Class: Aikido::Zen::Config

Inherits:

Object

• Object
• Aikido::Zen::Config

Defined in:

lib/aikido/zen/config.rb

Instance Attribute Summary

• #api_base_url ⇒ URI

  The HTTP host for the Aikido API.

• #api_schema_collection_max_depth ⇒ Integer private

  Max number of levels deep we want to read a nested strcture for performance reasons.

• #api_schema_collection_max_properties ⇒ Integer private

  Max number of properties that we want to inspect per level of the structure for performance reasons.

• #api_schema_max_samples ⇒ Integer

  Max number of requests we sample per endpoint when computing the schema.

• #api_timeouts ⇒ Hash

  HTTP timeouts for communicating with the API.

• #api_token ⇒ String

  The token obtained when configuring the Firewall in the Aikido interface.

• #blocked_ip_responder ⇒ Proc{Aikido::Zen::Request => Array(Integer, Hash, #each)}

  Rack handler used to respond to requests from IPs blocked in the Aikido dashboard.

• #blocking_mode ⇒ Boolean (also: #blocking_mode?)

  Whether Aikido should only report infractions or block the request by raising an Exception.

• #client_rate_limit_max_events ⇒ Integer private

  Max number of events sent during a sliding #client_rate_limit_period window.

• #client_rate_limit_period ⇒ Integer private

  Number of seconds to perform client-side rate limiting of events sent to the server.

• #disabled ⇒ Boolean (also: #disabled?)

  Whether Aikido should be turned completely off (no intercepting calls to protect the app, no agent process running, no middleware installed).

• #imds_allowed_hosts ⇒ Array<String>

  When checking for stored SSRF attacks, we want to allow known hosts that should be able to resolve to the IMDS service.

• #initial_heartbeat_delay ⇒ Integer

  The amount in seconds to wait before sending an initial heartbeat event when the server reports no stats have been sent yet.

• #json_decoder ⇒ #call

  Callable that can be passed a JSON string and parses it into an Object.

• #json_encoder ⇒ #call

  Callable that can be passed an Object and returns a String of JSON.

• #logger ⇒ Logger
• #max_compressed_stats ⇒ Integer

  Maximum number of compressed performance samples to keep in memory.

• #max_outbound_connections ⇒ Integer

  Maximum number of connections to outbound hosts to keep in memory in order to report them in the next heartbeat event.

• #max_performance_samples ⇒ Integer

  Maximum number of timing measurements to keep in memory before compressing them.

• #max_users_tracked ⇒ Integer

  Maximum number of users tracked via Zen.track_user to share with the Aikido servers on the next heartbeat event.

• #polling_interval ⇒ Integer

  The interval in seconds to poll the runtime API for settings changes.

• #rate_limited_responder ⇒ Proc{Aikido::Zen::Request => Array(Integer, Hash, #each)}

  Rack handler used to respond to requests that have been rate limited.

• #rate_limiting_discriminator ⇒ Proc{Aikido::Zen::Request => String}

  A proc that reads information off the current request and returns a String to differentiate different clients.

• #request_builder ⇒ Proc<Hash => Aikido::Zen::Context> private

  Callable that takes a Rack-compatible env Hash and returns a Context object with an HTTP request.

• #runtime_api_base_url ⇒ URI

  The HTTP host for the Aikido Runtime API.

• #server_rate_limit_deadline ⇒ Integer private

  Number of seconds to wait before sending an event after the server returns a 429 response.

Instance Method Summary

• #initialize ⇒ Config constructor

  A new instance of Config.

Constructor Details

#initialize ⇒ Config

Returns a new instance of Config.

# File 'lib/aikido/zen/config.rb', line 132

def initialize
  self.disabled = read_boolean_from_env(ENV.fetch("AIKIDO_DISABLED", false))
  self.blocking_mode = read_boolean_from_env(ENV.fetch("AIKIDO_BLOCKING", false))
  self.api_timeouts = 10
  self.api_base_url = ENV.fetch("AIKIDO_BASE_URL", DEFAULT_API_BASE_URL)
  self.runtime_api_base_url = ENV.fetch("AIKIDO_RUNTIME_URL", DEFAULT_RUNTIME_BASE_URL)
  self.api_token = ENV.fetch("AIKIDO_TOKEN", nil)
  self.polling_interval = 60
  self.initial_heartbeat_delay = 60
  self.json_encoder = DEFAULT_JSON_ENCODER
  self.json_decoder = DEFAULT_JSON_DECODER
  self.logger = Logger.new($stdout, progname: "aikido")
  self.max_performance_samples = 5000
  self.max_compressed_stats = 100
  self.max_outbound_connections = 200
  self.max_users_tracked = 1000
  self.request_builder = Aikido::Zen::Context::RACK_REQUEST_BUILDER
  self.blocked_ip_responder = DEFAULT_BLOCKED_IP_RESPONDER
  self.rate_limited_responder = DEFAULT_RATE_LIMITED_RESPONDER
  self.rate_limiting_discriminator = DEFAULT_RATE_LIMITING_DISCRIMINATOR
  self.server_rate_limit_deadline = 1800 # 30 min
  self.client_rate_limit_period = 3600 # 1 hour
  self.client_rate_limit_max_events = 100
  self.api_schema_max_samples = Integer(ENV.fetch("AIKIDO_MAX_API_DISCOVERY_SAMPLES", 10))
  self.api_schema_collection_max_depth = 20
  self.api_schema_collection_max_properties = 20
  self.imds_allowed_hosts = ["metadata.google.internal", "metadata.goog"]
end

Instance Attribute Details

#api_base_url ⇒ URI

Returns The HTTP host for the Aikido API. Defaults to https://guard.aikido.dev.

Returns:

• (URI) —

  The HTTP host for the Aikido API. Defaults to https://guard.aikido.dev.

# File 'lib/aikido/zen/config.rb', line 26

def api_base_url
  @api_base_url
end

#api_schema_collection_max_depth ⇒ Integer

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns max number of levels deep we want to read a nested strcture for performance reasons.

Returns:

• (Integer) —

  max number of levels deep we want to read a nested strcture for performance reasons.

# File 'lib/aikido/zen/config.rb', line 100

def api_schema_collection_max_depth
  @api_schema_collection_max_depth
end

#api_schema_collection_max_properties ⇒ Integer

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns max number of properties that we want to inspect per level of the structure for performance reasons.

Returns:

• (Integer) —

  max number of properties that we want to inspect per level of the structure for performance reasons.

# File 'lib/aikido/zen/config.rb', line 105

def api_schema_collection_max_properties
  @api_schema_collection_max_properties
end

#api_schema_max_samples ⇒ Integer

Returns max number of requests we sample per endpoint when computing the schema.

Returns:

• (Integer) —

  max number of requests we sample per endpoint when computing the schema.

# File 'lib/aikido/zen/config.rb', line 95

def api_schema_max_samples
  @api_schema_max_samples
end

#api_timeouts ⇒ Hash

Returns HTTP timeouts for communicating with the API.

Returns:

• (Hash) —

  HTTP timeouts for communicating with the API.

# File 'lib/aikido/zen/config.rb', line 33

def api_timeouts
  @api_timeouts
end

#api_token ⇒ String

Returns the token obtained when configuring the Firewall in the Aikido interface.

Returns:

• (String) —

  the token obtained when configuring the Firewall in the Aikido interface.

# File 'lib/aikido/zen/config.rb', line 37

def api_token
  @api_token
end

#blocked_ip_responder ⇒ Proc{Aikido::Zen::Request => Array(Integer, Hash, #each)}

Returns Rack handler used to respond to requests from IPs blocked in the Aikido dashboard.

Returns:

• (Proc{Aikido::Zen::Request => Array(Integer, Hash, #each)}) —

  Rack handler used to respond to requests from IPs blocked in the Aikido dashboard.

# File 'lib/aikido/zen/config.rb', line 82

def blocked_ip_responder
  @blocked_ip_responder
end

#blocking_mode ⇒ Boolean Also known as: blocking_mode?

Returns whether Aikido should only report infractions or block the request by raising an Exception. Defaults to whether AIKIDO_BLOCKING is set to a non-empty value in your environment, or false otherwise.

Returns:

• (Boolean) —

  whether Aikido should only report infractions or block the request by raising an Exception. Defaults to whether AIKIDO_BLOCKING is set to a non-empty value in your environment, or false otherwise.

# File 'lib/aikido/zen/config.rb', line 21

def blocking_mode
  @blocking_mode
end

#client_rate_limit_max_events ⇒ Integer

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns max number of events sent during a sliding #client_rate_limit_period window.

Returns:

• (Integer) —

  max number of events sent during a sliding #client_rate_limit_period window.

# File 'lib/aikido/zen/config.rb', line 121

def client_rate_limit_max_events
  @client_rate_limit_max_events
end

#client_rate_limit_period ⇒ Integer

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns number of seconds to perform client-side rate limiting of events sent to the server.

Returns:

• (Integer) —

  number of seconds to perform client-side rate limiting of events sent to the server.

# File 'lib/aikido/zen/config.rb', line 116

def client_rate_limit_period
  @client_rate_limit_period
end

#disabled ⇒ Boolean Also known as: disabled?

Returns whether Aikido should be turned completely off (no intercepting calls to protect the app, no agent process running, no middleware installed). Defaults to false (so, enabled). Can be set via the AIKIDO_DISABLED environment variable.

Returns:

• (Boolean) —

  whether Aikido should be turned completely off (no intercepting calls to protect the app, no agent process running, no middleware installed). Defaults to false (so, enabled). Can be set via the AIKIDO_DISABLED environment variable.

# File 'lib/aikido/zen/config.rb', line 15

def disabled
  @disabled
end

#imds_allowed_hosts ⇒ Array<String>

Returns when checking for stored SSRF attacks, we want to allow known hosts that should be able to resolve to the IMDS service.

Returns:

• (Array<String>) —

  when checking for stored SSRF attacks, we want to allow known hosts that should be able to resolve to the IMDS service.

# File 'lib/aikido/zen/config.rb', line 130

def imds_allowed_hosts
  @imds_allowed_hosts
end

#initial_heartbeat_delay ⇒ Integer

Returns the amount in seconds to wait before sending an initial heartbeat event when the server reports no stats have been sent yet.

Returns:

• (Integer) —

  the amount in seconds to wait before sending an initial heartbeat event when the server reports no stats have been sent yet.

# File 'lib/aikido/zen/config.rb', line 45

def initial_heartbeat_delay
  @initial_heartbeat_delay
end

#json_decoder ⇒ #call

Returns Callable that can be passed a JSON string and parses it into an Object. Defaults to the standard library’s JSON.parse method.

Returns:

• (#call) —

  Callable that can be passed a JSON string and parses it into an Object. Defaults to the standard library’s JSON.parse method.

# File 'lib/aikido/zen/config.rb', line 53

def json_decoder
  @json_decoder
end

#json_encoder ⇒ #call

Returns Callable that can be passed an Object and returns a String of JSON. Defaults to the standard library’s JSON.dump method.

Returns:

• (#call) —

  Callable that can be passed an Object and returns a String of JSON. Defaults to the standard library’s JSON.dump method.

# File 'lib/aikido/zen/config.rb', line 49

def json_encoder
  @json_encoder
end

#logger ⇒ Logger

Returns:

• (Logger)

# File 'lib/aikido/zen/config.rb', line 56

def logger
  @logger
end

#max_compressed_stats ⇒ Integer

Returns maximum number of compressed performance samples to keep in memory. If we take more than this before reporting them to Aikido, we will discard the oldest samples.

Returns:

• (Integer) —

  maximum number of compressed performance samples to keep in memory. If we take more than this before reporting them to Aikido, we will discard the oldest samples.

# File 'lib/aikido/zen/config.rb', line 65

def max_compressed_stats
  @max_compressed_stats
end

#max_outbound_connections ⇒ Integer

Returns maximum number of connections to outbound hosts to keep in memory in order to report them in the next heartbeat event. If new connections are added to the set before reporting them to Aikido, we will discard the oldest data point.

Returns:

• (Integer) —

  maximum number of connections to outbound hosts to keep in memory in order to report them in the next heartbeat event. If new connections are added to the set before reporting them to Aikido, we will discard the oldest data point.

# File 'lib/aikido/zen/config.rb', line 71

def max_outbound_connections
  @max_outbound_connections
end

#max_performance_samples ⇒ Integer

Returns maximum number of timing measurements to keep in memory before compressing them.

Returns:

• (Integer) —

  maximum number of timing measurements to keep in memory before compressing them.

# File 'lib/aikido/zen/config.rb', line 60

def max_performance_samples
  @max_performance_samples
end

#max_users_tracked ⇒ Integer

Returns maximum number of users tracked via Zen.track_user to share with the Aikido servers on the next heartbeat event. If more unique users (by their ID) are tracked than this number, we will discard the oldest seen users.

Returns:

• (Integer) —

  maximum number of users tracked via Zen.track_user to share with the Aikido servers on the next heartbeat event. If more unique users (by their ID) are tracked than this number, we will discard the oldest seen users.

# File 'lib/aikido/zen/config.rb', line 77

def max_users_tracked
  @max_users_tracked
end

#polling_interval ⇒ Integer

Returns the interval in seconds to poll the runtime API for settings changes. Defaults to evey 60 seconds.

Returns:

• (Integer) —

  the interval in seconds to poll the runtime API for settings changes. Defaults to evey 60 seconds.

# File 'lib/aikido/zen/config.rb', line 41

def polling_interval
  @polling_interval
end

#rate_limited_responder ⇒ Proc{Aikido::Zen::Request => Array(Integer, Hash, #each)}

Returns Rack handler used to respond to requests that have been rate limited.

Returns:

• (Proc{Aikido::Zen::Request => Array(Integer, Hash, #each)}) —

  Rack handler used to respond to requests that have been rate limited.

# File 'lib/aikido/zen/config.rb', line 86

def rate_limited_responder
  @rate_limited_responder
end

#rate_limiting_discriminator ⇒ Proc{Aikido::Zen::Request => String}

Returns a proc that reads information off the current request and returns a String to differentiate different clients. By default this uses the request IP.

Returns:

• (Proc{Aikido::Zen::Request => String}) —

  a proc that reads information off the current request and returns a String to differentiate different clients. By default this uses the request IP.

# File 'lib/aikido/zen/config.rb', line 91

def rate_limiting_discriminator
  @rate_limiting_discriminator
end

#request_builder ⇒ Proc<Hash => Aikido::Zen::Context>

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns callable that takes a Rack-compatible env Hash and returns a Context object with an HTTP request. This is meant to be overridden by each framework adapter.

Returns:

• (Proc<Hash => Aikido::Zen::Context>) —

  callable that takes a Rack-compatible env Hash and returns a Context object with an HTTP request. This is meant to be overridden by each framework adapter.

# File 'lib/aikido/zen/config.rb', line 111

def request_builder
  @request_builder
end

#runtime_api_base_url ⇒ URI

Returns The HTTP host for the Aikido Runtime API. Defaults to https://runtime.aikido.dev.

Returns:

• (URI) —

  The HTTP host for the Aikido Runtime API. Defaults to https://runtime.aikido.dev.

# File 'lib/aikido/zen/config.rb', line 30

def runtime_api_base_url
  @runtime_api_base_url
end

#server_rate_limit_deadline ⇒ Integer

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns number of seconds to wait before sending an event after the server returns a 429 response.

Returns:

• (Integer) —

  number of seconds to wait before sending an event after the server returns a 429 response.

# File 'lib/aikido/zen/config.rb', line 126

def server_rate_limit_deadline
  @server_rate_limit_deadline
end