aikido-zen 1.1.0 → 1.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 00d07a2e96b782a13c2ab2ec94582f318660ce4e2a3b77ff896490c5382bea47
-  data.tar.gz: a9b4db0b7157206284d78f35e6530ccb5bdf2e851ea28152788a7d195406b7a3
+  metadata.gz: 22a0e7e94d5a020957f061bf7139e15f67d599a8a479ebed19d41b3b53893b44
+  data.tar.gz: 249cd01e1fb339ff5cfb87dcb6944247e7ee31e990643ca815f1bdcae34a1961
 SHA512:
-  metadata.gz: 3e7229c3918e282d565ef0d25841e641e9133af719769748ee3626d6c7ad70573d899c33f46e290f8a5fdd56118d569c282d62ba6dab006970426bbccc33febb
-  data.tar.gz: f1388b4b07679712ee999f245db8faf4c811f76c08ac7ca67e68df06ca8e5d74707cf53f35ca6e25fe195d31d41ba13ef51145804ae7f60a6e451f194672f670
+  metadata.gz: d18a0dba5e3a68b979f6a8f628f9cdac035786d9abd05fc917c45ffd391c7e9a82d8c844a738c933865d28133fedd74e7696addbd30901a2831c1c7680445a26
+  data.tar.gz: ecf92bcb0a52fb3949abccd325d32b81faad3053ee2e92686be5d3315c1b1e157a2fb2ae7cbce68017ca77045acb66edacb4f96e3dfd4ce928c4f3db5cdfc9f7

data/docs/rails.md

@@ -6,7 +6,7 @@ To install Zen, add the gem:
 bundle add aikido-zen
 ```
 
-And require it before `Bundler.require` in `config/application.rb`:
+And be sure to **require it before** `Bundler.require` in `config/application.rb`:
 
 ```ruby
 # config/application.rb

data/lib/aikido/zen/actor.rb

@@ -65,7 +65,7 @@ module Aikido::Zen
     def initialize(
       id:,
       name: nil,
-      ip: Aikido::Zen.current_context&.request&.ip,
+      ip: Aikido::Zen.current_context&.request&.client_ip,
       first_seen_at: Time.now.utc,
       last_seen_at: first_seen_at
     )
@@ -96,7 +96,7 @@ module Aikido::Zen
     #   always keep the most recent time if this conflicts with the current
     #   value.
     # @return [void]
-    def update(seen_at: Time.now.utc, ip: Aikido::Zen.current_context&.request&.ip)
+    def update(seen_at: Time.now.utc, ip: Aikido::Zen.current_context&.request&.client_ip)
       @last_seen_at.try_update { |last_seen_at| [last_seen_at, seen_at].max }
       @ip.try_update { |last_ip| [ip, last_ip].compact.first }
     end

data/lib/aikido/zen/agent.rb

@@ -160,6 +160,9 @@ module Aikido::Zen
         if Aikido::Zen.runtime_settings.update_from_runtime_config_json(response)
           updated_settings!
           @config.logger.info("Updated runtime settings after heartbeat")
+
+          Aikido::Zen.runtime_settings.update_from_runtime_firewall_lists_json(@api_client.fetch_runtime_firewall_lists)
+          @config.logger.info("Updated runtime firewall list after heartbeat")
         end
       end
     end

data/lib/aikido/zen/attack_wave/helpers.rb

@@ -80,7 +80,7 @@ module Aikido::Zen
         ".dbus",
         ".docker",
         ".drush",
-        ".TODO: gem",
+        ".gem",
         ".git",
         ".github",
         ".gnupg",

data/lib/aikido/zen/attack_wave.rb

@@ -6,12 +6,19 @@ require_relative "attack_wave/helpers"
 module Aikido::Zen
   module AttackWave
     class Detector
+      # @return [Aikido::Zen::CappedSet]
+      attr_reader :samples
+
       def initialize(config: Aikido::Zen.config, clock: nil)
         @config = config
 
         @event_times = Cache.new(@config.attack_wave_max_cache_entries, ttl: @config.attack_wave_min_time_between_events, clock: clock)
 
         @request_counts = Cache.new(@config.attack_wave_max_cache_entries, 0, ttl: @config.attack_wave_min_time_between_requests, clock: clock)
+
+        @samples = Cache.new(@config.attack_wave_max_cache_entries, ttl: @config.attack_wave_min_time_between_requests, clock: clock) do
+          CappedSet.new(@config.attack_wave_max_cache_samples)
+        end
       end
 
       def attack_wave?(context)
@@ -25,6 +32,13 @@ module Aikido::Zen
 
         request_count = @request_counts[client_ip] += 1
 
+        context.request.then do |request|
+          @samples[client_ip] <<= Sample.new(
+            verb: request.request_method,
+            path: request.fullpath
+          )
+        end
+
         return false if request_count < @config.attack_wave_threshold
 
         @event_times[client_ip] = Time.now.utc
@@ -60,29 +74,77 @@ module Aikido::Zen
           source: @source
         }.compact
       end
+
+      def ==(other)
+        other.is_a?(self.class) &&
+          other.ip_address == ip_address &&
+          other.user_agent == user_agent &&
+          other.source == source
+      end
+      alias_method :eql?, :==
     end
 
     class Attack
-      # @return [Hash<String, String>]
-      attr_reader :metadata
+      # @return [Aikido::Zen::AttackWave::Sample]
+      attr_reader :samples
 
       # @return [Aikido::Zen::Actor]
       attr_reader :user
 
-      # @param metadata [Hash<String, String>]
-      # @param metadata [Aikido::Zen::Actor]
+      # @param samples [Aikido::Zen::AttackWave::Sample]
+      # @param user [Aikido::Zen::Actor]
       # @return [Aikido::Zen::AttackWave::Attack]
-      def initialize(metadata:, user:)
-        @metadata = metadata
+      def initialize(samples:, user:)
+        @samples = samples
         @user = user
       end
 
       def as_json
         {
-          metadata: @metadata.as_json,
+          metadata: {
+            samples: @samples.as_json.to_json # The API only accepts string values in metadata
+          },
           user: @user.as_json
         }.compact
       end
+
+      def ==(other)
+        other.is_a?(self.class) &&
+          other.samples == samples &&
+          other.user == user
+      end
+      alias_method :eql?, :==
+    end
+
+    class Sample
+      # @return [String]
+      attr_reader :verb
+
+      # @return [String]
+      attr_reader :path
+
+      def initialize(verb:, path:)
+        @verb = verb
+        @path = path
+      end
+
+      def as_json
+        {
+          method: @verb.as_json,
+          url: @path.as_json
+        }.compact
+      end
+
+      def ==(other)
+        other.is_a?(self.class) &&
+          other.verb == verb &&
+          other.path == path
+      end
+      alias_method :eql?, :==
+
+      def hash
+        [verb, path].hash
+      end
     end
   end
 end

data/lib/aikido/zen/cache.rb

@@ -9,11 +9,13 @@ module Aikido::Zen
     def_delegators :@data,
       :size, :empty?
 
-    def initialize(capacity, default_value = nil, ttl:, clock: nil)
+    def initialize(capacity, default_value = nil, ttl:, clock: nil, &block)
       @default_value = default_value
       @ttl = ttl
       @clock = clock
 
+      @initialize_block = block
+
       @data = CappedMap.new(capacity, mode: :lru)
     end
 
@@ -38,7 +40,7 @@ module Aikido::Zen
       if key?(key)
         @data[key].value
       else
-        @default_value
+        default_value
       end
     end
 
@@ -62,6 +64,10 @@ module Aikido::Zen
     def to_h
       to_a.to_h
     end
+
+    private def default_value
+      @default_value || @initialize_block&.call
+    end
   end
 
   class CacheEntry

data/lib/aikido/zen/collector/event.rb

@@ -39,7 +39,7 @@ module Aikido::Zen
       class TrackRequest < Event
         register "track_request"
 
-        def self.from_json(data)
+        def self.from_json(_data)
           new
         end
 
@@ -52,6 +52,22 @@ module Aikido::Zen
         end
       end
 
+      class TrackRateLimitedRequest < Event
+        register "track_rate_limited_request"
+
+        def self.from_json(_data)
+          new
+        end
+
+        def handle(collector)
+          collector.handle_track_rate_limited_request
+        end
+
+        def inspect
+          "#<#{self.class.name}>"
+        end
+      end
+
       class TrackUserAgent < Event
         register "track_user_agent"
 
@@ -79,6 +95,33 @@ module Aikido::Zen
         end
       end
 
+      class TrackIPList < Event
+        register "track_ip_list"
+
+        def self.from_json(data)
+          new(data[:ip_list_keys])
+        end
+
+        def initialize(ip_list_keys)
+          super()
+          @ip_list_keys = ip_list_keys
+        end
+
+        def as_json
+          super.update({
+            ip_list_keys: @ip_list_keys
+          })
+        end
+
+        def handle(collector)
+          collector.handle_track_ip_list(@ip_list_keys)
+        end
+
+        def inspect
+          "#<#{self.class.name} #{@ip_list_keys.inspect}>"
+        end
+      end
+
       class TrackAttackWave < Event
         register "track_attack_wave"
 

data/lib/aikido/zen/collector/stats.rb

@@ -8,7 +8,7 @@ module Aikido::Zen
   # Tracks information about how the Aikido Agent is used in the app.
   class Collector::Stats
     # @!visibility private
-    attr_reader :started_at, :ended_at, :requests, :aborted_requests, :user_agents, :attack_waves, :blocked_attack_waves, :sinks
+    attr_reader :started_at, :ended_at, :requests, :aborted_requests, :rate_limited_requests, :user_agents, :ip_lists, :attack_waves, :blocked_attack_waves, :sinks
 
     # @!visibility private
     attr_writer :ended_at
@@ -20,7 +20,9 @@ module Aikido::Zen
       @started_at = @ended_at = nil
       @requests = 0
       @aborted_requests = 0
+      @rate_limited_requests = 0
       @user_agents = Hash.new { |h, k| h[k] = 0 }
+      @ip_lists = Hash.new { |h, k| h[k] = 0 }
       @attack_waves = 0
       @blocked_attack_waves = 0
       @sinks = Hash.new { |h, k| h[k] = Collector::SinkStats.new(k, @config) }
@@ -67,12 +69,23 @@ module Aikido::Zen
       @requests += 1
     end
 
+    # @return [void]
+    def add_rate_limited_request
+      @rate_limited_requests += 1
+    end
+
     # @param user_agent_keys [Array<String>] the user agent keys
     # @return [void]
     def add_user_agent(user_agent_keys)
       user_agent_keys&.each { |user_agent_key| @user_agents[user_agent_key] += 1 }
     end
 
+    # @param user_agent_keys [Array<String>] the user agent keys
+    # @return [void]
+    def add_ip_list(ip_list_keys)
+      ip_list_keys&.each { |ip_list_key| @ip_lists[ip_list_key] += 1 }
+    end
+
     # @param being_blocked [Boolean] whether the Agent blocked the request
     # @return [void]
     def add_attack_wave(being_blocked:)
@@ -109,6 +122,7 @@ module Aikido::Zen
         requests: {
           total: @requests,
           aborted: @aborted_requests,
+          rateLimited: @rate_limited_requests,
           attacksDetected: {
             total: total_attacks,
             blocked: total_blocked
@@ -120,6 +134,9 @@ module Aikido::Zen
         },
         userAgents: {
           breakdown: @user_agents
+        },
+        ipAddresses: {
+          breakdown: @ip_lists
         }
       }
     end

data/lib/aikido/zen/collector.rb

@@ -88,12 +88,23 @@ module Aikido::Zen
       synchronize(@stats) { |stats| stats.add_request }
     end
 
+    # Track stats about the rate_limited_requests
+    #
+    # @return [void]
+    def track_rate_limited_request
+      add_event(Events::TrackRateLimitedRequest.new)
+    end
+
+    def handle_track_rate_limited_request
+      synchronize(@stats) { |stats| stats.add_rate_limited_request }
+    end
+
     # Track stats about monitored and blocked user agents
     #
-    # @param [Array<String>, nil] the user agent keys
+    # @param user_agent_keys [Array<String>, nil] the user agent keys
     # @return [void]
     def track_user_agent(user_agent_keys)
-      return if user_agent_keys.nil?
+      return if user_agent_keys.nil? || user_agent_keys.empty?
 
       add_event(Events::TrackUserAgent.new(user_agent_keys))
     end
@@ -102,6 +113,20 @@ module Aikido::Zen
       synchronize(@stats) { |stats| stats.add_user_agent(user_agent_keys) }
     end
 
+    # Track stats about blocked and monitored IP lists
+    #
+    # @param ip_list_keys [Array<String>, nil]
+    # @return [void]
+    def track_ip_list(ip_list_keys)
+      return if ip_list_keys.nil? || ip_list_keys.empty?
+
+      add_event(Events::TrackIPList.new(ip_list_keys))
+    end
+
+    def handle_track_ip_list(ip_list_keys)
+      synchronize(@stats) { |stats| stats.add_ip_list(ip_list_keys) }
+    end
+
     # Track stats about an attack detected by our scanners.
     #
     # @param attack [Aikido::Zen::Events::AttackWave]

data/lib/aikido/zen/config.rb

@@ -3,6 +3,7 @@
 require "uri"
 require "json"
 require "logger"
+require "digest"
 
 require_relative "context"
 
@@ -11,7 +12,7 @@ module Aikido::Zen
     # @return [Class, Integer, nil] The Rack middleware class or index after which
     #   the Zen middleware should be inserted. When set to nil, the middleware is
     #   inserted before the first middleware in the then-current middleware stack.
-    #   Defaults to ::ActionDispatch::Executor.
+    #   Defaults to ::ActionDispatch::RemoteIp.
     attr_accessor :insert_middleware_after
 
     # @return [Boolean] whether Aikido should be turned completely off (no
@@ -62,8 +63,8 @@ module Aikido::Zen
     attr_reader :logger
 
     # @return [String] Path of the socket where the detached agent will listen.
-    # By default, is stored under the root application path with file name
-    # `aikido-detached-agent.sock`
+    # By default, the socket file is created in the current working directory.
+    # Defaults to `aikido-detached-agent.sock`.
     attr_accessor :detached_agent_socket_path
 
     # @return [Boolean] is the agent in debugging mode?
@@ -94,7 +95,7 @@ module Aikido::Zen
     #   the oldest seen users.
     attr_accessor :max_users_tracked
 
-    # @return [Proc{(Aikido::Zen::Request, Symbol) => Array(Integer, Hash, #each)}]
+    # @return [Proc{(Aikido::Zen::Request, Symbol, reason: String=nil) => Array(Integer, Hash, #each)}]
     #   Rack handler used to respond to requests from IPs, users or others blocked in the Aikido
     #   dashboard.
     attr_accessor :blocked_responder
@@ -183,8 +184,12 @@ module Aikido::Zen
     #   Defaults to 10,000 entries.
     attr_accessor :attack_wave_max_cache_entries
 
+    # @return [Integer] the maximum number of samples in the LRU cache.
+    #   Defaults to 15 entries.
+    attr_accessor :attack_wave_max_cache_samples
+
     def initialize
-      self.insert_middleware_after = ::ActionDispatch::Executor
+      self.insert_middleware_after = ::ActionDispatch::RemoteIp
       self.disabled = read_boolean_from_env(ENV.fetch("AIKIDO_DISABLE", false)) || read_boolean_from_env(ENV.fetch("AIKIDO_DISABLED", false))
       self.blocking_mode = read_boolean_from_env(ENV.fetch("AIKIDO_BLOCK", false))
       self.api_timeouts = 10
@@ -221,6 +226,7 @@ module Aikido::Zen
       self.attack_wave_min_time_between_requests = 60 * 1000 # 1 min (ms)
       self.attack_wave_min_time_between_events = 20 * 60 * 1000 # 20 min (ms)
       self.attack_wave_max_cache_entries = 10_000
+      self.attack_wave_max_cache_samples = 15
     end
 
     # Set the base URL for API requests.
@@ -263,12 +269,32 @@ module Aikido::Zen
       @api_timeouts.update(value)
     end
 
+    def api_token_hash
+      return unless api_token
+
+      @api_token_hash ||= Digest::SHA1.hexdigest(api_token)[0, 7]
+    end
+
     def detached_agent_socket_uri
       "drbunix:" + @detached_agent_socket_path
     end
 
+    def expanded_detached_agent_socket_path
+      @exanded_detached_agent_path ||= expand_socket_path(detached_agent_socket_path)
+    end
+
+    def expanded_detached_agent_socket_uri
+      @exanded_detached_agent_uri ||= expand_socket_path(detached_agent_socket_uri)
+    end
+
     private
 
+    def expand_socket_path(socket_path)
+      socket_path = socket_path.dup
+      socket_path.gsub!("%h", api_token_hash) if api_token_hash
+      socket_path
+    end
+
     def read_boolean_from_env(value)
       return value unless value.respond_to?(:to_str)
 
@@ -293,13 +319,21 @@ module Aikido::Zen
     DEFAULT_JSON_DECODER = JSON.method(:parse)
 
     # @!visibility private
-    DEFAULT_DETACHED_AGENT_SOCKET_PATH = "aikido-detached-agent.sock"
+    DEFAULT_DETACHED_AGENT_SOCKET_PATH = "aikido-detached-agent.%h.sock"
 
     # @!visibility private
-    DEFAULT_BLOCKED_RESPONDER = ->(request, blocking_type) do
+    DEFAULT_BLOCKED_RESPONDER = ->(request, blocking_type, reason = nil) do
       message = case blocking_type
       when :ip
-        format("Your IP address is not allowed to access this resource. (Your IP: %s)", request.ip)
+        "Your IP address is not allowed to access this resource. (Your IP: #{request.ip})"
+      when :ip_allowed_list
+        "Your IP address is not allowed to access this resource. (Your IP: #{request.client_ip})"
+      when :ip_blocked_list
+        if reason.nil?
+          "Your IP is blocked."
+        else
+          "Your IP is blocked due to #{reason}."
+        end
       when :user_agent
         "You are not allowed to access this resource because you have been identified as a bot."
       else
@@ -315,7 +349,7 @@ module Aikido::Zen
 
     # @!visibility private
     DEFAULT_RATE_LIMITING_DISCRIMINATOR = ->(request) {
-      request.actor ? "actor:#{request.actor.id}" : request.ip
+      request.actor ? "actor:#{request.actor.id}" : request.client_ip
     }
   end
 end

data/lib/aikido/zen/current_context.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+# The current context is stored in an additional Fiber instance variable and
+# is though the aikido_current_context accessor methods.
+
+class Fiber
+  # @api private
+  attr_accessor :aikido_current_context
+end
+
+# When a new Fiber is instantiated the current context of the Fiber that is
+# creating the new Fiber is copied into the new Fiber.
+
+class << Fiber
+  # @api private
+  alias_method :new__internal_for_aikido_zen, :new
+
+  def new(*args, **kwargs, &blk)
+    context = Fiber.current.aikido_current_context
+
+    new__internal_for_aikido_zen(*args, **kwargs) do |*args|
+      Fiber.current.aikido_current_context = context
+
+      blk.call(*args)
+    end
+  end
+end

data/lib/aikido/zen/detached_agent/agent.rb

@@ -34,7 +34,7 @@ module Aikido::Zen::DetachedAgent
 
       @collector = collector
 
-      @front_object = DRbObject.new_with_uri(config.detached_agent_socket_uri)
+      @front_object = DRbObject.new_with_uri(config.expanded_detached_agent_socket_uri)
 
       @has_forked = false
       schedule_tasks
@@ -46,7 +46,7 @@ module Aikido::Zen::DetachedAgent
     end
 
     def calculate_rate_limits(request)
-      @front_object.calculate_rate_limits(request.route.as_json, request.ip, request.actor.as_json)
+      @front_object.calculate_rate_limits(request.route.as_json, request.client_ip, request.actor.as_json)
     end
 
     # Every time a fork occurs (a new child process is created), we need to start

data/lib/aikido/zen/detached_agent/front_object.rb

@@ -17,7 +17,7 @@ module Aikido::Zen::DetachedAgent
       @rate_limiter = rate_limiter
     end
 
-    RequestKind = Struct.new(:route, :schema, :ip, :actor)
+    RequestKind = Struct.new(:route, :schema, :client_ip, :actor)
 
     def send_collector_events(events_data)
       events_data.each do |event_data|

data/lib/aikido/zen/detached_agent/server.rb

@@ -16,8 +16,8 @@ module Aikido::Zen::DetachedAgent
 
       @config = config
 
-      @socket_path = config.detached_agent_socket_path
-      @socket_uri = config.detached_agent_socket_uri
+      @socket_path = config.expanded_detached_agent_socket_path
+      @socket_uri = config.expanded_detached_agent_socket_uri
     end
 
     def started?

data/lib/aikido/zen/errors.rb

@@ -114,5 +114,11 @@ module Aikido
         super
       end
     end
+
+    class OutboundConnectionBlockedError < StandardError
+      def initialize(connection)
+        super("Zen blocked an outbound connection to #{connection.host}.")
+      end
+    end
   end
 end

data/lib/aikido/zen/event.rb

@@ -71,23 +71,6 @@ module Aikido::Zen
     end
 
     class AttackWave < Event
-      # @param [Aikido::Zen::Context] a context
-      # @return [Aikido::Zen::Events::AttackWave] an attack wave event
-      def self.from_context(context)
-        request = Aikido::Zen::AttackWave::Request.new(
-          ip_address: context.request.client_ip,
-          user_agent: context.request.user_agent,
-          source: context.request.framework
-        )
-
-        attack = Aikido::Zen::AttackWave::Attack.new(
-          metadata: {}, # not used yet
-          user: context.request.actor
-        )
-
-        new(request: request, attack: attack)
-      end
-
       # @return [Aikido::Zen::AttackWave::Request]
       attr_reader :request
 

data/lib/aikido/zen/middleware/allowed_address_checker.rb

@@ -2,7 +2,8 @@
 
 module Aikido::Zen
   module Middleware
-    # Middleware that rejects requests from IPs blocked in the Aikido dashboard.
+    # Middleware that only allows allowed IPs when allowed IPs are configured for
+    # any matching route in the Aikido dashboard.
     class AllowedAddressChecker
       def initialize(app, config: Aikido::Zen.config, settings: Aikido::Zen.runtime_settings)
         @app = app
@@ -13,14 +14,21 @@ module Aikido::Zen
       def call(env)
         request = Aikido::Zen::Middleware.request_from(env)
 
-        allowed_ips = @settings.endpoints[request.route].allowed_ips
-
-        if allowed_ips.empty? || allowed_ips.include?(request.ip)
+        if allowed?(request)
           @app.call(env)
         else
           @config.blocked_responder.call(request, :ip)
         end
       end
+
+      private def allowed?(request)
+        return true if @settings.bypassed_ips.include?(request.client_ip)
+
+        matches = @settings.endpoints.matched_settings(request.route)
+
+        matches.all? { |settings| settings.allowed_ips.empty? } ||
+          matches.any? { |settings| settings.allowed_ips.include?(request.ip) }
+      end
     end
   end
 end

data/lib/aikido/zen/middleware/attack_protector.rb

@@ -19,10 +19,9 @@ module Aikido::Zen
       end
 
       private def protection_disabled?(request)
-        # Bypass attack protection for allowed IPs
-        return true if @settings.allowed_ips.include?(request.ip)
+        return true if @settings.bypassed_ips.include?(request.client_ip)
 
-        !@settings.endpoints.match(request.route).all?(&:protected?)
+        !@settings.endpoints.matched_settings(request.route).all?(&:protected?)
       end
     end
   end