RubyGems - itsi-server - Versions diffs - 0.1.1 → 0.1.20 - Mend

itsi-server 0.1.1 → 0.1.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of itsi-server might be problematic. Click here for more details.

Files changed (324) hide show

data/ext/itsi_server/src/server/middleware_stack/middlewares/compression.rs ADDED Viewed

@@ -0,0 +1,289 @@
+use crate::{
+    server::http_message_types::HttpResponse, services::itsi_http_service::HttpRequestContext,
+};
+use super::{
+    header_interpretation::{find_first_supported, header_contains},
+    FromValue, MiddlewareLayer,
+};
+use async_compression::{
+    tokio::bufread::{BrotliEncoder, DeflateEncoder, GzipEncoder, ZstdEncoder},
+    Level,
+};
+use async_trait::async_trait;
+use bytes::{Bytes, BytesMut};
+use futures::TryStreamExt;
+use http::{
+    header::{GetAll, CONTENT_ENCODING, CONTENT_LENGTH, CONTENT_TYPE},
+    HeaderValue, Response,
+};
+use http_body_util::{combinators::BoxBody, BodyExt, Full, StreamBody};
+use hyper::body::{Body, Frame};
+use serde::{Deserialize, Serialize};
+use std::convert::Infallible;
+use tokio::io::{AsyncRead, AsyncReadExt, BufReader};
+use tokio_stream::StreamExt;
+use tokio_util::io::{ReaderStream, StreamReader};
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct Compression {
+    min_size: usize,
+    algorithms: Vec<CompressionAlgorithm>,
+    compress_streams: bool,
+    mime_types: Vec<MimeType>,
+    level: CompressionLevel,
+}
+#[derive(Debug, Clone, Serialize, Deserialize)]
+enum CompressionLevel {
+    #[serde(rename(deserialize = "fastest"))]
+    Fastest,
+    #[serde(rename(deserialize = "best"))]
+    Best,
+    #[serde(rename(deserialize = "default"))]
+    Default,
+    #[serde(rename(deserialize = "precise"))]
+    Precise(i32),
+}
+impl CompressionLevel {
+    fn to_async_compression_level(&self) -> Level {
+        match self {
+            CompressionLevel::Fastest => Level::Fastest,
+            CompressionLevel::Best => Level::Best,
+            CompressionLevel::Default => Level::Default,
+            CompressionLevel::Precise(level) => Level::Precise(*level),
+        }
+    }
+}
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, PartialOrd, Eq, Ord)]
+pub enum CompressionAlgorithm {
+    #[serde(rename(deserialize = "gzip"))]
+    Gzip,
+    #[serde(rename(deserialize = "brotli"))]
+    Brotli,
+    #[serde(rename(deserialize = "deflate"))]
+    Deflate,
+    #[serde(rename(deserialize = "zstd"))]
+    Zstd,
+    #[serde(rename(deserialize = "none"))]
+    None,
+}
+impl CompressionAlgorithm {
+    pub fn as_str(&self) -> &'static str {
+        match self {
+            CompressionAlgorithm::Gzip => "gzip",
+            CompressionAlgorithm::Brotli => "br",
+            CompressionAlgorithm::Deflate => "deflate",
+            CompressionAlgorithm::Zstd => "zstd",
+            CompressionAlgorithm::None => "none",
+        }
+    }
+    pub fn header_value(&self) -> HeaderValue {
+        HeaderValue::from_str(self.as_str()).unwrap()
+    }
+}
+#[derive(Debug, Clone, Serialize, Deserialize)]
+enum MimeType {
+    #[serde(rename(deserialize = "text"))]
+    Text,
+    #[serde(rename(deserialize = "image"))]
+    Image,
+    #[serde(rename(deserialize = "application"))]
+    Application,
+    #[serde(rename(deserialize = "audio"))]
+    Audio,
+    #[serde(rename(deserialize = "video"))]
+    Video,
+    #[serde(rename(deserialize = "other"))]
+    Other(String),
+    #[serde(rename(deserialize = "all"))]
+    All,
+}
+impl MimeType {
+    pub fn matches(&self, content_encodings: &GetAll<HeaderValue>) -> bool {
+        match self {
+            MimeType::Text => header_contains(content_encodings, "text/*"),
+            MimeType::Image => header_contains(content_encodings, "image/*"),
+            MimeType::Application => header_contains(content_encodings, "application/*"),
+            MimeType::Audio => header_contains(content_encodings, "audio/*"),
+            MimeType::Video => header_contains(content_encodings, "video/*"),
+            MimeType::Other(v) => header_contains(content_encodings, v),
+            MimeType::All => header_contains(content_encodings, "*"),
+        }
+    }
+}
+fn stream_encode<R>(encoder: R) -> BoxBody<Bytes, Infallible>
+where
+    R: AsyncRead + Unpin + Sync + Send + 'static,
+{
+    let encoded_stream = ReaderStream::new(encoder).map(|res| {
+        res.map(Frame::data)
+            .map_err(|_| -> Infallible { unreachable!("We handle IO errors above") })
+    });
+    BoxBody::new(StreamBody::new(encoded_stream))
+}
+fn update_content_encoding(parts: &mut http::response::Parts, new_encoding: HeaderValue) {
+    if let Some(existing) = parts.headers.get(CONTENT_ENCODING) {
+        let mut encodings = existing.to_str().unwrap_or("").to_owned();
+        if !encodings.is_empty() {
+            encodings.push_str(", ");
+        }
+        encodings.push_str(new_encoding.to_str().unwrap());
+        parts
+            .headers
+            .insert(CONTENT_ENCODING, HeaderValue::from_str(&encodings).unwrap());
+    } else {
+        parts.headers.insert(CONTENT_ENCODING, new_encoding);
+    }
+}
+#[async_trait]
+impl MiddlewareLayer for Compression {
+    /// We'll apply compression on the response, where appropriate.
+    /// This is if:
+    /// * The response body is larger than the minimum size.
+    /// * The response content type is supported.
+    /// * The client supports the compression algorithm.
+    async fn after(&self, resp: HttpResponse, context: &mut HttpRequestContext) -> HttpResponse {
+        let body_size = resp.size_hint().exact();
+        let resp = resp;
+        // Don't compress if it's not an explicitly listed compressable type
+        if !self
+            .mime_types
+            .iter()
+            .any(|mt| mt.matches(&resp.headers().get_all(CONTENT_TYPE)))
+        {
+            return resp;
+        }
+        // Don't compress streams unless compress streams is enabled.
+        if body_size.is_none() && !self.compress_streams {
+            return resp;
+        }
+        // Don't compress too small bodies
+        if body_size.is_some_and(|s| s < self.min_size as u64) {
+            return resp;
+        }
+        // Don't recompress if we're already compressed in a supported format
+        for existing_encoding in resp.headers().get_all(CONTENT_ENCODING) {
+            if let Ok(encodings) = existing_encoding.to_str() {
+                for encoding in encodings.split(',').map(str::trim) {
+                    let encoding = encoding.split(';').next().unwrap_or(encoding).trim();
+                    if self.algorithms.iter().any(|algo| algo.as_str() == encoding) {
+                        return resp;
+                    }
+                }
+            }
+        }
+        let compression_method = match find_first_supported(
+            &context.supported_encoding_set,
+            self.algorithms.iter().map(|algo| algo.as_str()),
+        ) {
+            Some("gzip") => CompressionAlgorithm::Gzip,
+            Some("br") => CompressionAlgorithm::Brotli,
+            Some("deflate") => CompressionAlgorithm::Deflate,
+            Some("zstd") => CompressionAlgorithm::Zstd,
+            _ => CompressionAlgorithm::None,
+        };
+        if matches!(compression_method, CompressionAlgorithm::None) {
+            return resp;
+        }
+        let (mut parts, body) = resp.into_parts();
+        let new_body = if let Some(_size) = body_size {
+            let full_bytes: Bytes = body
+                .into_data_stream()
+                .try_fold(BytesMut::new(), |mut acc, chunk| async move {
+                    acc.extend_from_slice(&chunk);
+                    Ok(acc)
+                })
+                .await
+                .unwrap()
+                .freeze();
+            let cursor = std::io::Cursor::new(full_bytes);
+            let reader = BufReader::new(cursor);
+            let compressed_bytes = match compression_method {
+                CompressionAlgorithm::Gzip => {
+                    let mut encoder =
+                        GzipEncoder::with_quality(reader, self.level.to_async_compression_level());
+                    let mut buf = Vec::new();
+                    encoder.read_to_end(&mut buf).await.unwrap();
+                    buf
+                }
+                CompressionAlgorithm::Brotli => {
+                    let mut encoder = BrotliEncoder::with_quality(
+                        reader,
+                        self.level.to_async_compression_level(),
+                    );
+                    let mut buf = Vec::new();
+                    encoder.read_to_end(&mut buf).await.unwrap();
+                    buf
+                }
+                CompressionAlgorithm::Deflate => {
+                    let mut encoder = DeflateEncoder::with_quality(
+                        reader,
+                        self.level.to_async_compression_level(),
+                    );
+                    let mut buf = Vec::new();
+                    encoder.read_to_end(&mut buf).await.unwrap();
+                    buf
+                }
+                CompressionAlgorithm::Zstd => {
+                    let mut encoder =
+                        ZstdEncoder::with_quality(reader, self.level.to_async_compression_level());
+                    let mut buf = Vec::new();
+                    encoder.read_to_end(&mut buf).await.unwrap();
+                    buf
+                }
+                CompressionAlgorithm::None => unreachable!(),
+            };
+            BoxBody::new(Full::new(Bytes::from(compressed_bytes)))
+        } else {
+            let stream = body
+                .into_data_stream()
+                .map_err(|e| std::io::Error::new(std::io::ErrorKind::Other, e));
+            let async_read_fut = StreamReader::new(stream);
+            let reader = BufReader::new(async_read_fut);
+            match compression_method {
+                CompressionAlgorithm::Gzip => stream_encode(GzipEncoder::with_quality(
+                    reader,
+                    self.level.to_async_compression_level(),
+                )),
+                CompressionAlgorithm::Brotli => stream_encode(BrotliEncoder::with_quality(
+                    reader,
+                    self.level.to_async_compression_level(),
+                )),
+                CompressionAlgorithm::Deflate => stream_encode(DeflateEncoder::with_quality(
+                    reader,
+                    self.level.to_async_compression_level(),
+                )),
+                CompressionAlgorithm::Zstd => stream_encode(ZstdEncoder::with_quality(
+                    reader,
+                    self.level.to_async_compression_level(),
+                )),
+                CompressionAlgorithm::None => unreachable!(),
+            }
+        };
+        update_content_encoding(&mut parts, compression_method.header_value());
+        parts.headers.remove(CONTENT_LENGTH);
+        Response::from_parts(parts, new_body)
+    }
+}
+impl FromValue for Compression {}

data/ext/itsi_server/src/server/middleware_stack/middlewares/cors.rs ADDED Viewed

@@ -0,0 +1,292 @@
+use super::{FromValue, MiddlewareLayer};
+use crate::{
+    server::http_message_types::{HttpRequest, HttpResponse, RequestExt},
+    services::itsi_http_service::HttpRequestContext,
+};
+use async_trait::async_trait;
+use http::{HeaderMap, Method, Response};
+use http_body_util::{combinators::BoxBody, Empty};
+use itsi_error::ItsiError;
+use magnus::error::Result;
+use serde::Deserialize;
+#[derive(Debug, Clone, Deserialize)]
+pub struct Cors {
+    pub allowed_origins: Vec<String>,
+    pub allowed_methods: Vec<HttpMethod>,
+    pub allowed_headers: Vec<String>,
+    pub exposed_headers: Vec<String>,
+    pub allow_credentials: bool,
+    pub max_age: Option<u64>,
+}
+#[derive(Debug, Clone, Deserialize)]
+pub enum HttpMethod {
+    #[serde(rename(deserialize = "GET"))]
+    Get,
+    #[serde(rename(deserialize = "POST"))]
+    Post,
+    #[serde(rename(deserialize = "PUT"))]
+    Put,
+    #[serde(rename(deserialize = "DELETE"))]
+    Delete,
+    #[serde(rename(deserialize = "OPTIONS"))]
+    Options,
+    #[serde(rename(deserialize = "HEAD"))]
+    Head,
+    #[serde(rename(deserialize = "PATCH"))]
+    Patch,
+}
+impl HttpMethod {
+    pub fn matches(&self, other: &str) -> bool {
+        match self {
+            HttpMethod::Get => other.eq_ignore_ascii_case("GET"),
+            HttpMethod::Post => other.eq_ignore_ascii_case("POST"),
+            HttpMethod::Put => other.eq_ignore_ascii_case("PUT"),
+            HttpMethod::Delete => other.eq_ignore_ascii_case("DELETE"),
+            HttpMethod::Options => other.eq_ignore_ascii_case("OPTIONS"),
+            HttpMethod::Head => other.eq_ignore_ascii_case("HEAD"),
+            HttpMethod::Patch => other.eq_ignore_ascii_case("PATCH"),
+        }
+    }
+    pub fn to_str(&self) -> &str {
+        match self {
+            HttpMethod::Get => "GET",
+            HttpMethod::Post => "POST",
+            HttpMethod::Put => "PUT",
+            HttpMethod::Delete => "DELETE",
+            HttpMethod::Options => "OPTIONS",
+            HttpMethod::Head => "HEAD",
+            HttpMethod::Patch => "PATCH",
+        }
+    }
+}
+impl Cors {
+    /// Generate the simple CORS headers (used in normal responses)
+    fn cors_headers(&self, origin: &str) -> Result<HeaderMap> {
+        let mut headers = HeaderMap::new();
+        headers.insert("Vary", "Origin".parse().map_err(ItsiError::new)?);
+        if origin.is_empty() {
+            // When credentials are allowed, you cannot return "*".
+            if !self.allow_credentials {
+                headers.insert(
+                    "Access-Control-Allow-Origin",
+                    "*".parse().map_err(ItsiError::new)?,
+                );
+            }
+            return Ok(headers);
+        }
+        // Only return a header if the origin is allowed.
+        if self.allowed_origins.iter().any(|o| o == origin || o == "*") {
+            // If credentials are allowed, we must echo back the exact origin.
+            let value = if self.allow_credentials {
+                origin
+            } else {
+                // If not, and if "*" is allowed, you can still use "*".
+                if self.allowed_origins.iter().any(|o| o == "*") {
+                    "*"
+                } else {
+                    origin
+                }
+            };
+            headers.insert(
+                "Access-Control-Allow-Origin",
+                value.parse().map_err(ItsiError::new)?,
+            );
+        }
+        if !self.allowed_methods.is_empty() {
+            headers.insert(
+                "Access-Control-Allow-Methods",
+                self.allowed_methods
+                    .iter()
+                    .map(HttpMethod::to_str)
+                    .collect::<Vec<&str>>()
+                    .join(", ")
+                    .parse()
+                    .map_err(ItsiError::new)?,
+            );
+        }
+        if !self.allowed_headers.is_empty() {
+            headers.insert(
+                "Access-Control-Allow-Headers",
+                self.allowed_headers
+                    .join(", ")
+                    .parse()
+                    .map_err(ItsiError::new)?,
+            );
+        }
+        if self.allow_credentials {
+            headers.insert(
+                "Access-Control-Allow-Credentials",
+                "true".parse().map_err(ItsiError::new)?,
+            );
+        }
+        if let Some(max_age) = self.max_age {
+            headers.insert(
+                "Access-Control-Max-Age",
+                max_age.to_string().parse().map_err(ItsiError::new)?,
+            );
+        }
+        if !self.exposed_headers.is_empty() {
+            headers.insert(
+                "Access-Control-Expose-Headers",
+                self.exposed_headers
+                    .join(", ")
+                    .parse()
+                    .map_err(ItsiError::new)?,
+            );
+        }
+        Ok(headers)
+    }
+    fn preflight_headers(
+        &self,
+        origin: Option<&str>,
+        req_method: Option<&str>,
+        req_headers: Option<&str>,
+    ) -> Result<HeaderMap> {
+        let mut headers = HeaderMap::new();
+        headers.insert("Vary", "Origin".parse().map_err(ItsiError::new)?);
+        let origin = match origin {
+            Some(o) if !o.is_empty() => o,
+            _ => return Ok(headers), // Missing Origin – preflight fails
+        };
+        if !self
+            .allowed_origins
+            .iter()
+            .any(|allowed| allowed == "*" || allowed == origin)
+        {
+            return Ok(headers);
+        }
+        let request_method = match req_method {
+            Some(m) if !m.is_empty() => m,
+            _ => return Ok(headers), // Missing request method – preflight fails
+        };
+        if !self
+            .allowed_methods
+            .iter()
+            .any(|m| m.matches(request_method))
+        {
+            return Ok(headers);
+        }
+        if let Some(request_headers) = req_headers {
+            let req_headers_list: Vec<&str> = request_headers
+                .split(',')
+                .map(|s| s.trim())
+                .filter(|s| !s.is_empty())
+                .collect();
+            for header in req_headers_list {
+                if !self
+                    .allowed_headers
+                    .iter()
+                    .any(|allowed| allowed.eq_ignore_ascii_case(header))
+                {
+                    return Ok(headers);
+                }
+            }
+        }
+        headers.insert("Access-Control-Allow-Origin", origin.parse().unwrap());
+        headers.insert(
+            "Access-Control-Allow-Methods",
+            self.allowed_methods
+                .iter()
+                .map(HttpMethod::to_str)
+                .collect::<Vec<&str>>()
+                .join(", ")
+                .parse()
+                .map_err(ItsiError::new)?,
+        );
+        headers.insert(
+            "Access-Control-Allow-Headers",
+            self.allowed_headers
+                .join(", ")
+                .parse()
+                .map_err(ItsiError::new)?,
+        );
+        if self.allow_credentials {
+            headers.insert(
+                "Access-Control-Allow-Credentials",
+                "true".parse().map_err(ItsiError::new)?,
+            );
+        }
+        if let Some(max_age) = self.max_age {
+            headers.insert(
+                "Access-Control-Max-Age",
+                max_age.to_string().parse().map_err(ItsiError::new)?,
+            );
+        }
+        if !self.exposed_headers.is_empty() {
+            headers.insert(
+                "Access-Control-Expose-Headers",
+                self.exposed_headers
+                    .join(", ")
+                    .parse()
+                    .map_err(ItsiError::new)?,
+            );
+        }
+        Ok(headers)
+    }
+}
+#[async_trait]
+impl MiddlewareLayer for Cors {
+    // For OPTIONS (preflight) requests we:
+    // 1. Extract Origin, Access-Control-Request-Method, and Access-Control-Request-Headers.
+    // 2. Validate them using our hardened preflight_headers function.
+    // 3. If validations pass (i.e. headers is non-empty), return a 204 response with those headers.
+    // Otherwise, the absence of headers indicates the request doesn’t meet the CORS policy.
+    async fn before(
+        &self,
+        req: HttpRequest,
+        context: &mut HttpRequestContext,
+    ) -> Result<either::Either<HttpRequest, HttpResponse>> {
+        let origin = req.header("Origin");
+        if req.method() == Method::OPTIONS {
+            let ac_request_method = req.header("Access-Control-Request-Method");
+            let ac_request_headers = req.header("Access-Control-Request-Headers");
+            let headers = self.preflight_headers(origin, ac_request_method, ac_request_headers)?;
+            let mut response_builder = Response::builder().status(204);
+            *response_builder.headers_mut().unwrap() = headers;
+            let response = response_builder
+                .body(BoxBody::new(Empty::new()))
+                .map_err(ItsiError::new)?;
+            return Ok(either::Either::Right(response));
+        }
+        context.set_origin(origin.map(|s| s.to_string()));
+        Ok(either::Either::Left(req))
+    }
+    // The after hook can be used to inject CORS headers into non-preflight responses.
+    async fn after(
+        &self,
+        mut resp: HttpResponse,
+        context: &mut HttpRequestContext,
+    ) -> HttpResponse {
+        if let Some(Some(origin)) = context.origin.get() {
+            if let Ok(cors_headers) = self.cors_headers(origin) {
+                for (key, value) in cors_headers.iter() {
+                    resp.headers_mut().insert(key.clone(), value.clone());
+                }
+            }
+        }
+        resp
+    }
+}
+impl FromValue for Cors {}