Baffle-WAF/baffle-hub
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Add a rules controller

Browse Source
This commit is contained in:
Dan Milne
2025-11-04 09:47:11 +11:00
parent 5ff166613e
commit c72d83acda
14 changed files with 272 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
app/controllers/api/events_controller.rb
View File

@@ -18,8 +18,42 @@ class Api::EventsController < ApplicationController
headers: extract_serializable_headers(request)
)
# Always return 200 OK to avoid agent retries
head :ok
# Include rule version in response for agent optimization
rule_version = Rule.latest_version
response.headers['X-Rule-Version'] = rule_version.to_s
# Get current sampling for back-pressure management
current_sampling = HubLoad.current_sampling
response.headers['X-Sample-Rate'] = current_sampling[:allowed_requests].to_s
response.headers['X-Sample-Until'] = current_sampling[:effective_until]
# Check if agent sent a rule version to compare against
client_version = request.headers['X-Rule-Version']&.to_i
response_data = {
success: true,
rule_version: rule_version,
sampling: current_sampling
}
# If agent has old rules or no version, include new rules in response
if client_version.blank? || client_version != rule_version
# Get rules updated since client version
if client_version.present?
since_time = Time.at(client_version / 1_000_000, client_version % 1_000_000)
rules = Rule.where("updated_at > ?", since_time).enabled.sync_order
else
# Full sync for new agents
rules = Rule.active.sync_order
end
response_data[:rules] = rules.map(&:to_agent_format)
response_data[:rules_changed] = true
else
response_data[:rules_changed] = false
end
render json: response_data
rescue DsnAuthenticationService::AuthenticationError => e
Rails.logger.warn "DSN authentication failed: #{e.message}"
head :unauthorized

26
app/controllers/api/rules_controller.rb
View File

@@ -9,15 +9,18 @@ module Api
# GET /api/:public_key/rules/version
# Quick version check - returns latest updated_at timestamp
def version
current_sampling = HubLoad.current_sampling
response.headers['X-Sample-Rate'] = current_sampling[:allowed_requests].to_s
render json: {
version: Rule.latest_version,
count: Rule.active.count,
sampling: HubLoad.current_sampling
sampling: current_sampling
}
end
# GET /api/:public_key/rules?since=2024-11-03T12:00:00.000Z
# Incremental sync - returns rules updated since timestamp
# GET /api/:public_key/rules?since=1730646186272060
# Incremental sync - returns rules updated since timestamp (microsecond Unix timestamp)
# GET /api/:public_key/rules
# Full sync - returns all active rules
def index
@@ -30,9 +33,12 @@ module Api
Rule.active.sync_order
end
current_sampling = HubLoad.current_sampling
response.headers['X-Sample-Rate'] = current_sampling[:allowed_requests].to_s
render json: {
version: Rule.latest_version,
sampling: HubLoad.current_sampling,
sampling: current_sampling,
rules: rules.map(&:to_agent_format)
}
rescue ArgumentError => e
@@ -59,9 +65,17 @@ module Api
end
def parse_timestamp(timestamp_str)
Time.parse(timestamp_str)
# Parse microsecond Unix timestamp
unless timestamp_str.match?(/^\d+$/)
raise ArgumentError, "Invalid timestamp format. Expected microsecond Unix timestamp (e.g., 1730646186272060)"
end
total_microseconds = timestamp_str.to_i
seconds = total_microseconds / 1_000_000
microseconds = total_microseconds % 1_000_000
Time.at(seconds, microseconds)
rescue ArgumentError => e
raise ArgumentError, "Invalid timestamp format. Expected ISO8601 format (e.g., 2024-11-03T12:00:00.000Z)"
raise ArgumentError, "Invalid timestamp format: #{e.message}. Use microsecond Unix timestamp (e.g., 1730646186272060)"
end
end
end

6
app/controllers/projects_controller.rb
View File

@@ -44,7 +44,7 @@ class ProjectsController < ApplicationController
# Apply filters
@events = @events.by_ip(params[:ip]) if params[:ip].present?
@events = @events.by_action(params[:action]) if params[:action].present?
@events = @events.by_waf_action(params[:action]) if params[:action].present?
@events = @events.where(country_code: params[:country]) if params[:country].present?
# Debug info
@@ -81,8 +81,8 @@ class ProjectsController < ApplicationController
# Action distribution
@action_stats = @project.events
.where(timestamp: @time_range.hours.ago..Time.current)
.group(:action)
.select('action, COUNT(*) as count')
.group(:waf_action)
.select('waf_action as action, COUNT(*) as count')
.order('count DESC')
end

88
app/controllers/rules_controller.rb Normal file
View File

@@ -0,0 +1,88 @@
# frozen_string_literal: true
class RulesController < ApplicationController
before_action :set_rule, only: [:show, :edit, :update, :disable, :enable]
before_action :authorize_rule
# GET /rules
def index
@rules = Rule.includes(:project).order(created_at: :desc)
@rule_types = Rule::RULE_TYPES
@actions = Rule::ACTIONS
end
# GET /rules/new
def new
@rule = Rule.new
@rule_types = Rule::RULE_TYPES
@actions = Rule::ACTIONS
end
# POST /rules
def create
@rule = Rule.new(rule_params)
@rule_types = Rule::RULE_TYPES
@actions = Rule::ACTIONS
if @rule.save
redirect_to @rule, notice: 'Rule was successfully created.'
else
render :new, status: :unprocessable_entity
end
end
# GET /rules/:id
def show
end
# GET /rules/:id/edit
def edit
@rule_types = Rule::RULE_TYPES
@actions = Rule::ACTIONS
end
# PATCH/PUT /rules/:id
def update
if @rule.update(rule_params)
redirect_to @rule, notice: 'Rule was successfully updated.'
else
render :edit, status: :unprocessable_entity
end
end
# POST /rules/:id/disable
def disable
reason = params[:reason] || "Disabled manually"
@rule.disable!(reason: reason)
redirect_to @rule, notice: 'Rule was successfully disabled.'
end
# POST /rules/:id/enable
def enable
@rule.enable!
redirect_to @rule, notice: 'Rule was successfully enabled.'
end
private
def set_rule
@rule = Rule.find(params[:id])
end
def authorize_rule
# Add authorization logic here if needed
# For now, allow all authenticated users
end
def rule_params
params.require(:rule).permit(
:rule_type,
:action,
:conditions,
:metadata,
:expires_at,
:enabled,
:source
)
end
end

4
app/models/current.rb
View File

@@ -6,11 +6,11 @@ class Current < ActiveSupport::CurrentAttributes
attribute :project
attribute :ip
def self.baffle_host
def baffle_host
@baffle_host || ENV.fetch("BAFFLE_HOST", "localhost:3000")
end
def self.baffle_internal_host
def baffle_internal_host
@baffle_internal_host || ENV.fetch("BAFFLE_INTERNAL_HOST", nil)
end
end

7
app/models/project.rb
View File

@@ -43,15 +43,16 @@ class Project < ApplicationRecord
end
def dsn
host = Current.baffle_host || "localhost:3000"
host = Current.baffle_host || ENV.fetch("BAFFLE_HOST", "localhost:3000")
protocol = host.include?("localhost") ? "http" : "https"
"#{protocol}://#{public_key}@#{host}/#{slug}"
end
def internal_dsn
return nil unless Current.baffle_internal_host.present?
internal_host = Current.baffle_internal_host || ENV.fetch("BAFFLE_INTERNAL_HOST", nil)
return nil unless internal_host.present?
host = Current.baffle_internal_host
host = internal_host
protocol = "http" # Internal connections use HTTP
"#{protocol}://#{public_key}@#{host}/#{slug}"
end

9
app/models/rule.rb
View File

@@ -62,8 +62,15 @@ class Rule < ApplicationRecord
end
# Class method to get latest version (for sync cursor)
# Returns microsecond Unix timestamp for efficient machine comparison
def self.latest_version
maximum(:updated_at)&.iso8601(6) || Time.current.iso8601(6)
max_time = maximum(:updated_at)
if max_time
# Convert to microseconds since epoch
(max_time.to_f * 1_000_000).to_i
else
(Time.current.to_f * 1_000_000).to_i
end
end
# Disable rule (soft delete)

2
app/services/dsn_authentication_service.rb
View File

@@ -70,7 +70,7 @@ class DsnAuthenticationService
raise AuthenticationError, "Invalid public_key" unless project
# Verify project_id matches (supports both slug and ID)
project_matches = Project.find_by_project_id(project_id)
project_matches = Project.find_by(slug: project_id) || Project.find_by(id: project_id)
raise AuthenticationError, "Invalid project_id" unless project_matches == project
# Ensure project is enabled

14
app/services/hub_load.rb
View File

@@ -35,6 +35,20 @@ class HubLoad
}
end
# Test method for different load levels
def self.test_sampling(load_level)
rates = SAMPLING_RATES[load_level] || SAMPLING_RATES[:normal]
{
allowed_requests: rates[:allowed],
blocked_requests: rates[:blocked],
rate_limited_requests: rates[:rate_limited],
effective_until: next_sync_time,
load_level: load_level,
queue_depth: THRESHOLDS[load_level].first + 100
}
end
# Calculate when sampling should be rechecked (next agent sync)
def self.next_sync_time
10.seconds.from_now.iso8601(3)

6
app/views/projects/show.html.erb
View File

@@ -2,7 +2,7 @@
<h1><%= @project.name %></h1>
<div>
<%= link_to "Edit", edit_project_path(@project), class: "btn btn-secondary" %>
<%= link_to "Events", events_project_path(@project), class: "btn btn-primary" %>
<%= link_to "Events", project_events_path(@project), class: "btn btn-primary" %>
<%= link_to "Analytics", analytics_project_path(@project), class: "btn btn-info" %>
</div>
</div>
@@ -75,7 +75,7 @@
<td><%= event.ip_address %></td>
<td>
<span class="badge bg-<%= event.blocked? ? 'danger' : event.allowed? ? 'success' : 'warning' %>">
<%= event.action %>
<%= event.waf_action %>
</span>
</td>
<td><code><%= event.request_path %></code></td>
@@ -86,7 +86,7 @@
</table>
</div>
<div class="text-end">
<%= link_to "View All Events", events_project_path(@project), class: "btn btn-primary btn-sm" %>
<%= link_to "View All Events", project_events_path(@project), class: "btn btn-primary btn-sm" %>
</div>
<% else %>
<p class="text-muted">No events received yet.</p>