@interopio/gateway-server 0.20.0 → 0.22.0

package/bin/gateway-server.cjs

@@ -0,0 +1,726 @@
+#!/usr/bin/env node
+
+'use strict';
+
+const { parseArgs } = require('node:util');
+const { configure } = require('@interopio/gateway/logging/core');
+
+// import { GatewayServer } from './src/index.ts';
+// import { mkcert, argon2, manage } from './src/tools/index.ts';
+
+const { mkcert, argon2, manage } = require('@interopio/gateway-server/tools');
+const { GatewayServer } =  require('@interopio/gateway-server');
+
+function showHelp() {
+    console.log(`
+Usage: npx @interopio/gateway-server <command> [options]
+
+Commands:
+  run                      Start the gateway server
+  manage                   Send management commands to a running gateway server
+  passwd                   Generate password hash (default using Argon2)
+  mkcert                   Generate client and/or server certificate signed by Dev CA
+
+run options:
+  -p, --port <port>        Specify port or port range to bind the server to (default: 0 i.e. random)
+                           examples: 8385, 8000-8100, 3000,4000-4050
+  -H, --host <host>        Network address to bind to (default: unspecified, listens on all)
+                           examples: localhost, 127.0.0.1, 0.0.0.0, ::1
+  -u, --user <name>        Enables basic authentication and sets the admin username
+  --no-auth                Disable authentication (overrides config, sets auth type to 'none')
+  -S, --ssl, --tls         Enable HTTPS. Auto-generates Dev CA and/or server certificates if not
+                           present. Enables x509 client cert auth if --user not specified.
+  --cert <file>            File with SSL/TLS certificate (default: ./gateway-server.crt)
+  --key <file>             File with SSL/TLS private key (default: ./gateway-server.key)
+  --ca <file>              File with CA certificates (default: ./gateway-ca.crt)
+  --ca-key <file>          File with CA private key (default: ./gateway-ca.key)
+  --no-ssl, --no-tls       Disable SSL/TLS (overrides config)
+  -g, --gateway            Enable gateway endpoint (default route: /)
+  --no-gateway             Disable gateway endpoint (overrides config)
+  -s, --static <location>  Serve static files from specified location (e.g., ./public)
+  -c, --config <file>      Server configuration file (JSON format)
+  --debug                  Enable debug logging (default: info level)
+
+manage options:
+  --path <path>            Path to the gateway control socket (named pipe on Windows, Unix socket)
+                           examples: \\\\.\\pipe\\glue42-gateway-xxx, /tmp/gateway.sock
+  -p, --port <port>        TCP port of the management server
+  --timeout <ms>           Connection timeout in milliseconds (default: 5000)
+  <command>                Management command to execute: info, shutdown
+  [key=value...]           Additional command parameters as key=value pairs
+                           Values are parsed as JSON (numbers, booleans, arrays, objects)
+                           or kept as strings if not valid JSON
+  <json>                   Alternatively, pass entire command as a JSON object
+                           example: '{"command":"update-auth","type":"basic"}'
+
+passwd options:
+  (no args)                Prompt for password interactively (masked input)
+  --stdin                  Read password from stdin (for piping, e.g., echo "pass" | ...)
+
+mkcert options:
+  --client                 Generate client certificate (default: server certificate)
+  -u, --user <name>        Common Name for the certificate (default: dev-user for client certs)
+                           (--client only)
+  --ca <file>              File with CA certificate (default: ./gateway-ca.crt)
+  --ca-key <file>          File with CA private key (default: ./gateway-ca.key)
+  --key <file>             Output file for private key (default: ./gateway-server.key for server,
+                           ./gateway-client.key for client)
+  --cert <file>            Output file for certificate (default: ./gateway-server.crt for server,
+                           ./gateway-client.crt for client)
+  [name...]                DNS names, IP addresses, or email addresses for subjectAltName
+                           (DNS by default, prefix with 'IP:' or 'EMAIL:' for other types)
+
+Global Options:
+  -v, --version            Show version information and exit
+  --help                   Show this help message and exit
+
+Examples:
+  gateway-server run -p 3000
+  gateway-server run -u admin --port 8385,8388 --debug
+  gateway-server run -p 8443 --ssl --user admin --gateway
+  gateway-server run --port 42443 --tls --ca-key ./ssl/ca.key --host example.com --gateway
+  gateway-server run -p 3000 --static ./public --config ./server-config.json
+  gateway-server run --config ./server-config.json --no-gateway --no-ssl --no-auth
+  gateway-server manage --path \\\\.\\pipe\\glue42-gateway-xxx info
+  gateway-server manage --path \\\\.\\pipe\\glue42-gateway-xxx shutdown
+  gateway-server manage --path \\\\.\\pipe\\glue42-gateway-xxx custom-cmd key1=value1 count=42 'data={"user":"test"}' --timeout 10000
+  gateway-server manage --path \\\\.\\pipe\\glue42-gateway-xxx '{"command":"update-auth","auth":{"token":"my-token"}}}'
+  gateway-server passwd
+  echo "mySecret123" | gateway-server passwd --stdin
+  gateway-server mkcert
+  gateway-server mkcert localhost 127.0.0.1 IP:192.168.1.100
+  gateway-server mkcert --client EMAIL:john.doe@example.com
+  gateway-server mkcert example.com *.example.com --key ./gateway-server.key --cert ./gateway-server.crt
+`);
+    process.exit(0);
+}
+
+function showVersion() {
+    console.log(GatewayServer.VERSION);
+    process.exit(0);
+}
+
+// Parse command-line arguments
+const { values: globalValues, positionals } = parseArgs({
+    args: process.argv.slice(2),
+    options: {
+        version: { type: 'boolean', short: 'v' },
+        help: { type: 'boolean', short: 'h' },
+    },
+    strict: false,
+    allowPositionals: true,
+});
+
+// Check for global flags first
+if (globalValues.version) {
+    showVersion();
+}
+if (globalValues.help) {
+    showHelp();
+}
+
+// Determine command (required)
+if (positionals.length === 0) {
+    console.error('Error: Command is required');
+    console.log('Use --help to see available commands');
+    process.exit(1);
+}
+
+const command = positionals[0];
+
+// Route to appropriate command handler
+switch (command) {
+    case 'run':
+        runServer().catch(e => {console.error(e); process.exit(1);});
+        break;
+    case 'manage':
+        manageCommand().catch(e => {console.error(e); process.exit(1);});
+        break;
+    case 'passwd':
+        passwdCommand().catch(e => {console.error(e); process.exit(1);});
+        break;
+    case 'mkcert':
+        mkcertCommand().catch(e => {console.error(e); process.exit(1);});
+        break;
+    default:
+        console.error(`Error: Unknown command "${command}"`);
+        console.log('Use --help to see available commands');
+        process.exit(1);
+}
+
+// Command: manage - Send management commands to a running gateway server
+async function manageCommand() {
+    const { values, positionals } = parseArgs({
+        args: process.argv.slice(3), // Skip 'node', 'gateway-server', and 'manage'
+        options: {
+            path: { type: 'string' },
+            port: { type: 'string', short: 'p' },
+            timeout: { type: 'string' },
+        },
+        strict: true,
+        allowPositionals: true,
+    });
+
+    const socketPath = values.path;
+    const port = values.port ? parseInt(values.port, 10) : undefined;
+    const timeout = values.timeout ? parseInt(values.timeout, 10) : undefined;
+    const firstArg = positionals[0];
+
+    if (!socketPath && !port) {
+        console.error('Error: --path or --port is required');
+        console.error('Example: gateway-server manage --path \\\\.\\pipe\\glue42-gateway-xxx info');
+        process.exit(1);
+    }
+
+    if (!firstArg) {
+        console.error('Error: management command is required');
+        console.error('Available commands: info, shutdown');
+        console.error('Or pass a JSON object: gateway-server manage --path ... \'{"command":"info"}\'');
+        process.exit(1);
+    }
+
+    // Try to parse first argument as JSON (entire command object)
+    let commandParams;
+    if (firstArg.startsWith('{')) {
+        try {
+            commandParams = JSON.parse(firstArg);
+            if (!commandParams.command) {
+                console.error('Error: JSON command must have a "command" property');
+                process.exit(1);
+            }
+        }
+        catch (e) {
+            console.error(`Error: invalid JSON: ${e.message}`);
+            process.exit(1);
+        }
+    }
+    else {
+        // Parse as command name + key=value pairs
+        commandParams = { command: firstArg };
+        for (let i = 1; i < positionals.length; i++) {
+            const arg = positionals[i];
+            const eqIndex = arg.indexOf('=');
+            if (eqIndex === -1) {
+                console.error(`Error: invalid parameter "${arg}". Expected format: key=value`);
+                process.exit(1);
+            }
+            const key = arg.slice(0, eqIndex);
+            let value = arg.slice(eqIndex + 1);
+
+            // Try to parse as JSON for numbers, booleans, arrays, objects
+            try {
+                value = JSON.parse(value);
+            } catch {
+                // Keep as string if not valid JSON
+            }
+
+            commandParams[key] = value;
+        }
+    }
+
+    const server = socketPath ? { path: socketPath } : { port };
+    try {
+        const result = await manage.sendCommand(server, commandParams, { timeout });
+        if (result === undefined) {
+            console.log('<no response>');
+        }
+        else if (typeof result === 'string') {
+            console.log(result);
+        }
+        else {
+            console.log(JSON.stringify(result, null, 2));
+        }
+        process.exit(0);
+    }
+    catch (e) {
+        console.error(`Error: ${e.message || e}`);
+        process.exit(1);
+    }
+}
+
+// Command: passwd - Generate password hash
+async function passwdCommand() {
+    const { values } = parseArgs({
+        args: process.argv.slice(3), // Skip 'node', 'gateway-server', and 'passwd'
+        options: {
+            stdin: { type: 'boolean' },
+        },
+        strict: true,
+        allowPositionals: false,
+    });
+
+    let password/*: string = undefined!*/;
+
+    // Read password from stdin if specified
+    if (values.stdin) {
+        password = await readPasswordFromStdin();
+    }
+
+    // If no password provided, prompt interactively
+    if (!password) {
+        password = await promptPassword('Enter password: ');
+    }
+
+    if (!password) {
+        console.error('Error: password is required');
+        process.exit(1);
+    }
+
+    const hashValue = await argon2.hash(password);
+    const hash = `{argon2id}${hashValue}`;
+    console.log(hash);
+    process.exit(0);
+}
+
+// Read password from piped stdin (non-interactive)
+async function readPasswordFromStdin() {
+    // Check if stdin is a TTY (interactive terminal)
+    if (process.stdin.isTTY) {
+        // Interactive mode - use readline with hidden input
+        return promptPassword('Password: ');
+    }
+
+    // Piped mode - read until EOF or newline
+    const chunks/*: Uint8Array[]*/ = [];
+    for await (const chunk of process.stdin) {
+        chunks.push(chunk);
+    }
+    const content = Buffer.concat(chunks).toString('utf8');
+    // Strip trailing newline
+    return content.replace(/\r?\n$/, '');
+}
+
+// Prompt for password with masked input
+async function promptPassword(prompt/*: string*/) {
+    return new Promise/*<string>*/((resolve) => {
+        process.stdout.write(prompt);
+
+        // Only set raw mode if stdin is a TTY
+        if (!process.stdin.isTTY) {
+            console.error('Error: Interactive password prompt requires a terminal');
+            process.exit(1);
+        }
+
+        process.stdin.setRawMode(true);
+        process.stdin.resume();
+        process.stdin.setEncoding('utf8');
+
+        let password = '';
+
+        const cleanup = () => {
+            process.stdin.setRawMode(false);
+            process.stdin.pause();
+            process.stdin.removeListener('data', onData);
+            process.stdout.write('\n');
+        };
+
+        const onData = (char/*: string*/) => {
+            // Ctrl+C
+            if (char === '\u0003') {
+                cleanup();
+                process.exit(1);
+            }
+
+            // Enter
+            if (char === '\r' || char === '\n') {
+                cleanup();
+                resolve(password);
+                return;
+            }
+
+            // Backspace
+            if (char === '\u007f' || char === '\b') {
+                if (password.length > 0) {
+                    password = password.slice(0, -1);
+                    process.stdout.write('\b \b');
+                }
+                return;
+            }
+
+            // Regular character
+            password += char;
+            process.stdout.write('*');
+        };
+
+        process.stdin.on('data', onData);
+    });
+}
+
+// Command: mkcert - Generate client or server certificate
+async function mkcertCommand() {
+    const { values, positionals } = parseArgs({
+        args: process.argv.slice(3), // Skip 'node', 'gateway-server', and 'mkcert'
+        options: {
+            client: { type: 'boolean' },
+            user: { type: 'string', short: 'u' },
+            ca: { type: 'string' },
+            'ca-key': { type: 'string' },
+            key: { type: 'string' },
+            cert: { type: 'string' },
+        },
+        strict: true,
+        allowPositionals: true,
+    });
+
+    const isClientCert = values.client || false;
+    const user = values.user || 'dev-user';
+    const caCert = values.ca || './gateway-ca.crt';
+    const caKey = values['ca-key'] || './gateway-ca.key';
+    let keyPath = values.key;
+    let certPath = values.cert;
+    const sanEntries = positionals;
+
+    // Default output paths
+    // Users typically specify just --cert, and key should go in the same file
+    if (!keyPath && !certPath) {
+        // Neither specified: use defaults based on certificate type
+        if (isClientCert) {
+            // Client certificate: combined file by default
+            keyPath = './gateway-client.key';
+            certPath = './gateway-client.crt';
+        }
+        else {
+            // Server certificate: separate files by default
+            keyPath = './gateway-server.key';
+            certPath = './gateway-server.crt';
+        }
+    }
+    else if (keyPath && !certPath) {
+        // Only --key specified: cert goes in the same file (combined)
+        certPath = keyPath;
+    }
+    else if (!keyPath && certPath) {
+        // Only --cert specified: key goes in the same file (combined)
+        keyPath = certPath;
+    }
+    // else: both specified, use as-is
+
+    if (sanEntries.length === 0) {
+        if (isClientCert) {
+            sanEntries.push(user);
+        }
+        else {
+            // Default SAN entry for server certs
+            sanEntries.push('localhost');
+        }
+    }
+
+    const { readFile, writeFile } = await import('node:fs/promises');
+    const { KEYUTIL, X509 } = await import('jsrsasign');
+
+    // Load CA key
+    let caKeyObj/*: ReturnType<typeof KEYUTIL.getKey>*/;
+    try {
+        const caKeyPem = await readFile(caKey, 'utf8');
+        caKeyObj = KEYUTIL.getKey(caKeyPem);
+    } catch (error) {
+        console.error(`Error: Cannot read CA key from ${caKey}`);
+        console.error(error?.['message']);
+        process.exit(1);
+    }
+
+    // Extract issuer from CA certificate
+    let issuer/*: string*/;
+    try {
+        const caCertPem = await readFile(caCert, 'utf8');
+        const caCertObj = new X509();
+        caCertObj.readCertPEM(caCertPem);
+        issuer = caCertObj.getSubjectString();
+    } catch (error) {
+        console.error(`Error: Cannot read CA certificate from ${caCert}`);
+        console.error(error?.['message']);
+        process.exit(1);
+    }
+
+    // Generate certificate using SAN entries
+    const cert = mkcert.generateCert(caKeyObj, issuer, sanEntries, isClientCert);
+
+    // Write files
+    try {
+        if (keyPath === certPath) {
+            // Concatenate cert and key into single file (cert first, then key)
+            const combined = cert.cert + cert.key;
+            await writeFile(keyPath, combined, { mode: 0o600 });
+            console.log(`${isClientCert ? 'Client' : 'Server'} certificate generated successfully:`);
+            console.log(`  Combined (cert+key): ${keyPath}`);
+            if (sanEntries.length > 0) {
+                console.log(`  SAN: ${sanEntries.join(', ')}`);
+            }
+        }
+        else {
+            // Write separate files
+            await writeFile(keyPath, cert.key, { mode: 0o600 });
+            await writeFile(certPath, cert.cert, { mode: 0o644 });
+            console.log(`${isClientCert ? 'Client' : 'Server'} certificate generated successfully:`);
+            console.log(`  Private key: ${keyPath}`);
+            console.log(`  Certificate: ${certPath}`);
+            if (sanEntries.length > 0) {
+                console.log(`  SAN: ${sanEntries.join(', ')}`);
+            }
+        }
+
+        process.exit(0);
+    }
+    catch (error) {
+        console.error(`Error: Cannot write certificate files`);
+        console.error(error?.['message']);
+        process.exit(1);
+    }
+}
+
+// Command: run - Start the server
+async function runServer() {
+    const { values } = parseArgs({
+        args: process.argv.slice(3), // Skip 'node', 'gateway-server', and 'run'
+        options: {
+            port: { type: 'string', short: 'p' },
+            host: { type: 'string', short: 'H' },
+            user: { type: 'string', short: 'u' },
+            debug: { type: 'boolean' },
+            ssl: { type: 'boolean', short: 'S' },
+            tls: { type: 'boolean' },
+            cert: { type: 'string' },
+            key: { type: 'string' },
+            ca: { type: 'string' },
+            'ca-key': { type: 'string' },
+            config: { type: 'string', short: 'c' },
+            gateway: { type: 'boolean', short: 'g' },
+            static: { type: 'string', short: 's', multiple: true },
+            auth: { type: 'boolean' }
+        },
+        strict: true,
+        allowNegative: true,
+        allowPositionals: false,
+    });
+
+    const options = {
+        port: values.port,
+        host: values.host,
+        user: values.user,
+        debug: values.debug || false,
+        ssl: values.ssl || values.tls || false,
+        noSsl: values.ssl === false, // --no-ssl explicitly set
+        cert: values.cert,
+        key: values.key,
+        ca: values.ca,
+        caKey: values['ca-key'],
+        config: values.config,
+        gateway: values.gateway,
+        noGateway: values.gateway === false, // --no-gateway explicitly set
+        static: values.static,
+    };
+
+    configure({
+        level: options.debug ? {
+            gateway: 'debug',
+            "gateway.node": 'info',
+        } : 'info',
+    });
+
+    // Load server configuration from file if specified
+    let serverConfig/*: GatewayServer.ServerConfig*/ = {};
+
+    const { access, constants } = await import('node:fs/promises');
+    const { resolve, extname } = await import('node:path');
+
+    let configPath/*: string*/;
+    for (const fileName of
+        [
+            'gateway-server.config.js',
+            'gateway-server.config.mjs',
+            'gateway-server.config.cjs',
+            'gateway-server.config.ts',
+            'gateway-server.config.mts',
+            'gateway-server.config.cts',
+            'gateway-server.config.json'
+        ]) {
+        configPath = resolve(process.cwd(), fileName);
+        try {
+            await access(configPath, constants.R_OK);
+            // found readable config file, load it
+            break;
+        }
+        catch {
+            configPath = undefined;
+            // continue to next candidate
+        }
+    }
+
+    if (options.config) {
+        configPath = options.config;
+    }
+    if (configPath) {
+        try {
+            if (['.json'].includes(extname(configPath))) {
+                // JSON config file - read and parse manually
+                const { readFile } = await import('node:fs/promises');
+                const configContent = await readFile(configPath, 'utf8');
+                serverConfig = JSON.parse(configContent);
+            }
+            else {
+                // JS/TS config file - import dynamically
+                const { pathToFileURL } = await import('node:url');
+                const importedConfig = await import(pathToFileURL(configPath));
+                serverConfig = importedConfig.default || importedConfig;
+            }
+        }
+        catch (error) {
+            console.error(`Error: Cannot read server config from ${configPath}`);
+            console.error(error?.['message']);
+            process.exit(1);
+        }
+    }
+
+    // Apply CLI overrides to server config
+    // CLI arguments take precedence over config file
+
+    // Override port if specified
+    if (values.port !== undefined) {
+        serverConfig.port = options.port;
+    }
+
+    // Override host if specified
+    if (values.host !== undefined) {
+        serverConfig.host = options.host;
+    }
+
+    // Override SSL configuration
+    if (options.noSsl) {
+        // --no-ssl: delete SSL config completely
+        delete serverConfig.ssl;
+        options.ssl = false;
+    } else if (options.ssl) {
+        // --ssl specified: merge CLI args with existing config
+        if (!serverConfig.ssl) {
+            serverConfig.ssl = {};
+        }
+        // Only set properties if CLI options are explicitly provided
+        if (options.key !== undefined) {
+            serverConfig.ssl.key = options.key;
+        }
+        if (options.cert !== undefined) {
+            serverConfig.ssl.cert = options.cert;
+        }
+        if (options.ca !== undefined) {
+            serverConfig.ssl.ca = options.ca;
+        }
+    }
+    // else: use whatever is in serverConfig (if any)
+
+    // Determine effective SSL state
+    const effectiveSsl = options.ssl || (!options.noSsl && serverConfig?.ssl !== undefined);
+
+    // Configure authentication
+    let auth/*: GatewayServer.AuthConfig*/;
+    if (values.auth === false) {
+        // --no-auth: delete auth config from server config and set to 'none'
+        delete serverConfig.auth;
+        auth = { type: 'none' };
+    }
+    else if (serverConfig.auth) {
+        // Use auth from config file if present
+        auth = serverConfig.auth;
+
+        // Allow --user CLI option to override auth.user.name from config
+        if (options.user) {
+            if (!auth.user) {
+                auth.user = {name: options.user};
+            }
+            auth.user.name = options.user;
+        }
+    }
+    else {
+        // No auth in config file, determine from CLI args or defaults
+        auth = {
+            type: options.user ? 'basic' : effectiveSsl ? 'x509' : 'none'
+        };
+
+        if (options.user) {
+            auth.user = { name: options.user };
+        }
+
+        if (effectiveSsl && auth.type === 'x509') {
+            auth.x509 = {
+                key: options.caKey || './gateway-ca.key',
+                // principalAltName: 'email',
+            };
+
+            // Ensure SSL config exists and has proper mutual TLS settings
+            if (!serverConfig.ssl) {
+                serverConfig.ssl = {};
+            }
+
+            // Enable client certificate verification with proper mutual TLS
+            serverConfig.ssl.requestCert = true;
+
+            // Enforce trust verification to prevent certificate spoofing
+            // rejectUnauthorized must be true to ensure only trusted client certs are accepted
+            serverConfig.ssl.rejectUnauthorized = true;
+
+            // Set CA for client certificate verification (required for mutual TLS)
+            // Use the same CA that signs client certificates
+            if (!serverConfig.ssl.ca) {
+                serverConfig.ssl.ca = options.ca || './gateway-ca.crt';
+            }
+        }
+    }
+
+    // Handle SSL certificate auto-generation when --ssl is specified via CLI
+    // but config file doesn't have server certificates
+    if (options.ssl && effectiveSsl && serverConfig.ssl) {
+        const hasCert = serverConfig.ssl.cert || serverConfig.ssl.key;
+        if (!hasCert) {
+            // SSL enabled but no server cert/key provided
+            // We need a CA key for auto-generating server certificates
+            // Set default CA key path if not already configured
+            if (!auth.x509) {
+                auth.x509 = {};
+            }
+            if (!auth.x509.key) {
+                // Use CLI option, or default to ./gateway-ca.key
+                auth.x509.key = options.caKey || './gateway-ca.key';
+            }
+        }
+    }
+
+    // Override gateway configuration
+    if (options.noGateway) {
+        // --no-gateway: delete gateway config completely
+        delete serverConfig.gateway;
+    } else if (options.gateway) {
+        // --gateway specified: enable gateway endpoint, respect existing config
+        if (!serverConfig.gateway) {
+            serverConfig.gateway = {};
+        }
+        // Set defaults only if not already present in config
+        if (!serverConfig.gateway.route) {
+            serverConfig.gateway.route = '/';
+        }
+        if (!serverConfig.gateway.authorize) {
+            serverConfig.gateway.authorize = { access: auth.type !== 'none' ? 'authenticated' : 'permitted' };
+        }
+    }
+    // else: use whatever is in serverConfig (if any)
+
+    // Override static resources if specified
+    if (options.static && options.static.length > 0) {
+        if (!serverConfig.resources) {
+            serverConfig.resources = {locations: options.static};
+        }
+        serverConfig.resources.locations = options.static;
+    }
+
+    // Set auth in server config
+    serverConfig.auth = auth;
+
+    const server = await GatewayServer.Factory({
+        ...(serverConfig)
+    });
+
+    process.on('SIGINT', async () => {
+        await server.close();
+        process.exit(0);
+    });
+
+    // process.title = `${GatewayServer.VERSION} ${server.address.port}`;
+}