RubyGems - itsi-server - Versions diffs - 0.1.1 → 0.1.18 - Mend

itsi-server 0.1.1 → 0.1.18

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (184) hide show

data/ext/itsi_server/src/server/binds/tls.rs ADDED Viewed

@@ -0,0 +1,270 @@
+use base64::{engine::general_purpose, Engine as _};
+use itsi_error::Result;
+use itsi_tracing::info;
+use locked_dir_cache::LockedDirCache;
+use rcgen::{
+    BasicConstraints, CertificateParams, DistinguishedName, DnType, IsCa, KeyPair, SanType,
+};
+use rustls::{
+    pki_types::{CertificateDer, PrivateKeyDer},
+    ClientConfig, RootCertStore,
+};
+use rustls_pemfile::{certs, pkcs8_private_keys};
+use std::{
+    collections::HashMap,
+    fs,
+    io::{BufReader, Error},
+    sync::Arc,
+};
+use tokio::sync::Mutex;
+use tokio_rustls::{rustls::ServerConfig, TlsAcceptor};
+use tokio_rustls_acme::{AcmeAcceptor, AcmeConfig, AcmeState};
+use crate::env::{
+    ITSI_ACME_CACHE_DIR, ITSI_ACME_CA_PEM_PATH, ITSI_ACME_CONTACT_EMAIL, ITSI_ACME_DIRECTORY_URL,
+    ITSI_LOCAL_CA_DIR,
+};
+mod locked_dir_cache;
+#[derive(Clone)]
+pub enum ItsiTlsAcceptor {
+    Manual(TlsAcceptor),
+    Automatic(
+        AcmeAcceptor,
+        Arc<Mutex<AcmeState<Error>>>,
+        Arc<ServerConfig>,
+    ),
+}
+/// Generates a TLS configuration based on either :
+/// * Input "cert" and "key" options (either paths or Base64-encoded strings) or
+/// * Performs automatic certificate generation/retrieval. Generated certs use an internal self-signed Isti CA.
+///
+/// If a non-local host or optional domain parameter is provided,
+/// an automated certificate will attempt to be fetched using let's encrypt.
+pub fn configure_tls(
+    host: &str,
+    query_params: &HashMap<String, String>,
+) -> Result<ItsiTlsAcceptor> {
+    let domains = query_params
+        .get("domains")
+        .map(|v| v.split(',').map(String::from).collect::<Vec<_>>())
+        .or_else(|| query_params.get("domain").map(|v| vec![v.to_string()]));
+    if query_params.get("cert").is_some_and(|c| c == "acme") {
+        if let Some(domains) = domains {
+            let directory_url = &*ITSI_ACME_DIRECTORY_URL;
+            info!(
+                domains = format!("{:?}", domains),
+                directory_url, "Requesting acme cert"
+            );
+            let acme_contact_email = query_params
+                .get("acme_email")
+                .map(|s| s.to_string())
+                .or_else(|| (*ITSI_ACME_CONTACT_EMAIL).as_ref().ok().map(|s| s.to_string()))
+                .ok_or_else(|| itsi_error::ItsiError::ArgumentError(
+                    "acme_email query param or ITSI_ACME_CONTACT_EMAIL must be set before you can auto-generate let's encrypt certificates".to_string(),
+                ))?;
+            let acme_config = AcmeConfig::new(domains)
+                .contact([format!("mailto:{}", acme_contact_email)])
+                .cache(LockedDirCache::new(&*ITSI_ACME_CACHE_DIR))
+                .directory(directory_url);
+            let acme_state = if let Ok(ca_pem_path) = &*ITSI_ACME_CA_PEM_PATH {
+                let mut root_cert_store = RootCertStore::empty();
+                let ca_pem = fs::read(ca_pem_path).expect("failed to read CA pem file");
+                let mut ca_reader = BufReader::new(&ca_pem[..]);
+                let der_certs: Vec<CertificateDer> = certs(&mut ca_reader)
+                    .collect::<std::result::Result<Vec<CertificateDer>, _>>()
+                    .map_err(|e| {
+                        itsi_error::ItsiError::ArgumentError(format!(
+                            "Invalid ACME CA Pem path {:?}",
+                            e
+                        ))
+                    })?;
+                root_cert_store.add_parsable_certificates(der_certs);
+                let client_config = ClientConfig::builder()
+                    .with_root_certificates(root_cert_store)
+                    .with_no_client_auth();
+                acme_config
+                    .client_tls_config(Arc::new(client_config))
+                    .state()
+            } else {
+                acme_config.state()
+            };
+            let mut rustls_config = ServerConfig::builder()
+                .with_no_client_auth()
+                .with_cert_resolver(acme_state.resolver());
+            rustls_config.alpn_protocols = vec![b"h2".to_vec(), b"http/1.1".to_vec()];
+            let acceptor = acme_state.acceptor();
+            return Ok(ItsiTlsAcceptor::Automatic(
+                acceptor,
+                Arc::new(Mutex::new(acme_state)),
+                Arc::new(rustls_config),
+            ));
+        }
+    }
+    let (certs, key) = if let (Some(cert_path), Some(key_path)) =
+        (query_params.get("cert"), query_params.get("key"))
+    {
+        // Load from file or Base64
+        let certs = load_certs(cert_path);
+        let key = load_private_key(key_path);
+        (certs, key)
+    } else {
+        generate_ca_signed_cert(domains.unwrap_or(vec![host.to_owned()]))?
+    };
+    let mut config = ServerConfig::builder()
+        .with_no_client_auth()
+        .with_single_cert(certs, key)
+        .expect("Failed to build TLS config");
+    config.alpn_protocols = vec![b"h2".to_vec(), b"http/1.1".to_vec()];
+    Ok(ItsiTlsAcceptor::Manual(TlsAcceptor::from(Arc::new(config))))
+}
+pub fn load_certs(path: &str) -> Vec<CertificateDer<'static>> {
+    let data = if let Some(stripped) = path.strip_prefix("base64:") {
+        general_purpose::STANDARD
+            .decode(stripped)
+            .expect("Invalid base64 certificate")
+    } else {
+        fs::read(path).expect("Failed to read certificate file")
+    };
+    if data.starts_with(b"-----BEGIN ") {
+        let mut reader = BufReader::new(&data[..]);
+        let certs_der: Vec<Vec<u8>> = certs(&mut reader)
+            .map(|r| {
+                r.map(|der| der.as_ref().to_vec())
+                    .map_err(itsi_error::ItsiError::from)
+            })
+            .collect::<Result<_>>()
+            .expect("Failed to parse certificate file");
+        certs_der
+            .into_iter()
+            .map(|vec| {
+                // Convert the owned Vec<u8> into a CertificateDer and force 'static.
+                unsafe { std::mem::transmute(CertificateDer::from(vec)) }
+            })
+            .collect()
+    } else {
+        vec![CertificateDer::from(data)]
+    }
+}
+/// Loads a private key from a file or Base64.
+pub fn load_private_key(path: &str) -> PrivateKeyDer<'static> {
+    let key_data = if let Some(stripped) = path.strip_prefix("base64:") {
+        general_purpose::STANDARD
+            .decode(stripped)
+            .expect("Invalid base64 private key")
+    } else {
+        fs::read(path).expect("Failed to read private key file")
+    };
+    if key_data.starts_with(b"-----BEGIN ") {
+        let mut reader = BufReader::new(&key_data[..]);
+        let keys: Vec<Vec<u8>> = pkcs8_private_keys(&mut reader)
+            .map(|r| {
+                r.map(|key| key.secret_pkcs8_der().to_vec())
+                    .map_err(itsi_error::ItsiError::from)
+            })
+            .collect::<Result<_>>()
+            .expect("Failed to parse private key");
+        if !keys.is_empty() {
+            return PrivateKeyDer::try_from(keys[0].clone()).unwrap();
+        }
+    }
+    PrivateKeyDer::try_from(key_data).unwrap()
+}
+pub fn generate_ca_signed_cert(
+    domains: Vec<String>,
+) -> Result<(Vec<CertificateDer<'static>>, PrivateKeyDer<'static>)> {
+    info!(
+        domains = format!("{}", domains.join(", ")),
+        "Self signed cert",
+    );
+    info!(
+        "Add {} to your system's trusted cert store to resolve certificate errors.",
+        format!("{}/itsi_dev_ca.crt", ITSI_LOCAL_CA_DIR.to_str().unwrap())
+    );
+    info!("Dev CA path can be overridden by setting env var: `ITSI_LOCAL_CA_DIR`.");
+    let (ca_key_pem, ca_cert_pem) = get_or_create_local_dev_ca()?;
+    let ca_kp = KeyPair::from_pem(&ca_key_pem).expect("Failed to load CA key");
+    let ca_cert = CertificateParams::from_ca_cert_pem(&ca_cert_pem)
+        .expect("Failed to parse embedded CA certificate")
+        .self_signed(&ca_kp)
+        .expect("Failed to self-sign embedded CA cert");
+    let ee_key = KeyPair::generate_for(&rcgen::PKCS_ECDSA_P256_SHA256).unwrap();
+    let mut ee_params = CertificateParams::default();
+    use std::net::IpAddr;
+    ee_params.subject_alt_names = domains
+        .iter()
+        .map(|domain| {
+            if let Ok(ip) = domain.parse::<IpAddr>() {
+                SanType::IpAddress(ip)
+            } else {
+                SanType::DnsName(domain.clone().try_into().unwrap())
+            }
+        })
+        .collect();
+    ee_params
+        .distinguished_name
+        .push(DnType::CommonName, domains[0].clone());
+    ee_params.use_authority_key_identifier_extension = true;
+    let ee_cert = ee_params.signed_by(&ee_key, &ca_cert, &ca_kp).unwrap();
+    let ee_cert_der = ee_cert.der().to_vec();
+    let ee_cert = CertificateDer::from(ee_cert_der);
+    let ca_cert = CertificateDer::from(ca_cert.der().to_vec());
+    Ok((
+        vec![ee_cert, ca_cert],
+        PrivateKeyDer::try_from(ee_key.serialize_der()).unwrap(),
+    ))
+}
+fn get_or_create_local_dev_ca() -> Result<(String, String)> {
+    let ca_dir = &*ITSI_LOCAL_CA_DIR;
+    fs::create_dir_all(ca_dir)?;
+    let key_path = ca_dir.join("itsi_dev_ca.key");
+    let cert_path = ca_dir.join("itsi_dev_ca.crt");
+    if key_path.exists() && cert_path.exists() {
+        // Already have a local CA
+        let key_pem = fs::read_to_string(&key_path)?;
+        let cert_pem = fs::read_to_string(&cert_path)?;
+        Ok((key_pem, cert_pem))
+    } else {
+        let subject_alt_names = vec!["dev.itsi.fyi".to_string(), "localhost".to_string()];
+        let mut params = CertificateParams::new(subject_alt_names)?;
+        let mut distinguished_name = DistinguishedName::new();
+        distinguished_name.push(DnType::CommonName, "Itsi Development CA");
+        params.distinguished_name = distinguished_name;
+        params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
+        let key_pair = KeyPair::generate()?;
+        let cert = params.self_signed(&key_pair)?;
+        fs::write(&key_path, key_pair.serialize_pem())?;
+        fs::write(&cert_path, cert.pem())?;
+        Ok((key_pair.serialize_pem(), cert.pem()))
+    }
+}

data/ext/itsi_server/src/server/byte_frame.rs ADDED Viewed

@@ -0,0 +1,32 @@
+use std::ops::Deref;
+use bytes::Bytes;
+#[derive(Debug)]
+pub enum ByteFrame {
+    Data(Bytes),
+    End(Bytes),
+    Empty,
+}
+impl Deref for ByteFrame {
+    type Target = Bytes;
+    fn deref(&self) -> &Self::Target {
+        match self {
+            ByteFrame::Data(data) => data,
+            ByteFrame::End(data) => data,
+            ByteFrame::Empty => unreachable!(),
+        }
+    }
+}
+impl From<ByteFrame> for Bytes {
+    fn from(frame: ByteFrame) -> Self {
+        match frame {
+            ByteFrame::Data(data) => data,
+            ByteFrame::End(data) => data,
+            ByteFrame::Empty => unreachable!(),
+        }
+    }
+}

data/ext/itsi_server/src/server/http_message_types.rs ADDED Viewed

@@ -0,0 +1,97 @@
+use std::convert::Infallible;
+use bytes::Bytes;
+use http::{Request, Response};
+use http_body_util::combinators::BoxBody;
+use hyper::body::Incoming;
+use super::size_limited_incoming::SizeLimitedIncoming;
+pub type HttpResponse = Response<BoxBody<Bytes, Infallible>>;
+pub type HttpRequest = Request<SizeLimitedIncoming<Incoming>>;
+pub trait ConversionExt {
+    fn limit(self) -> HttpRequest;
+}
+impl ConversionExt for Request<Incoming> {
+    fn limit(self) -> HttpRequest {
+        let (parts, body) = self.into_parts();
+        Request::from_parts(parts, SizeLimitedIncoming::new(body))
+    }
+}
+pub trait RequestExt {
+    fn content_type(&self) -> Option<&str>;
+    fn accept(&self) -> Option<&str>;
+    fn header(&self, header_name: &str) -> Option<&str>;
+    fn query_param(&self, query_name: &str) -> Option<&str>;
+}
+pub trait PathExt {
+    fn no_trailing_slash(&self) -> &str;
+}
+#[derive(Debug, Clone)]
+pub enum ResponseFormat {
+    JSON,
+    HTML,
+    TEXT,
+    UNKNOWN,
+}
+#[derive(Debug, Clone, Default)]
+pub struct SupportedEncodingSet {
+    pub zstd: bool,
+    pub br: bool,
+    pub deflate: bool,
+    pub gzip: bool,
+}
+impl From<Option<&str>> for ResponseFormat {
+    fn from(value: Option<&str>) -> Self {
+        match value {
+            Some("application/json") => ResponseFormat::JSON,
+            Some("text/html") => ResponseFormat::HTML,
+            Some("text/plain") => ResponseFormat::TEXT,
+            _ => ResponseFormat::UNKNOWN,
+        }
+    }
+}
+impl PathExt for str {
+    fn no_trailing_slash(&self) -> &str {
+        if self == "/" {
+            self
+        } else {
+            self.trim_end_matches("/")
+        }
+    }
+}
+impl RequestExt for HttpRequest {
+    fn content_type(&self) -> Option<&str> {
+        self.headers()
+            .get("content-type")
+            .map(|hv| hv.to_str().unwrap_or(""))
+    }
+    fn accept(&self) -> Option<&str> {
+        self.headers()
+            .get("accept")
+            .map(|hv| hv.to_str().unwrap_or(""))
+    }
+    fn header(&self, header_name: &str) -> Option<&str> {
+        self.headers()
+            .get(header_name)
+            .map(|hv| hv.to_str().unwrap_or(""))
+    }
+    fn query_param(&self, query_name: &str) -> Option<&str> {
+        self.uri()
+            .query()
+            .and_then(|query| query.split('&').find(|param| param.starts_with(query_name)))
+            .map(|param| param.split('=').nth(1).unwrap_or(""))
+    }
+}

data/ext/itsi_server/src/server/io_stream.rs ADDED Viewed

@@ -0,0 +1,105 @@
+use pin_project::pin_project;
+use tokio::net::{TcpStream, UnixStream};
+use tokio_rustls::server::TlsStream;
+use std::os::unix::io::{AsRawFd, RawFd};
+use std::pin::Pin;
+use std::task::{Context, Poll};
+use tokio::io::{AsyncRead, AsyncWrite};
+use super::binds::listener::SockAddr;
+#[pin_project(project = IoStreamEnumProj)]
+pub enum IoStream {
+    Tcp {
+        #[pin]
+        stream: TcpStream,
+        addr: SockAddr,
+    },
+    TcpTls {
+        #[pin]
+        stream: TlsStream<TcpStream>,
+        addr: SockAddr,
+    },
+    Unix {
+        #[pin]
+        stream: UnixStream,
+        addr: SockAddr,
+    },
+    UnixTls {
+        #[pin]
+        stream: TlsStream<UnixStream>,
+        addr: SockAddr,
+    },
+}
+impl IoStream {
+    pub fn addr(&self) -> SockAddr {
+        match self {
+            IoStream::Tcp { addr, .. } => addr.clone(),
+            IoStream::TcpTls { addr, .. } => addr.clone(),
+            IoStream::Unix { addr, .. } => addr.clone(),
+            IoStream::UnixTls { addr, .. } => addr.clone(),
+        }
+    }
+}
+impl AsyncRead for IoStream {
+    fn poll_read(
+        self: Pin<&mut Self>,
+        cx: &mut Context<'_>,
+        buf: &mut tokio::io::ReadBuf<'_>,
+    ) -> Poll<std::io::Result<()>> {
+        match self.project() {
+            IoStreamEnumProj::Tcp { stream, .. } => stream.poll_read(cx, buf),
+            IoStreamEnumProj::TcpTls { stream, .. } => stream.poll_read(cx, buf),
+            IoStreamEnumProj::Unix { stream, .. } => stream.poll_read(cx, buf),
+            IoStreamEnumProj::UnixTls { stream, .. } => stream.poll_read(cx, buf),
+        }
+    }
+}
+impl AsyncWrite for IoStream {
+    fn poll_write(
+        self: Pin<&mut Self>,
+        cx: &mut Context<'_>,
+        buf: &[u8],
+    ) -> Poll<std::io::Result<usize>> {
+        match self.project() {
+            IoStreamEnumProj::Tcp { stream, .. } => stream.poll_write(cx, buf),
+            IoStreamEnumProj::TcpTls { stream, .. } => stream.poll_write(cx, buf),
+            IoStreamEnumProj::Unix { stream, .. } => stream.poll_write(cx, buf),
+            IoStreamEnumProj::UnixTls { stream, .. } => stream.poll_write(cx, buf),
+        }
+    }
+    fn poll_flush(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<std::io::Result<()>> {
+        match self.project() {
+            IoStreamEnumProj::Tcp { stream, .. } => stream.poll_flush(cx),
+            IoStreamEnumProj::TcpTls { stream, .. } => stream.poll_flush(cx),
+            IoStreamEnumProj::Unix { stream, .. } => stream.poll_flush(cx),
+            IoStreamEnumProj::UnixTls { stream, .. } => stream.poll_flush(cx),
+        }
+    }
+    fn poll_shutdown(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<std::io::Result<()>> {
+        match self.project() {
+            IoStreamEnumProj::Tcp { stream, .. } => stream.poll_shutdown(cx),
+            IoStreamEnumProj::TcpTls { stream, .. } => stream.poll_shutdown(cx),
+            IoStreamEnumProj::Unix { stream, .. } => stream.poll_shutdown(cx),
+            IoStreamEnumProj::UnixTls { stream, .. } => stream.poll_shutdown(cx),
+        }
+    }
+}
+impl AsRawFd for IoStream {
+    fn as_raw_fd(&self) -> RawFd {
+        // For immutable access, we can simply pattern-match on self.
+        match self {
+            IoStream::Tcp { stream, .. } => stream.as_raw_fd(),
+            IoStream::TcpTls { stream, .. } => stream.get_ref().0.as_raw_fd(),
+            IoStream::Unix { stream, .. } => stream.as_raw_fd(),
+            IoStream::UnixTls { stream, .. } => stream.get_ref().0.as_raw_fd(),
+        }
+    }
+}

data/ext/itsi_server/src/server/lifecycle_event.rs ADDED Viewed

@@ -0,0 +1,12 @@
+#[derive(Debug, Clone)]
+pub enum LifecycleEvent {
+    Start,
+    Shutdown,
+    Restart,
+    Reload,
+    IncreaseWorkers,
+    DecreaseWorkers,
+    ForceShutdown,
+    PrintInfo,
+    ChildTerminated,
+}

data/ext/itsi_server/src/server/middleware_stack/middleware.rs ADDED Viewed

@@ -0,0 +1,165 @@
+use crate::{
+    server::http_message_types::{HttpRequest, HttpResponse},
+    services::itsi_http_service::HttpRequestContext,
+};
+use super::middlewares::*;
+use async_trait::async_trait;
+use either::Either;
+use magnus::error::Result;
+use std::cmp::Ordering;
+#[derive(Debug)]
+pub enum Middleware {
+    AllowList(AllowList),
+    AuthAPIKey(AuthAPIKey),
+    AuthBasic(AuthBasic),
+    AuthJwt(Box<AuthJwt>),
+    CacheControl(CacheControl),
+    Compression(Compression),
+    Cors(Box<Cors>),
+    DenyList(DenyList),
+    ETag(ETag),
+    IntrusionProtection(IntrusionProtection),
+    LogRequests(LogRequests),
+    MaxBody(MaxBody),
+    Proxy(Proxy),
+    RateLimit(RateLimit),
+    Redirect(Redirect),
+    RequestHeaders(RequestHeaders),
+    ResponseHeaders(ResponseHeaders),
+    RubyApp(RubyApp),
+    StaticAssets(StaticAssets),
+    StaticResponse(StaticResponse),
+}
+#[async_trait]
+impl MiddlewareLayer for Middleware {
+    /// Called just once, to initialize the middleware state.
+    async fn initialize(&self) -> Result<()> {
+        match self {
+            Middleware::DenyList(filter) => filter.initialize().await,
+            Middleware::AllowList(filter) => filter.initialize().await,
+            Middleware::AuthBasic(filter) => filter.initialize().await,
+            Middleware::AuthJwt(filter) => filter.initialize().await,
+            Middleware::AuthAPIKey(filter) => filter.initialize().await,
+            Middleware::IntrusionProtection(filter) => filter.initialize().await,
+            Middleware::MaxBody(filter) => filter.initialize().await,
+            Middleware::RateLimit(filter) => filter.initialize().await,
+            Middleware::RequestHeaders(filter) => filter.initialize().await,
+            Middleware::ResponseHeaders(filter) => filter.initialize().await,
+            Middleware::CacheControl(filter) => filter.initialize().await,
+            Middleware::Cors(filter) => filter.initialize().await,
+            Middleware::ETag(filter) => filter.initialize().await,
+            Middleware::StaticAssets(filter) => filter.initialize().await,
+            Middleware::StaticResponse(filter) => filter.initialize().await,
+            Middleware::Compression(filter) => filter.initialize().await,
+            Middleware::LogRequests(filter) => filter.initialize().await,
+            Middleware::Redirect(filter) => filter.initialize().await,
+            Middleware::Proxy(filter) => filter.initialize().await,
+            Middleware::RubyApp(filter) => filter.initialize().await,
+        }
+    }
+    async fn before(
+        &self,
+        req: HttpRequest,
+        context: &mut HttpRequestContext,
+    ) -> Result<Either<HttpRequest, HttpResponse>> {
+        match self {
+            Middleware::DenyList(filter) => filter.before(req, context).await,
+            Middleware::AllowList(filter) => filter.before(req, context).await,
+            Middleware::AuthBasic(filter) => filter.before(req, context).await,
+            Middleware::AuthJwt(filter) => filter.before(req, context).await,
+            Middleware::AuthAPIKey(filter) => filter.before(req, context).await,
+            Middleware::IntrusionProtection(filter) => filter.before(req, context).await,
+            Middleware::MaxBody(filter) => filter.before(req, context).await,
+            Middleware::RequestHeaders(filter) => filter.before(req, context).await,
+            Middleware::ResponseHeaders(filter) => filter.before(req, context).await,
+            Middleware::RateLimit(filter) => filter.before(req, context).await,
+            Middleware::CacheControl(filter) => filter.before(req, context).await,
+            Middleware::Cors(filter) => filter.before(req, context).await,
+            Middleware::ETag(filter) => filter.before(req, context).await,
+            Middleware::StaticAssets(filter) => filter.before(req, context).await,
+            Middleware::StaticResponse(filter) => filter.before(req, context).await,
+            Middleware::Compression(filter) => filter.before(req, context).await,
+            Middleware::LogRequests(filter) => filter.before(req, context).await,
+            Middleware::Redirect(filter) => filter.before(req, context).await,
+            Middleware::Proxy(filter) => filter.before(req, context).await,
+            Middleware::RubyApp(filter) => filter.before(req, context).await,
+        }
+    }
+    async fn after(&self, res: HttpResponse, context: &mut HttpRequestContext) -> HttpResponse {
+        match self {
+            Middleware::DenyList(filter) => filter.after(res, context).await,
+            Middleware::AllowList(filter) => filter.after(res, context).await,
+            Middleware::AuthBasic(filter) => filter.after(res, context).await,
+            Middleware::AuthJwt(filter) => filter.after(res, context).await,
+            Middleware::AuthAPIKey(filter) => filter.after(res, context).await,
+            Middleware::IntrusionProtection(filter) => filter.after(res, context).await,
+            Middleware::MaxBody(filter) => filter.after(res, context).await,
+            Middleware::RateLimit(filter) => filter.after(res, context).await,
+            Middleware::RequestHeaders(filter) => filter.after(res, context).await,
+            Middleware::ResponseHeaders(filter) => filter.after(res, context).await,
+            Middleware::CacheControl(filter) => filter.after(res, context).await,
+            Middleware::Cors(filter) => filter.after(res, context).await,
+            Middleware::ETag(filter) => filter.after(res, context).await,
+            Middleware::StaticAssets(filter) => filter.after(res, context).await,
+            Middleware::StaticResponse(filter) => filter.after(res, context).await,
+            Middleware::Compression(filter) => filter.after(res, context).await,
+            Middleware::LogRequests(filter) => filter.after(res, context).await,
+            Middleware::Redirect(filter) => filter.after(res, context).await,
+            Middleware::Proxy(filter) => filter.after(res, context).await,
+            Middleware::RubyApp(filter) => filter.after(res, context).await,
+        }
+    }
+}
+impl Middleware {
+    fn variant_order(&self) -> usize {
+        match self {
+            Middleware::DenyList(_) => 0,
+            Middleware::AllowList(_) => 1,
+            Middleware::IntrusionProtection(_) => 2,
+            Middleware::Redirect(_) => 3,
+            Middleware::LogRequests(_) => 4,
+            Middleware::CacheControl(_) => 5,
+            Middleware::RequestHeaders(_) => 6,
+            Middleware::ResponseHeaders(_) => 7,
+            Middleware::MaxBody(_) => 8,
+            Middleware::AuthBasic(_) => 9,
+            Middleware::AuthJwt(_) => 10,
+            Middleware::AuthAPIKey(_) => 11,
+            Middleware::RateLimit(_) => 12,
+            Middleware::ETag(_) => 13,
+            Middleware::Compression(_) => 14,
+            Middleware::Proxy(_) => 15,
+            Middleware::Cors(_) => 16,
+            Middleware::StaticResponse(_) => 17,
+            Middleware::StaticAssets(_) => 18,
+            Middleware::RubyApp(_) => 19,
+        }
+    }
+}
+impl PartialEq for Middleware {
+    fn eq(&self, other: &Self) -> bool {
+        self.variant_order() == other.variant_order()
+    }
+}
+impl Eq for Middleware {}
+impl PartialOrd for Middleware {
+    fn partial_cmp(&self, other: &Self) -> Option<Ordering> {
+        Some(self.variant_order().cmp(&other.variant_order()))
+    }
+}
+impl Ord for Middleware {
+    fn cmp(&self, other: &Self) -> Ordering {
+        self.variant_order().cmp(&other.variant_order())
+    }
+}