perimeter_x 1.0.4.pre.alpha → 1.0.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 06e2c5c971a383cbe30a9fd777519711735f2941
-  data.tar.gz: b60d023d7d84d4c5ba8821ecc6fae8418f244c38
+  metadata.gz: 2e226c7753af5094d03889b452cb6208ca1c264b
+  data.tar.gz: d4cbd74100e85512f11ad154761ce6813ecf22a4
 SHA512:
-  metadata.gz: 5bc27249704a2ae11d305efa9785d8d5b8d4b8185462bf50206349b584f0427f257738041014099beefb33a99ecb246532e8c118e86ad4512efe443098cb0e77
-  data.tar.gz: 92b3a2439befe5fd8f481935d06562eaa275b6f03992abd390f41761981b984d06a0404cd9c786e59d5e7363f4ff4e48f80bc59e268ab2f82ae0228ff31508af
+  metadata.gz: 9fc6c5652f1a22da0b604bf72a072ba8eb4b43762217fc33f93fae0709ab0573ee19cb8aa8dcf11aa06339c9ef11097de39d9ecbfb8fdcdaaa5e61c6d1f526ba
+  data.tar.gz: ca7c07317ddbf5cb7a3987451b2ef6e0658fa95e6a27ae2be2243a3c1a5bfdc6ef9e6ea9c3a744bc9f854c7700a80bd1249839607613b2603e4fee6530c2ac16

data/.gitignore

@@ -3,13 +3,15 @@ capybara-*.html
 .rspec
 /log
 /tmp
+/bin
 /dev
 /db/*.sqlite3
 /db/*.sqlite3-journal
 /public/system
 /coverage/
 /spec/tmp
-examples/home_controller.rb
+examples/config/initializers/perimeterx.rb
+examples/app/views/home/index.html.erb
 **.orig
 *.gem
 rerun.txt

data/Dockerfile

@@ -37,12 +37,14 @@ RUN /bin/bash -l -c "gem install bundler"
 RUN /bin/bash -l -c "gem install rails -v 4.2.0"
 RUN mkdir -p /tmp/ruby_sandbox
 WORKDIR /tmp/ruby_sandbox
+RUN git clone https://github.com/PerimeterX/perimeterx-ruby-sdk.git
 RUN /bin/bash -l -c "rails new webapp"
 WORKDIR /tmp/ruby_sandbox/webapp
 RUN /bin/bash -l -c "rails generate controller home index"
 WORKDIR /tmp/ruby_sandbox/webapp
 EXPOSE 3000
-RUN sed -i "2i gem 'perimeter_x', '~> 1.0.3.pre.alpha'" /tmp/ruby_sandbox/webapp/Gemfile
+# TODO: make it take the files from git
+RUN sed -i '2i gem "perimeter_x", :path => "/tmp/ruby_sandbox/perimeterx-ruby-sdk"' /tmp/ruby_sandbox/webapp/Gemfile
 RUN /bin/bash -l -c "bundler update"
-RUN /bin/bash -l -c "gem list|grep peri"
+COPY ./examples/ /tmp/ruby_sandbox/webapp
 CMD ["/bin/bash", "-l", "-c", "rails server -b 0.0.0.0;"]

data/Gemfile

@@ -1,3 +1,3 @@
 source "https://rubygems.org"
 
-gem 'httpclient', '2.8.2.4'
+gemspec

data/Gemfile.lock

@@ -1,13 +1,55 @@
+PATH
+  remote: .
+  specs:
+    perimeter_x (1.0.3)
+      activesupport (>= 4.2.0)
+      httpclient (= 2.8.2.4)
+      mustache (~> 1.0, >= 1.0.3)
+
 GEM
   remote: https://rubygems.org/
   specs:
-    httpclient (2.8.3)
+    activesupport (5.0.2)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (~> 0.7)
+      minitest (~> 5.1)
+      tzinfo (~> 1.1)
+    concurrent-ruby (1.0.5)
+    diff-lcs (1.3)
+    httpclient (2.8.2.4)
+    i18n (0.8.1)
+    metaclass (0.0.4)
+    minitest (5.10.1)
+    mocha (1.2.1)
+      metaclass (~> 0.0.1)
+    mustache (1.0.4)
+    rake (10.4.2)
+    rspec (3.5.0)
+      rspec-core (~> 3.5.0)
+      rspec-expectations (~> 3.5.0)
+      rspec-mocks (~> 3.5.0)
+    rspec-core (3.5.4)
+      rspec-support (~> 3.5.0)
+    rspec-expectations (3.5.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.5.0)
+    rspec-mocks (3.5.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.5.0)
+    rspec-support (3.5.0)
+    thread_safe (0.3.6)
+    tzinfo (1.2.3)
+      thread_safe (~> 0.1)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  httpclient (= 2.8.3)
+  bundler (~> 1.14)
+  mocha (~> 1.2, >= 1.2.1)
+  perimeter_x!
+  rake (~> 10.0)
+  rspec (~> 3.0)
 
 BUNDLED WITH
    1.14.6

data/LICENSE.txt

@@ -1,6 +1,4 @@
-The MIT License (MIT)
-
-Copyright (c) 2017 nitzanpx
+Copyright © 2016 PerimeterX, Inc.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
@@ -9,13 +7,12 @@ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
 
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
+OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
+USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Rakefile

@@ -1,2 +1,9 @@
-require "bundler/gem_tasks"
-task :default => :spec
+begin
+  require 'rspec/core/rake_task'
+
+  RSpec::Core::RakeTask.new(:spec)
+
+  task :test => :spec
+rescue LoadError
+  # no rspec available
+end

data/changelog.md

@@ -0,0 +1,12 @@
+# Change Log
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](http://keepachangelog.com/)
+and this project adheres to [Semantic Versioning](http://semver.org/).
+
+## [1.0.4] - 2017-04-27
+### Fixed
+ - Constants on px_constants
+ - Cookie Validation flow when cookie score was over the configured threshold
+ - Using symbols instead of strings for requests body

data/examples/app/controllers/home_controller.rb

@@ -0,0 +1,9 @@
+class HomeController < ApplicationController
+  include PxModule
+
+  before_filter :px_verify_request
+
+  def index
+  end
+
+end

data/examples/app/views/home/index.html.erb.dist

@@ -0,0 +1,20 @@
+<h1>Home#index</h1>
+<p>Find me in app/views/home/index.html.erb</p>
+
+<script type="text/javascript">
+	(function(){
+		window._pxAppId ='APP_ID';
+		// Custom parameters
+		// window._pxParam1 = "<param1>";
+		var p = document.getElementsByTagName('script')[0],
+			s = document.createElement('script');
+		s.async = 1;
+		s.src = '//client.perimeterx.net/APP_ID/main.min.js';
+		p.parentNode.insertBefore(s,p);
+	}());
+</script>
+<noscript>
+	<div style="position:fixed; top:0; left:0; display:none" width="1" height="1">
+		<img src="//collector-APP_ID.perimeterx.net/api/v1/collector/noScript.gif?appId=APP_ID">
+	</div>
+</noscript>

data/examples/config/initializers/perimeterx.rb.dist

@@ -0,0 +1,8 @@
+params = {
+  :app_id => "APP_ID",
+  :cookie_key => "COOKIE_KEY",
+  :auth_token => "AUTH_TOKEN"
+}
+
+
+PxModule.configure(params)

data/lib/perimeter_x.rb

@@ -1,69 +1,145 @@
 require 'perimeterx/configuration'
 require 'perimeterx/utils/px_logger'
+require 'perimeterx/utils/px_constants'
 require 'perimeterx/utils/px_http_client'
+require 'perimeterx/utils/px_template_factory'
 require 'perimeterx/internal/perimeter_x_context'
-require 'perimeterx/internal/perimeter_x_s2s_validator'
+require 'perimeterx/internal/clients/perimeter_x_activity_client'
+require 'perimeterx/internal/validators/perimeter_x_s2s_validator'
+require 'perimeterx/internal/validators/perimeter_x_cookie_validator'
+require 'perimeterx/internal/validators/perimeter_x_captcha_validator'
 
-module PerimeterX
-  class PxModule
-    L = PxLogger.instance
+module PxModule
 
-    @@singleton__instance__ = nil
-    @@singleton__mutex__ = Mutex.new
+  # Module expose API
+  def px_verify_request
+    verified, px_ctx = PerimeterX.instance.verify(env)
+
+    # Invalidate _pxCaptcha, can be done only on the controller level
+    cookies[:_pxCaptcha] = { value: "", expires: -1.minutes.from_now }
+
+    if (!verified)
+      # In case custon block handler exists
+      if (PerimeterX.instance.px_config.key?(:custom_block_handler))
+        PerimeterX.instance.px_config[:logger].debug("PxModule[px_verify_request]: custom_block_handler triggered")
+        return instance_exec(px_ctx, &PerimeterX.instance.px_config[:custom_block_handler])
+      else
+        # Generate template
+        PerimeterX.instance.px_config[:logger].debug("PxModule[px_verify_request]: sending default block page")
+        html = PxTemplateFactory.get_template(px_ctx, PerimeterX.instance.px_config)
+        response.headers["Content-Type"] = "text/html"
+        response.status = 403
+        render :html => html
+      end
+    end
+
+    return verified
+  end
+
+  def self.configure(params)
+    @px_instance = PerimeterX.configure(params)
+  end
+
+
+  # PerimtereX Module
+  class PerimeterX
+    @@__instance = nil
+    @@mutex = Mutex.new
 
     attr_reader :px_config
     attr_accessor :px_http_client
+    attr_accessor :px_activity_client
 
-    def self.instance(params)
-      return @@singleton__instance__ if @@singleton__instance__
-      @@singleton__mutex__.synchronize {
-        return @@singleton__instance__ if @@singleton__instance__
-        @@singleton__instance__ = new(params)
+    #Static methods
+    def self.configure(params)
+      return true if @@__instance
+      @@mutex.synchronize {
+        return @@__instance if @@__instance
+        @@__instance = new(params)
       }
-      @@singleton__instance__
+      return true
     end
 
-
-    private def initialize(params)
-      L.info("PerimeterX[initialize]")
-      @px_config = Configuration.new(params).configuration
-      @px_http_client = PxHttpClient.new(@px_config)
+    def self.instance
+      return @@__instance if !@@__instance.nil?
+      raise Exception.new("Please initialize perimeter x first")
     end
 
-    def px_verify(env)
+
+    #Instance Methods
+    def verify(env)
       begin
-        L.info("PerimeterX[pxVerify]")
+        @logger.debug("PerimeterX[pxVerify]")
         req = ActionDispatch::Request.new(env)
-
-        if (!@px_config['module_enabled'])
-          L.warn("Module is disabled")
+        if (!@px_config[:module_enabled])
+          @logger.warn("Module is disabled")
           return true
         end
-
         px_ctx = PerimeterXContext.new(@px_config, req)
-        px_ctx.context[:s2s_call_reason] = "no_cookie"
 
-        s2sValidator = PerimeterxS2SValidator.new(px_ctx, @px_config, @px_http_client)
-        px_ctx = s2sValidator.verify()
+        # Captcha phase
+        captcha_verified, px_ctx = @px_captcha_validator.verify(px_ctx)
+        if (captcha_verified)
+          return handle_verification(px_ctx)
+        end
+
+        # Cookie phase
+        cookie_verified, px_ctx = @px_cookie_validator.verify(px_ctx)
+        if (!cookie_verified)
+          @px_s2s_validator.verify(px_ctx)
+        end
 
-        if (px_config.key?('custom_verification_handler'))
-          return px_config['custom_verification_handler'].call(px_ctx.context)
+        if (@px_config.key?(:custom_verification_handler))
+          return @px_config[:custom_verification_handler].call(px_ctx.context)
         else
           return handle_verification(px_ctx)
         end
       rescue Exception => e
-        puts("#{e.backtrace.first}: #{e.message} (#{e.class})", e.backtrace.drop(1).map { |s| "\t#{s}" })
+        @logger.error("#{e.backtrace.first}: #{e.message} (#{e.class})")
+        e.backtrace.drop(1).map { |s| @logger.error("\t#{s}") }
         return true
       end
     end
 
-    # private methods
+    private def initialize(params)
+      @px_config = Configuration.new(params).configuration
+      @logger = @px_config[:logger]
+      @px_http_client = PxHttpClient.new(@px_config)
+
+      @px_activity_client = PerimeterxActivitiesClient.new(@px_config, @px_http_client)
+
+      @px_cookie_validator = PerimeterxCookieValidator.new(@px_config)
+      @px_s2s_validator = PerimeterxS2SValidator.new(@px_config, @px_http_client)
+      @px_captcha_validator = PerimeterxCaptchaValidator.new(@px_config, @px_http_client)
+      @logger.debug("PerimeterX[initialize]")
+    end
+
     private def handle_verification(px_ctx)
-      L.info("perimeterx processing ended - score:#{px_ctx.context[:score]}, uuid:#{px_ctx.context[:uuid]}")
-      return true
+      @logger.debug("PerimeterX[handle_verification]")
+      @logger.debug("PerimeterX[handle_verification]: processing ended - score:#{px_ctx.context[:score]}, uuid:#{px_ctx.context[:uuid]}")
+
+      score = px_ctx.context[:score]
+      # Case PASS request
+      if (score < @px_config[:blocking_score])
+        @logger.debug("PerimeterX[handle_verification]: score:#{score} < blocking score, passing request")
+        @px_activity_client.send_page_requested_activity(px_ctx)
+        return true
+      end
+
+      # Case blocking activity
+      @px_activity_client.send_block_activity(px_ctx)
+
+      # In case were in monitor mode, end here
+      if(@px_config[:module_mode] == PxModule::MONITOR_MODE)
+        @logger.debug("PerimeterX[handle_verification]: monitor mode is on, passing request")
+        return true
+      end
+
+      @logger.debug("PerimeterX[handle_verification]: verification ended, the request should be blocked")
+
+      return false, px_ctx
     end
 
     private_class_method :new
   end
-
 end

data/lib/perimeterx/configuration.rb

@@ -1,30 +1,37 @@
-module PerimeterX
+require 'perimeterx/utils/px_logger'
+require 'perimeterx/utils/px_constants'
+
+module PxModule
   class Configuration
 
     attr_accessor :configuration
     attr_accessor :PX_DEFAULT
-    attr_accessor :MONITOR_MODE
-    attr_accessor :ACTIVE_MODE
-
-    MONITOR_MODE = 1
-    ACTIVE_MODE = 2
 
     PX_DEFAULT = {
-      "app_id"                   => nil,
-      "auth_token"               => nil,
-      "module_enabled"           => true,
-      "blocking_score"           => 70,
-      "sensitive_headers"        => ["cookie", "cookies"],
-      "api_connect_timeout"      => 1,
-      "api_timeout"              => 1,
-      "sdk_name"                 => "RUBY SLIM SDK v1.0.0",
-      "debug_mode"               => false,
-      "module_mode"              => MONITOR_MODE,
+      :app_id                   => nil,
+      :cookie_key               => nil,
+      :auth_token               => nil,
+      :module_enabled           => true,
+      :captcha_enabled          => true,
+      :challenge_enabled        => true,
+      :encryption_enabled       => true,
+      :blocking_score           => 70,
+      :sensitive_headers        => ["http-cookie", "http-cookies"],
+      :api_connect_timeout      => 0,
+      :api_timeout              => 0,
+      :max_buffer_len           => 30,
+      :send_page_activities     => false,
+      :send_block_activities    => true,
+      :sdk_name                 => PxModule::SDK_NAME,
+      :debug                    => false,
+      :module_mode              => PxModule::ACTIVE_MODE,
+      :local_proxy              => false
     }
 
     def initialize(params)
-      PX_DEFAULT["perimeterx_server_host"] = "https://sapi-#{params['app_id'].downcase}.perimeterx.net"
+      PX_DEFAULT[:perimeterx_server_host] = "https://sapi-#{params[:app_id].downcase}.perimeterx.net"
       @configuration = PX_DEFAULT.merge(params);
+      @configuration[:logger] = PxLogger.new(@configuration[:debug])
     end
   end
 end

data/lib/perimeterx/internal/clients/perimeter_x_activity_client.rb

@@ -0,0 +1,92 @@
+require 'perimeterx/internal/clients/perimeter_x_risk_client'
+
+module PxModule
+  class PerimeterxActivitiesClient < PerimeterxRiskClient
+
+    attr_accessor :activities
+
+    def initialize(px_config, http_client)
+      super(px_config, http_client)
+      @logger.debug("PerimeterxActivitiesClients[initialize]")
+      @activities = [];
+    end
+
+    def send_to_perimeterx(activity_type, px_ctx, details = [])
+      @logger.debug("PerimeterxActivitiesClients[send_to_perimeterx]")
+      @logger.debug("PerimeterxActivitiesClients[send_to_perimeterx]: new activity #{activity_type} logged")
+
+      if (@px_config.key?(:additional_activity_handler))
+        @px_config[:additional_activity_handler].call(activity_type, px_ctx, details)
+      end
+
+      details[:module_version] = @px_config[:sdk_name]
+      px_data = {
+        :type       => activity_type,
+        :headers    => format_headers(px_ctx),
+        :timestamp  => (Time.now.to_f*1000).floor,
+        :socket_ip  => px_ctx.context[:ip],
+        :px_app_id  => @px_config[:app_id],
+        :url        => px_ctx.context[:full_url],
+        :details    => details,
+      }
+
+      if (px_ctx.context.key?(:vid))
+        @logger.debug("PerimeterxActivitiesClients[send_to_perimeterx]: found vid in ctx")
+        px_data[:vid] = px_ctx.context[:vid]
+      end
+
+      # Prepare request
+      headers = {
+          "Authorization" => "Bearer #{@px_config[:auth_token]}" ,
+          "Content-Type" => "application/json"
+      };
+
+      @activities.push(px_data)
+      if (@activities.size == @px_config[:max_buffer_len])
+        @logger.debug("PerimeterxActivitiesClients[send_to_perimeterx]: max buffer length reached, sending activities")
+        @http_client.async_post(PxModule::API_V1_S2S, @activities, headers)
+
+        @activities.clear
+      end
+    end
+
+    def send_block_activity(px_ctx)
+      @logger.debug("PerimeterxActivitiesClients[send_block_activity]")
+      if (!@px_config[:send_page_acitivites])
+        @logger.debug("PerimeterxActivitiesClients[send_block_activity]: sending activites is disabled")
+        return
+      end
+
+      details = {
+        :block_uuid    => px_ctx.context[:uuid],
+        :block_score   => px_ctx.context[:score],
+        :block_reason  => px_ctx.context[:block_reason]
+      }
+
+      send_to_perimeterx(PxModule::BLOCK_ACTIVITY, px_ctx, details)
+
+    end
+
+    def send_page_requested_activity(px_ctx)
+      @logger.debug("PerimeterxActivitiesClients[send_page_requested_activity]")
+      if (!@px_config[:send_page_acitivites])
+        return
+      end
+
+      details = {
+        :http_version  => px_ctx.context[:http_version],
+        :http_method   => px_ctx.context[:http_method]
+      }
+
+      if (px_ctx.context.key?(:decoded_cookie))
+        details[:px_cookie] = px_ctx.context[:decoded_cookie]
+      end
+
+      if (px_ctx.context.key?(:cookie_hmac))
+        details[:px_cookie_hmac] = px_ctx.context[:cookie_hmac]
+      end
+
+      send_to_perimeterx(PxModule::PAGE_REQUESTED_ACTIVITY, px_ctx, details)
+    end
+  end
+end

data/lib/perimeterx/internal/clients/perimeter_x_risk_client.rb

@@ -0,0 +1,28 @@
+require 'perimeterx/utils/px_logger'
+
+module PxModule
+  class PerimeterxRiskClient
+    attr_accessor :px_config
+    attr_accessor :http_client
+
+    def initialize(px_config, http_client)
+      @px_config = px_config
+      @http_client = http_client;
+      @logger = px_config[:logger]
+    end
+
+    def format_headers(px_ctx)
+      @logger.debug("PerimeterxRiskClient[format_headers]")
+      formated_headers = []
+      px_ctx.context[:headers].each do |k,v|
+        if (!@px_config[:sensitive_headers].include? k.to_s)
+          formated_headers.push({
+            :name => k.to_s,
+            :value => v
+            })
+          end #end if
+        end #end forech
+        return formated_headers
+    end #end method
+  end #end class
+end

data/lib/perimeterx/internal/exceptions/px_cookie_decryption_exception.rb

@@ -0,0 +1,5 @@
+class PxCookieDecryptionException < StandardError
+  def initialize(msg)
+   super(msg)
+ end
+end