perimeter_x 1.2.0 → 2.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 52e3418c30763e225706ca5ee7a3a88958c4a210
-  data.tar.gz: 4671a1eb52edc4cfdb9ba4e85932c2dcb7e33dbb
+SHA256:
+  metadata.gz: 475e2577bfe9b12bb7edbe3286fb4f1861a9c508791f38b0196dea0f493f355e
+  data.tar.gz: b0c61698741743a62ad0a7c9fb67dc6d5ed9f9b78c01d08b764cb1297ee37c98
 SHA512:
-  metadata.gz: 13ca73c6ac3c22ff0d9d93d42cab42049a06e458f9596538cd2225a07dd1ea9e20db8bf4c6921519ed29c349e717eb929643051ef1510337b1414bf6ea8f6c01
-  data.tar.gz: 2bc1a8fe0845f3899537bb34151c545ea7c6a5343b271c7bceb4d221a9551d74dec174042e30b02e7e29d533d7e0453235163ee0635d2275576c75ed4758efd5
+  metadata.gz: 3bae8b3e45c8ee8aba86a56ed977158adec12bccfa2542e1a4e54344b6b6fb0503182585816c1b55640bd49ea4d6323831e93ad6c8d3335703e33d695df362ba
+  data.tar.gz: d7a64faa2f03fd4bc467cdea545a2f530001431f37281c2a9561dd83c28c00006fe827e8cd510560fbbbd1a69d382993ae513edd214a18a277bcca57dd561fdc

data/.gitignore

@@ -1,4 +1,5 @@
 *.rbc
+*.iml
 capybara-*.html
 .rspec
 /log

data/.travis.yml

@@ -0,0 +1,3 @@
+language: ruby
+rvm:
+    - 2.7.1

data/Dockerfile

@@ -1,21 +1,26 @@
 # Based on manual compile instructions at http://wiki.nginx.org/HttpLuaModule#Installation
-FROM ruby:2.3.0
+FROM ruby:2.7.1
 
-RUN apt-get update && apt-get --force-yes -qq -y install \
- nodejs
-ENV RAILS_VERSION 4.2.0
+RUN curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg -o /root/yarn-pubkey.gpg && apt-key add /root/yarn-pubkey.gpg
+RUN echo "deb https://dl.yarnpkg.com/debian/ stable main" > /etc/apt/sources.list.d/yarn.list
+RUN apt-get update && apt-get install -y --no-install-recommends nodejs yarn vim
+
+ENV RAILS_VERSION 6.0.3.2
 RUN gem install rails --version "$RAILS_VERSION"
 RUN gem install bundler
 RUN mkdir -p /tmp/ruby_sandbox
 WORKDIR /tmp/ruby_sandbox
-RUN git clone https://github.com/PerimeterX/perimeterx-ruby-sdk.git
+COPY lib /tmp/ruby_sandbox/lib
+COPY Gemfile /tmp/ruby_sandbox/
+COPY perimeter_x.gemspec /tmp/ruby_sandbox/
+COPY Rakefile /tmp/ruby_sandbox/
 RUN rails new webapp
 WORKDIR /tmp/ruby_sandbox/webapp
 
 RUN rails generate controller home index
 WORKDIR /tmp/ruby_sandbox/webapp
 EXPOSE 3000
-RUN sed -i '2i gem "perimeter_x", :path => "/tmp/ruby_sandbox/perimeterx-ruby-sdk"' /tmp/ruby_sandbox/webapp/Gemfile
+RUN sed -i '2i gem "perimeter_x", :path => "/tmp/ruby_sandbox"' /tmp/ruby_sandbox/webapp/Gemfile
 RUN bundler update
-COPY ./examples/ /tmp/ruby_sandbox/webapp
+COPY ./dev/site/ /tmp/ruby_sandbox/webapp
 CMD ["rails","server","-b","0.0.0.0"]

data/Gemfile.lock

@@ -1,55 +1,61 @@
 PATH
   remote: .
   specs:
-    perimeter_x (1.0.5)
-      activesupport (>= 4.2.0)
-      httpclient (= 2.8.2.4)
+    perimeter_x (2.0.0)
+      activesupport (>= 5.2.4.3)
+      concurrent-ruby (~> 1.0, >= 1.0.5)
       mustache (~> 1.0, >= 1.0.3)
+      typhoeus (~> 1.1, >= 1.1.2)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    activesupport (5.0.2)
+    activesupport (6.0.3.2)
       concurrent-ruby (~> 1.0, >= 1.0.2)
-      i18n (~> 0.7)
+      i18n (>= 0.7, < 2)
       minitest (~> 5.1)
       tzinfo (~> 1.1)
-    concurrent-ruby (1.0.5)
-    diff-lcs (1.3)
-    httpclient (2.8.2.4)
-    i18n (0.8.1)
-    metaclass (0.0.4)
-    minitest (5.10.1)
-    mocha (1.2.1)
-      metaclass (~> 0.0.1)
-    mustache (1.0.4)
-    rake (10.4.2)
-    rspec (3.5.0)
-      rspec-core (~> 3.5.0)
-      rspec-expectations (~> 3.5.0)
-      rspec-mocks (~> 3.5.0)
-    rspec-core (3.5.4)
-      rspec-support (~> 3.5.0)
-    rspec-expectations (3.5.0)
+      zeitwerk (~> 2.2, >= 2.2.2)
+    concurrent-ruby (1.1.6)
+    diff-lcs (1.4.4)
+    ethon (0.12.0)
+      ffi (>= 1.3.0)
+    ffi (1.13.1)
+    i18n (1.8.3)
+      concurrent-ruby (~> 1.0)
+    minitest (5.14.1)
+    mocha (1.11.2)
+    mustache (1.1.1)
+    rake (13.0.1)
+    rspec (3.9.0)
+      rspec-core (~> 3.9.0)
+      rspec-expectations (~> 3.9.0)
+      rspec-mocks (~> 3.9.0)
+    rspec-core (3.9.2)
+      rspec-support (~> 3.9.3)
+    rspec-expectations (3.9.2)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.5.0)
-    rspec-mocks (3.5.0)
+      rspec-support (~> 3.9.0)
+    rspec-mocks (3.9.1)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.5.0)
-    rspec-support (3.5.0)
+      rspec-support (~> 3.9.0)
+    rspec-support (3.9.3)
     thread_safe (0.3.6)
-    tzinfo (1.2.3)
+    typhoeus (1.4.0)
+      ethon (>= 0.9.0)
+    tzinfo (1.2.7)
       thread_safe (~> 0.1)
+    zeitwerk (2.3.1)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  bundler (~> 1.14)
+  bundler (>= 2.1)
   mocha (~> 1.2, >= 1.2.1)
   perimeter_x!
-  rake (~> 10.0)
+  rake (>= 12.3)
   rspec (~> 3.0)
 
 BUNDLED WITH
-   1.14.6
+   2.1.4

data/Rakefile

@@ -3,6 +3,7 @@ begin
 
   RSpec::Core::RakeTask.new(:spec)
 
+  task :default => :spec
   task :test => :spec
 rescue LoadError
   # no rspec available

data/changelog.md

@@ -5,6 +5,63 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## [2.2.0] - 2020-09-15
+### Added
+ - First Party
+
+## [2.1.0] - 2020-09-01
+### Added
+ - Added option to set a different px configuration on each request
+ - Added types validation on configuration fields
+
+### Fixed
+ - New cookie logic for mobile requests
+ - Renamed api_connect_timeout to api_timeout_conncection on default configuration
+ - Removed unsapported configuration fields: max_buffer_len and local_proxy
+ - Send cookie_origin only if there is a cookie
+
+## [2.0.0] - 2020-07-24
+### Added
+ - Added fields to Block Activity: simulated_block, http_version, http_method, risk_rtt, px_orig_cookie
+ - Added fields to page_requested activity: pass_reason, risk_rtt, px_orig_cookie
+ - Added px_orig_cookie field to risk_api in case of cookie_decryption_failed
+ - Added support for captcha v2
+ - Added support for Advanced Blocking Response
+ - Added support for whitelise routes
+ - Added support for bypass monitor header
+ - Added support for extracting vid from _pxvid cookie
+ - Added support for rate limit
+ - Added risk_cookie_max_iterations configuration
+
+### Fixed
+ - Updated dependencies
+ - Updated sample site dockerfile
+ - Fixed monitor mode
+ - Fixed send_page_activities and send_block_activities configurations
+ - Updated risk to v3
+ - Refactored ip header extraction
+ - Renamed block_uuid field to client_uuid
+ - Renamed perimeterx_server_host configuration to backend_url
+ - Updated risk_response handling: pass the request if risk_response.status is -1
+ - Forcing http header values to be utf8
+
+## [1.4.0] - 2018-03-18
+### Fixed
+ - Incorrect assigment for s2s_call_reason
+ - Fixed empty token result correct s2s reason
+
+### Added
+ - Added support to captcha api v2
+ - Mobile sdk support for special tokens 1/2/3
+
+
+## [1.3.0] - 2017-07-27
+### Added
+ - Sending client_uuid on page_requested activities
+ - Supporting mobile sdk
+### Fixed
+ - Using `request.env` instead of `env`
+
 ## [1.2.0] - 2017-06-04
 ### Fixed 
     - Default timeouts for post api requests
@@ -27,3 +84,4 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
  - Constants on px_constants
  - Cookie Validation flow when cookie score was over the configured threshold
  - Using symbols instead of strings for requests body
+

data/examples/app/controllers/home_controller.rb

@@ -1,7 +1,7 @@
 class HomeController < ApplicationController
   include PxModule
 
-  before_filter :px_verify_request
+  before_action :px_verify_request
 
   def index
   end

data/lib/perimeter_x.rb

@@ -1,3 +1,7 @@
+require 'concurrent'
+require 'json'
+require 'base64'
+require 'uri'
 require 'perimeterx/configuration'
 require 'perimeterx/utils/px_logger'
 require 'perimeterx/utils/px_constants'
@@ -7,139 +11,259 @@ require 'perimeterx/internal/perimeter_x_context'
 require 'perimeterx/internal/clients/perimeter_x_activity_client'
 require 'perimeterx/internal/validators/perimeter_x_s2s_validator'
 require 'perimeterx/internal/validators/perimeter_x_cookie_validator'
-require 'perimeterx/internal/validators/perimeter_x_captcha_validator'
+require 'perimeterx/internal/exceptions/px_config_exception'
+require 'perimeterx/internal/first_party/px_first_party'
 
 module PxModule
-
   # Module expose API
-  def px_verify_request
-    verified, px_ctx = PerimeterX.instance.verify(env)
-
-    # Invalidate _pxCaptcha, can be done only on the controller level
-    cookies[:_pxCaptcha] = { value: "", expires: -1.minutes.from_now }
-
-    if (!verified)
-      # In case custon block handler exists
-      if (PerimeterX.instance.px_config.key?(:custom_block_handler))
-        PerimeterX.instance.px_config[:logger].debug("PxModule[px_verify_request]: custom_block_handler triggered")
-        return instance_exec(px_ctx, &PerimeterX.instance.px_config[:custom_block_handler])
-      else
-        # Generate template
-        PerimeterX.instance.px_config[:logger].debug("PxModule[px_verify_request]: sending default block page")
-        html = PxTemplateFactory.get_template(px_ctx, PerimeterX.instance.px_config)
-        response.headers["Content-Type"] = "text/html"
-        response.status = 403
-        render :html => html
+  def px_verify_request(request_config={})    
+    begin
+      px_instance = PerimeterX.new(request_config)
+      req = ActionDispatch::Request.new(request.env)
+
+      # handle first party requests
+      if px_instance.first_party.is_first_party_request(req)
+        render_first_party_response(req, px_instance)
+        return true
+      end
+
+      # verify request
+      px_ctx = px_instance.verify(req)
+      px_config = px_instance.px_config
+
+      msg_title = 'PxModule[px_verify_request]'
+
+      # In case custom verification handler is in use
+      if px_config.key?(:custom_verification_handler)
+        px_config[:logger].debug("#{msg_title}: custom_verification_handler triggered")
+        return instance_exec(px_ctx, &px_config[:custom_verification_handler])
       end
+
+      unless px_ctx.nil? || px_ctx.context[:verified] || (px_config[:module_mode] == PxModule::MONITOR_MODE && !px_ctx.context[:should_bypass_monitor])
+        # In case custom block handler exists (soon to be deprecated)
+        if px_config.key?(:custom_block_handler)
+          px_config[:logger].debug("#{msg_title}: custom_block_handler triggered")
+          px_config[:logger].debug(
+              "#{msg_title}: Please note that custom_block_handler is deprecated. Use custom_verification_handler instead.")
+          return instance_exec(px_ctx, &px_config[:custom_block_handler])
+        else
+          if px_ctx.context[:block_action]== 'rate_limit'
+            px_config[:logger].debug("#{msg_title}: sending rate limit page")
+            response.status = 429
+          else
+            px_config[:logger].debug("#{msg_title}: sending default block page")
+            response.status = 403
+          end
+
+          is_mobile = px_ctx.context[:cookie_origin] == 'header' ? '1' : '0'
+          action = px_ctx.context[:block_action][0,1]          
+
+          if px_config[:first_party_enabled]
+            px_template_object = {
+            js_client_src:  "/#{px_config[:app_id][2..-1]}/init.js",
+            block_script: "/#{px_config[:app_id][2..-1]}/captcha/#{px_config[:app_id]}/captcha.js?a=#{action}&u=#{px_ctx.context[:uuid]}&v=#{px_ctx.context[:vid]}&m=#{is_mobile}",
+            host_url: "/#{px_config[:app_id][2..-1]}/xhr"
+            }
+          else
+            px_template_object = {
+            js_client_src: "//#{PxModule::CLIENT_HOST}/#{px_config[:app_id]}/main.min.js",
+            block_script: "//#{PxModule::CAPTCHA_HOST}/#{px_config[:app_id]}/captcha.js?a=#{action}&u=#{px_ctx.context[:uuid]}&v=#{px_ctx.context[:vid]}&m=#{is_mobile}",
+            host_url: "https://collector-#{px_config[:app_id]}.perimeterx.net"
+            }
+          end
+
+          html = PxTemplateFactory.get_template(px_ctx, px_config, px_template_object)
+
+          # Web handler
+          if px_ctx.context[:cookie_origin] == 'cookie'
+
+            accept_header_value = request.headers['accept'] || request.headers['content-type'];
+            is_json_response = px_ctx.context[:block_action] != 'rate_limit' && accept_header_value && accept_header_value.split(',').select {|e| e.downcase.include? 'application/json'}.length > 0;
+
+            if (is_json_response)
+              px_config[:logger].debug("#{msg_title}: advanced blocking response response")
+              response.headers['Content-Type'] = 'application/json'
+
+              hash_json = {
+                  :appId => px_config[:app_id],
+                  :jsClientSrc => px_template_object[:js_client_src],
+                  :firstPartyEnabled => px_ctx.context[:first_party_enabled],
+                  :uuid => px_ctx.context[:uuid],
+                  :vid => px_ctx.context[:vid],
+                  :hostUrl => "https://collector-#{px_config[:app_id]}.perimeterx.net",
+                  :blockScript => px_template_object[:block_script],
+              }
+
+              render :json => hash_json
+            else
+              px_config[:logger].debug('#{msg_title}: web block')
+              response.headers['Content-Type'] = 'text/html'
+              render :html => html
+            end
+          else # Mobile SDK
+            px_config[:logger].debug("#{msg_title}: mobile sdk block")
+            response.headers['Content-Type'] = 'application/json'
+            hash_json = {
+                :action => px_ctx.context[:block_action],
+                :uuid => px_ctx.context[:uuid],
+                :vid => px_ctx.context[:vid],
+                :appId => px_config[:app_id],
+                :page => Base64.strict_encode64(html),
+                :collectorUrl => "https://collector-#{px_config[:app_id]}.perimeterx.net"
+            }
+            render :json => hash_json
+          end
+        end
+      end
+
+      # Request was verified
+      return px_ctx.nil? ? true : px_ctx.context[:verified]
+      
+    rescue PxConfigurationException
+      raise
+    rescue Exception => e
+      error_logger = PxLogger.new(true)
+      error_logger.error("#{e.backtrace.first}: #{e.message} (#{e.class})")
+      e.backtrace.drop(1).map {|s| error_logger.error("\t#{s}")}
+      return nil
     end
+  end
 
-    return verified
+  def render_first_party_response(req, px_instance)
+    fp = px_instance.first_party
+    px_config = px_instance.px_config
+    
+    if px_config[:first_party_enabled]
+      # first party enabled - proxy response
+      fp_response = fp.send_first_party_request(req)
+      response.status = fp_response.code
+      fp_response.to_hash.each do |header_name, header_value_arr| 
+        if header_name!="content-length"
+          response.headers[header_name] = header_value_arr[0]
+        end
+      end
+      res_type = fp.get_response_content_type(req)
+      render res_type => fp_response.body
+    else
+      # first party disabled - return empty response
+      response.status = 200
+      res_type = fp.get_response_content_type(req)
+      render res_type => ""
+    end
   end
 
-  def self.configure(params)
-    @px_instance = PerimeterX.configure(params)
+  def self.configure(basic_config)
+    PerimeterX.set_basic_config(basic_config)
   end
 
 
-  # PerimtereX Module
+  # PerimeterX Module
   class PerimeterX
-    @@__instance = nil
-    @@mutex = Mutex.new
 
     attr_reader :px_config
+    attr_reader :first_party
     attr_accessor :px_http_client
     attr_accessor :px_activity_client
 
     #Static methods
-    def self.configure(params)
-      return true if @@__instance
-      @@mutex.synchronize {
-        return @@__instance if @@__instance
-        @@__instance = new(params)
-      }
-      return true
-    end
-
-    def self.instance
-      return @@__instance if !@@__instance.nil?
-      raise Exception.new("Please initialize perimeter x first")
+    def self.set_basic_config(basic_config)
+      Configuration.set_basic_config(basic_config)
     end
 
-
     #Instance Methods
-    def verify(env)
+    def verify(req)
       begin
-        @logger.debug("PerimeterX[pxVerify]")
-        req = ActionDispatch::Request.new(env)
-        if (!@px_config[:module_enabled])
-          @logger.warn("Module is disabled")
-          return true
-        end
-        px_ctx = PerimeterXContext.new(@px_config, req)
 
-        # Captcha phase
-        captcha_verified, px_ctx = @px_captcha_validator.verify(px_ctx)
-        if (captcha_verified)
-          return handle_verification(px_ctx)
+        # check module_enabled 
+        @logger.debug('PerimeterX[pxVerify]')
+        if !@px_config[:module_enabled]
+          @logger.warn('Module is disabled')
+          return nil
+        end
+        
+        # filter whitelist routes
+        url_path = URI.parse(req.original_url).path
+        if url_path && !url_path.empty?
+          if check_whitelist_routes(px_config[:whitelist_routes], url_path) 
+            @logger.debug("PerimeterX[pxVerify]: whitelist route: #{url_path}")
+            return nil
+          end
         end
+        
+        # create context
+        px_ctx = PerimeterXContext.new(@px_config, req)
 
         # Cookie phase
         cookie_verified, px_ctx = @px_cookie_validator.verify(px_ctx)
-        if (!cookie_verified)
+        if !cookie_verified
+          if !px_ctx.context[:mobile_error].nil?
+            px_ctx.context[:s2s_call_reason] = "mobile_error_#{px_ctx.context[:mobile_error]}"
+          end
           @px_s2s_validator.verify(px_ctx)
         end
 
-        if (@px_config.key?(:custom_verification_handler))
-          return @px_config[:custom_verification_handler].call(px_ctx.context)
-        else
-          return handle_verification(px_ctx)
-        end
+        return handle_verification(px_ctx)
       rescue Exception => e
         @logger.error("#{e.backtrace.first}: #{e.message} (#{e.class})")
-        e.backtrace.drop(1).map { |s| @logger.error("\t#{s}") }
-        return true
+        e.backtrace.drop(1).map {|s| @logger.error("\t#{s}")}
+        return nil
       end
     end
 
-    private def initialize(params)
-      @px_config = Configuration.new(params).configuration
+    def initialize(request_config)
+
+      @px_config = Configuration.new(request_config).configuration
       @logger = @px_config[:logger]
       @px_http_client = PxHttpClient.new(@px_config)
 
       @px_activity_client = PerimeterxActivitiesClient.new(@px_config, @px_http_client)
+      @first_party = FirstPartyManager.new(@px_config, @px_http_client, @logger)
 
       @px_cookie_validator = PerimeterxCookieValidator.new(@px_config)
       @px_s2s_validator = PerimeterxS2SValidator.new(@px_config, @px_http_client)
-      @px_captcha_validator = PerimeterxCaptchaValidator.new(@px_config, @px_http_client)
-      @logger.debug("PerimeterX[initialize]")
+      @logger.debug('PerimeterX[initialize]')
     end
 
     private def handle_verification(px_ctx)
-      @logger.debug("PerimeterX[handle_verification]")
+      @logger.debug('PerimeterX[handle_verification]')
       @logger.debug("PerimeterX[handle_verification]: processing ended - score:#{px_ctx.context[:score]}, uuid:#{px_ctx.context[:uuid]}")
 
       score = px_ctx.context[:score]
+      px_ctx.context[:should_bypass_monitor] = @px_config[:bypass_monitor_header] && px_ctx.context[:headers][@px_config[:bypass_monitor_header].to_sym] == '1';
+
+      px_ctx.context[:verified] = score < @px_config[:blocking_score]
       # Case PASS request
-      if (score < @px_config[:blocking_score])
+      if px_ctx.context[:verified]
         @logger.debug("PerimeterX[handle_verification]: score:#{score} < blocking score, passing request")
         @px_activity_client.send_page_requested_activity(px_ctx)
-        return true
+        return px_ctx
       end
 
       # Case blocking activity
       @px_activity_client.send_block_activity(px_ctx)
 
       # In case were in monitor mode, end here
-      if(@px_config[:module_mode] == PxModule::MONITOR_MODE)
+      if @px_config[:module_mode] == PxModule::MONITOR_MODE && !px_ctx.context[:should_bypass_monitor]
         @logger.debug("PerimeterX[handle_verification]: monitor mode is on, passing request")
-        return true
+        return px_ctx
       end
 
-      @logger.debug("PerimeterX[handle_verification]: verification ended, the request should be blocked")
+      @logger.debug('PerimeterX[handle_verification]: verification ended, the request should be blocked')
+
+      return px_ctx
+    end
 
-      return false, px_ctx
+    private def check_whitelist_routes(whitelist_routes, path)
+      whitelist_routes.each do |whitelist_route|
+        if whitelist_route.is_a?(Regexp) && path.match(whitelist_route)
+          return true
+        end
+        if whitelist_route.is_a?(String) && path.start_with?(whitelist_route)
+          return true
+        end
+      end
+      false
     end
 
-    private_class_method :new
   end
 end