perimeter_x 1.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: e61d04b45a194ff17fd78a20e69daaf0816f105c
+  data.tar.gz: 7adfcc853eb8b8f17957e0103157ff96c00f80e5
+SHA512:
+  metadata.gz: 680ae56d9caa2be50863b3e4cecf0cb34d2f4f1702437e8853344f279068f659d8ef19a7077924f00ce90be3a8ba49fe2491f6df0b6d102544ab7c602801890f
+  data.tar.gz: 4016e3c1ad702745335ff15bd2987ee0120db8579ede2ad6b23c165e98bec303413033260e521b53792d37bad3af4bd425a148fad275ff3657a16f6f06c210ef

data/.gitignore

@@ -0,0 +1,47 @@
+*.rbc
+capybara-*.html
+.rspec
+/log
+/tmp
+/bin
+/dev
+/db/*.sqlite3
+/db/*.sqlite3-journal
+/public/system
+/coverage/
+/spec/tmp
+examples/config/initializers/perimeterx.rb
+examples/app/views/home/index.html.erb
+**.orig
+*.gem
+rerun.txt
+pickle-email-*.html
+
+# TODO Comment out these rules if you are OK with secrets being uploaded to the repo
+config/initializers/secret_token.rb
+config/secrets.yml
+
+# dotenv
+# TODO Comment out this rule if environment variables can be committed
+.env
+
+## Environment normalization:
+/.bundle
+/vendor/bundle
+
+# these should all be checked in to normalize the environment:
+# Gemfile.lock, .ruby-version, .ruby-gemset
+
+# unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
+.rvmrc
+
+# if using bower-rails ignore default bower_components path bower.json files
+/vendor/assets/bower_components
+*.bowerrc
+bower.json
+
+# Ignore pow environment settings
+.powenv
+
+# Ignore Byebug command history file.
+.byebug_history

data/Dockerfile

@@ -0,0 +1,50 @@
+# Based on manual compile instructions at http://wiki.nginx.org/HttpLuaModule#Installation
+FROM ubuntu:14.04
+RUN apt-get update && apt-get --force-yes -qq -y install \
+    build-essential \
+    ca-certificates \
+    curl \
+    git \
+    libpcre3 \
+    libpcre3-dev \
+    libssl-dev \
+    libreadline-dev \
+    libyaml-dev \
+    libgdbm-dev \
+    libtool \
+    automake \
+    bison \
+    lua-cjson \
+    libncurses5-dev \
+    m4 \
+    libsqlite3-dev \
+    rsyslog \
+    sqlite3 \
+    libxml2-dev \
+    libxslt1-dev \
+    libcurl4-openssl-dev \
+    python-software-properties \
+    libffi-dev \
+    nodejs \
+    wget \
+    zlib1g-dev
+
+RUN gpg --keyserver hkp://keys.gnupg.net --recv-keys D39DC0E3
+RUN /bin/bash -l -c "curl -L get.rvm.io | bash -s stable --rails"
+RUN /bin/bash -l -c "rvm install 2.3.0"
+RUN /bin/bash -l -c "rvm use 2.3.0"
+RUN /bin/bash -l -c "gem install bundler"
+RUN /bin/bash -l -c "gem install rails -v 4.2.0"
+RUN mkdir -p /tmp/ruby_sandbox
+WORKDIR /tmp/ruby_sandbox
+RUN git clone https://github.com/PerimeterX/perimeterx-ruby-sdk.git
+RUN /bin/bash -l -c "rails new webapp"
+WORKDIR /tmp/ruby_sandbox/webapp
+RUN /bin/bash -l -c "rails generate controller home index"
+WORKDIR /tmp/ruby_sandbox/webapp
+EXPOSE 3000
+# TODO: make it take the files from git
+RUN sed -i '2i gem "perimeter_x", :path => "/tmp/ruby_sandbox/perimeterx-ruby-sdk"' /tmp/ruby_sandbox/webapp/Gemfile
+RUN /bin/bash -l -c "bundler update"
+COPY ./examples/ /tmp/ruby_sandbox/webapp
+CMD ["/bin/bash", "-l", "-c", "rails server -b 0.0.0.0;"]

data/Gemfile

@@ -0,0 +1,3 @@
+source "https://rubygems.org"
+
+gemspec

data/Gemfile.lock

@@ -0,0 +1,55 @@
+PATH
+  remote: .
+  specs:
+    perimeter_x (1.0.0)
+      activesupport (>= 4.2.0)
+      httpclient (= 2.8.2.4)
+      mustache (~> 1.0, >= 1.0.3)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    activesupport (5.0.2)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (~> 0.7)
+      minitest (~> 5.1)
+      tzinfo (~> 1.1)
+    concurrent-ruby (1.0.5)
+    diff-lcs (1.3)
+    httpclient (2.8.2.4)
+    i18n (0.8.1)
+    metaclass (0.0.4)
+    minitest (5.10.1)
+    mocha (1.2.1)
+      metaclass (~> 0.0.1)
+    mustache (1.0.4)
+    rake (10.4.2)
+    rspec (3.5.0)
+      rspec-core (~> 3.5.0)
+      rspec-expectations (~> 3.5.0)
+      rspec-mocks (~> 3.5.0)
+    rspec-core (3.5.4)
+      rspec-support (~> 3.5.0)
+    rspec-expectations (3.5.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.5.0)
+    rspec-mocks (3.5.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.5.0)
+    rspec-support (3.5.0)
+    thread_safe (0.3.6)
+    tzinfo (1.2.3)
+      thread_safe (~> 0.1)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (~> 1.14)
+  mocha (~> 1.2, >= 1.2.1)
+  perimeter_x!
+  rake (~> 10.0)
+  rspec (~> 3.0)
+
+BUNDLED WITH
+   1.14.6

data/LICENSE.txt

@@ -0,0 +1,18 @@
+Copyright © 2016 PerimeterX, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
+OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
+USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Rakefile

@@ -0,0 +1,9 @@
+begin
+  require 'rspec/core/rake_task'
+
+  RSpec::Core::RakeTask.new(:spec)
+
+  task :test => :spec
+rescue LoadError
+  # no rspec available
+end

data/examples/app/controllers/home_controller.rb

@@ -0,0 +1,9 @@
+class HomeController < ApplicationController
+  include PxModule
+
+  before_filter :px_verify_request
+
+  def index
+  end
+
+end

data/examples/app/views/home/index.html.erb.dist

@@ -0,0 +1,20 @@
+<h1>Home#index</h1>
+<p>Find me in app/views/home/index.html.erb</p>
+
+<script type="text/javascript">
+	(function(){
+		window._pxAppId ='APP_ID';
+		// Custom parameters
+		// window._pxParam1 = "<param1>";
+		var p = document.getElementsByTagName('script')[0],
+			s = document.createElement('script');
+		s.async = 1;
+		s.src = '//client.perimeterx.net/APP_ID/main.min.js';
+		p.parentNode.insertBefore(s,p);
+	}());
+</script>
+<noscript>
+	<div style="position:fixed; top:0; left:0; display:none" width="1" height="1">
+		<img src="//collector-APP_ID.perimeterx.net/api/v1/collector/noScript.gif?appId=APP_ID">
+	</div>
+</noscript>

data/examples/config/initializers/perimeterx.rb.dist

@@ -0,0 +1,8 @@
+params = {
+  :app_id => "APP_ID",
+  :cookie_key => "COOKIE_KEY",
+  :auth_token => "AUTH_TOKEN"
+}
+
+
+PxModule.configure(params)

data/examples/config/routes.rb

@@ -0,0 +1,62 @@
+Rails.application.routes.draw do
+  get 'users/index'
+
+  get 'home/index'
+
+  # The priority is based upon order of creation: first created -> highest priority.
+  # See how all your routes lay out with "rake routes".
+
+  # You can have the root of your site routed with "root"
+  # root 'welcome#index'
+
+  root 'home#index'
+
+  # Example of regular route:
+  #   get 'products/:id' => 'catalog#view'
+
+  # Example of named route that can be invoked with purchase_url(id: product.id)
+  #   get 'products/:id/purchase' => 'catalog#purchase', as: :purchase
+
+  # Example resource route (maps HTTP verbs to controller actions automatically):
+  #   resources :products
+
+  # Example resource route with options:
+  #   resources :products do
+  #     member do
+  #       get 'short'
+  #       post 'toggle'
+  #     end
+  #
+  #     collection do
+  #       get 'sold'
+  #     end
+  #   end
+
+  # Example resource route with sub-resources:
+  #   resources :products do
+  #     resources :comments, :sales
+  #     resource :seller
+  #   end
+
+  # Example resource route with more complex sub-resources:
+  #   resources :products do
+  #     resources :comments
+  #     resources :sales do
+  #       get 'recent', on: :collection
+  #     end
+  #   end
+
+  # Example resource route with concerns:
+  #   concern :toggleable do
+  #     post 'toggle'
+  #   end
+  #   resources :posts, concerns: :toggleable
+  #   resources :photos, concerns: :toggleable
+
+  # Example resource route within a namespace:
+  #   namespace :admin do
+  #     # Directs /admin/products/* to Admin::ProductsController
+  #     # (app/controllers/admin/products_controller.rb)
+  #     resources :products
+  #   end
+end

data/lib/perimeter_x.rb

@@ -0,0 +1,149 @@
+require 'perimeterx/configuration'
+require 'perimeterx/utils/px_logger'
+require 'perimeterx/utils/px_constants'
+require 'perimeterx/utils/px_http_client'
+require 'perimeterx/utils/px_template_factory'
+require 'perimeterx/internal/perimeter_x_context'
+require 'perimeterx/internal/clients/perimeter_x_activity_client'
+require 'perimeterx/internal/validators/perimeter_x_s2s_validator'
+require 'perimeterx/internal/validators/perimeter_x_cookie_validator'
+require 'perimeterx/internal/validators/perimeter_x_captcha_validator'
+
+module PxModule
+
+  # Module expose API
+  def px_verify_request
+    verified, px_ctx = PerimeterX.instance.verify(env)
+
+    # Invalidate _pxCaptcha, can be done only on the controller level
+    cookies[:_pxCaptcha] = { value: "", expires: -1.minutes.from_now }
+
+    if (!verified)
+      # In case custon block handler exists
+      if (PerimeterX.instance.px_config.key?(:custom_block_handler))
+        return PerimeterX.instance.px_config[:custom_block_handler].call(px_ctx)
+      elsif (!verified)
+        # Generate template
+        html = PxTemplateFactory.get_template(px_ctx, PerimeterX.instance.px_config)
+        response.headers["Content-Type"] = "text/html"
+        response.status = 403
+        render :html => html
+      end
+    end
+
+    return verified
+  end
+
+  def self.configure(params)
+    @px_instance = PerimeterX.configure(params)
+  end
+
+
+  # PerimtereX Module
+  class PerimeterX
+    @@__instance = nil
+    @@mutex = Mutex.new
+
+    attr_reader :px_config
+    attr_accessor :px_http_client
+    attr_accessor :px_activity_client
+
+    #Static methods
+    def self.configure(params)
+      return true if @@__instance
+      @@mutex.synchronize {
+        return @@__instance if @@__instance
+        @@__instance = new(params)
+      }
+      return true
+    end
+
+    def self.instance
+      return @@__instance if !@@__instance.nil?
+      raise Exception.new("Please initialize perimeter x first")
+    end
+
+
+    #Instance Methods
+    def verify(env)
+      begin
+        @logger.debug("PerimeterX[pxVerify]")
+        req = ActionDispatch::Request.new(env)
+        if (!@px_config[:module_enabled])
+          @logger.warn("Module is disabled")
+          return true
+        end
+        px_ctx = PerimeterXContext.new(@px_config, req)
+
+        # Captcha phase
+        captcha_verified, px_ctx = @px_captcha_validator.verify(px_ctx)
+        if (captcha_verified)
+          return handle_verification(px_ctx)
+        end
+
+        # Cookie phase
+        cookie_verified, px_ctx = @px_cookie_validator.verify(px_ctx)
+        if (!cookie_verified)
+          @px_s2s_validator.verify(px_ctx)
+        end
+
+        if (@px_config.key?(:custom_verification_handler))
+          return @px_config[:custom_verification_handler].call(px_ctx.context)
+        else
+          return handle_verification(px_ctx)
+        end
+      rescue Exception => e
+        @logger.error("#{e.backtrace.first}: #{e.message} (#{e.class})")
+        e.backtrace.drop(1).map { |s| @logger.error("\t#{s}") }
+        return true
+      end
+    end
+
+    private def initialize(params)
+      @px_config = Configuration.new(params).configuration
+      @logger = @px_config[:logger]
+      @px_http_client = PxHttpClient.new(@px_config)
+
+      @px_activity_client = PerimeterxActivitiesClient.new(@px_config, @px_http_client)
+
+      @px_cookie_validator = PerimeterxCookieValidator.new(@px_config)
+      @px_s2s_validator = PerimeterxS2SValidator.new(@px_config, @px_http_client)
+      @px_captcha_validator = PerimeterxCaptchaValidator.new(@px_config, @px_http_client)
+      @logger.debug("PerimeterX[initialize]")
+    end
+
+    private def handle_verification(px_ctx)
+      @logger.debug("PerimeterX[handle_verification]")
+      @logger.debug("PerimeterX[handle_verification]: processing ended - score:#{px_ctx.context[:score]}, uuid:#{px_ctx.context[:uuid]}")
+
+      score = px_ctx.context[:score]
+      # Case PASS request
+      if (score < @px_config[:blocking_score])
+        @logger.debug("PerimeterX[handle_verification]: score:#{score} < blocking score, passing request")
+        @px_activity_client.send_page_requested_activity(px_ctx)
+        return true
+      end
+
+      # Case blocking activity
+      @px_activity_client.send_block_activity(px_ctx)
+
+      # custom_block_handler - custom block handler defined by the user
+      if(@px_config.key?(:custom_block_handler))
+        @logger.debug("PerimeterX[handle_verification]: custom block handler triggered")
+        @px_config[custom_block_handler].call(px_ctx)
+      end
+
+      # In case were in monitor mode, end here
+      if(@px_config[:module_mode] == PxModule::MONITOR_MODE)
+        @logger.debug("PerimeterX[handle_verification]: monitor mode is on, passing request")
+        return true
+      end
+
+      @logger.debug("PerimeterX[handle_verification]: sending block page")
+
+      return false, px_ctx
+    end
+
+    private_class_method :new
+  end
+end

data/lib/perimeterx/configuration.rb

@@ -0,0 +1,37 @@
+require 'perimeterx/utils/px_logger'
+require 'perimeterx/utils/px_constants'
+
+module PxModule
+  class Configuration
+
+    attr_accessor :configuration
+    attr_accessor :PX_DEFAULT
+
+    PX_DEFAULT = {
+      :app_id                   => nil,
+      :cookie_key               => nil,
+      :auth_token               => nil,
+      :module_enabled           => true,
+      :captcha_enabled          => true,
+      :challenge_enabled        => true,
+      :encryption_enabled       => true,
+      :blocking_score           => 70,
+      :sensitive_headers        => ["http-cookie", "http-cookies"],
+      :api_connect_timeout      => 0,
+      :api_timeout              => 0,
+      :max_buffer_len           => 30,
+      :send_page_activities     => false,
+      :send_block_activities    => true,
+      :sdk_name                 => PxModule::SDK_NAME,
+      :debug                    => false,
+      :module_mode              => PxModule::ACTIVE_MODE,
+      :local_proxy              => false
+    }
+
+    def initialize(params)
+      PX_DEFAULT[:perimeterx_server_host] = "https://sapi-#{params[:app_id].downcase}.perimeterx.net"
+      @configuration = PX_DEFAULT.merge(params);
+      @configuration[:logger] = PxLogger.new(@configuration[:debug])
+    end
+  end
+end

data/lib/perimeterx/internal/clients/perimeter_x_activity_client.rb

@@ -0,0 +1,92 @@
+require 'perimeterx/internal/clients/perimeter_x_risk_client'
+
+module PxModule
+  class PerimeterxActivitiesClient < PerimeterxRiskClient
+
+    attr_accessor :activities
+
+    def initialize(px_config, http_client)
+      super(px_config, http_client)
+      @logger.debug("PerimeterxActivitiesClients[initialize]")
+      @activities = [];
+    end
+
+    def send_to_perimeterx(activity_type, px_ctx, details = [])
+      @logger.debug("PerimeterxActivitiesClients[send_to_perimeterx]")
+      @logger.debug("PerimeterxActivitiesClients[send_to_perimeterx]: new activity #{activity_type} logged")
+
+      if (@px_config.key?(:additional_activity_handler))
+        @px_config[:additional_activity_handler].call(activity_type, px_ctx, details)
+      end
+
+      details[:module_version] = @px_config[:sdk_name]
+      px_data = {
+        :type       => activity_type,
+        :headers    => format_headers(px_ctx),
+        :timestamp  => (Time.now.to_f*1000).floor,
+        :socket_ip  => px_ctx.context[:ip],
+        :px_app_id  => @px_config[:app_id],
+        :url        => px_ctx.context[:full_url],
+        :details    => details,
+      }
+
+      if (px_ctx.context.key?(:vid))
+        @logger.debug("PerimeterxActivitiesClients[send_to_perimeterx]: found vid in ctx")
+        px_data[:vid] = px_ctx.context[:vid]
+      end
+
+      # Prepare request
+      headers = {
+          "Authorization" => "Bearer #{@px_config[:auth_token]}" ,
+          "Content-Type" => "application/json"
+      };
+
+      @activities.push(px_data)
+      if (@activities.size == @px_config[:max_buffer_len])
+        @logger.debug("PerimeterxActivitiesClients[send_to_perimeterx]: max buffer length reached, sending activities")
+        @http_client.async_post(PxModule::API_V1_S2S, @activities, headers)
+
+        @activities.clear
+      end
+    end
+
+    def send_block_activity(px_ctx)
+      @logger.debug("PerimeterxActivitiesClients[send_block_activity]")
+      if (!@px_config[:send_page_acitivites])
+        @logger.debug("PerimeterxActivitiesClients[send_block_activity]: sending activites is disabled")
+        return
+      end
+
+      details = {
+        :block_uuid    => px_ctx.context[:uuid],
+        :block_score   => px_ctx.context[:score],
+        :block_reason  => px_ctx.context[:block_reason]
+      }
+
+      send_to_perimeterx(PxModule::BLOCK_ACTIVITY, px_ctx, details)
+
+    end
+
+    def send_page_requested_activity(px_ctx)
+      @logger.debug("PerimeterxActivitiesClients[send_page_requested_activity]")
+      if (!@px_config[:send_page_acitivites])
+        return
+      end
+
+      details = {
+        :http_version  => px_ctx.context[:http_version],
+        :http_method   => px_ctx.context[:http_method]
+      }
+
+      if (px_ctx.context.key?(:decoded_cookie))
+        details[:px_cookie] = px_ctx.context[:decoded_cookie]
+      end
+
+      if (px_ctx.context.key?(:cookie_hmac))
+        details[:px_cookie_hmac] = px_ctx.context[:cookie_hmac]
+      end
+
+      send_to_perimeterx(PxModule::PAGE_REQUESTED_ACTIVITY, px_ctx, details)
+    end
+  end
+end

data/lib/perimeterx/internal/clients/perimeter_x_risk_client.rb

@@ -0,0 +1,28 @@
+require 'perimeterx/utils/px_logger'
+
+module PxModule
+  class PerimeterxRiskClient
+    attr_accessor :px_config
+    attr_accessor :http_client
+
+    def initialize(px_config, http_client)
+      @px_config = px_config
+      @http_client = http_client;
+      @logger = px_config[:logger]
+    end
+
+    def format_headers(px_ctx)
+      @logger.debug("PerimeterxRiskClient[format_headers]")
+      formated_headers = []
+      px_ctx.context[:headers].each do |k,v|
+        if (!@px_config[:sensitive_headers].include? k.to_s)
+          formated_headers.push({
+            :name => k.to_s,
+            :value => v
+            })
+          end #end if
+        end #end forech
+        return formated_headers
+    end #end method
+  end #end class
+end

data/lib/perimeterx/internal/exceptions/px_cookie_decryption_exception.rb

@@ -0,0 +1,5 @@
+class PxCookieDecryptionException < StandardError
+  def initialize(msg)
+   super(msg)
+ end
+end