fixes for host authorization

Author: ndbroadbent

AGENTS.md

@@ -6,6 +6,7 @@
 2. **ALWAYS run `task ci` before claiming completion**
 3. **NO EXCEPTIONS to the above rules - features are NOT complete until all checks pass**
 4. **This rule must ALWAYS be followed no matter what**
+5. **`additional_data` is ONLY for unknown and dynamic fields that a user or integration might send. IF YOU KNOW THE NAME OF A FIELD, IT GOES IN THE SCHEMA. NEVER use `additional_data` for known fields.**
 
 ## Commands
 

lib/log_struct/enums/log_field.rb

@@ -47,6 +47,8 @@ class LogField < T::Enum
       # Security-specific fields
       BlockedHost = new(:blocked_host)
       BlockedHosts = new(:blocked_hosts)
+      AllowedHosts = new(:allowed_hosts)
+      AllowIpHosts = new(:allow_ip_hosts)
       ClientIp = new(:client_ip)
       XForwardedFor = new(:x_forwarded_for)
 

lib/log_struct/integrations/host_authorization.rb

@@ -3,6 +3,7 @@
 
 require "action_dispatch/middleware/host_authorization"
 require_relative "../enums/event"
+require_relative "../log/security/blocked_host"
 
 module LogStruct
   module Integrations
@@ -34,56 +35,46 @@ def self.setup(config)
         return nil unless config.enabled
         return nil unless config.integrations.enable_host_authorization
 
-        # In test environment, ensure HostAuthorization does not block requests
-        # from the default integration test hosts. Allow all hosts explicitly.
-        if ::Rails.env.test? && ::Rails.application.config.respond_to?(:hosts)
-          begin
-            ::Rails.application.config.hosts << /.*\z/
-          rescue
-            # best-effort; ignore if hosts not configurable
-          end
-          # Additionally, exclude all requests from HostAuthorization in test
-          begin
-            ::Rails.application.config.host_authorization ||= {}
-            ::Rails.application.config.host_authorization[:exclude] = ->(_request) { true }
-          rescue
-            # best-effort
-          end
-        end
-
         # Define the response app as a separate variable to fix block alignment
         response_app = lambda do |env|
           request = ::ActionDispatch::Request.new(env)
           # Include the blocked hosts app configuration in the log entry
           # This can be helpful later when reviewing logs.
           blocked_hosts = env["action_dispatch.blocked_hosts"]
 
-          # Create a security error to be handled
-          blocked_host_error = ::ActionController::BadRequest.new(
-            "Blocked host detected: #{request.host}"
-          )
+          # Build allowed_hosts array
+          allowed_hosts_array = T.let(nil, T.nilable(T::Array[String]))
+          if blocked_hosts.respond_to?(:allowed_hosts)
+            allowed_hosts_array = blocked_hosts.allowed_hosts
+          end
+
+          # Get allow_ip_hosts value
+          allow_ip_hosts_value = T.let(nil, T.nilable(T::Boolean))
+          if blocked_hosts.respond_to?(:allow_ip_hosts)
+            allow_ip_hosts_value = blocked_hosts.allow_ip_hosts
+          end
 
-          # Create request context hash
-          context = {
+          # Create structured log entry for blocked host
+          log_entry = LogStruct::Log::Security::BlockedHost.new(
+            message: "Blocked host detected: #{request.host}",
             blocked_host: request.host,
-            client_ip: request.ip,
-            x_forwarded_for: request.x_forwarded_for,
-            http_method: request.method,
             path: request.path,
+            http_method: request.method,
+            source_ip: request.ip,
             user_agent: request.user_agent,
-            allowed_hosts: blocked_hosts.allowed_hosts,
-            allow_ip_hosts: blocked_hosts.allow_ip_hosts
-          }
-
-          # Handle error according to configured mode (log, report, raise)
-          LogStruct.handle_exception(
-            blocked_host_error,
-            source: Source::Security,
-            context: context
+            referer: request.referer,
+            request_id: request.request_id,
+            x_forwarded_for: request.x_forwarded_for,
+            allowed_hosts: allowed_hosts_array&.empty? ? nil : allowed_hosts_array,
+            allow_ip_hosts: allow_ip_hosts_value
           )
 
+          # Log the blocked host
+          LogStruct.warn(log_entry)
+
           # Use pre-defined headers and response if we are only logging or reporting
-          [FORBIDDEN_STATUS, RESPONSE_HEADERS, [RESPONSE_HTML]]
+          # Dup the headers so they can be modified by downstream middleware
+          [FORBIDDEN_STATUS, RESPONSE_HEADERS.dup, [RESPONSE_HTML]]
         end
 
         # Merge our response_app into existing host_authorization config to preserve excludes

lib/log_struct/log/security/blocked_host.rb

@@ -40,6 +40,9 @@ class BlockedHost < T::Struct
         const :message, T.nilable(String), default: nil
         const :blocked_host, T.nilable(String), default: nil
         const :blocked_hosts, T.nilable(T::Array[String]), default: nil
+        const :x_forwarded_for, T.nilable(String), default: nil
+        const :allowed_hosts, T.nilable(T::Array[String]), default: nil
+        const :allow_ip_hosts, T.nilable(T::Boolean), default: nil
 
         # Additional data
         include LogStruct::Log::Interfaces::AdditionalDataField
@@ -66,6 +69,9 @@ def to_h
           h[LogField::Message] = message unless message.nil?
           h[LogField::BlockedHost] = blocked_host unless blocked_host.nil?
           h[LogField::BlockedHosts] = blocked_hosts unless blocked_hosts.nil?
+          h[LogField::XForwardedFor] = x_forwarded_for unless x_forwarded_for.nil?
+          h[LogField::AllowedHosts] = allowed_hosts unless allowed_hosts.nil?
+          h[LogField::AllowIpHosts] = allow_ip_hosts unless allow_ip_hosts.nil?
           h
         end
       end

lib/log_struct/railtie.rb

@@ -10,25 +10,6 @@
 module LogStruct
   # Railtie to integrate with Rails
   class Railtie < ::Rails::Railtie
-    # Ensure test hosts are allowed early enough for middleware build
-    initializer "logstruct.allow_test_hosts", before: :build_middleware_stack do |app|
-      if ::Rails.env.test? && app.config.respond_to?(:hosts)
-        begin
-          app.config.hosts << /.*\z/
-        rescue
-          # best-effort
-        end
-        begin
-          app.config.middleware.delete(::ActionDispatch::HostAuthorization)
-        rescue
-          # best-effort
-        end
-      end
-    end
-
-    # After ActionDispatch is configured, remove HostAuthorization in test to prevent 403s
-    # (No late deletion needed; handled above before middleware stack is built)
-
     # Configure early, right after logger initialization
     initializer "logstruct.configure_logger", after: :initialize_logger do |app|
       next unless LogStruct.enabled?

rails_test_app/templates/test/integration/host_authorization_test.rb

@@ -0,0 +1,123 @@
+# typed: true
+# frozen_string_literal: true
+
+require "test_helper"
+
+class HostAuthorizationTest < ActionDispatch::IntegrationTest
+  def setup
+    # Capture JSON output via a dedicated SemanticLogger appender
+    @io = StringIO.new
+    ::SemanticLogger.clear_appenders!
+    # Use synchronous appender to avoid timing issues in tests
+    ::SemanticLogger.add_appender(io: @io, formatter: LogStruct::SemanticLogger::Formatter.new, async: false)
+  end
+
+  def test_blocked_host_is_logged_with_logstruct
+    # Make a request with a blocked host
+    host! "blocked-host.example.com"
+    get "/health"
+
+    # Should return 403 Forbidden
+    assert_response :forbidden
+
+    # Ensure all logs are flushed from buffers
+    ::SemanticLogger.flush
+
+    # Read all logged lines
+    @io.rewind
+    lines = @io.read.to_s.split("\n").map(&:strip).reject(&:empty?)
+
+    # Parse JSON logs
+    parsed_logs = lines.filter_map { |l|
+      begin
+        JSON.parse(l)
+      rescue
+        nil
+      end
+    }
+
+    # Find blocked host logs
+    blocked_host_logs = parsed_logs.select { |log| log["evt"] == "blocked_host" }
+
+    assert_equal 1, blocked_host_logs.size, "Expected exactly one blocked host log entry"
+
+    log_entry = blocked_host_logs.first
+
+    # Verify the log entry has the correct structure
+    assert_equal "security", log_entry["src"]
+    assert_equal "blocked_host", log_entry["evt"]
+    assert_equal "blocked-host.example.com", log_entry["blocked_host"]
+    assert_equal "/health", log_entry["path"]
+    assert_equal "GET", log_entry["method"]
+  end
+
+  def test_allowed_host_is_not_blocked
+    # Make a request with an allowed host (.localhost is allowed by default)
+    host! "www.localhost"
+    get "/health"
+
+    # Should return 200 OK
+    assert_response :success
+
+    # Ensure all logs are flushed from buffers
+    ::SemanticLogger.flush
+
+    # Read all logged lines
+    @io.rewind
+    lines = @io.read.to_s.split("\n").map(&:strip).reject(&:empty?)
+
+    # Parse JSON logs
+    parsed_logs = lines.filter_map { |l|
+      begin
+        JSON.parse(l)
+      rescue
+        nil
+      end
+    }
+
+    # Find blocked host logs
+    blocked_host_logs = parsed_logs.select { |log| log["evt"] == "blocked_host" }
+
+    assert_equal 0, blocked_host_logs.size, "Should not log blocked host for allowed hosts"
+  end
+
+  def test_blocked_host_log_can_be_serialized
+    host! "malicious.example.com"
+    get "/health"
+
+    assert_response :forbidden
+
+    # Ensure all logs are flushed from buffers
+    ::SemanticLogger.flush
+
+    # Read all logged lines
+    @io.rewind
+    lines = @io.read.to_s.split("\n").map(&:strip).reject(&:empty?)
+
+    # Parse JSON logs
+    parsed_logs = lines.filter_map { |l|
+      begin
+        JSON.parse(l)
+      rescue
+        nil
+      end
+    }
+
+    # Find blocked host logs
+    blocked_host_logs = parsed_logs.select { |log| log["evt"] == "blocked_host" }
+
+    assert_equal 1, blocked_host_logs.size
+
+    log_entry = blocked_host_logs.first
+
+    # Verify it's a properly serialized hash
+    assert_kind_of Hash, log_entry
+
+    # Verify key fields are in serialized output
+    assert_equal "security", log_entry["src"]
+    assert_equal "blocked_host", log_entry["evt"]
+    assert_equal "malicious.example.com", log_entry["blocked_host"]
+    assert_equal "/health", log_entry["path"]
+    assert_equal "GET", log_entry["method"]
+  end
+end

schemas/log_sources/security.yml

@@ -26,3 +26,6 @@ events:
       Message: String
       BlockedHost: String
       BlockedHosts: 'T::Array[String]'
+      XForwardedFor: String
+      AllowedHosts: 'T::Array[String]'
+      AllowIpHosts: T::Boolean

schemas/meta/log-fields.json

@@ -11,6 +11,8 @@
         "Adapter",
         "Address",
         "AhoyEvent",
+        "AllowIpHosts",
+        "AllowedHosts",
         "Arguments",
         "AttachmentCount",
         "Attempt",