RubyGems - itsi-server - Versions diffs - 0.1.1 → 0.2.2 - Mend

itsi-server 0.1.1 → 0.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (457) hide show

data/ext/itsi_server/src/server/middleware_stack/middlewares/etag.rs ADDED Viewed

@@ -0,0 +1,198 @@
+use crate::{
+    server::http_message_types::{HttpRequest, HttpResponse},
+    services::itsi_http_service::HttpRequestContext,
+};
+use super::{FromValue, MiddlewareLayer};
+use async_trait::async_trait;
+use base64::{engine::general_purpose, Engine as _};
+use bytes::{Bytes, BytesMut};
+use either::Either;
+use futures::TryStreamExt;
+use http::{header, HeaderValue, Response, StatusCode};
+use http_body_util::{combinators::BoxBody, BodyExt, Empty, Full};
+use hyper::body::Body;
+use magnus::error::Result;
+use serde::Deserialize;
+use sha2::{Digest, Sha256};
+use tracing::debug;
+#[derive(Debug, Clone, Copy, Deserialize, Default)]
+pub enum ETagType {
+    #[serde(rename = "strong")]
+    #[default]
+    Strong,
+    #[serde(rename = "weak")]
+    Weak,
+}
+#[derive(Debug, Clone, Copy, Deserialize, Default)]
+pub enum HashAlgorithm {
+    #[serde(rename = "sha256")]
+    #[default]
+    Sha256,
+    #[serde(rename = "md5")]
+    Md5,
+}
+#[derive(Debug, Clone, Deserialize)]
+pub struct ETag {
+    #[serde(default)]
+    pub r#type: ETagType,
+    #[serde(default)]
+    pub algorithm: HashAlgorithm,
+    #[serde(default)]
+    pub min_body_size: usize,
+    #[serde(default = "default_true")]
+    pub handle_if_none_match: bool,
+}
+fn default_true() -> bool {
+    true
+}
+#[async_trait]
+impl MiddlewareLayer for ETag {
+    async fn before(
+        &self,
+        req: HttpRequest,
+        context: &mut HttpRequestContext,
+    ) -> Result<Either<HttpRequest, HttpResponse>> {
+        // Store if-none-match header in context if present for later use in after hook
+        if self.handle_if_none_match {
+            if let Some(if_none_match) = req.headers().get(header::IF_NONE_MATCH) {
+                debug!(target: "middleware::etag", "Received If-None-Match header: {:?}", if_none_match);
+                if let Ok(etag_value) = if_none_match.to_str() {
+                    context.set_if_none_match(Some(etag_value.to_string()));
+                }
+            }
+        }
+        Ok(Either::Left(req))
+    }
+    async fn after(&self, resp: HttpResponse, context: &mut HttpRequestContext) -> HttpResponse {
+        // Skip for error responses or responses that shouldn't have ETags
+        match resp.status() {
+            StatusCode::OK
+            | StatusCode::CREATED
+            | StatusCode::ACCEPTED
+            | StatusCode::NON_AUTHORITATIVE_INFORMATION
+            | StatusCode::NO_CONTENT
+            | StatusCode::PARTIAL_CONTENT => {}
+            _ => {
+                debug!(target: "middleware::etag", "Skipping ETag middleware for ineligible response");
+                return resp;
+            }
+        }
+        if resp.headers().contains_key(header::ETAG) {
+            debug!(target: "middleware::etag", "Forwarding response with existing ETag");
+            return resp;
+        }
+        if let Some(cache_control) = resp.headers().get(header::CACHE_CONTROL) {
+            if let Ok(cache_control_str) = cache_control.to_str() {
+                if cache_control_str.contains("no-store") {
+                    debug!(target: "middleware::etag", "Skipping ETag for no-store response");
+                    return resp;
+                }
+            }
+        }
+        let body_size = resp.size_hint().exact();
+        if body_size.is_none() {
+            debug!(target: "middleware::etag", "Skipping ETag for streaming response");
+            return resp;
+        }
+        if body_size.unwrap_or(0) < self.min_body_size as u64 {
+            debug!(target: "middleware::etag", "Skipping ETag for small response");
+            return resp;
+        }
+        let (mut parts, mut body) = resp.into_parts();
+        let etag_value = if let Some(existing_etag) = parts.headers.get(header::ETAG) {
+            existing_etag.to_str().unwrap_or("").to_string()
+        } else {
+            // Get the full bytes from the body
+            let full_bytes: Bytes = match body
+                .into_data_stream()
+                .try_fold(BytesMut::new(), |mut acc, chunk| async move {
+                    acc.extend_from_slice(&chunk);
+                    Ok(acc)
+                })
+                .await
+            {
+                Ok(bytes_mut) => bytes_mut.freeze(),
+                Err(_) => return Response::from_parts(parts, BoxBody::new(Empty::new())),
+            };
+            let computed_etag = match self.algorithm {
+                HashAlgorithm::Sha256 => {
+                    let mut hasher = Sha256::new();
+                    hasher.update(&full_bytes);
+                    let result = hasher.finalize();
+                    general_purpose::STANDARD.encode(result)
+                }
+                HashAlgorithm::Md5 => {
+                    let digest = md5::compute(&full_bytes);
+                    format!("{:x}", digest)
+                }
+            };
+            let formatted_etag = match self.r#type {
+                ETagType::Strong => format!("\"{}\"", computed_etag),
+                ETagType::Weak => format!("W/\"{}\"", computed_etag),
+            };
+            debug!(target: "middleware::etag", "Computed ETag for response {}", formatted_etag);
+            if let Ok(value) = HeaderValue::from_str(&formatted_etag) {
+                parts.headers.insert(header::ETAG, value);
+            }
+            body = Full::new(full_bytes).boxed();
+            formatted_etag
+        };
+        if self.handle_if_none_match {
+            if let Some(if_none_match) = context.get_if_none_match() {
+                if if_none_match == etag_value || if_none_match == "*" {
+                    // Return 304 Not Modified without the body
+                    let mut not_modified = Response::new(BoxBody::new(Empty::new()));
+                    *not_modified.status_mut() = StatusCode::NOT_MODIFIED;
+                    // Copy headers we want to preserve
+                    for (name, value) in parts.headers.iter() {
+                        if matches!(
+                            name,
+                            &header::CACHE_CONTROL
+                                | &header::CONTENT_LOCATION
+                                | &header::DATE
+                                | &header::ETAG
+                                | &header::EXPIRES
+                                | &header::VARY
+                        ) {
+                            not_modified.headers_mut().insert(name, value.clone());
+                        }
+                    }
+                    return not_modified;
+                }
+            }
+        }
+        Response::from_parts(parts, body)
+    }
+}
+impl Default for ETag {
+    fn default() -> Self {
+        Self {
+            r#type: ETagType::Strong,
+            algorithm: HashAlgorithm::Sha256,
+            min_body_size: 0,
+            handle_if_none_match: true,
+        }
+    }
+}
+impl FromValue for ETag {}

data/ext/itsi_server/src/server/middleware_stack/middlewares/header_interpretation.rs ADDED Viewed

@@ -0,0 +1,82 @@
+use http::{header::GetAll, HeaderValue};
+/// Given a list of header values (which may be comma-separated and may have quality parameters)
+/// and a list of supported items (each supported item is a full value or a prefix ending with '*'),
+/// return Some(supported_item) for the first supported item that matches any header value, or None.
+pub fn find_first_supported<'a, I>(header_values: &[HeaderValue], supported: I) -> Option<&'a str>
+where
+    I: IntoIterator<Item = &'a str> + Clone,
+{
+    // best candidate: (quality, supported_index, candidate)
+    let mut best: Option<(f32, usize, &'a str)> = None;
+    for value in header_values.iter() {
+        if let Ok(s) = value.to_str() {
+            for token in s.split(',') {
+                let token = token.trim();
+                if token.is_empty() {
+                    continue;
+                }
+                let mut parts = token.split(';');
+                let enc = parts.next()?.trim();
+                if enc.is_empty() {
+                    continue;
+                }
+                let quality = parts
+                    .find_map(|p| {
+                        let p = p.trim();
+                        if let Some(q_str) = p.strip_prefix("q=") {
+                            q_str.parse::<f32>().ok()
+                        } else {
+                            None
+                        }
+                    })
+                    .unwrap_or(1.0);
+                // For each supported encoding, iterate over a clone of the iterable.
+                for (i, supp) in supported.clone().into_iter().enumerate() {
+                    let is_match = if supp == "*" {
+                        true
+                    } else if let Some(prefix) = supp.strip_suffix('*') {
+                        enc.starts_with(prefix)
+                    } else {
+                        enc.eq_ignore_ascii_case(supp)
+                    };
+                    if is_match {
+                        best = match best {
+                            Some((best_q, best_idx, _))
+                                if quality > best_q || (quality == best_q && i < best_idx) =>
+                            {
+                                Some((quality, i, supp))
+                            }
+                            None => Some((quality, i, supp)),
+                            _ => best,
+                        };
+                    }
+                }
+            }
+        }
+    }
+    best.map(|(_, _, candidate)| candidate)
+}
+pub fn header_contains(header_values: &GetAll<HeaderValue>, needle: &str) -> bool {
+    if needle == "*" {
+        return true;
+    }
+    let mut headers = header_values
+        .iter()
+        .flat_map(|value| value.to_str().unwrap_or("").split(','))
+        .map(|s| s.trim().split(';').next().unwrap_or(""))
+        .filter(|s| !s.is_empty());
+    let needle_lower = needle;
+    if needle.ends_with('*') {
+        let prefix = &needle_lower[..needle_lower.len() - 1];
+        headers.any(|h| h.starts_with(prefix))
+    } else {
+        headers.any(|h| h == needle_lower)
+    }
+}

data/ext/itsi_server/src/server/middleware_stack/middlewares/intrusion_protection.rs ADDED Viewed

@@ -0,0 +1,209 @@
+use crate::server::http_message_types::{HttpRequest, HttpResponse, RequestExt};
+use crate::services::itsi_http_service::HttpRequestContext;
+use crate::services::rate_limiter::{
+    get_ban_manager, get_rate_limiter, BanManager, RateLimiter, RateLimiterConfig,
+};
+use super::token_source::TokenSource;
+use super::{ErrorResponse, FromValue, MiddlewareLayer};
+use async_trait::async_trait;
+use either::Either;
+use itsi_tracing::*;
+use magnus::error::Result;
+use regex::RegexSet;
+use serde::Deserialize;
+use std::time::Duration;
+use std::{
+    collections::HashMap,
+    sync::{Arc, OnceLock},
+};
+#[derive(Debug, Clone, Deserialize)]
+pub struct IntrusionProtection {
+    #[serde(skip_deserializing)]
+    pub banned_url_pattern_matcher: OnceLock<RegexSet>,
+    #[serde(default)]
+    pub banned_url_patterns: Vec<String>,
+    #[serde(skip_deserializing)]
+    pub banned_header_pattern_matchers: OnceLock<HashMap<String, RegexSet>>,
+    #[serde(default)]
+    pub banned_header_patterns: HashMap<String, Vec<String>>,
+    pub banned_time_seconds: f64,
+    #[serde(skip_deserializing)]
+    pub rate_limiter: OnceLock<Arc<dyn RateLimiter>>,
+    #[serde(skip_deserializing)]
+    pub ban_manager: OnceLock<BanManager>,
+    pub store_config: RateLimiterConfig,
+    pub trusted_proxies: HashMap<String, TokenSource>,
+    #[serde(default = "forbidden_error_response")]
+    pub error_response: ErrorResponse,
+}
+fn forbidden_error_response() -> ErrorResponse {
+    ErrorResponse::forbidden()
+}
+#[async_trait]
+impl MiddlewareLayer for IntrusionProtection {
+    async fn initialize(&self) -> Result<()> {
+        // Initialize regex matchers for URL patterns
+        if !self.banned_url_patterns.is_empty() {
+            match RegexSet::new(&self.banned_url_patterns) {
+                Ok(regex_set) => {
+                    debug!(target: "middleware::intrusion_protection", "Compiled URL regex patterns: {} items.", regex_set.len());
+                    let _ = self.banned_url_pattern_matcher.set(regex_set);
+                }
+                Err(e) => {
+                    error!("Failed to compile URL regex patterns: {:?}", e);
+                }
+            }
+        }
+        // Initialize regex matchers for header patterns
+        if !self.banned_header_patterns.is_empty() {
+            let mut header_matchers = HashMap::new();
+            for (header_name, patterns) in &self.banned_header_patterns {
+                if !patterns.is_empty() {
+                    match RegexSet::new(patterns) {
+                        Ok(regex_set) => {
+                            debug!(target: "middleware::intrusion_protection", "Compiled header regex patterns for {}: {} items.", header_name, regex_set.len());
+                            header_matchers.insert(header_name.clone(), regex_set);
+                        }
+                        Err(e) => {
+                            error!(
+                                "Failed to compile header regex patterns for {}: {:?}",
+                                header_name, e
+                            );
+                        }
+                    }
+                }
+            }
+            let _ = self.banned_header_pattern_matchers.set(header_matchers);
+        }
+        // Initialize rate limiter (used for tracking bans)
+        // This will automatically fall back to in-memory if Redis fails
+        if let Ok(limiter) = get_rate_limiter(&self.store_config).await {
+            debug!(target: "middleware::intrusion_protection", "Initialized rate limiter.");
+            let _ = self.rate_limiter.set(limiter);
+        }
+        // Initialize ban manager
+        // This will automatically fall back to in-memory if Redis fails
+        if let Ok(manager) = get_ban_manager(&self.store_config).await {
+            debug!(target: "middleware::intrusion_protection", "Initialized ban manager.");
+            let _ = self.ban_manager.set(manager);
+        }
+        Ok(())
+    }
+    async fn before(
+        &self,
+        req: HttpRequest,
+        context: &mut HttpRequestContext,
+    ) -> Result<Either<HttpRequest, HttpResponse>> {
+        // Get client IP address from context's service
+        let client_ip = if self.trusted_proxies.contains_key(&context.addr) {
+            let source = self.trusted_proxies.get(&context.addr).unwrap();
+            source.extract_token(&req).unwrap_or(&context.addr)
+        } else {
+            &context.addr
+        };
+        // Check if the IP is already banned
+        if let Some(ban_manager) = self.ban_manager.get() {
+            match ban_manager.is_banned(client_ip).await {
+                Ok(Some(_)) => {
+                    debug!(target: "middleware::intrusion_protection", "IP {} is banned.", client_ip);
+                    return Ok(Either::Right(
+                        self.error_response
+                            .to_http_response(req.accept().into())
+                            .await,
+                    ));
+                }
+                Err(e) => {
+                    error!("Error checking IP ban status: {:?}", e);
+                    // Continue processing - fail open
+                }
+                _ => {}
+            }
+        } else {
+            warn!("No ban manager available for intrusion protection");
+        }
+        // Check for banned URL patterns
+        if let Some(url_matcher) = self.banned_url_pattern_matcher.get() {
+            let path = req.uri().path_and_query().map(|p| p.as_str()).unwrap_or("");
+            if url_matcher.is_match(path) {
+                debug!(target: "middleware::intrusion_protection", "Banned URL pattern detected: {}", path);
+                if let Some(ban_manager) = self.ban_manager.get() {
+                    match ban_manager
+                        .ban_ip(
+                            client_ip,
+                            &format!("Banned URL pattern detected: {}", path),
+                            Duration::from_secs_f64(self.banned_time_seconds),
+                        )
+                        .await
+                    {
+                        Ok(_) => {}
+                        Err(e) => error!("Failed to ban IP {}: {:?}", client_ip, e),
+                    }
+                }
+                // Always return the error response even if banning failed
+                return Ok(Either::Right(
+                    self.error_response
+                        .to_http_response(req.accept().into())
+                        .await,
+                ));
+            }
+        }
+        // Check for banned header patterns
+        if let Some(header_matchers) = self.banned_header_pattern_matchers.get() {
+            for (header_name, pattern_set) in header_matchers {
+                if let Some(header_value) = req.header(header_name) {
+                    if pattern_set.is_match(header_value) {
+                        debug!(target: "middleware::intrusion_protection", "Banned header pattern detected: {} in {}", header_value, header_name);
+                        // Ban the IP address if possible
+                        if let Some(ban_manager) = self.ban_manager.get() {
+                            match ban_manager
+                                .ban_ip(
+                                    client_ip,
+                                    &format!(
+                                        "Banned header pattern detected: {} in {}",
+                                        header_value, header_name
+                                    ),
+                                    Duration::from_secs_f64(self.banned_time_seconds),
+                                )
+                                .await
+                            {
+                                Ok(_) => info!(
+                                    "Successfully banned IP {} for {} seconds",
+                                    client_ip, self.banned_time_seconds
+                                ),
+                                Err(e) => error!("Failed to ban IP {}: {:?}", client_ip, e),
+                            }
+                        }
+                        // Always return the error response even if banning failed
+                        return Ok(Either::Right(
+                            self.error_response
+                                .to_http_response(req.accept().into())
+                                .await,
+                        ));
+                    }
+                }
+            }
+        }
+        // No intrusion detected
+        Ok(Either::Left(req))
+    }
+}
+impl FromValue for IntrusionProtection {}

data/ext/itsi_server/src/server/middleware_stack/middlewares/log_requests.rs ADDED Viewed

@@ -0,0 +1,82 @@
+use async_trait::async_trait;
+use either::Either;
+use itsi_tracing::*;
+use magnus::error::Result;
+use serde::Deserialize;
+use crate::server::http_message_types::{HttpRequest, HttpResponse};
+use crate::services::itsi_http_service::HttpRequestContext;
+use super::string_rewrite::StringRewrite;
+use super::{FromValue, MiddlewareLayer};
+/// Logging middleware for HTTP requests and responses
+///
+/// Supports customizable log formats with placeholders
+#[derive(Debug, Clone, Deserialize)]
+pub struct LogRequests {
+    pub before: Option<LogConfig>,
+    pub after: Option<LogConfig>,
+}
+#[derive(Debug, Clone, Deserialize)]
+pub struct LogConfig {
+    level: LogMiddlewareLevel,
+    format: StringRewrite,
+}
+#[derive(Debug, Clone, Deserialize)]
+pub enum LogMiddlewareLevel {
+    #[serde(rename(deserialize = "INFO"))]
+    Info,
+    #[serde(rename(deserialize = "TRACE"))]
+    Trace,
+    #[serde(rename(deserialize = "DEBUG"))]
+    Debug,
+    #[serde(rename(deserialize = "WARN"))]
+    Warn,
+    #[serde(rename(deserialize = "ERROR"))]
+    Error,
+}
+impl LogMiddlewareLevel {
+    pub fn log(&self, message: String) {
+        match self {
+            LogMiddlewareLevel::Trace => trace!(target: "middleware::log_requests", message),
+            LogMiddlewareLevel::Debug => debug!(target: "middleware::log_requests", message),
+            LogMiddlewareLevel::Info => info!(target: "middleware::log_requests", message),
+            LogMiddlewareLevel::Warn => warn!(target: "middleware::log_requests", message),
+            LogMiddlewareLevel::Error => error!(target: "middleware::log_requests", message),
+        }
+    }
+}
+#[async_trait]
+impl MiddlewareLayer for LogRequests {
+    async fn initialize(&self) -> Result<()> {
+        Ok(())
+    }
+    async fn before(
+        &self,
+        req: HttpRequest,
+        context: &mut HttpRequestContext,
+    ) -> Result<Either<HttpRequest, HttpResponse>> {
+        context.track_start_time();
+        if let Some(LogConfig { level, format }) = self.before.as_ref() {
+            level.log(format.rewrite_request(&req, context));
+        }
+        Ok(Either::Left(req))
+    }
+    async fn after(&self, resp: HttpResponse, context: &mut HttpRequestContext) -> HttpResponse {
+        if let Some(LogConfig { level, format }) = self.after.as_ref() {
+            level.log(format.rewrite_response(&resp, context));
+        }
+        resp
+    }
+}
+impl FromValue for LogRequests {}

data/ext/itsi_server/src/server/middleware_stack/middlewares/max_body.rs ADDED Viewed

@@ -0,0 +1,47 @@
+use crate::{
+    server::http_message_types::{HttpRequest, HttpResponse, RequestExt},
+    services::itsi_http_service::HttpRequestContext,
+};
+use super::{ErrorResponse, FromValue, MiddlewareLayer};
+use async_trait::async_trait;
+use either::Either;
+use http::StatusCode;
+use magnus::error::Result;
+use serde::Deserialize;
+use std::sync::atomic::Ordering;
+#[derive(Debug, Clone, Deserialize)]
+pub struct MaxBody {
+    pub limit_bytes: usize,
+    #[serde(default = "payload_too_large_error_response")]
+    pub error_response: ErrorResponse,
+}
+fn payload_too_large_error_response() -> ErrorResponse {
+    ErrorResponse::payload_too_large()
+}
+#[async_trait]
+impl MiddlewareLayer for MaxBody {
+    async fn before(
+        &self,
+        req: HttpRequest,
+        context: &mut HttpRequestContext,
+    ) -> Result<Either<HttpRequest, HttpResponse>> {
+        req.body().limit.store(self.limit_bytes, Ordering::Relaxed);
+        context.set_response_format(req.accept().into());
+        Ok(Either::Left(req))
+    }
+    async fn after(&self, resp: HttpResponse, context: &mut HttpRequestContext) -> HttpResponse {
+        if resp.status() == StatusCode::PAYLOAD_TOO_LARGE {
+            self.error_response
+                .to_http_response(context.response_format().clone())
+                .await
+        } else {
+            resp
+        }
+    }
+}
+impl FromValue for MaxBody {}