aikido-zen 1.0.1.beta.2-x86_64-linux-musl

data/lib/aikido/zen/actor.rb

@@ -0,0 +1,116 @@
+# frozen_string_literal: true
+
+require "concurrent"
+require_relative "config"
+
+module Aikido::Zen
+  # Converts an object into an Actor for reporting back to the Aikido Dashboard.
+  #
+  # @overload Actor(actor)
+  #   @param actor [#to_aikido_actor] anything that implements #to_aikido_actor
+  #     will have that method called and its value returned.
+  #   @return Aikido::Zen::Actor
+  #
+  # @overload Actor(data)
+  #   @param data [Hash<Symbol, String>]
+  #   @option data [String] :id a unique identifier for this user.
+  #   @option data [String, nil] :name an optional name to display in the UI.
+  #   @return Aikido::Zen::Actor
+  def self.Actor(data)
+    return if data.nil?
+    return data.to_aikido_actor if data.respond_to?(:to_aikido_actor)
+
+    attrs = {}
+    if data.respond_to?(:to_hash)
+      attrs = data.to_hash
+        .slice("id", "name", :id, :name)
+        .compact
+        .transform_keys(&:to_sym)
+        .transform_values(&:to_s)
+    else
+      return nil
+    end
+
+    return nil if attrs[:id].nil? || attrs[:id].to_s.strip.empty?
+
+    Actor.new(**attrs)
+  end
+
+  # Represents someone connecting to the application and making requests.
+  class Actor
+    # @return [String] a unique identifier for this user.
+    attr_reader :id
+
+    # @return [String, nil] an optional name to display in the Aikido UI.
+    attr_reader :name
+
+    # @return [Time]
+    attr_reader :first_seen_at
+
+    # @param id [String]
+    # @param name [String, nil]
+    # @param ip [String, nil]
+    # @param seen_at [Time]
+    def initialize(
+      id:,
+      name: nil,
+      ip: Aikido::Zen.current_context&.request&.ip,
+      seen_at: Time.now.utc
+    )
+      @id = id
+      @name = name
+      @first_seen_at = seen_at
+      @last_seen_at = Concurrent::AtomicReference.new(seen_at)
+      @ip = Concurrent::AtomicReference.new(ip)
+    end
+
+    # @return [Time]
+    def last_seen_at
+      @last_seen_at.get
+    end
+
+    # @return [String, nil] the IP address last used by this user, if available.
+    def ip
+      @ip.get
+    end
+
+    # Atomically update the last IP used by the user, and the last time they've
+    # been "seen" connecting to the app.
+    #
+    # @param ip [String, nil] the last-seen IP address for the user. If +nil+
+    #   and we had a non-empty value before, we won't update it. Defaults to
+    #   the current HTTP request's IP address, if any.
+    # @param seen_at [Time] the time at which we're making the update. We will
+    #   always keep the most recent time if this conflicts with the current
+    #   value.
+    # @return [void]
+    def update(seen_at: Time.now.utc, ip: Aikido::Zen.current_context&.request&.ip)
+      @last_seen_at.try_update { |last_seen_at| [last_seen_at, seen_at].max }
+      @ip.try_update { |last_ip| [ip, last_ip].compact.first }
+    end
+
+    # @return [self]
+    def to_aikido_actor
+      self
+    end
+
+    def ==(other)
+      other.is_a?(Actor) && id == other.id
+    end
+    alias_method :eql?, :==
+
+    def hash
+      id.hash
+    end
+
+    def as_json
+      {
+        id: id,
+        name: name,
+        lastIpAddress: ip,
+        firstSeenAt: first_seen_at.to_i * 1000,
+        lastSeenAt: last_seen_at.to_i * 1000
+      }.compact
+    end
+  end
+end

data/lib/aikido/zen/agent/heartbeats_manager.rb

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  # Handles scheduling the heartbeats we send to the Aikido servers, managing
+  # runtime changes to the heartbeat interval.
+  class Agent::HeartbeatsManager
+    def initialize(worker:, settings: Aikido::Zen.runtime_settings, config: Aikido::Zen.config)
+      @settings = settings
+      @config = config
+      @worker = worker
+
+      @timer = nil
+    end
+
+    # @return [Boolean]
+    def running?
+      !!@timer&.running?
+    end
+
+    # @return [Boolean] whether the currently running heartbeat matches the
+    #   expected interval in the runtime settings.
+    def stale_settings?
+      running? && @timer.execution_interval != @settings.heartbeat_interval
+    end
+
+    # Sets up the the timer to run the given block at the appropriate interval.
+    # Re-entrant, and does nothing if already running.
+    #
+    # @return [void]
+    def start(&task)
+      return if running?
+
+      if @settings.heartbeat_interval&.nonzero?
+        @config.logger.debug "Scheduling heartbeats every #{@settings.heartbeat_interval} seconds"
+        @timer = @worker.every(@settings.heartbeat_interval, run_now: false, &task)
+      else
+        @config.logger.warn(format("Heartbeat could not be set up (interval: %p)", @settings.heartbeat_interval))
+      end
+    end
+
+    # Cleans up the timer.
+    #
+    # @return [void]
+    def stop
+      return unless running?
+
+      @timer.shutdown
+      @timer = nil
+    end
+
+    # Resets the timer to start with any new settings, if needed.
+    #
+    # @return [void]
+    def restart(&task)
+      stop
+      start(&task)
+    end
+
+    # @api private
+    #
+    # @return [Integer] the current delay between events.
+    def interval
+      @settings.heartbeat_interval
+    end
+  end
+end

data/lib/aikido/zen/agent.rb

@@ -0,0 +1,179 @@
+# frozen_string_literal: true
+
+require "concurrent"
+require_relative "event"
+require_relative "config"
+require_relative "system_info"
+
+module Aikido::Zen
+  # Handles the background processes that communicate with the Aikido servers,
+  # including managing the runtime settings that keep the app protected.
+  class Agent
+    # Initialize and start an agent instance.
+    #
+    # @return [Aikido::Zen::Agent]
+    def self.start(**opts)
+      new(**opts).tap(&:start!)
+    end
+
+    def initialize(
+      config: Aikido::Zen.config,
+      collector: Aikido::Zen.collector,
+      detached_agent: Aikido::Zen.detached_agent,
+      worker: Aikido::Zen::Worker.new(config: config),
+      api_client: Aikido::Zen::APIClient.new(config: config)
+    )
+      @started_at = nil
+
+      @config = config
+      @worker = worker
+      @api_client = api_client
+      @collector = collector
+      @detached_agent = detached_agent
+    end
+
+    def started?
+      !!@started_at
+    end
+
+    def start!
+      @config.logger.info "Starting Aikido agent v#{Aikido::Zen::VERSION}"
+
+      raise Aikido::ZenError, "Aikido Agent already started!" if started?
+      @started_at = Time.now.utc
+      @collector.start(at: @started_at)
+
+      if @config.blocking_mode?
+        @config.logger.info "Requests identified as attacks will be blocked"
+      else
+        @config.logger.warn "Non-blocking mode enabled! No requests will be blocked."
+      end
+
+      if @api_client.can_make_requests?
+        @config.logger.info "API Token set! Reporting has been enabled."
+      else
+        @config.logger.warn "No API Token set! Reporting has been disabled."
+        return
+      end
+
+      at_exit { stop! if started? }
+
+      report(Events::Started.new(time: @started_at)) do |response|
+        updated_settings! if Aikido::Zen.runtime_settings.update_from_json(response)
+        @config.logger.info "Updated runtime settings."
+      rescue => err
+        @config.logger.error(err.message)
+      end
+
+      poll_for_setting_updates
+
+      @worker.delay(@config.initial_heartbeat_delay) do
+        send_heartbeat if @collector.stats.any?
+      end
+    end
+
+    # Clean up any ongoing threads, and reset the state. Called automatically
+    # when the process exits.
+    #
+    # @return [void]
+    def stop!
+      @config.logger.info "Stopping Aikido agent"
+      @started_at = nil
+      @worker.shutdown
+    end
+
+    # Respond to the runtime settings changing after being fetched from the
+    # Aikido servers.
+    #
+    # @return [void]
+    def updated_settings!
+      if !heartbeats.running?
+        heartbeats.start { send_heartbeat }
+      elsif heartbeats.stale_settings?
+        heartbeats.restart { send_heartbeat }
+      end
+    end
+
+    # Given an Attack, report it to the Aikido server, and/or block the request
+    # depending on configuration.
+    #
+    # @param attack [Attack] a detected attack.
+    # @return [void]
+    #
+    # @raise [Aikido::Zen::UnderAttackError] if the firewall is configured
+    #   to block requests.
+    def handle_attack(attack)
+      attack.will_be_blocked! if @config.blocking_mode?
+
+      @config.logger.error(
+        format("Zen has %s a %s: %s", attack.blocked? ? "blocked" : "detected", attack.humanized_name, attack.as_json.to_json)
+      )
+      report(Events::Attack.new(attack: attack)) if @api_client.can_make_requests?
+
+      @collector.track_attack(attack)
+      raise attack if attack.blocked?
+    end
+
+    # Asynchronously reports an Event of any kind to the Aikido dashboard. If
+    # given a block, the API response will be passed to the block for handling.
+    #
+    # @param event [Aikido::Zen::Event]
+    # @yieldparam response [Object] the response from the reporting API in case
+    #   of a successful request.
+    #
+    # @return [void]
+    def report(event)
+      @worker.perform do
+        response = @api_client.report(event)
+        yield response if response && block_given?
+      rescue Aikido::Zen::APIError, Aikido::Zen::NetworkError => err
+        @config.logger.error(err.message)
+      end
+    end
+
+    # @api private
+    #
+    # Atomically flushes all the stats stored by the agent, and sends a
+    # heartbeat event. Scheduled to run automatically on a recurring schedule
+    # when reporting is enabled.
+    #
+    # @param at [Time] the event time. Defaults to now.
+    # @return [void]
+    # @see Aikido::Zen::RuntimeSettings#heartbeat_interval
+    def send_heartbeat(at: Time.now.utc)
+      return unless @api_client.can_make_requests?
+
+      @collector.flush_heartbeats.each do |heartbeat|
+        report(heartbeat) do |response|
+          updated_settings! if Aikido::Zen.runtime_settings.update_from_json(response)
+          @config.logger.info "Updated runtime settings after heartbeat"
+        end
+      end
+    end
+
+    # @api private
+    #
+    # Sets up the timer task that polls the Aikido Runtime API for updates to
+    # the runtime settings every minute.
+    #
+    # @return [void]
+    # @see Aikido::Zen::RuntimeSettings
+    def poll_for_setting_updates
+      @worker.every(@config.polling_interval) do
+        if @api_client.should_fetch_settings?
+          updated_settings! if Aikido::Zen.runtime_settings.update_from_json(@api_client.fetch_settings)
+          @config.logger.info "Updated runtime settings after polling"
+        end
+      end
+    end
+
+    private def heartbeats
+      @heartbeats ||= Aikido::Zen::Agent::HeartbeatsManager.new(
+        config: @config,
+        worker: @worker
+      )
+    end
+  end
+end
+
+require_relative "agent/heartbeats_manager"

data/lib/aikido/zen/api_client.rb

@@ -0,0 +1,142 @@
+# frozen_string_literal: true
+
+require "net/http"
+require_relative "rate_limiter"
+
+module Aikido::Zen
+  # Implements all communication with the Aikido servers.
+  class APIClient
+    def initialize(
+      config: Aikido::Zen.config,
+      rate_limiter: Aikido::Zen::RateLimiter::Breaker.new,
+      system_info: Aikido::Zen.system_info
+    )
+      @config = config
+      @system_info = system_info
+      @rate_limiter = rate_limiter
+    end
+
+    # @return [Boolean] whether we have a configured token.
+    def can_make_requests?
+      @config.api_token.to_s.size > 0
+    end
+
+    # Checks with the Aikido Runtime API the timestamp of the last settings
+    # update, and compares against the given value.
+    #
+    # @param last_updated_at [Time]
+    #
+    # @return [Boolean]
+    # @raise (see #request)
+    def should_fetch_settings?(last_updated_at = Aikido::Zen.runtime_settings.updated_at)
+      @config.logger.debug("Polling for new runtime settings to fetch")
+
+      return false unless can_make_requests?
+      return true if last_updated_at.nil?
+
+      response = request(
+        Net::HTTP::Get.new("/config", default_headers),
+        base_url: @config.realtime_endpoint
+      )
+
+      new_updated_at = Time.at(response["configUpdatedAt"].to_i / 1000)
+      new_updated_at > last_updated_at
+    end
+
+    # Fetches the runtime settings from the server. In case of a timeout or
+    # other low-lever error, the request will be automatically retried up to two
+    # times, after which it will raise an error.
+    #
+    # @return [Hash] decoded JSON response from the server with the runtime
+    #   settings.
+    # @raise (see #request)
+    def fetch_settings
+      @config.logger.debug("Fetching new runtime settings")
+
+      request(Net::HTTP::Get.new("/api/runtime/config", default_headers))
+    end
+
+    # @overload report(event)
+    #   Reports an event to the server.
+    #
+    #   @param event [Aikido::Zen::Event]
+    #   @return [void]
+    #   @raise (see #request)
+    #
+    # @overload report(settings_updating_event)
+    #   Reports an event that responds with updated runtime settings, and
+    #   requires us to update settings afterwards.
+    #
+    #   @param settings_updating_event [Aikido::Zen::Events::Started,
+    #     Aikido::Zen::Events::Heartbeat]
+    #   @return (see #fetch_settings)
+    #   @raise (see #request)
+    def report(event)
+      event_type = if event.respond_to?(:type)
+        event.type
+      else
+        event[:type]
+      end
+
+      if @rate_limiter.throttle?(event_type)
+        @config.logger.error("Not reporting #{event_type.upcase} event due to rate limiting")
+        return
+      end
+
+      @config.logger.debug("Reporting #{event_type.upcase} event")
+
+      req = Net::HTTP::Post.new("/api/runtime/events", default_headers)
+      req.content_type = "application/json"
+      req.body = if event.respond_to?(:as_json)
+        @config.json_encoder.call(event.as_json)
+      else
+        @config.json_encoder.call(event)
+      end
+
+      request(req)
+    rescue Aikido::Zen::RateLimitedError
+      @rate_limiter.open!
+      raise
+    end
+
+    # Perform an HTTP request against one of our API endpoints, and process the
+    # response.
+    #
+    # @param request [Net::HTTPRequest]
+    # @param base_url [URI] which API to use. Defaults to +Config#api_endpoint+.
+    #
+    # @return [Object] the result of decoding the JSON response from the server.
+    #
+    # @raise [Aikido::Zen::APIError] in case of a 4XX or 5XX response.
+    # @raise [Aikido::Zen::NetworkError] if an error occurs trying to make the
+    #   request.
+    private def request(request, base_url: @config.api_endpoint)
+      Net::HTTP.start(base_url.host, base_url.port, http_settings) do |http|
+        response = http.request(request)
+
+        case response
+        when Net::HTTPSuccess
+          @config.json_decoder.call(response.body)
+        when Net::HTTPTooManyRequests
+          raise RateLimitedError.new(request, response)
+        else
+          raise APIError.new(request, response)
+        end
+      end
+    rescue Timeout::Error, IOError, SystemCallError, OpenSSL::OpenSSLError => err
+      raise NetworkError.new(request, err)
+    end
+
+    private def http_settings
+      @http_settings ||= {use_ssl: true, max_retries: 2}.merge(@config.api_timeouts)
+    end
+
+    private def default_headers
+      @default_headers ||= {
+        "Authorization" => @config.api_token,
+        "Accept" => "application/json",
+        "User-Agent" => "#{@system_info.library_name} v#{@system_info.library_version}"
+      }
+    end
+  end
+end

data/lib/aikido/zen/attack.rb

@@ -0,0 +1,207 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  # Attack objects gather information about a type of detected attack.
+  # They can be used in a few ways, like for reporting an attack event
+  # to the Aikido server, or can be raised as errors to block requests
+  # if blocking_mode is on.
+  class Attack
+    attr_reader :context
+    attr_reader :operation
+    attr_accessor :sink
+
+    def initialize(context:, sink:, operation:)
+      @context = context
+      @operation = operation
+      @sink = sink
+      @blocked = false
+    end
+
+    def will_be_blocked!
+      @blocked = true
+    end
+
+    def blocked?
+      @blocked
+    end
+
+    def humanized_name
+      raise NotImplementedError, "implement in subclasses"
+    end
+
+    def kind
+      raise NotImplementedError, "implement in subclasses"
+    end
+
+    def input
+      raise NotImplementedError, "implement in subclasses"
+    end
+
+    def metadata
+      raise NotImplementedError, "implement in subclasses"
+    end
+
+    def as_json
+      {
+        kind: kind,
+        blocked: blocked?,
+        metadata: metadata,
+        operation: @operation
+      }.merge(input.as_json)
+    end
+
+    def exception(*)
+      raise NotImplementedError, "implement in subclasses"
+    end
+  end
+
+  module Attacks
+    class PathTraversalAttack < Attack
+      attr_reader :input
+      attr_reader :filepath
+
+      def initialize(input:, filepath:, **opts)
+        super(**opts)
+        @input = input
+        @filepath = filepath
+      end
+
+      def metadata
+        {filename: filepath}
+      end
+
+      def humanized_name
+        "path traversal attack"
+      end
+
+      def kind
+        "path_traversal"
+      end
+
+      def exception(*)
+        PathTraversalError.new(self)
+      end
+    end
+
+    class ShellInjectionAttack < Attack
+      attr_reader :input
+      attr_reader :command
+
+      def initialize(input:, command:, **opts)
+        super(**opts)
+        @input = input
+        @command = command
+      end
+
+      def humanized_name
+        "shell injection"
+      end
+
+      def kind
+        "shell_injection"
+      end
+
+      def metadata
+        {
+          command: @command
+        }
+      end
+
+      def exception(*)
+        ShellInjectionError.new(self)
+      end
+    end
+
+    class SQLInjectionAttack < Attack
+      attr_reader :query
+      attr_reader :input
+      attr_reader :dialect
+
+      def initialize(query:, input:, dialect:, **opts)
+        super(**opts)
+        @query = query
+        @input = input
+        @dialect = dialect
+      end
+
+      def humanized_name
+        "SQL injection"
+      end
+
+      def kind
+        "sql_injection"
+      end
+
+      def metadata
+        {sql: @query}
+      end
+
+      def exception(*)
+        SQLInjectionError.new(self)
+      end
+    end
+
+    class SSRFAttack < Attack
+      attr_reader :input
+      attr_reader :request
+
+      def initialize(request:, input:, **opts)
+        super(**opts)
+        @input = input
+        @request = request
+      end
+
+      def humanized_name
+        "server-side request forgery"
+      end
+
+      def kind
+        "ssrf"
+      end
+
+      def exception(*)
+        SSRFDetectedError.new(self)
+      end
+
+      def metadata
+        {
+          host: @request.uri.hostname,
+          port: @request.uri.port
+        }
+      end
+    end
+
+    # Special case of an SSRF attack where we don't have a context—we're just
+    # detecting a request to a particularly sensitive address.
+    class StoredSSRFAttack < Attack
+      attr_reader :hostname
+      attr_reader :address
+
+      def initialize(hostname:, address:, **opts)
+        super(**opts)
+        @hostname = hostname
+        @address = address
+      end
+
+      def humanized_name
+        "server-side request forgery"
+      end
+
+      def exception(*)
+        SSRFDetectedError.new(self)
+      end
+
+      def kind
+        "ssrf"
+      end
+
+      def input
+        Aikido::Zen::Payload::UNKNOWN_PAYLOAD
+      end
+
+      def metadata
+        {}
+      end
+    end
+  end
+end