rustio-admin 0.19.0

Django Admin, but for Rust. A small, focused admin framework.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166

//! Per-request correlation identifier.
//!
//! Doctrine 8: audit logs must be forensically useful. Every audit
//! row written under a single HTTP request shares one `correlation_id`
//! so a future `/admin/history/<id>` page can reconstruct the chain
//! ("admin reset password → all sessions revoked → security email
//! dispatched"). The id is also returned to clients in the
//! `x-correlation-id` response header so external consumers (proxy
//! logs, browser dev tools, support tickets) can pivot through the
//! same trail.
//!
//! ## Placement in the middleware chain
//!
//! This middleware **must** sit before [`csrf_protect`](super::csrf_protect)
//! so that even rejected requests (403 from CSRF, 429 from rate-limit)
//! are emitted with a correlation id. That is intentional: every
//! reasonable observability story for an admin panel needs the
//! "request 7f… was blocked by CSRF" trace, not just successful
//! requests.
//!
//! Recommended ordering inside `Router::middleware`:
//!
//! ```ignore
//! Router::new()
//!     .middleware(middleware::logger)
//!     .middleware(middleware::correlation_id)   // ← before csrf_protect
//!     .middleware(middleware::security_headers)
//!     .middleware(middleware::csrf_protect)
//! ```
//!
//! ## Reading the id from a handler
//!
//! ```ignore
//! use rustio_admin::middleware::CorrelationId;
//!
//! let cid = req.ctx().get::<CorrelationId>().map(|c| c.0.as_str());
//! ```

use uuid::Uuid;

use crate::error::Result;
use crate::http::{Request, Response};
use crate::router::Next;

// public:
/// Response + request header name. Lower-case to keep parity with the
/// HTTP/2 wire format and to match what other observability tooling
/// (OpenTelemetry, Cloudflare, etc.) writes.
pub const CORRELATION_ID_HEADER: &str = "x-correlation-id";

// public:
/// Wrapper carried in the request context so handlers can pull it
/// out via `req.ctx().get::<CorrelationId>()`. The inner string is
/// the UUID rendered in hyphenated lowercase form.
#[derive(Debug, Clone)]
pub struct CorrelationId(pub String);

impl CorrelationId {
    // public:
    /// Borrow the underlying id string.
    pub fn as_str(&self) -> &str {
        &self.0
    }
}

// public:
/// Middleware: attach a UUID v7 to every request, surface it in the
/// response, and stash it in the request context for the audit
/// pipeline to pick up.
///
/// Honours an inbound `x-correlation-id` header so a proxy or test
/// harness can pin the id from outside. Only accepts values that
/// look like a UUID (rough sanity: between 16 and 64 chars, no
/// whitespace, no control bytes); anything else is replaced with a
/// fresh UUID v7 so a malicious sender can't poison the audit trail
/// with adversarial strings.
pub async fn correlation_id(mut req: Request, next: Next) -> Result<Response> {
    let id = inbound_id_or_fresh(req.header(CORRELATION_ID_HEADER));
    req.ctx_mut().insert(CorrelationId(id.clone()));
    let mut resp = next.run(req).await?;
    resp = resp.with_header(CORRELATION_ID_HEADER, id);
    Ok(resp)
}

/// Either trust an inbound id (when it looks safe) or mint a fresh
/// time-sortable UUID v7. Pulled out for unit testing.
fn inbound_id_or_fresh(header: Option<&str>) -> String {
    if let Some(raw) = header {
        let trimmed = raw.trim();
        if looks_like_id(trimmed) {
            return trimmed.to_string();
        }
    }
    Uuid::now_v7().hyphenated().to_string()
}

fn looks_like_id(s: &str) -> bool {
    if s.is_empty() || s.len() > 64 || s.len() < 16 {
        return false;
    }
    s.chars()
        .all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '_')
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn fresh_id_is_uuid_v7_shape() {
        let id = inbound_id_or_fresh(None);
        // 36 chars, hyphenated, version 7.
        assert_eq!(id.len(), 36);
        let uuid = Uuid::parse_str(&id).expect("valid uuid");
        assert_eq!(uuid.get_version(), Some(uuid::Version::SortRand));
    }

    #[test]
    fn inbound_safe_value_is_kept() {
        // A reasonable-looking inbound id passes through.
        let inbound = "01910e4f-4b0a-7e62-8d87-1e7a09c3b1aa";
        let out = inbound_id_or_fresh(Some(inbound));
        assert_eq!(out, inbound);
    }

    #[test]
    fn inbound_with_whitespace_is_trimmed() {
        let inbound = "  01910e4f-4b0a-7e62-8d87-1e7a09c3b1aa  ";
        let out = inbound_id_or_fresh(Some(inbound));
        assert_eq!(out, inbound.trim());
    }

    #[test]
    fn inbound_too_short_is_replaced() {
        let out = inbound_id_or_fresh(Some("short"));
        assert_ne!(out, "short");
        assert!(Uuid::parse_str(&out).is_ok());
    }

    #[test]
    fn inbound_too_long_is_replaced() {
        let evil = "x".repeat(200);
        let out = inbound_id_or_fresh(Some(&evil));
        assert_ne!(out, evil);
    }

    #[test]
    fn inbound_with_control_chars_is_replaced() {
        // Spaces, newlines, ANSI escapes — any are rejected.
        for evil in [
            "abc def 1234567890",
            "abc\ndef-1234567890",
            "\x1b[31mevil\x1b[0m-1234",
        ] {
            let out = inbound_id_or_fresh(Some(evil));
            assert_ne!(out, evil, "header {evil:?} should have been replaced");
        }
    }

    #[test]
    fn fresh_ids_are_unique() {
        // Two fresh ids back-to-back must differ — ensures the v7
        // mint isn't returning a stale singleton.
        assert_ne!(inbound_id_or_fresh(None), inbound_id_or_fresh(None));
    }
}