RubyGems - itsi-server - Versions diffs - 0.1.19 → 0.1.20 - Mend

itsi-server 0.1.19 → 0.1.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (174) hide show

data/ext/itsi_server/src/server/middleware_stack/middlewares/auth_jwt.rs CHANGED Viewed

@@ -18,7 +18,7 @@ use std::{
     collections::{HashMap, HashSet},
     sync::OnceLock,
 };
-use tracing::error;
+use tracing::{debug, error};
 #[derive(Debug, Clone, Deserialize)]
 pub struct AuthJwt {
@@ -137,6 +137,11 @@ struct Claims {
 #[async_trait]
 impl MiddlewareLayer for AuthJwt {
     async fn initialize(&self) -> Result<()> {
+        debug!(
+            target: "middleware::auth_jwt",
+            "Instantiating auth_jwt with {} verifiers", self.verifiers.len()
+        );
         let keys: HashMap<JwtAlgorithm, Vec<DecodingKey>> = self
             .verifiers
             .iter()
@@ -145,10 +150,24 @@ impl MiddlewareLayer for AuthJwt {
                 let keys: itsi_error::Result<Vec<DecodingKey>> = key_strings
                     .iter()
                     .map(|key_string| algorithm.key_from(key_string))
+                    .inspect(|key_result| {
+                        if key_result.is_err() {
+                            debug!(
+                                target: "middleware::auth_jwt",
+                                "Failed to load key for algorithm {:?}", algorithm
+                            )
+                        } else {
+                            debug!(
+                                target: "middleware::auth_jwt",
+                                "Loaded key for algorithm {:?}", algorithm
+                            )
+                        }
+                    })
                     .collect();
                 keys.map(|keys| (algo, keys))
             })
             .collect::<itsi_error::Result<HashMap<JwtAlgorithm, Vec<DecodingKey>>>>()?;
         self.keys
             .set(keys)
             .map_err(|_| ItsiError::new("Failed to set keys"))?;
@@ -158,11 +177,16 @@ impl MiddlewareLayer for AuthJwt {
     async fn before(
         &self,
         req: HttpRequest,
-        _context: &mut HttpRequestContext,
+        _: &mut HttpRequestContext,
     ) -> Result<Either<HttpRequest, HttpResponse>> {
         // Retrieve the JWT token from either a header or a query parameter.
         let token_str = match &self.token_source {
             TokenSource::Header { name, prefix } => {
+                debug!(
+                    target: "middleware::auth_jwt",
+                    "Extracting JWT from header: {}, prefix: {:?}",
+                    name, prefix
+                );
                 if let Some(header) = req.header(name) {
                     if let Some(prefix) = prefix {
                         Some(header.strip_prefix(prefix).unwrap_or("").trim_ascii())
@@ -173,10 +197,21 @@ impl MiddlewareLayer for AuthJwt {
                     None
                 }
             }
-            TokenSource::Query(query_name) => req.query_param(query_name),
+            TokenSource::Query(query_name) => {
+                debug!(
+                  target: "middleware::auth_jwt",
+                    "Extracting JWT from query parameter: {}",
+                    query_name
+                );
+                req.query_param(query_name)
+            }
         };
         if token_str.is_none() {
+            debug!(
+              target: "middleware::auth_jwt",
+                "No JWT found in headers or query parameters"
+            );
             return Ok(Either::Right(
                 self.error_response
                     .to_http_response(req.accept().into())
@@ -186,8 +221,13 @@ impl MiddlewareLayer for AuthJwt {
         let token_str = token_str.unwrap();
         let header =
             decode_header(token_str).map_err(|_| ItsiError::new("Invalid token header"))?;
         let alg: JwtAlgorithm = header.alg.into();
+        debug!(
+          target: "middleware::auth_jwt",
+            "Matched algorithm {:?}", alg
+        );
         if !self.verifiers.contains_key(&alg) {
             return Ok(Either::Right(
                 self.error_response
@@ -225,6 +265,7 @@ impl MiddlewareLayer for AuthJwt {
                         None
                     }
                 });
         let token_data = if let Some(data) = token_data {
             data
         } else {
@@ -244,6 +285,10 @@ impl MiddlewareLayer for AuthJwt {
                     Audience::Multiple(v) => v.iter().cloned().collect(),
                 };
                 if expected_audiences.is_disjoint(&token_auds) {
+                    debug!(
+                        "AUD check failed, token_auds: {:?}, expected_audiences: {:?}",
+                        token_auds, expected_audiences
+                    );
                     return Ok(Either::Right(
                         self.error_response
                             .to_http_response(req.accept().into())
@@ -256,6 +301,10 @@ impl MiddlewareLayer for AuthJwt {
         if let Some(expected_subjects) = &self.subjects {
             if let Some(sub) = &claims.sub {
                 if !expected_subjects.contains(sub) {
+                    debug!(
+                        "SUB check failed, token_sub: {:?}, expected_subjects: {:?}",
+                        sub, expected_subjects
+                    );
                     return Ok(Either::Right(
                         self.error_response
                             .to_http_response(req.accept().into())
@@ -269,6 +318,10 @@ impl MiddlewareLayer for AuthJwt {
         if let Some(expected_issuers) = &self.issuers {
             if let Some(iss) = &claims.iss {
                 if !expected_issuers.contains(iss) {
+                    debug!(
+                        "ISS check failed, token_iss: {:?}, expected_issuers: {:?}",
+                        iss, expected_issuers
+                    );
                     return Ok(Either::Right(
                         self.error_response
                             .to_http_response(req.accept().into())

data/ext/itsi_server/src/server/middleware_stack/middlewares/csp.rs ADDED Viewed

@@ -0,0 +1,179 @@
+use super::FromValue;
+use crate::{
+    server::http_message_types::{HttpRequest, HttpResponse},
+    services::itsi_http_service::HttpRequestContext,
+};
+use async_trait::async_trait;
+use bytes::{Bytes, BytesMut};
+use either::Either;
+use futures::TryStreamExt;
+use http::{HeaderValue, StatusCode};
+use http_body_util::{combinators::BoxBody, BodyExt, Empty};
+use itsi_error::ItsiError;
+use serde::{Deserialize, Serialize};
+use std::sync::Arc;
+use std::{path::PathBuf, sync::OnceLock};
+use tokio::sync::Mutex;
+use tokio::time::{self, Duration};
+#[derive(Debug, Serialize, Deserialize)]
+pub struct CspReport {
+    #[serde(rename = "csp-report")]
+    pub report: ReportDetails,
+}
+#[derive(Debug, Serialize, Deserialize)]
+pub struct ReportDetails {
+    #[serde(rename = "document-uri")]
+    pub document_uri: String,
+    #[serde(rename = "referrer")]
+    pub referrer: Option<String>,
+    #[serde(rename = "violated-directive")]
+    pub violated_directive: String,
+    #[serde(rename = "original-policy")]
+    pub original_policy: String,
+    #[serde(rename = "blocked-uri")]
+    pub blocked_uri: String,
+}
+#[derive(Debug, Deserialize)]
+pub struct CspConfig {
+    pub default_src: Vec<String>,
+    pub script_src: Vec<String>,
+    pub style_src: Vec<String>,
+    pub report_uri: Vec<String>,
+}
+#[derive(Debug, Deserialize)]
+pub struct Csp {
+    pub policy_input: Option<CspConfig>,
+    pub reporting_enabled: bool,
+    pub report_file: Option<PathBuf>,
+    pub report_endpoint: String,
+    pub flush_interval: u64,
+    #[serde(skip)]
+    pub computed_policy: OnceLock<String>,
+    #[serde(skip)]
+    pub pending_reports: Arc<Mutex<Vec<CspReport>>>,
+    #[serde(skip)]
+    pub flush_task: OnceLock<tokio::task::JoinHandle<()>>,
+}
+#[async_trait]
+impl super::MiddlewareLayer for Csp {
+    async fn initialize(&self) -> Result<(), magnus::error::Error> {
+        if let Some(policy_config) = &self.policy_input {
+            let mut parts = Vec::new();
+            if !policy_config.default_src.is_empty() {
+                parts.push(format!(
+                    "default-src {}",
+                    policy_config.default_src.join(" ")
+                ));
+            }
+            if !policy_config.script_src.is_empty() {
+                parts.push(format!("script-src {}", policy_config.script_src.join(" ")));
+            }
+            if !policy_config.style_src.is_empty() {
+                parts.push(format!("style-src {}", policy_config.style_src.join(" ")));
+            }
+            if !policy_config.report_uri.is_empty() {
+                parts.push(format!("report-uri {}", policy_config.report_uri.join(" ")));
+            }
+            let policy = parts.join("; ");
+            self.computed_policy
+                .set(policy)
+                .map_err(|_| ItsiError::new("Failed to set computed CSP policy"))?;
+        }
+        if self.reporting_enabled {
+            if let Some(ref report_file) = self.report_file {
+                let flush_interval = self.flush_interval;
+                let report_path = report_file.clone();
+                let pending_reports = Arc::clone(&self.pending_reports);
+                let handle = tokio::spawn(async move {
+                    let mut interval = time::interval(Duration::from_secs(flush_interval));
+                    loop {
+                        interval.tick().await;
+                        let mut reports = pending_reports.lock().await;
+                        if !reports.is_empty() {
+                            let mut lines = String::new();
+                            for report in reports.iter() {
+                                if let Ok(line) = serde_json::to_string(report) {
+                                    lines.push_str(&line);
+                                    lines.push('\n');
+                                }
+                            }
+                            reports.clear();
+                            if let Err(e) = tokio::fs::OpenOptions::new()
+                                .append(true)
+                                .create(true)
+                                .open(&report_path)
+                                .await
+                                .map(|mut file| async move {
+                                    use tokio::io::AsyncWriteExt;
+                                    file.write_all(lines.as_bytes()).await
+                                })
+                                .map_err(ItsiError::new)
+                            {
+                                eprintln!("Error writing CSP reports: {:?}", e);
+                            }
+                        }
+                    }
+                });
+                self.flush_task
+                    .set(handle)
+                    .map_err(|_| ItsiError::new("Failed to set flush task handle"))?;
+            }
+        }
+        Ok(())
+    }
+    async fn before(
+        &self,
+        req: HttpRequest,
+        _context: &mut HttpRequestContext,
+    ) -> Result<Either<HttpRequest, HttpResponse>, magnus::error::Error> {
+        if self.reporting_enabled && req.uri().path() == self.report_endpoint {
+            let full_bytes: Result<Bytes, _> = req
+                .into_body()
+                .into_data_stream()
+                .try_fold(BytesMut::new(), |mut acc, chunk| async move {
+                    acc.extend_from_slice(&chunk);
+                    Ok(acc)
+                })
+                .await
+                .map(|b| b.freeze());
+            if let Ok(body_bytes) = full_bytes {
+                if let Ok(report) = serde_json::from_slice::<CspReport>(&body_bytes) {
+                    let mut pending = self.pending_reports.lock().await;
+                    pending.push(report);
+                }
+            }
+            let mut resp = HttpResponse::new(BoxBody::new(Empty::new()));
+            *resp.status_mut() = StatusCode::NO_CONTENT;
+            return Ok(Either::Right(resp));
+        }
+        Ok(Either::Left(req))
+    }
+    async fn after(&self, resp: HttpResponse, _context: &mut HttpRequestContext) -> HttpResponse {
+        if let Some(policy) = self.computed_policy.get() {
+            if !resp.headers().contains_key("Content-Security-Policy") {
+                let (mut parts, body) = resp.into_parts();
+                if let Ok(header_value) = HeaderValue::from_str(policy) {
+                    parts
+                        .headers
+                        .insert("Content-Security-Policy", header_value);
+                }
+                return HttpResponse::from_parts(parts, body);
+            }
+        }
+        resp
+    }
+}
+impl FromValue for Csp {}

data/ext/itsi_server/src/server/middleware_stack/middlewares/mod.rs CHANGED Viewed

@@ -5,6 +5,7 @@ mod auth_jwt;
 mod cache_control;
 mod compression;
 mod cors;
+mod csp;
 mod deny_list;
 mod error_response;
 mod etag;
@@ -23,6 +24,9 @@ mod static_response;
 mod string_rewrite;
 mod token_source;
+use std::sync::Arc;
+use std::sync::LazyLock;
 pub use allow_list::AllowList;
 use async_trait::async_trait;
 pub use auth_api_key::AuthAPIKey;
@@ -32,6 +36,7 @@ pub use cache_control::CacheControl;
 pub use compression::Compression;
 pub use compression::CompressionAlgorithm;
 pub use cors::Cors;
+pub use csp::Csp;
 pub use deny_list::DenyList;
 use either::Either;
 pub use error_response::ErrorResponse;
@@ -39,6 +44,7 @@ pub use etag::ETag;
 pub use intrusion_protection::IntrusionProtection;
 pub use log_requests::LogRequests;
 use magnus::error::Result;
+use magnus::rb_sys::AsRawValue;
 use magnus::Value;
 pub use max_body::MaxBody;
 pub use proxy::Proxy;
@@ -57,11 +63,28 @@ use crate::server::http_message_types::HttpResponse;
 use crate::services::itsi_http_service::HttpRequestContext;
 pub trait FromValue: Sized + Send + Sync + 'static {
-    fn from_value(value: Value) -> Result<Self>
+    fn from_value(value: Value) -> Result<Arc<Self>>
     where
         Self: Deserialize<'static>,
     {
-        deserialize(value)
+        use std::collections::HashMap;
+        use std::sync::Mutex;
+        let raw = value.as_raw();
+        static CACHE: LazyLock<Mutex<HashMap<u64, Arc<dyn std::any::Any + Send + Sync>>>> =
+            LazyLock::new(|| Mutex::new(HashMap::new()));
+        let mut cache = CACHE.lock().unwrap();
+        if let Some(cached) = cache.get(&raw) {
+            if let Some(deserialized) = cached.downcast_ref::<Arc<Self>>() {
+                return Ok(deserialized.clone());
+            }
+        }
+        let deserialized: Arc<Self> = Arc::new(deserialize(value)?);
+        cache.insert(raw, deserialized.clone());
+        Ok(deserialized)
     }
 }

data/ext/itsi_server/src/server/middleware_stack/middlewares/ruby_app.rs CHANGED Viewed

@@ -42,7 +42,7 @@ impl FromStr for RequestType {
 }
 impl RubyApp {
-    pub fn from_value(params: HeapVal) -> magnus::error::Result<Self> {
+    pub fn from_value(params: HeapVal) -> magnus::error::Result<Arc<Self>> {
         let app = params.funcall::<_, _, Proc>(Symbol::new("[]"), ("app_proc",))?;
         let sendfile = params
             .funcall::<_, _, bool>(Symbol::new("[]"), ("sendfile",))
@@ -61,13 +61,13 @@ impl RubyApp {
             .parse()
             .unwrap_or(RequestType::Http);
-        Ok(RubyApp {
+        Ok(Arc::new(RubyApp {
             app: Arc::new(app.into()),
             sendfile,
             nonblocking,
             request_type,
             base_path,
-        })
+        }))
     }
 }

data/ext/itsi_server/src/server/middleware_stack/middlewares/static_assets.rs CHANGED Viewed

@@ -59,6 +59,7 @@ impl MiddlewareLayer for StaticAssets {
         self.base_path_regex
             .set(Regex::new(&self.base_path).map_err(ItsiError::new)?)
             .map_err(ItsiError::new)?;
         self.file_server
             .set(StaticFileServer::new(StaticFileServerConfig {
                 root_dir: self.root_dir.clone(),
@@ -70,7 +71,7 @@ impl MiddlewareLayer for StaticAssets {
                 recheck_interval: Duration::from_secs(self.file_check_interval),
                 serve_hidden_files: self.serve_hidden_files,
                 allowed_extensions: self.allowed_extensions.clone(),
-            }))
+            })?)
             .map_err(ItsiError::new)?;
         Ok(())
     }

data/ext/itsi_server/src/server/middleware_stack/mod.rs CHANGED Viewed

@@ -2,12 +2,14 @@ mod middleware;
 mod middlewares;
 use http::header::{ACCEPT, CONTENT_TYPE, HOST};
 use itsi_rb_helpers::HeapVal;
-use magnus::{error::Result, value::ReprValue, RArray, RHash, Ruby, TryConvert, Value};
+use magnus::{
+    error::Result, rb_sys::AsRawValue, value::ReprValue, RArray, RHash, Ruby, TryConvert, Value,
+};
 pub use middleware::Middleware;
 pub use middlewares::*;
 use regex::{Regex, RegexSet};
 use std::{collections::HashMap, sync::Arc};
-use tracing::debug;
+use tracing::{debug, info};
 use super::http_message_types::HttpRequest;
@@ -16,6 +18,7 @@ pub struct MiddlewareSet {
     pub route_set: RegexSet,
     pub patterns: Vec<Arc<Regex>>,
     pub stacks: HashMap<usize, MiddlewareStack>,
+    unique_middlewares: HashMap<u64, Middleware>,
 }
 #[derive(Debug)]
@@ -128,6 +131,7 @@ impl MiddlewareStack {
 impl MiddlewareSet {
     pub fn new(routes_raw: Option<HeapVal>) -> Result<Self> {
+        let mut unique_middlewares = HashMap::new();
         if let Some(routes_raw) = routes_raw {
             let mut stacks = HashMap::new();
             let mut routes = vec![];
@@ -147,19 +151,30 @@ impl MiddlewareSet {
                         "Route is missing :route key",
                     ))?
                     .funcall::<_, _, String>("source", ())?;
                 let middleware =
-                    RArray::from_value(route_hash.get("middleware").ok_or(magnus::Error::new(
+                    RHash::from_value(route_hash.get("middleware").ok_or(magnus::Error::new(
                         magnus::exception::standard_error(),
                         "Route is missing middleware key",
                     ))?)
                     .ok_or(magnus::Error::new(
                         magnus::exception::standard_error(),
-                        format!("middleware must be an array. Got {:?}", routes_raw),
+                        format!("middleware must be a hash. Got {:?}", routes_raw),
                     ))?;
                 let mut layers = middleware
-                    .into_iter()
-                    .map(MiddlewareSet::parse_middleware)
+                    .enumeratorize("each", ())
+                    .map(|pair| {
+                        let pair = RArray::from_value(pair.unwrap()).unwrap();
+                        let middleware_type: String = pair.entry(0).unwrap();
+                        let value: Value = pair.entry(1).unwrap();
+                        info!("Parsing middleware from value {}", value);
+                        let middleware = MiddlewareSet::parse_middleware(middleware_type, value);
+                        if let Ok(middleware) = middleware.as_ref() {
+                            unique_middlewares.insert(value.as_raw(), middleware.clone());
+                        };
+                        middleware
+                    })
                     .collect::<Result<Vec<_>>>()?;
                 routes.push(route_raw);
                 layers.sort();
@@ -184,6 +199,7 @@ impl MiddlewareSet {
                         format!("Failed to create route set: {}", e),
                     )
                 })?,
+                unique_middlewares,
                 patterns: routes
                     .into_iter()
                     .map(|r| Regex::new(&r))
@@ -241,47 +257,27 @@ impl MiddlewareSet {
         ))
     }
-    pub fn parse_middleware(middleware: Value) -> Result<Middleware> {
-        let middleware_hash = RHash::from_value(middleware).ok_or(magnus::Error::new(
-            magnus::exception::standard_error(),
-            format!("Filter must be a hash. Got {:?}", middleware),
-        ))?;
-        let middleware_type: String = middleware_hash
-            .get("type")
-            .ok_or(magnus::Error::new(
-                magnus::exception::standard_error(),
-                format!("Filter must have a :type key. Got {:?}", middleware_hash),
-            ))?
-            .to_string();
+    pub fn parse_middleware(middleware_type: String, parameters: Value) -> Result<Middleware> {
         let mw_type = middleware_type.clone();
-        let parameters: Value = middleware_hash.get("parameters").ok_or(magnus::Error::new(
-            magnus::exception::standard_error(),
-            format!(
-                "Filter must have a :parameters key. Got {:?}",
-                middleware_hash
-            ),
-        ))?;
         let result = (move || -> Result<Middleware> {
             match mw_type.as_str() {
                 "allow_list" => Ok(Middleware::AllowList(AllowList::from_value(parameters)?)),
                 "auth_basic" => Ok(Middleware::AuthBasic(AuthBasic::from_value(parameters)?)),
-                "auth_jwt" => Ok(Middleware::AuthJwt(Box::new(AuthJwt::from_value(
-                    parameters,
-                )?))),
+                "auth_jwt" => Ok(Middleware::AuthJwt(AuthJwt::from_value(parameters)?)),
                 "auth_api_key" => Ok(Middleware::AuthAPIKey(AuthAPIKey::from_value(parameters)?)),
                 "cache_control" => Ok(Middleware::CacheControl(CacheControl::from_value(
                     parameters,
                 )?)),
                 "deny_list" => Ok(Middleware::DenyList(DenyList::from_value(parameters)?)),
                 "etag" => Ok(Middleware::ETag(ETag::from_value(parameters)?)),
+                "csp" => Ok(Middleware::Csp(Csp::from_value(parameters)?)),
                 "intrusion_protection" => Ok({
                     Middleware::IntrusionProtection(IntrusionProtection::from_value(parameters)?)
                 }),
                 "max_body" => Ok(Middleware::MaxBody(MaxBody::from_value(parameters)?)),
                 "rate_limit" => Ok(Middleware::RateLimit(RateLimit::from_value(parameters)?)),
-                "cors" => Ok(Middleware::Cors(Box::new(Cors::from_value(parameters)?))),
+                "cors" => Ok(Middleware::Cors(Cors::from_value(parameters)?)),
                 "request_headers" => Ok(Middleware::RequestHeaders(RequestHeaders::from_value(
                     parameters,
                 )?)),
@@ -323,10 +319,12 @@ impl MiddlewareSet {
     }
     pub async fn initialize_layers(&self) -> Result<()> {
-        for stack in self.stacks.values() {
-            for middleware in &stack.layers {
-                middleware.initialize().await?;
-            }
+        info!(
+            "Unique middleware keys: {:?}",
+            self.unique_middlewares.keys()
+        );
+        for middleware in self.unique_middlewares.values() {
+            middleware.initialize().await?;
         }
         Ok(())
     }

data/ext/itsi_server/src/server/serve_strategy/cluster_mode.rs CHANGED Viewed

@@ -73,13 +73,18 @@ impl ClusterMode {
                 Ok(())
             }
             LifecycleEvent::Restart => {
-                self.server_config.dup_fds()?;
-                self.shutdown().await.ok();
-                info!("Shutdown complete. Calling reload exec");
-                self.server_config.reload_exec()?;
+                if self.server_config.check_config() {
+                    self.server_config.dup_fds()?;
+                    self.shutdown().await.ok();
+                    info!("Shutdown complete. Calling reload exec");
+                    self.server_config.reload_exec()?;
+                }
                 Ok(())
             }
             LifecycleEvent::Reload => {
+                if !self.server_config.check_config() {
+                    return Ok(());
+                }
                 let should_reexec = self.server_config.clone().reload(true)?;
                 if should_reexec {
                     self.server_config.dup_fds()?;
@@ -286,6 +291,7 @@ impl ClusterMode {
         self.build_runtime().block_on(async {
           let self_ref = self_ref.clone();
           let mut memory_check_interval = time::interval(time::Duration::from_secs(2));
           loop {
             tokio::select! {
               _ = receiver.changed() => {