rack-ai 0.2.0 → 0.4.0

data/examples/sinatra_microservice.rb

@@ -0,0 +1,431 @@
+# frozen_string_literal: true
+
+# Sinatra Microservice Example with Rack::AI
+# This example demonstrates how to build a secure microservice using Sinatra and Rack::AI
+# with comprehensive AI-powered security, monitoring, and optimization features.
+
+require 'sinatra/base'
+require 'json'
+require 'rack/ai'
+
+class SecureMicroservice < Sinatra::Base
+  # Configure Rack::AI middleware with security-focused settings
+  use Rack::AI::Middleware,
+    provider: :openai,
+    api_key: ENV['OPENAI_API_KEY'] || 'demo-key',
+    features: [:classification, :security, :rate_limiting, :anomaly_detection, :logging],
+    fail_safe: true,
+    async_processing: false, # Synchronous for microservice reliability
+    sanitize_logs: true,
+    explain_decisions: true,
+    
+    # Strict security settings for microservice
+    classification: {
+      confidence_threshold: 0.7,
+      categories: [:human, :bot, :spam, :suspicious, :malicious]
+    },
+    
+    security: {
+      injection_detection: true,
+      anomaly_threshold: 0.6,
+      block_suspicious: true
+    },
+    
+    # Aggressive rate limiting for API protection
+    rate_limiting: {
+      window_size: 300, # 5 minutes
+      max_requests: 100,
+      block_duration: 900, # 15 minutes
+      cleanup_interval: 60
+    },
+    
+    # Sensitive anomaly detection
+    anomaly_detection: {
+      baseline_window: 3600, # 1 hour
+      anomaly_threshold: 1.5, # Lower threshold for microservice
+      min_requests: 5,
+      learning_rate: 0.2
+    }
+
+  # Enable JSON parsing
+  set :protection, except: [:json_csrf]
+  
+  # Helper methods for AI analysis
+  helpers do
+    def ai_results
+      @ai_results ||= request.env['rack.ai']
+    end
+    
+    def ai_classification
+      ai_results&.dig(:results, :classification)
+    end
+    
+    def ai_security
+      ai_results&.dig(:results, :security)
+    end
+    
+    def ai_rate_limiting
+      ai_results&.dig(:results, :rate_limiting)
+    end
+    
+    def ai_anomaly
+      ai_results&.dig(:results, :anomaly_detection)
+    end
+    
+    def request_blocked?
+      ai_rate_limiting&.dig(:blocked) || 
+      ai_security&.dig(:threat_level) == :high ||
+      ai_classification&.dig(:classification) == :malicious
+    end
+    
+    def suspicious_request?
+      ai_classification&.dig(:classification) == :suspicious ||
+      ai_security&.dig(:threat_level) == :medium ||
+      ai_anomaly&.dig(:risk_score)&.> 0.7
+    end
+    
+    def log_request_analysis
+      return unless ai_results
+      
+      logger.info "AI Analysis: #{ai_results[:results].keys.join(', ')}"
+      
+      if request_blocked?
+        logger.warn "Request blocked: #{request.path_info}"
+      elsif suspicious_request?
+        logger.warn "Suspicious request: #{request.path_info}"
+      end
+    end
+    
+    def security_headers
+      {
+        'X-AI-Classification' => ai_classification&.dig(:classification)&.to_s,
+        'X-AI-Security-Level' => ai_security&.dig(:threat_level)&.to_s,
+        'X-AI-Risk-Score' => ai_anomaly&.dig(:risk_score)&.to_s,
+        'X-Content-Type-Options' => 'nosniff',
+        'X-Frame-Options' => 'DENY',
+        'X-XSS-Protection' => '1; mode=block'
+      }.compact
+    end
+  end
+  
+  # Before filter for security checks
+  before do
+    content_type :json
+    log_request_analysis
+    
+    # Block malicious requests immediately
+    if request_blocked?
+      halt 403, security_headers, {
+        error: 'Request blocked by AI security system',
+        reason: determine_block_reason,
+        timestamp: Time.now.iso8601
+      }.to_json
+    end
+    
+    # Add security headers to all responses
+    headers security_headers
+  end
+  
+  # Health check endpoint (bypasses AI processing)
+  get '/health' do
+    {
+      status: 'healthy',
+      service: 'secure-microservice',
+      timestamp: Time.now.iso8601,
+      ai_middleware: ai_results ? 'active' : 'inactive'
+    }.to_json
+  end
+  
+  # Service status with AI metrics
+  get '/status' do
+    {
+      service: {
+        name: 'secure-microservice',
+        version: '1.0.0',
+        uptime: Process.clock_gettime(Process::CLOCK_MONOTONIC),
+        status: 'operational'
+      },
+      ai: {
+        active: ai_results.present?,
+        provider: ai_results&.dig(:provider),
+        features: ai_results&.dig(:results)&.keys || [],
+        processing_time: ai_results&.dig(:processing_time),
+        classification: ai_classification,
+        security_level: ai_security&.dig(:threat_level),
+        rate_limit_status: ai_rate_limiting,
+        anomaly_score: ai_anomaly&.dig(:risk_score)
+      },
+      timestamp: Time.now.iso8601
+    }.to_json
+  end
+  
+  # User authentication endpoint
+  post '/auth/login' do
+    request.body.rewind
+    data = JSON.parse(request.body.read) rescue {}
+    
+    # AI analysis helps detect credential stuffing attacks
+    if ai_anomaly&.dig(:risk_score)&.> 0.8
+      logger.warn "Potential credential stuffing attack detected"
+      
+      halt 429, {
+        error: 'Too many authentication attempts',
+        retry_after: 300,
+        timestamp: Time.now.iso8601
+      }.to_json
+    end
+    
+    # Simulate authentication logic
+    username = data['username']
+    password = data['password']
+    
+    if username && password && username.length > 3 && password.length > 6
+      token = "secure_token_#{Time.now.to_i}_#{rand(1000)}"
+      
+      {
+        success: true,
+        token: token,
+        expires_at: (Time.now + 3600).iso8601,
+        security_analysis: {
+          classification: ai_classification&.dig(:classification),
+          risk_score: ai_anomaly&.dig(:risk_score) || 0.0
+        }
+      }.to_json
+    else
+      halt 400, {
+        error: 'Invalid credentials format',
+        requirements: {
+          username: 'minimum 4 characters',
+          password: 'minimum 7 characters'
+        }
+      }.to_json
+    end
+  end
+  
+  # Data processing endpoint with content validation
+  post '/data/process' do
+    request.body.rewind
+    raw_data = request.body.read
+    
+    # Check for suspicious content patterns
+    if ai_security&.dig(:injection_detection, :sql_injection_detected)
+      logger.error "SQL injection attempt detected"
+      halt 400, {
+        error: 'Malicious content detected',
+        type: 'sql_injection',
+        timestamp: Time.now.iso8601
+      }.to_json
+    end
+    
+    if ai_security&.dig(:injection_detection, :xss_detected)
+      logger.error "XSS attempt detected"
+      halt 400, {
+        error: 'Malicious content detected',
+        type: 'xss_injection',
+        timestamp: Time.now.iso8601
+      }.to_json
+    end
+    
+    begin
+      data = JSON.parse(raw_data)
+    rescue JSON::ParserError
+      halt 400, {
+        error: 'Invalid JSON format',
+        timestamp: Time.now.iso8601
+      }.to_json
+    end
+    
+    # Process data (simulation)
+    processed_data = {
+      original_size: raw_data.bytesize,
+      processed_at: Time.now.iso8601,
+      items_count: data.is_a?(Array) ? data.length : 1,
+      security_scan: {
+        threats_detected: ai_security&.dig(:injection_detection, :threats) || [],
+        risk_level: ai_security&.dig(:threat_level) || :low,
+        classification: ai_classification&.dig(:classification) || :unknown
+      }
+    }
+    
+    {
+      success: true,
+      result: processed_data,
+      ai_analysis: {
+        processing_safe: ai_security&.dig(:threat_level) != :high,
+        confidence: ai_classification&.dig(:confidence) || 0.0
+      }
+    }.to_json
+  end
+  
+  # Analytics endpoint with anomaly detection
+  get '/analytics/requests' do
+    # Simulate analytics data
+    analytics = {
+      total_requests: 1250,
+      requests_by_classification: {
+        human: 1000,
+        bot: 150,
+        suspicious: 80,
+        spam: 15,
+        malicious: 5
+      },
+      security_events: {
+        blocked_requests: 25,
+        sql_injection_attempts: 8,
+        xss_attempts: 12,
+        rate_limit_violations: 45
+      },
+      anomaly_detection: {
+        anomalies_detected: 18,
+        current_baseline: ai_anomaly&.dig(:baseline_metrics) || {},
+        risk_distribution: {
+          low: 1180,
+          medium: 55,
+          high: 15
+        }
+      },
+      performance: {
+        avg_response_time: 125,
+        ai_processing_time: ai_results&.dig(:processing_time) || 0,
+        cache_hit_rate: 0.72
+      },
+      timestamp: Time.now.iso8601
+    }
+    
+    # Add current request analysis
+    if ai_results
+      analytics[:current_request] = {
+        classification: ai_classification,
+        security: ai_security,
+        anomaly_score: ai_anomaly&.dig(:risk_score)
+      }
+    end
+    
+    analytics.to_json
+  end
+  
+  # File upload endpoint with security scanning
+  post '/upload' do
+    unless params[:file] && params[:file][:tempfile]
+      halt 400, {
+        error: 'No file provided',
+        timestamp: Time.now.iso8601
+      }.to_json
+    end
+    
+    file = params[:file]
+    filename = file[:filename]
+    content = file[:tempfile].read
+    
+    # AI-powered content analysis
+    suspicious_patterns = []
+    
+    if content.include?('<script')
+      suspicious_patterns << 'javascript_code'
+    end
+    
+    if content.match?(/\b(SELECT|INSERT|UPDATE|DELETE|DROP)\b/i)
+      suspicious_patterns << 'sql_statements'
+    end
+    
+    if ai_security&.dig(:threat_level) == :high
+      logger.error "High-risk file upload blocked: #{filename}"
+      halt 403, {
+        error: 'File upload blocked by security system',
+        filename: filename,
+        threats: ai_security[:injection_detection][:threats],
+        timestamp: Time.now.iso8601
+      }.to_json
+    end
+    
+    # Simulate file processing
+    file_info = {
+      filename: filename,
+      size: content.bytesize,
+      content_type: file[:type],
+      uploaded_at: Time.now.iso8601,
+      security_scan: {
+        suspicious_patterns: suspicious_patterns,
+        threat_level: ai_security&.dig(:threat_level) || :low,
+        safe_to_process: suspicious_patterns.empty? && ai_security&.dig(:threat_level) != :high
+      },
+      ai_classification: ai_classification&.dig(:classification)
+    }
+    
+    {
+      success: true,
+      file: file_info,
+      message: suspicious_patterns.empty? ? 'File uploaded successfully' : 'File uploaded with warnings'
+    }.to_json
+  end
+  
+  # Error handlers
+  error 404 do
+    {
+      error: 'Endpoint not found',
+      path: request.path_info,
+      method: request.request_method,
+      timestamp: Time.now.iso8601,
+      ai_classification: ai_classification&.dig(:classification)
+    }.to_json
+  end
+  
+  error 500 do
+    logger.error "Internal server error: #{env['sinatra.error']}"
+    
+    {
+      error: 'Internal server error',
+      timestamp: Time.now.iso8601,
+      request_id: env['HTTP_X_REQUEST_ID'] || SecureRandom.hex(8)
+    }.to_json
+  end
+  
+  private
+  
+  def determine_block_reason
+    reasons = []
+    
+    if ai_rate_limiting&.dig(:blocked)
+      reasons << "rate_limit_exceeded"
+    end
+    
+    if ai_security&.dig(:threat_level) == :high
+      reasons << "high_security_threat"
+    end
+    
+    if ai_classification&.dig(:classification) == :malicious
+      reasons << "malicious_classification"
+    end
+    
+    reasons.join(', ')
+  end
+end
+
+# CLI runner
+if __FILE__ == $0
+  require 'rack'
+  
+  puts "🔒 Secure Microservice with Rack::AI"
+  puts "🛡️  Features: Classification, Security, Rate Limiting, Anomaly Detection, Logging"
+  puts "🔗 Available endpoints:"
+  puts "  GET  /health              - Health check (AI processing bypassed)"
+  puts "  GET  /status              - Service and AI status"
+  puts "  POST /auth/login          - User authentication with anomaly detection"
+  puts "  POST /data/process        - Data processing with injection detection"
+  puts "  GET  /analytics/requests  - Request analytics and security metrics"
+  puts "  POST /upload              - File upload with security scanning"
+  puts ""
+  puts "🔧 Configuration:"
+  puts "  - Set OPENAI_API_KEY for full AI functionality"
+  puts "  - Aggressive security settings for microservice protection"
+  puts "  - Real-time threat detection and blocking"
+  puts ""
+  puts "🧪 Testing commands:"
+  puts "  curl http://localhost:4567/health"
+  puts "  curl http://localhost:4567/status"
+  puts "  curl -X POST http://localhost:4567/auth/login -d '{\"username\":\"test\",\"password\":\"password123\"}' -H 'Content-Type: application/json'"
+  puts "  curl -X POST http://localhost:4567/data/process -d '[{\"id\":1,\"data\":\"test\"}]' -H 'Content-Type: application/json'"
+  puts ""
+  
+  Rack::Handler::WEBrick.run(SecureMicroservice, Port: 4567, Host: '0.0.0.0')
+end

data/lib/rack/ai/configuration.rb

@@ -1,7 +1,8 @@
 # frozen_string_literal: true
 
-require "dry/configurable"
-require "dry/validation"
+require "dry-configurable"
+require "dry-validation"
+require "ostruct"
 
 module Rack
   module AI
@@ -105,45 +106,38 @@ module Rack
         @metrics_enabled = true
         @explain_decisions = false
         
-        # Initialize nested configurations
-        @classification = {
-          confidence_threshold: 0.8,
-          categories: [:spam, :bot, :human, :suspicious]
-        }
-        
-        @moderation = {
-          toxicity_threshold: 0.7,
-          check_response: false,
-          block_on_violation: true
-        }
-        
-        @caching = {
-          predictive_enabled: true,
-          prefetch_threshold: 0.9,
-          redis_url: "redis://localhost:6379"
-        }
-        
-        @routing = {
-          smart_routing_enabled: true,
-          suspicious_route: "/captcha",
-          bot_route: "/api/bot"
-        }
+        # Nested configuration objects with OpenStruct-like behavior
       end
 
       def classification
-        @classification
+        @classification ||= OpenStruct.new(
+          confidence_threshold: 0.8,
+          categories: [:spam, :bot, :human, :suspicious]
+        )
       end
 
       def moderation
-        @moderation
+        @moderation ||= OpenStruct.new(
+          toxicity_threshold: 0.7,
+          check_response: false,
+          block_on_violation: true
+        )
       end
 
       def caching
-        @caching
+        @caching ||= OpenStruct.new(
+          predictive_enabled: true,
+          prefetch_threshold: 0.9,
+          redis_url: "redis://localhost:6379"
+        )
       end
 
       def routing
-        @routing
+        @routing ||= OpenStruct.new(
+          smart_routing_enabled: true,
+          suspicious_route: "/captcha",
+          bot_route: "/api/bot"
+        )
       end
 
       # For compatibility with middleware
@@ -186,11 +180,11 @@ module Rack
 
       def to_h
         {
-          provider: @provider,
-          api_key: @api_key,
-          api_url: @api_url,
-          timeout: @timeout,
-          retries: @retries,
+          provider: provider,
+          api_key: api_key,
+          api_url: api_url,
+          timeout: timeout,
+          retries: retries,
           features: @features,
           fail_safe: @fail_safe,
           async_processing: @async_processing,
@@ -212,16 +206,13 @@ module Rack
       end
 
       def provider_config
-        case @provider
-        when :openai
-          { api_key: @api_key, api_url: @api_url, timeout: @timeout, retries: @retries }
-        when :huggingface
-          { api_key: @api_key, api_url: @api_url, timeout: @timeout, retries: @retries }
-        when :local
-          { api_url: @api_url, timeout: @timeout, retries: @retries }
-        else
-          {}
-        end
+        {
+          provider: provider,
+          api_key: api_key,
+          api_url: api_url,
+          timeout: timeout,
+          retries: retries
+        }
       end
     end
   end

data/lib/rack/ai/features/classification.rb

@@ -48,9 +48,9 @@ module Rack
           when :spam
             :block
           when :suspicious
-            @config.routing.smart_routing_enabled ? :route : :allow
+            smart_routing_enabled? ? :route : :allow
           when :bot
-            @config.routing.smart_routing_enabled ? :route : :allow
+            smart_routing_enabled? ? :route : :allow
           when :human
             :allow
           else
@@ -58,6 +58,12 @@ module Rack
           end
         end
 
+        def smart_routing_enabled?
+          @config.respond_to?(:routing) && 
+            @config.routing.respond_to?(:smart_routing_enabled) && 
+            @config.routing.smart_routing_enabled
+        end
+
         def generate_request_id(env)
           "#{Time.now.to_i}-#{env.object_id}"
         end

data/lib/rack/ai/features/moderation.rb

@@ -17,7 +17,9 @@ module Rack
         end
 
         def process_response?
-          @config.moderation.check_response
+          @config.respond_to?(:moderation) && 
+            @config.moderation.respond_to?(:check_response) && 
+            @config.moderation.check_response
         end
 
         def process_request(env)
@@ -27,11 +29,11 @@ module Rack
           result = @provider.moderate_content(content.join(" "))
           
           # Apply toxicity threshold
-          threshold = @config.moderation.toxicity_threshold
+          threshold = get_toxicity_threshold
           max_score = result[:category_scores]&.values&.max || 0.0
           
           result[:action] = if result[:flagged] && max_score > threshold
-                             @config.moderation.block_on_violation ? :block : :flag
+                             should_block_on_violation? ? :block : :flag
                            else
                              :allow
                            end
@@ -87,6 +89,18 @@ module Rack
           content.compact.reject(&:empty?)
         end
 
+        def get_toxicity_threshold
+          return 0.7 unless @config.respond_to?(:moderation)
+          return 0.7 unless @config.moderation.respond_to?(:toxicity_threshold)
+          @config.moderation.toxicity_threshold
+        end
+
+        def should_block_on_violation?
+          return true unless @config.respond_to?(:moderation)
+          return true unless @config.moderation.respond_to?(:block_on_violation)
+          @config.moderation.block_on_violation
+        end
+
         def extract_content_from_response(body)
           return "" unless body.respond_to?(:each)