Merge pull request #212 from PerimeterX/dev

Dev

Author: ori-gold-px

CHANGELOG.md

@@ -5,6 +5,28 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## [3.2.0] - 2022-01-24
+
+### Added
+
+- Support for credentials intelligence protocols `v1` and `multistep_sso`
+- Support for login successful reporting methods `header`, `status`, and `custom`
+- Support for automatic sending of `additional_s2s` activity
+- Support for manual sending of `additional_s2s` activity via header or API call
+- Support for sending raw username on `additional_s2s` activity
+- Support for login credentials extraction via custom callback
+- New `request_id` field to all enforcer activities
+
+### Changed
+
+- Login credentials extraction handles body encoding based on `Content-Type` request header
+- Successful login credentials extraction automatically triggers risk_api call without needing to enable sensitive routes
+
+### Fixed
+
+- Enforced routes work in monitor mode
+- Bypass monitor header works with configured monitored routes
+
 ## [3.1.2] - 2022-01-18
 
 ### Added

README.md

@@ -6,7 +6,7 @@
 [PerimeterX](http://www.perimeterx.com) Shared base for NodeJS enforcers
 =============================================================
 
-> Latest stable version: [v3.1.2](https://www.npmjs.com/package/perimeterx-node-core)
+> Latest stable version: [v3.2.0](https://www.npmjs.com/package/perimeterx-node-core)
 
 This is a shared base implementation for PerimeterX Express enforcer and future NodeJS enforcers. For a fully functioning implementation example, see the [Node-Express enforcer](https://github.com/PerimeterX/perimeterx-node-express/) implementation.
 

lib/enums/CIVersion.js

@@ -0,0 +1,8 @@
+const CIVersion = {
+    V1: 'v1',
+    MULTISTEP_SSO: 'multistep_sso'
+};
+
+module.exports = {
+    CIVersion
+};

lib/enums/LoginSuccessfulReportingMethod.js

@@ -0,0 +1,11 @@
+const LoginSuccessfulReportingMethod = {
+    NONE: '',
+    HEADER: 'header',
+    BODY: 'body',
+    STATUS: 'status',
+    CUSTOM: 'custom'
+};
+
+module.exports = {
+    LoginSuccessfulReportingMethod
+};

lib/enums/SSOStep.js

@@ -0,0 +1,8 @@
+const SSOStep = {
+    USER: 'user',
+    PASS: 'pass'
+};
+
+module.exports = {
+    SSOStep
+};

lib/extract_field/FieldExtractor.js

@@ -5,32 +5,32 @@ const SentThrough = { BODY: 'body', QUERY_PARAM: 'query-param', HEADER: 'header'
 const ContentType = { JSON: 'application/json', URL_ENCODED: 'application/x-www-form-urlencoded', MULTIPART_FORM: 'multipart/form-data' };
 
 class FieldExtractor {
-    constructor(sentThrough, fieldsToExtract) {
+    constructor(sentThrough, customExtractionCallback, fieldsToExtract) {
         this.containerName = this._getContainerName(sentThrough);
+        this.customExtractionCallback = customExtractionCallback || null;
         this.fieldsToExtract = fieldsToExtract instanceof Array ? fieldsToExtract : [fieldsToExtract];
     }
 
     ExtractFields(request) {
+        if (this.customExtractionCallback) {
+            return this.customExtractionCallback(request);
+        }
+
         const container = this._getContainer(request);
         if (!container) {
-            return {};
+            return null;
         }
         const fields = {};
         this.fieldsToExtract.forEach((desiredField) => {
-            let value = accessNestedObjectValueByStringPath(desiredField.oldFieldName, container) || container[desiredField.oldFieldName];
+            const value = accessNestedObjectValueByStringPath(desiredField.oldFieldName, container) || container[desiredField.oldFieldName];
             if (!value || typeof value !== 'string') {
                 return;
             }
-            value = desiredField.shouldNormalize ? this._normalizeField(value) : value;
             fields[desiredField.newFieldName] = value;
         });
         return fields;
     }
 
-    _normalizeField(fieldValue) {
-        return fieldValue.toLowerCase();
-    }
-
     _getContainerName(sentThrough) {
         switch (sentThrough) {
             case SentThrough.QUERY_PARAM:

…b/extract_field/FieldExtractorManager.js …tract_field/LoginCredentialsExtractor.jslib/extract_field/FieldExtractorManager.js renamed to lib/extract_field/LoginCredentialsExtractor.js lib/extract_field/FieldExtractorManager.js renamed to lib/extract_field/LoginCredentialsExtractor.js

@@ -1,30 +1,28 @@
 const FieldExtractor = require('./FieldExtractor');
 const ExtractionField = require('../models/ExtractionField');
-const { sha256 } = require('../pxutil');
+const { CredentialsIntelligenceProtocolFactory } = require('./credentials_intelligence/CredentialsIntelligenceProtocolFactory');
+const { CI_USERNAME_FIELD, CI_PASSWORD_FIELD } = require('../utils/constants');
 
-const USERNAME_FIELD = 'user';
-const PASSWORD_FIELD = 'pass';
-const CREDENTIALS_FIELD = 'creds';
-
-class FieldExtractorManager { 
-    constructor(logger, extractObjects) {
+class LoginCredentialsExtractor {
+    constructor(logger, version, extractObjects) {
         this.logger = logger;
         this.extractorMap = this._createExtractorsMap(extractObjects);
+        this.protocol = CredentialsIntelligenceProtocolFactory.Create(version);
     }
 
-    ExtractFields(request) {
+    ExtractLoginCredentials(request) {
         const key = this._generateMapKey(request.path, request.method);
         const extractor = this.extractorMap[key];
         if (!extractor) {
-            return {};
+            return null;
         }
         this.logger.debug(`Attempting to extract credentials for ${request.method} ${request.path} request`);
         try {
             const fields = extractor.ExtractFields(request);
             return this._processFields(fields);
         } catch (e) {
-            this.logger.error(e);
-            return {};
+            this.logger.debug(`Encountered error extracting credentials: ${e}`);
+            return null;
         }
     }
 
@@ -36,25 +34,22 @@ class FieldExtractorManager {
         const map = {};
         for (const extractFields of extractObjects) {
             const key = this._generateMapKey(extractFields.path, extractFields.method.toUpperCase());
-            map[key] = new FieldExtractor(extractFields.sent_through, [
-                new ExtractionField(extractFields.user_field, USERNAME_FIELD, true),
-                new ExtractionField(extractFields.pass_field, PASSWORD_FIELD, false)
+            map[key] = new FieldExtractor(extractFields.sent_through, extractFields.callback, [
+                new ExtractionField(extractFields.user_field, CI_USERNAME_FIELD),
+                new ExtractionField(extractFields.pass_field, CI_PASSWORD_FIELD)
             ]);
         }
         return map;
     }
 
     _processFields(fields) {
-        if (!fields || !fields[USERNAME_FIELD] || !fields[PASSWORD_FIELD]) {
+        if (!fields || !fields[CI_USERNAME_FIELD] && !fields[CI_PASSWORD_FIELD]) {
             this.logger.debug('Failed extracting credentials');
-            return {};
+            return null;
         }
-        this.logger.debug('Successfully extracted credentials')
-        return {
-            [USERNAME_FIELD]: sha256(fields[USERNAME_FIELD]),
-            [CREDENTIALS_FIELD]: sha256(fields[USERNAME_FIELD] + fields[PASSWORD_FIELD])
-        };
+        this.logger.debug('Successfully extracted credentials');
+        return this.protocol.ProcessCredentials(fields[CI_USERNAME_FIELD], fields[CI_PASSWORD_FIELD]);
     }
 }
 
-module.exports = FieldExtractorManager;
+module.exports = LoginCredentialsExtractor;

lib/extract_field/credentials_intelligence/CredentialsIntelligenceProtocolFactory.js

@@ -0,0 +1,20 @@
+const { CIVersion } = require('../../enums/CIVersion');
+const { V1CredentialsIntelligenceProtocol } = require('./V1CredentialsIntelligenceProtocol');
+const { MultistepSSOCredentialsIntelligenceProtocol } = require('./MultistepSSOCredentialsIntelligenceProtocol');
+
+class CredentialsIntelligenceProtocolFactory {
+    static Create(protocolVersion) {
+        switch (protocolVersion) {
+            case CIVersion.V1:
+                return new V1CredentialsIntelligenceProtocol();
+            case CIVersion.MULTISTEP_SSO:
+                return new MultistepSSOCredentialsIntelligenceProtocol();
+            default:
+                throw new Error(`Unknown CI protocol version '${protocolVersion}', acceptable versions are ${Object.values(CIVersion)}`);
+        }
+    }
+}
+
+module.exports = {
+    CredentialsIntelligenceProtocolFactory
+};

lib/extract_field/credentials_intelligence/ICredentialsIntelligenceProtocol.js

@@ -0,0 +1,9 @@
+class ICredentialsIntelligenceProtocol {
+    ProcessCredentials(username, password) {
+        throw new Error('Unimplemented method!');
+    }
+}
+
+module.exports = {
+    ICredentialsIntelligenceProtocol
+};

lib/extract_field/credentials_intelligence/MultistepSSOCredentialsIntelligenceProtocol.js

@@ -0,0 +1,21 @@
+const { ICredentialsIntelligenceProtocol } = require('./ICredentialsIntelligenceProtocol');
+const { LoginCredentialsFields } = require('../../models/LoginCredentialsFields');
+const { CIVersion } = require('../../enums/CIVersion');
+const { sha256 } = require('../../pxutil');
+
+class MultistepSSOCredentialsIntelligenceProtocol extends ICredentialsIntelligenceProtocol {
+    ProcessCredentials(username, password) {
+        const rawUsername = username || null;
+
+        return new LoginCredentialsFields(
+            rawUsername,
+            password ? sha256(password) : null,
+            rawUsername,
+            CIVersion.MULTISTEP_SSO
+        );
+    }
+}
+
+module.exports = {
+    MultistepSSOCredentialsIntelligenceProtocol
+};