RubyGems - itsi-server - Versions diffs - 0.1.1 → 0.2.2 - Mend

itsi-server 0.1.1 → 0.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (457) hide show

data/ext/itsi_server/src/server/middleware_stack/middleware.rs ADDED Viewed

@@ -0,0 +1,170 @@
+use crate::{
+    server::http_message_types::{HttpRequest, HttpResponse},
+    services::itsi_http_service::HttpRequestContext,
+};
+use super::middlewares::*;
+use async_trait::async_trait;
+use either::Either;
+use magnus::error::Result;
+use std::{cmp::Ordering, sync::Arc};
+#[derive(Debug, Clone)]
+pub enum Middleware {
+    AllowList(Arc<AllowList>),
+    AuthAPIKey(Arc<AuthAPIKey>),
+    AuthBasic(Arc<AuthBasic>),
+    AuthJwt(Arc<AuthJwt>),
+    CacheControl(Arc<CacheControl>),
+    Compression(Arc<Compression>),
+    Cors(Arc<Cors>),
+    Csp(Arc<Csp>),
+    DenyList(Arc<DenyList>),
+    ETag(Arc<ETag>),
+    IntrusionProtection(Arc<IntrusionProtection>),
+    LogRequests(Arc<LogRequests>),
+    MaxBody(Arc<MaxBody>),
+    Proxy(Arc<Proxy>),
+    RateLimit(Arc<RateLimit>),
+    Redirect(Arc<Redirect>),
+    RequestHeaders(Arc<RequestHeaders>),
+    ResponseHeaders(Arc<ResponseHeaders>),
+    RubyApp(Arc<RubyApp>),
+    StaticAssets(Arc<StaticAssets>),
+    StaticResponse(Arc<StaticResponse>),
+}
+#[async_trait]
+impl MiddlewareLayer for Middleware {
+    /// Called just once, to initialize the middleware state.
+    async fn initialize(&self) -> Result<()> {
+        match self {
+            Middleware::DenyList(filter) => filter.initialize().await,
+            Middleware::AllowList(filter) => filter.initialize().await,
+            Middleware::AuthBasic(filter) => filter.initialize().await,
+            Middleware::AuthJwt(filter) => filter.initialize().await,
+            Middleware::AuthAPIKey(filter) => filter.initialize().await,
+            Middleware::IntrusionProtection(filter) => filter.initialize().await,
+            Middleware::MaxBody(filter) => filter.initialize().await,
+            Middleware::RateLimit(filter) => filter.initialize().await,
+            Middleware::RequestHeaders(filter) => filter.initialize().await,
+            Middleware::ResponseHeaders(filter) => filter.initialize().await,
+            Middleware::CacheControl(filter) => filter.initialize().await,
+            Middleware::Cors(filter) => filter.initialize().await,
+            Middleware::Csp(filter) => filter.initialize().await,
+            Middleware::ETag(filter) => filter.initialize().await,
+            Middleware::StaticAssets(filter) => filter.initialize().await,
+            Middleware::StaticResponse(filter) => filter.initialize().await,
+            Middleware::Compression(filter) => filter.initialize().await,
+            Middleware::LogRequests(filter) => filter.initialize().await,
+            Middleware::Redirect(filter) => filter.initialize().await,
+            Middleware::Proxy(filter) => filter.initialize().await,
+            Middleware::RubyApp(filter) => filter.initialize().await,
+        }
+    }
+    async fn before(
+        &self,
+        req: HttpRequest,
+        context: &mut HttpRequestContext,
+    ) -> Result<Either<HttpRequest, HttpResponse>> {
+        match self {
+            Middleware::DenyList(filter) => filter.before(req, context).await,
+            Middleware::AllowList(filter) => filter.before(req, context).await,
+            Middleware::AuthBasic(filter) => filter.before(req, context).await,
+            Middleware::AuthJwt(filter) => filter.before(req, context).await,
+            Middleware::AuthAPIKey(filter) => filter.before(req, context).await,
+            Middleware::IntrusionProtection(filter) => filter.before(req, context).await,
+            Middleware::MaxBody(filter) => filter.before(req, context).await,
+            Middleware::RequestHeaders(filter) => filter.before(req, context).await,
+            Middleware::ResponseHeaders(filter) => filter.before(req, context).await,
+            Middleware::RateLimit(filter) => filter.before(req, context).await,
+            Middleware::CacheControl(filter) => filter.before(req, context).await,
+            Middleware::Cors(filter) => filter.before(req, context).await,
+            Middleware::Csp(filter) => filter.before(req, context).await,
+            Middleware::ETag(filter) => filter.before(req, context).await,
+            Middleware::StaticAssets(filter) => filter.before(req, context).await,
+            Middleware::StaticResponse(filter) => filter.before(req, context).await,
+            Middleware::Compression(filter) => filter.before(req, context).await,
+            Middleware::LogRequests(filter) => filter.before(req, context).await,
+            Middleware::Redirect(filter) => filter.before(req, context).await,
+            Middleware::Proxy(filter) => filter.before(req, context).await,
+            Middleware::RubyApp(filter) => filter.before(req, context).await,
+        }
+    }
+    async fn after(&self, res: HttpResponse, context: &mut HttpRequestContext) -> HttpResponse {
+        match self {
+            Middleware::DenyList(filter) => filter.after(res, context).await,
+            Middleware::AllowList(filter) => filter.after(res, context).await,
+            Middleware::AuthBasic(filter) => filter.after(res, context).await,
+            Middleware::AuthJwt(filter) => filter.after(res, context).await,
+            Middleware::AuthAPIKey(filter) => filter.after(res, context).await,
+            Middleware::IntrusionProtection(filter) => filter.after(res, context).await,
+            Middleware::MaxBody(filter) => filter.after(res, context).await,
+            Middleware::RateLimit(filter) => filter.after(res, context).await,
+            Middleware::RequestHeaders(filter) => filter.after(res, context).await,
+            Middleware::ResponseHeaders(filter) => filter.after(res, context).await,
+            Middleware::CacheControl(filter) => filter.after(res, context).await,
+            Middleware::Csp(filter) => filter.after(res, context).await,
+            Middleware::Cors(filter) => filter.after(res, context).await,
+            Middleware::ETag(filter) => filter.after(res, context).await,
+            Middleware::StaticAssets(filter) => filter.after(res, context).await,
+            Middleware::StaticResponse(filter) => filter.after(res, context).await,
+            Middleware::Compression(filter) => filter.after(res, context).await,
+            Middleware::LogRequests(filter) => filter.after(res, context).await,
+            Middleware::Redirect(filter) => filter.after(res, context).await,
+            Middleware::Proxy(filter) => filter.after(res, context).await,
+            Middleware::RubyApp(filter) => filter.after(res, context).await,
+        }
+    }
+}
+impl Middleware {
+    fn variant_order(&self) -> usize {
+        match self {
+            Middleware::DenyList(_) => 0,
+            Middleware::AllowList(_) => 1,
+            Middleware::IntrusionProtection(_) => 2,
+            Middleware::Redirect(_) => 3,
+            Middleware::LogRequests(_) => 4,
+            Middleware::CacheControl(_) => 5,
+            Middleware::RequestHeaders(_) => 6,
+            Middleware::ResponseHeaders(_) => 7,
+            Middleware::MaxBody(_) => 8,
+            Middleware::AuthBasic(_) => 9,
+            Middleware::AuthJwt(_) => 10,
+            Middleware::AuthAPIKey(_) => 11,
+            Middleware::RateLimit(_) => 12,
+            Middleware::ETag(_) => 13,
+            Middleware::Csp(_) => 14,
+            Middleware::Compression(_) => 15,
+            Middleware::Proxy(_) => 16,
+            Middleware::Cors(_) => 17,
+            Middleware::StaticResponse(_) => 18,
+            Middleware::StaticAssets(_) => 19,
+            Middleware::RubyApp(_) => 20,
+        }
+    }
+}
+impl PartialEq for Middleware {
+    fn eq(&self, other: &Self) -> bool {
+        self.variant_order() == other.variant_order()
+    }
+}
+impl Eq for Middleware {}
+impl PartialOrd for Middleware {
+    fn partial_cmp(&self, other: &Self) -> Option<Ordering> {
+        Some(self.variant_order().cmp(&other.variant_order()))
+    }
+}
+impl Ord for Middleware {
+    fn cmp(&self, other: &Self) -> Ordering {
+        self.variant_order().cmp(&other.variant_order())
+    }
+}

data/ext/itsi_server/src/server/middleware_stack/middlewares/allow_list.rs ADDED Viewed

@@ -0,0 +1,63 @@
+use super::{token_source::TokenSource, ErrorResponse, FromValue, MiddlewareLayer};
+use crate::{
+    server::http_message_types::{HttpRequest, HttpResponse, RequestExt},
+    services::itsi_http_service::HttpRequestContext,
+};
+use async_trait::async_trait;
+use either::Either;
+use itsi_error::ItsiError;
+use magnus::error::Result;
+use regex::RegexSet;
+use serde::Deserialize;
+use std::{collections::HashMap, sync::OnceLock};
+use tracing::debug;
+#[derive(Debug, Clone, Deserialize)]
+pub struct AllowList {
+    #[serde(skip_deserializing)]
+    pub allowed_ips: OnceLock<RegexSet>,
+    pub allowed_patterns: Vec<String>,
+    pub trusted_proxies: HashMap<String, TokenSource>,
+    #[serde(default = "forbidden_error_response")]
+    pub error_response: ErrorResponse,
+}
+fn forbidden_error_response() -> ErrorResponse {
+    ErrorResponse::forbidden()
+}
+#[async_trait]
+impl MiddlewareLayer for AllowList {
+    async fn initialize(&self) -> Result<()> {
+        let allowed_ips = RegexSet::new(&self.allowed_patterns).map_err(ItsiError::new)?;
+        self.allowed_ips
+            .set(allowed_ips)
+            .map_err(|e| ItsiError::new(format!("Failed to set allowed IPs: {:?}", e)))?;
+        Ok(())
+    }
+    async fn before(
+        &self,
+        req: HttpRequest,
+        context: &mut HttpRequestContext,
+    ) -> Result<Either<HttpRequest, HttpResponse>> {
+        if let Some(allowed_ips) = self.allowed_ips.get() {
+            let addr = if self.trusted_proxies.contains_key(&context.addr) {
+                let source = self.trusted_proxies.get(&context.addr).unwrap();
+                source.extract_token(&req).unwrap_or(&context.addr)
+            } else {
+                &context.addr
+            };
+            if !allowed_ips.is_match(addr) {
+                debug!(target: "middleware::allow_list", "IP address {} is not allowed", addr);
+                return Ok(Either::Right(
+                    self.error_response
+                        .to_http_response(req.accept().into())
+                        .await,
+                ));
+            }
+        }
+        Ok(Either::Left(req))
+    }
+}
+impl FromValue for AllowList {}

data/ext/itsi_server/src/server/middleware_stack/middlewares/auth_api_key.rs ADDED Viewed

@@ -0,0 +1,94 @@
+use std::collections::HashMap;
+use crate::{
+    server::http_message_types::{HttpRequest, HttpResponse, RequestExt},
+    services::{itsi_http_service::HttpRequestContext, password_hasher},
+};
+use super::{error_response::ErrorResponse, token_source::TokenSource, FromValue, MiddlewareLayer};
+use async_trait::async_trait;
+use either::Either;
+use magnus::error::Result;
+use serde::Deserialize;
+use tracing::debug;
+type PasswordHash = String;
+/// A simple API key filter.
+/// The API key can be given inside the header or a query string
+/// Keys are validated against a list of allowed key values (Changing these requires a restart)
+#[derive(Debug, Clone, Deserialize)]
+pub struct AuthAPIKey {
+    pub valid_keys: HashMap<String, PasswordHash>,
+    pub key_id_source: Option<TokenSource>,
+    pub token_source: TokenSource,
+    #[serde(default = "unauthorized_error_response")]
+    pub error_response: ErrorResponse,
+}
+fn unauthorized_error_response() -> ErrorResponse {
+    ErrorResponse::unauthorized()
+}
+#[async_trait]
+impl MiddlewareLayer for AuthAPIKey {
+    async fn before(
+        &self,
+        req: HttpRequest,
+        _context: &mut HttpRequestContext,
+    ) -> Result<Either<HttpRequest, HttpResponse>> {
+        if let Some(submitted_key) = match &self.token_source {
+            TokenSource::Header { name, prefix } => {
+                if let Some(header) = req.header(name) {
+                    if let Some(prefix) = prefix {
+                        Some(header.strip_prefix(prefix).unwrap_or("").trim_ascii())
+                    } else {
+                        Some(header.trim_ascii())
+                    }
+                } else {
+                    None
+                }
+            }
+            TokenSource::Query(query_name) => req.query_param(query_name),
+        } {
+            debug!(target: "middleware::auth_api_key", "API Key Retrieved. Anonymous {}", self.key_id_source.is_none());
+            if let Some(key_id) = self.key_id_source.as_ref() {
+                let key_id = match &key_id {
+                    TokenSource::Header { name, prefix } => {
+                        if let Some(header) = req.header(name) {
+                            if let Some(prefix) = prefix {
+                                Some(header.strip_prefix(prefix).unwrap_or("").trim_ascii())
+                            } else {
+                                Some(header.trim_ascii())
+                            }
+                        } else {
+                            None
+                        }
+                    }
+                    TokenSource::Query(query_name) => req.query_param(query_name),
+                };
+                debug!(target: "middleware::auth_api_key", "Key ID Retrieved");
+                if let Some(hash) = key_id.and_then(|kid| self.valid_keys.get(kid)) {
+                    debug!(target: "middleware::auth_api_key", "Key for ID found");
+                    if password_hasher::verify_password_hash(submitted_key, hash).is_ok_and(|v| v) {
+                        return Ok(Either::Left(req));
+                    }
+                }
+            } else if self.valid_keys.values().any(|key| {
+                password_hasher::verify_password_hash(submitted_key, key).is_ok_and(|v| v)
+            }) {
+                return Ok(Either::Left(req));
+            }
+        }
+        debug!(target: "middleware::auth_api_key", "Failed to authenticate API key");
+        Ok(Either::Right(
+            self.error_response
+                .to_http_response(req.accept().into())
+                .await,
+        ))
+    }
+}
+impl FromValue for AuthAPIKey {}

data/ext/itsi_server/src/server/middleware_stack/middlewares/auth_basic.rs ADDED Viewed

@@ -0,0 +1,94 @@
+use async_trait::async_trait;
+use base64::{engine::general_purpose, Engine};
+use bytes::Bytes;
+use either::Either;
+use http::{Response, StatusCode};
+use http_body_util::{combinators::BoxBody, Full};
+use magnus::error::Result;
+use serde::{Deserialize, Serialize};
+use std::collections::HashMap;
+use std::str;
+use tracing::debug;
+use crate::{
+    server::http_message_types::{HttpRequest, HttpResponse, RequestExt},
+    services::{itsi_http_service::HttpRequestContext, password_hasher::verify_password_hash},
+};
+use super::{FromValue, MiddlewareLayer};
+type PasswordHash = String;
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct AuthBasic {
+    pub realm: String,
+    /// Maps usernames to passwords.
+    pub credential_pairs: HashMap<String, PasswordHash>,
+}
+impl AuthBasic {
+    fn basic_auth_failed_response(&self) -> HttpResponse {
+        Response::builder()
+            .status(StatusCode::UNAUTHORIZED)
+            .header(
+                "WWW-Authenticate",
+                format!("Basic realm=\"{}\"", self.realm),
+            )
+            .body(BoxBody::new(Full::new(Bytes::from("Unauthorized"))))
+            .unwrap()
+    }
+}
+#[async_trait]
+impl MiddlewareLayer for AuthBasic {
+    async fn before(
+        &self,
+        req: HttpRequest,
+        _context: &mut HttpRequestContext,
+    ) -> Result<Either<HttpRequest, HttpResponse>> {
+        // Retrieve the Authorization header.
+        let auth_header = req.header("Authorization");
+        if !auth_header.is_some_and(|header| header.starts_with("Basic ")) {
+            debug!(target: "middleware::auth_basic", "Basic auth failed. Authorization Header doesn't start with 'Basic '");
+            return Ok(Either::Right(self.basic_auth_failed_response()));
+        }
+        let auth_header = auth_header.unwrap();
+        let encoded_credentials = &auth_header["Basic ".len()..];
+        let decoded = match general_purpose::STANDARD.decode(encoded_credentials) {
+            Ok(bytes) => bytes,
+            Err(_) => {
+                debug!(target: "middleware::auth_basic", "Basic auth failed. Decoding failed");
+                return Ok(Either::Right(self.basic_auth_failed_response()));
+            }
+        };
+        let decoded_str = match str::from_utf8(&decoded) {
+            Ok(s) => s,
+            Err(_) => {
+                debug!(target: "middleware::auth_basic", "Basic auth failed. Decoding failed");
+                return Ok(Either::Right(self.basic_auth_failed_response()));
+            }
+        };
+        let mut parts = decoded_str.splitn(2, ':');
+        let username = parts.next().unwrap_or("");
+        let password = parts.next().unwrap_or("");
+        match self.credential_pairs.get(username) {
+            Some(expected_password_hash) => {
+                match verify_password_hash(password, expected_password_hash) {
+                    Ok(true) => Ok(Either::Left(req)),
+                    _ => Ok(Either::Right(self.basic_auth_failed_response())),
+                }
+            }
+            None => {
+                debug!(target: "middleware::auth_basic", "Basic auth failed. Username {} not found", username);
+                Ok(Either::Right(self.basic_auth_failed_response()))
+            }
+        }
+    }
+}
+impl FromValue for AuthBasic {}