ruby-common 1.0.0

data/lib/ruby-common/v4/Signature4VerifierService.rb

@@ -0,0 +1,203 @@
+require 'base64'
+require 'date'
+require 'openssl'
+require 'securerandom'
+
+require_relative '../common/PhpUnpack.rb'
+require_relative '../common/Ipv6Utils.rb'
+require_relative './AsymmetricOpenSSL.rb'
+require_relative '../common/Utils.rb'
+require_relative '../common/Exceptions'
+require_relative '../common/VerifierConstants.rb'
+require_relative './Signature4VerificationResult.rb'
+
+
+# Helper class to represent field information
+class Field
+attr_reader :name, :type
+
+  def initialize(name, type)
+    @name = name
+    @type = type
+  end
+end
+
+# Signature4VerifierService class
+class Signature4VerifierService
+  FIELD_IDS = {
+    0x00 => Field.new('requestTime', 'ulong'),
+    0x01 => Field.new('signatureTime', 'ulong'),
+    0x10 => Field.new('ipv4', 'ulong'),
+    0x40 => Field.new(nil, 'ushort'),
+    0x80 => Field.new('masterSignType', 'uchar'),
+    0x81 => Field.new('customerSignType', 'uchar'),
+    0xC0 => Field.new('masterToken', 'string'),
+    0xC1 => Field.new('customerToken', 'string'),
+    0xC2 => Field.new('masterTokenV6', 'string'),
+    0xC3 => Field.new('customerTokenV6', 'string'),
+    0xc4 => Field.new('ipv6', 'string'),
+    0xc5 => Field.new('masterChecksum', 'string'),
+    0xd0 => Field.new('userAgent', 'string') #DEBUG FIELD
+  }.freeze
+
+  def self.verifySignature(signature, user_agent, key, ip_addresses, expiry, is_key_base64_encoded)
+    validation_result = {}
+
+    begin
+      data = parse4(signature)
+    rescue VersionError
+      data = parse3(signature)
+    end
+
+    sign_role_token = data["customerToken"]
+
+    if sign_role_token.nil? || sign_role_token.empty?
+      raise VerifyError, 'sign role signature mismatch'
+    end
+
+    sign_type = data["customerSignType"]
+
+    ip_addresses.each do |ip_address|
+      next if ip_address.nil? || ip_address.empty?
+
+      token = if IpV6Utils.validate(ip_address)
+                next unless data.key?("customerTokenV6")
+                IpV6Utils.abbreviate(ip_address)
+                data["customerTokenV6"]
+              else
+                next unless data.key?("customerToken")
+                data["customerToken"]
+              end
+
+      signature_time = data['signatureTime'].first
+      request_time = data['requestTime'].first
+
+      VerifierConstants::RESULTS.each do |result, verdict|
+        signature_base = get_base(result, request_time, signature_time, ip_address, user_agent)
+
+        case sign_type.first
+        when 1 # HASH_SHA256
+          is_hashed_data_equal_to_token = SignatureVerifierUtils.encode(
+            is_key_base64_encoded ? SignatureVerifierUtils.base64_decode(key) : key,
+            signature_base
+          ) == token
+          
+          if is_hashed_data_equal_to_token
+            if is_expired(expiry, signature_time, request_time)
+              return Signature4VerificationResult.is_expired
+            end
+
+            return Signature4VerificationResult.new(
+              score: result.to_i,
+              verdict: verdict,
+              ip_address: ip_address,
+              request_time: request_time,
+              signature_time: signature_time
+            )
+          end
+        when 2 # SIGN_SHA256
+          if AsymmetricOpenSSL.verify_data(signature_base, token, key)
+            return Signature4VerificationResult.new(
+              score: result.to_i,
+              verdict: verdict,
+              ip_address: ip_address,
+              request_time: request_time,
+              signature_time: signature_time
+            )
+          end
+        else
+          raise VerifyError, 'unrecognized signature'
+        end
+      end
+    end
+    raise StructParseError, 'no verdict'
+  end
+
+  class << self
+    private
+
+    def parse3(signature)
+      sign_decoded = SignatureVerifierUtils.base64_decode(signature)
+      unpack_result = PhpUnpack.unpack('Cversion/NrequestTime/NsignatureTime/CmasterSignType/nmasterTokenLength', sign_buffer)
+
+      version = unpack_result['version']
+      raise VersionError, 'Invalid signature version' if version != 3
+
+      timestamp = unpack_result['timestamp']
+      raise SignatureParseError, 'invalid timestamp (future time)' if timestamp > (Time.now.to_i)
+
+      master_token_length = unpack_result['masterTokenLength']
+      #TODO CO TO KURWA JEST ZA METODA?
+      master_token = get_bytes_and_advance_position(sign_decoded, master_token_length)
+      unpack_result['masterToken'] = master_token
+
+      customer_data = PhpUnpack.unpack('CcustomerSignType/ncustomerTokenLength', sign_buffer)
+      customer_token_length = customer_data['customerTokenLength']
+      customer_token = get_bytes_and_advance_position(sign_decoded, customer_token_length)
+      customer_data['customerToken'] = customer_token
+
+      unpack_result.merge!(customer_data)
+    end
+
+    def parse4(signature)
+      sign_decoded = SignatureVerifierUtils.base64_decode(signature)
+      raise SignatureParseError, 'invalid base64 payload' if sign_decoded.empty?
+
+      data = PhpUnpack.unpack('Cversion/CfieldNum', sign_decoded)
+
+      version = data['version'].first
+      raise VersionError, 'Invalid signature version' if version != 4
+
+      field_num = data['fieldNum'].first
+      field_num.times do |i|
+        header = PhpUnpack.unpack('CfieldId', sign_decoded)
+
+        raise SignatureParseError, 'premature end of signature 0x01' if header.empty? || !header.key?('fieldId')
+
+        field = FIELD_IDS[header['fieldId'].first]
+        v = {}
+
+        case field&.type
+        when 'uchar'
+          v = PhpUnpack.unpack('Cv', sign_decoded)
+          data[field.name] = v['v'] if v.key?('v')
+        when 'ushort'
+          v = PhpUnpack.unpack('nv', sign_decoded)
+          data[field.name] = v['v'] if v.key?('v')
+        when 'ulong'
+          v = PhpUnpack.unpack('Nv', sign_decoded)
+          data[field.name] = v['v'] if v.key?('v')
+        when 'string'
+          l = PhpUnpack.unpack('nl', sign_decoded)
+          raise SignatureParseError, 'premature end of signature 0x05' unless l.key?('l')
+
+          l_length = l['l'].first
+          new_v = sign_decoded.slice!(0, l_length)
+          v['v'] = new_v
+          data[field.name] = new_v
+
+          raise SignatureParseError, 'premature end of signature 0x06' if new_v.bytesize != l_length
+        else
+          raise SignatureParseError, 'unsupported variable type'
+        end
+      end
+      data.delete(field_num.to_s)
+      data
+    end
+
+    def is_expired(expiry, signature_time, request_time)
+      return false if expiry.nil?
+
+      current_epoch_in_seconds = (Time.now.to_f * 1000).to_i / 1000
+
+      signature_time_expired = (signature_time + expiry) < current_epoch_in_seconds
+      request_time_expired = request_time + expiry < current_epoch_in_seconds
+
+      signature_time_expired || request_time_expired
+    end
+
+    def get_base(verdict, request_time, signature_time, ip_address, user_agent)
+      [verdict, request_time, signature_time, ip_address, user_agent].join("\n")
+    end
+  end
+end

data/lib/ruby-common/v5/AbstractSymmetricCrypt.rb

@@ -0,0 +1,25 @@
+require_relative './DecryptResult.rb'
+
+class AbstractSymmetricCrypt
+  @@method_size = 2
+
+  def parse(payload, lengths)
+    total_length = @@method_size + lengths.values.inject(0) { |sum, value| sum + value }
+
+    raise DecryptError, "Premature data end" if payload.size < total_length
+
+    decrypt_result = DecryptResult.new
+
+    decrypt_result.method = PhpUnpack.unpack("vX", payload)['X'].first
+
+    lengths.each do |key, length|
+      bytes_for_key = payload.byteslice(0,length)
+      payload.slice!(0,length)
+      decrypt_result.byte_buffer_map[key] = bytes_for_key
+    end
+
+    decrypt_result.data = payload
+
+    decrypt_result
+  end
+end

data/lib/ruby-common/v5/CryptFactory.rb

@@ -0,0 +1,20 @@
+class CryptFactory
+  def self.create_from_payload(payload)
+    header = payload.byteslice(0,2)
+    return create_crypt(header)
+  end
+
+  private
+  def self.create_crypt(name)
+    case name.unpack("v").first
+    when MyOpenSSL::METHOD
+      MyOpenSSL.new
+    when OpenSSLAEAD::METHOD
+      OpenSSLAEAD.new
+    when Secretbox::METHOD
+      Secretbox.new
+    else
+      raise SignatureParseError, "Unsupported crypt class"
+    end
+  end
+end

data/lib/ruby-common/v5/CryptMethodConstans.rb

@@ -0,0 +1,10 @@
+class CryptMethodConstans
+  CRYPT_METHODS = {
+    "AES-128-GCM" => 12,
+    "AES-192-GCM" => 12,
+    "AES-256-GCM" => 12,
+    "AES-128-CBC" => 16,
+    "AES-192-CBC" => 16,
+    "AES-256-CBC" => 16
+  }.freeze
+end

data/lib/ruby-common/v5/DecryptResult.rb

@@ -0,0 +1,27 @@
+class DecryptResult
+  def initialize
+    @method = nil
+    @byte_buffer_map = {}
+    @data = nil
+  end
+
+  def method
+    @method
+  end
+
+  def method=(method)
+    @method = method
+  end
+
+  def byte_buffer_map
+    @byte_buffer_map
+  end
+
+  def data
+    @data
+  end
+
+  def data=(data)
+    @data = data
+  end
+end

data/lib/ruby-common/v5/MyOpenSSL.rb

@@ -0,0 +1,39 @@
+require_relative "./AbstractSymmetricCrypt.rb"
+require_relative "./CryptMethodConstans.rb"
+
+
+class MyOpenSSL < AbstractSymmetricCrypt
+  METHOD = 0x0200
+
+  def initialize(crypt_method: "AES-256-CBC")
+    if CryptMethodConstans::CRYPT_METHODS.key?(crypt_method)
+      @crypt_method = crypt_method
+      @crypt_iv = CryptMethodConstans::CRYPT_METHODS[crypt_method]
+    else
+      raise DecryptError, "Method not supported #{crypt_method}"
+    end
+  end
+
+  def decrypt_with_key(payload, key)
+    lengths = {"iv" => @crypt_iv}
+    result = parse(payload, lengths)
+
+    raise DecryptError, 'Unrecognized payload' if result.method != METHOD;
+
+    return decode(payload, key, result.byte_buffer_map['iv'])
+  end
+
+  def decode(input, key, iv)
+    begin
+      cipher = OpenSSL::Cipher.new(@crypt_method)
+      cipher.decrypt
+
+      cipher.key = key.bytes.pack('C*')
+      cipher.iv = iv.bytes.pack('C*')
+
+      return cipher.update(input) + cipher.final
+    rescue StandardError => e
+      raise DecryptError, "Decryption OpenSSL failed: #{e.message}"
+    end
+  end
+end

data/lib/ruby-common/v5/OpenSSLAEAD.rb

@@ -0,0 +1,41 @@
+require_relative "./AbstractSymmetricCrypt.rb"
+
+class OpenSSLAEAD < AbstractSymmetricCrypt
+  METHOD = 0x0201
+
+  def initialize(tag: 16, crypt_method: "AES-256-GCM")
+    @tag= tag
+    @crypt_method = crypt_method
+    @crypt_iv = CryptMethodConstans::CRYPT_METHODS[crypt_method]
+  end
+
+  def decrypt_with_key(payload, key)
+    lengths = {"iv" => @crypt_iv, "tag" => @tag}
+    result = parse(payload, lengths)
+
+    raise DecryptError, 'Unrecognized payload' if result.method != METHOD;
+
+    return decode(
+      result.data,
+      key,
+      result.byte_buffer_map['iv'],
+      result.byte_buffer_map['tag']
+    )
+  end
+
+  private
+  def decode(input, key, iv, tag)
+    cipher = OpenSSL::Cipher.new(@crypt_method)
+    cipher.decrypt
+
+    cipher.key = key.bytes.pack('C*')
+    cipher.iv = iv.bytes.pack('C*')
+    cipher.auth_tag = tag.bytes.pack('C*')
+
+    return cipher.update(input) + cipher.final
+  rescue OpenSSL::Cipher::CipherError => e
+    raise DecryptError.new("Decryption failed: #{e.message}")
+  end
+
+
+end

data/lib/ruby-common/v5/PhpUnserializer.rb

@@ -0,0 +1,88 @@
+class PhpUnserializer
+  def initialize(data)
+    @data = data
+    @index = 0
+  end
+
+  def unserialize
+    type = @data[@index]
+    @index += 2 
+
+    case type
+    when 'i' then parse_int
+    when 'd' then parse_float
+    when 'b' then parse_boolean
+    when 's' then parse_string
+    when 'a' then parse_array
+    when 'O' then parse_object
+    else
+      raise ArgumentError, "Unsupported type: #{type}"
+    end
+  end
+
+  private
+
+  def parse_int
+    semi_colon_index = @data.index(';', @index)
+    int_str = @data[@index...semi_colon_index]
+    @index = semi_colon_index + 1
+    int_str.to_i
+  end
+
+  def parse_float
+    semi_colon_index = @data.index(';', @index)
+    float_str = @data[@index...semi_colon_index]
+    @index = semi_colon_index + 1
+    float_str.to_f
+  end
+
+  def parse_boolean
+    bool_char = @data[@index]
+    @index += 2
+    bool_char == '1'
+  end
+
+  def parse_string
+    colon_index = @data.index(':', @index)
+    length = @data[@index...colon_index].to_i
+    @index = colon_index + 2
+    str = @data[@index...@index + length]
+    @index += length + 2
+    str
+  end
+
+  def parse_array
+    colon_index = @data.index(':', @index)
+    length = @data[@index...colon_index].to_i
+    @index = colon_index + 2
+    map = {}
+    length.times do
+      key = unserialize
+      value = unserialize
+      map[key] = value
+    end
+    @index += 1 
+    map
+  end
+
+  def parse_object
+    colon_index = @data.index(':', @index)
+    class_name_length = @data[@index...colon_index].to_i
+    @index = colon_index + 2
+    class_name = @data[@index...@index + class_name_length]
+    @index += class_name_length + 2
+
+    colon_index = @data.index(':', @index)
+    length = @data[@index...colon_index].to_i
+    @index = colon_index + 2
+    fields = {}
+    length.times do
+      key = unserialize
+      value = unserialize
+      fields[key] = value
+    end
+    @index += 1 
+
+    { class_name => fields }
+  end
+end

data/lib/ruby-common/v5/Secretbox.rb

@@ -0,0 +1,14 @@
+require 'rbnacl'
+
+class Secretbox < AbstractSymmetricCrypt
+  METHOD = 0x0101
+
+  def decrypt_with_key(payload, key)
+    nonce_bytes = 24
+    parse = parse(payload, { iv: nonce_bytes })
+    secret_box = RbNaCl::SecretBox.new(key)
+    return secret_box.decrypt(parse.byte_buffer_map[:iv], parse.data)
+  rescue RbNaCl::CryptoError
+    raise 'Decryption failed'
+  end
+end

data/lib/ruby-common/v5/Signature5VerificationResult.rb

@@ -0,0 +1,154 @@
+class Signature5VerificationResult
+  # Zone-id
+  attr_accessor :zone_id
+  # Detection result as number, one of following: 0, 3, 6, 9
+  attr_accessor :result
+  # Detection result as text, one of following: ok, junk, proxy, bot
+  attr_accessor :verdict
+  # Visitor's User Agent
+  attr_accessor :visitor_user_agent
+  # Data
+  attr_accessor :data
+  # IPv4 address
+  attr_accessor :ipv4_ip
+  # Number of bytes required for IP matching
+  attr_accessor :ipv4_v
+  # IPv6 address
+  attr_accessor :ipv6_ip
+  # Number of left-most bytes of IPv6 address needed to match
+  attr_accessor :ipv6_v
+  # Number of CPU logical cores gathered from navigator.hardwareConcurrency
+  attr_accessor :cpu_cores
+  # Amount of RAM memory in GB gathered from navigator.deviceMemory
+  attr_accessor :ram
+  # Timezone offset from GMT in minutes
+  attr_accessor :tz_offset
+  # User-Agent Client Hints Platform
+  attr_accessor :b_platform
+  # Content of Sec-CH-UA-Platform-Version request header
+  attr_accessor :platform_v
+  # GPU Model obtained from WebGL and WebGPU APIs
+  attr_accessor :gpu
+  # Detected iPhone/iPad model by Adscore AppleSense
+  attr_accessor :apple_sense
+  # Physical screen horizontal resolution
+  attr_accessor :horizontal_resolution
+  # Physical screen vertical resolution
+  attr_accessor :vertical_resolution
+  # Adscore TrueUA-enriched User-Agent
+  attr_accessor :true_ua
+  # Adscore True Location Country
+  attr_accessor :true_ua_location
+  # Adscore True Location Confidence
+  attr_accessor :true_ua_location_c
+  # Adscore TrueUA-enriched Client Hints header Sec-CH-UA
+  attr_accessor :truech_ua
+  # Adscore TrueUA-enriched Client Hints header Sec-CH-UA-Arch
+  attr_accessor :truech_arch
+  # Adscore TrueUA-enriched Client Hints header Sec-CH-UA-Bitness
+  attr_accessor :truech_bitness
+  # Adscore TrueUA-enriched Client Hints header Sec-CH-UA-Model
+  attr_accessor :truech_model
+  # Adscore TrueUA-enriched Client Hints header Sec-CH-UA-Platform
+  attr_accessor :truech_platform
+  # Adscore TrueUA-enriched Client Hints header Sec-CH-UA-Platform-Version
+  attr_accessor :truech_platform_v
+  # Adscore TrueUA-enriched Client Hints header Sec-CH-UA-Full-Version
+  attr_accessor :truech_full_v
+  # Adscore TrueUA-enriched Client Hints header Sec-CH-UA-Mobile
+  attr_accessor :truech_mobile
+  # Indicates whether visitor is using Private Browsing (Incognito) Mode
+  attr_accessor :incognito
+  # Adscore zone subId
+  attr_accessor :sub_id
+  # Request time
+  attr_accessor :request_time
+  # Signature time
+  attr_accessor :signature_time
+  # Signature time
+  attr_accessor :h_signature_time
+  # Token
+  attr_accessor :token
+  # Other, which has not been mapped to a field, or getting error during parsing
+  attr_accessor :additional_data
+
+  def initialize(hash)
+    @zone_id = hash.delete('zone_id')&.to_i
+    @result = hash.delete('result')&.to_i
+    @verdict = hash.delete('verdict')
+    @visitor_user_agent = hash.delete('b.ua')
+    @data = hash.delete('data')
+    @ipv4_ip = hash.delete('ipv4.ip')
+    @ipv4_v = hash.delete('ipv4.v')&.to_i
+    @ipv6_ip = hash.delete('ipv6.ip')
+    @ipv6_v = hash.delete('ipv6.v')&.to_i
+    @cpu_cores = hash.delete('b.cpucores')&.to_i
+    @ram = hash.delete('b.ram')&.to_i
+    @tz_offset = hash.delete('b.tzoffset')&.to_i
+    @b_platform = hash.delete('b.platform')
+    @platform_v = hash.delete('b.platform.v')
+    @gpu = hash.delete('b.gpu')
+    @apple_sense = hash.delete('apple_sense')
+    @horizontal_resolution = hash.delete('b.sr.w')&.to_i
+    @vertical_resolution = hash.delete('b.sr.h')&.to_i
+    @true_ua = hash.delete('b.trueua')
+    @true_ua_location = hash.delete('b.trueloc.c')
+    @true_ua_location_c = hash.delete('b.truech.location.c')&.to_i
+    @truech_ua = hash.delete('b.truech.ua')
+    @truech_arch = hash.delete('b.truech.arch')
+    @truech_bitness = hash.delete('b.truech.bitness')&.to_i
+    @truech_model = hash.delete('b.truech.model')
+    @truech_platform = hash.delete('b.truech.platform')
+    @truech_platform_v = hash.delete('b.truech.platform.v')
+    @truech_full_v = hash.delete('b.truech.full.v')
+    @truech_mobile = hash.delete('b.truech.mobile')
+    @incognito = hash.delete('incognito')
+    @sub_id = hash.delete('sub_id')
+    @request_time = hash.delete('requestTime')&.to_i
+    @h_signature_time = hash.delete('HsignatureTime')
+    @signature_time = hash.delete('signatureTime')
+    @token = hash.delete('token')
+    @additional_data = hash
+  end
+
+  def to_s
+    <<~STRING
+      Zone ID: #{@zone_id}
+      Result: #{@result}
+      Verdict: #{@verdict}
+      Visitor User Agent: #{@visitor_user_agent}
+      Data: #{@data}
+      IPv4 IP: #{@ipv4_ip}
+      IPv4 Version: #{@ipv4_v}
+      IPv6 IP: #{@ipv6_ip}
+      IPv6 Version: #{@ipv6_v}
+      CPU Cores: #{@cpu_cores}
+      RAM: #{@ram}
+      Time Zone Offset: #{@tz_offset}
+      Browser Platform: #{@b_platform}
+      Platform Version: #{@platform_v}
+      GPU: #{@gpu}
+      Apple Sense: #{@apple_sense}
+      Horizontal Resolution: #{@horizontal_resolution}
+      Vertical Resolution: #{@vertical_resolution}
+      True User Agent: #{@true_ua}
+      True User Agent Location: #{@true_ua_location}
+      True User Agent Location Code: #{@true_ua_location_c}
+      Truech User Agent: #{@truech_ua}
+      Truech Architecture: #{@truech_arch}
+      Truech Bitness: #{@truech_bitness}
+      Truech Model: #{@truech_model}
+      Truech Platform: #{@truech_platform}
+      Truech Platform Version: #{@truech_platform_v}
+      Truech Full Version: #{@truech_full_v}
+      Truech Mobile: #{@truech_mobile}
+      Incognito: #{@incognito}
+      Subscriber ID: #{@sub_id}
+      Request Time: #{@request_time}
+      Signature Time: #{@signature_time}
+      H Signature Time: #{@h_signature_time}
+      Token: #{@token}
+      Additional Data: #{@additional_data}
+    STRING
+  end
+end