Baffle-WAF/baffle-hub
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

First commit!

Browse Source
This commit is contained in:
Dan Milne
2025-11-03 17:37:28 +11:00
commit 429d41eead
141 changed files with 5890 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

0
app/assets/builds/.keep Normal file
View File

0
app/assets/images/.keep Normal file
View File

10
app/assets/stylesheets/application.css Normal file
View File

@@ -0,0 +1,10 @@
/*
* This is a manifest file that'll be compiled into application.css.
*
* With Propshaft, assets are served efficiently without preprocessing steps. You can still include
* application-wide styles in this file, but keep in mind that CSS precedence will follow the standard
* cascading order, meaning styles declared later in the document or manifest will override earlier ones,
* depending on specificity.
*
* Consider organizing styles into separate files for maintainability.
*/

1
app/assets/tailwind/application.css Normal file
View File

@@ -0,0 +1 @@
@import "tailwindcss";

75
app/controllers/api/events_controller.rb Normal file
View File

@@ -0,0 +1,75 @@
# frozen_string_literal: true
class Api::EventsController < ApplicationController
skip_before_action :verify_authenticity_token
# POST /api/:project_id/events
def create
project = authenticate_project!
return head :not_found unless project
# Parse the incoming WAF event data
event_data = parse_event_data(request)
# Create event asynchronously
ProcessWafEventJob.perform_later(
project_id: project.id,
event_data: event_data,
headers: extract_serializable_headers(request)
)
# Always return 200 OK to avoid agent retries
head :ok
rescue DsnAuthenticationService::AuthenticationError => e
Rails.logger.warn "DSN authentication failed: #{e.message}"
head :unauthorized
rescue JSON::ParserError => e
Rails.logger.error "Invalid JSON in event data: #{e.message}"
head :bad_request
end
private
def authenticate_project!
DsnAuthenticationService.authenticate(request, params[:project_id])
end
def parse_event_data(request)
# Handle different content types
content_type = request.content_type || "application/json"
case content_type
when /application\/json/
JSON.parse(request.body.read)
when /application\/x-www-form-urlencoded/
# Convert form data to JSON-like hash
request.request_parameters
else
# Try to parse as JSON anyway
JSON.parse(request.body.read)
end
rescue => e
Rails.logger.error "Failed to parse event data: #{e.message}"
{}
ensure
request.body.rewind if request.body.respond_to?(:rewind)
end
def extract_serializable_headers(request)
# Only extract the headers we need for analytics, avoiding IO objects
important_headers = %w[
User-Agent Content-Type Content-Length Accept
X-Forwarded-For X-Real-IP X-Forwarded-Proto
Authorization X-Baffle-Auth X-Sentry-Auth
Referer Accept-Language Accept-Encoding
]
headers = {}
important_headers.each do |header|
value = request.headers[header]
headers[header] = value if value.present?
end
headers
end
end

9
app/controllers/application_controller.rb Normal file
View File

@@ -0,0 +1,9 @@
class ApplicationController < ActionController::Base
# Only allow modern browsers supporting webp images, web push, badges, import maps, CSS nesting, and CSS :has.
allow_browser versions: :modern
# Changes to the importmap will invalidate the etag for HTML responses
stale_when_importmap_changes
include Pagy::Backend
end

0
app/controllers/concerns/.keep Normal file
View File

33
app/controllers/events_controller.rb Normal file
View File

@@ -0,0 +1,33 @@
# frozen_string_literal: true
class EventsController < ApplicationController
before_action :set_project
def index
@events = @project.events.order(timestamp: :desc)
Rails.logger.debug "Found project? #{@project.name} / #{@project.events.count} / #{@events.count}"
Rails.logger.debug "Action: #{params[:waf_action]}"
# Apply filters
@events = @events.by_ip(params[:ip]) if params[:ip].present?
@events = @events.by_waf_action(params[:waf_action]) if params[:waf_action].present?
@events = @events.where(country_code: params[:country]) if params[:country].present?
Rails.logger.debug "after filter #{@project.name} / #{@project.events.count} / #{@events.count}"
# Debug info
Rails.logger.debug "Events count before pagination: #{@events.count}"
Rails.logger.debug "Project: #{@project&.name} (ID: #{@project&.id})"
# Paginate
@pagy, @events = pagy(@events, items: 50)
Rails.logger.debug "Events count after pagination: #{@events.count}"
Rails.logger.debug "Pagy info: #{@pagy.count} total, #{@pagy.pages} pages"
end
private
def set_project
@project = Project.find(params[:project_id]) || Project.find_by(slug: params[:project_id])
redirect_to projects_path, alert: "Project not found" unless @project
end
end

99
app/controllers/projects_controller.rb Normal file
View File

@@ -0,0 +1,99 @@
# frozen_string_literal: true
class ProjectsController < ApplicationController
before_action :set_project, only: [:show, :edit, :update, :events, :analytics]
def index
@projects = Project.order(created_at: :desc)
end
def show
@recent_events = @project.recent_events(limit: 10)
@event_count = @project.event_count(24.hours.ago)
@blocked_count = @project.blocked_count(24.hours.ago)
@waf_status = @project.waf_status
end
def new
@project = Project.new
end
def create
@project = Project.new(project_params)
if @project.save
redirect_to @project, notice: "Project was successfully created. Use this DSN for your baffle-agent: #{@project.dsn}"
else
render :new, status: :unprocessable_entity
end
end
def edit
end
def update
if @project.update(project_params)
redirect_to @project, notice: "Project was successfully updated."
else
render :edit, status: :unprocessable_entity
end
end
def events
@events = @project.events.recent.includes(:project)
# Apply filters
@events = @events.by_ip(params[:ip]) if params[:ip].present?
@events = @events.by_action(params[:action]) if params[:action].present?
@events = @events.where(country_code: params[:country]) if params[:country].present?
# Debug info
Rails.logger.debug "Events count before pagination: #{@events.count}"
Rails.logger.debug "Project: #{@project&.name} (ID: #{@project&.id})"
# Paginate
@pagy, @events = pagy(@events, items: 50)
Rails.logger.debug "Events count after pagination: #{@events.count}"
Rails.logger.debug "Pagy info: #{@pagy.count} total, #{@pagy.pages} pages"
end
def analytics
@time_range = params[:time_range]&.to_i || 24 # hours
# Basic analytics
@total_events = @project.event_count(@time_range.hours.ago)
@blocked_events = @project.blocked_count(@time_range.hours.ago)
@allowed_events = @project.allowed_count(@time_range.hours.ago)
# Top blocked IPs
@top_blocked_ips = @project.top_blocked_ips(limit: 10, time_range: @time_range.hours.ago)
# Country distribution
@country_stats = @project.events
.where(timestamp: @time_range.hours.ago..Time.current)
.where.not(country_code: nil)
.group(:country_code)
.select('country_code, COUNT(*) as count')
.order('count DESC')
.limit(10)
# Action distribution
@action_stats = @project.events
.where(timestamp: @time_range.hours.ago..Time.current)
.group(:action)
.select('action, COUNT(*) as count')
.order('count DESC')
end
private
def set_project
@project = Project.find_by(slug: params[:id]) || Project.find_by(id: params[:id])
redirect_to projects_path, alert: "Project not found" unless @project
end
def project_params
params.require(:project).permit(:name, :enabled, settings: {})
end
end

53
app/controllers/rule_sets_controller.rb Normal file
View File

@@ -0,0 +1,53 @@
# frozen_string_literal: true
class RuleSetsController < ApplicationController
before_action :set_rule_set, only: [:show, :edit, :update, :push_to_agents]
def index
@rule_sets = RuleSet.includes(:rules).by_priority
end
def show
@rules = @rule_set.rules.includes(:rule_set).by_priority
end
def new
@rule_set = RuleSet.new
end
def create
@rule_set = RuleSet.new(rule_set_params)
if @rule_set.save
redirect_to @rule_set, notice: "Rule set was successfully created."
else
render :new, status: :unprocessable_entity
end
end
def edit
end
def update
if @rule_set.update(rule_set_params)
redirect_to @rule_set, notice: "Rule set was successfully updated."
else
render :edit, status: :unprocessable_entity
end
end
def push_to_agents
@rule_set.push_to_agents!
redirect_to @rule_set, notice: "Rule set pushed to agents successfully."
end
private
def set_rule_set
@rule_set = RuleSet.find_by(slug: params[:id]) || RuleSet.find(params[:id])
end
def rule_set_params
params.require(:rule_set).permit(:name, :description, :enabled, :priority)
end
end

3
app/helpers/application_helper.rb Normal file
View File

@@ -0,0 +1,3 @@
module ApplicationHelper
include Pagy::Frontend if defined?(Pagy)
end

3
app/javascript/application.js Normal file
View File

@@ -0,0 +1,3 @@
// Configure your import map in config/importmap.rb. Read more: https://github.com/rails/importmap-rails
import "@hotwired/turbo-rails"
import "controllers"

9
app/javascript/controllers/application.js Normal file
View File

@@ -0,0 +1,9 @@
import { Application } from "@hotwired/stimulus"
const application = Application.start()
// Configure Stimulus development experience
application.debug = false
window.Stimulus = application
export { application }

7
app/javascript/controllers/hello_controller.js Normal file
View File

@@ -0,0 +1,7 @@
import { Controller } from "@hotwired/stimulus"
export default class extends Controller {
connect() {
this.element.textContent = "Hello World!"
}
}

4
app/javascript/controllers/index.js Normal file
View File

@@ -0,0 +1,4 @@
// Import and register all your controllers from the importmap via controllers/**/*_controller
import { application } from "controllers/application"
import { eagerLoadControllersFrom } from "@hotwired/stimulus-loading"
eagerLoadControllersFrom("controllers", application)

7
app/jobs/application_job.rb Normal file
View File

@@ -0,0 +1,7 @@
class ApplicationJob < ActiveJob::Base
# Automatically retry jobs that encountered a deadlock
# retry_on ActiveRecord::Deadlocked
# Most jobs are safe to ignore if the underlying records are no longer available
# discard_on ActiveJob::DeserializationError
end

87
app/jobs/event_normalization_job.rb Normal file
View File

@@ -0,0 +1,87 @@
# frozen_string_literal: true
class EventNormalizationJob < ApplicationJob
queue_as :default
# Normalize all existing events
def perform_all_events(batch_size: 1000)
total_events = Event.where(request_host_id: nil).count
Rails.logger.info "Starting normalization of #{total_events} events"
offset = 0
processed = 0
loop do
events = Event.where(request_host_id: nil)
.limit(batch_size)
.offset(offset)
.includes(:project)
break if events.empty?
events.each do |event|
begin
EventNormalizer.normalize_event!(event)
event.save!
processed += 1
rescue => e
Rails.logger.error "Failed to normalize event #{event.id}: #{e.message}"
end
end
Rails.logger.info "Processed #{processed}/#{total_events} events"
offset += batch_size
end
Rails.logger.info "Completed normalization of #{processed} events"
end
# Normalize a specific event
def perform(event_id)
event = Event.find(event_id)
EventNormalizer.normalize_event!(event)
event.save!
Rails.logger.info "Successfully normalized event #{event_id}"
rescue ActiveRecord::RecordNotFound
Rails.logger.error "Event #{event_id} not found for normalization"
rescue => e
Rails.logger.error "Failed to normalize event #{event_id}: #{e.message}"
raise
end
# Normalize events for a specific project
def perform_for_project(project_id, batch_size: 1000)
project = Project.find(project_id)
total_events = project.events.where(request_host_id: nil).count
Rails.logger.info "Starting normalization of #{total_events} events for project #{project.name}"
offset = 0
processed = 0
loop do
events = project.events
.where(request_host_id: nil)
.limit(batch_size)
.offset(offset)
break if events.empty?
events.each do |event|
begin
EventNormalizer.normalize_event!(event)
event.save!
processed += 1
rescue => e
Rails.logger.error "Failed to normalize event #{event.id}: #{e.message}"
end
end
Rails.logger.info "Processed #{processed}/#{total_events} events for project #{project.name}"
offset += batch_size
end
Rails.logger.info "Completed normalization of #{processed} events for project #{project.name}"
end
end

171
app/jobs/generate_waf_rules_job.rb Normal file
View File

@@ -0,0 +1,171 @@
# frozen_string_literal: true
class GenerateWafRulesJob < ApplicationJob
queue_as :waf_rules
def perform(project_id:, event_id:)
project = Project.find(project_id)
event = Event.find(event_id)
# Only analyze blocked events for rule generation
return unless event.blocked?
# Generate different types of rules based on patterns
generate_ip_rules(project, event)
generate_path_rules(project, event)
generate_user_agent_rules(project, event)
generate_parameter_rules(project, event)
# Notify project of new rules
project.broadcast_rules_refresh
rescue => e
Rails.logger.error "Error generating WAF rules: #{e.message}"
Rails.logger.error e.backtrace.join("\n")
end
private
def generate_ip_rules(project, event)
return unless event.ip_address.present?
# Check if this IP has multiple violations
violation_count = project.events
.by_ip(event.ip_address)
.blocked
.where(timestamp: 24.hours.ago..Time.current)
.count
# Auto-block IPs with 10+ violations in 24 hours
if violation_count >= 10 && !project.blocked_ips.include?(event.ip_address)
project.add_ip_rule(
event.ip_address,
'block',
expires_at: 7.days.from_now,
reason: "Auto-generated: #{violation_count} violations in 24 hours"
)
Rails.logger.info "Auto-blocked IP #{event.ip_address} for project #{project.slug}"
end
end
def generate_path_rules(project, event)
return unless event.request_path.present?
# Look for repeated attack patterns on specific paths
path_violations = project.events
.where(request_path: event.request_path)
.blocked
.where(timestamp: 1.hour.ago..Time.current)
.count
# Suggest path rules if 20+ violations on same path
if path_violations >= 20
suggest_path_rule(project, event.request_path, path_violations)
end
end
def generate_user_agent_rules(project, event)
return unless event.user_agent.present?
# Look for malicious user agents
ua_violations = project.events
.by_user_agent(event.user_agent)
.blocked
.where(timestamp: 1.hour.ago..Time.current)
.count
# Suggest user agent rules if 15+ violations from same UA
if ua_violations >= 15
suggest_user_agent_rule(project, event.user_agent, ua_violations)
end
end
def generate_parameter_rules(project, event)
params = event.query_params
return unless params.present?
# Look for suspicious parameter patterns
params.each do |key, value|
next unless value.is_a?(String)
# Check for common attack patterns in parameter values
if contains_attack_pattern?(value)
param_violations = project.events
.where("payload LIKE ?", "%#{key}%#{value}%")
.blocked
.where(timestamp: 6.hours.ago..Time.current)
.count
if param_violations >= 5
suggest_parameter_rule(project, key, value, param_violations)
end
end
end
end
def suggest_path_rule(project, path, violation_count)
# Create an issue for manual review
Issue.create!(
project: project,
title: "Suggested Path Rule",
description: "Path '#{path}' has #{violation_count} violations in 1 hour",
severity: "low",
metadata: {
type: "path_rule",
path: path,
violation_count: violation_count,
suggested_action: "block"
}
)
end
def suggest_user_agent_rule(project, user_agent, violation_count)
# Create an issue for manual review
Issue.create!(
project: project,
title: "Suggested User Agent Rule",
description: "User Agent '#{user_agent}' has #{violation_count} violations in 1 hour",
severity: "low",
metadata: {
type: "user_agent_rule",
user_agent: user_agent,
violation_count: violation_count,
suggested_action: "block"
}
)
end
def suggest_parameter_rule(project, param_name, param_value, violation_count)
# Create an issue for manual review
Issue.create!(
project: project,
title: "Suggested Parameter Rule",
description: "Parameter '#{param_name}' with suspicious values has #{violation_count} violations",
severity: "medium",
metadata: {
type: "parameter_rule",
param_name: param_name,
param_value: param_value,
violation_count: violation_count,
suggested_action: "block"
}
)
end
def contains_attack_pattern?(value)
# Common attack patterns
attack_patterns = [
/<script/i, # XSS
/union.*select/i, # SQL injection
/\.\./, # Directory traversal
/\/etc\/passwd/i, # File inclusion
/cmd\.exe/i, # Command injection
/eval\(/i, # Code injection
/javascript:/i, # JavaScript protocol
/onload=/i, # Event handler injection
]
attack_patterns.any? { |pattern| value.match?(pattern) }
end
end

126
app/jobs/process_waf_analytics_job.rb Normal file
View File

@@ -0,0 +1,126 @@
# frozen_string_literal: true
class ProcessWafAnalyticsJob < ApplicationJob
queue_as :waf_analytics
def perform(project_id:, event_id:)
project = Project.find(project_id)
event = Event.find(event_id)
# Analyze event patterns
analyze_traffic_patterns(project, event)
analyze_geographic_distribution(project, event)
analyze_attack_vectors(project, event)
# Update project analytics cache
update_project_analytics(project)
rescue => e
Rails.logger.error "Error processing WAF analytics: #{e.message}"
Rails.logger.error e.backtrace.join("\n")
end
private
def analyze_traffic_patterns(project, event)
# Look for unusual traffic spikes
recent_events = project.events.where(timestamp: 5.minutes.ago..Time.current)
if recent_events.count > project.rate_limit_threshold * 5
# High traffic detected - create an issue
Issue.create!(
project: project,
title: "High Traffic Spike Detected",
description: "Detected #{recent_events.count} requests in the last 5 minutes",
severity: "medium",
event_id: event.id,
metadata: {
event_count: recent_events.count,
time_window: "5 minutes",
threshold: project.rate_limit_threshold * 5
}
)
end
end
def analyze_geographic_distribution(project, event)
return unless event.country_code.present?
# Check if this country is unusual for this project
country_events = project.events
.where(country_code: event.country_code)
.where(timestamp: 1.hour.ago..Time.current)
# If this is the first event from this country or unusual spike
if country_events.count == 1 || country_events.count > 100
Rails.logger.info "Unusual geographic activity from #{event.country_code} for project #{project.slug}"
end
end
def analyze_attack_vectors(project, event)
return unless event.blocked?
# Analyze common attack patterns
analyze_ip_reputation(project, event)
analyze_user_agent_patterns(project, event)
analyze_path_attacks(project, event)
end
def analyze_ip_reputation(project, event)
return unless event.ip_address.present?
# Count recent blocks from this IP
recent_blocks = project.events
.by_ip(event.ip_address)
.blocked
.where(timestamp: 1.hour.ago..Time.current)
if recent_blocks.count >= 5
# Suggest automatic IP block
project.add_ip_rule(
event.ip_address,
'block',
expires_at: 24.hours.from_now,
reason: "Automated block: #{recent_blocks.count} violations in 1 hour"
)
end
end
def analyze_user_agent_patterns(project, event)
return unless event.user_agent.present?
# Look for common bot/user agent patterns
suspicious_patterns = [
/bot/i, /crawler/i, /spider/i, /scanner/i,
/python/i, /curl/i, /wget/i, /nmap/i
]
if suspicious_patterns.any? { |pattern| event.user_agent.match?(pattern) }
# Log suspicious user agent for potential rule generation
Rails.logger.info "Suspicious user agent detected: #{event.user_agent}"
end
end
def analyze_path_attacks(project, event)
return unless event.request_path.present?
# Look for common attack paths
attack_patterns = [
/\.\./, # Directory traversal
/admin/i, # Admin panel access
/wp-admin/i, # WordPress admin
/\.php/i, # PHP files
/union.*select/i, # SQL injection
/script.*>/i # XSS attempts
]
if attack_patterns.any? { |pattern| event.request_path.match?(pattern) }
Rails.logger.info "Potential attack path detected: #{event.request_path}"
end
end
def update_project_analytics(project)
# Update cached analytics for faster dashboard loading
Rails.cache.delete("project_#{project.id}_analytics")
end
end

52
app/jobs/process_waf_event_job.rb Normal file
View File

@@ -0,0 +1,52 @@
# frozen_string_literal: true
class ProcessWafEventJob < ApplicationJob
queue_as :waf_events
def perform(project_id:, event_data:, headers:)
project = Project.find(project_id)
# Handle both single event and events array
events_to_process = []
if event_data.key?('events') && event_data['events'].is_a?(Array)
# Multiple events in an array
events_to_process = event_data['events']
elsif event_data.key?('event_id')
# Single event
events_to_process = [event_data]
else
Rails.logger.warn "Invalid event data format: missing event_id or events array"
return
end
events_to_process.each do |single_event_data|
begin
# Generate unique event ID if not provided
event_id = single_event_data['event_id'] || SecureRandom.uuid
# Create the WAF event record
event = Event.create_from_waf_payload!(event_id, single_event_data, project)
# Trigger analytics processing
ProcessWafAnalyticsJob.perform_later(project_id: project_id, event_id: event.id)
# Check for automatic rule generation opportunities
GenerateWafRulesJob.perform_later(project_id: project_id, event_id: event.id)
Rails.logger.info "Processed WAF event #{event_id} for project #{project.slug}"
rescue ActiveRecord::RecordInvalid => e
Rails.logger.error "Failed to create WAF event: #{e.message}"
Rails.logger.error e.record.errors.full_messages.join(", ")
rescue => e
Rails.logger.error "Error processing WAF event: #{e.message}"
Rails.logger.error e.backtrace.join("\n")
end
end
# Broadcast real-time updates once per batch
project.broadcast_events_refresh
Rails.logger.info "Processed #{events_to_process.count} WAF events for project #{project.slug}"
end
end

4
app/mailers/application_mailer.rb Normal file
View File

@@ -0,0 +1,4 @@
class ApplicationMailer < ActionMailer::Base
default from: "from@example.com"
layout "mailer"
end

3
app/models/application_record.rb Normal file
View File

@@ -0,0 +1,3 @@
class ApplicationRecord < ActiveRecord::Base
primary_abstract_class
end

0
app/models/concerns/.keep Normal file
View File

16
app/models/current.rb Normal file
View File

@@ -0,0 +1,16 @@
# frozen_string_literal: true
class Current < ActiveSupport::CurrentAttributes
attribute :baffle_host
attribute :baffle_internal_host
attribute :project
attribute :ip
def self.baffle_host
@baffle_host || ENV.fetch("BAFFLE_HOST", "localhost:3000")
end
def self.baffle_internal_host
@baffle_internal_host || ENV.fetch("BAFFLE_INTERNAL_HOST", nil)
end
end

287
app/models/event.rb Normal file
View File

@@ -0,0 +1,287 @@
# frozen_string_literal: true
class Event < ApplicationRecord
belongs_to :project
# Normalized association for hosts (most valuable compression)
belongs_to :request_host, optional: true
# Enums for fixed value sets
enum :waf_action, {
allow: 0, # allow/pass
deny: 1, # deny/block
redirect: 2, # redirect
challenge: 3 # challenge (future implementation)
}, default: :allow, scopes: false
enum :request_method, {
get: 0, # GET
post: 1, # POST
put: 2, # PUT
patch: 3, # PATCH
delete: 4, # DELETE
head: 5, # HEAD
options: 6 # OPTIONS
}, default: :get, scopes: false
# Serialize segment IDs as array for easy manipulation in Railssqit
serialize :request_segment_ids, type: Array, coder: JSON
validates :event_id, presence: true, uniqueness: true
validates :timestamp, presence: true
scope :recent, -> { order(timestamp: :desc) }
scope :by_ip, ->(ip) { where(ip_address: ip) }
scope :by_user_agent, ->(user_agent) { where(user_agent: user_agent) }
scope :by_waf_action, ->(waf_action) { where(waf_action: waf_action) }
scope :blocked, -> { where(waf_action: ['block', 'deny']) }
scope :allowed, -> { where(waf_action: ['allow', 'pass']) }
scope :rate_limited, -> { where(waf_action: 'rate_limit') }
# Path prefix matching using range queries (uses B-tree index efficiently)
scope :with_path_prefix, ->(prefix_segment_ids) {
return none if prefix_segment_ids.blank?
# Use range queries instead of LIKE for index usage
# Example: [1,2] prefix matches [1,2], [1,2,3], [1,2,3,4], etc.
prefix_str = prefix_segment_ids.to_json # "[1,2]"
# For exact match: request_segment_ids = "[1,2]"
# For prefix match: "[1,2," <= request_segment_ids < "[1,3,"
# This works because JSON arrays sort lexicographically
# Build the range upper bound by incrementing last segment ID
upper_prefix = prefix_segment_ids[0..-2] + [prefix_segment_ids.last + 1]
upper_str = upper_prefix.to_json
lower_prefix_str = "#{prefix_str[0..-2]}," # "[1,2," - matches longer paths
# Use raw SQL to bypass serializer (it expects Array but we're comparing strings)
where("request_segment_ids = ? OR (request_segment_ids >= ? AND request_segment_ids < ?)",
prefix_str, lower_prefix_str, upper_str)
}
# Path depth queries
scope :path_depth, ->(depth) {
where("json_array_length(request_segment_ids) = ?", depth)
}
scope :path_depth_greater_than, ->(depth) {
where("json_array_length(request_segment_ids) > ?", depth)
}
# Helper methods
def path_depth
request_segment_ids&.length || 0
end
def reconstructed_path
return request_path if request_segment_ids.blank?
segments = PathSegment.where(id: request_segment_ids).index_by(&:id)
'/' + request_segment_ids.map { |id| segments[id]&.segment }.compact.join('/')
end
# Extract key fields from payload before saving
before_validation :extract_fields_from_payload
# Normalize event fields after extraction
after_validation :normalize_event_fields, if: :should_normalize?
def self.create_from_waf_payload!(event_id, payload, project)
# Create the WAF request event
create!(
project: project,
event_id: event_id,
timestamp: parse_timestamp(payload["timestamp"]),
payload: payload,
# WAF-specific fields
ip_address: payload.dig("request", "ip"),
user_agent: payload.dig("request", "headers", "User-Agent"),
request_method: payload.dig("request", "method")&.downcase,
request_path: payload.dig("request", "path"),
request_url: payload.dig("request", "url"),
request_protocol: payload.dig("request", "protocol"),
response_status: payload.dig("response", "status_code"),
response_time_ms: payload.dig("response", "duration_ms"),
waf_action: normalize_action(payload["waf_action"]), # Normalize incoming action values
rule_matched: payload["rule_matched"],
blocked_reason: payload["blocked_reason"],
# Server/Environment info
server_name: payload["server_name"],
environment: payload["environment"],
# Geographic data
country_code: payload.dig("geo", "country_code"),
city: payload.dig("geo", "city"),
# WAF agent info
agent_version: payload.dig("agent", "version"),
agent_name: payload.dig("agent", "name")
)
end
def self.normalize_action(action)
return "allow" if action.nil? || action.blank?
case action.to_s.downcase
when "allow", "pass", "allowed"
"allow"
when "deny", "block", "blocked", "deny_access"
"deny"
when "challenge"
"challenge"
when "redirect"
"redirect"
else
Rails.logger.warn "Unknown action '#{action}', defaulting to 'allow'"
"allow"
end
end
def self.parse_timestamp(timestamp)
case timestamp
when String
Time.parse(timestamp)
when Numeric
# Sentry timestamps can be in seconds with decimals
Time.at(timestamp)
when Time
timestamp
else
Time.current
end
rescue => e
Rails.logger.error "Failed to parse timestamp #{timestamp}: #{e.message}"
Time.current
end
def request_details
return {} unless payload.present?
request_data = payload.dig("request") || {}
{
ip: request_data["ip"],
method: request_data["method"],
path: request_data["path"],
url: request_data["url"],
protocol: request_data["protocol"],
headers: request_data["headers"] || {},
query: request_data["query"] || {},
body_size: request_data["body_size"]
}
end
def response_details
return {} unless payload.present?
response_data = payload.dig("response") || {}
{
status_code: response_data["status_code"],
duration_ms: response_data["duration_ms"],
size: response_data["size"]
}
end
def geo_details
return {} unless payload.present?
payload.dig("geo") || {}
end
def tags
payload&.dig("tags") || {}
end
def headers
payload&.dig("request", "headers") || {}
end
def query_params
payload&.dig("request", "query") || {}
end
def blocked?
waf_action.in?(['block', 'deny'])
end
def allowed?
waf_action.in?(['allow', 'pass'])
end
def rate_limited?
waf_action == 'rate_limit'
end
def challenged?
waf_action == 'challenge'
end
def rule_matched?
rule_matched.present?
end
# New path methods for normalization
def path_segments
return [] unless request_path.present?
request_path.split('/').reject(&:blank?)
end
def path_segments_array
@path_segments_array ||= path_segments
end
def request_hostname
return nil unless request_url.present?
URI.parse(request_url).hostname rescue nil
end
private
def should_normalize?
request_host_id.nil? || request_segment_ids.blank?
end
def normalize_event_fields
EventNormalizer.normalize_event!(self)
rescue => e
Rails.logger.error "Failed to normalize event #{id}: #{e.message}"
end
def extract_fields_from_payload
return unless payload.present?
# Extract WAF-specific fields for direct querying
request_data = payload.dig("request") || {}
response_data = payload.dig("response") || {}
self.ip_address = request_data["ip"]
self.user_agent = request_data.dig("headers", "User-Agent")
self.request_path = request_data["path"]
self.request_url = request_data["url"]
self.response_status = response_data["status_code"]
self.response_time_ms = response_data["duration_ms"]
self.rule_matched = payload["rule_matched"]
self.blocked_reason = payload["blocked_reason"]
# Store original values for normalization (these will be normalized to IDs)
@raw_request_method = request_data["method"]
@raw_request_protocol = request_data["protocol"]
@raw_action = payload["waf_action"]
# Extract server/environment info
self.server_name = payload["server_name"]
self.environment = payload["environment"]
# Extract geographic data
geo_data = payload.dig("geo") || {}
self.country_code = geo_data["country_code"]
self.city = geo_data["city"]
# Extract agent info
agent_data = payload.dig("agent") || {}
self.agent_version = agent_data["version"]
self.agent_name = agent_data["name"]
end
end

97
app/models/issue.rb Normal file
View File

@@ -0,0 +1,97 @@
# frozen_string_literal: true
class Issue < ApplicationRecord
belongs_to :project
has_many :events, dependent: :nullify
enum :status, { open: 0, resolved: 1, ignored: 2 }
validates :title, presence: true
scope :recent, -> { order(last_seen: :desc) }
scope :by_frequency, -> { order(count: :desc) }
# Callbacks for email notifications
after_create :notify_new_issue, if: :should_notify_new_issue?
after_update :notify_issue_reopened, if: :was_reopened?
# Real-time updates
after_create_commit do
broadcast_refresh_to(project)
end
after_update_commit do
broadcast_refresh # Refreshes the issue show page
broadcast_refresh_to(project, "issues") # Refreshes the project's issues index
end
def self.group_event(event_payload, project)
fingerprint = generate_fingerprint(event_payload)
find_or_create_by(project: project, fingerprint: fingerprint) do |issue|
issue.title = extract_title(event_payload)
issue.exception_type = extract_exception_type(event_payload)
issue.first_seen = Time.current
issue.last_seen = Time.current
issue.status = :open
end
end
def self.generate_fingerprint(payload)
# Use Sentry's fingerprint if provided
if payload["fingerprint"].present?
payload["fingerprint"].join("::")
else
# Generate from exception type + location
type = payload.dig("exception", "values", 0, "type")
file = payload.dig("exception", "values", 0, "stacktrace", "frames", -1, "filename")
line = payload.dig("exception", "values", 0, "stacktrace", "frames", -1, "lineno")
# Fallback to message if no exception
if type.blank?
message = payload["message"] || "Unknown Error"
Digest::MD5.hexdigest(message)
else
"#{type}::#{file}::#{line}"
end
end
end
def self.extract_title(payload)
payload.dig("exception", "values", 0, "value") ||
payload["message"] ||
payload.dig("exception", "values", 0, "type") ||
"Unknown Error"
end
def self.extract_exception_type(payload)
payload.dig("exception", "values", 0, "type")
end
def record_event!(timestamp: Time.current)
update!(
count: count + 1,
last_seen: timestamp
)
end
private
def notify_new_issue
IssueMailer.new_issue(self).deliver_later
end
def notify_issue_reopened
IssueMailer.issue_reopened(self).deliver_later
end
def should_notify_new_issue?
# Only notify for new issues in production environment or if explicitly enabled
Rails.env.production? || ENV['SPLAT_EMAIL_NOTIFICATIONS'] == 'true'
end
def was_reopened?
# Check if status changed from resolved to open
saved_change_to_status?(from: 1, to: 0) # resolved=1, open=0
end
end

63
app/models/network_range.rb Normal file
View File

@@ -0,0 +1,63 @@
class NetworkRange < ApplicationRecord
validates :ip_address, presence: true
validates :network_prefix, presence: true, numericality: {greater_than_or_equal_to: 0, less_than_or_equal_to: 128}
validates :ip_version, presence: true, inclusion: {in: [4, 6]}
# Convenience methods for JSON fields
def abuser_scores_hash
abuser_scores ? JSON.parse(abuser_scores) : {}
end
def abuser_scores_hash=(hash)
self.abuser_scores = hash.to_json
end
def additional_data_hash
additional_data ? JSON.parse(additional_data) : {}
end
def additional_data_hash=(hash)
self.additional_data = hash.to_json
end
# Scope methods for common queries
scope :ipv4, -> { where(ip_version: 4) }
scope :ipv6, -> { where(ip_version: 6) }
scope :datacenter, -> { where(is_datacenter: true) }
scope :proxy, -> { where(is_proxy: true) }
scope :vpn, -> { where(is_vpn: true) }
scope :by_country, ->(country) { where(ip_api_country: country) }
scope :by_company, ->(company) { where(company: company) }
scope :by_asn, ->(asn) { where(asn: asn) }
# Find network ranges that contain a specific IP address
def self.contains_ip(ip_string)
ip_bytes = IPAddr.new(ip_string).hton
version = ip_string.include?(":") ? 6 : 4
where(ip_version: version).select do |range|
range.contains_ip_bytes?(ip_bytes)
end
end
def contains_ip?(ip_string)
contains_ip_bytes?(IPAddr.new(ip_string).hton)
end
def to_s
"#{ip_address_to_s}/#{network_prefix}"
end
private
def contains_ip_bytes?(ip_bytes)
# This is a simplified version - you'll need proper network math here
# For now, just check if the IP matches exactly
ip_address == ip_bytes
end
def ip_address_to_s
# Convert binary IP back to string representation
IPAddr.ntop(ip_address)
end
end

17
app/models/path_segment.rb Normal file
View File

@@ -0,0 +1,17 @@
class PathSegment < ApplicationRecord
validates :segment, presence: true, uniqueness: true
validates :usage_count, presence: true, numericality: { greater_than: 0 }
# Class method to find or create a segment
def self.find_or_create_segment(segment)
find_or_create_by(segment: segment) do |path_segment|
path_segment.usage_count = 1
path_segment.first_seen_at = Time.current
end
end
# Increment usage count
def increment_usage!
increment!(:usage_count)
end
end

211
app/models/project.rb Normal file
View File

@@ -0,0 +1,211 @@
# frozen_string_literal: true
class Project < ApplicationRecord
has_many :events, dependent: :destroy
validates :name, presence: true
validates :slug, presence: true, uniqueness: true
validates :public_key, presence: true, uniqueness: true
scope :by_slug, ->(slug) { where(slug: slug) }
scope :by_public_key, ->(key) { where(public_key: key) }
scope :enabled, -> { where(enabled: true) }
before_validation :generate_slug, if: :name?
before_validation :generate_public_key, if: -> { public_key.blank? }
before_validation :set_default_settings, if: -> { settings.blank? }
def broadcast_events_refresh
# Broadcast to the events stream for this project
broadcast_refresh_to(self, "events")
end
def broadcast_rules_refresh
# Broadcast to the rules stream for this project (for future rule management UI)
broadcast_refresh_to(self, "rules")
end
def self.find_by_dsn(dsn)
# Parse DSN: https://public_key@host/project_id
return nil unless dsn.present?
# Extract public_key from DSN
match = dsn.match(/https?:\/\/([^@]+)@/)
return nil unless match
public_key = match[1]
find_by(public_key: public_key)
end
def self.find_by_project_id(project_id)
# Try slug first (nicer URLs), then fall back to ID
find_by(slug: project_id.to_s) || find_by(id: project_id.to_i)
end
def dsn
host = Current.baffle_host || "localhost:3000"
protocol = host.include?("localhost") ? "http" : "https"
"#{protocol}://#{public_key}@#{host}/#{slug}"
end
def internal_dsn
return nil unless Current.baffle_internal_host.present?
host = Current.baffle_internal_host
protocol = "http" # Internal connections use HTTP
"#{protocol}://#{public_key}@#{host}/#{slug}"
end
# WAF Analytics Methods
def recent_events(limit: 100)
events.recent.limit(limit)
end
def recent_blocked_events(limit: 100)
events.blocked.recent.limit(limit)
end
def recent_rate_limited_events(limit: 100)
events.rate_limited.recent.limit(limit)
end
def top_blocked_ips(limit: 10, time_range: 1.hour.ago)
events.blocked
.where(timestamp: time_range)
.group(:ip_address)
.select('ip_address, COUNT(*) as count')
.order('count DESC')
.limit(limit)
end
def event_count(time_range = nil)
if time_range
events.where(timestamp: time_range).count
else
events.count
end
end
def blocked_count(time_range = nil)
if time_range
events.blocked.where(timestamp: time_range).count
else
events.blocked.count
end
end
def allowed_count(time_range = nil)
if time_range
events.allowed.where(timestamp: time_range).count
else
events.allowed.count
end
end
# Helper method to parse settings safely
def parsed_settings
if settings.is_a?(String)
JSON.parse(settings || '{}')
else
settings || {}
end
rescue JSON::ParserError
{}
end
# WAF Configuration Methods
def rate_limit_enabled?
parsed_settings.dig('rate_limiting', 'enabled') != false
end
def rate_limit_threshold
parsed_settings.dig('rate_limiting', 'threshold') || 100
end
def custom_rules_enabled?
parsed_settings.dig('custom_rules', 'enabled') == true
end
def block_by_country_enabled?
parsed_settings.dig('geo_blocking', 'enabled') == true
end
def blocked_countries
parsed_settings.dig('geo_blocking', 'blocked_countries') || []
end
def block_datacenters_enabled?
parsed_settings.dig('datacenter_blocking', 'enabled') == true
end
# WAF Rule Management
def add_ip_rule(ip_address, action, expires_at: nil, reason: nil)
# This will integrate with the IP rules storage system
# For now, store in settings as a temporary solution
current_settings = parsed_settings
ip_rules = current_settings['ip_rules'] || {}
ip_rules[ip_address] = {
action: action,
expires_at: expires_at&.iso8601,
reason: reason,
created_at: Time.current.iso8601
}
update(settings: current_settings.merge('ip_rules' => ip_rules))
end
def remove_ip_rule(ip_address)
current_settings = parsed_settings
ip_rules = current_settings['ip_rules'] || {}
ip_rules.delete(ip_address)
update(settings: current_settings.merge('ip_rules' => ip_rules))
end
def blocked_ips
ip_rules = parsed_settings['ip_rules'] || {}
ip_rules.select { |_ip, rule| rule['action'] == 'block' }.keys
end
def waf_status
return 'disabled' unless enabled?
return 'active' if events.where(timestamp: 1.hour.ago..).exists?
'idle'
end
private
def generate_slug
self.slug = name&.parameterize&.downcase
end
def generate_public_key
# Generate a random 32-character hex string for WAF authentication
self.public_key = SecureRandom.hex(16)
end
def set_default_settings
self.settings = {
'rate_limiting' => {
'enabled' => true,
'threshold' => 100, # requests per minute
'window' => 60 # seconds
},
'geo_blocking' => {
'enabled' => false,
'blocked_countries' => []
},
'datacenter_blocking' => {
'enabled' => false,
'allow_known_datacenters' => true
},
'custom_rules' => {
'enabled' => false,
'rules' => []
},
'ip_rules' => {},
'challenge' => {
'enabled' => true,
'provider' => 'recaptcha'
}
}
end
end

19
app/models/request_host.rb Normal file
View File

@@ -0,0 +1,19 @@
class RequestHost < ApplicationRecord
validates :hostname, presence: true, uniqueness: true
validates :usage_count, presence: true, numericality: { greater_than: 0 }
has_many :events, dependent: :nullify
# Class method to find or create a host
def self.find_or_create_host(hostname)
find_or_create_by(hostname: hostname) do |host|
host.usage_count = 1
host.first_seen_at = Time.current
end
end
# Increment usage count
def increment_usage!
increment!(:usage_count)
end
end

126
app/models/rule.rb Normal file
View File

@@ -0,0 +1,126 @@
# frozen_string_literal: true
class Rule < ApplicationRecord
belongs_to :rule_set
validates :rule_type, presence: true, inclusion: { in: RuleSet::RULE_TYPES }
validates :target, presence: true
validates :action, presence: true, inclusion: { in: RuleSet::ACTIONS }
validates :priority, presence: true, numericality: { greater_than: 0 }
scope :enabled, -> { where(enabled: true) }
scope :by_priority, -> { order(priority: :desc, created_at: :desc) }
scope :expired, -> { where("expires_at < ?", Time.current) }
scope :not_expired, -> { where("expires_at IS NULL OR expires_at > ?", Time.current) }
# Check if rule is currently active
def active?
enabled? && (expires_at.nil? || expires_at > Time.current)
end
# Check if rule matches given request context
def matches?(context)
return false unless active?
case rule_type
when 'ip'
match_ip_rule?(context)
when 'cidr'
match_cidr_rule?(context)
when 'path'
match_path_rule?(context)
when 'user_agent'
match_user_agent_rule?(context)
when 'parameter'
match_parameter_rule?(context)
when 'method'
match_method_rule?(context)
when 'country'
match_country_rule?(context)
else
false
end
end
def to_waf_format
{
id: id,
type: rule_type,
target: target,
action: action,
conditions: conditions || {},
priority: priority,
expires_at: expires_at,
active: active?
}
end
private
def match_ip_rule?(context)
return false unless context[:ip_address]
target == context[:ip_address]
end
def match_cidr_rule?(context)
return false unless context[:ip_address]
begin
range = IPAddr.new(target)
range.include?(context[:ip_address])
rescue IPAddr::InvalidAddressError
false
end
end
def match_path_rule?(context)
return false unless context[:request_path]
# Support exact match and regex patterns
if conditions&.dig('regex') == true
Regexp.new(target).match?(context[:request_path])
else
context[:request_path].start_with?(target)
end
end
def match_user_agent_rule?(context)
return false unless context[:user_agent]
# Support exact match and regex patterns
if conditions&.dig('regex') == true
Regexp.new(target, Regexp::IGNORECASE).match?(context[:user_agent])
else
context[:user_agent].downcase.include?(target.downcase)
end
end
def match_parameter_rule?(context)
return false unless context[:query_params]
param_name = conditions&.dig('parameter_name') || target
param_value = context[:query_params][param_name]
return false unless param_value
# Check if parameter value matches pattern
if conditions&.dig('regex') == true
Regexp.new(target, Regexp::IGNORECASE).match?(param_value.to_s)
else
param_value.to_s.downcase.include?(target.downcase)
end
end
def match_method_rule?(context)
return false unless context[:request_method]
target.upcase == context[:request_method].upcase
end
def match_country_rule?(context)
return false unless context[:country_code]
target.upcase == context[:country_code].upcase
end
end

108
app/models/rule_set.rb Normal file
View File

@@ -0,0 +1,108 @@
# frozen_string_literal: true
class RuleSet < ApplicationRecord
has_many :rules, dependent: :destroy
validates :name, presence: true, uniqueness: true
validates :slug, presence: true, uniqueness: true
scope :enabled, -> { where(enabled: true) }
scope :by_priority, -> { order(priority: :desc, created_at: :desc) }
before_validation :generate_slug, if: :name?
before_validation :set_default_values
# Rule Types
RULE_TYPES = %w[ip cidr path user_agent parameter method rate_limit country].freeze
ACTIONS = %w[allow deny challenge rate_limit].freeze
def to_waf_rules
return [] unless enabled?
rules.enabled.by_priority.map do |rule|
{
id: rule.id,
type: rule.rule_type,
target: rule.target,
action: rule.action,
conditions: rule.conditions,
priority: rule.priority,
expires_at: rule.expires_at
}
end
end
def add_rule(rule_type, target, action, conditions: {}, expires_at: nil, priority: 100)
rules.create!(
rule_type: rule_type,
target: target,
action: action,
conditions: conditions,
expires_at: expires_at,
priority: priority
)
end
def remove_rule(rule_id)
rules.find(rule_id).destroy
end
def block_ip(ip_address, expires_at: nil, reason: nil)
add_rule('ip', ip_address, 'deny', expires_at: expires_at, priority: 1000)
end
def allow_ip(ip_address, expires_at: nil)
add_rule('ip', ip_address, 'allow', expires_at: expires_at, priority: 1000)
end
def block_cidr(cidr, expires_at: nil, reason: nil)
add_rule('cidr', cidr, 'deny', expires_at: expires_at, priority: 900)
end
def block_path(path, conditions: {}, expires_at: nil)
add_rule('path', path, 'deny', conditions: conditions, expires_at: expires_at, priority: 500)
end
def block_user_agent(user_agent_pattern, expires_at: nil)
add_rule('user_agent', user_agent_pattern, 'deny', expires_at: expires_at, priority: 600)
end
def push_to_agents!
# This would integrate with the agent distribution system
Rails.logger.info "Pushing rule set '#{name}' with #{rules.count} rules to agents"
# Broadcast update to connected projects
projects = Project.where(id: projects_subscription || [])
projects.each(&:broadcast_rules_refresh)
end
def active_projects
return Project.none unless projects_subscription.present?
Project.where(id: projects_subscription).enabled
end
def subscribe_project(project)
subscriptions = projects_subscription || []
subscriptions << project.id unless subscriptions.include?(project.id)
update(projects_subscription: subscriptions.uniq)
end
def unsubscribe_project(project)
subscriptions = projects_subscription || []
subscriptions.delete(project.id)
update(projects_subscription: subscriptions)
end
private
def generate_slug
self.slug = name&.parameterize&.downcase
end
def set_default_values
self.enabled = true if enabled.nil?
self.priority = 100 if priority.nil?
self.projects_subscription = [] if projects_subscription.nil?
end
end

81
app/services/dsn_authentication_service.rb Normal file
View File

@@ -0,0 +1,81 @@
# frozen_string_literal: true
class DsnAuthenticationService
class AuthenticationError < StandardError; end
def self.authenticate(request, project_id)
# Try multiple authentication methods in order of preference
# Method 1: Query parameter authentication
public_key = extract_key_from_query_params(request)
return find_project(public_key, project_id) if public_key
# Method 2: X-Baffle-Auth header (similar to X-Sentry-Auth)
public_key = extract_key_from_baffle_auth_header(request)
return find_project(public_key, project_id) if public_key
# Method 3: Authorization Bearer token
public_key = extract_key_from_authorization_header(request)
return find_project(public_key, project_id) if public_key
# Method 4: Basic auth (username is the public_key)
public_key = extract_key_from_basic_auth(request)
return find_project(public_key, project_id) if public_key
raise AuthenticationError, "No valid authentication method found"
end
private
def self.extract_key_from_query_params(request)
# Support both baffle_key and sentry_key for compatibility
request.GET['baffle_key'] || request.GET['sentry_key'] || request.GET['glitchtip_key']
end
def self.extract_key_from_baffle_auth_header(request)
auth_header = request.headers['X-Baffle-Auth'] || request.headers['X-Sentry-Auth']
return nil unless auth_header
# Parse: Baffle baffle_key=public_key, baffle_version=1
# Or: Sentry sentry_key=public_key, sentry_version=7
match = auth_header.match(/(?:baffle_key|sentry_key)=([^,\s]+)/)
match&.[](1)
end
def self.extract_key_from_authorization_header(request)
authorization_header = request.headers['Authorization']
return nil unless authorization_header
# Parse: Bearer public_key
if authorization_header.start_with?('Bearer ')
authorization_header[7..-1].strip
end
end
def self.extract_key_from_basic_auth(request)
authorization_header = request.headers['Authorization']
return nil unless authorization_header&.start_with?('Basic ')
# Decode basic auth: username:password (password is ignored)
credentials = Base64.decode64(authorization_header[6..-1])
username = credentials.split(':').first
username
end
def self.find_project(public_key, project_id)
return nil unless public_key.present? && project_id.present?
# Find project by public_key first
project = Project.find_by(public_key: public_key)
raise AuthenticationError, "Invalid public_key" unless project
# Verify project_id matches (supports both slug and ID)
project_matches = Project.find_by_project_id(project_id)
raise AuthenticationError, "Invalid project_id" unless project_matches == project
# Ensure project is enabled
raise AuthenticationError, "Project is disabled" unless project.enabled?
project
end
end

122
app/services/event_normalizer.rb Normal file
View File

@@ -0,0 +1,122 @@
# frozen_string_literal: true
class EventNormalizer
class NormalizationError < StandardError; end
# Normalize an event by populating all the normalized fields
def self.normalize_event!(event)
normalizer = new(event)
normalizer.normalize!
event
end
def initialize(event)
@event = event
end
def normalize!
return unless @event.present?
normalize_host
normalize_action
normalize_method
normalize_protocol
normalize_path_segments
end
private
def normalize_host
hostname = extract_hostname
return unless hostname
host = RequestHost.find_or_create_host(hostname)
host.increment_usage! unless host.new_record?
@event.request_host = host
end
def normalize_action
raw_action = @event.instance_variable_get(:@raw_action)
return unless raw_action.present?
action_enum = case raw_action.to_s.downcase
when 'allow', 'pass' then :allow
when 'deny', 'block' then :deny
when 'challenge' then :challenge
when 'redirect' then :redirect
else :allow
end
@event.action = action_enum
end
def normalize_method
raw_method = @event.instance_variable_get(:@raw_request_method)
return unless raw_method.present?
method_enum = case raw_method.to_s.upcase
when 'GET' then :get
when 'POST' then :post
when 'PUT' then :put
when 'PATCH' then :patch
when 'DELETE' then :delete
when 'HEAD' then :head
when 'OPTIONS' then :options
else :get
end
@event.request_method = method_enum
end
def normalize_protocol
raw_protocol = @event.instance_variable_get(:@raw_request_protocol)
return unless raw_protocol.present?
# Store the protocol directly (HTTP/1.1, HTTP/2, etc.)
# Could normalize to enum if needed, but keeping as string for flexibility
@event.request_protocol = raw_protocol
end
def normalize_path_segments
segments = @event.path_segments_array
return if segments.empty?
segment_ids = segments.map do |segment|
path_segment = PathSegment.find_or_create_segment(segment)
path_segment.increment_usage! unless path_segment.new_record?
path_segment.id
end
@event.request_segment_ids = segment_ids
end
def extract_hostname
# Try to extract hostname from various sources
return @event.request_hostname if @event.respond_to?(:request_hostname)
# Extract from request URL if available
if @event.request_url.present?
begin
uri = URI.parse(@event.request_url)
return uri.hostname
rescue URI::InvalidURIError
nil
end
end
# Extract from payload as fallback
if @event.payload.present?
url = @event.payload.dig("request", "url")
if url.present?
begin
uri = URI.parse(url)
return uri.hostname
rescue URI::InvalidURIError
nil
end
end
end
nil
end
end

112
app/views/events/index.html.erb Normal file
View File

@@ -0,0 +1,112 @@
<div class="d-flex justify-content-between align-items-center mb-4">
<h1><%= @project.name %> - Events</h1>
<div>
<%= link_to "← Back to Project", @project, class: "btn btn-secondary" %>
<%= link_to "Analytics", analytics_project_path(@project), class: "btn btn-info" %>
</div>
</div>
<!-- Filters -->
<div class="card mb-4">
<div class="card-header">
<h5>Filters</h5>
</div>
<div class="card-body">
<%= form_with url: project_events_path(@project), method: :get, local: true, class: "row g-3" do |form| %>
<div class="col-md-3">
<%= form.label :ip, "IP Address", class: "form-label" %>
<%= form.text_field :ip, value: params[:ip], class: "form-control", placeholder: "Filter by IP" %>
</div>
<div class="col-md-3">
<%= form.label :waf_action, "Action", class: "form-label" %>
<%= form.select :waf_action,
options_for_select([['All', ''], ['Allow', 'allow'], ['Block', 'block'], ['Challenge', 'challenge']], params[:waf_action]),
{}, { class: "form-select" } %>
</div>
<div class="col-md-3">
<%= form.label :country, "Country", class: "form-label" %>
<%= form.text_field :country, value: params[:country], class: "form-control", placeholder: "Country code (e.g. US)" %>
</div>
<div class="col-md-3 d-flex align-items-end">
<%= form.submit "Apply Filters", class: "btn btn-primary me-2" %>
<%= link_to "Clear", project_events_path(@project), class: "btn btn-outline-secondary" %>
</div>
<% end %>
</div>
</div>
<!-- Events Table -->
<div class="card">
<div class="card-header d-flex justify-content-between align-items-center">
<h5>Events (<%= @events.count %>)</h5>
</div>
<div class="card-body">
<% if @events.any? %>
<div class="table-responsive">
<table class="table">
<thead>
<tr>
<th>Time</th>
<th>IP Address</th>
<th>Action</th>
<th>Path</th>
<th>Method</th>
<th>Status</th>
<th>Country</th>
<th>User Agent</th>
</tr>
</thead>
<tbody>
<% @events.each do |event| %>
<tr>
<td><%= event.timestamp.strftime("%Y-%m-%d %H:%M:%S") %></td>
<td><code><%= event.ip_address %></code></td>
<td>
<span class="badge bg-<%= event.blocked? ? 'danger' : event.allowed? ? 'success' : 'warning' %>">
<%= event.waf_action %>
</span>
</td>
<td><code><%= event.request_path %></code></td>
<td><%= event.request_method %></td>
<td><%= event.response_status %></td>
<td>
<% if event.country_code.present? %>
<span class="badge bg-light text-dark"><%= event.country_code %></span>
<% else %>
<span class="text-muted">-</span>
<% end %>
</td>
<td class="text-truncate" style="max-width: 200px;" title="<%= event.user_agent %>">
<%= event.user_agent&.truncate(30) || '-' %>
</td>
</tr>
<% end %>
</tbody>
</table>
</div>
<!-- Pagination -->
<% if @pagy.pages > 1 %>
<div class="d-flex justify-content-center mt-4">
<%== pagy_nav(@pagy) %>
</div>
<div class="text-center text-muted mt-2">
Showing <%= @pagy.from %> to <%= @pagy.to %> of <%= @pagy.count %> events
</div>
<% end %>
<% else %>
<div class="text-center py-5">
<p class="text-muted mb-3">
<% if params[:ip].present? || params[:waf_action].present? || params[:country].present? %>
No events found matching your filters.
<% else %>
No events have been received yet.
<% end %>
</p>
<% if params[:ip].present? || params[:waf_action].present? || params[:country].present? %>
<%= link_to "Clear Filters", project_events_path(@project), class: "btn btn-outline-primary" %>
<% end %>
</div>
<% end %>
</div>
</div>

85
app/views/layouts/application.html.erb Normal file
View File

@@ -0,0 +1,85 @@
<!DOCTYPE html>
<html>
<head>
<title><%= content_for(:title) || "Baffle Hub - WAF Analytics" %></title>
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="application-name" content="Baffle Hub">
<meta name="mobile-web-app-capable" content="yes">
<%= csrf_meta_tags %>
<%= csp_meta_tag %>
<%= yield :head %>
<%# Enable PWA manifest for installable apps (make sure to enable in config/routes.rb too!) %>
<%#= tag.link rel: "manifest", href: pwa_manifest_path(format: :json) %>
<link rel="icon" href="/icon.png" type="image/png">
<link rel="icon" href="/icon.svg" type="image/svg+xml">
<link rel="apple-touch-icon" href="/icon.png">
<!-- Bootstrap CSS -->
<link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/css/bootstrap.min.css" rel="stylesheet">
<%# Includes all stylesheet files in app/assets/stylesheets %>
<%= stylesheet_link_tag :app, "data-turbo-track": "reload" %>
<%= javascript_importmap_tags %>
<style>
.badge { font-size: 0.8em; }
code {
background-color: #f8f9fa;
padding: 0.2rem 0.4rem;
border-radius: 0.25rem;
font-size: 0.875em;
}
.navbar-brand {
font-weight: bold;
}
</style>
</head>
<body>
<nav class="navbar navbar-expand-lg navbar-dark bg-dark">
<div class="container">
<%= link_to "Baffle Hub", root_path, class: "navbar-brand" %>
<button class="navbar-toggler" type="button" data-bs-toggle="collapse" data-bs-target="#navbarNav">
<span class="navbar-toggler-icon"></span>
</button>
<div class="collapse navbar-collapse" id="navbarNav">
<ul class="navbar-nav me-auto">
<li class="nav-item">
<%= link_to "Projects", projects_path, class: "nav-link" %>
</li>
<li class="nav-item">
<%= link_to "Rule Sets", rule_sets_path, class: "nav-link" %>
</li>
</ul>
</div>
</div>
</nav>
<div class="container mt-4">
<% if notice %>
<div class="alert alert-success alert-dismissible fade show" role="alert">
<%= notice %>
<button type="button" class="btn-close" data-bs-dismiss="alert"></button>
</div>
<% end %>
<% if alert %>
<div class="alert alert-danger alert-dismissible fade show" role="alert">
<%= alert %>
<button type="button" class="btn-close" data-bs-dismiss="alert"></button>
</div>
<% end %>
<%= yield %>
</div>
<!-- Bootstrap JS -->
<script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/js/bootstrap.bundle.min.js"></script>
</body>
</html>

13
app/views/layouts/mailer.html.erb Normal file
View File

@@ -0,0 +1,13 @@
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style>
/* Email styles need to be inline */
</style>
</head>
<body>
<%= yield %>
</body>
</html>

1
app/views/layouts/mailer.text.erb Normal file
View File

@@ -0,0 +1 @@
<%= yield %>

200
app/views/projects/analytics.html.erb Normal file
View File

@@ -0,0 +1,200 @@
<div class="d-flex justify-content-between align-items-center mb-4">
<h1><%= @project.name %> - Analytics</h1>
<div>
<%= link_to "← Back to Project", project_path(@project), class: "btn btn-secondary" %>
</div>
</div>
<!-- Time Range Selector -->
<div class="card mb-4">
<div class="card-header">
<h5>Time Range</h5>
</div>
<div class="card-body">
<%= form_with url: analytics_project_path(@project), method: :get, local: true do |form| %>
<div class="row align-items-end">
<div class="col-md-6">
<%= form.label :time_range, "Time Range", class: "form-label" %>
<%= form.select :time_range,
options_for_select([
["Last Hour", 1],
["Last 6 Hours", 6],
["Last 24 Hours", 24],
["Last 7 Days", 168],
["Last 30 Days", 720]
], @time_range),
{}, class: "form-select" %>
</div>
<div class="col-md-6">
<%= form.submit "Update", class: "btn btn-primary" %>
</div>
</div>
<% end %>
</div>
</div>
<!-- Summary Stats -->
<div class="row mb-4">
<div class="col-md-4">
<div class="card text-center">
<div class="card-body">
<h3 class="text-primary"><%= number_with_delimiter(@total_events) %></h3>
<p class="card-text">Total Events</p>
</div>
</div>
</div>
<div class="col-md-4">
<div class="card text-center">
<div class="card-body">
<h3 class="text-success"><%= number_with_delimiter(@allowed_events) %></h3>
<p class="card-text">Allowed</p>
</div>
</div>
</div>
<div class="col-md-4">
<div class="card text-center">
<div class="card-body">
<h3 class="text-danger"><%= number_with_delimiter(@blocked_events) %></h3>
<p class="card-text">Blocked</p>
</div>
</div>
</div>
</div>
<div class="row">
<!-- Top Blocked IPs -->
<div class="col-md-6">
<div class="card">
<div class="card-header">
<h5>Top Blocked IPs</h5>
</div>
<div class="card-body">
<% if @top_blocked_ips.any? %>
<div class="table-responsive">
<table class="table table-sm">
<thead>
<tr>
<th>IP Address</th>
<th>Blocked Count</th>
</tr>
</thead>
<tbody>
<% @top_blocked_ips.each do |stat| %>
<tr>
<td><code><%= stat.ip_address %></code></td>
<td><%= number_with_delimiter(stat.count) %></td>
</tr>
<% end %>
</tbody>
</table>
</div>
<% else %>
<p class="text-muted">No blocked events in this time range.</p>
<% end %>
</div>
</div>
</div>
<!-- Country Distribution -->
<div class="col-md-6">
<div class="card">
<div class="card-header">
<h5>Top Countries</h5>
</div>
<div class="card-body">
<% if @country_stats.any? %>
<div class="table-responsive">
<table class="table table-sm">
<thead>
<tr>
<th>Country</th>
<th>Events</th>
</tr>
</thead>
<tbody>
<% @country_stats.each do |stat| %>
<tr>
<td><%= stat.country_code || 'Unknown' %></td>
<td><%= number_with_delimiter(stat.count) %></td>
</tr>
<% end %>
</tbody>
</table>
</div>
<% else %>
<p class="text-muted">No country data available.</p>
<% end %>
</div>
</div>
</div>
</div>
<!-- Action Distribution -->
<div class="row mt-4">
<div class="col-md-12">
<div class="card">
<div class="card-header">
<h5>Action Distribution</h5>
</div>
<div class="card-body">
<% if @action_stats.any? %>
<div class="row">
<% @action_stats.each do |stat| %>
<div class="col-md-3 text-center mb-3">
<div class="card">
<div class="card-body">
<h4><%= stat.action.upcase %></h4>
<p class="card-text">
<span class="badge bg-<%=
case stat.action
when 'allow', 'pass' then 'success'
when 'block', 'deny' then 'danger'
when 'challenge' then 'warning'
when 'rate_limit' then 'info'
else 'secondary'
end %>">
<%= number_with_delimiter(stat.count) %>
</span>
</p>
</div>
</div>
</div>
<% end %>
</div>
<% else %>
<p class="text-muted">No action data available.</p>
<% end %>
</div>
</div>
</div>
</div>
<% if @total_events > 0 %>
<div class="row mt-4">
<div class="col-md-12">
<div class="card">
<div class="card-header">
<h5>Block Rate</h5>
</div>
<div class="card-body">
<div class="progress" style="height: 30px;">
<% blocked_percentage = (@blocked_events.to_f / @total_events * 100).round(1) %>
<% allowed_percentage = (@allowed_events.to_f / @total_events * 100).round(1) %>
<div class="progress-bar bg-success" style="width: <%= allowed_percentage %>%">
<%= allowed_percentage %>% Allowed
</div>
<div class="progress-bar bg-danger" style="width: <%= blocked_percentage %>%">
<%= blocked_percentage %>% Blocked
</div>
</div>
</div>
</div>
</div>
</div>
<% end %>
<div class="mt-4">
<%= link_to "View Events", events_project_path(@project), class: "btn btn-primary" %>
<%= link_to "Export Data", "#", class: "btn btn-secondary", onclick: "alert('Export feature coming soon!')" %>
</div>

49
app/views/projects/index.html.erb Normal file
View File

@@ -0,0 +1,49 @@
<h1>Projects</h1>
<%= link_to "New Project", new_project_path, class: "btn btn-primary mb-3" %>
<div class="row">
<% @projects.each do |project| %>
<div class="col-md-6 col-lg-4 mb-4">
<div class="card">
<div class="card-header d-flex justify-content-between align-items-center">
<h5 class="mb-0"><%= project.name %></h5>
<span class="badge <%= project.enabled? ? 'bg-success' : 'bg-secondary' %>">
<%= project.enabled? ? 'Active' : 'Disabled' %>
</span>
</div>
<div class="card-body">
<p class="card-text">
<strong>Status:</strong>
<span class="badge bg-<%= project.waf_status == 'active' ? 'success' : project.waf_status == 'idle' ? 'warning' : 'danger' %>">
<%= project.waf_status %>
</span>
</p>
<p class="card-text">
<strong>Events (24h):</strong> <%= project.event_count(24.hours.ago) %>
</p>
<p class="card-text">
<strong>Blocked (24h):</strong> <%= project.blocked_count(24.hours.ago) %>
</p>
<small class="text-muted">
<strong>DSN:</strong><br>
<code><%= project.dsn %></code>
</small>
</div>
<div class="card-footer">
<%= link_to "View", project_path(project), class: "btn btn-primary btn-sm" %>
<%= link_to "Events", events_project_path(project), class: "btn btn-secondary btn-sm" %>
<%= link_to "Analytics", analytics_project_path(project), class: "btn btn-info btn-sm" %>
</div>
</div>
</div>
<% end %>
</div>
<% if @projects.empty? %>
<div class="text-center my-5">
<h3>No projects yet</h3>
<p>Create your first project to start monitoring WAF events.</p>
<%= link_to "Create Project", new_project_path, class: "btn btn-primary" %>
</div>
<% end %>

32
app/views/projects/new.html.erb Normal file
View File

@@ -0,0 +1,32 @@
<h1>New Project</h1>
<%= form_with(model: @project, local: true) do |form| %>
<% if @project.errors.any? %>
<div class="alert alert-danger">
<h4><%= pluralize(@project.errors.count, "error") %> prohibited this project from being saved:</h4>
<ul>
<% @project.errors.full_messages.each do |message| %>
<li><%= message %></li>
<% end %>
</ul>
</div>
<% end %>
<div class="mb-3">
<%= form.label :name, class: "form-label" %>
<%= form.text_field :name, class: "form-control" %>
</div>
<div class="mb-3">
<%= form.label :enabled, class: "form-label" %>
<div class="form-check">
<%= form.check_box :enabled, class: "form-check-input" %>
<%= form.label :enabled, "Enable this project", class: "form-check-label" %>
</div>
</div>
<div class="mb-3">
<%= form.submit "Create Project", class: "btn btn-primary" %>
<%= link_to "Cancel", projects_path, class: "btn btn-secondary" %>
</div>
<% end %>

118
app/views/projects/show.html.erb Normal file
View File

@@ -0,0 +1,118 @@
<div class="d-flex justify-content-between align-items-center mb-4">
<h1><%= @project.name %></h1>
<div>
<%= link_to "Edit", edit_project_path(@project), class: "btn btn-secondary" %>
<%= link_to "Events", events_project_path(@project), class: "btn btn-primary" %>
<%= link_to "Analytics", analytics_project_path(@project), class: "btn btn-info" %>
</div>
</div>
<div class="row">
<div class="col-md-6">
<div class="card">
<div class="card-header">
<h5>Project Status</h5>
</div>
<div class="card-body">
<p><strong>Status:</strong>
<span class="badge bg-<%= @waf_status == 'active' ? 'success' : @waf_status == 'idle' ? 'warning' : 'danger' %>">
<%= @waf_status %>
</span>
</p>
<p><strong>Enabled:</strong>
<span class="badge bg-<%= @project.enabled? ? 'success' : 'secondary' %>">
<%= @project.enabled? ? 'Yes' : 'No' %>
</span>
</p>
<p><strong>Events (24h):</strong> <%= @event_count %></p>
<p><strong>Blocked (24h):</strong> <%= @blocked_count %></p>
</div>
</div>
</div>
<div class="col-md-6">
<div class="card">
<div class="card-header">
<h5>DSN Configuration</h5>
</div>
<div class="card-body">
<p><strong>DSN:</strong></p>
<code><%= @project.dsn %></code>
<button class="btn btn-sm btn-outline-primary ms-2" onclick="copyDSN()">Copy</button>
<% if @project.internal_dsn.present? %>
<hr>
<p><strong>Internal DSN:</strong></p>
<code><%= @project.internal_dsn %></code>
<% end %>
</div>
</div>
</div>
</div>
<div class="mt-4">
<div class="card">
<div class="card-header">
<h5>Recent Events</h5>
</div>
<div class="card-body">
<% if @recent_events.any? %>
<div class="table-responsive">
<table class="table table-sm">
<thead>
<tr>
<th>Time</th>
<th>IP</th>
<th>Action</th>
<th>Path</th>
<th>Status</th>
</tr>
</thead>
<tbody>
<% @recent_events.limit(5).each do |event| %>
<tr>
<td><%= event.timestamp.strftime("%H:%M:%S") %></td>
<td><%= event.ip_address %></td>
<td>
<span class="badge bg-<%= event.blocked? ? 'danger' : event.allowed? ? 'success' : 'warning' %>">
<%= event.action %>
</span>
</td>
<td><code><%= event.request_path %></code></td>
<td><%= event.response_status %></td>
</tr>
<% end %>
</tbody>
</table>
</div>
<div class="text-end">
<%= link_to "View All Events", events_project_path(@project), class: "btn btn-primary btn-sm" %>
</div>
<% else %>
<p class="text-muted">No events received yet.</p>
<% end %>
</div>
</div>
</div>
<script>
function copyDSN() {
const dsnElement = document.querySelector('code');
const textArea = document.createElement('textarea');
textArea.value = dsnElement.textContent;
document.body.appendChild(textArea);
textArea.select();
document.execCommand('copy');
document.body.removeChild(textArea);
// Show feedback
const button = event.target;
const originalText = button.textContent;
button.textContent = 'Copied!';
button.classList.add('btn-success');
setTimeout(() => {
button.textContent = originalText;
button.classList.remove('btn-success');
}, 2000);
}
</script>

22
app/views/pwa/manifest.json.erb Normal file
View File

@@ -0,0 +1,22 @@
{
"name": "BaffleHub",
"icons": [
{
"src": "/icon.png",
"type": "image/png",
"sizes": "512x512"
},
{
"src": "/icon.png",
"type": "image/png",
"sizes": "512x512",
"purpose": "maskable"
}
],
"start_url": "/",
"display": "standalone",
"scope": "/",
"description": "BaffleHub.",
"theme_color": "red",
"background_color": "red"
}

26
app/views/pwa/service-worker.js Normal file
View File

@@ -0,0 +1,26 @@
// Add a service worker for processing Web Push notifications:
//
// self.addEventListener("push", async (event) => {
// const { title, options } = await event.data.json()
// event.waitUntil(self.registration.showNotification(title, options))
// })
//
// self.addEventListener("notificationclick", function(event) {
// event.notification.close()
// event.waitUntil(
// clients.matchAll({ type: "window" }).then((clientList) => {
// for (let i = 0; i < clientList.length; i++) {
// let client = clientList[i]
// let clientPath = (new URL(client.url)).pathname
//
// if (clientPath == event.notification.data.path && "focus" in client) {
// return client.focus()
// }
// }
//
// if (clients.openWindow) {
// return clients.openWindow(event.notification.data.path)
// }
// })
// )
// })