itsi-server 0.2.22-aarch64-linux

data/ext/itsi_server/src/server/middleware_stack/middlewares/etag.rs

@@ -0,0 +1,183 @@
+use crate::{
+    server::http_message_types::{HttpBody, HttpRequest, HttpResponse},
+    services::itsi_http_service::HttpRequestContext,
+};
+
+use super::{FromValue, MiddlewareLayer};
+use async_trait::async_trait;
+use base64::{engine::general_purpose, Engine as _};
+use bytes::{Bytes, BytesMut};
+use either::Either;
+use futures::TryStreamExt;
+use http::{header, HeaderValue, Response, StatusCode};
+use http_body_util::BodyExt;
+use hyper::body::Body;
+use magnus::error::Result;
+use serde::Deserialize;
+use sha2::{Digest, Sha256};
+use tracing::debug;
+
+#[derive(Debug, Clone, Copy, Deserialize, Default)]
+pub enum ETagType {
+    #[serde(rename = "strong")]
+    #[default]
+    Strong,
+    #[serde(rename = "weak")]
+    Weak,
+}
+
+#[derive(Debug, Clone, Copy, Deserialize, Default)]
+pub enum HashAlgorithm {
+    #[serde(rename = "sha256")]
+    #[default]
+    Sha256,
+    #[serde(rename = "md5")]
+    Md5,
+}
+
+#[derive(Debug, Clone, Deserialize)]
+pub struct ETag {
+    #[serde(default)]
+    pub r#type: ETagType,
+    #[serde(default)]
+    pub algorithm: HashAlgorithm,
+    #[serde(default)]
+    pub min_body_size: usize,
+}
+
+#[async_trait]
+impl MiddlewareLayer for ETag {
+    async fn before(
+        &self,
+        req: HttpRequest,
+        context: &mut HttpRequestContext,
+    ) -> Result<Either<HttpRequest, HttpResponse>> {
+        // Store if-none-match header in context if present for later use in after hook
+        if let Some(if_none_match) = req.headers().get(header::IF_NONE_MATCH) {
+            debug!(target: "middleware::etag", "Received If-None-Match header: {:?}", if_none_match);
+            if let Ok(etag_value) = if_none_match.to_str() {
+                context.set_if_none_match(Some(etag_value.to_string()));
+            }
+        }
+
+        Ok(Either::Left(req))
+    }
+
+    async fn after(&self, resp: HttpResponse, context: &mut HttpRequestContext) -> HttpResponse {
+        // Skip for error responses or responses that shouldn't have ETags
+        match resp.status() {
+            StatusCode::OK
+            | StatusCode::CREATED
+            | StatusCode::ACCEPTED
+            | StatusCode::NON_AUTHORITATIVE_INFORMATION
+            | StatusCode::NO_CONTENT
+            | StatusCode::PARTIAL_CONTENT => {}
+            _ => {
+                debug!(target: "middleware::etag", "Skipping ETag middleware for ineligible response");
+                return resp;
+            }
+        }
+
+        if let Some(cache_control) = resp.headers().get(header::CACHE_CONTROL) {
+            if let Ok(cache_control_str) = cache_control.to_str() {
+                if cache_control_str.contains("no-store") {
+                    debug!(target: "middleware::etag", "Skipping ETag for no-store response");
+                    return resp;
+                }
+            }
+        }
+
+        let body_size = resp.size_hint().exact();
+
+        if body_size.is_none() {
+            debug!(target: "middleware::etag", "Skipping ETag for streaming response");
+            return resp;
+        }
+
+        if body_size.unwrap_or(0) < self.min_body_size as u64 {
+            debug!(target: "middleware::etag", "Skipping ETag for small response");
+            return resp;
+        }
+
+        let (mut parts, mut body) = resp.into_parts();
+        let etag_value = if let Some(existing_etag) = parts.headers.get(header::ETAG) {
+            existing_etag.to_str().unwrap_or("").to_string()
+        } else {
+            // Get the full bytes from the body
+            let full_bytes: Bytes = match body
+                .into_data_stream()
+                .try_fold(BytesMut::new(), |mut acc, chunk| async move {
+                    acc.extend_from_slice(&chunk);
+                    Ok(acc)
+                })
+                .await
+            {
+                Ok(bytes_mut) => bytes_mut.freeze(),
+                Err(_) => return Response::from_parts(parts, HttpBody::empty()),
+            };
+
+            let computed_etag = match self.algorithm {
+                HashAlgorithm::Sha256 => {
+                    let mut hasher = Sha256::new();
+                    hasher.update(&full_bytes);
+                    let result = hasher.finalize();
+                    general_purpose::STANDARD.encode(result)
+                }
+                HashAlgorithm::Md5 => {
+                    let digest = md5::compute(&full_bytes);
+                    format!("{:x}", digest)
+                }
+            };
+
+            let formatted_etag = match self.r#type {
+                ETagType::Strong => format!("\"{}\"", computed_etag),
+                ETagType::Weak => format!("W/\"{}\"", computed_etag),
+            };
+
+            debug!(target: "middleware::etag", "Computed ETag for response {}", formatted_etag);
+            if let Ok(value) = HeaderValue::from_str(&formatted_etag) {
+                parts.headers.insert(header::ETAG, value);
+            }
+
+            body = HttpBody::full(full_bytes);
+            formatted_etag
+        };
+
+        if let Some(if_none_match) = context.get_if_none_match() {
+            if if_none_match == etag_value || if_none_match == "*" {
+                // Return 304 Not Modified without the body
+                let mut not_modified = Response::new(HttpBody::empty());
+                *not_modified.status_mut() = StatusCode::NOT_MODIFIED;
+                // Copy headers we want to preserve
+                for (name, value) in parts.headers.iter() {
+                    if matches!(
+                        name,
+                        &header::CACHE_CONTROL
+                            | &header::CONTENT_LOCATION
+                            | &header::DATE
+                            | &header::ETAG
+                            | &header::EXPIRES
+                            | &header::VARY
+                    ) {
+                        not_modified.headers_mut().insert(name, value.clone());
+                    }
+                }
+                return not_modified;
+            }
+        }
+
+        Response::from_parts(parts, body)
+    }
+}
+
+impl Default for ETag {
+    fn default() -> Self {
+        Self {
+            r#type: ETagType::Strong,
+            algorithm: HashAlgorithm::Sha256,
+            min_body_size: 0,
+        }
+    }
+}
+
+impl FromValue for ETag {}

data/ext/itsi_server/src/server/middleware_stack/middlewares/header_interpretation.rs

@@ -0,0 +1,82 @@
+use http::{header::GetAll, HeaderValue};
+
+/// Given a list of header values (which may be comma-separated and may have quality parameters)
+/// and a list of supported items (each supported item is a full value or a prefix ending with '*'),
+/// return Some(supported_item) for the first supported item that matches any header value, or None.
+pub fn find_first_supported<'a, I>(header_values: &[HeaderValue], supported: I) -> Option<&'a str>
+where
+    I: IntoIterator<Item = &'a str> + Clone,
+{
+    // best candidate: (quality, supported_index, candidate)
+    let mut best: Option<(f32, usize, &'a str)> = None;
+
+    for value in header_values.iter() {
+        if let Ok(s) = value.to_str() {
+            for token in s.split(',') {
+                let token = token.trim();
+                if token.is_empty() {
+                    continue;
+                }
+                let mut parts = token.split(';');
+                let enc = parts.next()?.trim();
+                if enc.is_empty() {
+                    continue;
+                }
+                let quality = parts
+                    .find_map(|p| {
+                        let p = p.trim();
+                        if let Some(q_str) = p.strip_prefix("q=") {
+                            q_str.parse::<f32>().ok()
+                        } else {
+                            None
+                        }
+                    })
+                    .unwrap_or(1.0);
+
+                // For each supported encoding, iterate over a clone of the iterable.
+                for (i, supp) in supported.clone().into_iter().enumerate() {
+                    let is_match = if supp == "*" {
+                        true
+                    } else if let Some(prefix) = supp.strip_suffix('*') {
+                        enc.starts_with(prefix)
+                    } else {
+                        enc.eq_ignore_ascii_case(supp)
+                    };
+
+                    if is_match {
+                        best = match best {
+                            Some((best_q, best_idx, _))
+                                if quality > best_q || (quality == best_q && i < best_idx) =>
+                            {
+                                Some((quality, i, supp))
+                            }
+                            None => Some((quality, i, supp)),
+                            _ => best,
+                        };
+                    }
+                }
+            }
+        }
+    }
+
+    best.map(|(_, _, candidate)| candidate)
+}
+
+pub fn header_contains(header_values: &GetAll<HeaderValue>, needle: &str) -> bool {
+    if needle == "*" {
+        return true;
+    }
+    let mut headers = header_values
+        .iter()
+        .flat_map(|value| value.to_str().unwrap_or("").split(','))
+        .map(|s| s.trim().split(';').next().unwrap_or(""))
+        .filter(|s| !s.is_empty());
+
+    let needle_lower = needle;
+    if needle.ends_with('*') {
+        let prefix = &needle_lower[..needle_lower.len() - 1];
+        headers.any(|h| h.starts_with(prefix))
+    } else {
+        headers.any(|h| h == needle_lower)
+    }
+}

data/ext/itsi_server/src/server/middleware_stack/middlewares/intrusion_protection.rs

@@ -0,0 +1,209 @@
+use crate::server::http_message_types::{HttpRequest, HttpResponse, RequestExt};
+use crate::services::itsi_http_service::HttpRequestContext;
+use crate::services::rate_limiter::{
+    get_ban_manager, get_rate_limiter, BanManager, RateLimiter, RateLimiterConfig,
+};
+
+use super::token_source::TokenSource;
+use super::{ErrorResponse, FromValue, MiddlewareLayer};
+
+use async_trait::async_trait;
+use either::Either;
+use itsi_tracing::*;
+use magnus::error::Result;
+use regex::RegexSet;
+use serde::Deserialize;
+use std::time::Duration;
+use std::{
+    collections::HashMap,
+    sync::{Arc, OnceLock},
+};
+
+#[derive(Debug, Clone, Deserialize)]
+pub struct IntrusionProtection {
+    #[serde(skip_deserializing)]
+    pub banned_url_pattern_matcher: OnceLock<RegexSet>,
+    #[serde(default)]
+    pub banned_url_patterns: Vec<String>,
+    #[serde(skip_deserializing)]
+    pub banned_header_pattern_matchers: OnceLock<HashMap<String, RegexSet>>,
+    #[serde(default)]
+    pub banned_header_patterns: HashMap<String, Vec<String>>,
+    pub banned_time_seconds: f64,
+    #[serde(skip_deserializing)]
+    pub rate_limiter: OnceLock<Arc<dyn RateLimiter>>,
+    #[serde(skip_deserializing)]
+    pub ban_manager: OnceLock<BanManager>,
+    pub store_config: RateLimiterConfig,
+    pub trusted_proxies: HashMap<String, TokenSource>,
+    #[serde(default = "forbidden_error_response")]
+    pub error_response: ErrorResponse,
+}
+
+fn forbidden_error_response() -> ErrorResponse {
+    ErrorResponse::forbidden()
+}
+
+#[async_trait]
+impl MiddlewareLayer for IntrusionProtection {
+    async fn initialize(&self) -> Result<()> {
+        // Initialize regex matchers for URL patterns
+        if !self.banned_url_patterns.is_empty() {
+            match RegexSet::new(&self.banned_url_patterns) {
+                Ok(regex_set) => {
+                    debug!(target: "middleware::intrusion_protection", "Compiled URL regex patterns: {} items.", regex_set.len());
+                    let _ = self.banned_url_pattern_matcher.set(regex_set);
+                }
+                Err(e) => {
+                    error!("Failed to compile URL regex patterns: {:?}", e);
+                }
+            }
+        }
+
+        // Initialize regex matchers for header patterns
+        if !self.banned_header_patterns.is_empty() {
+            let mut header_matchers = HashMap::new();
+            for (header_name, patterns) in &self.banned_header_patterns {
+                if !patterns.is_empty() {
+                    match RegexSet::new(patterns) {
+                        Ok(regex_set) => {
+                            debug!(target: "middleware::intrusion_protection", "Compiled header regex patterns for {}: {} items.", header_name, regex_set.len());
+                            header_matchers.insert(header_name.clone(), regex_set);
+                        }
+                        Err(e) => {
+                            error!(
+                                "Failed to compile header regex patterns for {}: {:?}",
+                                header_name, e
+                            );
+                        }
+                    }
+                }
+            }
+            let _ = self.banned_header_pattern_matchers.set(header_matchers);
+        }
+
+        // Initialize rate limiter (used for tracking bans)
+        // This will automatically fall back to in-memory if Redis fails
+        if let Ok(limiter) = get_rate_limiter(&self.store_config).await {
+            debug!(target: "middleware::intrusion_protection", "Initialized rate limiter.");
+            let _ = self.rate_limiter.set(limiter);
+        }
+
+        // Initialize ban manager
+        // This will automatically fall back to in-memory if Redis fails
+        if let Ok(manager) = get_ban_manager(&self.store_config).await {
+            debug!(target: "middleware::intrusion_protection", "Initialized ban manager.");
+            let _ = self.ban_manager.set(manager);
+        }
+
+        Ok(())
+    }
+
+    async fn before(
+        &self,
+        req: HttpRequest,
+        context: &mut HttpRequestContext,
+    ) -> Result<Either<HttpRequest, HttpResponse>> {
+        // Get client IP address from context's service
+        let client_ip = if self.trusted_proxies.contains_key(&context.addr) {
+            let source = self.trusted_proxies.get(&context.addr).unwrap();
+            source.extract_token(&req).unwrap_or(&context.addr)
+        } else {
+            &context.addr
+        };
+
+        // Check if the IP is already banned
+        if let Some(ban_manager) = self.ban_manager.get() {
+            match ban_manager.is_banned(client_ip).await {
+                Ok(Some(_)) => {
+                    debug!(target: "middleware::intrusion_protection", "IP {} is banned.", client_ip);
+                    return Ok(Either::Right(
+                        self.error_response
+                            .to_http_response(req.accept().into())
+                            .await,
+                    ));
+                }
+                Err(e) => {
+                    error!("Error checking IP ban status: {:?}", e);
+                    // Continue processing - fail open
+                }
+                _ => {}
+            }
+        } else {
+            warn!("No ban manager available for intrusion protection");
+        }
+
+        // Check for banned URL patterns
+        if let Some(url_matcher) = self.banned_url_pattern_matcher.get() {
+            let path = req.uri().path_and_query().map(|p| p.as_str()).unwrap_or("");
+
+            if url_matcher.is_match(path) {
+                debug!(target: "middleware::intrusion_protection", "Banned URL pattern detected: {}", path);
+                if let Some(ban_manager) = self.ban_manager.get() {
+                    match ban_manager
+                        .ban_ip(
+                            client_ip,
+                            &format!("Banned URL pattern detected: {}", path),
+                            Duration::from_secs_f64(self.banned_time_seconds),
+                        )
+                        .await
+                    {
+                        Ok(_) => {}
+                        Err(e) => error!("Failed to ban IP {}: {:?}", client_ip, e),
+                    }
+                }
+
+                // Always return the error response even if banning failed
+                return Ok(Either::Right(
+                    self.error_response
+                        .to_http_response(req.accept().into())
+                        .await,
+                ));
+            }
+        }
+
+        // Check for banned header patterns
+        if let Some(header_matchers) = self.banned_header_pattern_matchers.get() {
+            for (header_name, pattern_set) in header_matchers {
+                if let Some(header_value) = req.header(header_name) {
+                    if pattern_set.is_match(header_value) {
+                        debug!(target: "middleware::intrusion_protection", "Banned header pattern detected: {} in {}", header_value, header_name);
+
+                        // Ban the IP address if possible
+                        if let Some(ban_manager) = self.ban_manager.get() {
+                            match ban_manager
+                                .ban_ip(
+                                    client_ip,
+                                    &format!(
+                                        "Banned header pattern detected: {} in {}",
+                                        header_value, header_name
+                                    ),
+                                    Duration::from_secs_f64(self.banned_time_seconds),
+                                )
+                                .await
+                            {
+                                Ok(_) => info!(
+                                    "Successfully banned IP {} for {} seconds",
+                                    client_ip, self.banned_time_seconds
+                                ),
+                                Err(e) => error!("Failed to ban IP {}: {:?}", client_ip, e),
+                            }
+                        }
+
+                        // Always return the error response even if banning failed
+                        return Ok(Either::Right(
+                            self.error_response
+                                .to_http_response(req.accept().into())
+                                .await,
+                        ));
+                    }
+                }
+            }
+        }
+
+        // No intrusion detected
+        Ok(Either::Left(req))
+    }
+}
+
+impl FromValue for IntrusionProtection {}

data/ext/itsi_server/src/server/middleware_stack/middlewares/log_requests.rs

@@ -0,0 +1,133 @@
+use async_trait::async_trait;
+use either::Either;
+use itsi_tracing::*;
+use magnus::error::Result;
+use serde::Deserialize;
+use tracing::enabled;
+
+use crate::server::http_message_types::{HttpRequest, HttpResponse};
+use crate::services::itsi_http_service::HttpRequestContext;
+
+use super::string_rewrite::StringRewrite;
+use super::{FromValue, MiddlewareLayer};
+
+/// Logging middleware for HTTP requests and responses
+///
+/// Supports customizable log formats with placeholders
+#[derive(Debug, Clone, Deserialize)]
+pub struct LogRequests {
+    pub before: Option<LogConfig>,
+    pub after: Option<LogConfig>,
+}
+
+#[derive(Debug, Clone, Deserialize)]
+pub struct LogConfig {
+    level: LogMiddlewareLevel,
+    format: StringRewrite,
+}
+
+#[derive(Debug, Clone, Deserialize)]
+pub enum LogMiddlewareLevel {
+    #[serde(rename(deserialize = "INFO"))]
+    Info,
+    #[serde(rename(deserialize = "TRACE"))]
+    Trace,
+    #[serde(rename(deserialize = "DEBUG"))]
+    Debug,
+    #[serde(rename(deserialize = "WARN"))]
+    Warn,
+    #[serde(rename(deserialize = "ERROR"))]
+    Error,
+}
+
+#[async_trait]
+impl MiddlewareLayer for LogRequests {
+    async fn initialize(&self) -> Result<()> {
+        Ok(())
+    }
+
+    async fn before(
+        &self,
+        req: HttpRequest,
+        context: &mut HttpRequestContext,
+    ) -> Result<Either<HttpRequest, HttpResponse>> {
+        context.init_logging_params();
+        if let Some(LogConfig { level, format }) = self.before.as_ref() {
+            match level {
+                LogMiddlewareLevel::Trace => {
+                    if enabled!(target: "middleware::log_requests", tracing::Level::TRACE) {
+                        let message = format.rewrite_request(&req, context);
+                        trace!(target: "middleware::log_requests", message);
+                    }
+                }
+                LogMiddlewareLevel::Debug => {
+                    if enabled!(target: "middleware::log_requests", tracing::Level::DEBUG) {
+                        let message = format.rewrite_request(&req, context);
+                        debug!(target: "middleware::log_requests", message);
+                    }
+                }
+                LogMiddlewareLevel::Info => {
+                    if enabled!(target: "middleware::log_requests", tracing::Level::INFO) {
+                        let message = format.rewrite_request(&req, context);
+                        info!(target: "middleware::log_requests", message);
+                    }
+                }
+                LogMiddlewareLevel::Warn => {
+                    if enabled!(target: "middleware::log_requests", tracing::Level::WARN) {
+                        let message = format.rewrite_request(&req, context);
+                        warn!(target: "middleware::log_requests", message);
+                    }
+                }
+                LogMiddlewareLevel::Error => {
+                    if enabled!(target: "middleware::log_requests", tracing::Level::ERROR) {
+                        let message = format.rewrite_request(&req, context);
+                        error!(target: "middleware::log_requests", message);
+                    }
+                }
+            }
+        }
+
+        Ok(Either::Left(req))
+    }
+
+    async fn after(&self, resp: HttpResponse, context: &mut HttpRequestContext) -> HttpResponse {
+        if let Some(LogConfig { level, format }) = self.after.as_ref() {
+            match level {
+                LogMiddlewareLevel::Trace => {
+                    if enabled!(target: "middleware::log_requests", tracing::Level::TRACE) {
+                        let message = format.rewrite_response(&resp, context);
+                        trace!(target: "middleware::log_requests", message);
+                    }
+                }
+                LogMiddlewareLevel::Debug => {
+                    if enabled!(target: "middleware::log_requests", tracing::Level::DEBUG) {
+                        let message = format.rewrite_response(&resp, context);
+                        debug!(target: "middleware::log_requests", message);
+                    }
+                }
+                LogMiddlewareLevel::Info => {
+                    if enabled!(target: "middleware::log_requests", tracing::Level::INFO) {
+                        let message = format.rewrite_response(&resp, context);
+                        info!(target: "middleware::log_requests", message);
+                    }
+                }
+                LogMiddlewareLevel::Warn => {
+                    if enabled!(target: "middleware::log_requests", tracing::Level::WARN) {
+                        let message = format.rewrite_response(&resp, context);
+                        warn!(target: "middleware::log_requests", message);
+                    }
+                }
+                LogMiddlewareLevel::Error => {
+                    if enabled!(target: "middleware::log_requests", tracing::Level::ERROR) {
+                        let message = format.rewrite_response(&resp, context);
+                        error!(target: "middleware::log_requests", message);
+                    }
+                }
+            }
+        }
+
+        resp
+    }
+}
+
+impl FromValue for LogRequests {}

data/ext/itsi_server/src/server/middleware_stack/middlewares/max_body.rs

@@ -0,0 +1,47 @@
+use crate::{
+    server::http_message_types::{HttpRequest, HttpResponse, RequestExt},
+    services::itsi_http_service::HttpRequestContext,
+};
+
+use super::{ErrorResponse, FromValue, MiddlewareLayer};
+use async_trait::async_trait;
+use either::Either;
+use http::StatusCode;
+use magnus::error::Result;
+use serde::Deserialize;
+use std::sync::atomic::Ordering;
+
+#[derive(Debug, Clone, Deserialize)]
+pub struct MaxBody {
+    pub limit_bytes: usize,
+    #[serde(default = "payload_too_large_error_response")]
+    pub error_response: ErrorResponse,
+}
+
+fn payload_too_large_error_response() -> ErrorResponse {
+    ErrorResponse::payload_too_large()
+}
+
+#[async_trait]
+impl MiddlewareLayer for MaxBody {
+    async fn before(
+        &self,
+        req: HttpRequest,
+        context: &mut HttpRequestContext,
+    ) -> Result<Either<HttpRequest, HttpResponse>> {
+        req.body().limit.store(self.limit_bytes, Ordering::Relaxed);
+        context.set_response_format(req.accept().into());
+        Ok(Either::Left(req))
+    }
+
+    async fn after(&self, resp: HttpResponse, context: &mut HttpRequestContext) -> HttpResponse {
+        if resp.status() == StatusCode::PAYLOAD_TOO_LARGE {
+            self.error_response
+                .to_http_response(*context.response_format())
+                .await
+        } else {
+            resp
+        }
+    }
+}
+impl FromValue for MaxBody {}