itsi-server 0.1.11 → 0.1.12

data/ext/itsi_server/src/server/middleware_stack/middlewares/compression.rs

@@ -0,0 +1,300 @@
+use super::{
+    header_interpretation::{find_first_supported, header_contains},
+    FromValue, MiddlewareLayer,
+};
+use crate::server::{
+    itsi_service::RequestContext,
+    types::{HttpRequest, HttpResponse},
+};
+use async_compression::{
+    tokio::bufread::{BrotliEncoder, DeflateEncoder, GzipEncoder, ZstdEncoder},
+    Level,
+};
+use async_trait::async_trait;
+use bytes::{Bytes, BytesMut};
+use either::Either;
+use futures::TryStreamExt;
+use http::{
+    header::{GetAll, ACCEPT_ENCODING, CONTENT_ENCODING, CONTENT_LENGTH, CONTENT_TYPE},
+    HeaderValue, Response,
+};
+use http_body_util::{combinators::BoxBody, BodyExt, Full, StreamBody};
+use hyper::body::{Body, Frame};
+use magnus::error::Result;
+use serde::{Deserialize, Serialize};
+use std::convert::Infallible;
+use tokio::io::{AsyncRead, AsyncReadExt, BufReader};
+use tokio_stream::StreamExt;
+use tokio_util::io::{ReaderStream, StreamReader};
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct Compression {
+    min_size: usize,
+    algorithms: Vec<CompressionAlgorithm>,
+    compress_streams: bool,
+    mime_types: Vec<MimeType>,
+    level: CompressionLevel,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+enum CompressionLevel {
+    #[serde(rename(deserialize = "fastest"))]
+    Fastest,
+    #[serde(rename(deserialize = "best"))]
+    Best,
+    #[serde(rename(deserialize = "default"))]
+    Default,
+    #[serde(rename(deserialize = "precise"))]
+    Precise(i32),
+}
+
+impl CompressionLevel {
+    fn to_async_compression_level(&self) -> Level {
+        match self {
+            CompressionLevel::Fastest => Level::Fastest,
+            CompressionLevel::Best => Level::Best,
+            CompressionLevel::Default => Level::Default,
+            CompressionLevel::Precise(level) => Level::Precise(*level),
+        }
+    }
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, PartialOrd, Eq, Ord)]
+pub enum CompressionAlgorithm {
+    #[serde(rename(deserialize = "gzip"))]
+    Gzip,
+    #[serde(rename(deserialize = "brotli"))]
+    Brotli,
+    #[serde(rename(deserialize = "deflate"))]
+    Deflate,
+    #[serde(rename(deserialize = "zstd"))]
+    Zstd,
+    #[serde(rename(deserialize = "none"))]
+    None,
+}
+
+impl CompressionAlgorithm {
+    pub fn as_str(&self) -> &'static str {
+        match self {
+            CompressionAlgorithm::Gzip => "gzip",
+            CompressionAlgorithm::Brotli => "br",
+            CompressionAlgorithm::Deflate => "deflate",
+            CompressionAlgorithm::Zstd => "zstd",
+            CompressionAlgorithm::None => "none",
+        }
+    }
+
+    pub fn header_value(&self) -> HeaderValue {
+        HeaderValue::from_str(self.as_str()).unwrap()
+    }
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+enum MimeType {
+    #[serde(rename(deserialize = "text"))]
+    Text,
+    #[serde(rename(deserialize = "image"))]
+    Image,
+    #[serde(rename(deserialize = "application"))]
+    Application,
+    #[serde(rename(deserialize = "audio"))]
+    Audio,
+    #[serde(rename(deserialize = "video"))]
+    Video,
+    #[serde(rename(deserialize = "other"))]
+    Other(String),
+    #[serde(rename(deserialize = "all"))]
+    All,
+}
+
+impl MimeType {
+    pub fn matches(&self, content_encodings: &GetAll<HeaderValue>) -> bool {
+        match self {
+            MimeType::Text => header_contains(content_encodings, "text/*"),
+            MimeType::Image => header_contains(content_encodings, "image/*"),
+            MimeType::Application => header_contains(content_encodings, "application/*"),
+            MimeType::Audio => header_contains(content_encodings, "audio/*"),
+            MimeType::Video => header_contains(content_encodings, "video/*"),
+            MimeType::Other(v) => header_contains(content_encodings, v),
+            MimeType::All => header_contains(content_encodings, "*"),
+        }
+    }
+}
+
+fn stream_encode<R>(encoder: R) -> BoxBody<Bytes, Infallible>
+where
+    R: AsyncRead + Unpin + Sync + Send + 'static,
+{
+    let encoded_stream = ReaderStream::new(encoder).map(|res| {
+        res.map(Frame::data)
+            .map_err(|_| -> Infallible { unreachable!("We handle IO errors above") })
+    });
+    BoxBody::new(StreamBody::new(encoded_stream))
+}
+
+fn update_content_encoding(parts: &mut http::response::Parts, new_encoding: HeaderValue) {
+    if let Some(existing) = parts.headers.get(CONTENT_ENCODING) {
+        let mut encodings = existing.to_str().unwrap_or("").to_owned();
+        if !encodings.is_empty() {
+            encodings.push_str(", ");
+        }
+        encodings.push_str(new_encoding.to_str().unwrap());
+        parts
+            .headers
+            .insert(CONTENT_ENCODING, HeaderValue::from_str(&encodings).unwrap());
+    } else {
+        parts.headers.insert(CONTENT_ENCODING, new_encoding);
+    }
+}
+
+#[async_trait]
+impl MiddlewareLayer for Compression {
+    /// A the request comes in, take note of the accepted content encodings,
+    /// so that we can apply compression on the response, where appropriate.
+    ///
+    /// We store the temporary state inside the RequestContext.
+    async fn before(
+        &self,
+        req: HttpRequest,
+        context: &mut RequestContext,
+    ) -> Result<Either<HttpRequest, HttpResponse>> {
+        let algo = match find_first_supported(
+            &req.headers().get_all(ACCEPT_ENCODING),
+            self.algorithms.iter().map(|algo| algo.as_str()),
+        ) {
+            Some("gzip") => CompressionAlgorithm::Gzip,
+            Some("br") => CompressionAlgorithm::Brotli,
+            Some("deflate") => CompressionAlgorithm::Deflate,
+            Some("zstd") => CompressionAlgorithm::Zstd,
+            _ => CompressionAlgorithm::None,
+        };
+
+        if matches!(algo, CompressionAlgorithm::None) {
+            return Ok(Either::Left(req));
+        }
+
+        context.set_compression_method(algo);
+
+        Ok(Either::Left(req))
+    }
+
+    /// We'll apply compression on the response, where appropriate.
+    /// This is if:
+    /// * The response body is larger than the minimum size.
+    /// * The response content type is supported.
+    /// * The client supports the compression algorithm.
+    async fn after(&self, resp: HttpResponse, context: &mut RequestContext) -> HttpResponse {
+        let compression_method;
+        if let Some(method) = context.compression_method.get() {
+            compression_method = method.clone();
+        } else {
+            return resp;
+        }
+
+        if matches!(compression_method, CompressionAlgorithm::None) {
+            return resp;
+        }
+
+        let body_size = resp.size_hint().exact();
+        let resp = resp;
+
+        if !self
+            .mime_types
+            .iter()
+            .any(|mt| mt.matches(&resp.headers().get_all(CONTENT_TYPE)))
+        {
+            return resp;
+        }
+
+        if body_size.is_none() && !self.compress_streams {
+            return resp;
+        }
+
+        if body_size.is_some_and(|s| s < self.min_size as u64) {
+            return resp;
+        }
+
+        let (mut parts, body) = resp.into_parts();
+
+        let new_body = if let Some(_size) = body_size {
+            let full_bytes: Bytes = body
+                .into_data_stream()
+                .try_fold(BytesMut::new(), |mut acc, chunk| async move {
+                    acc.extend_from_slice(&chunk);
+                    Ok(acc)
+                })
+                .await
+                .unwrap()
+                .freeze();
+
+            let cursor = std::io::Cursor::new(full_bytes);
+            let reader = BufReader::new(cursor);
+            let compressed_bytes = match compression_method {
+                CompressionAlgorithm::Gzip => {
+                    let mut encoder =
+                        GzipEncoder::with_quality(reader, self.level.to_async_compression_level());
+                    let mut buf = Vec::new();
+                    encoder.read_to_end(&mut buf).await.unwrap();
+                    buf
+                }
+                CompressionAlgorithm::Brotli => {
+                    let mut encoder = BrotliEncoder::with_quality(
+                        reader,
+                        self.level.to_async_compression_level(),
+                    );
+                    let mut buf = Vec::new();
+                    encoder.read_to_end(&mut buf).await.unwrap();
+                    buf
+                }
+                CompressionAlgorithm::Deflate => {
+                    let mut encoder = DeflateEncoder::with_quality(
+                        reader,
+                        self.level.to_async_compression_level(),
+                    );
+                    let mut buf = Vec::new();
+                    encoder.read_to_end(&mut buf).await.unwrap();
+                    buf
+                }
+                CompressionAlgorithm::Zstd => {
+                    let mut encoder =
+                        ZstdEncoder::with_quality(reader, self.level.to_async_compression_level());
+                    let mut buf = Vec::new();
+                    encoder.read_to_end(&mut buf).await.unwrap();
+                    buf
+                }
+                CompressionAlgorithm::None => unreachable!(),
+            };
+            BoxBody::new(Full::new(Bytes::from(compressed_bytes)))
+        } else {
+            let stream = body
+                .into_data_stream()
+                .map_err(|e| std::io::Error::new(std::io::ErrorKind::Other, e));
+            let async_read_fut = StreamReader::new(stream);
+            let reader = BufReader::new(async_read_fut);
+            match compression_method {
+                CompressionAlgorithm::Gzip => stream_encode(GzipEncoder::with_quality(
+                    reader,
+                    self.level.to_async_compression_level(),
+                )),
+                CompressionAlgorithm::Brotli => stream_encode(BrotliEncoder::with_quality(
+                    reader,
+                    self.level.to_async_compression_level(),
+                )),
+                CompressionAlgorithm::Deflate => stream_encode(DeflateEncoder::with_quality(
+                    reader,
+                    self.level.to_async_compression_level(),
+                )),
+                CompressionAlgorithm::Zstd => stream_encode(ZstdEncoder::with_quality(
+                    reader,
+                    self.level.to_async_compression_level(),
+                )),
+                CompressionAlgorithm::None => unreachable!(),
+            }
+        };
+
+        update_content_encoding(&mut parts, compression_method.header_value());
+        parts.headers.remove(CONTENT_LENGTH);
+
+        Response::from_parts(parts, new_body)
+    }
+}
+impl FromValue for Compression {}

data/ext/itsi_server/src/server/middleware_stack/middlewares/cors.rs

@@ -0,0 +1,287 @@
+use super::{FromValue, MiddlewareLayer};
+use crate::server::{
+    itsi_service::RequestContext,
+    types::{HttpRequest, HttpResponse, RequestExt},
+};
+use async_trait::async_trait;
+use http::{HeaderMap, Method, Response};
+use http_body_util::{combinators::BoxBody, Empty};
+use itsi_error::ItsiError;
+use magnus::error::Result;
+use serde::Deserialize;
+
+#[derive(Debug, Clone, Deserialize)]
+pub struct Cors {
+    pub allowed_origins: Vec<String>,
+    pub allowed_methods: Vec<HttpMethod>,
+    pub allowed_headers: Vec<String>,
+    pub exposed_headers: Vec<String>,
+    pub allow_credentials: bool,
+    pub max_age: Option<u64>,
+}
+
+#[derive(Debug, Clone, Deserialize)]
+pub enum HttpMethod {
+    #[serde(rename(deserialize = "GET"))]
+    Get,
+    #[serde(rename(deserialize = "POST"))]
+    Post,
+    #[serde(rename(deserialize = "PUT"))]
+    Put,
+    #[serde(rename(deserialize = "DELETE"))]
+    Delete,
+    #[serde(rename(deserialize = "OPTIONS"))]
+    Options,
+    #[serde(rename(deserialize = "HEAD"))]
+    Head,
+    #[serde(rename(deserialize = "PATCH"))]
+    Patch,
+}
+
+impl HttpMethod {
+    pub fn matches(&self, other: &str) -> bool {
+        match self {
+            HttpMethod::Get => other.eq_ignore_ascii_case("GET"),
+            HttpMethod::Post => other.eq_ignore_ascii_case("POST"),
+            HttpMethod::Put => other.eq_ignore_ascii_case("PUT"),
+            HttpMethod::Delete => other.eq_ignore_ascii_case("DELETE"),
+            HttpMethod::Options => other.eq_ignore_ascii_case("OPTIONS"),
+            HttpMethod::Head => other.eq_ignore_ascii_case("HEAD"),
+            HttpMethod::Patch => other.eq_ignore_ascii_case("PATCH"),
+        }
+    }
+
+    pub fn to_str(&self) -> &str {
+        match self {
+            HttpMethod::Get => "GET",
+            HttpMethod::Post => "POST",
+            HttpMethod::Put => "PUT",
+            HttpMethod::Delete => "DELETE",
+            HttpMethod::Options => "OPTIONS",
+            HttpMethod::Head => "HEAD",
+            HttpMethod::Patch => "PATCH",
+        }
+    }
+}
+
+impl Cors {
+    /// Generate the simple CORS headers (used in normal responses)
+    fn cors_headers(&self, origin: &str) -> Result<HeaderMap> {
+        let mut headers = HeaderMap::new();
+
+        headers.insert("Vary", "Origin".parse().map_err(ItsiError::default)?);
+
+        if origin.is_empty() {
+            // When credentials are allowed, you cannot return "*".
+            if !self.allow_credentials {
+                headers.insert(
+                    "Access-Control-Allow-Origin",
+                    "*".parse().map_err(ItsiError::default)?,
+                );
+            }
+            return Ok(headers);
+        }
+
+        // Only return a header if the origin is allowed.
+        if self.allowed_origins.iter().any(|o| o == origin || o == "*") {
+            // If credentials are allowed, we must echo back the exact origin.
+            let value = if self.allow_credentials {
+                origin
+            } else {
+                // If not, and if "*" is allowed, you can still use "*".
+                if self.allowed_origins.iter().any(|o| o == "*") {
+                    "*"
+                } else {
+                    origin
+                }
+            };
+            headers.insert(
+                "Access-Control-Allow-Origin",
+                value.parse().map_err(ItsiError::default)?,
+            );
+        }
+
+        if !self.allowed_methods.is_empty() {
+            headers.insert(
+                "Access-Control-Allow-Methods",
+                self.allowed_methods
+                    .iter()
+                    .map(HttpMethod::to_str)
+                    .collect::<Vec<&str>>()
+                    .join(", ")
+                    .parse()
+                    .map_err(ItsiError::default)?,
+            );
+        }
+        if !self.allowed_headers.is_empty() {
+            headers.insert(
+                "Access-Control-Allow-Headers",
+                self.allowed_headers
+                    .join(", ")
+                    .parse()
+                    .map_err(ItsiError::default)?,
+            );
+        }
+        if self.allow_credentials {
+            headers.insert(
+                "Access-Control-Allow-Credentials",
+                "true".parse().map_err(ItsiError::default)?,
+            );
+        }
+        if let Some(max_age) = self.max_age {
+            headers.insert(
+                "Access-Control-Max-Age",
+                max_age.to_string().parse().map_err(ItsiError::default)?,
+            );
+        }
+        if !self.exposed_headers.is_empty() {
+            headers.insert(
+                "Access-Control-Expose-Headers",
+                self.exposed_headers
+                    .join(", ")
+                    .parse()
+                    .map_err(ItsiError::default)?,
+            );
+        }
+        Ok(headers)
+    }
+
+    fn preflight_headers(
+        &self,
+        origin: Option<&str>,
+        req_method: Option<&str>,
+        req_headers: Option<&str>,
+    ) -> Result<HeaderMap> {
+        let mut headers = HeaderMap::new();
+
+        headers.insert("Vary", "Origin".parse().map_err(ItsiError::default)?);
+
+        let origin = match origin {
+            Some(o) if !o.is_empty() => o,
+            _ => return Ok(headers), // Missing Origin – preflight fails
+        };
+
+        if !self
+            .allowed_origins
+            .iter()
+            .any(|allowed| allowed == "*" || allowed == origin)
+        {
+            return Ok(headers);
+        }
+
+        let request_method = match req_method {
+            Some(m) if !m.is_empty() => m,
+            _ => return Ok(headers), // Missing request method – preflight fails
+        };
+
+        if !self
+            .allowed_methods
+            .iter()
+            .any(|m| m.matches(request_method))
+        {
+            return Ok(headers);
+        }
+
+        if let Some(request_headers) = req_headers {
+            let req_headers_list: Vec<&str> = request_headers
+                .split(',')
+                .map(|s| s.trim())
+                .filter(|s| !s.is_empty())
+                .collect();
+            for header in req_headers_list {
+                if !self
+                    .allowed_headers
+                    .iter()
+                    .any(|allowed| allowed.eq_ignore_ascii_case(header))
+                {
+                    return Ok(headers);
+                }
+            }
+        }
+
+        headers.insert("Access-Control-Allow-Origin", origin.parse().unwrap());
+        headers.insert(
+            "Access-Control-Allow-Methods",
+            self.allowed_methods
+                .iter()
+                .map(HttpMethod::to_str)
+                .collect::<Vec<&str>>()
+                .join(", ")
+                .parse()
+                .map_err(ItsiError::default)?,
+        );
+        headers.insert(
+            "Access-Control-Allow-Headers",
+            self.allowed_headers
+                .join(", ")
+                .parse()
+                .map_err(ItsiError::default)?,
+        );
+        if self.allow_credentials {
+            headers.insert(
+                "Access-Control-Allow-Credentials",
+                "true".parse().map_err(ItsiError::default)?,
+            );
+        }
+        if let Some(max_age) = self.max_age {
+            headers.insert(
+                "Access-Control-Max-Age",
+                max_age.to_string().parse().map_err(ItsiError::default)?,
+            );
+        }
+        if !self.exposed_headers.is_empty() {
+            headers.insert(
+                "Access-Control-Expose-Headers",
+                self.exposed_headers
+                    .join(", ")
+                    .parse()
+                    .map_err(ItsiError::default)?,
+            );
+        }
+
+        Ok(headers)
+    }
+}
+
+#[async_trait]
+impl MiddlewareLayer for Cors {
+    // For OPTIONS (preflight) requests we:
+    // 1. Extract Origin, Access-Control-Request-Method, and Access-Control-Request-Headers.
+    // 2. Validate them using our hardened preflight_headers function.
+    // 3. If validations pass (i.e. headers is non-empty), return a 204 response with those headers.
+    // Otherwise, the absence of headers indicates the request doesn’t meet the CORS policy.
+    async fn before(
+        &self,
+        req: HttpRequest,
+        context: &mut RequestContext,
+    ) -> Result<either::Either<HttpRequest, HttpResponse>> {
+        let origin = req.header("Origin");
+        if req.method() == Method::OPTIONS {
+            let ac_request_method = req.header("Access-Control-Request-Method");
+            let ac_request_headers = req.header("Access-Control-Request-Headers");
+            let headers = self.preflight_headers(origin, ac_request_method, ac_request_headers)?;
+
+            let mut response_builder = Response::builder().status(204);
+            *response_builder.headers_mut().unwrap() = headers;
+            let response = response_builder
+                .body(BoxBody::new(Empty::new()))
+                .map_err(ItsiError::default)?;
+            return Ok(either::Either::Right(response));
+        }
+        context.set_origin(origin.map(|s| s.to_string()));
+        Ok(either::Either::Left(req))
+    }
+
+    // The after hook can be used to inject CORS headers into non-preflight responses.
+    async fn after(&self, mut resp: HttpResponse, context: &mut RequestContext) -> HttpResponse {
+        if let Some(Some(origin)) = context.origin.get() {
+            if let Ok(cors_headers) = self.cors_headers(origin) {
+                for (key, value) in cors_headers.iter() {
+                    resp.headers_mut().insert(key.clone(), value.clone());
+                }
+            }
+        }
+        resp
+    }
+}
+impl FromValue for Cors {}

data/ext/itsi_server/src/server/middleware_stack/middlewares/deny_list.rs

@@ -0,0 +1,48 @@
+use crate::server::{
+    itsi_service::RequestContext,
+    types::{HttpRequest, HttpResponse},
+};
+
+use super::{ErrorResponse, FromValue, MiddlewareLayer};
+use async_trait::async_trait;
+use either::Either;
+use itsi_error::ItsiError;
+use magnus::error::Result;
+use regex::RegexSet;
+use serde::Deserialize;
+use std::sync::OnceLock;
+
+#[derive(Debug, Clone, Deserialize)]
+pub struct DenyList {
+    #[serde(skip_deserializing)]
+    pub denied_ips: OnceLock<RegexSet>,
+    pub denied_patterns: Vec<String>,
+    pub error_response: ErrorResponse,
+}
+
+#[async_trait]
+impl MiddlewareLayer for DenyList {
+    async fn initialize(&self) -> Result<()> {
+        let denied_ips = RegexSet::new(&self.denied_patterns).map_err(ItsiError::default)?;
+        self.denied_ips
+            .set(denied_ips)
+            .map_err(|e| ItsiError::default(format!("Failed to set allowed IPs: {:?}", e)))?;
+        Ok(())
+    }
+
+    async fn before(
+        &self,
+        req: HttpRequest,
+        context: &mut RequestContext,
+    ) -> Result<Either<HttpRequest, HttpResponse>> {
+        if let Some(denied_ips) = self.denied_ips.get() {
+            if denied_ips.is_match(&context.addr) {
+                return Ok(Either::Right(
+                    self.error_response.to_http_response(&req).await,
+                ));
+            }
+        }
+        Ok(Either::Left(req))
+    }
+}
+impl FromValue for DenyList {}