RubyGems - rockstart - Versions diffs - 0.1.0 → 0.1.1 - Mend

rockstart 0.1.0 → 0.1.1

Files changed (240) hide show

data/lib/generators/rockstart/security/{templates → content_security/templates}/session_store_initializer.rb.tt RENAMED

@@ -3,5 +3,4 @@
 # Use Cookies as the session store, and lock them down to the current domain
 Rails.application.config.session_store :cookie_store, key: "<%= session_name %>",
                                                       http_only: true,
-                                                      same_site: :lax,
-                                                      secure: Rails.application.config.force_ssl
+                                                      same_site: :lax

data/lib/generators/rockstart/security/rack_attack/USAGE ADDED

@@ -0,0 +1,8 @@
+Description:
+    Installs Rack::Attack
+Example:
+    rails generate rockstart:security:rack_attack
+    This will create:
+        Configures Rack:Attack based on your application

data/lib/generators/rockstart/security/rack_attack/rack_attack_generator.rb ADDED

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+require "rockstart/generators/class_option_helpers"
+require "rockstart/generators/template_helpers"
+module Rockstart::Security
+  class RackAttackGenerator < Rails::Generators::Base
+    include Rockstart::Generators::ClassOptionHelpers
+    include Rockstart::Generators::TemplateHelpers
+    source_root File.expand_path("templates", __dir__)
+    devise_class_option
+    def add_initializer
+      initializer_template "rack_attack"
+    end
+    def add_request_spec
+      template "rack_attack_spec.rb", "spec/requests/rack_attack_spec.rb"
+    end
+    def add_rspec_support
+      copy_file "cache_support.rb", "spec/support/cache.rb"
+    end
+    def enable_cache_store_for_all_environments
+      application do
+        <<~CACHE
+          # Use memory_store cache for testing and default configurations
+          config.cache_store = :memory_store
+        CACHE
+      end
+      comment_lines "config/environments/test.rb", "config.cache_store = "
+    end
+  end
+end

data/lib/generators/rockstart/security/{templates → rack_attack/templates}/cache_support.rb RENAMED

@@ -10,7 +10,7 @@ end
 RSpec.configure do |config|
   config.include CacheSupport
-  config.around(cache_testing: true) do |example|
+  config.around(type: :request) do |example|
     clear_rails_cache
     example.run
     clear_rails_cache

data/lib/generators/rockstart/security/{templates/rack_attack.rb → rack_attack/templates/rack_attack_initializer.rb.tt} RENAMED

@@ -3,10 +3,12 @@
 require "digest/md5"
 # Configuration for rack_attack
-class Rack::Attack
+class Rack::Attack # rubocop:disable Style/ClassAndModuleChildren
+<%- if devise? -%>
   LOGIN_PATH = "/users/sign_in"
   REGISTRATION_PATH = "/users"
+<%- end -%>
   ### Configure Cache ###
   # If you don't want to use Rails.cache (Rack::Attack's default), then
@@ -33,6 +35,26 @@ class Rack::Attack
   # Key: "rack::attack:#{Time.now.to_i/:period}:req/ip:#{req.ip}"
   throttle("req/ip", limit: 300, period: 5.minutes, &:ip)
+  def self.pentesting_request?(path, query_string)
+    CGI.unescape(query_string) =~ %r{/etc/passwd} ||
+      path.include?("/etc/passwd") ||
+      path.include?("wp-admin") ||
+      path.include?("wp-login") ||
+      /\.php$/.match?(path)
+  end
+  # Block suspicious requests for '/etc/passwd' or wordpress specific paths.
+  # After 3 blocked requests in 10 minutes, block all requests from that IP for 5 minutes.
+  blocklist("fail2ban/pentesters") do |req|
+    # `filter` returns truthy value if request fails, or if it's from a previously banned IP
+    # so the request is blocked
+    Rack::Attack::Fail2Ban.filter("pentesters-#{req.ip}", maxretry: 3, findtime: 10.minutes, bantime: 5.minutes) do
+      # The count for the IP is incremented if the return value is truthy
+      pentesting_request?(req.path, req.query_string)
+    end
+  end
+<%- if devise? -%>
   ### Prevent Brute-Force Login Attacks ###
   # The most common brute-force login attack is a brute-force password
@@ -82,6 +104,17 @@ class Rack::Attack
     req.ip if req.path == REGISTRATION_PATH && (req.post? || req.put? || req.patch?)
   end
+<%- end -%>
+  ### Custom Blocklist Response ###
+  self.blocklisted_response = lambda do |request|
+    if pentesting_request?(request.fetch("PATH_INFO"), request.fetch("QUERY_STRING"))
+      [301, { "Location" => "/" }, []]
+    else
+      [302, { "Location" => "https://www.youtube.com/watch?v=dQw4w9WgXcQ" }, []]
+    end
+  end
   ### Custom Throttle Response ###
   # By default, Rack::Attack returns an HTTP 429 for throttled responses,

data/lib/generators/rockstart/security/rack_attack/templates/rack_attack_spec.rb.tt ADDED

@@ -0,0 +1,116 @@
+# frozen_string_literal: true
+require "rails_helper"
+RSpec.describe "Rack::Attack", type: :request do
+  describe "req/ip throttle" do
+    it "rate limits requests from spammy clients" do
+      300.times do
+        get root_url
+        expect(response).not_to have_http_status(:too_many_requests)
+      end
+      get root_url
+      expect(response).to have_http_status(:too_many_requests)
+    end
+  end
+<%- if devise? -%>
+  describe "logins/ip throttle" do
+    it "rate limits login requests based off ip address" do
+      5.times do
+        post new_user_session_path, params: {
+          user: {
+            email: Faker::Internet.email,
+            password: Faker::Internet.password
+          }
+        }
+      end
+      post new_user_session_path, params: {
+        user: {
+          email: Faker::Internet.email,
+          password: Faker::Internet.password
+        }
+      }
+      expect(response).to have_http_status(:too_many_requests)
+    end
+  end
+  describe "logins/email throttle" do
+    it "rate limits login requests based off email address" do
+      valid_email_parameters = {
+        user: {
+          email: Faker::Internet.email,
+          password: Faker::Internet.password
+        }
+      }
+      5.times do |n|
+        post new_user_session_path, params: valid_email_parameters, headers: {
+          "REMOTE_ADDR" => format("120.0.1.%<n>d", n: n)
+        }
+      end
+      post new_user_session_path, params: valid_email_parameters
+      expect(response).to have_http_status(:too_many_requests)
+    end
+  end
+  describe "registrations/ip throttle" do
+    it "rate limits regstration requests based off ip address" do
+      5.times do
+        put user_registration_path, params: update_user_email_params
+      end
+      put user_registration_path, params: update_user_email_params
+      expect(response).to have_http_status(:too_many_requests)
+    end
+  end
+<%- end -%>
+  describe "fail2ban/pentesters blocklist" do
+    PENTESTING_PATHS = %w[
+      /etc/passwd
+      /bad_endpoint?secret_file=/etc/passwd
+      /wp-admin
+      /wp-login
+      /example.php
+    ].freeze
+    DENIAL_URL = "https://www.youtube.com/watch?v=dQw4w9WgXcQ"
+    PENTESTING_PATHS.each do |pentesting_path|
+      it "blocks clients after repeat visits to #{pentesting_path}" do
+        2.times do
+          get pentesting_path
+          expect(response).to have_http_status(:moved_permanently)
+          expect(response).to redirect_to(root_url)
+        end
+        get root_url
+        expect(response).not_to redirect_to(DENIAL_URL)
+        get pentesting_path
+        expect(response).to have_http_status(:moved_permanently)
+        expect(response).to redirect_to(root_url)
+        get root_url
+        expect(response).to have_http_status(:found)
+        expect(response).to redirect_to(DENIAL_URL)
+      end
+    end
+    PENTESTING_PATHS.shuffle.combination(3).to_a.sample.tap do |url_a, url_b, url_c|
+      it "shares the visit count between pentesting routes (e.g. #{url_a}, #{url_b}, #{url_c})" do
+        get url_a
+        get url_b
+        get url_c
+        get root_url
+        expect(response).to have_http_status(:found)
+        expect(response).to redirect_to(DENIAL_URL)
+      end
+    end
+  end
+end

data/lib/generators/rockstart/security/security_generator.rb CHANGED

@@ -1,80 +1,38 @@
 # frozen_string_literal: true
+require "rockstart/generators/class_option_helpers"
+require "rockstart/generators/content_security_options"
+require "rockstart/generators/template_helpers"
 class Rockstart::SecurityGenerator < Rails::Generators::Base
   include Rails::Generators::AppName
-  source_root File.expand_path("templates", __dir__)
-  class_option :font_hosts, type: :array,
-                            desc: "Known third-party hosts for Fonts",
-                            default: []
-  class_option :image_hosts, type: :array,
-                             desc: "Known third-party hosts for Images",
-                             default: []
-  class_option :script_hosts, type: :array,
-                              desc: "Known third-party hosts for (Java)Scripts",
-                              default: []
-  class_option :style_hosts, type: :array,
-                             desc: "Known third-party hosts for Stylesheets",
-                             default: []
-  class_option :session_name, type: :string,
-                              desc: "Name used for Rails Sessions",
-                              default: Rockstart::Env.default_session_name
-  def install_bundler_audit
-    gem "bundler-audit", github: "rubysec/bundler-audit"
-    Bundler.clean_system("bundle install --quiet")
+  include Rockstart::Generators::ClassOptionHelpers
+  include Rockstart::Generators::ContentSecurityOptions
+  include Rockstart::Generators::TemplateHelpers
-    copy_file "bundler_audit.rake", "lib/tasks/bundler_audit.rake"
-  end
-  def install_brakeman
-    gem "brakeman", group: %i[development test]
-    Bundler.clean_system("bundle install --quiet")
+  source_root File.expand_path("templates", __dir__)
-    copy_file "brakeman.rake", "lib/tasks/brakeman.rake"
+  devise_class_option
+  rollbar_class_option
-    append_to_file ".gitignore", "brakeman\n"
+  def add_bundler_audit
+    generate "rockstart:security:bundler_audit"
   end
-  def add_security_rake_tasks
-    copy_file "security.rake", "lib/tasks/security.rake"
+  def add_brakeman
+    generate "rockstart:security:brakeman"
   end
-  def install_rack_attack
-    gem "rack-attack"
-    Bundler.clean_system("bundle install --quiet")
-    copy_file "rack_attack.rb", "config/initializers/rack_attack.rb"
-    copy_file "cache_support.rb", "spec/support/cache.rb"
-    application do
-      <<~CACHE
-        # Use memory_store cache for testing and default configurations
-        config.cache_store = :memory_store
-      CACHE
-    end
-    comment_lines "config/environments/test.rb", "config.cache_store = "
-  end
-  def add_session_initializer
-    template "session_store_initializer.rb.tt", "config/initializers/session_store.rb"
+  def add_rack_attack
+    generate "rockstart:security:rack_attack", devise_option
   end
   def add_content_security_policy
-    template "content_security_policy_initializer.rb.tt",
-             "config/initializers/content_security_policy.rb"
-    copy_file "csp_violations_controller.rb", "app/controllers/csp_violations_controller.rb"
-    route "resources :csp_violations, only: [:create]"
+    generate "rockstart:security:content_security", rollbar_option, *content_security_options
+  end
-    template "content_security_spec.rb.tt", "spec/requests/content_security_spec.rb"
+  def add_security_rake_tasks
+    copy_file "security.rake", "lib/tasks/security.rake"
   end
   def enforce_ssl
@@ -83,26 +41,4 @@ class Rockstart::SecurityGenerator < Rails::Generators::Base
               'config.force_ssl = ENV["ALLOW_INSECURE_HTTP"].to_i != 1'
     uncomment_lines "config/environments/production.rb", /config.force_ssl =/
   end
-  private
-  def font_hosts
-    options[:font_hosts] || []
-  end
-  def image_hosts
-    options[:image_hosts] || []
-  end
-  def script_hosts
-    options[:script_hosts] || []
-  end
-  def style_hosts
-    options[:style_hosts] || []
-  end
-  def session_name
-    options[:session_name]
-  end
 end

data/lib/generators/rockstart/storage/USAGE ADDED

@@ -0,0 +1,8 @@
+Description:
+    Configures solutions for storing your Rocking
+Example:
+    rails generate rockstart:storage
+    This will create:
+        Installs Postgresql

data/lib/generators/rockstart/storage/active_storage/USAGE ADDED

@@ -0,0 +1,8 @@
+Description:
+    Configures Rails for Active::Storage
+Example:
+    rails generate rockstart:storage:storage
+    This will create:
+        Configures active storage for local file storage

data/lib/generators/rockstart/storage/active_storage/active_storage_generator.rb ADDED

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+require "rockstart/generators/template_helpers"
+module Rockstart::Storage
+  class ActiveStorageGenerator < Rails::Generators::Base
+    include Rockstart::Generators::TemplateHelpers
+    source_root File.expand_path("templates", __dir__)
+    class_option :public_files, type: :boolean,
+                                desc: "Upload files are publically available",
+                                default: false
+    def create_local_storage_directory
+      create_file "storage/.keep", ""
+    end
+    def add_storage_configuration
+      template "storage.yml", "config/storage.yml"
+    end
+    def add_better_s3_service
+      copy_file "better_s3_service.rb", "lib/active_storage/service/better_s3_service.rb"
+    end
+    def add_cloudcube_util
+      copy_file "cloudcube_util.rb", "lib/utils/cloudcube.rb"
+      copy_file "cloudcube_util_spec.rb", "spec/utils/cloudcube_spec.rb"
+    end
+    def add_initializer
+      copy_initializer "active_storage"
+    end
+    def add_active_storage_migrations
+      rake "active_storage:install"
+    end
+    def update_cache_storage
+      comment_lines "config/environments/production.rb", /config\.active_storage\.service = :local$/
+      application(nil, env: :production) do
+        <<~CONFIG
+          config.active_storage.service = if ENV["CLOUDCUBE_ACCESS_KEY_ID"].present?
+                                            :cloudcube
+                                          else
+                                            :local # fallback option
+                                          end
+        CONFIG
+      end
+    end
+    private
+    def public_files?
+      options.fetch(:public_files)
+    end
+  end
+end