RubyGems - itsi-scheduler - Versions diffs - 0.1.5 → 0.2.2 - Mend

itsi-scheduler 0.1.5 → 0.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (155) hide show

data/ext/itsi_server/src/server/middleware_stack/middlewares/cors.rs ADDED Viewed

@@ -0,0 +1,301 @@
+use super::{FromValue, MiddlewareLayer};
+use crate::{
+    server::http_message_types::{HttpRequest, HttpResponse, RequestExt},
+    services::itsi_http_service::HttpRequestContext,
+};
+use async_trait::async_trait;
+use http::{HeaderMap, Method, Response};
+use http_body_util::{combinators::BoxBody, Empty};
+use itsi_error::ItsiError;
+use magnus::error::Result;
+use serde::Deserialize;
+use tracing::debug;
+#[derive(Debug, Clone, Deserialize)]
+pub struct Cors {
+    pub allow_origins: Vec<String>,
+    pub allow_methods: Vec<HttpMethod>,
+    pub allow_headers: Vec<String>,
+    pub allow_credentials: bool,
+    pub expose_headers: Vec<String>,
+    pub max_age: Option<u64>,
+}
+#[derive(Debug, Clone, Deserialize)]
+pub enum HttpMethod {
+    #[serde(rename(deserialize = "GET"))]
+    Get,
+    #[serde(rename(deserialize = "POST"))]
+    Post,
+    #[serde(rename(deserialize = "PUT"))]
+    Put,
+    #[serde(rename(deserialize = "DELETE"))]
+    Delete,
+    #[serde(rename(deserialize = "OPTIONS"))]
+    Options,
+    #[serde(rename(deserialize = "HEAD"))]
+    Head,
+    #[serde(rename(deserialize = "PATCH"))]
+    Patch,
+}
+impl HttpMethod {
+    pub fn matches(&self, other: &str) -> bool {
+        match self {
+            HttpMethod::Get => other.eq_ignore_ascii_case("GET"),
+            HttpMethod::Post => other.eq_ignore_ascii_case("POST"),
+            HttpMethod::Put => other.eq_ignore_ascii_case("PUT"),
+            HttpMethod::Delete => other.eq_ignore_ascii_case("DELETE"),
+            HttpMethod::Options => other.eq_ignore_ascii_case("OPTIONS"),
+            HttpMethod::Head => other.eq_ignore_ascii_case("HEAD"),
+            HttpMethod::Patch => other.eq_ignore_ascii_case("PATCH"),
+        }
+    }
+    pub fn to_str(&self) -> &str {
+        match self {
+            HttpMethod::Get => "GET",
+            HttpMethod::Post => "POST",
+            HttpMethod::Put => "PUT",
+            HttpMethod::Delete => "DELETE",
+            HttpMethod::Options => "OPTIONS",
+            HttpMethod::Head => "HEAD",
+            HttpMethod::Patch => "PATCH",
+        }
+    }
+}
+impl Cors {
+    /// Generate the simple CORS headers (used in normal responses)
+    fn cors_headers(&self, origin: &str) -> Result<HeaderMap> {
+        let mut headers = HeaderMap::new();
+        headers.insert("Vary", "Origin".parse().map_err(ItsiError::new)?);
+        if origin.is_empty() {
+            // When credentials are allowed, you cannot return "*".
+            debug!(target: "middleware::cors", "Origin empty {}", origin);
+            if !self.allow_credentials {
+                headers.insert(
+                    "Access-Control-Allow-Origin",
+                    "*".parse().map_err(ItsiError::new)?,
+                );
+            }
+            return Ok(headers);
+        }
+        // Only return a header if the origin is allowed.
+        if self.allow_origins.iter().any(|o| o == origin || o == "*") {
+            // If credentials are allowed, we must echo back the exact origin.
+            let value = if self.allow_credentials {
+                origin
+            } else {
+                // If not, and if "*" is allowed, you can still use "*".
+                if self.allow_origins.iter().any(|o| o == "*") {
+                    "*"
+                } else {
+                    origin
+                }
+            };
+            headers.insert(
+                "Access-Control-Allow-Origin",
+                value.parse().map_err(ItsiError::new)?,
+            );
+        }
+        if !self.allow_methods.is_empty() {
+            headers.insert(
+                "Access-Control-Allow-Methods",
+                self.allow_methods
+                    .iter()
+                    .map(HttpMethod::to_str)
+                    .collect::<Vec<&str>>()
+                    .join(", ")
+                    .parse()
+                    .map_err(ItsiError::new)?,
+            );
+        }
+        if !self.allow_headers.is_empty() {
+            headers.insert(
+                "Access-Control-Allow-Headers",
+                self.allow_headers
+                    .join(", ")
+                    .parse()
+                    .map_err(ItsiError::new)?,
+            );
+        }
+        if self.allow_credentials {
+            headers.insert(
+                "Access-Control-Allow-Credentials",
+                "true".parse().map_err(ItsiError::new)?,
+            );
+        }
+        if let Some(max_age) = self.max_age {
+            headers.insert(
+                "Access-Control-Max-Age",
+                max_age.to_string().parse().map_err(ItsiError::new)?,
+            );
+        }
+        if !self.expose_headers.is_empty() {
+            headers.insert(
+                "Access-Control-Expose-Headers",
+                self.expose_headers
+                    .join(", ")
+                    .parse()
+                    .map_err(ItsiError::new)?,
+            );
+        }
+        Ok(headers)
+    }
+    fn preflight_headers(
+        &self,
+        origin: Option<&str>,
+        req_method: Option<&str>,
+        req_headers: Option<&str>,
+    ) -> Result<HeaderMap> {
+        let mut headers = HeaderMap::new();
+        headers.insert("Vary", "Origin".parse().map_err(ItsiError::new)?);
+        let origin = match origin {
+            Some(o) if !o.is_empty() => o,
+            _ => {
+                debug!(target: "middleware::cors", "Missing Origin – preflight fails");
+                return Ok(headers);
+            }
+        };
+        if !self
+            .allow_origins
+            .iter()
+            .any(|allowed| allowed == "*" || allowed == origin)
+        {
+            debug!(target: "middleware::cors", "Origin not allowed");
+            return Ok(headers);
+        }
+        let request_method = match req_method {
+            Some(m) if !m.is_empty() => m,
+            _ => {
+                debug!(target: "middleware::cors", "Missing request method – preflight fails");
+                return Ok(headers);
+            }
+        };
+        if !self.allow_methods.iter().any(|m| m.matches(request_method)) {
+            debug!(target: "middleware::cors", "Method not allowed");
+            return Ok(headers);
+        }
+        if let Some(request_headers) = req_headers {
+            let req_headers_list: Vec<&str> = request_headers
+                .split(',')
+                .map(|s| s.trim())
+                .filter(|s| !s.is_empty())
+                .collect();
+            for header in req_headers_list {
+                if !self
+                    .allow_headers
+                    .iter()
+                    .any(|allowed| allowed.eq_ignore_ascii_case(header))
+                {
+                    debug!(target: "middleware::cors", "Header not allowed {}", header);
+                    return Ok(headers);
+                }
+            }
+        }
+        headers.insert("Access-Control-Allow-Origin", origin.parse().unwrap());
+        headers.insert(
+            "Access-Control-Allow-Methods",
+            self.allow_methods
+                .iter()
+                .map(HttpMethod::to_str)
+                .collect::<Vec<&str>>()
+                .join(", ")
+                .parse()
+                .map_err(ItsiError::new)?,
+        );
+        headers.insert(
+            "Access-Control-Allow-Headers",
+            self.allow_headers
+                .join(", ")
+                .parse()
+                .map_err(ItsiError::new)?,
+        );
+        if self.allow_credentials {
+            headers.insert(
+                "Access-Control-Allow-Credentials",
+                "true".parse().map_err(ItsiError::new)?,
+            );
+        }
+        if let Some(max_age) = self.max_age {
+            headers.insert(
+                "Access-Control-Max-Age",
+                max_age.to_string().parse().map_err(ItsiError::new)?,
+            );
+        }
+        if !self.expose_headers.is_empty() {
+            headers.insert(
+                "Access-Control-Expose-Headers",
+                self.expose_headers
+                    .join(", ")
+                    .parse()
+                    .map_err(ItsiError::new)?,
+            );
+        }
+        Ok(headers)
+    }
+}
+#[async_trait]
+impl MiddlewareLayer for Cors {
+    // For OPTIONS (preflight) requests we:
+    // 1. Extract Origin, Access-Control-Request-Method, and Access-Control-Request-Headers.
+    // 2. Validate them using our hardened preflight_headers function.
+    // 3. If validations pass (i.e. headers is non-empty), return a 204 response with those headers.
+    // Otherwise, the absence of headers indicates the request doesn’t meet the CORS policy.
+    async fn before(
+        &self,
+        req: HttpRequest,
+        context: &mut HttpRequestContext,
+    ) -> Result<either::Either<HttpRequest, HttpResponse>> {
+        let origin = req.header("Origin");
+        debug!(target: "middleware::cors", "Origin: {:?}", origin);
+        if req.method() == Method::OPTIONS {
+            let ac_request_method = req.header("Access-Control-Request-Method");
+            let ac_request_headers = req.header("Access-Control-Request-Headers");
+            let headers = self.preflight_headers(origin, ac_request_method, ac_request_headers)?;
+            debug!(target: "middleware::cors", "Preflight Headers: {:?}", headers);
+            let mut response_builder = Response::builder().status(204);
+            *response_builder.headers_mut().unwrap() = headers;
+            let response = response_builder
+                .body(BoxBody::new(Empty::new()))
+                .map_err(ItsiError::new)?;
+            return Ok(either::Either::Right(response));
+        }
+        context.set_origin(origin.map(|s| s.to_string()));
+        Ok(either::Either::Left(req))
+    }
+    async fn after(
+        &self,
+        mut resp: HttpResponse,
+        context: &mut HttpRequestContext,
+    ) -> HttpResponse {
+        if let Some(Some(origin)) = context.origin.get() {
+            debug!(target: "middleware::cors", "fetching cors headers for origin {}", origin);
+            if let Ok(cors_headers) = self.cors_headers(origin) {
+                debug!(target: "middleware::cors", "Cors Headers: {:?}", cors_headers);
+                for (key, value) in cors_headers.iter() {
+                    resp.headers_mut().insert(key.clone(), value.clone());
+                }
+            }
+        }
+        resp
+    }
+}
+impl FromValue for Cors {}

data/ext/itsi_server/src/server/middleware_stack/middlewares/csp.rs ADDED Viewed

@@ -0,0 +1,193 @@
+use super::FromValue;
+use crate::{
+    server::http_message_types::{HttpRequest, HttpResponse},
+    services::itsi_http_service::HttpRequestContext,
+};
+use async_trait::async_trait;
+use bytes::{Bytes, BytesMut};
+use either::Either;
+use futures::TryStreamExt;
+use http::{HeaderValue, StatusCode};
+use http_body_util::{combinators::BoxBody, BodyExt, Empty};
+use itsi_error::ItsiError;
+use serde::{Deserialize, Serialize};
+use std::sync::Arc;
+use std::{path::PathBuf, sync::OnceLock};
+use tokio::sync::Mutex;
+use tokio::time::{self, Duration};
+use tracing::debug;
+#[derive(Debug, Serialize, Deserialize)]
+pub struct CspReport {
+    #[serde(rename = "csp-report")]
+    pub report: ReportDetails,
+}
+#[derive(Debug, Serialize, Deserialize)]
+pub struct ReportDetails {
+    #[serde(rename = "document-uri")]
+    pub document_uri: String,
+    #[serde(rename = "referrer")]
+    pub referrer: Option<String>,
+    #[serde(rename = "violated-directive")]
+    pub violated_directive: String,
+    #[serde(rename = "original-policy")]
+    pub original_policy: String,
+    #[serde(rename = "blocked-uri")]
+    pub blocked_uri: String,
+}
+#[derive(Debug, Deserialize)]
+pub struct CspConfig {
+    pub default_src: Vec<String>,
+    pub script_src: Vec<String>,
+    pub style_src: Vec<String>,
+    pub report_uri: Vec<String>,
+}
+#[derive(Debug, Deserialize)]
+pub struct Csp {
+    pub policy: Option<CspConfig>,
+    pub reporting_enabled: bool,
+    pub report_file: Option<PathBuf>,
+    pub report_endpoint: String,
+    pub flush_interval: f64,
+    #[serde(skip)]
+    pub computed_policy: OnceLock<String>,
+    #[serde(skip)]
+    pub pending_reports: Arc<Mutex<Vec<CspReport>>>,
+    #[serde(skip)]
+    pub flush_task: OnceLock<tokio::task::JoinHandle<()>>,
+}
+#[async_trait]
+impl super::MiddlewareLayer for Csp {
+    async fn initialize(&self) -> Result<(), magnus::error::Error> {
+        if let Some(policy_config) = &self.policy {
+            let mut parts = Vec::new();
+            if !policy_config.default_src.is_empty() {
+                parts.push(format!(
+                    "default-src {}",
+                    policy_config.default_src.join(" ")
+                ));
+            }
+            if !policy_config.script_src.is_empty() {
+                parts.push(format!("script-src {}", policy_config.script_src.join(" ")));
+            }
+            if !policy_config.style_src.is_empty() {
+                parts.push(format!("style-src {}", policy_config.style_src.join(" ")));
+            }
+            if !policy_config.report_uri.is_empty() {
+                parts.push(format!("report-uri {}", policy_config.report_uri.join(" ")));
+            }
+            let policy = parts.join("; ");
+            debug!(target: "middleware::csp", "Computed CSP policy: {}", policy);
+            self.computed_policy
+                .set(policy)
+                .map_err(|_| ItsiError::new("Failed to set computed CSP policy"))?;
+        }
+        if self.reporting_enabled {
+            if let Some(ref report_file) = self.report_file {
+                let flush_interval = self.flush_interval;
+                let report_path = report_file.clone();
+                let pending_reports = Arc::clone(&self.pending_reports);
+                let handle = tokio::spawn(async move {
+                    let mut interval = time::interval(Duration::from_secs_f64(flush_interval));
+                    loop {
+                        interval.tick().await;
+                        let mut reports = pending_reports.lock().await;
+                        if !reports.is_empty() {
+                            let mut lines = String::new();
+                            for report in reports.iter() {
+                                if let Ok(line) = serde_json::to_string(report) {
+                                    lines.push_str(&line);
+                                    lines.push('\n');
+                                }
+                            }
+                            reports.clear();
+                            debug!("Flushing CSP report to file {:?}", &report_path.display());
+                            use tokio::io::AsyncWriteExt;
+                            match tokio::fs::OpenOptions::new()
+                                .append(true)
+                                .create(true)
+                                .open(&report_path)
+                                .await
+                            {
+                                Ok(mut file) => {
+                                    if let Err(e) = file.write_all(lines.as_bytes()).await {
+                                        eprintln!("Error writing CSP reports: {:?}", e);
+                                    }
+                                }
+                                Err(e) => {
+                                    eprintln!("Error opening CSP report file: {:?}", e);
+                                }
+                            }
+                        }
+                    }
+                });
+                self.flush_task
+                    .set(handle)
+                    .map_err(|_| ItsiError::new("Failed to set flush task handle"))?;
+            }
+        }
+        Ok(())
+    }
+    async fn before(
+        &self,
+        req: HttpRequest,
+        _context: &mut HttpRequestContext,
+    ) -> Result<Either<HttpRequest, HttpResponse>, magnus::error::Error> {
+        if self.reporting_enabled && req.uri().path() == self.report_endpoint {
+            debug!(target: "middleware::csp", "Received CSP report");
+            let full_bytes: Result<Bytes, _> = req
+                .into_body()
+                .into_data_stream()
+                .try_fold(BytesMut::new(), |mut acc, chunk| async move {
+                    acc.extend_from_slice(&chunk);
+                    Ok(acc)
+                })
+                .await
+                .map(|b| b.freeze());
+            if let Ok(body_bytes) = full_bytes {
+                if let Ok(report) = serde_json::from_slice::<CspReport>(&body_bytes) {
+                    debug!(target: "middleware::csp", "Report: {:?}", report);
+                    let mut pending = self.pending_reports.lock().await;
+                    pending.push(report);
+                }
+            }
+            let mut resp = HttpResponse::new(BoxBody::new(Empty::new()));
+            *resp.status_mut() = StatusCode::NO_CONTENT;
+            return Ok(Either::Right(resp));
+        }
+        Ok(Either::Left(req))
+    }
+    async fn after(&self, resp: HttpResponse, _context: &mut HttpRequestContext) -> HttpResponse {
+        if let Some(policy) = self.computed_policy.get() {
+            if !resp.headers().contains_key("Content-Security-Policy") {
+                debug!(target: "middleware::csp", "Adding CSP header");
+                let (mut parts, body) = resp.into_parts();
+                if let Ok(header_value) = HeaderValue::from_str(policy) {
+                    parts
+                        .headers
+                        .insert("Content-Security-Policy", header_value);
+                }
+                return HttpResponse::from_parts(parts, body);
+            } else {
+                debug!(target: "middleware::csp", "CSP header already present");
+            }
+        }
+        resp
+    }
+}
+impl FromValue for Csp {}

data/ext/itsi_server/src/server/middleware_stack/middlewares/deny_list.rs ADDED Viewed

@@ -0,0 +1,64 @@
+use crate::{
+    server::http_message_types::{HttpRequest, HttpResponse, RequestExt},
+    services::itsi_http_service::HttpRequestContext,
+};
+use super::{token_source::TokenSource, ErrorResponse, FromValue, MiddlewareLayer};
+use async_trait::async_trait;
+use either::Either;
+use itsi_error::ItsiError;
+use magnus::error::Result;
+use regex::RegexSet;
+use serde::Deserialize;
+use std::{collections::HashMap, sync::OnceLock};
+use tracing::debug;
+#[derive(Debug, Clone, Deserialize)]
+pub struct DenyList {
+    #[serde(skip_deserializing)]
+    pub denied_ips: OnceLock<RegexSet>,
+    pub denied_patterns: Vec<String>,
+    pub trusted_proxies: HashMap<String, TokenSource>,
+    #[serde(default = "forbidden_error_response")]
+    pub error_response: ErrorResponse,
+}
+fn forbidden_error_response() -> ErrorResponse {
+    ErrorResponse::forbidden()
+}
+#[async_trait]
+impl MiddlewareLayer for DenyList {
+    async fn initialize(&self) -> Result<()> {
+        let denied_ips = RegexSet::new(&self.denied_patterns).map_err(ItsiError::new)?;
+        self.denied_ips
+            .set(denied_ips)
+            .map_err(|e| ItsiError::new(format!("Failed to set allowed IPs: {:?}", e)))?;
+        Ok(())
+    }
+    async fn before(
+        &self,
+        req: HttpRequest,
+        context: &mut HttpRequestContext,
+    ) -> Result<Either<HttpRequest, HttpResponse>> {
+        let addr = if self.trusted_proxies.contains_key(&context.addr) {
+            let source = self.trusted_proxies.get(&context.addr).unwrap();
+            source.extract_token(&req).unwrap_or(&context.addr)
+        } else {
+            &context.addr
+        };
+        if let Some(denied_ips) = self.denied_ips.get() {
+            if denied_ips.is_match(addr) {
+                debug!(target: "middleware::deny_list", "IP address {} is not allowed", addr);
+                return Ok(Either::Right(
+                    self.error_response
+                        .to_http_response(req.accept().into())
+                        .await,
+                ));
+            }
+        }
+        Ok(Either::Left(req))
+    }
+}
+impl FromValue for DenyList {}