aikido-zen 1.0.8 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b690b6afc8d07c5c30a8995fe06f35b4b16fcf2e74b56ed0ba0d0b1736955b7b
-  data.tar.gz: 461b7f991225fa92f76cc6db6bbbf48eccb1ed15cb7a8f2f5ce9b9a95f576e52
+  metadata.gz: 00d07a2e96b782a13c2ab2ec94582f318660ce4e2a3b77ff896490c5382bea47
+  data.tar.gz: a9b4db0b7157206284d78f35e6530ccb5bdf2e851ea28152788a7d195406b7a3
 SHA512:
-  metadata.gz: 0dad1650feacdcebb020c5bb94ffa9a30e540d21b942dff4322731052bc21815c354ecd22f7ecde8b9bae8af3b4b8cc83dcd6cd8714f644712bdda12f37cf918
-  data.tar.gz: 5dcb46b46e9095d6bf9afbcfe4e4f7faeb4142c01fdbc3d742be52965e0fcb1bc423d358ac6d117c4e9f7f19c404e753d7a4570f0d1baba7dec394d7d5c5265b
+  metadata.gz: 3e7229c3918e282d565ef0d25841e641e9133af719769748ee3626d6c7ad70573d899c33f46e290f8a5fdd56118d569c282d62ba6dab006970426bbccc33febb
+  data.tar.gz: f1388b4b07679712ee999f245db8faf4c811f76c08ac7ca67e68df06ca8e5d74707cf53f35ca6e25fe195d31d41ba13ef51145804ae7f60a6e451f194672f670

data/lib/aikido/zen/agent.rb

@@ -46,21 +46,30 @@ module Aikido::Zen
       if Aikido::Zen.blocking_mode?
         @config.logger.info("Requests identified as attacks will be blocked")
       else
-        @config.logger.warn("Non-blocking mode enabled! No requests will be blocked.")
+        @config.logger.warn("Non-blocking mode enabled! No requests will be blocked")
       end
 
       if @api_client.can_make_requests?
-        @config.logger.info("API Token set! Reporting has been enabled.")
+        @config.logger.info("API Token set! Reporting has been enabled")
       else
-        @config.logger.warn("No API Token set! Reporting has been disabled.")
+        @config.logger.warn("No API Token set! Reporting has been disabled")
         return
       end
 
       at_exit { stop! if started? }
 
       report(Events::Started.new(time: @started_at)) do |response|
-        updated_settings! if Aikido::Zen.runtime_settings.update_from_json(response)
-        @config.logger.info("Updated runtime settings.")
+        if Aikido::Zen.runtime_settings.update_from_runtime_config_json(response)
+          updated_settings!
+          @config.logger.info("Updated runtime settings")
+        end
+      rescue => err
+        @config.logger.error(err.message)
+      end
+
+      begin
+        Aikido::Zen.runtime_settings.update_from_runtime_firewall_lists_json(@api_client.fetch_runtime_firewall_lists)
+        @config.logger.info("Updated runtime firewall list")
       rescue => err
         @config.logger.error(err.message)
       end
@@ -148,8 +157,10 @@ module Aikido::Zen
 
       heartbeat = @collector.flush
       report(heartbeat) do |response|
-        updated_settings! if Aikido::Zen.runtime_settings.update_from_json(response)
-        @config.logger.info("Updated runtime settings after heartbeat")
+        if Aikido::Zen.runtime_settings.update_from_runtime_config_json(response)
+          updated_settings!
+          @config.logger.info("Updated runtime settings after heartbeat")
+        end
       end
     end
 
@@ -163,8 +174,13 @@ module Aikido::Zen
     def poll_for_setting_updates
       @worker.every(@config.polling_interval) do
         if @api_client.should_fetch_settings?
-          updated_settings! if Aikido::Zen.runtime_settings.update_from_json(@api_client.fetch_settings)
-          @config.logger.info("Updated runtime settings after polling")
+          if Aikido::Zen.runtime_settings.update_from_runtime_config_json(@api_client.fetch_runtime_config)
+            updated_settings!
+            @config.logger.info("Updated runtime settings after polling")
+          end
+
+          Aikido::Zen.runtime_settings.update_from_runtime_firewall_lists_json(@api_client.fetch_runtime_firewall_lists)
+          @config.logger.info("Updated runtime firewall list after polling")
         end
       end
     end

data/lib/aikido/zen/api_client.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 require "net/http"
+require "zlib"
+require "stringio"
 require_relative "rate_limiter"
 
 module Aikido::Zen
@@ -43,19 +45,29 @@ module Aikido::Zen
       new_updated_at > last_updated_at
     end
 
-    # Fetches the runtime settings from the server. In case of a timeout or
+    # Fetches the runtime config from the server. In case of a timeout or
     # other low-lever error, the request will be automatically retried up to two
     # times, after which it will raise an error.
     #
     # @return [Hash] decoded JSON response from the server with the runtime
     #   settings.
     # @raise (see #request)
-    def fetch_settings
-      @config.logger.debug("Fetching new runtime settings")
+    def fetch_runtime_config
+      @config.logger.debug("Fetching new runtime config")
 
       request(Net::HTTP::Get.new("/api/runtime/config", default_headers))
     end
 
+    def fetch_runtime_firewall_lists
+      @config.logger.debug("Fetching new runtime firewall lists")
+
+      headers = default_headers.merge({
+        "Accept-Encoding" => "gzip"
+      })
+
+      request(Net::HTTP::Get.new("/api/runtime/firewall/lists", headers))
+    end
+
     # @overload report(event)
     #   Reports an event to the server.
     #
@@ -69,7 +81,7 @@ module Aikido::Zen
     #
     #   @param settings_updating_event [Aikido::Zen::Events::Started,
     #     Aikido::Zen::Events::Heartbeat]
-    #   @return (see #fetch_settings)
+    #   @return (see #fetch_runtime_config)
     #   @raise (see #request)
     def report(event)
       event_type = if event.respond_to?(:type)
@@ -116,7 +128,12 @@ module Aikido::Zen
 
         case response
         when Net::HTTPSuccess
-          @config.json_decoder.call(response.body)
+          begin
+            body = decode(response.body, response["Content-Encoding"])
+            @config.json_decoder.call(body)
+          rescue => err
+            raise DecodeError.new(request, err)
+          end
         when Net::HTTPTooManyRequests
           raise RateLimitedError.new(request, response)
         else
@@ -127,6 +144,22 @@ module Aikido::Zen
       raise NetworkError.new(request, err)
     end
 
+    # @param data [String, nil]
+    # @param encoding [String, nil]
+    # @return [String, nil]
+    private def decode(data, encoding)
+      return data unless data
+
+      case encoding&.downcase
+      when "gzip"
+        StringIO.open(data, "r") do |io|
+          Zlib::GzipReader.wrap(io) { |gz| gz.read }
+        end
+      else
+        data
+      end
+    end
+
     private def http_settings(base_url)
       @http_settings ||= {
         use_ssl: base_url.scheme == "https",

data/lib/aikido/zen/collector/event.rb

@@ -52,6 +52,33 @@ module Aikido::Zen
         end
       end
 
+      class TrackUserAgent < Event
+        register "track_user_agent"
+
+        def self.from_json(data)
+          new(data[:user_agent_keys])
+        end
+
+        def initialize(user_agent_keys)
+          super()
+          @user_agent_keys = user_agent_keys
+        end
+
+        def as_json
+          super.update({
+            user_agent_keys: @user_agent_keys
+          })
+        end
+
+        def handle(collector)
+          collector.handle_track_user_agent(@user_agent_keys)
+        end
+
+        def inspect
+          "#<#{self.class.name} #{@user_agent_keys.inspect}>"
+        end
+      end
+
       class TrackAttackWave < Event
         register "track_attack_wave"
 

data/lib/aikido/zen/collector/stats.rb

@@ -8,7 +8,7 @@ module Aikido::Zen
   # Tracks information about how the Aikido Agent is used in the app.
   class Collector::Stats
     # @!visibility private
-    attr_reader :started_at, :ended_at, :requests, :aborted_requests, :attack_waves, :blocked_attack_waves, :sinks
+    attr_reader :started_at, :ended_at, :requests, :aborted_requests, :user_agents, :attack_waves, :blocked_attack_waves, :sinks
 
     # @!visibility private
     attr_writer :ended_at
@@ -20,6 +20,7 @@ module Aikido::Zen
       @started_at = @ended_at = nil
       @requests = 0
       @aborted_requests = 0
+      @user_agents = Hash.new { |h, k| h[k] = 0 }
       @attack_waves = 0
       @blocked_attack_waves = 0
       @sinks = Hash.new { |h, k| h[k] = Collector::SinkStats.new(k, @config) }
@@ -27,7 +28,10 @@ module Aikido::Zen
 
     # @return [Boolean]
     def empty?
-      @requests.zero? && @sinks.empty?
+      @requests.zero? &&
+        @user_agents.empty? &&
+        @attack_waves.zero? &&
+        @sinks.empty?
     end
 
     # @return [Boolean]
@@ -63,6 +67,12 @@ module Aikido::Zen
       @requests += 1
     end
 
+    # @param user_agent_keys [Array<String>] the user agent keys
+    # @return [void]
+    def add_user_agent(user_agent_keys)
+      user_agent_keys&.each { |user_agent_key| @user_agents[user_agent_key] += 1 }
+    end
+
     # @param being_blocked [Boolean] whether the Agent blocked the request
     # @return [void]
     def add_attack_wave(being_blocked:)
@@ -107,6 +117,9 @@ module Aikido::Zen
             total: @attack_waves,
             blocked: @blocked_attack_waves
           }
+        },
+        userAgents: {
+          breakdown: @user_agents
         }
       }
     end

data/lib/aikido/zen/collector.rb

@@ -88,6 +88,20 @@ module Aikido::Zen
       synchronize(@stats) { |stats| stats.add_request }
     end
 
+    # Track stats about monitored and blocked user agents
+    #
+    # @param [Array<String>, nil] the user agent keys
+    # @return [void]
+    def track_user_agent(user_agent_keys)
+      return if user_agent_keys.nil?
+
+      add_event(Events::TrackUserAgent.new(user_agent_keys))
+    end
+
+    def handle_track_user_agent(user_agent_keys)
+      synchronize(@stats) { |stats| stats.add_user_agent(user_agent_keys) }
+    end
+
     # Track stats about an attack detected by our scanners.
     #
     # @param attack [Aikido::Zen::Events::AttackWave]

data/lib/aikido/zen/config.rb

@@ -300,6 +300,8 @@ module Aikido::Zen
       message = case blocking_type
       when :ip
         format("Your IP address is not allowed to access this resource. (Your IP: %s)", request.ip)
+      when :user_agent
+        "You are not allowed to access this resource because you have been identified as a bot."
       else
         "You are blocked by Zen."
       end

data/lib/aikido/zen/errors.rb

@@ -54,6 +54,17 @@ module Aikido
     # Raised whenever a response to the API results in a 429 response.
     class RateLimitedError < APIError; end
 
+    # Raised whenever a request body cannot be decoded.
+    class DecodeError < StandardError
+      include Error
+
+      def initialize(request, cause = nil)
+        @request = request.dup
+
+        super("Error in #{request.method} #{request.path}: #{cause.message}")
+      end
+    end
+
     class UnderAttackError < StandardError
       include Error
 

data/lib/aikido/zen/middleware/user_agent_checker.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  module Middleware
+    class UserAgentChecker
+      def initialize(app, zen: Aikido::Zen, config: zen.config, settings: zen.runtime_settings)
+        @app = app
+        @zen = zen
+        @config = config
+        @settings = settings
+      end
+
+      def call(env)
+        request = Aikido::Zen::Middleware.request_from(env)
+
+        return @app.call(env) if bypassed?(request)
+
+        user_agent = request.user_agent
+
+        if @settings.blocked_user_agent?(user_agent)
+          user_agent_keys = @settings.user_agent_keys(user_agent)
+          @zen.track_user_agent(user_agent_keys)
+
+          return @config.blocked_responder.call(request, :user_agent)
+        end
+
+        if @settings.monitored_user_agent?(user_agent)
+          user_agent_keys = @settings.user_agent_keys(user_agent)
+          @zen.track_user_agent(user_agent_keys)
+        end
+
+        @app.call(env)
+      end
+
+      def bypassed?(request)
+        # Bypass bot blocking and monitoring for allowed IPs
+        @settings.allowed_ips.include?(request.ip)
+      end
+    end
+  end
+end

data/lib/aikido/zen/rails_engine.rb

@@ -17,6 +17,7 @@ module Aikido::Zen
         Aikido::Zen::Middleware::ForkDetector,
         Aikido::Zen::Middleware::ContextSetter,
         Aikido::Zen::Middleware::AllowedAddressChecker,
+        Aikido::Zen::Middleware::UserAgentChecker,
         Aikido::Zen::Middleware::AttackProtector,
         Aikido::Zen::Middleware::AttackWaveProtector,
         # Request Tracker stats do not consider failed requests, so the middleware

data/lib/aikido/zen/runtime_settings.rb

@@ -6,12 +6,12 @@ module Aikido::Zen
   #
   # Because the RuntimeSettings object can be modified in runtime, it implements
   # the {Observable} API, allowing you to subscribe to updates. These are
-  # triggered whenever #update_from_json makes a change (i.e. if the settings
-  # don't change, no update is triggered).
+  # triggered whenever #update_from_runtime_settings_json makes a change
+  # (i.e. if the settings don't change, no update is triggered).
   #
   # You can subscribe to changes with +#add_observer(object, func_name)+, which
-  # will call the function passing the settings as an argument.
-  RuntimeSettings = Struct.new(:updated_at, :heartbeat_interval, :endpoints, :blocked_user_ids, :allowed_ips, :received_any_stats, :blocking_mode) do
+  # will call the function passing the settings as an argument
+  RuntimeSettings = Struct.new(:updated_at, :heartbeat_interval, :endpoints, :blocked_user_ids, :allowed_ips, :received_any_stats, :blocking_mode, :blocked_user_agent_regexp, :monitored_user_agent_regexp, :user_agent_details) do
     def initialize(*)
       super
       self.endpoints ||= RuntimeSettings::Endpoints.new
@@ -25,10 +25,6 @@ module Aikido::Zen
     #   @return [Integer] duration in seconds between heartbeat requests to the
     #     Aikido server.
 
-    # @!attribute [rw] received_any_stats
-    #   @return [Boolean] whether the Aikido server has received any data from
-    #     this application.
-
     # @!attribute [rw] endpoints
     #   @return [Aikido::Zen::RuntimeSettings::Endpoints]
 
@@ -38,15 +34,31 @@ module Aikido::Zen
     # @!attribute [rw] allowed_ips
     #   @return [Aikido::Zen::RuntimeSettings::IPSet]
 
+    # @!attribute [rw] received_any_stats
+    #   @return [Boolean] whether the Aikido server has received any data from
+    #     this application.
+
+    # @!attribute [rw] blocking_mode
+    #   @return [Boolean]
+
+    # @!attribute [rw] blocked_user_agent_regexp
+    #   @return [Regexp]
+
+    # @!attribute [rw] monitored_user_agent_regexp
+    #   @return [Regexp]
+
+    # @!attribute [rw] user_agent_details
+    #   @return [Regexp]
+
     # Parse and interpret the JSON response from the core API with updated
-    # settings, and apply the changes. This will also notify any subscriber
-    # to updates
+    # runtime settings, and apply the changes.
+    #
+    # This will also notify any subscriber to updates.
     #
     # @param data [Hash] the decoded JSON payload from the /api/runtime/config
     #   API endpoint.
-    #
     # @return [bool]
-    def update_from_json(data)
+    def update_from_runtime_config_json(data)
       last_updated_at = updated_at
 
       self.updated_at = Time.at(data["configUpdatedAt"].to_i / 1000)
@@ -59,6 +71,75 @@ module Aikido::Zen
 
       updated_at != last_updated_at
     end
+
+    # Parse and interpret the JSON response from the core API with updated
+    # runtime firewall lists, and apply the changes.
+    #
+    # @param data [Hash] the decoded JSON payload from the /api/runtime/firewall/lists
+    #   API endpoint.
+    # @return [void]
+    def update_from_runtime_firewall_lists_json(data)
+      self.blocked_user_agent_regexp = pattern(data["blockedUserAgents"])
+
+      self.monitored_user_agent_regexp = pattern(data["monitoredUserAgents"])
+
+      self.user_agent_details = []
+
+      data["userAgentDetails"]&.each do |record|
+        key = record["key"]
+        pattern = pattern(record["pattern"])
+
+        next if key.nil? || pattern.nil?
+
+        user_agent_details << {
+          key: key,
+          pattern: pattern
+        }
+      end
+    end
+
+    # Construct a regular expression from the non-nil and non-empty string,
+    # otherwise return nil.
+    #
+    # The resulting regular expression is case insensitive.
+    #
+    # @param string [String, nil]
+    # @return [Regexp, nil]
+    private def pattern(string)
+      return nil if string.nil? || string.empty?
+
+      begin
+        /#{string}/i
+      rescue RegexpError
+        nil
+      end
+    end
+
+    # @param user_agent [String] the user agent
+    # @return [Boolean] whether the user agent should be blocked
+    def blocked_user_agent?(user_agent)
+      return false if blocked_user_agent_regexp.nil?
+
+      blocked_user_agent_regexp.match?(user_agent)
+    end
+
+    # @param user_agent [String] the user agent
+    # @return [Boolean] whether the user agent should be monitored
+    def monitored_user_agent?(user_agent)
+      return false if monitored_user_agent_regexp.nil?
+
+      monitored_user_agent_regexp.match?(user_agent)
+    end
+
+    # @param user_agent [String] the user agent
+    # @return [Array<String>] the matching user agent keys
+    def user_agent_keys(user_agent)
+      return [] if user_agent_details.nil?
+
+      user_agent_details
+        .filter { |record| record[:pattern].match?(user_agent) }
+        .map { |record| record[:key] }
+    end
   end
 end
 

data/lib/aikido/zen/version.rb

@@ -2,7 +2,7 @@
 
 module Aikido
   module Zen
-    VERSION = "1.0.8"
+    VERSION = "1.1.0"
 
     # The version of libzen_internals that we build against.
     LIBZEN_VERSION = "0.1.48"

data/lib/aikido/zen.rb

@@ -16,6 +16,7 @@ require_relative "zen/middleware/middleware"
 require_relative "zen/middleware/fork_detector"
 require_relative "zen/middleware/context_setter"
 require_relative "zen/middleware/allowed_address_checker"
+require_relative "zen/middleware/user_agent_checker"
 require_relative "zen/middleware/attack_protector"
 require_relative "zen/middleware/attack_wave_protector"
 require_relative "zen/middleware/request_tracker"
@@ -37,7 +38,7 @@ module Aikido
     # @return [void]
     def self.protect!
       if config.disabled?
-        config.logger.warn("Zen has been disabled and will not run.")
+        config.logger.warn("Zen has been disabled and will not run")
         return
       end
 
@@ -128,6 +129,15 @@ module Aikido
       collector.track_request
     end
 
+    # Track monitored and blocked user agents.
+    #
+    # @param user_agent_keys [Array<String>, nil] the user agent keys
+    #   from matching runtime firewall list user agent details.
+    # @return [void]
+    def self.track_user_agent(user_agent_keys)
+      collector.track_user_agent(user_agent_keys)
+    end
+
     # Track statistics about an attack wave the app is handling.
     #
     # @param attack_wave [Aikido::Zen::Events::AttackWave]

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aikido-zen
 version: !ruby/object:Gem::Version
-  version: 1.0.8
+  version: 1.1.0
 platform: ruby
 authors:
 - Aikido Security
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2026-01-09 00:00:00.000000000 Z
+date: 2026-01-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: concurrent-ruby
@@ -114,6 +114,7 @@ files:
 - lib/aikido/zen/middleware/middleware.rb
 - lib/aikido/zen/middleware/rack_throttler.rb
 - lib/aikido/zen/middleware/request_tracker.rb
+- lib/aikido/zen/middleware/user_agent_checker.rb
 - lib/aikido/zen/outbound_connection.rb
 - lib/aikido/zen/outbound_connection_monitor.rb
 - lib/aikido/zen/package.rb