itsi 0.1.20 → 0.2.2

data/gems/server/test/middleware/auth_basic.rb

@@ -0,0 +1,91 @@
+require_relative "../helpers/test_helper"
+
+class TestAuthBasic < Minitest::Test
+
+
+  # 1. Inline credentials success
+  def test_inline_success
+    server(
+      itsi_rb: lambda do
+        auth_basic realm: "Admin", credential_pairs: { "alice" => Itsi.create_password_hash("wonderland", "sha256") }
+        get("/secure") {|r| r.ok "hello" }
+      end
+    ) do
+      hdr = { "Authorization" => "Basic #{["alice:wonderland"].pack("m0")}" }
+      res = get_resp("/secure", hdr)
+      assert_equal "200", res.code
+      assert_equal "hello", res.body
+    end
+  end
+
+  # 2. Missing credentials → 401 + WWW-Authenticate header
+  def test_missing_credentials
+    server(
+      itsi_rb: lambda do
+        auth_basic realm: "Admin", credential_pairs: { "alice" => Itsi.create_password_hash("wonderland", "sha256") }
+        get("/secure") {|r| r.ok "never" }
+      end
+    ) do
+      res = get_resp("/secure")
+      assert_equal "401", res.code
+      assert_match /Basic realm="Admin"/, res["WWW-Authenticate"]
+    end
+  end
+
+  # 3. Invalid credentials → 401
+  def test_invalid_credentials
+    server(
+      itsi_rb: lambda do
+        auth_basic realm: "Area", credential_pairs: { "alice" => Itsi.create_password_hash("wonderland", "sha256") }
+        get("/secure") {|r| r.ok "never" }
+      end
+    ) do
+      bad = ["bob:wrong"].pack("m0")
+      res = get_resp("/secure", { "Authorization" => "Basic #{bad}" })
+      assert_equal "401", res.code
+    end
+  end
+
+  # 4. Load from credentials_file
+  def test_credentials_file
+    Dir.mktmpdir do |dir|
+      Dir.chdir("#{dir}") do
+        path = File.join(dir, ".itsi-credentials")
+        File.write(path, "alice:#{Itsi.create_password_hash("wonderland", "sha256")}\n")
+        server(
+          itsi_rb: lambda do
+            auth_basic  # default will load .itsi-credentials
+            get("/a") {|r| r.ok "ok" }
+          end
+        ) do
+          hdr = { "Authorization" => "Basic #{["alice:wonderland"].pack("m0")}" }
+          res = get_resp("/a", hdr)
+          assert_equal "200", res.code
+        end
+      end
+    end
+  end
+
+  # 5. Apply to sub-path only
+  def test_scoped_to_location
+    server(
+      itsi_rb: lambda do
+        location "/admin/*" do
+          auth_basic realm: "Adm", credential_pairs: { "alice" => Itsi.create_password_hash("wonderland", "sha256") }
+        end
+        get("/admin/yes") {|r| r.ok "y"}
+        get("/no")        {|r| r.ok "n"}
+      end
+    ) do
+      # outside
+      assert_equal "n", get_resp("/no").body
+      # inside, need auth
+      res1 = get_resp("/admin/yes")
+      assert_equal "401", res1.code
+      # then with creds
+      hdr = { "Authorization" => "Basic #{["alice:wonderland"].pack("m0")}" }
+      res2 = get_resp("/admin/yes", hdr)
+      assert_equal "200", res2.code
+    end
+  end
+end

data/gems/server/test/middleware/auth_jwt.rb

@@ -0,0 +1,214 @@
+require_relative "../helpers/test_helper"
+require "jwt"
+require "openssl"
+require "securerandom"
+require "base64"
+
+class TestAuthJwt < Minitest::Test
+  ALGORITHMS = {
+    "HS256" => -> {
+      secret = Base64.strict_encode64(SecureRandom.random_bytes(32))
+      verifier = secret
+      signer  = Base64.decode64(secret)
+      [verifier, signer]
+    },
+    "HS384" => -> {
+      secret = Base64.strict_encode64(SecureRandom.random_bytes(48))
+      [secret, Base64.decode64(secret)]
+    },
+    "HS512" => -> {
+      secret = Base64.strict_encode64(SecureRandom.random_bytes(64))
+      [secret, Base64.decode64(secret)]
+    },
+    "RS256" => -> {
+      rsa = OpenSSL::PKey::RSA.new(2048)
+      [rsa.public_key.to_pem, rsa]
+    },
+    "RS384" => -> {
+      rsa = OpenSSL::PKey::RSA.new(2048)
+      [rsa.public_key.to_pem, rsa]
+    },
+    "RS512" => -> {
+      rsa = OpenSSL::PKey::RSA.new(2048)
+      [rsa.public_key.to_pem, rsa]
+    },
+    "PS256" => -> {
+      rsa = OpenSSL::PKey::RSA.new(2048)
+      [rsa.public_key.to_pem, rsa]
+    },
+    "PS384" => -> {
+      rsa = OpenSSL::PKey::RSA.new(2048)
+      [rsa.public_key.to_pem, rsa]
+    },
+    "PS512" => -> {
+      rsa = OpenSSL::PKey::RSA.new(2048)
+      [rsa.public_key.to_pem, rsa]
+    },
+    "ES256" => -> {
+      private_key = OpenSSL::PKey::EC.generate("prime256v1")
+      asn1 = OpenSSL::ASN1::Sequence(
+          [
+            OpenSSL::ASN1::Sequence(
+              [
+                OpenSSL::ASN1::ObjectId("id-ecPublicKey"),
+                OpenSSL::ASN1::ObjectId(private_key.public_key.group.curve_name)
+              ]
+            ),
+            OpenSSL::ASN1::BitString(private_key.public_key.to_octet_string(:uncompressed))
+          ]
+        )
+      public_key = OpenSSL::PKey::EC.new(asn1.to_der)
+      [public_key.to_pem, private_key]
+    },
+    "ES384" => -> {
+      private_key = OpenSSL::PKey::EC.generate("secp384r1")
+      asn1 = OpenSSL::ASN1::Sequence(
+          [
+            OpenSSL::ASN1::Sequence(
+              [
+                OpenSSL::ASN1::ObjectId("id-ecPublicKey"),
+                OpenSSL::ASN1::ObjectId(private_key.public_key.group.curve_name)
+              ]
+            ),
+            OpenSSL::ASN1::BitString(private_key.public_key.to_octet_string(:uncompressed))
+          ]
+        )
+      public_key = OpenSSL::PKey::EC.new(asn1.to_der)
+      [public_key.to_pem, private_key]
+    }
+  }
+
+  # 1. Missing token → 401
+  def test_missing_token
+    server(
+      itsi_rb: lambda do
+        auth_jwt verifiers: { "HS256" => ["Zm9v"] }
+        get("/j") { |r| r.ok "j" }
+      end
+    ) do
+      res = get_resp("/j")
+      assert_equal "401", res.code
+    end
+  end
+
+  # 2. Invalid token → 401
+  def test_invalid_token
+    server(
+      itsi_rb: lambda do
+        auth_jwt verifiers: { "HS256" => ["Zm9v"] }
+        get("/j") { |r| r.ok "j" }
+      end
+    ) do
+      res = get_resp("/j", { "Authorization" => "Bearer invalid.token" })
+      assert_equal "401", res.code
+    end
+
+  end
+
+  # Dynamically define one test per algorithm
+  ALGORITHMS.each do |alg, gen|
+    define_method("test_#{alg.downcase}_success") do
+      verifier, signer = gen.call
+      # build a minimal payload
+      payload = { "sub" => "user", "aud" => "aud1", "iss" => "iss1", "iat" => Time.now.to_i, exp: Time.now.to_i + 10 }
+      token = JWT.encode(payload, signer, alg)
+      server(
+        itsi_rb: lambda do
+          auth_jwt verifiers: { alg => [verifier] }
+          get("/#{alg.downcase}") { |r| r.ok alg }
+        end
+      ) do
+        res = get_resp("/#{alg.downcase}", { "Authorization" => "Bearer #{token}" })
+        assert_equal "200", res.code, "#{alg} should verify successfully"
+        assert_equal alg, res.body
+      end
+    end
+  end
+
+  # 5. Audience restriction
+  def test_audience_restriction
+    verifier, signer = ALGORITHMS["HS256"].call
+    payload = { "aud" => "good", exp: Time.now.to_i + 10 }
+    token   = JWT.encode(payload, signer, "HS256")
+    server(
+      itsi_rb: lambda do
+        auth_jwt verifiers: { "HS256" => [verifier] }, audiences: ["good"]
+        get("/a") { |r| r.ok "ok" }
+      end
+    ) do
+      res1 = get_resp("/a", { "Authorization" => "Bearer #{token}" })
+      assert_equal "200", res1.code
+      # wrong audience
+      bad = JWT.encode({ "aud" => "bad" }, signer, "HS256")
+      res2 = get_resp("/a", { "Authorization" => "Bearer #{bad}" })
+      assert_equal "401", res2.code
+    end
+  end
+
+  # 6. Subject & issuer restrictions
+  def test_subject_and_issuer
+    verifier, signer = ALGORITHMS["HS256"].call
+    payload = { "sub" => "mysub", "iss" => "myiss", exp: Time.now.to_i + 10 }
+    token   = JWT.encode(payload, signer, "HS256")
+    server(
+      itsi_rb: lambda do
+        auth_jwt verifiers: { "HS256" => [verifier] },
+                 subjects: ["mysub"], issuers: ["myiss"]
+        get("/si") { |r| r.ok "si" }
+      end
+    ) do
+      res = get_resp("/si", { "Authorization" => "Bearer #{token}" })
+      assert_equal "200", res.code
+    end
+  end
+
+  # 7. Custom token_source query
+  def test_custom_token_source_query
+    verifier, signer = ALGORITHMS["HS256"].call
+    token = JWT.encode({exp: Time.now.to_i + 10}, signer, "HS256")
+    server(
+      itsi_rb: lambda do
+        auth_jwt verifiers: { "HS256" => [verifier] }, token_source: { query: "jwt" }
+        get("/") { |r| r.ok "root" }
+      end
+    ) do
+      res = get_resp("/?jwt=#{token}")
+      assert_equal "200", res.code
+    end
+  end
+
+  # 8. Leeway works for 'exp' skew
+  def test_leeway_exp
+    verifier, signer = ALGORITHMS["HS256"].call
+    expired_iat = Time.now.to_i - 120
+    token = JWT.encode({ "exp" => expired_iat }, signer, "HS256")
+    server(
+      itsi_rb: lambda do
+        auth_jwt verifiers: { "HS256" => [verifier] }, leeway: 300
+        get("/") { |r| r.ok "ok" }
+      end
+    ) do
+      res = get_resp("/", { "Authorization" => "Bearer #{token}" })
+      assert_equal "200", res.code
+    end
+  end
+
+  # 9. Scoped to location
+  def test_scoped_to_location
+    verifier, signer = ALGORITHMS["HS256"].call
+    token = JWT.encode({exp: Time.now.to_i + 10}, signer, "HS256")
+    server(
+      itsi_rb: lambda do
+        location "/api/*" do
+          auth_jwt verifiers: { "HS256" => [verifier] }
+          get("x") { |r| r.ok "x" }
+        end
+        get("/public") { |r| r.ok "p" }
+      end
+    ) do
+      assert_equal "p", get_resp("/public").body
+      assert_equal "401", get_resp("/api/x").code
+      assert_equal "x", get_resp("/api/x", { "Authorization" => "Bearer #{token}" }).body
+    end
+  end
+end

data/gems/server/test/middleware/cache_control.rb

@@ -0,0 +1,82 @@
+require_relative "../helpers/test_helper"
+
+require_relative "../helpers/test_helper"
+
+class TestCacheControl < Minitest::Test
+  def test_cache_control_headers_are_set
+    server(
+      itsi_rb: lambda do
+        cache_control \
+          max_age: 3600,
+          public: true,
+          vary: ["Accept-Encoding"],
+          additional_headers: { "X-Custom-Header" => "HIT" }
+        get("/foo") { |r| r.ok "content" }
+      end
+    ) do
+      require 'debug'
+      res = get_resp("/foo")
+      # Check that the Cache-Control header is present and contains required directives
+      assert_includes res["Cache-Control"], "public"
+      assert_includes res["Cache-Control"], "max-age=3600"
+
+      # Check that the Expires header exists and is a valid HTTP date string
+      assert res.key?("Expires"), "Expires header should be present"
+      # A basic check: the Expires header should include a comma and a GMT designation
+      assert_match /GMT/, res["Expires"]
+
+      # Check that the Vary header is set correctly
+      assert_equal "Accept-Encoding", res["Vary"]
+
+      # Check that additional custom header is set
+      assert_equal "HIT", res["X-Custom-Header"]
+    end
+  end
+
+  def test_cache_control_not_set_for_error_statuses
+    server(
+      itsi_rb: lambda do
+        cache_control max_age: 3600, public: true
+        get("/foo") { |r| r.respond("error", 500) }
+      end
+    ) do
+      res = get_resp("/foo")
+      refute res.key?("Cache-Control"), "Cache-Control should not be set for 500 errors"
+      refute res.key?("Expires"), "Expires should not be set for 500 errors"
+    end
+  end
+
+  def test_cache_control_s_max_age_and_stale_directives
+    server(
+      itsi_rb: lambda do
+        cache_control \
+          max_age: 3600,
+          s_max_age: 1800,
+          stale_while_revalidate: 30,
+          stale_if_error: 60,
+          private: true
+        get("/foo") { |r| r.ok "some content" }
+      end
+    ) do
+      res = get_resp("/foo")
+      cc = res["Cache-Control"]
+      assert_includes cc, "private"
+      assert_includes cc, "s-maxage=1800"
+      assert_includes cc, "stale-while-revalidate=30"
+      assert_includes cc, "stale-if-error=60"
+    end
+  end
+
+  def test_cache_control_set_without_optional_fields
+    server(
+      itsi_rb: lambda do
+        cache_control public: true
+        get("/foo") { |r| r.ok "minimal" }
+      end
+    ) do
+      res = get_resp("/foo")
+      cc = res["Cache-Control"]
+      assert_includes cc, "public"
+    end
+  end
+end

data/gems/server/test/middleware/cidr_to_regex.rb

@@ -0,0 +1,46 @@
+require 'minitest/autorun'
+require 'ipaddr'
+
+class TestCidrToRegex < Minitest::Test
+  include Itsi::Server::CidrToRegex
+
+  def test_simple_cidr
+    regex = cidr_to_regex("192.168.1.0/24")
+    assert_match regex, "192.168.1.0"
+    assert_match regex, "192.168.1.255"
+    refute_match regex, "192.168.2.0"
+  end
+
+  def test_class_b_cidr
+    regex = cidr_to_regex("10.1.0.0/16")
+    assert_match regex, "10.1.0.1"
+    assert_match regex, "10.1.255.255"
+    refute_match regex, "10.2.0.0"
+  end
+
+  def test_class_a_cidr
+    regex = cidr_to_regex("10.0.0.0/8")
+    assert_match regex, "10.255.255.255"
+    refute_match regex, "11.0.0.0"
+  end
+
+  def test_tiny_range
+    regex = cidr_to_regex("127.0.0.0/30")
+    assert_match regex, "127.0.0.0"
+    assert_match regex, "127.0.0.3"
+    refute_match regex, "127.0.0.4"
+  end
+
+  def test_single_ip
+    regex = cidr_to_regex("8.8.8.8/32")
+    assert_match regex, "8.8.8.8"
+    refute_match regex, "8.8.8.9"
+  end
+
+  def test_edge_case_lower_bound
+    regex = cidr_to_regex("0.0.0.0/8")
+    assert_match regex, "0.0.0.0"
+    assert_match regex, "0.255.255.255"
+    refute_match regex, "1.0.0.0"
+  end
+end

data/gems/server/test/middleware/compression.rb

@@ -0,0 +1,89 @@
+require_relative "../helpers/test_helper"
+class TestCompression < Minitest::Test
+
+  def test_supports_compression
+    require 'zlib'
+    require 'stringio'
+
+    payload = "I will be gzip compressed"
+    server(
+      itsi_rb: lambda do
+        compress min_size: 0
+        get("/foo"){|r| r.ok payload}
+      end) do
+        string_io = StringIO.new(get("/foo", {"Accept-Encoding" => "gzip"}))
+        gzip_reader = Zlib::GzipReader.new(string_io)
+        decompressed = gzip_reader.read
+        gzip_reader.close
+        assert_equal payload, decompressed
+    end
+  end
+
+  def test_supports_compression_size_limit
+    require 'zlib'
+    require 'stringio'
+
+    server(
+      itsi_rb: lambda do
+        compress min_size: 100
+        get("/foo") do |r|
+          r.ok "data" * r.query_params["repeat"].to_i
+        end
+      end) do
+
+        string_io = StringIO.new(get("/foo?repeat=100", {"Accept-Encoding" => "gzip"}))
+        gzip_reader = Zlib::GzipReader.new(string_io)
+        decompressed = gzip_reader.read
+        gzip_reader.close
+        assert_equal "data" * 100, decompressed
+
+        assert_equal get("/foo?repeat=1"), "data"
+    end
+  end
+
+  def test_supports_compression_mime_type_conditions
+    require 'zlib'
+    require 'stringio'
+
+    server(
+      itsi_rb: lambda do
+        compress mime_types: %w[image], min_size: 0
+        get("/foo") do |r|
+          r.respond("data", 200,  {"Content-Type" => r.query_params["type"]})
+        end
+      end) do
+
+        string_io = StringIO.new(get("/foo?type=image/png", {"Accept-Encoding" => "gzip"}))
+        gzip_reader = Zlib::GzipReader.new(string_io)
+        decompressed = gzip_reader.read
+        gzip_reader.close
+        assert_equal "data", decompressed
+        assert_equal get("/foo?type=application/octet-stream"), "data"
+    end
+  end
+
+  def test_supports_compression_streaming_compression
+    require 'zlib'
+    require 'stringio'
+
+    server(
+      itsi_rb: lambda do
+        compress mime_types: %w[all], min_size: 0, compress_streams: true
+        get("/foo") do |req|
+          r = req.response
+          r << "one\n"
+          r << "two\n"
+          r << "three\n"
+          r.close
+        end
+      end) do
+
+        string_io = StringIO.new(get("/foo", {"Accept-Encoding" => "gzip"}))
+        gzip_reader = Zlib::GzipReader.new(string_io)
+        decompressed = gzip_reader.read
+        gzip_reader.close
+        assert_equal "one\ntwo\nthree\n", decompressed
+    end
+  end
+
+end

data/gems/server/test/middleware/cors.rb

@@ -0,0 +1,113 @@
+require_relative "../helpers/test_helper"
+
+class TestCORS < Minitest::Test
+
+  def test_cors_supports_origin_and_methods
+    server(
+      itsi_rb: lambda do
+        cors \
+          allow_origins: ["https://itsi.fyi"],
+          allow_methods: %w[GET POST],
+          allow_headers: %w[Content-Type Authorization],
+          allow_credentials: true,
+          expose_headers: ["X-Special-Header"],
+          max_age: 3600
+
+        get("/foo") { |r| r.ok "ok" }
+      end
+    ) do
+      res = options("/foo", {
+        "Origin" => "https://itsi.fyi",
+        "Access-Control-Request-Method" => "POST",
+        "Access-Control-Request-Headers" => "Content-Type"
+      })
+
+      assert_includes res["Access-Control-Allow-Origin"], "https://itsi.fyi"
+      assert_includes res["Access-Control-Allow-Methods"], "POST"
+      assert_includes res["Access-Control-Allow-Headers"], "Content-Type"
+      assert_equal "true", res["Access-Control-Allow-Credentials"]
+      assert_equal "3600", res["Access-Control-Max-Age"]
+    end
+  end
+
+  def test_cors_exposes_headers_and_allows_credentials
+    server(
+      itsi_rb: lambda do
+        cors \
+          allow_origins: ["https://itsi.fyi"],
+          allow_methods: %w[GET],
+          allow_headers: %w[Content-Type],
+          allow_credentials: true,
+          expose_headers: ["X-Special-Header"],
+          max_age: 1000
+
+        get("/foo") do |r|
+          r.respond("ok", 200, {
+            "X-Special-Header" => "42"
+          })
+        end
+      end
+    ) do
+      res = get("/foo", {
+        "Origin" => "https://itsi.fyi"
+      })
+
+      assert_equal "https://itsi.fyi", res["Access-Control-Allow-Origin"]
+      assert_equal "true", res["Access-Control-Allow-Credentials"]
+      assert_equal "X-Special-Header", res["Access-Control-Expose-Headers"]
+    end
+  end
+
+  def test_cors_blocks_unauthorized_origin
+    server(
+      itsi_rb: lambda do
+        cors \
+          allow_origins: ["https://itsi.fyi"],
+          allow_methods: %w[GET],
+          allow_headers: %w[Content-Type],
+          allow_credentials: false,
+          expose_headers: [],
+          max_age: 600
+
+        get("/foo") { |r| r.ok "ok" }
+      end
+    ) do
+      res = options("/foo", {
+        "Origin" => "https://evil.com",
+        "Access-Control-Request-Method" => "GET"
+      })
+
+      refute res.key?("Access-Control-Allow-Origin")
+      refute res.key?("Access-Control-Allow-Headers")
+      refute res.key?("Access-Control-Allow-Credentials")
+    end
+  end
+
+  def test_cors_exposes_headers_and_allows_credentials
+    server(
+      itsi_rb: lambda do
+        cors \
+          allow_origins: ["https://itsi.fyi"],
+          allow_methods: %w[GET],
+          allow_headers: %w[Content-Type],
+          allow_credentials: true,
+          expose_headers: ["X-Special-Header"],
+          max_age: 1000
+
+        get("/foo") do |r|
+          r.respond("ok", 200, {
+            "X-Special-Header" => "42"
+          })
+        end
+      end
+    ) do
+      res = get_resp("/foo", {
+        "Origin" => "https://itsi.fyi"
+      })
+      assert_equal "https://itsi.fyi", res["Access-Control-Allow-Origin"]
+      assert_equal "true", res["Access-Control-Allow-Credentials"]
+      assert_equal "X-Special-Header", res["Access-Control-Expose-Headers"]
+    end
+  end
+
+end

data/gems/server/test/middleware/csp.rb

@@ -0,0 +1,62 @@
+require_relative "../helpers/test_helper"
+require "json"
+
+class TestCsp < Minitest::Test
+  def test_header_is_added
+    server(
+      itsi_rb: lambda do
+        csp \
+          policy: {
+            default_src: ["'self'"],
+            script_src: ["example.com"]
+          }
+        get("/") { |r| r.ok "hello" }
+      end
+    ) do
+      res = get_resp("/")
+      header = res["Content-Security-Policy"]
+      assert header.include?("default-src 'self'")
+      assert header.include?("script-src example.com")
+    end
+  end
+
+  def test_reports_get_logged
+    Tempfile.create("csp-log") do |f|
+      server(
+        itsi_rb: lambda do
+          csp \
+            policy: {
+              default_src: ["'none'"],
+              report_uri: ["/csp-report"]
+            },
+            reporting_enabled: true,
+            report_file: f.path,
+            report_endpoint: "/csp-report",
+            flush_interval: 0.1
+
+          get("/") { |r| r.ok "ok" }
+        end
+      ) do
+        report = {
+          "csp-report" => {
+            "document-uri" => "http://example.com/",
+            "referrer" => "",
+            "violated-directive" => "script-src",
+            "original-policy" => "default-src 'none';",
+            "blocked-uri" => "inline"
+          }
+        }
+
+        post("/csp-report", JSON.dump(report), {
+          "Content-Type" => "application/csp-report"
+        })
+
+        sleep 0.15
+
+        content = File.read(f.path)
+        assert_includes content, "violated-directive"
+        assert_includes content, "blocked-uri"
+      end
+    end
+  end
+end