durable-streams-server 0.3.0

Durable Streams protocol server in Rust, built with axum and tokio
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271

mod common;

use common::{spawn_test_server, spawn_test_server_with_config, test_client, unique_stream_name};
use durable_streams_server::config::{Config, ForwardedHeadersMode, ProxyIdentityMode};

/// Extract the `Location` header from a PUT response.
///
/// The PUT handler builds the Location URL using `x-forwarded-host` and
/// `x-forwarded-proto` if present — giving us an observable side-effect
/// for testing whether the proxy trust middleware strips or passes them.
async fn put_and_get_location(base_url: &str, headers: Vec<(&str, &str)>) -> String {
    let client = test_client();
    let stream_name = unique_stream_name();
    let url = format!("{base_url}/v1/stream/{stream_name}");

    let mut req = client.put(&url).header("content-type", "text/plain");
    for (key, value) in headers {
        req = req.header(key, value);
    }
    let resp = req.send().await.expect("PUT request failed");

    assert_eq!(resp.status(), 201, "expected 201 Created");
    resp.headers()
        .get("location")
        .expect("missing Location header")
        .to_str()
        .expect("non-UTF-8 Location")
        .to_string()
}

// ── Forwarded headers stripped when proxy disabled (default) ───────

#[tokio::test]
async fn forwarded_headers_stripped_when_proxy_disabled() {
    // Default config: proxy.enabled = false
    let (base_url, _) = spawn_test_server().await;

    let location = put_and_get_location(
        &base_url,
        vec![
            ("x-forwarded-host", "evil.example.com"),
            ("x-forwarded-proto", "https"),
            ("host", "localhost"),
        ],
    )
    .await;

    assert!(
        !location.contains("evil.example.com"),
        "x-forwarded-host should be stripped when proxy is disabled, but Location was: {location}"
    );
    assert!(
        location.starts_with("http://"),
        "x-forwarded-proto should be stripped (no https), but Location was: {location}"
    );
}

// ── Forwarded headers accepted from trusted peer ──────────────────

#[tokio::test]
async fn forwarded_headers_accepted_from_trusted_peer() {
    let mut config = Config::default();
    config.proxy.enabled = true;
    config.proxy.forwarded_headers = ForwardedHeadersMode::XForwarded;
    config.proxy.trusted_proxies = vec!["127.0.0.1".to_string()];

    let (base_url, _) = spawn_test_server_with_config(config).await;

    let location = put_and_get_location(
        &base_url,
        vec![
            ("x-forwarded-host", "proxy.example.com"),
            ("x-forwarded-proto", "https"),
        ],
    )
    .await;

    assert!(
        location.contains("proxy.example.com"),
        "x-forwarded-host should be passed from trusted peer, but Location was: {location}"
    );
    assert!(
        location.starts_with("https://"),
        "x-forwarded-proto should be passed from trusted peer, but Location was: {location}"
    );
}

// ── Forwarded headers stripped from untrusted peer ────────────────

#[tokio::test]
async fn forwarded_headers_stripped_from_untrusted_peer() {
    let mut config = Config::default();
    config.proxy.enabled = true;
    config.proxy.forwarded_headers = ForwardedHeadersMode::XForwarded;
    // Only trust 10.0.0.1 — test client connects from 127.0.0.1
    config.proxy.trusted_proxies = vec!["10.0.0.1".to_string()];

    let (base_url, _) = spawn_test_server_with_config(config).await;

    let location = put_and_get_location(
        &base_url,
        vec![
            ("x-forwarded-host", "evil.example.com"),
            ("x-forwarded-proto", "https"),
        ],
    )
    .await;

    assert!(
        !location.contains("evil.example.com"),
        "x-forwarded-host should be stripped from untrusted peer, but Location was: {location}"
    );
    assert!(
        location.starts_with("http://"),
        "x-forwarded-proto should be stripped from untrusted peer, but Location was: {location}"
    );
}

// ── RFC Forwarded header stripped when mode is XForwarded ──────────

#[tokio::test]
async fn rfc_forwarded_stripped_when_mode_is_xforwarded() {
    let mut config = Config::default();
    config.proxy.enabled = true;
    config.proxy.forwarded_headers = ForwardedHeadersMode::XForwarded;
    config.proxy.trusted_proxies = vec!["127.0.0.1".to_string()];

    let (base_url, _) = spawn_test_server_with_config(config).await;

    // Send both header families; only x-forwarded-* should survive.
    let location = put_and_get_location(
        &base_url,
        vec![
            ("x-forwarded-host", "proxy.example.com"),
            ("x-forwarded-proto", "https"),
            ("forwarded", "host=rfc-evil.example.com;proto=https"),
        ],
    )
    .await;

    // x-forwarded-host should be kept (trusted + correct mode).
    assert!(
        location.contains("proxy.example.com"),
        "x-forwarded-host should survive in XForwarded mode, but Location was: {location}"
    );
}

// ── X-Forwarded-* stripped when mode is Forwarded ─────────────────

#[tokio::test]
async fn x_forwarded_stripped_when_mode_is_forwarded() {
    let mut config = Config::default();
    config.proxy.enabled = true;
    config.proxy.forwarded_headers = ForwardedHeadersMode::Forwarded;
    config.proxy.trusted_proxies = vec!["127.0.0.1".to_string()];

    let (base_url, _) = spawn_test_server_with_config(config).await;

    // x-forwarded-* should be stripped even from a trusted peer when
    // mode is Forwarded (only RFC 7239 Forwarded is kept).
    let location = put_and_get_location(
        &base_url,
        vec![
            ("x-forwarded-host", "evil.example.com"),
            ("x-forwarded-proto", "https"),
        ],
    )
    .await;

    assert!(
        !location.contains("evil.example.com"),
        "x-forwarded-host should be stripped in Forwarded mode, but Location was: {location}"
    );
    assert!(
        location.starts_with("http://"),
        "x-forwarded-proto should be stripped in Forwarded mode, but Location was: {location}"
    );
}

#[tokio::test]
async fn forwarded_header_accepted_from_trusted_peer() {
    let mut config = Config::default();
    config.proxy.enabled = true;
    config.proxy.forwarded_headers = ForwardedHeadersMode::Forwarded;
    config.proxy.trusted_proxies = vec!["127.0.0.1".to_string()];

    let (base_url, _) = spawn_test_server_with_config(config).await;

    let location = put_and_get_location(
        &base_url,
        vec![
            (
                "forwarded",
                "for=203.0.113.44;host=proxy.example.com;proto=https",
            ),
            ("x-forwarded-host", "ignored.example.com"),
            ("x-forwarded-proto", "http"),
        ],
    )
    .await;

    assert!(
        location.contains("proxy.example.com"),
        "trusted Forwarded host should be used, but Location was: {location}"
    );
    assert!(
        location.starts_with("https://"),
        "trusted Forwarded proto should be used, but Location was: {location}"
    );
}

// ── Identity header stripped from untrusted peer ──────────────────

#[tokio::test]
async fn identity_header_stripped_from_untrusted_peer() {
    let mut config = Config::default();
    config.proxy.enabled = true;
    config.proxy.forwarded_headers = ForwardedHeadersMode::XForwarded;
    // Trust 10.0.0.1 only; test client connects from 127.0.0.1
    config.proxy.trusted_proxies = vec!["10.0.0.1".to_string()];
    config.proxy.identity.mode = ProxyIdentityMode::Header;
    config.proxy.identity.header_name = Some("x-client-identity".to_string());

    let (base_url, _) = spawn_test_server_with_config(config).await;

    let client = test_client();
    let stream_name = unique_stream_name();

    // The middleware should strip x-client-identity from untrusted peers.
    // The server should still respond normally (the header is just removed).
    let resp = client
        .put(format!("{base_url}/v1/stream/{stream_name}"))
        .header("content-type", "text/plain")
        .header("x-client-identity", "spoofed-user")
        .send()
        .await
        .expect("PUT with identity header failed");

    assert_eq!(
        resp.status(),
        201,
        "server should still respond after stripping identity header"
    );
}

// ── CIDR trust matching ───────────────────────────────────────────

#[tokio::test]
async fn cidr_trust_matching() {
    let mut config = Config::default();
    config.proxy.enabled = true;
    config.proxy.forwarded_headers = ForwardedHeadersMode::XForwarded;
    // 127.0.0.0/8 matches all loopback addresses including 127.0.0.1.
    config.proxy.trusted_proxies = vec!["127.0.0.0/8".to_string()];

    let (base_url, _) = spawn_test_server_with_config(config).await;

    let location = put_and_get_location(
        &base_url,
        vec![
            ("x-forwarded-host", "proxy.example.com"),
            ("x-forwarded-proto", "https"),
        ],
    )
    .await;

    assert!(
        location.contains("proxy.example.com"),
        "CIDR 127.0.0.0/8 should trust 127.0.0.1, but Location was: {location}"
    );
}