Refactor environment loading and handling for FrankenPHP (#397)

Author: ioaniftimesei

README.md

@@ -39,25 +39,25 @@ Prerequisites:
 
 ##### x86_64
 ```
-rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.5.1/aikido-php-firewall.x86_64.rpm
+rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.5.2/aikido-php-firewall.x86_64.rpm
 ```
 
 ##### arm64 / aarch64
 ```
-rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.5.1/aikido-php-firewall.aarch64.rpm
+rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.5.2/aikido-php-firewall.aarch64.rpm
 ```
 
 #### For Debian-based Systems (Debian, Ubuntu)
 
 ##### x86_64
 ```
-curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.5.1/aikido-php-firewall.x86_64.deb
+curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.5.2/aikido-php-firewall.x86_64.deb
 dpkg -i -E ./aikido-php-firewall.x86_64.deb
 ```
 
 ##### arm64 / aarch64
 ```
-curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.5.1/aikido-php-firewall.aarch64.deb
+curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.5.2/aikido-php-firewall.aarch64.deb
 dpkg -i -E ./aikido-php-firewall.aarch64.deb
 ```
 

docs/aws-elastic-beanstalk.md

@@ -4,7 +4,7 @@
 ```
 commands:
   aikido-php-firewall:
-    command: "rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.5.1/aikido-php-firewall.x86_64.rpm"
+    command: "rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.5.2/aikido-php-firewall.x86_64.rpm"
     ignoreErrors: true
 
 files:

docs/fly-io.md

@@ -32,7 +32,7 @@ Create a script to install the Aikido PHP Firewall during deployment:
 #!/usr/bin/env bash
 cd /tmp
 
-curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.5.1/aikido-php-firewall.x86_64.deb
+curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.5.2/aikido-php-firewall.x86_64.deb
 dpkg -i -E ./aikido-php-firewall.x86_64.deb
 ```
 

docs/laravel-forge.md

@@ -8,7 +8,7 @@ You can get your token from the [Aikido Security Dashboard](https://help.aikido.
 
 Go to "Commands" and run the following by replacing the sudo password with the one that Forge displays when the server is created:
 ```
-curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.5.1/aikido-php-firewall.x86_64.deb && echo "YOUR_SUDO_PASSWORD_HERE" | sudo -S dpkg -i -E ./aikido-php-firewall.x86_64.deb && echo "YOUR_SUDO_PASSWORD_HERE" | sudo -S service php8.4-fpm restart
+curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.5.2/aikido-php-firewall.x86_64.deb && echo "YOUR_SUDO_PASSWORD_HERE" | sudo -S dpkg -i -E ./aikido-php-firewall.x86_64.deb && echo "YOUR_SUDO_PASSWORD_HERE" | sudo -S service php8.4-fpm restart
 ```
 
 ![Forge Commands](./forge-commands.png)

lib/agent/constants/constants.go

@@ -1,7 +1,7 @@
 package constants
 
 const (
-	Version                             = "1.5.1"
+	Version                             = "1.5.2"
 	SocketPath                          = "/run/aikido-" + Version + "/aikido-agent.sock"
 	PidPath                             = "/run/aikido-" + Version + "/aikido-agent.pid"
 	ConfigUpdatedAtMethod               = "GET"

lib/php-extension/Aikido.cpp

@@ -4,14 +4,8 @@
 ZEND_DECLARE_MODULE_GLOBALS(aikido)
 
 PHP_MINIT_FUNCTION(aikido) {
-    // For FrankenPHP: Set sapi_name but skip rest of LoadEnvironment during MINIT
-    // Full environment will be loaded in RINIT when Caddyfile env vars are available
-    if (sapi_module.name == std::string("frankenphp")) {
-        AIKIDO_GLOBAL(sapi_name) = sapi_module.name;
-    } else {
-        // For other SAPIs: Load environment during MINIT as normal
-        LoadEnvironment();
-    }
+    LoadSystemEnvironment();
+    
     AIKIDO_GLOBAL(logger).Init();
 
     AIKIDO_LOG_INFO("MINIT started!\n");

lib/php-extension/Environment.cpp

@@ -152,14 +152,19 @@ std::string GetLaravelEnvVariable(const std::string& env_key) {
 */
 
 using EnvGetterFn = std::string(*)(const std::string&);
-EnvGetterFn envGetters[] = {
+
+const std::vector<EnvGetterFn> completeEnvGetters = {
     &GetSystemEnvVariable,
     &GetFrankenEnvVariable,
     &GetPhpEnvVariable,
     &GetLaravelEnvVariable
 };
 
-std::string GetEnvVariable(const std::string& env_key) {
+const std::vector<EnvGetterFn> systemEnvGetters = {
+    &GetSystemEnvVariable,
+};
+
+std::string GetEnvVariable(const std::vector<EnvGetterFn>& envGetters, const std::string& env_key) {
     for (EnvGetterFn envGetter : envGetters) {
         std::string env_value = envGetter(env_key);
         if (!env_value.empty()) {
@@ -169,8 +174,8 @@ std::string GetEnvVariable(const std::string& env_key) {
     return "";
 }
 
-std::string GetEnvString(const std::string& env_key, const std::string default_value) {
-    std::string env_value = GetEnvVariable(env_key);
+std::string GetEnvString(const std::vector<EnvGetterFn>& envGetters, const std::string& env_key, const std::string default_value) {
+    std::string env_value = GetEnvVariable(envGetters, env_key);
     if (!env_value.empty()) {
         return env_value;
     }
@@ -185,12 +190,16 @@ bool GetBoolFromString(const std::string& env, bool default_value) {
     return default_value;
 }
 
-bool GetEnvBool(const std::string& env_key, bool default_value) {
-    return GetBoolFromString(GetEnvVariable(env_key), default_value);
+bool GetEnvBool(const std::vector<EnvGetterFn>& envGetters, const std::string& env_key, bool default_value) {
+    return GetBoolFromString(GetEnvVariable(envGetters, env_key), default_value);
 }
 
-unsigned int GetEnvNumber(const std::string& env_key, unsigned int default_value) {
-    std::string env_value = GetEnvVariable(env_key.c_str());
+bool GetEnvBoolWithAllGetters(const std::string& env_key, bool default_value) {
+    return GetBoolFromString(GetEnvVariable(completeEnvGetters, env_key), default_value);
+}
+
+unsigned int GetEnvNumber(const std::vector<EnvGetterFn>& envGetters, const std::string& env_key, unsigned int default_value) {
+    std::string env_value = GetEnvVariable(envGetters, env_key);
     if (!env_value.empty()) {
         try {
             unsigned int number = std::stoi(env_value);
@@ -203,26 +212,34 @@ unsigned int GetEnvNumber(const std::string& env_key, unsigned int default_value
     return default_value;
 }
 
-void LoadEnvironment() {
+void LoadEnvironmentFromGetters(const std::vector<EnvGetterFn>& envGetters) {
     auto& logLevelStr = AIKIDO_GLOBAL(log_level_str);
     auto& logLevel = AIKIDO_GLOBAL(log_level);
-    if (GetEnvBool("AIKIDO_DEBUG", false)) {
+    if (GetEnvBool(envGetters, "AIKIDO_DEBUG", false)) {
         logLevelStr = "DEBUG";
         logLevel = AIKIDO_LOG_LEVEL_DEBUG;
     } else {
-        logLevelStr = GetEnvString("AIKIDO_LOG_LEVEL", "WARN");
+        logLevelStr = GetEnvString(envGetters, "AIKIDO_LOG_LEVEL", "WARN");
         logLevel = Log::ToLevel(logLevelStr);
     }
 
-    AIKIDO_GLOBAL(blocking) = GetEnvBool("AIKIDO_BLOCK", false) || GetEnvBool("AIKIDO_BLOCKING", false);;
-    AIKIDO_GLOBAL(disable) = GetEnvBool("AIKIDO_DISABLE", false);
-    AIKIDO_GLOBAL(collect_api_schema) = GetEnvBool("AIKIDO_FEATURE_COLLECT_API_SCHEMA", true);
-    AIKIDO_GLOBAL(localhost_allowed_by_default) = GetEnvBool("AIKIDO_LOCALHOST_ALLOWED_BY_DEFAULT", true);
-    AIKIDO_GLOBAL(trust_proxy) = GetEnvBool("AIKIDO_TRUST_PROXY", true);
-    AIKIDO_GLOBAL(disk_logs) = GetEnvBool("AIKIDO_DISK_LOGS", false);
+    AIKIDO_GLOBAL(blocking) = GetEnvBool(envGetters, "AIKIDO_BLOCK", false) || GetEnvBool(envGetters, "AIKIDO_BLOCKING", false);
+    AIKIDO_GLOBAL(disable) = GetEnvBool(envGetters, "AIKIDO_DISABLE", false);
+    AIKIDO_GLOBAL(collect_api_schema) = GetEnvBool(envGetters,"AIKIDO_FEATURE_COLLECT_API_SCHEMA", true);
+    AIKIDO_GLOBAL(localhost_allowed_by_default) = GetEnvBool(envGetters, "AIKIDO_LOCALHOST_ALLOWED_BY_DEFAULT", true);
+    AIKIDO_GLOBAL(trust_proxy) = GetEnvBool(envGetters, "AIKIDO_TRUST_PROXY", true);
+    AIKIDO_GLOBAL(disk_logs) = GetEnvBool(envGetters, "AIKIDO_DISK_LOGS", false);
     AIKIDO_GLOBAL(sapi_name) = sapi_module.name;
-    AIKIDO_GLOBAL(token) = GetEnvString("AIKIDO_TOKEN", "");
-    AIKIDO_GLOBAL(endpoint) = GetEnvString("AIKIDO_ENDPOINT", "https://guard.aikido.dev/");
-    AIKIDO_GLOBAL(config_endpoint) = GetEnvString("AIKIDO_REALTIME_ENDPOINT", "https://runtime.aikido.dev/");
-    AIKIDO_GLOBAL(report_stats_interval_to_agent) = GetEnvNumber("AIKIDO_REPORT_STATS_INTERVAL", 100);
-}
+    AIKIDO_GLOBAL(token) = GetEnvString(envGetters, "AIKIDO_TOKEN", "");
+    AIKIDO_GLOBAL(endpoint) = GetEnvString(envGetters, "AIKIDO_ENDPOINT", "https://guard.aikido.dev/");
+    AIKIDO_GLOBAL(config_endpoint) = GetEnvString(envGetters, "AIKIDO_REALTIME_ENDPOINT", "https://runtime.aikido.dev/");
+    AIKIDO_GLOBAL(report_stats_interval_to_agent) = GetEnvNumber(envGetters, "AIKIDO_REPORT_STATS_INTERVAL", 100);
+}
+
+void LoadEnvironment() {
+    LoadEnvironmentFromGetters(completeEnvGetters);
+}
+
+void LoadSystemEnvironment() {
+    LoadEnvironmentFromGetters(systemEnvGetters);
+}

lib/php-extension/HandleFileCompilation.cpp

@@ -1,6 +1,10 @@
 #include "Includes.h"
 
 zend_op_array* handle_file_compilation(zend_file_handle* file_handle, int type) {
+    if(AIKIDO_GLOBAL(disable) == true) {
+        return original_file_compilation_handler(file_handle, type);
+    }
+
     auto& eventCacheStack = AIKIDO_GLOBAL(eventCacheStack);
 
     // Create a new event context for file compilation

lib/php-extension/HookAst.cpp

@@ -114,9 +114,17 @@ void insert_call_to_ast(zend_ast *ast) {
 }
 
 void aikido_ast_process(zend_ast *ast) {
+    auto& original_ast_process = AIKIDO_GLOBAL(originalAstProcess);
+
+    if(AIKIDO_GLOBAL(disable) == true) {
+        if(original_ast_process){
+            original_ast_process(ast);
+        }
+        return;
+    }
+
     insert_call_to_ast(ast);
 
-    auto& original_ast_process = AIKIDO_GLOBAL(originalAstProcess);
     if(original_ast_process){
         original_ast_process(ast);
     }

lib/php-extension/RequestProcessor.cpp

@@ -207,6 +207,14 @@ bool RequestProcessorInstance::ReportStats() {
 bool RequestProcessorInstance::RequestInit() {
     std::string sapiName = sapi_module.name;
 
+    if (sapiName == "frankenphp") {
+        if (GetEnvBoolWithAllGetters("FRANKENPHP_WORKER", false)) {
+            AIKIDO_GLOBAL(isWorkerMode) = true;
+            AIKIDO_LOG_INFO("FrankenPHP worker warm-up request detected, skipping RequestInit\n");
+            return true;
+        }
+    }
+
     if (sapiName == "apache2handler" || sapiName == "frankenphp") {
         // Apache-mod-php and FrankenPHP can serve multiple sites per process
         // We need to reload config each request to detect token changes
@@ -222,14 +230,6 @@ bool RequestProcessorInstance::RequestInit() {
           }
       }
 
-        if (sapiName == "frankenphp") {
-            if (GetEnvBool("FRANKENPHP_WORKER", false)) {
-                AIKIDO_GLOBAL(isWorkerMode) = true;
-                AIKIDO_LOG_INFO("FrankenPHP worker warm-up request detected, skipping RequestInit\n");
-                return true;
-            }
-        }
-
         // Initialize the request processor only once(lazy) during RINIT because php-fpm forks the main process 
         // for workers and we need to load the library after the worker process is forked because
         // the request processor is a go library that brings in the Go runtime, which (once initialized)