perimeter_x 1.2.0 → 2.2.0

data/lib/perimeterx/internal/perimeter_x_context.rb

@@ -1,41 +1,89 @@
 require 'perimeterx/utils/px_logger'
+require 'perimeterx/utils/px_constants'
 
 module PxModule
   class PerimeterXContext
 
     attr_accessor :context
     attr_accessor :px_config
+    
+    # class methods
+
+    def self.extract_ip(req, px_config)
+      # Get IP from header/custom function
+      if px_config[:ip_headers].length() > 0
+        px_config[:ip_headers].each do |ip_header|
+          if req.headers[ip_header]
+            return PerimeterXContext.force_utf8(req.headers[ip_header])
+          end
+        end
+      elsif px_config[:ip_header_function] != nil
+        return px_config[:ip_header_function].call(req) 
+      end      
+      return req.ip
+    end
+
+    def self.force_utf8(str)
+      return str.encode('UTF-8', 'binary', invalid: :replace, undef: :replace, replace: '')
+    end
+
+    # instance methods
 
     def initialize(px_config, req)
-      @logger = px_config[:logger];
-      @logger.debug("PerimeterXContext[initialize] ")
+      @logger = px_config[:logger]
+      @logger.debug('PerimeterXContext[initialize]')
       @context = Hash.new
 
       @context[:px_cookie] = Hash.new
       @context[:headers] = Hash.new
+      @context[:cookie_origin] = 'cookie'
+      @context[:made_s2s_risk_api_call] = false
+      @context[:first_party_enabled] = px_config[:first_party_enabled]
+      
       cookies = req.cookies
-      if (!cookies.empty?)
+
+      @context[:ip] = PerimeterXContext.extract_ip(req, px_config)
+
+      # Get token from header
+      if req.headers[PxModule::TOKEN_HEADER]
+        @context[:cookie_origin] = 'header'
+        token = PerimeterXContext.force_utf8(req.headers[PxModule::TOKEN_HEADER])
+        if token.match(PxModule::MOBILE_TOKEN_V3_REGEX)
+          @context[:px_cookie][:v3] = token[2..-1]
+        elsif token.match(PxModule::MOBILE_ERROR_REGEX)
+          @context[:mobile_error] = token
+          if req.headers[PxModule::ORIGINAL_TOKEN_HEADER]
+            token = PerimeterXContext.force_utf8(req.headers[PxModule::ORIGINAL_TOKEN_HEADER])
+            if token.match(PxModule::MOBILE_TOKEN_V3_REGEX)
+              @context[:px_cookie][:v3] = token[2..-1]
+            end
+          end
+        end
+      elsif !cookies.empty? # Get cookie from jar
         # Prepare hashed cookies
         cookies.each do |k, v|
           case k.to_s
-            when "_px3"
-              @context[:px_cookie][:v3] = v
-            when "_px"
-              @context[:px_cookie][:v1] = v
-            when "_pxCaptcha"
-              @context[:px_captcha] = v
+            when '_px3'
+              @context[:px_cookie][:v3] = PerimeterXContext.force_utf8(v)
+            when '_px'
+              @context[:px_cookie][:v1] = PerimeterXContext.force_utf8(v)
+            when '_pxvid'
+              if v.is_a?(String) && v.match(PxModule::VID_REGEX)
+                @context[:vid_source] = "vid_cookie"
+                @context[:vid] = PerimeterXContext.force_utf8(v)
+              end
           end
         end #end case
       end #end empty cookies
 
       req.headers.each do |k, v|
-        if (k.start_with? "HTTP_")
-          header = k.to_s.gsub("HTTP_", "")
-          header = header.gsub("_", "-").downcase
-          @context[:headers][header.to_sym] = v
+        if (k.start_with? 'HTTP_')
+          header = k.to_s.gsub('HTTP_', '')
+          header = header.gsub('_', '-').downcase
+          @context[:headers][header.to_sym] = PerimeterXContext.force_utf8(v)
         end
       end #end headers foreach
-
+      
       @context[:hostname]= req.server_name
       @context[:user_agent] = req.user_agent ? req.user_agent : ''
       @context[:uri] = px_config[:custom_uri] ? px_config[:custom_uri].call(req)  : req.fullpath 
@@ -43,18 +91,10 @@ module PxModule
       @context[:format] = req.format.symbol
       @context[:score] = 0
 
-      if px_config.key?(:custom_user_ip)
-        @context[:ip] = req.headers[px_config[:custom_user_ip]]
-      elsif px_config.key?(:px_custom_user_ip_method)
-        @context[:ip] = px_config[:px_custom_user_ip_method].call(req)
-      else
-        @context[:ip] = req.ip
-      end
-
       if req.server_protocol
-          httpVer = req.server_protocol.split("/")
+          httpVer = req.server_protocol.split('/')
           if httpVer.size > 0
-              @context[:http_version] = httpVer[1];
+              @context[:http_version] = httpVer[1]
           end
       end
       @context[:http_method] = req.method
@@ -65,19 +105,21 @@ module PxModule
 		sensitive_routes.each do |sensitive_route|
 			return true if uri.start_with? sensitive_route
 		end
-		return false
+    false
 	end
 
     def set_block_action_type(action)
       @context[:block_action] = case action
-        when "c"
-          "captcha"
-        when "b"
-          return "block"
-        when "j"
-          return "challenge"
+        when 'c'
+          'captcha'
+        when 'b'
+          return 'block'
+        when 'j'
+          return 'challenge'
+        when 'r'
+          return 'rate_limit'
         else
-          return "captcha"
+          return captcha
         end
     end
 

data/lib/perimeterx/internal/validators/hash_schema_validator.rb

@@ -0,0 +1,26 @@
+def validate_hash_schema(hash, schema)
+  hash.each do |key, value|
+    if schema.key?(key) && value != nil
+      # validate value types in hash are according to schema
+      if !schema[key][:types].include?(value.class)
+        raise PxConfigurationException.new("PerimeterX: Type of #{key} should be one of #{schema[key][:types]} but instead is #{value.class}")
+      end
+      
+      # validate arrays elments types are according to schema
+      if value.class == Array
+        value.each do |element|
+          if !schema[key][:allowed_element_types].include?(element.class)
+            raise PxConfigurationException.new("PerimeterX: #{key} may only contain elements of the following types: #{schema[key][:allowed_element_types]} but includes element of type #{element.class}")
+          end
+        end
+      end
+    end
+  end
+
+  # validate required fields exist in hash
+  schema.each do |key, value|
+    if value[:required] && hash[key].nil?
+      raise PxConfigurationException.new("PerimeterX: #{key} configuration is missing")
+    end
+  end
+end

data/lib/perimeterx/internal/validators/perimeter_x_cookie_validator.rb

@@ -1,7 +1,9 @@
 require 'perimeterx/utils/px_constants'
-require 'perimeterx/internal/perimeter_x_cookie'
-require 'perimeterx/internal/perimeter_x_cookie_v1'
-require 'perimeterx/internal/perimeter_x_cookie_v3'
+require 'perimeterx/internal/payload/perimeter_x_payload'
+require 'perimeterx/internal/payload/perimeter_x_token_v1'
+require 'perimeterx/internal/payload/perimeter_x_token_v3'
+require 'perimeterx/internal/payload/perimeter_x_cookie_v1'
+require 'perimeterx/internal/payload/perimeter_x_cookie_v3'
 
 module PxModule
   class PerimeterxCookieValidator
@@ -16,57 +18,63 @@ module PxModule
 
     def verify(px_ctx)
       begin
-        # Case no cookie
         if px_ctx.context[:px_cookie].empty?
-          @logger.warn("PerimeterxCookieValidator:[verify]: cookie not found")
+          @logger.warn("PerimeterxCookieValidator:[verify]: no cookie")
           px_ctx.context[:s2s_call_reason] = PxModule::NO_COOKIE
           return false, px_ctx
         end
-
+        
         # Deserialize cookie start
-        cookie = PerimeterxCookie.px_cookie_factory(px_ctx, @px_config)
-        if (!cookie.deserialize())
+        cookie = PerimeterxPayload.px_cookie_factory(px_ctx, @px_config)
+        if !cookie.deserialize()
           @logger.warn("PerimeterxCookieValidator:[verify]: invalid cookie")
+          px_ctx.context[:px_orig_cookie] = px_ctx.get_px_cookie
           px_ctx.context[:s2s_call_reason] =  PxModule::COOKIE_DECRYPTION_FAILED
           return false, px_ctx
         end
         px_ctx.context[:decoded_cookie] = cookie.decoded_cookie
         px_ctx.context[:score] = cookie.cookie_score()
         px_ctx.context[:uuid] = cookie.decoded_cookie[:u]
-        px_ctx.context[:vid] = cookie.decoded_cookie[:v]
         px_ctx.context[:block_action] = px_ctx.set_block_action_type(cookie.cookie_block_action())
         px_ctx.context[:cookie_hmac] = cookie.cookie_hmac()
 
-        if (cookie.expired?)
+        vid = cookie.decoded_cookie[:v]
+        if vid.is_a?(String) && vid.match(PxModule::VID_REGEX)
+          px_ctx.context[:vid_source] = "risk_cookie"
+          px_ctx.context[:vid] = vid
+        end
+
+        if cookie.expired?
           @logger.warn("PerimeterxCookieValidator:[verify]: cookie expired")
           px_ctx.context[:s2s_call_reason] = PxModule::EXPIRED_COOKIE
           return false, px_ctx
         end
 
-        if (cookie.high_score?)
+        if cookie.high_score?
           @logger.warn("PerimeterxCookieValidator:[verify]: cookie high score")
-          px_ctx.context[:s2s_call_reason] = PxModule::COOKIE_HIGH_SCORE
+          px_ctx.context[:blocking_reason] = 'cookie_high_score'
           return true, px_ctx
         end
 
-        if (!cookie.secured?)
+        if !cookie.secured?
           @logger.warn("PerimeterxCookieValidator:[verify]: cookie invalid hmac")
-          px_ctx.context[:s2s_call_reason] = PxModule::COOKIE_VALIDATION_FAILED
+          px_ctx.context[:s2s_call_reason] = PxModule:: COOKIE_VALIDATION_FAILED
+          return false, px_ctx
+        end
+
+        if px_ctx.context[:sensitive_route]
+          @logger.info("PerimeterxCookieValidator:[verify]: cookie was verified but route is sensitive")
+          px_ctx.context[:s2s_call_reason] = PxModule::SENSITIVE_ROUTE
           return false, px_ctx
         end
-		
-	if (px_ctx.context[:sensitive_route])
-	  @logger.info("PerimeterxCookieValidator:[verify]: cookie was verified but route is sensitive")
-	  px_ctx.context[:s2s_call_reason] = PxModule::SENSITIVE_ROUTE
-	  return false, px_ctx
-	end
 
         @logger.debug("PerimeterxCookieValidator:[verify]: cookie validation passed succesfully")
 
+        px_ctx.context[:pass_reason] = 'cookie'
         return true, px_ctx
       rescue Exception => e
         @logger.error("PerimeterxCookieValidator:[verify]: exception while verifying cookie => #{e.message}")
-        px_ctx.context[:px_orig_cookie] = cookie.px_cookie
+        px_ctx.context[:px_orig_cookie] = px_ctx.context[:px_cookie]
         px_ctx.context[:s2s_call_reason] = PxModule::COOKIE_DECRYPTION_FAILED
         return false, px_ctx
       end

data/lib/perimeterx/internal/validators/perimeter_x_s2s_validator.rb

@@ -5,11 +5,11 @@ module PxModule
 
     def initialize(px_config, http_client)
       super(px_config, http_client)
-      @logger.debug("PerimeterxS2SValidator[initialize]")
+      @logger.debug('PerimeterxS2SValidator[initialize]')
     end
 
     def send_risk_request(px_ctx)
-      @logger.debug("PerimeterxS2SValidator[send_risk_request]: send_risk_request")
+      @logger.debug('PerimeterxS2SValidator[send_risk_request]: send_risk_request')
 
       risk_mode = PxModule::RISK_MODE_ACTIVE
       if @px_config[:module_mode] == PxModule::MONITOR_MODE
@@ -31,6 +31,17 @@ module PxModule
           :risk_mode => risk_mode
         }
       }
+
+      #Check for cookie_origin
+      if !px_ctx.context[:px_cookie].empty?
+        request_body[:additional][:cookie_origin] = px_ctx.context[:cookie_origin]
+      end
+
+      #Override s2s_call_reason in case of mobile error
+      if !px_ctx.context[:mobile_error].nil?
+        request_body[:additional][:s2s_call_reason] = "mobile_error_#{px_ctx.context[:mobile_error]}"
+      end
+
       #Check for hmac
       @logger.debug("px_ctx cookie_hmac key = #{px_ctx.context.key?(:cookie_hmac)}, value is: #{px_ctx.context[:cookie_hmac]}")
       if px_ctx.context.key?(:cookie_hmac)
@@ -66,11 +77,19 @@ module PxModule
       };
 
       # Custom risk handler
+      risk_start = Time.now
       if (risk_mode == PxModule::ACTIVE_MODE && @px_config.key?(:custom_risk_handler))
-        response = @px_config[:custom_risk_handler].call(PxModule::API_V2_RISK, request_body, headers, @px_config[:api_timeout], @px_config[:api_timeout_connection])
+        response = @px_config[:custom_risk_handler].call(PxModule::API_V3_RISK, request_body, headers, @px_config[:api_timeout], @px_config[:api_timeout_connection])
       else
-        response = @http_client.post(PxModule::API_V2_RISK , request_body, headers, @px_config[:api_timeout], @px_config[:api_timeout_connection])
+        response = @http_client.post(PxModule::API_V3_RISK , request_body, headers, @px_config[:api_timeout], @px_config[:api_timeout_connection])
+      end
+
+      # Set risk_rtt
+      if(response)
+        risk_end = Time.now
+        px_ctx.context[:risk_rtt] = ((risk_end-risk_start)*1000).round
       end
+
       return response
     end
 
@@ -78,6 +97,7 @@ module PxModule
       @logger.debug("PerimeterxS2SValidator[verify]")
       response = send_risk_request(px_ctx)
       if (!response)
+        px_ctx.context[:pass_reason] = "s2s_timeout"
         return px_ctx
       end
       px_ctx.context[:made_s2s_risk_api_call] = true
@@ -85,7 +105,7 @@ module PxModule
       # From here response should be valid, if success or error
       response_body = eval(response.body);
       # When success
-      if (response.code == 200 && response_body.key?(:score) && response_body.key?(:action))
+      if (response.code == 200 && response_body.key?(:score) && response_body.key?(:action) && response_body.key?(:status) && response_body[:status] == 0 )
         @logger.debug("PerimeterxS2SValidator[verify]: response ok")
         score = response_body[:score]
         px_ctx.context[:score] = score
@@ -96,14 +116,18 @@ module PxModule
           px_ctx.context[:blocking_reason] = 'challenge'
         elsif (score >= @px_config[:blocking_score])
           px_ctx.context[:blocking_reason] = 's2s_high_score'
+        else
+          px_ctx.context[:pass_reason] = 's2s'
         end #end challange or blocking score
       end #end success response
 
       # When error
-      if(response.code != 200)
-        @logger.warn("PerimeterxS2SValidator[verify]: bad response, return code #{response.code}")
-        px_ctx.context[:uuid] = ""
-        px_ctx.context[:s2s_error_msg] = response_body[:message]
+      risk_error_status = response_body && response_body.key?(:status) && response_body[:status] == -1
+      if(response.code != 200 || risk_error_status)
+        @logger.warn("PerimeterxS2SValidator[verify]: bad response, returned code #{response.code} #{risk_error_status ? "risk status: -1" : ""}")
+        px_ctx.context[:pass_reason] = 'request_failed'
+        px_ctx.context[:uuid] = (!response_body || response_body[:uuid].nil?)? "" : response_body[:uuid]
+        px_ctx.context[:s2s_error_msg] = !response_body || response_body[:message].nil? ? 'unknown' : response_body[:message]
       end
 
       @logger.debug("PerimeterxS2SValidator[verify]: done")

data/lib/perimeterx/utils/px_constants.rb

@@ -4,33 +4,34 @@ module PxModule
   # Misc
   MONITOR_MODE = 1
   ACTIVE_MODE = 2
-  RISK_MODE_ACTIVE = "active_blocking"
-  RISK_MODE_MONITOR = "monitor"
+  RISK_MODE_ACTIVE = 'active_blocking'
+  RISK_MODE_MONITOR = 'monitor'
   SDK_NAME = "RUBY SDK v#{PxModule::VERSION}"
 
   # Routes
-  API_V1_S2S = "/api/v1/collector/s2s"
-  API_V1_CAPTCHA = "/api/v1/risk/captcha"
-  API_V2_RISK = "/api/v2/risk"
+  API_V1_S2S = '/api/v1/collector/s2s'
+  API_V3_RISK = '/api/v3/risk'
 
   # Activity Types
-  BLOCK_ACTIVITY = "block"
-  PAGE_REQUESTED_ACTIVITY = "page_requested"
+  BLOCK_ACTIVITY = 'block'
+  PAGE_REQUESTED_ACTIVITY = 'page_requested'
 
   # PxContext
-  NO_COOKIE = "no_cookie"
-  INVALID_COOKIE = "invalid_cookie"
-  EXPIRED_COOKIE = "cookie_expired"
-  COOKIE_HIGH_SCORE = "cookie_high_score"
-  COOKIE_VALIDATION_FAILED = "cookie_validation_failed"
-  COOKIE_DECRYPTION_FAILED = "cookie_decryption_failed"
-  SENSITIVE_ROUTE = "sensitive_route"
+  NO_COOKIE = 'no_cookie'
+  INVALID_COOKIE = 'invalid_cookie'
+  EXPIRED_COOKIE = 'cookie_expired'
+  COOKIE_HIGH_SCORE = 'cookie_high_score'
+  COOKIE_VALIDATION_FAILED = 'cookie_validation_failed'
+  COOKIE_DECRYPTION_FAILED = 'cookie_decryption_failed'
+  SENSITIVE_ROUTE = 'sensitive_route'
 
   # Templates
-  BLOCK_TEMPLATE = "block.mustache"
-  CAPTCHA_TEMPLATE = "captcha.mustache"
+  CHALLENGE_TEMPLATE = 'block_template'
+  TEMPLATE_EXT = '.mustache'
+  RATELIMIT_TEMPLATE = 'ratelimit'
 
-  # Tempalte Props
+
+  # Template Props
   PROP_REF_ID = :refId
   PROP_APP_ID = :appId
   PROP_VID = :vid
@@ -39,7 +40,24 @@ module PxModule
   PROP_CUSTOM_LOGO = :customLogo
   PROP_CSS_REF = :cssRef
   PROP_JS_REF = :jsRef
+  PROP_BLOCK_SCRIPT = :blockScript
+  PROP_JS_CLIENT_SRC = :jsClientSrc
+  PROP_HOST_URL = :hostUrl
+  PROP_FIRST_PARTY_ENABLED = :firstPartyEnabled
+
+  # Hosts
+  CLIENT_HOST = 'client.perimeterx.net'
+  CAPTCHA_HOST = 'captcha.px-cdn.net'
 
   VISIBLE = 'visible'
   HIDDEN = 'hidden'
+
+  # Mobile SDK
+  TOKEN_HEADER = 'X-PX-AUTHORIZATION'
+  ORIGINAL_TOKEN_HEADER = 'X-PX-ORIGINAL-TOKEN'
+
+  # Regular Expressions
+  VID_REGEX = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/
+  MOBILE_TOKEN_V3_REGEX = /\A3:(.*)\z/ 
+  MOBILE_ERROR_REGEX = /\A[0-9]\z/           
 end

data/lib/perimeterx/utils/px_http_client.rb

@@ -1,6 +1,7 @@
 require 'perimeterx/utils/px_logger'
 require 'typhoeus'
 require 'concurrent'
+require 'net/http'
 
 module PxModule
   class PxHttpClient
@@ -12,10 +13,10 @@ module PxModule
     def initialize(px_config)
       @px_config = px_config
       @logger = px_config[:logger]
-      @logger.debug("PxHttpClient[initialize]: HTTP client is being initilized with base_uri: #{px_config[:perimeterx_server_host]}")
+      @logger.debug("PxHttpClient[initialize]: HTTP client is being initilized with base_uri: #{px_config[:backend_url]}")
     end
 
-    # Runs a POST commant to Perimeter X servers
+    # Runs a POST command to Perimeter X servers
     # Params:
     # +path+:: string containing uri
     # +body+:: hash object, containing the request body, must be converted to json format
@@ -28,7 +29,7 @@ module PxModule
       begin
         @logger.debug("PxHttpClient[post]: posting to #{path} headers {#{headers.to_json()}} body: {#{body.to_json()}} ")
         response = Typhoeus.post(
-            "#{px_config[:perimeterx_server_host]}#{path}",
+            "#{px_config[:backend_url]}#{path}",
             headers: headers,
             body: body.to_json,
             timeout: api_timeout,
@@ -45,5 +46,61 @@ module PxModule
       return response
     end
 
+
+    def post_xhr(url, body, headers)
+      s = Time.now
+      begin
+        @logger.debug("PxHttpClient[post]: sending xhr post request to #{url} with headers {#{headers.to_json()}}")
+        
+        #set url
+        uri = URI(url)
+        req = Net::HTTP::Post.new(uri)
+        
+        # set body
+        req.body=body
+        
+        # set headers
+        headers.each do |key, value|
+          req[key] = value
+        end
+        
+        # send request   
+        response = Net::HTTP.start(uri.hostname, uri.port) {|http|
+          http.request(req)
+        }
+
+      ensure
+        e = Time.now
+        @logger.debug("PxHttpClient[get]: runtime: #{(e-s) * 1000.0}")
+      end
+      return response
+    end
+
+
+    def get(url, headers)
+      s = Time.now
+      begin
+        @logger.debug("PxHttpClient[get]: sending get request to #{url} with headers {#{headers.to_json()}}")
+        
+        #set url
+        uri = URI(url)
+        req = Net::HTTP::Get.new(uri)
+        
+        # set headers
+        headers.each do |key, value|
+          req[key] = value
+        end
+        
+        # send request   
+        response = Net::HTTP.start(uri.hostname, uri.port) {|http|
+          http.request(req)
+        }
+        
+      ensure
+        e = Time.now
+        @logger.debug("PxHttpClient[get]: runtime: #{(e-s) * 1000.0}")
+      end
+      return response
+    end
   end
 end