RubyGems - itsi-scheduler - Versions diffs - 0.1.5 → 0.1.19 - Mend

itsi-scheduler 0.1.5 → 0.1.19

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of itsi-scheduler might be problematic. Click here for more details.

Files changed (125) hide show

data/ext/itsi_server/src/server/middleware_stack/middlewares/intrusion_protection.rs ADDED Viewed

@@ -0,0 +1,201 @@
+use crate::server::http_message_types::{HttpRequest, HttpResponse, RequestExt};
+use crate::services::itsi_http_service::HttpRequestContext;
+use crate::services::rate_limiter::{
+    get_ban_manager, get_rate_limiter, BanManager, RateLimiter, RateLimiterConfig,
+};
+use super::{ErrorResponse, FromValue, MiddlewareLayer};
+use async_trait::async_trait;
+use either::Either;
+use itsi_tracing::*;
+use magnus::error::Result;
+use regex::RegexSet;
+use serde::Deserialize;
+use std::time::Duration;
+use std::{
+    collections::HashMap,
+    sync::{Arc, OnceLock},
+};
+#[derive(Debug, Clone, Deserialize)]
+pub struct IntrusionProtection {
+    #[serde(skip_deserializing)]
+    pub banned_url_pattern_matcher: OnceLock<RegexSet>,
+    #[serde(default)]
+    pub banned_url_patterns: Vec<String>,
+    #[serde(skip_deserializing)]
+    pub banned_header_pattern_matchers: OnceLock<HashMap<String, RegexSet>>,
+    #[serde(default)]
+    pub banned_header_patterns: HashMap<String, Vec<String>>,
+    pub banned_time_seconds: u64,
+    #[serde(skip_deserializing)]
+    pub rate_limiter: OnceLock<Arc<dyn RateLimiter>>,
+    #[serde(skip_deserializing)]
+    pub ban_manager: OnceLock<BanManager>,
+    pub store_config: RateLimiterConfig,
+    #[serde(default = "forbidden_error_response")]
+    pub error_response: ErrorResponse,
+}
+fn forbidden_error_response() -> ErrorResponse {
+    ErrorResponse::forbidden()
+}
+#[async_trait]
+impl MiddlewareLayer for IntrusionProtection {
+    async fn initialize(&self) -> Result<()> {
+        // Initialize regex matchers for URL patterns
+        if !self.banned_url_patterns.is_empty() {
+            match RegexSet::new(&self.banned_url_patterns) {
+                Ok(regex_set) => {
+                    let _ = self.banned_url_pattern_matcher.set(regex_set);
+                }
+                Err(e) => {
+                    error!("Failed to compile URL regex patterns: {:?}", e);
+                }
+            }
+        }
+        // Initialize regex matchers for header patterns
+        if !self.banned_header_patterns.is_empty() {
+            let mut header_matchers = HashMap::new();
+            for (header_name, patterns) in &self.banned_header_patterns {
+                if !patterns.is_empty() {
+                    match RegexSet::new(patterns) {
+                        Ok(regex_set) => {
+                            header_matchers.insert(header_name.clone(), regex_set);
+                        }
+                        Err(e) => {
+                            error!(
+                                "Failed to compile header regex patterns for {}: {:?}",
+                                header_name, e
+                            );
+                        }
+                    }
+                }
+            }
+            let _ = self.banned_header_pattern_matchers.set(header_matchers);
+        }
+        // Initialize rate limiter (used for tracking bans)
+        // This will automatically fall back to in-memory if Redis fails
+        if let Ok(limiter) = get_rate_limiter(&self.store_config).await {
+            let _ = self.rate_limiter.set(limiter);
+        }
+        // Initialize ban manager
+        // This will automatically fall back to in-memory if Redis fails
+        if let Ok(manager) = get_ban_manager(&self.store_config).await {
+            let _ = self.ban_manager.set(manager);
+        }
+        Ok(())
+    }
+    async fn before(
+        &self,
+        req: HttpRequest,
+        context: &mut HttpRequestContext,
+    ) -> Result<Either<HttpRequest, HttpResponse>> {
+        // Get client IP address from context's service
+        let client_ip = &context.addr;
+        // Check if the IP is already banned
+        if let Some(ban_manager) = self.ban_manager.get() {
+            match ban_manager.is_banned(client_ip).await {
+                Ok(Some(_)) => {
+                    return Ok(Either::Right(
+                        self.error_response
+                            .to_http_response(req.accept().into())
+                            .await,
+                    ));
+                }
+                Err(e) => {
+                    error!("Error checking IP ban status: {:?}", e);
+                    // Continue processing - fail open
+                }
+                _ => {
+                    // Not banned, continue with intrusion checks
+                }
+            }
+        } else {
+            warn!("No ban manager available for intrusion protection");
+        }
+        // Check for banned URL patterns
+        if let Some(url_matcher) = self.banned_url_pattern_matcher.get() {
+            let path = req.uri().path_and_query().map(|p| p.as_str()).unwrap_or("");
+            if url_matcher.is_match(path) {
+                if let Some(ban_manager) = self.ban_manager.get() {
+                    match ban_manager
+                        .ban_ip(
+                            client_ip,
+                            &format!("Banned URL pattern detected: {}", path),
+                            Duration::from_secs(self.banned_time_seconds),
+                        )
+                        .await
+                    {
+                        Ok(_) => {}
+                        Err(e) => error!("Failed to ban IP {}: {:?}", client_ip, e),
+                    }
+                }
+                // Always return the error response even if banning failed
+                return Ok(Either::Right(
+                    self.error_response
+                        .to_http_response(req.accept().into())
+                        .await,
+                ));
+            }
+        }
+        // Check for banned header patterns
+        if let Some(header_matchers) = self.banned_header_pattern_matchers.get() {
+            for (header_name, pattern_set) in header_matchers {
+                if let Some(header_value) = req.header(header_name) {
+                    if pattern_set.is_match(header_value) {
+                        info!(
+                            "Intrusion detected: Header pattern match for {} in header {}",
+                            header_value, header_name
+                        );
+                        // Ban the IP address if possible
+                        if let Some(ban_manager) = self.ban_manager.get() {
+                            match ban_manager
+                                .ban_ip(
+                                    client_ip,
+                                    &format!(
+                                        "Banned header pattern detected: {} in {}",
+                                        header_value, header_name
+                                    ),
+                                    Duration::from_secs(self.banned_time_seconds),
+                                )
+                                .await
+                            {
+                                Ok(_) => info!(
+                                    "Successfully banned IP {} for {} seconds",
+                                    client_ip, self.banned_time_seconds
+                                ),
+                                Err(e) => error!("Failed to ban IP {}: {:?}", client_ip, e),
+                            }
+                        }
+                        // Always return the error response even if banning failed
+                        return Ok(Either::Right(
+                            self.error_response
+                                .to_http_response(req.accept().into())
+                                .await,
+                        ));
+                    }
+                }
+            }
+        }
+        // No intrusion detected
+        Ok(Either::Left(req))
+    }
+}
+impl FromValue for IntrusionProtection {}

data/ext/itsi_server/src/server/middleware_stack/middlewares/log_requests.rs ADDED Viewed

@@ -0,0 +1,82 @@
+use async_trait::async_trait;
+use either::Either;
+use itsi_tracing::*;
+use magnus::error::Result;
+use serde::Deserialize;
+use crate::server::http_message_types::{HttpRequest, HttpResponse};
+use crate::services::itsi_http_service::HttpRequestContext;
+use super::string_rewrite::StringRewrite;
+use super::{FromValue, MiddlewareLayer};
+/// Logging middleware for HTTP requests and responses
+///
+/// Supports customizable log formats with placeholders
+#[derive(Debug, Clone, Deserialize)]
+pub struct LogRequests {
+    pub before: Option<LogConfig>,
+    pub after: Option<LogConfig>,
+}
+#[derive(Debug, Clone, Deserialize)]
+pub struct LogConfig {
+    level: LogMiddlewareLevel,
+    format: StringRewrite,
+}
+#[derive(Debug, Clone, Deserialize)]
+pub enum LogMiddlewareLevel {
+    #[serde(rename(deserialize = "INFO"))]
+    Info,
+    #[serde(rename(deserialize = "TRACE"))]
+    Trace,
+    #[serde(rename(deserialize = "DEBUG"))]
+    Debug,
+    #[serde(rename(deserialize = "WARN"))]
+    Warn,
+    #[serde(rename(deserialize = "ERROR"))]
+    Error,
+}
+impl LogMiddlewareLevel {
+    pub fn log(&self, message: String) {
+        match self {
+            LogMiddlewareLevel::Trace => trace!(message),
+            LogMiddlewareLevel::Debug => debug!(message),
+            LogMiddlewareLevel::Info => info!(message),
+            LogMiddlewareLevel::Warn => warn!(message),
+            LogMiddlewareLevel::Error => error!(message),
+        }
+    }
+}
+#[async_trait]
+impl MiddlewareLayer for LogRequests {
+    async fn initialize(&self) -> Result<()> {
+        Ok(())
+    }
+    async fn before(
+        &self,
+        req: HttpRequest,
+        context: &mut HttpRequestContext,
+    ) -> Result<Either<HttpRequest, HttpResponse>> {
+        context.track_start_time();
+        if let Some(LogConfig { level, format }) = self.before.as_ref() {
+            level.log(format.rewrite_request(&req, context));
+        }
+        Ok(Either::Left(req))
+    }
+    async fn after(&self, resp: HttpResponse, context: &mut HttpRequestContext) -> HttpResponse {
+        if let Some(LogConfig { level, format }) = self.after.as_ref() {
+            level.log(format.rewrite_response(&resp, context));
+        }
+        resp
+    }
+}
+impl FromValue for LogRequests {}

data/ext/itsi_server/src/server/middleware_stack/middlewares/max_body.rs ADDED Viewed

@@ -0,0 +1,47 @@
+use crate::{
+    server::http_message_types::{HttpRequest, HttpResponse, RequestExt},
+    services::itsi_http_service::HttpRequestContext,
+};
+use super::{ErrorResponse, FromValue, MiddlewareLayer};
+use async_trait::async_trait;
+use either::Either;
+use http::StatusCode;
+use magnus::error::Result;
+use serde::Deserialize;
+use std::sync::atomic::Ordering;
+#[derive(Debug, Clone, Deserialize)]
+pub struct MaxBody {
+    pub max_size: usize,
+    #[serde(default = "payload_too_large_error_response")]
+    pub error_response: ErrorResponse,
+}
+fn payload_too_large_error_response() -> ErrorResponse {
+    ErrorResponse::payload_too_large()
+}
+#[async_trait]
+impl MiddlewareLayer for MaxBody {
+    async fn before(
+        &self,
+        req: HttpRequest,
+        context: &mut HttpRequestContext,
+    ) -> Result<Either<HttpRequest, HttpResponse>> {
+        req.body().limit.store(self.max_size, Ordering::Relaxed);
+        context.set_response_format(req.accept().into());
+        Ok(Either::Left(req))
+    }
+    async fn after(&self, resp: HttpResponse, context: &mut HttpRequestContext) -> HttpResponse {
+        if resp.status() == StatusCode::PAYLOAD_TOO_LARGE {
+            self.error_response
+                .to_http_response(context.response_format().clone())
+                .await
+        } else {
+            resp
+        }
+    }
+}
+impl FromValue for MaxBody {}

data/ext/itsi_server/src/server/middleware_stack/middlewares/mod.rs ADDED Viewed

@@ -0,0 +1,87 @@
+mod allow_list;
+mod auth_api_key;
+mod auth_basic;
+mod auth_jwt;
+mod cache_control;
+mod compression;
+mod cors;
+mod deny_list;
+mod error_response;
+mod etag;
+mod header_interpretation;
+mod intrusion_protection;
+mod log_requests;
+mod max_body;
+mod proxy;
+mod rate_limit;
+mod redirect;
+mod request_headers;
+mod response_headers;
+mod ruby_app;
+mod static_assets;
+mod static_response;
+mod string_rewrite;
+mod token_source;
+pub use allow_list::AllowList;
+use async_trait::async_trait;
+pub use auth_api_key::AuthAPIKey;
+pub use auth_basic::AuthBasic;
+pub use auth_jwt::AuthJwt;
+pub use cache_control::CacheControl;
+pub use compression::Compression;
+pub use compression::CompressionAlgorithm;
+pub use cors::Cors;
+pub use deny_list::DenyList;
+use either::Either;
+pub use error_response::ErrorResponse;
+pub use etag::ETag;
+pub use intrusion_protection::IntrusionProtection;
+pub use log_requests::LogRequests;
+use magnus::error::Result;
+use magnus::Value;
+pub use max_body::MaxBody;
+pub use proxy::Proxy;
+pub use rate_limit::RateLimit;
+pub use redirect::Redirect;
+pub use request_headers::RequestHeaders;
+pub use response_headers::ResponseHeaders;
+pub use ruby_app::RubyApp;
+use serde::Deserialize;
+use serde_magnus::deserialize;
+pub use static_assets::StaticAssets;
+pub use static_response::StaticResponse;
+use crate::server::http_message_types::HttpRequest;
+use crate::server::http_message_types::HttpResponse;
+use crate::services::itsi_http_service::HttpRequestContext;
+pub trait FromValue: Sized + Send + Sync + 'static {
+    fn from_value(value: Value) -> Result<Self>
+    where
+        Self: Deserialize<'static>,
+    {
+        deserialize(value)
+    }
+}
+#[async_trait]
+pub trait MiddlewareLayer: Sized + Send + Sync + 'static {
+    /// Called just once, to initialize the middleware state.
+    async fn initialize(&self) -> Result<()> {
+        Ok(())
+    }
+    /// The "before" hook. By default, it passes through the request.
+    async fn before(
+        &self,
+        req: HttpRequest,
+        _context: &mut HttpRequestContext,
+    ) -> Result<Either<HttpRequest, HttpResponse>> {
+        Ok(Either::Left(req))
+    }
+    /// The "after" hook. By default, it passes through the response.
+    async fn after(&self, resp: HttpResponse, _context: &mut HttpRequestContext) -> HttpResponse {
+        resp
+    }
+}