From 0d33b0b7888d3c774da39b7e9204b6cba72609b5 Mon Sep 17 00:00:00 2001 From: Walter Verhoeven <44400822+PeterPann23@users.noreply.github.com> Date: Tue, 6 Apr 2021 08:11:57 +0200 Subject: [PATCH 1/3] update sample after NuGet update up date the Guard Module enumerator FireWallGuardActions --- .../Controllers/HomeController.cs | 4 ++-- .../Infrastructure/MyFireWall.cs | 4 ++-- .../Walter.Web.FireWall.Geo.IP2Loaction.csproj | 8 ++++---- .../Walter.Web.FireWall.Geo.IP2LoactionTests.csproj | 6 +++--- 4 files changed, 11 insertions(+), 11 deletions(-) diff --git a/Samples/IGeoFactory implementation/Walter.Web.FireWall.Geo.IP2Loaction/Controllers/HomeController.cs b/Samples/IGeoFactory implementation/Walter.Web.FireWall.Geo.IP2Loaction/Controllers/HomeController.cs index d540e10..7ceb0c3 100644 --- a/Samples/IGeoFactory implementation/Walter.Web.FireWall.Geo.IP2Loaction/Controllers/HomeController.cs +++ b/Samples/IGeoFactory implementation/Walter.Web.FireWall.Geo.IP2Loaction/Controllers/HomeController.cs @@ -37,7 +37,7 @@ public IActionResult Index() , blockDurationInSeconds: 6 , redirectToController: "home" , redirectToAction: "index" - , id: (int)Filters.FireWallGuardModules.RejectRefreshViolations)] + , id: (int)Filters.FireWallGuardActions.RejectRefreshViolations)] public async Task Query(WhoisQuery model) { @@ -65,7 +65,7 @@ public async Task Query(WhoisQuery model) /// Allow the user to get 5 visits to the block page /// /// - [Walter.Web.FireWall.Annotations.Ignore(skip: Filters.FireWallGuardModules.ALL, skipCount: 5)] + [Walter.Web.FireWall.Annotations.Ignore(skip: Filters.FireWallGuardActions.ALL, skipCount: 5)] public IActionResult Blocked() { diff --git a/Samples/IGeoFactory implementation/Walter.Web.FireWall.Geo.IP2Loaction/Infrastructure/MyFireWall.cs b/Samples/IGeoFactory implementation/Walter.Web.FireWall.Geo.IP2Loaction/Infrastructure/MyFireWall.cs index ac9f62d..47d827a 100644 
--- a/Samples/IGeoFactory implementation/Walter.Web.FireWall.Geo.IP2Loaction/Infrastructure/MyFireWall.cs +++ b/Samples/IGeoFactory implementation/Walter.Web.FireWall.Geo.IP2Loaction/Infrastructure/MyFireWall.cs @@ -34,7 +34,7 @@ public MyFireWall(IServiceProvider serviceProvider, IMemoryCache memory, ILogger foreach (var item in data) { item.AddHock = null; - item.NoValidate = Filters.FireWallGuardModules.RejectAddHockRequests | Filters.FireWallGuardModules.RejectCrossSiteRequests; + item.NoValidate = Filters.FireWallGuardActions.RejectAddHockRequests | Filters.FireWallGuardActions.RejectCrossSiteRequests; } data = KnownLinks.EndpointsInPath("*.css", "*.png", "*.jpg", "*.js"); @@ -181,7 +181,7 @@ private void MyFireWall_OnIncident(object sender, Walter.Web.FireWall.EventArgum e.AllowRaiseIncident = true; // It's no big deal if the user refreshes the page - if (e.Page.HasViolated(Filters.FireWallGuardModules.RejectRefreshViolations)) + if (e.Page.HasViolated(Filters.FireWallGuardActions.RejectRefreshViolations)) { e.AllowRaiseIncident = false; } diff --git a/Samples/IGeoFactory implementation/Walter.Web.FireWall.Geo.IP2Loaction/Walter.Web.FireWall.Geo.IP2Loaction.csproj b/Samples/IGeoFactory implementation/Walter.Web.FireWall.Geo.IP2Loaction/Walter.Web.FireWall.Geo.IP2Loaction.csproj index 61f93f4..c8caf76 100644 --- a/Samples/IGeoFactory implementation/Walter.Web.FireWall.Geo.IP2Loaction/Walter.Web.FireWall.Geo.IP2Loaction.csproj +++ b/Samples/IGeoFactory implementation/Walter.Web.FireWall.Geo.IP2Loaction/Walter.Web.FireWall.Geo.IP2Loaction.csproj @@ -5,11 +5,11 @@ - - + + - - + + diff --git a/Samples/IGeoFactory implementation/Walter.Web.FireWall.Geo.IP2LoactionTests/Walter.Web.FireWall.Geo.IP2LoactionTests.csproj b/Samples/IGeoFactory implementation/Walter.Web.FireWall.Geo.IP2LoactionTests/Walter.Web.FireWall.Geo.IP2LoactionTests.csproj index 3479484..7e8b04e 100644 
--- a/Samples/IGeoFactory implementation/Walter.Web.FireWall.Geo.IP2LoactionTests/Walter.Web.FireWall.Geo.IP2LoactionTests.csproj +++ b/Samples/IGeoFactory implementation/Walter.Web.FireWall.Geo.IP2LoactionTests/Walter.Web.FireWall.Geo.IP2LoactionTests.csproj @@ -19,10 +19,10 @@ - + - - + + all runtime; build; native; contentfiles; analyzers; buildtransitive From 36b9cd532678c2dcc433ae351ec80696b1df882f Mon Sep 17 00:00:00 2001 From: Walter Verhoeven <44400822+PeterPann23@users.noreply.github.com> Date: Tue, 6 Apr 2021 08:20:31 +0200 Subject: [PATCH 2/3] update Action enum name --- .../Infrastructure/MyFireWall.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Samples/IGeoFactory implementation/Walter.Web.FireWall.Geo.IP2Loaction/Infrastructure/MyFireWall.cs b/Samples/IGeoFactory implementation/Walter.Web.FireWall.Geo.IP2Loaction/Infrastructure/MyFireWall.cs index ac9f62d..bbc4a9f 100644 --- a/Samples/IGeoFactory implementation/Walter.Web.FireWall.Geo.IP2Loaction/Infrastructure/MyFireWall.cs +++ b/Samples/IGeoFactory implementation/Walter.Web.FireWall.Geo.IP2Loaction/Infrastructure/MyFireWall.cs @@ -181,7 +181,7 @@ private void MyFireWall_OnIncident(object sender, Walter.Web.FireWall.EventArgum e.AllowRaiseIncident = true; // It's no big deal if the user refreshes the page - if (e.Page.HasViolated(Filters.FireWallGuardModules.RejectRefreshViolations)) + if (e.Page.HasViolated(Filters.FireWallGuardActions.RejectRefreshViolations)) { e.AllowRaiseIncident = false; } From a5c4226ac9758cb2e0637d38562875aff8e86f50 Mon Sep 17 00:00:00 2001 From: Walter Verhoeven <44400822+PeterPann23@users.noreply.github.com> Date: Tue, 6 Apr 2021 08:39:24 +0200 Subject: [PATCH 3/3] update sample implementation discocery endpoints --- .../Controllers/UserDiscoveryController.cs | 116 +++++++----------- .../MVC_Core_31_Application.csproj | 4 +- .../MVC_Core_31_Application/Startup.cs | 10 +- 3 files changed, 52 insertions(+), 78 deletions(-) 
diff --git a/Samples/MVC_Core_31_Application/MVC_Core_31_Application/Controllers/UserDiscoveryController.cs b/Samples/MVC_Core_31_Application/MVC_Core_31_Application/Controllers/UserDiscoveryController.cs index 7df5161..bcd423d 100644 --- a/Samples/MVC_Core_31_Application/MVC_Core_31_Application/Controllers/UserDiscoveryController.cs +++ b/Samples/MVC_Core_31_Application/MVC_Core_31_Application/Controllers/UserDiscoveryController.cs @@ -40,7 +40,7 @@ public UserDiscoveryController(ILogger logger, IFireWal /// there is also a Json version allowing you to automate monitoring /// /// the text report of the firewall, - [Ignore(skip: FireWallGuardModules.API_ENDPOINT_LAX)] + [Ignore(skip: FireWallGuardActions.API_ENDPOINT_LAX)] [NoCache] [HttpGet("API/Reporting/Text")] public string Get() @@ -114,7 +114,8 @@ public IActionResult CSP(CSPModel model) [HttpGet] [NoCache] [Route(Links.UserEndpointJavaScript)] - [Ignore(Walter.Web.FireWall.Filters.FireWallGuardModules.EmbeddedResources)] + [Ignore(Walter.Web.FireWall.Filters.FireWallGuardActions.EmbeddedResources)] + [FireWallConfiguration(FireWallConfigurationElement.DiscoveryJavaScript)] public FileContentResult ValidateUser() { //use the ID to force reloading the script after the user has logged in or logged off 
@@ -130,51 +131,59 @@ public FileContentResult ValidateUser() } else { - _logger?.LogError("ValidateUser javascript generation failed for {Page}", _page.ToString()); - javaScript = UTF8Encoding.UTF8.GetBytes($"console.log('could not generate userValidation')"); + _logger?.Lazy().LogError("ValidateUser javascript generation failed for {Page}", _page.ToString()); + javaScript = System.Text.UTF8Encoding.UTF8.GetBytes($"console.log('could not generate userValidation')"); return File(fileContents: javaScript, contentType: "text/javascript"); } } catch (ArgumentException e) { + _page.Exception = e; + _fireWall.LogException(RunTimeErrors.ArgumentNullException, e, "Missing a configuration element or using wrong release for your deployment"); var javaScript = System.Diagnostics.Debugger.IsAttached - ? UTF8Encoding.UTF8.GetBytes($"console.log('could not generate userValidation due to {e.Message}')") - : UTF8Encoding.UTF8.GetBytes($"//Validate log {DateTime.Now} for errors and update settings"); + ? 
System.Text.UTF8Encoding.UTF8.GetBytes($"console.log('could not generate userValidation due to {e.Message}')") + : System.Text.UTF8Encoding.UTF8.GetBytes($"//Validate log {DateTime.Now} for errors and update settings"); return File(fileContents: javaScript, contentType: "text/javascript"); } catch (Exception e) { + _page.Exception = e; + _fireWall.LogException(RunTimeErrors.ArgumentNullException, e, $"User type discovery will not work as good as it could please fix {e.Message}"); - var javaScript = UTF8Encoding.UTF8.GetBytes($"console.log('could not generate userValidation due to {e.Message}')"); + var javaScript = System.Text.UTF8Encoding.UTF8.GetBytes($"console.log('could not generate userValidation due to {e.Message}')"); return File(fileContents: javaScript, contentType: "text/javascript"); } finally { - _logger?.LogInformation("ValidateUser called"); + _logger?.Lazy().LogInformation("ValidateUser called"); } } [HttpPost] [Route(Links.BeaconPoint)] - [DisableFirewall] - [CrossSite(useDefaultRedirect: false), Ignore(skip: FireWallGuardModules.ALL & ~FireWallGuardModules.RejectCrossSiteRequests)] - public StatusCodeResult Beacon(string model) + [CrossSite, Ignore(skip: FireWallGuardActions.ALL & ~FireWallGuardActions.RejectCrossSiteRequests)] + [ModelFilter(associations: RequestersAssociations.InCurrentPage, generateIncident: false)] + [FireWallConfiguration(FireWallConfigurationElement.Beacon)] + public StatusCodeResult Beacon([FromBody] Beacon model) { - if (!string.IsNullOrEmpty(model)) + if (!ModelState.IsValid) { - var beacon = JsonConvert.DeserializeObject(model); - _fireWall.ModelIsValid(pageContext: _page, model: beacon, out var errors); - if (errors.Sum(s => s.BlockinSeverityScore) < 100) - { - _fireWall.LogPageRequest(beacon, _page); - } - else + _logger?.Lazy().LogWarning("beacon: failed has {errors} errors", ModelState.ErrorCount); + return this.Ok();//no need to make a fuss + } + + + _fireWall.ModelIsValid(pageContext: _page, model: model, out var 
errors); + if (errors.Sum(s => s.BlockingSeverityScore) < 100) + { + _fireWall.LogPageRequest(model, _page); + } + else + { + foreach (var error in errors) { - foreach (var error in errors) - { - _logger?.LogWarning("beacon: {warn}", error); - } + _logger?.Lazy().LogWarning("beacon: {warn}", error); } } return this.Ok(); 
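Review bot: The generic `catch (Exception e)` in ValidateUser still interpolates `e.Message` into the script returned to the browser (`console.log('could not generate userValidation due to {e.Message}')`) unconditionally, while the `ArgumentException` branch directly above only does so when `System.Diagnostics.Debugger.IsAttached`. That discloses server-side exception text to any client and, because the message is dropped inside a JS string literal without escaping, a message containing a quote yields broken or attacker-shaped script served as `text/javascript`. Suggest mirroring the debugger gate: `var javaScript = System.Diagnostics.Debugger.IsAttached ? System.Text.UTF8Encoding.UTF8.GetBytes($"console.log('could not generate userValidation due to {e.Message}')") : System.Text.UTF8Encoding.UTF8.GetBytes($"//Validate log {DateTime.Now} for errors and update settings");`. The same catch also passes `RunTimeErrors.ArgumentNullException` to `_fireWall.LogException` for an arbitrary exception, which will mislabel unrelated failures in the firewall log; a more generic `RunTimeErrors` member, if the enum has one, would be more honest. ValidateUser begins and Beacon ends outside this hunk.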
@@ -182,64 +191,31 @@ public StatusCodeResult Beacon(string model) [HttpPost] [Route(Links.IsUserEndpoint)] - [CrossSite(useDefaultRedirect: false), Ignore(skip: FireWallGuardModules.ALL & ~FireWallGuardModules.RejectCrossSiteRequests)] - public StatusCodeResult UserDiscovery([FromBody] Discovery model) + [CrossSite, Ignore(skip: FireWallGuardActions.ALL & ~FireWallGuardActions.RejectCrossSiteRequests)] + [FireWallConfiguration(FireWallConfigurationElement.DiscoveryModel)] + public StatusCodeResult UserDiscovery([FromBody] string json) { - if (model is null) - { - _logger?.LogInformation("user discovery called but the model field or data types are not compatible, please wait, update the model to fix the users discovery javascript"); - return this.NoContent(); - } - else + if (_page.TryLogDiscovery(json)) { - _fireWall.ModelIsValid(pageContext: _page, model: model, out var errors); - if (errors.Count == 0 || (errors.Count > 0 && errors.Sum(s => s.BlockinSeverityScore) < 100)) - { - _fireWall.LogPageRequest(model, _page); - return Ok(); - } - else - { - _logger?.LogWarning("Assume an attempt was made to send a tampered model to {url} due to it achieving an error score of {score}", _page.OriginalUrl.AbsoluteUri, errors.Sum(s => s.BlockinSeverityScore)); - if (errors.Sum(s => s.BlockinSeverityScore) > 100) - { - var fwu = _page.User.AsFirewallUser(); - using (var scope = _logger?.BeginScope($"User {fwu.Id} from {fwu.IPAddress} tampered with the model send back to {Links.IsUserEndpoint} and triggered {errors.Count} warnings")) - { - for (var i = 0; i < errors.Count; i++) - { - _logger?.LogWarning("incident:{count} reason:{reason} context:{context} weight:{weight}", i + 1, errors[i].Reason, errors[i].BlockingContext, errors[i].BlockinSeverityScore); - } - } - //tamper detected so return a 404 - return this.NotFound(); - } - //model data is not valid, could be tampered but could also just be not containing required values - return this.BadRequest(); - } + return Ok(); } + 
return this.BadRequest(); } [HttpPost] [Route(Links.SiteMapEndPoint)] - [CrossSite(useDefaultRedirect: false), Ignore(skip: FireWallGuardModules.ALL & ~FireWallGuardModules.RejectCrossSiteRequests)] - public async Task SiteMap([FromBody] SiteMapDiscovery model) + [CrossSite(useDefaultRedirect: false), Ignore(skip: FireWallGuardActions.ALL & ~FireWallGuardActions.RejectCrossSiteRequests)] + [FireWallConfiguration(FireWallConfigurationElement.SiteMapModel)] + public async Task SiteMap([FromBody] string json) { - _logger.Lazy().LogInformation("Url discovery called"); - - if (model is null) - return NoContent(); - else + if (_page.TryLogSiteMap(json)) { - _fireWall.ModelIsValid(pageContext: _page, model: model, out var errors); - - if (errors.Sum(s => s.BlockinSeverityScore) < 100 && _page.RootPage != null) - { - _logger.Lazy().LogDebug("Url discovery send to firewall"); - await _fireWall.LogSiteMapAsync(page: _page, model: model).ConfigureAwait(false); - } return Ok(); } + else + { + return BadRequest(); + } } } diff --git a/Samples/MVC_Core_31_Application/MVC_Core_31_Application/MVC_Core_31_Application.csproj b/Samples/MVC_Core_31_Application/MVC_Core_31_Application/MVC_Core_31_Application.csproj index 4266b83..884546b 100644 --- a/Samples/MVC_Core_31_Application/MVC_Core_31_Application/MVC_Core_31_Application.csproj +++ b/Samples/MVC_Core_31_Application/MVC_Core_31_Application/MVC_Core_31_Application.csproj @@ -10,8 +10,8 @@ - - + + diff --git a/Samples/MVC_Core_31_Application/MVC_Core_31_Application/Startup.cs b/Samples/MVC_Core_31_Application/MVC_Core_31_Application/Startup.cs index 691ecdd..decb596 100644 --- a/Samples/MVC_Core_31_Application/MVC_Core_31_Application/Startup.cs +++ b/Samples/MVC_Core_31_Application/MVC_Core_31_Application/Startup.cs 
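Review bot: `UserDiscovery` now hands the raw `[FromBody] string json` straight to `_page.TryLogDiscovery(json)` with no null/empty guard, and the old code's distinction between a merely invalid model (400) and a tampered one (score over 100, logged per error with the user's id and IP, then 404) is gone — every failure is now a silent `BadRequest()` with no log line, and `SiteMap` does the same. Unless `TryLogDiscovery`/`TryLogSiteMap` record the rejection themselves (not visible here), the sample loses exactly the telemetry a tamper attempt should produce. Suggest at least `if (string.IsNullOrWhiteSpace(json)) return BadRequest();` before the call and `_logger?.Lazy().LogWarning("discovery: rejected payload for {url}", _page.OriginalUrl.AbsoluteUri);` on the false branch, in both actions. `UserDiscovery` also switched to bare `[CrossSite]` while `SiteMap` keeps `[CrossSite(useDefaultRedirect: false)]`; if the differing redirect behaviour is intentional a one-line comment saying why would help, otherwise they should match. Binding a `string` from the body additionally depends on the input formatter accepting a non-object JSON payload, so it is worth confirming against the discovery JavaScript that posts to these endpoints.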
@@ -93,8 +93,9 @@ public void ConfigureServices(IServiceCollection services) services.AddFireWall(FireWallTrial.License, FireWallTrial.DomainKey, new Uri("https://www.mydomain.com", UriKind.Absolute), options => { - - + //use nuget package default endpoints to enable firewall management dashboard, than use administration to manage it + options.Administration.GenerateConnectFile = false; + options.Cypher.ApplicationPassword = "The password is 5 x 5, but I will not say in what order!"; options.UseSession = true; @@ -162,10 +163,7 @@ public void ConfigureServices(IServiceCollection services) //configure the firewall to be active on each request by registering the firewall filter services.AddMvc(setupAction => { - //enable the firewall on all endpoints in this application - setupAction.Filters.Add(); - //inform the browser of our privacy policy if you render views - + //inform the browser of our privacy policy if you render views setupAction.Filters.Add(); //view the filter documentation at https://firewallapi.asp-waf.com/?topic=html/N-Walter.Web.FireWall.Filters.htm
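Review bot: `options.Cypher.ApplicationPassword = "The password is 5 x 5, but I will not say in what order!";` places a literal secret in source, and because this is the sample users copy from, that value will be committed verbatim into downstream projects. It should be read from configuration or a secret store instead, e.g. `options.Cypher.ApplicationPassword = Configuration["FireWall:ApplicationPassword"];` with the key documented in the sample's appsettings (assuming `Configuration` is injected into `Startup`, which is not visible in this hunk). The new comment also needs tidying: in `//use nuget package default endpoints to enable firewall management dashboard, than use administration to manage it`, `than` should be `then`, and the comment does not say why `options.Administration.GenerateConnectFile` is set to `false` immediately below it, which is the non-obvious choice a reader will want explained.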