Merge pull request #97 from AikidoSec/support-laravel-env

Extensive Forge & Laravel support

README.md

@@ -35,12 +35,12 @@ Prerequisites:
 
 #### For Red Hat-based Systems (RHEL, CentOS, Fedora)
 
-`rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.0.98/aikido-php-firewall.x86_64.rpm`
+`rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.0.99/aikido-php-firewall.x86_64.rpm`
 
 #### For Debian-based Systems (Debian, Ubuntu)
 
 ```
-curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.0.98/aikido-php-firewall.x86_64.deb
+curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.0.99/aikido-php-firewall.x86_64.deb
 dpkg -i ./aikido-php-firewall.x86_64.deb
 ```
 
@@ -52,7 +52,7 @@ Create a new file in `.ebextensions/01_aikido_php_firewall.config` with the foll
 ```
 commands:
   aikido-php-firewall:
-    command: "rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.0.98/aikido-php-firewall.x86_64.rpm"
+    command: "rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.0.99/aikido-php-firewall.x86_64.rpm"
     ignoreErrors: true
 
 files: 

lib/agent/aikido_types/init_data.go

@@ -24,7 +24,7 @@ type AikidoConfigData struct {
 	LogLevel                  string `json:"log_level,omitempty"`                    // default: 'INFO'
 	Blocking                  bool   `json:"blocking,omitempty"`                     // default: false
 	LocalhostAllowedByDefault bool   `json:"localhost_allowed_by_default,omitempty"` // default: true
-	CollectApiSchema          bool   `json:"collect_api_schema,omitempty"`           // default: false
+	CollectApiSchema          bool   `json:"collect_api_schema,omitempty"`           // default: true
 }
 
 type RateLimiting struct {

lib/agent/globals/constants.go

@@ -1,7 +1,7 @@
 package globals
 
 const (
-	Version                            = "1.0.98"
+	Version                            = "1.0.99"
 	ConfigUpdatedAtMethod              = "GET"
 	ConfigUpdatedAtAPI                 = "/config"
 	ConfigAPIMethod                    = "GET"

lib/agent/go.mod

@@ -6,7 +6,7 @@ toolchain go1.23.3
 
 require (
 	github.com/stretchr/testify v1.9.0
-	google.golang.org/grpc v1.68.0
+	google.golang.org/grpc v1.68.1
 	google.golang.org/protobuf v1.34.2
 )
 

lib/agent/go.sum

@@ -26,6 +26,8 @@ google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E=
 google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA=
 google.golang.org/grpc v1.68.0 h1:aHQeeJbo8zAkAa3pRzrVjZlbz6uSfeOXlJNQM0RAbz0=
 google.golang.org/grpc v1.68.0/go.mod h1:fmSPC5AsjSBCK54MyHRx48kpOti1/jRfOlwEWywNjWA=
+google.golang.org/grpc v1.68.1 h1:oI5oTa11+ng8r8XMMN7jAOmWfPZWbYpCFaMUTACxkM0=
+google.golang.org/grpc v1.68.1/go.mod h1:+q1XYFJjShcqn0QZHvCyeR4CXPA+llXIeUIfIe00waw=
 google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
 google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=

lib/agent/grpc/server.go

@@ -10,6 +10,7 @@ import (
 	"main/log"
 	"net"
 	"os"
+	"path/filepath"
 
 	"google.golang.org/grpc"
 	"google.golang.org/protobuf/types/known/emptypb"
@@ -80,18 +81,37 @@ func StartServer(lis net.Listener) {
 	lis.Close()
 }
 
+// Creates the /run/aikido-* folder if it does not exist, in order for the socket creation to succeed
+// For now, this folder has 777 permissions as we don't know under which user the php requests will run under (apache, nginx, www-data, forge, ...)
+func createRunDirFolderIfNotExists() {
+	runDirectory := filepath.Dir(globals.EnvironmentConfig.SocketPath)
+	if _, err := os.Stat(runDirectory); os.IsNotExist(err) {
+		err := os.MkdirAll(runDirectory, 0777)
+		if err != nil {
+			log.Errorf("Error in creating run directory: %v\n", err)
+		} else {
+			log.Infof("Run directory %s created successfully.\n", runDirectory)
+		}
+	} else {
+		log.Infof("Run directory %s already exists.\n", runDirectory)
+	}
+}
+
 func Init() bool {
 	// Remove the socket file if it already exists
 	if _, err := os.Stat(globals.EnvironmentConfig.SocketPath); err == nil {
 		os.RemoveAll(globals.EnvironmentConfig.SocketPath)
 	}
 
+	createRunDirFolderIfNotExists()
+
 	lis, err := net.Listen("unix", globals.EnvironmentConfig.SocketPath)
 	if err != nil {
 		panic(fmt.Sprintf("failed to listen: %v", err))
 	}
 
 	// Change the permissions of the socket to make it accessible by non-root users
+	// For now, this socket has 777 permissions as we don't know under which user the php requests will run under (apache, nginx, www-data, forge, ...)
 	if err := os.Chmod(globals.EnvironmentConfig.SocketPath, 0777); err != nil {
 		panic(fmt.Sprintf("failed to change permissions of Unix socket: %v", err))
 	}

lib/php-extension/Aikido.cpp

@@ -54,11 +54,6 @@ PHP_MSHUTDOWN_FUNCTION(aikido) {
 
 PHP_RINIT_FUNCTION(aikido) {
     AIKIDO_LOG_DEBUG("RINIT started!\n");
-
-    if (!AIKIDO_GLOBAL(environment_loaded)) {
-        LoadEnvironment();
-        AIKIDO_GLOBAL(environment_loaded) = true;
-    }
 
     if (AIKIDO_GLOBAL(disable) == true) {
         AIKIDO_LOG_INFO("RINIT finished earlier because AIKIDO_DISABLE is set to 1!\n");

lib/php-extension/Environment.cpp

@@ -1,22 +1,43 @@
 #include "Includes.h"
 
-std::string GetEnvVariable(const std::string& env_key) {
+std::string GetLaravelEnvVariable(const std::string& env_key) {
+    zval env_value;
+    if (!CallPhpFunctionWithOneParam("getenv", env_key, &env_value) || Z_TYPE(env_value) != IS_STRING) {
+        return "";
+    }
+
+    std::string env_value_str = Z_STRVAL_P(&env_value);
+    zval_ptr_dtor(&env_value);
+
+    AIKIDO_LOG_DEBUG("laravel_env[%s] = %s\n", env_key.c_str(), env_value_str.c_str());
+    return env_value_str;
+} 
+
+std::string GetSystemEnvVariable(const std::string& env_key) {
     const char* env_value = getenv(env_key.c_str());
     if (!env_value) return "";
     AIKIDO_LOG_DEBUG("env[%s] = %s\n", env_key.c_str(), env_value);
     return env_value;
 }
 
+std::string GetEnvVariable(const std::string& env_key) {
+    std::string env_value = GetSystemEnvVariable(env_key);
+    if (env_value.empty()) {
+        return GetLaravelEnvVariable(env_key);
+    }
+    return env_value;
+}
+
 std::string GetEnvString(const std::string& env_key, const std::string default_value) {
-    std::string env_value = GetEnvVariable(env_key.c_str());
+    std::string env_value = GetEnvVariable(env_key);
     if (!env_value.empty()) {
         return env_value;
     }
     return default_value;
 }
 
 bool GetEnvBool(const std::string& env_key, bool default_value) {
-    std::string env_value = GetEnvVariable(env_key.c_str());
+    std::string env_value = GetEnvVariable(env_key);
     if (!env_value.empty()) {
         return (env_value == "1" || env_value == "true");
     }

lib/php-extension/HandleShouldBlockRequest.cpp

@@ -23,6 +23,8 @@ ZEND_FUNCTION(should_block_request) {
         return;
     }
 
+    requestProcessor.LoadConfigOnce();
+
     if (!GetBlockingStatus()) {
         return;
     }

lib/php-extension/HandleUsers.cpp

@@ -23,6 +23,8 @@ ZEND_FUNCTION(set_user) {
         RETURN_BOOL(false);
     }
 
+    requestProcessor.LoadConfigOnce();
+
     char *id;
     size_t id_len;
     char *name;

lib/php-extension/PhpWrappers.cpp

@@ -7,6 +7,11 @@ bool CallPhpEcho(std::string message) {
 }
 
 bool CallPhpFunction(std::string function_name, unsigned int params_number, zval* params, zval* return_value, zval* object) {
+    if (!object && !zend_hash_str_exists(CG(function_table), function_name.c_str(), function_name.size())) {
+        AIKIDO_LOG_INFO("Function name '%s' does not exist!\n", function_name.c_str());
+        return false;
+    }
+
     zval _function_name;
     zend_string* _function_name_str = zend_string_init(function_name.c_str(), function_name.length(), 0);
     if (!_function_name_str) {

lib/php-extension/RequestProcessor.cpp

@@ -3,6 +3,8 @@
 RequestProcessor requestProcessor;
 
 std::string RequestProcessor::GetInitData() {
+    LoadEnvironment();
+
     json initData = {
         {"token", AIKIDO_GLOBAL(token)},
         {"log_level", AIKIDO_GLOBAL(log_level_str)},
@@ -96,11 +98,13 @@ bool RequestProcessor::Init() {
 
     RequestProcessorInitFn requestProcessorInitFn = (RequestProcessorInitFn)dlsym(libHandle, "RequestProcessorInit");
     this->requestProcessorContextInitFn = (RequestProcessorContextInitFn)dlsym(libHandle, "RequestProcessorContextInit");
+    this->requestProcessorConfigUpdateFn = (RequestProcessorConfigUpdateFn)dlsym(libHandle, "RequestProcessorConfigUpdate");
     this->requestProcessorOnEventFn = (RequestProcessorOnEventFn)dlsym(libHandle, "RequestProcessorOnEvent");
     this->requestProcessorGetBlockingModeFn = (RequestProcessorGetBlockingModeFn)dlsym(libHandle, "RequestProcessorGetBlockingMode");
     this->requestProcessorUninitFn = (RequestProcessorUninitFn)dlsym(libHandle, "RequestProcessorUninit");
     if (!requestProcessorInitFn ||
         !this->requestProcessorContextInitFn ||
+        !this->requestProcessorConfigUpdateFn ||
         !this->requestProcessorOnEventFn ||
         !this->requestProcessorGetBlockingModeFn ||
         !this->requestProcessorUninitFn) {
@@ -138,11 +142,24 @@ bool RequestProcessor::RequestInit() {
     return true;
 }
 
+void RequestProcessor::LoadConfigOnce() {
+    if (this->configReloaded) {
+        return;
+    }
+
+    AIKIDO_LOG_INFO("Reloading Aikido config...\n");
+    std::string initJson = this->GetInitData();
+    this->requestProcessorConfigUpdateFn(GoCreateString(initJson));
+    this->configReloaded = true;
+}
+
 void RequestProcessor::RequestShutdown() {
     if (!request.Init()) {
         AIKIDO_LOG_WARN("Failed to initialize the current request!\n");
         return;
     }
+
+    LoadConfigOnce();
     SendPostRequestEvent();
     requestInitialized = false;
 }

lib/php-extension/include/RequestProcessor.h

@@ -2,6 +2,7 @@
 
 typedef GoUint8 (*RequestProcessorInitFn)(GoString initJson);
 typedef GoUint8 (*RequestProcessorContextInitFn)(ContextCallback);
+typedef GoUint8 (*RequestProcessorConfigUpdateFn)(GoString initJson);
 typedef char* (*RequestProcessorOnEventFn)(GoInt eventId);
 typedef int (*RequestProcessorGetBlockingModeFn)();
 typedef void (*RequestProcessorUninitFn)();
@@ -10,8 +11,10 @@ class RequestProcessor {
    private:
     bool initFailed = false;
     bool requestInitialized = false;
+    bool configReloaded = false;
     void* libHandle = nullptr;
     RequestProcessorContextInitFn requestProcessorContextInitFn = nullptr;
+    RequestProcessorConfigUpdateFn requestProcessorConfigUpdateFn = nullptr;
     RequestProcessorOnEventFn requestProcessorOnEventFn = nullptr;
     RequestProcessorGetBlockingModeFn requestProcessorGetBlockingModeFn = nullptr;
     RequestProcessorUninitFn requestProcessorUninitFn = nullptr;
@@ -29,6 +32,7 @@ class RequestProcessor {
     bool RequestInit();
     bool SendEvent(EVENT_ID eventId, std::string& output);
     bool IsBlockingEnabled();
+    void LoadConfigOnce();
     void RequestShutdown();
     void Uninit();
 

lib/php-extension/include/php_aikido.h

@@ -3,7 +3,7 @@
 extern zend_module_entry aikido_module_entry;
 #define phpext_aikido_ptr &aikido_module_entry
 
-#define PHP_AIKIDO_VERSION "1.0.98"
+#define PHP_AIKIDO_VERSION "1.0.99"
 
 #if defined(ZTS) && defined(COMPILE_DL_AIKIDO)
 ZEND_TSRMLS_CACHE_EXTERN()

lib/request-processor/aikido_types/config.go

@@ -2,19 +2,19 @@ package aikido_types
 
 type EnvironmentConfigData struct {
 	SocketPath                string `json:"socket_path"`                  // '/run/aikido-{version}/aikido-{datetime}-{randint}.sock'
-	LogLevel                  string `json:"log_level"`                    // default: 'INFO'
 	SAPI                      string `json:"sapi"`                         // '{php-sapi}'
 	TrustProxy                bool   `json:"trust_proxy"`                  // default: true
 	LocalhostAllowedByDefault bool   `json:"localhost_allowed_by_default"` // default: true
-	CollectApiSchema          bool   `json:"collect_api_schema"`           // default: false
+	CollectApiSchema          bool   `json:"collect_api_schema"`           // default: true
 }
 
 type AikidoConfigData struct {
 	Token                     string `json:"token"`                        // default: ''
+	LogLevel                  string `json:"log_level"`                    // default: 'WARN'
 	Blocking                  bool   `json:"blocking"`                     // default: false
 	TrustProxy                bool   `json:"trust_proxy"`                  // default: true
 	LocalhostAllowedByDefault bool   `json:"localhost_allowed_by_default"` // default: true
-	CollectApiSchema          bool   `json:"collect_api_schema"`           // default: false
+	CollectApiSchema          bool   `json:"collect_api_schema"`           // default: true
 }
 
 type RateLimiting struct {

lib/request-processor/config/config.go

@@ -7,6 +7,17 @@ import (
 	"main/log"
 )
 
+func ReloadAikidoConfig(initJson string) {
+	err := json.Unmarshal([]byte(initJson), &globals.AikidoConfig)
+	if err != nil {
+		panic(fmt.Sprintf("Error parsing JSON to AikidoConfig: %s", err))
+	}
+
+	if err := log.SetLogLevel(globals.AikidoConfig.LogLevel); err != nil {
+		panic(fmt.Sprintf("Error setting log level: %s", err))
+	}
+}
+
 func Init(initJson string) {
 	globals.CloudConfig.Block = -1
 
@@ -15,15 +26,11 @@ func Init(initJson string) {
 		panic(fmt.Sprintf("Error parsing JSON to EnvironmentConfig: %s", err))
 	}
 
-	err = json.Unmarshal([]byte(initJson), &globals.AikidoConfig)
-	if err != nil {
-		panic(fmt.Sprintf("Error parsing JSON to AikidoConfig: %s", err))
-	}
-
 	if globals.EnvironmentConfig.SocketPath == "" {
 		panic("Socket path not set!")
 	}
 
+	ReloadAikidoConfig(initJson)
 	log.Init()
 }
 

lib/request-processor/globals/globals.go

@@ -13,5 +13,5 @@ var CloudConfig CloudConfigData
 var CloudConfigMutex sync.Mutex
 
 const (
-	Version = "1.0.98"
+	Version = "1.0.99"
 )

lib/request-processor/go.mod

@@ -6,7 +6,7 @@ toolchain go1.23.3
 
 require (
 	github.com/stretchr/testify v1.10.0
-	google.golang.org/grpc v1.68.0
+	google.golang.org/grpc v1.68.1
 	google.golang.org/protobuf v1.34.2
 )
 

lib/request-processor/go.sum

@@ -28,6 +28,8 @@ google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E=
 google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA=
 google.golang.org/grpc v1.68.0 h1:aHQeeJbo8zAkAa3pRzrVjZlbz6uSfeOXlJNQM0RAbz0=
 google.golang.org/grpc v1.68.0/go.mod h1:fmSPC5AsjSBCK54MyHRx48kpOti1/jRfOlwEWywNjWA=
+google.golang.org/grpc v1.68.1 h1:oI5oTa11+ng8r8XMMN7jAOmWfPZWbYpCFaMUTACxkM0=
+google.golang.org/grpc v1.68.1/go.mod h1:+q1XYFJjShcqn0QZHvCyeR4CXPA+llXIeUIfIe00waw=
 google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
 google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=

lib/request-processor/grpc/client.go

@@ -31,7 +31,7 @@ func Init() {
 
 	log.Debugf("Current connection state: %s\n", conn.GetState().String())
 
-	sendAikidoConfig()
+	SendAikidoConfig()
 	startCloudConfigRoutine()
 }
 
@@ -43,15 +43,15 @@ func Uninit() {
 }
 
 /* Send Aikido Config to Aikido Agent via gRPC */
-func sendAikidoConfig() {
+func SendAikidoConfig() {
 	if client == nil {
 		return
 	}
 
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
 	defer cancel()
 
-	_, err := client.OnConfig(ctx, &protos.Config{Token: globals.AikidoConfig.Token, LogLevel: globals.EnvironmentConfig.LogLevel,
+	_, err := client.OnConfig(ctx, &protos.Config{Token: globals.AikidoConfig.Token, LogLevel: globals.AikidoConfig.LogLevel,
 		Blocking: globals.AikidoConfig.Blocking, LocalhostAllowedByDefault: globals.AikidoConfig.LocalhostAllowedByDefault,
 		CollectApiSchema: globals.AikidoConfig.CollectApiSchema})
 	if err != nil {

lib/request-processor/log/log.go

@@ -116,10 +116,6 @@ func SetLogLevel(level string) error {
 }
 
 func Init() {
-	if err := SetLogLevel(globals.EnvironmentConfig.LogLevel); err != nil {
-		panic(fmt.Sprintf("Error setting log level: %s", err))
-	}
-
 	if globals.EnvironmentConfig.SAPI == "cli" {
 		cliLogging = true
 		return