apigatewayv2_rack 0.1.3 → 0.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b9c5a5dcc23b7a6e524d7a8c847befb580b8771839ae013c977991e35db824ef
-  data.tar.gz: e33794f5ffae56ad06cb14f12fcac3b3a41ad5e33f6119a9c262756801d9f3b6
+  metadata.gz: dcad9826619202901586bc17c2dddd75779e75bbfdb194a461c853c49fc8798d
+  data.tar.gz: c06b602502a62c1e069d3d88c5180afa47660db4344618d73c311a3503a77f3e
 SHA512:
-  metadata.gz: 6a27469fcbc9c1bc754aca949ed94fce1ec83f4e1cd5909fa70bee771267dd480ef12f78d69508205913f88c23bc4082a149279975ec6e5ed8897c0d5e777fbd
-  data.tar.gz: 88ff099fa17b319cf2f1cedd08091eeeff14874a7c9fa9eac37430e4ed98b2e51b7e2f1b2bf6146cb215730c637cbc639016ecd1b64e6759e96c26892c541491
+  metadata.gz: 9d45ecda50b157c99dc848d12c79a8bd9e4dc6d9d5f649f8908facfb3e8854bd9974be14427ab51af5b309070b94030b316a600b669066888a955ee6f1cb9ed7
+  data.tar.gz: 2507eb06ba132526f2e405538f3fd07adedb03c53051798a3e3cccae35b87c9bbc3838c5876f4efb63975b1e9ef3e76e1842da2bf86492e84b224aba58de013b

data/CHANGELOG.md

@@ -1,5 +1,15 @@
 ## [Unreleased]
 
+## [0.2.1] - 2025-03-07
+
+- Address `Rack::VERSION` removal.
+
+## [0.2.0] - 2023-03-24
+
+- `Apigatewayv2Rack.handle_request` now takes a block and pass rack env and `Apigatewayv2Rack::Request` object to allow final modification before passing env to a Rack app.
+- `Apigatewayv2Rack.generate_handler` and `handler_from_rack_config_file` propagates given block to `handle_request` for the enhancement above.
+- Introduce `Apigatewayv2Rack::Middlewares::CloudfrontXff` and `Apigatewayv2Rack::Middlewares::CloudfrontVerify` as a helper middleware.
+
 ## [0.1.3] - 2023-03-22
 
 - Fixed Errno::EACCES from StringIO when a streaming body (body does not respond to `#each`) is returned

data/Gemfile.lock

@@ -1,28 +1,32 @@
 PATH
   remote: .
   specs:
-    apigatewayv2_rack (0.1.3)
+    apigatewayv2_rack (0.2.1)
+      base64
       rack
+      stringio
 
 GEM
   remote: https://rubygems.org/
   specs:
-    diff-lcs (1.5.0)
-    rack (3.0.7)
-    rake (13.0.6)
-    rspec (3.11.0)
-      rspec-core (~> 3.11.0)
-      rspec-expectations (~> 3.11.0)
-      rspec-mocks (~> 3.11.0)
-    rspec-core (3.11.0)
-      rspec-support (~> 3.11.0)
-    rspec-expectations (3.11.1)
+    base64 (0.2.0)
+    diff-lcs (1.6.0)
+    rack (3.1.11)
+    rake (13.2.1)
+    rspec (3.13.0)
+      rspec-core (~> 3.13.0)
+      rspec-expectations (~> 3.13.0)
+      rspec-mocks (~> 3.13.0)
+    rspec-core (3.13.3)
+      rspec-support (~> 3.13.0)
+    rspec-expectations (3.13.3)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.11.0)
-    rspec-mocks (3.11.1)
+      rspec-support (~> 3.13.0)
+    rspec-mocks (3.13.2)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.11.0)
-    rspec-support (3.11.1)
+      rspec-support (~> 3.13.0)
+    rspec-support (3.13.2)
+    stringio (3.1.5)
 
 PLATFORMS
   ruby
@@ -33,4 +37,4 @@ DEPENDENCIES
   rspec (~> 3.0)
 
 BUNDLED WITH
-   2.3.16
+   2.3.21

data/README.md

@@ -43,6 +43,13 @@ p resp.as_json
 
 See [./Dockerfile.integration](./Dockerfile.integration) and [./integration](./integration).
 
+### Middlewares
+
+This gem includes several utility middlewares:
+
+- [CloudfrontVerify](./lib/apigatewayv2_rack/middlewares/cloudfront_verify.rb): Verify `x-origin-verify` value to protect unwanted direct access.
+- [CloudfrontXff](./lib/apigatewayv2_rack/middlewares/cloudfront_xff.rb): Respect `cloudfront-viewer-address` as `x-forwarded-for` value.
+
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.

data/apigatewayv2_rack.gemspec

@@ -31,6 +31,8 @@ Gem::Specification.new do |spec|
   # Uncomment to register a new dependency of your gem
   # spec.add_dependency "example-gem", "~> 1.0"
   spec.add_dependency 'rack'
+  spec.add_dependency 'base64'
+  spec.add_dependency 'stringio'
 
   # For more information and examples about making a new gem, check out our
   # guide at: https://bundler.io/guides/creating_gem.html

data/lib/apigatewayv2_rack/middlewares/cloudfront_verify.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+require 'rack/utils'
+
+module Apigatewayv2Rack
+  module Middlewares
+    # Compare X-Origin-Verify header matches the expected value and otherwise returns 403.
+    # This is useful to use with CloudFront's origin custom request header to protect from direct access to function.
+    #
+    # See also: https://www.wellarchitectedlabs.com/security/300_labs/300_multilayered_api_security_with_cognito_and_waf/3_prevent_requests_from_accessing_api_directly/
+    class CloudfrontVerify
+      # +value+ is an expected string value of x-origin-verify.
+      def initialize(app, value)
+        @app = app
+        @value = value
+      end
+
+      def env_name
+        'HTTP_X_ORIGIN_VERIFY'
+      end
+
+      def call(env)
+        given = env[env_name]
+
+        unless given && Rack::Utils.secure_compare(given, @value)
+          env['rack.logger']&.warn("#{self.class.name} protected unwanted access from #{env['REMOTE_ADDR'].inspect}")
+          return [401, {'Content-Type' => 'text/plain'}, ['Unauthorized']]
+        end
+
+        @app.call(env)
+      end
+    end
+  end
+end

data/lib/apigatewayv2_rack/middlewares/cloudfront_xff.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module Apigatewayv2Rack
+  module Middlewares
+    # Apigatewayv2Rack::Middlewares::CloudfrontXff transforms cloudfront-viewer-address to x-forwarded-for value.
+    # It is recommended to use with Apigatewayv2Rack::Middlewares::CloudfrontVerify.
+    class CloudfrontXff
+      # When +replace_remote_addr_with+ is set, REMOTE_ADDR will be replaced with given value; this
+      # allows Rack::Request#ip to respect xff on its default ip_filter. Default to 127.0.0.1.
+      def initialize(app, replace_remote_addr_with: '127.0.0.1')
+        @app = app
+        @replace_remote_addr_with = replace_remote_addr_with
+      end
+
+      V6_REGEXP = /^([a-f0-9:]+):(\d+)$/
+
+      def call(env)
+        viewer = env['HTTP_CLOUDFRONT_VIEWER_ADDRESS']
+        if viewer
+          addr,port = if viewer.include?('.')
+            viewer.split(?:, 2)
+          else
+            viewer.downcase.match(V6_REGEXP)&.to_a[1,2]
+          end
+
+          if addr && port
+            env['HTTP_X_APIGATEWAYV2RACK_ORIG_X_FORWARDED_FOR'] = env['HTTP_X_FORWARDED_FOR'] if env['HTTP_X_FORWARDED_FOR']
+            env['HTTP_X_APIGATEWAYV2RACK_ORIG_X_FORWARDED_PORT'] = env['HTTP_X_FORWARDED_PORT'] if env['HTTP_X_FORWARDED_PORT']
+            env['HTTP_X_FORWARDED_FOR'] = addr
+            env['HTTP_X_FORWARDED_PORT'] = port
+
+            if @replace_remote_addr_with
+              env['HTTP_X_APIGATEWAYV2RACK_ORIG_REMOTE_ADDR'] = env['REMOTE_ADDR'] if env['REMOTE_ADDR']
+              env['REMOTE_ADDR'] = @replace_remote_addr_with
+            end
+          end
+        end
+
+        @app.call(env)
+      end
+    end
+  end
+end

data/lib/apigatewayv2_rack/request.rb

@@ -81,6 +81,8 @@ module Apigatewayv2Rack
       end
     end
 
+    RACK_VERSION = defined?(Rack::VERSION) ? Rack::VERSION : Rack.release
+
     def to_h
       {
         'SERVER_PROTOCOL' => protocol,
@@ -93,7 +95,7 @@ module Apigatewayv2Rack
         'CONTENT_LENGTH' => body.bytesize.to_s,
         'CONTENT_TYPE' => headers['content-type'] || '',
         'REMOTE_ADDR' => source_ip,
-        'rack.version' => Rack::VERSION,
+        'rack.version' => RACK_VERSION,
         'rack.url_scheme' => (use_x_forwarded_host && headers['x-forwarded-proto']) || 'https',
         'rack.input' => StringIO.new(body),
         'rack.errors' => $stderr,

data/lib/apigatewayv2_rack/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Apigatewayv2Rack
-  VERSION = "0.1.3"
+  VERSION = "0.2.1"
 end

data/lib/apigatewayv2_rack.rb

@@ -5,30 +5,41 @@ require_relative "apigatewayv2_rack/error"
 require_relative "apigatewayv2_rack/request"
 require_relative "apigatewayv2_rack/response"
 
+require_relative "apigatewayv2_rack/middlewares/cloudfront_xff"
+require_relative "apigatewayv2_rack/middlewares/cloudfront_verify"
+
 module Apigatewayv2Rack
   # Takes Rack +app+, Lambda +event+ and +context+ of API Gateway V2 event and
   # returns a HTTP response from +app+ as API Gateway V2 Lambda event format.
-  def self.handle_request(app:, event:, context:, request_options: {})
+  #
+  # When block is given, converted Rack env will be passed to make some final
+  # modification before passing it to an +app+.
+  def self.handle_request(app:, event:, context:, request_options: {}, &block)
     req = Request.new(event, context, **request_options)
-    status, headers, body = app.call(req.to_h)
+    env = req.to_h
+    block&.call(env, req)
+    status, headers, body = app.call(env)
     Response.new(status: status, headers: headers, body: body, elb: req.elb?, multivalued: req.multivalued?).as_json
   end
 
   module Handler
-    attr_reader :app 
-    def handle(event:, context:)
-      Apigatewayv2Rack.handle_request(event: event, context: context, app: @app)
+    attr_reader :app
+    attr_reader :block
+    def handle(event:, context:, &givenblock)
+      b = givenblock || @block
+      Apigatewayv2Rack.handle_request(event: event, context: context, app: @app, &b)
     end
   end
 
-  def self.generate_handler(app)
+  def self.generate_handler(app, &block)
     m = Module.new
     m.extend(Handler)
     m.instance_variable_set(:@app, app)
+    m.instance_variable_set(:@block, block)
     m
   end
 
-  def self.handler_from_rack_config_file(path = './config.ru')
+  def self.handler_from_rack_config_file(path = './config.ru', &block)
     require 'rack'
     require 'rack/builder'
     app = if Rack.release[0] == '2'
@@ -36,6 +47,6 @@ module Apigatewayv2Rack
     else
       Rack::Builder.load_file(path)
     end
-    generate_handler(app)
+    generate_handler(app, &block)
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: apigatewayv2_rack
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.2.1
 platform: ruby
 authors:
 - Sorah Fukumori
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-03-21 00:00:00.000000000 Z
+date: 2025-03-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -24,6 +24,34 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: base64
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: stringio
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description:
 email:
 - her@sorah.jp
@@ -50,6 +78,8 @@ files:
 - integration/template.jsonnet
 - lib/apigatewayv2_rack.rb
 - lib/apigatewayv2_rack/error.rb
+- lib/apigatewayv2_rack/middlewares/cloudfront_verify.rb
+- lib/apigatewayv2_rack/middlewares/cloudfront_xff.rb
 - lib/apigatewayv2_rack/request.rb
 - lib/apigatewayv2_rack/response.rb
 - lib/apigatewayv2_rack/version.rb
@@ -76,7 +106,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.0.dev
+rubygems_version: 3.4.6
 signing_key:
 specification_version: 4
 summary: handle AWS Lambda API Gateway V2 or ALB (ELBv2) lambda request event with