slimer 0.1.1

data/lib/slimer/web/action.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+module Slimer
+  # Everything needed for handling an HTTP request
+  # Borrowed from Sidekiq:
+  #   https://github.com/mperham/sidekiq/blob/master/lib/sidekiq/web/action.rb
+  class WebAction
+    RACK_SESSION = "rack.session"
+
+    attr_accessor :env, :block, :type
+
+    def settings
+      Web.settings
+    end
+
+    def request
+      @request ||= ::Rack::Request.new(env)
+    end
+
+    def halt(res)
+      throw :halt, res
+    end
+
+    def redirect(location)
+      throw :halt, [302, { "Location" => "#{request.base_url}#{location}" }, []]
+    end
+
+    def forbidden
+      throw :halt, [403, { "Content-Type" => "text/plain" }, ["Forbidden"]]
+    end
+
+    def authorized?
+      api_key = route_params.delete(:api_key)
+      return false unless api_key
+
+      # Ensure a connection to the DB has been made and models loaded
+      Slimer.db
+      Slimer::ApiKey.where(token: api_key).count.positive?
+    end
+
+    def params
+      indifferent_hash = Hash.new { |hash, key| hash[key.to_s] if Symbol === key } # rubocop:disable Style/CaseEquality
+
+      indifferent_hash.merge! request.params
+      route_params.each { |k, v| indifferent_hash[k.to_s] = v }
+
+      indifferent_hash
+    end
+
+    def route_params
+      env[WebRouter::ROUTE_PARAMS]
+    end
+
+    def session
+      env[RACK_SESSION]
+    end
+
+    def json(payload)
+      [200, { "Content-Type" => "application/json", "Cache-Control" => "no-cache" }, [JSON.generate(payload)]]
+    end
+
+    def initialize(env, block)
+      @env = env
+      @block = block
+      @files ||= {}
+    end
+  end
+end

data/lib/slimer/web/application.rb

@@ -0,0 +1,119 @@
+# frozen_string_literal: true
+
+module Slimer
+  # Defines routes and responses for the Slimer web app.
+  class WebApplication
+    extend WebRouter
+
+    CONTENT_LENGTH = "Content-Length"
+    REDIS_KEYS = %w[redis_version uptime_in_days connected_clients used_memory_human used_memory_peak_human].freeze
+    CSP_HEADER = [
+      "default-src 'self' https: http:",
+      "child-src 'self'",
+      "connect-src 'self' https: http: wss: ws:",
+      "font-src 'self' https: http:",
+      "frame-src 'self'",
+      "img-src 'self' https: http: data:",
+      "manifest-src 'self'",
+      "media-src 'self'",
+      "object-src 'none'",
+      "script-src 'self' https: http: 'unsafe-inline'",
+      "style-src 'self' https: http: 'unsafe-inline'",
+      "worker-src 'self'",
+      "base-uri 'self'"
+    ].join("; ").freeze
+
+    def initialize(klass)
+      @klass = klass
+    end
+
+    def settings
+      @klass.settings
+    end
+
+    def self.settings
+      Slimer::Web.settings
+    end
+
+    def root_path
+      "#{env["SCRIPT_NAME"]}/"
+    end
+
+    get "/" do
+      json(:ok)
+    end
+
+    get "/status" do
+      json(:ok)
+    end
+
+    get "/:api_key/consume" do
+      forbidden unless authorized?
+
+      Slimer::Substance.consume(params)
+
+      json(:ok)
+    end
+
+    post "/:api_key/consume" do
+      forbidden unless authorized?
+
+      Slimer::Substance.consume(params)
+
+      json(:ok)
+    end
+
+    get "/:api_key/:group/consume" do
+      forbidden unless authorized?
+
+      exclude_keys = ["group"]
+      substance_params = params.select { |k, _v| !exclude_keys.include?(k.to_s) } # rubocop:disable Style/InverseMethods
+      Slimer::Substance.consume(substance_params, group: params["group"])
+
+      json(:ok)
+    end
+
+    post "/:api_key/:group/consume" do
+      forbidden unless authorized?
+
+      exclude_keys = ["group"]
+      substance_params = params.select { |k, _v| !exclude_keys.include?(k.to_s) } # rubocop:disable Style/InverseMethods
+      Slimer::Substance.consume(substance_params, group: params["group"])
+
+      json(:ok)
+    end
+
+    def call(env)
+      action = self.class.match(env)
+      return [404, { "Content-Type" => "text/plain", "X-Cascade" => "pass" }, ["Not Found"]] unless action
+
+      resp = catch(:halt) do
+        action.instance_exec env, &action.block
+      end
+
+      resolve_response(resp)
+    end
+
+    def resolve_response(resp)
+      return resp if resp.is_a?(Array)
+
+      # rendered content goes here
+      headers = {
+        "Content-Type" => "text/html",
+        "Cache-Control" => "no-cache",
+        "Content-Language" => "en",
+        "Content-Security-Policy" => CSP_HEADER
+      }
+      # we'll let Rack calculate Content-Length for us.
+      [200, headers, [resp]]
+    end
+
+    def self.helpers(mod = nil, &block)
+      if block
+        WebAction.class_eval(&block)
+      else
+        WebAction.send(:include, mod)
+      end
+    end
+  end
+end

data/lib/slimer/web/csfr_protection.rb

@@ -0,0 +1,156 @@
+# frozen_string_literal: true
+
+# this file originally based on authenticity_token.rb from the sinatra/rack-protection project
+#
+# The MIT License (MIT)
+#
+# Copyright (c) 2011-2017 Konstantin Haase
+# Copyright (c) 2015-2017 Zachary Scott
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# 'Software'), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+# IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+# CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+# TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+require "securerandom"
+require "base64"
+require "rack/request"
+
+module Slimer
+  class Web
+    class CsrfProtection
+      def initialize(app, options = nil)
+        @app = app
+      end
+
+      def call(env)
+        accept?(env) ? admit(env) : deny(env)
+      end
+
+      private
+
+      def admit(env)
+        # On each successful request, we create a fresh masked token
+        # which will be used in any forms rendered for this request.
+        s = session(env)
+        s[:csrf] ||= SecureRandom.base64(TOKEN_LENGTH)
+        env[:csrf_token] = mask_token(s[:csrf])
+        @app.call(env)
+      end
+
+      def safe?(env)
+        %w[GET HEAD OPTIONS TRACE].include? env["REQUEST_METHOD"]
+      end
+
+      def logger(env)
+        @logger ||= (env["rack.logger"] || ::Logger.new(env["rack.errors"]))
+      end
+
+      def deny(env)
+        logger(env).warn "attack prevented by #{self.class}"
+        [403, {"Content-Type" => "text/plain"}, ["Forbidden"]]
+      end
+
+      def session(env)
+        env["rack.session"] || fail("you need to set up a session middleware *before* #{self.class}")
+      end
+
+      def accept?(env)
+        return true if safe?(env)
+
+        giventoken = ::Rack::Request.new(env).params["authenticity_token"]
+        valid_token?(env, giventoken)
+      end
+
+      TOKEN_LENGTH = 32
+
+      # Checks that the token given to us as a parameter matches
+      # the token stored in the session.
+      def valid_token?(env, giventoken)
+        return false if giventoken.nil? || giventoken.empty?
+
+        begin
+          token = decode_token(giventoken)
+        rescue ArgumentError # client input is invalid
+          return false
+        end
+
+        sess = session(env)
+        localtoken = sess[:csrf]
+
+        # Checks that Rack::Session::Cookie actualy contains the csrf toekn
+        return false if localtoken.nil?
+
+        # Rotate the session token after every use
+        sess[:csrf] = SecureRandom.base64(TOKEN_LENGTH)
+
+        # See if it's actually a masked token or not. We should be able
+        # to handle any unmasked tokens that we've issued without error.
+
+        if unmasked_token?(token)
+          compare_with_real_token token, localtoken
+        elsif masked_token?(token)
+          unmasked = unmask_token(token)
+          compare_with_real_token unmasked, localtoken
+        else
+          false # Token is malformed
+        end
+      end
+
+      # Creates a masked version of the authenticity token that varies
+      # on each request. The masking is used to mitigate SSL attacks
+      # like BREACH.
+      def mask_token(token)
+        token = decode_token(token)
+        one_time_pad = SecureRandom.random_bytes(token.length)
+        encrypted_token = xor_byte_strings(one_time_pad, token)
+        masked_token = one_time_pad + encrypted_token
+        Base64.strict_encode64(masked_token)
+      end
+
+      # Essentially the inverse of +mask_token+.
+      def unmask_token(masked_token)
+        # Split the token into the one-time pad and the encrypted
+        # value and decrypt it
+        token_length = masked_token.length / 2
+        one_time_pad = masked_token[0...token_length]
+        encrypted_token = masked_token[token_length..-1]
+        xor_byte_strings(one_time_pad, encrypted_token)
+      end
+
+      def unmasked_token?(token)
+        token.length == TOKEN_LENGTH
+      end
+
+      def masked_token?(token)
+        token.length == TOKEN_LENGTH * 2
+      end
+
+      def compare_with_real_token(token, local)
+        ::Rack::Utils.secure_compare(token.to_s, decode_token(local).to_s)
+      end
+
+      def decode_token(token)
+        Base64.strict_decode64(token)
+      end
+
+      def xor_byte_strings(s1, s2)
+        s1.bytes.zip(s2.bytes).map { |(c1, c2)| c1 ^ c2 }.pack("c*")
+      end
+    end
+  end
+end

data/lib/slimer/web/helpers.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module Slimer
+  # @nodoc
+  module WebHelpers
+    def root_path
+      "#{env["SCRIPT_NAME"]}/"
+    end
+
+    def current_path
+      @current_path ||= request.path_info.gsub(%r{^/}, "")
+    end
+  end
+end

data/lib/slimer/web/router.rb

@@ -0,0 +1,105 @@
+# frozen_string_literal: true
+
+require "rack"
+
+module Slimer
+  # A simple Rack router.
+  # Borrowed from Sidekiq:
+  #   https://github.com/mperham/sidekiq/blob/master/lib/sidekiq/web/router.rb
+  module WebRouter
+    GET = "GET"
+    DELETE = "DELETE"
+    POST = "POST"
+    PUT = "PUT"
+    PATCH = "PATCH"
+    HEAD = "HEAD"
+
+    ROUTE_PARAMS = "rack.route_params"
+    REQUEST_METHOD = "REQUEST_METHOD"
+    PATH_INFO = "PATH_INFO"
+
+    def get(path, &block)
+      route(GET, path, &block)
+    end
+
+    def post(path, &block)
+      route(POST, path, &block)
+    end
+
+    def put(path, &block)
+      route(PUT, path, &block)
+    end
+
+    def patch(path, &block)
+      route(PATCH, path, &block)
+    end
+
+    def delete(path, &block)
+      route(DELETE, path, &block)
+    end
+
+    def route(method, path, &block)
+      @routes ||= { GET => [], POST => [], PUT => [], PATCH => [], DELETE => [], HEAD => [] }
+
+      @routes[method] << WebRoute.new(method, path, block)
+      @routes[HEAD] << WebRoute.new(method, path, block) if method == GET
+    end
+
+    def match(env)
+      request_method = env[REQUEST_METHOD]
+      path_info = ::Rack::Utils.unescape env[PATH_INFO]
+
+      # There are servers which send an empty string when requesting the root.
+      # These servers should be ashamed of themselves.
+      path_info = "/" if path_info == ""
+
+      @routes[request_method].each do |route|
+        params = route.match(request_method, path_info)
+        next unless params
+
+        env[ROUTE_PARAMS] = params
+
+        return WebAction.new(env, route.block)
+      end
+
+      nil
+    end
+  end
+
+  # @abstract A simple Rack request extractor and matcher
+  class WebRoute
+    attr_accessor :request_method, :pattern, :block, :name
+
+    NAMED_SEGMENTS_PATTERN = %r{/([^/]*):([^.:$/]+)}.freeze
+
+    def initialize(request_method, pattern, block)
+      @request_method = request_method
+      @pattern = pattern
+      @block = block
+    end
+
+    def matcher
+      @matcher ||= compile
+    end
+
+    def compile
+      if pattern.match?(NAMED_SEGMENTS_PATTERN)
+        p = pattern.gsub(NAMED_SEGMENTS_PATTERN, '/\1(?<\2>[^$/]+)')
+
+        Regexp.new("\\A#{p}\\Z")
+      else
+        pattern
+      end
+    end
+
+    def match(_request_method, path)
+      case matcher
+      when String
+        {} if path == matcher
+      else
+        path_match = path.match(matcher)
+        path_match&.named_captures&.transform_keys(&:to_sym)
+      end
+    end
+  end
+end