aikido-zen 1.0.1.beta.4-arm64-linux-musl → 1.0.2.beta.1-arm64-linux-musl

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 13229846adf3a7f9c9d90bf7d435102a022ea66e9910a64dbb9431768fb5534f
-  data.tar.gz: 79262ea8aea354f906a3f192f5ee83b0751279190d0f90e0393a01700a5e9540
+  metadata.gz: 465d5decea5ac5abf60172f2db49977bea1e3325451e594c22890e7f7dabf06a
+  data.tar.gz: 4ae92c15b6b57ca6ea4c7050c49667c8a5bc63349982ec354491ea06c76f4c91
 SHA512:
-  metadata.gz: 85564fc7801f6a11b906c65d24976cb1794294e15b0df0e30ca2e6e3da7333096d2f75d9f530b468f57f7cea3789db304283566ff7335c315672d755946ecb5c
-  data.tar.gz: cd89e78e392e9b0a01ce750bf5f42536e42cdfe61330ac64c9fdadf82ddfc159c361b6d3be576c46dcdd946ee8fcf7666ae11d0a8cf1960a689b95964380de94
+  metadata.gz: 967c7e53e134f863289a9be77903ead79998bdbcf4abcfdd60d2ed06b9a79e7e98a158648a0043a616a3a27101820d6a49698f5c32f904eb80cc376d75fc9228
+  data.tar.gz: 95a5a5fb3531e3212cbc285d362d7179c35abb818671764115db449c2d39cfb8b9b652ed5d89c186b7482a311a4db3b233a43b9abcacd0312ca15f61fb163351

data/docs/rails.md

@@ -2,19 +2,63 @@
 
 To install Zen, add the gem:
 
-```
+```sh
 bundle add aikido-zen
 ```
 
+And require it before `Bundler.require` in `config/application.rb`:
+
+```ruby
+# config/application.rb
+require_relative "boot"
+
+require "rails/all"
+
+require "aikido-zen"
+Aikido::Zen.protect!
+
+# Require the gems listed in Gemfile, including any gems
+# you've limited to :test, :development, or :production.
+Bundler.require(*Rails.groups)
+
+...
+```
+
 That's it! Zen will start to run inside your app when it starts getting
 requests.
 
+## Rate limiting and user blocking
+
+If you want to add the rate limiting feature to your app, modify your code like this:
+
+```ruby
+# app/controllers/application_controller.rb
+class ApplicationController < ActionController::Base
+  private
+
+  def current_user
+    return unless session[:user_id]
+    User.find(session[:user_id])
+  end
+
+  def authenticate_user!
+    # Your authentication logic here
+    # ...
+    # Optional, if you want to use user based rate limiting or block specific users
+    Aikido::Zen.set_user(
+      id: current_user.id,
+      name: current_user.name
+    )
+  end
+end
+```
+
 ## Configuration
 
 Zen exposes its configuration object to the Rails configuration, which you can
 modify in an initializer if desired:
 
-``` ruby
+```ruby
 # config/initializers/zen.rb
 Rails.application.config.zen.api_timeouts = 20
 ```
@@ -30,7 +74,7 @@ If you're using Rails' [encrypted credentials][creds], and prefer not storing
 sensitive values in your env vars, you can easily configure Zen for it. For
 example, assuming the following credentials structure:
 
-``` yaml
+```yaml
 # config/credentials.yml.enc
 zen:
   token: "AIKIDO_RUNTIME_..."
@@ -38,7 +82,7 @@ zen:
 
 You can just tell Zen to use it like so:
 
-``` ruby
+```ruby
 # config/initializers/zen.rb
 Rails.application.config.zen.token = Rails.application.credentials.zen.token
 ```
@@ -61,7 +105,7 @@ way.
 By default, Zen will use the Rails logger, prefixing messages with `[aikido]`.
 You can redirect the log to a separate stream by overriding the logger:
 
-```
+```ruby
 # config/initializers/zen.rb
 Rails.application.config.zen.logger = Logger.new(...)
 ```

data/lib/aikido/zen/config.rb

@@ -64,7 +64,7 @@ module Aikido::Zen
     # @return [string] Path of the socket where the detached agent will listen.
     # By default, is stored under the root application path with file name
     # `aikido-detached-agent.sock`
-    attr_reader :detached_agent_socket_path
+    attr_accessor :detached_agent_socket_path
 
     # @return [Boolean] is the agent in debugging mode?
     attr_accessor :debugging
@@ -222,9 +222,8 @@ module Aikido::Zen
       @api_timeouts.update(value)
     end
 
-    def detached_agent_socket_path=(path)
-      @detached_agent_socket_path = path
-      @detached_agent_socket_path = "drbunix:" + @detached_agent_socket_path unless @detached_agent_socket_path.start_with?("drbunix:")
+    def detached_agent_socket_uri
+      "drbunix:" + @detached_agent_socket_path
     end
 
     private

data/lib/aikido/zen/detached_agent/agent.rb

@@ -32,7 +32,7 @@ module Aikido::Zen::DetachedAgent
       @polling_interval = polling_interval
       @worker = worker
       @collector = collector
-      @detached_agent_front = DRbObject.new_with_uri(config.detached_agent_socket_path)
+      @detached_agent_front = DRbObject.new_with_uri(config.detached_agent_socket_uri)
       @has_forked = false
       schedule_tasks
     end

data/lib/aikido/zen/detached_agent/server.rb

@@ -1,41 +1,78 @@
 # frozen_string_literal: true
 
+require "fileutils"
+
 module Aikido::Zen::DetachedAgent
   class Server
+    # Initialize and start a detached agent server instance.
+    #
+    # @return [Aikido::Zen::DetachedAgent::Server]
+    def self.start(**opts)
+      new(**opts).tap(&:start!)
+    end
+
     def initialize(config: Aikido::Zen.config)
-      @detached_agent_front = FrontObject.new
-      @drb_server = DRb.start_service(config.detached_agent_socket_path, @detached_agent_front)
+      @started_at = nil
 
-      # We don't want to see drb logs unless in debug mode
-      @drb_server.verbose = config.logger.debug?
-    end
+      @config = config
 
-    def alive?
-      @drb_server.alive?
+      @socket_path = config.detached_agent_socket_path
+      @socket_uri = config.detached_agent_socket_uri
     end
 
-    def stop!
-      @drb_server.stop_service
-      DRb.stop_service
+    def started?
+      !!@started_at
     end
 
-    class << self
-      def start!
-        Aikido::Zen.config.logger.debug("Starting DRb Server...")
-        max_attempts = 10
-        @server = new
-
-        attempts = 0
-        until @server.alive?
-          Aikido::Zen.config.logger.info("DRb Server still not alive. #{max_attempts - attempts} attempts remaining")
-          sleep 0.1
-          attempts += 1
-          raise Aikido::Zen::DetachedAgentError.new("Impossible to start the dRB server (socket=#{Aikido::Zen.config.detached_agent_socket_path})") \
-            if attempts == max_attempts
-        end
-
-        @server
+    def start!
+      @config.logger.info("Starting DRb Server...")
+
+      # Try to ensure that the DRb service can start if the DRb service did
+      # not stop cleanly.
+      begin
+        # Check whether the Unix domain socket is in use by another process.
+        UNIXSocket.new(@socket_path).close
+      rescue Errno::ECONNREFUSED
+        @config.logger.debug("Removing residual Unix domain socket...")
+
+        # Remove the residual Unix domain socket.
+        FileUtils.rm_f(@socket_path)
+      rescue
+        # empty
+      end
+
+      @front = FrontObject.new
+
+      # If the Unix domain socket is in use by another process and/or the
+      # residual Unix domain socket could not be removed DRb will raise an
+      # appropriate error.
+      @drb_server = DRb.start_service(@socket_uri, @front)
+
+      # Only show DRb output in debug mode.
+      @drb_server.verbose = @config.logger.debug?
+
+      # Ensure that the DRb server is alive.
+      max_attempts = 10
+      attempts = 0
+      until @drb_server.alive?
+        @config.logger.info("DRb Server still not alive. #{max_attempts - attempts} attempts remaining")
+        sleep 0.1
+        attempts += 1
+        raise Aikido::Zen::DetachedAgentError.new("Impossible to start the dRB server (socket=#{Aikido::Zen.config.detached_agent_socket_path})") \
+          if attempts == max_attempts
       end
+
+      @started_at = Time.now.utc
+
+      at_exit { stop! if started? }
+    end
+
+    def stop!
+      @config.logger.info("Stopping DRb Server...")
+      @started_at = nil
+
+      @drb_server.stop_service if @drb_server.alive?
+      DRb.stop_service
     end
   end
 end

data/lib/aikido/zen/sinks/async_http.rb

@@ -7,14 +7,6 @@ module Aikido::Zen
   module Sinks
     module Async
       module HTTP
-        def self.load_sinks!
-          if Aikido::Zen.satisfy "async-http", ">= 0.70.0"
-            require "async/http"
-
-            ::Async::HTTP::Client.prepend(Async::HTTP::ClientExtensions)
-          end
-        end
-
         SINK = Sinks.add("async-http", scanners: [
           Scanners::SSRFScanner,
           OutboundConnectionMonitor
@@ -30,48 +22,54 @@ module Aikido::Zen
           end
         end
 
-        module ClientExtensions
-          extend Sinks::DSL
+        def self.load_sinks!
+          if Aikido::Zen.satisfy "async-http", ">= 0.70.0"
+            require "async/http"
 
-          sink_around :call do |super_call, request|
-            uri = URI(format("%<scheme>s://%<authority>s%<path>s", {
-              scheme: request.scheme || scheme,
-              authority: request.authority || authority,
-              path: request.path
-            }))
+            ::Async::HTTP::Client.class_eval do
+              extend Sinks::DSL
 
-            wrapped_request = Scanners::SSRFScanner::Request.new(
-              verb: request.method,
-              uri: uri,
-              headers: request.headers.to_h,
-              header_normalizer: ->(value) { Array(value).join(", ") }
-            )
+              sink_around :call do |original_call, request|
+                uri = URI(format("%<scheme>s://%<authority>s%<path>s", {
+                  scheme: request.scheme || scheme,
+                  authority: request.authority || authority,
+                  path: request.path
+                }))
 
-            # Store the request information so the DNS sinks can pick it up.
-            context = Aikido::Zen.current_context
-            if context
-              prev_request = context["ssrf.request"]
-              context["ssrf.request"] = wrapped_request
-            end
+                wrapped_request = Scanners::SSRFScanner::Request.new(
+                  verb: request.method,
+                  uri: uri,
+                  headers: request.headers.to_h,
+                  header_normalizer: ->(value) { Array(value).join(", ") }
+                )
 
-            connection = OutboundConnection.from_uri(uri)
+                # Store the request information so the DNS sinks can pick it up.
+                context = Aikido::Zen.current_context
+                if context
+                  prev_request = context["ssrf.request"]
+                  context["ssrf.request"] = wrapped_request
+                end
 
-            Helpers.scan(wrapped_request, connection, "request")
+                connection = OutboundConnection.from_uri(uri)
 
-            response = super_call.call
+                Helpers.scan(wrapped_request, connection, "request")
 
-            Scanners::SSRFScanner.track_redirects(
-              request: wrapped_request,
-              response: Scanners::SSRFScanner::Response.new(
-                status: response.status,
-                headers: response.headers.to_h,
-                header_normalizer: ->(value) { Array(value).join(", ") }
-              )
-            )
+                response = original_call.call
+
+                Scanners::SSRFScanner.track_redirects(
+                  request: wrapped_request,
+                  response: Scanners::SSRFScanner::Response.new(
+                    status: response.status,
+                    headers: response.headers.to_h,
+                    header_normalizer: ->(value) { Array(value).join(", ") }
+                  )
+                )
 
-            response
-          ensure
-            context["ssrf.request"] = prev_request if context
+                response
+              ensure
+                context["ssrf.request"] = prev_request if context
+              end
+            end
           end
         end
       end

data/lib/aikido/zen/sinks/curb.rb

@@ -6,14 +6,6 @@ require_relative "../outbound_connection_monitor"
 module Aikido::Zen
   module Sinks
     module Curl
-      def self.load_sinks!
-        if Aikido::Zen.satisfy "curb", ">= 0.2.3"
-          require "curb"
-
-          ::Curl::Easy.prepend(Curl::EasyExtensions)
-        end
-      end
-
       SINK = Sinks.add("curb", scanners: [
         Scanners::SSRFScanner,
         OutboundConnectionMonitor
@@ -53,59 +45,65 @@ module Aikido::Zen
         end
       end
 
-      module EasyExtensions
-        extend Sinks::DSL
-
-        sink_around :perform do |super_call|
-          wrapped_request = Helpers.wrap_request(self)
-
-          # Store the request information so the DNS sinks can pick it up.
-          context = Aikido::Zen.current_context
-          if context
-            prev_request = context["ssrf.request"]
-            context["ssrf.request"] = wrapped_request
-          end
-
-          connection = OutboundConnection.from_uri(URI(url))
-
-          Helpers.scan(wrapped_request, connection, "request")
-
-          response = super_call.call
-
-          Scanners::SSRFScanner.track_redirects(
-            request: wrapped_request,
-            response: Helpers.wrap_response(self)
-          )
+      def self.load_sinks!
+        if Aikido::Zen.satisfy "curb", ">= 0.2.3"
+          require "curb"
 
-          # When libcurl has follow_location set, it will handle redirections
-          # internally, and expose the "last_effective_url" as the URI that was
-          # last requested in the redirect chain.
-          #
-          # In this case, we can't actually stop the request from happening, but
-          # we can scan again (now that we know another request happened), to
-          # stop the response from being exposed to the user. This downgrades
-          # the SSRF into a blind SSRF, which is better than doing nothing.
-          if url != last_effective_url
-            last_effective_request = Helpers.wrap_request(self, url: last_effective_url)
-
-            # Code coverage is disabled here because the else clause is a no-op,
-            # so there is nothing to cover.
-            # :nocov:
-            if context
-              context["ssrf.request"] = last_effective_request
-            else
-              # empty
+          ::Curl::Easy.class_eval do
+            extend Sinks::DSL
+
+            sink_around :perform do |original_call|
+              wrapped_request = Helpers.wrap_request(self)
+
+              # Store the request information so the DNS sinks can pick it up.
+              context = Aikido::Zen.current_context
+              if context
+                prev_request = context["ssrf.request"]
+                context["ssrf.request"] = wrapped_request
+              end
+
+              connection = OutboundConnection.from_uri(URI(url))
+
+              Helpers.scan(wrapped_request, connection, "request")
+
+              response = original_call.call
+
+              Scanners::SSRFScanner.track_redirects(
+                request: wrapped_request,
+                response: Helpers.wrap_response(self)
+              )
+
+              # When libcurl has follow_location set, it will handle redirections
+              # internally, and expose the "last_effective_url" as the URI that was
+              # last requested in the redirect chain.
+              #
+              # In this case, we can't actually stop the request from happening, but
+              # we can scan again (now that we know another request happened), to
+              # stop the response from being exposed to the user. This downgrades
+              # the SSRF into a blind SSRF, which is better than doing nothing.
+              if url != last_effective_url
+                last_effective_request = Helpers.wrap_request(self, url: last_effective_url)
+
+                # Code coverage is disabled here because the else clause is a no-op,
+                # so there is nothing to cover.
+                # :nocov:
+                if context
+                  context["ssrf.request"] = last_effective_request
+                else
+                  # empty
+                end
+                # :nocov:
+
+                connection = OutboundConnection.from_uri(URI(last_effective_url))
+
+                Helpers.scan(last_effective_request, connection, "request")
+              end
+
+              response
+            ensure
+              context["ssrf.request"] = prev_request if context
             end
-            # :nocov:
-
-            connection = OutboundConnection.from_uri(URI(last_effective_url))
-
-            Helpers.scan(last_effective_request, connection, "request")
           end
-
-          response
-        ensure
-          context["ssrf.request"] = prev_request if context
         end
       end
     end

data/lib/aikido/zen/sinks/em_http.rb

@@ -7,19 +7,6 @@ module Aikido::Zen
   module Sinks
     module EventMachine
       module HttpRequest
-        def self.load_sinks!
-          if Aikido::Zen.satisfy "em-http-request", ">= 1.0"
-            require "em-http-request"
-
-            ::EventMachine::HttpRequest.use(EventMachine::HttpRequest::Middleware)
-
-            # NOTE: We can't use middleware to intercept requests as we want to ensure any
-            # modifications to the request from user-supplied middleware are already applied
-            # before we scan the request.
-            ::EventMachine::HttpClient.prepend(EventMachine::HttpRequest::HttpClientExtensions)
-          end
-        end
-
         SINK = Sinks.add("em-http-request", scanners: [
           Scanners::SSRFScanner,
           OutboundConnectionMonitor
@@ -35,26 +22,37 @@ module Aikido::Zen
           end
         end
 
-        module HttpClientExtensions
-          extend Sinks::DSL
+        def self.load_sinks!
+          if Aikido::Zen.satisfy "em-http-request", ">= 1.0"
+            require "em-http-request"
 
-          sink_before :send_request do
-            wrapped_request = Scanners::SSRFScanner::Request.new(
-              verb: req.method.to_s,
-              uri: URI(req.uri),
-              headers: req.headers
-            )
+            ::EventMachine::HttpRequest.use(EventMachine::HttpRequest::Middleware)
 
-            # Store the request information so the DNS sinks can pick it up.
-            context = Aikido::Zen.current_context
-            context["ssrf.request"] = wrapped_request if context
+            # NOTE: We can't use middleware to intercept requests as we want to ensure any
+            # modifications to the request from user-supplied middleware are already applied
+            # before we scan the request.
+            ::EventMachine::HttpClient.class_eval do
+              extend Sinks::DSL
 
-            connection = OutboundConnection.new(
-              host: req.host,
-              port: req.port
-            )
+              sink_before :send_request do
+                wrapped_request = Scanners::SSRFScanner::Request.new(
+                  verb: req.method.to_s,
+                  uri: URI(req.uri),
+                  headers: req.headers
+                )
+
+                # Store the request information so the DNS sinks can pick it up.
+                context = Aikido::Zen.current_context
+                context["ssrf.request"] = wrapped_request if context
+
+                connection = OutboundConnection.new(
+                  host: req.host,
+                  port: req.port
+                )
 
-            Helpers.scan(wrapped_request, connection, "request")
+                Helpers.scan(wrapped_request, connection, "request")
+              end
+            end
           end
         end