Add Trusted Clients HTTP middleware

Author: andrewdalpino

CHANGELOG.md

@@ -5,6 +5,7 @@
     - Rename Rank and RankSample to Score and ScoreSample
     - Move Verbose interface to Server
     - Abstracted Router and Command Bus instantiation
+    - Implemented Trusted Clients HTTP middleware
 
 - 0.0.2-beta
     - Changed name of Binary serializer to Igbinary

README.md

@@ -25,6 +25,7 @@ $ composer require rubix/server
 	- [RPC Client](#rpc-client)
 - [Http Middleware](#http-middeware)
 	- [Shared Token Authenticator](#shared-token-authenticator)
+	- [Trusted Clients](#trusted-clients)
 - [Messages](#messages)
 	- [Commands](#commands)
 		- [Predict](#predict)
@@ -224,6 +225,25 @@ use Rubix\Server\Http\Middleware\SharedTokenAuthenticator;
 $middleware = new SharedTokenAuthenticator('secret');
 ```
 
+### Trusted Clients
+A whitelist of trust clients - all other clients will be dropped.
+
+**Parameters:**
+
+| # | Param | Default | Type | Description |
+|--|--|--|--|--|
+| 1 | ips | ['127.0.0.1'] | array | An array of trusted client ip addresses. |
+
+**Example:**
+
+```php
+use Rubix\Server\Http\Middleware\TrustedClients;
+
+$middleware = new TrustedClients([
+	'127.0.0.1', '192.168.4.1', '45.63.67.15',
+]);
+```
+
 ---
 ### Messages
 Messages are containers for the data that flow across the network between clients and model servers. They provide an object oriented interface to making requests and receiving responses through client/server interaction. There are two types of messages to consider in Rubix Server - [Commands](#commands) and [Responses](#responses). Commands signal an action to be performed by the server and are instantiated by the user and sent by the client API. Responses are returned by the server and contain the data that was sent back as a result of a command.

examples/RPC/client.php

@@ -11,7 +11,11 @@
 use Rubix\Server\Commands\QueryModel;
 use Rubix\Server\Commands\ServerStatus;
 
-$client = new RPCClient('127.0.0.1', 8888);
+const SHARED_SECRET = '2e2c47bbda4e531c585d796c0c8a4ac9';
+
+$client = new RPCClient('127.0.0.1', 8888, false, [
+    'Authorization' => SHARED_SECRET,
+]);
 
 $dataset = new Unlabeled([
     [228, 28, 138],

examples/RPC/server.php

@@ -3,22 +3,31 @@
 include __DIR__ . '../../../vendor/autoload.php';
 
 use Rubix\Server\RPCServer;
+use Rubix\Server\Http\Middleware\TrustedClients;
+use Rubix\Server\Http\Middleware\SharedTokenAuthenticator;
 use Rubix\ML\Datasets\Generators\Blob;
 use Rubix\ML\Datasets\Generators\Agglomerate;
 use Rubix\ML\Classifiers\KNearestNeighbors;
 use Rubix\ML\Other\Loggers\Screen;
 
+const SHARED_SECRET = '2e2c47bbda4e531c585d796c0c8a4ac9';
+
 $generator = new Agglomerate([
-    'red' => new Blob([255, 0, 0], 10.),
-    'green' => new Blob([0, 128, 0], 10.),
-    'blue' => new Blob([0, 0, 255], 10.),
+    'red' => new Blob([255, 0, 0], 10.0),
+    'green' => new Blob([0, 128, 0], 10.0),
+    'blue' => new Blob([0, 0, 255], 10.0),
 ]);
 
+$dataset = $generator->generate(1000);
+
 $estimator = new KNearestNeighbors(3);
 
-$estimator->train($generator->generate(500));
+$estimator->train($dataset);
 
-$server = new RPCServer('127.0.0.1', 8888);
+$server = new RPCServer('127.0.0.1', 8888, null, [
+    new TrustedClients(['127.0.0.1']),
+    new SharedTokenAuthenticator(SHARED_SECRET),
+]);
 
 $server->setLogger(new Screen('server'));
 

src/Http/Middleware/TrustedClients.php

@@ -0,0 +1,72 @@
+<?php
+
+namespace Rubix\Server\Http\Middleware;
+
+use React\Http\Message\Response as ReactResponse;
+use Psr\Http\Message\ServerRequestInterface as Request;
+use Psr\Http\Message\ResponseInterface as Response;
+use InvalidArgumentException;
+
+/**
+ * Trusted Clients
+ *
+ * A whitelist of trust clients - all other clients will be dropped.
+ *
+ * @category    Machine Learning
+ * @package     Rubix/Server
+ * @author      Andrew DalPino
+ */
+class TrustedClients extends Middleware
+{
+    protected const UNAUTHORIZED = 401;
+
+    protected const FLAGS = FILTER_FLAG_IPV4 | FILTER_FLAG_IPV6;
+
+    /**
+     * An array of trusted client ip addresses.
+     *
+     * @var string[]
+     */
+    protected $ips;
+
+    /**
+     * @param string[] $ips
+     * @throws \InvalidArgumentException
+     */
+    public function __construct(array $ips = ['127.0.0.1'])
+    {
+        if (empty($ips)) {
+            throw new InvalidArgumentException('At least 1 trusted client is required.');
+        }
+
+        foreach ($ips as $i => $ip) {
+            if (filter_var($ip, FILTER_VALIDATE_IP, self::FLAGS) === false) {
+                throw new InvalidArgumentException("Invalid IP address at position $i.");
+            }
+        }
+
+        $this->ips = $ips;
+    }
+
+    /**
+     * Run the middleware over the request.
+     *
+     * @param Request $request
+     * @param callable $next
+     * @return Response
+     */
+    public function handle(Request $request, callable $next) : Response
+    {
+        $params = $request->getServerParams();
+
+        if (isset($params['REMOTE_ADDR'])) {
+            $ip = (string) explode(':', $params['REMOTE_ADDR'])[0];
+
+            if (in_array($ip, $this->ips)) {
+                return $next($request);
+            }
+        }
+
+        return new ReactResponse(self::UNAUTHORIZED);
+    }
+}

src/RPCClient.php

@@ -141,7 +141,6 @@ public function __construct(
      * Send a command to the server and return the results.
      *
      * @param \Rubix\Server\Commands\Command $command
-     * @throws \InvalidArgumentException
      * @throws \RuntimeException
      * @return \Rubix\Server\Responses\Response
      */
@@ -151,6 +150,8 @@ public function send(Command $command) : Response
 
         $delay = $this->delay;
 
+        $lastException = null;
+
         for ($tries = 1 + $this->retries; $tries > 0; --$tries) {
             try {
                 $payload = $this->client->request('POST', '/', [
@@ -165,12 +166,16 @@ public function send(Command $command) : Response
                 if ($delay < self::MAX_DELAY) {
                     $delay *= 2;
                 }
+
+                $lastException = $e;
             }
         }
 
         if (empty($payload)) {
-            throw new RuntimeException('There was a problem'
-                . ' communicating with the server.');
+            $message = $lastException ? $lastException->getMessage() : '';
+
+            throw new RuntimeException('There was a problem communicating'
+                . " with the server. $message");
         }
 
         $response = $this->serializer->unserialize($payload);

tests/Http/Middleware/TrustedClientsTest.php

@@ -0,0 +1,51 @@
+<?php
+
+namespace Rubix\Server\Tests\Http\Middleware;
+
+use Rubix\Server\Http\Middleware\Middleware;
+use Rubix\Server\Http\Middleware\TrustedClients;
+use PHPUnit\Framework\TestCase;
+use InvalidArgumentException;
+
+/**
+ * @group Middleware
+ * @covers \Rubix\Server\Http\Middleware\TrustedClients
+ */
+class TrustedClientsTest extends TestCase
+{
+    /**
+     * @var \Rubix\Server\Http\Middleware\TrustedClients
+     */
+    protected $middleware;
+
+    /**
+     * @before
+     */
+    protected function setUp() : void
+    {
+        $this->middleware = new TrustedClients([
+            '127.0.0.1', '192.168.4.1', '45.63.67.15',
+        ]);
+    }
+
+    /**
+     * @test
+     */
+    public function build() : void
+    {
+        $this->assertInstanceOf(TrustedClients::class, $this->middleware);
+        $this->assertInstanceOf(Middleware::class, $this->middleware);
+    }
+
+    /**
+     * @test
+     */
+    public function badIp() : void
+    {
+        $this->expectException(InvalidArgumentException::class);
+
+        $middleware = new TrustedClients([
+            '127.0.0.1', 'bad', '45.63.67.15',
+        ]);
+    }
+}