otto 1.6.0 → 2.0.0.pre1

data/lib/otto/security/authentication.rb

@@ -1,289 +1,35 @@
+# frozen_string_literal: true
+
 # lib/otto/security/authentication.rb
 #
-# Configurable authentication strategy system for Otto framework
-# Provides pluggable authentication patterns that can be customized per application
-#
-# Usage:
-#   otto = Otto.new('routes.txt', {
-#     auth_strategies: {
-#       'publically' => PublicStrategy.new,
-#       'authenticated' => SessionStrategy.new,
-#       'role:admin' => RoleStrategy.new(['admin']),
-#       'api_key' => APIKeyStrategy.new
-#     }
-#   })
-
-class Otto
-  module Security
-    # Base class for all authentication strategies
-    class AuthStrategy
-      # Check if the request meets the authentication requirements
-      # @param env [Hash] Rack environment
-      # @param requirement [String] Authentication requirement string
-      # @return [AuthResult] Result containing success status and context
-      def authenticate(env, requirement)
-        raise NotImplementedError, 'Subclasses must implement #authenticate'
-      end
-
-      # Optional: Extract user context for authenticated requests
-      # @param env [Hash] Rack environment
-      # @return [Hash] User context hash
-      def user_context(env)
-        {}
-      end
-
-      protected
-
-      # Helper to create successful auth result
-      def success(user_context = {})
-        AuthResult.new(true, user_context)
-      end
-
-      # Helper to create failed auth result
-      def failure(reason = 'Authentication failed')
-        AuthResult.new(false, {}, reason)
-      end
-    end
-
-    # Result object for authentication attempts
-    class AuthResult
-      attr_reader :user_context, :failure_reason
-
-      def initialize(success, user_context = {}, failure_reason = nil)
-        @success = success
-        @user_context = user_context
-        @failure_reason = failure_reason
-      end
-
-      def success?
-        @success
-      end
-
-      def failure?
-        !@success
-      end
-    end
-
-    # Public access strategy - always allows access
-    class PublicStrategy < AuthStrategy
-      def authenticate(env, requirement)
-        success
-      end
-    end
-
-    # Session-based authentication strategy
-    class SessionStrategy < AuthStrategy
-      def initialize(session_key: 'user_id', session_store: nil)
-        @session_key = session_key
-        @session_store = session_store
-      end
-
-      def authenticate(env, requirement)
-        session = env['rack.session']
-        return failure('No session available') unless session
-
-        user_id = session[@session_key]
-        return failure('Not authenticated') unless user_id
-
-        success(user_id: user_id, session: session)
-      end
-
-      def user_context(env)
-        session = env['rack.session']
-        return {} unless session
-
-        user_id = session[@session_key]
-        user_id ? { user_id: user_id } : {}
-      end
-    end
-
-    # Role-based authentication strategy
-    class RoleStrategy < AuthStrategy
-      def initialize(allowed_roles, session_key: 'user_roles')
-        @allowed_roles = Array(allowed_roles)
-        @session_key = session_key
-      end
-
-      def authenticate(env, requirement)
-        session = env['rack.session']
-        return failure('No session available') unless session
-
-        user_roles = session[@session_key] || []
-        user_roles = Array(user_roles)
-
-        # For requirements like "role:admin", extract the role part
-        if requirement.include?(':')
-          required_role = requirement.split(':', 2).last
-          if user_roles.include?(required_role)
-            success(user_roles: user_roles, required_role: required_role)
-          else
-            failure("Insufficient privileges - requires role: #{required_role}")
-          end
-        else
-          # For direct strategy matches, check if user has any of the allowed roles
-          matching_roles = user_roles & @allowed_roles
-          if matching_roles.any?
-            success(user_roles: user_roles, allowed_roles: @allowed_roles, matching_roles: matching_roles)
-          else
-            failure("Insufficient privileges - requires one of roles: #{@allowed_roles.join(', ')}")
-          end
-        end
-      end
-
-      def user_context(env)
-        session = env['rack.session']
-        return {} unless session
-
-        user_roles = session[@session_key] || []
-        { user_roles: Array(user_roles) }
-      end
-    end
-
-    # API key authentication strategy
-    class APIKeyStrategy < AuthStrategy
-      def initialize(api_keys: [], header_name: 'X-API-Key', param_name: 'api_key')
-        @api_keys = Array(api_keys)
-        @header_name = header_name
-        @param_name = param_name
-      end
-
-      def authenticate(env, requirement)
-        # Try header first, then query parameter
-        api_key = env["HTTP_#{@header_name.upcase.tr('-', '_')}"]
+# Index file for Otto authentication module
+# Requires all authentication-related components for backward compatibility
 
-        if api_key.nil?
-          request = Rack::Request.new(env)
-          api_key = request.params[@param_name]
-        end
+require_relative 'authentication/auth_strategy'
+require_relative 'authentication/strategy_result'
+require_relative 'authentication/failure_result'
+require_relative 'authentication/authentication_middleware'
 
-        return failure('No API key provided') unless api_key
+# Load all strategies
+require_relative 'authentication/strategies/public_strategy'
+require_relative 'authentication/strategies/session_strategy'
+require_relative 'authentication/strategies/role_strategy'
+require_relative 'authentication/strategies/api_key_strategy'
+require_relative 'authentication/strategies/permission_strategy'
 
-        if @api_keys.empty? || @api_keys.include?(api_key)
-          success(api_key: api_key)
-        else
-          failure('Invalid API key')
-        end
-      end
-    end
-
-    # Permission-based authentication strategy
-    class PermissionStrategy < AuthStrategy
-      def initialize(required_permissions, session_key: 'user_permissions')
-        @required_permissions = Array(required_permissions)
-        @session_key = session_key
-      end
-
-      def authenticate(env, requirement)
-        session = env['rack.session']
-        return failure('No session available') unless session
-
-        user_permissions = session[@session_key] || []
-        user_permissions = Array(user_permissions)
-
-        # Extract permission from requirement (e.g., "permission:write" -> "write")
-        required_permission = requirement.split(':', 2).last
-
-        if user_permissions.include?(required_permission)
-          success(user_permissions: user_permissions, required_permission: required_permission)
-        else
-          failure("Insufficient privileges - requires permission: #{required_permission}")
-        end
-      end
-
-      def user_context(env)
-        session = env['rack.session']
-        return {} unless session
-
-        user_permissions = session[@session_key] || []
-        { user_permissions: Array(user_permissions) }
-      end
-    end
-
-    # Authentication middleware that enforces route-level auth requirements
-    class AuthenticationMiddleware
-      def initialize(app, config = {})
-        @app = app
-        @config = config
-        @strategies = config[:auth_strategies] || {}
-        @default_strategy = config[:default_auth_strategy] || 'publically'
-
-        # Add default public strategy if not provided
-        @strategies['publically'] ||= PublicStrategy.new
-      end
-
-      def call(env)
-        # Check if this route has auth requirements
-        route_definition = env['otto.route_definition']
-        return @app.call(env) unless route_definition
-
-        auth_requirement = route_definition.auth_requirement
-        return @app.call(env) unless auth_requirement
-
-        # Find appropriate strategy
-        strategy = find_strategy(auth_requirement)
-        unless strategy
-          return auth_error_response("Unknown authentication strategy: #{auth_requirement}")
-        end
-
-        # Perform authentication
-        auth_result = strategy.authenticate(env, auth_requirement)
-
-        if auth_result.success?
-          # Add user context to environment for handlers to use
-          env['otto.user_context'] = auth_result.user_context
-          env['otto.auth_result'] = auth_result
-          @app.call(env)
-        else
-          auth_error_response(auth_result.failure_reason)
-        end
-      end
-
-      private
-
-      def find_strategy(requirement)
-        # Try exact match first - this has highest priority
-        return @strategies[requirement] if @strategies[requirement]
-
-        # For colon-separated requirements like "role:admin", try prefix match
-        if requirement.include?(':')
-          prefix = requirement.split(':', 2).first
-
-          # Check if we have a strategy registered for the prefix
-          prefix_strategy = @strategies[prefix]
-          return prefix_strategy if prefix_strategy
-
-          # Try fallback patterns for role: and permission: requirements
-          if requirement.start_with?('role:')
-            return @strategies['role'] || RoleStrategy.new([])
-          elsif requirement.start_with?('permission:')
-            return @strategies['permission'] || PermissionStrategy.new([])
-          end
-        end
-
-        nil
-      end
-
-      def auth_error_response(message)
-        body = JSON.generate({
-          error: 'Authentication Required',
-          message: message,
-          timestamp: Time.now.to_i
-        })
-
-        headers = {
-          'Content-Type' => 'application/json',
-          'Content-Length' => body.bytesize.to_s
-        }
-
-        # Add security headers if available from config hash or Otto instance
-        if @config.is_a?(Hash) && @config[:security_headers]
-          headers.merge!(@config[:security_headers])
-        elsif @config.respond_to?(:security_config) && @config.security_config
-          headers.merge!(@config.security_config.security_headers)
-        end
-
-        [401, headers, [body]]
-      end
-    end
+class Otto
+  module Security
+    # Backward compatibility aliases for the old namespace
+    AuthStrategy = Authentication::AuthStrategy
+    PublicStrategy = Authentication::Strategies::PublicStrategy
+    SessionStrategy = Authentication::Strategies::SessionStrategy
+    RoleStrategy = Authentication::Strategies::RoleStrategy
+    APIKeyStrategy = Authentication::Strategies::APIKeyStrategy
+    PermissionStrategy = Authentication::Strategies::PermissionStrategy
+    AuthenticationMiddleware = Authentication::AuthenticationMiddleware
   end
+
+  # Top-level backward compatibility aliases
+  StrategyResult = Security::Authentication::StrategyResult
+  FailureResult = Security::Authentication::FailureResult
 end

data/lib/otto/security/config.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # lib/otto/security/config.rb
 
 require 'securerandom'
@@ -22,11 +24,11 @@ class Otto
     #   config.max_param_depth = 16
     class Config
       attr_accessor :csrf_protection, :csrf_token_key, :csrf_header_key, :csrf_session_key,
-        :max_request_size, :max_param_depth, :max_param_keys,
-        :trusted_proxies, :require_secure_cookies,
-        :security_headers, :input_validation,
-        :csp_nonce_enabled, :debug_csp, :mcp_auth,
-        :rate_limiting_config
+                    :max_request_size, :max_param_depth, :max_param_keys,
+                    :trusted_proxies, :require_secure_cookies,
+                    :security_headers, :input_validation,
+                    :csp_nonce_enabled, :debug_csp, :mcp_auth,
+                    :rate_limiting_config
 
       # Initialize security configuration with safe defaults
       #
@@ -96,12 +98,12 @@ class Otto
       #   config.add_trusted_proxy(['10.0.0.1', '172.16.0.0/12'])
       def add_trusted_proxy(proxy)
         case proxy
-        when String
+        when String, Regexp
           @trusted_proxies << proxy
         when Array
           @trusted_proxies.concat(proxy)
         else
-          raise ArgumentError, 'Proxy must be a String or Array'
+          raise ArgumentError, 'Proxy must be a String, Regexp, or Array'
         end
       end
 
@@ -135,7 +137,7 @@ class Otto
         size = content_length.to_i
         if size > @max_request_size
           raise Otto::Security::RequestTooLargeError,
-            "Request size #{size} exceeds maximum #{@max_request_size}"
+                "Request size #{size} exceeds maximum #{@max_request_size}"
         end
         true
       end
@@ -308,8 +310,8 @@ class Otto
       end
 
       def store_session_id(request, session_id)
-          session                   = request.session
-          session[csrf_session_key] = session_id if session
+        session                   = request.session
+        session[csrf_session_key] = session_id if session
       rescue StandardError
         # Cookie fallback handled in inject_csrf_token
       end
@@ -361,9 +363,9 @@ class Otto
       def development_csp_directives(nonce)
         [
           "default-src 'none';",
-          "script-src 'nonce-#{nonce}' 'unsafe-inline';",  # Allow inline scripts for development tools
+          "script-src 'nonce-#{nonce}' 'unsafe-inline';", # Allow inline scripts for development tools
           "style-src 'self' 'unsafe-inline';",
-          "connect-src 'self' ws: wss: http: https:;",      # Allow HTTP and all WebSocket connections for dev tools
+          "connect-src 'self' ws: wss: http: https:;", # Allow HTTP and all WebSocket connections for dev tools
           "img-src 'self' data:;",
           "font-src 'self';",
           "object-src 'none';",

data/lib/otto/security/configurator.rb

@@ -0,0 +1,219 @@
+# frozen_string_literal: true
+
+# lib/otto/security/configurator.rb
+
+require_relative 'middleware/csrf_middleware'
+require_relative 'middleware/validation_middleware'
+require_relative 'authentication/authentication_middleware'
+require_relative 'middleware/rate_limit_middleware'
+
+# Security configuration facade for Otto framework
+class Otto
+  module Security
+    # Consolidates all security configuration methods into a single configurator class.
+    # This provides a unified interface for configuring CSRF protection, input validation,
+    # rate limiting, trusted proxies, and authentication strategies.
+    class Configurator
+      attr_reader :security_config, :middleware_stack
+      attr_accessor :auth_config
+
+      def initialize(security_config, middleware_stack, auth_config = nil)
+        @security_config = security_config
+        @middleware_stack = middleware_stack
+        # Use provided auth_config or initialize a new one
+        @auth_config = auth_config || { auth_strategies: {}, default_auth_strategy: 'publicly' }
+      end
+
+      # Unified security configuration method with sensible defaults
+      #
+      # Provides a comprehensive, one-stop configuration method for Otto's security features.
+      # This method allows configuring multiple security aspects in a single call, with flexible options.
+      #
+      # @param csrf_protection [Boolean, Hash] Enable CSRF protection
+      #   - `true`: Enable with default settings
+      #   - `Hash`: Provide custom CSRF configuration
+      # @param request_validation [Boolean] Enable input validation and sanitization
+      # @param rate_limiting [Boolean, Hash] Enable rate limiting
+      #   - `true`: Enable with default settings
+      #   - `Hash`: Provide custom rate limiting rules
+      # @param trusted_proxies [String, Array<String>] IP addresses or CIDR ranges to trust
+      # @param security_headers [Hash] Custom security headers to merge with defaults
+      # @param hsts [Boolean] Enable HTTP Strict Transport Security
+      # @param csp [Boolean, String] Enable Content Security Policy
+      # @param frame_protection [Boolean, String] Enable frame protection
+      # @param authentication [Boolean] Enable authentication
+      #
+      # @example Configure multiple security features in one call
+      #   otto.security.configure(
+      #     csrf_protection: true,
+      #     request_validation: true,
+      #     rate_limiting: { requests_per_minute: 100 },
+      #     trusted_proxies: ['10.0.0.0/8'],
+      #     security_headers: { 'x-custom-header' => 'value' },
+      #     hsts: true,
+      #     csp: "default-src 'self'",
+      #     frame_protection: 'SAMEORIGIN'
+      #   )
+      def configure(
+        csrf_protection: false,
+        request_validation: false,
+        rate_limiting: false,
+        trusted_proxies: [],
+        security_headers: {},
+        hsts: false,
+        csp: false,
+        frame_protection: false,
+        authentication: false
+      )
+        enable_csrf_protection! if csrf_protection
+        enable_request_validation! if request_validation
+        enable_rate_limiting!(rate_limiting.is_a?(Hash) ? rate_limiting : {}) if rate_limiting
+
+        Array(trusted_proxies).each { |proxy| add_trusted_proxy(proxy) }
+        self.security_headers = security_headers unless security_headers.empty?
+
+        enable_hsts! if hsts
+        enable_csp! if csp
+        enable_frame_protection! if frame_protection
+        enable_authentication! if authentication
+      end
+
+      # Enable CSRF protection for POST, PUT, DELETE, and PATCH requests.
+      # This will automatically add CSRF tokens to HTML forms and validate
+      # them on unsafe HTTP methods.
+      def enable_csrf_protection!
+        return if middleware_enabled?(Otto::Security::Middleware::CSRFMiddleware)
+
+        @security_config.enable_csrf_protection!
+        @middleware_stack.add(Otto::Security::Middleware::CSRFMiddleware)
+      end
+
+      # Enable request validation including input sanitization, size limits,
+      # and protection against XSS and SQL injection attacks.
+      def enable_request_validation!
+        return if middleware_enabled?(Otto::Security::Middleware::ValidationMiddleware)
+
+        @security_config.input_validation = true
+        @middleware_stack.add(Otto::Security::Middleware::ValidationMiddleware)
+      end
+
+      # Enable rate limiting to protect against abuse and DDoS attacks.
+      # This will automatically add rate limiting rules based on client IP.
+      #
+      # @param options [Hash] Rate limiting configuration options
+      # @option options [Integer] :requests_per_minute Maximum requests per minute per IP (default: 100)
+      # @option options [Hash] :custom_rules Custom rate limiting rules
+      def enable_rate_limiting!(options = {})
+        return if middleware_enabled?(Otto::Security::Middleware::RateLimitMiddleware)
+
+        configure_rate_limiting(options)
+        @middleware_stack.add(Otto::Security::Middleware::RateLimitMiddleware)
+      end
+
+      # Add a custom rate limiting rule.
+      #
+      # @param name [String, Symbol] Rule name
+      # @param options [Hash] Rule configuration
+      # @option options [Integer] :limit Maximum requests
+      # @option options [Integer] :period Time period in seconds (default: 60)
+      # @option options [Proc] :condition Optional condition proc that receives request
+      def add_rate_limit_rule(name, options)
+        @security_config.rate_limiting_config[:custom_rules] ||= {}
+        @security_config.rate_limiting_config[:custom_rules][name.to_s] = options
+      end
+
+      # Add a trusted proxy server for accurate client IP detection.
+      # Only requests from trusted proxies will have their forwarded headers honored.
+      #
+      # @param proxy [String, Regexp] IP address, CIDR range, or regex pattern
+      def add_trusted_proxy(proxy)
+        @security_config.add_trusted_proxy(proxy)
+      end
+
+      # Set custom security headers that will be added to all responses.
+      # These merge with the default security headers.
+      #
+      # @param headers [Hash] Hash of header name => value pairs
+      def security_headers=(headers)
+        @security_config.security_headers.merge!(headers)
+      end
+
+      # Enable HTTP Strict Transport Security (HSTS) header.
+      # WARNING: This can make your domain inaccessible if HTTPS is not properly
+      # configured. Only enable this when you're certain HTTPS is working correctly.
+      #
+      # @param max_age [Integer] Maximum age in seconds (default: 1 year)
+      # @param include_subdomains [Boolean] Apply to all subdomains (default: true)
+      def enable_hsts!(max_age: 31_536_000, include_subdomains: true)
+        @security_config.enable_hsts!(max_age: max_age, include_subdomains: include_subdomains)
+      end
+
+      # Enable Content Security Policy (CSP) header to prevent XSS attacks.
+      # The default policy only allows resources from the same origin.
+      #
+      # @param policy [String] CSP policy string (default: "default-src 'self'")
+      def enable_csp!(policy = "default-src 'self'")
+        @security_config.enable_csp!(policy)
+      end
+
+      # Enable X-Frame-Options header to prevent clickjacking attacks.
+      #
+      # @param option [String] Frame options: 'DENY', 'SAMEORIGIN', or 'ALLOW-FROM uri'
+      def enable_frame_protection!(option = 'SAMEORIGIN')
+        @security_config.enable_frame_protection!(option)
+      end
+
+      # Enable Content Security Policy (CSP) with nonce support for dynamic header generation.
+      # This enables the res.send_csp_headers response helper method.
+      #
+      # @param debug [Boolean] Enable debug logging for CSP headers (default: false)
+      def enable_csp_with_nonce!(debug: false)
+        @security_config.enable_csp_with_nonce!(debug: debug)
+      end
+
+      # Enable authentication middleware for route-level access control.
+      # This will automatically check route auth parameters and enforce authentication.
+      def enable_authentication!
+        return if middleware_enabled?(Otto::Security::Authentication::AuthenticationMiddleware)
+
+        @middleware_stack.add(Otto::Security::Authentication::AuthenticationMiddleware, @auth_config)
+      end
+
+      # Add a single authentication strategy
+      #
+      # @param name [String] Strategy name
+      # @param strategy [Otto::Security::Authentication::AuthStrategy] Strategy instance
+      def add_auth_strategy(name, strategy)
+        @auth_config[:auth_strategies][name] = strategy
+        enable_authentication!
+      end
+
+      # Configure authentication strategies for route-level access control.
+      #
+      # @param strategies [Hash] Hash mapping strategy names to strategy instances
+      # @param default_strategy [String] Default strategy to use when none specified
+      def configure_auth_strategies(strategies, default_strategy: 'publicly')
+        # Merge new strategies with existing ones, preserving shared state
+        @auth_config[:auth_strategies].merge!(strategies)
+        @auth_config[:default_auth_strategy] = default_strategy
+        enable_authentication! unless strategies.empty?
+      end
+
+      # Configure rate limiting settings.
+      #
+      # @param config [Hash] Rate limiting configuration
+      # @option config [Integer] :requests_per_minute Maximum requests per minute per IP
+      # @option config [Hash] :custom_rules Hash of custom rate limiting rules
+      # @option config [Object] :cache_store Custom cache store for rate limiting
+      def configure_rate_limiting(config)
+        @security_config.rate_limiting_config.merge!(config)
+      end
+
+      private
+
+      def middleware_enabled?(middleware_class)
+        @middleware_stack.includes?(middleware_class)
+      end
+    end
+  end
+end