aiwaf 0.1.8.4__tar.gz → 0.1.8.6__tar.gz

{aiwaf-0.1.8.4 → aiwaf-0.1.8.6}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: aiwaf
-Version: 0.1.8.4
+Version: 0.1.8.6
 Summary: AI-powered Web Application Firewall
 Home-page: https://github.com/aayushgauba/aiwaf
 Author: Aayush Gauba
@@ -99,7 +99,26 @@ AIWAF_EXEMPT_PATHS = [
 ]
 ```
 
-All exempt paths are:
+**Exempt Views (Decorator):**
+Use the `@aiwaf_exempt` decorator to exempt specific views from all AI-WAF protection:
+
+```python
+from aiwaf.decorators import aiwaf_exempt
+from django.http import JsonResponse
+
+@aiwaf_exempt
+def my_api_view(request):
+    """This view will be exempt from all AI-WAF protection"""
+    return JsonResponse({"status": "success"})
+
+# Works with class-based views too
+@aiwaf_exempt
+class MyAPIView(View):
+    def get(self, request):
+        return JsonResponse({"method": "GET"})
+```
+
+All exempt paths and views are:
   - Skipped from keyword learning
   - Immune to AI blocking
   - Ignored in log training

{aiwaf-0.1.8.4 → aiwaf-0.1.8.6}/README.md

@@ -78,7 +78,26 @@ AIWAF_EXEMPT_PATHS = [
 ]
 ```
 
-All exempt paths are:
+**Exempt Views (Decorator):**
+Use the `@aiwaf_exempt` decorator to exempt specific views from all AI-WAF protection:
+
+```python
+from aiwaf.decorators import aiwaf_exempt
+from django.http import JsonResponse
+
+@aiwaf_exempt
+def my_api_view(request):
+    """This view will be exempt from all AI-WAF protection"""
+    return JsonResponse({"status": "success"})
+
+# Works with class-based views too
+@aiwaf_exempt
+class MyAPIView(View):
+    def get(self, request):
+        return JsonResponse({"method": "GET"})
+```
+
+All exempt paths and views are:
   - Skipped from keyword learning
   - Immune to AI blocking
   - Ignored in log training

aiwaf-0.1.8.6/aiwaf/decorators.py

@@ -0,0 +1,28 @@
+from functools import wraps
+from django.utils.decorators import method_decorator
+
+def aiwaf_exempt(view_func):
+    """
+    Decorator to exempt a view from AI-WAF protection.
+    Can be used on function-based views or class-based views.
+    
+    Usage:
+        @aiwaf_exempt
+        def my_view(request):
+            return HttpResponse("This view is exempt from AI-WAF")
+        
+        # Or for class-based views:
+        @method_decorator(aiwaf_exempt, name='dispatch')
+        class MyView(View):
+            pass
+    """
+    @wraps(view_func)
+    def wrapped_view(*args, **kwargs):
+        return view_func(*args, **kwargs)
+    
+    # Mark the view as AI-WAF exempt
+    wrapped_view.aiwaf_exempt = True
+    return wrapped_view
+
+# For class-based views
+aiwaf_exempt_view = method_decorator(aiwaf_exempt, name='dispatch')

{aiwaf-0.1.8.4 → aiwaf-0.1.8.6}/aiwaf/middleware.py

@@ -14,37 +14,10 @@ from django.core.cache import cache
 from django.db.models import F
 from django.apps import apps
 from django.urls import get_resolver
-from .trainer import STATIC_KW, STATUS_IDX, is_exempt_path, path_exists_in_django
+from .trainer import STATIC_KW, STATUS_IDX, path_exists_in_django
 from .blacklist_manager import BlacklistManager
 from .models import DynamicKeyword, IPExemption
-def is_ip_exempted(ip):
-    return IPExemption.objects.filter(ip_address=ip).exists()
-
-def is_exempt_path(path):
-    path = path.lower()
-    
-    # Default login paths that should always be exempt
-    default_login_paths = [
-        "/admin/login/",
-        "/admin/",
-        "/login/",
-        "/accounts/login/",
-        "/auth/login/",
-        "/signin/",
-    ]
-    
-    # Check default login paths
-    for login_path in default_login_paths:
-        if path.startswith(login_path):
-            return True
-    
-    # Check user-configured exempt paths
-    exempt_paths = getattr(settings, "AIWAF_EXEMPT_PATHS", [])
-    for exempt in exempt_paths:
-        if path == exempt or path.startswith(exempt.rstrip("/") + "/"):
-            return True
-    
-    return False
+from .utils import is_exempt, get_ip, is_ip_exempted
 
 MODEL_PATH = getattr(
     settings,
@@ -93,7 +66,7 @@ class IPAndKeywordBlockMiddleware:
 
     def __call__(self, request):
         raw_path = request.path.lower()
-        if is_exempt_path(raw_path):
+        if is_exempt(request):
             return self.get_response(request)
         ip = get_ip(request)
         path = raw_path.lstrip("/")
@@ -132,7 +105,7 @@ class RateLimitMiddleware:
         self.get_response = get_response
 
     def __call__(self, request):
-        if is_exempt_path(request.path):
+        if is_exempt(request):
             return self.get_response(request)
 
         ip = get_ip(request)
@@ -161,7 +134,7 @@ class AIAnomalyMiddleware(MiddlewareMixin):
         self.model = joblib.load(model_path)
 
     def process_request(self, request):
-        if is_exempt_path(request.path):
+        if is_exempt(request):
             return None
         request._start_time = time.time()
         ip = get_ip(request)
@@ -172,14 +145,14 @@ class AIAnomalyMiddleware(MiddlewareMixin):
         return None
 
     def process_response(self, request, response):
-        if is_exempt_path(request.path):
+        if is_exempt(request):
             return response
         ip = get_ip(request)
         now = time.time()
         key = f"aiwaf:{ip}"
         data = cache.get(key, [])
         path_len = len(request.path)
-        if not path_exists_in_django(request.path) and not is_exempt_path(request.path):
+        if not path_exists_in_django(request.path) and not is_exempt(request):
             kw_hits = sum(1 for kw in STATIC_KW if kw in request.path.lower())
         else:
             kw_hits = 0
@@ -211,7 +184,7 @@ class HoneypotTimingMiddleware(MiddlewareMixin):
     MIN_FORM_TIME = getattr(settings, "AIWAF_MIN_FORM_TIME", 1.0)  # seconds
     
     def process_request(self, request):
-        if is_exempt_path(request.path):
+        if is_exempt(request):
             return None
             
         ip = get_ip(request)
@@ -219,7 +192,8 @@ class HoneypotTimingMiddleware(MiddlewareMixin):
             return None
             
         if request.method == "GET":
-            # Store timestamp for this IP's GET request
+            # Store timestamp for this IP's GET request  
+            # Use a general key for the IP, not path-specific
             cache.set(f"honeypot_get:{ip}", time.time(), timeout=300)  # 5 min timeout
         
         elif request.method == "POST":
@@ -228,22 +202,33 @@ class HoneypotTimingMiddleware(MiddlewareMixin):
             
             if get_time is None:
                 # No GET request - likely bot posting directly
-                BlacklistManager.block(ip, "Direct POST without GET")
-                return JsonResponse({"error": "blocked"}, status=403)
-            
-            # Check timing
-            time_diff = time.time() - get_time
-            if time_diff < self.MIN_FORM_TIME:
-                # Posted too quickly - likely bot
-                BlacklistManager.block(ip, f"Form submitted too quickly ({time_diff:.2f}s)")
-                return JsonResponse({"error": "blocked"}, status=403)
+                # But be more lenient for login paths since users might bookmark them
+                if not any(request.path.lower().startswith(login_path) for login_path in [
+                    "/admin/login/", "/login/", "/accounts/login/", "/auth/login/", "/signin/"
+                ]):
+                    BlacklistManager.block(ip, "Direct POST without GET")
+                    return JsonResponse({"error": "blocked"}, status=403)
+            else:
+                # Check timing - be more lenient for login paths
+                time_diff = time.time() - get_time
+                min_time = self.MIN_FORM_TIME
+                
+                # Use shorter time threshold for login paths (users can login quickly)
+                if any(request.path.lower().startswith(login_path) for login_path in [
+                    "/admin/login/", "/login/", "/accounts/login/", "/auth/login/", "/signin/"
+                ]):
+                    min_time = 0.1  # Very short threshold for login forms
+                
+                if time_diff < min_time:
+                    BlacklistManager.block(ip, f"Form submitted too quickly ({time_diff:.2f}s)")
+                    return JsonResponse({"error": "blocked"}, status=403)
         
         return None
 
 
 class UUIDTamperMiddleware(MiddlewareMixin):
     def process_view(self, request, view_func, view_args, view_kwargs):
-        if is_exempt_path(request.path):
+        if is_exempt(request):
             return None
         uid = view_kwargs.get("uuid")
         if not uid:

{aiwaf-0.1.8.4 → aiwaf-0.1.8.6}/aiwaf/trainer.py

@@ -13,6 +13,7 @@ from sklearn.ensemble import IsolationForest
 from django.conf import settings
 from django.apps import apps
 from django.db.models import F
+from .utils import is_exempt_path
 
 # ─────────── Configuration ───────────
 LOG_PATH   = settings.AIWAF_ACCESS_LOG
@@ -32,31 +33,6 @@ DynamicKeyword = apps.get_model("aiwaf", "DynamicKeyword")
 IPExemption = apps.get_model("aiwaf", "IPExemption")
 
 
-def is_exempt_path(path: str) -> bool:
-    path = path.lower()
-    
-    # Default login paths that should always be exempt
-    default_login_paths = [
-        "/admin/login/",
-        "/admin/",
-        "/login/",
-        "/accounts/login/",
-        "/auth/login/",
-        "/signin/",
-    ]
-    
-    # Check default login paths
-    for login_path in default_login_paths:
-        if path.startswith(login_path):
-            return True
-    
-    # Check user-configured exempt paths
-    for exempt in getattr(settings, "AIWAF_EXEMPT_PATHS", []):
-        if path == exempt or path.startswith(exempt.rstrip("/") + "/"):
-            return True
-    return False
-
-
 def path_exists_in_django(path: str) -> bool:
     from django.urls import get_resolver
     from django.urls.resolvers import URLResolver
@@ -203,13 +179,48 @@ def train() -> None:
     os.makedirs(os.path.dirname(MODEL_PATH), exist_ok=True)
     joblib.dump(model, MODEL_PATH)
     print(f"Model trained on {len(X)} samples → {MODEL_PATH}")
+    
+    # Check for anomalies and intelligently decide which IPs to block
     preds = model.predict(X)
     anomalous_ips = set(df.loc[preds == -1, "ip"])
-    for ip in anomalous_ips:
-        BlacklistEntry.objects.get_or_create(
-            ip_address=ip,
-            defaults={"reason": "Anomalous behavior"}
-        )
+    
+    if anomalous_ips:
+        print(f"⚠️  Detected {len(anomalous_ips)} potentially anomalous IPs during training")
+        
+        blocked_count = 0
+        for ip in anomalous_ips:
+            # Skip if IP is exempted
+            if IPExemption.objects.filter(ip_address=ip).exists():
+                continue
+            
+            # Get this IP's behavior from the data
+            ip_data = df[df["ip"] == ip]
+            
+            # Criteria to determine if this is likely a legitimate user vs threat:
+            avg_kw_hits = ip_data["kw_hits"].mean()
+            max_404s = ip_data["total_404"].max()
+            avg_burst = ip_data["burst_count"].mean()
+            total_requests = len(ip_data)
+            
+            # Don't block if it looks like legitimate behavior:
+            if (
+                avg_kw_hits < 2 and           # Not hitting many malicious keywords
+                max_404s < 10 and            # Not excessive 404s
+                avg_burst < 15 and           # Not excessive burst activity
+                total_requests < 100         # Not excessive total requests
+            ):
+                print(f"   - {ip}: Anomalous but looks legitimate (kw:{avg_kw_hits:.1f}, 404s:{max_404s}, burst:{avg_burst:.1f}) - NOT blocking")
+                continue
+            
+            # Block if it shows clear signs of malicious behavior
+            BlacklistEntry.objects.get_or_create(
+                ip_address=ip,
+                defaults={"reason": f"AI anomaly + suspicious patterns (kw:{avg_kw_hits:.1f}, 404s:{max_404s}, burst:{avg_burst:.1f})"}
+            )
+            blocked_count += 1
+            print(f"   - {ip}: Blocked for suspicious behavior (kw:{avg_kw_hits:.1f}, 404s:{max_404s}, burst:{avg_burst:.1f})")
+        
+        print(f"   → Blocked {blocked_count}/{len(anomalous_ips)} anomalous IPs (others looked legitimate)")
 
     tokens = Counter()
     for r in parsed:

aiwaf-0.1.8.6/aiwaf/utils.py

@@ -0,0 +1,105 @@
+import os
+import re
+import glob
+import gzip
+from datetime import datetime
+from django.conf import settings
+from .models import IPExemption
+
+_LOG_RX = re.compile(
+    r'(\d+\.\d+\.\d+\.\d+).*\[(.*?)\].*"(GET|POST) (.*?) HTTP/.*?" (\d{3}).*?"(.*?)" "(.*?)"'
+)
+
+def get_ip(request):
+    xff = request.META.get("HTTP_X_FORWARDED_FOR", "")
+    if xff:
+        return xff.split(",")[0].strip()
+    return request.META.get("REMOTE_ADDR", "")
+
+def read_rotated_logs(base_path):
+    lines = []
+    if os.path.exists(base_path):
+        with open(base_path, "r", encoding="utf-8", errors="ignore") as f:
+            lines.extend(f.readlines())
+    for path in sorted(glob.glob(base_path + ".*")):
+        opener = gzip.open if path.endswith(".gz") else open
+        try:
+            with opener(path, "rt", encoding="utf-8", errors="ignore") as f:
+                lines.extend(f.readlines())
+        except OSError:
+            continue
+    return lines
+
+def parse_log_line(line):
+    m = _LOG_RX.search(line)
+    if not m:
+        return None
+    ip, ts_str, _, path, status, ref, ua = m.groups()
+    try:
+        ts = datetime.strptime(ts_str.split()[0], "%d/%b/%Y:%H:%M:%S")
+    except ValueError:
+        return None
+    rt_m = re.search(r'response-time=(\d+\.\d+)', line)
+    rt = float(rt_m.group(1)) if rt_m else 0.0
+    return {
+        "ip": ip,
+        "timestamp": ts,
+        "path": path,
+        "status": status,
+        "referer": ref,
+        "user_agent": ua,
+        "response_time": rt
+    }
+
+def is_ip_exempted(ip):
+    """Check if IP is in exemption list"""
+    return IPExemption.objects.filter(ip_address=ip).exists()
+
+def is_view_exempt(request):
+    """Check if the current view is marked as AI-WAF exempt"""
+    if hasattr(request, 'resolver_match') and request.resolver_match:
+        view_func = request.resolver_match.func
+        
+        # Check if view function has aiwaf_exempt attribute
+        if hasattr(view_func, 'aiwaf_exempt'):
+            return True
+            
+        # For class-based views, check the view class
+        if hasattr(view_func, 'view_class'):
+            view_class = view_func.view_class
+            if hasattr(view_class, 'aiwaf_exempt'):
+                return True
+                
+            # Check dispatch method for method_decorator usage
+            dispatch_method = getattr(view_class, 'dispatch', None)
+            if dispatch_method and hasattr(dispatch_method, 'aiwaf_exempt'):
+                return True
+                
+    return False
+
+def is_exempt_path(path):
+    """Check if path should be exempt from AI-WAF"""
+    path = path.lower()
+    
+    # Default login paths (always exempt)
+    default_exempt = [
+        "/admin/login/", "/admin/", "/login/", "/accounts/login/", 
+        "/auth/login/", "/signin/"
+    ]
+    
+    # Check default exempt paths
+    for exempt_path in default_exempt:
+        if path.startswith(exempt_path):
+            return True
+        
+    # Check configured exempt paths
+    exempt_paths = getattr(settings, "AIWAF_EXEMPT_PATHS", [])
+    for exempt_path in exempt_paths:
+        if path == exempt_path or path.startswith(exempt_path.rstrip("/") + "/"):
+            return True
+    
+    return False
+
+def is_exempt(request):
+    """Check if request should be exempt (either by path or view decorator)"""
+    return is_exempt_path(request.path) or is_view_exempt(request)

{aiwaf-0.1.8.4 → aiwaf-0.1.8.6}/aiwaf.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: aiwaf
-Version: 0.1.8.4
+Version: 0.1.8.6
 Summary: AI-powered Web Application Firewall
 Home-page: https://github.com/aayushgauba/aiwaf
 Author: Aayush Gauba
@@ -99,7 +99,26 @@ AIWAF_EXEMPT_PATHS = [
 ]
 ```
 
-All exempt paths are:
+**Exempt Views (Decorator):**
+Use the `@aiwaf_exempt` decorator to exempt specific views from all AI-WAF protection:
+
+```python
+from aiwaf.decorators import aiwaf_exempt
+from django.http import JsonResponse
+
+@aiwaf_exempt
+def my_api_view(request):
+    """This view will be exempt from all AI-WAF protection"""
+    return JsonResponse({"status": "success"})
+
+# Works with class-based views too
+@aiwaf_exempt
+class MyAPIView(View):
+    def get(self, request):
+        return JsonResponse({"method": "GET"})
+```
+
+All exempt paths and views are:
   - Skipped from keyword learning
   - Immune to AI blocking
   - Ignored in log training

{aiwaf-0.1.8.4 → aiwaf-0.1.8.6}/aiwaf.egg-info/SOURCES.txt

@@ -5,6 +5,7 @@ setup.py
 aiwaf/__init__.py
 aiwaf/apps.py
 aiwaf/blacklist_manager.py
+aiwaf/decorators.py
 aiwaf/middleware.py
 aiwaf/models.py
 aiwaf/storage.py

{aiwaf-0.1.8.4 → aiwaf-0.1.8.6}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "aiwaf"
-version = "0.1.8.4"
+version = "0.1.8.6"
 description = "AI-powered Web Application Firewall"
 readme = "README.md"
 requires-python = ">=3.8"

{aiwaf-0.1.8.4 → aiwaf-0.1.8.6}/setup.py

@@ -9,7 +9,7 @@ long_description = (HERE / "README.md").read_text(encoding="utf-8")
 
 setup(
     name="aiwaf",
-    version="0.1.8.4",
+    version="0.1.8.6",
     description="AI‑driven, self‑learning Web Application Firewall for Django",
     long_description=long_description,
     long_description_content_type="text/markdown",

aiwaf-0.1.8.4/aiwaf/utils.py

@@ -1,50 +0,0 @@
-import os
-import re
-import glob
-import gzip
-from datetime import datetime
-
-_LOG_RX = re.compile(
-    r'(\d+\.\d+\.\d+\.\d+).*\[(.*?)\].*"(GET|POST) (.*?) HTTP/.*?" (\d{3}).*?"(.*?)" "(.*?)"'
-)
-
-def get_ip(request):
-    xff = request.META.get("HTTP_X_FORWARDED_FOR", "")
-    if xff:
-        return xff.split(",")[0].strip()
-    return request.META.get("REMOTE_ADDR", "")
-
-def read_rotated_logs(base_path):
-    lines = []
-    if os.path.exists(base_path):
-        with open(base_path, "r", encoding="utf-8", errors="ignore") as f:
-            lines.extend(f.readlines())
-    for path in sorted(glob.glob(base_path + ".*")):
-        opener = gzip.open if path.endswith(".gz") else open
-        try:
-            with opener(path, "rt", encoding="utf-8", errors="ignore") as f:
-                lines.extend(f.readlines())
-        except OSError:
-            continue
-    return lines
-
-def parse_log_line(line):
-    m = _LOG_RX.search(line)
-    if not m:
-        return None
-    ip, ts_str, _, path, status, ref, ua = m.groups()
-    try:
-        ts = datetime.strptime(ts_str.split()[0], "%d/%b/%Y:%H:%M:%S")
-    except ValueError:
-        return None
-    rt_m = re.search(r'response-time=(\d+\.\d+)', line)
-    rt = float(rt_m.group(1)) if rt_m else 0.0
-    return {
-        "ip": ip,
-        "timestamp": ts,
-        "path": path,
-        "status": status,
-        "referer": ref,
-        "user_agent": ua,
-        "response_time": rt
-    }