aikido-zen 0.1.0.alpha4-x86_64-darwin → 0.1.1-x86_64-darwin

data/lib/aikido/zen.rb

@@ -4,7 +4,9 @@ require_relative "zen/version"
 require_relative "zen/errors"
 require_relative "zen/actor"
 require_relative "zen/config"
+require_relative "zen/collector"
 require_relative "zen/system_info"
+require_relative "zen/worker"
 require_relative "zen/agent"
 require_relative "zen/api_client"
 require_relative "zen/context"
@@ -24,12 +26,24 @@ module Aikido
       @config ||= Config.new
     end
 
+    # @return [Aikido::Zen::RuntimeSettings] the firewall configuration sourced
+    #   from your Aikido dashboard. This is periodically polled for updates.
+    def self.runtime_settings
+      @runtime_settings ||= RuntimeSettings.new
+    end
+
     # Gets information about the current system configuration, which is sent to
     # the server along with any events.
     def self.system_info
       @system_info ||= SystemInfo.new
     end
 
+    # Manages runtime metrics extracted from your app, which are uploaded to the
+    # Aikido servers if configured to do so.
+    def self.collector
+      @collector ||= Collector.new
+    end
+
     # Gets the current context object that holds all information about the
     # current request.
     #
@@ -47,24 +61,13 @@ module Aikido
       Thread.current[:_aikido_current_context_] = context
     end
 
-    # Track statistics about the result of a Sink's scan, and report it as an
-    # Attack if one is detected.
-    #
-    # @param scan [Aikido::Zen::Scan]
-    # @return [void]
-    # @raise [Aikido::Zen::UnderAttackError] if the scan detected an Attack
-    #   and blocking_mode is enabled.
-    def self.track_scan(scan)
-      agent.stats.add_scan(scan)
-      agent.handle_attack(scan.attack) if scan.attack?
-    end
-
     # Track statistics about an HTTP request the app is handling.
     #
-    # @param context [Aikido::Zen::Request]
+    # @param request [Aikido::Zen::Request]
     # @return [void]
     def self.track_request(request)
-      agent.stats.add_request(request)
+      autostart
+      collector.track_request(request)
     end
 
     # Tracks a network connection made to an external service.
@@ -72,7 +75,21 @@ module Aikido
     # @param connection [Aikido::Zen::OutboundConnection]
     # @return [void]
     def self.track_outbound(connection)
-      agent.stats.add_outbound(connection)
+      autostart
+      collector.track_outbound(connection)
+    end
+
+    # Track statistics about the result of a Sink's scan, and report it as
+    # an Attack if one is detected.
+    #
+    # @param scan [Aikido::Zen::Scan]
+    # @return [void]
+    # @raise [Aikido::Zen::UnderAttackError] if the scan detected an Attack
+    #   and blocking_mode is enabled.
+    def self.track_scan(scan)
+      autostart
+      collector.track_scan(scan)
+      agent.handle_attack(scan.attack) if scan.attack?
     end
 
     # Track the user making the current request.
@@ -80,43 +97,22 @@ module Aikido
     # @param (see Aikido::Zen.Actor)
     # @return [void]
     def self.track_user(user)
-      actor = Aikido::Zen::Actor(user)
+      return if config.disabled?
 
-      if actor
-        agent.stats.add_user(actor)
+      if (actor = Aikido::Zen::Actor(user))
+        autostart
+        collector.track_user(actor)
+        current_context.request.actor = actor if current_context
       else
-        id_attr, name_attr = config.user_attribute_mappings.values_at(:id, :name)
-        config.logger.warn(format(<<~LOG, obj: user, id: id_attr, name: name_attr))
-          Incompatible object sent to Aikido::Zen.track_user: %<obj>p
-
-          The object must satisfy one of the following:
+        config.logger.warn(format(<<~LOG, obj: user))
+          Incompatible object sent to track_user: %<obj>p
 
-          * Implement #to_aikido_actor
-          * Implement #to_model and have %<id>p and %<name>p attributes
-          * Be a Hash with :id (or "id") and, optionally, :name (or "name") keys
+          The object must either implement #to_aikido_actor, or be a Hash with
+          an :id (or "id") and, optionally, a :name (or "name") key.
         LOG
       end
     end
 
-    # Starts the background threads that keep the agent running.
-    #
-    # @return [void]
-    def self.initialize!
-      @agent ||= Agent.new
-      @agent.start!
-    end
-
-    # Stop any background threads.
-    def self.stop!
-      @agent&.stop!
-    end
-
-    # @return [Aikido::Zen::RuntimeSettings] the firewall configuration sourced
-    #   from your Aikido dashboard. This is periodically polled for updates.
-    def self.runtime_settings
-      @runtime_settings ||= RuntimeSettings.new
-    end
-
     # Load all sinks matching libraries loaded into memory. This method should
     # be called after all other dependencies have been loaded into memory (i.e.
     # at the end of the initialization process).
@@ -128,11 +124,20 @@ module Aikido
       require_relative "zen/sinks"
     end
 
-    private_class_method def self.agent
-      # We shouldn't start collecting data before we even initialize the agent,
-      # but might as well make sure we have a @agent going to report to.
-      @agent or initialize!
-      @agent
+    # @!visibility private
+    # Stop any background threads.
+    def self.stop!
+      agent&.stop!
+    end
+
+    # @!visibility private
+    # Starts the background agent if it has not been started yet.
+    def self.agent
+      @agent ||= Agent.start
+    end
+
+    class << self
+      alias_method :autostart, :agent
     end
   end
 end

data/tasklib/bench.rake

@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+
+require "socket"
+require "timeout"
+
+SERVER_PIDS = {}
+
+def stop_servers
+  SERVER_PIDS.each { |_, pid| Process.kill("TERM", pid) }
+  SERVER_PIDS.clear
+end
+
+def boot_server(dir, port:, env: {})
+  env["PORT"] = port.to_s
+
+  Dir.chdir(dir) do
+    SERVER_PIDS[port] = Process.spawn(
+      env,
+      "rails", "server", "--pid", "#{Dir.pwd}/tmp/pids/server.#{port}.pid",
+      out: "/dev/null"
+    )
+  rescue
+    SERVER_PIDS.delete(port)
+  end
+end
+
+def port_open?(port, timeout: 1)
+  Timeout.timeout(timeout) do
+    TCPSocket.new("127.0.0.1", port).close
+    true
+  rescue Errno::ECONNREFUSED, Errno::EHOSTUNREACH, SocketError
+    false
+  end
+rescue Timeout::Error
+  false
+end
+
+def wait_for_servers
+  ports = SERVER_PIDS.keys
+
+  Timeout.timeout(10) do
+    ports.reject! { |port| port_open?(port) } while ports.any?
+  end
+rescue Timeout::Error
+  raise "Could not reach ports: #{ports.join(", ")}"
+end
+
+Pathname.glob("sample_apps/*").select(&:directory?).each do |dir|
+  namespace :bench do
+    namespace dir.basename.to_s do
+      desc "Run benchmarks for the #{dir.basename} sample app"
+      task run: [:boot_protected_app, :boot_unprotected_app] do
+        wait_for_servers
+        Dir.chdir("benchmarks") { sh "k6 run #{dir.basename}.js" }
+      ensure
+        stop_servers
+      end
+
+      task :boot_protected_app do
+        boot_server(dir, port: 3001)
+      end
+
+      task :boot_unprotected_app do
+        boot_server(dir, port: 3002, env: {"AIKIDO_DISABLE" => "true"})
+      end
+    end
+
+    task default: "#{dir.basename}:run"
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aikido-zen
 version: !ruby/object:Gem::Version
-  version: 0.1.0.alpha4
+  version: 0.1.1
 platform: x86_64-darwin
 authors:
 - Nicolas Sanguinetti
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2024-10-24 00:00:00.000000000 Z
+date: 2024-11-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: concurrent-ruby
@@ -63,20 +63,32 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".ruby-version"
+- ".simplecov"
 - ".standard.yml"
 - CHANGELOG.md
-- CODE_OF_CONDUCT.md
 - LICENSE
 - README.md
 - Rakefile
+- benchmarks/README.md
+- benchmarks/rails7.1_sql_injection.js
+- docs/banner.svg
+- docs/config.md
+- docs/rails.md
 - lib/aikido-zen.rb
 - lib/aikido.rb
 - lib/aikido/zen.rb
 - lib/aikido/zen/actor.rb
 - lib/aikido/zen/agent.rb
+- lib/aikido/zen/agent/heartbeats_manager.rb
 - lib/aikido/zen/api_client.rb
 - lib/aikido/zen/attack.rb
 - lib/aikido/zen/capped_collections.rb
+- lib/aikido/zen/collector.rb
+- lib/aikido/zen/collector/hosts.rb
+- lib/aikido/zen/collector/routes.rb
+- lib/aikido/zen/collector/sink_stats.rb
+- lib/aikido/zen/collector/stats.rb
+- lib/aikido/zen/collector/users.rb
 - lib/aikido/zen/config.rb
 - lib/aikido/zen/context.rb
 - lib/aikido/zen/context/rack_request.rb
@@ -84,7 +96,7 @@ files:
 - lib/aikido/zen/errors.rb
 - lib/aikido/zen/event.rb
 - lib/aikido/zen/internals.rb
-- lib/aikido/zen/libzen-v0.1.26.x86_64.dylib
+- lib/aikido/zen/libzen-v0.1.31.x86_64.dylib
 - lib/aikido/zen/middleware/check_allowed_addresses.rb
 - lib/aikido/zen/middleware/set_context.rb
 - lib/aikido/zen/middleware/throttler.rb
@@ -121,6 +133,7 @@ files:
 - lib/aikido/zen/scanners/stored_ssrf_scanner.rb
 - lib/aikido/zen/sink.rb
 - lib/aikido/zen/sinks.rb
+- lib/aikido/zen/sinks/action_controller.rb
 - lib/aikido/zen/sinks/async_http.rb
 - lib/aikido/zen/sinks/curb.rb
 - lib/aikido/zen/sinks/em_http.rb
@@ -137,13 +150,11 @@ files:
 - lib/aikido/zen/sinks/sqlite3.rb
 - lib/aikido/zen/sinks/trilogy.rb
 - lib/aikido/zen/sinks/typhoeus.rb
-- lib/aikido/zen/stats.rb
-- lib/aikido/zen/stats/routes.rb
-- lib/aikido/zen/stats/sink_stats.rb
-- lib/aikido/zen/stats/users.rb
 - lib/aikido/zen/synchronizable.rb
 - lib/aikido/zen/system_info.rb
 - lib/aikido/zen/version.rb
+- lib/aikido/zen/worker.rb
+- tasklib/bench.rake
 - tasklib/libzen.rake
 homepage: https://aikido.dev
 licenses:
@@ -167,7 +178,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.16
+rubygems_version: 3.5.22
 signing_key: 
 specification_version: 4
 summary: Embedded Web Application Firewall that autonomously protects Ruby apps against

data/CODE_OF_CONDUCT.md

@@ -1,132 +0,0 @@
-# Contributor Covenant Code of Conduct
-
-## Our Pledge
-
-We as members, contributors, and leaders pledge to make participation in our
-community a harassment-free experience for everyone, regardless of age, body
-size, visible or invisible disability, ethnicity, sex characteristics, gender
-identity and expression, level of experience, education, socio-economic status,
-nationality, personal appearance, race, caste, color, religion, or sexual
-identity and orientation.
-
-We pledge to act and interact in ways that contribute to an open, welcoming,
-diverse, inclusive, and healthy community.
-
-## Our Standards
-
-Examples of behavior that contributes to a positive environment for our
-community include:
-
-* Demonstrating empathy and kindness toward other people
-* Being respectful of differing opinions, viewpoints, and experiences
-* Giving and gracefully accepting constructive feedback
-* Accepting responsibility and apologizing to those affected by our mistakes,
-  and learning from the experience
-* Focusing on what is best not just for us as individuals, but for the overall
-  community
-
-Examples of unacceptable behavior include:
-
-* The use of sexualized language or imagery, and sexual attention or advances of
-  any kind
-* Trolling, insulting or derogatory comments, and personal or political attacks
-* Public or private harassment
-* Publishing others' private information, such as a physical or email address,
-  without their explicit permission
-* Other conduct which could reasonably be considered inappropriate in a
-  professional setting
-
-## Enforcement Responsibilities
-
-Community leaders are responsible for clarifying and enforcing our standards of
-acceptable behavior and will take appropriate and fair corrective action in
-response to any behavior that they deem inappropriate, threatening, offensive,
-or harmful.
-
-Community leaders have the right and responsibility to remove, edit, or reject
-comments, commits, code, wiki edits, issues, and other contributions that are
-not aligned to this Code of Conduct, and will communicate reasons for moderation
-decisions when appropriate.
-
-## Scope
-
-This Code of Conduct applies within all community spaces, and also applies when
-an individual is officially representing the community in public spaces.
-Examples of representing our community include using an official email address,
-posting via an official social media account, or acting as an appointed
-representative at an online or offline event.
-
-## Enforcement
-
-Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported to the community leaders responsible for enforcement at
-[hello@aikido.dev](mailto:hello@aikido.dev).
-All complaints will be reviewed and investigated promptly and fairly.
-
-All community leaders are obligated to respect the privacy and security of the
-reporter of any incident.
-
-## Enforcement Guidelines
-
-Community leaders will follow these Community Impact Guidelines in determining
-the consequences for any action they deem in violation of this Code of Conduct:
-
-### 1. Correction
-
-**Community Impact**: Use of inappropriate language or other behavior deemed
-unprofessional or unwelcome in the community.
-
-**Consequence**: A private, written warning from community leaders, providing
-clarity around the nature of the violation and an explanation of why the
-behavior was inappropriate. A public apology may be requested.
-
-### 2. Warning
-
-**Community Impact**: A violation through a single incident or series of
-actions.
-
-**Consequence**: A warning with consequences for continued behavior. No
-interaction with the people involved, including unsolicited interaction with
-those enforcing the Code of Conduct, for a specified period of time. This
-includes avoiding interactions in community spaces as well as external channels
-like social media. Violating these terms may lead to a temporary or permanent
-ban.
-
-### 3. Temporary Ban
-
-**Community Impact**: A serious violation of community standards, including
-sustained inappropriate behavior.
-
-**Consequence**: A temporary ban from any sort of interaction or public
-communication with the community for a specified period of time. No public or
-private interaction with the people involved, including unsolicited interaction
-with those enforcing the Code of Conduct, is allowed during this period.
-Violating these terms may lead to a permanent ban.
-
-### 4. Permanent Ban
-
-**Community Impact**: Demonstrating a pattern of violation of community
-standards, including sustained inappropriate behavior, harassment of an
-individual, or aggression toward or disparagement of classes of individuals.
-
-**Consequence**: A permanent ban from any sort of public interaction within the
-community.
-
-## Attribution
-
-This Code of Conduct is adapted from the [Contributor Covenant][homepage],
-version 2.1, available at
-[https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1].
-
-Community Impact Guidelines were inspired by
-[Mozilla's code of conduct enforcement ladder][Mozilla CoC].
-
-For answers to common questions about this code of conduct, see the FAQ at
-[https://www.contributor-covenant.org/faq][FAQ]. Translations are available at
-[https://www.contributor-covenant.org/translations][translations].
-
-[homepage]: https://www.contributor-covenant.org
-[v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html
-[Mozilla CoC]: https://github.com/mozilla/diversity
-[FAQ]: https://www.contributor-covenant.org/faq
-[translations]: https://www.contributor-covenant.org/translations

data/lib/aikido/zen/stats/routes.rb

@@ -1,53 +0,0 @@
-# frozen_string_literal: true
-
-require_relative "../request/schema/empty_schema"
-
-class Aikido::Zen::Stats
-  # @api private
-  #
-  # Keeps track of the visited routes.
-  class Routes
-    def initialize
-      @routes = Hash.new do |h, k|
-        h[k] = Record.new(0, Aikido::Zen::Request::Schema::EMPTY_SCHEMA)
-      end
-    end
-
-    # @param route [Aikido::Zen::Route, nil] tracks the visit, if given.
-    # @param schema [Aikido::Zen::Request::Schema, nil] the schema of the
-    #   request, if the feature is enabled.
-    # @return [void]
-    def add(route, schema = nil)
-      @routes[route].add(schema) if route
-    end
-
-    # @!visibility private
-    def [](route)
-      @routes[route]
-    end
-
-    # @!visibility private
-    def empty?
-      @routes.empty?
-    end
-
-    def as_json
-      @routes.map do |route, record|
-        {
-          method: route.verb,
-          path: route.path,
-          hits: record.hits,
-          apispec: record.schema&.as_json
-        }.compact
-      end
-    end
-
-    # @!visibility private
-    Record = Struct.new(:hits, :schema) do
-      def add(new_schema = nil)
-        self.hits += 1
-        self.schema |= new_schema
-      end
-    end
-  end
-end

data/lib/aikido/zen/stats.rb

@@ -1,171 +0,0 @@
-# frozen_string_literal: true
-
-require "concurrent"
-
-require_relative "capped_collections"
-
-module Aikido::Zen
-  # Tracks information about how the Aikido Agent is used in the app.
-  class Stats < Concurrent::Synchronization::LockableObject
-    # @!visibility private
-    attr_reader :started_at, :ended_at, :requests, :aborted_requests, :sinks
-
-    # @!visibility private
-    attr_writer :ended_at
-
-    def initialize(config = Aikido::Zen.config)
-      super()
-      @config = config
-      reset_state
-    end
-
-    # @return [Boolean]
-    def empty?
-      synchronize { @requests.zero? && @sinks.empty? }
-    end
-
-    # @return [Boolean]
-    def any?
-      !empty?
-    end
-
-    # Track the timestamp we start tracking this series of stats.
-    #
-    # @return [void]
-    def start(at = Time.now.utc)
-      synchronize { @started_at = at }
-    end
-
-    # Atomically copies the stats and resets them to their initial values, so
-    # you can start gathering a new set while being able to read the old ones
-    # without fear that a thread might modify them.
-    #
-    # @param at [Time] the time at which we're resetting, which is set as the
-    #   ending time for the returned copy.
-    #
-    # @return [Aikido::Zen::Stats] a frozen copy of the object before
-    #   resetting, so you can access the data there, with its +ended_at+
-    #   set to the given timestamp.
-    def reset(at: Time.now.utc)
-      synchronize {
-        # Make sure the timing stats are compressed before copying, since we
-        # need these compressed when we serialize this for the API.
-        @sinks.each_value(&:compress_timings)
-
-        copy = clone
-        copy.ended_at = at
-
-        reset_state
-        start(at)
-
-        copy
-      }
-    end
-
-    # @param request [Aikido::Zen::Request]
-    # @return [void]
-    def add_request(request)
-      synchronize {
-        @requests += 1
-        @routes.add(request.route, request.schema)
-      }
-      self
-    end
-
-    # @param connection [Aikido::Zen::OutboundConnection]
-    # @return [void]
-    def add_outbound(connection)
-      synchronize { @outbound_connections << connection }
-      self
-    end
-
-    # @param [Aikido::Zen::Scan]
-    # @return [void]
-    def add_scan(scan)
-      synchronize {
-        stats = @sinks[scan.sink.name]
-        stats.scans += 1
-        stats.errors += 1 if scan.errors?
-        stats.add_timing(scan.duration)
-      }
-      self
-    end
-
-    # @param attack [Aikido::Zen::Attack]
-    # @param being_blocked [Boolean] whether the Agent blocked the
-    #   request where this Attack happened or not.
-    #
-    # @return [void]
-    def add_attack(attack, being_blocked:)
-      synchronize {
-        stats = @sinks[attack.sink.name]
-        stats.attacks += 1
-        stats.blocked_attacks += 1 if being_blocked
-      }
-      self
-    end
-
-    # @param actor [Aikido::Zen::Actor]
-    # @return [void]
-    def add_user(actor)
-      synchronize { @users.add(actor) }
-    end
-
-    # @return [#as_json] the set of routes visited during this stats-gathering
-    #   period.
-    def routes
-      synchronize { @routes }
-    end
-
-    # @return [Enumerable<#as_json>] the set of users that had an active session
-    #   during this stats-gathering period.
-    def users
-      synchronize { @users }
-    end
-
-    # @return [#as_json] the set of connections to outbound hosts that were
-    #   established during this stats-gathering period.
-    def outbound_connections
-      synchronize { @outbound_connections }
-    end
-
-    def as_json
-      synchronize {
-        total_attacks, total_blocked = aggregate_attacks_from_sinks
-        {
-          startedAt: @started_at.to_i * 1000,
-          endedAt: (@ended_at.to_i * 1000 if @ended_at),
-          sinks: @sinks.transform_values(&:as_json),
-          requests: {
-            total: @requests,
-            aborted: @aborted_requests,
-            attacksDetected: {
-              total: total_attacks,
-              blocked: total_blocked
-            }
-          }
-        }
-      }
-    end
-
-    private def reset_state
-      @sinks = Hash.new { |h, k| h[k] = SinkStats.new(k, @config) }
-      @started_at = @ended_at = nil
-      @requests = 0
-      @routes = Routes.new
-      @users = Users.new(@config.max_users_tracked)
-      @outbound_connections = CappedSet.new(@config.max_outbound_connections)
-      @aborted_requests = 0
-    end
-
-    private def aggregate_attacks_from_sinks
-      @sinks.each_value.reduce([0, 0]) { |(attacks, blocked), stats|
-        [attacks + stats.attacks, blocked + stats.blocked_attacks]
-      }
-    end
-  end
-end
-
-require_relative "stats/users"
-require_relative "stats/routes"
-require_relative "stats/sink_stats"