DEV Community: Paweł Pacana The latest articles on DEV Community by Paweł Pacana (@mostlyobvious). https://dev.to/mostlyobvious https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F618595%2F9c4ac19c-988d-4f70-bad2-da1d945ea131.png DEV Community: Paweł Pacana https://dev.to/mostlyobvious en Explaining Rack — desugaring Rack::Builder DSL Paweł Pacana Thu, 22 Apr 2021 16:32:07 +0000 https://dev.to/mostlyobvious/explaining-rack-desugaring-rack-builder-dsl-dal https://dev.to/mostlyobvious/explaining-rack-desugaring-rack-builder-dsl-dal <p>Yesterday I <a href="https://blog.arkency.com/common-authentication-for-mounted-rack-apps-in-rails/">wrote a post</a> highlighting Basic Auth and how can we protect Rack applications mounted in Rails with it.<br> Today when discussing some ideas from this post with my colleague, our focus immediately shifted to <code>Rack::Builder</code>.</p> <p>On one hand Rack interface is simple, fairly constrained and well described in <a href="https://github.com/rack/rack/blob/master/SPEC.rdoc">spec</a>. And ships with a <a href="https://github.com/rack/rack/blob/2c95c7d1eb2f743f64c134bde06c92be24a70717/lib/rack/lint.rb">linter</a> to help your Rack apps and middleware pass this compliance.</p> <blockquote> <p>A Rack application is a Ruby object (not a class) that responds to call. It takes exactly one argument, the environment and returns an Array of exactly three values: <a href="https://github.com/rack/rack/blob/master/SPEC.rdoc#the-status-">The status</a>, <a href="https://github.com/rack/rack/blob/master/SPEC.rdoc#the-headers-">the headers</a>, and <a href="https://github.com/rack/rack/blob/master/SPEC.rdoc#the-body-">the body</a>.<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="k">class</span> <span class="nc">HelloWorld</span> <span class="k">def</span> <span class="nf">call</span><span class="p">(</span><span class="n">env</span><span class="p">)</span> <span class="p">[</span><span class="mi">200</span><span class="p">,</span> <span class="p">{</span><span class="s2">"Content-Type"</span> <span class="o">=&gt;</span> <span class="s2">"text/plain"</span><span class="p">},</span> <span class="p">[</span><span class="s2">"Hello world!"</span><span class="p">]]</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <p>On the other hand your first exposure to Rack is usually via <code>config.ru</code> in Rails application:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="c1"># This file is used by Rack-based servers to start the application.</span> <span class="nb">require_relative</span> <span class="s2">"config/environment"</span> <span class="n">run</span> <span class="no">Rails</span><span class="p">.</span><span class="nf">application</span> </code></pre> </div> <p>Behind the scenes, this file <a href="https://github.com/rack/rack/blob/2c95c7d1eb2f743f64c134bde06c92be24a70717/lib/rack/server.rb#L344-L350">is eventually passed to</a> <code>Rack::Builder</code>. It is a convenient DSL to compose Rack application out of other Rack applications. In <a href="https://blog.arkency.com/common-authentication-for-mounted-rack-apps-in-rails/">yesterday's blogpost</a> we've seen it being used directly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="no">Rack</span><span class="o">::</span><span class="no">Builder</span><span class="p">.</span><span class="nf">new</span> <span class="k">do</span> <span class="n">use</span> <span class="no">Rack</span><span class="o">::</span><span class="no">Auth</span><span class="o">::</span><span class="no">Basic</span> <span class="k">do</span> <span class="o">|</span><span class="n">username</span><span class="p">,</span> <span class="n">password</span><span class="o">|</span> <span class="no">ActiveSupport</span><span class="o">::</span><span class="no">SecurityUtils</span><span class="p">.</span><span class="nf">secure_compare</span><span class="p">(</span><span class="o">::</span><span class="no">Digest</span><span class="o">::</span><span class="no">SHA256</span><span class="p">.</span><span class="nf">hexdigest</span><span class="p">(</span><span class="n">username</span><span class="p">),</span> <span class="o">::</span><span class="no">Digest</span><span class="o">::</span><span class="no">SHA256</span><span class="p">.</span><span class="nf">hexdigest</span><span class="p">(</span><span class="no">ENV</span><span class="p">.</span><span class="nf">fetch</span><span class="p">(</span><span class="s2">"DEV_UI_USERNAME"</span><span class="p">)))</span> <span class="o">&amp;</span> <span class="no">ActiveSupport</span><span class="o">::</span><span class="no">SecurityUtils</span><span class="p">.</span><span class="nf">secure_compare</span><span class="p">(</span><span class="o">::</span><span class="no">Digest</span><span class="o">::</span><span class="no">SHA256</span><span class="p">.</span><span class="nf">hexdigest</span><span class="p">(</span><span class="n">password</span><span class="p">),</span> <span class="o">::</span><span class="no">Digest</span><span class="o">::</span><span class="no">SHA256</span><span class="p">.</span><span class="nf">hexdigest</span><span class="p">(</span><span class="no">ENV</span><span class="p">.</span><span class="nf">fetch</span><span class="p">(</span><span class="s2">"DEV_UI_PASSWORD"</span><span class="p">)))</span> <span class="k">end</span> <span class="n">run</span> <span class="no">Sidekiq</span><span class="o">::</span><span class="no">Web</span> <span class="k">end</span> </code></pre> </div> <p>Whether you use <code>Rack::Builder</code> directly or via <a href="https://github.com/rack/rack#rackup-">rackup</a> files, you're immediately associating Rack with the <code>use</code> and <code>run</code> DSL. <br> And that triggered an honest question from my colleague — how does this DSL relate to that rather simple Rack interface?</p> <h1> De-sugaring Rack::Builder DSL </h1> <p>To add even more nuance, some Rack apps are called a <em>middleware</em>. What is a middleware? In simple words — it's a Rack application that wraps another Rack application. It may affect the input passed to the wrapped app. Or it may affect the output if it.</p> <p>An example of a <em>middleware</em> that makes everything sound more dramatic:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="k">class</span> <span class="nc">Dramatize</span> <span class="k">def</span> <span class="nf">initialize</span><span class="p">(</span><span class="n">app</span><span class="p">)</span> <span class="vi">@app</span> <span class="o">=</span> <span class="n">app</span> <span class="k">end</span> <span class="k">def</span> <span class="nf">call</span><span class="p">(</span><span class="n">env</span><span class="p">)</span> <span class="n">status</span><span class="p">,</span> <span class="n">headers</span><span class="p">,</span> <span class="n">body</span> <span class="o">=</span> <span class="vi">@app</span><span class="p">.</span><span class="nf">call</span><span class="p">(</span><span class="n">env</span><span class="p">)</span> <span class="p">[</span><span class="n">status</span><span class="p">,</span> <span class="n">headers</span><span class="p">,</span> <span class="n">body</span><span class="p">.</span><span class="nf">map</span> <span class="p">{</span> <span class="o">|</span><span class="n">x</span><span class="o">|</span> <span class="s2">"</span><span class="si">#{</span><span class="n">x</span><span class="si">}</span><span class="s2">111one!1"</span> <span class="p">}]</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <p>A composition of such middleware and our previous sample <code>HelloWorld</code> application with <code>config.ru</code> would look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="c1"># config.ru</span> <span class="k">class</span> <span class="nc">HelloWorld</span> <span class="c1"># omitted for brevity</span> <span class="k">end</span> <span class="k">class</span> <span class="nc">Dramatize</span> <span class="c1"># omitted for brevity</span> <span class="k">end</span> <span class="n">use</span> <span class="no">Dramatize</span> <span class="n">run</span> <span class="no">HelloWorld</span><span class="p">.</span><span class="nf">new</span> </code></pre> </div> <p>When executed, it would return very dramatic greeting:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ bundle exec rackup config.ru * Listening on http://127.0.0.1:9292 * Listening on http://[::1]:9292 Use Ctrl-C to stop $ curl localhost:9292 Hello world!111one!1⏎ </code></pre> </div> <p>Now back to the question that started it all:</p> <blockquote> <p>How does this DSL relate to that rather simple Rack interface?</p> </blockquote> <p>The last example of composition via <code>Rack::Builder</code> can be rewritten to avoid some of the DSL:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="c1"># config.ru</span> <span class="n">run</span> <span class="no">Dramatize</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="no">HelloWorld</span><span class="p">.</span><span class="nf">new</span><span class="p">)</span> </code></pre> </div> <p>A single <code>run</code> is needed to tell a Ruby application server what is our Rack application that we'd like to run. The use of <code>use</code> is on the other hand just optional.</p> <p>If this post got you curious on Rack, a fun way to learn more about it is to check the code of each middleware powering your Rails application:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ bin/rails middleware use Webpacker::DevServerProxy use Honeybadger::Rack::UserInformer use Honeybadger::Rack::UserFeedback use Honeybadger::Rack::ErrorNotifier use Rack::Cors use ActionDispatch::HostAuthorization use Rack::Sendfile use ActionDispatch::Static use ActionDispatch::Executor use ActiveSupport::Cache::Strategy::LocalCache::Middleware use Rack::Runtime use Rack::MethodOverride use ActionDispatch::RequestId use ActionDispatch::RemoteIp use Rails::Rack::Logger use ActionDispatch::ShowExceptions use ActionDispatch::DebugExceptions use ActionDispatch::ActionableExceptions use ActionDispatch::Reloader use ActionDispatch::Callbacks use ActionDispatch::Cookies use ActionDispatch::Session::CookieStore use ActionDispatch::Flash use ActionDispatch::ContentSecurityPolicy::Middleware use ActionDispatch::PermissionsPolicy::Middleware use Rack::Head use Rack::ConditionalGet use Rack::ETag use Rack::TempfileReaper use Warden::Manager use Rack::Deflater use RailsEventStore::Middleware run MyApp::Application.routes </code></pre> </div> <p>Happy learning!</p> rack ruby rails 5days5blogposts Rack apps mounted in Rails — how to protect access to them? Paweł Pacana Wed, 21 Apr 2021 23:07:26 +0000 https://dev.to/mostlyobvious/rack-apps-mounted-in-rails-how-to-protect-access-to-them-592e https://dev.to/mostlyobvious/rack-apps-mounted-in-rails-how-to-protect-access-to-them-592e <p>Sidekiq, Flipper, RailsEventStore — what do these Rails gems have in common? They all ship web apps with UI to enhance their usefulness in the application. Getting an overview of processed jobs, managing visibility of feature toggles, browsing events, their correlations and streams — nothing you could not do in code or Rails console already. But never really wanted to do there 😉</p> <p>In Rails apps we add those UI apps with <code>mount</code> in routing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="c1"># config/routes.rb</span> <span class="no">Rails</span><span class="p">.</span><span class="nf">application</span><span class="p">.</span><span class="nf">routes</span><span class="p">.</span><span class="nf">draw</span> <span class="k">do</span> <span class="n">mount</span> <span class="no">Sidekiq</span><span class="o">::</span><span class="no">Web</span><span class="p">,</span> <span class="ss">at: </span><span class="s2">"/sidekiq"</span> <span class="k">end</span> </code></pre> </div> <p>In production application you'll want to protect access to this Sidekiq dashboard. Let's assume this Rails application is API-only. There's no Devise nor any other authentication library of your choice there. Fair scenario to rely on HTTP Basic Auth, as illustrated with wonderfully commented example from Sidekiq <a href="https://github.com/mperham/sidekiq/wiki/Monitoring#rails-http-basic-auth-from-routes">wiki</a>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="c1"># config/routes.rb</span> <span class="no">Rails</span><span class="p">.</span><span class="nf">application</span><span class="p">.</span><span class="nf">routes</span><span class="p">.</span><span class="nf">draw</span> <span class="k">do</span> <span class="no">Sidekiq</span><span class="o">::</span><span class="no">Web</span><span class="p">.</span><span class="nf">use</span> <span class="no">Rack</span><span class="o">::</span><span class="no">Auth</span><span class="o">::</span><span class="no">Basic</span> <span class="k">do</span> <span class="o">|</span><span class="n">username</span><span class="p">,</span> <span class="n">password</span><span class="o">|</span> <span class="c1"># Protect against timing attacks:</span> <span class="c1"># - See https://codahale.com/a-lesson-in-timing-attacks/</span> <span class="c1"># - See https://thisdata.com/blog/timing-attacks-against-string-comparison/</span> <span class="c1"># - Use &amp; (do not use &amp;&amp;) so that it doesn't short circuit.</span> <span class="c1"># - Use digests to stop length information leaking (see also ActiveSupport::SecurityUtils.variable_size_secure_compare)</span> <span class="no">ActiveSupport</span><span class="o">::</span><span class="no">SecurityUtils</span><span class="p">.</span><span class="nf">secure_compare</span><span class="p">(</span><span class="o">::</span><span class="no">Digest</span><span class="o">::</span><span class="no">SHA256</span><span class="p">.</span><span class="nf">hexdigest</span><span class="p">(</span><span class="n">username</span><span class="p">),</span> <span class="o">::</span><span class="no">Digest</span><span class="o">::</span><span class="no">SHA256</span><span class="p">.</span><span class="nf">hexdigest</span><span class="p">(</span><span class="no">ENV</span><span class="p">[</span><span class="s2">"SIDEKIQ_USERNAME"</span><span class="p">]))</span> <span class="o">&amp;</span> <span class="no">ActiveSupport</span><span class="o">::</span><span class="no">SecurityUtils</span><span class="p">.</span><span class="nf">secure_compare</span><span class="p">(</span><span class="o">::</span><span class="no">Digest</span><span class="o">::</span><span class="no">SHA256</span><span class="p">.</span><span class="nf">hexdigest</span><span class="p">(</span><span class="n">password</span><span class="p">),</span> <span class="o">::</span><span class="no">Digest</span><span class="o">::</span><span class="no">SHA256</span><span class="p">.</span><span class="nf">hexdigest</span><span class="p">(</span><span class="no">ENV</span><span class="p">[</span><span class="s2">"SIDEKIQ_PASSWORD"</span><span class="p">]))</span> <span class="k">end</span> <span class="n">mount</span> <span class="no">Sidekiq</span><span class="o">::</span><span class="no">Web</span><span class="p">,</span> <span class="ss">at: </span><span class="s2">"/sidekiq"</span> <span class="k">end</span> </code></pre> </div> <p>Let's transform this example a bit to not rely on <code>Sidekiq::Web.use</code>. That's very convenient to provide such interface from a library. I want to show you something else here — <code>Sidekiq::Web</code> is a <a href="https://github.com/rack/rack/blob/master/SPEC.rdoc">Rack</a> application and can be treated as such.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="c1"># config/routes.rb</span> <span class="no">Rails</span><span class="p">.</span><span class="nf">application</span><span class="p">.</span><span class="nf">routes</span><span class="p">.</span><span class="nf">draw</span> <span class="k">do</span> <span class="n">mount</span> <span class="no">Rack</span><span class="o">::</span><span class="no">Builder</span><span class="p">.</span><span class="nf">new</span> <span class="k">do</span> <span class="n">use</span> <span class="no">Rack</span><span class="o">::</span><span class="no">Auth</span><span class="o">::</span><span class="no">Basic</span> <span class="k">do</span> <span class="o">|</span><span class="n">username</span><span class="p">,</span> <span class="n">password</span><span class="o">|</span> <span class="no">ActiveSupport</span><span class="o">::</span><span class="no">SecurityUtils</span><span class="p">.</span><span class="nf">secure_compare</span><span class="p">(</span><span class="o">::</span><span class="no">Digest</span><span class="o">::</span><span class="no">SHA256</span><span class="p">.</span><span class="nf">hexdigest</span><span class="p">(</span><span class="n">username</span><span class="p">),</span> <span class="o">::</span><span class="no">Digest</span><span class="o">::</span><span class="no">SHA256</span><span class="p">.</span><span class="nf">hexdigest</span><span class="p">(</span><span class="no">ENV</span><span class="p">.</span><span class="nf">fetch</span><span class="p">(</span><span class="s2">"DEV_UI_USERNAME"</span><span class="p">)))</span> <span class="o">&amp;</span> <span class="no">ActiveSupport</span><span class="o">::</span><span class="no">SecurityUtils</span><span class="p">.</span><span class="nf">secure_compare</span><span class="p">(</span><span class="o">::</span><span class="no">Digest</span><span class="o">::</span><span class="no">SHA256</span><span class="p">.</span><span class="nf">hexdigest</span><span class="p">(</span><span class="n">password</span><span class="p">),</span> <span class="o">::</span><span class="no">Digest</span><span class="o">::</span><span class="no">SHA256</span><span class="p">.</span><span class="nf">hexdigest</span><span class="p">(</span><span class="no">ENV</span><span class="p">.</span><span class="nf">fetch</span><span class="p">(</span><span class="s2">"DEV_UI_PASSWORD"</span><span class="p">)))</span> <span class="k">end</span> <span class="n">run</span> <span class="no">Sidekiq</span><span class="o">::</span><span class="no">Web</span> <span class="k">end</span><span class="p">,</span> <span class="ss">at: </span><span class="s2">"/sidekiq"</span> <span class="k">end</span> </code></pre> </div> <p>Little explanation:</p> <ul> <li>Rack::Builder is a DSL to create new Rack application</li> <li>Rack applications can wrap each other, like layers</li> <li>when the request comes in, a chain of Rack apps is executed from outermost to innermost</li> <li>when the response is to be returned, it goes from innermost Rack app to outermost</li> </ul> <p>Right. Wasn't it supposed to be about protecting access? </p> <p>Imagine now that aforementioned Rails application includes all those UIs for Sidekiq, Flipper, RailsEventStore at the same time. How can we have common protection for them without boring copying and pasting same wrapper again and again?</p> <p>Let's extract (bad word detected) a factory!<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="c1"># config/routes.rb</span> <span class="no">Rails</span><span class="p">.</span><span class="nf">application</span><span class="p">.</span><span class="nf">routes</span><span class="p">.</span><span class="nf">draw</span> <span class="k">do</span> <span class="n">with_dev_auth</span> <span class="o">=</span> <span class="nb">lambda</span> <span class="k">do</span> <span class="o">|</span><span class="n">app</span><span class="o">|</span> <span class="no">Rack</span><span class="o">::</span><span class="no">Builder</span><span class="p">.</span><span class="nf">new</span> <span class="k">do</span> <span class="n">use</span> <span class="no">Rack</span><span class="o">::</span><span class="no">Auth</span><span class="o">::</span><span class="no">Basic</span> <span class="k">do</span> <span class="o">|</span><span class="n">username</span><span class="p">,</span> <span class="n">password</span><span class="o">|</span> <span class="no">ActiveSupport</span><span class="o">::</span><span class="no">SecurityUtils</span><span class="p">.</span><span class="nf">secure_compare</span><span class="p">(</span><span class="o">::</span><span class="no">Digest</span><span class="o">::</span><span class="no">SHA256</span><span class="p">.</span><span class="nf">hexdigest</span><span class="p">(</span><span class="n">username</span><span class="p">),</span> <span class="o">::</span><span class="no">Digest</span><span class="o">::</span><span class="no">SHA256</span><span class="p">.</span><span class="nf">hexdigest</span><span class="p">(</span><span class="no">ENV</span><span class="p">.</span><span class="nf">fetch</span><span class="p">(</span><span class="s2">"DEV_UI_USERNAME"</span><span class="p">)))</span> <span class="o">&amp;</span> <span class="no">ActiveSupport</span><span class="o">::</span><span class="no">SecurityUtils</span><span class="p">.</span><span class="nf">secure_compare</span><span class="p">(</span><span class="o">::</span><span class="no">Digest</span><span class="o">::</span><span class="no">SHA256</span><span class="p">.</span><span class="nf">hexdigest</span><span class="p">(</span><span class="n">password</span><span class="p">),</span> <span class="o">::</span><span class="no">Digest</span><span class="o">::</span><span class="no">SHA256</span><span class="p">.</span><span class="nf">hexdigest</span><span class="p">(</span><span class="no">ENV</span><span class="p">.</span><span class="nf">fetch</span><span class="p">(</span><span class="s2">"DEV_UI_PASSWORD"</span><span class="p">)))</span> <span class="k">end</span> <span class="n">run</span> <span class="n">app</span> <span class="k">end</span> <span class="k">end</span> <span class="n">mount</span> <span class="n">with_dev_auth</span><span class="p">.</span><span class="nf">call</span><span class="p">(</span><span class="no">Sidekiq</span><span class="o">::</span><span class="no">Web</span><span class="p">),</span> <span class="ss">at: </span><span class="s2">"sidekiq"</span> <span class="k">end</span> </code></pre> </div> <p>Fun fact is that a <code>Proc#[]</code> is an <a href="https://ruby-doc.org/core-3.0.0/Proc.html#method-i-3D-3D-3D">equivalent</a> to <code>Proc#call</code>.<br> The last line can be as well written as:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code> <span class="n">mount</span> <span class="n">with_dev_auth</span><span class="p">[</span><span class="no">Sidekiq</span><span class="o">::</span><span class="no">Web</span><span class="p">],</span> <span class="ss">at: </span><span class="s2">"sidekiq"</span> </code></pre> </div> <p>And with all those UIs in place we receive:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code> <span class="n">mount</span> <span class="n">with_dev_auth</span><span class="p">[</span><span class="no">Sidekiq</span><span class="o">::</span><span class="no">Web</span><span class="p">],</span> <span class="ss">at: </span><span class="s2">"/sidekiq"</span> <span class="n">mount</span> <span class="n">with_dev_auth</span><span class="p">[</span><span class="no">RailsEventStore</span><span class="o">::</span><span class="no">Browser</span><span class="p">],</span> <span class="ss">at: </span><span class="s2">"/res"</span> <span class="n">mount</span> <span class="n">with_dev_auth</span><span class="p">[</span><span class="no">Flipper</span><span class="o">::</span><span class="no">UI</span><span class="p">.</span><span class="nf">app</span><span class="p">(</span><span class="no">Flipper</span><span class="p">)],</span> <span class="ss">at: </span><span class="s2">"/flipper"</span> </code></pre> </div> <p>In the future we could swap Basic Auth to one or another authentication mechanism. The <code>with_dev_auth</code> factory would remain useful and probably survive them all.</p> rails rack 5days5blogposts