itsi 0.1.20 → 0.2.2

data/gems/server/lib/itsi/server.rb

@@ -17,6 +17,9 @@ require_relative "http_response"
 require_relative "passfile"
 require_relative "../shell_completions/completions"
 
+require "securerandom"
+require "fileutils"
+
 module Itsi
   class Server
     extend RackInterface
@@ -26,19 +29,24 @@ module Itsi
     class << self
 
       def running?
-        !!@running
+        @running && !@running.empty?
       end
 
       def start_in_background_thread(cli_params = {}, &blk)
-        @background_thread = start(cli_params, background: true, &blk)
+        @background_threads ||= []
+        server, background_thread = start(cli_params, background: true, &blk)
+        @background_threads << background_thread
+        server
       end
 
       def start(cli_params, background: false, &blk)
         itsi_file = Itsi::Server::Config.config_file_path(cli_params[:config_file])
+        Itsi.log_debug "Constructing server #{cli_params}: #{itsi_file}"
         server = new(cli_params, itsi_file, blk)
         previous_handler = Signal.trap(:INT, :DEFAULT)
         run = lambda do
-          @running = server
+          @running ||= []
+          @running << server
 
           if cli_params[:daemonize]
             Itsi.log_info("Itsi is running in the background. Writing pid to #{Itsi::Server::Config.pid_file_path}")
@@ -47,13 +55,16 @@ module Itsi
           end
           write_pid
 
+          Itsi.log_info "Starting Itsi..."
           server.start
-          @running = nil
+          @running.delete(server)
           Signal.trap(:INT, previous_handler)
           server
         end
-        background ? Thread.new(&run) : run[]
-      rescue
+        background ? [server, Thread.new(&run)] : run[]
+      rescue Exception => e
+        Itsi.log_error e.message
+        raise e
       end
 
       def static(cli_params)
@@ -74,9 +85,11 @@ module Itsi
         end
       end
 
-      def stop_background_thread
-        @running&.stop
-        @background_thread&.join
+      def stop_background_threads
+        @running && @running.each(&:stop)
+        @background_threads&.each(&:join)
+        @background_threads = []
+        @running = []
       end
 
       def write_pid
@@ -118,7 +131,7 @@ module Itsi
 
       def passfile(options, subcmd)
         filename = options[:passfile]
-        unless filename
+        unless filename || subcmd == 'echo'
           puts "Error: passfile not set. Use --passfile option to provide a path to a file containing hashed credentials."
           puts "This file contains hashed credentials and should not be included in source control without additional protection."
           exit(1)
@@ -141,6 +154,73 @@ module Itsi
         end
       end
 
+      def unique_path(dir, filename)
+        base = File.basename(filename, ".*")
+        ext  = File.extname(filename)
+        candidate = File.join(dir, filename)
+        return candidate unless File.exist?(candidate)
+
+        i = 1
+        loop do
+          new_name = "#{base}_#{i}#{ext}"
+          candidate = File.join(dir, new_name)
+          return candidate unless File.exist?(candidate)
+          i += 1
+        end
+      end
+
+      def save_or_print(filename, content, options)
+        if options[:save_dir]
+          FileUtils.mkdir_p(options[:save_dir])
+          path = unique_path(options[:save_dir], filename)
+          File.write(path, content)
+          puts "Written to #{path}"
+        else
+          puts content
+        end
+      end
+
+      def secret(options)
+        require "openssl"
+        require "base64"
+
+        puts "Enter algorithm (one of: HS256, HS384, HS512, RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384):"
+        alg = $stdin.gets.chomp.upcase
+
+        case alg
+        when /^HS(\d+)$/
+          bits = $1.to_i
+          bytes = bits / 8
+          key = SecureRandom.random_bytes(bytes)
+          pem = Base64.strict_encode64(key)
+          content =  "=== HMAC #{bits}-bit Secret (base64) ===\n#{pem}\n"
+          save_or_print("hmac_#{bits}_secret.txt", content, options)
+
+        when /^RS/, /^PS/
+          rsa = OpenSSL::PKey::RSA.new(2048)
+          priv = rsa.to_pem
+          pub  = rsa.public_key.to_pem
+          save_or_print("rsa_private.pem", "=== RSA Private Key ===\n#{priv}", options)
+          save_or_print("rsa_public.pem",  "=== RSA Public Key ===\n#{pub}", options)
+
+        when "ES256", "ES384"
+          curve = (alg == "ES256" ? "prime256v1" : "secp384r1")
+          ec = OpenSSL::PKey::EC.new(curve)
+          ec.generate_key
+          priv = ec.to_pem
+          pub_ec = ec.dup
+          pub_ec.private_key = nil
+          pub = pub_ec.to_pem
+          save_or_print("ecdsa_private.pem", "=== ECDSA Private Key ===\n#{priv}", options)
+          save_or_print("ecdsa_public.pem",  "=== ECDSA Public Key ===\n#{pub}", options)
+
+        else
+          STDERR.puts "Unsupported algorithm: #{alg}"
+          exit 1
+        end
+      end
+
+
       def add_worker
         return unless pid = get_pid
 
@@ -160,12 +240,16 @@ module Itsi
       end
 
       def load_route_middleware_stack(cli_params)
-        Config.build_config(cli_params, Itsi::Server::Config.config_file_path(cli_params[:config_file_path]))[
-          "middleware_loader"
-          ][]
+        middleware, errors = Config.build_config(cli_params, Itsi::Server::Config.config_file_path(cli_params[:config_file_path]))
+        if errors.any?
+          puts errors
+          []
+        else
+          middleware["middleware_loader"][]
+        end
       end
 
-      def test_route(cli_params = {}, route_str)
+      def test_route(cli_params, route_str)
         matched_route = load_route_middleware_stack(cli_params).find do |route|
           route["route"] =~ route_str
         end

data/gems/server/lib/ruby_lsp/itsi/addon.rb

@@ -100,24 +100,26 @@ module RubyLsp
         end
 
         ::Itsi::Server::Config::Middleware.subclasses.each do |middleware|
-          completion_item = Interface::CompletionItem.new(
-            label: middleware.middleware_name,
-            kind: Constant::CompletionItemKind::METHOD,
-            label_details: Interface::CompletionItemLabelDetails.new(
-              detail: middleware.detail,
-              description: middleware.documentation
-            ),
-            documentation: Interface::MarkupContent.new(
-              kind: Constant::MarkupKind::MARKDOWN,
-              value: middleware.documentation
-            ),
-            insert_text: middleware.insert_text,
-            insert_text_format: Constant::InsertTextFormat::SNIPPET,
-            data: {
-              delegateCompletion: true
-            }
-          )
-          @response_builder << completion_item
+          Array(middleware.insert_text).zip(Array(middleware.detail)).each do |insert_text, detail|
+            completion_item = Interface::CompletionItem.new(
+              label: middleware.middleware_name,
+              kind: Constant::CompletionItemKind::METHOD,
+              label_details: Interface::CompletionItemLabelDetails.new(
+                detail: detail,
+                description: middleware.documentation
+              ),
+              documentation: Interface::MarkupContent.new(
+                kind: Constant::MarkupKind::MARKDOWN,
+                value: middleware.documentation
+              ),
+              insert_text: insert_text,
+              insert_text_format: Constant::InsertTextFormat::SNIPPET,
+              data: {
+                delegateCompletion: true
+              }
+            )
+            @response_builder << completion_item
+          end
         end
       end
 

data/gems/server/test/helpers/test_helper.rb

@@ -11,14 +11,21 @@ require "minitest/autorun"
 
 Minitest::Reporters.use! Minitest::Reporters::SpecReporter.new
 
-def free_bind(protocol)
-  server = TCPServer.new("0.0.0.0", 0)
-  port = server.addr[1]
-  server.close
-  "#{protocol}://0.0.0.0:#{port}"
+def free_bind(protocol="http", unix_socket: false)
+  if unix_socket
+    socket_path = "/tmp/itsi_socket_#{Process.pid}_#{rand(1000)}.sock"
+    UNIXServer.new(socket_path).close
+    protocol == 'https' ? "tls://#{socket_path}" : "unix://#{socket_path}"
+  else
+    server = TCPServer.new("0.0.0.0", 0)
+    port = server.addr[1]
+    server.close
+    "#{protocol}://0.0.0.0:#{port}"
+  end
 end
 
-def server(app: nil, protocol: "http", bind: free_bind(protocol), itsi_rb: nil, &blk)
+
+def server(app: nil, protocol: "http", bind: free_bind(protocol), itsi_rb: nil, cleanup: true, timeout: 5, &blk)
   itsi_rb ||= lambda do
     # Inline Itsi.rb
     bind bind
@@ -31,17 +38,32 @@ def server(app: nil, protocol: "http", bind: free_bind(protocol), itsi_rb: nil,
   cli_params = {}
   cli_params[:binds] = [bind] if bind
 
+  sync = Queue.new
+  cli_params[:hooks] ||= {}
+  cli_params[:hooks]["after_start"] = lambda do
+    sync.push(true)
+  end
+
   Itsi::Server.start_in_background_thread(cli_params, &itsi_rb)
+
+  sync.pop
   uri = URI(bind)
-  RequestContext.new(uri, self).instance_exec(uri, &blk)
+  # Timeout.timeout(timeout) do
+    RequestContext.new(uri, self).instance_exec(uri, &blk)
+  # end
 rescue StandardError => e
   puts e
-  puts e.message
-  puts e.backtrace.join("\n")
+  # puts e.message
+  # puts e.backtrace.join("\n")
+  raise
 ensure
-  Itsi::Server.stop_background_thread
+  Itsi::Server.stop_background_threads if cleanup
 end
 
+require 'net/http'
+require 'net_http_unix'
+require 'uri'
+
 class RequestContext
   def initialize(uri, binding)
     @uri = uri
@@ -52,39 +74,77 @@ class RequestContext
     @binding.send(method_name, *args, &block)
   end
 
-  def post(path, data)
-    Net::HTTP.post(@uri+path, data)
+  def post(path, data="", headers = {})
+    client.post(uri_for(path), data, headers)
   end
 
-  def get(path)
-    Net::HTTP.get(@uri+path)
+  def get(path, headers = {})
+    request = Net::HTTP::Get.new(uri_for(path))
+    headers.each { |k, v| request[k] = v }
+    client.request(request).body
   end
 
-  def get_resp(path)
-    Net::HTTP.get_response(@uri+path)
+  def get_resp(path, headers = {})
+    request = Net::HTTP::Get.new(uri_for(path))
+    headers.each { |k, v| request[k] = v }
+    client.request(request)
   end
 
   def head(path)
-    Net::HTTP.start(@uri.host, @uri.port) {|http|
-      http.head(path)
-    }
+    request = Net::HTTP::Head.new(uri_for(path))
+    client.request(request)
   end
 
-  def options(path)
-    Net::HTTP.start(@uri.host, @uri.port) {|http|
-      http.options(path)
-    }
+  def options(path, headers = {})
+    request = Net::HTTP::Options.new(uri_for(path))
+    headers.each { |k, v| request[k] = v }
+    client.request(request)
+  end
+
+  def put(path, data="", headers = {})
+    request = Net::HTTP::Put.new(uri_for(path))
+    request.body = data
+    headers.each { |k, v| request[k] = v }
+    client.request(request)
   end
 
-  def put(path, data)
-    Net::HTTP.put(@uri+path, data)
+  def delete(path, headers = {})
+    request = Net::HTTP::Delete.new(uri_for(path))
+    headers.each { |k, v| request[k] = v }
+    client.request(request)
   end
 
-  def delete(path)
-    Net::HTTP.delete(@uri+path)
+  def patch(path, data="", headers = {})
+    request = Net::HTTP::Patch.new(uri_for(path))
+    request.body = data
+    client.request(request)
+  end
+
+  private
+
+  def client
+    opts = {
+      read_timeout: 1,
+      open_timeout: 1
+    }
+    if @uri.scheme == 'unix'
+      NetX::HTTPUnix.new(
+        @uri.to_s,
+        **opts)
+    else
+      Net::HTTP.start(
+        @uri.host,
+        @uri.port,
+        use_ssl: @uri.scheme == 'https',
+        **opts)
+    end
   end
 
-  def patch(path, data)
-    Net::HTTP.patch(@uri+path, data)
+  def uri_for(path)
+    if @uri.scheme == 'unix'
+      URI::HTTP.build(path: path, host: "localhost")
+    else
+      URI.join(@uri.to_s, path)
+    end
   end
 end

data/gems/server/test/middleware/allow_list.rb

@@ -0,0 +1,128 @@
+# test_allow_list.rb
+require_relative "../helpers/test_helper"
+
+class TestAllowList < Minitest::Test
+  # 1. Single‐pattern: only localhost is allowed
+  def test_single_pattern_allows_and_denies
+    server(
+      itsi_rb: lambda do
+        allow_list allowed_patterns: ["^127\\.0\\.0\\.1$"]
+        get("/foo") { |r| r.ok "allowed" }
+      end
+    ) do
+      # Our test client always comes from 127.0.0.1
+      res1 = get_resp("/foo")
+      assert_equal "200", res1.code
+      assert_equal "allowed", res1.body
+
+      # If we change the pattern so it no longer matches, 127.0.0.1 is now forbidden
+      server(
+        itsi_rb: lambda do
+          allow_list allowed_patterns: ["^10\\.0\\."]
+          get("/foo") { |r| r.ok "never" }
+        end
+      ) do
+        res2 = get_resp("/foo")
+        assert_equal "403", res2.code
+      end
+    end
+  end
+
+  # 2. Multiple‐pattern: localhost or 192.168.x.x
+  def test_multiple_patterns
+    server(
+      itsi_rb: lambda do
+        allow_list allowed_patterns: ["^127\\.0\\.0\\.1$", "^192\\.168\\."]
+        get("/ping") { |r| r.ok "pong" }
+      end
+    ) do
+      # localhost matches first pattern
+      res1 = get_resp("/ping")
+      assert_equal "200", res1.code
+      assert_equal "pong", res1.body
+
+      # If we restrict to only 192.168.*, localhost becomes forbidden
+      server(
+        itsi_rb: lambda do
+          allow_list allowed_patterns: ["^192\\.168\\."]
+          get("/ping") { |r| r.ok "never" }
+        end
+      ) do
+        res2 = get_resp("/ping")
+        assert_equal "403", res2.code
+      end
+    end
+  end
+
+  # 3. Custom error_response
+  def test_custom_error_response
+    server(
+      itsi_rb: lambda do
+        allow_list \
+          allowed_patterns: ["^192\\.168\\."],  # localhost no longer matches
+          error_response: {
+            code: 403,
+            plaintext: { inline: "No access" },
+            default: "plaintext"
+          }
+        get("/x") { |r| r.ok "never" }
+      end
+    ) do
+      res = get_resp("/x")
+      assert_equal "403", res.code
+      assert_equal "No access", res.body
+    end
+  end
+
+  # 4. Trusted proxies: extract client IP from header if proxy is trusted
+   def test_trusted_proxy_allows_based_on_header
+     server(
+       itsi_rb: lambda do
+         allow_list \
+           allowed_patterns: ["^203\\.0\\.113\\.7$"],  # only allow this client IP
+           trusted_proxies: {
+             "127.0.0.1" => { header: { name: "X-Forwarded-For" } }
+           }
+         get("/trusted") { |r| r.ok "trusted" }
+       end
+     ) do
+       res = get_resp("/trusted", { "X-Forwarded-For" => "203.0.113.7" })
+       assert_equal "200", res.code
+       assert_equal "trusted", res.body
+     end
+   end
+
+   def test_trusted_proxy_denies_if_forwarded_ip_does_not_match
+     server(
+       itsi_rb: lambda do
+         allow_list \
+           allowed_patterns: ["^203\\.0\\.113\\.7$"],  # only allow this
+           trusted_proxies: {
+             "127.0.0.1" => { header: { name: "X-Forwarded-For" } }
+           }
+         get("/trusted") { |r| r.ok "nope" }
+       end
+     ) do
+       # Send a forwarded IP that doesn't match the allow list
+       res = get_resp("/trusted", { "X-Forwarded-For" => "192.0.2.55" })
+       assert_equal "403", res.code
+     end
+   end
+
+   def test_untrusted_proxy_ignores_forwarded_ip
+     server(
+       itsi_rb: lambda do
+         allow_list \
+           allowed_patterns: ["^203\\.0\\.113\\.7$"],  # client IP matches, but header is ignored
+           trusted_proxies: {
+             "10.0.0.1" => { header: { name: "X-Forwarded-For" } } # current proxy (127.0.0.1) is not trusted
+           }
+         get("/trusted") { |r| r.ok "never" }
+       end
+     ) do
+       res = get_resp("/trusted", { "X-Forwarded-For" => "203.0.113.7" })
+       # Since proxy is untrusted, header is ignored, and 127.0.0.1 is checked (not allowed)
+       assert_equal "403", res.code
+     end
+   end
+end

data/gems/server/test/middleware/auth_api_key.rb

@@ -0,0 +1,141 @@
+require_relative "../helpers/test_helper"
+
+class TestAuthApiKey < Minitest::Test
+
+  # 1. Anonymous inline keys: valid secret in Authorization header
+  def test_anonymous_inline_success
+    server(
+      itsi_rb: lambda do
+        auth_api_key valid_keys: [
+          Itsi.create_password_hash("supersecret", "sha256")
+        ]
+        get("/foo") {|r| r.ok "ok" }
+      end
+    ) do
+      res = get_resp("/foo", { "Authorization" => "Bearer supersecret" })
+
+      assert_equal "200", res.code
+      assert_equal "ok", res.body
+    end
+  end
+
+  # 2. Anonymous inline: missing token → 401
+  def test_anonymous_inline_missing
+    server(
+      itsi_rb: lambda do
+        auth_api_key valid_keys: [Itsi.create_password_hash("supersecret", "sha256")]
+        get("/foo") {|r| r.ok "never" }
+      end
+    ) do
+      res = get_resp("/foo")
+      assert_equal "401", res.code
+    end
+  end
+
+  # 3. Identified inline keys: need both ID header and Bearer token
+  def test_identified_inline_success
+    key_id = "Key-1"
+    server(
+      itsi_rb: lambda do
+        auth_api_key valid_keys: { "#{key_id}" => Itsi.create_password_hash("supersecret", "sha256") }
+        get("/bar") {|r| r.ok "bar OK" }
+      end
+    ) do
+      headers = {
+        "X-Api-Key-Id" => key_id,
+        "Authorization" => "Bearer supersecret"
+      }
+      res = get_resp("/bar", headers)
+      assert_equal "200", res.code
+      assert_equal "bar OK", res.body
+    end
+  end
+
+  # 4. Identified inline: wrong ID → 401
+  def test_identified_inline_wrong_id
+    key_id = "Key-1"
+    server(
+      itsi_rb: lambda do
+        auth_api_key valid_keys: { "#{key_id}" => Itsi.create_password_hash("supersecret", "sha256") }
+        get("/bar") {|r| r.ok "never" }
+      end
+    ) do
+      headers = { "X-Api-Key-Id" => "bad", "Authorization" => "Bearer supersecret" }
+      res = get_resp("/bar", headers)
+      assert_equal "401", res.code
+    end
+  end
+
+  # 5. Custom token_source/query param
+  def test_custom_token_source_query
+    server(
+      itsi_rb: lambda do
+        auth_api_key \
+          valid_keys: [Itsi.create_password_hash("supersecret", "sha256")],
+          token_source: { query: "api_key" }
+        get("/q") {|r| r.ok "qok" }
+      end
+    ) do
+      res = get_resp("/q?api_key=supersecret")
+      assert_equal "200", res.code
+      assert_equal "qok", res.body
+    end
+  end
+
+  # 6. Custom key_id_source/query param
+  def test_custom_key_id_source_query
+    server(
+      itsi_rb: lambda do
+        auth_api_key \
+          valid_keys: { "#{@id1}" => Itsi.create_password_hash("supersecret", "sha256") },
+          key_id_source: { query: "kid" }
+        get("/q") {|r| r.ok "qok" }
+      end
+    ) do
+      res = get_resp("/q?kid=#{@id1}", { "Authorization" => "Bearer supersecret" })
+      assert_equal "200", res.code
+      assert_equal "qok", res.body
+    end
+  end
+
+  # 7. Custom error_response override
+  def test_custom_error_response
+    server(
+      itsi_rb: lambda do
+        auth_api_key \
+          valid_keys: [Itsi.create_password_hash("supersecret", "sha256") ],
+          error_response: { code: 403,
+                            plaintext: { inline: "nope" },
+                            default: "plaintext" }
+        get("/x") {|r| r.ok "never" }
+      end
+    ) do
+      res = get_resp("/x")
+      assert_equal "403", res.code
+      assert_equal "nope", res.body
+    end
+  end
+
+  # 8. Scoped to a location path
+  def test_scoped_to_location
+    server(
+      itsi_rb: lambda do
+        location "/admin/*" do
+          auth_api_key valid_keys: [Itsi.create_password_hash("supersecret", "sha256") ]
+        end
+        get("/admin/secret") {|r| r.ok "adm ok" }
+        get("/public") {|r| r.ok "pub ok" }
+      end
+    ) do
+      # Unprotected
+      r1 = get_resp("/public")
+      assert_equal "200", r1.code
+      # Protected
+      r2 = get_resp("/admin/secret")
+      assert_equal "401", r2.code
+      # Then with key
+      r3 = get_resp("/admin/secret", { "Authorization" => "Bearer supersecret" })
+      assert_equal "200", r3.code
+    end
+  end
+end