Module: Aikido::Zen
- Defined in:
- lib/aikido/zen.rb,
lib/aikido/zen/scan.rb,
lib/aikido/zen/sink.rb,
lib/aikido/zen/actor.rb,
lib/aikido/zen/agent.rb,
lib/aikido/zen/cache.rb,
lib/aikido/zen/event.rb,
lib/aikido/zen/route.rb,
lib/aikido/zen/attack.rb,
lib/aikido/zen/config.rb,
lib/aikido/zen/errors.rb,
lib/aikido/zen/worker.rb,
lib/aikido/zen/context.rb,
lib/aikido/zen/helpers.rb,
lib/aikido/zen/package.rb,
lib/aikido/zen/payload.rb,
lib/aikido/zen/request.rb,
lib/aikido/zen/version.rb,
lib/aikido/zen/sinks/pg.rb,
lib/aikido/zen/collector.rb,
lib/aikido/zen/internals.rb,
lib/aikido/zen/sinks_dsl.rb,
lib/aikido/zen/api_client.rb,
lib/aikido/zen/sinks/curb.rb,
lib/aikido/zen/sinks/file.rb,
lib/aikido/zen/sinks/http.rb,
lib/aikido/zen/attack_wave.rb,
lib/aikido/zen/sinks/excon.rb,
lib/aikido/zen/sinks/httpx.rb,
lib/aikido/zen/system_info.rb,
lib/aikido/zen/rails_engine.rb,
lib/aikido/zen/rate_limiter.rb,
lib/aikido/zen/sinks/kernel.rb,
lib/aikido/zen/sinks/mysql2.rb,
lib/aikido/zen/sinks/patron.rb,
lib/aikido/zen/sinks/resolv.rb,
lib/aikido/zen/sinks/socket.rb,
lib/aikido/zen/sinks/em_http.rb,
lib/aikido/zen/sinks/sqlite3.rb,
lib/aikido/zen/sinks/trilogy.rb,
lib/aikido/zen/request/schema.rb,
lib/aikido/zen/sinks/net_http.rb,
lib/aikido/zen/sinks/typhoeus.rb,
lib/aikido/zen/synchronizable.rb,
lib/aikido/zen/collector/event.rb,
lib/aikido/zen/collector/hosts.rb,
lib/aikido/zen/collector/stats.rb,
lib/aikido/zen/collector/users.rb,
lib/aikido/zen/collector/routes.rb,
lib/aikido/zen/runtime_settings.rb,
lib/aikido/zen/sinks/async_http.rb,
lib/aikido/zen/sinks/httpclient.rb,
lib/aikido/zen/background_worker.rb,
lib/aikido/zen/capped_collections.rb,
lib/aikido/zen/attack_wave/helpers.rb,
lib/aikido/zen/outbound_connection.rb,
lib/aikido/zen/rate_limiter/bucket.rb,
lib/aikido/zen/rate_limiter/result.rb,
lib/aikido/zen/collector/sink_stats.rb,
lib/aikido/zen/context/rack_request.rb,
lib/aikido/zen/rate_limiter/breaker.rb,
lib/aikido/zen/request/rails_router.rb,
lib/aikido/zen/context/rails_request.rb,
lib/aikido/zen/scanners/ssrf_scanner.rb,
lib/aikido/zen/request/schema/builder.rb,
lib/aikido/zen/runtime_settings/ip_set.rb,
lib/aikido/zen/sinks/action_controller.rb,
lib/aikido/zen/agent/heartbeats_manager.rb,
lib/aikido/zen/middleware/fork_detector.rb,
lib/aikido/zen/request/heuristic_router.rb,
lib/aikido/zen/runtime_settings/domains.rb,
lib/aikido/zen/middleware/context_setter.rb,
lib/aikido/zen/middleware/rack_throttler.rb,
lib/aikido/zen/request/schema/definition.rb,
lib/aikido/zen/scanners/ssrf/dns_lookups.rb,
lib/aikido/zen/middleware/request_tracker.rb,
lib/aikido/zen/runtime_settings/endpoints.rb,
lib/aikido/zen/middleware/attack_protector.rb,
lib/aikido/zen/request/schema/auth_schemas.rb,
lib/aikido/zen/request/schema/empty_schema.rb,
lib/aikido/zen/scanners/stored_ssrf_scanner.rb,
lib/aikido/zen/middleware/user_agent_checker.rb,
lib/aikido/zen/request/schema/auth_discovery.rb,
lib/aikido/zen/scanners/sql_injection_scanner.rb,
lib/aikido/zen/scanners/path_traversal/helpers.rb,
lib/aikido/zen/scanners/path_traversal_scanner.rb,
lib/aikido/zen/middleware/attack_wave_protector.rb,
lib/aikido/zen/runtime_settings/domain_settings.rb,
lib/aikido/zen/scanners/shell_injection_scanner.rb,
lib/aikido/zen/scanners/ssrf/private_ip_checker.rb,
lib/aikido/zen/middleware/allowed_address_checker.rb,
lib/aikido/zen/runtime_settings/protection_settings.rb,
lib/aikido/zen/runtime_settings/rate_limit_settings.rb
Defined Under Namespace
Modules: AttackWave, Attacks, DetachedAgent, Events, Helpers, Internals, Middleware, Rails, Scanners, Sinks Classes: APIClient, APIError, Actor, Agent, Attack, BackgroundWorker, Cache, CacheEntry, CappedMap, CappedSet, Collector, Config, Context, DecodeError, DetachedAgentError, Event, InternalsError, NetworkError, OutboundConnection, OutboundConnectionBlockedError, Package, PathTraversalError, Payload, RailsEngine, RateLimitedError, RateLimiter, Request, Route, RuntimeSettings, SQLInjectionError, SSRFDetectedError, Scan, ShellInjectionError, Sink, SystemInfo, UnderAttackError, Worker
Constant Summary collapse
- LOCK =
‘agent` and `detached_agent` are started on the first method call. A mutex controls thread execution to prevent multiple attempts.
Mutex.new
- VERSION =
"1.2.3"- LIBZEN_VERSION =
The version of libzen_internals that we build against.
"0.1.60"
Class Method Summary collapse
-
.Actor(data) ⇒ Object
Converts an object into an Actor for reporting back to the Aikido Dashboard.
-
.attack_wave_detector ⇒ Aikido::Zen::AttackWave::Detector
The attack wave detector.
-
.blocking_mode? ⇒ Boolean
Whether the Aikido agent is currently blocking requests.
- .check_and_handle_fork ⇒ Object
-
.collector ⇒ Object
Manages runtime metrics extracted from your app, which are uploaded to the Aikido servers if configured to do so.
-
.config ⇒ Aikido::Zen::Config
The agent configuration.
-
.current_context ⇒ Aikido::Zen::Context?
Gets the current context object that holds all information about the current request.
-
.current_context=(context) ⇒ Aikido::Zen::Context?
Sets the current context object that holds all information about the current request, or
nilto clear the current context. - .detached_agent ⇒ Object
- .detached_agent_server ⇒ Object
- .forked? ⇒ Boolean
- .handle_fork ⇒ Object
-
.middleware_installed! ⇒ Object
Marks that the Zen middleware was installed properly.
-
.protect! ⇒ void
Enable protection.
-
.runtime_settings ⇒ Aikido::Zen::RuntimeSettings
The firewall configuration sourced from your Aikido dashboard.
- .runtime_settings=(settings) ⇒ Object
- .start! ⇒ Object
- .start? ⇒ Boolean
-
.system_info ⇒ Object
Gets information about the current system configuration, which is sent to the server along with any events.
-
.track_attack_wave(_attack_wave) ⇒ void
Track statistics about an attack wave the app is handling.
-
.track_discovered_route(request) ⇒ void
Track statistics about a route that the app has discovered.
-
.track_outbound(connection) ⇒ void
Tracks a network connection made to an external service.
- .track_rate_limited_request(_request) ⇒ Object
-
.track_request(_request) ⇒ void
Track statistics about an HTTP request the app is handling.
-
.track_scan(scan) ⇒ void
Track statistics about the result of a Sink’s scan, and report it as an Attack if one is detected.
-
.track_user(user) ⇒ void
(also: set_user)
Track the user making the current request.
-
.track_user_agent(user_agent_keys) ⇒ void
Track monitored and blocked user agents.
Class Method Details
.Actor(actor) ⇒ Object .Actor(data) ⇒ Object
Converts an object into an Actor for reporting back to the Aikido Dashboard.
19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 |
# File 'lib/aikido/zen/actor.rb', line 19 def self.Actor(data) return if data.nil? return data.to_aikido_actor if data.respond_to?(:to_aikido_actor) attrs = {} if data.respond_to?(:to_hash) attrs = data.to_hash .slice("id", "name", :id, :name) .compact .transform_keys(&:to_sym) .transform_values(&:to_s) else return nil end return nil if attrs[:id].nil? || attrs[:id].to_s.strip.empty? Actor.new(**attrs) end |
.attack_wave_detector ⇒ Aikido::Zen::AttackWave::Detector
Returns the attack wave detector.
213 214 215 |
# File 'lib/aikido/zen.rb', line 213 def self.attack_wave_detector @attack_wave_detector ||= AttackWave::Detector.new end |
.blocking_mode? ⇒ Boolean
Returns whether the Aikido agent is currently blocking requests. Blocking mode is configured at startup and can be controlled through the Aikido dashboard at runtime.
88 89 90 91 92 93 |
# File 'lib/aikido/zen.rb', line 88 def self.blocking_mode? blocking_mode = runtime_settings.blocking_mode return blocking_mode unless blocking_mode.nil? config.blocking_mode end |
.check_and_handle_fork ⇒ Object
284 285 286 |
# File 'lib/aikido/zen.rb', line 284 def check_and_handle_fork handle_fork if forked? end |
.collector ⇒ Object
Manages runtime metrics extracted from your app, which are uploaded to the Aikido servers if configured to do so.
103 104 105 |
# File 'lib/aikido/zen.rb', line 103 def self.collector @collector ||= Collector.new end |
.config ⇒ Aikido::Zen::Config
Returns the agent configuration.
71 72 73 |
# File 'lib/aikido/zen.rb', line 71 def self.config @config ||= Config.new end |
.current_context ⇒ Aikido::Zen::Context?
Gets the current context object that holds all information about the current request.
111 112 113 |
# File 'lib/aikido/zen.rb', line 111 def self.current_context Fiber.current.aikido_current_context end |
.current_context=(context) ⇒ Aikido::Zen::Context?
Sets the current context object that holds all information about the current request, or nil to clear the current context.
120 121 122 |
# File 'lib/aikido/zen.rb', line 120 def self.current_context=(context) Fiber.current.aikido_current_context = context end |
.detached_agent ⇒ Object
254 255 256 |
# File 'lib/aikido/zen.rb', line 254 def self.detached_agent @detached_agent ||= DetachedAgent::Agent.new end |
.detached_agent_server ⇒ Object
258 259 260 |
# File 'lib/aikido/zen.rb', line 258 def self.detached_agent_server @detached_agent_server ||= DetachedAgent::Server.start end |
.forked? ⇒ Boolean
288 289 290 291 292 |
# File 'lib/aikido/zen.rb', line 288 def forked? pid_changed = Process.pid != @pid @pid = Process.pid pid_changed end |
.handle_fork ⇒ Object
294 295 296 |
# File 'lib/aikido/zen.rb', line 294 def handle_fork @detached_agent&.handle_fork end |
.middleware_installed! ⇒ Object
Marks that the Zen middleware was installed properly
208 209 210 |
# File 'lib/aikido/zen.rb', line 208 def self.middleware_installed! collector.middleware_installed! end |
.protect! ⇒ void
This method returns an undefined value.
Enable protection. Until this method is called no sinks are loaded and the Aikido Agent does not start.
This method should be called only once, in the application after the initialization process is complete.
39 40 41 42 43 44 45 46 47 48 49 50 51 |
# File 'lib/aikido/zen.rb', line 39 def self.protect! if config.disabled? config.logger.warn("Zen has been disabled and will not run") return end unless load_sources! && load_sinks! config.logger.warn("Zen could not find any supported libraries or frameworks. Visit https://github.com/AikidoSec/firewall-ruby for more information.") return end middleware_installed! end |
.runtime_settings ⇒ Aikido::Zen::RuntimeSettings
Returns the firewall configuration sourced from your Aikido dashboard. This is periodically polled for updates.
77 78 79 |
# File 'lib/aikido/zen.rb', line 77 def self.runtime_settings @runtime_settings ||= RuntimeSettings.new end |
.runtime_settings=(settings) ⇒ Object
81 82 83 |
# File 'lib/aikido/zen.rb', line 81 def self.runtime_settings=(settings) @runtime_settings = settings end |
.start! ⇒ Object
267 268 269 270 271 272 273 274 275 276 |
# File 'lib/aikido/zen.rb', line 267 def start! return unless start? @pid = Process.pid LOCK.synchronize do agent detached_agent_server end end |
.start? ⇒ Boolean
278 279 280 281 282 |
# File 'lib/aikido/zen.rb', line 278 def start? !config.api_token.nil? || config.blocking_mode? || config.debugging? end |
.system_info ⇒ Object
Gets information about the current system configuration, which is sent to the server along with any events.
97 98 99 |
# File 'lib/aikido/zen.rb', line 97 def self.system_info @system_info ||= SystemInfo.new end |
.track_attack_wave(_attack_wave) ⇒ void
This method returns an undefined value.
Track statistics about an attack wave the app is handling.
149 150 151 |
# File 'lib/aikido/zen.rb', line 149 def self.track_attack_wave(_attack_wave) collector.track_attack_wave(being_blocked: false) end |
.track_discovered_route(request) ⇒ void
This method returns an undefined value.
Track statistics about a route that the app has discovered.
157 158 159 |
# File 'lib/aikido/zen.rb', line 157 def self.track_discovered_route(request) collector.track_route(request) end |
.track_outbound(connection) ⇒ void
This method returns an undefined value.
Tracks a network connection made to an external service.
165 166 167 |
# File 'lib/aikido/zen.rb', line 165 def self.track_outbound(connection) collector.track_outbound(connection) end |
.track_rate_limited_request(_request) ⇒ Object
132 133 134 |
# File 'lib/aikido/zen.rb', line 132 def self.track_rate_limited_request(_request) collector.track_rate_limited_request end |
.track_request(_request) ⇒ void
This method returns an undefined value.
Track statistics about an HTTP request the app is handling.
128 129 130 |
# File 'lib/aikido/zen.rb', line 128 def self.track_request(_request) collector.track_request end |
.track_scan(scan) ⇒ void
This method returns an undefined value.
Track statistics about the result of a Sink’s scan, and report it as an Attack if one is detected.
176 177 178 179 |
# File 'lib/aikido/zen.rb', line 176 def self.track_scan(scan) collector.track_scan(scan) agent.handle_attack(scan.attack) if scan.attack? end |
.track_user(user) ⇒ void Also known as: set_user
This method returns an undefined value.
Track the user making the current request.
185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 |
# File 'lib/aikido/zen.rb', line 185 def self.track_user(user) return if config.disabled? if (actor = Aikido::Zen::Actor(user)) collector.track_user(actor) current_context.request.actor = actor if current_context else config.logger.warn(format(<<~LOG, obj: user)) Incompatible object sent to track_user: %<obj>p The object must either implement #to_aikido_actor, or be a Hash with an :id (or "id") and, optionally, a :name (or "name") key. LOG end end |
.track_user_agent(user_agent_keys) ⇒ void
This method returns an undefined value.
Track monitored and blocked user agents.
141 142 143 |
# File 'lib/aikido/zen.rb', line 141 def self.track_user_agent(user_agent_keys) collector.track_user_agent(user_agent_keys) end |