Set rate limiting group (#250)

Author: tudor-timcu

README.md

@@ -38,25 +38,25 @@ Prerequisites:
 
 ##### x86_64
 ```
-rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.2.0/aikido-php-firewall.x86_64.rpm
+rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.3.0/aikido-php-firewall.x86_64.rpm
 ```
 
 ##### arm64 / aarch64
 ```
-rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.2.0/aikido-php-firewall.aarch64.rpm
+rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.3.0/aikido-php-firewall.aarch64.rpm
 ```
 
 #### For Debian-based Systems (Debian, Ubuntu)
 
 ##### x86_64
 ```
-curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.2.0/aikido-php-firewall.x86_64.deb
+curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.3.0/aikido-php-firewall.x86_64.deb
 dpkg -i -E ./aikido-php-firewall.x86_64.deb
 ```
 
 ##### arm64 / aarch64
 ```
-curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.2.0/aikido-php-firewall.aarch64.deb
+curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.3.0/aikido-php-firewall.aarch64.deb
 dpkg -i -E ./aikido-php-firewall.aarch64.deb
 ```
 

docs/aws-elastic-beanstalk.md

@@ -4,7 +4,7 @@
 ```
 commands:
   aikido-php-firewall:
-    command: "rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.2.0/aikido-php-firewall.x86_64.rpm"
+    command: "rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.3.0/aikido-php-firewall.x86_64.rpm"
     ignoreErrors: true
 
 files:

docs/fly-io.md

@@ -32,7 +32,7 @@ Create a script to install the Aikido PHP Firewall during deployment:
 #!/usr/bin/env bash
 cd /tmp
 
-curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.2.0/aikido-php-firewall.x86_64.deb
+curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.3.0/aikido-php-firewall.x86_64.deb
 dpkg -i -E ./aikido-php-firewall.x86_64.deb
 ```
 

docs/laravel-forge.md

@@ -21,7 +21,7 @@ cd /tmp
 
 # Install commands from the "Manual install" section below, based on your OS
 
-curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.2.0/aikido-php-firewall.x86_64.deb
+curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.3.0/aikido-php-firewall.x86_64.deb
 dpkg -i -E ./aikido-php-firewall.x86_64.deb
 
 # Restarting the php services in order to load the Aikido PHP Firewall

docs/should_block_request.md

@@ -72,6 +72,9 @@ class AikidoMiddleware implements MiddlewareInterface
             else if ($decision->trigger == "ip") {
                 $message = "Your IP ({$decision->ip}) exceeded the rate limit for this endpoint!";
             }
+            else if ($decision->trigger == "group") {
+                $message = "Your group exceeded the rate limit for this endpoint!";
+            }
             return new Response([
                 'message' => $message,
             ], 429);
@@ -147,6 +150,9 @@ class AikidoMiddleware
                 else if ($decision->trigger == "ip") {
                     return response("Your IP ({$decision->ip}) exceeded the rate limit for this endpoint!", 429);
                 }
+                else if ($decision->trigger == "group") {
+                    return response("Your group exceeded the rate limit for this endpoint!", 429);
+                }
             }
         }
 

docs/user.md

@@ -17,3 +17,12 @@ Using `\aikido\set_user` has the following benefits:
 - Whenever attacks are detected, the user will be included in the report to Aikido.
 - The dashboard will show all your users, where you can also block them.
 - Passing the user's name is optional, but it can help you identify the user in the dashboard. You will be required to list Aikido Security as a subprocessor if you choose to share personal identifiable information (PII).
+
+# Rate limiting groups
+
+To limit the number of requests for a group of users, you can use the `set_rate_limit_group` function. For example, this is useful if you want to limit the number of requests per team or company.
+Please note that if a rate limit group is set, the configured rate limits are only applied to the group and not to individual users or IP addresses.
+
+```php
+\aikido\set_rate_limit_group("123");
+```

lib/API.h

@@ -6,6 +6,7 @@ enum EVENT_ID {
     EVENT_PRE_REQUEST,
     EVENT_POST_REQUEST,
     EVENT_SET_USER,
+    EVENT_SET_RATE_LIMIT_GROUP,
     EVENT_GET_AUTO_BLOCKING_STATUS,
     EVENT_GET_BLOCKING_STATUS,
     EVENT_PRE_OUTGOING_REQUEST,
@@ -35,6 +36,8 @@ enum CALLBACK_ID {
 
     CONTEXT_USER_ID,
     CONTEXT_USER_NAME,
+    
+    CONTEXT_RATE_LIMIT_GROUP,
 
     FUNCTION_NAME,
 

lib/agent/aikido_types/stats.go

@@ -47,11 +47,12 @@ type RateLimitingKey struct {
 }
 
 type RateLimitingValue struct {
-	Method     string
-	Route      string
-	Config     RateLimitingConfig
-	UserCounts map[string]*RateLimitingCounts
-	IpCounts   map[string]*RateLimitingCounts
+	Method               string
+	Route                string
+	Config               RateLimitingConfig
+	UserCounts           map[string]*RateLimitingCounts
+	IpCounts             map[string]*RateLimitingCounts
+	RateLimitGroupCounts map[string]*RateLimitingCounts
 }
 
 type RateLimitingWildcardValue struct {

lib/agent/cloud/common.go

@@ -91,8 +91,9 @@ func UpdateRateLimitingConfig() {
 			Config: RateLimitingConfig{
 				MaxRequests:         newEndpointConfig.RateLimiting.MaxRequests,
 				WindowSizeInMinutes: newEndpointConfig.RateLimiting.WindowSizeInMS / MinRateLimitingIntervalInMs},
-			UserCounts: make(map[string]*RateLimitingCounts),
-			IpCounts:   make(map[string]*RateLimitingCounts),
+			UserCounts:           make(map[string]*RateLimitingCounts),
+			IpCounts:             make(map[string]*RateLimitingCounts),
+			RateLimitGroupCounts: make(map[string]*RateLimitingCounts),
 		}
 
 		if isWildcardEndpoint(k.Route) {

lib/agent/globals/constants.go

@@ -1,7 +1,7 @@
 package globals
 
 const (
-	Version                             = "1.2.0"
+	Version                             = "1.3.0"
 	ConfigUpdatedAtMethod               = "GET"
 	ConfigUpdatedAtAPI                  = "/config"
 	ConfigAPIMethod                     = "GET"