Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Rack から見るミドルウェアの世界

otomi
April 23, 2021
0
750

Rack から見るミドルウェアの世界

「omniauth を使って GitHub 認証を実装する」のプラクティスをやっているときに読んだパーフェクト Ruby on Rails に以下のような記述があり興味を持ったので、Rack とたわむれてみてミドルウェアの世界を覗き見してみます。

otomi

April 23, 2021
Tweet

More Decks by otomi

See All by otomi
ロリポップ!のメール送信の信頼性向上についての取り組み
ot0m1
0
1.2k

Featured

See All Featured
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
126
18k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
250
21k
Imperfection Machines: The Place of Print at Facebook
scottboms
265
13k
GraphQLの誤解/rethinking-graphql
sonatard
67
10k
Adopting Sorbet at Scale
ufuk
73
9.1k
Intergalactic Javascript Robots from Outer Space
tanoku
269
27k
Reflections from 52 weeks, 52 projects
jeffersonlam
346
20k
Product Roadmaps are Hard
iamctodd
PRO
49
11k
For a Future-Friendly Web
brad_frost
175
9.4k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
Typedesign – Prime Four
hannesfritz
40
2.4k
Unsuck your backbone
ammeep
668
57k

Transcript

  1. Rack ͔ΒݟΔϛυϧ΢ΣΞͷੈք @ot0m1 https://github.com/ot0m1/

  2. ͳͥ Rack Λ৮Ζ͏ͱࢥ͔ͬͨ ʮomniauth Λ࢖ͬͯ GitHub ೝূΛ࣮૷͢ΔʯͷϓϥΫςΟεΛ΍͍ͬͯΔͱ͖ʹಡΜͩύʔϑΣΫτ Ruby on Rails

    ʹҎԼͷΑ͏ͳهड़͕͋ΓڵຯΛ࣋ͬͨͨΊɻ ΞΫηεΛड͚औΔͱ͸ʁͲΜͳಈ͖Λ͍ͯ͠Δͷ͔ͱ͍͏ͱ͜ΖΛௐ΂͔ͨͬͨɻ “ OmniAuth͸Rackϛυϧ΢ΣΞͱͯ͠ಈ࡞͠ɺʮ/auth/:providerʯͱ͍͏URLͷϧʔϧʹϚον ͢ΔΞΫηεΛड͚औΔͱೝূॲཧΛ։࢝͢ΔΑ͏ʹͳ͍ͬͯ·͢ ”

  3. Rack ͱ͸ WEB αʔόͱ WEB ΞϓϦέʔγϣϯʗϑϨʔϜϫʔΫ ؒͷΠϯλʔϑΣʔεͷ໾ׂΛՌͨ͢ϥΠϒϥϦ https://gihyo.jp/dev/serial/01/ruby/0023

  4. Rack ͕Ͱ͖ͨഎܠ • WSGI ͱ͍͏ɺPython ͷͨΊͷ Web αʔόͱ Web ΞϓϦέʔγϣϯ/ϑϨʔϜϫʔΫؒͷඪ४ΠϯλʔϑΣʔεΛఆΊΔ

    ࢓༷͕͋ΓɺRack ͸͜ͷ WSGI ʹӨڹ͞Εͯ։ൃ͞Εͨ
 • WSGI ͕ఏএ͞Εͨഎܠ͸ɼ౰࣌ Python ੡ͷϑϨʔϜϫʔΫ͸ଟ਺ଘࡏ͍ͯͨ͠΋ͷͷɼ֤ϑϨʔϜϫʔΫͷ࣮૷͸ಛఆ ͷ Web αʔόʹґଘ͍ͯ͠Δ͜ͱ͕ଟ͘ɼ࢖༻͍ͨ͠ϑϨʔϜϫʔΫͷҝʹ؀ڥΛ੍ݶ͞ΕΔͱ͍͏͜ͱ͕͋ͬͨͨΊ
 • ༷ʑͳ Web αʔό΍ϑϨʔϜϫʔΫ͕։ൃ͞Εͯ΋ɼ૒ํ͕ Rack Λ࢖༻ͯ͠ΠϯλʔϑΣʔε෦෼Λ࣮૷͍ͯ͑͢͠͞ Ε͹ɺαʔόͱΞϓϦέʔγϣϯͷ૊Έ߹ΘͤΛؾʹ͠ͳͯ͘Α͘ͳΔ ཁ͸ Web ΞϓϦέʔγϣϯ/ϑϨʔϜϫʔΫ ͱ Web αʔόͷ૊Έ߹ΘͤΛؾʹ͠ͳͯ͘Α͍΋ͷΒ͍͠Ͱ͢ɻ

  5. ΈΜͳ࢖͍ͬͯΔ Rack Sinatora ΍ Ruby on Rails Ͱ΋͜ͷ Rack ͸࢖ΘΕ͍ͯ

    ΔΈ͍ͨʂ

  6. ͬͦ͘͞৮ͬͯΈΔ ࠷ॳʹ؆୯ͳΞϓϦέʔγϣϯΛ࡞ͬͯ Rack ͷΠϯλʔϑΣʔεʹ৮ΕͯΈΔɻ Rack ΞϓϦέʔγϣϯͱͯ͠࠷௿ݶඞཁͳͷ͜ͱ͸࣍ͷ௨Γɻ • call ͱ͍͏ϝιουΛ͍࣋ͬͯΔ͜ͱ
 •

    call ϝιουͷҾ਺ͱͯ͠ Web αʔό͔ΒͷϦΫΤετΛड͚Δ͜ͱ
 • callϝιου͸ɼ࣍ͷཁૉΛؚΉϨεϙϯεΛฦ͢Δ͜ͱ ◦ εςʔλείʔυ ◦ ϨεϙϯεϔομʢHashʣ ◦ ϨεϙϯεϘσΟʢArrayʣ

  7. Ͱ͖·ͨ͠ https://github.com/ot0m1/sibatora GET ϦΫΤετͰϑΥʔϜΛඳըͯ͠ɺPOST ͰϑΥʔϜʹॻ͔Εͨ಺༰Λදࣔ͢Δɻ Rack ͕৭ʑ΍ͬͯ͘ΕΔͷͰ Web αʔόͷ͜ͱΛॻ͔ͳͯ͘΋ɺrackup ͢Ε͹ࣗಈͰαʔόΛىಈ

    ͯ͠ɺϒϥ΢βͰΞΫηεͰ͖ΔΑ͏ʹͯ͘͠ΕΔɻ

  8. ͞Βʹ Rack Ͱϛυϧ΢ΣΞ΋࡞ͬͯΈΔ ΠϯλʔϑΣΠεʹ৮ͬͨͷͰɺࠓ౓͸ϛυϧ΢ΣΞͱͯ͠ͷ Rack ʹ৮Δɻ Web ΞϓϦέʔγϣϯΛ࡞͍ͬͯΔͱɼϦΫΤετ΍ϨεϙϯεΛΞϓϦέʔγϣϯʹߦ͘લ΍ΞϓϦέʔ γϣϯͷॲཧͷޙʹՃ޻ͨ͘͠ͳΔ͜ͱ͕͋Δɻ ྫ͑͹ɼ৚݅ʹԠͯ͡

    URL ͷॻ͖׵͑Λͨ͠ΓɼΤϯίʔσΟϯάͷม׵Λͨ͠ΓɺCookie ͷॲཧΛͨ͠Γɻ ͦ͏͍ͬͨՃ޻ॲཧΛɼαʔόͱΞϓϦέʔγϣϯͷதؒͰߦͳ͏ͷ͕ϛυϧ΢ΣΞɻ ๯಄Ͱ Rack ʹڵຯΛ͖͔͚࣋ͬͨͬͱͳΔ OmniAuth ΋͜ͷΑ͏ͳՃ޻ॲཧΛ͍ͯ͠ΔΒ͍͠ɻ

  9. WAF Λ࡞Δ ͱ͍͏Θ͚Ͱɺ΢ΣϒΞϓϦέʔγϣϯϑϨʔϜ͡Όͳ͍΄͏ͷ WAFʢ΢ΣϒΞϓϦέʔγϣϯϑΝ ΠΞ΢ΥʔϧʣΛ࡞ͬͯΈͨɻ ͖ͬ͞ͷΞϓϦέʔγϣϯʹ URL ͕ॻ͖ࠐ·ΕͨΒܯࠂจͱεςʔλείʔυ 403 Λฦ͢Α͏ʹΑ

    ͏ʹ͢Δɻ

  10. Ͱ͖·ͨ͠ ϑΥʔϜʹ URL Λೖྗͨ͠৔߹ɺϛυϧ΢ΣΞͱͯ͠؆қ΢ΣϒΞϓϦέʔγϣϯϑΝΠΞ΢Υʔϧ ͕࣮ߦ͞Ε 403 ͷϨεϙϯείʔυͱܯࠂจΛදࣔ͠·͢ɻ -> % curl

    http://127.0.0.1:9292/ -X POST -d 'hello' -i HTTP/1.1 200 OK Content-Type: text/html;charset=utf-8 Content-Length: 31 <html><body>hello</body></html>% -> % curl http://127.0.0.1:9292/ -X POST -d 'https://example.com' -i HTTP/1.1 403 Forbidden Content-Type: text/html;charset=utf-8 Content-Length: 68 <html><body>URLΛؚΉจষ͸౤ߘͰ͖·ͤΜ</body></html>%

  11. ϛυϧ΢ΣΞͱͯ͠ಈ͍͍ͯΔ͜ͱ͕֬ೝͰ͖Δ ΞϓϦέʔγϣϯͱͯ͠ͷίʔυ͕ॻ͔Ε͍ͯΔ shibatora.rb ʹ͸Ұ੾ WAF ͷ͜ͱ͕ॻ͔Ε͍ͯͳ͍ ͠ɺshibatora.rb ͸ৗʹϨεϙϯείʔυ 200 Λฦ͢Α͏ʹ͍ͯ͠Δͷʹ

    403 ͕ฦ͞Ε͍ͯΔɻ shibatora_waf.rb ͕ϛυϧ΢ΣΞͱͯ͠ৼΔ෣ͬͯ͘ΕɺαʔόͱΞϓϦέʔγϣϯͷؒͷ௨৴ʹׂΓ ࠐΜͰ͍Δɻ ͱ͍͏Θ͚Ͱ๯಄ͷ OmniAuth ͷৼΔ෣͍ΛͳΜͱͳ͘ΠϝʔδͰ͖·ͨ͠ɻ “ OmniAuth͸Rackϛυϧ΢ΣΞͱͯ͠ಈ࡞͠ɺʮ/auth/:providerʯͱ͍͏URLͷϧʔϧʹϚον ͢ΔΞΫηεΛड͚औΔͱೝূॲཧΛ։࢝͢ΔΑ͏ʹͳ͍ͬͯ·͢ ”

  12. ࠓ೔ͷίʔυ͸ҎԼͷϦϙδτϦʹஔ͍͍ͯ·͢ Ϋϩʔϯͯ͠༡ΜͰΈ͍ͯͩ͘͞ɻ https://github.com/ot0m1/sibatora