@aikidosec/broker-client 1.0.1 → 1.0.3

package/README.md

@@ -55,9 +55,11 @@ Resource IDs are displayed in the Aikido UI when you register them.
 
 **Optional:**
 - `ALLOWED_INTERNAL_SUBNETS` - Comma-separated subnet whitelist (e.g., `10.0.0.0/8,172.16.0.0/12`)
-- `DNS_SERVERS` - Custom DNS servers for internal hostname resolution
-- `CUSTOM_CA_BUNDLE` - Path to CA cert for self-signed certificates
-- `HTTP_PROXY` - HTTP proxy for outbound requests to internal resources (e.g., `http://proxy.company.local:8080`)
+- `DNS_SERVERS` - Custom DNS servers for internal hostname resolution (e.g., `8.8.8.8,8.8.4.4`)
+- `NODE_EXTRA_CA_CERTS` - Path to custom CA certificate bundle for self-signed certificates (e.g., `/certs/corporate-ca.crt`)
+- `HTTP_PROXY` - Proxy server for HTTP requests (e.g., `http://proxy.company.local:8080`)
+- `HTTPS_PROXY` - Proxy server for HTTPS requests (e.g., `http://proxy.company.local:8080`)
+- `ALL_PROXY` - Universal proxy fallback for all protocols if protocol-specific proxy is not set
 
 ## How It Works
 
@@ -74,6 +76,9 @@ Resource IDs are displayed in the Aikido UI when you register them.
 CLIENT_SECRET=aikido_broker_123_123_123456789
 ALLOWED_INTERNAL_SUBNETS=10.0.0.0/8,172.16.0.0/12
 HTTP_PROXY=http://proxy.company.local:8080
+HTTPS_PROXY=http://proxy.company.local:8080
+NODE_EXTRA_CA_CERTS=/certs/corporate-ca.crt
+DNS_SERVERS=10.0.0.1,10.0.0.2
 ```
 
 After registering resources through the Aikido UI, they will be accessible via subdomains like:

package/app/client.js

@@ -35,42 +35,12 @@ const DNS_SERVERS = process.env.DNS_SERVERS
   ? process.env.DNS_SERVERS.split(',').map(s => s.trim()).filter(s => s)
   : null;
 
-// Optional: Custom CA certificate bundle for self-signed certificates
-const CUSTOM_CA_BUNDLE = process.env.CUSTOM_CA_BUNDLE || null;
-
-// Optional: HTTP proxy for outbound requests to internal resources
-const HTTP_PROXY = process.env.HTTP_PROXY || null;
-
-// Determine TLS verification setting
-let httpsAgent = null;
-if (CUSTOM_CA_BUNDLE) {
-  const https = await import('https');
-  const ca = fs.readFileSync(CUSTOM_CA_BUNDLE);
-  httpsAgent = new https.Agent({ ca });
-  log.info(`Using custom CA bundle: ${CUSTOM_CA_BUNDLE}`);
-} else {
-  log.info("Using system CA certificates for TLS verification");
-}
-
 // Configure axios defaults
 const axiosConfig = {
   timeout: 30000,
-  maxRedirects: 5,
-  httpsAgent
+  maxRedirects: 5
 };
 
-if (HTTP_PROXY) {
-  const proxyUrl = new URL(HTTP_PROXY);
-  axiosConfig.proxy = {
-    host: proxyUrl.hostname,
-    port: proxyUrl.port || 80,
-    protocol: proxyUrl.protocol
-  };
-  log.info(`Using HTTP proxy for internal requests: ${HTTP_PROXY}`);
-} else {
-  log.info("No HTTP proxy configured for internal requests");
-}
-
 // Create axios instance for internal requests
 const internalHttpClient = axios.create(axiosConfig);
 
@@ -113,7 +83,6 @@ async function resolveInternalHostname(hostname) {
       const dnsPromises = await import('dns/promises');
       const result = await dnsPromises.resolve4(hostname);
       const ip = result[0];
-      log.debug(`Resolved ${hostname} to ${ip} (system DNS)`);
       return ip;
     } catch (e) {
       log.error(`Failed to resolve ${hostname}: ${e.message}`);
@@ -192,13 +161,11 @@ function isInternalUrl(url) {
         // Not an IP, allow it through if we have custom DNS configured
         // The actual resolution will happen in the forward_request handler
         if (DNS_SERVERS !== null && DNS_SERVERS.length > 0) {
-          log.debug(`Hostname ${hostname} will be resolved with custom DNS during forward`);
           return true;
         }
         
         // For system DNS, we can't do synchronous lookup here
         // Allow all private hostnames through and validate during forward
-        log.debug(`Hostname ${hostname} will be validated during forward`);
         return true;
       }
     }
@@ -313,6 +280,30 @@ socket.on('disconnect', () => {
   log.warn("Disconnected from broker server");
 });
 
+socket.on('connect_error', (error) => {
+  log.error(`Socket.IO connection error: ${error.message}`);
+  if (error.description) {
+    log.error(`  Description: ${JSON.stringify(error.description)}`);
+  }
+  if (error.context) {
+    log.error(`  Context: ${JSON.stringify(error.context)}`);
+  }
+  log.error(`  Type: ${error.type || 'unknown'}`);
+});
+
+// Manager events (on socket.io)
+socket.io.on('error', (error) => {
+  log.error(`Socket.IO Manager error: ${error.message || JSON.stringify(error)}`);
+});
+
+socket.io.on('reconnect_error', (error) => {
+  log.error(`Socket.IO reconnection error: ${error.message}`);
+});
+
+socket.io.on('reconnect_failed', () => {
+  log.error(`Socket.IO reconnection failed after all attempts`);
+});
+
 socket.on('forward_request', async (data, callback) => {
   /**
    * Receive request from broker server and forward to internal resource
@@ -407,11 +398,13 @@ async function registerWithServer() {
   
   for (let attempt = 0; attempt < maxRetries; attempt++) {
     try {
+      const axiosConfig = {
+        timeout: 10000
+      };
+      
       const response = await axios.post(serverUrl, {
         client_secret: CLIENT_SECRET
-      }, {
-        timeout: 10000
-      });
+      }, axiosConfig);
       
       if (response.status === 200) {
         const clientId = response.data.client_id;
@@ -449,7 +442,14 @@ async function registerWithServer() {
         log.warn(`Registration attempt ${attempt + 1} failed: ${response.status} - ${response.data}`);
       }
     } catch (error) {
-      log.warn(`Registration attempt ${attempt + 1} failed: ${error.name}: ${error.message}`);
+      if (error.response) {
+        // HTTP error response
+        log.warn(`Registration attempt ${attempt + 1} failed: ${error.response.status} - ${JSON.stringify(error.response.data)}`);
+      } else {
+        // Error setting up request
+        log.warn(`Registration attempt ${attempt + 1} failed: ${error.message}`);
+      }
+      
       if (getClientId() !== null) {
         // If we have a client_id already, don't retry
         // we should try once to deal with secret rotation
@@ -498,10 +498,10 @@ async function main() {
   log.info(`Registered resources: ${Object.keys(registeredResources).length > 0 ? Object.keys(registeredResources).join(', ') : 'None'}`);
   
   log.info(`Server URL: ${SERVER_URL}`);
-  if (HTTP_PROXY) {
-    log.info(`HTTP Proxy: ${HTTP_PROXY}`);
+  if (process.env.HTTP_PROXY || process.env.HTTPS_PROXY) {
+    log.info(`Proxy configured: HTTP_PROXY=${process.env.HTTP_PROXY || 'not set'}, HTTPS_PROXY=${process.env.HTTPS_PROXY || 'not set'}`);
   } else {
-    log.info("HTTP Proxy: Not configured");
+    log.info("Proxy: Not configured");
   }
   
   // Register with server (creates client_id file, waits for propagation)

package/app/resourceManager.js

@@ -102,7 +102,7 @@ export class ResourceManager {
       this._resources = { ...resourcesDict };
       this._saveToFile();
     } else {
-      log.debug("No resource changes detected");
+      log.info("No resource changes detected");
     }
   }
 
@@ -183,7 +183,13 @@ export class ResourceManager {
       }
       
     } catch (error) {
-      log.error(`Error fetching resources from broker: ${error.message}`);
+      if (error.response) {
+        // HTTP error response
+        log.error(`Error fetching resources from broker: ${error.response.status} - ${JSON.stringify(error.response.data)}`);
+      } else {
+        // Error setting up request
+        log.error(`Error fetching resources from broker: ${error.message}`);
+      }
     }
   }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aikidosec/broker-client",
-  "version": "1.0.1",
+  "version": "1.0.3",
   "description": "Aikido Broker Client - Runs in customer network to forward requests to internal resources",
   "main": "app/client.js",
   "type": "module",