tako-rs-plugins 2.0.0

Internal plugin and concrete-middleware implementations for tako-rs. Use the `tako-rs` umbrella crate instead.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183

//! Multi-tenant middleware: extracts a tenant identifier from the request
//! and exposes it to handlers via the [`Tenant`] extension.
//!
//! Strategies:
//!
//! - `Header(name)` — read a fixed header value (default: `X-Tenant-ID`).
//! - `Subdomain` — peel the leading label off the `Host` header
//!   (`acme.example.com` → `acme`).
//! - `PathPrefix(pos)` — pick a positional path segment (`/t/{id}/...`).
//! - `Custom(fn)` — handler-supplied closure for hybrid extraction.
//!
//! When extraction fails, the middleware optionally rejects with `400 Bad
//! Request`. Otherwise the extension is simply absent.

use std::future::Future;
use std::pin::Pin;
use std::sync::Arc;

use http::HeaderName;
use http::StatusCode;
use tako_rs_core::body::TakoBody;
use tako_rs_core::middleware::IntoMiddleware;
use tako_rs_core::middleware::Next;
use tako_rs_core::types::Request;
use tako_rs_core::types::Response;

/// Decoded tenant identifier inserted into request extensions.
#[derive(Debug, Clone)]
pub struct Tenant(pub String);

/// Tenant extraction strategy.
#[derive(Clone)]
pub enum TenantStrategy {
  /// Read a fixed header.
  Header(HeaderName),
  /// First label of the `Host` header.
  Subdomain,
  /// Zero-based path segment index (e.g. `1` selects `acme` in `/t/acme/...`).
  PathPrefix(usize),
  /// Caller-defined closure.
  Custom(TenantCustomFn),
}

/// Closure that extracts a tenant identifier from the request.
pub type TenantCustomFn = Arc<dyn Fn(&Request) -> Option<String> + Send + Sync + 'static>;

/// Multi-tenant middleware.
pub struct TenantMiddleware {
  strategy: TenantStrategy,
  required: bool,
}

impl TenantMiddleware {
  /// Header-based extraction (default header name is `X-Tenant-ID`).
  pub fn from_header(name: HeaderName) -> Self {
    Self {
      strategy: TenantStrategy::Header(name),
      required: false,
    }
  }

  /// Subdomain-based extraction.
  pub fn from_subdomain() -> Self {
    Self {
      strategy: TenantStrategy::Subdomain,
      required: false,
    }
  }

  /// Path-segment-based extraction.
  pub fn from_path_segment(index: usize) -> Self {
    Self {
      strategy: TenantStrategy::PathPrefix(index),
      required: false,
    }
  }

  /// Custom closure-based extraction.
  pub fn custom<F>(f: F) -> Self
  where
    F: Fn(&Request) -> Option<String> + Send + Sync + 'static,
  {
    Self {
      strategy: TenantStrategy::Custom(Arc::new(f)),
      required: false,
    }
  }

  /// When set, requests without a tenant identifier are rejected with 400.
  pub fn require(mut self, required: bool) -> Self {
    self.required = required;
    self
  }
}

fn extract_subdomain(host: &str) -> Option<String> {
  // Drop port if present (`acme.example.com:8080`).
  let host = host.split(':').next().unwrap_or(host);
  let mut labels = host.split('.');
  let first = labels.next()?;
  // Need at least one further label so we don't return the whole apex domain.
  labels.next()?;
  if first.is_empty() {
    return None;
  }
  Some(first.to_ascii_lowercase())
}

fn extract_path_segment(path: &str, index: usize) -> Option<String> {
  path
    .split('/')
    .filter(|s| !s.is_empty())
    .nth(index)
    .map(str::to_string)
}

/// Restrictive tenant-id charset. Tenant identifiers commonly flow into file
/// paths, database keys, log labels and metrics labels; any segment that can
/// be confused with `..`, contain a `/`, or smuggle whitespace would let a
/// client cross those boundaries.
///
/// Allowed: ASCII alphanumerics plus `_-.` (with `.` rejected as the whole
/// value to keep `.` and `..` out). Max length: 64 bytes.
fn is_valid_tenant_id(id: &str) -> bool {
  const MAX_LEN: usize = 64;
  if id.is_empty() || id.len() > MAX_LEN {
    return false;
  }
  if id == "." || id == ".." {
    return false;
  }
  id.bytes()
    .all(|b| b.is_ascii_alphanumeric() || matches!(b, b'_' | b'-' | b'.'))
}

impl IntoMiddleware for TenantMiddleware {
  fn into_middleware(
    self,
  ) -> impl Fn(Request, Next) -> Pin<Box<dyn Future<Output = Response> + Send + 'static>>
  + Clone
  + Send
  + Sync
  + 'static {
    let strategy = self.strategy;
    let required = self.required;

    move |mut req: Request, next: Next| {
      let strategy = strategy.clone();
      Box::pin(async move {
        let tenant = match &strategy {
          TenantStrategy::Header(h) => req
            .headers()
            .get(h)
            .and_then(|v| v.to_str().ok())
            .map(str::trim)
            .filter(|s| !s.is_empty())
            .map(str::to_string),
          TenantStrategy::Subdomain => req
            .headers()
            .get(http::header::HOST)
            .and_then(|v| v.to_str().ok())
            .and_then(extract_subdomain),
          TenantStrategy::PathPrefix(idx) => extract_path_segment(req.uri().path(), *idx),
          TenantStrategy::Custom(f) => f(&req),
        };

        let tenant = tenant.filter(|t| is_valid_tenant_id(t));

        match tenant {
          Some(t) => {
            req.extensions_mut().insert(Tenant(t));
            next.run(req).await
          }
          None if required => http::Response::builder()
            .status(StatusCode::BAD_REQUEST)
            .body(TakoBody::from("missing tenant identifier"))
            .expect("valid response"),
          None => next.run(req).await,
        }
      })
    }
  }
}