Class: Aikido::Zen::RuntimeSettings

Inherits:

Struct

• Object
• Struct
• Aikido::Zen::RuntimeSettings

Defined in:

lib/aikido/zen/runtime_settings.rb

Overview

Stores the firewall configuration sourced from the Aikido dashboard. This object is updated by the Agent regularly.

Because the RuntimeSettings object can be modified in runtime, it implements the Observable API, allowing you to subscribe to updates. These are triggered whenever #update_from_runtime_settings_json makes a change (i.e. if the settings don't change, no update is triggered).

You can subscribe to changes with #add_observer(object, func_name), which will call the function passing the settings as an argument

Defined Under Namespace

Classes: DomainSettings, Domains, Endpoints, IPList, IPSet, ProtectionSettings, RateLimitSettings

Instance Attribute Summary

• #allowed_ip_lists ⇒ Array<Aikido::Zen::RuntimeSettings::IPList>
• #block_new_outbound ⇒ Boolean
• #blocked_ip_lists ⇒ Array<Aikido::Zen::RuntimeSettings::IPList>
• #blocked_user_agent_regexp ⇒ Regexp
• #blocked_user_ids ⇒ Array
• #blocking_mode ⇒ Boolean
• #bypassed_ips ⇒ Aikido::Zen::RuntimeSettings::IPSet
• #domains ⇒ Array<Aikido::Zen::RuntimeSettings::DomainSettings>
• #endpoints ⇒ Aikido::Zen::RuntimeSettings::Endpoints
• #excluded_user_ids_from_rate_limiting ⇒ Array<String>^?

  The user IDs that should be skipped from rate limiting entirely.

• #heartbeat_interval ⇒ Integer

  Duration in seconds between heartbeat requests to the Aikido server.

• #monitored_ip_lists ⇒ Array<Aikido::Zen::RuntimeSettings::IPList>
• #monitored_user_agent_regexp ⇒ Regexp
• #received_any_stats ⇒ Boolean

  Whether the Aikido server has received any data from this application.

• #updated_at ⇒ Time

  When these settings were updated in the Aikido dashboard.

• #user_agent_details ⇒ Regexp

Instance Method Summary

• #allowed_ip?(ip) ⇒ Boolean
• #block_outbound?(connection) ⇒ Boolean
• #blocked_ip?(ip) ⇒ Boolean
• #blocked_user_agent?(user_agent) ⇒ Boolean

  Whether the user agent should be blocked.

• #bypassed_ip?(ip) ⇒ Boolean

  Whether the IP is included in the bypassed IPs set.

• #initialize ⇒ RuntimeSettings constructor

  A new instance of RuntimeSettings.

• #monitored_ip?(ip) ⇒ Boolean
• #monitored_ip_list_keys(ip) ⇒ Object
• #monitored_user_agent?(user_agent) ⇒ Boolean

  Whether the user agent should be monitored.

• #update_from_runtime_config_json(data) ⇒ Boolean

  Parse and interpret the JSON response from the core API with updated runtime settings, and apply the changes.

• #update_from_runtime_firewall_lists_json(data) ⇒ Boolean

  Parse and interpret the JSON response from the core API with updated runtime firewall lists, and apply the changes.

• #user_agent_keys(user_agent) ⇒ Array<String>

  The matching user agent keys.

• #user_excluded_from_rate_limiting?(user_id) ⇒ Boolean

  Whether the user is excluded from rate limiting.

Constructor Details

#initialize ⇒ RuntimeSettings

Returns a new instance of RuntimeSettings.

# File 'lib/aikido/zen/runtime_settings.rb', line 15

def initialize(*)
  super
  self.endpoints ||= RuntimeSettings::Endpoints.new
  self.bypassed_ips ||= RuntimeSettings::IPSet.new
  self.blocked_ip_lists ||= []
  self.allowed_ip_lists ||= []
  self.monitored_ip_lists ||= []
  self.domains ||= RuntimeSettings::Domains.new
end

Instance Attribute Details

#allowed_ip_lists ⇒ Array<Aikido::Zen::RuntimeSettings::IPList>

Returns:

• (Array<Aikido::Zen::RuntimeSettings::IPList>)

# File 'lib/aikido/zen/runtime_settings.rb', line 14

def allowed_ip_lists
  @allowed_ip_lists
end

#block_new_outbound ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/aikido/zen/runtime_settings.rb', line 14

def block_new_outbound
  @block_new_outbound
end

#blocked_ip_lists ⇒ Array<Aikido::Zen::RuntimeSettings::IPList>

Returns:

• (Array<Aikido::Zen::RuntimeSettings::IPList>)

# File 'lib/aikido/zen/runtime_settings.rb', line 14

def blocked_ip_lists
  @blocked_ip_lists
end

#blocked_user_agent_regexp ⇒ Regexp

Returns:

• (Regexp)

# File 'lib/aikido/zen/runtime_settings.rb', line 14

def blocked_user_agent_regexp
  @blocked_user_agent_regexp
end

#blocked_user_ids ⇒ Array

Returns:

• (Array)

# File 'lib/aikido/zen/runtime_settings.rb', line 14

def blocked_user_ids
  @blocked_user_ids
end

#blocking_mode ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/aikido/zen/runtime_settings.rb', line 14

def blocking_mode
  @blocking_mode
end

#bypassed_ips ⇒ Aikido::Zen::RuntimeSettings::IPSet

Returns:

• (Aikido::Zen::RuntimeSettings::IPSet)

# File 'lib/aikido/zen/runtime_settings.rb', line 14

def bypassed_ips
  @bypassed_ips
end

#domains ⇒ Array<Aikido::Zen::RuntimeSettings::DomainSettings>

Returns:

• (Array<Aikido::Zen::RuntimeSettings::DomainSettings>)

# File 'lib/aikido/zen/runtime_settings.rb', line 14

def domains
  @domains
end

#endpoints ⇒ Aikido::Zen::RuntimeSettings::Endpoints

Returns:

• (Aikido::Zen::RuntimeSettings::Endpoints)

# File 'lib/aikido/zen/runtime_settings.rb', line 14

def endpoints
  @endpoints
end

#excluded_user_ids_from_rate_limiting ⇒ Array<String>^?

Returns the user IDs that should be skipped from rate limiting entirely.

Returns:

• (Array<String>, nil) —

  the user IDs that should be skipped from rate limiting entirely.

# File 'lib/aikido/zen/runtime_settings.rb', line 14

def excluded_user_ids_from_rate_limiting
  @excluded_user_ids_from_rate_limiting
end

#heartbeat_interval ⇒ Integer

Returns duration in seconds between heartbeat requests to the Aikido server.

Returns:

• (Integer) —

  duration in seconds between heartbeat requests to the Aikido server.

# File 'lib/aikido/zen/runtime_settings.rb', line 14

def heartbeat_interval
  @heartbeat_interval
end

#monitored_ip_lists ⇒ Array<Aikido::Zen::RuntimeSettings::IPList>

Returns:

• (Array<Aikido::Zen::RuntimeSettings::IPList>)

# File 'lib/aikido/zen/runtime_settings.rb', line 14

def monitored_ip_lists
  @monitored_ip_lists
end

#monitored_user_agent_regexp ⇒ Regexp

Returns:

• (Regexp)

# File 'lib/aikido/zen/runtime_settings.rb', line 14

def monitored_user_agent_regexp
  @monitored_user_agent_regexp
end

#received_any_stats ⇒ Boolean

Returns whether the Aikido server has received any data from this application.

Returns:

• (Boolean) —

  whether the Aikido server has received any data from this application.

# File 'lib/aikido/zen/runtime_settings.rb', line 14

def received_any_stats
  @received_any_stats
end

#updated_at ⇒ Time

Returns when these settings were updated in the Aikido dashboard.

Returns:

• (Time) —

  when these settings were updated in the Aikido dashboard.

# File 'lib/aikido/zen/runtime_settings.rb', line 14

def updated_at
  @updated_at
end

#user_agent_details ⇒ Regexp

Returns:

• (Regexp)

# File 'lib/aikido/zen/runtime_settings.rb', line 14

def user_agent_details
  @user_agent_details
end

Instance Method Details

#allowed_ip?(ip) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/aikido/zen/runtime_settings.rb', line 203

def allowed_ip?(ip)
  allowed_ip_lists.empty? || allowed_ip_lists.any? { |ip_list| ip_list.include?(ip) }
end

#block_outbound?(connection) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/aikido/zen/runtime_settings.rb', line 221

def block_outbound?(connection)
  domain = domains[connection.host]

  (!domain.nil? && domain.block?) || (domain.nil? && block_new_outbound)
end

#blocked_ip?(ip) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/aikido/zen/runtime_settings.rb', line 207

def blocked_ip?(ip)
  blocked_ip_lists.any? { |ip_list| ip_list.include?(ip) }
end

#blocked_user_agent?(user_agent) ⇒ Boolean

Returns whether the user agent should be blocked.

Parameters:

• user_agent (String) —

  the user agent

Returns:

• (Boolean) —

  whether the user agent should be blocked

# File 'lib/aikido/zen/runtime_settings.rb', line 181

def blocked_user_agent?(user_agent)
  return false if blocked_user_agent_regexp.nil?

  blocked_user_agent_regexp.match?(user_agent)
end

#bypassed_ip?(ip) ⇒ Boolean

Returns Whether the IP is included in the bypassed IPs set.

Parameters:

• ip (String)

Returns:

• (Boolean) —

  Whether the IP is included in the bypassed IPs set.

# File 'lib/aikido/zen/runtime_settings.rb', line 168

def bypassed_ip?(ip)
  bypassed_ips.include?(ip)
end

#monitored_ip?(ip) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/aikido/zen/runtime_settings.rb', line 211

def monitored_ip?(ip)
  monitored_ip_lists.any? { |ip_list| ip_list.include?(ip) }
end

#monitored_ip_list_keys(ip) ⇒ Object

# File 'lib/aikido/zen/runtime_settings.rb', line 215

def monitored_ip_list_keys(ip)
  return [] if ip.nil?

  monitored_ip_lists.filter_map { |ip_list| ip_list.key if ip_list.include?(ip) }
end

#monitored_user_agent?(user_agent) ⇒ Boolean

Returns whether the user agent should be monitored.

Parameters:

• user_agent (String) —

  the user agent

Returns:

• (Boolean) —

  whether the user agent should be monitored

# File 'lib/aikido/zen/runtime_settings.rb', line 189

def monitored_user_agent?(user_agent)
  return false if monitored_user_agent_regexp.nil?

  monitored_user_agent_regexp.match?(user_agent)
end

#update_from_runtime_config_json(data) ⇒ Boolean

Parse and interpret the JSON response from the core API with updated runtime settings, and apply the changes.

This will also notify any subscriber to updates.

Parameters:

• data (Hash) —

  the decoded JSON payload from the /api/runtime/config API endpoint.

Returns:

• (Boolean)

# File 'lib/aikido/zen/runtime_settings.rb', line 84

def update_from_runtime_config_json(data)
  last_updated_at = updated_at

  self.updated_at = Time.at(data["configUpdatedAt"].to_i)
  self.heartbeat_interval = data["heartbeatIntervalInMS"].to_i / 1000
  self.endpoints = RuntimeSettings::Endpoints.from_json(data["endpoints"])
  self.blocked_user_ids = data["blockedUserIds"]
  self.bypassed_ips = RuntimeSettings::IPSet.from_json(data["allowedIPAddresses"])
  self.received_any_stats = data["receivedAnyStats"]
  self.blocking_mode = data["block"]

  self.block_new_outbound = data["blockNewOutgoingRequests"]
  self.domains = RuntimeSettings::Domains.from_json(data["domains"])

  self.excluded_user_ids_from_rate_limiting = data["excludedUserIdsFromRateLimiting"]

  updated_at != last_updated_at
end

#update_from_runtime_firewall_lists_json(data) ⇒ Boolean

Parse and interpret the JSON response from the core API with updated runtime firewall lists, and apply the changes.

Parameters:

• data (Hash) —

  the decoded JSON payload from the /api/runtime/firewall/lists API endpoint.

Returns:

• (Boolean)

# File 'lib/aikido/zen/runtime_settings.rb', line 109

def update_from_runtime_firewall_lists_json(data)
  self.blocked_user_agent_regexp = pattern(data["blockedUserAgents"])

  self.monitored_user_agent_regexp = pattern(data["monitoredUserAgents"])

  self.user_agent_details = []

  data["userAgentDetails"]&.each do |record|
    key = record["key"]
    pattern = pattern(record["pattern"])

    next if key.nil? || pattern.nil?

    user_agent_details << {
      key: key,
      pattern: pattern
    }
  end

  self.blocked_ip_lists = []

  data["blockedIPAddresses"]&.each do |ip_list|
    blocked_ip_lists << RuntimeSettings::IPList.from_json(ip_list)
  end

  self.allowed_ip_lists = []

  data["allowedIPAddresses"]&.each do |ip_list|
    allowed_ip_lists << RuntimeSettings::IPList.from_json(ip_list)
  end

  self.monitored_ip_lists = []

  data["monitoredIPAddresses"]&.each do |ip_list|
    monitored_ip_lists << RuntimeSettings::IPList.from_json(ip_list)
  end

  true
end

#user_agent_keys(user_agent) ⇒ Array<String>

Returns the matching user agent keys.

Parameters:

• user_agent (String) —

  the user agent

Returns:

• (Array<String>) —

  the matching user agent keys

# File 'lib/aikido/zen/runtime_settings.rb', line 197

def user_agent_keys(user_agent)
  return [] if user_agent_details.nil?

  user_agent_details.filter_map { |record| record[:key] if record[:pattern].match?(user_agent) }
end

#user_excluded_from_rate_limiting?(user_id) ⇒ Boolean

Returns Whether the user is excluded from rate limiting.

Parameters:

• user_id (String, nil)

Returns:

• (Boolean) —

  Whether the user is excluded from rate limiting.

# File 'lib/aikido/zen/runtime_settings.rb', line 174

def user_excluded_from_rate_limiting?(user_id)
  return false if user_id.nil?
  excluded_user_ids_from_rate_limiting&.include?(user_id.to_s) || false
end