wafris 1.1.10 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 031d8144c5556cf40a2325f2299edfadbe4e9f1528d8150df8d87548b47ace09
-  data.tar.gz: baa7327a7cd765ccd5ebe098490e108f1e04d4ca66a57c6c19eead5a9ba4ff84
+  metadata.gz: f0dfe47e533d91f974d391af755f1bd8e148808cbfe86dd6755b839201282b47
+  data.tar.gz: bd7135922d96fa7789cc65dbd47635c4b1e84a4e7b27a6b4dde5a1a00cc15ac8
 SHA512:
-  metadata.gz: 8ea901efba9cb37e0756ffdb94c2f35d18927b78874da49dbb5c52d1cd06a5f152ecfac867fcd5232ae823e3809e24e6c7f7f8f1174c233cd16bb9c56d93a20f
-  data.tar.gz: 2f38a25d6cd4a16be22bd422e47fbb8cda1d1553794daf7da2fa5190d70f3ef4a04f5e5a382b66c36741ada88562d9cdbed697821b97aaa2fa5d1646c61ea72e
+  metadata.gz: 0c1e66690ca97e6f9a9349f1960f92f5376175660bebc9a172eabe849af6806d4c5f278f1765a22b36ce75797a757bf9cb3719a58446aaa5fa8fe0356c348cf0
+  data.tar.gz: 35a3e86f1f3c63ec38c3d67adbfb952fa89a062dad78450bfd365f45c1a1607f689e104e2c7ef6faac3a00461e07022d041e5d2f667396ad81baa3af30be8acf

data/lib/wafris/configuration.rb

@@ -1,56 +1,140 @@
-# frozen_string_literal: true
 
 require_relative 'version'
 
 module Wafris
   class Configuration
-    attr_accessor :redis
-    attr_accessor :redis_pool_size
-    attr_accessor :maxmemory
-    attr_accessor :quiet_mode
+
+    attr_accessor :api_key
+    attr_accessor :db_file_path
+    attr_accessor :db_file_name
+    attr_accessor :downsync_custom_rules_interval
+    attr_accessor :downsync_data_subscriptions_interval
+    attr_accessor :downsync_url
+    attr_accessor :upsync_url
+    attr_accessor :upsync_interval
+    attr_accessor :upsync_queue_limit
+    attr_accessor :upsync_status
+    attr_accessor :upsync_queue
+    attr_accessor :local_only
+    attr_accessor :last_upsync_timestamp
+    attr_accessor :max_body_size_mb
+    attr_accessor :rate_limiters
 
     def initialize
-      @redis_pool_size = 20
-      @maxmemory = 25
-      @quiet_mode = false
-    end
 
-    def connection_pool
-      @connection_pool ||=
-        ConnectionPool.new(size: redis_pool_size) { redis }
-    end
+      # API Key - Required
+      if ENV['WAFRIS_API_KEY']
+        @api_key = ENV['WAFRIS_API_KEY']        
+      else
+        unless @api_key         
+          LogSuppressor.puts_log("Firewall disabled as neither local only or API key set")        
+        end
+      end
 
-    def create_settings
-      redis.hset('waf-settings',
-                 'version', Wafris::VERSION,
-                 'client', 'ruby',
-                 'maxmemory', @maxmemory)
-      LogSuppressor.puts_log(
-        "[Wafris] firewall enabled. Connected to Redis on #{redis.connection[:host]}. Ready to process requests. Set rules at: https://wafris.org/hub"
-      ) unless @quiet_mode
-    end
+      # DB FILE PATH LOCATION - Optional
+      if ENV['WAFRIS_DB_FILE_PATH']
+        @db_file_path = ENV['WAFRIS_DB_FILE_PATH']      
+      else
+        #@db_file_path = Rails.root.join('tmp', 'wafris').to_s
+        @db_file_path = './tmp/wafris'
+      end
 
-    def core_sha
-      @core_sha ||= redis.script(:load, wafris_core)
-    end
+      # Ensure that the db_file_path exists
+      unless File.directory?(@db_file_path)
+        LogSuppressor.puts_log("DB File Path does not exist - creating it now.")
+        FileUtils.mkdir_p(@db_file_path) unless File.exist?(@db_file_path)
+      end
+
+      # DB FILE NAME - For local
+      if ENV['WAFRIS_DB_FILE_NAME']
+        @db_file_name = ENV['WAFRIS_DB_FILE_NAME']
+      else
+        @db_file_name = 'wafris.db'
+      end
+  
+      # DOWNSYNC
+      # Custom Rules are checked often (default 1 minute) - Optional
+      if ENV['WAFRIS_DOWNSYNC_CUSTOM_RULES_INTERVAL']
+        @downsync_custom_rules_interval = ENV['WAFRIS_DOWNSYNC_CUSTOM_RULES_INTERVAL'].to_i
+      else
+        @downsync_custom_rules_interval = 60
+      end
+  
+      # Data Subscriptions are checked rarely (default 1 day) - Optional
+      if ENV['WAFRIS_DOWNSYNC_DATA_SUBSCRIPTIONS_INTERVAL'] 
+        @downsync_data_subscriptions_interval = ENV['WAFRIS_DOWNSYNC_DATA_SUBSCRIPTIONS_INTERVAL'].to_i
+      else
+        @downsync_data_subscriptions_interval = 60
+      end
+  
+      # Set Downsync URL - Optional
+      # Used for both DataSubscription and CustomRules
+      if ENV['WAFRIS_DOWNSYNC_URL']
+        @downsync_url = ENV['WAFRIS_DOWNSYNC_URL']
+      else
+        @downsync_url = 'https://distributor.wafris.org/v2/downsync'
+      end
+      
+      # UPSYNC - Optional
+      # Set Upsync URL
+      if ENV['WAFRIS_UPSYNC_URL']
+        @upsync_url = ENV['WAFRIS_UPSYNC_URL']
+      else
+        @upsync_url = 'https://collector.wafris.org/v2/upsync' 
+      end
+  
+      # Set Upsync Interval - Optional
+      if ENV['WAFRIS_UPSYNC_INTERVAL']
+        @upsync_interval = ENV['WAFRIS_UPSYNC_INTERVAL'].to_i
+      else
+        @upsync_interval = 10
+      end
+    
+      # Set Upsync Queued Request Limit - Optional
+      if ENV['WAFRIS_UPSYNC_QUEUE_LIMIT']
+        @upsync_queue_limit = ENV['WAFRIS_UPSYNC_QUEUE_LIMIT'].to_i
+      else
+        @upsync_queue_limit = 250
+      end
+  
+      # Set Maximium Body Size for Requests - Optional (in Megabytes)
+      if ENV['WAFRIS_MAX_BODY_SIZE_MB'] && ENV['WAFRIS_MAX_BODY_SIZE_MB'].to_i > 0  
+        @max_body_size_mb = ENV['WAFRIS_MAX_BODY_SIZE_MB'].to_i
+      else
+        @max_body_size_mb = 10
+      end
 
-    def wafris_core
-      read_lua_dist("wafris_core")
+      # Upsync Queue Defaults
+      @upsync_queue = []
+      @last_upsync_timestamp = Time.now.to_i
+  
+      # Memory structure for rate limiting
+      @rate_limiters = {}
+  
+      # Disable Upsync if Downsync API Key is invalid
+      # This prevents the client from sending upsync requests
+      # if the API key is known bad
+      @upsync_status = 'Disabled'
+
+      return true
+  
     end
 
-    private
+    def current_config
+
+      output = {}
+
+      instance_variables.each do |var|
+        output[var.to_s] = instance_variable_get(var)
+      end
+
+      return output
 
-    def read_lua_dist(filename)
-      File.read(
-        file_path(filename)
-      )
     end
 
-    def file_path(filename)
-      File.join(
-        File.dirname(__FILE__),
-        "../lua/dist/#{filename}.lua"
-      )
+    def create_settings
+      @version = Wafris::VERSION
     end
+
   end
 end

data/lib/wafris/log_suppressor.rb

@@ -3,11 +3,12 @@
 module Wafris
   class LogSuppressor
     def self.puts_log(message)
-      puts(message) unless suppress_logs?
+      puts("[Wafris] " + message) unless suppress_logs?
     end
 
     def self.suppress_logs?
-      suppressed_environments.include?(current_environment)
+      suppressed_environments.include?(current_environment) || 
+      (ENV['WAFRIS_LOG_LEVEL'] && ENV['WAFRIS_LOG_LEVEL'] == 'silent')
     end
 
     def self.suppressed_environments

data/lib/wafris/middleware.rb

@@ -1,12 +1,15 @@
 # frozen_string_literal: true
 
+
 module Wafris
   class Middleware
     def initialize(app)
       @app = app
     end
 
+    
     def call(env)
+
       user_defined_proxies = ENV['TRUSTED_PROXY_RANGES'].split(',') if ENV['TRUSTED_PROXY_RANGES']
 
       valid_ipv4_octet = /\.(25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])/
@@ -25,25 +28,53 @@ module Wafris
       Rack::Request.ip_filter = lambda { |ip| trusted_proxies.match?(ip) }
 
       request = Rack::Request.new(env)
+      # Forcing UTF-8 encoding on all strings for Sqlite3 compatibility
+
+      # List of possible IP headers in order of priority
+      ip_headers = [
+        'HTTP_X_REAL_IP', 
+        'HTTP_X_TRUE_CLIENT_IP', 
+        'HTTP_FLY_CLIENT_IP', 
+        'HTTP_CF_CONNECTING_IP'
+      ]
+
+      # Find the first header that is present in the environment
+      ip_header = ip_headers.find { |header| env[header] }
+
+      # Use the found header or fallback to remote_ip if none of the headers are present
+      ip = (ip_header ? env[ip_header] : request.ip).force_encoding('UTF-8')
+
+      user_agent = request.user_agent ? request.user_agent.force_encoding('UTF-8') : nil
+      path = request.path.force_encoding('UTF-8')    
+      parameters = Rack::Utils.build_query(request.params).force_encoding('UTF-8')
+      host = request.host.to_s.force_encoding('UTF-8')      
+      request_method = String.new(request.request_method).force_encoding('UTF-8')
+
+      # Submitted for evaluation
+      headers = env.each_with_object({}) { |(k, v), h| h[k] = v.force_encoding('UTF-8') if k.start_with?('HTTP_') }
+      body = request.body.read
+
+      request_id = env.fetch('action_dispatch.request_id', SecureRandom.uuid.to_s)
+      request_timestamp = Time.now.utc.to_i
 
-      if Wafris.allow_request?(request)
-        @app.call(env)
+      treatment = Wafris.evaluate(ip, user_agent, path, parameters, host, request_method, headers, body, request_id, request_timestamp)
+
+      # These values match what the client tests expect (200, 404, 403, 500
+      if treatment == 'Allowed' || treatment == 'Passed'
+        @app.call(env)        
+      elsif treatment == 'Blocked'
+        [403, { 'content-type' => 'text/plain' }, ['Blocked']]
       else
-        LogSuppressor.puts_log(
-          "[Wafris] Blocked: #{request.ip} #{request.request_method} #{request.host} #{request.url}}"
-        )
-        [403, {}, ['Blocked']]
+        #ap request 
+        [500, { 'content-type' => 'text/plain' }, ['Error']]
       end
-    rescue Redis::TimeoutError
-      LogSuppressor.puts_log(
-        "[Wafris] Wafris timed out during processing. Request passed without rules check."
-      )
-      @app.call(env)
+
     rescue StandardError => e
-      LogSuppressor.puts_log(
-        "[Wafris] Redis connection error: #{e.message}. Request passed without rules check."
-      )
+
+      LogSuppressor.puts_log "[Wafris] Detailed Error: #{e.class} - #{e.message}"
+      LogSuppressor.puts_log "[Wafris] Backtrace: #{e.backtrace.join("\n")}"
       @app.call(env)
+
     end
   end
 end

data/lib/wafris/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Wafris
-  VERSION = "1.1.10"
+  VERSION = "2.0.0"
 end

data/lib/wafris.rb

@@ -1,61 +1,605 @@
 # frozen_string_literal: true
 
-require 'connection_pool'
+
 require 'rails'
-require 'redis'
+require 'sqlite3'
+require 'ipaddr'
+require 'httparty'
+require 'awesome_print'
 
 require 'wafris/configuration'
 require 'wafris/middleware'
 require 'wafris/log_suppressor'
 
 require 'wafris/railtie' if defined?(Rails::Railtie)
+ActiveSupport::Deprecation.behavior = :silence
 
 module Wafris
   class << self
     attr_accessor :configuration
 
     def configure
-      raise ArgumentError unless block_given?
-
-      self.configuration ||= Wafris::Configuration.new
-      yield(configuration)
-      LogSuppressor.puts_log(
-        "[Wafris] attempting firewall connection via Wafris.configure initializer."
-      ) unless configuration.quiet_mode
-      configuration.create_settings
-    rescue ArgumentError
-      LogSuppressor.puts_log(
-        "[Wafris] block is required to configure Wafris. More info can be found at: https://github.com/Wafris/wafris-rb"
-      )
-    rescue StandardError => e
-      LogSuppressor.puts_log(
-        "[Wafris] firewall disabled due to: #{e.message}. Cannot connect via Wafris.configure. Please check your configuration settings. More info can be found at: https://github.com/Wafris/wafris-rb"
-      )
-    end
-
-    def allow_request?(request)
-      configuration.connection_pool.with do |conn|
-        time = Time.now.utc.to_i * 1000
-        status = conn.evalsha(
-          configuration.core_sha,
-          argv: [
-            request.ip,
-            IPAddr.new(request.ip).to_i,
-            time,
-            request.user_agent,
-            request.path,
-            request.query_string,
-            request.host,
-            request.request_method
-          ]
-        )
+      begin
+        self.configuration ||= Wafris::Configuration.new      
+        yield(configuration)
+        
+        LogSuppressor.puts_log("[Wafris] Configuration settings created.")
+        configuration.create_settings
+
+      rescue StandardError => e
+        puts "[Wafris] firewall disabled due to: #{e.message}. Cannot connect via Wafris.configure. Please check your configuration settings. More info can be found at: https://github.com/Wafris/wafris-rb"
+      end 
 
-        if status.eql? 'Blocked'
+    end
+
+    def zero_pad(number, length)
+      number.to_s.rjust(length, "0")
+    end
+  
+    def ip_to_decimal_lexical_string(ip)
+      num = 0
+  
+      if ip.include?(":")
+        ip = IPAddr.new(ip).to_string
+        hex = ip.delete(":")
+        (0...hex.length).step(4) do |i|
+          chunk = hex[i, 4].to_i(16)
+          num = num * (2**16) + chunk
+        end
+      elsif ip.include?(".")
+        ip.split(".").each do |chunk|
+          num = num * 256 + chunk.to_i
+        end
+      end
+  
+      str = num.to_s
+      zero_pad(str, 39)
+    end
+  
+    def ip_in_cidr_range(ip_address, table_name, db_connection)
+      lexical_address = ip_to_decimal_lexical_string(ip_address)
+      higher_value = db_connection.get_first_value("SELECT * FROM #{table_name} WHERE member > ? ORDER BY member ASC", [lexical_address])
+      lower_value = db_connection.get_first_value("SELECT * FROM #{table_name} WHERE member < ? ORDER BY member DESC", [lexical_address])
+  
+      if higher_value.nil? || lower_value.nil?
+        return nil
+      else 
+        higher_compare = higher_value.split("-").last
+        lower_compare = lower_value.split("-").last
+    
+        if higher_compare == lower_compare
+          return lower_compare
+        else
+          return nil
+        end
+      end
+    end
+  
+    def get_country_code(ip, db_connection)
+      country_code = ip_in_cidr_range(ip, 'country_ip_ranges', db_connection)
+  
+      if country_code
+        country_code = country_code.split("_").first.split("G").last
+        return country_code
+      else 
+        return "ZZ"
+      end 
+    end
+  
+    def substring_match(request_property, table_name, db_connection)
+      result = db_connection.execute("SELECT entries FROM #{table_name}")
+      result.flatten.each do |entry|
+        if request_property.include?(entry)
+          return entry
+        end
+      end
+      return false
+    end
+  
+    def exact_match(request_property, table_name, db_connection)
+      result = db_connection.execute("SELECT entries FROM #{table_name} WHERE entries = ?", [request_property])
+      return result.any?
+    end
+  
+    def check_rate_limit(ip, path, method, db_connection)
+  
+      # Correctly format the SQL query with placeholders
+      limiters = db_connection.execute("SELECT * FROM blocked_rate_limits WHERE path = ? AND method = ?", [path, method])
+    
+      # If no rate limiters are matched
+      if limiters.empty?        
+        return false
+      end 
+  
+      current_timestamp = Time.now.to_i
+  
+      # If any rate limiters are matched
+      # This implementation will block the request on any of the rate limiters
+      limiters.each do |limiter|
+  
+        # Limiter array mapping
+        # 0: id
+        # 1: path
+        # 2: method
+        # 3: interval
+        # 4: max_count
+        # 5: rule_id
+  
+        interval = limiter[3]
+        max_count = limiter[4]      
+        rule_id = limiter[5]
+  
+        # Expire old timestamps
+        @configuration.rate_limiters.each do |ip, timestamps|
+          # Removes timestamps older than the interval
+  
+          @configuration.rate_limiters[ip] = timestamps.select { |timestamp| timestamp > current_timestamp - interval }
+          
+          # Remove the IP if there are no more timestamps for the IP
+          @configuration.rate_limiters.delete(ip) if @configuration.rate_limiters[ip].empty?
+        end
+  
+        # Check if the IP+Method is rate limited 
+  
+        if @configuration.rate_limiters[ip] && @configuration.rate_limiters[ip].length >= max_count
+          # Request is rate limited
+  
+          
+          return rule_id
+  
+        else
+          # Request is not rate limited, so add the current timestamp
+          if @configuration.rate_limiters[ip]
+            @configuration.rate_limiters[ip] << current_timestamp              
+          else 
+            @configuration.rate_limiters[ip] = [current_timestamp]
+          end
+  
           return false
+        end
+  
+      end
+  
+    end
+  
+    def send_upsync_requests(requests_array)
+  
+      begin
+        
+        headers = {'Content-Type' => 'application/json'}
+
+        if Rails && Rails.application
+          framework = "Rails v#{Rails::VERSION::STRING}"
+        else
+          framework = "Rack v#{Rack::VERSION::STRING}"
+        end
+
+        body = {
+          meta: {
+            version: Wafris::VERSION,
+            client: 'wafris-rb',
+            framework: framework
+          },
+          batch: requests_array
+        }.to_json
+
+        url_and_api_key = @configuration.upsync_url + '/' + @configuration.api_key
+
+        response = HTTParty.post(url_and_api_key, 
+                                 :body => body, 
+                                 :headers => headers, 
+                                 :timeout => 300)
+
+        if response.code == 200          
+          @configuration.upsync_status = 'Complete'
+        else
+          LogSuppressor.puts_log("Upsync Error. HTTP Response: #{response.code}")          
+        end    
+      rescue HTTParty::Error => e
+        LogSuppressor.puts_log("Upsync Error. Failed to send upsync requests: #{e.message}")
+      end
+      return true
+    end
+  
+    # This method is used to queue upsync requests. It takes in several parameters including 
+    # ip, user_agent, path, parameters, host, method, treatment, category, and rule. 
+    #
+    # The 'treatment' parameter represents the action taken on the request, which can be 
+    # 'Allowed', 'Blocked', or 'Passed'.
+    #
+    # The 'category' parameter represents the category of the rule that was matched, such as 
+    # 'blocked_ip', 'allowed_cidr', etc.
+    #
+    # The 'rule' parameter represents the specific rule that was matched within the category 
+    # ex: '192.23.5.4', 'SemRush', etc.
+    def queue_upsync_request(ip, user_agent, path, parameters, host, method, treatment, category, rule, request_id, request_timestamp)
+      
+      if @configuration.upsync_status != 'Disabled' || @configuration.upsync_status != 'Uploading'
+        @configuration.upsync_status = 'Uploading'
+
+        # Add request to the queue
+        request = [ip, user_agent, path, parameters, host, method, treatment, category, rule, request_id, request_timestamp]
+        @configuration.upsync_queue << request
+  
+        # If the queue is full, send the requests to the upsync server
+        if @configuration.upsync_queue.length >= @configuration.upsync_queue_limit || (Time.now.to_i - @configuration.last_upsync_timestamp) >= @configuration.upsync_interval
+          requests_array = @configuration.upsync_queue
+          @configuration.upsync_queue = []
+          @configuration.last_upsync_timestamp = Time.now.to_i
+          
+          send_upsync_requests(requests_array)
+        end
+  
+        @configuration.upsync_status = 'Enabled'
+        # Return the treatment - used to return 403 or 200
+
+        message = "Request #{treatment}"
+        message += " | Category: #{category}" unless category.blank?
+        message += " | Rule: #{rule}" unless rule.blank?
+        LogSuppressor.puts_log(message)
+
+        return treatment
+      else
+        @configuration.upsync_status = 'Enabled'        
+        return "Passed"
+      end
+  
+    end
+  
+    # Pulls the latest rules from the server
+    def downsync_db(db_rule_category, current_filename = nil)
+  
+      lockfile_path = "#{@configuration.db_file_path}/#{db_rule_category}.lockfile"
+  
+      # Ensure the directory exists before attempting to open the lockfile
+      FileUtils.mkdir_p(@configuration.db_file_path) unless Dir.exist?(@configuration.db_file_path)
+
+      # Attempt to create a lockfile with exclusive access; skip if it exists
+      begin
+        lockfile = File.open(lockfile_path, File::RDWR|File::CREAT|File::EXCL)
+      rescue Errno::EEXIST
+        LogSuppressor.puts_log("[Wafris][Downsync] Lockfile already exists, skipping downsync.")
+        return
+      rescue Exception => e
+        LogSuppressor.puts_log("[Wafris][Downsync] Error creating lockfile: #{e.message}")
+      end
+  
+      begin
+        # Actual Downsync operations
+        filename = ""
+  
+        if Rails && Rails.application
+          framework = "Rails v#{Rails::VERSION::STRING}"
         else
-          return true
+          framework = "Rack v#{Rack::VERSION::STRING}"
         end
+
+        data = {
+          client_db: current_filename,
+          process_id: Process.pid,
+          hostname: Socket.gethostname,
+          version: Wafris::VERSION,
+          client: 'wafris-rb',
+          framework: framework
+        }
+
+        # Check server for new rules including process id
+        #puts "Downloading from #{@configuration.downsync_url}/#{db_rule_category}/#{@configuration.api_key}?current_version=#{current_filename}&process_id=#{Process.pid}"
+        uri = "#{@configuration.downsync_url}/#{db_rule_category}/#{@configuration.api_key}?#{data.to_query}"
+    
+        response = HTTParty.get(
+          uri,
+          follow_redirects: true,   # Enable following redirects
+          max_redirects: 2          # Maximum number of redirects to follow
+        )
+  
+        # TODO: What to do if timeout
+        # TODO: What to do if error        
+
+        if response.code == 401
+          @configuration.upsync_status = 'Disabled'
+          LogSuppressor.puts_log("[Wafris][Downsync] Unauthorized: Bad or missing API key")
+          LogSuppressor.puts_log("[Wafris][Downsync] API Key: #{@configuration.api_key}")
+          filename = current_filename
+          
+        elsif response.code == 304
+          @configuration.upsync_status = 'Enabled'
+          LogSuppressor.puts_log("[Wafris][Downsync] No new rules to download")
+    
+          filename = current_filename
+          
+        elsif response.code == 200
+          @configuration.upsync_status = 'Enabled'
+  
+          if current_filename
+            old_file_name = current_filename
+          end
+    
+          # Extract the filename from the response        
+          content_disposition = response.headers['content-disposition']          
+          filename = content_disposition.split('filename=')[1].strip
+    
+          # Save the body of the response to a new SQLite file      
+          File.open(@configuration.db_file_path + "/" + filename, 'wb') { |file| file.write(response.body) }
+          
+          # Write the filename into the db_category.modfile
+          File.open("#{@configuration.db_file_path}/#{db_rule_category}.modfile", 'w') { |file| file.write(filename) }
+    
+          # Sanity check that the downloaded db file has tables
+          # not empty or corrupted
+          db = SQLite3::Database.new @configuration.db_file_path + "/" + filename          
+          if db.execute("SELECT name FROM sqlite_master WHERE type='table';").any?
+              # Remove the old database file      
+              if old_file_name                 
+                if File.exist?(@configuration.db_file_path + "/" + old_file_name)
+                File.delete(@configuration.db_file_path + "/" + old_file_name) 
+                end
+              end
+
+          # DB file is bad or empty so keep using whatever we have now
+          else
+            filename = old_file_name
+            LogSuppressor.puts_log("[Wafris][Downsync] DB Error - No tables exist in the db file #{@configuration.db_file_path}/#{filename}")
+          end
+
+          
+        end
+    
+      rescue Exception => e
+        LogSuppressor.puts_log("[Wafris][Downsync] Error downloading rules: #{e.message}")
+  
+      # This gets set even if the API key is bad or other issues
+      # to prevent hammering the distribution server on every request
+      ensure
+    
+        # Reset the modified time of the modfile
+        unless File.exist?("#{@configuration.db_file_path}/#{db_rule_category}.modfile")
+          File.new("#{@configuration.db_file_path}/#{db_rule_category}.modfile", 'w')
+        end
+  
+        # Set the modified time of the modfile to the current time
+        File.utime(Time.now, Time.now, "#{@configuration.db_file_path}/#{db_rule_category}.modfile")
+    
+        # Ensure the lockfile is removed after operations
+        lockfile.close
+        File.delete(lockfile_path)
+      end
+  
+      return filename
+  
+    end
+  
+    # Returns the current database file, 
+    # if the file is older than the interval, it will download the latest db
+    # if the file doesn't exist, it will download the latest db
+    # if the lockfile exists, it will return the current db
+    def current_db(db_rule_category)
+        
+      if db_rule_category == 'custom_rules'
+        interval = @configuration.downsync_custom_rules_interval
+      else 
+        interval = @configuration.downsync_data_subscriptions_interval
+      end 
+  
+      # Checks for existing current modfile, which contains the current db filename
+      if File.exist?("#{@configuration.db_file_path}/#{db_rule_category}.modfile")
+  
+        LogSuppressor.puts_log("[Wafris][Downsync] Modfile exists, skipping downsync")
+
+        # Get last Modified Time and current database file name
+        last_db_synctime = File.mtime("#{@configuration.db_file_path}/#{db_rule_category}.modfile").to_i
+        returned_db = File.read("#{@configuration.db_file_path}/#{db_rule_category}.modfile").strip
+  
+        LogSuppressor.puts_log("[Wafris][Downsync] Modfile Last Modified Time: #{last_db_synctime}")
+        LogSuppressor.puts_log("[Wafris][Downsync] DB in Modfile: #{returned_db}")        
+
+        # Check if the db file is older than the interval      
+        if (Time.now.to_i - last_db_synctime) > interval
+  
+          LogSuppressor.puts_log("[Wafris][Downsync] DB is older than the interval")
+
+          # Make sure that another process isn't already downloading the rules
+          if !File.exist?("#{@configuration.db_file_path}/#{db_rule_category}.lockfile")
+            returned_db = downsync_db(db_rule_category, returned_db)        
+          end
+  
+          return returned_db
+  
+        # Current db is up to date
+        else 
+  
+          LogSuppressor.puts_log("[Wafris][Downsync] DB is up to date")
+
+          returned_db = File.read("#{@configuration.db_file_path}/#{db_rule_category}.modfile").strip
+  
+          # If the modfile is empty (no db file name), return nil
+          # this can happen if the the api key is bad
+          if returned_db == ''
+            return ''
+          else
+            return returned_db
+          end
+  
+        end
+  
+      # No modfile exists, so download the latest db
+      else 
+  
+        LogSuppressor.puts_log("[Wafris][Downsync] No modfile exists, downloading latest db")
+
+        # Make sure that another process isn't already downloading the rules
+        if File.exist?("#{@configuration.db_file_path}/#{db_rule_category}.lockfile")
+          LogSuppressor.puts_log("[Wafris][Downsync] Lockfile exists, skipping downsync")
+          # Lockfile exists, but no modfile with a db filename
+          return nil
+        else
+  
+          LogSuppressor.puts_log("[Wafris][Downsync] No modfile exists, downloading latest db")
+          # No modfile exists, so download the latest db
+          returned_db = downsync_db(db_rule_category, nil)
+  
+          if returned_db.nil?
+            return nil
+          else 
+            return returned_db
+          end
+  
+        end
+  
+      end 
+  
+    end
+  
+    # This is the main loop that evaluates the request
+    # as well as sorts out when downsync and upsync should be called
+    def evaluate(ip, user_agent, path, parameters, host, method, headers, body, request_id, request_timestamp)
+        @configuration ||= Wafris::Configuration.new
+
+        if @configuration.api_key.nil?          
+          return "Passed"
+        else
+
+          rules_db_filename = current_db('custom_rules')
+          data_subscriptions_db_filename = current_db('data_subscriptions')
+    
+          if rules_db_filename.to_s.strip != '' && data_subscriptions_db_filename.strip.to_s.strip != ''
+    
+            rules_db = SQLite3::Database.new "#{@configuration.db_file_path}/#{rules_db_filename}"
+            data_subscriptions_db = SQLite3::Database.new "#{@configuration.db_file_path}/#{data_subscriptions_db_filename}"
+
+            # Allowed IPs
+            if exact_match(ip, 'allowed_ips', rules_db)
+              return queue_upsync_request(ip, user_agent, path, parameters, host, method, 'Allowed', 'ai', ip, request_id, request_timestamp)
+            end
+    
+            # Allowed CIDR Ranges
+            if ip_in_cidr_range(ip, 'allowed_cidr_ranges', rules_db)
+              return queue_upsync_request(ip, user_agent, path, parameters, host, method, 'Allowed', 'ac', ip, request_id, request_timestamp)
+            end
+    
+            # Blocked IPs
+            if exact_match(ip, 'blocked_ips', rules_db)
+              return queue_upsync_request(ip, user_agent, path, parameters, host, method, 'Blocked', 'bi', ip, request_id, request_timestamp)
+            end
+    
+            # Blocked CIDR Ranges
+            if ip_in_cidr_range(ip, 'blocked_cidr_ranges', rules_db)
+              return queue_upsync_request(ip, user_agent, path, parameters, host, method, 'Blocked', 'bc', ip, request_id, request_timestamp)
+            end
+    
+            # Blocked Country Codes
+            country_code = get_country_code(ip, data_subscriptions_db)      
+            if exact_match(country_code, 'blocked_country_codes', rules_db)
+              return queue_upsync_request(ip, user_agent, path, parameters, host, method, 'Blocked', 'bs', "G_#{country_code}", request_id, request_timestamp)
+            end 
+    
+            # Blocked Reputation IP Ranges
+            if ip_in_cidr_range(ip, 'reputation_ip_ranges', data_subscriptions_db)
+              return queue_upsync_request(ip, user_agent, path, parameters, host, method, 'Blocked', 'bs', "R", request_id, request_timestamp)
+            end
+    
+            # Blocked User Agents
+            user_agent_match = substring_match(user_agent, 'blocked_user_agents', rules_db)
+            if user_agent_match
+              return queue_upsync_request(ip, user_agent, path, parameters, host, method, 'Blocked', 'bu', user_agent_match, request_id, request_timestamp)
+            end
+    
+            # Blocked Paths
+            path_match = substring_match(path, 'blocked_paths', rules_db)
+            if path_match
+              return queue_upsync_request(ip, user_agent, path, parameters, host, method, 'Blocked', 'bp', path_match, request_id, request_timestamp)
+            end
+    
+            # Blocked Parameters
+            parameters_match = substring_match(parameters, 'blocked_parameters', rules_db)
+            if parameters_match
+              return queue_upsync_request(ip, user_agent, path, parameters, host, method, 'Blocked', 'ba', parameters_match, request_id, request_timestamp)
+            end
+    
+            # Blocked Hosts
+            if exact_match(host, 'blocked_hosts', rules_db)
+              return queue_upsync_request(ip, user_agent, path, parameters, host, method, 'Blocked', 'bh', host, request_id, request_timestamp)
+            end
+    
+            # Blocked Methods
+            if exact_match(method, 'blocked_methods', rules_db)
+              return queue_upsync_request(ip, user_agent, path, parameters, host, method, 'Blocked', 'bm', method, request_id, request_timestamp)
+            end
+    
+            # Rate Limiting
+            rule_id = check_rate_limit(ip, path, method, rules_db)
+            if rule_id
+              return queue_upsync_request(ip, user_agent, path, parameters, host, method, 'Blocked', 'brl', rule_id, request_id, request_timestamp)
+            end
+    
+          end
+    
+          # Passed if no allow or block rules matched
+          return queue_upsync_request(ip, user_agent, path, parameters, host, method, 'Passed', 'passed', '-', request_id, request_timestamp)
+
+        end # end api_key.nil?
+    end # end evaluate
+  
+    def debug(api_key)
+
+      if ENV['WAFRIS_API_KEY']
+        puts "Wafris API Key environment variable is set."
+        puts " - API Key: #{ENV['WAFRIS_API_KEY']}"
+      else
+        puts "Wafris API Key environment variable is not set."
       end
+
+      puts "\n"
+      puts "Wafris Configuration:"
+
+      Wafris.configure do |config|
+        config.api_key = api_key
+      end
+
+      settings = Wafris.configuration
+
+      settings.instance_variables.each do |ivar|
+        puts " - #{ivar}: #{Wafris.configuration.instance_variable_get(ivar)}"
+      end
+
+      puts "\n"
+      if File.exist?(settings.db_file_path + "/" + "custom_rules.lockfile")
+        puts "Custom Rules Lockfile: #{settings.db_file_path}/custom_rules.lockfile exists"
+        puts " - Last Modified Time: #{File.mtime(settings.db_file_path + "/" + "custom_rules.lockfile")}"
+      else
+        puts "Custom Rules Lockfile: #{settings.db_file_path}/custom_rules.lockfile does not exist."
+      end
+
+      puts "\n"
+      if File.exist?(settings.db_file_path + "/" + "custom_rules.modfile")
+        puts "Custom Rules Modfile: #{settings.db_file_path}/custom_rules.modfile exists"
+        puts " - Last Modified Time: #{File.mtime(settings.db_file_path + "/" + "custom_rules.modfile")}"
+        puts " - Contents: #{File.open(settings.db_file_path + "/" + "custom_rules.modfile", 'r').read}"
+      else
+        puts "Custom Rules Modfile: #{settings.db_file_path}/custom_rules.modfile does not exist."
+      end
+
+      puts "\n"
+      if File.exist?(settings.db_file_path + "/" + "data_subscriptions.lockfile")
+        puts "Data Subscriptions Lockfile: #{settings.db_file_path}/data_subscriptions.lockfile exists"
+        puts " - Last Modified Time: #{File.mtime(settings.db_file_path + "/" + "data_subscriptions.lockfile")}"
+      else
+        puts "Data Subscriptions Lockfile: #{settings.db_file_path}/data_subscriptions.lockfile does not exist."
+      end
+
+      puts "\n"
+      if File.exist?(settings.db_file_path + "/" + "data_subscriptions.modfile")
+        puts "Data Subscriptions Modfile: #{settings.db_file_path}/data_subscriptions.modfile exists"
+        puts " - Last Modified Time: #{File.mtime(settings.db_file_path + "/" + "data_subscriptions.modfile")}"
+        puts " - Contents: #{File.open(settings.db_file_path + "/" + "data_subscriptions.modfile", 'r').read}"
+      else
+        puts "Data Subscriptions Modfile: #{settings.db_file_path}/data_subscriptions.modfile does not exist."
+      end
+
+
+
+      return true
     end
+  
   end
 end

metadata

@@ -1,58 +1,86 @@
 --- !ruby/object:Gem::Specification
 name: wafris
 version: !ruby/object:Gem::Version
-  version: 1.1.10
+  version: 2.0.0
 platform: ruby
 authors:
-- Micahel Buckbee
+- Michael Buckbee
 - Ryan Castillo
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-03-05 00:00:00.000000000 Z
+date: 2024-07-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: connection_pool
+  name: rack
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '2.3'
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '2.3'
+        version: '2.0'
 - !ruby/object:Gem::Dependency
-  name: rack
+  name: sqlite3
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '0'
 - !ruby/object:Gem::Dependency
-  name: redis
+  name: ipaddr
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 4.8.0
+        version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 4.8.0
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: httparty
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: awesome_print
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
@@ -107,14 +135,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '6.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '6.0'
 - !ruby/object:Gem::Dependency
   name: railties
   requirement: !ruby/object:Gem::Requirement
@@ -149,7 +177,6 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- lib/lua/dist/wafris_core.lua
 - lib/wafris.rb
 - lib/wafris/configuration.rb
 - lib/wafris/log_suppressor.rb
@@ -161,11 +188,9 @@ licenses:
 - Elastic-2.0
 metadata: {}
 post_install_message: |2+
-      Thank you for installing the wafris gem.
-
-      If you haven't already, please sign up for Wafris Hub at:
+      Thank you for installing the Wafris gem.
 
-      https://github.com/Wafris/wafris-rb
+      Get your API key and set firewall rules at https://hub.wafris.org
 
 rdoc_options: []
 require_paths:

data/lib/lua/dist/wafris_core.lua

@@ -1,305 +0,0 @@
-
-
-local USE_TIMESTAMPS_AS_REQUEST_IDS = false
-local EXPIRATION_IN_SECONDS = tonumber(redis.call("HGET", "waf-settings", "expiration-time")) or 86400
-local EXPIRATION_OFFSET_IN_SECONDS = 3600
-
-
-local function get_timebucket(timestamp_in_seconds)
-  local startOfHourTimestamp = math.floor(timestamp_in_seconds / 3600) * 3600
-  return tostring(startOfHourTimestamp)
-end
-
-local function set_property_value_id_lookups(property_abbreviation, property_value)
-
-  local value_key = property_abbreviation .. "V" .. property_value
-  local property_id = redis.call("GET", value_key)
-
-  if property_id == false then
-    property_id = redis.call("INCR", property_abbreviation .. "-id-counter")
-    redis.call("SET", value_key, property_id)
-    redis.call("SET", property_abbreviation .. "I" .. property_id, property_value)
-  end
-
-  redis.call("EXPIRE", value_key, EXPIRATION_IN_SECONDS + EXPIRATION_OFFSET_IN_SECONDS)
-  redis.call("EXPIRE", property_abbreviation .. "I" .. property_id, EXPIRATION_IN_SECONDS + EXPIRATION_OFFSET_IN_SECONDS)
-
-  return property_id
-end
-
-local function increment_leaderboard_for(property_abbreviation, property_id, timebucket)
-
-  local key = property_abbreviation .. "L" .. timebucket
-  redis.call("ZINCRBY", key, 1, property_id)
-  redis.call("EXPIRE", key, EXPIRATION_IN_SECONDS)
-end
-
-local function set_property_to_requests_list(property_abbreviation, property_id, request_id, timebucket)
-
-  local key = property_abbreviation .. "R" .. property_id .. "-" .. timebucket
-  redis.call("LPUSH", key, request_id)
-
-  redis.call("EXPIRE", key, EXPIRATION_IN_SECONDS + EXPIRATION_OFFSET_IN_SECONDS)
-end
-
-
-local function ip_in_hash(hash_name, ip_address)
-  local found_ip = redis.call('HEXISTS', hash_name, ip_address)
-
-  if found_ip == 1 then
-    return ip_address
-  else
-    return false
-  end
-end
-
-local function ip_in_cidr_range(cidr_set, ip_decimal_lexical)
-
-  local higher_value = redis.call('ZRANGEBYLEX', cidr_set, '['..ip_decimal_lexical, '+', 'LIMIT', 0, 1)[1]
-
-  local lower_value = redis.call('ZREVRANGEBYLEX', cidr_set, '['..ip_decimal_lexical, '-', 'LIMIT', 0, 1)[1]
-
-  if not (higher_value and lower_value) then
-      return false
-  end
-
-  local higher_compare = higher_value:match('([^%-]+)$')
-  local lower_compare = lower_value:match('([^%-]+)$')
-
-  if higher_compare == lower_compare then
-      return lower_compare
-  else
-      return false
-  end
-end
-
-local function escapePattern(s)
-    local patternSpecials = "[%^%$%(%)%%%.%[%]%*%+%-%?]"
-    return s:gsub(patternSpecials, "%%%1")
-end
-
-local function match_by_pattern(property_abbreviation, property_value)
-  local hash_name = "rules-blocked-" .. property_abbreviation
-
-  local patterns = redis.call('HKEYS', hash_name)
-
-  for _, pattern in ipairs(patterns) do
-    if string.find(string.lower(property_value), string.lower(escapePattern(pattern))) then
-      return pattern
-    end
-  end
-
-  return false
-end
-
-local function blocked_by_rate_limit(request_properties)
-
-  local rate_limiting_rules_values = redis.call('HKEYS', 'rules-blocked-rate-limits')
-
-  for i, rule_name in ipairs(rate_limiting_rules_values) do
-
-    local conditions_hash = redis.call('HGETALL', rule_name .. "-conditions")
-
-    local all_conditions_match = true
-
-    for j = 1, #conditions_hash, 2 do
-      local condition_key = conditions_hash[j]
-      local condition_value = conditions_hash[j + 1]
-
-      if request_properties[condition_key] ~= condition_value then
-        all_conditions_match = false
-        break
-      end
-    end
-
-    if all_conditions_match then
-
-      local rule_settings_key = rule_name .. "-settings"
-
-      local limit, time_period, limited_by, rule_id = unpack(redis.call('HMGET', rule_settings_key, 'limit', 'time-period', 'limited-by', 'rule-id'))
-
-      local throttle_key = rule_name .. ":" .. limit .. "V" .. request_properties.ip
-
-      local new_value = redis.call('INCR', throttle_key)
-
-      if new_value == 1 then
-        redis.call('EXPIRE', throttle_key, tonumber(time_period))
-      end
-
-      if tonumber(new_value) >= tonumber(limit) then
-        return rule_id
-      else
-        return false
-      end
-    end
-  end
-end
-
-local function check_rules(functions_to_check)
-  for _, check in ipairs(functions_to_check) do
-
-    local rule = check.func(unpack(check.args))
-    local category = check.category
-
-    if type(rule) == "string" then
-      return rule, category
-    end
-  end
-
-  return false, false
-end
-
-local function check_blocks(request)
-  local rule_categories = {
-    { category = "bi", func = ip_in_hash, args = { "rules-blocked-i", request.ip } },
-    { category = "bc", func = ip_in_cidr_range, args = { "rules-blocked-cidrs-set", request.ip_decimal_lexical } },
-    { category = "bs", func = ip_in_cidr_range, args = { "rules-blocked-cidrs-subscriptions-set", request.ip_decimal_lexical } },    
-    { category = "bu", func = match_by_pattern, args = { "u", request.user_agent } },
-    { category = "bp", func = match_by_pattern, args = { "p", request.path } },
-    { category = "ba", func = match_by_pattern, args = { "a", request.parameters } },
-    { category = "bh", func = match_by_pattern, args = { "h", request.host } },
-    { category = "bm", func = match_by_pattern, args = { "m", request.method } },
-    { category = "bd", func = match_by_pattern, args = { "rh", request.headers } },
-    { category = "bpb", func = match_by_pattern, args = { "pb", request.post_body } },
-    { category = "brl", func = blocked_by_rate_limit, args = { request } }
-  }
-
-  return check_rules(rule_categories)
-end
-
-local function check_allowed(request)
-  local rule_categories = {
-    { category = "ai", func = ip_in_hash, args = { "rules-allowed-i", request.ip } },
-    { category = "ac", func = ip_in_cidr_range, args = { "rules-allowed-cidrs-set", request.ip_decimal_lexical } }
-  }
-
-  return check_rules(rule_categories)
-end
-
-local request = {
-  ["ip"] = ARGV[1],
-  ["ip_decimal_lexical"] = string.rep("0", 39 - #ARGV[2]) .. ARGV[2],
-  ["ts_in_milliseconds"] = ARGV[3],
-  ["ts_in_seconds"] = ARGV[3] / 1000,
-  ["user_agent"] = ARGV[4],
-  ["path"] = ARGV[5],
-  ["parameters"] = ARGV[6],
-  ["host"] = ARGV[7],
-  ["method"] = ARGV[8],
-  ["headers"] = ARGV[9],
-  ["post_body"] = ARGV[10],
-  ["ip_id"] = set_property_value_id_lookups("i", ARGV[1]),
-  ["user_agent_id"] = set_property_value_id_lookups("u", ARGV[4]),
-  ["path_id"] = set_property_value_id_lookups("p", ARGV[5]),
-  ["parameters_id"] = set_property_value_id_lookups("a", ARGV[6]),
-  ["host_id"] = set_property_value_id_lookups("h", ARGV[7]),
-  ["method_id"] = set_property_value_id_lookups("m", ARGV[8])
-}
-
-
-
-local current_timebucket = get_timebucket(request.ts_in_seconds)
-
-  local blocked_rule = false
-  local blocked_category = nil
-  local treatment = "p"
-
-  local stream_id
-
-  if USE_TIMESTAMPS_AS_REQUEST_IDS == true then
-      stream_id = request.ts_in_milliseconds
-  else
-      stream_id = "*"
-  end
-
-  local stream_args = {
-    "XADD",
-    "rStream",
-    "MINID",
-    tostring((current_timebucket - EXPIRATION_IN_SECONDS) * 1000 ),
-    stream_id,
-    "i", request.ip_id,
-    "u", request.user_agent_id,
-    "p", request.path_id,
-    "h", request.host_id,
-    "m", request.method_id,
-    "a", request.parameters_id,
-  }
-
-  local allowed_rule, allowed_category = check_allowed(request)
-
-  if allowed_rule then
-    table.insert(stream_args, "t")
-    table.insert(stream_args, "a")
-
-    treatment = "a"
-
-    table.insert(stream_args, "ac")
-    table.insert(stream_args, allowed_category)
-
-    table.insert(stream_args, "ar")
-    table.insert(stream_args, allowed_rule)
-
-  else
-    blocked_rule, blocked_category = check_blocks(request)
-  end
-
-  if blocked_rule then
-    table.insert(stream_args, "t")
-    table.insert(stream_args, "b")
-
-    treatment = "b"
-
-    table.insert(stream_args, "bc")
-    table.insert(stream_args, blocked_category)
-
-    table.insert(stream_args, "br")
-    table.insert(stream_args, blocked_rule)
-  end
-
-  if blocked_rule == false and allowed_rule == false then
-    table.insert(stream_args, "t")
-    table.insert(stream_args, "p")
-  end
-
-  local request_id = redis.call(unpack(stream_args))
-
-  increment_leaderboard_for("i", request.ip_id, current_timebucket)
-  increment_leaderboard_for("u", request.user_agent_id, current_timebucket)
-  increment_leaderboard_for("p", request.path_id, current_timebucket)
-  increment_leaderboard_for("a", request.parameters_id, current_timebucket)
-  increment_leaderboard_for("h", request.host_id, current_timebucket)
-  increment_leaderboard_for("m", request.method_id, current_timebucket)
-  increment_leaderboard_for("t", treatment, current_timebucket)
-
-  set_property_to_requests_list("i", request.ip_id, request_id, current_timebucket)
-  set_property_to_requests_list("u", request.user_agent_id, request_id, current_timebucket)
-  set_property_to_requests_list("p", request.path_id, request_id, current_timebucket)
-  set_property_to_requests_list("a", request.parameters_id, request_id, current_timebucket)
-  set_property_to_requests_list("h", request.host_id, request_id, current_timebucket)
-  set_property_to_requests_list("m", request.method_id, request_id, current_timebucket)
-  set_property_to_requests_list("t", treatment, request_id, current_timebucket)
-
-  if blocked_rule ~= false then
-    increment_leaderboard_for("bc", blocked_category, current_timebucket)
-    set_property_to_requests_list("bc", blocked_category, request_id, current_timebucket)
-
-    increment_leaderboard_for("br", blocked_rule, current_timebucket)
-    set_property_to_requests_list("br", blocked_rule, request_id, current_timebucket)
-  end
-
-  if allowed_rule ~= false then
-    increment_leaderboard_for("ac", allowed_category, current_timebucket)
-    set_property_to_requests_list("ac", allowed_category, request_id, current_timebucket)
-
-    increment_leaderboard_for("ar", allowed_rule, current_timebucket)
-    set_property_to_requests_list("ar", allowed_rule, request_id, current_timebucket)
-  end
-
-if blocked_rule ~= false then
-  return "Blocked"
-elseif allowed_rule ~= false then
-  return "Allowed"
-else
-  return "Passed"
-end