Agent with full support for Apache (mod-php) multi-site configurations (#312)

Author: tudor-timcu

.github/workflows/build.yml

@@ -11,12 +11,13 @@ on:
 
 jobs:
   build_libs:
-    runs-on: ${{ matrix.os }}
+    name: Build Go libs${{ matrix.arch }}
+    runs-on: ubuntu-24.04${{ matrix.arch }}
     container:
       image: ghcr.io/aikidosec/firewall-php-build-libs:v1
     strategy:
       matrix:
-        os: [ ubuntu-24.04, ubuntu-24.04-arm ]
+        arch: [ '', '-arm' ]
       fail-fast: false
 
     steps:
@@ -78,12 +79,13 @@ jobs:
           ${{ github.workspace }}/build/aikido-request-processor.so
 
   build_php_extension:
-    runs-on: ${{ matrix.os }}
+    name: Build php${{ matrix.php_version }} extension${{ matrix.arch }}
+    runs-on: ubuntu-24.04${{ matrix.arch }}
     container: ghcr.io/aikidosec/firewall-php-build-extension:${{ matrix.php_version }}-v1
     strategy:
       matrix:
         php_version: ['7.2', '7.3', '7.4', '8.0', '8.1', '8.2', '8.3', '8.4']
-        os: [ ubuntu-24.04, ubuntu-24.04-arm ]
+        arch: [ '', '-arm' ]
       fail-fast: false
 
     steps:
@@ -133,12 +135,13 @@ jobs:
           ${{ github.workspace }}/tests/*.diff
 
   build_rpm:
-    runs-on: ${{ matrix.os }}
+    name: Build rpm${{ matrix.arch }}
+    runs-on: ubuntu-24.04${{ matrix.arch }}
     container:
       image: quay.io/centos/centos:stream9
     strategy:
       matrix:
-        os: ['ubuntu-24.04', 'ubuntu-24.04-arm']
+        arch: ['', '-arm']
       fail-fast: false
     needs: [ build_libs, build_php_extension ]
     steps:
@@ -227,12 +230,13 @@ jobs:
             ~/rpmbuild/RPMS/${{ env.ARCH }}/${{ env.AIKIDO_ARTIFACT_RELEASE }}
 
   build_deb:
-    runs-on: ${{ matrix.os }}
+    name: Build deb${{ matrix.arch }}
+    runs-on: ubuntu-24.04${{ matrix.arch }}
     container:
       image: ubuntu:22.04
     strategy:
       matrix:
-        os: [ ubuntu-24.04, ubuntu-24.04-arm ]
+        arch: [ '', '-arm' ]
       fail-fast: false
     needs: [ build_rpm ]
     steps:
@@ -295,7 +299,8 @@ jobs:
             ${{ env.AIKIDO_ARTIFACT }}
 
   test_php_centos:
-    runs-on: ${{ matrix.os }}
+    name: CentOS php-${{ matrix.php_version }} ${{ matrix.server }}${{ matrix.arch }}
+    runs-on: ubuntu-24.04${{ matrix.arch }}
     container:
       image: ghcr.io/aikidosec/firewall-php-test-centos:${{ matrix.php_version }}-v1
       options: --privileged
@@ -304,7 +309,7 @@ jobs:
       matrix:
         php_version: ['7.4', '8.0', '8.1', '8.2', '8.3', '8.4']
         server: ['nginx-php-fpm', 'apache-mod-php', 'php-built-in']
-        os: ['ubuntu-24.04', 'ubuntu-24.04-arm']
+        arch: ['', '-arm']
       fail-fast: false
 
     steps:
@@ -377,17 +382,18 @@ jobs:
       - name: Run ${{ matrix.server }} server tests
         run: |
           cd tools
-          python3 run_server_tests.py ../tests/server ../tests/testlib --server=${{ matrix.server }}
+          python3 run_server_tests.py ../tests/server ../tests/testlib --server=${{ matrix.server }} --max-runs=3
 
   test_php_ubuntu:
-    runs-on: ${{ matrix.os }}
+    name: Ubuntu php-${{ matrix.php_version }} ${{ matrix.server }}${{ matrix.arch }}
+    runs-on: ubuntu-24.04${{ matrix.arch }}
     container:
       image: ghcr.io/aikidosec/firewall-php-test-ubuntu:${{ matrix.php_version }}-v1
       options: --privileged
     needs: [ build_deb ]
     strategy:
       matrix:
-        os: ['ubuntu-24.04', 'ubuntu-24.04-arm']
+        arch: ['', '-arm']
         php_version: ['7.2', '7.3', '7.4', '8.0', '8.1', '8.2', '8.3', '8.4']
         server: ['nginx-php-fpm', 'apache-mod-php', 'php-built-in']
       fail-fast: false
@@ -434,26 +440,17 @@ jobs:
           dpkg -i -E ${{ env.AIKIDO_DEB }}/${{ env.AIKIDO_DEB }}
 
       - name: Run CLI tests
-        if: matrix.os == 'ubuntu-24.04' || matrix.os == 'ubuntu-24.04-arm'
         run: |
           php lib/php-extension/run-tests.php ./tests/cli
 
       - name: Run ${{ matrix.server }} server tests
         run: |
+          . /etc/apache2/envvars
           cd tools
-          python3 run_server_tests.py ../tests/server ../tests/testlib --server=${{ matrix.server }}
-
-      - name: Archive test artifacts
-        uses: actions/upload-artifact@v4
-        if: always()
-        with:
-          name: test-results-aikido-${{ env.AIKIDO_VERSION }}-${{ matrix.os }}-php-${{ matrix.php_version }}
-          if-no-files-found: ignore
-          path: |
-            ${{ github.workspace }}/tests/cli/**/*.diff
+          python3 run_server_tests.py ../tests/server ../tests/testlib --server=${{ matrix.server }} --max-runs=3
 
   test_php_qa_action_controlling_tests_apache_mod_php:
-    name: Tests (apache2 - mod_php)
+    name: QA apache-mod-php
     runs-on: ubuntu-latest
     needs: [ build_deb ]
     steps:
@@ -480,7 +477,7 @@ jobs:
           echo "#!/usr/bin/env bash" > ./zen-demo-php/.fly/scripts/aikido.sh
           echo "dpkg -i -E \"/var/www/html/aikido-php-firewall.\$(uname -i).deb\"" >> ./zen-demo-php/.fly/scripts/aikido.sh
       - name: Run Firewall QA Tests
-        uses: AikidoSec/firewall-tester-action@add-control-server-tests
+        uses: AikidoSec/firewall-tester-action@releases/v1
         with:
           dockerfile_path: ./zen-demo-php/Dockerfile
           extra_args: '--env-file=./zen-demo-php/.env.example -e APP_KEY=base64:W2v6u6VR4lURkxuMT9xZ6pdhXSt5rxsmWTbd1HGqlIM='
@@ -489,7 +486,7 @@ jobs:
           test_type: control
 
   test_php_qa_action_controlling_tests_apache_php_fpm:
-    name: Tests (apache2 - php-fpm)
+    name: QA apache-php-fpm
     runs-on: ubuntu-latest
     needs: [ build_deb ]
     steps:
@@ -516,7 +513,7 @@ jobs:
           echo "#!/usr/bin/env bash" > ./zen-demo-php/.fly/scripts/aikido.sh
           echo "dpkg -i -E \"/var/www/html/aikido-php-firewall.\$(uname -i).deb\"" >> ./zen-demo-php/.fly/scripts/aikido.sh
       - name: Run Firewall QA Tests
-        uses: AikidoSec/firewall-tester-action@add-control-server-tests
+        uses: AikidoSec/firewall-tester-action@releases/v1
         with:
           dockerfile_path: ./zen-demo-php/Dockerfile
           extra_args: '--env-file=./zen-demo-php/.env.example -e APP_KEY=base64:W2v6u6VR4lURkxuMT9xZ6pdhXSt5rxsmWTbd1HGqlIM='
@@ -525,7 +522,7 @@ jobs:
           test_type: control
 
   test_php_qa_action_controlling_tests_nginx_php_fpm:
-    name: Tests (nginx - php-fpm)
+    name: QA nginx-php-fpm
     runs-on: ubuntu-latest
     needs: [ build_deb ]
     steps:
@@ -552,7 +549,7 @@ jobs:
           echo "#!/usr/bin/env bash" > ./zen-demo-php/.fly/scripts/aikido.sh
           echo "dpkg -i -E \"/var/www/html/aikido-php-firewall.\$(uname -i).deb\"" >> ./zen-demo-php/.fly/scripts/aikido.sh
       - name: Run Firewall QA Tests
-        uses: AikidoSec/firewall-tester-action@add-control-server-tests
+        uses: AikidoSec/firewall-tester-action@releases/v1
         with:
           dockerfile_path: ./zen-demo-php/Dockerfile
           extra_args: '--env-file=./zen-demo-php/.env.example -e APP_KEY=base64:W2v6u6VR4lURkxuMT9xZ6pdhXSt5rxsmWTbd1HGqlIM='

README.md

@@ -39,25 +39,25 @@ Prerequisites:
 
 ##### x86_64
 ```
-rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.4.5/aikido-php-firewall.x86_64.rpm
+rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.4.6/aikido-php-firewall.x86_64.rpm
 ```
 
 ##### arm64 / aarch64
 ```
-rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.4.5/aikido-php-firewall.aarch64.rpm
+rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.4.6/aikido-php-firewall.aarch64.rpm
 ```
 
 #### For Debian-based Systems (Debian, Ubuntu)
 
 ##### x86_64
 ```
-curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.4.5/aikido-php-firewall.x86_64.deb
+curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.4.6/aikido-php-firewall.x86_64.deb
 dpkg -i -E ./aikido-php-firewall.x86_64.deb
 ```
 
 ##### arm64 / aarch64
 ```
-curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.4.5/aikido-php-firewall.aarch64.deb
+curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.4.6/aikido-php-firewall.aarch64.deb
 dpkg -i -E ./aikido-php-firewall.aarch64.deb
 ```
 

docs/aws-elastic-beanstalk.md

@@ -4,7 +4,7 @@
 ```
 commands:
   aikido-php-firewall:
-    command: "rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.4.5/aikido-php-firewall.x86_64.rpm"
+    command: "rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.4.6/aikido-php-firewall.x86_64.rpm"
     ignoreErrors: true
 
 files:

docs/fly-io.md

@@ -32,7 +32,7 @@ Create a script to install the Aikido PHP Firewall during deployment:
 #!/usr/bin/env bash
 cd /tmp
 
-curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.4.5/aikido-php-firewall.x86_64.deb
+curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.4.6/aikido-php-firewall.x86_64.deb
 dpkg -i -E ./aikido-php-firewall.x86_64.deb
 ```
 

docs/laravel-forge.md

@@ -21,7 +21,7 @@ cd /tmp
 
 # Install commands from the "Manual install" section below, based on your OS
 
-curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.4.5/aikido-php-firewall.x86_64.deb
+curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.4.6/aikido-php-firewall.x86_64.deb
 dpkg -i -E ./aikido-php-firewall.x86_64.deb
 
 # Restarting the php services in order to load the Aikido PHP Firewall

lib/agent/aikido_types/init_data.go

@@ -129,6 +129,11 @@ func NewServerDataPolling() *ServerDataPolling {
 	}
 }
 
+type ServerKey struct {
+	ServerPID int32
+	Token     string
+}
+
 type ServerData struct {
 	// Logger for the server
 	Logger *log.AikidoLogger

lib/agent/cloud/cloud.go

@@ -8,7 +8,8 @@ import (
 func Init(server *ServerData) {
 	server.StatsData.StartedAt = utils.GetTime()
 	server.StatsData.MonitoredSinkTimings = make(map[string]MonitoredSinkTimings)
-	SendStartEvent(server)
+
+	CheckConfigUpdatedAt(server)
 
 	utils.StartPollingRoutine(server.PollingData.HeartbeatRoutineChannel, server.PollingData.HeartbeatTicker, SendHeartbeatEvent, server)
 	utils.StartPollingRoutine(server.PollingData.ConfigPollingRoutineChannel, server.PollingData.ConfigPollingTicker, CheckConfigUpdatedAt, server)

lib/agent/cloud/event.go

@@ -9,6 +9,7 @@ import (
 	. "main/aikido_types"
 	"main/config"
 	"main/log"
+	"main/utils"
 	"net/http"
 	"net/url"
 )
@@ -32,11 +33,11 @@ func SendCloudRequest(server *ServerData, endpoint string, route string, method
 			return nil, fmt.Errorf("failed to marshal payload: %v", err)
 		}
 
-		log.Infof(server.Logger, "Sending %s request to %s with size %d and content: %s", method, apiEndpoint, len(jsonData), jsonData)
+		log.Infof(server.Logger, "[%s] Sending %s request to %s with size %d and content: %s", utils.AnonymizeToken(token), method, apiEndpoint, len(jsonData), jsonData)
 
 		req, err = http.NewRequest(method, apiEndpoint, bytes.NewBuffer(jsonData))
 	} else {
-		log.Infof(server.Logger, "Sending %s request to %s", method, apiEndpoint)
+		log.Infof(server.Logger, "[%s] Sending %s request to %s", utils.AnonymizeToken(token), method, apiEndpoint)
 		req, err = http.NewRequest(method, apiEndpoint, nil)
 	}
 

lib/agent/constants/constants.go

@@ -1,7 +1,7 @@
 package constants
 
 const (
-	Version                             = "1.4.5"
+	Version                             = "1.4.6"
 	SocketPath                          = "/run/aikido-" + Version + "/aikido-agent.sock"
 	PidPath                             = "/run/aikido-" + Version + "/aikido-agent.pid"
 	ConfigUpdatedAtMethod               = "GET"

lib/agent/globals/globals.go

@@ -7,14 +7,15 @@ import (
 
 var Machine MachineData
 
-var Servers = make(map[string]*ServerData)
+var Servers = make(map[ServerKey]*ServerData)
+var PastDeletedServers = make(map[ServerKey]bool)
 var ServersMutex sync.RWMutex
 
-func GetServer(token string) *ServerData {
+func GetServer(serverKey ServerKey) *ServerData {
 	ServersMutex.RLock()
 	defer ServersMutex.RUnlock()
 
-	server, exists := Servers[token]
+	server, exists := Servers[serverKey]
 	if !exists {
 		return nil
 	}
@@ -32,26 +33,34 @@ func GetServers() []*ServerData {
 	return servers
 }
 
-func GetServersTokens() []string {
+func GetServersKeys() []ServerKey {
 	ServersMutex.RLock()
 	defer ServersMutex.RUnlock()
 
-	tokens := []string{}
-	for token := range Servers {
-		tokens = append(tokens, token)
+	serverKeys := []ServerKey{}
+	for serverKey := range Servers {
+		serverKeys = append(serverKeys, serverKey)
 	}
-	return tokens
+	return serverKeys
 }
 
-func CreateServer(token string) *ServerData {
+func CreateServer(ServerKey ServerKey) *ServerData {
 	ServersMutex.Lock()
 	defer ServersMutex.Unlock()
-	Servers[token] = NewServerData()
-	return Servers[token]
+	Servers[ServerKey] = NewServerData()
+	return Servers[ServerKey]
 }
 
-func DeleteServer(token string) {
+func DeleteServer(ServerKey ServerKey) {
 	ServersMutex.Lock()
 	defer ServersMutex.Unlock()
-	delete(Servers, token)
+	delete(Servers, ServerKey)
+	PastDeletedServers[ServerKey] = true
+}
+
+func IsPastDeletedServer(ServerKey ServerKey) bool {
+	ServersMutex.RLock()
+	defer ServersMutex.RUnlock()
+	_, exists := PastDeletedServers[ServerKey]
+	return exists
 }