@dcrays/dcgchat-test 0.2.33 → 0.3.0

package/src/gateway/index.ts

@@ -0,0 +1,458 @@
+// Gateway connection handler - connects to local OpenClaw gateway
+import { WebSocket } from 'ws'
+import crypto from 'crypto'
+import { deriveDeviceIdFromPublicKey, publicKeyRawBase64UrlFromPem, buildDeviceAuthPayloadV3, signDevicePayload } from './security.js'
+import { dcgLogger } from '../utils/log.js'
+import { sendDcgchatCron, updateCronJobSessionKey } from '../cron.js'
+
+export interface GatewayEvent {
+  type: string
+  payload?: Record<string, unknown>
+  seq?: number
+}
+
+export interface GatewayHelloOk {
+  server: {
+    connId: string
+  }
+  features: {
+    methods: string[]
+    events: string[]
+  }
+  policy?: {
+    tickIntervalMs?: number
+  }
+  auth?: {
+    deviceToken?: string
+    role?: string
+    scopes?: string[]
+  }
+}
+
+export interface GatewayResponse {
+  type: 'res'
+  id: string
+  ok: boolean
+  /** 多数 RPC 成功时的返回值 */
+  result?: unknown
+  /** connect 及部分响应使用 payload（见 docs/gateway/protocol.md） */
+  payload?: unknown
+  error?: {
+    code: string
+    message: string
+    details?: Record<string, unknown>
+  }
+}
+
+export interface GatewayEventFrame {
+  type: 'event'
+  event: string
+  payload?: Record<string, unknown>
+  seq?: number
+}
+
+export interface GatewayHelloOkFrame {
+  type: 'hello-ok'
+  server: {
+    connId: string
+  }
+  features: {
+    methods: string[]
+    events: string[]
+  }
+  policy?: {
+    tickIntervalMs?: number
+  }
+}
+
+// Union of all possible gateway messages
+export type GatewayMessage = GatewayEventFrame | GatewayResponse | GatewayHelloOkFrame
+
+export interface GatewayConfig {
+  url: string
+  token: string
+  role: string
+  scopes: string[]
+  reconnectInterval?: number
+  maxReconnectAttempts?: number
+}
+
+/**
+ * Gateway connection handler
+ */
+export class GatewayConnection {
+  private ws: WebSocket | null = null
+  private config: Required<GatewayConfig>
+  private deviceId: string
+  private privateKeyPem: string
+  private publicKeyB64Url: string
+  private connected: boolean = false
+  private connId: string | null = null
+  /** 服务端 connect.challenge 提供的 nonce，须与签名载荷一致 */
+  private connectChallengeNonce: string | null = null
+  private connectSent: boolean = false
+  private messageHandlers: Map<string, (response: GatewayResponse) => void> = new Map()
+  private eventHandlers: Set<(event: GatewayEvent) => void> = new Set()
+
+  constructor(config: GatewayConfig) {
+    this.config = {
+      url: config.url,
+      token: config.token,
+      role: config.role || 'operator',
+      scopes: config.scopes || ['operator.admin'],
+      reconnectInterval: config.reconnectInterval || 5000,
+      maxReconnectAttempts: config.maxReconnectAttempts || 10
+    }
+
+    const identity = this.loadOrCreateDeviceIdentity()
+    // 必须与公钥指纹一致（deriveDeviceIdFromPublicKey），不可用随机 UUID
+    this.deviceId = identity.deviceId
+    this.privateKeyPem = identity.privateKeyPem
+    this.publicKeyB64Url = identity.publicKeyB64Url
+  }
+
+  private loadOrCreateDeviceIdentity() {
+    const fs = require('fs')
+    const path = require('path')
+    const stateDir = path.join(process.cwd(), '.state')
+    const deviceFile = path.join(stateDir, 'device.json')
+
+    // Try to load existing identity
+    if (fs.existsSync(deviceFile)) {
+      const stored = JSON.parse(fs.readFileSync(deviceFile, 'utf8'))
+      if (stored.deviceId && stored.publicKeyPem && stored.privateKeyPem) {
+        const derivedId = deriveDeviceIdFromPublicKey(stored.publicKeyPem)
+        const deviceId = derivedId !== stored.deviceId ? derivedId : stored.deviceId
+        if (derivedId !== stored.deviceId) {
+          try {
+            fs.writeFileSync(deviceFile, JSON.stringify({ ...stored, deviceId: derivedId }, null, 2))
+          } catch {
+            /* keep in-memory fixed id only */
+          }
+        }
+        return {
+          deviceId,
+          publicKeyPem: stored.publicKeyPem,
+          privateKeyPem: stored.privateKeyPem,
+          publicKeyB64Url: publicKeyRawBase64UrlFromPem(stored.publicKeyPem)
+        }
+      }
+    }
+
+    // Create new identity
+    const keyPair = crypto.generateKeyPairSync('ed25519')
+    const publicKeyPem = keyPair.publicKey.export({ type: 'spki', format: 'pem' }).toString()
+    const privateKeyPem = keyPair.privateKey.export({ type: 'pkcs8', format: 'pem' }).toString()
+    const deviceId = deriveDeviceIdFromPublicKey(publicKeyPem)
+    const publicKeyB64Url = publicKeyRawBase64UrlFromPem(publicKeyPem)
+
+    // Ensure directory exists
+    if (!fs.existsSync(stateDir)) {
+      fs.mkdirSync(stateDir, { recursive: true })
+    }
+
+    // Save identity
+    fs.writeFileSync(
+      deviceFile,
+      JSON.stringify(
+        {
+          version: 1,
+          deviceId,
+          publicKeyPem,
+          privateKeyPem,
+          createdAtMs: Date.now()
+        },
+        null,
+        2
+      )
+    )
+    fs.chmodSync(deviceFile, 0o600)
+
+    return { deviceId, publicKeyPem, privateKeyPem, publicKeyB64Url }
+  }
+
+  /**
+   * Connect to the gateway
+   */
+  async connect(): Promise<GatewayHelloOk> {
+    return new Promise((resolve, reject) => {
+      this.connectChallengeNonce = null
+      this.connectSent = false
+      this.ws = new WebSocket(this.config.url)
+
+      let handshakeSettled = false
+      const finishHandshake = (fn: () => void) => {
+        if (handshakeSettled) return
+        handshakeSettled = true
+        clearTimeout(timeout)
+        fn()
+      }
+
+      const timeout = setTimeout(() => {
+        finishHandshake(() => reject(new Error('Gateway connection timeout')))
+      }, 15000)
+
+      this.ws.on('open', () => {
+        dcgLogger('Gateway connection opened（等待 connect.challenge）')
+      })
+
+      this.ws.on('message', (data) => {
+        try {
+          const msg = JSON.parse(data.toString())
+          this.handleMessage(
+            msg,
+            (hello) => finishHandshake(() => resolve(hello)),
+            (err) => finishHandshake(() => reject(err)),
+            timeout
+          )
+        } catch (err) {
+          dcgLogger(`[Gateway] 解析消息失败: ${err}`, 'error')
+        }
+      })
+
+      this.ws.on('close', () => {
+        this.connected = false
+        finishHandshake(() => reject(new Error('Gateway 在握手完成前关闭了连接')))
+      })
+
+      this.ws.on('error', (err) => {
+        console.log('🚀 ~ GatewayConnection ~ connect ~ err:', err)
+        finishHandshake(() => reject(err))
+      })
+    })
+  }
+
+  /**
+   * Send initial connect request
+   */
+  private sendConnect(): void {
+    if (this.connectSent) return
+    const nonce = this.connectChallengeNonce?.trim() ?? ''
+    if (!nonce) return
+
+    this.connectSent = true
+    const signedAtMs = Date.now()
+    const platform = process.platform
+
+    const payload = buildDeviceAuthPayloadV3({
+      deviceId: this.deviceId,
+      clientId: 'gateway-client',
+      clientMode: 'backend',
+      role: this.config.role,
+      scopes: this.config.scopes,
+      signedAtMs,
+      token: this.config.token,
+      nonce,
+      platform,
+      deviceFamily: ''
+    })
+
+    const signature = signDevicePayload(this.privateKeyPem, payload)
+
+    this.ws?.send(
+      JSON.stringify({
+        type: 'req',
+        id: '1',
+        method: 'connect',
+        params: {
+          minProtocol: 3,
+          maxProtocol: 3,
+          client: {
+            id: 'gateway-client',
+            version: '1.0.0',
+            platform,
+            mode: 'backend'
+          },
+          auth: { token: this.config.token },
+          role: this.config.role,
+          scopes: this.config.scopes,
+          device: {
+            id: this.deviceId,
+            publicKey: this.publicKeyB64Url,
+            signature,
+            signedAt: signedAtMs,
+            nonce
+          }
+        }
+      })
+    )
+  }
+
+  /**
+   * Handle incoming messages
+   */
+  private mapHelloPayloadToHelloOk(payload: Record<string, unknown>): GatewayHelloOk {
+    const serverRaw = payload.server as Record<string, unknown> | undefined
+    const featuresRaw = payload.features as Record<string, unknown> | undefined
+    return {
+      server: { connId: typeof serverRaw?.connId === 'string' ? serverRaw.connId : '' },
+      features: {
+        methods: Array.isArray(featuresRaw?.methods) ? (featuresRaw.methods as string[]) : [],
+        events: Array.isArray(featuresRaw?.events) ? (featuresRaw.events as string[]) : []
+      },
+      policy: payload.policy as GatewayHelloOk['policy'],
+      auth: payload.auth as GatewayHelloOk['auth']
+    }
+  }
+
+  private handleMessage(
+    msg: Record<string, any>,
+    resolveHello: (helloOk: GatewayHelloOk) => void,
+    rejectHello: (err: Error) => void,
+    timeout: NodeJS.Timeout
+  ): void {
+    const msgType = msg.type as string | undefined
+
+    if (msg.type === 'event' && msg.event === 'connect.challenge') {
+      const payload = msg.payload as Record<string, unknown> | undefined
+      const nonce = typeof payload?.nonce === 'string' ? payload.nonce.trim() : ''
+      if (!nonce) {
+        rejectHello(new Error('connect.challenge 缺少 nonce'))
+        return
+      }
+      this.connectChallengeNonce = nonce
+      this.sendConnect()
+      return
+    }
+
+    // 协议 v3：握手成功为 type:"res" + payload.type:"hello-ok"（见 openclaw docs/gateway/protocol.md）
+    if (msg.type === 'res' && !this.connected) {
+      const ok = msg.ok === true
+      const inner = msg.payload as Record<string, unknown> | undefined
+      if (ok && inner && inner.type === 'hello-ok') {
+        this.connected = true
+        const serverRaw = inner.server as Record<string, unknown> | undefined
+        this.connId = typeof serverRaw?.connId === 'string' ? serverRaw.connId : null
+        clearTimeout(timeout)
+        dcgLogger(`[Gateway] 已连接 connId=${this.connId ?? '(none)'}`)
+        resolveHello(this.mapHelloPayloadToHelloOk(inner))
+        return
+      }
+      if (msg.ok === false) {
+        const errObj = msg.error as Record<string, unknown> | undefined
+        const message = (typeof errObj?.message === 'string' && errObj.message) || 'Gateway connect 被拒绝'
+        clearTimeout(timeout)
+        rejectHello(new Error(message))
+        return
+      }
+    }
+
+    // 旧式或其它实现：顶层 hello-ok
+    if (msgType === 'hello-ok' || (!msgType && msg.server)) {
+      this.connected = true
+      this.connId = ((msg.server as Record<string, unknown>)?.connId as string) || null
+      clearTimeout(timeout)
+      dcgLogger(`[Gateway] 已连接 connId=${this.connId ?? '(none)'}`)
+      resolveHello(msg as unknown as GatewayHelloOk)
+      return
+    }
+    if (msg.type === 'res') {
+      const handler = this.messageHandlers.get(msg.id as string)
+      if (handler) {
+        this.messageHandlers.delete(msg.id as string)
+        handler(msg as unknown as GatewayResponse)
+      }
+      return
+    }
+
+    if (msg.type === 'event') {
+      if (msg.event === 'cron') {
+        dcgLogger(`[Gateway] 收到事件: ${JSON.stringify(msg)}`)
+        if (msg.payload?.action === 'added') {
+          updateCronJobSessionKey(msg.payload?.jobId as string)
+        }
+        if (msg.payload?.action === 'updated') {
+          sendDcgchatCron()
+        }
+      }
+      const event: GatewayEvent = {
+        type: msg.event as string,
+        payload: msg.payload as Record<string, unknown> | undefined,
+        seq: msg.seq as number | undefined
+      }
+      this.eventHandlers.forEach((h) => h(event))
+    }
+  }
+
+  /**
+   * Call a gateway method
+   */
+  async callMethod<T = unknown>(method: string, params: Record<string, unknown> = {}): Promise<T> {
+    const id = crypto.randomUUID()
+
+    return new Promise((resolve, reject) => {
+      if (!this.connected || !this.ws) {
+        reject(new Error('Not connected to gateway'))
+        return
+      }
+
+      const timeout = setTimeout(() => {
+        this.messageHandlers.delete(id)
+        reject(new Error('Method call timeout'))
+      }, 30000)
+
+      this.messageHandlers.set(id, (response) => {
+        clearTimeout(timeout)
+        if (response.ok) {
+          const body = response.result !== undefined ? response.result : (response as GatewayResponse).payload
+          resolve(body as T)
+        } else {
+          reject(new Error(response.error?.message || 'Method call failed'))
+        }
+      })
+
+      this.ws.send(
+        JSON.stringify({
+          type: 'req',
+          id,
+          method,
+          params
+        })
+      )
+    })
+  }
+
+  /**
+   * Register event handler
+   */
+  onEvent(handler: (event: GatewayEvent) => void): () => void {
+    this.eventHandlers.add(handler)
+    return () => this.eventHandlers.delete(handler)
+  }
+
+  /**
+   * Close connection
+   */
+  close(): void {
+    this.ws?.close(1000, 'Plugin stopped')
+    this.connected = false
+  }
+
+  /**
+   * Check if connected
+   */
+  isConnected(): boolean {
+    return this.connected
+  }
+
+  /**
+   * Get connection ID
+   */
+  getConnId(): string | null {
+    return this.connId
+  }
+
+  /**
+   * Get the WebSocket instance (for external use)
+   */
+  getWebSocket(): WebSocket | null {
+    return this.ws
+  }
+
+  /**
+   * Ping the gateway
+   */
+  ping(): void {
+    this.ws?.ping()
+  }
+}

package/src/gateway/security.ts

@@ -0,0 +1,101 @@
+// Security utilities for the tunnel plugin
+import crypto from 'crypto'
+import fs from 'fs'
+import jwt from 'jsonwebtoken'
+import { z } from 'zod'
+
+// ED25519 SubjectPublicKeyInfo prefix (must match openclaw gateway `ED25519_SPKI_PREFIX`)
+const ED25519_SPKI_PREFIX = Buffer.from('302a300506032b6570032100', 'hex')
+
+/**
+ * Raw 32-byte Ed25519 public key bytes from PEM (same rules as openclaw `derivePublicKeyRaw`).
+ */
+export function derivePublicKeyRawFromPem(publicKeyPem: string): Buffer {
+  const spki = crypto.createPublicKey(publicKeyPem).export({ type: 'spki', format: 'der' }) as Buffer
+  if (
+    spki.length === ED25519_SPKI_PREFIX.length + 32 &&
+    spki.subarray(0, ED25519_SPKI_PREFIX.length).equals(ED25519_SPKI_PREFIX)
+  ) {
+    return spki.subarray(ED25519_SPKI_PREFIX.length)
+  }
+  return spki
+}
+
+/**
+ * Base64url encode (no padding)
+ */
+export function base64UrlEncode(buffer: Buffer): string {
+  return buffer.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '')
+}
+
+/** Wire-format device public key (base64url of raw 32 bytes), matches gateway expectations. */
+export function publicKeyRawBase64UrlFromPem(publicKeyPem: string): string {
+  return base64UrlEncode(derivePublicKeyRawFromPem(publicKeyPem))
+}
+
+/**
+ * Derive device ID from ED25519 public key
+ * Device ID = sha256(rawPublicKey)
+ */
+export function deriveDeviceIdFromPublicKey(publicKeyPem: string): string {
+  const rawPublicKey = derivePublicKeyRawFromPem(publicKeyPem)
+  return crypto.createHash('sha256').update(rawPublicKey).digest('hex')
+}
+
+/**
+ * Sign device payload
+ */
+export function signDevicePayload(privateKeyPem: string, payload: string, encoding: 'base64' | 'base64url' = 'base64url'): string {
+  const key = crypto.createPrivateKey(privateKeyPem)
+  const sig = crypto.sign(null, Buffer.from(payload, 'utf8'), key)
+  return encoding === 'base64url' ? base64UrlEncode(sig) : sig.toString('base64')
+}
+function normalizeTrimmedMetadata(value: unknown): string {
+  if (typeof value !== 'string') return ''
+  const trimmed = value.trim()
+  return trimmed ? trimmed : ''
+}
+
+function toLowerAscii(input: string): string {
+  return input.replace(/[A-Z]/g, (char) => String.fromCharCode(char.charCodeAt(0) + 32))
+}
+
+function normalizeDeviceMetadataForAuth(value: unknown): string {
+  const trimmed = normalizeTrimmedMetadata(value)
+  if (!trimmed) return ''
+  return toLowerAscii(trimmed)
+}
+
+/**
+ * Device authentication payload v3（与 openclaw `buildDeviceAuthPayloadV3` 一致）
+ */
+export function buildDeviceAuthPayloadV3(params: {
+  deviceId: string
+  clientId: string
+  clientMode: string
+  role: string
+  scopes: string[]
+  signedAtMs: number
+  token: string
+  nonce: string
+  platform?: string
+  deviceFamily?: string
+}): string {
+  const scopes = params.scopes.join(',')
+  const token = params.token ?? ''
+  const platform = normalizeDeviceMetadataForAuth(params.platform ?? '')
+  const deviceFamily = normalizeDeviceMetadataForAuth(params.deviceFamily ?? '')
+  return [
+    'v3',
+    params.deviceId,
+    params.clientId,
+    params.clientMode,
+    params.role,
+    scopes,
+    String(params.signedAtMs),
+    token,
+    params.nonce,
+    platform,
+    deviceFamily
+  ].join('|')
+}