itsi-server 0.2.22-aarch64-linux

data/ext/itsi_server/src/server/io_stream.rs

@@ -0,0 +1,128 @@
+use pin_project::pin_project;
+use tokio::net::{TcpStream, UnixStream};
+use tokio_rustls::server::TlsStream;
+
+use std::io::{self, IoSlice};
+use std::os::unix::io::{AsRawFd, RawFd};
+use std::pin::Pin;
+use std::task::{Context, Poll};
+use tokio::io::{AsyncRead, AsyncWrite};
+
+use super::binds::listener::SockAddr;
+
+#[pin_project(project = IoStreamEnumProj)]
+pub enum IoStream {
+    Tcp {
+        #[pin]
+        stream: TcpStream,
+        addr: SockAddr,
+    },
+    TcpTls {
+        #[pin]
+        stream: TlsStream<TcpStream>,
+        addr: SockAddr,
+    },
+    Unix {
+        #[pin]
+        stream: UnixStream,
+        addr: SockAddr,
+    },
+    UnixTls {
+        #[pin]
+        stream: TlsStream<UnixStream>,
+        addr: SockAddr,
+    },
+}
+
+impl IoStream {
+    pub fn addr(&self) -> String {
+        match self {
+            IoStream::Tcp { addr, .. } => addr.to_string(),
+            IoStream::TcpTls { addr, .. } => addr.to_string(),
+            IoStream::Unix { addr, .. } => addr.to_string(),
+            IoStream::UnixTls { addr, .. } => addr.to_string(),
+        }
+    }
+}
+
+impl AsyncRead for IoStream {
+    fn poll_read(
+        self: Pin<&mut Self>,
+        cx: &mut Context<'_>,
+        buf: &mut tokio::io::ReadBuf<'_>,
+    ) -> Poll<std::io::Result<()>> {
+        match self.project() {
+            IoStreamEnumProj::Tcp { stream, .. } => stream.poll_read(cx, buf),
+            IoStreamEnumProj::TcpTls { stream, .. } => stream.poll_read(cx, buf),
+            IoStreamEnumProj::Unix { stream, .. } => stream.poll_read(cx, buf),
+            IoStreamEnumProj::UnixTls { stream, .. } => stream.poll_read(cx, buf),
+        }
+    }
+}
+
+impl AsyncWrite for IoStream {
+    fn poll_write(
+        self: Pin<&mut Self>,
+        cx: &mut Context<'_>,
+        buf: &[u8],
+    ) -> Poll<std::io::Result<usize>> {
+        match self.project() {
+            IoStreamEnumProj::Tcp { stream, .. } => stream.poll_write(cx, buf),
+            IoStreamEnumProj::TcpTls { stream, .. } => stream.poll_write(cx, buf),
+            IoStreamEnumProj::Unix { stream, .. } => stream.poll_write(cx, buf),
+            IoStreamEnumProj::UnixTls { stream, .. } => stream.poll_write(cx, buf),
+        }
+    }
+
+    fn poll_flush(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<std::io::Result<()>> {
+        match self.project() {
+            IoStreamEnumProj::Tcp { stream, .. } => stream.poll_flush(cx),
+            IoStreamEnumProj::TcpTls { stream, .. } => stream.poll_flush(cx),
+            IoStreamEnumProj::Unix { stream, .. } => stream.poll_flush(cx),
+            IoStreamEnumProj::UnixTls { stream, .. } => stream.poll_flush(cx),
+        }
+    }
+
+    fn poll_shutdown(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<std::io::Result<()>> {
+        match self.project() {
+            IoStreamEnumProj::Tcp { stream, .. } => stream.poll_shutdown(cx),
+            IoStreamEnumProj::TcpTls { stream, .. } => stream.poll_shutdown(cx),
+            IoStreamEnumProj::Unix { stream, .. } => stream.poll_shutdown(cx),
+            IoStreamEnumProj::UnixTls { stream, .. } => stream.poll_shutdown(cx),
+        }
+    }
+
+    fn poll_write_vectored(
+        self: Pin<&mut Self>,
+        cx: &mut Context<'_>,
+        bufs: &[IoSlice<'_>],
+    ) -> Poll<io::Result<usize>> {
+        match self.project() {
+            IoStreamEnumProj::Tcp { stream, .. } => stream.poll_write_vectored(cx, bufs),
+            IoStreamEnumProj::TcpTls { stream, .. } => stream.poll_write_vectored(cx, bufs),
+            IoStreamEnumProj::Unix { stream, .. } => stream.poll_write_vectored(cx, bufs),
+            IoStreamEnumProj::UnixTls { stream, .. } => stream.poll_write_vectored(cx, bufs),
+        }
+    }
+
+    fn is_write_vectored(&self) -> bool {
+        match self {
+            IoStream::Tcp { stream, .. } => stream.is_write_vectored(),
+            IoStream::TcpTls { stream, .. } => stream.is_write_vectored(),
+            IoStream::Unix { stream, .. } => stream.is_write_vectored(),
+            IoStream::UnixTls { stream, .. } => stream.is_write_vectored(),
+        }
+    }
+}
+
+impl AsRawFd for IoStream {
+    fn as_raw_fd(&self) -> RawFd {
+        // For immutable access, we can simply pattern-match on self.
+        match self {
+            IoStream::Tcp { stream, .. } => stream.as_raw_fd(),
+            IoStream::TcpTls { stream, .. } => stream.get_ref().0.as_raw_fd(),
+            IoStream::Unix { stream, .. } => stream.as_raw_fd(),
+            IoStream::UnixTls { stream, .. } => stream.get_ref().0.as_raw_fd(),
+        }
+    }
+}

data/ext/itsi_server/src/server/lifecycle_event.rs

@@ -0,0 +1,12 @@
+#[derive(Debug, Clone, PartialEq)]
+pub enum LifecycleEvent {
+    Start,
+    Shutdown,
+    Restart,
+    Reload,
+    IncreaseWorkers,
+    DecreaseWorkers,
+    ForceShutdown,
+    PrintInfo,
+    ChildTerminated,
+}

data/ext/itsi_server/src/server/middleware_stack/middleware.rs

@@ -0,0 +1,170 @@
+use crate::{
+    server::http_message_types::{HttpRequest, HttpResponse},
+    services::itsi_http_service::HttpRequestContext,
+};
+
+use super::middlewares::*;
+
+use async_trait::async_trait;
+use either::Either;
+use magnus::error::Result;
+use std::{cmp::Ordering, sync::Arc};
+
+#[derive(Debug, Clone)]
+pub enum Middleware {
+    AllowList(Arc<AllowList>),
+    AuthAPIKey(Arc<AuthAPIKey>),
+    AuthBasic(Arc<AuthBasic>),
+    AuthJwt(Arc<AuthJwt>),
+    CacheControl(Arc<CacheControl>),
+    Compression(Arc<Compression>),
+    Cors(Arc<Cors>),
+    Csp(Arc<Csp>),
+    DenyList(Arc<DenyList>),
+    ETag(Arc<ETag>),
+    IntrusionProtection(Arc<IntrusionProtection>),
+    LogRequests(Arc<LogRequests>),
+    MaxBody(Arc<MaxBody>),
+    Proxy(Arc<Proxy>),
+    RateLimit(Arc<RateLimit>),
+    Redirect(Arc<Redirect>),
+    RequestHeaders(Arc<RequestHeaders>),
+    ResponseHeaders(Arc<ResponseHeaders>),
+    RubyApp(Arc<RubyApp>),
+    StaticAssets(Arc<StaticAssets>),
+    StaticResponse(Arc<StaticResponse>),
+}
+
+#[async_trait]
+impl MiddlewareLayer for Middleware {
+    /// Called just once, to initialize the middleware state.
+    async fn initialize(&self) -> Result<()> {
+        match self {
+            Middleware::DenyList(filter) => filter.initialize().await,
+            Middleware::AllowList(filter) => filter.initialize().await,
+            Middleware::AuthBasic(filter) => filter.initialize().await,
+            Middleware::AuthJwt(filter) => filter.initialize().await,
+            Middleware::AuthAPIKey(filter) => filter.initialize().await,
+            Middleware::IntrusionProtection(filter) => filter.initialize().await,
+            Middleware::MaxBody(filter) => filter.initialize().await,
+            Middleware::RateLimit(filter) => filter.initialize().await,
+            Middleware::RequestHeaders(filter) => filter.initialize().await,
+            Middleware::ResponseHeaders(filter) => filter.initialize().await,
+            Middleware::CacheControl(filter) => filter.initialize().await,
+            Middleware::Cors(filter) => filter.initialize().await,
+            Middleware::Csp(filter) => filter.initialize().await,
+            Middleware::ETag(filter) => filter.initialize().await,
+            Middleware::StaticAssets(filter) => filter.initialize().await,
+            Middleware::StaticResponse(filter) => filter.initialize().await,
+            Middleware::Compression(filter) => filter.initialize().await,
+            Middleware::LogRequests(filter) => filter.initialize().await,
+            Middleware::Redirect(filter) => filter.initialize().await,
+            Middleware::Proxy(filter) => filter.initialize().await,
+            Middleware::RubyApp(filter) => filter.initialize().await,
+        }
+    }
+
+    async fn before(
+        &self,
+        req: HttpRequest,
+        context: &mut HttpRequestContext,
+    ) -> Result<Either<HttpRequest, HttpResponse>> {
+        match self {
+            Middleware::DenyList(filter) => filter.before(req, context).await,
+            Middleware::AllowList(filter) => filter.before(req, context).await,
+            Middleware::AuthBasic(filter) => filter.before(req, context).await,
+            Middleware::AuthJwt(filter) => filter.before(req, context).await,
+            Middleware::AuthAPIKey(filter) => filter.before(req, context).await,
+            Middleware::IntrusionProtection(filter) => filter.before(req, context).await,
+            Middleware::MaxBody(filter) => filter.before(req, context).await,
+            Middleware::RequestHeaders(filter) => filter.before(req, context).await,
+            Middleware::ResponseHeaders(filter) => filter.before(req, context).await,
+            Middleware::RateLimit(filter) => filter.before(req, context).await,
+            Middleware::CacheControl(filter) => filter.before(req, context).await,
+            Middleware::Cors(filter) => filter.before(req, context).await,
+            Middleware::Csp(filter) => filter.before(req, context).await,
+            Middleware::ETag(filter) => filter.before(req, context).await,
+            Middleware::StaticAssets(filter) => filter.before(req, context).await,
+            Middleware::StaticResponse(filter) => filter.before(req, context).await,
+            Middleware::Compression(filter) => filter.before(req, context).await,
+            Middleware::LogRequests(filter) => filter.before(req, context).await,
+            Middleware::Redirect(filter) => filter.before(req, context).await,
+            Middleware::Proxy(filter) => filter.before(req, context).await,
+            Middleware::RubyApp(filter) => filter.before(req, context).await,
+        }
+    }
+
+    async fn after(&self, res: HttpResponse, context: &mut HttpRequestContext) -> HttpResponse {
+        match self {
+            Middleware::DenyList(filter) => filter.after(res, context).await,
+            Middleware::AllowList(filter) => filter.after(res, context).await,
+            Middleware::AuthBasic(filter) => filter.after(res, context).await,
+            Middleware::AuthJwt(filter) => filter.after(res, context).await,
+            Middleware::AuthAPIKey(filter) => filter.after(res, context).await,
+            Middleware::IntrusionProtection(filter) => filter.after(res, context).await,
+            Middleware::MaxBody(filter) => filter.after(res, context).await,
+            Middleware::RateLimit(filter) => filter.after(res, context).await,
+            Middleware::RequestHeaders(filter) => filter.after(res, context).await,
+            Middleware::ResponseHeaders(filter) => filter.after(res, context).await,
+            Middleware::CacheControl(filter) => filter.after(res, context).await,
+            Middleware::Csp(filter) => filter.after(res, context).await,
+            Middleware::Cors(filter) => filter.after(res, context).await,
+            Middleware::ETag(filter) => filter.after(res, context).await,
+            Middleware::StaticAssets(filter) => filter.after(res, context).await,
+            Middleware::StaticResponse(filter) => filter.after(res, context).await,
+            Middleware::Compression(filter) => filter.after(res, context).await,
+            Middleware::LogRequests(filter) => filter.after(res, context).await,
+            Middleware::Redirect(filter) => filter.after(res, context).await,
+            Middleware::Proxy(filter) => filter.after(res, context).await,
+            Middleware::RubyApp(filter) => filter.after(res, context).await,
+        }
+    }
+}
+
+impl Middleware {
+    fn variant_order(&self) -> usize {
+        match self {
+            Middleware::DenyList(_) => 0,
+            Middleware::AllowList(_) => 1,
+            Middleware::IntrusionProtection(_) => 2,
+            Middleware::Redirect(_) => 3,
+            Middleware::LogRequests(_) => 4,
+            Middleware::CacheControl(_) => 5,
+            Middleware::RequestHeaders(_) => 6,
+            Middleware::ResponseHeaders(_) => 7,
+            Middleware::MaxBody(_) => 8,
+            Middleware::AuthBasic(_) => 9,
+            Middleware::AuthJwt(_) => 10,
+            Middleware::AuthAPIKey(_) => 11,
+            Middleware::RateLimit(_) => 12,
+            Middleware::ETag(_) => 13,
+            Middleware::Csp(_) => 14,
+            Middleware::Compression(_) => 15,
+            Middleware::Proxy(_) => 16,
+            Middleware::Cors(_) => 17,
+            Middleware::StaticResponse(_) => 18,
+            Middleware::StaticAssets(_) => 19,
+            Middleware::RubyApp(_) => 20,
+        }
+    }
+}
+
+impl PartialEq for Middleware {
+    fn eq(&self, other: &Self) -> bool {
+        self.variant_order() == other.variant_order()
+    }
+}
+
+impl Eq for Middleware {}
+
+impl PartialOrd for Middleware {
+    fn partial_cmp(&self, other: &Self) -> Option<Ordering> {
+        Some(self.cmp(other))
+    }
+}
+
+impl Ord for Middleware {
+    fn cmp(&self, other: &Self) -> Ordering {
+        self.variant_order().cmp(&other.variant_order())
+    }
+}

data/ext/itsi_server/src/server/middleware_stack/middlewares/allow_list.rs

@@ -0,0 +1,63 @@
+use super::{token_source::TokenSource, ErrorResponse, FromValue, MiddlewareLayer};
+use crate::{
+    server::http_message_types::{HttpRequest, HttpResponse, RequestExt},
+    services::itsi_http_service::HttpRequestContext,
+};
+use async_trait::async_trait;
+use either::Either;
+use itsi_error::ItsiError;
+use magnus::error::Result;
+use regex::RegexSet;
+use serde::Deserialize;
+use std::{collections::HashMap, sync::OnceLock};
+use tracing::debug;
+
+#[derive(Debug, Clone, Deserialize)]
+pub struct AllowList {
+    #[serde(skip_deserializing)]
+    pub allowed_ips: OnceLock<RegexSet>,
+    pub allowed_patterns: Vec<String>,
+    pub trusted_proxies: HashMap<String, TokenSource>,
+    #[serde(default = "forbidden_error_response")]
+    pub error_response: ErrorResponse,
+}
+
+fn forbidden_error_response() -> ErrorResponse {
+    ErrorResponse::forbidden()
+}
+
+#[async_trait]
+impl MiddlewareLayer for AllowList {
+    async fn initialize(&self) -> Result<()> {
+        let allowed_ips = RegexSet::new(&self.allowed_patterns).map_err(ItsiError::new)?;
+        self.allowed_ips
+            .set(allowed_ips)
+            .map_err(|e| ItsiError::new(format!("Failed to set allowed IPs: {:?}", e)))?;
+        Ok(())
+    }
+
+    async fn before(
+        &self,
+        req: HttpRequest,
+        context: &mut HttpRequestContext,
+    ) -> Result<Either<HttpRequest, HttpResponse>> {
+        if let Some(allowed_ips) = self.allowed_ips.get() {
+            let addr = if self.trusted_proxies.contains_key(&context.addr) {
+                let source = self.trusted_proxies.get(&context.addr).unwrap();
+                source.extract_token(&req).unwrap_or(&context.addr)
+            } else {
+                &context.addr
+            };
+            if !allowed_ips.is_match(addr) {
+                debug!(target: "middleware::allow_list", "IP address {} is not allowed", addr);
+                return Ok(Either::Right(
+                    self.error_response
+                        .to_http_response(req.accept().into())
+                        .await,
+                ));
+            }
+        }
+        Ok(Either::Left(req))
+    }
+}
+impl FromValue for AllowList {}

data/ext/itsi_server/src/server/middleware_stack/middlewares/auth_api_key.rs

@@ -0,0 +1,94 @@
+use std::collections::HashMap;
+
+use crate::{
+    server::http_message_types::{HttpRequest, HttpResponse, RequestExt},
+    services::{itsi_http_service::HttpRequestContext, password_hasher},
+};
+
+use super::{error_response::ErrorResponse, token_source::TokenSource, FromValue, MiddlewareLayer};
+
+use async_trait::async_trait;
+use either::Either;
+use magnus::error::Result;
+use serde::Deserialize;
+use tracing::debug;
+
+type PasswordHash = String;
+
+/// A simple API key filter.
+/// The API key can be given inside the header or a query string
+/// Keys are validated against a list of allowed key values (Changing these requires a restart)
+#[derive(Debug, Clone, Deserialize)]
+pub struct AuthAPIKey {
+    pub valid_keys: HashMap<String, PasswordHash>,
+    pub key_id_source: Option<TokenSource>,
+    pub token_source: TokenSource,
+    #[serde(default = "unauthorized_error_response")]
+    pub error_response: ErrorResponse,
+}
+
+fn unauthorized_error_response() -> ErrorResponse {
+    ErrorResponse::unauthorized()
+}
+
+#[async_trait]
+impl MiddlewareLayer for AuthAPIKey {
+    async fn before(
+        &self,
+        req: HttpRequest,
+        _context: &mut HttpRequestContext,
+    ) -> Result<Either<HttpRequest, HttpResponse>> {
+        if let Some(submitted_key) = match &self.token_source {
+            TokenSource::Header { name, prefix } => {
+                if let Some(header) = req.header(name) {
+                    if let Some(prefix) = prefix {
+                        Some(header.strip_prefix(prefix).unwrap_or("").trim_ascii())
+                    } else {
+                        Some(header.trim_ascii())
+                    }
+                } else {
+                    None
+                }
+            }
+            TokenSource::Query(query_name) => req.query_param(query_name),
+        } {
+            debug!(target: "middleware::auth_api_key", "API Key Retrieved. Anonymous {}", self.key_id_source.is_none());
+
+            if let Some(key_id) = self.key_id_source.as_ref() {
+                let key_id = match &key_id {
+                    TokenSource::Header { name, prefix } => {
+                        if let Some(header) = req.header(name) {
+                            if let Some(prefix) = prefix {
+                                Some(header.strip_prefix(prefix).unwrap_or("").trim_ascii())
+                            } else {
+                                Some(header.trim_ascii())
+                            }
+                        } else {
+                            None
+                        }
+                    }
+                    TokenSource::Query(query_name) => req.query_param(query_name),
+                };
+                debug!(target: "middleware::auth_api_key", "Key ID Retrieved");
+                if let Some(hash) = key_id.and_then(|kid| self.valid_keys.get(kid)) {
+                    debug!(target: "middleware::auth_api_key", "Key for ID found");
+                    if password_hasher::verify_password_hash(submitted_key, hash).is_ok_and(|v| v) {
+                        return Ok(Either::Left(req));
+                    }
+                }
+            } else if self.valid_keys.values().any(|key| {
+                password_hasher::verify_password_hash(submitted_key, key).is_ok_and(|v| v)
+            }) {
+                return Ok(Either::Left(req));
+            }
+        }
+
+        debug!(target: "middleware::auth_api_key", "Failed to authenticate API key");
+        Ok(Either::Right(
+            self.error_response
+                .to_http_response(req.accept().into())
+                .await,
+        ))
+    }
+}
+impl FromValue for AuthAPIKey {}

data/ext/itsi_server/src/server/middleware_stack/middlewares/auth_basic.rs

@@ -0,0 +1,93 @@
+use async_trait::async_trait;
+use base64::{engine::general_purpose, Engine};
+use bytes::Bytes;
+use either::Either;
+use http::{Response, StatusCode};
+use magnus::error::Result;
+use serde::{Deserialize, Serialize};
+use std::collections::HashMap;
+use std::str;
+use tracing::debug;
+
+use crate::{
+    server::http_message_types::{HttpBody, HttpRequest, HttpResponse, RequestExt},
+    services::{itsi_http_service::HttpRequestContext, password_hasher::verify_password_hash},
+};
+
+use super::{FromValue, MiddlewareLayer};
+
+type PasswordHash = String;
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct AuthBasic {
+    pub realm: String,
+    /// Maps usernames to passwords.
+    pub credential_pairs: HashMap<String, PasswordHash>,
+}
+
+impl AuthBasic {
+    fn basic_auth_failed_response(&self) -> HttpResponse {
+        Response::builder()
+            .status(StatusCode::UNAUTHORIZED)
+            .header(
+                "WWW-Authenticate",
+                format!("Basic realm=\"{}\"", self.realm),
+            )
+            .body(HttpBody::full(Bytes::from("Unauthorized")))
+            .unwrap()
+    }
+}
+#[async_trait]
+impl MiddlewareLayer for AuthBasic {
+    async fn before(
+        &self,
+        req: HttpRequest,
+        _context: &mut HttpRequestContext,
+    ) -> Result<Either<HttpRequest, HttpResponse>> {
+        // Retrieve the Authorization header.
+        let auth_header = req.header("Authorization");
+
+        if !auth_header.is_some_and(|header| header.starts_with("Basic ")) {
+            debug!(target: "middleware::auth_basic", "Basic auth failed. Authorization Header doesn't start with 'Basic '");
+            return Ok(Either::Right(self.basic_auth_failed_response()));
+        }
+
+        let auth_header = auth_header.unwrap();
+
+        let encoded_credentials = &auth_header["Basic ".len()..];
+        let decoded = match general_purpose::STANDARD.decode(encoded_credentials) {
+            Ok(bytes) => bytes,
+            Err(_) => {
+                debug!(target: "middleware::auth_basic", "Basic auth failed. Decoding failed");
+                return Ok(Either::Right(self.basic_auth_failed_response()));
+            }
+        };
+
+        let decoded_str = match str::from_utf8(&decoded) {
+            Ok(s) => s,
+            Err(_) => {
+                debug!(target: "middleware::auth_basic", "Basic auth failed. Decoding failed");
+                return Ok(Either::Right(self.basic_auth_failed_response()));
+            }
+        };
+
+        let mut parts = decoded_str.splitn(2, ':');
+        let username = parts.next().unwrap_or("");
+        let password = parts.next().unwrap_or("");
+
+        match self.credential_pairs.get(username) {
+            Some(expected_password_hash) => {
+                match verify_password_hash(password, expected_password_hash) {
+                    Ok(true) => Ok(Either::Left(req)),
+                    _ => Ok(Either::Right(self.basic_auth_failed_response())),
+                }
+            }
+            None => {
+                debug!(target: "middleware::auth_basic", "Basic auth failed. Username {} not found", username);
+                Ok(Either::Right(self.basic_auth_failed_response()))
+            }
+        }
+    }
+}
+
+impl FromValue for AuthBasic {}