web_shield 0.1.0 → 0.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 7770e88cb028cf1b22ef97d1fe7b4cfdfdacd668
-  data.tar.gz: 8d6ca04e94a030f8549519dc612b21fb9b44615a
+  metadata.gz: 3bb3b5807870d938c333e58039fffd21e6e3a028
+  data.tar.gz: f1e43ecd7c806d1995305ad34987ff90dbb93036
 SHA512:
-  metadata.gz: 90b662cce0a88025b954d57ee89212574afec1d91f11e98afc25ae301d42e13a0635a5d387f88b0e20e9734c2b2c3f57becf51db42af74dff0415c1116f52142
-  data.tar.gz: 5abad4f941f28c259ba8acc486fd75d7d975481aff5cce472e5831db775a8fc689591d4686b346b59f9009f71b6b9a1d9553fc975c76f29cdea34c6c6ab10ec8
+  metadata.gz: 291f5ad8c073b8bea8ebf8b2cf701d1cfb0bd1e429cc3358d7d0265da1707302595de3032a17334b206795f4e0683ee5f036c662b0451298ba823db3286c5e3d
+  data.tar.gz: d857687ca7eada1dbd5994e0f1c3aa1a79f7fb353d5d6de7fbe06390adbccdc4647a25f22fa58e9a0c51c4965adfa0bbcaf5d47c5b18a60a78aeef129913ba62

data/.gitignore

@@ -9,3 +9,4 @@
 /tmp/
 
 *.swp
+*.gem

data/README.md

@@ -18,7 +18,20 @@ Or install it yourself as:
 
 ## Usage
 
-See `exmaples/base_config.rb`
+
+```
+config = WebShield::Config.new
+config.store = WebShield::MemoryStore.new # or WebShield::RedisStore.new(redis: Redis.current)
+config.user_parser = Proc.new {|request| request.params[:token] || request.ip }
+
+config.build_shield("*", {
+  whitelist: %w{127.0.0.1, 192.168.10.1/8},
+  blacklist: %w{123.123.123.123 222.222.222.0/8}
+}, WebShield::IPShield)
+config.build_shield "/api/:ver/*", {period: 30, limit: 10}
+```
+
+More see `exmaples/*_config.rb`
 
 ### Config options
 
@@ -26,7 +39,7 @@ See `exmaples/base_config.rb`
 * `logger`: Logger instance
 * `user_parser`: 每个请求的限制都是按用户来的
 * `blocked_response`: 当 block 时返回的内容
-* `build_shield`: 构建防御，一个请求过来请会按构建的顺序去一一检查，如果有一个未通过，直接拒绝请求，如果带 skip_shields，当此 shield 被匹配时，如果通过则执行正常的业务，如果不通过则拒绝请求
+* `build_shield`: 构建防御，一个请求过来请会按构建的顺序去一一检查，如果有一个未通过，直接拒绝请求，如果指定了 dictatorial，当此 shield 被匹配时，如果通过则执行正常的业务，如果不通过则拒绝请求
 
 ### Build shield options
 
@@ -38,7 +51,7 @@ See `exmaples/base_config.rb`
 
 ## TODO
 
-* UserShield: user whitelist and blacklist
+* Optimize IPShield#ip_in_list?
 * HoneypotShield: 
 * Auto block request:
 

data/examples/config.ru

@@ -3,6 +3,7 @@
 require 'pry'
 require File.expand_path('../base_config', __FILE__)
 require File.expand_path('../more_shields_config', __FILE__)
+require File.expand_path('../ip_shield_config', __FILE__)
 
 class RackBenchmark
   def initialize(app)
@@ -41,3 +42,9 @@ map '/api/v2' do
   run app
 end
 
+map '/api/ip' do
+  use WebShield::Middleware, $ip_config
+  run app
+end
+
+

data/examples/ip_shield_config.rb

@@ -0,0 +1,24 @@
+require 'web_shield'
+
+config = WebShield::Config.new
+config.store = WebShield::MemoryStore.new # or WebShield::RedisStore.new(redis: Redis.current)
+
+config.user_parser = Proc.new {|request| request.params[:token] || request.ip }
+
+# filter order
+$ip_shield = config.build_shield(
+  "/api/ip*", {
+    whitelist: %w{127.0.0.1},
+    blacklist: %w{1.1.1.1}
+  },
+  WebShield::IPShield
+)
+
+config.build_shield "/api/ip*", {period: 5, limit: 3}
+
+# dynamic add ips
+$ip_shield.push_to_whitelist(%w{192.168.0.0/16 10.0.0.1/16})
+$ip_shield.push_to_blacklist(%w{111.1.1.1/24 1.2.3.4})
+
+$ip_config = config
+

data/lib/web_shield.rb

@@ -8,9 +8,13 @@ module WebShield
   class Error < StandardError; end
 
   autoload :Config, 'web_shield/config'
+
   autoload :MemoryStore, 'web_shield/memory_store'
+
   autoload :Shield, 'web_shield/shield'
   autoload :ThrottleShield, 'web_shield/throttle_shield'
+  autoload :IPShield, 'web_shield/ip_shield'
+
   autoload :Middleware, 'web_shield/middleware'
 
   class << self

data/lib/web_shield/config.rb

@@ -8,6 +8,7 @@ module WebShield
     def initialize
       @shields = []
       @shield_counter = 0
+      @id_prefix = Time.now.to_f.to_s
 
       @user_parser = Proc.new {|req| req.ip }
       @blocked_response = Proc.new {|req| [429, {}, ['Too Many Requests']] }
@@ -30,9 +31,19 @@ module WebShield
       end
     end
 
+    # return shield
     def build_shield(path_matcher, options, shield_class = ThrottleShield)
-      shields << shield_class.new(@shield_counter += 1, path_matcher, options, self)
-      logger.info("Build shield #{shields.last.id} #{path_matcher} #{options}")
+      shield_class.new(generate_id, path_matcher, options, self).tap do |shield|
+        shields << shield
+        logger.info("Build #{shield.shield_name} #{path_matcher} #{options}")
+      end
+    end
+
+
+    private
+
+    def generate_id
+      "#{@id_prefix}-#{@shield_counter += 1}"
     end
   end
 end

data/lib/web_shield/ip_shield.rb

@@ -0,0 +1,73 @@
+require 'digest'
+require 'ipaddr'
+
+module WebShield
+  class IPShield < Shield
+    OPTION_KEYS =[:whitelist, :blacklist]
+
+    # Params:
+    #   path:
+    #   options:
+    #     whitelist: options, defualt [], like 172.10.10.10 172.10.10.10/16
+    #     blacklist: options, default [], like 172.10.10.10 172.10.10.10/16
+    def initialize(id, shield_path, options, config)
+      super
+
+      check_options(@options)
+      @options[:dictatorial] = true
+      push_to_whitelist(options[:whitelist]) if options[:whitelist]
+      push_to_blacklist(options[:blacklist]) if options[:blacklist]
+    end
+
+    def filter(request)
+      req_path = request.path
+      return unless path_matcher.match(req_path)
+
+      if in_blacklist?(request.ip)
+        user = config.user_parser.call(request)
+        write_log(:info, "Blacklist block '#{user}' #{request.request_method} #{req_path}")
+        :block
+      elsif in_whitelist?(request.ip)
+        write_log(:info, "Whitelist pass '#{user}' #{request.request_method} #{req_path}")
+        :pass
+      else
+        nil
+      end
+    end
+
+    def in_whitelist?(ip)
+      in_ip_list?(get_store_key('whitelist'), ip)
+    end
+
+    def in_blacklist?(ip)
+      in_ip_list?(get_store_key('blacklist'), ip)
+    end
+
+    def push_to_whitelist(ips)
+      config.store.push_to_set(get_store_key('whitelist'), ips)
+    end
+
+    def push_to_blacklist(ips)
+      config.store.push_to_set(get_store_key('blacklist'), ips)
+    end
+
+
+    private
+
+    # TODO optimize it
+    def in_ip_list?(list_key, ip)
+      config.store.read_set(list_key).any? {|ip_range| IPAddr.new(ip_range).include?(ip) }
+    end
+
+    def get_store_key(list_name)
+      ['web_shield', 'ip_shield', list_name].join('/')
+    end
+
+    def check_options(options)
+      options.each do |key, val|
+        raise Error, "Invalid shield option '#{key}'" unless OPTION_KEYS.include?(key)
+      end
+    end
+  end
+end
+

data/lib/web_shield/memory_store.rb

@@ -1,4 +1,5 @@
 require 'monitor'
+require 'set'
 
 module WebShield
   class MemoryStore
@@ -26,6 +27,29 @@ module WebShield
       end
     end
 
+    def push_to_set(key, vals)
+      values = vals.is_a?(Array) ? vals.map(&:to_s) : [vals.to_s]
+      @lock.synchronize do
+        @data[key] ||= Set.new
+        @data[key].merge(values)
+      end
+      true
+    end
+
+    def del_from_set(key, vals)
+      key_data = @data[key]
+      return false unless key_data && key_data.is_a?(Set)
+      values = vals.is_a?(Array) ? vals.map(&:to_s) : [vals.to_s]
+      @lock.synchronize do
+        key_data.delete_if {|val| values.include?(val) }
+      end
+      true
+    end
+
+    def read_set(key)
+      @data[key] || Set.new
+    end
+
     def reset(key)
       @data.delete(key.to_sym)
     end

data/lib/web_shield/shield.rb

@@ -3,15 +3,7 @@ require 'digest'
 module WebShield
   class Shield
     attr_reader :id, :shield_path, :path_matcher, :options, :config
-    OPTION_KEYS =[:period, :limit, :method, :path_sensitive, :dictatorial]
-
-    # Params:
-    #   path:
-    #   options:
-    #     period: required
-    #     limit: required
-    #     method: optional
-    #     path_sensitive: optional, defualt false
+
     def initialize(id, shield_path, options, config)
       @id = id
       @shield_path = shield_path
@@ -29,6 +21,18 @@ module WebShield
       @options[:dictatorial]
     end
 
+    def write_log(severity, msg)
+      case svrt = severity.to_sym
+      when :debug, :info, :warn, :error
+        config.logger.send(svrt, "#{shield_name} #{msg}")
+      else
+        raise "Invalid log severity '#{svrt}'"
+      end
+    end
+
+    def shield_name
+      self.class.name.split('::', 2).last + "\##{id}"
+    end
 
     private
 
@@ -45,7 +49,6 @@ module WebShield
     def hash_to_symbol_keys(hash)
       hash.each_with_object({}) do |kv, result|
         key, val = kv[0].to_sym, kv[1]
-        raise Error, "Invalid shield option '#{key}'" unless OPTION_KEYS.include?(key)
         result[key] = val
       end
     end

data/lib/web_shield/throttle_shield.rb

@@ -2,6 +2,20 @@ require 'digest'
 
 module WebShield
   class ThrottleShield < Shield
+    OPTION_KEYS =[:period, :limit, :method, :path_sensitive, :dictatorial]
+
+    # Params:
+    #   path:
+    #   options:
+    #     period: required
+    #     limit: required
+    #     method: optional
+    #     path_sensitive: optional, defualt false
+    def initialize(id, shield_path, options, config)
+      super
+
+      check_options(@options)
+    end
 
     def filter(request)
       req_path = request.path
@@ -10,21 +24,35 @@ module WebShield
       return if options[:method] && options[:method].to_s.upcase != request.request_method
 
       user = config.user_parser.call(request)
-      store_keys = [id.to_s, user.to_s]
-      if options[:path_sensitive]
-        route = [request.request_method, req_path]
-      else
-        route = (options[:method] ? [options[:method].to_s.upcase, shield_path] : [shield_path])
-      end
-      store_keys << Digest::MD5.hexdigest(route.join('-'))
 
-      if @config.store.incr(store_keys.join('-'), options[:period]) <= options[:limit]
+      if @config.store.incr(get_store_key(request, user), options[:period]) <= options[:limit]
+        write_log(:debug, "Pass '#{user}' #{request.request_method} #{req_path}")
         :pass
       else
-        config.logger.info("[#{id}] Block '#{user}' #{request.request_method} #{req_path}")
+        write_log(:info, "Block '#{user}' #{request.request_method} #{req_path}")
         :block
       end
     end
+
+
+    private
+
+    def get_store_key(request, user)
+      keys = ['web_shield', id.to_s, user.to_s]
+      route = if options[:path_sensitive]
+        [request.request_method, request.path]
+      else
+        (options[:method] ? [options[:method].to_s.upcase, shield_path] : [shield_path])
+      end
+      keys << Digest::MD5.hexdigest(route.join('-'))
+      keys.join('/')
+    end
+
+    def check_options(options)
+      options.each do |key, val|
+        raise Error, "Invalid shield option '#{key}'" unless OPTION_KEYS.include?(key)
+      end
+    end
   end
 end
 

data/lib/web_shield/version.rb

@@ -1,3 +1,3 @@
 module WebShield
-  VERSION = "0.1.0"
+  VERSION = "0.1.1"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: web_shield
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.1.1
 platform: ruby
 authors:
 - jiangzhi.xie
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2016-07-10 00:00:00.000000000 Z
+date: 2016-07-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -98,9 +98,11 @@ files:
 - bin/setup
 - examples/base_config.rb
 - examples/config.ru
+- examples/ip_shield_config.rb
 - examples/more_shields_config.rb
 - lib/web_shield.rb
 - lib/web_shield/config.rb
+- lib/web_shield/ip_shield.rb
 - lib/web_shield/memory_store.rb
 - lib/web_shield/middleware.rb
 - lib/web_shield/shield.rb