RubyGems - sqreen - Versions diffs - 1.18.2-java → 1.19.0-java - Mend

sqreen 1.18.2-java → 1.19.0-java

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (184) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +35 -0
data/LICENSE +3 -0
data/lib/sqreen.rb +2 -0
data/lib/sqreen/actions.rb +13 -337
data/lib/sqreen/actions/actions_index.rb +16 -0
data/lib/sqreen/actions/base.rb +104 -0
data/lib/sqreen/actions/block_ip.rb +34 -0
data/lib/sqreen/actions/block_user.rb +46 -0
data/lib/sqreen/actions/ip_range_indexed_action_class.rb +16 -0
data/lib/sqreen/actions/ip_ranges_index.rb +57 -0
data/lib/sqreen/actions/redirect_ip.rb +42 -0
data/lib/sqreen/actions/redirect_user.rb +47 -0
data/lib/sqreen/actions/repository.rb +43 -0
data/lib/sqreen/actions/unknown_action_type.rb +20 -0
data/lib/sqreen/actions/user_action_class.rb +16 -0
data/lib/sqreen/actions/users_index.rb +35 -0
data/lib/sqreen/agent.rb +6 -2
data/lib/sqreen/attack_blocked.rb +19 -0
data/lib/sqreen/backport.rb +2 -0
data/lib/sqreen/backport/clock_gettime.rb +74 -0
data/lib/sqreen/backport/original_name.rb +2 -0
data/lib/sqreen/binding_accessor.rb +11 -102
data/lib/sqreen/binding_accessor/path_elem.rb +10 -0
data/lib/sqreen/binding_accessor/transforms.rb +114 -0
data/lib/sqreen/call_countable.rb +2 -0
data/lib/sqreen/capped_queue.rb +4 -0
data/lib/sqreen/{callbacks.rb → cb.rb} +3 -53
data/lib/sqreen/{callback_tree.rb → cb_tree.rb} +4 -2
data/lib/sqreen/condition_evaluator.rb +24 -5
data/lib/sqreen/conditionable.rb +2 -0
data/lib/sqreen/configuration.rb +19 -0
data/lib/sqreen/context.rb +2 -0
data/lib/sqreen/default_cb.rb +22 -0
data/lib/sqreen/deferred_logger.rb +65 -0
data/lib/sqreen/deliveries.rb +12 -0
data/lib/sqreen/deliveries/batch.rb +9 -1
data/lib/sqreen/deliveries/simple.rb +7 -0
data/lib/sqreen/dependency.rb +3 -1
data/lib/sqreen/dependency/detector.rb +22 -14
data/lib/sqreen/dependency/libsqreen.rb +32 -0
data/lib/sqreen/dependency/new_relic.rb +2 -0
data/lib/sqreen/dependency/rack.rb +10 -5
data/lib/sqreen/dependency/rails.rb +8 -0
data/lib/sqreen/dependency/sentry.rb +2 -0
data/lib/sqreen/dependency/sinatra.rb +58 -14
data/lib/sqreen/encoding_sanitizer.rb +2 -0
data/lib/sqreen/error_handling_middleware.rb +32 -0
data/lib/sqreen/event.rb +4 -0
data/lib/sqreen/events/attack.rb +4 -0
data/lib/sqreen/events/remote_exception.rb +2 -0
data/lib/sqreen/events/request_record.rb +13 -56
data/lib/sqreen/exception.rb +11 -40
data/lib/sqreen/formatter_with_tid.rb +47 -0
data/lib/sqreen/framework_cb.rb +30 -0
data/lib/sqreen/frameworks.rb +9 -0
data/lib/sqreen/frameworks/generic.rb +22 -2
data/lib/sqreen/frameworks/rails.rb +3 -0
data/lib/sqreen/frameworks/rails3.rb +2 -0
data/lib/sqreen/frameworks/request_recorder.rb +5 -0
data/lib/sqreen/frameworks/sinatra.rb +4 -0
data/lib/sqreen/frameworks/sqreen_test.rb +4 -0
data/lib/sqreen/graft.rb +12 -0
data/lib/sqreen/graft/call.rb +150 -0
data/lib/sqreen/{dependency → graft}/callback.rb +12 -4
data/lib/sqreen/graft/hook.rb +316 -0
data/lib/sqreen/{dependency → graft}/hook_point.rb +152 -33
data/lib/sqreen/graft/hook_point_error.rb +10 -0
data/lib/sqreen/invalid_signature_exception.rb +10 -0
data/lib/sqreen/js.rb +11 -0
data/lib/sqreen/js/call_context.rb +12 -0
data/lib/sqreen/js/context_pool.rb +62 -0
data/lib/sqreen/js/exec_js_runnable.rb +22 -0
data/lib/sqreen/js/execjs_adapter.rb +8 -47
data/lib/sqreen/js/executable_js.rb +14 -0
data/lib/sqreen/js/js_service.rb +4 -22
data/lib/sqreen/js/js_service_adapter.rb +20 -0
data/lib/sqreen/js/mini_racer_adapter.rb +8 -180
data/lib/sqreen/js/mini_racer_executable_js.rb +144 -0
data/lib/sqreen/js/thread_local_exec_js_runnable.rb +49 -0
data/lib/{sqreen-alt.rb → sqreen/legacy.rb} +5 -1
data/lib/sqreen/{instrumentation.rb → legacy/instrumentation.rb} +44 -15
data/lib/sqreen/log.rb +10 -188
data/lib/sqreen/log/loggable.rb +28 -0
data/lib/sqreen/logger.rb +85 -0
data/lib/sqreen/metrics.rb +2 -0
data/lib/sqreen/metrics/average.rb +2 -0
data/lib/sqreen/metrics/base.rb +2 -0
data/lib/sqreen/metrics/binning.rb +2 -0
data/lib/sqreen/metrics/collect.rb +2 -0
data/lib/sqreen/metrics/sum.rb +2 -0
data/lib/sqreen/metrics_store.rb +5 -11
data/lib/sqreen/metrics_store/already_registered_metric.rb +13 -0
data/lib/sqreen/metrics_store/unknown_metric.rb +13 -0
data/lib/sqreen/metrics_store/unregistered_metric.rb +13 -0
data/lib/sqreen/middleware.rb +2 -34
data/lib/sqreen/mono_time.rb +4 -0
data/lib/sqreen/node.rb +46 -0
data/lib/sqreen/not_implemented_yet.rb +10 -0
data/lib/sqreen/null_logger.rb +26 -0
data/lib/sqreen/payload_creator.rb +4 -19
data/lib/sqreen/payload_creator/header_section.rb +30 -0
data/lib/sqreen/performance_notifications.rb +2 -0
data/lib/sqreen/performance_notifications/binned_metrics.rb +2 -0
data/lib/sqreen/performance_notifications/log.rb +2 -0
data/lib/sqreen/performance_notifications/log_performance.rb +2 -0
data/lib/sqreen/performance_notifications/metrics.rb +2 -0
data/lib/sqreen/performance_notifications/newrelic.rb +2 -0
data/lib/sqreen/prefix.rb +35 -0
data/lib/sqreen/rails_middleware.rb +16 -0
data/lib/sqreen/remote_command.rb +3 -8
data/lib/sqreen/remote_command/failure_output.rb +16 -0
data/lib/sqreen/rules.rb +34 -2
data/lib/sqreen/{rule_attributes.rb → rules/attrs.rb} +2 -0
data/lib/sqreen/{rules_callbacks/sdk_auth_track.rb → rules/auth_track_cb.rb} +4 -2
data/lib/sqreen/{rules_callbacks/binding_accessor_matcher.rb → rules/binding_accessor_matcher_cb.rb} +6 -8
data/lib/sqreen/{rules_callbacks → rules}/binding_accessor_metrics.rb +3 -1
data/lib/sqreen/{rules_callbacks/blacklist_ips.rb → rules/blacklist_ips_cb.rb} +5 -2
data/lib/sqreen/{rules_callbacks → rules}/count_http_codes.rb +4 -2
data/lib/sqreen/{rules_callbacks/crawler_user_agent_matches.rb → rules/crawler_user_agent_matches_cb.rb} +3 -1
data/lib/sqreen/{rules_callbacks/crawler_user_agent_matches_metrics.rb → rules/crawler_user_agent_matches_metrics_cb.rb} +3 -1
data/lib/sqreen/{rules_callbacks/custom_error.rb → rules/custom_error_cb.rb} +3 -1
data/lib/sqreen/{rules_callbacks/devise_auth_track.rb → rules/devise_auth_track_cb.rb} +4 -2
data/lib/sqreen/{rules_callbacks/devise_signup_track.rb → rules/devise_signup_track_cb.rb} +4 -2
data/lib/sqreen/{rules_callbacks/execjs.rb → rules/execjs_cb.rb} +51 -50
data/lib/sqreen/{rules_callbacks/headers_insert.rb → rules/headers_insert_cb.rb} +8 -1
data/lib/sqreen/{rules_callbacks → rules}/matcher_rule.rb +4 -2
data/lib/sqreen/{rules_callbacks/not_found.rb → rules/not_found_cb.rb} +7 -2
data/lib/sqreen/{rules_callbacks/rails_parameters.rb → rules/rails_parameters_cb.rb} +3 -1
data/lib/sqreen/{rules_callbacks → rules}/record_request_context.rb +3 -1
data/lib/sqreen/{rules_callbacks/regexp_rule.rb → rules/regexp_rule_cb.rb} +3 -1
data/lib/sqreen/{rule_callback.rb → rules/rule_cb.rb} +4 -2
data/lib/sqreen/{rules_callbacks → rules}/run_req_start_actions.rb +7 -3
data/lib/sqreen/{rules_callbacks → rules}/run_user_actions.rb +4 -2
data/lib/sqreen/{rules_callbacks/shell_env.rb → rules/shell_env_cb.rb} +3 -1
data/lib/sqreen/{rules_callbacks/sdk_signup_track.rb → rules/signup_track_cb.rb} +4 -2
data/lib/sqreen/rules/update_request_context.rb +22 -0
data/lib/sqreen/{rules_callbacks/url_matches.rb → rules/url_matches_cb.rb} +3 -1
data/lib/sqreen/{rules_callbacks/user_agent_matches.rb → rules/user_agent_matches_cb.rb} +3 -1
data/lib/sqreen/{rules_callbacks/waf.rb → rules/waf_cb.rb} +41 -21
data/lib/sqreen/{rules_callbacks/reflected_xss.rb → rules/xss_cb.rb} +12 -7
data/lib/sqreen/run_when_called_cb.rb +23 -0
data/lib/sqreen/runner.rb +25 -7
data/lib/sqreen/runtime_infos.rb +4 -9
data/lib/sqreen/safe_json.rb +2 -0
data/lib/sqreen/sdk.rb +4 -0
data/lib/sqreen/sensitive_data_redactor.rb +113 -0
data/lib/sqreen/serializer.rb +2 -0
data/lib/sqreen/session.rb +2 -0
data/lib/sqreen/shared_storage.rb +2 -0
data/lib/sqreen/shared_storage23.rb +2 -0
data/lib/sqreen/shrink_wrap.rb +16 -0
data/lib/sqreen/signature_verifier.rb +22 -0
data/lib/sqreen/sinatra_middleware.rb +16 -0
data/lib/sqreen/{rules_signature.rb → sqreen_signed_verifier.rb} +7 -17
data/lib/sqreen/token_invalid_exception.rb +10 -0
data/lib/sqreen/token_not_found_exception.rb +11 -0
data/lib/sqreen/trie.rb +5 -64
data/lib/sqreen/unauthorized.rb +10 -0
data/lib/sqreen/util.rb +7 -0
data/lib/sqreen/util/capped_array.rb +35 -0
data/lib/sqreen/util/capped_hash.rb +41 -0
data/lib/sqreen/util/capped_string.rb +26 -0
data/lib/sqreen/util/capper.rb +67 -0
data/lib/sqreen/version.rb +3 -1
data/lib/sqreen/waf_error.rb +20 -0
data/lib/sqreen/weave.rb +12 -0
data/lib/sqreen/weave/hardcoded.rb +19 -0
data/lib/sqreen/weave/instrumentor.rb +48 -0
data/lib/sqreen/weave/legacy.rb +12 -0
data/lib/sqreen/weave/legacy/instrumentation.rb +406 -0
data/lib/sqreen/web_server.rb +2 -0
data/lib/sqreen/web_server/generic.rb +2 -0
data/lib/sqreen/web_server/passenger.rb +2 -0
data/lib/sqreen/web_server/puma.rb +2 -0
data/lib/sqreen/web_server/rainbows.rb +2 -0
data/lib/sqreen/web_server/thin.rb +2 -0
data/lib/sqreen/web_server/unicorn.rb +2 -0
data/lib/sqreen/web_server/webrick.rb +2 -0
data/lib/sqreen/worker.rb +2 -0
metadata +105 -39
data/lib/sqreen/dependency/hook.rb +0 -102
data/lib/sqreen/rules_callbacks.rb +0 -35
data/lib/sqreen/rules_callbacks/inspect_rule.rb +0 -25

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 06bc081efdb3dd498597a1d2a044b3ced504afd9f30d3eaf7924949fadbde242
-  data.tar.gz: 6870982f1abd957f3f676533698d9d0e74aa5b367773622b37e15793982b5287
+  metadata.gz: 5082d08022b3f107ae50c29fb9f0846ca7398bc3544dc5ee0594a5c0a4d74e72
+  data.tar.gz: a7b3e4d7ab8b5c504b9a460e0504eded5acf96a9dfa4dc9655708205540f00bd
 SHA512:
-  metadata.gz: 89323033681f35c0d1e99675d5a26dd439741b35a9a2a299c881e3e2cbc8c61fbaaf520af47e263f9dfcb6ae57c919b32573106bc3761a1c7268a90f2b930d30
-  data.tar.gz: f2fb38415d5729ea35895997c92651fd0ce6a27865622d3d9ece3ca94c0b2dab33647afd1105aa865a03493f5e9bf78cf97c1f6acede67b775c7a8c7966ce7f7
+  metadata.gz: 393969dbf38bf2ea63688500f4c1902454a0489238c00fd1d11bebfa21017b1d320936b4b2e2871e9477aaaaf23690042d594de1f2fdb1518a4bab8c2b283ee4
+  data.tar.gz: ee617d28aa7f4822dc5c0ad9afbc5562c4550a50aa32a4be937787ae3cef3b7e48acdbc278a9fe8a5ee9ee4bb31266075e92b5401e678024faf939115b734c43

data/CHANGELOG.md CHANGED

@@ -1,3 +1,38 @@
+## 1.19.0
+* Upgrade WAF features via libsqreen 0.6.1
+* Improve time defensiveness in WAF
+* Improve compatibility with APM agents via a new optional instrumentation engine
+* Fix action reloading not being entirely cleared on reload
+* Improve handling of hash symbol keys in some security rules
+* Fix constant resolution scope on agent boot
+## 1.18.6
+* Improve default WAF time budget handling logic
+## 1.18.5
+* Fix type mismatch in WAF time budget handling
+* Improve exception handling for non-WAF errors within WAF
+## 1.18.4
+* Fix instrumentation conflict when a class defines a send method
+* Fix compatibility with Sorbet type checker
+* Improve WAF time budget handling
+## 1.18.3
+* Improve PII protection
+* Improve performance on sizeable request payloads
+* Improve handling of Rails without a database
+* Improve compatibility with Rack and Sinatra middlewares
+* Support JSON payloads with rack-contrib PostBodyContentParser
+* Add libsqreen toggle to configuration
+* Prepare for Ruby 2.7 support
+* Include license file in gem
 ## 1.18.2
 * Improve internal WAF error reporting

data/LICENSE ADDED

@@ -0,0 +1,3 @@
+Sqreen for Ruby is free-to-use, proprietary software.
+Please refer to our terms for more information: https://www.sqreen.com/terms.html

data/lib/sqreen.rb CHANGED

@@ -1,3 +1,5 @@
+# typed: ignore
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html

data/lib/sqreen/actions.rb CHANGED

@@ -1,51 +1,28 @@
+# typed: true
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
-require 'ipaddr'
-require 'sqreen/trie'
-require 'sqreen/log'
-require 'sqreen/exception'
-require 'sqreen/sdk'
-require 'sqreen/frameworks'
-require 'singleton'
+require 'sqreen/actions/unknown_action_type'
+require 'sqreen/actions/base'
+require 'sqreen/actions/block_user'
+require 'sqreen/actions/redirect_user'
+require 'sqreen/actions/block_ip'
+require 'sqreen/actions/redirect_ip'
+require 'sqreen/actions/repository'
+require 'sqreen/actions/unknown_action_type'
 module Sqreen
   # Implements actions (behavior taken in response to agent signals)
   module Actions
-    # Exception for when an unknown action type is gotten from the server
-    class UnknownActionType < ::Sqreen::Exception
-      attr_reader :action_type
-      def initialize(action_type)
-        super("no such action type: #{action_type}. Must be one of #{Base.known_types}")
-        @action_type = action_type
-      end
-    end
-    # Where the currently loaded actions are stored. Singleton
-    class Repository
-      include Singleton
-      def add(params, action)
-        action.class.index(params || {}, action)
-      end
-      def get(action_class, key)
-        action_class = Base.get_type_class(action_class) unless action_class.class == Class
-        action_class.actions_matching key
-      end
-      def clear
-        Base.known_subclasses.each(&:clear)
-      end
-    end
     # @return [Sqreen::Actions::Base]
     def self.deserialize_action(hash)
       action_type = hash['action']
       raise 'no action type available' unless action_type
-      subclass = Base.get_type_class(action_type)
-      raise UnknownActionType, action_type unless subclass
+      subclass = Sqreen::Actions::Base.get_type_class(action_type)
+      raise Sqreen::Actions::UnknownActionType, action_type unless subclass
       id = hash['action_id']
       raise 'no action id available' unless id
@@ -63,306 +40,5 @@ module Sqreen
       subclass.new(id, opts, hash['parameters'] || {})
     end
-    # Base class for actions
-    # subclasses must also implement some methods in their singleton classes
-    # (actions_matching, index and clear)
-    class Base
-      attr_reader :id, :expiry, :send_response
-      def initialize(id, opts)
-        @id = id
-        duration = opts[:duration]
-        @expiry = Time.new + duration unless duration.nil?
-        @send_response = if opts[:send_response].nil?
-                           true
-                         else
-                           !!opts[:send_response]
-                         end
-      end
-      # See Sqreen::CB for return values
-      def run(*args)
-        return if expiry && Time.new > expiry
-        ret = do_run *args
-        unless ret.nil? || !@send_response
-          Sqreen.internal_track(event_name,
-                                'properties' => {
-                                  'output' => event_properties(*args),
-                                  'action_id' => id,
-                                })
-        end
-        ret
-      end
-      protected
-      def do_run(*_args)
-        raise ::Sqreen::NotImplementedYet, "do_run not implemented in #{self.class}"
-        # implement in subclasses
-      end
-      def event_properties(*_run_args)
-        raise ::Sqreen::NotImplementedYet, "event_properties not implemented in #{self.class}"
-        # implement in subclasses
-      end
-      private
-      def event_name
-        "sq.action.#{self.class.type_name}"
-      end
-      @@subclasses = {}
-      class << self
-        private :new
-        attr_reader :type_name
-        def get_type_class(name)
-          @@subclasses[name]
-        end
-        def known_subclasses
-          @@subclasses.values
-        end
-        def known_types
-          @@subclasses.keys
-        end
-        # all actions matching, possibly already expired
-        def actions_matching(_key)
-          raise 'implement in singletons of subclasses'
-        end
-        def index(_params, _action)
-          raise 'implement in singletons of subclasses'
-        end
-        def clear
-          raise 'implement in singletons of subclasses'
-        end
-        def inherited(subclass)
-          class << subclass
-            public :new
-          end
-        end
-        protected
-        def type_name=(name)
-          @type_name = name
-          @@subclasses[name] = self
-        end
-      end
-    end
-    module IpRangesIndex
-      def add_prefix(prefix_str, data)
-        @trie_v4 ||= Sqreen::Trie.new
-        @trie_v6 ||= Sqreen::Trie.new(nil, nil, Socket::AF_INET6)
-        prefix = Sqreen::Prefix.from_str(prefix_str, data)
-        trie = prefix.family == Socket::AF_INET6 ? @trie_v6 : @trie_v4
-        trie.insert prefix
-      end
-      def matching_actions(client_ip)
-        parsed_ip = IPAddr.new(client_ip.gsub(/%[^%\/]+/, ''))
-        trie = parsed_ip.family == Socket::AF_INET6 ? @trie_v6 : @trie_v4
-        return [] unless trie
-        found = trie.search_matching(parsed_ip.to_i, parsed_ip.family)
-        return [] unless found.size > 0
-        Sqreen.log.debug("Client ip #{client_ip} matches #{found.inspect}")
-        found.map(&:data)
-      end
-      def clear
-        @trie_v4 = Sqreen::Trie.new
-        @trie_v6 = Sqreen::Trie.new(nil, nil, Socket::AF_INET6)
-      end
-    end
-    module IpRangeIndexedActionClass
-      include IpRangesIndex
-      def actions_matching(client_ip)
-         matching_actions client_ip
-      end
-      def index(params, action)
-        ranges = parse_ip_ranges params
-        ranges.each do |r|
-          add_prefix r, action
-        end
-      end
-      private
-      # returns array of prefixes in string form
-      def parse_ip_ranges(params)
-        ranges = params['ip_cidr']
-        unless ranges && ranges.is_a?(Array) && !ranges.empty?
-          raise 'no non-empty ip_cidr array present'
-        end
-        ranges
-      end
-    end
-    # Block a list of IP address ranges. Standard "raise" behavior.
-    class BlockIp < Base
-      extend IpRangeIndexedActionClass
-      self.type_name = 'block_ip'
-      def initialize(id, opts, params = {})
-        # no need to store the ranges for this action, the index filter the class
-        super(id, opts)
-      end
-      def do_run(client_ip)
-        e = Sqreen::AttackBlocked.new("Blocked client's IP #{client_ip} " \
-          "(action: #{id}). No action is required")
-        { :status => :raise, :exception => e, :skip_rem_cbs => true }
-      end
-      def event_properties(client_ip)
-        { 'ip_address' => client_ip }
-      end
-    end
-    # Block a list of IP address ranges by forcefully redirecting the user
-    # to a specific URL.
-    class RedirectIp < Base
-      extend IpRangeIndexedActionClass
-      self.type_name = 'redirect_ip'
-      attr_reader :redirect_url
-      def initialize(id, opts, params = {})
-        super(id, opts)
-        @redirect_url = params['url']
-        raise "no url provided for action #{id}" unless @redirect_url
-      end
-      def do_run(client_ip)
-        Sqreen.log.info "Will request redirect for client with IP #{client_ip} " \
-          "(action: #{id})."
-        {
-          :status => :skip,
-          :new_return_value => [303, { 'Location' => @redirect_url }, ['']],
-          :skip_rem_cbs => true,
-        }
-      end
-      def event_properties(client_ip)
-        { 'ip_address' => client_ip, 'url' => @redirect_url }
-      end
-    end
-    module UserActionClass
-      def actions_matching(identity_params)
-        return [] unless @idx
-        key = stringify_keys(identity_params)
-        actions = @idx[key]
-        actions || []
-      end
-      def index(params, action)
-        @idx ||= {}
-        users = params['users']
-        raise ::Sqreen::Exception, 'nil "users" param for block_user action' if users.nil?
-        raise ::Sqreen::Exception, '"users" param must be an array' unless users.is_a? Array
-        users.each do |u|
-          @idx[u] ||= []
-          @idx[u] << action
-        end
-      end
-      def clear
-        @idx = {}
-      end
-      private
-      def stringify_keys(hash)
-        Hash[
-          hash.map { |k, v| [k.to_s, v] }
-        ]
-      end
-    end
-    # Blocks a user at the point Sqreen::identify()
-    # or Sqreen::auth_track() are called
-    class BlockUser < Base
-      extend UserActionClass
-      self.type_name = 'block_user'
-      def initialize(id, opts, params = {})
-        super(id, opts)
-      end
-      def do_run(identity_params)
-        Sqreen.log.info(
-          "Will raise due to user being blocked by action #{id}. " \
-          "Blocked user identity: #{identity_params}"
-        )
-        e = Sqreen::AttackBlocked.new(
-          "Blocked user with identity #{identity_params} " \
-          'due to automatic security response. No action is required'
-        )
-        {
-          :status => :raise,
-          :exception => e,
-        }
-      end
-      def event_properties(identity_params)
-        { 'user' => identity_params }
-      end
-    end
-    # Redirects a user at the point Sqreen::identify()
-    # or Sqreen::auth_track() are called
-    class RedirectUser < Base
-      extend UserActionClass
-      self.type_name = 'redirect_user'
-      def initialize(id, opts, params = {})
-        super(id, opts)
-        @redirect_url = params['url']
-        raise "no url provided for action #{id}" unless @redirect_url
-      end
-      def do_run(identity_params)
-        Sqreen.log.info 'Will request redirect for user with identity ' \
-          "#{identity_params} (action: #{id})."
-        e = Sqreen::AttackBlocked.new(
-          "Redirected user with identity #{identity_params} " \
-          'due to automatic security response. No action is required'
-        )
-        e.redirect_url = @redirect_url
-        {
-          :status => :raise,
-          :exception => e,
-        }
-      end
-      def event_properties(identity_params)
-        { 'user' => identity_params }
-      end
-    end
   end
 end

data/lib/sqreen/actions/actions_index.rb ADDED

@@ -0,0 +1,16 @@
+# typed: true
+module Sqreen
+  module Actions
+    # documents the operations an actions index should implement
+    class ActionsIndex
+      # all actions matching, possibly already expired
+      def actions_matching(_key)
+        raise 'implement in subclasses'
+      end
+      def index(_params, _action)
+        raise 'implement in subclasses'
+      end
+    end
+  end
+end