Class: Aikido::Zen::Request

Inherits:

SimpleDelegator

• Object
• SimpleDelegator
• Aikido::Zen::Request

Defined in:

lib/aikido/zen/request.rb

Overview

Wrapper around Rack::Request-like objects to add some behavior.

Defined Under Namespace

Classes: HeuristicRouter, RailsRouter, Schema

Constant Summary

BLESSED_CGI_HEADERS =

%w[CONTENT_TYPE CONTENT_LENGTH]

Instance Attribute Summary

• #actor ⇒ Aikido::Zen::Actor^?

  The current user, if set by the host app.

• #framework ⇒ String readonly

  Identifier of the framework handling this HTTP request.

• #router ⇒ Aikido::Zen::Router readonly

Instance Method Summary

• #__setobj__(delegate) ⇒ Object

  :nodoc:.

• #as_json ⇒ Object
• #initialize(delegate, framework:, router:) ⇒ Request constructor

  A new instance of Request.

• #normalized_headers ⇒ Hash<String, String>

  Map the CGI-style env Hash into “pretty-looking” headers, preserving the values as-is.

• #route ⇒ Aikido::Zen::Route

  The framework route being requested.

• #schema ⇒ Aikido::Zen::Request::Schema^?
• #truncated_body(max_size: 16384) ⇒ String private

  Reads the first 16KiB of the request body, to include in attack reports back to the Aikido server.

Constructor Details

#initialize(delegate, framework:, router:) ⇒ Request

Returns a new instance of Request.

# File 'lib/aikido/zen/request.rb', line 20

def initialize(delegate, framework:, router:)
  super(delegate)
  @framework = framework
  @router = router
  @body_read = false
end

Instance Attribute Details

#actor ⇒ Aikido::Zen::Actor^?

The current user, if set by the host app.

Returns:

• (Aikido::Zen::Actor, nil)

See Also:

• Aikido::Zen.track_user

# File 'lib/aikido/zen/request.rb', line 18

def actor
  @actor
end

#framework ⇒ String (readonly)

Returns identifier of the framework handling this HTTP request.

Returns:

• (String) —

  identifier of the framework handling this HTTP request.

# File 'lib/aikido/zen/request.rb', line 9

def framework
  @framework
end

#router ⇒ Aikido::Zen::Router (readonly)

Returns:

• (Aikido::Zen::Router)

# File 'lib/aikido/zen/request.rb', line 12

def router
  @router
end

Instance Method Details

#__setobj__(delegate) ⇒ Object

:nodoc:

# File 'lib/aikido/zen/request.rb', line 27

def __setobj__(delegate) # :nodoc:
  super
  @body_read = false
  @route = @normalized_header = @truncated_body = nil
end

#as_json ⇒ Object

# File 'lib/aikido/zen/request.rb', line 86

def as_json
  {
    method: request_method.downcase,
    url: url,
    ipAddress: ip,
    userAgent: user_agent,
    headers: normalized_headers.reject { |_, val| val.to_s.empty? },
    body: truncated_body,
    source: framework,
    route: route&.path
  }
end

#normalized_headers ⇒ Hash<String, String>

Map the CGI-style env Hash into “pretty-looking” headers, preserving the values as-is. For example, HTTP_ACCEPT turns into “Accept”, CONTENT_TYPE turns into “Content-Type”, and HTTP_X_FORWARDED_FOR turns into “X-Forwarded-For”.

Returns:

• (Hash<String, String>)

# File 'lib/aikido/zen/request.rb', line 49

def normalized_headers
  @normalized_headers ||= env.slice(*BLESSED_CGI_HEADERS)
    .merge(env.select { |key, _| key.start_with?("HTTP_") })
    .transform_keys { |header|
      name = header.sub(/^HTTP_/, "").downcase
      name.split("_").map { |part| part[0].upcase + part[1..] }.join("-")
    }
end

#route ⇒ Aikido::Zen::Route

Returns the framework route being requested.

Returns:

• (Aikido::Zen::Route) —

  the framework route being requested.

# File 'lib/aikido/zen/request.rb', line 34

def route
  @route ||= @router.recognize(self)
end

#schema ⇒ Aikido::Zen::Request::Schema^?

Returns:

• (Aikido::Zen::Request::Schema, nil)

# File 'lib/aikido/zen/request.rb', line 39

def schema
  @schema ||= Aikido::Zen::Request::Schema.build
end

#truncated_body(max_size: 16384) ⇒ String

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Reads the first 16KiB of the request body, to include in attack reports back to the Aikido server. This method should only be called if an attack is detected during the current request.

If the underlying IO object has been partially (or fully) read before, this will attempt to restore the previous cursor position after reading it if possible, or leave if rewund if not.

Parameters:

• max_size (Integer) (defaults to: 16384) —

  number of bytes to read at most.

Returns:

• (String)

# File 'lib/aikido/zen/request.rb', line 71

def truncated_body(max_size: 16384)
  return @truncated_body if @body_read
  return nil if body.nil?

  begin
    initial_pos = body.pos if body.respond_to?(:pos)
    body.rewind
    @truncated_body = body.read(max_size)
  ensure
    @body_read = true
    body.rewind
    body.seek(initial_pos) if initial_pos && body.respond_to?(:seek)
  end
end