Class: Aikido::Zen::Config

Inherits:

Object

• Object
• Aikido::Zen::Config

Defined in:

lib/aikido/zen/config.rb

Instance Attribute Summary

• #api_endpoint ⇒ URI

  The HTTP host for the Aikido API.

• #api_schema_collection_max_depth ⇒ Integer private

  Max number of levels deep we want to read a nested strcture for performance reasons.

• #api_schema_collection_max_properties ⇒ Integer private

  Max number of properties that we want to inspect per level of the structure for performance reasons.

• #api_schema_max_samples ⇒ Integer

  Max number of requests we sample per endpoint when computing the schema.

• #api_timeouts ⇒ Hash

  HTTP timeouts for communicating with the API.

• #api_token ⇒ String

  The token obtained when configuring the Firewall in the Aikido interface.

• #attack_wave_max_cache_entries ⇒ Integer

  The maximum number of entries in the LRU cache.

• #attack_wave_max_cache_samples ⇒ Integer

  The maximum number of samples in the LRU cache.

• #attack_wave_min_time_between_events ⇒ Integer

  The minimum time in milliseconds between reporting attack wave events.

• #attack_wave_min_time_between_requests ⇒ Integer

  The minimum time in milliseconds between requests for requests to be part of an attack wave.

• #attack_wave_threshold ⇒ Integer

  How many suspicious requests are allowed before an attack wave detected event is reported.

• #blocked_responder ⇒ Proc{(Aikido::Zen::Request, Symbol, reason: String=nil) => Array(Integer, Hash, #each)}

  Rack handler used to respond to requests from IPs, users or others blocked in the Aikido dashboard.

• #blocking_mode ⇒ Boolean (also: #blocking_mode?)

  Whether Aikido should only report infractions or block the request by raising an Exception.

• #client_ip_header ⇒ String

  Environment specific HTTP header providing the client IP.

• #client_rate_limit_max_events ⇒ Integer private

  Max number of events sent during a sliding #client_rate_limit_period window.

• #client_rate_limit_period ⇒ Integer private

  Number of seconds to perform client-side rate limiting of events sent to the server.

• #collect_api_schema ⇒ Boolean (also: #collect_api_schema?)

  Whether Aikido Zen should collect api schemas.

• #debugging ⇒ Boolean (also: #debugging?)

  Is the agent in debugging mode?.

• #detached_agent_socket_path ⇒ String

  By default, the socket file is created in the current working directory.

• #disabled ⇒ Boolean (also: #disabled?)

  Whether Aikido should be turned completely off (no intercepting calls to protect the app, no agent process running, no middleware installed).

• #harden ⇒ Boolean (also: #harden?)

  Whether Aikido Zen should harden methods where possible.

• #imds_allowed_hosts ⇒ Array<String>

  When checking for stored SSRF attacks, we want to allow known hosts that should be able to resolve to the IMDS service.

• #initial_heartbeat_delays ⇒ Array<Integer>

  The delays in seconds to wait before sending each initial heartbeat event.

• #insert_middleware_after ⇒ Class, ...

  The Rack middleware class or index after which the Zen middleware should be inserted.

• #json_decoder ⇒ #call

  Callable that can be passed a JSON string and parses it into an Object.

• #json_encoder ⇒ #call

  Callable that can be passed an Object and returns a String of JSON.

• #logger ⇒ Logger
• #max_compressed_stats ⇒ Integer

  Maximum number of compressed performance samples to keep in memory.

• #max_outbound_connections ⇒ Integer

  Maximum number of connections to outbound hosts to keep in memory in order to report them in the next heartbeat event.

• #max_performance_samples ⇒ Integer

  Maximum number of timing measurements to keep in memory before compressing them.

• #max_users_tracked ⇒ Integer

  Maximum number of users tracked via Zen.track_user to share with the Aikido servers on the next heartbeat event.

• #polling_interval ⇒ Integer

  The interval in seconds to poll the runtime API for settings changes.

• #rate_limited_responder ⇒ Proc{Aikido::Zen::Request => Array(Integer, Hash, #each)}

  Rack handler used to respond to requests that have been rate limited.

• #rate_limiting_discriminator ⇒ Proc{Aikido::Zen::Request => String}

  A proc that reads information off the current request and returns a String to differentiate different clients.

• #realtime_endpoint ⇒ URI

  The HTTP host for the Aikido Runtime API.

• #request_builder ⇒ Proc<Hash => Aikido::Zen::Context> private

  Callable that takes a Rack-compatible env Hash and returns a Context object with an HTTP request.

• #server_rate_limit_deadline ⇒ Integer private

  Number of seconds to wait before sending an event after the server returns a 429 response.

• #stored_ssrf ⇒ Boolean (also: #stored_ssrf?)

  Whether Aikido Zen should scan for stored SSSRF attacks.

Instance Method Summary

• #api_token_hash ⇒ Object
• #detached_agent_socket_uri ⇒ Object
• #expanded_detached_agent_socket_path ⇒ Object
• #expanded_detached_agent_socket_uri ⇒ Object
• #initialize ⇒ Config constructor

  A new instance of Config.

Constructor Details

#initialize ⇒ Config

Returns a new instance of Config.

# File 'lib/aikido/zen/config.rb', line 191

def initialize
  self.insert_middleware_after = ::ActionDispatch::RemoteIp
  self.disabled = read_boolean_from_env(ENV.fetch("AIKIDO_DISABLE", false)) || read_boolean_from_env(ENV.fetch("AIKIDO_DISABLED", false))
  self.blocking_mode = read_boolean_from_env(ENV.fetch("AIKIDO_BLOCK", false))
  self.api_timeouts = 10
  self.api_endpoint = ENV.fetch("AIKIDO_ENDPOINT", DEFAULT_AIKIDO_ENDPOINT)
  self.realtime_endpoint = ENV.fetch("AIKIDO_REALTIME_ENDPOINT", DEFAULT_RUNTIME_BASE_URL)
  self.api_token = ENV.fetch("AIKIDO_TOKEN", nil)
  self.polling_interval = 60 # 1 min
  self.initial_heartbeat_delays = [30, 60 * 2] # 30 sec, 2 min
  self.json_encoder = DEFAULT_JSON_ENCODER
  self.json_decoder = DEFAULT_JSON_DECODER
  self.debugging = read_boolean_from_env(ENV.fetch("AIKIDO_DEBUG", false))
  self.logger = Logger.new($stdout, progname: "aikido", level: debugging ? Logger::DEBUG : Logger::INFO)
  self.detached_agent_socket_path = ENV.fetch("AIKIDO_DETACHED_AGENT_SOCKET_PATH", DEFAULT_DETACHED_AGENT_SOCKET_PATH)
  self.client_ip_header = ENV.fetch("AIKIDO_CLIENT_IP_HEADER", nil)
  self.max_performance_samples = 5000
  self.max_compressed_stats = 100
  self.max_outbound_connections = 200
  self.max_users_tracked = 1000
  self.request_builder = Aikido::Zen::Context::RACK_REQUEST_BUILDER
  self.blocked_responder = DEFAULT_BLOCKED_RESPONDER
  self.rate_limited_responder = DEFAULT_RATE_LIMITED_RESPONDER
  self.rate_limiting_discriminator = DEFAULT_RATE_LIMITING_DISCRIMINATOR
  self.server_rate_limit_deadline = 30 * 60 # 30 min
  self.client_rate_limit_period = 60 * 60 # 1 hour
  self.client_rate_limit_max_events = 100
  self.collect_api_schema = read_boolean_from_env(ENV.fetch("AIKIDO_FEATURE_COLLECT_API_SCHEMA", true))
  self.api_schema_max_samples = Integer(ENV.fetch("AIKIDO_MAX_API_DISCOVERY_SAMPLES", 10))
  self.api_schema_collection_max_depth = 20
  self.api_schema_collection_max_properties = 20
  self.stored_ssrf = read_boolean_from_env(ENV.fetch("AIKIDO_FEATURE_STORED_SSRF", true))
  self.imds_allowed_hosts = ["metadata.google.internal", "metadata.goog"]
  self.harden = read_boolean_from_env(ENV.fetch("AIKIDO_HARDEN", true))
  self.attack_wave_threshold = 15
  self.attack_wave_min_time_between_requests = 60 * 1000 # 1 min (ms)
  self.attack_wave_min_time_between_events = 20 * 60 * 1000 # 20 min (ms)
  self.attack_wave_max_cache_entries = 10_000
  self.attack_wave_max_cache_samples = 15
end

Instance Attribute Details

#api_endpoint ⇒ URI

Returns The HTTP host for the Aikido API. Defaults to https://guard.aikido.dev.

Returns:

• (URI) —

  The HTTP host for the Aikido API. Defaults to https://guard.aikido.dev.

# File 'lib/aikido/zen/config.rb', line 33

def api_endpoint
  @api_endpoint
end

#api_schema_collection_max_depth ⇒ Integer

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns max number of levels deep we want to read a nested strcture for performance reasons.

Returns:

• (Integer) —

  max number of levels deep we want to read a nested strcture for performance reasons.

# File 'lib/aikido/zen/config.rb', line 125

def api_schema_collection_max_depth
  @api_schema_collection_max_depth
end

#api_schema_collection_max_properties ⇒ Integer

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns max number of properties that we want to inspect per level of the structure for performance reasons.

Returns:

• (Integer) —

  max number of properties that we want to inspect per level of the structure for performance reasons.

# File 'lib/aikido/zen/config.rb', line 130

def api_schema_collection_max_properties
  @api_schema_collection_max_properties
end

#api_schema_max_samples ⇒ Integer

Returns max number of requests we sample per endpoint when computing the schema.

Returns:

• (Integer) —

  max number of requests we sample per endpoint when computing the schema.

# File 'lib/aikido/zen/config.rb', line 120

def api_schema_max_samples
  @api_schema_max_samples
end

#api_timeouts ⇒ Hash

Returns HTTP timeouts for communicating with the API.

Returns:

• (Hash) —

  HTTP timeouts for communicating with the API.

# File 'lib/aikido/zen/config.rb', line 40

def api_timeouts
  @api_timeouts
end

#api_token ⇒ String

Returns the token obtained when configuring the Firewall in the Aikido interface.

Returns:

• (String) —

  the token obtained when configuring the Firewall in the Aikido interface.

# File 'lib/aikido/zen/config.rb', line 44

def api_token
  @api_token
end

#attack_wave_max_cache_entries ⇒ Integer

Returns the maximum number of entries in the LRU cache. Defaults to 10,000 entries.

Returns:

• (Integer) —

  the maximum number of entries in the LRU cache. Defaults to 10,000 entries.

# File 'lib/aikido/zen/config.rb', line 185

def attack_wave_max_cache_entries
  @attack_wave_max_cache_entries
end

#attack_wave_max_cache_samples ⇒ Integer

Returns the maximum number of samples in the LRU cache. Defaults to 15 entries.

Returns:

• (Integer) —

  the maximum number of samples in the LRU cache. Defaults to 15 entries.

# File 'lib/aikido/zen/config.rb', line 189

def attack_wave_max_cache_samples
  @attack_wave_max_cache_samples
end

#attack_wave_min_time_between_events ⇒ Integer

Returns the minimum time in milliseconds between reporting attack wave events. Defaults to 20 minutes in milliseconds.

Returns:

• (Integer) —

  the minimum time in milliseconds between reporting attack wave events. Defaults to 20 minutes in milliseconds.

# File 'lib/aikido/zen/config.rb', line 181

def attack_wave_min_time_between_events
  @attack_wave_min_time_between_events
end

#attack_wave_min_time_between_requests ⇒ Integer

Returns the minimum time in milliseconds between requests for requests to be part of an attack wave. Defaults to 1 minute in milliseconds.

Returns:

• (Integer) —

  the minimum time in milliseconds between requests for requests to be part of an attack wave. Defaults to 1 minute in milliseconds.

# File 'lib/aikido/zen/config.rb', line 176

def attack_wave_min_time_between_requests
  @attack_wave_min_time_between_requests
end

#attack_wave_threshold ⇒ Integer

Returns how many suspicious requests are allowed before an attack wave detected event is reported. Defaults to 15 requests.

Returns:

• (Integer) —

  how many suspicious requests are allowed before an attack wave detected event is reported. Defaults to 15 requests.

# File 'lib/aikido/zen/config.rb', line 171

def attack_wave_threshold
  @attack_wave_threshold
end

#blocked_responder ⇒ Proc{(Aikido::Zen::Request, Symbol, reason: String=nil) => Array(Integer, Hash, #each)}

Returns Rack handler used to respond to requests from IPs, users or others blocked in the Aikido dashboard.

Returns:

• (Proc{(Aikido::Zen::Request, Symbol, reason: String=nil) => Array(Integer, Hash, #each)}) —

  Rack handler used to respond to requests from IPs, users or others blocked in the Aikido dashboard.

# File 'lib/aikido/zen/config.rb', line 101

def blocked_responder
  @blocked_responder
end

#blocking_mode ⇒ Boolean Also known as: blocking_mode?

Returns whether Aikido should only report infractions or block the request by raising an Exception. Defaults to whether AIKIDO_BLOCK is set to a non-empty value in your environment, or false otherwise.

Returns:

• (Boolean) —

  whether Aikido should only report infractions or block the request by raising an Exception. Defaults to whether AIKIDO_BLOCK is set to a non-empty value in your environment, or false otherwise.

# File 'lib/aikido/zen/config.rb', line 28

def blocking_mode
  @blocking_mode
end

#client_ip_header ⇒ String

Returns environment specific HTTP header providing the client IP.

Returns:

• (String) —

  environment specific HTTP header providing the client IP.

# File 'lib/aikido/zen/config.rb', line 75

def client_ip_header
  @client_ip_header
end

#client_rate_limit_max_events ⇒ Integer

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns max number of events sent during a sliding #client_rate_limit_period window.

Returns:

• (Integer) —

  max number of events sent during a sliding #client_rate_limit_period window.

# File 'lib/aikido/zen/config.rb', line 146

def client_rate_limit_max_events
  @client_rate_limit_max_events
end

#client_rate_limit_period ⇒ Integer

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns number of seconds to perform client-side rate limiting of events sent to the server.

Returns:

• (Integer) —

  number of seconds to perform client-side rate limiting of events sent to the server.

# File 'lib/aikido/zen/config.rb', line 141

def client_rate_limit_period
  @client_rate_limit_period
end

#collect_api_schema ⇒ Boolean Also known as: collect_api_schema?

Returns whether Aikido Zen should collect api schemas. Defaults to true. Can be set through AIKIDO_FEATURE_COLLECT_API_SCHEMA environment variable.

Returns:

• (Boolean) —

  whether Aikido Zen should collect api schemas. Defaults to true. Can be set through AIKIDO_FEATURE_COLLECT_API_SCHEMA environment variable.

# File 'lib/aikido/zen/config.rb', line 115

def collect_api_schema
  @collect_api_schema
end

#debugging ⇒ Boolean Also known as: debugging?

Returns is the agent in debugging mode?.

Returns:

• (Boolean) —

  is the agent in debugging mode?

# File 'lib/aikido/zen/config.rb', line 71

def debugging
  @debugging
end

#detached_agent_socket_path ⇒ String

By default, the socket file is created in the current working directory. Defaults to ‘aikido-detached-agent.sock`.

Returns:

• (String) —

  Path of the socket where the detached agent will listen.

# File 'lib/aikido/zen/config.rb', line 68

def detached_agent_socket_path
  @detached_agent_socket_path
end

#disabled ⇒ Boolean Also known as: disabled?

Returns whether Aikido should be turned completely off (no intercepting calls to protect the app, no agent process running, no middleware installed). Defaults to false (so, enabled). Can be set via the AIKIDO_DISABLE environment variable.

Returns:

• (Boolean) —

  whether Aikido should be turned completely off (no intercepting calls to protect the app, no agent process running, no middleware installed). Defaults to false (so, enabled). Can be set via the AIKIDO_DISABLE environment variable.

# File 'lib/aikido/zen/config.rb', line 22

def disabled
  @disabled
end

#harden ⇒ Boolean Also known as: harden?

Returns whether Aikido Zen should harden methods where possible. Defaults to true. Can be set through AIKIDO_HARDEN environment variable.

Returns:

• (Boolean) —

  whether Aikido Zen should harden methods where possible. Defaults to true. Can be set through AIKIDO_HARDEN environment variable.

# File 'lib/aikido/zen/config.rb', line 165

def harden
  @harden
end

#imds_allowed_hosts ⇒ Array<String>

Returns when checking for stored SSRF attacks, we want to allow known hosts that should be able to resolve to the IMDS service.

Returns:

• (Array<String>) —

  when checking for stored SSRF attacks, we want to allow known hosts that should be able to resolve to the IMDS service.

# File 'lib/aikido/zen/config.rb', line 161

def imds_allowed_hosts
  @imds_allowed_hosts
end

#initial_heartbeat_delays ⇒ Array<Integer>

Returns the delays in seconds to wait before sending each initial heartbeat event.

Returns:

• (Array<Integer>) —

  the delays in seconds to wait before sending each initial heartbeat event.

# File 'lib/aikido/zen/config.rb', line 52

def initial_heartbeat_delays
  @initial_heartbeat_delays
end

#insert_middleware_after ⇒ Class, ...

Returns The Rack middleware class or index after which the Zen middleware should be inserted. When set to nil, the middleware is inserted before the first middleware in the then-current middleware stack. Defaults to ::ActionDispatch::RemoteIp.

Returns:

• (Class, Integer, nil) —

  The Rack middleware class or index after which the Zen middleware should be inserted. When set to nil, the middleware is inserted before the first middleware in the then-current middleware stack. Defaults to ::ActionDispatch::RemoteIp.

# File 'lib/aikido/zen/config.rb', line 16

def insert_middleware_after
  @insert_middleware_after
end

#json_decoder ⇒ #call

Returns Callable that can be passed a JSON string and parses it into an Object. Defaults to the standard library’s JSON.parse method.

Returns:

• (#call) —

  Callable that can be passed a JSON string and parses it into an Object. Defaults to the standard library’s JSON.parse method.

# File 'lib/aikido/zen/config.rb', line 60

def json_decoder
  @json_decoder
end

#json_encoder ⇒ #call

Returns Callable that can be passed an Object and returns a String of JSON. Defaults to the standard library’s JSON.dump method.

Returns:

• (#call) —

  Callable that can be passed an Object and returns a String of JSON. Defaults to the standard library’s JSON.dump method.

# File 'lib/aikido/zen/config.rb', line 56

def json_encoder
  @json_encoder
end

#logger ⇒ Logger

Returns:

• (Logger)

# File 'lib/aikido/zen/config.rb', line 63

def logger
  @logger
end

#max_compressed_stats ⇒ Integer

Returns maximum number of compressed performance samples to keep in memory. If we take more than this before reporting them to Aikido, we will discard the oldest samples.

Returns:

• (Integer) —

  maximum number of compressed performance samples to keep in memory. If we take more than this before reporting them to Aikido, we will discard the oldest samples.

# File 'lib/aikido/zen/config.rb', line 84

def max_compressed_stats
  @max_compressed_stats
end

#max_outbound_connections ⇒ Integer

Returns maximum number of connections to outbound hosts to keep in memory in order to report them in the next heartbeat event. If new connections are added to the set before reporting them to Aikido, we will discard the oldest data point.

Returns:

• (Integer) —

  maximum number of connections to outbound hosts to keep in memory in order to report them in the next heartbeat event. If new connections are added to the set before reporting them to Aikido, we will discard the oldest data point.

# File 'lib/aikido/zen/config.rb', line 90

def max_outbound_connections
  @max_outbound_connections
end

#max_performance_samples ⇒ Integer

Returns maximum number of timing measurements to keep in memory before compressing them.

Returns:

• (Integer) —

  maximum number of timing measurements to keep in memory before compressing them.

# File 'lib/aikido/zen/config.rb', line 79

def max_performance_samples
  @max_performance_samples
end

#max_users_tracked ⇒ Integer

Returns maximum number of users tracked via Zen.track_user to share with the Aikido servers on the next heartbeat event. If more unique users (by their ID) are tracked than this number, we will discard the oldest seen users.

Returns:

• (Integer) —

  maximum number of users tracked via Zen.track_user to share with the Aikido servers on the next heartbeat event. If more unique users (by their ID) are tracked than this number, we will discard the oldest seen users.

# File 'lib/aikido/zen/config.rb', line 96

def max_users_tracked
  @max_users_tracked
end

#polling_interval ⇒ Integer

Returns the interval in seconds to poll the runtime API for settings changes. Defaults to evey 60 seconds.

Returns:

• (Integer) —

  the interval in seconds to poll the runtime API for settings changes. Defaults to evey 60 seconds.

# File 'lib/aikido/zen/config.rb', line 48

def polling_interval
  @polling_interval
end

#rate_limited_responder ⇒ Proc{Aikido::Zen::Request => Array(Integer, Hash, #each)}

Returns Rack handler used to respond to requests that have been rate limited.

Returns:

• (Proc{Aikido::Zen::Request => Array(Integer, Hash, #each)}) —

  Rack handler used to respond to requests that have been rate limited.

# File 'lib/aikido/zen/config.rb', line 105

def rate_limited_responder
  @rate_limited_responder
end

#rate_limiting_discriminator ⇒ Proc{Aikido::Zen::Request => String}

Returns a proc that reads information off the current request and returns a String to differentiate different clients. By default this uses the request IP.

Returns:

• (Proc{Aikido::Zen::Request => String}) —

  a proc that reads information off the current request and returns a String to differentiate different clients. By default this uses the request IP.

# File 'lib/aikido/zen/config.rb', line 110

def rate_limiting_discriminator
  @rate_limiting_discriminator
end

#realtime_endpoint ⇒ URI

Returns The HTTP host for the Aikido Runtime API. Defaults to https://runtime.aikido.dev.

Returns:

• (URI) —

  The HTTP host for the Aikido Runtime API. Defaults to https://runtime.aikido.dev.

# File 'lib/aikido/zen/config.rb', line 37

def realtime_endpoint
  @realtime_endpoint
end

#request_builder ⇒ Proc<Hash => Aikido::Zen::Context>

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns callable that takes a Rack-compatible env Hash and returns a Context object with an HTTP request. This is meant to be overridden by each framework adapter.

Returns:

• (Proc<Hash => Aikido::Zen::Context>) —

  callable that takes a Rack-compatible env Hash and returns a Context object with an HTTP request. This is meant to be overridden by each framework adapter.

# File 'lib/aikido/zen/config.rb', line 136

def request_builder
  @request_builder
end

#server_rate_limit_deadline ⇒ Integer

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns number of seconds to wait before sending an event after the server returns a 429 response.

Returns:

• (Integer) —

  number of seconds to wait before sending an event after the server returns a 429 response.

# File 'lib/aikido/zen/config.rb', line 151

def server_rate_limit_deadline
  @server_rate_limit_deadline
end

#stored_ssrf ⇒ Boolean Also known as: stored_ssrf?

Returns whether Aikido Zen should scan for stored SSSRF attacks. Defaults to true. Can be set through AIKIDO_FEATURE_STORED_SSRF environment variable.

Returns:

• (Boolean) —

  whether Aikido Zen should scan for stored SSSRF attacks. Defaults to true. Can be set through AIKIDO_FEATURE_STORED_SSRF environment variable.

# File 'lib/aikido/zen/config.rb', line 156

def stored_ssrf
  @stored_ssrf
end

Instance Method Details

#api_token_hash ⇒ Object

# File 'lib/aikido/zen/config.rb', line 272

def api_token_hash
  return unless api_token

  @api_token_hash ||= Digest::SHA1.hexdigest(api_token)[0, 7]
end

#detached_agent_socket_uri ⇒ Object

# File 'lib/aikido/zen/config.rb', line 278

def detached_agent_socket_uri
  "drbunix:" + @detached_agent_socket_path
end

#expanded_detached_agent_socket_path ⇒ Object

# File 'lib/aikido/zen/config.rb', line 282

def expanded_detached_agent_socket_path
  @exanded_detached_agent_path ||= expand_socket_path(detached_agent_socket_path)
end

#expanded_detached_agent_socket_uri ⇒ Object

# File 'lib/aikido/zen/config.rb', line 286

def expanded_detached_agent_socket_uri
  @exanded_detached_agent_uri ||= expand_socket_path(detached_agent_socket_uri)
end