itsi-scheduler 0.1.5 → 0.2.2

data/ext/itsi_server/src/server/middleware_stack/middlewares/intrusion_protection.rs

@@ -0,0 +1,209 @@
+use crate::server::http_message_types::{HttpRequest, HttpResponse, RequestExt};
+use crate::services::itsi_http_service::HttpRequestContext;
+use crate::services::rate_limiter::{
+    get_ban_manager, get_rate_limiter, BanManager, RateLimiter, RateLimiterConfig,
+};
+
+use super::token_source::TokenSource;
+use super::{ErrorResponse, FromValue, MiddlewareLayer};
+
+use async_trait::async_trait;
+use either::Either;
+use itsi_tracing::*;
+use magnus::error::Result;
+use regex::RegexSet;
+use serde::Deserialize;
+use std::time::Duration;
+use std::{
+    collections::HashMap,
+    sync::{Arc, OnceLock},
+};
+
+#[derive(Debug, Clone, Deserialize)]
+pub struct IntrusionProtection {
+    #[serde(skip_deserializing)]
+    pub banned_url_pattern_matcher: OnceLock<RegexSet>,
+    #[serde(default)]
+    pub banned_url_patterns: Vec<String>,
+    #[serde(skip_deserializing)]
+    pub banned_header_pattern_matchers: OnceLock<HashMap<String, RegexSet>>,
+    #[serde(default)]
+    pub banned_header_patterns: HashMap<String, Vec<String>>,
+    pub banned_time_seconds: f64,
+    #[serde(skip_deserializing)]
+    pub rate_limiter: OnceLock<Arc<dyn RateLimiter>>,
+    #[serde(skip_deserializing)]
+    pub ban_manager: OnceLock<BanManager>,
+    pub store_config: RateLimiterConfig,
+    pub trusted_proxies: HashMap<String, TokenSource>,
+    #[serde(default = "forbidden_error_response")]
+    pub error_response: ErrorResponse,
+}
+
+fn forbidden_error_response() -> ErrorResponse {
+    ErrorResponse::forbidden()
+}
+
+#[async_trait]
+impl MiddlewareLayer for IntrusionProtection {
+    async fn initialize(&self) -> Result<()> {
+        // Initialize regex matchers for URL patterns
+        if !self.banned_url_patterns.is_empty() {
+            match RegexSet::new(&self.banned_url_patterns) {
+                Ok(regex_set) => {
+                    debug!(target: "middleware::intrusion_protection", "Compiled URL regex patterns: {} items.", regex_set.len());
+                    let _ = self.banned_url_pattern_matcher.set(regex_set);
+                }
+                Err(e) => {
+                    error!("Failed to compile URL regex patterns: {:?}", e);
+                }
+            }
+        }
+
+        // Initialize regex matchers for header patterns
+        if !self.banned_header_patterns.is_empty() {
+            let mut header_matchers = HashMap::new();
+            for (header_name, patterns) in &self.banned_header_patterns {
+                if !patterns.is_empty() {
+                    match RegexSet::new(patterns) {
+                        Ok(regex_set) => {
+                            debug!(target: "middleware::intrusion_protection", "Compiled header regex patterns for {}: {} items.", header_name, regex_set.len());
+                            header_matchers.insert(header_name.clone(), regex_set);
+                        }
+                        Err(e) => {
+                            error!(
+                                "Failed to compile header regex patterns for {}: {:?}",
+                                header_name, e
+                            );
+                        }
+                    }
+                }
+            }
+            let _ = self.banned_header_pattern_matchers.set(header_matchers);
+        }
+
+        // Initialize rate limiter (used for tracking bans)
+        // This will automatically fall back to in-memory if Redis fails
+        if let Ok(limiter) = get_rate_limiter(&self.store_config).await {
+            debug!(target: "middleware::intrusion_protection", "Initialized rate limiter.");
+            let _ = self.rate_limiter.set(limiter);
+        }
+
+        // Initialize ban manager
+        // This will automatically fall back to in-memory if Redis fails
+        if let Ok(manager) = get_ban_manager(&self.store_config).await {
+            debug!(target: "middleware::intrusion_protection", "Initialized ban manager.");
+            let _ = self.ban_manager.set(manager);
+        }
+
+        Ok(())
+    }
+
+    async fn before(
+        &self,
+        req: HttpRequest,
+        context: &mut HttpRequestContext,
+    ) -> Result<Either<HttpRequest, HttpResponse>> {
+        // Get client IP address from context's service
+        let client_ip = if self.trusted_proxies.contains_key(&context.addr) {
+            let source = self.trusted_proxies.get(&context.addr).unwrap();
+            source.extract_token(&req).unwrap_or(&context.addr)
+        } else {
+            &context.addr
+        };
+
+        // Check if the IP is already banned
+        if let Some(ban_manager) = self.ban_manager.get() {
+            match ban_manager.is_banned(client_ip).await {
+                Ok(Some(_)) => {
+                    debug!(target: "middleware::intrusion_protection", "IP {} is banned.", client_ip);
+                    return Ok(Either::Right(
+                        self.error_response
+                            .to_http_response(req.accept().into())
+                            .await,
+                    ));
+                }
+                Err(e) => {
+                    error!("Error checking IP ban status: {:?}", e);
+                    // Continue processing - fail open
+                }
+                _ => {}
+            }
+        } else {
+            warn!("No ban manager available for intrusion protection");
+        }
+
+        // Check for banned URL patterns
+        if let Some(url_matcher) = self.banned_url_pattern_matcher.get() {
+            let path = req.uri().path_and_query().map(|p| p.as_str()).unwrap_or("");
+
+            if url_matcher.is_match(path) {
+                debug!(target: "middleware::intrusion_protection", "Banned URL pattern detected: {}", path);
+                if let Some(ban_manager) = self.ban_manager.get() {
+                    match ban_manager
+                        .ban_ip(
+                            client_ip,
+                            &format!("Banned URL pattern detected: {}", path),
+                            Duration::from_secs_f64(self.banned_time_seconds),
+                        )
+                        .await
+                    {
+                        Ok(_) => {}
+                        Err(e) => error!("Failed to ban IP {}: {:?}", client_ip, e),
+                    }
+                }
+
+                // Always return the error response even if banning failed
+                return Ok(Either::Right(
+                    self.error_response
+                        .to_http_response(req.accept().into())
+                        .await,
+                ));
+            }
+        }
+
+        // Check for banned header patterns
+        if let Some(header_matchers) = self.banned_header_pattern_matchers.get() {
+            for (header_name, pattern_set) in header_matchers {
+                if let Some(header_value) = req.header(header_name) {
+                    if pattern_set.is_match(header_value) {
+                        debug!(target: "middleware::intrusion_protection", "Banned header pattern detected: {} in {}", header_value, header_name);
+
+                        // Ban the IP address if possible
+                        if let Some(ban_manager) = self.ban_manager.get() {
+                            match ban_manager
+                                .ban_ip(
+                                    client_ip,
+                                    &format!(
+                                        "Banned header pattern detected: {} in {}",
+                                        header_value, header_name
+                                    ),
+                                    Duration::from_secs_f64(self.banned_time_seconds),
+                                )
+                                .await
+                            {
+                                Ok(_) => info!(
+                                    "Successfully banned IP {} for {} seconds",
+                                    client_ip, self.banned_time_seconds
+                                ),
+                                Err(e) => error!("Failed to ban IP {}: {:?}", client_ip, e),
+                            }
+                        }
+
+                        // Always return the error response even if banning failed
+                        return Ok(Either::Right(
+                            self.error_response
+                                .to_http_response(req.accept().into())
+                                .await,
+                        ));
+                    }
+                }
+            }
+        }
+
+        // No intrusion detected
+        Ok(Either::Left(req))
+    }
+}
+
+impl FromValue for IntrusionProtection {}

data/ext/itsi_server/src/server/middleware_stack/middlewares/log_requests.rs

@@ -0,0 +1,82 @@
+use async_trait::async_trait;
+use either::Either;
+use itsi_tracing::*;
+use magnus::error::Result;
+use serde::Deserialize;
+
+use crate::server::http_message_types::{HttpRequest, HttpResponse};
+use crate::services::itsi_http_service::HttpRequestContext;
+
+use super::string_rewrite::StringRewrite;
+use super::{FromValue, MiddlewareLayer};
+
+/// Logging middleware for HTTP requests and responses
+///
+/// Supports customizable log formats with placeholders
+#[derive(Debug, Clone, Deserialize)]
+pub struct LogRequests {
+    pub before: Option<LogConfig>,
+    pub after: Option<LogConfig>,
+}
+
+#[derive(Debug, Clone, Deserialize)]
+pub struct LogConfig {
+    level: LogMiddlewareLevel,
+    format: StringRewrite,
+}
+
+#[derive(Debug, Clone, Deserialize)]
+pub enum LogMiddlewareLevel {
+    #[serde(rename(deserialize = "INFO"))]
+    Info,
+    #[serde(rename(deserialize = "TRACE"))]
+    Trace,
+    #[serde(rename(deserialize = "DEBUG"))]
+    Debug,
+    #[serde(rename(deserialize = "WARN"))]
+    Warn,
+    #[serde(rename(deserialize = "ERROR"))]
+    Error,
+}
+
+impl LogMiddlewareLevel {
+    pub fn log(&self, message: String) {
+        match self {
+            LogMiddlewareLevel::Trace => trace!(target: "middleware::log_requests", message),
+            LogMiddlewareLevel::Debug => debug!(target: "middleware::log_requests", message),
+            LogMiddlewareLevel::Info => info!(target: "middleware::log_requests", message),
+            LogMiddlewareLevel::Warn => warn!(target: "middleware::log_requests", message),
+            LogMiddlewareLevel::Error => error!(target: "middleware::log_requests", message),
+        }
+    }
+}
+
+#[async_trait]
+impl MiddlewareLayer for LogRequests {
+    async fn initialize(&self) -> Result<()> {
+        Ok(())
+    }
+
+    async fn before(
+        &self,
+        req: HttpRequest,
+        context: &mut HttpRequestContext,
+    ) -> Result<Either<HttpRequest, HttpResponse>> {
+        context.track_start_time();
+        if let Some(LogConfig { level, format }) = self.before.as_ref() {
+            level.log(format.rewrite_request(&req, context));
+        }
+
+        Ok(Either::Left(req))
+    }
+
+    async fn after(&self, resp: HttpResponse, context: &mut HttpRequestContext) -> HttpResponse {
+        if let Some(LogConfig { level, format }) = self.after.as_ref() {
+            level.log(format.rewrite_response(&resp, context));
+        }
+
+        resp
+    }
+}
+
+impl FromValue for LogRequests {}

data/ext/itsi_server/src/server/middleware_stack/middlewares/max_body.rs

@@ -0,0 +1,47 @@
+use crate::{
+    server::http_message_types::{HttpRequest, HttpResponse, RequestExt},
+    services::itsi_http_service::HttpRequestContext,
+};
+
+use super::{ErrorResponse, FromValue, MiddlewareLayer};
+use async_trait::async_trait;
+use either::Either;
+use http::StatusCode;
+use magnus::error::Result;
+use serde::Deserialize;
+use std::sync::atomic::Ordering;
+
+#[derive(Debug, Clone, Deserialize)]
+pub struct MaxBody {
+    pub limit_bytes: usize,
+    #[serde(default = "payload_too_large_error_response")]
+    pub error_response: ErrorResponse,
+}
+
+fn payload_too_large_error_response() -> ErrorResponse {
+    ErrorResponse::payload_too_large()
+}
+
+#[async_trait]
+impl MiddlewareLayer for MaxBody {
+    async fn before(
+        &self,
+        req: HttpRequest,
+        context: &mut HttpRequestContext,
+    ) -> Result<Either<HttpRequest, HttpResponse>> {
+        req.body().limit.store(self.limit_bytes, Ordering::Relaxed);
+        context.set_response_format(req.accept().into());
+        Ok(Either::Left(req))
+    }
+
+    async fn after(&self, resp: HttpResponse, context: &mut HttpRequestContext) -> HttpResponse {
+        if resp.status() == StatusCode::PAYLOAD_TOO_LARGE {
+            self.error_response
+                .to_http_response(context.response_format().clone())
+                .await
+        } else {
+            resp
+        }
+    }
+}
+impl FromValue for MaxBody {}

data/ext/itsi_server/src/server/middleware_stack/middlewares/mod.rs

@@ -0,0 +1,116 @@
+mod allow_list;
+mod auth_api_key;
+mod auth_basic;
+mod auth_jwt;
+mod cache_control;
+mod compression;
+mod cors;
+mod csp;
+mod deny_list;
+mod error_response;
+mod etag;
+mod header_interpretation;
+mod intrusion_protection;
+mod log_requests;
+mod max_body;
+mod proxy;
+mod rate_limit;
+mod redirect;
+mod request_headers;
+mod response_headers;
+mod ruby_app;
+mod static_assets;
+mod static_response;
+mod string_rewrite;
+mod token_source;
+
+use std::sync::Arc;
+use std::sync::LazyLock;
+
+pub use allow_list::AllowList;
+use async_trait::async_trait;
+pub use auth_api_key::AuthAPIKey;
+pub use auth_basic::AuthBasic;
+pub use auth_jwt::AuthJwt;
+pub use cache_control::CacheControl;
+pub use compression::Compression;
+pub use compression::CompressionAlgorithm;
+pub use cors::Cors;
+pub use csp::Csp;
+pub use deny_list::DenyList;
+use either::Either;
+pub use error_response::ErrorResponse;
+pub use etag::ETag;
+pub use intrusion_protection::IntrusionProtection;
+pub use log_requests::LogRequests;
+use magnus::error::Result;
+use magnus::rb_sys::AsRawValue;
+use magnus::Value;
+pub use max_body::MaxBody;
+pub use proxy::Proxy;
+pub use rate_limit::RateLimit;
+pub use redirect::Redirect;
+pub use request_headers::RequestHeaders;
+pub use response_headers::ResponseHeaders;
+pub use ruby_app::RubyApp;
+use serde::Deserialize;
+use serde_magnus::deserialize;
+pub use static_assets::StaticAssets;
+pub use static_response::StaticResponse;
+pub use string_rewrite::StringRewrite;
+
+use crate::server::http_message_types::HttpRequest;
+use crate::server::http_message_types::HttpResponse;
+use crate::services::itsi_http_service::HttpRequestContext;
+
+use std::collections::HashMap;
+use std::sync::Mutex;
+static CACHE: LazyLock<Mutex<HashMap<u64, Arc<dyn std::any::Any + Send + Sync>>>> =
+    LazyLock::new(|| Mutex::new(HashMap::new()));
+
+pub fn clear_value_cache() {
+    let mut cache = CACHE.lock().unwrap();
+    cache.clear();
+}
+
+pub trait FromValue: Sized + Send + Sync + 'static {
+    fn from_value(value: Value) -> Result<Arc<Self>>
+    where
+        Self: Deserialize<'static>,
+    {
+        let raw = value.as_raw();
+
+        let mut cache = CACHE.lock().unwrap();
+
+        if let Some(cached) = cache.get(&raw) {
+            if let Some(deserialized) = cached.downcast_ref::<Arc<Self>>() {
+                return Ok(deserialized.clone());
+            }
+        }
+
+        let deserialized: Arc<Self> = Arc::new(deserialize(value)?);
+        cache.insert(raw, deserialized.clone());
+        Ok(deserialized)
+    }
+}
+
+#[async_trait]
+pub trait MiddlewareLayer: Sized + Send + Sync + 'static {
+    /// Called just once, to initialize the middleware state.
+    async fn initialize(&self) -> Result<()> {
+        Ok(())
+    }
+    /// The "before" hook. By default, it passes through the request.
+    async fn before(
+        &self,
+        req: HttpRequest,
+        _context: &mut HttpRequestContext,
+    ) -> Result<Either<HttpRequest, HttpResponse>> {
+        Ok(Either::Left(req))
+    }
+
+    /// The "after" hook. By default, it passes through the response.
+    async fn after(&self, resp: HttpResponse, _context: &mut HttpRequestContext) -> HttpResponse {
+        resp
+    }
+}