@entity-access/server-pages 1.0.30 → 1.0.32

package/src/core/AsyncStream.ts

@@ -0,0 +1,83 @@
+import { closeSync, openSync, read, statSync } from "fs";
+
+export abstract class AsyncStream implements Disposable {
+
+    abstract read(n: number): Promise<Buffer>;
+
+    abstract [Symbol.dispose]();
+
+}
+
+const maxBufferSize = 16*1024;
+
+export class AsyncFileStream extends AsyncStream {
+
+    public readonly size: number;
+
+    private fd: any;
+
+    private buffer: Buffer;
+
+    constructor(
+        private readonly filePath: string,
+        public readPosition = 0,
+        lockFile = true,
+        bufferSize = maxBufferSize
+        ) {
+        super();
+
+        if (lockFile) {
+            this.fd = openSync(filePath, "r");
+        }
+        this.buffer = Buffer.alloc(bufferSize);
+        const { size } = statSync(filePath);
+        this.size = size;
+    }
+
+    read(): Promise<Buffer> {
+
+        return new Promise<Buffer>((resolve, reject) => {
+
+            const size = this.size - this.readPosition;
+
+            if (size <= 0) {
+                resolve(null);
+                return;
+            }
+
+            const buffer = (size) > this.buffer.byteLength
+                ? this.buffer
+                : Buffer.alloc(size);
+
+            this.readPosition += size;
+
+            if (this.fd) {
+
+                read(this.fd, buffer, 0, buffer.byteLength, this.readPosition,
+                    (error) => error ? reject(error) : resolve(buffer));
+                return;
+            }
+            const fd = openSync(this.filePath, "r");
+            read(this.fd, buffer, 0, buffer.byteLength, this.readPosition,
+                (error) => {
+                    try {
+                        closeSync(fd);
+                    } catch (e) {
+                        reject(e);
+                        return;
+                    }
+                    if(error ) {
+                        reject(error);
+                        return;
+                    }
+                    resolve(buffer);
+                });
+        });
+    }
+    [Symbol.dispose]() {
+        if (this.fd) {
+            closeSync(this.fd);
+        }
+    }
+
+}

package/src/core/FileApi.ts

@@ -0,0 +1,52 @@
+import { existsSync, unlinkSync, mkdirSync } from "fs";
+
+import { dirname } from "path";
+import { AsyncFileStream } from "./AsyncStream.js";
+
+export function ensureParentFolder(filePath: string) {
+    ensureDir(dirname(filePath));
+}
+
+export default function ensureDir(folder: string) {
+
+    if (existsSync(folder)) {
+        return;
+    }
+
+    const parent = dirname(folder);
+    if (parent !== "/") {
+        ensureDir(parent);
+    }
+
+    mkdirSync(folder);
+
+}
+
+export const deleteIfExists = (path) => existsSync(path) ? unlinkSync(path) : void 0;
+
+export const areFilesEqual = async (file1: string, file2: string) => {
+
+    using f1 = new AsyncFileStream(file1);
+    using f2 = new AsyncFileStream(file2);
+
+    if(f1.size !== f2.size) {
+        return false;
+    }
+
+    for(;;) {
+        const [b1,b2] = await Promise.all([f1.read(), f2.read()]);
+        if (b1 === null && b2 === null) {
+            return f1.readPosition === f2.readPosition;
+        }
+        if (b1 === null) {
+            return false;
+        }
+        if (b2 === null) {
+            return false;
+        }
+        if (!b1.equals(b2)) {
+            return false;
+        }
+    }
+
+};

package/src/ssl/AcmeCertificateService.ts

@@ -0,0 +1,225 @@
+import * as forge from "node-forge";
+import * as crypto from "crypto";
+import * as acme from "acme-client";
+import DateTime from "@entity-access/entity-access/dist/types/DateTime.js";
+import cluster from "cluster";
+import { existsSync, writeFileSync, readFileSync, unlinkSync, mkdirSync } from "fs";
+import { join } from "path"
+import ensureDir, { deleteIfExists } from "../core/FileApi.js";
+import Inject, { RegisterSingleton } from "@entity-access/entity-access/dist/di/di.js";
+import ChallengeStore from "./AcmeChallengeStore.js";
+import * as tls from "node:tls";
+import CertificateStore from "./CertificateStore.js";
+
+export interface IAcmeOptions {
+    sslMode?: string,
+    accountPrivateKeyPath?: string,
+    emailAddress?: string,
+    mode?:  "production" | "self-signed" | "staging",
+    endPoint?: string,
+    eabKid?: string,
+    eabHmac?: string   
+}
+
+export interface ICertOptions extends IAcmeOptions {
+    host: string,
+};
+
+@RegisterSingleton
+export default class AcmeCertficateService {
+
+    @Inject
+    private challengeStore: ChallengeStore;
+
+    @Inject
+    private certificateStore: CertificateStore;
+
+    private map = new Map<string, tls.SecureContext>();
+
+    public async getSecureContext(options: ICertOptions) {
+        const { host } = options;
+        let sc = this.map.get(host);
+        if (sc) {
+            return sc;
+        }
+        
+        const { key , cert } = await this.setup(options)
+        sc = tls.createSecureContext({ cert, key });
+        this.map.set(host, sc);
+        return sc;
+    }
+
+    public async setup({
+        host,
+        sslMode = "./",
+        accountPrivateKeyPath = "./",
+        emailAddress = "",
+        mode = "production" as "production" | "self-signed" | "staging",
+        endPoint = "",
+        eabKid = "",
+        eabHmac = ""
+    }) {
+
+        if (mode === "self-signed") {
+            return this.setupSelfSigned(sslMode);
+        }
+
+        const hostRoot = join(sslMode, host);
+
+        ensureDir(hostRoot);
+
+        const keyPath = join(hostRoot, "cert.key");
+        const certPath = join(hostRoot, "cert.crt");
+
+        const logs = [];
+
+        try {
+
+            const maintainerEmail = emailAddress;
+
+            let externalAccountBinding;
+
+            if (eabKid) {
+                externalAccountBinding = {
+                    kid: eabKid,
+                    hmacKey: eabHmac
+                };
+            }
+
+            let { cert, key } = await this.certificateStore.get({ host });
+
+            // load cert...
+            if (cert) {
+                const certificate = new crypto.X509Certificate(cert);
+                const validTo = DateTime.parse(certificate.validTo).diff(DateTime.now);
+                if (validTo.totalDays > 30) {
+                    console.log(`Reusing certificate, valid for ${validTo.totalDays}`);
+                    return { cert , key };
+                }
+            }
+
+            const accountKey = await this.certificateStore.getAccountKey();
+
+            acme.setLogger((message) => {
+                // console.log(message);
+                logs.push(message);
+            });
+
+            let altNames;
+
+            // auto renew...
+            const client = new acme.Client({
+                directoryUrl: endPoint || acme.directory.letsencrypt[mode],
+                accountKey,
+                externalAccountBinding,
+            });
+
+            /* Create CSR */
+            const [csrKey, csr] = await acme.crypto.createCsr({
+                commonName: host,
+                altNames
+            }, key);
+
+
+
+            /* Certificate */
+            cert = await client.auto({
+                csr,
+                email: maintainerEmail,
+                termsOfServiceAgreed: true,
+                skipChallengeVerification: true,
+                challengePriority: ["http-01"],
+                challengeCreateFn: (authz, challenge, keyAuthorization) => {
+                    if (challenge.type !== "http-01") {
+                        return;
+                    }
+                    return this.challengeStore.save(challenge.token, keyAuthorization);
+                },
+                challengeRemoveFn: (authz, challenge, keyAuthorization) => {
+                    return this.challengeStore.remove(challenge.token);
+                },
+            });
+
+            writeFileSync(certPath, cert);
+
+            return { cert, key };
+        } catch (error) {
+            console.log(logs.join("\n"));
+            console.error(error);
+            throw error;
+        }
+    }
+
+    public setupSelfSigned(sslMode = "./") {
+
+        const selfSigned = `${sslMode}/self-signed/`;
+
+        ensureDir(selfSigned);
+
+        const certPath  = `${selfSigned}/cert.crt`;
+        const keyPath  = `${selfSigned}/key.pem`;
+
+        let key;
+        let cert;
+
+        if (existsSync(certPath) && existsSync(keyPath)) {
+            key = readFileSync(keyPath);
+            cert = readFileSync(certPath);
+            return { key, cert };
+        }
+
+        const pki = forge.default.pki;
+
+        // generate a key pair or use one you have already
+        const keys = pki.rsa.generateKeyPair(2048);
+
+        // create a new certificate
+        const crt = pki.createCertificate();
+
+        // fill the required fields
+        crt.publicKey = keys.publicKey;
+        crt.serialNumber = '01';
+        crt.validity.notBefore = new Date();
+        crt.validity.notAfter = new Date();
+        crt.validity.notAfter.setFullYear(crt.validity.notBefore.getFullYear() + 40);
+
+        // use your own attributes here, or supply a csr (check the docs)
+        const attrs = [
+            {
+                name: 'commonName',
+                value: 'dev.socialmail.in'
+            }, {
+                name: 'countryName',
+                value: 'IN'
+            }, {
+                shortName: 'ST',
+                value: 'Maharashtra'
+            }, {
+                name: 'localityName',
+                value: 'Navi Mumbai'
+            }, {
+                name: 'organizationName',
+                value: 'NeuroSpeech Technologies Pvt Ltd'
+            }, {
+                shortName: 'OU',
+                value: 'Test'
+            }
+        ];
+
+        // here we set subject and issuer as the same one
+        crt.setSubject(attrs);
+        crt.setIssuer(attrs);
+
+        // the actual certificate signing
+        crt.sign(keys.privateKey);
+
+        // now convert the Forge certificate to PEM format
+        cert = pki.certificateToPem(crt);
+        key = pki.privateKeyToPem(keys.privateKey);
+
+        writeFileSync(certPath, cert);
+        writeFileSync(keyPath, key);
+
+        return { key, cert };
+    }
+}

package/src/ssl/AcmeChallengeStore.ts

@@ -0,0 +1,26 @@
+import { RegisterSingleton } from "@entity-access/entity-access/dist/di/di.js";
+import ensureDir from "../core/FileApi.js";
+import { readFileSync, unlinkSync, writeFileSync } from "fs";
+import { join } from "node:path";
+
+const path = "./challenges";
+
+@RegisterSingleton
+export default class ChallengeStore {
+
+    constructor() {
+        ensureDir(path);
+    }
+
+    async get(name: string) {
+        return readFileSync(join(path, name), "utf8");
+    }
+
+    async save(name: string, value: string) {
+        writeFileSync(join(path, name), value, "utf8");
+    }
+
+    async remove(name: string) {
+        unlinkSync(join(path, name));
+    }
+}

package/src/ssl/CertificateStore.ts

@@ -0,0 +1,68 @@
+import { RegisterSingleton } from "@entity-access/entity-access/dist/di/di.js";
+import { join } from "node:path";
+import ensureDir from "../core/FileApi.js";
+import { existsSync, readFileSync, writeFileSync } from "node:fs";
+import * as acme from "acme-client";
+
+export interface ICertificate {
+    host?: string;
+    key?: Buffer;
+    cert?: string;
+}
+
+let folder = "./certs";
+
+@RegisterSingleton
+export default class CertificateStore {
+
+    public get folder() {
+        return folder;
+    }
+    
+    public set folder(v: string) {
+        folder = v;
+    }
+
+    public async getAccountKey() {
+        const keyPath = join(folder, "keys");
+        let key: Buffer;
+        ensureDir(keyPath);
+        if (!existsSync(keyPath)) {
+            key = await acme.crypto.createPrivateRsaKey();
+            writeFileSync(keyPath, key);
+            console.log(`Creating New Account key: ${keyPath}`);
+        } else {
+            key = readFileSync(keyPath);
+        }
+        return key;
+    }
+
+    public async get( { host }: ICertificate): Promise<ICertificate> {
+        const { certPath, keyPath } = this.getPaths(folder, host);
+        const cert = existsSync(certPath) ? readFileSync(certPath, "utf8") : "";
+        let key: Buffer;
+        if (!existsSync(keyPath)) {
+            key = await acme.crypto.createPrivateRsaKey();
+            writeFileSync(keyPath, key);
+            console.log(`Creating New key: ${keyPath}`);
+        } else {
+            key = readFileSync(keyPath);
+        }
+        return { host, cert, key };
+    }
+
+    public async save({ host, cert, key }: ICertificate) {
+        const { certPath, keyPath } = this.getPaths(folder, host);
+        writeFileSync(certPath, cert, "utf8");
+        writeFileSync(keyPath, key);
+    }
+
+    private getPaths(folder: string, host: string) {
+        const hostRoot = join(folder, host);
+        ensureDir(hostRoot);
+        const certPath = join(hostRoot, "cert.crt");
+        const keyPath = join(hostRoot, "key.pem");
+        return { certPath, keyPath }
+    }
+
+}

package/src/ssl/ChallengeServer.ts

@@ -0,0 +1,34 @@
+import * as http from "node:http";
+import Inject, { RegisterSingleton } from "@entity-access/entity-access/dist/di/di.js";
+import ChallengeStore from "./AcmeChallengeStore.js";
+
+@RegisterSingleton
+export default class ChallengeServer {
+
+    @Inject
+    private challengeStore: ChallengeStore;
+
+    start() {
+        const server = http.createServer(async (req, res) => {
+            try {
+                const url = new URL(req.url, `https://${req.headers.host || "localhost"}`);
+                const path = url.pathname.split("/").filter((x) => x);
+                if(url.pathname.startsWith("/.well-known/acme-challenge/")) {
+                    const token = path[2];
+                    const value = await this.challengeStore.get(token);
+                    res.writeHead(200, { "content-type": "text/plain" });
+                    await new Promise<void>((resolve, reject) => res.write(Buffer.from(value), (error) => error ? reject(error) : resolve()));
+                } else {
+                    res.writeHead(301, { location: url.toString() });
+                }
+                await new Promise<void>((resolve) => res.end(resolve));
+                
+            } catch (error) {
+                console.error(error);
+            }
+        });
+
+        server.listen(80);
+    }
+
+}

package/dist/ssl/SelfSigned.d.ts

@@ -1,7 +0,0 @@
-export declare class SelfSigned {
-    static setupSelfSigned(sslMode?: string): {
-        key: any;
-        cert: any;
-    };
-}
-//# sourceMappingURL=SelfSigned.d.ts.map

package/dist/ssl/SelfSigned.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"SelfSigned.d.ts","sourceRoot":"","sources":["../../src/ssl/SelfSigned.ts"],"names":[],"mappings":"AAIA,qBAAa,UAAU;WACL,eAAe,CAAC,OAAO,SAAO;;;;CAwE/C"}

package/dist/ssl/SelfSigned.js

@@ -1,62 +0,0 @@
-import * as forge from "node-forge";
-import { existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
-export class SelfSigned {
-    static setupSelfSigned(sslMode = "./") {
-        const selfSigned = `${sslMode}/self-signed/`;
-        mkdirSync(selfSigned, { recursive: true });
-        const certPath = `${selfSigned}/cert.crt`;
-        const keyPath = `${selfSigned}/key.pem`;
-        let key;
-        let cert;
-        if (existsSync(certPath) && existsSync(keyPath)) {
-            key = readFileSync(keyPath);
-            cert = readFileSync(certPath);
-            return { key, cert };
-        }
-        const pki = forge.default.pki;
-        // generate a key pair or use one you have already
-        const keys = pki.rsa.generateKeyPair(2048);
-        // create a new certificate
-        const crt = pki.createCertificate();
-        // fill the required fields
-        crt.publicKey = keys.publicKey;
-        crt.serialNumber = '01';
-        crt.validity.notBefore = new Date();
-        crt.validity.notAfter = new Date();
-        crt.validity.notAfter.setFullYear(crt.validity.notBefore.getFullYear() + 40);
-        // use your own attributes here, or supply a csr (check the docs)
-        const attrs = [
-            {
-                name: 'commonName',
-                value: 'dev.socialmail.in'
-            }, {
-                name: 'countryName',
-                value: 'IN'
-            }, {
-                shortName: 'ST',
-                value: 'Maharashtra'
-            }, {
-                name: 'localityName',
-                value: 'Navi Mumbai'
-            }, {
-                name: 'organizationName',
-                value: 'NeuroSpeech Technologies Pvt Ltd'
-            }, {
-                shortName: 'OU',
-                value: 'Test'
-            }
-        ];
-        // here we set subject and issuer as the same one
-        crt.setSubject(attrs);
-        crt.setIssuer(attrs);
-        // the actual certificate signing
-        crt.sign(keys.privateKey);
-        // now convert the Forge certificate to PEM format
-        cert = pki.certificateToPem(crt);
-        key = pki.privateKeyToPem(keys.privateKey);
-        writeFileSync(certPath, cert);
-        writeFileSync(keyPath, key);
-        return { key, cert };
-    }
-}
-//# sourceMappingURL=SelfSigned.js.map

package/dist/ssl/SelfSigned.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"SelfSigned.js","sourceRoot":"","sources":["../../src/ssl/SelfSigned.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,KAAK,MAAM,YAAY,CAAC;AAEpC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,IAAI,CAAC;AAExE,MAAM,OAAO,UAAU;IACZ,MAAM,CAAC,eAAe,CAAC,OAAO,GAAG,IAAI;QAExC,MAAM,UAAU,GAAG,GAAG,OAAO,eAAe,CAAC;QAE7C,SAAS,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAE3C,MAAM,QAAQ,GAAI,GAAG,UAAU,WAAW,CAAC;QAC3C,MAAM,OAAO,GAAI,GAAG,UAAU,UAAU,CAAC;QAEzC,IAAI,GAAG,CAAC;QACR,IAAI,IAAI,CAAC;QAET,IAAI,UAAU,CAAC,QAAQ,CAAC,IAAI,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YAC9C,GAAG,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;YAC5B,IAAI,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;YAC9B,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC;QACzB,CAAC;QAED,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;QAE9B,kDAAkD;QAClD,MAAM,IAAI,GAAG,GAAG,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;QAE3C,2BAA2B;QAC3B,MAAM,GAAG,GAAG,GAAG,CAAC,iBAAiB,EAAE,CAAC;QAEpC,2BAA2B;QAC3B,GAAG,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;QAC/B,GAAG,CAAC,YAAY,GAAG,IAAI,CAAC;QACxB,GAAG,CAAC,QAAQ,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;QACpC,GAAG,CAAC,QAAQ,CAAC,QAAQ,GAAG,IAAI,IAAI,EAAE,CAAC;QACnC,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,WAAW,CAAC,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC;QAE7E,iEAAiE;QACjE,MAAM,KAAK,GAAG;YACV;gBACI,IAAI,EAAE,YAAY;gBAClB,KAAK,EAAE,mBAAmB;aAC7B,EAAE;gBACC,IAAI,EAAE,aAAa;gBACnB,KAAK,EAAE,IAAI;aACd,EAAE;gBACC,SAAS,EAAE,IAAI;gBACf,KAAK,EAAE,aAAa;aACvB,EAAE;gBACC,IAAI,EAAE,cAAc;gBACpB,KAAK,EAAE,aAAa;aACvB,EAAE;gBACC,IAAI,EAAE,kBAAkB;gBACxB,KAAK,EAAE,kCAAkC;aAC5C,EAAE;gBACC,SAAS,EAAE,IAAI;gBACf,KAAK,EAAE,MAAM;aAChB;SACJ,CAAC;QAEF,iDAAiD;QACjD,GAAG,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;QACtB,GAAG,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAErB,iCAAiC;QACjC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAE1B,kDAAkD;QAClD,IAAI,GAAG,GAAG,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC;QACjC,GAAG,GAAG,GAAG,CAAC,eAAe,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAE3C,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QAC9B,aAAa,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QAE5B,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC;IACzB,CAAC;CACJ"}

package/src/ssl/SelfSigned.ts

@@ -1,78 +0,0 @@
-import * as forge from "node-forge";
-import * as crypto from "crypto";
-import { existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
-
-export class SelfSigned {
-    public static setupSelfSigned(sslMode = "./") {
-
-        const selfSigned = `${sslMode}/self-signed/`;
-
-        mkdirSync(selfSigned, { recursive: true });
-
-        const certPath  = `${selfSigned}/cert.crt`;
-        const keyPath  = `${selfSigned}/key.pem`;
-
-        let key;
-        let cert;
-
-        if (existsSync(certPath) && existsSync(keyPath)) {
-            key = readFileSync(keyPath);
-            cert = readFileSync(certPath);
-            return { key, cert };
-        }
-
-        const pki = forge.default.pki;
-
-        // generate a key pair or use one you have already
-        const keys = pki.rsa.generateKeyPair(2048);
-
-        // create a new certificate
-        const crt = pki.createCertificate();
-
-        // fill the required fields
-        crt.publicKey = keys.publicKey;
-        crt.serialNumber = '01';
-        crt.validity.notBefore = new Date();
-        crt.validity.notAfter = new Date();
-        crt.validity.notAfter.setFullYear(crt.validity.notBefore.getFullYear() + 40);
-
-        // use your own attributes here, or supply a csr (check the docs)
-        const attrs = [
-            {
-                name: 'commonName',
-                value: 'dev.socialmail.in'
-            }, {
-                name: 'countryName',
-                value: 'IN'
-            }, {
-                shortName: 'ST',
-                value: 'Maharashtra'
-            }, {
-                name: 'localityName',
-                value: 'Navi Mumbai'
-            }, {
-                name: 'organizationName',
-                value: 'NeuroSpeech Technologies Pvt Ltd'
-            }, {
-                shortName: 'OU',
-                value: 'Test'
-            }
-        ];
-
-        // here we set subject and issuer as the same one
-        crt.setSubject(attrs);
-        crt.setIssuer(attrs);
-
-        // the actual certificate signing
-        crt.sign(keys.privateKey);
-
-        // now convert the Forge certificate to PEM format
-        cert = pki.certificateToPem(crt);
-        key = pki.privateKeyToPem(keys.privateKey);
-
-        writeFileSync(certPath, cert);
-        writeFileSync(keyPath, key);
-
-        return { key, cert };
-    }
-}