rack-ai 0.1.0 → 0.3.0

data/examples/sinatra_microservice.rb

@@ -0,0 +1,431 @@
+# frozen_string_literal: true
+
+# Sinatra Microservice Example with Rack::AI
+# This example demonstrates how to build a secure microservice using Sinatra and Rack::AI
+# with comprehensive AI-powered security, monitoring, and optimization features.
+
+require 'sinatra/base'
+require 'json'
+require 'rack/ai'
+
+class SecureMicroservice < Sinatra::Base
+  # Configure Rack::AI middleware with security-focused settings
+  use Rack::AI::Middleware,
+    provider: :openai,
+    api_key: ENV['OPENAI_API_KEY'] || 'demo-key',
+    features: [:classification, :security, :rate_limiting, :anomaly_detection, :logging],
+    fail_safe: true,
+    async_processing: false, # Synchronous for microservice reliability
+    sanitize_logs: true,
+    explain_decisions: true,
+    
+    # Strict security settings for microservice
+    classification: {
+      confidence_threshold: 0.7,
+      categories: [:human, :bot, :spam, :suspicious, :malicious]
+    },
+    
+    security: {
+      injection_detection: true,
+      anomaly_threshold: 0.6,
+      block_suspicious: true
+    },
+    
+    # Aggressive rate limiting for API protection
+    rate_limiting: {
+      window_size: 300, # 5 minutes
+      max_requests: 100,
+      block_duration: 900, # 15 minutes
+      cleanup_interval: 60
+    },
+    
+    # Sensitive anomaly detection
+    anomaly_detection: {
+      baseline_window: 3600, # 1 hour
+      anomaly_threshold: 1.5, # Lower threshold for microservice
+      min_requests: 5,
+      learning_rate: 0.2
+    }
+
+  # Enable JSON parsing
+  set :protection, except: [:json_csrf]
+  
+  # Helper methods for AI analysis
+  helpers do
+    def ai_results
+      @ai_results ||= request.env['rack.ai']
+    end
+    
+    def ai_classification
+      ai_results&.dig(:results, :classification)
+    end
+    
+    def ai_security
+      ai_results&.dig(:results, :security)
+    end
+    
+    def ai_rate_limiting
+      ai_results&.dig(:results, :rate_limiting)
+    end
+    
+    def ai_anomaly
+      ai_results&.dig(:results, :anomaly_detection)
+    end
+    
+    def request_blocked?
+      ai_rate_limiting&.dig(:blocked) || 
+      ai_security&.dig(:threat_level) == :high ||
+      ai_classification&.dig(:classification) == :malicious
+    end
+    
+    def suspicious_request?
+      ai_classification&.dig(:classification) == :suspicious ||
+      ai_security&.dig(:threat_level) == :medium ||
+      ai_anomaly&.dig(:risk_score)&.> 0.7
+    end
+    
+    def log_request_analysis
+      return unless ai_results
+      
+      logger.info "AI Analysis: #{ai_results[:results].keys.join(', ')}"
+      
+      if request_blocked?
+        logger.warn "Request blocked: #{request.path_info}"
+      elsif suspicious_request?
+        logger.warn "Suspicious request: #{request.path_info}"
+      end
+    end
+    
+    def security_headers
+      {
+        'X-AI-Classification' => ai_classification&.dig(:classification)&.to_s,
+        'X-AI-Security-Level' => ai_security&.dig(:threat_level)&.to_s,
+        'X-AI-Risk-Score' => ai_anomaly&.dig(:risk_score)&.to_s,
+        'X-Content-Type-Options' => 'nosniff',
+        'X-Frame-Options' => 'DENY',
+        'X-XSS-Protection' => '1; mode=block'
+      }.compact
+    end
+  end
+  
+  # Before filter for security checks
+  before do
+    content_type :json
+    log_request_analysis
+    
+    # Block malicious requests immediately
+    if request_blocked?
+      halt 403, security_headers, {
+        error: 'Request blocked by AI security system',
+        reason: determine_block_reason,
+        timestamp: Time.now.iso8601
+      }.to_json
+    end
+    
+    # Add security headers to all responses
+    headers security_headers
+  end
+  
+  # Health check endpoint (bypasses AI processing)
+  get '/health' do
+    {
+      status: 'healthy',
+      service: 'secure-microservice',
+      timestamp: Time.now.iso8601,
+      ai_middleware: ai_results ? 'active' : 'inactive'
+    }.to_json
+  end
+  
+  # Service status with AI metrics
+  get '/status' do
+    {
+      service: {
+        name: 'secure-microservice',
+        version: '1.0.0',
+        uptime: Process.clock_gettime(Process::CLOCK_MONOTONIC),
+        status: 'operational'
+      },
+      ai: {
+        active: ai_results.present?,
+        provider: ai_results&.dig(:provider),
+        features: ai_results&.dig(:results)&.keys || [],
+        processing_time: ai_results&.dig(:processing_time),
+        classification: ai_classification,
+        security_level: ai_security&.dig(:threat_level),
+        rate_limit_status: ai_rate_limiting,
+        anomaly_score: ai_anomaly&.dig(:risk_score)
+      },
+      timestamp: Time.now.iso8601
+    }.to_json
+  end
+  
+  # User authentication endpoint
+  post '/auth/login' do
+    request.body.rewind
+    data = JSON.parse(request.body.read) rescue {}
+    
+    # AI analysis helps detect credential stuffing attacks
+    if ai_anomaly&.dig(:risk_score)&.> 0.8
+      logger.warn "Potential credential stuffing attack detected"
+      
+      halt 429, {
+        error: 'Too many authentication attempts',
+        retry_after: 300,
+        timestamp: Time.now.iso8601
+      }.to_json
+    end
+    
+    # Simulate authentication logic
+    username = data['username']
+    password = data['password']
+    
+    if username && password && username.length > 3 && password.length > 6
+      token = "secure_token_#{Time.now.to_i}_#{rand(1000)}"
+      
+      {
+        success: true,
+        token: token,
+        expires_at: (Time.now + 3600).iso8601,
+        security_analysis: {
+          classification: ai_classification&.dig(:classification),
+          risk_score: ai_anomaly&.dig(:risk_score) || 0.0
+        }
+      }.to_json
+    else
+      halt 400, {
+        error: 'Invalid credentials format',
+        requirements: {
+          username: 'minimum 4 characters',
+          password: 'minimum 7 characters'
+        }
+      }.to_json
+    end
+  end
+  
+  # Data processing endpoint with content validation
+  post '/data/process' do
+    request.body.rewind
+    raw_data = request.body.read
+    
+    # Check for suspicious content patterns
+    if ai_security&.dig(:injection_detection, :sql_injection_detected)
+      logger.error "SQL injection attempt detected"
+      halt 400, {
+        error: 'Malicious content detected',
+        type: 'sql_injection',
+        timestamp: Time.now.iso8601
+      }.to_json
+    end
+    
+    if ai_security&.dig(:injection_detection, :xss_detected)
+      logger.error "XSS attempt detected"
+      halt 400, {
+        error: 'Malicious content detected',
+        type: 'xss_injection',
+        timestamp: Time.now.iso8601
+      }.to_json
+    end
+    
+    begin
+      data = JSON.parse(raw_data)
+    rescue JSON::ParserError
+      halt 400, {
+        error: 'Invalid JSON format',
+        timestamp: Time.now.iso8601
+      }.to_json
+    end
+    
+    # Process data (simulation)
+    processed_data = {
+      original_size: raw_data.bytesize,
+      processed_at: Time.now.iso8601,
+      items_count: data.is_a?(Array) ? data.length : 1,
+      security_scan: {
+        threats_detected: ai_security&.dig(:injection_detection, :threats) || [],
+        risk_level: ai_security&.dig(:threat_level) || :low,
+        classification: ai_classification&.dig(:classification) || :unknown
+      }
+    }
+    
+    {
+      success: true,
+      result: processed_data,
+      ai_analysis: {
+        processing_safe: ai_security&.dig(:threat_level) != :high,
+        confidence: ai_classification&.dig(:confidence) || 0.0
+      }
+    }.to_json
+  end
+  
+  # Analytics endpoint with anomaly detection
+  get '/analytics/requests' do
+    # Simulate analytics data
+    analytics = {
+      total_requests: 1250,
+      requests_by_classification: {
+        human: 1000,
+        bot: 150,
+        suspicious: 80,
+        spam: 15,
+        malicious: 5
+      },
+      security_events: {
+        blocked_requests: 25,
+        sql_injection_attempts: 8,
+        xss_attempts: 12,
+        rate_limit_violations: 45
+      },
+      anomaly_detection: {
+        anomalies_detected: 18,
+        current_baseline: ai_anomaly&.dig(:baseline_metrics) || {},
+        risk_distribution: {
+          low: 1180,
+          medium: 55,
+          high: 15
+        }
+      },
+      performance: {
+        avg_response_time: 125,
+        ai_processing_time: ai_results&.dig(:processing_time) || 0,
+        cache_hit_rate: 0.72
+      },
+      timestamp: Time.now.iso8601
+    }
+    
+    # Add current request analysis
+    if ai_results
+      analytics[:current_request] = {
+        classification: ai_classification,
+        security: ai_security,
+        anomaly_score: ai_anomaly&.dig(:risk_score)
+      }
+    end
+    
+    analytics.to_json
+  end
+  
+  # File upload endpoint with security scanning
+  post '/upload' do
+    unless params[:file] && params[:file][:tempfile]
+      halt 400, {
+        error: 'No file provided',
+        timestamp: Time.now.iso8601
+      }.to_json
+    end
+    
+    file = params[:file]
+    filename = file[:filename]
+    content = file[:tempfile].read
+    
+    # AI-powered content analysis
+    suspicious_patterns = []
+    
+    if content.include?('<script')
+      suspicious_patterns << 'javascript_code'
+    end
+    
+    if content.match?(/\b(SELECT|INSERT|UPDATE|DELETE|DROP)\b/i)
+      suspicious_patterns << 'sql_statements'
+    end
+    
+    if ai_security&.dig(:threat_level) == :high
+      logger.error "High-risk file upload blocked: #{filename}"
+      halt 403, {
+        error: 'File upload blocked by security system',
+        filename: filename,
+        threats: ai_security[:injection_detection][:threats],
+        timestamp: Time.now.iso8601
+      }.to_json
+    end
+    
+    # Simulate file processing
+    file_info = {
+      filename: filename,
+      size: content.bytesize,
+      content_type: file[:type],
+      uploaded_at: Time.now.iso8601,
+      security_scan: {
+        suspicious_patterns: suspicious_patterns,
+        threat_level: ai_security&.dig(:threat_level) || :low,
+        safe_to_process: suspicious_patterns.empty? && ai_security&.dig(:threat_level) != :high
+      },
+      ai_classification: ai_classification&.dig(:classification)
+    }
+    
+    {
+      success: true,
+      file: file_info,
+      message: suspicious_patterns.empty? ? 'File uploaded successfully' : 'File uploaded with warnings'
+    }.to_json
+  end
+  
+  # Error handlers
+  error 404 do
+    {
+      error: 'Endpoint not found',
+      path: request.path_info,
+      method: request.request_method,
+      timestamp: Time.now.iso8601,
+      ai_classification: ai_classification&.dig(:classification)
+    }.to_json
+  end
+  
+  error 500 do
+    logger.error "Internal server error: #{env['sinatra.error']}"
+    
+    {
+      error: 'Internal server error',
+      timestamp: Time.now.iso8601,
+      request_id: env['HTTP_X_REQUEST_ID'] || SecureRandom.hex(8)
+    }.to_json
+  end
+  
+  private
+  
+  def determine_block_reason
+    reasons = []
+    
+    if ai_rate_limiting&.dig(:blocked)
+      reasons << "rate_limit_exceeded"
+    end
+    
+    if ai_security&.dig(:threat_level) == :high
+      reasons << "high_security_threat"
+    end
+    
+    if ai_classification&.dig(:classification) == :malicious
+      reasons << "malicious_classification"
+    end
+    
+    reasons.join(', ')
+  end
+end
+
+# CLI runner
+if __FILE__ == $0
+  require 'rack'
+  
+  puts "🔒 Secure Microservice with Rack::AI"
+  puts "🛡️  Features: Classification, Security, Rate Limiting, Anomaly Detection, Logging"
+  puts "🔗 Available endpoints:"
+  puts "  GET  /health              - Health check (AI processing bypassed)"
+  puts "  GET  /status              - Service and AI status"
+  puts "  POST /auth/login          - User authentication with anomaly detection"
+  puts "  POST /data/process        - Data processing with injection detection"
+  puts "  GET  /analytics/requests  - Request analytics and security metrics"
+  puts "  POST /upload              - File upload with security scanning"
+  puts ""
+  puts "🔧 Configuration:"
+  puts "  - Set OPENAI_API_KEY for full AI functionality"
+  puts "  - Aggressive security settings for microservice protection"
+  puts "  - Real-time threat detection and blocking"
+  puts ""
+  puts "🧪 Testing commands:"
+  puts "  curl http://localhost:4567/health"
+  puts "  curl http://localhost:4567/status"
+  puts "  curl -X POST http://localhost:4567/auth/login -d '{\"username\":\"test\",\"password\":\"password123\"}' -H 'Content-Type: application/json'"
+  puts "  curl -X POST http://localhost:4567/data/process -d '[{\"id\":1,\"data\":\"test\"}]' -H 'Content-Type: application/json'"
+  puts ""
+  
+  Rack::Handler::WEBrick.run(SecureMicroservice, Port: 4567, Host: '0.0.0.0')
+end

data/lib/rack/ai/configuration.rb

@@ -16,8 +16,8 @@ module Rack
       setting :timeout, default: 30
       setting :retries, default: 3
 
-      # Feature toggles
-      setting :features, default: [:classification, :moderation]
+      # Features
+      setting :features, default: [:classification, :security]
       setting :fail_safe, default: true
       setting :async_processing, default: true
 
@@ -55,6 +55,24 @@ module Rack
         setting :redis_url, default: "redis://localhost:6379"
       end
 
+      # Rate limiting configuration
+      setting :rate_limiting do
+        setting :window_size, default: 3600 # 1 hour in seconds
+        setting :max_requests, default: 1000 # max requests per window
+        setting :block_duration, default: 3600 # block duration in seconds
+        setting :cleanup_interval, default: 300 # cleanup old entries every 5 minutes
+      end
+
+      # Anomaly detection configuration
+      setting :anomaly_detection do
+        setting :sensitivity, default: 0.8 # Detection sensitivity (0-1)
+        setting :baseline_window, default: 86400 # 24 hours for baseline calculation
+        setting :min_requests_for_baseline, default: 100
+        setting :risk_threshold_monitor, default: 20
+        setting :risk_threshold_challenge, default: 50
+        setting :risk_threshold_block, default: 80
+      end
+
       setting :routing do
         setting :smart_routing_enabled, default: true
         setting :suspicious_route, default: "/captcha"
@@ -88,47 +106,40 @@ module Rack
         @metrics_enabled = true
         @explain_decisions = false
         
-        # Initialize nested configurations
-        @classification = OpenStruct.new(
+        # Nested configuration objects with OpenStruct-like behavior
+      end
+
+      def classification
+        @classification ||= OpenStruct.new(
           confidence_threshold: 0.8,
           categories: [:spam, :bot, :human, :suspicious]
         )
-        
-        @moderation = OpenStruct.new(
+      end
+
+      def moderation
+        @moderation ||= OpenStruct.new(
           toxicity_threshold: 0.7,
           check_response: false,
           block_on_violation: true
         )
-        
-        @caching = OpenStruct.new(
+      end
+
+      def caching
+        @caching ||= OpenStruct.new(
           predictive_enabled: true,
           prefetch_threshold: 0.9,
           redis_url: "redis://localhost:6379"
         )
-        
-        @routing = OpenStruct.new(
+      end
+
+      def routing
+        @routing ||= OpenStruct.new(
           smart_routing_enabled: true,
           suspicious_route: "/captcha",
           bot_route: "/api/bot"
         )
       end
 
-      def classification
-        @classification
-      end
-
-      def moderation
-        @moderation
-      end
-
-      def caching
-        @caching
-      end
-
-      def routing
-        @routing
-      end
-
       # For compatibility with middleware
       def config
         self
@@ -169,11 +180,11 @@ module Rack
 
       def to_h
         {
-          provider: @provider,
-          api_key: @api_key,
-          api_url: @api_url,
-          timeout: @timeout,
-          retries: @retries,
+          provider: provider,
+          api_key: api_key,
+          api_url: api_url,
+          timeout: timeout,
+          retries: retries,
           features: @features,
           fail_safe: @fail_safe,
           async_processing: @async_processing,
@@ -196,11 +207,11 @@ module Rack
 
       def provider_config
         {
-          provider: @provider,
-          api_key: @api_key,
-          api_url: @api_url,
-          timeout: @timeout,
-          retries: @retries
+          provider: provider,
+          api_key: api_key,
+          api_url: api_url,
+          timeout: timeout,
+          retries: retries
         }
       end
     end