Class: Aikido::Zen::Agent
- Inherits: Object (Object → Aikido::Zen::Agent)
- Defined in: lib/aikido/zen/agent.rb
Overview
Handles the background processes that communicate with the Aikido servers, including managing the runtime settings that keep the app protected.
Defined Under Namespace
Classes: HeartbeatsManager
Class Method Summary
- .start(**opts) ⇒ Aikido::Zen::Agent
  Initialize and start an agent instance.
Instance Method Summary
- #handle_attack(attack) ⇒ void
  Given an Attack, report it to the Aikido server, and/or block the request depending on configuration.
- #initialize(config: Aikido::Zen.config, collector: Aikido::Zen.collector, detached_agent: Aikido::Zen.detached_agent, worker: Aikido::Zen::Worker.new(config: config), api_client: Aikido::Zen::APIClient.new(config: config), api_stream: Aikido::Zen::APIStream.new(config: config)) ⇒ Agent (constructor)
  A new instance of Agent.
- #poll_for_setting_updates ⇒ void (private)
  Sets up the timer task that polls the Aikido Runtime API for updates to the runtime settings every minute.
- #report(event) {|response| ... } ⇒ void
  Asynchronously reports an Event of any kind to the Aikido dashboard.
- #send_heartbeat(at: Time.now.utc) ⇒ void (private)
  Atomically flushes all the stats stored by the agent, and sends a heartbeat event.
- #start! ⇒ Object
- #started? ⇒ Boolean
- #stop! ⇒ void
  Clean up any ongoing threads, and reset the state.
- #updated_settings! ⇒ void
  Respond to the runtime settings changing after being fetched from the Aikido servers.
Constructor Details
#initialize(config: Aikido::Zen.config, collector: Aikido::Zen.collector, detached_agent: Aikido::Zen.detached_agent, worker: Aikido::Zen::Worker.new(config: config), api_client: Aikido::Zen::APIClient.new(config: config), api_stream: Aikido::Zen::APIStream.new(config: config)) ⇒ Agent
Returns a new instance of Agent.
    # File 'lib/aikido/zen/agent.rb', line 19
    def initialize(
      config: Aikido::Zen.config,
      collector: Aikido::Zen.collector,
      detached_agent: Aikido::Zen.detached_agent,
      worker: Aikido::Zen::Worker.new(config: config),
      api_client: Aikido::Zen::APIClient.new(config: config),
      api_stream: Aikido::Zen::APIStream.new(config: config)
    )
      @config = config
      @collector = collector
      @detached_agent = detached_agent
      @worker = worker
      @api_client = api_client
      @api_stream = api_stream

      @started_at = nil

      @runtime_config_update_mutex = Mutex.new
      @runtime_firewall_lists_update_mutex = Mutex.new
    end
Class Method Details
.start(**opts) ⇒ Aikido::Zen::Agent
Initialize and start an agent instance.
    # File 'lib/aikido/zen/agent.rb', line 15
    def self.start(**opts)
      new(**opts).tap(&:start!)
    end
Instance Method Details
#handle_attack(attack) ⇒ void
This method returns an undefined value.
Given an Attack, report it to the Aikido server, and/or block the request depending on configuration.
    # File 'lib/aikido/zen/agent.rb', line 137
    def handle_attack(attack)
      attack.will_be_blocked! if Aikido::Zen.blocking_mode?

      @config.logger.error(
        format("Zen has %s a %s: %s", attack.blocked? ? "blocked" : "detected", attack.humanized_name, attack.as_json.to_json)
      )
      report(Events::Attack.new(attack: attack)) if @api_client.can_make_requests?

      @collector.track_attack(attack)
      raise attack if attack.blocked?
    end
#poll_for_setting_updates ⇒ void
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
This method returns an undefined value.
Sets up the timer task that polls the Aikido Runtime API for updates to the runtime settings every minute.
    # File 'lib/aikido/zen/agent.rb', line 197
    def poll_for_setting_updates
      @worker.every(@config.polling_interval) do
        if @api_client.should_fetch_settings?
          if update_settings_from_runtime_config!(@api_client.fetch_runtime_config)
            updated_settings!
            @config.logger.info("Updated runtime settings after polling")
          end

          update_settings_from_runtime_firewall_lists!(@api_client.fetch_runtime_firewall_lists)
          @config.logger.info("Updated runtime firewall list after polling")
        end
      end
    end
#report(event) {|response| ... } ⇒ void
This method returns an undefined value.
Asynchronously reports an Event of any kind to the Aikido dashboard. If given a block, the API response will be passed to the block for handling.
    # File 'lib/aikido/zen/agent.rb', line 157
    def report(event)
      @worker.perform do
        response = @api_client.report(event)
        yield response if response && block_given?
      rescue Aikido::Zen::APIError, Aikido::Zen::NetworkError => err
        @config.logger.error(err.message)
      end
    end
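The control flow of #handle_attack and #report above can be checked with injected doubles. This is an added example, not code from the aikido-zen gem. Every class in it is a constructed stand-in, the worker runs jobs inline rather than asynchronously, and IOError stands in for the gem's API and network errors. It shows that a failed report is logged without stopping the attack from being tracked and, in blocking mode, raised:

```ruby
require "logger"
require "stringio"

# Stand-ins below are constructed for this example; none are the gem's classes.
class SampleAttack < StandardError # an exception that knows if it will be blocked
  def will_be_blocked!; @blocked = true; end
  def blocked?; @blocked == true; end
end
class InlineWorker; def perform; yield; end; end # runs the job immediately
class DownApiClient # reporting API that is always unreachable
  def can_make_requests?; true; end
  def report(_event); raise IOError, "connection refused (constructed)"; end
end
Collector = Struct.new(:attacks) { def track_attack(a); attacks << a; end }

# Follows the order of operations in #handle_attack and #report above.
class ModelAgent
  def initialize(blocking:, collector:, logger:)
    @blocking, @collector, @logger = blocking, collector, logger
    @worker, @api_client = InlineWorker.new, DownApiClient.new
  end

  def handle_attack(attack)
    attack.will_be_blocked! if @blocking
    @logger.error(format("Zen has %s an attack", attack.blocked? ? "blocked" : "detected"))
    report(attack) if @api_client.can_make_requests?
    @collector.track_attack(attack)
    raise attack if attack.blocked?
  end

  def report(event)
    @worker.perform do
      @api_client.report(event)
    rescue IOError => err # reporting failure is logged, not re-raised
      @logger.error(err.message)
    end
  end
end

# Returns what the caller saw, how many attacks were tracked, and the log text.
def run_scenario(blocking:)
  log, collector = StringIO.new, Collector.new([])
  agent = ModelAgent.new(blocking: blocking, collector: collector, logger: Logger.new(log))
  agent.handle_attack(SampleAttack.new("constructed sample"))
  {outcome: :passed_through, tracked: collector.attacks.size, log: log.string}
rescue SampleAttack
  {outcome: :blocked, tracked: collector.attacks.size, log: log.string}
end
```

Calling run_scenario(blocking: true) yields outcome :blocked, while run_scenario(blocking: false) yields :passed_through; both track one attack and log the reporting failure.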
#send_heartbeat(at: Time.now.utc) ⇒ void
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
This method returns an undefined value.
Atomically flushes all the stats stored by the agent, and sends a heartbeat event. Scheduled to run automatically on a recurring schedule when reporting is enabled.
    # File 'lib/aikido/zen/agent.rb', line 175
    def send_heartbeat(at: Time.now.utc)
      return unless @api_client.can_make_requests?

      heartbeat = @collector.flush
      report(heartbeat) do |response|
        if update_settings_from_runtime_config!(response)
          updated_settings!
          @config.logger.info("Updated runtime settings after heartbeat")

          update_settings_from_runtime_firewall_lists!(@api_client.fetch_runtime_firewall_lists)
          @config.logger.info("Updated runtime firewall list after heartbeat")
        end
      end
    end
#start! ⇒ Object
    # File 'lib/aikido/zen/agent.rb', line 44
    def start!
      @config.logger.info("Starting Aikido agent v#{Aikido::Zen::VERSION}")

      raise Aikido::ZenError, "Aikido Agent already started!" if started?

      @started_at = Time.now.utc
      @collector.start(at: @started_at)

      if Aikido::Zen.blocking_mode?
        @config.logger.info("Requests identified as attacks will be blocked")
      else
        @config.logger.warn("Non-blocking mode enabled! No requests will be blocked")
      end

      if @api_client.can_make_requests?
        @config.logger.info("API Token set! Reporting has been enabled")
      else
        @config.logger.warn("No API Token set! Reporting has been disabled")
        return
      end

      at_exit { stop! if started? }

      report(Events::Started.new(time: @started_at)) do |response|
        if update_settings_from_runtime_config!(response)
          updated_settings!
          @config.logger.info("Updated runtime settings")
        end
      rescue => err
        @config.logger.error(err.message)
      end

      begin
        update_settings_from_runtime_firewall_lists!(@api_client.fetch_runtime_firewall_lists)
        @config.logger.info("Updated runtime firewall list")
      rescue => err
        @config.logger.error(err.message)
      end

      if @config.realtime_settings_updates_enabled?
        if @api_stream.can_connect?
          @api_stream.handle("config-updated") { |event| settings_updated(event) }
          @api_stream.start!

          # Use the realtime setting updates endpoint when polling to check
          # whether settings should be fetched.
          @api_client.should_fetch_settings_endpoint = @config.realtime_settings_updates_endpoint
        else
          @config.logger.warn("Can't reach #{Aikido::Zen.config.realtime_settings_updates_endpoint}, make sure it's in your outbound firewall allowlist. Realtime config updates won't be available, switched to polling.")
        end
      end

      poll_for_setting_updates

      @config.initial_heartbeat_delays.each do |heartbeat_delay|
        @worker.delay(heartbeat_delay) do
          send_heartbeat
          @config.logger.info("Executed initial heartbeat after #{heartbeat_delay} seconds")
        end
      end
    end
#started? ⇒ Boolean
    # File 'lib/aikido/zen/agent.rb', line 40
    def started?
      !!@started_at
    end
#stop! ⇒ void
This method returns an undefined value.
Clean up any ongoing threads, and reset the state. Called automatically when the process exits.
    # File 'lib/aikido/zen/agent.rb', line 109
    def stop!
      @config.logger.info("Stopping Aikido agent")
      @started_at = nil
      @worker.shutdown
      @api_stream.stop!
    end
#updated_settings! ⇒ void
This method returns an undefined value.
Respond to the runtime settings changing after being fetched from the Aikido servers.
    # File 'lib/aikido/zen/agent.rb', line 121
    def updated_settings!
      if !heartbeats.running?
        heartbeats.start { send_heartbeat }
      elsif heartbeats.stale_settings?
        heartbeats.restart { send_heartbeat }
      end
    end