Class: Aikido::Zen::Config
- Inherits:
-
Object
- Object
- Aikido::Zen::Config
- Defined in:
- lib/aikido/zen/config.rb
Instance Attribute Summary collapse
-
#api_endpoint ⇒ URI
The HTTP host for the Aikido API.
-
#api_schema_collection_max_depth ⇒ Integer
private
Max number of levels deep we want to read a nested strcture for performance reasons.
-
#api_schema_collection_max_properties ⇒ Integer
private
Max number of properties that we want to inspect per level of the structure for performance reasons.
-
#api_schema_max_samples ⇒ Integer
Max number of requests we sample per endpoint when computing the schema.
-
#api_timeouts ⇒ Hash
HTTP timeouts for communicating with the API.
-
#api_token ⇒ String
The token obtained when configuring the Firewall in the Aikido interface.
-
#attack_wave_max_cache_entries ⇒ Integer
The maximum number of entries in the LRU cache.
-
#attack_wave_max_cache_samples ⇒ Integer
The maximum number of samples in the LRU cache.
-
#attack_wave_min_time_between_events ⇒ Integer
The minimum time in milliseconds between reporting attack wave events.
-
#attack_wave_min_time_between_requests ⇒ Integer
The minimum time in milliseconds between requests for requests to be part of an attack wave.
-
#attack_wave_threshold ⇒ Integer
How many suspicious requests are allowed before an attack wave detected event is reported.
-
#block_invalid_sql ⇒ Boolean
(also: #block_invalid_sql?)
Whether Aikido Zen should block SQL queries that fail tokenization when user input is present.
-
#blocked_responder ⇒ Proc{(Aikido::Zen::Request, Symbol, reason: String=nil) => Array(Integer, Hash, #each)}
Rack handler used to respond to requests from IPs, users or others blocked in the Aikido dashboard.
-
#blocking_mode ⇒ Boolean
(also: #blocking_mode?)
Whether Aikido should only report infractions or block the request by raising an Exception.
-
#client_ip_header ⇒ String
Environment specific HTTP header providing the client IP.
-
#client_rate_limit_max_events ⇒ Integer
private
Max number of events sent during a sliding #client_rate_limit_period window.
-
#client_rate_limit_period ⇒ Integer
private
Number of seconds to perform client-side rate limiting of events sent to the server.
-
#collect_api_schema ⇒ Boolean
(also: #collect_api_schema?)
Whether Aikido Zen should collect api schemas.
-
#debugging ⇒ Boolean
(also: #debugging?)
Is the agent in debugging mode?.
-
#disabled ⇒ Boolean
(also: #disabled?)
Whether Aikido should be turned completely off (no intercepting calls to protect the app, no agent process running, no middleware installed).
-
#harden ⇒ Boolean
(also: #harden?)
Whether Aikido Zen should harden methods where possible.
-
#idor_excluded_table_names ⇒ Array<String>
The table names to exclude for IDOR protection.
-
#idor_max_cache_entries ⇒ Integer
The maximum number of entries in the LRU cache.
-
#idor_protection_enabled ⇒ Boolean
(also: #idor_protection_enabled?)
Whether the IDOR protection feature is enabled.
-
#idor_tenant_column_name ⇒ String
The tenant column name for IDOR protection.
-
#imds_allowed_hosts ⇒ Array<String>
When checking for stored SSRF attacks, we want to allow known hosts that should be able to resolve to the IMDS service.
-
#initial_heartbeat_delays ⇒ Array<Integer>
The delays in seconds to wait before sending each initial heartbeat event.
-
#insert_middleware_after ⇒ Class, ...
The Rack middleware class or index after which the Zen middleware should be inserted.
-
#json_decoder ⇒ #call
Callable that can be passed a JSON string and parses it into an Object.
-
#json_encoder ⇒ #call
Callable that can be passed an Object and returns a String of JSON.
- #logger ⇒ Logger
-
#max_compressed_stats ⇒ Integer
Maximum number of compressed performance samples to keep in memory.
-
#max_outbound_connections ⇒ Integer
Maximum number of connections to outbound hosts to keep in memory in order to report them in the next heartbeat event.
-
#max_performance_samples ⇒ Integer
Maximum number of timing measurements to keep in memory before compressing them.
-
#max_users_tracked ⇒ Integer
Maximum number of users tracked via Zen.track_user to share with the Aikido servers on the next heartbeat event.
-
#polling_interval ⇒ Integer
The interval in seconds to poll the runtime API for settings changes.
-
#rate_limited_responder ⇒ Proc{Aikido::Zen::Request => Array(Integer, Hash, #each)}
Rack handler used to respond to requests that have been rate limited.
-
#rate_limiting_discriminator ⇒ Proc{Aikido::Zen::Request => String}
A proc that reads information off the current request and returns a String to differentiate different clients.
-
#realtime_endpoint ⇒ URI
The HTTP host for the Aikido Runtime API.
-
#realtime_settings_updates_enabled ⇒ Boolean
(also: #realtime_settings_updates_enabled?)
Whether the realtime settings updates feature is enabled.
-
#redos_regexp_timeout ⇒ Float?
The timeout in seconds for regular expression matching.
-
#request_builder ⇒ Proc<Hash => Aikido::Zen::Context>
private
Callable that takes a Rack-compatible env Hash and returns a Context object with an HTTP request.
-
#server_rate_limit_deadline ⇒ Integer
private
Number of seconds to wait before sending an event after the server returns a 429 response.
-
#stored_ssrf ⇒ Boolean
(also: #stored_ssrf?)
Whether Aikido Zen should scan for stored SSSRF attacks.
-
#worker_process_heartbeat_interval ⇒ Integer
The interval in seconds at which forked worker processes flush their collected stats to the parent process.
-
#worker_process_polling_interval ⇒ Integer
The interval in seconds at which forked worker processes poll the parent process for updated runtime settings.
Instance Method Summary collapse
- #api_token_hash ⇒ Object
-
#initialize ⇒ Config
constructor
A new instance of Config.
Constructor Details
#initialize ⇒ Config
Returns a new instance of Config.
228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 |
# File 'lib/aikido/zen/config.rb', line 228 def initialize self.insert_middleware_after = ::ActionDispatch::RemoteIp self.disabled = read_boolean_from_env(ENV.fetch("AIKIDO_DISABLE", false)) || read_boolean_from_env(ENV.fetch("AIKIDO_DISABLED", false)) self.blocking_mode = read_boolean_from_env(ENV.fetch("AIKIDO_BLOCK", false)) self.debugging = read_boolean_from_env(ENV.fetch("AIKIDO_DEBUG", false)) self.api_token = ENV.fetch("AIKIDO_TOKEN", nil) self.api_endpoint = ENV.fetch("AIKIDO_ENDPOINT") { regional_api_endpoint(api_token) } self.realtime_endpoint = ENV.fetch("AIKIDO_REALTIME_ENDPOINT", DEFAULT_RUNTIME_BASE_URL) self.api_timeouts = 10 self.polling_interval = 60 # 1 min self.initial_heartbeat_delays = [30, 60 * 2] # 30 sec, 2 min self.worker_process_polling_interval = 10 self.worker_process_heartbeat_interval = 10 self.json_encoder = DEFAULT_JSON_ENCODER self.json_decoder = DEFAULT_JSON_DECODER self.logger = Logger.new($stdout, progname: "aikido", level: debugging ? Logger::DEBUG : Logger::INFO) self.client_ip_header = ENV.fetch("AIKIDO_CLIENT_IP_HEADER", nil) self.max_performance_samples = 5000 self.max_compressed_stats = 100 self.max_outbound_connections = 200 self.max_users_tracked = 1000 self.blocked_responder = DEFAULT_BLOCKED_RESPONDER self.rate_limited_responder = DEFAULT_RATE_LIMITED_RESPONDER self.rate_limiting_discriminator = DEFAULT_RATE_LIMITING_DISCRIMINATOR self.collect_api_schema = read_boolean_from_env(ENV.fetch("AIKIDO_FEATURE_COLLECT_API_SCHEMA", true)) self.api_schema_max_samples = Integer(ENV.fetch("AIKIDO_MAX_API_DISCOVERY_SAMPLES", 10)) self.api_schema_collection_max_depth = 20 self.api_schema_collection_max_properties = 20 self.request_builder = Aikido::Zen::Context::RACK_REQUEST_BUILDER self.client_rate_limit_period = 60 * 60 # 1 hour self.client_rate_limit_max_events = 100 self.server_rate_limit_deadline = 30 * 60 # 30 min self.stored_ssrf = read_boolean_from_env(ENV.fetch("AIKIDO_FEATURE_STORED_SSRF", true)) self.imds_allowed_hosts = ["metadata.google.internal", "metadata.goog"] self.harden = read_boolean_from_env(ENV.fetch("AIKIDO_HARDEN", true)) self.block_invalid_sql = read_boolean_from_env(ENV.fetch("AIKIDO_BLOCK_INVALID_SQL", false)) self.attack_wave_threshold = 15 self.attack_wave_min_time_between_requests = 60 * 1000 # 1 min (ms) self.attack_wave_min_time_between_events = 20 * 60 * 1000 # 20 min (ms) self.attack_wave_max_cache_entries = 10_000 self.attack_wave_max_cache_samples = 15 self.redos_regexp_timeout = 1.0 self.idor_protection_enabled = false self.idor_tenant_column_name = nil self.idor_excluded_table_names = [] self.idor_max_cache_entries = 1000 self.realtime_settings_updates_enabled = false end |
Instance Attribute Details
#api_endpoint ⇒ URI
Returns The HTTP host for the Aikido API. Defaults to
https://guard.aikido.dev, or a region-specific host derived from
the api_token (e.g. https://guard.us.aikido.dev).
42 43 44 |
# File 'lib/aikido/zen/config.rb', line 42 def api_endpoint @api_endpoint end |
#api_schema_collection_max_depth ⇒ Integer
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Returns max number of levels deep we want to read a nested strcture for performance reasons.
129 130 131 |
# File 'lib/aikido/zen/config.rb', line 129 def api_schema_collection_max_depth @api_schema_collection_max_depth end |
#api_schema_collection_max_properties ⇒ Integer
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Returns max number of properties that we want to inspect per level of the structure for performance reasons.
134 135 136 |
# File 'lib/aikido/zen/config.rb', line 134 def api_schema_collection_max_properties @api_schema_collection_max_properties end |
#api_schema_max_samples ⇒ Integer
Returns max number of requests we sample per endpoint when computing the schema.
124 125 126 |
# File 'lib/aikido/zen/config.rb', line 124 def api_schema_max_samples @api_schema_max_samples end |
#api_timeouts ⇒ Hash
Returns HTTP timeouts for communicating with the API.
49 50 51 |
# File 'lib/aikido/zen/config.rb', line 49 def api_timeouts @api_timeouts end |
#api_token ⇒ String
Returns the token obtained when configuring the Firewall in the Aikido interface.
37 38 39 |
# File 'lib/aikido/zen/config.rb', line 37 def api_token @api_token end |
#attack_wave_max_cache_entries ⇒ Integer
Returns the maximum number of entries in the LRU cache. Defaults to 10,000 entries.
195 196 197 |
# File 'lib/aikido/zen/config.rb', line 195 def attack_wave_max_cache_entries @attack_wave_max_cache_entries end |
#attack_wave_max_cache_samples ⇒ Integer
Returns the maximum number of samples in the LRU cache. Defaults to 15 entries.
199 200 201 |
# File 'lib/aikido/zen/config.rb', line 199 def attack_wave_max_cache_samples @attack_wave_max_cache_samples end |
#attack_wave_min_time_between_events ⇒ Integer
Returns the minimum time in milliseconds between reporting attack wave events. Defaults to 20 minutes in milliseconds.
191 192 193 |
# File 'lib/aikido/zen/config.rb', line 191 def attack_wave_min_time_between_events @attack_wave_min_time_between_events end |
#attack_wave_min_time_between_requests ⇒ Integer
Returns the minimum time in milliseconds between requests for requests to be part of an attack wave. Defaults to 1 minute in milliseconds.
186 187 188 |
# File 'lib/aikido/zen/config.rb', line 186 def attack_wave_min_time_between_requests @attack_wave_min_time_between_requests end |
#attack_wave_threshold ⇒ Integer
Returns how many suspicious requests are allowed before an attack wave detected event is reported. Defaults to 15 requests.
181 182 183 |
# File 'lib/aikido/zen/config.rb', line 181 def attack_wave_threshold @attack_wave_threshold end |
#block_invalid_sql ⇒ Boolean Also known as: block_invalid_sql?
Returns whether Aikido Zen should block SQL queries that fail tokenization when user input is present. Defaults to false. Can be set through AIKIDO_BLOCK_INVALID_SQL environment variable.
175 176 177 |
# File 'lib/aikido/zen/config.rb', line 175 def block_invalid_sql @block_invalid_sql end |
#blocked_responder ⇒ Proc{(Aikido::Zen::Request, Symbol, reason: String=nil) => Array(Integer, Hash, #each)}
Returns Rack handler used to respond to requests from IPs, users or others blocked in the Aikido dashboard.
105 106 107 |
# File 'lib/aikido/zen/config.rb', line 105 def blocked_responder @blocked_responder end |
#blocking_mode ⇒ Boolean Also known as: blocking_mode?
Returns whether Aikido should only report infractions or block
the request by raising an Exception. Defaults to whether AIKIDO_BLOCK
is set to a non-empty value in your environment, or false otherwise.
28 29 30 |
# File 'lib/aikido/zen/config.rb', line 28 def blocking_mode @blocking_mode end |
#client_ip_header ⇒ String
Returns environment specific HTTP header providing the client IP.
79 80 81 |
# File 'lib/aikido/zen/config.rb', line 79 def client_ip_header @client_ip_header end |
#client_rate_limit_max_events ⇒ Integer
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Returns max number of events sent during a sliding #client_rate_limit_period window.
150 151 152 |
# File 'lib/aikido/zen/config.rb', line 150 def client_rate_limit_max_events @client_rate_limit_max_events end |
#client_rate_limit_period ⇒ Integer
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Returns number of seconds to perform client-side rate limiting of events sent to the server.
145 146 147 |
# File 'lib/aikido/zen/config.rb', line 145 def client_rate_limit_period @client_rate_limit_period end |
#collect_api_schema ⇒ Boolean Also known as: collect_api_schema?
Returns whether Aikido Zen should collect api schemas. Defaults to true. Can be set through AIKIDO_FEATURE_COLLECT_API_SCHEMA environment variable.
119 120 121 |
# File 'lib/aikido/zen/config.rb', line 119 def collect_api_schema @collect_api_schema end |
#debugging ⇒ Boolean Also known as: debugging?
Returns is the agent in debugging mode?.
32 33 34 |
# File 'lib/aikido/zen/config.rb', line 32 def debugging @debugging end |
#disabled ⇒ Boolean Also known as: disabled?
Returns whether Aikido should be turned completely off (no intercepting calls to protect the app, no agent process running, no middleware installed). Defaults to false (so, enabled). Can be set via the AIKIDO_DISABLE environment variable.
22 23 24 |
# File 'lib/aikido/zen/config.rb', line 22 def disabled @disabled end |
#harden ⇒ Boolean Also known as: harden?
Returns whether Aikido Zen should harden methods where possible. Defaults to true. Can be set through AIKIDO_HARDEN environment variable.
169 170 171 |
# File 'lib/aikido/zen/config.rb', line 169 def harden @harden end |
#idor_excluded_table_names ⇒ Array<String>
Returns the table names to exclude for IDOR protection. Defaults to [].
217 218 219 |
# File 'lib/aikido/zen/config.rb', line 217 def idor_excluded_table_names @idor_excluded_table_names end |
#idor_max_cache_entries ⇒ Integer
Returns the maximum number of entries in the LRU cache. Defaults to 1000 entries.
221 222 223 |
# File 'lib/aikido/zen/config.rb', line 221 def idor_max_cache_entries @idor_max_cache_entries end |
#idor_protection_enabled ⇒ Boolean Also known as: idor_protection_enabled?
Returns whether the IDOR protection feature is enabled. Defaults to false.
208 209 210 |
# File 'lib/aikido/zen/config.rb', line 208 def idor_protection_enabled @idor_protection_enabled end |
#idor_tenant_column_name ⇒ String
Returns the tenant column name for IDOR protection. Defaults to nil.
213 214 215 |
# File 'lib/aikido/zen/config.rb', line 213 def idor_tenant_column_name @idor_tenant_column_name end |
#imds_allowed_hosts ⇒ Array<String>
Returns when checking for stored SSRF attacks, we want to allow known hosts that should be able to resolve to the IMDS service.
165 166 167 |
# File 'lib/aikido/zen/config.rb', line 165 def imds_allowed_hosts @imds_allowed_hosts end |
#initial_heartbeat_delays ⇒ Array<Integer>
Returns the delays in seconds to wait before sending each initial heartbeat event.
57 58 59 |
# File 'lib/aikido/zen/config.rb', line 57 def initial_heartbeat_delays @initial_heartbeat_delays end |
#insert_middleware_after ⇒ Class, ...
Returns The Rack middleware class or index after which the Zen middleware should be inserted. When set to nil, the middleware is inserted before the first middleware in the then-current middleware stack. Defaults to ::ActionDispatch::RemoteIp.
16 17 18 |
# File 'lib/aikido/zen/config.rb', line 16 def insert_middleware_after @insert_middleware_after end |
#json_decoder ⇒ #call
Returns Callable that can be passed a JSON string and parses it into an Object. Defaults to the standard library's JSON.parse method.
73 74 75 |
# File 'lib/aikido/zen/config.rb', line 73 def json_decoder @json_decoder end |
#json_encoder ⇒ #call
Returns Callable that can be passed an Object and returns a String of JSON. Defaults to the standard library's JSON.dump method.
69 70 71 |
# File 'lib/aikido/zen/config.rb', line 69 def json_encoder @json_encoder end |
#logger ⇒ Logger
76 77 78 |
# File 'lib/aikido/zen/config.rb', line 76 def logger @logger end |
#max_compressed_stats ⇒ Integer
Returns maximum number of compressed performance samples to keep in memory. If we take more than this before reporting them to Aikido, we will discard the oldest samples.
88 89 90 |
# File 'lib/aikido/zen/config.rb', line 88 def max_compressed_stats @max_compressed_stats end |
#max_outbound_connections ⇒ Integer
Returns maximum number of connections to outbound hosts to keep in memory in order to report them in the next heartbeat event. If new connections are added to the set before reporting them to Aikido, we will discard the oldest data point.
94 95 96 |
# File 'lib/aikido/zen/config.rb', line 94 def max_outbound_connections @max_outbound_connections end |
#max_performance_samples ⇒ Integer
Returns maximum number of timing measurements to keep in memory before compressing them.
83 84 85 |
# File 'lib/aikido/zen/config.rb', line 83 def max_performance_samples @max_performance_samples end |
#max_users_tracked ⇒ Integer
Returns maximum number of users tracked via Zen.track_user to share with the Aikido servers on the next heartbeat event. If more unique users (by their ID) are tracked than this number, we will discard the oldest seen users.
100 101 102 |
# File 'lib/aikido/zen/config.rb', line 100 def max_users_tracked @max_users_tracked end |
#polling_interval ⇒ Integer
Returns the interval in seconds to poll the runtime API for settings changes. Defaults to evey 60 seconds.
53 54 55 |
# File 'lib/aikido/zen/config.rb', line 53 def polling_interval @polling_interval end |
#rate_limited_responder ⇒ Proc{Aikido::Zen::Request => Array(Integer, Hash, #each)}
Returns Rack handler used to respond to requests that have been rate limited.
109 110 111 |
# File 'lib/aikido/zen/config.rb', line 109 def rate_limited_responder @rate_limited_responder end |
#rate_limiting_discriminator ⇒ Proc{Aikido::Zen::Request => String}
Returns a proc that reads information off the current request and returns a String to differentiate different clients. By default this uses the request IP.
114 115 116 |
# File 'lib/aikido/zen/config.rb', line 114 def rate_limiting_discriminator @rate_limiting_discriminator end |
#realtime_endpoint ⇒ URI
Returns The HTTP host for the Aikido Runtime API. Defaults to
https://runtime.aikido.dev.
46 47 48 |
# File 'lib/aikido/zen/config.rb', line 46 def realtime_endpoint @realtime_endpoint end |
#realtime_settings_updates_enabled ⇒ Boolean Also known as: realtime_settings_updates_enabled?
Returns whether the realtime settings updates feature is enabled. Defaults to false.
225 226 227 |
# File 'lib/aikido/zen/config.rb', line 225 def realtime_settings_updates_enabled @realtime_settings_updates_enabled end |
#redos_regexp_timeout ⇒ Float?
Returns the timeout in seconds for regular expression matching. Applied to selected internal regular expressions to mitigate ReDoS risks. Defaults to 1.0 seconds.
204 205 206 |
# File 'lib/aikido/zen/config.rb', line 204 def redos_regexp_timeout @redos_regexp_timeout end |
#request_builder ⇒ Proc<Hash => Aikido::Zen::Context>
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Returns callable that takes a Rack-compatible env Hash and returns a Context object with an HTTP request. This is meant to be overridden by each framework adapter.
140 141 142 |
# File 'lib/aikido/zen/config.rb', line 140 def request_builder @request_builder end |
#server_rate_limit_deadline ⇒ Integer
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Returns number of seconds to wait before sending an event after the server returns a 429 response.
155 156 157 |
# File 'lib/aikido/zen/config.rb', line 155 def server_rate_limit_deadline @server_rate_limit_deadline end |
#stored_ssrf ⇒ Boolean Also known as: stored_ssrf?
Returns whether Aikido Zen should scan for stored SSSRF attacks. Defaults to true. Can be set through AIKIDO_FEATURE_STORED_SSRF environment variable.
160 161 162 |
# File 'lib/aikido/zen/config.rb', line 160 def stored_ssrf @stored_ssrf end |
#worker_process_heartbeat_interval ⇒ Integer
Returns the interval in seconds at which forked worker processes flush their collected stats to the parent process. Defaults to 10 seconds.
65 66 67 |
# File 'lib/aikido/zen/config.rb', line 65 def worker_process_heartbeat_interval @worker_process_heartbeat_interval end |
#worker_process_polling_interval ⇒ Integer
Returns the interval in seconds at which forked worker processes poll the parent process for updated runtime settings. Defaults to 10 seconds.
61 62 63 |
# File 'lib/aikido/zen/config.rb', line 61 def worker_process_polling_interval @worker_process_polling_interval end |
Instance Method Details
#api_token_hash ⇒ Object
317 318 319 320 321 |
# File 'lib/aikido/zen/config.rb', line 317 def api_token_hash return unless api_token @api_token_hash ||= Digest::SHA1.hexdigest(api_token)[0, 7] end |