VID
+      if px_ctx.context.key?(:vid)
+        request_body[:vid] = px_ctx.context[:vid]
+      end
+
+      #Check for uuid
+      if px_ctx.context.key?(:uuid)
+        request_body[:uuid] = px_ctx.context[:uuid]
+      end
+
+      #S2S Call reason
+      decode_cookie_reasons = [PxModule::EXPIRED_COOKIE, PxModule::COOKIE_VALIDATION_FAILED]
+      if ( px_ctx.context[:s2s_call_reason] == PxModule::COOKIE_DECRYPTION_FAILED )
+        @logger.debug("PerimeterxS2SValidator[send_risk_request]: attaching px_orig_cookie to request")
+        request_body[:additional][:px_orig_cookie] = px_ctx.context[:px_orig_cookie]
+      elsif decode_cookie_reasons.include? (px_ctx.context[:s2s_call_reason])
+        if (px_ctx.context.key?(:decoded_cookie))
+          request_body[:additional][:px_cookie] = px_ctx.context[:decoded_cookie]
+        end
+      end
+
+      # Prepare request
+      headers = {
+          "Authorization" => "Bearer #{@px_config[:auth_token]}" ,
+          "Content-Type" => "application/json"
+      };
+
+      # Custom risk handler
+      risk_start = Time.now
+      if (risk_mode == PxModule::ACTIVE_MODE && @px_config.key?(:custom_risk_handler))
+        response = @px_config[:custom_risk_handler].call(PxModule::API_V3_RISK, request_body, headers, @px_config[:api_timeout], @px_config[:api_timeout_connection])
+      else
+        response = @http_client.post(PxModule::API_V3_RISK , request_body, headers, @px_config[:api_timeout], @px_config[:api_timeout_connection])
+      end
+
+      # Set risk_rtt
+      if(response)
+        risk_end = Time.now
+        px_ctx.context[:risk_rtt] = ((risk_end-risk_start)*1000).round
+      end
+
+      return response
+    end
+
+    def verify(px_ctx)
+      @logger.debug("PerimeterxS2SValidator[verify]")
+      response = send_risk_request(px_ctx)
+      if (!response)
+        px_ctx.context[:pass_reason] = "s2s_timeout"
+        return px_ctx
+      end
+      px_ctx.context[:made_s2s_risk_api_call] = true
+
+      # From here response should be valid, if success or error
+      response_body = eval(response.body);
+      # When success
+      if (response.code == 200 && response_body.key?(:score) && response_body.key?(:action) && response_body.key?(:status) && response_body[:status] == 0 )
+        @logger.debug("PerimeterxS2SValidator[verify]: response ok")
+        score = response_body[:score]
+        px_ctx.context[:score] = score
+        px_ctx.context[:uuid] = response_body[:uuid]
+        px_ctx.context[:block_action] = px_ctx.set_block_action_type(response_body[:action])
+        if (response_body[:action] == 'j' && response_body.key?(:action_data) && response_body[:action_data].key?(:body))
+          px_ctx.context[:block_action_data] = response_body[:action_data][:body]
+          px_ctx.context[:blocking_reason] = 'challenge'
+        elsif (score >= @px_config[:blocking_score])
+          px_ctx.context[:blocking_reason] = 's2s_high_score'
+        else
+          px_ctx.context[:pass_reason] = 's2s'
+        end #end challange or blocking score
+      end #end success response
+
+      # When error
+      risk_error_status = response_body && response_body.key?(:status) && response_body[:status] == -1
+      if(response.code != 200 || risk_error_status)
+        @logger.warn("PerimeterxS2SValidator[verify]: bad response, returned code #{response.code} #{risk_error_status ? "risk status: -1" : ""}")
+        px_ctx.context[:pass_reason] = 'request_failed'
+        px_ctx.context[:uuid] = (!response_body || response_body[:uuid].nil?)? "" : response_body[:uuid]
+        px_ctx.context[:s2s_error_msg] = !response_body || response_body[:message].nil? ? 'unknown' : response_body[:message]
+      end
+
+      @logger.debug("PerimeterxS2SValidator[verify]: done")
+      return px_ctx
+    end #end method
+
+  end
+end

data/lib/perimeterx/utils/px_constants.rb

@@ -0,0 +1,62 @@
+require 'perimeterx/version'
+
+module PxModule
+  # Misc
+  MONITOR_MODE = 1
+  ACTIVE_MODE = 2
+  RISK_MODE_ACTIVE = 'active_blocking'
+  RISK_MODE_MONITOR = 'monitor'
+  SDK_NAME = "RUBY SDK v#{PxModule::VERSION}"
+
+  # Routes
+  API_V1_S2S = '/api/v1/collector/s2s'
+  API_V3_RISK = '/api/v3/risk'
+
+  # Activity Types
+  BLOCK_ACTIVITY = 'block'
+  PAGE_REQUESTED_ACTIVITY = 'page_requested'
+
+  # PxContext
+  NO_COOKIE = 'no_cookie'
+  INVALID_COOKIE = 'invalid_cookie'
+  EXPIRED_COOKIE = 'cookie_expired'
+  COOKIE_HIGH_SCORE = 'cookie_high_score'
+  COOKIE_VALIDATION_FAILED = 'cookie_validation_failed'
+  COOKIE_DECRYPTION_FAILED = 'cookie_decryption_failed'
+  SENSITIVE_ROUTE = 'sensitive_route'
+
+  # Templates
+  CHALLENGE_TEMPLATE = 'block_template'
+  TEMPLATE_EXT = '.mustache'
+  RATELIMIT_TEMPLATE = 'ratelimit'
+
+
+  # Template Props
+  PROP_REF_ID = :refId
+  PROP_APP_ID = :appId
+  PROP_VID = :vid
+  PROP_UUID = :uuid
+  PROP_LOGO_VISIBILITY = :logoVisibility
+  PROP_CUSTOM_LOGO = :customLogo
+  PROP_CSS_REF = :cssRef
+  PROP_JS_REF = :jsRef
+  PROP_BLOCK_SCRIPT = :blockScript
+  PROP_JS_CLIENT_SRC = :jsClientSrc
+  PROP_HOST_URL = :hostUrl
+  PROP_FIRST_PARTY_ENABLED = :firstPartyEnabled
+
+  # Hosts
+  CLIENT_HOST = 'client.px-cloud.net'
+  CAPTCHA_HOST = 'captcha.px-cloud.net'
+
+  VISIBLE = 'visible'
+  HIDDEN = 'hidden'
+
+  # Mobile SDK
+  TOKEN_HEADER = 'X-PX-AUTHORIZATION'
+  MOBILE_SDK_CONNECTION_ERROR = 'mobile_sdk_connection_error'
+  MOBILE_SDK_PINNING_ERROR = 'mobile_sdk_pinning_error'
+
+  # Regular Expressions
+  VID_REGEX = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/
+end