RubyGems - itsi - Versions diffs - 0.1.20 → 0.2.2 - Mend

itsi 0.1.20 → 0.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (319) hide show

data/crates/itsi_server/src/server/middleware_stack/middlewares/auth_jwt.rs CHANGED Viewed

@@ -18,7 +18,7 @@ use std::{
     collections::{HashMap, HashSet},
     sync::OnceLock,
 };
-use tracing::{debug, error};
+use tracing::debug;
 #[derive(Debug, Clone, Deserialize)]
 pub struct AuthJwt {
@@ -32,6 +32,10 @@ pub struct AuthJwt {
     pub audiences: Option<HashSet<String>>,
     pub subjects: Option<HashSet<String>>,
     pub issuers: Option<HashSet<String>>,
+    #[serde(skip_deserializing)]
+    pub audience_vec: OnceLock<Option<Vec<String>>>,
+    #[serde(skip_deserializing)]
+    pub issuer_vec: OnceLock<Option<Vec<String>>>,
     pub leeway: Option<u64>,
     #[serde(default = "unauthorized_error_response")]
     pub error_response: ErrorResponse,
@@ -91,7 +95,7 @@ impl JwtAlgorithm {
     /// Given a base64-encoded key string, decode and construct a jsonwebtoken::DecodingKey.
     pub fn key_from(&self, base64: &str) -> itsi_error::Result<DecodingKey> {
         match self {
-            // For HMAC algorithms, use the secret directly.
+            // For HMAC algorithms, expect a base64 encoded secret.
             JwtAlgorithm::Hs256 | JwtAlgorithm::Hs384 | JwtAlgorithm::Hs512 => {
                 Ok(DecodingKey::from_secret(
                     &general_purpose::STANDARD
@@ -118,15 +122,16 @@ impl JwtAlgorithm {
 #[derive(Debug, Deserialize)]
 #[serde(untagged)]
+#[allow(dead_code)]
 enum Audience {
     Single(String),
     Multiple(Vec<String>),
 }
 #[derive(Debug, Deserialize)]
+#[allow(dead_code)]
 struct Claims {
     // Here we assume the token includes an expiration.
-    #[allow(dead_code)]
     exp: usize,
     // The audience claim may be a single string or an array.
     aud: Option<Audience>,
@@ -171,6 +176,17 @@ impl MiddlewareLayer for AuthJwt {
         self.keys
             .set(keys)
             .map_err(|_| ItsiError::new("Failed to set keys"))?;
+        if let Some(audiences) = self.audiences.as_ref() {
+            self.audience_vec
+                .set(Some(audiences.iter().cloned().collect::<Vec<_>>()))
+                .ok();
+        }
+        if let Some(issuers) = self.issuers.as_ref() {
+            self.issuer_vec
+                .set(Some(issuers.iter().cloned().collect::<Vec<_>>()))
+                .ok();
+        }
         Ok(())
     }
@@ -219,8 +235,17 @@ impl MiddlewareLayer for AuthJwt {
             ));
         }
         let token_str = token_str.unwrap();
-        let header =
-            decode_header(token_str).map_err(|_| ItsiError::new("Invalid token header"))?;
+        let header = match decode_header(token_str) {
+            Ok(header) => header,
+            Err(_) => {
+                debug!(target: "middleware::auth_jwt", "JWT decoding failed");
+                return Ok(Either::Right(
+                    self.error_response
+                        .to_http_response(req.accept().into())
+                        .await,
+                ));
+            }
+        };
         let alg: JwtAlgorithm = header.alg.into();
@@ -256,12 +281,28 @@ impl MiddlewareLayer for AuthJwt {
             validation.leeway = leeway;
         }
+        if let Some(Some(auds)) = &self.audience_vec.get() {
+            validation.set_audience(auds);
+            validation.required_spec_claims.insert("aud".to_owned());
+        } else {
+            validation.validate_aud = false;
+        }
+        if let Some(Some(issuers)) = &self.issuer_vec.get() {
+            validation.set_issuer(issuers);
+            validation.required_spec_claims.insert("iss".to_owned());
+        }
+        if self.subjects.is_some() {
+            validation.required_spec_claims.insert("sub".to_owned());
+        }
         let token_data: Option<TokenData<Claims>> =
             keys.iter()
                 .find_map(|key| match decode::<Claims>(token_str, key, &validation) {
                     Ok(data) => Some(data),
                     Err(e) => {
-                        error!("Token validation failed: {:?}", e);
+                        debug!("Token validation failed: {:?}", e);
                         None
                     }
                 });
@@ -278,30 +319,11 @@ impl MiddlewareLayer for AuthJwt {
         let claims = token_data.claims;
-        if let Some(expected_audiences) = &self.audiences {
-            if let Some(aud) = &claims.aud {
-                let token_auds: HashSet<String> = match aud {
-                    Audience::Single(s) => [s.clone()].into_iter().collect(),
-                    Audience::Multiple(v) => v.iter().cloned().collect(),
-                };
-                if expected_audiences.is_disjoint(&token_auds) {
-                    debug!(
-                        "AUD check failed, token_auds: {:?}, expected_audiences: {:?}",
-                        token_auds, expected_audiences
-                    );
-                    return Ok(Either::Right(
-                        self.error_response
-                            .to_http_response(req.accept().into())
-                            .await,
-                    ));
-                }
-            }
-        }
         if let Some(expected_subjects) = &self.subjects {
             if let Some(sub) = &claims.sub {
                 if !expected_subjects.contains(sub) {
                     debug!(
+                        target: "middleware::auth_jwt",
                         "SUB check failed, token_sub: {:?}, expected_subjects: {:?}",
                         sub, expected_subjects
                     );
@@ -314,23 +336,6 @@ impl MiddlewareLayer for AuthJwt {
             }
         }
-        // Verify expected issuer.
-        if let Some(expected_issuers) = &self.issuers {
-            if let Some(iss) = &claims.iss {
-                if !expected_issuers.contains(iss) {
-                    debug!(
-                        "ISS check failed, token_iss: {:?}, expected_issuers: {:?}",
-                        iss, expected_issuers
-                    );
-                    return Ok(Either::Right(
-                        self.error_response
-                            .to_http_response(req.accept().into())
-                            .await,
-                    ));
-                }
-            }
-        }
         Ok(Either::Left(req))
     }
 }

data/crates/itsi_server/src/server/middleware_stack/middlewares/cache_control.rs CHANGED Viewed

@@ -8,8 +8,9 @@ use http::{HeaderName, HeaderValue};
 use magnus::error::Result;
 use serde::Deserialize;
 use std::{collections::HashMap, sync::OnceLock};
+use tracing::debug;
-#[derive(Debug, Clone, Deserialize)]
+#[derive(Debug, Deserialize)]
 pub struct CacheControl {
     #[serde(default)]
     pub max_age: Option<u64>,
@@ -87,6 +88,7 @@ impl MiddlewareLayer for CacheControl {
         // Set the Cache-Control header if we have directives
         if !directives.is_empty() {
             let cache_control_value = directives.join(", ");
+            debug!(target: "middleware::cache_control", "Built cache-control directive {}", cache_control_value);
             self.cache_control_str.set(cache_control_value).unwrap();
         }
@@ -97,20 +99,27 @@ impl MiddlewareLayer for CacheControl {
         // Skip for statuses where caching doesn't make sense
         let status = resp.status().as_u16();
         if matches!(status, 401 | 403 | 500..=599) {
+            debug!(target: "middleware::cache_control", "Skipping cache-control for status {}", status);
             return resp;
         }
         // Set the Cache-Control header if we have directives
         if let Some(cache_control_value) = self.cache_control_str.get() {
             if let Ok(value) = HeaderValue::from_str(cache_control_value) {
+                debug!(target: "middleware::cache_control", "Setting cache-control header to {}", cache_control_value);
                 resp.headers_mut().insert("Cache-Control", value);
+            } else {
+                debug!(target: "middleware::cache_control", "Failed to parse cache-control value {}", cache_control_value);
             }
+        } else {
+            debug!(target: "middleware::cache_control", "No cache-control value provided");
         }
         // Set Expires header based on max-age if present
         if let Some(max_age) = self.max_age {
             // Set the Expires header based on max-age
             // Use a helper to format the HTTP date correctly
+            debug!(target: "middleware::cache_control", "Setting expires header to {}", max_age);
             let expires = chrono::Utc::now() + chrono::Duration::seconds(max_age as i64);
             let expires_str = expires.format("%a, %d %b %Y %H:%M:%S GMT").to_string();
             if let Ok(value) = HeaderValue::from_str(&expires_str) {
@@ -118,7 +127,6 @@ impl MiddlewareLayer for CacheControl {
             }
         }
-        // Set Vary header
         if !self.vary.is_empty() {
             let vary_value = self.vary.join(", ");
             if let Ok(value) = HeaderValue::from_str(&vary_value) {
@@ -130,6 +138,7 @@ impl MiddlewareLayer for CacheControl {
         for (name, value) in &self.additional_headers {
             if let Ok(header_value) = HeaderValue::from_str(value) {
                 if let Ok(header_name) = name.parse::<HeaderName>() {
+                    debug!(target: "middleware::cache_control", "Setting custom header {} to {:?}", header_name, header_value);
                     resp.headers_mut().insert(header_name, header_value);
                 }
             }

data/crates/itsi_server/src/server/middleware_stack/middlewares/compression.rs CHANGED Viewed

@@ -25,6 +25,7 @@ use std::convert::Infallible;
 use tokio::io::{AsyncRead, AsyncReadExt, BufReader};
 use tokio_stream::StreamExt;
 use tokio_util::io::{ReaderStream, StreamReader};
+use tracing::debug;
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct Compression {
     min_size: usize,
@@ -40,8 +41,8 @@ enum CompressionLevel {
     Fastest,
     #[serde(rename(deserialize = "best"))]
     Best,
-    #[serde(rename(deserialize = "default"))]
-    Default,
+    #[serde(rename(deserialize = "balanced"))]
+    Balanced,
     #[serde(rename(deserialize = "precise"))]
     Precise(i32),
 }
@@ -51,7 +52,7 @@ impl CompressionLevel {
         match self {
             CompressionLevel::Fastest => Level::Fastest,
             CompressionLevel::Best => Level::Best,
-            CompressionLevel::Default => Level::Default,
+            CompressionLevel::Balanced => Level::Default,
             CompressionLevel::Precise(level) => Level::Precise(*level),
         }
     }
@@ -61,14 +62,14 @@ impl CompressionLevel {
 pub enum CompressionAlgorithm {
     #[serde(rename(deserialize = "gzip"))]
     Gzip,
-    #[serde(rename(deserialize = "brotli"))]
+    #[serde(rename(deserialize = "br"))]
     Brotli,
     #[serde(rename(deserialize = "deflate"))]
     Deflate,
     #[serde(rename(deserialize = "zstd"))]
     Zstd,
-    #[serde(rename(deserialize = "none"))]
-    None,
+    #[serde(rename(deserialize = "identity"))]
+    Identity,
 }
 impl CompressionAlgorithm {
@@ -78,7 +79,7 @@ impl CompressionAlgorithm {
             CompressionAlgorithm::Brotli => "br",
             CompressionAlgorithm::Deflate => "deflate",
             CompressionAlgorithm::Zstd => "zstd",
-            CompressionAlgorithm::None => "none",
+            CompressionAlgorithm::Identity => "identity",
         }
     }
@@ -99,6 +100,8 @@ enum MimeType {
     Audio,
     #[serde(rename(deserialize = "video"))]
     Video,
+    #[serde(rename(deserialize = "font"))]
+    Font,
     #[serde(rename(deserialize = "other"))]
     Other(String),
     #[serde(rename(deserialize = "all"))]
@@ -113,6 +116,7 @@ impl MimeType {
             MimeType::Application => header_contains(content_encodings, "application/*"),
             MimeType::Audio => header_contains(content_encodings, "audio/*"),
             MimeType::Video => header_contains(content_encodings, "video/*"),
+            MimeType::Font => header_contains(content_encodings, "font/*"),
             MimeType::Other(v) => header_contains(content_encodings, v),
             MimeType::All => header_contains(content_encodings, "*"),
         }
@@ -162,16 +166,28 @@ impl MiddlewareLayer for Compression {
             .iter()
             .any(|mt| mt.matches(&resp.headers().get_all(CONTENT_TYPE)))
         {
+            debug!(
+                target: "middleware::compress",
+                "Mime type not supported for compression"
+            );
             return resp;
         }
         // Don't compress streams unless compress streams is enabled.
         if body_size.is_none() && !self.compress_streams {
+            debug!(
+                target: "middleware::compress",
+                "Stream compression disabled"
+            );
             return resp;
         }
         // Don't compress too small bodies
         if body_size.is_some_and(|s| s < self.min_size as u64) {
+            debug!(
+                target: "middleware::compress",
+                "Body size too small for compression"
+            );
             return resp;
         }
@@ -181,6 +197,10 @@ impl MiddlewareLayer for Compression {
                 for encoding in encodings.split(',').map(str::trim) {
                     let encoding = encoding.split(';').next().unwrap_or(encoding).trim();
                     if self.algorithms.iter().any(|algo| algo.as_str() == encoding) {
+                        debug!(
+                            target: "middleware::compress",
+                            "Body already compressed with supported algorithm"
+                        );
                         return resp;
                     }
                 }
@@ -195,10 +215,14 @@ impl MiddlewareLayer for Compression {
             Some("br") => CompressionAlgorithm::Brotli,
             Some("deflate") => CompressionAlgorithm::Deflate,
             Some("zstd") => CompressionAlgorithm::Zstd,
-            _ => CompressionAlgorithm::None,
+            _ => CompressionAlgorithm::Identity,
         };
-        if matches!(compression_method, CompressionAlgorithm::None) {
+        debug!(
+            target: "middleware::compress",
+            "Selected compression method: {:?}", compression_method
+        );
+        if matches!(compression_method, CompressionAlgorithm::Identity) {
             return resp;
         }
@@ -250,7 +274,7 @@ impl MiddlewareLayer for Compression {
                     encoder.read_to_end(&mut buf).await.unwrap();
                     buf
                 }
-                CompressionAlgorithm::None => unreachable!(),
+                CompressionAlgorithm::Identity => unreachable!(),
             };
             BoxBody::new(Full::new(Bytes::from(compressed_bytes)))
         } else {
@@ -276,13 +300,16 @@ impl MiddlewareLayer for Compression {
                     reader,
                     self.level.to_async_compression_level(),
                 )),
-                CompressionAlgorithm::None => unreachable!(),
+                CompressionAlgorithm::Identity => unreachable!(),
             }
         };
         update_content_encoding(&mut parts, compression_method.header_value());
         parts.headers.remove(CONTENT_LENGTH);
+        debug!(
+            target: "middleware::compress",
+            "Response compressed"
+        );
         Response::from_parts(parts, new_body)
     }
 }

data/crates/itsi_server/src/server/middleware_stack/middlewares/cors.rs CHANGED Viewed

@@ -10,14 +10,15 @@ use http_body_util::{combinators::BoxBody, Empty};
 use itsi_error::ItsiError;
 use magnus::error::Result;
 use serde::Deserialize;
+use tracing::debug;
 #[derive(Debug, Clone, Deserialize)]
 pub struct Cors {
-    pub allowed_origins: Vec<String>,
-    pub allowed_methods: Vec<HttpMethod>,
-    pub allowed_headers: Vec<String>,
-    pub exposed_headers: Vec<String>,
+    pub allow_origins: Vec<String>,
+    pub allow_methods: Vec<HttpMethod>,
+    pub allow_headers: Vec<String>,
     pub allow_credentials: bool,
+    pub expose_headers: Vec<String>,
     pub max_age: Option<u64>,
 }
@@ -74,6 +75,7 @@ impl Cors {
         if origin.is_empty() {
             // When credentials are allowed, you cannot return "*".
+            debug!(target: "middleware::cors", "Origin empty {}", origin);
             if !self.allow_credentials {
                 headers.insert(
                     "Access-Control-Allow-Origin",
@@ -84,13 +86,13 @@ impl Cors {
         }
         // Only return a header if the origin is allowed.
-        if self.allowed_origins.iter().any(|o| o == origin || o == "*") {
+        if self.allow_origins.iter().any(|o| o == origin || o == "*") {
             // If credentials are allowed, we must echo back the exact origin.
             let value = if self.allow_credentials {
                 origin
             } else {
                 // If not, and if "*" is allowed, you can still use "*".
-                if self.allowed_origins.iter().any(|o| o == "*") {
+                if self.allow_origins.iter().any(|o| o == "*") {
                     "*"
                 } else {
                     origin
@@ -102,10 +104,10 @@ impl Cors {
             );
         }
-        if !self.allowed_methods.is_empty() {
+        if !self.allow_methods.is_empty() {
             headers.insert(
                 "Access-Control-Allow-Methods",
-                self.allowed_methods
+                self.allow_methods
                     .iter()
                     .map(HttpMethod::to_str)
                     .collect::<Vec<&str>>()
@@ -114,10 +116,10 @@ impl Cors {
                     .map_err(ItsiError::new)?,
             );
         }
-        if !self.allowed_headers.is_empty() {
+        if !self.allow_headers.is_empty() {
             headers.insert(
                 "Access-Control-Allow-Headers",
-                self.allowed_headers
+                self.allow_headers
                     .join(", ")
                     .parse()
                     .map_err(ItsiError::new)?,
@@ -135,10 +137,10 @@ impl Cors {
                 max_age.to_string().parse().map_err(ItsiError::new)?,
             );
         }
-        if !self.exposed_headers.is_empty() {
+        if !self.expose_headers.is_empty() {
             headers.insert(
                 "Access-Control-Expose-Headers",
-                self.exposed_headers
+                self.expose_headers
                     .join(", ")
                     .parse()
                     .map_err(ItsiError::new)?,
@@ -159,27 +161,31 @@ impl Cors {
         let origin = match origin {
             Some(o) if !o.is_empty() => o,
-            _ => return Ok(headers), // Missing Origin – preflight fails
+            _ => {
+                debug!(target: "middleware::cors", "Missing Origin – preflight fails");
+                return Ok(headers);
+            }
         };
         if !self
-            .allowed_origins
+            .allow_origins
             .iter()
             .any(|allowed| allowed == "*" || allowed == origin)
         {
+            debug!(target: "middleware::cors", "Origin not allowed");
             return Ok(headers);
         }
         let request_method = match req_method {
             Some(m) if !m.is_empty() => m,
-            _ => return Ok(headers), // Missing request method – preflight fails
+            _ => {
+                debug!(target: "middleware::cors", "Missing request method – preflight fails");
+                return Ok(headers);
+            }
         };
-        if !self
-            .allowed_methods
-            .iter()
-            .any(|m| m.matches(request_method))
-        {
+        if !self.allow_methods.iter().any(|m| m.matches(request_method)) {
+            debug!(target: "middleware::cors", "Method not allowed");
             return Ok(headers);
         }
@@ -191,10 +197,11 @@ impl Cors {
                 .collect();
             for header in req_headers_list {
                 if !self
-                    .allowed_headers
+                    .allow_headers
                     .iter()
                     .any(|allowed| allowed.eq_ignore_ascii_case(header))
                 {
+                    debug!(target: "middleware::cors", "Header not allowed {}", header);
                     return Ok(headers);
                 }
             }
@@ -203,7 +210,7 @@ impl Cors {
         headers.insert("Access-Control-Allow-Origin", origin.parse().unwrap());
         headers.insert(
             "Access-Control-Allow-Methods",
-            self.allowed_methods
+            self.allow_methods
                 .iter()
                 .map(HttpMethod::to_str)
                 .collect::<Vec<&str>>()
@@ -213,7 +220,7 @@ impl Cors {
         );
         headers.insert(
             "Access-Control-Allow-Headers",
-            self.allowed_headers
+            self.allow_headers
                 .join(", ")
                 .parse()
                 .map_err(ItsiError::new)?,
@@ -230,10 +237,10 @@ impl Cors {
                 max_age.to_string().parse().map_err(ItsiError::new)?,
             );
         }
-        if !self.exposed_headers.is_empty() {
+        if !self.expose_headers.is_empty() {
             headers.insert(
                 "Access-Control-Expose-Headers",
-                self.exposed_headers
+                self.expose_headers
                     .join(", ")
                     .parse()
                     .map_err(ItsiError::new)?,
@@ -257,11 +264,12 @@ impl MiddlewareLayer for Cors {
         context: &mut HttpRequestContext,
     ) -> Result<either::Either<HttpRequest, HttpResponse>> {
         let origin = req.header("Origin");
+        debug!(target: "middleware::cors", "Origin: {:?}", origin);
         if req.method() == Method::OPTIONS {
             let ac_request_method = req.header("Access-Control-Request-Method");
             let ac_request_headers = req.header("Access-Control-Request-Headers");
             let headers = self.preflight_headers(origin, ac_request_method, ac_request_headers)?;
+            debug!(target: "middleware::cors", "Preflight Headers: {:?}", headers);
             let mut response_builder = Response::builder().status(204);
             *response_builder.headers_mut().unwrap() = headers;
             let response = response_builder
@@ -273,14 +281,15 @@ impl MiddlewareLayer for Cors {
         Ok(either::Either::Left(req))
     }
-    // The after hook can be used to inject CORS headers into non-preflight responses.
     async fn after(
         &self,
         mut resp: HttpResponse,
         context: &mut HttpRequestContext,
     ) -> HttpResponse {
         if let Some(Some(origin)) = context.origin.get() {
+            debug!(target: "middleware::cors", "fetching cors headers for origin {}", origin);
             if let Ok(cors_headers) = self.cors_headers(origin) {
+                debug!(target: "middleware::cors", "Cors Headers: {:?}", cors_headers);
                 for (key, value) in cors_headers.iter() {
                     resp.headers_mut().insert(key.clone(), value.clone());
                 }