sqreen 1.18.2-java → 1.19.0-java

data/lib/sqreen/actions/base.rb

@@ -0,0 +1,104 @@
+# typed: false
+
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
+# TODO: remove class vars
+
+require 'sqreen/sdk'
+require 'sqreen/exception'
+
+module Sqreen
+  # Implements actions (behavior taken in response to agent signals)
+  module Actions
+    # Base class for actions
+    # subclasses must also implement some methods in their singleton classes
+    # (actions_matching, index and clear)
+    class Base
+      attr_reader :id, :expiry, :send_response
+
+      def initialize(id, opts)
+        @id = id
+        duration = opts[:duration]
+        @expiry = Time.new + duration unless duration.nil?
+        @send_response = if opts[:send_response].nil?
+                           true
+                         else
+                           opts[:send_response] ? true : false
+                         end
+      end
+
+      # See Sqreen::CB for return values
+      def run(*args)
+        return if expiry && Time.new > expiry
+        ret = do_run(*args)
+        unless ret.nil? || !@send_response
+          Sqreen.internal_track(event_name,
+                                'properties' => {
+                                  'output' => event_properties(*args),
+                                  'action_id' => id,
+                                })
+        end
+        ret
+      end
+
+      protected
+
+      def do_run(*_args)
+        raise ::Sqreen::NotImplementedYet, "do_run not implemented in #{self.class}"
+        # implement in subclasses
+      end
+
+      def event_properties(*_run_args)
+        raise ::Sqreen::NotImplementedYet, "event_properties not implemented in #{self.class}"
+        # implement in subclasses
+      end
+
+      private
+
+      def event_name
+        "sq.action.#{self.class.type_name}"
+      end
+
+      @@subclasses = {} # rubocop:disable Style/ClassVars
+      class << self
+        private :new
+
+        attr_reader :type_name
+
+        def get_type_class(name)
+          subclasses[name]
+        end
+
+        def known_subclasses
+          subclasses.values
+        end
+
+        def known_types
+          subclasses.keys
+        end
+
+        def new_index
+          raise 'implement in singletons of subclasses'
+        end
+
+        def inherited(subclass)
+          class << subclass
+            public :new
+          end
+        end
+
+        protected
+
+        def subclasses
+          @@subclasses
+        end
+
+        def type_name=(name)
+          @type_name = name
+          subclasses[name] = self
+        end
+      end
+    end
+  end
+end

data/lib/sqreen/actions/block_ip.rb

@@ -0,0 +1,34 @@
+# typed: true
+
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
+require 'sqreen/exception'
+require 'sqreen/actions/base'
+require 'sqreen/actions/ip_range_indexed_action_class'
+
+module Sqreen
+  module Actions
+    # Block a list of IP address ranges. Standard "raise" behavior.
+    class BlockIp < Base
+      extend IpRangeIndexedActionClass
+
+      self.type_name = 'block_ip'
+
+      def initialize(id, opts, _params = {})
+        # no need to store the ranges for this action, the index filter the class
+        super(id, opts)
+      end
+
+      def do_run(client_ip)
+        e = Sqreen::AttackBlocked.new("Blocked client's IP #{client_ip} " \
+          "(action: #{id}). No action is required")
+        { :status => :raise, :exception => e, :skip_rem_cbs => true }
+      end
+
+      def event_properties(client_ip)
+        { 'ip_address' => client_ip }
+      end
+    end
+  end
+end

data/lib/sqreen/actions/block_user.rb

@@ -0,0 +1,46 @@
+# typed: true
+
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
+require 'sqreen/log'
+require 'sqreen/exception'
+require 'sqreen/actions/base'
+require 'sqreen/actions/user_action_class'
+
+module Sqreen
+  module Actions
+    # Blocks a user at the point Sqreen::identify()
+    # or Sqreen::auth_track() are called
+    class BlockUser < Base
+      extend UserActionClass
+
+      self.type_name = 'block_user'
+
+      def initialize(id, opts, _params = {})
+        super(id, opts)
+      end
+
+      def do_run(identity_params)
+        Sqreen.log.info(
+          "Will raise due to user being blocked by action #{id}. " \
+          "Blocked user identity: #{identity_params}"
+        )
+
+        e = Sqreen::AttackBlocked.new(
+          "Blocked user with identity #{identity_params} " \
+          'due to automatic security response. No action is required'
+        )
+
+        {
+          :status => :raise,
+          :exception => e,
+        }
+      end
+
+      def event_properties(identity_params)
+        { 'user' => identity_params }
+      end
+    end
+  end
+end

data/lib/sqreen/actions/ip_range_indexed_action_class.rb

@@ -0,0 +1,16 @@
+# typed: true
+
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
+require 'sqreen/actions/ip_ranges_index'
+
+module Sqreen
+  module Actions
+    module IpRangeIndexedActionClass
+      def new_index
+        IpRangesIndex.new
+      end
+    end
+  end
+end

data/lib/sqreen/actions/ip_ranges_index.rb

@@ -0,0 +1,57 @@
+# typed: true
+
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
+require 'ipaddr'
+require 'sqreen/actions/actions_index'
+require 'sqreen/trie'
+require 'sqreen/prefix'
+
+module Sqreen
+  module Actions
+    class IpRangesIndex < ActionsIndex
+      def initialize
+        @trie_v4 = Sqreen::Trie.new
+        @trie_v6 = Sqreen::Trie.new(nil, nil, Socket::AF_INET6)
+      end
+
+      def index(params, action)
+        ranges = parse_ip_ranges params
+
+        ranges.each do |r|
+          add_prefix r, action
+        end
+      end
+
+      def actions_matching(client_ip)
+        parsed_ip = IPAddr.new(client_ip.gsub(/%[^%\/]+/, ''))
+        trie = parsed_ip.family == Socket::AF_INET6 ? @trie_v6 : @trie_v4
+        return [] unless trie
+        found = trie.search_matching(parsed_ip.to_i, parsed_ip.family)
+        return [] unless found.size > 0
+
+        Sqreen.log.debug("Client ip #{client_ip} matches #{found.inspect}")
+        found.map(&:data)
+      end
+
+      private
+
+      # returns array of prefixes in string form
+      def parse_ip_ranges(params)
+        ranges = params['ip_cidr']
+        unless ranges && ranges.is_a?(Array) && !ranges.empty?
+          raise 'no non-empty ip_cidr array present'
+        end
+
+        ranges
+      end
+
+      def add_prefix(prefix_str, data)
+        prefix = Sqreen::Prefix.from_str(prefix_str, data)
+        trie = prefix.family == Socket::AF_INET6 ? @trie_v6 : @trie_v4
+        trie.insert prefix
+      end
+    end
+  end
+end

data/lib/sqreen/actions/redirect_ip.rb

@@ -0,0 +1,42 @@
+# typed: true
+
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
+require 'sqreen/log'
+require 'sqreen/exception'
+require 'sqreen/actions/base'
+
+module Sqreen
+  module Actions
+    # Block a list of IP address ranges by forcefully redirecting the user
+    # to a specific URL.
+    class RedirectIp < Base
+      extend IpRangeIndexedActionClass
+
+      self.type_name = 'redirect_ip'
+
+      attr_reader :redirect_url
+
+      def initialize(id, opts, params = {})
+        super(id, opts)
+        @redirect_url = params['url']
+        raise "no url provided for action #{id}" unless @redirect_url
+      end
+
+      def do_run(client_ip)
+        Sqreen.log.info "Will request redirect for client with IP #{client_ip} " \
+          "(action: #{id})."
+        {
+          :status => :skip,
+          :new_return_value => [303, { 'Location' => @redirect_url }, ['']],
+          :skip_rem_cbs => true,
+        }
+      end
+
+      def event_properties(client_ip)
+        { 'ip_address' => client_ip, 'url' => @redirect_url }
+      end
+    end
+  end
+end

data/lib/sqreen/actions/redirect_user.rb

@@ -0,0 +1,47 @@
+# typed: true
+
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
+require 'sqreen/log'
+require 'sqreen/exception'
+require 'sqreen/actions/base'
+require 'sqreen/actions/user_action_class'
+
+module Sqreen
+  module Actions
+    # Redirects a user at the point Sqreen::identify()
+    # or Sqreen::auth_track() are called
+    class RedirectUser < Base
+      extend UserActionClass
+
+      self.type_name = 'redirect_user'
+
+      def initialize(id, opts, params = {})
+        super(id, opts)
+        @redirect_url = params['url']
+        raise "no url provided for action #{id}" unless @redirect_url
+      end
+
+      def do_run(identity_params)
+        Sqreen.log.info 'Will request redirect for user with identity ' \
+          "#{identity_params} (action: #{id})."
+
+        e = Sqreen::AttackBlocked.new(
+          "Redirected user with identity #{identity_params} " \
+          'due to automatic security response. No action is required'
+        )
+        e.redirect_url = @redirect_url
+
+        {
+          :status => :raise,
+          :exception => e,
+        }
+      end
+
+      def event_properties(identity_params)
+        { 'user' => identity_params }
+      end
+    end
+  end
+end

data/lib/sqreen/actions/repository.rb

@@ -0,0 +1,43 @@
+# typed: true
+
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
+module Sqreen
+  module Actions
+    # Where the actions are stored
+    # The current ones are stored in Repository.current
+    class Repository
+      def initialize
+        @indexes = Hash[Base.known_subclasses.map do |clazz|
+          [clazz.type_name, clazz.new_index]
+        end]
+      end
+
+      def add(params, action)
+        @indexes[action.class.type_name].index(params || {}, action)
+      end
+
+      # type is either a class or a type name
+      def get(type, key)
+        type = type.type_name if type.class == Class
+        @indexes[type].actions_matching key
+      end
+
+      singleton_class.class_eval do
+        attr_reader :current
+        def current=(new_inst)
+          raise 'nil is unacceptable' if new_inst.nil?
+          @current = new_inst
+        end
+
+        def clear
+          self.current = Repository.new
+        end
+      end
+
+      # initialize current to empty repository
+      clear
+    end
+  end
+end

data/lib/sqreen/actions/unknown_action_type.rb

@@ -0,0 +1,20 @@
+# typed: true
+
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
+require 'sqreen/exception'
+
+module Sqreen
+  # Implements actions (behavior taken in response to agent signals)
+  module Actions
+    # Exception for when an unknown action type is gotten from the server
+    class UnknownActionType < ::Sqreen::Exception
+      attr_reader :action_type
+      def initialize(action_type)
+        super("no such action type: #{action_type}. Must be one of #{Base.known_types}")
+        @action_type = action_type
+      end
+    end
+  end
+end

data/lib/sqreen/actions/user_action_class.rb

@@ -0,0 +1,16 @@
+# typed: true
+
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
+require 'sqreen/actions/users_index'
+
+module Sqreen
+  module Actions
+    module UserActionClass
+      def new_index
+        UsersIndex.new
+      end
+    end
+  end
+end

data/lib/sqreen/actions/users_index.rb

@@ -0,0 +1,35 @@
+# typed: true
+require 'sqreen/actions/actions_index'
+
+module Sqreen
+  module Actions
+    class UsersIndex < ActionsIndex
+      def actions_matching(identity_params)
+        return [] unless @idx
+        key = stringify_keys(identity_params)
+        actions = @idx[key]
+        actions || []
+      end
+
+      def index(params, action)
+        @idx ||= {}
+        users = params['users']
+        raise ::Sqreen::Exception, 'nil "users" param for block_user action' if users.nil?
+        raise ::Sqreen::Exception, '"users" param must be an array' unless users.is_a? Array
+
+        users.each do |u|
+          @idx[u] ||= []
+          @idx[u] << action
+        end
+      end
+
+      private
+
+      def stringify_keys(hash)
+        Hash[
+          hash.map { |k, v| [k.to_s, v] }
+        ]
+      end
+    end
+  end
+end