@aikidosec/broker-client 1.0.2 → 1.0.4

package/app/client.js

@@ -12,6 +12,7 @@ import { Address4, Address6 } from 'ip-address';
 import dns from 'native-dns';
 import fs from 'fs';
 import { ResourceManager } from './resourceManager.js';
+import { HttpsProxyAgent } from 'https-proxy-agent';
 
 // Configure logging
 const log = {
@@ -83,7 +84,6 @@ async function resolveInternalHostname(hostname) {
       const dnsPromises = await import('dns/promises');
       const result = await dnsPromises.resolve4(hostname);
       const ip = result[0];
-      log.debug(`Resolved ${hostname} to ${ip} (system DNS)`);
       return ip;
     } catch (e) {
       log.error(`Failed to resolve ${hostname}: ${e.message}`);
@@ -162,13 +162,11 @@ function isInternalUrl(url) {
         // Not an IP, allow it through if we have custom DNS configured
         // The actual resolution will happen in the forward_request handler
         if (DNS_SERVERS !== null && DNS_SERVERS.length > 0) {
-          log.debug(`Hostname ${hostname} will be resolved with custom DNS during forward`);
           return true;
         }
         
         // For system DNS, we can't do synchronous lookup here
         // Allow all private hostnames through and validate during forward
-        log.debug(`Hostname ${hostname} will be validated during forward`);
         return true;
       }
     }
@@ -216,36 +214,9 @@ function isInternalUrl(url) {
   }
 }
 
-/**
- * Check if a resource is registered with the broker.
- */
-function isResourceAllowed(resource) {
-  const registeredResources = resourceManager.getResources();
-  
-  // If no resources registered yet, deny (customer must register resources first)
-  if (Object.keys(registeredResources).length === 0) {
-    log.warn("No resources registered - customer must register resources via setup mode");
-    return false;
-  }
-  
-  // Normalize the target URL for comparison
-  const resourceParsed = new URL(resource);
-  const resourceNormalized = `${resourceParsed.protocol}//${resourceParsed.host}${resourceParsed.pathname || '/'}`;
-  
-  // Check if the exact base_url is registered
-  for (const baseUrl of Object.keys(registeredResources)) {
-    const baseParsed = new URL(baseUrl);
-    const baseNormalized = `${baseParsed.protocol}//${baseParsed.host}${baseParsed.pathname || '/'}`;
-    
-    // Allow if target URL starts with registered base URL
-    if (resourceNormalized.startsWith(baseNormalized)) {
-      log.info(`Resource ${resource} matches registered base_url ${baseUrl}`);
-      return true;
-    }
-  }
-  
-  log.warn(`Resource ${resource} not found in registered resources: ${Object.keys(registeredResources)}`);
-  return false;
+let agent;
+if (process.env.HTTPS_PROXY || process.env.ALL_PROXY) {
+  agent = new HttpsProxyAgent(process.env.HTTPS_PROXY || process.env.ALL_PROXY);
 }
 
 // Create Socket.IO client
@@ -253,12 +224,14 @@ const socket = io(SERVER_URL, {
   auth: {
     client_secret: CLIENT_SECRET
   },
+  agent,
   transports: ['websocket', 'polling'],
   reconnection: true,
   reconnectionAttempts: Infinity,
   reconnectionDelay: 1000,
   reconnectionDelayMax: 30000,
   randomizationFactor: 0.5,
+  tryAllTransports: true, // if we don't, it won't try to fallback from websocket to polling
   autoConnect: false  // Don't connect until after registration
 });
 
@@ -283,6 +256,30 @@ socket.on('disconnect', () => {
   log.warn("Disconnected from broker server");
 });
 
+socket.on('connect_error', (error) => {
+  log.error(`Socket.IO connection error: ${error.message}`);
+  if (error.description) {
+    log.error(`  Description: ${JSON.stringify(error.description)}`);
+  }
+  if (error.context) {
+    log.error(`  Context: ${JSON.stringify(error.context)}`);
+  }
+  log.error(`  Type: ${error.type || 'unknown'}`);
+});
+
+// Manager events (on socket.io)
+socket.io.on('error', (error) => {
+  log.error(`Socket.IO Manager error: ${error.message || JSON.stringify(error)}`);
+});
+
+socket.io.on('reconnect_error', (error) => {
+  log.error(`Socket.IO reconnection error: ${error.message}`);
+});
+
+socket.io.on('reconnect_failed', () => {
+  log.error(`Socket.IO reconnection failed after all attempts`);
+});
+
 socket.on('forward_request', async (data, callback) => {
   /**
    * Receive request from broker server and forward to internal resource
@@ -308,7 +305,7 @@ socket.on('forward_request', async (data, callback) => {
     return;
   }
 
-  if (!isResourceAllowed(targetUrl)) {
+  if (!(await resourceManager.isResourceAllowedWithSync(targetUrl))) {
     callback({
       request_id: requestId,
       status_code: 403,
@@ -421,7 +418,14 @@ async function registerWithServer() {
         log.warn(`Registration attempt ${attempt + 1} failed: ${response.status} - ${response.data}`);
       }
     } catch (error) {
-      log.warn(`Registration attempt ${attempt + 1} failed: ${error.name}: ${error.message}`);
+      if (error.response) {
+        // HTTP error response
+        log.warn(`Registration attempt ${attempt + 1} failed: ${error.response.status} - ${JSON.stringify(error.response.data)}`);
+      } else {
+        // Error setting up request
+        log.warn(`Registration attempt ${attempt + 1} failed: ${error.message}`);
+      }
+      
       if (getClientId() !== null) {
         // If we have a client_id already, don't retry
         // we should try once to deal with secret rotation

package/app/resourceManager.js

@@ -29,6 +29,8 @@ export class ResourceManager {
     this._serverUrl = null;
     this._clientId = null;
     this._clientSecret = null;
+    this._lastResourceSync = 0;
+    this._syncThrottleMs = 30000; // 30 seconds
     this._loadFromFile();
   }
 
@@ -102,7 +104,7 @@ export class ResourceManager {
       this._resources = { ...resourcesDict };
       this._saveToFile();
     } else {
-      log.debug("No resource changes detected");
+      log.info("No resource changes detected");
     }
   }
 
@@ -114,6 +116,70 @@ export class ResourceManager {
     return { ...this._resources };
   }
 
+  /**
+   * Check if a resource URL is allowed (registered).
+   * @param {string} resource - The full URL to check
+   * @returns {boolean} True if allowed, false otherwise
+   */
+  isResourceAllowed(resource) {
+    // If no resources registered yet, deny
+    if (Object.keys(this._resources).length === 0) {
+      log.warn("No resources registered - customer must register resources via setup mode");
+      return false;
+    }
+    
+    // Normalize the target URL for comparison
+    const resourceParsed = new URL(resource);
+    const resourceNormalized = `${resourceParsed.protocol}//${resourceParsed.host}${resourceParsed.pathname || '/'}`;
+    
+    // Check if the exact base_url is registered
+    for (const baseUrl of Object.keys(this._resources)) {
+      const baseParsed = new URL(baseUrl);
+      const baseNormalized = `${baseParsed.protocol}//${baseParsed.host}${baseParsed.pathname || '/'}`;
+      
+      // Allow if target URL starts with registered base URL
+      if (resourceNormalized.startsWith(baseNormalized)) {
+        log.info(`Resource ${resource} matches registered base_url ${baseUrl}`);
+        return true;
+      }
+    }
+    
+    log.warn(`Resource ${resource} not found in registered resources: ${Object.keys(this._resources)}`);
+    return false;
+  }
+
+  /**
+   * Check if a resource is allowed, with automatic sync retry if not found.
+   * Syncs from broker if resource not found and throttle period has passed.
+   * @param {string} resource - The full URL to check
+   * @returns {Promise<boolean>} True if allowed, false otherwise
+   */
+  async isResourceAllowedWithSync(resource) {
+    // First check without syncing
+    if (this.isResourceAllowed(resource)) {
+      return true;
+    }
+    
+    // Resource not found - try syncing from broker if enough time has passed
+    const now = Date.now();
+    if (now - this._lastResourceSync > this._syncThrottleMs) {
+      log.info(`Resource ${resource} not found, syncing from broker...`);
+      this._lastResourceSync = now;
+      try {
+        await this.syncFromBroker();
+        // Check again after sync
+        if (this.isResourceAllowed(resource)) {
+          log.info(`Resource ${resource} found after sync`);
+          return true;
+        }
+      } catch (error) {
+        log.error(`Failed to sync resources: ${error.message}`);
+      }
+    }
+    
+    return false;
+  }
+
   /**
    * Get resource_id for a base_url.
    * @param {string} baseUrl - The base URL to look up
@@ -177,13 +243,20 @@ export class ResourceManager {
         
         // Sync from broker response
         this.syncFromCore(resources);
+        this._lastResourceSync = Date.now();
         log.info(`✓ Synced ${Object.keys(resources).length} resources from broker`);
       } else {
         log.warn(`Failed to fetch resources: ${response.status} - ${response.data}`);
       }
       
     } catch (error) {
-      log.error(`Error fetching resources from broker: ${error.message}`);
+      if (error.response) {
+        // HTTP error response
+        log.error(`Error fetching resources from broker: ${error.response.status} - ${JSON.stringify(error.response.data)}`);
+      } else {
+        // Error setting up request
+        log.error(`Error fetching resources from broker: ${error.message}`);
+      }
     }
   }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aikidosec/broker-client",
-  "version": "1.0.2",
+  "version": "1.0.4",
   "description": "Aikido Broker Client - Runs in customer network to forward requests to internal resources",
   "main": "app/client.js",
   "type": "module",
@@ -33,6 +33,7 @@
   },
   "dependencies": {
     "axios": "1.13.2",
+    "https-proxy-agent": "^7.0.6",
     "ip-address": "10.0.1",
     "native-dns": "0.7.0",
     "socket.io-client": "4.8.1"