RubyGems - itsi-server - Versions diffs - 0.1.1 → 0.1.13 - Mend

itsi-server 0.1.1 → 0.1.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of itsi-server might be problematic. Click here for more details.

Files changed (143) hide show

data/ext/itsi_server/src/server/middleware_stack/middlewares/cors.rs ADDED Viewed

@@ -0,0 +1,287 @@
+use super::{FromValue, MiddlewareLayer};
+use crate::server::{
+    itsi_service::RequestContext,
+    types::{HttpRequest, HttpResponse, RequestExt},
+};
+use async_trait::async_trait;
+use http::{HeaderMap, Method, Response};
+use http_body_util::{combinators::BoxBody, Empty};
+use itsi_error::ItsiError;
+use magnus::error::Result;
+use serde::Deserialize;
+#[derive(Debug, Clone, Deserialize)]
+pub struct Cors {
+    pub allowed_origins: Vec<String>,
+    pub allowed_methods: Vec<HttpMethod>,
+    pub allowed_headers: Vec<String>,
+    pub exposed_headers: Vec<String>,
+    pub allow_credentials: bool,
+    pub max_age: Option<u64>,
+}
+#[derive(Debug, Clone, Deserialize)]
+pub enum HttpMethod {
+    #[serde(rename(deserialize = "GET"))]
+    Get,
+    #[serde(rename(deserialize = "POST"))]
+    Post,
+    #[serde(rename(deserialize = "PUT"))]
+    Put,
+    #[serde(rename(deserialize = "DELETE"))]
+    Delete,
+    #[serde(rename(deserialize = "OPTIONS"))]
+    Options,
+    #[serde(rename(deserialize = "HEAD"))]
+    Head,
+    #[serde(rename(deserialize = "PATCH"))]
+    Patch,
+}
+impl HttpMethod {
+    pub fn matches(&self, other: &str) -> bool {
+        match self {
+            HttpMethod::Get => other.eq_ignore_ascii_case("GET"),
+            HttpMethod::Post => other.eq_ignore_ascii_case("POST"),
+            HttpMethod::Put => other.eq_ignore_ascii_case("PUT"),
+            HttpMethod::Delete => other.eq_ignore_ascii_case("DELETE"),
+            HttpMethod::Options => other.eq_ignore_ascii_case("OPTIONS"),
+            HttpMethod::Head => other.eq_ignore_ascii_case("HEAD"),
+            HttpMethod::Patch => other.eq_ignore_ascii_case("PATCH"),
+        }
+    }
+    pub fn to_str(&self) -> &str {
+        match self {
+            HttpMethod::Get => "GET",
+            HttpMethod::Post => "POST",
+            HttpMethod::Put => "PUT",
+            HttpMethod::Delete => "DELETE",
+            HttpMethod::Options => "OPTIONS",
+            HttpMethod::Head => "HEAD",
+            HttpMethod::Patch => "PATCH",
+        }
+    }
+}
+impl Cors {
+    /// Generate the simple CORS headers (used in normal responses)
+    fn cors_headers(&self, origin: &str) -> Result<HeaderMap> {
+        let mut headers = HeaderMap::new();
+        headers.insert("Vary", "Origin".parse().map_err(ItsiError::default)?);
+        if origin.is_empty() {
+            // When credentials are allowed, you cannot return "*".
+            if !self.allow_credentials {
+                headers.insert(
+                    "Access-Control-Allow-Origin",
+                    "*".parse().map_err(ItsiError::default)?,
+                );
+            }
+            return Ok(headers);
+        }
+        // Only return a header if the origin is allowed.
+        if self.allowed_origins.iter().any(|o| o == origin || o == "*") {
+            // If credentials are allowed, we must echo back the exact origin.
+            let value = if self.allow_credentials {
+                origin
+            } else {
+                // If not, and if "*" is allowed, you can still use "*".
+                if self.allowed_origins.iter().any(|o| o == "*") {
+                    "*"
+                } else {
+                    origin
+                }
+            };
+            headers.insert(
+                "Access-Control-Allow-Origin",
+                value.parse().map_err(ItsiError::default)?,
+            );
+        }
+        if !self.allowed_methods.is_empty() {
+            headers.insert(
+                "Access-Control-Allow-Methods",
+                self.allowed_methods
+                    .iter()
+                    .map(HttpMethod::to_str)
+                    .collect::<Vec<&str>>()
+                    .join(", ")
+                    .parse()
+                    .map_err(ItsiError::default)?,
+            );
+        }
+        if !self.allowed_headers.is_empty() {
+            headers.insert(
+                "Access-Control-Allow-Headers",
+                self.allowed_headers
+                    .join(", ")
+                    .parse()
+                    .map_err(ItsiError::default)?,
+            );
+        }
+        if self.allow_credentials {
+            headers.insert(
+                "Access-Control-Allow-Credentials",
+                "true".parse().map_err(ItsiError::default)?,
+            );
+        }
+        if let Some(max_age) = self.max_age {
+            headers.insert(
+                "Access-Control-Max-Age",
+                max_age.to_string().parse().map_err(ItsiError::default)?,
+            );
+        }
+        if !self.exposed_headers.is_empty() {
+            headers.insert(
+                "Access-Control-Expose-Headers",
+                self.exposed_headers
+                    .join(", ")
+                    .parse()
+                    .map_err(ItsiError::default)?,
+            );
+        }
+        Ok(headers)
+    }
+    fn preflight_headers(
+        &self,
+        origin: Option<&str>,
+        req_method: Option<&str>,
+        req_headers: Option<&str>,
+    ) -> Result<HeaderMap> {
+        let mut headers = HeaderMap::new();
+        headers.insert("Vary", "Origin".parse().map_err(ItsiError::default)?);
+        let origin = match origin {
+            Some(o) if !o.is_empty() => o,
+            _ => return Ok(headers), // Missing Origin – preflight fails
+        };
+        if !self
+            .allowed_origins
+            .iter()
+            .any(|allowed| allowed == "*" || allowed == origin)
+        {
+            return Ok(headers);
+        }
+        let request_method = match req_method {
+            Some(m) if !m.is_empty() => m,
+            _ => return Ok(headers), // Missing request method – preflight fails
+        };
+        if !self
+            .allowed_methods
+            .iter()
+            .any(|m| m.matches(request_method))
+        {
+            return Ok(headers);
+        }
+        if let Some(request_headers) = req_headers {
+            let req_headers_list: Vec<&str> = request_headers
+                .split(',')
+                .map(|s| s.trim())
+                .filter(|s| !s.is_empty())
+                .collect();
+            for header in req_headers_list {
+                if !self
+                    .allowed_headers
+                    .iter()
+                    .any(|allowed| allowed.eq_ignore_ascii_case(header))
+                {
+                    return Ok(headers);
+                }
+            }
+        }
+        headers.insert("Access-Control-Allow-Origin", origin.parse().unwrap());
+        headers.insert(
+            "Access-Control-Allow-Methods",
+            self.allowed_methods
+                .iter()
+                .map(HttpMethod::to_str)
+                .collect::<Vec<&str>>()
+                .join(", ")
+                .parse()
+                .map_err(ItsiError::default)?,
+        );
+        headers.insert(
+            "Access-Control-Allow-Headers",
+            self.allowed_headers
+                .join(", ")
+                .parse()
+                .map_err(ItsiError::default)?,
+        );
+        if self.allow_credentials {
+            headers.insert(
+                "Access-Control-Allow-Credentials",
+                "true".parse().map_err(ItsiError::default)?,
+            );
+        }
+        if let Some(max_age) = self.max_age {
+            headers.insert(
+                "Access-Control-Max-Age",
+                max_age.to_string().parse().map_err(ItsiError::default)?,
+            );
+        }
+        if !self.exposed_headers.is_empty() {
+            headers.insert(
+                "Access-Control-Expose-Headers",
+                self.exposed_headers
+                    .join(", ")
+                    .parse()
+                    .map_err(ItsiError::default)?,
+            );
+        }
+        Ok(headers)
+    }
+}
+#[async_trait]
+impl MiddlewareLayer for Cors {
+    // For OPTIONS (preflight) requests we:
+    // 1. Extract Origin, Access-Control-Request-Method, and Access-Control-Request-Headers.
+    // 2. Validate them using our hardened preflight_headers function.
+    // 3. If validations pass (i.e. headers is non-empty), return a 204 response with those headers.
+    // Otherwise, the absence of headers indicates the request doesn’t meet the CORS policy.
+    async fn before(
+        &self,
+        req: HttpRequest,
+        context: &mut RequestContext,
+    ) -> Result<either::Either<HttpRequest, HttpResponse>> {
+        let origin = req.header("Origin");
+        if req.method() == Method::OPTIONS {
+            let ac_request_method = req.header("Access-Control-Request-Method");
+            let ac_request_headers = req.header("Access-Control-Request-Headers");
+            let headers = self.preflight_headers(origin, ac_request_method, ac_request_headers)?;
+            let mut response_builder = Response::builder().status(204);
+            *response_builder.headers_mut().unwrap() = headers;
+            let response = response_builder
+                .body(BoxBody::new(Empty::new()))
+                .map_err(ItsiError::default)?;
+            return Ok(either::Either::Right(response));
+        }
+        context.set_origin(origin.map(|s| s.to_string()));
+        Ok(either::Either::Left(req))
+    }
+    // The after hook can be used to inject CORS headers into non-preflight responses.
+    async fn after(&self, mut resp: HttpResponse, context: &mut RequestContext) -> HttpResponse {
+        if let Some(Some(origin)) = context.origin.get() {
+            if let Ok(cors_headers) = self.cors_headers(origin) {
+                for (key, value) in cors_headers.iter() {
+                    resp.headers_mut().insert(key.clone(), value.clone());
+                }
+            }
+        }
+        resp
+    }
+}
+impl FromValue for Cors {}

data/ext/itsi_server/src/server/middleware_stack/middlewares/deny_list.rs ADDED Viewed

@@ -0,0 +1,48 @@
+use crate::server::{
+    itsi_service::RequestContext,
+    types::{HttpRequest, HttpResponse},
+};
+use super::{ErrorResponse, FromValue, MiddlewareLayer};
+use async_trait::async_trait;
+use either::Either;
+use itsi_error::ItsiError;
+use magnus::error::Result;
+use regex::RegexSet;
+use serde::Deserialize;
+use std::sync::OnceLock;
+#[derive(Debug, Clone, Deserialize)]
+pub struct DenyList {
+    #[serde(skip_deserializing)]
+    pub denied_ips: OnceLock<RegexSet>,
+    pub denied_patterns: Vec<String>,
+    pub error_response: ErrorResponse,
+}
+#[async_trait]
+impl MiddlewareLayer for DenyList {
+    async fn initialize(&self) -> Result<()> {
+        let denied_ips = RegexSet::new(&self.denied_patterns).map_err(ItsiError::default)?;
+        self.denied_ips
+            .set(denied_ips)
+            .map_err(|e| ItsiError::default(format!("Failed to set allowed IPs: {:?}", e)))?;
+        Ok(())
+    }
+    async fn before(
+        &self,
+        req: HttpRequest,
+        context: &mut RequestContext,
+    ) -> Result<Either<HttpRequest, HttpResponse>> {
+        if let Some(denied_ips) = self.denied_ips.get() {
+            if denied_ips.is_match(&context.addr) {
+                return Ok(Either::Right(
+                    self.error_response.to_http_response(&req).await,
+                ));
+            }
+        }
+        Ok(Either::Left(req))
+    }
+}
+impl FromValue for DenyList {}

data/ext/itsi_server/src/server/middleware_stack/middlewares/error_response.rs ADDED Viewed

@@ -0,0 +1,127 @@
+use crate::server::static_file_server::ROOT_STATIC_FILE_SERVER;
+use crate::server::types::RequestExt;
+use crate::server::{
+    itsi_service::RequestContext,
+    types::{HttpRequest, HttpResponse},
+};
+use bytes::Bytes;
+use either::Either;
+use http::Response;
+use http_body_util::{combinators::BoxBody, Full};
+use itsi_error::ItsiError;
+use serde::Deserialize;
+use std::path::{Path, PathBuf};
+#[derive(Debug, Clone, Deserialize)]
+/// Filters can each have a customizable error response.
+/// They can:
+/// * Return Plain-text
+/// * Return HTML
+/// * Return JSON
+pub struct ErrorResponse {
+    code: u16,
+    plaintext: Option<String>,
+    html: Option<PathBuf>,
+    json: Option<serde_json::Value>,
+    default: ErrorFormat,
+}
+#[derive(Debug, Clone, Deserialize, Default)]
+enum ErrorFormat {
+    #[default]
+    #[serde(rename(deserialize = "plaintext"))]
+    Plaintext,
+    #[serde(rename(deserialize = "html"))]
+    Html,
+    #[serde(rename(deserialize = "json"))]
+    Json,
+}
+impl Default for ErrorResponse {
+    fn default() -> Self {
+        ErrorResponse {
+            code: 500,
+            plaintext: Some("Error".to_owned()),
+            html: None,
+            json: None,
+            default: ErrorFormat::Plaintext,
+        }
+    }
+}
+impl ErrorResponse {
+    pub(crate) async fn to_http_response(&self, request: &HttpRequest) -> HttpResponse {
+        let accept = request.accept();
+        let body = match accept {
+            Some(accept) if accept.contains("text/plain") => BoxBody::new(Full::new(Bytes::from(
+                self.plaintext.clone().unwrap_or_else(|| "Error".to_owned()),
+            ))),
+            Some(accept) if accept.contains("text/html") => {
+                if let Some(path) = &self.html {
+                    let path = path.to_str().unwrap();
+                    let response = ROOT_STATIC_FILE_SERVER.serve_single(path).await;
+                    if response.status().is_success() {
+                        response.into_body()
+                    } else {
+                        BoxBody::new(Full::new(Bytes::from("Error")))
+                    }
+                } else {
+                    BoxBody::new(Full::new(Bytes::from("Error")))
+                }
+            }
+            Some(accept) if accept.contains("application/json") => {
+                BoxBody::new(Full::new(Bytes::from(
+                    self.json
+                        .as_ref()
+                        .map(|json| json.to_string())
+                        .unwrap_or_else(|| "Error".to_owned()),
+                )))
+            }
+            _ => match self.default {
+                ErrorFormat::Plaintext => BoxBody::new(Full::new(Bytes::from(
+                    self.plaintext.clone().unwrap_or_else(|| "Error".to_owned()),
+                ))),
+                ErrorFormat::Html => {
+                    if let Some(path) = &self.html {
+                        let path = path.to_str().unwrap();
+                        let response = ROOT_STATIC_FILE_SERVER.serve_single(path).await;
+                        if response.status().is_success() {
+                            response.into_body()
+                        } else {
+                            BoxBody::new(Full::new(Bytes::from("Error")))
+                        }
+                    } else {
+                        BoxBody::new(Full::new(Bytes::from("Error")))
+                    }
+                }
+                ErrorFormat::Json => BoxBody::new(Full::new(Bytes::from(
+                    self.json
+                        .as_ref()
+                        .map(|json| json.to_string())
+                        .unwrap_or_else(|| "Error".to_owned()),
+                ))),
+            },
+        };
+        Response::builder().status(self.code).body(body).unwrap()
+    }
+    pub async fn before(
+        &self,
+        req: HttpRequest,
+        _context: &mut RequestContext,
+    ) -> Result<Either<HttpRequest, HttpResponse>, ItsiError> {
+        if let Some(path) = req.uri().path().strip_prefix("/error/") {
+            let path = Path::new(path);
+            if path.exists() {
+                let path = path.to_str().unwrap();
+                let response = ROOT_STATIC_FILE_SERVER.serve_single(path).await;
+                return Ok(Either::Right(response));
+            }
+        }
+        Ok(Either::Left(req))
+    }
+}

data/ext/itsi_server/src/server/middleware_stack/middlewares/etag.rs ADDED Viewed

@@ -0,0 +1,191 @@
+use super::{FromValue, MiddlewareLayer};
+use crate::server::{itsi_service::RequestContext, types::HttpResponse};
+use async_trait::async_trait;
+use base64::{engine::general_purpose, Engine as _};
+use bytes::{Bytes, BytesMut};
+use either::Either;
+use futures::TryStreamExt;
+use http::{header, HeaderValue, Response, StatusCode};
+use http_body_util::{combinators::BoxBody, BodyExt, Empty, Full};
+use hyper::body::Body;
+use magnus::error::Result;
+use serde::Deserialize;
+use sha2::{Digest, Sha256};
+#[derive(Debug, Clone, Copy, Deserialize, Default)]
+pub enum ETagType {
+    #[serde(rename = "strong")]
+    #[default]
+    Strong,
+    #[serde(rename = "weak")]
+    Weak,
+}
+#[derive(Debug, Clone, Copy, Deserialize, Default)]
+pub enum HashAlgorithm {
+    #[serde(rename = "sha256")]
+    #[default]
+    Sha256,
+    #[serde(rename = "md5")]
+    Md5,
+}
+#[derive(Debug, Clone, Deserialize)]
+pub struct ETag {
+    #[serde(default)]
+    pub r#type: ETagType,
+    #[serde(default)]
+    pub algorithm: HashAlgorithm,
+    #[serde(default)]
+    pub min_body_size: usize,
+    #[serde(default = "default_true")]
+    pub handle_if_none_match: bool,
+}
+fn default_true() -> bool {
+    true
+}
+#[async_trait]
+impl MiddlewareLayer for ETag {
+    async fn before(
+        &self,
+        req: crate::server::types::HttpRequest,
+        context: &mut RequestContext,
+    ) -> Result<Either<crate::server::types::HttpRequest, HttpResponse>> {
+        // Store if-none-match header in context if present for later use in after hook
+        if self.handle_if_none_match {
+            if let Some(if_none_match) = req.headers().get(header::IF_NONE_MATCH) {
+                if let Ok(etag_value) = if_none_match.to_str() {
+                    context.set_if_none_match(Some(etag_value.to_string()));
+                }
+            }
+        }
+        Ok(Either::Left(req))
+    }
+    async fn after(&self, resp: HttpResponse, context: &mut RequestContext) -> HttpResponse {
+        // Skip for error responses or responses that shouldn't have ETags
+        match resp.status() {
+            StatusCode::OK
+            | StatusCode::CREATED
+            | StatusCode::ACCEPTED
+            | StatusCode::NON_AUTHORITATIVE_INFORMATION
+            | StatusCode::NO_CONTENT
+            | StatusCode::PARTIAL_CONTENT => {}
+            _ => return resp,
+        }
+        // Skip if already has an ETag
+        if resp.headers().contains_key(header::ETAG) {
+            return resp;
+        }
+        // Skip if Cache-Control: no-store is present
+        if let Some(cache_control) = resp.headers().get(header::CACHE_CONTROL) {
+            if let Ok(cache_control_str) = cache_control.to_str() {
+                if cache_control_str.contains("no-store") {
+                    return resp;
+                }
+            }
+        }
+        // Check if body is a stream or fixed size using size_hint (similar to compression.rs)
+        let body_size = resp.size_hint().exact();
+        // Skip streaming bodies
+        if body_size.is_none() {
+            return resp;
+        }
+        // Skip if body is too small
+        if body_size.unwrap_or(0) < self.min_body_size as u64 {
+            return resp;
+        }
+        let (mut parts, mut body) = resp.into_parts();
+        let etag_value = if let Some(existing_etag) = parts.headers.get(header::ETAG) {
+            existing_etag.to_str().unwrap_or("").to_string()
+        } else {
+            // Get the full bytes from the body
+            let full_bytes: Bytes = match body
+                .into_data_stream()
+                .try_fold(BytesMut::new(), |mut acc, chunk| async move {
+                    acc.extend_from_slice(&chunk);
+                    Ok(acc)
+                })
+                .await
+            {
+                Ok(bytes_mut) => bytes_mut.freeze(),
+                Err(_) => return Response::from_parts(parts, BoxBody::new(Empty::new())),
+            };
+            let computed_etag = match self.algorithm {
+                HashAlgorithm::Sha256 => {
+                    let mut hasher = Sha256::new();
+                    hasher.update(&full_bytes);
+                    let result = hasher.finalize();
+                    general_purpose::STANDARD.encode(result)
+                }
+                HashAlgorithm::Md5 => {
+                    let digest = md5::compute(&full_bytes);
+                    format!("{:x}", digest)
+                }
+            };
+            let formatted_etag = match self.r#type {
+                ETagType::Strong => format!("\"{}\"", computed_etag),
+                ETagType::Weak => format!("W/\"{}\"", computed_etag),
+            };
+            if let Ok(value) = HeaderValue::from_str(&formatted_etag) {
+                parts.headers.insert(header::ETAG, value);
+            }
+            body = Full::new(full_bytes).boxed();
+            formatted_etag
+        };
+        // Handle 304 Not Modified if we have an If-None-Match header and it matches
+        if self.handle_if_none_match {
+            if let Some(if_none_match) = context.get_if_none_match() {
+                if if_none_match == etag_value || if_none_match == "*" {
+                    // Return 304 Not Modified without the body
+                    let mut not_modified = Response::new(BoxBody::new(Empty::new()));
+                    *not_modified.status_mut() = StatusCode::NOT_MODIFIED;
+                    // Copy headers we want to preserve
+                    for (name, value) in parts.headers.iter() {
+                        if matches!(
+                            name,
+                            &header::CACHE_CONTROL
+                                | &header::CONTENT_LOCATION
+                                | &header::DATE
+                                | &header::ETAG
+                                | &header::EXPIRES
+                                | &header::VARY
+                        ) {
+                            not_modified.headers_mut().insert(name, value.clone());
+                        }
+                    }
+                    return not_modified;
+                }
+            }
+        }
+        // Recreate response with the original body and the ETag header
+        Response::from_parts(parts, body)
+    }
+}
+impl Default for ETag {
+    fn default() -> Self {
+        Self {
+            r#type: ETagType::Strong,
+            algorithm: HashAlgorithm::Sha256,
+            min_body_size: 0,
+            handle_if_none_match: true,
+        }
+    }
+}
+impl FromValue for ETag {}