RubyGems - itsi - Versions diffs - 0.1.13 → 0.1.18 - Mend

itsi 0.1.13 → 0.1.18

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (169) hide show

data/crates/itsi_server/src/server/binds/mod.rs ADDED Viewed

@@ -0,0 +1,4 @@
+pub mod bind;
+pub mod bind_protocol;
+pub mod listener;
+pub mod tls;

data/crates/itsi_server/src/server/{tls.rs → binds/tls.rs} RENAMED Viewed

@@ -3,7 +3,7 @@ use itsi_error::Result;
 use itsi_tracing::info;
 use locked_dir_cache::LockedDirCache;
 use rcgen::{
-    generate_simple_self_signed, CertificateParams, CertifiedKey, DnType, KeyPair, SanType,
+    BasicConstraints, CertificateParams, DistinguishedName, DnType, IsCa, KeyPair, SanType,
 };
 use rustls::{
     pki_types::{CertificateDer, PrivateKeyDer},
@@ -24,6 +24,7 @@ use crate::env::{
     ITSI_ACME_CACHE_DIR, ITSI_ACME_CA_PEM_PATH, ITSI_ACME_CONTACT_EMAIL, ITSI_ACME_DIRECTORY_URL,
     ITSI_LOCAL_CA_DIR,
 };
 mod locked_dir_cache;
 #[derive(Clone)]
@@ -253,9 +254,13 @@ fn get_or_create_local_dev_ca() -> Result<(String, String)> {
         Ok((key_pem, cert_pem))
     } else {
         let subject_alt_names = vec!["dev.itsi.fyi".to_string(), "localhost".to_string()];
-        let CertifiedKey { cert, key_pair } =
-            generate_simple_self_signed(subject_alt_names).unwrap();
+        let mut params = CertificateParams::new(subject_alt_names)?;
+        let mut distinguished_name = DistinguishedName::new();
+        distinguished_name.push(DnType::CommonName, "Itsi Development CA");
+        params.distinguished_name = distinguished_name;
+        params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
+        let key_pair = KeyPair::generate()?;
+        let cert = params.self_signed(&key_pair)?;
         fs::write(&key_path, key_pair.serialize_pem())?;
         fs::write(&cert_path, cert.pem())?;

data/crates/itsi_server/src/server/http_message_types.rs ADDED Viewed

@@ -0,0 +1,97 @@
+use std::convert::Infallible;
+use bytes::Bytes;
+use http::{Request, Response};
+use http_body_util::combinators::BoxBody;
+use hyper::body::Incoming;
+use super::size_limited_incoming::SizeLimitedIncoming;
+pub type HttpResponse = Response<BoxBody<Bytes, Infallible>>;
+pub type HttpRequest = Request<SizeLimitedIncoming<Incoming>>;
+pub trait ConversionExt {
+    fn limit(self) -> HttpRequest;
+}
+impl ConversionExt for Request<Incoming> {
+    fn limit(self) -> HttpRequest {
+        let (parts, body) = self.into_parts();
+        Request::from_parts(parts, SizeLimitedIncoming::new(body))
+    }
+}
+pub trait RequestExt {
+    fn content_type(&self) -> Option<&str>;
+    fn accept(&self) -> Option<&str>;
+    fn header(&self, header_name: &str) -> Option<&str>;
+    fn query_param(&self, query_name: &str) -> Option<&str>;
+}
+pub trait PathExt {
+    fn no_trailing_slash(&self) -> &str;
+}
+#[derive(Debug, Clone)]
+pub enum ResponseFormat {
+    JSON,
+    HTML,
+    TEXT,
+    UNKNOWN,
+}
+#[derive(Debug, Clone, Default)]
+pub struct SupportedEncodingSet {
+    pub zstd: bool,
+    pub br: bool,
+    pub deflate: bool,
+    pub gzip: bool,
+}
+impl From<Option<&str>> for ResponseFormat {
+    fn from(value: Option<&str>) -> Self {
+        match value {
+            Some("application/json") => ResponseFormat::JSON,
+            Some("text/html") => ResponseFormat::HTML,
+            Some("text/plain") => ResponseFormat::TEXT,
+            _ => ResponseFormat::UNKNOWN,
+        }
+    }
+}
+impl PathExt for str {
+    fn no_trailing_slash(&self) -> &str {
+        if self == "/" {
+            self
+        } else {
+            self.trim_end_matches("/")
+        }
+    }
+}
+impl RequestExt for HttpRequest {
+    fn content_type(&self) -> Option<&str> {
+        self.headers()
+            .get("content-type")
+            .map(|hv| hv.to_str().unwrap_or(""))
+    }
+    fn accept(&self) -> Option<&str> {
+        self.headers()
+            .get("accept")
+            .map(|hv| hv.to_str().unwrap_or(""))
+    }
+    fn header(&self, header_name: &str) -> Option<&str> {
+        self.headers()
+            .get(header_name)
+            .map(|hv| hv.to_str().unwrap_or(""))
+    }
+    fn query_param(&self, query_name: &str) -> Option<&str> {
+        self.uri()
+            .query()
+            .and_then(|query| query.split('&').find(|param| param.starts_with(query_name)))
+            .map(|param| param.split('=').nth(1).unwrap_or(""))
+    }
+}

data/crates/itsi_server/src/server/io_stream.rs CHANGED Viewed

@@ -1,4 +1,3 @@
-use super::listener::SockAddr;
 use pin_project::pin_project;
 use tokio::net::{TcpStream, UnixStream};
 use tokio_rustls::server::TlsStream;
@@ -8,6 +7,8 @@ use std::pin::Pin;
 use std::task::{Context, Poll};
 use tokio::io::{AsyncRead, AsyncWrite};
+use super::binds::listener::SockAddr;
 #[pin_project(project = IoStreamEnumProj)]
 pub enum IoStream {
     Tcp {

data/crates/itsi_server/src/server/middleware_stack/middleware.rs CHANGED Viewed

@@ -1,8 +1,10 @@
-use super::middlewares::*;
-use crate::server::{
-    itsi_service::RequestContext,
-    types::{HttpRequest, HttpResponse},
+use crate::{
+    server::http_message_types::{HttpRequest, HttpResponse},
+    services::itsi_http_service::HttpRequestContext,
 };
+use super::middlewares::*;
 use async_trait::async_trait;
 use either::Either;
 use magnus::error::Result;
@@ -21,6 +23,7 @@ pub enum Middleware {
     ETag(ETag),
     IntrusionProtection(IntrusionProtection),
     LogRequests(LogRequests),
+    MaxBody(MaxBody),
     Proxy(Proxy),
     RateLimit(RateLimit),
     Redirect(Redirect),
@@ -28,6 +31,7 @@ pub enum Middleware {
     ResponseHeaders(ResponseHeaders),
     RubyApp(RubyApp),
     StaticAssets(StaticAssets),
+    StaticResponse(StaticResponse),
 }
 #[async_trait]
@@ -41,6 +45,7 @@ impl MiddlewareLayer for Middleware {
             Middleware::AuthJwt(filter) => filter.initialize().await,
             Middleware::AuthAPIKey(filter) => filter.initialize().await,
             Middleware::IntrusionProtection(filter) => filter.initialize().await,
+            Middleware::MaxBody(filter) => filter.initialize().await,
             Middleware::RateLimit(filter) => filter.initialize().await,
             Middleware::RequestHeaders(filter) => filter.initialize().await,
             Middleware::ResponseHeaders(filter) => filter.initialize().await,
@@ -48,6 +53,7 @@ impl MiddlewareLayer for Middleware {
             Middleware::Cors(filter) => filter.initialize().await,
             Middleware::ETag(filter) => filter.initialize().await,
             Middleware::StaticAssets(filter) => filter.initialize().await,
+            Middleware::StaticResponse(filter) => filter.initialize().await,
             Middleware::Compression(filter) => filter.initialize().await,
             Middleware::LogRequests(filter) => filter.initialize().await,
             Middleware::Redirect(filter) => filter.initialize().await,
@@ -59,7 +65,7 @@ impl MiddlewareLayer for Middleware {
     async fn before(
         &self,
         req: HttpRequest,
-        context: &mut RequestContext,
+        context: &mut HttpRequestContext,
     ) -> Result<Either<HttpRequest, HttpResponse>> {
         match self {
             Middleware::DenyList(filter) => filter.before(req, context).await,
@@ -68,6 +74,7 @@ impl MiddlewareLayer for Middleware {
             Middleware::AuthJwt(filter) => filter.before(req, context).await,
             Middleware::AuthAPIKey(filter) => filter.before(req, context).await,
             Middleware::IntrusionProtection(filter) => filter.before(req, context).await,
+            Middleware::MaxBody(filter) => filter.before(req, context).await,
             Middleware::RequestHeaders(filter) => filter.before(req, context).await,
             Middleware::ResponseHeaders(filter) => filter.before(req, context).await,
             Middleware::RateLimit(filter) => filter.before(req, context).await,
@@ -75,6 +82,7 @@ impl MiddlewareLayer for Middleware {
             Middleware::Cors(filter) => filter.before(req, context).await,
             Middleware::ETag(filter) => filter.before(req, context).await,
             Middleware::StaticAssets(filter) => filter.before(req, context).await,
+            Middleware::StaticResponse(filter) => filter.before(req, context).await,
             Middleware::Compression(filter) => filter.before(req, context).await,
             Middleware::LogRequests(filter) => filter.before(req, context).await,
             Middleware::Redirect(filter) => filter.before(req, context).await,
@@ -83,7 +91,7 @@ impl MiddlewareLayer for Middleware {
         }
     }
-    async fn after(&self, res: HttpResponse, context: &mut RequestContext) -> HttpResponse {
+    async fn after(&self, res: HttpResponse, context: &mut HttpRequestContext) -> HttpResponse {
         match self {
             Middleware::DenyList(filter) => filter.after(res, context).await,
             Middleware::AllowList(filter) => filter.after(res, context).await,
@@ -91,6 +99,7 @@ impl MiddlewareLayer for Middleware {
             Middleware::AuthJwt(filter) => filter.after(res, context).await,
             Middleware::AuthAPIKey(filter) => filter.after(res, context).await,
             Middleware::IntrusionProtection(filter) => filter.after(res, context).await,
+            Middleware::MaxBody(filter) => filter.after(res, context).await,
             Middleware::RateLimit(filter) => filter.after(res, context).await,
             Middleware::RequestHeaders(filter) => filter.after(res, context).await,
             Middleware::ResponseHeaders(filter) => filter.after(res, context).await,
@@ -98,6 +107,7 @@ impl MiddlewareLayer for Middleware {
             Middleware::Cors(filter) => filter.after(res, context).await,
             Middleware::ETag(filter) => filter.after(res, context).await,
             Middleware::StaticAssets(filter) => filter.after(res, context).await,
+            Middleware::StaticResponse(filter) => filter.after(res, context).await,
             Middleware::Compression(filter) => filter.after(res, context).await,
             Middleware::LogRequests(filter) => filter.after(res, context).await,
             Middleware::Redirect(filter) => filter.after(res, context).await,
@@ -118,16 +128,18 @@ impl Middleware {
             Middleware::CacheControl(_) => 5,
             Middleware::RequestHeaders(_) => 6,
             Middleware::ResponseHeaders(_) => 7,
-            Middleware::AuthBasic(_) => 8,
-            Middleware::AuthJwt(_) => 9,
-            Middleware::AuthAPIKey(_) => 10,
-            Middleware::RateLimit(_) => 11,
-            Middleware::ETag(_) => 12,
-            Middleware::Compression(_) => 13,
-            Middleware::Proxy(_) => 14,
-            Middleware::Cors(_) => 15,
-            Middleware::StaticAssets(_) => 16,
-            Middleware::RubyApp(_) => 17,
+            Middleware::MaxBody(_) => 8,
+            Middleware::AuthBasic(_) => 9,
+            Middleware::AuthJwt(_) => 10,
+            Middleware::AuthAPIKey(_) => 11,
+            Middleware::RateLimit(_) => 12,
+            Middleware::ETag(_) => 13,
+            Middleware::Compression(_) => 14,
+            Middleware::Proxy(_) => 15,
+            Middleware::Cors(_) => 16,
+            Middleware::StaticResponse(_) => 17,
+            Middleware::StaticAssets(_) => 18,
+            Middleware::RubyApp(_) => 19,
         }
     }
 }

data/crates/itsi_server/src/server/middleware_stack/middlewares/allow_list.rs CHANGED Viewed

@@ -1,8 +1,10 @@
-use super::{ErrorResponse, FromValue, MiddlewareLayer};
-use crate::server::{
-    itsi_service::RequestContext,
-    types::{HttpRequest, HttpResponse},
+use crate::{
+    server::http_message_types::{HttpRequest, HttpResponse, RequestExt},
+    services::itsi_http_service::HttpRequestContext,
 };
+use super::{ErrorResponse, FromValue, MiddlewareLayer};
 use async_trait::async_trait;
 use either::Either;
 use itsi_error::ItsiError;
@@ -16,28 +18,35 @@ pub struct AllowList {
     #[serde(skip_deserializing)]
     pub allowed_ips: OnceLock<RegexSet>,
     pub allowed_patterns: Vec<String>,
+    #[serde(default = "forbidden_error_response")]
     pub error_response: ErrorResponse,
 }
+fn forbidden_error_response() -> ErrorResponse {
+    ErrorResponse::forbidden()
+}
 #[async_trait]
 impl MiddlewareLayer for AllowList {
     async fn initialize(&self) -> Result<()> {
-        let allowed_ips = RegexSet::new(&self.allowed_patterns).map_err(ItsiError::default)?;
+        let allowed_ips = RegexSet::new(&self.allowed_patterns).map_err(ItsiError::new)?;
         self.allowed_ips
             .set(allowed_ips)
-            .map_err(|e| ItsiError::default(format!("Failed to set allowed IPs: {:?}", e)))?;
+            .map_err(|e| ItsiError::new(format!("Failed to set allowed IPs: {:?}", e)))?;
         Ok(())
     }
     async fn before(
         &self,
         req: HttpRequest,
-        context: &mut RequestContext,
+        context: &mut HttpRequestContext,
     ) -> Result<Either<HttpRequest, HttpResponse>> {
         if let Some(allowed_ips) = self.allowed_ips.get() {
             if !allowed_ips.is_match(&context.addr) {
                 return Ok(Either::Right(
-                    self.error_response.to_http_response(&req).await,
+                    self.error_response
+                        .to_http_response(req.accept().into())
+                        .await,
                 ));
             }
         }

data/crates/itsi_server/src/server/middleware_stack/middlewares/auth_api_key.rs CHANGED Viewed

@@ -1,6 +1,8 @@
-use crate::server::{
-    itsi_service::RequestContext,
-    types::{HttpRequest, HttpResponse, RequestExt},
+use std::collections::HashMap;
+use crate::{
+    server::http_message_types::{HttpRequest, HttpResponse, RequestExt},
+    services::{itsi_http_service::HttpRequestContext, password_hasher},
 };
 use super::{error_response::ErrorResponse, token_source::TokenSource, FromValue, MiddlewareLayer};
@@ -10,25 +12,32 @@ use either::Either;
 use magnus::error::Result;
 use serde::Deserialize;
+type PasswordHash = String;
 /// A simple API key filter.
 /// The API key can be given inside the header or a query string
 /// Keys are validated against a list of allowed key values (Changing these requires a restart)
-///
 #[derive(Debug, Clone, Deserialize)]
 pub struct AuthAPIKey {
-    pub valid_keys: Vec<String>,
+    pub valid_keys: HashMap<String, PasswordHash>,
+    pub key_id_source: Option<TokenSource>,
     pub token_source: TokenSource,
+    #[serde(default = "unauthorized_error_response")]
     pub error_response: ErrorResponse,
 }
+fn unauthorized_error_response() -> ErrorResponse {
+    ErrorResponse::unauthorized()
+}
 #[async_trait]
 impl MiddlewareLayer for AuthAPIKey {
     async fn before(
         &self,
         req: HttpRequest,
-        _context: &mut RequestContext,
+        _context: &mut HttpRequestContext,
     ) -> Result<Either<HttpRequest, HttpResponse>> {
-        let submitted_value = match &self.token_source {
+        if let Some(submitted_key) = match &self.token_source {
             TokenSource::Header { name, prefix } => {
                 if let Some(header) = req.header(name) {
                     if let Some(prefix) = prefix {
@@ -41,18 +50,38 @@ impl MiddlewareLayer for AuthAPIKey {
                 }
             }
             TokenSource::Query(query_name) => req.query_param(query_name),
-        };
-        if !self
-            .valid_keys
-            .iter()
-            .any(|key| submitted_value.is_some_and(|sv| sv == key))
-        {
-            Ok(Either::Right(
-                self.error_response.to_http_response(&req).await,
-            ))
-        } else {
-            Ok(Either::Left(req))
+        } {
+            if let Some(key_id) = self.key_id_source.as_ref() {
+                let key_id = match &key_id {
+                    TokenSource::Header { name, prefix } => {
+                        if let Some(header) = req.header(name) {
+                            if let Some(prefix) = prefix {
+                                Some(header.strip_prefix(prefix).unwrap_or("").trim_ascii())
+                            } else {
+                                Some(header.trim_ascii())
+                            }
+                        } else {
+                            None
+                        }
+                    }
+                    TokenSource::Query(query_name) => req.query_param(query_name),
+                };
+                if let Some(hash) = key_id.and_then(|kid| self.valid_keys.get(kid)) {
+                    if password_hasher::verify_password_hash(submitted_key, hash).is_ok_and(|v| v) {
+                        return Ok(Either::Left(req));
+                    }
+                }
+            } else if self.valid_keys.iter().any(|(_key_id, key)| {
+                password_hasher::verify_password_hash(submitted_key, key).is_ok_and(|v| v)
+            }) {
+                return Ok(Either::Left(req));
+            }
         }
+        Ok(Either::Right(
+            self.error_response
+                .to_http_response(req.accept().into())
+                .await,
+        ))
     }
 }
 impl FromValue for AuthAPIKey {}

data/crates/itsi_server/src/server/middleware_stack/middlewares/auth_basic.rs CHANGED Viewed

@@ -9,18 +9,20 @@ use serde::{Deserialize, Serialize};
 use std::collections::HashMap;
 use std::str;
-use crate::server::{
-    itsi_service::RequestContext,
-    types::{HttpRequest, HttpResponse, RequestExt},
+use crate::{
+    server::http_message_types::{HttpRequest, HttpResponse, RequestExt},
+    services::{itsi_http_service::HttpRequestContext, password_hasher::verify_password_hash},
 };
 use super::{FromValue, MiddlewareLayer};
+type PasswordHash = String;
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct AuthBasic {
     pub realm: String,
     /// Maps usernames to passwords.
-    pub credential_pairs: HashMap<String, String>,
+    pub credential_pairs: HashMap<String, PasswordHash>,
 }
 impl AuthBasic {
@@ -40,7 +42,7 @@ impl MiddlewareLayer for AuthBasic {
     async fn before(
         &self,
         req: HttpRequest,
-        _context: &mut RequestContext,
+        _context: &mut HttpRequestContext,
     ) -> Result<Either<HttpRequest, HttpResponse>> {
         // Retrieve the Authorization header.
         let auth_header = req.header("Authorization");
@@ -69,12 +71,14 @@ impl MiddlewareLayer for AuthBasic {
         let mut parts = decoded_str.splitn(2, ':');
         let username = parts.next().unwrap_or("");
         let password = parts.next().unwrap_or("");
         match self.credential_pairs.get(username) {
-            Some(expected_password) if expected_password == password => Ok(Either::Left(req)),
-            _ => {
-                return Ok(Either::Right(self.basic_auth_failed_response()));
+            Some(expected_password_hash) => {
+                match verify_password_hash(password, expected_password_hash) {
+                    Ok(true) => Ok(Either::Left(req)),
+                    _ => Ok(Either::Right(self.basic_auth_failed_response())),
+                }
             }
+            None => Ok(Either::Right(self.basic_auth_failed_response())),
         }
     }
 }