aikido-zen 0.2.0-x86_64-darwin → 1.0.1.beta.2-x86_64-darwin

data/lib/aikido/zen/sinks_dsl.rb

@@ -0,0 +1,226 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  module Sinks
+    module DSL
+      extend self
+
+      # In the context of `Aikido::Zen::Sinks::DSL`, the terms safe and presafe
+      # are defined as follows:
+      #
+      # safe: the desired state for a sink, particularly with respect to rescue.
+      #
+      # A sink is considered safe when unintended errors in the sink are handled,
+      # and-so are prevented from disrupting the operation of the original method
+      # (by raising unintended errors).
+      #
+      # presafe: the default state of a sink, particularly with respect to rescue.
+      #
+      # A sink is in the presafe state before and while unintended errors in the
+      # sink are not handled.
+      #
+      # Sink methods (like all methods) are in the presafe state when defined and
+      # become safe when unexpected errors cannot cause harm. The `safe` method
+      # is used to establish a safe state for the duration of the block executed.
+      # It is sometimes useful to be able to reestablish the presafe safe while
+      # inside a `safe` block; the `presafe` method allows this.
+      #
+      # Methods that contain the term presafe in their name should be used with
+      # appropriate care and understanding.
+      #
+      # IMPORTANT: All sinks should be safe!
+      #
+      # While this DSL proves useful for defining safe sink methods that follow
+      # common patterns, there are exceptions. It is always possible to define
+      # sink methods without using this DSL, but this should only be done when
+      # absolutely necessary. The sink methods defined using this DSL are safe,
+      # unless explicitly declared presafe.
+      #
+      # IMPORTANT: No sinks should be presafe in production!
+      #
+      # We are all responsible for ensuring that the sinks we implement are safe
+      # for production use. This DSL is only here to assist, by taking care of
+      # delicate edge cases and reducing the space for errors.
+      #
+      # When writing sink methods manually, some principles should be considered,
+      # to ensure safety for production:
+      #
+      # 1. Sink methods should ensure that the original method is always called,
+      # passing all parameters (positional, keyword, and block) exactly as they
+      # were passed to the original method, and return the result returned by
+      # the original method exactly as it was returned by the original method.
+      # (Unless intervention is required.)
+      #
+      # 2. Sink methods should not predict the signature of the original method,
+      # and-so restrict it from varying. The original method implementation is
+      # the sole and ultimate reference for its own behavior. We are observers
+      # (unless intervention is required).
+      #
+      # 3. Unexpected errors that are encountered in sink methods should not be
+      # capable of interfering with or preventing the normal operation of the
+      # original method. This includes but is not limited to exceptions that
+      # that may be raised when the sink method is called. Safe sink methods
+      # should return control to their caller (unless intervention is required).
+      #
+      # These are the guidelines adhered to by the `Aikido::Zen::Sinks::DSL`.
+
+      # The error with an original error as its cause to re-raise in `safe`.
+      class PresafeError < StandardError
+      end
+
+      # Safely execute the given block
+      #
+      # All standard errors are suppressed except `Aikido::Zen::UnderAttackError`s.
+      # This ensures that unexpected errors do not interrupt the execution of the
+      # original method, while all detected attacks are raised.
+      #
+      # When an error is wrapped in `PresafeError` the original error is reraised.
+      #
+      # @yield the block to execute
+      def safe
+        yield
+      rescue Aikido::Zen::UnderAttackError
+        raise
+      rescue PresafeError => err
+        raise err.cause
+      rescue => err
+        Aikido::Zen.config.logger.debug("[safe] #{err.class}: #{err.message}")
+      end
+
+      # Presafely execute the given block
+      #
+      # Safely wrap standard errors in `PresafeError` so that the original error is
+      # reraised when rescued in `safe`.
+      #
+      # @yield the block to execute
+      def presafe
+        yield
+      rescue => err
+        raise PresafeError, cause: err
+      end
+
+      # Define a method `method_name` that presafely executes the given block before
+      # the original method.
+      #
+      # @param method_name [Symbol, String] the name of the method to define
+      # @yield the block to execute before the original method
+      # @yieldparam args [Array] the positional arguments passed to the original method
+      # @yieldparam kwargs [Hash] the keyword arguments passed to the original method
+      #
+      # @return [void]
+      def presafe_sink_before(method_name, &block)
+        define_method(method_name) do |*args, **kwargs, &blk|
+          instance_exec(*args, **kwargs, &block)
+          super(*args, **kwargs, &blk)
+        end
+      end
+
+      # Define a method `method_name` that safely executes the given block before
+      # the original method.
+      #
+      # @param method_name [Symbol, String] the name of the method to define
+      # @yield the block to execute before the original method
+      # @yieldparam args [Array] the positional arguments passed to the original method
+      # @yieldparam kwargs [Hash] the keyword arguments passed to the original method
+      #
+      # @return [void]
+      #
+      # @note the block is executed within `safe` to handle errors safely; the original method is executed outside of `safe` to preserve the original behavior
+      def sink_before(method_name, &block)
+        presafe_sink_before(method_name) do |*args, **kwargs|
+          DSL.safe do
+            instance_exec(*args, **kwargs, &block)
+          end
+        end
+      end
+
+      # Define a method `method_name` that presafely executes the given block after
+      # the original method.
+      #
+      # @param method_name [Symbol, String] the name of the method to define
+      # @yield the block to execute after the original method
+      # @yieldparam result [Object] the result returned by the original method
+      # @yieldparam args [Array] the positional arguments passed to the original method
+      # @yieldparam kwargs [Hash] the keyword arguments passed to the original method
+      #
+      # @return [void]
+      def presafe_sink_after(method_name, &block)
+        define_method(method_name) do |*args, **kwargs, &blk|
+          result = super(*args, **kwargs, &blk)
+          instance_exec(result, *args, **kwargs, &block)
+          result
+        end
+      end
+
+      # Define a method `method_name` that safely executes the given block after
+      # the original method.
+      #
+      # @param method_name [Symbol, String] the name of the method to define
+      # @yield the block to execute after the original method
+      # @yieldparam result [Object] the result returned by the original method
+      # @yieldparam args [Array] the positional arguments passed to the original method
+      # @yieldparam kwargs [Hash] the keyword arguments passed to the original method
+      #
+      # @return [void]
+      #
+      # @note the block is executed within `safe` to handle errors safely; the original method is executed outside of `safe` to preserve the original behavior
+      def sink_after(method_name, &block)
+        presafe_sink_after(method_name) do |result, *args, **kwargs|
+          DSL.safe do
+            instance_exec(result, *args, **kwargs, &block)
+          end
+        end
+      end
+
+      # Define a method `method_name` that presafely executes the given block around
+      # the original method.
+      #
+      # @param method_name [Symbol, String] the name of the method to define
+      # @yield the block to execute around the original method
+      # @yieldparam super_call [Proc] the proc that calls the original method
+      # @yieldparam args [Array] the positional arguments passed to the original method
+      # @yieldparam kwargs [Hash] the keyword arguments passed to the original method
+      #
+      # @return [void]
+      def presafe_sink_around(method_name, &block)
+        define_method(method_name) do |*args, **kwargs, &blk|
+          result = nil
+          super_call = proc do
+            result = super(*args, **kwargs, &blk)
+          end
+          instance_exec(super_call, *args, **kwargs, &block)
+          result
+        end
+      end
+
+      # Define a method `method_name` that safely executes the given block around
+      # the original method.
+      #
+      # @param method_name [Symbol, String] the name of the method to define
+      # @yield the block to execute around the original method
+      # @yieldparam super_call [Proc] the proc that calls the original method
+      # @yieldparam args [Array] the positional arguments passed to the original method
+      # @yieldparam kwargs [Hash] the keyword arguments passed to the original method
+      #
+      # @return [void]
+      #
+      # @note the block is executed within `safe` to handle errors safely; the original method is executed within `presafe` to preserve the original behavior
+      # @note if the block does not call `super_call`, the original method is called automatically after the block is executed
+      def sink_around(method_name, &block)
+        presafe_sink_around(method_name) do |presafe_super_call, *args, **kwargs|
+          super_called = false
+          super_call = proc do
+            super_called = true
+            DSL.presafe do
+              presafe_super_call.call
+            end
+          end
+          DSL.safe do
+            instance_exec(super_call, *args, **kwargs, &block)
+          end
+          presafe_super_call.call unless super_called
+        end
+      end
+    end
+  end
+end

data/lib/aikido/zen/version.rb

@@ -2,9 +2,9 @@
 
 module Aikido
   module Zen
-    VERSION = "0.2.0"
+    VERSION = "1.0.1.beta.2"
 
     # The version of libzen_internals that we build against.
-    LIBZEN_VERSION = "0.1.37"
+    LIBZEN_VERSION = "0.1.39"
   end
 end

data/lib/aikido/zen/worker.rb

@@ -78,5 +78,10 @@ module Aikido::Zen
       @executor.shutdown
       @executor.wait_for_termination(30)
     end
+
+    def restart
+      shutdown
+      @executor = Concurrent::SingleThreadExecutor.new
+    end
   end
 end

data/lib/aikido/zen.rb

@@ -1,5 +1,8 @@
 # frozen_string_literal: true
 
+# IMPORTANT: Any files that load sinks or start the Aikido Agent should
+# be required in `Aikido::Zen.protect!`.
+
 require_relative "zen/version"
 require_relative "zen/errors"
 require_relative "zen/actor"
@@ -10,6 +13,7 @@ require_relative "zen/worker"
 require_relative "zen/agent"
 require_relative "zen/api_client"
 require_relative "zen/context"
+require_relative "zen/detached_agent"
 require_relative "zen/middleware/check_allowed_addresses"
 require_relative "zen/middleware/middleware"
 require_relative "zen/middleware/request_tracker"
@@ -19,10 +23,24 @@ require_relative "zen/outbound_connection_monitor"
 require_relative "zen/runtime_settings"
 require_relative "zen/rate_limiter"
 require_relative "zen/scanners"
-require_relative "zen/rails_engine" if defined?(::Rails)
 
 module Aikido
   module Zen
+    # Enable protection. Until this method is called no sinks are loaded
+    # and the Aikido Agent does not start.
+    #
+    # @return [void]
+    def self.protect!
+      if config.disabled?
+        config.logger.warn("Zen has been disabled and will not run.")
+        return
+      end
+
+      # IMPORTANT: Any files that load sinks or start the Aikido Agent
+      # should be required here only.
+      require_relative "zen/rails_engine" if defined?(::Rails)
+    end
+
     # @return [Aikido::Zen::Config] the agent configuration.
     def self.config
       @config ||= Config.new
@@ -34,6 +52,10 @@ module Aikido
       @runtime_settings ||= RuntimeSettings.new
     end
 
+    def self.runtime_settings=(settings)
+      @runtime_settings = settings
+    end
+
     # Gets information about the current system configuration, which is sent to
     # the server along with any events.
     def self.system_info
@@ -43,9 +65,15 @@ module Aikido
     # Manages runtime metrics extracted from your app, which are uploaded to the
     # Aikido servers if configured to do so.
     def self.collector
+      check_and_handle_fork
       @collector ||= Collector.new
     end
 
+    def self.detached_agent
+      check_and_handle_fork
+      @detached_agent ||= DetachedAgent::Agent.new
+    end
+
     # Gets the current context object that holds all information about the
     # current request.
     #
@@ -68,12 +96,10 @@ module Aikido
     # @param request [Aikido::Zen::Request]
     # @return [void]
     def self.track_request(request)
-      autostart
-      collector.track_request(request)
+      collector.track_request
     end
 
     def self.track_discovered_route(request)
-      autostart
       collector.track_route(request)
     end
 
@@ -82,7 +108,6 @@ module Aikido
     # @param connection [Aikido::Zen::OutboundConnection]
     # @return [void]
     def self.track_outbound(connection)
-      autostart
       collector.track_outbound(connection)
     end
 
@@ -94,7 +119,6 @@ module Aikido
     # @raise [Aikido::Zen::UnderAttackError] if the scan detected an Attack
     #   and blocking_mode is enabled.
     def self.track_scan(scan)
-      autostart
       collector.track_scan(scan)
       agent.handle_attack(scan.attack) if scan.attack?
     end
@@ -107,7 +131,6 @@ module Aikido
       return if config.disabled?
 
       if (actor = Aikido::Zen::Actor(user))
-        autostart
         collector.track_user(actor)
         current_context.request.actor = actor if current_context
       else
@@ -140,7 +163,8 @@ module Aikido
     # @!visibility private
     # Stop any background threads.
     def self.stop!
-      agent&.stop!
+      @agent&.stop!
+      @detached_agent_server&.stop!
     end
 
     # @!visibility private
@@ -149,8 +173,34 @@ module Aikido
       @agent ||= Agent.start
     end
 
+    def self.detached_agent_server
+      @detached_agent_server ||= DetachedAgent::Server.start!
+    end
+
     class << self
-      alias_method :autostart, :agent
+      # `agent` and `detached_agent` are started on the first method call.
+      # A mutex controls thread execution to prevent multiple attempts.
+      LOCK = Mutex.new
+
+      def start!
+        @pid = Process.pid
+        LOCK.synchronize do
+          agent
+          detached_agent_server
+        end
+      end
+
+      def check_and_handle_fork
+        if has_forked
+          @detached_agent&.handle_fork
+        end
+      end
+
+      def has_forked
+        pid_changed = Process.pid != @pid
+        @pid = Process.pid
+        pid_changed
+      end
     end
   end
 end

data/placeholder/.gitignore

@@ -0,0 +1,4 @@
+LICENSE
+*.gemspec
+/lib/*.rb
+*.gem

data/placeholder/README.md

@@ -0,0 +1,11 @@
+# Security Placeholder
+
+This gem has been published by [Aikido Security](https://aikido.dev) to help prevent supply chain attacks and protect the integrity of the Ruby ecosystem.
+
+It is **not intended for direct use** and contains no functional code.
+
+If you are looking for the actual library, please use [`aikido-zen`](https://rubygems.org/gems/aikido-zen).
+
+---
+
+This package exists solely for security purposes. For more information, visit [aikido.dev](https://aikido.dev).

data/placeholder/Rakefile

@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+
+require "rake"
+require "rake/clean"
+require "rubygems/package"
+require "fileutils"
+
+GEM_NAMES = %w[aikido]
+
+# Clean up created files
+CLEAN.include("LICENSE")
+CLEAN.include(*GEM_NAMES.map { |name| "#{name}.gemspec" })
+CLEAN.include(*GEM_NAMES.map { |name| "lib/#{name}.rb" })
+CLOBBER.include(*GEM_NAMES.map { |name| "#{name}-*.gem" })
+
+namespace :build do
+  GEM_NAMES.each do |gem_name|
+    file "LICENSE" => ["../LICENSE"] do
+      FileUtils.cp("../LICENSE", "LICENSE")
+      puts "Copied LICENSE"
+    end
+
+    entry_point_path = "lib/#{gem_name}.rb"
+
+    # Generate the entry point file from template if needed
+    file entry_point_path => ["lib/placeholder.rb.template"] do
+      template = File.read("lib/placeholder.rb.template")
+      content = template.gsub("@GEM_NAME", gem_name)
+      File.write(entry_point_path, content)
+      puts "Generated #{entry_point_path}"
+    end
+
+    gemspec_path = "#{gem_name}.gemspec"
+
+    # Generate gemspec file from template if needed
+    file gemspec_path => ["placeholder.gemspec.template"] do
+      template = File.read("placeholder.gemspec.template")
+      content = template.gsub("@GEM_NAME", gem_name)
+      File.write(gemspec_path, content)
+      puts "Generated #{gemspec_path}"
+    end
+
+    desc "Build the #{gem_name} gem"
+    task gem_name => [entry_point_path, gemspec_path, "LICENSE"] do
+      gemspec = Gem::Specification.load(gemspec_path)
+      raise "Failed to load gemspec: #{gemspec_path}" unless gemspec
+
+      gem_path = Gem::Package.build(gemspec)
+      puts "Built #{gem_path}"
+    end
+  end
+
+  desc "Build all gems"
+  task all: GEM_NAMES.map { |gem_name| "build:#{gem_name}" }
+end
+
+namespace :release do
+  GEM_NAMES.each do |gem_name|
+    gemspec_path = "#{gem_name}.gemspec"
+
+    desc "Build and publish the #{gem_name} to RubyGems"
+    task gem_name => ["build:#{gem_name}"] do
+      gemspec = Gem::Specification.load(gemspec_path)
+      raise "Failed to load gemspec: #{gemspec_path}" unless gemspec
+
+      gem_path = "#{gemspec.name}-#{gemspec.version}.gem"
+
+      puts "Publishing #{gem_path} to RubyGem..."
+      sh "gem push #{gem_path}"
+    end
+  end
+
+  desc "Build and publish all gems to RubyGems"
+  task all: GEM_NAMES.map { |gem_name| "release:#{gem_name}" }
+end

data/placeholder/lib/placeholder.rb.template

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+raise LoadError, "This gem has been published by Aikido Security to help prevent supply chain attacks. It is not intended for direct use. Please use 'aikido-zen' instead."

data/placeholder/placeholder.gemspec.template

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+Gem::Specification.new do |spec|
+  spec.name = "@GEM_NAME"
+  spec.version = "0.0.2"
+  spec.authors = ["Aikido Security"]
+  spec.email = ["dev-admin@aikido.dev"]
+  spec.summary = "Security placeholder for 'aikido-zen'."
+  spec.description = "This gem has been published by Aikido Security to help prevent supply chain attacks. It is not intended for direct use. Please use 'aikido-zen' instead."
+  spec.homepage = "https://aikido.dev/zen"
+  spec.license = "AGPL-3.0-or-later"
+
+  spec.required_ruby_version = ">= 2.3"
+
+  spec.metadata["homepage_uri"] = spec.homepage
+  spec.metadata["source_code_uri"] = "https://github.com/aikidosec/firewall-ruby"
+
+  spec.files = ["lib/@GEM_NAME.rb", "README.md", "LICENSE"]
+  spec.require_paths = ["lib"]
+end

data/tasklib/bench.rake

@@ -2,8 +2,11 @@
 
 require "socket"
 require "timeout"
+require_relative "wrk"
 
 SERVER_PIDS = {}
+PORT_PROTECTED = 3001
+PORT_UNPROTECTED = 3002
 
 def stop_servers
   SERVER_PIDS.each { |_, pid| Process.kill("TERM", pid) }
@@ -11,6 +14,8 @@ def stop_servers
 end
 
 def boot_server(dir, port:, env: {})
+  env["RAILS_MIN_THREADS"] = NUMBER_OF_THREADS
+  env["RAILS_MAX_THREADS"] = NUMBER_OF_THREADS
   env["PORT"] = port.to_s
   env["SECRET_KEY_BASE"] = rand(36**64).to_s(36)
 
@@ -49,8 +54,28 @@ end
 Pathname.glob("sample_apps/*").select(&:directory?).each do |dir|
   namespace :bench do
     namespace dir.basename.to_s do
-      desc "Run benchmarks for the #{dir.basename} sample app"
-      task run: [:boot_protected_app, :boot_unprotected_app] do
+      desc "Run WRK benchmarks for the #{dir.basename} sample app"
+      task wrk_run: [:boot_protected_app, :boot_unprotected_app] do
+        throughput_decrease_limit_perc = 25
+        if Gem::Version.new(RUBY_VERSION) >= Gem::Version.new("3.0.0") && Gem::Version.new(RUBY_VERSION) < Gem::Version.new("3.1.0")
+          # add higher limit for ruby 3.0
+          throughput_decrease_limit_perc = 35
+        end
+
+        wait_for_servers
+        run_benchmark(
+          route_zen: "http://localhost:#{PORT_PROTECTED}/benchmark", # Application with Zen
+          route_no_zen: "http://localhost:#{PORT_UNPROTECTED}/benchmark", # Application without Zen
+          description: "An empty route (1ms simulated delay)",
+          throughput_decrease_limit_perc: throughput_decrease_limit_perc,
+          latency_increase_limit_ms: 200
+        )
+      ensure
+        stop_servers
+      end
+
+      desc "Run K6 benchmarks for the #{dir.basename} sample app"
+      task k6_run: [:boot_protected_app, :boot_unprotected_app] do
         wait_for_servers
         Dir.chdir("benchmarks") { sh "k6 run #{dir.basename}.js" }
       ensure
@@ -58,14 +83,12 @@ Pathname.glob("sample_apps/*").select(&:directory?).each do |dir|
       end
 
       task :boot_protected_app do
-        boot_server(dir, port: 3001)
+        boot_server(dir, port: PORT_PROTECTED)
       end
 
       task :boot_unprotected_app do
-        boot_server(dir, port: 3002, env: {"AIKIDO_DISABLED" => "true"})
+        boot_server(dir, port: PORT_UNPROTECTED, env: {"AIKIDO_DISABLED" => "true"})
       end
     end
-
-    task default: "#{dir.basename}:run"
   end
 end