itsi 0.1.14 → 0.1.18

data/crates/itsi_server/src/services/mod.rs

@@ -0,0 +1,6 @@
+pub mod cache_store;
+pub mod itsi_http_service;
+pub mod mime_types;
+pub mod password_hasher;
+pub mod rate_limiter;
+pub mod static_file_server;

data/crates/itsi_server/src/services/password_hasher.rs

@@ -0,0 +1,83 @@
+use argon2::{
+    password_hash::{rand_core::OsRng, PasswordHasher, PasswordVerifier, SaltString},
+    Argon2, PasswordHash,
+};
+
+use itsi_error::ItsiError;
+use magnus::{error::Result, Value};
+use serde::Deserialize;
+use serde_magnus::deserialize;
+use sha_crypt::{
+    sha256_check, sha256_simple, sha512_check, sha512_simple, Sha256Params, Sha512Params,
+};
+
+#[derive(Debug, Deserialize)]
+pub enum HashAlgorithm {
+    #[serde(rename(deserialize = "bcrypt"))]
+    Bcrypt,
+    #[serde(rename(deserialize = "sha256"))]
+    Sha256Crypt,
+    #[serde(rename(deserialize = "sha512"))]
+    Sha512Crypt,
+    #[serde(rename(deserialize = "argon2"))]
+    Argon2,
+    #[serde(rename(deserialize = "none"))]
+    None,
+}
+
+pub fn create_password_hash(password: String, algo: Value) -> Result<String> {
+    let hash_algorithm: HashAlgorithm = deserialize(algo)?;
+    match hash_algorithm {
+        HashAlgorithm::Bcrypt => {
+            // Use the bcrypt crate for password hashing.
+            bcrypt::hash(&password, bcrypt::DEFAULT_COST)
+                .map_err(ItsiError::new)
+                .map(Ok)?
+        }
+        HashAlgorithm::Sha256Crypt => {
+            let params = Sha256Params::new(1000).unwrap();
+            let hash = sha256_simple(&password, &params)
+                .map_err(|_| ItsiError::new("SHA256 hashing failed"))?;
+            Ok(hash)
+        }
+        HashAlgorithm::Sha512Crypt => {
+            let params = Sha512Params::new(1000).unwrap();
+            let hash = sha512_simple(&password, &params)
+                .map_err(|_| ItsiError::new("SHA512 hashing failed"))?;
+            Ok(hash)
+        }
+        HashAlgorithm::Argon2 => {
+            let salt = SaltString::generate(&mut OsRng);
+            let argon2 = Argon2::default();
+            let password_hash = argon2
+                .hash_password(password.as_bytes(), &salt)
+                .map_err(|_| ItsiError::new("Argon2 hashing failed"))?
+                .to_string();
+            Ok(password_hash)
+        }
+        HashAlgorithm::None => Ok(format!("$none${}", password)),
+    }
+}
+
+pub fn verify_password_hash(password: &str, hash: &str) -> Result<bool> {
+    if hash.starts_with("$2a$") || hash.starts_with("$2b$") || hash.starts_with("$2y$") {
+        Ok(bcrypt::verify(password, hash).map_err(ItsiError::new)?)
+    } else if hash.starts_with("$5$") {
+        Ok(sha256_check(password, hash).is_ok())
+    } else if hash.starts_with("$6$") {
+        Ok(sha512_check(password, hash).is_ok())
+    } else if hash.starts_with("$argon2") {
+        let parsed_hash =
+            PasswordHash::new(hash).map_err(|_| ItsiError::new("Argon2 hash parsing failed"))?;
+        Ok(Argon2::default()
+            .verify_password(password.as_bytes(), &parsed_hash)
+            .is_ok())
+    } else if hash
+        .strip_prefix("$none$")
+        .is_some_and(|stripped| stripped == password)
+    {
+        Ok(true)
+    } else {
+        Err(ItsiError::new("Unsupported hash algorithm").into())
+    }
+}

data/crates/itsi_server/src/{server → services}/rate_limiter.rs

@@ -14,10 +14,9 @@ use url::Url;
 #[derive(Debug)]
 pub enum RateLimitError {
     RedisError(RedisError),
-    RateLimitExceeded { limit: u64, count: u64 },
+    RateLimitExceeded { limit: u64, count: u64, ttl: u64 },
     LockError,
     ConnectionTimeout,
-    // Other error variants as needed.
 }
 
 impl From<RedisError> for RateLimitError {
@@ -30,8 +29,8 @@ impl std::fmt::Display for RateLimitError {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
         match self {
             RateLimitError::RedisError(e) => write!(f, "Redis error: {}", e),
-            RateLimitError::RateLimitExceeded { limit, count } => {
-                write!(f, "Rate limit exceeded: {}/{}", count, limit)
+            RateLimitError::RateLimitExceeded { limit, count, ttl } => {
+                write!(f, "Rate limit exceeded: {}/{} (ttl: {})", count, limit, ttl)
             }
             RateLimitError::LockError => write!(f, "Failed to acquire lock"),
             RateLimitError::ConnectionTimeout => write!(f, "Connection timeout"),
@@ -46,7 +45,7 @@ pub trait RateLimiter: Send + Sync + std::fmt::Debug {
     /// Returns the new counter value.
     ///
     /// If the operation fails, returns Ok(0) to fail open.
-    async fn increment(&self, key: &str, timeout: Duration) -> Result<u64, RateLimitError>;
+    async fn increment(&self, key: &str, timeout: Duration) -> Result<(u64, u64), RateLimitError>;
 
     /// Checks if the rate limit is exceeded for the given key.
     /// Returns Ok(current_count) if not exceeded, or Err(RateLimitExceeded) if exceeded.
@@ -58,7 +57,7 @@ pub trait RateLimiter: Send + Sync + std::fmt::Debug {
         key: &str,
         limit: u64,
         timeout: Duration,
-    ) -> Result<u64, RateLimitError>;
+    ) -> Result<(u64, u64), RateLimitError>;
 
     /// Returns self as Any for downcasting
     fn as_any(&self) -> &dyn Any;
@@ -99,15 +98,9 @@ impl RedisRateLimiter {
                 "Invalid Redis URL format",
             ))));
         }
-
-        // Create a Redis client
         let client = Client::open(connection_url).map_err(RateLimitError::RedisError)?;
-
-        // Use tokio timeout to prevent hanging on connection attempt
         let connection_manager_result =
             timeout(CONNECTION_TIMEOUT, ConnectionManager::new(client)).await;
-
-        // Handle timeout and connection errors
         let connection_manager = match connection_manager_result {
             Ok(result) => result.map_err(RateLimitError::RedisError)?,
             Err(_) => return Err(RateLimitError::ConnectionTimeout),
@@ -120,7 +113,7 @@ impl RedisRateLimiter {
             if redis.call('TTL', KEYS[1]) < 0 then
                 redis.call('EXPIRE', KEYS[1], ARGV[1])
             end
-            return current
+            return { current, ttl }
             "#,
         );
 
@@ -172,7 +165,7 @@ impl RedisRateLimiter {
 
 #[async_trait]
 impl RateLimiter for RedisRateLimiter {
-    async fn increment(&self, key: &str, timeout: Duration) -> Result<u64, RateLimitError> {
+    async fn increment(&self, key: &str, timeout: Duration) -> Result<(u64, u64), RateLimitError> {
         let timeout_secs = timeout.as_secs();
         let mut connection = (*self.connection).clone();
 
@@ -184,11 +177,11 @@ impl RateLimiter for RedisRateLimiter {
             .invoke_async(&mut connection)
             .await
         {
-            Ok(value) => Ok(value),
+            Ok((count, ttl)) => Ok((count, ttl)),
             Err(err) => {
                 // Log the error but return 0 to fail open
                 tracing::warn!("Redis rate limit error: {}", err);
-                Ok(0)
+                Ok((0, timeout_secs))
             }
         }
     }
@@ -198,12 +191,14 @@ impl RateLimiter for RedisRateLimiter {
         key: &str,
         limit: u64,
         timeout: Duration,
-    ) -> Result<u64, RateLimitError> {
+    ) -> Result<(u64, u64), RateLimitError> {
         match self.increment(key, timeout).await {
-            Ok(count) if count <= limit => Ok(count),
-            Ok(count) if count > limit => Err(RateLimitError::RateLimitExceeded { limit, count }),
+            Ok((count, ttl)) if count <= limit => Ok((count, ttl)),
+            Ok((count, ttl)) if count > limit => {
+                Err(RateLimitError::RateLimitExceeded { limit, count, ttl })
+            }
             // For any error or other case, fail open
-            _ => Ok(0),
+            _ => Ok((0, timeout.as_secs())),
         }
     }
 
@@ -297,10 +292,8 @@ impl Default for InMemoryRateLimiter {
 
 #[async_trait]
 impl RateLimiter for InMemoryRateLimiter {
-    async fn increment(&self, key: &str, timeout: Duration) -> Result<u64, RateLimitError> {
-        // Periodically clean up expired entries
+    async fn increment(&self, key: &str, timeout: Duration) -> Result<(u64, u64), RateLimitError> {
         if rand::rng().random_bool(0.01) {
-            // 1% chance on each call
             self.cleanup().await;
         }
 
@@ -315,11 +308,20 @@ impl RateLimiter for InMemoryRateLimiter {
                 expires_at: now + timeout,
             });
 
-        // Update expiry time if it's an existing entry
-        entry.expires_at = now + timeout;
-        entry.count += 1;
+        if entry.expires_at < now {
+            entry.expires_at = now + timeout;
+            entry.count = 1;
+        } else {
+            entry.count += 1;
+        }
+
+        let ttl = if entry.expires_at > now {
+            entry.expires_at.duration_since(now).as_secs()
+        } else {
+            0
+        };
 
-        Ok(entry.count)
+        Ok((entry.count, ttl))
     }
 
     async fn check_limit(
@@ -327,12 +329,14 @@ impl RateLimiter for InMemoryRateLimiter {
         key: &str,
         limit: u64,
         timeout: Duration,
-    ) -> Result<u64, RateLimitError> {
+    ) -> Result<(u64, u64), RateLimitError> {
         match self.increment(key, timeout).await {
-            Ok(count) if count <= limit => Ok(count),
-            Ok(count) if count > limit => Err(RateLimitError::RateLimitExceeded { limit, count }),
+            Ok((count, ttl)) if count <= limit => Ok((count, ttl)),
+            Ok((count, ttl)) if count > limit => {
+                Err(RateLimitError::RateLimitExceeded { limit, count, ttl })
+            }
             // For any error or other case, fail open
-            _ => Ok(0),
+            _ => Ok((0, timeout.as_secs())),
         }
     }