camo-rb 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: b410ac3bfb745c4cb2ef0aaa82f435c465258ec7aa888ec1dce17e767d132307
+  data.tar.gz: 06110020de592ca9708ab8fc6c341cc1c569cae0c3bc26263e1670e16b18c578
+SHA512:
+  metadata.gz: 1edb89a1a15b0fd13071bbe511253e71f975858f37078ec699f2c1319d32c05303ae860018bc5a9bc3d50fcb99b29e854842013353fdf56aa15bc608150810d8
+  data.tar.gz: d6dd14481dc67966dbf4bc1c91057272d0f9beaeefa7f718fb46251fd1d2b48851f43a838718945dfc06a403090ea31ac21bbc6e34b1c6b9faeaf0abef222b42

data/bin/camorb

@@ -0,0 +1,20 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "rack/handler/falcon"
+require_relative "../environment"
+
+host = "0.0.0.0"
+port = ENV["CAMORB_PORT"] || 9292
+
+trap("SIGINT") do
+  puts "\nExiting gracefully..."
+  exit
+end
+
+begin
+  app = Camo::Server.new(ENV["CAMORB_KEY"])
+  Rack::Handler::Falcon.run(app, host: host, port: port)
+rescue Camo::Errors::AppError => e
+  abort("Error: #{e.message}")
+end

data/bin/generate_url

@@ -0,0 +1,20 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "openssl"
+
+def encode_url(url)
+  url.bytes.map { |byte| "%02x" % byte }.join
+end
+
+def digest(url, key)
+  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("sha1"), key, url)
+end
+
+url = String(ARGV[0])
+abort("Error: Wrong format\nExample:\n\nCAMORB_KEY=somekey ./generate_url http://google.com/logo.png") if url.empty?
+key = String(ENV["CAMORB_KEY"])
+abort("Key is required. Use the environment variable `CAMORB_KEY` to define it.") if key.empty?
+result = "/#{digest(url, key)}/#{encode_url(url)}"
+result = "#{ENV["CAMORB_HOST"]}#{result}" if ENV["CAMORB_HOST"]
+puts result

data/bin/rspec

@@ -0,0 +1,29 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+#
+# This file was generated by Bundler.
+#
+# The application 'rspec' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+require "pathname"
+ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../../Gemfile",
+  Pathname.new(__FILE__).realpath)
+
+bundle_binstub = File.expand_path("../bundle", __FILE__)
+
+if File.file?(bundle_binstub)
+  if File.read(bundle_binstub, 300) =~ /This file was generated by Bundler/
+    load(bundle_binstub)
+  else
+    abort("Your `bin/bundle` was not generated by Bundler, so this binstub cannot run.
+Replace `bin/bundle` by running `bundle binstubs bundler --force`, then run this command again.")
+  end
+end
+
+require "rubygems"
+require "bundler/setup"
+
+load Gem.bin_path("rspec-core", "rspec")

data/lib/camo.rb

@@ -0,0 +1,10 @@
+require "camo/version"
+require "camo/headers_utils"
+require "camo/request"
+require "camo/mime_type_utils"
+require "camo/logger"
+require "camo/client"
+require "camo/server"
+require "camo/errors"
+
+module Camo; end

data/lib/camo/client.rb

@@ -0,0 +1,97 @@
+require "faraday"
+
+module Camo
+  class Client
+    include Rack::Utils
+    include HeadersUtils
+    include MimeTypeUtils
+
+    ALLOWED_TRANSFERRED_HEADERS = HeaderHash[%w[Host Accept Accept-Encoding]]
+    KEEP_ALIVE = ["1", "true", true].include?(ENV.fetch("CAMORB_KEEP_ALIVE", false))
+    MAX_REDIRECTS = ENV.fetch("CAMORB_MAX_REDIRECTS", 4)
+    SOCKET_TIMEOUT = ENV.fetch("CAMORB_SOCKET_TIMEOUT", 10)
+    CONTENT_LENGTH_LIMIT = ENV.fetch("CAMORB_LENGTH_LIMIT", 5242880).to_i
+
+    attr_reader :logger
+
+    def initialize(logger = Logger.stdio)
+      @logger = logger
+    end
+
+    def get(url, transferred_headers = {}, remaining_redirects = MAX_REDIRECTS)
+      logger.debug "Handling request to #{url}", {transferred_headers: transferred_headers, remaining_redirects: remaining_redirects}
+
+      url = URI.parse(url)
+      headers = build_request_headers(transferred_headers, url: url)
+      response = get_request(url, headers, timeout: SOCKET_TIMEOUT)
+
+      logger.debug "Request result", {status: response.status, headers: response.headers, body_bytesize: response.body.bytesize}
+
+      case response.status
+      when redirect?
+        redirect(response, headers, remaining_redirects)
+      when not_modified?
+        [response.status, response.headers]
+      else
+        validate_response!(response)
+        [response.status, response.headers, response.body]
+      end
+    end
+
+    private
+
+    def validate_response!(response)
+      raise Errors::ContentLengthExceededError if response.headers["content-length"].to_i > CONTENT_LENGTH_LIMIT
+      content_type = String(response.headers["content-type"])
+      raise Errors::EmptyContentTypeError if content_type.empty?
+      raise Errors::UnsupportedContentTypeError, content_type unless SUPPORTED_CONTENT_TYPES.include?(content_type)
+    end
+
+    def get_request(url, headers, options = {})
+      Faraday.get(url, {}, headers) do |req|
+        options.each do |key, value|
+          req.options.public_send("#{key}=", value)
+        end
+      end
+    rescue Faraday::TimeoutError
+      raise Errors::TimeoutError
+    end
+
+    def redirect(response, headers, remaining_redirects)
+      raise Errors::TooManyRedirectsError if remaining_redirects < 0
+      new_url = String(response.headers["location"])
+      logger.debug "Redirect to #{new_url}", {remaining_redirects: remaining_redirects}
+      raise Errors::RedirectWithoutLocationError if new_url.empty?
+
+      get(new_url, headers, remaining_redirects - 1)
+    end
+
+    def not_modified?
+      ->(code) { code === 304 }
+    end
+
+    def redirect?
+      ->(code) { [301, 302, 303, 307, 308].include? code }
+    end
+
+    def build_request_headers(headers, url:)
+      headers = headers.each_with_object({}) do |header, headers|
+        key = header[0].tr("_", "-")
+        headers[key] = header[1]
+      end
+
+      headers = headers
+        .select { |k, _| ALLOWED_TRANSFERRED_HEADERS.include?(k) }
+        .merge(default_request_headers)
+
+      if String(headers["Host"]).empty?
+        headers["Host"] = String(url.host)
+        headers["Host"] += ":#{url.port}" unless [80, 443].include?(url.port)
+      end
+
+      headers["Connection"] = KEEP_ALIVE ? "keep-alive" : "close"
+
+      HeaderHash[headers]
+    end
+  end
+end

data/lib/camo/errors.rb

@@ -0,0 +1,49 @@
+module Camo
+  module Errors
+    class AppError < ::StandardError; end
+
+    class UndefinedKeyError < AppError
+      def initialize(message = "Key is required. Use the environment variable `CAMORB_KEY` to define it.")
+        super
+      end
+    end
+
+    class ClientError < AppError; end
+
+    class RedirectWithoutLocationError < ClientError
+      def initialize(message = "Redirect with no location")
+        super
+      end
+    end
+
+    class TooManyRedirectsError < ClientError
+      def initialize(message = "Too many redirects")
+        super
+      end
+    end
+
+    class TimeoutError < ClientError
+      def initialize(message = "Request timeout")
+        super
+      end
+    end
+
+    class ContentLengthExceededError < ClientError
+      def initialize(message = "Max Content-Length is exceeded")
+        super
+      end
+    end
+
+    class UnsupportedContentTypeError < ClientError
+      def initialize(content_type, message = "Unsupported Content-Type: '#{content_type}'")
+        super(message)
+      end
+    end
+
+    class EmptyContentTypeError < ClientError
+      def initialize(message = "Empty Content-Type")
+        super
+      end
+    end
+  end
+end

data/lib/camo/headers_utils.rb

@@ -0,0 +1,39 @@
+module Camo
+  module HeadersUtils
+    HOSTNAME = ENV.fetch("CAMORB_HOSTNAME", "unknown")
+    TIMING_ALLOW_ORIGIN = ENV.fetch("CAMORB_TIMING_ALLOW_ORIGIN", nil)
+
+    REQUEST_SECURITY_HEADERS = {
+      "X-Frame-Options" => "deny",
+      "X-XSS-Protection" => "1; mode=block",
+      "X-Content-Type-Options" => "nosniff",
+      "Content-Security-Policy" => "default-src 'none'; img-src data:; style-src 'unsafe-inline'"
+    }
+
+    RESPONSE_SECURITY_HEADERS = REQUEST_SECURITY_HEADERS.merge({
+      "Strict-Transport-Security" => "max-age=31536000; includeSubDomains"
+    })
+
+    def self.user_agent
+      ENV.fetch("CAMORB_HEADER_VIA", "CamoRB Asset Proxy #{Camo::Version::GEM}")
+    end
+
+    def default_response_headers
+      RESPONSE_SECURITY_HEADERS.merge({
+        "Camo-Host" => HOSTNAME,
+        "Timing-Allow-Origin" => TIMING_ALLOW_ORIGIN
+      }).compact
+    end
+
+    def default_request_headers
+      REQUEST_SECURITY_HEADERS.merge({
+        "Via" => user_agent,
+        "User-Agent" => user_agent
+      })
+    end
+
+    def user_agent
+      HeadersUtils.user_agent
+    end
+  end
+end

data/lib/camo/logger.rb

@@ -0,0 +1,73 @@
+module Camo
+  class Logger
+    attr_reader :outpipe, :errpipe
+
+    LOG_LEVELS = ["debug", "info", "error", "fatal"].freeze
+    LOG_LEVEL = (LOG_LEVELS.find { |level| level == ENV["CAMORB_LOG_LEVEL"] } || "info").freeze
+
+    def initialize(outpipe, errpipe)
+      @outpipe = outpipe
+      @errpipe = errpipe
+    end
+
+    def self.stdio
+      new $stdout, $stderr
+    end
+
+    def debug(msg, params = {})
+      outpipe.puts(compile_output("debug", msg, params)) if debug?
+    end
+
+    def info(msg, params = {})
+      outpipe.puts(compile_output("info", msg, params)) if info?
+    end
+
+    def error(msg, params = {})
+      errpipe.puts(compile_output("error", msg, params)) if error?
+    end
+
+    private
+
+    def debug?
+      LOG_LEVELS.find_index(LOG_LEVEL) <= LOG_LEVELS.find_index("debug")
+    end
+
+    def info?
+      LOG_LEVELS.find_index(LOG_LEVEL) <= LOG_LEVELS.find_index("info")
+    end
+
+    def error?
+      LOG_LEVELS.find_index(LOG_LEVEL) <= LOG_LEVELS.find_index("error")
+    end
+
+    def compile_output(level, msg, params)
+      output = []
+      output << "[#{level.upcase}]"
+      output << (msg.is_a?(Array) ? msg.join(", ") : msg)
+
+      if params.any?
+        output << "|"
+        output << convert_params_to_string(params)
+      end
+
+      output.join(" ")
+    end
+
+    def convert_params_to_string(params)
+      elements = []
+
+      params.each do |key, value|
+        compiled_value =
+          if value.is_a?(Hash)
+            convert_params_to_string(value)
+          else
+            "\"#{value}\""
+          end
+
+        elements << "#{key}: #{compiled_value}"
+      end
+
+      "{ #{elements.join(", ")} }"
+    end
+  end
+end

data/lib/camo/mime_type_utils.rb

@@ -0,0 +1,49 @@
+module Camo
+  module MimeTypeUtils
+    SUPPORTED_CONTENT_TYPES = %w[
+      image/bmp
+      image/cgm
+      image/g3fax
+      image/gif
+      image/ief
+      image/jp2
+      image/jpeg
+      image/jpg
+      image/pict
+      image/png
+      image/prs.btif
+      image/svg+xml
+      image/tiff
+      image/vnd.adobe.photoshop
+      image/vnd.djvu
+      image/vnd.dwg
+      image/vnd.dxf
+      image/vnd.fastbidsheet
+      image/vnd.fpx
+      image/vnd.fst
+      image/vnd.fujixerox.edmics-mmr
+      image/vnd.fujixerox.edmics-rlc
+      image/vnd.microsoft.icon
+      image/vnd.ms-modi
+      image/vnd.net-fpx
+      image/vnd.wap.wbmp
+      image/vnd.xiff
+      image/webp
+      image/x-cmu-raster
+      image/x-cmx
+      image/x-icon
+      image/x-macpaint
+      image/x-pcx
+      image/x-pict
+      image/x-portable-anymap
+      image/x-portable-bitmap
+      image/x-portable-graymap
+      image/x-portable-pixmap
+      image/x-quicktime
+      image/x-rgb
+      image/x-xbitmap
+      image/x-xpixmap
+      image/x-xwindowdump
+    ].freeze
+  end
+end

data/lib/camo/request.rb

@@ -0,0 +1,78 @@
+require "rack/utils"
+require "addressable/uri"
+
+module Camo
+  class Request
+    include Rack::Utils
+    include HeadersUtils
+
+    SUPPORTED_PROTOCOLS = %w[http https]
+
+    attr_reader :key, :method, :protocol, :host, :path, :headers, :query_string, :params, :destination_url, :digest, :digest_type, :errors
+
+    def initialize(env, key)
+      @method = env["REQUEST_METHOD"]
+      @query_string = env["QUERY_STRING"]
+      @params = parse_query(@query_string)
+      @protocol = env["rack.url_scheme"] || "http"
+      @host = env["HTTP_HOST"]
+      @path = env["PATH_INFO"]
+      @headers = build_headers(env)
+      @key = key
+
+      @digest, encoded_url = path[1..].split("/", 2).map { |part| String(part) }
+
+      if encoded_url
+        @digest_type = "path"
+        @destination_url = Addressable::URI.parse(String(decode_hex(encoded_url)))
+      else
+        @digest_type = "query"
+        @destination_url = Addressable::URI.parse(String(params["url"]))
+      end
+
+      @errors = []
+    end
+
+    def url
+      "#{protocol}://#{host}#{path}#{query_string.empty? ? nil : "?#{query_string}"}"
+    end
+
+    def valid_request?
+      validate_request
+      Array(errors).empty?
+    end
+
+    def valid_digest?
+      OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("sha1"), key, destination_url) == digest
+    end
+
+    private
+
+    def build_headers(env)
+      hash = env.select { |k, _| k.start_with?("HTTP_") }
+      hash = hash.each_with_object({}) do |header, headers|
+        headers[header[0].sub("HTTP_", "")] = header[1]
+      end
+
+      HeaderHash[hash]
+    end
+
+    def validate_request
+      @errors ||= []
+
+      errors << "Empty URL" if destination_url.empty?
+      errors << "Empty host" if !destination_url.empty? && String(destination_url.host).empty?
+
+      if destination_url.scheme && !SUPPORTED_PROTOCOLS.include?(destination_url.scheme)
+        errors << "Unsupported protocol: '#{destination_url.scheme}'"
+      end
+
+      errors << "Recursive request" if headers["VIA"] == user_agent
+      errors
+    end
+
+    def decode_hex(str)
+      [str].pack("H*")
+    end
+  end
+end

data/lib/camo/server.rb

@@ -0,0 +1,79 @@
+require "rack/utils"
+require "openssl"
+
+module Camo
+  class Server
+    include Rack::Utils
+    include HeadersUtils
+
+    ALLOWED_REMOTE_HEADERS = HeaderHash[%w[
+      Content-Type
+      Cache-Control
+      eTag
+      Expires
+      Last-Modified
+      Content-Length
+      Content-Encoding
+    ].map(&:downcase)]
+
+    attr_reader :request, :key
+
+    def initialize(key)
+      @key = String(key)
+      raise Errors::UndefinedKeyError if @key.empty?
+    end
+
+    def call(env)
+      build_request(env)
+
+      return [404, default_response_headers, []] unless request.method == "GET"
+
+      unless request.valid_digest?
+        logger.error("Invalid digest")
+        return [401, default_response_headers, ["Invalid digest"]]
+      end
+
+      unless request.valid_request?
+        logger.error(request.errors)
+        return [422, default_response_headers, request.errors.join(", ")]
+      end
+
+      logger.debug "Request", {
+        type: request.digest_type,
+        url: request.url,
+        headers: request.headers,
+        destination: request.destination_url,
+        digest: request.digest
+      }
+
+      status, headers, body = client.get(request.destination_url, request.headers)
+      headers = build_response_headers(headers)
+      logger.debug "Response", {status: status, headers: headers, body_bytesize: body.bytesize}
+
+      [status, headers, [body]]
+    rescue Errors::ClientError => e
+      logger.error(e.message)
+      [422, default_response_headers, e.message]
+    end
+
+    private
+
+    def logger
+      @logger ||= Logger.stdio
+    end
+
+    def build_request(env)
+      @request ||= Request.new(env, key)
+    end
+
+    def client
+      @client ||= Client.new
+    end
+
+    def build_response_headers(headers)
+      headers
+        .select { |k, _| ALLOWED_REMOTE_HEADERS.include?(k.downcase) }
+        .merge(default_response_headers)
+    end
+  end
+end

data/lib/camo/version.rb

@@ -0,0 +1,5 @@
+module Camo
+  module Version
+    GEM = "0.0.1"
+  end
+end

metadata

@@ -0,0 +1,57 @@
+--- !ruby/object:Gem::Specification
+name: camo-rb
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Vyacheslav Alexeev
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2021-06-05 00:00:00.000000000 Z
+dependencies: []
+description: A camo server is a special type of image proxy that proxies non-secure
+  images over SSL/TLS, in order to prevent mixed content warnings on secure pages.
+  The server works in conjunction with back-end code that rewrites image URLs and
+  signs them with an HMAC.
+email: alexeev.corp@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- bin/camorb
+- bin/generate_url
+- bin/rspec
+- lib/camo.rb
+- lib/camo/client.rb
+- lib/camo/errors.rb
+- lib/camo/headers_utils.rb
+- lib/camo/logger.rb
+- lib/camo/mime_type_utils.rb
+- lib/camo/request.rb
+- lib/camo/server.rb
+- lib/camo/version.rb
+homepage: https://github.com/alexeevit/camo-rb
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.2.15
+signing_key:
+specification_version: 4
+summary: An SSL/TLS image proxy that uses HMAC signed URLs.
+test_files: []