RubyGems - sqreen - Versions diffs - 1.18.2-java → 1.19.0-java - Mend

sqreen 1.18.2-java → 1.19.0-java

Files changed (184) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +35 -0
data/LICENSE +3 -0
data/lib/sqreen.rb +2 -0
data/lib/sqreen/actions.rb +13 -337
data/lib/sqreen/actions/actions_index.rb +16 -0
data/lib/sqreen/actions/base.rb +104 -0
data/lib/sqreen/actions/block_ip.rb +34 -0
data/lib/sqreen/actions/block_user.rb +46 -0
data/lib/sqreen/actions/ip_range_indexed_action_class.rb +16 -0
data/lib/sqreen/actions/ip_ranges_index.rb +57 -0
data/lib/sqreen/actions/redirect_ip.rb +42 -0
data/lib/sqreen/actions/redirect_user.rb +47 -0
data/lib/sqreen/actions/repository.rb +43 -0
data/lib/sqreen/actions/unknown_action_type.rb +20 -0
data/lib/sqreen/actions/user_action_class.rb +16 -0
data/lib/sqreen/actions/users_index.rb +35 -0
data/lib/sqreen/agent.rb +6 -2
data/lib/sqreen/attack_blocked.rb +19 -0
data/lib/sqreen/backport.rb +2 -0
data/lib/sqreen/backport/clock_gettime.rb +74 -0
data/lib/sqreen/backport/original_name.rb +2 -0
data/lib/sqreen/binding_accessor.rb +11 -102
data/lib/sqreen/binding_accessor/path_elem.rb +10 -0
data/lib/sqreen/binding_accessor/transforms.rb +114 -0
data/lib/sqreen/call_countable.rb +2 -0
data/lib/sqreen/capped_queue.rb +4 -0
data/lib/sqreen/{callbacks.rb → cb.rb} +3 -53
data/lib/sqreen/{callback_tree.rb → cb_tree.rb} +4 -2
data/lib/sqreen/condition_evaluator.rb +24 -5
data/lib/sqreen/conditionable.rb +2 -0
data/lib/sqreen/configuration.rb +19 -0
data/lib/sqreen/context.rb +2 -0
data/lib/sqreen/default_cb.rb +22 -0
data/lib/sqreen/deferred_logger.rb +65 -0
data/lib/sqreen/deliveries.rb +12 -0
data/lib/sqreen/deliveries/batch.rb +9 -1
data/lib/sqreen/deliveries/simple.rb +7 -0
data/lib/sqreen/dependency.rb +3 -1
data/lib/sqreen/dependency/detector.rb +22 -14
data/lib/sqreen/dependency/libsqreen.rb +32 -0
data/lib/sqreen/dependency/new_relic.rb +2 -0
data/lib/sqreen/dependency/rack.rb +10 -5
data/lib/sqreen/dependency/rails.rb +8 -0
data/lib/sqreen/dependency/sentry.rb +2 -0
data/lib/sqreen/dependency/sinatra.rb +58 -14
data/lib/sqreen/encoding_sanitizer.rb +2 -0
data/lib/sqreen/error_handling_middleware.rb +32 -0
data/lib/sqreen/event.rb +4 -0
data/lib/sqreen/events/attack.rb +4 -0
data/lib/sqreen/events/remote_exception.rb +2 -0
data/lib/sqreen/events/request_record.rb +13 -56
data/lib/sqreen/exception.rb +11 -40
data/lib/sqreen/formatter_with_tid.rb +47 -0
data/lib/sqreen/framework_cb.rb +30 -0
data/lib/sqreen/frameworks.rb +9 -0
data/lib/sqreen/frameworks/generic.rb +22 -2
data/lib/sqreen/frameworks/rails.rb +3 -0
data/lib/sqreen/frameworks/rails3.rb +2 -0
data/lib/sqreen/frameworks/request_recorder.rb +5 -0
data/lib/sqreen/frameworks/sinatra.rb +4 -0
data/lib/sqreen/frameworks/sqreen_test.rb +4 -0
data/lib/sqreen/graft.rb +12 -0
data/lib/sqreen/graft/call.rb +150 -0
data/lib/sqreen/{dependency → graft}/callback.rb +12 -4
data/lib/sqreen/graft/hook.rb +316 -0
data/lib/sqreen/{dependency → graft}/hook_point.rb +152 -33
data/lib/sqreen/graft/hook_point_error.rb +10 -0
data/lib/sqreen/invalid_signature_exception.rb +10 -0
data/lib/sqreen/js.rb +11 -0
data/lib/sqreen/js/call_context.rb +12 -0
data/lib/sqreen/js/context_pool.rb +62 -0
data/lib/sqreen/js/exec_js_runnable.rb +22 -0
data/lib/sqreen/js/execjs_adapter.rb +8 -47
data/lib/sqreen/js/executable_js.rb +14 -0
data/lib/sqreen/js/js_service.rb +4 -22
data/lib/sqreen/js/js_service_adapter.rb +20 -0
data/lib/sqreen/js/mini_racer_adapter.rb +8 -180
data/lib/sqreen/js/mini_racer_executable_js.rb +144 -0
data/lib/sqreen/js/thread_local_exec_js_runnable.rb +49 -0
data/lib/{sqreen-alt.rb → sqreen/legacy.rb} +5 -1
data/lib/sqreen/{instrumentation.rb → legacy/instrumentation.rb} +44 -15
data/lib/sqreen/log.rb +10 -188
data/lib/sqreen/log/loggable.rb +28 -0
data/lib/sqreen/logger.rb +85 -0
data/lib/sqreen/metrics.rb +2 -0
data/lib/sqreen/metrics/average.rb +2 -0
data/lib/sqreen/metrics/base.rb +2 -0
data/lib/sqreen/metrics/binning.rb +2 -0
data/lib/sqreen/metrics/collect.rb +2 -0
data/lib/sqreen/metrics/sum.rb +2 -0
data/lib/sqreen/metrics_store.rb +5 -11
data/lib/sqreen/metrics_store/already_registered_metric.rb +13 -0
data/lib/sqreen/metrics_store/unknown_metric.rb +13 -0
data/lib/sqreen/metrics_store/unregistered_metric.rb +13 -0
data/lib/sqreen/middleware.rb +2 -34
data/lib/sqreen/mono_time.rb +4 -0
data/lib/sqreen/node.rb +46 -0
data/lib/sqreen/not_implemented_yet.rb +10 -0
data/lib/sqreen/null_logger.rb +26 -0
data/lib/sqreen/payload_creator.rb +4 -19
data/lib/sqreen/payload_creator/header_section.rb +30 -0
data/lib/sqreen/performance_notifications.rb +2 -0
data/lib/sqreen/performance_notifications/binned_metrics.rb +2 -0
data/lib/sqreen/performance_notifications/log.rb +2 -0
data/lib/sqreen/performance_notifications/log_performance.rb +2 -0
data/lib/sqreen/performance_notifications/metrics.rb +2 -0
data/lib/sqreen/performance_notifications/newrelic.rb +2 -0
data/lib/sqreen/prefix.rb +35 -0
data/lib/sqreen/rails_middleware.rb +16 -0
data/lib/sqreen/remote_command.rb +3 -8
data/lib/sqreen/remote_command/failure_output.rb +16 -0
data/lib/sqreen/rules.rb +34 -2
data/lib/sqreen/{rule_attributes.rb → rules/attrs.rb} +2 -0
data/lib/sqreen/{rules_callbacks/sdk_auth_track.rb → rules/auth_track_cb.rb} +4 -2
data/lib/sqreen/{rules_callbacks/binding_accessor_matcher.rb → rules/binding_accessor_matcher_cb.rb} +6 -8
data/lib/sqreen/{rules_callbacks → rules}/binding_accessor_metrics.rb +3 -1
data/lib/sqreen/{rules_callbacks/blacklist_ips.rb → rules/blacklist_ips_cb.rb} +5 -2
data/lib/sqreen/{rules_callbacks → rules}/count_http_codes.rb +4 -2
data/lib/sqreen/{rules_callbacks/crawler_user_agent_matches.rb → rules/crawler_user_agent_matches_cb.rb} +3 -1
data/lib/sqreen/{rules_callbacks/crawler_user_agent_matches_metrics.rb → rules/crawler_user_agent_matches_metrics_cb.rb} +3 -1
data/lib/sqreen/{rules_callbacks/custom_error.rb → rules/custom_error_cb.rb} +3 -1
data/lib/sqreen/{rules_callbacks/devise_auth_track.rb → rules/devise_auth_track_cb.rb} +4 -2
data/lib/sqreen/{rules_callbacks/devise_signup_track.rb → rules/devise_signup_track_cb.rb} +4 -2
data/lib/sqreen/{rules_callbacks/execjs.rb → rules/execjs_cb.rb} +51 -50
data/lib/sqreen/{rules_callbacks/headers_insert.rb → rules/headers_insert_cb.rb} +8 -1
data/lib/sqreen/{rules_callbacks → rules}/matcher_rule.rb +4 -2
data/lib/sqreen/{rules_callbacks/not_found.rb → rules/not_found_cb.rb} +7 -2
data/lib/sqreen/{rules_callbacks/rails_parameters.rb → rules/rails_parameters_cb.rb} +3 -1
data/lib/sqreen/{rules_callbacks → rules}/record_request_context.rb +3 -1
data/lib/sqreen/{rules_callbacks/regexp_rule.rb → rules/regexp_rule_cb.rb} +3 -1
data/lib/sqreen/{rule_callback.rb → rules/rule_cb.rb} +4 -2
data/lib/sqreen/{rules_callbacks → rules}/run_req_start_actions.rb +7 -3
data/lib/sqreen/{rules_callbacks → rules}/run_user_actions.rb +4 -2
data/lib/sqreen/{rules_callbacks/shell_env.rb → rules/shell_env_cb.rb} +3 -1
data/lib/sqreen/{rules_callbacks/sdk_signup_track.rb → rules/signup_track_cb.rb} +4 -2
data/lib/sqreen/rules/update_request_context.rb +22 -0
data/lib/sqreen/{rules_callbacks/url_matches.rb → rules/url_matches_cb.rb} +3 -1
data/lib/sqreen/{rules_callbacks/user_agent_matches.rb → rules/user_agent_matches_cb.rb} +3 -1
data/lib/sqreen/{rules_callbacks/waf.rb → rules/waf_cb.rb} +41 -21
data/lib/sqreen/{rules_callbacks/reflected_xss.rb → rules/xss_cb.rb} +12 -7
data/lib/sqreen/run_when_called_cb.rb +23 -0
data/lib/sqreen/runner.rb +25 -7
data/lib/sqreen/runtime_infos.rb +4 -9
data/lib/sqreen/safe_json.rb +2 -0
data/lib/sqreen/sdk.rb +4 -0
data/lib/sqreen/sensitive_data_redactor.rb +113 -0
data/lib/sqreen/serializer.rb +2 -0
data/lib/sqreen/session.rb +2 -0
data/lib/sqreen/shared_storage.rb +2 -0
data/lib/sqreen/shared_storage23.rb +2 -0
data/lib/sqreen/shrink_wrap.rb +16 -0
data/lib/sqreen/signature_verifier.rb +22 -0
data/lib/sqreen/sinatra_middleware.rb +16 -0
data/lib/sqreen/{rules_signature.rb → sqreen_signed_verifier.rb} +7 -17
data/lib/sqreen/token_invalid_exception.rb +10 -0
data/lib/sqreen/token_not_found_exception.rb +11 -0
data/lib/sqreen/trie.rb +5 -64
data/lib/sqreen/unauthorized.rb +10 -0
data/lib/sqreen/util.rb +7 -0
data/lib/sqreen/util/capped_array.rb +35 -0
data/lib/sqreen/util/capped_hash.rb +41 -0
data/lib/sqreen/util/capped_string.rb +26 -0
data/lib/sqreen/util/capper.rb +67 -0
data/lib/sqreen/version.rb +3 -1
data/lib/sqreen/waf_error.rb +20 -0
data/lib/sqreen/weave.rb +12 -0
data/lib/sqreen/weave/hardcoded.rb +19 -0
data/lib/sqreen/weave/instrumentor.rb +48 -0
data/lib/sqreen/weave/legacy.rb +12 -0
data/lib/sqreen/weave/legacy/instrumentation.rb +406 -0
data/lib/sqreen/web_server.rb +2 -0
data/lib/sqreen/web_server/generic.rb +2 -0
data/lib/sqreen/web_server/passenger.rb +2 -0
data/lib/sqreen/web_server/puma.rb +2 -0
data/lib/sqreen/web_server/rainbows.rb +2 -0
data/lib/sqreen/web_server/thin.rb +2 -0
data/lib/sqreen/web_server/unicorn.rb +2 -0
data/lib/sqreen/web_server/webrick.rb +2 -0
data/lib/sqreen/worker.rb +2 -0
metadata +105 -39
data/lib/sqreen/dependency/hook.rb +0 -102
data/lib/sqreen/rules_callbacks.rb +0 -35
data/lib/sqreen/rules_callbacks/inspect_rule.rb +0 -25

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 06bc081efdb3dd498597a1d2a044b3ced504afd9f30d3eaf7924949fadbde242
-  data.tar.gz: 6870982f1abd957f3f676533698d9d0e74aa5b367773622b37e15793982b5287
+  metadata.gz: 5082d08022b3f107ae50c29fb9f0846ca7398bc3544dc5ee0594a5c0a4d74e72
+  data.tar.gz: a7b3e4d7ab8b5c504b9a460e0504eded5acf96a9dfa4dc9655708205540f00bd
 SHA512:
-  metadata.gz: 89323033681f35c0d1e99675d5a26dd439741b35a9a2a299c881e3e2cbc8c61fbaaf520af47e263f9dfcb6ae57c919b32573106bc3761a1c7268a90f2b930d30
-  data.tar.gz: f2fb38415d5729ea35895997c92651fd0ce6a27865622d3d9ece3ca94c0b2dab33647afd1105aa865a03493f5e9bf78cf97c1f6acede67b775c7a8c7966ce7f7
+  metadata.gz: 393969dbf38bf2ea63688500f4c1902454a0489238c00fd1d11bebfa21017b1d320936b4b2e2871e9477aaaaf23690042d594de1f2fdb1518a4bab8c2b283ee4
+  data.tar.gz: ee617d28aa7f4822dc5c0ad9afbc5562c4550a50aa32a4be937787ae3cef3b7e48acdbc278a9fe8a5ee9ee4bb31266075e92b5401e678024faf939115b734c43

data/CHANGELOG.md CHANGED

@@ -1,3 +1,38 @@
+## 1.19.0
+* Upgrade WAF features via libsqreen 0.6.1
+* Improve time defensiveness in WAF
+* Improve compatibility with APM agents via a new optional instrumentation engine
+* Fix action reloading not being entirely cleared on reload
+* Improve handling of hash symbol keys in some security rules
+* Fix constant resolution scope on agent boot
+## 1.18.6
+* Improve default WAF time budget handling logic
+## 1.18.5
+* Fix type mismatch in WAF time budget handling
+* Improve exception handling for non-WAF errors within WAF
+## 1.18.4
+* Fix instrumentation conflict when a class defines a send method
+* Fix compatibility with Sorbet type checker
+* Improve WAF time budget handling
+## 1.18.3
+* Improve PII protection
+* Improve performance on sizeable request payloads
+* Improve handling of Rails without a database
+* Improve compatibility with Rack and Sinatra middlewares
+* Support JSON payloads with rack-contrib PostBodyContentParser
+* Add libsqreen toggle to configuration
+* Prepare for Ruby 2.7 support
+* Include license file in gem
 ## 1.18.2
 * Improve internal WAF error reporting

data/LICENSE ADDED

@@ -0,0 +1,3 @@
+Sqreen for Ruby is free-to-use, proprietary software.
+Please refer to our terms for more information: https://www.sqreen.com/terms.html

data/lib/sqreen.rb CHANGED

@@ -1,3 +1,5 @@
+# typed: ignore
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html

data/lib/sqreen/actions.rb CHANGED

@@ -1,51 +1,28 @@
+# typed: true
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
-require 'ipaddr'
-require 'sqreen/trie'
-require 'sqreen/log'
-require 'sqreen/exception'
-require 'sqreen/sdk'
-require 'sqreen/frameworks'
-require 'singleton'
+require 'sqreen/actions/unknown_action_type'
+require 'sqreen/actions/base'
+require 'sqreen/actions/block_user'
+require 'sqreen/actions/redirect_user'
+require 'sqreen/actions/block_ip'
+require 'sqreen/actions/redirect_ip'
+require 'sqreen/actions/repository'
+require 'sqreen/actions/unknown_action_type'
 module Sqreen
   # Implements actions (behavior taken in response to agent signals)
   module Actions
-    # Exception for when an unknown action type is gotten from the server
-    class UnknownActionType < ::Sqreen::Exception
-      attr_reader :action_type
-      def initialize(action_type)
-        super("no such action type: #{action_type}. Must be one of #{Base.known_types}")
-        @action_type = action_type
-      end
-    end
-    # Where the currently loaded actions are stored. Singleton
-    class Repository
-      include Singleton
-      def add(params, action)
-        action.class.index(params || {}, action)
-      end
-      def get(action_class, key)
-        action_class = Base.get_type_class(action_class) unless action_class.class == Class
-        action_class.actions_matching key
-      end
-      def clear
-        Base.known_subclasses.each(&:clear)
-      end
-    end
     # @return [Sqreen::Actions::Base]
     def self.deserialize_action(hash)
       action_type = hash['action']
       raise 'no action type available' unless action_type
-      subclass = Base.get_type_class(action_type)
-      raise UnknownActionType, action_type unless subclass
+      subclass = Sqreen::Actions::Base.get_type_class(action_type)
+      raise Sqreen::Actions::UnknownActionType, action_type unless subclass
       id = hash['action_id']
       raise 'no action id available' unless id
@@ -63,306 +40,5 @@ module Sqreen
       subclass.new(id, opts, hash['parameters'] || {})
     end
-    # Base class for actions
-    # subclasses must also implement some methods in their singleton classes
-    # (actions_matching, index and clear)
-    class Base
-      attr_reader :id, :expiry, :send_response
-      def initialize(id, opts)
-        @id = id
-        duration = opts[:duration]
-        @expiry = Time.new + duration unless duration.nil?
-        @send_response = if opts[:send_response].nil?
-                           true
-                         else
-                           !!opts[:send_response]
-                         end
-      end
-      # See Sqreen::CB for return values
-      def run(*args)
-        return if expiry && Time.new > expiry
-        ret = do_run *args
-        unless ret.nil? || !@send_response
-          Sqreen.internal_track(event_name,
-                                'properties' => {
-                                  'output' => event_properties(*args),
-                                  'action_id' => id,
-                                })
-        end
-        ret
-      end
-      protected
-      def do_run(*_args)
-        raise ::Sqreen::NotImplementedYet, "do_run not implemented in #{self.class}"
-        # implement in subclasses
-      end
-      def event_properties(*_run_args)
-        raise ::Sqreen::NotImplementedYet, "event_properties not implemented in #{self.class}"
-        # implement in subclasses
-      end
-      private
-      def event_name
-        "sq.action.#{self.class.type_name}"
-      end
-      @@subclasses = {}
-      class << self
-        private :new
-        attr_reader :type_name
-        def get_type_class(name)
-          @@subclasses[name]
-        end
-        def known_subclasses
-          @@subclasses.values
-        end
-        def known_types
-          @@subclasses.keys
-        end
-        # all actions matching, possibly already expired
-        def actions_matching(_key)
-          raise 'implement in singletons of subclasses'
-        end
-        def index(_params, _action)
-          raise 'implement in singletons of subclasses'
-        end
-        def clear
-          raise 'implement in singletons of subclasses'
-        end
-        def inherited(subclass)
-          class << subclass
-            public :new
-          end
-        end
-        protected
-        def type_name=(name)
-          @type_name = name
-          @@subclasses[name] = self
-        end
-      end
-    end
-    module IpRangesIndex
-      def add_prefix(prefix_str, data)
-        @trie_v4 ||= Sqreen::Trie.new
-        @trie_v6 ||= Sqreen::Trie.new(nil, nil, Socket::AF_INET6)
-        prefix = Sqreen::Prefix.from_str(prefix_str, data)
-        trie = prefix.family == Socket::AF_INET6 ? @trie_v6 : @trie_v4
-        trie.insert prefix
-      end
-      def matching_actions(client_ip)
-        parsed_ip = IPAddr.new(client_ip.gsub(/%[^%\/]+/, ''))
-        trie = parsed_ip.family == Socket::AF_INET6 ? @trie_v6 : @trie_v4
-        return [] unless trie
-        found = trie.search_matching(parsed_ip.to_i, parsed_ip.family)
-        return [] unless found.size > 0
-        Sqreen.log.debug("Client ip #{client_ip} matches #{found.inspect}")
-        found.map(&:data)
-      end
-      def clear
-        @trie_v4 = Sqreen::Trie.new
-        @trie_v6 = Sqreen::Trie.new(nil, nil, Socket::AF_INET6)
-      end
-    end
-    module IpRangeIndexedActionClass
-      include IpRangesIndex
-      def actions_matching(client_ip)
-         matching_actions client_ip
-      end
-      def index(params, action)
-        ranges = parse_ip_ranges params
-        ranges.each do |r|
-          add_prefix r, action
-        end
-      end
-      private
-      # returns array of prefixes in string form
-      def parse_ip_ranges(params)
-        ranges = params['ip_cidr']
-        unless ranges && ranges.is_a?(Array) && !ranges.empty?
-          raise 'no non-empty ip_cidr array present'
-        end
-        ranges
-      end
-    end
-    # Block a list of IP address ranges. Standard "raise" behavior.
-    class BlockIp < Base
-      extend IpRangeIndexedActionClass
-      self.type_name = 'block_ip'
-      def initialize(id, opts, params = {})
-        # no need to store the ranges for this action, the index filter the class
-        super(id, opts)
-      end
-      def do_run(client_ip)
-        e = Sqreen::AttackBlocked.new("Blocked client's IP #{client_ip} " \
-          "(action: #{id}). No action is required")
-        { :status => :raise, :exception => e, :skip_rem_cbs => true }
-      end
-      def event_properties(client_ip)
-        { 'ip_address' => client_ip }
-      end
-    end
-    # Block a list of IP address ranges by forcefully redirecting the user
-    # to a specific URL.
-    class RedirectIp < Base
-      extend IpRangeIndexedActionClass
-      self.type_name = 'redirect_ip'
-      attr_reader :redirect_url
-      def initialize(id, opts, params = {})
-        super(id, opts)
-        @redirect_url = params['url']
-        raise "no url provided for action #{id}" unless @redirect_url
-      end
-      def do_run(client_ip)
-        Sqreen.log.info "Will request redirect for client with IP #{client_ip} " \
-          "(action: #{id})."
-        {
-          :status => :skip,
-          :new_return_value => [303, { 'Location' => @redirect_url }, ['']],
-          :skip_rem_cbs => true,
-        }
-      end
-      def event_properties(client_ip)
-        { 'ip_address' => client_ip, 'url' => @redirect_url }
-      end
-    end
-    module UserActionClass
-      def actions_matching(identity_params)
-        return [] unless @idx
-        key = stringify_keys(identity_params)
-        actions = @idx[key]
-        actions || []
-      end
-      def index(params, action)
-        @idx ||= {}
-        users = params['users']
-        raise ::Sqreen::Exception, 'nil "users" param for block_user action' if users.nil?
-        raise ::Sqreen::Exception, '"users" param must be an array' unless users.is_a? Array
-        users.each do |u|
-          @idx[u] ||= []
-          @idx[u] << action
-        end
-      end
-      def clear
-        @idx = {}
-      end
-      private
-      def stringify_keys(hash)
-        Hash[
-          hash.map { |k, v| [k.to_s, v] }
-        ]
-      end
-    end
-    # Blocks a user at the point Sqreen::identify()
-    # or Sqreen::auth_track() are called
-    class BlockUser < Base
-      extend UserActionClass
-      self.type_name = 'block_user'
-      def initialize(id, opts, params = {})
-        super(id, opts)
-      end
-      def do_run(identity_params)
-        Sqreen.log.info(
-          "Will raise due to user being blocked by action #{id}. " \
-          "Blocked user identity: #{identity_params}"
-        )
-        e = Sqreen::AttackBlocked.new(
-          "Blocked user with identity #{identity_params} " \
-          'due to automatic security response. No action is required'
-        )
-        {
-          :status => :raise,
-          :exception => e,
-        }
-      end
-      def event_properties(identity_params)
-        { 'user' => identity_params }
-      end
-    end
-    # Redirects a user at the point Sqreen::identify()
-    # or Sqreen::auth_track() are called
-    class RedirectUser < Base
-      extend UserActionClass
-      self.type_name = 'redirect_user'
-      def initialize(id, opts, params = {})
-        super(id, opts)
-        @redirect_url = params['url']
-        raise "no url provided for action #{id}" unless @redirect_url
-      end
-      def do_run(identity_params)
-        Sqreen.log.info 'Will request redirect for user with identity ' \
-          "#{identity_params} (action: #{id})."
-        e = Sqreen::AttackBlocked.new(
-          "Redirected user with identity #{identity_params} " \
-          'due to automatic security response. No action is required'
-        )
-        e.redirect_url = @redirect_url
-        {
-          :status => :raise,
-          :exception => e,
-        }
-      end
-      def event_properties(identity_params)
-        { 'user' => identity_params }
-      end
-    end
   end
 end

data/lib/sqreen/actions/actions_index.rb ADDED

@@ -0,0 +1,16 @@
+# typed: true
+module Sqreen
+  module Actions
+    # documents the operations an actions index should implement
+    class ActionsIndex
+      # all actions matching, possibly already expired
+      def actions_matching(_key)
+        raise 'implement in subclasses'
+      end
+      def index(_params, _action)
+        raise 'implement in subclasses'
+      end
+    end
+  end
+end