aikido-zen 1.0.2.beta.2-aarch64-linux

data/lib/aikido/zen/collector.rb

@@ -0,0 +1,144 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  # Handles collecting all the runtime statistics to report back to the Aikido
+  # servers.
+  class Collector
+    def initialize(config: Aikido::Zen.config)
+      @config = config
+
+      @stats = Concurrent::AtomicReference.new(Stats.new(@config))
+      @users = Concurrent::AtomicReference.new(Users.new(@config))
+      @hosts = Concurrent::AtomicReference.new(Hosts.new(@config))
+      @routes = Concurrent::AtomicReference.new(Routes.new(@config))
+      @heartbeats = Queue.new
+      @middleware_installed = Concurrent::AtomicBoolean.new
+    end
+
+    # Flush all the stats into a Heartbeat event that can be reported back to
+    # the Aikido servers.
+    #
+    # @param at [Time] the time at which stats collection stopped and the start
+    #   of the new stats collection period. Defaults to now.
+    # @return [Aikido::Zen::Events::Heartbeat]
+    def flush(at: Time.now.utc)
+      stats = @stats.get_and_set(Stats.new(@config))
+      users = @users.get_and_set(Users.new(@config))
+      hosts = @hosts.get_and_set(Hosts.new(@config))
+      routes = @routes.get_and_set(Routes.new(@config))
+
+      start(at: at)
+      stats = stats.flush(at: at)
+
+      Events::Heartbeat.new(
+        stats: stats, users: users, hosts: hosts, routes: routes, middleware_installed: middleware_installed?
+      )
+    end
+
+    # Put heartbeats coming from child processes into the internal queue.
+    def push_heartbeat(heartbeat)
+      @heartbeats << heartbeat
+    end
+
+    # Drains into an array all the queued heartbeats
+    def flush_heartbeats
+      Array.new(@heartbeats.size) { @heartbeats.pop }
+    end
+
+    # Sets the start time for this collection period.
+    #
+    # @param at [Time] defaults to now.
+    # @return [void]
+    def start(at: Time.now.utc)
+      synchronize(@stats) { |stats| stats.start(at) }
+    end
+
+    # Track stats about the requests
+    #
+    # @param request [Aikido::Zen::Request]
+    # @return [void]
+    def track_request(*)
+      synchronize(@stats) { |stats| stats.add_request }
+    end
+
+    #  Record the visited endpoint, and if enabled, the API schema for this endpoint.
+    # @param request [Aikido::Zen::Request]
+    def track_route(request)
+      synchronize(@routes) { |routes| routes.add(request) if request.route }
+    end
+
+    # Track stats about a scan performed by one of our sinks.
+    #
+    # @param scan [Aikido::Zen::Scan]
+    # @return [void]
+    def track_scan(scan)
+      synchronize(@stats) { |stats| stats.add_scan(scan) }
+    end
+
+    # Track stats about an attack detected by our scanners.
+    #
+    # @param attack [Aikido::Zen::Attack]
+    # @return [void]
+    def track_attack(attack)
+      synchronize(@stats) do |stats|
+        stats.add_attack(attack, being_blocked: attack.blocked?)
+      end
+    end
+
+    # Track an HTTP connections to an external host.
+    #
+    # @param connection [Aikido::Zen::OutboundConnection]
+    # @return [void]
+    def track_outbound(connection)
+      synchronize(@hosts) { |hosts| hosts.add(connection) }
+    end
+
+    # Track the user reported by the developer to be behind this request.
+    #
+    # @param actor [Aikido::Zen::Actor]
+    # @return [void]
+    def track_user(actor)
+      synchronize(@users) { |users| users.add(actor) }
+    end
+
+    def middleware_installed!
+      @middleware_installed.make_true
+    end
+
+    # @api private
+    def routes
+      @routes.get
+    end
+
+    # @api private
+    def users
+      @users.get
+    end
+
+    # @api private
+    def hosts
+      @hosts.get
+    end
+
+    # @api private
+    def stats
+      @stats.get
+    end
+
+    # @api private
+    def middleware_installed?
+      @middleware_installed.true?
+    end
+
+    # Atomically modify an object's state within a block, ensuring it's safe
+    # from other threads.
+    private def synchronize(object)
+      object.update { |obj| obj.tap { yield obj } }
+    end
+  end
+end
+
+require_relative "collector/stats"
+require_relative "collector/users"
+require_relative "collector/hosts"
+require_relative "collector/routes"

data/lib/aikido/zen/config.rb

@@ -0,0 +1,282 @@
+# frozen_string_literal: true
+
+require "uri"
+require "json"
+require "logger"
+
+require_relative "context"
+
+module Aikido::Zen
+  class Config
+    # @api private
+    # @return [Boolean] whether Aikido should protect.
+    def protect?
+      !api_token.nil? || blocking_mode? || debugging?
+    end
+
+    # @return [Boolean] whether Aikido should be turned completely off (no
+    #   intercepting calls to protect the app, no agent process running, no
+    #   middleware installed). Defaults to false (so, enabled). Can be set
+    #   via the AIKIDO_DISABLED environment variable.
+    attr_accessor :disabled
+    alias_method :disabled?, :disabled
+
+    # @return [Boolean] whether Aikido should only report infractions or block
+    #   the request by raising an Exception. Defaults to whether AIKIDO_BLOCK
+    #   is set to a non-empty value in your environment, or +false+ otherwise.
+    attr_accessor :blocking_mode
+    alias_method :blocking_mode?, :blocking_mode
+
+    # @return [URI] The HTTP host for the Aikido API. Defaults to
+    #   +https://guard.aikido.dev+.
+    attr_reader :api_endpoint
+
+    # @return [URI] The HTTP host for the Aikido Runtime API. Defaults to
+    #   +https://runtime.aikido.dev+.
+    attr_reader :realtime_endpoint
+
+    # @return [Hash] HTTP timeouts for communicating with the API.
+    attr_reader :api_timeouts
+
+    # @return [String] the token obtained when configuring the Firewall in the
+    #   Aikido interface.
+    attr_accessor :api_token
+
+    # @return [Integer] the interval in seconds to poll the runtime API for
+    #   settings changes. Defaults to evey 60 seconds.
+    attr_accessor :polling_interval
+
+    # @return [Integer] the amount in seconds to wait before sending an initial
+    #   heartbeat event when the server reports no stats have been sent yet.
+    attr_accessor :initial_heartbeat_delay
+
+    # @return [#call] Callable that can be passed an Object and returns a String
+    #   of JSON. Defaults to the standard library's JSON.dump method.
+    attr_accessor :json_encoder
+
+    # @return [#call] Callable that can be passed a JSON string and parses it
+    #   into an Object. Defaults to the standard library's JSON.parse method.
+    attr_accessor :json_decoder
+
+    # @return [Logger]
+    attr_reader :logger
+
+    # @return [String] Path of the socket where the detached agent will listen.
+    # By default, is stored under the root application path with file name
+    # `aikido-detached-agent.sock`
+    attr_accessor :detached_agent_socket_path
+
+    # @return [Boolean] is the agent in debugging mode?
+    attr_accessor :debugging
+    alias_method :debugging?, :debugging
+
+    # @return [Integer] maximum number of timing measurements to keep in memory
+    #   before compressing them.
+    attr_accessor :max_performance_samples
+
+    # @return [Integer] maximum number of compressed performance samples to keep
+    #   in memory. If we take more than this before reporting them to Aikido, we
+    #   will discard the oldest samples.
+    attr_accessor :max_compressed_stats
+
+    # @return [Integer] maximum number of connections to outbound hosts to keep
+    #   in memory in order to report them in the next heartbeat event. If new
+    #   connections are added to the set before reporting them to Aikido, we
+    #   will discard the oldest data point.
+    attr_accessor :max_outbound_connections
+
+    # @return [Integer] maximum number of users tracked via Zen.track_user to
+    #   share with the Aikido servers on the next heartbeat event. If more
+    #   unique users (by their ID) are tracked than this number, we will discard
+    #   the oldest seen users.
+    attr_accessor :max_users_tracked
+
+    # @return [Proc{(Aikido::Zen::Request, Symbol) => Array(Integer, Hash, #each)}]
+    #   Rack handler used to respond to requests from IPs, users or others blocked in the Aikido
+    #   dashboard.
+    attr_accessor :blocked_responder
+
+    # @return [Proc{Aikido::Zen::Request => Array(Integer, Hash, #each)}]
+    #   Rack handler used to respond to requests that have been rate limited.
+    attr_accessor :rate_limited_responder
+
+    # @return [Proc{Aikido::Zen::Request => String}] a proc that reads
+    #   information off the current request and returns a String to
+    #   differentiate different clients. By default this uses the request IP.
+    attr_accessor :rate_limiting_discriminator
+
+    # @return [Boolean] whether Aikido Zen should collect api schemas.
+    #   Defaults to true. Can be set through AIKIDO_FEATURE_COLLECT_API_SCHEMA
+    #   environment variable.
+    attr_accessor :collect_api_schema
+    alias_method :collect_api_schema?, :collect_api_schema
+
+    # @return [Integer] max number of requests we sample per endpoint when
+    #   computing the schema.
+    attr_accessor :api_schema_max_samples
+
+    # @api private
+    # @return [Integer] max number of levels deep we want to read a nested
+    #   strcture for performance reasons.
+    attr_accessor :api_schema_collection_max_depth
+
+    # @api private
+    # @return [Integer] max number of properties that we want to inspect per
+    #   level of the structure for performance reasons.
+    attr_accessor :api_schema_collection_max_properties
+
+    # @api private
+    # @return [Proc<Hash => Aikido::Zen::Context>] callable that takes a
+    #   Rack-compatible env Hash and returns a Context object with an HTTP
+    #   request. This is meant to be overridden by each framework adapter.
+    attr_accessor :request_builder
+
+    # @api private
+    # @return [Integer] number of seconds to perform client-side rate limiting
+    #   of events sent to the server.
+    attr_accessor :client_rate_limit_period
+
+    # @api private
+    # @return [Integer] max number of events sent during a sliding
+    #   {client_rate_limit_period} window.
+    attr_accessor :client_rate_limit_max_events
+
+    # @api private
+    # @return [Integer] number of seconds to wait before sending an event after
+    #   the server returns a 429 response.
+    attr_accessor :server_rate_limit_deadline
+
+    # @return [Array<String>] when checking for stored SSRF attacks, we want to
+    #   allow known hosts that should be able to resolve to the IMDS service.
+    attr_accessor :imds_allowed_hosts
+
+    # @return [String] environment specific HTTP header providing the client IP.
+    attr_accessor :client_ip_header
+
+    def initialize
+      self.disabled = read_boolean_from_env(ENV.fetch("AIKIDO_DISABLED", false))
+      self.blocking_mode = read_boolean_from_env(ENV.fetch("AIKIDO_BLOCK", false))
+      self.api_timeouts = 10
+      self.api_endpoint = ENV.fetch("AIKIDO_ENDPOINT", DEFAULT_AIKIDO_ENDPOINT)
+      self.realtime_endpoint = ENV.fetch("AIKIDO_REALTIME_ENDPOINT", DEFAULT_RUNTIME_BASE_URL)
+      self.api_token = ENV.fetch("AIKIDO_TOKEN", nil)
+      self.polling_interval = 60
+      self.initial_heartbeat_delay = 60
+      self.json_encoder = DEFAULT_JSON_ENCODER
+      self.json_decoder = DEFAULT_JSON_DECODER
+      self.debugging = read_boolean_from_env(ENV.fetch("AIKIDO_DEBUG", false))
+      self.logger = Logger.new($stdout, progname: "aikido", level: debugging ? Logger::DEBUG : Logger::INFO)
+      self.detached_agent_socket_path = ENV.fetch("AIKIDO_DETACHED_AGENT_SOCKET_PATH", DEFAULT_DETACHED_AGENT_SOCKET_PATH)
+      self.client_ip_header = ENV.fetch("AIKIDO_CLIENT_IP_HEADER", nil)
+      self.max_performance_samples = 5000
+      self.max_compressed_stats = 100
+      self.max_outbound_connections = 200
+      self.max_users_tracked = 1000
+      self.request_builder = Aikido::Zen::Context::RACK_REQUEST_BUILDER
+      self.blocked_responder = DEFAULT_BLOCKED_RESPONDER
+      self.rate_limited_responder = DEFAULT_RATE_LIMITED_RESPONDER
+      self.rate_limiting_discriminator = DEFAULT_RATE_LIMITING_DISCRIMINATOR
+      self.server_rate_limit_deadline = 1800 # 30 min
+      self.client_rate_limit_period = 3600 # 1 hour
+      self.client_rate_limit_max_events = 100
+      self.collect_api_schema = read_boolean_from_env(ENV.fetch("AIKIDO_FEATURE_COLLECT_API_SCHEMA", true))
+      self.api_schema_max_samples = Integer(ENV.fetch("AIKIDO_MAX_API_DISCOVERY_SAMPLES", 10))
+      self.api_schema_collection_max_depth = 20
+      self.api_schema_collection_max_properties = 20
+      self.imds_allowed_hosts = ["metadata.google.internal", "metadata.goog"]
+    end
+
+    # Set the base URL for API requests.
+    #
+    # @param url [String, URI]
+    def api_endpoint=(url)
+      @api_endpoint = URI(url)
+    end
+
+    # Set the base URL for runtime API requests.
+    #
+    # @param url [String, URI]
+    def realtime_endpoint=(url)
+      @realtime_endpoint = URI(url)
+    end
+
+    # Set the logger and configure its severity level according to agent's debug mode
+    # @param logger [::Logger]
+    def logger=(logger)
+      @logger = logger
+      @logger.level = Logger::DEBUG if debugging
+    end
+
+    # @overload def api_timeouts=(timeouts)
+    #   Configure granular connection timeouts for the Aikido Zen API. You
+    #   can set any of these per call.
+    #   @param timeouts [Hash]
+    #   @option timeouts [Integer] :open_timeout Duration in seconds.
+    #   @option timeouts [Integer] :read_timeout Duration in seconds.
+    #   @option timeouts [Integer] :write_timeout Duration in seconds.
+    #
+    # @overload def api_timeouts=(duration)
+    #   Configure the connection timeouts for the Aikido Zen API.
+    #   @param duration [Integer] Duration in seconds to set for all three
+    #     timeouts (open, read, and write).
+    def api_timeouts=(value)
+      value = {open_timeout: value, read_timeout: value, write_timeout: value} if value.respond_to?(:to_int)
+
+      @api_timeouts ||= {}
+      @api_timeouts.update(value)
+    end
+
+    def detached_agent_socket_uri
+      "drbunix:" + @detached_agent_socket_path
+    end
+
+    private
+
+    def read_boolean_from_env(value)
+      return value unless value.respond_to?(:to_str)
+
+      case value.to_str.strip
+      when "false", "", "0", "f"
+        false
+      else
+        true
+      end
+    end
+
+    # @!visibility private
+    DEFAULT_AIKIDO_ENDPOINT = "https://guard.aikido.dev"
+
+    # @!visibility private
+    DEFAULT_RUNTIME_BASE_URL = "https://runtime.aikido.dev"
+
+    # @!visibility private
+    DEFAULT_JSON_ENCODER = JSON.method(:dump)
+
+    # @!visibility private
+    DEFAULT_JSON_DECODER = JSON.method(:parse)
+
+    # @!visibility private
+    DEFAULT_DETACHED_AGENT_SOCKET_PATH = "aikido-detached-agent.sock"
+
+    # @!visibility private
+    DEFAULT_BLOCKED_RESPONDER = ->(request, blocking_type) do
+      message = case blocking_type
+      when :ip
+        format("Your IP address is not allowed to access this resource. (Your IP: %s)", request.ip)
+      else
+        "You are blocked by Zen."
+      end
+      [403, {"Content-Type" => "text/plain"}, [message]]
+    end
+
+    # @!visibility private
+    DEFAULT_RATE_LIMITED_RESPONDER = ->(request) do
+      [429, {"Content-Type" => "text/plain"}, ["Too many requests."]]
+    end
+
+    # @!visibility private
+    DEFAULT_RATE_LIMITING_DISCRIMINATOR = ->(request) {
+      request.actor ? "actor:#{request.actor.id}" : request.ip
+    }
+  end
+end

data/lib/aikido/zen/context/rack_request.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require_relative "../request"
+require_relative "../request/heuristic_router"
+
+module Aikido::Zen
+  # @!visibility private
+  Context::RACK_REQUEST_BUILDER = ->(env) do
+    delegate = Rack::Request.new(env)
+    router = Aikido::Zen::Request::HeuristicRouter.new
+    request = Aikido::Zen::Request.new(delegate, framework: "rack", router: router)
+
+    Context.new(request) do |req|
+      {
+        query: req.GET,
+        body: req.POST,
+        route: {},
+        header: req.normalized_headers,
+        cookie: req.cookies,
+        subdomain: []
+      }
+    end
+  end
+end

data/lib/aikido/zen/context/rails_request.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+require_relative "../request"
+require_relative "../request/rails_router"
+
+module Aikido::Zen
+  module Rails
+    def self.router
+      @router ||= Request::RailsRouter.new(::Rails.application.routes)
+    end
+  end
+
+  # @!visibility private
+  Context::RAILS_REQUEST_BUILDER = ->(env) do
+    # Duplicate the Rack environment to prevent unexpected modifications from
+    # breaking Rails routing.
+    delegate = ActionDispatch::Request.new(env.dup)
+    request = Aikido::Zen::Request.new(
+      delegate, framework: "rails", router: Rails.router
+    )
+
+    decrypt_cookies = ->(req) do
+      return req.cookies unless req.respond_to?(:cookie_jar)
+
+      req.cookie_jar.map { |key, value|
+        plain_text = req.cookie_jar.encrypted[key].presence ||
+          req.cookie_jar.signed[key].presence ||
+          value
+        [key, plain_text]
+      }.to_h
+    end
+
+    Context.new(request) do |req|
+      {
+        query: req.query_parameters,
+        body: req.request_parameters,
+        route: req.path_parameters,
+        header: req.normalized_headers,
+        cookie: decrypt_cookies.call(req),
+        subdomain: req.subdomains
+      }
+    end
+  end
+end

data/lib/aikido/zen/context.rb

@@ -0,0 +1,112 @@
+# frozen_string_literal: true
+
+require "forwardable"
+
+require_relative "request"
+require_relative "payload"
+
+module Aikido::Zen
+  class Context
+    # Build a Context object for the current HTTP request based on the currently
+    # configured request builder.
+    #
+    # @param env [Hash] the Rack env hash.
+    # @param config [Aikido::Zen::Config]
+    # @return [Aikido::Zen::Context]
+    def self.from_rack_env(env, config = Aikido::Zen.config)
+      config.request_builder.call(env)
+    end
+
+    # @return [Aikido::Zen::Request]
+    attr_reader :request
+
+    # @return [Boolean]
+    attr_accessor :scanning
+
+    # @param request [Rack::Request] a Request object that implements the
+    #   Rack::Request API, to which we will delegate behavior.
+    # @param settings [Aikido::Zen::RuntimeSettings]
+    #
+    # @yieldparam request [Rack::Request] the given request object.
+    # @yieldreturn [Hash<Symbol, #flat_map>] map of payload source types
+    #   to the actual data from the request to populate them.
+    def initialize(request, settings: Aikido::Zen.runtime_settings, &sources)
+      @request = request
+      @settings = settings
+      @payload_sources = sources
+      @metadata = {}
+      @scanning = false
+    end
+
+    # Fetch some metadata stored in the Context.
+    #
+    # @param key [String]
+    # @return [Object, nil]
+    def [](key)
+      @metadata[key]
+    end
+
+    # Store some metadata in the Context so other Scanners can use it.
+    #
+    # @param key [String]
+    # @param value [Object]
+    # @return [void]
+    def []=(key, value)
+      @metadata[key] = value
+    end
+
+    # Overrides the current request, and invalidates any memoized data obtained
+    # from it. This is useful for scenarios where setting the request in the
+    # middleware isn't enough, such as Rails, where the router modifies it after
+    # the middleware has seen it.
+    #
+    # @param new_request [Rack::Request]
+    # @return [void]
+    def update_request(new_request)
+      @payloads = nil
+      request.__setobj__(new_request)
+    end
+
+    # @return [Array<Aikido::Zen::Payload>] list of user inputs from all the
+    #   different sources we recognize.
+    def payloads
+      @payloads ||= payload_sources.flat_map do |source, data|
+        extract_payloads_from(data, source)
+      end
+    end
+
+    # @return [Boolean] whether attack protection for the currently requested
+    #   endpoint was disabled on the Aikido dashboard, or if the source IP for
+    #   this request is in the "Bypass List".
+    def protection_disabled?
+      return false if request.nil?
+
+      !@settings.endpoints[request.route].protected? ||
+        @settings.skip_protection_for_ips.include?(request.ip)
+    end
+
+    # @!visibility private
+    def payload_sources
+      @payload_sources.call(request)
+    end
+
+    private
+
+    def extract_payloads_from(data, source_type, prefix = nil)
+      if data.respond_to?(:to_hash)
+        data.to_hash.flat_map { |name, val|
+          extract_payloads_from(val, source_type, [prefix, name].compact.join("."))
+        }
+      elsif data.respond_to?(:to_ary)
+        data.to_ary.flat_map.with_index { |val, idx|
+          extract_payloads_from(val, source_type, [prefix, idx].compact.join("."))
+        }
+      else
+        Payload.new(data, source_type, prefix.to_s)
+      end
+    end
+  end
+end
+
+require_relative "context/rack_request"
+require_relative "context/rails_request"

data/lib/aikido/zen/detached_agent/agent.rb

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+require "drb/drb"
+require "drb/unix"
+require_relative "front_object"
+require_relative "../background_worker"
+
+module Aikido::Zen::DetachedAgent
+  # Agent that runs in forked processes. It communicates with the parent process to dRB
+  # calls. It's in charge of schedule and send heartbeats to the *parent process*, to be
+  # later pushed.
+  #
+  # heartbeat & polling interval are configured to 10s , because they are connecting with
+  # parent process. We want to have the freshest data.
+  #
+  # It's possible to use `extend Forwardable` here for one-line forward calls to the
+  # @detached_agent_front object. Unfortunately, the methods to be called are
+  # created at runtime by `DRbObject`, which leads to an ugly warning about
+  # private methods after the delegator is bound.
+  class Agent
+    attr_reader :worker
+
+    def initialize(
+      heartbeat_interval: 10,
+      polling_interval: 10,
+      config: Aikido::Zen.config,
+      collector: Aikido::Zen.collector,
+      worker: Aikido::Zen::Worker.new(config: config)
+    )
+      @config = config
+      @heartbeat_interval = heartbeat_interval
+      @polling_interval = polling_interval
+      @worker = worker
+      @collector = collector
+      @detached_agent_front = DRbObject.new_with_uri(config.detached_agent_socket_uri)
+      @has_forked = false
+      schedule_tasks
+    end
+
+    def send_heartbeat(at: Time.now.utc)
+      return unless @collector.stats.any?
+
+      heartbeat = @collector.flush(at: at)
+      @detached_agent_front.send_heartbeat_to_parent_process(heartbeat.as_json)
+    end
+
+    private def schedule_tasks
+      # For heartbeats is correct to send them from parent or child process. Otherwise, we'll lose
+      # stats made by the parent process.
+      @worker.every(@heartbeat_interval, run_now: false) { send_heartbeat }
+
+      # Runtime_settings fetch must happens only in the child processes, otherwise, due to
+      # we are updating the global runtime_settings, we could have an infinite recursion.
+      if @has_forked
+        @worker.every(@polling_interval) do
+          Aikido::Zen.runtime_settings = @detached_agent_front.updated_settings
+          @config.logger.debug "Updated runtime settings after polling from child process #{Process.pid}"
+        end
+      end
+    end
+
+    def calculate_rate_limits(request)
+      @detached_agent_front.calculate_rate_limits(request.route, request.ip, request.actor.to_json)
+    end
+
+    # Every time a fork occurs (a new child process is created), we need to start
+    # a DRb service in a background thread within the child process. This service
+    # will manage the connection and handle resource cleanup.
+    def handle_fork
+      @has_forked = true
+      DRb.start_service
+      # we need to ensure that there are not more jobs in the queue, but
+      # we reuse the same object
+      @worker.restart
+      schedule_tasks
+    end
+  end
+end