Application Layer

TrafficCoordinates


com.gremlin.TrafficCoordinates instances are used to control the blast radius of an ALFI experiment. The blast radius for ALFI could be all or a subset of HTTP verbs, all or a subset of your application’s HTTP request paths, or even a specific block of code within your application.

Outbound HTTP Traffic

The com.gremlin.TrafficCoordinates instance for Outbound HTTP Traffic will be automatically generated by the com.gremlin.http.client.GremlinApacheHttpRequestInterceptor which comes with the alfi-apache-http-client library. This interceptor will give you the ability to impact any HTTP verb or request route within your application. To take advantage of the com.gremlin.http.client.GremlinApacheHttpRequestInterceptor, you will need to add an instance of it to org.apache.http.impl.client.HttpClientBuilder when you create your org.apache.http.client.HttpClient client.

java
final GremlinApacheHttpRequestInterceptor gremlinInterceptor = new GremlinApacheHttpRequestInterceptor(gremlinService, "alfi-client-demo");
final HttpClientBuilder clientBuilder = HttpClientBuilder.create().addInterceptorFirst(gremlinInterceptor);

Inbound HTTP Traffic

com.gremlin.TrafficCoordinates instances are automatically created for you if alfi-http-servlet-filter is on the classpath.

Dynamo DB Traffic

The com.gremlin.TrafficCoordinates instance for Dynamo DB Traffic will be automatically generated by the com.gremlin.aws.GremlinDynamoRequestInterceptor which comes with the alfi-aws library. This interceptor will give you the ability to impact any DynamoDB operation (Get Item, Delete Item, etc…). To take advantage of the com.gremlin.aws.GremlinDynamoRequestInterceptor, you will need to add an instance of it to com.amazonaws.services.dynamodbv2.AmazonDynamoDBClientBuilder when you create your com.amazonaws.services.dynamodbv2.AmazonDynamoDB client.

java
final RequestHandler2 gremlinDynamoInterceptor = new GremlinDynamoRequestInterceptor(gremlinService(), CLIENT_EXECUTION_TIMEOUT, CLIENT_REQUEST_TIMEOUT);
final AmazonDynamoDB dbClient = AmazonDynamoDBClientBuilder
    .standard()
    .withRegion(region)
    .withClientConfiguration(new ClientConfiguration()
        .withClientExecutionTimeout(CLIENT_EXECUTION_TIMEOUT)
        .withConnectionTimeout(CLIENT_REQUEST_TIMEOUT)
        .withMaxErrorRetry(2)
    ).withRequestHandlers(gremlinDynamoInterceptor)
    .build();

Custom Traffic Type

java
final TrafficCoordinates trafficCoordinates = new TrafficCoordinates.Builder()
    .withType("PaymentController")
    .withField("method", "submitPayment")
    .build();

public HttpEntity<PaymentResponse> submitPayment(Payment paymentRequest) {
    this.gremlinService.applyImpact(trafficCoordinates); // Fault injected!
    return paymentService.makePayment(paymentRequest);
}

Extend TrafficCoordinates

Often, companies set up their infrastructure to maintain a per-request data structure and use this information to provide logging, monitoring, and observability data points. A common pattern is to set up a RequestContext and have authentication filters put information such as customerId or deviceId into the RequestContext object. The object can then be read from any later point in the request, so those attributes are easily available. These are often excellent locations on which to create attacks. If your system operates in this way, you can set up a mapping to populate these values on all TrafficCoordinates. This code lives in a concrete subclass of GremlinCoordinatesProvider, which you’ve already seen in: Initialize Application Coordinates.

java
import com.gremlin.GremlinCoordinatesProvider;
import com.gremlin.TrafficCoordinates;

public class MyCoordinatesProvider extends GremlinCoordinatesProvider {

    @Override
    public TrafficCoordinates extendEachTrafficCoordinates(TrafficCoordinates incomingCoordinates) {
        incomingCoordinates.putField("customerId", MyRequestContext.getCustomerId());
        incomingCoordinates.putField("deviceId", MyRequestContext.getDeviceId());
        incomingCoordinates.putField("country", MyRequestContext.getCountry());
        return incomingCoordinates;
    }
}

With this code wired into the construction of your GremlinService instance, all TrafficCoordinates will now get those 3 attributes, and they are eligible to be matched for any type of traffic you’d like to attack.
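
The per-request context that the provider above reads from can be sketched as follows. This is an added example, not code from the Gremlin documentation: the `MyRequestContext` implementation, the `runWith` helper and the sample values are assumptions, and it uses only the JDK. It shows the detail that matters for blast radius: the context is cleared after every request, so a pooled thread never carries one caller's customerId into the coordinates of the next request.

```java
import java.util.Map;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Hypothetical per-request context; stands in for the MyRequestContext used on this page.
public final class MyRequestContext {
    private static final ThreadLocal<Map<String, String>> ATTRS = new ThreadLocal<>();

    private MyRequestContext() {}

    private static String attr(String key) {
        Map<String, String> attrs = ATTRS.get();
        return attrs == null ? null : attrs.get(key);
    }

    public static String getCustomerId() { return attr("customerId"); }
    public static String getDeviceId()   { return attr("deviceId"); }
    public static String getCountry()    { return attr("country"); }

    // What an authentication filter would do around each request: bind the
    // authenticated attributes, run the handler, and always unbind afterwards.
    public static void runWith(Map<String, String> authenticated, Runnable handler) {
        ATTRS.set(Map.copyOf(authenticated));
        try {
            handler.run();
        } finally {
            // Without this, a pooled thread keeps the previous caller's identity and a
            // later request could match an experiment scoped to another customer.
            ATTRS.remove();
        }
    }

    public static void main(String[] args) throws Exception {
        // One worker thread, so both requests reuse the same thread.
        ExecutorService pool = Executors.newSingleThreadExecutor();
        // Constructed sample values.
        Map<String, String> caller =
                Map.of("customerId", "cust-123", "deviceId", "dev-9", "country", "US");

        pool.submit(() -> runWith(caller,
                () -> System.out.println("request 1 customerId=" + getCustomerId()))).get();
        // Unauthenticated request on the same thread: must not inherit cust-123.
        pool.submit(() -> System.out.println("request 2 customerId=" + getCustomerId())).get();
        pool.shutdown();
    }
}
```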