aikido-zen 0.2.0-arm64-darwin → 1.0.1.beta.2-arm64-darwin

data/tasklib/libzen.rake

@@ -1,23 +1,19 @@
 # frozen_string_literal: true
 
+require "ffi"
 require "open-uri"
 require "rubygems/package_task"
 
 require_relative "../lib/aikido/zen/version"
 
-LibZenDL = Struct.new(:os, :arch, :artifact) do
-  def download
-    puts "Downloading #{path}"
-    File.open(path, "wb") { |file| FileUtils.copy_stream(URI(url).open("rb"), file) }
-  end
-
-  def verify
-    expected = URI(url + ".sha256sum").read.split(/\s+/).first
-    actual = Digest::SHA256.file(path).to_s
+class LibZen
+  attr_reader :platform, :suffix, :artifact
 
-    if expected != actual
-      abort "Checksum mismatch on #{path}: Expected #{expected}, got #{actual}."
-    end
+  def initialize(platform_suffix, artifact = nil)
+    platform, suffix = platform_suffix.split(".", 2)
+    @platform = Gem::Platform.new(platform)
+    @suffix = suffix
+    @artifact = artifact
   end
 
   def version
@@ -25,79 +21,90 @@ LibZenDL = Struct.new(:os, :arch, :artifact) do
   end
 
   def path
-    [prefix, arch, ext].join(".")
+    "lib/aikido/zen/libzen-#{version}-#{platform}.#{suffix}"
   end
 
-  def gem_path
-    platform = "-#{gemspec.platform}" unless gemspec.platform.to_s == "ruby"
-    "pkg/#{gemspec.name}-#{gemspec.version}#{platform}.gem"
+  def url
+    File.join("https://github.com/AikidoSec/zen-internals/releases/download", version, artifact)
   end
 
-  def pkg_dir
-    File.dirname(gem_path)
+  def gemspec(source = Bundler.load_gemspec("aikido-zen.gemspec"))
+    return @spec if defined?(@spec)
+
+    @spec = source.dup
+    @spec.platform = platform
+    @spec.files << path
+    @spec
   end
 
-  def prefix
-    "lib/aikido/zen/libzen-#{version}"
+  def gem_path
+    "pkg/#{gemspec.name}-#{gemspec.version}-#{gemspec.platform}.gem"
   end
 
-  def ext
-    case os
-    when :darwin then "dylib"
-    when :linux then "so"
-    when :windows then "dll"
-    end
+  def resolvable?
+    downloadable? || File.exist?(path)
   end
 
-  def url
-    File.join("https://github.com/AikidoSec/zen-internals/releases/download", version, artifact)
+  def downloadable?
+    !artifact.nil?
   end
 
-  def gem_platform
-    gem_os = (os == :windows) ? "mingw64" : os
-    platform = (arch == "aarch64") ? "arm64" : arch
-    Gem::Platform.new("#{platform}-#{gem_os}")
+  def download
+    puts "Downloading #{path}"
+    File.open(path, "wb") { |file| FileUtils.copy_stream(URI(url).open("rb"), file) }
   end
 
-  def gemspec(source = Bundler.load_gemspec("aikido-zen.gemspec"))
-    return @spec if defined?(@spec)
+  def verify
+    expected = URI(url + ".sha256sum").read.split(/\s+/).first
+    actual = Digest::SHA256.file(path).to_s
 
-    @spec = source.dup
-    @spec.platform = gem_platform
-    @spec.files << path
-    @spec
+    if expected != actual
+      abort "Checksum verification failed for #{path}: expected #{expected}, but got #{actual}"
+    end
   end
 
   def namespace
-    "#{os}:#{arch}"
+    platform.to_s
+  end
+
+  def pkg_dir
+    File.dirname(gem_path)
   end
 end
 
-LIBZEN = [
-  LibZenDL.new(:darwin, "aarch64", "libzen_internals_aarch64-apple-darwin.dylib"),
-  LibZenDL.new(:darwin, "x86_64", "libzen_internals_x86_64-apple-darwin.dylib"),
-  LibZenDL.new(:linux, "aarch64", "libzen_internals_aarch64-unknown-linux-gnu.so"),
-  LibZenDL.new(:linux, "x86_64", "libzen_internals_x86_64-unknown-linux-gnu.so"),
-  LibZenDL.new(:windows, "x86_64", "libzen_internals_x86_64-pc-windows-gnu.dll")
-]
+LIBZENS = [
+  LibZen.new("arm64-darwin.dylib", "libzen_internals_aarch64-apple-darwin.dylib"),
+  LibZen.new("arm64-linux.so", "libzen_internals_aarch64-unknown-linux-gnu.so"),
+  LibZen.new("arm64-linux-musl.so", "libzen_internals_aarch64-unknown-linux-musl.so"),
+  LibZen.new("x86_64-darwin.dylib", "libzen_internals_x86_64-apple-darwin.dylib"),
+  LibZen.new("x86_64-linux.so", "libzen_internals_x86_64-unknown-linux-gnu.so"),
+  LibZen.new("x86_64-linux-musl.so", "libzen_internals_x86_64-unknown-linux-musl.so"),
+  LibZen.new("x86_64-mingw64.dll", "libzen_internals_x86_64-pc-windows-gnu.dll"),
+  # Not officially supported, but used during testing:
+  LibZen.new("x86_64-freebsd.so"),
+  LibZen.new("x86_64-solaris.so")
+].filter(&:resolvable?)
+
 namespace :libzen do
-  LIBZEN.each do |lib|
-    desc "Download libzen for #{lib.os}-#{lib.arch} if necessary"
+  LIBZENS.each do |lib|
+    desc "Download libzen for #{lib.platform} if necessary"
     task(lib.namespace => lib.path)
 
-    file(lib.path) {
-      lib.download
-      lib.verify
-    }
-    CLEAN.include(lib.path)
+    if lib.downloadable?
+      file(lib.path) do
+        lib.download
+        lib.verify
+      end
+      CLEAN.include(lib.path)
+    end
 
     directory lib.pkg_dir
     CLOBBER.include(lib.pkg_dir)
 
-    file(lib.gem_path => [lib.path, lib.pkg_dir]) {
+    file(lib.gem_path => [lib.path, lib.pkg_dir]) do
       path = Gem::Package.build(lib.gemspec)
       mv path, lib.pkg_dir
-    }
+    end
     CLOBBER.include(lib.pkg_dir)
 
     task "#{lib.namespace}:release" => [lib.gem_path, "release:guard_clean"] do
@@ -105,24 +112,21 @@ namespace :libzen do
     end
   end
 
-  desc "Build all the native gems for the different libzen versions"
-  task gems: LIBZEN.map(&:gem_path)
+  desc "Build all the native gems"
+  task gems: LIBZENS.map(&:gem_path)
 
   desc "Push all the native gems to RubyGems"
-  task release: LIBZEN.map { |lib| "#{lib.namespace}:release" }
+  task release: LIBZENS.map { |lib| "#{lib.namespace}:release" }
 
   desc "Download the libzen pre-built library for all platforms"
-  task "download:all" => LIBZEN.map(&:path)
+  task "download:all" => LIBZENS.map(&:path)
 
   desc "Downloads the libzen library for the current platform"
   task "download:current" do
-    require "rbconfig"
-    os = case RbConfig::CONFIG["host_os"]
-    when /darwin/ then :darwin
-    when /mingw|cygwin|mswin/ then :windows
-    else :linux
-    end
+    platform = Gem::Platform.local.dup
+    platform.version = nil unless Rake::Task.task_defined?("libzen:#{platform}")
 
-    Rake::Task["libzen:#{os}:#{RbConfig::CONFIG["build_cpu"]}"].invoke
+    # Invoke the most specific task
+    Rake::Task["libzen:#{platform}"].invoke
   end
 end

data/tasklib/wrk.rb

@@ -0,0 +1,88 @@
+require "open3"
+require "time"
+
+NUMBER_OF_THREADS = ENV.fetch("BENCHMARK_NUMBER_OF_THREADS") { 12 }.to_s
+CONNECTIONS = ENV.fetch("BENCHMARK_WRK_CONNECTIONS") { 400 }
+
+def generate_wrk_command_for_url(url)
+  # Define the command with wrk included
+  "wrk --threads #{NUMBER_OF_THREADS} --connections #{CONNECTIONS} --duration 15s --timeout 5s --latency #{url}"
+end
+
+def cold_start(url)
+  10.times do
+    _, err, status = Open3.capture3("curl #{url}")
+
+    if status != 0
+      puts err
+      exit(-1)
+    end
+  end
+end
+
+def extract_requests_and_latency_tuple(out, err, status)
+  if status == 0
+    # Extracting requests/sec
+    requests_sec_match = out.match(/Requests\/sec:\s+([\d.]+)/)
+    requests_sec = requests_sec_match[1].to_f if requests_sec_match
+
+    # Extracting latency
+    latency_match = out.match(/Latency\s+([\d.]+)(ms|s)/)
+    latency = latency_match[1].to_f if latency_match
+    latency_unit = latency_match[2] if latency_match
+
+    if latency_unit == "s"
+      latency *= 1000
+    end
+
+    {requests_sec: requests_sec, latency: latency}
+  else
+    puts "Error occurred running benchmark command:"
+    puts err.strip
+    exit(1)
+  end
+end
+
+def run_benchmark(route_no_zen:, route_zen:, description:, throughput_decrease_limit_perc:, latency_increase_limit_ms:)
+  # Cold start
+  cold_start(route_no_zen)
+  cold_start(route_zen)
+
+  out, err, status = Open3.capture3(generate_wrk_command_for_url(route_zen))
+  puts <<~MSG
+    WRK OUTPUT
+    ================
+    FIREWALL ENABLED:
+        #{out}
+    ----------------
+  MSG
+  result_zen_enabled = extract_requests_and_latency_tuple(out, err, status)
+
+  out, err, status = Open3.capture3(generate_wrk_command_for_url(route_no_zen))
+  puts <<~MSG
+    FIREWALL DISABLED:
+        #{out}
+    ================
+  MSG
+  result_zen_disabled = extract_requests_and_latency_tuple(out, err, status)
+
+  # Check if the command was successful
+  if result_zen_enabled && result_zen_disabled
+    # Print the output, which should be the Requests/sec value
+    puts "[ZEN ENABLED ] Requests/sec: #{result_zen_enabled[:requests_sec]} | Latency in ms: #{result_zen_enabled[:latency]}"
+    puts "[ZEN DISABLED] Requests/sec: #{result_zen_disabled[:requests_sec]} | Latency in ms: #{result_zen_disabled[:latency]}"
+
+    latency_increase_ms = (result_zen_enabled[:latency] - result_zen_disabled[:latency]).round(2)
+    puts "-> Delta in ms: #{latency_increase_ms}ms after running load test on #{description}"
+
+    throughput_decrease_perc = ((result_zen_disabled[:requests_sec] - result_zen_enabled[:requests_sec]) / result_zen_disabled[:requests_sec] * 100).round
+    puts "-> #{throughput_decrease_perc}% decrease in throughput after running load test on #{description}\n"
+
+    if latency_increase_ms >= latency_increase_limit_ms
+      exit(1)
+    end
+    if throughput_decrease_perc >= throughput_decrease_limit_perc
+      exit(1)
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aikido-zen
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 1.0.1.beta.2
 platform: arm64-darwin
 authors:
-- Nicolas Sanguinetti
+- Aikido Security
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-03-10 00:00:00.000000000 Z
+date: 2025-07-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: concurrent-ruby
@@ -55,17 +55,18 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
   force_ruby_platform: false
-description:
+description: Zen by Aikido is an embedded Web Application Firewall that autonomously
+  protects Ruby apps against common and critical attacks.
 email:
-- foca@foca.io
+- dev-admin@aikido.dev
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".aikido"
 - ".ruby-version"
 - ".simplecov"
 - ".standard.yml"
-- CHANGELOG.md
 - LICENSE
 - README.md
 - Rakefile
@@ -75,13 +76,13 @@ files:
 - docs/config.md
 - docs/rails.md
 - lib/aikido-zen.rb
-- lib/aikido.rb
 - lib/aikido/zen.rb
 - lib/aikido/zen/actor.rb
 - lib/aikido/zen/agent.rb
 - lib/aikido/zen/agent/heartbeats_manager.rb
 - lib/aikido/zen/api_client.rb
 - lib/aikido/zen/attack.rb
+- lib/aikido/zen/background_worker.rb
 - lib/aikido/zen/capped_collections.rb
 - lib/aikido/zen/collector.rb
 - lib/aikido/zen/collector/hosts.rb
@@ -93,10 +94,14 @@ files:
 - lib/aikido/zen/context.rb
 - lib/aikido/zen/context/rack_request.rb
 - lib/aikido/zen/context/rails_request.rb
+- lib/aikido/zen/detached_agent.rb
+- lib/aikido/zen/detached_agent/agent.rb
+- lib/aikido/zen/detached_agent/front_object.rb
+- lib/aikido/zen/detached_agent/server.rb
 - lib/aikido/zen/errors.rb
 - lib/aikido/zen/event.rb
 - lib/aikido/zen/internals.rb
-- lib/aikido/zen/libzen-v0.1.37.aarch64.dylib
+- lib/aikido/zen/libzen-v0.1.39-arm64-darwin.dylib
 - lib/aikido/zen/middleware/check_allowed_addresses.rb
 - lib/aikido/zen/middleware/middleware.rb
 - lib/aikido/zen/middleware/rack_throttler.rb
@@ -158,19 +163,25 @@ files:
 - lib/aikido/zen/sinks/sqlite3.rb
 - lib/aikido/zen/sinks/trilogy.rb
 - lib/aikido/zen/sinks/typhoeus.rb
+- lib/aikido/zen/sinks_dsl.rb
 - lib/aikido/zen/synchronizable.rb
 - lib/aikido/zen/system_info.rb
 - lib/aikido/zen/version.rb
 - lib/aikido/zen/worker.rb
+- placeholder/.gitignore
+- placeholder/README.md
+- placeholder/Rakefile
+- placeholder/lib/placeholder.rb.template
+- placeholder/placeholder.gemspec.template
 - tasklib/bench.rake
 - tasklib/libzen.rake
-homepage: https://aikido.dev
+- tasklib/wrk.rb
+homepage: https://aikido.dev/zen
 licenses:
 - AGPL-3.0-or-later
 metadata:
-  homepage_uri: https://aikido.dev
+  homepage_uri: https://aikido.dev/zen
   source_code_uri: https://github.com/aikidosec/firewall-ruby
-  changelog_uri: https://github.com/aikidosec/firewall-ruby/blob/main/CHANGELOG.md
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -189,6 +200,5 @@ requirements: []
 rubygems_version: 3.5.22
 signing_key:
 specification_version: 4
-summary: Embedded Web Application Firewall that autonomously protects Ruby apps against
-  common and critical attacks.
+summary: Embedded Web Application Firewall.
 test_files: []

data/CHANGELOG.md

@@ -1,25 +0,0 @@
-# Changelog
-
-## [Unreleased]
-
-### Fixed
-
-- Avoid an infinite loop when checking for SSRFs in a circular redirects loop.
-
-## 0.1.1
-
-### Fixed
-
-- Avoid an error when sending the initial heartbeat if the Aikido server hasn't
-  received stats yet.
-- Fix the SSRF scanner to ensure the port in the user-supplied payload matches
-  the port in the request.
-- Don't break the HTTP.rb sink when a Zen context isn't set.
-- Don't break the Typhoeus sink when a Zen context isn't set.
-- Don't break the PG sink outside of Rails.
-- Updated [libzen](https://github.com/AikidoSec/zen-internals) to v0.1.31 to
-  prevent flagging false positives in SQL queries with comments.
-
-## 0.1.0
-
-- Initial version

data/lib/aikido.rb

@@ -1,3 +0,0 @@
-# frozen_string_literal: true
-
-require_relative "aikido/zen"