aikido-zen 1.1.2 → 1.2.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 22a0e7e94d5a020957f061bf7139e15f67d599a8a479ebed19d41b3b53893b44
-  data.tar.gz: 249cd01e1fb339ff5cfb87dcb6944247e7ee31e990643ca815f1bdcae34a1961
+  metadata.gz: 3312144ec7337da035ccdafd8a804cd64ebd67c8e671eaa9114a3326d2dfef16
+  data.tar.gz: 9b4c37976859977fc634a9af783f5b08287d1e0b5232cdf1b276fb5720d6c981
 SHA512:
-  metadata.gz: d18a0dba5e3a68b979f6a8f628f9cdac035786d9abd05fc917c45ffd391c7e9a82d8c844a738c933865d28133fedd74e7696addbd30901a2831c1c7680445a26
-  data.tar.gz: ecf92bcb0a52fb3949abccd325d32b81faad3053ee2e92686be5d3315c1b1e157a2fb2ae7cbce68017ca77045acb66edacb4f96e3dfd4ce928c4f3db5cdfc9f7
+  metadata.gz: e2ccd10321a51f382a3bd6f308ddb9abb09bf2241d35ec55c0cf17fe4d5abf81e3626a53217af717141b7fc8d728398aeb42c705f552ff260042b5e136a5d067
+  data.tar.gz: 1a77ca857611ee1038862f24f2b98704c9d241f4d1c0c945ff51e9942eed3cbc767acaf8e0e5059c6655432a3967b6860e2d530a456b62cdf64cace02b8fac07

data/lib/aikido/zen/agent.rb

@@ -160,9 +160,6 @@ module Aikido::Zen
         if Aikido::Zen.runtime_settings.update_from_runtime_config_json(response)
           updated_settings!
           @config.logger.info("Updated runtime settings after heartbeat")
-
-          Aikido::Zen.runtime_settings.update_from_runtime_firewall_lists_json(@api_client.fetch_runtime_firewall_lists)
-          @config.logger.info("Updated runtime firewall list after heartbeat")
         end
       end
     end

data/lib/aikido/zen/collector/event.rb

@@ -95,33 +95,6 @@ module Aikido::Zen
         end
       end
 
-      class TrackIPList < Event
-        register "track_ip_list"
-
-        def self.from_json(data)
-          new(data[:ip_list_keys])
-        end
-
-        def initialize(ip_list_keys)
-          super()
-          @ip_list_keys = ip_list_keys
-        end
-
-        def as_json
-          super.update({
-            ip_list_keys: @ip_list_keys
-          })
-        end
-
-        def handle(collector)
-          collector.handle_track_ip_list(@ip_list_keys)
-        end
-
-        def inspect
-          "#<#{self.class.name} #{@ip_list_keys.inspect}>"
-        end
-      end
-
       class TrackAttackWave < Event
         register "track_attack_wave"
 

data/lib/aikido/zen/collector/stats.rb

@@ -8,7 +8,7 @@ module Aikido::Zen
   # Tracks information about how the Aikido Agent is used in the app.
   class Collector::Stats
     # @!visibility private
-    attr_reader :started_at, :ended_at, :requests, :aborted_requests, :rate_limited_requests, :user_agents, :ip_lists, :attack_waves, :blocked_attack_waves, :sinks
+    attr_reader :started_at, :ended_at, :requests, :aborted_requests, :rate_limited_requests, :user_agents, :attack_waves, :blocked_attack_waves, :sinks
 
     # @!visibility private
     attr_writer :ended_at
@@ -22,7 +22,6 @@ module Aikido::Zen
       @aborted_requests = 0
       @rate_limited_requests = 0
       @user_agents = Hash.new { |h, k| h[k] = 0 }
-      @ip_lists = Hash.new { |h, k| h[k] = 0 }
       @attack_waves = 0
       @blocked_attack_waves = 0
       @sinks = Hash.new { |h, k| h[k] = Collector::SinkStats.new(k, @config) }
@@ -80,12 +79,6 @@ module Aikido::Zen
       user_agent_keys&.each { |user_agent_key| @user_agents[user_agent_key] += 1 }
     end
 
-    # @param user_agent_keys [Array<String>] the user agent keys
-    # @return [void]
-    def add_ip_list(ip_list_keys)
-      ip_list_keys&.each { |ip_list_key| @ip_lists[ip_list_key] += 1 }
-    end
-
     # @param being_blocked [Boolean] whether the Agent blocked the request
     # @return [void]
     def add_attack_wave(being_blocked:)
@@ -134,9 +127,6 @@ module Aikido::Zen
         },
         userAgents: {
           breakdown: @user_agents
-        },
-        ipAddresses: {
-          breakdown: @ip_lists
         }
       }
     end

data/lib/aikido/zen/collector.rb

@@ -101,10 +101,10 @@ module Aikido::Zen
 
     # Track stats about monitored and blocked user agents
     #
-    # @param user_agent_keys [Array<String>, nil] the user agent keys
+    # @param [Array<String>, nil] the user agent keys
     # @return [void]
     def track_user_agent(user_agent_keys)
-      return if user_agent_keys.nil? || user_agent_keys.empty?
+      return if user_agent_keys.nil?
 
       add_event(Events::TrackUserAgent.new(user_agent_keys))
     end
@@ -113,20 +113,6 @@ module Aikido::Zen
       synchronize(@stats) { |stats| stats.add_user_agent(user_agent_keys) }
     end
 
-    # Track stats about blocked and monitored IP lists
-    #
-    # @param ip_list_keys [Array<String>, nil]
-    # @return [void]
-    def track_ip_list(ip_list_keys)
-      return if ip_list_keys.nil? || ip_list_keys.empty?
-
-      add_event(Events::TrackIPList.new(ip_list_keys))
-    end
-
-    def handle_track_ip_list(ip_list_keys)
-      synchronize(@stats) { |stats| stats.add_ip_list(ip_list_keys) }
-    end
-
     # Track stats about an attack detected by our scanners.
     #
     # @param attack [Aikido::Zen::Events::AttackWave]

data/lib/aikido/zen/config.rb

@@ -322,18 +322,10 @@ module Aikido::Zen
     DEFAULT_DETACHED_AGENT_SOCKET_PATH = "aikido-detached-agent.%h.sock"
 
     # @!visibility private
-    DEFAULT_BLOCKED_RESPONDER = ->(request, blocking_type, reason = nil) do
+    DEFAULT_BLOCKED_RESPONDER = ->(request, blocking_type) do
       message = case blocking_type
       when :ip
-        "Your IP address is not allowed to access this resource. (Your IP: #{request.ip})"
-      when :ip_allowed_list
-        "Your IP address is not allowed to access this resource. (Your IP: #{request.client_ip})"
-      when :ip_blocked_list
-        if reason.nil?
-          "Your IP is blocked."
-        else
-          "Your IP is blocked due to #{reason}."
-        end
+        format("Your IP address is not allowed to access this resource. (Your IP: %s)", request.ip)
       when :user_agent
         "You are not allowed to access this resource because you have been identified as a bot."
       else

data/lib/aikido/zen/rails_engine.rb

@@ -17,7 +17,6 @@ module Aikido::Zen
         Aikido::Zen::Middleware::ForkDetector,
         Aikido::Zen::Middleware::ContextSetter,
         Aikido::Zen::Middleware::AllowedAddressChecker,
-        Aikido::Zen::Middleware::IPListChecker,
         Aikido::Zen::Middleware::UserAgentChecker,
         Aikido::Zen::Middleware::AttackProtector,
         Aikido::Zen::Middleware::AttackWaveProtector,

data/lib/aikido/zen/runtime_settings.rb

@@ -11,14 +11,11 @@ module Aikido::Zen
   #
   # You can subscribe to changes with +#add_observer(object, func_name)+, which
   # will call the function passing the settings as an argument
-  RuntimeSettings = Struct.new(:updated_at, :heartbeat_interval, :endpoints, :blocked_user_ids, :bypassed_ips, :received_any_stats, :blocking_mode, :blocked_user_agent_regexp, :monitored_user_agent_regexp, :user_agent_details, :blocked_ip_lists, :allowed_ip_lists, :monitored_ip_lists, :block_new_outbound, :domains, :excluded_user_ids_from_rate_limiting) do
+  RuntimeSettings = Struct.new(:updated_at, :heartbeat_interval, :endpoints, :blocked_user_ids, :bypassed_ips, :received_any_stats, :blocking_mode, :blocked_user_agent_regexp, :monitored_user_agent_regexp, :user_agent_details, :block_new_outbound, :domains, :excluded_user_ids_from_rate_limiting) do
     def initialize(*)
       super
       self.endpoints ||= RuntimeSettings::Endpoints.new
       self.bypassed_ips ||= RuntimeSettings::IPSet.new
-      self.blocked_ip_lists ||= []
-      self.allowed_ip_lists ||= []
-      self.monitored_ip_lists ||= []
       self.domains ||= RuntimeSettings::Domains.new
     end
 
@@ -45,15 +42,6 @@ module Aikido::Zen
     # @!attribute [rw] blocking_mode
     #   @return [Boolean]
 
-    # @!attribute [rw] blocked_ip_lists
-    #   @return [Array<Aikido::Zen::RuntimeSettings::IPList>]
-
-    # @!attribute [rw] allowed_ip_lists
-    #   @return [Array<Aikido::Zen::RuntimeSettings::IPList>]
-
-    # @!attribute [rw] monitored_ip_lists
-    #   @return [Array<Aikido::Zen::RuntimeSettings::IPList>]
-
     # @!attribute [rw] blocked_user_agent_regexp
     #   @return [Regexp]
 
@@ -124,24 +112,6 @@ module Aikido::Zen
           pattern: pattern
         }
       end
-
-      self.blocked_ip_lists = []
-
-      data["blockedIPAddresses"]&.each do |ip_list|
-        blocked_ip_lists << RuntimeSettings::IPList.from_json(ip_list)
-      end
-
-      self.allowed_ip_lists = []
-
-      data["allowedIPAddresses"]&.each do |ip_list|
-        allowed_ip_lists << RuntimeSettings::IPList.from_json(ip_list)
-      end
-
-      self.monitored_ip_lists = []
-
-      data["monitoredIPAddresses"]&.each do |ip_list|
-        monitored_ip_lists << RuntimeSettings::IPList.from_json(ip_list)
-      end
     end
 
     # Construct a regular expression from the non-nil and non-empty string,
@@ -195,25 +165,9 @@ module Aikido::Zen
     def user_agent_keys(user_agent)
       return [] if user_agent_details.nil?
 
-      user_agent_details.filter_map { |record| record[:key] if record[:pattern].match?(user_agent) }
-    end
-
-    def allowed_ip?(ip)
-      allowed_ip_lists.empty? || allowed_ip_lists.any? { |ip_list| ip_list.include?(ip) }
-    end
-
-    def blocked_ip?(ip)
-      blocked_ip_lists.any? { |ip_list| ip_list.include?(ip) }
-    end
-
-    def monitored_ip?(ip)
-      monitored_ip_lists.any? { |ip_list| ip_list.include?(ip) }
-    end
-
-    def monitored_ip_list_keys(ip)
-      return [] if ip.nil?
-
-      monitored_ip_lists.filter_map { |ip_list| ip_list.key if ip_list.include?(ip) }
+      user_agent_details
+        .filter { |record| record[:pattern].match?(user_agent) }
+        .map { |record| record[:key] }
     end
 
     def block_outbound?(connection)
@@ -227,6 +181,5 @@ module Aikido::Zen
 end
 
 require_relative "runtime_settings/ip_set"
-require_relative "runtime_settings/ip_list"
 require_relative "runtime_settings/endpoints"
 require_relative "runtime_settings/domains"

data/lib/aikido/zen/version.rb

@@ -2,7 +2,7 @@
 
 module Aikido
   module Zen
-    VERSION = "1.1.2"
+    VERSION = "1.2.3"
 
     # The version of libzen_internals that we build against.
     LIBZEN_VERSION = "0.1.60"

data/lib/aikido/zen.rb

@@ -17,7 +17,6 @@ require_relative "zen/middleware/middleware"
 require_relative "zen/middleware/fork_detector"
 require_relative "zen/middleware/context_setter"
 require_relative "zen/middleware/allowed_address_checker"
-require_relative "zen/middleware/ip_list_checker"
 require_relative "zen/middleware/user_agent_checker"
 require_relative "zen/middleware/attack_protector"
 require_relative "zen/middleware/attack_wave_protector"
@@ -134,7 +133,7 @@ module Aikido
       collector.track_rate_limited_request
     end
 
-    # Track blocked and monitored user agents.
+    # Track monitored and blocked user agents.
     #
     # @param user_agent_keys [Array<String>, nil] the user agent keys
     #   from matching runtime firewall list user agent details.
@@ -143,15 +142,6 @@ module Aikido
       collector.track_user_agent(user_agent_keys)
     end
 
-    # Track blocked and monitored IP lists.
-    #
-    # @param ip_list_keys [Array<String>, nil] the IP list keys
-    #   from matching runtime firewall list IP lists.
-    # @return [void]
-    def self.track_ip_list(ip_list_keys)
-      collector.track_ip_list(ip_list_keys)
-    end
-
     # Track statistics about an attack wave the app is handling.
     #
     # @param attack_wave [Aikido::Zen::Events::AttackWave]

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: aikido-zen
 version: !ruby/object:Gem::Version
-  version: 1.1.2
+  version: 1.2.3
 platform: ruby
 authors:
 - Aikido Security
@@ -126,7 +126,6 @@ files:
 - lib/aikido/zen/middleware/attack_wave_protector.rb
 - lib/aikido/zen/middleware/context_setter.rb
 - lib/aikido/zen/middleware/fork_detector.rb
-- lib/aikido/zen/middleware/ip_list_checker.rb
 - lib/aikido/zen/middleware/middleware.rb
 - lib/aikido/zen/middleware/rack_throttler.rb
 - lib/aikido/zen/middleware/request_tracker.rb
@@ -153,7 +152,6 @@ files:
 - lib/aikido/zen/runtime_settings/domain_settings.rb
 - lib/aikido/zen/runtime_settings/domains.rb
 - lib/aikido/zen/runtime_settings/endpoints.rb
-- lib/aikido/zen/runtime_settings/ip_list.rb
 - lib/aikido/zen/runtime_settings/ip_set.rb
 - lib/aikido/zen/runtime_settings/protection_settings.rb
 - lib/aikido/zen/runtime_settings/rate_limit_settings.rb

data/lib/aikido/zen/middleware/ip_list_checker.rb

@@ -1,47 +0,0 @@
-# frozen_string_literal: true
-
-module Aikido::Zen
-  module Middleware
-    class IPListChecker
-      def initialize(app, zen: Aikido::Zen, config: zen.config, settings: zen.runtime_settings)
-        @app = app
-        @zen = zen
-        @config = config
-        @settings = settings
-      end
-
-      def call(env)
-        request = Aikido::Zen::Middleware.request_from(env)
-
-        client_ip = request.client_ip
-
-        return @app.call(env) if bypassed_ip?(client_ip)
-
-        if !@settings.allowed_ip?(client_ip)
-          return @config.blocked_responder.call(request, :ip_allowed_list)
-        end
-
-        monitored_ip_list_keys = @settings.monitored_ip_list_keys(client_ip)
-        @zen.track_ip_list(monitored_ip_list_keys)
-
-        blocked_ip_lists = @settings.blocked_ip_lists.filter { |ip_list| ip_list.include?(client_ip) }
-
-        if !blocked_ip_lists.empty?
-          @zen.track_ip_list(blocked_ip_lists.map(&:key))
-
-          return @config.blocked_responder.call(
-            request,
-            :ip_blocked_list,
-            blocked_ip_lists.first.description
-          )
-        end
-
-        @app.call(env)
-      end
-
-      def bypassed_ip?(client_ip)
-        @settings.bypassed_ips.include?(client_ip)
-      end
-    end
-  end
-end

data/lib/aikido/zen/runtime_settings/ip_list.rb

@@ -1,34 +0,0 @@
-# frozen_string_literal: true
-
-module Aikido::Zen
-  class RuntimeSettings::IPList
-    attr_reader :key
-    attr_reader :source
-    attr_reader :description
-    attr_reader :ips
-
-    def self.from_json(data)
-      new(
-        key: data["key"],
-        source: data["source"],
-        description: data["description"],
-        ips: RuntimeSettings::IPSet.from_json(data["ips"])
-      )
-    end
-
-    def initialize(key:, source:, description:, ips:)
-      @key = key
-      @source = source
-      @description = description
-      @ips = ips
-    end
-
-    def inspect
-      "#<#{self.class} #{@key}>"
-    end
-
-    def include?(ip)
-      @ips.include?(ip)
-    end
-  end
-end