RubyGems - itsi-server - Versions diffs - 0.1.1 → 0.1.20 - Mend

itsi-server 0.1.1 → 0.1.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of itsi-server might be problematic. Click here for more details.

Files changed (324) hide show

data/ext/itsi_server/src/server/middleware_stack/middlewares/etag.rs ADDED Viewed

@@ -0,0 +1,195 @@
+use crate::{
+    server::http_message_types::{HttpRequest, HttpResponse},
+    services::itsi_http_service::HttpRequestContext,
+};
+use super::{FromValue, MiddlewareLayer};
+use async_trait::async_trait;
+use base64::{engine::general_purpose, Engine as _};
+use bytes::{Bytes, BytesMut};
+use either::Either;
+use futures::TryStreamExt;
+use http::{header, HeaderValue, Response, StatusCode};
+use http_body_util::{combinators::BoxBody, BodyExt, Empty, Full};
+use hyper::body::Body;
+use magnus::error::Result;
+use serde::Deserialize;
+use sha2::{Digest, Sha256};
+#[derive(Debug, Clone, Copy, Deserialize, Default)]
+pub enum ETagType {
+    #[serde(rename = "strong")]
+    #[default]
+    Strong,
+    #[serde(rename = "weak")]
+    Weak,
+}
+#[derive(Debug, Clone, Copy, Deserialize, Default)]
+pub enum HashAlgorithm {
+    #[serde(rename = "sha256")]
+    #[default]
+    Sha256,
+    #[serde(rename = "md5")]
+    Md5,
+}
+#[derive(Debug, Clone, Deserialize)]
+pub struct ETag {
+    #[serde(default)]
+    pub r#type: ETagType,
+    #[serde(default)]
+    pub algorithm: HashAlgorithm,
+    #[serde(default)]
+    pub min_body_size: usize,
+    #[serde(default = "default_true")]
+    pub handle_if_none_match: bool,
+}
+fn default_true() -> bool {
+    true
+}
+#[async_trait]
+impl MiddlewareLayer for ETag {
+    async fn before(
+        &self,
+        req: HttpRequest,
+        context: &mut HttpRequestContext,
+    ) -> Result<Either<HttpRequest, HttpResponse>> {
+        // Store if-none-match header in context if present for later use in after hook
+        if self.handle_if_none_match {
+            if let Some(if_none_match) = req.headers().get(header::IF_NONE_MATCH) {
+                if let Ok(etag_value) = if_none_match.to_str() {
+                    context.set_if_none_match(Some(etag_value.to_string()));
+                }
+            }
+        }
+        Ok(Either::Left(req))
+    }
+    async fn after(&self, resp: HttpResponse, context: &mut HttpRequestContext) -> HttpResponse {
+        // Skip for error responses or responses that shouldn't have ETags
+        match resp.status() {
+            StatusCode::OK
+            | StatusCode::CREATED
+            | StatusCode::ACCEPTED
+            | StatusCode::NON_AUTHORITATIVE_INFORMATION
+            | StatusCode::NO_CONTENT
+            | StatusCode::PARTIAL_CONTENT => {}
+            _ => return resp,
+        }
+        // Skip if already has an ETag
+        if resp.headers().contains_key(header::ETAG) {
+            return resp;
+        }
+        // Skip if Cache-Control: no-store is present
+        if let Some(cache_control) = resp.headers().get(header::CACHE_CONTROL) {
+            if let Ok(cache_control_str) = cache_control.to_str() {
+                if cache_control_str.contains("no-store") {
+                    return resp;
+                }
+            }
+        }
+        // Check if body is a stream or fixed size using size_hint (similar to compression.rs)
+        let body_size = resp.size_hint().exact();
+        // Skip streaming bodies
+        if body_size.is_none() {
+            return resp;
+        }
+        // Skip if body is too small
+        if body_size.unwrap_or(0) < self.min_body_size as u64 {
+            return resp;
+        }
+        let (mut parts, mut body) = resp.into_parts();
+        let etag_value = if let Some(existing_etag) = parts.headers.get(header::ETAG) {
+            existing_etag.to_str().unwrap_or("").to_string()
+        } else {
+            // Get the full bytes from the body
+            let full_bytes: Bytes = match body
+                .into_data_stream()
+                .try_fold(BytesMut::new(), |mut acc, chunk| async move {
+                    acc.extend_from_slice(&chunk);
+                    Ok(acc)
+                })
+                .await
+            {
+                Ok(bytes_mut) => bytes_mut.freeze(),
+                Err(_) => return Response::from_parts(parts, BoxBody::new(Empty::new())),
+            };
+            let computed_etag = match self.algorithm {
+                HashAlgorithm::Sha256 => {
+                    let mut hasher = Sha256::new();
+                    hasher.update(&full_bytes);
+                    let result = hasher.finalize();
+                    general_purpose::STANDARD.encode(result)
+                }
+                HashAlgorithm::Md5 => {
+                    let digest = md5::compute(&full_bytes);
+                    format!("{:x}", digest)
+                }
+            };
+            let formatted_etag = match self.r#type {
+                ETagType::Strong => format!("\"{}\"", computed_etag),
+                ETagType::Weak => format!("W/\"{}\"", computed_etag),
+            };
+            if let Ok(value) = HeaderValue::from_str(&formatted_etag) {
+                parts.headers.insert(header::ETAG, value);
+            }
+            body = Full::new(full_bytes).boxed();
+            formatted_etag
+        };
+        // Handle 304 Not Modified if we have an If-None-Match header and it matches
+        if self.handle_if_none_match {
+            if let Some(if_none_match) = context.get_if_none_match() {
+                if if_none_match == etag_value || if_none_match == "*" {
+                    // Return 304 Not Modified without the body
+                    let mut not_modified = Response::new(BoxBody::new(Empty::new()));
+                    *not_modified.status_mut() = StatusCode::NOT_MODIFIED;
+                    // Copy headers we want to preserve
+                    for (name, value) in parts.headers.iter() {
+                        if matches!(
+                            name,
+                            &header::CACHE_CONTROL
+                                | &header::CONTENT_LOCATION
+                                | &header::DATE
+                                | &header::ETAG
+                                | &header::EXPIRES
+                                | &header::VARY
+                        ) {
+                            not_modified.headers_mut().insert(name, value.clone());
+                        }
+                    }
+                    return not_modified;
+                }
+            }
+        }
+        // Recreate response with the original body and the ETag header
+        Response::from_parts(parts, body)
+    }
+}
+impl Default for ETag {
+    fn default() -> Self {
+        Self {
+            r#type: ETagType::Strong,
+            algorithm: HashAlgorithm::Sha256,
+            min_body_size: 0,
+            handle_if_none_match: true,
+        }
+    }
+}
+impl FromValue for ETag {}

data/ext/itsi_server/src/server/middleware_stack/middlewares/header_interpretation.rs ADDED Viewed

@@ -0,0 +1,82 @@
+use http::{header::GetAll, HeaderValue};
+/// Given a list of header values (which may be comma-separated and may have quality parameters)
+/// and a list of supported items (each supported item is a full value or a prefix ending with '*'),
+/// return Some(supported_item) for the first supported item that matches any header value, or None.
+pub fn find_first_supported<'a, I>(header_values: &[HeaderValue], supported: I) -> Option<&'a str>
+where
+    I: IntoIterator<Item = &'a str> + Clone,
+{
+    // best candidate: (quality, supported_index, candidate)
+    let mut best: Option<(f32, usize, &'a str)> = None;
+    for value in header_values.iter() {
+        if let Ok(s) = value.to_str() {
+            for token in s.split(',') {
+                let token = token.trim();
+                if token.is_empty() {
+                    continue;
+                }
+                let mut parts = token.split(';');
+                let enc = parts.next()?.trim();
+                if enc.is_empty() {
+                    continue;
+                }
+                let quality = parts
+                    .find_map(|p| {
+                        let p = p.trim();
+                        if let Some(q_str) = p.strip_prefix("q=") {
+                            q_str.parse::<f32>().ok()
+                        } else {
+                            None
+                        }
+                    })
+                    .unwrap_or(1.0);
+                // For each supported encoding, iterate over a clone of the iterable.
+                for (i, supp) in supported.clone().into_iter().enumerate() {
+                    let is_match = if supp == "*" {
+                        true
+                    } else if let Some(prefix) = supp.strip_suffix('*') {
+                        enc.starts_with(prefix)
+                    } else {
+                        enc.eq_ignore_ascii_case(supp)
+                    };
+                    if is_match {
+                        best = match best {
+                            Some((best_q, best_idx, _))
+                                if quality > best_q || (quality == best_q && i < best_idx) =>
+                            {
+                                Some((quality, i, supp))
+                            }
+                            None => Some((quality, i, supp)),
+                            _ => best,
+                        };
+                    }
+                }
+            }
+        }
+    }
+    best.map(|(_, _, candidate)| candidate)
+}
+pub fn header_contains(header_values: &GetAll<HeaderValue>, needle: &str) -> bool {
+    if needle == "*" {
+        return true;
+    }
+    let mut headers = header_values
+        .iter()
+        .flat_map(|value| value.to_str().unwrap_or("").split(','))
+        .map(|s| s.trim().split(';').next().unwrap_or(""))
+        .filter(|s| !s.is_empty());
+    let needle_lower = needle;
+    if needle.ends_with('*') {
+        let prefix = &needle_lower[..needle_lower.len() - 1];
+        headers.any(|h| h.starts_with(prefix))
+    } else {
+        headers.any(|h| h == needle_lower)
+    }
+}

data/ext/itsi_server/src/server/middleware_stack/middlewares/intrusion_protection.rs ADDED Viewed

@@ -0,0 +1,201 @@
+use crate::server::http_message_types::{HttpRequest, HttpResponse, RequestExt};
+use crate::services::itsi_http_service::HttpRequestContext;
+use crate::services::rate_limiter::{
+    get_ban_manager, get_rate_limiter, BanManager, RateLimiter, RateLimiterConfig,
+};
+use super::{ErrorResponse, FromValue, MiddlewareLayer};
+use async_trait::async_trait;
+use either::Either;
+use itsi_tracing::*;
+use magnus::error::Result;
+use regex::RegexSet;
+use serde::Deserialize;
+use std::time::Duration;
+use std::{
+    collections::HashMap,
+    sync::{Arc, OnceLock},
+};
+#[derive(Debug, Clone, Deserialize)]
+pub struct IntrusionProtection {
+    #[serde(skip_deserializing)]
+    pub banned_url_pattern_matcher: OnceLock<RegexSet>,
+    #[serde(default)]
+    pub banned_url_patterns: Vec<String>,
+    #[serde(skip_deserializing)]
+    pub banned_header_pattern_matchers: OnceLock<HashMap<String, RegexSet>>,
+    #[serde(default)]
+    pub banned_header_patterns: HashMap<String, Vec<String>>,
+    pub banned_time_seconds: u64,
+    #[serde(skip_deserializing)]
+    pub rate_limiter: OnceLock<Arc<dyn RateLimiter>>,
+    #[serde(skip_deserializing)]
+    pub ban_manager: OnceLock<BanManager>,
+    pub store_config: RateLimiterConfig,
+    #[serde(default = "forbidden_error_response")]
+    pub error_response: ErrorResponse,
+}
+fn forbidden_error_response() -> ErrorResponse {
+    ErrorResponse::forbidden()
+}
+#[async_trait]
+impl MiddlewareLayer for IntrusionProtection {
+    async fn initialize(&self) -> Result<()> {
+        // Initialize regex matchers for URL patterns
+        if !self.banned_url_patterns.is_empty() {
+            match RegexSet::new(&self.banned_url_patterns) {
+                Ok(regex_set) => {
+                    let _ = self.banned_url_pattern_matcher.set(regex_set);
+                }
+                Err(e) => {
+                    error!("Failed to compile URL regex patterns: {:?}", e);
+                }
+            }
+        }
+        // Initialize regex matchers for header patterns
+        if !self.banned_header_patterns.is_empty() {
+            let mut header_matchers = HashMap::new();
+            for (header_name, patterns) in &self.banned_header_patterns {
+                if !patterns.is_empty() {
+                    match RegexSet::new(patterns) {
+                        Ok(regex_set) => {
+                            header_matchers.insert(header_name.clone(), regex_set);
+                        }
+                        Err(e) => {
+                            error!(
+                                "Failed to compile header regex patterns for {}: {:?}",
+                                header_name, e
+                            );
+                        }
+                    }
+                }
+            }
+            let _ = self.banned_header_pattern_matchers.set(header_matchers);
+        }
+        // Initialize rate limiter (used for tracking bans)
+        // This will automatically fall back to in-memory if Redis fails
+        if let Ok(limiter) = get_rate_limiter(&self.store_config).await {
+            let _ = self.rate_limiter.set(limiter);
+        }
+        // Initialize ban manager
+        // This will automatically fall back to in-memory if Redis fails
+        if let Ok(manager) = get_ban_manager(&self.store_config).await {
+            let _ = self.ban_manager.set(manager);
+        }
+        Ok(())
+    }
+    async fn before(
+        &self,
+        req: HttpRequest,
+        context: &mut HttpRequestContext,
+    ) -> Result<Either<HttpRequest, HttpResponse>> {
+        // Get client IP address from context's service
+        let client_ip = &context.addr;
+        // Check if the IP is already banned
+        if let Some(ban_manager) = self.ban_manager.get() {
+            match ban_manager.is_banned(client_ip).await {
+                Ok(Some(_)) => {
+                    return Ok(Either::Right(
+                        self.error_response
+                            .to_http_response(req.accept().into())
+                            .await,
+                    ));
+                }
+                Err(e) => {
+                    error!("Error checking IP ban status: {:?}", e);
+                    // Continue processing - fail open
+                }
+                _ => {
+                    // Not banned, continue with intrusion checks
+                }
+            }
+        } else {
+            warn!("No ban manager available for intrusion protection");
+        }
+        // Check for banned URL patterns
+        if let Some(url_matcher) = self.banned_url_pattern_matcher.get() {
+            let path = req.uri().path_and_query().map(|p| p.as_str()).unwrap_or("");
+            if url_matcher.is_match(path) {
+                if let Some(ban_manager) = self.ban_manager.get() {
+                    match ban_manager
+                        .ban_ip(
+                            client_ip,
+                            &format!("Banned URL pattern detected: {}", path),
+                            Duration::from_secs(self.banned_time_seconds),
+                        )
+                        .await
+                    {
+                        Ok(_) => {}
+                        Err(e) => error!("Failed to ban IP {}: {:?}", client_ip, e),
+                    }
+                }
+                // Always return the error response even if banning failed
+                return Ok(Either::Right(
+                    self.error_response
+                        .to_http_response(req.accept().into())
+                        .await,
+                ));
+            }
+        }
+        // Check for banned header patterns
+        if let Some(header_matchers) = self.banned_header_pattern_matchers.get() {
+            for (header_name, pattern_set) in header_matchers {
+                if let Some(header_value) = req.header(header_name) {
+                    if pattern_set.is_match(header_value) {
+                        info!(
+                            "Intrusion detected: Header pattern match for {} in header {}",
+                            header_value, header_name
+                        );
+                        // Ban the IP address if possible
+                        if let Some(ban_manager) = self.ban_manager.get() {
+                            match ban_manager
+                                .ban_ip(
+                                    client_ip,
+                                    &format!(
+                                        "Banned header pattern detected: {} in {}",
+                                        header_value, header_name
+                                    ),
+                                    Duration::from_secs(self.banned_time_seconds),
+                                )
+                                .await
+                            {
+                                Ok(_) => info!(
+                                    "Successfully banned IP {} for {} seconds",
+                                    client_ip, self.banned_time_seconds
+                                ),
+                                Err(e) => error!("Failed to ban IP {}: {:?}", client_ip, e),
+                            }
+                        }
+                        // Always return the error response even if banning failed
+                        return Ok(Either::Right(
+                            self.error_response
+                                .to_http_response(req.accept().into())
+                                .await,
+                        ));
+                    }
+                }
+            }
+        }
+        // No intrusion detected
+        Ok(Either::Left(req))
+    }
+}
+impl FromValue for IntrusionProtection {}

data/ext/itsi_server/src/server/middleware_stack/middlewares/log_requests.rs ADDED Viewed

@@ -0,0 +1,82 @@
+use async_trait::async_trait;
+use either::Either;
+use itsi_tracing::*;
+use magnus::error::Result;
+use serde::Deserialize;
+use crate::server::http_message_types::{HttpRequest, HttpResponse};
+use crate::services::itsi_http_service::HttpRequestContext;
+use super::string_rewrite::StringRewrite;
+use super::{FromValue, MiddlewareLayer};
+/// Logging middleware for HTTP requests and responses
+///
+/// Supports customizable log formats with placeholders
+#[derive(Debug, Clone, Deserialize)]
+pub struct LogRequests {
+    pub before: Option<LogConfig>,
+    pub after: Option<LogConfig>,
+}
+#[derive(Debug, Clone, Deserialize)]
+pub struct LogConfig {
+    level: LogMiddlewareLevel,
+    format: StringRewrite,
+}
+#[derive(Debug, Clone, Deserialize)]
+pub enum LogMiddlewareLevel {
+    #[serde(rename(deserialize = "INFO"))]
+    Info,
+    #[serde(rename(deserialize = "TRACE"))]
+    Trace,
+    #[serde(rename(deserialize = "DEBUG"))]
+    Debug,
+    #[serde(rename(deserialize = "WARN"))]
+    Warn,
+    #[serde(rename(deserialize = "ERROR"))]
+    Error,
+}
+impl LogMiddlewareLevel {
+    pub fn log(&self, message: String) {
+        match self {
+            LogMiddlewareLevel::Trace => trace!(message),
+            LogMiddlewareLevel::Debug => debug!(message),
+            LogMiddlewareLevel::Info => info!(message),
+            LogMiddlewareLevel::Warn => warn!(message),
+            LogMiddlewareLevel::Error => error!(message),
+        }
+    }
+}
+#[async_trait]
+impl MiddlewareLayer for LogRequests {
+    async fn initialize(&self) -> Result<()> {
+        Ok(())
+    }
+    async fn before(
+        &self,
+        req: HttpRequest,
+        context: &mut HttpRequestContext,
+    ) -> Result<Either<HttpRequest, HttpResponse>> {
+        context.track_start_time();
+        if let Some(LogConfig { level, format }) = self.before.as_ref() {
+            level.log(format.rewrite_request(&req, context));
+        }
+        Ok(Either::Left(req))
+    }
+    async fn after(&self, resp: HttpResponse, context: &mut HttpRequestContext) -> HttpResponse {
+        if let Some(LogConfig { level, format }) = self.after.as_ref() {
+            level.log(format.rewrite_response(&resp, context));
+        }
+        resp
+    }
+}
+impl FromValue for LogRequests {}

data/ext/itsi_server/src/server/middleware_stack/middlewares/max_body.rs ADDED Viewed

@@ -0,0 +1,47 @@
+use crate::{
+    server::http_message_types::{HttpRequest, HttpResponse, RequestExt},
+    services::itsi_http_service::HttpRequestContext,
+};
+use super::{ErrorResponse, FromValue, MiddlewareLayer};
+use async_trait::async_trait;
+use either::Either;
+use http::StatusCode;
+use magnus::error::Result;
+use serde::Deserialize;
+use std::sync::atomic::Ordering;
+#[derive(Debug, Clone, Deserialize)]
+pub struct MaxBody {
+    pub max_size: usize,
+    #[serde(default = "payload_too_large_error_response")]
+    pub error_response: ErrorResponse,
+}
+fn payload_too_large_error_response() -> ErrorResponse {
+    ErrorResponse::payload_too_large()
+}
+#[async_trait]
+impl MiddlewareLayer for MaxBody {
+    async fn before(
+        &self,
+        req: HttpRequest,
+        context: &mut HttpRequestContext,
+    ) -> Result<Either<HttpRequest, HttpResponse>> {
+        req.body().limit.store(self.max_size, Ordering::Relaxed);
+        context.set_response_format(req.accept().into());
+        Ok(Either::Left(req))
+    }
+    async fn after(&self, resp: HttpResponse, context: &mut HttpRequestContext) -> HttpResponse {
+        if resp.status() == StatusCode::PAYLOAD_TOO_LARGE {
+            self.error_response
+                .to_http_response(context.response_format().clone())
+                .await
+        } else {
+            resp
+        }
+    }
+}
+impl FromValue for MaxBody {}