@live-change/security-service 0.2.5

package/ban.js

@@ -0,0 +1,188 @@
+const app = require("@live-change/framework").app()
+const definition = require('./definition.js')
+const { getClientKeysStrings } = require('./utils.js')
+const lcp = require('@live-change/pattern')
+
+const banProperties = {
+  actions: {
+    type: Array,
+    of: {
+      type: String
+    }
+  },
+  keys: {
+    type: Array,
+    of: {
+      type: Object,
+      properties: {
+        key: {
+          type: {
+            String
+          }
+        },
+        value: {
+          type: {
+            String
+          }
+        }
+      }
+    }
+  },
+  expire: {
+    type: Date
+  },
+  type: {
+    type: String,
+    options: ['captcha', 'block', 'delay']
+  }
+}
+
+const Ban = definition.model({
+  name: "Ban",
+  properties: {
+    ...banProperties
+  },
+  indexes: {
+    bans: {
+      property: 'keys',
+      multi: true
+    },
+    actionBans: {
+      function: async function(input, output) {
+        const values = (ban) => {
+          const v = ban.keys.length
+          const w = ban.actions.length
+          let res = new Array(v * w)
+          for(let i = 0; i < v; i++) {
+            for(let j = 0; j < w; j++) {
+              const key = ban.keys[i]
+              res[i * v + j] = `${ban.actions[j]}:${key.key}:${key.value}`
+            }
+          }
+          return res
+        }
+        await input.table("securityService_Ban").onChange((obj, oldObj) => {
+          if(obj && oldObj) {
+            let pointers = obj && new Set(values(obj))
+            let oldPointers = oldObj && new Set(values(oldObj))
+            for(let pointer of pointers) {
+              if(!!oldPointers.has(pointer)) output.change({ id: pointer+'_'+obj.id, to: obj.id }, null)
+            }
+            for(let pointer of oldPointers) {
+              if(!!pointers.has(pointer)) output.change(null, { id: pointer+'_'+obj.id, to: obj.id })
+            }
+          } else if(obj) {
+            values(obj).forEach(v => output.change({ id: v+'_'+obj.id, to: obj.id }, null))
+          } else if(oldObj) {
+            values(oldObj).forEach(v => output.change(null, { id: v+'_'+obj.id, to: obj.id }))
+          }
+        })
+      }
+    }
+  }
+})
+
+definition.event({
+  name: "banCreated",
+  async execute({ ban, data }) {
+    Ban.create({ id: ban, ...data })
+  }
+})
+
+definition.event({
+  name: "banRemoved",
+  async execute({ ban }) {
+    Ban.delete(ban)
+  }
+})
+
+definition.view({
+  name: "myBans",
+  properties: {},
+  daoPath(params, { client, service }) {
+    const keys = getClientKeysStrings(client)
+    return multiKeyIndexQuery(keys, 'Ban_bans')
+  },
+})
+
+definition.view({
+  name: "myActionBans",
+  properties: {
+    action: {
+      type: String
+    }
+  },
+  daoPath({ action }, { client, service }) {
+    const keys = getClientKeysStrings(client, action + ':')
+    return multiKeyIndexQuery(keys, 'Ban_actionBans')
+  },
+})
+
+definition.trigger({
+  name: "securityActionBan",
+  properties: {
+    ban: {
+      type: Object,
+      properties: {
+        actions: banProperties.actions,
+        expire: {
+          type: String
+        },
+        type: banProperties.type
+      }
+    },
+    keys: {
+      type: Object
+    }
+  },
+  async execute({ keys, event, ban: { actions, expire, type } }, { service }, emit) {
+    const ban = app.generateUid()
+
+    console.log("SECURITY BAN!", arguments[0])
+
+    const banKeys = []
+    for(const key of keys) {
+      //keys[key] = event.keys[key]
+      banKeys.push({ key, value: event.keys[key] })
+    }
+    console.log("ACTION KEYS", event.keys, '=>', banKeys)
+
+    const banExpire = expire && new Date(new Date().getTime() + lcp.parseDuration(expire))
+
+    console.log("BAN KEYS", banKeys)
+    console.log("BAN EXPIRE", banExpire)
+
+    // service.trigger({
+    //   type: 'createTimer',
+    //   timer: {
+    //     timestamp: banExpire.getTime() + 1000,
+    //     service: 'security',
+    //     trigger: {
+    //       type: 'removeExpiredBan',
+    //       ban
+    //     }
+    //   }
+    // })
+
+    // emit({
+    //   type: "banCreated",
+    //   ban,
+    //   data: { actions, banKeys, expire, type }
+    // })
+  }
+})
+
+definition.trigger({
+  name: "removeExpiredBan",
+  properties: {
+    ...banProperties
+  },
+  async execute({ ban }, {client, service}, emit) {
+    emit({
+      type: "banRemoved",
+      ban
+    })
+  }
+})
+
+module.exports = { Ban }

package/definition.js

@@ -0,0 +1,8 @@
+const app = require("@live-change/framework").app()
+
+const definition = app.createServiceDefinition({
+  name: "securityService"
+})
+const config = definition.config
+
+module.exports = definition

package/event.js

@@ -0,0 +1,254 @@
+const crypto = require('crypto')
+const app = require("@live-change/framework").app()
+const definition = require('./definition.js')
+const { getClientKeysObject } = require('./utils.js')
+
+const lcp = require('@live-change/pattern')
+const lcpDb = require('@live-change/pattern-db')
+const { request } = require('http')
+
+const securityPatterns = definition.config.patterns
+const relationsStore = lcpDb.relationsStore(app.dao, app.databaseName, 'securityService_relations')
+lcp.prepareModelForLive(securityPatterns)
+//console.log("SECURITY PATTERNS", securityPatterns)
+
+const securityCounters = definition.config.counters
+
+definition.beforeStart(service => {
+  relationsStore.createTable()
+})
+
+const eventProperties = {
+  type: {
+    type: String
+  },
+  keys: {
+    type: Array,
+    of: {
+      type: Object,
+      properties: {
+        key: {
+          type: {
+            String
+          }
+        },
+        value: {
+          type: {
+            String
+          }
+        }
+      }
+    }
+  },
+  timestamp: {
+    type: Date
+  }
+}
+
+const Event = definition.model({
+  name: "Event",
+  properties: {
+    ...eventProperties
+  },
+  indexes: {
+    byTypeAndTimestamp: {
+      property: ['type', 'timestamp']
+    }
+  }
+})
+
+definition.event({
+  name: "securityEvent",
+  async execute({ event, eventType, keys, newRelations, canceledRelations }) {
+    await Event.create({ id: event, type: eventType, keys, timestamp: new Date() })
+    const promises = []
+    for(const relation of newRelations) {
+      promises.push(relationsStore.saveRelation(relation))
+    }
+    for(const relation of canceledRelations) {
+      promises.push(relationsStore.removeRelation(relation))
+    }
+    await Promise.all(promises)
+  }
+})
+
+
+async function processSecurityPatterns(event, time, service) {
+  const changes = await lcp.processEvent({...event, time}, securityPatterns, relationsStore.getRelations)
+  console.log("PROCESSED EVENT PATTERNS", event, '=>', changes)
+  const { newRelations, canceledRelations, actions } = changes
+
+  for (const relation of newRelations) {
+    if (relation.prev) {
+      for (const prev of relation.prev) {
+        if (prev.relation) prev.relation.prev = null
+      }
+    }
+  }
+
+  let promises = []
+  for (const relation of newRelations) {
+    if (relation.type == 'eq') {
+      // will be handled by event
+    } else if (relation.type == 'timeout') {
+      const id = crypto.createHash('md5').update(event.id + relation.relation).digest('hex')
+      promises.push(service.trigger({
+        type: "createTimer",
+        timer: {
+          id,
+          timestamp: relation.time,
+          service: 'security',
+          trigger: {
+            type: 'handleTimeout',
+            timeout: relation
+          }
+        }
+      }))
+    } else {
+      throw new Error(`Relation type ${JSON.stringify(relation.type)} not supported`)
+    }
+  }
+
+  await Promise.all(promises)
+  promises = []
+
+  for (const relation of canceledRelations) {
+    const relationModel = securityPatterns.relations[relation.relation]
+    if (relationModel.eq) {
+      // will be handled by event
+    } else if (relationModel.wait) {
+      const id = crypto.createHash('md5').update(event.id + relation.relation).digest('hex')
+      promises.push(service.trigger({
+        type: "cancelTimerIfExists",
+        timer: id
+      }))
+    } else {
+      throw new Error(`Relation ${JSON.stringify(relation.relation)} not supported`)
+    }
+  }
+
+  await Promise.all(promises)
+  return { newRelations, canceledRelations, actions }
+}
+
+async function processSecurityCounters(event, timestamp, service) {
+  const now = Date.now()
+  const actions = []
+  const counters = securityCounters.filter(counter => counter.match.includes(event.type))
+  if(counters.length == 0) return
+  const counterEventsRequests = []
+  for(const counter of counters) {
+    const duration = lcp.parseDuration(counter.duration)
+    for(const eventType of counter.match) {
+      const request = counterEventsRequests.find(req => req.type == eventType)
+      if(request) {
+        request.max = Math.max(request.max, counter.max)
+        request.duration = Math.max(request.duration, duration)
+      } else {
+        counterEventsRequests.push({
+          type: eventType,
+          max: counter.max,
+          duration
+        })
+      }
+    }
+  }
+  console.log("COUNTER EVENTS REQUESTS", counterEventsRequests)
+  const counterEvents = await Promise.all(counterEventsRequests.map(async request => ({
+    type: request.type,
+    events: await Event.indexRangeGet('byTypeAndTimestamp',{
+      gt: `"${request.type}":"${(new Date(now - request.duration - 1000)).toISOString()}"`,
+      lt: `"${request.type}":\xFF`,
+      reverse: true,
+      limit: request.max
+    })
+  })))
+  console.log("COUNTER EVENTS", counterEvents)
+  for(const counter of counters) {
+    const duration = lcp.parseDuration(counter.duration)
+    const fromTime = (new Date(now - duration)).toISOString()
+    let count = 0
+    for(const events of counterEvents) {
+      if(!counter.match.includes(events.type)) continue
+      for(const event of events.events) {
+        if(event.timestamp > fromTime) {
+          count ++
+        }
+      }
+    }
+    if(count + 1 > counter.max) { // +1 for the new event, not added yet
+      console.log("COUNTER FIRE", counter)
+      actions.push(...counter.actions)
+    }
+  }
+  return { actions }
+}
+
+definition.trigger({
+  name: "securityEvent",
+  properties: {
+    event: {
+      type: Object,
+      properties: {
+        type: {
+          type: String
+        },
+        keys: {
+          type: Object
+        },
+        properties: {
+          type: Object
+        }
+      }
+    },
+    client: {
+      type: Object
+    }
+  },
+  async execute({ event, client, timestamp }, { service }, emit) {
+    console.log("SECURITY EVENT TRIGGERED", arguments[0])
+    event.id = event.id || app.generateUid()
+    event.time = event.time || timestamp
+    const time = (typeof event.time == 'number') ? event.time : new Date(event.time).getTime()
+
+    if(client) {
+      event.keys = { ...getClientKeysObject(client), ...event.keys }
+    }
+
+    console.log("PROCESS EVENT", event)
+    let [
+      { newRelations, canceledRelations, actions: patternsActions },
+      { actions: countersActions }
+    ] = await Promise.all([
+      processSecurityPatterns(event, time, service),
+      processSecurityCounters(event, time, service)
+    ])
+
+    let promises = []
+    const actions = patternsActions.concat(countersActions)
+
+    for(const action of actions) {
+      const actionTypeUpperCase = action.type[0].toUpperCase() + action.type.slice(1)
+      console.log("ACTION", JSON.stringify(action, null, '  '))
+      promises.push(service.trigger({
+        ...action,
+        event,
+        type: 'securityAction' + actionTypeUpperCase
+      }))
+    }
+
+    await Promise.all(promises)
+
+    emit({
+      type: "securityEvent",
+      event: event.id,
+      eventType: event.type,
+      keys: event.keys,
+      actions,
+      newRelations: newRelations.filter(rel => rel.type == 'eq'),
+      canceledRelations: canceledRelations.filter(rel => rel.type == 'eq')
+    })
+
+  }
+})
+

package/index.js

@@ -0,0 +1,9 @@
+const app = require("@live-change/framework").app()
+
+const definition = require('./definition.js')
+
+require('./ban.js')
+require('./event.js')
+require('./secured.js')
+
+module.exports = definition

package/package.json

@@ -0,0 +1,30 @@
+{
+  "name": "@live-change/security-service",
+  "version": "0.2.5",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "test": "NODE_ENV=test tape tests/*"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/live-change/live-change-services.git"
+  },
+  "license": "MIT",
+  "bugs": {
+    "url": "https://github.com/live-change/live-change-services/issues"
+  },
+  "homepage": "https://github.com/live-change/live-change-services",
+  "author": {
+    "email": "michal@laszczewski.pl",
+    "name": "Michał Łaszczewski",
+    "url": "https://www.viamage.com/"
+  },
+  "dependencies": {
+    "@live-change/framework": "^0.5.7",
+    "@live-change/pattern": "^0.2.1",
+    "@live-change/pattern-db": "^0.2.2",
+    "nodemailer": "^6.7.2"
+  },
+  "gitHead": "7691357c7569a18373668691eb6a81a9e161194d"
+}

package/secured.js

@@ -0,0 +1,50 @@
+const definition = require('./definition.js')
+const { getClientKeysObject, getClientKeysStrings, multiKeyIndexQuery } = require('./utils.js')
+
+definition.processor(function(service, app) {
+
+  for(let actionName in service.actions) {
+    const action = service.actions[actionName]
+    if(!action.secured) continue
+    const config = action.secured
+
+    console.log("SECURED", service.name, action.name)
+
+    const oldExec = action.execute
+    action.execute = async (...args) => {
+      const [ properties, context, emit ] = args
+      const { client } = context
+      oldExec.apply(action, args)
+    }
+
+    /// TODO: detect bans, block actions
+    /// TODO: detect associated events
+    /// TODO: report security violation if succeded
+    /// TODO: report security violation if failed - another event
+    /// TODO: additional validation based on ban type(captcha)
+    /// TODO: additional delay based on ban type
+  }
+
+  for(let triggerName in service.actions) {
+    const trigger = service.actions[triggerName]
+    if(!trigger.secured) continue
+    const config = trigger.secured
+
+    console.log("SECURED TRIGGER", service.name, trigger.name)
+
+    const oldExec = trigger.execute
+    trigger.execute = async (...args) => {
+      const [ properties, context, emit ] = args
+      const { client, ...otherProperties } = properties
+      oldExec.apply(trigger, args)
+    }
+
+    /// TODO: detect bans, block triggers
+    /// TODO: detect associated events
+    /// TODO: report security violation if succeded
+    /// TODO: report security violation if failed - another event
+    /// TODO: additional validation based on ban type(captcha)
+    /// TODO: additional delay based on ban type
+  }
+
+})

package/utils.js

@@ -0,0 +1,85 @@
+const definition = require('./definition.js')
+
+const clientKeys = definition.config.clientKeys
+
+function multiKeyIndexQuery(keys, indexName) {
+  return ['database', 'query', database, `(${
+    async (input, output, { keys, indexName, tableName }) => {
+      const objectStates = new Map()
+      async function mapper(res) {
+        input.table(tableName).object(res.to).get()
+      }
+      async function onIndexChange(obj, oldObj) {
+        if(obj && !oldObj) {
+          const data = await mapper(obj)
+          if(data) output.change(data, null)
+        }
+        if(obj && obj.to) {
+          let objectState = objectStates.get(obj.to)
+          if(!objectState) {
+            objectState = { data: undefined, refs: 1 }
+            objectState.reader = input.table(tableName).object(obj.to)
+            const ind = obj
+            objectState.observer = await objectState.reader.onChange(async obj => {
+              const data = obj
+              const oldData = objectState.data
+              output.change(data, oldData)
+              if(data) {
+                objectState.data = obj
+              } else if(oldObj) {
+                objectState.data = null
+              }
+            })
+            objectStates.set(ind.to, objectState)
+          } else if(!oldObj || oldObj.to != obj.to) {
+            objectState.refs ++
+          }
+        }
+        if(oldObj && oldObj.to && (!obj || obj.to != oldObj.to)) {
+          let objectState = objectStates.get(oldObj.to)
+          if(objectState) {
+            objectState.refs --
+            if(objectState.refs <= 0) {
+              objectState.reader.unobserve(objectState.observer)
+              objectStates.delete(oldObj.to)
+              output.change(null, objectState.data)
+            }
+          }
+        }
+      }
+      await Promise.all(keys.map(async (encodedKey) => {
+        const range = {
+          gte: encodedKey + '_',
+          lte: encodedKey + "_\xFF\xFF\xFF\xFF"
+        }
+        await (await input.index(indexName)).range(range).onChange(onIndexChange)
+      }))
+    }
+  })`, { keys, indexName, tableName: Ban.tableName }]
+}
+
+function getClientKeysStrings(client, prefix = '') {
+  if(clientKeys) {
+    return clientKeys(client).map(k => prefix + k.key + ':' + k.value)
+  } else {
+    const keys = []
+    for(let key in client) {
+      keys.push(prefix + key + ':' + client[key])
+    }
+    return keys
+  }
+}
+
+function getClientKeysObject(client, prefix = '') {
+  if(clientKeys) {
+    const obj = {}
+    for(const { key, value } of clientKeys(client)) {
+      obj[key] = value
+    }
+    return obj
+  } else {
+    return client
+  }
+}
+
+module.exports = { multiKeyIndexQuery, getClientKeysStrings, getClientKeysObject }