aikido-zen 1.0.2.beta.2-aarch64-linux

data/lib/aikido/zen.rb

@@ -0,0 +1,246 @@
+# frozen_string_literal: true
+
+require_relative "zen/version"
+require_relative "zen/errors"
+require_relative "zen/actor"
+require_relative "zen/config"
+require_relative "zen/collector"
+require_relative "zen/system_info"
+require_relative "zen/worker"
+require_relative "zen/agent"
+require_relative "zen/api_client"
+require_relative "zen/context"
+require_relative "zen/detached_agent"
+require_relative "zen/middleware/check_allowed_addresses"
+require_relative "zen/middleware/middleware"
+require_relative "zen/middleware/request_tracker"
+require_relative "zen/middleware/set_context"
+require_relative "zen/outbound_connection"
+require_relative "zen/outbound_connection_monitor"
+require_relative "zen/runtime_settings"
+require_relative "zen/rate_limiter"
+require_relative "zen/scanners"
+
+module Aikido
+  module Zen
+    # Enable protection. Until this method is called no sinks are loaded
+    # and the Aikido Agent does not start.
+    #
+    # This method should be called only once, in the application after the
+    # initialization process is complete.
+    #
+    # @return [void]
+    def self.protect!
+      if config.disabled?
+        config.logger.warn("Zen has been disabled and will not run.")
+        return
+      end
+
+      return unless config.protect?
+
+      unless load_sources! && load_sinks!
+        config.logger.warn("Zen could not find any supported libraries or frameworks. Visit https://github.com/AikidoSec/firewall-ruby for more information.")
+        return
+      end
+
+      middleware_installed!
+    end
+
+    # @!visibility private
+    # Returns whether the loaded gem specification satisfies the listed requirements.
+    #
+    # Returns false if the gem specification is not loaded.
+    #
+    # @param name [String] the gem name
+    # @param requirements [Array<String>] a variable number of gem requirement strings
+    #
+    # @return [Boolean] true if the gem specification is loaded and all gem requirements are satisfied
+    def self.satisfy(name, *requirements)
+      spec = Gem.loaded_specs[name]
+
+      return false if spec.nil?
+
+      Gem::Requirement.new(*requirements).satisfied_by?(spec.version)
+    end
+
+    # @return [Aikido::Zen::Config] the agent configuration.
+    def self.config
+      @config ||= Config.new
+    end
+
+    # @return [Aikido::Zen::RuntimeSettings] the firewall configuration sourced
+    #   from your Aikido dashboard. This is periodically polled for updates.
+    def self.runtime_settings
+      @runtime_settings ||= RuntimeSettings.new
+    end
+
+    def self.runtime_settings=(settings)
+      @runtime_settings = settings
+    end
+
+    # Gets information about the current system configuration, which is sent to
+    # the server along with any events.
+    def self.system_info
+      @system_info ||= SystemInfo.new
+    end
+
+    # Manages runtime metrics extracted from your app, which are uploaded to the
+    # Aikido servers if configured to do so.
+    def self.collector
+      check_and_handle_fork
+      @collector ||= Collector.new
+    end
+
+    def self.detached_agent
+      check_and_handle_fork
+      @detached_agent ||= DetachedAgent::Agent.new
+    end
+
+    # Gets the current context object that holds all information about the
+    # current request.
+    #
+    # @return [Aikido::Zen::Context, nil]
+    def self.current_context
+      Thread.current[:_aikido_current_context_]
+    end
+
+    # Sets the current context object that holds all information about the
+    # current request, or +nil+ to clear the current context.
+    #
+    # @param context [Aikido::Zen::Context, nil]
+    # @return [Aikido::Zen::Context, nil]
+    def self.current_context=(context)
+      Thread.current[:_aikido_current_context_] = context
+    end
+
+    # Track statistics about an HTTP request the app is handling.
+    #
+    # @param request [Aikido::Zen::Request]
+    # @return [void]
+    def self.track_request(request)
+      collector.track_request
+    end
+
+    def self.track_discovered_route(request)
+      collector.track_route(request)
+    end
+
+    # Tracks a network connection made to an external service.
+    #
+    # @param connection [Aikido::Zen::OutboundConnection]
+    # @return [void]
+    def self.track_outbound(connection)
+      collector.track_outbound(connection)
+    end
+
+    # Track statistics about the result of a Sink's scan, and report it as
+    # an Attack if one is detected.
+    #
+    # @param scan [Aikido::Zen::Scan]
+    # @return [void]
+    # @raise [Aikido::Zen::UnderAttackError] if the scan detected an Attack
+    #   and blocking_mode is enabled.
+    def self.track_scan(scan)
+      collector.track_scan(scan)
+      agent.handle_attack(scan.attack) if scan.attack?
+    end
+
+    # Track the user making the current request.
+    #
+    # @param (see Aikido::Zen.Actor)
+    # @return [void]
+    def self.track_user(user)
+      return if config.disabled?
+
+      if (actor = Aikido::Zen::Actor(user))
+        collector.track_user(actor)
+        current_context.request.actor = actor if current_context
+      else
+        config.logger.warn(format(<<~LOG, obj: user))
+          Incompatible object sent to track_user: %<obj>p
+
+          The object must either implement #to_aikido_actor, or be a Hash with
+          an :id (or "id") and, optionally, a :name (or "name") key.
+        LOG
+      end
+    end
+
+    # Align with other Zen implementations, while keeping internal consistency.
+    class << self
+      alias_method :set_user, :track_user
+    end
+
+    # Marks that the Zen middleware was installed properly
+    # @return void
+    def self.middleware_installed!
+      collector.middleware_installed!
+    end
+
+    # @!visibility private
+    # Load all sources.
+    #
+    # @return [Boolean] true if any sources were loaded
+    def self.load_sources!
+      if Aikido::Zen.satisfy("rails", ">= 7.0")
+        require_relative "zen/rails_engine"
+
+        return true
+      end
+
+      false
+    end
+
+    # @!visibility private
+    # Load all sinks.
+    #
+    # @return [Boolean] true if any sinks were loaded
+    def self.load_sinks!
+      require_relative "zen/sinks"
+
+      !Aikido::Zen::Sinks.registry.empty?
+    end
+
+    # @!visibility private
+    # Stop any background threads.
+    def self.stop!
+      @agent&.stop!
+      @detached_agent_server&.stop!
+    end
+
+    # @!visibility private
+    # Starts the background agent if it has not been started yet.
+    def self.agent
+      @agent ||= Agent.start
+    end
+
+    def self.detached_agent_server
+      @detached_agent_server ||= DetachedAgent::Server.start
+    end
+
+    class << self
+      # `agent` and `detached_agent` are started on the first method call.
+      # A mutex controls thread execution to prevent multiple attempts.
+      LOCK = Mutex.new
+
+      def start!
+        @pid = Process.pid
+        LOCK.synchronize do
+          agent
+          detached_agent_server
+        end
+      end
+
+      def check_and_handle_fork
+        if has_forked
+          @detached_agent&.handle_fork
+        end
+      end
+
+      def has_forked
+        pid_changed = Process.pid != @pid
+        @pid = Process.pid
+        pid_changed
+      end
+    end
+  end
+end

data/lib/aikido-zen.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+require_relative "aikido/zen"

data/placeholder/.gitignore

@@ -0,0 +1,4 @@
+LICENSE
+*.gemspec
+/lib/*.rb
+*.gem

data/placeholder/README.md

@@ -0,0 +1,11 @@
+# Security Placeholder
+
+This gem has been published by [Aikido Security](https://aikido.dev) to help prevent supply chain attacks and protect the integrity of the Ruby ecosystem.
+
+It is **not intended for direct use** and contains no functional code.
+
+If you are looking for the actual library, please use [`aikido-zen`](https://rubygems.org/gems/aikido-zen).
+
+---
+
+This package exists solely for security purposes. For more information, visit [aikido.dev](https://aikido.dev).

data/placeholder/Rakefile

@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+
+require "rake"
+require "rake/clean"
+require "rubygems/package"
+require "fileutils"
+
+GEM_NAMES = %w[aikido]
+
+# Clean up created files
+CLEAN.include("LICENSE")
+CLEAN.include(*GEM_NAMES.map { |name| "#{name}.gemspec" })
+CLEAN.include(*GEM_NAMES.map { |name| "lib/#{name}.rb" })
+CLOBBER.include(*GEM_NAMES.map { |name| "#{name}-*.gem" })
+
+namespace :build do
+  GEM_NAMES.each do |gem_name|
+    file "LICENSE" => ["../LICENSE"] do
+      FileUtils.cp("../LICENSE", "LICENSE")
+      puts "Copied LICENSE"
+    end
+
+    entry_point_path = "lib/#{gem_name}.rb"
+
+    # Generate the entry point file from template if needed
+    file entry_point_path => ["lib/placeholder.rb.template"] do
+      template = File.read("lib/placeholder.rb.template")
+      content = template.gsub("@GEM_NAME", gem_name)
+      File.write(entry_point_path, content)
+      puts "Generated #{entry_point_path}"
+    end
+
+    gemspec_path = "#{gem_name}.gemspec"
+
+    # Generate gemspec file from template if needed
+    file gemspec_path => ["placeholder.gemspec.template"] do
+      template = File.read("placeholder.gemspec.template")
+      content = template.gsub("@GEM_NAME", gem_name)
+      File.write(gemspec_path, content)
+      puts "Generated #{gemspec_path}"
+    end
+
+    desc "Build the #{gem_name} gem"
+    task gem_name => [entry_point_path, gemspec_path, "LICENSE"] do
+      gemspec = Gem::Specification.load(gemspec_path)
+      raise "Failed to load gemspec: #{gemspec_path}" unless gemspec
+
+      gem_path = Gem::Package.build(gemspec)
+      puts "Built #{gem_path}"
+    end
+  end
+
+  desc "Build all gems"
+  task all: GEM_NAMES.map { |gem_name| "build:#{gem_name}" }
+end
+
+namespace :release do
+  GEM_NAMES.each do |gem_name|
+    gemspec_path = "#{gem_name}.gemspec"
+
+    desc "Build and publish the #{gem_name} to RubyGems"
+    task gem_name => ["build:#{gem_name}"] do
+      gemspec = Gem::Specification.load(gemspec_path)
+      raise "Failed to load gemspec: #{gemspec_path}" unless gemspec
+
+      gem_path = "#{gemspec.name}-#{gemspec.version}.gem"
+
+      puts "Publishing #{gem_path} to RubyGem..."
+      sh "gem push #{gem_path}"
+    end
+  end
+
+  desc "Build and publish all gems to RubyGems"
+  task all: GEM_NAMES.map { |gem_name| "release:#{gem_name}" }
+end

data/placeholder/lib/placeholder.rb.template

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+raise LoadError, "This gem has been published by Aikido Security to help prevent supply chain attacks. It is not intended for direct use. Please use 'aikido-zen' instead."

data/placeholder/placeholder.gemspec.template

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+Gem::Specification.new do |spec|
+  spec.name = "@GEM_NAME"
+  spec.version = "0.0.2"
+  spec.authors = ["Aikido Security"]
+  spec.email = ["dev-admin@aikido.dev"]
+  spec.summary = "Security placeholder for 'aikido-zen'."
+  spec.description = "This gem has been published by Aikido Security to help prevent supply chain attacks. It is not intended for direct use. Please use 'aikido-zen' instead."
+  spec.homepage = "https://aikido.dev/zen"
+  spec.license = "AGPL-3.0-or-later"
+
+  spec.required_ruby_version = ">= 2.3"
+
+  spec.metadata["homepage_uri"] = spec.homepage
+  spec.metadata["source_code_uri"] = "https://github.com/aikidosec/firewall-ruby"
+
+  spec.files = ["lib/@GEM_NAME.rb", "README.md", "LICENSE"]
+  spec.require_paths = ["lib"]
+end

data/tasklib/bench.rake

@@ -0,0 +1,94 @@
+# frozen_string_literal: true
+
+require "socket"
+require "timeout"
+require_relative "wrk"
+
+SERVER_PIDS = {}
+PORT_PROTECTED = 3001
+PORT_UNPROTECTED = 3002
+
+def stop_servers
+  SERVER_PIDS.each { |_, pid| Process.kill("TERM", pid) }
+  SERVER_PIDS.clear
+end
+
+def boot_server(dir, port:, env: {})
+  env["RAILS_MIN_THREADS"] = NUMBER_OF_THREADS
+  env["RAILS_MAX_THREADS"] = NUMBER_OF_THREADS
+  env["PORT"] = port.to_s
+  env["SECRET_KEY_BASE"] = rand(36**64).to_s(36)
+
+  Dir.chdir(dir) do
+    SERVER_PIDS[port] = Process.spawn(
+      env,
+      "rails", "server", "--pid", "#{Dir.pwd}/tmp/pids/server.#{port}.pid", "-e", "production",
+      out: "/dev/null"
+    )
+  rescue
+    SERVER_PIDS.delete(port)
+  end
+end
+
+def port_open?(port, timeout: 1)
+  Timeout.timeout(timeout) do
+    TCPSocket.new("127.0.0.1", port).close
+    true
+  rescue Errno::ECONNREFUSED, Errno::EHOSTUNREACH, SocketError
+    false
+  end
+rescue Timeout::Error
+  false
+end
+
+def wait_for_servers
+  ports = SERVER_PIDS.keys
+
+  Timeout.timeout(10) do
+    ports.reject! { |port| port_open?(port) } while ports.any?
+  end
+rescue Timeout::Error
+  raise "Could not reach ports: #{ports.join(", ")}"
+end
+
+Pathname.glob("sample_apps/*").select(&:directory?).each do |dir|
+  namespace :bench do
+    namespace dir.basename.to_s do
+      desc "Run WRK benchmarks for the #{dir.basename} sample app"
+      task wrk_run: [:boot_protected_app, :boot_unprotected_app] do
+        throughput_decrease_limit_perc = 25
+        if Gem::Version.new(RUBY_VERSION) >= Gem::Version.new("3.0.0") && Gem::Version.new(RUBY_VERSION) < Gem::Version.new("3.1.0")
+          # add higher limit for ruby 3.0
+          throughput_decrease_limit_perc = 35
+        end
+
+        wait_for_servers
+        run_benchmark(
+          route_zen: "http://localhost:#{PORT_PROTECTED}/benchmark", # Application with Zen
+          route_no_zen: "http://localhost:#{PORT_UNPROTECTED}/benchmark", # Application without Zen
+          description: "An empty route (1ms simulated delay)",
+          throughput_decrease_limit_perc: throughput_decrease_limit_perc,
+          latency_increase_limit_ms: 200
+        )
+      ensure
+        stop_servers
+      end
+
+      desc "Run K6 benchmarks for the #{dir.basename} sample app"
+      task k6_run: [:boot_protected_app, :boot_unprotected_app] do
+        wait_for_servers
+        Dir.chdir("benchmarks") { sh "k6 run #{dir.basename}.js" }
+      ensure
+        stop_servers
+      end
+
+      task :boot_protected_app do
+        boot_server(dir, port: PORT_PROTECTED)
+      end
+
+      task :boot_unprotected_app do
+        boot_server(dir, port: PORT_UNPROTECTED, env: {"AIKIDO_DISABLED" => "true"})
+      end
+    end
+  end
+end

data/tasklib/libzen.rake

@@ -0,0 +1,133 @@
+# frozen_string_literal: true
+
+require "ffi"
+require "open-uri"
+require "rubygems/package_task"
+
+require_relative "../lib/aikido/zen/version"
+
+class LibZen
+  attr_reader :platform, :suffix, :artifact
+
+  def initialize(platform_suffix, artifact = nil)
+    platform, suffix = platform_suffix.split(".", 2)
+    @platform = Gem::Platform.new(platform)
+    @suffix = suffix
+    @artifact = artifact
+  end
+
+  def version
+    "v#{Aikido::Zen::LIBZEN_VERSION}"
+  end
+
+  def path
+    "lib/aikido/zen/libzen-#{version}-#{platform}.#{suffix}"
+  end
+
+  def url
+    File.join("https://github.com/AikidoSec/zen-internals/releases/download", version, artifact)
+  end
+
+  def gemspec(source = Bundler.load_gemspec("aikido-zen.gemspec"))
+    return @spec if defined?(@spec)
+
+    @spec = source.dup
+    @spec.platform = platform
+    @spec.files << path
+    @spec
+  end
+
+  def gem_path
+    "pkg/#{gemspec.name}-#{gemspec.version}-#{gemspec.platform}.gem"
+  end
+
+  def resolvable?
+    downloadable? || File.exist?(path)
+  end
+
+  def downloadable?
+    !artifact.nil?
+  end
+
+  def download
+    puts "Downloading #{path}"
+    File.open(path, "wb") { |file| FileUtils.copy_stream(URI(url).open("rb"), file) }
+  end
+
+  def verify
+    expected = URI(url + ".sha256sum").read.split(/\s+/).first
+    actual = Digest::SHA256.file(path).to_s
+
+    if expected != actual
+      abort "Checksum verification failed for #{path}: expected #{expected}, but got #{actual}"
+    end
+  end
+
+  def namespace
+    platform.to_s
+  end
+
+  def pkg_dir
+    File.dirname(gem_path)
+  end
+end
+
+LIBZENS = [
+  LibZen.new("arm64-darwin.dylib", "libzen_internals_aarch64-apple-darwin.dylib"),
+  LibZen.new("arm64-linux.so", "libzen_internals_aarch64-unknown-linux-gnu.so"),
+  LibZen.new("arm64-linux-musl.so", "libzen_internals_aarch64-unknown-linux-musl.so"),
+  LibZen.new("aarch64-linux.so", "libzen_internals_aarch64-unknown-linux-gnu.so"),
+  LibZen.new("x86_64-darwin.dylib", "libzen_internals_x86_64-apple-darwin.dylib"),
+  LibZen.new("x86_64-linux.so", "libzen_internals_x86_64-unknown-linux-gnu.so"),
+  LibZen.new("x86_64-linux-musl.so", "libzen_internals_x86_64-unknown-linux-musl.so"),
+  LibZen.new("x86_64-mingw64.dll", "libzen_internals_x86_64-pc-windows-gnu.dll"),
+  # Not officially supported, but used during testing:
+  LibZen.new("x86_64-freebsd.so"),
+  LibZen.new("x86_64-solaris.so")
+].filter(&:resolvable?)
+
+namespace :libzen do
+  LIBZENS.each do |lib|
+    desc "Download libzen for #{lib.platform} if necessary"
+    task(lib.namespace => lib.path)
+
+    if lib.downloadable?
+      file(lib.path) do
+        lib.download
+        lib.verify
+      end
+      CLEAN.include(lib.path)
+    end
+
+    directory lib.pkg_dir
+    CLOBBER.include(lib.pkg_dir)
+
+    file(lib.gem_path => [lib.path, lib.pkg_dir]) do
+      path = Gem::Package.build(lib.gemspec)
+      mv path, lib.pkg_dir
+    end
+    CLOBBER.include(lib.pkg_dir)
+
+    task "#{lib.namespace}:release" => [lib.gem_path, "release:guard_clean"] do
+      sh "gem", "push", lib.gem_path
+    end
+  end
+
+  desc "Build all the native gems"
+  task gems: LIBZENS.map(&:gem_path)
+
+  desc "Push all the native gems to RubyGems"
+  task release: LIBZENS.map { |lib| "#{lib.namespace}:release" }
+
+  desc "Download the libzen pre-built library for all platforms"
+  task "download:all" => LIBZENS.map(&:path)
+
+  desc "Downloads the libzen library for the current platform"
+  task "download:current" do
+    platform = Gem::Platform.local.dup
+    platform.version = nil unless Rake::Task.task_defined?("libzen:#{platform}")
+
+    # Invoke the most specific task
+    Rake::Task["libzen:#{platform}"].invoke
+  end
+end

data/tasklib/wrk.rb

@@ -0,0 +1,88 @@
+require "open3"
+require "time"
+
+NUMBER_OF_THREADS = ENV.fetch("BENCHMARK_NUMBER_OF_THREADS") { 12 }.to_s
+CONNECTIONS = ENV.fetch("BENCHMARK_WRK_CONNECTIONS") { 400 }
+
+def generate_wrk_command_for_url(url)
+  # Define the command with wrk included
+  "wrk --threads #{NUMBER_OF_THREADS} --connections #{CONNECTIONS} --duration 15s --timeout 5s --latency #{url}"
+end
+
+def cold_start(url)
+  10.times do
+    _, err, status = Open3.capture3("curl #{url}")
+
+    if status != 0
+      puts err
+      exit(-1)
+    end
+  end
+end
+
+def extract_requests_and_latency_tuple(out, err, status)
+  if status == 0
+    # Extracting requests/sec
+    requests_sec_match = out.match(/Requests\/sec:\s+([\d.]+)/)
+    requests_sec = requests_sec_match[1].to_f if requests_sec_match
+
+    # Extracting latency
+    latency_match = out.match(/Latency\s+([\d.]+)(ms|s)/)
+    latency = latency_match[1].to_f if latency_match
+    latency_unit = latency_match[2] if latency_match
+
+    if latency_unit == "s"
+      latency *= 1000
+    end
+
+    {requests_sec: requests_sec, latency: latency}
+  else
+    puts "Error occurred running benchmark command:"
+    puts err.strip
+    exit(1)
+  end
+end
+
+def run_benchmark(route_no_zen:, route_zen:, description:, throughput_decrease_limit_perc:, latency_increase_limit_ms:)
+  # Cold start
+  cold_start(route_no_zen)
+  cold_start(route_zen)
+
+  out, err, status = Open3.capture3(generate_wrk_command_for_url(route_zen))
+  puts <<~MSG
+    WRK OUTPUT
+    ================
+    FIREWALL ENABLED:
+        #{out}
+    ----------------
+  MSG
+  result_zen_enabled = extract_requests_and_latency_tuple(out, err, status)
+
+  out, err, status = Open3.capture3(generate_wrk_command_for_url(route_no_zen))
+  puts <<~MSG
+    FIREWALL DISABLED:
+        #{out}
+    ================
+  MSG
+  result_zen_disabled = extract_requests_and_latency_tuple(out, err, status)
+
+  # Check if the command was successful
+  if result_zen_enabled && result_zen_disabled
+    # Print the output, which should be the Requests/sec value
+    puts "[ZEN ENABLED ] Requests/sec: #{result_zen_enabled[:requests_sec]} | Latency in ms: #{result_zen_enabled[:latency]}"
+    puts "[ZEN DISABLED] Requests/sec: #{result_zen_disabled[:requests_sec]} | Latency in ms: #{result_zen_disabled[:latency]}"
+
+    latency_increase_ms = (result_zen_enabled[:latency] - result_zen_disabled[:latency]).round(2)
+    puts "-> Delta in ms: #{latency_increase_ms}ms after running load test on #{description}"
+
+    throughput_decrease_perc = ((result_zen_disabled[:requests_sec] - result_zen_enabled[:requests_sec]) / result_zen_disabled[:requests_sec] * 100).round
+    puts "-> #{throughput_decrease_perc}% decrease in throughput after running load test on #{description}\n"
+
+    if latency_increase_ms >= latency_increase_limit_ms
+      exit(1)
+    end
+    if throughput_decrease_perc >= throughput_decrease_limit_perc
+      exit(1)
+    end
+  end
+end