Merge branch 'main' into version-119

Author: tudor-timcu

.github/workflows/build.yml

@@ -499,4 +499,4 @@ jobs:
           name: test-results-aikido-${{ env.AIKIDO_VERSION }}-${{ matrix.os }}-php-${{ matrix.php_version }}
           if-no-files-found: ignore
           path: |
-            ${{ github.workspace }}/tests/cli/**/*.diff
+            ${{ github.workspace }}/tests/cli/**/*.diff

.vscode/c_cpp_properties.json

@@ -0,0 +1,21 @@
+{
+    "configurations": [
+        {
+            "name": "Linux",
+            "includePath": [
+                "${workspaceFolder}/**",
+                "/usr/include/php",
+                "/usr/include/php/main",
+                "/usr/include/php/Zend",
+                "/usr/include/php/TSRM",
+                "/usr/include/php/ext"
+            ],
+            "defines": [],
+            "compilerPath": "/usr/bin/gcc",
+            "cStandard": "c11",
+            "cppStandard": "c++17",
+            "intelliSenseMode": "linux-gcc-x64"
+        }
+    ],
+    "version": 4
+} 

README.md

@@ -36,17 +36,30 @@ Prerequisites:
 
 #### For Red Hat-based Systems (RHEL, CentOS, Fedora)
 
+##### x86_64
 ```
 rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.0.119/aikido-php-firewall.x86_64.rpm
 ```
 
+##### arm64 / aarch64
+```
+rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.0.119/aikido-php-firewall.aarch64.rpm
+```
+
 #### For Debian-based Systems (Debian, Ubuntu)
 
+##### x86_64
 ```
 curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.0.119/aikido-php-firewall.x86_64.deb
 dpkg -i -E ./aikido-php-firewall.x86_64.deb
 ```
 
+##### arm64 / aarch64
+```
+curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.0.118/aikido-php-firewall.aarch64.deb
+dpkg -i -E ./aikido-php-firewall.aarch64.deb
+```
+
 We support Debian >= 11 and Ubuntu >= 20.04.
 You can run on Debian 10, by doing this setup before install: [Debian10 setup](./docs/debian10.md)
 

docs/should_block_request.md

@@ -55,12 +55,6 @@ class AikidoMiddleware implements MiddlewareInterface
             if ($decision->trigger == "user") {
                 $message = "Your user is blocked!";
             }
-            else if ($decision->trigger == "ip") {
-                $message = "Your IP ({$decision->ip}) is blocked due to: {$decision->description}!";
-            }
-            else if ($decision->trigger == "user-agent") {
-                $message = "Your user agent ({$decision->user_agent}) is blocked due to: {$decision->description}!";
-            }
 
             return new Response([
                 'message' => $message,
@@ -118,14 +112,14 @@ class ZenBlockDecision
             return $next($request);
         }
 
-	// Get the authenticated user's ID from Laravel's Auth system
-	$userId = Auth::id();
+        // Get the authenticated user's ID from Laravel's Auth system
+        $userId = Auth::id();
 
-	// If a user is authenticated, set the user in Aikido's firewall context
-	if ($userId) {
-	    // If username is available, you can set it as the second parameter in the \aikido\set_user function call
-	    \aikido\set_user($userId);
-	}
+        // If a user is authenticated, set the user in Aikido's firewall context
+        if ($userId) {
+            // If username is available, you can set it as the second parameter in the \aikido\set_user function call
+            \aikido\set_user($userId);
+        }
 
         // Check blocking decision from Aikido
         $decision = \aikido\should_block_request();
@@ -135,9 +129,6 @@ class ZenBlockDecision
                 if ($decision->trigger == "user") {
                     return response('Your user is blocked!', 403);
                 }
-                else if ($decision->trigger == "ip") {
-                    return response("Your IP ({$decision->ip}) is blocked due to: {$decision->description}!", 403);
-                }
             }
             else if ($decision->type == "ratelimited") {
                 if ($decision->trigger == "user") {

lib/API.h

@@ -6,6 +6,7 @@ enum EVENT_ID {
     EVENT_PRE_REQUEST,
     EVENT_POST_REQUEST,
     EVENT_SET_USER,
+    EVENT_GET_AUTO_BLOCKING_STATUS,
     EVENT_GET_BLOCKING_STATUS,
     EVENT_PRE_OUTGOING_REQUEST,
     EVENT_POST_OUTGOING_REQUEST,

lib/agent/aikido_types/events.go

@@ -52,17 +52,23 @@ type MonitoredSinkStats struct {
 	CompressedTimings     []CompressedTiming `json:"compressedTimings"`
 }
 
+type MonitoredListsBreakdown struct {
+	Breakdown map[string]int `json:"breakdown"`
+}
+
 type Requests struct {
 	Total           int             `json:"total"`
 	Aborted         int             `json:"aborted"`
 	AttacksDetected AttacksDetected `json:"attacksDetected"`
 }
 
 type Stats struct {
-	Sinks     map[string]MonitoredSinkStats `json:"sinks"`
-	StartedAt int64                         `json:"startedAt"`
-	EndedAt   int64                         `json:"endedAt"`
-	Requests  Requests                      `json:"requests"`
+	Sinks       map[string]MonitoredSinkStats `json:"sinks"`
+	StartedAt   int64                         `json:"startedAt"`
+	EndedAt     int64                         `json:"endedAt"`
+	Requests    Requests                      `json:"requests"`
+	UserAgents  MonitoredListsBreakdown       `json:"userAgents"`
+	IpAddresses MonitoredListsBreakdown       `json:"ipAddresses"`
 }
 
 type AgentInfo struct {

lib/agent/aikido_types/init_data.go

@@ -60,6 +60,9 @@ type CloudConfigData struct {
 	Block                 *bool      `json:"block,omitempty"`
 	BlockedIpsList        map[string]IpBlocklist
 	BlockedUserAgents     string
+	MonitoredIpsList      map[string]IpBlocklist
+	MonitoredUserAgents   string
+	UserAgentDetails      map[string]string
 }
 
 type BlockedIpsData struct {
@@ -68,11 +71,19 @@ type BlockedIpsData struct {
 	Ips         []string `json:"ips"`
 }
 
+type UserAgentDetails struct {
+	Key     string `json:"key"`
+	Pattern string `json:"pattern"`
+}
+
 type ListsConfigData struct {
-	Success            bool             `json:"success"`
-	ServiceId          int              `json:"serviceId"`
-	BlockedIpAddresses []BlockedIpsData `json:"blockedIPAddresses"`
-	BlockedUserAgents  string           `json:"blockedUserAgents"`
+	Success              bool               `json:"success"`
+	ServiceId            int                `json:"serviceId"`
+	BlockedIpAddresses   []BlockedIpsData   `json:"blockedIPAddresses"`
+	BlockedUserAgents    string             `json:"blockedUserAgents"`
+	MonitoredIpAddresses []BlockedIpsData   `json:"monitoredIpAddresses"`
+	MonitoredUserAgents  string             `json:"monitoredUserAgents"`
+	UserAgentDetails     []UserAgentDetails `json:"userAgentDetails"`
 }
 
 type CloudConfigUpdatedAt struct {

lib/agent/aikido_types/queue.go

@@ -1,33 +1,46 @@
 package aikido_types
 
-type Queue struct {
-	items []int
+type Queue[T any] struct {
+	items   []T
+	maxSize int
 }
 
-func (q *Queue) Push(item int) {
+func NewQueue[T any](maxSize int) Queue[T] {
+	// Passing 0 as maxSize means no limit on the queue size.
+	return Queue[T]{
+		items:   []T{},
+		maxSize: maxSize,
+	}
+}
+
+func (q *Queue[T]) Clear() {
+	q.items = []T{}
+}
+
+func (q *Queue[T]) PushAndGetRemovedItemIfMaxExceeded(item T) *T {
+	var oldest *T
+	if q.maxSize > 0 && q.Length() >= q.maxSize {
+		temp := q.Pop()
+		oldest = &temp
+	}
 	q.items = append(q.items, item)
+	return oldest
 }
 
-func (q *Queue) Pop() int {
+func (q *Queue[T]) Pop() T {
+	var zero T
 	if len(q.items) == 0 {
-		return -1
+		return zero
 	}
 	item := q.items[0]
 	q.items = q.items[1:]
 	return item
 }
 
-func (q *Queue) IsEmpty() bool {
+func (q *Queue[T]) IsEmpty() bool {
 	return q.Length() == 0
 }
 
-func (q *Queue) IncrementLast() {
-	if q.IsEmpty() {
-		return
-	}
-	q.items[q.Length()-1] += 1
-}
-
-func (q *Queue) Length() int {
+func (q *Queue[T]) Length() int {
 	return len(q.items)
 }

lib/agent/aikido_types/queue_test.go

@@ -0,0 +1,29 @@
+package aikido_types
+
+import (
+	"testing"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestNewQueue(t *testing.T) {
+	t.Run("it works", func(t *testing.T) {
+		maxSize := 2
+		q := NewQueue[string](maxSize)
+		assert.Nil(t, q.PushAndGetRemovedItemIfMaxExceeded("a"))
+		assert.Nil(t, q.PushAndGetRemovedItemIfMaxExceeded("b"))
+		expected := "a"
+		removedItem := q.PushAndGetRemovedItemIfMaxExceeded("c")
+		assert.NotNil(t, removedItem)
+		assert.Equal(t, expected, *removedItem)
+		assert.Equal(t, maxSize, q.Length())
+		assert.False(t, q.IsEmpty())
+	})
+
+	t.Run("it can clear the queue", func(t *testing.T) {
+		q := NewQueue[string](2)
+		q.PushAndGetRemovedItemIfMaxExceeded("a")
+		q.Clear()
+		assert.Equal(t, 0, q.Length())
+		assert.True(t, q.IsEmpty())
+	})
+}

lib/agent/aikido_types/rate_limiting_queue.go

@@ -0,0 +1,33 @@
+package aikido_types
+
+type RateLimitingQueue struct {
+	items []int
+}
+
+func (q *RateLimitingQueue) Push(item int) {
+	q.items = append(q.items, item)
+}
+
+func (q *RateLimitingQueue) Pop() int {
+	if len(q.items) == 0 {
+		return -1
+	}
+	item := q.items[0]
+	q.items = q.items[1:]
+	return item
+}
+
+func (q *RateLimitingQueue) IsEmpty() bool {
+	return q.Length() == 0
+}
+
+func (q *RateLimitingQueue) IncrementLast() {
+	if q.IsEmpty() {
+		return
+	}
+	q.items[q.Length()-1]++
+}
+
+func (q *RateLimitingQueue) Length() int {
+	return len(q.items)
+}