# frozen_string_literal: true class Event < ApplicationRecord # Normalized association for hosts (most valuable compression) belongs_to :request_host, optional: true # WAF rule associations belongs_to :rule, optional: true has_one :waf_policy, through: :rule # Enums for fixed value sets enum :waf_action, { allow: 0, # allow/pass deny: 1, # deny/block redirect: 2, # redirect challenge: 3 # challenge (future implementation) }, default: :allow, scopes: false enum :request_method, { get: 0, # GET post: 1, # POST put: 2, # PUT patch: 3, # PATCH delete: 4, # DELETE head: 5, # HEAD options: 6 # OPTIONS }, default: :get, scopes: false # Serialize segment IDs as array for easy manipulation in Railssqit serialize :request_segment_ids, type: Array, coder: JSON # Tags are stored as JSON arrays with PostgreSQL jsonb type # This provides direct array access and efficient indexing attribute :tags, :json, default: -> { [] } validates :request_id, presence: true, uniqueness: true validates :timestamp, presence: true scope :recent, -> { order(timestamp: :desc) } scope :by_ip, ->(ip) { where(ip_address: ip) } scope :by_user_agent, ->(user_agent) { where(user_agent: user_agent) } scope :by_waf_action, ->(waf_action) { where(waf_action: waf_action) } scope :blocked, -> { where(waf_action: :deny) } scope :allowed, -> { where(waf_action: :allow) } scope :rate_limited, -> { where(waf_action: 'rate_limit') } # Tag-based filtering scopes using PostgreSQL array operators scope :with_tag, ->(tag) { where("tags @> ARRAY[?]", tag.to_s) } scope :with_any_tags, ->(tags) { return none if tags.blank? tag_array = Array(tags).map(&:to_s) where("tags && ARRAY[?]", tag_array) } scope :with_all_tags, ->(tags) { return none if tags.blank? tag_array = Array(tags).map(&:to_s) where("tags @> ARRAY[?]", tag_array) } # Network-based filtering scopes - now using denormalized columns scope :by_company, ->(company) { where("company ILIKE ?", "%#{company}%") } scope :by_country, ->(country) { where(country: country) } scope :by_network_type, ->(type) { case type.to_s.downcase when "datacenter" where(is_datacenter: true) when "vpn" where(is_vpn: true) when "proxy" where(is_proxy: true) when "standard" where(is_datacenter: false, is_vpn: false, is_proxy: false) else none end } scope :by_asn, ->(asn) { where(asn: asn.to_i) } scope :by_network_cidr, ->(cidr) { # This still requires a join since we need to match CIDR joins(:network_range).where("network_ranges.network = ?", cidr) } # Add association for the optional network_range_id belongs_to :network_range, optional: true # Path prefix matching using range queries (uses B-tree index efficiently) scope :with_path_prefix, ->(prefix_segment_ids) { return none if prefix_segment_ids.blank? # Use range queries instead of LIKE for index usage # Example: [1,2] prefix matches [1,2], [1,2,3], [1,2,3,4], etc. prefix_str = prefix_segment_ids.to_json # "[1,2]" # For exact match: request_segment_ids = "[1,2]" # For prefix match: "[1,2," <= request_segment_ids < "[1,3," # This works because JSON arrays sort lexicographically # Build the range upper bound by incrementing last segment ID upper_prefix = prefix_segment_ids[0..-2] + [prefix_segment_ids.last + 1] upper_str = upper_prefix.to_json lower_prefix_str = "#{prefix_str[0..-2]}," # "[1,2," - matches longer paths # Use raw SQL to bypass serializer (it expects Array but we're comparing strings) where("request_segment_ids = ? OR (request_segment_ids >= ? AND request_segment_ids < ?)", prefix_str, lower_prefix_str, upper_str) } # Path depth queries scope :path_depth, ->(depth) { where("json_array_length(request_segment_ids) = ?", depth) } scope :path_depth_greater_than, ->(depth) { where("json_array_length(request_segment_ids) > ?", depth) } # Helper methods def path_depth request_segment_ids&.length || 0 end def reconstructed_path return request_path if request_segment_ids.blank? segments = PathSegment.where(id: request_segment_ids).index_by(&:id) '/' + request_segment_ids.map { |id| segments[id]&.segment }.compact.join('/') end # Extract key fields from payload before saving before_validation :extract_fields_from_payload # Normalize event fields after extraction after_validation :normalize_event_fields, if: :should_normalize? # Populate network intelligence from IP address before_save :populate_network_intelligence, if: :should_populate_network_intelligence? # Backfill network intelligence for all events def self.backfill_network_intelligence!(batch_size: 10_000) total = where(country: nil).count return 0 if total.zero? puts "Backfilling network intelligence for #{total} events..." processed = 0 where(country: nil).find_in_batches(batch_size: batch_size) do |batch| batch.each(&:save) # Triggers before_save callback processed += batch.size puts " Processed #{processed}/#{total} (#{(processed.to_f / total * 100).round(1)}%)" end processed end # Backfill network intelligence for a specific event def backfill_network_intelligence! populate_network_intelligence save! end def self.create_from_waf_payload!(request_id, payload) # Normalize headers in payload during import phase normalized_payload = normalize_payload_headers(payload) # Create the WAF request event create!( request_id: request_id, timestamp: parse_timestamp(normalized_payload["timestamp"]), payload: normalized_payload, # WAF-specific fields ip_address: normalized_payload.dig("request", "ip"), user_agent: normalized_payload.dig("request", "headers", "user-agent") || normalized_payload.dig("request", "headers", "User-Agent"), # request_method will be set by extract_fields_from_payload + normalize_event_fields request_path: normalized_payload.dig("request", "path"), request_url: normalized_payload.dig("request", "url"), # request_protocol will be set by extract_fields_from_payload + normalize_event_fields response_status: normalized_payload.dig("response", "status_code"), response_time_ms: normalized_payload.dig("response", "duration_ms"), waf_action: normalize_action(normalized_payload["waf_action"]), # Normalize incoming action values # Support both new (rule_id) and old (rule_matched) field names during cutover rule_id: normalized_payload["rule_id"] || normalized_payload["rule_matched"], blocked_reason: normalized_payload["blocked_reason"], # Server/Environment info server_name: normalized_payload["server_name"], environment: normalized_payload["environment"], # WAF agent info agent_version: normalized_payload.dig("agent", "version"), agent_name: normalized_payload.dig("agent", "name") ) end # Normalize headers in payload to lower case during import phase def self.normalize_payload_headers(payload) return payload unless payload.is_a?(Hash) # Create a deep copy to avoid modifying the original normalized = Marshal.load(Marshal.dump(payload)) # Normalize request headers if normalized.dig("request", "headers")&.is_a?(Hash) normalized["request"]["headers"] = normalized["request"]["headers"].transform_keys(&:downcase) end # Normalize response headers if they exist if normalized.dig("response", "headers")&.is_a?(Hash) normalized["response"]["headers"] = normalized["response"]["headers"].transform_keys(&:downcase) end normalized end def self.normalize_action(action) return "allow" if action.nil? || action.blank? case action.to_s.downcase when "allow", "pass", "allowed" "allow" when "deny", "block", "blocked", "deny_access" "deny" when "challenge" "challenge" when "redirect" "redirect" else Rails.logger.warn "Unknown action '#{action}', defaulting to 'allow'" "allow" end end def self.parse_timestamp(timestamp) case timestamp when String Time.parse(timestamp) when Numeric # Sentry timestamps can be in seconds with decimals Time.at(timestamp) when Time timestamp else Time.current end rescue => e Rails.logger.error "Failed to parse timestamp #{timestamp}: #{e.message}" Time.current end def request_details return {} unless payload.present? request_data = payload.dig("request") || {} { ip: request_data["ip"], method: request_data["method"], path: request_data["path"], url: request_data["url"], protocol: request_data["protocol"], headers: request_data["headers"] || {}, query: request_data["query"] || {}, body_size: request_data["body_size"] } end def response_details return {} unless payload.present? response_data = payload.dig("response") || {} { status_code: response_data["status_code"], duration_ms: response_data["duration_ms"], size: response_data["size"] } end def geo_details return {} unless payload.present? payload.dig("geo") || {} end def tags # Use the dedicated tags column (array), fallback to payload during transition super.presence || (payload&.dig("tags") || []) end def headers raw_headers = payload&.dig("request", "headers") || {} normalize_headers(raw_headers) end def query_params payload&.dig("request", "query") || {} end def blocked? waf_action.in?(['block', 'deny']) end def allowed? waf_action.in?(['allow', 'pass']) end def rate_limited? waf_action == 'rate_limit' end def challenged? waf_action == 'challenge' end def rule_matched? rule_id.present? end # New path methods for normalization def path_segments return [] unless request_path.present? request_path.split('/').reject(&:blank?) end def path_segments_array @path_segments_array ||= path_segments end def request_hostname return nil unless request_url.present? URI.parse(request_url).hostname rescue nil end # Tag helper methods def add_tag(tag) tag_str = tag.to_s self.tags = (tags + [tag_str]).uniq unless tags.include?(tag_str) end def remove_tag(tag) tag_str = tag.to_s self.tags = tags - [tag_str] if tags.include?(tag_str) end def has_tag?(tag) tags.include?(tag.to_s) end def tag_list tags.join(', ') end # Normalize headers to lower case keys during import phase def normalize_headers(headers) return {} unless headers.is_a?(Hash) headers.transform_keys(&:downcase) end # Network range resolution methods def matching_network_ranges return [] unless ip_address.present? NetworkRange.contains_ip(ip_address.to_s).map do |range| { range: range, cidr: range.cidr, prefix_length: range.prefix_length, specificity: range.prefix_length, intelligence: range.inherited_intelligence } end.sort_by { |r| -r[:specificity] } # Most specific first end def most_specific_range # Use the cached network_range_id if available (much faster) return NetworkRange.find_by(id: network_range_id) if network_range_id.present? # Fallback to expensive lookup matching_network_ranges.first&.dig(:range) end def broadest_range matching_network_ranges.last&.dig(:range) end def network_intelligence # Use denormalized fields instead of expensive lookup { country: country, company: company, asn: asn, asn_org: asn_org, is_datacenter: is_datacenter, is_vpn: is_vpn, is_proxy: is_proxy } end # Denormalized attribute accessors - these now use the columns directly # No need to override - Rails provides these automatically: # - country (column) # - company (column) # - asn (column) # - asn_org (column) # - is_datacenter (column) # - is_vpn (column) # - is_proxy (column) # IP validation def valid_ipv4? return false unless ip_address.present? IPAddr.new(ip_address).ipv4? rescue IPAddr::InvalidAddressError false end def valid_ipv6? return false unless ip_address.present? IPAddr.new(ip_address).ipv6? rescue IPAddr::InvalidAddressError false end def valid_ip? valid_ipv4? || valid_ipv6? end # Rules affecting this IP def matching_rules return Rule.none unless ip_address.present? # Get all network ranges that contain this IP range_ids = matching_network_ranges.map { |r| r[:range].id } # Find rules for those ranges, ordered by priority (most specific first) Rule.network_rules .where(network_range_id: range_ids) .enabled .includes(:network_range) .order('masklen(network_ranges.network) DESC') end def active_blocking_rules matching_rules.where(action: 'deny') end def has_blocking_rules? active_blocking_rules.exists? end # Get full geo location details from network range def geo_location network_info = network_intelligence { country_code: network_info[:country], ip_address: ip_address, has_data: network_info[:country].present?, network_intelligence: network_info } end # Check if event has valid geo location data via network range def has_geo_data? network_intelligence[:country].present? end # Lookup country code for this event's IP via network range def lookup_country return nil if ip_address.blank? network_info = network_intelligence network_info[:country] rescue => e Rails.logger.error "Network lookup failed for #{ip_address}: #{e.message}" nil end private def should_normalize? request_host_id.nil? || request_segment_ids.blank? end def normalize_event_fields EventNormalizer.normalize_event!(self) rescue => e Rails.logger.error "Failed to normalize event #{id}: #{e.message}" end def extract_fields_from_payload return unless payload.present? # Extract WAF-specific fields for direct querying request_data = payload.dig("request") || {} response_data = payload.dig("response") || {} self.ip_address = request_data["ip"] # Extract user agent with header name standardization headers = request_data["headers"] || {} normalized_headers = normalize_headers(headers) self.user_agent = normalized_headers["user-agent"] || normalized_headers["User-Agent"] self.request_path = request_data["path"] self.request_url = request_data["url"] self.response_status = response_data["status_code"] self.response_time_ms = response_data["duration_ms"] # Support both new (rule_id) and old (rule_matched) field names during cutover self.rule_id = payload["rule_id"] || payload["rule_matched"] self.blocked_reason = payload["blocked_reason"] # Store original values for normalization only if they don't exist yet # This prevents overwriting during multiple callback runs @raw_request_method ||= request_data["method"] @raw_request_protocol ||= request_data["protocol"] @raw_action ||= payload["waf_action"] # Extract server/environment info self.server_name = payload["server_name"] self.environment = payload["environment"] # Extract agent info agent_data = payload.dig("agent") || {} self.agent_version = agent_data["version"] self.agent_name = agent_data["name"] end end