@alwaysai/device-agent 1.3.1 → 1.5.0

package/src/secure-tunneling/secure-tunneling.ts

@@ -0,0 +1,599 @@
+import { AAI_DIR } from 'alwaysai/lib/paths';
+import { JsSpawner } from 'alwaysai/lib/util';
+import { ChildProcess } from 'child_process';
+import { join } from 'path';
+import { aaiArtifactsBucketUrl } from '../urls';
+import { isValidAwsRegion } from '../util/cloud-mode-ready';
+import {
+  AWS_ROOT_CERTIFICATE_FILE_PATH,
+  SECURE_TUNNEL_BIN_DIR,
+  SECURE_TUNNEL_BIN_NAME,
+  SECURE_TUNNEL_BIN_PATH
+} from '../util/directories';
+import { downloadFile } from '../util/download-file';
+import { logger } from '../util/logger';
+import { getArch, getDistribution, getOsVersion } from '../util/system-info';
+import { killDetachedProcess, runDetachedProcess } from './spawner-detached';
+import {
+  SecureTunnelPortInfo,
+  SecureTunnelShadowDescriptionReported
+} from '@alwaysai/device-agent-schemas';
+
+enum SecureTunnelServiceType {
+  SSH = 'SSH',
+  HTTP = 'HTTP'
+}
+
+export type SecureTunnelShadowState = {
+  reported?: SecureTunnelShadowDescriptionReported;
+  desired?: SecureTunnelShadowDescriptionReported;
+};
+
+export type SecureTunnelShadowUpdateDelta = {
+  version: number;
+  timestamp: number;
+  state: SecureTunnelShadowDescriptionReported;
+  metadata?: any;
+};
+
+export type SecureTunnelShadowUpdate = {
+  version: number;
+  state: SecureTunnelShadowState;
+};
+
+type SecureTunnelProxyMap = {
+  st_port: SecureTunnelPortInfo;
+  localhostPort: number;
+  mapProcess: ChildProcess;
+};
+
+type SecureTunnelLocalProxyInfo = {
+  lpDstAccessKey: string;
+  lpRegion: string;
+  lpServices: string;
+  lpProcess: ChildProcess | null;
+};
+
+const defaultSecureTunnelPortInfo: SecureTunnelPortInfo = {
+  enabled: false,
+  type: SecureTunnelServiceType.SSH,
+  ip: '0.0.0.0',
+  port: 22
+};
+
+type SecureTunnelNotificationType = {
+  clientAccessToken: string;
+  region: string;
+  services: string[];
+};
+
+// socat tcp4-listen:5001,fork tcp4:100.70.31.118:80
+const ST_MAPPING_TOOL = 'socat';
+const ST_START_PORT_NUMBER = 5010;
+
+/**
+ * Handles Secure Tunnel Shadow State
+ */
+export class SecureTunnelHandlerSingleton {
+  private static instance: SecureTunnelHandlerSingleton;
+  private reported: SecureTunnelShadowDescriptionReported;
+  private httpProxyMap: SecureTunnelProxyMap[];
+  private localProxyInfo: SecureTunnelLocalProxyInfo;
+
+  /**
+   * Initializes private variables of SecureTunnel handler.
+   * private constructor to prevent instantiation from outside
+   */
+  private constructor() {
+    logger.debug('-> SecureTunnelHandlerSingleton.constructor');
+    this.reported = {
+      st_ports: [JSON.parse(JSON.stringify(defaultSecureTunnelPortInfo))]
+    };
+    this.httpProxyMap = [];
+    this.localProxyInfo = {
+      lpDstAccessKey: '',
+      lpRegion: '',
+      lpServices: '',
+      lpProcess: null
+    };
+    // TODO: create a recovery process if we just restarted
+    // for that to work we need to store somewhere the dst access key,
+    // recover it to restart local proxy to reconnect to secure tunnel
+    logger.debug('<- SecureTunnelHandlerSingleton.constructor');
+  }
+
+  //---------------------------------------------------------------------------
+  // public functions
+  //---------------------------------------------------------------------------
+  /**
+   * Implements the Singleton of the SecureTunnel
+   */
+  public static getInstance(): SecureTunnelHandlerSingleton {
+    logger.debug('-> SecureTunnelHandlerSingleton.getInstance');
+    if (!SecureTunnelHandlerSingleton.instance) {
+      SecureTunnelHandlerSingleton.instance =
+        new SecureTunnelHandlerSingleton();
+    }
+    logger.debug('<- SecureTunnelHandlerSingleton.getInstance');
+    return SecureTunnelHandlerSingleton.instance;
+  }
+
+  /**
+   * Stops all proxies started before
+   */
+  public async destroy(): Promise<void> {
+    logger.debug('-> SecureTunnelHandlerSingleton.destroy');
+    logger.debug(`httpProxyMap before : ${JSON.stringify(this.httpProxyMap)}`);
+    logger.debug(`reported before     : ${JSON.stringify(this.reported)}`);
+
+    // We need operate on a copy instead of the original this.httpProxyMap
+    // because stopProxyMapping removes entries and there for manipulates this loop
+    const httpProxyMapCopy: SecureTunnelProxyMap[] = JSON.parse(
+      JSON.stringify(this.httpProxyMap)
+    );
+    for (const item of httpProxyMapCopy) {
+      await this.stopProxyMapping(item.st_port);
+    }
+
+    this.reported = {
+      st_ports: [JSON.parse(JSON.stringify(defaultSecureTunnelPortInfo))]
+    };
+    logger.debug(`httpProxyMap after : ${JSON.stringify(this.httpProxyMap)}`);
+    logger.debug(`reported after     : ${JSON.stringify(this.reported)}`);
+    await this.stopLocalProxy();
+    logger.debug('<- SecureTunnelHandlerSingleton.destroy');
+  }
+
+  /**
+   * Returns current state of SecureTunnel shadow
+   * @returns {SecureTunnelShadowDescriptionReported} - reported state of the SecureTunnel shadow
+   */
+  public getSecureTunnelShadow(): SecureTunnelShadowDescriptionReported {
+    logger.debug('-> SecureTunnelHandlerSingleton.getSecureTunnelShadow');
+    logger.debug(`reported: ${JSON.stringify(this.reported)}`);
+    logger.debug('<- SecureTunnelHandlerSingleton.getSecureTunnelShadow');
+    return this.reported;
+  }
+
+  /**
+   * Updates current state of SecureTunnel shadow
+   * @param {SecureTunnelShadowUpdateDelta} deltaMsg - delta message, which includes desired state of the SecureTunnel shadow
+   * @return {SecureTunnelShadowDescriptionReported} update reported message to send back to AWS IoT device shadow
+   */
+  public async syncShadowToDeviceState(
+    deltaMsg: SecureTunnelShadowUpdateDelta
+  ): Promise<SecureTunnelShadowDescriptionReported> {
+    logger.debug('-> SecureTunnelHandlerSingleton.syncShadowToDeviceState');
+    const { version, state } = deltaMsg;
+    if (!state || typeof state.st_ports === 'undefined') {
+      return this.reported;
+    }
+    logger.debug(`version: ${version}`);
+    logger.debug(`state.st_ports: ${JSON.stringify(state.st_ports)}`);
+    await this.CleanupReportedPorts(state.st_ports);
+
+    for (const item of state.st_ports) {
+      logger.debug(`desiredItem: ${JSON.stringify(item)}`);
+      const existingPort = this.reported.st_ports.find(
+        (portInfo) =>
+          portInfo.ip === item.ip &&
+          portInfo.port === item.port &&
+          portInfo.type === item.type
+      );
+      logger.debug(`existingPort: ${JSON.stringify(existingPort)}`);
+
+      const numberOfEnabledPorts: number = this.reported.st_ports.reduce(
+        (acc, port) => {
+          return port.enabled ? acc + 1 : acc;
+        },
+        0
+      );
+
+      // check that port already exist in the reported shadow
+      if (!existingPort) {
+        if (item.enabled && item.type === SecureTunnelServiceType.HTTP) {
+          await this.startProxyMapping(item);
+        }
+        this.reported.st_ports.push(item);
+      } else if (existingPort.enabled !== item.enabled) {
+        if (item.type === SecureTunnelServiceType.HTTP) {
+          if (item.enabled) {
+            await this.startProxyMapping(item);
+          } else {
+            await this.stopProxyMapping(item);
+          }
+        }
+        existingPort.enabled = item.enabled;
+      }
+    }
+
+    // if all entries are disabled, we need also to kill local proxy
+    if (this.reported.st_ports.every((portInfo) => !portInfo.enabled)) {
+      await this.stopLocalProxy();
+    }
+
+    // need to order list in the same order as desired before sending back
+    const sortedPorts = this.sortPorts(state);
+
+    logger.debug(`sortedPorts: ${JSON.stringify(sortedPorts)}`);
+    logger.debug('<- SecureTunnelHandlerSingleton.syncShadowToDeviceState');
+    return sortedPorts;
+  }
+
+  /**
+   * Starts SecureTunnel
+   * @param {SecureTunnelNotificationType} message - AWS notification received
+   */
+  public async secureTunnelNotifyHandler(
+    message: SecureTunnelNotificationType
+  ): Promise<void> {
+    logger.debug('-> SecureTunnelHandlerSingleton.secureTunnelNotifyHandler');
+
+    try {
+      await this.stopLocalProxy();
+      this.processNotifyMessage(message);
+      await this.downloadSecureTunnel();
+      await this.startLocalProxy();
+    } catch (error) {
+      logger.error(error);
+    }
+
+    logger.info(`Local Proxy Started: ${JSON.stringify(this.localProxyInfo)}`);
+    logger.debug('<- SecureTunnelHandlerSingleton.secureTunnelNotifyHandler');
+  }
+
+  //---------------------------------------------------------------------------
+  // private functions
+  //---------------------------------------------------------------------------
+  /**
+   * Removes reported ports which are do not exist in desired
+   * @param {SecureTunnelPortInfo[]} desiredPorts - desired port config
+   */
+  private async CleanupReportedPorts(desiredPorts: SecureTunnelPortInfo[]) {
+    logger.debug('-> SecureTunnelHandlerSingleton.CleanupReportedPorts');
+    const itemsToRemove: SecureTunnelPortInfo[] = [];
+
+    for (const item of this.reported.st_ports) {
+      logger.debug(`Checking item: ${JSON.stringify(item)}`);
+      if (
+        !desiredPorts.some(
+          (port) =>
+            port.ip === item.ip &&
+            port.port === item.port &&
+            port.type === item.type
+        )
+      ) {
+        logger.debug(`Marking item for removal: ${JSON.stringify(item)}`);
+        itemsToRemove.push(item);
+      }
+    }
+
+    for (const item of itemsToRemove) {
+      const index = this.reported.st_ports.indexOf(item);
+      if (index !== -1) {
+        const removedItem = this.reported.st_ports.splice(index, 1)[0];
+        logger.debug(`Removing item: ${JSON.stringify(removedItem)}`);
+        if (removedItem.type === SecureTunnelServiceType.HTTP) {
+          await this.stopProxyMapping(removedItem);
+        }
+      }
+    }
+
+    logger.debug(`reportedPorts: ${JSON.stringify(this.reported.st_ports)}`);
+    logger.debug('<- SecureTunnelHandlerSingleton.CleanupReportedPorts');
+  }
+
+  /**
+   * Starts port proxy mapping process
+   * @param {SecureTunnelPortInfo} portInfo - port info to start the port mapping process for
+   */
+  private async startProxyMapping(
+    portInfo: SecureTunnelPortInfo
+  ): Promise<void> {
+    logger.debug('-> SecureTunnelHandlerSingleton.startProxyMapping');
+    logger.debug(`portInfo: ${JSON.stringify(portInfo)}`);
+
+    // if there is already a process running for the ip:port, don't start another one
+    const itemIndex = this.httpProxyMap.findIndex(
+      (item) =>
+        item.st_port.ip === portInfo.ip && item.st_port.port === portInfo.port
+    );
+    if (itemIndex !== -1) {
+      logger.debug(`socat already active for: ${portInfo.ip}:${portInfo.port}`);
+      logger.debug('<- SecureTunnelHandlerSingleton.startProxyMapping');
+      return;
+    }
+
+    const localPort = this.getNextAvailablePort();
+    try {
+      logger.info(`Starting Port Proxy Mapping on ${localPort}`);
+      const args = [
+        `tcp4-listen:${localPort},fork`,
+        `tcp4:${portInfo.ip}:${portInfo.port}`
+      ];
+      const childProcess = await runDetachedProcess(ST_MAPPING_TOOL, args);
+      // TODO: if there is a device restart, to restore port mapping,
+      // this info needs to be saved on drive to be able to recover
+      this.httpProxyMap.push({
+        st_port: portInfo,
+        localhostPort: localPort,
+        mapProcess: childProcess
+      });
+      logger.info(
+        `Started Port Proxy Mapping for: ${JSON.stringify(
+          this.httpProxyMap[this.httpProxyMap.length - 1]
+        )}`
+      );
+    } catch (error) {
+      logger.error(
+        `ERROR: starting socat for: ${portInfo.ip}:${portInfo.port} on localhost port: ${localPort}, error: ${error}`
+      );
+      const lastHttpProxyMap = this.httpProxyMap.pop();
+      logger.info(`removed last proxyMap: ${JSON.stringify(lastHttpProxyMap)}`);
+    }
+    logger.debug('<- SecureTunnelHandlerSingleton.startProxyMapping');
+  }
+
+  /**
+   * Stops port proxy mapping process
+   * @param {SecureTunnelPortInfo} portInfo - port info to stop the port mapping process for
+   */
+  private async stopProxyMapping(
+    portInfo: SecureTunnelPortInfo
+  ): Promise<void> {
+    logger.debug('-> SecureTunnelHandlerSingleton.stopProxyMapping');
+    logger.debug(`portInfo: ${JSON.stringify(portInfo)}`);
+
+    const itemIndex = this.httpProxyMap.findIndex(
+      (item) =>
+        item.st_port.ip === portInfo.ip && item.st_port.port === portInfo.port
+    );
+
+    if (itemIndex !== -1) {
+      logger.info(
+        `Stopping Port Proxy Mapping for: ${JSON.stringify(
+          this.httpProxyMap[itemIndex]
+        )}`
+      );
+      try {
+        const processName = [
+          ST_MAPPING_TOOL,
+          `tcp4-listen:${this.httpProxyMap[itemIndex].localhostPort},fork`,
+          `tcp4:${portInfo.ip}:${portInfo.port}`
+        ];
+        await killDetachedProcess(this.httpProxyMap[itemIndex].mapProcess, [
+          processName.join(' ')
+        ]);
+        logger.debug(
+          `SUCCESS: killing socat process: ${JSON.stringify(
+            this.httpProxyMap[itemIndex]
+          )}`
+        );
+        logger.debug(`Remaining map: ${JSON.stringify(this.httpProxyMap)}`);
+      } catch (e) {
+        logger.error('ERROR: killing socat process:', e);
+      }
+      logger.debug(
+        `Removing map: ${JSON.stringify(this.httpProxyMap[itemIndex])}`
+      );
+      this.httpProxyMap.splice(itemIndex, 1);
+    }
+    logger.debug('<- SecureTunnelHandlerSingleton.stopProxyMapping');
+  }
+
+  /**
+   * Starts SecureTunnel localProxy process
+   */
+  private async startLocalProxy(): Promise<void> {
+    logger.debug('-> SecureTunnelHandlerSingleton.startLocalProxy');
+
+    const args = [
+      '--destination-app',
+      this.localProxyInfo.lpServices,
+      '--region',
+      this.localProxyInfo.lpRegion,
+      '--capath',
+      AWS_ROOT_CERTIFICATE_FILE_PATH,
+      '--local-bind-address',
+      '0.0.0.0',
+      '-t',
+      this.localProxyInfo.lpDstAccessKey
+    ];
+
+    this.localProxyInfo.lpProcess = await runDetachedProcess(
+      SECURE_TUNNEL_BIN_PATH,
+      args
+    );
+    logger.debug('<- SecureTunnelHandlerSingleton.startLocalProxy');
+  }
+
+  /**
+   * Stops SecureTunnel local proxy process
+   */
+  private async stopLocalProxy(): Promise<void> {
+    logger.debug('-> SecureTunnelHandlerSingleton.stopLocalProxy');
+    if (!this.localProxyInfo.lpProcess) {
+      logger.debug('No local proxy process running');
+      logger.debug('<- SecureTunnelHandlerSingleton.stopLocalProxy');
+      return;
+    }
+
+    try {
+      logger.debug(
+        `About to kill local proxy: ${this.localProxyInfo.lpDstAccessKey}`
+      );
+      await killDetachedProcess(this.localProxyInfo.lpProcess, [
+        SECURE_TUNNEL_BIN_PATH
+      ]);
+      logger.debug('SUCCESS: killing local proxy process');
+    } catch (e) {
+      logger.error('ERROR: killing local proxy process:', e);
+    }
+    this.localProxyInfo = {
+      lpDstAccessKey: '',
+      lpRegion: '',
+      lpServices: '',
+      lpProcess: null
+    };
+    logger.debug('<- SecureTunnelHandlerSingleton.stopLocalProxy');
+  }
+
+  /**
+   * processes and validate notify message
+   * @param {string[]} message - message, which contains: clientAccessToken, region, services
+   */
+  private processNotifyMessage(message: SecureTunnelNotificationType): void {
+    logger.debug('-> SecureTunnelHandlerSingleton.processNotifyMessage');
+    const { clientAccessToken, region, services } = message;
+    const portMappingList: string[] = [];
+
+    if (clientAccessToken === '') {
+      throw new Error('ERROR: invalid destination access token');
+    }
+    if (!isValidAwsRegion(region)) {
+      throw new Error(`ERROR: invalid/unsupported region: ${region}`);
+    }
+    if (services.length === 0) {
+      throw new Error(`ERROR: services field is empty: ${region}`);
+    }
+    if (services.some((field) => field === '')) {
+      throw new Error(`ERROR: one service fields is empty: ${region}`);
+    }
+    if (
+      services.some(
+        (service) =>
+          !service.startsWith(SecureTunnelServiceType.SSH) &&
+          !service.startsWith(SecureTunnelServiceType.HTTP)
+      )
+    ) {
+      throw new Error(
+        `ERROR: one service fields is invalid: ${JSON.stringify(services)}`
+      );
+    }
+    const sshEnabledPorts = this.reported.st_ports.filter(
+      (port) => port.type === SecureTunnelServiceType.SSH && port.enabled
+    );
+    const sshServicePorts = services.filter((service) =>
+      service.startsWith(SecureTunnelServiceType.SSH)
+    );
+    const httpServicePorts = services.filter((service) =>
+      service.startsWith(SecureTunnelServiceType.HTTP)
+    );
+    if (sshServicePorts.length > 1) {
+      throw new Error(
+        `ERROR: None or only 1 SSH port is allowed! sshEnabledPortsCount: ${sshEnabledPorts.length}`
+      );
+    }
+    // the new SSH mismatch, but NOT the SSH, because that device without shadow
+    if (
+      sshEnabledPorts.length !== sshServicePorts.length &&
+      sshServicePorts[0] !== SecureTunnelServiceType.SSH
+    ) {
+      throw new Error(
+        `ERROR: SSH ports mismatch! sshEnabledPortsCount: ${sshEnabledPorts.length}, sshServicePortsCount: ${sshServicePorts.length}`
+      );
+    }
+    if (this.httpProxyMap.length !== httpServicePorts.length) {
+      throw new Error(
+        `ERROR: HTTP ports mismatch! httpMappedPortsCount: ${this.httpProxyMap.length}, httpServicePortsCount: ${httpServicePorts.length}`
+      );
+    }
+
+    // this is the default case: just 1 SSH without any HTTP service
+    if (
+      services.length === 1 &&
+      services[0] === defaultSecureTunnelPortInfo.type
+    ) {
+      portMappingList.push(defaultSecureTunnelPortInfo.port.toString());
+    } else {
+      // this is the multi port case, need port mapping to running services
+      sshServicePorts.forEach((port, index) => {
+        portMappingList.push(`${port}=${sshEnabledPorts[index].port}`);
+      });
+      httpServicePorts.forEach((port, index) => {
+        portMappingList.push(
+          `${port}=${this.httpProxyMap[index].localhostPort}`
+        );
+      });
+    }
+
+    this.localProxyInfo.lpDstAccessKey = clientAccessToken;
+    this.localProxyInfo.lpRegion = region;
+    this.localProxyInfo.lpServices = portMappingList.join(',');
+    logger.debug(`reported =  ${JSON.stringify(this.reported.st_ports)}`);
+    logger.debug(`localProxyInfo =  ${JSON.stringify(this.localProxyInfo)}`);
+    logger.debug('<- SecureTunnelHandlerSingleton.processNotifyMessage');
+  }
+
+  /**
+   * Downloads SecureTunnel local proxy, if it was not downloaded before
+   */
+  private async downloadSecureTunnel(): Promise<void> {
+    logger.debug('-> SecureTunnelHandlerSingleton.downloadSecureTunnel');
+
+    if (await JsSpawner().exists(SECURE_TUNNEL_BIN_PATH)) {
+      logger.debug('<- SecureTunnelHandlerSingleton.downloadSecureTunnel');
+      return;
+    }
+
+    const [arch, linuxDistro, osVersion] = await Promise.all([
+      getArch(),
+      getDistribution(),
+      getOsVersion()
+    ]);
+
+    logger.info('Downloading SecureTunnel local proxy ...');
+    const url = `${aaiArtifactsBucketUrl}/securetunnel/${linuxDistro}/${osVersion}/${arch}/${SECURE_TUNNEL_BIN_NAME}`;
+    await JsSpawner().mkdirp(join(AAI_DIR, SECURE_TUNNEL_BIN_DIR));
+    await downloadFile({
+      url,
+      path: SECURE_TUNNEL_BIN_PATH,
+      errorMessage: `Secure Tunnel bin for ${linuxDistro} ${osVersion} ${arch} not found}`
+    });
+
+    await JsSpawner().run({
+      exe: 'chmod',
+      args: ['+x', SECURE_TUNNEL_BIN_PATH]
+    });
+    logger.debug('<- SecureTunnelHandlerSingleton.downloadSecureTunnel');
+  }
+
+  /**
+   * Gets next available localhost port
+   */
+  private getNextAvailablePort(): number {
+    logger.debug('-> SecureTunnelHandlerSingleton.getNextAvailablePort');
+    let lastLocalhostPort: number = ST_START_PORT_NUMBER;
+    if (this.httpProxyMap.length > 0) {
+      lastLocalhostPort = this.httpProxyMap.reduce((maxPort, proxy) => {
+        return proxy.localhostPort > maxPort ? proxy.localhostPort : maxPort;
+      }, ST_START_PORT_NUMBER);
+    }
+    // for now just check whether we are using specific port number
+    // TODO: in the future we need to check whether some other services are using a specific port
+    // possible way to check taken ports: "sudo netstat -tuln | grep <port_number>""
+    logger.debug(`lastLocalhostPort: ${(lastLocalhostPort + 1).toString()}`);
+    logger.debug('<- SecureTunnelHandlerSingleton.getNextAvailablePort');
+    return lastLocalhostPort + 1;
+  }
+
+  private sortPorts(
+    desired: SecureTunnelShadowDescriptionReported
+  ): SecureTunnelShadowDescriptionReported {
+    logger.debug('-> SecureTunnelHandlerSingleton.sortPorts');
+    const sortedPorts = JSON.parse(JSON.stringify(this.reported));
+    sortedPorts.st_ports.sort((a, b) => {
+      const aOriginalIndex = desired.st_ports.findIndex(
+        (item) =>
+          item.type === a.type && item.ip === a.ip && item.port === a.port
+      );
+      const bOriginalIndex = desired.st_ports.findIndex(
+        (item) =>
+          item.type === b.type && item.ip === b.ip && item.port === b.port
+      );
+      return aOriginalIndex - bOriginalIndex;
+    });
+    logger.debug('<- SecureTunnelHandlerSingleton.sortPorts');
+    return sortedPorts;
+  }
+}