Merge pull request #49 from crowdsecurity/standalone

mobula9 · web-flow · commit 94d687743751 · 2021-06-24T00:29:38.000+02:00
add standalone mode
diff --git a/.gitignore b/.gitignore
@@ -11,4 +11,9 @@ super-linter.log
 # App
 /var/
 .bouncer-key
-.cache
+.cache
+
+# Auto prepend demo
+examples/auto-prepend/settings.php
+examples/auto-prepend/.logs
+examples/auto-prepend/.cache
diff --git a/docs/standalone-mode.md b/docs/standalone-mode.md
@@ -0,0 +1,47 @@
+# Standalone mode
+
+There is many technical ways to bounce users.
+
+In this quick guide, you will learn how to bounce **without modifying the existing code** by running the bouncing behavior just before running the project code. For this, there is an example showing how to do it using the PHP setting `auto_prepend_file`. We will test it now.
+
+## Step 1: Create the settings.php file
+
+Start from the exising `settings.example.php`:
+
+```bash
+cd path/to/this/lib
+cp examples/auto-prepend/settings.example.php examples/auto-prepend/settings.php
+```
+
+> Note: don't forget to replace the values according to your needs in `examples/auto-prepend/settings.php`.
+
+## Step 2: start the "auto_prepend_file" mechanism
+
+Considering you're using Apache, modify (or add) the main `.htaccess` file at the root of your project, adding this single line to the top:
+
+```apacheconf
+php_value auto_prepend_file "./path/to/this/lib/examples/auto-prepend/script/bounce-via-autoprepend.php"
+```
+
+> Remember to **adapt the path to yours**. You can use absolute or relative.
+
+> **Not using apache?** If you using _NGINX_ or an other webserver, the way to modify the _PHP_ flag is different but still possible (ndlr: add a example).
+
+This will run the `bounce-via-autoprepend.php` script each time before running the main php script. If the IP has to be bounce, the script will show the wall (ban or captcha) and stop execution of the main script.
+
+## Step 3: Test the standalone bouncer
+
+Now you can a decision to ban your own IP for 5 minutes to test the correct behavior:
+
+```bash
+cscli decisions add --ip <YOUR_IP> --duration 5m --type ban
+```
+
+You can also test a captcha:
+
+```bash
+cscli decisions delete --all # be careful with this command!
+cscli decisions add --ip <YOUR_IP> --duration 15m --type captcha
+```
+
+> Well done! Feel free to give some feedback using adding Github issues.
diff --git a/examples/auto-prepend/public/.htaccess b/examples/auto-prepend/public/.htaccess
@@ -0,0 +1 @@
+php_value auto_prepend_file "../scripts/bounce-via-auto-prepend.php"
diff --git a/examples/auto-prepend/public/protected-page.php b/examples/auto-prepend/public/protected-page.php
@@ -0,0 +1,2 @@
+<h1>The way is clear!</h1>
+<p>In this example page, if you can see this text, the bouncer considers your IP as clean.</p>
diff --git a/examples/auto-prepend/scripts/bounce-via-auto-prepend.php b/examples/auto-prepend/scripts/bounce-via-auto-prepend.php
@@ -0,0 +1,11 @@
+<?php
+
+require_once __DIR__.'/../../../vendor/autoload.php';
+require_once __DIR__.'/../settings.php';
+
+use CrowdSecBouncer\StandAloneBounce;
+
+$bounce = new StandAloneBounce();
+$bounce->init($crowdSecStandaloneBouncerConfig);
+$bounce->setDebug($crowdSecStandaloneBouncerConfig['debug_mode']);
+$bounce->safelyBounce();
diff --git a/examples/auto-prepend/scripts/cron-refresh-decisions.php b/examples/auto-prepend/scripts/cron-refresh-decisions.php
@@ -0,0 +1,12 @@
+<?php
+
+require_once __DIR__.'/../../../vendor/autoload.php';
+require_once __DIR__.'/../settings.php';
+
+use CrowdSecBouncer\StandAloneBounce;
+
+$bounce = new StandAloneBounce();
+$bounce->init($crowdSecStandaloneBouncerConfig);
+$bouncer = $bounce->getBouncerInstance();
+$bouncer->refreshBlocklistCache();
+echo 'OK';
diff --git a/examples/auto-prepend/settings.example.php b/examples/auto-prepend/settings.example.php
@@ -0,0 +1,51 @@
+<?php
+
+use CrowdSecBouncer\Constants;
+
+$crowdSecStandaloneBouncerConfig = [
+    'api_url' => 'http://url-to-your-lapi:8080', // [FILL ME] Set the LAPI URL here. Example in the docker-compose dev context, use http://crowdsec:8080
+    'api_key' => '...', // [FILL ME] Set a bouncer key here
+    'debug_mode' => false, // [FILL ME] Set to true to stop the process and display errors if any
+    'log_directory_path' => __DIR__.'/.logs', // [FILL ME] Important note: be sur this path won't be publicly accessible!
+    'fs_cache_path' => __DIR__.'/.cache', // [FILL ME] Important note: be sur this path won't be publicly accessible!
+
+    'bouncing_level' => Constants::BOUNCING_LEVEL_NORMAL,
+
+    'stream_mode' => false,
+
+    'cache_system' => Constants::CACHE_SYSTEM_PHPFS,
+    'redis_dsn' => '',
+    'memcached_dsn' => '',
+
+    'clean_ip_cache_duration' => Constants::CACHE_EXPIRATION_FOR_CLEAN_IP,
+    'bad_ip_cache_duration' => Constants::CACHE_EXPIRATION_FOR_BAD_IP,
+    'fallback_remediation' => Constants::REMEDIATION_CAPTCHA,
+
+    'hide_mentions' => false,
+    'trust_ip_forward' => '',
+    'trust_ip_forward_array' => [],
+
+    'theme_color_text_primary' => 'black',
+    'theme_color_text_secondary' => '#AAA',
+    'theme_color_text_button' => 'white',
+    'theme_color_text_error_message' => '#b90000',
+    'theme_color_background_page' => '#eee',
+    'theme_color_background_container' => 'white',
+    'theme_color_background_button' => '#626365',
+    'theme_color_background_button_hover' => '#333',
+
+    'theme_text_captcha_wall_tab_title' => 'Oops..',
+    'theme_text_captcha_wall_title' => 'Hmm, sorry but...',
+    'theme_text_captcha_wall_subtitle' => 'Please complete the security check.',
+    'theme_text_captcha_wall_refresh_image_link' => 'refresh image',
+    'theme_text_captcha_wall_captcha_placeholder' => 'Type here...',
+    'theme_text_captcha_wall_send_button' => 'CONTINUE',
+    'theme_text_captcha_wall_error_message' => 'Please try again.',
+    'theme_text_captcha_wall_footer' => '',
+
+    'theme_text_ban_wall_tab_title' => 'Oops..',
+    'theme_text_ban_wall_title' => '🤭 Oh!',
+    'theme_text_ban_wall_subtitle' => 'This page is protected against cyber attacks and your IP has been banned by our system.',
+    'theme_text_ban_wall_footer' => '',
+    'theme_custom_css' => '',
+];
diff --git a/src/AbstractBounce.php b/src/AbstractBounce.php
@@ -0,0 +1,250 @@
+<?php
+
+namespace CrowdSecBouncer;
+
+require_once __DIR__.'/templates/captcha.php';
+require_once __DIR__.'/templates/access-forbidden.php';
+
+use IPLib\Factory;
+use Monolog\Formatter\LineFormatter;
+use Monolog\Handler\RotatingFileHandler;
+use Monolog\Logger;
+use Psr\Log\LoggerInterface;
+
+/**
+ * The class that apply a bounce.
+ *
+ * @author    CrowdSec team
+ *
+ * @see      https://crowdsec.net CrowdSec Official Website
+ *
+ * @copyright Copyright (c) 2021+ CrowdSec
+ * @license   MIT License
+ */
+abstract class AbstractBounce
+{
+    /** @var array */
+    protected $settings = [];
+
+    /** @var bool */
+    protected $debug = false;
+
+    /** @var LoggerInterface */
+    protected $logger;
+
+    /** @var Bouncer */
+    protected $bouncer;
+
+    protected function getStringSettings(string $name): string
+    {
+        return $this->settings[$name];
+    }
+
+    protected function getArraySettings(string $name): array
+    {
+        return $this->settings[$name];
+    }
+
+    /**
+     * Run a bounce.
+     */
+    public function run(
+    ): void {
+        if ($this->shouldBounceCurrentIp()) {
+            $this->bounceCurrentIp();
+        }
+    }
+
+    public function setDebug(bool $debug)
+    {
+        $this->debug = $debug;
+    }
+
+    protected function initLoggerHelper($logDirectoryPath, $loggerName): void
+    {
+        // Singleton for this function
+        if ($this->logger) {
+            return;
+        }
+
+        $this->logger = new Logger($loggerName);
+        $logPath = $logDirectoryPath.'/prod.log';
+        $fileHandler = new RotatingFileHandler($logPath, 0, Logger::INFO);
+        $fileHandler->setFormatter(new LineFormatter("%datetime%|%level%|%context%\n"));
+        $this->logger->pushHandler($fileHandler);
+
+        // Set custom readable logger when debug=true
+        if ($this->debug) {
+            $debugLogPath = $logDirectoryPath.'/debug.log';
+            $debugFileHandler = new RotatingFileHandler($debugLogPath, 0, Logger::DEBUG);
+            if (class_exists('\Bramus\Monolog\Formatter\ColoredLineFormatter')) {
+                $debugFileHandler->setFormatter(new \Bramus\Monolog\Formatter\ColoredLineFormatter(null, "[%datetime%] %message% %context%\n", 'H:i:s'));
+                $this->logger->pushHandler($debugFileHandler);
+            }
+        }
+    }
+
+    protected function bounceCurrentIp()
+    {
+        $ip = $this->getRemoteIp();
+
+        // X-Forwarded-For override
+        $XForwardedForHeader = $this->getHttpRequestHeader('X-Forwarded-For');
+        if (null !== $XForwardedForHeader) {
+            $ipList = array_map('trim', array_values(array_filter(explode(',', $XForwardedForHeader))));
+            $forwardedIp = end($ipList);
+            if ($this->shouldTrustXforwardedFor($ip)) {
+                $ip = $forwardedIp;
+            } else {
+                $this->logger->warning('', [
+                'type' => 'NON_AUTHORIZED_X_FORWARDED_FOR_USAGE',
+                'original_ip' => $ip,
+                'x_forwarded_for_ip' => $forwardedIp,
+            ]);
+            }
+        }
+
+        try {
+            $this->getBouncerInstance();
+            $remediation = $this->bouncer->getRemediationForIp($ip);
+            $this->handleRemediation($remediation, $ip);
+        } catch (\Exception $e) {
+            $this->logger->warning('', [
+                'type' => 'UNKNOWN_EXCEPTION_WHILE_BOUNCING',
+                'ip' => $ip,
+                'messsage' => $e->getMessage(),
+                'code' => $e->getCode(),
+                'file' => $e->getFile(),
+                'line' => $e->getLine(),
+            ]);
+            if ($this->debug) {
+                throw $e;
+            }
+        }
+    }
+
+    protected function shouldTrustXforwardedFor(string $ip): bool
+    {
+        $comparableAddress = Factory::addressFromString($ip)->getComparableString();
+        foreach ($this->getTrustForwardedIpBoundsList() as $comparableIpBounds) {
+            if ($comparableAddress >= $comparableIpBounds[0] && $comparableAddress <= $comparableIpBounds[1]) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    protected function displayCaptchaWall()
+    {
+        $options = $this->getCaptchaWallOptions();
+        $body = Bouncer::getCaptchaHtmlTemplate(
+            $this->getSessionVariable('crowdsec_captcha_resolution_failed'),
+            $this->getSessionVariable('crowdsec_captcha_inline_image'),
+            '',
+            $options
+        );
+        $this->sendResponse($body, 401);
+    }
+
+    protected function handleBanRemediation()
+    {
+        $options = $this->getBanWallOptions();
+        $body = Bouncer::getAccessForbiddenHtmlTemplate($options);
+        $this->sendResponse($body, 403);
+    }
+
+    protected function storeNewCaptchaCoupleInSession()
+    {
+        $captchaCouple = Bouncer::buildCaptchaCouple();
+        $this->setSessionVariable('crowdsec_captcha_phrase_to_guess', $captchaCouple['phrase']);
+        $this->setSessionVariable('crowdsec_captcha_inline_image', $captchaCouple['inlineImage']);
+    }
+
+    protected function clearCaptchaSessionContext()
+    {
+        $this->unsetSessionVariable('crowdsec_captcha_has_to_be_resolved');
+        $this->unsetSessionVariable('crowdsec_captcha_phrase_to_guess');
+        $this->unsetSessionVariable('crowdsec_captcha_inline_image');
+        $this->unsetSessionVariable('crowdsec_captcha_resolution_failed');
+    }
+
+    protected function handleCaptchaResolutionForm(string $ip)
+    {
+        // Early return if no captcha has to be resolved or if captcha already resolved.
+        if (\in_array($this->getSessionVariable('crowdsec_captcha_has_to_be_resolved'), [null, false])) {
+            return;
+        }
+
+        // Early return if no form captcha form has been filled.
+        if ('POST' !== $this->getHttpMethod() || null === $this->getPostedVariable('crowdsec_captcha')) {
+            return;
+        }
+
+        // Handle image refresh.
+        if (null !== $this->getPostedVariable('refresh') && (bool) (int) $this->getPostedVariable('refresh')) {
+            // Generate new captcha image for the user
+            $this->storeNewCaptchaCoupleInSession();
+            $this->setSessionVariable('crowdsec_captcha_resolution_failed', false);
+
+            return;
+        }
+
+        // Handle a captcha resolution try
+        if (null !== $this->getPostedVariable('phrase') && null !== $this->getSessionVariable('crowdsec_captcha_phrase_to_guess')) {
+            $this->getBouncerInstance();
+            if ($this->bouncer->checkCaptcha(
+                $this->getSessionVariable('crowdsec_captcha_phrase_to_guess'),
+                $this->getPostedVariable('phrase'),
+                $ip)) {
+                // User has correctly fill the captcha
+
+                $this->setSessionVariable('crowdsec_captcha_has_to_be_resolved', false);
+                $this->unsetSessionVariable('crowdsec_captcha_phrase_to_guess');
+                $this->unsetSessionVariable('crowdsec_captcha_inline_image');
+                $this->unsetSessionVariable('crowdsec_captcha_resolution_failed');
+            } else {
+                // The user failed to resolve the captcha.
+                $this->setSessionVariable('crowdsec_captcha_resolution_failed', true);
+            }
+        }
+    }
+
+    protected function handleCaptchaRemediation($ip)
+    {
+        // Check captcha resolution form
+        $this->handleCaptchaResolutionForm($ip);
+
+        if (null === $this->getSessionVariable('crowdsec_captcha_has_to_be_resolved')) {
+            // Setup the first captcha remediation.
+
+            $this->storeNewCaptchaCoupleInSession();
+            $this->setSessionVariable('crowdsec_captcha_has_to_be_resolved', true);
+            $this->setSessionVariable('crowdsec_captcha_resolution_failed', false);
+        }
+
+        // Display captcha page if this is required.
+        if ($this->getSessionVariable('crowdsec_captcha_has_to_be_resolved')) {
+            $this->displayCaptchaWall();
+        }
+    }
+
+    protected function handleRemediation(string $remediation, string $ip)
+    {
+        if (Constants::REMEDIATION_CAPTCHA !== $remediation && null !== $this->getSessionVariable('crowdsec_captcha_has_to_be_resolved')) {
+            $this->clearCaptchaSessionContext();
+        }
+        switch ($remediation) {
+            case Constants::REMEDIATION_BYPASS:
+                return;
+            case Constants::REMEDIATION_CAPTCHA:
+                $this->handleCaptchaRemediation($ip);
+                break;
+            case Constants::REMEDIATION_BAN:
+                $this->handleBanRemediation();
+                break;
+            default:
+                return;
+        }
+    }
+}
diff --git a/src/Constants.php b/src/Constants.php
diff --git a/src/IBounce.php b/src/IBounce.php
diff --git a/src/StandAloneBounce.php b/src/StandAloneBounce.php

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+php_value auto_prepend_file "../scripts/bounce-via-auto-prepend.php"`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+<h1>The way is clear!</h1>`
	`2`	`+<p>In this example page, if you can see this text, the bouncer considers your IP as clean.</p>`