aikido-zen 0.1.0.alpha4-arm64-darwin

data/lib/aikido/zen.rb

@@ -0,0 +1,138 @@
+# frozen_string_literal: true
+
+require_relative "zen/version"
+require_relative "zen/errors"
+require_relative "zen/actor"
+require_relative "zen/config"
+require_relative "zen/system_info"
+require_relative "zen/agent"
+require_relative "zen/api_client"
+require_relative "zen/context"
+require_relative "zen/middleware/set_context"
+require_relative "zen/outbound_connection"
+require_relative "zen/outbound_connection_monitor"
+require_relative "zen/runtime_settings"
+require_relative "zen/rate_limiter"
+require_relative "zen/scanners"
+require_relative "zen/middleware/check_allowed_addresses"
+require_relative "zen/rails_engine" if defined?(::Rails)
+
+module Aikido
+  module Zen
+    # @return [Aikido::Zen::Config] the agent configuration.
+    def self.config
+      @config ||= Config.new
+    end
+
+    # Gets information about the current system configuration, which is sent to
+    # the server along with any events.
+    def self.system_info
+      @system_info ||= SystemInfo.new
+    end
+
+    # Gets the current context object that holds all information about the
+    # current request.
+    #
+    # @return [Aikido::Zen::Context, nil]
+    def self.current_context
+      Thread.current[:_aikido_current_context_]
+    end
+
+    # Sets the current context object that holds all information about the
+    # current request, or +nil+ to clear the current context.
+    #
+    # @param context [Aikido::Zen::Context, nil]
+    # @return [Aikido::Zen::Context, nil]
+    def self.current_context=(context)
+      Thread.current[:_aikido_current_context_] = context
+    end
+
+    # Track statistics about the result of a Sink's scan, and report it as an
+    # Attack if one is detected.
+    #
+    # @param scan [Aikido::Zen::Scan]
+    # @return [void]
+    # @raise [Aikido::Zen::UnderAttackError] if the scan detected an Attack
+    #   and blocking_mode is enabled.
+    def self.track_scan(scan)
+      agent.stats.add_scan(scan)
+      agent.handle_attack(scan.attack) if scan.attack?
+    end
+
+    # Track statistics about an HTTP request the app is handling.
+    #
+    # @param context [Aikido::Zen::Request]
+    # @return [void]
+    def self.track_request(request)
+      agent.stats.add_request(request)
+    end
+
+    # Tracks a network connection made to an external service.
+    #
+    # @param connection [Aikido::Zen::OutboundConnection]
+    # @return [void]
+    def self.track_outbound(connection)
+      agent.stats.add_outbound(connection)
+    end
+
+    # Track the user making the current request.
+    #
+    # @param (see Aikido::Zen.Actor)
+    # @return [void]
+    def self.track_user(user)
+      actor = Aikido::Zen::Actor(user)
+
+      if actor
+        agent.stats.add_user(actor)
+      else
+        id_attr, name_attr = config.user_attribute_mappings.values_at(:id, :name)
+        config.logger.warn(format(<<~LOG, obj: user, id: id_attr, name: name_attr))
+          Incompatible object sent to Aikido::Zen.track_user: %<obj>p
+
+          The object must satisfy one of the following:
+
+          * Implement #to_aikido_actor
+          * Implement #to_model and have %<id>p and %<name>p attributes
+          * Be a Hash with :id (or "id") and, optionally, :name (or "name") keys
+        LOG
+      end
+    end
+
+    # Starts the background threads that keep the agent running.
+    #
+    # @return [void]
+    def self.initialize!
+      @agent ||= Agent.new
+      @agent.start!
+    end
+
+    # Stop any background threads.
+    def self.stop!
+      @agent&.stop!
+    end
+
+    # @return [Aikido::Zen::RuntimeSettings] the firewall configuration sourced
+    #   from your Aikido dashboard. This is periodically polled for updates.
+    def self.runtime_settings
+      @runtime_settings ||= RuntimeSettings.new
+    end
+
+    # Load all sinks matching libraries loaded into memory. This method should
+    # be called after all other dependencies have been loaded into memory (i.e.
+    # at the end of the initialization process).
+    #
+    # If a new gem is required, this method can be called again safely.
+    #
+    # @return [void]
+    def self.load_sinks!
+      require_relative "zen/sinks"
+    end
+
+    private_class_method def self.agent
+      # We shouldn't start collecting data before we even initialize the agent,
+      # but might as well make sure we have a @agent going to report to.
+      @agent or initialize!
+      @agent
+    end
+  end
+end

data/lib/aikido-zen.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+require_relative "aikido/zen"

data/lib/aikido.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+require_relative "aikido/zen"

data/tasklib/libzen.rake

@@ -0,0 +1,128 @@
+# frozen_string_literal: true
+
+require "open-uri"
+require "rubygems/package_task"
+
+require_relative "../lib/aikido/zen/version"
+
+LibZenDL = Struct.new(:os, :arch, :artifact) do
+  def download
+    puts "Downloading #{path}"
+    File.open(path, "wb") { |file| FileUtils.copy_stream(URI(url).open("rb"), file) }
+  end
+
+  def verify
+    expected = URI(url + ".sha256sum").read.split(/\s+/).first
+    actual = Digest::SHA256.file(path).to_s
+
+    if expected != actual
+      abort "Checksum mismatch on #{path}: Expected #{expected}, got #{actual}."
+    end
+  end
+
+  def version
+    "v#{Aikido::Zen::LIBZEN_VERSION}"
+  end
+
+  def path
+    [prefix, arch, ext].join(".")
+  end
+
+  def gem_path
+    platform = "-#{gemspec.platform}" unless gemspec.platform.to_s == "ruby"
+    "pkg/#{gemspec.name}-#{gemspec.version}#{platform}.gem"
+  end
+
+  def pkg_dir
+    File.dirname(gem_path)
+  end
+
+  def prefix
+    "lib/aikido/zen/libzen-#{version}"
+  end
+
+  def ext
+    case os
+    when :darwin then "dylib"
+    when :linux then "so"
+    when :windows then "dll"
+    end
+  end
+
+  def url
+    File.join("https://github.com/AikidoSec/zen-internals/releases/download", version, artifact)
+  end
+
+  def gem_platform
+    gem_os = (os == :windows) ? "mingw64" : os
+    platform = (arch == "aarch64") ? "arm64" : arch
+    Gem::Platform.new("#{platform}-#{gem_os}")
+  end
+
+  def gemspec(source = Bundler.load_gemspec("aikido-zen.gemspec"))
+    return @spec if defined?(@spec)
+
+    @spec = source.dup
+    @spec.platform = gem_platform
+    @spec.files << path
+    @spec
+  end
+
+  def namespace
+    "#{os}:#{arch}"
+  end
+end
+
+LIBZEN = [
+  LibZenDL.new(:darwin, "aarch64", "libzen_internals_aarch64-apple-darwin.dylib"),
+  LibZenDL.new(:darwin, "x86_64", "libzen_internals_x86_64-apple-darwin.dylib"),
+  LibZenDL.new(:linux, "aarch64", "libzen_internals_aarch64-unknown-linux-gnu.so"),
+  LibZenDL.new(:linux, "x86_64", "libzen_internals_x86_64-unknown-linux-gnu.so"),
+  LibZenDL.new(:windows, "x86_64", "libzen_internals_x86_64-pc-windows-gnu.dll")
+]
+namespace :libzen do
+  LIBZEN.each do |lib|
+    desc "Download libzen for #{lib.os}-#{lib.arch} if necessary"
+    task(lib.namespace => lib.path)
+
+    file(lib.path) {
+      lib.download
+      lib.verify
+    }
+    CLEAN.include(lib.path)
+
+    directory lib.pkg_dir
+    CLOBBER.include(lib.pkg_dir)
+
+    file(lib.gem_path => [lib.path, lib.pkg_dir]) {
+      path = Gem::Package.build(lib.gemspec)
+      mv path, lib.pkg_dir
+    }
+    CLOBBER.include(lib.pkg_dir)
+
+    task "#{lib.namespace}:release" => [lib.gem_path, "release:guard_clean"] do
+      sh "gem", "push", lib.gem_path
+    end
+  end
+
+  desc "Build all the native gems for the different libzen versions"
+  task gems: LIBZEN.map(&:gem_path)
+
+  desc "Push all the native gems to RubyGems"
+  task release: LIBZEN.map { |lib| "#{lib.namespace}:release" }
+
+  desc "Download the libzen pre-built library for all platforms"
+  task "download:all" => LIBZEN.map(&:path)
+
+  desc "Downloads the libzen library for the current platform"
+  task "download:current" do
+    require "rbconfig"
+    os = case RbConfig::CONFIG["host_os"]
+    when /darwin/ then :darwin
+    when /mingw|cygwin|mswin/ then :windows
+    else :linux
+    end
+
+    Rake::Task["libzen:#{os}:#{RbConfig::CONFIG["build_cpu"]}"].invoke
+  end
+end

metadata

@@ -0,0 +1,175 @@
+--- !ruby/object:Gem::Specification
+name: aikido-zen
+version: !ruby/object:Gem::Version
+  version: 0.1.0.alpha4
+platform: arm64-darwin
+authors:
+- Nicolas Sanguinetti
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2024-10-24 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: concurrent-ruby
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  force_ruby_platform: false
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  force_ruby_platform: false
+- !ruby/object:Gem::Dependency
+  name: ffi
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  force_ruby_platform: false
+description: 
+email:
+- foca@foca.io
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".ruby-version"
+- ".standard.yml"
+- CHANGELOG.md
+- CODE_OF_CONDUCT.md
+- LICENSE
+- README.md
+- Rakefile
+- lib/aikido-zen.rb
+- lib/aikido.rb
+- lib/aikido/zen.rb
+- lib/aikido/zen/actor.rb
+- lib/aikido/zen/agent.rb
+- lib/aikido/zen/api_client.rb
+- lib/aikido/zen/attack.rb
+- lib/aikido/zen/capped_collections.rb
+- lib/aikido/zen/config.rb
+- lib/aikido/zen/context.rb
+- lib/aikido/zen/context/rack_request.rb
+- lib/aikido/zen/context/rails_request.rb
+- lib/aikido/zen/errors.rb
+- lib/aikido/zen/event.rb
+- lib/aikido/zen/internals.rb
+- lib/aikido/zen/libzen-v0.1.26.aarch64.dylib
+- lib/aikido/zen/middleware/check_allowed_addresses.rb
+- lib/aikido/zen/middleware/set_context.rb
+- lib/aikido/zen/middleware/throttler.rb
+- lib/aikido/zen/outbound_connection.rb
+- lib/aikido/zen/outbound_connection_monitor.rb
+- lib/aikido/zen/package.rb
+- lib/aikido/zen/payload.rb
+- lib/aikido/zen/rails_engine.rb
+- lib/aikido/zen/rate_limiter.rb
+- lib/aikido/zen/rate_limiter/breaker.rb
+- lib/aikido/zen/rate_limiter/bucket.rb
+- lib/aikido/zen/rate_limiter/result.rb
+- lib/aikido/zen/request.rb
+- lib/aikido/zen/request/heuristic_router.rb
+- lib/aikido/zen/request/rails_router.rb
+- lib/aikido/zen/request/schema.rb
+- lib/aikido/zen/request/schema/auth_discovery.rb
+- lib/aikido/zen/request/schema/auth_schemas.rb
+- lib/aikido/zen/request/schema/builder.rb
+- lib/aikido/zen/request/schema/definition.rb
+- lib/aikido/zen/request/schema/empty_schema.rb
+- lib/aikido/zen/route.rb
+- lib/aikido/zen/runtime_settings.rb
+- lib/aikido/zen/runtime_settings/endpoints.rb
+- lib/aikido/zen/runtime_settings/ip_set.rb
+- lib/aikido/zen/runtime_settings/protection_settings.rb
+- lib/aikido/zen/runtime_settings/rate_limit_settings.rb
+- lib/aikido/zen/scan.rb
+- lib/aikido/zen/scanners.rb
+- lib/aikido/zen/scanners/sql_injection_scanner.rb
+- lib/aikido/zen/scanners/ssrf/dns_lookups.rb
+- lib/aikido/zen/scanners/ssrf/private_ip_checker.rb
+- lib/aikido/zen/scanners/ssrf_scanner.rb
+- lib/aikido/zen/scanners/stored_ssrf_scanner.rb
+- lib/aikido/zen/sink.rb
+- lib/aikido/zen/sinks.rb
+- lib/aikido/zen/sinks/async_http.rb
+- lib/aikido/zen/sinks/curb.rb
+- lib/aikido/zen/sinks/em_http.rb
+- lib/aikido/zen/sinks/excon.rb
+- lib/aikido/zen/sinks/http.rb
+- lib/aikido/zen/sinks/httpclient.rb
+- lib/aikido/zen/sinks/httpx.rb
+- lib/aikido/zen/sinks/mysql2.rb
+- lib/aikido/zen/sinks/net_http.rb
+- lib/aikido/zen/sinks/patron.rb
+- lib/aikido/zen/sinks/pg.rb
+- lib/aikido/zen/sinks/resolv.rb
+- lib/aikido/zen/sinks/socket.rb
+- lib/aikido/zen/sinks/sqlite3.rb
+- lib/aikido/zen/sinks/trilogy.rb
+- lib/aikido/zen/sinks/typhoeus.rb
+- lib/aikido/zen/stats.rb
+- lib/aikido/zen/stats/routes.rb
+- lib/aikido/zen/stats/sink_stats.rb
+- lib/aikido/zen/stats/users.rb
+- lib/aikido/zen/synchronizable.rb
+- lib/aikido/zen/system_info.rb
+- lib/aikido/zen/version.rb
+- tasklib/libzen.rake
+homepage: https://aikido.dev
+licenses:
+- AGPL-3.0-or-later
+metadata:
+  homepage_uri: https://aikido.dev
+  source_code_uri: https://github.com/aikidosec/firewall-ruby
+  changelog_uri: https://github.com/aikidosec/firewall-ruby/blob/main/CHANGELOG.md
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '2.7'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.5.16
+signing_key: 
+specification_version: 4
+summary: Embedded Web Application Firewall that autonomously protects Ruby apps against
+  common and critical attacks.
+test_files: []